75 files changed, 686 insertions, 310 deletions
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 73a2a83ee2da..402442402af7 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -137,9 +137,21 @@ static int vlan_dev_hard_header(struct sk_buff *skb, struct net_device *dev,
        return rc;
 }
+static inline netdev_tx_t vlan_netpoll_send_skb(struct vlan_dev_priv *vlan, struct sk_buff *skb)
+{
+#ifdef CONFIG_NET_POLL_CONTROLLER
+        if (vlan->netpoll)
+                netpoll_send_skb(vlan->netpoll, skb);
+#else
+        BUG();
+#endif
+        return NETDEV_TX_OK;
+}
 static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
                                            struct net_device *dev)
 {
+        struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
        struct vlan_ethhdr *veth = (struct vlan_ethhdr *)(skb->data);
        unsigned int len;
        int ret;
@@ -150,29 +162,30 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
         * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs...
         */
        if (veth->h_vlan_proto != htons(ETH_P_8021Q) ||
-            vlan_dev_priv(dev)->flags & VLAN_FLAG_REORDER_HDR) {
+            vlan->flags & VLAN_FLAG_REORDER_HDR) {
                u16 vlan_tci;
-                vlan_tci = vlan_dev_priv(dev)->vlan_id;
+                vlan_tci = vlan->vlan_id;
                vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb);
                skb = __vlan_hwaccel_put_tag(skb, vlan_tci);
        }
-        skb->dev = vlan_dev_priv(dev)->real_dev;
+        skb->dev = vlan->real_dev;
        len = skb->len;
-        if (netpoll_tx_running(dev))
+        if (unlikely(netpoll_tx_running(dev)))
-                return skb->dev->netdev_ops->ndo_start_xmit(skb, skb->dev);
+                return vlan_netpoll_send_skb(vlan, skb);
        ret = dev_queue_xmit(skb);
        if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
                struct vlan_pcpu_stats *stats;
-                stats = this_cpu_ptr(vlan_dev_priv(dev)->vlan_pcpu_stats);
+                stats = this_cpu_ptr(vlan->vlan_pcpu_stats);
                u64_stats_update_begin(&stats->syncp);
                stats->tx_packets++;
                stats->tx_bytes += len;
                u64_stats_update_end(&stats->syncp);
        } else {
-                this_cpu_inc(vlan_dev_priv(dev)->vlan_pcpu_stats->tx_dropped);
+                this_cpu_inc(vlan->vlan_pcpu_stats->tx_dropped);
        }
        return ret;
@@ -669,25 +682,26 @@ static void vlan_dev_poll_controller(struct net_device *dev)
        return;
 }
-static int vlan_dev_netpoll_setup(struct net_device *dev, struct netpoll_info *npinfo)
+static int vlan_dev_netpoll_setup(struct net_device *dev, struct netpoll_info *npinfo,
+                                  gfp_t gfp)
 {
-        struct vlan_dev_priv *info = vlan_dev_priv(dev);
+        struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
-        struct net_device *real_dev = info->real_dev;
+        struct net_device *real_dev = vlan->real_dev;
        struct netpoll *netpoll;
        int err = 0;
-        netpoll = kzalloc(sizeof(*netpoll), GFP_KERNEL);
+        netpoll = kzalloc(sizeof(*netpoll), gfp);
        err = -ENOMEM;
        if (!netpoll)
                goto out;
-        err = __netpoll_setup(netpoll, real_dev);
+        err = __netpoll_setup(netpoll, real_dev, gfp);
        if (err) {
                kfree(netpoll);
                goto out;
        }
-        info->netpoll = netpoll;
+        vlan->netpoll = netpoll;
 out:
        return err;
@@ -695,19 +709,15 @@ out:
 static void vlan_dev_netpoll_cleanup(struct net_device *dev)
 {
-        struct vlan_dev_priv *info = vlan_dev_priv(dev);
+        struct vlan_dev_priv *vlan= vlan_dev_priv(dev);
-        struct netpoll *netpoll = info->netpoll;
+        struct netpoll *netpoll = vlan->netpoll;
        if (!netpoll)
                return;
-        info->netpoll = NULL;
+        vlan->netpoll = NULL;
-        /* Wait for transmitting packets to finish before freeing. */
-        synchronize_rcu_bh();
-        __netpoll_cleanup(netpoll);
+        __netpoll_free_rcu(netpoll);
-        kfree(netpoll);
 }
 #endif /* CONFIG_NET_POLL_CONTROLLER */
diff --git a/net/atm/common.c b/net/atm/common.c
index b4b44dbed645..0c0ad930a632 100644
--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -812,6 +812,7 @@ int vcc_getsockopt(struct socket *sock, int level, int optname,
                if (!vcc->dev || !test_bit(ATM_VF_ADDR, &vcc->flags))
                        return -ENOTCONN;
+                memset(&pvc, 0, sizeof(pvc));
                pvc.sap_family = AF_ATMPVC;
                pvc.sap_addr.itf = vcc->dev->number;
                pvc.sap_addr.vpi = vcc->vpi;
diff --git a/net/atm/pvc.c b/net/atm/pvc.c
index 3a734919c36c..ae0324021407 100644
--- a/net/atm/pvc.c
+++ b/net/atm/pvc.c
@@ -95,6 +95,7 @@ static int pvc_getname(struct socket *sock, struct sockaddr *sockaddr,
                return -ENOTCONN;
        *sockaddr_len = sizeof(struct sockaddr_atmpvc);
        addr = (struct sockaddr_atmpvc *)sockaddr;
+        memset(addr, 0, sizeof(*addr));
        addr->sap_family = AF_ATMPVC;
        addr->sap_addr.itf = vcc->dev->number;
        addr->sap_addr.vpi = vcc->vpi;
diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
index b421cc49d2cd..fc866f2e4528 100644
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -200,11 +200,11 @@ void batadv_gw_election(struct batadv_priv *bat_priv)
        if (atomic_read(&bat_priv->gw_mode) != BATADV_GW_MODE_CLIENT)
                goto out;
-        if (!batadv_atomic_dec_not_zero(&bat_priv->gw_reselect))
-                goto out;
        curr_gw = batadv_gw_get_selected_gw_node(bat_priv);
+        if (!batadv_atomic_dec_not_zero(&bat_priv->gw_reselect) && curr_gw)
+                goto out;
        next_gw = batadv_gw_get_best_gw_node(bat_priv);
        if (curr_gw == next_gw)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index a438f4b582fc..99dd8f75b3ff 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -197,6 +197,7 @@ static void batadv_tt_local_event(struct batadv_priv *bat_priv,
 del:
                list_del(&entry->list);
                kfree(entry);
+                kfree(tt_change_node);
                event_removed = true;
                goto unlock;
        }
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 41ff978a33f9..715d7e33fba0 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1365,6 +1365,9 @@ static bool hci_resolve_next_name(struct hci_dev *hdev)
                return false;
        e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
+        if (!e)
+                return false;
        if (hci_resolve_name(hdev, e) == 0) {
                e->name_state = NAME_PENDING;
                return true;
@@ -1393,12 +1396,20 @@ static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
                return;
        e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
-        if (e) {
+        /* If the device was not found in a list of found devices names of which
+         * are pending. there is no need to continue resolving a next name as it
+         * will be done upon receiving another Remote Name Request Complete
+         * Event */
+        if (!e)
+                return;
+        list_del(&e->list);
+        if (name) {
                e->name_state = NAME_KNOWN;
-                list_del(&e->list);
+                mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
-                if (name)
+                                 e->data.rssi, name, name_len);
-                        mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
+        } else {
-                                         e->data.rssi, name, name_len);
+                e->name_state = NAME_NOT_KNOWN;
        }
        if (hci_resolve_next_name(hdev))
@@ -1762,7 +1773,12 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
                if (conn->type == ACL_LINK) {
                        conn->state = BT_CONFIG;
                        hci_conn_hold(conn);
-                        conn->disc_timeout = HCI_DISCONN_TIMEOUT;
+                        if (!conn->out && !hci_conn_ssp_enabled(conn) &&
+                            !hci_find_link_key(hdev, &ev->bdaddr))
+                                conn->disc_timeout = HCI_PAIRING_TIMEOUT;
+                        else
+                                conn->disc_timeout = HCI_DISCONN_TIMEOUT;
                } else
                        conn->state = BT_CONNECTED;
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index a7f04de03d79..19fdac78e555 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -694,6 +694,7 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
        *addr_len = sizeof(*haddr);
        haddr->hci_family = AF_BLUETOOTH;
        haddr->hci_dev    = hdev->id;
+        haddr->hci_channel= 0;
        release_sock(sk);
        return 0;
@@ -1009,6 +1010,7 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
                {
                        struct hci_filter *f = &hci_pi(sk)->filter;
+                        memset(&uf, 0, sizeof(uf));
                        uf.type_mask = f->type_mask;
                        uf.opcode    = f->opcode;
                        uf.event_mask[0] = *((u32 *) f->event_mask + 0);
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a8964db04bfb..daa149b7003c 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1181,6 +1181,7 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
        sk = chan->sk;
        hci_conn_hold(conn->hcon);
+        conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
        bacpy(&bt_sk(sk)->src, conn->src);
        bacpy(&bt_sk(sk)->dst, conn->dst);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index a4bb27e8427e..1497edd191a2 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -245,6 +245,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
        BT_DBG("sock %p, sk %p", sock, sk);
+        memset(la, 0, sizeof(struct sockaddr_l2));
        addr->sa_family = AF_BLUETOOTH;
        *len = sizeof(struct sockaddr_l2);
@@ -1174,7 +1175,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int p
        chan = l2cap_chan_create();
        if (!chan) {
-                l2cap_sock_kill(sk);
+                sk_free(sk);
                return NULL;
        }
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 7e1e59645c05..1a17850d093c 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -528,6 +528,7 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *
        BT_DBG("sock %p, sk %p", sock, sk);
+        memset(sa, 0, sizeof(*sa));
        sa->rc_family  = AF_BLUETOOTH;
        sa->rc_channel = rfcomm_pi(sk)->channel;
        if (peer)
@@ -822,6 +823,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
                }
                sec.level = rfcomm_pi(sk)->sec_level;
+                sec.key_size = 0;
                len = min_t(unsigned int, len, sizeof(sec));
                if (copy_to_user(optval, (char *) &sec, len))
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index cb960773c002..56f182393c4c 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -456,7 +456,7 @@ static int rfcomm_get_dev_list(void __user *arg)
        size = sizeof(*dl) + dev_num * sizeof(*di);
-        dl = kmalloc(size, GFP_KERNEL);
+        dl = kzalloc(size, GFP_KERNEL);
        if (!dl)
                return -ENOMEM;
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 40bbe25dcff7..3589e21edb09 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -131,6 +131,15 @@ static int sco_conn_del(struct hci_conn *hcon, int err)
                sco_sock_clear_timer(sk);
                sco_chan_del(sk, err);
                bh_unlock_sock(sk);
+                sco_conn_lock(conn);
+                conn->sk = NULL;
+                sco_pi(sk)->conn = NULL;
+                sco_conn_unlock(conn);
+                if (conn->hcon)
+                        hci_conn_put(conn->hcon);
                sco_sock_kill(sk);
        }
@@ -821,16 +830,6 @@ static void sco_chan_del(struct sock *sk, int err)
        BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
-        if (conn) {
-                sco_conn_lock(conn);
-                conn->sk = NULL;
-                sco_pi(sk)->conn = NULL;
-                sco_conn_unlock(conn);
-                if (conn->hcon)
-                        hci_conn_put(conn->hcon);
-        }
        sk->sk_state = BT_CLOSED;
        sk->sk_err   = err;
        sk->sk_state_change(sk);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 16ef0dc85a0a..901a616c8083 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -579,8 +579,11 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
        if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
                smp = smp_chan_create(conn);
+        else
+                smp = conn->smp_chan;
-        smp = conn->smp_chan;
+        if (!smp)
+                return SMP_UNSPECIFIED;
        smp->preq[0] = SMP_CMD_PAIRING_REQ;
        memcpy(&smp->preq[1], req, sizeof(*req));
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 333484537600..070e8a68cfc6 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -31,9 +31,11 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
        struct net_bridge_mdb_entry *mdst;
        struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats);
+        rcu_read_lock();
 #ifdef CONFIG_BRIDGE_NETFILTER
        if (skb->nf_bridge && (skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) {
                br_nf_pre_routing_finish_bridge_slow(skb);
+                rcu_read_unlock();
                return NETDEV_TX_OK;
        }
 #endif
@@ -48,7 +50,6 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
        skb_reset_mac_header(skb);
        skb_pull(skb, ETH_HLEN);
-        rcu_read_lock();
        if (is_broadcast_ether_addr(dest))
                br_flood_deliver(br, skb);
        else if (is_multicast_ether_addr(dest)) {
@@ -206,24 +207,23 @@ static void br_poll_controller(struct net_device *br_dev)
 static void br_netpoll_cleanup(struct net_device *dev)
 {
        struct net_bridge *br = netdev_priv(dev);
-        struct net_bridge_port *p, *n;
+        struct net_bridge_port *p;
-        list_for_each_entry_safe(p, n, &br->port_list, list) {
+        list_for_each_entry(p, &br->port_list, list)
                br_netpoll_disable(p);
-        }
 }
-static int br_netpoll_setup(struct net_device *dev, struct netpoll_info *ni)
+static int br_netpoll_setup(struct net_device *dev, struct netpoll_info *ni,
+                            gfp_t gfp)
 {
        struct net_bridge *br = netdev_priv(dev);
-        struct net_bridge_port *p, *n;
+        struct net_bridge_port *p;
        int err = 0;
-        list_for_each_entry_safe(p, n, &br->port_list, list) {
+        list_for_each_entry(p, &br->port_list, list) {
                if (!p->dev)
                        continue;
+                err = br_netpoll_enable(p, gfp);
-                err = br_netpoll_enable(p);
                if (err)
                        goto fail;
        }
@@ -236,17 +236,17 @@ fail:
        goto out;
 }
-int br_netpoll_enable(struct net_bridge_port *p)
+int br_netpoll_enable(struct net_bridge_port *p, gfp_t gfp)
 {
        struct netpoll *np;
        int err = 0;
-        np = kzalloc(sizeof(*p->np), GFP_KERNEL);
+        np = kzalloc(sizeof(*p->np), gfp);
        err = -ENOMEM;
        if (!np)
                goto out;
-        err = __netpoll_setup(np, p->dev);
+        err = __netpoll_setup(np, p->dev, gfp);
        if (err) {
                kfree(np);
                goto out;
@@ -267,11 +267,7 @@ void br_netpoll_disable(struct net_bridge_port *p)
        p->np = NULL;
-        /* Wait for transmitting packets to finish before freeing. */
+        __netpoll_free_rcu(np);
-        synchronize_rcu_bh();
-        __netpoll_cleanup(np);
-        kfree(np);
 }
 #endif
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index e9466d412707..02015a505d2a 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -65,7 +65,7 @@ static void __br_deliver(const struct net_bridge_port *to, struct sk_buff *skb)
 {
        skb->dev = to->dev;
-        if (unlikely(netpoll_tx_running(to->dev))) {
+        if (unlikely(netpoll_tx_running(to->br->dev))) {
                if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb))
                        kfree_skb(skb);
                else {
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index e1144e1617be..1c8fdc3558cd 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -361,7 +361,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
        if (err)
                goto err2;
-        if (br_netpoll_info(br) && ((err = br_netpoll_enable(p))))
+        if (br_netpoll_info(br) && ((err = br_netpoll_enable(p, GFP_KERNEL))))
                goto err3;
        err = netdev_set_master(dev, br->dev);
@@ -427,6 +427,10 @@ int br_del_if(struct net_bridge *br, struct net_device *dev)
        if (!p || p->br != br)
                return -EINVAL;
+        /* Since more than one interface can be attached to a bridge,
+         * there still maybe an alternate path for netconsole to use;
+         * therefore there is no reason for a NETDEV_RELEASE event.
+         */
        del_nbp(p);
        spin_lock_bh(&br->lock);
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index a768b2408edf..f507d2af9646 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -316,7 +316,7 @@ static inline void br_netpoll_send_skb(const struct net_bridge_port *p,
                netpoll_send_skb(np, skb);
 }
-extern int br_netpoll_enable(struct net_bridge_port *p);
+extern int br_netpoll_enable(struct net_bridge_port *p, gfp_t gfp);
 extern void br_netpoll_disable(struct net_bridge_port *p);
 #else
 static inline struct netpoll_info *br_netpoll_info(struct net_bridge *br)
@@ -329,7 +329,7 @@ static inline void br_netpoll_send_skb(const struct net_bridge_port *p,
 {
 }
-static inline int br_netpoll_enable(struct net_bridge_port *p)
+static inline int br_netpoll_enable(struct net_bridge_port *p, gfp_t gfp)
 {
        return 0;
 }
diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
index 69771c04ba8f..e597733affb8 100644
--- a/net/caif/chnl_net.c
+++ b/net/caif/chnl_net.c
@@ -94,6 +94,10 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt)
        /* check the version of IP */
        ip_version = skb_header_pointer(skb, 0, 1, &buf);
+        if (!ip_version) {
+                kfree_skb(skb);
+                return -EINVAL;
+        }
        switch (*ip_version >> 4) {
        case 4:
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index 69e38db28e5f..a8020293f342 100644
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -84,7 +84,6 @@ int ceph_check_fsid(struct ceph_client *client, struct ceph_fsid *fsid)
                        return -1;
                }
        } else {
-                pr_info("client%lld fsid %pU\n", ceph_client_id(client), fsid);
                memcpy(&client->fsid, fsid, sizeof(*fsid));
        }
        return 0;
diff --git a/net/ceph/debugfs.c b/net/ceph/debugfs.c
index 54b531a01121..38b5dc1823d4 100644
--- a/net/ceph/debugfs.c
+++ b/net/ceph/debugfs.c
@@ -189,6 +189,9 @@ int ceph_debugfs_client_init(struct ceph_client *client)
        snprintf(name, sizeof(name), "%pU.client%lld", &client->fsid,
                 client->monc.auth->global_id);
+        dout("ceph_debugfs_client_init %p %s\n", client, name);
+        BUG_ON(client->debugfs_dir);
        client->debugfs_dir = debugfs_create_dir(name, ceph_debugfs_dir);
        if (!client->debugfs_dir)
                goto out;
@@ -234,6 +237,7 @@ out:
 void ceph_debugfs_client_cleanup(struct ceph_client *client)
 {
+        dout("ceph_debugfs_client_cleanup %p\n", client);
        debugfs_remove(client->debugfs_osdmap);
        debugfs_remove(client->debugfs_monmap);
        debugfs_remove(client->osdc.debugfs_file);
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index b9796750034a..24c5eea8c45b 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -915,7 +915,6 @@ static int prepare_write_connect(struct ceph_connection *con)
        con->out_connect.authorizer_len = auth ?
                cpu_to_le32(auth->authorizer_buf_len) : 0;
-        con_out_kvec_reset(con);
        con_out_kvec_add(con, sizeof (con->out_connect),
                                        &con->out_connect);
        if (auth && auth->authorizer_buf_len)
@@ -1557,6 +1556,7 @@ static int process_connect(struct ceph_connection *con)
                        return -1;
                }
                con->auth_retry = 1;
+                con_out_kvec_reset(con);
                ret = prepare_write_connect(con);
                if (ret < 0)
                        return ret;
@@ -1577,6 +1577,7 @@ static int process_connect(struct ceph_connection *con)
                       ENTITY_NAME(con->peer_name),
                       ceph_pr_addr(&con->peer_addr.in_addr));
                reset_connection(con);
+                con_out_kvec_reset(con);
                ret = prepare_write_connect(con);
                if (ret < 0)
                        return ret;
@@ -1601,6 +1602,7 @@ static int process_connect(struct ceph_connection *con)
                     le32_to_cpu(con->out_connect.connect_seq),
                     le32_to_cpu(con->in_reply.connect_seq));
                con->connect_seq = le32_to_cpu(con->in_reply.connect_seq);
+                con_out_kvec_reset(con);
                ret = prepare_write_connect(con);
                if (ret < 0)
                        return ret;
@@ -1617,6 +1619,7 @@ static int process_connect(struct ceph_connection *con)
                     le32_to_cpu(con->in_reply.global_seq));
                get_global_seq(con->msgr,
                               le32_to_cpu(con->in_reply.global_seq));
+                con_out_kvec_reset(con);
                ret = prepare_write_connect(con);
                if (ret < 0)
                        return ret;
@@ -2135,7 +2138,11 @@ more:
                BUG_ON(con->state != CON_STATE_CONNECTING);
                con->state = CON_STATE_NEGOTIATING;
-                /* Banner is good, exchange connection info */
+                /*
+                 * Received banner is good, exchange connection info.
+                 * Do not reset out_kvec, as sending our banner raced
+                 * with receiving peer banner after connect completed.
+                 */
                ret = prepare_write_connect(con);
                if (ret < 0)
                        goto out;
diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
index 105d533b55f3..900ea0f043fc 100644
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -311,6 +311,17 @@ int ceph_monc_open_session(struct ceph_mon_client *monc)
 EXPORT_SYMBOL(ceph_monc_open_session);
 /*
+ * We require the fsid and global_id in order to initialize our
+ * debugfs dir.
+ */
+static bool have_debugfs_info(struct ceph_mon_client *monc)
+{
+        dout("have_debugfs_info fsid %d globalid %lld\n",
+             (int)monc->client->have_fsid, monc->auth->global_id);
+        return monc->client->have_fsid && monc->auth->global_id > 0;
+}
+/*
 * The monitor responds with mount ack indicate mount success.  The
 * included client ticket allows the client to talk to MDSs and OSDs.
 */
@@ -320,9 +331,12 @@ static void ceph_monc_handle_map(struct ceph_mon_client *monc,
        struct ceph_client *client = monc->client;
        struct ceph_monmap *monmap = NULL, *old = monc->monmap;
        void *p, *end;
+        int had_debugfs_info, init_debugfs = 0;
        mutex_lock(&monc->mutex);
+        had_debugfs_info = have_debugfs_info(monc);
        dout("handle_monmap\n");
        p = msg->front.iov_base;
        end = p + msg->front.iov_len;
@@ -344,12 +358,22 @@ static void ceph_monc_handle_map(struct ceph_mon_client *monc,
        if (!client->have_fsid) {
                client->have_fsid = true;
+                if (!had_debugfs_info && have_debugfs_info(monc)) {
+                        pr_info("client%lld fsid %pU\n",
+                                ceph_client_id(monc->client),
+                                &monc->client->fsid);
+                        init_debugfs = 1;
+                }
                mutex_unlock(&monc->mutex);
-                /*
-                 * do debugfs initialization without mutex to avoid
+                if (init_debugfs) {
-                 * creating a locking dependency
+                        /*
-                 */
+                         * do debugfs initialization without mutex to avoid
-                ceph_debugfs_client_init(client);
+                         * creating a locking dependency
+                         */
+                        ceph_debugfs_client_init(monc->client);
+                }
                goto out_unlocked;
        }
 out:
@@ -865,8 +889,10 @@ static void handle_auth_reply(struct ceph_mon_client *monc,
 {
        int ret;
        int was_auth = 0;
+        int had_debugfs_info, init_debugfs = 0;
        mutex_lock(&monc->mutex);
+        had_debugfs_info = have_debugfs_info(monc);
        if (monc->auth->ops)
                was_auth = monc->auth->ops->is_authenticated(monc->auth);
        monc->pending_auth = 0;
@@ -889,7 +915,22 @@ static void handle_auth_reply(struct ceph_mon_client *monc,
                __send_subscribe(monc);
                __resend_generic_request(monc);
        }
+        if (!had_debugfs_info && have_debugfs_info(monc)) {
+                pr_info("client%lld fsid %pU\n",
+                        ceph_client_id(monc->client),
+                        &monc->client->fsid);
+                init_debugfs = 1;
+        }
        mutex_unlock(&monc->mutex);
+        if (init_debugfs) {
+                /*
+                 * do debugfs initialization without mutex to avoid
+                 * creating a locking dependency
+                 */
+                ceph_debugfs_client_init(monc->client);
+        }
 }
 static int __validate_auth(struct ceph_mon_client *monc)
diff --git a/net/core/dev.c b/net/core/dev.c
index 0cb3fe8d8e72..83988362805e 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1055,6 +1055,8 @@ rollback:
 */
 int dev_set_alias(struct net_device *dev, const char *alias, size_t len)
 {
+        char *new_ifalias;
        ASSERT_RTNL();
        if (len >= IFALIASZ)
@@ -1068,9 +1070,10 @@ int dev_set_alias(struct net_device *dev, const char *alias, size_t len)
                return 0;
        }
-        dev->ifalias = krealloc(dev->ifalias, len + 1, GFP_KERNEL);
+        new_ifalias = krealloc(dev->ifalias, len + 1, GFP_KERNEL);
-        if (!dev->ifalias)
+        if (!new_ifalias)
                return -ENOMEM;
+        dev->ifalias = new_ifalias;
        strlcpy(dev->ifalias, alias, len+1);
        return len;
@@ -1639,6 +1642,19 @@ static inline int deliver_skb(struct sk_buff *skb,
        return pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
 }
+static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
+{
+        if (ptype->af_packet_priv == NULL)
+                return false;
+        if (ptype->id_match)
+                return ptype->id_match(ptype, skb->sk);
+        else if ((struct sock *)ptype->af_packet_priv == skb->sk)
+                return true;
+        return false;
+}
 /*
 *      Support routine. Sends outgoing frames to any network
 *      taps currently in use.
@@ -1656,8 +1672,7 @@ static void dev_queue_xmit_nit(struct sk_buff *skb, struct net_device *dev)
                 * they originated from - MvS (miquels@drinkel.ow.org)
                 */
                if ((ptype->dev == dev || !ptype->dev) &&
-                    (ptype->af_packet_priv == NULL ||
+                    (!skb_loop_sk(ptype, skb))) {
-                     (struct sock *)ptype->af_packet_priv != skb->sk)) {
                        if (pt_prev) {
                                deliver_skb(skb2, pt_prev, skb->dev);
                                pt_prev = ptype;
@@ -2134,6 +2149,9 @@ netdev_features_t netif_skb_features(struct sk_buff *skb)
        __be16 protocol = skb->protocol;
        netdev_features_t features = skb->dev->features;
+        if (skb_shinfo(skb)->gso_segs > skb->dev->gso_max_segs)
+                features &= ~NETIF_F_GSO_MASK;
        if (protocol == htons(ETH_P_8021Q)) {
                struct vlan_ethhdr *veh = (struct vlan_ethhdr *)skb->data;
                protocol = veh->h_vlan_encapsulated_proto;
@@ -5726,6 +5744,7 @@ EXPORT_SYMBOL(netdev_refcnt_read);
 /**
 * netdev_wait_allrefs - wait until all references are gone.
+ * @dev: target net_device
 *
 * This is called when unregistering network devices.
 *
@@ -5986,6 +6005,7 @@ struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name,
        dev_net_set(dev, &init_net);
        dev->gso_max_size = GSO_MAX_SIZE;
+        dev->gso_max_segs = GSO_MAX_SEGS;
        INIT_LIST_HEAD(&dev->napi_list);
        INIT_LIST_HEAD(&dev->unreg_list);
diff --git a/net/core/dst.c b/net/core/dst.c
index 069d51d29414..56d63612e1e4 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -149,7 +149,15 @@ int dst_discard(struct sk_buff *skb)
 }
 EXPORT_SYMBOL(dst_discard);
-const u32 dst_default_metrics[RTAX_MAX];
+const u32 dst_default_metrics[RTAX_MAX + 1] = {
+        /* This initializer is needed to force linker to place this variable
+         * into const section. Otherwise it might end into bss section.
+         * We really want to avoid false sharing on this variable, and catch
+         * any writes on it.
+         */
+        [RTAX_MAX] = 0xdeadbeef,
+};
 void *dst_alloc(struct dst_ops *ops, struct net_device *dev,
                int initial_ref, int initial_obsolete, unsigned short flags)
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index b4c90e42b443..346b1eb83a1f 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -26,6 +26,7 @@
 #include <linux/workqueue.h>
 #include <linux/slab.h>
 #include <linux/export.h>
+#include <linux/if_vlan.h>
 #include <net/tcp.h>
 #include <net/udp.h>
 #include <asm/unaligned.h>
@@ -54,7 +55,7 @@ static atomic_t trapped;
         MAX_UDP_CHUNK)
 static void zap_completion_queue(void);
-static void arp_reply(struct sk_buff *skb);
+static void netpoll_arp_reply(struct sk_buff *skb, struct netpoll_info *npinfo);
 static unsigned int carrier_timeout = 4;
 module_param(carrier_timeout, uint, 0644);
@@ -167,15 +168,24 @@ static void poll_napi(struct net_device *dev)
        struct napi_struct *napi;
        int budget = 16;
+        WARN_ON_ONCE(!irqs_disabled());
        list_for_each_entry(napi, &dev->napi_list, dev_list) {
+                local_irq_enable();
                if (napi->poll_owner != smp_processor_id() &&
                    spin_trylock(&napi->poll_lock)) {
-                        budget = poll_one_napi(dev->npinfo, napi, budget);
+                        rcu_read_lock_bh();
+                        budget = poll_one_napi(rcu_dereference_bh(dev->npinfo),
+                                               napi, budget);
+                        rcu_read_unlock_bh();
                        spin_unlock(&napi->poll_lock);
-                        if (!budget)
+                        if (!budget) {
+                                local_irq_disable();
                                break;
+                        }
                }
+                local_irq_disable();
        }
 }
@@ -185,13 +195,14 @@ static void service_arp_queue(struct netpoll_info *npi)
                struct sk_buff *skb;
                while ((skb = skb_dequeue(&npi->arp_tx)))
-                        arp_reply(skb);
+                        netpoll_arp_reply(skb, npi);
        }
 }
 static void netpoll_poll_dev(struct net_device *dev)
 {
        const struct net_device_ops *ops;
+        struct netpoll_info *ni = rcu_dereference_bh(dev->npinfo);
        if (!dev || !netif_running(dev))
                return;
@@ -206,17 +217,18 @@ static void netpoll_poll_dev(struct net_device *dev)
        poll_napi(dev);
        if (dev->flags & IFF_SLAVE) {
-                if (dev->npinfo) {
+                if (ni) {
                        struct net_device *bond_dev = dev->master;
                        struct sk_buff *skb;
-                        while ((skb = skb_dequeue(&dev->npinfo->arp_tx))) {
+                        struct netpoll_info *bond_ni = rcu_dereference_bh(bond_dev->npinfo);
+                        while ((skb = skb_dequeue(&ni->arp_tx))) {
                                skb->dev = bond_dev;
-                                skb_queue_tail(&bond_dev->npinfo->arp_tx, skb);
+                                skb_queue_tail(&bond_ni->arp_tx, skb);
                        }
                }
        }
-        service_arp_queue(dev->npinfo);
+        service_arp_queue(ni);
        zap_completion_queue();
 }
@@ -302,6 +314,7 @@ static int netpoll_owner_active(struct net_device *dev)
        return 0;
 }
+/* call with IRQ disabled */
 void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
                             struct net_device *dev)
 {
@@ -309,8 +322,11 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
        unsigned long tries;
        const struct net_device_ops *ops = dev->netdev_ops;
        /* It is up to the caller to keep npinfo alive. */
-        struct netpoll_info *npinfo = np->dev->npinfo;
+        struct netpoll_info *npinfo;
+        WARN_ON_ONCE(!irqs_disabled());
+        npinfo = rcu_dereference_bh(np->dev->npinfo);
        if (!npinfo || !netif_running(dev) || !netif_device_present(dev)) {
                __kfree_skb(skb);
                return;
@@ -319,16 +335,22 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
        /* don't get messages out of order, and no recursion */
        if (skb_queue_len(&npinfo->txq) == 0 && !netpoll_owner_active(dev)) {
                struct netdev_queue *txq;
-                unsigned long flags;
                txq = netdev_get_tx_queue(dev, skb_get_queue_mapping(skb));
-                local_irq_save(flags);
                /* try until next clock tick */
                for (tries = jiffies_to_usecs(1)/USEC_PER_POLL;
                     tries > 0; --tries) {
                        if (__netif_tx_trylock(txq)) {
                                if (!netif_xmit_stopped(txq)) {
+                                        if (vlan_tx_tag_present(skb) &&
+                                            !(netif_skb_features(skb) & NETIF_F_HW_VLAN_TX)) {
+                                                skb = __vlan_put_tag(skb, vlan_tx_tag_get(skb));
+                                                if (unlikely(!skb))
+                                                        break;
+                                                skb->vlan_tci = 0;
+                                        }
                                        status = ops->ndo_start_xmit(skb, dev);
                                        if (status == NETDEV_TX_OK)
                                                txq_trans_update(txq);
@@ -347,10 +369,9 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
                }
                WARN_ONCE(!irqs_disabled(),
-                        "netpoll_send_skb(): %s enabled interrupts in poll (%pF)\n",
+                        "netpoll_send_skb_on_dev(): %s enabled interrupts in poll (%pF)\n",
                        dev->name, ops->ndo_start_xmit);
-                local_irq_restore(flags);
        }
        if (status != NETDEV_TX_OK) {
@@ -423,9 +444,8 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
 }
 EXPORT_SYMBOL(netpoll_send_udp);
-static void arp_reply(struct sk_buff *skb)
+static void netpoll_arp_reply(struct sk_buff *skb, struct netpoll_info *npinfo)
 {
-        struct netpoll_info *npinfo = skb->dev->npinfo;
        struct arphdr *arp;
        unsigned char *arp_ptr;
        int size, type = ARPOP_REPLY, ptype = ETH_P_ARP;
@@ -543,13 +563,12 @@ static void arp_reply(struct sk_buff *skb)
        spin_unlock_irqrestore(&npinfo->rx_lock, flags);
 }
-int __netpoll_rx(struct sk_buff *skb)
+int __netpoll_rx(struct sk_buff *skb, struct netpoll_info *npinfo)
 {
        int proto, len, ulen;
        int hits = 0;
        const struct iphdr *iph;
        struct udphdr *uh;
-        struct netpoll_info *npinfo = skb->dev->npinfo;
        struct netpoll *np, *tmp;
        if (list_empty(&npinfo->rx_np))
@@ -565,6 +584,12 @@ int __netpoll_rx(struct sk_buff *skb)
                return 1;
        }
+        if (skb->protocol == cpu_to_be16(ETH_P_8021Q)) {
+                skb = vlan_untag(skb);
+                if (unlikely(!skb))
+                        goto out;
+        }
        proto = ntohs(eth_hdr(skb)->h_proto);
        if (proto != ETH_P_IP)
                goto out;
@@ -715,7 +740,7 @@ int netpoll_parse_options(struct netpoll *np, char *opt)
 }
 EXPORT_SYMBOL(netpoll_parse_options);
-int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
+int __netpoll_setup(struct netpoll *np, struct net_device *ndev, gfp_t gfp)
 {
        struct netpoll_info *npinfo;
        const struct net_device_ops *ops;
@@ -734,7 +759,7 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
        }
        if (!ndev->npinfo) {
-                npinfo = kmalloc(sizeof(*npinfo), GFP_KERNEL);
+                npinfo = kmalloc(sizeof(*npinfo), gfp);
                if (!npinfo) {
                        err = -ENOMEM;
                        goto out;
@@ -752,7 +777,7 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
                ops = np->dev->netdev_ops;
                if (ops->ndo_netpoll_setup) {
-                        err = ops->ndo_netpoll_setup(ndev, npinfo);
+                        err = ops->ndo_netpoll_setup(ndev, npinfo, gfp);
                        if (err)
                                goto free_npinfo;
                }
@@ -857,7 +882,7 @@ int netpoll_setup(struct netpoll *np)
        refill_skbs();
        rtnl_lock();
-        err = __netpoll_setup(np, ndev);
+        err = __netpoll_setup(np, ndev, GFP_KERNEL);
        rtnl_unlock();
        if (err)
@@ -878,6 +903,24 @@ static int __init netpoll_init(void)
 }
 core_initcall(netpoll_init);
+static void rcu_cleanup_netpoll_info(struct rcu_head *rcu_head)
+{
+        struct netpoll_info *npinfo =
+                        container_of(rcu_head, struct netpoll_info, rcu);
+        skb_queue_purge(&npinfo->arp_tx);
+        skb_queue_purge(&npinfo->txq);
+        /* we can't call cancel_delayed_work_sync here, as we are in softirq */
+        cancel_delayed_work(&npinfo->tx_work);
+        /* clean after last, unfinished work */
+        __skb_queue_purge(&npinfo->txq);
+        /* now cancel it again */
+        cancel_delayed_work(&npinfo->tx_work);
+        kfree(npinfo);
+}
 void __netpoll_cleanup(struct netpoll *np)
 {
        struct netpoll_info *npinfo;
@@ -903,20 +946,24 @@ void __netpoll_cleanup(struct netpoll *np)
                        ops->ndo_netpoll_cleanup(np->dev);
                RCU_INIT_POINTER(np->dev->npinfo, NULL);
+                call_rcu_bh(&npinfo->rcu, rcu_cleanup_netpoll_info);
+        }
+}
+EXPORT_SYMBOL_GPL(__netpoll_cleanup);
-                /* avoid racing with NAPI reading npinfo */
+static void rcu_cleanup_netpoll(struct rcu_head *rcu_head)
-                synchronize_rcu_bh();
+{
+        struct netpoll *np = container_of(rcu_head, struct netpoll, rcu);
-                skb_queue_purge(&npinfo->arp_tx);
+        __netpoll_cleanup(np);
-                skb_queue_purge(&npinfo->txq);
+        kfree(np);
-                cancel_delayed_work_sync(&npinfo->tx_work);
+}
-                /* clean after last, unfinished work */
+void __netpoll_free_rcu(struct netpoll *np)
-                __skb_queue_purge(&npinfo->txq);
+{
-                kfree(npinfo);
+        call_rcu_bh(&np->rcu, rcu_cleanup_netpoll);
-        }
 }
-EXPORT_SYMBOL_GPL(__netpoll_cleanup);
+EXPORT_SYMBOL_GPL(__netpoll_free_rcu);
 void netpoll_cleanup(struct netpoll *np)
 {
diff --git a/net/core/netprio_cgroup.c b/net/core/netprio_cgroup.c
index ed0c0431fcd8..c75e3f9d060f 100644
--- a/net/core/netprio_cgroup.c
+++ b/net/core/netprio_cgroup.c
@@ -101,12 +101,10 @@ static int write_update_netdev_table(struct net_device *dev)
        u32 max_len;
        struct netprio_map *map;
-        rtnl_lock();
        max_len = atomic_read(&max_prioidx) + 1;
        map = rtnl_dereference(dev->priomap);
        if (!map || map->priomap_len < max_len)
                ret = extend_netdev_table(dev, max_len);
-        rtnl_unlock();
        return ret;
 }
@@ -256,17 +254,17 @@ static int write_priomap(struct cgroup *cgrp, struct cftype *cft,
        if (!dev)
                goto out_free_devname;
+        rtnl_lock();
        ret = write_update_netdev_table(dev);
        if (ret < 0)
                goto out_put_dev;
-        rcu_read_lock();
+        map = rtnl_dereference(dev->priomap);
-        map = rcu_dereference(dev->priomap);
        if (map)
                map->priomap[prioidx] = priority;
-        rcu_read_unlock();
 out_put_dev:
+        rtnl_unlock();
        dev_put(dev);
 out_free_devname:
@@ -277,12 +275,6 @@ out_free_devname:
 void net_prio_attach(struct cgroup *cgrp, struct cgroup_taskset *tset)
 {
        struct task_struct *p;
-        char *tmp = kzalloc(sizeof(char) * PATH_MAX, GFP_KERNEL);
-        if (!tmp) {
-                pr_warn("Unable to attach cgrp due to alloc failure!\n");
-                return;
-        }
        cgroup_taskset_for_each(p, cgrp, tset) {
                unsigned int fd;
@@ -296,32 +288,24 @@ void net_prio_attach(struct cgroup *cgrp, struct cgroup_taskset *tset)
                        continue;
                }
-                rcu_read_lock();
+                spin_lock(&files->file_lock);
                fdt = files_fdtable(files);
                for (fd = 0; fd < fdt->max_fds; fd++) {
-                        char *path;
                        struct file *file;
                        struct socket *sock;
-                        unsigned long s;
+                        int err;
-                        int rv, err = 0;
                        file = fcheck_files(files, fd);
                        if (!file)
                                continue;
-                        path = d_path(&file->f_path, tmp, PAGE_SIZE);
-                        rv = sscanf(path, "socket:[%lu]", &s);
-                        if (rv <= 0)
-                                continue;
                        sock = sock_from_file(file, &err);
-                        if (!err)
+                        if (sock)
                                sock_update_netprioidx(sock->sk, p);
                }
-                rcu_read_unlock();
+                spin_unlock(&files->file_lock);
                task_unlock(p);
        }
-        kfree(tmp);
 }
 static struct cftype ss_files[] = {
diff --git a/net/core/scm.c b/net/core/scm.c
index 8f6ccfd68ef4..040cebeed45b 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -265,6 +265,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
        for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
             i++, cmfptr++)
        {
+                struct socket *sock;
                int new_fd;
                err = security_file_receive(fp[i]);
                if (err)
@@ -281,6 +282,9 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
                }
                /* Bump the usage count and install the file. */
                get_file(fp[i]);
+                sock = sock_from_file(fp[i], &err);
+                if (sock)
+                        sock_update_netprioidx(sock->sk, current);
                fd_install(new_fd, fp[i]);
        }
diff --git a/net/core/sock.c b/net/core/sock.c
index 6b654b3ddfda..8f67ced8d6a8 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1458,6 +1458,7 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst)
                } else {
                        sk->sk_route_caps |= NETIF_F_SG | NETIF_F_HW_CSUM;
                        sk->sk_gso_max_size = dst->dev->gso_max_size;
+                        sk->sk_gso_max_segs = dst->dev->gso_max_segs;
                }
        }
 }
diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
index 75c3582a7678..fb85d371a8de 100644
--- a/net/dccp/ccid.h
+++ b/net/dccp/ccid.h
@@ -246,7 +246,7 @@ static inline int ccid_hc_rx_getsockopt(struct ccid *ccid, struct sock *sk,
                                        u32 __user *optval, int __user *optlen)
 {
        int rc = -ENOPROTOOPT;
-        if (ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL)
+        if (ccid != NULL && ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL)
                rc = ccid->ccid_ops->ccid_hc_rx_getsockopt(sk, optname, len,
                                                 optval, optlen);
        return rc;
@@ -257,7 +257,7 @@ static inline int ccid_hc_tx_getsockopt(struct ccid *ccid, struct sock *sk,
                                        u32 __user *optval, int __user *optlen)
 {
        int rc = -ENOPROTOOPT;
-        if (ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL)
+        if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL)
                rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len,
                                                 optval, optlen);
        return rc;
diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
index d65e98798eca..119c04317d48 100644
--- a/net/dccp/ccids/ccid3.c
+++ b/net/dccp/ccids/ccid3.c
@@ -535,6 +535,7 @@ static int ccid3_hc_tx_getsockopt(struct sock *sk, const int optname, int len,
        case DCCP_SOCKOPT_CCID_TX_INFO:
                if (len < sizeof(tfrc))
                        return -EINVAL;
+                memset(&tfrc, 0, sizeof(tfrc));
                tfrc.tfrctx_x      = hc->tx_x;
                tfrc.tfrctx_x_recv = hc->tx_x_recv;
                tfrc.tfrctx_x_calc = hc->tx_x_calc;
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index f0cdb30921c0..57bd978483e1 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -367,7 +367,7 @@ static void __leaf_free_rcu(struct rcu_head *head)
 static inline void free_leaf(struct leaf *l)
 {
-        call_rcu_bh(&l->rcu, __leaf_free_rcu);
+        call_rcu(&l->rcu, __leaf_free_rcu);
 }
 static inline void free_leaf_info(struct leaf_info *leaf)
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index db0cf17c00f7..7f75f21d7b83 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -404,12 +404,15 @@ struct dst_entry *inet_csk_route_child_sock(struct sock *sk,
 {
        const struct inet_request_sock *ireq = inet_rsk(req);
        struct inet_sock *newinet = inet_sk(newsk);
-        struct ip_options_rcu *opt = ireq->opt;
+        struct ip_options_rcu *opt;
        struct net *net = sock_net(sk);
        struct flowi4 *fl4;
        struct rtable *rt;
        fl4 = &newinet->cork.fl.u.ip4;
+        rcu_read_lock();
+        opt = rcu_dereference(newinet->inet_opt);
        flowi4_init_output(fl4, sk->sk_bound_dev_if, sk->sk_mark,
                           RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE,
                           sk->sk_protocol, inet_sk_flowi_flags(sk),
@@ -421,11 +424,13 @@ struct dst_entry *inet_csk_route_child_sock(struct sock *sk,
                goto no_route;
        if (opt && opt->opt.is_strictroute && rt->rt_gateway)
                goto route_err;
+        rcu_read_unlock();
        return &rt->dst;
 route_err:
        ip_rt_put(rt);
 no_route:
+        rcu_read_unlock();
        IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
        return NULL;
 }
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index ba39a52d18c1..c196d749daf2 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -197,7 +197,7 @@ static inline int ip_finish_output2(struct sk_buff *skb)
        neigh = __ipv4_neigh_lookup_noref(dev, nexthop);
        if (unlikely(!neigh))
                neigh = __neigh_create(&arp_tbl, &nexthop, dev, false);
-        if (neigh) {
+        if (!IS_ERR(neigh)) {
                int res = dst_neigh_output(dst, neigh, skb);
                rcu_read_unlock_bh();
@@ -1338,10 +1338,10 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
        iph->ihl = 5;
        iph->tos = inet->tos;
        iph->frag_off = df;
-        ip_select_ident(iph, &rt->dst, sk);
        iph->ttl = ttl;
        iph->protocol = sk->sk_protocol;
        ip_copy_addrs(iph, fl4);
+        ip_select_ident(iph, &rt->dst, sk);
        if (opt) {
                iph->ihl += opt->optlen>>2;
@@ -1366,9 +1366,8 @@ out:
        return skb;
 }
-int ip_send_skb(struct sk_buff *skb)
+int ip_send_skb(struct net *net, struct sk_buff *skb)
 {
-        struct net *net = sock_net(skb->sk);
        int err;
        err = ip_local_out(skb);
@@ -1391,7 +1390,7 @@ int ip_push_pending_frames(struct sock *sk, struct flowi4 *fl4)
                return 0;
        /* Netfilter gets whole the not fragmented skb. */
-        return ip_send_skb(skb);
+        return ip_send_skb(sock_net(sk), skb);
 }
 /*
@@ -1536,6 +1535,7 @@ void ip_send_unicast_reply(struct net *net, struct sk_buff *skb, __be32 daddr,
                          arg->csumoffset) = csum_fold(csum_add(nskb->csum,
                                                                arg->csum));
                nskb->ip_summed = CHECKSUM_NONE;
+                skb_orphan(nskb);
                skb_set_queue_mapping(nskb, skb_get_queue_mapping(skb));
                ip_push_pending_frames(sk, &fl4);
        }
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index ea4a23813d26..4ad9cf173992 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -148,7 +148,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
        if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
                                    hdr, NULL, &matchoff, &matchlen,
                                    &addr, &port) > 0) {
-                unsigned int matchend, poff, plen, buflen, n;
+                unsigned int olen, matchend, poff, plen, buflen, n;
                char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
                /* We're only interested in headers related to this
@@ -163,17 +163,18 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
                                goto next;
                }
+                olen = *datalen;
                if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen,
                              &addr, port))
                        return NF_DROP;
-                matchend = matchoff + matchlen;
+                matchend = matchoff + matchlen + *datalen - olen;
                /* The maddr= parameter (RFC 2361) specifies where to send
                 * the reply. */
                if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
                                               "maddr=", &poff, &plen,
-                                               &addr) > 0 &&
+                                               &addr, true) > 0 &&
                    addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
                    addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
                        buflen = sprintf(buffer, "%pI4",
@@ -187,7 +188,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
                 * from which the server received the request. */
                if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
                                               "received=", &poff, &plen,
-                                               &addr) > 0 &&
+                                               &addr, false) > 0 &&
                    addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
                    addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
                        buflen = sprintf(buffer, "%pI4",
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index c035251beb07..fd9ecb52c66b 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -70,7 +70,6 @@
 #include <linux/types.h>
 #include <linux/kernel.h>
 #include <linux/mm.h>
-#include <linux/bootmem.h>
 #include <linux/string.h>
 #include <linux/socket.h>
 #include <linux/sockios.h>
@@ -80,7 +79,6 @@
 #include <linux/netdevice.h>
 #include <linux/proc_fs.h>
 #include <linux/init.h>
-#include <linux/workqueue.h>
 #include <linux/skbuff.h>
 #include <linux/inetdevice.h>
 #include <linux/igmp.h>
@@ -88,11 +86,9 @@
 #include <linux/mroute.h>
 #include <linux/netfilter_ipv4.h>
 #include <linux/random.h>
-#include <linux/jhash.h>
 #include <linux/rcupdate.h>
 #include <linux/times.h>
 #include <linux/slab.h>
-#include <linux/prefetch.h>
 #include <net/dst.h>
 #include <net/net_namespace.h>
 #include <net/protocol.h>
@@ -2032,7 +2028,6 @@ struct rtable *__ip_route_output_key(struct net *net, struct flowi4 *fl4)
                }
                dev_out = net->loopback_dev;
                fl4->flowi4_oif = dev_out->ifindex;
-                res.fi = NULL;
                flags |= RTCF_LOCAL;
                goto make_route;
        }
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index e7e6eeae49c0..2109ff4a1daf 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -811,7 +811,9 @@ static unsigned int tcp_xmit_size_goal(struct sock *sk, u32 mss_now,
                           old_size_goal + mss_now > xmit_size_goal)) {
                        xmit_size_goal = old_size_goal;
                } else {
-                        tp->xmit_size_goal_segs = xmit_size_goal / mss_now;
+                        tp->xmit_size_goal_segs =
+                                min_t(u16, xmit_size_goal / mss_now,
+                                      sk->sk_gso_max_segs);
                        xmit_size_goal = tp->xmit_size_goal_segs * mss_now;
                }
        }
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index 4d4db16e336e..1432cdb0644c 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -291,7 +291,8 @@ bool tcp_is_cwnd_limited(const struct sock *sk, u32 in_flight)
        left = tp->snd_cwnd - in_flight;
        if (sk_can_gso(sk) &&
            left * sysctl_tcp_tso_win_divisor < tp->snd_cwnd &&
-            left * tp->mss_cache < sk->sk_gso_max_size)
+            left * tp->mss_cache < sk->sk_gso_max_size &&
+            left < sk->sk_gso_max_segs)
                return true;
        return left <= tcp_max_tso_deferred_mss(tp);
 }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 2fd2bc9e3c64..85308b90df80 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5392,6 +5392,8 @@ int tcp_rcv_established(struct sock *sk, struct sk_buff *skb,
 {
        struct tcp_sock *tp = tcp_sk(sk);
+        if (unlikely(sk->sk_rx_dst == NULL))
+                inet_csk(sk)->icsk_af_ops->sk_rx_dst_set(sk, skb);
        /*
         *      Header prediction.
         *      The code loosely follows the one in the famous
@@ -5605,7 +5607,7 @@ void tcp_finish_connect(struct sock *sk, struct sk_buff *skb)
        tcp_set_state(sk, TCP_ESTABLISHED);
        if (skb != NULL) {
-                inet_sk_rx_dst_set(sk, skb);
+                icsk->icsk_af_ops->sk_rx_dst_set(sk, skb);
                security_inet_conn_established(sk, skb);
        }
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 42b2a6a73092..00a748d14062 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -417,10 +417,12 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
                if (code == ICMP_FRAG_NEEDED) { /* PMTU discovery (RFC1191) */
                        tp->mtu_info = info;
-                        if (!sock_owned_by_user(sk))
+                        if (!sock_owned_by_user(sk)) {
                                tcp_v4_mtu_reduced(sk);
-                        else
+                        } else {
-                                set_bit(TCP_MTU_REDUCED_DEFERRED, &tp->tsq_flags);
+                                if (!test_and_set_bit(TCP_MTU_REDUCED_DEFERRED, &tp->tsq_flags))
+                                        sock_hold(sk);
+                        }
                        goto out;
                }
@@ -1462,6 +1464,7 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
                goto exit_nonewsk;
        newsk->sk_gso_type = SKB_GSO_TCPV4;
+        inet_sk_rx_dst_set(newsk, skb);
        newtp                 = tcp_sk(newsk);
        newinet               = inet_sk(newsk);
@@ -1627,9 +1630,6 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
                                sk->sk_rx_dst = NULL;
                        }
                }
-                if (unlikely(sk->sk_rx_dst == NULL))
-                        inet_sk_rx_dst_set(sk, skb);
                if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len)) {
                        rsk = sk;
                        goto reset;
@@ -1872,10 +1872,21 @@ static struct timewait_sock_ops tcp_timewait_sock_ops = {
        .twsk_destructor= tcp_twsk_destructor,
 };
+void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
+{
+        struct dst_entry *dst = skb_dst(skb);
+        dst_hold(dst);
+        sk->sk_rx_dst = dst;
+        inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
+}
+EXPORT_SYMBOL(inet_sk_rx_dst_set);
 const struct inet_connection_sock_af_ops ipv4_specific = {
        .queue_xmit        = ip_queue_xmit,
        .send_check        = tcp_v4_send_check,
        .rebuild_header    = inet_sk_rebuild_header,
+        .sk_rx_dst_set     = inet_sk_rx_dst_set,
        .conn_request      = tcp_v4_conn_request,
        .syn_recv_sock     = tcp_v4_syn_recv_sock,
        .net_header_len    = sizeof(struct iphdr),
diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
index 2288a6399e1e..0abe67bb4d3a 100644
--- a/net/ipv4/tcp_metrics.c
+++ b/net/ipv4/tcp_metrics.c
@@ -731,6 +731,18 @@ static int __net_init tcp_net_metrics_init(struct net *net)
 static void __net_exit tcp_net_metrics_exit(struct net *net)
 {
+        unsigned int i;
+        for (i = 0; i < (1U << net->ipv4.tcp_metrics_hash_log) ; i++) {
+                struct tcp_metrics_block *tm, *next;
+                tm = rcu_dereference_protected(net->ipv4.tcp_metrics_hash[i].chain, 1);
+                while (tm) {
+                        next = rcu_dereference_protected(tm->tcpm_next, 1);
+                        kfree(tm);
+                        tm = next;
+                }
+        }
        kfree(net->ipv4.tcp_metrics_hash);
 }
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 232a90c3ec86..6ff7f10dce9d 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -387,8 +387,6 @@ struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req,
                struct tcp_sock *oldtp = tcp_sk(sk);
                struct tcp_cookie_values *oldcvp = oldtp->cookie_values;
-                inet_sk_rx_dst_set(newsk, skb);
                /* TCP Cookie Transactions require space for the cookie pair,
                 * as it differs for each connection.  There is no need to
                 * copy any s_data_payload stored at the original socket.
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 3f1bcff0b10b..d04632673a9e 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -910,14 +910,18 @@ void tcp_release_cb(struct sock *sk)
        if (flags & (1UL << TCP_TSQ_DEFERRED))
                tcp_tsq_handler(sk);
-        if (flags & (1UL << TCP_WRITE_TIMER_DEFERRED))
+        if (flags & (1UL << TCP_WRITE_TIMER_DEFERRED)) {
                tcp_write_timer_handler(sk);
+                __sock_put(sk);
-        if (flags & (1UL << TCP_DELACK_TIMER_DEFERRED))
+        }
+        if (flags & (1UL << TCP_DELACK_TIMER_DEFERRED)) {
                tcp_delack_timer_handler(sk);
+                __sock_put(sk);
-        if (flags & (1UL << TCP_MTU_REDUCED_DEFERRED))
+        }
+        if (flags & (1UL << TCP_MTU_REDUCED_DEFERRED)) {
                sk->sk_prot->mtu_reduced(sk);
+                __sock_put(sk);
+        }
 }
 EXPORT_SYMBOL(tcp_release_cb);
@@ -940,7 +944,7 @@ void __init tcp_tasklet_init(void)
 * We cant xmit new skbs from this context, as we might already
 * hold qdisc lock.
 */
-void tcp_wfree(struct sk_buff *skb)
+static void tcp_wfree(struct sk_buff *skb)
 {
        struct sock *sk = skb->sk;
        struct tcp_sock *tp = tcp_sk(sk);
@@ -1522,21 +1526,21 @@ static void tcp_cwnd_validate(struct sock *sk)
 * when we would be allowed to send the split-due-to-Nagle skb fully.
 */
 static unsigned int tcp_mss_split_point(const struct sock *sk, const struct sk_buff *skb,
-                                        unsigned int mss_now, unsigned int cwnd)
+                                        unsigned int mss_now, unsigned int max_segs)
 {
        const struct tcp_sock *tp = tcp_sk(sk);
-        u32 needed, window, cwnd_len;
+        u32 needed, window, max_len;
        window = tcp_wnd_end(tp) - TCP_SKB_CB(skb)->seq;
-        cwnd_len = mss_now * cwnd;
+        max_len = mss_now * max_segs;
-        if (likely(cwnd_len <= window && skb != tcp_write_queue_tail(sk)))
+        if (likely(max_len <= window && skb != tcp_write_queue_tail(sk)))
-                return cwnd_len;
+                return max_len;
        needed = min(skb->len, window);
-        if (cwnd_len <= needed)
+        if (max_len <= needed)
-                return cwnd_len;
+                return max_len;
        return needed - needed % mss_now;
 }
@@ -1765,7 +1769,8 @@ static bool tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb)
        limit = min(send_win, cong_win);
        /* If a full-sized TSO skb can be sent, do it. */
-        if (limit >= sk->sk_gso_max_size)
+        if (limit >= min_t(unsigned int, sk->sk_gso_max_size,
+                           sk->sk_gso_max_segs * tp->mss_cache))
                goto send_now;
        /* Middle in queue won't get any more data, full sendable already? */
@@ -1999,7 +2004,9 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
                limit = mss_now;
                if (tso_segs > 1 && !tcp_urg_mode(tp))
                        limit = tcp_mss_split_point(sk, skb, mss_now,
-                                                    cwnd_quota);
+                                                    min_t(unsigned int,
+                                                          cwnd_quota,
+                                                          sk->sk_gso_max_segs));
                if (skb->len > limit &&
                    unlikely(tso_fragment(sk, skb, limit, mss_now, gfp)))
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 6df36ad55a38..b774a03bd1dc 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -252,7 +252,8 @@ static void tcp_delack_timer(unsigned long data)
                inet_csk(sk)->icsk_ack.blocked = 1;
                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKLOCKED);
                /* deleguate our work to tcp_release_cb() */
-                set_bit(TCP_WRITE_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags);
+                if (!test_and_set_bit(TCP_DELACK_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags))
+                        sock_hold(sk);
        }
        bh_unlock_sock(sk);
        sock_put(sk);
@@ -481,7 +482,8 @@ static void tcp_write_timer(unsigned long data)
                tcp_write_timer_handler(sk);
        } else {
                /* deleguate our work to tcp_release_cb() */
-                set_bit(TCP_WRITE_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags);
+                if (!test_and_set_bit(TCP_WRITE_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags))
+                        sock_hold(sk);
        }
        bh_unlock_sock(sk);
        sock_put(sk);
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index b4c3582a991f..6f6d1aca3c3d 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -758,7 +758,7 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4)
                uh->check = CSUM_MANGLED_0;
 send:
-        err = ip_send_skb(skb);
+        err = ip_send_skb(sock_net(sk), skb);
        if (err) {
                if (err == -ENOBUFS && !inet->recverr) {
                        UDP_INC_STATS_USER(sock_net(sk),
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 79181819a24f..6bc85f7c31e3 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -494,8 +494,7 @@ static void addrconf_forward_change(struct net *net, __s32 newf)
        struct net_device *dev;
        struct inet6_dev *idev;
-        rcu_read_lock();
+        for_each_netdev(net, dev) {
-        for_each_netdev_rcu(net, dev) {
                idev = __in6_dev_get(dev);
                if (idev) {
                        int changed = (!idev->cnf.forwarding) ^ (!newf);
@@ -504,7 +503,6 @@ static void addrconf_forward_change(struct net *net, __s32 newf)
                                dev_forward_change(idev);
                }
        }
-        rcu_read_unlock();
 }
 static int addrconf_fixup_forwarding(struct ctl_table *table, int *p, int newf)
diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
index da2e92d05c15..745a32042950 100644
--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -307,10 +307,10 @@ static int __net_init ipv6_proc_init_net(struct net *net)
                goto proc_dev_snmp6_fail;
        return 0;
+proc_dev_snmp6_fail:
+        proc_net_remove(net, "snmp6");
 proc_snmp6_fail:
        proc_net_remove(net, "sockstat6");
-proc_dev_snmp6_fail:
-        proc_net_remove(net, "dev_snmp6");
        return -ENOMEM;
 }
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index c66b90f71c9b..a3e60cc04a8a 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -94,6 +94,18 @@ static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
 }
 #endif
+static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
+{
+        struct dst_entry *dst = skb_dst(skb);
+        const struct rt6_info *rt = (const struct rt6_info *)dst;
+        dst_hold(dst);
+        sk->sk_rx_dst = dst;
+        inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
+        if (rt->rt6i_node)
+                inet6_sk(sk)->rx_dst_cookie = rt->rt6i_node->fn_sernum;
+}
 static void tcp_v6_hash(struct sock *sk)
 {
        if (sk->sk_state != TCP_CLOSE) {
@@ -1270,6 +1282,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
        newsk->sk_gso_type = SKB_GSO_TCPV6;
        __ip6_dst_store(newsk, dst, NULL, NULL);
+        inet6_sk_rx_dst_set(newsk, skb);
        newtcp6sk = (struct tcp6_sock *)newsk;
        inet_sk(newsk)->pinet6 = &newtcp6sk->inet6;
@@ -1447,7 +1460,17 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
                opt_skb = skb_clone(skb, sk_gfp_atomic(sk, GFP_ATOMIC));
        if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
+                struct dst_entry *dst = sk->sk_rx_dst;
                sock_rps_save_rxhash(sk, skb);
+                if (dst) {
+                        if (inet_sk(sk)->rx_dst_ifindex != skb->skb_iif ||
+                            dst->ops->check(dst, np->rx_dst_cookie) == NULL) {
+                                dst_release(dst);
+                                sk->sk_rx_dst = NULL;
+                        }
+                }
                if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len))
                        goto reset;
                if (opt_skb)
@@ -1705,9 +1728,9 @@ static void tcp_v6_early_demux(struct sk_buff *skb)
                        struct dst_entry *dst = sk->sk_rx_dst;
                        struct inet_sock *icsk = inet_sk(sk);
                        if (dst)
-                                dst = dst_check(dst, 0);
+                                dst = dst_check(dst, inet6_sk(sk)->rx_dst_cookie);
                        if (dst &&
-                            icsk->rx_dst_ifindex == inet6_iif(skb))
+                            icsk->rx_dst_ifindex == skb->skb_iif)
                                skb_dst_set_noref(skb, dst);
                }
        }
@@ -1723,6 +1746,7 @@ static const struct inet_connection_sock_af_ops ipv6_specific = {
        .queue_xmit        = inet6_csk_xmit,
        .send_check        = tcp_v6_send_check,
        .rebuild_header    = inet6_sk_rebuild_header,
+        .sk_rx_dst_set     = inet6_sk_rx_dst_set,
        .conn_request      = tcp_v6_conn_request,
        .syn_recv_sock     = tcp_v6_syn_recv_sock,
        .net_header_len    = sizeof(struct ipv6hdr),
@@ -1754,6 +1778,7 @@ static const struct inet_connection_sock_af_ops ipv6_mapped = {
        .queue_xmit        = ip_queue_xmit,
        .send_check        = tcp_v4_send_check,
        .rebuild_header    = inet_sk_rebuild_header,
+        .sk_rx_dst_set     = inet_sk_rx_dst_set,
        .conn_request      = tcp_v6_conn_request,
        .syn_recv_sock     = tcp_v6_syn_recv_sock,
        .net_header_len    = sizeof(struct iphdr),
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index ef39812107b1..f8c4c08ffb60 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -73,6 +73,13 @@ static int xfrm6_get_tos(const struct flowi *fl)
        return 0;
 }
+static void xfrm6_init_dst(struct net *net, struct xfrm_dst *xdst)
+{
+        struct rt6_info *rt = (struct rt6_info *)xdst;
+        rt6_init_peer(rt, net->ipv6.peers);
+}
 static int xfrm6_init_path(struct xfrm_dst *path, struct dst_entry *dst,
                           int nfheader_len)
 {
@@ -286,6 +293,7 @@ static struct xfrm_policy_afinfo xfrm6_policy_afinfo = {
        .get_saddr =            xfrm6_get_saddr,
        .decode_session =       _decode_session6,
        .get_tos =              xfrm6_get_tos,
+        .init_dst =             xfrm6_init_dst,
        .init_path =            xfrm6_init_path,
        .fill_dst =             xfrm6_fill_dst,
        .blackhole_route =      ip6_blackhole_route,
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 35e1e4bde587..927547171bc7 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -410,6 +410,7 @@ static int l2tp_ip6_getname(struct socket *sock, struct sockaddr *uaddr,
        lsa->l2tp_family = AF_INET6;
        lsa->l2tp_flowinfo = 0;
        lsa->l2tp_scope_id = 0;
+        lsa->l2tp_unused = 0;
        if (peer) {
                if (!lsk->peer_conn_id)
                        return -ENOTCONN;
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index f6fe4d400502..c2190005a114 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -969,14 +969,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr,
        struct sockaddr_llc sllc;
        struct sock *sk = sock->sk;
        struct llc_sock *llc = llc_sk(sk);
-        int rc = 0;
+        int rc = -EBADF;
        memset(&sllc, 0, sizeof(sllc));
        lock_sock(sk);
        if (sock_flag(sk, SOCK_ZAPPED))
                goto out;
        *uaddrlen = sizeof(sllc);
-        memset(uaddr, 0, *uaddrlen);
        if (peer) {
                rc = -ENOTCONN;
                if (sk->sk_state != TCP_ESTABLISHED)
@@ -1206,7 +1205,7 @@ static int __init llc2_init(void)
        rc = llc_proc_init();
        if (rc != 0) {
                printk(llc_proc_err_msg);
-                goto out_unregister_llc_proto;
+                goto out_station;
        }
        rc = llc_sysctl_init();
        if (rc) {
@@ -1226,7 +1225,8 @@ out_sysctl:
        llc_sysctl_exit();
 out_proc:
        llc_proc_exit();
-out_unregister_llc_proto:
+out_station:
+        llc_station_exit();
        proto_unregister(&llc_proto);
        goto out;
 }
diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
index e32cab44ea95..dd3e83328ad5 100644
--- a/net/llc/llc_input.c
+++ b/net/llc/llc_input.c
@@ -42,6 +42,7 @@ static void (*llc_type_handlers[2])(struct llc_sap *sap,
 void llc_add_pack(int type, void (*handler)(struct llc_sap *sap,
                                            struct sk_buff *skb))
 {
+        smp_wmb(); /* ensure initialisation is complete before it's called */
        if (type == LLC_DEST_SAP || type == LLC_DEST_CONN)
                llc_type_handlers[type - 1] = handler;
 }
@@ -50,11 +51,19 @@ void llc_remove_pack(int type)
 {
        if (type == LLC_DEST_SAP || type == LLC_DEST_CONN)
                llc_type_handlers[type - 1] = NULL;
+        synchronize_net();
 }
 void llc_set_station_handler(void (*handler)(struct sk_buff *skb))
 {
+        /* Ensure initialisation is complete before it's called */
+        if (handler)
+                smp_wmb();
        llc_station_handler = handler;
+        if (!handler)
+                synchronize_net();
 }
 /**
@@ -150,6 +159,8 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
        int dest;
        int (*rcv)(struct sk_buff *, struct net_device *,
                   struct packet_type *, struct net_device *);
+        void (*sta_handler)(struct sk_buff *skb);
+        void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb);
        if (!net_eq(dev_net(dev), &init_net))
                goto drop;
@@ -182,7 +193,8 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
         */
        rcv = rcu_dereference(sap->rcv_func);
        dest = llc_pdu_type(skb);
-        if (unlikely(!dest || !llc_type_handlers[dest - 1])) {
+        sap_handler = dest ? ACCESS_ONCE(llc_type_handlers[dest - 1]) : NULL;
+        if (unlikely(!sap_handler)) {
                if (rcv)
                        rcv(skb, dev, pt, orig_dev);
                else
@@ -193,7 +205,7 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
                        if (cskb)
                                rcv(cskb, dev, pt, orig_dev);
                }
-                llc_type_handlers[dest - 1](sap, skb);
+                sap_handler(sap, skb);
        }
        llc_sap_put(sap);
 out:
@@ -202,9 +214,10 @@ drop:
        kfree_skb(skb);
        goto out;
 handle_station:
-        if (!llc_station_handler)
+        sta_handler = ACCESS_ONCE(llc_station_handler);
+        if (!sta_handler)
                goto drop;
-        llc_station_handler(skb);
+        sta_handler(skb);
        goto out;
 }
diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c
index 39a8d8924b9c..b2f2bac2c2a2 100644
--- a/net/llc/llc_station.c
+++ b/net/llc/llc_station.c
@@ -268,7 +268,7 @@ static int llc_station_ac_send_null_dsap_xid_c(struct sk_buff *skb)
 out:
        return rc;
 free:
-        kfree_skb(skb);
+        kfree_skb(nskb);
        goto out;
 }
@@ -293,7 +293,7 @@ static int llc_station_ac_send_xid_r(struct sk_buff *skb)
 out:
        return rc;
 free:
-        kfree_skb(skb);
+        kfree_skb(nskb);
        goto out;
 }
@@ -322,7 +322,7 @@ static int llc_station_ac_send_test_r(struct sk_buff *skb)
 out:
        return rc;
 free:
-        kfree_skb(skb);
+        kfree_skb(nskb);
        goto out;
 }
@@ -687,12 +687,8 @@ static void llc_station_rcv(struct sk_buff *skb)
        llc_station_state_process(skb);
 }
-int __init llc_station_init(void)
+void __init llc_station_init(void)
 {
-        int rc = -ENOBUFS;
-        struct sk_buff *skb;
-        struct llc_station_state_ev *ev;
        skb_queue_head_init(&llc_main_station.mac_pdu_q);
        skb_queue_head_init(&llc_main_station.ev_q.list);
        spin_lock_init(&llc_main_station.ev_q.lock);
@@ -700,23 +696,12 @@ int __init llc_station_init(void)
                        (unsigned long)&llc_main_station);
        llc_main_station.ack_timer.expires  = jiffies +
                                                sysctl_llc_station_ack_timeout;
-        skb = alloc_skb(0, GFP_ATOMIC);
-        if (!skb)
-                goto out;
-        rc = 0;
-        llc_set_station_handler(llc_station_rcv);
-        ev = llc_station_ev(skb);
-        memset(ev, 0, sizeof(*ev));
        llc_main_station.maximum_retry  = 1;
-        llc_main_station.state          = LLC_STATION_STATE_DOWN;
+        llc_main_station.state          = LLC_STATION_STATE_UP;
-        ev->type        = LLC_STATION_EV_TYPE_SIMPLE;
+        llc_set_station_handler(llc_station_rcv);
-        ev->prim_type   = LLC_STATION_EV_ENABLE_WITHOUT_DUP_ADDR_CHECK;
-        rc = llc_station_next_state(skb);
-out:
-        return rc;
 }
-void __exit llc_station_exit(void)
+void llc_station_exit(void)
 {
        llc_set_station_handler(NULL);
 }
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index 6fac18c0423f..85572353a7e3 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -622,6 +622,7 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata)
        del_timer_sync(&sdata->u.mesh.housekeeping_timer);
        del_timer_sync(&sdata->u.mesh.mesh_path_root_timer);
+        del_timer_sync(&sdata->u.mesh.mesh_path_timer);
        /*
         * If the timer fired while we waited for it, it will have
         * requeued the work. Now the work will be running again
@@ -634,6 +635,8 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata)
        local->fif_other_bss--;
        atomic_dec(&local->iff_allmultis);
        ieee80211_configure_filter(local);
+        sdata->u.mesh.timers_running = 0;
 }
 static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index cef0c9e79aba..a4a5acdbaa4d 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1430,6 +1430,8 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
        del_timer_sync(&sdata->u.mgd.bcn_mon_timer);
        del_timer_sync(&sdata->u.mgd.timer);
        del_timer_sync(&sdata->u.mgd.chswitch_timer);
+        sdata->u.mgd.timers_running = 0;
 }
 void ieee80211_sta_rx_notify(struct ieee80211_sub_if_data *sdata,
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index bcaee5d12839..839dd9737989 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -299,7 +299,7 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted,
        if (local->scan_req != local->int_scan_req)
                cfg80211_scan_done(local->scan_req, aborted);
        local->scan_req = NULL;
-        local->scan_sdata = NULL;
+        rcu_assign_pointer(local->scan_sdata, NULL);
        local->scanning = 0;
        local->scan_channel = NULL;
@@ -984,7 +984,6 @@ int ieee80211_request_sched_scan_stop(struct ieee80211_sub_if_data *sdata)
                        kfree(local->sched_scan_ies.ie[i]);
                drv_sched_scan_stop(local, sdata);
-                rcu_assign_pointer(local->sched_scan_sdata, NULL);
        }
 out:
        mutex_unlock(&local->mtx);
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 84444dda194b..72bf32a84874 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2759,6 +2759,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
        {
                struct ip_vs_timeout_user t;
+                memset(&t, 0, sizeof(t));
                __ip_vs_get_timeouts(net, &t);
                if (copy_to_user(user, &t, sizeof(t)) != 0)
                        ret = -EFAULT;
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 45cf602a76bc..527651a53a45 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -361,23 +361,6 @@ static void evict_oldest_expect(struct nf_conn *master,
        }
 }
-static inline int refresh_timer(struct nf_conntrack_expect *i)
-{
-        struct nf_conn_help *master_help = nfct_help(i->master);
-        const struct nf_conntrack_expect_policy *p;
-        if (!del_timer(&i->timeout))
-                return 0;
-        p = &rcu_dereference_protected(
-                master_help->helper,
-                lockdep_is_held(&nf_conntrack_lock)
-                )->expect_policy[i->class];
-        i->timeout.expires = jiffies + p->timeout * HZ;
-        add_timer(&i->timeout);
-        return 1;
-}
 static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
 {
        const struct nf_conntrack_expect_policy *p;
@@ -386,7 +369,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
        struct nf_conn_help *master_help = nfct_help(master);
        struct nf_conntrack_helper *helper;
        struct net *net = nf_ct_exp_net(expect);
-        struct hlist_node *n;
+        struct hlist_node *n, *next;
        unsigned int h;
        int ret = 1;
@@ -395,12 +378,12 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
                goto out;
        }
        h = nf_ct_expect_dst_hash(&expect->tuple);
-        hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
+        hlist_for_each_entry_safe(i, n, next, &net->ct.expect_hash[h], hnode) {
                if (expect_matches(i, expect)) {
-                        /* Refresh timer: if it's dying, ignore.. */
+                        if (del_timer(&i->timeout)) {
-                        if (refresh_timer(i)) {
+                                nf_ct_unlink_expect(i);
-                                ret = 0;
+                                nf_ct_expect_put(i);
-                                goto out;
+                                break;
                        }
                } else if (expect_clash(i, expect)) {
                        ret = -EBUSY;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 14f67a2cbcb5..da4fc37a8578 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1896,10 +1896,15 @@ static int
 ctnetlink_nfqueue_parse(const struct nlattr *attr, struct nf_conn *ct)
 {
        struct nlattr *cda[CTA_MAX+1];
+        int ret;
        nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy);
-        return ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct);
+        spin_lock_bh(&nf_conntrack_lock);
+        ret = ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct);
+        spin_unlock_bh(&nf_conntrack_lock);
+        return ret;
 }
 static struct nfq_ct_hook ctnetlink_nfqueue_hook = {
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 758a1bacc126..5c0a112aeee6 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -183,12 +183,12 @@ static int media_len(const struct nf_conn *ct, const char *dptr,
        return len + digits_len(ct, dptr, limit, shift);
 }
-static int parse_addr(const struct nf_conn *ct, const char *cp,
+static int sip_parse_addr(const struct nf_conn *ct, const char *cp,
-                      const char **endp, union nf_inet_addr *addr,
+                          const char **endp, union nf_inet_addr *addr,
-                      const char *limit)
+                          const char *limit, bool delim)
 {
        const char *end;
-        int ret = 0;
+        int ret;
        if (!ct)
                return 0;
@@ -197,16 +197,28 @@ static int parse_addr(const struct nf_conn *ct, const char *cp,
        switch (nf_ct_l3num(ct)) {
        case AF_INET:
                ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
+                if (ret == 0)
+                        return 0;
                break;
        case AF_INET6:
+                if (cp < limit && *cp == '[')
+                        cp++;
+                else if (delim)
+                        return 0;
                ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
+                if (ret == 0)
+                        return 0;
+                if (end < limit && *end == ']')
+                        end++;
+                else if (delim)
+                        return 0;
                break;
        default:
                BUG();
        }
-        if (ret == 0 || end == cp)
-                return 0;
        if (endp)
                *endp = end;
        return 1;
@@ -219,7 +231,7 @@ static int epaddr_len(const struct nf_conn *ct, const char *dptr,
        union nf_inet_addr addr;
        const char *aux = dptr;
-        if (!parse_addr(ct, dptr, &dptr, &addr, limit)) {
+        if (!sip_parse_addr(ct, dptr, &dptr, &addr, limit, true)) {
                pr_debug("ip: %s parse failed.!\n", dptr);
                return 0;
        }
@@ -296,7 +308,7 @@ int ct_sip_parse_request(const struct nf_conn *ct,
                return 0;
        dptr += shift;
-        if (!parse_addr(ct, dptr, &end, addr, limit))
+        if (!sip_parse_addr(ct, dptr, &end, addr, limit, true))
                return -1;
        if (end < limit && *end == ':') {
                end++;
@@ -550,7 +562,7 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
        if (ret == 0)
                return ret;
-        if (!parse_addr(ct, dptr + *matchoff, &c, addr, limit))
+        if (!sip_parse_addr(ct, dptr + *matchoff, &c, addr, limit, true))
                return -1;
        if (*c == ':') {
                c++;
@@ -599,7 +611,7 @@ int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
                               unsigned int dataoff, unsigned int datalen,
                               const char *name,
                               unsigned int *matchoff, unsigned int *matchlen,
-                               union nf_inet_addr *addr)
+                               union nf_inet_addr *addr, bool delim)
 {
        const char *limit = dptr + datalen;
        const char *start, *end;
@@ -613,7 +625,7 @@ int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
                return 0;
        start += strlen(name);
-        if (!parse_addr(ct, start, &end, addr, limit))
+        if (!sip_parse_addr(ct, start, &end, addr, limit, delim))
                return 0;
        *matchoff = start - dptr;
        *matchlen = end - start;
@@ -675,6 +687,47 @@ static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
        return 1;
 }
+static int sdp_parse_addr(const struct nf_conn *ct, const char *cp,
+                          const char **endp, union nf_inet_addr *addr,
+                          const char *limit)
+{
+        const char *end;
+        int ret;
+        memset(addr, 0, sizeof(*addr));
+        switch (nf_ct_l3num(ct)) {
+        case AF_INET:
+                ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
+                break;
+        case AF_INET6:
+                ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
+                break;
+        default:
+                BUG();
+        }
+        if (ret == 0)
+                return 0;
+        if (endp)
+                *endp = end;
+        return 1;
+}
+/* skip ip address. returns its length. */
+static int sdp_addr_len(const struct nf_conn *ct, const char *dptr,
+                        const char *limit, int *shift)
+{
+        union nf_inet_addr addr;
+        const char *aux = dptr;
+        if (!sdp_parse_addr(ct, dptr, &dptr, &addr, limit)) {
+                pr_debug("ip: %s parse failed.!\n", dptr);
+                return 0;
+        }
+        return dptr - aux;
+}
 /* SDP header parsing: a SDP session description contains an ordered set of
 * headers, starting with a section containing general session parameters,
 * optionally followed by multiple media descriptions.
@@ -686,10 +739,10 @@ static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
 */
 static const struct sip_header ct_sdp_hdrs[] = {
        [SDP_HDR_VERSION]               = SDP_HDR("v=", NULL, digits_len),
-        [SDP_HDR_OWNER_IP4]             = SDP_HDR("o=", "IN IP4 ", epaddr_len),
+        [SDP_HDR_OWNER_IP4]             = SDP_HDR("o=", "IN IP4 ", sdp_addr_len),
-        [SDP_HDR_CONNECTION_IP4]        = SDP_HDR("c=", "IN IP4 ", epaddr_len),
+        [SDP_HDR_CONNECTION_IP4]        = SDP_HDR("c=", "IN IP4 ", sdp_addr_len),
-        [SDP_HDR_OWNER_IP6]             = SDP_HDR("o=", "IN IP6 ", epaddr_len),
+        [SDP_HDR_OWNER_IP6]             = SDP_HDR("o=", "IN IP6 ", sdp_addr_len),
-        [SDP_HDR_CONNECTION_IP6]        = SDP_HDR("c=", "IN IP6 ", epaddr_len),
+        [SDP_HDR_CONNECTION_IP6]        = SDP_HDR("c=", "IN IP6 ", sdp_addr_len),
        [SDP_HDR_MEDIA]                 = SDP_HDR("m=", NULL, media_len),
 };
@@ -775,8 +828,8 @@ static int ct_sip_parse_sdp_addr(const struct nf_conn *ct, const char *dptr,
        if (ret <= 0)
                return ret;
-        if (!parse_addr(ct, dptr + *matchoff, NULL, addr,
+        if (!sdp_parse_addr(ct, dptr + *matchoff, NULL, addr,
-                        dptr + *matchoff + *matchlen))
+                            dptr + *matchoff + *matchlen))
                return -1;
        return 1;
 }
@@ -1515,7 +1568,6 @@ static int sip_help_udp(struct sk_buff *skb, unsigned int protoff,
 }
 static struct nf_conntrack_helper sip[MAX_PORTS][4] __read_mostly;
-static char sip_names[MAX_PORTS][4][sizeof("sip-65535")] __read_mostly;
 static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = {
        [SIP_EXPECT_SIGNALLING] = {
@@ -1585,9 +1637,9 @@ static int __init nf_conntrack_sip_init(void)
                        sip[i][j].me = THIS_MODULE;
                        if (ports[i] == SIP_PORT)
-                                sprintf(sip_names[i][j], "sip");
+                                sprintf(sip[i][j].name, "sip");
                        else
-                                sprintf(sip_names[i][j], "sip-%u", i);
+                                sprintf(sip[i][j].name, "sip-%u", i);
                        pr_debug("port #%u: %u\n", i, ports[i]);
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 5463969da45b..1445d73533ed 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1362,7 +1362,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
        if (NULL == siocb->scm)
                siocb->scm = &scm;
-        err = scm_send(sock, msg, siocb->scm);
+        err = scm_send(sock, msg, siocb->scm, true);
        if (err < 0)
                return err;
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index ceaca7c134a0..aee7196aac36 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1079,7 +1079,7 @@ static void *packet_current_rx_frame(struct packet_sock *po,
        default:
                WARN(1, "TPACKET version not supported\n");
                BUG();
-                return 0;
+                return NULL;
        }
 }
@@ -1273,6 +1273,14 @@ static void __fanout_unlink(struct sock *sk, struct packet_sock *po)
        spin_unlock(&f->lock);
 }
+bool match_fanout_group(struct packet_type *ptype, struct sock * sk)
+{
+        if (ptype->af_packet_priv == (void*)((struct packet_sock *)sk)->fanout)
+                return true;
+        return false;
+}
 static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
 {
        struct packet_sock *po = pkt_sk(sk);
@@ -1325,6 +1333,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
                match->prot_hook.dev = po->prot_hook.dev;
                match->prot_hook.func = packet_rcv_fanout;
                match->prot_hook.af_packet_priv = match;
+                match->prot_hook.id_match = match_fanout_group;
                dev_add_pack(&match->prot_hook);
                list_add(&match->list, &fanout_list);
        }
@@ -1936,7 +1945,6 @@ static void tpacket_destruct_skb(struct sk_buff *skb)
        if (likely(po->tx_ring.pg_vec)) {
                ph = skb_shinfo(skb)->destructor_arg;
-                BUG_ON(__packet_get_status(po, ph) != TP_STATUS_SENDING);
                BUG_ON(atomic_read(&po->tx_ring.pending) == 0);
                atomic_dec(&po->tx_ring.pending);
                __packet_set_status(po, ph, TP_STATUS_AVAILABLE);
diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
index f10fb8256442..05d60859d8e3 100644
--- a/net/sched/act_gact.c
+++ b/net/sched/act_gact.c
@@ -67,6 +67,9 @@ static int tcf_gact_init(struct nlattr *nla, struct nlattr *est,
        struct tcf_common *pc;
        int ret = 0;
        int err;
+#ifdef CONFIG_GACT_PROB
+        struct tc_gact_p *p_parm = NULL;
+#endif
        if (nla == NULL)
                return -EINVAL;
@@ -82,6 +85,12 @@ static int tcf_gact_init(struct nlattr *nla, struct nlattr *est,
 #ifndef CONFIG_GACT_PROB
        if (tb[TCA_GACT_PROB] != NULL)
                return -EOPNOTSUPP;
+#else
+        if (tb[TCA_GACT_PROB]) {
+                p_parm = nla_data(tb[TCA_GACT_PROB]);
+                if (p_parm->ptype >= MAX_RAND)
+                        return -EINVAL;
+        }
 #endif
        pc = tcf_hash_check(parm->index, a, bind, &gact_hash_info);
@@ -103,8 +112,7 @@ static int tcf_gact_init(struct nlattr *nla, struct nlattr *est,
        spin_lock_bh(&gact->tcf_lock);
        gact->tcf_action = parm->action;
 #ifdef CONFIG_GACT_PROB
-        if (tb[TCA_GACT_PROB] != NULL) {
+        if (p_parm) {
-                struct tc_gact_p *p_parm = nla_data(tb[TCA_GACT_PROB]);
                gact->tcfg_paction = p_parm->paction;
                gact->tcfg_pval    = p_parm->pval;
                gact->tcfg_ptype   = p_parm->ptype;
@@ -133,7 +141,7 @@ static int tcf_gact(struct sk_buff *skb, const struct tc_action *a,
        spin_lock(&gact->tcf_lock);
 #ifdef CONFIG_GACT_PROB
-        if (gact->tcfg_ptype && gact_rand[gact->tcfg_ptype] != NULL)
+        if (gact->tcfg_ptype)
                action = gact_rand[gact->tcfg_ptype](gact);
        else
                action = gact->tcf_action;
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 60e281ad0f07..58fb3c7aab9e 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -185,7 +185,12 @@ err3:
 err2:
        kfree(tname);
 err1:
-        kfree(pc);
+        if (ret == ACT_P_CREATED) {
+                if (est)
+                        gen_kill_estimator(&pc->tcfc_bstats,
+                                           &pc->tcfc_rate_est);
+                kfree_rcu(pc, tcfc_rcu);
+        }
        return err;
 }
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index fe81cc18e9e0..9c0fd0c78814 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -200,13 +200,12 @@ static int tcf_mirred(struct sk_buff *skb, const struct tc_action *a,
 out:
        if (err) {
                m->tcf_qstats.overlimits++;
-                /* should we be asking for packet to be dropped?
+                if (m->tcfm_eaction != TCA_EGRESS_MIRROR)
-                 * may make sense for redirect case only
+                        retval = TC_ACT_SHOT;
-                 */
+                else
-                retval = TC_ACT_SHOT;
+                        retval = m->tcf_action;
-        } else {
+        } else
                retval = m->tcf_action;
-        }
        spin_unlock(&m->tcf_lock);
        return retval;
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 26aa2f6ce257..45c53ab067a6 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -74,7 +74,10 @@ static int tcf_pedit_init(struct nlattr *nla, struct nlattr *est,
                p = to_pedit(pc);
                keys = kmalloc(ksize, GFP_KERNEL);
                if (keys == NULL) {
-                        kfree(pc);
+                        if (est)
+                                gen_kill_estimator(&pc->tcfc_bstats,
+                                                   &pc->tcfc_rate_est);
+                        kfree_rcu(pc, tcfc_rcu);
                        return -ENOMEM;
                }
                ret = ACT_P_CREATED;
diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
index 3922f2a2821b..3714f60f0b3c 100644
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -131,7 +131,10 @@ static int tcf_simp_init(struct nlattr *nla, struct nlattr *est,
                d = to_defact(pc);
                ret = alloc_defdata(d, defdata);
                if (ret < 0) {
-                        kfree(pc);
+                        if (est)
+                                gen_kill_estimator(&pc->tcfc_bstats,
+                                                   &pc->tcfc_rate_est);
+                        kfree_rcu(pc, tcfc_rcu);
                        return ret;
                }
                d->tcf_action = parm->action;
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index 9af01f3df18c..e4723d31fdd5 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -203,6 +203,34 @@ out:
        return index;
 }
+/* Length of the next packet (0 if the queue is empty). */
+static unsigned int qdisc_peek_len(struct Qdisc *sch)
+{
+        struct sk_buff *skb;
+        skb = sch->ops->peek(sch);
+        return skb ? qdisc_pkt_len(skb) : 0;
+}
+static void qfq_deactivate_class(struct qfq_sched *, struct qfq_class *);
+static void qfq_activate_class(struct qfq_sched *q, struct qfq_class *cl,
+                               unsigned int len);
+static void qfq_update_class_params(struct qfq_sched *q, struct qfq_class *cl,
+                                    u32 lmax, u32 inv_w, int delta_w)
+{
+        int i;
+        /* update qfq-specific data */
+        cl->lmax = lmax;
+        cl->inv_w = inv_w;
+        i = qfq_calc_index(cl->inv_w, cl->lmax);
+        cl->grp = &q->groups[i];
+        q->wsum += delta_w;
+}
 static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
                            struct nlattr **tca, unsigned long *arg)
 {
@@ -250,6 +278,8 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
                lmax = 1UL << QFQ_MTU_SHIFT;
        if (cl != NULL) {
+                bool need_reactivation = false;
                if (tca[TCA_RATE]) {
                        err = gen_replace_estimator(&cl->bstats, &cl->rate_est,
                                                    qdisc_root_sleeping_lock(sch),
@@ -258,12 +288,29 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
                                return err;
                }
-                if (inv_w != cl->inv_w) {
+                if (lmax == cl->lmax && inv_w == cl->inv_w)
-                        sch_tree_lock(sch);
+                        return 0; /* nothing to update */
-                        q->wsum += delta_w;
-                        cl->inv_w = inv_w;
+                i = qfq_calc_index(inv_w, lmax);
-                        sch_tree_unlock(sch);
+                sch_tree_lock(sch);
+                if (&q->groups[i] != cl->grp && cl->qdisc->q.qlen > 0) {
+                        /*
+                         * shift cl->F back, to not charge the
+                         * class for the not-yet-served head
+                         * packet
+                         */
+                        cl->F = cl->S;
+                        /* remove class from its slot in the old group */
+                        qfq_deactivate_class(q, cl);
+                        need_reactivation = true;
                }
+                qfq_update_class_params(q, cl, lmax, inv_w, delta_w);
+                if (need_reactivation) /* activate in new group */
+                        qfq_activate_class(q, cl, qdisc_peek_len(cl->qdisc));
+                sch_tree_unlock(sch);
                return 0;
        }
@@ -273,11 +320,8 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
        cl->refcnt = 1;
        cl->common.classid = classid;
-        cl->lmax = lmax;
-        cl->inv_w = inv_w;
-        i = qfq_calc_index(cl->inv_w, cl->lmax);
-        cl->grp = &q->groups[i];
+        qfq_update_class_params(q, cl, lmax, inv_w, delta_w);
        cl->qdisc = qdisc_create_dflt(sch->dev_queue,
                                      &pfifo_qdisc_ops, classid);
@@ -294,7 +338,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
                        return err;
                }
        }
-        q->wsum += weight;
        sch_tree_lock(sch);
        qdisc_class_hash_insert(&q->clhash, &cl->common);
@@ -711,15 +754,6 @@ static void qfq_update_eligible(struct qfq_sched *q, u64 old_V)
        }
 }
-/* What is length of next packet in queue (0 if queue is empty) */
-static unsigned int qdisc_peek_len(struct Qdisc *sch)
-{
-        struct sk_buff *skb;
-        skb = sch->ops->peek(sch);
-        return skb ? qdisc_pkt_len(skb) : 0;
-}
 /*
 * Updates the class, returns true if also the group needs to be updated.
 */
@@ -843,11 +877,8 @@ static void qfq_update_start(struct qfq_sched *q, struct qfq_class *cl)
 static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
        struct qfq_sched *q = qdisc_priv(sch);
-        struct qfq_group *grp;
        struct qfq_class *cl;
        int err;
-        u64 roundedS;
-        int s;
        cl = qfq_classify(skb, sch, &err);
        if (cl == NULL) {
@@ -876,11 +907,25 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
                return err;
        /* If reach this point, queue q was idle */
-        grp = cl->grp;
+        qfq_activate_class(q, cl, qdisc_pkt_len(skb));
+        return err;
+}
+/*
+ * Handle class switch from idle to backlogged.
+ */
+static void qfq_activate_class(struct qfq_sched *q, struct qfq_class *cl,
+                               unsigned int pkt_len)
+{
+        struct qfq_group *grp = cl->grp;
+        u64 roundedS;
+        int s;
        qfq_update_start(q, cl);
        /* compute new finish time and rounded start. */
-        cl->F = cl->S + (u64)qdisc_pkt_len(skb) * cl->inv_w;
+        cl->F = cl->S + (u64)pkt_len * cl->inv_w;
        roundedS = qfq_round_down(cl->S, grp->slot_shift);
        /*
@@ -917,8 +962,6 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 skip_update:
        qfq_slot_insert(grp, cl, roundedS);
-        return err;
 }
diff --git a/net/socket.c b/net/socket.c
index dfe5b66c97e0..a5471f804d99 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2657,6 +2657,7 @@ static int dev_ifconf(struct net *net, struct compat_ifconf __user *uifc32)
        if (copy_from_user(&ifc32, uifc32, sizeof(struct compat_ifconf)))
                return -EFAULT;
+        memset(&ifc, 0, sizeof(ifc));
        if (ifc32.ifcbuf == 0) {
                ifc32.ifc_len = 0;
                ifc.ifc_len = 0;
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index e4768c180da2..c5ee4ff61364 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1450,7 +1450,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
        if (NULL == siocb->scm)
                siocb->scm = &tmp_scm;
        wait_for_unix_gc();
-        err = scm_send(sock, msg, siocb->scm);
+        err = scm_send(sock, msg, siocb->scm, false);
        if (err < 0)
                return err;
@@ -1619,7 +1619,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
        if (NULL == siocb->scm)
                siocb->scm = &tmp_scm;
        wait_for_unix_gc();
-        err = scm_send(sock, msg, siocb->scm);
+        err = scm_send(sock, msg, siocb->scm, false);
        if (err < 0)
                return err;
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 31b40cc4a9c3..dcd64d5b07aa 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -952,6 +952,11 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
                 */
                synchronize_rcu();
                INIT_LIST_HEAD(&wdev->list);
+                /*
+                 * Ensure that all events have been processed and
+                 * freed.
+                 */
+                cfg80211_process_wdev_events(wdev);
                break;
        case NETDEV_PRE_UP:
                if (!(wdev->wiphy->interface_modes & BIT(wdev->iftype)))
diff --git a/net/wireless/core.h b/net/wireless/core.h
index 5206c6844fd7..bc7430b54771 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -426,6 +426,7 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
                          struct net_device *dev, enum nl80211_iftype ntype,
                          u32 *flags, struct vif_params *params);
 void cfg80211_process_rdev_events(struct cfg80211_registered_device *rdev);
+void cfg80211_process_wdev_events(struct wireless_dev *wdev);
 int cfg80211_can_use_iftype_chan(struct cfg80211_registered_device *rdev,
                                 struct wireless_dev *wdev,
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 2303ee73b50a..2ded3c7fad06 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -680,6 +680,8 @@ static u32 map_regdom_flags(u32 rd_flags)
                channel_flags |= IEEE80211_CHAN_NO_IBSS;
        if (rd_flags & NL80211_RRF_DFS)
                channel_flags |= IEEE80211_CHAN_RADAR;
+        if (rd_flags & NL80211_RRF_NO_OFDM)
+                channel_flags |= IEEE80211_CHAN_NO_OFDM;
        return channel_flags;
 }
@@ -901,7 +903,21 @@ static void handle_channel(struct wiphy *wiphy,
        chan->max_antenna_gain = min(chan->orig_mag,
                (int) MBI_TO_DBI(power_rule->max_antenna_gain));
        chan->max_reg_power = (int) MBM_TO_DBM(power_rule->max_eirp);
-        chan->max_power = min(chan->max_power, chan->max_reg_power);
+        if (chan->orig_mpwr) {
+                /*
+                 * Devices that have their own custom regulatory domain
+                 * but also use WIPHY_FLAG_STRICT_REGULATORY will follow the
+                 * passed country IE power settings.
+                 */
+                if (initiator == NL80211_REGDOM_SET_BY_COUNTRY_IE &&
+                    wiphy->flags & WIPHY_FLAG_CUSTOM_REGULATORY &&
+                    wiphy->flags & WIPHY_FLAG_STRICT_REGULATORY)
+                        chan->max_power = chan->max_reg_power;
+                else
+                        chan->max_power = min(chan->orig_mpwr,
+                                              chan->max_reg_power);
+        } else
+                chan->max_power = chan->max_reg_power;
 }
 static void handle_band(struct wiphy *wiphy,
@@ -1885,6 +1901,7 @@ static void restore_custom_reg_settings(struct wiphy *wiphy)
                        chan->flags = chan->orig_flags;
                        chan->max_antenna_gain = chan->orig_mag;
                        chan->max_power = chan->orig_mpwr;
+                        chan->beacon_found = false;
                }
        }
 }
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 26f8cd30f712..994e2f0cc7a8 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -735,7 +735,7 @@ void cfg80211_upload_connect_keys(struct wireless_dev *wdev)
        wdev->connect_keys = NULL;
 }
-static void cfg80211_process_wdev_events(struct wireless_dev *wdev)
+void cfg80211_process_wdev_events(struct wireless_dev *wdev)
 {
        struct cfg80211_event *ev;
        unsigned long flags;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index c5a5165a5927..5a2aa17e4d3c 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1357,6 +1357,8 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
                memset(dst + 1, 0, sizeof(*xdst) - sizeof(*dst));
                xdst->flo.ops = &xfrm_bundle_fc_ops;
+                if (afinfo->init_dst)
+                        afinfo->init_dst(net, xdst);
        } else
                xdst = ERR_PTR(-ENOBUFS);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 5b228f97d4b3..87cd0e4d4282 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -415,8 +415,17 @@ static enum hrtimer_restart xfrm_timer_handler(struct hrtimer * me)
        if (x->lft.hard_add_expires_seconds) {
                long tmo = x->lft.hard_add_expires_seconds +
                        x->curlft.add_time - now;
-                if (tmo <= 0)
+                if (tmo <= 0) {
-                        goto expired;
+                        if (x->xflags & XFRM_SOFT_EXPIRE) {
+                                /* enter hard expire without soft expire first?!
+                                 * setting a new date could trigger this.
+                                 * workarbound: fix x->curflt.add_time by below:
+                                 */
+                                x->curlft.add_time = now - x->saved_tmo - 1;
+                                tmo = x->lft.hard_add_expires_seconds - x->saved_tmo;
+                        } else
+                                goto expired;
+                }
                if (tmo < next)
                        next = tmo;
        }
@@ -433,10 +442,14 @@ static enum hrtimer_restart xfrm_timer_handler(struct hrtimer * me)
        if (x->lft.soft_add_expires_seconds) {
                long tmo = x->lft.soft_add_expires_seconds +
                        x->curlft.add_time - now;
-                if (tmo <= 0)
+                if (tmo <= 0) {
                        warn = 1;
-                else if (tmo < next)
+                        x->xflags &= ~XFRM_SOFT_EXPIRE;
+                } else if (tmo < next) {
                        next = tmo;
+                        x->xflags |= XFRM_SOFT_EXPIRE;
+                        x->saved_tmo = tmo;
+                }
        }
        if (x->lft.soft_use_expires_seconds) {
                long tmo = x->lft.soft_use_expires_seconds +