378 files changed, 8016 insertions, 4533 deletions
diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index c584a0af77d3..50f58f5f1c34 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -12,7 +12,7 @@ int __vlan_hwaccel_rx(struct sk_buff *skb, struct vlan_group *grp,
                return NET_RX_DROP;
        if (skb_bond_should_drop(skb, ACCESS_ONCE(skb->dev->master)))
-                goto drop;
+                skb->deliver_no_wcard = 1;
        skb->skb_iif = skb->dev->ifindex;
        __vlan_hwaccel_put_tag(skb, vlan_tci);
@@ -61,7 +61,7 @@ int vlan_hwaccel_do_receive(struct sk_buff *skb)
                                        dev->dev_addr))
                        skb->pkt_type = PACKET_HOST;
                break;
-        };
+        }
        return 0;
 }
@@ -84,7 +84,7 @@ vlan_gro_common(struct napi_struct *napi, struct vlan_group *grp,
        struct sk_buff *p;
        if (skb_bond_should_drop(skb, ACCESS_ONCE(skb->dev->master)))
-                goto drop;
+                skb->deliver_no_wcard = 1;
        skb->skb_iif = skb->dev->ifindex;
        __vlan_hwaccel_put_tag(skb, vlan_tci);
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index b5249c5fd4d3..529842677817 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -327,7 +327,7 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
        len = skb->len;
        ret = dev_queue_xmit(skb);
-        if (likely(ret == NET_XMIT_SUCCESS)) {
+        if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
                txq->tx_packets++;
                txq->tx_bytes += len;
        } else
@@ -353,7 +353,7 @@ static netdev_tx_t vlan_dev_hwaccel_hard_start_xmit(struct sk_buff *skb,
        len = skb->len;
        ret = dev_queue_xmit(skb);
-        if (likely(ret == NET_XMIT_SUCCESS)) {
+        if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
                txq->tx_packets++;
                txq->tx_bytes += len;
        } else
@@ -708,7 +708,8 @@ static int vlan_dev_init(struct net_device *dev)
        netif_carrier_off(dev);
        /* IFF_BROADCAST|IFF_MULTICAST; ??? */
-        dev->flags  = real_dev->flags & ~(IFF_UP | IFF_PROMISC | IFF_ALLMULTI);
+        dev->flags  = real_dev->flags & ~(IFF_UP | IFF_PROMISC | IFF_ALLMULTI |
+                                          IFF_MASTER | IFF_SLAVE);
        dev->iflink = real_dev->ifindex;
        dev->state  = (real_dev->state & ((1<<__LINK_STATE_NOCARRIER) |
                                          (1<<__LINK_STATE_DORMANT))) |
diff --git a/net/9p/client.c b/net/9p/client.c
index 0aa79faa9850..37c8da07a80b 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -1321,7 +1321,8 @@ static int p9_client_statsize(struct p9_wstat *wst, int proto_version)
        if (wst->muid)
                ret += strlen(wst->muid);
-        if (proto_version == p9_proto_2000u) {
+        if ((proto_version == p9_proto_2000u) ||
+                (proto_version == p9_proto_2000L)) {
                ret += 2+4+4+4; /* extension[s] n_uid[4] n_gid[4] n_muid[4] */
                if (wst->extension)
                        ret += strlen(wst->extension);
@@ -1364,3 +1365,70 @@ error:
        return err;
 }
 EXPORT_SYMBOL(p9_client_wstat);
+int p9_client_statfs(struct p9_fid *fid, struct p9_rstatfs *sb)
+{
+        int err;
+        struct p9_req_t *req;
+        struct p9_client *clnt;
+        err = 0;
+        clnt = fid->clnt;
+        P9_DPRINTK(P9_DEBUG_9P, ">>> TSTATFS fid %d\n", fid->fid);
+        req = p9_client_rpc(clnt, P9_TSTATFS, "d", fid->fid);
+        if (IS_ERR(req)) {
+                err = PTR_ERR(req);
+                goto error;
+        }
+        err = p9pdu_readf(req->rc, clnt->proto_version, "ddqqqqqqd", &sb->type,
+                &sb->bsize, &sb->blocks, &sb->bfree, &sb->bavail,
+                &sb->files, &sb->ffree, &sb->fsid, &sb->namelen);
+        if (err) {
+                p9pdu_dump(1, req->rc);
+                p9_free_req(clnt, req);
+                goto error;
+        }
+        P9_DPRINTK(P9_DEBUG_9P, "<<< RSTATFS fid %d type 0x%lx bsize %ld "
+                "blocks %llu bfree %llu bavail %llu files %llu ffree %llu "
+                "fsid %llu namelen %ld\n",
+                fid->fid, (long unsigned int)sb->type, (long int)sb->bsize,
+                sb->blocks, sb->bfree, sb->bavail, sb->files,  sb->ffree,
+                sb->fsid, (long int)sb->namelen);
+        p9_free_req(clnt, req);
+error:
+        return err;
+}
+EXPORT_SYMBOL(p9_client_statfs);
+int p9_client_rename(struct p9_fid *fid, struct p9_fid *newdirfid, char *name)
+{
+        int err;
+        struct p9_req_t *req;
+        struct p9_client *clnt;
+        err = 0;
+        clnt = fid->clnt;
+        P9_DPRINTK(P9_DEBUG_9P, ">>> TRENAME fid %d newdirfid %d name %s\n",
+                        fid->fid, newdirfid->fid, name);
+        req = p9_client_rpc(clnt, P9_TRENAME, "dds", fid->fid,
+                        newdirfid->fid, name);
+        if (IS_ERR(req)) {
+                err = PTR_ERR(req);
+                goto error;
+        }
+        P9_DPRINTK(P9_DEBUG_9P, "<<< RRENAME fid %d\n", fid->fid);
+        p9_free_req(clnt, req);
+error:
+        return err;
+}
+EXPORT_SYMBOL(p9_client_rename);
diff --git a/net/9p/protocol.c b/net/9p/protocol.c
index e7541d5b0118..149f82160130 100644
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -341,7 +341,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
                        }
                        break;
                case '?':
-                        if (proto_version != p9_proto_2000u)
+                        if ((proto_version != p9_proto_2000u) &&
+                                (proto_version != p9_proto_2000L))
                                return 0;
                        break;
                default:
@@ -393,7 +394,7 @@ p9pdu_vwritef(struct p9_fcall *pdu, int proto_version, const char *fmt,
                                const char *sptr = va_arg(ap, const char *);
                                int16_t len = 0;
                                if (sptr)
-                                        len = MIN(strlen(sptr), USHORT_MAX);
+                                        len = MIN(strlen(sptr), USHRT_MAX);
                                errcode = p9pdu_writef(pdu, proto_version,
                                                                "w", len);
@@ -488,7 +489,8 @@ p9pdu_vwritef(struct p9_fcall *pdu, int proto_version, const char *fmt,
                        }
                        break;
                case '?':
-                        if (proto_version != p9_proto_2000u)
+                        if ((proto_version != p9_proto_2000u) &&
+                                (proto_version != p9_proto_2000L))
                                return 0;
                        break;
                default:
diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
index 041101ab4aa5..0ea20c30466c 100644
--- a/net/9p/trans_rdma.c
+++ b/net/9p/trans_rdma.c
@@ -308,7 +308,6 @@ handle_recv(struct p9_client *client, struct p9_trans_rdma *rdma,
                   req, err, status);
        rdma->state = P9_RDMA_FLUSHING;
        client->status = Disconnected;
-        return;
 }
 static void
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index 7eb78ecc1618..dcfbe99ff81c 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -137,7 +137,7 @@ static void req_done(struct virtqueue *vq)
        P9_DPRINTK(P9_DEBUG_TRANS, ": request done\n");
-        while ((rc = chan->vq->vq_ops->get_buf(chan->vq, &len)) != NULL) {
+        while ((rc = virtqueue_get_buf(chan->vq, &len)) != NULL) {
                P9_DPRINTK(P9_DEBUG_TRANS, ": rc %p\n", rc);
                P9_DPRINTK(P9_DEBUG_TRANS, ": lookup tag %d\n", rc->tag);
                req = p9_tag_lookup(chan->client, rc->tag);
@@ -209,13 +209,13 @@ p9_virtio_request(struct p9_client *client, struct p9_req_t *req)
        req->status = REQ_STATUS_SENT;
-        if (chan->vq->vq_ops->add_buf(chan->vq, chan->sg, out, in, req->tc) < 0) {
+        if (virtqueue_add_buf(chan->vq, chan->sg, out, in, req->tc) < 0) {
                P9_DPRINTK(P9_DEBUG_TRANS,
                        "9p debug: virtio rpc add_buf returned failure");
                return -EIO;
        }
-        chan->vq->vq_ops->kick(chan->vq);
+        virtqueue_kick(chan->vq);
        P9_DPRINTK(P9_DEBUG_TRANS, "9p debug: virtio request kicked\n");
        return 0;
diff --git a/net/atm/br2684.c b/net/atm/br2684.c
index d6c7ceaf13e9..6719af6a59fa 100644
--- a/net/atm/br2684.c
+++ b/net/atm/br2684.c
@@ -446,7 +446,6 @@ error:
        net_dev->stats.rx_errors++;
 free_skb:
        dev_kfree_skb(skb);
-        return;
 }
 /*
diff --git a/net/atm/lec.c b/net/atm/lec.c
index feeaf5718472..d98bde1a0ac8 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -161,8 +161,6 @@ static void lec_handle_bridge(struct sk_buff *skb, struct net_device *dev)
                skb_queue_tail(&sk->sk_receive_queue, skb2);
                sk->sk_data_ready(sk, skb2->len);
        }
-        return;
 }
 #endif /* defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE) */
@@ -640,7 +638,6 @@ static void lec_set_multicast_list(struct net_device *dev)
         * by default, all multicast frames arrive over the bus.
         * eventually support selective multicast service
         */
-        return;
 }
 static const struct net_device_ops lec_netdev_ops = {
@@ -1199,8 +1196,6 @@ static void __exit lane_module_cleanup(void)
                        dev_lec[i] = NULL;
                }
        }
-        return;
 }
 module_init(lane_module_init);
@@ -1334,7 +1329,6 @@ static void lane2_associate_ind(struct net_device *dev, const u8 *mac_addr,
                priv->lane2_ops->associate_indicator(dev, mac_addr,
                                                     tlvs, sizeoftlvs);
        }
-        return;
 }
 /*
diff --git a/net/atm/mpc.c b/net/atm/mpc.c
index 436f2e177657..622b471e14e0 100644
--- a/net/atm/mpc.c
+++ b/net/atm/mpc.c
@@ -455,7 +455,6 @@ static void lane2_assoc_ind(struct net_device *dev, const u8 *mac_addr,
        if (end_of_tlvs - tlvs != 0)
                pr_info("(%s) ignoring %Zd bytes of trailing TLV garbage\n",
                        dev->name, end_of_tlvs - tlvs);
-        return;
 }
 /*
@@ -684,8 +683,6 @@ static void mpc_vcc_close(struct atm_vcc *vcc, struct net_device *dev)
        if (in_entry == NULL && eg_entry == NULL)
                dprintk("(%s) unused vcc closed\n", dev->name);
-        return;
 }
 static void mpc_push(struct atm_vcc *vcc, struct sk_buff *skb)
@@ -783,8 +780,6 @@ static void mpc_push(struct atm_vcc *vcc, struct sk_buff *skb)
        memset(ATM_SKB(skb), 0, sizeof(struct atm_skb_data));
        netif_rx(new_skb);
-        return;
 }
 static struct atmdev_ops mpc_ops = { /* only send is required */
@@ -873,8 +868,6 @@ static void send_set_mps_ctrl_addr(const char *addr, struct mpoa_client *mpc)
        mesg.type = SET_MPS_CTRL_ADDR;
        memcpy(mesg.MPS_ctrl, addr, ATM_ESA_LEN);
        msg_to_mpoad(&mesg, mpc);
-        return;
 }
 static void mpoad_close(struct atm_vcc *vcc)
@@ -911,8 +904,6 @@ static void mpoad_close(struct atm_vcc *vcc)
        pr_info("(%s) going down\n",
                (mpc->dev) ? mpc->dev->name : "<unknown>");
        module_put(THIS_MODULE);
-        return;
 }
 /*
@@ -1122,7 +1113,6 @@ static void MPOA_trigger_rcvd(struct k_message *msg, struct mpoa_client *mpc)
        pr_info("(%s) entry already in resolving state\n",
                (mpc->dev) ? mpc->dev->name : "<unknown>");
        mpc->in_ops->put(entry);
-        return;
 }
 /*
@@ -1166,7 +1156,6 @@ static void check_qos_and_open_shortcut(struct k_message *msg,
        } else
                memset(&msg->qos, 0, sizeof(struct atm_qos));
        msg_to_mpoad(msg, client);
-        return;
 }
 static void MPOA_res_reply_rcvd(struct k_message *msg, struct mpoa_client *mpc)
@@ -1240,8 +1229,6 @@ static void ingress_purge_rcvd(struct k_message *msg, struct mpoa_client *mpc)
                mpc->in_ops->put(entry);
                entry = mpc->in_ops->get_with_mask(dst_ip, mpc, mask);
        } while (entry != NULL);
-        return;
 }
 static void egress_purge_rcvd(struct k_message *msg, struct mpoa_client *mpc)
@@ -1260,8 +1247,6 @@ static void egress_purge_rcvd(struct k_message *msg, struct mpoa_client *mpc)
        write_unlock_irq(&mpc->egress_lock);
        mpc->eg_ops->put(entry);
-        return;
 }
 static void purge_egress_shortcut(struct atm_vcc *vcc, eg_cache_entry *entry)
@@ -1295,8 +1280,6 @@ static void purge_egress_shortcut(struct atm_vcc *vcc, eg_cache_entry *entry)
        skb_queue_tail(&sk->sk_receive_queue, skb);
        sk->sk_data_ready(sk, skb->len);
        dprintk("exiting\n");
-        return;
 }
 /*
@@ -1325,8 +1308,6 @@ static void mps_death(struct k_message *msg, struct mpoa_client *mpc)
        mpc->in_ops->destroy_cache(mpc);
        mpc->eg_ops->destroy_cache(mpc);
-        return;
 }
 static void MPOA_cache_impos_rcvd(struct k_message *msg,
@@ -1353,8 +1334,6 @@ static void MPOA_cache_impos_rcvd(struct k_message *msg,
        write_unlock_irq(&mpc->egress_lock);
        mpc->eg_ops->put(entry);
-        return;
 }
 static void set_mpc_ctrl_addr_rcvd(struct k_message *mesg,
@@ -1392,8 +1371,6 @@ static void set_mpc_ctrl_addr_rcvd(struct k_message *mesg,
                        pr_info("(%s) targetless LE_ARP request failed\n",
                                mpc->dev->name);
        }
-        return;
 }
 static void set_mps_mac_addr_rcvd(struct k_message *msg,
@@ -1409,8 +1386,6 @@ static void set_mps_mac_addr_rcvd(struct k_message *msg,
                return;
        }
        client->number_of_mps_macs = 1;
-        return;
 }
 /*
@@ -1436,7 +1411,6 @@ static void clean_up(struct k_message *msg, struct mpoa_client *mpc, int action)
        msg->type = action;
        msg_to_mpoad(msg, mpc);
-        return;
 }
 static void mpc_timer_refresh(void)
@@ -1445,8 +1419,6 @@ static void mpc_timer_refresh(void)
        mpc_timer.data = mpc_timer.expires;
        mpc_timer.function = mpc_cache_check;
        add_timer(&mpc_timer);
-        return;
 }
 static void mpc_cache_check(unsigned long checking_time)
@@ -1471,8 +1443,6 @@ static void mpc_cache_check(unsigned long checking_time)
                mpc = mpc->next;
        }
        mpc_timer_refresh();
-        return;
 }
 static int atm_mpoa_ioctl(struct socket *sock, unsigned int cmd,
@@ -1561,8 +1531,6 @@ static void __exit atm_mpoa_cleanup(void)
                kfree(qos);
                qos = nextqos;
        }
-        return;
 }
 module_init(atm_mpoa_init);
diff --git a/net/atm/mpoa_caches.c b/net/atm/mpoa_caches.c
index e773d8336918..d1b2d9a03144 100644
--- a/net/atm/mpoa_caches.c
+++ b/net/atm/mpoa_caches.c
@@ -182,8 +182,6 @@ static void in_cache_put(in_cache_entry *entry)
                memset(entry, 0, sizeof(in_cache_entry));
                kfree(entry);
        }
-        return;
 }
 /*
@@ -221,8 +219,6 @@ static void in_cache_remove_entry(in_cache_entry *entry,
                }
                vcc_release_async(vcc, -EPIPE);
        }
-        return;
 }
 /* Call this every MPC-p2 seconds... Not exactly correct solution,
@@ -248,8 +244,6 @@ static void clear_count_and_expired(struct mpoa_client *client)
                entry = next_entry;
        }
        write_unlock_bh(&client->ingress_lock);
-        return;
 }
 /* Call this every MPC-p4 seconds. */
@@ -334,8 +328,6 @@ static void in_destroy_cache(struct mpoa_client *mpc)
        while (mpc->in_cache != NULL)
                mpc->in_ops->remove_entry(mpc->in_cache, mpc);
        write_unlock_irq(&mpc->ingress_lock);
-        return;
 }
 static eg_cache_entry *eg_cache_get_by_cache_id(__be32 cache_id,
@@ -427,8 +419,6 @@ static void eg_cache_put(eg_cache_entry *entry)
                memset(entry, 0, sizeof(eg_cache_entry));
                kfree(entry);
        }
-        return;
 }
 /*
@@ -463,8 +453,6 @@ static void eg_cache_remove_entry(eg_cache_entry *entry,
                }
                vcc_release_async(vcc, -EPIPE);
        }
-        return;
 }
 static eg_cache_entry *eg_cache_add_entry(struct k_message *msg,
@@ -509,8 +497,6 @@ static void update_eg_cache_entry(eg_cache_entry *entry, uint16_t holding_time)
        do_gettimeofday(&(entry->tv));
        entry->entry_state = EGRESS_RESOLVED;
        entry->ctrl_info.holding_time = holding_time;
-        return;
 }
 static void clear_expired(struct mpoa_client *client)
@@ -537,8 +523,6 @@ static void clear_expired(struct mpoa_client *client)
                entry = next_entry;
        }
        write_unlock_irq(&client->egress_lock);
-        return;
 }
 static void eg_destroy_cache(struct mpoa_client *mpc)
@@ -547,8 +531,6 @@ static void eg_destroy_cache(struct mpoa_client *mpc)
        while (mpc->eg_cache != NULL)
                mpc->eg_ops->remove_entry(mpc->eg_cache, mpc);
        write_unlock_irq(&mpc->egress_lock);
-        return;
 }
@@ -584,6 +566,4 @@ void atm_mpoa_init_cache(struct mpoa_client *mpc)
 {
        mpc->in_ops = &ingress_ops;
        mpc->eg_ops = &egress_ops;
-        return;
 }
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 5e83f8e0877a..2f768de87011 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1316,8 +1316,6 @@ void hci_send_acl(struct hci_conn *conn, struct sk_buff *skb, __u16 flags)
        }
        tasklet_schedule(&hdev->tx_task);
-        return;
 }
 EXPORT_SYMBOL(hci_send_acl);
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 673a36886716..1b682a5aa061 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1322,8 +1322,6 @@ static void l2cap_drop_acked_frames(struct sock *sk)
        if (!l2cap_pi(sk)->unacked_frames)
                del_timer(&l2cap_pi(sk)->retrans_timer);
-        return;
 }
 static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
@@ -4667,7 +4665,6 @@ void l2cap_load(void)
        /* Dummy function to trigger automatic L2CAP module loading by
         * other modules that use L2CAP sockets but don't use any other
         * symbols from it. */
-        return;
 }
 EXPORT_SYMBOL(l2cap_load);
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index cab71ea2796d..309b6c261b25 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -1014,8 +1014,6 @@ static void rfcomm_tty_set_termios(struct tty_struct *tty, struct ktermios *old)
                rfcomm_send_rpn(dev->dlc->session, 1, dev->dlc->dlci, baud,
                                data_bits, stop_bits, parity,
                                RFCOMM_RPN_FLOW_NONE, x_on, x_off, changes);
-        return;
 }
 static void rfcomm_tty_throttle(struct tty_struct *tty)
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 4767928a93d3..d0927d1fdada 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -273,7 +273,6 @@ static inline void sco_recv_frame(struct sco_conn *conn, struct sk_buff *skb)
 drop:
        kfree_skb(skb);
-        return;
 }
 /* -------- Socket interface ---------- */
diff --git a/net/bridge/br.c b/net/bridge/br.c
index e1241c76239a..76357b547752 100644
--- a/net/bridge/br.c
+++ b/net/bridge/br.c
@@ -38,7 +38,7 @@ static int __init br_init(void)
        err = stp_proto_register(&br_stp_proto);
        if (err < 0) {
-                printk(KERN_ERR "bridge: can't register sap for STP\n");
+                pr_err("bridge: can't register sap for STP\n");
                return err;
        }
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 074c59690fc5..eedf2c94820e 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -17,6 +17,7 @@
 #include <linux/etherdevice.h>
 #include <linux/ethtool.h>
 #include <linux/list.h>
+#include <linux/netfilter_bridge.h>
 #include <asm/uaccess.h>
 #include "br_private.h"
@@ -30,6 +31,13 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
        struct net_bridge_mdb_entry *mdst;
        struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats);
+#ifdef CONFIG_BRIDGE_NETFILTER
+        if (skb->nf_bridge && (skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) {
+                br_nf_pre_routing_finish_bridge_slow(skb);
+                return NETDEV_TX_OK;
+        }
+#endif
        brstats->tx_packets++;
        brstats->tx_bytes += skb->len;
@@ -191,7 +199,7 @@ static int br_set_tx_csum(struct net_device *dev, u32 data)
 }
 #ifdef CONFIG_NET_POLL_CONTROLLER
-bool br_devices_support_netpoll(struct net_bridge *br)
+static bool br_devices_support_netpoll(struct net_bridge *br)
 {
        struct net_bridge_port *p;
        bool ret = true;
@@ -217,9 +225,9 @@ static void br_poll_controller(struct net_device *br_dev)
                netpoll_poll_dev(np->real_dev);
 }
-void br_netpoll_cleanup(struct net_device *br_dev)
+void br_netpoll_cleanup(struct net_device *dev)
 {
-        struct net_bridge *br = netdev_priv(br_dev);
+        struct net_bridge *br = netdev_priv(dev);
        struct net_bridge_port *p, *n;
        const struct net_device_ops *ops;
@@ -235,10 +243,29 @@ void br_netpoll_cleanup(struct net_device *br_dev)
        }
 }
-#else
+void br_netpoll_disable(struct net_bridge *br,
+                        struct net_device *dev)
+{
+        if (br_devices_support_netpoll(br))
+                br->dev->priv_flags &= ~IFF_DISABLE_NETPOLL;
+        if (dev->netdev_ops->ndo_netpoll_cleanup)
+                dev->netdev_ops->ndo_netpoll_cleanup(dev);
+        else
+                dev->npinfo = NULL;
+}
-void br_netpoll_cleanup(struct net_device *br_dev)
+void br_netpoll_enable(struct net_bridge *br,
+                       struct net_device *dev)
 {
+        if (br_devices_support_netpoll(br)) {
+                br->dev->priv_flags &= ~IFF_DISABLE_NETPOLL;
+                if (br->dev->npinfo)
+                        dev->npinfo = br->dev->npinfo;
+        } else if (!(br->dev->priv_flags & IFF_DISABLE_NETPOLL)) {
+                br->dev->priv_flags |= IFF_DISABLE_NETPOLL;
+                br_info(br,"new device %s does not support netpoll (disabling)",
+                        dev->name);
+        }
 }
 #endif
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index 9101a4e56201..26637439965b 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -353,8 +353,7 @@ static int fdb_insert(struct net_bridge *br, struct net_bridge_port *source,
                 */
                if (fdb->is_local)
                        return 0;
+                br_warn(br, "adding interface %s with same address "
-                printk(KERN_WARNING "%s adding interface with same address "
                       "as a received packet\n",
                       source->dev->name);
                fdb_delete(fdb);
@@ -397,9 +396,9 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
                /* attempt to update an entry for a local interface */
                if (unlikely(fdb->is_local)) {
                        if (net_ratelimit())
-                                printk(KERN_WARNING "%s: received packet with "
+                                br_warn(br, "received packet on %s with "
-                                       "own address as source address\n",
+                                        "own address as source address\n",
-                                       source->dev->name);
+                                        source->dev->name);
                } else {
                        /* fastpath: update of existing entry */
                        fdb->dst = source;
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index 92ad9feb199d..a98ef1393097 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -45,7 +45,7 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
        if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb))
                kfree_skb(skb);
        else {
-                /* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
+                /* ip_fragment doesn't copy the MAC header */
                if (nf_bridge_maybe_copy_header(skb))
                        kfree_skb(skb);
                else {
@@ -66,7 +66,7 @@ int br_dev_queue_push_xmit(struct sk_buff *skb)
 int br_forward_finish(struct sk_buff *skb)
 {
-        return NF_HOOK(PF_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev,
+        return NF_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev,
                       br_dev_queue_push_xmit);
 }
@@ -84,8 +84,8 @@ static void __br_deliver(const struct net_bridge_port *to, struct sk_buff *skb)
        }
 #endif
        skb->dev = to->dev;
-        NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
+        NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
-                        br_forward_finish);
+                br_forward_finish);
 #ifdef CONFIG_NET_POLL_CONTROLLER
        if (skb->dev->npinfo)
                skb->dev->npinfo->netpoll->dev = br->dev;
@@ -105,8 +105,8 @@ static void __br_forward(const struct net_bridge_port *to, struct sk_buff *skb)
        skb->dev = to->dev;
        skb_forward_csum(skb);
-        NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev,
+        NF_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev,
-                        br_forward_finish);
+                br_forward_finish);
 }
 /* called with rcu_read_lock */
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 537bdd60d9b9..18b245e2c00e 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -133,7 +133,7 @@ static void del_nbp(struct net_bridge_port *p)
        struct net_bridge *br = p->br;
        struct net_device *dev = p->dev;
-        sysfs_remove_link(br->ifobj, dev->name);
+        sysfs_remove_link(br->ifobj, p->dev->name);
        dev_set_promiscuity(dev, -1);
@@ -154,14 +154,7 @@ static void del_nbp(struct net_bridge_port *p)
        kobject_uevent(&p->kobj, KOBJ_REMOVE);
        kobject_del(&p->kobj);
-#ifdef CONFIG_NET_POLL_CONTROLLER
+        br_netpoll_disable(br, dev);
-        if (br_devices_support_netpoll(br))
-                br->dev->priv_flags &= ~IFF_DISABLE_NETPOLL;
-        if (dev->netdev_ops->ndo_netpoll_cleanup)
-                dev->netdev_ops->ndo_netpoll_cleanup(dev);
-        else
-                dev->npinfo = NULL;
-#endif
        call_rcu(&p->rcu, destroy_nbp_rcu);
 }
@@ -455,19 +448,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
        kobject_uevent(&p->kobj, KOBJ_ADD);
-#ifdef CONFIG_NET_POLL_CONTROLLER
+        br_netpoll_enable(br, dev);
-        if (br_devices_support_netpoll(br)) {
-                br->dev->priv_flags &= ~IFF_DISABLE_NETPOLL;
-                if (br->dev->npinfo)
-                        dev->npinfo = br->dev->npinfo;
-        } else if (!(br->dev->priv_flags & IFF_DISABLE_NETPOLL)) {
-                br->dev->priv_flags |= IFF_DISABLE_NETPOLL;
-                printk(KERN_INFO "New device %s does not support netpoll\n",
-                        dev->name);
-                printk(KERN_INFO "Disabling netpoll for %s\n",
-                        br->dev->name);
-        }
-#endif
        return 0;
 err2:
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index e7f4c1d02f57..d36e700f7a26 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -33,7 +33,7 @@ static int br_pass_frame_up(struct sk_buff *skb)
        indev = skb->dev;
        skb->dev = brdev;
-        return NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL,
+        return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL,
                       netif_receive_skb);
 }
@@ -156,7 +156,7 @@ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
                if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
                        goto forward;
-                if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
+                if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
                            NULL, br_handle_local_finish))
                        return NULL;    /* frame consumed by filter */
                else
@@ -177,7 +177,7 @@ forward:
                if (!compare_ether_addr(p->br->dev->dev_addr, dest))
                        skb->pkt_type = PACKET_HOST;
-                NF_HOOK(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
+                NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
                        br_handle_frame_finish);
                break;
        default:
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index 995afc4b04dc..cb43312b846e 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -412,6 +412,6 @@ int br_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
        }
-        pr_debug("Bridge does not support ioctl 0x%x\n", cmd);
+        br_debug(br, "Bridge does not support ioctl 0x%x\n", cmd);
        return -EOPNOTSUPP;
 }
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 7128abdce45f..9d21d98ae5fa 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -585,10 +585,9 @@ static struct net_bridge_mdb_entry *br_multicast_get_group(
        if (unlikely(count > br->hash_elasticity && count)) {
                if (net_ratelimit())
-                        printk(KERN_INFO "%s: Multicast hash table "
+                        br_info(br, "Multicast hash table "
-                               "chain limit reached: %s\n",
+                                "chain limit reached: %s\n",
-                               br->dev->name, port ? port->dev->name :
+                                port ? port->dev->name : br->dev->name);
-                                                     br->dev->name);
                elasticity = br->hash_elasticity;
        }
@@ -596,11 +595,9 @@ static struct net_bridge_mdb_entry *br_multicast_get_group(
        if (mdb->size >= max) {
                max *= 2;
                if (unlikely(max >= br->hash_max)) {
-                        printk(KERN_WARNING "%s: Multicast hash table maximum "
+                        br_warn(br, "Multicast hash table maximum "
-                               "reached, disabling snooping: %s, %d\n",
+                                "reached, disabling snooping: %s, %d\n",
-                               br->dev->name, port ? port->dev->name :
+                                port ? port->dev->name : br->dev->name, max);
-                                                     br->dev->name,
-                               max);
                        err = -E2BIG;
 disable:
                        br->multicast_disabled = 1;
@@ -611,22 +608,19 @@ disable:
        if (max > mdb->max || elasticity) {
                if (mdb->old) {
                        if (net_ratelimit())
-                                printk(KERN_INFO "%s: Multicast hash table "
+                                br_info(br, "Multicast hash table "
-                                       "on fire: %s\n",
+                                        "on fire: %s\n",
-                                       br->dev->name, port ? port->dev->name :
+                                        port ? port->dev->name : br->dev->name);
-                                                             br->dev->name);
                        err = -EEXIST;
                        goto err;
                }
                err = br_mdb_rehash(&br->mdb, max, elasticity);
                if (err) {
-                        printk(KERN_WARNING "%s: Cannot rehash multicast "
+                        br_warn(br, "Cannot rehash multicast "
-                               "hash table, disabling snooping: "
+                                "hash table, disabling snooping: %s, %d, %d\n",
-                               "%s, %d, %d\n",
+                                port ? port->dev->name : br->dev->name,
-                               br->dev->name, port ? port->dev->name :
+                                mdb->size, err);
-                                                     br->dev->name,
-                               mdb->size, err);
                        goto disable;
                }
@@ -814,7 +808,7 @@ static void __br_multicast_send_query(struct net_bridge *br,
        if (port) {
                __skb_push(skb, sizeof(struct ethhdr));
                skb->dev = port->dev;
-                NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
+                NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
                        dev_queue_xmit);
        } else
                netif_rx(skb);
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 4c4977d12fd6..44420992f72f 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -3,15 +3,8 @@
 *      Linux ethernet bridge
 *
 *      Authors:
- *      Lennert Buytenhek               <buytenh@gnu.org>
+ *      Lennert Buytenhek               <buytenh@gnu.org>
- *      Bart De Schuymer (maintainer)   <bdschuym@pandora.be>
+ *      Bart De Schuymer                <bdschuym@pandora.be>
- *
- *      Changes:
- *      Apr 29 2003: physdev module support (bdschuym)
- *      Jun 19 2003: let arptables see bridged ARP traffic (bdschuym)
- *      Oct 06 2003: filter encapsulated IP/ARP VLAN traffic on untagged bridge
- *                   (bdschuym)
- *      Sep 01 2004: add IPv6 filtering (bdschuym)
 *
 *      This program is free software; you can redistribute it and/or
 *      modify it under the terms of the GNU General Public License
@@ -204,15 +197,24 @@ static inline void nf_bridge_save_header(struct sk_buff *skb)
                                         skb->nf_bridge->data, header_size);
 }
-/*
+static inline void nf_bridge_update_protocol(struct sk_buff *skb)
- * When forwarding bridge frames, we save a copy of the original
+{
- * header before processing.
+        if (skb->nf_bridge->mask & BRNF_8021Q)
+                skb->protocol = htons(ETH_P_8021Q);
+        else if (skb->nf_bridge->mask & BRNF_PPPoE)
+                skb->protocol = htons(ETH_P_PPP_SES);
+}
+/* Fill in the header for fragmented IP packets handled by
+ * the IPv4 connection tracking code.
 */
 int nf_bridge_copy_header(struct sk_buff *skb)
 {
        int err;
-        int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
+        unsigned int header_size;
+        nf_bridge_update_protocol(skb);
+        header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
        err = skb_cow_head(skb, header_size);
        if (err)
                return err;
@@ -246,27 +248,48 @@ static int br_nf_pre_routing_finish_ipv6(struct sk_buff *skb)
        skb_dst_set(skb, &rt->u.dst);
        skb->dev = nf_bridge->physindev;
+        nf_bridge_update_protocol(skb);
        nf_bridge_push_encap_header(skb);
-        NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
+        NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
                       br_handle_frame_finish, 1);
        return 0;
 }
-static void __br_dnat_complain(void)
+/* Obtain the correct destination MAC address, while preserving the original
+ * source MAC address. If we already know this address, we just copy it. If we
+ * don't, we use the neighbour framework to find out. In both cases, we make
+ * sure that br_handle_frame_finish() is called afterwards.
+ */
+static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
 {
-        static unsigned long last_complaint;
+        struct nf_bridge_info *nf_bridge = skb->nf_bridge;
+        struct dst_entry *dst;
-        if (jiffies - last_complaint >= 5 * HZ) {
+        skb->dev = bridge_parent(skb->dev);
-                printk(KERN_WARNING "Performing cross-bridge DNAT requires IP "
+        if (!skb->dev)
-                       "forwarding to be enabled\n");
+                goto free_skb;
-                last_complaint = jiffies;
+        dst = skb_dst(skb);
+        if (dst->hh) {
+                neigh_hh_bridge(dst->hh, skb);
+                skb->dev = nf_bridge->physindev;
+                return br_handle_frame_finish(skb);
+        } else if (dst->neighbour) {
+                /* the neighbour function below overwrites the complete
+                 * MAC header, so we save the Ethernet source address and
+                 * protocol number. */
+                skb_copy_from_linear_data_offset(skb, -(ETH_HLEN-ETH_ALEN), skb->nf_bridge->data, ETH_HLEN-ETH_ALEN);
+                /* tell br_dev_xmit to continue with forwarding */
+                nf_bridge->mask |= BRNF_BRIDGED_DNAT;
+                return dst->neighbour->output(skb);
        }
+free_skb:
+        kfree_skb(skb);
+        return 0;
 }
 /* This requires some explaining. If DNAT has taken place,
- * we will need to fix up the destination Ethernet address,
+ * we will need to fix up the destination Ethernet address.
- * and this is a tricky process.
 *
 * There are two cases to consider:
 * 1. The packet was DNAT'ed to a device in the same bridge
@@ -280,62 +303,29 @@ static void __br_dnat_complain(void)
 * call ip_route_input() and to look at skb->dst->dev, which is
 * changed to the destination device if ip_route_input() succeeds.
 *
- * Let us first consider the case that ip_route_input() succeeds:
+ * Let's first consider the case that ip_route_input() succeeds:
- *
- * If skb->dst->dev equals the logical bridge device the packet
- * came in on, we can consider this bridging. The packet is passed
- * through the neighbour output function to build a new destination
- * MAC address, which will make the packet enter br_nf_local_out()
- * not much later. In that function it is assured that the iptables
- * FORWARD chain is traversed for the packet.
 *
+ * If the output device equals the logical bridge device the packet
+ * came in on, we can consider this bridging. The corresponding MAC
+ * address will be obtained in br_nf_pre_routing_finish_bridge.
 * Otherwise, the packet is considered to be routed and we just
 * change the destination MAC address so that the packet will
 * later be passed up to the IP stack to be routed. For a redirected
 * packet, ip_route_input() will give back the localhost as output device,
 * which differs from the bridge device.
 *
- * Let us now consider the case that ip_route_input() fails:
+ * Let's now consider the case that ip_route_input() fails:
 *
 * This can be because the destination address is martian, in which case
 * the packet will be dropped.
- * After a "echo '0' > /proc/sys/net/ipv4/ip_forward" ip_route_input()
+ * If IP forwarding is disabled, ip_route_input() will fail, while
- * will fail, while __ip_route_output_key() will return success. The source
+ * ip_route_output_key() can return success. The source
- * address for __ip_route_output_key() is set to zero, so __ip_route_output_key
+ * address for ip_route_output_key() is set to zero, so ip_route_output_key()
 * thinks we're handling a locally generated packet and won't care
- * if IP forwarding is allowed. We send a warning message to the users's
+ * if IP forwarding is enabled. If the output device equals the logical bridge
- * log telling her to put IP forwarding on.
+ * device, we proceed as if ip_route_input() succeeded. If it differs from the
- *
+ * logical bridge port or if ip_route_output_key() fails we drop the packet.
- * ip_route_input() will also fail if there is no route available.
+ */
- * In that case we just drop the packet.
- *
- * --Lennert, 20020411
- * --Bart, 20020416 (updated)
- * --Bart, 20021007 (updated)
- * --Bart, 20062711 (updated) */
-static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
-{
-        if (skb->pkt_type == PACKET_OTHERHOST) {
-                skb->pkt_type = PACKET_HOST;
-                skb->nf_bridge->mask |= BRNF_PKT_TYPE;
-        }
-        skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
-        skb->dev = bridge_parent(skb->dev);
-        if (skb->dev) {
-                struct dst_entry *dst = skb_dst(skb);
-                nf_bridge_pull_encap_header(skb);
-                if (dst->hh)
-                        return neigh_hh_output(dst->hh, skb);
-                else if (dst->neighbour)
-                        return dst->neighbour->output(skb);
-        }
-        kfree_skb(skb);
-        return 0;
-}
 static int br_nf_pre_routing_finish(struct sk_buff *skb)
 {
        struct net_device *dev = skb->dev;
@@ -379,11 +369,6 @@ static int br_nf_pre_routing_finish(struct sk_buff *skb)
                                        skb_dst_set(skb, (struct dst_entry *)rt);
                                        goto bridged_dnat;
                                }
-                                /* we are sure that forwarding is disabled, so printing
-                                 * this message is no problem. Note that the packet could
-                                 * still have a martian destination address, in which case
-                                 * the packet could be dropped even if forwarding were enabled */
-                                __br_dnat_complain();
                                dst_release((struct dst_entry *)rt);
                        }
 free_skb:
@@ -392,12 +377,11 @@ free_skb:
                } else {
                        if (skb_dst(skb)->dev == dev) {
 bridged_dnat:
-                                /* Tell br_nf_local_out this is a
-                                 * bridged frame */
-                                nf_bridge->mask |= BRNF_BRIDGED_DNAT;
                                skb->dev = nf_bridge->physindev;
+                                nf_bridge_update_protocol(skb);
                                nf_bridge_push_encap_header(skb);
-                                NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING,
+                                NF_HOOK_THRESH(NFPROTO_BRIDGE,
+                                               NF_BR_PRE_ROUTING,
                                               skb, skb->dev, NULL,
                                               br_nf_pre_routing_finish_bridge,
                                               1);
@@ -417,8 +401,9 @@ bridged_dnat:
        }
        skb->dev = nf_bridge->physindev;
+        nf_bridge_update_protocol(skb);
        nf_bridge_push_encap_header(skb);
-        NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
+        NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
                       br_handle_frame_finish, 1);
        return 0;
@@ -437,6 +422,10 @@ static struct net_device *setup_pre_routing(struct sk_buff *skb)
        nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
        nf_bridge->physindev = skb->dev;
        skb->dev = bridge_parent(skb->dev);
+        if (skb->protocol == htons(ETH_P_8021Q))
+                nf_bridge->mask |= BRNF_8021Q;
+        else if (skb->protocol == htons(ETH_P_PPP_SES))
+                nf_bridge->mask |= BRNF_PPPoE;
        return skb->dev;
 }
@@ -535,7 +524,8 @@ static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
        if (!setup_pre_routing(skb))
                return NF_DROP;
-        NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
+        skb->protocol = htons(ETH_P_IPV6);
+        NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
                br_nf_pre_routing_finish_ipv6);
        return NF_STOLEN;
@@ -607,8 +597,9 @@ static unsigned int br_nf_pre_routing(unsigned int hook, struct sk_buff *skb,
        if (!setup_pre_routing(skb))
                return NF_DROP;
        store_orig_dstaddr(skb);
+        skb->protocol = htons(ETH_P_IP);
-        NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
+        NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
                br_nf_pre_routing_finish);
        return NF_STOLEN;
@@ -652,11 +643,13 @@ static int br_nf_forward_finish(struct sk_buff *skb)
                        skb->pkt_type = PACKET_OTHERHOST;
                        nf_bridge->mask ^= BRNF_PKT_TYPE;
                }
+                nf_bridge_update_protocol(skb);
        } else {
                in = *((struct net_device **)(skb->cb));
        }
        nf_bridge_push_encap_header(skb);
-        NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in,
+        NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, in,
                       skb->dev, br_forward_finish, 1);
        return 0;
 }
@@ -707,6 +700,10 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
        /* The physdev module checks on this */
        nf_bridge->mask |= BRNF_BRIDGED;
        nf_bridge->physoutdev = skb->dev;
+        if (pf == PF_INET)
+                skb->protocol = htons(ETH_P_IP);
+        else
+                skb->protocol = htons(ETH_P_IPV6);
        NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent,
                br_nf_forward_finish);
@@ -744,60 +741,11 @@ static unsigned int br_nf_forward_arp(unsigned int hook, struct sk_buff *skb,
        return NF_STOLEN;
 }
-/* PF_BRIDGE/LOCAL_OUT ***********************************************
- *
- * This function sees both locally originated IP packets and forwarded
- * IP packets (in both cases the destination device is a bridge
- * device). It also sees bridged-and-DNAT'ed packets.
- *
- * If (nf_bridge->mask & BRNF_BRIDGED_DNAT) then the packet is bridged
- * and we fake the PF_BRIDGE/FORWARD hook. The function br_nf_forward()
- * will then fake the PF_INET/FORWARD hook. br_nf_local_out() has priority
- * NF_BR_PRI_FIRST, so no relevant PF_BRIDGE/INPUT functions have been nor
- * will be executed.
- */
-static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff *skb,
-                                    const struct net_device *in,
-                                    const struct net_device *out,
-                                    int (*okfn)(struct sk_buff *))
-{
-        struct net_device *realindev;
-        struct nf_bridge_info *nf_bridge;
-        if (!skb->nf_bridge)
-                return NF_ACCEPT;
-        /* Need exclusive nf_bridge_info since we might have multiple
-         * different physoutdevs. */
-        if (!nf_bridge_unshare(skb))
-                return NF_DROP;
-        nf_bridge = skb->nf_bridge;
-        if (!(nf_bridge->mask & BRNF_BRIDGED_DNAT))
-                return NF_ACCEPT;
-        /* Bridged, take PF_BRIDGE/FORWARD.
-         * (see big note in front of br_nf_pre_routing_finish) */
-        nf_bridge->physoutdev = skb->dev;
-        realindev = nf_bridge->physindev;
-        if (nf_bridge->mask & BRNF_PKT_TYPE) {
-                skb->pkt_type = PACKET_OTHERHOST;
-                nf_bridge->mask ^= BRNF_PKT_TYPE;
-        }
-        nf_bridge_push_encap_header(skb);
-        NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, realindev, skb->dev,
-                br_forward_finish);
-        return NF_STOLEN;
-}
 #if defined(CONFIG_NF_CONNTRACK_IPV4) || defined(CONFIG_NF_CONNTRACK_IPV4_MODULE)
 static int br_nf_dev_queue_xmit(struct sk_buff *skb)
 {
-        if (skb->nfct != NULL &&
+        if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
-            (skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb)) &&
+            skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
-            skb->len > skb->dev->mtu &&
            !skb_is_gso(skb))
                return ip_fragment(skb, br_dev_queue_push_xmit);
        else
@@ -820,21 +768,7 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
        struct net_device *realoutdev = bridge_parent(skb->dev);
        u_int8_t pf;
-#ifdef CONFIG_NETFILTER_DEBUG
+        if (!nf_bridge || !(nf_bridge->mask & BRNF_BRIDGED))
-        /* Be very paranoid. This probably won't happen anymore, but let's
-         * keep the check just to be sure... */
-        if (skb_mac_header(skb) < skb->head ||
-            skb_mac_header(skb) + ETH_HLEN > skb->data) {
-                printk(KERN_CRIT "br_netfilter: Argh!! br_nf_post_routing: "
-                       "bad mac.raw pointer.\n");
-                goto print_error;
-        }
-#endif
-        if (!nf_bridge)
-                return NF_ACCEPT;
-        if (!(nf_bridge->mask & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT)))
                return NF_ACCEPT;
        if (!realoutdev)
@@ -849,13 +783,6 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
        else
                return NF_ACCEPT;
-#ifdef CONFIG_NETFILTER_DEBUG
-        if (skb_dst(skb) == NULL) {
-                printk(KERN_INFO "br_netfilter post_routing: skb->dst == NULL\n");
-                goto print_error;
-        }
-#endif
        /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
         * about the value of skb->pkt_type. */
        if (skb->pkt_type == PACKET_OTHERHOST) {
@@ -865,24 +792,15 @@ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff *skb,
        nf_bridge_pull_encap_header(skb);
        nf_bridge_save_header(skb);
+        if (pf == PF_INET)
+                skb->protocol = htons(ETH_P_IP);
+        else
+                skb->protocol = htons(ETH_P_IPV6);
        NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev,
                br_nf_dev_queue_xmit);
        return NF_STOLEN;
-#ifdef CONFIG_NETFILTER_DEBUG
-print_error:
-        if (skb->dev != NULL) {
-                printk("[%s]", skb->dev->name);
-                if (realoutdev)
-                        printk("[%s]", realoutdev->name);
-        }
-        printk(" head:%p, raw:%p, data:%p\n", skb->head, skb_mac_header(skb),
-               skb->data);
-        dump_stack();
-        return NF_ACCEPT;
-#endif
 }
 /* IP/SABOTAGE *****************************************************/
@@ -901,10 +819,8 @@ static unsigned int ip_sabotage_in(unsigned int hook, struct sk_buff *skb,
        return NF_ACCEPT;
 }
-/* For br_nf_local_out we need (prio = NF_BR_PRI_FIRST), to insure that innocent
+/* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
- * PF_BRIDGE/NF_BR_LOCAL_OUT functions don't get bridged traffic as input.
+ * br_dev_queue_push_xmit is called afterwards */
- * For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
- * ip_refrag() can return NF_STOLEN. */
 static struct nf_hook_ops br_nf_ops[] __read_mostly = {
        {
                .hook = br_nf_pre_routing,
@@ -935,13 +851,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = {
                .priority = NF_BR_PRI_BRNF,
        },
        {
-                .hook = br_nf_local_out,
-                .owner = THIS_MODULE,
-                .pf = PF_BRIDGE,
-                .hooknum = NF_BR_LOCAL_OUT,
-                .priority = NF_BR_PRI_FIRST,
-        },
-        {
                .hook = br_nf_post_routing,
                .owner = THIS_MODULE,
                .pf = PF_BRIDGE,
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index aa56ac2c8829..fe0a79018ab2 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -42,8 +42,8 @@ static int br_fill_ifinfo(struct sk_buff *skb, const struct net_bridge_port *por
        struct nlmsghdr *nlh;
        u8 operstate = netif_running(dev) ? dev->operstate : IF_OPER_DOWN;
-        pr_debug("br_fill_info event %d port %s master %s\n",
+        br_debug(br, "br_fill_info event %d port %s master %s\n",
-                 event, dev->name, br->dev->name);
+                     event, dev->name, br->dev->name);
        nlh = nlmsg_put(skb, pid, seq, event, sizeof(*hdr), flags);
        if (nlh == NULL)
@@ -87,7 +87,9 @@ void br_ifinfo_notify(int event, struct net_bridge_port *port)
        struct sk_buff *skb;
        int err = -ENOBUFS;
-        pr_debug("bridge notify event=%d\n", event);
+        br_debug(port->br, "port %u(%s) event %d\n",
+                 (unsigned)port->port_no, port->dev->name, event);
        skb = nlmsg_new(br_nlmsg_size(), GFP_ATOMIC);
        if (skb == NULL)
                goto errout;
diff --git a/net/bridge/br_notify.c b/net/bridge/br_notify.c
index 1413b72acc7f..717e1fd6133c 100644
--- a/net/bridge/br_notify.c
+++ b/net/bridge/br_notify.c
@@ -34,6 +34,7 @@ static int br_device_event(struct notifier_block *unused, unsigned long event, v
        struct net_device *dev = ptr;
        struct net_bridge_port *p = dev->br_port;
        struct net_bridge *br;
+        int err;
        /* not a port of a bridge */
        if (p == NULL)
@@ -83,6 +84,12 @@ static int br_device_event(struct notifier_block *unused, unsigned long event, v
                br_del_if(br, dev);
                break;
+        case NETDEV_CHANGENAME:
+                err = br_sysfs_renameif(p);
+                if (err)
+                        return notifier_from_errno(err);
+                break;
        case NETDEV_PRE_TYPE_CHANGE:
                /* Forbid underlaying device to change its type. */
                return NOTIFY_BAD;
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 3d2d3fe0a97e..0f4a74bc6a9b 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -139,6 +139,10 @@ struct net_bridge_port
        struct hlist_head               mglist;
        struct hlist_node               rlist;
 #endif
+#ifdef CONFIG_SYSFS
+        char                            sysfs_name[IFNAMSIZ];
+#endif
 };
 struct br_cpu_netstats {
@@ -240,6 +244,21 @@ struct br_input_skb_cb {
 # define BR_INPUT_SKB_CB_MROUTERS_ONLY(__skb)   (0)
 #endif
+#define br_printk(level, br, format, args...)   \
+        printk(level "%s: " format, (br)->dev->name, ##args)
+#define br_err(__br, format, args...)                   \
+        br_printk(KERN_ERR, __br, format, ##args)
+#define br_warn(__br, format, args...)                  \
+        br_printk(KERN_WARNING, __br, format, ##args)
+#define br_notice(__br, format, args...)                \
+        br_printk(KERN_NOTICE, __br, format, ##args)
+#define br_info(__br, format, args...)                  \
+        br_printk(KERN_INFO, __br, format, ##args)
+#define br_debug(br, format, args...)                   \
+        pr_debug("%s: " format,  (br)->dev->name, ##args)
 extern struct notifier_block br_device_notifier;
 extern const u8 br_group_address[ETH_ALEN];
@@ -253,8 +272,18 @@ static inline int br_is_root_bridge(const struct net_bridge *br)
 extern void br_dev_setup(struct net_device *dev);
 extern netdev_tx_t br_dev_xmit(struct sk_buff *skb,
                               struct net_device *dev);
-extern bool br_devices_support_netpoll(struct net_bridge *br);
+#ifdef CONFIG_NET_POLL_CONTROLLER
-extern void br_netpoll_cleanup(struct net_device *br_dev);
+extern void br_netpoll_cleanup(struct net_device *dev);
+extern void br_netpoll_enable(struct net_bridge *br,
+                              struct net_device *dev);
+extern void br_netpoll_disable(struct net_bridge *br,
+                               struct net_device *dev);
+#else
+#define br_netpoll_cleanup(br)
+#define br_netpoll_enable(br, dev)
+#define br_netpoll_disable(br, dev)
+#endif
 /* br_fdb.c */
 extern int br_fdb_init(void);
@@ -455,6 +484,7 @@ extern void br_ifinfo_notify(int event, struct net_bridge_port *port);
 /* br_sysfs_if.c */
 extern const struct sysfs_ops brport_sysfs_ops;
 extern int br_sysfs_addif(struct net_bridge_port *p);
+extern int br_sysfs_renameif(struct net_bridge_port *p);
 /* br_sysfs_br.c */
 extern int br_sysfs_addbr(struct net_device *dev);
@@ -463,6 +493,7 @@ extern void br_sysfs_delbr(struct net_device *dev);
 #else
 #define br_sysfs_addif(p)       (0)
+#define br_sysfs_renameif(p)    (0)
 #define br_sysfs_addbr(dev)     (0)
 #define br_sysfs_delbr(dev)     do { } while(0)
 #endif /* CONFIG_SYSFS */
diff --git a/net/bridge/br_stp.c b/net/bridge/br_stp.c
index edcf14b560f6..57186d84d2bd 100644
--- a/net/bridge/br_stp.c
+++ b/net/bridge/br_stp.c
@@ -31,10 +31,9 @@ static const char *const br_port_state_names[] = {
 void br_log_state(const struct net_bridge_port *p)
 {
-        pr_info("%s: port %d(%s) entering %s state\n",
+        br_info(p->br, "port %u(%s) entering %s state\n",
-                p->br->dev->name, p->port_no, p->dev->name,
+                (unsigned) p->port_no, p->dev->name,
                br_port_state_names[p->state]);
 }
 /* called under bridge lock */
@@ -300,7 +299,7 @@ void br_topology_change_detection(struct net_bridge *br)
        if (br->stp_enabled != BR_KERNEL_STP)
                return;
-        pr_info("%s: topology change detected, %s\n", br->dev->name,
+        br_info(br, "topology change detected, %s\n",
                isroot ? "propagating" : "sending tcn bpdu");
        if (isroot) {
@@ -469,8 +468,8 @@ void br_received_config_bpdu(struct net_bridge_port *p, struct br_config_bpdu *b
 void br_received_tcn_bpdu(struct net_bridge_port *p)
 {
        if (br_is_designated_port(p)) {
-                pr_info("%s: received tcn bpdu on port %i(%s)\n",
+                br_info(p->br, "port %u(%s) received tcn bpdu\n",
-                       p->br->dev->name, p->port_no, p->dev->name);
+                        (unsigned) p->port_no, p->dev->name);
                br_topology_change_detection(p->br);
                br_topology_change_acknowledge(p);
diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c
index d66cce11f3bf..217bd225a42f 100644
--- a/net/bridge/br_stp_bpdu.c
+++ b/net/bridge/br_stp_bpdu.c
@@ -50,7 +50,7 @@ static void br_send_bpdu(struct net_bridge_port *p,
        llc_mac_hdr_init(skb, p->dev->dev_addr, p->br->group_addr);
-        NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
+        NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
                dev_queue_xmit);
 }
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index d527119e9f54..1d8826914cbf 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -85,17 +85,16 @@ void br_stp_enable_port(struct net_bridge_port *p)
 {
        br_init_port(p);
        br_port_state_selection(p->br);
+        br_log_state(p);
 }
 /* called under bridge lock */
 void br_stp_disable_port(struct net_bridge_port *p)
 {
-        struct net_bridge *br;
+        struct net_bridge *br = p->br;
        int wasroot;
-        br = p->br;
+        br_log_state(p);
-        printk(KERN_INFO "%s: port %i(%s) entering %s state\n",
-               br->dev->name, p->port_no, p->dev->name, "disabled");
        wasroot = br_is_root_bridge(br);
        br_become_designated_port(p);
@@ -127,11 +126,10 @@ static void br_stp_start(struct net_bridge *br)
        r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
        if (r == 0) {
                br->stp_enabled = BR_USER_STP;
-                printk(KERN_INFO "%s: userspace STP started\n", br->dev->name);
+                br_debug(br, "userspace STP started\n");
        } else {
                br->stp_enabled = BR_KERNEL_STP;
-                printk(KERN_INFO "%s: starting userspace STP failed, "
+                br_debug(br, "using kernel STP\n");
-                                "starting kernel STP\n", br->dev->name);
                /* To start timers on any ports left in blocking */
                spin_lock_bh(&br->lock);
@@ -148,9 +146,7 @@ static void br_stp_stop(struct net_bridge *br)
        if (br->stp_enabled == BR_USER_STP) {
                r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
-                printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
+                br_info(br, "userspace STP stopped, return code %d\n", r);
-                        br->dev->name, r);
                /* To start timers on any ports left in blocking */
                spin_lock_bh(&br->lock);
diff --git a/net/bridge/br_stp_timer.c b/net/bridge/br_stp_timer.c
index 772a140bfdf0..7b22456023c5 100644
--- a/net/bridge/br_stp_timer.c
+++ b/net/bridge/br_stp_timer.c
@@ -35,7 +35,7 @@ static void br_hello_timer_expired(unsigned long arg)
 {
        struct net_bridge *br = (struct net_bridge *)arg;
-        pr_debug("%s: hello timer expired\n", br->dev->name);
+        br_debug(br, "hello timer expired\n");
        spin_lock(&br->lock);
        if (br->dev->flags & IFF_UP) {
                br_config_bpdu_generation(br);
@@ -55,13 +55,9 @@ static void br_message_age_timer_expired(unsigned long arg)
        if (p->state == BR_STATE_DISABLED)
                return;
+        br_info(br, "port %u(%s) neighbor %.2x%.2x.%pM lost\n",
-        pr_info("%s: neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)\n",
+                (unsigned) p->port_no, p->dev->name,
-                br->dev->name,
+                id->prio[0], id->prio[1], &id->addr);
-                id->prio[0], id->prio[1],
-                id->addr[0], id->addr[1], id->addr[2],
-                id->addr[3], id->addr[4], id->addr[5],
-                p->port_no, p->dev->name);
        /*
         * According to the spec, the message age timer cannot be
@@ -87,8 +83,8 @@ static void br_forward_delay_timer_expired(unsigned long arg)
        struct net_bridge_port *p = (struct net_bridge_port *) arg;
        struct net_bridge *br = p->br;
-        pr_debug("%s: %d(%s) forward delay timer\n",
+        br_debug(br, "port %u(%s) forward delay timer\n",
-                 br->dev->name, p->port_no, p->dev->name);
+                 (unsigned) p->port_no, p->dev->name);
        spin_lock(&br->lock);
        if (p->state == BR_STATE_LISTENING) {
                p->state = BR_STATE_LEARNING;
@@ -107,7 +103,7 @@ static void br_tcn_timer_expired(unsigned long arg)
 {
        struct net_bridge *br = (struct net_bridge *) arg;
-        pr_debug("%s: tcn timer expired\n", br->dev->name);
+        br_debug(br, "tcn timer expired\n");
        spin_lock(&br->lock);
        if (br->dev->flags & IFF_UP) {
                br_transmit_tcn(br);
@@ -121,7 +117,7 @@ static void br_topology_change_timer_expired(unsigned long arg)
 {
        struct net_bridge *br = (struct net_bridge *) arg;
-        pr_debug("%s: topo change timer expired\n", br->dev->name);
+        br_debug(br, "topo change timer expired\n");
        spin_lock(&br->lock);
        br->topology_change_detected = 0;
        br->topology_change = 0;
@@ -132,8 +128,8 @@ static void br_hold_timer_expired(unsigned long arg)
 {
        struct net_bridge_port *p = (struct net_bridge_port *) arg;
-        pr_debug("%s: %d(%s) hold timer expired\n",
+        br_debug(p->br, "port %u(%s) hold timer expired\n",
-                 p->br->dev->name,  p->port_no, p->dev->name);
+                 (unsigned) p->port_no, p->dev->name);
        spin_lock(&p->br->lock);
        if (p->config_pending)
diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c
index dd321e39e621..486b8f3861d2 100644
--- a/net/bridge/br_sysfs_br.c
+++ b/net/bridge/br_sysfs_br.c
@@ -659,7 +659,7 @@ static struct attribute_group bridge_group = {
 *
 * Returns the number of bytes read.
 */
-static ssize_t brforward_read(struct kobject *kobj,
+static ssize_t brforward_read(struct file *filp, struct kobject *kobj,
                              struct bin_attribute *bin_attr,
                              char *buf, loff_t off, size_t count)
 {
diff --git a/net/bridge/br_sysfs_if.c b/net/bridge/br_sysfs_if.c
index 0b9916489d6b..fd5799c9bc8d 100644
--- a/net/bridge/br_sysfs_if.c
+++ b/net/bridge/br_sysfs_if.c
@@ -246,7 +246,7 @@ const struct sysfs_ops brport_sysfs_ops = {
 /*
 * Add sysfs entries to ethernet device added to a bridge.
 * Creates a brport subdirectory with bridge attributes.
- * Puts symlink in bridge's brport subdirectory
+ * Puts symlink in bridge's brif subdirectory
 */
 int br_sysfs_addif(struct net_bridge_port *p)
 {
@@ -257,15 +257,37 @@ int br_sysfs_addif(struct net_bridge_port *p)
        err = sysfs_create_link(&p->kobj, &br->dev->dev.kobj,
                                SYSFS_BRIDGE_PORT_LINK);
        if (err)
-                goto out2;
+                return err;
        for (a = brport_attrs; *a; ++a) {
                err = sysfs_create_file(&p->kobj, &((*a)->attr));
                if (err)
-                        goto out2;
+                        return err;
        }
-        err = sysfs_create_link(br->ifobj, &p->kobj, p->dev->name);
+        strlcpy(p->sysfs_name, p->dev->name, IFNAMSIZ);
-out2:
+        return sysfs_create_link(br->ifobj, &p->kobj, p->sysfs_name);
+}
+/* Rename bridge's brif symlink */
+int br_sysfs_renameif(struct net_bridge_port *p)
+{
+        struct net_bridge *br = p->br;
+        int err;
+        /* If a rename fails, the rollback will cause another
+         * rename call with the existing name.
+         */
+        if (!strncmp(p->sysfs_name, p->dev->name, IFNAMSIZ))
+                return 0;
+        err = sysfs_rename_link(br->ifobj, &p->kobj,
+                                p->sysfs_name, p->dev->name);
+        if (err)
+                netdev_notice(br->dev, "unable to rename link %s to %s",
+                              p->sysfs_name, p->dev->name);
+        else
+                strlcpy(p->sysfs_name, p->dev->name, IFNAMSIZ);
        return err;
 }
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c
index 5d1176758ca5..2a449b7ab8fa 100644
--- a/net/bridge/netfilter/ebt_802_3.c
+++ b/net/bridge/netfilter/ebt_802_3.c
@@ -13,7 +13,7 @@
 #include <linux/netfilter_bridge/ebt_802_3.h>
 static bool
-ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_802_3_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ebt_802_3_info *info = par->matchinfo;
        const struct ebt_802_3_hdr *hdr = ebt_802_3_hdr(skb);
@@ -36,14 +36,14 @@ ebt_802_3_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool ebt_802_3_mt_check(const struct xt_mtchk_param *par)
+static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
 {
        const struct ebt_802_3_info *info = par->matchinfo;
        if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK)
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
 static struct xt_match ebt_802_3_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index b595f091f35b..8b84c581be30 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -7,6 +7,7 @@
 *  August, 2003
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/ip.h>
 #include <linux/if_arp.h>
 #include <linux/module.h>
@@ -128,7 +129,7 @@ static int get_ip_src(const struct sk_buff *skb, __be32 *addr)
 }
 static bool
-ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_among_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ebt_among_info *info = par->matchinfo;
        const char *dmac, *smac;
@@ -171,7 +172,7 @@ ebt_among_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool ebt_among_mt_check(const struct xt_mtchk_param *par)
+static int ebt_among_mt_check(const struct xt_mtchk_param *par)
 {
        const struct ebt_among_info *info = par->matchinfo;
        const struct ebt_entry_match *em =
@@ -186,24 +187,20 @@ static bool ebt_among_mt_check(const struct xt_mtchk_param *par)
        expected_length += ebt_mac_wormhash_size(wh_src);
        if (em->match_size != EBT_ALIGN(expected_length)) {
-                printk(KERN_WARNING
+                pr_info("wrong size: %d against expected %d, rounded to %Zd\n",
-                       "ebtables: among: wrong size: %d "
+                        em->match_size, expected_length,
-                       "against expected %d, rounded to %Zd\n",
+                        EBT_ALIGN(expected_length));
-                       em->match_size, expected_length,
+                return -EINVAL;
-                       EBT_ALIGN(expected_length));
-                return false;
        }
        if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) {
-                printk(KERN_WARNING
+                pr_info("dst integrity fail: %x\n", -err);
-                       "ebtables: among: dst integrity fail: %x\n", -err);
+                return -EINVAL;
-                return false;
        }
        if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) {
-                printk(KERN_WARNING
+                pr_info("src integrity fail: %x\n", -err);
-                       "ebtables: among: src integrity fail: %x\n", -err);
+                return -EINVAL;
-                return false;
        }
-        return true;
+        return 0;
 }
 static struct xt_match ebt_among_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c
index e727697c5847..cd457b891b27 100644
--- a/net/bridge/netfilter/ebt_arp.c
+++ b/net/bridge/netfilter/ebt_arp.c
@@ -16,7 +16,7 @@
 #include <linux/netfilter_bridge/ebt_arp.h>
 static bool
-ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ebt_arp_info *info = par->matchinfo;
        const struct arphdr *ah;
@@ -100,7 +100,7 @@ ebt_arp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool ebt_arp_mt_check(const struct xt_mtchk_param *par)
+static int ebt_arp_mt_check(const struct xt_mtchk_param *par)
 {
        const struct ebt_arp_info *info = par->matchinfo;
        const struct ebt_entry *e = par->entryinfo;
@@ -108,10 +108,10 @@ static bool ebt_arp_mt_check(const struct xt_mtchk_param *par)
        if ((e->ethproto != htons(ETH_P_ARP) &&
           e->ethproto != htons(ETH_P_RARP)) ||
           e->invflags & EBT_IPROTO)
-                return false;
+                return -EINVAL;
        if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK)
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
 static struct xt_match ebt_arp_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index f392e9d93f53..070cf134a22f 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -16,7 +16,7 @@
 #include <linux/netfilter_bridge/ebt_arpreply.h>
 static unsigned int
-ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_arpreply_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct ebt_arpreply_info *info = par->targinfo;
        const __be32 *siptr, *diptr;
@@ -57,17 +57,17 @@ ebt_arpreply_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return info->target;
 }
-static bool ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
+static int ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
 {
        const struct ebt_arpreply_info *info = par->targinfo;
        const struct ebt_entry *e = par->entryinfo;
        if (BASE_CHAIN && info->target == EBT_RETURN)
-                return false;
+                return -EINVAL;
        if (e->ethproto != htons(ETH_P_ARP) ||
            e->invflags & EBT_IPROTO)
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
 static struct xt_target ebt_arpreply_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 2bb40d728a35..c59f7bfae6e2 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -15,7 +15,7 @@
 #include <linux/netfilter_bridge/ebt_nat.h>
 static unsigned int
-ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct ebt_nat_info *info = par->targinfo;
@@ -26,13 +26,13 @@ ebt_dnat_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return info->target;
 }
-static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par)
+static int ebt_dnat_tg_check(const struct xt_tgchk_param *par)
 {
        const struct ebt_nat_info *info = par->targinfo;
        unsigned int hook_mask;
        if (BASE_CHAIN && info->target == EBT_RETURN)
-                return false;
+                return -EINVAL;
        hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
        if ((strcmp(par->table, "nat") != 0 ||
@@ -40,10 +40,10 @@ static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par)
            (1 << NF_BR_LOCAL_OUT)))) &&
            (strcmp(par->table, "broute") != 0 ||
            hook_mask & ~(1 << NF_BR_BROUTING)))
-                return false;
+                return -EINVAL;
        if (INVALID_TARGET)
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
 static struct xt_target ebt_dnat_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c
index 5de6df6f86b8..23bca62d58d2 100644
--- a/net/bridge/netfilter/ebt_ip.c
+++ b/net/bridge/netfilter/ebt_ip.c
@@ -25,7 +25,7 @@ struct tcpudphdr {
 };
 static bool
-ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ebt_ip_info *info = par->matchinfo;
        const struct iphdr *ih;
@@ -77,31 +77,31 @@ ebt_ip_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool ebt_ip_mt_check(const struct xt_mtchk_param *par)
+static int ebt_ip_mt_check(const struct xt_mtchk_param *par)
 {
        const struct ebt_ip_info *info = par->matchinfo;
        const struct ebt_entry *e = par->entryinfo;
        if (e->ethproto != htons(ETH_P_IP) ||
           e->invflags & EBT_IPROTO)
-                return false;
+                return -EINVAL;
        if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK)
-                return false;
+                return -EINVAL;
        if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) {
                if (info->invflags & EBT_IP_PROTO)
-                        return false;
+                        return -EINVAL;
                if (info->protocol != IPPROTO_TCP &&
                    info->protocol != IPPROTO_UDP &&
                    info->protocol != IPPROTO_UDPLITE &&
                    info->protocol != IPPROTO_SCTP &&
                    info->protocol != IPPROTO_DCCP)
-                         return false;
+                         return -EINVAL;
        }
        if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1])
-                return false;
+                return -EINVAL;
        if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1])
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
 static struct xt_match ebt_ip_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index bbf2534ef026..50a46afc2bcc 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -4,7 +4,7 @@
 *      Authors:
 *      Manohar Castelino <manohar.r.castelino@intel.com>
 *      Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
- *      Jan Engelhardt <jengelh@computergmbh.de>
+ *      Jan Engelhardt <jengelh@medozas.de>
 *
 * Summary:
 * This is just a modification of the IPv4 code written by
@@ -28,15 +28,13 @@ struct tcpudphdr {
 };
 static bool
-ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ebt_ip6_info *info = par->matchinfo;
        const struct ipv6hdr *ih6;
        struct ipv6hdr _ip6h;
        const struct tcpudphdr *pptr;
        struct tcpudphdr _ports;
-        struct in6_addr tmp_addr;
-        int i;
        ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h);
        if (ih6 == NULL)
@@ -44,18 +42,10 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        if (info->bitmask & EBT_IP6_TCLASS &&
           FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS))
                return false;
-        for (i = 0; i < 4; i++)
+        if (FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
-                tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] &
+                                       &info->saddr), EBT_IP6_SOURCE) ||
-                        info->smsk.in6_u.u6_addr32[i];
+            FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk,
-        if (info->bitmask & EBT_IP6_SOURCE &&
+                                       &info->daddr), EBT_IP6_DEST))
-                FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0),
-                        EBT_IP6_SOURCE))
-                return false;
-        for (i = 0; i < 4; i++)
-                tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] &
-                        info->dmsk.in6_u.u6_addr32[i];
-        if (info->bitmask & EBT_IP6_DEST &&
-           FWINV((ipv6_addr_cmp(&tmp_addr, &info->daddr) != 0), EBT_IP6_DEST))
                return false;
        if (info->bitmask & EBT_IP6_PROTO) {
                uint8_t nexthdr = ih6->nexthdr;
@@ -90,30 +80,30 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool ebt_ip6_mt_check(const struct xt_mtchk_param *par)
+static int ebt_ip6_mt_check(const struct xt_mtchk_param *par)
 {
        const struct ebt_entry *e = par->entryinfo;
        struct ebt_ip6_info *info = par->matchinfo;
        if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO)
-                return false;
+                return -EINVAL;
        if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK)
-                return false;
+                return -EINVAL;
        if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) {
                if (info->invflags & EBT_IP6_PROTO)
-                        return false;
+                        return -EINVAL;
                if (info->protocol != IPPROTO_TCP &&
                    info->protocol != IPPROTO_UDP &&
                    info->protocol != IPPROTO_UDPLITE &&
                    info->protocol != IPPROTO_SCTP &&
                    info->protocol != IPPROTO_DCCP)
-                        return false;
+                        return -EINVAL;
        }
        if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1])
-                return false;
+                return -EINVAL;
        if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1])
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
 static struct xt_match ebt_ip6_mt_reg __read_mostly = {
@@ -139,4 +129,5 @@ static void __exit ebt_ip6_fini(void)
 module_init(ebt_ip6_init);
 module_exit(ebt_ip6_fini);
 MODULE_DESCRIPTION("Ebtables: IPv6 protocol packet match");
+MODULE_AUTHOR("Kuo-Lang Tseng <kuo-lang.tseng@intel.com>");
 MODULE_LICENSE("GPL");
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 7a8182710eb3..517e78befcb2 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -10,6 +10,7 @@
 *  September, 2003
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/netdevice.h>
 #include <linux/spinlock.h>
@@ -31,7 +32,7 @@ static DEFINE_SPINLOCK(limit_lock);
 #define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
 static bool
-ebt_limit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        struct ebt_limit_info *info = (void *)par->matchinfo;
        unsigned long now = jiffies;
@@ -64,16 +65,16 @@ user2credits(u_int32_t user)
        return (user * HZ * CREDITS_PER_JIFFY) / EBT_LIMIT_SCALE;
 }
-static bool ebt_limit_mt_check(const struct xt_mtchk_param *par)
+static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
 {
        struct ebt_limit_info *info = par->matchinfo;
        /* Check for overflow. */
        if (info->burst == 0 ||
            user2credits(info->avg * info->burst) < user2credits(info->avg)) {
-                printk("Overflow in ebt_limit, try lower: %u/%u\n",
+                pr_info("overflow, try lower: %u/%u\n",
                        info->avg, info->burst);
-                return false;
+                return -EINVAL;
        }
        /* User avg in seconds * EBT_LIMIT_SCALE: convert to jiffies * 128. */
@@ -81,7 +82,7 @@ static bool ebt_limit_mt_check(const struct xt_mtchk_param *par)
        info->credit = user2credits(info->avg * info->burst);
        info->credit_cap = user2credits(info->avg * info->burst);
        info->cost = user2credits(info->avg);
-        return true;
+        return 0;
 }
diff --git a/net/bridge/netfilter/ebt_log.c b/net/bridge/netfilter/ebt_log.c
index e873924ddb5d..6e5a8bb9b940 100644
--- a/net/bridge/netfilter/ebt_log.c
+++ b/net/bridge/netfilter/ebt_log.c
@@ -24,16 +24,16 @@
 static DEFINE_SPINLOCK(ebt_log_lock);
-static bool ebt_log_tg_check(const struct xt_tgchk_param *par)
+static int ebt_log_tg_check(const struct xt_tgchk_param *par)
 {
        struct ebt_log_info *info = par->targinfo;
        if (info->bitmask & ~EBT_LOG_MASK)
-                return false;
+                return -EINVAL;
        if (info->loglevel >= 8)
-                return false;
+                return -EINVAL;
        info->prefix[EBT_LOG_PREFIX_SIZE - 1] = '\0';
-        return true;
+        return 0;
 }
 struct tcpudphdr
@@ -171,7 +171,7 @@ out:
 }
 static unsigned int
-ebt_log_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_log_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct ebt_log_info *info = par->targinfo;
        struct nf_loginfo li;
diff --git a/net/bridge/netfilter/ebt_mark.c b/net/bridge/netfilter/ebt_mark.c
index 2b5ce533d6b9..66697cbd0a8b 100644
--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -19,7 +19,7 @@
 #include <linux/netfilter_bridge/ebt_mark_t.h>
 static unsigned int
-ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct ebt_mark_t_info *info = par->targinfo;
        int action = info->target & -16;
@@ -36,21 +36,21 @@ ebt_mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return info->target | ~EBT_VERDICT_BITS;
 }
-static bool ebt_mark_tg_check(const struct xt_tgchk_param *par)
+static int ebt_mark_tg_check(const struct xt_tgchk_param *par)
 {
        const struct ebt_mark_t_info *info = par->targinfo;
        int tmp;
        tmp = info->target | ~EBT_VERDICT_BITS;
        if (BASE_CHAIN && tmp == EBT_RETURN)
-                return false;
+                return -EINVAL;
        if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
-                return false;
+                return -EINVAL;
        tmp = info->target & ~EBT_VERDICT_BITS;
        if (tmp != MARK_SET_VALUE && tmp != MARK_OR_VALUE &&
            tmp != MARK_AND_VALUE && tmp != MARK_XOR_VALUE)
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
 #ifdef CONFIG_COMPAT
 struct compat_ebt_mark_t_info {
diff --git a/net/bridge/netfilter/ebt_mark_m.c b/net/bridge/netfilter/ebt_mark_m.c
index 8de8c396d913..d98baefc4c7e 100644
--- a/net/bridge/netfilter/ebt_mark_m.c
+++ b/net/bridge/netfilter/ebt_mark_m.c
@@ -13,7 +13,7 @@
 #include <linux/netfilter_bridge/ebt_mark_m.h>
 static bool
-ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ebt_mark_m_info *info = par->matchinfo;
@@ -22,17 +22,17 @@ ebt_mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ((skb->mark & info->mask) == info->mark) ^ info->invert;
 }
-static bool ebt_mark_mt_check(const struct xt_mtchk_param *par)
+static int ebt_mark_mt_check(const struct xt_mtchk_param *par)
 {
        const struct ebt_mark_m_info *info = par->matchinfo;
        if (info->bitmask & ~EBT_MARK_MASK)
-                return false;
+                return -EINVAL;
        if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND))
-                return false;
+                return -EINVAL;
        if (!info->bitmask)
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
diff --git a/net/bridge/netfilter/ebt_nflog.c b/net/bridge/netfilter/ebt_nflog.c
index 40dbd248b9ae..5be68bbcc341 100644
--- a/net/bridge/netfilter/ebt_nflog.c
+++ b/net/bridge/netfilter/ebt_nflog.c
@@ -20,7 +20,7 @@
 #include <net/netfilter/nf_log.h>
 static unsigned int
-ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct ebt_nflog_info *info = par->targinfo;
        struct nf_loginfo li;
@@ -35,14 +35,14 @@ ebt_nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return EBT_CONTINUE;
 }
-static bool ebt_nflog_tg_check(const struct xt_tgchk_param *par)
+static int ebt_nflog_tg_check(const struct xt_tgchk_param *par)
 {
        struct ebt_nflog_info *info = par->targinfo;
        if (info->flags & ~EBT_NFLOG_MASK)
-                return false;
+                return -EINVAL;
        info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0';
-        return true;
+        return 0;
 }
 static struct xt_target ebt_nflog_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_pkttype.c b/net/bridge/netfilter/ebt_pkttype.c
index e2a07e6cbef3..496a56515307 100644
--- a/net/bridge/netfilter/ebt_pkttype.c
+++ b/net/bridge/netfilter/ebt_pkttype.c
@@ -13,21 +13,21 @@
 #include <linux/netfilter_bridge/ebt_pkttype.h>
 static bool
-ebt_pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ebt_pkttype_info *info = par->matchinfo;
        return (skb->pkt_type == info->pkt_type) ^ info->invert;
 }
-static bool ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
+static int ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
 {
        const struct ebt_pkttype_info *info = par->matchinfo;
        if (info->invert != 0 && info->invert != 1)
-                return false;
+                return -EINVAL;
        /* Allow any pkt_type value */
-        return true;
+        return 0;
 }
 static struct xt_match ebt_pkttype_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_redirect.c b/net/bridge/netfilter/ebt_redirect.c
index 9be8fbcd370b..9e19166ba453 100644
--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -16,7 +16,7 @@
 #include <linux/netfilter_bridge/ebt_redirect.h>
 static unsigned int
-ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct ebt_redirect_info *info = par->targinfo;
@@ -32,23 +32,23 @@ ebt_redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return info->target;
 }
-static bool ebt_redirect_tg_check(const struct xt_tgchk_param *par)
+static int ebt_redirect_tg_check(const struct xt_tgchk_param *par)
 {
        const struct ebt_redirect_info *info = par->targinfo;
        unsigned int hook_mask;
        if (BASE_CHAIN && info->target == EBT_RETURN)
-                return false;
+                return -EINVAL;
        hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
        if ((strcmp(par->table, "nat") != 0 ||
            hook_mask & ~(1 << NF_BR_PRE_ROUTING)) &&
            (strcmp(par->table, "broute") != 0 ||
            hook_mask & ~(1 << NF_BR_BROUTING)))
-                return false;
+                return -EINVAL;
        if (INVALID_TARGET)
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
 static struct xt_target ebt_redirect_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_snat.c b/net/bridge/netfilter/ebt_snat.c
index 9c7b520765a2..f8f0bd1a1d51 100644
--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -17,7 +17,7 @@
 #include <linux/netfilter_bridge/ebt_nat.h>
 static unsigned int
-ebt_snat_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_snat_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct ebt_nat_info *info = par->targinfo;
@@ -42,21 +42,21 @@ out:
        return info->target | ~EBT_VERDICT_BITS;
 }
-static bool ebt_snat_tg_check(const struct xt_tgchk_param *par)
+static int ebt_snat_tg_check(const struct xt_tgchk_param *par)
 {
        const struct ebt_nat_info *info = par->targinfo;
        int tmp;
        tmp = info->target | ~EBT_VERDICT_BITS;
        if (BASE_CHAIN && tmp == EBT_RETURN)
-                return false;
+                return -EINVAL;
        if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
-                return false;
+                return -EINVAL;
        tmp = info->target | EBT_VERDICT_BITS;
        if ((tmp & ~NAT_ARP_BIT) != ~NAT_ARP_BIT)
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
 static struct xt_target ebt_snat_tg_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 92a93d363765..5b33a2e634a6 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -120,7 +120,7 @@ static bool ebt_filter_config(const struct ebt_stp_info *info,
 }
 static bool
-ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_stp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ebt_stp_info *info = par->matchinfo;
        const struct stp_header *sp;
@@ -153,7 +153,7 @@ ebt_stp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool ebt_stp_mt_check(const struct xt_mtchk_param *par)
+static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
 {
        const struct ebt_stp_info *info = par->matchinfo;
        const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00};
@@ -162,13 +162,13 @@ static bool ebt_stp_mt_check(const struct xt_mtchk_param *par)
        if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK ||
            !(info->bitmask & EBT_STP_MASK))
-                return false;
+                return -EINVAL;
        /* Make sure the match only receives stp frames */
        if (compare_ether_addr(e->destmac, bridge_ula) ||
            compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC))
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
 static struct xt_match ebt_stp_mt_reg __read_mostly = {
diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index f9560f3dbdc7..ae3c7cef1484 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -27,7 +27,7 @@
 *   flushed even if it is not full yet.
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/slab.h>
 #include <linux/spinlock.h>
@@ -44,9 +44,6 @@
 #include <net/sock.h>
 #include "../br_private.h"
-#define PRINTR(format, args...) do { if (net_ratelimit()) \
-                                printk(format , ## args); } while (0)
 static unsigned int nlbufsiz = NLMSG_GOODSIZE;
 module_param(nlbufsiz, uint, 0600);
 MODULE_PARM_DESC(nlbufsiz, "netlink buffer size (number of bytes) "
@@ -107,15 +104,14 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
        n = max(size, nlbufsiz);
        skb = alloc_skb(n, GFP_ATOMIC);
        if (!skb) {
-                PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer "
+                pr_debug("cannot alloc whole buffer of size %ub!\n", n);
-                       "of size %ub!\n", n);
                if (n > size) {
                        /* try to allocate only as much as we need for
                         * current packet */
                        skb = alloc_skb(size, GFP_ATOMIC);
                        if (!skb)
-                                PRINTR(KERN_ERR "ebt_ulog: can't even allocate "
+                                pr_debug("cannot even allocate "
-                                       "buffer of size %ub\n", size);
+                                         "buffer of size %ub\n", size);
                }
        }
@@ -142,8 +138,7 @@ static void ebt_ulog_packet(unsigned int hooknr, const struct sk_buff *skb,
        size = NLMSG_SPACE(sizeof(*pm) + copy_len);
        if (size > nlbufsiz) {
-                PRINTR("ebt_ulog: Size %Zd needed, but nlbufsiz=%d\n",
+                pr_debug("Size %Zd needed, but nlbufsiz=%d\n", size, nlbufsiz);
-                       size, nlbufsiz);
                return;
        }
@@ -217,8 +212,8 @@ unlock:
        return;
 nlmsg_failure:
-        printk(KERN_CRIT "ebt_ulog: error during NLMSG_PUT. This should "
+        pr_debug("error during NLMSG_PUT. This should "
-               "not happen, please report to author.\n");
+                 "not happen, please report to author.\n");
        goto unlock;
 alloc_failure:
        goto unlock;
@@ -248,26 +243,26 @@ static void ebt_log_packet(u_int8_t pf, unsigned int hooknum,
 }
 static unsigned int
-ebt_ulog_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ebt_ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        ebt_ulog_packet(par->hooknum, skb, par->in, par->out,
                        par->targinfo, NULL);
        return EBT_CONTINUE;
 }
-static bool ebt_ulog_tg_check(const struct xt_tgchk_param *par)
+static int ebt_ulog_tg_check(const struct xt_tgchk_param *par)
 {
        struct ebt_ulog_info *uloginfo = par->targinfo;
        if (uloginfo->nlgroup > 31)
-                return false;
+                return -EINVAL;
        uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0';
        if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN)
                uloginfo->qthreshold = EBT_ULOG_MAX_QLEN;
-        return true;
+        return 0;
 }
 static struct xt_target ebt_ulog_tg_reg __read_mostly = {
@@ -292,8 +287,8 @@ static int __init ebt_ulog_init(void)
        int i;
        if (nlbufsiz >= 128*1024) {
-                printk(KERN_NOTICE "ebt_ulog: Netlink buffer has to be <= 128kB,"
+                pr_warning("Netlink buffer has to be <= 128kB,"
-                       " please try a smaller nlbufsiz parameter.\n");
+                           " please try a smaller nlbufsiz parameter.\n");
                return -EINVAL;
        }
@@ -306,13 +301,10 @@ static int __init ebt_ulog_init(void)
        ebtulognl = netlink_kernel_create(&init_net, NETLINK_NFLOG,
                                          EBT_ULOG_MAXNLGROUPS, NULL, NULL,
                                          THIS_MODULE);
-        if (!ebtulognl) {
+        if (!ebtulognl)
-                printk(KERN_WARNING KBUILD_MODNAME ": out of memory trying to "
-                       "call netlink_kernel_create\n");
                ret = -ENOMEM;
-        } else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0) {
+        else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0)
                netlink_kernel_release(ebtulognl);
-        }
        if (ret == 0)
                nf_log_register(NFPROTO_BRIDGE, &ebt_ulog_logger);
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index be1dd2e1f615..87b53b3a921d 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -26,22 +26,17 @@
 #include <linux/netfilter_bridge/ebtables.h>
 #include <linux/netfilter_bridge/ebt_vlan.h>
-static int debug;
 #define MODULE_VERS "0.6"
-module_param(debug, int, 0);
-MODULE_PARM_DESC(debug, "debug=1 is turn on debug messages");
 MODULE_AUTHOR("Nick Fedchik <nick@fedchik.org.ua>");
 MODULE_DESCRIPTION("Ebtables: 802.1Q VLAN tag match");
 MODULE_LICENSE("GPL");
-#define DEBUG_MSG(args...) if (debug) printk (KERN_DEBUG "ebt_vlan: " args)
 #define GET_BITMASK(_BIT_MASK_) info->bitmask & _BIT_MASK_
 #define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
 static bool
-ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+ebt_vlan_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ebt_vlan_info *info = par->matchinfo;
        const struct vlan_hdr *fp;
@@ -84,32 +79,31 @@ ebt_vlan_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
+static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
 {
        struct ebt_vlan_info *info = par->matchinfo;
        const struct ebt_entry *e = par->entryinfo;
        /* Is it 802.1Q frame checked? */
        if (e->ethproto != htons(ETH_P_8021Q)) {
-                DEBUG_MSG
+                pr_debug("passed entry proto %2.4X is not 802.1Q (8100)\n",
-                    ("passed entry proto %2.4X is not 802.1Q (8100)\n",
+                         ntohs(e->ethproto));
-                     (unsigned short) ntohs(e->ethproto));
+                return -EINVAL;
-                return false;
        }
        /* Check for bitmask range
         * True if even one bit is out of mask */
        if (info->bitmask & ~EBT_VLAN_MASK) {
-                DEBUG_MSG("bitmask %2X is out of mask (%2X)\n",
+                pr_debug("bitmask %2X is out of mask (%2X)\n",
-                          info->bitmask, EBT_VLAN_MASK);
+                         info->bitmask, EBT_VLAN_MASK);
-                return false;
+                return -EINVAL;
        }
        /* Check for inversion flags range */
        if (info->invflags & ~EBT_VLAN_MASK) {
-                DEBUG_MSG("inversion flags %2X is out of mask (%2X)\n",
+                pr_debug("inversion flags %2X is out of mask (%2X)\n",
-                          info->invflags, EBT_VLAN_MASK);
+                         info->invflags, EBT_VLAN_MASK);
-                return false;
+                return -EINVAL;
        }
        /* Reserved VLAN ID (VID) values
@@ -121,10 +115,9 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
        if (GET_BITMASK(EBT_VLAN_ID)) {
                if (!!info->id) { /* if id!=0 => check vid range */
                        if (info->id > VLAN_GROUP_ARRAY_LEN) {
-                                DEBUG_MSG
+                                pr_debug("id %d is out of range (1-4096)\n",
-                                    ("id %d is out of range (1-4096)\n",
+                                         info->id);
-                                     info->id);
+                                return -EINVAL;
-                                return false;
                        }
                        /* Note: This is valid VLAN-tagged frame point.
                         * Any value of user_priority are acceptable,
@@ -137,9 +130,9 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
        if (GET_BITMASK(EBT_VLAN_PRIO)) {
                if ((unsigned char) info->prio > 7) {
-                        DEBUG_MSG("prio %d is out of range (0-7)\n",
+                        pr_debug("prio %d is out of range (0-7)\n",
-                             info->prio);
+                                 info->prio);
-                        return false;
+                        return -EINVAL;
                }
        }
        /* Check for encapsulated proto range - it is possible to be
@@ -147,14 +140,13 @@ static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
         * if_ether.h:  ETH_ZLEN        60   -  Min. octets in frame sans FCS */
        if (GET_BITMASK(EBT_VLAN_ENCAP)) {
                if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) {
-                        DEBUG_MSG
+                        pr_debug("encap frame length %d is less than "
-                            ("encap frame length %d is less than minimal\n",
+                                 "minimal\n", ntohs(info->encap));
-                             ntohs(info->encap));
+                        return -EINVAL;
-                        return false;
                }
        }
-        return true;
+        return 0;
 }
 static struct xt_match ebt_vlan_mt_reg __read_mostly = {
@@ -169,9 +161,7 @@ static struct xt_match ebt_vlan_mt_reg __read_mostly = {
 static int __init ebt_vlan_init(void)
 {
-        DEBUG_MSG("ebtables 802.1Q extension module v"
+        pr_debug("ebtables 802.1Q extension module v" MODULE_VERS "\n");
-                  MODULE_VERS "\n");
-        DEBUG_MSG("module debug=%d\n", !!debug);
        return xt_register_match(&ebt_vlan_mt_reg);
 }
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index f0865fd1e3ec..59ca00e40dec 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -14,8 +14,7 @@
 *  as published by the Free Software Foundation; either version
 *  2 of the License, or (at your option) any later version.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/kmod.h>
 #include <linux/module.h>
 #include <linux/vmalloc.h>
@@ -87,7 +86,7 @@ static struct xt_target ebt_standard_target = {
 static inline int
 ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
-               struct xt_target_param *par)
+               struct xt_action_param *par)
 {
        par->target   = w->u.watcher;
        par->targinfo = w->data;
@@ -96,8 +95,9 @@ ebt_do_watcher(const struct ebt_entry_watcher *w, struct sk_buff *skb,
        return 0;
 }
-static inline int ebt_do_match (struct ebt_entry_match *m,
+static inline int
-   const struct sk_buff *skb, struct xt_match_param *par)
+ebt_do_match(struct ebt_entry_match *m, const struct sk_buff *skb,
+             struct xt_action_param *par)
 {
        par->match     = m->u.match;
        par->matchinfo = m->data;
@@ -186,15 +186,13 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
        struct ebt_entries *chaininfo;
        const char *base;
        const struct ebt_table_info *private;
-        bool hotdrop = false;
+        struct xt_action_param acpar;
-        struct xt_match_param mtpar;
-        struct xt_target_param tgpar;
-        mtpar.family  = tgpar.family = NFPROTO_BRIDGE;
+        acpar.family  = NFPROTO_BRIDGE;
-        mtpar.in      = tgpar.in  = in;
+        acpar.in      = in;
-        mtpar.out     = tgpar.out = out;
+        acpar.out     = out;
-        mtpar.hotdrop = &hotdrop;
+        acpar.hotdrop = false;
-        mtpar.hooknum = tgpar.hooknum = hook;
+        acpar.hooknum = hook;
        read_lock_bh(&table->lock);
        private = table->private;
@@ -215,9 +213,9 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
                if (ebt_basic_match(point, eth_hdr(skb), in, out))
                        goto letscontinue;
-                if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &mtpar) != 0)
+                if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
                        goto letscontinue;
-                if (hotdrop) {
+                if (acpar.hotdrop) {
                        read_unlock_bh(&table->lock);
                        return NF_DROP;
                }
@@ -228,7 +226,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
                /* these should only watch: not modify, nor tell us
                   what to do with the packet */
-                EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &tgpar);
+                EBT_WATCHER_ITERATE(point, ebt_do_watcher, skb, &acpar);
                t = (struct ebt_entry_target *)
                   (((char *)point) + point->target_offset);
@@ -236,9 +234,9 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
                if (!t->u.target->target)
                        verdict = ((struct ebt_standard_target *)t)->verdict;
                else {
-                        tgpar.target   = t->u.target;
+                        acpar.target   = t->u.target;
-                        tgpar.targinfo = t->data;
+                        acpar.targinfo = t->data;
-                        verdict = t->u.target->target(skb, &tgpar);
+                        verdict = t->u.target->target(skb, &acpar);
                }
                if (verdict == EBT_ACCEPT) {
                        read_unlock_bh(&table->lock);
@@ -363,12 +361,9 @@ ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
            left - sizeof(struct ebt_entry_match) < m->match_size)
                return -EINVAL;
-        match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
+        match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0);
-                m->u.name, 0), "ebt_%s", m->u.name);
        if (IS_ERR(match))
                return PTR_ERR(match);
-        if (match == NULL)
-                return -ENOENT;
        m->u.match = match;
        par->match     = match;
@@ -397,13 +392,9 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
           left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
                return -EINVAL;
-        watcher = try_then_request_module(
+        watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
-                  xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
-                  "ebt_%s", w->u.name);
        if (IS_ERR(watcher))
                return PTR_ERR(watcher);
-        if (watcher == NULL)
-                return -ENOENT;
        w->u.watcher = watcher;
        par->target   = watcher;
@@ -716,15 +707,10 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
        t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
        gap = e->next_offset - e->target_offset;
-        target = try_then_request_module(
+        target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
-                 xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
-                 "ebt_%s", t->u.name);
        if (IS_ERR(target)) {
                ret = PTR_ERR(target);
                goto cleanup_watchers;
-        } else if (target == NULL) {
-                ret = -ENOENT;
-                goto cleanup_watchers;
        }
        t->u.target = target;
@@ -2128,7 +2114,7 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
                        return ret;
                new_offset += ret;
                if (offsets_update && new_offset) {
-                        pr_debug("ebtables: change offset %d to %d\n",
+                        pr_debug("change offset %d to %d\n",
                                offsets_update[i], offsets[j] + new_offset);
                        offsets_update[i] = offsets[j] + new_offset;
                }
diff --git a/net/caif/Kconfig b/net/caif/Kconfig
index cd1daf6008bd..ed651786f16b 100644
--- a/net/caif/Kconfig
+++ b/net/caif/Kconfig
@@ -2,10 +2,8 @@
 # CAIF net configurations
 #
-#menu "CAIF Support"
-comment "CAIF Support"
 menuconfig CAIF
-        tristate "Enable CAIF support"
+        tristate "CAIF support"
        select CRC_CCITT
        default n
        ---help---
@@ -45,4 +43,3 @@ config CAIF_NETDEV
        If unsure say Y.
 endif
-#endmenu
diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
index 024fd5bb2d39..e2b86f1f5a47 100644
--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -112,7 +112,6 @@ static void caif_device_destroy(struct net_device *dev)
        spin_unlock_bh(&caifdevs->lock);
        kfree(caifd);
-        return;
 }
 static int transmit(struct cflayer *layer, struct cfpkt *pkt)
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index c3a70c5c893a..3d0e09584fae 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -60,7 +60,7 @@ struct debug_fs_counter {
        atomic_t num_rx_flow_off;
        atomic_t num_rx_flow_on;
 };
-struct debug_fs_counter cnt;
+static struct debug_fs_counter cnt;
 #define dbfs_atomic_inc(v) atomic_inc(v)
 #define dbfs_atomic_dec(v) atomic_dec(v)
 #else
@@ -128,17 +128,17 @@ static void caif_read_unlock(struct sock *sk)
        mutex_unlock(&cf_sk->readlock);
 }
-int sk_rcvbuf_lowwater(struct caifsock *cf_sk)
+static int sk_rcvbuf_lowwater(struct caifsock *cf_sk)
 {
        /* A quarter of full buffer is used a low water mark */
        return cf_sk->sk.sk_rcvbuf / 4;
 }
-void caif_flow_ctrl(struct sock *sk, int mode)
+static void caif_flow_ctrl(struct sock *sk, int mode)
 {
        struct caifsock *cf_sk;
        cf_sk = container_of(sk, struct caifsock, sk);
-        if (cf_sk->layer.dn)
+        if (cf_sk->layer.dn && cf_sk->layer.dn->modemcmd)
                cf_sk->layer.dn->modemcmd(cf_sk->layer.dn, mode);
 }
@@ -146,7 +146,7 @@ void caif_flow_ctrl(struct sock *sk, int mode)
 * Copied from sock.c:sock_queue_rcv_skb(), but changed so packets are
 * not dropped, but CAIF is sending flow off instead.
 */
-int caif_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+static int caif_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
        int err;
        int skb_len;
@@ -162,9 +162,8 @@ int caif_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
                        atomic_read(&cf_sk->sk.sk_rmem_alloc),
                        sk_rcvbuf_lowwater(cf_sk));
                set_rx_flow_off(cf_sk);
-                if (cf_sk->layer.dn)
+                dbfs_atomic_inc(&cnt.num_rx_flow_off);
-                        cf_sk->layer.dn->modemcmd(cf_sk->layer.dn,
+                caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
-                                                CAIF_MODEMCMD_FLOW_OFF_REQ);
        }
        err = sk_filter(sk, skb);
@@ -175,9 +174,8 @@ int caif_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
                trace_printk("CAIF: %s():"
                        " sending flow OFF due to rmem_schedule\n",
                        __func__);
-                if (cf_sk->layer.dn)
+                dbfs_atomic_inc(&cnt.num_rx_flow_off);
-                        cf_sk->layer.dn->modemcmd(cf_sk->layer.dn,
+                caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
-                                                CAIF_MODEMCMD_FLOW_OFF_REQ);
        }
        skb->dev = NULL;
        skb_set_owner_r(skb, sk);
@@ -285,65 +283,51 @@ static void caif_check_flow_release(struct sock *sk)
 {
        struct caifsock *cf_sk = container_of(sk, struct caifsock, sk);
-        if (cf_sk->layer.dn == NULL || cf_sk->layer.dn->modemcmd == NULL)
-                return;
        if (rx_flow_is_on(cf_sk))
                return;
        if (atomic_read(&sk->sk_rmem_alloc) <= sk_rcvbuf_lowwater(cf_sk)) {
                        dbfs_atomic_inc(&cnt.num_rx_flow_on);
                        set_rx_flow_on(cf_sk);
-                        cf_sk->layer.dn->modemcmd(cf_sk->layer.dn,
+                        caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_ON_REQ);
-                                                CAIF_MODEMCMD_FLOW_ON_REQ);
        }
 }
 /*
- * Copied from sock.c:sock_queue_rcv_skb(), and added check that user buffer
+ * Copied from unix_dgram_recvmsg, but removed credit checks,
- * has sufficient size.
+ * changed locking, address handling and added MSG_TRUNC.
 */
 static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock,
-                                struct msghdr *m, size_t buf_len, int flags)
+                                struct msghdr *m, size_t len, int flags)
 {
        struct sock *sk = sock->sk;
        struct sk_buff *skb;
-        int ret = 0;
+        int ret;
-        int len;
+        int copylen;
-        if (unlikely(!buf_len))
+        ret = -EOPNOTSUPP;
-                return -EINVAL;
+        if (m->msg_flags&MSG_OOB)
+                goto read_error;
        skb = skb_recv_datagram(sk, flags, 0 , &ret);
        if (!skb)
                goto read_error;
+        copylen = skb->len;
-        len = skb->len;
+        if (len < copylen) {
+                m->msg_flags |= MSG_TRUNC;
-        if (skb && skb->len > buf_len && !(flags & MSG_PEEK)) {
+                copylen = len;
-                len = buf_len;
-                /*
-                 * Push skb back on receive queue if buffer too small.
-                 * This has a built-in race where multi-threaded receive
-                 * may get packet in wrong order, but multiple read does
-                 * not really guarantee ordered delivery anyway.
-                 * Let's optimize for speed without taking locks.
-                 */
-                skb_queue_head(&sk->sk_receive_queue, skb);
-                ret = -EMSGSIZE;
-                goto read_error;
        }
-        ret = skb_copy_datagram_iovec(skb, 0, m->msg_iov, len);
+        ret = skb_copy_datagram_iovec(skb, 0, m->msg_iov, copylen);
        if (ret)
-                goto read_error;
+                goto out_free;
+        ret = (flags & MSG_TRUNC) ? skb->len : copylen;
+out_free:
        skb_free_datagram(sk, skb);
        caif_check_flow_release(sk);
+        return ret;
-        return len;
 read_error:
        return ret;
@@ -920,17 +904,17 @@ wait_connect:
        timeo = sock_sndtimeo(sk, flags & O_NONBLOCK);
        release_sock(sk);
-        err = wait_event_interruptible_timeout(*sk_sleep(sk),
+        err = -ERESTARTSYS;
+        timeo = wait_event_interruptible_timeout(*sk_sleep(sk),
                        sk->sk_state != CAIF_CONNECTING,
                        timeo);
        lock_sock(sk);
-        if (err < 0)
+        if (timeo < 0)
                goto out; /* -ERESTARTSYS */
-        if (err == 0 && sk->sk_state != CAIF_CONNECTED) {
-                err = -ETIMEDOUT;
-                goto out;
-        }
+        err = -ETIMEDOUT;
+        if (timeo == 0 && sk->sk_state != CAIF_CONNECTED)
+                goto out;
        if (sk->sk_state != CAIF_CONNECTED) {
                sock->state = SS_UNCONNECTED;
                err = sock_error(sk);
@@ -945,7 +929,6 @@ out:
        return err;
 }
 /*
 * caif_release() - Disconnect a CAIF Socket
 * Copied and modified af_irda.c:irda_release().
@@ -1019,10 +1002,6 @@ static unsigned int caif_poll(struct file *file,
                (sk->sk_shutdown & RCV_SHUTDOWN))
                mask |= POLLIN | POLLRDNORM;
-        /* Connection-based need to check for termination and startup */
-        if (sk->sk_state == CAIF_DISCONNECTED)
-                mask |= POLLHUP;
        /*
         * we set writable also when the other side has shut down the
         * connection. This prevents stuck sockets.
@@ -1194,7 +1173,7 @@ static struct net_proto_family caif_family_ops = {
        .owner = THIS_MODULE,
 };
-int af_caif_init(void)
+static int af_caif_init(void)
 {
        int err = sock_register(&caif_family_ops);
        if (!err)
diff --git a/net/caif/cfcnfg.c b/net/caif/cfcnfg.c
index 471c62939fad..df43f264d9fb 100644
--- a/net/caif/cfcnfg.c
+++ b/net/caif/cfcnfg.c
@@ -65,12 +65,11 @@ struct cfcnfg *cfcnfg_create(void)
        struct cfcnfg *this;
        struct cfctrl_rsp *resp;
        /* Initiate this layer */
-        this = kmalloc(sizeof(struct cfcnfg), GFP_ATOMIC);
+        this = kzalloc(sizeof(struct cfcnfg), GFP_ATOMIC);
        if (!this) {
                pr_warning("CAIF: %s(): Out of memory\n", __func__);
                return NULL;
        }
-        memset(this, 0, sizeof(struct cfcnfg));
        this->mux = cfmuxl_create();
        if (!this->mux)
                goto out_of_mem;
diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
index a521d32cfe56..fcfda98a5e6d 100644
--- a/net/caif/cfctrl.c
+++ b/net/caif/cfctrl.c
@@ -44,13 +44,14 @@ struct cflayer *cfctrl_create(void)
        dev_info.id = 0xff;
        memset(this, 0, sizeof(*this));
        cfsrvl_init(&this->serv, 0, &dev_info);
-        spin_lock_init(&this->info_list_lock);
        atomic_set(&this->req_seq_no, 1);
        atomic_set(&this->rsp_seq_no, 1);
        this->serv.layer.receive = cfctrl_recv;
        sprintf(this->serv.layer.name, "ctrl");
        this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
        spin_lock_init(&this->loop_linkid_lock);
+        spin_lock_init(&this->info_list_lock);
+        INIT_LIST_HEAD(&this->list);
        this->loop_linkid = 1;
        return &this->serv.layer;
 }
@@ -112,20 +113,10 @@ bool cfctrl_req_eq(struct cfctrl_request_info *r1,
 void cfctrl_insert_req(struct cfctrl *ctrl,
                              struct cfctrl_request_info *req)
 {
-        struct cfctrl_request_info *p;
        spin_lock(&ctrl->info_list_lock);
-        req->next = NULL;
        atomic_inc(&ctrl->req_seq_no);
        req->sequence_no = atomic_read(&ctrl->req_seq_no);
-        if (ctrl->first_req == NULL) {
+        list_add_tail(&req->list, &ctrl->list);
-                ctrl->first_req = req;
-                spin_unlock(&ctrl->info_list_lock);
-                return;
-        }
-        p = ctrl->first_req;
-        while (p->next != NULL)
-                p = p->next;
-        p->next = req;
        spin_unlock(&ctrl->info_list_lock);
 }
@@ -133,46 +124,28 @@ void cfctrl_insert_req(struct cfctrl *ctrl,
 struct cfctrl_request_info *cfctrl_remove_req(struct cfctrl *ctrl,
                                              struct cfctrl_request_info *req)
 {
-        struct cfctrl_request_info *p;
+        struct cfctrl_request_info *p, *tmp, *first;
-        struct cfctrl_request_info *ret;
        spin_lock(&ctrl->info_list_lock);
-        if (ctrl->first_req == NULL) {
+        first = list_first_entry(&ctrl->list, struct cfctrl_request_info, list);
-                spin_unlock(&ctrl->info_list_lock);
-                return NULL;
-        }
-        if (cfctrl_req_eq(req, ctrl->first_req)) {
-                ret = ctrl->first_req;
-                caif_assert(ctrl->first_req);
-                atomic_set(&ctrl->rsp_seq_no,
-                                 ctrl->first_req->sequence_no);
-                ctrl->first_req = ctrl->first_req->next;
-                spin_unlock(&ctrl->info_list_lock);
-                return ret;
-        }
-        p = ctrl->first_req;
+        list_for_each_entry_safe(p, tmp, &ctrl->list, list) {
+                if (cfctrl_req_eq(req, p)) {
-        while (p->next != NULL) {
+                        if (p != first)
-                if (cfctrl_req_eq(req, p->next)) {
+                                pr_warning("CAIF: %s(): Requests are not "
-                        pr_warning("CAIF: %s(): Requests are not "
                                        "received in order\n",
                                        __func__);
-                        ret = p->next;
                        atomic_set(&ctrl->rsp_seq_no,
-                                        p->next->sequence_no);
+                                         p->sequence_no);
-                        p->next = p->next->next;
+                        list_del(&p->list);
-                        spin_unlock(&ctrl->info_list_lock);
+                        goto out;
-                        return ret;
                }
-                p = p->next;
        }
+        p = NULL;
+out:
        spin_unlock(&ctrl->info_list_lock);
+        return p;
-        pr_warning("CAIF: %s(): Request does not match\n",
-                   __func__);
-        return NULL;
 }
 struct cfctrl_rsp *cfctrl_get_respfuncs(struct cflayer *layer)
@@ -284,12 +257,11 @@ int cfctrl_linkup_request(struct cflayer *layer,
                           __func__, param->linktype);
                return -EINVAL;
        }
-        req = kmalloc(sizeof(*req), GFP_KERNEL);
+        req = kzalloc(sizeof(*req), GFP_KERNEL);
        if (!req) {
                pr_warning("CAIF: %s(): Out of memory\n", __func__);
                return -ENOMEM;
        }
-        memset(req, 0, sizeof(*req));
        req->client_layer = user_layer;
        req->cmd = CFCTRL_CMD_LINK_SETUP;
        req->param = *param;
@@ -389,31 +361,18 @@ void cfctrl_getstartreason_req(struct cflayer *layer)
 void cfctrl_cancel_req(struct cflayer *layr, struct cflayer *adap_layer)
 {
-        struct cfctrl_request_info *p, *req;
+        struct cfctrl_request_info *p, *tmp;
        struct cfctrl *ctrl = container_obj(layr);
        spin_lock(&ctrl->info_list_lock);
+        pr_warning("CAIF: %s(): enter\n", __func__);
-        if (ctrl->first_req == NULL) {
-                spin_unlock(&ctrl->info_list_lock);
+        list_for_each_entry_safe(p, tmp, &ctrl->list, list) {
-                return;
+                if (p->client_layer == adap_layer) {
-        }
+                        pr_warning("CAIF: %s(): cancel req :%d\n", __func__,
+                                        p->sequence_no);
-        if (ctrl->first_req->client_layer == adap_layer) {
+                        list_del(&p->list);
+                        kfree(p);
-                req = ctrl->first_req;
-                ctrl->first_req = ctrl->first_req->next;
-                kfree(req);
-        }
-        p = ctrl->first_req;
-        while (p != NULL && p->next != NULL) {
-                if (p->next->client_layer == adap_layer) {
-                        req = p->next;
-                        p->next = p->next->next;
-                        kfree(p->next);
                }
-                p = p->next;
        }
        spin_unlock(&ctrl->info_list_lock);
@@ -635,7 +594,7 @@ static void cfctrl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
        case _CAIF_CTRLCMD_PHYIF_FLOW_OFF_IND:
        case CAIF_CTRLCMD_FLOW_OFF_IND:
                spin_lock(&this->info_list_lock);
-                if (this->first_req != NULL) {
+                if (!list_empty(&this->list)) {
                        pr_debug("CAIF: %s(): Received flow off in "
                                   "control layer", __func__);
                }
diff --git a/net/caif/cfmuxl.c b/net/caif/cfmuxl.c
index 7372f27f1d32..80c8d332b258 100644
--- a/net/caif/cfmuxl.c
+++ b/net/caif/cfmuxl.c
@@ -174,10 +174,11 @@ struct cflayer *cfmuxl_remove_uplayer(struct cflayer *layr, u8 id)
        spin_lock(&muxl->receive_lock);
        up = get_up(muxl, id);
        if (up == NULL)
-                return NULL;
+                goto out;
        memset(muxl->up_cache, 0, sizeof(muxl->up_cache));
        list_del(&up->node);
        cfsrvl_put(up);
+out:
        spin_unlock(&muxl->receive_lock);
        return up;
 }
diff --git a/net/caif/cfpkt_skbuff.c b/net/caif/cfpkt_skbuff.c
index 83fff2ff6658..a6fdf899741a 100644
--- a/net/caif/cfpkt_skbuff.c
+++ b/net/caif/cfpkt_skbuff.c
@@ -238,6 +238,7 @@ int cfpkt_add_head(struct cfpkt *pkt, const void *data2, u16 len)
        struct sk_buff *lastskb;
        u8 *to;
        const u8 *data = data2;
+        int ret;
        if (unlikely(is_erronous(pkt)))
                return -EPROTO;
        if (unlikely(skb_headroom(skb) < len)) {
@@ -246,9 +247,10 @@ int cfpkt_add_head(struct cfpkt *pkt, const void *data2, u16 len)
        }
        /* Make sure data is writable */
-        if (unlikely(skb_cow_data(skb, 0, &lastskb) < 0)) {
+        ret = skb_cow_data(skb, 0, &lastskb);
+        if (unlikely(ret < 0)) {
                PKT_ERROR(pkt, "cfpkt_add_head: cow failed\n");
-                return -EPROTO;
+                return ret;
        }
        to = skb_push(skb, len);
@@ -316,6 +318,8 @@ EXPORT_SYMBOL(cfpkt_setlen);
 struct cfpkt *cfpkt_create_uplink(const unsigned char *data, unsigned int len)
 {
        struct cfpkt *pkt = cfpkt_create_pfx(len + PKT_POSTFIX, PKT_PREFIX);
+        if (!pkt)
+                return NULL;
        if (unlikely(data != NULL))
                cfpkt_add_body(pkt, data, len);
        return pkt;
@@ -344,12 +348,13 @@ struct cfpkt *cfpkt_append(struct cfpkt *dstpkt,
        if (dst->tail + neededtailspace > dst->end) {
                /* Create a dumplicate of 'dst' with more tail space */
+                struct cfpkt *tmppkt;
                dstlen = skb_headlen(dst);
                createlen = dstlen + neededtailspace;
-                tmp = pkt_to_skb(
+                tmppkt = cfpkt_create(createlen + PKT_PREFIX + PKT_POSTFIX);
-                        cfpkt_create(createlen + PKT_PREFIX + PKT_POSTFIX));
+                if (tmppkt == NULL)
-                if (!tmp)
                        return NULL;
+                tmp = pkt_to_skb(tmppkt);
                skb_set_tail_pointer(tmp, dstlen);
                tmp->len = dstlen;
                memcpy(tmp->data, dst->data, dstlen);
@@ -368,6 +373,7 @@ struct cfpkt *cfpkt_split(struct cfpkt *pkt, u16 pos)
 {
        struct sk_buff *skb2;
        struct sk_buff *skb = pkt_to_skb(pkt);
+        struct cfpkt *tmppkt;
        u8 *split = skb->data + pos;
        u16 len2nd = skb_tail_pointer(skb) - split;
@@ -381,9 +387,12 @@ struct cfpkt *cfpkt_split(struct cfpkt *pkt, u16 pos)
        }
        /* Create a new packet for the second part of the data */
-        skb2 = pkt_to_skb(
+        tmppkt = cfpkt_create_pfx(len2nd + PKT_PREFIX + PKT_POSTFIX,
-                cfpkt_create_pfx(len2nd + PKT_PREFIX + PKT_POSTFIX,
+                                  PKT_PREFIX);
-                                 PKT_PREFIX));
+        if (tmppkt == NULL)
+                return NULL;
+        skb2 = pkt_to_skb(tmppkt);
        if (skb2 == NULL)
                return NULL;
diff --git a/net/caif/cfrfml.c b/net/caif/cfrfml.c
index cd2830fec935..fd27b172fb5d 100644
--- a/net/caif/cfrfml.c
+++ b/net/caif/cfrfml.c
@@ -83,7 +83,7 @@ static int cfrfml_transmit(struct cflayer *layr, struct cfpkt *pkt)
        if (!cfsrvl_ready(service, &ret))
                return ret;
-        if (!cfpkt_getlen(pkt) > CAIF_MAX_PAYLOAD_SIZE) {
+        if (cfpkt_getlen(pkt) > CAIF_MAX_PAYLOAD_SIZE) {
                pr_err("CAIF: %s():Packet too large - size=%d\n",
                        __func__, cfpkt_getlen(pkt));
                return -EOVERFLOW;
diff --git a/net/caif/cfserl.c b/net/caif/cfserl.c
index 06029ea2da2f..965c5baace40 100644
--- a/net/caif/cfserl.c
+++ b/net/caif/cfserl.c
@@ -59,14 +59,18 @@ static int cfserl_receive(struct cflayer *l, struct cfpkt *newpkt)
        u8 stx = CFSERL_STX;
        int ret;
        u16 expectlen = 0;
        caif_assert(newpkt != NULL);
        spin_lock(&layr->sync);
        if (layr->incomplete_frm != NULL) {
                layr->incomplete_frm =
                    cfpkt_append(layr->incomplete_frm, newpkt, expectlen);
                pkt = layr->incomplete_frm;
+                if (pkt == NULL) {
+                        spin_unlock(&layr->sync);
+                        return -ENOMEM;
+                }
        } else {
                pkt = newpkt;
        }
@@ -154,7 +158,6 @@ static int cfserl_receive(struct cflayer *l, struct cfpkt *newpkt)
                        if (layr->usestx) {
                                if (tail_pkt != NULL)
                                        pkt = cfpkt_append(pkt, tail_pkt, 0);
                                /* Start search for next STX if frame failed */
                                continue;
                        } else {
diff --git a/net/caif/cfsrvl.c b/net/caif/cfsrvl.c
index aff31f34528f..6e5b7079a684 100644
--- a/net/caif/cfsrvl.c
+++ b/net/caif/cfsrvl.c
@@ -123,6 +123,12 @@ static int cfservl_modemcmd(struct cflayer *layr, enum caif_modemcmd ctrl)
                        struct caif_payload_info *info;
                        u8 flow_off = SRVL_FLOW_OFF;
                        pkt = cfpkt_create(SRVL_CTRL_PKT_SIZE);
+                        if (!pkt) {
+                                pr_warning("CAIF: %s(): Out of memory\n",
+                                        __func__);
+                                return -ENOMEM;
+                        }
                        if (cfpkt_add_head(pkt, &flow_off, 1) < 0) {
                                pr_err("CAIF: %s(): Packet is erroneous!\n",
                                        __func__);
diff --git a/net/caif/cfveil.c b/net/caif/cfveil.c
index 0fd827f49491..e04f7d964e83 100644
--- a/net/caif/cfveil.c
+++ b/net/caif/cfveil.c
@@ -84,7 +84,7 @@ static int cfvei_transmit(struct cflayer *layr, struct cfpkt *pkt)
                return ret;
        caif_assert(layr->dn != NULL);
        caif_assert(layr->dn->transmit != NULL);
-        if (!cfpkt_getlen(pkt) > CAIF_MAX_PAYLOAD_SIZE) {
+        if (cfpkt_getlen(pkt) > CAIF_MAX_PAYLOAD_SIZE) {
                pr_warning("CAIF: %s(): Packet too large - size=%d\n",
                           __func__, cfpkt_getlen(pkt));
                return -EOVERFLOW;
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 907dc871fac8..9c65e9deb9c3 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -713,8 +713,6 @@ static void bcm_remove_op(struct bcm_op *op)
                kfree(op->last_frames);
        kfree(op);
-        return;
 }
 static void bcm_rx_unreg(struct net_device *dev, struct bcm_op *op)
diff --git a/net/core/datagram.c b/net/core/datagram.c
index e0097531417a..f5b6f43a4c2e 100644
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -229,15 +229,17 @@ EXPORT_SYMBOL(skb_free_datagram);
 void skb_free_datagram_locked(struct sock *sk, struct sk_buff *skb)
 {
+        bool slow;
        if (likely(atomic_read(&skb->users) == 1))
                smp_rmb();
        else if (likely(!atomic_dec_and_test(&skb->users)))
                return;
-        lock_sock_bh(sk);
+        slow = lock_sock_fast(sk);
        skb_orphan(skb);
        sk_mem_reclaim_partial(sk);
-        unlock_sock_bh(sk);
+        unlock_sock_fast(sk, slow);
        /* skb is now orphaned, can be freed outside of locked section */
        __kfree_skb(skb);
diff --git a/net/core/dev.c b/net/core/dev.c
index 32611c8f1219..2b3bf53bc687 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -954,18 +954,22 @@ int dev_alloc_name(struct net_device *dev, const char *name)
 }
 EXPORT_SYMBOL(dev_alloc_name);
-static int dev_get_valid_name(struct net *net, const char *name, char *buf,
+static int dev_get_valid_name(struct net_device *dev, const char *name, bool fmt)
-                              bool fmt)
 {
+        struct net *net;
+        BUG_ON(!dev_net(dev));
+        net = dev_net(dev);
        if (!dev_valid_name(name))
                return -EINVAL;
        if (fmt && strchr(name, '%'))
-                return __dev_alloc_name(net, name, buf);
+                return dev_alloc_name(dev, name);
        else if (__dev_get_by_name(net, name))
                return -EEXIST;
-        else if (buf != name)
+        else if (dev->name != name)
-                strlcpy(buf, name, IFNAMSIZ);
+                strlcpy(dev->name, name, IFNAMSIZ);
        return 0;
 }
@@ -997,20 +1001,15 @@ int dev_change_name(struct net_device *dev, const char *newname)
        memcpy(oldname, dev->name, IFNAMSIZ);
-        err = dev_get_valid_name(net, newname, dev->name, 1);
+        err = dev_get_valid_name(dev, newname, 1);
        if (err < 0)
                return err;
 rollback:
-        /* For now only devices in the initial network namespace
+        ret = device_rename(&dev->dev, dev->name);
-         * are in sysfs.
+        if (ret) {
-         */
+                memcpy(dev->name, oldname, IFNAMSIZ);
-        if (net_eq(net, &init_net)) {
+                return ret;
-                ret = device_rename(&dev->dev, dev->name);
-                if (ret) {
-                        memcpy(dev->name, oldname, IFNAMSIZ);
-                        return ret;
-                }
        }
        write_lock_bh(&dev_base_lock);
@@ -1454,7 +1453,7 @@ void net_disable_timestamp(void)
 }
 EXPORT_SYMBOL(net_disable_timestamp);
-static inline void net_timestamp(struct sk_buff *skb)
+static inline void net_timestamp_set(struct sk_buff *skb)
 {
        if (atomic_read(&netstamp_needed))
                __net_timestamp(skb);
@@ -1462,6 +1461,12 @@ static inline void net_timestamp(struct sk_buff *skb)
                skb->tstamp.tv64 = 0;
 }
+static inline void net_timestamp_check(struct sk_buff *skb)
+{
+        if (!skb->tstamp.tv64 && atomic_read(&netstamp_needed))
+                __net_timestamp(skb);
+}
 /**
 * dev_forward_skb - loopback an skb to another netif
 *
@@ -1470,7 +1475,7 @@ static inline void net_timestamp(struct sk_buff *skb)
 *
 * return values:
 *      NET_RX_SUCCESS  (no congestion)
- *      NET_RX_DROP     (packet was dropped)
+ *      NET_RX_DROP     (packet was dropped, but freed)
 *
 * dev_forward_skb can be used for injecting an skb from the
 * start_xmit function of one device into the receive queue
@@ -1484,12 +1489,11 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
 {
        skb_orphan(skb);
-        if (!(dev->flags & IFF_UP))
+        if (!(dev->flags & IFF_UP) ||
-                return NET_RX_DROP;
+            (skb->len > (dev->mtu + dev->hard_header_len))) {
+                kfree_skb(skb);
-        if (skb->len > (dev->mtu + dev->hard_header_len))
                return NET_RX_DROP;
+        }
        skb_set_dev(skb, dev);
        skb->tstamp.tv64 = 0;
        skb->pkt_type = PACKET_HOST;
@@ -1509,9 +1513,9 @@ static void dev_queue_xmit_nit(struct sk_buff *skb, struct net_device *dev)
 #ifdef CONFIG_NET_CLS_ACT
        if (!(skb->tstamp.tv64 && (G_TC_FROM(skb->tc_verd) & AT_INGRESS)))
-                net_timestamp(skb);
+                net_timestamp_set(skb);
 #else
-        net_timestamp(skb);
+        net_timestamp_set(skb);
 #endif
        rcu_read_lock();
@@ -2047,6 +2051,8 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,
                 * waiting to be sent out; and the qdisc is not running -
                 * xmit the skb directly.
                 */
+                if (!(dev->priv_flags & IFF_XMIT_DST_RELEASE))
+                        skb_dst_force(skb);
                __qdisc_update_bstats(q, skb->len);
                if (sch_direct_xmit(skb, q, dev, txq, root_lock))
                        __qdisc_run(q);
@@ -2055,6 +2061,7 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,
                rc = NET_XMIT_SUCCESS;
        } else {
+                skb_dst_force(skb);
                rc = qdisc_enqueue_root(skb, q);
                qdisc_run(q);
        }
@@ -2202,6 +2209,7 @@ EXPORT_SYMBOL(dev_queue_xmit);
  =======================================================================*/
 int netdev_max_backlog __read_mostly = 1000;
+int netdev_tstamp_prequeue __read_mostly = 1;
 int netdev_budget __read_mostly = 300;
 int weight_p __read_mostly = 64;            /* old backlog weight */
@@ -2245,11 +2253,9 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
        if (skb_rx_queue_recorded(skb)) {
                u16 index = skb_get_rx_queue(skb);
                if (unlikely(index >= dev->num_rx_queues)) {
-                        if (net_ratelimit()) {
+                        WARN_ONCE(dev->num_rx_queues > 1, "%s received packet "
-                                pr_warning("%s received packet on queue "
+                                "on queue %u, but number of RX queues is %u\n",
-                                        "%u, but number of RX queues is %u\n",
+                                dev->name, index, dev->num_rx_queues);
-                                        dev->name, index, dev->num_rx_queues);
-                        }
                        goto done;
                }
                rxqueue = dev->_rx + index;
@@ -2417,17 +2423,16 @@ static int enqueue_to_backlog(struct sk_buff *skb, int cpu,
                if (skb_queue_len(&sd->input_pkt_queue)) {
 enqueue:
                        __skb_queue_tail(&sd->input_pkt_queue, skb);
-#ifdef CONFIG_RPS
+                        input_queue_tail_incr_save(sd, qtail);
-                        *qtail = sd->input_queue_head +
-                                        skb_queue_len(&sd->input_pkt_queue);
-#endif
                        rps_unlock(sd);
                        local_irq_restore(flags);
                        return NET_RX_SUCCESS;
                }
-                /* Schedule NAPI for backlog device */
+                /* Schedule NAPI for backlog device
-                if (napi_schedule_prep(&sd->backlog)) {
+                 * We can use non atomic operation since we own the queue lock
+                 */
+                if (!__test_and_set_bit(NAPI_STATE_SCHED, &sd->backlog.state)) {
                        if (!rps_ipi_queued(sd))
                                ____napi_schedule(sd, &sd->backlog);
                }
@@ -2466,8 +2471,8 @@ int netif_rx(struct sk_buff *skb)
        if (netpoll_rx(skb))
                return NET_RX_DROP;
-        if (!skb->tstamp.tv64)
+        if (netdev_tstamp_prequeue)
-                net_timestamp(skb);
+                net_timestamp_check(skb);
 #ifdef CONFIG_RPS
        {
@@ -2613,7 +2618,8 @@ static inline struct sk_buff *handle_bridge(struct sk_buff *skb,
 #endif
 #if defined(CONFIG_MACVLAN) || defined(CONFIG_MACVLAN_MODULE)
-struct sk_buff *(*macvlan_handle_frame_hook)(struct sk_buff *skb) __read_mostly;
+struct sk_buff *(*macvlan_handle_frame_hook)(struct macvlan_port *p,
+                                             struct sk_buff *skb) __read_mostly;
 EXPORT_SYMBOL_GPL(macvlan_handle_frame_hook);
 static inline struct sk_buff *handle_macvlan(struct sk_buff *skb,
@@ -2621,14 +2627,17 @@ static inline struct sk_buff *handle_macvlan(struct sk_buff *skb,
                                             int *ret,
                                             struct net_device *orig_dev)
 {
-        if (skb->dev->macvlan_port == NULL)
+        struct macvlan_port *port;
+        port = rcu_dereference(skb->dev->macvlan_port);
+        if (!port)
                return skb;
        if (*pt_prev) {
                *ret = deliver_skb(skb, *pt_prev, orig_dev);
                *pt_prev = NULL;
        }
-        return macvlan_handle_frame_hook(skb);
+        return macvlan_handle_frame_hook(port, skb);
 }
 #else
 #define handle_macvlan(skb, pt_prev, ret, orig_dev)     (skb)
@@ -2784,12 +2793,12 @@ static int __netif_receive_skb(struct sk_buff *skb)
        struct net_device *orig_dev;
        struct net_device *master;
        struct net_device *null_or_orig;
-        struct net_device *null_or_bond;
+        struct net_device *orig_or_bond;
        int ret = NET_RX_DROP;
        __be16 type;
-        if (!skb->tstamp.tv64)
+        if (!netdev_tstamp_prequeue)
-                net_timestamp(skb);
+                net_timestamp_check(skb);
        if (vlan_tx_tag_present(skb) && vlan_hwaccel_do_receive(skb))
                return NET_RX_SUCCESS;
@@ -2801,13 +2810,24 @@ static int __netif_receive_skb(struct sk_buff *skb)
        if (!skb->skb_iif)
                skb->skb_iif = skb->dev->ifindex;
+        /*
+         * bonding note: skbs received on inactive slaves should only
+         * be delivered to pkt handlers that are exact matches.  Also
+         * the deliver_no_wcard flag will be set.  If packet handlers
+         * are sensitive to duplicate packets these skbs will need to
+         * be dropped at the handler.  The vlan accel path may have
+         * already set the deliver_no_wcard flag.
+         */
        null_or_orig = NULL;
        orig_dev = skb->dev;
        master = ACCESS_ONCE(orig_dev->master);
-        if (master) {
+        if (skb->deliver_no_wcard)
-                if (skb_bond_should_drop(skb, master))
+                null_or_orig = orig_dev;
+        else if (master) {
+                if (skb_bond_should_drop(skb, master)) {
+                        skb->deliver_no_wcard = 1;
                        null_or_orig = orig_dev; /* deliver only exact match */
-                else
+                } else
                        skb->dev = master;
        }
@@ -2857,10 +2877,10 @@ ncls:
         * device that may have registered for a specific ptype.  The
         * handler may have to adjust skb->dev and orig_dev.
         */
-        null_or_bond = NULL;
+        orig_or_bond = orig_dev;
        if ((skb->dev->priv_flags & IFF_802_1Q_VLAN) &&
            (vlan_dev_real_dev(skb->dev)->priv_flags & IFF_BONDING)) {
-                null_or_bond = vlan_dev_real_dev(skb->dev);
+                orig_or_bond = vlan_dev_real_dev(skb->dev);
        }
        type = skb->protocol;
@@ -2868,7 +2888,7 @@ ncls:
                        &ptype_base[ntohs(type) & PTYPE_HASH_MASK], list) {
                if (ptype->type == type && (ptype->dev == null_or_orig ||
                     ptype->dev == skb->dev || ptype->dev == orig_dev ||
-                     ptype->dev == null_or_bond)) {
+                     ptype->dev == orig_or_bond)) {
                        if (pt_prev)
                                ret = deliver_skb(skb, pt_prev, orig_dev);
                        pt_prev = ptype;
@@ -2907,23 +2927,28 @@ out:
 */
 int netif_receive_skb(struct sk_buff *skb)
 {
+        if (netdev_tstamp_prequeue)
+                net_timestamp_check(skb);
 #ifdef CONFIG_RPS
-        struct rps_dev_flow voidflow, *rflow = &voidflow;
+        {
-        int cpu, ret;
+                struct rps_dev_flow voidflow, *rflow = &voidflow;
+                int cpu, ret;
-        rcu_read_lock();
+                rcu_read_lock();
-        cpu = get_rps_cpu(skb->dev, skb, &rflow);
+                cpu = get_rps_cpu(skb->dev, skb, &rflow);
-        if (cpu >= 0) {
+                if (cpu >= 0) {
-                ret = enqueue_to_backlog(skb, cpu, &rflow->last_qtail);
+                        ret = enqueue_to_backlog(skb, cpu, &rflow->last_qtail);
-                rcu_read_unlock();
+                        rcu_read_unlock();
-        } else {
+                } else {
-                rcu_read_unlock();
+                        rcu_read_unlock();
-                ret = __netif_receive_skb(skb);
+                        ret = __netif_receive_skb(skb);
-        }
+                }
-        return ret;
+                return ret;
+        }
 #else
        return __netif_receive_skb(skb);
 #endif
@@ -2944,7 +2969,7 @@ static void flush_backlog(void *arg)
                if (skb->dev == dev) {
                        __skb_unlink(skb, &sd->input_pkt_queue);
                        kfree_skb(skb);
-                        input_queue_head_add(sd, 1);
+                        input_queue_head_incr(sd);
                }
        }
        rps_unlock(sd);
@@ -2953,6 +2978,7 @@ static void flush_backlog(void *arg)
                if (skb->dev == dev) {
                        __skb_unlink(skb, &sd->process_queue);
                        kfree_skb(skb);
+                        input_queue_head_incr(sd);
                }
        }
 }
@@ -3308,18 +3334,20 @@ static int process_backlog(struct napi_struct *napi, int quota)
                while ((skb = __skb_dequeue(&sd->process_queue))) {
                        local_irq_enable();
                        __netif_receive_skb(skb);
-                        if (++work >= quota)
-                                return work;
                        local_irq_disable();
+                        input_queue_head_incr(sd);
+                        if (++work >= quota) {
+                                local_irq_enable();
+                                return work;
+                        }
                }
                rps_lock(sd);
                qlen = skb_queue_len(&sd->input_pkt_queue);
-                if (qlen) {
+                if (qlen)
-                        input_queue_head_add(sd, qlen);
                        skb_queue_splice_tail_init(&sd->input_pkt_queue,
                                                   &sd->process_queue);
-                }
                if (qlen < quota - work) {
                        /*
                         * Inline a custom version of __napi_complete().
@@ -4945,7 +4973,7 @@ int register_netdevice(struct net_device *dev)
                }
        }
-        ret = dev_get_valid_name(net, dev->name, dev->name, 0);
+        ret = dev_get_valid_name(dev, dev->name, 0);
        if (ret)
                goto err_uninit;
@@ -4974,8 +5002,6 @@ int register_netdevice(struct net_device *dev)
        if (dev->features & NETIF_F_SG)
                dev->features |= NETIF_F_GSO;
-        netdev_initialize_kobject(dev);
        ret = call_netdevice_notifiers(NETDEV_POST_INIT, dev);
        ret = notifier_to_errno(ret);
        if (ret)
@@ -5527,15 +5553,6 @@ int dev_change_net_namespace(struct net_device *dev, struct net *net, const char
        if (dev->features & NETIF_F_NETNS_LOCAL)
                goto out;
-#ifdef CONFIG_SYSFS
-        /* Don't allow real devices to be moved when sysfs
-         * is enabled.
-         */
-        err = -EINVAL;
-        if (dev->dev.parent)
-                goto out;
-#endif
        /* Ensure the device has been registrered */
        err = -EINVAL;
        if (dev->reg_state != NETREG_REGISTERED)
@@ -5554,7 +5571,7 @@ int dev_change_net_namespace(struct net_device *dev, struct net *net, const char
                /* We get here if we can't use the current device name */
                if (!pat)
                        goto out;
-                if (dev_get_valid_name(net, pat, dev->name, 1))
+                if (dev_get_valid_name(dev, pat, 1))
                        goto out;
        }
@@ -5586,8 +5603,6 @@ int dev_change_net_namespace(struct net_device *dev, struct net *net, const char
        dev_uc_flush(dev);
        dev_mc_flush(dev);
-        netdev_unregister_kobject(dev);
        /* Actually switch the network namespace */
        dev_net_set(dev, net);
@@ -5600,7 +5615,7 @@ int dev_change_net_namespace(struct net_device *dev, struct net *net, const char
        }
        /* Fixup kobjects */
-        err = netdev_register_kobject(dev);
+        err = device_rename(&dev->dev, dev->name);
        WARN_ON(err);
        /* Add the device back in the hashes */
@@ -5659,12 +5674,14 @@ static int dev_cpu_callback(struct notifier_block *nfb,
        local_irq_enable();
        /* Process offline CPU's input_pkt_queue */
-        while ((skb = __skb_dequeue(&oldsd->input_pkt_queue))) {
+        while ((skb = __skb_dequeue(&oldsd->process_queue))) {
                netif_rx(skb);
-                input_queue_head_add(oldsd, 1);
+                input_queue_head_incr(oldsd);
        }
-        while ((skb = __skb_dequeue(&oldsd->process_queue)))
+        while ((skb = __skb_dequeue(&oldsd->input_pkt_queue))) {
                netif_rx(skb);
+                input_queue_head_incr(oldsd);
+        }
        return NOTIFY_OK;
 }
diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
index cf208d8042b1..ad41529fb60f 100644
--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -172,12 +172,12 @@ out:
        return;
 }
-static void trace_kfree_skb_hit(struct sk_buff *skb, void *location)
+static void trace_kfree_skb_hit(void *ignore, struct sk_buff *skb, void *location)
 {
        trace_drop_common(skb, location);
 }
-static void trace_napi_poll_hit(struct napi_struct *napi)
+static void trace_napi_poll_hit(void *ignore, struct napi_struct *napi)
 {
        struct dm_hw_stat_delta *new_stat;
@@ -225,12 +225,12 @@ static int set_all_monitor_traces(int state)
        switch (state) {
        case TRACE_ON:
-                rc |= register_trace_kfree_skb(trace_kfree_skb_hit);
+                rc |= register_trace_kfree_skb(trace_kfree_skb_hit, NULL);
-                rc |= register_trace_napi_poll(trace_napi_poll_hit);
+                rc |= register_trace_napi_poll(trace_napi_poll_hit, NULL);
                break;
        case TRACE_OFF:
-                rc |= unregister_trace_kfree_skb(trace_kfree_skb_hit);
+                rc |= unregister_trace_kfree_skb(trace_kfree_skb_hit, NULL);
-                rc |= unregister_trace_napi_poll(trace_napi_poll_hit);
+                rc |= unregister_trace_napi_poll(trace_napi_poll_hit, NULL);
                tracepoint_synchronize_unregister();
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 1a7db92037fa..a0f4964033d2 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -522,7 +522,7 @@ static int ethtool_get_rx_ntuple(struct net_device *dev, void __user *useraddr)
                        p += ETH_GSTRING_LEN;
                        num_strings++;
                        goto unknown_filter;
-                };
+                }
                /* now the rest of the filters */
                switch (fsc->fs.flow_type) {
@@ -646,7 +646,7 @@ static int ethtool_get_rx_ntuple(struct net_device *dev, void __user *useraddr)
                        p += ETH_GSTRING_LEN;
                        num_strings++;
                        break;
-                };
+                }
                sprintf(p, "\tVLAN: %d, mask: 0x%x\n",
                        fsc->fs.vlan_tag, fsc->fs.vlan_tag_mask);
                p += ETH_GSTRING_LEN;
diff --git a/net/core/gen_estimator.c b/net/core/gen_estimator.c
index cf8e70392fe0..785e5276a300 100644
--- a/net/core/gen_estimator.c
+++ b/net/core/gen_estimator.c
@@ -107,6 +107,7 @@ static DEFINE_RWLOCK(est_lock);
 /* Protects against soft lockup during large deletion */
 static struct rb_root est_root = RB_ROOT;
+static DEFINE_SPINLOCK(est_tree_lock);
 static void est_timer(unsigned long arg)
 {
@@ -201,7 +202,6 @@ struct gen_estimator *gen_find_node(const struct gnet_stats_basic_packed *bstats
 *
 * Returns 0 on success or a negative error code.
 *
- * NOTE: Called under rtnl_mutex
 */
 int gen_new_estimator(struct gnet_stats_basic_packed *bstats,
                      struct gnet_stats_rate_est *rate_est,
@@ -232,6 +232,7 @@ int gen_new_estimator(struct gnet_stats_basic_packed *bstats,
        est->last_packets = bstats->packets;
        est->avpps = rate_est->pps<<10;
+        spin_lock(&est_tree_lock);
        if (!elist[idx].timer.function) {
                INIT_LIST_HEAD(&elist[idx].list);
                setup_timer(&elist[idx].timer, est_timer, idx);
@@ -242,6 +243,7 @@ int gen_new_estimator(struct gnet_stats_basic_packed *bstats,
        list_add_rcu(&est->list, &elist[idx].list);
        gen_add_node(est);
+        spin_unlock(&est_tree_lock);
        return 0;
 }
@@ -261,13 +263,13 @@ static void __gen_kill_estimator(struct rcu_head *head)
 *
 * Removes the rate estimator specified by &bstats and &rate_est.
 *
- * NOTE: Called under rtnl_mutex
 */
 void gen_kill_estimator(struct gnet_stats_basic_packed *bstats,
                        struct gnet_stats_rate_est *rate_est)
 {
        struct gen_estimator *e;
+        spin_lock(&est_tree_lock);
        while ((e = gen_find_node(bstats, rate_est))) {
                rb_erase(&e->node, &est_root);
@@ -278,6 +280,7 @@ void gen_kill_estimator(struct gnet_stats_basic_packed *bstats,
                list_del_rcu(&e->list);
                call_rcu(&e->e_rcu, __gen_kill_estimator);
        }
+        spin_unlock(&est_tree_lock);
 }
 EXPORT_SYMBOL(gen_kill_estimator);
@@ -312,8 +315,14 @@ EXPORT_SYMBOL(gen_replace_estimator);
 bool gen_estimator_active(const struct gnet_stats_basic_packed *bstats,
                          const struct gnet_stats_rate_est *rate_est)
 {
+        bool res;
        ASSERT_RTNL();
-        return gen_find_node(bstats, rate_est) != NULL;
+        spin_lock(&est_tree_lock);
+        res = gen_find_node(bstats, rate_est) != NULL;
+        spin_unlock(&est_tree_lock);
+        return res;
 }
 EXPORT_SYMBOL(gen_estimator_active);
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index bff37908bd55..6ba1c0eece03 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -934,6 +934,7 @@ int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb)
                                kfree_skb(buff);
                                NEIGH_CACHE_STAT_INC(neigh->tbl, unres_discards);
                        }
+                        skb_dst_force(skb);
                        __skb_queue_tail(&neigh->arp_queue, skb);
                }
                rc = 1;
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index c57c4b228bb5..99e7052d7323 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -14,7 +14,9 @@
 #include <linux/netdevice.h>
 #include <linux/if_arp.h>
 #include <linux/slab.h>
+#include <linux/nsproxy.h>
 #include <net/sock.h>
+#include <net/net_namespace.h>
 #include <linux/rtnetlink.h>
 #include <linux/wireless.h>
 #include <linux/vmalloc.h>
@@ -467,6 +469,7 @@ static struct attribute_group wireless_group = {
        .attrs = wireless_attrs,
 };
 #endif
+#endif /* CONFIG_SYSFS */
 #ifdef CONFIG_RPS
 /*
@@ -766,7 +769,38 @@ static void rx_queue_remove_kobjects(struct net_device *net)
        kset_unregister(net->queues_kset);
 }
 #endif /* CONFIG_RPS */
-#endif /* CONFIG_SYSFS */
+static const void *net_current_ns(void)
+{
+        return current->nsproxy->net_ns;
+}
+static const void *net_initial_ns(void)
+{
+        return &init_net;
+}
+static const void *net_netlink_ns(struct sock *sk)
+{
+        return sock_net(sk);
+}
+static struct kobj_ns_type_operations net_ns_type_operations = {
+        .type = KOBJ_NS_TYPE_NET,
+        .current_ns = net_current_ns,
+        .netlink_ns = net_netlink_ns,
+        .initial_ns = net_initial_ns,
+};
+static void net_kobj_ns_exit(struct net *net)
+{
+        kobj_ns_exit(KOBJ_NS_TYPE_NET, net);
+}
+static struct pernet_operations kobj_net_ops = {
+        .exit = net_kobj_ns_exit,
+};
 #ifdef CONFIG_HOTPLUG
 static int netdev_uevent(struct device *d, struct kobj_uevent_env *env)
@@ -774,9 +808,6 @@ static int netdev_uevent(struct device *d, struct kobj_uevent_env *env)
        struct net_device *dev = to_net_dev(d);
        int retval;
-        if (!net_eq(dev_net(dev), &init_net))
-                return 0;
        /* pass interface to uevent. */
        retval = add_uevent_var(env, "INTERFACE=%s", dev->name);
        if (retval)
@@ -806,6 +837,13 @@ static void netdev_release(struct device *d)
        kfree((char *)dev - dev->padded);
 }
+static const void *net_namespace(struct device *d)
+{
+        struct net_device *dev;
+        dev = container_of(d, struct net_device, dev);
+        return dev_net(dev);
+}
 static struct class net_class = {
        .name = "net",
        .dev_release = netdev_release,
@@ -815,6 +853,8 @@ static struct class net_class = {
 #ifdef CONFIG_HOTPLUG
        .dev_uevent = netdev_uevent,
 #endif
+        .ns_type = &net_ns_type_operations,
+        .namespace = net_namespace,
 };
 /* Delete sysfs entries but hold kobject reference until after all
@@ -826,9 +866,6 @@ void netdev_unregister_kobject(struct net_device * net)
        kobject_get(&dev->kobj);
-        if (!net_eq(dev_net(net), &init_net))
-                return;
 #ifdef CONFIG_RPS
        rx_queue_remove_kobjects(net);
 #endif
@@ -843,6 +880,7 @@ int netdev_register_kobject(struct net_device *net)
        const struct attribute_group **groups = net->sysfs_groups;
        int error = 0;
+        device_initialize(dev);
        dev->class = &net_class;
        dev->platform_data = net;
        dev->groups = groups;
@@ -865,9 +903,6 @@ int netdev_register_kobject(struct net_device *net)
 #endif
 #endif /* CONFIG_SYSFS */
-        if (!net_eq(dev_net(net), &init_net))
-                return 0;
        error = device_add(dev);
        if (error)
                return error;
@@ -896,13 +931,9 @@ void netdev_class_remove_file(struct class_attribute *class_attr)
 EXPORT_SYMBOL(netdev_class_create_file);
 EXPORT_SYMBOL(netdev_class_remove_file);
-void netdev_initialize_kobject(struct net_device *net)
-{
-        struct device *device = &(net->dev);
-        device_initialize(device);
-}
 int netdev_kobject_init(void)
 {
+        kobj_ns_type_register(&net_ns_type_operations);
+        register_pernet_subsys(&kobj_net_ops);
        return class_register(&net_class);
 }
diff --git a/net/core/net-sysfs.h b/net/core/net-sysfs.h
index 14e7524260b3..805555e8b187 100644
--- a/net/core/net-sysfs.h
+++ b/net/core/net-sysfs.h
@@ -4,5 +4,4 @@
 int netdev_kobject_init(void);
 int netdev_register_kobject(struct net_device *);
 void netdev_unregister_kobject(struct net_device *);
-void netdev_initialize_kobject(struct net_device *);
 #endif
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index 2ad68da418df..1dacd7ba8dbb 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -2170,7 +2170,7 @@ static void spin(struct pktgen_dev *pkt_dev, ktime_t spin_until)
        end_time = ktime_now();
        pkt_dev->idle_acc += ktime_to_ns(ktime_sub(end_time, start_time));
-        pkt_dev->next_tx = ktime_add_ns(end_time, pkt_dev->delay);
+        pkt_dev->next_tx = ktime_add_ns(spin_until, pkt_dev->delay);
 }
 static inline void set_pkt_overhead(struct pktgen_dev *pkt_dev)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 23a71cb21273..1a2af24e9e3d 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -644,15 +644,48 @@ static void copy_rtnl_link_stats64(void *v, const struct net_device_stats *b)
        memcpy(v, &a, sizeof(a));
 }
+/* All VF info */
 static inline int rtnl_vfinfo_size(const struct net_device *dev)
 {
-        if (dev->dev.parent && dev_is_pci(dev->dev.parent))
+        if (dev->dev.parent && dev_is_pci(dev->dev.parent)) {
-                return dev_num_vf(dev->dev.parent) *
-                        sizeof(struct ifla_vf_info);
+                int num_vfs = dev_num_vf(dev->dev.parent);
-        else
+                size_t size = nla_total_size(sizeof(struct nlattr));
+                size += nla_total_size(num_vfs * sizeof(struct nlattr));
+                size += num_vfs *
+                        (nla_total_size(sizeof(struct ifla_vf_mac)) +
+                         nla_total_size(sizeof(struct ifla_vf_vlan)) +
+                         nla_total_size(sizeof(struct ifla_vf_tx_rate)));
+                return size;
+        } else
                return 0;
 }
+static size_t rtnl_port_size(const struct net_device *dev)
+{
+        size_t port_size = nla_total_size(4)            /* PORT_VF */
+                + nla_total_size(PORT_PROFILE_MAX)      /* PORT_PROFILE */
+                + nla_total_size(sizeof(struct ifla_port_vsi))
+                                                        /* PORT_VSI_TYPE */
+                + nla_total_size(PORT_UUID_MAX)         /* PORT_INSTANCE_UUID */
+                + nla_total_size(PORT_UUID_MAX)         /* PORT_HOST_UUID */
+                + nla_total_size(1)                     /* PROT_VDP_REQUEST */
+                + nla_total_size(2);                    /* PORT_VDP_RESPONSE */
+        size_t vf_ports_size = nla_total_size(sizeof(struct nlattr));
+        size_t vf_port_size = nla_total_size(sizeof(struct nlattr))
+                + port_size;
+        size_t port_self_size = nla_total_size(sizeof(struct nlattr))
+                + port_size;
+        if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent)
+                return 0;
+        if (dev_num_vf(dev->dev.parent))
+                return port_self_size + vf_ports_size +
+                        vf_port_size * dev_num_vf(dev->dev.parent);
+        else
+                return port_self_size;
+}
 static inline size_t if_nlmsg_size(const struct net_device *dev)
 {
        return NLMSG_ALIGN(sizeof(struct ifinfomsg))
@@ -672,10 +705,86 @@ static inline size_t if_nlmsg_size(const struct net_device *dev)
               + nla_total_size(1) /* IFLA_OPERSTATE */
               + nla_total_size(1) /* IFLA_LINKMODE */
               + nla_total_size(4) /* IFLA_NUM_VF */
-               + nla_total_size(rtnl_vfinfo_size(dev)) /* IFLA_VFINFO */
+               + rtnl_vfinfo_size(dev) /* IFLA_VFINFO_LIST */
+               + rtnl_port_size(dev) /* IFLA_VF_PORTS + IFLA_PORT_SELF */
               + rtnl_link_get_size(dev); /* IFLA_LINKINFO */
 }
+static int rtnl_vf_ports_fill(struct sk_buff *skb, struct net_device *dev)
+{
+        struct nlattr *vf_ports;
+        struct nlattr *vf_port;
+        int vf;
+        int err;
+        vf_ports = nla_nest_start(skb, IFLA_VF_PORTS);
+        if (!vf_ports)
+                return -EMSGSIZE;
+        for (vf = 0; vf < dev_num_vf(dev->dev.parent); vf++) {
+                vf_port = nla_nest_start(skb, IFLA_VF_PORT);
+                if (!vf_port)
+                        goto nla_put_failure;
+                NLA_PUT_U32(skb, IFLA_PORT_VF, vf);
+                err = dev->netdev_ops->ndo_get_vf_port(dev, vf, skb);
+                if (err == -EMSGSIZE)
+                        goto nla_put_failure;
+                if (err) {
+                        nla_nest_cancel(skb, vf_port);
+                        continue;
+                }
+                nla_nest_end(skb, vf_port);
+        }
+        nla_nest_end(skb, vf_ports);
+        return 0;
+nla_put_failure:
+        nla_nest_cancel(skb, vf_ports);
+        return -EMSGSIZE;
+}
+static int rtnl_port_self_fill(struct sk_buff *skb, struct net_device *dev)
+{
+        struct nlattr *port_self;
+        int err;
+        port_self = nla_nest_start(skb, IFLA_PORT_SELF);
+        if (!port_self)
+                return -EMSGSIZE;
+        err = dev->netdev_ops->ndo_get_vf_port(dev, PORT_SELF_VF, skb);
+        if (err) {
+                nla_nest_cancel(skb, port_self);
+                return (err == -EMSGSIZE) ? err : 0;
+        }
+        nla_nest_end(skb, port_self);
+        return 0;
+}
+static int rtnl_port_fill(struct sk_buff *skb, struct net_device *dev)
+{
+        int err;
+        if (!dev->netdev_ops->ndo_get_vf_port || !dev->dev.parent)
+                return 0;
+        err = rtnl_port_self_fill(skb, dev);
+        if (err)
+                return err;
+        if (dev_num_vf(dev->dev.parent)) {
+                err = rtnl_vf_ports_fill(skb, dev);
+                if (err)
+                        return err;
+        }
+        return 0;
+}
 static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
                            int type, u32 pid, u32 seq, u32 change,
                            unsigned int flags)
@@ -747,17 +856,46 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
                goto nla_put_failure;
        copy_rtnl_link_stats64(nla_data(attr), stats);
+        if (dev->dev.parent)
+                NLA_PUT_U32(skb, IFLA_NUM_VF, dev_num_vf(dev->dev.parent));
        if (dev->netdev_ops->ndo_get_vf_config && dev->dev.parent) {
                int i;
-                struct ifla_vf_info ivi;
-                NLA_PUT_U32(skb, IFLA_NUM_VF, dev_num_vf(dev->dev.parent));
+                struct nlattr *vfinfo, *vf;
-                for (i = 0; i < dev_num_vf(dev->dev.parent); i++) {
+                int num_vfs = dev_num_vf(dev->dev.parent);
+                vfinfo = nla_nest_start(skb, IFLA_VFINFO_LIST);
+                if (!vfinfo)
+                        goto nla_put_failure;
+                for (i = 0; i < num_vfs; i++) {
+                        struct ifla_vf_info ivi;
+                        struct ifla_vf_mac vf_mac;
+                        struct ifla_vf_vlan vf_vlan;
+                        struct ifla_vf_tx_rate vf_tx_rate;
                        if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
                                break;
-                        NLA_PUT(skb, IFLA_VFINFO, sizeof(ivi), &ivi);
+                        vf_mac.vf = vf_vlan.vf = vf_tx_rate.vf = ivi.vf;
+                        memcpy(vf_mac.mac, ivi.mac, sizeof(ivi.mac));
+                        vf_vlan.vlan = ivi.vlan;
+                        vf_vlan.qos = ivi.qos;
+                        vf_tx_rate.rate = ivi.tx_rate;
+                        vf = nla_nest_start(skb, IFLA_VF_INFO);
+                        if (!vf) {
+                                nla_nest_cancel(skb, vfinfo);
+                                goto nla_put_failure;
+                        }
+                        NLA_PUT(skb, IFLA_VF_MAC, sizeof(vf_mac), &vf_mac);
+                        NLA_PUT(skb, IFLA_VF_VLAN, sizeof(vf_vlan), &vf_vlan);
+                        NLA_PUT(skb, IFLA_VF_TX_RATE, sizeof(vf_tx_rate), &vf_tx_rate);
+                        nla_nest_end(skb, vf);
                }
+                nla_nest_end(skb, vfinfo);
        }
+        if (rtnl_port_fill(skb, dev))
+                goto nla_put_failure;
        if (dev->rtnl_link_ops) {
                if (rtnl_link_fill(skb, dev) < 0)
                        goto nla_put_failure;
@@ -818,6 +956,22 @@ const struct nla_policy ifla_policy[IFLA_MAX+1] = {
        [IFLA_LINKINFO]         = { .type = NLA_NESTED },
        [IFLA_NET_NS_PID]       = { .type = NLA_U32 },
        [IFLA_IFALIAS]          = { .type = NLA_STRING, .len = IFALIASZ-1 },
+        [IFLA_VFINFO_LIST]      = {. type = NLA_NESTED },
+        [IFLA_VF_PORTS]         = { .type = NLA_NESTED },
+        [IFLA_PORT_SELF]        = { .type = NLA_NESTED },
+};
+EXPORT_SYMBOL(ifla_policy);
+static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = {
+        [IFLA_INFO_KIND]        = { .type = NLA_STRING },
+        [IFLA_INFO_DATA]        = { .type = NLA_NESTED },
+};
+static const struct nla_policy ifla_vfinfo_policy[IFLA_VF_INFO_MAX+1] = {
+        [IFLA_VF_INFO]          = { .type = NLA_NESTED },
+};
+static const struct nla_policy ifla_vf_policy[IFLA_VF_MAX+1] = {
        [IFLA_VF_MAC]           = { .type = NLA_BINARY,
                                    .len = sizeof(struct ifla_vf_mac) },
        [IFLA_VF_VLAN]          = { .type = NLA_BINARY,
@@ -825,11 +979,19 @@ const struct nla_policy ifla_policy[IFLA_MAX+1] = {
        [IFLA_VF_TX_RATE]       = { .type = NLA_BINARY,
                                    .len = sizeof(struct ifla_vf_tx_rate) },
 };
-EXPORT_SYMBOL(ifla_policy);
-static const struct nla_policy ifla_info_policy[IFLA_INFO_MAX+1] = {
+static const struct nla_policy ifla_port_policy[IFLA_PORT_MAX+1] = {
-        [IFLA_INFO_KIND]        = { .type = NLA_STRING },
+        [IFLA_PORT_VF]          = { .type = NLA_U32 },
-        [IFLA_INFO_DATA]        = { .type = NLA_NESTED },
+        [IFLA_PORT_PROFILE]     = { .type = NLA_STRING,
+                                    .len = PORT_PROFILE_MAX },
+        [IFLA_PORT_VSI_TYPE]    = { .type = NLA_BINARY,
+                                    .len = sizeof(struct ifla_port_vsi)},
+        [IFLA_PORT_INSTANCE_UUID] = { .type = NLA_BINARY,
+                                      .len = PORT_UUID_MAX },
+        [IFLA_PORT_HOST_UUID]   = { .type = NLA_STRING,
+                                    .len = PORT_UUID_MAX },
+        [IFLA_PORT_REQUEST]     = { .type = NLA_U8, },
+        [IFLA_PORT_RESPONSE]    = { .type = NLA_U16, },
 };
 struct net *rtnl_link_get_net(struct net *src_net, struct nlattr *tb[])
@@ -861,6 +1023,52 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[])
        return 0;
 }
+static int do_setvfinfo(struct net_device *dev, struct nlattr *attr)
+{
+        int rem, err = -EINVAL;
+        struct nlattr *vf;
+        const struct net_device_ops *ops = dev->netdev_ops;
+        nla_for_each_nested(vf, attr, rem) {
+                switch (nla_type(vf)) {
+                case IFLA_VF_MAC: {
+                        struct ifla_vf_mac *ivm;
+                        ivm = nla_data(vf);
+                        err = -EOPNOTSUPP;
+                        if (ops->ndo_set_vf_mac)
+                                err = ops->ndo_set_vf_mac(dev, ivm->vf,
+                                                          ivm->mac);
+                        break;
+                }
+                case IFLA_VF_VLAN: {
+                        struct ifla_vf_vlan *ivv;
+                        ivv = nla_data(vf);
+                        err = -EOPNOTSUPP;
+                        if (ops->ndo_set_vf_vlan)
+                                err = ops->ndo_set_vf_vlan(dev, ivv->vf,
+                                                           ivv->vlan,
+                                                           ivv->qos);
+                        break;
+                }
+                case IFLA_VF_TX_RATE: {
+                        struct ifla_vf_tx_rate *ivt;
+                        ivt = nla_data(vf);
+                        err = -EOPNOTSUPP;
+                        if (ops->ndo_set_vf_tx_rate)
+                                err = ops->ndo_set_vf_tx_rate(dev, ivt->vf,
+                                                              ivt->rate);
+                        break;
+                }
+                default:
+                        err = -EINVAL;
+                        break;
+                }
+                if (err)
+                        break;
+        }
+        return err;
+}
 static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
                      struct nlattr **tb, char *ifname, int modified)
 {
@@ -991,37 +1199,63 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
                write_unlock_bh(&dev_base_lock);
        }
-        if (tb[IFLA_VF_MAC]) {
+        if (tb[IFLA_VFINFO_LIST]) {
-                struct ifla_vf_mac *ivm;
+                struct nlattr *attr;
-                ivm = nla_data(tb[IFLA_VF_MAC]);
+                int rem;
-                err = -EOPNOTSUPP;
+                nla_for_each_nested(attr, tb[IFLA_VFINFO_LIST], rem) {
-                if (ops->ndo_set_vf_mac)
+                        if (nla_type(attr) != IFLA_VF_INFO) {
-                        err = ops->ndo_set_vf_mac(dev, ivm->vf, ivm->mac);
+                                err = -EINVAL;
-                if (err < 0)
+                                goto errout;
-                        goto errout;
+                        }
-                modified = 1;
+                        err = do_setvfinfo(dev, attr);
+                        if (err < 0)
+                                goto errout;
+                        modified = 1;
+                }
        }
+        err = 0;
+        if (tb[IFLA_VF_PORTS]) {
+                struct nlattr *port[IFLA_PORT_MAX+1];
+                struct nlattr *attr;
+                int vf;
+                int rem;
-        if (tb[IFLA_VF_VLAN]) {
-                struct ifla_vf_vlan *ivv;
-                ivv = nla_data(tb[IFLA_VF_VLAN]);
                err = -EOPNOTSUPP;
-                if (ops->ndo_set_vf_vlan)
+                if (!ops->ndo_set_vf_port)
-                        err = ops->ndo_set_vf_vlan(dev, ivv->vf,
-                                                   ivv->vlan,
-                                                   ivv->qos);
-                if (err < 0)
                        goto errout;
-                modified = 1;
+                nla_for_each_nested(attr, tb[IFLA_VF_PORTS], rem) {
+                        if (nla_type(attr) != IFLA_VF_PORT)
+                                continue;
+                        err = nla_parse_nested(port, IFLA_PORT_MAX,
+                                attr, ifla_port_policy);
+                        if (err < 0)
+                                goto errout;
+                        if (!port[IFLA_PORT_VF]) {
+                                err = -EOPNOTSUPP;
+                                goto errout;
+                        }
+                        vf = nla_get_u32(port[IFLA_PORT_VF]);
+                        err = ops->ndo_set_vf_port(dev, vf, port);
+                        if (err < 0)
+                                goto errout;
+                        modified = 1;
+                }
        }
        err = 0;
-        if (tb[IFLA_VF_TX_RATE]) {
+        if (tb[IFLA_PORT_SELF]) {
-                struct ifla_vf_tx_rate *ivt;
+                struct nlattr *port[IFLA_PORT_MAX+1];
-                ivt = nla_data(tb[IFLA_VF_TX_RATE]);
+                err = nla_parse_nested(port, IFLA_PORT_MAX,
+                        tb[IFLA_PORT_SELF], ifla_port_policy);
+                if (err < 0)
+                        goto errout;
                err = -EOPNOTSUPP;
-                if (ops->ndo_set_vf_tx_rate)
+                if (ops->ndo_set_vf_port)
-                        err = ops->ndo_set_vf_tx_rate(dev, ivt->vf, ivt->rate);
+                        err = ops->ndo_set_vf_port(dev, PORT_SELF_VF, port);
                if (err < 0)
                        goto errout;
                modified = 1;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index a9b0e1f77806..9f07e749d7b1 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -482,22 +482,22 @@ EXPORT_SYMBOL(consume_skb);
 *      reference count dropping and cleans up the skbuff as if it
 *      just came from __alloc_skb().
 */
-int skb_recycle_check(struct sk_buff *skb, int skb_size)
+bool skb_recycle_check(struct sk_buff *skb, int skb_size)
 {
        struct skb_shared_info *shinfo;
        if (irqs_disabled())
-                return 0;
+                return false;
        if (skb_is_nonlinear(skb) || skb->fclone != SKB_FCLONE_UNAVAILABLE)
-                return 0;
+                return false;
        skb_size = SKB_DATA_ALIGN(skb_size + NET_SKB_PAD);
        if (skb_end_pointer(skb) - skb->head < skb_size)
-                return 0;
+                return false;
        if (skb_shared(skb) || skb_cloned(skb))
-                return 0;
+                return false;
        skb_release_head_state(skb);
@@ -509,7 +509,7 @@ int skb_recycle_check(struct sk_buff *skb, int skb_size)
        skb->data = skb->head + NET_SKB_PAD;
        skb_reset_tail_pointer(skb);
-        return 1;
+        return true;
 }
 EXPORT_SYMBOL(skb_recycle_check);
@@ -520,7 +520,7 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
        new->transport_header   = old->transport_header;
        new->network_header     = old->network_header;
        new->mac_header         = old->mac_header;
-        skb_dst_set(new, dst_clone(skb_dst(old)));
+        skb_dst_copy(new, old);
        new->rxhash             = old->rxhash;
 #ifdef CONFIG_XFRM
        new->sp                 = secpath_get(old->sp);
@@ -1406,12 +1406,13 @@ new_page:
 /*
 * Fill page/offset/length into spd, if it can hold more pages.
 */
-static inline int spd_fill_page(struct splice_pipe_desc *spd, struct page *page,
+static inline int spd_fill_page(struct splice_pipe_desc *spd,
+                                struct pipe_inode_info *pipe, struct page *page,
                                unsigned int *len, unsigned int offset,
                                struct sk_buff *skb, int linear,
                                struct sock *sk)
 {
-        if (unlikely(spd->nr_pages == PIPE_BUFFERS))
+        if (unlikely(spd->nr_pages == pipe->buffers))
                return 1;
        if (linear) {
@@ -1447,7 +1448,8 @@ static inline int __splice_segment(struct page *page, unsigned int poff,
                                   unsigned int plen, unsigned int *off,
                                   unsigned int *len, struct sk_buff *skb,
                                   struct splice_pipe_desc *spd, int linear,
-                                   struct sock *sk)
+                                   struct sock *sk,
+                                   struct pipe_inode_info *pipe)
 {
        if (!*len)
                return 1;
@@ -1470,7 +1472,7 @@ static inline int __splice_segment(struct page *page, unsigned int poff,
                /* the linear region may spread across several pages  */
                flen = min_t(unsigned int, flen, PAGE_SIZE - poff);
-                if (spd_fill_page(spd, page, &flen, poff, skb, linear, sk))
+                if (spd_fill_page(spd, pipe, page, &flen, poff, skb, linear, sk))
                        return 1;
                __segment_seek(&page, &poff, &plen, flen);
@@ -1485,9 +1487,9 @@ static inline int __splice_segment(struct page *page, unsigned int poff,
 * Map linear and fragment data from the skb to spd. It reports failure if the
 * pipe is full or if we already spliced the requested length.
 */
-static int __skb_splice_bits(struct sk_buff *skb, unsigned int *offset,
+static int __skb_splice_bits(struct sk_buff *skb, struct pipe_inode_info *pipe,
-                             unsigned int *len, struct splice_pipe_desc *spd,
+                             unsigned int *offset, unsigned int *len,
-                             struct sock *sk)
+                             struct splice_pipe_desc *spd, struct sock *sk)
 {
        int seg;
@@ -1497,7 +1499,7 @@ static int __skb_splice_bits(struct sk_buff *skb, unsigned int *offset,
        if (__splice_segment(virt_to_page(skb->data),
                             (unsigned long) skb->data & (PAGE_SIZE - 1),
                             skb_headlen(skb),
-                             offset, len, skb, spd, 1, sk))
+                             offset, len, skb, spd, 1, sk, pipe))
                return 1;
        /*
@@ -1507,7 +1509,7 @@ static int __skb_splice_bits(struct sk_buff *skb, unsigned int *offset,
                const skb_frag_t *f = &skb_shinfo(skb)->frags[seg];
                if (__splice_segment(f->page, f->page_offset, f->size,
-                                     offset, len, skb, spd, 0, sk))
+                                     offset, len, skb, spd, 0, sk, pipe))
                        return 1;
        }
@@ -1524,8 +1526,8 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset,
                    struct pipe_inode_info *pipe, unsigned int tlen,
                    unsigned int flags)
 {
-        struct partial_page partial[PIPE_BUFFERS];
+        struct partial_page partial[PIPE_DEF_BUFFERS];
-        struct page *pages[PIPE_BUFFERS];
+        struct page *pages[PIPE_DEF_BUFFERS];
        struct splice_pipe_desc spd = {
                .pages = pages,
                .partial = partial,
@@ -1535,12 +1537,16 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset,
        };
        struct sk_buff *frag_iter;
        struct sock *sk = skb->sk;
+        int ret = 0;
+        if (splice_grow_spd(pipe, &spd))
+                return -ENOMEM;
        /*
         * __skb_splice_bits() only fails if the output has no room left,
         * so no point in going over the frag_list for the error case.
         */
-        if (__skb_splice_bits(skb, &offset, &tlen, &spd, sk))
+        if (__skb_splice_bits(skb, pipe, &offset, &tlen, &spd, sk))
                goto done;
        else if (!tlen)
                goto done;
@@ -1551,14 +1557,12 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset,
        skb_walk_frags(skb, frag_iter) {
                if (!tlen)
                        break;
-                if (__skb_splice_bits(frag_iter, &offset, &tlen, &spd, sk))
+                if (__skb_splice_bits(frag_iter, pipe, &offset, &tlen, &spd, sk))
                        break;
        }
 done:
        if (spd.nr_pages) {
-                int ret;
                /*
                 * Drop the socket lock, otherwise we have reverse
                 * locking dependencies between sk_lock and i_mutex
@@ -1571,10 +1575,10 @@ done:
                release_sock(sk);
                ret = splice_to_pipe(pipe, &spd);
                lock_sock(sk);
-                return ret;
        }
-        return 0;
+        splice_shrink_spd(pipe, &spd);
+        return ret;
 }
 /**
@@ -2718,6 +2722,7 @@ int skb_gro_receive(struct sk_buff **head, struct sk_buff *skb)
        *NAPI_GRO_CB(nskb) = *NAPI_GRO_CB(p);
        skb_shinfo(nskb)->frag_list = p;
        skb_shinfo(nskb)->gso_size = pinfo->gso_size;
+        pinfo->gso_size = 0;
        skb_header_release(p);
        nskb->prev = p;
@@ -2960,6 +2965,34 @@ int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer)
 }
 EXPORT_SYMBOL_GPL(skb_cow_data);
+static void sock_rmem_free(struct sk_buff *skb)
+{
+        struct sock *sk = skb->sk;
+        atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
+}
+/*
+ * Note: We dont mem charge error packets (no sk_forward_alloc changes)
+ */
+int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
+{
+        if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
+            (unsigned)sk->sk_rcvbuf)
+                return -ENOMEM;
+        skb_orphan(skb);
+        skb->sk = sk;
+        skb->destructor = sock_rmem_free;
+        atomic_add(skb->truesize, &sk->sk_rmem_alloc);
+        skb_queue_tail(&sk->sk_error_queue, skb);
+        if (!sock_flag(sk, SOCK_DEAD))
+                sk->sk_data_ready(sk, skb->len);
+        return 0;
+}
+EXPORT_SYMBOL(sock_queue_err_skb);
 void skb_tstamp_tx(struct sk_buff *orig_skb,
                struct skb_shared_hwtstamps *hwtstamps)
 {
@@ -2991,7 +3024,9 @@ void skb_tstamp_tx(struct sk_buff *orig_skb,
        memset(serr, 0, sizeof(*serr));
        serr->ee.ee_errno = ENOMSG;
        serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING;
        err = sock_queue_err_skb(sk, skb);
        if (err)
                kfree_skb(skb);
 }
diff --git a/net/core/sock.c b/net/core/sock.c
index 94c4affdda9b..2cf7f9f7e775 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -123,6 +123,7 @@
 #include <linux/net_tstamp.h>
 #include <net/xfrm.h>
 #include <linux/ipsec.h>
+#include <net/cls_cgroup.h>
 #include <linux/filter.h>
@@ -217,6 +218,11 @@ __u32 sysctl_rmem_default __read_mostly = SK_RMEM_MAX;
 int sysctl_optmem_max __read_mostly = sizeof(unsigned long)*(2*UIO_MAXIOV+512);
 EXPORT_SYMBOL(sysctl_optmem_max);
+#if defined(CONFIG_CGROUPS) && !defined(CONFIG_NET_CLS_CGROUP)
+int net_cls_subsys_id = -1;
+EXPORT_SYMBOL_GPL(net_cls_subsys_id);
+#endif
 static int sock_set_timeout(long *timeo_p, char __user *optval, int optlen)
 {
        struct timeval tv;
@@ -307,6 +313,11 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
         */
        skb_len = skb->len;
+        /* we escape from rcu protected region, make sure we dont leak
+         * a norefcounted dst
+         */
+        skb_dst_force(skb);
        spin_lock_irqsave(&list->lock, flags);
        skb->dropcount = atomic_read(&sk->sk_drops);
        __skb_queue_tail(list, skb);
@@ -1045,6 +1056,17 @@ static void sk_prot_free(struct proto *prot, struct sock *sk)
        module_put(owner);
 }
+#ifdef CONFIG_CGROUPS
+void sock_update_classid(struct sock *sk)
+{
+        u32 classid = task_cls_classid(current);
+        if (classid && classid != sk->sk_classid)
+                sk->sk_classid = classid;
+}
+EXPORT_SYMBOL(sock_update_classid);
+#endif
 /**
 *      sk_alloc - All socket objects are allocated here
 *      @net: the applicable net namespace
@@ -1068,6 +1090,8 @@ struct sock *sk_alloc(struct net *net, int family, gfp_t priority,
                sock_lock_init(sk);
                sock_net_set(sk, get_net(net));
                atomic_set(&sk->sk_wmem_alloc, 1);
+                sock_update_classid(sk);
        }
        return sk;
@@ -1231,6 +1255,7 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
        sk->sk_route_caps = dst->dev->features;
        if (sk->sk_route_caps & NETIF_F_GSO)
                sk->sk_route_caps |= NETIF_F_GSO_SOFTWARE;
+        sk->sk_route_caps &= ~sk->sk_route_nocaps;
        if (sk_can_gso(sk)) {
                if (dst->header_len) {
                        sk->sk_route_caps &= ~NETIF_F_GSO_MASK;
@@ -1535,6 +1560,7 @@ static void __release_sock(struct sock *sk)
                do {
                        struct sk_buff *next = skb->next;
+                        WARN_ON_ONCE(skb_dst_is_noref(skb));
                        skb->next = NULL;
                        sk_backlog_rcv(sk, skb);
@@ -1981,6 +2007,39 @@ void release_sock(struct sock *sk)
 }
 EXPORT_SYMBOL(release_sock);
+/**
+ * lock_sock_fast - fast version of lock_sock
+ * @sk: socket
+ *
+ * This version should be used for very small section, where process wont block
+ * return false if fast path is taken
+ *   sk_lock.slock locked, owned = 0, BH disabled
+ * return true if slow path is taken
+ *   sk_lock.slock unlocked, owned = 1, BH enabled
+ */
+bool lock_sock_fast(struct sock *sk)
+{
+        might_sleep();
+        spin_lock_bh(&sk->sk_lock.slock);
+        if (!sk->sk_lock.owned)
+                /*
+                 * Note : We must disable BH
+                 */
+                return false;
+        __lock_sock(sk);
+        sk->sk_lock.owned = 1;
+        spin_unlock(&sk->sk_lock.slock);
+        /*
+         * The sk_lock has mutex_lock() semantics here:
+         */
+        mutex_acquire(&sk->sk_lock.dep_map, 0, 0, _RET_IP_);
+        local_bh_enable();
+        return true;
+}
+EXPORT_SYMBOL(lock_sock_fast);
 int sock_get_timestamp(struct sock *sk, struct timeval __user *userstamp)
 {
        struct timeval tv;
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index dcc7d25996ab..01eee5d984be 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -122,6 +122,13 @@ static struct ctl_table net_core_table[] = {
                .proc_handler   = proc_dointvec
        },
        {
+                .procname       = "netdev_tstamp_prequeue",
+                .data           = &netdev_tstamp_prequeue,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec
+        },
+        {
                .procname       = "message_cost",
                .data           = &net_ratelimit_state.interval,
                .maxlen         = sizeof(int),
diff --git a/net/dccp/input.c b/net/dccp/input.c
index 58f7bc156850..6beb6a7d6fba 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -124,9 +124,9 @@ static int dccp_rcv_closereq(struct sock *sk, struct sk_buff *skb)
        return queued;
 }
-static u8 dccp_reset_code_convert(const u8 code)
+static u16 dccp_reset_code_convert(const u8 code)
 {
-        const u8 error_code[] = {
+        const u16 error_code[] = {
        [DCCP_RESET_CODE_CLOSED]             = 0,       /* normal termination */
        [DCCP_RESET_CODE_UNSPECIFIED]        = 0,       /* nothing known */
        [DCCP_RESET_CODE_ABORTED]            = ECONNRESET,
@@ -148,7 +148,7 @@ static u8 dccp_reset_code_convert(const u8 code)
 static void dccp_rcv_reset(struct sock *sk, struct sk_buff *skb)
 {
-        u8 err = dccp_reset_code_convert(dccp_hdr_reset(skb)->dccph_reset_code);
+        u16 err = dccp_reset_code_convert(dccp_hdr_reset(skb)->dccph_reset_code);
        sk->sk_err = err;
diff --git a/net/dccp/options.c b/net/dccp/options.c
index 1b08cae9c65b..07395f861d35 100644
--- a/net/dccp/options.c
+++ b/net/dccp/options.c
@@ -296,7 +296,7 @@ static inline u8 dccp_ndp_len(const u64 ndp)
 {
        if (likely(ndp <= 0xFF))
                return 1;
-        return likely(ndp <= USHORT_MAX) ? 2 : (ndp <= UINT_MAX ? 4 : 6);
+        return likely(ndp <= USHRT_MAX) ? 2 : (ndp <= UINT_MAX ? 4 : 6);
 }
 int dccp_insert_option(struct sock *sk, struct sk_buff *skb,
diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
index 615dbe3b43f9..4c409b46aa35 100644
--- a/net/decnet/dn_dev.c
+++ b/net/decnet/dn_dev.c
@@ -1220,17 +1220,14 @@ void dn_dev_down(struct net_device *dev)
 void dn_dev_init_pkt(struct sk_buff *skb)
 {
-        return;
 }
 void dn_dev_veri_pkt(struct sk_buff *skb)
 {
-        return;
 }
 void dn_dev_hello(struct sk_buff *skb)
 {
-        return;
 }
 void dn_dev_devices_off(void)
diff --git a/net/decnet/dn_neigh.c b/net/decnet/dn_neigh.c
index deb723dba44b..0363bb95cc7d 100644
--- a/net/decnet/dn_neigh.c
+++ b/net/decnet/dn_neigh.c
@@ -266,7 +266,8 @@ static int dn_long_output(struct sk_buff *skb)
        skb_reset_network_header(skb);
-        return NF_HOOK(PF_DECnet, NF_DN_POST_ROUTING, skb, NULL, neigh->dev, dn_neigh_output_packet);
+        return NF_HOOK(NFPROTO_DECNET, NF_DN_POST_ROUTING, skb, NULL,
+                       neigh->dev, dn_neigh_output_packet);
 }
 static int dn_short_output(struct sk_buff *skb)
@@ -305,7 +306,8 @@ static int dn_short_output(struct sk_buff *skb)
        skb_reset_network_header(skb);
-        return NF_HOOK(PF_DECnet, NF_DN_POST_ROUTING, skb, NULL, neigh->dev, dn_neigh_output_packet);
+        return NF_HOOK(NFPROTO_DECNET, NF_DN_POST_ROUTING, skb, NULL,
+                       neigh->dev, dn_neigh_output_packet);
 }
 /*
@@ -347,7 +349,8 @@ static int dn_phase3_output(struct sk_buff *skb)
        skb_reset_network_header(skb);
-        return NF_HOOK(PF_DECnet, NF_DN_POST_ROUTING, skb, NULL, neigh->dev, dn_neigh_output_packet);
+        return NF_HOOK(NFPROTO_DECNET, NF_DN_POST_ROUTING, skb, NULL,
+                       neigh->dev, dn_neigh_output_packet);
 }
 /*
diff --git a/net/decnet/dn_nsp_in.c b/net/decnet/dn_nsp_in.c
index 25a37299bc65..b430549e2b91 100644
--- a/net/decnet/dn_nsp_in.c
+++ b/net/decnet/dn_nsp_in.c
@@ -810,7 +810,8 @@ free_out:
 int dn_nsp_rx(struct sk_buff *skb)
 {
-        return NF_HOOK(PF_DECnet, NF_DN_LOCAL_IN, skb, skb->dev, NULL, dn_nsp_rx_packet);
+        return NF_HOOK(NFPROTO_DECNET, NF_DN_LOCAL_IN, skb, skb->dev, NULL,
+                       dn_nsp_rx_packet);
 }
 /*
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c
index 70ebe74027d5..812e6dff6067 100644
--- a/net/decnet/dn_route.c
+++ b/net/decnet/dn_route.c
@@ -264,7 +264,6 @@ static struct dst_entry *dn_dst_negative_advice(struct dst_entry *dst)
 static void dn_dst_link_failure(struct sk_buff *skb)
 {
-        return;
 }
 static inline int compare_keys(struct flowi *fl1, struct flowi *fl2)
@@ -518,7 +517,8 @@ static int dn_route_rx_long(struct sk_buff *skb)
        ptr++;
        cb->hops = *ptr++; /* Visit Count */
-        return NF_HOOK(PF_DECnet, NF_DN_PRE_ROUTING, skb, skb->dev, NULL, dn_route_rx_packet);
+        return NF_HOOK(NFPROTO_DECNET, NF_DN_PRE_ROUTING, skb, skb->dev, NULL,
+                       dn_route_rx_packet);
 drop_it:
        kfree_skb(skb);
@@ -544,7 +544,8 @@ static int dn_route_rx_short(struct sk_buff *skb)
        ptr += 2;
        cb->hops = *ptr & 0x3f;
-        return NF_HOOK(PF_DECnet, NF_DN_PRE_ROUTING, skb, skb->dev, NULL, dn_route_rx_packet);
+        return NF_HOOK(NFPROTO_DECNET, NF_DN_PRE_ROUTING, skb, skb->dev, NULL,
+                       dn_route_rx_packet);
 drop_it:
        kfree_skb(skb);
@@ -646,16 +647,24 @@ int dn_route_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type
                switch(flags & DN_RT_CNTL_MSK) {
                        case DN_RT_PKT_HELO:
-                                return NF_HOOK(PF_DECnet, NF_DN_HELLO, skb, skb->dev, NULL, dn_route_ptp_hello);
+                                return NF_HOOK(NFPROTO_DECNET, NF_DN_HELLO,
+                                               skb, skb->dev, NULL,
+                                               dn_route_ptp_hello);
                        case DN_RT_PKT_L1RT:
                        case DN_RT_PKT_L2RT:
-                                return NF_HOOK(PF_DECnet, NF_DN_ROUTE, skb, skb->dev, NULL, dn_route_discard);
+                                return NF_HOOK(NFPROTO_DECNET, NF_DN_ROUTE,
+                                               skb, skb->dev, NULL,
+                                               dn_route_discard);
                        case DN_RT_PKT_ERTH:
-                                return NF_HOOK(PF_DECnet, NF_DN_HELLO, skb, skb->dev, NULL, dn_neigh_router_hello);
+                                return NF_HOOK(NFPROTO_DECNET, NF_DN_HELLO,
+                                               skb, skb->dev, NULL,
+                                               dn_neigh_router_hello);
                        case DN_RT_PKT_EEDH:
-                                return NF_HOOK(PF_DECnet, NF_DN_HELLO, skb, skb->dev, NULL, dn_neigh_endnode_hello);
+                                return NF_HOOK(NFPROTO_DECNET, NF_DN_HELLO,
+                                               skb, skb->dev, NULL,
+                                               dn_neigh_endnode_hello);
                }
        } else {
                if (dn->parms.state != DN_DEV_S_RU)
@@ -704,7 +713,8 @@ static int dn_output(struct sk_buff *skb)
        cb->rt_flags |= DN_RT_F_IE;
        cb->hops = 0;
-        return NF_HOOK(PF_DECnet, NF_DN_LOCAL_OUT, skb, NULL, dev, neigh->output);
+        return NF_HOOK(NFPROTO_DECNET, NF_DN_LOCAL_OUT, skb, NULL, dev,
+                       neigh->output);
 error:
        if (net_ratelimit())
@@ -753,7 +763,8 @@ static int dn_forward(struct sk_buff *skb)
        if (rt->rt_flags & RTCF_DOREDIRECT)
                cb->rt_flags |= DN_RT_F_IE;
-        return NF_HOOK(PF_DECnet, NF_DN_FORWARD, skb, dev, skb->dev, neigh->output);
+        return NF_HOOK(NFPROTO_DECNET, NF_DN_FORWARD, skb, dev, skb->dev,
+                       neigh->output);
 drop:
        kfree_skb(skb);
diff --git a/net/ieee802154/wpan-class.c b/net/ieee802154/wpan-class.c
index 3d803a1b9fb6..1627ef2e8522 100644
--- a/net/ieee802154/wpan-class.c
+++ b/net/ieee802154/wpan-class.c
@@ -147,13 +147,15 @@ struct wpan_phy *wpan_phy_alloc(size_t priv_size)
        struct wpan_phy *phy = kzalloc(sizeof(*phy) + priv_size,
                        GFP_KERNEL);
+        if (!phy)
+                goto out;
        mutex_lock(&wpan_phy_mutex);
        phy->idx = wpan_phy_idx++;
        if (unlikely(!wpan_phy_idx_valid(phy->idx))) {
                wpan_phy_idx--;
                mutex_unlock(&wpan_phy_mutex);
                kfree(phy);
-                return NULL;
+                goto out;
        }
        mutex_unlock(&wpan_phy_mutex);
@@ -168,6 +170,9 @@ struct wpan_phy *wpan_phy_alloc(size_t priv_size)
        phy->current_page = 0; /* for compatibility */
        return phy;
+out:
+        return NULL;
 }
 EXPORT_SYMBOL(wpan_phy_alloc);
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 8e3a1fd938ab..7c3a7d191249 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -303,7 +303,7 @@ config ARPD
          If unsure, say N.
 config SYN_COOKIES
-        bool "IP: TCP syncookie support (disabled per default)"
+        bool "IP: TCP syncookie support"
        ---help---
          Normal TCP/IP networking is open to an attack known as "SYN
          flooding". This denial-of-service attack prevents legitimate remote
@@ -328,13 +328,13 @@ config SYN_COOKIES
          server is really overloaded. If this happens frequently better turn
          them off.
-          If you say Y here, note that SYN cookies aren't enabled by default;
+          If you say Y here, you can disable SYN cookies at run time by
-          you can enable them by saying Y to "/proc file system support" and
+          saying Y to "/proc file system support" and
          "Sysctl support" below and executing the command
-          echo 1 >/proc/sys/net/ipv4/tcp_syncookies
+          echo 0 > /proc/sys/net/ipv4/tcp_syncookies
-          at boot time after the /proc file system has been mounted.
+          after the /proc file system has been mounted.
          If unsure, say N.
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index c6c43bcd1c6f..551ce564b035 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1573,9 +1573,13 @@ static int __init inet_init(void)
        BUILD_BUG_ON(sizeof(struct inet_skb_parm) > sizeof(dummy_skb->cb));
+        sysctl_local_reserved_ports = kzalloc(65536 / 8, GFP_KERNEL);
+        if (!sysctl_local_reserved_ports)
+                goto out;
        rc = proto_register(&tcp_prot, 1);
        if (rc)
-                goto out;
+                goto out_free_reserved_ports;
        rc = proto_register(&udp_prot, 1);
        if (rc)
@@ -1674,6 +1678,8 @@ out_unregister_udp_proto:
        proto_unregister(&udp_prot);
 out_unregister_tcp_proto:
        proto_unregister(&tcp_prot);
+out_free_reserved_ports:
+        kfree(sysctl_local_reserved_ports);
        goto out;
 }
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 6e747065c202..f094b75810db 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -661,13 +661,13 @@ struct sk_buff *arp_create(int type, int ptype, __be32 dest_ip,
 #endif
 #endif
-#ifdef CONFIG_FDDI
+#if defined(CONFIG_FDDI) || defined(CONFIG_FDDI_MODULE)
        case ARPHRD_FDDI:
                arp->ar_hrd = htons(ARPHRD_ETHER);
                arp->ar_pro = htons(ETH_P_IP);
                break;
 #endif
-#ifdef CONFIG_TR
+#if defined(CONFIG_TR) || defined(CONFIG_TR_MODULE)
        case ARPHRD_IEEE802_TR:
                arp->ar_hrd = htons(ARPHRD_IEEE802);
                arp->ar_pro = htons(ETH_P_IP);
@@ -854,7 +854,7 @@ static int arp_process(struct sk_buff *skb)
        }
        if (arp->ar_op == htons(ARPOP_REQUEST) &&
-            ip_route_input(skb, tip, sip, 0, dev) == 0) {
+            ip_route_input_noref(skb, tip, sip, 0, dev) == 0) {
                rt = skb_rtable(skb);
                addr_type = rt->rt_type;
@@ -1051,7 +1051,7 @@ static int arp_req_set(struct net *net, struct arpreq *r,
                        return -EINVAL;
        }
        switch (dev->type) {
-#ifdef CONFIG_FDDI
+#if defined(CONFIG_FDDI) || defined(CONFIG_FDDI_MODULE)
        case ARPHRD_FDDI:
                /*
                 * According to RFC 1390, FDDI devices should accept ARP
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index c97cd9ff697e..3a92a76ae41d 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -290,8 +290,6 @@ void cipso_v4_cache_invalidate(void)
                cipso_v4_cache[iter].size = 0;
                spin_unlock_bh(&cipso_v4_cache[iter].lock);
        }
-        return;
 }
 /**
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index c98f115fb0fd..79d057a939ba 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1022,8 +1022,6 @@ static void trie_rebalance(struct trie *t, struct tnode *tn)
        rcu_assign_pointer(t->trie, (struct node *)tn);
        tnode_free_flush();
-        return;
 }
 /* only used from updater-side */
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index f3d339f728b0..d65e9215bcd7 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -587,20 +587,20 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
                        err = __ip_route_output_key(net, &rt2, &fl);
                else {
                        struct flowi fl2 = {};
-                        struct dst_entry *odst;
+                        unsigned long orefdst;
                        fl2.fl4_dst = fl.fl4_src;
                        if (ip_route_output_key(net, &rt2, &fl2))
                                goto relookup_failed;
                        /* Ugh! */
-                        odst = skb_dst(skb_in);
+                        orefdst = skb_in->_skb_refdst; /* save old refdst */
                        err = ip_route_input(skb_in, fl.fl4_dst, fl.fl4_src,
                                             RT_TOS(tos), rt2->u.dst.dev);
                        dst_release(&rt2->u.dst);
                        rt2 = skb_rtable(skb_in);
-                        skb_dst_set(skb_in, odst);
+                        skb_in->_skb_refdst = orefdst; /* restore old refdst */
                }
                if (err)
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index e0a3e3537b14..70eb3507c406 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -37,6 +37,9 @@ struct local_ports sysctl_local_ports __read_mostly = {
        .range = { 32768, 61000 },
 };
+unsigned long *sysctl_local_reserved_ports;
+EXPORT_SYMBOL(sysctl_local_reserved_ports);
 void inet_get_local_port_range(int *low, int *high)
 {
        unsigned seq;
@@ -108,6 +111,8 @@ again:
                smallest_size = -1;
                do {
+                        if (inet_is_reserved_local_port(rover))
+                                goto next_nolock;
                        head = &hashinfo->bhash[inet_bhashfn(net, rover,
                                        hashinfo->bhash_size)];
                        spin_lock(&head->lock);
@@ -130,6 +135,7 @@ again:
                        break;
                next:
                        spin_unlock(&head->lock);
+                next_nolock:
                        if (++rover > high)
                                rover = low;
                } while (--remaining > 0);
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 2b79377b468d..d3e160a88219 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -456,6 +456,8 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row,
                local_bh_disable();
                for (i = 1; i <= remaining; i++) {
                        port = low + (i + offset) % remaining;
+                        if (inet_is_reserved_local_port(port))
+                                continue;
                        head = &hinfo->bhash[inet_bhashfn(net, port,
                                        hinfo->bhash_size)];
                        spin_lock(&head->lock);
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index af10942b326c..56cdf68a074c 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -112,8 +112,8 @@ int ip_forward(struct sk_buff *skb)
        skb->priority = rt_tos2priority(iph->tos);
-        return NF_HOOK(PF_INET, NF_INET_FORWARD, skb, skb->dev, rt->u.dst.dev,
+        return NF_HOOK(NFPROTO_IPV4, NF_INET_FORWARD, skb, skb->dev,
-                       ip_forward_finish);
+                       rt->u.dst.dev, ip_forward_finish);
 sr_failed:
        /*
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index fe381d12ecdd..32618e11076d 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -502,7 +502,6 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
        t->err_time = jiffies;
 out:
        rcu_read_unlock();
-        return;
 }
 static inline void ipgre_ecn_decapsulate(struct iphdr *iph, struct sk_buff *skb)
@@ -538,7 +537,6 @@ static int ipgre_rcv(struct sk_buff *skb)
        struct ip_tunnel *tunnel;
        int    offset = 4;
        __be16 gre_proto;
-        unsigned int len;
        if (!pskb_may_pull(skb, 16))
                goto drop_nolock;
@@ -629,8 +627,6 @@ static int ipgre_rcv(struct sk_buff *skb)
                        tunnel->i_seqno = seqno + 1;
                }
-                len = skb->len;
                /* Warning: All skb pointers will be invalidated! */
                if (tunnel->dev->type == ARPHRD_ETHER) {
                        if (!pskb_may_pull(skb, ETH_HLEN)) {
@@ -644,11 +640,7 @@ static int ipgre_rcv(struct sk_buff *skb)
                        skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
                }
-                stats->rx_packets++;
+                skb_tunnel_rx(skb, tunnel->dev);
-                stats->rx_bytes += len;
-                skb->dev = tunnel->dev;
-                skb_dst_drop(skb);
-                nf_reset(skb);
                skb_reset_network_header(skb);
                ipgre_ecn_decapsulate(iph, skb);
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index f8ab7a380d4a..d930dc5e4d85 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -266,7 +266,7 @@ int ip_local_deliver(struct sk_buff *skb)
                        return 0;
        }
-        return NF_HOOK(PF_INET, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
+        return NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
                       ip_local_deliver_finish);
 }
@@ -331,8 +331,8 @@ static int ip_rcv_finish(struct sk_buff *skb)
         *      how the packet travels inside Linux networking.
         */
        if (skb_dst(skb) == NULL) {
-                int err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos,
+                int err = ip_route_input_noref(skb, iph->daddr, iph->saddr,
-                                         skb->dev);
+                                               iph->tos, skb->dev);
                if (unlikely(err)) {
                        if (err == -EHOSTUNREACH)
                                IP_INC_STATS_BH(dev_net(skb->dev),
@@ -444,7 +444,7 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt,
        /* Must drop socket now because of tproxy. */
        skb_orphan(skb);
-        return NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, dev, NULL,
+        return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, dev, NULL,
                       ip_rcv_finish);
 inhdr_error:
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index 4c09a31fd140..ba9836c488ed 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -238,7 +238,6 @@ void ip_options_fragment(struct sk_buff * skb)
        opt->rr_needaddr = 0;
        opt->ts_needaddr = 0;
        opt->ts_needtime = 0;
-        return;
 }
 /*
@@ -601,6 +600,7 @@ int ip_options_rcv_srr(struct sk_buff *skb)
        unsigned char *optptr = skb_network_header(skb) + opt->srr;
        struct rtable *rt = skb_rtable(skb);
        struct rtable *rt2;
+        unsigned long orefdst;
        int err;
        if (!opt->srr)
@@ -624,16 +624,16 @@ int ip_options_rcv_srr(struct sk_buff *skb)
                }
                memcpy(&nexthop, &optptr[srrptr-1], 4);
-                rt = skb_rtable(skb);
+                orefdst = skb->_skb_refdst;
                skb_dst_set(skb, NULL);
                err = ip_route_input(skb, nexthop, iph->saddr, iph->tos, skb->dev);
                rt2 = skb_rtable(skb);
                if (err || (rt2->rt_type != RTN_UNICAST && rt2->rt_type != RTN_LOCAL)) {
-                        ip_rt_put(rt2);
+                        skb_dst_drop(skb);
-                        skb_dst_set(skb, &rt->u.dst);
+                        skb->_skb_refdst = orefdst;
                        return -EINVAL;
                }
-                ip_rt_put(rt);
+                refdst_drop(orefdst);
                if (rt2->rt_type != RTN_LOCAL)
                        break;
                /* Superfast 8) loopback forward */
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index f0392191740b..9a4a6c96cb0d 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -96,8 +96,8 @@ int __ip_local_out(struct sk_buff *skb)
        iph->tot_len = htons(skb->len);
        ip_send_check(iph);
-        return nf_hook(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, skb_dst(skb)->dev,
+        return nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT, skb, NULL,
-                       dst_output);
+                       skb_dst(skb)->dev, dst_output);
 }
 int ip_local_out(struct sk_buff *skb)
@@ -272,8 +272,8 @@ int ip_mc_output(struct sk_buff *skb)
                   ) {
                        struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
                        if (newskb)
-                                NF_HOOK(PF_INET, NF_INET_POST_ROUTING, newskb,
+                                NF_HOOK(NFPROTO_IPV4, NF_INET_POST_ROUTING,
-                                        NULL, newskb->dev,
+                                        newskb, NULL, newskb->dev,
                                        ip_dev_loopback_xmit);
                }
@@ -288,12 +288,12 @@ int ip_mc_output(struct sk_buff *skb)
        if (rt->rt_flags&RTCF_BROADCAST) {
                struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
                if (newskb)
-                        NF_HOOK(PF_INET, NF_INET_POST_ROUTING, newskb, NULL,
+                        NF_HOOK(NFPROTO_IPV4, NF_INET_POST_ROUTING, newskb,
-                                newskb->dev, ip_dev_loopback_xmit);
+                                NULL, newskb->dev, ip_dev_loopback_xmit);
        }
-        return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb, NULL, skb->dev,
+        return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb, NULL,
-                            ip_finish_output,
+                            skb->dev, ip_finish_output,
                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
@@ -306,7 +306,7 @@ int ip_output(struct sk_buff *skb)
        skb->dev = dev;
        skb->protocol = htons(ETH_P_IP);
-        return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb, NULL, dev,
+        return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb, NULL, dev,
                            ip_finish_output,
                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
@@ -318,10 +318,12 @@ int ip_queue_xmit(struct sk_buff *skb)
        struct ip_options *opt = inet->opt;
        struct rtable *rt;
        struct iphdr *iph;
+        int res;
        /* Skip all of this if the packet is already routed,
         * f.e. by something like SCTP.
         */
+        rcu_read_lock();
        rt = skb_rtable(skb);
        if (rt != NULL)
                goto packet_routed;
@@ -359,7 +361,7 @@ int ip_queue_xmit(struct sk_buff *skb)
                }
                sk_setup_caps(sk, &rt->u.dst);
        }
-        skb_dst_set(skb, dst_clone(&rt->u.dst));
+        skb_dst_set_noref(skb, &rt->u.dst);
 packet_routed:
        if (opt && opt->is_strictroute && rt->rt_dst != rt->rt_gateway)
@@ -391,9 +393,12 @@ packet_routed:
        skb->priority = sk->sk_priority;
        skb->mark = sk->sk_mark;
-        return ip_local_out(skb);
+        res = ip_local_out(skb);
+        rcu_read_unlock();
+        return res;
 no_route:
+        rcu_read_unlock();
        IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
        kfree_skb(skb);
        return -EHOSTUNREACH;
@@ -469,6 +474,10 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
        hlen = iph->ihl * 4;
        mtu = dst_mtu(&rt->u.dst) - hlen;       /* Size of data space */
+#ifdef CONFIG_BRIDGE_NETFILTER
+        if (skb->nf_bridge)
+                mtu -= nf_bridge_mtu_reduction(skb);
+#endif
        IPCB(skb)->flags |= IPSKB_FRAG_COMPLETE;
        /* When frag_list is given, use it. First, check its validity:
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index 0b27b14dcc9d..7fd636711037 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -374,11 +374,8 @@ static int ipip_rcv(struct sk_buff *skb)
                skb->protocol = htons(ETH_P_IP);
                skb->pkt_type = PACKET_HOST;
-                tunnel->dev->stats.rx_packets++;
+                skb_tunnel_rx(skb, tunnel->dev);
-                tunnel->dev->stats.rx_bytes += skb->len;
-                skb->dev = tunnel->dev;
-                skb_dst_drop(skb);
-                nf_reset(skb);
                ipip_ecn_decapsulate(iph, skb);
                netif_rx(skb);
                rcu_read_unlock();
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index eddfd12f55b8..757f25eb9b4b 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -22,7 +22,7 @@
 *                                      overflow.
 *      Carlos Picoto           :       PIMv1 Support
 *      Pavlin Ivanov Radoslavov:       PIMv2 Registers must checksum only PIM header
- *                                      Relax this requrement to work with older peers.
+ *                                      Relax this requirement to work with older peers.
 *
 */
@@ -267,8 +267,10 @@ static void __net_exit ipmr_rules_exit(struct net *net)
 {
        struct mr_table *mrt, *next;
-        list_for_each_entry_safe(mrt, next, &net->ipv4.mr_tables, list)
+        list_for_each_entry_safe(mrt, next, &net->ipv4.mr_tables, list) {
+                list_del(&mrt->list);
                kfree(mrt);
+        }
        fib_rules_unregister(net->ipv4.mr_rules_ops);
 }
 #else
@@ -998,7 +1000,8 @@ ipmr_cache_unresolved(struct mr_table *mrt, vifi_t vifi, struct sk_buff *skb)
                atomic_inc(&mrt->cache_resolve_queue_len);
                list_add(&c->list, &mrt->mfc_unres_queue);
-                mod_timer(&mrt->ipmr_expire_timer, c->mfc_un.unres.expires);
+                if (atomic_read(&mrt->cache_resolve_queue_len) == 1)
+                        mod_timer(&mrt->ipmr_expire_timer, c->mfc_un.unres.expires);
        }
        /*
@@ -1599,13 +1602,12 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt,
         * not mrouter) cannot join to more than one interface - it will
         * result in receiving multiple packets.
         */
-        NF_HOOK(PF_INET, NF_INET_FORWARD, skb, skb->dev, dev,
+        NF_HOOK(NFPROTO_IPV4, NF_INET_FORWARD, skb, skb->dev, dev,
                ipmr_forward_finish);
        return;
 out_free:
        kfree_skb(skb);
-        return;
 }
 static int ipmr_find_vif(struct mr_table *mrt, struct net_device *dev)
@@ -1830,14 +1832,12 @@ static int __pim_rcv(struct mr_table *mrt, struct sk_buff *skb,
        skb->mac_header = skb->network_header;
        skb_pull(skb, (u8*)encap - skb->data);
        skb_reset_network_header(skb);
-        skb->dev = reg_dev;
        skb->protocol = htons(ETH_P_IP);
        skb->ip_summed = 0;
        skb->pkt_type = PACKET_HOST;
-        skb_dst_drop(skb);
-        reg_dev->stats.rx_bytes += skb->len;
+        skb_tunnel_rx(skb, reg_dev);
-        reg_dev->stats.rx_packets++;
-        nf_reset(skb);
        netif_rx(skb);
        dev_put(reg_dev);
@@ -1913,7 +1913,7 @@ static int __ipmr_fill_mroute(struct mr_table *mrt, struct sk_buff *skb,
        struct rtattr *mp_head;
        /* If cache is unresolved, don't try to parse IIF and OIF */
-        if (c->mfc_parent > MAXVIFS)
+        if (c->mfc_parent >= MAXVIFS)
                return -ENOENT;
        if (VIF_EXISTS(mrt, c->mfc_parent))
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 82fb43c5c59e..07de855e2175 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -17,7 +17,7 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
        const struct iphdr *iph = ip_hdr(skb);
        struct rtable *rt;
        struct flowi fl = {};
-        struct dst_entry *odst;
+        unsigned long orefdst;
        unsigned int hh_len;
        unsigned int type;
@@ -51,14 +51,14 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
                if (ip_route_output_key(net, &rt, &fl) != 0)
                        return -1;
-                odst = skb_dst(skb);
+                orefdst = skb->_skb_refdst;
                if (ip_route_input(skb, iph->daddr, iph->saddr,
                                   RT_TOS(iph->tos), rt->u.dst.dev) != 0) {
                        dst_release(&rt->u.dst);
                        return -1;
                }
                dst_release(&rt->u.dst);
-                dst_release(odst);
+                refdst_drop(orefdst);
        }
        if (skb_dst(skb)->error)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index f07d77f65751..1ac01b128621 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -49,12 +49,7 @@ MODULE_DESCRIPTION("arptables core");
 #endif
 #ifdef CONFIG_NETFILTER_DEBUG
-#define ARP_NF_ASSERT(x)                                        \
+#define ARP_NF_ASSERT(x)        WARN_ON(!(x))
-do {                                                            \
-        if (!(x))                                               \
-                printk("ARP_NF_ASSERT: %s:%s:%u\n",             \
-                       __func__, __FILE__, __LINE__);   \
-} while(0)
 #else
 #define ARP_NF_ASSERT(x)
 #endif
@@ -224,10 +219,10 @@ static inline int arp_checkentry(const struct arpt_arp *arp)
 }
 static unsigned int
-arpt_error(struct sk_buff *skb, const struct xt_target_param *par)
+arpt_error(struct sk_buff *skb, const struct xt_action_param *par)
 {
        if (net_ratelimit())
-                printk("arp_tables: error: '%s'\n",
+                pr_err("arp_tables: error: '%s'\n",
                       (const char *)par->targinfo);
        return NF_DROP;
@@ -260,12 +255,11 @@ unsigned int arpt_do_table(struct sk_buff *skb,
        static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
        unsigned int verdict = NF_DROP;
        const struct arphdr *arp;
-        bool hotdrop = false;
        struct arpt_entry *e, *back;
        const char *indev, *outdev;
        void *table_base;
        const struct xt_table_info *private;
-        struct xt_target_param tgpar;
+        struct xt_action_param acpar;
        if (!pskb_may_pull(skb, arp_hdr_len(skb->dev)))
                return NF_DROP;
@@ -280,10 +274,11 @@ unsigned int arpt_do_table(struct sk_buff *skb,
        e = get_entry(table_base, private->hook_entry[hook]);
        back = get_entry(table_base, private->underflow[hook]);
-        tgpar.in      = in;
+        acpar.in      = in;
-        tgpar.out     = out;
+        acpar.out     = out;
-        tgpar.hooknum = hook;
+        acpar.hooknum = hook;
-        tgpar.family  = NFPROTO_ARP;
+        acpar.family  = NFPROTO_ARP;
+        acpar.hotdrop = false;
        arp = arp_hdr(skb);
        do {
@@ -333,9 +328,9 @@ unsigned int arpt_do_table(struct sk_buff *skb,
                /* Targets which reenter must return
                 * abs. verdicts
                 */
-                tgpar.target   = t->u.kernel.target;
+                acpar.target   = t->u.kernel.target;
-                tgpar.targinfo = t->data;
+                acpar.targinfo = t->data;
-                verdict = t->u.kernel.target->target(skb, &tgpar);
+                verdict = t->u.kernel.target->target(skb, &acpar);
                /* Target might have changed stuff. */
                arp = arp_hdr(skb);
@@ -345,10 +340,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
                else
                        /* Verdict */
                        break;
-        } while (!hotdrop);
+        } while (!acpar.hotdrop);
        xt_info_rdunlock_bh();
-        if (hotdrop)
+        if (acpar.hotdrop)
                return NF_DROP;
        else
                return verdict;
@@ -390,7 +385,7 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
                        int visited = e->comefrom & (1 << hook);
                        if (e->comefrom & (1 << NF_ARP_NUMHOOKS)) {
-                                printk("arptables: loop hook %u pos %u %08X.\n",
+                                pr_notice("arptables: loop hook %u pos %u %08X.\n",
                                       hook, pos, e->comefrom);
                                return 0;
                        }
@@ -523,13 +518,11 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
                return ret;
        t = arpt_get_target(e);
-        target = try_then_request_module(xt_find_target(NFPROTO_ARP,
+        target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
-                                                        t->u.user.name,
+                                        t->u.user.revision);
-                                                        t->u.user.revision),
+        if (IS_ERR(target)) {
-                                         "arpt_%s", t->u.user.name);
-        if (IS_ERR(target) || !target) {
                duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
-                ret = target ? PTR_ERR(target) : -ENOENT;
+                ret = PTR_ERR(target);
                goto out;
        }
        t->u.kernel.target = target;
@@ -651,6 +644,9 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
                if (ret != 0)
                        break;
                ++i;
+                if (strcmp(arpt_get_target(iter)->u.user.name,
+                    XT_ERROR_TARGET) == 0)
+                        ++newinfo->stacksize;
        }
        duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
        if (ret != 0)
@@ -1252,14 +1248,12 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
        entry_offset = (void *)e - (void *)base;
        t = compat_arpt_get_target(e);
-        target = try_then_request_module(xt_find_target(NFPROTO_ARP,
+        target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
-                                                        t->u.user.name,
+                                        t->u.user.revision);
-                                                        t->u.user.revision),
+        if (IS_ERR(target)) {
-                                         "arpt_%s", t->u.user.name);
-        if (IS_ERR(target) || !target) {
                duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
                         t->u.user.name);
-                ret = target ? PTR_ERR(target) : -ENOENT;
+                ret = PTR_ERR(target);
                goto out;
        }
        t->u.kernel.target = target;
@@ -1778,8 +1772,7 @@ struct xt_table *arpt_register_table(struct net *net,
 {
        int ret;
        struct xt_table_info *newinfo;
-        struct xt_table_info bootstrap
+        struct xt_table_info bootstrap = {0};
-                = { 0, 0, 0, { 0 }, { 0 }, { } };
        void *loc_cpu_entry;
        struct xt_table *new_table;
@@ -1830,22 +1823,23 @@ void arpt_unregister_table(struct xt_table *table)
 }
 /* The built-in targets: standard (NULL) and error. */
-static struct xt_target arpt_standard_target __read_mostly = {
+static struct xt_target arpt_builtin_tg[] __read_mostly = {
-        .name           = ARPT_STANDARD_TARGET,
+        {
-        .targetsize     = sizeof(int),
+                .name             = ARPT_STANDARD_TARGET,
-        .family         = NFPROTO_ARP,
+                .targetsize       = sizeof(int),
+                .family           = NFPROTO_ARP,
 #ifdef CONFIG_COMPAT
-        .compatsize     = sizeof(compat_int_t),
+                .compatsize       = sizeof(compat_int_t),
-        .compat_from_user = compat_standard_from_user,
+                .compat_from_user = compat_standard_from_user,
-        .compat_to_user = compat_standard_to_user,
+                .compat_to_user   = compat_standard_to_user,
 #endif
-};
+        },
+        {
-static struct xt_target arpt_error_target __read_mostly = {
+                .name             = ARPT_ERROR_TARGET,
-        .name           = ARPT_ERROR_TARGET,
+                .target           = arpt_error,
-        .target         = arpt_error,
+                .targetsize       = ARPT_FUNCTION_MAXNAMELEN,
-        .targetsize     = ARPT_FUNCTION_MAXNAMELEN,
+                .family           = NFPROTO_ARP,
-        .family         = NFPROTO_ARP,
+        },
 };
 static struct nf_sockopt_ops arpt_sockopts = {
@@ -1889,12 +1883,9 @@ static int __init arp_tables_init(void)
                goto err1;
        /* Noone else will be downing sem now, so we won't sleep */
-        ret = xt_register_target(&arpt_standard_target);
+        ret = xt_register_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
        if (ret < 0)
                goto err2;
-        ret = xt_register_target(&arpt_error_target);
-        if (ret < 0)
-                goto err3;
        /* Register setsockopt */
        ret = nf_register_sockopt(&arpt_sockopts);
@@ -1905,9 +1896,7 @@ static int __init arp_tables_init(void)
        return 0;
 err4:
-        xt_unregister_target(&arpt_error_target);
+        xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
-err3:
-        xt_unregister_target(&arpt_standard_target);
 err2:
        unregister_pernet_subsys(&arp_tables_net_ops);
 err1:
@@ -1917,8 +1906,7 @@ err1:
 static void __exit arp_tables_fini(void)
 {
        nf_unregister_sockopt(&arpt_sockopts);
-        xt_unregister_target(&arpt_error_target);
+        xt_unregister_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
-        xt_unregister_target(&arpt_standard_target);
        unregister_pernet_subsys(&arp_tables_net_ops);
 }
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index b0d5b1d0a769..e1be7dd1171b 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -9,7 +9,7 @@ MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
 MODULE_DESCRIPTION("arptables arp payload mangle target");
 static unsigned int
-target(struct sk_buff *skb, const struct xt_target_param *par)
+target(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct arpt_mangle *mangle = par->targinfo;
        const struct arphdr *arp;
@@ -54,7 +54,7 @@ target(struct sk_buff *skb, const struct xt_target_param *par)
        return mangle->target;
 }
-static bool checkentry(const struct xt_tgchk_param *par)
+static int checkentry(const struct xt_tgchk_param *par)
 {
        const struct arpt_mangle *mangle = par->targinfo;
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index e2787048aa0a..a4e5fc5df4bf 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -161,8 +161,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
                break;
        case IPQ_COPY_PACKET:
-                if ((entry->skb->ip_summed == CHECKSUM_PARTIAL ||
+                if (entry->skb->ip_summed == CHECKSUM_PARTIAL &&
-                     entry->skb->ip_summed == CHECKSUM_COMPLETE) &&
                    (*errp = skb_checksum_help(entry->skb))) {
                        read_unlock_bh(&queue_lock);
                        return NULL;
@@ -462,7 +461,6 @@ __ipq_rcv_skb(struct sk_buff *skb)
        if (flags & NLM_F_ACK)
                netlink_ack(skb, nlh, 0);
-        return;
 }
 static void
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index b29c66df8d1f..4b6c5ca610fc 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -39,24 +39,19 @@ MODULE_DESCRIPTION("IPv4 packet filter");
 /*#define DEBUG_IP_FIREWALL_USER*/
 #ifdef DEBUG_IP_FIREWALL
-#define dprintf(format, args...)  printk(format , ## args)
+#define dprintf(format, args...) pr_info(format , ## args)
 #else
 #define dprintf(format, args...)
 #endif
 #ifdef DEBUG_IP_FIREWALL_USER
-#define duprintf(format, args...) printk(format , ## args)
+#define duprintf(format, args...) pr_info(format , ## args)
 #else
 #define duprintf(format, args...)
 #endif
 #ifdef CONFIG_NETFILTER_DEBUG
-#define IP_NF_ASSERT(x)                                         \
+#define IP_NF_ASSERT(x)         WARN_ON(!(x))
-do {                                                            \
-        if (!(x))                                               \
-                printk("IP_NF_ASSERT: %s:%s:%u\n",              \
-                       __func__, __FILE__, __LINE__);   \
-} while(0)
 #else
 #define IP_NF_ASSERT(x)
 #endif
@@ -165,30 +160,14 @@ ip_checkentry(const struct ipt_ip *ip)
 }
 static unsigned int
-ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
+ipt_error(struct sk_buff *skb, const struct xt_action_param *par)
 {
        if (net_ratelimit())
-                printk("ip_tables: error: `%s'\n",
+                pr_info("error: `%s'\n", (const char *)par->targinfo);
-                       (const char *)par->targinfo);
        return NF_DROP;
 }
-/* Performance critical - called for every packet */
-static inline bool
-do_match(const struct ipt_entry_match *m, const struct sk_buff *skb,
-         struct xt_match_param *par)
-{
-        par->match     = m->u.kernel.match;
-        par->matchinfo = m->data;
-        /* Stop iteration if it doesn't match */
-        if (!m->u.kernel.match->match(skb, par))
-                return true;
-        else
-                return false;
-}
 /* Performance critical */
 static inline struct ipt_entry *
 get_entry(const void *base, unsigned int offset)
@@ -322,19 +301,16 @@ ipt_do_table(struct sk_buff *skb,
             const struct net_device *out,
             struct xt_table *table)
 {
-#define tb_comefrom ((struct ipt_entry *)table_base)->comefrom
        static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
        const struct iphdr *ip;
-        bool hotdrop = false;
        /* Initializing verdict to NF_DROP keeps gcc happy. */
        unsigned int verdict = NF_DROP;
        const char *indev, *outdev;
        const void *table_base;
-        struct ipt_entry *e, *back;
+        struct ipt_entry *e, **jumpstack;
+        unsigned int *stackptr, origptr, cpu;
        const struct xt_table_info *private;
-        struct xt_match_param mtpar;
+        struct xt_action_param acpar;
-        struct xt_target_param tgpar;
        /* Initialization */
        ip = ip_hdr(skb);
@@ -346,40 +322,47 @@ ipt_do_table(struct sk_buff *skb,
         * things we don't know, ie. tcp syn flag or ports).  If the
         * rule is also a fragment-specific rule, non-fragments won't
         * match it. */
-        mtpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
+        acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
-        mtpar.thoff   = ip_hdrlen(skb);
+        acpar.thoff   = ip_hdrlen(skb);
-        mtpar.hotdrop = &hotdrop;
+        acpar.hotdrop = false;
-        mtpar.in      = tgpar.in  = in;
+        acpar.in      = in;
-        mtpar.out     = tgpar.out = out;
+        acpar.out     = out;
-        mtpar.family  = tgpar.family = NFPROTO_IPV4;
+        acpar.family  = NFPROTO_IPV4;
-        mtpar.hooknum = tgpar.hooknum = hook;
+        acpar.hooknum = hook;
        IP_NF_ASSERT(table->valid_hooks & (1 << hook));
        xt_info_rdlock_bh();
        private = table->private;
-        table_base = private->entries[smp_processor_id()];
+        cpu        = smp_processor_id();
+        table_base = private->entries[cpu];
+        jumpstack  = (struct ipt_entry **)private->jumpstack[cpu];
+        stackptr   = per_cpu_ptr(private->stackptr, cpu);
+        origptr    = *stackptr;
        e = get_entry(table_base, private->hook_entry[hook]);
-        /* For return from builtin chain */
+        pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n",
-        back = get_entry(table_base, private->underflow[hook]);
+                 table->name, hook, origptr,
+                 get_entry(table_base, private->underflow[hook]));
        do {
                const struct ipt_entry_target *t;
                const struct xt_entry_match *ematch;
                IP_NF_ASSERT(e);
-                IP_NF_ASSERT(back);
                if (!ip_packet_match(ip, indev, outdev,
-                    &e->ip, mtpar.fragoff)) {
+                    &e->ip, acpar.fragoff)) {
 no_match:
                        e = ipt_next_entry(e);
                        continue;
                }
-                xt_ematch_foreach(ematch, e)
+                xt_ematch_foreach(ematch, e) {
-                        if (do_match(ematch, skb, &mtpar) != 0)
+                        acpar.match     = ematch->u.kernel.match;
+                        acpar.matchinfo = ematch->data;
+                        if (!acpar.match->match(skb, &acpar))
                                goto no_match;
+                }
                ADD_COUNTER(e->counters, ntohs(ip->tot_len), 1);
@@ -404,41 +387,38 @@ ipt_do_table(struct sk_buff *skb,
                                        verdict = (unsigned)(-v) - 1;
                                        break;
                                }
-                                e = back;
+                                if (*stackptr == 0) {
-                                back = get_entry(table_base, back->comefrom);
+                                        e = get_entry(table_base,
+                                            private->underflow[hook]);
+                                        pr_debug("Underflow (this is normal) "
+                                                 "to %p\n", e);
+                                } else {
+                                        e = jumpstack[--*stackptr];
+                                        pr_debug("Pulled %p out from pos %u\n",
+                                                 e, *stackptr);
+                                        e = ipt_next_entry(e);
+                                }
                                continue;
                        }
                        if (table_base + v != ipt_next_entry(e) &&
                            !(e->ip.flags & IPT_F_GOTO)) {
-                                /* Save old back ptr in next entry */
+                                if (*stackptr >= private->stacksize) {
-                                struct ipt_entry *next = ipt_next_entry(e);
+                                        verdict = NF_DROP;
-                                next->comefrom = (void *)back - table_base;
+                                        break;
-                                /* set back pointer to next entry */
+                                }
-                                back = next;
+                                jumpstack[(*stackptr)++] = e;
+                                pr_debug("Pushed %p into pos %u\n",
+                                         e, *stackptr - 1);
                        }
                        e = get_entry(table_base, v);
                        continue;
                }
-                /* Targets which reenter must return
+                acpar.target   = t->u.kernel.target;
-                   abs. verdicts */
+                acpar.targinfo = t->data;
-                tgpar.target   = t->u.kernel.target;
-                tgpar.targinfo = t->data;
-#ifdef CONFIG_NETFILTER_DEBUG
+                verdict = t->u.kernel.target->target(skb, &acpar);
-                tb_comefrom = 0xeeeeeeec;
-#endif
-                verdict = t->u.kernel.target->target(skb, &tgpar);
-#ifdef CONFIG_NETFILTER_DEBUG
-                if (tb_comefrom != 0xeeeeeeec && verdict == IPT_CONTINUE) {
-                        printk("Target %s reentered!\n",
-                               t->u.kernel.target->name);
-                        verdict = NF_DROP;
-                }
-                tb_comefrom = 0x57acc001;
-#endif
                /* Target might have changed stuff. */
                ip = ip_hdr(skb);
                if (verdict == IPT_CONTINUE)
@@ -446,18 +426,18 @@ ipt_do_table(struct sk_buff *skb,
                else
                        /* Verdict */
                        break;
-        } while (!hotdrop);
+        } while (!acpar.hotdrop);
        xt_info_rdunlock_bh();
+        pr_debug("Exiting %s; resetting sp from %u to %u\n",
+                 __func__, *stackptr, origptr);
+        *stackptr = origptr;
 #ifdef DEBUG_ALLOW_ALL
        return NF_ACCEPT;
 #else
-        if (hotdrop)
+        if (acpar.hotdrop)
                return NF_DROP;
        else return verdict;
 #endif
-#undef tb_comefrom
 }
 /* Figures out from what hook each rule can be called: returns 0 if
@@ -486,7 +466,7 @@ mark_source_chains(const struct xt_table_info *newinfo,
                        int visited = e->comefrom & (1 << hook);
                        if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
-                                printk("iptables: loop hook %u pos %u %08X.\n",
+                                pr_err("iptables: loop hook %u pos %u %08X.\n",
                                       hook, pos, e->comefrom);
                                return 0;
                        }
@@ -591,7 +571,7 @@ check_entry(const struct ipt_entry *e, const char *name)
        const struct ipt_entry_target *t;
        if (!ip_checkentry(&e->ip)) {
-                duprintf("ip_tables: ip check failed %p %s.\n", e, name);
+                duprintf("ip check failed %p %s.\n", e, par->match->name);
                return -EINVAL;
        }
@@ -618,8 +598,7 @@ check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
        ret = xt_check_match(par, m->u.match_size - sizeof(*m),
              ip->proto, ip->invflags & IPT_INV_PROTO);
        if (ret < 0) {
-                duprintf("ip_tables: check failed for `%s'.\n",
+                duprintf("check failed for `%s'.\n", par->match->name);
-                         par.match->name);
                return ret;
        }
        return 0;
@@ -631,12 +610,11 @@ find_check_match(struct ipt_entry_match *m, struct xt_mtchk_param *par)
        struct xt_match *match;
        int ret;
-        match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
+        match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
-                                                      m->u.user.revision),
+                                      m->u.user.revision);
-                                        "ipt_%s", m->u.user.name);
+        if (IS_ERR(match)) {
-        if (IS_ERR(match) || !match) {
                duprintf("find_check_match: `%s' not found\n", m->u.user.name);
-                return match ? PTR_ERR(match) : -ENOENT;
+                return PTR_ERR(match);
        }
        m->u.kernel.match = match;
@@ -667,7 +645,7 @@ static int check_target(struct ipt_entry *e, struct net *net, const char *name)
        ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
              e->ip.proto, e->ip.invflags & IPT_INV_PROTO);
        if (ret < 0) {
-                duprintf("ip_tables: check failed for `%s'.\n",
+                duprintf("check failed for `%s'.\n",
                         t->u.kernel.target->name);
                return ret;
        }
@@ -703,13 +681,11 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
        }
        t = ipt_get_target(e);
-        target = try_then_request_module(xt_find_target(AF_INET,
+        target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
-                                                        t->u.user.name,
+                                        t->u.user.revision);
-                                                        t->u.user.revision),
+        if (IS_ERR(target)) {
-                                         "ipt_%s", t->u.user.name);
-        if (IS_ERR(target) || !target) {
                duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
-                ret = target ? PTR_ERR(target) : -ENOENT;
+                ret = PTR_ERR(target);
                goto cleanup_matches;
        }
        t->u.kernel.target = target;
@@ -843,6 +819,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
                if (ret != 0)
                        return ret;
                ++i;
+                if (strcmp(ipt_get_target(iter)->u.user.name,
+                    XT_ERROR_TARGET) == 0)
+                        ++newinfo->stacksize;
        }
        if (i != repl->num_entries) {
@@ -1311,7 +1290,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
        if (ret != 0)
                goto free_newinfo;
-        duprintf("ip_tables: Translated table\n");
+        duprintf("Translated table\n");
        ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
                           tmp.num_counters, tmp.counters);
@@ -1476,13 +1455,12 @@ compat_find_calc_match(struct ipt_entry_match *m,
 {
        struct xt_match *match;
-        match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
+        match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
-                                                      m->u.user.revision),
+                                      m->u.user.revision);
-                                        "ipt_%s", m->u.user.name);
+        if (IS_ERR(match)) {
-        if (IS_ERR(match) || !match) {
                duprintf("compat_check_calc_match: `%s' not found\n",
                         m->u.user.name);
-                return match ? PTR_ERR(match) : -ENOENT;
+                return PTR_ERR(match);
        }
        m->u.kernel.match = match;
        *size += xt_compat_match_offset(match);
@@ -1549,14 +1527,12 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
        }
        t = compat_ipt_get_target(e);
-        target = try_then_request_module(xt_find_target(AF_INET,
+        target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
-                                                        t->u.user.name,
+                                        t->u.user.revision);
-                                                        t->u.user.revision),
+        if (IS_ERR(target)) {
-                                         "ipt_%s", t->u.user.name);
-        if (IS_ERR(target) || !target) {
                duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
                         t->u.user.name);
-                ret = target ? PTR_ERR(target) : -ENOENT;
+                ret = PTR_ERR(target);
                goto release_matches;
        }
        t->u.kernel.target = target;
@@ -2094,8 +2070,7 @@ struct xt_table *ipt_register_table(struct net *net,
 {
        int ret;
        struct xt_table_info *newinfo;
-        struct xt_table_info bootstrap
+        struct xt_table_info bootstrap = {0};
-                = { 0, 0, 0, { 0 }, { 0 }, { } };
        void *loc_cpu_entry;
        struct xt_table *new_table;
@@ -2157,7 +2132,7 @@ icmp_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
 }
 static bool
-icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
+icmp_match(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct icmphdr *ic;
        struct icmphdr _icmph;
@@ -2173,7 +2148,7 @@ icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
                 * can't.  Hence, no choice but to drop.
                 */
                duprintf("Dropping evil ICMP tinygram.\n");
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
@@ -2184,31 +2159,31 @@ icmp_match(const struct sk_buff *skb, const struct xt_match_param *par)
                                    !!(icmpinfo->invflags&IPT_ICMP_INV));
 }
-static bool icmp_checkentry(const struct xt_mtchk_param *par)
+static int icmp_checkentry(const struct xt_mtchk_param *par)
 {
        const struct ipt_icmp *icmpinfo = par->matchinfo;
        /* Must specify no unknown invflags */
-        return !(icmpinfo->invflags & ~IPT_ICMP_INV);
+        return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;
 }
-/* The built-in targets: standard (NULL) and error. */
+static struct xt_target ipt_builtin_tg[] __read_mostly = {
-static struct xt_target ipt_standard_target __read_mostly = {
+        {
-        .name           = IPT_STANDARD_TARGET,
+                .name             = IPT_STANDARD_TARGET,
-        .targetsize     = sizeof(int),
+                .targetsize       = sizeof(int),
-        .family         = NFPROTO_IPV4,
+                .family           = NFPROTO_IPV4,
 #ifdef CONFIG_COMPAT
-        .compatsize     = sizeof(compat_int_t),
+                .compatsize       = sizeof(compat_int_t),
-        .compat_from_user = compat_standard_from_user,
+                .compat_from_user = compat_standard_from_user,
-        .compat_to_user = compat_standard_to_user,
+                .compat_to_user   = compat_standard_to_user,
 #endif
-};
+        },
+        {
-static struct xt_target ipt_error_target __read_mostly = {
+                .name             = IPT_ERROR_TARGET,
-        .name           = IPT_ERROR_TARGET,
+                .target           = ipt_error,
-        .target         = ipt_error,
+                .targetsize       = IPT_FUNCTION_MAXNAMELEN,
-        .targetsize     = IPT_FUNCTION_MAXNAMELEN,
+                .family           = NFPROTO_IPV4,
-        .family         = NFPROTO_IPV4,
+        },
 };
 static struct nf_sockopt_ops ipt_sockopts = {
@@ -2228,13 +2203,15 @@ static struct nf_sockopt_ops ipt_sockopts = {
        .owner          = THIS_MODULE,
 };
-static struct xt_match icmp_matchstruct __read_mostly = {
+static struct xt_match ipt_builtin_mt[] __read_mostly = {
-        .name           = "icmp",
+        {
-        .match          = icmp_match,
+                .name       = "icmp",
-        .matchsize      = sizeof(struct ipt_icmp),
+                .match      = icmp_match,
-        .checkentry     = icmp_checkentry,
+                .matchsize  = sizeof(struct ipt_icmp),
-        .proto          = IPPROTO_ICMP,
+                .checkentry = icmp_checkentry,
-        .family         = NFPROTO_IPV4,
+                .proto      = IPPROTO_ICMP,
+                .family     = NFPROTO_IPV4,
+        },
 };
 static int __net_init ip_tables_net_init(struct net *net)
@@ -2261,13 +2238,10 @@ static int __init ip_tables_init(void)
                goto err1;
        /* Noone else will be downing sem now, so we won't sleep */
-        ret = xt_register_target(&ipt_standard_target);
+        ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
        if (ret < 0)
                goto err2;
-        ret = xt_register_target(&ipt_error_target);
+        ret = xt_register_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
-        if (ret < 0)
-                goto err3;
-        ret = xt_register_match(&icmp_matchstruct);
        if (ret < 0)
                goto err4;
@@ -2276,15 +2250,13 @@ static int __init ip_tables_init(void)
        if (ret < 0)
                goto err5;
-        printk(KERN_INFO "ip_tables: (C) 2000-2006 Netfilter Core Team\n");
+        pr_info("(C) 2000-2006 Netfilter Core Team\n");
        return 0;
 err5:
-        xt_unregister_match(&icmp_matchstruct);
+        xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
 err4:
-        xt_unregister_target(&ipt_error_target);
+        xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
-err3:
-        xt_unregister_target(&ipt_standard_target);
 err2:
        unregister_pernet_subsys(&ip_tables_net_ops);
 err1:
@@ -2295,10 +2267,8 @@ static void __exit ip_tables_fini(void)
 {
        nf_unregister_sockopt(&ipt_sockopts);
-        xt_unregister_match(&icmp_matchstruct);
+        xt_unregister_matches(ipt_builtin_mt, ARRAY_SIZE(ipt_builtin_mt));
-        xt_unregister_target(&ipt_error_target);
+        xt_unregister_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
-        xt_unregister_target(&ipt_standard_target);
        unregister_pernet_subsys(&ip_tables_net_ops);
 }
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index a992dc826f1c..f91c94b9a790 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -9,6 +9,7 @@
 * published by the Free Software Foundation.
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/proc_fs.h>
 #include <linux/jhash.h>
@@ -239,8 +240,7 @@ clusterip_hashfn(const struct sk_buff *skb,
                break;
        default:
                if (net_ratelimit())
-                        printk(KERN_NOTICE "CLUSTERIP: unknown protocol `%u'\n",
+                        pr_info("unknown protocol %u\n", iph->protocol);
-                                iph->protocol);
                sport = dport = 0;
        }
@@ -262,7 +262,7 @@ clusterip_hashfn(const struct sk_buff *skb,
                hashval = 0;
                /* This cannot happen, unless the check function wasn't called
                 * at rule load time */
-                printk("CLUSTERIP: unknown mode `%u'\n", config->hash_mode);
+                pr_info("unknown mode %u\n", config->hash_mode);
                BUG();
                break;
        }
@@ -282,7 +282,7 @@ clusterip_responsible(const struct clusterip_config *config, u_int32_t hash)
 ***********************************************************************/
 static unsigned int
-clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
+clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
        struct nf_conn *ct;
@@ -295,7 +295,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
        ct = nf_ct_get(skb, &ctinfo);
        if (ct == NULL) {
-                printk(KERN_ERR "CLUSTERIP: no conntrack!\n");
+                pr_info("no conntrack!\n");
                        /* FIXME: need to drop invalid ones, since replies
                         * to outgoing connections of other nodes will be
                         * marked as INVALID */
@@ -348,25 +348,24 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return XT_CONTINUE;
 }
-static bool clusterip_tg_check(const struct xt_tgchk_param *par)
+static int clusterip_tg_check(const struct xt_tgchk_param *par)
 {
        struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
        const struct ipt_entry *e = par->entryinfo;
        struct clusterip_config *config;
+        int ret;
        if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP &&
            cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
            cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) {
-                printk(KERN_WARNING "CLUSTERIP: unknown mode `%u'\n",
+                pr_info("unknown mode %u\n", cipinfo->hash_mode);
-                        cipinfo->hash_mode);
+                return -EINVAL;
-                return false;
        }
        if (e->ip.dmsk.s_addr != htonl(0xffffffff) ||
            e->ip.dst.s_addr == 0) {
-                printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n");
+                pr_info("Please specify destination IP\n");
-                return false;
+                return -EINVAL;
        }
        /* FIXME: further sanity checks */
@@ -374,41 +373,41 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
        config = clusterip_config_find_get(e->ip.dst.s_addr, 1);
        if (!config) {
                if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) {
-                        printk(KERN_WARNING "CLUSTERIP: no config found for %pI4, need 'new'\n", &e->ip.dst.s_addr);
+                        pr_info("no config found for %pI4, need 'new'\n",
-                        return false;
+                                &e->ip.dst.s_addr);
+                        return -EINVAL;
                } else {
                        struct net_device *dev;
                        if (e->ip.iniface[0] == '\0') {
-                                printk(KERN_WARNING "CLUSTERIP: Please specify an interface name\n");
+                                pr_info("Please specify an interface name\n");
-                                return false;
+                                return -EINVAL;
                        }
                        dev = dev_get_by_name(&init_net, e->ip.iniface);
                        if (!dev) {
-                                printk(KERN_WARNING "CLUSTERIP: no such interface %s\n", e->ip.iniface);
+                                pr_info("no such interface %s\n",
-                                return false;
+                                        e->ip.iniface);
+                                return -ENOENT;
                        }
                        config = clusterip_config_init(cipinfo,
                                                        e->ip.dst.s_addr, dev);
                        if (!config) {
-                                printk(KERN_WARNING "CLUSTERIP: cannot allocate config\n");
+                                pr_info("cannot allocate config\n");
                                dev_put(dev);
-                                return false;
+                                return -ENOMEM;
                        }
                        dev_mc_add(config->dev, config->clustermac);
                }
        }
        cipinfo->config = config;
-        if (nf_ct_l3proto_try_module_get(par->target->family) < 0) {
+        ret = nf_ct_l3proto_try_module_get(par->family);
-                printk(KERN_WARNING "can't load conntrack support for "
+        if (ret < 0)
-                                    "proto=%u\n", par->target->family);
+                pr_info("cannot load conntrack support for proto=%u\n",
-                return false;
+                        par->family);
-        }
+        return ret;
-        return true;
 }
 /* drop reference count of cluster config when rule is deleted */
@@ -422,7 +421,7 @@ static void clusterip_tg_destroy(const struct xt_tgdtor_param *par)
        clusterip_config_put(cipinfo->config);
-        nf_ct_l3proto_module_put(par->target->family);
+        nf_ct_l3proto_module_put(par->family);
 }
 #ifdef CONFIG_COMPAT
@@ -479,8 +478,8 @@ static void arp_print(struct arp_payload *payload)
        }
        hbuffer[--k]='\0';
-        printk("src %pI4@%s, dst %pI4\n",
+        pr_debug("src %pI4@%s, dst %pI4\n",
-                &payload->src_ip, hbuffer, &payload->dst_ip);
+                 &payload->src_ip, hbuffer, &payload->dst_ip);
 }
 #endif
@@ -519,7 +518,7 @@ arp_mangle(unsigned int hook,
         * this wouldn't work, since we didn't subscribe the mcast group on
         * other interfaces */
        if (c->dev != out) {
-                pr_debug("CLUSTERIP: not mangling arp reply on different "
+                pr_debug("not mangling arp reply on different "
                         "interface: cip'%s'-skb'%s'\n",
                         c->dev->name, out->name);
                clusterip_config_put(c);
@@ -530,7 +529,7 @@ arp_mangle(unsigned int hook,
        memcpy(payload->src_hw, c->clustermac, arp->ar_hln);
 #ifdef DEBUG
-        pr_debug(KERN_DEBUG "CLUSTERIP mangled arp reply: ");
+        pr_debug("mangled arp reply: ");
        arp_print(payload);
 #endif
@@ -601,7 +600,8 @@ static void *clusterip_seq_next(struct seq_file *s, void *v, loff_t *pos)
 static void clusterip_seq_stop(struct seq_file *s, void *v)
 {
-        kfree(v);
+        if (!IS_ERR(v))
+                kfree(v);
 }
 static int clusterip_seq_show(struct seq_file *s, void *v)
@@ -706,13 +706,13 @@ static int __init clusterip_tg_init(void)
 #ifdef CONFIG_PROC_FS
        clusterip_procdir = proc_mkdir("ipt_CLUSTERIP", init_net.proc_net);
        if (!clusterip_procdir) {
-                printk(KERN_ERR "CLUSTERIP: Unable to proc dir entry\n");
+                pr_err("Unable to proc dir entry\n");
                ret = -ENOMEM;
                goto cleanup_hook;
        }
 #endif /* CONFIG_PROC_FS */
-        printk(KERN_NOTICE "ClusterIP Version %s loaded successfully\n",
+        pr_info("ClusterIP Version %s loaded successfully\n",
                CLUSTERIP_VERSION);
        return 0;
@@ -727,8 +727,7 @@ cleanup_target:
 static void __exit clusterip_tg_exit(void)
 {
-        printk(KERN_NOTICE "ClusterIP Version %s unloading\n",
+        pr_info("ClusterIP Version %s unloading\n", CLUSTERIP_VERSION);
-                CLUSTERIP_VERSION);
 #ifdef CONFIG_PROC_FS
        remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
 #endif
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index ea5cea2415c1..4bf3dc49ad1e 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -6,7 +6,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
@@ -77,7 +77,7 @@ set_ect_tcp(struct sk_buff *skb, const struct ipt_ECN_info *einfo)
 }
 static unsigned int
-ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ecn_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct ipt_ECN_info *einfo = par->targinfo;
@@ -93,28 +93,25 @@ ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return XT_CONTINUE;
 }
-static bool ecn_tg_check(const struct xt_tgchk_param *par)
+static int ecn_tg_check(const struct xt_tgchk_param *par)
 {
        const struct ipt_ECN_info *einfo = par->targinfo;
        const struct ipt_entry *e = par->entryinfo;
        if (einfo->operation & IPT_ECN_OP_MASK) {
-                printk(KERN_WARNING "ECN: unsupported ECN operation %x\n",
+                pr_info("unsupported ECN operation %x\n", einfo->operation);
-                        einfo->operation);
+                return -EINVAL;
-                return false;
        }
        if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
-                printk(KERN_WARNING "ECN: new ECT codepoint %x out of mask\n",
+                pr_info("new ECT codepoint %x out of mask\n", einfo->ip_ect);
-                        einfo->ip_ect);
+                return -EINVAL;
-                return false;
        }
        if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
            (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
-                printk(KERN_WARNING "ECN: cannot use TCP operations on a "
+                pr_info("cannot use TCP operations on a non-tcp rule\n");
-                       "non-tcp rule\n");
+                return -EINVAL;
-                return false;
        }
-        return true;
+        return 0;
 }
 static struct xt_target ecn_tg_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index ee128efa1c8d..5234f4f3499a 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -9,7 +9,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/spinlock.h>
 #include <linux/skbuff.h>
@@ -367,7 +367,7 @@ static struct nf_loginfo default_loginfo = {
        .type   = NF_LOG_TYPE_LOG,
        .u = {
                .log = {
-                        .level    = 0,
+                        .level    = 5,
                        .logflags = NF_LOG_MASK,
                },
        },
@@ -425,7 +425,7 @@ ipt_log_packet(u_int8_t pf,
 }
 static unsigned int
-log_tg(struct sk_buff *skb, const struct xt_target_param *par)
+log_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct ipt_log_info *loginfo = par->targinfo;
        struct nf_loginfo li;
@@ -439,20 +439,19 @@ log_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return XT_CONTINUE;
 }
-static bool log_tg_check(const struct xt_tgchk_param *par)
+static int log_tg_check(const struct xt_tgchk_param *par)
 {
        const struct ipt_log_info *loginfo = par->targinfo;
        if (loginfo->level >= 8) {
-                pr_debug("LOG: level %u >= 8\n", loginfo->level);
+                pr_debug("level %u >= 8\n", loginfo->level);
-                return false;
+                return -EINVAL;
        }
        if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
-                pr_debug("LOG: prefix term %i\n",
+                pr_debug("prefix is not null-terminated\n");
-                         loginfo->prefix[sizeof(loginfo->prefix)-1]);
+                return -EINVAL;
-                return false;
        }
-        return true;
+        return 0;
 }
 static struct xt_target log_tg_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_MASQUERADE.c b/net/ipv4/netfilter/ipt_MASQUERADE.c
index 650b54042b01..d2ed9dc74ebc 100644
--- a/net/ipv4/netfilter/ipt_MASQUERADE.c
+++ b/net/ipv4/netfilter/ipt_MASQUERADE.c
@@ -8,7 +8,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/types.h>
 #include <linux/inetdevice.h>
 #include <linux/ip.h>
@@ -28,23 +28,23 @@ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
 MODULE_DESCRIPTION("Xtables: automatic-address SNAT");
 /* FIXME: Multiple targets. --RR */
-static bool masquerade_tg_check(const struct xt_tgchk_param *par)
+static int masquerade_tg_check(const struct xt_tgchk_param *par)
 {
        const struct nf_nat_multi_range_compat *mr = par->targinfo;
        if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
-                pr_debug("masquerade_check: bad MAP_IPS.\n");
+                pr_debug("bad MAP_IPS.\n");
-                return false;
+                return -EINVAL;
        }
        if (mr->rangesize != 1) {
-                pr_debug("masquerade_check: bad rangesize %u\n", mr->rangesize);
+                pr_debug("bad rangesize %u\n", mr->rangesize);
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 static unsigned int
-masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par)
+masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        struct nf_conn *ct;
        struct nf_conn_nat *nat;
@@ -72,7 +72,7 @@ masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par)
        rt = skb_rtable(skb);
        newsrc = inet_select_addr(par->out, rt->rt_gateway, RT_SCOPE_UNIVERSE);
        if (!newsrc) {
-                printk("MASQUERADE: %s ate my IP address\n", par->out->name);
+                pr_info("%s ate my IP address\n", par->out->name);
                return NF_DROP;
        }
diff --git a/net/ipv4/netfilter/ipt_NETMAP.c b/net/ipv4/netfilter/ipt_NETMAP.c
index 7c29582d4ec8..f43867d1697f 100644
--- a/net/ipv4/netfilter/ipt_NETMAP.c
+++ b/net/ipv4/netfilter/ipt_NETMAP.c
@@ -9,7 +9,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/ip.h>
 #include <linux/module.h>
 #include <linux/netdevice.h>
@@ -22,23 +22,23 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>");
 MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets");
-static bool netmap_tg_check(const struct xt_tgchk_param *par)
+static int netmap_tg_check(const struct xt_tgchk_param *par)
 {
        const struct nf_nat_multi_range_compat *mr = par->targinfo;
        if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) {
-                pr_debug("NETMAP:check: bad MAP_IPS.\n");
+                pr_debug("bad MAP_IPS.\n");
-                return false;
+                return -EINVAL;
        }
        if (mr->rangesize != 1) {
-                pr_debug("NETMAP:check: bad rangesize %u.\n", mr->rangesize);
+                pr_debug("bad rangesize %u.\n", mr->rangesize);
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 static unsigned int
-netmap_tg(struct sk_buff *skb, const struct xt_target_param *par)
+netmap_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        struct nf_conn *ct;
        enum ip_conntrack_info ctinfo;
diff --git a/net/ipv4/netfilter/ipt_REDIRECT.c b/net/ipv4/netfilter/ipt_REDIRECT.c
index 698e5e78685b..18a0656505a0 100644
--- a/net/ipv4/netfilter/ipt_REDIRECT.c
+++ b/net/ipv4/netfilter/ipt_REDIRECT.c
@@ -6,7 +6,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/types.h>
 #include <linux/ip.h>
 #include <linux/timer.h>
@@ -26,23 +26,23 @@ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
 MODULE_DESCRIPTION("Xtables: Connection redirection to localhost");
 /* FIXME: Take multiple ranges --RR */
-static bool redirect_tg_check(const struct xt_tgchk_param *par)
+static int redirect_tg_check(const struct xt_tgchk_param *par)
 {
        const struct nf_nat_multi_range_compat *mr = par->targinfo;
        if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
-                pr_debug("redirect_check: bad MAP_IPS.\n");
+                pr_debug("bad MAP_IPS.\n");
-                return false;
+                return -EINVAL;
        }
        if (mr->rangesize != 1) {
-                pr_debug("redirect_check: bad rangesize %u.\n", mr->rangesize);
+                pr_debug("bad rangesize %u.\n", mr->rangesize);
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 static unsigned int
-redirect_tg(struct sk_buff *skb, const struct xt_target_param *par)
+redirect_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        struct nf_conn *ct;
        enum ip_conntrack_info ctinfo;
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index a0e8bcf04159..f5f4a888e4ec 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -9,7 +9,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/slab.h>
@@ -136,13 +136,10 @@ static inline void send_unreach(struct sk_buff *skb_in, int code)
 }
 static unsigned int
-reject_tg(struct sk_buff *skb, const struct xt_target_param *par)
+reject_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct ipt_reject_info *reject = par->targinfo;
-        /* WARNING: This code causes reentry within iptables.
-           This means that the iptables jump stack is now crap.  We
-           must return an absolute verdict. --RR */
        switch (reject->with) {
        case IPT_ICMP_NET_UNREACHABLE:
                send_unreach(skb, ICMP_NET_UNREACH);
@@ -175,23 +172,23 @@ reject_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return NF_DROP;
 }
-static bool reject_tg_check(const struct xt_tgchk_param *par)
+static int reject_tg_check(const struct xt_tgchk_param *par)
 {
        const struct ipt_reject_info *rejinfo = par->targinfo;
        const struct ipt_entry *e = par->entryinfo;
        if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
-                printk("ipt_REJECT: ECHOREPLY no longer supported.\n");
+                pr_info("ECHOREPLY no longer supported.\n");
-                return false;
+                return -EINVAL;
        } else if (rejinfo->with == IPT_TCP_RESET) {
                /* Must specify that it's a TCP packet */
                if (e->ip.proto != IPPROTO_TCP ||
                    (e->ip.invflags & XT_INV_PROTO)) {
-                        printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n");
+                        pr_info("TCP_RESET invalid for non-tcp\n");
-                        return false;
+                        return -EINVAL;
                }
        }
-        return true;
+        return 0;
 }
 static struct xt_target reject_tg_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c
index 0dbe697f164f..446e0f467a17 100644
--- a/net/ipv4/netfilter/ipt_ULOG.c
+++ b/net/ipv4/netfilter/ipt_ULOG.c
@@ -29,7 +29,7 @@
 *   Specify, after how many hundredths of a second the queue should be
 *   flushed even if it is not full yet.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/spinlock.h>
 #include <linux/socket.h>
@@ -57,8 +57,6 @@ MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NFLOG);
 #define ULOG_NL_EVENT           111             /* Harald's favorite number */
 #define ULOG_MAXNLGROUPS        32              /* numer of nlgroups */
-#define PRINTR(format, args...) do { if (net_ratelimit()) printk(format , ## args); } while (0)
 static unsigned int nlbufsiz = NLMSG_GOODSIZE;
 module_param(nlbufsiz, uint, 0400);
 MODULE_PARM_DESC(nlbufsiz, "netlink buffer size");
@@ -91,12 +89,12 @@ static void ulog_send(unsigned int nlgroupnum)
        ulog_buff_t *ub = &ulog_buffers[nlgroupnum];
        if (timer_pending(&ub->timer)) {
-                pr_debug("ipt_ULOG: ulog_send: timer was pending, deleting\n");
+                pr_debug("ulog_send: timer was pending, deleting\n");
                del_timer(&ub->timer);
        }
        if (!ub->skb) {
-                pr_debug("ipt_ULOG: ulog_send: nothing to send\n");
+                pr_debug("ulog_send: nothing to send\n");
                return;
        }
@@ -105,7 +103,7 @@ static void ulog_send(unsigned int nlgroupnum)
                ub->lastnlh->nlmsg_type = NLMSG_DONE;
        NETLINK_CB(ub->skb).dst_group = nlgroupnum + 1;
-        pr_debug("ipt_ULOG: throwing %d packets to netlink group %u\n",
+        pr_debug("throwing %d packets to netlink group %u\n",
                 ub->qlen, nlgroupnum + 1);
        netlink_broadcast(nflognl, ub->skb, 0, nlgroupnum + 1, GFP_ATOMIC);
@@ -118,7 +116,7 @@ static void ulog_send(unsigned int nlgroupnum)
 /* timer function to flush queue in flushtimeout time */
 static void ulog_timer(unsigned long data)
 {
-        pr_debug("ipt_ULOG: timer function called, calling ulog_send\n");
+        pr_debug("timer function called, calling ulog_send\n");
        /* lock to protect against somebody modifying our structure
         * from ipt_ulog_target at the same time */
@@ -139,7 +137,7 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
        n = max(size, nlbufsiz);
        skb = alloc_skb(n, GFP_ATOMIC);
        if (!skb) {
-                PRINTR("ipt_ULOG: can't alloc whole buffer %ub!\n", n);
+                pr_debug("cannot alloc whole buffer %ub!\n", n);
                if (n > size) {
                        /* try to allocate only as much as we need for
@@ -147,8 +145,7 @@ static struct sk_buff *ulog_alloc_skb(unsigned int size)
                        skb = alloc_skb(size, GFP_ATOMIC);
                        if (!skb)
-                                PRINTR("ipt_ULOG: can't even allocate %ub\n",
+                                pr_debug("cannot even allocate %ub\n", size);
-                                       size);
                }
        }
@@ -199,8 +196,7 @@ static void ipt_ulog_packet(unsigned int hooknum,
                        goto alloc_failure;
        }
-        pr_debug("ipt_ULOG: qlen %d, qthreshold %Zu\n", ub->qlen,
+        pr_debug("qlen %d, qthreshold %Zu\n", ub->qlen, loginfo->qthreshold);
-                 loginfo->qthreshold);
        /* NLMSG_PUT contains a hidden goto nlmsg_failure !!! */
        nlh = NLMSG_PUT(ub->skb, 0, ub->qlen, ULOG_NL_EVENT,
@@ -273,16 +269,14 @@ static void ipt_ulog_packet(unsigned int hooknum,
        return;
 nlmsg_failure:
-        PRINTR("ipt_ULOG: error during NLMSG_PUT\n");
+        pr_debug("error during NLMSG_PUT\n");
 alloc_failure:
-        PRINTR("ipt_ULOG: Error building netlink message\n");
+        pr_debug("Error building netlink message\n");
        spin_unlock_bh(&ulog_lock);
 }
 static unsigned int
-ulog_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ulog_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        ipt_ulog_packet(par->hooknum, skb, par->in, par->out,
                        par->targinfo, NULL);
@@ -314,21 +308,20 @@ static void ipt_logfn(u_int8_t pf,
        ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
 }
-static bool ulog_tg_check(const struct xt_tgchk_param *par)
+static int ulog_tg_check(const struct xt_tgchk_param *par)
 {
        const struct ipt_ulog_info *loginfo = par->targinfo;
        if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
-                pr_debug("ipt_ULOG: prefix term %i\n",
+                pr_debug("prefix not null-terminated\n");
-                         loginfo->prefix[sizeof(loginfo->prefix) - 1]);
+                return -EINVAL;
-                return false;
        }
        if (loginfo->qthreshold > ULOG_MAX_QLEN) {
-                pr_debug("ipt_ULOG: queue threshold %Zu > MAX_QLEN\n",
+                pr_debug("queue threshold %Zu > MAX_QLEN\n",
                         loginfo->qthreshold);
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 #ifdef CONFIG_COMPAT
@@ -390,10 +383,10 @@ static int __init ulog_tg_init(void)
 {
        int ret, i;
-        pr_debug("ipt_ULOG: init module\n");
+        pr_debug("init module\n");
        if (nlbufsiz > 128*1024) {
-                printk("Netlink buffer has to be <= 128kB\n");
+                pr_warning("Netlink buffer has to be <= 128kB\n");
                return -EINVAL;
        }
@@ -423,7 +416,7 @@ static void __exit ulog_tg_exit(void)
        ulog_buff_t *ub;
        int i;
-        pr_debug("ipt_ULOG: cleanup_module\n");
+        pr_debug("cleanup_module\n");
        if (nflog)
                nf_log_unregister(&ipt_ulog_logger);
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
index 3b216be3bc9f..db8bff0fb86d 100644
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ b/net/ipv4/netfilter/ipt_addrtype.c
@@ -8,7 +8,7 @@
 *  it under the terms of the GNU General Public License version 2 as
 *  published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
@@ -30,7 +30,7 @@ static inline bool match_type(struct net *net, const struct net_device *dev,
 }
 static bool
-addrtype_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+addrtype_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
 {
        struct net *net = dev_net(par->in ? par->in : par->out);
        const struct ipt_addrtype_info *info = par->matchinfo;
@@ -48,7 +48,7 @@ addrtype_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
 }
 static bool
-addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
 {
        struct net *net = dev_net(par->in ? par->in : par->out);
        const struct ipt_addrtype_info_v1 *info = par->matchinfo;
@@ -70,34 +70,34 @@ addrtype_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
        return ret;
 }
-static bool addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
+static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
 {
        struct ipt_addrtype_info_v1 *info = par->matchinfo;
        if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN &&
            info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
-                printk(KERN_ERR "ipt_addrtype: both incoming and outgoing "
+                pr_info("both incoming and outgoing "
-                                "interface limitation cannot be selected\n");
+                        "interface limitation cannot be selected\n");
-                return false;
+                return -EINVAL;
        }
        if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
            (1 << NF_INET_LOCAL_IN)) &&
            info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
-                printk(KERN_ERR "ipt_addrtype: output interface limitation "
+                pr_info("output interface limitation "
-                                "not valid in PRE_ROUTING and INPUT\n");
+                        "not valid in PREROUTING and INPUT\n");
-                return false;
+                return -EINVAL;
        }
        if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
            (1 << NF_INET_LOCAL_OUT)) &&
            info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
-                printk(KERN_ERR "ipt_addrtype: input interface limitation "
+                pr_info("input interface limitation "
-                                "not valid in POST_ROUTING and OUTPUT\n");
+                        "not valid in POSTROUTING and OUTPUT\n");
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 static struct xt_match addrtype_mt_reg[] __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 0104c0b399de..14a2aa8b8a14 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -5,7 +5,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
@@ -18,25 +18,19 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
 MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match");
-#ifdef DEBUG_CONNTRACK
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
 /* Returns 1 if the spi is matched by the range, 0 otherwise */
 static inline bool
 spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
 {
        bool r;
-        duprintf("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ',
+        pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
-                min,spi,max);
+                 invert ? '!' : ' ', min, spi, max);
        r=(spi >= min && spi <= max) ^ invert;
-        duprintf(" result %s\n",r? "PASS" : "FAILED");
+        pr_debug(" result %s\n", r ? "PASS" : "FAILED");
        return r;
 }
-static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool ah_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        struct ip_auth_hdr _ahdr;
        const struct ip_auth_hdr *ah;
@@ -51,8 +45,8 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                /* We've been asked to examine this packet, and we
                 * can't.  Hence, no choice but to drop.
                 */
-                duprintf("Dropping evil AH tinygram.\n");
+                pr_debug("Dropping evil AH tinygram.\n");
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return 0;
        }
@@ -61,16 +55,16 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                         !!(ahinfo->invflags & IPT_AH_INV_SPI));
 }
-static bool ah_mt_check(const struct xt_mtchk_param *par)
+static int ah_mt_check(const struct xt_mtchk_param *par)
 {
        const struct ipt_ah *ahinfo = par->matchinfo;
        /* Must specify no unknown invflags */
        if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
-                duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags);
+                pr_debug("unknown flags %X\n", ahinfo->invflags);
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 static struct xt_match ah_mt_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/ipt_ecn.c b/net/ipv4/netfilter/ipt_ecn.c
index 2a1e56b71908..af6e9c778345 100644
--- a/net/ipv4/netfilter/ipt_ecn.c
+++ b/net/ipv4/netfilter/ipt_ecn.c
@@ -6,7 +6,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/in.h>
 #include <linux/ip.h>
 #include <net/ip.h>
@@ -67,7 +67,7 @@ static inline bool match_tcp(const struct sk_buff *skb,
        return true;
 }
-static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool ecn_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ipt_ecn_info *info = par->matchinfo;
@@ -78,32 +78,31 @@ static bool ecn_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)) {
                if (ip_hdr(skb)->protocol != IPPROTO_TCP)
                        return false;
-                if (!match_tcp(skb, info, par->hotdrop))
+                if (!match_tcp(skb, info, &par->hotdrop))
                        return false;
        }
        return true;
 }
-static bool ecn_mt_check(const struct xt_mtchk_param *par)
+static int ecn_mt_check(const struct xt_mtchk_param *par)
 {
        const struct ipt_ecn_info *info = par->matchinfo;
        const struct ipt_ip *ip = par->entryinfo;
        if (info->operation & IPT_ECN_OP_MATCH_MASK)
-                return false;
+                return -EINVAL;
        if (info->invert & IPT_ECN_OP_MATCH_MASK)
-                return false;
+                return -EINVAL;
        if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
            ip->proto != IPPROTO_TCP) {
-                printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for"
+                pr_info("cannot match TCP bits in rule for non-tcp packets\n");
-                       " non-tcp packets\n");
+                return -EINVAL;
-                return false;
        }
-        return true;
+        return 0;
 }
 static struct xt_match ecn_mt_reg __read_mostly = {
diff --git a/net/ipv4/netfilter/iptable_filter.c b/net/ipv4/netfilter/iptable_filter.c
index 55392466daa4..c37641e819f2 100644
--- a/net/ipv4/netfilter/iptable_filter.c
+++ b/net/ipv4/netfilter/iptable_filter.c
@@ -89,7 +89,7 @@ static int __init iptable_filter_init(void)
        int ret;
        if (forward < 0 || forward > NF_MAX_VERDICT) {
-                printk("iptables forward must be 0 or 1\n");
+                pr_err("iptables forward must be 0 or 1\n");
                return -EINVAL;
        }
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 2bb1f87051c4..5a03c02af999 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -382,32 +382,32 @@ static int __init nf_conntrack_l3proto_ipv4_init(void)
        ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp4);
        if (ret < 0) {
-                printk("nf_conntrack_ipv4: can't register tcp.\n");
+                pr_err("nf_conntrack_ipv4: can't register tcp.\n");
                goto cleanup_sockopt;
        }
        ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp4);
        if (ret < 0) {
-                printk("nf_conntrack_ipv4: can't register udp.\n");
+                pr_err("nf_conntrack_ipv4: can't register udp.\n");
                goto cleanup_tcp;
        }
        ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmp);
        if (ret < 0) {
-                printk("nf_conntrack_ipv4: can't register icmp.\n");
+                pr_err("nf_conntrack_ipv4: can't register icmp.\n");
                goto cleanup_udp;
        }
        ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv4);
        if (ret < 0) {
-                printk("nf_conntrack_ipv4: can't register ipv4\n");
+                pr_err("nf_conntrack_ipv4: can't register ipv4\n");
                goto cleanup_icmp;
        }
        ret = nf_register_hooks(ipv4_conntrack_ops,
                                ARRAY_SIZE(ipv4_conntrack_ops));
        if (ret < 0) {
-                printk("nf_conntrack_ipv4: can't register hooks.\n");
+                pr_err("nf_conntrack_ipv4: can't register hooks.\n");
                goto cleanup_ipv4;
        }
 #if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 2fb7b76da94f..244f7cb08d68 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -336,12 +336,12 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
        const struct ip_conntrack_stat *st = v;
        if (v == SEQ_START_TOKEN) {
-                seq_printf(seq, "entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete\n");
+                seq_printf(seq, "entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart\n");
                return 0;
        }
        seq_printf(seq, "%08x  %08x %08x %08x %08x %08x %08x %08x "
-                        "%08x %08x %08x %08x %08x  %08x %08x %08x \n",
+                        "%08x %08x %08x %08x %08x  %08x %08x %08x %08x\n",
                   nr_conntracks,
                   st->searched,
                   st->found,
@@ -358,7 +358,8 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
                   st->expect_new,
                   st->expect_create,
-                   st->expect_delete
+                   st->expect_delete,
+                   st->search_restart
                );
        return 0;
 }
diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
index 7e8e6fc75413..5045196d853c 100644
--- a/net/ipv4/netfilter/nf_nat_h323.c
+++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -10,7 +10,6 @@
 */
 #include <linux/module.h>
-#include <linux/moduleparam.h>
 #include <linux/tcp.h>
 #include <net/tcp.h>
@@ -44,7 +43,7 @@ static int set_addr(struct sk_buff *skb,
                                              addroff, sizeof(buf),
                                              (char *) &buf, sizeof(buf))) {
                        if (net_ratelimit())
-                                printk("nf_nat_h323: nf_nat_mangle_tcp_packet"
+                                pr_notice("nf_nat_h323: nf_nat_mangle_tcp_packet"
                                       " error\n");
                        return -1;
                }
@@ -60,7 +59,7 @@ static int set_addr(struct sk_buff *skb,
                                              addroff, sizeof(buf),
                                              (char *) &buf, sizeof(buf))) {
                        if (net_ratelimit())
-                                printk("nf_nat_h323: nf_nat_mangle_udp_packet"
+                                pr_notice("nf_nat_h323: nf_nat_mangle_udp_packet"
                                       " error\n");
                        return -1;
                }
@@ -216,7 +215,7 @@ static int nat_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
        /* Run out of expectations */
        if (i >= H323_RTP_CHANNEL_MAX) {
                if (net_ratelimit())
-                        printk("nf_nat_h323: out of expectations\n");
+                        pr_notice("nf_nat_h323: out of expectations\n");
                return 0;
        }
@@ -235,7 +234,7 @@ static int nat_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
        if (nated_port == 0) {  /* No port available */
                if (net_ratelimit())
-                        printk("nf_nat_h323: out of RTP ports\n");
+                        pr_notice("nf_nat_h323: out of RTP ports\n");
                return 0;
        }
@@ -292,7 +291,7 @@ static int nat_t120(struct sk_buff *skb, struct nf_conn *ct,
        if (nated_port == 0) {  /* No port available */
                if (net_ratelimit())
-                        printk("nf_nat_h323: out of TCP ports\n");
+                        pr_notice("nf_nat_h323: out of TCP ports\n");
                return 0;
        }
@@ -342,7 +341,7 @@ static int nat_h245(struct sk_buff *skb, struct nf_conn *ct,
        if (nated_port == 0) {  /* No port available */
                if (net_ratelimit())
-                        printk("nf_nat_q931: out of TCP ports\n");
+                        pr_notice("nf_nat_q931: out of TCP ports\n");
                return 0;
        }
@@ -426,7 +425,7 @@ static int nat_q931(struct sk_buff *skb, struct nf_conn *ct,
        if (nated_port == 0) {  /* No port available */
                if (net_ratelimit())
-                        printk("nf_nat_ras: out of TCP ports\n");
+                        pr_notice("nf_nat_ras: out of TCP ports\n");
                return 0;
        }
@@ -508,7 +507,7 @@ static int nat_callforwarding(struct sk_buff *skb, struct nf_conn *ct,
        if (nated_port == 0) {  /* No port available */
                if (net_ratelimit())
-                        printk("nf_nat_q931: out of TCP ports\n");
+                        pr_notice("nf_nat_q931: out of TCP ports\n");
                return 0;
        }
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index 26de2c1f7fab..98ed78281aee 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -7,6 +7,7 @@
 */
 /* Everything about the rules for NAT. */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/types.h>
 #include <linux/ip.h>
 #include <linux/netfilter.h>
@@ -38,7 +39,7 @@ static const struct xt_table nat_table = {
 /* Source NAT */
 static unsigned int
-ipt_snat_target(struct sk_buff *skb, const struct xt_target_param *par)
+ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
 {
        struct nf_conn *ct;
        enum ip_conntrack_info ctinfo;
@@ -57,7 +58,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_target_param *par)
 }
 static unsigned int
-ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par)
+ipt_dnat_target(struct sk_buff *skb, const struct xt_action_param *par)
 {
        struct nf_conn *ct;
        enum ip_conntrack_info ctinfo;
@@ -74,28 +75,28 @@ ipt_dnat_target(struct sk_buff *skb, const struct xt_target_param *par)
        return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST);
 }
-static bool ipt_snat_checkentry(const struct xt_tgchk_param *par)
+static int ipt_snat_checkentry(const struct xt_tgchk_param *par)
 {
        const struct nf_nat_multi_range_compat *mr = par->targinfo;
        /* Must be a valid range */
        if (mr->rangesize != 1) {
-                printk("SNAT: multiple ranges no longer supported\n");
+                pr_info("SNAT: multiple ranges no longer supported\n");
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
-static bool ipt_dnat_checkentry(const struct xt_tgchk_param *par)
+static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
 {
        const struct nf_nat_multi_range_compat *mr = par->targinfo;
        /* Must be a valid range */
        if (mr->rangesize != 1) {
-                printk("DNAT: multiple ranges no longer supported\n");
+                pr_info("DNAT: multiple ranges no longer supported\n");
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 unsigned int
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index 4d85b6e55f29..1679e2c0963d 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -401,7 +401,7 @@ static unsigned char asn1_octets_decode(struct asn1_ctx *ctx,
        *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
        if (*octets == NULL) {
                if (net_ratelimit())
-                        printk("OOM in bsalg (%d)\n", __LINE__);
+                        pr_notice("OOM in bsalg (%d)\n", __LINE__);
                return 0;
        }
@@ -452,7 +452,7 @@ static unsigned char asn1_oid_decode(struct asn1_ctx *ctx,
        *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
        if (*oid == NULL) {
                if (net_ratelimit())
-                        printk("OOM in bsalg (%d)\n", __LINE__);
+                        pr_notice("OOM in bsalg (%d)\n", __LINE__);
                return 0;
        }
@@ -729,7 +729,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
                        if (*obj == NULL) {
                                kfree(id);
                                if (net_ratelimit())
-                                        printk("OOM in bsalg (%d)\n", __LINE__);
+                                        pr_notice("OOM in bsalg (%d)\n", __LINE__);
                                return 0;
                        }
                        (*obj)->syntax.l[0] = l;
@@ -746,7 +746,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
                                kfree(p);
                                kfree(id);
                                if (net_ratelimit())
-                                        printk("OOM in bsalg (%d)\n", __LINE__);
+                                        pr_notice("OOM in bsalg (%d)\n", __LINE__);
                                return 0;
                        }
                        memcpy((*obj)->syntax.c, p, len);
@@ -761,7 +761,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
                        if (*obj == NULL) {
                                kfree(id);
                                if (net_ratelimit())
-                                        printk("OOM in bsalg (%d)\n", __LINE__);
+                                        pr_notice("OOM in bsalg (%d)\n", __LINE__);
                                return 0;
                        }
                        if (!asn1_null_decode(ctx, end)) {
@@ -782,7 +782,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
                                kfree(lp);
                                kfree(id);
                                if (net_ratelimit())
-                                        printk("OOM in bsalg (%d)\n", __LINE__);
+                                        pr_notice("OOM in bsalg (%d)\n", __LINE__);
                                return 0;
                        }
                        memcpy((*obj)->syntax.ul, lp, len);
@@ -803,7 +803,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
                                kfree(p);
                                kfree(id);
                                if (net_ratelimit())
-                                        printk("OOM in bsalg (%d)\n", __LINE__);
+                                        pr_notice("OOM in bsalg (%d)\n", __LINE__);
                                return 0;
                        }
                        memcpy((*obj)->syntax.uc, p, len);
@@ -821,7 +821,7 @@ static unsigned char snmp_object_decode(struct asn1_ctx *ctx,
                        if (*obj == NULL) {
                                kfree(id);
                                if (net_ratelimit())
-                                        printk("OOM in bsalg (%d)\n", __LINE__);
+                                        pr_notice("OOM in bsalg (%d)\n", __LINE__);
                                return 0;
                        }
                        (*obj)->syntax.ul[0] = ul;
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index c39c9cf6bee6..beb25819c9c9 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -138,9 +138,8 @@ nf_nat_fn(unsigned int hooknum,
                                ret = nf_nat_rule_find(skb, hooknum, in, out,
                                                       ct);
-                        if (ret != NF_ACCEPT) {
+                        if (ret != NF_ACCEPT)
                                return ret;
-                        }
                } else
                        pr_debug("Already setup manip %s for ct %p\n",
                                 maniptype == IP_NAT_MANIP_SRC ? "SRC" : "DST",
@@ -294,12 +293,12 @@ static int __init nf_nat_standalone_init(void)
 #endif
        ret = nf_nat_rule_init();
        if (ret < 0) {
-                printk("nf_nat_init: can't setup rules.\n");
+                pr_err("nf_nat_init: can't setup rules.\n");
                goto cleanup_decode_session;
        }
        ret = nf_register_hooks(nf_nat_ops, ARRAY_SIZE(nf_nat_ops));
        if (ret < 0) {
-                printk("nf_nat_init: can't register hooks.\n");
+                pr_err("nf_nat_init: can't register hooks.\n");
                goto cleanup_rule_init;
        }
        return ret;
diff --git a/net/ipv4/netfilter/nf_nat_tftp.c b/net/ipv4/netfilter/nf_nat_tftp.c
index b096e81500ae..7274a43c7a12 100644
--- a/net/ipv4/netfilter/nf_nat_tftp.c
+++ b/net/ipv4/netfilter/nf_nat_tftp.c
@@ -6,7 +6,6 @@
 */
 #include <linux/module.h>
-#include <linux/moduleparam.h>
 #include <linux/udp.h>
 #include <net/netfilter/nf_nat_helper.h>
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 52ef5af78a45..2c7a1639388a 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -381,8 +381,8 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
                icmp_out_count(net, ((struct icmphdr *)
                        skb_transport_header(skb))->type);
-        err = NF_HOOK(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
+        err = NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, skb, NULL,
-                      dst_output);
+                      rt->u.dst.dev, dst_output);
        if (err > 0)
                err = net_xmit_errno(err);
        if (err)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index dea3f9264250..560acc677ce4 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2277,8 +2277,8 @@ martian_source:
        goto e_inval;
 }
-int ip_route_input(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+int ip_route_input_common(struct sk_buff *skb, __be32 daddr, __be32 saddr,
-                   u8 tos, struct net_device *dev)
+                           u8 tos, struct net_device *dev, bool noref)
 {
        struct rtable * rth;
        unsigned        hash;
@@ -2304,10 +2304,15 @@ int ip_route_input(struct sk_buff *skb, __be32 daddr, __be32 saddr,
                    rth->fl.mark == skb->mark &&
                    net_eq(dev_net(rth->u.dst.dev), net) &&
                    !rt_is_expired(rth)) {
-                        dst_use(&rth->u.dst, jiffies);
+                        if (noref) {
+                                dst_use_noref(&rth->u.dst, jiffies);
+                                skb_dst_set_noref(skb, &rth->u.dst);
+                        } else {
+                                dst_use(&rth->u.dst, jiffies);
+                                skb_dst_set(skb, &rth->u.dst);
+                        }
                        RT_CACHE_STAT_INC(in_hit);
                        rcu_read_unlock();
-                        skb_dst_set(skb, &rth->u.dst);
                        return 0;
                }
                RT_CACHE_STAT_INC(in_hlist_search);
@@ -2350,6 +2355,7 @@ skip_cache:
        }
        return ip_route_input_slow(skb, daddr, saddr, tos, dev);
 }
+EXPORT_SYMBOL(ip_route_input_common);
 static int __mkroute_output(struct rtable **result,
                            struct fib_result *res,
@@ -3033,7 +3039,7 @@ int ip_rt_dump(struct sk_buff *skb,  struct netlink_callback *cb)
                                continue;
                        if (rt_is_expired(rt))
                                continue;
-                        skb_dst_set(skb, dst_clone(&rt->u.dst));
+                        skb_dst_set_noref(skb, &rt->u.dst);
                        if (rt_fill_info(net, skb, NETLINK_CB(cb->skb).pid,
                                         cb->nlh->nlmsg_seq, RTM_NEWROUTE,
                                         1, NLM_F_MULTI) <= 0) {
@@ -3361,5 +3367,4 @@ void __init ip_static_sysctl_init(void)
 #endif
 EXPORT_SYMBOL(__ip_select_ident);
-EXPORT_SYMBOL(ip_route_input);
 EXPORT_SYMBOL(ip_route_output_key);
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 5c24db4a3c91..9f6b22206c52 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -347,7 +347,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
                                               { .sport = th->dest,
                                                 .dport = th->source } } };
                security_req_classify_flow(req, &fl);
-                if (ip_route_output_key(&init_net, &rt, &fl)) {
+                if (ip_route_output_key(sock_net(sk), &rt, &fl)) {
                        reqsk_free(req);
                        goto out;
                }
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 1cd5c15174b8..d96c1da4b17c 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -299,6 +299,13 @@ static struct ctl_table ipv4_table[] = {
                .mode           = 0644,
                .proc_handler   = ipv4_local_port_range,
        },
+        {
+                .procname       = "ip_local_reserved_ports",
+                .data           = NULL, /* initialized in sysctl_ipv4_init */
+                .maxlen         = 65536,
+                .mode           = 0644,
+                .proc_handler   = proc_do_large_bitmap,
+        },
 #ifdef CONFIG_IP_MULTICAST
        {
                .procname       = "igmp_max_memberships",
@@ -736,6 +743,16 @@ static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
 static __init int sysctl_ipv4_init(void)
 {
        struct ctl_table_header *hdr;
+        struct ctl_table *i;
+        for (i = ipv4_table; i->procname; i++) {
+                if (strcmp(i->procname, "ip_local_reserved_ports") == 0) {
+                        i->data = sysctl_local_reserved_ports;
+                        break;
+                }
+        }
+        if (!i->procname)
+                return -EINVAL;
        hdr = register_sysctl_paths(net_ipv4_ctl_path, ipv4_table);
        if (hdr == NULL)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 8ce29747ad9b..6596b4feeddc 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2215,7 +2215,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
        default:
                /* fallthru */
                break;
-        };
+        }
        if (optlen < sizeof(int))
                return -EINVAL;
@@ -2840,7 +2840,6 @@ static void __tcp_free_md5sig_pool(struct tcp_md5sig_pool * __percpu *pool)
                        if (p->md5_desc.tfm)
                                crypto_free_hash(p->md5_desc.tfm);
                        kfree(p);
-                        p = NULL;
                }
        }
        free_percpu(pool);
@@ -2938,25 +2937,40 @@ retry:
 EXPORT_SYMBOL(tcp_alloc_md5sig_pool);
-struct tcp_md5sig_pool *__tcp_get_md5sig_pool(int cpu)
+/**
+ *      tcp_get_md5sig_pool - get md5sig_pool for this user
+ *
+ *      We use percpu structure, so if we succeed, we exit with preemption
+ *      and BH disabled, to make sure another thread or softirq handling
+ *      wont try to get same context.
+ */
+struct tcp_md5sig_pool *tcp_get_md5sig_pool(void)
 {
        struct tcp_md5sig_pool * __percpu *p;
-        spin_lock_bh(&tcp_md5sig_pool_lock);
+        local_bh_disable();
+        spin_lock(&tcp_md5sig_pool_lock);
        p = tcp_md5sig_pool;
        if (p)
                tcp_md5sig_users++;
-        spin_unlock_bh(&tcp_md5sig_pool_lock);
+        spin_unlock(&tcp_md5sig_pool_lock);
-        return (p ? *per_cpu_ptr(p, cpu) : NULL);
-}
-EXPORT_SYMBOL(__tcp_get_md5sig_pool);
+        if (p)
+                return *per_cpu_ptr(p, smp_processor_id());
-void __tcp_put_md5sig_pool(void)
+        local_bh_enable();
+        return NULL;
+}
+EXPORT_SYMBOL(tcp_get_md5sig_pool);
+void tcp_put_md5sig_pool(void)
 {
+        local_bh_enable();
        tcp_free_md5sig_pool();
 }
+EXPORT_SYMBOL(tcp_put_md5sig_pool);
-EXPORT_SYMBOL(__tcp_put_md5sig_pool);
 int tcp_md5_hash_header(struct tcp_md5sig_pool *hp,
                        struct tcphdr *th)
diff --git a/net/ipv4/tcp_hybla.c b/net/ipv4/tcp_hybla.c
index c209e054a634..377bc9349371 100644
--- a/net/ipv4/tcp_hybla.c
+++ b/net/ipv4/tcp_hybla.c
@@ -126,8 +126,8 @@ static void hybla_cong_avoid(struct sock *sk, u32 ack, u32 in_flight)
                 * calculate 2^fract in a <<7 value.
                 */
                is_slowstart = 1;
-                increment = ((1 << ca->rho) * hybla_fraction(rho_fractions))
+                increment = ((1 << min(ca->rho, 16U)) *
-                        - 128;
+                        hybla_fraction(rho_fractions)) - 128;
        } else {
                /*
                 * congestion avoidance
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index e82162c211bf..548d575e6cc6 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2639,7 +2639,7 @@ static void DBGUNDO(struct sock *sk, const char *msg)
        if (sk->sk_family == AF_INET) {
                printk(KERN_DEBUG "Undo %s %pI4/%u c%u l%u ss%u/%u p%u\n",
                       msg,
-                       &inet->daddr, ntohs(inet->dport),
+                       &inet->inet_daddr, ntohs(inet->inet_dport),
                       tp->snd_cwnd, tcp_left_out(tp),
                       tp->snd_ssthresh, tp->prior_ssthresh,
                       tp->packets_out);
@@ -2649,7 +2649,7 @@ static void DBGUNDO(struct sock *sk, const char *msg)
                struct ipv6_pinfo *np = inet6_sk(sk);
                printk(KERN_DEBUG "Undo %s %pI6/%u c%u l%u ss%u/%u p%u\n",
                       msg,
-                       &np->daddr, ntohs(inet->dport),
+                       &np->daddr, ntohs(inet->inet_dport),
                       tp->snd_cwnd, tcp_left_out(tp),
                       tp->snd_ssthresh, tp->prior_ssthresh,
                       tp->packets_out);
@@ -3845,12 +3845,13 @@ void tcp_parse_options(struct sk_buff *skb, struct tcp_options_received *opt_rx,
                                        /* 16-bit multiple */
                                        opt_rx->cookie_plus = opsize;
                                        *hvpp = ptr;
+                                        break;
                                default:
                                        /* ignore option */
                                        break;
-                                };
+                                }
                                break;
-                        };
+                        }
                        ptr += opsize-2;
                        length -= opsize;
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 771f8146a2e5..fe193e53af44 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -891,7 +891,7 @@ int tcp_v4_md5_do_add(struct sock *sk, __be32 addr,
                                kfree(newkey);
                                return -ENOMEM;
                        }
-                        sk->sk_route_caps &= ~NETIF_F_GSO_MASK;
+                        sk_nocaps_add(sk, NETIF_F_GSO_MASK);
                }
                if (tcp_alloc_md5sig_pool(sk) == NULL) {
                        kfree(newkey);
@@ -1021,7 +1021,7 @@ static int tcp_v4_parse_md5_keys(struct sock *sk, char __user *optval,
                        return -EINVAL;
                tp->md5sig_info = p;
-                sk->sk_route_caps &= ~NETIF_F_GSO_MASK;
+                sk_nocaps_add(sk, NETIF_F_GSO_MASK);
        }
        newkey = kmemdup(cmd.tcpm_key, cmd.tcpm_keylen, sk->sk_allocation);
@@ -1462,7 +1462,7 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
                if (newkey != NULL)
                        tcp_v4_md5_do_add(newsk, newinet->inet_daddr,
                                          newkey, key->keylen);
-                newsk->sk_route_caps &= ~NETIF_F_GSO_MASK;
+                sk_nocaps_add(newsk, NETIF_F_GSO_MASK);
        }
 #endif
@@ -1555,6 +1555,7 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
 #endif
        if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
+                sock_rps_save_rxhash(sk, skb->rxhash);
                TCP_CHECK_TIMER(sk);
                if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len)) {
                        rsk = sk;
@@ -1579,7 +1580,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
                        }
                        return 0;
                }
-        }
+        } else
+                sock_rps_save_rxhash(sk, skb->rxhash);
        TCP_CHECK_TIMER(sk);
        if (tcp_rcv_state_process(sk, skb, tcp_hdr(skb), skb->len)) {
@@ -1672,8 +1675,6 @@ process:
        skb->dev = NULL;
-        sock_rps_save_rxhash(sk, skb->rxhash);
        bh_lock_sock_nested(sk);
        ret = 0;
        if (!sock_owned_by_user(sk)) {
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 5db3a2c6cb33..b4ed957f201a 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -668,7 +668,6 @@ static unsigned tcp_synack_options(struct sock *sk,
        u8 cookie_plus = (xvp != NULL && !xvp->cookie_out_never) ?
                         xvp->cookie_plus :
                         0;
-        bool doing_ts = ireq->tstamp_ok;
 #ifdef CONFIG_TCP_MD5SIG
        *md5 = tcp_rsk(req)->af_specific->md5_lookup(sk, req);
@@ -681,7 +680,7 @@ static unsigned tcp_synack_options(struct sock *sk,
                 * rather than TS in order to fit in better with old,
                 * buggy kernels, but that was deemed to be unnecessary.
                 */
-                doing_ts &= !ireq->sack_ok;
+                ireq->tstamp_ok &= !ireq->sack_ok;
        }
 #else
        *md5 = NULL;
@@ -696,7 +695,7 @@ static unsigned tcp_synack_options(struct sock *sk,
                opts->options |= OPTION_WSCALE;
                remaining -= TCPOLEN_WSCALE_ALIGNED;
        }
-        if (likely(doing_ts)) {
+        if (likely(ireq->tstamp_ok)) {
                opts->options |= OPTION_TS;
                opts->tsval = TCP_SKB_CB(skb)->when;
                opts->tsecr = req->ts_recent;
@@ -704,7 +703,7 @@ static unsigned tcp_synack_options(struct sock *sk,
        }
        if (likely(ireq->sack_ok)) {
                opts->options |= OPTION_SACK_ADVERTISE;
-                if (unlikely(!doing_ts))
+                if (unlikely(!ireq->tstamp_ok))
                        remaining -= TCPOLEN_SACKPERM_ALIGNED;
        }
@@ -712,7 +711,7 @@ static unsigned tcp_synack_options(struct sock *sk,
         * If the <SYN> options fit, the same options should fit now!
         */
        if (*md5 == NULL &&
-            doing_ts &&
+            ireq->tstamp_ok &&
            cookie_plus > TCPOLEN_COOKIE_BASE) {
                int need = cookie_plus; /* has TCPOLEN_COOKIE_BASE */
@@ -873,7 +872,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
 #ifdef CONFIG_TCP_MD5SIG
        /* Calculate the MD5 hash, as we have all we need now */
        if (md5) {
-                sk->sk_route_caps &= ~NETIF_F_GSO_MASK;
+                sk_nocaps_add(sk, NETIF_F_GSO_MASK);
                tp->af_specific->calc_md5_hash(opts.hash_location,
                                               md5, sk, NULL, skb);
        }
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 4560b291180b..eec4ff456e33 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -233,7 +233,8 @@ int udp_lib_get_port(struct sock *sk, unsigned short snum,
                         */
                        do {
                                if (low <= snum && snum <= high &&
-                                    !test_bit(snum >> udptable->log, bitmap))
+                                    !test_bit(snum >> udptable->log, bitmap) &&
+                                    !inet_is_reserved_local_port(snum))
                                        goto found;
                                snum += rand;
                        } while (snum != first);
@@ -632,9 +633,9 @@ void __udp4_lib_err(struct sk_buff *skb, u32 info, struct udp_table *udptable)
        if (!inet->recverr) {
                if (!harderr || sk->sk_state != TCP_ESTABLISHED)
                        goto out;
-        } else {
+        } else
                ip_icmp_error(sk, skb, err, uh->dest, info, (u8 *)(uh+1));
-        }
        sk->sk_err = err;
        sk->sk_error_report(sk);
 out:
@@ -1062,10 +1063,11 @@ static unsigned int first_packet_length(struct sock *sk)
        spin_unlock_bh(&rcvq->lock);
        if (!skb_queue_empty(&list_kill)) {
-                lock_sock_bh(sk);
+                bool slow = lock_sock_fast(sk);
                __skb_queue_purge(&list_kill);
                sk_mem_reclaim_partial(sk);
-                unlock_sock_bh(sk);
+                unlock_sock_fast(sk, slow);
        }
        return res;
 }
@@ -1122,6 +1124,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
        int peeked;
        int err;
        int is_udplite = IS_UDPLITE(sk);
+        bool slow;
        /*
         *      Check any passed addresses
@@ -1196,10 +1199,10 @@ out:
        return err;
 csum_copy_err:
-        lock_sock_bh(sk);
+        slow = lock_sock_fast(sk);
        if (!skb_kill_datagram(sk, skb, flags))
                UDP_INC_STATS_USER(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
-        unlock_sock_bh(sk);
+        unlock_sock_fast(sk, slow);
        if (noblock)
                return -EAGAIN;
@@ -1536,6 +1539,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
        uh   = udp_hdr(skb);
        ulen = ntohs(uh->len);
+        saddr = ip_hdr(skb)->saddr;
+        daddr = ip_hdr(skb)->daddr;
        if (ulen > skb->len)
                goto short_packet;
@@ -1549,9 +1555,6 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
        if (udp4_csum_init(skb, uh, proto))
                goto csum_error;
-        saddr = ip_hdr(skb)->saddr;
-        daddr = ip_hdr(skb)->daddr;
        if (rt->rt_flags & (RTCF_BROADCAST|RTCF_MULTICAST))
                return __udp4_lib_mcast_deliver(net, skb, uh,
                                saddr, daddr, udptable);
@@ -1624,9 +1627,9 @@ int udp_rcv(struct sk_buff *skb)
 void udp_destroy_sock(struct sock *sk)
 {
-        lock_sock_bh(sk);
+        bool slow = lock_sock_fast(sk);
        udp_flush_pending_frames(sk);
-        unlock_sock_bh(sk);
+        unlock_sock_fast(sk, slow);
 }
 /*
@@ -1685,8 +1688,8 @@ int udp_lib_setsockopt(struct sock *sk, int level, int optname,
                        return -ENOPROTOOPT;
                if (val != 0 && val < 8) /* Illegal coverage: use default (8) */
                        val = 8;
-                else if (val > USHORT_MAX)
+                else if (val > USHRT_MAX)
-                        val = USHORT_MAX;
+                        val = USHRT_MAX;
                up->pcslen = val;
                up->pcflag |= UDPLITE_SEND_CC;
                break;
@@ -1699,8 +1702,8 @@ int udp_lib_setsockopt(struct sock *sk, int level, int optname,
                        return -ENOPROTOOPT;
                if (val != 0 && val < 8) /* Avoid silly minimal values.       */
                        val = 8;
-                else if (val > USHORT_MAX)
+                else if (val > USHRT_MAX)
-                        val = USHORT_MAX;
+                        val = USHRT_MAX;
                up->pcrlen = val;
                up->pcflag |= UDPLITE_RECV_CC;
                break;
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
index c791bb63203f..ad8fbb871aa0 100644
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -27,8 +27,8 @@ static inline int xfrm4_rcv_encap_finish(struct sk_buff *skb)
        if (skb_dst(skb) == NULL) {
                const struct iphdr *iph = ip_hdr(skb);
-                if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos,
+                if (ip_route_input_noref(skb, iph->daddr, iph->saddr,
-                                   skb->dev))
+                                         iph->tos, skb->dev))
                        goto drop;
        }
        return dst_input(skb);
@@ -61,7 +61,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async)
        iph->tot_len = htons(skb->len);
        ip_send_check(iph);
-        NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
+        NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
                xfrm4_rcv_encap_finish);
        return 0;
 }
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index c908bd99bcba..571aa96a175c 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -86,7 +86,7 @@ static int xfrm4_output_finish(struct sk_buff *skb)
 int xfrm4_output(struct sk_buff *skb)
 {
-        return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb,
+        return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb,
                            NULL, skb_dst(skb)->dev, xfrm4_output_finish,
                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig
index a578096152ab..36d7437ac054 100644
--- a/net/ipv6/Kconfig
+++ b/net/ipv6/Kconfig
@@ -229,6 +229,20 @@ config IPV6_MROUTE
          Experimental support for IPv6 multicast forwarding.
          If unsure, say N.
+config IPV6_MROUTE_MULTIPLE_TABLES
+        bool "IPv6: multicast policy routing"
+        depends on IPV6_MROUTE
+        select FIB_RULES
+        help
+          Normally, a multicast router runs a userspace daemon and decides
+          what to do with a multicast packet based on the source and
+          destination addresses. If you say Y here, the multicast router
+          will also be able to take interfaces and packet marks into
+          account and run multiple instances of userspace daemons
+          simultaneously, each one handling a single table.
+          If unsure, say N.
 config IPV6_PIMSM_V2
        bool "IPv6: PIM-SM version 2 support (EXPERIMENTAL)"
        depends on IPV6_MROUTE
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 3984f52181f4..e1a698df5706 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -553,7 +553,7 @@ void inet6_ifa_finish_destroy(struct inet6_ifaddr *ifp)
        if (del_timer(&ifp->timer))
                pr_notice("Timer is still running, when freeing ifa=%p\n", ifp);
-        if (!ifp->dead) {
+        if (ifp->state != INET6_IFADDR_STATE_DEAD) {
                pr_warning("Freeing alive inet6 address %p\n", ifp);
                return;
        }
@@ -648,6 +648,7 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr, int pfxlen,
        ipv6_addr_copy(&ifa->addr, addr);
        spin_lock_init(&ifa->lock);
+        spin_lock_init(&ifa->state_lock);
        init_timer(&ifa->timer);
        INIT_HLIST_NODE(&ifa->addr_lst);
        ifa->timer.data = (unsigned long) ifa;
@@ -714,13 +715,20 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
 {
        struct inet6_ifaddr *ifa, *ifn;
        struct inet6_dev *idev = ifp->idev;
+        int state;
        int hash;
        int deleted = 0, onlink = 0;
        unsigned long expires = jiffies;
        hash = ipv6_addr_hash(&ifp->addr);
-        ifp->dead = 1;
+        spin_lock_bh(&ifp->state_lock);
+        state = ifp->state;
+        ifp->state = INET6_IFADDR_STATE_DEAD;
+        spin_unlock_bh(&ifp->state_lock);
+        if (state == INET6_IFADDR_STATE_DEAD)
+                goto out;
        spin_lock_bh(&addrconf_hash_lock);
        hlist_del_init_rcu(&ifp->addr_lst);
@@ -818,6 +826,7 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
                dst_release(&rt->u.dst);
        }
+out:
        in6_ifa_put(ifp);
 }
@@ -1274,7 +1283,7 @@ static int ipv6_count_addresses(struct inet6_dev *idev)
 int ipv6_chk_addr(struct net *net, struct in6_addr *addr,
                  struct net_device *dev, int strict)
 {
-        struct inet6_ifaddr *ifp = NULL;
+        struct inet6_ifaddr *ifp;
        struct hlist_node *node;
        unsigned int hash = ipv6_addr_hash(addr);
@@ -1283,15 +1292,16 @@ int ipv6_chk_addr(struct net *net, struct in6_addr *addr,
                if (!net_eq(dev_net(ifp->idev->dev), net))
                        continue;
                if (ipv6_addr_equal(&ifp->addr, addr) &&
-                    !(ifp->flags&IFA_F_TENTATIVE)) {
+                    !(ifp->flags&IFA_F_TENTATIVE) &&
-                        if (dev == NULL || ifp->idev->dev == dev ||
+                    (dev == NULL || ifp->idev->dev == dev ||
-                            !(ifp->scope&(IFA_LINK|IFA_HOST) || strict))
+                     !(ifp->scope&(IFA_LINK|IFA_HOST) || strict))) {
-                                break;
+                        rcu_read_unlock_bh();
+                        return 1;
                }
        }
-        rcu_read_unlock_bh();
-        return ifp != NULL;
+        rcu_read_unlock_bh();
+        return 0;
 }
 EXPORT_SYMBOL(ipv6_chk_addr);
@@ -1396,10 +1406,27 @@ static void addrconf_dad_stop(struct inet6_ifaddr *ifp, int dad_failed)
                ipv6_del_addr(ifp);
 }
+static int addrconf_dad_end(struct inet6_ifaddr *ifp)
+{
+        int err = -ENOENT;
+        spin_lock(&ifp->state_lock);
+        if (ifp->state == INET6_IFADDR_STATE_DAD) {
+                ifp->state = INET6_IFADDR_STATE_POSTDAD;
+                err = 0;
+        }
+        spin_unlock(&ifp->state_lock);
+        return err;
+}
 void addrconf_dad_failure(struct inet6_ifaddr *ifp)
 {
        struct inet6_dev *idev = ifp->idev;
+        if (addrconf_dad_end(ifp))
+                return;
        if (net_ratelimit())
                printk(KERN_INFO "%s: IPv6 duplicate address %pI6c detected!\n",
                        ifp->idev->dev->name, &ifp->addr);
@@ -2624,6 +2651,7 @@ static int addrconf_ifdown(struct net_device *dev, int how)
        struct inet6_dev *idev;
        struct inet6_ifaddr *ifa;
        LIST_HEAD(keep_list);
+        int state;
        ASSERT_RTNL();
@@ -2664,7 +2692,6 @@ static int addrconf_ifdown(struct net_device *dev, int how)
                ifa = list_first_entry(&idev->tempaddr_list,
                                       struct inet6_ifaddr, tmp_list);
                list_del(&ifa->tmp_list);
-                ifa->dead = 1;
                write_unlock_bh(&idev->lock);
                spin_lock_bh(&ifa->lock);
@@ -2702,23 +2729,35 @@ static int addrconf_ifdown(struct net_device *dev, int how)
                        /* Flag it for later restoration when link comes up */
                        ifa->flags |= IFA_F_TENTATIVE;
-                        in6_ifa_hold(ifa);
+                        ifa->state = INET6_IFADDR_STATE_DAD;
                        write_unlock_bh(&idev->lock);
+                        in6_ifa_hold(ifa);
                } else {
                        list_del(&ifa->if_list);
-                        ifa->dead = 1;
-                        write_unlock_bh(&idev->lock);
                        /* clear hash table */
                        spin_lock_bh(&addrconf_hash_lock);
                        hlist_del_init_rcu(&ifa->addr_lst);
                        spin_unlock_bh(&addrconf_hash_lock);
+                        write_unlock_bh(&idev->lock);
+                        spin_lock_bh(&ifa->state_lock);
+                        state = ifa->state;
+                        ifa->state = INET6_IFADDR_STATE_DEAD;
+                        spin_unlock_bh(&ifa->state_lock);
+                        if (state == INET6_IFADDR_STATE_DEAD)
+                                goto put_ifa;
                }
                __ipv6_ifa_notify(RTM_DELADDR, ifa);
-                if (ifa->dead)
+                if (ifa->state == INET6_IFADDR_STATE_DEAD)
                        atomic_notifier_call_chain(&inet6addr_chain,
                                                   NETDEV_DOWN, ifa);
+put_ifa:
                in6_ifa_put(ifa);
                write_lock_bh(&idev->lock);
@@ -2814,10 +2853,10 @@ static void addrconf_dad_start(struct inet6_ifaddr *ifp, u32 flags)
        net_srandom(ifp->addr.s6_addr32[3]);
        read_lock_bh(&idev->lock);
-        if (ifp->dead)
+        spin_lock(&ifp->lock);
+        if (ifp->state == INET6_IFADDR_STATE_DEAD)
                goto out;
-        spin_lock(&ifp->lock);
        if (dev->flags&(IFF_NOARP|IFF_LOOPBACK) ||
            idev->cnf.accept_dad < 1 ||
            !(ifp->flags&IFA_F_TENTATIVE) ||
@@ -2851,8 +2890,8 @@ static void addrconf_dad_start(struct inet6_ifaddr *ifp, u32 flags)
                ip6_ins_rt(ifp->rt);
        addrconf_dad_kick(ifp);
-        spin_unlock(&ifp->lock);
 out:
+        spin_unlock(&ifp->lock);
        read_unlock_bh(&idev->lock);
 }
@@ -2862,6 +2901,9 @@ static void addrconf_dad_timer(unsigned long data)
        struct inet6_dev *idev = ifp->idev;
        struct in6_addr mcaddr;
+        if (!ifp->probes && addrconf_dad_end(ifp))
+                goto out;
        read_lock(&idev->lock);
        if (idev->dead || !(idev->if_flags & IF_READY)) {
                read_unlock(&idev->lock);
@@ -2869,6 +2911,12 @@ static void addrconf_dad_timer(unsigned long data)
        }
        spin_lock(&ifp->lock);
+        if (ifp->state == INET6_IFADDR_STATE_DEAD) {
+                spin_unlock(&ifp->lock);
+                read_unlock(&idev->lock);
+                goto out;
+        }
        if (ifp->probes == 0) {
                /*
                 * DAD was successful
@@ -2935,12 +2983,10 @@ static void addrconf_dad_run(struct inet6_dev *idev)
        read_lock_bh(&idev->lock);
        list_for_each_entry(ifp, &idev->addr_list, if_list) {
                spin_lock(&ifp->lock);
-                if (!(ifp->flags & IFA_F_TENTATIVE)) {
+                if (ifp->flags & IFA_F_TENTATIVE &&
-                        spin_unlock(&ifp->lock);
+                    ifp->state == INET6_IFADDR_STATE_DAD)
-                        continue;
+                        addrconf_dad_kick(ifp);
-                }
                spin_unlock(&ifp->lock);
-                addrconf_dad_kick(ifp);
        }
        read_unlock_bh(&idev->lock);
 }
@@ -4049,7 +4095,8 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
                addrconf_leave_solict(ifp->idev, &ifp->addr);
                dst_hold(&ifp->rt->u.dst);
-                if (ifp->dead && ip6_del_rt(ifp->rt))
+                if (ifp->state == INET6_IFADDR_STATE_DEAD &&
+                    ip6_del_rt(ifp->rt))
                        dst_free(&ifp->rt->u.dst);
                break;
        }
diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c
index ae404c9a746c..8c4348cb1950 100644
--- a/net/ipv6/addrlabel.c
+++ b/net/ipv6/addrlabel.c
@@ -422,10 +422,6 @@ static int ip6addrlbl_newdel(struct sk_buff *skb, struct nlmsghdr *nlh,
            ifal->ifal_prefixlen > 128)
                return -EINVAL;
-        if (ifal->ifal_index &&
-            !__dev_get_by_index(net, ifal->ifal_index))
-                return -EINVAL;
        if (!tb[IFAL_ADDRESS])
                return -EINVAL;
@@ -441,6 +437,10 @@ static int ip6addrlbl_newdel(struct sk_buff *skb, struct nlmsghdr *nlh,
        switch(nlh->nlmsg_type) {
        case RTM_NEWADDRLABEL:
+                if (ifal->ifal_index &&
+                    !__dev_get_by_index(net, ifal->ifal_index))
+                        return -EINVAL;
                err = ip6addrlbl_add(net, pfx, ifal->ifal_prefixlen,
                                     ifal->ifal_index, label,
                                     nlh->nlmsg_flags & NLM_F_REPLACE);
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index d2df3144429b..e733942dafe1 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -200,7 +200,7 @@ lookup_protocol:
        inet_sk(sk)->pinet6 = np = inet6_sk_generic(sk);
        np->hop_limit   = -1;
-        np->mcast_hops  = -1;
+        np->mcast_hops  = IPV6_DEFAULT_MCASTHOPS;
        np->mc_loop     = 1;
        np->pmtudisc    = IPV6_PMTUDISC_WANT;
        np->ipv6only    = net->ipv6.sysctl.bindv6only;
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 5959230bc6c1..712684687c9a 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -222,6 +222,8 @@ void ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err,
        if (!skb)
                return;
+        skb->protocol = htons(ETH_P_IPV6);
        serr = SKB_EXT_ERR(skb);
        serr->ee.ee_errno = err;
        serr->ee.ee_origin = SO_EE_ORIGIN_ICMP6;
@@ -255,6 +257,8 @@ void ipv6_local_error(struct sock *sk, int err, struct flowi *fl, u32 info)
        if (!skb)
                return;
+        skb->protocol = htons(ETH_P_IPV6);
        skb_put(skb, sizeof(struct ipv6hdr));
        skb_reset_network_header(skb);
        iph = ipv6_hdr(skb);
@@ -358,7 +362,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len)
                sin->sin6_flowinfo = 0;
                sin->sin6_port = serr->port;
                sin->sin6_scope_id = 0;
-                if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP6) {
+                if (skb->protocol == htons(ETH_P_IPV6)) {
                        ipv6_addr_copy(&sin->sin6_addr,
                                  (struct in6_addr *)(nh + serr->addr_offset));
                        if (np->sndflow)
@@ -380,7 +384,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len)
                sin->sin6_family = AF_INET6;
                sin->sin6_flowinfo = 0;
                sin->sin6_scope_id = 0;
-                if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP6) {
+                if (skb->protocol == htons(ETH_P_IPV6)) {
                        ipv6_addr_copy(&sin->sin6_addr, &ipv6_hdr(skb)->saddr);
                        if (np->rxopt.all)
                                datagram_recv_ctl(sk, msg, skb);
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index ce7992982557..03e62f94ff8e 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -483,7 +483,7 @@ route_done:
                              np->tclass, NULL, &fl, (struct rt6_info*)dst,
                              MSG_DONTWAIT, np->dontfrag);
        if (err) {
-                ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTMSGS);
+                ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTERRORS);
                ip6_flush_pending_frames(sk);
                goto out_put;
        }
@@ -565,7 +565,7 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
                                np->dontfrag);
        if (err) {
-                ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTMSGS);
+                ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTERRORS);
                ip6_flush_pending_frames(sk);
                goto out_put;
        }
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index 6aa7ee1295c2..a83e9209cecc 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -143,7 +143,7 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
        /* Must drop socket now because of tproxy. */
        skb_orphan(skb);
-        return NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, dev, NULL,
+        return NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, dev, NULL,
                       ip6_rcv_finish);
 err:
        IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_INHDRERRORS);
@@ -236,7 +236,7 @@ discard:
 int ip6_input(struct sk_buff *skb)
 {
-        return NF_HOOK(PF_INET6, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
+        return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
                       ip6_input_finish);
 }
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index e7a5f17d5e95..89425af0684c 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -67,8 +67,8 @@ int __ip6_local_out(struct sk_buff *skb)
                len = 0;
        ipv6_hdr(skb)->payload_len = htons(len);
-        return nf_hook(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb_dst(skb)->dev,
+        return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
-                       dst_output);
+                       skb_dst(skb)->dev, dst_output);
 }
 int ip6_local_out(struct sk_buff *skb)
@@ -83,22 +83,6 @@ int ip6_local_out(struct sk_buff *skb)
 }
 EXPORT_SYMBOL_GPL(ip6_local_out);
-static int ip6_output_finish(struct sk_buff *skb)
-{
-        struct dst_entry *dst = skb_dst(skb);
-        if (dst->hh)
-                return neigh_hh_output(dst->hh, skb);
-        else if (dst->neighbour)
-                return dst->neighbour->output(skb);
-        IP6_INC_STATS_BH(dev_net(dst->dev),
-                         ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
-        kfree_skb(skb);
-        return -EINVAL;
-}
 /* dev_loopback_xmit for use with netfilter. */
 static int ip6_dev_loopback_xmit(struct sk_buff *newskb)
 {
@@ -112,8 +96,7 @@ static int ip6_dev_loopback_xmit(struct sk_buff *newskb)
        return 0;
 }
+static int ip6_finish_output2(struct sk_buff *skb)
-static int ip6_output2(struct sk_buff *skb)
 {
        struct dst_entry *dst = skb_dst(skb);
        struct net_device *dev = dst->dev;
@@ -125,7 +108,7 @@ static int ip6_output2(struct sk_buff *skb)
                struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
                if (!(dev->flags & IFF_LOOPBACK) && sk_mc_loop(skb->sk) &&
-                    ((mroute6_socket(dev_net(dev)) &&
+                    ((mroute6_socket(dev_net(dev), skb) &&
                     !(IP6CB(skb)->flags & IP6SKB_FORWARDED)) ||
                     ipv6_chk_mcast_addr(dev, &ipv6_hdr(skb)->daddr,
                                         &ipv6_hdr(skb)->saddr))) {
@@ -135,8 +118,8 @@ static int ip6_output2(struct sk_buff *skb)
                           is not supported in any case.
                         */
                        if (newskb)
-                                NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, newskb,
+                                NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING,
-                                        NULL, newskb->dev,
+                                        newskb, NULL, newskb->dev,
                                        ip6_dev_loopback_xmit);
                        if (ipv6_hdr(skb)->hop_limit == 0) {
@@ -151,8 +134,15 @@ static int ip6_output2(struct sk_buff *skb)
                                skb->len);
        }
-        return NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, skb, NULL, skb->dev,
+        if (dst->hh)
-                       ip6_output_finish);
+                return neigh_hh_output(dst->hh, skb);
+        else if (dst->neighbour)
+                return dst->neighbour->output(skb);
+        IP6_INC_STATS_BH(dev_net(dst->dev),
+                         ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
+        kfree_skb(skb);
+        return -EINVAL;
 }
 static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
@@ -163,21 +153,29 @@ static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
               skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb));
 }
+static int ip6_finish_output(struct sk_buff *skb)
+{
+        if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
+            dst_allfrag(skb_dst(skb)))
+                return ip6_fragment(skb, ip6_finish_output2);
+        else
+                return ip6_finish_output2(skb);
+}
 int ip6_output(struct sk_buff *skb)
 {
+        struct net_device *dev = skb_dst(skb)->dev;
        struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
        if (unlikely(idev->cnf.disable_ipv6)) {
-                IP6_INC_STATS(dev_net(skb_dst(skb)->dev), idev,
+                IP6_INC_STATS(dev_net(dev), idev,
                              IPSTATS_MIB_OUTDISCARDS);
                kfree_skb(skb);
                return 0;
        }
-        if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
+        return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL, dev,
-                                dst_allfrag(skb_dst(skb)))
+                            ip6_finish_output,
-                return ip6_fragment(skb, ip6_output2);
+                            !(IP6CB(skb)->flags & IP6SKB_REROUTED));
-        else
-                return ip6_output2(skb);
 }
 /*
@@ -256,8 +254,8 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
        if ((skb->len <= mtu) || skb->local_df || skb_is_gso(skb)) {
                IP6_UPD_PO_STATS(net, ip6_dst_idev(skb_dst(skb)),
                              IPSTATS_MIB_OUT, skb->len);
-                return NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev,
+                return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
-                                dst_output);
+                               dst->dev, dst_output);
        }
        if (net_ratelimit())
@@ -509,7 +507,7 @@ int ip6_forward(struct sk_buff *skb)
        if (mtu < IPV6_MIN_MTU)
                mtu = IPV6_MIN_MTU;
-        if (skb->len > mtu) {
+        if (skb->len > mtu && !skb_is_gso(skb)) {
                /* Again, force OUTPUT device used as source address */
                skb->dev = dst->dev;
                icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
@@ -533,7 +531,7 @@ int ip6_forward(struct sk_buff *skb)
        hdr->hop_limit--;
        IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
-        return NF_HOOK(PF_INET6, NF_INET_FORWARD, skb, skb->dev, dst->dev,
+        return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD, skb, skb->dev, dst->dev,
                       ip6_forward_finish);
 error:
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 2599870747ec..8f39893d8081 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -723,14 +723,10 @@ static int ip6_tnl_rcv(struct sk_buff *skb, __u16 protocol,
                skb->protocol = htons(protocol);
                skb->pkt_type = PACKET_HOST;
                memset(skb->cb, 0, sizeof(struct inet6_skb_parm));
-                skb->dev = t->dev;
-                skb_dst_drop(skb);
-                nf_reset(skb);
-                dscp_ecn_decapsulate(t, ipv6h, skb);
+                skb_tunnel_rx(skb, t->dev);
-                t->dev->stats.rx_packets++;
+                dscp_ecn_decapsulate(t, ipv6h, skb);
-                t->dev->stats.rx_bytes += skb->len;
                netif_rx(skb);
                rcu_read_unlock();
                return 0;
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 3e333268db89..66078dad7fe8 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -42,6 +42,7 @@
 #include <linux/if_arp.h>
 #include <net/checksum.h>
 #include <net/netlink.h>
+#include <net/fib_rules.h>
 #include <net/ipv6.h>
 #include <net/ip6_route.h>
@@ -51,6 +52,34 @@
 #include <linux/netfilter_ipv6.h>
 #include <net/ip6_checksum.h>
+struct mr6_table {
+        struct list_head        list;
+#ifdef CONFIG_NET_NS
+        struct net              *net;
+#endif
+        u32                     id;
+        struct sock             *mroute6_sk;
+        struct timer_list       ipmr_expire_timer;
+        struct list_head        mfc6_unres_queue;
+        struct list_head        mfc6_cache_array[MFC6_LINES];
+        struct mif_device       vif6_table[MAXMIFS];
+        int                     maxvif;
+        atomic_t                cache_resolve_queue_len;
+        int                     mroute_do_assert;
+        int                     mroute_do_pim;
+#ifdef CONFIG_IPV6_PIMSM_V2
+        int                     mroute_reg_vif_num;
+#endif
+};
+struct ip6mr_rule {
+        struct fib_rule         common;
+};
+struct ip6mr_result {
+        struct mr6_table        *mrt;
+};
 /* Big lock, protecting vif table, mrt cache and mroute socket state.
   Note that the changes are semaphored via rtnl_lock.
 */
@@ -61,9 +90,7 @@ static DEFINE_RWLOCK(mrt_lock);
 *      Multicast router control variables
 */
-#define MIF_EXISTS(_net, _idx) ((_net)->ipv6.vif6_table[_idx].dev != NULL)
+#define MIF_EXISTS(_mrt, _idx) ((_mrt)->vif6_table[_idx].dev != NULL)
-static struct mfc6_cache *mfc_unres_queue;              /* Queue of unresolved entries */
 /* Special spinlock for queue of unresolved entries */
 static DEFINE_SPINLOCK(mfc_unres_lock);
@@ -78,20 +105,235 @@ static DEFINE_SPINLOCK(mfc_unres_lock);
 static struct kmem_cache *mrt_cachep __read_mostly;
-static int ip6_mr_forward(struct sk_buff *skb, struct mfc6_cache *cache);
+static struct mr6_table *ip6mr_new_table(struct net *net, u32 id);
-static int ip6mr_cache_report(struct net *net, struct sk_buff *pkt,
+static void ip6mr_free_table(struct mr6_table *mrt);
+static int ip6_mr_forward(struct net *net, struct mr6_table *mrt,
+                          struct sk_buff *skb, struct mfc6_cache *cache);
+static int ip6mr_cache_report(struct mr6_table *mrt, struct sk_buff *pkt,
                              mifi_t mifi, int assert);
-static int ip6mr_fill_mroute(struct sk_buff *skb, struct mfc6_cache *c, struct rtmsg *rtm);
+static int __ip6mr_fill_mroute(struct mr6_table *mrt, struct sk_buff *skb,
-static void mroute_clean_tables(struct net *net);
+                               struct mfc6_cache *c, struct rtmsg *rtm);
+static int ip6mr_rtm_dumproute(struct sk_buff *skb,
+                               struct netlink_callback *cb);
+static void mroute_clean_tables(struct mr6_table *mrt);
+static void ipmr_expire_process(unsigned long arg);
+#ifdef CONFIG_IPV6_MROUTE_MULTIPLE_TABLES
+#define ip6mr_for_each_table(mrt, net) \
+        list_for_each_entry_rcu(mrt, &net->ipv6.mr6_tables, list)
+static struct mr6_table *ip6mr_get_table(struct net *net, u32 id)
+{
+        struct mr6_table *mrt;
+        ip6mr_for_each_table(mrt, net) {
+                if (mrt->id == id)
+                        return mrt;
+        }
+        return NULL;
+}
+static int ip6mr_fib_lookup(struct net *net, struct flowi *flp,
+                            struct mr6_table **mrt)
+{
+        struct ip6mr_result res;
+        struct fib_lookup_arg arg = { .result = &res, };
+        int err;
+        err = fib_rules_lookup(net->ipv6.mr6_rules_ops, flp, 0, &arg);
+        if (err < 0)
+                return err;
+        *mrt = res.mrt;
+        return 0;
+}
+static int ip6mr_rule_action(struct fib_rule *rule, struct flowi *flp,
+                             int flags, struct fib_lookup_arg *arg)
+{
+        struct ip6mr_result *res = arg->result;
+        struct mr6_table *mrt;
+        switch (rule->action) {
+        case FR_ACT_TO_TBL:
+                break;
+        case FR_ACT_UNREACHABLE:
+                return -ENETUNREACH;
+        case FR_ACT_PROHIBIT:
+                return -EACCES;
+        case FR_ACT_BLACKHOLE:
+        default:
+                return -EINVAL;
+        }
+        mrt = ip6mr_get_table(rule->fr_net, rule->table);
+        if (mrt == NULL)
+                return -EAGAIN;
+        res->mrt = mrt;
+        return 0;
+}
+static int ip6mr_rule_match(struct fib_rule *rule, struct flowi *flp, int flags)
+{
+        return 1;
+}
+static const struct nla_policy ip6mr_rule_policy[FRA_MAX + 1] = {
+        FRA_GENERIC_POLICY,
+};
+static int ip6mr_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
+                                struct fib_rule_hdr *frh, struct nlattr **tb)
+{
+        return 0;
+}
+static int ip6mr_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh,
+                              struct nlattr **tb)
+{
+        return 1;
+}
+static int ip6mr_rule_fill(struct fib_rule *rule, struct sk_buff *skb,
+                           struct fib_rule_hdr *frh)
+{
+        frh->dst_len = 0;
+        frh->src_len = 0;
+        frh->tos     = 0;
+        return 0;
+}
+static const struct fib_rules_ops __net_initdata ip6mr_rules_ops_template = {
+        .family         = RTNL_FAMILY_IP6MR,
+        .rule_size      = sizeof(struct ip6mr_rule),
+        .addr_size      = sizeof(struct in6_addr),
+        .action         = ip6mr_rule_action,
+        .match          = ip6mr_rule_match,
+        .configure      = ip6mr_rule_configure,
+        .compare        = ip6mr_rule_compare,
+        .default_pref   = fib_default_rule_pref,
+        .fill           = ip6mr_rule_fill,
+        .nlgroup        = RTNLGRP_IPV6_RULE,
+        .policy         = ip6mr_rule_policy,
+        .owner          = THIS_MODULE,
+};
+static int __net_init ip6mr_rules_init(struct net *net)
+{
+        struct fib_rules_ops *ops;
+        struct mr6_table *mrt;
+        int err;
+        ops = fib_rules_register(&ip6mr_rules_ops_template, net);
+        if (IS_ERR(ops))
+                return PTR_ERR(ops);
+        INIT_LIST_HEAD(&net->ipv6.mr6_tables);
+        mrt = ip6mr_new_table(net, RT6_TABLE_DFLT);
+        if (mrt == NULL) {
+                err = -ENOMEM;
+                goto err1;
+        }
+        err = fib_default_rule_add(ops, 0x7fff, RT6_TABLE_DFLT, 0);
+        if (err < 0)
+                goto err2;
+        net->ipv6.mr6_rules_ops = ops;
+        return 0;
+err2:
+        kfree(mrt);
+err1:
+        fib_rules_unregister(ops);
+        return err;
+}
+static void __net_exit ip6mr_rules_exit(struct net *net)
+{
+        struct mr6_table *mrt, *next;
+        list_for_each_entry_safe(mrt, next, &net->ipv6.mr6_tables, list) {
+                list_del(&mrt->list);
+                ip6mr_free_table(mrt);
+        }
+        fib_rules_unregister(net->ipv6.mr6_rules_ops);
+}
+#else
+#define ip6mr_for_each_table(mrt, net) \
+        for (mrt = net->ipv6.mrt6; mrt; mrt = NULL)
+static struct mr6_table *ip6mr_get_table(struct net *net, u32 id)
+{
+        return net->ipv6.mrt6;
+}
+static int ip6mr_fib_lookup(struct net *net, struct flowi *flp,
+                            struct mr6_table **mrt)
+{
+        *mrt = net->ipv6.mrt6;
+        return 0;
+}
+static int __net_init ip6mr_rules_init(struct net *net)
+{
+        net->ipv6.mrt6 = ip6mr_new_table(net, RT6_TABLE_DFLT);
+        return net->ipv6.mrt6 ? 0 : -ENOMEM;
+}
+static void __net_exit ip6mr_rules_exit(struct net *net)
+{
+        ip6mr_free_table(net->ipv6.mrt6);
+}
+#endif
+static struct mr6_table *ip6mr_new_table(struct net *net, u32 id)
+{
+        struct mr6_table *mrt;
+        unsigned int i;
-static struct timer_list ipmr_expire_timer;
+        mrt = ip6mr_get_table(net, id);
+        if (mrt != NULL)
+                return mrt;
+        mrt = kzalloc(sizeof(*mrt), GFP_KERNEL);
+        if (mrt == NULL)
+                return NULL;
+        mrt->id = id;
+        write_pnet(&mrt->net, net);
+        /* Forwarding cache */
+        for (i = 0; i < MFC6_LINES; i++)
+                INIT_LIST_HEAD(&mrt->mfc6_cache_array[i]);
+        INIT_LIST_HEAD(&mrt->mfc6_unres_queue);
+        setup_timer(&mrt->ipmr_expire_timer, ipmr_expire_process,
+                    (unsigned long)mrt);
+#ifdef CONFIG_IPV6_PIMSM_V2
+        mrt->mroute_reg_vif_num = -1;
+#endif
+#ifdef CONFIG_IPV6_MROUTE_MULTIPLE_TABLES
+        list_add_tail_rcu(&mrt->list, &net->ipv6.mr6_tables);
+#endif
+        return mrt;
+}
+static void ip6mr_free_table(struct mr6_table *mrt)
+{
+        del_timer(&mrt->ipmr_expire_timer);
+        mroute_clean_tables(mrt);
+        kfree(mrt);
+}
 #ifdef CONFIG_PROC_FS
 struct ipmr_mfc_iter {
        struct seq_net_private p;
-        struct mfc6_cache **cache;
+        struct mr6_table *mrt;
+        struct list_head *cache;
        int ct;
 };
@@ -99,22 +341,22 @@ struct ipmr_mfc_iter {
 static struct mfc6_cache *ipmr_mfc_seq_idx(struct net *net,
                                           struct ipmr_mfc_iter *it, loff_t pos)
 {
+        struct mr6_table *mrt = it->mrt;
        struct mfc6_cache *mfc;
-        it->cache = net->ipv6.mfc6_cache_array;
        read_lock(&mrt_lock);
-        for (it->ct = 0; it->ct < MFC6_LINES; it->ct++)
+        for (it->ct = 0; it->ct < MFC6_LINES; it->ct++) {
-                for (mfc = net->ipv6.mfc6_cache_array[it->ct];
+                it->cache = &mrt->mfc6_cache_array[it->ct];
-                     mfc; mfc = mfc->next)
+                list_for_each_entry(mfc, it->cache, list)
                        if (pos-- == 0)
                                return mfc;
+        }
        read_unlock(&mrt_lock);
-        it->cache = &mfc_unres_queue;
        spin_lock_bh(&mfc_unres_lock);
-        for (mfc = mfc_unres_queue; mfc; mfc = mfc->next)
+        it->cache = &mrt->mfc6_unres_queue;
-                if (net_eq(mfc6_net(mfc), net) &&
+        list_for_each_entry(mfc, it->cache, list)
-                    pos-- == 0)
+                if (pos-- == 0)
                        return mfc;
        spin_unlock_bh(&mfc_unres_lock);
@@ -122,15 +364,13 @@ static struct mfc6_cache *ipmr_mfc_seq_idx(struct net *net,
        return NULL;
 }
 /*
 *      The /proc interfaces to multicast routing /proc/ip6_mr_cache /proc/ip6_mr_vif
 */
 struct ipmr_vif_iter {
        struct seq_net_private p;
+        struct mr6_table *mrt;
        int ct;
 };
@@ -138,11 +378,13 @@ static struct mif_device *ip6mr_vif_seq_idx(struct net *net,
                                            struct ipmr_vif_iter *iter,
                                            loff_t pos)
 {
-        for (iter->ct = 0; iter->ct < net->ipv6.maxvif; ++iter->ct) {
+        struct mr6_table *mrt = iter->mrt;
-                if (!MIF_EXISTS(net, iter->ct))
+        for (iter->ct = 0; iter->ct < mrt->maxvif; ++iter->ct) {
+                if (!MIF_EXISTS(mrt, iter->ct))
                        continue;
                if (pos-- == 0)
-                        return &net->ipv6.vif6_table[iter->ct];
+                        return &mrt->vif6_table[iter->ct];
        }
        return NULL;
 }
@@ -150,7 +392,15 @@ static struct mif_device *ip6mr_vif_seq_idx(struct net *net,
 static void *ip6mr_vif_seq_start(struct seq_file *seq, loff_t *pos)
        __acquires(mrt_lock)
 {
+        struct ipmr_vif_iter *iter = seq->private;
        struct net *net = seq_file_net(seq);
+        struct mr6_table *mrt;
+        mrt = ip6mr_get_table(net, RT6_TABLE_DFLT);
+        if (mrt == NULL)
+                return ERR_PTR(-ENOENT);
+        iter->mrt = mrt;
        read_lock(&mrt_lock);
        return *pos ? ip6mr_vif_seq_idx(net, seq->private, *pos - 1)
@@ -161,15 +411,16 @@ static void *ip6mr_vif_seq_next(struct seq_file *seq, void *v, loff_t *pos)
 {
        struct ipmr_vif_iter *iter = seq->private;
        struct net *net = seq_file_net(seq);
+        struct mr6_table *mrt = iter->mrt;
        ++*pos;
        if (v == SEQ_START_TOKEN)
                return ip6mr_vif_seq_idx(net, iter, 0);
-        while (++iter->ct < net->ipv6.maxvif) {
+        while (++iter->ct < mrt->maxvif) {
-                if (!MIF_EXISTS(net, iter->ct))
+                if (!MIF_EXISTS(mrt, iter->ct))
                        continue;
-                return &net->ipv6.vif6_table[iter->ct];
+                return &mrt->vif6_table[iter->ct];
        }
        return NULL;
 }
@@ -182,7 +433,8 @@ static void ip6mr_vif_seq_stop(struct seq_file *seq, void *v)
 static int ip6mr_vif_seq_show(struct seq_file *seq, void *v)
 {
-        struct net *net = seq_file_net(seq);
+        struct ipmr_vif_iter *iter = seq->private;
+        struct mr6_table *mrt = iter->mrt;
        if (v == SEQ_START_TOKEN) {
                seq_puts(seq,
@@ -193,7 +445,7 @@ static int ip6mr_vif_seq_show(struct seq_file *seq, void *v)
                seq_printf(seq,
                           "%2td %-10s %8ld %7ld  %8ld %7ld %05X\n",
-                           vif - net->ipv6.vif6_table,
+                           vif - mrt->vif6_table,
                           name, vif->bytes_in, vif->pkt_in,
                           vif->bytes_out, vif->pkt_out,
                           vif->flags);
@@ -224,8 +476,15 @@ static const struct file_operations ip6mr_vif_fops = {
 static void *ipmr_mfc_seq_start(struct seq_file *seq, loff_t *pos)
 {
+        struct ipmr_mfc_iter *it = seq->private;
        struct net *net = seq_file_net(seq);
+        struct mr6_table *mrt;
+        mrt = ip6mr_get_table(net, RT6_TABLE_DFLT);
+        if (mrt == NULL)
+                return ERR_PTR(-ENOENT);
+        it->mrt = mrt;
        return *pos ? ipmr_mfc_seq_idx(net, seq->private, *pos - 1)
                : SEQ_START_TOKEN;
 }
@@ -235,35 +494,36 @@ static void *ipmr_mfc_seq_next(struct seq_file *seq, void *v, loff_t *pos)
        struct mfc6_cache *mfc = v;
        struct ipmr_mfc_iter *it = seq->private;
        struct net *net = seq_file_net(seq);
+        struct mr6_table *mrt = it->mrt;
        ++*pos;
        if (v == SEQ_START_TOKEN)
                return ipmr_mfc_seq_idx(net, seq->private, 0);
-        if (mfc->next)
+        if (mfc->list.next != it->cache)
-                return mfc->next;
+                return list_entry(mfc->list.next, struct mfc6_cache, list);
-        if (it->cache == &mfc_unres_queue)
+        if (it->cache == &mrt->mfc6_unres_queue)
                goto end_of_list;
-        BUG_ON(it->cache != net->ipv6.mfc6_cache_array);
+        BUG_ON(it->cache != &mrt->mfc6_cache_array[it->ct]);
        while (++it->ct < MFC6_LINES) {
-                mfc = net->ipv6.mfc6_cache_array[it->ct];
+                it->cache = &mrt->mfc6_cache_array[it->ct];
-                if (mfc)
+                if (list_empty(it->cache))
-                        return mfc;
+                        continue;
+                return list_first_entry(it->cache, struct mfc6_cache, list);
        }
        /* exhausted cache_array, show unresolved */
        read_unlock(&mrt_lock);
-        it->cache = &mfc_unres_queue;
+        it->cache = &mrt->mfc6_unres_queue;
        it->ct = 0;
        spin_lock_bh(&mfc_unres_lock);
-        mfc = mfc_unres_queue;
+        if (!list_empty(it->cache))
-        if (mfc)
+                return list_first_entry(it->cache, struct mfc6_cache, list);
-                return mfc;
 end_of_list:
        spin_unlock_bh(&mfc_unres_lock);
@@ -275,18 +535,17 @@ static void *ipmr_mfc_seq_next(struct seq_file *seq, void *v, loff_t *pos)
 static void ipmr_mfc_seq_stop(struct seq_file *seq, void *v)
 {
        struct ipmr_mfc_iter *it = seq->private;
-        struct net *net = seq_file_net(seq);
+        struct mr6_table *mrt = it->mrt;
-        if (it->cache == &mfc_unres_queue)
+        if (it->cache == &mrt->mfc6_unres_queue)
                spin_unlock_bh(&mfc_unres_lock);
-        else if (it->cache == net->ipv6.mfc6_cache_array)
+        else if (it->cache == mrt->mfc6_cache_array)
                read_unlock(&mrt_lock);
 }
 static int ipmr_mfc_seq_show(struct seq_file *seq, void *v)
 {
        int n;
-        struct net *net = seq_file_net(seq);
        if (v == SEQ_START_TOKEN) {
                seq_puts(seq,
@@ -296,19 +555,20 @@ static int ipmr_mfc_seq_show(struct seq_file *seq, void *v)
        } else {
                const struct mfc6_cache *mfc = v;
                const struct ipmr_mfc_iter *it = seq->private;
+                struct mr6_table *mrt = it->mrt;
                seq_printf(seq, "%pI6 %pI6 %-3hd",
                           &mfc->mf6c_mcastgrp, &mfc->mf6c_origin,
                           mfc->mf6c_parent);
-                if (it->cache != &mfc_unres_queue) {
+                if (it->cache != &mrt->mfc6_unres_queue) {
                        seq_printf(seq, " %8lu %8lu %8lu",
                                   mfc->mfc_un.res.pkt,
                                   mfc->mfc_un.res.bytes,
                                   mfc->mfc_un.res.wrong_if);
                        for (n = mfc->mfc_un.res.minvif;
                             n < mfc->mfc_un.res.maxvif; n++) {
-                                if (MIF_EXISTS(net, n) &&
+                                if (MIF_EXISTS(mrt, n) &&
                                    mfc->mfc_un.res.ttls[n] < 255)
                                        seq_printf(seq,
                                                   " %2d:%-3d",
@@ -355,7 +615,12 @@ static int pim6_rcv(struct sk_buff *skb)
        struct ipv6hdr   *encap;
        struct net_device  *reg_dev = NULL;
        struct net *net = dev_net(skb->dev);
-        int reg_vif_num = net->ipv6.mroute_reg_vif_num;
+        struct mr6_table *mrt;
+        struct flowi fl = {
+                .iif    = skb->dev->ifindex,
+                .mark   = skb->mark,
+        };
+        int reg_vif_num;
        if (!pskb_may_pull(skb, sizeof(*pim) + sizeof(*encap)))
                goto drop;
@@ -378,9 +643,13 @@ static int pim6_rcv(struct sk_buff *skb)
            ntohs(encap->payload_len) + sizeof(*pim) > skb->len)
                goto drop;
+        if (ip6mr_fib_lookup(net, &fl, &mrt) < 0)
+                goto drop;
+        reg_vif_num = mrt->mroute_reg_vif_num;
        read_lock(&mrt_lock);
        if (reg_vif_num >= 0)
-                reg_dev = net->ipv6.vif6_table[reg_vif_num].dev;
+                reg_dev = mrt->vif6_table[reg_vif_num].dev;
        if (reg_dev)
                dev_hold(reg_dev);
        read_unlock(&mrt_lock);
@@ -391,14 +660,12 @@ static int pim6_rcv(struct sk_buff *skb)
        skb->mac_header = skb->network_header;
        skb_pull(skb, (u8 *)encap - skb->data);
        skb_reset_network_header(skb);
-        skb->dev = reg_dev;
        skb->protocol = htons(ETH_P_IPV6);
        skb->ip_summed = 0;
        skb->pkt_type = PACKET_HOST;
-        skb_dst_drop(skb);
-        reg_dev->stats.rx_bytes += skb->len;
+        skb_tunnel_rx(skb, reg_dev);
-        reg_dev->stats.rx_packets++;
-        nf_reset(skb);
        netif_rx(skb);
        dev_put(reg_dev);
        return 0;
@@ -417,12 +684,22 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb,
                                      struct net_device *dev)
 {
        struct net *net = dev_net(dev);
+        struct mr6_table *mrt;
+        struct flowi fl = {
+                .oif            = dev->ifindex,
+                .iif            = skb->skb_iif,
+                .mark           = skb->mark,
+        };
+        int err;
+        err = ip6mr_fib_lookup(net, &fl, &mrt);
+        if (err < 0)
+                return err;
        read_lock(&mrt_lock);
        dev->stats.tx_bytes += skb->len;
        dev->stats.tx_packets++;
-        ip6mr_cache_report(net, skb, net->ipv6.mroute_reg_vif_num,
+        ip6mr_cache_report(mrt, skb, mrt->mroute_reg_vif_num, MRT6MSG_WHOLEPKT);
-                           MRT6MSG_WHOLEPKT);
        read_unlock(&mrt_lock);
        kfree_skb(skb);
        return NETDEV_TX_OK;
@@ -442,11 +719,17 @@ static void reg_vif_setup(struct net_device *dev)
        dev->features           |= NETIF_F_NETNS_LOCAL;
 }
-static struct net_device *ip6mr_reg_vif(struct net *net)
+static struct net_device *ip6mr_reg_vif(struct net *net, struct mr6_table *mrt)
 {
        struct net_device *dev;
+        char name[IFNAMSIZ];
-        dev = alloc_netdev(0, "pim6reg", reg_vif_setup);
+        if (mrt->id == RT6_TABLE_DFLT)
+                sprintf(name, "pim6reg");
+        else
+                sprintf(name, "pim6reg%u", mrt->id);
+        dev = alloc_netdev(0, name, reg_vif_setup);
        if (dev == NULL)
                return NULL;
@@ -478,15 +761,16 @@ failure:
 *      Delete a VIF entry
 */
-static int mif6_delete(struct net *net, int vifi, struct list_head *head)
+static int mif6_delete(struct mr6_table *mrt, int vifi, struct list_head *head)
 {
        struct mif_device *v;
        struct net_device *dev;
        struct inet6_dev *in6_dev;
-        if (vifi < 0 || vifi >= net->ipv6.maxvif)
+        if (vifi < 0 || vifi >= mrt->maxvif)
                return -EADDRNOTAVAIL;
-        v = &net->ipv6.vif6_table[vifi];
+        v = &mrt->vif6_table[vifi];
        write_lock_bh(&mrt_lock);
        dev = v->dev;
@@ -498,17 +782,17 @@ static int mif6_delete(struct net *net, int vifi, struct list_head *head)
        }
 #ifdef CONFIG_IPV6_PIMSM_V2
-        if (vifi == net->ipv6.mroute_reg_vif_num)
+        if (vifi == mrt->mroute_reg_vif_num)
-                net->ipv6.mroute_reg_vif_num = -1;
+                mrt->mroute_reg_vif_num = -1;
 #endif
-        if (vifi + 1 == net->ipv6.maxvif) {
+        if (vifi + 1 == mrt->maxvif) {
                int tmp;
                for (tmp = vifi - 1; tmp >= 0; tmp--) {
-                        if (MIF_EXISTS(net, tmp))
+                        if (MIF_EXISTS(mrt, tmp))
                                break;
                }
-                net->ipv6.maxvif = tmp + 1;
+                mrt->maxvif = tmp + 1;
        }
        write_unlock_bh(&mrt_lock);
@@ -528,7 +812,6 @@ static int mif6_delete(struct net *net, int vifi, struct list_head *head)
 static inline void ip6mr_cache_free(struct mfc6_cache *c)
 {
-        release_net(mfc6_net(c));
        kmem_cache_free(mrt_cachep, c);
 }
@@ -536,12 +819,12 @@ static inline void ip6mr_cache_free(struct mfc6_cache *c)
   and reporting error to netlink readers.
 */
-static void ip6mr_destroy_unres(struct mfc6_cache *c)
+static void ip6mr_destroy_unres(struct mr6_table *mrt, struct mfc6_cache *c)
 {
+        struct net *net = read_pnet(&mrt->net);
        struct sk_buff *skb;
-        struct net *net = mfc6_net(c);
-        atomic_dec(&net->ipv6.cache_resolve_queue_len);
+        atomic_dec(&mrt->cache_resolve_queue_len);
        while((skb = skb_dequeue(&c->mfc_un.unres.unresolved)) != NULL) {
                if (ipv6_hdr(skb)->version == 0) {
@@ -559,60 +842,59 @@ static void ip6mr_destroy_unres(struct mfc6_cache *c)
 }
-/* Single timer process for all the unresolved queue. */
+/* Timer process for all the unresolved queue. */
-static void ipmr_do_expire_process(unsigned long dummy)
+static void ipmr_do_expire_process(struct mr6_table *mrt)
 {
        unsigned long now = jiffies;
        unsigned long expires = 10 * HZ;
-        struct mfc6_cache *c, **cp;
+        struct mfc6_cache *c, *next;
-        cp = &mfc_unres_queue;
-        while ((c = *cp) != NULL) {
+        list_for_each_entry_safe(c, next, &mrt->mfc6_unres_queue, list) {
                if (time_after(c->mfc_un.unres.expires, now)) {
                        /* not yet... */
                        unsigned long interval = c->mfc_un.unres.expires - now;
                        if (interval < expires)
                                expires = interval;
-                        cp = &c->next;
                        continue;
                }
-                *cp = c->next;
+                list_del(&c->list);
-                ip6mr_destroy_unres(c);
+                ip6mr_destroy_unres(mrt, c);
        }
-        if (mfc_unres_queue != NULL)
+        if (!list_empty(&mrt->mfc6_unres_queue))
-                mod_timer(&ipmr_expire_timer, jiffies + expires);
+                mod_timer(&mrt->ipmr_expire_timer, jiffies + expires);
 }
-static void ipmr_expire_process(unsigned long dummy)
+static void ipmr_expire_process(unsigned long arg)
 {
+        struct mr6_table *mrt = (struct mr6_table *)arg;
        if (!spin_trylock(&mfc_unres_lock)) {
-                mod_timer(&ipmr_expire_timer, jiffies + 1);
+                mod_timer(&mrt->ipmr_expire_timer, jiffies + 1);
                return;
        }
-        if (mfc_unres_queue != NULL)
+        if (!list_empty(&mrt->mfc6_unres_queue))
-                ipmr_do_expire_process(dummy);
+                ipmr_do_expire_process(mrt);
        spin_unlock(&mfc_unres_lock);
 }
 /* Fill oifs list. It is called under write locked mrt_lock. */
-static void ip6mr_update_thresholds(struct mfc6_cache *cache, unsigned char *ttls)
+static void ip6mr_update_thresholds(struct mr6_table *mrt, struct mfc6_cache *cache,
+                                    unsigned char *ttls)
 {
        int vifi;
-        struct net *net = mfc6_net(cache);
        cache->mfc_un.res.minvif = MAXMIFS;
        cache->mfc_un.res.maxvif = 0;
        memset(cache->mfc_un.res.ttls, 255, MAXMIFS);
-        for (vifi = 0; vifi < net->ipv6.maxvif; vifi++) {
+        for (vifi = 0; vifi < mrt->maxvif; vifi++) {
-                if (MIF_EXISTS(net, vifi) &&
+                if (MIF_EXISTS(mrt, vifi) &&
                    ttls[vifi] && ttls[vifi] < 255) {
                        cache->mfc_un.res.ttls[vifi] = ttls[vifi];
                        if (cache->mfc_un.res.minvif > vifi)
@@ -623,16 +905,17 @@ static void ip6mr_update_thresholds(struct mfc6_cache *cache, unsigned char *ttl
        }
 }
-static int mif6_add(struct net *net, struct mif6ctl *vifc, int mrtsock)
+static int mif6_add(struct net *net, struct mr6_table *mrt,
+                    struct mif6ctl *vifc, int mrtsock)
 {
        int vifi = vifc->mif6c_mifi;
-        struct mif_device *v = &net->ipv6.vif6_table[vifi];
+        struct mif_device *v = &mrt->vif6_table[vifi];
        struct net_device *dev;
        struct inet6_dev *in6_dev;
        int err;
        /* Is vif busy ? */
-        if (MIF_EXISTS(net, vifi))
+        if (MIF_EXISTS(mrt, vifi))
                return -EADDRINUSE;
        switch (vifc->mif6c_flags) {
@@ -642,9 +925,9 @@ static int mif6_add(struct net *net, struct mif6ctl *vifc, int mrtsock)
                 * Special Purpose VIF in PIM
                 * All the packets will be sent to the daemon
                 */
-                if (net->ipv6.mroute_reg_vif_num >= 0)
+                if (mrt->mroute_reg_vif_num >= 0)
                        return -EADDRINUSE;
-                dev = ip6mr_reg_vif(net);
+                dev = ip6mr_reg_vif(net, mrt);
                if (!dev)
                        return -ENOBUFS;
                err = dev_set_allmulti(dev, 1);
@@ -694,50 +977,48 @@ static int mif6_add(struct net *net, struct mif6ctl *vifc, int mrtsock)
        v->dev = dev;
 #ifdef CONFIG_IPV6_PIMSM_V2
        if (v->flags & MIFF_REGISTER)
-                net->ipv6.mroute_reg_vif_num = vifi;
+                mrt->mroute_reg_vif_num = vifi;
 #endif
-        if (vifi + 1 > net->ipv6.maxvif)
+        if (vifi + 1 > mrt->maxvif)
-                net->ipv6.maxvif = vifi + 1;
+                mrt->maxvif = vifi + 1;
        write_unlock_bh(&mrt_lock);
        return 0;
 }
-static struct mfc6_cache *ip6mr_cache_find(struct net *net,
+static struct mfc6_cache *ip6mr_cache_find(struct mr6_table *mrt,
                                           struct in6_addr *origin,
                                           struct in6_addr *mcastgrp)
 {
        int line = MFC6_HASH(mcastgrp, origin);
        struct mfc6_cache *c;
-        for (c = net->ipv6.mfc6_cache_array[line]; c; c = c->next) {
+        list_for_each_entry(c, &mrt->mfc6_cache_array[line], list) {
                if (ipv6_addr_equal(&c->mf6c_origin, origin) &&
                    ipv6_addr_equal(&c->mf6c_mcastgrp, mcastgrp))
-                        break;
+                        return c;
        }
-        return c;
+        return NULL;
 }
 /*
 *      Allocate a multicast cache entry
 */
-static struct mfc6_cache *ip6mr_cache_alloc(struct net *net)
+static struct mfc6_cache *ip6mr_cache_alloc(void)
 {
        struct mfc6_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_KERNEL);
        if (c == NULL)
                return NULL;
        c->mfc_un.res.minvif = MAXMIFS;
-        mfc6_net_set(c, net);
        return c;
 }
-static struct mfc6_cache *ip6mr_cache_alloc_unres(struct net *net)
+static struct mfc6_cache *ip6mr_cache_alloc_unres(void)
 {
        struct mfc6_cache *c = kmem_cache_zalloc(mrt_cachep, GFP_ATOMIC);
        if (c == NULL)
                return NULL;
        skb_queue_head_init(&c->mfc_un.unres.unresolved);
        c->mfc_un.unres.expires = jiffies + 10 * HZ;
-        mfc6_net_set(c, net);
        return c;
 }
@@ -745,7 +1026,8 @@ static struct mfc6_cache *ip6mr_cache_alloc_unres(struct net *net)
 *      A cache entry has gone into a resolved state from queued
 */
-static void ip6mr_cache_resolve(struct mfc6_cache *uc, struct mfc6_cache *c)
+static void ip6mr_cache_resolve(struct net *net, struct mr6_table *mrt,
+                                struct mfc6_cache *uc, struct mfc6_cache *c)
 {
        struct sk_buff *skb;
@@ -758,7 +1040,7 @@ static void ip6mr_cache_resolve(struct mfc6_cache *uc, struct mfc6_cache *c)
                        int err;
                        struct nlmsghdr *nlh = (struct nlmsghdr *)skb_pull(skb, sizeof(struct ipv6hdr));
-                        if (ip6mr_fill_mroute(skb, c, NLMSG_DATA(nlh)) > 0) {
+                        if (__ip6mr_fill_mroute(mrt, skb, c, NLMSG_DATA(nlh)) > 0) {
                                nlh->nlmsg_len = skb_tail_pointer(skb) - (u8 *)nlh;
                        } else {
                                nlh->nlmsg_type = NLMSG_ERROR;
@@ -766,9 +1048,9 @@ static void ip6mr_cache_resolve(struct mfc6_cache *uc, struct mfc6_cache *c)
                                skb_trim(skb, nlh->nlmsg_len);
                                ((struct nlmsgerr *)NLMSG_DATA(nlh))->error = -EMSGSIZE;
                        }
-                        err = rtnl_unicast(skb, mfc6_net(uc), NETLINK_CB(skb).pid);
+                        err = rtnl_unicast(skb, net, NETLINK_CB(skb).pid);
                } else
-                        ip6_mr_forward(skb, c);
+                        ip6_mr_forward(net, mrt, skb, c);
        }
 }
@@ -779,8 +1061,8 @@ static void ip6mr_cache_resolve(struct mfc6_cache *uc, struct mfc6_cache *c)
 *      Called under mrt_lock.
 */
-static int ip6mr_cache_report(struct net *net, struct sk_buff *pkt, mifi_t mifi,
+static int ip6mr_cache_report(struct mr6_table *mrt, struct sk_buff *pkt,
-                              int assert)
+                              mifi_t mifi, int assert)
 {
        struct sk_buff *skb;
        struct mrt6msg *msg;
@@ -816,7 +1098,7 @@ static int ip6mr_cache_report(struct net *net, struct sk_buff *pkt, mifi_t mifi,
                msg = (struct mrt6msg *)skb_transport_header(skb);
                msg->im6_mbz = 0;
                msg->im6_msgtype = MRT6MSG_WHOLEPKT;
-                msg->im6_mif = net->ipv6.mroute_reg_vif_num;
+                msg->im6_mif = mrt->mroute_reg_vif_num;
                msg->im6_pad = 0;
                ipv6_addr_copy(&msg->im6_src, &ipv6_hdr(pkt)->saddr);
                ipv6_addr_copy(&msg->im6_dst, &ipv6_hdr(pkt)->daddr);
@@ -851,7 +1133,7 @@ static int ip6mr_cache_report(struct net *net, struct sk_buff *pkt, mifi_t mifi,
        skb->ip_summed = CHECKSUM_UNNECESSARY;
        }
-        if (net->ipv6.mroute6_sk == NULL) {
+        if (mrt->mroute6_sk == NULL) {
                kfree_skb(skb);
                return -EINVAL;
        }
@@ -859,7 +1141,7 @@ static int ip6mr_cache_report(struct net *net, struct sk_buff *pkt, mifi_t mifi,
        /*
         *      Deliver to user space multicast routing algorithms
         */
-        ret = sock_queue_rcv_skb(net->ipv6.mroute6_sk, skb);
+        ret = sock_queue_rcv_skb(mrt->mroute6_sk, skb);
        if (ret < 0) {
                if (net_ratelimit())
                        printk(KERN_WARNING "mroute6: pending queue full, dropping entries.\n");
@@ -874,26 +1156,28 @@ static int ip6mr_cache_report(struct net *net, struct sk_buff *pkt, mifi_t mifi,
 */
 static int
-ip6mr_cache_unresolved(struct net *net, mifi_t mifi, struct sk_buff *skb)
+ip6mr_cache_unresolved(struct mr6_table *mrt, mifi_t mifi, struct sk_buff *skb)
 {
+        bool found = false;
        int err;
        struct mfc6_cache *c;
        spin_lock_bh(&mfc_unres_lock);
-        for (c = mfc_unres_queue; c; c = c->next) {
+        list_for_each_entry(c, &mrt->mfc6_unres_queue, list) {
-                if (net_eq(mfc6_net(c), net) &&
+                if (ipv6_addr_equal(&c->mf6c_mcastgrp, &ipv6_hdr(skb)->daddr) &&
-                    ipv6_addr_equal(&c->mf6c_mcastgrp, &ipv6_hdr(skb)->daddr) &&
+                    ipv6_addr_equal(&c->mf6c_origin, &ipv6_hdr(skb)->saddr)) {
-                    ipv6_addr_equal(&c->mf6c_origin, &ipv6_hdr(skb)->saddr))
+                        found = true;
                        break;
+                }
        }
-        if (c == NULL) {
+        if (!found) {
                /*
                 *      Create a new entry if allowable
                 */
-                if (atomic_read(&net->ipv6.cache_resolve_queue_len) >= 10 ||
+                if (atomic_read(&mrt->cache_resolve_queue_len) >= 10 ||
-                    (c = ip6mr_cache_alloc_unres(net)) == NULL) {
+                    (c = ip6mr_cache_alloc_unres()) == NULL) {
                        spin_unlock_bh(&mfc_unres_lock);
                        kfree_skb(skb);
@@ -910,7 +1194,7 @@ ip6mr_cache_unresolved(struct net *net, mifi_t mifi, struct sk_buff *skb)
                /*
                 *      Reflect first query at pim6sd
                 */
-                err = ip6mr_cache_report(net, skb, mifi, MRT6MSG_NOCACHE);
+                err = ip6mr_cache_report(mrt, skb, mifi, MRT6MSG_NOCACHE);
                if (err < 0) {
                        /* If the report failed throw the cache entry
                           out - Brad Parker
@@ -922,11 +1206,10 @@ ip6mr_cache_unresolved(struct net *net, mifi_t mifi, struct sk_buff *skb)
                        return err;
                }
-                atomic_inc(&net->ipv6.cache_resolve_queue_len);
+                atomic_inc(&mrt->cache_resolve_queue_len);
-                c->next = mfc_unres_queue;
+                list_add(&c->list, &mrt->mfc6_unres_queue);
-                mfc_unres_queue = c;
-                ipmr_do_expire_process(1);
+                ipmr_do_expire_process(mrt);
        }
        /*
@@ -948,19 +1231,18 @@ ip6mr_cache_unresolved(struct net *net, mifi_t mifi, struct sk_buff *skb)
 *      MFC6 cache manipulation by user space
 */
-static int ip6mr_mfc_delete(struct net *net, struct mf6cctl *mfc)
+static int ip6mr_mfc_delete(struct mr6_table *mrt, struct mf6cctl *mfc)
 {
        int line;
-        struct mfc6_cache *c, **cp;
+        struct mfc6_cache *c, *next;
        line = MFC6_HASH(&mfc->mf6cc_mcastgrp.sin6_addr, &mfc->mf6cc_origin.sin6_addr);
-        for (cp = &net->ipv6.mfc6_cache_array[line];
+        list_for_each_entry_safe(c, next, &mrt->mfc6_cache_array[line], list) {
-             (c = *cp) != NULL; cp = &c->next) {
                if (ipv6_addr_equal(&c->mf6c_origin, &mfc->mf6cc_origin.sin6_addr) &&
                    ipv6_addr_equal(&c->mf6c_mcastgrp, &mfc->mf6cc_mcastgrp.sin6_addr)) {
                        write_lock_bh(&mrt_lock);
-                        *cp = c->next;
+                        list_del(&c->list);
                        write_unlock_bh(&mrt_lock);
                        ip6mr_cache_free(c);
@@ -975,6 +1257,7 @@ static int ip6mr_device_event(struct notifier_block *this,
 {
        struct net_device *dev = ptr;
        struct net *net = dev_net(dev);
+        struct mr6_table *mrt;
        struct mif_device *v;
        int ct;
        LIST_HEAD(list);
@@ -982,10 +1265,12 @@ static int ip6mr_device_event(struct notifier_block *this,
        if (event != NETDEV_UNREGISTER)
                return NOTIFY_DONE;
-        v = &net->ipv6.vif6_table[0];
+        ip6mr_for_each_table(mrt, net) {
-        for (ct = 0; ct < net->ipv6.maxvif; ct++, v++) {
+                v = &mrt->vif6_table[0];
-                if (v->dev == dev)
+                for (ct = 0; ct < mrt->maxvif; ct++, v++) {
-                        mif6_delete(net, ct, &list);
+                        if (v->dev == dev)
+                                mif6_delete(mrt, ct, &list);
+                }
        }
        unregister_netdevice_many(&list);
@@ -1002,26 +1287,11 @@ static struct notifier_block ip6_mr_notifier = {
 static int __net_init ip6mr_net_init(struct net *net)
 {
-        int err = 0;
+        int err;
-        net->ipv6.vif6_table = kcalloc(MAXMIFS, sizeof(struct mif_device),
-                                       GFP_KERNEL);
-        if (!net->ipv6.vif6_table) {
-                err = -ENOMEM;
-                goto fail;
-        }
-        /* Forwarding cache */
-        net->ipv6.mfc6_cache_array = kcalloc(MFC6_LINES,
-                                             sizeof(struct mfc6_cache *),
-                                             GFP_KERNEL);
-        if (!net->ipv6.mfc6_cache_array) {
-                err = -ENOMEM;
-                goto fail_mfc6_cache;
-        }
-#ifdef CONFIG_IPV6_PIMSM_V2
+        err = ip6mr_rules_init(net);
-        net->ipv6.mroute_reg_vif_num = -1;
+        if (err < 0)
-#endif
+                goto fail;
 #ifdef CONFIG_PROC_FS
        err = -ENOMEM;
@@ -1030,16 +1300,15 @@ static int __net_init ip6mr_net_init(struct net *net)
        if (!proc_net_fops_create(net, "ip6_mr_cache", 0, &ip6mr_mfc_fops))
                goto proc_cache_fail;
 #endif
        return 0;
 #ifdef CONFIG_PROC_FS
 proc_cache_fail:
        proc_net_remove(net, "ip6_mr_vif");
 proc_vif_fail:
-        kfree(net->ipv6.mfc6_cache_array);
+        ip6mr_rules_exit(net);
 #endif
-fail_mfc6_cache:
-        kfree(net->ipv6.vif6_table);
 fail:
        return err;
 }
@@ -1050,9 +1319,7 @@ static void __net_exit ip6mr_net_exit(struct net *net)
        proc_net_remove(net, "ip6_mr_cache");
        proc_net_remove(net, "ip6_mr_vif");
 #endif
-        mroute_clean_tables(net);
+        ip6mr_rules_exit(net);
-        kfree(net->ipv6.mfc6_cache_array);
-        kfree(net->ipv6.vif6_table);
 }
 static struct pernet_operations ip6mr_net_ops = {
@@ -1075,7 +1342,6 @@ int __init ip6_mr_init(void)
        if (err)
                goto reg_pernet_fail;
-        setup_timer(&ipmr_expire_timer, ipmr_expire_process, 0);
        err = register_netdevice_notifier(&ip6_mr_notifier);
        if (err)
                goto reg_notif_fail;
@@ -1086,13 +1352,13 @@ int __init ip6_mr_init(void)
                goto add_proto_fail;
        }
 #endif
+        rtnl_register(RTNL_FAMILY_IP6MR, RTM_GETROUTE, NULL, ip6mr_rtm_dumproute);
        return 0;
 #ifdef CONFIG_IPV6_PIMSM_V2
 add_proto_fail:
        unregister_netdevice_notifier(&ip6_mr_notifier);
 #endif
 reg_notif_fail:
-        del_timer(&ipmr_expire_timer);
        unregister_pernet_subsys(&ip6mr_net_ops);
 reg_pernet_fail:
        kmem_cache_destroy(mrt_cachep);
@@ -1102,15 +1368,16 @@ reg_pernet_fail:
 void ip6_mr_cleanup(void)
 {
        unregister_netdevice_notifier(&ip6_mr_notifier);
-        del_timer(&ipmr_expire_timer);
        unregister_pernet_subsys(&ip6mr_net_ops);
        kmem_cache_destroy(mrt_cachep);
 }
-static int ip6mr_mfc_add(struct net *net, struct mf6cctl *mfc, int mrtsock)
+static int ip6mr_mfc_add(struct net *net, struct mr6_table *mrt,
+                         struct mf6cctl *mfc, int mrtsock)
 {
+        bool found = false;
        int line;
-        struct mfc6_cache *uc, *c, **cp;
+        struct mfc6_cache *uc, *c;
        unsigned char ttls[MAXMIFS];
        int i;
@@ -1126,17 +1393,18 @@ static int ip6mr_mfc_add(struct net *net, struct mf6cctl *mfc, int mrtsock)
        line = MFC6_HASH(&mfc->mf6cc_mcastgrp.sin6_addr, &mfc->mf6cc_origin.sin6_addr);
-        for (cp = &net->ipv6.mfc6_cache_array[line];
+        list_for_each_entry(c, &mrt->mfc6_cache_array[line], list) {
-             (c = *cp) != NULL; cp = &c->next) {
                if (ipv6_addr_equal(&c->mf6c_origin, &mfc->mf6cc_origin.sin6_addr) &&
-                    ipv6_addr_equal(&c->mf6c_mcastgrp, &mfc->mf6cc_mcastgrp.sin6_addr))
+                    ipv6_addr_equal(&c->mf6c_mcastgrp, &mfc->mf6cc_mcastgrp.sin6_addr)) {
+                        found = true;
                        break;
+                }
        }
-        if (c != NULL) {
+        if (found) {
                write_lock_bh(&mrt_lock);
                c->mf6c_parent = mfc->mf6cc_parent;
-                ip6mr_update_thresholds(c, ttls);
+                ip6mr_update_thresholds(mrt, c, ttls);
                if (!mrtsock)
                        c->mfc_flags |= MFC_STATIC;
                write_unlock_bh(&mrt_lock);
@@ -1146,43 +1414,42 @@ static int ip6mr_mfc_add(struct net *net, struct mf6cctl *mfc, int mrtsock)
        if (!ipv6_addr_is_multicast(&mfc->mf6cc_mcastgrp.sin6_addr))
                return -EINVAL;
-        c = ip6mr_cache_alloc(net);
+        c = ip6mr_cache_alloc();
        if (c == NULL)
                return -ENOMEM;
        c->mf6c_origin = mfc->mf6cc_origin.sin6_addr;
        c->mf6c_mcastgrp = mfc->mf6cc_mcastgrp.sin6_addr;
        c->mf6c_parent = mfc->mf6cc_parent;
-        ip6mr_update_thresholds(c, ttls);
+        ip6mr_update_thresholds(mrt, c, ttls);
        if (!mrtsock)
                c->mfc_flags |= MFC_STATIC;
        write_lock_bh(&mrt_lock);
-        c->next = net->ipv6.mfc6_cache_array[line];
+        list_add(&c->list, &mrt->mfc6_cache_array[line]);
-        net->ipv6.mfc6_cache_array[line] = c;
        write_unlock_bh(&mrt_lock);
        /*
         *      Check to see if we resolved a queued list. If so we
         *      need to send on the frames and tidy up.
         */
+        found = false;
        spin_lock_bh(&mfc_unres_lock);
-        for (cp = &mfc_unres_queue; (uc = *cp) != NULL;
+        list_for_each_entry(uc, &mrt->mfc6_unres_queue, list) {
-             cp = &uc->next) {
+                if (ipv6_addr_equal(&uc->mf6c_origin, &c->mf6c_origin) &&
-                if (net_eq(mfc6_net(uc), net) &&
-                    ipv6_addr_equal(&uc->mf6c_origin, &c->mf6c_origin) &&
                    ipv6_addr_equal(&uc->mf6c_mcastgrp, &c->mf6c_mcastgrp)) {
-                        *cp = uc->next;
+                        list_del(&uc->list);
-                        atomic_dec(&net->ipv6.cache_resolve_queue_len);
+                        atomic_dec(&mrt->cache_resolve_queue_len);
+                        found = true;
                        break;
                }
        }
-        if (mfc_unres_queue == NULL)
+        if (list_empty(&mrt->mfc6_unres_queue))
-                del_timer(&ipmr_expire_timer);
+                del_timer(&mrt->ipmr_expire_timer);
        spin_unlock_bh(&mfc_unres_lock);
-        if (uc) {
+        if (found) {
-                ip6mr_cache_resolve(uc, c);
+                ip6mr_cache_resolve(net, mrt, uc, c);
                ip6mr_cache_free(uc);
        }
        return 0;
@@ -1192,17 +1459,18 @@ static int ip6mr_mfc_add(struct net *net, struct mf6cctl *mfc, int mrtsock)
 *      Close the multicast socket, and clear the vif tables etc
 */
-static void mroute_clean_tables(struct net *net)
+static void mroute_clean_tables(struct mr6_table *mrt)
 {
        int i;
        LIST_HEAD(list);
+        struct mfc6_cache *c, *next;
        /*
         *      Shut down all active vif entries
         */
-        for (i = 0; i < net->ipv6.maxvif; i++) {
+        for (i = 0; i < mrt->maxvif; i++) {
-                if (!(net->ipv6.vif6_table[i].flags & VIFF_STATIC))
+                if (!(mrt->vif6_table[i].flags & VIFF_STATIC))
-                        mif6_delete(net, i, &list);
+                        mif6_delete(mrt, i, &list);
        }
        unregister_netdevice_many(&list);
@@ -1210,48 +1478,36 @@ static void mroute_clean_tables(struct net *net)
         *      Wipe the cache
         */
        for (i = 0; i < MFC6_LINES; i++) {
-                struct mfc6_cache *c, **cp;
+                list_for_each_entry_safe(c, next, &mrt->mfc6_cache_array[i], list) {
+                        if (c->mfc_flags & MFC_STATIC)
-                cp = &net->ipv6.mfc6_cache_array[i];
-                while ((c = *cp) != NULL) {
-                        if (c->mfc_flags & MFC_STATIC) {
-                                cp = &c->next;
                                continue;
-                        }
                        write_lock_bh(&mrt_lock);
-                        *cp = c->next;
+                        list_del(&c->list);
                        write_unlock_bh(&mrt_lock);
                        ip6mr_cache_free(c);
                }
        }
-        if (atomic_read(&net->ipv6.cache_resolve_queue_len) != 0) {
+        if (atomic_read(&mrt->cache_resolve_queue_len) != 0) {
-                struct mfc6_cache *c, **cp;
                spin_lock_bh(&mfc_unres_lock);
-                cp = &mfc_unres_queue;
+                list_for_each_entry_safe(c, next, &mrt->mfc6_unres_queue, list) {
-                while ((c = *cp) != NULL) {
+                        list_del(&c->list);
-                        if (!net_eq(mfc6_net(c), net)) {
+                        ip6mr_destroy_unres(mrt, c);
-                                cp = &c->next;
-                                continue;
-                        }
-                        *cp = c->next;
-                        ip6mr_destroy_unres(c);
                }
                spin_unlock_bh(&mfc_unres_lock);
        }
 }
-static int ip6mr_sk_init(struct sock *sk)
+static int ip6mr_sk_init(struct mr6_table *mrt, struct sock *sk)
 {
        int err = 0;
        struct net *net = sock_net(sk);
        rtnl_lock();
        write_lock_bh(&mrt_lock);
-        if (likely(net->ipv6.mroute6_sk == NULL)) {
+        if (likely(mrt->mroute6_sk == NULL)) {
-                net->ipv6.mroute6_sk = sk;
+                mrt->mroute6_sk = sk;
                net->ipv6.devconf_all->mc_forwarding++;
        }
        else
@@ -1265,24 +1521,43 @@ static int ip6mr_sk_init(struct sock *sk)
 int ip6mr_sk_done(struct sock *sk)
 {
-        int err = 0;
+        int err = -EACCES;
        struct net *net = sock_net(sk);
+        struct mr6_table *mrt;
        rtnl_lock();
-        if (sk == net->ipv6.mroute6_sk) {
+        ip6mr_for_each_table(mrt, net) {
-                write_lock_bh(&mrt_lock);
+                if (sk == mrt->mroute6_sk) {
-                net->ipv6.mroute6_sk = NULL;
+                        write_lock_bh(&mrt_lock);
-                net->ipv6.devconf_all->mc_forwarding--;
+                        mrt->mroute6_sk = NULL;
-                write_unlock_bh(&mrt_lock);
+                        net->ipv6.devconf_all->mc_forwarding--;
+                        write_unlock_bh(&mrt_lock);
-                mroute_clean_tables(net);
+                        mroute_clean_tables(mrt);
-        } else
+                        err = 0;
-                err = -EACCES;
+                        break;
+                }
+        }
        rtnl_unlock();
        return err;
 }
+struct sock *mroute6_socket(struct net *net, struct sk_buff *skb)
+{
+        struct mr6_table *mrt;
+        struct flowi fl = {
+                .iif    = skb->skb_iif,
+                .oif    = skb->dev->ifindex,
+                .mark   = skb->mark,
+        };
+        if (ip6mr_fib_lookup(net, &fl, &mrt) < 0)
+                return NULL;
+        return mrt->mroute6_sk;
+}
 /*
 *      Socket options and virtual interface manipulation. The whole
 *      virtual interface system is a complete heap, but unfortunately
@@ -1297,9 +1572,14 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
        struct mf6cctl mfc;
        mifi_t mifi;
        struct net *net = sock_net(sk);
+        struct mr6_table *mrt;
+        mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
+        if (mrt == NULL)
+                return -ENOENT;
        if (optname != MRT6_INIT) {
-                if (sk != net->ipv6.mroute6_sk && !capable(CAP_NET_ADMIN))
+                if (sk != mrt->mroute6_sk && !capable(CAP_NET_ADMIN))
                        return -EACCES;
        }
@@ -1311,7 +1591,7 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
                if (optlen < sizeof(int))
                        return -EINVAL;
-                return ip6mr_sk_init(sk);
+                return ip6mr_sk_init(mrt, sk);
        case MRT6_DONE:
                return ip6mr_sk_done(sk);
@@ -1324,7 +1604,7 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
                if (vif.mif6c_mifi >= MAXMIFS)
                        return -ENFILE;
                rtnl_lock();
-                ret = mif6_add(net, &vif, sk == net->ipv6.mroute6_sk);
+                ret = mif6_add(net, mrt, &vif, sk == mrt->mroute6_sk);
                rtnl_unlock();
                return ret;
@@ -1334,7 +1614,7 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
                if (copy_from_user(&mifi, optval, sizeof(mifi_t)))
                        return -EFAULT;
                rtnl_lock();
-                ret = mif6_delete(net, mifi, NULL);
+                ret = mif6_delete(mrt, mifi, NULL);
                rtnl_unlock();
                return ret;
@@ -1350,10 +1630,9 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
                        return -EFAULT;
                rtnl_lock();
                if (optname == MRT6_DEL_MFC)
-                        ret = ip6mr_mfc_delete(net, &mfc);
+                        ret = ip6mr_mfc_delete(mrt, &mfc);
                else
-                        ret = ip6mr_mfc_add(net, &mfc,
+                        ret = ip6mr_mfc_add(net, mrt, &mfc, sk == mrt->mroute6_sk);
-                                            sk == net->ipv6.mroute6_sk);
                rtnl_unlock();
                return ret;
@@ -1365,7 +1644,7 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
                int v;
                if (get_user(v, (int __user *)optval))
                        return -EFAULT;
-                net->ipv6.mroute_do_assert = !!v;
+                mrt->mroute_do_assert = !!v;
                return 0;
        }
@@ -1378,15 +1657,36 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
                v = !!v;
                rtnl_lock();
                ret = 0;
-                if (v != net->ipv6.mroute_do_pim) {
+                if (v != mrt->mroute_do_pim) {
-                        net->ipv6.mroute_do_pim = v;
+                        mrt->mroute_do_pim = v;
-                        net->ipv6.mroute_do_assert = v;
+                        mrt->mroute_do_assert = v;
                }
                rtnl_unlock();
                return ret;
        }
 #endif
+#ifdef CONFIG_IPV6_MROUTE_MULTIPLE_TABLES
+        case MRT6_TABLE:
+        {
+                u32 v;
+                if (optlen != sizeof(u32))
+                        return -EINVAL;
+                if (get_user(v, (u32 __user *)optval))
+                        return -EFAULT;
+                if (sk == mrt->mroute6_sk)
+                        return -EBUSY;
+                rtnl_lock();
+                ret = 0;
+                if (!ip6mr_new_table(net, v))
+                        ret = -ENOMEM;
+                raw6_sk(sk)->ip6mr_table = v;
+                rtnl_unlock();
+                return ret;
+        }
+#endif
        /*
         *      Spurious command, or MRT6_VERSION which you cannot
         *      set.
@@ -1406,6 +1706,11 @@ int ip6_mroute_getsockopt(struct sock *sk, int optname, char __user *optval,
        int olr;
        int val;
        struct net *net = sock_net(sk);
+        struct mr6_table *mrt;
+        mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
+        if (mrt == NULL)
+                return -ENOENT;
        switch (optname) {
        case MRT6_VERSION:
@@ -1413,11 +1718,11 @@ int ip6_mroute_getsockopt(struct sock *sk, int optname, char __user *optval,
                break;
 #ifdef CONFIG_IPV6_PIMSM_V2
        case MRT6_PIM:
-                val = net->ipv6.mroute_do_pim;
+                val = mrt->mroute_do_pim;
                break;
 #endif
        case MRT6_ASSERT:
-                val = net->ipv6.mroute_do_assert;
+                val = mrt->mroute_do_assert;
                break;
        default:
                return -ENOPROTOOPT;
@@ -1448,16 +1753,21 @@ int ip6mr_ioctl(struct sock *sk, int cmd, void __user *arg)
        struct mif_device *vif;
        struct mfc6_cache *c;
        struct net *net = sock_net(sk);
+        struct mr6_table *mrt;
+        mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
+        if (mrt == NULL)
+                return -ENOENT;
        switch (cmd) {
        case SIOCGETMIFCNT_IN6:
                if (copy_from_user(&vr, arg, sizeof(vr)))
                        return -EFAULT;
-                if (vr.mifi >= net->ipv6.maxvif)
+                if (vr.mifi >= mrt->maxvif)
                        return -EINVAL;
                read_lock(&mrt_lock);
-                vif = &net->ipv6.vif6_table[vr.mifi];
+                vif = &mrt->vif6_table[vr.mifi];
-                if (MIF_EXISTS(net, vr.mifi)) {
+                if (MIF_EXISTS(mrt, vr.mifi)) {
                        vr.icount = vif->pkt_in;
                        vr.ocount = vif->pkt_out;
                        vr.ibytes = vif->bytes_in;
@@ -1475,7 +1785,7 @@ int ip6mr_ioctl(struct sock *sk, int cmd, void __user *arg)
                        return -EFAULT;
                read_lock(&mrt_lock);
-                c = ip6mr_cache_find(net, &sr.src.sin6_addr, &sr.grp.sin6_addr);
+                c = ip6mr_cache_find(mrt, &sr.src.sin6_addr, &sr.grp.sin6_addr);
                if (c) {
                        sr.pktcnt = c->mfc_un.res.pkt;
                        sr.bytecnt = c->mfc_un.res.bytes;
@@ -1505,11 +1815,11 @@ static inline int ip6mr_forward2_finish(struct sk_buff *skb)
 *      Processing handlers for ip6mr_forward
 */
-static int ip6mr_forward2(struct sk_buff *skb, struct mfc6_cache *c, int vifi)
+static int ip6mr_forward2(struct net *net, struct mr6_table *mrt,
+                          struct sk_buff *skb, struct mfc6_cache *c, int vifi)
 {
        struct ipv6hdr *ipv6h;
-        struct net *net = mfc6_net(c);
+        struct mif_device *vif = &mrt->vif6_table[vifi];
-        struct mif_device *vif = &net->ipv6.vif6_table[vifi];
        struct net_device *dev;
        struct dst_entry *dst;
        struct flowi fl;
@@ -1523,7 +1833,7 @@ static int ip6mr_forward2(struct sk_buff *skb, struct mfc6_cache *c, int vifi)
                vif->bytes_out += skb->len;
                vif->dev->stats.tx_bytes += skb->len;
                vif->dev->stats.tx_packets++;
-                ip6mr_cache_report(net, skb, vifi, MRT6MSG_WHOLEPKT);
+                ip6mr_cache_report(mrt, skb, vifi, MRT6MSG_WHOLEPKT);
                goto out_free;
        }
 #endif
@@ -1570,7 +1880,7 @@ static int ip6mr_forward2(struct sk_buff *skb, struct mfc6_cache *c, int vifi)
        IP6CB(skb)->flags |= IP6SKB_FORWARDED;
-        return NF_HOOK(PF_INET6, NF_INET_FORWARD, skb, skb->dev, dev,
+        return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD, skb, skb->dev, dev,
                       ip6mr_forward2_finish);
 out_free:
@@ -1578,22 +1888,22 @@ out_free:
        return 0;
 }
-static int ip6mr_find_vif(struct net_device *dev)
+static int ip6mr_find_vif(struct mr6_table *mrt, struct net_device *dev)
 {
-        struct net *net = dev_net(dev);
        int ct;
-        for (ct = net->ipv6.maxvif - 1; ct >= 0; ct--) {
-                if (net->ipv6.vif6_table[ct].dev == dev)
+        for (ct = mrt->maxvif - 1; ct >= 0; ct--) {
+                if (mrt->vif6_table[ct].dev == dev)
                        break;
        }
        return ct;
 }
-static int ip6_mr_forward(struct sk_buff *skb, struct mfc6_cache *cache)
+static int ip6_mr_forward(struct net *net, struct mr6_table *mrt,
+                          struct sk_buff *skb, struct mfc6_cache *cache)
 {
        int psend = -1;
        int vif, ct;
-        struct net *net = mfc6_net(cache);
        vif = cache->mf6c_parent;
        cache->mfc_un.res.pkt++;
@@ -1602,30 +1912,30 @@ static int ip6_mr_forward(struct sk_buff *skb, struct mfc6_cache *cache)
        /*
         * Wrong interface: drop packet and (maybe) send PIM assert.
         */
-        if (net->ipv6.vif6_table[vif].dev != skb->dev) {
+        if (mrt->vif6_table[vif].dev != skb->dev) {
                int true_vifi;
                cache->mfc_un.res.wrong_if++;
-                true_vifi = ip6mr_find_vif(skb->dev);
+                true_vifi = ip6mr_find_vif(mrt, skb->dev);
-                if (true_vifi >= 0 && net->ipv6.mroute_do_assert &&
+                if (true_vifi >= 0 && mrt->mroute_do_assert &&
                    /* pimsm uses asserts, when switching from RPT to SPT,
                       so that we cannot check that packet arrived on an oif.
                       It is bad, but otherwise we would need to move pretty
                       large chunk of pimd to kernel. Ough... --ANK
                     */
-                    (net->ipv6.mroute_do_pim ||
+                    (mrt->mroute_do_pim ||
                     cache->mfc_un.res.ttls[true_vifi] < 255) &&
                    time_after(jiffies,
                               cache->mfc_un.res.last_assert + MFC_ASSERT_THRESH)) {
                        cache->mfc_un.res.last_assert = jiffies;
-                        ip6mr_cache_report(net, skb, true_vifi, MRT6MSG_WRONGMIF);
+                        ip6mr_cache_report(mrt, skb, true_vifi, MRT6MSG_WRONGMIF);
                }
                goto dont_forward;
        }
-        net->ipv6.vif6_table[vif].pkt_in++;
+        mrt->vif6_table[vif].pkt_in++;
-        net->ipv6.vif6_table[vif].bytes_in += skb->len;
+        mrt->vif6_table[vif].bytes_in += skb->len;
        /*
         *      Forward the frame
@@ -1635,13 +1945,13 @@ static int ip6_mr_forward(struct sk_buff *skb, struct mfc6_cache *cache)
                        if (psend != -1) {
                                struct sk_buff *skb2 = skb_clone(skb, GFP_ATOMIC);
                                if (skb2)
-                                        ip6mr_forward2(skb2, cache, psend);
+                                        ip6mr_forward2(net, mrt, skb2, cache, psend);
                        }
                        psend = ct;
                }
        }
        if (psend != -1) {
-                ip6mr_forward2(skb, cache, psend);
+                ip6mr_forward2(net, mrt, skb, cache, psend);
                return 0;
        }
@@ -1659,9 +1969,19 @@ int ip6_mr_input(struct sk_buff *skb)
 {
        struct mfc6_cache *cache;
        struct net *net = dev_net(skb->dev);
+        struct mr6_table *mrt;
+        struct flowi fl = {
+                .iif    = skb->dev->ifindex,
+                .mark   = skb->mark,
+        };
+        int err;
+        err = ip6mr_fib_lookup(net, &fl, &mrt);
+        if (err < 0)
+                return err;
        read_lock(&mrt_lock);
-        cache = ip6mr_cache_find(net,
+        cache = ip6mr_cache_find(mrt,
                                 &ipv6_hdr(skb)->saddr, &ipv6_hdr(skb)->daddr);
        /*
@@ -1670,9 +1990,9 @@ int ip6_mr_input(struct sk_buff *skb)
        if (cache == NULL) {
                int vif;
-                vif = ip6mr_find_vif(skb->dev);
+                vif = ip6mr_find_vif(mrt, skb->dev);
                if (vif >= 0) {
-                        int err = ip6mr_cache_unresolved(net, vif, skb);
+                        int err = ip6mr_cache_unresolved(mrt, vif, skb);
                        read_unlock(&mrt_lock);
                        return err;
@@ -1682,7 +2002,7 @@ int ip6_mr_input(struct sk_buff *skb)
                return -ENODEV;
        }
-        ip6_mr_forward(skb, cache);
+        ip6_mr_forward(net, mrt, skb, cache);
        read_unlock(&mrt_lock);
@@ -1690,32 +2010,31 @@ int ip6_mr_input(struct sk_buff *skb)
 }
-static int
+static int __ip6mr_fill_mroute(struct mr6_table *mrt, struct sk_buff *skb,
-ip6mr_fill_mroute(struct sk_buff *skb, struct mfc6_cache *c, struct rtmsg *rtm)
+                               struct mfc6_cache *c, struct rtmsg *rtm)
 {
        int ct;
        struct rtnexthop *nhp;
-        struct net *net = mfc6_net(c);
        u8 *b = skb_tail_pointer(skb);
        struct rtattr *mp_head;
        /* If cache is unresolved, don't try to parse IIF and OIF */
-        if (c->mf6c_parent > MAXMIFS)
+        if (c->mf6c_parent >= MAXMIFS)
                return -ENOENT;
-        if (MIF_EXISTS(net, c->mf6c_parent))
+        if (MIF_EXISTS(mrt, c->mf6c_parent))
-                RTA_PUT(skb, RTA_IIF, 4, &net->ipv6.vif6_table[c->mf6c_parent].dev->ifindex);
+                RTA_PUT(skb, RTA_IIF, 4, &mrt->vif6_table[c->mf6c_parent].dev->ifindex);
        mp_head = (struct rtattr *)skb_put(skb, RTA_LENGTH(0));
        for (ct = c->mfc_un.res.minvif; ct < c->mfc_un.res.maxvif; ct++) {
-                if (MIF_EXISTS(net, ct) && c->mfc_un.res.ttls[ct] < 255) {
+                if (MIF_EXISTS(mrt, ct) && c->mfc_un.res.ttls[ct] < 255) {
                        if (skb_tailroom(skb) < RTA_ALIGN(RTA_ALIGN(sizeof(*nhp)) + 4))
                                goto rtattr_failure;
                        nhp = (struct rtnexthop *)skb_put(skb, RTA_ALIGN(sizeof(*nhp)));
                        nhp->rtnh_flags = 0;
                        nhp->rtnh_hops = c->mfc_un.res.ttls[ct];
-                        nhp->rtnh_ifindex = net->ipv6.vif6_table[ct].dev->ifindex;
+                        nhp->rtnh_ifindex = mrt->vif6_table[ct].dev->ifindex;
                        nhp->rtnh_len = sizeof(*nhp);
                }
        }
@@ -1733,11 +2052,16 @@ int ip6mr_get_route(struct net *net,
                    struct sk_buff *skb, struct rtmsg *rtm, int nowait)
 {
        int err;
+        struct mr6_table *mrt;
        struct mfc6_cache *cache;
        struct rt6_info *rt = (struct rt6_info *)skb_dst(skb);
+        mrt = ip6mr_get_table(net, RT6_TABLE_DFLT);
+        if (mrt == NULL)
+                return -ENOENT;
        read_lock(&mrt_lock);
-        cache = ip6mr_cache_find(net, &rt->rt6i_src.addr, &rt->rt6i_dst.addr);
+        cache = ip6mr_cache_find(mrt, &rt->rt6i_src.addr, &rt->rt6i_dst.addr);
        if (!cache) {
                struct sk_buff *skb2;
@@ -1751,7 +2075,7 @@ int ip6mr_get_route(struct net *net,
                }
                dev = skb->dev;
-                if (dev == NULL || (vif = ip6mr_find_vif(dev)) < 0) {
+                if (dev == NULL || (vif = ip6mr_find_vif(mrt, dev)) < 0) {
                        read_unlock(&mrt_lock);
                        return -ENODEV;
                }
@@ -1780,7 +2104,7 @@ int ip6mr_get_route(struct net *net,
                ipv6_addr_copy(&iph->saddr, &rt->rt6i_src.addr);
                ipv6_addr_copy(&iph->daddr, &rt->rt6i_dst.addr);
-                err = ip6mr_cache_unresolved(net, vif, skb2);
+                err = ip6mr_cache_unresolved(mrt, vif, skb2);
                read_unlock(&mrt_lock);
                return err;
@@ -1789,8 +2113,88 @@ int ip6mr_get_route(struct net *net,
        if (!nowait && (rtm->rtm_flags&RTM_F_NOTIFY))
                cache->mfc_flags |= MFC_NOTIFY;
-        err = ip6mr_fill_mroute(skb, cache, rtm);
+        err = __ip6mr_fill_mroute(mrt, skb, cache, rtm);
        read_unlock(&mrt_lock);
        return err;
 }
+static int ip6mr_fill_mroute(struct mr6_table *mrt, struct sk_buff *skb,
+                             u32 pid, u32 seq, struct mfc6_cache *c)
+{
+        struct nlmsghdr *nlh;
+        struct rtmsg *rtm;
+        nlh = nlmsg_put(skb, pid, seq, RTM_NEWROUTE, sizeof(*rtm), NLM_F_MULTI);
+        if (nlh == NULL)
+                return -EMSGSIZE;
+        rtm = nlmsg_data(nlh);
+        rtm->rtm_family   = RTNL_FAMILY_IPMR;
+        rtm->rtm_dst_len  = 128;
+        rtm->rtm_src_len  = 128;
+        rtm->rtm_tos      = 0;
+        rtm->rtm_table    = mrt->id;
+        NLA_PUT_U32(skb, RTA_TABLE, mrt->id);
+        rtm->rtm_scope    = RT_SCOPE_UNIVERSE;
+        rtm->rtm_protocol = RTPROT_UNSPEC;
+        rtm->rtm_flags    = 0;
+        NLA_PUT(skb, RTA_SRC, 16, &c->mf6c_origin);
+        NLA_PUT(skb, RTA_DST, 16, &c->mf6c_mcastgrp);
+        if (__ip6mr_fill_mroute(mrt, skb, c, rtm) < 0)
+                goto nla_put_failure;
+        return nlmsg_end(skb, nlh);
+nla_put_failure:
+        nlmsg_cancel(skb, nlh);
+        return -EMSGSIZE;
+}
+static int ip6mr_rtm_dumproute(struct sk_buff *skb, struct netlink_callback *cb)
+{
+        struct net *net = sock_net(skb->sk);
+        struct mr6_table *mrt;
+        struct mfc6_cache *mfc;
+        unsigned int t = 0, s_t;
+        unsigned int h = 0, s_h;
+        unsigned int e = 0, s_e;
+        s_t = cb->args[0];
+        s_h = cb->args[1];
+        s_e = cb->args[2];
+        read_lock(&mrt_lock);
+        ip6mr_for_each_table(mrt, net) {
+                if (t < s_t)
+                        goto next_table;
+                if (t > s_t)
+                        s_h = 0;
+                for (h = s_h; h < MFC6_LINES; h++) {
+                        list_for_each_entry(mfc, &mrt->mfc6_cache_array[h], list) {
+                                if (e < s_e)
+                                        goto next_entry;
+                                if (ip6mr_fill_mroute(mrt, skb,
+                                                      NETLINK_CB(cb->skb).pid,
+                                                      cb->nlh->nlmsg_seq,
+                                                      mfc) < 0)
+                                        goto done;
+next_entry:
+                                e++;
+                        }
+                        e = s_e = 0;
+                }
+                s_h = 0;
+next_table:
+                t++;
+        }
+done:
+        read_unlock(&mrt_lock);
+        cb->args[2] = e;
+        cb->args[1] = h;
+        cb->args[0] = t;
+        return skb->len;
+}
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 006aee683a0f..ab1622d7d409 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1356,7 +1356,10 @@ static struct sk_buff *mld_newpack(struct net_device *dev, int size)
                     IPV6_TLV_PADN, 0 };
        /* we assume size > sizeof(ra) here */
-        skb = sock_alloc_send_skb(sk, size + LL_ALLOCATED_SPACE(dev), 1, &err);
+        size += LL_ALLOCATED_SPACE(dev);
+        /* limit our allocations to order-0 page */
+        size = min_t(int, size, SKB_MAX_ORDER(0, 0));
+        skb = sock_alloc_send_skb(sk, size, 1, &err);
        if (!skb)
                return NULL;
@@ -1428,7 +1431,7 @@ static void mld_sendpack(struct sk_buff *skb)
        payload_len = skb->len;
-        err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev,
+        err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev,
                      dst_output);
 out:
        if (!err) {
@@ -1793,7 +1796,7 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type)
                goto err_out;
        skb_dst_set(skb, dst);
-        err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev,
+        err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev,
                      dst_output);
 out:
        if (!err) {
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index da0a4d2adc69..0abdc242ddb7 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -536,7 +536,7 @@ void ndisc_send_skb(struct sk_buff *skb,
        idev = in6_dev_get(dst->dev);
        IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
-        err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev,
+        err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev,
                      dst_output);
        if (!err) {
                ICMP6MSGOUT_INC_STATS(net, idev, type);
@@ -890,8 +890,6 @@ out:
                in6_ifa_put(ifp);
        else
                in6_dev_put(idev);
-        return;
 }
 static void ndisc_recv_na(struct sk_buff *skb)
@@ -1618,7 +1616,7 @@ void ndisc_send_redirect(struct sk_buff *skb, struct neighbour *neigh,
        skb_dst_set(buff, dst);
        idev = in6_dev_get(dst->dev);
        IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
-        err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, buff, NULL, dst->dev,
+        err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, buff, NULL, dst->dev,
                      dst_output);
        if (!err) {
                ICMP6MSGOUT_INC_STATS(net, idev, NDISC_REDIRECT);
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index d5ed92b14346..a74951c039b6 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -25,20 +25,6 @@ int ip6_route_me_harder(struct sk_buff *skb)
        };
        dst = ip6_route_output(net, skb->sk, &fl);
-#ifdef CONFIG_XFRM
-        if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
-            xfrm_decode_session(skb, &fl, AF_INET6) == 0) {
-                struct dst_entry *dst2 = skb_dst(skb);
-                if (xfrm_lookup(net, &dst2, &fl, skb->sk, 0)) {
-                        skb_dst_set(skb, NULL);
-                        return -1;
-                }
-                skb_dst_set(skb, dst2);
-        }
-#endif
        if (dst->error) {
                IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
                LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
@@ -50,6 +36,17 @@ int ip6_route_me_harder(struct sk_buff *skb)
        skb_dst_drop(skb);
        skb_dst_set(skb, dst);
+#ifdef CONFIG_XFRM
+        if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
+            xfrm_decode_session(skb, &fl, AF_INET6) == 0) {
+                skb_dst_set(skb, NULL);
+                if (xfrm_lookup(net, &dst, &fl, skb->sk, 0))
+                        return -1;
+                skb_dst_set(skb, dst);
+        }
+#endif
        return 0;
 }
 EXPORT_SYMBOL(ip6_route_me_harder);
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index 6a68a74d14a3..8c201743d96d 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -162,8 +162,7 @@ ipq_build_packet_message(struct nf_queue_entry *entry, int *errp)
                break;
        case IPQ_COPY_PACKET:
-                if ((entry->skb->ip_summed == CHECKSUM_PARTIAL ||
+                if (entry->skb->ip_summed == CHECKSUM_PARTIAL &&
-                     entry->skb->ip_summed == CHECKSUM_COMPLETE) &&
                    (*errp = skb_checksum_help(entry->skb))) {
                        read_unlock_bh(&queue_lock);
                        return NULL;
@@ -463,7 +462,6 @@ __ipq_rcv_skb(struct sk_buff *skb)
        if (flags & NLM_F_ACK)
                netlink_ack(skb, nlh, 0);
-        return;
 }
 static void
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 9210e312edf1..9d2d68f0e605 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -40,24 +40,19 @@ MODULE_DESCRIPTION("IPv6 packet filter");
 /*#define DEBUG_IP_FIREWALL_USER*/
 #ifdef DEBUG_IP_FIREWALL
-#define dprintf(format, args...)  printk(format , ## args)
+#define dprintf(format, args...) pr_info(format , ## args)
 #else
 #define dprintf(format, args...)
 #endif
 #ifdef DEBUG_IP_FIREWALL_USER
-#define duprintf(format, args...) printk(format , ## args)
+#define duprintf(format, args...) pr_info(format , ## args)
 #else
 #define duprintf(format, args...)
 #endif
 #ifdef CONFIG_NETFILTER_DEBUG
-#define IP_NF_ASSERT(x)                                         \
+#define IP_NF_ASSERT(x) WARN_ON(!(x))
-do {                                                            \
-        if (!(x))                                               \
-                printk("IP_NF_ASSERT: %s:%s:%u\n",              \
-                       __func__, __FILE__, __LINE__);   \
-} while(0)
 #else
 #define IP_NF_ASSERT(x)
 #endif
@@ -197,30 +192,14 @@ ip6_checkentry(const struct ip6t_ip6 *ipv6)
 }
 static unsigned int
-ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
+ip6t_error(struct sk_buff *skb, const struct xt_action_param *par)
 {
        if (net_ratelimit())
-                printk("ip6_tables: error: `%s'\n",
+                pr_info("error: `%s'\n", (const char *)par->targinfo);
-                       (const char *)par->targinfo);
        return NF_DROP;
 }
-/* Performance critical - called for every packet */
-static inline bool
-do_match(const struct ip6t_entry_match *m, const struct sk_buff *skb,
-         struct xt_match_param *par)
-{
-        par->match     = m->u.kernel.match;
-        par->matchinfo = m->data;
-        /* Stop iteration if it doesn't match */
-        if (!m->u.kernel.match->match(skb, par))
-                return true;
-        else
-                return false;
-}
 static inline struct ip6t_entry *
 get_entry(const void *base, unsigned int offset)
 {
@@ -352,18 +331,15 @@ ip6t_do_table(struct sk_buff *skb,
              const struct net_device *out,
              struct xt_table *table)
 {
-#define tb_comefrom ((struct ip6t_entry *)table_base)->comefrom
        static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
-        bool hotdrop = false;
        /* Initializing verdict to NF_DROP keeps gcc happy. */
        unsigned int verdict = NF_DROP;
        const char *indev, *outdev;
        const void *table_base;
-        struct ip6t_entry *e, *back;
+        struct ip6t_entry *e, **jumpstack;
+        unsigned int *stackptr, origptr, cpu;
        const struct xt_table_info *private;
-        struct xt_match_param mtpar;
+        struct xt_action_param acpar;
-        struct xt_target_param tgpar;
        /* Initialization */
        indev = in ? in->name : nulldevname;
@@ -374,39 +350,42 @@ ip6t_do_table(struct sk_buff *skb,
         * things we don't know, ie. tcp syn flag or ports).  If the
         * rule is also a fragment-specific rule, non-fragments won't
         * match it. */
-        mtpar.hotdrop = &hotdrop;
+        acpar.hotdrop = false;
-        mtpar.in      = tgpar.in  = in;
+        acpar.in      = in;
-        mtpar.out     = tgpar.out = out;
+        acpar.out     = out;
-        mtpar.family  = tgpar.family = NFPROTO_IPV6;
+        acpar.family  = NFPROTO_IPV6;
-        mtpar.hooknum = tgpar.hooknum = hook;
+        acpar.hooknum = hook;
        IP_NF_ASSERT(table->valid_hooks & (1 << hook));
        xt_info_rdlock_bh();
        private = table->private;
-        table_base = private->entries[smp_processor_id()];
+        cpu        = smp_processor_id();
+        table_base = private->entries[cpu];
+        jumpstack  = (struct ip6t_entry **)private->jumpstack[cpu];
+        stackptr   = per_cpu_ptr(private->stackptr, cpu);
+        origptr    = *stackptr;
        e = get_entry(table_base, private->hook_entry[hook]);
-        /* For return from builtin chain */
-        back = get_entry(table_base, private->underflow[hook]);
        do {
                const struct ip6t_entry_target *t;
                const struct xt_entry_match *ematch;
                IP_NF_ASSERT(e);
-                IP_NF_ASSERT(back);
                if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
-                    &mtpar.thoff, &mtpar.fragoff, &hotdrop)) {
+                    &acpar.thoff, &acpar.fragoff, &acpar.hotdrop)) {
 no_match:
                        e = ip6t_next_entry(e);
                        continue;
                }
-                xt_ematch_foreach(ematch, e)
+                xt_ematch_foreach(ematch, e) {
-                        if (do_match(ematch, skb, &mtpar) != 0)
+                        acpar.match     = ematch->u.kernel.match;
+                        acpar.matchinfo = ematch->data;
+                        if (!acpar.match->match(skb, &acpar))
                                goto no_match;
+                }
                ADD_COUNTER(e->counters,
                            ntohs(ipv6_hdr(skb)->payload_len) +
@@ -433,62 +412,47 @@ ip6t_do_table(struct sk_buff *skb,
                                        verdict = (unsigned)(-v) - 1;
                                        break;
                                }
-                                e = back;
+                                if (*stackptr == 0)
-                                back = get_entry(table_base, back->comefrom);
+                                        e = get_entry(table_base,
+                                            private->underflow[hook]);
+                                else
+                                        e = ip6t_next_entry(jumpstack[--*stackptr]);
                                continue;
                        }
                        if (table_base + v != ip6t_next_entry(e) &&
                            !(e->ipv6.flags & IP6T_F_GOTO)) {
-                                /* Save old back ptr in next entry */
+                                if (*stackptr >= private->stacksize) {
-                                struct ip6t_entry *next = ip6t_next_entry(e);
+                                        verdict = NF_DROP;
-                                next->comefrom = (void *)back - table_base;
+                                        break;
-                                /* set back pointer to next entry */
+                                }
-                                back = next;
+                                jumpstack[(*stackptr)++] = e;
                        }
                        e = get_entry(table_base, v);
                        continue;
                }
-                /* Targets which reenter must return
+                acpar.target   = t->u.kernel.target;
-                   abs. verdicts */
+                acpar.targinfo = t->data;
-                tgpar.target   = t->u.kernel.target;
-                tgpar.targinfo = t->data;
-#ifdef CONFIG_NETFILTER_DEBUG
-                tb_comefrom = 0xeeeeeeec;
-#endif
-                verdict = t->u.kernel.target->target(skb, &tgpar);
-#ifdef CONFIG_NETFILTER_DEBUG
+                verdict = t->u.kernel.target->target(skb, &acpar);
-                if (tb_comefrom != 0xeeeeeeec && verdict == IP6T_CONTINUE) {
-                        printk("Target %s reentered!\n",
-                               t->u.kernel.target->name);
-                        verdict = NF_DROP;
-                }
-                tb_comefrom = 0x57acc001;
-#endif
                if (verdict == IP6T_CONTINUE)
                        e = ip6t_next_entry(e);
                else
                        /* Verdict */
                        break;
-        } while (!hotdrop);
+        } while (!acpar.hotdrop);
-#ifdef CONFIG_NETFILTER_DEBUG
-        tb_comefrom = NETFILTER_LINK_POISON;
-#endif
        xt_info_rdunlock_bh();
+        *stackptr = origptr;
 #ifdef DEBUG_ALLOW_ALL
        return NF_ACCEPT;
 #else
-        if (hotdrop)
+        if (acpar.hotdrop)
                return NF_DROP;
        else return verdict;
 #endif
-#undef tb_comefrom
 }
 /* Figures out from what hook each rule can be called: returns 0 if
@@ -517,7 +481,7 @@ mark_source_chains(const struct xt_table_info *newinfo,
                        int visited = e->comefrom & (1 << hook);
                        if (e->comefrom & (1 << NF_INET_NUMHOOKS)) {
-                                printk("iptables: loop hook %u pos %u %08X.\n",
+                                pr_err("iptables: loop hook %u pos %u %08X.\n",
                                       hook, pos, e->comefrom);
                                return 0;
                        }
@@ -661,12 +625,11 @@ find_check_match(struct ip6t_entry_match *m, struct xt_mtchk_param *par)
        struct xt_match *match;
        int ret;
-        match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
+        match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
-                                                      m->u.user.revision),
+                                      m->u.user.revision);
-                                        "ip6t_%s", m->u.user.name);
+        if (IS_ERR(match)) {
-        if (IS_ERR(match) || !match) {
                duprintf("find_check_match: `%s' not found\n", m->u.user.name);
-                return match ? PTR_ERR(match) : -ENOENT;
+                return PTR_ERR(match);
        }
        m->u.kernel.match = match;
@@ -734,13 +697,11 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
        }
        t = ip6t_get_target(e);
-        target = try_then_request_module(xt_find_target(AF_INET6,
+        target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
-                                                        t->u.user.name,
+                                        t->u.user.revision);
-                                                        t->u.user.revision),
+        if (IS_ERR(target)) {
-                                         "ip6t_%s", t->u.user.name);
-        if (IS_ERR(target) || !target) {
                duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
-                ret = target ? PTR_ERR(target) : -ENOENT;
+                ret = PTR_ERR(target);
                goto cleanup_matches;
        }
        t->u.kernel.target = target;
@@ -873,6 +834,9 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
                if (ret != 0)
                        return ret;
                ++i;
+                if (strcmp(ip6t_get_target(iter)->u.user.name,
+                    XT_ERROR_TARGET) == 0)
+                        ++newinfo->stacksize;
        }
        if (i != repl->num_entries) {
@@ -1509,13 +1473,12 @@ compat_find_calc_match(struct ip6t_entry_match *m,
 {
        struct xt_match *match;
-        match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
+        match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
-                                                      m->u.user.revision),
+                                      m->u.user.revision);
-                                        "ip6t_%s", m->u.user.name);
+        if (IS_ERR(match)) {
-        if (IS_ERR(match) || !match) {
                duprintf("compat_check_calc_match: `%s' not found\n",
                         m->u.user.name);
-                return match ? PTR_ERR(match) : -ENOENT;
+                return PTR_ERR(match);
        }
        m->u.kernel.match = match;
        *size += xt_compat_match_offset(match);
@@ -1582,14 +1545,12 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
        }
        t = compat_ip6t_get_target(e);
-        target = try_then_request_module(xt_find_target(AF_INET6,
+        target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
-                                                        t->u.user.name,
+                                        t->u.user.revision);
-                                                        t->u.user.revision),
+        if (IS_ERR(target)) {
-                                         "ip6t_%s", t->u.user.name);
-        if (IS_ERR(target) || !target) {
                duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
                         t->u.user.name);
-                ret = target ? PTR_ERR(target) : -ENOENT;
+                ret = PTR_ERR(target);
                goto release_matches;
        }
        t->u.kernel.target = target;
@@ -2127,8 +2088,7 @@ struct xt_table *ip6t_register_table(struct net *net,
 {
        int ret;
        struct xt_table_info *newinfo;
-        struct xt_table_info bootstrap
+        struct xt_table_info bootstrap = {0};
-                = { 0, 0, 0, { 0 }, { 0 }, { } };
        void *loc_cpu_entry;
        struct xt_table *new_table;
@@ -2188,7 +2148,7 @@ icmp6_type_code_match(u_int8_t test_type, u_int8_t min_code, u_int8_t max_code,
 }
 static bool
-icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
+icmp6_match(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct icmp6hdr *ic;
        struct icmp6hdr _icmph;
@@ -2204,7 +2164,7 @@ icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
                 * can't.  Hence, no choice but to drop.
                 */
                duprintf("Dropping evil ICMP tinygram.\n");
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
@@ -2216,31 +2176,32 @@ icmp6_match(const struct sk_buff *skb, const struct xt_match_param *par)
 }
 /* Called when user tries to insert an entry of this type. */
-static bool icmp6_checkentry(const struct xt_mtchk_param *par)
+static int icmp6_checkentry(const struct xt_mtchk_param *par)
 {
        const struct ip6t_icmp *icmpinfo = par->matchinfo;
        /* Must specify no unknown invflags */
-        return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
+        return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
 }
 /* The built-in targets: standard (NULL) and error. */
-static struct xt_target ip6t_standard_target __read_mostly = {
+static struct xt_target ip6t_builtin_tg[] __read_mostly = {
-        .name           = IP6T_STANDARD_TARGET,
+        {
-        .targetsize     = sizeof(int),
+                .name             = IP6T_STANDARD_TARGET,
-        .family         = NFPROTO_IPV6,
+                .targetsize       = sizeof(int),
+                .family           = NFPROTO_IPV6,
 #ifdef CONFIG_COMPAT
-        .compatsize     = sizeof(compat_int_t),
+                .compatsize       = sizeof(compat_int_t),
-        .compat_from_user = compat_standard_from_user,
+                .compat_from_user = compat_standard_from_user,
-        .compat_to_user = compat_standard_to_user,
+                .compat_to_user   = compat_standard_to_user,
 #endif
-};
+        },
+        {
-static struct xt_target ip6t_error_target __read_mostly = {
+                .name             = IP6T_ERROR_TARGET,
-        .name           = IP6T_ERROR_TARGET,
+                .target           = ip6t_error,
-        .target         = ip6t_error,
+                .targetsize       = IP6T_FUNCTION_MAXNAMELEN,
-        .targetsize     = IP6T_FUNCTION_MAXNAMELEN,
+                .family           = NFPROTO_IPV6,
-        .family         = NFPROTO_IPV6,
+        },
 };
 static struct nf_sockopt_ops ip6t_sockopts = {
@@ -2260,13 +2221,15 @@ static struct nf_sockopt_ops ip6t_sockopts = {
        .owner          = THIS_MODULE,
 };
-static struct xt_match icmp6_matchstruct __read_mostly = {
+static struct xt_match ip6t_builtin_mt[] __read_mostly = {
-        .name           = "icmp6",
+        {
-        .match          = icmp6_match,
+                .name       = "icmp6",
-        .matchsize      = sizeof(struct ip6t_icmp),
+                .match      = icmp6_match,
-        .checkentry     = icmp6_checkentry,
+                .matchsize  = sizeof(struct ip6t_icmp),
-        .proto          = IPPROTO_ICMPV6,
+                .checkentry = icmp6_checkentry,
-        .family         = NFPROTO_IPV6,
+                .proto      = IPPROTO_ICMPV6,
+                .family     = NFPROTO_IPV6,
+        },
 };
 static int __net_init ip6_tables_net_init(struct net *net)
@@ -2293,13 +2256,10 @@ static int __init ip6_tables_init(void)
                goto err1;
        /* Noone else will be downing sem now, so we won't sleep */
-        ret = xt_register_target(&ip6t_standard_target);
+        ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
        if (ret < 0)
                goto err2;
-        ret = xt_register_target(&ip6t_error_target);
+        ret = xt_register_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
-        if (ret < 0)
-                goto err3;
-        ret = xt_register_match(&icmp6_matchstruct);
        if (ret < 0)
                goto err4;
@@ -2308,15 +2268,13 @@ static int __init ip6_tables_init(void)
        if (ret < 0)
                goto err5;
-        printk(KERN_INFO "ip6_tables: (C) 2000-2006 Netfilter Core Team\n");
+        pr_info("(C) 2000-2006 Netfilter Core Team\n");
        return 0;
 err5:
-        xt_unregister_match(&icmp6_matchstruct);
+        xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
 err4:
-        xt_unregister_target(&ip6t_error_target);
+        xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
-err3:
-        xt_unregister_target(&ip6t_standard_target);
 err2:
        unregister_pernet_subsys(&ip6_tables_net_ops);
 err1:
@@ -2327,10 +2285,8 @@ static void __exit ip6_tables_fini(void)
 {
        nf_unregister_sockopt(&ip6t_sockopts);
-        xt_unregister_match(&icmp6_matchstruct);
+        xt_unregister_matches(ip6t_builtin_mt, ARRAY_SIZE(ip6t_builtin_mt));
-        xt_unregister_target(&ip6t_error_target);
+        xt_unregister_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
-        xt_unregister_target(&ip6t_standard_target);
        unregister_pernet_subsys(&ip6_tables_net_ops);
 }
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index b285fdf19050..af4ee11f2066 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -9,9 +9,8 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
-#include <linux/moduleparam.h>
 #include <linux/skbuff.h>
 #include <linux/if_arp.h>
 #include <linux/ip.h>
@@ -378,7 +377,7 @@ static struct nf_loginfo default_loginfo = {
        .type   = NF_LOG_TYPE_LOG,
        .u = {
                .log = {
-                        .level    = 0,
+                        .level    = 5,
                        .logflags = NF_LOG_MASK,
                },
        },
@@ -437,7 +436,7 @@ ip6t_log_packet(u_int8_t pf,
 }
 static unsigned int
-log_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+log_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct ip6t_log_info *loginfo = par->targinfo;
        struct nf_loginfo li;
@@ -452,20 +451,19 @@ log_tg6(struct sk_buff *skb, const struct xt_target_param *par)
 }
-static bool log_tg6_check(const struct xt_tgchk_param *par)
+static int log_tg6_check(const struct xt_tgchk_param *par)
 {
        const struct ip6t_log_info *loginfo = par->targinfo;
        if (loginfo->level >= 8) {
-                pr_debug("LOG: level %u >= 8\n", loginfo->level);
+                pr_debug("level %u >= 8\n", loginfo->level);
-                return false;
+                return -EINVAL;
        }
        if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
-                pr_debug("LOG: prefix term %i\n",
+                pr_debug("prefix not null-terminated\n");
-                         loginfo->prefix[sizeof(loginfo->prefix)-1]);
+                return -EINVAL;
-                return false;
        }
-        return true;
+        return 0;
 }
 static struct xt_target log_tg6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 39b50c3768e8..47d227713758 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -14,6 +14,7 @@
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/gfp.h>
 #include <linux/module.h>
@@ -50,7 +51,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
        if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
            (!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) {
-                pr_debug("ip6t_REJECT: addr is not unicast.\n");
+                pr_debug("addr is not unicast.\n");
                return;
        }
@@ -58,7 +59,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
        tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data), &proto);
        if ((tcphoff < 0) || (tcphoff > oldskb->len)) {
-                pr_debug("ip6t_REJECT: Can't get TCP header.\n");
+                pr_debug("Cannot get TCP header.\n");
                return;
        }
@@ -66,7 +67,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
        /* IP header checks: fragment, too short. */
        if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) {
-                pr_debug("ip6t_REJECT: proto(%d) != IPPROTO_TCP, "
+                pr_debug("proto(%d) != IPPROTO_TCP, "
                         "or too short. otcplen = %d\n",
                         proto, otcplen);
                return;
@@ -77,14 +78,14 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
        /* No RST for RST. */
        if (otcph.rst) {
-                pr_debug("ip6t_REJECT: RST is set\n");
+                pr_debug("RST is set\n");
                return;
        }
        /* Check checksum. */
        if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
                            skb_checksum(oldskb, tcphoff, otcplen, 0))) {
-                pr_debug("ip6t_REJECT: TCP checksum is invalid\n");
+                pr_debug("TCP checksum is invalid\n");
                return;
        }
@@ -108,7 +109,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
        if (!nskb) {
                if (net_ratelimit())
-                        printk("ip6t_REJECT: Can't alloc skb\n");
+                        pr_debug("cannot alloc skb\n");
                dst_release(dst);
                return;
        }
@@ -174,15 +175,12 @@ send_unreach(struct net *net, struct sk_buff *skb_in, unsigned char code,
 }
 static unsigned int
-reject_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+reject_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct ip6t_reject_info *reject = par->targinfo;
        struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
        pr_debug("%s: medium point\n", __func__);
-        /* WARNING: This code causes reentry within ip6tables.
-           This means that the ip6tables jump stack is now crap.  We
-           must return an absolute verdict. --RR */
        switch (reject->with) {
        case IP6T_ICMP6_NO_ROUTE:
                send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum);
@@ -207,30 +205,30 @@ reject_tg6(struct sk_buff *skb, const struct xt_target_param *par)
                break;
        default:
                if (net_ratelimit())
-                        printk(KERN_WARNING "ip6t_REJECT: case %u not handled yet\n", reject->with);
+                        pr_info("case %u not handled yet\n", reject->with);
                break;
        }
        return NF_DROP;
 }
-static bool reject_tg6_check(const struct xt_tgchk_param *par)
+static int reject_tg6_check(const struct xt_tgchk_param *par)
 {
        const struct ip6t_reject_info *rejinfo = par->targinfo;
        const struct ip6t_entry *e = par->entryinfo;
        if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
-                printk("ip6t_REJECT: ECHOREPLY is not supported.\n");
+                pr_info("ECHOREPLY is not supported.\n");
-                return false;
+                return -EINVAL;
        } else if (rejinfo->with == IP6T_TCP_RESET) {
                /* Must specify that it's a TCP packet */
                if (e->ipv6.proto != IPPROTO_TCP ||
                    (e->ipv6.invflags & XT_INV_PROTO)) {
-                        printk("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
+                        pr_info("TCP_RESET illegal for non-tcp\n");
-                        return false;
+                        return -EINVAL;
                }
        }
-        return true;
+        return 0;
 }
 static struct xt_target reject_tg6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_ah.c b/net/ipv6/netfilter/ip6t_ah.c
index ac0b7c629d78..89cccc5a9c92 100644
--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -6,7 +6,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
@@ -29,14 +29,14 @@ spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
 {
        bool r;
-        pr_debug("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",
+        pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
                 invert ? '!' : ' ', min, spi, max);
        r = (spi >= min && spi <= max) ^ invert;
        pr_debug(" result %s\n", r ? "PASS" : "FAILED");
        return r;
 }
-static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool ah_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
        struct ip_auth_hdr _ah;
        const struct ip_auth_hdr *ah;
@@ -48,13 +48,13 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
        err = ipv6_find_hdr(skb, &ptr, NEXTHDR_AUTH, NULL);
        if (err < 0) {
                if (err != -ENOENT)
-                        *par->hotdrop = true;
+                        par->hotdrop = true;
                return false;
        }
        ah = skb_header_pointer(skb, ptr, sizeof(_ah), &_ah);
        if (ah == NULL) {
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
@@ -87,15 +87,15 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
                !(ahinfo->hdrres && ah->reserved);
 }
-static bool ah_mt6_check(const struct xt_mtchk_param *par)
+static int ah_mt6_check(const struct xt_mtchk_param *par)
 {
        const struct ip6t_ah *ahinfo = par->matchinfo;
        if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
-                pr_debug("ip6t_ah: unknown flags %X\n", ahinfo->invflags);
+                pr_debug("unknown flags %X\n", ahinfo->invflags);
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 static struct xt_match ah_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c
index ca287f6d2bce..aab0706908c5 100644
--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -20,14 +20,14 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
 static bool
-eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+eui64_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
        unsigned char eui64[8];
        if (!(skb_mac_header(skb) >= skb->head &&
              skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
            par->fragoff != 0) {
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
diff --git a/net/ipv6/netfilter/ip6t_frag.c b/net/ipv6/netfilter/ip6t_frag.c
index 7b91c2598ed5..eda898fda6ca 100644
--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -6,7 +6,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ipv6.h>
@@ -27,7 +27,7 @@ static inline bool
 id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
 {
        bool r;
-        pr_debug("frag id_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ',
+        pr_debug("id_match:%c 0x%x <= 0x%x <= 0x%x\n", invert ? '!' : ' ',
                 min, id, max);
        r = (id >= min && id <= max) ^ invert;
        pr_debug(" result %s\n", r ? "PASS" : "FAILED");
@@ -35,7 +35,7 @@ id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
 }
 static bool
-frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+frag_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
        struct frag_hdr _frag;
        const struct frag_hdr *fh;
@@ -46,13 +46,13 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
        err = ipv6_find_hdr(skb, &ptr, NEXTHDR_FRAGMENT, NULL);
        if (err < 0) {
                if (err != -ENOENT)
-                        *par->hotdrop = true;
+                        par->hotdrop = true;
                return false;
        }
        fh = skb_header_pointer(skb, ptr, sizeof(_frag), &_frag);
        if (fh == NULL) {
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
@@ -102,15 +102,15 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
                  (ntohs(fh->frag_off) & IP6_MF));
 }
-static bool frag_mt6_check(const struct xt_mtchk_param *par)
+static int frag_mt6_check(const struct xt_mtchk_param *par)
 {
        const struct ip6t_frag *fraginfo = par->matchinfo;
        if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) {
-                pr_debug("ip6t_frag: unknown flags %X\n", fraginfo->invflags);
+                pr_debug("unknown flags %X\n", fraginfo->invflags);
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 static struct xt_match frag_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index e60677519e40..59df051eaef6 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -6,7 +6,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ipv6.h>
@@ -41,8 +41,10 @@ MODULE_ALIAS("ip6t_dst");
 *      5       -> RTALERT 2 x x
 */
+static struct xt_match hbh_mt6_reg[] __read_mostly;
 static bool
-hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+hbh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
        struct ipv6_opt_hdr _optsh;
        const struct ipv6_opt_hdr *oh;
@@ -58,16 +60,18 @@ hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
        unsigned int optlen;
        int err;
-        err = ipv6_find_hdr(skb, &ptr, par->match->data, NULL);
+        err = ipv6_find_hdr(skb, &ptr,
+                            (par->match == &hbh_mt6_reg[0]) ?
+                            NEXTHDR_HOP : NEXTHDR_DEST, NULL);
        if (err < 0) {
                if (err != -ENOENT)
-                        *par->hotdrop = true;
+                        par->hotdrop = true;
                return false;
        }
        oh = skb_header_pointer(skb, ptr, sizeof(_optsh), &_optsh);
        if (oh == NULL) {
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
@@ -160,32 +164,32 @@ hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
        return false;
 }
-static bool hbh_mt6_check(const struct xt_mtchk_param *par)
+static int hbh_mt6_check(const struct xt_mtchk_param *par)
 {
        const struct ip6t_opts *optsinfo = par->matchinfo;
        if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) {
-                pr_debug("ip6t_opts: unknown flags %X\n", optsinfo->invflags);
+                pr_debug("unknown flags %X\n", optsinfo->invflags);
-                return false;
+                return -EINVAL;
        }
        if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
-                pr_debug("ip6t_opts: Not strict - not implemented");
+                pr_debug("Not strict - not implemented");
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 static struct xt_match hbh_mt6_reg[] __read_mostly = {
        {
+                /* Note, hbh_mt6 relies on the order of hbh_mt6_reg */
                .name           = "hbh",
                .family         = NFPROTO_IPV6,
                .match          = hbh_mt6,
                .matchsize      = sizeof(struct ip6t_opts),
                .checkentry     = hbh_mt6_check,
                .me             = THIS_MODULE,
-                .data           = NEXTHDR_HOP,
        },
        {
                .name           = "dst",
@@ -194,7 +198,6 @@ static struct xt_match hbh_mt6_reg[] __read_mostly = {
                .matchsize      = sizeof(struct ip6t_opts),
                .checkentry     = hbh_mt6_check,
                .me             = THIS_MODULE,
-                .data           = NEXTHDR_DEST,
        },
 };
diff --git a/net/ipv6/netfilter/ip6t_ipv6header.c b/net/ipv6/netfilter/ip6t_ipv6header.c
index 91490ad9302c..54bd9790603f 100644
--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -27,7 +27,7 @@ MODULE_DESCRIPTION("Xtables: IPv6 header types match");
 MODULE_AUTHOR("Andras Kis-Szabo <kisza@sch.bme.hu>");
 static bool
-ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+ipv6header_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ip6t_ipv6header_info *info = par->matchinfo;
        unsigned int temp;
@@ -118,16 +118,16 @@ ipv6header_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
        }
 }
-static bool ipv6header_mt6_check(const struct xt_mtchk_param *par)
+static int ipv6header_mt6_check(const struct xt_mtchk_param *par)
 {
        const struct ip6t_ipv6header_info *info = par->matchinfo;
        /* invflags is 0 or 0xff in hard mode */
        if ((!info->modeflag) && info->invflags != 0x00 &&
            info->invflags != 0xFF)
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
 static struct xt_match ipv6header_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index aafe4e66577b..0c90c66b1992 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -11,6 +11,7 @@
 * Based on net/netfilter/xt_tcpudp.c
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/types.h>
 #include <linux/module.h>
 #include <net/ip.h>
@@ -24,12 +25,6 @@
 MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match");
 MODULE_LICENSE("GPL");
-#ifdef DEBUG_IP_FIREWALL_USER
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
 /* Returns 1 if the type is matched by the range, 0 otherwise */
 static inline bool
 type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
@@ -37,7 +32,7 @@ type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
        return (type >= min && type <= max) ^ invert;
 }
-static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool mh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
        struct ip6_mh _mh;
        const struct ip6_mh *mh;
@@ -51,15 +46,15 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
        if (mh == NULL) {
                /* We've been asked to examine this packet, and we
                   can't.  Hence, no choice but to drop. */
-                duprintf("Dropping evil MH tinygram.\n");
+                pr_debug("Dropping evil MH tinygram.\n");
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
        if (mh->ip6mh_proto != IPPROTO_NONE) {
-                duprintf("Dropping invalid MH Payload Proto: %u\n",
+                pr_debug("Dropping invalid MH Payload Proto: %u\n",
                         mh->ip6mh_proto);
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
@@ -67,12 +62,12 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
                          !!(mhinfo->invflags & IP6T_MH_INV_TYPE));
 }
-static bool mh_mt6_check(const struct xt_mtchk_param *par)
+static int mh_mt6_check(const struct xt_mtchk_param *par)
 {
        const struct ip6t_mh *mhinfo = par->matchinfo;
        /* Must specify no unknown invflags */
-        return !(mhinfo->invflags & ~IP6T_MH_INV_MASK);
+        return (mhinfo->invflags & ~IP6T_MH_INV_MASK) ? -EINVAL : 0;
 }
 static struct xt_match mh_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6t_rt.c b/net/ipv6/netfilter/ip6t_rt.c
index b77307fc8743..d8488c50a8e0 100644
--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -6,7 +6,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ipv6.h>
@@ -29,14 +29,14 @@ static inline bool
 segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
 {
        bool r;
-        pr_debug("rt segsleft_match:%c 0x%x <= 0x%x <= 0x%x",
+        pr_debug("segsleft_match:%c 0x%x <= 0x%x <= 0x%x\n",
                 invert ? '!' : ' ', min, id, max);
        r = (id >= min && id <= max) ^ invert;
        pr_debug(" result %s\n", r ? "PASS" : "FAILED");
        return r;
 }
-static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool rt_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
        struct ipv6_rt_hdr _route;
        const struct ipv6_rt_hdr *rh;
@@ -52,13 +52,13 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
        err = ipv6_find_hdr(skb, &ptr, NEXTHDR_ROUTING, NULL);
        if (err < 0) {
                if (err != -ENOENT)
-                        *par->hotdrop = true;
+                        par->hotdrop = true;
                return false;
        }
        rh = skb_header_pointer(skb, ptr, sizeof(_route), &_route);
        if (rh == NULL) {
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
@@ -183,23 +183,23 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
        return false;
 }
-static bool rt_mt6_check(const struct xt_mtchk_param *par)
+static int rt_mt6_check(const struct xt_mtchk_param *par)
 {
        const struct ip6t_rt *rtinfo = par->matchinfo;
        if (rtinfo->invflags & ~IP6T_RT_INV_MASK) {
-                pr_debug("ip6t_rt: unknown flags %X\n", rtinfo->invflags);
+                pr_debug("unknown flags %X\n", rtinfo->invflags);
-                return false;
+                return -EINVAL;
        }
        if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) &&
            (!(rtinfo->flags & IP6T_RT_TYP) ||
             (rtinfo->rt_type != 0) ||
             (rtinfo->invflags & IP6T_RT_INV_TYP))) {
                pr_debug("`--rt-type 0' required before `--rt-0-*'");
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 static struct xt_match rt_mt6_reg __read_mostly = {
diff --git a/net/ipv6/netfilter/ip6table_filter.c b/net/ipv6/netfilter/ip6table_filter.c
index d6fc9aff3163..c9e37c8fd62c 100644
--- a/net/ipv6/netfilter/ip6table_filter.c
+++ b/net/ipv6/netfilter/ip6table_filter.c
@@ -81,7 +81,7 @@ static int __init ip6table_filter_init(void)
        int ret;
        if (forward < 0 || forward > NF_MAX_VERDICT) {
-                printk("iptables forward must be 0 or 1\n");
+                pr_err("iptables forward must be 0 or 1\n");
                return -EINVAL;
        }
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 6a102b57f356..679a0a3b7b3c 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -43,7 +43,7 @@ ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
        if (skb->len < sizeof(struct iphdr) ||
            ip_hdrlen(skb) < sizeof(struct iphdr)) {
                if (net_ratelimit())
-                        printk("ip6t_hook: happy cracking.\n");
+                        pr_warning("ip6t_hook: happy cracking.\n");
                return NF_ACCEPT;
        }
 #endif
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 996c3f41fecd..ff43461704be 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -280,7 +280,7 @@ static unsigned int ipv6_conntrack_local(unsigned int hooknum,
        /* root is playing with raw sockets. */
        if (skb->len < sizeof(struct ipv6hdr)) {
                if (net_ratelimit())
-                        printk("ipv6_conntrack_local: packet too short\n");
+                        pr_notice("ipv6_conntrack_local: packet too short\n");
                return NF_ACCEPT;
        }
        return __ipv6_conntrack_in(dev_net(out), hooknum, skb, okfn);
@@ -406,37 +406,37 @@ static int __init nf_conntrack_l3proto_ipv6_init(void)
        ret = nf_ct_frag6_init();
        if (ret < 0) {
-                printk("nf_conntrack_ipv6: can't initialize frag6.\n");
+                pr_err("nf_conntrack_ipv6: can't initialize frag6.\n");
                return ret;
        }
        ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp6);
        if (ret < 0) {
-                printk("nf_conntrack_ipv6: can't register tcp.\n");
+                pr_err("nf_conntrack_ipv6: can't register tcp.\n");
                goto cleanup_frag6;
        }
        ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp6);
        if (ret < 0) {
-                printk("nf_conntrack_ipv6: can't register udp.\n");
+                pr_err("nf_conntrack_ipv6: can't register udp.\n");
                goto cleanup_tcp;
        }
        ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmpv6);
        if (ret < 0) {
-                printk("nf_conntrack_ipv6: can't register icmpv6.\n");
+                pr_err("nf_conntrack_ipv6: can't register icmpv6.\n");
                goto cleanup_udp;
        }
        ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv6);
        if (ret < 0) {
-                printk("nf_conntrack_ipv6: can't register ipv6\n");
+                pr_err("nf_conntrack_ipv6: can't register ipv6\n");
                goto cleanup_icmpv6;
        }
        ret = nf_register_hooks(ipv6_conntrack_ops,
                                ARRAY_SIZE(ipv6_conntrack_ops));
        if (ret < 0) {
-                printk("nf_conntrack_ipv6: can't register pre-routing defrag "
+                pr_err("nf_conntrack_ipv6: can't register pre-routing defrag "
                       "hook.\n");
                goto cleanup_ipv6;
        }
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index dd5b9bd61c62..6fb890187de0 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -644,7 +644,7 @@ void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
                s2 = s->next;
                s->next = NULL;
-                NF_HOOK_THRESH(PF_INET6, hooknum, s, in, out, okfn,
+                NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, s, in, out, okfn,
                               NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
                s = s2;
        }
diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
index 458eabfbe130..566798d69f37 100644
--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -168,7 +168,6 @@ static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, void __percpu **mib)
                        i & 0x100 ?  "Out" : "In", i & 0xff);
                seq_printf(seq, "%-32s\t%lu\n", name, val);
        }
-        return;
 }
 static void snmp6_seq_show_item(struct seq_file *seq, void __percpu **mib,
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 0e3d2dd92078..4a4dcbe4f8b2 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -640,8 +640,8 @@ static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
                goto error_fault;
        IP6_UPD_PO_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len);
-        err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
+        err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
-                      dst_output);
+                      rt->u.dst.dev, dst_output);
        if (err > 0)
                err = net_xmit_errno(err);
        if (err)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 05ebd7833043..252d76199c41 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -316,7 +316,6 @@ static void rt6_probe(struct rt6_info *rt)
 #else
 static inline void rt6_probe(struct rt6_info *rt)
 {
-        return;
 }
 #endif
@@ -815,7 +814,7 @@ struct dst_entry * ip6_route_output(struct net *net, struct sock *sk,
 {
        int flags = 0;
-        if (fl->oif || rt6_need_strict(&fl->fl6_dst))
+        if ((sk && sk->sk_bound_dev_if) || rt6_need_strict(&fl->fl6_dst))
                flags |= RT6_LOOKUP_F_IFACE;
        if (!ipv6_addr_any(&fl->fl6_src))
@@ -1553,7 +1552,6 @@ void rt6_redirect(struct in6_addr *dest, struct in6_addr *src,
 out:
        dst_release(&rt->u.dst);
-        return;
 }
 /*
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 5abae10cd884..e51e650ea80b 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -566,11 +566,9 @@ static int ipip6_rcv(struct sk_buff *skb)
                        kfree_skb(skb);
                        return 0;
                }
-                tunnel->dev->stats.rx_packets++;
-                tunnel->dev->stats.rx_bytes += skb->len;
+                skb_tunnel_rx(skb, tunnel->dev);
-                skb->dev = tunnel->dev;
-                skb_dst_drop(skb);
-                nf_reset(skb);
                ipip6_ecn_decapsulate(iph, skb);
                netif_rx(skb);
                rcu_read_unlock();
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 6603511e3673..2b7c3a100e2c 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -604,7 +604,7 @@ static int tcp_v6_md5_do_add(struct sock *sk, struct in6_addr *peer,
                                kfree(newkey);
                                return -ENOMEM;
                        }
-                        sk->sk_route_caps &= ~NETIF_F_GSO_MASK;
+                        sk_nocaps_add(sk, NETIF_F_GSO_MASK);
                }
                if (tcp_alloc_md5sig_pool(sk) == NULL) {
                        kfree(newkey);
@@ -741,7 +741,7 @@ static int tcp_v6_parse_md5_keys (struct sock *sk, char __user *optval,
                        return -ENOMEM;
                tp->md5sig_info = p;
-                sk->sk_route_caps &= ~NETIF_F_GSO_MASK;
+                sk_nocaps_add(sk, NETIF_F_GSO_MASK);
        }
        newkey = kmemdup(cmd.tcpm_key, cmd.tcpm_keylen, GFP_KERNEL);
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 3d7a2c0b836a..87be58673b55 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -328,6 +328,7 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk,
        int err;
        int is_udplite = IS_UDPLITE(sk);
        int is_udp4;
+        bool slow;
        if (addr_len)
                *addr_len=sizeof(struct sockaddr_in6);
@@ -424,7 +425,7 @@ out:
        return err;
 csum_copy_err:
-        lock_sock_bh(sk);
+        slow = lock_sock_fast(sk);
        if (!skb_kill_datagram(sk, skb, flags)) {
                if (is_udp4)
                        UDP_INC_STATS_USER(sock_net(sk),
@@ -433,7 +434,7 @@ csum_copy_err:
                        UDP6_INC_STATS_USER(sock_net(sk),
                                        UDP_MIB_INERRORS, is_udplite);
        }
-        unlock_sock_bh(sk);
+        unlock_sock_fast(sk, slow);
        if (flags & MSG_DONTWAIT)
                return -EAGAIN;
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index 2bc98ede1235..f8c3cf842f53 100644
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -42,7 +42,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
        ipv6_hdr(skb)->payload_len = htons(skb->len);
        __skb_push(skb, skb->data - skb_network_header(skb));
-        NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
+        NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
                ip6_rcv_finish);
        return -1;
 }
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 0c92112dcba3..6434bd5ce088 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -90,6 +90,6 @@ static int xfrm6_output_finish(struct sk_buff *skb)
 int xfrm6_output(struct sk_buff *skb)
 {
-        return NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, skb, NULL, skb_dst(skb)->dev,
+        return NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL,
-                       xfrm6_output_finish);
+                       skb_dst(skb)->dev, xfrm6_output_finish);
 }
diff --git a/net/irda/iriap.c b/net/irda/iriap.c
index 79a1e5a23e10..fce364c6c71a 100644
--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -685,8 +685,6 @@ static void iriap_getvaluebyclass_indication(struct iriap_cb *self,
        /* We have a match; send the value.  */
        iriap_getvaluebyclass_response(self, obj->id, IAS_SUCCESS,
                                       attrib->value);
-        return;
 }
 /*
diff --git a/net/irda/irnet/irnet_irda.c b/net/irda/irnet/irnet_irda.c
index df18ab4b6c5e..e98e40d76f4f 100644
--- a/net/irda/irnet/irnet_irda.c
+++ b/net/irda/irnet/irnet_irda.c
@@ -678,7 +678,6 @@ irda_irnet_destroy(irnet_socket *	self)
  self->stsap_sel = 0;
  DEXIT(IRDA_SOCK_TRACE, "\n");
-  return;
 }
@@ -928,7 +927,6 @@ irnet_disconnect_server(irnet_socket *	self,
  irttp_listen(self->tsap);
  DEXIT(IRDA_SERV_TRACE, "\n");
-  return;
 }
 /*------------------------------------------------------------------*/
@@ -1013,7 +1011,6 @@ irnet_destroy_server(void)
  irda_irnet_destroy(&irnet_server.s);
  DEXIT(IRDA_SERV_TRACE, "\n");
-  return;
 }
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 8be324fe08b9..9637e45744fa 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -136,7 +136,6 @@ static void afiucv_pm_complete(struct device *dev)
 #ifdef CONFIG_PM_DEBUG
        printk(KERN_WARNING "afiucv_pm_complete\n");
 #endif
-        return;
 }
 /**
@@ -1620,7 +1619,7 @@ static void iucv_callback_rx(struct iucv_path *path, struct iucv_message *msg)
 save_message:
        save_msg = kzalloc(sizeof(struct sock_msg_q), GFP_ATOMIC | GFP_DMA);
        if (!save_msg)
-                return;
+                goto out_unlock;
        save_msg->path = path;
        save_msg->msg = *msg;
diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
index fd8b28361a64..f28ad2cc8428 100644
--- a/net/iucv/iucv.c
+++ b/net/iucv/iucv.c
@@ -632,13 +632,14 @@ static int __cpuinit iucv_cpu_notify(struct notifier_block *self,
                iucv_irq_data[cpu] = kmalloc_node(sizeof(struct iucv_irq_data),
                                        GFP_KERNEL|GFP_DMA, cpu_to_node(cpu));
                if (!iucv_irq_data[cpu])
-                        return NOTIFY_BAD;
+                        return notifier_from_errno(-ENOMEM);
                iucv_param[cpu] = kmalloc_node(sizeof(union iucv_param),
                                     GFP_KERNEL|GFP_DMA, cpu_to_node(cpu));
                if (!iucv_param[cpu]) {
                        kfree(iucv_irq_data[cpu]);
                        iucv_irq_data[cpu] = NULL;
-                        return NOTIFY_BAD;
+                        return notifier_from_errno(-ENOMEM);
                }
                iucv_param_irq[cpu] = kmalloc_node(sizeof(union iucv_param),
                                        GFP_KERNEL|GFP_DMA, cpu_to_node(cpu));
@@ -647,7 +648,7 @@ static int __cpuinit iucv_cpu_notify(struct notifier_block *self,
                        iucv_param[cpu] = NULL;
                        kfree(iucv_irq_data[cpu]);
                        iucv_irq_data[cpu] = NULL;
-                        return NOTIFY_BAD;
+                        return notifier_from_errno(-ENOMEM);
                }
                break;
        case CPU_UP_CANCELED:
@@ -677,7 +678,7 @@ static int __cpuinit iucv_cpu_notify(struct notifier_block *self,
                cpu_clear(cpu, cpumask);
                if (cpus_empty(cpumask))
                        /* Can't offline last IUCV enabled cpu. */
-                        return NOTIFY_BAD;
+                        return notifier_from_errno(-EINVAL);
                smp_call_function_single(cpu, iucv_retrieve_cpu, NULL, 1);
                if (cpus_empty(iucv_irq_cpumask))
                        smp_call_function_single(first_cpu(iucv_buffer_cpumask),
diff --git a/net/key/af_key.c b/net/key/af_key.c
index ba9a3fcc2fed..43040e97c474 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -99,7 +99,7 @@ static void pfkey_sock_destruct(struct sock *sk)
        skb_queue_purge(&sk->sk_receive_queue);
        if (!sock_flag(sk, SOCK_DEAD)) {
-                printk("Attempt to release alive pfkey socket: %p\n", sk);
+                pr_err("Attempt to release alive pfkey socket: %p\n", sk);
                return;
        }
@@ -1402,7 +1402,7 @@ static inline int event2poltype(int event)
        case XFRM_MSG_POLEXPIRE:
        //      return SADB_X_SPDEXPIRE;
        default:
-                printk("pfkey: Unknown policy event %d\n", event);
+                pr_err("pfkey: Unknown policy event %d\n", event);
                break;
        }
@@ -1421,7 +1421,7 @@ static inline int event2keytype(int event)
        case XFRM_MSG_EXPIRE:
                return SADB_EXPIRE;
        default:
-                printk("pfkey: Unknown SA event %d\n", event);
+                pr_err("pfkey: Unknown SA event %d\n", event);
                break;
        }
@@ -2969,7 +2969,7 @@ static int pfkey_send_notify(struct xfrm_state *x, struct km_event *c)
        case XFRM_MSG_NEWAE: /* not yet supported */
                break;
        default:
-                printk("pfkey: Unknown SA event %d\n", c->event);
+                pr_err("pfkey: Unknown SA event %d\n", c->event);
                break;
        }
@@ -2993,7 +2993,7 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, struct km_e
                        break;
                return key_notify_policy_flush(c);
        default:
-                printk("pfkey: Unknown policy event %d\n", c->event);
+                pr_err("pfkey: Unknown policy event %d\n", c->event);
                break;
        }
diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c
index a432f0ec051c..94e7fca75b85 100644
--- a/net/llc/llc_sap.c
+++ b/net/llc/llc_sap.c
@@ -31,7 +31,7 @@ static int llc_mac_header_len(unsigned short devtype)
        case ARPHRD_ETHER:
        case ARPHRD_LOOPBACK:
                return sizeof(struct ethhdr);
-#ifdef CONFIG_TR
+#if defined(CONFIG_TR) || defined(CONFIG_TR_MODULE)
        case ARPHRD_IEEE802_TR:
                return sizeof(struct trh_hdr);
 #endif
diff --git a/net/mac80211/Makefile b/net/mac80211/Makefile
index 04420291e7ad..84b48ba8a77e 100644
--- a/net/mac80211/Makefile
+++ b/net/mac80211/Makefile
@@ -23,7 +23,8 @@ mac80211-y := \
        key.o \
        util.o \
        wme.o \
-        event.o
+        event.o \
+        chan.o
 mac80211-$(CONFIG_MAC80211_LEDS) += led.o
 mac80211-$(CONFIG_MAC80211_DEBUGFS) += \
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index c163d0a149f4..98258b7341e3 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -332,14 +332,16 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid)
                IEEE80211_QUEUE_STOP_REASON_AGGREGATION);
        spin_unlock(&local->ampdu_lock);
-        spin_unlock_bh(&sta->lock);
-        /* send an addBA request */
+        /* prepare tid data */
        sta->ampdu_mlme.dialog_token_allocator++;
        sta->ampdu_mlme.tid_tx[tid]->dialog_token =
                        sta->ampdu_mlme.dialog_token_allocator;
        sta->ampdu_mlme.tid_tx[tid]->ssn = start_seq_num;
+        spin_unlock_bh(&sta->lock);
+        /* send AddBA request */
        ieee80211_send_addba_request(sdata, pubsta->addr, tid,
                         sta->ampdu_mlme.tid_tx[tid]->dialog_token,
                         sta->ampdu_mlme.tid_tx[tid]->ssn,
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index ae37270a0633..c7000a6ca379 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1162,15 +1162,39 @@ static int ieee80211_set_txq_params(struct wiphy *wiphy,
 }
 static int ieee80211_set_channel(struct wiphy *wiphy,
+                                 struct net_device *netdev,
                                 struct ieee80211_channel *chan,
                                 enum nl80211_channel_type channel_type)
 {
        struct ieee80211_local *local = wiphy_priv(wiphy);
+        struct ieee80211_sub_if_data *sdata = NULL;
+        if (netdev)
+                sdata = IEEE80211_DEV_TO_SUB_IF(netdev);
+        switch (ieee80211_get_channel_mode(local, NULL)) {
+        case CHAN_MODE_HOPPING:
+                return -EBUSY;
+        case CHAN_MODE_FIXED:
+                if (local->oper_channel != chan)
+                        return -EBUSY;
+                if (!sdata && local->_oper_channel_type == channel_type)
+                        return 0;
+                break;
+        case CHAN_MODE_UNDEFINED:
+                break;
+        }
        local->oper_channel = chan;
-        local->oper_channel_type = channel_type;
-        return ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
+        if (!ieee80211_set_channel_type(local, sdata, channel_type))
+                return -EBUSY;
+        ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
+        if (sdata && sdata->vif.type != NL80211_IFTYPE_MONITOR)
+                ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_HT);
+        return 0;
 }
 #ifdef CONFIG_PM
@@ -1214,6 +1238,20 @@ static int ieee80211_auth(struct wiphy *wiphy, struct net_device *dev,
 static int ieee80211_assoc(struct wiphy *wiphy, struct net_device *dev,
                           struct cfg80211_assoc_request *req)
 {
+        struct ieee80211_local *local = wiphy_priv(wiphy);
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        switch (ieee80211_get_channel_mode(local, sdata)) {
+        case CHAN_MODE_HOPPING:
+                return -EBUSY;
+        case CHAN_MODE_FIXED:
+                if (local->oper_channel == req->bss->channel)
+                        break;
+                return -EBUSY;
+        case CHAN_MODE_UNDEFINED:
+                break;
+        }
        return ieee80211_mgd_assoc(IEEE80211_DEV_TO_SUB_IF(dev), req);
 }
@@ -1236,8 +1274,22 @@ static int ieee80211_disassoc(struct wiphy *wiphy, struct net_device *dev,
 static int ieee80211_join_ibss(struct wiphy *wiphy, struct net_device *dev,
                               struct cfg80211_ibss_params *params)
 {
+        struct ieee80211_local *local = wiphy_priv(wiphy);
        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        switch (ieee80211_get_channel_mode(local, sdata)) {
+        case CHAN_MODE_HOPPING:
+                return -EBUSY;
+        case CHAN_MODE_FIXED:
+                if (!params->channel_fixed)
+                        return -EBUSY;
+                if (local->oper_channel == params->channel)
+                        break;
+                return -EBUSY;
+        case CHAN_MODE_UNDEFINED:
+                break;
+        }
        return ieee80211_ibss_join(sdata, params);
 }
@@ -1366,7 +1418,7 @@ int __ieee80211_request_smps(struct ieee80211_sub_if_data *sdata,
         * association, there's no need to send an action frame.
         */
        if (!sdata->u.mgd.associated ||
-            sdata->local->oper_channel_type == NL80211_CHAN_NO_HT) {
+            sdata->vif.bss_conf.channel_type == NL80211_CHAN_NO_HT) {
                mutex_lock(&sdata->local->iflist_mtx);
                ieee80211_recalc_smps(sdata->local, sdata);
                mutex_unlock(&sdata->local->iflist_mtx);
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
new file mode 100644
index 000000000000..32be11e4c4d9
--- /dev/null
+++ b/net/mac80211/chan.c
@@ -0,0 +1,127 @@
+/*
+ * mac80211 - channel management
+ */
+#include <linux/nl80211.h>
+#include "ieee80211_i.h"
+static enum ieee80211_chan_mode
+__ieee80211_get_channel_mode(struct ieee80211_local *local,
+                             struct ieee80211_sub_if_data *ignore)
+{
+        struct ieee80211_sub_if_data *sdata;
+        WARN_ON(!mutex_is_locked(&local->iflist_mtx));
+        list_for_each_entry(sdata, &local->interfaces, list) {
+                if (sdata == ignore)
+                        continue;
+                if (!ieee80211_sdata_running(sdata))
+                        continue;
+                if (sdata->vif.type == NL80211_IFTYPE_MONITOR)
+                        continue;
+                if (sdata->vif.type == NL80211_IFTYPE_STATION &&
+                    !sdata->u.mgd.associated)
+                        continue;
+                if (sdata->vif.type == NL80211_IFTYPE_ADHOC) {
+                        if (!sdata->u.ibss.ssid_len)
+                                continue;
+                        if (!sdata->u.ibss.fixed_channel)
+                                return CHAN_MODE_HOPPING;
+                }
+                if (sdata->vif.type == NL80211_IFTYPE_AP &&
+                    !sdata->u.ap.beacon)
+                        continue;
+                return CHAN_MODE_FIXED;
+        }
+        return CHAN_MODE_UNDEFINED;
+}
+enum ieee80211_chan_mode
+ieee80211_get_channel_mode(struct ieee80211_local *local,
+                           struct ieee80211_sub_if_data *ignore)
+{
+        enum ieee80211_chan_mode mode;
+        mutex_lock(&local->iflist_mtx);
+        mode = __ieee80211_get_channel_mode(local, ignore);
+        mutex_unlock(&local->iflist_mtx);
+        return mode;
+}
+bool ieee80211_set_channel_type(struct ieee80211_local *local,
+                                struct ieee80211_sub_if_data *sdata,
+                                enum nl80211_channel_type chantype)
+{
+        struct ieee80211_sub_if_data *tmp;
+        enum nl80211_channel_type superchan = NL80211_CHAN_NO_HT;
+        bool result;
+        mutex_lock(&local->iflist_mtx);
+        list_for_each_entry(tmp, &local->interfaces, list) {
+                if (tmp == sdata)
+                        continue;
+                if (!ieee80211_sdata_running(tmp))
+                        continue;
+                switch (tmp->vif.bss_conf.channel_type) {
+                case NL80211_CHAN_NO_HT:
+                case NL80211_CHAN_HT20:
+                        superchan = tmp->vif.bss_conf.channel_type;
+                        break;
+                case NL80211_CHAN_HT40PLUS:
+                        WARN_ON(superchan == NL80211_CHAN_HT40MINUS);
+                        superchan = NL80211_CHAN_HT40PLUS;
+                        break;
+                case NL80211_CHAN_HT40MINUS:
+                        WARN_ON(superchan == NL80211_CHAN_HT40PLUS);
+                        superchan = NL80211_CHAN_HT40MINUS;
+                        break;
+                }
+        }
+        switch (superchan) {
+        case NL80211_CHAN_NO_HT:
+        case NL80211_CHAN_HT20:
+                /*
+                 * allow any change that doesn't go to no-HT
+                 * (if it already is no-HT no change is needed)
+                 */
+                if (chantype == NL80211_CHAN_NO_HT)
+                        break;
+                superchan = chantype;
+                break;
+        case NL80211_CHAN_HT40PLUS:
+        case NL80211_CHAN_HT40MINUS:
+                /* allow smaller bandwidth and same */
+                if (chantype == NL80211_CHAN_NO_HT)
+                        break;
+                if (chantype == NL80211_CHAN_HT20)
+                        break;
+                if (superchan == chantype)
+                        break;
+                result = false;
+                goto out;
+        }
+        local->_oper_channel_type = superchan;
+        if (sdata)
+                sdata->vif.bss_conf.channel_type = chantype;
+        result = true;
+ out:
+        mutex_unlock(&local->iflist_mtx);
+        return result;
+}
diff --git a/net/mac80211/debugfs.h b/net/mac80211/debugfs.h
index 68e6a2050f9a..09cc9be34796 100644
--- a/net/mac80211/debugfs.h
+++ b/net/mac80211/debugfs.h
@@ -7,7 +7,6 @@ extern int mac80211_open_file_generic(struct inode *inode, struct file *file);
 #else
 static inline void debugfs_hw_add(struct ieee80211_local *local)
 {
-        return;
 }
 #endif
diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h
index ee8b63f92f71..9c1da0809160 100644
--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -349,7 +349,7 @@ static inline int drv_get_survey(struct ieee80211_local *local, int idx,
                                struct survey_info *survey)
 {
        int ret = -EOPNOTSUPP;
-        if (local->ops->conf_tx)
+        if (local->ops->get_survey)
                ret = local->ops->get_survey(&local->hw, idx, survey);
        /* trace_drv_get_survey(local, idx, survey, ret); */
        return ret;
@@ -371,4 +371,15 @@ static inline void drv_flush(struct ieee80211_local *local, bool drop)
        if (local->ops->flush)
                local->ops->flush(&local->hw, drop);
 }
+static inline void drv_channel_switch(struct ieee80211_local *local,
+                                     struct ieee80211_channel_switch *ch_switch)
+{
+        might_sleep();
+        local->ops->channel_switch(&local->hw, ch_switch);
+        trace_drv_channel_switch(local, ch_switch);
+}
 #endif /* __MAC80211_DRIVER_OPS */
diff --git a/net/mac80211/driver-trace.h b/net/mac80211/driver-trace.h
index ce734b58d07a..6a9b2342a9c2 100644
--- a/net/mac80211/driver-trace.h
+++ b/net/mac80211/driver-trace.h
@@ -774,6 +774,34 @@ TRACE_EVENT(drv_flush,
        )
 );
+TRACE_EVENT(drv_channel_switch,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_channel_switch *ch_switch),
+        TP_ARGS(local, ch_switch),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                __field(u64, timestamp)
+                __field(bool, block_tx)
+                __field(u16, freq)
+                __field(u8, count)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                __entry->timestamp = ch_switch->timestamp;
+                __entry->block_tx = ch_switch->block_tx;
+                __entry->freq = ch_switch->channel->center_freq;
+                __entry->count = ch_switch->count;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT " new freq:%u count:%d",
+                LOCAL_PR_ARG, __entry->freq, __entry->count
+        )
+);
 /*
 * Tracing for API calls that drivers call.
 */
@@ -992,6 +1020,27 @@ TRACE_EVENT(api_sta_block_awake,
        )
 );
+TRACE_EVENT(api_chswitch_done,
+        TP_PROTO(struct ieee80211_sub_if_data *sdata, bool success),
+        TP_ARGS(sdata, success),
+        TP_STRUCT__entry(
+                VIF_ENTRY
+                __field(bool, success)
+        ),
+        TP_fast_assign(
+                VIF_ASSIGN;
+                __entry->success = success;
+        ),
+        TP_printk(
+                VIF_PR_FMT " success=%d",
+                VIF_PR_ARG, __entry->success
+        )
+);
 /*
 * Tracing for internal functions
 * (which may also be called in response to driver calls)
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index b72ee6435fa3..b2cc1fda6cfd 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -103,7 +103,7 @@ static void __ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
        sdata->drop_unencrypted = capability & WLAN_CAPABILITY_PRIVACY ? 1 : 0;
        local->oper_channel = chan;
-        local->oper_channel_type = NL80211_CHAN_NO_HT;
+        WARN_ON(!ieee80211_set_channel_type(local, sdata, NL80211_CHAN_NO_HT));
        ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
        sband = local->hw.wiphy->bands[chan->band];
@@ -911,7 +911,8 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
        /* fix ourselves to that channel now already */
        if (params->channel_fixed) {
                sdata->local->oper_channel = params->channel;
-                sdata->local->oper_channel_type = NL80211_CHAN_NO_HT;
+                WARN_ON(!ieee80211_set_channel_type(sdata->local, sdata,
+                                                    NL80211_CHAN_NO_HT));
        }
        if (params->ie) {
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index cbaf4981e110..1a9e2da37a93 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -767,7 +767,7 @@ struct ieee80211_local {
        enum mac80211_scan_state next_scan_state;
        struct delayed_work scan_work;
        struct ieee80211_sub_if_data *scan_sdata;
-        enum nl80211_channel_type oper_channel_type;
+        enum nl80211_channel_type _oper_channel_type;
        struct ieee80211_channel *oper_channel, *csa_channel;
        /* Temporary remain-on-channel for off-channel operations */
@@ -998,7 +998,8 @@ int ieee80211_max_network_latency(struct notifier_block *nb,
                                  unsigned long data, void *dummy);
 void ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
                                      struct ieee80211_channel_sw_ie *sw_elem,
-                                      struct ieee80211_bss *bss);
+                                      struct ieee80211_bss *bss,
+                                      u64 timestamp);
 void ieee80211_sta_quiesce(struct ieee80211_sub_if_data *sdata);
 void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata);
@@ -1228,6 +1229,20 @@ int ieee80211_wk_remain_on_channel(struct ieee80211_sub_if_data *sdata,
 int ieee80211_wk_cancel_remain_on_channel(
        struct ieee80211_sub_if_data *sdata, u64 cookie);
+/* channel management */
+enum ieee80211_chan_mode {
+        CHAN_MODE_UNDEFINED,
+        CHAN_MODE_HOPPING,
+        CHAN_MODE_FIXED,
+};
+enum ieee80211_chan_mode
+ieee80211_get_channel_mode(struct ieee80211_local *local,
+                           struct ieee80211_sub_if_data *ignore);
+bool ieee80211_set_channel_type(struct ieee80211_local *local,
+                                struct ieee80211_sub_if_data *sdata,
+                                enum nl80211_channel_type chantype);
 #ifdef CONFIG_MAC80211_NOINLINE
 #define debug_noinline noinline
 #else
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 8d4b41787dcf..e8f6e3b252d8 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -140,7 +140,6 @@ static void ieee80211_key_enable_hw_accel(struct ieee80211_key *key)
                                     struct ieee80211_sub_if_data,
                                     u.ap);
-        key->conf.ap_addr = sdata->dev->dev_addr;
        ret = drv_set_key(key->local, SET_KEY, sdata, sta, &key->conf);
        if (!ret) {
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index bd632e1ee2c5..22a384dfab65 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -111,7 +111,7 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
                channel_type = local->tmp_channel_type;
        } else {
                chan = local->oper_channel;
-                channel_type = local->oper_channel_type;
+                channel_type = local->_oper_channel_type;
        }
        if (chan != local->hw.conf.channel ||
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index 7e93524459fc..bde81031727a 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -287,8 +287,6 @@ void mesh_mgmt_ies_add(struct sk_buff *skb, struct ieee80211_sub_if_data *sdata)
        *pos++ |= sdata->u.mesh.accepting_plinks ?
            MESHCONF_CAPAB_ACCEPT_PLINKS : 0x00;
        *pos++ = 0x00;
-        return;
 }
 u32 mesh_table_hash(u8 *addr, struct ieee80211_sub_if_data *sdata, struct mesh_table *tbl)
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index d89ed7f2592b..0705018d8d1e 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -624,7 +624,6 @@ static void hwmp_prep_frame_process(struct ieee80211_sub_if_data *sdata,
 fail:
        rcu_read_unlock();
        sdata->u.mesh.mshstats.dropped_frames_no_route++;
-        return;
 }
 static void hwmp_perr_frame_process(struct ieee80211_sub_if_data *sdata,
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 358226f63b81..f803f8b72a93 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -137,11 +137,14 @@ static u32 ieee80211_enable_ht(struct ieee80211_sub_if_data *sdata,
        struct sta_info *sta;
        u32 changed = 0;
        u16 ht_opmode;
-        bool enable_ht = true, ht_changed;
+        bool enable_ht = true;
+        enum nl80211_channel_type prev_chantype;
        enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
        sband = local->hw.wiphy->bands[local->hw.conf.channel->band];
+        prev_chantype = sdata->vif.bss_conf.channel_type;
        /* HT is not supported */
        if (!sband->ht_cap.ht_supported)
                enable_ht = false;
@@ -172,38 +175,37 @@ static u32 ieee80211_enable_ht(struct ieee80211_sub_if_data *sdata,
                }
        }
-        ht_changed = conf_is_ht(&local->hw.conf) != enable_ht ||
-                     channel_type != local->hw.conf.channel_type;
        if (local->tmp_channel)
                local->tmp_channel_type = channel_type;
-        local->oper_channel_type = channel_type;
-        if (ht_changed) {
+        if (!ieee80211_set_channel_type(local, sdata, channel_type)) {
-                /* channel_type change automatically detected */
+                /* can only fail due to HT40+/- mismatch */
-                ieee80211_hw_config(local, 0);
+                channel_type = NL80211_CHAN_HT20;
+                WARN_ON(!ieee80211_set_channel_type(local, sdata, channel_type));
+        }
+        /* channel_type change automatically detected */
+        ieee80211_hw_config(local, 0);
+        if (prev_chantype != channel_type) {
                rcu_read_lock();
                sta = sta_info_get(sdata, bssid);
                if (sta)
                        rate_control_rate_update(local, sband, sta,
                                                 IEEE80211_RC_HT_CHANGED,
-                                                 local->oper_channel_type);
+                                                 channel_type);
                rcu_read_unlock();
-        }
+        }
-        /* disable HT */
-        if (!enable_ht)
-                return 0;
        ht_opmode = le16_to_cpu(hti->operation_mode);
        /* if bss configuration changed store the new one */
-        if (!sdata->ht_opmode_valid ||
+        if (sdata->ht_opmode_valid != enable_ht ||
-            sdata->vif.bss_conf.ht_operation_mode != ht_opmode) {
+            sdata->vif.bss_conf.ht_operation_mode != ht_opmode ||
+            prev_chantype != channel_type) {
                changed |= BSS_CHANGED_HT;
                sdata->vif.bss_conf.ht_operation_mode = ht_opmode;
-                sdata->ht_opmode_valid = true;
+                sdata->ht_opmode_valid = enable_ht;
        }
        return changed;
@@ -340,7 +342,11 @@ static void ieee80211_chswitch_work(struct work_struct *work)
                goto out;
        sdata->local->oper_channel = sdata->local->csa_channel;
-        ieee80211_hw_config(sdata->local, IEEE80211_CONF_CHANGE_CHANNEL);
+        if (!sdata->local->ops->channel_switch) {
+                /* call "hw_config" only if doing sw channel switch */
+                ieee80211_hw_config(sdata->local,
+                        IEEE80211_CONF_CHANGE_CHANNEL);
+        }
        /* XXX: shouldn't really modify cfg80211-owned data! */
        ifmgd->associated->channel = sdata->local->oper_channel;
@@ -352,6 +358,29 @@ static void ieee80211_chswitch_work(struct work_struct *work)
        mutex_unlock(&ifmgd->mtx);
 }
+void ieee80211_chswitch_done(struct ieee80211_vif *vif, bool success)
+{
+        struct ieee80211_sub_if_data *sdata;
+        struct ieee80211_if_managed *ifmgd;
+        sdata = vif_to_sdata(vif);
+        ifmgd = &sdata->u.mgd;
+        trace_api_chswitch_done(sdata, success);
+        if (!success) {
+                /*
+                 * If the channel switch was not successful, stay
+                 * around on the old channel. We currently lack
+                 * good handling of this situation, possibly we
+                 * should just drop the association.
+                 */
+                sdata->local->csa_channel = sdata->local->oper_channel;
+        }
+        ieee80211_queue_work(&sdata->local->hw, &ifmgd->chswitch_work);
+}
+EXPORT_SYMBOL(ieee80211_chswitch_done);
 static void ieee80211_chswitch_timer(unsigned long data)
 {
        struct ieee80211_sub_if_data *sdata =
@@ -368,7 +397,8 @@ static void ieee80211_chswitch_timer(unsigned long data)
 void ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
                                      struct ieee80211_channel_sw_ie *sw_elem,
-                                      struct ieee80211_bss *bss)
+                                      struct ieee80211_bss *bss,
+                                      u64 timestamp)
 {
        struct cfg80211_bss *cbss =
                container_of((void *)bss, struct cfg80211_bss, priv);
@@ -396,10 +426,29 @@ void ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
        sdata->local->csa_channel = new_ch;
+        if (sdata->local->ops->channel_switch) {
+                /* use driver's channel switch callback */
+                struct ieee80211_channel_switch ch_switch;
+                memset(&ch_switch, 0, sizeof(ch_switch));
+                ch_switch.timestamp = timestamp;
+                if (sw_elem->mode) {
+                        ch_switch.block_tx = true;
+                        ieee80211_stop_queues_by_reason(&sdata->local->hw,
+                                        IEEE80211_QUEUE_STOP_REASON_CSA);
+                }
+                ch_switch.channel = new_ch;
+                ch_switch.count = sw_elem->count;
+                ifmgd->flags |= IEEE80211_STA_CSA_RECEIVED;
+                drv_channel_switch(sdata->local, &ch_switch);
+                return;
+        }
+        /* channel switch handled in software */
        if (sw_elem->count <= 1) {
                ieee80211_queue_work(&sdata->local->hw, &ifmgd->chswitch_work);
        } else {
-                ieee80211_stop_queues_by_reason(&sdata->local->hw,
+                if (sw_elem->mode)
+                        ieee80211_stop_queues_by_reason(&sdata->local->hw,
                                        IEEE80211_QUEUE_STOP_REASON_CSA);
                ifmgd->flags |= IEEE80211_STA_CSA_RECEIVED;
                mod_timer(&ifmgd->chswitch_timer,
@@ -507,7 +556,7 @@ void ieee80211_recalc_ps(struct ieee80211_local *local, s32 latency)
                s32 beaconint_us;
                if (latency < 0)
-                        latency = pm_qos_requirement(PM_QOS_NETWORK_LATENCY);
+                        latency = pm_qos_request(PM_QOS_NETWORK_LATENCY);
                beaconint_us = ieee80211_tu_to_usec(
                                        found->vif.bss_conf.beacon_int);
@@ -866,7 +915,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
        ieee80211_set_wmm_default(sdata);
        /* channel(_type) changes are handled by ieee80211_hw_config */
-        local->oper_channel_type = NL80211_CHAN_NO_HT;
+        WARN_ON(!ieee80211_set_channel_type(local, sdata, NL80211_CHAN_NO_HT));
        /* on the next assoc, re-program HT parameters */
        sdata->ht_opmode_valid = false;
@@ -883,8 +932,8 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
        ieee80211_hw_config(local, config_changed);
-        /* And the BSSID changed -- not very interesting here */
+        /* The BSSID (not really interesting) and HT changed */
-        changed |= BSS_CHANGED_BSSID;
+        changed |= BSS_CHANGED_BSSID | BSS_CHANGED_HT;
        ieee80211_bss_info_change_notify(sdata, changed);
        if (remove_sta)
@@ -1315,7 +1364,8 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
                                                        ETH_ALEN) == 0)) {
                struct ieee80211_channel_sw_ie *sw_elem =
                        (struct ieee80211_channel_sw_ie *)elems->ch_switch_elem;
-                ieee80211_sta_process_chanswitch(sdata, sw_elem, bss);
+                ieee80211_sta_process_chanswitch(sdata, sw_elem,
+                                                 bss, rx_status->mactime);
        }
 }
@@ -1642,13 +1692,52 @@ static void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
                        rma = ieee80211_rx_mgmt_disassoc(sdata, mgmt, skb->len);
                        break;
                case IEEE80211_STYPE_ACTION:
-                        if (mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)
+                        switch (mgmt->u.action.category) {
+                        case WLAN_CATEGORY_BACK: {
+                                struct ieee80211_local *local = sdata->local;
+                                int len = skb->len;
+                                struct sta_info *sta;
+                                rcu_read_lock();
+                                sta = sta_info_get(sdata, mgmt->sa);
+                                if (!sta) {
+                                        rcu_read_unlock();
+                                        break;
+                                }
+                                local_bh_disable();
+                                switch (mgmt->u.action.u.addba_req.action_code) {
+                                case WLAN_ACTION_ADDBA_REQ:
+                                        if (len < (IEEE80211_MIN_ACTION_SIZE +
+                                                   sizeof(mgmt->u.action.u.addba_req)))
+                                                break;
+                                        ieee80211_process_addba_request(local, sta, mgmt, len);
+                                        break;
+                                case WLAN_ACTION_ADDBA_RESP:
+                                        if (len < (IEEE80211_MIN_ACTION_SIZE +
+                                                   sizeof(mgmt->u.action.u.addba_resp)))
+                                                break;
+                                        ieee80211_process_addba_resp(local, sta, mgmt, len);
+                                        break;
+                                case WLAN_ACTION_DELBA:
+                                        if (len < (IEEE80211_MIN_ACTION_SIZE +
+                                                   sizeof(mgmt->u.action.u.delba)))
+                                                break;
+                                        ieee80211_process_delba(sdata, sta, mgmt, len);
+                                        break;
+                                }
+                                local_bh_enable();
+                                rcu_read_unlock();
                                break;
+                                }
-                        ieee80211_sta_process_chanswitch(sdata,
+                        case WLAN_CATEGORY_SPECTRUM_MGMT:
-                                        &mgmt->u.action.u.chan_switch.sw_elem,
+                                ieee80211_sta_process_chanswitch(sdata,
-                                        (void *)ifmgd->associated->priv);
+                                                &mgmt->u.action.u.chan_switch.sw_elem,
-                        break;
+                                                (void *)ifmgd->associated->priv,
+                                                rx_status->mactime);
+                                break;
+                        }
                }
                mutex_unlock(&ifmgd->mtx);
@@ -1671,9 +1760,45 @@ static void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
        mutex_unlock(&ifmgd->mtx);
        if (skb->len >= 24 + 2 /* mgmt + deauth reason */ &&
-            (fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_DEAUTH)
+            (fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_DEAUTH) {
-                cfg80211_send_deauth(sdata->dev, (u8 *)mgmt, skb->len);
+                struct ieee80211_local *local = sdata->local;
+                struct ieee80211_work *wk;
+                mutex_lock(&local->work_mtx);
+                list_for_each_entry(wk, &local->work_list, list) {
+                        if (wk->sdata != sdata)
+                                continue;
+                        if (wk->type != IEEE80211_WORK_ASSOC)
+                                continue;
+                        if (memcmp(mgmt->bssid, wk->filter_ta, ETH_ALEN))
+                                continue;
+                        if (memcmp(mgmt->sa, wk->filter_ta, ETH_ALEN))
+                                continue;
+                        /*
+                         * Printing the message only here means we can't
+                         * spuriously print it, but it also means that it
+                         * won't be printed when the frame comes in before
+                         * we even tried to associate or in similar cases.
+                         *
+                         * Ultimately, I suspect cfg80211 should print the
+                         * messages instead.
+                         */
+                        printk(KERN_DEBUG
+                               "%s: deauthenticated from %pM (Reason: %u)\n",
+                               sdata->name, mgmt->bssid,
+                               le16_to_cpu(mgmt->u.deauth.reason_code));
+                        list_del_rcu(&wk->list);
+                        free_work(wk);
+                        break;
+                }
+                mutex_unlock(&local->work_mtx);
+                cfg80211_send_deauth(sdata->dev, (u8 *)mgmt, skb->len);
+        }
 out:
        kfree_skb(skb);
 }
@@ -2176,7 +2301,8 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
                                continue;
                        if (wk->type != IEEE80211_WORK_DIRECT_PROBE &&
-                            wk->type != IEEE80211_WORK_AUTH)
+                            wk->type != IEEE80211_WORK_AUTH &&
+                            wk->type != IEEE80211_WORK_ASSOC)
                                continue;
                        if (memcmp(req->bss->bssid, wk->filter_ta, ETH_ALEN))
@@ -2266,7 +2392,7 @@ int ieee80211_mgd_action(struct ieee80211_sub_if_data *sdata,
        if ((chan != local->tmp_channel ||
             channel_type != local->tmp_channel_type) &&
            (chan != local->oper_channel ||
-             channel_type != local->oper_channel_type))
+             channel_type != local->_oper_channel_type))
                return -EBUSY;
        skb = dev_alloc_skb(local->hw.extra_tx_headroom + len);
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 9a08f2c446c6..be9abc2e6348 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1253,6 +1253,12 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
        if (skb_linearize(rx->skb))
                return RX_DROP_UNUSABLE;
+        /*
+         *  skb_linearize() might change the skb->data and
+         *  previously cached variables (in this case, hdr) need to
+         *  be refreshed with the new data.
+         */
+        hdr = (struct ieee80211_hdr *)rx->skb->data;
        seq = (sc & IEEE80211_SCTL_SEQ) >> 4;
        if (frag == 0) {
@@ -1812,17 +1818,26 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
                return RX_CONTINUE;
        if (ieee80211_is_back_req(bar->frame_control)) {
+                struct {
+                        __le16 control, start_seq_num;
+                } __packed bar_data;
                if (!rx->sta)
                        return RX_DROP_MONITOR;
+                if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
+                                  &bar_data, sizeof(bar_data)))
+                        return RX_DROP_MONITOR;
                spin_lock(&rx->sta->lock);
-                tid = le16_to_cpu(bar->control) >> 12;
+                tid = le16_to_cpu(bar_data.control) >> 12;
                if (!rx->sta->ampdu_mlme.tid_active_rx[tid]) {
                        spin_unlock(&rx->sta->lock);
                        return RX_DROP_MONITOR;
                }
                tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid];
-                start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4;
+                start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
                /* reset session timer */
                if (tid_agg_rx->timeout)
@@ -1929,6 +1944,9 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                if (len < IEEE80211_MIN_ACTION_SIZE + 1)
                        break;
+                if (sdata->vif.type == NL80211_IFTYPE_STATION)
+                        return ieee80211_sta_rx_mgmt(sdata, rx->skb);
                switch (mgmt->u.action.u.addba_req.action_code) {
                case WLAN_ACTION_ADDBA_REQ:
                        if (len < (IEEE80211_MIN_ACTION_SIZE +
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index e14c44195ae9..e1b0be7a57b9 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -510,7 +510,7 @@ static int ieee80211_scan_state_decision(struct ieee80211_local *local,
                bad_latency = time_after(jiffies +
                                ieee80211_scan_get_channel_time(next_chan),
                                local->leave_oper_channel_time +
-                                usecs_to_jiffies(pm_qos_requirement(PM_QOS_NETWORK_LATENCY)));
+                                usecs_to_jiffies(pm_qos_request(PM_QOS_NETWORK_LATENCY)));
                listen_int_exceeded = time_after(jiffies +
                                ieee80211_scan_get_channel_time(next_chan),
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 730197591ab5..ba9360a475b0 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -259,7 +259,7 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
        skb_queue_head_init(&sta->tx_filtered);
        for (i = 0; i < NUM_RX_DATA_QUEUES; i++)
-                sta->last_seq_ctrl[i] = cpu_to_le16(USHORT_MAX);
+                sta->last_seq_ctrl[i] = cpu_to_le16(USHRT_MAX);
 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
        printk(KERN_DEBUG "%s: Allocated STA %pM\n",
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index 48a5e80957f0..df9d45544ca5 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -145,7 +145,7 @@ enum plink_state {
 /**
 * struct sta_ampdu_mlme - STA aggregation information.
 *
- * @tid_state_rx: TID's state in Rx session state machine.
+ * @tid_active_rx: TID's state in Rx session state machine.
 * @tid_rx: aggregation info for Rx per TID
 * @tid_state_tx: TID's state in Tx session state machine.
 * @tid_tx: aggregation info for Tx per TID
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index f3841f43249e..680bcb7093db 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2251,8 +2251,9 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,
        info->control.vif = vif;
-        info->flags |= IEEE80211_TX_CTL_CLEAR_PS_FILT;
+        info->flags |= IEEE80211_TX_CTL_CLEAR_PS_FILT |
-        info->flags |= IEEE80211_TX_CTL_ASSIGN_SEQ;
+                        IEEE80211_TX_CTL_ASSIGN_SEQ |
+                        IEEE80211_TX_CTL_FIRST_FRAGMENT;
 out:
        rcu_read_unlock();
        return skb;
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 2b75b4fb68f4..5b79d552780a 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1160,18 +1160,33 @@ int ieee80211_reconfig(struct ieee80211_local *local)
        /* Finally also reconfigure all the BSS information */
        list_for_each_entry(sdata, &local->interfaces, list) {
-                u32 changed = ~0;
+                u32 changed;
                if (!ieee80211_sdata_running(sdata))
                        continue;
+                /* common change flags for all interface types */
+                changed = BSS_CHANGED_ERP_CTS_PROT |
+                          BSS_CHANGED_ERP_PREAMBLE |
+                          BSS_CHANGED_ERP_SLOT |
+                          BSS_CHANGED_HT |
+                          BSS_CHANGED_BASIC_RATES |
+                          BSS_CHANGED_BEACON_INT |
+                          BSS_CHANGED_BSSID |
+                          BSS_CHANGED_CQM;
                switch (sdata->vif.type) {
                case NL80211_IFTYPE_STATION:
-                        /* disable beacon change bits */
+                        changed |= BSS_CHANGED_ASSOC;
-                        changed &= ~(BSS_CHANGED_BEACON |
+                        ieee80211_bss_info_change_notify(sdata, changed);
-                                     BSS_CHANGED_BEACON_ENABLED);
+                        break;
-                        /* fall through */
                case NL80211_IFTYPE_ADHOC:
+                        changed |= BSS_CHANGED_IBSS;
+                        /* fall through */
                case NL80211_IFTYPE_AP:
                case NL80211_IFTYPE_MESH_POINT:
+                        changed |= BSS_CHANGED_BEACON |
+                                   BSS_CHANGED_BEACON_ENABLED;
                        ieee80211_bss_info_change_notify(sdata, changed);
                        break;
                case NL80211_IFTYPE_WDS:
diff --git a/net/mac80211/work.c b/net/mac80211/work.c
index 3dd07600199d..be3d4a698692 100644
--- a/net/mac80211/work.c
+++ b/net/mac80211/work.c
@@ -33,6 +33,7 @@
 #define IEEE80211_MAX_PROBE_TRIES 5
 enum work_action {
+        WORK_ACT_MISMATCH,
        WORK_ACT_NONE,
        WORK_ACT_TIMEOUT,
        WORK_ACT_DONE,
@@ -585,7 +586,7 @@ ieee80211_rx_mgmt_auth(struct ieee80211_work *wk,
        u16 auth_alg, auth_transaction, status_code;
        if (wk->type != IEEE80211_WORK_AUTH)
-                return WORK_ACT_NONE;
+                return WORK_ACT_MISMATCH;
        if (len < 24 + 6)
                return WORK_ACT_NONE;
@@ -636,6 +637,9 @@ ieee80211_rx_mgmt_assoc_resp(struct ieee80211_work *wk,
        struct ieee802_11_elems elems;
        u8 *pos;
+        if (wk->type != IEEE80211_WORK_ASSOC)
+                return WORK_ACT_MISMATCH;
        /*
         * AssocResp and ReassocResp have identical structure, so process both
         * of them in this function.
@@ -691,6 +695,12 @@ ieee80211_rx_mgmt_probe_resp(struct ieee80211_work *wk,
        ASSERT_WORK_MTX(local);
+        if (wk->type != IEEE80211_WORK_DIRECT_PROBE)
+                return WORK_ACT_MISMATCH;
+        if (len < 24 + 12)
+                return WORK_ACT_NONE;
        baselen = (u8 *) mgmt->u.probe_resp.variable - (u8 *) mgmt;
        if (baselen > len)
                return WORK_ACT_NONE;
@@ -705,7 +715,7 @@ static void ieee80211_work_rx_queued_mgmt(struct ieee80211_local *local,
        struct ieee80211_rx_status *rx_status;
        struct ieee80211_mgmt *mgmt;
        struct ieee80211_work *wk;
-        enum work_action rma = WORK_ACT_NONE;
+        enum work_action rma;
        u16 fc;
        rx_status = (struct ieee80211_rx_status *) skb->cb;
@@ -752,7 +762,17 @@ static void ieee80211_work_rx_queued_mgmt(struct ieee80211_local *local,
                        break;
                default:
                        WARN_ON(1);
+                        rma = WORK_ACT_NONE;
                }
+                /*
+                 * We've either received an unexpected frame, or we have
+                 * multiple work items and need to match the frame to the
+                 * right one.
+                 */
+                if (rma == WORK_ACT_MISMATCH)
+                        continue;
                /*
                 * We've processed this frame for that work, so it can't
                 * belong to another work struct.
@@ -762,6 +782,9 @@ static void ieee80211_work_rx_queued_mgmt(struct ieee80211_local *local,
        }
        switch (rma) {
+        case WORK_ACT_MISMATCH:
+                /* ignore this unmatched frame */
+                break;
        case WORK_ACT_NONE:
                break;
        case WORK_ACT_DONE:
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 18d77b5c351a..8593a77cfea9 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -314,8 +314,39 @@ config NETFILTER_XTABLES
 if NETFILTER_XTABLES
+comment "Xtables combined modules"
+config NETFILTER_XT_MARK
+        tristate 'nfmark target and match support'
+        default m if NETFILTER_ADVANCED=n
+        ---help---
+        This option adds the "MARK" target and "mark" match.
+        Netfilter mark matching allows you to match packets based on the
+        "nfmark" value in the packet.
+        The target allows you to create rules in the "mangle" table which alter
+        the netfilter mark (nfmark) field associated with the packet.
+        Prior to routing, the nfmark can influence the routing method (see
+        "Use netfilter MARK value as routing key") and can also be used by
+        other subsystems to change their behavior.
+config NETFILTER_XT_CONNMARK
+        tristate 'ctmark target and match support'
+        depends on NF_CONNTRACK
+        depends on NETFILTER_ADVANCED
+        select NF_CONNTRACK_MARK
+        ---help---
+        This option adds the "CONNMARK" target and "connmark" match.
+        Netfilter allows you to store a mark value per connection (a.k.a.
+        ctmark), similarly to the packet mark (nfmark). Using this
+        target and match, you can set and match on this mark.
 # alphabetically ordered list of targets
+comment "Xtables targets"
 config NETFILTER_XT_TARGET_CLASSIFY
        tristate '"CLASSIFY" target support'
        depends on NETFILTER_ADVANCED
@@ -332,15 +363,11 @@ config NETFILTER_XT_TARGET_CONNMARK
        tristate  '"CONNMARK" target support'
        depends on NF_CONNTRACK
        depends on NETFILTER_ADVANCED
-        select NF_CONNTRACK_MARK
+        select NETFILTER_XT_CONNMARK
-        help
+        ---help---
-          This option adds a `CONNMARK' target, which allows one to manipulate
+        This is a backwards-compat option for the user's convenience
-          the connection mark value.  Similar to the MARK target, but
+        (e.g. when running oldconfig). It selects
-          affects the connection mark value rather than the packet mark value.
+        CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
-          If you want to compile it as a module, say M here and read
-          <file:Documentation/kbuild/modules.txt>.  The module will be called
-          ipt_CONNMARK.  If unsure, say `N'.
 config NETFILTER_XT_TARGET_CONNSECMARK
        tristate '"CONNSECMARK" target support'
@@ -423,16 +450,12 @@ config NETFILTER_XT_TARGET_LED
 config NETFILTER_XT_TARGET_MARK
        tristate '"MARK" target support'
-        default m if NETFILTER_ADVANCED=n
+        depends on NETFILTER_ADVANCED
-        help
+        select NETFILTER_XT_MARK
-          This option adds a `MARK' target, which allows you to create rules
+        ---help---
-          in the `mangle' table which alter the netfilter mark (nfmark) field
+        This is a backwards-compat option for the user's convenience
-          associated with the packet prior to routing. This can change
+        (e.g. when running oldconfig). It selects
-          the routing method (see `Use netfilter MARK value as routing
+        CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
-          key') and can also be used by other subsystems to change their
-          behavior.
-          To compile it as a module, choose M here.  If unsure, say N.
 config NETFILTER_XT_TARGET_NFLOG
        tristate '"NFLOG" target support'
@@ -479,6 +502,15 @@ config NETFILTER_XT_TARGET_RATEEST
          To compile it as a module, choose M here.  If unsure, say N.
+config NETFILTER_XT_TARGET_TEE
+        tristate '"TEE" - packet cloning to alternate destiantion'
+        depends on NETFILTER_ADVANCED
+        depends on (IPV6 || IPV6=n)
+        depends on !NF_CONNTRACK || NF_CONNTRACK
+        ---help---
+        This option adds a "TEE" target with which a packet can be cloned and
+        this clone be rerouted to another nexthop.
 config NETFILTER_XT_TARGET_TPROXY
        tristate '"TPROXY" target support (EXPERIMENTAL)'
        depends on EXPERIMENTAL
@@ -552,6 +584,10 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP
          This option adds a "TCPOPTSTRIP" target, which allows you to strip
          TCP options from TCP packets.
+# alphabetically ordered list of matches
+comment "Xtables matches"
 config NETFILTER_XT_MATCH_CLUSTER
        tristate '"cluster" match support'
        depends on NF_CONNTRACK
@@ -602,14 +638,11 @@ config NETFILTER_XT_MATCH_CONNMARK
        tristate  '"connmark" connection mark match support'
        depends on NF_CONNTRACK
        depends on NETFILTER_ADVANCED
-        select NF_CONNTRACK_MARK
+        select NETFILTER_XT_CONNMARK
-        help
+        ---help---
-          This option adds a `connmark' match, which allows you to match the
+        This is a backwards-compat option for the user's convenience
-          connection mark value previously set for the session by `CONNMARK'. 
+        (e.g. when running oldconfig). It selects
+        CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
-          If you want to compile it as a module, say M here and read
-          <file:Documentation/kbuild/modules.txt>.  The module will be called
-          ipt_connmark.  If unsure, say `N'.
 config NETFILTER_XT_MATCH_CONNTRACK
        tristate '"conntrack" connection tracking match support'
@@ -733,13 +766,12 @@ config NETFILTER_XT_MATCH_MAC
 config NETFILTER_XT_MATCH_MARK
        tristate '"mark" match support'
-        default m if NETFILTER_ADVANCED=n
+        depends on NETFILTER_ADVANCED
-        help
+        select NETFILTER_XT_MARK
-          Netfilter mark matching allows you to match packets based on the
+        ---help---
-          `nfmark' value in the packet.  This can be set by the MARK target
+        This is a backwards-compat option for the user's convenience
-          (see below).
+        (e.g. when running oldconfig). It selects
+        CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
-          To compile it as a module, choose M here.  If unsure, say N.
 config NETFILTER_XT_MATCH_MULTIPORT
        tristate '"multiport" Multiple port match support'
@@ -751,6 +783,19 @@ config NETFILTER_XT_MATCH_MULTIPORT
          To compile it as a module, choose M here.  If unsure, say N.
+config NETFILTER_XT_MATCH_OSF
+        tristate '"osf" Passive OS fingerprint match'
+        depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
+        help
+          This option selects the Passive OS Fingerprinting match module
+          that allows to passively match the remote operating system by
+          analyzing incoming TCP SYN packets.
+          Rules and loading software can be downloaded from
+          http://www.ioremap.net/projects/osf
+          To compile it as a module, choose M here.  If unsure, say N.
 config NETFILTER_XT_MATCH_OWNER
        tristate '"owner" match support'
        depends on NETFILTER_ADVANCED
@@ -836,13 +881,6 @@ config NETFILTER_XT_MATCH_RECENT
        Short options are available by using 'iptables -m recent -h'
        Official Website: <http://snowman.net/projects/ipt_recent/>
-config NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
-        bool 'Enable obsolete /proc/net/ipt_recent'
-        depends on NETFILTER_XT_MATCH_RECENT && PROC_FS
-        ---help---
-        This option enables the old /proc/net/ipt_recent interface,
-        which has been obsoleted by /proc/net/xt_recent.
 config NETFILTER_XT_MATCH_SCTP
        tristate  '"sctp" protocol match support (EXPERIMENTAL)'
        depends on EXPERIMENTAL
@@ -942,19 +980,6 @@ config NETFILTER_XT_MATCH_U32
          Details and examples are in the kernel module source.
-config NETFILTER_XT_MATCH_OSF
-        tristate '"osf" Passive OS fingerprint match'
-        depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
-        help
-          This option selects the Passive OS Fingerprinting match module
-          that allows to passively match the remote operating system by
-          analyzing incoming TCP SYN packets.
-          Rules and loading software can be downloaded from
-          http://www.ioremap.net/projects/osf
-          To compile it as a module, choose M here.  If unsure, say N.
 endif # NETFILTER_XTABLES
 endmenu
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index f873644f02f6..14e3a8fd8180 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -40,15 +40,17 @@ obj-$(CONFIG_NETFILTER_TPROXY) += nf_tproxy_core.o
 # generic X tables 
 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
+# combos
+obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
+obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o
 # targets
 obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
-obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
-obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
@@ -57,6 +59,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_TEE) += xt_TEE.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
 # matches
@@ -64,7 +67,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o
-obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
@@ -76,7 +78,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
-obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
index 2c7f185dfae4..2ae747a376a5 100644
--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -209,8 +209,14 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
                 */
                from.ip = n_cp->vaddr.ip;
                port = n_cp->vport;
-                sprintf(buf, "%u,%u,%u,%u,%u,%u", NIPQUAD(from.ip),
+                snprintf(buf, sizeof(buf), "%u,%u,%u,%u,%u,%u",
-                        (ntohs(port)>>8)&255, ntohs(port)&255);
+                         ((unsigned char *)&from.ip)[0],
+                         ((unsigned char *)&from.ip)[1],
+                         ((unsigned char *)&from.ip)[2],
+                         ((unsigned char *)&from.ip)[3],
+                         ntohs(port) >> 8,
+                         ntohs(port) & 0xFF);
                buf_len = strlen(buf);
                /*
diff --git a/net/netfilter/ipvs/ip_vs_proto.c b/net/netfilter/ipvs/ip_vs_proto.c
index 7fc49f4cf5ad..2d3d5e4b35f8 100644
--- a/net/netfilter/ipvs/ip_vs_proto.c
+++ b/net/netfilter/ipvs/ip_vs_proto.c
@@ -167,26 +167,24 @@ ip_vs_tcpudp_debug_packet_v4(struct ip_vs_protocol *pp,
        ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
        if (ih == NULL)
-                sprintf(buf, "%s TRUNCATED", pp->name);
+                sprintf(buf, "TRUNCATED");
        else if (ih->frag_off & htons(IP_OFFSET))
-                sprintf(buf, "%s %pI4->%pI4 frag",
+                sprintf(buf, "%pI4->%pI4 frag", &ih->saddr, &ih->daddr);
-                        pp->name, &ih->saddr, &ih->daddr);
        else {
                __be16 _ports[2], *pptr
 ;
                pptr = skb_header_pointer(skb, offset + ih->ihl*4,
                                          sizeof(_ports), _ports);
                if (pptr == NULL)
-                        sprintf(buf, "%s TRUNCATED %pI4->%pI4",
+                        sprintf(buf, "TRUNCATED %pI4->%pI4",
-                                pp->name, &ih->saddr, &ih->daddr);
+                                &ih->saddr, &ih->daddr);
                else
-                        sprintf(buf, "%s %pI4:%u->%pI4:%u",
+                        sprintf(buf, "%pI4:%u->%pI4:%u",
-                                pp->name,
                                &ih->saddr, ntohs(pptr[0]),
                                &ih->daddr, ntohs(pptr[1]));
        }
-        pr_debug("%s: %s\n", msg, buf);
+        pr_debug("%s: %s %s\n", msg, pp->name, buf);
 }
 #ifdef CONFIG_IP_VS_IPV6
@@ -201,26 +199,24 @@ ip_vs_tcpudp_debug_packet_v6(struct ip_vs_protocol *pp,
        ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
        if (ih == NULL)
-                sprintf(buf, "%s TRUNCATED", pp->name);
+                sprintf(buf, "TRUNCATED");
        else if (ih->nexthdr == IPPROTO_FRAGMENT)
-                sprintf(buf, "%s %pI6->%pI6 frag",
+                sprintf(buf, "%pI6->%pI6 frag", &ih->saddr, &ih->daddr);
-                        pp->name, &ih->saddr, &ih->daddr);
        else {
                __be16 _ports[2], *pptr;
                pptr = skb_header_pointer(skb, offset + sizeof(struct ipv6hdr),
                                          sizeof(_ports), _ports);
                if (pptr == NULL)
-                        sprintf(buf, "%s TRUNCATED %pI6->%pI6",
+                        sprintf(buf, "TRUNCATED %pI6->%pI6",
-                                pp->name, &ih->saddr, &ih->daddr);
+                                &ih->saddr, &ih->daddr);
                else
-                        sprintf(buf, "%s %pI6:%u->%pI6:%u",
+                        sprintf(buf, "%pI6:%u->%pI6:%u",
-                                pp->name,
                                &ih->saddr, ntohs(pptr[0]),
                                &ih->daddr, ntohs(pptr[1]));
        }
-        pr_debug("%s: %s\n", msg, buf);
+        pr_debug("%s: %s %s\n", msg, pp->name, buf);
 }
 #endif
diff --git a/net/netfilter/ipvs/ip_vs_proto_ah_esp.c b/net/netfilter/ipvs/ip_vs_proto_ah_esp.c
index c30b43c36cd7..1892dfc12fdd 100644
--- a/net/netfilter/ipvs/ip_vs_proto_ah_esp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_ah_esp.c
@@ -136,12 +136,11 @@ ah_esp_debug_packet_v4(struct ip_vs_protocol *pp, const struct sk_buff *skb,
        ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
        if (ih == NULL)
-                sprintf(buf, "%s TRUNCATED", pp->name);
+                sprintf(buf, "TRUNCATED");
        else
-                sprintf(buf, "%s %pI4->%pI4",
+                sprintf(buf, "%pI4->%pI4", &ih->saddr, &ih->daddr);
-                        pp->name, &ih->saddr, &ih->daddr);
-        pr_debug("%s: %s\n", msg, buf);
+        pr_debug("%s: %s %s\n", msg, pp->name, buf);
 }
 #ifdef CONFIG_IP_VS_IPV6
@@ -154,12 +153,11 @@ ah_esp_debug_packet_v6(struct ip_vs_protocol *pp, const struct sk_buff *skb,
        ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
        if (ih == NULL)
-                sprintf(buf, "%s TRUNCATED", pp->name);
+                sprintf(buf, "TRUNCATED");
        else
-                sprintf(buf, "%s %pI6->%pI6",
+                sprintf(buf, "%pI6->%pI6", &ih->saddr, &ih->daddr);
-                        pp->name, &ih->saddr, &ih->daddr);
-        pr_debug("%s: %s\n", msg, buf);
+        pr_debug("%s: %s %s\n", msg, pp->name, buf);
 }
 #endif
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index e450cd6f4eb5..93c15a107b2c 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -270,7 +270,7 @@ ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        /* Another hack: avoid icmp_send in ip_fragment */
        skb->local_df = 1;
-        IP_VS_XMIT(PF_INET, skb, rt);
+        IP_VS_XMIT(NFPROTO_IPV4, skb, rt);
        LeaveFunction(10);
        return NF_STOLEN;
@@ -334,7 +334,7 @@ ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        /* Another hack: avoid icmp_send in ip_fragment */
        skb->local_df = 1;
-        IP_VS_XMIT(PF_INET6, skb, rt);
+        IP_VS_XMIT(NFPROTO_IPV6, skb, rt);
        LeaveFunction(10);
        return NF_STOLEN;
@@ -410,7 +410,7 @@ ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        /* Another hack: avoid icmp_send in ip_fragment */
        skb->local_df = 1;
-        IP_VS_XMIT(PF_INET, skb, rt);
+        IP_VS_XMIT(NFPROTO_IPV4, skb, rt);
        LeaveFunction(10);
        return NF_STOLEN;
@@ -486,7 +486,7 @@ ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        /* Another hack: avoid icmp_send in ip_fragment */
        skb->local_df = 1;
-        IP_VS_XMIT(PF_INET6, skb, rt);
+        IP_VS_XMIT(NFPROTO_IPV6, skb, rt);
        LeaveFunction(10);
        return NF_STOLEN;
@@ -785,7 +785,7 @@ ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        /* Another hack: avoid icmp_send in ip_fragment */
        skb->local_df = 1;
-        IP_VS_XMIT(PF_INET, skb, rt);
+        IP_VS_XMIT(NFPROTO_IPV4, skb, rt);
        LeaveFunction(10);
        return NF_STOLEN;
@@ -838,7 +838,7 @@ ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        /* Another hack: avoid icmp_send in ip_fragment */
        skb->local_df = 1;
-        IP_VS_XMIT(PF_INET6, skb, rt);
+        IP_VS_XMIT(NFPROTO_IPV6, skb, rt);
        LeaveFunction(10);
        return NF_STOLEN;
@@ -912,7 +912,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        /* Another hack: avoid icmp_send in ip_fragment */
        skb->local_df = 1;
-        IP_VS_XMIT(PF_INET, skb, rt);
+        IP_VS_XMIT(NFPROTO_IPV4, skb, rt);
        rc = NF_STOLEN;
        goto out;
@@ -987,7 +987,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        /* Another hack: avoid icmp_send in ip_fragment */
        skb->local_df = 1;
-        IP_VS_XMIT(PF_INET6, skb, rt);
+        IP_VS_XMIT(NFPROTO_IPV6, skb, rt);
        rc = NF_STOLEN;
        goto out;
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index 372e80f07a81..13fd2c55e329 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -108,7 +108,7 @@ static int amanda_help(struct sk_buff *skb,
        dataoff = protoff + sizeof(struct udphdr);
        if (dataoff >= skb->len) {
                if (net_ratelimit())
-                        printk("amanda_help: skblen = %u\n", skb->len);
+                        printk(KERN_ERR "amanda_help: skblen = %u\n", skb->len);
                return NF_ACCEPT;
        }
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 0c9bbe93cc16..eeeb8bc73982 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -319,8 +319,10 @@ begin:
         * not the expected one, we must restart lookup.
         * We probably met an item that was moved to another chain.
         */
-        if (get_nulls_value(n) != hash)
+        if (get_nulls_value(n) != hash) {
+                NF_CT_STAT_INC(net, search_restart);
                goto begin;
+        }
        local_bh_enable();
        return NULL;
@@ -422,6 +424,16 @@ __nf_conntrack_confirm(struct sk_buff *skb)
        spin_lock_bh(&nf_conntrack_lock);
+        /* We have to check the DYING flag inside the lock to prevent
+           a race against nf_ct_get_next_corpse() possibly called from
+           user context, else we insert an already 'dead' hash, blocking
+           further use of that particular connection -JM */
+        if (unlikely(nf_ct_is_dying(ct))) {
+                spin_unlock_bh(&nf_conntrack_lock);
+                return NF_ACCEPT;
+        }
        /* See if there's one in the list already, including reverse:
           NAT could have grabbed it without realizing, since we're
           not in the hash.  If there is, we lost race. */
@@ -1333,7 +1345,7 @@ static int nf_conntrack_init_init_net(void)
        }
        nf_conntrack_max = max_factor * nf_conntrack_htable_size;
-        printk("nf_conntrack version %s (%u buckets, %d max)\n",
+        printk(KERN_INFO "nf_conntrack version %s (%u buckets, %d max)\n",
               NF_CONNTRACK_VERSION, nf_conntrack_htable_size,
               nf_conntrack_max);
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
index f516961a83b4..cdcc7649476b 100644
--- a/net/netfilter/nf_conntrack_ecache.c
+++ b/net/netfilter/nf_conntrack_ecache.c
@@ -85,7 +85,8 @@ int nf_conntrack_register_notifier(struct nf_ct_event_notifier *new)
        struct nf_ct_event_notifier *notify;
        mutex_lock(&nf_ct_ecache_mutex);
-        notify = rcu_dereference(nf_conntrack_event_cb);
+        notify = rcu_dereference_protected(nf_conntrack_event_cb,
+                                           lockdep_is_held(&nf_ct_ecache_mutex));
        if (notify != NULL) {
                ret = -EBUSY;
                goto out_unlock;
@@ -105,7 +106,8 @@ void nf_conntrack_unregister_notifier(struct nf_ct_event_notifier *new)
        struct nf_ct_event_notifier *notify;
        mutex_lock(&nf_ct_ecache_mutex);
-        notify = rcu_dereference(nf_conntrack_event_cb);
+        notify = rcu_dereference_protected(nf_conntrack_event_cb,
+                                           lockdep_is_held(&nf_ct_ecache_mutex));
        BUG_ON(notify != new);
        rcu_assign_pointer(nf_conntrack_event_cb, NULL);
        mutex_unlock(&nf_ct_ecache_mutex);
@@ -118,7 +120,8 @@ int nf_ct_expect_register_notifier(struct nf_exp_event_notifier *new)
        struct nf_exp_event_notifier *notify;
        mutex_lock(&nf_ct_ecache_mutex);
-        notify = rcu_dereference(nf_expect_event_cb);
+        notify = rcu_dereference_protected(nf_expect_event_cb,
+                                           lockdep_is_held(&nf_ct_ecache_mutex));
        if (notify != NULL) {
                ret = -EBUSY;
                goto out_unlock;
@@ -138,7 +141,8 @@ void nf_ct_expect_unregister_notifier(struct nf_exp_event_notifier *new)
        struct nf_exp_event_notifier *notify;
        mutex_lock(&nf_ct_ecache_mutex);
-        notify = rcu_dereference(nf_expect_event_cb);
+        notify = rcu_dereference_protected(nf_expect_event_cb,
+                                           lockdep_is_held(&nf_ct_ecache_mutex));
        BUG_ON(notify != new);
        rcu_assign_pointer(nf_expect_event_cb, NULL);
        mutex_unlock(&nf_ct_ecache_mutex);
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 2ae3169e7633..e17cb7c7dd8f 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -573,8 +573,8 @@ static int __init nf_conntrack_ftp_init(void)
                                 ftp[i][j].tuple.src.l3num, ports[i]);
                        ret = nf_conntrack_helper_register(&ftp[i][j]);
                        if (ret) {
-                                printk("nf_ct_ftp: failed to register helper "
+                                printk(KERN_ERR "nf_ct_ftp: failed to register"
-                                       " for pf: %d port: %d\n",
+                                       " helper for pf: %d port: %d\n",
                                        ftp[i][j].tuple.src.l3num, ports[i]);
                                nf_conntrack_ftp_fini();
                                return ret;
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index a487c8038044..6eaee7c8a337 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -194,8 +194,7 @@ static int get_tpkt_data(struct sk_buff *skb, unsigned int protoff,
                        return 0;
                }
-                if (net_ratelimit())
+                pr_debug("nf_ct_h323: incomplete TPKT (fragmented?)\n");
-                        printk("nf_ct_h323: incomplete TPKT (fragmented?)\n");
                goto clear_out;
        }
@@ -608,7 +607,7 @@ static int h245_help(struct sk_buff *skb, unsigned int protoff,
      drop:
        spin_unlock_bh(&nf_h323_lock);
        if (net_ratelimit())
-                printk("nf_ct_h245: packet dropped\n");
+                pr_info("nf_ct_h245: packet dropped\n");
        return NF_DROP;
 }
@@ -1153,7 +1152,7 @@ static int q931_help(struct sk_buff *skb, unsigned int protoff,
      drop:
        spin_unlock_bh(&nf_h323_lock);
        if (net_ratelimit())
-                printk("nf_ct_q931: packet dropped\n");
+                pr_info("nf_ct_q931: packet dropped\n");
        return NF_DROP;
 }
@@ -1728,7 +1727,7 @@ static int ras_help(struct sk_buff *skb, unsigned int protoff,
      drop:
        spin_unlock_bh(&nf_h323_lock);
        if (net_ratelimit())
-                printk("nf_ct_ras: packet dropped\n");
+                pr_info("nf_ct_ras: packet dropped\n");
        return NF_DROP;
 }
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 7673930ca342..b394aa318776 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -235,7 +235,7 @@ static int __init nf_conntrack_irc_init(void)
        char *tmpname;
        if (max_dcc_channels < 1) {
-                printk("nf_ct_irc: max_dcc_channels must not be zero\n");
+                printk(KERN_ERR "nf_ct_irc: max_dcc_channels must not be zero\n");
                return -EINVAL;
        }
@@ -267,7 +267,7 @@ static int __init nf_conntrack_irc_init(void)
                ret = nf_conntrack_helper_register(&irc[i]);
                if (ret) {
-                        printk("nf_ct_irc: failed to register helper "
+                        printk(KERN_ERR "nf_ct_irc: failed to register helper "
                               "for pf: %u port: %u\n",
                               irc[i].tuple.src.l3num, ports[i]);
                        nf_conntrack_irc_fini();
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index afc52f2ee4ac..c42ff6aa441d 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -427,6 +427,17 @@ ctnetlink_proto_size(const struct nf_conn *ct)
 }
 static inline size_t
+ctnetlink_counters_size(const struct nf_conn *ct)
+{
+        if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
+                return 0;
+        return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
+               + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
+               + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
+               ;
+}
+static inline size_t
 ctnetlink_nlmsg_size(const struct nf_conn *ct)
 {
        return NLMSG_ALIGN(sizeof(struct nfgenmsg))
@@ -436,11 +447,7 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct)
               + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
               + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
               + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
-#ifdef CONFIG_NF_CT_ACCT
+               + ctnetlink_counters_size(ct)
-               + 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
-               + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
-               + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
-#endif
               + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
               + nla_total_size(0) /* CTA_PROTOINFO */
               + nla_total_size(0) /* CTA_HELP */
@@ -2050,29 +2057,29 @@ static int __init ctnetlink_init(void)
 {
        int ret;
-        printk("ctnetlink v%s: registering with nfnetlink.\n", version);
+        pr_info("ctnetlink v%s: registering with nfnetlink.\n", version);
        ret = nfnetlink_subsys_register(&ctnl_subsys);
        if (ret < 0) {
-                printk("ctnetlink_init: cannot register with nfnetlink.\n");
+                pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
                goto err_out;
        }
        ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
        if (ret < 0) {
-                printk("ctnetlink_init: cannot register exp with nfnetlink.\n");
+                pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
                goto err_unreg_subsys;
        }
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
        ret = nf_conntrack_register_notifier(&ctnl_notifier);
        if (ret < 0) {
-                printk("ctnetlink_init: cannot register notifier.\n");
+                pr_err("ctnetlink_init: cannot register notifier.\n");
                goto err_unreg_exp_subsys;
        }
        ret = nf_ct_expect_register_notifier(&ctnl_notifier_exp);
        if (ret < 0) {
-                printk("ctnetlink_init: cannot expect register notifier.\n");
+                pr_err("ctnetlink_init: cannot expect register notifier.\n");
                goto err_unreg_notifier;
        }
 #endif
@@ -2093,7 +2100,7 @@ err_out:
 static void __exit ctnetlink_exit(void)
 {
-        printk("ctnetlink: unregistering from nfnetlink.\n");
+        pr_info("ctnetlink: unregistering from nfnetlink.\n");
 #ifdef CONFIG_NF_CONNTRACK_EVENTS
        nf_ct_expect_unregister_notifier(&ctnl_notifier_exp);
@@ -2102,7 +2109,6 @@ static void __exit ctnetlink_exit(void)
        nfnetlink_subsys_unregister(&ctnl_exp_subsys);
        nfnetlink_subsys_unregister(&ctnl_subsys);
-        return;
 }
 module_init(ctnetlink_init);
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index a44fa75b5178..5886ba1d52a0 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -14,12 +14,10 @@
 #include <linux/module.h>
 #include <linux/slab.h>
 #include <linux/mutex.h>
-#include <linux/skbuff.h>
 #include <linux/vmalloc.h>
 #include <linux/stddef.h>
 #include <linux/err.h>
 #include <linux/percpu.h>
-#include <linux/moduleparam.h>
 #include <linux/notifier.h>
 #include <linux/kernel.h>
 #include <linux/netdevice.h>
@@ -119,9 +117,13 @@ void nf_ct_l3proto_module_put(unsigned short l3proto)
 {
        struct nf_conntrack_l3proto *p;
-        /* rcu_read_lock not necessary since the caller holds a reference */
+        /* rcu_read_lock not necessary since the caller holds a reference, but
+         * taken anyways to avoid lockdep warnings in __nf_ct_l3proto_find()
+         */
+        rcu_read_lock();
        p = __nf_ct_l3proto_find(l3proto);
        module_put(p->me);
+        rcu_read_unlock();
 }
 EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put);
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index b68ff15ed979..c6049c2d5ea8 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -717,12 +717,12 @@ static int __init nf_conntrack_proto_sctp_init(void)
        ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp4);
        if (ret) {
-                printk("nf_conntrack_l4proto_sctp4: protocol register failed\n");
+                pr_err("nf_conntrack_l4proto_sctp4: protocol register failed\n");
                goto out;
        }
        ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp6);
        if (ret) {
-                printk("nf_conntrack_l4proto_sctp6: protocol register failed\n");
+                pr_err("nf_conntrack_l4proto_sctp6: protocol register failed\n");
                goto cleanup_sctp4;
        }
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index c6cd1b84eddd..53d892210a04 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1393,10 +1393,8 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
        nf_ct_refresh(ct, skb, sip_timeout * HZ);
-        if (skb_is_nonlinear(skb)) {
+        if (unlikely(skb_linearize(skb)))
-                pr_debug("Copy of skbuff not supported yet.\n");
+                return NF_DROP;
-                return NF_ACCEPT;
-        }
        dptr = skb->data + dataoff;
        datalen = skb->len - dataoff;
@@ -1455,10 +1453,8 @@ static int sip_help_udp(struct sk_buff *skb, unsigned int protoff,
        nf_ct_refresh(ct, skb, sip_timeout * HZ);
-        if (skb_is_nonlinear(skb)) {
+        if (unlikely(skb_linearize(skb)))
-                pr_debug("Copy of skbuff not supported yet.\n");
+                return NF_DROP;
-                return NF_ACCEPT;
-        }
        dptr = skb->data + dataoff;
        datalen = skb->len - dataoff;
@@ -1549,8 +1545,8 @@ static int __init nf_conntrack_sip_init(void)
                        ret = nf_conntrack_helper_register(&sip[i][j]);
                        if (ret) {
-                                printk("nf_ct_sip: failed to register helper "
+                                printk(KERN_ERR "nf_ct_sip: failed to register"
-                                       "for pf: %u port: %u\n",
+                                       " helper for pf: %u port: %u\n",
                                       sip[i][j].tuple.src.l3num, ports[i]);
                                nf_conntrack_sip_fini();
                                return ret;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index faa8eb3722b9..eb973fcd67ab 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -252,12 +252,12 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
        const struct ip_conntrack_stat *st = v;
        if (v == SEQ_START_TOKEN) {
-                seq_printf(seq, "entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete\n");
+                seq_printf(seq, "entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart\n");
                return 0;
        }
        seq_printf(seq, "%08x  %08x %08x %08x %08x %08x %08x %08x "
-                        "%08x %08x %08x %08x %08x  %08x %08x %08x \n",
+                        "%08x %08x %08x %08x %08x  %08x %08x %08x %08x\n",
                   nr_conntracks,
                   st->searched,
                   st->found,
@@ -274,7 +274,8 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
                   st->expect_new,
                   st->expect_create,
-                   st->expect_delete
+                   st->expect_delete,
+                   st->search_restart
                );
        return 0;
 }
@@ -445,7 +446,7 @@ out_kmemdup:
        if (net_eq(net, &init_net))
                unregister_sysctl_table(nf_ct_netfilter_header);
 out:
-        printk("nf_conntrack: can't register to sysctl.\n");
+        printk(KERN_ERR "nf_conntrack: can't register to sysctl.\n");
        return -ENOMEM;
 }
diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c
index 46e646b2e9b9..75466fd72f4f 100644
--- a/net/netfilter/nf_conntrack_tftp.c
+++ b/net/netfilter/nf_conntrack_tftp.c
@@ -138,8 +138,8 @@ static int __init nf_conntrack_tftp_init(void)
                        ret = nf_conntrack_helper_register(&tftp[i][j]);
                        if (ret) {
-                                printk("nf_ct_tftp: failed to register helper "
+                                printk(KERN_ERR "nf_ct_tftp: failed to register"
-                                       "for pf: %u port: %u\n",
+                                       " helper for pf: %u port: %u\n",
                                        tftp[i][j].tuple.src.l3num, ports[i]);
                                nf_conntrack_tftp_fini();
                                return ret;
diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h
index bf6609978af7..770f76432ad0 100644
--- a/net/netfilter/nf_internals.h
+++ b/net/netfilter/nf_internals.h
@@ -6,7 +6,7 @@
 #include <linux/netdevice.h>
 #ifdef CONFIG_NETFILTER_DEBUG
-#define NFDEBUG(format, args...)  printk(format , ## args)
+#define NFDEBUG(format, args...)  printk(KERN_DEBUG format , ## args)
 #else
 #define NFDEBUG(format, args...)
 #endif
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 015725a5cd50..7df37fd786bc 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -52,7 +52,8 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger)
        } else {
                /* register at end of list to honor first register win */
                list_add_tail(&logger->list[pf], &nf_loggers_l[pf]);
-                llog = rcu_dereference(nf_loggers[pf]);
+                llog = rcu_dereference_protected(nf_loggers[pf],
+                                                 lockdep_is_held(&nf_log_mutex));
                if (llog == NULL)
                        rcu_assign_pointer(nf_loggers[pf], logger);
        }
@@ -70,7 +71,8 @@ void nf_log_unregister(struct nf_logger *logger)
        mutex_lock(&nf_log_mutex);
        for (i = 0; i < ARRAY_SIZE(nf_loggers); i++) {
-                c_logger = rcu_dereference(nf_loggers[i]);
+                c_logger = rcu_dereference_protected(nf_loggers[i],
+                                                     lockdep_is_held(&nf_log_mutex));
                if (c_logger == logger)
                        rcu_assign_pointer(nf_loggers[i], NULL);
                list_del(&logger->list[i]);
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index c49ef219899e..78b3cf9c519c 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -9,6 +9,7 @@
 #include <linux/rcupdate.h>
 #include <net/protocol.h>
 #include <net/netfilter/nf_queue.h>
+#include <net/dst.h>
 #include "nf_internals.h"
@@ -170,6 +171,7 @@ static int __nf_queue(struct sk_buff *skb,
                        dev_hold(physoutdev);
        }
 #endif
+        skb_dst_force(skb);
        afinfo->saveroute(skb, entry);
        status = qh->outfn(entry, queuenum);
@@ -279,7 +281,6 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
        }
        rcu_read_unlock();
        kfree(entry);
-        return;
 }
 EXPORT_SYMBOL(nf_reinject);
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 6afa3d52ea5f..b4a4532823e8 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -18,12 +18,9 @@
 #include <linux/types.h>
 #include <linux/socket.h>
 #include <linux/kernel.h>
-#include <linux/major.h>
-#include <linux/timer.h>
 #include <linux/string.h>
 #include <linux/sockios.h>
 #include <linux/net.h>
-#include <linux/fcntl.h>
 #include <linux/skbuff.h>
 #include <asm/uaccess.h>
 #include <asm/system.h>
@@ -215,13 +212,13 @@ static struct pernet_operations nfnetlink_net_ops = {
 static int __init nfnetlink_init(void)
 {
-        printk("Netfilter messages via NETLINK v%s.\n", nfversion);
+        pr_info("Netfilter messages via NETLINK v%s.\n", nfversion);
        return register_pernet_subsys(&nfnetlink_net_ops);
 }
 static void __exit nfnetlink_exit(void)
 {
-        printk("Removing netfilter NETLINK layer.\n");
+        pr_info("Removing netfilter NETLINK layer.\n");
        unregister_pernet_subsys(&nfnetlink_net_ops);
 }
 module_init(nfnetlink_init);
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 203643fb2c52..fc9a211e629e 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -297,7 +297,7 @@ nfulnl_alloc_skb(unsigned int inst_size, unsigned int pkt_size)
        n = max(inst_size, pkt_size);
        skb = alloc_skb(n, GFP_ATOMIC);
        if (!skb) {
-                PRINTR("nfnetlink_log: can't alloc whole buffer (%u bytes)\n",
+                pr_notice("nfnetlink_log: can't alloc whole buffer (%u bytes)\n",
                        inst_size);
                if (n > pkt_size) {
@@ -306,7 +306,7 @@ nfulnl_alloc_skb(unsigned int inst_size, unsigned int pkt_size)
                        skb = alloc_skb(pkt_size, GFP_ATOMIC);
                        if (!skb)
-                                PRINTR("nfnetlink_log: can't even alloc %u "
+                                pr_err("nfnetlink_log: can't even alloc %u "
                                       "bytes\n", pkt_size);
                }
        }
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index e70a6ef1f4f2..12e1ab37fcd8 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -246,8 +246,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
                break;
        case NFQNL_COPY_PACKET:
-                if ((entskb->ip_summed == CHECKSUM_PARTIAL ||
+                if (entskb->ip_summed == CHECKSUM_PARTIAL &&
-                     entskb->ip_summed == CHECKSUM_COMPLETE) &&
                    skb_checksum_help(entskb)) {
                        spin_unlock_bh(&queue->lock);
                        return NULL;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 665f5beef6ad..e34622fa0003 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -12,7 +12,7 @@
 * published by the Free Software Foundation.
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/kernel.h>
 #include <linux/socket.h>
 #include <linux/net.h>
@@ -55,12 +55,6 @@ struct xt_af {
 static struct xt_af *xt;
-#ifdef DEBUG_IP_FIREWALL_USER
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
 static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
        [NFPROTO_UNSPEC] = "x",
        [NFPROTO_IPV4]   = "ip",
@@ -69,6 +63,9 @@ static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
        [NFPROTO_IPV6]   = "ip6",
 };
+/* Allow this many total (re)entries. */
+static const unsigned int xt_jumpstack_multiplier = 2;
 /* Registration hooks for targets. */
 int
 xt_register_target(struct xt_target *target)
@@ -221,6 +218,17 @@ struct xt_match *xt_find_match(u8 af, const char *name, u8 revision)
 }
 EXPORT_SYMBOL(xt_find_match);
+struct xt_match *
+xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
+{
+        struct xt_match *match;
+        match = try_then_request_module(xt_find_match(nfproto, name, revision),
+                                        "%st_%s", xt_prefix[nfproto], name);
+        return (match != NULL) ? match : ERR_PTR(-ENOENT);
+}
+EXPORT_SYMBOL_GPL(xt_request_find_match);
 /* Find target, grabs ref.  Returns ERR_PTR() on error. */
 struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
 {
@@ -257,9 +265,7 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
        target = try_then_request_module(xt_find_target(af, name, revision),
                                         "%st_%s", xt_prefix[af], name);
-        if (IS_ERR(target) || !target)
+        return (target != NULL) ? target : ERR_PTR(-ENOENT);
-                return NULL;
-        return target;
 }
 EXPORT_SYMBOL_GPL(xt_request_find_target);
@@ -361,6 +367,8 @@ static char *textify_hooks(char *buf, size_t size, unsigned int mask)
 int xt_check_match(struct xt_mtchk_param *par,
                   unsigned int size, u_int8_t proto, bool inv_proto)
 {
+        int ret;
        if (XT_ALIGN(par->match->matchsize) != size &&
            par->match->matchsize != -1) {
                /*
@@ -397,8 +405,14 @@ int xt_check_match(struct xt_mtchk_param *par,
                       par->match->proto);
                return -EINVAL;
        }
-        if (par->match->checkentry != NULL && !par->match->checkentry(par))
+        if (par->match->checkentry != NULL) {
-                return -EINVAL;
+                ret = par->match->checkentry(par);
+                if (ret < 0)
+                        return ret;
+                else if (ret > 0)
+                        /* Flag up potential errors. */
+                        return -EIO;
+        }
        return 0;
 }
 EXPORT_SYMBOL_GPL(xt_check_match);
@@ -518,6 +532,8 @@ EXPORT_SYMBOL_GPL(xt_compat_match_to_user);
 int xt_check_target(struct xt_tgchk_param *par,
                    unsigned int size, u_int8_t proto, bool inv_proto)
 {
+        int ret;
        if (XT_ALIGN(par->target->targetsize) != size) {
                pr_err("%s_tables: %s.%u target: invalid size "
                       "%u (kernel) != (user) %u\n",
@@ -549,8 +565,14 @@ int xt_check_target(struct xt_tgchk_param *par,
                       par->target->proto);
                return -EINVAL;
        }
-        if (par->target->checkentry != NULL && !par->target->checkentry(par))
+        if (par->target->checkentry != NULL) {
-                return -EINVAL;
+                ret = par->target->checkentry(par);
+                if (ret < 0)
+                        return ret;
+                else if (ret > 0)
+                        /* Flag up potential errors. */
+                        return -EIO;
+        }
        return 0;
 }
 EXPORT_SYMBOL_GPL(xt_check_target);
@@ -662,6 +684,24 @@ void xt_free_table_info(struct xt_table_info *info)
                else
                        vfree(info->entries[cpu]);
        }
+        if (info->jumpstack != NULL) {
+                if (sizeof(void *) * info->stacksize > PAGE_SIZE) {
+                        for_each_possible_cpu(cpu)
+                                vfree(info->jumpstack[cpu]);
+                } else {
+                        for_each_possible_cpu(cpu)
+                                kfree(info->jumpstack[cpu]);
+                }
+        }
+        if (sizeof(void **) * nr_cpu_ids > PAGE_SIZE)
+                vfree(info->jumpstack);
+        else
+                kfree(info->jumpstack);
+        free_percpu(info->stackptr);
        kfree(info);
 }
 EXPORT_SYMBOL(xt_free_table_info);
@@ -706,6 +746,44 @@ EXPORT_SYMBOL_GPL(xt_compat_unlock);
 DEFINE_PER_CPU(struct xt_info_lock, xt_info_locks);
 EXPORT_PER_CPU_SYMBOL_GPL(xt_info_locks);
+static int xt_jumpstack_alloc(struct xt_table_info *i)
+{
+        unsigned int size;
+        int cpu;
+        i->stackptr = alloc_percpu(unsigned int);
+        if (i->stackptr == NULL)
+                return -ENOMEM;
+        size = sizeof(void **) * nr_cpu_ids;
+        if (size > PAGE_SIZE)
+                i->jumpstack = vmalloc(size);
+        else
+                i->jumpstack = kmalloc(size, GFP_KERNEL);
+        if (i->jumpstack == NULL)
+                return -ENOMEM;
+        memset(i->jumpstack, 0, size);
+        i->stacksize *= xt_jumpstack_multiplier;
+        size = sizeof(void *) * i->stacksize;
+        for_each_possible_cpu(cpu) {
+                if (size > PAGE_SIZE)
+                        i->jumpstack[cpu] = vmalloc_node(size,
+                                cpu_to_node(cpu));
+                else
+                        i->jumpstack[cpu] = kmalloc_node(size,
+                                GFP_KERNEL, cpu_to_node(cpu));
+                if (i->jumpstack[cpu] == NULL)
+                        /*
+                         * Freeing will be done later on by the callers. The
+                         * chain is: xt_replace_table -> __do_replace ->
+                         * do_replace -> xt_free_table_info.
+                         */
+                        return -ENOMEM;
+        }
+        return 0;
+}
 struct xt_table_info *
 xt_replace_table(struct xt_table *table,
@@ -714,6 +792,13 @@ xt_replace_table(struct xt_table *table,
              int *error)
 {
        struct xt_table_info *private;
+        int ret;
+        ret = xt_jumpstack_alloc(newinfo);
+        if (ret < 0) {
+                *error = ret;
+                return NULL;
+        }
        /* Do the substitution. */
        local_bh_disable();
@@ -721,7 +806,7 @@ xt_replace_table(struct xt_table *table,
        /* Check inside lock: is the old number correct? */
        if (num_counters != private->number) {
-                duprintf("num_counters != table->private->number (%u/%u)\n",
+                pr_debug("num_counters != table->private->number (%u/%u)\n",
                         num_counters, private->number);
                local_bh_enable();
                *error = -EAGAIN;
@@ -778,7 +863,7 @@ struct xt_table *xt_register_table(struct net *net,
                goto unlock;
        private = table->private;
-        duprintf("table->private->number = %u\n", private->number);
+        pr_debug("table->private->number = %u\n", private->number);
        /* save number of initial entries */
        private->initial_entries = private->number;
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index 011bc80dd2a1..c2c0e4abeb99 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -27,7 +27,7 @@ MODULE_ALIAS("ipt_CLASSIFY");
 MODULE_ALIAS("ip6t_CLASSIFY");
 static unsigned int
-classify_tg(struct sk_buff *skb, const struct xt_target_param *par)
+classify_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct xt_classify_target_info *clinfo = par->targinfo;
diff --git a/net/netfilter/xt_CONNMARK.c b/net/netfilter/xt_CONNMARK.c
deleted file mode 100644
index 593457068ae1..000000000000
--- a/net/netfilter/xt_CONNMARK.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/*
- *      xt_CONNMARK - Netfilter module to modify the connection mark values
- *
- *      Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
- *      by Henrik Nordstrom <hno@marasystems.com>
- *      Copyright © CC Computer Consultants GmbH, 2007 - 2008
- *      Jan Engelhardt <jengelh@computergmbh.de>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- */
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <net/checksum.h>
-MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
-MODULE_DESCRIPTION("Xtables: connection mark modification");
-MODULE_LICENSE("GPL");
-MODULE_ALIAS("ipt_CONNMARK");
-MODULE_ALIAS("ip6t_CONNMARK");
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter/xt_CONNMARK.h>
-#include <net/netfilter/nf_conntrack_ecache.h>
-static unsigned int
-connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
-{
-        const struct xt_connmark_tginfo1 *info = par->targinfo;
-        enum ip_conntrack_info ctinfo;
-        struct nf_conn *ct;
-        u_int32_t newmark;
-        ct = nf_ct_get(skb, &ctinfo);
-        if (ct == NULL)
-                return XT_CONTINUE;
-        switch (info->mode) {
-        case XT_CONNMARK_SET:
-                newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
-                if (ct->mark != newmark) {
-                        ct->mark = newmark;
-                        nf_conntrack_event_cache(IPCT_MARK, ct);
-                }
-                break;
-        case XT_CONNMARK_SAVE:
-                newmark = (ct->mark & ~info->ctmask) ^
-                          (skb->mark & info->nfmask);
-                if (ct->mark != newmark) {
-                        ct->mark = newmark;
-                        nf_conntrack_event_cache(IPCT_MARK, ct);
-                }
-                break;
-        case XT_CONNMARK_RESTORE:
-                newmark = (skb->mark & ~info->nfmask) ^
-                          (ct->mark & info->ctmask);
-                skb->mark = newmark;
-                break;
-        }
-        return XT_CONTINUE;
-}
-static bool connmark_tg_check(const struct xt_tgchk_param *par)
-{
-        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
-                printk(KERN_WARNING "cannot load conntrack support for "
-                       "proto=%u\n", par->family);
-                return false;
-        }
-        return true;
-}
-static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
-{
-        nf_ct_l3proto_module_put(par->family);
-}
-static struct xt_target connmark_tg_reg __read_mostly = {
-        .name           = "CONNMARK",
-        .revision       = 1,
-        .family         = NFPROTO_UNSPEC,
-        .checkentry     = connmark_tg_check,
-        .target         = connmark_tg,
-        .targetsize     = sizeof(struct xt_connmark_tginfo1),
-        .destroy        = connmark_tg_destroy,
-        .me             = THIS_MODULE,
-};
-static int __init connmark_tg_init(void)
-{
-        return xt_register_target(&connmark_tg_reg);
-}
-static void __exit connmark_tg_exit(void)
-{
-        xt_unregister_target(&connmark_tg_reg);
-}
-module_init(connmark_tg_init);
-module_exit(connmark_tg_exit);
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index b54c3756fdc3..e04dc282e3bb 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -15,6 +15,7 @@
 * published by the Free Software Foundation.
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter/x_tables.h>
@@ -22,8 +23,6 @@
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_ecache.h>
-#define PFX "CONNSECMARK: "
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
 MODULE_DESCRIPTION("Xtables: target for copying between connection and security mark");
@@ -65,7 +64,7 @@ static void secmark_restore(struct sk_buff *skb)
 }
 static unsigned int
-connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
+connsecmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct xt_connsecmark_target_info *info = par->targinfo;
@@ -85,15 +84,16 @@ connsecmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return XT_CONTINUE;
 }
-static bool connsecmark_tg_check(const struct xt_tgchk_param *par)
+static int connsecmark_tg_check(const struct xt_tgchk_param *par)
 {
        const struct xt_connsecmark_target_info *info = par->targinfo;
+        int ret;
        if (strcmp(par->table, "mangle") != 0 &&
            strcmp(par->table, "security") != 0) {
-                printk(KERN_INFO PFX "target only valid in the \'mangle\' "
+                pr_info("target only valid in the \'mangle\' "
-                       "or \'security\' tables, not \'%s\'.\n", par->table);
+                        "or \'security\' tables, not \'%s\'.\n", par->table);
-                return false;
+                return -EINVAL;
        }
        switch (info->mode) {
@@ -102,16 +102,15 @@ static bool connsecmark_tg_check(const struct xt_tgchk_param *par)
                break;
        default:
-                printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode);
+                pr_info("invalid mode: %hu\n", info->mode);
-                return false;
+                return -EINVAL;
        }
-        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+        ret = nf_ct_l3proto_try_module_get(par->family);
-                printk(KERN_WARNING "can't load conntrack support for "
+        if (ret < 0)
-                                    "proto=%u\n", par->family);
+                pr_info("cannot load conntrack support for proto=%u\n",
-                return false;
+                        par->family);
-        }
+        return ret;
-        return true;
 }
 static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index ee18b231b950..562bf3266e04 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -20,7 +20,7 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 static unsigned int xt_ct_target(struct sk_buff *skb,
-                                 const struct xt_target_param *par)
+                                 const struct xt_action_param *par)
 {
        const struct xt_ct_target_info *info = par->targinfo;
        struct nf_conn *ct = info->ct;
@@ -38,13 +38,13 @@ static unsigned int xt_ct_target(struct sk_buff *skb,
 static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
 {
-        if (par->family == AF_INET) {
+        if (par->family == NFPROTO_IPV4) {
                const struct ipt_entry *e = par->entryinfo;
                if (e->ip.invflags & IPT_INV_PROTO)
                        return 0;
                return e->ip.proto;
-        } else if (par->family == AF_INET6) {
+        } else if (par->family == NFPROTO_IPV6) {
                const struct ip6t_entry *e = par->entryinfo;
                if (e->ipv6.invflags & IP6T_INV_PROTO)
@@ -54,16 +54,17 @@ static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
                return 0;
 }
-static bool xt_ct_tg_check(const struct xt_tgchk_param *par)
+static int xt_ct_tg_check(const struct xt_tgchk_param *par)
 {
        struct xt_ct_target_info *info = par->targinfo;
        struct nf_conntrack_tuple t;
        struct nf_conn_help *help;
        struct nf_conn *ct;
+        int ret = 0;
        u8 proto;
        if (info->flags & ~XT_CT_NOTRACK)
-                return false;
+                return -EINVAL;
        if (info->flags & XT_CT_NOTRACK) {
                ct = &nf_conntrack_untracked;
@@ -76,28 +77,34 @@ static bool xt_ct_tg_check(const struct xt_tgchk_param *par)
                goto err1;
 #endif
-        if (nf_ct_l3proto_try_module_get(par->family) < 0)
+        ret = nf_ct_l3proto_try_module_get(par->family);
+        if (ret < 0)
                goto err1;
        memset(&t, 0, sizeof(t));
        ct = nf_conntrack_alloc(par->net, info->zone, &t, &t, GFP_KERNEL);
+        ret = PTR_ERR(ct);
        if (IS_ERR(ct))
                goto err2;
+        ret = 0;
        if ((info->ct_events || info->exp_events) &&
            !nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events,
                                  GFP_KERNEL))
                goto err3;
        if (info->helper[0]) {
+                ret = -ENOENT;
                proto = xt_ct_find_proto(par);
                if (!proto)
                        goto err3;
+                ret = -ENOMEM;
                help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
                if (help == NULL)
                        goto err3;
+                ret = -ENOENT;
                help->helper = nf_conntrack_helper_try_module_get(info->helper,
                                                                  par->family,
                                                                  proto);
@@ -109,14 +116,14 @@ static bool xt_ct_tg_check(const struct xt_tgchk_param *par)
        __set_bit(IPS_CONFIRMED_BIT, &ct->status);
 out:
        info->ct = ct;
-        return true;
+        return 0;
 err3:
        nf_conntrack_free(ct);
 err2:
        nf_ct_l3proto_module_put(par->family);
 err1:
-        return false;
+        return ret;
 }
 static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
@@ -138,7 +145,7 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
 static struct xt_target xt_ct_tg __read_mostly = {
        .name           = "CT",
        .family         = NFPROTO_UNSPEC,
-        .targetsize     = XT_ALIGN(sizeof(struct xt_ct_target_info)),
+        .targetsize     = sizeof(struct xt_ct_target_info),
        .checkentry     = xt_ct_tg_check,
        .destroy        = xt_ct_tg_destroy,
        .target         = xt_ct_target,
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 74ce89260056..0a229191e55b 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -9,7 +9,7 @@
 *
 * See RFC2474 for a description of the DSCP field within the IP Header.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
@@ -28,7 +28,7 @@ MODULE_ALIAS("ipt_TOS");
 MODULE_ALIAS("ip6t_TOS");
 static unsigned int
-dscp_tg(struct sk_buff *skb, const struct xt_target_param *par)
+dscp_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct xt_DSCP_info *dinfo = par->targinfo;
        u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -45,7 +45,7 @@ dscp_tg(struct sk_buff *skb, const struct xt_target_param *par)
 }
 static unsigned int
-dscp_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+dscp_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct xt_DSCP_info *dinfo = par->targinfo;
        u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -60,19 +60,19 @@ dscp_tg6(struct sk_buff *skb, const struct xt_target_param *par)
        return XT_CONTINUE;
 }
-static bool dscp_tg_check(const struct xt_tgchk_param *par)
+static int dscp_tg_check(const struct xt_tgchk_param *par)
 {
        const struct xt_DSCP_info *info = par->targinfo;
        if (info->dscp > XT_DSCP_MAX) {
-                printk(KERN_WARNING "DSCP: dscp %x out of range\n", info->dscp);
+                pr_info("dscp %x out of range\n", info->dscp);
-                return false;
+                return -EDOM;
        }
-        return true;
+        return 0;
 }
 static unsigned int
-tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
+tos_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct xt_tos_target_info *info = par->targinfo;
        struct iphdr *iph = ip_hdr(skb);
@@ -92,7 +92,7 @@ tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
 }
 static unsigned int
-tos_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+tos_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct xt_tos_target_info *info = par->targinfo;
        struct ipv6hdr *iph = ipv6_hdr(skb);
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 10e789e2d12a..95b084800fcc 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -9,7 +9,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
@@ -26,7 +26,7 @@ MODULE_DESCRIPTION("Xtables: Hoplimit/TTL Limit field modification target");
 MODULE_LICENSE("GPL");
 static unsigned int
-ttl_tg(struct sk_buff *skb, const struct xt_target_param *par)
+ttl_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        struct iphdr *iph;
        const struct ipt_TTL_info *info = par->targinfo;
@@ -66,7 +66,7 @@ ttl_tg(struct sk_buff *skb, const struct xt_target_param *par)
 }
 static unsigned int
-hl_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+hl_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
        struct ipv6hdr *ip6h;
        const struct ip6t_HL_info *info = par->targinfo;
@@ -101,35 +101,33 @@ hl_tg6(struct sk_buff *skb, const struct xt_target_param *par)
        return XT_CONTINUE;
 }
-static bool ttl_tg_check(const struct xt_tgchk_param *par)
+static int ttl_tg_check(const struct xt_tgchk_param *par)
 {
        const struct ipt_TTL_info *info = par->targinfo;
        if (info->mode > IPT_TTL_MAXMODE) {
-                printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n",
+                pr_info("TTL: invalid or unknown mode %u\n", info->mode);
-                        info->mode);
+                return -EINVAL;
-                return false;
        }
        if (info->mode != IPT_TTL_SET && info->ttl == 0)
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
-static bool hl_tg6_check(const struct xt_tgchk_param *par)
+static int hl_tg6_check(const struct xt_tgchk_param *par)
 {
        const struct ip6t_HL_info *info = par->targinfo;
        if (info->mode > IP6T_HL_MAXMODE) {
-                printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n",
+                pr_info("invalid or unknown mode %u\n", info->mode);
-                        info->mode);
+                return -EINVAL;
-                return false;
        }
        if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
-                printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't "
+                pr_info("increment/decrement does not "
                        "make sense with value 0\n");
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 static struct xt_target hl_tg_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 3271c8e52153..a4140509eea1 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -18,7 +18,7 @@
 * 02110-1301 USA.
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter/x_tables.h>
@@ -32,18 +32,24 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Adam Nielsen <a.nielsen@shikadi.net>");
 MODULE_DESCRIPTION("Xtables: trigger LED devices on packet match");
+static LIST_HEAD(xt_led_triggers);
+static DEFINE_MUTEX(xt_led_mutex);
 /*
 * This is declared in here (the kernel module) only, to avoid having these
 * dependencies in userspace code.  This is what xt_led_info.internal_data
 * points to.
 */
 struct xt_led_info_internal {
+        struct list_head list;
+        int refcnt;
+        char *trigger_id;
        struct led_trigger netfilter_led_trigger;
        struct timer_list timer;
 };
 static unsigned int
-led_tg(struct sk_buff *skb, const struct xt_target_param *par)
+led_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct xt_led_info *ledinfo = par->targinfo;
        struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
@@ -54,7 +60,7 @@ led_tg(struct sk_buff *skb, const struct xt_target_param *par)
         */
        if ((ledinfo->delay > 0) && ledinfo->always_blink &&
            timer_pending(&ledinternal->timer))
-                led_trigger_event(&ledinternal->netfilter_led_trigger,LED_OFF);
+                led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
        led_trigger_event(&ledinternal->netfilter_led_trigger, LED_FULL);
@@ -75,54 +81,86 @@ led_tg(struct sk_buff *skb, const struct xt_target_param *par)
 static void led_timeout_callback(unsigned long data)
 {
-        struct xt_led_info *ledinfo = (struct xt_led_info *)data;
+        struct xt_led_info_internal *ledinternal = (struct xt_led_info_internal *)data;
-        struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
        led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
 }
-static bool led_tg_check(const struct xt_tgchk_param *par)
+static struct xt_led_info_internal *led_trigger_lookup(const char *name)
+{
+        struct xt_led_info_internal *ledinternal;
+        list_for_each_entry(ledinternal, &xt_led_triggers, list) {
+                if (!strcmp(name, ledinternal->netfilter_led_trigger.name)) {
+                        return ledinternal;
+                }
+        }
+        return NULL;
+}
+static int led_tg_check(const struct xt_tgchk_param *par)
 {
        struct xt_led_info *ledinfo = par->targinfo;
        struct xt_led_info_internal *ledinternal;
        int err;
        if (ledinfo->id[0] == '\0') {
-                printk(KERN_ERR KBUILD_MODNAME ": No 'id' parameter given.\n");
+                pr_info("No 'id' parameter given.\n");
-                return false;
+                return -EINVAL;
        }
-        ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
+        mutex_lock(&xt_led_mutex);
-        if (!ledinternal) {
-                printk(KERN_CRIT KBUILD_MODNAME ": out of memory\n");
+        ledinternal = led_trigger_lookup(ledinfo->id);
-                return false;
+        if (ledinternal) {
+                ledinternal->refcnt++;
+                goto out;
        }
-        ledinternal->netfilter_led_trigger.name = ledinfo->id;
+        err = -ENOMEM;
+        ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
+        if (!ledinternal)
+                goto exit_mutex_only;
+        ledinternal->trigger_id = kstrdup(ledinfo->id, GFP_KERNEL);
+        if (!ledinternal->trigger_id)
+                goto exit_internal_alloc;
+        ledinternal->refcnt = 1;
+        ledinternal->netfilter_led_trigger.name = ledinternal->trigger_id;
        err = led_trigger_register(&ledinternal->netfilter_led_trigger);
        if (err) {
-                printk(KERN_CRIT KBUILD_MODNAME
+                pr_warning("led_trigger_register() failed\n");
-                        ": led_trigger_register() failed\n");
                if (err == -EEXIST)
-                        printk(KERN_ERR KBUILD_MODNAME
+                        pr_warning("Trigger name is already in use.\n");
-                                ": Trigger name is already in use.\n");
                goto exit_alloc;
        }
        /* See if we need to set up a timer */
        if (ledinfo->delay > 0)
                setup_timer(&ledinternal->timer, led_timeout_callback,
-                            (unsigned long)ledinfo);
+                            (unsigned long)ledinternal);
+        list_add_tail(&ledinternal->list, &xt_led_triggers);
+out:
+        mutex_unlock(&xt_led_mutex);
        ledinfo->internal_data = ledinternal;
-        return true;
+        return 0;
 exit_alloc:
+        kfree(ledinternal->trigger_id);
+exit_internal_alloc:
        kfree(ledinternal);
-        return false;
+exit_mutex_only:
+        mutex_unlock(&xt_led_mutex);
+        return err;
 }
 static void led_tg_destroy(const struct xt_tgdtor_param *par)
@@ -130,10 +168,23 @@ static void led_tg_destroy(const struct xt_tgdtor_param *par)
        const struct xt_led_info *ledinfo = par->targinfo;
        struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
+        mutex_lock(&xt_led_mutex);
+        if (--ledinternal->refcnt) {
+                mutex_unlock(&xt_led_mutex);
+                return;
+        }
+        list_del(&ledinternal->list);
        if (ledinfo->delay > 0)
                del_timer_sync(&ledinternal->timer);
        led_trigger_unregister(&ledinternal->netfilter_led_trigger);
+        mutex_unlock(&xt_led_mutex);
+        kfree(ledinternal->trigger_id);
        kfree(ledinternal);
 }
@@ -142,7 +193,7 @@ static struct xt_target led_tg_reg __read_mostly = {
        .revision       = 0,
        .family         = NFPROTO_UNSPEC,
        .target         = led_tg,
-        .targetsize     = XT_ALIGN(sizeof(struct xt_led_info)),
+        .targetsize     = sizeof(struct xt_led_info),
        .checkentry     = led_tg_check,
        .destroy        = led_tg_destroy,
        .me             = THIS_MODULE,
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
deleted file mode 100644
index 225f8d11e173..000000000000
--- a/net/netfilter/xt_MARK.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- *      xt_MARK - Netfilter module to modify the NFMARK field of an skb
- *
- *      (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
- *      Copyright © CC Computer Consultants GmbH, 2007 - 2008
- *      Jan Engelhardt <jengelh@computergmbh.de>
- *
- *      This program is free software; you can redistribute it and/or modify
- *      it under the terms of the GNU General Public License version 2 as
- *      published by the Free Software Foundation.
- */
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <net/checksum.h>
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter/xt_MARK.h>
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("Xtables: packet mark modification");
-MODULE_ALIAS("ipt_MARK");
-MODULE_ALIAS("ip6t_MARK");
-static unsigned int
-mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
-{
-        const struct xt_mark_tginfo2 *info = par->targinfo;
-        skb->mark = (skb->mark & ~info->mask) ^ info->mark;
-        return XT_CONTINUE;
-}
-static struct xt_target mark_tg_reg __read_mostly = {
-        .name           = "MARK",
-        .revision       = 2,
-        .family         = NFPROTO_UNSPEC,
-        .target         = mark_tg,
-        .targetsize     = sizeof(struct xt_mark_tginfo2),
-        .me             = THIS_MODULE,
-};
-static int __init mark_tg_init(void)
-{
-        return xt_register_target(&mark_tg_reg);
-}
-static void __exit mark_tg_exit(void)
-{
-        xt_unregister_target(&mark_tg_reg);
-}
-module_init(mark_tg_init);
-module_exit(mark_tg_exit);
diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c
index a57c5cf018ec..a17dd0f589b2 100644
--- a/net/netfilter/xt_NFLOG.c
+++ b/net/netfilter/xt_NFLOG.c
@@ -22,7 +22,7 @@ MODULE_ALIAS("ipt_NFLOG");
 MODULE_ALIAS("ip6t_NFLOG");
 static unsigned int
-nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
+nflog_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct xt_nflog_info *info = par->targinfo;
        struct nf_loginfo li;
@@ -37,15 +37,15 @@ nflog_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return XT_CONTINUE;
 }
-static bool nflog_tg_check(const struct xt_tgchk_param *par)
+static int nflog_tg_check(const struct xt_tgchk_param *par)
 {
        const struct xt_nflog_info *info = par->targinfo;
        if (info->flags & ~XT_NFLOG_MASK)
-                return false;
+                return -EINVAL;
        if (info->prefix[sizeof(info->prefix) - 1] != '\0')
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
 static struct xt_target nflog_tg_reg __read_mostly = {
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 12dcd7007c3e..039cce1bde3d 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -31,7 +31,7 @@ static u32 jhash_initval __read_mostly;
 static bool rnd_inited __read_mostly;
 static unsigned int
-nfqueue_tg(struct sk_buff *skb, const struct xt_target_param *par)
+nfqueue_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct xt_NFQ_info *tinfo = par->targinfo;
@@ -49,17 +49,6 @@ static u32 hash_v4(const struct sk_buff *skb)
        return jhash_2words((__force u32)ipaddr, iph->protocol, jhash_initval);
 }
-static unsigned int
-nfqueue_tg4_v1(struct sk_buff *skb, const struct xt_target_param *par)
-{
-        const struct xt_NFQ_info_v1 *info = par->targinfo;
-        u32 queue = info->queuenum;
-        if (info->queues_total > 1)
-                queue = hash_v4(skb) % info->queues_total + queue;
-        return NF_QUEUE_NR(queue);
-}
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 static u32 hash_v6(const struct sk_buff *skb)
 {
@@ -73,20 +62,26 @@ static u32 hash_v6(const struct sk_buff *skb)
        return jhash2((__force u32 *)addr, ARRAY_SIZE(addr), jhash_initval);
 }
+#endif
 static unsigned int
-nfqueue_tg6_v1(struct sk_buff *skb, const struct xt_target_param *par)
+nfqueue_tg_v1(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct xt_NFQ_info_v1 *info = par->targinfo;
        u32 queue = info->queuenum;
-        if (info->queues_total > 1)
+        if (info->queues_total > 1) {
-                queue = hash_v6(skb) % info->queues_total + queue;
+                if (par->family == NFPROTO_IPV4)
+                        queue = hash_v4(skb) % info->queues_total + queue;
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+                else if (par->family == NFPROTO_IPV6)
+                        queue = hash_v6(skb) % info->queues_total + queue;
+#endif
+        }
        return NF_QUEUE_NR(queue);
 }
-#endif
-static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
+static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
 {
        const struct xt_NFQ_info_v1 *info = par->targinfo;
        u32 maxid;
@@ -97,15 +92,15 @@ static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
        }
        if (info->queues_total == 0) {
                pr_err("NFQUEUE: number of total queues is 0\n");
-                return false;
+                return -EINVAL;
        }
        maxid = info->queues_total - 1 + info->queuenum;
        if (maxid > 0xffff) {
                pr_err("NFQUEUE: number of queues (%u) out of range (got %u)\n",
                       info->queues_total, maxid);
-                return false;
+                return -ERANGE;
        }
-        return true;
+        return 0;
 }
 static struct xt_target nfqueue_tg_reg[] __read_mostly = {
@@ -119,23 +114,12 @@ static struct xt_target nfqueue_tg_reg[] __read_mostly = {
        {
                .name           = "NFQUEUE",
                .revision       = 1,
-                .family         = NFPROTO_IPV4,
+                .family         = NFPROTO_UNSPEC,
-                .checkentry     = nfqueue_tg_v1_check,
-                .target         = nfqueue_tg4_v1,
-                .targetsize     = sizeof(struct xt_NFQ_info_v1),
-                .me             = THIS_MODULE,
-        },
-#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
-        {
-                .name           = "NFQUEUE",
-                .revision       = 1,
-                .family         = NFPROTO_IPV6,
                .checkentry     = nfqueue_tg_v1_check,
-                .target         = nfqueue_tg6_v1,
+                .target         = nfqueue_tg_v1,
                .targetsize     = sizeof(struct xt_NFQ_info_v1),
                .me             = THIS_MODULE,
        },
-#endif
 };
 static int __init nfqueue_tg_init(void)
diff --git a/net/netfilter/xt_NOTRACK.c b/net/netfilter/xt_NOTRACK.c
index e7a0a54fd4ea..512b9123252f 100644
--- a/net/netfilter/xt_NOTRACK.c
+++ b/net/netfilter/xt_NOTRACK.c
@@ -13,7 +13,7 @@ MODULE_ALIAS("ipt_NOTRACK");
 MODULE_ALIAS("ip6t_NOTRACK");
 static unsigned int
-notrack_tg(struct sk_buff *skb, const struct xt_target_param *par)
+notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        /* Previously seen (loopback)? Ignore. */
        if (skb->nfct != NULL)
diff --git a/net/netfilter/xt_RATEEST.c b/net/netfilter/xt_RATEEST.c
index d16d55df4f61..69c01e10f8af 100644
--- a/net/netfilter/xt_RATEEST.c
+++ b/net/netfilter/xt_RATEEST.c
@@ -73,7 +73,7 @@ void xt_rateest_put(struct xt_rateest *est)
 EXPORT_SYMBOL_GPL(xt_rateest_put);
 static unsigned int
-xt_rateest_tg(struct sk_buff *skb, const struct xt_target_param *par)
+xt_rateest_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct xt_rateest_target_info *info = par->targinfo;
        struct gnet_stats_basic_packed *stats = &info->est->bstats;
@@ -86,7 +86,7 @@ xt_rateest_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return XT_CONTINUE;
 }
-static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
+static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
 {
        struct xt_rateest_target_info *info = par->targinfo;
        struct xt_rateest *est;
@@ -94,6 +94,7 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
                struct nlattr           opt;
                struct gnet_estimator   est;
        } cfg;
+        int ret;
        if (unlikely(!rnd_inited)) {
                get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
@@ -110,12 +111,13 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
                    (info->interval != est->params.interval ||
                     info->ewma_log != est->params.ewma_log)) {
                        xt_rateest_put(est);
-                        return false;
+                        return -EINVAL;
                }
                info->est = est;
-                return true;
+                return 0;
        }
+        ret = -ENOMEM;
        est = kzalloc(sizeof(*est), GFP_KERNEL);
        if (!est)
                goto err1;
@@ -131,19 +133,19 @@ static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
        cfg.est.interval        = info->interval;
        cfg.est.ewma_log        = info->ewma_log;
-        if (gen_new_estimator(&est->bstats, &est->rstats, &est->lock,
+        ret = gen_new_estimator(&est->bstats, &est->rstats,
-                              &cfg.opt) < 0)
+                                &est->lock, &cfg.opt);
+        if (ret < 0)
                goto err2;
        info->est = est;
        xt_rateest_hash_insert(est);
+        return 0;
-        return true;
 err2:
        kfree(est);
 err1:
-        return false;
+        return ret;
 }
 static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 7a6f9e6f5dfa..23b2d6c486b5 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -12,6 +12,7 @@
 * published by the Free Software Foundation.
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/selinux.h>
@@ -29,7 +30,7 @@ MODULE_ALIAS("ip6t_SECMARK");
 static u8 mode;
 static unsigned int
-secmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
+secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        u32 secmark = 0;
        const struct xt_secmark_target_info *info = par->targinfo;
@@ -49,7 +50,7 @@ secmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return XT_CONTINUE;
 }
-static bool checkentry_selinux(struct xt_secmark_target_info *info)
+static int checkentry_selinux(struct xt_secmark_target_info *info)
 {
        int err;
        struct xt_secmark_target_selinux_info *sel = &info->u.sel;
@@ -59,58 +60,59 @@ static bool checkentry_selinux(struct xt_secmark_target_info *info)
        err = selinux_string_to_sid(sel->selctx, &sel->selsid);
        if (err) {
                if (err == -EINVAL)
-                        printk(KERN_INFO PFX "invalid SELinux context \'%s\'\n",
+                        pr_info("invalid SELinux context \'%s\'\n",
-                               sel->selctx);
+                                sel->selctx);
-                return false;
+                return err;
        }
        if (!sel->selsid) {
-                printk(KERN_INFO PFX "unable to map SELinux context \'%s\'\n",
+                pr_info("unable to map SELinux context \'%s\'\n", sel->selctx);
-                       sel->selctx);
+                return -ENOENT;
-                return false;
        }
        err = selinux_secmark_relabel_packet_permission(sel->selsid);
        if (err) {
-                printk(KERN_INFO PFX "unable to obtain relabeling permission\n");
+                pr_info("unable to obtain relabeling permission\n");
-                return false;
+                return err;
        }
        selinux_secmark_refcount_inc();
-        return true;
+        return 0;
 }
-static bool secmark_tg_check(const struct xt_tgchk_param *par)
+static int secmark_tg_check(const struct xt_tgchk_param *par)
 {
        struct xt_secmark_target_info *info = par->targinfo;
+        int err;
        if (strcmp(par->table, "mangle") != 0 &&
            strcmp(par->table, "security") != 0) {
-                printk(KERN_INFO PFX "target only valid in the \'mangle\' "
+                pr_info("target only valid in the \'mangle\' "
-                       "or \'security\' tables, not \'%s\'.\n", par->table);
+                        "or \'security\' tables, not \'%s\'.\n", par->table);
-                return false;
+                return -EINVAL;
        }
        if (mode && mode != info->mode) {
-                printk(KERN_INFO PFX "mode already set to %hu cannot mix with "
+                pr_info("mode already set to %hu cannot mix with "
-                       "rules for mode %hu\n", mode, info->mode);
+                        "rules for mode %hu\n", mode, info->mode);
-                return false;
+                return -EINVAL;
        }
        switch (info->mode) {
        case SECMARK_MODE_SEL:
-                if (!checkentry_selinux(info))
+                err = checkentry_selinux(info);
-                        return false;
+                if (err <= 0)
+                        return err;
                break;
        default:
-                printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode);
+                pr_info("invalid mode: %hu\n", info->mode);
-                return false;
+                return -EINVAL;
        }
        if (!mode)
                mode = info->mode;
-        return true;
+        return 0;
 }
 static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index c5f4b9919e9a..62ec021fbd50 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -7,7 +7,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
@@ -68,15 +68,14 @@ tcpmss_mangle_packet(struct sk_buff *skb,
        if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
                if (dst_mtu(skb_dst(skb)) <= minlen) {
                        if (net_ratelimit())
-                                printk(KERN_ERR "xt_TCPMSS: "
+                                pr_err("unknown or invalid path-MTU (%u)\n",
-                                       "unknown or invalid path-MTU (%u)\n",
                                       dst_mtu(skb_dst(skb)));
                        return -1;
                }
                if (in_mtu <= minlen) {
                        if (net_ratelimit())
-                                printk(KERN_ERR "xt_TCPMSS: unknown or "
+                                pr_err("unknown or invalid path-MTU (%u)\n",
-                                       "invalid path-MTU (%u)\n", in_mtu);
+                                       in_mtu);
                        return -1;
                }
                newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen;
@@ -173,7 +172,7 @@ static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
 }
 static unsigned int
-tcpmss_tg4(struct sk_buff *skb, const struct xt_target_param *par)
+tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 {
        struct iphdr *iph = ip_hdr(skb);
        __be16 newlen;
@@ -196,7 +195,7 @@ tcpmss_tg4(struct sk_buff *skb, const struct xt_target_param *par)
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 static unsigned int
-tcpmss_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
        struct ipv6hdr *ipv6h = ipv6_hdr(skb);
        u8 nexthdr;
@@ -236,7 +235,7 @@ static inline bool find_syn_match(const struct xt_entry_match *m)
        return false;
 }
-static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
+static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
 {
        const struct xt_tcpmss_info *info = par->targinfo;
        const struct ipt_entry *e = par->entryinfo;
@@ -246,19 +245,19 @@ static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
            (par->hook_mask & ~((1 << NF_INET_FORWARD) |
                           (1 << NF_INET_LOCAL_OUT) |
                           (1 << NF_INET_POST_ROUTING))) != 0) {
-                printk("xt_TCPMSS: path-MTU clamping only supported in "
+                pr_info("path-MTU clamping only supported in "
-                       "FORWARD, OUTPUT and POSTROUTING hooks\n");
+                        "FORWARD, OUTPUT and POSTROUTING hooks\n");
-                return false;
+                return -EINVAL;
        }
        xt_ematch_foreach(ematch, e)
                if (find_syn_match(ematch))
-                        return true;
+                        return 0;
-        printk("xt_TCPMSS: Only works on TCP SYN packets\n");
+        pr_info("Only works on TCP SYN packets\n");
-        return false;
+        return -EINVAL;
 }
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
-static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
+static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
 {
        const struct xt_tcpmss_info *info = par->targinfo;
        const struct ip6t_entry *e = par->entryinfo;
@@ -268,15 +267,15 @@ static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
            (par->hook_mask & ~((1 << NF_INET_FORWARD) |
                           (1 << NF_INET_LOCAL_OUT) |
                           (1 << NF_INET_POST_ROUTING))) != 0) {
-                printk("xt_TCPMSS: path-MTU clamping only supported in "
+                pr_info("path-MTU clamping only supported in "
-                       "FORWARD, OUTPUT and POSTROUTING hooks\n");
+                        "FORWARD, OUTPUT and POSTROUTING hooks\n");
-                return false;
+                return -EINVAL;
        }
        xt_ematch_foreach(ematch, e)
                if (find_syn_match(ematch))
-                        return true;
+                        return 0;
-        printk("xt_TCPMSS: Only works on TCP SYN packets\n");
+        pr_info("Only works on TCP SYN packets\n");
-        return false;
+        return -EINVAL;
 }
 #endif
diff --git a/net/netfilter/xt_TCPOPTSTRIP.c b/net/netfilter/xt_TCPOPTSTRIP.c
index 9dd8c8ef63eb..9dc9ecfdd546 100644
--- a/net/netfilter/xt_TCPOPTSTRIP.c
+++ b/net/netfilter/xt_TCPOPTSTRIP.c
@@ -3,7 +3,6 @@
 *
 * Copyright (C) 2007 Sven Schnelle <svens@bitebene.org>
 * Copyright © CC Computer Consultants GmbH, 2007
- * Contact: Jan Engelhardt <jengelh@computergmbh.de>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -75,7 +74,7 @@ tcpoptstrip_mangle_packet(struct sk_buff *skb,
 }
 static unsigned int
-tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_target_param *par)
+tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 {
        return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb),
               sizeof(struct iphdr) + sizeof(struct tcphdr));
@@ -83,7 +82,7 @@ tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_target_param *par)
 #if defined(CONFIG_IP6_NF_MANGLE) || defined(CONFIG_IP6_NF_MANGLE_MODULE)
 static unsigned int
-tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_target_param *par)
+tcpoptstrip_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 {
        struct ipv6hdr *ipv6h = ipv6_hdr(skb);
        int tcphoff;
@@ -136,7 +135,7 @@ static void __exit tcpoptstrip_tg_exit(void)
 module_init(tcpoptstrip_tg_init);
 module_exit(tcpoptstrip_tg_exit);
-MODULE_AUTHOR("Sven Schnelle <svens@bitebene.org>, Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Sven Schnelle <svens@bitebene.org>, Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: TCP option stripping");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_TCPOPTSTRIP");
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
new file mode 100644
index 000000000000..859d9fd429c8
--- /dev/null
+++ b/net/netfilter/xt_TEE.c
@@ -0,0 +1,309 @@
+/*
+ *      "TEE" target extension for Xtables
+ *      Copyright © Sebastian Claßen, 2007
+ *      Jan Engelhardt, 2007-2010
+ *
+ *      based on ipt_ROUTE.c from Cédric de Launois
+ *      <delaunois@info.ucl.be>
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the GNU General Public License
+ *      version 2 or later, as published by the Free Software Foundation.
+ */
+#include <linux/ip.h>
+#include <linux/module.h>
+#include <linux/percpu.h>
+#include <linux/route.h>
+#include <linux/skbuff.h>
+#include <linux/notifier.h>
+#include <net/checksum.h>
+#include <net/icmp.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/ip6_route.h>
+#include <net/route.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_TEE.h>
+#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
+#       define WITH_CONNTRACK 1
+#       include <net/netfilter/nf_conntrack.h>
+#endif
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+#       define WITH_IPV6 1
+#endif
+struct xt_tee_priv {
+        struct notifier_block   notifier;
+        struct xt_tee_tginfo    *tginfo;
+        int                     oif;
+};
+static const union nf_inet_addr tee_zero_address;
+static DEFINE_PER_CPU(bool, tee_active);
+static struct net *pick_net(struct sk_buff *skb)
+{
+#ifdef CONFIG_NET_NS
+        const struct dst_entry *dst;
+        if (skb->dev != NULL)
+                return dev_net(skb->dev);
+        dst = skb_dst(skb);
+        if (dst != NULL && dst->dev != NULL)
+                return dev_net(dst->dev);
+#endif
+        return &init_net;
+}
+static bool
+tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
+{
+        const struct iphdr *iph = ip_hdr(skb);
+        struct net *net = pick_net(skb);
+        struct rtable *rt;
+        struct flowi fl;
+        memset(&fl, 0, sizeof(fl));
+        if (info->priv) {
+                if (info->priv->oif == -1)
+                        return false;
+                fl.oif = info->priv->oif;
+        }
+        fl.nl_u.ip4_u.daddr = info->gw.ip;
+        fl.nl_u.ip4_u.tos   = RT_TOS(iph->tos);
+        fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
+        if (ip_route_output_key(net, &rt, &fl) != 0)
+                return false;
+        skb_dst_drop(skb);
+        skb_dst_set(skb, &rt->u.dst);
+        skb->dev      = rt->u.dst.dev;
+        skb->protocol = htons(ETH_P_IP);
+        return true;
+}
+static unsigned int
+tee_tg4(struct sk_buff *skb, const struct xt_action_param *par)
+{
+        const struct xt_tee_tginfo *info = par->targinfo;
+        struct iphdr *iph;
+        if (percpu_read(tee_active))
+                return XT_CONTINUE;
+        /*
+         * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
+         * the original skb, which should continue on its way as if nothing has
+         * happened. The copy should be independently delivered to the TEE
+         * --gateway.
+         */
+        skb = pskb_copy(skb, GFP_ATOMIC);
+        if (skb == NULL)
+                return XT_CONTINUE;
+#ifdef WITH_CONNTRACK
+        /* Avoid counting cloned packets towards the original connection. */
+        nf_conntrack_put(skb->nfct);
+        skb->nfct     = &nf_conntrack_untracked.ct_general;
+        skb->nfctinfo = IP_CT_NEW;
+        nf_conntrack_get(skb->nfct);
+#endif
+        /*
+         * If we are in PREROUTING/INPUT, the checksum must be recalculated
+         * since the length could have changed as a result of defragmentation.
+         *
+         * We also decrease the TTL to mitigate potential TEE loops
+         * between two hosts.
+         *
+         * Set %IP_DF so that the original source is notified of a potentially
+         * decreased MTU on the clone route. IPv6 does this too.
+         */
+        iph = ip_hdr(skb);
+        iph->frag_off |= htons(IP_DF);
+        if (par->hooknum == NF_INET_PRE_ROUTING ||
+            par->hooknum == NF_INET_LOCAL_IN)
+                --iph->ttl;
+        ip_send_check(iph);
+        if (tee_tg_route4(skb, info)) {
+                percpu_write(tee_active, true);
+                ip_local_out(skb);
+                percpu_write(tee_active, false);
+        } else {
+                kfree_skb(skb);
+        }
+        return XT_CONTINUE;
+}
+#ifdef WITH_IPV6
+static bool
+tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
+{
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
+        struct net *net = pick_net(skb);
+        struct dst_entry *dst;
+        struct flowi fl;
+        memset(&fl, 0, sizeof(fl));
+        if (info->priv) {
+                if (info->priv->oif == -1)
+                        return false;
+                fl.oif = info->priv->oif;
+        }
+        fl.nl_u.ip6_u.daddr = info->gw.in6;
+        fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
+                                  (iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
+        dst = ip6_route_output(net, NULL, &fl);
+        if (dst == NULL)
+                return false;
+        skb_dst_drop(skb);
+        skb_dst_set(skb, dst);
+        skb->dev      = dst->dev;
+        skb->protocol = htons(ETH_P_IPV6);
+        return true;
+}
+static unsigned int
+tee_tg6(struct sk_buff *skb, const struct xt_action_param *par)
+{
+        const struct xt_tee_tginfo *info = par->targinfo;
+        if (percpu_read(tee_active))
+                return XT_CONTINUE;
+        skb = pskb_copy(skb, GFP_ATOMIC);
+        if (skb == NULL)
+                return XT_CONTINUE;
+#ifdef WITH_CONNTRACK
+        nf_conntrack_put(skb->nfct);
+        skb->nfct     = &nf_conntrack_untracked.ct_general;
+        skb->nfctinfo = IP_CT_NEW;
+        nf_conntrack_get(skb->nfct);
+#endif
+        if (par->hooknum == NF_INET_PRE_ROUTING ||
+            par->hooknum == NF_INET_LOCAL_IN) {
+                struct ipv6hdr *iph = ipv6_hdr(skb);
+                --iph->hop_limit;
+        }
+        if (tee_tg_route6(skb, info)) {
+                percpu_write(tee_active, true);
+                ip6_local_out(skb);
+                percpu_write(tee_active, false);
+        } else {
+                kfree_skb(skb);
+        }
+        return XT_CONTINUE;
+}
+#endif /* WITH_IPV6 */
+static int tee_netdev_event(struct notifier_block *this, unsigned long event,
+                            void *ptr)
+{
+        struct net_device *dev = ptr;
+        struct xt_tee_priv *priv;
+        priv = container_of(this, struct xt_tee_priv, notifier);
+        switch (event) {
+        case NETDEV_REGISTER:
+                if (!strcmp(dev->name, priv->tginfo->oif))
+                        priv->oif = dev->ifindex;
+                break;
+        case NETDEV_UNREGISTER:
+                if (dev->ifindex == priv->oif)
+                        priv->oif = -1;
+                break;
+        case NETDEV_CHANGENAME:
+                if (!strcmp(dev->name, priv->tginfo->oif))
+                        priv->oif = dev->ifindex;
+                else if (dev->ifindex == priv->oif)
+                        priv->oif = -1;
+                break;
+        }
+        return NOTIFY_DONE;
+}
+static int tee_tg_check(const struct xt_tgchk_param *par)
+{
+        struct xt_tee_tginfo *info = par->targinfo;
+        struct xt_tee_priv *priv;
+        /* 0.0.0.0 and :: not allowed */
+        if (memcmp(&info->gw, &tee_zero_address,
+                   sizeof(tee_zero_address)) == 0)
+                return -EINVAL;
+        if (info->oif[0]) {
+                if (info->oif[sizeof(info->oif)-1] != '\0')
+                        return -EINVAL;
+                priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+                if (priv == NULL)
+                        return -ENOMEM;
+                priv->tginfo  = info;
+                priv->oif     = -1;
+                priv->notifier.notifier_call = tee_netdev_event;
+                info->priv    = priv;
+                register_netdevice_notifier(&priv->notifier);
+        } else
+                info->priv = NULL;
+        return 0;
+}
+static void tee_tg_destroy(const struct xt_tgdtor_param *par)
+{
+        struct xt_tee_tginfo *info = par->targinfo;
+        if (info->priv) {
+                unregister_netdevice_notifier(&info->priv->notifier);
+                kfree(info->priv);
+        }
+}
+static struct xt_target tee_tg_reg[] __read_mostly = {
+        {
+                .name       = "TEE",
+                .revision   = 1,
+                .family     = NFPROTO_IPV4,
+                .target     = tee_tg4,
+                .targetsize = sizeof(struct xt_tee_tginfo),
+                .checkentry = tee_tg_check,
+                .destroy    = tee_tg_destroy,
+                .me         = THIS_MODULE,
+        },
+#ifdef WITH_IPV6
+        {
+                .name       = "TEE",
+                .revision   = 1,
+                .family     = NFPROTO_IPV6,
+                .target     = tee_tg6,
+                .targetsize = sizeof(struct xt_tee_tginfo),
+                .checkentry = tee_tg_check,
+                .destroy    = tee_tg_destroy,
+                .me         = THIS_MODULE,
+        },
+#endif
+};
+static int __init tee_tg_init(void)
+{
+        return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
+}
+static void __exit tee_tg_exit(void)
+{
+        xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
+}
+module_init(tee_tg_init);
+module_exit(tee_tg_exit);
+MODULE_AUTHOR("Sebastian Claßen <sebastian.classen@freenet.ag>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
+MODULE_DESCRIPTION("Xtables: Reroute packet copy");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_TEE");
+MODULE_ALIAS("ip6t_TEE");
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 1340c2fa3621..e1a0dedac258 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -9,7 +9,7 @@
 * published by the Free Software Foundation.
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
@@ -25,7 +25,7 @@
 #include <net/netfilter/nf_tproxy_core.h>
 static unsigned int
-tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par)
+tproxy_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        const struct iphdr *iph = ip_hdr(skb);
        const struct xt_tproxy_target_info *tgi = par->targinfo;
@@ -59,17 +59,17 @@ tproxy_tg(struct sk_buff *skb, const struct xt_target_param *par)
        return NF_DROP;
 }
-static bool tproxy_tg_check(const struct xt_tgchk_param *par)
+static int tproxy_tg_check(const struct xt_tgchk_param *par)
 {
        const struct ipt_ip *i = par->entryinfo;
        if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
            && !(i->invflags & IPT_INV_PROTO))
-                return true;
+                return 0;
-        pr_info("xt_TPROXY: Can be used only in combination with "
+        pr_info("Can be used only in combination with "
                "either -p tcp or -p udp\n");
-        return false;
+        return -EINVAL;
 }
 static struct xt_target tproxy_tg_reg __read_mostly = {
diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index fbb04b86c46b..df48967af382 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -11,7 +11,7 @@ MODULE_ALIAS("ipt_TRACE");
 MODULE_ALIAS("ip6t_TRACE");
 static unsigned int
-trace_tg(struct sk_buff *skb, const struct xt_target_param *par)
+trace_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
        skb->nf_trace = 1;
        return XT_CONTINUE;
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 225ee3ecd69d..30b95a1c1c89 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -5,6 +5,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/jhash.h>
@@ -85,7 +86,7 @@ xt_cluster_is_multicast_addr(const struct sk_buff *skb, u_int8_t family)
 }
 static bool
-xt_cluster_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+xt_cluster_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        struct sk_buff *pskb = (struct sk_buff *)skb;
        const struct xt_cluster_match_info *info = par->matchinfo;
@@ -131,22 +132,22 @@ xt_cluster_mt(const struct sk_buff *skb, const struct xt_match_param *par)
               !!(info->flags & XT_CLUSTER_F_INV);
 }
-static bool xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
+static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
 {
        struct xt_cluster_match_info *info = par->matchinfo;
        if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
-                printk(KERN_ERR "xt_cluster: you have exceeded the maximum "
+                pr_info("you have exceeded the maximum "
-                                "number of cluster nodes (%u > %u)\n",
+                        "number of cluster nodes (%u > %u)\n",
-                                info->total_nodes, XT_CLUSTER_NODES_MAX);
+                        info->total_nodes, XT_CLUSTER_NODES_MAX);
-                return false;
+                return -EINVAL;
        }
        if (info->node_mask >= (1ULL << info->total_nodes)) {
-                printk(KERN_ERR "xt_cluster: this node mask cannot be "
+                pr_info("this node mask cannot be "
-                                "higher than the total number of nodes\n");
+                        "higher than the total number of nodes\n");
-                return false;
+                return -EDOM;
        }
-        return true;
+        return 0;
 }
 static struct xt_match xt_cluster_match __read_mostly = {
diff --git a/net/netfilter/xt_comment.c b/net/netfilter/xt_comment.c
index e82179832acd..5c861d2f21ca 100644
--- a/net/netfilter/xt_comment.c
+++ b/net/netfilter/xt_comment.c
@@ -16,7 +16,7 @@ MODULE_ALIAS("ipt_comment");
 MODULE_ALIAS("ip6t_comment");
 static bool
-comment_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+comment_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        /* We always match */
        return true;
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index 955e6598a7f0..73517835303d 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -1,6 +1,7 @@
 /* Kernel module to match connection tracking byte counter.
 * GPL (C) 2002 Martin Devera (devik@cdi.cz).
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/bitops.h>
 #include <linux/skbuff.h>
@@ -17,7 +18,7 @@ MODULE_ALIAS("ipt_connbytes");
 MODULE_ALIAS("ip6t_connbytes");
 static bool
-connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+connbytes_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_connbytes_info *sinfo = par->matchinfo;
        const struct nf_conn *ct;
@@ -92,27 +93,26 @@ connbytes_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                return what >= sinfo->count.from;
 }
-static bool connbytes_mt_check(const struct xt_mtchk_param *par)
+static int connbytes_mt_check(const struct xt_mtchk_param *par)
 {
        const struct xt_connbytes_info *sinfo = par->matchinfo;
+        int ret;
        if (sinfo->what != XT_CONNBYTES_PKTS &&
            sinfo->what != XT_CONNBYTES_BYTES &&
            sinfo->what != XT_CONNBYTES_AVGPKT)
-                return false;
+                return -EINVAL;
        if (sinfo->direction != XT_CONNBYTES_DIR_ORIGINAL &&
            sinfo->direction != XT_CONNBYTES_DIR_REPLY &&
            sinfo->direction != XT_CONNBYTES_DIR_BOTH)
-                return false;
+                return -EINVAL;
-        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
-                printk(KERN_WARNING "can't load conntrack support for "
-                                    "proto=%u\n", par->family);
-                return false;
-        }
-        return true;
+        ret = nf_ct_l3proto_try_module_get(par->family);
+        if (ret < 0)
+                pr_info("cannot load conntrack support for proto=%u\n",
+                        par->family);
+        return ret;
 }
 static void connbytes_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 388ca4596098..5c5b6b921b84 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -5,13 +5,13 @@
 *   Nov 2002: Martin Bene <martin.bene@icomedias.com>:
 *              only ignore TIME_WAIT or gone connections
 *   (C) CC Computer Consultants GmbH, 2007
- *   Contact: <jengelh@computergmbh.de>
 *
 * based on ...
 *
 * Kernel module to match connection tracking information.
 * GPL (C) 1999  Rusty Russell (rusty@rustcorp.com.au).
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/in.h>
 #include <linux/in6.h>
 #include <linux/ip.h>
@@ -173,7 +173,7 @@ static int count_them(struct net *net,
 }
 static bool
-connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        struct net *net = dev_net(par->in ? par->in : par->out);
        const struct xt_connlimit_info *info = par->matchinfo;
@@ -206,44 +206,46 @@ connlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        if (connections < 0) {
                /* kmalloc failed, drop it entirely */
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
        return (connections > info->limit) ^ info->inverse;
 hotdrop:
-        *par->hotdrop = true;
+        par->hotdrop = true;
        return false;
 }
-static bool connlimit_mt_check(const struct xt_mtchk_param *par)
+static int connlimit_mt_check(const struct xt_mtchk_param *par)
 {
        struct xt_connlimit_info *info = par->matchinfo;
        unsigned int i;
+        int ret;
        if (unlikely(!connlimit_rnd_inited)) {
                get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd));
                connlimit_rnd_inited = true;
        }
-        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+        ret = nf_ct_l3proto_try_module_get(par->family);
-                printk(KERN_WARNING "cannot load conntrack support for "
+        if (ret < 0) {
-                       "address family %u\n", par->family);
+                pr_info("cannot load conntrack support for "
-                return false;
+                        "address family %u\n", par->family);
+                return ret;
        }
        /* init private data */
        info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL);
        if (info->data == NULL) {
                nf_ct_l3proto_module_put(par->family);
-                return false;
+                return -ENOMEM;
        }
        spin_lock_init(&info->data->lock);
        for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i)
                INIT_LIST_HEAD(&info->data->iphash[i]);
-        return true;
+        return 0;
 }
 static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 122aa8b0147b..7278145e6a68 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -1,10 +1,10 @@
 /*
- *      xt_connmark - Netfilter module to match connection mark values
+ *      xt_connmark - Netfilter module to operate on connection marks
 *
 *      Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
 *      by Henrik Nordstrom <hno@marasystems.com>
 *      Copyright © CC Computer Consultants GmbH, 2007 - 2008
- *      Jan Engelhardt <jengelh@computergmbh.de>
+ *      Jan Engelhardt <jengelh@medozas.de>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -24,17 +24,74 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_ecache.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_connmark.h>
 MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
-MODULE_DESCRIPTION("Xtables: connection mark match");
+MODULE_DESCRIPTION("Xtables: connection mark operations");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_CONNMARK");
+MODULE_ALIAS("ip6t_CONNMARK");
 MODULE_ALIAS("ipt_connmark");
 MODULE_ALIAS("ip6t_connmark");
+static unsigned int
+connmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
+{
+        const struct xt_connmark_tginfo1 *info = par->targinfo;
+        enum ip_conntrack_info ctinfo;
+        struct nf_conn *ct;
+        u_int32_t newmark;
+        ct = nf_ct_get(skb, &ctinfo);
+        if (ct == NULL)
+                return XT_CONTINUE;
+        switch (info->mode) {
+        case XT_CONNMARK_SET:
+                newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
+                if (ct->mark != newmark) {
+                        ct->mark = newmark;
+                        nf_conntrack_event_cache(IPCT_MARK, ct);
+                }
+                break;
+        case XT_CONNMARK_SAVE:
+                newmark = (ct->mark & ~info->ctmask) ^
+                          (skb->mark & info->nfmask);
+                if (ct->mark != newmark) {
+                        ct->mark = newmark;
+                        nf_conntrack_event_cache(IPCT_MARK, ct);
+                }
+                break;
+        case XT_CONNMARK_RESTORE:
+                newmark = (skb->mark & ~info->nfmask) ^
+                          (ct->mark & info->ctmask);
+                skb->mark = newmark;
+                break;
+        }
+        return XT_CONTINUE;
+}
+static int connmark_tg_check(const struct xt_tgchk_param *par)
+{
+        int ret;
+        ret = nf_ct_l3proto_try_module_get(par->family);
+        if (ret < 0)
+                pr_info("cannot load conntrack support for proto=%u\n",
+                        par->family);
+        return ret;
+}
+static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
+{
+        nf_ct_l3proto_module_put(par->family);
+}
 static bool
-connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+connmark_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_connmark_mtinfo1 *info = par->matchinfo;
        enum ip_conntrack_info ctinfo;
@@ -47,14 +104,15 @@ connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ((ct->mark & info->mask) == info->mark) ^ info->invert;
 }
-static bool connmark_mt_check(const struct xt_mtchk_param *par)
+static int connmark_mt_check(const struct xt_mtchk_param *par)
 {
-        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+        int ret;
-                printk(KERN_WARNING "cannot load conntrack support for "
-                       "proto=%u\n", par->family);
+        ret = nf_ct_l3proto_try_module_get(par->family);
-                return false;
+        if (ret < 0)
-        }
+                pr_info("cannot load conntrack support for proto=%u\n",
-        return true;
+                        par->family);
+        return ret;
 }
 static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
@@ -62,6 +120,17 @@ static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
        nf_ct_l3proto_module_put(par->family);
 }
+static struct xt_target connmark_tg_reg __read_mostly = {
+        .name           = "CONNMARK",
+        .revision       = 1,
+        .family         = NFPROTO_UNSPEC,
+        .checkentry     = connmark_tg_check,
+        .target         = connmark_tg,
+        .targetsize     = sizeof(struct xt_connmark_tginfo1),
+        .destroy        = connmark_tg_destroy,
+        .me             = THIS_MODULE,
+};
 static struct xt_match connmark_mt_reg __read_mostly = {
        .name           = "connmark",
        .revision       = 1,
@@ -75,12 +144,23 @@ static struct xt_match connmark_mt_reg __read_mostly = {
 static int __init connmark_mt_init(void)
 {
-        return xt_register_match(&connmark_mt_reg);
+        int ret;
+        ret = xt_register_target(&connmark_tg_reg);
+        if (ret < 0)
+                return ret;
+        ret = xt_register_match(&connmark_mt_reg);
+        if (ret < 0) {
+                xt_unregister_target(&connmark_tg_reg);
+                return ret;
+        }
+        return 0;
 }
 static void __exit connmark_mt_exit(void)
 {
        xt_unregister_match(&connmark_mt_reg);
+        xt_unregister_target(&connmark_tg_reg);
 }
 module_init(connmark_mt_init);
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index ae66305f0fe5..39681f10291c 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -9,7 +9,7 @@
 *      it under the terms of the GNU General Public License version 2 as
 *      published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <net/ipv6.h>
@@ -113,7 +113,7 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
 }
 static bool
-conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par,
+conntrack_mt(const struct sk_buff *skb, struct xt_action_param *par,
             u16 state_mask, u16 status_mask)
 {
        const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
@@ -191,7 +191,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par,
 }
 static bool
-conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+conntrack_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
@@ -199,21 +199,22 @@ conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
 }
 static bool
-conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par)
+conntrack_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
        return conntrack_mt(skb, par, info->state_mask, info->status_mask);
 }
-static bool conntrack_mt_check(const struct xt_mtchk_param *par)
+static int conntrack_mt_check(const struct xt_mtchk_param *par)
 {
-        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+        int ret;
-                printk(KERN_WARNING "can't load conntrack support for "
-                                    "proto=%u\n", par->family);
+        ret = nf_ct_l3proto_try_module_get(par->family);
-                return false;
+        if (ret < 0)
-        }
+                pr_info("cannot load conntrack support for proto=%u\n",
-        return true;
+                        par->family);
+        return ret;
 }
 static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_dccp.c b/net/netfilter/xt_dccp.c
index 395af5943ffd..b63d2a3d80ba 100644
--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -96,7 +96,7 @@ match_option(u_int8_t option, const struct sk_buff *skb, unsigned int protoff,
 }
 static bool
-dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+dccp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_dccp_info *info = par->matchinfo;
        const struct dccp_hdr *dh;
@@ -107,7 +107,7 @@ dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        dh = skb_header_pointer(skb, par->thoff, sizeof(_dh), &_dh);
        if (dh == NULL) {
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
@@ -120,17 +120,21 @@ dccp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                && DCCHECK(match_types(dh, info->typemask),
                           XT_DCCP_TYPE, info->flags, info->invflags)
                && DCCHECK(match_option(info->option, skb, par->thoff, dh,
-                                        par->hotdrop),
+                                        &par->hotdrop),
                           XT_DCCP_OPTION, info->flags, info->invflags);
 }
-static bool dccp_mt_check(const struct xt_mtchk_param *par)
+static int dccp_mt_check(const struct xt_mtchk_param *par)
 {
        const struct xt_dccp_info *info = par->matchinfo;
-        return !(info->flags & ~XT_DCCP_VALID_FLAGS)
+        if (info->flags & ~XT_DCCP_VALID_FLAGS)
-                && !(info->invflags & ~XT_DCCP_VALID_FLAGS)
+                return -EINVAL;
-                && !(info->invflags & ~info->flags);
+        if (info->invflags & ~XT_DCCP_VALID_FLAGS)
+                return -EINVAL;
+        if (info->invflags & ~info->flags)
+                return -EINVAL;
+        return 0;
 }
 static struct xt_match dccp_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 0280d3a8c161..64670fc5d0e1 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -6,7 +6,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_tos");
 MODULE_ALIAS("ip6t_tos");
 static bool
-dscp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+dscp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_dscp_info *info = par->matchinfo;
        u_int8_t dscp = ipv4_get_dsfield(ip_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -34,7 +34,7 @@ dscp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 }
 static bool
-dscp_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+dscp_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_dscp_info *info = par->matchinfo;
        u_int8_t dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> XT_DSCP_SHIFT;
@@ -42,23 +42,23 @@ dscp_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
        return (dscp == info->dscp) ^ !!info->invert;
 }
-static bool dscp_mt_check(const struct xt_mtchk_param *par)
+static int dscp_mt_check(const struct xt_mtchk_param *par)
 {
        const struct xt_dscp_info *info = par->matchinfo;
        if (info->dscp > XT_DSCP_MAX) {
-                printk(KERN_ERR "xt_dscp: dscp %x out of range\n", info->dscp);
+                pr_info("dscp %x out of range\n", info->dscp);
-                return false;
+                return -EDOM;
        }
-        return true;
+        return 0;
 }
-static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool tos_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_tos_match_info *info = par->matchinfo;
-        if (par->match->family == NFPROTO_IPV4)
+        if (par->family == NFPROTO_IPV4)
                return ((ip_hdr(skb)->tos & info->tos_mask) ==
                       info->tos_value) ^ !!info->invert;
        else
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 609439967c2c..171ba82b5902 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -6,7 +6,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/in.h>
@@ -24,25 +24,19 @@ MODULE_DESCRIPTION("Xtables: IPsec-ESP packet match");
 MODULE_ALIAS("ipt_esp");
 MODULE_ALIAS("ip6t_esp");
-#if 0
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
 /* Returns 1 if the spi is matched by the range, 0 otherwise */
 static inline bool
 spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
 {
        bool r;
-        duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ',
+        pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
-                 min, spi, max);
+                 invert ? '!' : ' ', min, spi, max);
        r = (spi >= min && spi <= max) ^ invert;
-        duprintf(" result %s\n", r ? "PASS" : "FAILED");
+        pr_debug(" result %s\n", r ? "PASS" : "FAILED");
        return r;
 }
-static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ip_esp_hdr *eh;
        struct ip_esp_hdr _esp;
@@ -57,8 +51,8 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                /* We've been asked to examine this packet, and we
                 * can't.  Hence, no choice but to drop.
                 */
-                duprintf("Dropping evil ESP tinygram.\n");
+                pr_debug("Dropping evil ESP tinygram.\n");
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
@@ -66,16 +60,16 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                         !!(espinfo->invflags & XT_ESP_INV_SPI));
 }
-static bool esp_mt_check(const struct xt_mtchk_param *par)
+static int esp_mt_check(const struct xt_mtchk_param *par)
 {
        const struct xt_esp *espinfo = par->matchinfo;
        if (espinfo->invflags & ~XT_ESP_INV_MASK) {
-                duprintf("xt_esp: unknown flags %X\n", espinfo->invflags);
+                pr_debug("unknown flags %X\n", espinfo->invflags);
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 static struct xt_match esp_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 215a64835de8..b46a8390896d 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -7,6 +7,7 @@
 *
 * Development of this code was funded by Astaro AG, http://www.astaro.com/
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/spinlock.h>
 #include <linux/random.h>
@@ -36,7 +37,7 @@
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: per hash-bucket rate-limit match");
 MODULE_ALIAS("ipt_hashlimit");
 MODULE_ALIAS("ip6t_hashlimit");
@@ -80,12 +81,14 @@ struct dsthash_ent {
        struct dsthash_dst dst;
        /* modified structure members in the end */
+        spinlock_t lock;
        unsigned long expires;          /* precalculated expiry time */
        struct {
                unsigned long prev;     /* last modification */
                u_int32_t credit;
                u_int32_t credit_cap, cost;
        } rateinfo;
+        struct rcu_head rcu;
 };
 struct xt_hashlimit_htable {
@@ -142,9 +145,11 @@ dsthash_find(const struct xt_hashlimit_htable *ht,
        u_int32_t hash = hash_dst(ht, dst);
        if (!hlist_empty(&ht->hash[hash])) {
-                hlist_for_each_entry(ent, pos, &ht->hash[hash], node)
+                hlist_for_each_entry_rcu(ent, pos, &ht->hash[hash], node)
-                        if (dst_cmp(ent, dst))
+                        if (dst_cmp(ent, dst)) {
+                                spin_lock(&ent->lock);
                                return ent;
+                        }
        }
        return NULL;
 }
@@ -156,9 +161,10 @@ dsthash_alloc_init(struct xt_hashlimit_htable *ht,
 {
        struct dsthash_ent *ent;
+        spin_lock(&ht->lock);
        /* initialize hash with random val at the time we allocate
         * the first hashtable entry */
-        if (!ht->rnd_initialized) {
+        if (unlikely(!ht->rnd_initialized)) {
                get_random_bytes(&ht->rnd, sizeof(ht->rnd));
                ht->rnd_initialized = true;
        }
@@ -166,106 +172,40 @@ dsthash_alloc_init(struct xt_hashlimit_htable *ht,
        if (ht->cfg.max && ht->count >= ht->cfg.max) {
                /* FIXME: do something. question is what.. */
                if (net_ratelimit())
-                        printk(KERN_WARNING
+                        pr_err("max count of %u reached\n", ht->cfg.max);
-                                "xt_hashlimit: max count of %u reached\n",
+                ent = NULL;
-                                ht->cfg.max);
+        } else
-                return NULL;
+                ent = kmem_cache_alloc(hashlimit_cachep, GFP_ATOMIC);
-        }
-        ent = kmem_cache_alloc(hashlimit_cachep, GFP_ATOMIC);
        if (!ent) {
                if (net_ratelimit())
-                        printk(KERN_ERR
+                        pr_err("cannot allocate dsthash_ent\n");
-                                "xt_hashlimit: can't allocate dsthash_ent\n");
+        } else {
-                return NULL;
+                memcpy(&ent->dst, dst, sizeof(ent->dst));
-        }
+                spin_lock_init(&ent->lock);
-        memcpy(&ent->dst, dst, sizeof(ent->dst));
-        hlist_add_head(&ent->node, &ht->hash[hash_dst(ht, dst)]);
+                spin_lock(&ent->lock);
-        ht->count++;
+                hlist_add_head_rcu(&ent->node, &ht->hash[hash_dst(ht, dst)]);
+                ht->count++;
+        }
+        spin_unlock(&ht->lock);
        return ent;
 }
-static inline void
+static void dsthash_free_rcu(struct rcu_head *head)
-dsthash_free(struct xt_hashlimit_htable *ht, struct dsthash_ent *ent)
 {
-        hlist_del(&ent->node);
+        struct dsthash_ent *ent = container_of(head, struct dsthash_ent, rcu);
        kmem_cache_free(hashlimit_cachep, ent);
-        ht->count--;
 }
-static void htable_gc(unsigned long htlong);
-static int htable_create_v0(struct net *net, struct xt_hashlimit_info *minfo, u_int8_t family)
+static inline void
+dsthash_free(struct xt_hashlimit_htable *ht, struct dsthash_ent *ent)
 {
-        struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
+        hlist_del_rcu(&ent->node);
-        struct xt_hashlimit_htable *hinfo;
+        call_rcu_bh(&ent->rcu, dsthash_free_rcu);
-        unsigned int size;
+        ht->count--;
-        unsigned int i;
-        if (minfo->cfg.size)
-                size = minfo->cfg.size;
-        else {
-                size = ((totalram_pages << PAGE_SHIFT) / 16384) /
-                       sizeof(struct list_head);
-                if (totalram_pages > (1024 * 1024 * 1024 / PAGE_SIZE))
-                        size = 8192;
-                if (size < 16)
-                        size = 16;
-        }
-        /* FIXME: don't use vmalloc() here or anywhere else -HW */
-        hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
-                        sizeof(struct list_head) * size);
-        if (!hinfo) {
-                printk(KERN_ERR "xt_hashlimit: unable to create hashtable\n");
-                return -1;
-        }
-        minfo->hinfo = hinfo;
-        /* copy match config into hashtable config */
-        hinfo->cfg.mode        = minfo->cfg.mode;
-        hinfo->cfg.avg         = minfo->cfg.avg;
-        hinfo->cfg.burst       = minfo->cfg.burst;
-        hinfo->cfg.max         = minfo->cfg.max;
-        hinfo->cfg.gc_interval = minfo->cfg.gc_interval;
-        hinfo->cfg.expire      = minfo->cfg.expire;
-        if (family == NFPROTO_IPV4)
-                hinfo->cfg.srcmask = hinfo->cfg.dstmask = 32;
-        else
-                hinfo->cfg.srcmask = hinfo->cfg.dstmask = 128;
-        hinfo->cfg.size = size;
-        if (!hinfo->cfg.max)
-                hinfo->cfg.max = 8 * hinfo->cfg.size;
-        else if (hinfo->cfg.max < hinfo->cfg.size)
-                hinfo->cfg.max = hinfo->cfg.size;
-        for (i = 0; i < hinfo->cfg.size; i++)
-                INIT_HLIST_HEAD(&hinfo->hash[i]);
-        hinfo->use = 1;
-        hinfo->count = 0;
-        hinfo->family = family;
-        hinfo->rnd_initialized = false;
-        spin_lock_init(&hinfo->lock);
-        hinfo->pde = proc_create_data(minfo->name, 0,
-                (family == NFPROTO_IPV4) ?
-                hashlimit_net->ipt_hashlimit : hashlimit_net->ip6t_hashlimit,
-                &dl_file_ops, hinfo);
-        if (!hinfo->pde) {
-                vfree(hinfo);
-                return -1;
-        }
-        hinfo->net = net;
-        setup_timer(&hinfo->timer, htable_gc, (unsigned long )hinfo);
-        hinfo->timer.expires = jiffies + msecs_to_jiffies(hinfo->cfg.gc_interval);
-        add_timer(&hinfo->timer);
-        hlist_add_head(&hinfo->node, &hashlimit_net->htables);
-        return 0;
 }
+static void htable_gc(unsigned long htlong);
 static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo,
                         u_int8_t family)
@@ -288,10 +228,8 @@ static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo,
        /* FIXME: don't use vmalloc() here or anywhere else -HW */
        hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
                        sizeof(struct list_head) * size);
-        if (hinfo == NULL) {
+        if (hinfo == NULL)
-                printk(KERN_ERR "xt_hashlimit: unable to create hashtable\n");
+                return -ENOMEM;
-                return -1;
-        }
        minfo->hinfo = hinfo;
        /* copy match config into hashtable config */
@@ -317,7 +255,7 @@ static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo,
                &dl_file_ops, hinfo);
        if (hinfo->pde == NULL) {
                vfree(hinfo);
-                return -1;
+                return -ENOMEM;
        }
        hinfo->net = net;
@@ -578,58 +516,7 @@ hashlimit_init_dst(const struct xt_hashlimit_htable *hinfo,
 }
 static bool
-hashlimit_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+hashlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
-{
-        const struct xt_hashlimit_info *r = par->matchinfo;
-        struct xt_hashlimit_htable *hinfo = r->hinfo;
-        unsigned long now = jiffies;
-        struct dsthash_ent *dh;
-        struct dsthash_dst dst;
-        if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0)
-                goto hotdrop;
-        spin_lock_bh(&hinfo->lock);
-        dh = dsthash_find(hinfo, &dst);
-        if (!dh) {
-                dh = dsthash_alloc_init(hinfo, &dst);
-                if (!dh) {
-                        spin_unlock_bh(&hinfo->lock);
-                        goto hotdrop;
-                }
-                dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
-                dh->rateinfo.prev = jiffies;
-                dh->rateinfo.credit = user2credits(hinfo->cfg.avg *
-                                                   hinfo->cfg.burst);
-                dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg *
-                                                       hinfo->cfg.burst);
-                dh->rateinfo.cost = user2credits(hinfo->cfg.avg);
-        } else {
-                /* update expiration timeout */
-                dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
-                rateinfo_recalc(dh, now);
-        }
-        if (dh->rateinfo.credit >= dh->rateinfo.cost) {
-                /* We're underlimit. */
-                dh->rateinfo.credit -= dh->rateinfo.cost;
-                spin_unlock_bh(&hinfo->lock);
-                return true;
-        }
-        spin_unlock_bh(&hinfo->lock);
-        /* default case: we're overlimit, thus don't match */
-        return false;
-hotdrop:
-        *par->hotdrop = true;
-        return false;
-}
-static bool
-hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
        const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
        struct xt_hashlimit_htable *hinfo = info->hinfo;
@@ -640,15 +527,14 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0)
                goto hotdrop;
-        spin_lock_bh(&hinfo->lock);
+        rcu_read_lock_bh();
        dh = dsthash_find(hinfo, &dst);
        if (dh == NULL) {
                dh = dsthash_alloc_init(hinfo, &dst);
                if (dh == NULL) {
-                        spin_unlock_bh(&hinfo->lock);
+                        rcu_read_unlock_bh();
                        goto hotdrop;
                }
                dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
                dh->rateinfo.prev = jiffies;
                dh->rateinfo.credit = user2credits(hinfo->cfg.avg *
@@ -665,96 +551,58 @@ hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        if (dh->rateinfo.credit >= dh->rateinfo.cost) {
                /* below the limit */
                dh->rateinfo.credit -= dh->rateinfo.cost;
-                spin_unlock_bh(&hinfo->lock);
+                spin_unlock(&dh->lock);
+                rcu_read_unlock_bh();
                return !(info->cfg.mode & XT_HASHLIMIT_INVERT);
        }
-        spin_unlock_bh(&hinfo->lock);
+        spin_unlock(&dh->lock);
+        rcu_read_unlock_bh();
        /* default match is underlimit - so over the limit, we need to invert */
        return info->cfg.mode & XT_HASHLIMIT_INVERT;
 hotdrop:
-        *par->hotdrop = true;
+        par->hotdrop = true;
        return false;
 }
-static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
+static int hashlimit_mt_check(const struct xt_mtchk_param *par)
-{
-        struct net *net = par->net;
-        struct xt_hashlimit_info *r = par->matchinfo;
-        /* Check for overflow. */
-        if (r->cfg.burst == 0 ||
-            user2credits(r->cfg.avg * r->cfg.burst) < user2credits(r->cfg.avg)) {
-                printk(KERN_ERR "xt_hashlimit: overflow, try lower: %u/%u\n",
-                       r->cfg.avg, r->cfg.burst);
-                return false;
-        }
-        if (r->cfg.mode == 0 ||
-            r->cfg.mode > (XT_HASHLIMIT_HASH_DPT |
-                           XT_HASHLIMIT_HASH_DIP |
-                           XT_HASHLIMIT_HASH_SIP |
-                           XT_HASHLIMIT_HASH_SPT))
-                return false;
-        if (!r->cfg.gc_interval)
-                return false;
-        if (!r->cfg.expire)
-                return false;
-        if (r->name[sizeof(r->name) - 1] != '\0')
-                return false;
-        mutex_lock(&hashlimit_mutex);
-        r->hinfo = htable_find_get(net, r->name, par->match->family);
-        if (!r->hinfo && htable_create_v0(net, r, par->match->family) != 0) {
-                mutex_unlock(&hashlimit_mutex);
-                return false;
-        }
-        mutex_unlock(&hashlimit_mutex);
-        return true;
-}
-static bool hashlimit_mt_check(const struct xt_mtchk_param *par)
 {
        struct net *net = par->net;
        struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
+        int ret;
        /* Check for overflow. */
        if (info->cfg.burst == 0 ||
            user2credits(info->cfg.avg * info->cfg.burst) <
            user2credits(info->cfg.avg)) {
-                printk(KERN_ERR "xt_hashlimit: overflow, try lower: %u/%u\n",
+                pr_info("overflow, try lower: %u/%u\n",
-                       info->cfg.avg, info->cfg.burst);
+                        info->cfg.avg, info->cfg.burst);
-                return false;
+                return -ERANGE;
        }
        if (info->cfg.gc_interval == 0 || info->cfg.expire == 0)
-                return false;
+                return -EINVAL;
        if (info->name[sizeof(info->name)-1] != '\0')
-                return false;
+                return -EINVAL;
-        if (par->match->family == NFPROTO_IPV4) {
+        if (par->family == NFPROTO_IPV4) {
                if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32)
-                        return false;
+                        return -EINVAL;
        } else {
                if (info->cfg.srcmask > 128 || info->cfg.dstmask > 128)
-                        return false;
+                        return -EINVAL;
        }
        mutex_lock(&hashlimit_mutex);
-        info->hinfo = htable_find_get(net, info->name, par->match->family);
+        info->hinfo = htable_find_get(net, info->name, par->family);
-        if (!info->hinfo && htable_create(net, info, par->match->family) != 0) {
+        if (info->hinfo == NULL) {
-                mutex_unlock(&hashlimit_mutex);
+                ret = htable_create(net, info, par->family);
-                return false;
+                if (ret < 0) {
+                        mutex_unlock(&hashlimit_mutex);
+                        return ret;
+                }
        }
        mutex_unlock(&hashlimit_mutex);
-        return true;
+        return 0;
-}
-static void
-hashlimit_mt_destroy_v0(const struct xt_mtdtor_param *par)
-{
-        const struct xt_hashlimit_info *r = par->matchinfo;
-        htable_put(r->hinfo);
 }
 static void hashlimit_mt_destroy(const struct xt_mtdtor_param *par)
@@ -764,47 +612,8 @@ static void hashlimit_mt_destroy(const struct xt_mtdtor_param *par)
        htable_put(info->hinfo);
 }
-#ifdef CONFIG_COMPAT
-struct compat_xt_hashlimit_info {
-        char name[IFNAMSIZ];
-        struct hashlimit_cfg cfg;
-        compat_uptr_t hinfo;
-        compat_uptr_t master;
-};
-static void hashlimit_mt_compat_from_user(void *dst, const void *src)
-{
-        int off = offsetof(struct compat_xt_hashlimit_info, hinfo);
-        memcpy(dst, src, off);
-        memset(dst + off, 0, sizeof(struct compat_xt_hashlimit_info) - off);
-}
-static int hashlimit_mt_compat_to_user(void __user *dst, const void *src)
-{
-        int off = offsetof(struct compat_xt_hashlimit_info, hinfo);
-        return copy_to_user(dst, src, off) ? -EFAULT : 0;
-}
-#endif
 static struct xt_match hashlimit_mt_reg[] __read_mostly = {
        {
-                .name           = "hashlimit",
-                .revision       = 0,
-                .family         = NFPROTO_IPV4,
-                .match          = hashlimit_mt_v0,
-                .matchsize      = sizeof(struct xt_hashlimit_info),
-#ifdef CONFIG_COMPAT
-                .compatsize     = sizeof(struct compat_xt_hashlimit_info),
-                .compat_from_user = hashlimit_mt_compat_from_user,
-                .compat_to_user = hashlimit_mt_compat_to_user,
-#endif
-                .checkentry     = hashlimit_mt_check_v0,
-                .destroy        = hashlimit_mt_destroy_v0,
-                .me             = THIS_MODULE
-        },
-        {
                .name           = "hashlimit",
                .revision       = 1,
                .family         = NFPROTO_IPV4,
@@ -816,20 +625,6 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {
        },
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
        {
-                .name           = "hashlimit",
-                .family         = NFPROTO_IPV6,
-                .match          = hashlimit_mt_v0,
-                .matchsize      = sizeof(struct xt_hashlimit_info),
-#ifdef CONFIG_COMPAT
-                .compatsize     = sizeof(struct compat_xt_hashlimit_info),
-                .compat_from_user = hashlimit_mt_compat_from_user,
-                .compat_to_user = hashlimit_mt_compat_to_user,
-#endif
-                .checkentry     = hashlimit_mt_check_v0,
-                .destroy        = hashlimit_mt_destroy_v0,
-                .me             = THIS_MODULE
-        },
-        {
                .name           = "hashlimit",
                .revision       = 1,
                .family         = NFPROTO_IPV6,
@@ -888,12 +683,15 @@ static void dl_seq_stop(struct seq_file *s, void *v)
 static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
                                   struct seq_file *s)
 {
+        int res;
+        spin_lock(&ent->lock);
        /* recalculate to show accurate numbers */
        rateinfo_recalc(ent, jiffies);
        switch (family) {
        case NFPROTO_IPV4:
-                return seq_printf(s, "%ld %pI4:%u->%pI4:%u %u %u %u\n",
+                res = seq_printf(s, "%ld %pI4:%u->%pI4:%u %u %u %u\n",
                                 (long)(ent->expires - jiffies)/HZ,
                                 &ent->dst.ip.src,
                                 ntohs(ent->dst.src_port),
@@ -901,9 +699,10 @@ static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
                                 ntohs(ent->dst.dst_port),
                                 ent->rateinfo.credit, ent->rateinfo.credit_cap,
                                 ent->rateinfo.cost);
+                break;
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
        case NFPROTO_IPV6:
-                return seq_printf(s, "%ld %pI6:%u->%pI6:%u %u %u %u\n",
+                res = seq_printf(s, "%ld %pI6:%u->%pI6:%u %u %u %u\n",
                                 (long)(ent->expires - jiffies)/HZ,
                                 &ent->dst.ip6.src,
                                 ntohs(ent->dst.src_port),
@@ -911,11 +710,14 @@ static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
                                 ntohs(ent->dst.dst_port),
                                 ent->rateinfo.credit, ent->rateinfo.credit_cap,
                                 ent->rateinfo.cost);
+                break;
 #endif
        default:
                BUG();
-                return 0;
+                res = 0;
        }
+        spin_unlock(&ent->lock);
+        return res;
 }
 static int dl_seq_show(struct seq_file *s, void *v)
@@ -1024,7 +826,7 @@ static int __init hashlimit_mt_init(void)
                                            sizeof(struct dsthash_ent), 0, 0,
                                            NULL);
        if (!hashlimit_cachep) {
-                printk(KERN_ERR "xt_hashlimit: unable to create slab cache\n");
+                pr_warning("unable to create slab cache\n");
                goto err2;
        }
        return 0;
@@ -1039,9 +841,11 @@ err1:
 static void __exit hashlimit_mt_exit(void)
 {
-        kmem_cache_destroy(hashlimit_cachep);
        xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg));
        unregister_pernet_subsys(&hashlimit_net_ops);
+        rcu_barrier_bh();
+        kmem_cache_destroy(hashlimit_cachep);
 }
 module_init(hashlimit_mt_init);
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 64fc7f277221..9f4ab00c8050 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -6,7 +6,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter.h>
@@ -24,7 +24,7 @@ MODULE_ALIAS("ip6t_helper");
 static bool
-helper_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+helper_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_helper_info *info = par->matchinfo;
        const struct nf_conn *ct;
@@ -54,17 +54,19 @@ helper_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ret;
 }
-static bool helper_mt_check(const struct xt_mtchk_param *par)
+static int helper_mt_check(const struct xt_mtchk_param *par)
 {
        struct xt_helper_info *info = par->matchinfo;
+        int ret;
-        if (nf_ct_l3proto_try_module_get(par->family) < 0) {
+        ret = nf_ct_l3proto_try_module_get(par->family);
-                printk(KERN_WARNING "can't load conntrack support for "
+        if (ret < 0) {
-                                    "proto=%u\n", par->family);
+                pr_info("cannot load conntrack support for proto=%u\n",
-                return false;
+                        par->family);
+                return ret;
        }
        info->name[29] = '\0';
-        return true;
+        return 0;
 }
 static void helper_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_hl.c b/net/netfilter/xt_hl.c
index 7726154c87b2..7d12221ead89 100644
--- a/net/netfilter/xt_hl.c
+++ b/net/netfilter/xt_hl.c
@@ -25,7 +25,7 @@ MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_ttl");
 MODULE_ALIAS("ip6t_hl");
-static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool ttl_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ipt_ttl_info *info = par->matchinfo;
        const u8 ttl = ip_hdr(skb)->ttl;
@@ -39,16 +39,12 @@ static bool ttl_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                        return ttl < info->ttl;
                case IPT_TTL_GT:
                        return ttl > info->ttl;
-                default:
-                        printk(KERN_WARNING "ipt_ttl: unknown mode %d\n",
-                                info->mode);
-                        return false;
        }
        return false;
 }
-static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool hl_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct ip6t_hl_info *info = par->matchinfo;
        const struct ipv6hdr *ip6h = ipv6_hdr(skb);
@@ -56,20 +52,12 @@ static bool hl_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
        switch (info->mode) {
                case IP6T_HL_EQ:
                        return ip6h->hop_limit == info->hop_limit;
-                        break;
                case IP6T_HL_NE:
                        return ip6h->hop_limit != info->hop_limit;
-                        break;
                case IP6T_HL_LT:
                        return ip6h->hop_limit < info->hop_limit;
-                        break;
                case IP6T_HL_GT:
                        return ip6h->hop_limit > info->hop_limit;
-                        break;
-                default:
-                        printk(KERN_WARNING "ip6t_hl: unknown mode %d\n",
-                                info->mode);
-                        return false;
        }
        return false;
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index ffc96387d556..88f7c3511c72 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -8,6 +8,7 @@
 *      it under the terms of the GNU General Public License version 2 as
 *      published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/ip.h>
@@ -16,7 +17,7 @@
 #include <linux/netfilter/xt_iprange.h>
 static bool
-iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par)
+iprange_mt4(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_iprange_mtinfo *info = par->matchinfo;
        const struct iphdr *iph = ip_hdr(skb);
@@ -67,7 +68,7 @@ iprange_ipv6_sub(const struct in6_addr *a, const struct in6_addr *b)
 }
 static bool
-iprange_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+iprange_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_iprange_mtinfo *info = par->matchinfo;
        const struct ipv6hdr *iph = ipv6_hdr(skb);
diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index c4871ca6c86d..176e5570a999 100644
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -21,7 +21,7 @@ MODULE_ALIAS("ipt_length");
 MODULE_ALIAS("ip6t_length");
 static bool
-length_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+length_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_length_info *info = par->matchinfo;
        u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
@@ -30,7 +30,7 @@ length_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 }
 static bool
-length_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
+length_mt6(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_length_info *info = par->matchinfo;
        const u_int16_t pktlen = ntohs(ipv6_hdr(skb)->payload_len) +
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index e5d7e1ffb1a4..32b7a579a032 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -5,6 +5,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/slab.h>
 #include <linux/module.h>
@@ -64,7 +65,7 @@ static DEFINE_SPINLOCK(limit_lock);
 #define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
 static bool
-limit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+limit_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_rateinfo *r = par->matchinfo;
        struct xt_limit_priv *priv = r->master;
@@ -98,7 +99,7 @@ user2credits(u_int32_t user)
        return (user * HZ * CREDITS_PER_JIFFY) / XT_LIMIT_SCALE;
 }
-static bool limit_mt_check(const struct xt_mtchk_param *par)
+static int limit_mt_check(const struct xt_mtchk_param *par)
 {
        struct xt_rateinfo *r = par->matchinfo;
        struct xt_limit_priv *priv;
@@ -106,14 +107,14 @@ static bool limit_mt_check(const struct xt_mtchk_param *par)
        /* Check for overflow. */
        if (r->burst == 0
            || user2credits(r->avg * r->burst) < user2credits(r->avg)) {
-                printk("Overflow in xt_limit, try lower: %u/%u\n",
+                pr_info("Overflow, try lower: %u/%u\n",
-                       r->avg, r->burst);
+                        r->avg, r->burst);
-                return false;
+                return -ERANGE;
        }
        priv = kmalloc(sizeof(*priv), GFP_KERNEL);
        if (priv == NULL)
-                return false;
+                return -ENOMEM;
        /* For SMP, we only want to use one set of state. */
        r->master = priv;
@@ -125,7 +126,7 @@ static bool limit_mt_check(const struct xt_mtchk_param *par)
                r->credit_cap = user2credits(r->avg * r->burst); /* Credits full. */
                r->cost = user2credits(r->avg);
        }
-        return true;
+        return 0;
 }
 static void limit_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index c2007116ce5b..8160f6b1435d 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -10,6 +10,7 @@
 #include <linux/module.h>
 #include <linux/skbuff.h>
+#include <linux/if_arp.h>
 #include <linux/if_ether.h>
 #include <linux/etherdevice.h>
@@ -24,16 +25,20 @@ MODULE_DESCRIPTION("Xtables: MAC address match");
 MODULE_ALIAS("ipt_mac");
 MODULE_ALIAS("ip6t_mac");
-static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool mac_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
-    const struct xt_mac_info *info = par->matchinfo;
+        const struct xt_mac_info *info = par->matchinfo;
+        bool ret;
-    /* Is mac pointer valid? */
-    return skb_mac_header(skb) >= skb->head &&
+        if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER)
-           skb_mac_header(skb) + ETH_HLEN <= skb->data
+                return false;
-           /* If so, compare... */
+        if (skb_mac_header(skb) < skb->head)
-           && ((!compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr))
+                return false;
-                ^ info->invert);
+        if (skb_mac_header(skb) + ETH_HLEN > skb->data)
+                return false;
+        ret  = compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr) == 0;
+        ret ^= info->invert;
+        return ret;
 }
 static struct xt_match mac_mt_reg __read_mostly = {
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 1db07d8125f8..23345238711b 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -18,18 +18,38 @@
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("Xtables: packet mark match");
+MODULE_DESCRIPTION("Xtables: packet mark operations");
 MODULE_ALIAS("ipt_mark");
 MODULE_ALIAS("ip6t_mark");
+MODULE_ALIAS("ipt_MARK");
+MODULE_ALIAS("ip6t_MARK");
+static unsigned int
+mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
+{
+        const struct xt_mark_tginfo2 *info = par->targinfo;
+        skb->mark = (skb->mark & ~info->mask) ^ info->mark;
+        return XT_CONTINUE;
+}
 static bool
-mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+mark_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_mark_mtinfo1 *info = par->matchinfo;
        return ((skb->mark & info->mask) == info->mark) ^ info->invert;
 }
+static struct xt_target mark_tg_reg __read_mostly = {
+        .name           = "MARK",
+        .revision       = 2,
+        .family         = NFPROTO_UNSPEC,
+        .target         = mark_tg,
+        .targetsize     = sizeof(struct xt_mark_tginfo2),
+        .me             = THIS_MODULE,
+};
 static struct xt_match mark_mt_reg __read_mostly = {
        .name           = "mark",
        .revision       = 1,
@@ -41,12 +61,23 @@ static struct xt_match mark_mt_reg __read_mostly = {
 static int __init mark_mt_init(void)
 {
-        return xt_register_match(&mark_mt_reg);
+        int ret;
+        ret = xt_register_target(&mark_tg_reg);
+        if (ret < 0)
+                return ret;
+        ret = xt_register_match(&mark_mt_reg);
+        if (ret < 0) {
+                xt_unregister_target(&mark_tg_reg);
+                return ret;
+        }
+        return 0;
 }
 static void __exit mark_mt_exit(void)
 {
        xt_unregister_match(&mark_mt_reg);
+        xt_unregister_target(&mark_tg_reg);
 }
 module_init(mark_mt_init);
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index d06bb2dd3900..ac1d3c3d09e7 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -8,7 +8,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/types.h>
 #include <linux/udp.h>
@@ -26,29 +26,6 @@ MODULE_DESCRIPTION("Xtables: multiple port matching for TCP, UDP, UDP-Lite, SCTP
 MODULE_ALIAS("ipt_multiport");
 MODULE_ALIAS("ip6t_multiport");
-#if 0
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
-/* Returns 1 if the port is matched by the test, 0 otherwise. */
-static inline bool
-ports_match_v0(const u_int16_t *portlist, enum xt_multiport_flags flags,
-               u_int8_t count, u_int16_t src, u_int16_t dst)
-{
-        unsigned int i;
-        for (i = 0; i < count; i++) {
-                if (flags != XT_MULTIPORT_DESTINATION && portlist[i] == src)
-                        return true;
-                if (flags != XT_MULTIPORT_SOURCE && portlist[i] == dst)
-                        return true;
-        }
-        return false;
-}
 /* Returns 1 if the port is matched by the test, 0 otherwise. */
 static inline bool
 ports_match_v1(const struct xt_multiport_v1 *minfo,
@@ -63,7 +40,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
                if (minfo->pflags[i]) {
                        /* range port matching */
                        e = minfo->ports[++i];
-                        duprintf("src or dst matches with %d-%d?\n", s, e);
+                        pr_debug("src or dst matches with %d-%d?\n", s, e);
                        if (minfo->flags == XT_MULTIPORT_SOURCE
                            && src >= s && src <= e)
@@ -77,7 +54,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
                                return true ^ minfo->invert;
                } else {
                        /* exact port matching */
-                        duprintf("src or dst matches with %d?\n", s);
+                        pr_debug("src or dst matches with %d?\n", s);
                        if (minfo->flags == XT_MULTIPORT_SOURCE
                            && src == s)
@@ -95,31 +72,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
 }
 static bool
-multiport_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+multiport_mt(const struct sk_buff *skb, struct xt_action_param *par)
-{
-        const __be16 *pptr;
-        __be16 _ports[2];
-        const struct xt_multiport *multiinfo = par->matchinfo;
-        if (par->fragoff != 0)
-                return false;
-        pptr = skb_header_pointer(skb, par->thoff, sizeof(_ports), _ports);
-        if (pptr == NULL) {
-                /* We've been asked to examine this packet, and we
-                 * can't.  Hence, no choice but to drop.
-                 */
-                duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
-                *par->hotdrop = true;
-                return false;
-        }
-        return ports_match_v0(multiinfo->ports, multiinfo->flags,
-               multiinfo->count, ntohs(pptr[0]), ntohs(pptr[1]));
-}
-static bool
-multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
        const __be16 *pptr;
        __be16 _ports[2];
@@ -133,8 +86,8 @@ multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                /* We've been asked to examine this packet, and we
                 * can't.  Hence, no choice but to drop.
                 */
-                duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
+                pr_debug("Dropping evil offset=0 tinygram.\n");
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
@@ -158,55 +111,28 @@ check(u_int16_t proto,
                && count <= XT_MULTI_PORTS;
 }
-static bool multiport_mt_check_v0(const struct xt_mtchk_param *par)
+static int multiport_mt_check(const struct xt_mtchk_param *par)
-{
-        const struct ipt_ip *ip = par->entryinfo;
-        const struct xt_multiport *multiinfo = par->matchinfo;
-        return check(ip->proto, ip->invflags, multiinfo->flags,
-                     multiinfo->count);
-}
-static bool multiport_mt_check(const struct xt_mtchk_param *par)
 {
        const struct ipt_ip *ip = par->entryinfo;
        const struct xt_multiport_v1 *multiinfo = par->matchinfo;
        return check(ip->proto, ip->invflags, multiinfo->flags,
-                     multiinfo->count);
+                     multiinfo->count) ? 0 : -EINVAL;
 }
-static bool multiport_mt6_check_v0(const struct xt_mtchk_param *par)
+static int multiport_mt6_check(const struct xt_mtchk_param *par)
-{
-        const struct ip6t_ip6 *ip = par->entryinfo;
-        const struct xt_multiport *multiinfo = par->matchinfo;
-        return check(ip->proto, ip->invflags, multiinfo->flags,
-                     multiinfo->count);
-}
-static bool multiport_mt6_check(const struct xt_mtchk_param *par)
 {
        const struct ip6t_ip6 *ip = par->entryinfo;
        const struct xt_multiport_v1 *multiinfo = par->matchinfo;
        return check(ip->proto, ip->invflags, multiinfo->flags,
-                     multiinfo->count);
+                     multiinfo->count) ? 0 : -EINVAL;
 }
 static struct xt_match multiport_mt_reg[] __read_mostly = {
        {
                .name           = "multiport",
                .family         = NFPROTO_IPV4,
-                .revision       = 0,
-                .checkentry     = multiport_mt_check_v0,
-                .match          = multiport_mt_v0,
-                .matchsize      = sizeof(struct xt_multiport),
-                .me             = THIS_MODULE,
-        },
-        {
-                .name           = "multiport",
-                .family         = NFPROTO_IPV4,
                .revision       = 1,
                .checkentry     = multiport_mt_check,
                .match          = multiport_mt,
@@ -216,15 +142,6 @@ static struct xt_match multiport_mt_reg[] __read_mostly = {
        {
                .name           = "multiport",
                .family         = NFPROTO_IPV6,
-                .revision       = 0,
-                .checkentry     = multiport_mt6_check_v0,
-                .match          = multiport_mt_v0,
-                .matchsize      = sizeof(struct xt_multiport),
-                .me             = THIS_MODULE,
-        },
-        {
-                .name           = "multiport",
-                .family         = NFPROTO_IPV6,
                .revision       = 1,
                .checkentry     = multiport_mt6_check,
                .match          = multiport_mt,
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index 4169e200588d..4327e101c047 100644
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -16,7 +16,7 @@
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/kernel.h>
@@ -193,8 +193,8 @@ static inline int xt_osf_ttl(const struct sk_buff *skb, const struct xt_osf_info
        return ip->ttl == f_ttl;
 }
-static bool xt_osf_match_packet(const struct sk_buff *skb,
+static bool
-                const struct xt_match_param *p)
+xt_osf_match_packet(const struct sk_buff *skb, struct xt_action_param *p)
 {
        const struct xt_osf_info *info = p->matchinfo;
        const struct iphdr *ip = ip_hdr(skb);
@@ -382,14 +382,14 @@ static int __init xt_osf_init(void)
        err = nfnetlink_subsys_register(&xt_osf_nfnetlink);
        if (err < 0) {
-                printk(KERN_ERR "Failed (%d) to register OSF nsfnetlink helper.\n", err);
+                pr_err("Failed to register OSF nsfnetlink helper (%d)\n", err);
                goto err_out_exit;
        }
        err = xt_register_match(&xt_osf_match);
        if (err) {
-                printk(KERN_ERR "Failed (%d) to register OS fingerprint "
+                pr_err("Failed to register OS fingerprint "
-                                "matching module.\n", err);
+                       "matching module (%d)\n", err);
                goto err_out_remove;
        }
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c
index d24c76dffee2..772d7389b337 100644
--- a/net/netfilter/xt_owner.c
+++ b/net/netfilter/xt_owner.c
@@ -18,7 +18,7 @@
 #include <linux/netfilter/xt_owner.h>
 static bool
-owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+owner_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_owner_match_info *info = par->matchinfo;
        const struct file *filp;
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index 8d28ca5848bc..d7ca16b8b8df 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -7,7 +7,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter_bridge.h>
@@ -22,7 +22,7 @@ MODULE_ALIAS("ip6t_physdev");
 static bool
-physdev_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+physdev_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
        const struct xt_physdev_info *info = par->matchinfo;
@@ -83,25 +83,25 @@ match_outdev:
        return (!!ret ^ !(info->invert & XT_PHYSDEV_OP_OUT));
 }
-static bool physdev_mt_check(const struct xt_mtchk_param *par)
+static int physdev_mt_check(const struct xt_mtchk_param *par)
 {
        const struct xt_physdev_info *info = par->matchinfo;
        if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
            info->bitmask & ~XT_PHYSDEV_OP_MASK)
-                return false;
+                return -EINVAL;
        if (info->bitmask & XT_PHYSDEV_OP_OUT &&
            (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
             info->invert & XT_PHYSDEV_OP_BRIDGED) &&
            par->hook_mask & ((1 << NF_INET_LOCAL_OUT) |
            (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) {
-                printk(KERN_WARNING "physdev match: using --physdev-out in the "
+                pr_info("using --physdev-out in the OUTPUT, FORWARD and "
-                       "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
+                        "POSTROUTING chains for non-bridged traffic is not "
-                       "traffic is not supported anymore.\n");
+                        "supported anymore.\n");
                if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
-                        return false;
+                        return -EINVAL;
        }
-        return true;
+        return 0;
 }
 static struct xt_match physdev_mt_reg __read_mostly = {
diff --git a/net/netfilter/xt_pkttype.c b/net/netfilter/xt_pkttype.c
index 69da1d3a1d85..5b645cb598fc 100644
--- a/net/netfilter/xt_pkttype.c
+++ b/net/netfilter/xt_pkttype.c
@@ -23,7 +23,7 @@ MODULE_ALIAS("ipt_pkttype");
 MODULE_ALIAS("ip6t_pkttype");
 static bool
-pkttype_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+pkttype_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_pkttype_info *info = par->matchinfo;
        u_int8_t type;
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 4cbfebda8fa1..f23e97bb42d7 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -6,7 +6,7 @@
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
@@ -110,15 +110,15 @@ match_policy_out(const struct sk_buff *skb, const struct xt_policy_info *info,
 }
 static bool
-policy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+policy_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_policy_info *info = par->matchinfo;
        int ret;
        if (info->flags & XT_POLICY_MATCH_IN)
-                ret = match_policy_in(skb, info, par->match->family);
+                ret = match_policy_in(skb, info, par->family);
        else
-                ret = match_policy_out(skb, info, par->match->family);
+                ret = match_policy_out(skb, info, par->family);
        if (ret < 0)
                ret = info->flags & XT_POLICY_MATCH_NONE ? true : false;
@@ -128,32 +128,29 @@ policy_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ret;
 }
-static bool policy_mt_check(const struct xt_mtchk_param *par)
+static int policy_mt_check(const struct xt_mtchk_param *par)
 {
        const struct xt_policy_info *info = par->matchinfo;
        if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
-                printk(KERN_ERR "xt_policy: neither incoming nor "
+                pr_info("neither incoming nor outgoing policy selected\n");
-                                "outgoing policy selected\n");
+                return -EINVAL;
-                return false;
        }
        if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
            (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) {
-                printk(KERN_ERR "xt_policy: output policy not valid in "
+                pr_info("output policy not valid in PREROUTING and INPUT\n");
-                                "PRE_ROUTING and INPUT\n");
+                return -EINVAL;
-                return false;
        }
        if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
            (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) {
-                printk(KERN_ERR "xt_policy: input policy not valid in "
+                pr_info("input policy not valid in POSTROUTING and OUTPUT\n");
-                                "POST_ROUTING and OUTPUT\n");
+                return -EINVAL;
-                return false;
        }
        if (info->len > XT_POLICY_MAX_ELEM) {
-                printk(KERN_ERR "xt_policy: too many policy elements\n");
+                pr_info("too many policy elements\n");
-                return false;
+                return -EINVAL;
        }
-        return true;
+        return 0;
 }
 static struct xt_match policy_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_quota.c b/net/netfilter/xt_quota.c
index 2d5562498c43..b4f7dfea5980 100644
--- a/net/netfilter/xt_quota.c
+++ b/net/netfilter/xt_quota.c
@@ -23,7 +23,7 @@ MODULE_ALIAS("ip6t_quota");
 static DEFINE_SPINLOCK(quota_lock);
 static bool
-quota_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+quota_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        struct xt_quota_info *q = (void *)par->matchinfo;
        struct xt_quota_priv *priv = q->master;
@@ -44,19 +44,19 @@ quota_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ret;
 }
-static bool quota_mt_check(const struct xt_mtchk_param *par)
+static int quota_mt_check(const struct xt_mtchk_param *par)
 {
        struct xt_quota_info *q = par->matchinfo;
        if (q->flags & ~XT_QUOTA_MASK)
-                return false;
+                return -EINVAL;
        q->master = kmalloc(sizeof(*q->master), GFP_KERNEL);
        if (q->master == NULL)
-                return false;
+                return -ENOMEM;
        q->master->quota = q->quota;
-        return true;
+        return 0;
 }
 static void quota_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_rateest.c b/net/netfilter/xt_rateest.c
index 4fc6a917f6de..76a083184d8e 100644
--- a/net/netfilter/xt_rateest.c
+++ b/net/netfilter/xt_rateest.c
@@ -15,7 +15,7 @@
 static bool
-xt_rateest_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+xt_rateest_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_rateest_match_info *info = par->matchinfo;
        struct gnet_stats_rate_est *r;
@@ -74,10 +74,11 @@ xt_rateest_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ret;
 }
-static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
+static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
 {
        struct xt_rateest_match_info *info = par->matchinfo;
        struct xt_rateest *est1, *est2;
+        int ret = false;
        if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
                                     XT_RATEEST_MATCH_REL)) != 1)
@@ -95,6 +96,7 @@ static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
                goto err1;
        }
+        ret  = -ENOENT;
        est1 = xt_rateest_lookup(info->name1);
        if (!est1)
                goto err1;
@@ -109,12 +111,12 @@ static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
        info->est1 = est1;
        info->est2 = est2;
-        return true;
+        return 0;
 err2:
        xt_rateest_put(est1);
 err1:
-        return false;
+        return -EINVAL;
 }
 static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_realm.c b/net/netfilter/xt_realm.c
index 484d1689bfde..459a7b256eb2 100644
--- a/net/netfilter/xt_realm.c
+++ b/net/netfilter/xt_realm.c
@@ -22,7 +22,7 @@ MODULE_DESCRIPTION("Xtables: Routing realm match");
 MODULE_ALIAS("ipt_realm");
 static bool
-realm_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+realm_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_realm_info *info = par->matchinfo;
        const struct dst_entry *dst = skb_dst(skb);
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 834b736857cb..76aec6a44762 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -12,6 +12,7 @@
 * Author: Stephen Frost <sfrost@snowman.net>
 * Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/init.h>
 #include <linux/ip.h>
 #include <linux/ipv6.h>
@@ -35,8 +36,8 @@
 #include <linux/netfilter/xt_recent.h>
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching for IPv4");
+MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_recent");
 MODULE_ALIAS("ip6t_recent");
@@ -51,14 +52,14 @@ module_param(ip_list_tot, uint, 0400);
 module_param(ip_pkt_list_tot, uint, 0400);
 module_param(ip_list_hash_size, uint, 0400);
 module_param(ip_list_perms, uint, 0400);
-module_param(ip_list_uid, uint, 0400);
+module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR);
-module_param(ip_list_gid, uint, 0400);
+module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR);
 MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
 MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)");
 MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
 MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files");
-MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files");
+MODULE_PARM_DESC(ip_list_uid, "default owner of /proc/net/xt_recent/* files");
-MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/xt_recent/* files");
+MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* files");
 struct recent_entry {
        struct list_head        list;
@@ -84,9 +85,6 @@ struct recent_net {
        struct list_head        tables;
 #ifdef CONFIG_PROC_FS
        struct proc_dir_entry   *xt_recent;
-#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
-        struct proc_dir_entry   *ipt_recent;
-#endif
 #endif
 };
@@ -147,6 +145,25 @@ static void recent_entry_remove(struct recent_table *t, struct recent_entry *e)
        t->entries--;
 }
+/*
+ * Drop entries with timestamps older then 'time'.
+ */
+static void recent_entry_reap(struct recent_table *t, unsigned long time)
+{
+        struct recent_entry *e;
+        /*
+         * The head of the LRU list is always the oldest entry.
+         */
+        e = list_entry(t->lru_list.next, struct recent_entry, lru_list);
+        /*
+         * The last time stamp is the most recent.
+         */
+        if (time_after(time, e->stamps[e->index-1]))
+                recent_entry_remove(t, e);
+}
 static struct recent_entry *
 recent_entry_init(struct recent_table *t, const union nf_inet_addr *addr,
                  u_int16_t family, u_int8_t ttl)
@@ -207,7 +224,7 @@ static void recent_table_flush(struct recent_table *t)
 }
 static bool
-recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+recent_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        struct net *net = dev_net(par->in ? par->in : par->out);
        struct recent_net *recent_net = recent_pernet(net);
@@ -218,7 +235,7 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        u_int8_t ttl;
        bool ret = info->invert;
-        if (par->match->family == NFPROTO_IPV4) {
+        if (par->family == NFPROTO_IPV4) {
                const struct iphdr *iph = ip_hdr(skb);
                if (info->side == XT_RECENT_DEST)
@@ -244,14 +261,14 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        spin_lock_bh(&recent_lock);
        t = recent_table_lookup(recent_net, info->name);
-        e = recent_entry_lookup(t, &addr, par->match->family,
+        e = recent_entry_lookup(t, &addr, par->family,
                                (info->check_set & XT_RECENT_TTL) ? ttl : 0);
        if (e == NULL) {
                if (!(info->check_set & XT_RECENT_SET))
                        goto out;
-                e = recent_entry_init(t, &addr, par->match->family, ttl);
+                e = recent_entry_init(t, &addr, par->family, ttl);
                if (e == NULL)
-                        *par->hotdrop = true;
+                        par->hotdrop = true;
                ret = !ret;
                goto out;
        }
@@ -273,6 +290,10 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                                break;
                        }
                }
+                /* info->seconds must be non-zero */
+                if (info->check_set & XT_RECENT_REAP)
+                        recent_entry_reap(t, time);
        }
        if (info->check_set & XT_RECENT_SET ||
@@ -285,7 +306,7 @@ out:
        return ret;
 }
-static bool recent_mt_check(const struct xt_mtchk_param *par)
+static int recent_mt_check(const struct xt_mtchk_param *par)
 {
        struct recent_net *recent_net = recent_pernet(par->net);
        const struct xt_recent_mtinfo *info = par->matchinfo;
@@ -294,41 +315,51 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
        struct proc_dir_entry *pde;
 #endif
        unsigned i;
-        bool ret = false;
+        int ret = -EINVAL;
        if (unlikely(!hash_rnd_inited)) {
                get_random_bytes(&hash_rnd, sizeof(hash_rnd));
                hash_rnd_inited = true;
        }
+        if (info->check_set & ~XT_RECENT_VALID_FLAGS) {
+                pr_info("Unsupported user space flags (%08x)\n",
+                        info->check_set);
+                return -EINVAL;
+        }
        if (hweight8(info->check_set &
                     (XT_RECENT_SET | XT_RECENT_REMOVE |
                      XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1)
-                return false;
+                return -EINVAL;
        if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) &&
-            (info->seconds || info->hit_count))
+            (info->seconds || info->hit_count ||
-                return false;
+            (info->check_set & XT_RECENT_MODIFIERS)))
+                return -EINVAL;
+        if ((info->check_set & XT_RECENT_REAP) && !info->seconds)
+                return -EINVAL;
        if (info->hit_count > ip_pkt_list_tot) {
-                pr_info(KBUILD_MODNAME ": hitcount (%u) is larger than "
+                pr_info("hitcount (%u) is larger than "
                        "packets to be remembered (%u)\n",
                        info->hit_count, ip_pkt_list_tot);
-                return false;
+                return -EINVAL;
        }
        if (info->name[0] == '\0' ||
            strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
-                return false;
+                return -EINVAL;
        mutex_lock(&recent_mutex);
        t = recent_table_lookup(recent_net, info->name);
        if (t != NULL) {
                t->refcnt++;
-                ret = true;
+                ret = 0;
                goto out;
        }
        t = kzalloc(sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size,
                    GFP_KERNEL);
-        if (t == NULL)
+        if (t == NULL) {
+                ret = -ENOMEM;
                goto out;
+        }
        t->refcnt = 1;
        strcpy(t->name, info->name);
        INIT_LIST_HEAD(&t->lru_list);
@@ -339,26 +370,16 @@ static bool recent_mt_check(const struct xt_mtchk_param *par)
                  &recent_mt_fops, t);
        if (pde == NULL) {
                kfree(t);
-                goto out;
+                ret = -ENOMEM;
-        }
-        pde->uid = ip_list_uid;
-        pde->gid = ip_list_gid;
-#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
-        pde = proc_create_data(t->name, ip_list_perms, recent_net->ipt_recent,
-                      &recent_old_fops, t);
-        if (pde == NULL) {
-                remove_proc_entry(t->name, recent_net->xt_recent);
-                kfree(t);
                goto out;
        }
        pde->uid = ip_list_uid;
        pde->gid = ip_list_gid;
 #endif
-#endif
        spin_lock_bh(&recent_lock);
        list_add_tail(&t->list, &recent_net->tables);
        spin_unlock_bh(&recent_lock);
-        ret = true;
+        ret = 0;
 out:
        mutex_unlock(&recent_mutex);
        return ret;
@@ -377,9 +398,6 @@ static void recent_mt_destroy(const struct xt_mtdtor_param *par)
                list_del(&t->list);
                spin_unlock_bh(&recent_lock);
 #ifdef CONFIG_PROC_FS
-#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
-                remove_proc_entry(t->name, recent_net->ipt_recent);
-#endif
                remove_proc_entry(t->name, recent_net->xt_recent);
 #endif
                recent_table_flush(t);
@@ -471,84 +489,6 @@ static int recent_seq_open(struct inode *inode, struct file *file)
        return 0;
 }
-#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
-static int recent_old_seq_open(struct inode *inode, struct file *filp)
-{
-        static bool warned_of_old;
-        if (unlikely(!warned_of_old)) {
-                printk(KERN_INFO KBUILD_MODNAME ": Use of /proc/net/ipt_recent"
-                       " is deprecated; use /proc/net/xt_recent.\n");
-                warned_of_old = true;
-        }
-        return recent_seq_open(inode, filp);
-}
-static ssize_t recent_old_proc_write(struct file *file,
-                                     const char __user *input,
-                                     size_t size, loff_t *loff)
-{
-        const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
-        struct recent_table *t = pde->data;
-        struct recent_entry *e;
-        char buf[sizeof("+255.255.255.255")], *c = buf;
-        union nf_inet_addr addr = {};
-        int add;
-        if (size > sizeof(buf))
-                size = sizeof(buf);
-        if (copy_from_user(buf, input, size))
-                return -EFAULT;
-        c = skip_spaces(c);
-        if (size - (c - buf) < 5)
-                return c - buf;
-        if (!strncmp(c, "clear", 5)) {
-                c += 5;
-                spin_lock_bh(&recent_lock);
-                recent_table_flush(t);
-                spin_unlock_bh(&recent_lock);
-                return c - buf;
-        }
-        switch (*c) {
-        case '-':
-                add = 0;
-                c++;
-                break;
-        case '+':
-                c++;
-        default:
-                add = 1;
-                break;
-        }
-        addr.ip = in_aton(c);
-        spin_lock_bh(&recent_lock);
-        e = recent_entry_lookup(t, &addr, NFPROTO_IPV4, 0);
-        if (e == NULL) {
-                if (add)
-                        recent_entry_init(t, &addr, NFPROTO_IPV4, 0);
-        } else {
-                if (add)
-                        recent_entry_update(t, e);
-                else
-                        recent_entry_remove(t, e);
-        }
-        spin_unlock_bh(&recent_lock);
-        return size;
-}
-static const struct file_operations recent_old_fops = {
-        .open           = recent_old_seq_open,
-        .read           = seq_read,
-        .write          = recent_old_proc_write,
-        .release        = seq_release_private,
-        .owner          = THIS_MODULE,
-};
-#endif
 static ssize_t
 recent_mt_proc_write(struct file *file, const char __user *input,
                     size_t size, loff_t *loff)
@@ -585,7 +525,7 @@ recent_mt_proc_write(struct file *file, const char __user *input,
                add = true;
                break;
        default:
-                printk(KERN_INFO KBUILD_MODNAME ": Need +ip, -ip or /\n");
+                pr_info("Need \"+ip\", \"-ip\" or \"/\"\n");
                return -EINVAL;
        }
@@ -600,8 +540,7 @@ recent_mt_proc_write(struct file *file, const char __user *input,
        }
        if (!succ) {
-                printk(KERN_INFO KBUILD_MODNAME ": illegal address written "
+                pr_info("illegal address written to procfs\n");
-                       "to procfs\n");
                return -EINVAL;
        }
@@ -637,21 +576,11 @@ static int __net_init recent_proc_net_init(struct net *net)
        recent_net->xt_recent = proc_mkdir("xt_recent", net->proc_net);
        if (!recent_net->xt_recent)
                return -ENOMEM;
-#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
-        recent_net->ipt_recent = proc_mkdir("ipt_recent", net->proc_net);
-        if (!recent_net->ipt_recent) {
-                proc_net_remove(net, "xt_recent");
-                return -ENOMEM;
-        }
-#endif
        return 0;
 }
 static void __net_exit recent_proc_net_exit(struct net *net)
 {
-#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
-        proc_net_remove(net, "ipt_recent");
-#endif
        proc_net_remove(net, "xt_recent");
 }
 #else
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index a189ada9128f..c04fcf385c59 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -1,3 +1,4 @@
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <net/ip.h>
@@ -15,12 +16,6 @@ MODULE_DESCRIPTION("Xtables: SCTP protocol packet match");
 MODULE_ALIAS("ipt_sctp");
 MODULE_ALIAS("ip6t_sctp");
-#ifdef DEBUG_SCTP
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
 #define SCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \
                                              || (!!((invflag) & (option)) ^ (cond)))
@@ -52,7 +47,7 @@ match_packet(const struct sk_buff *skb,
        const struct xt_sctp_flag_info *flag_info = info->flag_info;
        int flag_count = info->flag_count;
-#ifdef DEBUG_SCTP
+#ifdef DEBUG
        int i = 0;
 #endif
@@ -62,17 +57,19 @@ match_packet(const struct sk_buff *skb,
        do {
                sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
                if (sch == NULL || sch->length == 0) {
-                        duprintf("Dropping invalid SCTP packet.\n");
+                        pr_debug("Dropping invalid SCTP packet.\n");
                        *hotdrop = true;
                        return false;
                }
+#ifdef DEBUG
-                duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n",
+                pr_debug("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d"
-                                ++i, offset, sch->type, htons(sch->length), sch->flags);
+                         "\tflags: %x\n",
+                         ++i, offset, sch->type, htons(sch->length),
+                         sch->flags);
+#endif
                offset += (ntohs(sch->length) + 3) & ~3;
-                duprintf("skb->len: %d\toffset: %d\n", skb->len, offset);
+                pr_debug("skb->len: %d\toffset: %d\n", skb->len, offset);
                if (SCTP_CHUNKMAP_IS_SET(info->chunkmap, sch->type)) {
                        switch (chunk_match_type) {
@@ -117,24 +114,24 @@ match_packet(const struct sk_buff *skb,
 }
 static bool
-sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+sctp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_sctp_info *info = par->matchinfo;
        const sctp_sctphdr_t *sh;
        sctp_sctphdr_t _sh;
        if (par->fragoff != 0) {
-                duprintf("Dropping non-first fragment.. FIXME\n");
+                pr_debug("Dropping non-first fragment.. FIXME\n");
                return false;
        }
        sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
        if (sh == NULL) {
-                duprintf("Dropping evil TCP offset=0 tinygram.\n");
+                pr_debug("Dropping evil TCP offset=0 tinygram.\n");
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
-        duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
+        pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
        return  SCCHECK(ntohs(sh->source) >= info->spts[0]
                        && ntohs(sh->source) <= info->spts[1],
@@ -143,22 +140,26 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                        && ntohs(sh->dest) <= info->dpts[1],
                        XT_SCTP_DEST_PORTS, info->flags, info->invflags)
                && SCCHECK(match_packet(skb, par->thoff + sizeof(sctp_sctphdr_t),
-                                        info, par->hotdrop),
+                                        info, &par->hotdrop),
                           XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
 }
-static bool sctp_mt_check(const struct xt_mtchk_param *par)
+static int sctp_mt_check(const struct xt_mtchk_param *par)
 {
        const struct xt_sctp_info *info = par->matchinfo;
-        return !(info->flags & ~XT_SCTP_VALID_FLAGS)
+        if (info->flags & ~XT_SCTP_VALID_FLAGS)
-                && !(info->invflags & ~XT_SCTP_VALID_FLAGS)
+                return -EINVAL;
-                && !(info->invflags & ~info->flags)
+        if (info->invflags & ~XT_SCTP_VALID_FLAGS)
-                && ((!(info->flags & XT_SCTP_CHUNK_TYPES)) ||
+                return -EINVAL;
-                        (info->chunk_match_type &
+        if (info->invflags & ~info->flags)
-                                (SCTP_CHUNK_MATCH_ALL
+                return -EINVAL;
-                                | SCTP_CHUNK_MATCH_ANY
+        if (!(info->flags & XT_SCTP_CHUNK_TYPES))
-                                | SCTP_CHUNK_MATCH_ONLY)));
+                return 0;
+        if (info->chunk_match_type & (SCTP_CHUNK_MATCH_ALL |
+            SCTP_CHUNK_MATCH_ANY | SCTP_CHUNK_MATCH_ONLY))
+                return 0;
+        return -EINVAL;
 }
 static struct xt_match sctp_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 6a902564d24f..3d54c236a1ba 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -9,7 +9,7 @@
 * published by the Free Software Foundation.
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter/x_tables.h>
@@ -88,7 +88,7 @@ extract_icmp_fields(const struct sk_buff *skb,
 static bool
-socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
+socket_match(const struct sk_buff *skb, struct xt_action_param *par,
             const struct xt_socket_mtinfo1 *info)
 {
        const struct iphdr *iph = ip_hdr(skb);
@@ -165,8 +165,7 @@ socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
                        sk = NULL;
        }
-        pr_debug("socket match: proto %u %08x:%u -> %08x:%u "
+        pr_debug("proto %u %08x:%u -> %08x:%u (orig %08x:%u) sock %p\n",
-                 "(orig %08x:%u) sock %p\n",
                 protocol, ntohl(saddr), ntohs(sport),
                 ntohl(daddr), ntohs(dport),
                 ntohl(iph->daddr), hp ? ntohs(hp->dest) : 0, sk);
@@ -175,13 +174,13 @@ socket_match(const struct sk_buff *skb, const struct xt_match_param *par,
 }
 static bool
-socket_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
+socket_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
 {
        return socket_match(skb, par, NULL);
 }
 static bool
-socket_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
+socket_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
 {
        return socket_match(skb, par, par->matchinfo);
 }
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 4c946cbd731f..e12e053d3782 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -21,7 +21,7 @@ MODULE_ALIAS("ipt_state");
 MODULE_ALIAS("ip6t_state");
 static bool
-state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+state_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_state_info *sinfo = par->matchinfo;
        enum ip_conntrack_info ctinfo;
@@ -37,50 +37,40 @@ state_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return (sinfo->statemask & statebit);
 }
-static bool state_mt_check(const struct xt_mtchk_param *par)
+static int state_mt_check(const struct xt_mtchk_param *par)
 {
-        if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
+        int ret;
-                printk(KERN_WARNING "can't load conntrack support for "
-                                    "proto=%u\n", par->match->family);
+        ret = nf_ct_l3proto_try_module_get(par->family);
-                return false;
+        if (ret < 0)
-        }
+                pr_info("cannot load conntrack support for proto=%u\n",
-        return true;
+                        par->family);
+        return ret;
 }
 static void state_mt_destroy(const struct xt_mtdtor_param *par)
 {
-        nf_ct_l3proto_module_put(par->match->family);
+        nf_ct_l3proto_module_put(par->family);
 }
-static struct xt_match state_mt_reg[] __read_mostly = {
+static struct xt_match state_mt_reg __read_mostly = {
-        {
+        .name       = "state",
-                .name           = "state",
+        .family     = NFPROTO_UNSPEC,
-                .family         = NFPROTO_IPV4,
+        .checkentry = state_mt_check,
-                .checkentry     = state_mt_check,
+        .match      = state_mt,
-                .match          = state_mt,
+        .destroy    = state_mt_destroy,
-                .destroy        = state_mt_destroy,
+        .matchsize  = sizeof(struct xt_state_info),
-                .matchsize      = sizeof(struct xt_state_info),
+        .me         = THIS_MODULE,
-                .me             = THIS_MODULE,
-        },
-        {
-                .name           = "state",
-                .family         = NFPROTO_IPV6,
-                .checkentry     = state_mt_check,
-                .match          = state_mt,
-                .destroy        = state_mt_destroy,
-                .matchsize      = sizeof(struct xt_state_info),
-                .me             = THIS_MODULE,
-        },
 };
 static int __init state_mt_init(void)
 {
-        return xt_register_matches(state_mt_reg, ARRAY_SIZE(state_mt_reg));
+        return xt_register_match(&state_mt_reg);
 }
 static void __exit state_mt_exit(void)
 {
-        xt_unregister_matches(state_mt_reg, ARRAY_SIZE(state_mt_reg));
+        xt_unregister_match(&state_mt_reg);
 }
 module_init(state_mt_init);
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index 937ce0633e99..96e62b8fd6b1 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -30,7 +30,7 @@ MODULE_ALIAS("ip6t_statistic");
 static DEFINE_SPINLOCK(nth_lock);
 static bool
-statistic_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+statistic_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_statistic_info *info = par->matchinfo;
        bool ret = info->flags & XT_STATISTIC_INVERT;
@@ -53,22 +53,20 @@ statistic_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return ret;
 }
-static bool statistic_mt_check(const struct xt_mtchk_param *par)
+static int statistic_mt_check(const struct xt_mtchk_param *par)
 {
        struct xt_statistic_info *info = par->matchinfo;
        if (info->mode > XT_STATISTIC_MODE_MAX ||
            info->flags & ~XT_STATISTIC_MASK)
-                return false;
+                return -EINVAL;
        info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
-        if (info->master == NULL) {
+        if (info->master == NULL)
-                printk(KERN_ERR KBUILD_MODNAME ": Out of memory\n");
+                return -ENOMEM;
-                return false;
-        }
        info->master->count = info->u.nth.count;
-        return true;
+        return 0;
 }
 static void statistic_mt_destroy(const struct xt_mtdtor_param *par)
diff --git a/net/netfilter/xt_string.c b/net/netfilter/xt_string.c
index 96801ffd8af8..d3c48b14ab94 100644
--- a/net/netfilter/xt_string.c
+++ b/net/netfilter/xt_string.c
@@ -23,16 +23,14 @@ MODULE_ALIAS("ipt_string");
 MODULE_ALIAS("ip6t_string");
 static bool
-string_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+string_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_string_info *conf = par->matchinfo;
        struct ts_state state;
-        int invert;
+        bool invert;
        memset(&state, 0, sizeof(struct ts_state));
+        invert = conf->u.v1.flags & XT_STRING_FLAG_INVERT;
-        invert = (par->match->revision == 0 ? conf->u.v0.invert :
-                                    conf->u.v1.flags & XT_STRING_FLAG_INVERT);
        return (skb_find_text((struct sk_buff *)skb, conf->from_offset,
                             conf->to_offset, conf->config, &state)
@@ -41,7 +39,7 @@ string_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 #define STRING_TEXT_PRIV(m) ((struct xt_string_info *)(m))
-static bool string_mt_check(const struct xt_mtchk_param *par)
+static int string_mt_check(const struct xt_mtchk_param *par)
 {
        struct xt_string_info *conf = par->matchinfo;
        struct ts_config *ts_conf;
@@ -49,26 +47,23 @@ static bool string_mt_check(const struct xt_mtchk_param *par)
        /* Damn, can't handle this case properly with iptables... */
        if (conf->from_offset > conf->to_offset)
-                return false;
+                return -EINVAL;
        if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0')
-                return false;
+                return -EINVAL;
        if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE)
-                return false;
+                return -EINVAL;
-        if (par->match->revision == 1) {
+        if (conf->u.v1.flags &
-                if (conf->u.v1.flags &
+            ~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT))
-                    ~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT))
+                return -EINVAL;
-                        return false;
+        if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
-                if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
+                flags |= TS_IGNORECASE;
-                        flags |= TS_IGNORECASE;
-        }
        ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
                                     GFP_KERNEL, flags);
        if (IS_ERR(ts_conf))
-                return false;
+                return PTR_ERR(ts_conf);
        conf->config = ts_conf;
+        return 0;
-        return true;
 }
 static void string_mt_destroy(const struct xt_mtdtor_param *par)
@@ -76,38 +71,25 @@ static void string_mt_destroy(const struct xt_mtdtor_param *par)
        textsearch_destroy(STRING_TEXT_PRIV(par->matchinfo)->config);
 }
-static struct xt_match xt_string_mt_reg[] __read_mostly = {
+static struct xt_match xt_string_mt_reg __read_mostly = {
-        {
+        .name       = "string",
-                .name           = "string",
+        .revision   = 1,
-                .revision       = 0,
+        .family     = NFPROTO_UNSPEC,
-                .family         = NFPROTO_UNSPEC,
+        .checkentry = string_mt_check,
-                .checkentry     = string_mt_check,
+        .match      = string_mt,
-                .match          = string_mt,
+        .destroy    = string_mt_destroy,
-                .destroy        = string_mt_destroy,
+        .matchsize  = sizeof(struct xt_string_info),
-                .matchsize      = sizeof(struct xt_string_info),
+        .me         = THIS_MODULE,
-                .me             = THIS_MODULE
-        },
-        {
-                .name           = "string",
-                .revision       = 1,
-                .family         = NFPROTO_UNSPEC,
-                .checkentry     = string_mt_check,
-                .match          = string_mt,
-                .destroy        = string_mt_destroy,
-                .matchsize      = sizeof(struct xt_string_info),
-                .me             = THIS_MODULE
-        },
 };
 static int __init string_mt_init(void)
 {
-        return xt_register_matches(xt_string_mt_reg,
+        return xt_register_match(&xt_string_mt_reg);
-                                   ARRAY_SIZE(xt_string_mt_reg));
 }
 static void __exit string_mt_exit(void)
 {
-        xt_unregister_matches(xt_string_mt_reg, ARRAY_SIZE(xt_string_mt_reg));
+        xt_unregister_match(&xt_string_mt_reg);
 }
 module_init(string_mt_init);
diff --git a/net/netfilter/xt_tcpmss.c b/net/netfilter/xt_tcpmss.c
index 4809b34b10f8..c53d4d18eadf 100644
--- a/net/netfilter/xt_tcpmss.c
+++ b/net/netfilter/xt_tcpmss.c
@@ -25,7 +25,7 @@ MODULE_ALIAS("ipt_tcpmss");
 MODULE_ALIAS("ip6t_tcpmss");
 static bool
-tcpmss_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+tcpmss_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_tcpmss_match_info *info = par->matchinfo;
        const struct tcphdr *th;
@@ -73,7 +73,7 @@ out:
        return info->invert;
 dropit:
-        *par->hotdrop = true;
+        par->hotdrop = true;
        return false;
 }
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 1ebdc4934eed..c14d4645daa3 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -1,3 +1,4 @@
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/types.h>
 #include <linux/module.h>
 #include <net/ip.h>
@@ -19,13 +20,6 @@ MODULE_ALIAS("ipt_tcp");
 MODULE_ALIAS("ip6t_udp");
 MODULE_ALIAS("ip6t_tcp");
-#ifdef DEBUG_IP_FIREWALL_USER
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
 /* Returns 1 if the port is matched by the range, 0 otherwise */
 static inline bool
 port_match(u_int16_t min, u_int16_t max, u_int16_t port, bool invert)
@@ -46,7 +40,7 @@ tcp_find_option(u_int8_t option,
        u_int8_t _opt[60 - sizeof(struct tcphdr)];
        unsigned int i;
-        duprintf("tcp_match: finding option\n");
+        pr_debug("finding option\n");
        if (!optlen)
                return invert;
@@ -68,7 +62,7 @@ tcp_find_option(u_int8_t option,
        return invert;
 }
-static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool tcp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct tcphdr *th;
        struct tcphdr _tcph;
@@ -82,8 +76,8 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                   flag overwrite to pass the direction checks.
                */
                if (par->fragoff == 1) {
-                        duprintf("Dropping evil TCP offset=1 frag.\n");
+                        pr_debug("Dropping evil TCP offset=1 frag.\n");
-                        *par->hotdrop = true;
+                        par->hotdrop = true;
                }
                /* Must not be a fragment. */
                return false;
@@ -95,8 +89,8 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        if (th == NULL) {
                /* We've been asked to examine this packet, and we
                   can't.  Hence, no choice but to drop. */
-                duprintf("Dropping evil TCP offset=0 tinygram.\n");
+                pr_debug("Dropping evil TCP offset=0 tinygram.\n");
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
@@ -114,27 +108,27 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                return false;
        if (tcpinfo->option) {
                if (th->doff * 4 < sizeof(_tcph)) {
-                        *par->hotdrop = true;
+                        par->hotdrop = true;
                        return false;
                }
                if (!tcp_find_option(tcpinfo->option, skb, par->thoff,
                                     th->doff*4 - sizeof(_tcph),
                                     tcpinfo->invflags & XT_TCP_INV_OPTION,
-                                     par->hotdrop))
+                                     &par->hotdrop))
                        return false;
        }
        return true;
 }
-static bool tcp_mt_check(const struct xt_mtchk_param *par)
+static int tcp_mt_check(const struct xt_mtchk_param *par)
 {
        const struct xt_tcp *tcpinfo = par->matchinfo;
        /* Must specify no unknown invflags */
-        return !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
+        return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0;
 }
-static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool udp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct udphdr *uh;
        struct udphdr _udph;
@@ -148,8 +142,8 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        if (uh == NULL) {
                /* We've been asked to examine this packet, and we
                   can't.  Hence, no choice but to drop. */
-                duprintf("Dropping evil UDP tinygram.\n");
+                pr_debug("Dropping evil UDP tinygram.\n");
-                *par->hotdrop = true;
+                par->hotdrop = true;
                return false;
        }
@@ -161,12 +155,12 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
                              !!(udpinfo->invflags & XT_UDP_INV_DSTPT));
 }
-static bool udp_mt_check(const struct xt_mtchk_param *par)
+static int udp_mt_check(const struct xt_mtchk_param *par)
 {
        const struct xt_udp *udpinfo = par->matchinfo;
        /* Must specify no unknown invflags */
-        return !(udpinfo->invflags & ~XT_UDP_INV_MASK);
+        return (udpinfo->invflags & ~XT_UDP_INV_MASK) ? -EINVAL : 0;
 }
 static struct xt_match tcpudp_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 93acaa59d108..c48975ff8ea2 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -1,7 +1,6 @@
 /*
 *      xt_time
 *      Copyright © CC Computer Consultants GmbH, 2007
- *      Contact: <jengelh@computergmbh.de>
 *
 *      based on ipt_time by Fabrice MARIE <fabrice@netfilter.org>
 *      This is a module which is used for time matching
@@ -149,11 +148,10 @@ static void localtime_3(struct xtm *r, time_t time)
        }
        r->month    = i + 1;
-        return;
 }
 static bool
-time_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+time_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_time_info *info = par->matchinfo;
        unsigned int packet_time;
@@ -218,18 +216,18 @@ time_mt(const struct sk_buff *skb, const struct xt_match_param *par)
        return true;
 }
-static bool time_mt_check(const struct xt_mtchk_param *par)
+static int time_mt_check(const struct xt_mtchk_param *par)
 {
        const struct xt_time_info *info = par->matchinfo;
        if (info->daytime_start > XT_TIME_MAX_DAYTIME ||
            info->daytime_stop > XT_TIME_MAX_DAYTIME) {
-                printk(KERN_WARNING "xt_time: invalid argument - start or "
+                pr_info("invalid argument - start or "
-                       "stop time greater than 23:59:59\n");
+                        "stop time greater than 23:59:59\n");
-                return false;
+                return -EDOM;
        }
-        return true;
+        return 0;
 }
 static struct xt_match xt_time_mt_reg __read_mostly = {
@@ -264,7 +262,7 @@ static void __exit time_mt_exit(void)
 module_init(time_mt_init);
 module_exit(time_mt_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: time-based matching");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_time");
diff --git a/net/netfilter/xt_u32.c b/net/netfilter/xt_u32.c
index 24a527624500..a95b50342dbb 100644
--- a/net/netfilter/xt_u32.c
+++ b/net/netfilter/xt_u32.c
@@ -3,7 +3,6 @@
 *
 *      Original author: Don Cohen <don@isis.cs3-inc.com>
 *      (C) CC Computer Consultants GmbH, 2007
- *      Contact: <jengelh@computergmbh.de>
 */
 #include <linux/module.h>
@@ -87,7 +86,7 @@ static bool u32_match_it(const struct xt_u32 *data,
        return true;
 }
-static bool u32_mt(const struct sk_buff *skb, const struct xt_match_param *par)
+static bool u32_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_u32 *data = par->matchinfo;
        bool ret;
@@ -117,7 +116,7 @@ static void __exit u32_mt_exit(void)
 module_init(u32_mt_init);
 module_exit(u32_mt_exit);
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: arbitrary byte matching");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_u32");
diff --git a/net/netlabel/netlabel_addrlist.h b/net/netlabel/netlabel_addrlist.h
index 07ae7fd82be1..1c1c093cf279 100644
--- a/net/netlabel/netlabel_addrlist.h
+++ b/net/netlabel/netlabel_addrlist.h
@@ -130,7 +130,6 @@ static inline void netlbl_af4list_audit_addr(struct audit_buffer *audit_buf,
                                             int src, const char *dev,
                                             __be32 addr, __be32 mask)
 {
-        return;
 }
 #endif
@@ -203,7 +202,6 @@ static inline void netlbl_af6list_audit_addr(struct audit_buffer *audit_buf,
                                             const struct in6_addr *addr,
                                             const struct in6_addr *mask)
 {
-        return;
 }
 #endif
 #endif /* IPV6 */
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index a3d64aabe2f7..e2b0a680dd56 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -670,7 +670,6 @@ static void netlbl_unlhsh_condremove_iface(struct netlbl_unlhsh_iface *iface)
 unlhsh_condremove_failure:
        spin_unlock(&netlbl_unlhsh_lock);
-        return;
 }
 /**
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 6464a1972a69..a2eb965207d3 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -978,6 +978,8 @@ struct netlink_broadcast_data {
        int delivered;
        gfp_t allocation;
        struct sk_buff *skb, *skb2;
+        int (*tx_filter)(struct sock *dsk, struct sk_buff *skb, void *data);
+        void *tx_data;
 };
 static inline int do_one_broadcast(struct sock *sk,
@@ -1020,6 +1022,9 @@ static inline int do_one_broadcast(struct sock *sk,
                p->failure = 1;
                if (nlk->flags & NETLINK_BROADCAST_SEND_ERROR)
                        p->delivery_failure = 1;
+        } else if (p->tx_filter && p->tx_filter(sk, p->skb2, p->tx_data)) {
+                kfree_skb(p->skb2);
+                p->skb2 = NULL;
        } else if (sk_filter(sk, p->skb2)) {
                kfree_skb(p->skb2);
                p->skb2 = NULL;
@@ -1038,8 +1043,10 @@ out:
        return 0;
 }
-int netlink_broadcast(struct sock *ssk, struct sk_buff *skb, u32 pid,
+int netlink_broadcast_filtered(struct sock *ssk, struct sk_buff *skb, u32 pid,
-                      u32 group, gfp_t allocation)
+        u32 group, gfp_t allocation,
+        int (*filter)(struct sock *dsk, struct sk_buff *skb, void *data),
+        void *filter_data)
 {
        struct net *net = sock_net(ssk);
        struct netlink_broadcast_data info;
@@ -1059,6 +1066,8 @@ int netlink_broadcast(struct sock *ssk, struct sk_buff *skb, u32 pid,
        info.allocation = allocation;
        info.skb = skb;
        info.skb2 = NULL;
+        info.tx_filter = filter;
+        info.tx_data = filter_data;
        /* While we sleep in clone, do not allow to change socket list */
@@ -1083,6 +1092,14 @@ int netlink_broadcast(struct sock *ssk, struct sk_buff *skb, u32 pid,
        }
        return -ESRCH;
 }
+EXPORT_SYMBOL(netlink_broadcast_filtered);
+int netlink_broadcast(struct sock *ssk, struct sk_buff *skb, u32 pid,
+                      u32 group, gfp_t allocation)
+{
+        return netlink_broadcast_filtered(ssk, skb, pid, group, allocation,
+                NULL, NULL);
+}
 EXPORT_SYMBOL(netlink_broadcast);
 struct netlink_set_err_data {
diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index af4d38bc3b22..94d72e85a475 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -626,6 +626,7 @@ static void pep_sock_close(struct sock *sk, long timeout)
        struct pep_sock *pn = pep_sk(sk);
        int ifindex = 0;
+        sock_hold(sk); /* keep a reference after sk_common_release() */
        sk_common_release(sk);
        lock_sock(sk);
@@ -644,6 +645,7 @@ static void pep_sock_close(struct sock *sk, long timeout)
        if (ifindex)
                gprs_detach(sk);
+        sock_put(sk);
 }
 static int pep_wait_connreq(struct sock *sk, int noblock)
@@ -1043,12 +1045,12 @@ static void pep_sock_unhash(struct sock *sk)
        lock_sock(sk);
        if ((1 << sk->sk_state) & ~(TCPF_CLOSE|TCPF_LISTEN)) {
                skparent = pn->listener;
-                sk_del_node_init(sk);
                release_sock(sk);
-                sk = skparent;
                pn = pep_sk(skparent);
-                lock_sock(sk);
+                lock_sock(skparent);
+                sk_del_node_init(sk);
+                sk = skparent;
        }
        /* Unhash a listening sock only when it is closed
         * and all of its active connected pipes are closed. */
diff --git a/net/rds/ib_cm.c b/net/rds/ib_cm.c
index 10ed0d55f759..f68832798db2 100644
--- a/net/rds/ib_cm.c
+++ b/net/rds/ib_cm.c
@@ -475,6 +475,7 @@ int rds_ib_cm_handle_connect(struct rdma_cm_id *cm_id,
        err = rds_ib_setup_qp(conn);
        if (err) {
                rds_ib_conn_error(conn, "rds_ib_setup_qp failed (%d)\n", err);
+                mutex_unlock(&conn->c_cm_lock);
                goto out;
        }
diff --git a/net/rds/iw_cm.c b/net/rds/iw_cm.c
index a9d951b4fbae..b5dd6ac39be8 100644
--- a/net/rds/iw_cm.c
+++ b/net/rds/iw_cm.c
@@ -452,6 +452,7 @@ int rds_iw_cm_handle_connect(struct rdma_cm_id *cm_id,
        err = rds_iw_setup_qp(conn);
        if (err) {
                rds_iw_conn_error(conn, "rds_iw_setup_qp failed (%d)\n", err);
+                mutex_unlock(&conn->c_cm_lock);
                goto out;
        }
diff --git a/net/rds/tcp_connect.c b/net/rds/tcp_connect.c
index 056256285987..c397524c039c 100644
--- a/net/rds/tcp_connect.c
+++ b/net/rds/tcp_connect.c
@@ -141,7 +141,7 @@ void rds_tcp_conn_shutdown(struct rds_connection *conn)
                release_sock(sock->sk);
                sock_release(sock);
-        };
+        }
        if (tc->t_tinc) {
                rds_inc_put(&tc->t_tinc->ti_inc);
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 019045174fc3..972378f47f3c 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -153,7 +153,7 @@ int tcf_generic_walker(struct sk_buff *skb, struct netlink_callback *cb,
        } else if (type == RTM_GETACTION) {
                return tcf_dump_walker(skb, cb, a, hinfo);
        } else {
-                printk("tcf_generic_walker: unknown action %d\n", type);
+                WARN(1, "tcf_generic_walker: unknown action %d\n", type);
                return -EINVAL;
        }
 }
@@ -403,8 +403,9 @@ void tcf_action_destroy(struct tc_action *act, int bind)
                                module_put(a->ops->owner);
                        act = act->next;
                        kfree(a);
-                } else { /*FIXME: Remove later - catch insertion bugs*/
+                } else {
-                        printk("tcf_action_destroy: BUG? destroying NULL ops\n");
+                        /*FIXME: Remove later - catch insertion bugs*/
+                        WARN(1, "tcf_action_destroy: BUG? destroying NULL ops\n");
                        act = act->next;
                        kfree(a);
                }
@@ -744,7 +745,7 @@ static struct tc_action *create_a(int i)
        act = kzalloc(sizeof(*act), GFP_KERNEL);
        if (act == NULL) {
-                printk("create_a: failed to alloc!\n");
+                pr_debug("create_a: failed to alloc!\n");
                return NULL;
        }
        act->order = i;
@@ -766,13 +767,13 @@ static int tca_action_flush(struct net *net, struct nlattr *nla,
        int err = -ENOMEM;
        if (a == NULL) {
-                printk("tca_action_flush: couldnt create tc_action\n");
+                pr_debug("tca_action_flush: couldnt create tc_action\n");
                return err;
        }
        skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
        if (!skb) {
-                printk("tca_action_flush: failed skb alloc\n");
+                pr_debug("tca_action_flush: failed skb alloc\n");
                kfree(a);
                return err;
        }
@@ -979,7 +980,7 @@ static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
                return ret;
        if (tca[TCA_ACT_TAB] == NULL) {
-                printk("tc_ctl_action: received NO action attribs\n");
+                pr_notice("tc_ctl_action: received NO action attribs\n");
                return -EINVAL;
        }
@@ -1056,7 +1057,7 @@ tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb)
        struct nlattr *kind = find_dump_kind(cb->nlh);
        if (kind == NULL) {
-                printk("tc_dump_action: action bad kind\n");
+                pr_info("tc_dump_action: action bad kind\n");
                return 0;
        }
@@ -1069,7 +1070,8 @@ tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb)
        a.ops = a_o;
        if (a_o->walk == NULL) {
-                printk("tc_dump_action: %s !capable of dumping table\n", a_o->kind);
+                WARN(1, "tc_dump_action: %s !capable of dumping table\n",
+                     a_o->kind);
                goto nla_put_failure;
        }
diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
index e7f796aec657..8406c6654990 100644
--- a/net/sched/act_gact.c
+++ b/net/sched/act_gact.c
@@ -202,9 +202,9 @@ MODULE_LICENSE("GPL");
 static int __init gact_init_module(void)
 {
 #ifdef CONFIG_GACT_PROB
-        printk("GACT probability on\n");
+        printk(KERN_INFO "GACT probability on\n");
 #else
-        printk("GACT probability NOT on\n");
+        printk(KERN_INFO "GACT probability NOT on\n");
 #endif
        return tcf_register_action(&act_gact_ops);
 }
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index da27a170b6b7..c7e59e6ec349 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -47,8 +47,8 @@ static int ipt_init_target(struct ipt_entry_target *t, char *table, unsigned int
        target = xt_request_find_target(AF_INET, t->u.user.name,
                                        t->u.user.revision);
-        if (!target)
+        if (IS_ERR(target))
-                return -ENOENT;
+                return PTR_ERR(target);
        t->u.kernel.target = target;
        par.table     = table;
@@ -199,7 +199,7 @@ static int tcf_ipt(struct sk_buff *skb, struct tc_action *a,
 {
        int ret = 0, result = 0;
        struct tcf_ipt *ipt = a->priv;
-        struct xt_target_param par;
+        struct xt_action_param par;
        if (skb_cloned(skb)) {
                if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
@@ -235,7 +235,8 @@ static int tcf_ipt(struct sk_buff *skb, struct tc_action *a,
                break;
        default:
                if (net_ratelimit())
-                        printk("Bogus netfilter code %d assume ACCEPT\n", ret);
+                        pr_notice("tc filter: Bogus netfilter code"
+                                  " %d assume ACCEPT\n", ret);
                result = TC_POLICE_OK;
                break;
        }
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index c046682054eb..c0b6863e3b87 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -164,8 +164,8 @@ static int tcf_mirred(struct sk_buff *skb, struct tc_action *a,
        dev = m->tcfm_dev;
        if (!(dev->flags & IFF_UP)) {
                if (net_ratelimit())
-                        printk("mirred to Houston: device %s is gone!\n",
+                        pr_notice("tc mirred to Houston: device %s is gone!\n",
-                               dev->name);
+                                  dev->name);
                goto out;
        }
@@ -252,7 +252,7 @@ MODULE_LICENSE("GPL");
 static int __init mirred_init_module(void)
 {
-        printk("Mirror/redirect action on\n");
+        pr_info("Mirror/redirect action on\n");
        return tcf_register_action(&act_mirred_ops);
 }
diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c
index d885ba311564..570949417f38 100644
--- a/net/sched/act_nat.c
+++ b/net/sched/act_nat.c
@@ -159,6 +159,9 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a,
                        iph->daddr = new_addr;
                csum_replace4(&iph->check, addr, new_addr);
+        } else if ((iph->frag_off & htons(IP_OFFSET)) ||
+                   iph->protocol != IPPROTO_ICMP) {
+                goto out;
        }
        ihl = iph->ihl * 4;
@@ -247,6 +250,7 @@ static int tcf_nat(struct sk_buff *skb, struct tc_action *a,
                break;
        }
+out:
        return action;
 drop:
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index b7dcfedc802e..50e3d945e1f4 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -125,7 +125,7 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a,
 {
        struct tcf_pedit *p = a->priv;
        int i, munged = 0;
-        u8 *pptr;
+        unsigned int off;
        if (!(skb->tc_verd & TC_OK2MUNGE)) {
                /* should we set skb->cloned? */
@@ -134,7 +134,7 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a,
                }
        }
-        pptr = skb_network_header(skb);
+        off = skb_network_offset(skb);
        spin_lock(&p->tcf_lock);
@@ -144,41 +144,46 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a,
                struct tc_pedit_key *tkey = p->tcfp_keys;
                for (i = p->tcfp_nkeys; i > 0; i--, tkey++) {
-                        u32 *ptr;
+                        u32 *ptr, _data;
                        int offset = tkey->off;
                        if (tkey->offmask) {
-                                if (skb->len > tkey->at) {
+                                char *d, _d;
-                                         char *j = pptr + tkey->at;
-                                         offset += ((*j & tkey->offmask) >>
+                                d = skb_header_pointer(skb, off + tkey->at, 1,
-                                                   tkey->shift);
+                                                       &_d);
-                                } else {
+                                if (!d)
                                        goto bad;
-                                }
+                                offset += (*d & tkey->offmask) >> tkey->shift;
                        }
                        if (offset % 4) {
-                                printk("offset must be on 32 bit boundaries\n");
+                                pr_info("tc filter pedit"
+                                        " offset must be on 32 bit boundaries\n");
                                goto bad;
                        }
                        if (offset > 0 && offset > skb->len) {
-                                printk("offset %d cant exceed pkt length %d\n",
+                                pr_info("tc filter pedit"
+                                        " offset %d cant exceed pkt length %d\n",
                                       offset, skb->len);
                                goto bad;
                        }
-                        ptr = (u32 *)(pptr+offset);
+                        ptr = skb_header_pointer(skb, off + offset, 4, &_data);
+                        if (!ptr)
+                                goto bad;
                        /* just do it, baby */
                        *ptr = ((*ptr & tkey->mask) ^ tkey->val);
+                        if (ptr == &_data)
+                                skb_store_bits(skb, off + offset, ptr, 4);
                        munged++;
                }
                if (munged)
                        skb->tc_verd = SET_TC_MUNGED(skb->tc_verd);
                goto done;
-        } else {
+        } else
-                printk("pedit BUG: index %d\n", p->tcf_index);
+                WARN(1, "pedit BUG: index %d\n", p->tcf_index);
-        }
 bad:
        p->tcf_qstats.overlimits++;
diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
index 622ca809c15c..1b4bc691d7d1 100644
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -49,7 +49,7 @@ static int tcf_simp(struct sk_buff *skb, struct tc_action *a, struct tcf_result
         * Example if this was the 3rd packet and the string was "hello"
         * then it would look like "hello_3" (without quotes)
         **/
-        printk("simple: %s_%d\n",
+        pr_info("simple: %s_%d\n",
               (char *)d->tcfd_defdata, d->tcf_bstats.packets);
        spin_unlock(&d->tcf_lock);
        return d->tcf_action;
@@ -205,7 +205,7 @@ static int __init simp_init_module(void)
 {
        int ret = tcf_register_action(&act_simp_ops);
        if (!ret)
-                printk("Simple TC action Loaded\n");
+                pr_info("Simple TC action Loaded\n");
        return ret;
 }
diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c
index 221180384fd7..78ef2c5e130b 100644
--- a/net/sched/cls_cgroup.c
+++ b/net/sched/cls_cgroup.c
@@ -16,14 +16,11 @@
 #include <linux/errno.h>
 #include <linux/skbuff.h>
 #include <linux/cgroup.h>
+#include <linux/rcupdate.h>
 #include <net/rtnetlink.h>
 #include <net/pkt_cls.h>
+#include <net/sock.h>
-struct cgroup_cls_state
+#include <net/cls_cgroup.h>
-{
-        struct cgroup_subsys_state css;
-        u32 classid;
-};
 static struct cgroup_subsys_state *cgrp_create(struct cgroup_subsys *ss,
                                               struct cgroup *cgrp);
@@ -112,6 +109,10 @@ static int cls_cgroup_classify(struct sk_buff *skb, struct tcf_proto *tp,
        struct cls_cgroup_head *head = tp->root;
        u32 classid;
+        rcu_read_lock();
+        classid = task_cls_state(current)->classid;
+        rcu_read_unlock();
        /*
         * Due to the nature of the classifier it is required to ignore all
         * packets originating from softirq context as accessing `current'
@@ -122,12 +123,12 @@ static int cls_cgroup_classify(struct sk_buff *skb, struct tcf_proto *tp,
         * calls by looking at the number of nested bh disable calls because
         * softirqs always disables bh.
         */
-        if (softirq_count() != SOFTIRQ_OFFSET)
+        if (softirq_count() != SOFTIRQ_OFFSET) {
-                return -1;
+                /* If there is an sk_classid we'll use that. */
+                if (!skb->sk)
-        rcu_read_lock();
+                        return -1;
-        classid = task_cls_state(current)->classid;
+                classid = skb->sk->sk_classid;
-        rcu_read_unlock();
+        }
        if (!classid)
                return -1;
@@ -289,18 +290,35 @@ static struct tcf_proto_ops cls_cgroup_ops __read_mostly = {
 static int __init init_cgroup_cls(void)
 {
-        int ret = register_tcf_proto_ops(&cls_cgroup_ops);
+        int ret;
-        if (ret)
-                return ret;
        ret = cgroup_load_subsys(&net_cls_subsys);
        if (ret)
-                unregister_tcf_proto_ops(&cls_cgroup_ops);
+                goto out;
+#ifndef CONFIG_NET_CLS_CGROUP
+        /* We can't use rcu_assign_pointer because this is an int. */
+        smp_wmb();
+        net_cls_subsys_id = net_cls_subsys.subsys_id;
+#endif
+        ret = register_tcf_proto_ops(&cls_cgroup_ops);
+        if (ret)
+                cgroup_unload_subsys(&net_cls_subsys);
+out:
        return ret;
 }
 static void __exit exit_cgroup_cls(void)
 {
        unregister_tcf_proto_ops(&cls_cgroup_ops);
+#ifndef CONFIG_NET_CLS_CGROUP
+        net_cls_subsys_id = -1;
+        synchronize_rcu();
+#endif
        cgroup_unload_subsys(&net_cls_subsys);
 }
diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c
index 6ed61b10e002..f73542d2cdd0 100644
--- a/net/sched/cls_flow.c
+++ b/net/sched/cls_flow.c
@@ -602,7 +602,6 @@ static unsigned long flow_get(struct tcf_proto *tp, u32 handle)
 static void flow_put(struct tcf_proto *tp, unsigned long f)
 {
-        return;
 }
 static int flow_dump(struct tcf_proto *tp, unsigned long fh,
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index 593eac056e8d..4f522143811e 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -98,11 +98,11 @@ static int u32_classify(struct sk_buff *skb, struct tcf_proto *tp, struct tcf_re
 {
        struct {
                struct tc_u_knode *knode;
-                u8                *ptr;
+                unsigned int      off;
        } stack[TC_U32_MAXDEPTH];
        struct tc_u_hnode *ht = (struct tc_u_hnode*)tp->root;
-        u8 *ptr = skb_network_header(skb);
+        unsigned int off = skb_network_offset(skb);
        struct tc_u_knode *n;
        int sdepth = 0;
        int off2 = 0;
@@ -134,8 +134,14 @@ next_knode:
 #endif
                for (i = n->sel.nkeys; i>0; i--, key++) {
+                        unsigned int toff;
-                        if ((*(__be32*)(ptr+key->off+(off2&key->offmask))^key->val)&key->mask) {
+                        __be32 *data, _data;
+                        toff = off + key->off + (off2 & key->offmask);
+                        data = skb_header_pointer(skb, toff, 4, &_data);
+                        if (!data)
+                                goto out;
+                        if ((*data ^ key->val) & key->mask) {
                                n = n->next;
                                goto next_knode;
                        }
@@ -174,29 +180,45 @@ check_terminal:
                if (sdepth >= TC_U32_MAXDEPTH)
                        goto deadloop;
                stack[sdepth].knode = n;
-                stack[sdepth].ptr = ptr;
+                stack[sdepth].off = off;
                sdepth++;
                ht = n->ht_down;
                sel = 0;
-                if (ht->divisor)
+                if (ht->divisor) {
-                        sel = ht->divisor&u32_hash_fold(*(__be32*)(ptr+n->sel.hoff), &n->sel,n->fshift);
+                        __be32 *data, _data;
+                        data = skb_header_pointer(skb, off + n->sel.hoff, 4,
+                                                  &_data);
+                        if (!data)
+                                goto out;
+                        sel = ht->divisor & u32_hash_fold(*data, &n->sel,
+                                                          n->fshift);
+                }
                if (!(n->sel.flags&(TC_U32_VAROFFSET|TC_U32_OFFSET|TC_U32_EAT)))
                        goto next_ht;
                if (n->sel.flags&(TC_U32_OFFSET|TC_U32_VAROFFSET)) {
                        off2 = n->sel.off + 3;
-                        if (n->sel.flags&TC_U32_VAROFFSET)
+                        if (n->sel.flags & TC_U32_VAROFFSET) {
-                                off2 += ntohs(n->sel.offmask & *(__be16*)(ptr+n->sel.offoff)) >>n->sel.offshift;
+                                __be16 *data, _data;
+                                data = skb_header_pointer(skb,
+                                                          off + n->sel.offoff,
+                                                          2, &_data);
+                                if (!data)
+                                        goto out;
+                                off2 += ntohs(n->sel.offmask & *data) >>
+                                        n->sel.offshift;
+                        }
                        off2 &= ~3;
                }
                if (n->sel.flags&TC_U32_EAT) {
-                        ptr += off2;
+                        off += off2;
                        off2 = 0;
                }
-                if (ptr < skb_tail_pointer(skb))
+                if (off < skb->len)
                        goto next_ht;
        }
@@ -204,14 +226,15 @@ check_terminal:
        if (sdepth--) {
                n = stack[sdepth].knode;
                ht = n->ht_up;
-                ptr = stack[sdepth].ptr;
+                off = stack[sdepth].off;
                goto check_terminal;
        }
+out:
        return -1;
 deadloop:
        if (net_ratelimit())
-                printk("cls_u32: dead loop\n");
+                printk(KERN_WARNING "cls_u32: dead loop\n");
        return -1;
 }
@@ -768,15 +791,15 @@ static struct tcf_proto_ops cls_u32_ops __read_mostly = {
 static int __init init_u32(void)
 {
-        printk("u32 classifier\n");
+        pr_info("u32 classifier\n");
 #ifdef CONFIG_CLS_U32_PERF
-        printk("    Performance counters on\n");
+        pr_info("    Performance counters on\n");
 #endif
 #ifdef CONFIG_NET_CLS_IND
-        printk("    input device check on\n");
+        pr_info("    input device check on\n");
 #endif
 #ifdef CONFIG_NET_CLS_ACT
-        printk("    Actions configured\n");
+        pr_info("    Actions configured\n");
 #endif
        return register_tcf_proto_ops(&cls_u32_ops);
 }
diff --git a/net/sched/ematch.c b/net/sched/ematch.c
index e782bdeedc58..5e37da961f80 100644
--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -527,7 +527,8 @@ pop_stack:
 stack_overflow:
        if (net_ratelimit())
-                printk("Local stack overflow, increase NET_EMATCH_STACK\n");
+                printk(KERN_WARNING "tc ematch: local stack overflow,"
+                        " increase NET_EMATCH_STACK\n");
        return -1;
 }
 EXPORT_SYMBOL(__tcf_em_tree_match);
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 9839b26674f4..b9e8c3b7d406 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -1195,6 +1195,11 @@ nla_put_failure:
        return -1;
 }
+static bool tc_qdisc_dump_ignore(struct Qdisc *q)
+{
+        return (q->flags & TCQ_F_BUILTIN) ? true : false;
+}
 static int qdisc_notify(struct net *net, struct sk_buff *oskb,
                        struct nlmsghdr *n, u32 clid,
                        struct Qdisc *old, struct Qdisc *new)
@@ -1206,11 +1211,11 @@ static int qdisc_notify(struct net *net, struct sk_buff *oskb,
        if (!skb)
                return -ENOBUFS;
-        if (old && old->handle) {
+        if (old && !tc_qdisc_dump_ignore(old)) {
                if (tc_fill_qdisc(skb, old, clid, pid, n->nlmsg_seq, 0, RTM_DELQDISC) < 0)
                        goto err_out;
        }
-        if (new) {
+        if (new && !tc_qdisc_dump_ignore(new)) {
                if (tc_fill_qdisc(skb, new, clid, pid, n->nlmsg_seq, old ? NLM_F_REPLACE : 0, RTM_NEWQDISC) < 0)
                        goto err_out;
        }
@@ -1223,11 +1228,6 @@ err_out:
        return -EINVAL;
 }
-static bool tc_qdisc_dump_ignore(struct Qdisc *q)
-{
-        return (q->flags & TCQ_F_BUILTIN) ? true : false;
-}
 static int tc_dump_qdisc_root(struct Qdisc *root, struct sk_buff *skb,
                              struct netlink_callback *cb,
                              int *q_idx_p, int s_q_idx)
@@ -1637,9 +1637,12 @@ reclassify:
                tp = otp;
                if (verd++ >= MAX_REC_LOOP) {
-                        printk("rule prio %u protocol %02x reclassify loop, "
+                        if (net_ratelimit())
-                               "packet dropped\n",
+                                printk(KERN_NOTICE
-                               tp->prio&0xffff, ntohs(tp->protocol));
+                                       "%s: packet reclassify loop"
+                                          " rule prio %u protocol %02x\n",
+                                       tp->q->ops->id,
+                                       tp->prio & 0xffff, ntohs(tp->protocol));
                        return TC_ACT_SHOT;
                }
                skb->tc_verd = SET_TC_VERD(skb->tc_verd, verd);
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index a969b111bd76..a63029ef3edd 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -26,6 +26,7 @@
 #include <linux/list.h>
 #include <linux/slab.h>
 #include <net/pkt_sched.h>
+#include <net/dst.h>
 /* Main transmission queue. */
@@ -40,6 +41,7 @@
 static inline int dev_requeue_skb(struct sk_buff *skb, struct Qdisc *q)
 {
+        skb_dst_force(skb);
        q->gso_skb = skb;
        q->qstats.requeues++;
        q->q.qlen++;    /* it's still part of the queue */
@@ -179,7 +181,7 @@ static inline int qdisc_restart(struct Qdisc *q)
        skb = dequeue_skb(q);
        if (unlikely(!skb))
                return 0;
+        WARN_ON_ONCE(skb_dst_is_noref(skb));
        root_lock = qdisc_lock(q);
        dev = qdisc_dev(q);
        txq = netdev_get_tx_queue(dev, skb_get_queue_mapping(skb));
diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index b38b39c60752..abd904be4287 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -617,7 +617,6 @@ rtsc_min(struct runtime_sc *rtsc, struct internal_sc *isc, u64 x, u64 y)
        rtsc->y = y;
        rtsc->dx = dx;
        rtsc->dy = dy;
-        return;
 }
 static void
@@ -1155,7 +1154,7 @@ static struct hfsc_class *
 hfsc_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
 {
        struct hfsc_sched *q = qdisc_priv(sch);
-        struct hfsc_class *cl;
+        struct hfsc_class *head, *cl;
        struct tcf_result res;
        struct tcf_proto *tcf;
        int result;
@@ -1166,6 +1165,7 @@ hfsc_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
                        return cl;
        *qerr = NET_XMIT_SUCCESS | __NET_XMIT_BYPASS;
+        head = &q->root;
        tcf = q->root.filter_list;
        while (tcf && (result = tc_classify(skb, tcf, &res)) >= 0) {
 #ifdef CONFIG_NET_CLS_ACT
@@ -1180,6 +1180,8 @@ hfsc_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
                if ((cl = (struct hfsc_class *)res.class) == NULL) {
                        if ((cl = hfsc_find_class(res.classid, sch)) == NULL)
                                break; /* filter selected invalid classid */
+                        if (cl->level >= head->level)
+                                break; /* filter may only point downwards */
                }
                if (cl->level == 0)
@@ -1187,6 +1189,7 @@ hfsc_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
                /* apply inner filter chain */
                tcf = cl->filter_list;
+                head = cl;
        }
        /* classification failed, try default class */
diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c
index a9e646bdb605..f10e34a68445 100644
--- a/net/sched/sch_ingress.c
+++ b/net/sched/sch_ingress.c
@@ -44,7 +44,6 @@ static void ingress_put(struct Qdisc *sch, unsigned long cl)
 static void ingress_walk(struct Qdisc *sch, struct qdisc_walker *walker)
 {
-        return;
 }
 static struct tcf_proto **ingress_find_tcf(struct Qdisc *sch, unsigned long cl)
diff --git a/net/sched/sch_mq.c b/net/sched/sch_mq.c
index b2aba3f5e6fa..fe91e50f9d98 100644
--- a/net/sched/sch_mq.c
+++ b/net/sched/sch_mq.c
@@ -174,7 +174,6 @@ static unsigned long mq_get(struct Qdisc *sch, u32 classid)
 static void mq_put(struct Qdisc *sch, unsigned long cl)
 {
-        return;
 }
 static int mq_dump_class(struct Qdisc *sch, unsigned long cl,
diff --git a/net/sched/sch_multiq.c b/net/sched/sch_multiq.c
index c50876cd8704..6ae251279fc2 100644
--- a/net/sched/sch_multiq.c
+++ b/net/sched/sch_multiq.c
@@ -340,7 +340,6 @@ static unsigned long multiq_bind(struct Qdisc *sch, unsigned long parent,
 static void multiq_put(struct Qdisc *q, unsigned long cl)
 {
-        return;
 }
 static int multiq_dump_class(struct Qdisc *sch, unsigned long cl,
diff --git a/net/sched/sch_prio.c b/net/sched/sch_prio.c
index 81672e0c1b25..0748fb1e3a49 100644
--- a/net/sched/sch_prio.c
+++ b/net/sched/sch_prio.c
@@ -303,7 +303,6 @@ static unsigned long prio_bind(struct Qdisc *sch, unsigned long parent, u32 clas
 static void prio_put(struct Qdisc *q, unsigned long cl)
 {
-        return;
 }
 static int prio_dump_class(struct Qdisc *sch, unsigned long cl, struct sk_buff *skb,
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index 072cdf442f8e..8d42bb3ba540 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -303,7 +303,6 @@ static unsigned long red_get(struct Qdisc *sch, u32 classid)
 static void red_put(struct Qdisc *sch, unsigned long arg)
 {
-        return;
 }
 static void red_walk(struct Qdisc *sch, struct qdisc_walker *walker)
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
index 8fb8107ab188..0991c640cd3e 100644
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -273,7 +273,11 @@ static int tbf_change(struct Qdisc* sch, struct nlattr *opt)
        if (max_size < 0)
                goto done;
-        if (qopt->limit > 0) {
+        if (q->qdisc != &noop_qdisc) {
+                err = fifo_set_limit(q->qdisc, qopt->limit);
+                if (err)
+                        goto done;
+        } else if (qopt->limit > 0) {
                child = fifo_create_dflt(sch, &bfifo_qdisc_ops, qopt->limit);
                if (IS_ERR(child)) {
                        err = PTR_ERR(child);
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 3912420cedcc..e41feff19e43 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -816,8 +816,6 @@ void sctp_assoc_del_nonprimary_peers(struct sctp_association *asoc,
                if (t != primary)
                        sctp_assoc_rm_peer(asoc, t);
        }
-        return;
 }
 /* Engage in transport control operations.
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 2a570184e5a9..ea2192444ce6 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -440,11 +440,25 @@ void sctp_icmp_proto_unreachable(struct sock *sk,
 {
        SCTP_DEBUG_PRINTK("%s\n",  __func__);
-        sctp_do_sm(SCTP_EVENT_T_OTHER,
+        if (sock_owned_by_user(sk)) {
-                   SCTP_ST_OTHER(SCTP_EVENT_ICMP_PROTO_UNREACH),
+                if (timer_pending(&t->proto_unreach_timer))
-                   asoc->state, asoc->ep, asoc, t,
+                        return;
-                   GFP_ATOMIC);
+                else {
+                        if (!mod_timer(&t->proto_unreach_timer,
+                                                jiffies + (HZ/20)))
+                                sctp_association_hold(asoc);
+                }
+                        
+        } else {
+                if (timer_pending(&t->proto_unreach_timer) &&
+                    del_timer(&t->proto_unreach_timer))
+                        sctp_association_put(asoc);
+                sctp_do_sm(SCTP_EVENT_T_OTHER,
+                           SCTP_ST_OTHER(SCTP_EVENT_ICMP_PROTO_UNREACH),
+                           asoc->state, asoc->ep, asoc, t,
+                           GFP_ATOMIC);
+        }
 }
 /* Common lookup code for icmp/icmpv6 error handler. */
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 5d057178ce0c..c04b2eb59186 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -80,7 +80,6 @@ static inline void sctp_outq_head_data(struct sctp_outq *q,
 {
        list_add(&ch->list, &q->out_chunk_list);
        q->out_qlen += ch->skb->len;
-        return;
 }
 /* Take data from the front of the queue. */
@@ -103,7 +102,6 @@ static inline void sctp_outq_tail_data(struct sctp_outq *q,
 {
        list_add_tail(&ch->list, &q->out_chunk_list);
        q->out_qlen += ch->skb->len;
-        return;
 }
 /*
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index 784bcc9a979d..61aacfbbaa92 100644
--- a/net/sctp/proc.c
+++ b/net/sctp/proc.c
@@ -181,7 +181,6 @@ static void * sctp_eps_seq_start(struct seq_file *seq, loff_t *pos)
 static void sctp_eps_seq_stop(struct seq_file *seq, void *v)
 {
-        return;
 }
@@ -286,7 +285,6 @@ static void * sctp_assocs_seq_start(struct seq_file *seq, loff_t *pos)
 static void sctp_assocs_seq_stop(struct seq_file *seq, void *v)
 {
-        return;
 }
@@ -409,7 +407,6 @@ static void *sctp_remaddr_seq_next(struct seq_file *seq, void *v, loff_t *pos)
 static void sctp_remaddr_seq_stop(struct seq_file *seq, void *v)
 {
-        return;
 }
 static int sctp_remaddr_seq_show(struct seq_file *seq, void *v)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index d8261f3d7715..bd2a50b482ac 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -141,7 +141,7 @@ int sctp_init_cause_fixed(struct sctp_chunk *chunk, __be16 cause_code,
        len = sizeof(sctp_errhdr_t) + paylen;
        err.length  = htons(len);
-        if (skb_tailroom(chunk->skb) >  len)
+        if (skb_tailroom(chunk->skb) < len)
                return -ENOSPC;
        chunk->subh.err_hdr = sctp_addto_chunk_fixed(chunk,
                                                     sizeof(sctp_errhdr_t),
@@ -1415,7 +1415,7 @@ void *sctp_addto_chunk(struct sctp_chunk *chunk, int len, const void *data)
 void *sctp_addto_chunk_fixed(struct sctp_chunk *chunk,
                             int len, const void *data)
 {
-        if (skb_tailroom(chunk->skb) > len)
+        if (skb_tailroom(chunk->skb) >= len)
                return sctp_addto_chunk(chunk, len, data);
        else
                return NULL;
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 3b7230ef77c2..f5e5e27cac5e 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -397,6 +397,41 @@ out_unlock:
        sctp_transport_put(transport);
 }
+/* Handle the timeout of the ICMP protocol unreachable timer.  Trigger
+ * the correct state machine transition that will close the association.
+ */
+void sctp_generate_proto_unreach_event(unsigned long data)
+{
+        struct sctp_transport *transport = (struct sctp_transport *) data;
+        struct sctp_association *asoc = transport->asoc;
+        
+        sctp_bh_lock_sock(asoc->base.sk);
+        if (sock_owned_by_user(asoc->base.sk)) {
+                SCTP_DEBUG_PRINTK("%s:Sock is busy.\n", __func__);
+                /* Try again later.  */
+                if (!mod_timer(&transport->proto_unreach_timer,
+                                jiffies + (HZ/20)))
+                        sctp_association_hold(asoc);
+                goto out_unlock;
+        }
+        /* Is this structure just waiting around for us to actually
+         * get destroyed?
+         */
+        if (asoc->base.dead)
+                goto out_unlock;
+        sctp_do_sm(SCTP_EVENT_T_OTHER,
+                   SCTP_ST_OTHER(SCTP_EVENT_ICMP_PROTO_UNREACH),
+                   asoc->state, asoc->ep, asoc, transport, GFP_ATOMIC);
+out_unlock:
+        sctp_bh_unlock_sock(asoc->base.sk);
+        sctp_association_put(asoc);
+}
 /* Inject a SACK Timeout event into the state machine.  */
 static void sctp_generate_sack_event(unsigned long data)
 {
@@ -857,8 +892,6 @@ static void sctp_cmd_process_fwdtsn(struct sctp_ulpq *ulpq,
        sctp_walk_fwdtsn(skip, chunk) {
                sctp_ulpq_skip(ulpq, ntohs(skip->stream), ntohs(skip->ssn));
        }
-        return;
 }
 /* Helper function to remove the association non-primary peer
@@ -877,8 +910,6 @@ static void sctp_cmd_del_non_primary(struct sctp_association *asoc)
                        sctp_assoc_del_peer(asoc, &t->ipaddr);
                }
        }
-        return;
 }
 /* Helper function to set sk_err on a 1-1 style socket. */
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index ba1add0b13c3..ca44917872d2 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -5433,6 +5433,8 @@ static long sctp_get_port_local(struct sock *sk, union sctp_addr *addr)
                        rover++;
                        if ((rover < low) || (rover > high))
                                rover = low;
+                        if (inet_is_reserved_local_port(rover))
+                                continue;
                        index = sctp_phashfn(rover);
                        head = &sctp_port_hashtable[index];
                        sctp_spin_lock(&head->lock);
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index fccf4947aff1..132046cb82fc 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -92,6 +92,8 @@ static struct sctp_transport *sctp_transport_init(struct sctp_transport *peer,
                        (unsigned long)peer);
        setup_timer(&peer->hb_timer, sctp_generate_heartbeat_event,
                        (unsigned long)peer);
+        setup_timer(&peer->proto_unreach_timer,
+                    sctp_generate_proto_unreach_event, (unsigned long)peer);
        /* Initialize the 64-bit random nonce sent with heartbeat. */
        get_random_bytes(&peer->hb_nonce, sizeof(peer->hb_nonce));
@@ -146,6 +148,10 @@ void sctp_transport_free(struct sctp_transport *transport)
            del_timer(&transport->T3_rtx_timer))
                sctp_transport_put(transport);
+        /* Delete the ICMP proto unreachable timer if it's active. */
+        if (timer_pending(&transport->proto_unreach_timer) &&
+            del_timer(&transport->proto_unreach_timer))
+                sctp_association_put(transport->asoc);
        sctp_transport_put(transport);
 }
diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
index 3a448536f0b6..c7f7e49609cb 100644
--- a/net/sctp/ulpqueue.c
+++ b/net/sctp/ulpqueue.c
@@ -955,7 +955,6 @@ void sctp_ulpq_skip(struct sctp_ulpq *ulpq, __u16 sid, __u16 ssn)
         * ordering and deliver them if needed.
         */
        sctp_ulpq_reap_ordered(ulpq, sid);
-        return;
 }
 static __u16 sctp_ulpq_renege_list(struct sctp_ulpq *ulpq,
@@ -1064,7 +1063,6 @@ void sctp_ulpq_renege(struct sctp_ulpq *ulpq, struct sctp_chunk *chunk,
        }
        sk_mem_reclaim(asoc->base.sk);
-        return;
 }
diff --git a/net/socket.c b/net/socket.c
index dae8c6b84a09..367d5477d00f 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -94,6 +94,7 @@
 #include <net/compat.h>
 #include <net/wext.h>
+#include <net/cls_cgroup.h>
 #include <net/sock.h>
 #include <linux/netfilter.h>
@@ -558,6 +559,8 @@ static inline int __sock_sendmsg(struct kiocb *iocb, struct socket *sock,
        struct sock_iocb *si = kiocb_to_siocb(iocb);
        int err;
+        sock_update_classid(sock->sk);
        si->sock = sock;
        si->scm = NULL;
        si->msg = msg;
@@ -684,6 +687,8 @@ static inline int __sock_recvmsg_nosec(struct kiocb *iocb, struct socket *sock,
 {
        struct sock_iocb *si = kiocb_to_siocb(iocb);
+        sock_update_classid(sock->sk);
        si->sock = sock;
        si->scm = NULL;
        si->msg = msg;
@@ -777,6 +782,8 @@ static ssize_t sock_splice_read(struct file *file, loff_t *ppos,
        if (unlikely(!sock->ops->splice_read))
                return -EINVAL;
+        sock_update_classid(sock->sk);
        return sock->ops->splice_read(sock, ppos, pipe, len, flags);
 }
@@ -2615,7 +2622,7 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
                return dev_ioctl(net, cmd, uifr);
        default:
                return -EINVAL;
-        };
+        }
 }
 static int siocdevprivate_ioctl(struct net *net, unsigned int cmd,
@@ -3069,6 +3076,8 @@ int kernel_setsockopt(struct socket *sock, int level, int optname,
 int kernel_sendpage(struct socket *sock, struct page *page, int offset,
                    size_t size, int flags)
 {
+        sock_update_classid(sock->sk);
        if (sock->ops->sendpage)
                return sock->ops->sendpage(sock, page, offset, size, flags);
diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c
index f394fc190a49..73affb8624fa 100644
--- a/net/sunrpc/auth.c
+++ b/net/sunrpc/auth.c
@@ -236,10 +236,15 @@ rpcauth_prune_expired(struct list_head *free, int nr_to_scan)
        list_for_each_entry_safe(cred, next, &cred_unused, cr_lru) {
-                /* Enforce a 60 second garbage collection moratorium */
+                if (nr_to_scan-- == 0)
-                if (time_in_range_open(cred->cr_expire, expired, jiffies) &&
+                        break;
+                /*
+                 * Enforce a 60 second garbage collection moratorium
+                 * Note that the cred_unused list must be time-ordered.
+                 */
+                if (time_in_range(cred->cr_expire, expired, jiffies) &&
                    test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) != 0)
-                        continue;
+                        return 0;
                list_del_init(&cred->cr_lru);
                number_cred_unused--;
@@ -252,13 +257,10 @@ rpcauth_prune_expired(struct list_head *free, int nr_to_scan)
                        get_rpccred(cred);
                        list_add_tail(&cred->cr_lru, free);
                        rpcauth_unhash_cred_locked(cred);
-                        nr_to_scan--;
                }
                spin_unlock(cache_lock);
-                if (nr_to_scan == 0)
-                        break;
        }
-        return nr_to_scan;
+        return (number_cred_unused / 100) * sysctl_vfs_cache_pressure;
 }
 /*
@@ -270,11 +272,12 @@ rpcauth_cache_shrinker(int nr_to_scan, gfp_t gfp_mask)
        LIST_HEAD(free);
        int res;
+        if ((gfp_mask & GFP_KERNEL) != GFP_KERNEL)
+                return (nr_to_scan == 0) ? 0 : -1;
        if (list_empty(&cred_unused))
                return 0;
        spin_lock(&rpc_credcache_lock);
-        nr_to_scan = rpcauth_prune_expired(&free, nr_to_scan);
+        res = rpcauth_prune_expired(&free, nr_to_scan);
-        res = (number_cred_unused / 100) * sysctl_vfs_cache_pressure;
        spin_unlock(&rpc_credcache_lock);
        rpcauth_destroy_credlist(&free);
        return res;
diff --git a/net/sunrpc/auth_gss/Makefile b/net/sunrpc/auth_gss/Makefile
index 4de8bcf26fa7..74a231735f67 100644
--- a/net/sunrpc/auth_gss/Makefile
+++ b/net/sunrpc/auth_gss/Makefile
@@ -10,7 +10,7 @@ auth_rpcgss-objs := auth_gss.o gss_generic_token.o \
 obj-$(CONFIG_RPCSEC_GSS_KRB5) += rpcsec_gss_krb5.o
 rpcsec_gss_krb5-objs := gss_krb5_mech.o gss_krb5_seal.o gss_krb5_unseal.o \
-        gss_krb5_seqnum.o gss_krb5_wrap.o gss_krb5_crypto.o
+        gss_krb5_seqnum.o gss_krb5_wrap.o gss_krb5_crypto.o gss_krb5_keys.o
 obj-$(CONFIG_RPCSEC_GSS_SPKM3) += rpcsec_gss_spkm3.o
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index c389ccf6437d..8da2a0e68574 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -57,11 +57,14 @@ static const struct rpc_authops authgss_ops;
 static const struct rpc_credops gss_credops;
 static const struct rpc_credops gss_nullops;
+#define GSS_RETRY_EXPIRED 5
+static unsigned int gss_expired_cred_retry_delay = GSS_RETRY_EXPIRED;
 #ifdef RPC_DEBUG
 # define RPCDBG_FACILITY        RPCDBG_AUTH
 #endif
-#define GSS_CRED_SLACK          1024
+#define GSS_CRED_SLACK          (RPC_MAX_AUTH_SIZE * 2)
 /* length of a krb5 verifier (48), plus data added before arguments when
 * using integrity (two 4-byte integers): */
 #define GSS_VERF_SLACK          100
@@ -229,7 +232,7 @@ gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct
                p = ERR_PTR(-EFAULT);
                goto err;
        }
-        ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx);
+        ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, GFP_NOFS);
        if (ret < 0) {
                p = ERR_PTR(ret);
                goto err;
@@ -350,6 +353,24 @@ gss_unhash_msg(struct gss_upcall_msg *gss_msg)
 }
 static void
+gss_handle_downcall_result(struct gss_cred *gss_cred, struct gss_upcall_msg *gss_msg)
+{
+        switch (gss_msg->msg.errno) {
+        case 0:
+                if (gss_msg->ctx == NULL)
+                        break;
+                clear_bit(RPCAUTH_CRED_NEGATIVE, &gss_cred->gc_base.cr_flags);
+                gss_cred_set_ctx(&gss_cred->gc_base, gss_msg->ctx);
+                break;
+        case -EKEYEXPIRED:
+                set_bit(RPCAUTH_CRED_NEGATIVE, &gss_cred->gc_base.cr_flags);
+        }
+        gss_cred->gc_upcall_timestamp = jiffies;
+        gss_cred->gc_upcall = NULL;
+        rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno);
+}
+static void
 gss_upcall_callback(struct rpc_task *task)
 {
        struct gss_cred *gss_cred = container_of(task->tk_msg.rpc_cred,
@@ -358,13 +379,9 @@ gss_upcall_callback(struct rpc_task *task)
        struct inode *inode = &gss_msg->inode->vfs_inode;
        spin_lock(&inode->i_lock);
-        if (gss_msg->ctx)
+        gss_handle_downcall_result(gss_cred, gss_msg);
-                gss_cred_set_ctx(task->tk_msg.rpc_cred, gss_msg->ctx);
-        else
-                task->tk_status = gss_msg->msg.errno;
-        gss_cred->gc_upcall = NULL;
-        rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno);
        spin_unlock(&inode->i_lock);
+        task->tk_status = gss_msg->msg.errno;
        gss_release_msg(gss_msg);
 }
@@ -377,11 +394,12 @@ static void gss_encode_v0_msg(struct gss_upcall_msg *gss_msg)
 static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
                                struct rpc_clnt *clnt, int machine_cred)
 {
+        struct gss_api_mech *mech = gss_msg->auth->mech;
        char *p = gss_msg->databuf;
        int len = 0;
        gss_msg->msg.len = sprintf(gss_msg->databuf, "mech=%s uid=%d ",
-                                   gss_msg->auth->mech->gm_name,
+                                   mech->gm_name,
                                   gss_msg->uid);
        p += gss_msg->msg.len;
        if (clnt->cl_principal) {
@@ -398,6 +416,11 @@ static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
                p += len;
                gss_msg->msg.len += len;
        }
+        if (mech->gm_upcall_enctypes) {
+                len = sprintf(p, mech->gm_upcall_enctypes);
+                p += len;
+                gss_msg->msg.len += len;
+        }
        len = sprintf(p, "\n");
        gss_msg->msg.len += len;
@@ -507,18 +530,16 @@ gss_refresh_upcall(struct rpc_task *task)
        spin_lock(&inode->i_lock);
        if (gss_cred->gc_upcall != NULL)
                rpc_sleep_on(&gss_cred->gc_upcall->rpc_waitqueue, task, NULL);
-        else if (gss_msg->ctx != NULL) {
+        else if (gss_msg->ctx == NULL && gss_msg->msg.errno >= 0) {
-                gss_cred_set_ctx(task->tk_msg.rpc_cred, gss_msg->ctx);
-                gss_cred->gc_upcall = NULL;
-                rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno);
-        } else if (gss_msg->msg.errno >= 0) {
                task->tk_timeout = 0;
                gss_cred->gc_upcall = gss_msg;
                /* gss_upcall_callback will release the reference to gss_upcall_msg */
                atomic_inc(&gss_msg->count);
                rpc_sleep_on(&gss_msg->rpc_waitqueue, task, gss_upcall_callback);
-        } else
+        } else {
+                gss_handle_downcall_result(gss_cred, gss_msg);
                err = gss_msg->msg.errno;
+        }
        spin_unlock(&inode->i_lock);
        gss_release_msg(gss_msg);
 out:
@@ -1117,6 +1138,23 @@ static int gss_renew_cred(struct rpc_task *task)
        return 0;
 }
+static int gss_cred_is_negative_entry(struct rpc_cred *cred)
+{
+        if (test_bit(RPCAUTH_CRED_NEGATIVE, &cred->cr_flags)) {
+                unsigned long now = jiffies;
+                unsigned long begin, expire;
+                struct gss_cred *gss_cred; 
+                gss_cred = container_of(cred, struct gss_cred, gc_base);
+                begin = gss_cred->gc_upcall_timestamp;
+                expire = begin + gss_expired_cred_retry_delay * HZ;
+                if (time_in_range_open(now, begin, expire))
+                        return 1;
+        }
+        return 0;
+}
 /*
 * Refresh credentials. XXX - finish
 */
@@ -1126,6 +1164,9 @@ gss_refresh(struct rpc_task *task)
        struct rpc_cred *cred = task->tk_msg.rpc_cred;
        int ret = 0;
+        if (gss_cred_is_negative_entry(cred))
+                return -EKEYEXPIRED;
        if (!test_bit(RPCAUTH_CRED_NEW, &cred->cr_flags) &&
                        !test_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags)) {
                ret = gss_renew_cred(task);
@@ -1316,15 +1357,21 @@ gss_wrap_req_priv(struct rpc_cred *cred, struct gss_cl_ctx *ctx,
        inpages = snd_buf->pages + first;
        snd_buf->pages = rqstp->rq_enc_pages;
        snd_buf->page_base -= first << PAGE_CACHE_SHIFT;
-        /* Give the tail its own page, in case we need extra space in the
+        /*
-         * head when wrapping: */
+         * Give the tail its own page, in case we need extra space in the
+         * head when wrapping:
+         *
+         * call_allocate() allocates twice the slack space required
+         * by the authentication flavor to rq_callsize.
+         * For GSS, slack is GSS_CRED_SLACK.
+         */
        if (snd_buf->page_len || snd_buf->tail[0].iov_len) {
                tmp = page_address(rqstp->rq_enc_pages[rqstp->rq_enc_pages_num - 1]);
                memcpy(tmp, snd_buf->tail[0].iov_base, snd_buf->tail[0].iov_len);
                snd_buf->tail[0].iov_base = tmp;
        }
        maj_stat = gss_wrap(ctx->gc_gss_ctx, offset, snd_buf, inpages);
-        /* RPC_SLACK_SPACE should prevent this ever happening: */
+        /* slack space should prevent this ever happening: */
        BUG_ON(snd_buf->len > snd_buf->buflen);
        status = -EIO;
        /* We're assuming that when GSS_S_CONTEXT_EXPIRED, the encryption was
@@ -1573,5 +1620,11 @@ static void __exit exit_rpcsec_gss(void)
 }
 MODULE_LICENSE("GPL");
+module_param_named(expired_cred_retry_delay,
+                   gss_expired_cred_retry_delay,
+                   uint, 0644);
+MODULE_PARM_DESC(expired_cred_retry_delay, "Timeout (in seconds) until "
+                "the RPC engine retries an expired credential");
 module_init(init_rpcsec_gss)
 module_exit(exit_rpcsec_gss)
diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c
index e9b636176687..75ee993ea057 100644
--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -1,7 +1,7 @@
 /*
 *  linux/net/sunrpc/gss_krb5_crypto.c
 *
- *  Copyright (c) 2000 The Regents of the University of Michigan.
+ *  Copyright (c) 2000-2008 The Regents of the University of Michigan.
 *  All rights reserved.
 *
 *  Andy Adamson   <andros@umich.edu>
@@ -41,6 +41,7 @@
 #include <linux/crypto.h>
 #include <linux/highmem.h>
 #include <linux/pagemap.h>
+#include <linux/random.h>
 #include <linux/sunrpc/gss_krb5.h>
 #include <linux/sunrpc/xdr.h>
@@ -58,13 +59,13 @@ krb5_encrypt(
 {
        u32 ret = -EINVAL;
        struct scatterlist sg[1];
-        u8 local_iv[16] = {0};
+        u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {0};
        struct blkcipher_desc desc = { .tfm = tfm, .info = local_iv };
        if (length % crypto_blkcipher_blocksize(tfm) != 0)
                goto out;
-        if (crypto_blkcipher_ivsize(tfm) > 16) {
+        if (crypto_blkcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) {
                dprintk("RPC:       gss_k5encrypt: tfm iv size too large %d\n",
                        crypto_blkcipher_ivsize(tfm));
                goto out;
@@ -92,13 +93,13 @@ krb5_decrypt(
 {
        u32 ret = -EINVAL;
        struct scatterlist sg[1];
-        u8 local_iv[16] = {0};
+        u8 local_iv[GSS_KRB5_MAX_BLOCKSIZE] = {0};
        struct blkcipher_desc desc = { .tfm = tfm, .info = local_iv };
        if (length % crypto_blkcipher_blocksize(tfm) != 0)
                goto out;
-        if (crypto_blkcipher_ivsize(tfm) > 16) {
+        if (crypto_blkcipher_ivsize(tfm) > GSS_KRB5_MAX_BLOCKSIZE) {
                dprintk("RPC:       gss_k5decrypt: tfm iv size too large %d\n",
                        crypto_blkcipher_ivsize(tfm));
                goto out;
@@ -123,21 +124,155 @@ checksummer(struct scatterlist *sg, void *data)
        return crypto_hash_update(desc, sg, sg->length);
 }
-/* checksum the plaintext data and hdrlen bytes of the token header */
+static int
-s32
+arcfour_hmac_md5_usage_to_salt(unsigned int usage, u8 salt[4])
-make_checksum(char *cksumname, char *header, int hdrlen, struct xdr_buf *body,
+{
-                   int body_offset, struct xdr_netobj *cksum)
+        unsigned int ms_usage;
+        switch (usage) {
+        case KG_USAGE_SIGN:
+                ms_usage = 15;
+                break;
+        case KG_USAGE_SEAL:
+                ms_usage = 13;
+                break;
+        default:
+                return EINVAL;;
+        }
+        salt[0] = (ms_usage >> 0) & 0xff;
+        salt[1] = (ms_usage >> 8) & 0xff;
+        salt[2] = (ms_usage >> 16) & 0xff;
+        salt[3] = (ms_usage >> 24) & 0xff;
+        return 0;
+}
+static u32
+make_checksum_hmac_md5(struct krb5_ctx *kctx, char *header, int hdrlen,
+                       struct xdr_buf *body, int body_offset, u8 *cksumkey,
+                       unsigned int usage, struct xdr_netobj *cksumout)
 {
-        struct hash_desc                desc; /* XXX add to ctx? */
+        struct hash_desc                desc;
        struct scatterlist              sg[1];
        int err;
+        u8 checksumdata[GSS_KRB5_MAX_CKSUM_LEN];
+        u8 rc4salt[4];
+        struct crypto_hash *md5;
+        struct crypto_hash *hmac_md5;
+        if (cksumkey == NULL)
+                return GSS_S_FAILURE;
+        if (cksumout->len < kctx->gk5e->cksumlength) {
+                dprintk("%s: checksum buffer length, %u, too small for %s\n",
+                        __func__, cksumout->len, kctx->gk5e->name);
+                return GSS_S_FAILURE;
+        }
+        if (arcfour_hmac_md5_usage_to_salt(usage, rc4salt)) {
+                dprintk("%s: invalid usage value %u\n", __func__, usage);
+                return GSS_S_FAILURE;
+        }
+        md5 = crypto_alloc_hash("md5", 0, CRYPTO_ALG_ASYNC);
+        if (IS_ERR(md5))
+                return GSS_S_FAILURE;
+        hmac_md5 = crypto_alloc_hash(kctx->gk5e->cksum_name, 0,
+                                     CRYPTO_ALG_ASYNC);
+        if (IS_ERR(hmac_md5)) {
+                crypto_free_hash(md5);
+                return GSS_S_FAILURE;
+        }
+        desc.tfm = md5;
+        desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
+        err = crypto_hash_init(&desc);
+        if (err)
+                goto out;
+        sg_init_one(sg, rc4salt, 4);
+        err = crypto_hash_update(&desc, sg, 4);
+        if (err)
+                goto out;
+        sg_init_one(sg, header, hdrlen);
+        err = crypto_hash_update(&desc, sg, hdrlen);
+        if (err)
+                goto out;
+        err = xdr_process_buf(body, body_offset, body->len - body_offset,
+                              checksummer, &desc);
+        if (err)
+                goto out;
+        err = crypto_hash_final(&desc, checksumdata);
+        if (err)
+                goto out;
+        desc.tfm = hmac_md5;
+        desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
+        err = crypto_hash_init(&desc);
+        if (err)
+                goto out;
+        err = crypto_hash_setkey(hmac_md5, cksumkey, kctx->gk5e->keylength);
+        if (err)
+                goto out;
+        sg_init_one(sg, checksumdata, crypto_hash_digestsize(md5));
+        err = crypto_hash_digest(&desc, sg, crypto_hash_digestsize(md5),
+                                 checksumdata);
+        if (err)
+                goto out;
+        memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
+        cksumout->len = kctx->gk5e->cksumlength;
+out:
+        crypto_free_hash(md5);
+        crypto_free_hash(hmac_md5);
+        return err ? GSS_S_FAILURE : 0;
+}
+/*
+ * checksum the plaintext data and hdrlen bytes of the token header
+ * The checksum is performed over the first 8 bytes of the
+ * gss token header and then over the data body
+ */
+u32
+make_checksum(struct krb5_ctx *kctx, char *header, int hdrlen,
+              struct xdr_buf *body, int body_offset, u8 *cksumkey,
+              unsigned int usage, struct xdr_netobj *cksumout)
+{
+        struct hash_desc                desc;
+        struct scatterlist              sg[1];
+        int err;
+        u8 checksumdata[GSS_KRB5_MAX_CKSUM_LEN];
+        unsigned int checksumlen;
+        if (kctx->gk5e->ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR)
+                return make_checksum_hmac_md5(kctx, header, hdrlen,
+                                              body, body_offset,
+                                              cksumkey, usage, cksumout);
+        if (cksumout->len < kctx->gk5e->cksumlength) {
+                dprintk("%s: checksum buffer length, %u, too small for %s\n",
+                        __func__, cksumout->len, kctx->gk5e->name);
+                return GSS_S_FAILURE;
+        }
-        desc.tfm = crypto_alloc_hash(cksumname, 0, CRYPTO_ALG_ASYNC);
+        desc.tfm = crypto_alloc_hash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC);
        if (IS_ERR(desc.tfm))
                return GSS_S_FAILURE;
-        cksum->len = crypto_hash_digestsize(desc.tfm);
        desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
+        checksumlen = crypto_hash_digestsize(desc.tfm);
+        if (cksumkey != NULL) {
+                err = crypto_hash_setkey(desc.tfm, cksumkey,
+                                         kctx->gk5e->keylength);
+                if (err)
+                        goto out;
+        }
        err = crypto_hash_init(&desc);
        if (err)
                goto out;
@@ -149,15 +284,109 @@ make_checksum(char *cksumname, char *header, int hdrlen, struct xdr_buf *body,
                              checksummer, &desc);
        if (err)
                goto out;
-        err = crypto_hash_final(&desc, cksum->data);
+        err = crypto_hash_final(&desc, checksumdata);
+        if (err)
+                goto out;
+        switch (kctx->gk5e->ctype) {
+        case CKSUMTYPE_RSA_MD5:
+                err = kctx->gk5e->encrypt(kctx->seq, NULL, checksumdata,
+                                          checksumdata, checksumlen);
+                if (err)
+                        goto out;
+                memcpy(cksumout->data,
+                       checksumdata + checksumlen - kctx->gk5e->cksumlength,
+                       kctx->gk5e->cksumlength);
+                break;
+        case CKSUMTYPE_HMAC_SHA1_DES3:
+                memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
+                break;
+        default:
+                BUG();
+                break;
+        }
+        cksumout->len = kctx->gk5e->cksumlength;
+out:
+        crypto_free_hash(desc.tfm);
+        return err ? GSS_S_FAILURE : 0;
+}
+/*
+ * checksum the plaintext data and hdrlen bytes of the token header
+ * Per rfc4121, sec. 4.2.4, the checksum is performed over the data
+ * body then over the first 16 octets of the MIC token
+ * Inclusion of the header data in the calculation of the
+ * checksum is optional.
+ */
+u32
+make_checksum_v2(struct krb5_ctx *kctx, char *header, int hdrlen,
+                 struct xdr_buf *body, int body_offset, u8 *cksumkey,
+                 unsigned int usage, struct xdr_netobj *cksumout)
+{
+        struct hash_desc desc;
+        struct scatterlist sg[1];
+        int err;
+        u8 checksumdata[GSS_KRB5_MAX_CKSUM_LEN];
+        unsigned int checksumlen;
+        if (kctx->gk5e->keyed_cksum == 0) {
+                dprintk("%s: expected keyed hash for %s\n",
+                        __func__, kctx->gk5e->name);
+                return GSS_S_FAILURE;
+        }
+        if (cksumkey == NULL) {
+                dprintk("%s: no key supplied for %s\n",
+                        __func__, kctx->gk5e->name);
+                return GSS_S_FAILURE;
+        }
+        desc.tfm = crypto_alloc_hash(kctx->gk5e->cksum_name, 0,
+                                                        CRYPTO_ALG_ASYNC);
+        if (IS_ERR(desc.tfm))
+                return GSS_S_FAILURE;
+        checksumlen = crypto_hash_digestsize(desc.tfm);
+        desc.flags = CRYPTO_TFM_REQ_MAY_SLEEP;
+        err = crypto_hash_setkey(desc.tfm, cksumkey, kctx->gk5e->keylength);
+        if (err)
+                goto out;
+        err = crypto_hash_init(&desc);
+        if (err)
+                goto out;
+        err = xdr_process_buf(body, body_offset, body->len - body_offset,
+                              checksummer, &desc);
+        if (err)
+                goto out;
+        if (header != NULL) {
+                sg_init_one(sg, header, hdrlen);
+                err = crypto_hash_update(&desc, sg, hdrlen);
+                if (err)
+                        goto out;
+        }
+        err = crypto_hash_final(&desc, checksumdata);
+        if (err)
+                goto out;
+        cksumout->len = kctx->gk5e->cksumlength;
+        switch (kctx->gk5e->ctype) {
+        case CKSUMTYPE_HMAC_SHA1_96_AES128:
+        case CKSUMTYPE_HMAC_SHA1_96_AES256:
+                /* note that this truncates the hash */
+                memcpy(cksumout->data, checksumdata, kctx->gk5e->cksumlength);
+                break;
+        default:
+                BUG();
+                break;
+        }
 out:
        crypto_free_hash(desc.tfm);
        return err ? GSS_S_FAILURE : 0;
 }
 struct encryptor_desc {
-        u8 iv[8]; /* XXX hard-coded blocksize */
+        u8 iv[GSS_KRB5_MAX_BLOCKSIZE];
        struct blkcipher_desc desc;
        int pos;
        struct xdr_buf *outbuf;
@@ -198,7 +427,7 @@ encryptor(struct scatterlist *sg, void *data)
        desc->fraglen += sg->length;
        desc->pos += sg->length;
-        fraglen = thislen & 7; /* XXX hardcoded blocksize */
+        fraglen = thislen & (crypto_blkcipher_blocksize(desc->desc.tfm) - 1);
        thislen -= fraglen;
        if (thislen == 0)
@@ -256,7 +485,7 @@ gss_encrypt_xdr_buf(struct crypto_blkcipher *tfm, struct xdr_buf *buf,
 }
 struct decryptor_desc {
-        u8 iv[8]; /* XXX hard-coded blocksize */
+        u8 iv[GSS_KRB5_MAX_BLOCKSIZE];
        struct blkcipher_desc desc;
        struct scatterlist frags[4];
        int fragno;
@@ -278,7 +507,7 @@ decryptor(struct scatterlist *sg, void *data)
        desc->fragno++;
        desc->fraglen += sg->length;
-        fraglen = thislen & 7; /* XXX hardcoded blocksize */
+        fraglen = thislen & (crypto_blkcipher_blocksize(desc->desc.tfm) - 1);
        thislen -= fraglen;
        if (thislen == 0)
@@ -325,3 +554,437 @@ gss_decrypt_xdr_buf(struct crypto_blkcipher *tfm, struct xdr_buf *buf,
        return xdr_process_buf(buf, offset, buf->len - offset, decryptor, &desc);
 }
+/*
+ * This function makes the assumption that it was ultimately called
+ * from gss_wrap().
+ *
+ * The client auth_gss code moves any existing tail data into a
+ * separate page before calling gss_wrap.
+ * The server svcauth_gss code ensures that both the head and the
+ * tail have slack space of RPC_MAX_AUTH_SIZE before calling gss_wrap.
+ *
+ * Even with that guarantee, this function may be called more than
+ * once in the processing of gss_wrap().  The best we can do is
+ * verify at compile-time (see GSS_KRB5_SLACK_CHECK) that the
+ * largest expected shift will fit within RPC_MAX_AUTH_SIZE.
+ * At run-time we can verify that a single invocation of this
+ * function doesn't attempt to use more the RPC_MAX_AUTH_SIZE.
+ */
+int
+xdr_extend_head(struct xdr_buf *buf, unsigned int base, unsigned int shiftlen)
+{
+        u8 *p;
+        if (shiftlen == 0)
+                return 0;
+        BUILD_BUG_ON(GSS_KRB5_MAX_SLACK_NEEDED > RPC_MAX_AUTH_SIZE);
+        BUG_ON(shiftlen > RPC_MAX_AUTH_SIZE);
+        p = buf->head[0].iov_base + base;
+        memmove(p + shiftlen, p, buf->head[0].iov_len - base);
+        buf->head[0].iov_len += shiftlen;
+        buf->len += shiftlen;
+        return 0;
+}
+static u32
+gss_krb5_cts_crypt(struct crypto_blkcipher *cipher, struct xdr_buf *buf,
+                   u32 offset, u8 *iv, struct page **pages, int encrypt)
+{
+        u32 ret;
+        struct scatterlist sg[1];
+        struct blkcipher_desc desc = { .tfm = cipher, .info = iv };
+        u8 data[crypto_blkcipher_blocksize(cipher) * 2];
+        struct page **save_pages;
+        u32 len = buf->len - offset;
+        BUG_ON(len > crypto_blkcipher_blocksize(cipher) * 2);
+        /*
+         * For encryption, we want to read from the cleartext
+         * page cache pages, and write the encrypted data to
+         * the supplied xdr_buf pages.
+         */
+        save_pages = buf->pages;
+        if (encrypt)
+                buf->pages = pages;
+        ret = read_bytes_from_xdr_buf(buf, offset, data, len);
+        buf->pages = save_pages;
+        if (ret)
+                goto out;
+        sg_init_one(sg, data, len);
+        if (encrypt)
+                ret = crypto_blkcipher_encrypt_iv(&desc, sg, sg, len);
+        else
+                ret = crypto_blkcipher_decrypt_iv(&desc, sg, sg, len);
+        if (ret)
+                goto out;
+        ret = write_bytes_to_xdr_buf(buf, offset, data, len);
+out:
+        return ret;
+}
+u32
+gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
+                     struct xdr_buf *buf, int ec, struct page **pages)
+{
+        u32 err;
+        struct xdr_netobj hmac;
+        u8 *cksumkey;
+        u8 *ecptr;
+        struct crypto_blkcipher *cipher, *aux_cipher;
+        int blocksize;
+        struct page **save_pages;
+        int nblocks, nbytes;
+        struct encryptor_desc desc;
+        u32 cbcbytes;
+        unsigned int usage;
+        if (kctx->initiate) {
+                cipher = kctx->initiator_enc;
+                aux_cipher = kctx->initiator_enc_aux;
+                cksumkey = kctx->initiator_integ;
+                usage = KG_USAGE_INITIATOR_SEAL;
+        } else {
+                cipher = kctx->acceptor_enc;
+                aux_cipher = kctx->acceptor_enc_aux;
+                cksumkey = kctx->acceptor_integ;
+                usage = KG_USAGE_ACCEPTOR_SEAL;
+        }
+        blocksize = crypto_blkcipher_blocksize(cipher);
+        /* hide the gss token header and insert the confounder */
+        offset += GSS_KRB5_TOK_HDR_LEN;
+        if (xdr_extend_head(buf, offset, kctx->gk5e->conflen))
+                return GSS_S_FAILURE;
+        gss_krb5_make_confounder(buf->head[0].iov_base + offset, kctx->gk5e->conflen);
+        offset -= GSS_KRB5_TOK_HDR_LEN;
+        if (buf->tail[0].iov_base != NULL) {
+                ecptr = buf->tail[0].iov_base + buf->tail[0].iov_len;
+        } else {
+                buf->tail[0].iov_base = buf->head[0].iov_base
+                                                        + buf->head[0].iov_len;
+                buf->tail[0].iov_len = 0;
+                ecptr = buf->tail[0].iov_base;
+        }
+        memset(ecptr, 'X', ec);
+        buf->tail[0].iov_len += ec;
+        buf->len += ec;
+        /* copy plaintext gss token header after filler (if any) */
+        memcpy(ecptr + ec, buf->head[0].iov_base + offset,
+                                                GSS_KRB5_TOK_HDR_LEN);
+        buf->tail[0].iov_len += GSS_KRB5_TOK_HDR_LEN;
+        buf->len += GSS_KRB5_TOK_HDR_LEN;
+        /* Do the HMAC */
+        hmac.len = GSS_KRB5_MAX_CKSUM_LEN;
+        hmac.data = buf->tail[0].iov_base + buf->tail[0].iov_len;
+        /*
+         * When we are called, pages points to the real page cache
+         * data -- which we can't go and encrypt!  buf->pages points
+         * to scratch pages which we are going to send off to the
+         * client/server.  Swap in the plaintext pages to calculate
+         * the hmac.
+         */
+        save_pages = buf->pages;
+        buf->pages = pages;
+        err = make_checksum_v2(kctx, NULL, 0, buf,
+                               offset + GSS_KRB5_TOK_HDR_LEN,
+                               cksumkey, usage, &hmac);
+        buf->pages = save_pages;
+        if (err)
+                return GSS_S_FAILURE;
+        nbytes = buf->len - offset - GSS_KRB5_TOK_HDR_LEN;
+        nblocks = (nbytes + blocksize - 1) / blocksize;
+        cbcbytes = 0;
+        if (nblocks > 2)
+                cbcbytes = (nblocks - 2) * blocksize;
+        memset(desc.iv, 0, sizeof(desc.iv));
+        if (cbcbytes) {
+                desc.pos = offset + GSS_KRB5_TOK_HDR_LEN;
+                desc.fragno = 0;
+                desc.fraglen = 0;
+                desc.pages = pages;
+                desc.outbuf = buf;
+                desc.desc.info = desc.iv;
+                desc.desc.flags = 0;
+                desc.desc.tfm = aux_cipher;
+                sg_init_table(desc.infrags, 4);
+                sg_init_table(desc.outfrags, 4);
+                err = xdr_process_buf(buf, offset + GSS_KRB5_TOK_HDR_LEN,
+                                      cbcbytes, encryptor, &desc);
+                if (err)
+                        goto out_err;
+        }
+        /* Make sure IV carries forward from any CBC results. */
+        err = gss_krb5_cts_crypt(cipher, buf,
+                                 offset + GSS_KRB5_TOK_HDR_LEN + cbcbytes,
+                                 desc.iv, pages, 1);
+        if (err) {
+                err = GSS_S_FAILURE;
+                goto out_err;
+        }
+        /* Now update buf to account for HMAC */
+        buf->tail[0].iov_len += kctx->gk5e->cksumlength;
+        buf->len += kctx->gk5e->cksumlength;
+out_err:
+        if (err)
+                err = GSS_S_FAILURE;
+        return err;
+}
+u32
+gss_krb5_aes_decrypt(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf,
+                     u32 *headskip, u32 *tailskip)
+{
+        struct xdr_buf subbuf;
+        u32 ret = 0;
+        u8 *cksum_key;
+        struct crypto_blkcipher *cipher, *aux_cipher;
+        struct xdr_netobj our_hmac_obj;
+        u8 our_hmac[GSS_KRB5_MAX_CKSUM_LEN];
+        u8 pkt_hmac[GSS_KRB5_MAX_CKSUM_LEN];
+        int nblocks, blocksize, cbcbytes;
+        struct decryptor_desc desc;
+        unsigned int usage;
+        if (kctx->initiate) {
+                cipher = kctx->acceptor_enc;
+                aux_cipher = kctx->acceptor_enc_aux;
+                cksum_key = kctx->acceptor_integ;
+                usage = KG_USAGE_ACCEPTOR_SEAL;
+        } else {
+                cipher = kctx->initiator_enc;
+                aux_cipher = kctx->initiator_enc_aux;
+                cksum_key = kctx->initiator_integ;
+                usage = KG_USAGE_INITIATOR_SEAL;
+        }
+        blocksize = crypto_blkcipher_blocksize(cipher);
+        /* create a segment skipping the header and leaving out the checksum */
+        xdr_buf_subsegment(buf, &subbuf, offset + GSS_KRB5_TOK_HDR_LEN,
+                                    (buf->len - offset - GSS_KRB5_TOK_HDR_LEN -
+                                     kctx->gk5e->cksumlength));
+        nblocks = (subbuf.len + blocksize - 1) / blocksize;
+        cbcbytes = 0;
+        if (nblocks > 2)
+                cbcbytes = (nblocks - 2) * blocksize;
+        memset(desc.iv, 0, sizeof(desc.iv));
+        if (cbcbytes) {
+                desc.fragno = 0;
+                desc.fraglen = 0;
+                desc.desc.info = desc.iv;
+                desc.desc.flags = 0;
+                desc.desc.tfm = aux_cipher;
+                sg_init_table(desc.frags, 4);
+                ret = xdr_process_buf(&subbuf, 0, cbcbytes, decryptor, &desc);
+                if (ret)
+                        goto out_err;
+        }
+        /* Make sure IV carries forward from any CBC results. */
+        ret = gss_krb5_cts_crypt(cipher, &subbuf, cbcbytes, desc.iv, NULL, 0);
+        if (ret)
+                goto out_err;
+        /* Calculate our hmac over the plaintext data */
+        our_hmac_obj.len = sizeof(our_hmac);
+        our_hmac_obj.data = our_hmac;
+        ret = make_checksum_v2(kctx, NULL, 0, &subbuf, 0,
+                               cksum_key, usage, &our_hmac_obj);
+        if (ret)
+                goto out_err;
+        /* Get the packet's hmac value */
+        ret = read_bytes_from_xdr_buf(buf, buf->len - kctx->gk5e->cksumlength,
+                                      pkt_hmac, kctx->gk5e->cksumlength);
+        if (ret)
+                goto out_err;
+        if (memcmp(pkt_hmac, our_hmac, kctx->gk5e->cksumlength) != 0) {
+                ret = GSS_S_BAD_SIG;
+                goto out_err;
+        }
+        *headskip = kctx->gk5e->conflen;
+        *tailskip = kctx->gk5e->cksumlength;
+out_err:
+        if (ret && ret != GSS_S_BAD_SIG)
+                ret = GSS_S_FAILURE;
+        return ret;
+}
+/*
+ * Compute Kseq given the initial session key and the checksum.
+ * Set the key of the given cipher.
+ */
+int
+krb5_rc4_setup_seq_key(struct krb5_ctx *kctx, struct crypto_blkcipher *cipher,
+                       unsigned char *cksum)
+{
+        struct crypto_hash *hmac;
+        struct hash_desc desc;
+        struct scatterlist sg[1];
+        u8 Kseq[GSS_KRB5_MAX_KEYLEN];
+        u32 zeroconstant = 0;
+        int err;
+        dprintk("%s: entered\n", __func__);
+        hmac = crypto_alloc_hash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC);
+        if (IS_ERR(hmac)) {
+                dprintk("%s: error %ld, allocating hash '%s'\n",
+                        __func__, PTR_ERR(hmac), kctx->gk5e->cksum_name);
+                return PTR_ERR(hmac);
+        }
+        desc.tfm = hmac;
+        desc.flags = 0;
+        err = crypto_hash_init(&desc);
+        if (err)
+                goto out_err;
+        /* Compute intermediate Kseq from session key */
+        err = crypto_hash_setkey(hmac, kctx->Ksess, kctx->gk5e->keylength);
+        if (err)
+                goto out_err;
+        sg_init_table(sg, 1);
+        sg_set_buf(sg, &zeroconstant, 4);
+        err = crypto_hash_digest(&desc, sg, 4, Kseq);
+        if (err)
+                goto out_err;
+        /* Compute final Kseq from the checksum and intermediate Kseq */
+        err = crypto_hash_setkey(hmac, Kseq, kctx->gk5e->keylength);
+        if (err)
+                goto out_err;
+        sg_set_buf(sg, cksum, 8);
+        err = crypto_hash_digest(&desc, sg, 8, Kseq);
+        if (err)
+                goto out_err;
+        err = crypto_blkcipher_setkey(cipher, Kseq, kctx->gk5e->keylength);
+        if (err)
+                goto out_err;
+        err = 0;
+out_err:
+        crypto_free_hash(hmac);
+        dprintk("%s: returning %d\n", __func__, err);
+        return err;
+}
+/*
+ * Compute Kcrypt given the initial session key and the plaintext seqnum.
+ * Set the key of cipher kctx->enc.
+ */
+int
+krb5_rc4_setup_enc_key(struct krb5_ctx *kctx, struct crypto_blkcipher *cipher,
+                       s32 seqnum)
+{
+        struct crypto_hash *hmac;
+        struct hash_desc desc;
+        struct scatterlist sg[1];
+        u8 Kcrypt[GSS_KRB5_MAX_KEYLEN];
+        u8 zeroconstant[4] = {0};
+        u8 seqnumarray[4];
+        int err, i;
+        dprintk("%s: entered, seqnum %u\n", __func__, seqnum);
+        hmac = crypto_alloc_hash(kctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC);
+        if (IS_ERR(hmac)) {
+                dprintk("%s: error %ld, allocating hash '%s'\n",
+                        __func__, PTR_ERR(hmac), kctx->gk5e->cksum_name);
+                return PTR_ERR(hmac);
+        }
+        desc.tfm = hmac;
+        desc.flags = 0;
+        err = crypto_hash_init(&desc);
+        if (err)
+                goto out_err;
+        /* Compute intermediate Kcrypt from session key */
+        for (i = 0; i < kctx->gk5e->keylength; i++)
+                Kcrypt[i] = kctx->Ksess[i] ^ 0xf0;
+        err = crypto_hash_setkey(hmac, Kcrypt, kctx->gk5e->keylength);
+        if (err)
+                goto out_err;
+        sg_init_table(sg, 1);
+        sg_set_buf(sg, zeroconstant, 4);
+        err = crypto_hash_digest(&desc, sg, 4, Kcrypt);
+        if (err)
+                goto out_err;
+        /* Compute final Kcrypt from the seqnum and intermediate Kcrypt */
+        err = crypto_hash_setkey(hmac, Kcrypt, kctx->gk5e->keylength);
+        if (err)
+                goto out_err;
+        seqnumarray[0] = (unsigned char) ((seqnum >> 24) & 0xff);
+        seqnumarray[1] = (unsigned char) ((seqnum >> 16) & 0xff);
+        seqnumarray[2] = (unsigned char) ((seqnum >> 8) & 0xff);
+        seqnumarray[3] = (unsigned char) ((seqnum >> 0) & 0xff);
+        sg_set_buf(sg, seqnumarray, 4);
+        err = crypto_hash_digest(&desc, sg, 4, Kcrypt);
+        if (err)
+                goto out_err;
+        err = crypto_blkcipher_setkey(cipher, Kcrypt, kctx->gk5e->keylength);
+        if (err)
+                goto out_err;
+        err = 0;
+out_err:
+        crypto_free_hash(hmac);
+        dprintk("%s: returning %d\n", __func__, err);
+        return err;
+}
diff --git a/net/sunrpc/auth_gss/gss_krb5_keys.c b/net/sunrpc/auth_gss/gss_krb5_keys.c
new file mode 100644
index 000000000000..76e42e6be755
--- /dev/null
+++ b/net/sunrpc/auth_gss/gss_krb5_keys.c
@@ -0,0 +1,336 @@
+/*
+ * COPYRIGHT (c) 2008
+ * The Regents of the University of Michigan
+ * ALL RIGHTS RESERVED
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of The University of
+ * Michigan is not used in any advertising or publicity
+ * pertaining to the use of distribution of this software
+ * without specific, written prior authorization.  If the
+ * above copyright notice or any other identification of the
+ * University of Michigan is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
+ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
+ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
+ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
+ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
+ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
+ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGES.
+ */
+/*
+ * Copyright (C) 1998 by the FundsXpress, INC.
+ *
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may require
+ * a specific license from the United States Government.  It is the
+ * responsibility of any person or organization contemplating export to
+ * obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of FundsXpress. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission.  FundsXpress makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is" without express
+ * or implied warranty.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+#include <linux/err.h>
+#include <linux/types.h>
+#include <linux/crypto.h>
+#include <linux/sunrpc/gss_krb5.h>
+#include <linux/sunrpc/xdr.h>
+#ifdef RPC_DEBUG
+# define RPCDBG_FACILITY        RPCDBG_AUTH
+#endif
+/*
+ * This is the n-fold function as described in rfc3961, sec 5.1
+ * Taken from MIT Kerberos and modified.
+ */
+static void krb5_nfold(u32 inbits, const u8 *in,
+                       u32 outbits, u8 *out)
+{
+        int a, b, c, lcm;
+        int byte, i, msbit;
+        /* the code below is more readable if I make these bytes
+           instead of bits */
+        inbits >>= 3;
+        outbits >>= 3;
+        /* first compute lcm(n,k) */
+        a = outbits;
+        b = inbits;
+        while (b != 0) {
+                c = b;
+                b = a%b;
+                a = c;
+        }
+        lcm = outbits*inbits/a;
+        /* now do the real work */
+        memset(out, 0, outbits);
+        byte = 0;
+        /* this will end up cycling through k lcm(k,n)/k times, which
+           is correct */
+        for (i = lcm-1; i >= 0; i--) {
+                /* compute the msbit in k which gets added into this byte */
+                msbit = (
+                        /* first, start with the msbit in the first,
+                         * unrotated byte */
+                         ((inbits << 3) - 1)
+                         /* then, for each byte, shift to the right
+                          * for each repetition */
+                         + (((inbits << 3) + 13) * (i/inbits))
+                         /* last, pick out the correct byte within
+                          * that shifted repetition */
+                         + ((inbits - (i % inbits)) << 3)
+                         ) % (inbits << 3);
+                /* pull out the byte value itself */
+                byte += (((in[((inbits - 1) - (msbit >> 3)) % inbits] << 8)|
+                                  (in[((inbits) - (msbit >> 3)) % inbits]))
+                                 >> ((msbit & 7) + 1)) & 0xff;
+                /* do the addition */
+                byte += out[i % outbits];
+                out[i % outbits] = byte & 0xff;
+                /* keep around the carry bit, if any */
+                byte >>= 8;
+        }
+        /* if there's a carry bit left over, add it back in */
+        if (byte) {
+                for (i = outbits - 1; i >= 0; i--) {
+                        /* do the addition */
+                        byte += out[i];
+                        out[i] = byte & 0xff;
+                        /* keep around the carry bit, if any */
+                        byte >>= 8;
+                }
+        }
+}
+/*
+ * This is the DK (derive_key) function as described in rfc3961, sec 5.1
+ * Taken from MIT Kerberos and modified.
+ */
+u32 krb5_derive_key(const struct gss_krb5_enctype *gk5e,
+                    const struct xdr_netobj *inkey,
+                    struct xdr_netobj *outkey,
+                    const struct xdr_netobj *in_constant,
+                    gfp_t gfp_mask)
+{
+        size_t blocksize, keybytes, keylength, n;
+        unsigned char *inblockdata, *outblockdata, *rawkey;
+        struct xdr_netobj inblock, outblock;
+        struct crypto_blkcipher *cipher;
+        u32 ret = EINVAL;
+        blocksize = gk5e->blocksize;
+        keybytes = gk5e->keybytes;
+        keylength = gk5e->keylength;
+        if ((inkey->len != keylength) || (outkey->len != keylength))
+                goto err_return;
+        cipher = crypto_alloc_blkcipher(gk5e->encrypt_name, 0,
+                                        CRYPTO_ALG_ASYNC);
+        if (IS_ERR(cipher))
+                goto err_return;
+        if (crypto_blkcipher_setkey(cipher, inkey->data, inkey->len))
+                goto err_return;
+        /* allocate and set up buffers */
+        ret = ENOMEM;
+        inblockdata = kmalloc(blocksize, gfp_mask);
+        if (inblockdata == NULL)
+                goto err_free_cipher;
+        outblockdata = kmalloc(blocksize, gfp_mask);
+        if (outblockdata == NULL)
+                goto err_free_in;
+        rawkey = kmalloc(keybytes, gfp_mask);
+        if (rawkey == NULL)
+                goto err_free_out;
+        inblock.data = (char *) inblockdata;
+        inblock.len = blocksize;
+        outblock.data = (char *) outblockdata;
+        outblock.len = blocksize;
+        /* initialize the input block */
+        if (in_constant->len == inblock.len) {
+                memcpy(inblock.data, in_constant->data, inblock.len);
+        } else {
+                krb5_nfold(in_constant->len * 8, in_constant->data,
+                           inblock.len * 8, inblock.data);
+        }
+        /* loop encrypting the blocks until enough key bytes are generated */
+        n = 0;
+        while (n < keybytes) {
+                (*(gk5e->encrypt))(cipher, NULL, inblock.data,
+                                   outblock.data, inblock.len);
+                if ((keybytes - n) <= outblock.len) {
+                        memcpy(rawkey + n, outblock.data, (keybytes - n));
+                        break;
+                }
+                memcpy(rawkey + n, outblock.data, outblock.len);
+                memcpy(inblock.data, outblock.data, outblock.len);
+                n += outblock.len;
+        }
+        /* postprocess the key */
+        inblock.data = (char *) rawkey;
+        inblock.len = keybytes;
+        BUG_ON(gk5e->mk_key == NULL);
+        ret = (*(gk5e->mk_key))(gk5e, &inblock, outkey);
+        if (ret) {
+                dprintk("%s: got %d from mk_key function for '%s'\n",
+                        __func__, ret, gk5e->encrypt_name);
+                goto err_free_raw;
+        }
+        /* clean memory, free resources and exit */
+        ret = 0;
+err_free_raw:
+        memset(rawkey, 0, keybytes);
+        kfree(rawkey);
+err_free_out:
+        memset(outblockdata, 0, blocksize);
+        kfree(outblockdata);
+err_free_in:
+        memset(inblockdata, 0, blocksize);
+        kfree(inblockdata);
+err_free_cipher:
+        crypto_free_blkcipher(cipher);
+err_return:
+        return ret;
+}
+#define smask(step) ((1<<step)-1)
+#define pstep(x, step) (((x)&smask(step))^(((x)>>step)&smask(step)))
+#define parity_char(x) pstep(pstep(pstep((x), 4), 2), 1)
+static void mit_des_fixup_key_parity(u8 key[8])
+{
+        int i;
+        for (i = 0; i < 8; i++) {
+                key[i] &= 0xfe;
+                key[i] |= 1^parity_char(key[i]);
+        }
+}
+/*
+ * This is the des3 key derivation postprocess function
+ */
+u32 gss_krb5_des3_make_key(const struct gss_krb5_enctype *gk5e,
+                           struct xdr_netobj *randombits,
+                           struct xdr_netobj *key)
+{
+        int i;
+        u32 ret = EINVAL;
+        if (key->len != 24) {
+                dprintk("%s: key->len is %d\n", __func__, key->len);
+                goto err_out;
+        }
+        if (randombits->len != 21) {
+                dprintk("%s: randombits->len is %d\n",
+                        __func__, randombits->len);
+                goto err_out;
+        }
+        /* take the seven bytes, move them around into the top 7 bits of the
+           8 key bytes, then compute the parity bits.  Do this three times. */
+        for (i = 0; i < 3; i++) {
+                memcpy(key->data + i*8, randombits->data + i*7, 7);
+                key->data[i*8+7] = (((key->data[i*8]&1)<<1) |
+                                    ((key->data[i*8+1]&1)<<2) |
+                                    ((key->data[i*8+2]&1)<<3) |
+                                    ((key->data[i*8+3]&1)<<4) |
+                                    ((key->data[i*8+4]&1)<<5) |
+                                    ((key->data[i*8+5]&1)<<6) |
+                                    ((key->data[i*8+6]&1)<<7));
+                mit_des_fixup_key_parity(key->data + i*8);
+        }
+        ret = 0;
+err_out:
+        return ret;
+}
+/*
+ * This is the aes key derivation postprocess function
+ */
+u32 gss_krb5_aes_make_key(const struct gss_krb5_enctype *gk5e,
+                          struct xdr_netobj *randombits,
+                          struct xdr_netobj *key)
+{
+        u32 ret = EINVAL;
+        if (key->len != 16 && key->len != 32) {
+                dprintk("%s: key->len is %d\n", __func__, key->len);
+                goto err_out;
+        }
+        if (randombits->len != 16 && randombits->len != 32) {
+                dprintk("%s: randombits->len is %d\n",
+                        __func__, randombits->len);
+                goto err_out;
+        }
+        if (randombits->len != key->len) {
+                dprintk("%s: randombits->len is %d, key->len is %d\n",
+                        __func__, randombits->len, key->len);
+                goto err_out;
+        }
+        memcpy(key->data, randombits->data, key->len);
+        ret = 0;
+err_out:
+        return ret;
+}
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index 2deb0ed72ff4..032644610524 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -1,7 +1,7 @@
 /*
 *  linux/net/sunrpc/gss_krb5_mech.c
 *
- *  Copyright (c) 2001 The Regents of the University of Michigan.
+ *  Copyright (c) 2001-2008 The Regents of the University of Michigan.
 *  All rights reserved.
 *
 *  Andy Adamson <andros@umich.edu>
@@ -48,6 +48,143 @@
 # define RPCDBG_FACILITY        RPCDBG_AUTH
 #endif
+static struct gss_api_mech gss_kerberos_mech;   /* forward declaration */
+static const struct gss_krb5_enctype supported_gss_krb5_enctypes[] = {
+        /*
+         * DES (All DES enctypes are mapped to the same gss functionality)
+         */
+        {
+          .etype = ENCTYPE_DES_CBC_RAW,
+          .ctype = CKSUMTYPE_RSA_MD5,
+          .name = "des-cbc-crc",
+          .encrypt_name = "cbc(des)",
+          .cksum_name = "md5",
+          .encrypt = krb5_encrypt,
+          .decrypt = krb5_decrypt,
+          .mk_key = NULL,
+          .signalg = SGN_ALG_DES_MAC_MD5,
+          .sealalg = SEAL_ALG_DES,
+          .keybytes = 7,
+          .keylength = 8,
+          .blocksize = 8,
+          .conflen = 8,
+          .cksumlength = 8,
+          .keyed_cksum = 0,
+        },
+        /*
+         * RC4-HMAC
+         */
+        {
+          .etype = ENCTYPE_ARCFOUR_HMAC,
+          .ctype = CKSUMTYPE_HMAC_MD5_ARCFOUR,
+          .name = "rc4-hmac",
+          .encrypt_name = "ecb(arc4)",
+          .cksum_name = "hmac(md5)",
+          .encrypt = krb5_encrypt,
+          .decrypt = krb5_decrypt,
+          .mk_key = NULL,
+          .signalg = SGN_ALG_HMAC_MD5,
+          .sealalg = SEAL_ALG_MICROSOFT_RC4,
+          .keybytes = 16,
+          .keylength = 16,
+          .blocksize = 1,
+          .conflen = 8,
+          .cksumlength = 8,
+          .keyed_cksum = 1,
+        },
+        /*
+         * 3DES
+         */
+        {
+          .etype = ENCTYPE_DES3_CBC_RAW,
+          .ctype = CKSUMTYPE_HMAC_SHA1_DES3,
+          .name = "des3-hmac-sha1",
+          .encrypt_name = "cbc(des3_ede)",
+          .cksum_name = "hmac(sha1)",
+          .encrypt = krb5_encrypt,
+          .decrypt = krb5_decrypt,
+          .mk_key = gss_krb5_des3_make_key,
+          .signalg = SGN_ALG_HMAC_SHA1_DES3_KD,
+          .sealalg = SEAL_ALG_DES3KD,
+          .keybytes = 21,
+          .keylength = 24,
+          .blocksize = 8,
+          .conflen = 8,
+          .cksumlength = 20,
+          .keyed_cksum = 1,
+        },
+        /*
+         * AES128
+         */
+        {
+          .etype = ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+          .ctype = CKSUMTYPE_HMAC_SHA1_96_AES128,
+          .name = "aes128-cts",
+          .encrypt_name = "cts(cbc(aes))",
+          .cksum_name = "hmac(sha1)",
+          .encrypt = krb5_encrypt,
+          .decrypt = krb5_decrypt,
+          .mk_key = gss_krb5_aes_make_key,
+          .encrypt_v2 = gss_krb5_aes_encrypt,
+          .decrypt_v2 = gss_krb5_aes_decrypt,
+          .signalg = -1,
+          .sealalg = -1,
+          .keybytes = 16,
+          .keylength = 16,
+          .blocksize = 16,
+          .conflen = 16,
+          .cksumlength = 12,
+          .keyed_cksum = 1,
+        },
+        /*
+         * AES256
+         */
+        {
+          .etype = ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+          .ctype = CKSUMTYPE_HMAC_SHA1_96_AES256,
+          .name = "aes256-cts",
+          .encrypt_name = "cts(cbc(aes))",
+          .cksum_name = "hmac(sha1)",
+          .encrypt = krb5_encrypt,
+          .decrypt = krb5_decrypt,
+          .mk_key = gss_krb5_aes_make_key,
+          .encrypt_v2 = gss_krb5_aes_encrypt,
+          .decrypt_v2 = gss_krb5_aes_decrypt,
+          .signalg = -1,
+          .sealalg = -1,
+          .keybytes = 32,
+          .keylength = 32,
+          .blocksize = 16,
+          .conflen = 16,
+          .cksumlength = 12,
+          .keyed_cksum = 1,
+        },
+};
+static const int num_supported_enctypes =
+        ARRAY_SIZE(supported_gss_krb5_enctypes);
+static int
+supported_gss_krb5_enctype(int etype)
+{
+        int i;
+        for (i = 0; i < num_supported_enctypes; i++)
+                if (supported_gss_krb5_enctypes[i].etype == etype)
+                        return 1;
+        return 0;
+}
+static const struct gss_krb5_enctype *
+get_gss_krb5_enctype(int etype)
+{
+        int i;
+        for (i = 0; i < num_supported_enctypes; i++)
+                if (supported_gss_krb5_enctypes[i].etype == etype)
+                        return &supported_gss_krb5_enctypes[i];
+        return NULL;
+}
 static const void *
 simple_get_bytes(const void *p, const void *end, void *res, int len)
 {
@@ -78,35 +215,45 @@ simple_get_netobj(const void *p, const void *end, struct xdr_netobj *res)
 }
 static inline const void *
-get_key(const void *p, const void *end, struct crypto_blkcipher **res)
+get_key(const void *p, const void *end,
+        struct krb5_ctx *ctx, struct crypto_blkcipher **res)
 {
        struct xdr_netobj       key;
        int                     alg;
-        char                    *alg_name;
        p = simple_get_bytes(p, end, &alg, sizeof(alg));
        if (IS_ERR(p))
                goto out_err;
+        switch (alg) {
+        case ENCTYPE_DES_CBC_CRC:
+        case ENCTYPE_DES_CBC_MD4:
+        case ENCTYPE_DES_CBC_MD5:
+                /* Map all these key types to ENCTYPE_DES_CBC_RAW */
+                alg = ENCTYPE_DES_CBC_RAW;
+                break;
+        }
+        if (!supported_gss_krb5_enctype(alg)) {
+                printk(KERN_WARNING "gss_kerberos_mech: unsupported "
+                        "encryption key algorithm %d\n", alg);
+                goto out_err;
+        }
        p = simple_get_netobj(p, end, &key);
        if (IS_ERR(p))
                goto out_err;
-        switch (alg) {
+        *res = crypto_alloc_blkcipher(ctx->gk5e->encrypt_name, 0,
-                case ENCTYPE_DES_CBC_RAW:
+                                                        CRYPTO_ALG_ASYNC);
-                        alg_name = "cbc(des)";
-                        break;
-                default:
-                        printk("gss_kerberos_mech: unsupported algorithm %d\n", alg);
-                        goto out_err_free_key;
-        }
-        *res = crypto_alloc_blkcipher(alg_name, 0, CRYPTO_ALG_ASYNC);
        if (IS_ERR(*res)) {
-                printk("gss_kerberos_mech: unable to initialize crypto algorithm %s\n", alg_name);
+                printk(KERN_WARNING "gss_kerberos_mech: unable to initialize "
+                        "crypto algorithm %s\n", ctx->gk5e->encrypt_name);
                *res = NULL;
                goto out_err_free_key;
        }
        if (crypto_blkcipher_setkey(*res, key.data, key.len)) {
-                printk("gss_kerberos_mech: error setting key for crypto algorithm %s\n", alg_name);
+                printk(KERN_WARNING "gss_kerberos_mech: error setting key for "
+                        "crypto algorithm %s\n", ctx->gk5e->encrypt_name);
                goto out_err_free_tfm;
        }
@@ -123,56 +270,55 @@ out_err:
 }
 static int
-gss_import_sec_context_kerberos(const void *p,
+gss_import_v1_context(const void *p, const void *end, struct krb5_ctx *ctx)
-                                size_t len,
-                                struct gss_ctx *ctx_id)
 {
-        const void *end = (const void *)((const char *)p + len);
-        struct  krb5_ctx *ctx;
        int tmp;
-        if (!(ctx = kzalloc(sizeof(*ctx), GFP_NOFS))) {
-                p = ERR_PTR(-ENOMEM);
-                goto out_err;
-        }
        p = simple_get_bytes(p, end, &ctx->initiate, sizeof(ctx->initiate));
        if (IS_ERR(p))
-                goto out_err_free_ctx;
+                goto out_err;
+        /* Old format supports only DES!  Any other enctype uses new format */
+        ctx->enctype = ENCTYPE_DES_CBC_RAW;
+        ctx->gk5e = get_gss_krb5_enctype(ctx->enctype);
+        if (ctx->gk5e == NULL)
+                goto out_err;
        /* The downcall format was designed before we completely understood
         * the uses of the context fields; so it includes some stuff we
         * just give some minimal sanity-checking, and some we ignore
         * completely (like the next twenty bytes): */
        if (unlikely(p + 20 > end || p + 20 < p))
-                goto out_err_free_ctx;
+                goto out_err;
        p += 20;
        p = simple_get_bytes(p, end, &tmp, sizeof(tmp));
        if (IS_ERR(p))
-                goto out_err_free_ctx;
+                goto out_err;
        if (tmp != SGN_ALG_DES_MAC_MD5) {
                p = ERR_PTR(-ENOSYS);
-                goto out_err_free_ctx;
+                goto out_err;
        }
        p = simple_get_bytes(p, end, &tmp, sizeof(tmp));
        if (IS_ERR(p))
-                goto out_err_free_ctx;
+                goto out_err;
        if (tmp != SEAL_ALG_DES) {
                p = ERR_PTR(-ENOSYS);
-                goto out_err_free_ctx;
+                goto out_err;
        }
        p = simple_get_bytes(p, end, &ctx->endtime, sizeof(ctx->endtime));
        if (IS_ERR(p))
-                goto out_err_free_ctx;
+                goto out_err;
        p = simple_get_bytes(p, end, &ctx->seq_send, sizeof(ctx->seq_send));
        if (IS_ERR(p))
-                goto out_err_free_ctx;
+                goto out_err;
        p = simple_get_netobj(p, end, &ctx->mech_used);
        if (IS_ERR(p))
-                goto out_err_free_ctx;
+                goto out_err;
-        p = get_key(p, end, &ctx->enc);
+        p = get_key(p, end, ctx, &ctx->enc);
        if (IS_ERR(p))
                goto out_err_free_mech;
-        p = get_key(p, end, &ctx->seq);
+        p = get_key(p, end, ctx, &ctx->seq);
        if (IS_ERR(p))
                goto out_err_free_key1;
        if (p != end) {
@@ -180,9 +326,6 @@ gss_import_sec_context_kerberos(const void *p,
                goto out_err_free_key2;
        }
-        ctx_id->internal_ctx_id = ctx;
-        dprintk("RPC:       Successfully imported new context.\n");
        return 0;
 out_err_free_key2:
@@ -191,18 +334,378 @@ out_err_free_key1:
        crypto_free_blkcipher(ctx->enc);
 out_err_free_mech:
        kfree(ctx->mech_used.data);
-out_err_free_ctx:
-        kfree(ctx);
 out_err:
        return PTR_ERR(p);
 }
+struct crypto_blkcipher *
+context_v2_alloc_cipher(struct krb5_ctx *ctx, const char *cname, u8 *key)
+{
+        struct crypto_blkcipher *cp;
+        cp = crypto_alloc_blkcipher(cname, 0, CRYPTO_ALG_ASYNC);
+        if (IS_ERR(cp)) {
+                dprintk("gss_kerberos_mech: unable to initialize "
+                        "crypto algorithm %s\n", cname);
+                return NULL;
+        }
+        if (crypto_blkcipher_setkey(cp, key, ctx->gk5e->keylength)) {
+                dprintk("gss_kerberos_mech: error setting key for "
+                        "crypto algorithm %s\n", cname);
+                crypto_free_blkcipher(cp);
+                return NULL;
+        }
+        return cp;
+}
+static inline void
+set_cdata(u8 cdata[GSS_KRB5_K5CLENGTH], u32 usage, u8 seed)
+{
+        cdata[0] = (usage>>24)&0xff;
+        cdata[1] = (usage>>16)&0xff;
+        cdata[2] = (usage>>8)&0xff;
+        cdata[3] = usage&0xff;
+        cdata[4] = seed;
+}
+static int
+context_derive_keys_des3(struct krb5_ctx *ctx, gfp_t gfp_mask)
+{
+        struct xdr_netobj c, keyin, keyout;
+        u8 cdata[GSS_KRB5_K5CLENGTH];
+        u32 err;
+        c.len = GSS_KRB5_K5CLENGTH;
+        c.data = cdata;
+        keyin.data = ctx->Ksess;
+        keyin.len = ctx->gk5e->keylength;
+        keyout.len = ctx->gk5e->keylength;
+        /* seq uses the raw key */
+        ctx->seq = context_v2_alloc_cipher(ctx, ctx->gk5e->encrypt_name,
+                                           ctx->Ksess);
+        if (ctx->seq == NULL)
+                goto out_err;
+        ctx->enc = context_v2_alloc_cipher(ctx, ctx->gk5e->encrypt_name,
+                                           ctx->Ksess);
+        if (ctx->enc == NULL)
+                goto out_free_seq;
+        /* derive cksum */
+        set_cdata(cdata, KG_USAGE_SIGN, KEY_USAGE_SEED_CHECKSUM);
+        keyout.data = ctx->cksum;
+        err = krb5_derive_key(ctx->gk5e, &keyin, &keyout, &c, gfp_mask);
+        if (err) {
+                dprintk("%s: Error %d deriving cksum key\n",
+                        __func__, err);
+                goto out_free_enc;
+        }
+        return 0;
+out_free_enc:
+        crypto_free_blkcipher(ctx->enc);
+out_free_seq:
+        crypto_free_blkcipher(ctx->seq);
+out_err:
+        return -EINVAL;
+}
+/*
+ * Note that RC4 depends on deriving keys using the sequence
+ * number or the checksum of a token.  Therefore, the final keys
+ * cannot be calculated until the token is being constructed!
+ */
+static int
+context_derive_keys_rc4(struct krb5_ctx *ctx)
+{
+        struct crypto_hash *hmac;
+        char sigkeyconstant[] = "signaturekey";
+        int slen = strlen(sigkeyconstant) + 1;  /* include null terminator */
+        struct hash_desc desc;
+        struct scatterlist sg[1];
+        int err;
+        dprintk("RPC:       %s: entered\n", __func__);
+        /*
+         * derive cksum (aka Ksign) key
+         */
+        hmac = crypto_alloc_hash(ctx->gk5e->cksum_name, 0, CRYPTO_ALG_ASYNC);
+        if (IS_ERR(hmac)) {
+                dprintk("%s: error %ld allocating hash '%s'\n",
+                        __func__, PTR_ERR(hmac), ctx->gk5e->cksum_name);
+                err = PTR_ERR(hmac);
+                goto out_err;
+        }
+        err = crypto_hash_setkey(hmac, ctx->Ksess, ctx->gk5e->keylength);
+        if (err)
+                goto out_err_free_hmac;
+        sg_init_table(sg, 1);
+        sg_set_buf(sg, sigkeyconstant, slen);
+        desc.tfm = hmac;
+        desc.flags = 0;
+        err = crypto_hash_init(&desc);
+        if (err)
+                goto out_err_free_hmac;
+        err = crypto_hash_digest(&desc, sg, slen, ctx->cksum);
+        if (err)
+                goto out_err_free_hmac;
+        /*
+         * allocate hash, and blkciphers for data and seqnum encryption
+         */
+        ctx->enc = crypto_alloc_blkcipher(ctx->gk5e->encrypt_name, 0,
+                                          CRYPTO_ALG_ASYNC);
+        if (IS_ERR(ctx->enc)) {
+                err = PTR_ERR(ctx->enc);
+                goto out_err_free_hmac;
+        }
+        ctx->seq = crypto_alloc_blkcipher(ctx->gk5e->encrypt_name, 0,
+                                          CRYPTO_ALG_ASYNC);
+        if (IS_ERR(ctx->seq)) {
+                crypto_free_blkcipher(ctx->enc);
+                err = PTR_ERR(ctx->seq);
+                goto out_err_free_hmac;
+        }
+        dprintk("RPC:       %s: returning success\n", __func__);
+        err = 0;
+out_err_free_hmac:
+        crypto_free_hash(hmac);
+out_err:
+        dprintk("RPC:       %s: returning %d\n", __func__, err);
+        return err;
+}
+static int
+context_derive_keys_new(struct krb5_ctx *ctx, gfp_t gfp_mask)
+{
+        struct xdr_netobj c, keyin, keyout;
+        u8 cdata[GSS_KRB5_K5CLENGTH];
+        u32 err;
+        c.len = GSS_KRB5_K5CLENGTH;
+        c.data = cdata;
+        keyin.data = ctx->Ksess;
+        keyin.len = ctx->gk5e->keylength;
+        keyout.len = ctx->gk5e->keylength;
+        /* initiator seal encryption */
+        set_cdata(cdata, KG_USAGE_INITIATOR_SEAL, KEY_USAGE_SEED_ENCRYPTION);
+        keyout.data = ctx->initiator_seal;
+        err = krb5_derive_key(ctx->gk5e, &keyin, &keyout, &c, gfp_mask);
+        if (err) {
+                dprintk("%s: Error %d deriving initiator_seal key\n",
+                        __func__, err);
+                goto out_err;
+        }
+        ctx->initiator_enc = context_v2_alloc_cipher(ctx,
+                                                     ctx->gk5e->encrypt_name,
+                                                     ctx->initiator_seal);
+        if (ctx->initiator_enc == NULL)
+                goto out_err;
+        /* acceptor seal encryption */
+        set_cdata(cdata, KG_USAGE_ACCEPTOR_SEAL, KEY_USAGE_SEED_ENCRYPTION);
+        keyout.data = ctx->acceptor_seal;
+        err = krb5_derive_key(ctx->gk5e, &keyin, &keyout, &c, gfp_mask);
+        if (err) {
+                dprintk("%s: Error %d deriving acceptor_seal key\n",
+                        __func__, err);
+                goto out_free_initiator_enc;
+        }
+        ctx->acceptor_enc = context_v2_alloc_cipher(ctx,
+                                                    ctx->gk5e->encrypt_name,
+                                                    ctx->acceptor_seal);
+        if (ctx->acceptor_enc == NULL)
+                goto out_free_initiator_enc;
+        /* initiator sign checksum */
+        set_cdata(cdata, KG_USAGE_INITIATOR_SIGN, KEY_USAGE_SEED_CHECKSUM);
+        keyout.data = ctx->initiator_sign;
+        err = krb5_derive_key(ctx->gk5e, &keyin, &keyout, &c, gfp_mask);
+        if (err) {
+                dprintk("%s: Error %d deriving initiator_sign key\n",
+                        __func__, err);
+                goto out_free_acceptor_enc;
+        }
+        /* acceptor sign checksum */
+        set_cdata(cdata, KG_USAGE_ACCEPTOR_SIGN, KEY_USAGE_SEED_CHECKSUM);
+        keyout.data = ctx->acceptor_sign;
+        err = krb5_derive_key(ctx->gk5e, &keyin, &keyout, &c, gfp_mask);
+        if (err) {
+                dprintk("%s: Error %d deriving acceptor_sign key\n",
+                        __func__, err);
+                goto out_free_acceptor_enc;
+        }
+        /* initiator seal integrity */
+        set_cdata(cdata, KG_USAGE_INITIATOR_SEAL, KEY_USAGE_SEED_INTEGRITY);
+        keyout.data = ctx->initiator_integ;
+        err = krb5_derive_key(ctx->gk5e, &keyin, &keyout, &c, gfp_mask);
+        if (err) {
+                dprintk("%s: Error %d deriving initiator_integ key\n",
+                        __func__, err);
+                goto out_free_acceptor_enc;
+        }
+        /* acceptor seal integrity */
+        set_cdata(cdata, KG_USAGE_ACCEPTOR_SEAL, KEY_USAGE_SEED_INTEGRITY);
+        keyout.data = ctx->acceptor_integ;
+        err = krb5_derive_key(ctx->gk5e, &keyin, &keyout, &c, gfp_mask);
+        if (err) {
+                dprintk("%s: Error %d deriving acceptor_integ key\n",
+                        __func__, err);
+                goto out_free_acceptor_enc;
+        }
+        switch (ctx->enctype) {
+        case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+        case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
+                ctx->initiator_enc_aux =
+                        context_v2_alloc_cipher(ctx, "cbc(aes)",
+                                                ctx->initiator_seal);
+                if (ctx->initiator_enc_aux == NULL)
+                        goto out_free_acceptor_enc;
+                ctx->acceptor_enc_aux =
+                        context_v2_alloc_cipher(ctx, "cbc(aes)",
+                                                ctx->acceptor_seal);
+                if (ctx->acceptor_enc_aux == NULL) {
+                        crypto_free_blkcipher(ctx->initiator_enc_aux);
+                        goto out_free_acceptor_enc;
+                }
+        }
+        return 0;
+out_free_acceptor_enc:
+        crypto_free_blkcipher(ctx->acceptor_enc);
+out_free_initiator_enc:
+        crypto_free_blkcipher(ctx->initiator_enc);
+out_err:
+        return -EINVAL;
+}
+static int
+gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
+                gfp_t gfp_mask)
+{
+        int keylen;
+        p = simple_get_bytes(p, end, &ctx->flags, sizeof(ctx->flags));
+        if (IS_ERR(p))
+                goto out_err;
+        ctx->initiate = ctx->flags & KRB5_CTX_FLAG_INITIATOR;
+        p = simple_get_bytes(p, end, &ctx->endtime, sizeof(ctx->endtime));
+        if (IS_ERR(p))
+                goto out_err;
+        p = simple_get_bytes(p, end, &ctx->seq_send64, sizeof(ctx->seq_send64));
+        if (IS_ERR(p))
+                goto out_err;
+        /* set seq_send for use by "older" enctypes */
+        ctx->seq_send = ctx->seq_send64;
+        if (ctx->seq_send64 != ctx->seq_send) {
+                dprintk("%s: seq_send64 %lx, seq_send %x overflow?\n", __func__,
+                        (long unsigned)ctx->seq_send64, ctx->seq_send);
+                goto out_err;
+        }
+        p = simple_get_bytes(p, end, &ctx->enctype, sizeof(ctx->enctype));
+        if (IS_ERR(p))
+                goto out_err;
+        /* Map ENCTYPE_DES3_CBC_SHA1 to ENCTYPE_DES3_CBC_RAW */
+        if (ctx->enctype == ENCTYPE_DES3_CBC_SHA1)
+                ctx->enctype = ENCTYPE_DES3_CBC_RAW;
+        ctx->gk5e = get_gss_krb5_enctype(ctx->enctype);
+        if (ctx->gk5e == NULL) {
+                dprintk("gss_kerberos_mech: unsupported krb5 enctype %u\n",
+                        ctx->enctype);
+                p = ERR_PTR(-EINVAL);
+                goto out_err;
+        }
+        keylen = ctx->gk5e->keylength;
+        p = simple_get_bytes(p, end, ctx->Ksess, keylen);
+        if (IS_ERR(p))
+                goto out_err;
+        if (p != end) {
+                p = ERR_PTR(-EINVAL);
+                goto out_err;
+        }
+        ctx->mech_used.data = kmemdup(gss_kerberos_mech.gm_oid.data,
+                                      gss_kerberos_mech.gm_oid.len, gfp_mask);
+        if (unlikely(ctx->mech_used.data == NULL)) {
+                p = ERR_PTR(-ENOMEM);
+                goto out_err;
+        }
+        ctx->mech_used.len = gss_kerberos_mech.gm_oid.len;
+        switch (ctx->enctype) {
+        case ENCTYPE_DES3_CBC_RAW:
+                return context_derive_keys_des3(ctx, gfp_mask);
+        case ENCTYPE_ARCFOUR_HMAC:
+                return context_derive_keys_rc4(ctx);
+        case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+        case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
+                return context_derive_keys_new(ctx, gfp_mask);
+        default:
+                return -EINVAL;
+        }
+out_err:
+        return PTR_ERR(p);
+}
+static int
+gss_import_sec_context_kerberos(const void *p, size_t len,
+                                struct gss_ctx *ctx_id,
+                                gfp_t gfp_mask)
+{
+        const void *end = (const void *)((const char *)p + len);
+        struct  krb5_ctx *ctx;
+        int ret;
+        ctx = kzalloc(sizeof(*ctx), gfp_mask);
+        if (ctx == NULL)
+                return -ENOMEM;
+        if (len == 85)
+                ret = gss_import_v1_context(p, end, ctx);
+        else
+                ret = gss_import_v2_context(p, end, ctx, gfp_mask);
+        if (ret == 0)
+                ctx_id->internal_ctx_id = ctx;
+        else
+                kfree(ctx);
+        dprintk("RPC:       %s: returning %d\n", __func__, ret);
+        return ret;
+}
 static void
 gss_delete_sec_context_kerberos(void *internal_ctx) {
        struct krb5_ctx *kctx = internal_ctx;
        crypto_free_blkcipher(kctx->seq);
        crypto_free_blkcipher(kctx->enc);
+        crypto_free_blkcipher(kctx->acceptor_enc);
+        crypto_free_blkcipher(kctx->initiator_enc);
+        crypto_free_blkcipher(kctx->acceptor_enc_aux);
+        crypto_free_blkcipher(kctx->initiator_enc_aux);
        kfree(kctx->mech_used.data);
        kfree(kctx);
 }
@@ -241,6 +744,7 @@ static struct gss_api_mech gss_kerberos_mech = {
        .gm_ops         = &gss_kerberos_ops,
        .gm_pf_num      = ARRAY_SIZE(gss_kerberos_pfs),
        .gm_pfs         = gss_kerberos_pfs,
+        .gm_upcall_enctypes = "enctypes=18,17,16,23,3,1,2 ",
 };
 static int __init init_kerberos_module(void)
diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c
index 88fe6e75ed7e..d7941eab7796 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seal.c
@@ -3,7 +3,7 @@
 *
 *  Adapted from MIT Kerberos 5-1.2.1 lib/gssapi/krb5/k5seal.c
 *
- *  Copyright (c) 2000 The Regents of the University of Michigan.
+ *  Copyright (c) 2000-2008 The Regents of the University of Michigan.
 *  All rights reserved.
 *
 *  Andy Adamson        <andros@umich.edu>
@@ -70,53 +70,154 @@
 DEFINE_SPINLOCK(krb5_seq_lock);
-u32
+static char *
-gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
+setup_token(struct krb5_ctx *ctx, struct xdr_netobj *token)
+{
+        __be16 *ptr, *krb5_hdr;
+        int body_size = GSS_KRB5_TOK_HDR_LEN + ctx->gk5e->cksumlength;
+        token->len = g_token_size(&ctx->mech_used, body_size);
+        ptr = (__be16 *)token->data;
+        g_make_token_header(&ctx->mech_used, body_size, (unsigned char **)&ptr);
+        /* ptr now at start of header described in rfc 1964, section 1.2.1: */
+        krb5_hdr = ptr;
+        *ptr++ = KG_TOK_MIC_MSG;
+        *ptr++ = cpu_to_le16(ctx->gk5e->signalg);
+        *ptr++ = SEAL_ALG_NONE;
+        *ptr++ = 0xffff;
+        return (char *)krb5_hdr;
+}
+static void *
+setup_token_v2(struct krb5_ctx *ctx, struct xdr_netobj *token)
+{
+        __be16 *ptr, *krb5_hdr;
+        u8 *p, flags = 0x00;
+        if ((ctx->flags & KRB5_CTX_FLAG_INITIATOR) == 0)
+                flags |= 0x01;
+        if (ctx->flags & KRB5_CTX_FLAG_ACCEPTOR_SUBKEY)
+                flags |= 0x04;
+        /* Per rfc 4121, sec 4.2.6.1, there is no header,
+         * just start the token */
+        krb5_hdr = ptr = (__be16 *)token->data;
+        *ptr++ = KG2_TOK_MIC;
+        p = (u8 *)ptr;
+        *p++ = flags;
+        *p++ = 0xff;
+        ptr = (__be16 *)p;
+        *ptr++ = 0xffff;
+        *ptr++ = 0xffff;
+        token->len = GSS_KRB5_TOK_HDR_LEN + ctx->gk5e->cksumlength;
+        return krb5_hdr;
+}
+static u32
+gss_get_mic_v1(struct krb5_ctx *ctx, struct xdr_buf *text,
                struct xdr_netobj *token)
 {
-        struct krb5_ctx         *ctx = gss_ctx->internal_ctx_id;
+        char                    cksumdata[GSS_KRB5_MAX_CKSUM_LEN];
-        char                    cksumdata[16];
+        struct xdr_netobj       md5cksum = {.len = sizeof(cksumdata),
-        struct xdr_netobj       md5cksum = {.len = 0, .data = cksumdata};
+                                            .data = cksumdata};
-        unsigned char           *ptr, *msg_start;
+        void                    *ptr;
        s32                     now;
        u32                     seq_send;
+        u8                      *cksumkey;
-        dprintk("RPC:       gss_krb5_seal\n");
+        dprintk("RPC:       %s\n", __func__);
        BUG_ON(ctx == NULL);
        now = get_seconds();
-        token->len = g_token_size(&ctx->mech_used, GSS_KRB5_TOK_HDR_LEN + 8);
+        ptr = setup_token(ctx, token);
-        ptr = token->data;
+        if (ctx->gk5e->keyed_cksum)
-        g_make_token_header(&ctx->mech_used, GSS_KRB5_TOK_HDR_LEN + 8, &ptr);
+                cksumkey = ctx->cksum;
+        else
+                cksumkey = NULL;
-        /* ptr now at header described in rfc 1964, section 1.2.1: */
+        if (make_checksum(ctx, ptr, 8, text, 0, cksumkey,
-        ptr[0] = (unsigned char) ((KG_TOK_MIC_MSG >> 8) & 0xff);
+                          KG_USAGE_SIGN, &md5cksum))
-        ptr[1] = (unsigned char) (KG_TOK_MIC_MSG & 0xff);
+                return GSS_S_FAILURE;
-        msg_start = ptr + GSS_KRB5_TOK_HDR_LEN + 8;
+        memcpy(ptr + GSS_KRB5_TOK_HDR_LEN, md5cksum.data, md5cksum.len);
-        *(__be16 *)(ptr + 2) = htons(SGN_ALG_DES_MAC_MD5);
+        spin_lock(&krb5_seq_lock);
-        memset(ptr + 4, 0xff, 4);
+        seq_send = ctx->seq_send++;
+        spin_unlock(&krb5_seq_lock);
-        if (make_checksum("md5", ptr, 8, text, 0, &md5cksum))
+        if (krb5_make_seq_num(ctx, ctx->seq, ctx->initiate ? 0 : 0xff,
+                              seq_send, ptr + GSS_KRB5_TOK_HDR_LEN, ptr + 8))
                return GSS_S_FAILURE;
-        if (krb5_encrypt(ctx->seq, NULL, md5cksum.data,
+        return (ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
-                          md5cksum.data, md5cksum.len))
+}
-                return GSS_S_FAILURE;
+u32
+gss_get_mic_v2(struct krb5_ctx *ctx, struct xdr_buf *text,
+                struct xdr_netobj *token)
+{
+        char cksumdata[GSS_KRB5_MAX_CKSUM_LEN];
+        struct xdr_netobj cksumobj = { .len = sizeof(cksumdata),
+                                       .data = cksumdata};
+        void *krb5_hdr;
+        s32 now;
+        u64 seq_send;
+        u8 *cksumkey;
+        unsigned int cksum_usage;
-        memcpy(ptr + GSS_KRB5_TOK_HDR_LEN, md5cksum.data + md5cksum.len - 8, 8);
+        dprintk("RPC:       %s\n", __func__);
+        krb5_hdr = setup_token_v2(ctx, token);
+        /* Set up the sequence number. Now 64-bits in clear
+         * text and w/o direction indicator */
        spin_lock(&krb5_seq_lock);
-        seq_send = ctx->seq_send++;
+        seq_send = ctx->seq_send64++;
        spin_unlock(&krb5_seq_lock);
+        *((u64 *)(krb5_hdr + 8)) = cpu_to_be64(seq_send);
-        if (krb5_make_seq_num(ctx->seq, ctx->initiate ? 0 : 0xff,
-                              seq_send, ptr + GSS_KRB5_TOK_HDR_LEN,
+        if (ctx->initiate) {
-                              ptr + 8))
+                cksumkey = ctx->initiator_sign;
+                cksum_usage = KG_USAGE_INITIATOR_SIGN;
+        } else {
+                cksumkey = ctx->acceptor_sign;
+                cksum_usage = KG_USAGE_ACCEPTOR_SIGN;
+        }
+        if (make_checksum_v2(ctx, krb5_hdr, GSS_KRB5_TOK_HDR_LEN,
+                             text, 0, cksumkey, cksum_usage, &cksumobj))
                return GSS_S_FAILURE;
+        memcpy(krb5_hdr + GSS_KRB5_TOK_HDR_LEN, cksumobj.data, cksumobj.len);
+        now = get_seconds();
        return (ctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
 }
+u32
+gss_get_mic_kerberos(struct gss_ctx *gss_ctx, struct xdr_buf *text,
+                     struct xdr_netobj *token)
+{
+        struct krb5_ctx         *ctx = gss_ctx->internal_ctx_id;
+        switch (ctx->enctype) {
+        default:
+                BUG();
+        case ENCTYPE_DES_CBC_RAW:
+        case ENCTYPE_DES3_CBC_RAW:
+        case ENCTYPE_ARCFOUR_HMAC:
+                return gss_get_mic_v1(ctx, text, token);
+        case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+        case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
+                return gss_get_mic_v2(ctx, text, token);
+        }
+}
diff --git a/net/sunrpc/auth_gss/gss_krb5_seqnum.c b/net/sunrpc/auth_gss/gss_krb5_seqnum.c
index 6331cd6866ec..415c013ba382 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seqnum.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seqnum.c
@@ -39,14 +39,51 @@
 # define RPCDBG_FACILITY        RPCDBG_AUTH
 #endif
+static s32
+krb5_make_rc4_seq_num(struct krb5_ctx *kctx, int direction, s32 seqnum,
+                      unsigned char *cksum, unsigned char *buf)
+{
+        struct crypto_blkcipher *cipher;
+        unsigned char plain[8];
+        s32 code;
+        dprintk("RPC:       %s:\n", __func__);
+        cipher = crypto_alloc_blkcipher(kctx->gk5e->encrypt_name, 0,
+                                        CRYPTO_ALG_ASYNC);
+        if (IS_ERR(cipher))
+                return PTR_ERR(cipher);
+        plain[0] = (unsigned char) ((seqnum >> 24) & 0xff);
+        plain[1] = (unsigned char) ((seqnum >> 16) & 0xff);
+        plain[2] = (unsigned char) ((seqnum >> 8) & 0xff);
+        plain[3] = (unsigned char) ((seqnum >> 0) & 0xff);
+        plain[4] = direction;
+        plain[5] = direction;
+        plain[6] = direction;
+        plain[7] = direction;
+        code = krb5_rc4_setup_seq_key(kctx, cipher, cksum);
+        if (code)
+                goto out;
+        code = krb5_encrypt(cipher, cksum, plain, buf, 8);
+out:
+        crypto_free_blkcipher(cipher);
+        return code;
+}
 s32
-krb5_make_seq_num(struct crypto_blkcipher *key,
+krb5_make_seq_num(struct krb5_ctx *kctx,
+                struct crypto_blkcipher *key,
                int direction,
                u32 seqnum,
                unsigned char *cksum, unsigned char *buf)
 {
        unsigned char plain[8];
+        if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
+                return krb5_make_rc4_seq_num(kctx, direction, seqnum,
+                                             cksum, buf);
        plain[0] = (unsigned char) (seqnum & 0xff);
        plain[1] = (unsigned char) ((seqnum >> 8) & 0xff);
        plain[2] = (unsigned char) ((seqnum >> 16) & 0xff);
@@ -60,17 +97,59 @@ krb5_make_seq_num(struct crypto_blkcipher *key,
        return krb5_encrypt(key, cksum, plain, buf, 8);
 }
+static s32
+krb5_get_rc4_seq_num(struct krb5_ctx *kctx, unsigned char *cksum,
+                     unsigned char *buf, int *direction, s32 *seqnum)
+{
+        struct crypto_blkcipher *cipher;
+        unsigned char plain[8];
+        s32 code;
+        dprintk("RPC:       %s:\n", __func__);
+        cipher = crypto_alloc_blkcipher(kctx->gk5e->encrypt_name, 0,
+                                        CRYPTO_ALG_ASYNC);
+        if (IS_ERR(cipher))
+                return PTR_ERR(cipher);
+        code = krb5_rc4_setup_seq_key(kctx, cipher, cksum);
+        if (code)
+                goto out;
+        code = krb5_decrypt(cipher, cksum, buf, plain, 8);
+        if (code)
+                goto out;
+        if ((plain[4] != plain[5]) || (plain[4] != plain[6])
+                                   || (plain[4] != plain[7])) {
+                code = (s32)KG_BAD_SEQ;
+                goto out;
+        }
+        *direction = plain[4];
+        *seqnum = ((plain[0] << 24) | (plain[1] << 16) |
+                                        (plain[2] << 8) | (plain[3]));
+out:
+        crypto_free_blkcipher(cipher);
+        return code;
+}
 s32
-krb5_get_seq_num(struct crypto_blkcipher *key,
+krb5_get_seq_num(struct krb5_ctx *kctx,
               unsigned char *cksum,
               unsigned char *buf,
               int *direction, u32 *seqnum)
 {
        s32 code;
        unsigned char plain[8];
+        struct crypto_blkcipher *key = kctx->seq;
        dprintk("RPC:       krb5_get_seq_num:\n");
+        if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
+                return krb5_get_rc4_seq_num(kctx, cksum, buf,
+                                            direction, seqnum);
        if ((code = krb5_decrypt(key, cksum, buf, plain, 8)))
                return code;
diff --git a/net/sunrpc/auth_gss/gss_krb5_unseal.c b/net/sunrpc/auth_gss/gss_krb5_unseal.c
index ce6c247edad0..6cd930f3678f 100644
--- a/net/sunrpc/auth_gss/gss_krb5_unseal.c
+++ b/net/sunrpc/auth_gss/gss_krb5_unseal.c
@@ -3,7 +3,7 @@
 *
 *  Adapted from MIT Kerberos 5-1.2.1 lib/gssapi/krb5/k5unseal.c
 *
- *  Copyright (c) 2000 The Regents of the University of Michigan.
+ *  Copyright (c) 2000-2008 The Regents of the University of Michigan.
 *  All rights reserved.
 *
 *  Andy Adamson   <andros@umich.edu>
@@ -70,20 +70,21 @@
 /* read_token is a mic token, and message_buffer is the data that the mic was
 * supposedly taken over. */
-u32
+static u32
-gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
+gss_verify_mic_v1(struct krb5_ctx *ctx,
                struct xdr_buf *message_buffer, struct xdr_netobj *read_token)
 {
-        struct krb5_ctx         *ctx = gss_ctx->internal_ctx_id;
        int                     signalg;
        int                     sealalg;
-        char                    cksumdata[16];
+        char                    cksumdata[GSS_KRB5_MAX_CKSUM_LEN];
-        struct xdr_netobj       md5cksum = {.len = 0, .data = cksumdata};
+        struct xdr_netobj       md5cksum = {.len = sizeof(cksumdata),
+                                            .data = cksumdata};
        s32                     now;
        int                     direction;
        u32                     seqnum;
        unsigned char           *ptr = (unsigned char *)read_token->data;
        int                     bodysize;
+        u8                      *cksumkey;
        dprintk("RPC:       krb5_read_token\n");
@@ -98,7 +99,7 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
        /* XXX sanity-check bodysize?? */
        signalg = ptr[2] + (ptr[3] << 8);
-        if (signalg != SGN_ALG_DES_MAC_MD5)
+        if (signalg != ctx->gk5e->signalg)
                return GSS_S_DEFECTIVE_TOKEN;
        sealalg = ptr[4] + (ptr[5] << 8);
@@ -108,13 +109,17 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
        if ((ptr[6] != 0xff) || (ptr[7] != 0xff))
                return GSS_S_DEFECTIVE_TOKEN;
-        if (make_checksum("md5", ptr, 8, message_buffer, 0, &md5cksum))
+        if (ctx->gk5e->keyed_cksum)
-                return GSS_S_FAILURE;
+                cksumkey = ctx->cksum;
+        else
+                cksumkey = NULL;
-        if (krb5_encrypt(ctx->seq, NULL, md5cksum.data, md5cksum.data, 16))
+        if (make_checksum(ctx, ptr, 8, message_buffer, 0,
+                          cksumkey, KG_USAGE_SIGN, &md5cksum))
                return GSS_S_FAILURE;
-        if (memcmp(md5cksum.data + 8, ptr + GSS_KRB5_TOK_HDR_LEN, 8))
+        if (memcmp(md5cksum.data, ptr + GSS_KRB5_TOK_HDR_LEN,
+                                        ctx->gk5e->cksumlength))
                return GSS_S_BAD_SIG;
        /* it got through unscathed.  Make sure the context is unexpired */
@@ -126,7 +131,8 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
        /* do sequencing checks */
-        if (krb5_get_seq_num(ctx->seq, ptr + GSS_KRB5_TOK_HDR_LEN, ptr + 8, &direction, &seqnum))
+        if (krb5_get_seq_num(ctx, ptr + GSS_KRB5_TOK_HDR_LEN, ptr + 8,
+                             &direction, &seqnum))
                return GSS_S_FAILURE;
        if ((ctx->initiate && direction != 0xff) ||
@@ -135,3 +141,86 @@ gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
        return GSS_S_COMPLETE;
 }
+static u32
+gss_verify_mic_v2(struct krb5_ctx *ctx,
+                struct xdr_buf *message_buffer, struct xdr_netobj *read_token)
+{
+        char cksumdata[GSS_KRB5_MAX_CKSUM_LEN];
+        struct xdr_netobj cksumobj = {.len = sizeof(cksumdata),
+                                      .data = cksumdata};
+        s32 now;
+        u64 seqnum;
+        u8 *ptr = read_token->data;
+        u8 *cksumkey;
+        u8 flags;
+        int i;
+        unsigned int cksum_usage;
+        dprintk("RPC:       %s\n", __func__);
+        if (be16_to_cpu(*((__be16 *)ptr)) != KG2_TOK_MIC)
+                return GSS_S_DEFECTIVE_TOKEN;
+        flags = ptr[2];
+        if ((!ctx->initiate && (flags & KG2_TOKEN_FLAG_SENTBYACCEPTOR)) ||
+            (ctx->initiate && !(flags & KG2_TOKEN_FLAG_SENTBYACCEPTOR)))
+                return GSS_S_BAD_SIG;
+        if (flags & KG2_TOKEN_FLAG_SEALED) {
+                dprintk("%s: token has unexpected sealed flag\n", __func__);
+                return GSS_S_FAILURE;
+        }
+        for (i = 3; i < 8; i++)
+                if (ptr[i] != 0xff)
+                        return GSS_S_DEFECTIVE_TOKEN;
+        if (ctx->initiate) {
+                cksumkey = ctx->acceptor_sign;
+                cksum_usage = KG_USAGE_ACCEPTOR_SIGN;
+        } else {
+                cksumkey = ctx->initiator_sign;
+                cksum_usage = KG_USAGE_INITIATOR_SIGN;
+        }
+        if (make_checksum_v2(ctx, ptr, GSS_KRB5_TOK_HDR_LEN, message_buffer, 0,
+                             cksumkey, cksum_usage, &cksumobj))
+                return GSS_S_FAILURE;
+        if (memcmp(cksumobj.data, ptr + GSS_KRB5_TOK_HDR_LEN,
+                                ctx->gk5e->cksumlength))
+                return GSS_S_BAD_SIG;
+        /* it got through unscathed.  Make sure the context is unexpired */
+        now = get_seconds();
+        if (now > ctx->endtime)
+                return GSS_S_CONTEXT_EXPIRED;
+        /* do sequencing checks */
+        seqnum = be64_to_cpup((__be64 *)ptr + 8);
+        return GSS_S_COMPLETE;
+}
+u32
+gss_verify_mic_kerberos(struct gss_ctx *gss_ctx,
+                        struct xdr_buf *message_buffer,
+                        struct xdr_netobj *read_token)
+{
+        struct krb5_ctx *ctx = gss_ctx->internal_ctx_id;
+        switch (ctx->enctype) {
+        default:
+                BUG();
+        case ENCTYPE_DES_CBC_RAW:
+        case ENCTYPE_DES3_CBC_RAW:
+        case ENCTYPE_ARCFOUR_HMAC:
+                return gss_verify_mic_v1(ctx, message_buffer, read_token);
+        case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+        case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
+                return gss_verify_mic_v2(ctx, message_buffer, read_token);
+        }
+}
diff --git a/net/sunrpc/auth_gss/gss_krb5_wrap.c b/net/sunrpc/auth_gss/gss_krb5_wrap.c
index a6e905637e03..2763e3e48db4 100644
--- a/net/sunrpc/auth_gss/gss_krb5_wrap.c
+++ b/net/sunrpc/auth_gss/gss_krb5_wrap.c
@@ -1,3 +1,33 @@
+/*
+ * COPYRIGHT (c) 2008
+ * The Regents of the University of Michigan
+ * ALL RIGHTS RESERVED
+ *
+ * Permission is granted to use, copy, create derivative works
+ * and redistribute this software and such derivative works
+ * for any purpose, so long as the name of The University of
+ * Michigan is not used in any advertising or publicity
+ * pertaining to the use of distribution of this software
+ * without specific, written prior authorization.  If the
+ * above copyright notice or any other identification of the
+ * University of Michigan is included in any copy of any
+ * portion of this software, then the disclaimer below must
+ * also be included.
+ *
+ * THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION
+ * FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY
+ * PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF
+ * MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+ * WITHOUT LIMITATION THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE
+ * REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE
+ * FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR
+ * CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN
+ * IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGES.
+ */
 #include <linux/types.h>
 #include <linux/jiffies.h>
 #include <linux/sunrpc/gss_krb5.h>
@@ -12,10 +42,7 @@
 static inline int
 gss_krb5_padding(int blocksize, int length)
 {
-        /* Most of the code is block-size independent but currently we
+        return blocksize - (length % blocksize);
-         * use only 8: */
-        BUG_ON(blocksize != 8);
-        return 8 - (length & 7);
 }
 static inline void
@@ -86,8 +113,8 @@ out:
        return 0;
 }
-static void
+void
-make_confounder(char *p, u32 conflen)
+gss_krb5_make_confounder(char *p, u32 conflen)
 {
        static u64 i = 0;
        u64 *q = (u64 *)p;
@@ -127,69 +154,73 @@ make_confounder(char *p, u32 conflen)
 /* XXX factor out common code with seal/unseal. */
-u32
+static u32
-gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
+gss_wrap_kerberos_v1(struct krb5_ctx *kctx, int offset,
                struct xdr_buf *buf, struct page **pages)
 {
-        struct krb5_ctx         *kctx = ctx->internal_ctx_id;
+        char                    cksumdata[GSS_KRB5_MAX_CKSUM_LEN];
-        char                    cksumdata[16];
+        struct xdr_netobj       md5cksum = {.len = sizeof(cksumdata),
-        struct xdr_netobj       md5cksum = {.len = 0, .data = cksumdata};
+                                            .data = cksumdata};
        int                     blocksize = 0, plainlen;
        unsigned char           *ptr, *msg_start;
        s32                     now;
        int                     headlen;
        struct page             **tmp_pages;
        u32                     seq_send;
+        u8                      *cksumkey;
+        u32                     conflen = kctx->gk5e->conflen;
-        dprintk("RPC:       gss_wrap_kerberos\n");
+        dprintk("RPC:       %s\n", __func__);
        now = get_seconds();
        blocksize = crypto_blkcipher_blocksize(kctx->enc);
        gss_krb5_add_padding(buf, offset, blocksize);
        BUG_ON((buf->len - offset) % blocksize);
-        plainlen = blocksize + buf->len - offset;
+        plainlen = conflen + buf->len - offset;
-        headlen = g_token_size(&kctx->mech_used, 24 + plainlen) -
+        headlen = g_token_size(&kctx->mech_used,
-                                                (buf->len - offset);
+                GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength + plainlen) -
+                (buf->len - offset);
        ptr = buf->head[0].iov_base + offset;
        /* shift data to make room for header. */
+        xdr_extend_head(buf, offset, headlen);
        /* XXX Would be cleverer to encrypt while copying. */
-        /* XXX bounds checking, slack, etc. */
-        memmove(ptr + headlen, ptr, buf->head[0].iov_len - offset);
-        buf->head[0].iov_len += headlen;
-        buf->len += headlen;
        BUG_ON((buf->len - offset - headlen) % blocksize);
        g_make_token_header(&kctx->mech_used,
-                                GSS_KRB5_TOK_HDR_LEN + 8 + plainlen, &ptr);
+                                GSS_KRB5_TOK_HDR_LEN +
+                                kctx->gk5e->cksumlength + plainlen, &ptr);
        /* ptr now at header described in rfc 1964, section 1.2.1: */
        ptr[0] = (unsigned char) ((KG_TOK_WRAP_MSG >> 8) & 0xff);
        ptr[1] = (unsigned char) (KG_TOK_WRAP_MSG & 0xff);
-        msg_start = ptr + 24;
+        msg_start = ptr + GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength;
-        *(__be16 *)(ptr + 2) = htons(SGN_ALG_DES_MAC_MD5);
+        *(__be16 *)(ptr + 2) = cpu_to_le16(kctx->gk5e->signalg);
        memset(ptr + 4, 0xff, 4);
-        *(__be16 *)(ptr + 4) = htons(SEAL_ALG_DES);
+        *(__be16 *)(ptr + 4) = cpu_to_le16(kctx->gk5e->sealalg);
-        make_confounder(msg_start, blocksize);
+        gss_krb5_make_confounder(msg_start, conflen);
+        if (kctx->gk5e->keyed_cksum)
+                cksumkey = kctx->cksum;
+        else
+                cksumkey = NULL;
        /* XXXJBF: UGH!: */
        tmp_pages = buf->pages;
        buf->pages = pages;
-        if (make_checksum("md5", ptr, 8, buf,
+        if (make_checksum(kctx, ptr, 8, buf, offset + headlen - conflen,
-                                offset + headlen - blocksize, &md5cksum))
+                                        cksumkey, KG_USAGE_SEAL, &md5cksum))
                return GSS_S_FAILURE;
        buf->pages = tmp_pages;
-        if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,
+        memcpy(ptr + GSS_KRB5_TOK_HDR_LEN, md5cksum.data, md5cksum.len);
-                          md5cksum.data, md5cksum.len))
-                return GSS_S_FAILURE;
-        memcpy(ptr + GSS_KRB5_TOK_HDR_LEN, md5cksum.data + md5cksum.len - 8, 8);
        spin_lock(&krb5_seq_lock);
        seq_send = kctx->seq_send++;
@@ -197,25 +228,42 @@ gss_wrap_kerberos(struct gss_ctx *ctx, int offset,
        /* XXX would probably be more efficient to compute checksum
         * and encrypt at the same time: */
-        if ((krb5_make_seq_num(kctx->seq, kctx->initiate ? 0 : 0xff,
+        if ((krb5_make_seq_num(kctx, kctx->seq, kctx->initiate ? 0 : 0xff,
                               seq_send, ptr + GSS_KRB5_TOK_HDR_LEN, ptr + 8)))
                return GSS_S_FAILURE;
-        if (gss_encrypt_xdr_buf(kctx->enc, buf, offset + headlen - blocksize,
+        if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC) {
-                                                                        pages))
+                struct crypto_blkcipher *cipher;
-                return GSS_S_FAILURE;
+                int err;
+                cipher = crypto_alloc_blkcipher(kctx->gk5e->encrypt_name, 0,
+                                                CRYPTO_ALG_ASYNC);
+                if (IS_ERR(cipher))
+                        return GSS_S_FAILURE;
+                krb5_rc4_setup_enc_key(kctx, cipher, seq_send);
+                err = gss_encrypt_xdr_buf(cipher, buf,
+                                          offset + headlen - conflen, pages);
+                crypto_free_blkcipher(cipher);
+                if (err)
+                        return GSS_S_FAILURE;
+        } else {
+                if (gss_encrypt_xdr_buf(kctx->enc, buf,
+                                        offset + headlen - conflen, pages))
+                        return GSS_S_FAILURE;
+        }
        return (kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
 }
-u32
+static u32
-gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
+gss_unwrap_kerberos_v1(struct krb5_ctx *kctx, int offset, struct xdr_buf *buf)
 {
-        struct krb5_ctx         *kctx = ctx->internal_ctx_id;
        int                     signalg;
        int                     sealalg;
-        char                    cksumdata[16];
+        char                    cksumdata[GSS_KRB5_MAX_CKSUM_LEN];
-        struct xdr_netobj       md5cksum = {.len = 0, .data = cksumdata};
+        struct xdr_netobj       md5cksum = {.len = sizeof(cksumdata),
+                                            .data = cksumdata};
        s32                     now;
        int                     direction;
        s32                     seqnum;
@@ -224,6 +272,9 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
        void                    *data_start, *orig_start;
        int                     data_len;
        int                     blocksize;
+        u32                     conflen = kctx->gk5e->conflen;
+        int                     crypt_offset;
+        u8                      *cksumkey;
        dprintk("RPC:       gss_unwrap_kerberos\n");
@@ -241,29 +292,65 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
        /* get the sign and seal algorithms */
        signalg = ptr[2] + (ptr[3] << 8);
-        if (signalg != SGN_ALG_DES_MAC_MD5)
+        if (signalg != kctx->gk5e->signalg)
                return GSS_S_DEFECTIVE_TOKEN;
        sealalg = ptr[4] + (ptr[5] << 8);
-        if (sealalg != SEAL_ALG_DES)
+        if (sealalg != kctx->gk5e->sealalg)
                return GSS_S_DEFECTIVE_TOKEN;
        if ((ptr[6] != 0xff) || (ptr[7] != 0xff))
                return GSS_S_DEFECTIVE_TOKEN;
-        if (gss_decrypt_xdr_buf(kctx->enc, buf,
+        /*
-                        ptr + GSS_KRB5_TOK_HDR_LEN + 8 - (unsigned char *)buf->head[0].iov_base))
+         * Data starts after token header and checksum.  ptr points
-                return GSS_S_DEFECTIVE_TOKEN;
+         * to the beginning of the token header
+         */
+        crypt_offset = ptr + (GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength) -
+                                        (unsigned char *)buf->head[0].iov_base;
+        /*
+         * Need plaintext seqnum to derive encryption key for arcfour-hmac
+         */
+        if (krb5_get_seq_num(kctx, ptr + GSS_KRB5_TOK_HDR_LEN,
+                             ptr + 8, &direction, &seqnum))
+                return GSS_S_BAD_SIG;
-        if (make_checksum("md5", ptr, 8, buf,
+        if ((kctx->initiate && direction != 0xff) ||
-                 ptr + GSS_KRB5_TOK_HDR_LEN + 8 - (unsigned char *)buf->head[0].iov_base, &md5cksum))
+            (!kctx->initiate && direction != 0))
-                return GSS_S_FAILURE;
+                return GSS_S_BAD_SIG;
+        if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC) {
+                struct crypto_blkcipher *cipher;
+                int err;
+                cipher = crypto_alloc_blkcipher(kctx->gk5e->encrypt_name, 0,
+                                                CRYPTO_ALG_ASYNC);
+                if (IS_ERR(cipher))
+                        return GSS_S_FAILURE;
+                krb5_rc4_setup_enc_key(kctx, cipher, seqnum);
-        if (krb5_encrypt(kctx->seq, NULL, md5cksum.data,
+                err = gss_decrypt_xdr_buf(cipher, buf, crypt_offset);
-                           md5cksum.data, md5cksum.len))
+                crypto_free_blkcipher(cipher);
+                if (err)
+                        return GSS_S_DEFECTIVE_TOKEN;
+        } else {
+                if (gss_decrypt_xdr_buf(kctx->enc, buf, crypt_offset))
+                        return GSS_S_DEFECTIVE_TOKEN;
+        }
+        if (kctx->gk5e->keyed_cksum)
+                cksumkey = kctx->cksum;
+        else
+                cksumkey = NULL;
+        if (make_checksum(kctx, ptr, 8, buf, crypt_offset,
+                                        cksumkey, KG_USAGE_SEAL, &md5cksum))
                return GSS_S_FAILURE;
-        if (memcmp(md5cksum.data + 8, ptr + GSS_KRB5_TOK_HDR_LEN, 8))
+        if (memcmp(md5cksum.data, ptr + GSS_KRB5_TOK_HDR_LEN,
+                                                kctx->gk5e->cksumlength))
                return GSS_S_BAD_SIG;
        /* it got through unscathed.  Make sure the context is unexpired */
@@ -275,19 +362,12 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
        /* do sequencing checks */
-        if (krb5_get_seq_num(kctx->seq, ptr + GSS_KRB5_TOK_HDR_LEN, ptr + 8,
-                                    &direction, &seqnum))
-                return GSS_S_BAD_SIG;
-        if ((kctx->initiate && direction != 0xff) ||
-            (!kctx->initiate && direction != 0))
-                return GSS_S_BAD_SIG;
        /* Copy the data back to the right position.  XXX: Would probably be
         * better to copy and encrypt at the same time. */
        blocksize = crypto_blkcipher_blocksize(kctx->enc);
-        data_start = ptr + GSS_KRB5_TOK_HDR_LEN + 8 + blocksize;
+        data_start = ptr + (GSS_KRB5_TOK_HDR_LEN + kctx->gk5e->cksumlength) +
+                                        conflen;
        orig_start = buf->head[0].iov_base + offset;
        data_len = (buf->head[0].iov_base + buf->head[0].iov_len) - data_start;
        memmove(orig_start, data_start, data_len);
@@ -299,3 +379,209 @@ gss_unwrap_kerberos(struct gss_ctx *ctx, int offset, struct xdr_buf *buf)
        return GSS_S_COMPLETE;
 }
+/*
+ * We cannot currently handle tokens with rotated data.  We need a
+ * generalized routine to rotate the data in place.  It is anticipated
+ * that we won't encounter rotated data in the general case.
+ */
+static u32
+rotate_left(struct krb5_ctx *kctx, u32 offset, struct xdr_buf *buf, u16 rrc)
+{
+        unsigned int realrrc = rrc % (buf->len - offset - GSS_KRB5_TOK_HDR_LEN);
+        if (realrrc == 0)
+                return 0;
+        dprintk("%s: cannot process token with rotated data: "
+                "rrc %u, realrrc %u\n", __func__, rrc, realrrc);
+        return 1;
+}
+static u32
+gss_wrap_kerberos_v2(struct krb5_ctx *kctx, u32 offset,
+                     struct xdr_buf *buf, struct page **pages)
+{
+        int             blocksize;
+        u8              *ptr, *plainhdr;
+        s32             now;
+        u8              flags = 0x00;
+        __be16          *be16ptr, ec = 0;
+        __be64          *be64ptr;
+        u32             err;
+        dprintk("RPC:       %s\n", __func__);
+        if (kctx->gk5e->encrypt_v2 == NULL)
+                return GSS_S_FAILURE;
+        /* make room for gss token header */
+        if (xdr_extend_head(buf, offset, GSS_KRB5_TOK_HDR_LEN))
+                return GSS_S_FAILURE;
+        /* construct gss token header */
+        ptr = plainhdr = buf->head[0].iov_base + offset;
+        *ptr++ = (unsigned char) ((KG2_TOK_WRAP>>8) & 0xff);
+        *ptr++ = (unsigned char) (KG2_TOK_WRAP & 0xff);
+        if ((kctx->flags & KRB5_CTX_FLAG_INITIATOR) == 0)
+                flags |= KG2_TOKEN_FLAG_SENTBYACCEPTOR;
+        if ((kctx->flags & KRB5_CTX_FLAG_ACCEPTOR_SUBKEY) != 0)
+                flags |= KG2_TOKEN_FLAG_ACCEPTORSUBKEY;
+        /* We always do confidentiality in wrap tokens */
+        flags |= KG2_TOKEN_FLAG_SEALED;
+        *ptr++ = flags;
+        *ptr++ = 0xff;
+        be16ptr = (__be16 *)ptr;
+        blocksize = crypto_blkcipher_blocksize(kctx->acceptor_enc);
+        *be16ptr++ = cpu_to_be16(ec);
+        /* "inner" token header always uses 0 for RRC */
+        *be16ptr++ = cpu_to_be16(0);
+        be64ptr = (__be64 *)be16ptr;
+        spin_lock(&krb5_seq_lock);
+        *be64ptr = cpu_to_be64(kctx->seq_send64++);
+        spin_unlock(&krb5_seq_lock);
+        err = (*kctx->gk5e->encrypt_v2)(kctx, offset, buf, ec, pages);
+        if (err)
+                return err;
+        now = get_seconds();
+        return (kctx->endtime < now) ? GSS_S_CONTEXT_EXPIRED : GSS_S_COMPLETE;
+}
+static u32
+gss_unwrap_kerberos_v2(struct krb5_ctx *kctx, int offset, struct xdr_buf *buf)
+{
+        s32             now;
+        u64             seqnum;
+        u8              *ptr;
+        u8              flags = 0x00;
+        u16             ec, rrc;
+        int             err;
+        u32             headskip, tailskip;
+        u8              decrypted_hdr[GSS_KRB5_TOK_HDR_LEN];
+        unsigned int    movelen;
+        dprintk("RPC:       %s\n", __func__);
+        if (kctx->gk5e->decrypt_v2 == NULL)
+                return GSS_S_FAILURE;
+        ptr = buf->head[0].iov_base + offset;
+        if (be16_to_cpu(*((__be16 *)ptr)) != KG2_TOK_WRAP)
+                return GSS_S_DEFECTIVE_TOKEN;
+        flags = ptr[2];
+        if ((!kctx->initiate && (flags & KG2_TOKEN_FLAG_SENTBYACCEPTOR)) ||
+            (kctx->initiate && !(flags & KG2_TOKEN_FLAG_SENTBYACCEPTOR)))
+                return GSS_S_BAD_SIG;
+        if ((flags & KG2_TOKEN_FLAG_SEALED) == 0) {
+                dprintk("%s: token missing expected sealed flag\n", __func__);
+                return GSS_S_DEFECTIVE_TOKEN;
+        }
+        if (ptr[3] != 0xff)
+                return GSS_S_DEFECTIVE_TOKEN;
+        ec = be16_to_cpup((__be16 *)(ptr + 4));
+        rrc = be16_to_cpup((__be16 *)(ptr + 6));
+        seqnum = be64_to_cpup((__be64 *)(ptr + 8));
+        if (rrc != 0) {
+                err = rotate_left(kctx, offset, buf, rrc);
+                if (err)
+                        return GSS_S_FAILURE;
+        }
+        err = (*kctx->gk5e->decrypt_v2)(kctx, offset, buf,
+                                        &headskip, &tailskip);
+        if (err)
+                return GSS_S_FAILURE;
+        /*
+         * Retrieve the decrypted gss token header and verify
+         * it against the original
+         */
+        err = read_bytes_from_xdr_buf(buf,
+                                buf->len - GSS_KRB5_TOK_HDR_LEN - tailskip,
+                                decrypted_hdr, GSS_KRB5_TOK_HDR_LEN);
+        if (err) {
+                dprintk("%s: error %u getting decrypted_hdr\n", __func__, err);
+                return GSS_S_FAILURE;
+        }
+        if (memcmp(ptr, decrypted_hdr, 6)
+                                || memcmp(ptr + 8, decrypted_hdr + 8, 8)) {
+                dprintk("%s: token hdr, plaintext hdr mismatch!\n", __func__);
+                return GSS_S_FAILURE;
+        }
+        /* do sequencing checks */
+        /* it got through unscathed.  Make sure the context is unexpired */
+        now = get_seconds();
+        if (now > kctx->endtime)
+                return GSS_S_CONTEXT_EXPIRED;
+        /*
+         * Move the head data back to the right position in xdr_buf.
+         * We ignore any "ec" data since it might be in the head or
+         * the tail, and we really don't need to deal with it.
+         * Note that buf->head[0].iov_len may indicate the available
+         * head buffer space rather than that actually occupied.
+         */
+        movelen = min_t(unsigned int, buf->head[0].iov_len, buf->len);
+        movelen -= offset + GSS_KRB5_TOK_HDR_LEN + headskip;
+        BUG_ON(offset + GSS_KRB5_TOK_HDR_LEN + headskip + movelen >
+                                                        buf->head[0].iov_len);
+        memmove(ptr, ptr + GSS_KRB5_TOK_HDR_LEN + headskip, movelen);
+        buf->head[0].iov_len -= GSS_KRB5_TOK_HDR_LEN + headskip;
+        buf->len -= GSS_KRB5_TOK_HDR_LEN + headskip;
+        return GSS_S_COMPLETE;
+}
+u32
+gss_wrap_kerberos(struct gss_ctx *gctx, int offset,
+                  struct xdr_buf *buf, struct page **pages)
+{
+        struct krb5_ctx *kctx = gctx->internal_ctx_id;
+        switch (kctx->enctype) {
+        default:
+                BUG();
+        case ENCTYPE_DES_CBC_RAW:
+        case ENCTYPE_DES3_CBC_RAW:
+        case ENCTYPE_ARCFOUR_HMAC:
+                return gss_wrap_kerberos_v1(kctx, offset, buf, pages);
+        case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+        case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
+                return gss_wrap_kerberos_v2(kctx, offset, buf, pages);
+        }
+}
+u32
+gss_unwrap_kerberos(struct gss_ctx *gctx, int offset, struct xdr_buf *buf)
+{
+        struct krb5_ctx *kctx = gctx->internal_ctx_id;
+        switch (kctx->enctype) {
+        default:
+                BUG();
+        case ENCTYPE_DES_CBC_RAW:
+        case ENCTYPE_DES3_CBC_RAW:
+        case ENCTYPE_ARCFOUR_HMAC:
+                return gss_unwrap_kerberos_v1(kctx, offset, buf);
+        case ENCTYPE_AES128_CTS_HMAC_SHA1_96:
+        case ENCTYPE_AES256_CTS_HMAC_SHA1_96:
+                return gss_unwrap_kerberos_v2(kctx, offset, buf);
+        }
+}
diff --git a/net/sunrpc/auth_gss/gss_mech_switch.c b/net/sunrpc/auth_gss/gss_mech_switch.c
index 76e4c6f4ac3c..2689de39dc78 100644
--- a/net/sunrpc/auth_gss/gss_mech_switch.c
+++ b/net/sunrpc/auth_gss/gss_mech_switch.c
@@ -249,14 +249,15 @@ EXPORT_SYMBOL_GPL(gss_mech_put);
 int
 gss_import_sec_context(const void *input_token, size_t bufsize,
                       struct gss_api_mech      *mech,
-                       struct gss_ctx           **ctx_id)
+                       struct gss_ctx           **ctx_id,
+                       gfp_t gfp_mask)
 {
-        if (!(*ctx_id = kzalloc(sizeof(**ctx_id), GFP_KERNEL)))
+        if (!(*ctx_id = kzalloc(sizeof(**ctx_id), gfp_mask)))
                return -ENOMEM;
        (*ctx_id)->mech_type = gss_mech_get(mech);
        return mech->gm_ops
-                ->gss_import_sec_context(input_token, bufsize, *ctx_id);
+                ->gss_import_sec_context(input_token, bufsize, *ctx_id, gfp_mask);
 }
 /* gss_get_mic: compute a mic over message and return mic_token. */
@@ -285,6 +286,20 @@ gss_verify_mic(struct gss_ctx		*context_handle,
                                 mic_token);
 }
+/*
+ * This function is called from both the client and server code.
+ * Each makes guarantees about how much "slack" space is available
+ * for the underlying function in "buf"'s head and tail while
+ * performing the wrap.
+ *
+ * The client and server code allocate RPC_MAX_AUTH_SIZE extra
+ * space in both the head and tail which is available for use by
+ * the wrap function.
+ *
+ * Underlying functions should verify they do not use more than
+ * RPC_MAX_AUTH_SIZE of extra space in either the head or tail
+ * when performing the wrap.
+ */
 u32
 gss_wrap(struct gss_ctx *ctx_id,
         int            offset,
diff --git a/net/sunrpc/auth_gss/gss_spkm3_mech.c b/net/sunrpc/auth_gss/gss_spkm3_mech.c
index 035e1dd6af1b..dc3f1f5ed865 100644
--- a/net/sunrpc/auth_gss/gss_spkm3_mech.c
+++ b/net/sunrpc/auth_gss/gss_spkm3_mech.c
@@ -84,13 +84,14 @@ simple_get_netobj(const void *p, const void *end, struct xdr_netobj *res)
 static int
 gss_import_sec_context_spkm3(const void *p, size_t len,
-                                struct gss_ctx *ctx_id)
+                                struct gss_ctx *ctx_id,
+                                gfp_t gfp_mask)
 {
        const void *end = (const void *)((const char *)p + len);
        struct  spkm3_ctx *ctx;
        int     version;
-        if (!(ctx = kzalloc(sizeof(*ctx), GFP_NOFS)))
+        if (!(ctx = kzalloc(sizeof(*ctx), gfp_mask)))
                goto out_err;
        p = simple_get_bytes(p, end, &version, sizeof(version));
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index b81e790ef9f4..cc385b3a59c2 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -494,7 +494,7 @@ static int rsc_parse(struct cache_detail *cd,
                len = qword_get(&mesg, buf, mlen);
                if (len < 0)
                        goto out;
-                status = gss_import_sec_context(buf, len, gm, &rsci.mechctx);
+                status = gss_import_sec_context(buf, len, gm, &rsci.mechctx, GFP_KERNEL);
                if (status)
                        goto out;
@@ -1315,6 +1315,14 @@ svcauth_gss_wrap_resp_priv(struct svc_rqst *rqstp)
        inpages = resbuf->pages;
        /* XXX: Would be better to write some xdr helper functions for
         * nfs{2,3,4}xdr.c that place the data right, instead of copying: */
+        /*
+         * If there is currently tail data, make sure there is
+         * room for the head, tail, and 2 * RPC_MAX_AUTH_SIZE in
+         * the page, and move the current tail data such that
+         * there is RPC_MAX_AUTH_SIZE slack space available in
+         * both the head and tail.
+         */
        if (resbuf->tail[0].iov_base) {
                BUG_ON(resbuf->tail[0].iov_base >= resbuf->head[0].iov_base
                                                        + PAGE_SIZE);
@@ -1327,6 +1335,13 @@ svcauth_gss_wrap_resp_priv(struct svc_rqst *rqstp)
                        resbuf->tail[0].iov_len);
                resbuf->tail[0].iov_base += RPC_MAX_AUTH_SIZE;
        }
+        /*
+         * If there is no current tail data, make sure there is
+         * room for the head data, and 2 * RPC_MAX_AUTH_SIZE in the
+         * allotted page, and set up tail information such that there
+         * is RPC_MAX_AUTH_SIZE slack space available in both the
+         * head and tail.
+         */
        if (resbuf->tail[0].iov_base == NULL) {
                if (resbuf->head[0].iov_len + 2*RPC_MAX_AUTH_SIZE > PAGE_SIZE)
                        return -ENOMEM;
diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index 39bddba53ba1..58de76c8540c 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -28,11 +28,13 @@
 #include <linux/workqueue.h>
 #include <linux/mutex.h>
 #include <linux/pagemap.h>
+#include <linux/smp_lock.h>
 #include <asm/ioctls.h>
 #include <linux/sunrpc/types.h>
 #include <linux/sunrpc/cache.h>
 #include <linux/sunrpc/stats.h>
 #include <linux/sunrpc/rpc_pipe_fs.h>
+#include <linux/smp_lock.h>
 #define  RPCDBG_FACILITY RPCDBG_CACHE
@@ -49,11 +51,17 @@ static void cache_init(struct cache_head *h)
        h->last_refresh = now;
 }
+static inline int cache_is_expired(struct cache_detail *detail, struct cache_head *h)
+{
+        return  (h->expiry_time < get_seconds()) ||
+                (detail->flush_time > h->last_refresh);
+}
 struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
                                       struct cache_head *key, int hash)
 {
        struct cache_head **head,  **hp;
-        struct cache_head *new = NULL;
+        struct cache_head *new = NULL, *freeme = NULL;
        head = &detail->hash_table[hash];
@@ -62,6 +70,9 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
        for (hp=head; *hp != NULL ; hp = &(*hp)->next) {
                struct cache_head *tmp = *hp;
                if (detail->match(tmp, key)) {
+                        if (cache_is_expired(detail, tmp))
+                                /* This entry is expired, we will discard it. */
+                                break;
                        cache_get(tmp);
                        read_unlock(&detail->hash_lock);
                        return tmp;
@@ -86,6 +97,13 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
        for (hp=head; *hp != NULL ; hp = &(*hp)->next) {
                struct cache_head *tmp = *hp;
                if (detail->match(tmp, key)) {
+                        if (cache_is_expired(detail, tmp)) {
+                                *hp = tmp->next;
+                                tmp->next = NULL;
+                                detail->entries --;
+                                freeme = tmp;
+                                break;
+                        }
                        cache_get(tmp);
                        write_unlock(&detail->hash_lock);
                        cache_put(new, detail);
@@ -98,6 +116,8 @@ struct cache_head *sunrpc_cache_lookup(struct cache_detail *detail,
        cache_get(new);
        write_unlock(&detail->hash_lock);
+        if (freeme)
+                cache_put(freeme, detail);
        return new;
 }
 EXPORT_SYMBOL_GPL(sunrpc_cache_lookup);
@@ -183,10 +203,7 @@ static int cache_make_upcall(struct cache_detail *cd, struct cache_head *h)
 static inline int cache_is_valid(struct cache_detail *detail, struct cache_head *h)
 {
-        if (!test_bit(CACHE_VALID, &h->flags) ||
+        if (!test_bit(CACHE_VALID, &h->flags))
-            h->expiry_time < get_seconds())
-                return -EAGAIN;
-        else if (detail->flush_time > h->last_refresh)
                return -EAGAIN;
        else {
                /* entry is valid */
@@ -397,31 +414,27 @@ static int cache_clean(void)
                /* Ok, now to clean this strand */
                cp = & current_detail->hash_table[current_index];
-                ch = *cp;
+                for (ch = *cp ; ch ; cp = & ch->next, ch = *cp) {
-                for (; ch; cp= & ch->next, ch= *cp) {
                        if (current_detail->nextcheck > ch->expiry_time)
                                current_detail->nextcheck = ch->expiry_time+1;
-                        if (ch->expiry_time >= get_seconds() &&
+                        if (!cache_is_expired(current_detail, ch))
-                            ch->last_refresh >= current_detail->flush_time)
                                continue;
-                        if (test_and_clear_bit(CACHE_PENDING, &ch->flags))
-                                cache_dequeue(current_detail, ch);
-                        if (atomic_read(&ch->ref.refcount) == 1)
-                                break;
-                }
-                if (ch) {
                        *cp = ch->next;
                        ch->next = NULL;
                        current_detail->entries--;
                        rv = 1;
+                        break;
                }
                write_unlock(&current_detail->hash_lock);
                d = current_detail;
                if (!ch)
                        current_index ++;
                spin_unlock(&cache_list_lock);
                if (ch) {
+                        if (test_and_clear_bit(CACHE_PENDING, &ch->flags))
+                                cache_dequeue(current_detail, ch);
                        cache_revisit_request(ch);
                        cache_put(ch, d);
                }
@@ -1233,8 +1246,10 @@ static int content_open(struct inode *inode, struct file *file,
        if (!cd || !try_module_get(cd->owner))
                return -EACCES;
        han = __seq_open_private(file, &cache_content_op, sizeof(*han));
-        if (han == NULL)
+        if (han == NULL) {
+                module_put(cd->owner);
                return -ENOMEM;
+        }
        han->cd = cd;
        return 0;
@@ -1331,12 +1346,18 @@ static unsigned int cache_poll_procfs(struct file *filp, poll_table *wait)
        return cache_poll(filp, wait, cd);
 }
-static int cache_ioctl_procfs(struct inode *inode, struct file *filp,
+static long cache_ioctl_procfs(struct file *filp,
-                              unsigned int cmd, unsigned long arg)
+                               unsigned int cmd, unsigned long arg)
 {
+        long ret;
+        struct inode *inode = filp->f_path.dentry->d_inode;
        struct cache_detail *cd = PDE(inode)->data;
-        return cache_ioctl(inode, filp, cmd, arg, cd);
+        lock_kernel();
+        ret = cache_ioctl(inode, filp, cmd, arg, cd);
+        unlock_kernel();
+        return ret;
 }
 static int cache_open_procfs(struct inode *inode, struct file *filp)
@@ -1359,7 +1380,7 @@ static const struct file_operations cache_file_operations_procfs = {
        .read           = cache_read_procfs,
        .write          = cache_write_procfs,
        .poll           = cache_poll_procfs,
-        .ioctl          = cache_ioctl_procfs, /* for FIONREAD */
+        .unlocked_ioctl = cache_ioctl_procfs, /* for FIONREAD */
        .open           = cache_open_procfs,
        .release        = cache_release_procfs,
 };
@@ -1525,12 +1546,18 @@ static unsigned int cache_poll_pipefs(struct file *filp, poll_table *wait)
        return cache_poll(filp, wait, cd);
 }
-static int cache_ioctl_pipefs(struct inode *inode, struct file *filp,
+static long cache_ioctl_pipefs(struct file *filp,
                              unsigned int cmd, unsigned long arg)
 {
+        struct inode *inode = filp->f_dentry->d_inode;
        struct cache_detail *cd = RPC_I(inode)->private;
+        long ret;
-        return cache_ioctl(inode, filp, cmd, arg, cd);
+        lock_kernel();
+        ret = cache_ioctl(inode, filp, cmd, arg, cd);
+        unlock_kernel();
+        return ret;
 }
 static int cache_open_pipefs(struct inode *inode, struct file *filp)
@@ -1553,7 +1580,7 @@ const struct file_operations cache_file_operations_pipefs = {
        .read           = cache_read_pipefs,
        .write          = cache_write_pipefs,
        .poll           = cache_poll_pipefs,
-        .ioctl          = cache_ioctl_pipefs, /* for FIONREAD */
+        .unlocked_ioctl = cache_ioctl_pipefs, /* for FIONREAD */
        .open           = cache_open_pipefs,
        .release        = cache_release_pipefs,
 };
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index 19c9983d5360..756fc324db9e 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -556,26 +556,16 @@ static const struct rpc_call_ops rpc_default_ops = {
 */
 struct rpc_task *rpc_run_task(const struct rpc_task_setup *task_setup_data)
 {
-        struct rpc_task *task, *ret;
+        struct rpc_task *task;
        task = rpc_new_task(task_setup_data);
-        if (task == NULL) {
+        if (IS_ERR(task))
-                rpc_release_calldata(task_setup_data->callback_ops,
-                                task_setup_data->callback_data);
-                ret = ERR_PTR(-ENOMEM);
                goto out;
-        }
-        if (task->tk_status != 0) {
-                ret = ERR_PTR(task->tk_status);
-                rpc_put_task(task);
-                goto out;
-        }
        atomic_inc(&task->tk_count);
        rpc_execute(task);
-        ret = task;
 out:
-        return ret;
+        return task;
 }
 EXPORT_SYMBOL_GPL(rpc_run_task);
@@ -657,9 +647,8 @@ struct rpc_task *rpc_run_bc_task(struct rpc_rqst *req,
         * Create an rpc_task to send the data
         */
        task = rpc_new_task(&task_setup_data);
-        if (!task) {
+        if (IS_ERR(task)) {
                xprt_free_bc_request(req);
-                task = ERR_PTR(-ENOMEM);
                goto out;
        }
        task->tk_rqstp = req;
@@ -1518,7 +1507,6 @@ call_refreshresult(struct rpc_task *task)
        task->tk_action = call_refresh;
        if (status != -ETIMEDOUT)
                rpc_delay(task, 3*HZ);
-        return;
 }
 static __be32 *
diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
index 20e30c6f8355..95ccbcf45d3e 100644
--- a/net/sunrpc/rpc_pipe.c
+++ b/net/sunrpc/rpc_pipe.c
@@ -27,6 +27,7 @@
 #include <linux/workqueue.h>
 #include <linux/sunrpc/rpc_pipe_fs.h>
 #include <linux/sunrpc/cache.h>
+#include <linux/smp_lock.h>
 static struct vfsmount *rpc_mount __read_mostly;
 static int rpc_mount_count;
@@ -309,8 +310,7 @@ rpc_pipe_poll(struct file *filp, struct poll_table_struct *wait)
 }
 static int
-rpc_pipe_ioctl(struct inode *ino, struct file *filp,
+rpc_pipe_ioctl_unlocked(struct file *filp, unsigned int cmd, unsigned long arg)
-                unsigned int cmd, unsigned long arg)
 {
        struct rpc_inode *rpci = RPC_I(filp->f_path.dentry->d_inode);
        int len;
@@ -331,13 +331,25 @@ rpc_pipe_ioctl(struct inode *ino, struct file *filp,
        }
 }
+static long
+rpc_pipe_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+{
+        long ret;
+        lock_kernel();
+        ret = rpc_pipe_ioctl_unlocked(filp, cmd, arg);
+        unlock_kernel();
+        return ret;
+}
 static const struct file_operations rpc_pipe_fops = {
        .owner          = THIS_MODULE,
        .llseek         = no_llseek,
        .read           = rpc_pipe_read,
        .write          = rpc_pipe_write,
        .poll           = rpc_pipe_poll,
-        .ioctl          = rpc_pipe_ioctl,
+        .unlocked_ioctl = rpc_pipe_ioctl,
        .open           = rpc_pipe_open,
        .release        = rpc_pipe_release,
 };
diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c
index 121105355f60..dac219a56ae1 100644
--- a/net/sunrpc/rpcb_clnt.c
+++ b/net/sunrpc/rpcb_clnt.c
@@ -783,7 +783,7 @@ static int rpcb_dec_getport(struct rpc_rqst *req, __be32 *p,
        port = ntohl(*p);
        dprintk("RPC: %5u PMAP_%s result: %lu\n", task->tk_pid,
                        task->tk_msg.rpc_proc->p_name, port);
-        if (unlikely(port > USHORT_MAX))
+        if (unlikely(port > USHRT_MAX))
                return -EIO;
        rpcb->r_port = port;
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index aae6907fd546..4a843b883b89 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -25,7 +25,6 @@
 #ifdef RPC_DEBUG
 #define RPCDBG_FACILITY         RPCDBG_SCHED
-#define RPC_TASK_MAGIC_ID       0xf00baa
 #endif
 /*
@@ -237,7 +236,6 @@ static void rpc_task_set_debuginfo(struct rpc_task *task)
 {
        static atomic_t rpc_pid;
-        task->tk_magic = RPC_TASK_MAGIC_ID;
        task->tk_pid = atomic_inc_return(&rpc_pid);
 }
 #else
@@ -360,9 +358,6 @@ static void __rpc_do_wake_up_task(struct rpc_wait_queue *queue, struct rpc_task
        dprintk("RPC: %5u __rpc_wake_up_task (now %lu)\n",
                        task->tk_pid, jiffies);
-#ifdef RPC_DEBUG
-        BUG_ON(task->tk_magic != RPC_TASK_MAGIC_ID);
-#endif
        /* Has the task been executed yet? If not, we cannot wake it up! */
        if (!RPC_IS_ACTIVATED(task)) {
                printk(KERN_ERR "RPC: Inactive task (%p) being woken up!\n", task);
@@ -834,7 +829,7 @@ static void rpc_init_task(struct rpc_task *task, const struct rpc_task_setup *ta
        }
        /* starting timestamp */
-        task->tk_start = jiffies;
+        task->tk_start = ktime_get();
        dprintk("RPC:       new task initialized, procpid %u\n",
                                task_pid_nr(current));
@@ -856,16 +851,23 @@ struct rpc_task *rpc_new_task(const struct rpc_task_setup *setup_data)
        if (task == NULL) {
                task = rpc_alloc_task();
-                if (task == NULL)
+                if (task == NULL) {
-                        goto out;
+                        rpc_release_calldata(setup_data->callback_ops,
+                                        setup_data->callback_data);
+                        return ERR_PTR(-ENOMEM);
+                }
                flags = RPC_TASK_DYNAMIC;
        }
        rpc_init_task(task, setup_data);
+        if (task->tk_status < 0) {
+                int err = task->tk_status;
+                rpc_put_task(task);
+                return ERR_PTR(err);
+        }
        task->tk_flags |= flags;
        dprintk("RPC:       allocated task %p\n", task);
-out:
        return task;
 }
@@ -909,9 +911,6 @@ EXPORT_SYMBOL_GPL(rpc_put_task);
 static void rpc_release_task(struct rpc_task *task)
 {
-#ifdef RPC_DEBUG
-        BUG_ON(task->tk_magic != RPC_TASK_MAGIC_ID);
-#endif
        dprintk("RPC: %5u release task\n", task->tk_pid);
        if (!list_empty(&task->tk_task)) {
@@ -923,9 +922,6 @@ static void rpc_release_task(struct rpc_task *task)
        }
        BUG_ON (RPC_IS_QUEUED(task));
-#ifdef RPC_DEBUG
-        task->tk_magic = 0;
-#endif
        /* Wake up anyone who is waiting for task completion */
        rpc_mark_complete_task(task);
diff --git a/net/sunrpc/stats.c b/net/sunrpc/stats.c
index 5785d2037f45..ea1046f3f9a3 100644
--- a/net/sunrpc/stats.c
+++ b/net/sunrpc/stats.c
@@ -144,7 +144,7 @@ void rpc_count_iostats(struct rpc_task *task)
        struct rpc_rqst *req = task->tk_rqstp;
        struct rpc_iostats *stats;
        struct rpc_iostats *op_metrics;
-        long rtt, execute, queue;
+        ktime_t delta;
        if (!task->tk_client || !task->tk_client->cl_metrics || !req)
                return;
@@ -156,23 +156,16 @@ void rpc_count_iostats(struct rpc_task *task)
        op_metrics->om_ntrans += req->rq_ntrans;
        op_metrics->om_timeouts += task->tk_timeouts;
-        op_metrics->om_bytes_sent += task->tk_bytes_sent;
+        op_metrics->om_bytes_sent += req->rq_xmit_bytes_sent;
        op_metrics->om_bytes_recv += req->rq_reply_bytes_recvd;
-        queue = (long)req->rq_xtime - task->tk_start;
+        delta = ktime_sub(req->rq_xtime, task->tk_start);
-        if (queue < 0)
+        op_metrics->om_queue = ktime_add(op_metrics->om_queue, delta);
-                queue = -queue;
-        op_metrics->om_queue += queue;
-        rtt = task->tk_rtt;
+        op_metrics->om_rtt = ktime_add(op_metrics->om_rtt, req->rq_rtt);
-        if (rtt < 0)
-                rtt = -rtt;
-        op_metrics->om_rtt += rtt;
-        execute = (long)jiffies - task->tk_start;
+        delta = ktime_sub(ktime_get(), task->tk_start);
-        if (execute < 0)
+        op_metrics->om_execute = ktime_add(op_metrics->om_execute, delta);
-                execute = -execute;
-        op_metrics->om_execute += execute;
 }
 static void _print_name(struct seq_file *seq, unsigned int op,
@@ -186,8 +179,6 @@ static void _print_name(struct seq_file *seq, unsigned int op,
                seq_printf(seq, "\t%12u: ", op);
 }
-#define MILLISECS_PER_JIFFY     (1000 / HZ)
 void rpc_print_iostats(struct seq_file *seq, struct rpc_clnt *clnt)
 {
        struct rpc_iostats *stats = clnt->cl_metrics;
@@ -214,9 +205,9 @@ void rpc_print_iostats(struct seq_file *seq, struct rpc_clnt *clnt)
                                metrics->om_timeouts,
                                metrics->om_bytes_sent,
                                metrics->om_bytes_recv,
-                                metrics->om_queue * MILLISECS_PER_JIFFY,
+                                ktime_to_ms(metrics->om_queue),
-                                metrics->om_rtt * MILLISECS_PER_JIFFY,
+                                ktime_to_ms(metrics->om_rtt),
-                                metrics->om_execute * MILLISECS_PER_JIFFY);
+                                ktime_to_ms(metrics->om_execute));
        }
 }
 EXPORT_SYMBOL_GPL(rpc_print_iostats);
diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index 061b2e0f9118..cbc084939dd8 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -744,8 +744,10 @@ int svc_recv(struct svc_rqst *rqstp, long timeout)
                if (rqstp->rq_deferred) {
                        svc_xprt_received(xprt);
                        len = svc_deferred_recv(rqstp);
-                } else
+                } else {
                        len = xprt->xpt_ops->xpo_recvfrom(rqstp);
+                        svc_xprt_received(xprt);
+                }
                dprintk("svc: got len=%d\n", len);
        }
@@ -893,12 +895,12 @@ void svc_delete_xprt(struct svc_xprt *xprt)
         */
        if (test_bit(XPT_TEMP, &xprt->xpt_flags))
                serv->sv_tmpcnt--;
+        spin_unlock_bh(&serv->sv_lock);
        while ((dr = svc_deferred_dequeue(xprt)) != NULL)
                kfree(dr);
        svc_xprt_put(xprt);
-        spin_unlock_bh(&serv->sv_lock);
 }
 void svc_close_xprt(struct svc_xprt *xprt)
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index ce0d5b35c2ac..7e534dd09077 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -150,7 +150,6 @@ static void svc_set_cmsg_data(struct svc_rqst *rqstp, struct cmsghdr *cmh)
                }
                break;
        }
-        return;
 }
 /*
@@ -547,7 +546,6 @@ static int svc_udp_recvfrom(struct svc_rqst *rqstp)
                        dprintk("svc: recvfrom returned error %d\n", -err);
                        set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags);
                }
-                svc_xprt_received(&svsk->sk_xprt);
                return -EAGAIN;
        }
        len = svc_addr_len(svc_addr(rqstp));
@@ -562,11 +560,6 @@ static int svc_udp_recvfrom(struct svc_rqst *rqstp)
        svsk->sk_sk->sk_stamp = skb->tstamp;
        set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags); /* there may be more data... */
-        /*
-         * Maybe more packets - kick another thread ASAP.
-         */
-        svc_xprt_received(&svsk->sk_xprt);
        len  = skb->len - sizeof(struct udphdr);
        rqstp->rq_arg.len = len;
@@ -917,7 +910,6 @@ static int svc_tcp_recv_record(struct svc_sock *svsk, struct svc_rqst *rqstp)
                if (len < want) {
                        dprintk("svc: short recvfrom while reading record "
                                "length (%d of %d)\n", len, want);
-                        svc_xprt_received(&svsk->sk_xprt);
                        goto err_again; /* record header not complete */
                }
@@ -953,7 +945,6 @@ static int svc_tcp_recv_record(struct svc_sock *svsk, struct svc_rqst *rqstp)
        if (len < svsk->sk_reclen) {
                dprintk("svc: incomplete TCP record (%d of %d)\n",
                        len, svsk->sk_reclen);
-                svc_xprt_received(&svsk->sk_xprt);
                goto err_again; /* record not complete */
        }
        len = svsk->sk_reclen;
@@ -961,14 +952,11 @@ static int svc_tcp_recv_record(struct svc_sock *svsk, struct svc_rqst *rqstp)
        return len;
 error:
-        if (len == -EAGAIN) {
+        if (len == -EAGAIN)
                dprintk("RPC: TCP recv_record got EAGAIN\n");
-                svc_xprt_received(&svsk->sk_xprt);
-        }
        return len;
 err_delete:
        set_bit(XPT_CLOSE, &svsk->sk_xprt.xpt_flags);
-        svc_xprt_received(&svsk->sk_xprt);
 err_again:
        return -EAGAIN;
 }
@@ -1110,7 +1098,6 @@ out:
        svsk->sk_tcplen = 0;
        svc_xprt_copy_addrs(rqstp, &svsk->sk_xprt);
-        svc_xprt_received(&svsk->sk_xprt);
        if (serv->sv_stats)
                serv->sv_stats->nettcpcnt++;
@@ -1119,7 +1106,6 @@ out:
 err_again:
        if (len == -EAGAIN) {
                dprintk("RPC: TCP recvfrom got EAGAIN\n");
-                svc_xprt_received(&svsk->sk_xprt);
                return len;
        }
 error:
diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index 2763fde88499..a1f82a87d34d 100644
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -762,6 +762,7 @@ int write_bytes_to_xdr_buf(struct xdr_buf *buf, unsigned int base, void *obj, un
        __write_bytes_to_xdr_buf(&subbuf, obj, len);
        return 0;
 }
+EXPORT_SYMBOL_GPL(write_bytes_to_xdr_buf);
 int
 xdr_decode_word(struct xdr_buf *buf, unsigned int base, u32 *obj)
diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
index 699ade68aac1..dcd0132396ba 100644
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -43,6 +43,7 @@
 #include <linux/interrupt.h>
 #include <linux/workqueue.h>
 #include <linux/net.h>
+#include <linux/ktime.h>
 #include <linux/sunrpc/clnt.h>
 #include <linux/sunrpc/metrics.h>
@@ -62,7 +63,6 @@
 * Local functions
 */
 static void     xprt_request_init(struct rpc_task *, struct rpc_xprt *);
-static inline void      do_xprt_reserve(struct rpc_task *);
 static void     xprt_connect_status(struct rpc_task *task);
 static int      __xprt_get_cong(struct rpc_xprt *, struct rpc_task *);
@@ -166,7 +166,6 @@ EXPORT_SYMBOL_GPL(xprt_unregister_transport);
 int xprt_load_transport(const char *transport_name)
 {
        struct xprt_class *t;
-        char module_name[sizeof t->name + 5];
        int result;
        result = 0;
@@ -178,9 +177,7 @@ int xprt_load_transport(const char *transport_name)
                }
        }
        spin_unlock(&xprt_list_lock);
-        strcpy(module_name, "xprt");
+        result = request_module("xprt%s", transport_name);
-        strncat(module_name, transport_name, sizeof t->name);
-        result = request_module(module_name);
 out:
        return result;
 }
@@ -711,12 +708,16 @@ void xprt_connect(struct rpc_task *task)
                if (task->tk_rqstp)
                        task->tk_rqstp->rq_bytes_sent = 0;
-                task->tk_timeout = xprt->connect_timeout;
+                task->tk_timeout = task->tk_rqstp->rq_timeout;
                rpc_sleep_on(&xprt->pending, task, xprt_connect_status);
+                if (test_bit(XPRT_CLOSING, &xprt->state))
+                        return;
+                if (xprt_test_and_set_connecting(xprt))
+                        return;
                xprt->stat.connect_start = jiffies;
                xprt->ops->connect(task);
        }
-        return;
 }
 static void xprt_connect_status(struct rpc_task *task)
@@ -771,25 +772,19 @@ struct rpc_rqst *xprt_lookup_rqst(struct rpc_xprt *xprt, __be32 xid)
 }
 EXPORT_SYMBOL_GPL(xprt_lookup_rqst);
-/**
+static void xprt_update_rtt(struct rpc_task *task)
- * xprt_update_rtt - update an RPC client's RTT state after receiving a reply
- * @task: RPC request that recently completed
- *
- */
-void xprt_update_rtt(struct rpc_task *task)
 {
        struct rpc_rqst *req = task->tk_rqstp;
        struct rpc_rtt *rtt = task->tk_client->cl_rtt;
        unsigned timer = task->tk_msg.rpc_proc->p_timer;
+        long m = usecs_to_jiffies(ktime_to_us(req->rq_rtt));
        if (timer) {
                if (req->rq_ntrans == 1)
-                        rpc_update_rtt(rtt, timer,
+                        rpc_update_rtt(rtt, timer, m);
-                                        (long)jiffies - req->rq_xtime);
                rpc_set_timeo(rtt, timer, req->rq_ntrans - 1);
        }
 }
-EXPORT_SYMBOL_GPL(xprt_update_rtt);
 /**
 * xprt_complete_rqst - called when reply processing is complete
@@ -807,7 +802,9 @@ void xprt_complete_rqst(struct rpc_task *task, int copied)
                        task->tk_pid, ntohl(req->rq_xid), copied);
        xprt->stat.recvs++;
-        task->tk_rtt = (long)jiffies - req->rq_xtime;
+        req->rq_rtt = ktime_sub(ktime_get(), req->rq_xtime);
+        if (xprt->ops->timer != NULL)
+                xprt_update_rtt(task);
        list_del_init(&req->rq_list);
        req->rq_private_buf.len = copied;
@@ -906,7 +903,7 @@ void xprt_transmit(struct rpc_task *task)
                return;
        req->rq_connect_cookie = xprt->connect_cookie;
-        req->rq_xtime = jiffies;
+        req->rq_xtime = ktime_get();
        status = xprt->ops->send_request(task);
        if (status != 0) {
                task->tk_status = status;
@@ -935,7 +932,7 @@ void xprt_transmit(struct rpc_task *task)
        spin_unlock_bh(&xprt->transport_lock);
 }
-static inline void do_xprt_reserve(struct rpc_task *task)
+static void xprt_alloc_slot(struct rpc_task *task)
 {
        struct rpc_xprt *xprt = task->tk_xprt;
@@ -955,6 +952,16 @@ static inline void do_xprt_reserve(struct rpc_task *task)
        rpc_sleep_on(&xprt->backlog, task, NULL);
 }
+static void xprt_free_slot(struct rpc_xprt *xprt, struct rpc_rqst *req)
+{
+        memset(req, 0, sizeof(*req));   /* mark unused */
+        spin_lock(&xprt->reserve_lock);
+        list_add(&req->rq_list, &xprt->free);
+        rpc_wake_up_next(&xprt->backlog);
+        spin_unlock(&xprt->reserve_lock);
+}
 /**
 * xprt_reserve - allocate an RPC request slot
 * @task: RPC task requesting a slot allocation
@@ -968,7 +975,7 @@ void xprt_reserve(struct rpc_task *task)
        task->tk_status = -EIO;
        spin_lock(&xprt->reserve_lock);
-        do_xprt_reserve(task);
+        xprt_alloc_slot(task);
        spin_unlock(&xprt->reserve_lock);
 }
@@ -1006,14 +1013,10 @@ void xprt_release(struct rpc_task *task)
 {
        struct rpc_xprt *xprt;
        struct rpc_rqst *req;
-        int is_bc_request;
        if (!(req = task->tk_rqstp))
                return;
-        /* Preallocated backchannel request? */
-        is_bc_request = bc_prealloc(req);
        xprt = req->rq_xprt;
        rpc_count_iostats(task);
        spin_lock_bh(&xprt->transport_lock);
@@ -1027,21 +1030,16 @@ void xprt_release(struct rpc_task *task)
                mod_timer(&xprt->timer,
                                xprt->last_used + xprt->idle_timeout);
        spin_unlock_bh(&xprt->transport_lock);
-        if (!bc_prealloc(req))
+        if (req->rq_buffer)
                xprt->ops->buf_free(req->rq_buffer);
        task->tk_rqstp = NULL;
        if (req->rq_release_snd_buf)
                req->rq_release_snd_buf(req);
        dprintk("RPC: %5u release request %p\n", task->tk_pid, req);
-        if (likely(!is_bc_request)) {
+        if (likely(!bc_prealloc(req)))
-                memset(req, 0, sizeof(*req));   /* mark unused */
+                xprt_free_slot(xprt, req);
+        else
-                spin_lock(&xprt->reserve_lock);
-                list_add(&req->rq_list, &xprt->free);
-                rpc_wake_up_next(&xprt->backlog);
-                spin_unlock(&xprt->reserve_lock);
-        } else
                xprt_free_bc_request(req);
 }
diff --git a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
index f92e37eb413c..0194de814933 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
@@ -566,7 +566,6 @@ static int rdma_read_complete(struct svc_rqst *rqstp,
                ret, rqstp->rq_arg.len, rqstp->rq_arg.head[0].iov_base,
                rqstp->rq_arg.head[0].iov_len);
-        svc_xprt_received(rqstp->rq_xprt);
        return ret;
 }
@@ -665,7 +664,6 @@ int svc_rdma_recvfrom(struct svc_rqst *rqstp)
                rqstp->rq_arg.head[0].iov_len);
        rqstp->rq_prot = IPPROTO_MAX;
        svc_xprt_copy_addrs(rqstp, xprt);
-        svc_xprt_received(xprt);
        return ret;
 close_out:
@@ -678,6 +676,5 @@ int svc_rdma_recvfrom(struct svc_rqst *rqstp)
         */
        set_bit(XPT_CLOSE, &xprt->xpt_flags);
 defer:
-        svc_xprt_received(xprt);
        return 0;
 }
diff --git a/net/sunrpc/xprtrdma/transport.c b/net/sunrpc/xprtrdma/transport.c
index 187257b1d880..a85e866a77f7 100644
--- a/net/sunrpc/xprtrdma/transport.c
+++ b/net/sunrpc/xprtrdma/transport.c
@@ -305,7 +305,6 @@ xprt_setup_rdma(struct xprt_create *args)
        /* 60 second timeout, no retries */
        xprt->timeout = &xprt_rdma_default_timeout;
        xprt->bind_timeout = (60U * HZ);
-        xprt->connect_timeout = (60U * HZ);
        xprt->reestablish_timeout = (5U * HZ);
        xprt->idle_timeout = (5U * 60 * HZ);
@@ -449,21 +448,19 @@ xprt_rdma_connect(struct rpc_task *task)
        struct rpc_xprt *xprt = (struct rpc_xprt *)task->tk_xprt;
        struct rpcrdma_xprt *r_xprt = rpcx_to_rdmax(xprt);
-        if (!xprt_test_and_set_connecting(xprt)) {
+        if (r_xprt->rx_ep.rep_connected != 0) {
-                if (r_xprt->rx_ep.rep_connected != 0) {
+                /* Reconnect */
-                        /* Reconnect */
+                schedule_delayed_work(&r_xprt->rdma_connect,
-                        schedule_delayed_work(&r_xprt->rdma_connect,
+                        xprt->reestablish_timeout);
-                                xprt->reestablish_timeout);
+                xprt->reestablish_timeout <<= 1;
-                        xprt->reestablish_timeout <<= 1;
+                if (xprt->reestablish_timeout > (30 * HZ))
-                        if (xprt->reestablish_timeout > (30 * HZ))
+                        xprt->reestablish_timeout = (30 * HZ);
-                                xprt->reestablish_timeout = (30 * HZ);
+                else if (xprt->reestablish_timeout < (5 * HZ))
-                        else if (xprt->reestablish_timeout < (5 * HZ))
+                        xprt->reestablish_timeout = (5 * HZ);
-                                xprt->reestablish_timeout = (5 * HZ);
+        } else {
-                } else {
+                schedule_delayed_work(&r_xprt->rdma_connect, 0);
-                        schedule_delayed_work(&r_xprt->rdma_connect, 0);
+                if (!RPC_IS_ASYNC(task))
-                        if (!RPC_IS_ASYNC(task))
+                        flush_scheduled_work();
-                                flush_scheduled_work();
-                }
        }
 }
@@ -677,7 +674,7 @@ xprt_rdma_send_request(struct rpc_task *task)
        if (rpcrdma_ep_post(&r_xprt->rx_ia, &r_xprt->rx_ep, req))
                goto drop_connection;
-        task->tk_bytes_sent += rqst->rq_snd_buf.len;
+        rqst->rq_xmit_bytes_sent += rqst->rq_snd_buf.len;
        rqst->rq_bytes_sent = 0;
        return 0;
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 9847c30b5001..2a9675136c68 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -138,20 +138,6 @@ static ctl_table sunrpc_table[] = {
 #endif
 /*
- * Time out for an RPC UDP socket connect.  UDP socket connects are
- * synchronous, but we set a timeout anyway in case of resource
- * exhaustion on the local host.
- */
-#define XS_UDP_CONN_TO          (5U * HZ)
-/*
- * Wait duration for an RPC TCP connection to be established.  Solaris
- * NFS over TCP uses 60 seconds, for example, which is in line with how
- * long a server takes to reboot.
- */
-#define XS_TCP_CONN_TO          (60U * HZ)
-/*
 * Wait duration for a reply from the RPC portmapper.
 */
 #define XS_BIND_TO              (60U * HZ)
@@ -542,7 +528,7 @@ static int xs_udp_send_request(struct rpc_task *task)
                        xdr->len - req->rq_bytes_sent, status);
        if (status >= 0) {
-                task->tk_bytes_sent += status;
+                req->rq_xmit_bytes_sent += status;
                if (status >= req->rq_slen)
                        return 0;
                /* Still some bytes left; set up for a retry later. */
@@ -638,7 +624,7 @@ static int xs_tcp_send_request(struct rpc_task *task)
                /* If we've sent the entire packet, immediately
                 * reset the count of bytes sent. */
                req->rq_bytes_sent += status;
-                task->tk_bytes_sent += status;
+                req->rq_xmit_bytes_sent += status;
                if (likely(req->rq_bytes_sent >= req->rq_slen)) {
                        req->rq_bytes_sent = 0;
                        return 0;
@@ -858,7 +844,6 @@ static void xs_udp_data_ready(struct sock *sk, int len)
        dst_confirm(skb_dst(skb));
        xprt_adjust_cwnd(task, copied);
-        xprt_update_rtt(task);
        xprt_complete_rqst(task, copied);
 out_unlock:
@@ -1050,8 +1035,6 @@ static inline void xs_tcp_read_common(struct rpc_xprt *xprt,
                if (transport->tcp_flags & TCP_RCV_LAST_FRAG)
                        transport->tcp_flags &= ~TCP_RCV_COPY_DATA;
        }
-        return;
 }
 /*
@@ -2016,9 +1999,6 @@ static void xs_connect(struct rpc_task *task)
        struct rpc_xprt *xprt = task->tk_xprt;
        struct sock_xprt *transport = container_of(xprt, struct sock_xprt, xprt);
-        if (xprt_test_and_set_connecting(xprt))
-                return;
        if (transport->sock != NULL && !RPC_IS_SOFTCONN(task)) {
                dprintk("RPC:       xs_connect delayed xprt %p for %lu "
                                "seconds\n",
@@ -2038,16 +2018,6 @@ static void xs_connect(struct rpc_task *task)
        }
 }
-static void xs_tcp_connect(struct rpc_task *task)
-{
-        struct rpc_xprt *xprt = task->tk_xprt;
-        /* Exit if we need to wait for socket shutdown to complete */
-        if (test_bit(XPRT_CLOSING, &xprt->state))
-                return;
-        xs_connect(task);
-}
 /**
 * xs_udp_print_stats - display UDP socket-specifc stats
 * @xprt: rpc_xprt struct containing statistics
@@ -2210,7 +2180,6 @@ static int bc_send_request(struct rpc_task *task)
 static void bc_close(struct rpc_xprt *xprt)
 {
-        return;
 }
 /*
@@ -2220,7 +2189,6 @@ static void bc_close(struct rpc_xprt *xprt)
 static void bc_destroy(struct rpc_xprt *xprt)
 {
-        return;
 }
 static struct rpc_xprt_ops xs_udp_ops = {
@@ -2246,7 +2214,7 @@ static struct rpc_xprt_ops xs_tcp_ops = {
        .release_xprt           = xs_tcp_release_xprt,
        .rpcbind                = rpcb_getport_async,
        .set_port               = xs_set_port,
-        .connect                = xs_tcp_connect,
+        .connect                = xs_connect,
        .buf_alloc              = rpc_malloc,
        .buf_free               = rpc_free,
        .send_request           = xs_tcp_send_request,
@@ -2325,6 +2293,7 @@ static struct rpc_xprt *xs_setup_udp(struct xprt_create *args)
        struct sockaddr *addr = args->dstaddr;
        struct rpc_xprt *xprt;
        struct sock_xprt *transport;
+        struct rpc_xprt *ret;
        xprt = xs_setup_xprt(args, xprt_udp_slot_table_entries);
        if (IS_ERR(xprt))
@@ -2337,7 +2306,6 @@ static struct rpc_xprt *xs_setup_udp(struct xprt_create *args)
        xprt->max_payload = (1U << 16) - (MAX_HEADER << 3);
        xprt->bind_timeout = XS_BIND_TO;
-        xprt->connect_timeout = XS_UDP_CONN_TO;
        xprt->reestablish_timeout = XS_UDP_REEST_TO;
        xprt->idle_timeout = XS_IDLE_DISC_TO;
@@ -2363,8 +2331,8 @@ static struct rpc_xprt *xs_setup_udp(struct xprt_create *args)
                xs_format_peer_addresses(xprt, "udp", RPCBIND_NETID_UDP6);
                break;
        default:
-                kfree(xprt);
+                ret = ERR_PTR(-EAFNOSUPPORT);
-                return ERR_PTR(-EAFNOSUPPORT);
+                goto out_err;
        }
        if (xprt_bound(xprt))
@@ -2379,10 +2347,11 @@ static struct rpc_xprt *xs_setup_udp(struct xprt_create *args)
        if (try_module_get(THIS_MODULE))
                return xprt;
+        ret = ERR_PTR(-EINVAL);
+out_err:
        kfree(xprt->slot);
        kfree(xprt);
-        return ERR_PTR(-EINVAL);
+        return ret;
 }
 static const struct rpc_timeout xs_tcp_default_timeout = {
@@ -2401,6 +2370,7 @@ static struct rpc_xprt *xs_setup_tcp(struct xprt_create *args)
        struct sockaddr *addr = args->dstaddr;
        struct rpc_xprt *xprt;
        struct sock_xprt *transport;
+        struct rpc_xprt *ret;
        xprt = xs_setup_xprt(args, xprt_tcp_slot_table_entries);
        if (IS_ERR(xprt))
@@ -2412,7 +2382,6 @@ static struct rpc_xprt *xs_setup_tcp(struct xprt_create *args)
        xprt->max_payload = RPC_MAX_FRAGMENT_SIZE;
        xprt->bind_timeout = XS_BIND_TO;
-        xprt->connect_timeout = XS_TCP_CONN_TO;
        xprt->reestablish_timeout = XS_TCP_INIT_REEST_TO;
        xprt->idle_timeout = XS_IDLE_DISC_TO;
@@ -2437,8 +2406,8 @@ static struct rpc_xprt *xs_setup_tcp(struct xprt_create *args)
                xs_format_peer_addresses(xprt, "tcp", RPCBIND_NETID_TCP6);
                break;
        default:
-                kfree(xprt);
+                ret = ERR_PTR(-EAFNOSUPPORT);
-                return ERR_PTR(-EAFNOSUPPORT);
+                goto out_err;
        }
        if (xprt_bound(xprt))
@@ -2454,10 +2423,11 @@ static struct rpc_xprt *xs_setup_tcp(struct xprt_create *args)
        if (try_module_get(THIS_MODULE))
                return xprt;
+        ret = ERR_PTR(-EINVAL);
+out_err:
        kfree(xprt->slot);
        kfree(xprt);
-        return ERR_PTR(-EINVAL);
+        return ret;
 }
 /**
@@ -2471,9 +2441,7 @@ static struct rpc_xprt *xs_setup_bc_tcp(struct xprt_create *args)
        struct rpc_xprt *xprt;
        struct sock_xprt *transport;
        struct svc_sock *bc_sock;
+        struct rpc_xprt *ret;
-        if (!args->bc_xprt)
-                ERR_PTR(-EINVAL);
        xprt = xs_setup_xprt(args, xprt_tcp_slot_table_entries);
        if (IS_ERR(xprt))
@@ -2488,7 +2456,6 @@ static struct rpc_xprt *xs_setup_bc_tcp(struct xprt_create *args)
        /* backchannel */
        xprt_set_bound(xprt);
        xprt->bind_timeout = 0;
-        xprt->connect_timeout = 0;
        xprt->reestablish_timeout = 0;
        xprt->idle_timeout = 0;
@@ -2514,8 +2481,8 @@ static struct rpc_xprt *xs_setup_bc_tcp(struct xprt_create *args)
                                   RPCBIND_NETID_TCP6);
                break;
        default:
-                kfree(xprt);
+                ret = ERR_PTR(-EAFNOSUPPORT);
-                return ERR_PTR(-EAFNOSUPPORT);
+                goto out_err;
        }
        if (xprt_bound(xprt))
@@ -2537,9 +2504,11 @@ static struct rpc_xprt *xs_setup_bc_tcp(struct xprt_create *args)
        if (try_module_get(THIS_MODULE))
                return xprt;
+        ret = ERR_PTR(-EINVAL);
+out_err:
        kfree(xprt->slot);
        kfree(xprt);
-        return ERR_PTR(-EINVAL);
+        return ret;
 }
 static struct xprt_class        xs_udp_transport = {
diff --git a/net/sysctl_net.c b/net/sysctl_net.c
index 53196009160a..ca84212cfbfe 100644
--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -82,7 +82,6 @@ static int __net_init sysctl_net_init(struct net *net)
 static void __net_exit sysctl_net_exit(struct net *net)
 {
        WARN_ON(!list_empty(&net->sysctls.list));
-        return;
 }
 static struct pernet_operations sysctl_pernet_ops = {
diff --git a/net/tipc/addr.c b/net/tipc/addr.c
index e5207a11edf6..c048543ffbeb 100644
--- a/net/tipc/addr.c
+++ b/net/tipc/addr.c
@@ -92,3 +92,35 @@ int tipc_addr_node_valid(u32 addr)
        return (tipc_addr_domain_valid(addr) && tipc_node(addr));
 }
+int tipc_in_scope(u32 domain, u32 addr)
+{
+        if (!domain || (domain == addr))
+                return 1;
+        if (domain == (addr & 0xfffff000u)) /* domain <Z.C.0> */
+                return 1;
+        if (domain == (addr & 0xff000000u)) /* domain <Z.0.0> */
+                return 1;
+        return 0;
+}
+/**
+ * tipc_addr_scope - convert message lookup domain to a 2-bit scope value
+ */
+int tipc_addr_scope(u32 domain)
+{
+        if (likely(!domain))
+                return TIPC_ZONE_SCOPE;
+        if (tipc_node(domain))
+                return TIPC_NODE_SCOPE;
+        if (tipc_cluster(domain))
+                return TIPC_CLUSTER_SCOPE;
+        return TIPC_ZONE_SCOPE;
+}
+char *tipc_addr_string_fill(char *string, u32 addr)
+{
+        snprintf(string, 16, "<%u.%u.%u>",
+                 tipc_zone(addr), tipc_cluster(addr), tipc_node(addr));
+        return string;
+}
diff --git a/net/tipc/addr.h b/net/tipc/addr.h
index 3ba67e6ce03e..c1cc5724d8cc 100644
--- a/net/tipc/addr.h
+++ b/net/tipc/addr.h
@@ -67,32 +67,6 @@ static inline int may_route(u32 addr)
        return(addr ^ tipc_own_addr) >> 11;
 }
-static inline int in_scope(u32 domain, u32 addr)
-{
-        if (!domain || (domain == addr))
-                return 1;
-        if (domain == (addr & 0xfffff000u)) /* domain <Z.C.0> */
-                return 1;
-        if (domain == (addr & 0xff000000u)) /* domain <Z.0.0> */
-                return 1;
-        return 0;
-}
-/**
- * addr_scope - convert message lookup domain to equivalent 2-bit scope value
- */
-static inline int addr_scope(u32 domain)
-{
-        if (likely(!domain))
-                return TIPC_ZONE_SCOPE;
-        if (tipc_node(domain))
-                return TIPC_NODE_SCOPE;
-        if (tipc_cluster(domain))
-                return TIPC_CLUSTER_SCOPE;
-        return TIPC_ZONE_SCOPE;
-}
 /**
 * addr_domain - convert 2-bit scope value to equivalent message lookup domain
 *
@@ -110,14 +84,9 @@ static inline int addr_domain(int sc)
        return tipc_addr(tipc_zone(tipc_own_addr), 0, 0);
 }
-static inline char *addr_string_fill(char *string, u32 addr)
-{
-        snprintf(string, 16, "<%u.%u.%u>",
-                 tipc_zone(addr), tipc_cluster(addr), tipc_node(addr));
-        return string;
-}
 int tipc_addr_domain_valid(u32);
 int tipc_addr_node_valid(u32 addr);
+int tipc_in_scope(u32 domain, u32 addr);
+int tipc_addr_scope(u32 domain);
+char *tipc_addr_string_fill(char *string, u32 addr);
 #endif
diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
index 90a051912c03..a008c6689305 100644
--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -119,7 +119,7 @@ static struct bclink *bclink = NULL;
 static struct link *bcl = NULL;
 static DEFINE_SPINLOCK(bc_lock);
-const char tipc_bclink_name[] = "multicast-link";
+const char tipc_bclink_name[] = "broadcast-link";
 static u32 buf_seqno(struct sk_buff *buf)
@@ -275,7 +275,7 @@ static void bclink_send_nack(struct tipc_node *n_ptr)
        buf = buf_acquire(INT_H_SIZE);
        if (buf) {
                msg = buf_msg(buf);
-                msg_init(msg, BCAST_PROTOCOL, STATE_MSG,
+                tipc_msg_init(msg, BCAST_PROTOCOL, STATE_MSG,
                         INT_H_SIZE, n_ptr->addr);
                msg_set_mc_netid(msg, tipc_net_id);
                msg_set_bcast_ack(msg, mod(n_ptr->bclink.last_in));
@@ -822,3 +822,113 @@ void tipc_bclink_stop(void)
        spin_unlock_bh(&bc_lock);
 }
+/**
+ * tipc_nmap_add - add a node to a node map
+ */
+void tipc_nmap_add(struct tipc_node_map *nm_ptr, u32 node)
+{
+        int n = tipc_node(node);
+        int w = n / WSIZE;
+        u32 mask = (1 << (n % WSIZE));
+        if ((nm_ptr->map[w] & mask) == 0) {
+                nm_ptr->count++;
+                nm_ptr->map[w] |= mask;
+        }
+}
+/**
+ * tipc_nmap_remove - remove a node from a node map
+ */
+void tipc_nmap_remove(struct tipc_node_map *nm_ptr, u32 node)
+{
+        int n = tipc_node(node);
+        int w = n / WSIZE;
+        u32 mask = (1 << (n % WSIZE));
+        if ((nm_ptr->map[w] & mask) != 0) {
+                nm_ptr->map[w] &= ~mask;
+                nm_ptr->count--;
+        }
+}
+/**
+ * tipc_nmap_diff - find differences between node maps
+ * @nm_a: input node map A
+ * @nm_b: input node map B
+ * @nm_diff: output node map A-B (i.e. nodes of A that are not in B)
+ */
+void tipc_nmap_diff(struct tipc_node_map *nm_a, struct tipc_node_map *nm_b,
+                                  struct tipc_node_map *nm_diff)
+{
+        int stop = ARRAY_SIZE(nm_a->map);
+        int w;
+        int b;
+        u32 map;
+        memset(nm_diff, 0, sizeof(*nm_diff));
+        for (w = 0; w < stop; w++) {
+                map = nm_a->map[w] ^ (nm_a->map[w] & nm_b->map[w]);
+                nm_diff->map[w] = map;
+                if (map != 0) {
+                        for (b = 0 ; b < WSIZE; b++) {
+                                if (map & (1 << b))
+                                        nm_diff->count++;
+                        }
+                }
+        }
+}
+/**
+ * tipc_port_list_add - add a port to a port list, ensuring no duplicates
+ */
+void tipc_port_list_add(struct port_list *pl_ptr, u32 port)
+{
+        struct port_list *item = pl_ptr;
+        int i;
+        int item_sz = PLSIZE;
+        int cnt = pl_ptr->count;
+        for (; ; cnt -= item_sz, item = item->next) {
+                if (cnt < PLSIZE)
+                        item_sz = cnt;
+                for (i = 0; i < item_sz; i++)
+                        if (item->ports[i] == port)
+                                return;
+                if (i < PLSIZE) {
+                        item->ports[i] = port;
+                        pl_ptr->count++;
+                        return;
+                }
+                if (!item->next) {
+                        item->next = kmalloc(sizeof(*item), GFP_ATOMIC);
+                        if (!item->next) {
+                                warn("Incomplete multicast delivery, no memory\n");
+                                return;
+                        }
+                        item->next->next = NULL;
+                }
+        }
+}
+/**
+ * tipc_port_list_free - free dynamically created entries in port_list chain
+ *
+ */
+void tipc_port_list_free(struct port_list *pl_ptr)
+{
+        struct port_list *item;
+        struct port_list *next;
+        for (item = pl_ptr->next; item; item = next) {
+                next = item->next;
+                kfree(item);
+        }
+}
diff --git a/net/tipc/bcast.h b/net/tipc/bcast.h
index 4c1771e95c99..e8c2b81658c7 100644
--- a/net/tipc/bcast.h
+++ b/net/tipc/bcast.h
@@ -72,41 +72,11 @@ struct tipc_node;
 extern const char tipc_bclink_name[];
+void tipc_nmap_add(struct tipc_node_map *nm_ptr, u32 node);
+void tipc_nmap_remove(struct tipc_node_map *nm_ptr, u32 node);
 /**
- * nmap_add - add a node to a node map
+ * tipc_nmap_equal - test for equality of node maps
- */
-static inline void tipc_nmap_add(struct tipc_node_map *nm_ptr, u32 node)
-{
-        int n = tipc_node(node);
-        int w = n / WSIZE;
-        u32 mask = (1 << (n % WSIZE));
-        if ((nm_ptr->map[w] & mask) == 0) {
-                nm_ptr->count++;
-                nm_ptr->map[w] |= mask;
-        }
-}
-/**
- * nmap_remove - remove a node from a node map
- */
-static inline void tipc_nmap_remove(struct tipc_node_map *nm_ptr, u32 node)
-{
-        int n = tipc_node(node);
-        int w = n / WSIZE;
-        u32 mask = (1 << (n % WSIZE));
-        if ((nm_ptr->map[w] & mask) != 0) {
-                nm_ptr->map[w] &= ~mask;
-                nm_ptr->count--;
-        }
-}
-/**
- * nmap_equal - test for equality of node maps
 */
 static inline int tipc_nmap_equal(struct tipc_node_map *nm_a, struct tipc_node_map *nm_b)
@@ -114,84 +84,11 @@ static inline int tipc_nmap_equal(struct tipc_node_map *nm_a, struct tipc_node_m
        return !memcmp(nm_a, nm_b, sizeof(*nm_a));
 }
-/**
+void tipc_nmap_diff(struct tipc_node_map *nm_a, struct tipc_node_map *nm_b,
- * nmap_diff - find differences between node maps
+                                  struct tipc_node_map *nm_diff);
- * @nm_a: input node map A
- * @nm_b: input node map B
- * @nm_diff: output node map A-B (i.e. nodes of A that are not in B)
- */
-static inline void tipc_nmap_diff(struct tipc_node_map *nm_a, struct tipc_node_map *nm_b,
-                                  struct tipc_node_map *nm_diff)
-{
-        int stop = ARRAY_SIZE(nm_a->map);
-        int w;
-        int b;
-        u32 map;
-        memset(nm_diff, 0, sizeof(*nm_diff));
-        for (w = 0; w < stop; w++) {
-                map = nm_a->map[w] ^ (nm_a->map[w] & nm_b->map[w]);
-                nm_diff->map[w] = map;
-                if (map != 0) {
-                        for (b = 0 ; b < WSIZE; b++) {
-                                if (map & (1 << b))
-                                        nm_diff->count++;
-                        }
-                }
-        }
-}
-/**
- * port_list_add - add a port to a port list, ensuring no duplicates
- */
-static inline void tipc_port_list_add(struct port_list *pl_ptr, u32 port)
-{
-        struct port_list *item = pl_ptr;
-        int i;
-        int item_sz = PLSIZE;
-        int cnt = pl_ptr->count;
-        for (; ; cnt -= item_sz, item = item->next) {
-                if (cnt < PLSIZE)
-                        item_sz = cnt;
-                for (i = 0; i < item_sz; i++)
-                        if (item->ports[i] == port)
-                                return;
-                if (i < PLSIZE) {
-                        item->ports[i] = port;
-                        pl_ptr->count++;
-                        return;
-                }
-                if (!item->next) {
-                        item->next = kmalloc(sizeof(*item), GFP_ATOMIC);
-                        if (!item->next) {
-                                warn("Incomplete multicast delivery, no memory\n");
-                                return;
-                        }
-                        item->next->next = NULL;
-                }
-        }
-}
-/**
- * port_list_free - free dynamically created entries in port_list chain
- *
- * Note: First item is on stack, so it doesn't need to be released
- */
-static inline void tipc_port_list_free(struct port_list *pl_ptr)
-{
-        struct port_list *item;
-        struct port_list *next;
-        for (item = pl_ptr->next; item; item = next) {
-                next = item->next;
-                kfree(item);
-        }
-}
+void tipc_port_list_add(struct port_list *pl_ptr, u32 port);
+void tipc_port_list_free(struct port_list *pl_ptr);
 int  tipc_bclink_init(void);
 void tipc_bclink_stop(void);
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 78091375ca12..52ae17b2583e 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -467,6 +467,18 @@ int tipc_bearer_resolve_congestion(struct bearer *b_ptr, struct link *l_ptr)
        return res;
 }
+/**
+ * tipc_bearer_congested - determines if bearer is currently congested
+ */
+int tipc_bearer_congested(struct bearer *b_ptr, struct link *l_ptr)
+{
+        if (unlikely(b_ptr->publ.blocked))
+                return 1;
+        if (likely(list_empty(&b_ptr->cong_links)))
+                return 0;
+        return !tipc_bearer_resolve_congestion(b_ptr, l_ptr);
+}
 /**
 * tipc_enable_bearer - enable bearer with the given name
@@ -493,7 +505,7 @@ int tipc_enable_bearer(const char *name, u32 bcast_scope, u32 priority)
                return -EINVAL;
        }
        if (!tipc_addr_domain_valid(bcast_scope) ||
-            !in_scope(bcast_scope, tipc_own_addr)) {
+            !tipc_in_scope(bcast_scope, tipc_own_addr)) {
                warn("Bearer <%s> rejected, illegal broadcast scope\n", name);
                return -EINVAL;
        }
@@ -571,7 +583,7 @@ restart:
        spin_lock_init(&b_ptr->publ.lock);
        write_unlock_bh(&tipc_net_lock);
        info("Enabled bearer <%s>, discovery domain %s, priority %u\n",
-             name, addr_string_fill(addr_string, bcast_scope), priority);
+             name, tipc_addr_string_fill(addr_string, bcast_scope), priority);
        return 0;
 failed:
        write_unlock_bh(&tipc_net_lock);
diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
index 000228e93f9e..a850b389663e 100644
--- a/net/tipc/bearer.h
+++ b/net/tipc/bearer.h
@@ -125,6 +125,7 @@ void tipc_bearer_remove_dest(struct bearer *b_ptr, u32 dest);
 void tipc_bearer_schedule(struct bearer *b_ptr, struct link *l_ptr);
 struct bearer *tipc_bearer_find_interface(const char *if_name);
 int tipc_bearer_resolve_congestion(struct bearer *b_ptr, struct link *l_ptr);
+int tipc_bearer_congested(struct bearer *b_ptr, struct link *l_ptr);
 int tipc_bearer_init(void);
 void tipc_bearer_stop(void);
 void tipc_bearer_lock_push(struct bearer *b_ptr);
@@ -154,17 +155,4 @@ static inline int tipc_bearer_send(struct bearer *b_ptr, struct sk_buff *buf,
        return !b_ptr->media->send_msg(buf, &b_ptr->publ, dest);
 }
-/**
+#endif  /* _TIPC_BEARER_H */
- * tipc_bearer_congested - determines if bearer is currently congested
- */
-static inline int tipc_bearer_congested(struct bearer *b_ptr, struct link *l_ptr)
-{
-        if (unlikely(b_ptr->publ.blocked))
-                return 1;
-        if (likely(list_empty(&b_ptr->cong_links)))
-                return 0;
-        return !tipc_bearer_resolve_congestion(b_ptr, l_ptr);
-}
-#endif
diff --git a/net/tipc/cluster.c b/net/tipc/cluster.c
index a7eac00cd363..e68f705381bc 100644
--- a/net/tipc/cluster.c
+++ b/net/tipc/cluster.c
@@ -238,7 +238,7 @@ static struct sk_buff *tipc_cltr_prepare_routing_msg(u32 data_size, u32 dest)
        if (buf) {
                msg = buf_msg(buf);
                memset((char *)msg, 0, size);
-                msg_init(msg, ROUTE_DISTRIBUTOR, 0, INT_H_SIZE, dest);
+                tipc_msg_init(msg, ROUTE_DISTRIBUTOR, 0, INT_H_SIZE, dest);
        }
        return buf;
 }
diff --git a/net/tipc/config.c b/net/tipc/config.c
index ca3544d030c7..961d1b097146 100644
--- a/net/tipc/config.c
+++ b/net/tipc/config.c
@@ -56,9 +56,6 @@ struct subscr_data {
 struct manager {
        u32 user_ref;
        u32 port_ref;
-        u32 subscr_ref;
-        u32 link_subscriptions;
-        struct list_head link_subscribers;
 };
 static struct manager mng = { 0};
@@ -70,12 +67,6 @@ static int req_tlv_space;		/* request message TLV area size */
 static int rep_headroom;                /* reply message headroom to use */
-void tipc_cfg_link_event(u32 addr, char *name, int up)
-{
-        /* TIPC DOESN'T HANDLE LINK EVENT SUBSCRIPTIONS AT THE MOMENT */
-}
 struct sk_buff *tipc_cfg_reply_alloc(int payload_size)
 {
        struct sk_buff *buf;
@@ -130,12 +121,24 @@ struct sk_buff *tipc_cfg_reply_string_type(u16 tlv_type, char *string)
 }
 #if 0
 /* Now obsolete code for handling commands not yet implemented the new way */
+/*
+ * Some of this code assumed that the manager structure contains two added
+ * fields:
+ *      u32 link_subscriptions;
+ *      struct list_head link_subscribers;
+ * which are currently not present.  These fields may need to be re-introduced
+ * if and when support for link subscriptions is added.
+ */
+void tipc_cfg_link_event(u32 addr, char *name, int up)
+{
+        /* TIPC DOESN'T HANDLE LINK EVENT SUBSCRIPTIONS AT THE MOMENT */
+}
 int tipc_cfg_cmd(const struct tipc_cmd_msg * msg,
                 char *data,
                 u32 sz,
@@ -243,13 +246,48 @@ static void cfg_cmd_event(struct tipc_cmd_msg *msg,
        default:
                rv = tipc_cfg_cmd(msg, data, sz, (u32 *)&msg_sect[1].iov_len, orig);
        }
-        exit:
+exit:
        rmsg.result_len = htonl(msg_sect[1].iov_len);
        rmsg.retval = htonl(rv);
        tipc_cfg_respond(msg_sect, 2u, orig);
 }
 #endif
+#define MAX_STATS_INFO 2000
+static struct sk_buff *tipc_show_stats(void)
+{
+        struct sk_buff *buf;
+        struct tlv_desc *rep_tlv;
+        struct print_buf pb;
+        int str_len;
+        u32 value;
+        if (!TLV_CHECK(req_tlv_area, req_tlv_space, TIPC_TLV_UNSIGNED))
+                return tipc_cfg_reply_error_string(TIPC_CFG_TLV_ERROR);
+        value = ntohl(*(u32 *)TLV_DATA(req_tlv_area));
+        if (value != 0)
+                return tipc_cfg_reply_error_string("unsupported argument");
+        buf = tipc_cfg_reply_alloc(TLV_SPACE(MAX_STATS_INFO));
+        if (buf == NULL)
+                return NULL;
+        rep_tlv = (struct tlv_desc *)buf->data;
+        tipc_printbuf_init(&pb, (char *)TLV_DATA(rep_tlv), MAX_STATS_INFO);
+        tipc_printf(&pb, "TIPC version " TIPC_MOD_VER "\n");
+        /* Use additional tipc_printf()'s to return more info ... */
+        str_len = tipc_printbuf_validate(&pb);
+        skb_put(buf, TLV_SPACE(str_len));
+        TLV_SET(rep_tlv, TIPC_TLV_ULTRA_STRING, NULL, str_len);
+        return buf;
+}
 static struct sk_buff *cfg_enable_bearer(void)
 {
        struct tipc_bearer_config *args;
@@ -533,6 +571,9 @@ struct sk_buff *tipc_cfg_do_cmd(u32 orig_node, u16 cmd, const void *request_area
        case TIPC_CMD_DUMP_LOG:
                rep_tlv_buf = tipc_log_dump();
                break;
+        case TIPC_CMD_SHOW_STATS:
+                rep_tlv_buf = tipc_show_stats();
+                break;
        case TIPC_CMD_SET_LINK_TOL:
        case TIPC_CMD_SET_LINK_PRI:
        case TIPC_CMD_SET_LINK_WINDOW:
@@ -667,9 +708,6 @@ int tipc_cfg_init(void)
        struct tipc_name_seq seq;
        int res;
-        memset(&mng, 0, sizeof(mng));
-        INIT_LIST_HEAD(&mng.link_subscribers);
        res = tipc_attach(&mng.user_ref, NULL, NULL);
        if (res)
                goto failed;
diff --git a/net/tipc/core.c b/net/tipc/core.c
index 4e84c8431f32..696468117985 100644
--- a/net/tipc/core.c
+++ b/net/tipc/core.c
@@ -49,8 +49,6 @@
 #include "config.h"
-#define TIPC_MOD_VER "2.0.0"
 #ifndef CONFIG_TIPC_ZONES
 #define CONFIG_TIPC_ZONES 3
 #endif
@@ -104,6 +102,30 @@ int tipc_get_mode(void)
 }
 /**
+ * buf_acquire - creates a TIPC message buffer
+ * @size: message size (including TIPC header)
+ *
+ * Returns a new buffer with data pointers set to the specified size.
+ *
+ * NOTE: Headroom is reserved to allow prepending of a data link header.
+ *       There may also be unrequested tailroom present at the buffer's end.
+ */
+struct sk_buff *buf_acquire(u32 size)
+{
+        struct sk_buff *skb;
+        unsigned int buf_size = (BUF_HEADROOM + size + 3) & ~3u;
+        skb = alloc_skb_fclone(buf_size, GFP_ATOMIC);
+        if (skb) {
+                skb_reserve(skb, BUF_HEADROOM);
+                skb_put(skb, size);
+                skb->next = NULL;
+        }
+        return skb;
+}
+/**
 * tipc_core_stop_net - shut down TIPC networking sub-systems
 */
diff --git a/net/tipc/core.h b/net/tipc/core.h
index c58a1d16563a..188799017abd 100644
--- a/net/tipc/core.h
+++ b/net/tipc/core.h
@@ -59,6 +59,9 @@
 #include <linux/slab.h>
 #include <linux/vmalloc.h>
+#define TIPC_MOD_VER "2.0.0"
 /*
 * TIPC sanity test macros
 */
@@ -325,29 +328,7 @@ static inline struct tipc_msg *buf_msg(struct sk_buff *skb)
        return (struct tipc_msg *)skb->data;
 }
-/**
+extern struct sk_buff *buf_acquire(u32 size);
- * buf_acquire - creates a TIPC message buffer
- * @size: message size (including TIPC header)
- *
- * Returns a new buffer with data pointers set to the specified size.
- *
- * NOTE: Headroom is reserved to allow prepending of a data link header.
- *       There may also be unrequested tailroom present at the buffer's end.
- */
-static inline struct sk_buff *buf_acquire(u32 size)
-{
-        struct sk_buff *skb;
-        unsigned int buf_size = (BUF_HEADROOM + size + 3) & ~3u;
-        skb = alloc_skb_fclone(buf_size, GFP_ATOMIC);
-        if (skb) {
-                skb_reserve(skb, BUF_HEADROOM);
-                skb_put(skb, size);
-                skb->next = NULL;
-        }
-        return skb;
-}
 /**
 * buf_discard - frees a TIPC message buffer
diff --git a/net/tipc/discover.c b/net/tipc/discover.c
index 74b7d1e28aec..fc1fcf5e6b53 100644
--- a/net/tipc/discover.c
+++ b/net/tipc/discover.c
@@ -120,7 +120,7 @@ static struct sk_buff *tipc_disc_init_msg(u32 type,
        if (buf) {
                msg = buf_msg(buf);
-                msg_init(msg, LINK_CONFIG, type, DSC_H_SIZE, dest_domain);
+                tipc_msg_init(msg, LINK_CONFIG, type, DSC_H_SIZE, dest_domain);
                msg_set_non_seq(msg, 1);
                msg_set_req_links(msg, req_links);
                msg_set_dest_domain(msg, dest_domain);
@@ -144,7 +144,7 @@ static void disc_dupl_alert(struct bearer *b_ptr, u32 node_addr,
        char media_addr_str[64];
        struct print_buf pb;
-        addr_string_fill(node_addr_str, node_addr);
+        tipc_addr_string_fill(node_addr_str, node_addr);
        tipc_printbuf_init(&pb, media_addr_str, sizeof(media_addr_str));
        tipc_media_addr_printf(&pb, media_addr);
        tipc_printbuf_validate(&pb);
@@ -183,7 +183,7 @@ void tipc_disc_recv_msg(struct sk_buff *buf, struct bearer *b_ptr)
                        disc_dupl_alert(b_ptr, tipc_own_addr, &media_addr);
                return;
        }
-        if (!in_scope(dest, tipc_own_addr))
+        if (!tipc_in_scope(dest, tipc_own_addr))
                return;
        if (is_slave(tipc_own_addr) && is_slave(orig))
                return;
@@ -224,7 +224,7 @@ void tipc_disc_recv_msg(struct sk_buff *buf, struct bearer *b_ptr)
                        memcpy(addr, &media_addr, sizeof(*addr));
                        tipc_link_reset(link);
                }
-                link_fully_up = (link->state == WORKING_WORKING);
+                link_fully_up = link_working_working(link);
                spin_unlock_bh(&n_ptr->lock);
                if ((type == DSC_RESP_MSG) || link_fully_up)
                        return;
diff --git a/net/tipc/link.c b/net/tipc/link.c
index c76e82e5f982..a3616b99529b 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -202,41 +202,6 @@ static unsigned int align(unsigned int i)
        return (i + 3) & ~3u;
 }
-static int link_working_working(struct link *l_ptr)
-{
-        return (l_ptr->state == WORKING_WORKING);
-}
-static int link_working_unknown(struct link *l_ptr)
-{
-        return (l_ptr->state == WORKING_UNKNOWN);
-}
-static int link_reset_unknown(struct link *l_ptr)
-{
-        return (l_ptr->state == RESET_UNKNOWN);
-}
-static int link_reset_reset(struct link *l_ptr)
-{
-        return (l_ptr->state == RESET_RESET);
-}
-static int link_blocked(struct link *l_ptr)
-{
-        return (l_ptr->exp_msg_count || l_ptr->blocked);
-}
-static int link_congested(struct link *l_ptr)
-{
-        return (l_ptr->out_queue_size >= l_ptr->queue_limit[0]);
-}
-static u32 link_max_pkt(struct link *l_ptr)
-{
-        return l_ptr->max_pkt;
-}
 static void link_init_max_pkt(struct link *l_ptr)
 {
        u32 max_pkt;
@@ -468,7 +433,7 @@ struct link *tipc_link_create(struct bearer *b_ptr, const u32 peer,
        l_ptr->pmsg = (struct tipc_msg *)&l_ptr->proto_msg;
        msg = l_ptr->pmsg;
-        msg_init(msg, LINK_PROTOCOL, RESET_MSG, INT_H_SIZE, l_ptr->addr);
+        tipc_msg_init(msg, LINK_PROTOCOL, RESET_MSG, INT_H_SIZE, l_ptr->addr);
        msg_set_size(msg, sizeof(l_ptr->proto_msg));
        msg_set_session(msg, (tipc_random & 0xffff));
        msg_set_bearer_id(msg, b_ptr->identity);
@@ -561,9 +526,8 @@ static int link_schedule_port(struct link *l_ptr, u32 origport, u32 sz)
                        goto exit;
                if (!list_empty(&p_ptr->wait_list))
                        goto exit;
-                p_ptr->congested_link = l_ptr;
                p_ptr->publ.congested = 1;
-                p_ptr->waiting_pkts = 1 + ((sz - 1) / link_max_pkt(l_ptr));
+                p_ptr->waiting_pkts = 1 + ((sz - 1) / l_ptr->max_pkt);
                list_add_tail(&p_ptr->wait_list, &l_ptr->waiting_ports);
                l_ptr->stats.link_congs++;
 exit:
@@ -592,7 +556,6 @@ void tipc_link_wakeup_ports(struct link *l_ptr, int all)
                if (win <= 0)
                        break;
                list_del_init(&p_ptr->wait_list);
-                p_ptr->congested_link = NULL;
                spin_lock_bh(p_ptr->publ.lock);
                p_ptr->publ.congested = 0;
                p_ptr->wakeup(&p_ptr->publ);
@@ -1017,7 +980,7 @@ static int link_bundle_buf(struct link *l_ptr,
                return 0;
        if (skb_tailroom(bundler) < (pad + size))
                return 0;
-        if (link_max_pkt(l_ptr) < (to_pos + size))
+        if (l_ptr->max_pkt < (to_pos + size))
                return 0;
        skb_put(bundler, pad + size);
@@ -1062,9 +1025,9 @@ int tipc_link_send_buf(struct link *l_ptr, struct sk_buff *buf)
        u32 size = msg_size(msg);
        u32 dsz = msg_data_sz(msg);
        u32 queue_size = l_ptr->out_queue_size;
-        u32 imp = msg_tot_importance(msg);
+        u32 imp = tipc_msg_tot_importance(msg);
        u32 queue_limit = l_ptr->queue_limit[imp];
-        u32 max_packet = link_max_pkt(l_ptr);
+        u32 max_packet = l_ptr->max_pkt;
        msg_set_prevnode(msg, tipc_own_addr);   /* If routed message */
@@ -1127,7 +1090,7 @@ int tipc_link_send_buf(struct link *l_ptr, struct sk_buff *buf)
                        struct tipc_msg bundler_hdr;
                        if (bundler) {
-                                msg_init(&bundler_hdr, MSG_BUNDLER, OPEN_MSG,
+                                tipc_msg_init(&bundler_hdr, MSG_BUNDLER, OPEN_MSG,
                                         INT_H_SIZE, l_ptr->addr);
                                skb_copy_to_linear_data(bundler, &bundler_hdr,
                                                        INT_H_SIZE);
@@ -1195,7 +1158,7 @@ static int link_send_buf_fast(struct link *l_ptr, struct sk_buff *buf,
        int res = msg_data_sz(msg);
        if (likely(!link_congested(l_ptr))) {
-                if (likely(msg_size(msg) <= link_max_pkt(l_ptr))) {
+                if (likely(msg_size(msg) <= l_ptr->max_pkt)) {
                        if (likely(list_empty(&l_ptr->b_ptr->cong_links))) {
                                link_add_to_outqueue(l_ptr, buf, msg);
                                if (likely(tipc_bearer_send(l_ptr->b_ptr, buf,
@@ -1212,7 +1175,7 @@ static int link_send_buf_fast(struct link *l_ptr, struct sk_buff *buf,
                        }
                }
                else
-                        *used_max_pkt = link_max_pkt(l_ptr);
+                        *used_max_pkt = l_ptr->max_pkt;
        }
        return tipc_link_send_buf(l_ptr, buf);  /* All other cases */
 }
@@ -1280,7 +1243,7 @@ again:
         * (Must not hold any locks while building message.)
         */
-        res = msg_build(hdr, msg_sect, num_sect, sender->publ.max_pkt,
+        res = tipc_msg_build(hdr, msg_sect, num_sect, sender->publ.max_pkt,
                        !sender->user_port, &buf);
        read_lock_bh(&tipc_net_lock);
@@ -1319,7 +1282,7 @@ exit:
                         * then re-try fast path or fragment the message
                         */
-                        sender->publ.max_pkt = link_max_pkt(l_ptr);
+                        sender->publ.max_pkt = l_ptr->max_pkt;
                        tipc_node_unlock(node);
                        read_unlock_bh(&tipc_net_lock);
@@ -1391,7 +1354,7 @@ again:
        /* Prepare reusable fragment header: */
        msg_dbg(hdr, ">FRAGMENTING>");
-        msg_init(&fragm_hdr, MSG_FRAGMENTER, FIRST_FRAGMENT,
+        tipc_msg_init(&fragm_hdr, MSG_FRAGMENTER, FIRST_FRAGMENT,
                 INT_H_SIZE, msg_destnode(hdr));
        msg_set_link_selector(&fragm_hdr, sender->publ.ref);
        msg_set_size(&fragm_hdr, max_pkt);
@@ -1482,8 +1445,8 @@ error:
                        tipc_node_unlock(node);
                        goto reject;
                }
-                if (link_max_pkt(l_ptr) < max_pkt) {
+                if (l_ptr->max_pkt < max_pkt) {
-                        sender->publ.max_pkt = link_max_pkt(l_ptr);
+                        sender->publ.max_pkt = l_ptr->max_pkt;
                        tipc_node_unlock(node);
                        for (; buf_chain; buf_chain = buf) {
                                buf = buf_chain->next;
@@ -1650,7 +1613,7 @@ static void link_reset_all(unsigned long addr)
        tipc_node_lock(n_ptr);
        warn("Resetting all links to %s\n",
-             addr_string_fill(addr_string, n_ptr->addr));
+             tipc_addr_string_fill(addr_string, n_ptr->addr));
        for (i = 0; i < MAX_BEARERS; i++) {
                if (n_ptr->links[i]) {
@@ -1692,7 +1655,7 @@ static void link_retransmit_failure(struct link *l_ptr, struct sk_buff *buf)
                n_ptr = l_ptr->owner->next;
                tipc_node_lock(n_ptr);
-                addr_string_fill(addr_string, n_ptr->addr);
+                tipc_addr_string_fill(addr_string, n_ptr->addr);
                tipc_printf(TIPC_OUTPUT, "Multicast link info for %s\n", addr_string);
                tipc_printf(TIPC_OUTPUT, "Supported: %d,  ", n_ptr->bclink.supported);
                tipc_printf(TIPC_OUTPUT, "Acked: %u\n", n_ptr->bclink.acked);
@@ -2435,7 +2398,7 @@ void tipc_link_changeover(struct link *l_ptr)
                return;
        }
-        msg_init(&tunnel_hdr, CHANGEOVER_PROTOCOL,
+        tipc_msg_init(&tunnel_hdr, CHANGEOVER_PROTOCOL,
                 ORIGINAL_MSG, INT_H_SIZE, l_ptr->addr);
        msg_set_bearer_id(&tunnel_hdr, l_ptr->peer_bearer_id);
        msg_set_msgcnt(&tunnel_hdr, msgcount);
@@ -2490,7 +2453,7 @@ void tipc_link_send_duplicate(struct link *l_ptr, struct link *tunnel)
        struct sk_buff *iter;
        struct tipc_msg tunnel_hdr;
-        msg_init(&tunnel_hdr, CHANGEOVER_PROTOCOL,
+        tipc_msg_init(&tunnel_hdr, CHANGEOVER_PROTOCOL,
                 DUPLICATE_MSG, INT_H_SIZE, l_ptr->addr);
        msg_set_msgcnt(&tunnel_hdr, l_ptr->out_queue_size);
        msg_set_bearer_id(&tunnel_hdr, l_ptr->peer_bearer_id);
@@ -2681,7 +2644,7 @@ int tipc_link_send_long_buf(struct link *l_ptr, struct sk_buff *buf)
        u32 dsz = msg_data_sz(inmsg);
        unchar *crs = buf->data;
        u32 rest = insize;
-        u32 pack_sz = link_max_pkt(l_ptr);
+        u32 pack_sz = l_ptr->max_pkt;
        u32 fragm_sz = pack_sz - INT_H_SIZE;
        u32 fragm_no = 1;
        u32 destaddr;
@@ -2696,7 +2659,7 @@ int tipc_link_send_long_buf(struct link *l_ptr, struct sk_buff *buf)
        /* Prepare reusable fragment header: */
-        msg_init(&fragm_hdr, MSG_FRAGMENTER, FIRST_FRAGMENT,
+        tipc_msg_init(&fragm_hdr, MSG_FRAGMENTER, FIRST_FRAGMENT,
                 INT_H_SIZE, destaddr);
        msg_set_link_selector(&fragm_hdr, msg_link_selector(inmsg));
        msg_set_long_msgno(&fragm_hdr, mod(l_ptr->long_msg_seq_no++));
@@ -3127,7 +3090,7 @@ static int tipc_link_stats(const char *name, char *buf, const u32 buf_size)
        tipc_printf(&pb, "Link <%s>\n"
                         "  %s  MTU:%u  Priority:%u  Tolerance:%u ms"
                         "  Window:%u packets\n",
-                    l_ptr->name, status, link_max_pkt(l_ptr),
+                    l_ptr->name, status, l_ptr->max_pkt,
                    l_ptr->priority, l_ptr->tolerance, l_ptr->queue_limit[0]);
        tipc_printf(&pb, "  RX packets:%u fragments:%u/%u bundles:%u/%u\n",
                    l_ptr->next_in_no - l_ptr->stats.recv_info,
@@ -3272,7 +3235,7 @@ u32 tipc_link_get_max_pkt(u32 dest, u32 selector)
                tipc_node_lock(n_ptr);
                l_ptr = n_ptr->active_links[selector & 1];
                if (l_ptr)
-                        res = link_max_pkt(l_ptr);
+                        res = l_ptr->max_pkt;
                tipc_node_unlock(n_ptr);
        }
        read_unlock_bh(&tipc_net_lock);
@@ -3330,9 +3293,7 @@ static void link_print(struct link *l_ptr, struct print_buf *buf,
                if (l_ptr->next_out)
                        tipc_printf(buf, "%u..",
                                    msg_seqno(buf_msg(l_ptr->next_out)));
-                tipc_printf(buf, "%u]",
+                tipc_printf(buf, "%u]", msg_seqno(buf_msg(l_ptr->last_out)));
-                            msg_seqno(buf_msg
-                                      (l_ptr->last_out)), l_ptr->out_queue_size);
                if ((mod(msg_seqno(buf_msg(l_ptr->last_out)) -
                         msg_seqno(buf_msg(l_ptr->first_out)))
                     != (l_ptr->out_queue_size - 1)) ||
diff --git a/net/tipc/link.h b/net/tipc/link.h
index 6a51e38ad25c..2e5385c47d30 100644
--- a/net/tipc/link.h
+++ b/net/tipc/link.h
@@ -292,4 +292,39 @@ static inline u32 lesser(u32 left, u32 right)
        return less_eq(left, right) ? left : right;
 }
+/*
+ * Link status checking routines
+ */
+static inline int link_working_working(struct link *l_ptr)
+{
+        return (l_ptr->state == WORKING_WORKING);
+}
+static inline int link_working_unknown(struct link *l_ptr)
+{
+        return (l_ptr->state == WORKING_UNKNOWN);
+}
+static inline int link_reset_unknown(struct link *l_ptr)
+{
+        return (l_ptr->state == RESET_UNKNOWN);
+}
+static inline int link_reset_reset(struct link *l_ptr)
+{
+        return (l_ptr->state == RESET_RESET);
+}
+static inline int link_blocked(struct link *l_ptr)
+{
+        return (l_ptr->exp_msg_count || l_ptr->blocked);
+}
+static inline int link_congested(struct link *l_ptr)
+{
+        return (l_ptr->out_queue_size >= l_ptr->queue_limit[0]);
+}
 #endif
diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 73dcd00d674e..381063817b41 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -40,6 +40,100 @@
 #include "msg.h"
 #include "bearer.h"
+u32 tipc_msg_tot_importance(struct tipc_msg *m)
+{
+        if (likely(msg_isdata(m))) {
+                if (likely(msg_orignode(m) == tipc_own_addr))
+                        return msg_importance(m);
+                return msg_importance(m) + 4;
+        }
+        if ((msg_user(m) == MSG_FRAGMENTER)  &&
+            (msg_type(m) == FIRST_FRAGMENT))
+                return msg_importance(msg_get_wrapped(m));
+        return msg_importance(m);
+}
+void tipc_msg_init(struct tipc_msg *m, u32 user, u32 type,
+                            u32 hsize, u32 destnode)
+{
+        memset(m, 0, hsize);
+        msg_set_version(m);
+        msg_set_user(m, user);
+        msg_set_hdr_sz(m, hsize);
+        msg_set_size(m, hsize);
+        msg_set_prevnode(m, tipc_own_addr);
+        msg_set_type(m, type);
+        if (!msg_short(m)) {
+                msg_set_orignode(m, tipc_own_addr);
+                msg_set_destnode(m, destnode);
+        }
+}
+/**
+ * tipc_msg_calc_data_size - determine total data size for message
+ */
+int tipc_msg_calc_data_size(struct iovec const *msg_sect, u32 num_sect)
+{
+        int dsz = 0;
+        int i;
+        for (i = 0; i < num_sect; i++)
+                dsz += msg_sect[i].iov_len;
+        return dsz;
+}
+/**
+ * tipc_msg_build - create message using specified header and data
+ *
+ * Note: Caller must not hold any locks in case copy_from_user() is interrupted!
+ *
+ * Returns message data size or errno
+ */
+int tipc_msg_build(struct tipc_msg *hdr,
+                            struct iovec const *msg_sect, u32 num_sect,
+                            int max_size, int usrmem, struct sk_buff** buf)
+{
+        int dsz, sz, hsz, pos, res, cnt;
+        dsz = tipc_msg_calc_data_size(msg_sect, num_sect);
+        if (unlikely(dsz > TIPC_MAX_USER_MSG_SIZE)) {
+                *buf = NULL;
+                return -EINVAL;
+        }
+        pos = hsz = msg_hdr_sz(hdr);
+        sz = hsz + dsz;
+        msg_set_size(hdr, sz);
+        if (unlikely(sz > max_size)) {
+                *buf = NULL;
+                return dsz;
+        }
+        *buf = buf_acquire(sz);
+        if (!(*buf))
+                return -ENOMEM;
+        skb_copy_to_linear_data(*buf, hdr, hsz);
+        for (res = 1, cnt = 0; res && (cnt < num_sect); cnt++) {
+                if (likely(usrmem))
+                        res = !copy_from_user((*buf)->data + pos,
+                                              msg_sect[cnt].iov_base,
+                                              msg_sect[cnt].iov_len);
+                else
+                        skb_copy_to_linear_data_offset(*buf, pos,
+                                                       msg_sect[cnt].iov_base,
+                                                       msg_sect[cnt].iov_len);
+                pos += msg_sect[cnt].iov_len;
+        }
+        if (likely(res))
+                return dsz;
+        buf_discard(*buf);
+        *buf = NULL;
+        return -EFAULT;
+}
 #ifdef CONFIG_TIPC_DEBUG
diff --git a/net/tipc/msg.h b/net/tipc/msg.h
index 7ee6ae238147..995d2da35b01 100644
--- a/net/tipc/msg.h
+++ b/net/tipc/msg.h
@@ -708,100 +708,13 @@ static inline void msg_set_dataoctet(struct tipc_msg *m, u32 pos)
 #define DSC_REQ_MSG          0
 #define DSC_RESP_MSG         1
-static inline u32 msg_tot_importance(struct tipc_msg *m)
+u32 tipc_msg_tot_importance(struct tipc_msg *m);
-{
+void tipc_msg_init(struct tipc_msg *m, u32 user, u32 type,
-        if (likely(msg_isdata(m))) {
+                            u32 hsize, u32 destnode);
-                if (likely(msg_orignode(m) == tipc_own_addr))
+int tipc_msg_calc_data_size(struct iovec const *msg_sect, u32 num_sect);
-                        return msg_importance(m);
+int tipc_msg_build(struct tipc_msg *hdr,
-                return msg_importance(m) + 4;
-        }
-        if ((msg_user(m) == MSG_FRAGMENTER)  &&
-            (msg_type(m) == FIRST_FRAGMENT))
-                return msg_importance(msg_get_wrapped(m));
-        return msg_importance(m);
-}
-static inline void msg_init(struct tipc_msg *m, u32 user, u32 type,
-                            u32 hsize, u32 destnode)
-{
-        memset(m, 0, hsize);
-        msg_set_version(m);
-        msg_set_user(m, user);
-        msg_set_hdr_sz(m, hsize);
-        msg_set_size(m, hsize);
-        msg_set_prevnode(m, tipc_own_addr);
-        msg_set_type(m, type);
-        if (!msg_short(m)) {
-                msg_set_orignode(m, tipc_own_addr);
-                msg_set_destnode(m, destnode);
-        }
-}
-/**
- * msg_calc_data_size - determine total data size for message
- */
-static inline int msg_calc_data_size(struct iovec const *msg_sect, u32 num_sect)
-{
-        int dsz = 0;
-        int i;
-        for (i = 0; i < num_sect; i++)
-                dsz += msg_sect[i].iov_len;
-        return dsz;
-}
-/**
- * msg_build - create message using specified header and data
- *
- * Note: Caller must not hold any locks in case copy_from_user() is interrupted!
- *
- * Returns message data size or errno
- */
-static inline int msg_build(struct tipc_msg *hdr,
                            struct iovec const *msg_sect, u32 num_sect,
-                            int max_size, int usrmem, struct sk_buff** buf)
+                            int max_size, int usrmem, struct sk_buff** buf);
-{
-        int dsz, sz, hsz, pos, res, cnt;
-        dsz = msg_calc_data_size(msg_sect, num_sect);
-        if (unlikely(dsz > TIPC_MAX_USER_MSG_SIZE)) {
-                *buf = NULL;
-                return -EINVAL;
-        }
-        pos = hsz = msg_hdr_sz(hdr);
-        sz = hsz + dsz;
-        msg_set_size(hdr, sz);
-        if (unlikely(sz > max_size)) {
-                *buf = NULL;
-                return dsz;
-        }
-        *buf = buf_acquire(sz);
-        if (!(*buf))
-                return -ENOMEM;
-        skb_copy_to_linear_data(*buf, hdr, hsz);
-        for (res = 1, cnt = 0; res && (cnt < num_sect); cnt++) {
-                if (likely(usrmem))
-                        res = !copy_from_user((*buf)->data + pos,
-                                              msg_sect[cnt].iov_base,
-                                              msg_sect[cnt].iov_len);
-                else
-                        skb_copy_to_linear_data_offset(*buf, pos,
-                                                       msg_sect[cnt].iov_base,
-                                                       msg_sect[cnt].iov_len);
-                pos += msg_sect[cnt].iov_len;
-        }
-        if (likely(res))
-                return dsz;
-        buf_discard(*buf);
-        *buf = NULL;
-        return -EFAULT;
-}
 static inline void msg_set_media_addr(struct tipc_msg *m, struct tipc_media_addr *a)
 {
diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index 10a69894e2fd..6ac3c543250b 100644
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -103,7 +103,7 @@ static struct sk_buff *named_prepare_buf(u32 type, u32 size, u32 dest)
        if (buf != NULL) {
                msg = buf_msg(buf);
-                msg_init(msg, NAME_DISTRIBUTOR, type, LONG_H_SIZE, dest);
+                tipc_msg_init(msg, NAME_DISTRIBUTOR, type, LONG_H_SIZE, dest);
                msg_set_size(msg, LONG_H_SIZE + size);
        }
        return buf;
diff --git a/net/tipc/name_table.c b/net/tipc/name_table.c
index acab41a48d67..8ba79620db3f 100644
--- a/net/tipc/name_table.c
+++ b/net/tipc/name_table.c
@@ -627,7 +627,7 @@ u32 tipc_nametbl_translate(u32 type, u32 instance, u32 *destnode)
        struct name_seq *seq;
        u32 ref;
-        if (!in_scope(*destnode, tipc_own_addr))
+        if (!tipc_in_scope(*destnode, tipc_own_addr))
                return 0;
        read_lock_bh(&tipc_nametbl_lock);
diff --git a/net/tipc/net.c b/net/tipc/net.c
index d7cd1e064a80..f61b7694138b 100644
--- a/net/tipc/net.c
+++ b/net/tipc/net.c
@@ -219,7 +219,7 @@ void tipc_net_route_msg(struct sk_buff *buf)
        /* Handle message for this node */
        dnode = msg_short(msg) ? tipc_own_addr : msg_destnode(msg);
-        if (in_scope(dnode, tipc_own_addr)) {
+        if (tipc_in_scope(dnode, tipc_own_addr)) {
                if (msg_isdata(msg)) {
                        if (msg_mcast(msg))
                                tipc_port_recv_mcast(buf, NULL);
@@ -277,7 +277,7 @@ int tipc_net_start(u32 addr)
        info("Started in network mode\n");
        info("Own node address %s, network identity %u\n",
-             addr_string_fill(addr_string, tipc_own_addr), tipc_net_id);
+             tipc_addr_string_fill(addr_string, tipc_own_addr), tipc_net_id);
        return 0;
 }
diff --git a/net/tipc/node.c b/net/tipc/node.c
index 17cc394f424f..b634942caba5 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -268,7 +268,7 @@ struct tipc_node *tipc_node_attach_link(struct link *l_ptr)
                if (n_ptr->link_cnt >= 2) {
                        err("Attempt to create third link to %s\n",
-                            addr_string_fill(addr_string, n_ptr->addr));
+                            tipc_addr_string_fill(addr_string, n_ptr->addr));
                        return NULL;
                }
@@ -280,7 +280,7 @@ struct tipc_node *tipc_node_attach_link(struct link *l_ptr)
                }
                err("Attempt to establish second link on <%s> to %s\n",
                    l_ptr->b_ptr->publ.name,
-                    addr_string_fill(addr_string, l_ptr->addr));
+                    tipc_addr_string_fill(addr_string, l_ptr->addr));
        }
        return NULL;
 }
@@ -439,7 +439,7 @@ static void node_lost_contact(struct tipc_node *n_ptr)
                return;
        info("Lost contact with %s\n",
-             addr_string_fill(addr_string, n_ptr->addr));
+             tipc_addr_string_fill(addr_string, n_ptr->addr));
        /* Abort link changeover */
        for (i = 0; i < MAX_BEARERS; i++) {
@@ -602,7 +602,7 @@ u32 tipc_available_nodes(const u32 domain)
        read_lock_bh(&tipc_net_lock);
        for (n_ptr = tipc_nodes; n_ptr; n_ptr = n_ptr->next) {
-                if (!in_scope(domain, n_ptr->addr))
+                if (!tipc_in_scope(domain, n_ptr->addr))
                        continue;
                if (tipc_node_is_up(n_ptr))
                        cnt++;
@@ -651,7 +651,7 @@ struct sk_buff *tipc_node_get_nodes(const void *req_tlv_area, int req_tlv_space)
        /* Add TLVs for all nodes in scope */
        for (n_ptr = tipc_nodes; n_ptr; n_ptr = n_ptr->next) {
-                if (!in_scope(domain, n_ptr->addr))
+                if (!tipc_in_scope(domain, n_ptr->addr))
                        continue;
                node_info.addr = htonl(n_ptr->addr);
                node_info.up = htonl(tipc_node_is_up(n_ptr));
@@ -711,7 +711,7 @@ struct sk_buff *tipc_node_get_links(const void *req_tlv_area, int req_tlv_space)
        for (n_ptr = tipc_nodes; n_ptr; n_ptr = n_ptr->next) {
                u32 i;
-                if (!in_scope(domain, n_ptr->addr))
+                if (!tipc_in_scope(domain, n_ptr->addr))
                        continue;
                tipc_node_lock(n_ptr);
                for (i = 0; i < MAX_BEARERS; i++) {
diff --git a/net/tipc/port.c b/net/tipc/port.c
index e70d27ea6578..0737680e9266 100644
--- a/net/tipc/port.c
+++ b/net/tipc/port.c
@@ -116,7 +116,7 @@ int tipc_multicast(u32 ref, struct tipc_name_seq const *seq, u32 domain,
        msg_set_namelower(hdr, seq->lower);
        msg_set_nameupper(hdr, seq->upper);
        msg_set_hdr_sz(hdr, MCAST_H_SIZE);
-        res = msg_build(hdr, msg_sect, num_sect, MAX_MSG_SIZE,
+        res = tipc_msg_build(hdr, msg_sect, num_sect, MAX_MSG_SIZE,
                        !oport->user_port, &buf);
        if (unlikely(!buf))
                return res;
@@ -241,13 +241,12 @@ struct tipc_port *tipc_createport_raw(void *usr_handle,
        p_ptr->publ.max_pkt = MAX_PKT_DEFAULT;
        p_ptr->publ.ref = ref;
        msg = &p_ptr->publ.phdr;
-        msg_init(msg, importance, TIPC_NAMED_MSG, LONG_H_SIZE, 0);
+        tipc_msg_init(msg, importance, TIPC_NAMED_MSG, LONG_H_SIZE, 0);
        msg_set_origport(msg, ref);
        p_ptr->last_in_seqno = 41;
        p_ptr->sent = 1;
        INIT_LIST_HEAD(&p_ptr->wait_list);
        INIT_LIST_HEAD(&p_ptr->subscription.nodesub_list);
-        p_ptr->congested_link = NULL;
        p_ptr->dispatcher = dispatcher;
        p_ptr->wakeup = wakeup;
        p_ptr->user_port = NULL;
@@ -396,7 +395,7 @@ static struct sk_buff *port_build_proto_msg(u32 destport, u32 destnode,
        buf = buf_acquire(LONG_H_SIZE);
        if (buf) {
                msg = buf_msg(buf);
-                msg_init(msg, usr, type, LONG_H_SIZE, destnode);
+                tipc_msg_init(msg, usr, type, LONG_H_SIZE, destnode);
                msg_set_errcode(msg, err);
                msg_set_destport(msg, destport);
                msg_set_origport(msg, origport);
@@ -440,7 +439,7 @@ int tipc_reject_msg(struct sk_buff *buf, u32 err)
                return data_sz;
        }
        rmsg = buf_msg(rbuf);
-        msg_init(rmsg, imp, msg_type(msg), hdr_sz, msg_orignode(msg));
+        tipc_msg_init(rmsg, imp, msg_type(msg), hdr_sz, msg_orignode(msg));
        msg_set_errcode(rmsg, err);
        msg_set_destport(rmsg, msg_origport(msg));
        msg_set_origport(rmsg, msg_destport(msg));
@@ -481,7 +480,7 @@ int tipc_port_reject_sections(struct port *p_ptr, struct tipc_msg *hdr,
        struct sk_buff *buf;
        int res;
-        res = msg_build(hdr, msg_sect, num_sect, MAX_MSG_SIZE,
+        res = tipc_msg_build(hdr, msg_sect, num_sect, MAX_MSG_SIZE,
                        !p_ptr->user_port, &buf);
        if (!buf)
                return res;
@@ -1344,7 +1343,7 @@ int tipc_port_recv_sections(struct port *sender, unsigned int num_sect,
        struct sk_buff *buf;
        int res;
-        res = msg_build(&sender->publ.phdr, msg_sect, num_sect,
+        res = tipc_msg_build(&sender->publ.phdr, msg_sect, num_sect,
                        MAX_MSG_SIZE, !sender->user_port, &buf);
        if (likely(buf))
                tipc_port_recv_msg(buf);
@@ -1384,7 +1383,7 @@ int tipc_send(u32 ref, unsigned int num_sect, struct iovec const *msg_sect)
        if (port_unreliable(p_ptr)) {
                p_ptr->publ.congested = 0;
                /* Just calculate msg length and return */
-                return msg_calc_data_size(msg_sect, num_sect);
+                return tipc_msg_calc_data_size(msg_sect, num_sect);
        }
        return -ELINKCONG;
 }
@@ -1453,7 +1452,7 @@ int tipc_forward2name(u32 ref,
        struct port *p_ptr;
        struct tipc_msg *msg;
        u32 destnode = domain;
-        u32 destport = 0;
+        u32 destport;
        int res;
        p_ptr = tipc_port_deref(ref);
@@ -1467,7 +1466,7 @@ int tipc_forward2name(u32 ref,
        msg_set_hdr_sz(msg, LONG_H_SIZE);
        msg_set_nametype(msg, name->type);
        msg_set_nameinst(msg, name->instance);
-        msg_set_lookup_scope(msg, addr_scope(domain));
+        msg_set_lookup_scope(msg, tipc_addr_scope(domain));
        if (importance <= TIPC_CRITICAL_IMPORTANCE)
                msg_set_importance(msg,importance);
        destport = tipc_nametbl_translate(name->type, name->instance, &destnode);
@@ -1484,7 +1483,7 @@ int tipc_forward2name(u32 ref,
                        return res;
                if (port_unreliable(p_ptr)) {
                        /* Just calculate msg length and return */
-                        return msg_calc_data_size(msg_sect, num_sect);
+                        return tipc_msg_calc_data_size(msg_sect, num_sect);
                }
                return -ELINKCONG;
        }
@@ -1525,7 +1524,7 @@ int tipc_forward_buf2name(u32 ref,
        struct port *p_ptr;
        struct tipc_msg *msg;
        u32 destnode = domain;
-        u32 destport = 0;
+        u32 destport;
        int res;
        p_ptr = (struct port *)tipc_ref_deref(ref);
@@ -1540,7 +1539,7 @@ int tipc_forward_buf2name(u32 ref,
        msg_set_origport(msg, orig->ref);
        msg_set_nametype(msg, name->type);
        msg_set_nameinst(msg, name->instance);
-        msg_set_lookup_scope(msg, addr_scope(domain));
+        msg_set_lookup_scope(msg, tipc_addr_scope(domain));
        msg_set_hdr_sz(msg, LONG_H_SIZE);
        msg_set_size(msg, LONG_H_SIZE + dsz);
        destport = tipc_nametbl_translate(name->type, name->instance, &destnode);
@@ -1620,7 +1619,7 @@ int tipc_forward2port(u32 ref,
                return res;
        if (port_unreliable(p_ptr)) {
                /* Just calculate msg length and return */
-                return msg_calc_data_size(msg_sect, num_sect);
+                return tipc_msg_calc_data_size(msg_sect, num_sect);
        }
        return -ELINKCONG;
 }
diff --git a/net/tipc/port.h b/net/tipc/port.h
index ff31ee4a1dc3..8d1652aab298 100644
--- a/net/tipc/port.h
+++ b/net/tipc/port.h
@@ -75,7 +75,6 @@ struct user_port {
 * @wakeup: ptr to routine to call when port is no longer congested
 * @user_port: ptr to user port associated with port (if any)
 * @wait_list: adjacent ports in list of ports waiting on link congestion
- * @congested_link: ptr to congested link port is waiting on
 * @waiting_pkts:
 * @sent:
 * @acked:
@@ -95,7 +94,6 @@ struct port {
        void (*wakeup)(struct tipc_port *);
        struct user_port *user_port;
        struct list_head wait_list;
-        struct link *congested_link;
        u32 waiting_pkts;
        u32 sent;
        u32 acked;
diff --git a/net/wimax/op-rfkill.c b/net/wimax/op-rfkill.c
index e978c7136c97..2609e445fe7d 100644
--- a/net/wimax/op-rfkill.c
+++ b/net/wimax/op-rfkill.c
@@ -43,7 +43,7 @@
 *   wimax_rfkill()             Kernel calling wimax_rfkill()
 *     __wimax_rf_toggle_radio()
 *
- * wimax_rfkill_set_radio_block()  RF-Kill subsytem calling
+ * wimax_rfkill_set_radio_block()  RF-Kill subsystem calling
 *   __wimax_rf_toggle_radio()
 *
 * __wimax_rf_toggle_radio()
diff --git a/net/wimax/stack.c b/net/wimax/stack.c
index 62b1a6662209..ee99e7dfcdba 100644
--- a/net/wimax/stack.c
+++ b/net/wimax/stack.c
@@ -320,7 +320,6 @@ void __wimax_state_change(struct wimax_dev *wimax_dev, enum wimax_st new_state)
 out:
        d_fnend(3, dev, "(wimax_dev %p new_state %u [old %u]) = void\n",
                wimax_dev, new_state, old_state);
-        return;
 }
@@ -362,7 +361,6 @@ void wimax_state_change(struct wimax_dev *wimax_dev, enum wimax_st new_state)
        if (wimax_dev->state > __WIMAX_ST_NULL)
                __wimax_state_change(wimax_dev, new_state);
        mutex_unlock(&wimax_dev->mutex);
-        return;
 }
 EXPORT_SYMBOL_GPL(wimax_state_change);
diff --git a/net/wireless/chan.c b/net/wireless/chan.c
index bf1737fc9a7e..b01a6f6397d7 100644
--- a/net/wireless/chan.c
+++ b/net/wireless/chan.c
@@ -10,38 +10,6 @@
 #include "core.h"
 struct ieee80211_channel *
-rdev_fixed_channel(struct cfg80211_registered_device *rdev,
-                   struct wireless_dev *for_wdev)
-{
-        struct wireless_dev *wdev;
-        struct ieee80211_channel *result = NULL;
-        WARN_ON(!mutex_is_locked(&rdev->devlist_mtx));
-        list_for_each_entry(wdev, &rdev->netdev_list, list) {
-                if (wdev == for_wdev)
-                        continue;
-                /*
-                 * Lock manually to tell lockdep about allowed
-                 * nesting here if for_wdev->mtx is held already.
-                 * This is ok as it's all under the rdev devlist
-                 * mutex and as such can only be done once at any
-                 * given time.
-                 */
-                mutex_lock_nested(&wdev->mtx, SINGLE_DEPTH_NESTING);
-                if (wdev->current_bss)
-                        result = wdev->current_bss->pub.channel;
-                wdev_unlock(wdev);
-                if (result)
-                        break;
-        }
-        return result;
-}
-struct ieee80211_channel *
 rdev_freq_to_chan(struct cfg80211_registered_device *rdev,
                  int freq, enum nl80211_channel_type channel_type)
 {
@@ -75,15 +43,22 @@ rdev_freq_to_chan(struct cfg80211_registered_device *rdev,
        return chan;
 }
-int rdev_set_freq(struct cfg80211_registered_device *rdev,
+int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
-                  struct wireless_dev *for_wdev,
+                      struct wireless_dev *wdev, int freq,
-                  int freq, enum nl80211_channel_type channel_type)
+                      enum nl80211_channel_type channel_type)
 {
        struct ieee80211_channel *chan;
        int result;
-        if (rdev_fixed_channel(rdev, for_wdev))
+        if (wdev && wdev->iftype == NL80211_IFTYPE_MONITOR)
-                return -EBUSY;
+                wdev = NULL;
+        if (wdev) {
+                ASSERT_WDEV_LOCK(wdev);
+                if (!netif_running(wdev->netdev))
+                        return -ENETDOWN;
+        }
        if (!rdev->ops->set_channel)
                return -EOPNOTSUPP;
@@ -92,11 +67,14 @@ int rdev_set_freq(struct cfg80211_registered_device *rdev,
        if (!chan)
                return -EINVAL;
-        result = rdev->ops->set_channel(&rdev->wiphy, chan, channel_type);
+        result = rdev->ops->set_channel(&rdev->wiphy,
+                                        wdev ? wdev->netdev : NULL,
+                                        chan, channel_type);
        if (result)
                return result;
-        rdev->channel = chan;
+        if (wdev)
+                wdev->channel = chan;
        return 0;
 }
diff --git a/net/wireless/core.h b/net/wireless/core.h
index b2234b436ead..ae930acf75e9 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -70,9 +70,6 @@ struct cfg80211_registered_device {
        struct work_struct conn_work;
        struct work_struct event_work;
-        /* current channel */
-        struct ieee80211_channel *channel;
        /* must be last because of the way we do wiphy_priv(),
         * and it should at least be aligned to NETDEV_ALIGN */
        struct wiphy wiphy __attribute__((__aligned__(NETDEV_ALIGN)));
@@ -388,14 +385,11 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
 void cfg80211_process_rdev_events(struct cfg80211_registered_device *rdev);
 struct ieee80211_channel *
-rdev_fixed_channel(struct cfg80211_registered_device *rdev,
-                   struct wireless_dev *for_wdev);
-struct ieee80211_channel *
 rdev_freq_to_chan(struct cfg80211_registered_device *rdev,
                  int freq, enum nl80211_channel_type channel_type);
-int rdev_set_freq(struct cfg80211_registered_device *rdev,
+int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
-                  struct wireless_dev *for_wdev,
+                      struct wireless_dev *wdev, int freq,
-                  int freq, enum nl80211_channel_type channel_type);
+                      enum nl80211_channel_type channel_type);
 u16 cfg80211_calculate_bitrate(struct rate_info *rate);
diff --git a/net/wireless/ibss.c b/net/wireless/ibss.c
index 6a5acf750174..adcabba02e20 100644
--- a/net/wireless/ibss.c
+++ b/net/wireless/ibss.c
@@ -81,15 +81,10 @@ int __cfg80211_join_ibss(struct cfg80211_registered_device *rdev,
                         struct cfg80211_cached_keys *connkeys)
 {
        struct wireless_dev *wdev = dev->ieee80211_ptr;
-        struct ieee80211_channel *chan;
        int err;
        ASSERT_WDEV_LOCK(wdev);
-        chan = rdev_fixed_channel(rdev, wdev);
-        if (chan && chan != params->channel)
-                return -EBUSY;
        if (wdev->ssid_len)
                return -EALREADY;
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 01da83ddcff7..db71150b8040 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -589,6 +589,7 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
                i++;
                NLA_PUT_U32(msg, i, NL80211_CMD_SET_WIPHY_NETNS);
        }
+        CMD(set_channel, SET_CHANNEL);
 #undef CMD
@@ -689,10 +690,90 @@ static int parse_txq_params(struct nlattr *tb[],
        return 0;
 }
+static bool nl80211_can_set_dev_channel(struct wireless_dev *wdev)
+{
+        /*
+         * You can only set the channel explicitly for AP, mesh
+         * and WDS type interfaces; all others have their channel
+         * managed via their respective "establish a connection"
+         * command (connect, join, ...)
+         *
+         * Monitors are special as they are normally slaved to
+         * whatever else is going on, so they behave as though
+         * you tried setting the wiphy channel itself.
+         */
+        return !wdev ||
+                wdev->iftype == NL80211_IFTYPE_AP ||
+                wdev->iftype == NL80211_IFTYPE_WDS ||
+                wdev->iftype == NL80211_IFTYPE_MESH_POINT ||
+                wdev->iftype == NL80211_IFTYPE_MONITOR;
+}
+static int __nl80211_set_channel(struct cfg80211_registered_device *rdev,
+                                 struct wireless_dev *wdev,
+                                 struct genl_info *info)
+{
+        enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
+        u32 freq;
+        int result;
+        if (!info->attrs[NL80211_ATTR_WIPHY_FREQ])
+                return -EINVAL;
+        if (!nl80211_can_set_dev_channel(wdev))
+                return -EOPNOTSUPP;
+        if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
+                channel_type = nla_get_u32(info->attrs[
+                                   NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
+                if (channel_type != NL80211_CHAN_NO_HT &&
+                    channel_type != NL80211_CHAN_HT20 &&
+                    channel_type != NL80211_CHAN_HT40PLUS &&
+                    channel_type != NL80211_CHAN_HT40MINUS)
+                        return -EINVAL;
+        }
+        freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
+        mutex_lock(&rdev->devlist_mtx);
+        if (wdev) {
+                wdev_lock(wdev);
+                result = cfg80211_set_freq(rdev, wdev, freq, channel_type);
+                wdev_unlock(wdev);
+        } else {
+                result = cfg80211_set_freq(rdev, NULL, freq, channel_type);
+        }
+        mutex_unlock(&rdev->devlist_mtx);
+        return result;
+}
+static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev;
+        struct net_device *netdev;
+        int result;
+        rtnl_lock();
+        result = get_rdev_dev_by_info_ifindex(info, &rdev, &netdev);
+        if (result)
+                goto unlock;
+        result = __nl80211_set_channel(rdev, netdev->ieee80211_ptr, info);
+ unlock:
+        rtnl_unlock();
+        return result;
+}
 static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
 {
        struct cfg80211_registered_device *rdev;
-        int result = 0, rem_txq_params = 0;
+        struct net_device *netdev = NULL;
+        struct wireless_dev *wdev;
+        int result, rem_txq_params = 0;
        struct nlattr *nl_txq_params;
        u32 changed;
        u8 retry_short = 0, retry_long = 0;
@@ -701,16 +782,50 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
        rtnl_lock();
+        /*
+         * Try to find the wiphy and netdev. Normally this
+         * function shouldn't need the netdev, but this is
+         * done for backward compatibility -- previously
+         * setting the channel was done per wiphy, but now
+         * it is per netdev. Previous userland like hostapd
+         * also passed a netdev to set_wiphy, so that it is
+         * possible to let that go to the right netdev!
+         */
        mutex_lock(&cfg80211_mutex);
-        rdev = __cfg80211_rdev_from_info(info);
+        if (info->attrs[NL80211_ATTR_IFINDEX]) {
-        if (IS_ERR(rdev)) {
+                int ifindex = nla_get_u32(info->attrs[NL80211_ATTR_IFINDEX]);
-                mutex_unlock(&cfg80211_mutex);
-                result = PTR_ERR(rdev);
+                netdev = dev_get_by_index(genl_info_net(info), ifindex);
-                goto unlock;
+                if (netdev && netdev->ieee80211_ptr) {
+                        rdev = wiphy_to_dev(netdev->ieee80211_ptr->wiphy);
+                        mutex_lock(&rdev->mtx);
+                } else
+                        netdev = NULL;
        }
-        mutex_lock(&rdev->mtx);
+        if (!netdev) {
+                rdev = __cfg80211_rdev_from_info(info);
+                if (IS_ERR(rdev)) {
+                        mutex_unlock(&cfg80211_mutex);
+                        result = PTR_ERR(rdev);
+                        goto unlock;
+                }
+                wdev = NULL;
+                netdev = NULL;
+                result = 0;
+                mutex_lock(&rdev->mtx);
+        } else if (netif_running(netdev) &&
+                   nl80211_can_set_dev_channel(netdev->ieee80211_ptr))
+                wdev = netdev->ieee80211_ptr;
+        else
+                wdev = NULL;
+        /*
+         * end workaround code, by now the rdev is available
+         * and locked, and wdev may or may not be NULL.
+         */
        if (info->attrs[NL80211_ATTR_WIPHY_NAME])
                result = cfg80211_dev_rename(
@@ -749,26 +864,7 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
        }
        if (info->attrs[NL80211_ATTR_WIPHY_FREQ]) {
-                enum nl80211_channel_type channel_type = NL80211_CHAN_NO_HT;
+                result = __nl80211_set_channel(rdev, wdev, info);
-                u32 freq;
-                result = -EINVAL;
-                if (info->attrs[NL80211_ATTR_WIPHY_CHANNEL_TYPE]) {
-                        channel_type = nla_get_u32(info->attrs[
-                                           NL80211_ATTR_WIPHY_CHANNEL_TYPE]);
-                        if (channel_type != NL80211_CHAN_NO_HT &&
-                            channel_type != NL80211_CHAN_HT20 &&
-                            channel_type != NL80211_CHAN_HT40PLUS &&
-                            channel_type != NL80211_CHAN_HT40MINUS)
-                                goto bad_res;
-                }
-                freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
-                mutex_lock(&rdev->devlist_mtx);
-                result = rdev_set_freq(rdev, NULL, freq, channel_type);
-                mutex_unlock(&rdev->devlist_mtx);
                if (result)
                        goto bad_res;
        }
@@ -865,6 +961,8 @@ static int nl80211_set_wiphy(struct sk_buff *skb, struct genl_info *info)
 bad_res:
        mutex_unlock(&rdev->mtx);
+        if (netdev)
+                dev_put(netdev);
 unlock:
        rtnl_unlock();
        return result;
@@ -3562,9 +3660,8 @@ static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
 {
        struct cfg80211_registered_device *rdev;
        struct net_device *dev;
-        struct wireless_dev *wdev;
        struct cfg80211_crypto_settings crypto;
-        struct ieee80211_channel *chan, *fixedchan;
+        struct ieee80211_channel *chan;
        const u8 *bssid, *ssid, *ie = NULL, *prev_bssid = NULL;
        int err, ssid_len, ie_len = 0;
        bool use_mfp = false;
@@ -3607,16 +3704,6 @@ static int nl80211_associate(struct sk_buff *skb, struct genl_info *info)
                goto out;
        }
-        mutex_lock(&rdev->devlist_mtx);
-        wdev = dev->ieee80211_ptr;
-        fixedchan = rdev_fixed_channel(rdev, wdev);
-        if (fixedchan && chan != fixedchan) {
-                err = -EBUSY;
-                mutex_unlock(&rdev->devlist_mtx);
-                goto out;
-        }
-        mutex_unlock(&rdev->devlist_mtx);
        ssid = nla_data(info->attrs[NL80211_ATTR_SSID]);
        ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]);
@@ -4356,9 +4443,10 @@ static int nl80211_remain_on_channel(struct sk_buff *skb,
                if (channel_type != NL80211_CHAN_NO_HT &&
                    channel_type != NL80211_CHAN_HT20 &&
                    channel_type != NL80211_CHAN_HT40PLUS &&
-                    channel_type != NL80211_CHAN_HT40MINUS)
+                    channel_type != NL80211_CHAN_HT40MINUS) {
                        err = -EINVAL;
                        goto out;
+                }
        }
        freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
@@ -4630,9 +4718,10 @@ static int nl80211_action(struct sk_buff *skb, struct genl_info *info)
                if (channel_type != NL80211_CHAN_NO_HT &&
                    channel_type != NL80211_CHAN_HT20 &&
                    channel_type != NL80211_CHAN_HT40PLUS &&
-                    channel_type != NL80211_CHAN_HT40MINUS)
+                    channel_type != NL80211_CHAN_HT40MINUS) {
                        err = -EINVAL;
                        goto out;
+                }
        }
        freq = nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ]);
@@ -5186,6 +5275,12 @@ static struct genl_ops nl80211_ops[] = {
                .policy = nl80211_policy,
                .flags = GENL_ADMIN_PERM,
        },
+        {
+                .cmd = NL80211_CMD_SET_CHANNEL,
+                .doit = nl80211_set_channel,
+                .policy = nl80211_policy,
+                .flags = GENL_ADMIN_PERM,
+        },
 };
 static struct genl_multicast_group nl80211_mlme_mcgrp = {
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index a026c6d56bd3..58401d246bda 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -515,7 +515,7 @@ cfg80211_inform_bss(struct wiphy *wiphy,
        privsz = wiphy->bss_priv_size;
-        if (WARN_ON(wiphy->signal_type == NL80211_BSS_SIGNAL_UNSPEC &&
+        if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
                        (signal < 0 || signal > 100)))
                return NULL;
@@ -571,7 +571,7 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy,
                                      u.probe_resp.variable);
        size_t privsz = wiphy->bss_priv_size;
-        if (WARN_ON(wiphy->signal_type == NL80211_BSS_SIGNAL_UNSPEC &&
+        if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
                    (signal < 0 || signal > 100)))
                return NULL;
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 8ddf5ae0dd03..72222f0074db 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -741,7 +741,6 @@ int __cfg80211_connect(struct cfg80211_registered_device *rdev,
                       const u8 *prev_bssid)
 {
        struct wireless_dev *wdev = dev->ieee80211_ptr;
-        struct ieee80211_channel *chan;
        struct cfg80211_bss *bss = NULL;
        int err;
@@ -750,10 +749,6 @@ int __cfg80211_connect(struct cfg80211_registered_device *rdev,
        if (wdev->sme_state != CFG80211_SME_IDLE)
                return -EALREADY;
-        chan = rdev_fixed_channel(rdev, wdev);
-        if (chan && chan != connect->channel)
-                return -EBUSY;
        if (WARN_ON(wdev->connect_keys)) {
                kfree(wdev->connect_keys);
                wdev->connect_keys = NULL;
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index a60a2773b497..96342993cf93 100644
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -782,16 +782,22 @@ int cfg80211_wext_siwfreq(struct net_device *dev,
                return cfg80211_mgd_wext_siwfreq(dev, info, wextfreq, extra);
        case NL80211_IFTYPE_ADHOC:
                return cfg80211_ibss_wext_siwfreq(dev, info, wextfreq, extra);
-        default:
+        case NL80211_IFTYPE_MONITOR:
+        case NL80211_IFTYPE_WDS:
+        case NL80211_IFTYPE_MESH_POINT:
                freq = cfg80211_wext_freq(wdev->wiphy, wextfreq);
                if (freq < 0)
                        return freq;
                if (freq == 0)
                        return -EINVAL;
+                wdev_lock(wdev);
                mutex_lock(&rdev->devlist_mtx);
-                err = rdev_set_freq(rdev, NULL, freq, NL80211_CHAN_NO_HT);
+                err = cfg80211_set_freq(rdev, wdev, freq, NL80211_CHAN_NO_HT);
                mutex_unlock(&rdev->devlist_mtx);
+                wdev_unlock(wdev);
                return err;
+        default:
+                return -EOPNOTSUPP;
        }
 }
 EXPORT_SYMBOL_GPL(cfg80211_wext_siwfreq);
@@ -801,7 +807,6 @@ int cfg80211_wext_giwfreq(struct net_device *dev,
                          struct iw_freq *freq, char *extra)
 {
        struct wireless_dev *wdev = dev->ieee80211_ptr;
-        struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
        switch (wdev->iftype) {
        case NL80211_IFTYPE_STATION:
@@ -809,9 +814,9 @@ int cfg80211_wext_giwfreq(struct net_device *dev,
        case NL80211_IFTYPE_ADHOC:
                return cfg80211_ibss_wext_giwfreq(dev, info, freq, extra);
        default:
-                if (!rdev->channel)
+                if (!wdev->channel)
                        return -EINVAL;
-                freq->m = rdev->channel->center_freq;
+                freq->m = wdev->channel->center_freq;
                freq->e = 6;
                return 0;
        }
diff --git a/net/wireless/wext-sme.c b/net/wireless/wext-sme.c
index d5c6140f4cb8..9818198add8a 100644
--- a/net/wireless/wext-sme.c
+++ b/net/wireless/wext-sme.c
@@ -108,7 +108,7 @@ int cfg80211_mgd_wext_siwfreq(struct net_device *dev,
        /* SSID is not set, we just want to switch channel */
        if (chan && !wdev->wext.connect.ssid_len) {
-                err = rdev_set_freq(rdev, wdev, freq, NL80211_CHAN_NO_HT);
+                err = cfg80211_set_freq(rdev, wdev, freq, NL80211_CHAN_NO_HT);
                goto out;
        }
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 296e65e01064..5e86d4e97dce 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -453,7 +453,6 @@ static int x25_setsockopt(struct socket *sock, int level, int optname,
        struct sock *sk = sock->sk;
        int rc = -ENOPROTOOPT;
-        lock_kernel();
        if (level != SOL_X25 || optname != X25_QBITINCL)
                goto out;
@@ -465,10 +464,12 @@ static int x25_setsockopt(struct socket *sock, int level, int optname,
        if (get_user(opt, (int __user *)optval))
                goto out;
-        x25_sk(sk)->qbitincl = !!opt;
+        if (opt)
+                set_bit(X25_Q_BIT_FLAG, &x25_sk(sk)->flags);
+        else
+                clear_bit(X25_Q_BIT_FLAG, &x25_sk(sk)->flags);
        rc = 0;
 out:
-        unlock_kernel();
        return rc;
 }
@@ -478,7 +479,6 @@ static int x25_getsockopt(struct socket *sock, int level, int optname,
        struct sock *sk = sock->sk;
        int val, len, rc = -ENOPROTOOPT;
-        lock_kernel();
        if (level != SOL_X25 || optname != X25_QBITINCL)
                goto out;
@@ -496,10 +496,9 @@ static int x25_getsockopt(struct socket *sock, int level, int optname,
        if (put_user(len, optlen))
                goto out;
-        val = x25_sk(sk)->qbitincl;
+        val = test_bit(X25_Q_BIT_FLAG, &x25_sk(sk)->flags);
        rc = copy_to_user(optval, &val, len) ? -EFAULT : 0;
 out:
-        unlock_kernel();
        return rc;
 }
@@ -583,7 +582,7 @@ static int x25_create(struct net *net, struct socket *sock, int protocol,
        x25->t2    = sysctl_x25_ack_holdback_timeout;
        x25->state = X25_STATE_0;
        x25->cudmatchlength = 0;
-        x25->accptapprv = X25_DENY_ACCPT_APPRV;         /* normally no cud  */
+        set_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);     /* normally no cud  */
                                                        /* on call accept   */
        x25->facilities.winsize_in  = X25_DEFAULT_WINDOW_SIZE;
@@ -632,12 +631,12 @@ static struct sock *x25_make_new(struct sock *osk)
        x25->t22        = ox25->t22;
        x25->t23        = ox25->t23;
        x25->t2         = ox25->t2;
+        x25->flags      = ox25->flags;
        x25->facilities = ox25->facilities;
-        x25->qbitincl   = ox25->qbitincl;
        x25->dte_facilities = ox25->dte_facilities;
        x25->cudmatchlength = ox25->cudmatchlength;
-        x25->accptapprv = ox25->accptapprv;
+        clear_bit(X25_INTERRUPT_FLAG, &x25->flags);
        x25_init_timers(sk);
 out:
        return sk;
@@ -1053,8 +1052,8 @@ int x25_rx_call_request(struct sk_buff *skb, struct x25_neigh *nb,
        makex25->vc_facil_mask &= ~X25_MASK_CALLING_AE;
        makex25->cudmatchlength = x25_sk(sk)->cudmatchlength;
-        /* Normally all calls are accepted immediatly */
+        /* Normally all calls are accepted immediately */
-        if(makex25->accptapprv & X25_DENY_ACCPT_APPRV) {
+        if (test_bit(X25_ACCPT_APPRV_FLAG, &makex25->flags)) {
                x25_write_internal(make, X25_CALL_ACCEPTED);
                makex25->state = X25_STATE_3;
        }
@@ -1186,7 +1185,7 @@ static int x25_sendmsg(struct kiocb *iocb, struct socket *sock,
         *      If the Q BIT Include socket option is in force, the first
         *      byte of the user data is the logical value of the Q Bit.
         */
-        if (x25->qbitincl) {
+        if (test_bit(X25_Q_BIT_FLAG, &x25->flags)) {
                qbit = skb->data[0];
                skb_pull(skb, 1);
        }
@@ -1242,7 +1241,7 @@ static int x25_sendmsg(struct kiocb *iocb, struct socket *sock,
                len = rc;
                if (rc < 0)
                        kfree_skb(skb);
-                else if (x25->qbitincl)
+                else if (test_bit(X25_Q_BIT_FLAG, &x25->flags))
                        len++;
        }
@@ -1307,7 +1306,7 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock,
                /*
                 *      No Q bit information on Interrupt data.
                 */
-                if (x25->qbitincl) {
+                if (test_bit(X25_Q_BIT_FLAG, &x25->flags)) {
                        asmptr  = skb_push(skb, 1);
                        *asmptr = 0x00;
                }
@@ -1325,7 +1324,7 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock,
                skb_pull(skb, x25->neighbour->extended ?
                                X25_EXT_MIN_LEN : X25_STD_MIN_LEN);
-                if (x25->qbitincl) {
+                if (test_bit(X25_Q_BIT_FLAG, &x25->flags)) {
                        asmptr  = skb_push(skb, 1);
                        *asmptr = qbit;
                }
@@ -1576,7 +1575,7 @@ static int x25_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
                        rc = -EINVAL;
                        if (sk->sk_state != TCP_CLOSE)
                                break;
-                        x25->accptapprv = X25_ALLOW_ACCPT_APPRV;
+                        clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
                        rc = 0;
                        break;
                }
@@ -1585,7 +1584,8 @@ static int x25_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
                        rc = -EINVAL;
                        if (sk->sk_state != TCP_ESTABLISHED)
                                break;
-                        if (x25->accptapprv)    /* must call accptapprv above */
+                        /* must call accptapprv above */
+                        if (test_bit(X25_ACCPT_APPRV_FLAG, &x25->flags))
                                break;
                        x25_write_internal(sk, X25_CALL_ACCEPTED);
                        x25->state = X25_STATE_3;
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index 372ac226e648..63178961efac 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -273,7 +273,7 @@ static int x25_state3_machine(struct sock *sk, struct sk_buff *skb, int frametyp
                        break;
                case X25_INTERRUPT_CONFIRMATION:
-                        x25->intflag = 0;
+                        clear_bit(X25_INTERRUPT_FLAG, &x25->flags);
                        break;
                case X25_INTERRUPT:
diff --git a/net/x25/x25_out.c b/net/x25/x25_out.c
index 52351a26b6fc..d00649fb251d 100644
--- a/net/x25/x25_out.c
+++ b/net/x25/x25_out.c
@@ -148,8 +148,9 @@ void x25_kick(struct sock *sk)
        /*
         *      Transmit interrupt data.
         */
-        if (!x25->intflag && skb_peek(&x25->interrupt_out_queue) != NULL) {
+        if (skb_peek(&x25->interrupt_out_queue) != NULL &&
-                x25->intflag = 1;
+                !test_and_set_bit(X25_INTERRUPT_FLAG, &x25->flags)) {
                skb = skb_dequeue(&x25->interrupt_out_queue);
                x25_transmit_link(skb, x25->neighbour);
        }
diff --git a/net/xfrm/xfrm_hash.h b/net/xfrm/xfrm_hash.h
index 1396572d2ade..8e69533d2313 100644
--- a/net/xfrm/xfrm_hash.h
+++ b/net/xfrm/xfrm_hash.h
@@ -55,7 +55,7 @@ static inline unsigned __xfrm_src_hash(xfrm_address_t *daddr,
        case AF_INET6:
                h ^= __xfrm6_daddr_saddr_hash(daddr, saddr);
                break;
-        };
+        }
        return (h ^ (h >> 16)) & hmask;
 }
@@ -102,7 +102,7 @@ static inline unsigned int __sel_hash(struct xfrm_selector *sel, unsigned short
                h = __xfrm6_daddr_saddr_hash(daddr, saddr);
                break;
-        };
+        }
        h ^= (h >> 16);
        return h & hmask;
 }
@@ -119,7 +119,7 @@ static inline unsigned int __addr_hash(xfrm_address_t *daddr, xfrm_address_t *sa
        case AF_INET6:
                h = __xfrm6_daddr_saddr_hash(daddr, saddr);
                break;
-        };
+        }
        h ^= (h >> 16);
        return h & hmask;
 }
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 6a329158bdfa..a3cca0a94346 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -95,13 +95,13 @@ resume:
                        goto error_nolock;
                }
-                dst = dst_pop(dst);
+                dst = skb_dst_pop(skb);
                if (!dst) {
                        XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
                        err = -EHOSTUNREACH;
                        goto error_nolock;
                }
-                skb_dst_set(skb, dst);
+                skb_dst_set_noref(skb, dst);
                x = dst->xfrm;
        } while (x && !(x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL));
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 31f4ba43b48f..4bf27d901333 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1805,7 +1805,7 @@ restart:
                        /* EREMOTE tells the caller to generate
                         * a one-shot blackhole route. */
                        dst_release(dst);
-                        xfrm_pols_put(pols, num_pols);
+                        xfrm_pols_put(pols, drop_pols);
                        XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
                        return -EREMOTE;
                }
@@ -2153,6 +2153,7 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
                return 0;
        }
+        skb_dst_force(skb);
        dst = skb_dst(skb);
        res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0;
@@ -2209,7 +2210,6 @@ EXPORT_SYMBOL(xfrm_dst_ifdown);
 static void xfrm_link_failure(struct sk_buff *skb)
 {
        /* Impossible. Such dst must be popped before reaches point of failure. */
-        return;
 }
 static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index a267fbdda525..ba59983aaffe 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1783,7 +1783,7 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
        } else {
                // reset the timers here?
-                printk("Dont know what to do with soft policy expire\n");
+                WARN(1, "Dont know what to do with soft policy expire\n");
        }
        km_policy_expired(xp, p->dir, up->hard, current->pid);
@@ -1883,7 +1883,7 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
        return 0;
 bad_policy:
-        printk("BAD policy passed\n");
+        WARN(1, "BAD policy passed\n");
 free_state:
        kfree(x);
 nomem:
@@ -2385,8 +2385,9 @@ static int xfrm_send_state_notify(struct xfrm_state *x, struct km_event *c)
        case XFRM_MSG_FLUSHSA:
                return xfrm_notify_sa_flush(c);
        default:
-                 printk("xfrm_user: Unknown SA event %d\n", c->event);
+                printk(KERN_NOTICE "xfrm_user: Unknown SA event %d\n",
-                 break;
+                       c->event);
+                break;
        }
        return 0;
@@ -2676,7 +2677,8 @@ static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, struct km_ev
        case XFRM_MSG_POLEXPIRE:
                return xfrm_exp_policy_notify(xp, dir, c);
        default:
-                printk("xfrm_user: Unknown Policy event %d\n", c->event);
+                printk(KERN_NOTICE "xfrm_user: Unknown Policy event %d\n",
+                       c->event);
        }
        return 0;