52 files changed, 432 insertions, 221 deletions

diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index 0eb96f7e44be..2dcff0be8acb 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -43,6 +43,9 @@ int vlan_hwaccel_do_receive(struct sk_buff *skb)
         struct net_device *dev = skb->dev;
         struct vlan_rx_stats     *rx_stats;
 
+        if (unlikely(!is_vlan_dev(dev)))
+                return 0;
+
         skb->dev = vlan_dev_info(dev)->real_dev;
         netif_nit_deliver(skb);
 
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index cfdfd7e2a172..6e2371a493b7 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1392,6 +1392,7 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
         ax25_cb *ax25;
         int err = 0;
 
+        memset(fsa, 0, sizeof(fsa));
         lock_sock(sk);
         ax25 = ax25_sk(sk);
 
@@ -1403,7 +1404,6 @@ static int ax25_getname(struct socket *sock, struct sockaddr *uaddr,
 
                 fsa->fsa_ax25.sax25_family = AF_AX25;
                 fsa->fsa_ax25.sax25_call   = ax25->dest_addr;
-                fsa->fsa_ax25.sax25_ndigis = 0;
 
                 if (ax25->digipeat != NULL) {
                         ndigi = ax25->digipeat->ndigi;
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 0b54b7dd8401..dc6020570a32 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -2891,7 +2891,7 @@ static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hd
         struct l2cap_chan_list *list = &conn->chan_list;
         struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
         struct l2cap_conn_rsp rsp;
-        struct sock *parent, *uninitialized_var(sk);
+        struct sock *parent, *sk = NULL;
         int result, status = L2CAP_CS_NO_INFO;
 
         u16 dcid = 0, scid = __le16_to_cpu(req->scid);
@@ -3000,7 +3000,7 @@ sendresp:
                                         L2CAP_INFO_REQ, sizeof(info), &info);
         }
 
-        if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
+        if (sk && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
                                 result == L2CAP_CR_SUCCESS) {
                 u8 buf[128];
                 l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index eb5b256ffc88..f19e347f56f6 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -437,7 +437,7 @@ static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br,
         ip6h = ipv6_hdr(skb);
 
         *(__force __be32 *)ip6h = htonl(0x60000000);
-        ip6h->payload_len = 8 + sizeof(*mldq);
+        ip6h->payload_len = htons(8 + sizeof(*mldq));
         ip6h->nexthdr = IPPROTO_HOPOPTS;
         ip6h->hop_limit = 1;
         ipv6_addr_set(&ip6h->saddr, 0, 0, 0, 0);
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 08ffe9e4be20..6faa8256e10c 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -125,7 +125,7 @@ struct bcm_sock {
         struct list_head tx_ops;
         unsigned long dropped_usr_msgs;
         struct proc_dir_entry *bcm_proc_read;
-        char procname [9]; /* pointer printed in ASCII with \0 */
+        char procname [20]; /* pointer printed in ASCII with \0 */
 };
 
 static inline struct bcm_sock *bcm_sk(const struct sock *sk)
diff --git a/net/compat.c b/net/compat.c
index 63d260e81472..3649d5895361 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -41,10 +41,12 @@ static inline int iov_from_user_compat_to_kern(struct iovec *kiov,
                 compat_size_t len;
 
                 if (get_user(len, &uiov32->iov_len) ||
-                   get_user(buf, &uiov32->iov_base)) {
-                        tot_len = -EFAULT;
-                        break;
-                }
+                    get_user(buf, &uiov32->iov_base))
+                        return -EFAULT;
+
+                if (len > INT_MAX - tot_len)
+                        len = INT_MAX - tot_len;
+
                 tot_len += len;
                 kiov->iov_base = compat_ptr(buf);
                 kiov->iov_len = (__kernel_size_t) len;
diff --git a/net/core/dev.c b/net/core/dev.c
index 660dd41aaaa6..1dad6c0926f2 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1648,10 +1648,10 @@ EXPORT_SYMBOL(netif_device_attach);
 
 static bool can_checksum_protocol(unsigned long features, __be16 protocol)
 {
-        return ((features & NETIF_F_GEN_CSUM) ||
-                ((features & NETIF_F_IP_CSUM) &&
+        return ((features & NETIF_F_NO_CSUM) ||
+                ((features & NETIF_F_V4_CSUM) &&
                  protocol == htons(ETH_P_IP)) ||
-                ((features & NETIF_F_IPV6_CSUM) &&
+                ((features & NETIF_F_V6_CSUM) &&
                  protocol == htons(ETH_P_IPV6)) ||
                 ((features & NETIF_F_FCOE_CRC) &&
                  protocol == htons(ETH_P_FCOE)));
@@ -2891,6 +2891,15 @@ static int __netif_receive_skb(struct sk_buff *skb)
 ncls:
 #endif
 
+        /* If we got this far with a hardware accelerated VLAN tag, it means
+         * that we were put in promiscuous mode but nobody is interested in
+         * this vid. Drop the packet now to prevent it from getting propagated
+         * to other parts of the stack that won't know how to deal with packets
+         * tagged in this manner.
+         */
+        if (unlikely(vlan_tx_tag_present(skb)))
+                goto bypass;
+
         /* Handle special case of bridge or macvlan */
         rx_handler = rcu_dereference(skb->dev->rx_handler);
         if (rx_handler) {
@@ -2927,6 +2936,7 @@ ncls:
                 }
         }
 
+bypass:
         if (pt_prev) {
                 ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
         } else {
diff --git a/net/core/dst.c b/net/core/dst.c
index 6c41b1fac3db..2844639dfb79 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -343,6 +343,7 @@ static int dst_dev_event(struct notifier_block *this, unsigned long event,
 
 static struct notifier_block dst_dev_notifier = {
         .notifier_call  = dst_dev_event,
+        .priority = -10, /* must be called after other network notifiers */
 };
 
 void __init dst_init(void)
diff --git a/net/core/filter.c b/net/core/filter.c
index 52b051f82a01..71a433cdf7d3 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -112,39 +112,41 @@ EXPORT_SYMBOL(sk_filter);
  */
 unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int flen)
 {
-        struct sock_filter *fentry;     /* We walk down these */
         void *ptr;
         u32 A = 0;                      /* Accumulator */
         u32 X = 0;                      /* Index Register */
         u32 mem[BPF_MEMWORDS];          /* Scratch Memory Store */
+        unsigned long memvalid = 0;
         u32 tmp;
         int k;
         int pc;
 
+        BUILD_BUG_ON(BPF_MEMWORDS > BITS_PER_LONG);
         /*
          * Process array of filter instructions.
          */
         for (pc = 0; pc < flen; pc++) {
-                fentry = &filter[pc];
+                const struct sock_filter *fentry = &filter[pc];
+                u32 f_k = fentry->k;
 
                 switch (fentry->code) {
                 case BPF_S_ALU_ADD_X:
                         A += X;
                         continue;
                 case BPF_S_ALU_ADD_K:
-                        A += fentry->k;
+                        A += f_k;
                         continue;
                 case BPF_S_ALU_SUB_X:
                         A -= X;
                         continue;
                 case BPF_S_ALU_SUB_K:
-                        A -= fentry->k;
+                        A -= f_k;
                         continue;
                 case BPF_S_ALU_MUL_X:
                         A *= X;
                         continue;
                 case BPF_S_ALU_MUL_K:
-                        A *= fentry->k;
+                        A *= f_k;
                         continue;
                 case BPF_S_ALU_DIV_X:
                         if (X == 0)
@@ -152,49 +154,49 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int
                         A /= X;
                         continue;
                 case BPF_S_ALU_DIV_K:
-                        A /= fentry->k;
+                        A /= f_k;
                         continue;
                 case BPF_S_ALU_AND_X:
                         A &= X;
                         continue;
                 case BPF_S_ALU_AND_K:
-                        A &= fentry->k;
+                        A &= f_k;
                         continue;
                 case BPF_S_ALU_OR_X:
                         A |= X;
                         continue;
                 case BPF_S_ALU_OR_K:
-                        A |= fentry->k;
+                        A |= f_k;
                         continue;
                 case BPF_S_ALU_LSH_X:
                         A <<= X;
                         continue;
                 case BPF_S_ALU_LSH_K:
-                        A <<= fentry->k;
+                        A <<= f_k;
                         continue;
                 case BPF_S_ALU_RSH_X:
                         A >>= X;
                         continue;
                 case BPF_S_ALU_RSH_K:
-                        A >>= fentry->k;
+                        A >>= f_k;
                         continue;
                 case BPF_S_ALU_NEG:
                         A = -A;
                         continue;
                 case BPF_S_JMP_JA:
-                        pc += fentry->k;
+                        pc += f_k;
                         continue;
                 case BPF_S_JMP_JGT_K:
-                        pc += (A > fentry->k) ? fentry->jt : fentry->jf;
+                        pc += (A > f_k) ? fentry->jt : fentry->jf;
                         continue;
                 case BPF_S_JMP_JGE_K:
-                        pc += (A >= fentry->k) ? fentry->jt : fentry->jf;
+                        pc += (A >= f_k) ? fentry->jt : fentry->jf;
                         continue;
                 case BPF_S_JMP_JEQ_K:
-                        pc += (A == fentry->k) ? fentry->jt : fentry->jf;
+                        pc += (A == f_k) ? fentry->jt : fentry->jf;
                         continue;
                 case BPF_S_JMP_JSET_K:
-                        pc += (A & fentry->k) ? fentry->jt : fentry->jf;
+                        pc += (A & f_k) ? fentry->jt : fentry->jf;
                         continue;
                 case BPF_S_JMP_JGT_X:
                         pc += (A > X) ? fentry->jt : fentry->jf;
@@ -209,7 +211,7 @@ unsigned int sk_run_filter(struct sk_buff *skb, struct sock_filter *filter, int
                         pc += (A & X) ? fentry->jt : fentry->jf;
                         continue;
                 case BPF_S_LD_W_ABS:
-                        k = fentry->k;
+                        k = f_k;
 load_w:
                         ptr = load_pointer(skb, k, 4, &tmp);
                         if (ptr != NULL) {
@@ -218,7 +220,7 @@ load_w:
                         }
                         break;
                 case BPF_S_LD_H_ABS:
-                        k = fentry->k;
+                        k = f_k;
 load_h:
                         ptr = load_pointer(skb, k, 2, &tmp);
                         if (ptr != NULL) {
@@ -227,7 +229,7 @@ load_h:
                         }
                         break;
                 case BPF_S_LD_B_ABS:
-                        k = fentry->k;
+                        k = f_k;
 load_b:
                         ptr = load_pointer(skb, k, 1, &tmp);
                         if (ptr != NULL) {
@@ -242,32 +244,34 @@ load_b:
                         X = skb->len;
                         continue;
                 case BPF_S_LD_W_IND:
-                        k = X + fentry->k;
+                        k = X + f_k;
                         goto load_w;
                 case BPF_S_LD_H_IND:
-                        k = X + fentry->k;
+                        k = X + f_k;
                         goto load_h;
                 case BPF_S_LD_B_IND:
-                        k = X + fentry->k;
+                        k = X + f_k;
                         goto load_b;
                 case BPF_S_LDX_B_MSH:
-                        ptr = load_pointer(skb, fentry->k, 1, &tmp);
+                        ptr = load_pointer(skb, f_k, 1, &tmp);
                         if (ptr != NULL) {
                                 X = (*(u8 *)ptr & 0xf) << 2;
                                 continue;
                         }
                         return 0;
                 case BPF_S_LD_IMM:
-                        A = fentry->k;
+                        A = f_k;
                         continue;
                 case BPF_S_LDX_IMM:
-                        X = fentry->k;
+                        X = f_k;
                         continue;
                 case BPF_S_LD_MEM:
-                        A = mem[fentry->k];
+                        A = (memvalid & (1UL << f_k)) ?
+                                mem[f_k] : 0;
                         continue;
                 case BPF_S_LDX_MEM:
-                        X = mem[fentry->k];
+                        X = (memvalid & (1UL << f_k)) ?
+                                mem[f_k] : 0;
                         continue;
                 case BPF_S_MISC_TAX:
                         X = A;
@@ -276,14 +280,16 @@ load_b:
                         A = X;
                         continue;
                 case BPF_S_RET_K:
-                        return fentry->k;
+                        return f_k;
                 case BPF_S_RET_A:
                         return A;
                 case BPF_S_ST:
-                        mem[fentry->k] = A;
+                        memvalid |= 1UL << f_k;
+                        mem[f_k] = A;
                         continue;
                 case BPF_S_STX:
-                        mem[fentry->k] = X;
+                        memvalid |= 1UL << f_k;
+                        mem[f_k] = X;
                         continue;
                 default:
                         WARN_ON(1);
@@ -583,23 +589,16 @@ int sk_chk_filter(struct sock_filter *filter, int flen)
 EXPORT_SYMBOL(sk_chk_filter);
 
 /**
- *      sk_filter_rcu_release: Release a socket filter by rcu_head
+ *      sk_filter_release_rcu - Release a socket filter by rcu_head
  *      @rcu: rcu_head that contains the sk_filter to free
  */
-static void sk_filter_rcu_release(struct rcu_head *rcu)
+void sk_filter_release_rcu(struct rcu_head *rcu)
 {
         struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu);
 
-        sk_filter_release(fp);
-}
-
-static void sk_filter_delayed_uncharge(struct sock *sk, struct sk_filter *fp)
-{
-        unsigned int size = sk_filter_len(fp);
-
-        atomic_sub(size, &sk->sk_omem_alloc);
-        call_rcu_bh(&fp->rcu, sk_filter_rcu_release);
+        kfree(fp);
 }
+EXPORT_SYMBOL(sk_filter_release_rcu);
 
 /**
  *      sk_attach_filter - attach a socket filter
@@ -644,7 +643,7 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
         rcu_read_unlock_bh();
 
         if (old_fp)
-                sk_filter_delayed_uncharge(sk, old_fp);
+                sk_filter_uncharge(sk, old_fp);
         return 0;
 }
 EXPORT_SYMBOL_GPL(sk_attach_filter);
@@ -658,7 +657,7 @@ int sk_detach_filter(struct sock *sk)
         filter = rcu_dereference_bh(sk->sk_filter);
         if (filter) {
                 rcu_assign_pointer(sk->sk_filter, NULL);
-                sk_filter_delayed_uncharge(sk, filter);
+                sk_filter_uncharge(sk, filter);
                 ret = 0;
         }
         rcu_read_unlock_bh();
diff --git a/net/core/iovec.c b/net/core/iovec.c
index e6b133b77ccb..58eb9999f89d 100644
--- a/net/core/iovec.c
+++ b/net/core/iovec.c
@@ -35,10 +35,9 @@
  *      in any case.
  */
 
-long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
+int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
 {
-        int size, ct;
-        long err;
+        int size, ct, err;
 
         if (m->msg_namelen) {
                 if (mode == VERIFY_READ) {
@@ -60,14 +59,13 @@ long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address,
         err = 0;
 
         for (ct = 0; ct < m->msg_iovlen; ct++) {
-                err += iov[ct].iov_len;
-                /*
-                 * Goal is not to verify user data, but to prevent returning
-                 * negative value, which is interpreted as errno.
-                 * Overflow is still possible, but it is harmless.
-                 */
-                if (err < 0)
-                        return -EMSGSIZE;
+                size_t len = iov[ct].iov_len;
+
+                if (len > INT_MAX - err) {
+                        len = INT_MAX - err;
+                        iov[ct].iov_len = len;
+                }
+                err += len;
         }
 
         return err;
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index f78d821bd935..29d7bce933f2 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1546,6 +1546,9 @@ replay:
                         snprintf(ifname, IFNAMSIZ, "%s%%d", ops->kind);
 
                 dest_net = rtnl_link_get_net(net, tb);
+                if (IS_ERR(dest_net))
+                        return PTR_ERR(dest_net);
+
                 dev = rtnl_create_link(net, dest_net, ifname, ops, tb);
 
                 if (IS_ERR(dev))
diff --git a/net/core/timestamping.c b/net/core/timestamping.c
index 0ae6c22da85b..c19bb4ee405e 100644
--- a/net/core/timestamping.c
+++ b/net/core/timestamping.c
@@ -96,11 +96,13 @@ bool skb_defer_rx_timestamp(struct sk_buff *skb)
         struct phy_device *phydev;
         unsigned int type;
 
-        skb_push(skb, ETH_HLEN);
+        if (skb_headroom(skb) < ETH_HLEN)
+                return false;
+        __skb_push(skb, ETH_HLEN);
 
         type = classify(skb);
 
-        skb_pull(skb, ETH_HLEN);
+        __skb_pull(skb, ETH_HLEN);
 
         switch (type) {
         case PTP_CLASS_V1_IPV4:
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index d6b93d19790f..cf38f52be4f7 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -1556,6 +1556,8 @@ static int __dn_getsockopt(struct socket *sock, int level,int optname, char __us
                         if (r_len > sizeof(struct linkinfo_dn))
                                 r_len = sizeof(struct linkinfo_dn);
 
+                        memset(&link, 0, sizeof(link));
+
                         switch(sock->state) {
                                 case SS_CONNECTING:
                                         link.idn_linkstate = LL_CONNECTING;
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index dc54bd0d083b..172a6a91a214 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -31,6 +31,7 @@
 #include <linux/skbuff.h>
 #include <linux/udp.h>
 #include <linux/slab.h>
+#include <linux/vmalloc.h>
 #include <net/sock.h>
 #include <net/inet_common.h>
 #include <linux/stat.h>
@@ -276,12 +277,12 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
 #endif
 #ifdef CONFIG_ECONET_AUNUDP
         struct msghdr udpmsg;
-        struct iovec iov[msg->msg_iovlen+1];
+        struct iovec iov[2];
         struct aunhdr ah;
         struct sockaddr_in udpdest;
         __kernel_size_t size;
-        int i;
         mm_segment_t oldfs;
+        char *userbuf;
 #endif
 
         /*
@@ -297,23 +298,14 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
 
         mutex_lock(&econet_mutex);
 
-        if (saddr == NULL) {
-                struct econet_sock *eo = ec_sk(sk);
-
-                addr.station = eo->station;
-                addr.net     = eo->net;
-                port         = eo->port;
-                cb           = eo->cb;
-        } else {
-                if (msg->msg_namelen < sizeof(struct sockaddr_ec)) {
-                        mutex_unlock(&econet_mutex);
-                        return -EINVAL;
-                }
-                addr.station = saddr->addr.station;
-                addr.net = saddr->addr.net;
-                port = saddr->port;
-                cb = saddr->cb;
-        }
+        if (saddr == NULL || msg->msg_namelen < sizeof(struct sockaddr_ec)) {
+                mutex_unlock(&econet_mutex);
+                return -EINVAL;
+        }
+        addr.station = saddr->addr.station;
+        addr.net = saddr->addr.net;
+        port = saddr->port;
+        cb = saddr->cb;
 
         /* Look for a device with the right network number. */
         dev = net2dev_map[addr.net];
@@ -328,17 +320,17 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                 }
         }
 
-        if (len + 15 > dev->mtu) {
-                mutex_unlock(&econet_mutex);
-                return -EMSGSIZE;
-        }
-
         if (dev->type == ARPHRD_ECONET) {
                 /* Real hardware Econet.  We're not worthy etc. */
 #ifdef CONFIG_ECONET_NATIVE
                 unsigned short proto = 0;
                 int res;
 
+                if (len + 15 > dev->mtu) {
+                        mutex_unlock(&econet_mutex);
+                        return -EMSGSIZE;
+                }
+
                 dev_hold(dev);
 
                 skb = sock_alloc_send_skb(sk, len+LL_ALLOCATED_SPACE(dev),
@@ -351,7 +343,6 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
 
                 eb = (struct ec_cb *)&skb->cb;
 
-                /* BUG: saddr may be NULL */
                 eb->cookie = saddr->cookie;
                 eb->sec = *saddr;
                 eb->sent = ec_tx_done;
@@ -415,6 +406,11 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                 return -ENETDOWN;               /* No socket - can't send */
         }
 
+        if (len > 32768) {
+                err = -E2BIG;
+                goto error;
+        }
+
         /* Make up a UDP datagram and hand it off to some higher intellect. */
 
         memset(&udpdest, 0, sizeof(udpdest));
@@ -446,36 +442,26 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
 
         /* tack our header on the front of the iovec */
         size = sizeof(struct aunhdr);
-        /*
-         * XXX: that is b0rken.  We can't mix userland and kernel pointers
-         * in iovec, since on a lot of platforms copy_from_user() will
-         * *not* work with the kernel and userland ones at the same time,
-         * regardless of what we do with set_fs().  And we are talking about
-         * econet-over-ethernet here, so "it's only ARM anyway" doesn't
-         * apply.  Any suggestions on fixing that code?         -- AV
-         */
         iov[0].iov_base = (void *)&ah;
         iov[0].iov_len = size;
-        for (i = 0; i < msg->msg_iovlen; i++) {
-                void __user *base = msg->msg_iov[i].iov_base;
-                size_t iov_len = msg->msg_iov[i].iov_len;
-                /* Check it now since we switch to KERNEL_DS later. */
-                if (!access_ok(VERIFY_READ, base, iov_len)) {
-                        mutex_unlock(&econet_mutex);
-                        return -EFAULT;
-                }
-                iov[i+1].iov_base = base;
-                iov[i+1].iov_len = iov_len;
-                size += iov_len;
+
+        userbuf = vmalloc(len);
+        if (userbuf == NULL) {
+                err = -ENOMEM;
+                goto error;
         }
 
+        iov[1].iov_base = userbuf;
+        iov[1].iov_len = len;
+        err = memcpy_fromiovec(userbuf, msg->msg_iov, len);
+        if (err)
+                goto error_free_buf;
+
         /* Get a skbuff (no data, just holds our cb information) */
         if ((skb = sock_alloc_send_skb(sk, 0,
                                        msg->msg_flags & MSG_DONTWAIT,
-                                       &err)) == NULL) {
-                mutex_unlock(&econet_mutex);
-                return err;
-        }
+                                       &err)) == NULL)
+                goto error_free_buf;
 
         eb = (struct ec_cb *)&skb->cb;
 
@@ -491,7 +477,7 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
         udpmsg.msg_name = (void *)&udpdest;
         udpmsg.msg_namelen = sizeof(udpdest);
         udpmsg.msg_iov = &iov[0];
-        udpmsg.msg_iovlen = msg->msg_iovlen + 1;
+        udpmsg.msg_iovlen = 2;
         udpmsg.msg_control = NULL;
         udpmsg.msg_controllen = 0;
         udpmsg.msg_flags=0;
@@ -499,9 +485,13 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
         oldfs = get_fs(); set_fs(KERNEL_DS);    /* More privs :-) */
         err = sock_sendmsg(udpsock, &udpmsg, size);
         set_fs(oldfs);
+
+error_free_buf:
+        vfree(userbuf);
 #else
         err = -EPROTOTYPE;
 #endif
+        error:
         mutex_unlock(&econet_mutex);
 
         return err;
@@ -671,6 +661,11 @@ static int ec_dev_ioctl(struct socket *sock, unsigned int cmd, void __user *arg)
         err = 0;
         switch (cmd) {
         case SIOCSIFADDR:
+                if (!capable(CAP_NET_ADMIN)) {
+                        err = -EPERM;
+                        break;
+                }
+
                 edev = dev->ec_ptr;
                 if (edev == NULL) {
                         /* Magic up a new one. */
@@ -856,9 +851,13 @@ static void aun_incoming(struct sk_buff *skb, struct aunhdr *ah, size_t len)
 {
         struct iphdr *ip = ip_hdr(skb);
         unsigned char stn = ntohl(ip->saddr) & 0xff;
+        struct dst_entry *dst = skb_dst(skb);
+        struct ec_device *edev = NULL;
         struct sock *sk = NULL;
         struct sk_buff *newskb;
-        struct ec_device *edev = skb->dev->ec_ptr;
+
+        if (dst)
+                edev = dst->dev->ec_ptr;
 
         if (! edev)
                 goto bad;
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index f115ea68a4ef..6adb1abf05e0 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2246,7 +2246,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
                 /* Values greater than interface MTU won't take effect. However
                  * at the point when this call is done we typically don't yet
                  * know which interface is going to be used */
-                if (val < 8 || val > MAX_TCP_WINDOW) {
+                if (val < TCP_MIN_MSS || val > MAX_TCP_WINDOW) {
                         err = -EINVAL;
                         break;
                 }
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 020766292bb0..cb8d305cb5b4 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -415,6 +415,9 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
                     !icsk->icsk_backoff)
                         break;
 
+                if (sock_owned_by_user(sk))
+                        break;
+
                 icsk->icsk_backoff--;
                 inet_csk(sk)->icsk_rto = __tcp_set_rto(tp) <<
                                          icsk->icsk_backoff;
@@ -429,11 +432,6 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
                 if (remaining) {
                         inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
                                                   remaining, TCP_RTO_MAX);
-                } else if (sock_owned_by_user(sk)) {
-                        /* RTO revert clocked out retransmission,
-                         * but socket is locked. Will defer. */
-                        inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
-                                                  HZ/20, TCP_RTO_MAX);
                 } else {
                         /* RTO revert clocked out retransmission.
                          * Will retransmit now */
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index de3bd8458588..7abecf73add9 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -237,11 +237,10 @@ void tcp_select_initial_window(int __space, __u32 mss,
                 /* when initializing use the value from init_rcv_wnd
                  * rather than the default from above
                  */
-                if (init_rcv_wnd &&
-                    (*rcv_wnd > init_rcv_wnd * mss))
-                        *rcv_wnd = init_rcv_wnd * mss;
-                else if (*rcv_wnd > init_cwnd * mss)
-                        *rcv_wnd = init_cwnd * mss;
+                if (init_rcv_wnd)
+                        *rcv_wnd = min(*rcv_wnd, init_rcv_wnd * mss);
+                else
+                        *rcv_wnd = min(*rcv_wnd, init_cwnd * mss);
         }
 
         /* Set the clamp no higher than max representable value */
@@ -392,27 +391,30 @@ struct tcp_out_options {
  */
 static u8 tcp_cookie_size_check(u8 desired)
 {
-        if (desired > 0) {
+        int cookie_size;
+
+        if (desired > 0)
                 /* previously specified */
                 return desired;
-        }
-        if (sysctl_tcp_cookie_size <= 0) {
+
+        cookie_size = ACCESS_ONCE(sysctl_tcp_cookie_size);
+        if (cookie_size <= 0)
                 /* no default specified */
                 return 0;
-        }
-        if (sysctl_tcp_cookie_size <= TCP_COOKIE_MIN) {
+
+        if (cookie_size <= TCP_COOKIE_MIN)
                 /* value too small, specify minimum */
                 return TCP_COOKIE_MIN;
-        }
-        if (sysctl_tcp_cookie_size >= TCP_COOKIE_MAX) {
+
+        if (cookie_size >= TCP_COOKIE_MAX)
                 /* value too large, specify maximum */
                 return TCP_COOKIE_MAX;
-        }
-        if (0x1 & sysctl_tcp_cookie_size) {
+
+        if (cookie_size & 1)
                 /* 8-bit multiple, illegal, fix it */
-                return (u8)(sysctl_tcp_cookie_size + 0x1);
-        }
-        return (u8)sysctl_tcp_cookie_size;
+                cookie_size++;
+
+        return (u8)cookie_size;
 }
 
 /* Write previously computed TCP options to the packet.
@@ -1519,6 +1521,7 @@ static int tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb)
         struct tcp_sock *tp = tcp_sk(sk);
         const struct inet_connection_sock *icsk = inet_csk(sk);
         u32 send_win, cong_win, limit, in_flight;
+        int win_divisor;
 
         if (TCP_SKB_CB(skb)->flags & TCPHDR_FIN)
                 goto send_now;
@@ -1550,13 +1553,14 @@ static int tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb)
         if ((skb != tcp_write_queue_tail(sk)) && (limit >= skb->len))
                 goto send_now;
 
-        if (sysctl_tcp_tso_win_divisor) {
+        win_divisor = ACCESS_ONCE(sysctl_tcp_tso_win_divisor);
+        if (win_divisor) {
                 u32 chunk = min(tp->snd_wnd, tp->snd_cwnd * tp->mss_cache);
 
                 /* If at least some fraction of a window is available,
                  * just use it.
                  */
-                chunk /= sysctl_tcp_tso_win_divisor;
+                chunk /= win_divisor;
                 if (limit >= chunk)
                         goto send_now;
         } else {
diff --git a/net/irda/iriap.c b/net/irda/iriap.c
index fce364c6c71a..5b743bdd89ba 100644
--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -502,7 +502,8 @@ static void iriap_getvaluebyclass_confirm(struct iriap_cb *self,
                 IRDA_DEBUG(4, "%s(), strlen=%d\n", __func__, value_len);
 
                 /* Make sure the string is null-terminated */
-                fp[n+value_len] = 0x00;
+                if (n + value_len < skb->len)
+                        fp[n + value_len] = 0x00;
                 IRDA_DEBUG(4, "Got string %s\n", fp+n);
 
                 /* Will truncate to IAS_MAX_STRING bytes */
diff --git a/net/irda/parameters.c b/net/irda/parameters.c
index fc1a20565e2d..71cd38c1a67f 100644
--- a/net/irda/parameters.c
+++ b/net/irda/parameters.c
@@ -298,6 +298,8 @@ static int irda_extract_string(void *self, __u8 *buf, int len, __u8 pi,
 
         p.pi = pi;     /* In case handler needs to know */
         p.pl = buf[1]; /* Extract length of value */
+        if (p.pl > 32)
+                p.pl = 32;
 
         IRDA_DEBUG(2, "%s(), pi=%#x, pl=%d\n", __func__,
                    p.pi, p.pl);
@@ -318,7 +320,7 @@ static int irda_extract_string(void *self, __u8 *buf, int len, __u8 pi,
                    (__u8) str[0], (__u8) str[1]);
 
         /* Null terminate string */
-        str[p.pl+1] = '\0';
+        str[p.pl] = '\0';
 
         p.pv.c = str; /* Handler will need to take a copy */
 
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 226a0ae3bcfd..a2cec796a321 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -676,4 +676,8 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
 MODULE_DESCRIPTION("L2TP over IP");
 MODULE_VERSION("1.0");
-MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, SOCK_DGRAM, IPPROTO_L2TP);
+
+/* Use the value of SOCK_DGRAM (2) directory, because __stringify does't like
+ * enums
+ */
+MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 2, IPPROTO_L2TP);
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 582612998211..e35dbe55f520 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -317,8 +317,9 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen)
                 goto out;
         rc = -ENODEV;
         rtnl_lock();
+        rcu_read_lock();
         if (sk->sk_bound_dev_if) {
-                llc->dev = dev_get_by_index(&init_net, sk->sk_bound_dev_if);
+                llc->dev = dev_get_by_index_rcu(&init_net, sk->sk_bound_dev_if);
                 if (llc->dev) {
                         if (!addr->sllc_arphrd)
                                 addr->sllc_arphrd = llc->dev->type;
@@ -329,13 +330,13 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen)
                             !llc_mac_match(addr->sllc_mac,
                                            llc->dev->dev_addr)) {
                                 rc = -EINVAL;
-                                dev_put(llc->dev);
                                 llc->dev = NULL;
                         }
                 }
         } else
                 llc->dev = dev_getbyhwaddr(&init_net, addr->sllc_arphrd,
                                            addr->sllc_mac);
+        rcu_read_unlock();
         rtnl_unlock();
         if (!llc->dev)
                 goto out;
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index 965b272499fd..2f6903e48dd9 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -172,8 +172,6 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
                                      struct ieee80211_mgmt *mgmt,
                                      size_t len)
 {
-        struct ieee80211_hw *hw = &local->hw;
-        struct ieee80211_conf *conf = &hw->conf;
         struct tid_ampdu_rx *tid_agg_rx;
         u16 capab, tid, timeout, ba_policy, buf_size, start_seq_num, status;
         u8 dialog_token;
@@ -218,13 +216,8 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
                 goto end_no_lock;
         }
         /* determine default buffer size */
-        if (buf_size == 0) {
-                struct ieee80211_supported_band *sband;
-
-                sband = local->hw.wiphy->bands[conf->channel->band];
-                buf_size = IEEE80211_MIN_AMPDU_BUF;
-                buf_size = buf_size << sband->ht_cap.ampdu_factor;
-        }
+        if (buf_size == 0)
+                buf_size = IEEE80211_MAX_AMPDU_BUF;
 
 
         /* examine state machine */
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 29ac8e1a509e..2095602dcc3a 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -634,6 +634,7 @@ static void sta_apply_parameters(struct ieee80211_local *local,
                                  struct sta_info *sta,
                                  struct station_parameters *params)
 {
+        unsigned long flags;
         u32 rates;
         int i, j;
         struct ieee80211_supported_band *sband;
@@ -642,7 +643,7 @@ static void sta_apply_parameters(struct ieee80211_local *local,
 
         sband = local->hw.wiphy->bands[local->oper_channel->band];
 
-        spin_lock_bh(&sta->lock);
+        spin_lock_irqsave(&sta->flaglock, flags);
         mask = params->sta_flags_mask;
         set = params->sta_flags_set;
 
@@ -669,7 +670,7 @@ static void sta_apply_parameters(struct ieee80211_local *local,
                 if (set & BIT(NL80211_STA_FLAG_MFP))
                         sta->flags |= WLAN_STA_MFP;
         }
-        spin_unlock_bh(&sta->lock);
+        spin_unlock_irqrestore(&sta->flaglock, flags);
 
         /*
          * cfg80211 validates this (1-2007) and allows setting the AID
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index c691780725a7..45c99f096c7b 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -435,6 +435,7 @@ struct sta_info *ieee80211_ibss_add_sta(struct ieee80211_sub_if_data *sdata,
         if (!sta)
                 return NULL;
 
+        sta->last_rx = jiffies;
         set_sta_flags(sta, WLAN_STA_AUTHORIZED);
 
         /* make sure mandatory rates are always added */
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 65e0ed6c2975..3546054505ab 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1003,6 +1003,8 @@ void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata);
 void ieee80211_sta_work(struct ieee80211_sub_if_data *sdata);
 void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
                                   struct sk_buff *skb);
+void ieee80211_sta_reset_beacon_monitor(struct ieee80211_sub_if_data *sdata);
+void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata);
 
 /* IBSS code */
 void ieee80211_ibss_notify_scan_completed(struct ieee80211_local *local);
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 1b9d87ed143a..3f76484221a2 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -323,6 +323,12 @@ static void __ieee80211_key_destroy(struct ieee80211_key *key)
         if (!key)
                 return;
 
+        /*
+         * Synchronize so the TX path can no longer be using
+         * this key before we free/remove it.
+         */
+        synchronize_rcu();
+
         if (key->local)
                 ieee80211_key_disable_hw_accel(key);
 
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index ded5c3843e06..e8acdb2fb2ca 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -108,7 +108,8 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
                 chan = scan_chan;
                 channel_type = NL80211_CHAN_NO_HT;
                 local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
-        } else if (local->tmp_channel) {
+        } else if (local->tmp_channel &&
+                   local->oper_channel != local->tmp_channel) {
                 chan = scan_chan = local->tmp_channel;
                 channel_type = local->tmp_channel_type;
                 local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index ea13a80a476c..1c91f0f3c307 100644
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -412,7 +412,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
         enum plink_event event;
         enum plink_frame_type ftype;
         size_t baselen;
-        bool deactivated;
+        bool deactivated, matches_local = true;
         u8 ie_len;
         u8 *baseaddr;
         __le16 plid, llid, reason;
@@ -487,6 +487,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
         /* Now we will figure out the appropriate event... */
         event = PLINK_UNDEFINED;
         if (ftype != PLINK_CLOSE && (!mesh_matches_local(&elems, sdata))) {
+                matches_local = false;
                 switch (ftype) {
                 case PLINK_OPEN:
                         event = OPN_RJCT;
@@ -498,7 +499,15 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                         /* avoid warning */
                         break;
                 }
-                spin_lock_bh(&sta->lock);
+        }
+
+        if (!sta && !matches_local) {
+                rcu_read_unlock();
+                reason = cpu_to_le16(MESH_CAPABILITY_POLICY_VIOLATION);
+                llid = 0;
+                mesh_plink_frame_tx(sdata, PLINK_CLOSE, mgmt->sa, llid,
+                                    plid, reason);
+                return;
         } else if (!sta) {
                 /* ftype == PLINK_OPEN */
                 u32 rates;
@@ -522,7 +531,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                 }
                 event = OPN_ACPT;
                 spin_lock_bh(&sta->lock);
-        } else {
+        } else if (matches_local) {
                 spin_lock_bh(&sta->lock);
                 switch (ftype) {
                 case PLINK_OPEN:
@@ -564,6 +573,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                         rcu_read_unlock();
                         return;
                 }
+        } else {
+                spin_lock_bh(&sta->lock);
         }
 
         mpl_dbg("Mesh plink (peer, state, llid, plid, event): %pM %s %d %d %d\n",
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index b6c163ac22da..4c5eed9446f4 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -109,7 +109,7 @@ static void run_again(struct ieee80211_if_managed *ifmgd,
                 mod_timer(&ifmgd->timer, timeout);
 }
 
-static void mod_beacon_timer(struct ieee80211_sub_if_data *sdata)
+void ieee80211_sta_reset_beacon_monitor(struct ieee80211_sub_if_data *sdata)
 {
         if (sdata->local->hw.flags & IEEE80211_HW_BEACON_FILTER)
                 return;
@@ -118,6 +118,19 @@ static void mod_beacon_timer(struct ieee80211_sub_if_data *sdata)
                   round_jiffies_up(jiffies + IEEE80211_BEACON_LOSS_TIME));
 }
 
+void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+
+        if (sdata->local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR)
+                return;
+
+        mod_timer(&sdata->u.mgd.conn_mon_timer,
+                  round_jiffies_up(jiffies + IEEE80211_CONNECTION_IDLE_TIME));
+
+        ifmgd->probe_send_count = 0;
+}
+
 static int ecw2cw(int ecw)
 {
         return (1 << ecw) - 1;
@@ -1006,21 +1019,26 @@ void ieee80211_sta_rx_notify(struct ieee80211_sub_if_data *sdata,
         if (is_multicast_ether_addr(hdr->addr1))
                 return;
 
-        if (sdata->local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR)
-                return;
-
-        mod_timer(&sdata->u.mgd.conn_mon_timer,
-                  round_jiffies_up(jiffies + IEEE80211_CONNECTION_IDLE_TIME));
+        ieee80211_sta_reset_conn_monitor(sdata);
 }
 
 static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
 {
         struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
         const u8 *ssid;
+        u8 *dst = ifmgd->associated->bssid;
+        u8 unicast_limit = max(1, IEEE80211_MAX_PROBE_TRIES - 3);
+
+        /*
+         * Try sending broadcast probe requests for the last three
+         * probe requests after the first ones failed since some
+         * buggy APs only support broadcast probe requests.
+         */
+        if (ifmgd->probe_send_count >= unicast_limit)
+                dst = NULL;
 
         ssid = ieee80211_bss_get_ie(ifmgd->associated, WLAN_EID_SSID);
-        ieee80211_send_probe_req(sdata, ifmgd->associated->bssid,
-                                 ssid + 2, ssid[1], NULL, 0);
+        ieee80211_send_probe_req(sdata, dst, ssid + 2, ssid[1], NULL, 0);
 
         ifmgd->probe_send_count++;
         ifmgd->probe_timeout = jiffies + IEEE80211_PROBE_WAIT;
@@ -1262,7 +1280,7 @@ static bool ieee80211_assoc_success(struct ieee80211_work *wk,
 
         rates = 0;
         basic_rates = 0;
-        sband = local->hw.wiphy->bands[local->hw.conf.channel->band];
+        sband = local->hw.wiphy->bands[wk->chan->band];
 
         for (i = 0; i < elems.supp_rates_len; i++) {
                 int rate = (elems.supp_rates[i] & 0x7f) * 5;
@@ -1298,11 +1316,11 @@ static bool ieee80211_assoc_success(struct ieee80211_work *wk,
                 }
         }
 
-        sta->sta.supp_rates[local->hw.conf.channel->band] = rates;
+        sta->sta.supp_rates[wk->chan->band] = rates;
         sdata->vif.bss_conf.basic_rates = basic_rates;
 
         /* cf. IEEE 802.11 9.2.12 */
-        if (local->hw.conf.channel->band == IEEE80211_BAND_2GHZ &&
+        if (wk->chan->band == IEEE80211_BAND_2GHZ &&
             have_higher_than_11mbit)
                 sdata->flags |= IEEE80211_SDATA_OPERATING_GMODE;
         else
@@ -1362,7 +1380,7 @@ static bool ieee80211_assoc_success(struct ieee80211_work *wk,
          * Also start the timer that will detect beacon loss.
          */
         ieee80211_sta_rx_notify(sdata, (struct ieee80211_hdr *)mgmt);
-        mod_beacon_timer(sdata);
+        ieee80211_sta_reset_beacon_monitor(sdata);
 
         return true;
 }
@@ -1465,7 +1483,7 @@ static void ieee80211_rx_mgmt_probe_resp(struct ieee80211_sub_if_data *sdata,
                  * we have or will be receiving any beacons or data, so let's
                  * schedule the timers again, just in case.
                  */
-                mod_beacon_timer(sdata);
+                ieee80211_sta_reset_beacon_monitor(sdata);
 
                 mod_timer(&ifmgd->conn_mon_timer,
                           round_jiffies_up(jiffies +
@@ -1540,7 +1558,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
         ifmgd->last_beacon_signal = rx_status->signal;
         if (ifmgd->flags & IEEE80211_STA_RESET_SIGNAL_AVE) {
                 ifmgd->flags &= ~IEEE80211_STA_RESET_SIGNAL_AVE;
-                ifmgd->ave_beacon_signal = rx_status->signal;
+                ifmgd->ave_beacon_signal = rx_status->signal * 16;
                 ifmgd->last_cqm_event_signal = 0;
         } else {
                 ifmgd->ave_beacon_signal =
@@ -1588,7 +1606,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
          * Push the beacon loss detection into the future since
          * we are processing a beacon from the AP just now.
          */
-        mod_beacon_timer(sdata);
+        ieee80211_sta_reset_beacon_monitor(sdata);
 
         ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4);
         ncrc = ieee802_11_parse_elems_crc(mgmt->u.beacon.variable,
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index c36b1911987a..cf5ee305785b 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -22,12 +22,16 @@
 static void ieee80211_offchannel_ps_enable(struct ieee80211_sub_if_data *sdata)
 {
         struct ieee80211_local *local = sdata->local;
+        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
 
         local->offchannel_ps_enabled = false;
 
         /* FIXME: what to do when local->pspolling is true? */
 
         del_timer_sync(&local->dynamic_ps_timer);
+        del_timer_sync(&ifmgd->bcn_mon_timer);
+        del_timer_sync(&ifmgd->conn_mon_timer);
+
         cancel_work_sync(&local->dynamic_ps_enable_work);
 
         if (local->hw.conf.flags & IEEE80211_CONF_PS) {
@@ -85,6 +89,9 @@ static void ieee80211_offchannel_ps_disable(struct ieee80211_sub_if_data *sdata)
                 mod_timer(&local->dynamic_ps_timer, jiffies +
                           msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
         }
+
+        ieee80211_sta_reset_beacon_monitor(sdata);
+        ieee80211_sta_reset_conn_monitor(sdata);
 }
 
 void ieee80211_offchannel_stop_beaconing(struct ieee80211_local *local)
diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
index be04d46110fe..82d5750a110a 100644
--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
@@ -328,6 +328,9 @@ void rate_control_get_rate(struct ieee80211_sub_if_data *sdata,
                  * if needed.
                  */
                 for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) {
+                        /* Skip invalid rates */
+                        if (info->control.rates[i].idx < 0)
+                                break;
                         /* Rate masking supports only legacy rates for now */
                         if (info->control.rates[i].flags & IEEE80211_TX_RC_MCS)
                                 continue;
diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index c5b465904e3b..2a18d6602d4a 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -397,8 +397,9 @@ minstrel_ht_tx_status(void *priv, struct ieee80211_supported_band *sband,
             !(info->flags & IEEE80211_TX_STAT_AMPDU))
                 return;
 
-        if (!info->status.ampdu_len) {
-                info->status.ampdu_ack_len = 1;
+        if (!(info->flags & IEEE80211_TX_STAT_AMPDU)) {
+                info->status.ampdu_ack_len =
+                        (info->flags & IEEE80211_TX_STAT_ACK ? 1 : 0);
                 info->status.ampdu_len = 1;
         }
 
@@ -426,7 +427,7 @@ minstrel_ht_tx_status(void *priv, struct ieee80211_supported_band *sband,
                 group = minstrel_ht_get_group_idx(&ar[i]);
                 rate = &mi->groups[group].rates[ar[i].idx % 8];
 
-                if (last && (info->flags & IEEE80211_TX_STAT_ACK))
+                if (last)
                         rate->success += info->status.ampdu_ack_len;
 
                 rate->attempts += ar[i].count * info->status.ampdu_len;
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 28624282c5f3..2bec9b9dba09 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1715,6 +1715,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
                         if (!fwd_skb && net_ratelimit())
                                 printk(KERN_DEBUG "%s: failed to clone mesh frame\n",
                                                    sdata->name);
+                        if (!fwd_skb)
+                                goto out;
 
                         fwd_hdr =  (struct ieee80211_hdr *) fwd_skb->data;
                         memcpy(fwd_hdr->addr2, sdata->vif.addr, ETH_ALEN);
@@ -1752,6 +1754,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
                 }
         }
 
+ out:
         if (is_multicast_ether_addr(hdr->addr1) ||
             sdata->dev->flags & IFF_PROMISC)
                 return RX_CONTINUE;
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 34da67995d94..6ffa26a9de39 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -58,6 +58,7 @@ static void ieee80211_handle_filtered_frame(struct ieee80211_local *local,
         info->control.vif = &sta->sdata->vif;
         info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING |
                        IEEE80211_TX_INTFL_RETRANSMISSION;
+        info->flags &= ~IEEE80211_TX_TEMPORARY_FLAGS;
 
         sta->tx_filtered_count++;
 
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index c54db966926b..9d5af5dd0d98 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1694,7 +1694,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
 {
         struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
         struct ieee80211_local *local = sdata->local;
-        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+        struct ieee80211_tx_info *info;
         int ret = NETDEV_TX_BUSY, head_need;
         u16 ethertype, hdrlen,  meshhdrlen = 0;
         __le16 fc;
@@ -1705,15 +1705,13 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
         int nh_pos, h_pos;
         struct sta_info *sta = NULL;
         u32 sta_flags = 0;
+        struct sk_buff *tmp_skb;
 
         if (unlikely(skb->len < ETH_HLEN)) {
                 ret = NETDEV_TX_OK;
                 goto fail;
         }
 
-        nh_pos = skb_network_header(skb) - skb->data;
-        h_pos = skb_transport_header(skb) - skb->data;
-
         /* convert Ethernet header to proper 802.11 header (based on
          * operation mode) */
         ethertype = (skb->data[12] << 8) | skb->data[13];
@@ -1885,6 +1883,20 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                 goto fail;
         }
 
+        /*
+         * If the skb is shared we need to obtain our own copy.
+         */
+        if (skb_shared(skb)) {
+                tmp_skb = skb;
+                skb = skb_copy(skb, GFP_ATOMIC);
+                kfree_skb(tmp_skb);
+
+                if (!skb) {
+                        ret = NETDEV_TX_OK;
+                        goto fail;
+                }
+        }
+
         hdr.frame_control = fc;
         hdr.duration_id = 0;
         hdr.seq_ctrl = 0;
@@ -1903,6 +1915,9 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                 encaps_len = 0;
         }
 
+        nh_pos = skb_network_header(skb) - skb->data;
+        h_pos = skb_transport_header(skb) - skb->data;
+
         skb_pull(skb, skip_header_bytes);
         nh_pos -= skip_header_bytes;
         h_pos -= skip_header_bytes;
@@ -1969,6 +1984,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
         skb_set_network_header(skb, nh_pos);
         skb_set_transport_header(skb, h_pos);
 
+        info = IEEE80211_SKB_CB(skb);
         memset(info, 0, sizeof(*info));
 
         dev->trans_start = jiffies;
@@ -2160,6 +2176,9 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,
 
         sdata = vif_to_sdata(vif);
 
+        if (!ieee80211_sdata_running(sdata))
+                goto out;
+
         if (tim_offset)
                 *tim_offset = 0;
         if (tim_length)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index df3eedb142ff..a37a6b188eda 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1260,7 +1260,8 @@ void *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced, int nulls)
         if (!hash) {
                 *vmalloced = 1;
                 printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
-                hash = __vmalloc(sz, GFP_KERNEL | __GFP_ZERO, PAGE_KERNEL);
+                hash = __vmalloc(sz, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO,
+                                 PAGE_KERNEL);
         }
 
         if (hash && nulls)
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 23b2d6c486b5..364ad1600129 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -101,7 +101,7 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
         switch (info->mode) {
         case SECMARK_MODE_SEL:
                 err = checkentry_selinux(info);
-                if (err <= 0)
+                if (err)
                         return err;
                 break;
 
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 9a17f28b1253..9ba70146a4fe 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1610,9 +1610,11 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock,
 
                 err = -EINVAL;
                 vnet_hdr_len = sizeof(vnet_hdr);
-                if ((len -= vnet_hdr_len) < 0)
+                if (len < vnet_hdr_len)
                         goto out_free;
 
+                len -= vnet_hdr_len;
+
                 if (skb_is_gso(skb)) {
                         struct skb_shared_info *sinfo = skb_shinfo(skb);
 
@@ -1719,7 +1721,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr,
         rcu_read_lock();
         dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
         if (dev)
-                strlcpy(uaddr->sa_data, dev->name, 15);
+                strncpy(uaddr->sa_data, dev->name, 14);
         else
                 memset(uaddr->sa_data, 0, 14);
         rcu_read_unlock();
@@ -1742,6 +1744,7 @@ static int packet_getname(struct socket *sock, struct sockaddr *uaddr,
         sll->sll_family = AF_PACKET;
         sll->sll_ifindex = po->ifindex;
         sll->sll_protocol = po->num;
+        sll->sll_pkttype = 0;
         rcu_read_lock();
         dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex);
         if (dev) {
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index 75fd13bb631b..39989678c2d2 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -474,7 +474,7 @@ static struct rds_rdma_op *rds_rdma_prepare(struct rds_sock *rs,
                 goto out;
         }
 
-        if (args->nr_local > (u64)UINT_MAX) {
+        if (args->nr_local > UIO_MAXIOV) {
                 ret = -EMSGSIZE;
                 goto out;
         }
diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c
index 78ef2c5e130b..08be223fb3dc 100644
--- a/net/sched/cls_cgroup.c
+++ b/net/sched/cls_cgroup.c
@@ -34,8 +34,6 @@ struct cgroup_subsys net_cls_subsys = {
         .populate       = cgrp_populate,
 #ifdef CONFIG_NET_CLS_CGROUP
         .subsys_id      = net_cls_subsys_id,
-#else
-#define net_cls_subsys_id net_cls_subsys.subsys_id
 #endif
         .module         = THIS_MODULE,
 };
diff --git a/net/socket.c b/net/socket.c
index 2270b941bcc7..58dfc915a3a5 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1651,6 +1651,8 @@ SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len,
         struct iovec iov;
         int fput_needed;
 
+        if (len > INT_MAX)
+                len = INT_MAX;
         sock = sockfd_lookup_light(fd, &err, &fput_needed);
         if (!sock)
                 goto out;
@@ -1708,6 +1710,8 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
         int err, err2;
         int fput_needed;
 
+        if (size > INT_MAX)
+                size = INT_MAX;
         sock = sockfd_lookup_light(fd, &err, &fput_needed);
         if (!sock)
                 goto out;
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index fa5549079d79..cbc5b8ccc8be 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -1675,7 +1675,7 @@ rpc_verify_header(struct rpc_task *task)
                         rpcauth_invalcred(task);
                         /* Ensure we obtain a new XID! */
                         xprt_release(task);
-                        task->tk_action = call_refresh;
+                        task->tk_action = call_reserve;
                         goto out_retry;
                 case RPC_AUTH_BADCRED:
                 case RPC_AUTH_BADVERF:
diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index cbc084939dd8..2f5fb71854d3 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -212,6 +212,7 @@ int svc_create_xprt(struct svc_serv *serv, const char *xprt_name,
         spin_lock(&svc_xprt_class_lock);
         list_for_each_entry(xcl, &svc_xprt_class_list, xcl_list) {
                 struct svc_xprt *newxprt;
+                unsigned short newport;
 
                 if (strcmp(xprt_name, xcl->xcl_name))
                         continue;
@@ -230,8 +231,9 @@ int svc_create_xprt(struct svc_serv *serv, const char *xprt_name,
                 spin_lock_bh(&serv->sv_lock);
                 list_add(&newxprt->xpt_list, &serv->sv_permsocks);
                 spin_unlock_bh(&serv->sv_lock);
+                newport = svc_xprt_local_port(newxprt);
                 clear_bit(XPT_BUSY, &newxprt->xpt_flags);
-                return svc_xprt_local_port(newxprt);
+                return newport;
         }
  err:
         spin_unlock(&svc_xprt_class_lock);
@@ -431,8 +433,13 @@ void svc_xprt_received(struct svc_xprt *xprt)
 {
         BUG_ON(!test_bit(XPT_BUSY, &xprt->xpt_flags));
         xprt->xpt_pool = NULL;
+        /* As soon as we clear busy, the xprt could be closed and
+         * 'put', so we need a reference to call svc_xprt_enqueue with:
+         */
+        svc_xprt_get(xprt);
         clear_bit(XPT_BUSY, &xprt->xpt_flags);
         svc_xprt_enqueue(xprt);
+        svc_xprt_put(xprt);
 }
 EXPORT_SYMBOL_GPL(svc_xprt_received);
 
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 0b39b2451ea5..b4cfe207a6ac 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1343,9 +1343,25 @@ static void unix_destruct_scm(struct sk_buff *skb)
         sock_wfree(skb);
 }
 
+#define MAX_RECURSION_LEVEL 4
+
 static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
 {
         int i;
+        unsigned char max_level = 0;
+        int unix_sock_count = 0;
+
+        for (i = scm->fp->count - 1; i >= 0; i--) {
+                struct sock *sk = unix_get_socket(scm->fp->fp[i]);
+
+                if (sk) {
+                        unix_sock_count++;
+                        max_level = max(max_level,
+                                        unix_sk(sk)->recursion_level);
+                }
+        }
+        if (unlikely(max_level > MAX_RECURSION_LEVEL))
+                return -ETOOMANYREFS;
 
         /*
          * Need to duplicate file references for the sake of garbage
@@ -1356,9 +1372,11 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
         if (!UNIXCB(skb).fp)
                 return -ENOMEM;
 
-        for (i = scm->fp->count-1; i >= 0; i--)
-                unix_inflight(scm->fp->fp[i]);
-        return 0;
+        if (unix_sock_count) {
+                for (i = scm->fp->count - 1; i >= 0; i--)
+                        unix_inflight(scm->fp->fp[i]);
+        }
+        return max_level;
 }
 
 static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool send_fds)
@@ -1393,6 +1411,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
         struct sk_buff *skb;
         long timeo;
         struct scm_cookie tmp_scm;
+        int max_level;
 
         if (NULL == siocb->scm)
                 siocb->scm = &tmp_scm;
@@ -1431,8 +1450,9 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
                 goto out;
 
         err = unix_scm_to_skb(siocb->scm, skb, true);
-        if (err)
+        if (err < 0)
                 goto out_free;
+        max_level = err + 1;
         unix_get_secdata(siocb->scm, skb);
 
         skb_reset_transport_header(skb);
@@ -1512,6 +1532,8 @@ restart:
         }
 
         skb_queue_tail(&other->sk_receive_queue, skb);
+        if (max_level > unix_sk(other)->recursion_level)
+                unix_sk(other)->recursion_level = max_level;
         unix_state_unlock(other);
         other->sk_data_ready(other, len);
         sock_put(other);
@@ -1542,6 +1564,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
         int sent = 0;
         struct scm_cookie tmp_scm;
         bool fds_sent = false;
+        int max_level;
 
         if (NULL == siocb->scm)
                 siocb->scm = &tmp_scm;
@@ -1605,10 +1628,11 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
 
                 /* Only send the fds in the first buffer */
                 err = unix_scm_to_skb(siocb->scm, skb, !fds_sent);
-                if (err) {
+                if (err < 0) {
                         kfree_skb(skb);
                         goto out_err;
                 }
+                max_level = err + 1;
                 fds_sent = true;
 
                 err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
@@ -1624,6 +1648,8 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
                         goto pipe_err_free;
 
                 skb_queue_tail(&other->sk_receive_queue, skb);
+                if (max_level > unix_sk(other)->recursion_level)
+                        unix_sk(other)->recursion_level = max_level;
                 unix_state_unlock(other);
                 other->sk_data_ready(other, size);
                 sent += size;
@@ -1840,6 +1866,7 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
                 unix_state_lock(sk);
                 skb = skb_dequeue(&sk->sk_receive_queue);
                 if (skb == NULL) {
+                        unix_sk(sk)->recursion_level = 0;
                         if (copied >= target)
                                 goto unlock;
 
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index c8df6fda0b1f..f89f83bf828e 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -96,7 +96,7 @@ static DECLARE_WAIT_QUEUE_HEAD(unix_gc_wait);
 unsigned int unix_tot_inflight;
 
 
-static struct sock *unix_get_socket(struct file *filp)
+struct sock *unix_get_socket(struct file *filp)
 {
         struct sock *u_sock = NULL;
         struct inode *inode = filp->f_path.dentry->d_inode;
@@ -259,9 +259,16 @@ static void inc_inflight_move_tail(struct unix_sock *u)
 }
 
 static bool gc_in_progress = false;
+#define UNIX_INFLIGHT_TRIGGER_GC 16000
 
 void wait_for_unix_gc(void)
 {
+        /*
+         * If number of inflight sockets is insane,
+         * force a garbage collect right now.
+         */
+        if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
+                unix_gc();
         wait_event(unix_gc_wait, gc_in_progress == false);
 }
 
diff --git a/net/wireless/chan.c b/net/wireless/chan.c
index d0c92dddb26b..d8f443b70b08 100644
--- a/net/wireless/chan.c
+++ b/net/wireless/chan.c
@@ -44,6 +44,36 @@ rdev_freq_to_chan(struct cfg80211_registered_device *rdev,
         return chan;
 }
 
+static bool can_beacon_sec_chan(struct wiphy *wiphy,
+                                struct ieee80211_channel *chan,
+                                enum nl80211_channel_type channel_type)
+{
+        struct ieee80211_channel *sec_chan;
+        int diff;
+
+        switch (channel_type) {
+        case NL80211_CHAN_HT40PLUS:
+                diff = 20;
+        case NL80211_CHAN_HT40MINUS:
+                diff = -20;
+        default:
+                return false;
+        }
+
+        sec_chan = ieee80211_get_channel(wiphy, chan->center_freq + diff);
+        if (!sec_chan)
+                return false;
+
+        /* we'll need a DFS capability later */
+        if (sec_chan->flags & (IEEE80211_CHAN_DISABLED |
+                               IEEE80211_CHAN_PASSIVE_SCAN |
+                               IEEE80211_CHAN_NO_IBSS |
+                               IEEE80211_CHAN_RADAR))
+                return false;
+
+        return true;
+}
+
 int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
                       struct wireless_dev *wdev, int freq,
                       enum nl80211_channel_type channel_type)
@@ -68,6 +98,27 @@ int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
         if (!chan)
                 return -EINVAL;
 
+        /* Both channels should be able to initiate communication */
+        if (wdev && (wdev->iftype == NL80211_IFTYPE_ADHOC ||
+                     wdev->iftype == NL80211_IFTYPE_AP ||
+                     wdev->iftype == NL80211_IFTYPE_AP_VLAN ||
+                     wdev->iftype == NL80211_IFTYPE_MESH_POINT)) {
+                switch (channel_type) {
+                case NL80211_CHAN_HT40PLUS:
+                case NL80211_CHAN_HT40MINUS:
+                        if (!can_beacon_sec_chan(&rdev->wiphy, chan,
+                                                 channel_type)) {
+                                printk(KERN_DEBUG
+                                       "cfg80211: Secondary channel not "
+                                       "allowed to initiate communication\n");
+                                return -EINVAL;
+                        }
+                        break;
+                default:
+                        break;
+                }
+        }
+
         result = rdev->ops->set_channel(&rdev->wiphy,
                                         wdev ? wdev->netdev : NULL,
                                         chan, channel_type);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 37902a54e9c1..9a8cde999955 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -761,11 +761,13 @@ static int nl80211_set_channel(struct sk_buff *skb, struct genl_info *info)
 
         result = get_rdev_dev_by_info_ifindex(info, &rdev, &netdev);
         if (result)
-                goto unlock;
+                goto unlock_rtnl;
 
         result = __nl80211_set_channel(rdev, netdev->ieee80211_ptr, info);
 
- unlock:
+        dev_put(netdev);
+        cfg80211_unlock_rdev(rdev);
+ unlock_rtnl:
         rtnl_unlock();
 
         return result;
@@ -4996,7 +4998,7 @@ static int nl80211_set_cqm_rssi(struct genl_info *info,
 
         err = get_rdev_dev_by_info_ifindex(info, &rdev, &dev);
         if (err)
-                goto unlock_rdev;
+                goto unlock_rtnl;
 
         wdev = dev->ieee80211_ptr;
 
@@ -5013,9 +5015,10 @@ static int nl80211_set_cqm_rssi(struct genl_info *info,
         err = rdev->ops->set_cqm_rssi_config(wdev->wiphy, dev,
                                              threshold, hysteresis);
 
-unlock_rdev:
+ unlock_rdev:
         cfg80211_unlock_rdev(rdev);
         dev_put(dev);
+ unlock_rtnl:
         rtnl_unlock();
 
         return err;
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index f180db0de66c..edccc093e71b 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -723,7 +723,9 @@ EXPORT_SYMBOL(freq_reg_info);
  * on the wiphy with the target_bw specified. Then we can simply use
  * that below for the desired_bw_khz below.
  */
-static void handle_channel(struct wiphy *wiphy, enum ieee80211_band band,
+static void handle_channel(struct wiphy *wiphy,
+                           enum nl80211_reg_initiator initiator,
+                           enum ieee80211_band band,
                            unsigned int chan_idx)
 {
         int r;
@@ -787,7 +789,9 @@ static void handle_channel(struct wiphy *wiphy, enum ieee80211_band band,
                 chan->max_power = (int) MBM_TO_DBM(power_rule->max_eirp);
 }
 
-static void handle_band(struct wiphy *wiphy, enum ieee80211_band band)
+static void handle_band(struct wiphy *wiphy,
+                        enum ieee80211_band band,
+                        enum nl80211_reg_initiator initiator)
 {
         unsigned int i;
         struct ieee80211_supported_band *sband;
@@ -796,7 +800,7 @@ static void handle_band(struct wiphy *wiphy, enum ieee80211_band band)
         sband = wiphy->bands[band];
 
         for (i = 0; i < sband->n_channels; i++)
-                handle_channel(wiphy, band, i);
+                handle_channel(wiphy, initiator, band, i);
 }
 
 static bool ignore_reg_update(struct wiphy *wiphy,
@@ -812,6 +816,7 @@ static bool ignore_reg_update(struct wiphy *wiphy,
          * desired regulatory domain set
          */
         if (wiphy->flags & WIPHY_FLAG_STRICT_REGULATORY && !wiphy->regd &&
+            initiator != NL80211_REGDOM_SET_BY_COUNTRY_IE &&
             !is_world_regdom(last_request->alpha2))
                 return true;
         return false;
@@ -1033,7 +1038,7 @@ void wiphy_update_regulatory(struct wiphy *wiphy,
                 goto out;
         for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
                 if (wiphy->bands[band])
-                        handle_band(wiphy, band);
+                        handle_band(wiphy, band, initiator);
         }
 out:
         reg_process_beacons(wiphy);
@@ -1170,7 +1175,7 @@ static int ignore_request(struct wiphy *wiphy,
                                 return 0;
                         return -EALREADY;
                 }
-                return REG_INTERSECT;
+                return 0;
         case NL80211_REGDOM_SET_BY_DRIVER:
                 if (last_request->initiator == NL80211_REGDOM_SET_BY_CORE) {
                         if (regdom_changes(pending_request->alpha2))
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 5ca8c7180141..503ebb86ba18 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -650,14 +650,14 @@ void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
         bss = container_of(pub, struct cfg80211_internal_bss, pub);
 
         spin_lock_bh(&dev->bss_lock);
+        if (!list_empty(&bss->list)) {
+                list_del_init(&bss->list);
+                dev->bss_generation++;
+                rb_erase(&bss->rbn, &dev->bss_tree);
 
-        list_del(&bss->list);
-        dev->bss_generation++;
-        rb_erase(&bss->rbn, &dev->bss_tree);
-
+                kref_put(&bss->ref, bss_release);
+        }
         spin_unlock_bh(&dev->bss_lock);
-
-        kref_put(&bss->ref, bss_release);
 }
 EXPORT_SYMBOL(cfg80211_unlink_bss);
 
diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index 771bab00754b..55187c8f6420 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
         while (len > 0) {
                 switch (*p & X25_FAC_CLASS_MASK) {
                 case X25_FAC_CLASS_A:
+                        if (len < 2)
+                                return 0;
                         switch (*p) {
                         case X25_FAC_REVERSE:
                                 if((p[1] & 0x81) == 0x81) {
@@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                         len -= 2;
                         break;
                 case X25_FAC_CLASS_B:
+                        if (len < 3)
+                                return 0;
                         switch (*p) {
                         case X25_FAC_PACKET_SIZE:
                                 facilities->pacsize_in  = p[1];
@@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                         len -= 3;
                         break;
                 case X25_FAC_CLASS_C:
+                        if (len < 4)
+                                return 0;
                         printk(KERN_DEBUG "X.25: unknown facility %02X, "
                                "values %02X, %02X, %02X\n",
                                p[0], p[1], p[2], p[3]);
@@ -132,26 +138,26 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                         len -= 4;
                         break;
                 case X25_FAC_CLASS_D:
+                        if (len < p[1] + 2)
+                                return 0;
                         switch (*p) {
                         case X25_FAC_CALLING_AE:
-                                if (p[1] > X25_MAX_DTE_FACIL_LEN)
-                                        break;
+                                if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+                                        return 0;
                                 dte_facs->calling_len = p[2];
                                 memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
                                 *vc_fac_mask |= X25_MASK_CALLING_AE;
                                 break;
                         case X25_FAC_CALLED_AE:
-                                if (p[1] > X25_MAX_DTE_FACIL_LEN)
-                                        break;
+                                if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
+                                        return 0;
                                 dte_facs->called_len = p[2];
                                 memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
                                 *vc_fac_mask |= X25_MASK_CALLED_AE;
                                 break;
                         default:
                                 printk(KERN_DEBUG "X.25: unknown facility %02X,"
-                                        "length %d, values %02X, %02X, "
-                                        "%02X, %02X\n",
-                                        p[0], p[1], p[2], p[3], p[4], p[5]);
+                                        "length %d\n", p[0], p[1]);
                                 break;
                         }
                         len -= p[1] + 2;
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index 63178961efac..f729f022be69 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -119,6 +119,8 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
                                                 &x25->vc_facil_mask);
                         if (len > 0)
                                 skb_pull(skb, len);
+                        else
+                                return -1;
                         /*
                          *      Copy any Call User Data.
                          */
diff --git a/net/x25/x25_link.c b/net/x25/x25_link.c
index 73e7b954ad28..b25c6463c3e9 100644
--- a/net/x25/x25_link.c
+++ b/net/x25/x25_link.c
@@ -394,6 +394,7 @@ void __exit x25_link_free(void)
         list_for_each_safe(entry, tmp, &x25_neigh_list) {
                 nb = list_entry(entry, struct x25_neigh, node);
                 __x25_remove_neigh(nb);
+                dev_put(nb->dev);
         }
         write_unlock_bh(&x25_neigh_list_lock);
 }