54 files changed, 458 insertions, 250 deletions

diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 73a2a83ee2da..402442402af7 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -137,9 +137,21 @@ static int vlan_dev_hard_header(struct sk_buff *skb, struct net_device *dev,
         return rc;
 }
 
+static inline netdev_tx_t vlan_netpoll_send_skb(struct vlan_dev_priv *vlan, struct sk_buff *skb)
+{
+#ifdef CONFIG_NET_POLL_CONTROLLER
+        if (vlan->netpoll)
+                netpoll_send_skb(vlan->netpoll, skb);
+#else
+        BUG();
+#endif
+        return NETDEV_TX_OK;
+}
+
 static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
                                             struct net_device *dev)
 {
+        struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
         struct vlan_ethhdr *veth = (struct vlan_ethhdr *)(skb->data);
         unsigned int len;
         int ret;
@@ -150,29 +162,30 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
          * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs...
          */
         if (veth->h_vlan_proto != htons(ETH_P_8021Q) ||
-            vlan_dev_priv(dev)->flags & VLAN_FLAG_REORDER_HDR) {
+            vlan->flags & VLAN_FLAG_REORDER_HDR) {
                 u16 vlan_tci;
-                vlan_tci = vlan_dev_priv(dev)->vlan_id;
+                vlan_tci = vlan->vlan_id;
                 vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb);
                 skb = __vlan_hwaccel_put_tag(skb, vlan_tci);
         }
 
-        skb->dev = vlan_dev_priv(dev)->real_dev;
+        skb->dev = vlan->real_dev;
         len = skb->len;
-        if (netpoll_tx_running(dev))
-                return skb->dev->netdev_ops->ndo_start_xmit(skb, skb->dev);
+        if (unlikely(netpoll_tx_running(dev)))
+                return vlan_netpoll_send_skb(vlan, skb);
+
         ret = dev_queue_xmit(skb);
 
         if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
                 struct vlan_pcpu_stats *stats;
 
-                stats = this_cpu_ptr(vlan_dev_priv(dev)->vlan_pcpu_stats);
+                stats = this_cpu_ptr(vlan->vlan_pcpu_stats);
                 u64_stats_update_begin(&stats->syncp);
                 stats->tx_packets++;
                 stats->tx_bytes += len;
                 u64_stats_update_end(&stats->syncp);
         } else {
-                this_cpu_inc(vlan_dev_priv(dev)->vlan_pcpu_stats->tx_dropped);
+                this_cpu_inc(vlan->vlan_pcpu_stats->tx_dropped);
         }
 
         return ret;
@@ -669,25 +682,26 @@ static void vlan_dev_poll_controller(struct net_device *dev)
         return;
 }
 
-static int vlan_dev_netpoll_setup(struct net_device *dev, struct netpoll_info *npinfo)
+static int vlan_dev_netpoll_setup(struct net_device *dev, struct netpoll_info *npinfo,
+                                  gfp_t gfp)
 {
-        struct vlan_dev_priv *info = vlan_dev_priv(dev);
-        struct net_device *real_dev = info->real_dev;
+        struct vlan_dev_priv *vlan = vlan_dev_priv(dev);
+        struct net_device *real_dev = vlan->real_dev;
         struct netpoll *netpoll;
         int err = 0;
 
-        netpoll = kzalloc(sizeof(*netpoll), GFP_KERNEL);
+        netpoll = kzalloc(sizeof(*netpoll), gfp);
         err = -ENOMEM;
         if (!netpoll)
                 goto out;
 
-        err = __netpoll_setup(netpoll, real_dev);
+        err = __netpoll_setup(netpoll, real_dev, gfp);
         if (err) {
                 kfree(netpoll);
                 goto out;
         }
 
-        info->netpoll = netpoll;
+        vlan->netpoll = netpoll;
 
 out:
         return err;
@@ -695,19 +709,15 @@ out:
 
 static void vlan_dev_netpoll_cleanup(struct net_device *dev)
 {
-        struct vlan_dev_priv *info = vlan_dev_priv(dev);
-        struct netpoll *netpoll = info->netpoll;
+        struct vlan_dev_priv *vlan= vlan_dev_priv(dev);
+        struct netpoll *netpoll = vlan->netpoll;
 
         if (!netpoll)
                 return;
 
-        info->netpoll = NULL;
-
-        /* Wait for transmitting packets to finish before freeing. */
-        synchronize_rcu_bh();
+        vlan->netpoll = NULL;
 
-        __netpoll_cleanup(netpoll);
-        kfree(netpoll);
+        __netpoll_free_rcu(netpoll);
 }
 #endif /* CONFIG_NET_POLL_CONTROLLER */
 
diff --git a/net/atm/common.c b/net/atm/common.c
index b4b44dbed645..0c0ad930a632 100644
--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -812,6 +812,7 @@ int vcc_getsockopt(struct socket *sock, int level, int optname,
 
                 if (!vcc->dev || !test_bit(ATM_VF_ADDR, &vcc->flags))
                         return -ENOTCONN;
+                memset(&pvc, 0, sizeof(pvc));
                 pvc.sap_family = AF_ATMPVC;
                 pvc.sap_addr.itf = vcc->dev->number;
                 pvc.sap_addr.vpi = vcc->vpi;
diff --git a/net/atm/pvc.c b/net/atm/pvc.c
index 3a734919c36c..ae0324021407 100644
--- a/net/atm/pvc.c
+++ b/net/atm/pvc.c
@@ -95,6 +95,7 @@ static int pvc_getname(struct socket *sock, struct sockaddr *sockaddr,
                 return -ENOTCONN;
         *sockaddr_len = sizeof(struct sockaddr_atmpvc);
         addr = (struct sockaddr_atmpvc *)sockaddr;
+        memset(addr, 0, sizeof(*addr));
         addr->sap_family = AF_ATMPVC;
         addr->sap_addr.itf = vcc->dev->number;
         addr->sap_addr.vpi = vcc->vpi;
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 41ff978a33f9..715d7e33fba0 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1365,6 +1365,9 @@ static bool hci_resolve_next_name(struct hci_dev *hdev)
                 return false;
 
         e = hci_inquiry_cache_lookup_resolve(hdev, BDADDR_ANY, NAME_NEEDED);
+        if (!e)
+                return false;
+
         if (hci_resolve_name(hdev, e) == 0) {
                 e->name_state = NAME_PENDING;
                 return true;
@@ -1393,12 +1396,20 @@ static void hci_check_pending_name(struct hci_dev *hdev, struct hci_conn *conn,
                 return;
 
         e = hci_inquiry_cache_lookup_resolve(hdev, bdaddr, NAME_PENDING);
-        if (e) {
+        /* If the device was not found in a list of found devices names of which
+         * are pending. there is no need to continue resolving a next name as it
+         * will be done upon receiving another Remote Name Request Complete
+         * Event */
+        if (!e)
+                return;
+
+        list_del(&e->list);
+        if (name) {
                 e->name_state = NAME_KNOWN;
-                list_del(&e->list);
-                if (name)
-                        mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
-                                         e->data.rssi, name, name_len);
+                mgmt_remote_name(hdev, bdaddr, ACL_LINK, 0x00,
+                                 e->data.rssi, name, name_len);
+        } else {
+                e->name_state = NAME_NOT_KNOWN;
         }
 
         if (hci_resolve_next_name(hdev))
@@ -1762,7 +1773,12 @@ static void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
                 if (conn->type == ACL_LINK) {
                         conn->state = BT_CONFIG;
                         hci_conn_hold(conn);
-                        conn->disc_timeout = HCI_DISCONN_TIMEOUT;
+
+                        if (!conn->out && !hci_conn_ssp_enabled(conn) &&
+                            !hci_find_link_key(hdev, &ev->bdaddr))
+                                conn->disc_timeout = HCI_PAIRING_TIMEOUT;
+                        else
+                                conn->disc_timeout = HCI_DISCONN_TIMEOUT;
                 } else
                         conn->state = BT_CONNECTED;
 
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index a7f04de03d79..19fdac78e555 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -694,6 +694,7 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
         *addr_len = sizeof(*haddr);
         haddr->hci_family = AF_BLUETOOTH;
         haddr->hci_dev    = hdev->id;
+        haddr->hci_channel= 0;
 
         release_sock(sk);
         return 0;
@@ -1009,6 +1010,7 @@ static int hci_sock_getsockopt(struct socket *sock, int level, int optname,
                 {
                         struct hci_filter *f = &hci_pi(sk)->filter;
 
+                        memset(&uf, 0, sizeof(uf));
                         uf.type_mask = f->type_mask;
                         uf.opcode    = f->opcode;
                         uf.event_mask[0] = *((u32 *) f->event_mask + 0);
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index a8964db04bfb..daa149b7003c 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -1181,6 +1181,7 @@ static void l2cap_le_conn_ready(struct l2cap_conn *conn)
         sk = chan->sk;
 
         hci_conn_hold(conn->hcon);
+        conn->hcon->disc_timeout = HCI_DISCONN_TIMEOUT;
 
         bacpy(&bt_sk(sk)->src, conn->src);
         bacpy(&bt_sk(sk)->dst, conn->dst);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index a4bb27e8427e..1497edd191a2 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -245,6 +245,7 @@ static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *l
 
         BT_DBG("sock %p, sk %p", sock, sk);
 
+        memset(la, 0, sizeof(struct sockaddr_l2));
         addr->sa_family = AF_BLUETOOTH;
         *len = sizeof(struct sockaddr_l2);
 
@@ -1174,7 +1175,7 @@ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int p
 
         chan = l2cap_chan_create();
         if (!chan) {
-                l2cap_sock_kill(sk);
+                sk_free(sk);
                 return NULL;
         }
 
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 7e1e59645c05..1a17850d093c 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -528,6 +528,7 @@ static int rfcomm_sock_getname(struct socket *sock, struct sockaddr *addr, int *
 
         BT_DBG("sock %p, sk %p", sock, sk);
 
+        memset(sa, 0, sizeof(*sa));
         sa->rc_family  = AF_BLUETOOTH;
         sa->rc_channel = rfcomm_pi(sk)->channel;
         if (peer)
@@ -822,6 +823,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
                 }
 
                 sec.level = rfcomm_pi(sk)->sec_level;
+                sec.key_size = 0;
 
                 len = min_t(unsigned int, len, sizeof(sec));
                 if (copy_to_user(optval, (char *) &sec, len))
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index cb960773c002..56f182393c4c 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -456,7 +456,7 @@ static int rfcomm_get_dev_list(void __user *arg)
 
         size = sizeof(*dl) + dev_num * sizeof(*di);
 
-        dl = kmalloc(size, GFP_KERNEL);
+        dl = kzalloc(size, GFP_KERNEL);
         if (!dl)
                 return -ENOMEM;
 
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 40bbe25dcff7..3589e21edb09 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -131,6 +131,15 @@ static int sco_conn_del(struct hci_conn *hcon, int err)
                 sco_sock_clear_timer(sk);
                 sco_chan_del(sk, err);
                 bh_unlock_sock(sk);
+
+                sco_conn_lock(conn);
+                conn->sk = NULL;
+                sco_pi(sk)->conn = NULL;
+                sco_conn_unlock(conn);
+
+                if (conn->hcon)
+                        hci_conn_put(conn->hcon);
+
                 sco_sock_kill(sk);
         }
 
@@ -821,16 +830,6 @@ static void sco_chan_del(struct sock *sk, int err)
 
         BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
 
-        if (conn) {
-                sco_conn_lock(conn);
-                conn->sk = NULL;
-                sco_pi(sk)->conn = NULL;
-                sco_conn_unlock(conn);
-
-                if (conn->hcon)
-                        hci_conn_put(conn->hcon);
-        }
-
         sk->sk_state = BT_CLOSED;
         sk->sk_err   = err;
         sk->sk_state_change(sk);
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 16ef0dc85a0a..901a616c8083 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -579,8 +579,11 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
 
         if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
                 smp = smp_chan_create(conn);
+        else
+                smp = conn->smp_chan;
 
-        smp = conn->smp_chan;
+        if (!smp)
+                return SMP_UNSPECIFIED;
 
         smp->preq[0] = SMP_CMD_PAIRING_REQ;
         memcpy(&smp->preq[1], req, sizeof(*req));
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 333484537600..070e8a68cfc6 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -31,9 +31,11 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
         struct net_bridge_mdb_entry *mdst;
         struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats);
 
+        rcu_read_lock();
 #ifdef CONFIG_BRIDGE_NETFILTER
         if (skb->nf_bridge && (skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) {
                 br_nf_pre_routing_finish_bridge_slow(skb);
+                rcu_read_unlock();
                 return NETDEV_TX_OK;
         }
 #endif
@@ -48,7 +50,6 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
         skb_reset_mac_header(skb);
         skb_pull(skb, ETH_HLEN);
 
-        rcu_read_lock();
         if (is_broadcast_ether_addr(dest))
                 br_flood_deliver(br, skb);
         else if (is_multicast_ether_addr(dest)) {
@@ -206,24 +207,23 @@ static void br_poll_controller(struct net_device *br_dev)
 static void br_netpoll_cleanup(struct net_device *dev)
 {
         struct net_bridge *br = netdev_priv(dev);
-        struct net_bridge_port *p, *n;
+        struct net_bridge_port *p;
 
-        list_for_each_entry_safe(p, n, &br->port_list, list) {
+        list_for_each_entry(p, &br->port_list, list)
                 br_netpoll_disable(p);
-        }
 }
 
-static int br_netpoll_setup(struct net_device *dev, struct netpoll_info *ni)
+static int br_netpoll_setup(struct net_device *dev, struct netpoll_info *ni,
+                            gfp_t gfp)
 {
         struct net_bridge *br = netdev_priv(dev);
-        struct net_bridge_port *p, *n;
+        struct net_bridge_port *p;
         int err = 0;
 
-        list_for_each_entry_safe(p, n, &br->port_list, list) {
+        list_for_each_entry(p, &br->port_list, list) {
                 if (!p->dev)
                         continue;
-
-                err = br_netpoll_enable(p);
+                err = br_netpoll_enable(p, gfp);
                 if (err)
                         goto fail;
         }
@@ -236,17 +236,17 @@ fail:
         goto out;
 }
 
-int br_netpoll_enable(struct net_bridge_port *p)
+int br_netpoll_enable(struct net_bridge_port *p, gfp_t gfp)
 {
         struct netpoll *np;
         int err = 0;
 
-        np = kzalloc(sizeof(*p->np), GFP_KERNEL);
+        np = kzalloc(sizeof(*p->np), gfp);
         err = -ENOMEM;
         if (!np)
                 goto out;
 
-        err = __netpoll_setup(np, p->dev);
+        err = __netpoll_setup(np, p->dev, gfp);
         if (err) {
                 kfree(np);
                 goto out;
@@ -267,11 +267,7 @@ void br_netpoll_disable(struct net_bridge_port *p)
 
         p->np = NULL;
 
-        /* Wait for transmitting packets to finish before freeing. */
-        synchronize_rcu_bh();
-
-        __netpoll_cleanup(np);
-        kfree(np);
+        __netpoll_free_rcu(np);
 }
 
 #endif
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index e9466d412707..02015a505d2a 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -65,7 +65,7 @@ static void __br_deliver(const struct net_bridge_port *to, struct sk_buff *skb)
 {
         skb->dev = to->dev;
 
-        if (unlikely(netpoll_tx_running(to->dev))) {
+        if (unlikely(netpoll_tx_running(to->br->dev))) {
                 if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb))
                         kfree_skb(skb);
                 else {
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index e1144e1617be..1c8fdc3558cd 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -361,7 +361,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
         if (err)
                 goto err2;
 
-        if (br_netpoll_info(br) && ((err = br_netpoll_enable(p))))
+        if (br_netpoll_info(br) && ((err = br_netpoll_enable(p, GFP_KERNEL))))
                 goto err3;
 
         err = netdev_set_master(dev, br->dev);
@@ -427,6 +427,10 @@ int br_del_if(struct net_bridge *br, struct net_device *dev)
         if (!p || p->br != br)
                 return -EINVAL;
 
+        /* Since more than one interface can be attached to a bridge,
+         * there still maybe an alternate path for netconsole to use;
+         * therefore there is no reason for a NETDEV_RELEASE event.
+         */
         del_nbp(p);
 
         spin_lock_bh(&br->lock);
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index a768b2408edf..f507d2af9646 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -316,7 +316,7 @@ static inline void br_netpoll_send_skb(const struct net_bridge_port *p,
                 netpoll_send_skb(np, skb);
 }
 
-extern int br_netpoll_enable(struct net_bridge_port *p);
+extern int br_netpoll_enable(struct net_bridge_port *p, gfp_t gfp);
 extern void br_netpoll_disable(struct net_bridge_port *p);
 #else
 static inline struct netpoll_info *br_netpoll_info(struct net_bridge *br)
@@ -329,7 +329,7 @@ static inline void br_netpoll_send_skb(const struct net_bridge_port *p,
 {
 }
 
-static inline int br_netpoll_enable(struct net_bridge_port *p)
+static inline int br_netpoll_enable(struct net_bridge_port *p, gfp_t gfp)
 {
         return 0;
 }
diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
index 69771c04ba8f..e597733affb8 100644
--- a/net/caif/chnl_net.c
+++ b/net/caif/chnl_net.c
@@ -94,6 +94,10 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt)
 
         /* check the version of IP */
         ip_version = skb_header_pointer(skb, 0, 1, &buf);
+        if (!ip_version) {
+                kfree_skb(skb);
+                return -EINVAL;
+        }
 
         switch (*ip_version >> 4) {
         case 4:
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index 69e38db28e5f..a8020293f342 100644
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -84,7 +84,6 @@ int ceph_check_fsid(struct ceph_client *client, struct ceph_fsid *fsid)
                         return -1;
                 }
         } else {
-                pr_info("client%lld fsid %pU\n", ceph_client_id(client), fsid);
                 memcpy(&client->fsid, fsid, sizeof(*fsid));
         }
         return 0;
diff --git a/net/ceph/debugfs.c b/net/ceph/debugfs.c
index 54b531a01121..38b5dc1823d4 100644
--- a/net/ceph/debugfs.c
+++ b/net/ceph/debugfs.c
@@ -189,6 +189,9 @@ int ceph_debugfs_client_init(struct ceph_client *client)
         snprintf(name, sizeof(name), "%pU.client%lld", &client->fsid,
                  client->monc.auth->global_id);
 
+        dout("ceph_debugfs_client_init %p %s\n", client, name);
+
+        BUG_ON(client->debugfs_dir);
         client->debugfs_dir = debugfs_create_dir(name, ceph_debugfs_dir);
         if (!client->debugfs_dir)
                 goto out;
@@ -234,6 +237,7 @@ out:
 
 void ceph_debugfs_client_cleanup(struct ceph_client *client)
 {
+        dout("ceph_debugfs_client_cleanup %p\n", client);
         debugfs_remove(client->debugfs_osdmap);
         debugfs_remove(client->debugfs_monmap);
         debugfs_remove(client->osdc.debugfs_file);
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index b9796750034a..24c5eea8c45b 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -915,7 +915,6 @@ static int prepare_write_connect(struct ceph_connection *con)
         con->out_connect.authorizer_len = auth ?
                 cpu_to_le32(auth->authorizer_buf_len) : 0;
 
-        con_out_kvec_reset(con);
         con_out_kvec_add(con, sizeof (con->out_connect),
                                         &con->out_connect);
         if (auth && auth->authorizer_buf_len)
@@ -1557,6 +1556,7 @@ static int process_connect(struct ceph_connection *con)
                         return -1;
                 }
                 con->auth_retry = 1;
+                con_out_kvec_reset(con);
                 ret = prepare_write_connect(con);
                 if (ret < 0)
                         return ret;
@@ -1577,6 +1577,7 @@ static int process_connect(struct ceph_connection *con)
                        ENTITY_NAME(con->peer_name),
                        ceph_pr_addr(&con->peer_addr.in_addr));
                 reset_connection(con);
+                con_out_kvec_reset(con);
                 ret = prepare_write_connect(con);
                 if (ret < 0)
                         return ret;
@@ -1601,6 +1602,7 @@ static int process_connect(struct ceph_connection *con)
                      le32_to_cpu(con->out_connect.connect_seq),
                      le32_to_cpu(con->in_reply.connect_seq));
                 con->connect_seq = le32_to_cpu(con->in_reply.connect_seq);
+                con_out_kvec_reset(con);
                 ret = prepare_write_connect(con);
                 if (ret < 0)
                         return ret;
@@ -1617,6 +1619,7 @@ static int process_connect(struct ceph_connection *con)
                      le32_to_cpu(con->in_reply.global_seq));
                 get_global_seq(con->msgr,
                                le32_to_cpu(con->in_reply.global_seq));
+                con_out_kvec_reset(con);
                 ret = prepare_write_connect(con);
                 if (ret < 0)
                         return ret;
@@ -2135,7 +2138,11 @@ more:
                 BUG_ON(con->state != CON_STATE_CONNECTING);
                 con->state = CON_STATE_NEGOTIATING;
 
-                /* Banner is good, exchange connection info */
+                /*
+                 * Received banner is good, exchange connection info.
+                 * Do not reset out_kvec, as sending our banner raced
+                 * with receiving peer banner after connect completed.
+                 */
                 ret = prepare_write_connect(con);
                 if (ret < 0)
                         goto out;
diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
index 105d533b55f3..900ea0f043fc 100644
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -311,6 +311,17 @@ int ceph_monc_open_session(struct ceph_mon_client *monc)
 EXPORT_SYMBOL(ceph_monc_open_session);
 
 /*
+ * We require the fsid and global_id in order to initialize our
+ * debugfs dir.
+ */
+static bool have_debugfs_info(struct ceph_mon_client *monc)
+{
+        dout("have_debugfs_info fsid %d globalid %lld\n",
+             (int)monc->client->have_fsid, monc->auth->global_id);
+        return monc->client->have_fsid && monc->auth->global_id > 0;
+}
+
+/*
  * The monitor responds with mount ack indicate mount success.  The
  * included client ticket allows the client to talk to MDSs and OSDs.
  */
@@ -320,9 +331,12 @@ static void ceph_monc_handle_map(struct ceph_mon_client *monc,
         struct ceph_client *client = monc->client;
         struct ceph_monmap *monmap = NULL, *old = monc->monmap;
         void *p, *end;
+        int had_debugfs_info, init_debugfs = 0;
 
         mutex_lock(&monc->mutex);
 
+        had_debugfs_info = have_debugfs_info(monc);
+
         dout("handle_monmap\n");
         p = msg->front.iov_base;
         end = p + msg->front.iov_len;
@@ -344,12 +358,22 @@ static void ceph_monc_handle_map(struct ceph_mon_client *monc,
 
         if (!client->have_fsid) {
                 client->have_fsid = true;
+                if (!had_debugfs_info && have_debugfs_info(monc)) {
+                        pr_info("client%lld fsid %pU\n",
+                                ceph_client_id(monc->client),
+                                &monc->client->fsid);
+                        init_debugfs = 1;
+                }
                 mutex_unlock(&monc->mutex);
-                /*
-                 * do debugfs initialization without mutex to avoid
-                 * creating a locking dependency
-                 */
-                ceph_debugfs_client_init(client);
+
+                if (init_debugfs) {
+                        /*
+                         * do debugfs initialization without mutex to avoid
+                         * creating a locking dependency
+                         */
+                        ceph_debugfs_client_init(monc->client);
+                }
+
                 goto out_unlocked;
         }
 out:
@@ -865,8 +889,10 @@ static void handle_auth_reply(struct ceph_mon_client *monc,
 {
         int ret;
         int was_auth = 0;
+        int had_debugfs_info, init_debugfs = 0;
 
         mutex_lock(&monc->mutex);
+        had_debugfs_info = have_debugfs_info(monc);
         if (monc->auth->ops)
                 was_auth = monc->auth->ops->is_authenticated(monc->auth);
         monc->pending_auth = 0;
@@ -889,7 +915,22 @@ static void handle_auth_reply(struct ceph_mon_client *monc,
                 __send_subscribe(monc);
                 __resend_generic_request(monc);
         }
+
+        if (!had_debugfs_info && have_debugfs_info(monc)) {
+                pr_info("client%lld fsid %pU\n",
+                        ceph_client_id(monc->client),
+                        &monc->client->fsid);
+                init_debugfs = 1;
+        }
         mutex_unlock(&monc->mutex);
+
+        if (init_debugfs) {
+                /*
+                 * do debugfs initialization without mutex to avoid
+                 * creating a locking dependency
+                 */
+                ceph_debugfs_client_init(monc->client);
+        }
 }
 
 static int __validate_auth(struct ceph_mon_client *monc)
diff --git a/net/core/dev.c b/net/core/dev.c
index a39354ee1432..83988362805e 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1642,6 +1642,19 @@ static inline int deliver_skb(struct sk_buff *skb,
         return pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
 }
 
+static inline bool skb_loop_sk(struct packet_type *ptype, struct sk_buff *skb)
+{
+        if (ptype->af_packet_priv == NULL)
+                return false;
+
+        if (ptype->id_match)
+                return ptype->id_match(ptype, skb->sk);
+        else if ((struct sock *)ptype->af_packet_priv == skb->sk)
+                return true;
+
+        return false;
+}
+
 /*
  *      Support routine. Sends outgoing frames to any network
  *      taps currently in use.
@@ -1659,8 +1672,7 @@ static void dev_queue_xmit_nit(struct sk_buff *skb, struct net_device *dev)
                  * they originated from - MvS (miquels@drinkel.ow.org)
                  */
                 if ((ptype->dev == dev || !ptype->dev) &&
-                    (ptype->af_packet_priv == NULL ||
-                     (struct sock *)ptype->af_packet_priv != skb->sk)) {
+                    (!skb_loop_sk(ptype, skb))) {
                         if (pt_prev) {
                                 deliver_skb(skb2, pt_prev, skb->dev);
                                 pt_prev = ptype;
@@ -5732,6 +5744,7 @@ EXPORT_SYMBOL(netdev_refcnt_read);
 
 /**
  * netdev_wait_allrefs - wait until all references are gone.
+ * @dev: target net_device
  *
  * This is called when unregistering network devices.
  *
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index b4c90e42b443..346b1eb83a1f 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -26,6 +26,7 @@
 #include <linux/workqueue.h>
 #include <linux/slab.h>
 #include <linux/export.h>
+#include <linux/if_vlan.h>
 #include <net/tcp.h>
 #include <net/udp.h>
 #include <asm/unaligned.h>
@@ -54,7 +55,7 @@ static atomic_t trapped;
          MAX_UDP_CHUNK)
 
 static void zap_completion_queue(void);
-static void arp_reply(struct sk_buff *skb);
+static void netpoll_arp_reply(struct sk_buff *skb, struct netpoll_info *npinfo);
 
 static unsigned int carrier_timeout = 4;
 module_param(carrier_timeout, uint, 0644);
@@ -167,15 +168,24 @@ static void poll_napi(struct net_device *dev)
         struct napi_struct *napi;
         int budget = 16;
 
+        WARN_ON_ONCE(!irqs_disabled());
+
         list_for_each_entry(napi, &dev->napi_list, dev_list) {
+                local_irq_enable();
                 if (napi->poll_owner != smp_processor_id() &&
                     spin_trylock(&napi->poll_lock)) {
-                        budget = poll_one_napi(dev->npinfo, napi, budget);
+                        rcu_read_lock_bh();
+                        budget = poll_one_napi(rcu_dereference_bh(dev->npinfo),
+                                               napi, budget);
+                        rcu_read_unlock_bh();
                         spin_unlock(&napi->poll_lock);
 
-                        if (!budget)
+                        if (!budget) {
+                                local_irq_disable();
                                 break;
+                        }
                 }
+                local_irq_disable();
         }
 }
 
@@ -185,13 +195,14 @@ static void service_arp_queue(struct netpoll_info *npi)
                 struct sk_buff *skb;
 
                 while ((skb = skb_dequeue(&npi->arp_tx)))
-                        arp_reply(skb);
+                        netpoll_arp_reply(skb, npi);
         }
 }
 
 static void netpoll_poll_dev(struct net_device *dev)
 {
         const struct net_device_ops *ops;
+        struct netpoll_info *ni = rcu_dereference_bh(dev->npinfo);
 
         if (!dev || !netif_running(dev))
                 return;
@@ -206,17 +217,18 @@ static void netpoll_poll_dev(struct net_device *dev)
         poll_napi(dev);
 
         if (dev->flags & IFF_SLAVE) {
-                if (dev->npinfo) {
+                if (ni) {
                         struct net_device *bond_dev = dev->master;
                         struct sk_buff *skb;
-                        while ((skb = skb_dequeue(&dev->npinfo->arp_tx))) {
+                        struct netpoll_info *bond_ni = rcu_dereference_bh(bond_dev->npinfo);
+                        while ((skb = skb_dequeue(&ni->arp_tx))) {
                                 skb->dev = bond_dev;
-                                skb_queue_tail(&bond_dev->npinfo->arp_tx, skb);
+                                skb_queue_tail(&bond_ni->arp_tx, skb);
                         }
                 }
         }
 
-        service_arp_queue(dev->npinfo);
+        service_arp_queue(ni);
 
         zap_completion_queue();
 }
@@ -302,6 +314,7 @@ static int netpoll_owner_active(struct net_device *dev)
         return 0;
 }
 
+/* call with IRQ disabled */
 void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
                              struct net_device *dev)
 {
@@ -309,8 +322,11 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
         unsigned long tries;
         const struct net_device_ops *ops = dev->netdev_ops;
         /* It is up to the caller to keep npinfo alive. */
-        struct netpoll_info *npinfo = np->dev->npinfo;
+        struct netpoll_info *npinfo;
+
+        WARN_ON_ONCE(!irqs_disabled());
 
+        npinfo = rcu_dereference_bh(np->dev->npinfo);
         if (!npinfo || !netif_running(dev) || !netif_device_present(dev)) {
                 __kfree_skb(skb);
                 return;
@@ -319,16 +335,22 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
         /* don't get messages out of order, and no recursion */
         if (skb_queue_len(&npinfo->txq) == 0 && !netpoll_owner_active(dev)) {
                 struct netdev_queue *txq;
-                unsigned long flags;
 
                 txq = netdev_get_tx_queue(dev, skb_get_queue_mapping(skb));
 
-                local_irq_save(flags);
                 /* try until next clock tick */
                 for (tries = jiffies_to_usecs(1)/USEC_PER_POLL;
                      tries > 0; --tries) {
                         if (__netif_tx_trylock(txq)) {
                                 if (!netif_xmit_stopped(txq)) {
+                                        if (vlan_tx_tag_present(skb) &&
+                                            !(netif_skb_features(skb) & NETIF_F_HW_VLAN_TX)) {
+                                                skb = __vlan_put_tag(skb, vlan_tx_tag_get(skb));
+                                                if (unlikely(!skb))
+                                                        break;
+                                                skb->vlan_tci = 0;
+                                        }
+
                                         status = ops->ndo_start_xmit(skb, dev);
                                         if (status == NETDEV_TX_OK)
                                                 txq_trans_update(txq);
@@ -347,10 +369,9 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
                 }
 
                 WARN_ONCE(!irqs_disabled(),
-                        "netpoll_send_skb(): %s enabled interrupts in poll (%pF)\n",
+                        "netpoll_send_skb_on_dev(): %s enabled interrupts in poll (%pF)\n",
                         dev->name, ops->ndo_start_xmit);
 
-                local_irq_restore(flags);
         }
 
         if (status != NETDEV_TX_OK) {
@@ -423,9 +444,8 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
 }
 EXPORT_SYMBOL(netpoll_send_udp);
 
-static void arp_reply(struct sk_buff *skb)
+static void netpoll_arp_reply(struct sk_buff *skb, struct netpoll_info *npinfo)
 {
-        struct netpoll_info *npinfo = skb->dev->npinfo;
         struct arphdr *arp;
         unsigned char *arp_ptr;
         int size, type = ARPOP_REPLY, ptype = ETH_P_ARP;
@@ -543,13 +563,12 @@ static void arp_reply(struct sk_buff *skb)
         spin_unlock_irqrestore(&npinfo->rx_lock, flags);
 }
 
-int __netpoll_rx(struct sk_buff *skb)
+int __netpoll_rx(struct sk_buff *skb, struct netpoll_info *npinfo)
 {
         int proto, len, ulen;
         int hits = 0;
         const struct iphdr *iph;
         struct udphdr *uh;
-        struct netpoll_info *npinfo = skb->dev->npinfo;
         struct netpoll *np, *tmp;
 
         if (list_empty(&npinfo->rx_np))
@@ -565,6 +584,12 @@ int __netpoll_rx(struct sk_buff *skb)
                 return 1;
         }
 
+        if (skb->protocol == cpu_to_be16(ETH_P_8021Q)) {
+                skb = vlan_untag(skb);
+                if (unlikely(!skb))
+                        goto out;
+        }
+
         proto = ntohs(eth_hdr(skb)->h_proto);
         if (proto != ETH_P_IP)
                 goto out;
@@ -715,7 +740,7 @@ int netpoll_parse_options(struct netpoll *np, char *opt)
 }
 EXPORT_SYMBOL(netpoll_parse_options);
 
-int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
+int __netpoll_setup(struct netpoll *np, struct net_device *ndev, gfp_t gfp)
 {
         struct netpoll_info *npinfo;
         const struct net_device_ops *ops;
@@ -734,7 +759,7 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
         }
 
         if (!ndev->npinfo) {
-                npinfo = kmalloc(sizeof(*npinfo), GFP_KERNEL);
+                npinfo = kmalloc(sizeof(*npinfo), gfp);
                 if (!npinfo) {
                         err = -ENOMEM;
                         goto out;
@@ -752,7 +777,7 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
 
                 ops = np->dev->netdev_ops;
                 if (ops->ndo_netpoll_setup) {
-                        err = ops->ndo_netpoll_setup(ndev, npinfo);
+                        err = ops->ndo_netpoll_setup(ndev, npinfo, gfp);
                         if (err)
                                 goto free_npinfo;
                 }
@@ -857,7 +882,7 @@ int netpoll_setup(struct netpoll *np)
         refill_skbs();
 
         rtnl_lock();
-        err = __netpoll_setup(np, ndev);
+        err = __netpoll_setup(np, ndev, GFP_KERNEL);
         rtnl_unlock();
 
         if (err)
@@ -878,6 +903,24 @@ static int __init netpoll_init(void)
 }
 core_initcall(netpoll_init);
 
+static void rcu_cleanup_netpoll_info(struct rcu_head *rcu_head)
+{
+        struct netpoll_info *npinfo =
+                        container_of(rcu_head, struct netpoll_info, rcu);
+
+        skb_queue_purge(&npinfo->arp_tx);
+        skb_queue_purge(&npinfo->txq);
+
+        /* we can't call cancel_delayed_work_sync here, as we are in softirq */
+        cancel_delayed_work(&npinfo->tx_work);
+
+        /* clean after last, unfinished work */
+        __skb_queue_purge(&npinfo->txq);
+        /* now cancel it again */
+        cancel_delayed_work(&npinfo->tx_work);
+        kfree(npinfo);
+}
+
 void __netpoll_cleanup(struct netpoll *np)
 {
         struct netpoll_info *npinfo;
@@ -903,20 +946,24 @@ void __netpoll_cleanup(struct netpoll *np)
                         ops->ndo_netpoll_cleanup(np->dev);
 
                 RCU_INIT_POINTER(np->dev->npinfo, NULL);
+                call_rcu_bh(&npinfo->rcu, rcu_cleanup_netpoll_info);
+        }
+}
+EXPORT_SYMBOL_GPL(__netpoll_cleanup);
 
-                /* avoid racing with NAPI reading npinfo */
-                synchronize_rcu_bh();
+static void rcu_cleanup_netpoll(struct rcu_head *rcu_head)
+{
+        struct netpoll *np = container_of(rcu_head, struct netpoll, rcu);
 
-                skb_queue_purge(&npinfo->arp_tx);
-                skb_queue_purge(&npinfo->txq);
-                cancel_delayed_work_sync(&npinfo->tx_work);
+        __netpoll_cleanup(np);
+        kfree(np);
+}
 
-                /* clean after last, unfinished work */
-                __skb_queue_purge(&npinfo->txq);
-                kfree(npinfo);
-        }
+void __netpoll_free_rcu(struct netpoll *np)
+{
+        call_rcu_bh(&np->rcu, rcu_cleanup_netpoll);
 }
-EXPORT_SYMBOL_GPL(__netpoll_cleanup);
+EXPORT_SYMBOL_GPL(__netpoll_free_rcu);
 
 void netpoll_cleanup(struct netpoll *np)
 {
diff --git a/net/core/netprio_cgroup.c b/net/core/netprio_cgroup.c
index ed0c0431fcd8..c75e3f9d060f 100644
--- a/net/core/netprio_cgroup.c
+++ b/net/core/netprio_cgroup.c
@@ -101,12 +101,10 @@ static int write_update_netdev_table(struct net_device *dev)
         u32 max_len;
         struct netprio_map *map;
 
-        rtnl_lock();
         max_len = atomic_read(&max_prioidx) + 1;
         map = rtnl_dereference(dev->priomap);
         if (!map || map->priomap_len < max_len)
                 ret = extend_netdev_table(dev, max_len);
-        rtnl_unlock();
 
         return ret;
 }
@@ -256,17 +254,17 @@ static int write_priomap(struct cgroup *cgrp, struct cftype *cft,
         if (!dev)
                 goto out_free_devname;
 
+        rtnl_lock();
         ret = write_update_netdev_table(dev);
         if (ret < 0)
                 goto out_put_dev;
 
-        rcu_read_lock();
-        map = rcu_dereference(dev->priomap);
+        map = rtnl_dereference(dev->priomap);
         if (map)
                 map->priomap[prioidx] = priority;
-        rcu_read_unlock();
 
 out_put_dev:
+        rtnl_unlock();
         dev_put(dev);
 
 out_free_devname:
@@ -277,12 +275,6 @@ out_free_devname:
 void net_prio_attach(struct cgroup *cgrp, struct cgroup_taskset *tset)
 {
         struct task_struct *p;
-        char *tmp = kzalloc(sizeof(char) * PATH_MAX, GFP_KERNEL);
-
-        if (!tmp) {
-                pr_warn("Unable to attach cgrp due to alloc failure!\n");
-                return;
-        }
 
         cgroup_taskset_for_each(p, cgrp, tset) {
                 unsigned int fd;
@@ -296,32 +288,24 @@ void net_prio_attach(struct cgroup *cgrp, struct cgroup_taskset *tset)
                         continue;
                 }
 
-                rcu_read_lock();
+                spin_lock(&files->file_lock);
                 fdt = files_fdtable(files);
                 for (fd = 0; fd < fdt->max_fds; fd++) {
-                        char *path;
                         struct file *file;
                         struct socket *sock;
-                        unsigned long s;
-                        int rv, err = 0;
+                        int err;
 
                         file = fcheck_files(files, fd);
                         if (!file)
                                 continue;
 
-                        path = d_path(&file->f_path, tmp, PAGE_SIZE);
-                        rv = sscanf(path, "socket:[%lu]", &s);
-                        if (rv <= 0)
-                                continue;
-
                         sock = sock_from_file(file, &err);
-                        if (!err)
+                        if (sock)
                                 sock_update_netprioidx(sock->sk, p);
                 }
-                rcu_read_unlock();
+                spin_unlock(&files->file_lock);
                 task_unlock(p);
         }
-        kfree(tmp);
 }
 
 static struct cftype ss_files[] = {
diff --git a/net/core/scm.c b/net/core/scm.c
index 8f6ccfd68ef4..040cebeed45b 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -265,6 +265,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
         for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
              i++, cmfptr++)
         {
+                struct socket *sock;
                 int new_fd;
                 err = security_file_receive(fp[i]);
                 if (err)
@@ -281,6 +282,9 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
                 }
                 /* Bump the usage count and install the file. */
                 get_file(fp[i]);
+                sock = sock_from_file(fp[i], &err);
+                if (sock)
+                        sock_update_netprioidx(sock->sk, current);
                 fd_install(new_fd, fp[i]);
         }
 
diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
index 75c3582a7678..fb85d371a8de 100644
--- a/net/dccp/ccid.h
+++ b/net/dccp/ccid.h
@@ -246,7 +246,7 @@ static inline int ccid_hc_rx_getsockopt(struct ccid *ccid, struct sock *sk,
                                         u32 __user *optval, int __user *optlen)
 {
         int rc = -ENOPROTOOPT;
-        if (ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL)
+        if (ccid != NULL && ccid->ccid_ops->ccid_hc_rx_getsockopt != NULL)
                 rc = ccid->ccid_ops->ccid_hc_rx_getsockopt(sk, optname, len,
                                                  optval, optlen);
         return rc;
@@ -257,7 +257,7 @@ static inline int ccid_hc_tx_getsockopt(struct ccid *ccid, struct sock *sk,
                                         u32 __user *optval, int __user *optlen)
 {
         int rc = -ENOPROTOOPT;
-        if (ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL)
+        if (ccid != NULL && ccid->ccid_ops->ccid_hc_tx_getsockopt != NULL)
                 rc = ccid->ccid_ops->ccid_hc_tx_getsockopt(sk, optname, len,
                                                  optval, optlen);
         return rc;
diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
index d65e98798eca..119c04317d48 100644
--- a/net/dccp/ccids/ccid3.c
+++ b/net/dccp/ccids/ccid3.c
@@ -535,6 +535,7 @@ static int ccid3_hc_tx_getsockopt(struct sock *sk, const int optname, int len,
         case DCCP_SOCKOPT_CCID_TX_INFO:
                 if (len < sizeof(tfrc))
                         return -EINVAL;
+                memset(&tfrc, 0, sizeof(tfrc));
                 tfrc.tfrctx_x      = hc->tx_x;
                 tfrc.tfrctx_x_recv = hc->tx_x_recv;
                 tfrc.tfrctx_x_calc = hc->tx_x_calc;
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index db0cf17c00f7..7f75f21d7b83 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -404,12 +404,15 @@ struct dst_entry *inet_csk_route_child_sock(struct sock *sk,
 {
         const struct inet_request_sock *ireq = inet_rsk(req);
         struct inet_sock *newinet = inet_sk(newsk);
-        struct ip_options_rcu *opt = ireq->opt;
+        struct ip_options_rcu *opt;
         struct net *net = sock_net(sk);
         struct flowi4 *fl4;
         struct rtable *rt;
 
         fl4 = &newinet->cork.fl.u.ip4;
+
+        rcu_read_lock();
+        opt = rcu_dereference(newinet->inet_opt);
         flowi4_init_output(fl4, sk->sk_bound_dev_if, sk->sk_mark,
                            RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE,
                            sk->sk_protocol, inet_sk_flowi_flags(sk),
@@ -421,11 +424,13 @@ struct dst_entry *inet_csk_route_child_sock(struct sock *sk,
                 goto no_route;
         if (opt && opt->opt.is_strictroute && rt->rt_gateway)
                 goto route_err;
+        rcu_read_unlock();
         return &rt->dst;
 
 route_err:
         ip_rt_put(rt);
 no_route:
+        rcu_read_unlock();
         IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
         return NULL;
 }
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 147ccc3e93db..c196d749daf2 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1338,10 +1338,10 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
         iph->ihl = 5;
         iph->tos = inet->tos;
         iph->frag_off = df;
-        ip_select_ident(iph, &rt->dst, sk);
         iph->ttl = ttl;
         iph->protocol = sk->sk_protocol;
         ip_copy_addrs(iph, fl4);
+        ip_select_ident(iph, &rt->dst, sk);
 
         if (opt) {
                 iph->ihl += opt->optlen>>2;
diff --git a/net/ipv4/netfilter/nf_nat_sip.c b/net/ipv4/netfilter/nf_nat_sip.c
index ea4a23813d26..4ad9cf173992 100644
--- a/net/ipv4/netfilter/nf_nat_sip.c
+++ b/net/ipv4/netfilter/nf_nat_sip.c
@@ -148,7 +148,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
         if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
                                     hdr, NULL, &matchoff, &matchlen,
                                     &addr, &port) > 0) {
-                unsigned int matchend, poff, plen, buflen, n;
+                unsigned int olen, matchend, poff, plen, buflen, n;
                 char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
 
                 /* We're only interested in headers related to this
@@ -163,17 +163,18 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
                                 goto next;
                 }
 
+                olen = *datalen;
                 if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen,
                               &addr, port))
                         return NF_DROP;
 
-                matchend = matchoff + matchlen;
+                matchend = matchoff + matchlen + *datalen - olen;
 
                 /* The maddr= parameter (RFC 2361) specifies where to send
                  * the reply. */
                 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
                                                "maddr=", &poff, &plen,
-                                               &addr) > 0 &&
+                                               &addr, true) > 0 &&
                     addr.ip == ct->tuplehash[dir].tuple.src.u3.ip &&
                     addr.ip != ct->tuplehash[!dir].tuple.dst.u3.ip) {
                         buflen = sprintf(buffer, "%pI4",
@@ -187,7 +188,7 @@ static unsigned int ip_nat_sip(struct sk_buff *skb, unsigned int dataoff,
                  * from which the server received the request. */
                 if (ct_sip_parse_address_param(ct, *dptr, matchend, *datalen,
                                                "received=", &poff, &plen,
-                                               &addr) > 0 &&
+                                               &addr, false) > 0 &&
                     addr.ip == ct->tuplehash[dir].tuple.dst.u3.ip &&
                     addr.ip != ct->tuplehash[!dir].tuple.src.u3.ip) {
                         buflen = sprintf(buffer, "%pI4",
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index e4ba974f143c..fd9ecb52c66b 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2028,7 +2028,6 @@ struct rtable *__ip_route_output_key(struct net *net, struct flowi4 *fl4)
                 }
                 dev_out = net->loopback_dev;
                 fl4->flowi4_oif = dev_out->ifindex;
-                res.fi = NULL;
                 flags |= RTCF_LOCAL;
                 goto make_route;
         }
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 767823764016..00a748d14062 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -417,10 +417,12 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
 
                 if (code == ICMP_FRAG_NEEDED) { /* PMTU discovery (RFC1191) */
                         tp->mtu_info = info;
-                        if (!sock_owned_by_user(sk))
+                        if (!sock_owned_by_user(sk)) {
                                 tcp_v4_mtu_reduced(sk);
-                        else
-                                set_bit(TCP_MTU_REDUCED_DEFERRED, &tp->tsq_flags);
+                        } else {
+                                if (!test_and_set_bit(TCP_MTU_REDUCED_DEFERRED, &tp->tsq_flags))
+                                        sock_hold(sk);
+                        }
                         goto out;
                 }
 
@@ -1462,6 +1464,7 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
                 goto exit_nonewsk;
 
         newsk->sk_gso_type = SKB_GSO_TCPV4;
+        inet_sk_rx_dst_set(newsk, skb);
 
         newtp                 = tcp_sk(newsk);
         newinet               = inet_sk(newsk);
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index d9c9dcef2de3..6ff7f10dce9d 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -387,8 +387,6 @@ struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req,
                 struct tcp_sock *oldtp = tcp_sk(sk);
                 struct tcp_cookie_values *oldcvp = oldtp->cookie_values;
 
-                newicsk->icsk_af_ops->sk_rx_dst_set(newsk, skb);
-
                 /* TCP Cookie Transactions require space for the cookie pair,
                  * as it differs for each connection.  There is no need to
                  * copy any s_data_payload stored at the original socket.
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 20dfd892c86f..d04632673a9e 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -910,14 +910,18 @@ void tcp_release_cb(struct sock *sk)
         if (flags & (1UL << TCP_TSQ_DEFERRED))
                 tcp_tsq_handler(sk);
 
-        if (flags & (1UL << TCP_WRITE_TIMER_DEFERRED))
+        if (flags & (1UL << TCP_WRITE_TIMER_DEFERRED)) {
                 tcp_write_timer_handler(sk);
-
-        if (flags & (1UL << TCP_DELACK_TIMER_DEFERRED))
+                __sock_put(sk);
+        }
+        if (flags & (1UL << TCP_DELACK_TIMER_DEFERRED)) {
                 tcp_delack_timer_handler(sk);
-
-        if (flags & (1UL << TCP_MTU_REDUCED_DEFERRED))
+                __sock_put(sk);
+        }
+        if (flags & (1UL << TCP_MTU_REDUCED_DEFERRED)) {
                 sk->sk_prot->mtu_reduced(sk);
+                __sock_put(sk);
+        }
 }
 EXPORT_SYMBOL(tcp_release_cb);
 
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 6df36ad55a38..b774a03bd1dc 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -252,7 +252,8 @@ static void tcp_delack_timer(unsigned long data)
                 inet_csk(sk)->icsk_ack.blocked = 1;
                 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKLOCKED);
                 /* deleguate our work to tcp_release_cb() */
-                set_bit(TCP_WRITE_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags);
+                if (!test_and_set_bit(TCP_DELACK_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags))
+                        sock_hold(sk);
         }
         bh_unlock_sock(sk);
         sock_put(sk);
@@ -481,7 +482,8 @@ static void tcp_write_timer(unsigned long data)
                 tcp_write_timer_handler(sk);
         } else {
                 /* deleguate our work to tcp_release_cb() */
-                set_bit(TCP_WRITE_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags);
+                if (!test_and_set_bit(TCP_WRITE_TIMER_DEFERRED, &tcp_sk(sk)->tsq_flags))
+                        sock_hold(sk);
         }
         bh_unlock_sock(sk);
         sock_put(sk);
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 79181819a24f..6bc85f7c31e3 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -494,8 +494,7 @@ static void addrconf_forward_change(struct net *net, __s32 newf)
         struct net_device *dev;
         struct inet6_dev *idev;
 
-        rcu_read_lock();
-        for_each_netdev_rcu(net, dev) {
+        for_each_netdev(net, dev) {
                 idev = __in6_dev_get(dev);
                 if (idev) {
                         int changed = (!idev->cnf.forwarding) ^ (!newf);
@@ -504,7 +503,6 @@ static void addrconf_forward_change(struct net *net, __s32 newf)
                                 dev_forward_change(idev);
                 }
         }
-        rcu_read_unlock();
 }
 
 static int addrconf_fixup_forwarding(struct ctl_table *table, int *p, int newf)
diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
index da2e92d05c15..745a32042950 100644
--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -307,10 +307,10 @@ static int __net_init ipv6_proc_init_net(struct net *net)
                 goto proc_dev_snmp6_fail;
         return 0;
 
+proc_dev_snmp6_fail:
+        proc_net_remove(net, "snmp6");
 proc_snmp6_fail:
         proc_net_remove(net, "sockstat6");
-proc_dev_snmp6_fail:
-        proc_net_remove(net, "dev_snmp6");
         return -ENOMEM;
 }
 
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index bb9ce2b2f377..a3e60cc04a8a 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -94,6 +94,18 @@ static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
 }
 #endif
 
+static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
+{
+        struct dst_entry *dst = skb_dst(skb);
+        const struct rt6_info *rt = (const struct rt6_info *)dst;
+
+        dst_hold(dst);
+        sk->sk_rx_dst = dst;
+        inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
+        if (rt->rt6i_node)
+                inet6_sk(sk)->rx_dst_cookie = rt->rt6i_node->fn_sernum;
+}
+
 static void tcp_v6_hash(struct sock *sk)
 {
         if (sk->sk_state != TCP_CLOSE) {
@@ -1270,6 +1282,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
 
         newsk->sk_gso_type = SKB_GSO_TCPV6;
         __ip6_dst_store(newsk, dst, NULL, NULL);
+        inet6_sk_rx_dst_set(newsk, skb);
 
         newtcp6sk = (struct tcp6_sock *)newsk;
         inet_sk(newsk)->pinet6 = &newtcp6sk->inet6;
@@ -1729,18 +1742,6 @@ static struct timewait_sock_ops tcp6_timewait_sock_ops = {
         .twsk_destructor= tcp_twsk_destructor,
 };
 
-static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
-{
-        struct dst_entry *dst = skb_dst(skb);
-        const struct rt6_info *rt = (const struct rt6_info *)dst;
-
-        dst_hold(dst);
-        sk->sk_rx_dst = dst;
-        inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
-        if (rt->rt6i_node)
-                inet6_sk(sk)->rx_dst_cookie = rt->rt6i_node->fn_sernum;
-}
-
 static const struct inet_connection_sock_af_ops ipv6_specific = {
         .queue_xmit        = inet6_csk_xmit,
         .send_check        = tcp_v6_send_check,
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index ef39812107b1..f8c4c08ffb60 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -73,6 +73,13 @@ static int xfrm6_get_tos(const struct flowi *fl)
         return 0;
 }
 
+static void xfrm6_init_dst(struct net *net, struct xfrm_dst *xdst)
+{
+        struct rt6_info *rt = (struct rt6_info *)xdst;
+
+        rt6_init_peer(rt, net->ipv6.peers);
+}
+
 static int xfrm6_init_path(struct xfrm_dst *path, struct dst_entry *dst,
                            int nfheader_len)
 {
@@ -286,6 +293,7 @@ static struct xfrm_policy_afinfo xfrm6_policy_afinfo = {
         .get_saddr =            xfrm6_get_saddr,
         .decode_session =       _decode_session6,
         .get_tos =              xfrm6_get_tos,
+        .init_dst =             xfrm6_init_dst,
         .init_path =            xfrm6_init_path,
         .fill_dst =             xfrm6_fill_dst,
         .blackhole_route =      ip6_blackhole_route,
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 35e1e4bde587..927547171bc7 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -410,6 +410,7 @@ static int l2tp_ip6_getname(struct socket *sock, struct sockaddr *uaddr,
         lsa->l2tp_family = AF_INET6;
         lsa->l2tp_flowinfo = 0;
         lsa->l2tp_scope_id = 0;
+        lsa->l2tp_unused = 0;
         if (peer) {
                 if (!lsk->peer_conn_id)
                         return -ENOTCONN;
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index f6fe4d400502..c2190005a114 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -969,14 +969,13 @@ static int llc_ui_getname(struct socket *sock, struct sockaddr *uaddr,
         struct sockaddr_llc sllc;
         struct sock *sk = sock->sk;
         struct llc_sock *llc = llc_sk(sk);
-        int rc = 0;
+        int rc = -EBADF;
 
         memset(&sllc, 0, sizeof(sllc));
         lock_sock(sk);
         if (sock_flag(sk, SOCK_ZAPPED))
                 goto out;
         *uaddrlen = sizeof(sllc);
-        memset(uaddr, 0, *uaddrlen);
         if (peer) {
                 rc = -ENOTCONN;
                 if (sk->sk_state != TCP_ESTABLISHED)
@@ -1206,7 +1205,7 @@ static int __init llc2_init(void)
         rc = llc_proc_init();
         if (rc != 0) {
                 printk(llc_proc_err_msg);
-                goto out_unregister_llc_proto;
+                goto out_station;
         }
         rc = llc_sysctl_init();
         if (rc) {
@@ -1226,7 +1225,8 @@ out_sysctl:
         llc_sysctl_exit();
 out_proc:
         llc_proc_exit();
-out_unregister_llc_proto:
+out_station:
+        llc_station_exit();
         proto_unregister(&llc_proto);
         goto out;
 }
diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
index e32cab44ea95..dd3e83328ad5 100644
--- a/net/llc/llc_input.c
+++ b/net/llc/llc_input.c
@@ -42,6 +42,7 @@ static void (*llc_type_handlers[2])(struct llc_sap *sap,
 void llc_add_pack(int type, void (*handler)(struct llc_sap *sap,
                                             struct sk_buff *skb))
 {
+        smp_wmb(); /* ensure initialisation is complete before it's called */
         if (type == LLC_DEST_SAP || type == LLC_DEST_CONN)
                 llc_type_handlers[type - 1] = handler;
 }
@@ -50,11 +51,19 @@ void llc_remove_pack(int type)
 {
         if (type == LLC_DEST_SAP || type == LLC_DEST_CONN)
                 llc_type_handlers[type - 1] = NULL;
+        synchronize_net();
 }
 
 void llc_set_station_handler(void (*handler)(struct sk_buff *skb))
 {
+        /* Ensure initialisation is complete before it's called */
+        if (handler)
+                smp_wmb();
+
         llc_station_handler = handler;
+
+        if (!handler)
+                synchronize_net();
 }
 
 /**
@@ -150,6 +159,8 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
         int dest;
         int (*rcv)(struct sk_buff *, struct net_device *,
                    struct packet_type *, struct net_device *);
+        void (*sta_handler)(struct sk_buff *skb);
+        void (*sap_handler)(struct llc_sap *sap, struct sk_buff *skb);
 
         if (!net_eq(dev_net(dev), &init_net))
                 goto drop;
@@ -182,7 +193,8 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
          */
         rcv = rcu_dereference(sap->rcv_func);
         dest = llc_pdu_type(skb);
-        if (unlikely(!dest || !llc_type_handlers[dest - 1])) {
+        sap_handler = dest ? ACCESS_ONCE(llc_type_handlers[dest - 1]) : NULL;
+        if (unlikely(!sap_handler)) {
                 if (rcv)
                         rcv(skb, dev, pt, orig_dev);
                 else
@@ -193,7 +205,7 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
                         if (cskb)
                                 rcv(cskb, dev, pt, orig_dev);
                 }
-                llc_type_handlers[dest - 1](sap, skb);
+                sap_handler(sap, skb);
         }
         llc_sap_put(sap);
 out:
@@ -202,9 +214,10 @@ drop:
         kfree_skb(skb);
         goto out;
 handle_station:
-        if (!llc_station_handler)
+        sta_handler = ACCESS_ONCE(llc_station_handler);
+        if (!sta_handler)
                 goto drop;
-        llc_station_handler(skb);
+        sta_handler(skb);
         goto out;
 }
 
diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c
index 6828e39ec2ec..b2f2bac2c2a2 100644
--- a/net/llc/llc_station.c
+++ b/net/llc/llc_station.c
@@ -687,12 +687,8 @@ static void llc_station_rcv(struct sk_buff *skb)
         llc_station_state_process(skb);
 }
 
-int __init llc_station_init(void)
+void __init llc_station_init(void)
 {
-        int rc = -ENOBUFS;
-        struct sk_buff *skb;
-        struct llc_station_state_ev *ev;
-
         skb_queue_head_init(&llc_main_station.mac_pdu_q);
         skb_queue_head_init(&llc_main_station.ev_q.list);
         spin_lock_init(&llc_main_station.ev_q.lock);
@@ -700,23 +696,12 @@ int __init llc_station_init(void)
                         (unsigned long)&llc_main_station);
         llc_main_station.ack_timer.expires  = jiffies +
                                                 sysctl_llc_station_ack_timeout;
-        skb = alloc_skb(0, GFP_ATOMIC);
-        if (!skb)
-                goto out;
-        rc = 0;
-        llc_set_station_handler(llc_station_rcv);
-        ev = llc_station_ev(skb);
-        memset(ev, 0, sizeof(*ev));
         llc_main_station.maximum_retry  = 1;
-        llc_main_station.state          = LLC_STATION_STATE_DOWN;
-        ev->type        = LLC_STATION_EV_TYPE_SIMPLE;
-        ev->prim_type   = LLC_STATION_EV_ENABLE_WITHOUT_DUP_ADDR_CHECK;
-        rc = llc_station_next_state(skb);
-out:
-        return rc;
+        llc_main_station.state          = LLC_STATION_STATE_UP;
+        llc_set_station_handler(llc_station_rcv);
 }
 
-void __exit llc_station_exit(void)
+void llc_station_exit(void)
 {
         llc_set_station_handler(NULL);
 }
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 84444dda194b..72bf32a84874 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2759,6 +2759,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
         {
                 struct ip_vs_timeout_user t;
 
+                memset(&t, 0, sizeof(t));
                 __ip_vs_get_timeouts(net, &t);
                 if (copy_to_user(user, &t, sizeof(t)) != 0)
                         ret = -EFAULT;
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 45cf602a76bc..527651a53a45 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -361,23 +361,6 @@ static void evict_oldest_expect(struct nf_conn *master,
         }
 }
 
-static inline int refresh_timer(struct nf_conntrack_expect *i)
-{
-        struct nf_conn_help *master_help = nfct_help(i->master);
-        const struct nf_conntrack_expect_policy *p;
-
-        if (!del_timer(&i->timeout))
-                return 0;
-
-        p = &rcu_dereference_protected(
-                master_help->helper,
-                lockdep_is_held(&nf_conntrack_lock)
-                )->expect_policy[i->class];
-        i->timeout.expires = jiffies + p->timeout * HZ;
-        add_timer(&i->timeout);
-        return 1;
-}
-
 static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
 {
         const struct nf_conntrack_expect_policy *p;
@@ -386,7 +369,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
         struct nf_conn_help *master_help = nfct_help(master);
         struct nf_conntrack_helper *helper;
         struct net *net = nf_ct_exp_net(expect);
-        struct hlist_node *n;
+        struct hlist_node *n, *next;
         unsigned int h;
         int ret = 1;
 
@@ -395,12 +378,12 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
                 goto out;
         }
         h = nf_ct_expect_dst_hash(&expect->tuple);
-        hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
+        hlist_for_each_entry_safe(i, n, next, &net->ct.expect_hash[h], hnode) {
                 if (expect_matches(i, expect)) {
-                        /* Refresh timer: if it's dying, ignore.. */
-                        if (refresh_timer(i)) {
-                                ret = 0;
-                                goto out;
+                        if (del_timer(&i->timeout)) {
+                                nf_ct_unlink_expect(i);
+                                nf_ct_expect_put(i);
+                                break;
                         }
                 } else if (expect_clash(i, expect)) {
                         ret = -EBUSY;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 14f67a2cbcb5..da4fc37a8578 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1896,10 +1896,15 @@ static int
 ctnetlink_nfqueue_parse(const struct nlattr *attr, struct nf_conn *ct)
 {
         struct nlattr *cda[CTA_MAX+1];
+        int ret;
 
         nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy);
 
-        return ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct);
+        spin_lock_bh(&nf_conntrack_lock);
+        ret = ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct);
+        spin_unlock_bh(&nf_conntrack_lock);
+
+        return ret;
 }
 
 static struct nfq_ct_hook ctnetlink_nfqueue_hook = {
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 758a1bacc126..5c0a112aeee6 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -183,12 +183,12 @@ static int media_len(const struct nf_conn *ct, const char *dptr,
         return len + digits_len(ct, dptr, limit, shift);
 }
 
-static int parse_addr(const struct nf_conn *ct, const char *cp,
-                      const char **endp, union nf_inet_addr *addr,
-                      const char *limit)
+static int sip_parse_addr(const struct nf_conn *ct, const char *cp,
+                          const char **endp, union nf_inet_addr *addr,
+                          const char *limit, bool delim)
 {
         const char *end;
-        int ret = 0;
+        int ret;
 
         if (!ct)
                 return 0;
@@ -197,16 +197,28 @@ static int parse_addr(const struct nf_conn *ct, const char *cp,
         switch (nf_ct_l3num(ct)) {
         case AF_INET:
                 ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
+                if (ret == 0)
+                        return 0;
                 break;
         case AF_INET6:
+                if (cp < limit && *cp == '[')
+                        cp++;
+                else if (delim)
+                        return 0;
+
                 ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
+                if (ret == 0)
+                        return 0;
+
+                if (end < limit && *end == ']')
+                        end++;
+                else if (delim)
+                        return 0;
                 break;
         default:
                 BUG();
         }
 
-        if (ret == 0 || end == cp)
-                return 0;
         if (endp)
                 *endp = end;
         return 1;
@@ -219,7 +231,7 @@ static int epaddr_len(const struct nf_conn *ct, const char *dptr,
         union nf_inet_addr addr;
         const char *aux = dptr;
 
-        if (!parse_addr(ct, dptr, &dptr, &addr, limit)) {
+        if (!sip_parse_addr(ct, dptr, &dptr, &addr, limit, true)) {
                 pr_debug("ip: %s parse failed.!\n", dptr);
                 return 0;
         }
@@ -296,7 +308,7 @@ int ct_sip_parse_request(const struct nf_conn *ct,
                 return 0;
         dptr += shift;
 
-        if (!parse_addr(ct, dptr, &end, addr, limit))
+        if (!sip_parse_addr(ct, dptr, &end, addr, limit, true))
                 return -1;
         if (end < limit && *end == ':') {
                 end++;
@@ -550,7 +562,7 @@ int ct_sip_parse_header_uri(const struct nf_conn *ct, const char *dptr,
         if (ret == 0)
                 return ret;
 
-        if (!parse_addr(ct, dptr + *matchoff, &c, addr, limit))
+        if (!sip_parse_addr(ct, dptr + *matchoff, &c, addr, limit, true))
                 return -1;
         if (*c == ':') {
                 c++;
@@ -599,7 +611,7 @@ int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
                                unsigned int dataoff, unsigned int datalen,
                                const char *name,
                                unsigned int *matchoff, unsigned int *matchlen,
-                               union nf_inet_addr *addr)
+                               union nf_inet_addr *addr, bool delim)
 {
         const char *limit = dptr + datalen;
         const char *start, *end;
@@ -613,7 +625,7 @@ int ct_sip_parse_address_param(const struct nf_conn *ct, const char *dptr,
                 return 0;
 
         start += strlen(name);
-        if (!parse_addr(ct, start, &end, addr, limit))
+        if (!sip_parse_addr(ct, start, &end, addr, limit, delim))
                 return 0;
         *matchoff = start - dptr;
         *matchlen = end - start;
@@ -675,6 +687,47 @@ static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
         return 1;
 }
 
+static int sdp_parse_addr(const struct nf_conn *ct, const char *cp,
+                          const char **endp, union nf_inet_addr *addr,
+                          const char *limit)
+{
+        const char *end;
+        int ret;
+
+        memset(addr, 0, sizeof(*addr));
+        switch (nf_ct_l3num(ct)) {
+        case AF_INET:
+                ret = in4_pton(cp, limit - cp, (u8 *)&addr->ip, -1, &end);
+                break;
+        case AF_INET6:
+                ret = in6_pton(cp, limit - cp, (u8 *)&addr->ip6, -1, &end);
+                break;
+        default:
+                BUG();
+        }
+
+        if (ret == 0)
+                return 0;
+        if (endp)
+                *endp = end;
+        return 1;
+}
+
+/* skip ip address. returns its length. */
+static int sdp_addr_len(const struct nf_conn *ct, const char *dptr,
+                        const char *limit, int *shift)
+{
+        union nf_inet_addr addr;
+        const char *aux = dptr;
+
+        if (!sdp_parse_addr(ct, dptr, &dptr, &addr, limit)) {
+                pr_debug("ip: %s parse failed.!\n", dptr);
+                return 0;
+        }
+
+        return dptr - aux;
+}
+
 /* SDP header parsing: a SDP session description contains an ordered set of
  * headers, starting with a section containing general session parameters,
  * optionally followed by multiple media descriptions.
@@ -686,10 +739,10 @@ static int ct_sip_parse_transport(struct nf_conn *ct, const char *dptr,
  */
 static const struct sip_header ct_sdp_hdrs[] = {
         [SDP_HDR_VERSION]               = SDP_HDR("v=", NULL, digits_len),
-        [SDP_HDR_OWNER_IP4]             = SDP_HDR("o=", "IN IP4 ", epaddr_len),
-        [SDP_HDR_CONNECTION_IP4]        = SDP_HDR("c=", "IN IP4 ", epaddr_len),
-        [SDP_HDR_OWNER_IP6]             = SDP_HDR("o=", "IN IP6 ", epaddr_len),
-        [SDP_HDR_CONNECTION_IP6]        = SDP_HDR("c=", "IN IP6 ", epaddr_len),
+        [SDP_HDR_OWNER_IP4]             = SDP_HDR("o=", "IN IP4 ", sdp_addr_len),
+        [SDP_HDR_CONNECTION_IP4]        = SDP_HDR("c=", "IN IP4 ", sdp_addr_len),
+        [SDP_HDR_OWNER_IP6]             = SDP_HDR("o=", "IN IP6 ", sdp_addr_len),
+        [SDP_HDR_CONNECTION_IP6]        = SDP_HDR("c=", "IN IP6 ", sdp_addr_len),
         [SDP_HDR_MEDIA]                 = SDP_HDR("m=", NULL, media_len),
 };
 
@@ -775,8 +828,8 @@ static int ct_sip_parse_sdp_addr(const struct nf_conn *ct, const char *dptr,
         if (ret <= 0)
                 return ret;
 
-        if (!parse_addr(ct, dptr + *matchoff, NULL, addr,
-                        dptr + *matchoff + *matchlen))
+        if (!sdp_parse_addr(ct, dptr + *matchoff, NULL, addr,
+                            dptr + *matchoff + *matchlen))
                 return -1;
         return 1;
 }
@@ -1515,7 +1568,6 @@ static int sip_help_udp(struct sk_buff *skb, unsigned int protoff,
 }
 
 static struct nf_conntrack_helper sip[MAX_PORTS][4] __read_mostly;
-static char sip_names[MAX_PORTS][4][sizeof("sip-65535")] __read_mostly;
 
 static const struct nf_conntrack_expect_policy sip_exp_policy[SIP_EXPECT_MAX + 1] = {
         [SIP_EXPECT_SIGNALLING] = {
@@ -1585,9 +1637,9 @@ static int __init nf_conntrack_sip_init(void)
                         sip[i][j].me = THIS_MODULE;
 
                         if (ports[i] == SIP_PORT)
-                                sprintf(sip_names[i][j], "sip");
+                                sprintf(sip[i][j].name, "sip");
                         else
-                                sprintf(sip_names[i][j], "sip-%u", i);
+                                sprintf(sip[i][j].name, "sip-%u", i);
 
                         pr_debug("port #%u: %u\n", i, ports[i]);
 
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 5463969da45b..1445d73533ed 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1362,7 +1362,7 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
         if (NULL == siocb->scm)
                 siocb->scm = &scm;
 
-        err = scm_send(sock, msg, siocb->scm);
+        err = scm_send(sock, msg, siocb->scm, true);
         if (err < 0)
                 return err;
 
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 8ac890a1a4c0..aee7196aac36 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1273,6 +1273,14 @@ static void __fanout_unlink(struct sock *sk, struct packet_sock *po)
         spin_unlock(&f->lock);
 }
 
+bool match_fanout_group(struct packet_type *ptype, struct sock * sk)
+{
+        if (ptype->af_packet_priv == (void*)((struct packet_sock *)sk)->fanout)
+                return true;
+
+        return false;
+}
+
 static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
 {
         struct packet_sock *po = pkt_sk(sk);
@@ -1325,6 +1333,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
                 match->prot_hook.dev = po->prot_hook.dev;
                 match->prot_hook.func = packet_rcv_fanout;
                 match->prot_hook.af_packet_priv = match;
+                match->prot_hook.id_match = match_fanout_group;
                 dev_add_pack(&match->prot_hook);
                 list_add(&match->list, &fanout_list);
         }
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index fe81cc18e9e0..9c0fd0c78814 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -200,13 +200,12 @@ static int tcf_mirred(struct sk_buff *skb, const struct tc_action *a,
 out:
         if (err) {
                 m->tcf_qstats.overlimits++;
-                /* should we be asking for packet to be dropped?
-                 * may make sense for redirect case only
-                 */
-                retval = TC_ACT_SHOT;
-        } else {
+                if (m->tcfm_eaction != TCA_EGRESS_MIRROR)
+                        retval = TC_ACT_SHOT;
+                else
+                        retval = m->tcf_action;
+        } else
                 retval = m->tcf_action;
-        }
         spin_unlock(&m->tcf_lock);
 
         return retval;
diff --git a/net/socket.c b/net/socket.c
index dfe5b66c97e0..a5471f804d99 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2657,6 +2657,7 @@ static int dev_ifconf(struct net *net, struct compat_ifconf __user *uifc32)
         if (copy_from_user(&ifc32, uifc32, sizeof(struct compat_ifconf)))
                 return -EFAULT;
 
+        memset(&ifc, 0, sizeof(ifc));
         if (ifc32.ifcbuf == 0) {
                 ifc32.ifc_len = 0;
                 ifc.ifc_len = 0;
diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index 88f2bf671960..bac973a31367 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -316,7 +316,6 @@ static bool svc_xprt_has_something_to_do(struct svc_xprt *xprt)
  */
 void svc_xprt_enqueue(struct svc_xprt *xprt)
 {
-        struct svc_serv *serv = xprt->xpt_server;
         struct svc_pool *pool;
         struct svc_rqst *rqstp;
         int cpu;
@@ -362,8 +361,6 @@ void svc_xprt_enqueue(struct svc_xprt *xprt)
                                 rqstp, rqstp->rq_xprt);
                 rqstp->rq_xprt = xprt;
                 svc_xprt_get(xprt);
-                rqstp->rq_reserved = serv->sv_max_mesg;
-                atomic_add(rqstp->rq_reserved, &xprt->xpt_reserved);
                 pool->sp_stats.threads_woken++;
                 wake_up(&rqstp->rq_wait);
         } else {
@@ -640,8 +637,6 @@ int svc_recv(struct svc_rqst *rqstp, long timeout)
         if (xprt) {
                 rqstp->rq_xprt = xprt;
                 svc_xprt_get(xprt);
-                rqstp->rq_reserved = serv->sv_max_mesg;
-                atomic_add(rqstp->rq_reserved, &xprt->xpt_reserved);
 
                 /* As there is a shortage of threads and this request
                  * had to be queued, don't allow the thread to wait so
@@ -738,6 +733,8 @@ int svc_recv(struct svc_rqst *rqstp, long timeout)
                 else
                         len = xprt->xpt_ops->xpo_recvfrom(rqstp);
                 dprintk("svc: got len=%d\n", len);
+                rqstp->rq_reserved = serv->sv_max_mesg;
+                atomic_add(rqstp->rq_reserved, &xprt->xpt_reserved);
         }
         svc_xprt_received(xprt);
 
@@ -794,7 +791,8 @@ int svc_send(struct svc_rqst *rqstp)
 
         /* Grab mutex to serialize outgoing data. */
         mutex_lock(&xprt->xpt_mutex);
-        if (test_bit(XPT_DEAD, &xprt->xpt_flags))
+        if (test_bit(XPT_DEAD, &xprt->xpt_flags)
+                        || test_bit(XPT_CLOSE, &xprt->xpt_flags))
                 len = -ENOTCONN;
         else
                 len = xprt->xpt_ops->xpo_sendto(rqstp);
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index 18bc130255a7..998aa8c1807c 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -1129,9 +1129,9 @@ static int svc_tcp_recvfrom(struct svc_rqst *rqstp)
         if (len >= 0)
                 svsk->sk_tcplen += len;
         if (len != want) {
+                svc_tcp_save_pages(svsk, rqstp);
                 if (len < 0 && len != -EAGAIN)
                         goto err_other;
-                svc_tcp_save_pages(svsk, rqstp);
                 dprintk("svc: incomplete TCP record (%d of %d)\n",
                         svsk->sk_tcplen, svsk->sk_reclen);
                 goto err_noclose;
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index e4768c180da2..c5ee4ff61364 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1450,7 +1450,7 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
         if (NULL == siocb->scm)
                 siocb->scm = &tmp_scm;
         wait_for_unix_gc();
-        err = scm_send(sock, msg, siocb->scm);
+        err = scm_send(sock, msg, siocb->scm, false);
         if (err < 0)
                 return err;
 
@@ -1619,7 +1619,7 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
         if (NULL == siocb->scm)
                 siocb->scm = &tmp_scm;
         wait_for_unix_gc();
-        err = scm_send(sock, msg, siocb->scm);
+        err = scm_send(sock, msg, siocb->scm, false);
         if (err < 0)
                 return err;
 
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index c5a5165a5927..5a2aa17e4d3c 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1357,6 +1357,8 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
 
                 memset(dst + 1, 0, sizeof(*xdst) - sizeof(*dst));
                 xdst->flo.ops = &xfrm_bundle_fc_ops;
+                if (afinfo->init_dst)
+                        afinfo->init_dst(net, xdst);
         } else
                 xdst = ERR_PTR(-ENOBUFS);