33 files changed, 175 insertions, 85 deletions

diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 569750010fd3..18e7f5a43dc4 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -770,7 +770,7 @@ static int hidp_setup_hid(struct hidp_session *session,
 
         hid = hid_allocate_device();
         if (IS_ERR(hid))
-                return PTR_ERR(session->hid);
+                return PTR_ERR(hid);
 
         session->hid = hid;
         session->req = req;
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 5129b88c8e5b..1120cf14a548 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1212,6 +1212,7 @@ static void l2cap_monitor_timeout(unsigned long arg)
         bh_lock_sock(sk);
         if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
                 l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk);
+                bh_unlock_sock(sk);
                 return;
         }
 
@@ -3435,8 +3436,8 @@ static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, str
                             (pi->unacked_frames > 0))
                                 __mod_retrans_timer();
 
-                        l2cap_ertm_send(sk);
                         pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
+                        l2cap_ertm_send(sk);
                 }
                 break;
 
@@ -3471,9 +3472,9 @@ static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, str
                 pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
 
                 if (rx_control & L2CAP_CTRL_POLL) {
-                        l2cap_retransmit_frame(sk, tx_seq);
                         pi->expected_ack_seq = tx_seq;
                         l2cap_drop_acked_frames(sk);
+                        l2cap_retransmit_frame(sk, tx_seq);
                         l2cap_ertm_send(sk);
                         if (pi->conn_state & L2CAP_CONN_WAIT_F) {
                                 pi->srej_save_reqseq = tx_seq;
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index bd1c65425d4f..0b7f262cd148 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1406,6 +1406,9 @@ static int do_ebt_set_ctl(struct sock *sk,
 {
         int ret;
 
+        if (!capable(CAP_NET_ADMIN))
+                return -EPERM;
+
         switch(cmd) {
         case EBT_SO_SET_ENTRIES:
                 ret = do_replace(sock_net(sk), user, len);
@@ -1425,6 +1428,9 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
         struct ebt_replace tmp;
         struct ebt_table *t;
 
+        if (!capable(CAP_NET_ADMIN))
+                return -EPERM;
+
         if (copy_from_user(&tmp, user, sizeof(tmp)))
                 return -EFAULT;
 
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index a23b45f08ec9..de0c2c726420 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -250,8 +250,7 @@ struct pktgen_dev {
         __u64 count;            /* Default No packets to send */
         __u64 sofar;            /* How many pkts we've sent so far */
         __u64 tx_bytes;         /* How many bytes we've transmitted */
-        __u64 errors;           /* Errors when trying to transmit,
-                                   pkts will be re-sent */
+        __u64 errors;           /* Errors when trying to transmit, */
 
         /* runtime counters relating to clone_skb */
 
@@ -3465,6 +3464,12 @@ static void pktgen_xmit(struct pktgen_dev *pkt_dev)
                 pkt_dev->seq_num++;
                 pkt_dev->tx_bytes += pkt_dev->last_pkt_size;
                 break;
+        case NET_XMIT_DROP:
+        case NET_XMIT_CN:
+        case NET_XMIT_POLICED:
+                /* skb has been consumed */
+                pkt_dev->errors++;
+                break;
         default: /* Drivers are not supposed to return other values! */
                 if (net_ratelimit())
                         pr_info("pktgen: %s xmit error: %d\n",
diff --git a/net/core/sock.c b/net/core/sock.c
index 76ff58d43e26..e1f6f225f012 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1205,6 +1205,10 @@ struct sock *sk_clone(const struct sock *sk, const gfp_t priority)
 
                 if (newsk->sk_prot->sockets_allocated)
                         percpu_counter_inc(newsk->sk_prot->sockets_allocated);
+
+                if (sock_flag(newsk, SOCK_TIMESTAMP) ||
+                    sock_flag(newsk, SOCK_TIMESTAMPING_RX_SOFTWARE))
+                        net_enable_timestamp();
         }
 out:
         return newsk;
diff --git a/net/dccp/probe.c b/net/dccp/probe.c
index dc328425fa20..a1362dc8abb0 100644
--- a/net/dccp/probe.c
+++ b/net/dccp/probe.c
@@ -43,7 +43,7 @@ static int bufsize = 64 * 1024;
 static const char procname[] = "dccpprobe";
 
 static struct {
-        struct kfifo      *fifo;
+        struct kfifo      fifo;
         spinlock_t        lock;
         wait_queue_head_t wait;
         struct timespec   tstart;
@@ -67,7 +67,7 @@ static void printl(const char *fmt, ...)
         len += vscnprintf(tbuf+len, sizeof(tbuf)-len, fmt, args);
         va_end(args);
 
-        kfifo_put(dccpw.fifo, tbuf, len);
+        kfifo_in_locked(&dccpw.fifo, tbuf, len, &dccpw.lock);
         wake_up(&dccpw.wait);
 }
 
@@ -109,7 +109,7 @@ static struct jprobe dccp_send_probe = {
 
 static int dccpprobe_open(struct inode *inode, struct file *file)
 {
-        kfifo_reset(dccpw.fifo);
+        kfifo_reset(&dccpw.fifo);
         getnstimeofday(&dccpw.tstart);
         return 0;
 }
@@ -131,11 +131,11 @@ static ssize_t dccpprobe_read(struct file *file, char __user *buf,
                 return -ENOMEM;
 
         error = wait_event_interruptible(dccpw.wait,
-                                         __kfifo_len(dccpw.fifo) != 0);
+                                         kfifo_len(&dccpw.fifo) != 0);
         if (error)
                 goto out_free;
 
-        cnt = kfifo_get(dccpw.fifo, tbuf, len);
+        cnt = kfifo_out_locked(&dccpw.fifo, tbuf, len, &dccpw.lock);
         error = copy_to_user(buf, tbuf, cnt) ? -EFAULT : 0;
 
 out_free:
@@ -156,10 +156,8 @@ static __init int dccpprobe_init(void)
 
         init_waitqueue_head(&dccpw.wait);
         spin_lock_init(&dccpw.lock);
-        dccpw.fifo = kfifo_alloc(bufsize, GFP_KERNEL, &dccpw.lock);
-        if (IS_ERR(dccpw.fifo))
-                return PTR_ERR(dccpw.fifo);
-
+        if (kfifo_alloc(&dccpw.fifo, bufsize, GFP_KERNEL))
+                return ret;
         if (!proc_net_fops_create(&init_net, procname, S_IRUSR, &dccpprobe_fops))
                 goto err0;
 
@@ -172,14 +170,14 @@ static __init int dccpprobe_init(void)
 err1:
         proc_net_remove(&init_net, procname);
 err0:
-        kfifo_free(dccpw.fifo);
+        kfifo_free(&dccpw.fifo);
         return ret;
 }
 module_init(dccpprobe_init);
 
 static __exit void dccpprobe_exit(void)
 {
-        kfifo_free(dccpw.fifo);
+        kfifo_free(&dccpw.fifo);
         proc_net_remove(&init_net, procname);
         unregister_jprobe(&dccp_send_probe);
 
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 5cdbc102a418..040c4f05b653 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1397,6 +1397,7 @@ static struct devinet_sysctl_table {
                 DEVINET_SYSCTL_RW_ENTRY(ACCEPT_SOURCE_ROUTE,
                                         "accept_source_route"),
                 DEVINET_SYSCTL_RW_ENTRY(ACCEPT_LOCAL, "accept_local"),
+                DEVINET_SYSCTL_RW_ENTRY(SRC_VMARK, "src_valid_mark"),
                 DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP, "proxy_arp"),
                 DEVINET_SYSCTL_RW_ENTRY(MEDIUM_ID, "medium_id"),
                 DEVINET_SYSCTL_RW_ENTRY(BOOTP_RELAY, "bootp_relay"),
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 3323168ee52d..82dbf711d6d0 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -252,6 +252,8 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
                 no_addr = in_dev->ifa_list == NULL;
                 rpf = IN_DEV_RPFILTER(in_dev);
                 accept_local = IN_DEV_ACCEPT_LOCAL(in_dev);
+                if (mark && !IN_DEV_SRC_VMARK(in_dev))
+                        fl.mark = 0;
         }
         rcu_read_unlock();
 
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index e34013a78ef4..3451799e3dbf 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -254,7 +254,7 @@ int ip_mc_output(struct sk_buff *skb)
          */
 
         if (rt->rt_flags&RTCF_MULTICAST) {
-                if ((!sk || inet_sk(sk)->mc_loop)
+                if (sk_mc_loop(sk)
 #ifdef CONFIG_IP_MROUTE
                 /* Small optimization: do not loopback not local frames,
                    which returned after forwarding; they will be  dropped
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index cd48801a8d6f..eb6d09728633 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -121,10 +121,9 @@ static int ip6_output2(struct sk_buff *skb)
         skb->dev = dev;
 
         if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)) {
-                struct ipv6_pinfo* np = skb->sk ? inet6_sk(skb->sk) : NULL;
                 struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
 
-                if (!(dev->flags & IFF_LOOPBACK) && (!np || np->mc_loop) &&
+                if (!(dev->flags & IFF_LOOPBACK) && sk_mc_loop(skb->sk) &&
                     ((mroute6_socket(dev_net(dev)) &&
                      !(IP6CB(skb)->flags & IP6SKB_FORWARDED)) ||
                      ipv6_chk_mcast_addr(dev, &ipv6_hdr(skb)->daddr,
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 3b3a95607125..2cddea3bd6be 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -708,7 +708,8 @@ static void ip6_frags_ns_sysctl_unregister(struct net *net)
 
         table = net->ipv6.sysctl.frags_hdr->ctl_table_arg;
         unregister_net_sysctl_table(net->ipv6.sysctl.frags_hdr);
-        kfree(table);
+        if (!net_eq(net, &init_net))
+                kfree(table);
 }
 
 static struct ctl_table_header *ip6_ctl_header;
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index db3b27303890..c2bd74c5f8d9 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2630,6 +2630,7 @@ struct ctl_table *ipv6_route_sysctl_init(struct net *net)
                 table[6].data = &net->ipv6.sysctl.ip6_rt_gc_elasticity;
                 table[7].data = &net->ipv6.sysctl.ip6_rt_mtu_expires;
                 table[8].data = &net->ipv6.sysctl.ip6_rt_min_advmss;
+                table[9].data = &net->ipv6.sysctl.ip6_rt_gc_min_interval;
         }
 
         return table;
diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
index 3787455fb696..d7dcee680728 100644
--- a/net/mac80211/ht.c
+++ b/net/mac80211/ht.c
@@ -34,9 +34,28 @@ void ieee80211_ht_cap_ie_to_sta_ht_cap(struct ieee80211_supported_band *sband,
 
         ht_cap->ht_supported = true;
 
-        ht_cap->cap = le16_to_cpu(ht_cap_ie->cap_info) & sband->ht_cap.cap;
-        ht_cap->cap &= ~IEEE80211_HT_CAP_SM_PS;
-        ht_cap->cap |= sband->ht_cap.cap & IEEE80211_HT_CAP_SM_PS;
+        /*
+         * The bits listed in this expression should be
+         * the same for the peer and us, if the station
+         * advertises more then we can't use those thus
+         * we mask them out.
+         */
+        ht_cap->cap = le16_to_cpu(ht_cap_ie->cap_info) &
+                (sband->ht_cap.cap |
+                 ~(IEEE80211_HT_CAP_LDPC_CODING |
+                   IEEE80211_HT_CAP_SUP_WIDTH_20_40 |
+                   IEEE80211_HT_CAP_GRN_FLD |
+                   IEEE80211_HT_CAP_SGI_20 |
+                   IEEE80211_HT_CAP_SGI_40 |
+                   IEEE80211_HT_CAP_DSSSCCK40));
+        /*
+         * The STBC bits are asymmetric -- if we don't have
+         * TX then mask out the peer's RX and vice versa.
+         */
+        if (!(sband->ht_cap.cap & IEEE80211_HT_CAP_TX_STBC))
+                ht_cap->cap &= ~IEEE80211_HT_CAP_RX_STBC;
+        if (!(sband->ht_cap.cap & IEEE80211_HT_CAP_RX_STBC))
+                ht_cap->cap &= ~IEEE80211_HT_CAP_TX_STBC;
 
         ampdu_info = ht_cap_ie->ampdu_params_info;
         ht_cap->ampdu_factor =
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 10d13856f86c..1f2db647bb5c 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -382,6 +382,7 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
 struct sta_info *ieee80211_ibss_add_sta(struct ieee80211_sub_if_data *sdata,
                                         u8 *bssid,u8 *addr, u32 supp_rates)
 {
+        struct ieee80211_if_ibss *ifibss = &sdata->u.ibss;
         struct ieee80211_local *local = sdata->local;
         struct sta_info *sta;
         int band = local->hw.conf.channel->band;
@@ -397,6 +398,9 @@ struct sta_info *ieee80211_ibss_add_sta(struct ieee80211_sub_if_data *sdata,
                 return NULL;
         }
 
+        if (ifibss->state == IEEE80211_IBSS_MLME_SEARCH)
+                return NULL;
+
         if (compare_ether_addr(bssid, sdata->u.ibss.bssid))
                 return NULL;
 
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 8116d1a96a4a..0d2d94881f1f 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -515,6 +515,8 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
          * and we need some headroom for passing the frame to monitor
          * interfaces, but never both at the same time.
          */
+        BUILD_BUG_ON(IEEE80211_TX_STATUS_HEADROOM !=
+                        sizeof(struct ieee80211_tx_status_rtap_hdr));
         local->tx_headroom = max_t(unsigned int , local->hw.extra_tx_headroom,
                                    sizeof(struct ieee80211_tx_status_rtap_hdr));
 
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index d8d50fb5e823..c79e59f82fd9 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -915,6 +915,14 @@ static void ieee80211_set_associated(struct ieee80211_sub_if_data *sdata,
         sdata->u.mgd.flags &= ~(IEEE80211_STA_CONNECTION_POLL |
                                 IEEE80211_STA_BEACON_POLL);
 
+        /*
+         * Always handle WMM once after association regardless
+         * of the first value the AP uses. Setting -1 here has
+         * that effect because the AP values is an unsigned
+         * 4-bit value.
+         */
+        sdata->u.mgd.wmm_last_param_set = -1;
+
         ieee80211_led_assoc(local, 1);
 
         sdata->vif.bss_conf.assoc = 1;
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 8834cc93c716..27ceaefd7bc8 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1419,6 +1419,10 @@ static bool need_dynamic_ps(struct ieee80211_local *local)
         if (!local->ps_sdata)
                 return false;
 
+        /* No point if we're going to suspend */
+        if (local->quiescing)
+                return false;
+
         return true;
 }
 
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 78a6e924c7e1..dc76267e436e 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1039,7 +1039,19 @@ int ieee80211_reconfig(struct ieee80211_local *local)
 
         /* restart hardware */
         if (local->open_count) {
+                /*
+                 * Upon resume hardware can sometimes be goofy due to
+                 * various platform / driver / bus issues, so restarting
+                 * the device may at times not work immediately. Propagate
+                 * the error.
+                 */
                 res = drv_start(local);
+                if (res) {
+                        WARN(local->suspended, "Harware became unavailable "
+                             "upon resume. This is could be a software issue"
+                             "prior to suspend or a harware issue\n");
+                        return res;
+                }
 
                 ieee80211_led_radio(local, true);
         }
diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
index 79a698052218..f2d76238b9b5 100644
--- a/net/netfilter/ipvs/Kconfig
+++ b/net/netfilter/ipvs/Kconfig
@@ -112,7 +112,8 @@ config	IP_VS_RR
           module, choose M here. If unsure, say N.
  
 config  IP_VS_WRR
-        tristate "weighted round-robin scheduling" 
+        tristate "weighted round-robin scheduling"
+        select GCD
         ---help---
           The weighted robin-robin scheduling algorithm directs network
           connections to different real servers based on server weights
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 6bde12da2fe0..c37ac2d7bec4 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2077,6 +2077,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
         if (!capable(CAP_NET_ADMIN))
                 return -EPERM;
 
+        if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX)
+                return -EINVAL;
+        if (len < 0 || len >  MAX_ARG_LEN)
+                return -EINVAL;
         if (len != set_arglen[SET_CMDID(cmd)]) {
                 pr_err("set_ctl: len %u != %u\n",
                        len, set_arglen[SET_CMDID(cmd)]);
@@ -2352,17 +2356,25 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
 {
         unsigned char arg[128];
         int ret = 0;
+        unsigned int copylen;
 
         if (!capable(CAP_NET_ADMIN))
                 return -EPERM;
 
+        if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_GET_MAX)
+                return -EINVAL;
+
         if (*len < get_arglen[GET_CMDID(cmd)]) {
                 pr_err("get_ctl: len %u < %u\n",
                        *len, get_arglen[GET_CMDID(cmd)]);
                 return -EINVAL;
         }
 
-        if (copy_from_user(arg, user, get_arglen[GET_CMDID(cmd)]) != 0)
+        copylen = get_arglen[GET_CMDID(cmd)];
+        if (copylen > 128)
+                return -EINVAL;
+
+        if (copy_from_user(arg, user, copylen) != 0)
                 return -EFAULT;
 
         if (mutex_lock_interruptible(&__ip_vs_mutex))
diff --git a/net/netfilter/ipvs/ip_vs_wrr.c b/net/netfilter/ipvs/ip_vs_wrr.c
index 6182e8ea0be7..3c115fc19784 100644
--- a/net/netfilter/ipvs/ip_vs_wrr.c
+++ b/net/netfilter/ipvs/ip_vs_wrr.c
@@ -24,6 +24,7 @@
 #include <linux/module.h>
 #include <linux/kernel.h>
 #include <linux/net.h>
+#include <linux/gcd.h>
 
 #include <net/ip_vs.h>
 
@@ -38,20 +39,6 @@ struct ip_vs_wrr_mark {
 };
 
 
-/*
- *    Get the gcd of server weights
- */
-static int gcd(int a, int b)
-{
-        int c;
-
-        while ((c = a % b)) {
-                a = b;
-                b = c;
-        }
-        return b;
-}
-
 static int ip_vs_wrr_gcd_weight(struct ip_vs_service *svc)
 {
         struct ip_vs_dest *dest;
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 38ea7ef3ccd2..f0732aa18e4f 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -323,24 +323,24 @@ static void update_nl_seq(struct nf_conn *ct, u32 nl_seq,
                           struct nf_ct_ftp_master *info, int dir,
                           struct sk_buff *skb)
 {
-        unsigned int i, oldest = NUM_SEQ_TO_REMEMBER;
+        unsigned int i, oldest;
 
         /* Look for oldest: if we find exact match, we're done. */
         for (i = 0; i < info->seq_aft_nl_num[dir]; i++) {
                 if (info->seq_aft_nl[dir][i] == nl_seq)
                         return;
-
-                if (oldest == info->seq_aft_nl_num[dir] ||
-                    before(info->seq_aft_nl[dir][i],
-                           info->seq_aft_nl[dir][oldest]))
-                        oldest = i;
         }
 
         if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
                 info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
-        } else if (oldest != NUM_SEQ_TO_REMEMBER &&
-                   after(nl_seq, info->seq_aft_nl[dir][oldest])) {
-                info->seq_aft_nl[dir][oldest] = nl_seq;
+        } else {
+                if (before(info->seq_aft_nl[dir][0], info->seq_aft_nl[dir][1]))
+                        oldest = 0;
+                else
+                        oldest = 1;
+
+                if (after(nl_seq, info->seq_aft_nl[dir][oldest]))
+                        info->seq_aft_nl[dir][oldest] = nl_seq;
         }
 }
 
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index e0516a22be2e..f126d18dbdc4 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1021,8 +1021,20 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 
                 status = TP_STATUS_SEND_REQUEST;
                 err = dev_queue_xmit(skb);
-                if (unlikely(err > 0 && (err = net_xmit_errno(err)) != 0))
-                        goto out_xmit;
+                if (unlikely(err > 0)) {
+                        err = net_xmit_errno(err);
+                        if (err && __packet_get_status(po, ph) ==
+                                   TP_STATUS_AVAILABLE) {
+                                /* skb was destructed already */
+                                skb = NULL;
+                                goto out_status;
+                        }
+                        /*
+                         * skb was dropped but not destructed yet;
+                         * let's treat it like congestion or err < 0
+                         */
+                        err = 0;
+                }
                 packet_increment_head(&po->tx_ring);
                 len_sum += tp_len;
         } while (likely((ph != NULL) ||
@@ -1033,9 +1045,6 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
         err = len_sum;
         goto out_put;
 
-out_xmit:
-        skb->destructor = sock_wfree;
-        atomic_dec(&po->tx_ring.pending);
 out_status:
         __packet_set_status(po, ph, status);
         kfree_skb(skb);
diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
index 114df6eec8c3..968e8bac1b5d 100644
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -75,7 +75,7 @@ static void rose_loopback_timer(unsigned long param)
                 lci_i     = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
                 frametype = skb->data[2];
                 dest      = (rose_address *)(skb->data + 4);
-                lci_o     = 0xFFF - lci_i;
+                lci_o     = ROSE_DEFAULT_MAXVC + 1 - lci_i;
 
                 skb_reset_transport_header(skb);
 
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 89ab66e54740..67fdac9d2d33 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2087,8 +2087,7 @@ static int sctp_setsockopt_autoclose(struct sock *sk, char __user *optval,
         if (copy_from_user(&sp->autoclose, optval, optlen))
                 return -EFAULT;
         /* make sure it won't exceed MAX_SCHEDULE_TIMEOUT */
-        if (sp->autoclose > (MAX_SCHEDULE_TIMEOUT / HZ) )
-                sp->autoclose = (__u32)(MAX_SCHEDULE_TIMEOUT / HZ) ;
+        sp->autoclose = min_t(long, sp->autoclose, MAX_SCHEDULE_TIMEOUT / HZ);
 
         return 0;
 }
diff --git a/net/socket.c b/net/socket.c
index dbfdfa96d29b..769c386bd428 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -312,18 +312,6 @@ static struct file_system_type sock_fs_type = {
         .kill_sb =      kill_anon_super,
 };
 
-static int sockfs_delete_dentry(struct dentry *dentry)
-{
-        /*
-         * At creation time, we pretended this dentry was hashed
-         * (by clearing DCACHE_UNHASHED bit in d_flags)
-         * At delete time, we restore the truth : not hashed.
-         * (so that dput() can proceed correctly)
-         */
-        dentry->d_flags |= DCACHE_UNHASHED;
-        return 0;
-}
-
 /*
  * sockfs_dname() is called from d_path().
  */
@@ -334,7 +322,6 @@ static char *sockfs_dname(struct dentry *dentry, char *buffer, int buflen)
 }
 
 static const struct dentry_operations sockfs_dentry_operations = {
-        .d_delete = sockfs_delete_dentry,
         .d_dname  = sockfs_dname,
 };
 
@@ -374,12 +361,6 @@ static int sock_alloc_file(struct socket *sock, struct file **f, int flags)
         path.mnt = mntget(sock_mnt);
 
         path.dentry->d_op = &sockfs_dentry_operations;
-        /*
-         * We dont want to push this dentry into global dentry hash table.
-         * We pretend dentry is already hashed, by unsetting DCACHE_UNHASHED
-         * This permits a working /proc/$pid/fd/XXX on sockets
-         */
-        path.dentry->d_flags &= ~DCACHE_UNHASHED;
         d_instantiate(path.dentry, SOCK_INODE(sock));
         SOCK_INODE(sock)->i_fop = &socket_file_ops;
 
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 3c3c50f38a1c..f7a7f8380e38 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -644,7 +644,22 @@ gss_pipe_downcall(struct file *filp, const char __user *src, size_t mlen)
         p = gss_fill_context(p, end, ctx, gss_msg->auth->mech);
         if (IS_ERR(p)) {
                 err = PTR_ERR(p);
-                gss_msg->msg.errno = (err == -EAGAIN) ? -EAGAIN : -EACCES;
+                switch (err) {
+                case -EACCES:
+                        gss_msg->msg.errno = err;
+                        err = mlen;
+                        break;
+                case -EFAULT:
+                case -ENOMEM:
+                case -EINVAL:
+                case -ENOSYS:
+                        gss_msg->msg.errno = -EAGAIN;
+                        break;
+                default:
+                        printk(KERN_CRIT "%s: bad return from "
+                                "gss_fill_context: %zd\n", __func__, err);
+                        BUG();
+                }
                 goto err_release_msg;
         }
         gss_msg->ctx = gss_get_ctx(ctx);
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index ef45eba22485..2deb0ed72ff4 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -131,8 +131,10 @@ gss_import_sec_context_kerberos(const void *p,
         struct  krb5_ctx *ctx;
         int tmp;
 
-        if (!(ctx = kzalloc(sizeof(*ctx), GFP_NOFS)))
+        if (!(ctx = kzalloc(sizeof(*ctx), GFP_NOFS))) {
+                p = ERR_PTR(-ENOMEM);
                 goto out_err;
+        }
 
         p = simple_get_bytes(p, end, &ctx->initiate, sizeof(ctx->initiate));
         if (IS_ERR(p))
diff --git a/net/sunrpc/auth_gss/gss_mech_switch.c b/net/sunrpc/auth_gss/gss_mech_switch.c
index 6efbb0cd3c7c..76e4c6f4ac3c 100644
--- a/net/sunrpc/auth_gss/gss_mech_switch.c
+++ b/net/sunrpc/auth_gss/gss_mech_switch.c
@@ -252,7 +252,7 @@ gss_import_sec_context(const void *input_token, size_t bufsize,
                        struct gss_ctx           **ctx_id)
 {
         if (!(*ctx_id = kzalloc(sizeof(**ctx_id), GFP_KERNEL)))
-                return GSS_S_FAILURE;
+                return -ENOMEM;
         (*ctx_id)->mech_type = gss_mech_get(mech);
 
         return mech->gm_ops
diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index 1c924ee0a1ef..7d1f9e928f69 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -699,7 +699,8 @@ int svc_recv(struct svc_rqst *rqstp, long timeout)
         spin_unlock_bh(&pool->sp_lock);
 
         len = 0;
-        if (test_bit(XPT_LISTENER, &xprt->xpt_flags)) {
+        if (test_bit(XPT_LISTENER, &xprt->xpt_flags) &&
+            !test_bit(XPT_CLOSE, &xprt->xpt_flags)) {
                 struct svc_xprt *newxpt;
                 newxpt = xprt->xpt_ops->xpo_accept(xprt);
                 if (newxpt) {
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index 1001db4912f7..82e6002c8d67 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -93,7 +93,18 @@ void cfg80211_send_rx_assoc(struct net_device *dev, const u8 *buf, size_t len)
                         }
                 }
 
-                WARN_ON(!bss);
+                /*
+                 * We might be coming here because the driver reported
+                 * a successful association at the same time as the
+                 * user requested a deauth. In that case, we will have
+                 * removed the BSS from the auth_bsses list due to the
+                 * deauth request when the assoc response makes it. If
+                 * the two code paths acquire the lock the other way
+                 * around, that's just the standard situation of a
+                 * deauth being requested while connected.
+                 */
+                if (!bss)
+                        goto out;
         } else if (wdev->conn) {
                 cfg80211_sme_failed_assoc(wdev);
                 /*
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 12dfa62aad18..0c2cbbebca95 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -601,7 +601,7 @@ int cfg80211_wext_siwscan(struct net_device *dev,
         struct cfg80211_registered_device *rdev;
         struct wiphy *wiphy;
         struct iw_scan_req *wreq = NULL;
-        struct cfg80211_scan_request *creq;
+        struct cfg80211_scan_request *creq = NULL;
         int i, err, n_channels = 0;
         enum ieee80211_band band;
 
@@ -694,8 +694,10 @@ int cfg80211_wext_siwscan(struct net_device *dev,
         /* translate "Scan for SSID" request */
         if (wreq) {
                 if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
-                        if (wreq->essid_len > IEEE80211_MAX_SSID_LEN)
-                                return -EINVAL;
+                        if (wreq->essid_len > IEEE80211_MAX_SSID_LEN) {
+                                err = -EINVAL;
+                                goto out;
+                        }
                         memcpy(creq->ssids[0].ssid, wreq->essid, wreq->essid_len);
                         creq->ssids[0].ssid_len = wreq->essid_len;
                 }
@@ -707,12 +709,15 @@ int cfg80211_wext_siwscan(struct net_device *dev,
         err = rdev->ops->scan(wiphy, dev, creq);
         if (err) {
                 rdev->scan_req = NULL;
-                kfree(creq);
+                /* creq will be freed below */
         } else {
                 nl80211_send_scan_start(rdev, dev);
+                /* creq now owned by driver */
+                creq = NULL;
                 dev_hold(dev);
         }
  out:
+        kfree(creq);
         cfg80211_unlock_rdev(rdev);
         return err;
 }
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index cb81ca35b0d6..4725a549ad4d 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1445,7 +1445,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
         if (!dev)
                 goto free_dst;
 
-        /* Copy neighbout for reachability confirmation */
+        /* Copy neighbour for reachability confirmation */
         dst0->neighbour = neigh_clone(dst->neighbour);
 
         xfrm_init_path((struct xfrm_dst *)dst0, dst, nfheader_len);