80 files changed, 526 insertions, 320 deletions

diff --git a/net/9p/protocol.c b/net/9p/protocol.c
index 9ee48cb30179..3d33ecf13327 100644
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -368,7 +368,7 @@ p9pdu_vwritef(struct p9_fcall *pdu, int proto_version, const char *fmt,
                                 const char *sptr = va_arg(ap, const char *);
                                 uint16_t len = 0;
                                 if (sptr)
-                                        len = min_t(uint16_t, strlen(sptr),
+                                        len = min_t(size_t, strlen(sptr),
                                                                 USHRT_MAX);
 
                                 errcode = p9pdu_writef(pdu, proto_version,
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index 5af18d11b518..2a167658bb95 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -192,10 +192,10 @@ static int pack_sg_list(struct scatterlist *sg, int start,
                 s = rest_of_page(data);
                 if (s > count)
                         s = count;
+                BUG_ON(index > limit);
                 sg_set_buf(&sg[index++], data, s);
                 count -= s;
                 data += s;
-                BUG_ON(index > limit);
         }
 
         return index-start;
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index 0301b328cf0f..86852963b7f7 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -1208,9 +1208,7 @@ static int atalk_connect(struct socket *sock, struct sockaddr *uaddr,
         if (addr->sat_addr.s_node == ATADDR_BCAST &&
             !sock_flag(sk, SOCK_BROADCAST)) {
 #if 1
-                printk(KERN_WARNING "%s is broken and did not set "
-                                    "SO_BROADCAST. It will break when 2.2 is "
-                                    "released.\n",
+                pr_warn("atalk_connect: %s is broken and did not set SO_BROADCAST.\n",
                         current->comm);
 #else
                 return -EACCES;
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 840e2c64a301..015471d801b4 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -617,6 +617,8 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if)
                          * changes */
                         if (skb_linearize(skb) < 0)
                                 goto out;
+                        /* skb_linearize() possibly changed skb->data */
+                        tt_query = (struct tt_query_packet *)skb->data;
 
                         tt_len = tt_query->tt_data * sizeof(struct tt_change);
 
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index a66c2dcd1088..2ab83d7fb1f8 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -141,13 +141,14 @@ static void tt_orig_list_entry_free_rcu(struct rcu_head *rcu)
         struct tt_orig_list_entry *orig_entry;
 
         orig_entry = container_of(rcu, struct tt_orig_list_entry, rcu);
-        atomic_dec(&orig_entry->orig_node->tt_size);
         orig_node_free_ref(orig_entry->orig_node);
         kfree(orig_entry);
 }
 
 static void tt_orig_list_entry_free_ref(struct tt_orig_list_entry *orig_entry)
 {
+        /* to avoid race conditions, immediately decrease the tt counter */
+        atomic_dec(&orig_entry->orig_node->tt_size);
         call_rcu(&orig_entry->rcu, tt_orig_list_entry_free_rcu);
 }
 
@@ -910,7 +911,6 @@ void tt_global_del_orig(struct bat_priv *bat_priv,
                 }
                 spin_unlock_bh(list_lock);
         }
-        atomic_set(&orig_node->tt_size, 0);
         orig_node->tt_initialised = false;
 }
 
@@ -2031,10 +2031,10 @@ bool is_ap_isolated(struct bat_priv *bat_priv, uint8_t *src, uint8_t *dst)
 {
         struct tt_local_entry *tt_local_entry = NULL;
         struct tt_global_entry *tt_global_entry = NULL;
-        bool ret = true;
+        bool ret = false;
 
         if (!atomic_read(&bat_priv->ap_isolation))
-                return false;
+                goto out;
 
         tt_local_entry = tt_local_hash_find(bat_priv, dst);
         if (!tt_local_entry)
@@ -2044,10 +2044,10 @@ bool is_ap_isolated(struct bat_priv *bat_priv, uint8_t *src, uint8_t *dst)
         if (!tt_global_entry)
                 goto out;
 
-        if (_is_ap_isolated(tt_local_entry, tt_global_entry))
+        if (!_is_ap_isolated(tt_local_entry, tt_global_entry))
                 goto out;
 
-        ret = false;
+        ret = true;
 
 out:
         if (tt_global_entry)
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index 46e7f86acfc9..3e18af4dadc4 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -210,7 +210,7 @@ struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
                 }
 
                 if (sk->sk_state == BT_CONNECTED || !newsock ||
-                    test_bit(BT_DEFER_SETUP, &bt_sk(parent)->flags)) {
+                    test_bit(BT_SK_DEFER_SETUP, &bt_sk(parent)->flags)) {
                         bt_accept_unlink(sk);
                         if (newsock)
                                 sock_graft(sk, newsock);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 4eefb7f65cf6..94ad124a4ea3 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3043,6 +3043,50 @@ static inline void hci_extended_inquiry_result_evt(struct hci_dev *hdev, struct
         hci_dev_unlock(hdev);
 }
 
+static void hci_key_refresh_complete_evt(struct hci_dev *hdev,
+                                         struct sk_buff *skb)
+{
+        struct hci_ev_key_refresh_complete *ev = (void *) skb->data;
+        struct hci_conn *conn;
+
+        BT_DBG("%s status %u handle %u", hdev->name, ev->status,
+               __le16_to_cpu(ev->handle));
+
+        hci_dev_lock(hdev);
+
+        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
+        if (!conn)
+                goto unlock;
+
+        if (!ev->status)
+                conn->sec_level = conn->pending_sec_level;
+
+        clear_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags);
+
+        if (ev->status && conn->state == BT_CONNECTED) {
+                hci_acl_disconn(conn, HCI_ERROR_AUTH_FAILURE);
+                hci_conn_put(conn);
+                goto unlock;
+        }
+
+        if (conn->state == BT_CONFIG) {
+                if (!ev->status)
+                        conn->state = BT_CONNECTED;
+
+                hci_proto_connect_cfm(conn, ev->status);
+                hci_conn_put(conn);
+        } else {
+                hci_auth_cfm(conn, ev->status);
+
+                hci_conn_hold(conn);
+                conn->disc_timeout = HCI_DISCONN_TIMEOUT;
+                hci_conn_put(conn);
+        }
+
+unlock:
+        hci_dev_unlock(hdev);
+}
+
 static inline u8 hci_get_auth_req(struct hci_conn *conn)
 {
         /* If remote requests dedicated bonding follow that lead */
@@ -3559,6 +3603,10 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
                 hci_extended_inquiry_result_evt(hdev, skb);
                 break;
 
+        case HCI_EV_KEY_REFRESH_COMPLETE:
+                hci_key_refresh_complete_evt(hdev, skb);
+                break;
+
         case HCI_EV_IO_CAPA_REQUEST:
                 hci_io_capa_request_evt(hdev, skb);
                 break;
diff --git a/net/bluetooth/hidp/Kconfig b/net/bluetooth/hidp/Kconfig
index 4deaca78e91e..9332bc7aa851 100644
--- a/net/bluetooth/hidp/Kconfig
+++ b/net/bluetooth/hidp/Kconfig
@@ -1,6 +1,6 @@
 config BT_HIDP
         tristate "HIDP protocol support"
-        depends on BT && INPUT && HID_SUPPORT
+        depends on BT && INPUT
         select HID
         help
           HIDP (Human Interface Device Protocol) is a transport layer
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 24f144b72a96..4554e80d16a3 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1295,7 +1295,12 @@ static void security_timeout(struct work_struct *work)
         struct l2cap_conn *conn = container_of(work, struct l2cap_conn,
                                                 security_timer.work);
 
-        l2cap_conn_del(conn->hcon, ETIMEDOUT);
+        BT_DBG("conn %p", conn);
+
+        if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
+                smp_chan_destroy(conn);
+                l2cap_conn_del(conn->hcon, ETIMEDOUT);
+        }
 }
 
 static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
@@ -2910,12 +2915,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
         while (len >= L2CAP_CONF_OPT_SIZE) {
                 len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
 
-                switch (type) {
-                case L2CAP_CONF_RFC:
-                        if (olen == sizeof(rfc))
-                                memcpy(&rfc, (void *)val, olen);
-                        goto done;
-                }
+                if (type != L2CAP_CONF_RFC)
+                        continue;
+
+                if (olen != sizeof(rfc))
+                        break;
+
+                memcpy(&rfc, (void *)val, olen);
+                goto done;
         }
 
         /* Use sane default values in case a misbehaving remote device
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 25d220776079..3e5e3362ea00 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1598,7 +1598,7 @@ static int disconnect(struct sock *sk, struct hci_dev *hdev, void *data,
         else
                 conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->addr.bdaddr);
 
-        if (!conn) {
+        if (!conn || conn->state == BT_OPEN || conn->state == BT_CLOSED) {
                 err = cmd_status(sk, hdev->id, MGMT_OP_DISCONNECT,
                                  MGMT_STATUS_NOT_CONNECTED);
                 goto failed;
@@ -1873,6 +1873,22 @@ static void pairing_complete_cb(struct hci_conn *conn, u8 status)
                 pairing_complete(cmd, mgmt_status(status));
 }
 
+static void le_connect_complete_cb(struct hci_conn *conn, u8 status)
+{
+        struct pending_cmd *cmd;
+
+        BT_DBG("status %u", status);
+
+        if (!status)
+                return;
+
+        cmd = find_pairing(conn);
+        if (!cmd)
+                BT_DBG("Unable to find a pending command");
+        else
+                pairing_complete(cmd, mgmt_status(status));
+}
+
 static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
                        u16 len)
 {
@@ -1934,6 +1950,8 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
         /* For LE, just connecting isn't a proof that the pairing finished */
         if (cp->addr.type == BDADDR_BREDR)
                 conn->connect_cfm_cb = pairing_complete_cb;
+        else
+                conn->connect_cfm_cb = le_connect_complete_cb;
 
         conn->security_cfm_cb = pairing_complete_cb;
         conn->disconn_cfm_cb = pairing_complete_cb;
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 6fc7c4708f3e..37df4e9b3896 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -648,7 +648,7 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
 
         auth |= (req->auth_req | rsp->auth_req) & SMP_AUTH_MITM;
 
-        ret = tk_request(conn, 0, auth, rsp->io_capability, req->io_capability);
+        ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
         if (ret)
                 return SMP_UNSPECIFIED;
 
@@ -703,7 +703,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
         return 0;
 }
 
-static u8 smp_ltk_encrypt(struct l2cap_conn *conn)
+static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
 {
         struct smp_ltk *key;
         struct hci_conn *hcon = conn->hcon;
@@ -712,6 +712,9 @@ static u8 smp_ltk_encrypt(struct l2cap_conn *conn)
         if (!key)
                 return 0;
 
+        if (sec_level > BT_SECURITY_MEDIUM && !key->authenticated)
+                return 0;
+
         if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
                 return 1;
 
@@ -732,7 +735,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
 
         hcon->pending_sec_level = authreq_to_seclevel(rp->auth_req);
 
-        if (smp_ltk_encrypt(conn))
+        if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
                 return 0;
 
         if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
@@ -771,7 +774,7 @@ int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
                 return 1;
 
         if (hcon->link_mode & HCI_LM_MASTER)
-                if (smp_ltk_encrypt(conn))
+                if (smp_ltk_encrypt(conn, sec_level))
                         goto done;
 
         if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 0a942fbccc9a..e1144e1617be 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -240,6 +240,7 @@ int br_add_bridge(struct net *net, const char *name)
                 return -ENOMEM;
 
         dev_net_set(dev, net);
+        dev->rtnl_link_ops = &br_link_ops;
 
         res = register_netdev(dev);
         if (res)
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 2080485515f1..fe41260fbf38 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -208,7 +208,7 @@ static int br_validate(struct nlattr *tb[], struct nlattr *data[])
         return 0;
 }
 
-static struct rtnl_link_ops br_link_ops __read_mostly = {
+struct rtnl_link_ops br_link_ops __read_mostly = {
         .kind           = "bridge",
         .priv_size      = sizeof(struct net_bridge),
         .setup          = br_dev_setup,
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 1a8ad4fb9a6b..a768b2408edf 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -549,6 +549,7 @@ extern int (*br_fdb_test_addr_hook)(struct net_device *dev, unsigned char *addr)
 #endif
 
 /* br_netlink.c */
+extern struct rtnl_link_ops br_link_ops;
 extern int br_netlink_init(void);
 extern void br_netlink_fini(void);
 extern void br_ifinfo_notify(int event, struct net_bridge_port *port);
diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
index aa6f716524fd..554b31289607 100644
--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -4,8 +4,7 @@
  * Author:      Sjur Brendeland/sjur.brandeland@stericsson.com
  * License terms: GNU General Public License (GPL) version 2
  *
- * Borrowed heavily from file: pn_dev.c. Thanks to
- *  Remi Denis-Courmont <remi.denis-courmont@nokia.com>
+ * Borrowed heavily from file: pn_dev.c. Thanks to Remi Denis-Courmont
  *  and Sakari Ailus <sakari.ailus@nokia.com>
  */
 
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index fb8944355264..78f1cdad5b33 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -220,6 +220,7 @@ static void caif_ctrl_cb(struct cflayer *layr,
                                                 cfsk_hold, cfsk_put);
                 cf_sk->sk.sk_state = CAIF_CONNECTED;
                 set_tx_flow_on(cf_sk);
+                cf_sk->sk.sk_shutdown = 0;
                 cf_sk->sk.sk_state_change(&cf_sk->sk);
                 break;
 
diff --git a/net/can/raw.c b/net/can/raw.c
index cde1b4a20f75..46cca3a91d19 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -681,9 +681,6 @@ static int raw_sendmsg(struct kiocb *iocb, struct socket *sock,
         if (err < 0)
                 goto free_skb;
 
-        /* to be able to check the received tx sock reference in raw_rcv() */
-        skb_shinfo(skb)->tx_flags |= SKBTX_DRV_NEEDS_SK_REF;
-
         skb->dev = dev;
         skb->sk  = sk;
 
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index a776f751edbf..ba4323bce0e9 100644
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -504,13 +504,6 @@ void ceph_destroy_client(struct ceph_client *client)
         /* unmount */
         ceph_osdc_stop(&client->osdc);
 
-        /*
-         * make sure osd connections close out before destroying the
-         * auth module, which is needed to free those connections'
-         * ceph_authorizers.
-         */
-        ceph_msgr_flush();
-
         ceph_monc_stop(&client->monc);
 
         ceph_debugfs_client_cleanup(client);
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 524f4e4f598b..b332c3d76059 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -563,6 +563,10 @@ static void prepare_write_message(struct ceph_connection *con)
                 m->hdr.seq = cpu_to_le64(++con->out_seq);
                 m->needs_out_seq = false;
         }
+#ifdef CONFIG_BLOCK
+        else
+                m->bio_iter = NULL;
+#endif
 
         dout("prepare_write_message %p seq %lld type %d len %d+%d+%d %d pgs\n",
              m, con->out_seq, le16_to_cpu(m->hdr.type),
diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
index 10d6008d31f2..d0649a9655be 100644
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -847,6 +847,14 @@ void ceph_monc_stop(struct ceph_mon_client *monc)
 
         mutex_unlock(&monc->mutex);
 
+        /*
+         * flush msgr queue before we destroy ourselves to ensure that:
+         *  - any work that references our embedded con is finished.
+         *  - any osd_client or other work that may reference an authorizer
+         *    finishes before we shut down the auth subsystem.
+         */
+        ceph_msgr_flush();
+
         ceph_auth_destroy(monc->auth);
 
         ceph_msg_put(monc->m_auth);
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index 1ffebed5ce0f..ca59e66c9787 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -139,15 +139,15 @@ void ceph_osdc_release_request(struct kref *kref)
 
         if (req->r_request)
                 ceph_msg_put(req->r_request);
-        if (req->r_reply)
-                ceph_msg_put(req->r_reply);
         if (req->r_con_filling_msg) {
                 dout("release_request revoking pages %p from con %p\n",
                      req->r_pages, req->r_con_filling_msg);
                 ceph_con_revoke_message(req->r_con_filling_msg,
                                       req->r_reply);
-                ceph_con_put(req->r_con_filling_msg);
+                req->r_con_filling_msg->ops->put(req->r_con_filling_msg);
         }
+        if (req->r_reply)
+                ceph_msg_put(req->r_reply);
         if (req->r_own_pages)
                 ceph_release_page_vector(req->r_pages,
                                          req->r_num_pages);
@@ -1216,7 +1216,7 @@ static void handle_reply(struct ceph_osd_client *osdc, struct ceph_msg *msg,
         if (req->r_con_filling_msg == con && req->r_reply == msg) {
                 dout(" dropping con_filling_msg ref %p\n", con);
                 req->r_con_filling_msg = NULL;
-                ceph_con_put(con);
+                con->ops->put(con);
         }
 
         if (!req->r_got_reply) {
@@ -2028,7 +2028,7 @@ static struct ceph_msg *get_reply(struct ceph_connection *con,
                 dout("get_reply revoking msg %p from old con %p\n",
                      req->r_reply, req->r_con_filling_msg);
                 ceph_con_revoke_message(req->r_con_filling_msg, req->r_reply);
-                ceph_con_put(req->r_con_filling_msg);
+                req->r_con_filling_msg->ops->put(req->r_con_filling_msg);
                 req->r_con_filling_msg = NULL;
         }
 
@@ -2063,7 +2063,7 @@ static struct ceph_msg *get_reply(struct ceph_connection *con,
 #endif
         }
         *skip = 0;
-        req->r_con_filling_msg = ceph_con_get(con);
+        req->r_con_filling_msg = con->ops->get(con);
         dout("get_reply tid %lld %p\n", tid, m);
 
 out:
diff --git a/net/core/dev.c b/net/core/dev.c
index cd0981977f5c..84f01ba81a34 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1136,8 +1136,8 @@ void dev_load(struct net *net, const char *name)
                 no_module = request_module("netdev-%s", name);
         if (no_module && capable(CAP_SYS_MODULE)) {
                 if (!request_module("%s", name))
-                        pr_err("Loading kernel module for a network device with CAP_SYS_MODULE (deprecated).  Use CAP_NET_ADMIN and alias netdev-%s instead.\n",
-                               name);
+                        pr_warn("Loading kernel module for a network device with CAP_SYS_MODULE (deprecated).  Use CAP_NET_ADMIN and alias netdev-%s instead.\n",
+                                name);
         }
 }
 EXPORT_SYMBOL(dev_load);
@@ -2089,25 +2089,6 @@ static int dev_gso_segment(struct sk_buff *skb, netdev_features_t features)
         return 0;
 }
 
-/*
- * Try to orphan skb early, right before transmission by the device.
- * We cannot orphan skb if tx timestamp is requested or the sk-reference
- * is needed on driver level for other reasons, e.g. see net/can/raw.c
- */
-static inline void skb_orphan_try(struct sk_buff *skb)
-{
-        struct sock *sk = skb->sk;
-
-        if (sk && !skb_shinfo(skb)->tx_flags) {
-                /* skb_tx_hash() wont be able to get sk.
-                 * We copy sk_hash into skb->rxhash
-                 */
-                if (!skb->rxhash)
-                        skb->rxhash = sk->sk_hash;
-                skb_orphan(skb);
-        }
-}
-
 static bool can_checksum_protocol(netdev_features_t features, __be16 protocol)
 {
         return ((features & NETIF_F_GEN_CSUM) ||
@@ -2193,8 +2174,6 @@ int dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev,
                 if (!list_empty(&ptype_all))
                         dev_queue_xmit_nit(skb, dev);
 
-                skb_orphan_try(skb);
-
                 features = netif_skb_features(skb);
 
                 if (vlan_tx_tag_present(skb) &&
@@ -2304,7 +2283,7 @@ u16 __skb_tx_hash(const struct net_device *dev, const struct sk_buff *skb,
         if (skb->sk && skb->sk->sk_hash)
                 hash = skb->sk->sk_hash;
         else
-                hash = (__force u16) skb->protocol ^ skb->rxhash;
+                hash = (__force u16) skb->protocol;
         hash = jhash_1word(hash, hashrnd);
 
         return (u16) (((u64) hash * qcount) >> 32) + qoffset;
diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
index ea5fb9fcc3f5..d23b6682f4e9 100644
--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -36,9 +36,6 @@
 #define TRACE_ON 1
 #define TRACE_OFF 0
 
-static void send_dm_alert(struct work_struct *unused);
-
-
 /*
  * Globals, our netlink socket pointer
  * and the work handle that will send up
@@ -48,11 +45,10 @@ static int trace_state = TRACE_OFF;
 static DEFINE_MUTEX(trace_state_mutex);
 
 struct per_cpu_dm_data {
-        struct work_struct dm_alert_work;
-        struct sk_buff __rcu *skb;
-        atomic_t dm_hit_count;
-        struct timer_list send_timer;
-        int cpu;
+        spinlock_t              lock;
+        struct sk_buff          *skb;
+        struct work_struct      dm_alert_work;
+        struct timer_list       send_timer;
 };
 
 struct dm_hw_stat_delta {
@@ -78,13 +74,13 @@ static int dm_delay = 1;
 static unsigned long dm_hw_check_delta = 2*HZ;
 static LIST_HEAD(hw_stats_list);
 
-static void reset_per_cpu_data(struct per_cpu_dm_data *data)
+static struct sk_buff *reset_per_cpu_data(struct per_cpu_dm_data *data)
 {
         size_t al;
         struct net_dm_alert_msg *msg;
         struct nlattr *nla;
         struct sk_buff *skb;
-        struct sk_buff *oskb = rcu_dereference_protected(data->skb, 1);
+        unsigned long flags;
 
         al = sizeof(struct net_dm_alert_msg);
         al += dm_hit_limit * sizeof(struct net_dm_drop_point);
@@ -99,65 +95,40 @@ static void reset_per_cpu_data(struct per_cpu_dm_data *data)
                                   sizeof(struct net_dm_alert_msg));
                 msg = nla_data(nla);
                 memset(msg, 0, al);
-        } else
-                schedule_work_on(data->cpu, &data->dm_alert_work);
-
-        /*
-         * Don't need to lock this, since we are guaranteed to only
-         * run this on a single cpu at a time.
-         * Note also that we only update data->skb if the old and new skb
-         * pointers don't match.  This ensures that we don't continually call
-         * synchornize_rcu if we repeatedly fail to alloc a new netlink message.
-         */
-        if (skb != oskb) {
-                rcu_assign_pointer(data->skb, skb);
-
-                synchronize_rcu();
-
-                atomic_set(&data->dm_hit_count, dm_hit_limit);
+        } else {
+                mod_timer(&data->send_timer, jiffies + HZ / 10);
         }
 
+        spin_lock_irqsave(&data->lock, flags);
+        swap(data->skb, skb);
+        spin_unlock_irqrestore(&data->lock, flags);
+
+        return skb;
 }
 
-static void send_dm_alert(struct work_struct *unused)
+static void send_dm_alert(struct work_struct *work)
 {
         struct sk_buff *skb;
-        struct per_cpu_dm_data *data = &get_cpu_var(dm_cpu_data);
+        struct per_cpu_dm_data *data;
 
-        WARN_ON_ONCE(data->cpu != smp_processor_id());
+        data = container_of(work, struct per_cpu_dm_data, dm_alert_work);
 
-        /*
-         * Grab the skb we're about to send
-         */
-        skb = rcu_dereference_protected(data->skb, 1);
-
-        /*
-         * Replace it with a new one
-         */
-        reset_per_cpu_data(data);
+        skb = reset_per_cpu_data(data);
 
-        /*
-         * Ship it!
-         */
         if (skb)
                 genlmsg_multicast(skb, 0, NET_DM_GRP_ALERT, GFP_KERNEL);
-
-        put_cpu_var(dm_cpu_data);
 }
 
 /*
  * This is the timer function to delay the sending of an alert
  * in the event that more drops will arrive during the
- * hysteresis period.  Note that it operates under the timer interrupt
- * so we don't need to disable preemption here
+ * hysteresis period.
  */
-static void sched_send_work(unsigned long unused)
+static void sched_send_work(unsigned long _data)
 {
-        struct per_cpu_dm_data *data =  &get_cpu_var(dm_cpu_data);
-
-        schedule_work_on(smp_processor_id(), &data->dm_alert_work);
+        struct per_cpu_dm_data *data = (struct per_cpu_dm_data *)_data;
 
-        put_cpu_var(dm_cpu_data);
+        schedule_work(&data->dm_alert_work);
 }
 
 static void trace_drop_common(struct sk_buff *skb, void *location)
@@ -167,33 +138,28 @@ static void trace_drop_common(struct sk_buff *skb, void *location)
         struct nlattr *nla;
         int i;
         struct sk_buff *dskb;
-        struct per_cpu_dm_data *data = &get_cpu_var(dm_cpu_data);
-
+        struct per_cpu_dm_data *data;
+        unsigned long flags;
 
-        rcu_read_lock();
-        dskb = rcu_dereference(data->skb);
+        local_irq_save(flags);
+        data = &__get_cpu_var(dm_cpu_data);
+        spin_lock(&data->lock);
+        dskb = data->skb;
 
         if (!dskb)
                 goto out;
 
-        if (!atomic_add_unless(&data->dm_hit_count, -1, 0)) {
-                /*
-                 * we're already at zero, discard this hit
-                 */
-                goto out;
-        }
-
         nlh = (struct nlmsghdr *)dskb->data;
         nla = genlmsg_data(nlmsg_data(nlh));
         msg = nla_data(nla);
         for (i = 0; i < msg->entries; i++) {
                 if (!memcmp(&location, msg->points[i].pc, sizeof(void *))) {
                         msg->points[i].count++;
-                        atomic_inc(&data->dm_hit_count);
                         goto out;
                 }
         }
-
+        if (msg->entries == dm_hit_limit)
+                goto out;
         /*
          * We need to create a new entry
          */
@@ -205,13 +171,11 @@ static void trace_drop_common(struct sk_buff *skb, void *location)
 
         if (!timer_pending(&data->send_timer)) {
                 data->send_timer.expires = jiffies + dm_delay * HZ;
-                add_timer_on(&data->send_timer, smp_processor_id());
+                add_timer(&data->send_timer);
         }
 
 out:
-        rcu_read_unlock();
-        put_cpu_var(dm_cpu_data);
-        return;
+        spin_unlock_irqrestore(&data->lock, flags);
 }
 
 static void trace_kfree_skb_hit(void *ignore, struct sk_buff *skb, void *location)
@@ -418,11 +382,11 @@ static int __init init_net_drop_monitor(void)
 
         for_each_possible_cpu(cpu) {
                 data = &per_cpu(dm_cpu_data, cpu);
-                data->cpu = cpu;
                 INIT_WORK(&data->dm_alert_work, send_dm_alert);
                 init_timer(&data->send_timer);
-                data->send_timer.data = cpu;
+                data->send_timer.data = (unsigned long)data;
                 data->send_timer.function = sched_send_work;
+                spin_lock_init(&data->lock);
                 reset_per_cpu_data(data);
         }
 
diff --git a/net/core/filter.c b/net/core/filter.c
index a3eddb515d1b..d4ce2dc712e3 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -616,9 +616,9 @@ static int __sk_prepare_filter(struct sk_filter *fp)
 /**
  *      sk_unattached_filter_create - create an unattached filter
  *      @fprog: the filter program
- *      @sk: the socket to use
+ *      @pfp: the unattached filter that is created
  *
- * Create a filter independent ofr any socket. We first run some
+ * Create a filter independent of any socket. We first run some
  * sanity checks on it to make sure it does not explode on us later.
  * If an error occurs or there is insufficient memory for the filter
  * a negative errno code is returned. On success the return is zero.
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index eb09f8bbbf07..d81d026138f0 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2219,9 +2219,7 @@ static int neigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb,
         rcu_read_lock_bh();
         nht = rcu_dereference_bh(tbl->nht);
 
-        for (h = 0; h < (1 << nht->hash_shift); h++) {
-                if (h < s_h)
-                        continue;
+        for (h = s_h; h < (1 << nht->hash_shift); h++) {
                 if (h > s_h)
                         s_idx = 0;
                 for (n = rcu_dereference_bh(nht->hash_buckets[h]), idx = 0;
@@ -2260,9 +2258,7 @@ static int pneigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb,
 
         read_lock_bh(&tbl->lock);
 
-        for (h = 0; h <= PNEIGH_HASHMASK; h++) {
-                if (h < s_h)
-                        continue;
+        for (h = s_h; h <= PNEIGH_HASHMASK; h++) {
                 if (h > s_h)
                         s_idx = 0;
                 for (n = tbl->phash_buckets[h], idx = 0; n; n = n->next) {
@@ -2297,7 +2293,7 @@ static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb)
         struct neigh_table *tbl;
         int t, family, s_t;
         int proxy = 0;
-        int err = 0;
+        int err;
 
         read_lock(&neigh_tbl_lock);
         family = ((struct rtgenmsg *) nlmsg_data(cb->nlh))->rtgen_family;
@@ -2311,7 +2307,7 @@ static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb)
 
         s_t = cb->args[0];
 
-        for (tbl = neigh_tables, t = 0; tbl && (err >= 0);
+        for (tbl = neigh_tables, t = 0; tbl;
              tbl = tbl->next, t++) {
                 if (t < s_t || (family && tbl->family != family))
                         continue;
@@ -2322,6 +2318,8 @@ static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb)
                         err = pneigh_dump_table(tbl, skb, cb);
                 else
                         err = neigh_dump_table(tbl, skb, cb);
+                if (err < 0)
+                        break;
         }
         read_unlock(&neigh_tbl_lock);
 
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 3d84fb9d8873..f9f40b932e4b 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -362,22 +362,23 @@ EXPORT_SYMBOL(netpoll_send_skb_on_dev);
 
 void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
 {
-        int total_len, eth_len, ip_len, udp_len;
+        int total_len, ip_len, udp_len;
         struct sk_buff *skb;
         struct udphdr *udph;
         struct iphdr *iph;
         struct ethhdr *eth;
 
         udp_len = len + sizeof(*udph);
-        ip_len = eth_len = udp_len + sizeof(*iph);
-        total_len = eth_len + ETH_HLEN + NET_IP_ALIGN;
+        ip_len = udp_len + sizeof(*iph);
+        total_len = ip_len + LL_RESERVED_SPACE(np->dev);
 
-        skb = find_skb(np, total_len, total_len - len);
+        skb = find_skb(np, total_len + np->dev->needed_tailroom,
+                       total_len - len);
         if (!skb)
                 return;
 
         skb_copy_to_linear_data(skb, msg, len);
-        skb->len += len;
+        skb_put(skb, len);
 
         skb_push(skb, sizeof(*udph));
         skb_reset_transport_header(skb);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 016694d62484..46a3d23d259e 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1755,6 +1755,7 @@ int skb_splice_bits(struct sk_buff *skb, unsigned int offset,
         struct splice_pipe_desc spd = {
                 .pages = pages,
                 .partial = partial,
+                .nr_pages_max = MAX_SKB_FRAGS,
                 .flags = flags,
                 .ops = &sock_pipe_buf_ops,
                 .spd_release = sock_spd_release,
@@ -3361,7 +3362,7 @@ EXPORT_SYMBOL(kfree_skb_partial);
  * @to: prior buffer
  * @from: buffer to add
  * @fragstolen: pointer to boolean
- *
+ * @delta_truesize: how much more was allocated than was requested
  */
 bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
                       bool *fragstolen, int *delta_truesize)
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
index d4d61b694fab..dfba343b2509 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -560,6 +560,17 @@ bool inet_peer_xrlim_allow(struct inet_peer *peer, int timeout)
 }
 EXPORT_SYMBOL(inet_peer_xrlim_allow);
 
+static void inetpeer_inval_rcu(struct rcu_head *head)
+{
+        struct inet_peer *p = container_of(head, struct inet_peer, gc_rcu);
+
+        spin_lock_bh(&gc_lock);
+        list_add_tail(&p->gc_list, &gc_list);
+        spin_unlock_bh(&gc_lock);
+
+        schedule_delayed_work(&gc_work, gc_delay);
+}
+
 void inetpeer_invalidate_tree(int family)
 {
         struct inet_peer *old, *new, *prev;
@@ -576,10 +587,7 @@ void inetpeer_invalidate_tree(int family)
         prev = cmpxchg(&base->root, old, new);
         if (prev == old) {
                 base->total = 0;
-                spin_lock(&gc_lock);
-                list_add_tail(&prev->gc_list, &gc_list);
-                spin_unlock(&gc_lock);
-                schedule_delayed_work(&gc_work, gc_delay);
+                call_rcu(&prev->gc_rcu, inetpeer_inval_rcu);
         }
 
 out:
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index e5c44fc586ab..ab09b126423c 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -44,6 +44,7 @@ static int ip_forward_finish(struct sk_buff *skb)
         struct ip_options *opt  = &(IPCB(skb)->opt);
 
         IP_INC_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS);
+        IP_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len);
 
         if (unlikely(opt->optlen))
                 ip_forward_options(skb);
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index a9e519ad6db5..c94bbc6f2ba3 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1574,6 +1574,7 @@ static inline int ipmr_forward_finish(struct sk_buff *skb)
         struct ip_options *opt = &(IPCB(skb)->opt);
 
         IP_INC_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTFORWDATAGRAMS);
+        IP_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), IPSTATS_MIB_OUTOCTETS, skb->len);
 
         if (unlikely(opt->optlen))
                 ip_forward_options(skb);
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 0c220a416626..608327661960 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -1349,8 +1349,8 @@ static int fib6_walk_continue(struct fib6_walker_t *w)
                         if (w->leaf && fn->fn_flags & RTN_RTINFO) {
                                 int err;
 
-                                if (w->count < w->skip) {
-                                        w->count++;
+                                if (w->skip) {
+                                        w->skip--;
                                         continue;
                                 }
 
@@ -1561,7 +1561,7 @@ static int fib6_age(struct rt6_info *rt, void *arg)
                                 neigh_flags = neigh->flags;
                                 neigh_release(neigh);
                         }
-                        if (neigh_flags & NTF_ROUTER) {
+                        if (!(neigh_flags & NTF_ROUTER)) {
                                 RT6_TRACE("purging route %p via non-router but gateway\n",
                                           rt);
                                 return -1;
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 17b8c67998bb..decc21d19c53 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -526,6 +526,7 @@ int ip6_forward(struct sk_buff *skb)
         hdr->hop_limit--;
 
         IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
+        IP6_ADD_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTOCTETS, skb->len);
         return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD, skb, skb->dev, dst->dev,
                        ip6_forward_finish);
 
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index b15dc08643a4..461e47c8e956 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1886,6 +1886,8 @@ static inline int ip6mr_forward2_finish(struct sk_buff *skb)
 {
         IP6_INC_STATS_BH(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
                          IPSTATS_MIB_OUTFORWDATAGRAMS);
+        IP6_ADD_STATS_BH(dev_net(skb_dst(skb)->dev), ip6_dst_idev(skb_dst(skb)),
+                         IPSTATS_MIB_OUTOCTETS, skb->len);
         return dst_output(skb);
 }
 
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 999a982ad3fd..becb048d18d4 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2957,10 +2957,6 @@ static int __net_init ip6_route_net_init(struct net *net)
         net->ipv6.sysctl.ip6_rt_mtu_expires = 10*60*HZ;
         net->ipv6.sysctl.ip6_rt_min_advmss = IPV6_MIN_MTU - 20 - 40;
 
-#ifdef CONFIG_PROC_FS
-        proc_net_fops_create(net, "ipv6_route", 0, &ipv6_route_proc_fops);
-        proc_net_fops_create(net, "rt6_stats", S_IRUGO, &rt6_stats_seq_fops);
-#endif
         net->ipv6.ip6_rt_gc_expire = 30*HZ;
 
         ret = 0;
@@ -2981,10 +2977,6 @@ out_ip6_dst_ops:
 
 static void __net_exit ip6_route_net_exit(struct net *net)
 {
-#ifdef CONFIG_PROC_FS
-        proc_net_remove(net, "ipv6_route");
-        proc_net_remove(net, "rt6_stats");
-#endif
         kfree(net->ipv6.ip6_null_entry);
 #ifdef CONFIG_IPV6_MULTIPLE_TABLES
         kfree(net->ipv6.ip6_prohibit_entry);
@@ -2993,11 +2985,33 @@ static void __net_exit ip6_route_net_exit(struct net *net)
         dst_entries_destroy(&net->ipv6.ip6_dst_ops);
 }
 
+static int __net_init ip6_route_net_init_late(struct net *net)
+{
+#ifdef CONFIG_PROC_FS
+        proc_net_fops_create(net, "ipv6_route", 0, &ipv6_route_proc_fops);
+        proc_net_fops_create(net, "rt6_stats", S_IRUGO, &rt6_stats_seq_fops);
+#endif
+        return 0;
+}
+
+static void __net_exit ip6_route_net_exit_late(struct net *net)
+{
+#ifdef CONFIG_PROC_FS
+        proc_net_remove(net, "ipv6_route");
+        proc_net_remove(net, "rt6_stats");
+#endif
+}
+
 static struct pernet_operations ip6_route_net_ops = {
         .init = ip6_route_net_init,
         .exit = ip6_route_net_exit,
 };
 
+static struct pernet_operations ip6_route_net_late_ops = {
+        .init = ip6_route_net_init_late,
+        .exit = ip6_route_net_exit_late,
+};
+
 static struct notifier_block ip6_route_dev_notifier = {
         .notifier_call = ip6_route_dev_notify,
         .priority = 0,
@@ -3047,19 +3061,25 @@ int __init ip6_route_init(void)
         if (ret)
                 goto xfrm6_init;
 
+        ret = register_pernet_subsys(&ip6_route_net_late_ops);
+        if (ret)
+                goto fib6_rules_init;
+
         ret = -ENOBUFS;
         if (__rtnl_register(PF_INET6, RTM_NEWROUTE, inet6_rtm_newroute, NULL, NULL) ||
             __rtnl_register(PF_INET6, RTM_DELROUTE, inet6_rtm_delroute, NULL, NULL) ||
             __rtnl_register(PF_INET6, RTM_GETROUTE, inet6_rtm_getroute, NULL, NULL))
-                goto fib6_rules_init;
+                goto out_register_late_subsys;
 
         ret = register_netdevice_notifier(&ip6_route_dev_notifier);
         if (ret)
-                goto fib6_rules_init;
+                goto out_register_late_subsys;
 
 out:
         return ret;
 
+out_register_late_subsys:
+        unregister_pernet_subsys(&ip6_route_net_late_ops);
 fib6_rules_init:
         fib6_rules_cleanup();
 xfrm6_init:
@@ -3078,6 +3098,7 @@ out_kmem_cache:
 void ip6_route_cleanup(void)
 {
         unregister_netdevice_notifier(&ip6_route_dev_notifier);
+        unregister_pernet_subsys(&ip6_route_net_late_ops);
         fib6_rules_cleanup();
         xfrm6_fini();
         fib6_gc_cleanup();
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 3a9aec29581a..9df64a50b075 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1212,7 +1212,8 @@ have_isn:
         tcp_rsk(req)->snt_isn = isn;
         tcp_rsk(req)->snt_synack = tcp_time_stamp;
 
-        security_inet_conn_request(sk, skb, req);
+        if (security_inet_conn_request(sk, skb, req))
+                goto drop_and_release;
 
         if (tcp_v6_send_synack(sk, req,
                                (struct request_values *)&tmp_ext,
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 07d7d55a1b93..cd6f7a991d80 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -372,7 +372,6 @@ static int afiucv_hs_send(struct iucv_message *imsg, struct sock *sock,
                         skb_trim(skb, skb->dev->mtu);
         }
         skb->protocol = ETH_P_AF_IUCV;
-        skb_shinfo(skb)->tx_flags |= SKBTX_DRV_NEEDS_SK_REF;
         nskb = skb_clone(skb, GFP_ATOMIC);
         if (!nskb)
                 return -ENOMEM;
diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
index 443591d629ca..47b259fccd27 100644
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -42,6 +42,11 @@ struct l2tp_eth {
         struct sock             *tunnel_sock;
         struct l2tp_session     *session;
         struct list_head        list;
+        atomic_long_t           tx_bytes;
+        atomic_long_t           tx_packets;
+        atomic_long_t           rx_bytes;
+        atomic_long_t           rx_packets;
+        atomic_long_t           rx_errors;
 };
 
 /* via l2tp_session_priv() */
@@ -88,24 +93,40 @@ static int l2tp_eth_dev_xmit(struct sk_buff *skb, struct net_device *dev)
         struct l2tp_eth *priv = netdev_priv(dev);
         struct l2tp_session *session = priv->session;
 
+        atomic_long_add(skb->len, &priv->tx_bytes);
+        atomic_long_inc(&priv->tx_packets);
+
         l2tp_xmit_skb(session, skb, session->hdr_len);
 
-        dev->stats.tx_bytes += skb->len;
-        dev->stats.tx_packets++;
+        return NETDEV_TX_OK;
+}
 
-        return 0;
+static struct rtnl_link_stats64 *l2tp_eth_get_stats64(struct net_device *dev,
+                                                      struct rtnl_link_stats64 *stats)
+{
+        struct l2tp_eth *priv = netdev_priv(dev);
+
+        stats->tx_bytes   = atomic_long_read(&priv->tx_bytes);
+        stats->tx_packets = atomic_long_read(&priv->tx_packets);
+        stats->rx_bytes   = atomic_long_read(&priv->rx_bytes);
+        stats->rx_packets = atomic_long_read(&priv->rx_packets);
+        stats->rx_errors  = atomic_long_read(&priv->rx_errors);
+        return stats;
 }
 
+
 static struct net_device_ops l2tp_eth_netdev_ops = {
         .ndo_init               = l2tp_eth_dev_init,
         .ndo_uninit             = l2tp_eth_dev_uninit,
         .ndo_start_xmit         = l2tp_eth_dev_xmit,
+        .ndo_get_stats64        = l2tp_eth_get_stats64,
 };
 
 static void l2tp_eth_dev_setup(struct net_device *dev)
 {
         ether_setup(dev);
-        dev->priv_flags &= ~IFF_TX_SKB_SHARING;
+        dev->priv_flags         &= ~IFF_TX_SKB_SHARING;
+        dev->features           |= NETIF_F_LLTX;
         dev->netdev_ops         = &l2tp_eth_netdev_ops;
         dev->destructor         = free_netdev;
 }
@@ -114,17 +135,17 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
 {
         struct l2tp_eth_sess *spriv = l2tp_session_priv(session);
         struct net_device *dev = spriv->dev;
+        struct l2tp_eth *priv = netdev_priv(dev);
 
         if (session->debug & L2TP_MSG_DATA) {
                 unsigned int length;
-                u8 *ptr = skb->data;
 
                 length = min(32u, skb->len);
                 if (!pskb_may_pull(skb, length))
                         goto error;
 
                 pr_debug("%s: eth recv\n", session->name);
-                print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length);
+                print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, skb->data, length);
         }
 
         if (!pskb_may_pull(skb, sizeof(ETH_HLEN)))
@@ -139,15 +160,15 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
         nf_reset(skb);
 
         if (dev_forward_skb(dev, skb) == NET_RX_SUCCESS) {
-                dev->stats.rx_packets++;
-                dev->stats.rx_bytes += data_len;
-        } else
-                dev->stats.rx_errors++;
-
+                atomic_long_inc(&priv->rx_packets);
+                atomic_long_add(data_len, &priv->rx_bytes);
+        } else {
+                atomic_long_inc(&priv->rx_errors);
+        }
         return;
 
 error:
-        dev->stats.rx_errors++;
+        atomic_long_inc(&priv->rx_errors);
         kfree_skb(skb);
 }
 
@@ -162,6 +183,7 @@ static void l2tp_eth_delete(struct l2tp_session *session)
                 if (dev) {
                         unregister_netdev(dev);
                         spriv->dev = NULL;
+                        module_put(THIS_MODULE);
                 }
         }
 }
@@ -249,6 +271,7 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p
         if (rc < 0)
                 goto out_del_dev;
 
+        __module_get(THIS_MODULE);
         /* Must be done after register_netdev() */
         strlcpy(session->ifname, dev->name, IFNAMSIZ);
 
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 70614e7affab..61d8b75d2686 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -464,10 +464,12 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
                                            sk->sk_bound_dev_if);
                 if (IS_ERR(rt))
                         goto no_route;
-                if (connected)
+                if (connected) {
                         sk_setup_caps(sk, &rt->dst);
-                else
-                        dst_release(&rt->dst); /* safe since we hold rcu_read_lock */
+                } else {
+                        skb_dst_set(skb, &rt->dst);
+                        goto xmit;
+                }
         }
 
         /* We dont need to clone dst here, it is guaranteed to not disappear.
@@ -475,6 +477,7 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
          */
         skb_dst_set_noref(skb, &rt->dst);
 
+xmit:
         /* Queue the packet to IP for output */
         rc = ip_queue_xmit(skb, &inet->cork.fl);
         rcu_read_unlock();
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index 26ddb699d693..c649188314cc 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -145,15 +145,20 @@ static void sta_rx_agg_session_timer_expired(unsigned long data)
         struct tid_ampdu_rx *tid_rx;
         unsigned long timeout;
 
+        rcu_read_lock();
         tid_rx = rcu_dereference(sta->ampdu_mlme.tid_rx[*ptid]);
-        if (!tid_rx)
+        if (!tid_rx) {
+                rcu_read_unlock();
                 return;
+        }
 
         timeout = tid_rx->last_rx + TU_TO_JIFFIES(tid_rx->timeout);
         if (time_is_after_jiffies(timeout)) {
                 mod_timer(&tid_rx->session_timer, timeout);
+                rcu_read_unlock();
                 return;
         }
+        rcu_read_unlock();
 
 #ifdef CONFIG_MAC80211_HT_DEBUG
         printk(KERN_DEBUG "rx session timer expired on tid %d\n", (u16)*ptid);
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 495831ee48f1..7d5108a867ad 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -533,16 +533,16 @@ static void ieee80211_get_et_stats(struct wiphy *wiphy,
                 sinfo.filled = 0;
                 sta_set_sinfo(sta, &sinfo);
 
-                if (sinfo.filled | STATION_INFO_TX_BITRATE)
+                if (sinfo.filled & STATION_INFO_TX_BITRATE)
                         data[i] = 100000 *
                                 cfg80211_calculate_bitrate(&sinfo.txrate);
                 i++;
-                if (sinfo.filled | STATION_INFO_RX_BITRATE)
+                if (sinfo.filled & STATION_INFO_RX_BITRATE)
                         data[i] = 100000 *
                                 cfg80211_calculate_bitrate(&sinfo.rxrate);
                 i++;
 
-                if (sinfo.filled | STATION_INFO_SIGNAL_AVG)
+                if (sinfo.filled & STATION_INFO_SIGNAL_AVG)
                         data[i] = (u8)sinfo.signal_avg;
                 i++;
         } else {
@@ -2093,6 +2093,9 @@ static int ieee80211_set_bitrate_mask(struct wiphy *wiphy,
         struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
         int i, ret;
 
+        if (!ieee80211_sdata_running(sdata))
+                return -ENETDOWN;
+
         if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
                 ret = drv_set_bitrate_mask(local, sdata, mask);
                 if (ret)
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index d4c19a7773db..8664111d0566 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -637,6 +637,18 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
                 ieee80211_configure_filter(local);
                 break;
         default:
+                mutex_lock(&local->mtx);
+                if (local->hw_roc_dev == sdata->dev &&
+                    local->hw_roc_channel) {
+                        /* ignore return value since this is racy */
+                        drv_cancel_remain_on_channel(local);
+                        ieee80211_queue_work(&local->hw, &local->hw_roc_done);
+                }
+                mutex_unlock(&local->mtx);
+
+                flush_work(&local->hw_roc_start);
+                flush_work(&local->hw_roc_done);
+
                 flush_work(&sdata->work);
                 /*
                  * When we get here, the interface is marked down.
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 04c306308987..a4bb856de08f 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1220,6 +1220,22 @@ static void ieee80211_sta_wmm_params(struct ieee80211_local *local,
         sdata->vif.bss_conf.qos = true;
 }
 
+static void __ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
+{
+        lockdep_assert_held(&sdata->local->mtx);
+
+        sdata->u.mgd.flags &= ~(IEEE80211_STA_CONNECTION_POLL |
+                                IEEE80211_STA_BEACON_POLL);
+        ieee80211_run_deferred_scan(sdata->local);
+}
+
+static void ieee80211_stop_poll(struct ieee80211_sub_if_data *sdata)
+{
+        mutex_lock(&sdata->local->mtx);
+        __ieee80211_stop_poll(sdata);
+        mutex_unlock(&sdata->local->mtx);
+}
+
 static u32 ieee80211_handle_bss_capability(struct ieee80211_sub_if_data *sdata,
                                            u16 capab, bool erp_valid, u8 erp)
 {
@@ -1285,8 +1301,7 @@ static void ieee80211_set_associated(struct ieee80211_sub_if_data *sdata,
         sdata->u.mgd.flags |= IEEE80211_STA_RESET_SIGNAL_AVE;
 
         /* just to be sure */
-        sdata->u.mgd.flags &= ~(IEEE80211_STA_CONNECTION_POLL |
-                                IEEE80211_STA_BEACON_POLL);
+        ieee80211_stop_poll(sdata);
 
         ieee80211_led_assoc(local, 1);
 
@@ -1327,7 +1342,6 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
         struct ieee80211_local *local = sdata->local;
         struct sta_info *sta;
         u32 changed = 0;
-        u8 bssid[ETH_ALEN];
 
         ASSERT_MGD_MTX(ifmgd);
 
@@ -1337,10 +1351,9 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
         if (WARN_ON(!ifmgd->associated))
                 return;
 
-        memcpy(bssid, ifmgd->associated->bssid, ETH_ALEN);
+        ieee80211_stop_poll(sdata);
 
         ifmgd->associated = NULL;
-        memset(ifmgd->bssid, 0, ETH_ALEN);
 
         /*
          * we need to commit the associated = NULL change because the
@@ -1360,7 +1373,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
         netif_carrier_off(sdata->dev);
 
         mutex_lock(&local->sta_mtx);
-        sta = sta_info_get(sdata, bssid);
+        sta = sta_info_get(sdata, ifmgd->bssid);
         if (sta) {
                 set_sta_flag(sta, WLAN_STA_BLOCK_BA);
                 ieee80211_sta_tear_down_BA_sessions(sta, tx);
@@ -1369,13 +1382,16 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
 
         /* deauthenticate/disassociate now */
         if (tx || frame_buf)
-                ieee80211_send_deauth_disassoc(sdata, bssid, stype, reason,
-                                               tx, frame_buf);
+                ieee80211_send_deauth_disassoc(sdata, ifmgd->bssid, stype,
+                                               reason, tx, frame_buf);
 
         /* flush out frame */
         if (tx)
                 drv_flush(local, false);
 
+        /* clear bssid only after building the needed mgmt frames */
+        memset(ifmgd->bssid, 0, ETH_ALEN);
+
         /* remove AP and TDLS peers */
         sta_info_flush(local, sdata);
 
@@ -1456,8 +1472,7 @@ static void ieee80211_reset_ap_probe(struct ieee80211_sub_if_data *sdata)
                 return;
         }
 
-        ifmgd->flags &= ~(IEEE80211_STA_CONNECTION_POLL |
-                          IEEE80211_STA_BEACON_POLL);
+        __ieee80211_stop_poll(sdata);
 
         mutex_lock(&local->iflist_mtx);
         ieee80211_recalc_ps(local, -1);
@@ -1477,7 +1492,6 @@ static void ieee80211_reset_ap_probe(struct ieee80211_sub_if_data *sdata)
                   round_jiffies_up(jiffies +
                                    IEEE80211_CONNECTION_IDLE_TIME));
 out:
-        ieee80211_run_deferred_scan(local);
         mutex_unlock(&local->mtx);
 }
 
@@ -2408,7 +2422,11 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
                 net_dbg_ratelimited("%s: cancelling probereq poll due to a received beacon\n",
                                     sdata->name);
 #endif
+                mutex_lock(&local->mtx);
                 ifmgd->flags &= ~IEEE80211_STA_BEACON_POLL;
+                ieee80211_run_deferred_scan(local);
+                mutex_unlock(&local->mtx);
+
                 mutex_lock(&local->iflist_mtx);
                 ieee80211_recalc_ps(local, -1);
                 mutex_unlock(&local->iflist_mtx);
@@ -2595,9 +2613,6 @@ static void ieee80211_sta_connection_lost(struct ieee80211_sub_if_data *sdata,
         struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
         u8 frame_buf[DEAUTH_DISASSOC_LEN];
 
-        ifmgd->flags &= ~(IEEE80211_STA_CONNECTION_POLL |
-                          IEEE80211_STA_BEACON_POLL);
-
         ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, reason,
                                false, frame_buf);
         mutex_unlock(&ifmgd->mtx);
@@ -2874,8 +2889,7 @@ static void ieee80211_restart_sta_timer(struct ieee80211_sub_if_data *sdata)
         u32 flags;
 
         if (sdata->vif.type == NL80211_IFTYPE_STATION) {
-                sdata->u.mgd.flags &= ~(IEEE80211_STA_BEACON_POLL |
-                                        IEEE80211_STA_CONNECTION_POLL);
+                __ieee80211_stop_poll(sdata);
 
                 /* let's probe the connection once */
                 flags = sdata->local->hw.flags;
@@ -2944,7 +2958,10 @@ void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata)
         if (test_and_clear_bit(TMR_RUNNING_CHANSW, &ifmgd->timers_running))
                 add_timer(&ifmgd->chswitch_timer);
         ieee80211_sta_reset_beacon_monitor(sdata);
+
+        mutex_lock(&sdata->local->mtx);
         ieee80211_restart_sta_timer(sdata);
+        mutex_unlock(&sdata->local->mtx);
 }
 #endif
 
@@ -3106,7 +3123,7 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
         }
 
         local->oper_channel = cbss->channel;
-        ieee80211_hw_config(local, 0);
+        ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
 
         if (!have_sta) {
                 u32 rates = 0, basic_rates = 0;
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index f054e94901a2..935aa4b6deee 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -234,6 +234,22 @@ static void ieee80211_hw_roc_done(struct work_struct *work)
                 return;
         }
 
+        /* was never transmitted */
+        if (local->hw_roc_skb) {
+                u64 cookie;
+
+                cookie = local->hw_roc_cookie ^ 2;
+
+                cfg80211_mgmt_tx_status(local->hw_roc_dev, cookie,
+                                        local->hw_roc_skb->data,
+                                        local->hw_roc_skb->len, false,
+                                        GFP_KERNEL);
+
+                kfree_skb(local->hw_roc_skb);
+                local->hw_roc_skb = NULL;
+                local->hw_roc_skb_for_status = NULL;
+        }
+
         if (!local->hw_roc_for_tx)
                 cfg80211_remain_on_channel_expired(local->hw_roc_dev,
                                                    local->hw_roc_cookie,
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 7bcecf73aafb..965e6ec0adb6 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2455,7 +2455,7 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
          * frames that we didn't handle, including returning unknown
          * ones. For all other modes we will return them to the sender,
          * setting the 0x80 bit in the action category, as required by
-         * 802.11-2007 7.3.1.11.
+         * 802.11-2012 9.24.4.
          * Newer versions of hostapd shall also use the management frame
          * registration mechanisms, but older ones still use cooked
          * monitor interfaces so push all frames there.
@@ -2465,6 +2465,9 @@ ieee80211_rx_h_action_return(struct ieee80211_rx_data *rx)
              sdata->vif.type == NL80211_IFTYPE_AP_VLAN))
                 return RX_DROP_MONITOR;
 
+        if (is_multicast_ether_addr(mgmt->da))
+                return RX_DROP_MONITOR;
+
         /* do not return rejected action frames */
         if (mgmt->u.action.category & 0x80)
                 return RX_DROP_UNUSABLE;
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index f5b1638fbf80..de455f8bbb91 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -378,7 +378,7 @@ static int sta_info_insert_finish(struct sta_info *sta) __acquires(RCU)
         /* make the station visible */
         sta_info_hash_add(local, sta);
 
-        list_add(&sta->list, &local->sta_list);
+        list_add_rcu(&sta->list, &local->sta_list);
 
         set_sta_flag(sta, WLAN_STA_INSERTED);
 
@@ -688,7 +688,7 @@ int __must_check __sta_info_destroy(struct sta_info *sta)
         if (ret)
                 return ret;
 
-        list_del(&sta->list);
+        list_del_rcu(&sta->list);
 
         mutex_lock(&local->key_mtx);
         for (i = 0; i < NUM_DEFAULT_KEYS; i++)
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index 3bb24a121c95..a470e1123a55 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -271,6 +271,9 @@ struct sta_ampdu_mlme {
  * @plink_timer: peer link watch timer
  * @plink_timer_was_running: used by suspend/resume to restore timers
  * @t_offset: timing offset relative to this host
+ * @t_offset_setpoint: reference timing offset of this sta to be used when
+ *      calculating clockdrift
+ * @ch_type: peer's channel type
  * @debugfs: debug filesystem info
  * @dead: set to true when sta is unlinked
  * @uploaded: set to true when sta is uploaded to the driver
@@ -278,6 +281,8 @@ struct sta_ampdu_mlme {
  * @sta: station information we share with the driver
  * @sta_state: duplicates information about station state (for debug)
  * @beacon_loss_count: number of times beacon loss has triggered
+ * @supports_40mhz: tracks whether the station advertised 40 MHz support
+ *      as we overwrite its HT parameters with the currently used value
  */
 struct sta_info {
         /* General information, mostly static */
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 847215bb2a6f..e453212fa17f 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1737,7 +1737,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
         __le16 fc;
         struct ieee80211_hdr hdr;
         struct ieee80211s_hdr mesh_hdr __maybe_unused;
-        struct mesh_path __maybe_unused *mppath = NULL;
+        struct mesh_path __maybe_unused *mppath = NULL, *mpath = NULL;
         const u8 *encaps_data;
         int encaps_len, skip_header_bytes;
         int nh_pos, h_pos;
@@ -1803,8 +1803,11 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                         goto fail;
                 }
                 rcu_read_lock();
-                if (!is_multicast_ether_addr(skb->data))
-                        mppath = mpp_path_lookup(skb->data, sdata);
+                if (!is_multicast_ether_addr(skb->data)) {
+                        mpath = mesh_path_lookup(skb->data, sdata);
+                        if (!mpath)
+                                mppath = mpp_path_lookup(skb->data, sdata);
+                }
 
                 /*
                  * Use address extension if it is a packet from
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index a44c6807df01..8dd4712620ff 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1271,7 +1271,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                         enum ieee80211_sta_state state;
 
                         for (state = IEEE80211_STA_NOTEXIST;
-                             state < sta->sta_state - 1; state++)
+                             state < sta->sta_state; state++)
                                 WARN_ON(drv_sta_state(local, sta->sdata, sta,
                                                       state, state + 1));
                 }
diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c
index 8781d8f904d9..434b6873b352 100644
--- a/net/mac802154/tx.c
+++ b/net/mac802154/tx.c
@@ -83,9 +83,10 @@ netdev_tx_t mac802154_tx(struct mac802154_priv *priv, struct sk_buff *skb,
 {
         struct xmit_work *work;
 
-        if (!(priv->phy->channels_supported[page] & (1 << chan)))
+        if (!(priv->phy->channels_supported[page] & (1 << chan))) {
                 WARN_ON(1);
                 return NETDEV_TX_OK;
+        }
 
         if (!(priv->hw.flags & IEEE802154_HW_OMIT_CKSUM)) {
                 u16 crc = crc_ccitt(0, skb->data, skb->len);
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 819c342f5b30..9730882697aa 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -640,6 +640,14 @@ find_free_id(const char *name, ip_set_id_t *index, struct ip_set **set)
 }
 
 static int
+ip_set_none(struct sock *ctnl, struct sk_buff *skb,
+            const struct nlmsghdr *nlh,
+            const struct nlattr * const attr[])
+{
+        return -EOPNOTSUPP;
+}
+
+static int
 ip_set_create(struct sock *ctnl, struct sk_buff *skb,
               const struct nlmsghdr *nlh,
               const struct nlattr * const attr[])
@@ -1539,6 +1547,10 @@ nlmsg_failure:
 }
 
 static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = {
+        [IPSET_CMD_NONE]        = {
+                .call           = ip_set_none,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+        },
         [IPSET_CMD_CREATE]      = {
                 .call           = ip_set_create,
                 .attr_count     = IPSET_ATTR_CMD_MAX,
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index ee863943c826..d5d3607ae7bc 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -38,30 +38,6 @@ struct iface_node {
 
 #define iface_data(n)   (rb_entry(n, struct iface_node, node)->iface)
 
-static inline long
-ifname_compare(const char *_a, const char *_b)
-{
-        const long *a = (const long *)_a;
-        const long *b = (const long *)_b;
-
-        BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
-        if (a[0] != b[0])
-                return a[0] - b[0];
-        if (IFNAMSIZ > sizeof(long)) {
-                if (a[1] != b[1])
-                        return a[1] - b[1];
-        }
-        if (IFNAMSIZ > 2 * sizeof(long)) {
-                if (a[2] != b[2])
-                        return a[2] - b[2];
-        }
-        if (IFNAMSIZ > 3 * sizeof(long)) {
-                if (a[3] != b[3])
-                        return a[3] - b[3];
-        }
-        return 0;
-}
-
 static void
 rbtree_destroy(struct rb_root *root)
 {
@@ -99,7 +75,7 @@ iface_test(struct rb_root *root, const char **iface)
 
         while (n) {
                 const char *d = iface_data(n);
-                long res = ifname_compare(*iface, d);
+                int res = strcmp(*iface, d);
 
                 if (res < 0)
                         n = n->rb_left;
@@ -121,7 +97,7 @@ iface_add(struct rb_root *root, const char **iface)
 
         while (*n) {
                 char *ifname = iface_data(*n);
-                long res = ifname_compare(*iface, ifname);
+                int res = strcmp(*iface, ifname);
 
                 p = *n;
                 if (res < 0)
@@ -366,7 +342,7 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
         struct hash_netiface4_elem data = { .cidr = HOST_MASK };
         u32 ip = 0, ip_to, last;
         u32 timeout = h->timeout;
-        char iface[IFNAMSIZ] = {};
+        char iface[IFNAMSIZ];
         int ret;
 
         if (unlikely(!tb[IPSET_ATTR_IP] ||
@@ -663,7 +639,7 @@ hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
         ipset_adtfn adtfn = set->variant->adt[adt];
         struct hash_netiface6_elem data = { .cidr = HOST_MASK };
         u32 timeout = h->timeout;
-        char iface[IFNAMSIZ] = {};
+        char iface[IFNAMSIZ];
         int ret;
 
         if (unlikely(!tb[IPSET_ATTR_IP] ||
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index dd811b8dd97c..d43e3c122f7b 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -76,19 +76,19 @@ static void __ip_vs_del_service(struct ip_vs_service *svc);
 
 #ifdef CONFIG_IP_VS_IPV6
 /* Taken from rt6_fill_node() in net/ipv6/route.c, is there a better way? */
-static int __ip_vs_addr_is_local_v6(struct net *net,
-                                    const struct in6_addr *addr)
+static bool __ip_vs_addr_is_local_v6(struct net *net,
+                                     const struct in6_addr *addr)
 {
-        struct rt6_info *rt;
         struct flowi6 fl6 = {
                 .daddr = *addr,
         };
+        struct dst_entry *dst = ip6_route_output(net, NULL, &fl6);
+        bool is_local;
 
-        rt = (struct rt6_info *)ip6_route_output(net, NULL, &fl6);
-        if (rt && rt->dst.dev && (rt->dst.dev->flags & IFF_LOOPBACK))
-                return 1;
+        is_local = !dst->error && dst->dev && (dst->dev->flags & IFF_LOOPBACK);
 
-        return 0;
+        dst_release(dst);
+        return is_local;
 }
 #endif
 
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 46d69d7f1bb4..31f50bc3a312 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -270,9 +270,8 @@ static int expect_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
                 return 0;
 
         /* RTP port is even */
-        port &= htons(~1);
-        rtp_port = port;
-        rtcp_port = htons(ntohs(port) + 1);
+        rtp_port = port & ~htons(1);
+        rtcp_port = port | htons(1);
 
         /* Create expect for RTP */
         if ((rtp_exp = nf_ct_expect_alloc(ct)) == NULL)
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 3e797d1fcb94..791d56bbd74a 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -169,8 +169,10 @@ replay:
 
                 err = nla_parse(cda, ss->cb[cb_id].attr_count,
                                 attr, attrlen, ss->cb[cb_id].policy);
-                if (err < 0)
+                if (err < 0) {
+                        rcu_read_unlock();
                         return err;
+                }
 
                 if (nc->call_rcu) {
                         err = nc->call_rcu(net->nfnl, skb, nlh,
diff --git a/net/netfilter/xt_HMARK.c b/net/netfilter/xt_HMARK.c
index 0a96a43108ed..1686ca1b53a1 100644
--- a/net/netfilter/xt_HMARK.c
+++ b/net/netfilter/xt_HMARK.c
@@ -32,13 +32,13 @@ MODULE_ALIAS("ipt_HMARK");
 MODULE_ALIAS("ip6t_HMARK");
 
 struct hmark_tuple {
-        u32                     src;
-        u32                     dst;
+        __be32                  src;
+        __be32                  dst;
         union hmark_ports       uports;
-        uint8_t                 proto;
+        u8                      proto;
 };
 
-static inline u32 hmark_addr6_mask(const __u32 *addr32, const __u32 *mask)
+static inline __be32 hmark_addr6_mask(const __be32 *addr32, const __be32 *mask)
 {
         return (addr32[0] & mask[0]) ^
                (addr32[1] & mask[1]) ^
@@ -46,8 +46,8 @@ static inline u32 hmark_addr6_mask(const __u32 *addr32, const __u32 *mask)
                (addr32[3] & mask[3]);
 }
 
-static inline u32
-hmark_addr_mask(int l3num, const __u32 *addr32, const __u32 *mask)
+static inline __be32
+hmark_addr_mask(int l3num, const __be32 *addr32, const __be32 *mask)
 {
         switch (l3num) {
         case AF_INET:
@@ -58,6 +58,22 @@ hmark_addr_mask(int l3num, const __u32 *addr32, const __u32 *mask)
         return 0;
 }
 
+static inline void hmark_swap_ports(union hmark_ports *uports,
+                                    const struct xt_hmark_info *info)
+{
+        union hmark_ports hp;
+        u16 src, dst;
+
+        hp.b32 = (uports->b32 & info->port_mask.b32) | info->port_set.b32;
+        src = ntohs(hp.b16.src);
+        dst = ntohs(hp.b16.dst);
+
+        if (dst > src)
+                uports->v32 = (dst << 16) | src;
+        else
+                uports->v32 = (src << 16) | dst;
+}
+
 static int
 hmark_ct_set_htuple(const struct sk_buff *skb, struct hmark_tuple *t,
                     const struct xt_hmark_info *info)
@@ -74,22 +90,19 @@ hmark_ct_set_htuple(const struct sk_buff *skb, struct hmark_tuple *t,
         otuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
         rtuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
 
-        t->src = hmark_addr_mask(otuple->src.l3num, otuple->src.u3.all,
-                                 info->src_mask.all);
-        t->dst = hmark_addr_mask(otuple->src.l3num, rtuple->src.u3.all,
-                                 info->dst_mask.all);
+        t->src = hmark_addr_mask(otuple->src.l3num, otuple->src.u3.ip6,
+                                 info->src_mask.ip6);
+        t->dst = hmark_addr_mask(otuple->src.l3num, rtuple->src.u3.ip6,
+                                 info->dst_mask.ip6);
 
         if (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))
                 return 0;
 
         t->proto = nf_ct_protonum(ct);
         if (t->proto != IPPROTO_ICMP) {
-                t->uports.p16.src = otuple->src.u.all;
-                t->uports.p16.dst = rtuple->src.u.all;
-                t->uports.v32 = (t->uports.v32 & info->port_mask.v32) |
-                                info->port_set.v32;
-                if (t->uports.p16.dst < t->uports.p16.src)
-                        swap(t->uports.p16.dst, t->uports.p16.src);
+                t->uports.b16.src = otuple->src.u.all;
+                t->uports.b16.dst = rtuple->src.u.all;
+                hmark_swap_ports(&t->uports, info);
         }
 
         return 0;
@@ -98,15 +111,19 @@ hmark_ct_set_htuple(const struct sk_buff *skb, struct hmark_tuple *t,
 #endif
 }
 
+/* This hash function is endian independent, to ensure consistent hashing if
+ * the cluster is composed of big and little endian systems. */
 static inline u32
 hmark_hash(struct hmark_tuple *t, const struct xt_hmark_info *info)
 {
         u32 hash;
+        u32 src = ntohl(t->src);
+        u32 dst = ntohl(t->dst);
 
-        if (t->dst < t->src)
-                swap(t->src, t->dst);
+        if (dst < src)
+                swap(src, dst);
 
-        hash = jhash_3words(t->src, t->dst, t->uports.v32, info->hashrnd);
+        hash = jhash_3words(src, dst, t->uports.v32, info->hashrnd);
         hash = hash ^ (t->proto & info->proto_mask);
 
         return (((u64)hash * info->hmodulus) >> 32) + info->hoffset;
@@ -126,11 +143,7 @@ hmark_set_tuple_ports(const struct sk_buff *skb, unsigned int nhoff,
         if (skb_copy_bits(skb, nhoff, &t->uports, sizeof(t->uports)) < 0)
                 return;
 
-        t->uports.v32 = (t->uports.v32 & info->port_mask.v32) |
-                        info->port_set.v32;
-
-        if (t->uports.p16.dst < t->uports.p16.src)
-                swap(t->uports.p16.dst, t->uports.p16.src);
+        hmark_swap_ports(&t->uports, info);
 }
 
 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
@@ -178,8 +191,8 @@ hmark_pkt_set_htuple_ipv6(const struct sk_buff *skb, struct hmark_tuple *t,
                         return -1;
         }
 noicmp:
-        t->src = hmark_addr6_mask(ip6->saddr.s6_addr32, info->src_mask.all);
-        t->dst = hmark_addr6_mask(ip6->daddr.s6_addr32, info->dst_mask.all);
+        t->src = hmark_addr6_mask(ip6->saddr.s6_addr32, info->src_mask.ip6);
+        t->dst = hmark_addr6_mask(ip6->daddr.s6_addr32, info->dst_mask.ip6);
 
         if (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))
                 return 0;
@@ -255,11 +268,8 @@ hmark_pkt_set_htuple_ipv4(const struct sk_buff *skb, struct hmark_tuple *t,
                 }
         }
 
-        t->src = (__force u32) ip->saddr;
-        t->dst = (__force u32) ip->daddr;
-
-        t->src &= info->src_mask.ip;
-        t->dst &= info->dst_mask.ip;
+        t->src = ip->saddr & info->src_mask.ip;
+        t->dst = ip->daddr & info->dst_mask.ip;
 
         if (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))
                 return 0;
diff --git a/net/nfc/llcp/sock.c b/net/nfc/llcp/sock.c
index 3f339b19d140..17a707db40eb 100644
--- a/net/nfc/llcp/sock.c
+++ b/net/nfc/llcp/sock.c
@@ -292,6 +292,9 @@ static int llcp_sock_getname(struct socket *sock, struct sockaddr *addr,
 
         pr_debug("%p\n", sk);
 
+        if (llcp_sock == NULL)
+                return -EBADFD;
+
         addr->sa_family = AF_NFC;
         *len = sizeof(struct sockaddr_nfc_llcp);
 
diff --git a/net/nfc/nci/ntf.c b/net/nfc/nci/ntf.c
index cb2646179e5f..2ab196a9f228 100644
--- a/net/nfc/nci/ntf.c
+++ b/net/nfc/nci/ntf.c
@@ -106,7 +106,7 @@ static __u8 *nci_extract_rf_params_nfca_passive_poll(struct nci_dev *ndev,
         nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data));
         data += 2;
 
-        nfca_poll->nfcid1_len = *data++;
+        nfca_poll->nfcid1_len = min_t(__u8, *data++, NFC_NFCID1_MAXSIZE);
 
         pr_debug("sens_res 0x%x, nfcid1_len %d\n",
                  nfca_poll->sens_res, nfca_poll->nfcid1_len);
@@ -130,7 +130,7 @@ static __u8 *nci_extract_rf_params_nfcb_passive_poll(struct nci_dev *ndev,
                         struct rf_tech_specific_params_nfcb_poll *nfcb_poll,
                                                      __u8 *data)
 {
-        nfcb_poll->sensb_res_len = *data++;
+        nfcb_poll->sensb_res_len = min_t(__u8, *data++, NFC_SENSB_RES_MAXSIZE);
 
         pr_debug("sensb_res_len %d\n", nfcb_poll->sensb_res_len);
 
@@ -145,7 +145,7 @@ static __u8 *nci_extract_rf_params_nfcf_passive_poll(struct nci_dev *ndev,
                                                      __u8 *data)
 {
         nfcf_poll->bit_rate = *data++;
-        nfcf_poll->sensf_res_len = *data++;
+        nfcf_poll->sensf_res_len = min_t(__u8, *data++, NFC_SENSF_RES_MAXSIZE);
 
         pr_debug("bit_rate %d, sensf_res_len %d\n",
                  nfcf_poll->bit_rate, nfcf_poll->sensf_res_len);
@@ -331,7 +331,7 @@ static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev,
         switch (ntf->activation_rf_tech_and_mode) {
         case NCI_NFC_A_PASSIVE_POLL_MODE:
                 nfca_poll = &ntf->activation_params.nfca_poll_iso_dep;
-                nfca_poll->rats_res_len = *data++;
+                nfca_poll->rats_res_len = min_t(__u8, *data++, 20);
                 pr_debug("rats_res_len %d\n", nfca_poll->rats_res_len);
                 if (nfca_poll->rats_res_len > 0) {
                         memcpy(nfca_poll->rats_res,
@@ -341,7 +341,7 @@ static int nci_extract_activation_params_iso_dep(struct nci_dev *ndev,
 
         case NCI_NFC_B_PASSIVE_POLL_MODE:
                 nfcb_poll = &ntf->activation_params.nfcb_poll_iso_dep;
-                nfcb_poll->attrib_res_len = *data++;
+                nfcb_poll->attrib_res_len = min_t(__u8, *data++, 50);
                 pr_debug("attrib_res_len %d\n", nfcb_poll->attrib_res_len);
                 if (nfcb_poll->attrib_res_len > 0) {
                         memcpy(nfcb_poll->attrib_res,
diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c
index ec1134c9e07f..8b8a6a2b2bad 100644
--- a/net/nfc/rawsock.c
+++ b/net/nfc/rawsock.c
@@ -54,7 +54,10 @@ static int rawsock_release(struct socket *sock)
 {
         struct sock *sk = sock->sk;
 
-        pr_debug("sock=%p\n", sock);
+        pr_debug("sock=%p sk=%p\n", sock, sk);
+
+        if (!sk)
+                return 0;
 
         sock_orphan(sk);
         sock_put(sk);
diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
index 779ce4ff92ec..5a940dbd74a3 100644
--- a/net/phonet/af_phonet.c
+++ b/net/phonet/af_phonet.c
@@ -5,8 +5,8 @@
  *
  * Copyright (C) 2008 Nokia Corporation.
  *
- * Contact: Remi Denis-Courmont <remi.denis-courmont@nokia.com>
- * Original author: Sakari Ailus <sakari.ailus@nokia.com>
+ * Authors: Sakari Ailus <sakari.ailus@nokia.com>
+ *          Rémi Denis-Courmont
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c
index bf35b4e1a14c..12c30f3e643e 100644
--- a/net/phonet/datagram.c
+++ b/net/phonet/datagram.c
@@ -5,8 +5,8 @@
  *
  * Copyright (C) 2008 Nokia Corporation.
  *
- * Contact: Remi Denis-Courmont <remi.denis-courmont@nokia.com>
- * Original author: Sakari Ailus <sakari.ailus@nokia.com>
+ * Authors: Sakari Ailus <sakari.ailus@nokia.com>
+ *          Rémi Denis-Courmont
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/net/phonet/pep-gprs.c b/net/phonet/pep-gprs.c
index d01208968c83..a2fba7edfd1f 100644
--- a/net/phonet/pep-gprs.c
+++ b/net/phonet/pep-gprs.c
@@ -5,7 +5,7 @@
  *
  * Copyright (C) 2008 Nokia Corporation.
  *
- * Author: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
+ * Author: Rémi Denis-Courmont
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index 9dd4f926f7d1..576f22c9c76e 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -5,7 +5,7 @@
  *
  * Copyright (C) 2008 Nokia Corporation.
  *
- * Author: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
+ * Author: Rémi Denis-Courmont
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/net/phonet/pn_dev.c b/net/phonet/pn_dev.c
index 36f75a9e2c3d..5bf6341e2dd4 100644
--- a/net/phonet/pn_dev.c
+++ b/net/phonet/pn_dev.c
@@ -5,8 +5,8 @@
  *
  * Copyright (C) 2008 Nokia Corporation.
  *
- * Contact: Remi Denis-Courmont <remi.denis-courmont@nokia.com>
- * Original author: Sakari Ailus <sakari.ailus@nokia.com>
+ * Authors: Sakari Ailus <sakari.ailus@nokia.com>
+ *          Rémi Denis-Courmont
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c
index cfdf135fcd69..7dd762a464e5 100644
--- a/net/phonet/pn_netlink.c
+++ b/net/phonet/pn_netlink.c
@@ -5,8 +5,8 @@
  *
  * Copyright (C) 2008 Nokia Corporation.
  *
- * Contact: Remi Denis-Courmont <remi.denis-courmont@nokia.com>
- * Original author: Sakari Ailus <sakari.ailus@nokia.com>
+ * Authors: Sakari Ailus <sakari.ailus@nokia.com>
+ *          Remi Denis-Courmont
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/net/phonet/socket.c b/net/phonet/socket.c
index 89cfa9ce4939..0acc943f713a 100644
--- a/net/phonet/socket.c
+++ b/net/phonet/socket.c
@@ -5,8 +5,8 @@
  *
  * Copyright (C) 2008 Nokia Corporation.
  *
- * Contact: Remi Denis-Courmont <remi.denis-courmont@nokia.com>
- * Original author: Sakari Ailus <sakari.ailus@nokia.com>
+ * Authors: Sakari Ailus <sakari.ailus@nokia.com>
+ *          Rémi Denis-Courmont
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/net/phonet/sysctl.c b/net/phonet/sysctl.c
index 696348fd31a1..d6bbbbd0af18 100644
--- a/net/phonet/sysctl.c
+++ b/net/phonet/sysctl.c
@@ -5,7 +5,7 @@
  *
  * Copyright (C) 2008 Nokia Corporation.
  *
- * Contact: Remi Denis-Courmont <remi.denis-courmont@nokia.com>
+ * Author: Rémi Denis-Courmont
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 5bc9ab161b37..b16517ee1aaf 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -271,6 +271,7 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
          */
         asoc->peer.sack_needed = 1;
         asoc->peer.sack_cnt = 0;
+        asoc->peer.sack_generation = 1;
 
         /* Assume that the peer will tell us if he recognizes ASCONF
          * as part of INIT exchange.
diff --git a/net/sctp/output.c b/net/sctp/output.c
index f1b7d4bb591e..6ae47acaaec6 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -248,6 +248,11 @@ static sctp_xmit_t sctp_packet_bundle_sack(struct sctp_packet *pkt,
                 /* If the SACK timer is running, we have a pending SACK */
                 if (timer_pending(timer)) {
                         struct sctp_chunk *sack;
+
+                        if (pkt->transport->sack_generation !=
+                            pkt->transport->asoc->peer.sack_generation)
+                                return retval;
+
                         asoc->a_rwnd = asoc->rwnd;
                         sack = sctp_make_sack(asoc);
                         if (sack) {
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 5942d27b1444..9c90811d1134 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -673,7 +673,9 @@ void sctp_addr_wq_timeout_handler(unsigned long arg)
                                 SCTP_DEBUG_PRINTK("sctp_addrwq_timo_handler: sctp_asconf_mgmt failed\n");
                         sctp_bh_unlock_sock(sk);
                 }
+#if IS_ENABLED(CONFIG_IPV6)
 free_next:
+#endif
                 list_del(&addrw->list);
                 kfree(addrw);
         }
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index a85eeeb55dd0..b6de71efb140 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -734,8 +734,10 @@ struct sctp_chunk *sctp_make_sack(const struct sctp_association *asoc)
         int len;
         __u32 ctsn;
         __u16 num_gabs, num_dup_tsns;
+        struct sctp_association *aptr = (struct sctp_association *)asoc;
         struct sctp_tsnmap *map = (struct sctp_tsnmap *)&asoc->peer.tsn_map;
         struct sctp_gap_ack_block gabs[SCTP_MAX_GABS];
+        struct sctp_transport *trans;
 
         memset(gabs, 0, sizeof(gabs));
         ctsn = sctp_tsnmap_get_ctsn(map);
@@ -805,6 +807,20 @@ struct sctp_chunk *sctp_make_sack(const struct sctp_association *asoc)
                 sctp_addto_chunk(retval, sizeof(__u32) * num_dup_tsns,
                                  sctp_tsnmap_get_dups(map));
 
+        /* Once we have a sack generated, check to see what our sack
+         * generation is, if its 0, reset the transports to 0, and reset
+         * the association generation to 1
+         *
+         * The idea is that zero is never used as a valid generation for the
+         * association so no transport will match after a wrap event like this,
+         * Until the next sack
+         */
+        if (++aptr->peer.sack_generation == 0) {
+                list_for_each_entry(trans, &asoc->peer.transport_addr_list,
+                                    transports)
+                        trans->sack_generation = 0;
+                aptr->peer.sack_generation = 1;
+        }
 nodata:
         return retval;
 }
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index c96d1a81cf42..8716da1a8592 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -1268,7 +1268,7 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
                 case SCTP_CMD_REPORT_TSN:
                         /* Record the arrival of a TSN.  */
                         error = sctp_tsnmap_mark(&asoc->peer.tsn_map,
-                                                 cmd->obj.u32);
+                                                 cmd->obj.u32, NULL);
                         break;
 
                 case SCTP_CMD_REPORT_FWDTSN:
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index b026ba0c6992..1dcceb6e0ce6 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -68,6 +68,8 @@ static struct sctp_transport *sctp_transport_init(struct sctp_transport *peer,
         peer->af_specific = sctp_get_af_specific(addr->sa.sa_family);
         memset(&peer->saddr, 0, sizeof(union sctp_addr));
 
+        peer->sack_generation = 0;
+
         /* From 6.3.1 RTO Calculation:
          *
          * C1) Until an RTT measurement has been made for a packet sent to the
diff --git a/net/sctp/tsnmap.c b/net/sctp/tsnmap.c
index f1e40cebc981..b5fb7c409023 100644
--- a/net/sctp/tsnmap.c
+++ b/net/sctp/tsnmap.c
@@ -114,7 +114,8 @@ int sctp_tsnmap_check(const struct sctp_tsnmap *map, __u32 tsn)
 
 
 /* Mark this TSN as seen.  */
-int sctp_tsnmap_mark(struct sctp_tsnmap *map, __u32 tsn)
+int sctp_tsnmap_mark(struct sctp_tsnmap *map, __u32 tsn,
+                     struct sctp_transport *trans)
 {
         u16 gap;
 
@@ -133,6 +134,9 @@ int sctp_tsnmap_mark(struct sctp_tsnmap *map, __u32 tsn)
                  */
                 map->max_tsn_seen++;
                 map->cumulative_tsn_ack_point++;
+                if (trans)
+                        trans->sack_generation =
+                                trans->asoc->peer.sack_generation;
                 map->base_tsn++;
         } else {
                 /* Either we already have a gap, or about to record a gap, so
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
index 8a84017834c2..33d894776192 100644
--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -715,7 +715,8 @@ struct sctp_ulpevent *sctp_ulpevent_make_rcvmsg(struct sctp_association *asoc,
          * can mark it as received so the tsn_map is updated correctly.
          */
         if (sctp_tsnmap_mark(&asoc->peer.tsn_map,
-                             ntohl(chunk->subh.data_hdr->tsn)))
+                             ntohl(chunk->subh.data_hdr->tsn),
+                             chunk->transport))
                 goto fail_mark;
 
         /* First calculate the padding, so we don't inadvertently
diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
index f2d1de7f2ffb..f5a6a4f4faf7 100644
--- a/net/sctp/ulpqueue.c
+++ b/net/sctp/ulpqueue.c
@@ -1051,7 +1051,7 @@ void sctp_ulpq_renege(struct sctp_ulpq *ulpq, struct sctp_chunk *chunk,
         if (chunk && (freed >= needed)) {
                 __u32 tsn;
                 tsn = ntohl(chunk->subh.data_hdr->tsn);
-                sctp_tsnmap_mark(&asoc->peer.tsn_map, tsn);
+                sctp_tsnmap_mark(&asoc->peer.tsn_map, tsn, chunk->transport);
                 sctp_ulpq_tail_data(ulpq, chunk, gfp);
 
                 sctp_ulpq_partial_delivery(ulpq, chunk, gfp);
diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
index 04040476082e..21fde99e5c56 100644
--- a/net/sunrpc/rpc_pipe.c
+++ b/net/sunrpc/rpc_pipe.c
@@ -71,7 +71,9 @@ static void rpc_purge_list(wait_queue_head_t *waitq, struct list_head *head,
                 msg->errno = err;
                 destroy_msg(msg);
         } while (!list_empty(head));
-        wake_up(waitq);
+
+        if (waitq)
+                wake_up(waitq);
 }
 
 static void
@@ -91,11 +93,9 @@ rpc_timeout_upcall_queue(struct work_struct *work)
         }
         dentry = dget(pipe->dentry);
         spin_unlock(&pipe->lock);
-        if (dentry) {
-                rpc_purge_list(&RPC_I(dentry->d_inode)->waitq,
-                               &free_list, destroy_msg, -ETIMEDOUT);
-                dput(dentry);
-        }
+        rpc_purge_list(dentry ? &RPC_I(dentry->d_inode)->waitq : NULL,
+                        &free_list, destroy_msg, -ETIMEDOUT);
+        dput(dentry);
 }
 
 ssize_t rpc_pipe_generic_upcall(struct file *filp, struct rpc_pipe_msg *msg,
diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index 7e9baaa1e543..3ee7461926d8 100644
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -1374,7 +1374,8 @@ bc_svc_process(struct svc_serv *serv, struct rpc_rqst *req,
                                                 sizeof(req->rq_snd_buf));
                 return bc_send(req);
         } else {
-                /* Nothing to do to drop request */
+                /* drop request */
+                xprt_free_bc_request(req);
                 return 0;
         }
 }
diff --git a/net/wireless/ibss.c b/net/wireless/ibss.c
index d2a19b0ff71f..89baa3328411 100644
--- a/net/wireless/ibss.c
+++ b/net/wireless/ibss.c
@@ -42,6 +42,7 @@ void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid)
         cfg80211_hold_bss(bss_from_pub(bss));
         wdev->current_bss = bss_from_pub(bss);
 
+        wdev->sme_state = CFG80211_SME_CONNECTED;
         cfg80211_upload_connect_keys(wdev);
 
         nl80211_send_ibss_bssid(wiphy_to_dev(wdev->wiphy), dev, bssid,
@@ -60,7 +61,7 @@ void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid, gfp_t gfp)
         struct cfg80211_event *ev;
         unsigned long flags;
 
-        CFG80211_DEV_WARN_ON(!wdev->ssid_len);
+        CFG80211_DEV_WARN_ON(wdev->sme_state != CFG80211_SME_CONNECTING);
 
         ev = kzalloc(sizeof(*ev), gfp);
         if (!ev)
@@ -115,9 +116,11 @@ int __cfg80211_join_ibss(struct cfg80211_registered_device *rdev,
 #ifdef CONFIG_CFG80211_WEXT
         wdev->wext.ibss.channel = params->channel;
 #endif
+        wdev->sme_state = CFG80211_SME_CONNECTING;
         err = rdev->ops->join_ibss(&rdev->wiphy, dev, params);
         if (err) {
                 wdev->connect_keys = NULL;
+                wdev->sme_state = CFG80211_SME_IDLE;
                 return err;
         }
 
@@ -169,6 +172,7 @@ static void __cfg80211_clear_ibss(struct net_device *dev, bool nowext)
         }
 
         wdev->current_bss = NULL;
+        wdev->sme_state = CFG80211_SME_IDLE;
         wdev->ssid_len = 0;
 #ifdef CONFIG_CFG80211_WEXT
         if (!nowext)
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 15f347477a99..baf5704740ee 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1389,7 +1389,7 @@ static void reg_set_request_processed(void)
         spin_unlock(&reg_requests_lock);
 
         if (last_request->initiator == NL80211_REGDOM_SET_BY_USER)
-                cancel_delayed_work_sync(&reg_timeout);
+                cancel_delayed_work(&reg_timeout);
 
         if (need_more_processing)
                 schedule_work(&reg_work);
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 55d99466babb..316cfd00914f 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -804,7 +804,7 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
              ntype == NL80211_IFTYPE_P2P_CLIENT))
                 return -EBUSY;
 
-        if (ntype != otype) {
+        if (ntype != otype && netif_running(dev)) {
                 err = cfg80211_can_change_interface(rdev, dev->ieee80211_ptr,
                                                     ntype);
                 if (err)
@@ -935,6 +935,7 @@ int cfg80211_can_change_interface(struct cfg80211_registered_device *rdev,
                                   enum nl80211_iftype iftype)
 {
         struct wireless_dev *wdev_iter;
+        u32 used_iftypes = BIT(iftype);
         int num[NUM_NL80211_IFTYPES];
         int total = 1;
         int i, j;
@@ -961,6 +962,7 @@ int cfg80211_can_change_interface(struct cfg80211_registered_device *rdev,
 
                 num[wdev_iter->iftype]++;
                 total++;
+                used_iftypes |= BIT(wdev_iter->iftype);
         }
         mutex_unlock(&rdev->devlist_mtx);
 
@@ -970,6 +972,7 @@ int cfg80211_can_change_interface(struct cfg80211_registered_device *rdev,
         for (i = 0; i < rdev->wiphy.n_iface_combinations; i++) {
                 const struct ieee80211_iface_combination *c;
                 struct ieee80211_iface_limit *limits;
+                u32 all_iftypes = 0;
 
                 c = &rdev->wiphy.iface_combinations[i];
 
@@ -984,6 +987,7 @@ int cfg80211_can_change_interface(struct cfg80211_registered_device *rdev,
                         if (rdev->wiphy.software_iftypes & BIT(iftype))
                                 continue;
                         for (j = 0; j < c->n_limits; j++) {
+                                all_iftypes |= limits[j].types;
                                 if (!(limits[j].types & BIT(iftype)))
                                         continue;
                                 if (limits[j].max < num[iftype])
@@ -991,7 +995,20 @@ int cfg80211_can_change_interface(struct cfg80211_registered_device *rdev,
                                 limits[j].max -= num[iftype];
                         }
                 }
-                /* yay, it fits */
+
+                /*
+                 * Finally check that all iftypes that we're currently
+                 * using are actually part of this combination. If they
+                 * aren't then we can't use this combination and have
+                 * to continue to the next.
+                 */
+                if ((all_iftypes & used_iftypes) != used_iftypes)
+                        goto cont;
+
+                /*
+                 * This combination covered all interface types and
+                 * supported the requested numbers, so we're good.
+                 */
                 kfree(limits);
                 return 0;
  cont: