43 files changed, 391 insertions, 223 deletions
diff --git a/net/802/mrp.c b/net/802/mrp.c
index a4cc3229952a..e085bcc754f6 100644
--- a/net/802/mrp.c
+++ b/net/802/mrp.c
@@ -870,8 +870,12 @@ void mrp_uninit_applicant(struct net_device *dev, struct mrp_application *appl)
         * all pending messages before the applicant is gone.
         */
        del_timer_sync(&app->join_timer);
+        spin_lock(&app->lock);
        mrp_mad_event(app, MRP_EVENT_TX);
        mrp_pdu_queue(app);
+        spin_unlock(&app->lock);
        mrp_queue_xmit(app);
        dev_mc_del(dev, appl->group_address);
diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c
index 6277735cd89e..3e30a0f1b908 100644
--- a/net/batman-adv/main.c
+++ b/net/batman-adv/main.c
@@ -177,7 +177,13 @@ void batadv_mesh_free(struct net_device *soft_iface)
        atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE);
 }
-int batadv_is_my_mac(const uint8_t *addr)
+/**
+ * batadv_is_my_mac - check if the given mac address belongs to any of the real
+ * interfaces in the current mesh
+ * @bat_priv: the bat priv with all the soft interface information
+ * @addr: the address to check
+ */
+int batadv_is_my_mac(struct batadv_priv *bat_priv, const uint8_t *addr)
 {
        const struct batadv_hard_iface *hard_iface;
@@ -186,6 +192,9 @@ int batadv_is_my_mac(const uint8_t *addr)
                if (hard_iface->if_status != BATADV_IF_ACTIVE)
                        continue;
+                if (hard_iface->soft_iface != bat_priv->soft_iface)
+                        continue;
                if (batadv_compare_eth(hard_iface->net_dev->dev_addr, addr)) {
                        rcu_read_unlock();
                        return 1;
diff --git a/net/batman-adv/main.h b/net/batman-adv/main.h
index f90f5bc8e426..59a0d6af15c8 100644
--- a/net/batman-adv/main.h
+++ b/net/batman-adv/main.h
@@ -165,7 +165,7 @@ extern struct workqueue_struct *batadv_event_workqueue;
 int batadv_mesh_init(struct net_device *soft_iface);
 void batadv_mesh_free(struct net_device *soft_iface);
-int batadv_is_my_mac(const uint8_t *addr);
+int batadv_is_my_mac(struct batadv_priv *bat_priv, const uint8_t *addr);
 struct batadv_hard_iface *
 batadv_seq_print_text_primary_if_get(struct seq_file *seq);
 int batadv_batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c
index 6b9a54485314..f7c54305a918 100644
--- a/net/batman-adv/network-coding.c
+++ b/net/batman-adv/network-coding.c
@@ -1484,7 +1484,7 @@ void batadv_nc_skb_store_sniffed_unicast(struct batadv_priv *bat_priv,
 {
        struct ethhdr *ethhdr = (struct ethhdr *)skb_mac_header(skb);
-        if (batadv_is_my_mac(ethhdr->h_dest))
+        if (batadv_is_my_mac(bat_priv, ethhdr->h_dest))
                return;
        /* Set data pointer to MAC header to mimic packets from our tx path */
@@ -1496,6 +1496,7 @@ void batadv_nc_skb_store_sniffed_unicast(struct batadv_priv *bat_priv,
 /**
 * batadv_nc_skb_decode_packet - decode given skb using the decode data stored
 *  in nc_packet
+ * @bat_priv: the bat priv with all the soft interface information
 * @skb: unicast skb to decode
 * @nc_packet: decode data needed to decode the skb
 *
@@ -1503,7 +1504,7 @@ void batadv_nc_skb_store_sniffed_unicast(struct batadv_priv *bat_priv,
 * in case of an error.
 */
 static struct batadv_unicast_packet *
-batadv_nc_skb_decode_packet(struct sk_buff *skb,
+batadv_nc_skb_decode_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
                            struct batadv_nc_packet *nc_packet)
 {
        const int h_size = sizeof(struct batadv_unicast_packet);
@@ -1537,7 +1538,7 @@ batadv_nc_skb_decode_packet(struct sk_buff *skb,
        /* Select the correct unicast header information based on the location
         * of our mac address in the coded_packet header
         */
-        if (batadv_is_my_mac(coded_packet_tmp.second_dest)) {
+        if (batadv_is_my_mac(bat_priv, coded_packet_tmp.second_dest)) {
                /* If we are the second destination the packet was overheard,
                 * so the Ethernet address must be copied to h_dest and
                 * pkt_type changed from PACKET_OTHERHOST to PACKET_HOST
@@ -1608,7 +1609,7 @@ batadv_nc_find_decoding_packet(struct batadv_priv *bat_priv,
        /* Select the correct packet id based on the location of our mac-addr */
        dest = ethhdr->h_source;
-        if (!batadv_is_my_mac(coded->second_dest)) {
+        if (!batadv_is_my_mac(bat_priv, coded->second_dest)) {
                source = coded->second_source;
                packet_id = coded->second_crc;
        } else {
@@ -1675,12 +1676,12 @@ static int batadv_nc_recv_coded_packet(struct sk_buff *skb,
        ethhdr = (struct ethhdr *)skb_mac_header(skb);
        /* Verify frame is destined for us */
-        if (!batadv_is_my_mac(ethhdr->h_dest) &&
+        if (!batadv_is_my_mac(bat_priv, ethhdr->h_dest) &&
-            !batadv_is_my_mac(coded_packet->second_dest))
+            !batadv_is_my_mac(bat_priv, coded_packet->second_dest))
                return NET_RX_DROP;
        /* Update stat counter */
-        if (batadv_is_my_mac(coded_packet->second_dest))
+        if (batadv_is_my_mac(bat_priv, coded_packet->second_dest))
                batadv_inc_counter(bat_priv, BATADV_CNT_NC_SNIFFED);
        nc_packet = batadv_nc_find_decoding_packet(bat_priv, ethhdr,
@@ -1698,7 +1699,7 @@ static int batadv_nc_recv_coded_packet(struct sk_buff *skb,
                goto free_nc_packet;
        /* Decode the packet */
-        unicast_packet = batadv_nc_skb_decode_packet(skb, nc_packet);
+        unicast_packet = batadv_nc_skb_decode_packet(bat_priv, skb, nc_packet);
        if (!unicast_packet) {
                batadv_inc_counter(bat_priv, BATADV_CNT_NC_DECODE_FAILED);
                goto free_nc_packet;
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 8f88967ff14b..2f1f88923df8 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -403,7 +403,7 @@ int batadv_recv_icmp_packet(struct sk_buff *skb,
                goto out;
        /* not for me */
-        if (!batadv_is_my_mac(ethhdr->h_dest))
+        if (!batadv_is_my_mac(bat_priv, ethhdr->h_dest))
                goto out;
        icmp_packet = (struct batadv_icmp_packet_rr *)skb->data;
@@ -417,7 +417,7 @@ int batadv_recv_icmp_packet(struct sk_buff *skb,
        }
        /* packet for me */
-        if (batadv_is_my_mac(icmp_packet->dst))
+        if (batadv_is_my_mac(bat_priv, icmp_packet->dst))
                return batadv_recv_my_icmp_packet(bat_priv, skb, hdr_size);
        /* TTL exceeded */
@@ -551,6 +551,7 @@ batadv_find_ifalter_router(struct batadv_orig_node *primary_orig,
 /**
 * batadv_check_unicast_packet - Check for malformed unicast packets
+ * @bat_priv: the bat priv with all the soft interface information
 * @skb: packet to check
 * @hdr_size: size of header to pull
 *
@@ -559,7 +560,8 @@ batadv_find_ifalter_router(struct batadv_orig_node *primary_orig,
 * reason: -ENODATA for bad header, -EBADR for broadcast destination or source,
 * and -EREMOTE for non-local (other host) destination.
 */
-static int batadv_check_unicast_packet(struct sk_buff *skb, int hdr_size)
+static int batadv_check_unicast_packet(struct batadv_priv *bat_priv,
+                                       struct sk_buff *skb, int hdr_size)
 {
        struct ethhdr *ethhdr;
@@ -578,7 +580,7 @@ static int batadv_check_unicast_packet(struct sk_buff *skb, int hdr_size)
                return -EBADR;
        /* not for me */
-        if (!batadv_is_my_mac(ethhdr->h_dest))
+        if (!batadv_is_my_mac(bat_priv, ethhdr->h_dest))
                return -EREMOTE;
        return 0;
@@ -593,7 +595,7 @@ int batadv_recv_tt_query(struct sk_buff *skb, struct batadv_hard_iface *recv_if)
        char tt_flag;
        size_t packet_size;
-        if (batadv_check_unicast_packet(skb, hdr_size) < 0)
+        if (batadv_check_unicast_packet(bat_priv, skb, hdr_size) < 0)
                return NET_RX_DROP;
        /* I could need to modify it */
@@ -625,7 +627,7 @@ int batadv_recv_tt_query(struct sk_buff *skb, struct batadv_hard_iface *recv_if)
        case BATADV_TT_RESPONSE:
                batadv_inc_counter(bat_priv, BATADV_CNT_TT_RESPONSE_RX);
-                if (batadv_is_my_mac(tt_query->dst)) {
+                if (batadv_is_my_mac(bat_priv, tt_query->dst)) {
                        /* packet needs to be linearized to access the TT
                         * changes
                         */
@@ -668,14 +670,15 @@ int batadv_recv_roam_adv(struct sk_buff *skb, struct batadv_hard_iface *recv_if)
        struct batadv_roam_adv_packet *roam_adv_packet;
        struct batadv_orig_node *orig_node;
-        if (batadv_check_unicast_packet(skb, sizeof(*roam_adv_packet)) < 0)
+        if (batadv_check_unicast_packet(bat_priv, skb,
+                                        sizeof(*roam_adv_packet)) < 0)
                goto out;
        batadv_inc_counter(bat_priv, BATADV_CNT_TT_ROAM_ADV_RX);
        roam_adv_packet = (struct batadv_roam_adv_packet *)skb->data;
-        if (!batadv_is_my_mac(roam_adv_packet->dst))
+        if (!batadv_is_my_mac(bat_priv, roam_adv_packet->dst))
                return batadv_route_unicast_packet(skb, recv_if);
        /* check if it is a backbone gateway. we don't accept
@@ -981,7 +984,7 @@ static int batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
         * last time) the packet had an updated information or not
         */
        curr_ttvn = (uint8_t)atomic_read(&bat_priv->tt.vn);
-        if (!batadv_is_my_mac(unicast_packet->dest)) {
+        if (!batadv_is_my_mac(bat_priv, unicast_packet->dest)) {
                orig_node = batadv_orig_hash_find(bat_priv,
                                                  unicast_packet->dest);
                /* if it is not possible to find the orig_node representing the
@@ -1059,7 +1062,7 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
                hdr_size = sizeof(*unicast_4addr_packet);
        /* function returns -EREMOTE for promiscuous packets */
-        check = batadv_check_unicast_packet(skb, hdr_size);
+        check = batadv_check_unicast_packet(bat_priv, skb, hdr_size);
        /* Even though the packet is not for us, we might save it to use for
         * decoding a later received coded packet
@@ -1074,7 +1077,7 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
                return NET_RX_DROP;
        /* packet for me */
-        if (batadv_is_my_mac(unicast_packet->dest)) {
+        if (batadv_is_my_mac(bat_priv, unicast_packet->dest)) {
                if (is4addr) {
                        batadv_dat_inc_counter(bat_priv,
                                               unicast_4addr_packet->subtype);
@@ -1111,7 +1114,7 @@ int batadv_recv_ucast_frag_packet(struct sk_buff *skb,
        struct sk_buff *new_skb = NULL;
        int ret;
-        if (batadv_check_unicast_packet(skb, hdr_size) < 0)
+        if (batadv_check_unicast_packet(bat_priv, skb, hdr_size) < 0)
                return NET_RX_DROP;
        if (!batadv_check_unicast_ttvn(bat_priv, skb))
@@ -1120,7 +1123,7 @@ int batadv_recv_ucast_frag_packet(struct sk_buff *skb,
        unicast_packet = (struct batadv_unicast_frag_packet *)skb->data;
        /* packet for me */
-        if (batadv_is_my_mac(unicast_packet->dest)) {
+        if (batadv_is_my_mac(bat_priv, unicast_packet->dest)) {
                ret = batadv_frag_reassemble_skb(skb, bat_priv, &new_skb);
                if (ret == NET_RX_DROP)
@@ -1174,13 +1177,13 @@ int batadv_recv_bcast_packet(struct sk_buff *skb,
                goto out;
        /* ignore broadcasts sent by myself */
-        if (batadv_is_my_mac(ethhdr->h_source))
+        if (batadv_is_my_mac(bat_priv, ethhdr->h_source))
                goto out;
        bcast_packet = (struct batadv_bcast_packet *)skb->data;
        /* ignore broadcasts originated by myself */
-        if (batadv_is_my_mac(bcast_packet->orig))
+        if (batadv_is_my_mac(bat_priv, bcast_packet->orig))
                goto out;
        if (bcast_packet->header.ttl < 2)
@@ -1266,14 +1269,14 @@ int batadv_recv_vis_packet(struct sk_buff *skb,
        ethhdr = (struct ethhdr *)skb_mac_header(skb);
        /* not for me */
-        if (!batadv_is_my_mac(ethhdr->h_dest))
+        if (!batadv_is_my_mac(bat_priv, ethhdr->h_dest))
                return NET_RX_DROP;
        /* ignore own packets */
-        if (batadv_is_my_mac(vis_packet->vis_orig))
+        if (batadv_is_my_mac(bat_priv, vis_packet->vis_orig))
                return NET_RX_DROP;
-        if (batadv_is_my_mac(vis_packet->sender_orig))
+        if (batadv_is_my_mac(bat_priv, vis_packet->sender_orig))
                return NET_RX_DROP;
        switch (vis_packet->vis_type) {
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 932232087449..5e89deeb9542 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -1940,7 +1940,7 @@ out:
 bool batadv_send_tt_response(struct batadv_priv *bat_priv,
                             struct batadv_tt_query_packet *tt_request)
 {
-        if (batadv_is_my_mac(tt_request->dst)) {
+        if (batadv_is_my_mac(bat_priv, tt_request->dst)) {
                /* don't answer backbone gws! */
                if (batadv_bla_is_backbone_gw_orig(bat_priv, tt_request->src))
                        return true;
diff --git a/net/batman-adv/vis.c b/net/batman-adv/vis.c
index 962ccf3b8382..1625e5793a89 100644
--- a/net/batman-adv/vis.c
+++ b/net/batman-adv/vis.c
@@ -477,7 +477,7 @@ void batadv_receive_client_update_packet(struct batadv_priv *bat_priv,
        /* Are we the target for this VIS packet? */
        if (vis_server == BATADV_VIS_TYPE_SERVER_SYNC   &&
-            batadv_is_my_mac(vis_packet->target_orig))
+            batadv_is_my_mac(bat_priv, vis_packet->target_orig))
                are_target = 1;
        spin_lock_bh(&bat_priv->vis.hash_lock);
@@ -496,7 +496,7 @@ void batadv_receive_client_update_packet(struct batadv_priv *bat_priv,
                batadv_send_list_add(bat_priv, info);
                /* ... we're not the recipient (and thus need to forward). */
-        } else if (!batadv_is_my_mac(packet->target_orig)) {
+        } else if (!batadv_is_my_mac(bat_priv, packet->target_orig)) {
                batadv_send_list_add(bat_priv, info);
        }
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index f17fcb3097c2..4cdba60926ff 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -67,7 +67,8 @@ void br_port_carrier_check(struct net_bridge_port *p)
        struct net_device *dev = p->dev;
        struct net_bridge *br = p->br;
-        if (netif_running(dev) && netif_oper_up(dev))
+        if (!(p->flags & BR_ADMIN_COST) &&
+            netif_running(dev) && netif_oper_up(dev))
                p->path_cost = port_cost(dev);
        if (!netif_running(br->dev))
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 3cbf5beb3d4b..d2c043a857b6 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -156,6 +156,7 @@ struct net_bridge_port
 #define BR_BPDU_GUARD           0x00000002
 #define BR_ROOT_BLOCK           0x00000004
 #define BR_MULTICAST_FAST_LEAVE 0x00000008
+#define BR_ADMIN_COST           0x00000010
 #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
        u32                             multicast_startup_queries_sent;
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index 0bdb4ebd362b..d45e760141bb 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -288,6 +288,7 @@ int br_stp_set_path_cost(struct net_bridge_port *p, unsigned long path_cost)
            path_cost > BR_MAX_PATH_COST)
                return -ERANGE;
+        p->flags |= BR_ADMIN_COST;
        p->path_cost = path_cost;
        br_configuration_update(p->br);
        br_port_state_selection(p->br);
diff --git a/net/can/gw.c b/net/can/gw.c
index 2dc619db805a..3ee690e8c7d3 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -466,7 +466,7 @@ static int cgw_notifier(struct notifier_block *nb,
                        if (gwj->src.dev == dev || gwj->dst.dev == dev) {
                                hlist_del(&gwj->list);
                                cgw_unregister_filter(gwj);
-                                kfree(gwj);
+                                kmem_cache_free(cgw_cache, gwj);
                        }
                }
        }
@@ -863,7 +863,7 @@ static void cgw_remove_all_jobs(void)
        hlist_for_each_entry_safe(gwj, nx, &cgw_list, list) {
                hlist_del(&gwj->list);
                cgw_unregister_filter(gwj);
-                kfree(gwj);
+                kmem_cache_free(cgw_cache, gwj);
        }
 }
@@ -919,7 +919,7 @@ static int cgw_remove_job(struct sk_buff *skb,  struct nlmsghdr *nlh)
                hlist_del(&gwj->list);
                cgw_unregister_filter(gwj);
-                kfree(gwj);
+                kmem_cache_free(cgw_cache, gwj);
                err = 0;
                break;
        }
diff --git a/net/core/dev.c b/net/core/dev.c
index 8a3cb2c50fbf..9e26b8d9eafe 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2146,6 +2146,9 @@ static void skb_warn_bad_offload(const struct sk_buff *skb)
        struct net_device *dev = skb->dev;
        const char *driver = "";
+        if (!net_ratelimit())
+                return;
        if (dev && dev->dev.parent)
                driver = dev_driver_string(dev->dev.parent);
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 589d0abb34a0..18af08a73f0a 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1046,7 +1046,7 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
        rcu_read_lock();
        cb->seq = net->dev_base_seq;
-        if (nlmsg_parse(cb->nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX,
+        if (nlmsg_parse(cb->nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX,
                        ifla_policy) >= 0) {
                if (tb[IFLA_EXT_MASK])
@@ -1896,7 +1896,7 @@ static u16 rtnl_calcit(struct sk_buff *skb, struct nlmsghdr *nlh)
        u32 ext_filter_mask = 0;
        u16 min_ifinfo_dump_size = 0;
-        if (nlmsg_parse(nlh, sizeof(struct rtgenmsg), tb, IFLA_MAX,
+        if (nlmsg_parse(nlh, sizeof(struct ifinfomsg), tb, IFLA_MAX,
                        ifla_policy) >= 0) {
                if (tb[IFLA_EXT_MASK])
                        ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]);
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 2759dfd576ae..dfc39d4d48b7 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -587,13 +587,16 @@ static void check_lifetime(struct work_struct *work)
 {
        unsigned long now, next, next_sec, next_sched;
        struct in_ifaddr *ifa;
+        struct hlist_node *n;
        int i;
        now = jiffies;
        next = round_jiffies_up(now + ADDR_CHECK_FREQUENCY);
-        rcu_read_lock();
        for (i = 0; i < IN4_ADDR_HSIZE; i++) {
+                bool change_needed = false;
+                rcu_read_lock();
                hlist_for_each_entry_rcu(ifa, &inet_addr_lst[i], hash) {
                        unsigned long age;
@@ -606,16 +609,7 @@ static void check_lifetime(struct work_struct *work)
                        if (ifa->ifa_valid_lft != INFINITY_LIFE_TIME &&
                            age >= ifa->ifa_valid_lft) {
-                                struct in_ifaddr **ifap ;
+                                change_needed = true;
-                                rtnl_lock();
-                                for (ifap = &ifa->ifa_dev->ifa_list;
-                                     *ifap != NULL; ifap = &ifa->ifa_next) {
-                                        if (*ifap == ifa)
-                                                inet_del_ifa(ifa->ifa_dev,
-                                                             ifap, 1);
-                                }
-                                rtnl_unlock();
                        } else if (ifa->ifa_preferred_lft ==
                                   INFINITY_LIFE_TIME) {
                                continue;
@@ -625,10 +619,8 @@ static void check_lifetime(struct work_struct *work)
                                        next = ifa->ifa_tstamp +
                                               ifa->ifa_valid_lft * HZ;
-                                if (!(ifa->ifa_flags & IFA_F_DEPRECATED)) {
+                                if (!(ifa->ifa_flags & IFA_F_DEPRECATED))
-                                        ifa->ifa_flags |= IFA_F_DEPRECATED;
+                                        change_needed = true;
-                                        rtmsg_ifa(RTM_NEWADDR, ifa, NULL, 0);
-                                }
                        } else if (time_before(ifa->ifa_tstamp +
                                               ifa->ifa_preferred_lft * HZ,
                                               next)) {
@@ -636,8 +628,42 @@ static void check_lifetime(struct work_struct *work)
                                       ifa->ifa_preferred_lft * HZ;
                        }
                }
+                rcu_read_unlock();
+                if (!change_needed)
+                        continue;
+                rtnl_lock();
+                hlist_for_each_entry_safe(ifa, n, &inet_addr_lst[i], hash) {
+                        unsigned long age;
+                        if (ifa->ifa_flags & IFA_F_PERMANENT)
+                                continue;
+                        /* We try to batch several events at once. */
+                        age = (now - ifa->ifa_tstamp +
+                               ADDRCONF_TIMER_FUZZ_MINUS) / HZ;
+                        if (ifa->ifa_valid_lft != INFINITY_LIFE_TIME &&
+                            age >= ifa->ifa_valid_lft) {
+                                struct in_ifaddr **ifap;
+                                for (ifap = &ifa->ifa_dev->ifa_list;
+                                     *ifap != NULL; ifap = &(*ifap)->ifa_next) {
+                                        if (*ifap == ifa) {
+                                                inet_del_ifa(ifa->ifa_dev,
+                                                             ifap, 1);
+                                                break;
+                                        }
+                                }
+                        } else if (ifa->ifa_preferred_lft !=
+                                   INFINITY_LIFE_TIME &&
+                                   age >= ifa->ifa_preferred_lft &&
+                                   !(ifa->ifa_flags & IFA_F_DEPRECATED)) {
+                                ifa->ifa_flags |= IFA_F_DEPRECATED;
+                                rtmsg_ifa(RTM_NEWADDR, ifa, NULL, 0);
+                        }
+                }
+                rtnl_unlock();
        }
-        rcu_read_unlock();
        next_sec = round_jiffies_up(next);
        next_sched = next;
@@ -804,6 +830,8 @@ static int inet_rtm_newaddr(struct sk_buff *skb, struct nlmsghdr *nlh)
                        return -EEXIST;
                ifa = ifa_existing;
                set_ifa_lifetime(ifa, valid_lft, prefered_lft);
+                cancel_delayed_work(&check_lifetime_work);
+                schedule_delayed_work(&check_lifetime_work, 0);
                rtmsg_ifa(RTM_NEWADDR, ifa, nlh, NETLINK_CB(skb).portid);
                blocking_notifier_call_chain(&inetaddr_chain, NETDEV_UP, ifa);
        }
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 3b4f0cd2e63e..4cfe34d4cc96 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -139,8 +139,6 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
        /* skb is pure payload to encrypt */
-        err = -ENOMEM;
        esp = x->data;
        aead = esp->aead;
        alen = crypto_aead_authsize(aead);
@@ -176,8 +174,10 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
        }
        tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen);
-        if (!tmp)
+        if (!tmp) {
+                err = -ENOMEM;
                goto error;
+        }
        seqhi = esp_tmp_seqhi(tmp);
        iv = esp_tmp_iv(aead, tmp, seqhilen);
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 938520668b2f..b66910aaef4d 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -219,8 +219,7 @@ static void ip_expire(unsigned long arg)
                if (!head->dev)
                        goto out_rcu_unlock;
-                /* skb dst is stale, drop it, and perform route lookup again */
+                /* skb has no dst, perform route lookup again */
-                skb_dst_drop(head);
                iph = ip_hdr(head);
                err = ip_route_input_noref(head, iph->daddr, iph->saddr,
                                           iph->tos, head->dev);
@@ -494,9 +493,16 @@ found:
                qp->q.max_size = skb->len + ihl;
        if (qp->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
-            qp->q.meat == qp->q.len)
+            qp->q.meat == qp->q.len) {
-                return ip_frag_reasm(qp, prev, dev);
+                unsigned long orefdst = skb->_skb_refdst;
+                skb->_skb_refdst = 0UL;
+                err = ip_frag_reasm(qp, prev, dev);
+                skb->_skb_refdst = orefdst;
+                return err;
+        }
+        skb_dst_drop(skb);
        inet_frag_lru_move(&qp->q);
        return -EINPROGRESS;
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index c30130062cd6..c49dcd0284a0 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -66,6 +66,12 @@ static bool rpfilter_lookup_reverse(struct flowi4 *fl4,
        return dev_match;
 }
+static bool rpfilter_is_local(const struct sk_buff *skb)
+{
+        const struct rtable *rt = skb_rtable(skb);
+        return rt && (rt->rt_flags & RTCF_LOCAL);
+}
 static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_rpfilter_info *info;
@@ -76,7 +82,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
        info = par->matchinfo;
        invert = info->flags & XT_RPFILTER_INVERT;
-        if (par->in->flags & IFF_LOOPBACK)
+        if (rpfilter_is_local(skb))
                return true ^ invert;
        iph = ip_hdr(skb);
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 7f4a5cb8f8d0..b05c96e7af8b 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -348,8 +348,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
         * hasn't changed since we received the original syn, but I see
         * no easy way to do this.
         */
-        flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
+        flowi4_init_output(&fl4, sk->sk_bound_dev_if, sk->sk_mark,
-                           RT_SCOPE_UNIVERSE, IPPROTO_TCP,
+                           RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP,
                           inet_sk_flowi_flags(sk),
                           (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
                           ireq->loc_addr, th->source, th->dest);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 6d9ca35f0c35..aafd052865ba 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -111,6 +111,7 @@ int sysctl_tcp_early_retrans __read_mostly = 3;
 #define FLAG_SND_UNA_ADVANCED   0x400 /* Snd_una was changed (!= FLAG_DATA_ACKED) */
 #define FLAG_DSACKING_ACK       0x800 /* SACK blocks contained D-SACK info */
 #define FLAG_SACK_RENEGING      0x2000 /* snd_una advanced to a sacked seq */
+#define FLAG_UPDATE_TS_RECENT   0x4000 /* tcp_replace_ts_recent() */
 #define FLAG_ACKED              (FLAG_DATA_ACKED|FLAG_SYN_ACKED)
 #define FLAG_NOT_DUP            (FLAG_DATA|FLAG_WIN_UPDATE|FLAG_ACKED)
@@ -3265,6 +3266,27 @@ static void tcp_send_challenge_ack(struct sock *sk)
        }
 }
+static void tcp_store_ts_recent(struct tcp_sock *tp)
+{
+        tp->rx_opt.ts_recent = tp->rx_opt.rcv_tsval;
+        tp->rx_opt.ts_recent_stamp = get_seconds();
+}
+static void tcp_replace_ts_recent(struct tcp_sock *tp, u32 seq)
+{
+        if (tp->rx_opt.saw_tstamp && !after(seq, tp->rcv_wup)) {
+                /* PAWS bug workaround wrt. ACK frames, the PAWS discard
+                 * extra check below makes sure this can only happen
+                 * for pure ACK frames.  -DaveM
+                 *
+                 * Not only, also it occurs for expired timestamps.
+                 */
+                if (tcp_paws_check(&tp->rx_opt, 0))
+                        tcp_store_ts_recent(tp);
+        }
+}
 /* This routine deals with acks during a TLP episode.
 * Ref: loss detection algorithm in draft-dukkipati-tcpm-tcp-loss-probe.
 */
@@ -3340,6 +3362,12 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
        prior_fackets = tp->fackets_out;
        prior_in_flight = tcp_packets_in_flight(tp);
+        /* ts_recent update must be made after we are sure that the packet
+         * is in window.
+         */
+        if (flag & FLAG_UPDATE_TS_RECENT)
+                tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
        if (!(flag & FLAG_SLOWPATH) && after(ack, prior_snd_una)) {
                /* Window is constant, pure forward advance.
                 * No more checks are required.
@@ -3636,27 +3664,6 @@ const u8 *tcp_parse_md5sig_option(const struct tcphdr *th)
 EXPORT_SYMBOL(tcp_parse_md5sig_option);
 #endif
-static inline void tcp_store_ts_recent(struct tcp_sock *tp)
-{
-        tp->rx_opt.ts_recent = tp->rx_opt.rcv_tsval;
-        tp->rx_opt.ts_recent_stamp = get_seconds();
-}
-static inline void tcp_replace_ts_recent(struct tcp_sock *tp, u32 seq)
-{
-        if (tp->rx_opt.saw_tstamp && !after(seq, tp->rcv_wup)) {
-                /* PAWS bug workaround wrt. ACK frames, the PAWS discard
-                 * extra check below makes sure this can only happen
-                 * for pure ACK frames.  -DaveM
-                 *
-                 * Not only, also it occurs for expired timestamps.
-                 */
-                if (tcp_paws_check(&tp->rx_opt, 0))
-                        tcp_store_ts_recent(tp);
-        }
-}
 /* Sorry, PAWS as specified is broken wrt. pure-ACKs -DaveM
 *
 * It is not fatal. If this ACK does _not_ change critical state (seqs, window)
@@ -5250,14 +5257,9 @@ slow_path:
                return 0;
 step5:
-        if (tcp_ack(sk, skb, FLAG_SLOWPATH) < 0)
+        if (tcp_ack(sk, skb, FLAG_SLOWPATH | FLAG_UPDATE_TS_RECENT) < 0)
                goto discard;
-        /* ts_recent update must be made after we are sure that the packet
-         * is in window.
-         */
-        tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
        tcp_rcv_rtt_measure_ts(sk, skb);
        /* Process urgent data. */
@@ -5666,7 +5668,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
        /* step 5: check the ACK field */
        if (true) {
-                int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH) > 0;
+                int acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH |
+                                                  FLAG_UPDATE_TS_RECENT) > 0;
                switch (sk->sk_state) {
                case TCP_SYN_RECV:
@@ -5817,11 +5820,6 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
                }
        }
-        /* ts_recent update must be made after we are sure that the packet
-         * is in window.
-         */
-        tcp_replace_ts_recent(tp, TCP_SKB_CB(skb)->seq);
        /* step 6: check the URG bit */
        tcp_urg(sk, skb, th);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 5f28131eb37e..b735c23a961d 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2353,8 +2353,12 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
         */
        TCP_SKB_CB(skb)->when = tcp_time_stamp;
-        /* make sure skb->data is aligned on arches that require it */
+        /* make sure skb->data is aligned on arches that require it
-        if (unlikely(NET_IP_ALIGN && ((unsigned long)skb->data & 3))) {
+         * and check if ack-trimming & collapsing extended the headroom
+         * beyond what csum_start can cover.
+         */
+        if (unlikely((NET_IP_ALIGN && ((unsigned long)skb->data & 3)) ||
+                     skb_headroom(skb) >= 0xFFFF)) {
                struct sk_buff *nskb = __pskb_copy(skb, MAX_TCP_HEADER,
                                                   GFP_ATOMIC);
                return nskb ? tcp_transmit_skb(sk, nskb, 0, GFP_ATOMIC) :
@@ -2666,6 +2670,7 @@ struct sk_buff *tcp_make_synack(struct sock *sk, struct dst_entry *dst,
        skb_reserve(skb, MAX_TCP_HEADER);
        skb_dst_set(skb, dst);
+        security_skb_owned_by(skb, sk);
        mss = dst_metric_advmss(dst);
        if (tp->rx_opt.user_mss && tp->rx_opt.user_mss < mss)
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 28b61e89bbb8..d1ab6ab29a55 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -169,8 +169,6 @@ static void inet6_prefix_notify(int event, struct inet6_dev *idev,
 static bool ipv6_chk_same_addr(struct net *net, const struct in6_addr *addr,
                               struct net_device *dev);
-static ATOMIC_NOTIFIER_HEAD(inet6addr_chain);
 static struct ipv6_devconf ipv6_devconf __read_mostly = {
        .forwarding             = 0,
        .hop_limit              = IPV6_DEFAULT_HOPLIMIT,
@@ -910,7 +908,7 @@ out2:
        rcu_read_unlock_bh();
        if (likely(err == 0))
-                atomic_notifier_call_chain(&inet6addr_chain, NETDEV_UP, ifa);
+                inet6addr_notifier_call_chain(NETDEV_UP, ifa);
        else {
                kfree(ifa);
                ifa = ERR_PTR(err);
@@ -1000,7 +998,7 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
        ipv6_ifa_notify(RTM_DELADDR, ifp);
-        atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifp);
+        inet6addr_notifier_call_chain(NETDEV_DOWN, ifp);
        /*
         * Purge or update corresponding prefix
@@ -3087,7 +3085,7 @@ static int addrconf_ifdown(struct net_device *dev, int how)
                if (state != INET6_IFADDR_STATE_DEAD) {
                        __ipv6_ifa_notify(RTM_DELADDR, ifa);
-                        atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifa);
+                        inet6addr_notifier_call_chain(NETDEV_DOWN, ifa);
                }
                in6_ifa_put(ifa);
@@ -5054,22 +5052,6 @@ static struct pernet_operations addrconf_ops = {
        .exit = addrconf_exit_net,
 };
-/*
- *      Device notifier
- */
-int register_inet6addr_notifier(struct notifier_block *nb)
-{
-        return atomic_notifier_chain_register(&inet6addr_chain, nb);
-}
-EXPORT_SYMBOL(register_inet6addr_notifier);
-int unregister_inet6addr_notifier(struct notifier_block *nb)
-{
-        return atomic_notifier_chain_unregister(&inet6addr_chain, nb);
-}
-EXPORT_SYMBOL(unregister_inet6addr_notifier);
 static struct rtnl_af_ops inet6_ops = {
        .family           = AF_INET6,
        .fill_link_af     = inet6_fill_link_af,
diff --git a/net/ipv6/addrconf_core.c b/net/ipv6/addrconf_core.c
index d051e5f4bf34..72104562c864 100644
--- a/net/ipv6/addrconf_core.c
+++ b/net/ipv6/addrconf_core.c
@@ -78,3 +78,22 @@ int __ipv6_addr_type(const struct in6_addr *addr)
 }
 EXPORT_SYMBOL(__ipv6_addr_type);
+static ATOMIC_NOTIFIER_HEAD(inet6addr_chain);
+int register_inet6addr_notifier(struct notifier_block *nb)
+{
+        return atomic_notifier_chain_register(&inet6addr_chain, nb);
+}
+EXPORT_SYMBOL(register_inet6addr_notifier);
+int unregister_inet6addr_notifier(struct notifier_block *nb)
+{
+        return atomic_notifier_chain_unregister(&inet6addr_chain, nb);
+}
+EXPORT_SYMBOL(unregister_inet6addr_notifier);
+int inet6addr_notifier_call_chain(unsigned long val, void *v)
+{
+        return atomic_notifier_call_chain(&inet6addr_chain, val, v);
+}
+EXPORT_SYMBOL(inet6addr_notifier_call_chain);
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index 5060d54199ab..e0983f3648a6 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -71,6 +71,12 @@ static bool rpfilter_lookup_reverse6(const struct sk_buff *skb,
        return ret;
 }
+static bool rpfilter_is_local(const struct sk_buff *skb)
+{
+        const struct rt6_info *rt = (const void *) skb_dst(skb);
+        return rt && (rt->rt6i_flags & RTF_LOCAL);
+}
 static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_rpfilter_info *info = par->matchinfo;
@@ -78,7 +84,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
        struct ipv6hdr *iph;
        bool invert = info->flags & XT_RPFILTER_INVERT;
-        if (par->in->flags & IFF_LOOPBACK)
+        if (rpfilter_is_local(skb))
                return true ^ invert;
        iph = ipv6_hdr(skb);
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index e6e44cef8db2..790d9f4b8b0b 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -342,9 +342,17 @@ found:
        }
        if (fq->q.last_in == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) &&
-            fq->q.meat == fq->q.len)
+            fq->q.meat == fq->q.len) {
-                return ip6_frag_reasm(fq, prev, dev);
+                int res;
+                unsigned long orefdst = skb->_skb_refdst;
+                skb->_skb_refdst = 0UL;
+                res = ip6_frag_reasm(fq, prev, dev);
+                skb->_skb_refdst = orefdst;
+                return res;
+        }
+        skb_dst_drop(skb);
        inet_frag_lru_move(&fq->q);
        return -1;
diff --git a/net/irda/iriap.c b/net/irda/iriap.c
index 29340a9a6fb9..e1b37f5a2691 100644
--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -303,7 +303,8 @@ static void iriap_disconnect_indication(void *instance, void *sap,
 {
        struct iriap_cb *self;
-        IRDA_DEBUG(4, "%s(), reason=%s\n", __func__, irlmp_reasons[reason]);
+        IRDA_DEBUG(4, "%s(), reason=%s [%d]\n", __func__,
+                   irlmp_reason_str(reason), reason);
        self = instance;
diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c
index 6115a44c0a24..1064621da6f6 100644
--- a/net/irda/irlmp.c
+++ b/net/irda/irlmp.c
@@ -66,8 +66,15 @@ const char *irlmp_reasons[] = {
        "LM_LAP_RESET",
        "LM_INIT_DISCONNECT",
        "ERROR, NOT USED",
+        "UNKNOWN",
 };
+const char *irlmp_reason_str(LM_REASON reason)
+{
+        reason = min_t(size_t, reason, ARRAY_SIZE(irlmp_reasons) - 1);
+        return irlmp_reasons[reason];
+}
 /*
 * Function irlmp_init (void)
 *
@@ -747,7 +754,8 @@ void irlmp_disconnect_indication(struct lsap_cb *self, LM_REASON reason,
 {
        struct lsap_cb *lsap;
-        IRDA_DEBUG(1, "%s(), reason=%s\n", __func__, irlmp_reasons[reason]);
+        IRDA_DEBUG(1, "%s(), reason=%s [%d]\n", __func__,
+                   irlmp_reason_str(reason), reason);
        IRDA_ASSERT(self != NULL, return;);
        IRDA_ASSERT(self->magic == LMP_LSAP_MAGIC, return;);
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index e165e8dc962e..ae691651b721 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -49,12 +49,6 @@ static const u8 iprm_shutdown[8] =
 #define TRGCLS_SIZE     (sizeof(((struct iucv_message *)0)->class))
-/* macros to set/get socket control buffer at correct offset */
-#define CB_TAG(skb)     ((skb)->cb)             /* iucv message tag */
-#define CB_TAG_LEN      (sizeof(((struct iucv_message *) 0)->tag))
-#define CB_TRGCLS(skb)  ((skb)->cb + CB_TAG_LEN) /* iucv msg target class */
-#define CB_TRGCLS_LEN   (TRGCLS_SIZE)
 #define __iucv_sock_wait(sk, condition, timeo, ret)                     \
 do {                                                                    \
        DEFINE_WAIT(__wait);                                            \
@@ -1141,7 +1135,7 @@ static int iucv_sock_sendmsg(struct kiocb *iocb, struct socket *sock,
        /* increment and save iucv message tag for msg_completion cbk */
        txmsg.tag = iucv->send_tag++;
-        memcpy(CB_TAG(skb), &txmsg.tag, CB_TAG_LEN);
+        IUCV_SKB_CB(skb)->tag = txmsg.tag;
        if (iucv->transport == AF_IUCV_TRANS_HIPER) {
                atomic_inc(&iucv->msg_sent);
@@ -1224,7 +1218,7 @@ static int iucv_fragment_skb(struct sock *sk, struct sk_buff *skb, int len)
                        return -ENOMEM;
                /* copy target class to control buffer of new skb */
-                memcpy(CB_TRGCLS(nskb), CB_TRGCLS(skb), CB_TRGCLS_LEN);
+                IUCV_SKB_CB(nskb)->class = IUCV_SKB_CB(skb)->class;
                /* copy data fragment */
                memcpy(nskb->data, skb->data + copied, size);
@@ -1256,7 +1250,7 @@ static void iucv_process_message(struct sock *sk, struct sk_buff *skb,
        /* store msg target class in the second 4 bytes of skb ctrl buffer */
        /* Note: the first 4 bytes are reserved for msg tag */
-        memcpy(CB_TRGCLS(skb), &msg->class, CB_TRGCLS_LEN);
+        IUCV_SKB_CB(skb)->class = msg->class;
        /* check for special IPRM messages (e.g. iucv_sock_shutdown) */
        if ((msg->flags & IUCV_IPRMDATA) && len > 7) {
@@ -1292,6 +1286,7 @@ static void iucv_process_message(struct sock *sk, struct sk_buff *skb,
                }
        }
+        IUCV_SKB_CB(skb)->offset = 0;
        if (sock_queue_rcv_skb(sk, skb))
                skb_queue_head(&iucv_sk(sk)->backlog_skb_q, skb);
 }
@@ -1327,6 +1322,7 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
        unsigned int copied, rlen;
        struct sk_buff *skb, *rskb, *cskb;
        int err = 0;
+        u32 offset;
        msg->msg_namelen = 0;
@@ -1348,13 +1344,14 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
                return err;
        }
-        rlen   = skb->len;              /* real length of skb */
+        offset = IUCV_SKB_CB(skb)->offset;
+        rlen   = skb->len - offset;             /* real length of skb */
        copied = min_t(unsigned int, rlen, len);
        if (!rlen)
                sk->sk_shutdown = sk->sk_shutdown | RCV_SHUTDOWN;
        cskb = skb;
-        if (skb_copy_datagram_iovec(cskb, 0, msg->msg_iov, copied)) {
+        if (skb_copy_datagram_iovec(cskb, offset, msg->msg_iov, copied)) {
                if (!(flags & MSG_PEEK))
                        skb_queue_head(&sk->sk_receive_queue, skb);
                return -EFAULT;
@@ -1372,7 +1369,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
         * get the trgcls from the control buffer of the skb due to
         * fragmentation of original iucv message. */
        err = put_cmsg(msg, SOL_IUCV, SCM_IUCV_TRGCLS,
-                        CB_TRGCLS_LEN, CB_TRGCLS(skb));
+                       sizeof(IUCV_SKB_CB(skb)->class),
+                       (void *)&IUCV_SKB_CB(skb)->class);
        if (err) {
                if (!(flags & MSG_PEEK))
                        skb_queue_head(&sk->sk_receive_queue, skb);
@@ -1384,9 +1382,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
                /* SOCK_STREAM: re-queue skb if it contains unreceived data */
                if (sk->sk_type == SOCK_STREAM) {
-                        skb_pull(skb, copied);
+                        if (copied < rlen) {
-                        if (skb->len) {
+                                IUCV_SKB_CB(skb)->offset = offset + copied;
-                                skb_queue_head(&sk->sk_receive_queue, skb);
                                goto done;
                        }
                }
@@ -1405,6 +1402,7 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
                spin_lock_bh(&iucv->message_q.lock);
                rskb = skb_dequeue(&iucv->backlog_skb_q);
                while (rskb) {
+                        IUCV_SKB_CB(rskb)->offset = 0;
                        if (sock_queue_rcv_skb(sk, rskb)) {
                                skb_queue_head(&iucv->backlog_skb_q,
                                                rskb);
@@ -1833,7 +1831,7 @@ static void iucv_callback_txdone(struct iucv_path *path,
                spin_lock_irqsave(&list->lock, flags);
                while (list_skb != (struct sk_buff *)list) {
-                        if (!memcmp(&msg->tag, CB_TAG(list_skb), CB_TAG_LEN)) {
+                        if (msg->tag != IUCV_SKB_CB(list_skb)->tag) {
                                this = list_skb;
                                break;
                        }
@@ -2094,6 +2092,7 @@ static int afiucv_hs_callback_rx(struct sock *sk, struct sk_buff *skb)
        skb_pull(skb, sizeof(struct af_iucv_trans_hdr));
        skb_reset_transport_header(skb);
        skb_reset_network_header(skb);
+        IUCV_SKB_CB(skb)->offset = 0;
        spin_lock(&iucv->message_q.lock);
        if (skb_queue_empty(&iucv->backlog_skb_q)) {
                if (sock_queue_rcv_skb(sk, skb)) {
@@ -2198,8 +2197,7 @@ static int afiucv_hs_rcv(struct sk_buff *skb, struct net_device *dev,
                /* fall through and receive zero length data */
        case 0:
                /* plain data frame */
-                memcpy(CB_TRGCLS(skb), &trans_hdr->iucv_hdr.class,
+                IUCV_SKB_CB(skb)->class = trans_hdr->iucv_hdr.class;
-                       CB_TRGCLS_LEN);
                err = afiucv_hs_callback_rx(sk, skb);
                break;
        default:
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 69aaba79a9f7..e8a260f53c16 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -78,7 +78,7 @@ void ieee80211_recalc_txpower(struct ieee80211_sub_if_data *sdata)
                ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_TXPOWER);
 }
-u32 ieee80211_idle_off(struct ieee80211_local *local)
+static u32 __ieee80211_idle_off(struct ieee80211_local *local)
 {
        if (!(local->hw.conf.flags & IEEE80211_CONF_IDLE))
                return 0;
@@ -87,7 +87,7 @@ u32 ieee80211_idle_off(struct ieee80211_local *local)
        return IEEE80211_CONF_CHANGE_IDLE;
 }
-static u32 ieee80211_idle_on(struct ieee80211_local *local)
+static u32 __ieee80211_idle_on(struct ieee80211_local *local)
 {
        if (local->hw.conf.flags & IEEE80211_CONF_IDLE)
                return 0;
@@ -98,16 +98,18 @@ static u32 ieee80211_idle_on(struct ieee80211_local *local)
        return IEEE80211_CONF_CHANGE_IDLE;
 }
-void ieee80211_recalc_idle(struct ieee80211_local *local)
+static u32 __ieee80211_recalc_idle(struct ieee80211_local *local,
+                                   bool force_active)
 {
        bool working = false, scanning, active;
        unsigned int led_trig_start = 0, led_trig_stop = 0;
        struct ieee80211_roc_work *roc;
-        u32 change;
        lockdep_assert_held(&local->mtx);
-        active = !list_empty(&local->chanctx_list) || local->monitors;
+        active = force_active ||
+                 !list_empty(&local->chanctx_list) ||
+                 local->monitors;
        if (!local->ops->remain_on_channel) {
                list_for_each_entry(roc, &local->roc_list, list) {
@@ -132,9 +134,18 @@ void ieee80211_recalc_idle(struct ieee80211_local *local)
        ieee80211_mod_tpt_led_trig(local, led_trig_start, led_trig_stop);
        if (working || scanning || active)
-                change = ieee80211_idle_off(local);
+                return __ieee80211_idle_off(local);
-        else
+        return __ieee80211_idle_on(local);
-                change = ieee80211_idle_on(local);
+}
+u32 ieee80211_idle_off(struct ieee80211_local *local)
+{
+        return __ieee80211_recalc_idle(local, true);
+}
+void ieee80211_recalc_idle(struct ieee80211_local *local)
+{
+        u32 change = __ieee80211_recalc_idle(local, false);
        if (change)
                ieee80211_hw_config(local, change);
 }
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index e06dbbf8cb4c..dec42ab1fa91 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3887,8 +3887,16 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
        /* prep auth_data so we don't go into idle on disassoc */
        ifmgd->auth_data = auth_data;
-        if (ifmgd->associated)
+        if (ifmgd->associated) {
-                ieee80211_set_disassoc(sdata, 0, 0, false, NULL);
+                u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
+                ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
+                                       WLAN_REASON_UNSPECIFIED,
+                                       false, frame_buf);
+                __cfg80211_send_deauth(sdata->dev, frame_buf,
+                                       sizeof(frame_buf));
+        }
        sdata_info(sdata, "authenticate with %pM\n", req->bss->bssid);
@@ -3948,8 +3956,16 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
        mutex_lock(&ifmgd->mtx);
-        if (ifmgd->associated)
+        if (ifmgd->associated) {
-                ieee80211_set_disassoc(sdata, 0, 0, false, NULL);
+                u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
+                ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
+                                       WLAN_REASON_UNSPECIFIED,
+                                       false, frame_buf);
+                __cfg80211_send_deauth(sdata->dev, frame_buf,
+                                       sizeof(frame_buf));
+        }
        if (ifmgd->auth_data && !ifmgd->auth_data->done) {
                err = -EBUSY;
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 0f92dc24cb89..d7df6ac2c6f1 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -339,7 +339,11 @@ bitmap_ipmac_tlist(const struct ip_set *set,
 nla_put_failure:
        nla_nest_cancel(skb, nested);
        ipset_nest_end(skb, atd);
-        return -EMSGSIZE;
+        if (unlikely(id == first)) {
+                cb->args[2] = 0;
+                return -EMSGSIZE;
+        }
+        return 0;
 }
 static int
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index f2627226a087..10a30b4fc7db 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -104,6 +104,15 @@ hash_ipportnet4_data_flags(struct hash_ipportnet4_elem *dst, u32 flags)
        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
+static inline void
+hash_ipportnet4_data_reset_flags(struct hash_ipportnet4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
 static inline int
 hash_ipportnet4_data_match(const struct hash_ipportnet4_elem *elem)
 {
@@ -414,6 +423,15 @@ hash_ipportnet6_data_flags(struct hash_ipportnet6_elem *dst, u32 flags)
        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
+static inline void
+hash_ipportnet6_data_reset_flags(struct hash_ipportnet6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
 static inline int
 hash_ipportnet6_data_match(const struct hash_ipportnet6_elem *elem)
 {
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 4b677cf6bf7d..d6a59154d710 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -87,7 +87,16 @@ hash_net4_data_copy(struct hash_net4_elem *dst,
 static inline void
 hash_net4_data_flags(struct hash_net4_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
+}
+static inline void
+hash_net4_data_reset_flags(struct hash_net4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
 }
 static inline int
@@ -308,7 +317,16 @@ hash_net6_data_copy(struct hash_net6_elem *dst,
 static inline void
 hash_net6_data_flags(struct hash_net6_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
+}
+static inline void
+hash_net6_data_reset_flags(struct hash_net6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
 }
 static inline int
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index 6ba985f1c96f..f2b0a3c30130 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -198,7 +198,16 @@ hash_netiface4_data_copy(struct hash_netiface4_elem *dst,
 static inline void
 hash_netiface4_data_flags(struct hash_netiface4_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
+}
+static inline void
+hash_netiface4_data_reset_flags(struct hash_netiface4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
 }
 static inline int
@@ -494,7 +503,7 @@ hash_netiface6_data_copy(struct hash_netiface6_elem *dst,
 static inline void
 hash_netiface6_data_flags(struct hash_netiface6_elem *dst, u32 flags)
 {
-        dst->nomatch = flags & IPSET_FLAG_NOMATCH;
+        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
 static inline int
@@ -504,6 +513,15 @@ hash_netiface6_data_match(const struct hash_netiface6_elem *elem)
 }
 static inline void
+hash_netiface6_data_reset_flags(struct hash_netiface6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
+static inline void
 hash_netiface6_data_zero_out(struct hash_netiface6_elem *elem)
 {
        elem->elem = 0;
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index af20c0c5ced2..349deb672a2d 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -104,6 +104,15 @@ hash_netport4_data_flags(struct hash_netport4_elem *dst, u32 flags)
        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
+static inline void
+hash_netport4_data_reset_flags(struct hash_netport4_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
 static inline int
 hash_netport4_data_match(const struct hash_netport4_elem *elem)
 {
@@ -375,6 +384,15 @@ hash_netport6_data_flags(struct hash_netport6_elem *dst, u32 flags)
        dst->nomatch = !!(flags & IPSET_FLAG_NOMATCH);
 }
+static inline void
+hash_netport6_data_reset_flags(struct hash_netport6_elem *dst, u32 *flags)
+{
+        if (dst->nomatch) {
+                *flags = IPSET_FLAG_NOMATCH;
+                dst->nomatch = 0;
+        }
+}
 static inline int
 hash_netport6_data_match(const struct hash_netport6_elem *elem)
 {
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index 8371c2bac2e4..09c744aa8982 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -174,9 +174,13 @@ list_set_add(struct list_set *map, u32 i, ip_set_id_t id,
 {
        const struct set_elem *e = list_set_elem(map, i);
-        if (i == map->size - 1 && e->id != IPSET_INVALID_ID)
+        if (e->id != IPSET_INVALID_ID) {
-                /* Last element replaced: e.g. add new,before,last */
+                const struct set_elem *x = list_set_elem(map, map->size - 1);
-                ip_set_put_byindex(e->id);
+                /* Last element replaced or pushed off */
+                if (x->id != IPSET_INVALID_ID)
+                        ip_set_put_byindex(x->id);
+        }
        if (with_timeout(map->timeout))
                list_elem_tadd(map, i, id, ip_set_timeout_set(timeout));
        else
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 0e7d423324c3..e0c4373b4747 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1593,10 +1593,8 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
                end += strlen("\r\n\r\n") + clen;
                msglen = origlen = end - dptr;
-                if (msglen > datalen) {
+                if (msglen > datalen)
-                        nf_ct_helper_log(skb, ct, "incomplete/bad SIP message");
+                        return NF_ACCEPT;
-                        return NF_DROP;
-                }
                ret = process_sip_msg(skb, ct, protoff, dataoff,
                                      &dptr, &msglen);
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 346f871cf096..2e469ca2ca55 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -468,33 +468,22 @@ EXPORT_SYMBOL_GPL(nf_nat_packet);
 struct nf_nat_proto_clean {
        u8      l3proto;
        u8      l4proto;
-        bool    hash;
 };
-/* Clear NAT section of all conntracks, in case we're loaded again. */
+/* kill conntracks with affected NAT section */
-static int nf_nat_proto_clean(struct nf_conn *i, void *data)
+static int nf_nat_proto_remove(struct nf_conn *i, void *data)
 {
        const struct nf_nat_proto_clean *clean = data;
        struct nf_conn_nat *nat = nfct_nat(i);
        if (!nat)
                return 0;
-        if (!(i->status & IPS_SRC_NAT_DONE))
-                return 0;
        if ((clean->l3proto && nf_ct_l3num(i) != clean->l3proto) ||
            (clean->l4proto && nf_ct_protonum(i) != clean->l4proto))
                return 0;
-        if (clean->hash) {
+        return i->status & IPS_NAT_MASK ? 1 : 0;
-                spin_lock_bh(&nf_nat_lock);
-                hlist_del_rcu(&nat->bysource);
-                spin_unlock_bh(&nf_nat_lock);
-        } else {
-                memset(nat, 0, sizeof(*nat));
-                i->status &= ~(IPS_NAT_MASK | IPS_NAT_DONE_MASK |
-                               IPS_SEQ_ADJUST);
-        }
-        return 0;
 }
 static void nf_nat_l4proto_clean(u8 l3proto, u8 l4proto)
@@ -506,16 +495,8 @@ static void nf_nat_l4proto_clean(u8 l3proto, u8 l4proto)
        struct net *net;
        rtnl_lock();
-        /* Step 1 - remove from bysource hash */
-        clean.hash = true;
        for_each_net(net)
-                nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
+                nf_ct_iterate_cleanup(net, nf_nat_proto_remove, &clean);
-        synchronize_rcu();
-        /* Step 2 - clean NAT section */
-        clean.hash = false;
-        for_each_net(net)
-                nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
        rtnl_unlock();
 }
@@ -527,16 +508,9 @@ static void nf_nat_l3proto_clean(u8 l3proto)
        struct net *net;
        rtnl_lock();
-        /* Step 1 - remove from bysource hash */
-        clean.hash = true;
-        for_each_net(net)
-                nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
-        synchronize_rcu();
-        /* Step 2 - clean NAT section */
-        clean.hash = false;
        for_each_net(net)
-                nf_ct_iterate_cleanup(net, nf_nat_proto_clean, &clean);
+                nf_ct_iterate_cleanup(net, nf_nat_proto_remove, &clean);
        rtnl_unlock();
 }
@@ -774,7 +748,7 @@ static void __net_exit nf_nat_net_exit(struct net *net)
 {
        struct nf_nat_proto_clean clean = {};
-        nf_ct_iterate_cleanup(net, &nf_nat_proto_clean, &clean);
+        nf_ct_iterate_cleanup(net, &nf_nat_proto_remove, &clean);
        synchronize_rcu();
        nf_ct_free_hashtable(net->ct.nat_bysource, net->ct.nat_htable_size);
 }
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 7fcb307dea47..103bd704b5fc 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -1173,7 +1173,7 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock,
        }
        if (sax != NULL) {
-                memset(sax, 0, sizeof(sax));
+                memset(sax, 0, sizeof(*sax));
                sax->sax25_family = AF_NETROM;
                skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call,
                              AX25_ADDR_LEN);
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 7bb5d4f6bb90..d2f9f2e57298 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -1681,10 +1681,8 @@ struct sk_buff *ovs_vport_cmd_build_info(struct vport *vport, u32 portid,
                return ERR_PTR(-ENOMEM);
        retval = ovs_vport_cmd_fill_info(vport, skb, portid, seq, 0, cmd);
-        if (retval < 0) {
+        BUG_ON(retval < 0);
-                kfree_skb(skb);
-                return ERR_PTR(retval);
-        }
        return skb;
 }
@@ -1814,25 +1812,33 @@ static int ovs_vport_cmd_set(struct sk_buff *skb, struct genl_info *info)
            nla_get_u32(a[OVS_VPORT_ATTR_TYPE]) != vport->ops->type)
                err = -EINVAL;
+        reply = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (!reply) {
+                err = -ENOMEM;
+                goto exit_unlock;
+        }
        if (!err && a[OVS_VPORT_ATTR_OPTIONS])
                err = ovs_vport_set_options(vport, a[OVS_VPORT_ATTR_OPTIONS]);
        if (err)
-                goto exit_unlock;
+                goto exit_free;
        if (a[OVS_VPORT_ATTR_UPCALL_PID])
                vport->upcall_portid = nla_get_u32(a[OVS_VPORT_ATTR_UPCALL_PID]);
-        reply = ovs_vport_cmd_build_info(vport, info->snd_portid, info->snd_seq,
+        err = ovs_vport_cmd_fill_info(vport, reply, info->snd_portid,
-                                         OVS_VPORT_CMD_NEW);
+                                      info->snd_seq, 0, OVS_VPORT_CMD_NEW);
-        if (IS_ERR(reply)) {
+        BUG_ON(err < 0);
-                netlink_set_err(sock_net(skb->sk)->genl_sock, 0,
-                                ovs_dp_vport_multicast_group.id, PTR_ERR(reply));
-                goto exit_unlock;
-        }
        ovs_unlock();
        ovs_notify(reply, info, &ovs_dp_vport_multicast_group);
        return 0;
+        rtnl_unlock();
+        return 0;
+exit_free:
+        kfree_skb(reply);
 exit_unlock:
        ovs_unlock();
        return err;
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index cf9328be75e9..b15321a2228c 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -795,9 +795,9 @@ void ovs_flow_tbl_insert(struct flow_table *table, struct sw_flow *flow)
 void ovs_flow_tbl_remove(struct flow_table *table, struct sw_flow *flow)
 {
+        BUG_ON(table->count == 0);
        hlist_del_rcu(&flow->hash_node[table->node_ver]);
        table->count--;
-        BUG_ON(table->count < 0);
 }
 /* The size of the argument for each %OVS_KEY_ATTR_* Netlink attribute.  */
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index 1135d8227f9b..9b97172db84a 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -204,7 +204,6 @@ fw_change_attrs(struct net *net, struct tcf_proto *tp, struct fw_filter *f,
        if (err < 0)
                return err;
-        err = -EINVAL;
        if (tb[TCA_FW_CLASSID]) {
                f->res.classid = nla_get_u32(tb[TCA_FW_CLASSID]);
                tcf_bind_filter(tp, &f->res, base);
@@ -218,6 +217,7 @@ fw_change_attrs(struct net *net, struct tcf_proto *tp, struct fw_filter *f,
        }
 #endif /* CONFIG_NET_CLS_IND */
+        err = -EINVAL;
        if (tb[TCA_FW_MASK]) {
                mask = nla_get_u32(tb[TCA_FW_MASK]);
                if (mask != head->mask)
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index dcc446e7fbf6..d5f35f15af98 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -304,10 +304,8 @@ static struct rpc_clnt * rpc_new_client(const struct rpc_create_args *args, stru
        err = rpciod_up();
        if (err)
                goto out_no_rpciod;
-        err = -EINVAL;
-        if (!xprt)
-                goto out_no_xprt;
+        err = -EINVAL;
        if (args->version >= program->nrvers)
                goto out_err;
        version = program->version[args->version];
@@ -382,10 +380,9 @@ out_no_principal:
 out_no_stats:
        kfree(clnt);
 out_err:
-        xprt_put(xprt);
-out_no_xprt:
        rpciod_down();
 out_no_rpciod:
+        xprt_put(xprt);
        return ERR_PTR(err);
 }
@@ -512,7 +509,7 @@ static struct rpc_clnt *__rpc_clone_client(struct rpc_create_args *args,
        new = rpc_new_client(args, xprt);
        if (IS_ERR(new)) {
                err = PTR_ERR(new);
-                goto out_put;
+                goto out_err;
        }
        atomic_inc(&clnt->cl_count);
@@ -525,8 +522,6 @@ static struct rpc_clnt *__rpc_clone_client(struct rpc_create_args *args,
        new->cl_chatty = clnt->cl_chatty;
        return new;
-out_put:
-        xprt_put(xprt);
 out_err:
        dprintk("RPC:       %s: returned error %d\n", __func__, err);
        return ERR_PTR(err);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 5ca1631de7ef..9efe01113c5c 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1414,7 +1414,7 @@ static void maybe_add_creds(struct sk_buff *skb, const struct socket *sock,
            !other->sk_socket ||
            test_bit(SOCK_PASSCRED, &other->sk_socket->flags)) {
                UNIXCB(skb).pid  = get_pid(task_tgid(current));
-                current_euid_egid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
+                current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
        }
 }