71 files changed, 524 insertions, 319 deletions
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 7850412f52b7..0eb1a886b370 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -124,6 +124,9 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head)
        grp->nr_vlans--;
+        if (vlan->flags & VLAN_FLAG_GVRP)
+                vlan_gvrp_request_leave(dev);
        vlan_group_set_device(grp, vlan_id, NULL);
        if (!grp->killall)
                synchronize_net();
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index e34ea9e5e28b..b2ff6c8d3603 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -487,9 +487,6 @@ static int vlan_dev_stop(struct net_device *dev)
        struct vlan_dev_info *vlan = vlan_dev_info(dev);
        struct net_device *real_dev = vlan->real_dev;
-        if (vlan->flags & VLAN_FLAG_GVRP)
-                vlan_gvrp_request_leave(dev);
        dev_mc_unsync(real_dev, dev);
        dev_uc_unsync(real_dev, dev);
        if (dev->flags & IFF_ALLMULTI)
diff --git a/net/9p/client.c b/net/9p/client.c
index 77367745be9b..a9aa2dd66482 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -614,7 +614,7 @@ p9_client_rpc(struct p9_client *c, int8_t type, const char *fmt, ...)
        err = c->trans_mod->request(c, req);
        if (err < 0) {
-                if (err != -ERESTARTSYS)
+                if (err != -ERESTARTSYS && err != -EFAULT)
                        c->status = Disconnected;
                goto reterr;
        }
diff --git a/net/9p/protocol.c b/net/9p/protocol.c
index b58a501cf3d1..a873277cb996 100644
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -674,6 +674,7 @@ int p9dirent_read(char *buf, int len, struct p9_dirent *dirent,
        }
        strcpy(dirent->d_name, nameptr);
+        kfree(nameptr);
 out:
        return fake_pdu.offset;
diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c
index e883172f9aa2..9a70ebdec56e 100644
--- a/net/9p/trans_common.c
+++ b/net/9p/trans_common.c
@@ -63,7 +63,7 @@ p9_payload_gup(struct p9_req_t *req, size_t *pdata_off, int *pdata_len,
                int nr_pages, u8 rw)
 {
        uint32_t first_page_bytes = 0;
-        uint32_t pdata_mapped_pages;
+        int32_t pdata_mapped_pages;
        struct trans_rpage_info  *rpinfo;
        *pdata_off = (__force size_t)req->tc->pubuf & (PAGE_SIZE-1);
@@ -75,14 +75,9 @@ p9_payload_gup(struct p9_req_t *req, size_t *pdata_off, int *pdata_len,
        rpinfo = req->tc->private;
        pdata_mapped_pages = get_user_pages_fast((unsigned long)req->tc->pubuf,
                        nr_pages, rw, &rpinfo->rp_data[0]);
+        if (pdata_mapped_pages <= 0)
+                return pdata_mapped_pages;
-        if (pdata_mapped_pages < 0) {
-                printk(KERN_ERR "get_user_pages_fast failed:%d udata:%p"
-                                "nr_pages:%d\n", pdata_mapped_pages,
-                                req->tc->pubuf, nr_pages);
-                pdata_mapped_pages = 0;
-                return -EIO;
-        }
        rpinfo->rp_nr_pages = pdata_mapped_pages;
        if (*pdata_off) {
                *pdata_len = first_page_bytes;
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index c83f618282f7..b5a8afc2be33 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -587,10 +587,8 @@ static int hci_dev_do_close(struct hci_dev *hdev)
        hci_req_cancel(hdev, ENODEV);
        hci_req_lock(hdev);
-        /* Stop timer, it might be running */
-        del_timer_sync(&hdev->cmd_timer);
        if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
+                del_timer_sync(&hdev->cmd_timer);
                hci_req_unlock(hdev);
                return 0;
        }
@@ -629,6 +627,7 @@ static int hci_dev_do_close(struct hci_dev *hdev)
        /* Drop last sent command */
        if (hdev->sent_cmd) {
+                del_timer_sync(&hdev->cmd_timer);
                kfree_skb(hdev->sent_cmd);
                hdev->sent_cmd = NULL;
        }
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index cebe7588469f..b2570159a044 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2387,8 +2387,6 @@ static inline void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *s
        if (!conn)
                goto unlock;
-        hci_conn_hold(conn);
        conn->remote_cap = ev->capability;
        conn->remote_oob = ev->oob_data;
        conn->remote_auth = ev->authentication;
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index ca27f3a41536..2c8dd4494c63 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1051,6 +1051,7 @@ static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
        tx_skb = skb_clone(skb, GFP_ATOMIC);
        bt_cb(skb)->retries++;
        control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
+        control &= L2CAP_CTRL_SAR;
        if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
                control |= L2CAP_CTRL_FINAL;
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index e2160792e1bc..0c7badad62af 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -164,7 +164,7 @@ rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
                        goto drop;
                /* If STP is turned off, then forward */
-                if (p->br->stp_enabled == BR_NO_STP)
+                if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
                        goto forward;
                if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 008ff6c4eecf..74ef4d4846a4 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -249,11 +249,9 @@ static int br_parse_ip_options(struct sk_buff *skb)
                goto drop;
        }
-        /* Zero out the CB buffer if no options present */
+        memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
-        if (iph->ihl == 5) {
+        if (iph->ihl == 5)
-                memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
                return 0;
-        }
        opt->optlen = iph->ihl*4 - sizeof(struct iphdr);
        if (ip_options_compile(dev_net(dev), opt, skb))
@@ -739,7 +737,7 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
                nf_bridge->mask |= BRNF_PKT_TYPE;
        }
-        if (br_parse_ip_options(skb))
+        if (pf == PF_INET && br_parse_ip_options(skb))
                return NF_DROP;
        /* The physdev module checks on this */
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 893669caa8de..1a92b369c820 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1766,7 +1766,7 @@ static int compat_table_info(const struct ebt_table_info *info,
        newinfo->entries_size = size;
-        xt_compat_init_offsets(AF_INET, info->nentries);
+        xt_compat_init_offsets(NFPROTO_BRIDGE, info->nentries);
        return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
                                                        entries, newinfo);
 }
@@ -1882,7 +1882,7 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
        struct xt_match *match;
        struct xt_target *wt;
        void *dst = NULL;
-        int off, pad = 0, ret = 0;
+        int off, pad = 0;
        unsigned int size_kern, entry_offset, match_size = mwt->match_size;
        strlcpy(name, mwt->u.name, sizeof(name));
@@ -1935,13 +1935,6 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
                break;
        }
-        if (!dst) {
-                ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset,
-                                        off + ebt_compat_entry_padsize());
-                if (ret < 0)
-                        return ret;
-        }
        state->buf_kern_offset += match_size + off;
        state->buf_user_offset += match_size;
        pad = XT_ALIGN(size_kern) - size_kern;
@@ -2016,50 +2009,6 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
        return growth;
 }
-#define EBT_COMPAT_WATCHER_ITERATE(e, fn, args...)          \
-({                                                          \
-        unsigned int __i;                                   \
-        int __ret = 0;                                      \
-        struct compat_ebt_entry_mwt *__watcher;             \
-                                                            \
-        for (__i = e->watchers_offset;                      \
-             __i < (e)->target_offset;                      \
-             __i += __watcher->watcher_size +               \
-             sizeof(struct compat_ebt_entry_mwt)) {         \
-                __watcher = (void *)(e) + __i;              \
-                __ret = fn(__watcher , ## args);            \
-                if (__ret != 0)                             \
-                        break;                              \
-        }                                                   \
-        if (__ret == 0) {                                   \
-                if (__i != (e)->target_offset)              \
-                        __ret = -EINVAL;                    \
-        }                                                   \
-        __ret;                                              \
-})
-#define EBT_COMPAT_MATCH_ITERATE(e, fn, args...)            \
-({                                                          \
-        unsigned int __i;                                   \
-        int __ret = 0;                                      \
-        struct compat_ebt_entry_mwt *__match;               \
-                                                            \
-        for (__i = sizeof(struct ebt_entry);                \
-             __i < (e)->watchers_offset;                    \
-             __i += __match->match_size +                   \
-             sizeof(struct compat_ebt_entry_mwt)) {         \
-                __match = (void *)(e) + __i;                \
-                __ret = fn(__match , ## args);              \
-                if (__ret != 0)                             \
-                        break;                              \
-        }                                                   \
-        if (__ret == 0) {                                   \
-                if (__i != (e)->watchers_offset)            \
-                        __ret = -EINVAL;                    \
-        }                                                   \
-        __ret;                                              \
-})
 /* called for all ebt_entry structures. */
 static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
                          unsigned int *total,
@@ -2132,6 +2081,14 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
                }
        }
+        if (state->buf_kern_start == NULL) {
+                unsigned int offset = buf_start - (char *) base;
+                ret = xt_compat_add_offset(NFPROTO_BRIDGE, offset, new_offset);
+                if (ret < 0)
+                        return ret;
+        }
        startoff = state->buf_user_offset - startoff;
        BUG_ON(*total < startoff);
@@ -2240,6 +2197,7 @@ static int compat_do_replace(struct net *net, void __user *user,
        xt_compat_lock(NFPROTO_BRIDGE);
+        xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
        ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
        if (ret < 0)
                goto out_unlock;
diff --git a/net/caif/cfdgml.c b/net/caif/cfdgml.c
index 27dab26ad3b8..054fdb5aeb88 100644
--- a/net/caif/cfdgml.c
+++ b/net/caif/cfdgml.c
@@ -13,6 +13,7 @@
 #include <net/caif/cfsrvl.h>
 #include <net/caif/cfpkt.h>
 #define container_obj(layr) ((struct cfsrvl *) layr)
 #define DGM_CMD_BIT  0x80
@@ -83,6 +84,7 @@ static int cfdgml_receive(struct cflayer *layr, struct cfpkt *pkt)
 static int cfdgml_transmit(struct cflayer *layr, struct cfpkt *pkt)
 {
+        u8 packet_type;
        u32 zero = 0;
        struct caif_payload_info *info;
        struct cfsrvl *service = container_obj(layr);
@@ -94,7 +96,9 @@ static int cfdgml_transmit(struct cflayer *layr, struct cfpkt *pkt)
        if (cfpkt_getlen(pkt) > DGM_MTU)
                return -EMSGSIZE;
-        cfpkt_add_head(pkt, &zero, 4);
+        cfpkt_add_head(pkt, &zero, 3);
+        packet_type = 0x08; /* B9 set - UNCLASSIFIED */
+        cfpkt_add_head(pkt, &packet_type, 1);
        /* Add info for MUX-layer to route the packet out. */
        info = cfpkt_info(pkt);
diff --git a/net/caif/cfmuxl.c b/net/caif/cfmuxl.c
index 46f34b2e0478..24f1ffa74b06 100644
--- a/net/caif/cfmuxl.c
+++ b/net/caif/cfmuxl.c
@@ -244,9 +244,9 @@ static void cfmuxl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
                                int phyid)
 {
        struct cfmuxl *muxl = container_obj(layr);
-        struct list_head *node;
+        struct list_head *node, *next;
        struct cflayer *layer;
-        list_for_each(node, &muxl->srvl_list) {
+        list_for_each_safe(node, next, &muxl->srvl_list) {
                layer = list_entry(node, struct cflayer, node);
                if (cfsrvl_phyid_match(layer, phyid))
                        layer->ctrlcmd(layer, ctrl, phyid);
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 57b1aed79014..8a6a05e7c3c8 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1427,9 +1427,14 @@ static int bcm_init(struct sock *sk)
 static int bcm_release(struct socket *sock)
 {
        struct sock *sk = sock->sk;
-        struct bcm_sock *bo = bcm_sk(sk);
+        struct bcm_sock *bo;
        struct bcm_op *op, *next;
+        if (sk == NULL)
+                return 0;
+        bo = bcm_sk(sk);
        /* remove bcm_ops, timer, rx_unregister(), etc. */
        unregister_netdevice_notifier(&bo->notifier);
diff --git a/net/can/raw.c b/net/can/raw.c
index 649acfa7c70a..0eb39a7fdf64 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -305,7 +305,12 @@ static int raw_init(struct sock *sk)
 static int raw_release(struct socket *sock)
 {
        struct sock *sk = sock->sk;
-        struct raw_sock *ro = raw_sk(sk);
+        struct raw_sock *ro;
+        if (!sk)
+                return 0;
+        ro = raw_sk(sk);
        unregister_netdevice_notifier(&ro->notifier);
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 05f357828a2f..e15a82ccc05f 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2267,6 +2267,19 @@ struct ceph_msg *ceph_msg_new(int type, int front_len, gfp_t flags)
        m->more_to_follow = false;
        m->pool = NULL;
+        /* middle */
+        m->middle = NULL;
+        /* data */
+        m->nr_pages = 0;
+        m->page_alignment = 0;
+        m->pages = NULL;
+        m->pagelist = NULL;
+        m->bio = NULL;
+        m->bio_iter = NULL;
+        m->bio_seg = 0;
+        m->trail = NULL;
        /* front */
        if (front_len) {
                if (front_len > PAGE_CACHE_SIZE) {
@@ -2286,19 +2299,6 @@ struct ceph_msg *ceph_msg_new(int type, int front_len, gfp_t flags)
        }
        m->front.iov_len = front_len;
-        /* middle */
-        m->middle = NULL;
-        /* data */
-        m->nr_pages = 0;
-        m->page_alignment = 0;
-        m->pages = NULL;
-        m->pagelist = NULL;
-        m->bio = NULL;
-        m->bio_iter = NULL;
-        m->bio_seg = 0;
-        m->trail = NULL;
        dout("ceph_msg_new %p front %d\n", m, front_len);
        return m;
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index 5a80f41c0cba..6b5dda1cb5df 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -470,8 +470,8 @@ struct ceph_osd_request *ceph_osdc_new_request(struct ceph_osd_client *osdc,
                                         snapc, ops,
                                         use_mempool,
                                         GFP_NOFS, NULL, NULL);
-        if (IS_ERR(req))
+        if (!req)
-                return req;
+                return NULL;
        /* calculate max write size */
        calc_layout(osdc, vino, layout, off, plen, req, ops);
diff --git a/net/core/dev.c b/net/core/dev.c
index 956d3b006e8b..b624fe4d9bd7 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1284,11 +1284,13 @@ static int dev_close_many(struct list_head *head)
 */
 int dev_close(struct net_device *dev)
 {
-        LIST_HEAD(single);
+        if (dev->flags & IFF_UP) {
+                LIST_HEAD(single);
-        list_add(&dev->unreg_list, &single);
+                list_add(&dev->unreg_list, &single);
-        dev_close_many(&single);
+                dev_close_many(&single);
-        list_del(&single);
+                list_del(&single);
+        }
        return 0;
 }
 EXPORT_SYMBOL(dev_close);
@@ -4773,7 +4775,7 @@ static int dev_ifsioc_locked(struct net *net, struct ifreq *ifr, unsigned int cm
                 * is never reached
                 */
                WARN_ON(1);
-                err = -EINVAL;
+                err = -ENOTTY;
                break;
        }
@@ -5041,7 +5043,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
                /* Set the per device memory buffer space.
                 * Not applicable in our case */
        case SIOCSIFLINK:
-                return -EINVAL;
+                return -ENOTTY;
        /*
         *      Unknown or private ioctl.
@@ -5062,7 +5064,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
                /* Take care of Wireless Extensions */
                if (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST)
                        return wext_handle_ioctl(net, &ifr, cmd, arg);
-                return -EINVAL;
+                return -ENOTTY;
        }
 }
@@ -5184,33 +5186,37 @@ u32 netdev_fix_features(struct net_device *dev, u32 features)
        /* Fix illegal checksum combinations */
        if ((features & NETIF_F_HW_CSUM) &&
            (features & (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))) {
-                netdev_info(dev, "mixed HW and IP checksum settings.\n");
+                netdev_warn(dev, "mixed HW and IP checksum settings.\n");
                features &= ~(NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM);
        }
        if ((features & NETIF_F_NO_CSUM) &&
            (features & (NETIF_F_HW_CSUM|NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))) {
-                netdev_info(dev, "mixed no checksumming and other settings.\n");
+                netdev_warn(dev, "mixed no checksumming and other settings.\n");
                features &= ~(NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM|NETIF_F_HW_CSUM);
        }
        /* Fix illegal SG+CSUM combinations. */
        if ((features & NETIF_F_SG) &&
            !(features & NETIF_F_ALL_CSUM)) {
-                netdev_info(dev,
+                netdev_dbg(dev,
-                            "Dropping NETIF_F_SG since no checksum feature.\n");
+                        "Dropping NETIF_F_SG since no checksum feature.\n");
                features &= ~NETIF_F_SG;
        }
        /* TSO requires that SG is present as well. */
-        if ((features & NETIF_F_TSO) && !(features & NETIF_F_SG)) {
+        if ((features & NETIF_F_ALL_TSO) && !(features & NETIF_F_SG)) {
-                netdev_info(dev, "Dropping NETIF_F_TSO since no SG feature.\n");
+                netdev_dbg(dev, "Dropping TSO features since no SG feature.\n");
-                features &= ~NETIF_F_TSO;
+                features &= ~NETIF_F_ALL_TSO;
        }
+        /* TSO ECN requires that TSO is present as well. */
+        if ((features & NETIF_F_ALL_TSO) == NETIF_F_TSO_ECN)
+                features &= ~NETIF_F_TSO_ECN;
        /* Software GSO depends on SG. */
        if ((features & NETIF_F_GSO) && !(features & NETIF_F_SG)) {
-                netdev_info(dev, "Dropping NETIF_F_GSO since no SG feature.\n");
+                netdev_dbg(dev, "Dropping NETIF_F_GSO since no SG feature.\n");
                features &= ~NETIF_F_GSO;
        }
@@ -5220,13 +5226,13 @@ u32 netdev_fix_features(struct net_device *dev, u32 features)
                if (!((features & NETIF_F_GEN_CSUM) ||
                    (features & (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))
                            == (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))) {
-                        netdev_info(dev,
+                        netdev_dbg(dev,
                                "Dropping NETIF_F_UFO since no checksum offload features.\n");
                        features &= ~NETIF_F_UFO;
                }
                if (!(features & NETIF_F_SG)) {
-                        netdev_info(dev,
+                        netdev_dbg(dev,
                                "Dropping NETIF_F_UFO since no NETIF_F_SG feature.\n");
                        features &= ~NETIF_F_UFO;
                }
@@ -5408,12 +5414,6 @@ int register_netdevice(struct net_device *dev)
        dev->features |= NETIF_F_SOFT_FEATURES;
        dev->wanted_features = dev->features & dev->hw_features;
-        /* Avoid warning from netdev_fix_features() for GSO without SG */
-        if (!(dev->wanted_features & NETIF_F_SG)) {
-                dev->wanted_features &= ~NETIF_F_GSO;
-                dev->features &= ~NETIF_F_GSO;
-        }
        /* Enable GRO and NETIF_F_HIGHDMA for vlans by default,
         * vlan_dev_init() will do the dev->features check, so these features
         * are enabled only if supported by underlying device.
diff --git a/net/dccp/options.c b/net/dccp/options.c
index f06ffcfc8d71..4b2ab657ac8e 100644
--- a/net/dccp/options.c
+++ b/net/dccp/options.c
@@ -123,6 +123,8 @@ int dccp_parse_options(struct sock *sk, struct dccp_request_sock *dreq,
                case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
                        if (pkt_type == DCCP_PKT_DATA)      /* RFC 4340, 6 */
                                break;
+                        if (len == 0)
+                                goto out_invalid_option;
                        rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
                                                    *value, value + 1, len - 1);
                        if (rc)
diff --git a/net/dsa/Kconfig b/net/dsa/Kconfig
index 87bb5f4de0e8..c53ded2a98df 100644
--- a/net/dsa/Kconfig
+++ b/net/dsa/Kconfig
@@ -41,12 +41,12 @@ config NET_DSA_MV88E6XXX_NEED_PPU
        default n
 config NET_DSA_MV88E6131
-        bool "Marvell 88E6095/6095F/6131 ethernet switch chip support"
+        bool "Marvell 88E6085/6095/6095F/6131 ethernet switch chip support"
        select NET_DSA_MV88E6XXX
        select NET_DSA_MV88E6XXX_NEED_PPU
        select NET_DSA_TAG_DSA
        ---help---
-          This enables support for the Marvell 88E6095/6095F/6131
+          This enables support for the Marvell 88E6085/6095/6095F/6131
          ethernet switch chips.
 config NET_DSA_MV88E6123_61_65
diff --git a/net/dsa/mv88e6131.c b/net/dsa/mv88e6131.c
index 3da418894efc..45f7411e90ba 100644
--- a/net/dsa/mv88e6131.c
+++ b/net/dsa/mv88e6131.c
@@ -207,8 +207,15 @@ static int mv88e6131_setup_port(struct dsa_switch *ds, int p)
         * mode, but do not enable forwarding of unknown unicasts.
         */
        val = 0x0433;
-        if (p == dsa_upstream_port(ds))
+        if (p == dsa_upstream_port(ds)) {
                val |= 0x0104;
+                /*
+                 * On 6085, unknown multicast forward is controlled
+                 * here rather than in Port Control 2 register.
+                 */
+                if (ps->id == ID_6085)
+                        val |= 0x0008;
+        }
        if (ds->dsa_port_mask & (1 << p))
                val |= 0x0100;
        REG_WRITE(addr, 0x04, val);
@@ -251,10 +258,19 @@ static int mv88e6131_setup_port(struct dsa_switch *ds, int p)
         * If this is the upstream port for this switch, enable
         * forwarding of unknown multicast addresses.
         */
-        val = 0x0080 | dsa_upstream_port(ds);
+        if (ps->id == ID_6085)
-        if (p == dsa_upstream_port(ds))
+                /*
-                val |= 0x0040;
+                 * on 6085, bits 3:0 are reserved, bit 6 control ARP
-        REG_WRITE(addr, 0x08, val);
+                 * mirroring, and multicast forward is handled in
+                 * Port Control register.
+                 */
+                REG_WRITE(addr, 0x08, 0x0080);
+        else {
+                val = 0x0080 | dsa_upstream_port(ds);
+                if (p == dsa_upstream_port(ds))
+                        val |= 0x0040;
+                REG_WRITE(addr, 0x08, val);
+        }
        /*
         * Rate Control: disable ingress rate limiting.
diff --git a/net/ieee802154/Makefile b/net/ieee802154/Makefile
index ce2d33582859..5761185f884e 100644
--- a/net/ieee802154/Makefile
+++ b/net/ieee802154/Makefile
@@ -1,5 +1,3 @@
 obj-$(CONFIG_IEEE802154) +=     ieee802154.o af_802154.o
 ieee802154-y            := netlink.o nl-mac.o nl-phy.o nl_policy.o wpan-class.o
 af_802154-y             := af_ieee802154.o raw.o dgram.o
-ccflags-y += -Wall -DDEBUG
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 5345b0bee6df..cd9ca0811cfa 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1680,7 +1680,7 @@ static void __devinet_sysctl_unregister(struct ipv4_devconf *cnf)
                return;
        cnf->sysctl = NULL;
-        unregister_sysctl_table(t->sysctl_header);
+        unregister_net_sysctl_table(t->sysctl_header);
        kfree(t->dev_name);
        kfree(t);
 }
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index e9013d6c1f51..5fe9b8b41df3 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1978,9 +1978,6 @@ struct fib_table *fib_trie_table(u32 id)
        t = (struct trie *) tb->tb_data;
        memset(t, 0, sizeof(*t));
-        if (id == RT_TABLE_LOCAL)
-                pr_info("IPv4 FIB: Using LC-trie version %s\n", VERSION);
        return tb;
 }
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 6c0b7f4a3d7d..38f23e721b80 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -73,7 +73,7 @@ int inet_csk_bind_conflict(const struct sock *sk,
                     !sk2->sk_bound_dev_if ||
                     sk->sk_bound_dev_if == sk2->sk_bound_dev_if)) {
                        if (!reuse || !sk2->sk_reuse ||
-                            ((1 << sk2->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))) {
+                            sk2->sk_state == TCP_LISTEN) {
                                const __be32 sk2_rcv_saddr = sk_rcv_saddr(sk2);
                                if (!sk2_rcv_saddr || !sk_rcv_saddr(sk) ||
                                    sk2_rcv_saddr == sk_rcv_saddr(sk))
@@ -122,8 +122,7 @@ again:
                                            (tb->num_owners < smallest_size || smallest_size == -1)) {
                                                smallest_size = tb->num_owners;
                                                smallest_rover = rover;
-                                                if (atomic_read(&hashinfo->bsockets) > (high - low) + 1 &&
+                                                if (atomic_read(&hashinfo->bsockets) > (high - low) + 1) {
-                                                    !inet_csk(sk)->icsk_af_ops->bind_conflict(sk, tb)) {
                                                        spin_unlock(&head->lock);
                                                        snum = smallest_rover;
                                                        goto have_snum;
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
index dd1b20eca1a2..9df4e635fb5f 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -354,7 +354,8 @@ static void inetpeer_free_rcu(struct rcu_head *head)
 }
 /* May be called with local BH enabled. */
-static void unlink_from_pool(struct inet_peer *p, struct inet_peer_base *base)
+static void unlink_from_pool(struct inet_peer *p, struct inet_peer_base *base,
+                             struct inet_peer __rcu **stack[PEER_MAXDEPTH])
 {
        int do_free;
@@ -368,7 +369,6 @@ static void unlink_from_pool(struct inet_peer *p, struct inet_peer_base *base)
         * We use refcnt=-1 to alert lockless readers this entry is deleted.
         */
        if (atomic_cmpxchg(&p->refcnt, 1, -1) == 1) {
-                struct inet_peer __rcu **stack[PEER_MAXDEPTH];
                struct inet_peer __rcu ***stackptr, ***delp;
                if (lookup(&p->daddr, stack, base) != p)
                        BUG();
@@ -422,7 +422,7 @@ static struct inet_peer_base *peer_to_base(struct inet_peer *p)
 }
 /* May be called with local BH enabled. */
-static int cleanup_once(unsigned long ttl)
+static int cleanup_once(unsigned long ttl, struct inet_peer __rcu **stack[PEER_MAXDEPTH])
 {
        struct inet_peer *p = NULL;
@@ -454,7 +454,7 @@ static int cleanup_once(unsigned long ttl)
                 * happen because of entry limits in route cache. */
                return -1;
-        unlink_from_pool(p, peer_to_base(p));
+        unlink_from_pool(p, peer_to_base(p), stack);
        return 0;
 }
@@ -524,7 +524,7 @@ struct inet_peer *inet_getpeer(struct inetpeer_addr *daddr, int create)
        if (base->total >= inet_peer_threshold)
                /* Remove one less-recently-used entry. */
-                cleanup_once(0);
+                cleanup_once(0, stack);
        return p;
 }
@@ -540,6 +540,7 @@ static void peer_check_expire(unsigned long dummy)
 {
        unsigned long now = jiffies;
        int ttl, total;
+        struct inet_peer __rcu **stack[PEER_MAXDEPTH];
        total = compute_total();
        if (total >= inet_peer_threshold)
@@ -548,7 +549,7 @@ static void peer_check_expire(unsigned long dummy)
                ttl = inet_peer_maxttl
                                - (inet_peer_maxttl - inet_peer_minttl) / HZ *
                                        total / inet_peer_threshold * HZ;
-        while (!cleanup_once(ttl)) {
+        while (!cleanup_once(ttl, stack)) {
                if (jiffies != now)
                        break;
        }
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index a1151b8adf3c..b1d282f11be7 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -223,31 +223,30 @@ static void ip_expire(unsigned long arg)
        if ((qp->q.last_in & INET_FRAG_FIRST_IN) && qp->q.fragments != NULL) {
                struct sk_buff *head = qp->q.fragments;
+                const struct iphdr *iph;
+                int err;
                rcu_read_lock();
                head->dev = dev_get_by_index_rcu(net, qp->iif);
                if (!head->dev)
                        goto out_rcu_unlock;
+                /* skb dst is stale, drop it, and perform route lookup again */
+                skb_dst_drop(head);
+                iph = ip_hdr(head);
+                err = ip_route_input_noref(head, iph->daddr, iph->saddr,
+                                           iph->tos, head->dev);
+                if (err)
+                        goto out_rcu_unlock;
                /*
-                 * Only search router table for the head fragment,
+                 * Only an end host needs to send an ICMP
-                 * when defraging timeout at PRE_ROUTING HOOK.
+                 * "Fragment Reassembly Timeout" message, per RFC792.
                 */
-                if (qp->user == IP_DEFRAG_CONNTRACK_IN && !skb_dst(head)) {
+                if (qp->user == IP_DEFRAG_CONNTRACK_IN &&
-                        const struct iphdr *iph = ip_hdr(head);
+                    skb_rtable(head)->rt_type != RTN_LOCAL)
-                        int err = ip_route_input(head, iph->daddr, iph->saddr,
+                        goto out_rcu_unlock;
-                                                 iph->tos, head->dev);
-                        if (unlikely(err))
-                                goto out_rcu_unlock;
-                        /*
-                         * Only an end host needs to send an ICMP
-                         * "Fragment Reassembly Timeout" message, per RFC792.
-                         */
-                        if (skb_rtable(head)->rt_type != RTN_LOCAL)
-                                goto out_rcu_unlock;
-                }
                /* Send an ICMP "Fragment Reassembly Timeout" message. */
                icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index 28a736f3442f..2391b24e8251 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -329,7 +329,7 @@ int ip_options_compile(struct net *net,
                                        pp_ptr = optptr + 2;
                                        goto error;
                                }
-                                if (skb) {
+                                if (rt) {
                                        memcpy(&optptr[optptr[2]-1], &rt->rt_spec_dst, 4);
                                        opt->is_changed = 1;
                                }
@@ -371,7 +371,7 @@ int ip_options_compile(struct net *net,
                                                goto error;
                                        }
                                        opt->ts = optptr - iph;
-                                        if (skb) {
+                                        if (rt)  {
                                                memcpy(&optptr[optptr[2]-1], &rt->rt_spec_dst, 4);
                                                timeptr = (__be32*)&optptr[optptr[2]+3];
                                        }
@@ -603,7 +603,7 @@ int ip_options_rcv_srr(struct sk_buff *skb)
        unsigned long orefdst;
        int err;
-        if (!opt->srr)
+        if (!opt->srr || !rt)
                return 0;
        if (skb->pkt_type != PACKET_HOST)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index c1acf69858fd..99e6e4bb1c72 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2690,6 +2690,12 @@ static void ipv4_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
 {
 }
+static u32 *ipv4_rt_blackhole_cow_metrics(struct dst_entry *dst,
+                                          unsigned long old)
+{
+        return NULL;
+}
 static struct dst_ops ipv4_dst_blackhole_ops = {
        .family                 =       AF_INET,
        .protocol               =       cpu_to_be16(ETH_P_IP),
@@ -2698,6 +2704,7 @@ static struct dst_ops ipv4_dst_blackhole_ops = {
        .default_mtu            =       ipv4_blackhole_default_mtu,
        .default_advmss         =       ipv4_default_advmss,
        .update_pmtu            =       ipv4_rt_blackhole_update_pmtu,
+        .cow_metrics            =       ipv4_rt_blackhole_cow_metrics,
 };
 struct dst_entry *ipv4_blackhole_route(struct net *net, struct dst_entry *dst_orig)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 1a456652086b..321e6e84dbcc 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -311,7 +311,6 @@ static struct ctl_table ipv4_table[] = {
                .mode           = 0644,
                .proc_handler   = proc_do_large_bitmap,
        },
-#ifdef CONFIG_IP_MULTICAST
        {
                .procname       = "igmp_max_memberships",
                .data           = &sysctl_igmp_max_memberships,
@@ -319,8 +318,6 @@ static struct ctl_table ipv4_table[] = {
                .mode           = 0644,
                .proc_handler   = proc_dointvec
        },
-#endif
        {
                .procname       = "igmp_max_msf",
                .data           = &sysctl_igmp_max_msf,
diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
index 34340c9c95fa..f376b05cca81 100644
--- a/net/ipv4/tcp_cubic.c
+++ b/net/ipv4/tcp_cubic.c
@@ -93,6 +93,7 @@ struct bictcp {
        u32     ack_cnt;        /* number of acks */
        u32     tcp_cwnd;       /* estimated tcp cwnd */
 #define ACK_RATIO_SHIFT 4
+#define ACK_RATIO_LIMIT (32u << ACK_RATIO_SHIFT)
        u16     delayed_ack;    /* estimate the ratio of Packets/ACKs << 4 */
        u8      sample_cnt;     /* number of samples to decide curr_rtt */
        u8      found;          /* the exit point is found? */
@@ -398,8 +399,12 @@ static void bictcp_acked(struct sock *sk, u32 cnt, s32 rtt_us)
        u32 delay;
        if (icsk->icsk_ca_state == TCP_CA_Open) {
-                cnt -= ca->delayed_ack >> ACK_RATIO_SHIFT;
+                u32 ratio = ca->delayed_ack;
-                ca->delayed_ack += cnt;
+                ratio -= ca->delayed_ack >> ACK_RATIO_SHIFT;
+                ratio += cnt;
+                ca->delayed_ack = min(ratio, ACK_RATIO_LIMIT);
        }
        /* Some calls are for duplicates without timetamps */
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 571aa96a175c..2d51840e53a1 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -69,7 +69,7 @@ int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
 }
 EXPORT_SYMBOL(xfrm4_prepare_output);
-static int xfrm4_output_finish(struct sk_buff *skb)
+int xfrm4_output_finish(struct sk_buff *skb)
 {
 #ifdef CONFIG_NETFILTER
        if (!skb_dst(skb)->xfrm) {
@@ -86,7 +86,11 @@ static int xfrm4_output_finish(struct sk_buff *skb)
 int xfrm4_output(struct sk_buff *skb)
 {
+        struct dst_entry *dst = skb_dst(skb);
+        struct xfrm_state *x = dst->xfrm;
        return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb,
-                            NULL, skb_dst(skb)->dev, xfrm4_output_finish,
+                            NULL, dst->dev,
+                            x->outer_mode->afinfo->output_finish,
                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
diff --git a/net/ipv4/xfrm4_state.c b/net/ipv4/xfrm4_state.c
index 1717c64628d1..805d63ef4340 100644
--- a/net/ipv4/xfrm4_state.c
+++ b/net/ipv4/xfrm4_state.c
@@ -78,6 +78,7 @@ static struct xfrm_state_afinfo xfrm4_state_afinfo = {
        .init_tempsel           = __xfrm4_init_tempsel,
        .init_temprop           = xfrm4_init_temprop,
        .output                 = xfrm4_output,
+        .output_finish          = xfrm4_output_finish,
        .extract_input          = xfrm4_extract_input,
        .extract_output         = xfrm4_extract_output,
        .transport_finish       = xfrm4_transport_finish,
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 1493534116df..a7bda0757053 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -4537,7 +4537,7 @@ static void __addrconf_sysctl_unregister(struct ipv6_devconf *p)
        t = p->sysctl;
        p->sysctl = NULL;
-        unregister_sysctl_table(t->sysctl_header);
+        unregister_net_sysctl_table(t->sysctl_header);
        kfree(t->dev_name);
        kfree(t);
 }
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 5aa8ec88f194..59dccfbb5b11 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -371,7 +371,7 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
        iv = esp_tmp_iv(aead, tmp, seqhilen);
        req = esp_tmp_req(aead, iv);
        asg = esp_req_sg(aead, req);
-        sg = asg + 1;
+        sg = asg + sglists;
        skb->ip_summed = CHECKSUM_NONE;
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
index 166054650466..f2c5b0fc0f21 100644
--- a/net/ipv6/inet6_connection_sock.c
+++ b/net/ipv6/inet6_connection_sock.c
@@ -44,7 +44,7 @@ int inet6_csk_bind_conflict(const struct sock *sk,
                     !sk2->sk_bound_dev_if ||
                     sk->sk_bound_dev_if == sk2->sk_bound_dev_if) &&
                    (!sk->sk_reuse || !sk2->sk_reuse ||
-                     ((1 << sk2->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))) &&
+                     sk2->sk_state == TCP_LISTEN) &&
                     ipv6_rcv_saddr_equal(sk, sk2))
                        break;
        }
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index 28e74488a329..a5a4c5dd5396 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -45,6 +45,8 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
        int tcphoff, needs_ack;
        const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
        struct ipv6hdr *ip6h;
+#define DEFAULT_TOS_VALUE       0x0U
+        const __u8 tclass = DEFAULT_TOS_VALUE;
        struct dst_entry *dst = NULL;
        u8 proto;
        struct flowi6 fl6;
@@ -124,7 +126,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
        skb_put(nskb, sizeof(struct ipv6hdr));
        skb_reset_network_header(nskb);
        ip6h = ipv6_hdr(nskb);
-        ip6h->version = 6;
+        *(__be32 *)ip6h =  htonl(0x60000000 | (tclass << 20));
        ip6h->hop_limit = ip6_dst_hoplimit(dst);
        ip6h->nexthdr = IPPROTO_TCP;
        ipv6_addr_copy(&ip6h->saddr, &oip6h->daddr);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 843406f14d7b..fd0eec6f88c6 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -153,6 +153,12 @@ static void ip6_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
 {
 }
+static u32 *ip6_rt_blackhole_cow_metrics(struct dst_entry *dst,
+                                         unsigned long old)
+{
+        return NULL;
+}
 static struct dst_ops ip6_dst_blackhole_ops = {
        .family                 =       AF_INET6,
        .protocol               =       cpu_to_be16(ETH_P_IPV6),
@@ -161,6 +167,7 @@ static struct dst_ops ip6_dst_blackhole_ops = {
        .default_mtu            =       ip6_blackhole_default_mtu,
        .default_advmss         =       ip6_default_advmss,
        .update_pmtu            =       ip6_rt_blackhole_update_pmtu,
+        .cow_metrics            =       ip6_rt_blackhole_cow_metrics,
 };
 static const u32 ip6_template_metrics[RTAX_MAX] = {
@@ -2012,7 +2019,6 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
        rt->dst.output = ip6_output;
        rt->rt6i_dev = net->loopback_dev;
        rt->rt6i_idev = idev;
-        dst_metric_set(&rt->dst, RTAX_HOPLIMIT, -1);
        rt->dst.obsolete = -1;
        rt->rt6i_flags = RTF_UP | RTF_NONEXTHOP;
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 15c37746845e..9e305d74b3d4 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1335,7 +1335,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features)
        skb->ip_summed = CHECKSUM_NONE;
        /* Check if there is enough headroom to insert fragment header. */
-        if ((skb_headroom(skb) < frag_hdr_sz) &&
+        if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
            pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
                goto out;
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 8e688b3de9ab..49a91c5f5623 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -79,7 +79,7 @@ int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
 }
 EXPORT_SYMBOL(xfrm6_prepare_output);
-static int xfrm6_output_finish(struct sk_buff *skb)
+int xfrm6_output_finish(struct sk_buff *skb)
 {
 #ifdef CONFIG_NETFILTER
        IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
@@ -97,9 +97,9 @@ static int __xfrm6_output(struct sk_buff *skb)
        if ((x && x->props.mode == XFRM_MODE_TUNNEL) &&
            ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
                dst_allfrag(skb_dst(skb)))) {
-                        return ip6_fragment(skb, xfrm6_output_finish);
+                        return ip6_fragment(skb, x->outer_mode->afinfo->output_finish);
        }
-        return xfrm6_output_finish(skb);
+        return x->outer_mode->afinfo->output_finish(skb);
 }
 int xfrm6_output(struct sk_buff *skb)
diff --git a/net/ipv6/xfrm6_state.c b/net/ipv6/xfrm6_state.c
index afe941e9415c..248f0b2a7ee9 100644
--- a/net/ipv6/xfrm6_state.c
+++ b/net/ipv6/xfrm6_state.c
@@ -178,6 +178,7 @@ static struct xfrm_state_afinfo xfrm6_state_afinfo = {
        .tmpl_sort              = __xfrm6_tmpl_sort,
        .state_sort             = __xfrm6_state_sort,
        .output                 = xfrm6_output,
+        .output_finish          = xfrm6_output_finish,
        .extract_input          = xfrm6_extract_input,
        .extract_output         = xfrm6_extract_output,
        .transport_finish       = xfrm6_transport_finish,
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index c9890e25cd4c..cc616974a447 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1297,8 +1297,7 @@ static int irda_sendmsg(struct kiocb *iocb, struct socket *sock,
        /* Note : socket.c set MSG_EOR on SEQPACKET sockets */
        if (msg->msg_flags & ~(MSG_DONTWAIT | MSG_EOR | MSG_CMSG_COMPAT |
                               MSG_NOSIGNAL)) {
-                err = -EINVAL;
+                return -EINVAL;
-                goto out;
        }
        lock_sock(sk);
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index fce9bd3bd3fe..5c04f3e42704 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -667,7 +667,7 @@ MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
 MODULE_DESCRIPTION("L2TP over IP");
 MODULE_VERSION("1.0");
-/* Use the value of SOCK_DGRAM (2) directory, because __stringify does't like
+/* Use the value of SOCK_DGRAM (2) directory, because __stringify doesn't like
 * enums
 */
 MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 2, IPPROTO_L2TP);
diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
index 058f1e9a9128..903242111317 100644
--- a/net/llc/llc_input.c
+++ b/net/llc/llc_input.c
@@ -121,8 +121,7 @@ static inline int llc_fixup_skb(struct sk_buff *skb)
                s32 data_size = ntohs(pdulen) - llc_len;
                if (data_size < 0 ||
-                    ((skb_tail_pointer(skb) -
+                    !pskb_may_pull(skb, data_size))
-                      (u8 *)pdu) - llc_len) < data_size)
                        return 0;
                if (unlikely(pskb_trim_rcsum(skb, data_size)))
                        return 0;
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 334213571ad0..44049733c4ea 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1504,6 +1504,8 @@ int __ieee80211_request_smps(struct ieee80211_sub_if_data *sdata,
        enum ieee80211_smps_mode old_req;
        int err;
+        lockdep_assert_held(&sdata->u.mgd.mtx);
        old_req = sdata->u.mgd.req_smps;
        sdata->u.mgd.req_smps = smps_mode;
diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index dacace6b1393..9ea7c0d0103f 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -177,9 +177,9 @@ static int ieee80211_set_smps(struct ieee80211_sub_if_data *sdata,
        if (sdata->vif.type != NL80211_IFTYPE_STATION)
                return -EOPNOTSUPP;
-        mutex_lock(&local->iflist_mtx);
+        mutex_lock(&sdata->u.mgd.mtx);
        err = __ieee80211_request_smps(sdata, smps_mode);
-        mutex_unlock(&local->iflist_mtx);
+        mutex_unlock(&sdata->u.mgd.mtx);
        return err;
 }
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index ce4596ed1268..bd1224fd216a 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -237,6 +237,10 @@ ieee80211_tx_h_dynamic_ps(struct ieee80211_tx_data *tx)
                                     &local->dynamic_ps_disable_work);
        }
+        /* Don't restart the timer if we're not disassociated */
+        if (!ifmgd->associated)
+                return TX_CONTINUE;
        mod_timer(&local->dynamic_ps_timer, jiffies +
                  msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 00a33242e90c..a274300b6a56 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -343,6 +343,10 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
        ipset_adtfn adtfn = set->variant->adt[adt];
        struct ipmac data;
+        /* MAC can be src only */
+        if (!(flags & IPSET_DIM_TWO_SRC))
+                return 0;
        data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
        if (data.id < map->first_ip || data.id > map->last_ip)
                return -IPSET_ERR_BITMAP_RANGE;
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 9152e69a162d..72d1ac611fdc 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1022,8 +1022,9 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
        if (cb->args[1] >= ip_set_max)
                goto out;
-        pr_debug("args[0]: %ld args[1]: %ld\n", cb->args[0], cb->args[1]);
        max = cb->args[0] == DUMP_ONE ? cb->args[1] + 1 : ip_set_max;
+dump_last:
+        pr_debug("args[0]: %ld args[1]: %ld\n", cb->args[0], cb->args[1]);
        for (; cb->args[1] < max; cb->args[1]++) {
                index = (ip_set_id_t) cb->args[1];
                set = ip_set_list[index];
@@ -1038,8 +1039,8 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
                 * so that lists (unions of sets) are dumped last.
                 */
                if (cb->args[0] != DUMP_ONE &&
-                    !((cb->args[0] == DUMP_ALL) ^
+                    ((cb->args[0] == DUMP_ALL) ==
-                      (set->type->features & IPSET_DUMP_LAST)))
+                     !!(set->type->features & IPSET_DUMP_LAST)))
                        continue;
                pr_debug("List set: %s\n", set->name);
                if (!cb->args[2]) {
@@ -1083,6 +1084,12 @@ ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
                        goto release_refcount;
                }
        }
+        /* If we dump all sets, continue with dumping last ones */
+        if (cb->args[0] == DUMP_ALL) {
+                cb->args[0] = DUMP_LAST;
+                cb->args[1] = 0;
+                goto dump_last;
+        }
        goto out;
 nla_put_failure:
@@ -1093,11 +1100,6 @@ release_refcount:
                pr_debug("release set %s\n", ip_set_list[index]->name);
                ip_set_put_byindex(index);
        }
-        /* If we dump all sets, continue with dumping last ones */
-        if (cb->args[0] == DUMP_ALL && cb->args[1] >= max && !cb->args[2])
-                cb->args[0] = DUMP_LAST;
 out:
        if (nlh) {
                nlmsg_end(skb, nlh);
diff --git a/net/netfilter/ipvs/ip_vs_app.c b/net/netfilter/ipvs/ip_vs_app.c
index 2dc6de13ac18..059af3120be7 100644
--- a/net/netfilter/ipvs/ip_vs_app.c
+++ b/net/netfilter/ipvs/ip_vs_app.c
@@ -572,11 +572,11 @@ static const struct file_operations ip_vs_app_fops = {
        .open    = ip_vs_app_open,
        .read    = seq_read,
        .llseek  = seq_lseek,
-        .release = seq_release,
+        .release = seq_release_net,
 };
 #endif
-static int __net_init __ip_vs_app_init(struct net *net)
+int __net_init __ip_vs_app_init(struct net *net)
 {
        struct netns_ipvs *ipvs = net_ipvs(net);
@@ -585,26 +585,17 @@ static int __net_init __ip_vs_app_init(struct net *net)
        return 0;
 }
-static void __net_exit __ip_vs_app_cleanup(struct net *net)
+void __net_exit __ip_vs_app_cleanup(struct net *net)
 {
        proc_net_remove(net, "ip_vs_app");
 }
-static struct pernet_operations ip_vs_app_ops = {
-        .init = __ip_vs_app_init,
-        .exit = __ip_vs_app_cleanup,
-};
 int __init ip_vs_app_init(void)
 {
-        int rv;
+        return 0;
-        rv = register_pernet_subsys(&ip_vs_app_ops);
-        return rv;
 }
 void ip_vs_app_cleanup(void)
 {
-        unregister_pernet_subsys(&ip_vs_app_ops);
 }
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index c97bd45975be..bf28ac2fc99b 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -1046,7 +1046,7 @@ static const struct file_operations ip_vs_conn_fops = {
        .open    = ip_vs_conn_open,
        .read    = seq_read,
        .llseek  = seq_lseek,
-        .release = seq_release,
+        .release = seq_release_net,
 };
 static const char *ip_vs_origin_name(unsigned flags)
@@ -1114,7 +1114,7 @@ static const struct file_operations ip_vs_conn_sync_fops = {
        .open    = ip_vs_conn_sync_open,
        .read    = seq_read,
        .llseek  = seq_lseek,
-        .release = seq_release,
+        .release = seq_release_net,
 };
 #endif
@@ -1258,22 +1258,17 @@ int __net_init __ip_vs_conn_init(struct net *net)
        return 0;
 }
-static void __net_exit __ip_vs_conn_cleanup(struct net *net)
+void __net_exit __ip_vs_conn_cleanup(struct net *net)
 {
        /* flush all the connection entries first */
        ip_vs_conn_flush(net);
        proc_net_remove(net, "ip_vs_conn");
        proc_net_remove(net, "ip_vs_conn_sync");
 }
-static struct pernet_operations ipvs_conn_ops = {
-        .init = __ip_vs_conn_init,
-        .exit = __ip_vs_conn_cleanup,
-};
 int __init ip_vs_conn_init(void)
 {
        int idx;
-        int retc;
        /* Compute size and mask */
        ip_vs_conn_tab_size = 1 << ip_vs_conn_tab_bits;
@@ -1309,17 +1304,14 @@ int __init ip_vs_conn_init(void)
                rwlock_init(&__ip_vs_conntbl_lock_array[idx].l);
        }
-        retc = register_pernet_subsys(&ipvs_conn_ops);
        /* calculate the random value for connection hash */
        get_random_bytes(&ip_vs_conn_rnd, sizeof(ip_vs_conn_rnd));
-        return retc;
+        return 0;
 }
 void ip_vs_conn_cleanup(void)
 {
-        unregister_pernet_subsys(&ipvs_conn_ops);
        /* Release the empty cache */
        kmem_cache_destroy(ip_vs_conn_cachep);
        vfree(ip_vs_conn_tab);
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 07accf6b2401..a74dae6c5dbc 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1113,6 +1113,9 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
                return NF_ACCEPT;
        net = skb_net(skb);
+        if (!net_ipvs(net)->enable)
+                return NF_ACCEPT;
        ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
 #ifdef CONFIG_IP_VS_IPV6
        if (af == AF_INET6) {
@@ -1343,6 +1346,7 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
                return NF_ACCEPT; /* The packet looks wrong, ignore */
        net = skb_net(skb);
        pd = ip_vs_proto_data_get(net, cih->protocol);
        if (!pd)
                return NF_ACCEPT;
@@ -1529,6 +1533,11 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
                              IP_VS_DBG_ADDR(af, &iph.daddr), hooknum);
                return NF_ACCEPT;
        }
+        /* ipvs enabled in this netns ? */
+        net = skb_net(skb);
+        if (!net_ipvs(net)->enable)
+                return NF_ACCEPT;
        ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
        /* Bad... Do not break raw sockets */
@@ -1562,7 +1571,6 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
                        ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
                }
-        net = skb_net(skb);
        /* Protocol supported? */
        pd = ip_vs_proto_data_get(net, iph.protocol);
        if (unlikely(!pd))
@@ -1588,7 +1596,6 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
        }
        IP_VS_DBG_PKT(11, af, pp, skb, 0, "Incoming packet");
-        net = skb_net(skb);
        ipvs = net_ipvs(net);
        /* Check the server status */
        if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
@@ -1743,10 +1750,16 @@ ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff *skb,
                   int (*okfn)(struct sk_buff *))
 {
        int r;
+        struct net *net;
        if (ip_hdr(skb)->protocol != IPPROTO_ICMP)
                return NF_ACCEPT;
+        /* ipvs enabled in this netns ? */
+        net = skb_net(skb);
+        if (!net_ipvs(net)->enable)
+                return NF_ACCEPT;
        return ip_vs_in_icmp(skb, &r, hooknum);
 }
@@ -1757,10 +1770,16 @@ ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
                      int (*okfn)(struct sk_buff *))
 {
        int r;
+        struct net *net;
        if (ipv6_hdr(skb)->nexthdr != IPPROTO_ICMPV6)
                return NF_ACCEPT;
+        /* ipvs enabled in this netns ? */
+        net = skb_net(skb);
+        if (!net_ipvs(net)->enable)
+                return NF_ACCEPT;
        return ip_vs_in_icmp_v6(skb, &r, hooknum);
 }
 #endif
@@ -1884,19 +1903,70 @@ static int __net_init __ip_vs_init(struct net *net)
                pr_err("%s(): no memory.\n", __func__);
                return -ENOMEM;
        }
+        /* Hold the beast until a service is registerd */
+        ipvs->enable = 0;
        ipvs->net = net;
        /* Counters used for creating unique names */
        ipvs->gen = atomic_read(&ipvs_netns_cnt);
        atomic_inc(&ipvs_netns_cnt);
        net->ipvs = ipvs;
+        if (__ip_vs_estimator_init(net) < 0)
+                goto estimator_fail;
+        if (__ip_vs_control_init(net) < 0)
+                goto control_fail;
+        if (__ip_vs_protocol_init(net) < 0)
+                goto protocol_fail;
+        if (__ip_vs_app_init(net) < 0)
+                goto app_fail;
+        if (__ip_vs_conn_init(net) < 0)
+                goto conn_fail;
+        if (__ip_vs_sync_init(net) < 0)
+                goto sync_fail;
        printk(KERN_INFO "IPVS: Creating netns size=%zu id=%d\n",
                         sizeof(struct netns_ipvs), ipvs->gen);
        return 0;
+/*
+ * Error handling
+ */
+sync_fail:
+        __ip_vs_conn_cleanup(net);
+conn_fail:
+        __ip_vs_app_cleanup(net);
+app_fail:
+        __ip_vs_protocol_cleanup(net);
+protocol_fail:
+        __ip_vs_control_cleanup(net);
+control_fail:
+        __ip_vs_estimator_cleanup(net);
+estimator_fail:
+        return -ENOMEM;
 }
 static void __net_exit __ip_vs_cleanup(struct net *net)
 {
-        IP_VS_DBG(10, "ipvs netns %d released\n", net_ipvs(net)->gen);
+        __ip_vs_service_cleanup(net);   /* ip_vs_flush() with locks */
+        __ip_vs_conn_cleanup(net);
+        __ip_vs_app_cleanup(net);
+        __ip_vs_protocol_cleanup(net);
+        __ip_vs_control_cleanup(net);
+        __ip_vs_estimator_cleanup(net);
+        IP_VS_DBG(2, "ipvs netns %d released\n", net_ipvs(net)->gen);
+}
+static void __net_exit __ip_vs_dev_cleanup(struct net *net)
+{
+        EnterFunction(2);
+        net_ipvs(net)->enable = 0;      /* Disable packet reception */
+        __ip_vs_sync_cleanup(net);
+        LeaveFunction(2);
 }
 static struct pernet_operations ipvs_core_ops = {
@@ -1906,6 +1976,10 @@ static struct pernet_operations ipvs_core_ops = {
        .size = sizeof(struct netns_ipvs),
 };
+static struct pernet_operations ipvs_core_dev_ops = {
+        .exit = __ip_vs_dev_cleanup,
+};
 /*
 *      Initialize IP Virtual Server
 */
@@ -1913,10 +1987,6 @@ static int __init ip_vs_init(void)
 {
        int ret;
-        ret = register_pernet_subsys(&ipvs_core_ops);   /* Alloc ip_vs struct */
-        if (ret < 0)
-                return ret;
        ip_vs_estimator_init();
        ret = ip_vs_control_init();
        if (ret < 0) {
@@ -1944,15 +2014,28 @@ static int __init ip_vs_init(void)
                goto cleanup_conn;
        }
+        ret = register_pernet_subsys(&ipvs_core_ops);   /* Alloc ip_vs struct */
+        if (ret < 0)
+                goto cleanup_sync;
+        ret = register_pernet_device(&ipvs_core_dev_ops);
+        if (ret < 0)
+                goto cleanup_sub;
        ret = nf_register_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
        if (ret < 0) {
                pr_err("can't register hooks.\n");
-                goto cleanup_sync;
+                goto cleanup_dev;
        }
        pr_info("ipvs loaded.\n");
        return ret;
+cleanup_dev:
+        unregister_pernet_device(&ipvs_core_dev_ops);
+cleanup_sub:
+        unregister_pernet_subsys(&ipvs_core_ops);
 cleanup_sync:
        ip_vs_sync_cleanup();
  cleanup_conn:
@@ -1964,20 +2047,20 @@ cleanup_sync:
        ip_vs_control_cleanup();
  cleanup_estimator:
        ip_vs_estimator_cleanup();
-        unregister_pernet_subsys(&ipvs_core_ops);       /* free ip_vs struct */
        return ret;
 }
 static void __exit ip_vs_cleanup(void)
 {
        nf_unregister_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
+        unregister_pernet_device(&ipvs_core_dev_ops);
+        unregister_pernet_subsys(&ipvs_core_ops);       /* free ip_vs struct */
        ip_vs_sync_cleanup();
        ip_vs_conn_cleanup();
        ip_vs_app_cleanup();
        ip_vs_protocol_cleanup();
        ip_vs_control_cleanup();
        ip_vs_estimator_cleanup();
-        unregister_pernet_subsys(&ipvs_core_ops);       /* free ip_vs struct */
        pr_info("ipvs unloaded.\n");
 }
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index ae47090bf45f..37890f228b19 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -69,6 +69,11 @@ int ip_vs_get_debug_level(void)
 }
 #endif
+/*  Protos */
+static void __ip_vs_del_service(struct ip_vs_service *svc);
 #ifdef CONFIG_IP_VS_IPV6
 /* Taken from rt6_fill_node() in net/ipv6/route.c, is there a better way? */
 static int __ip_vs_addr_is_local_v6(struct net *net,
@@ -1214,6 +1219,8 @@ ip_vs_add_service(struct net *net, struct ip_vs_service_user_kern *u,
        write_unlock_bh(&__ip_vs_svc_lock);
        *svc_p = svc;
+        /* Now there is a service - full throttle */
+        ipvs->enable = 1;
        return 0;
@@ -1472,6 +1479,84 @@ static int ip_vs_flush(struct net *net)
        return 0;
 }
+/*
+ *      Delete service by {netns} in the service table.
+ *      Called by __ip_vs_cleanup()
+ */
+void __ip_vs_service_cleanup(struct net *net)
+{
+        EnterFunction(2);
+        /* Check for "full" addressed entries */
+        mutex_lock(&__ip_vs_mutex);
+        ip_vs_flush(net);
+        mutex_unlock(&__ip_vs_mutex);
+        LeaveFunction(2);
+}
+/*
+ * Release dst hold by dst_cache
+ */
+static inline void
+__ip_vs_dev_reset(struct ip_vs_dest *dest, struct net_device *dev)
+{
+        spin_lock_bh(&dest->dst_lock);
+        if (dest->dst_cache && dest->dst_cache->dev == dev) {
+                IP_VS_DBG_BUF(3, "Reset dev:%s dest %s:%u ,dest->refcnt=%d\n",
+                              dev->name,
+                              IP_VS_DBG_ADDR(dest->af, &dest->addr),
+                              ntohs(dest->port),
+                              atomic_read(&dest->refcnt));
+                ip_vs_dst_reset(dest);
+        }
+        spin_unlock_bh(&dest->dst_lock);
+}
+/*
+ * Netdev event receiver
+ * Currently only NETDEV_UNREGISTER is handled, i.e. if we hold a reference to
+ * a device that is "unregister" it must be released.
+ */
+static int ip_vs_dst_event(struct notifier_block *this, unsigned long event,
+                            void *ptr)
+{
+        struct net_device *dev = ptr;
+        struct net *net = dev_net(dev);
+        struct ip_vs_service *svc;
+        struct ip_vs_dest *dest;
+        unsigned int idx;
+        if (event != NETDEV_UNREGISTER)
+                return NOTIFY_DONE;
+        IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name);
+        EnterFunction(2);
+        mutex_lock(&__ip_vs_mutex);
+        for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
+                list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
+                        if (net_eq(svc->net, net)) {
+                                list_for_each_entry(dest, &svc->destinations,
+                                                    n_list) {
+                                        __ip_vs_dev_reset(dest, dev);
+                                }
+                        }
+                }
+                list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
+                        if (net_eq(svc->net, net)) {
+                                list_for_each_entry(dest, &svc->destinations,
+                                                    n_list) {
+                                        __ip_vs_dev_reset(dest, dev);
+                                }
+                        }
+                }
+        }
+        list_for_each_entry(dest, &net_ipvs(net)->dest_trash, n_list) {
+                __ip_vs_dev_reset(dest, dev);
+        }
+        mutex_unlock(&__ip_vs_mutex);
+        LeaveFunction(2);
+        return NOTIFY_DONE;
+}
 /*
 *      Zero counters in a service or all services
@@ -1981,7 +2066,7 @@ static const struct file_operations ip_vs_info_fops = {
        .open    = ip_vs_info_open,
        .read    = seq_read,
        .llseek  = seq_lseek,
-        .release = seq_release_private,
+        .release = seq_release_net,
 };
 #endif
@@ -2024,7 +2109,7 @@ static const struct file_operations ip_vs_stats_fops = {
        .open = ip_vs_stats_seq_open,
        .read = seq_read,
        .llseek = seq_lseek,
-        .release = single_release,
+        .release = single_release_net,
 };
 static int ip_vs_stats_percpu_show(struct seq_file *seq, void *v)
@@ -2093,7 +2178,7 @@ static const struct file_operations ip_vs_stats_percpu_fops = {
        .open = ip_vs_stats_percpu_seq_open,
        .read = seq_read,
        .llseek = seq_lseek,
-        .release = single_release,
+        .release = single_release_net,
 };
 #endif
@@ -3588,6 +3673,10 @@ void __net_init __ip_vs_control_cleanup_sysctl(struct net *net) { }
 #endif
+static struct notifier_block ip_vs_dst_notifier = {
+        .notifier_call = ip_vs_dst_event,
+};
 int __net_init __ip_vs_control_init(struct net *net)
 {
        int idx;
@@ -3626,7 +3715,7 @@ err:
        return -ENOMEM;
 }
-static void __net_exit __ip_vs_control_cleanup(struct net *net)
+void __net_exit __ip_vs_control_cleanup(struct net *net)
 {
        struct netns_ipvs *ipvs = net_ipvs(net);
@@ -3639,11 +3728,6 @@ static void __net_exit __ip_vs_control_cleanup(struct net *net)
        free_percpu(ipvs->tot_stats.cpustats);
 }
-static struct pernet_operations ipvs_control_ops = {
-        .init = __ip_vs_control_init,
-        .exit = __ip_vs_control_cleanup,
-};
 int __init ip_vs_control_init(void)
 {
        int idx;
@@ -3657,33 +3741,32 @@ int __init ip_vs_control_init(void)
                INIT_LIST_HEAD(&ip_vs_svc_fwm_table[idx]);
        }
-        ret = register_pernet_subsys(&ipvs_control_ops);
-        if (ret) {
-                pr_err("cannot register namespace.\n");
-                goto err;
-        }
        smp_wmb();      /* Do we really need it now ? */
        ret = nf_register_sockopt(&ip_vs_sockopts);
        if (ret) {
                pr_err("cannot register sockopt.\n");
-                goto err_net;
+                goto err_sock;
        }
        ret = ip_vs_genl_register();
        if (ret) {
                pr_err("cannot register Generic Netlink interface.\n");
-                nf_unregister_sockopt(&ip_vs_sockopts);
+                goto err_genl;
-                goto err_net;
        }
+        ret = register_netdevice_notifier(&ip_vs_dst_notifier);
+        if (ret < 0)
+                goto err_notf;
        LeaveFunction(2);
        return 0;
-err_net:
+err_notf:
-        unregister_pernet_subsys(&ipvs_control_ops);
+        ip_vs_genl_unregister();
-err:
+err_genl:
+        nf_unregister_sockopt(&ip_vs_sockopts);
+err_sock:
        return ret;
 }
@@ -3691,7 +3774,6 @@ err:
 void ip_vs_control_cleanup(void)
 {
        EnterFunction(2);
-        unregister_pernet_subsys(&ipvs_control_ops);
        ip_vs_genl_unregister();
        nf_unregister_sockopt(&ip_vs_sockopts);
        LeaveFunction(2);
diff --git a/net/netfilter/ipvs/ip_vs_est.c b/net/netfilter/ipvs/ip_vs_est.c
index 8c8766ca56ad..508cce98777c 100644
--- a/net/netfilter/ipvs/ip_vs_est.c
+++ b/net/netfilter/ipvs/ip_vs_est.c
@@ -192,7 +192,7 @@ void ip_vs_read_estimator(struct ip_vs_stats_user *dst,
        dst->outbps = (e->outbps + 0xF) >> 5;
 }
-static int __net_init __ip_vs_estimator_init(struct net *net)
+int __net_init __ip_vs_estimator_init(struct net *net)
 {
        struct netns_ipvs *ipvs = net_ipvs(net);
@@ -203,24 +203,16 @@ static int __net_init __ip_vs_estimator_init(struct net *net)
        return 0;
 }
-static void __net_exit __ip_vs_estimator_exit(struct net *net)
+void __net_exit __ip_vs_estimator_cleanup(struct net *net)
 {
        del_timer_sync(&net_ipvs(net)->est_timer);
 }
-static struct pernet_operations ip_vs_app_ops = {
-        .init = __ip_vs_estimator_init,
-        .exit = __ip_vs_estimator_exit,
-};
 int __init ip_vs_estimator_init(void)
 {
-        int rv;
+        return 0;
-        rv = register_pernet_subsys(&ip_vs_app_ops);
-        return rv;
 }
 void ip_vs_estimator_cleanup(void)
 {
-        unregister_pernet_subsys(&ip_vs_app_ops);
 }
diff --git a/net/netfilter/ipvs/ip_vs_proto.c b/net/netfilter/ipvs/ip_vs_proto.c
index 17484a4416ef..eb86028536fc 100644
--- a/net/netfilter/ipvs/ip_vs_proto.c
+++ b/net/netfilter/ipvs/ip_vs_proto.c
@@ -316,7 +316,7 @@ ip_vs_tcpudp_debug_packet(int af, struct ip_vs_protocol *pp,
 /*
 * per network name-space init
 */
-static int __net_init __ip_vs_protocol_init(struct net *net)
+int __net_init __ip_vs_protocol_init(struct net *net)
 {
 #ifdef CONFIG_IP_VS_PROTO_TCP
        register_ip_vs_proto_netns(net, &ip_vs_protocol_tcp);
@@ -336,7 +336,7 @@ static int __net_init __ip_vs_protocol_init(struct net *net)
        return 0;
 }
-static void __net_exit __ip_vs_protocol_cleanup(struct net *net)
+void __net_exit __ip_vs_protocol_cleanup(struct net *net)
 {
        struct netns_ipvs *ipvs = net_ipvs(net);
        struct ip_vs_proto_data *pd;
@@ -349,11 +349,6 @@ static void __net_exit __ip_vs_protocol_cleanup(struct net *net)
        }
 }
-static struct pernet_operations ipvs_proto_ops = {
-        .init = __ip_vs_protocol_init,
-        .exit = __ip_vs_protocol_cleanup,
-};
 int __init ip_vs_protocol_init(void)
 {
        char protocols[64];
@@ -382,7 +377,6 @@ int __init ip_vs_protocol_init(void)
        REGISTER_PROTOCOL(&ip_vs_protocol_esp);
 #endif
        pr_info("Registered protocols (%s)\n", &protocols[2]);
-        return register_pernet_subsys(&ipvs_proto_ops);
        return 0;
 }
@@ -393,7 +387,6 @@ void ip_vs_protocol_cleanup(void)
        struct ip_vs_protocol *pp;
        int i;
-        unregister_pernet_subsys(&ipvs_proto_ops);
        /* unregister all the ipvs protocols */
        for (i = 0; i < IP_VS_PROTO_TAB_SIZE; i++) {
                while ((pp = ip_vs_proto_table[i]) != NULL)
diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
index 3e7961e85e9c..e292e5bddc70 100644
--- a/net/netfilter/ipvs/ip_vs_sync.c
+++ b/net/netfilter/ipvs/ip_vs_sync.c
@@ -1303,13 +1303,18 @@ static struct socket *make_send_sock(struct net *net)
        struct socket *sock;
        int result;
-        /* First create a socket */
+        /* First create a socket move it to right name space later */
-        result = __sock_create(net, PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock, 1);
+        result = sock_create_kern(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock);
        if (result < 0) {
                pr_err("Error during creation of socket; terminating\n");
                return ERR_PTR(result);
        }
+        /*
+         * Kernel sockets that are a part of a namespace, should not
+         * hold a reference to a namespace in order to allow to stop it.
+         * After sk_change_net should be released using sk_release_kernel.
+         */
+        sk_change_net(sock->sk, net);
        result = set_mcast_if(sock->sk, ipvs->master_mcast_ifn);
        if (result < 0) {
                pr_err("Error setting outbound mcast interface\n");
@@ -1334,8 +1339,8 @@ static struct socket *make_send_sock(struct net *net)
        return sock;
-  error:
+error:
-        sock_release(sock);
+        sk_release_kernel(sock->sk);
        return ERR_PTR(result);
 }
@@ -1350,12 +1355,17 @@ static struct socket *make_receive_sock(struct net *net)
        int result;
        /* First create a socket */
-        result = __sock_create(net, PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock, 1);
+        result = sock_create_kern(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock);
        if (result < 0) {
                pr_err("Error during creation of socket; terminating\n");
                return ERR_PTR(result);
        }
+        /*
+         * Kernel sockets that are a part of a namespace, should not
+         * hold a reference to a namespace in order to allow to stop it.
+         * After sk_change_net should be released using sk_release_kernel.
+         */
+        sk_change_net(sock->sk, net);
        /* it is equivalent to the REUSEADDR option in user-space */
        sock->sk->sk_reuse = 1;
@@ -1377,8 +1387,8 @@ static struct socket *make_receive_sock(struct net *net)
        return sock;
-  error:
+error:
-        sock_release(sock);
+        sk_release_kernel(sock->sk);
        return ERR_PTR(result);
 }
@@ -1473,7 +1483,7 @@ static int sync_thread_master(void *data)
                ip_vs_sync_buff_release(sb);
        /* release the sending multicast socket */
-        sock_release(tinfo->sock);
+        sk_release_kernel(tinfo->sock->sk);
        kfree(tinfo);
        return 0;
@@ -1513,7 +1523,7 @@ static int sync_thread_backup(void *data)
        }
        /* release the sending multicast socket */
-        sock_release(tinfo->sock);
+        sk_release_kernel(tinfo->sock->sk);
        kfree(tinfo->buf);
        kfree(tinfo);
@@ -1601,7 +1611,7 @@ outtinfo:
 outbuf:
        kfree(buf);
 outsocket:
-        sock_release(sock);
+        sk_release_kernel(sock->sk);
 out:
        return result;
 }
@@ -1610,6 +1620,7 @@ out:
 int stop_sync_thread(struct net *net, int state)
 {
        struct netns_ipvs *ipvs = net_ipvs(net);
+        int retc = -EINVAL;
        IP_VS_DBG(7, "%s(): pid %d\n", __func__, task_pid_nr(current));
@@ -1629,7 +1640,7 @@ int stop_sync_thread(struct net *net, int state)
                spin_lock_bh(&ipvs->sync_lock);
                ipvs->sync_state &= ~IP_VS_STATE_MASTER;
                spin_unlock_bh(&ipvs->sync_lock);
-                kthread_stop(ipvs->master_thread);
+                retc = kthread_stop(ipvs->master_thread);
                ipvs->master_thread = NULL;
        } else if (state == IP_VS_STATE_BACKUP) {
                if (!ipvs->backup_thread)
@@ -1639,22 +1650,20 @@ int stop_sync_thread(struct net *net, int state)
                        task_pid_nr(ipvs->backup_thread));
                ipvs->sync_state &= ~IP_VS_STATE_BACKUP;
-                kthread_stop(ipvs->backup_thread);
+                retc = kthread_stop(ipvs->backup_thread);
                ipvs->backup_thread = NULL;
-        } else {
-                return -EINVAL;
        }
        /* decrease the module use count */
        ip_vs_use_count_dec();
-        return 0;
+        return retc;
 }
 /*
 * Initialize data struct for each netns
 */
-static int __net_init __ip_vs_sync_init(struct net *net)
+int __net_init __ip_vs_sync_init(struct net *net)
 {
        struct netns_ipvs *ipvs = net_ipvs(net);
@@ -1668,24 +1677,24 @@ static int __net_init __ip_vs_sync_init(struct net *net)
        return 0;
 }
-static void __ip_vs_sync_cleanup(struct net *net)
+void __ip_vs_sync_cleanup(struct net *net)
 {
-        stop_sync_thread(net, IP_VS_STATE_MASTER);
+        int retc;
-        stop_sync_thread(net, IP_VS_STATE_BACKUP);
-}
-static struct pernet_operations ipvs_sync_ops = {
+        retc = stop_sync_thread(net, IP_VS_STATE_MASTER);
-        .init = __ip_vs_sync_init,
+        if (retc && retc != -ESRCH)
-        .exit = __ip_vs_sync_cleanup,
+                pr_err("Failed to stop Master Daemon\n");
-};
+        retc = stop_sync_thread(net, IP_VS_STATE_BACKUP);
+        if (retc && retc != -ESRCH)
+                pr_err("Failed to stop Backup Daemon\n");
+}
 int __init ip_vs_sync_init(void)
 {
-        return register_pernet_subsys(&ipvs_sync_ops);
+        return 0;
 }
 void ip_vs_sync_cleanup(void)
 {
-        unregister_pernet_subsys(&ipvs_sync_ops);
 }
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 30bf8a167fc8..482e90c61850 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1334,6 +1334,7 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
        struct nf_conn *ct;
        int err = -EINVAL;
        struct nf_conntrack_helper *helper;
+        struct nf_conn_tstamp *tstamp;
        ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
        if (IS_ERR(ct))
@@ -1451,6 +1452,9 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
                __set_bit(IPS_EXPECTED_BIT, &ct->status);
                ct->master = master_ct;
        }
+        tstamp = nf_conn_tstamp_find(ct);
+        if (tstamp)
+                tstamp->start = ktime_to_ns(ktime_get_real());
        add_timer(&ct->timeout);
        nf_conntrack_hash_insert(ct);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index a9adf4c6b299..8a025a585d2f 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -455,6 +455,7 @@ void xt_compat_flush_offsets(u_int8_t af)
                vfree(xt[af].compat_tab);
                xt[af].compat_tab = NULL;
                xt[af].number = 0;
+                xt[af].cur = 0;
        }
 }
 EXPORT_SYMBOL_GPL(xt_compat_flush_offsets);
@@ -473,8 +474,7 @@ int xt_compat_calc_jump(u_int8_t af, unsigned int offset)
                else
                        return mid ? tmp[mid - 1].delta : 0;
        }
-        WARN_ON_ONCE(1);
+        return left ? tmp[left - 1].delta : 0;
-        return 0;
 }
 EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 0a229191e55b..ae8271652efa 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -99,7 +99,7 @@ tos_tg6(struct sk_buff *skb, const struct xt_action_param *par)
        u_int8_t orig, nv;
        orig = ipv6_get_dsfield(iph);
-        nv   = (orig & info->tos_mask) ^ info->tos_value;
+        nv   = (orig & ~info->tos_mask) ^ info->tos_value;
        if (orig != nv) {
                if (!skb_make_writable(skb, sizeof(struct iphdr)))
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 481a86fdc409..61805d7b38aa 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -272,11 +272,6 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par)
 {
        int ret;
-        if (strcmp(par->table, "raw") == 0) {
-                pr_info("state is undetermined at the time of raw table\n");
-                return -EINVAL;
-        }
        ret = nf_ct_l3proto_try_module_get(par->family);
        if (ret < 0)
                pr_info("cannot load conntrack support for proto=%u\n",
diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 061d48cec137..b3babaed7719 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -81,6 +81,7 @@ set_match_v0_checkentry(const struct xt_mtchk_param *par)
        if (info->match_set.u.flags[IPSET_DIM_MAX-1] != 0) {
                pr_warning("Protocol error: set match dimension "
                           "is over the limit!\n");
+                ip_set_nfnl_put(info->match_set.index);
                return -ERANGE;
        }
@@ -135,6 +136,8 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
                if (index == IPSET_INVALID_ID) {
                        pr_warning("Cannot find del_set index %u as target\n",
                                   info->del_set.index);
+                        if (info->add_set.index != IPSET_INVALID_ID)
+                                ip_set_nfnl_put(info->add_set.index);
                        return -ENOENT;
                }
        }
@@ -142,6 +145,10 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
            info->del_set.u.flags[IPSET_DIM_MAX-1] != 0) {
                pr_warning("Protocol error: SET target dimension "
                           "is over the limit!\n");
+                if (info->add_set.index != IPSET_INVALID_ID)
+                        ip_set_nfnl_put(info->add_set.index);
+                if (info->del_set.index != IPSET_INVALID_ID)
+                        ip_set_nfnl_put(info->del_set.index);
                return -ERANGE;
        }
@@ -192,6 +199,7 @@ set_match_checkentry(const struct xt_mtchk_param *par)
        if (info->match_set.dim > IPSET_DIM_MAX) {
                pr_warning("Protocol error: set match dimension "
                           "is over the limit!\n");
+                ip_set_nfnl_put(info->match_set.index);
                return -ERANGE;
        }
@@ -219,7 +227,7 @@ set_target(struct sk_buff *skb, const struct xt_action_param *par)
        if (info->del_set.index != IPSET_INVALID_ID)
                ip_set_del(info->del_set.index,
                           skb, par->family,
-                           info->add_set.dim,
+                           info->del_set.dim,
                           info->del_set.flags);
        return XT_CONTINUE;
@@ -245,13 +253,19 @@ set_target_checkentry(const struct xt_tgchk_param *par)
                if (index == IPSET_INVALID_ID) {
                        pr_warning("Cannot find del_set index %u as target\n",
                                   info->del_set.index);
+                        if (info->add_set.index != IPSET_INVALID_ID)
+                                ip_set_nfnl_put(info->add_set.index);
                        return -ENOENT;
                }
        }
        if (info->add_set.dim > IPSET_DIM_MAX ||
-            info->del_set.flags > IPSET_DIM_MAX) {
+            info->del_set.dim > IPSET_DIM_MAX) {
                pr_warning("Protocol error: SET target dimension "
                           "is over the limit!\n");
+                if (info->add_set.index != IPSET_INVALID_ID)
+                        ip_set_nfnl_put(info->add_set.index);
+                if (info->del_set.index != IPSET_INVALID_ID)
+                        ip_set_nfnl_put(info->del_set.index);
                return -ERANGE;
        }
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 0698cad61763..1a21c571aa03 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -569,6 +569,8 @@ void sctp_assoc_rm_peer(struct sctp_association *asoc,
                sctp_assoc_set_primary(asoc, transport);
        if (asoc->peer.active_path == peer)
                asoc->peer.active_path = transport;
+        if (asoc->peer.retran_path == peer)
+                asoc->peer.retran_path = transport;
        if (asoc->peer.last_data_from == peer)
                asoc->peer.last_data_from = transport;
@@ -1323,6 +1325,8 @@ void sctp_assoc_update_retran_path(struct sctp_association *asoc)
        if (t)
                asoc->peer.retran_path = t;
+        else
+                t = asoc->peer.retran_path;
        SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
                                 " %p addr: ",
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
index dff27d5e22fd..61b1f5ada96a 100644
--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -554,7 +554,7 @@ struct sctp_ulpevent *sctp_ulpevent_make_send_failed(
        memcpy(&ssf->ssf_info, &chunk->sinfo, sizeof(struct sctp_sndrcvinfo));
        /* Per TSVWG discussion with Randy. Allow the application to
-         * resemble a fragmented message.
+         * reassemble a fragmented message.
         */
        ssf->ssf_info.sinfo_flags = chunk->chunk_hdr->flags;
diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig
index 8873fd8ddacd..b2198e65d8bb 100644
--- a/net/sunrpc/Kconfig
+++ b/net/sunrpc/Kconfig
@@ -18,14 +18,13 @@ config SUNRPC_XPRT_RDMA
          If unsure, say N.
 config RPCSEC_GSS_KRB5
-        tristate
+        tristate "Secure RPC: Kerberos V mechanism"
        depends on SUNRPC && CRYPTO
-        prompt "Secure RPC: Kerberos V mechanism" if !(NFS_V4 || NFSD_V4)
+        depends on CRYPTO_MD5 && CRYPTO_DES && CRYPTO_CBC && CRYPTO_CTS
+        depends on CRYPTO_ECB && CRYPTO_HMAC && CRYPTO_SHA1 && CRYPTO_AES
+        depends on CRYPTO_ARC4
        default y
        select SUNRPC_GSS
-        select CRYPTO_MD5
-        select CRYPTO_DES
-        select CRYPTO_CBC
        help
          Choose Y here to enable Secure RPC using the Kerberos version 5
          GSS-API mechanism (RFC 1964).
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index f3914d0c5079..339ba64cce1e 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -520,7 +520,7 @@ gss_refresh_upcall(struct rpc_task *task)
                warn_gssd();
                task->tk_timeout = 15*HZ;
                rpc_sleep_on(&pipe_version_rpc_waitqueue, task, NULL);
-                return 0;
+                return -EAGAIN;
        }
        if (IS_ERR(gss_msg)) {
                err = PTR_ERR(gss_msg);
@@ -563,10 +563,12 @@ retry:
        if (PTR_ERR(gss_msg) == -EAGAIN) {
                err = wait_event_interruptible_timeout(pipe_version_waitqueue,
                                pipe_version >= 0, 15*HZ);
+                if (pipe_version < 0) {
+                        warn_gssd();
+                        err = -EACCES;
+                }
                if (err)
                        goto out;
-                if (pipe_version < 0)
-                        warn_gssd();
                goto retry;
        }
        if (IS_ERR(gss_msg)) {
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index e7a96e478f63..8d83f9d48713 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -1508,7 +1508,10 @@ call_timeout(struct rpc_task *task)
                if (clnt->cl_chatty)
                        printk(KERN_NOTICE "%s: server %s not responding, timed out\n",
                                clnt->cl_protname, clnt->cl_server);
-                rpc_exit(task, -EIO);
+                if (task->tk_flags & RPC_TASK_TIMEOUT)
+                        rpc_exit(task, -ETIMEDOUT);
+                else
+                        rpc_exit(task, -EIO);
                return;
        }
diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
index 9494c3767356..ce5eb68a9664 100644
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -906,6 +906,7 @@ void xprt_transmit(struct rpc_task *task)
        }
        dprintk("RPC: %5u xmit complete\n", task->tk_pid);
+        task->tk_flags |= RPC_TASK_SENT;
        spin_lock_bh(&xprt->transport_lock);
        xprt->ops->set_retrans_timeout(task);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 3a43a8304768..b1d75beb7e20 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -524,6 +524,8 @@ static int unix_dgram_connect(struct socket *, struct sockaddr *,
                              int, int);
 static int unix_seqpacket_sendmsg(struct kiocb *, struct socket *,
                                  struct msghdr *, size_t);
+static int unix_seqpacket_recvmsg(struct kiocb *, struct socket *,
+                                  struct msghdr *, size_t, int);
 static const struct proto_ops unix_stream_ops = {
        .family =       PF_UNIX,
@@ -583,7 +585,7 @@ static const struct proto_ops unix_seqpacket_ops = {
        .setsockopt =   sock_no_setsockopt,
        .getsockopt =   sock_no_getsockopt,
        .sendmsg =      unix_seqpacket_sendmsg,
-        .recvmsg =      unix_dgram_recvmsg,
+        .recvmsg =      unix_seqpacket_recvmsg,
        .mmap =         sock_no_mmap,
        .sendpage =     sock_no_sendpage,
 };
@@ -1699,6 +1701,18 @@ static int unix_seqpacket_sendmsg(struct kiocb *kiocb, struct socket *sock,
        return unix_dgram_sendmsg(kiocb, sock, msg, len);
 }
+static int unix_seqpacket_recvmsg(struct kiocb *iocb, struct socket *sock,
+                              struct msghdr *msg, size_t size,
+                              int flags)
+{
+        struct sock *sk = sock->sk;
+        if (sk->sk_state != TCP_ESTABLISHED)
+                return -ENOTCONN;
+        return unix_dgram_recvmsg(iocb, sock, msg, size, flags);
+}
 static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
 {
        struct unix_sock *u = unix_sk(sk);
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 15792d8b6272..b4d745ea8ee1 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1406,6 +1406,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
        struct net *net = xp_net(policy);
        unsigned long now = jiffies;
        struct net_device *dev;
+        struct xfrm_mode *inner_mode;
        struct dst_entry *dst_prev = NULL;
        struct dst_entry *dst0 = NULL;
        int i = 0;
@@ -1436,6 +1437,17 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                        goto put_states;
                }
+                if (xfrm[i]->sel.family == AF_UNSPEC) {
+                        inner_mode = xfrm_ip2inner_mode(xfrm[i],
+                                                        xfrm_af2proto(family));
+                        if (!inner_mode) {
+                                err = -EAFNOSUPPORT;
+                                dst_release(dst);
+                                goto put_states;
+                        }
+                } else
+                        inner_mode = xfrm[i]->inner_mode;
                if (!dst_prev)
                        dst0 = dst1;
                else {
@@ -1464,7 +1476,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                dst1->lastuse = now;
                dst1->input = dst_discard;
-                dst1->output = xfrm[i]->outer_mode->afinfo->output;
+                dst1->output = inner_mode->afinfo->output;
                dst1->next = dst_prev;
                dst_prev = dst1;
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index f218385950ca..47f1b8638df9 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -532,9 +532,12 @@ int xfrm_init_replay(struct xfrm_state *x)
        if (replay_esn) {
                if (replay_esn->replay_window >
-                    replay_esn->bmp_len * sizeof(__u32))
+                    replay_esn->bmp_len * sizeof(__u32) * 8)
                        return -EINVAL;
+        if ((x->props.flags & XFRM_STATE_ESN) && replay_esn->replay_window == 0)
+                return -EINVAL;
        if ((x->props.flags & XFRM_STATE_ESN) && x->replay_esn)
                x->repl = &xfrm_replay_esn;
        else
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 5d1d60d3ca83..c658cb3bc7c3 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -124,6 +124,9 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
 {
        struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
+        if ((p->flags & XFRM_STATE_ESN) && !rt)
+                return -EINVAL;
        if (!rt)
                return 0;