639 files changed, 47782 insertions, 23237 deletions
diff --git a/net/802/garp.c b/net/802/garp.c
index c1df2dad8c6b..16102951d36a 100644
--- a/net/802/garp.c
+++ b/net/802/garp.c
@@ -554,8 +554,7 @@ static void garp_release_port(struct net_device *dev)
                        return;
        }
        rcu_assign_pointer(dev->garp_port, NULL);
-        synchronize_rcu();
+        kfree_rcu(port, rcu);
-        kfree(port);
 }
 int garp_init_applicant(struct net_device *dev, struct garp_application *appl)
@@ -607,7 +606,6 @@ void garp_uninit_applicant(struct net_device *dev, struct garp_application *appl
        ASSERT_RTNL();
        rcu_assign_pointer(port->applicants[appl->type], NULL);
-        synchronize_rcu();
        /* Delete timer and generate a final TRANSMIT_PDU event to flush out
         * all pending messages before the applicant is gone. */
@@ -617,7 +615,7 @@ void garp_uninit_applicant(struct net_device *dev, struct garp_application *appl
        garp_queue_xmit(app);
        dev_mc_del(dev, appl->proto.group_address);
-        kfree(app);
+        kfree_rcu(app, rcu);
        garp_release_port(dev);
 }
 EXPORT_SYMBOL_GPL(garp_uninit_applicant);
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 6e64f7c6a2e9..b2274d1fd605 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -49,11 +49,6 @@ const char vlan_version[] = DRV_VERSION;
 static const char vlan_copyright[] = "Ben Greear <greearb@candelatech.com>";
 static const char vlan_buggyright[] = "David S. Miller <davem@redhat.com>";
-static struct packet_type vlan_packet_type __read_mostly = {
-        .type = cpu_to_be16(ETH_P_8021Q),
-        .func = vlan_skb_recv, /* VLAN receive method */
-};
 /* End of global variables definitions. */
 static void vlan_group_free(struct vlan_group *grp)
@@ -124,10 +119,14 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head)
        grp->nr_vlans--;
-        vlan_group_set_device(grp, vlan_id, NULL);
+        if (vlan->flags & VLAN_FLAG_GVRP)
-        if (!grp->killall)
+                vlan_gvrp_request_leave(dev);
-                synchronize_net();
+        vlan_group_set_device(grp, vlan_id, NULL);
+        /* Because unregister_netdevice_queue() makes sure at least one rcu
+         * grace period is respected before device freeing,
+         * we dont need to call synchronize_net() here.
+         */
        unregister_netdevice_queue(dev, head);
        /* If the group is now empty, kill off the group. */
@@ -327,10 +326,6 @@ static void vlan_sync_address(struct net_device *dev,
 static void vlan_transfer_features(struct net_device *dev,
                                   struct net_device *vlandev)
 {
-        unsigned long old_features = vlandev->features;
-        vlandev->features &= ~dev->vlan_features;
-        vlandev->features |= dev->features & dev->vlan_features;
        vlandev->gso_max_size = dev->gso_max_size;
        if (dev->features & NETIF_F_HW_VLAN_TX)
@@ -341,8 +336,8 @@ static void vlan_transfer_features(struct net_device *dev,
 #if defined(CONFIG_FCOE) || defined(CONFIG_FCOE_MODULE)
        vlandev->fcoe_ddp_xid = dev->fcoe_ddp_xid;
 #endif
-        if (old_features != vlandev->features)
-                netdev_features_change(vlandev);
+        netdev_update_features(vlandev);
 }
 static void __vlan_device_event(struct net_device *dev, unsigned long event)
@@ -487,9 +482,6 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event,
                if (dev->reg_state != NETREG_UNREGISTERING)
                        break;
-                /* Delete all VLANs for this dev. */
-                grp->killall = 1;
                for (i = 0; i < VLAN_N_VID; i++) {
                        vlandev = vlan_group_get_device(grp, i);
                        if (!vlandev)
@@ -508,6 +500,18 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event,
        case NETDEV_PRE_TYPE_CHANGE:
                /* Forbid underlaying device to change its type. */
                return NOTIFY_BAD;
+        case NETDEV_NOTIFY_PEERS:
+        case NETDEV_BONDING_FAILOVER:
+                /* Propagate to vlan devices */
+                for (i = 0; i < VLAN_N_VID; i++) {
+                        vlandev = vlan_group_get_device(grp, i);
+                        if (!vlandev)
+                                continue;
+                        call_netdevice_notifiers(event, vlandev);
+                }
+                break;
        }
 out:
@@ -688,7 +692,6 @@ static int __init vlan_proto_init(void)
        if (err < 0)
                goto err4;
-        dev_add_pack(&vlan_packet_type);
        vlan_ioctl_set(vlan_ioctl_handler);
        return 0;
@@ -709,8 +712,6 @@ static void __exit vlan_cleanup_module(void)
        unregister_netdevice_notifier(&vlan_notifier_block);
-        dev_remove_pack(&vlan_packet_type);
        unregister_pernet_subsys(&vlan_net_ops);
        rcu_barrier(); /* Wait for completion of call_rcu()'s */
diff --git a/net/8021q/vlan.h b/net/8021q/vlan.h
index 5687c9b95f33..c3408def8a19 100644
--- a/net/8021q/vlan.h
+++ b/net/8021q/vlan.h
@@ -75,8 +75,6 @@ static inline struct vlan_dev_info *vlan_dev_info(const struct net_device *dev)
 }
 /* found in vlan_dev.c */
-int vlan_skb_recv(struct sk_buff *skb, struct net_device *dev,
-                  struct packet_type *ptype, struct net_device *orig_dev);
 void vlan_dev_set_ingress_priority(const struct net_device *dev,
                                   u32 skb_prio, u16 vlan_prio);
 int vlan_dev_set_egress_priority(const struct net_device *dev,
diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index ce8e3ab3e7a5..41495dc2a4c9 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -4,7 +4,7 @@
 #include <linux/netpoll.h>
 #include "vlan.h"
-bool vlan_hwaccel_do_receive(struct sk_buff **skbp)
+bool vlan_do_receive(struct sk_buff **skbp)
 {
        struct sk_buff *skb = *skbp;
        u16 vlan_id = skb->vlan_tci & VLAN_VID_MASK;
@@ -88,3 +88,86 @@ gro_result_t vlan_gro_frags(struct napi_struct *napi, struct vlan_group *grp,
        return napi_gro_frags(napi);
 }
 EXPORT_SYMBOL(vlan_gro_frags);
+static struct sk_buff *vlan_check_reorder_header(struct sk_buff *skb)
+{
+        if (vlan_dev_info(skb->dev)->flags & VLAN_FLAG_REORDER_HDR) {
+                if (skb_cow(skb, skb_headroom(skb)) < 0)
+                        skb = NULL;
+                if (skb) {
+                        /* Lifted from Gleb's VLAN code... */
+                        memmove(skb->data - ETH_HLEN,
+                                skb->data - VLAN_ETH_HLEN, 12);
+                        skb->mac_header += VLAN_HLEN;
+                }
+        }
+        return skb;
+}
+static void vlan_set_encap_proto(struct sk_buff *skb, struct vlan_hdr *vhdr)
+{
+        __be16 proto;
+        unsigned char *rawp;
+        /*
+         * Was a VLAN packet, grab the encapsulated protocol, which the layer
+         * three protocols care about.
+         */
+        proto = vhdr->h_vlan_encapsulated_proto;
+        if (ntohs(proto) >= 1536) {
+                skb->protocol = proto;
+                return;
+        }
+        rawp = skb->data;
+        if (*(unsigned short *) rawp == 0xFFFF)
+                /*
+                 * This is a magic hack to spot IPX packets. Older Novell
+                 * breaks the protocol design and runs IPX over 802.3 without
+                 * an 802.2 LLC layer. We look for FFFF which isn't a used
+                 * 802.2 SSAP/DSAP. This won't work for fault tolerant netware
+                 * but does for the rest.
+                 */
+                skb->protocol = htons(ETH_P_802_3);
+        else
+                /*
+                 * Real 802.2 LLC
+                 */
+                skb->protocol = htons(ETH_P_802_2);
+}
+struct sk_buff *vlan_untag(struct sk_buff *skb)
+{
+        struct vlan_hdr *vhdr;
+        u16 vlan_tci;
+        if (unlikely(vlan_tx_tag_present(skb))) {
+                /* vlan_tci is already set-up so leave this for another time */
+                return skb;
+        }
+        skb = skb_share_check(skb, GFP_ATOMIC);
+        if (unlikely(!skb))
+                goto err_free;
+        if (unlikely(!pskb_may_pull(skb, VLAN_HLEN)))
+                goto err_free;
+        vhdr = (struct vlan_hdr *) skb->data;
+        vlan_tci = ntohs(vhdr->h_vlan_TCI);
+        __vlan_hwaccel_put_tag(skb, vlan_tci);
+        skb_pull_rcsum(skb, VLAN_HLEN);
+        vlan_set_encap_proto(skb, vhdr);
+        skb = vlan_check_reorder_header(skb);
+        if (unlikely(!skb))
+                goto err_free;
+        return skb;
+err_free:
+        kfree_skb(skb);
+        return NULL;
+}
diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index be737539f34d..f247f5bff88d 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -65,179 +65,6 @@ static int vlan_dev_rebuild_header(struct sk_buff *skb)
        return 0;
 }
-static inline struct sk_buff *vlan_check_reorder_header(struct sk_buff *skb)
-{
-        if (vlan_dev_info(skb->dev)->flags & VLAN_FLAG_REORDER_HDR) {
-                if (skb_cow(skb, skb_headroom(skb)) < 0)
-                        skb = NULL;
-                if (skb) {
-                        /* Lifted from Gleb's VLAN code... */
-                        memmove(skb->data - ETH_HLEN,
-                                skb->data - VLAN_ETH_HLEN, 12);
-                        skb->mac_header += VLAN_HLEN;
-                }
-        }
-        return skb;
-}
-static inline void vlan_set_encap_proto(struct sk_buff *skb,
-                struct vlan_hdr *vhdr)
-{
-        __be16 proto;
-        unsigned char *rawp;
-        /*
-         * Was a VLAN packet, grab the encapsulated protocol, which the layer
-         * three protocols care about.
-         */
-        proto = vhdr->h_vlan_encapsulated_proto;
-        if (ntohs(proto) >= 1536) {
-                skb->protocol = proto;
-                return;
-        }
-        rawp = skb->data;
-        if (*(unsigned short *)rawp == 0xFFFF)
-                /*
-                 * This is a magic hack to spot IPX packets. Older Novell
-                 * breaks the protocol design and runs IPX over 802.3 without
-                 * an 802.2 LLC layer. We look for FFFF which isn't a used
-                 * 802.2 SSAP/DSAP. This won't work for fault tolerant netware
-                 * but does for the rest.
-                 */
-                skb->protocol = htons(ETH_P_802_3);
-        else
-                /*
-                 * Real 802.2 LLC
-                 */
-                skb->protocol = htons(ETH_P_802_2);
-}
-/*
- *      Determine the packet's protocol ID. The rule here is that we
- *      assume 802.3 if the type field is short enough to be a length.
- *      This is normal practice and works for any 'now in use' protocol.
- *
- *  Also, at this point we assume that we ARE dealing exclusively with
- *  VLAN packets, or packets that should be made into VLAN packets based
- *  on a default VLAN ID.
- *
- *  NOTE:  Should be similar to ethernet/eth.c.
- *
- *  SANITY NOTE:  This method is called when a packet is moving up the stack
- *                towards userland.  To get here, it would have already passed
- *                through the ethernet/eth.c eth_type_trans() method.
- *  SANITY NOTE 2: We are referencing to the VLAN_HDR frields, which MAY be
- *                 stored UNALIGNED in the memory.  RISC systems don't like
- *                 such cases very much...
- *  SANITY NOTE 2a: According to Dave Miller & Alexey, it will always be
- *                  aligned, so there doesn't need to be any of the unaligned
- *                  stuff.  It has been commented out now...  --Ben
- *
- */
-int vlan_skb_recv(struct sk_buff *skb, struct net_device *dev,
-                  struct packet_type *ptype, struct net_device *orig_dev)
-{
-        struct vlan_hdr *vhdr;
-        struct vlan_pcpu_stats *rx_stats;
-        struct net_device *vlan_dev;
-        u16 vlan_id;
-        u16 vlan_tci;
-        skb = skb_share_check(skb, GFP_ATOMIC);
-        if (skb == NULL)
-                goto err_free;
-        if (unlikely(!pskb_may_pull(skb, VLAN_HLEN)))
-                goto err_free;
-        vhdr = (struct vlan_hdr *)skb->data;
-        vlan_tci = ntohs(vhdr->h_vlan_TCI);
-        vlan_id = vlan_tci & VLAN_VID_MASK;
-        rcu_read_lock();
-        vlan_dev = vlan_find_dev(dev, vlan_id);
-        /* If the VLAN device is defined, we use it.
-         * If not, and the VID is 0, it is a 802.1p packet (not
-         * really a VLAN), so we will just netif_rx it later to the
-         * original interface, but with the skb->proto set to the
-         * wrapped proto: we do nothing here.
-         */
-        if (!vlan_dev) {
-                if (vlan_id) {
-                        pr_debug("%s: ERROR: No net_device for VID: %u on dev: %s\n",
-                                 __func__, vlan_id, dev->name);
-                        goto err_unlock;
-                }
-                rx_stats = NULL;
-        } else {
-                skb->dev = vlan_dev;
-                rx_stats = this_cpu_ptr(vlan_dev_info(skb->dev)->vlan_pcpu_stats);
-                u64_stats_update_begin(&rx_stats->syncp);
-                rx_stats->rx_packets++;
-                rx_stats->rx_bytes += skb->len;
-                skb->priority = vlan_get_ingress_priority(skb->dev, vlan_tci);
-                pr_debug("%s: priority: %u for TCI: %hu\n",
-                         __func__, skb->priority, vlan_tci);
-                switch (skb->pkt_type) {
-                case PACKET_BROADCAST:
-                        /* Yeah, stats collect these together.. */
-                        /* stats->broadcast ++; // no such counter :-( */
-                        break;
-                case PACKET_MULTICAST:
-                        rx_stats->rx_multicast++;
-                        break;
-                case PACKET_OTHERHOST:
-                        /* Our lower layer thinks this is not local, let's make
-                         * sure.
-                         * This allows the VLAN to have a different MAC than the
-                         * underlying device, and still route correctly.
-                         */
-                        if (!compare_ether_addr(eth_hdr(skb)->h_dest,
-                                                skb->dev->dev_addr))
-                                skb->pkt_type = PACKET_HOST;
-                        break;
-                default:
-                        break;
-                }
-                u64_stats_update_end(&rx_stats->syncp);
-        }
-        skb_pull_rcsum(skb, VLAN_HLEN);
-        vlan_set_encap_proto(skb, vhdr);
-        if (vlan_dev) {
-                skb = vlan_check_reorder_header(skb);
-                if (!skb) {
-                        rx_stats->rx_errors++;
-                        goto err_unlock;
-                }
-        }
-        netif_rx(skb);
-        rcu_read_unlock();
-        return NET_RX_SUCCESS;
-err_unlock:
-        rcu_read_unlock();
-err_free:
-        atomic_long_inc(&dev->rx_dropped);
-        kfree_skb(skb);
-        return NET_RX_DROP;
-}
 static inline u16
 vlan_dev_get_egress_qos_mask(struct net_device *dev, struct sk_buff *skb)
 {
@@ -487,9 +314,6 @@ static int vlan_dev_stop(struct net_device *dev)
        struct vlan_dev_info *vlan = vlan_dev_info(dev);
        struct net_device *real_dev = vlan->real_dev;
-        if (vlan->flags & VLAN_FLAG_GVRP)
-                vlan_gvrp_request_leave(dev);
        dev_mc_unsync(real_dev, dev);
        dev_uc_unsync(real_dev, dev);
        if (dev->flags & IFF_ALLMULTI)
@@ -625,6 +449,19 @@ static int vlan_dev_fcoe_get_wwn(struct net_device *dev, u64 *wwn, int type)
                rc = ops->ndo_fcoe_get_wwn(real_dev, wwn, type);
        return rc;
 }
+static int vlan_dev_fcoe_ddp_target(struct net_device *dev, u16 xid,
+                                    struct scatterlist *sgl, unsigned int sgc)
+{
+        struct net_device *real_dev = vlan_dev_info(dev)->real_dev;
+        const struct net_device_ops *ops = real_dev->netdev_ops;
+        int rc = 0;
+        if (ops->ndo_fcoe_ddp_target)
+                rc = ops->ndo_fcoe_ddp_target(real_dev, xid, sgl, sgc);
+        return rc;
+}
 #endif
 static void vlan_dev_change_rx_flags(struct net_device *dev, int change)
@@ -691,8 +528,8 @@ static int vlan_dev_init(struct net_device *dev)
                                          (1<<__LINK_STATE_DORMANT))) |
                      (1<<__LINK_STATE_PRESENT);
-        dev->features |= real_dev->features & real_dev->vlan_features;
+        dev->hw_features = NETIF_F_ALL_TX_OFFLOADS;
-        dev->features |= NETIF_F_LLTX;
+        dev->features |= real_dev->vlan_features | NETIF_F_LLTX;
        dev->gso_max_size = real_dev->gso_max_size;
        /* ipv6 shared card related stuff */
@@ -707,6 +544,7 @@ static int vlan_dev_init(struct net_device *dev)
        dev->fcoe_ddp_xid = real_dev->fcoe_ddp_xid;
 #endif
+        dev->needed_headroom = real_dev->needed_headroom;
        if (real_dev->features & NETIF_F_HW_VLAN_TX) {
                dev->header_ops      = real_dev->header_ops;
                dev->hard_header_len = real_dev->hard_header_len;
@@ -745,6 +583,19 @@ static void vlan_dev_uninit(struct net_device *dev)
        }
 }
+static u32 vlan_dev_fix_features(struct net_device *dev, u32 features)
+{
+        struct net_device *real_dev = vlan_dev_info(dev)->real_dev;
+        features &= real_dev->features;
+        features &= real_dev->vlan_features;
+        if (dev_ethtool_get_rx_csum(real_dev))
+                features |= NETIF_F_RXCSUM;
+        features |= NETIF_F_LLTX;
+        return features;
+}
 static int vlan_ethtool_get_settings(struct net_device *dev,
                                     struct ethtool_cmd *cmd)
 {
@@ -760,18 +611,6 @@ static void vlan_ethtool_get_drvinfo(struct net_device *dev,
        strcpy(info->fw_version, "N/A");
 }
-static u32 vlan_ethtool_get_rx_csum(struct net_device *dev)
-{
-        const struct vlan_dev_info *vlan = vlan_dev_info(dev);
-        return dev_ethtool_get_rx_csum(vlan->real_dev);
-}
-static u32 vlan_ethtool_get_flags(struct net_device *dev)
-{
-        const struct vlan_dev_info *vlan = vlan_dev_info(dev);
-        return dev_ethtool_get_flags(vlan->real_dev);
-}
 static struct rtnl_link_stats64 *vlan_dev_get_stats64(struct net_device *dev, struct rtnl_link_stats64 *stats)
 {
@@ -809,32 +648,10 @@ static struct rtnl_link_stats64 *vlan_dev_get_stats64(struct net_device *dev, st
        return stats;
 }
-static int vlan_ethtool_set_tso(struct net_device *dev, u32 data)
-{
-       if (data) {
-                struct net_device *real_dev = vlan_dev_info(dev)->real_dev;
-                /* Underlying device must support TSO for VLAN-tagged packets
-                 * and must have TSO enabled now.
-                 */
-                if (!(real_dev->vlan_features & NETIF_F_TSO))
-                        return -EOPNOTSUPP;
-                if (!(real_dev->features & NETIF_F_TSO))
-                        return -EINVAL;
-                dev->features |= NETIF_F_TSO;
-        } else {
-                dev->features &= ~NETIF_F_TSO;
-        }
-        return 0;
-}
 static const struct ethtool_ops vlan_ethtool_ops = {
        .get_settings           = vlan_ethtool_get_settings,
        .get_drvinfo            = vlan_ethtool_get_drvinfo,
        .get_link               = ethtool_op_get_link,
-        .get_rx_csum            = vlan_ethtool_get_rx_csum,
-        .get_flags              = vlan_ethtool_get_flags,
-        .set_tso                = vlan_ethtool_set_tso,
 };
 static const struct net_device_ops vlan_netdev_ops = {
@@ -858,7 +675,9 @@ static const struct net_device_ops vlan_netdev_ops = {
        .ndo_fcoe_enable        = vlan_dev_fcoe_enable,
        .ndo_fcoe_disable       = vlan_dev_fcoe_disable,
        .ndo_fcoe_get_wwn       = vlan_dev_fcoe_get_wwn,
+        .ndo_fcoe_ddp_target    = vlan_dev_fcoe_ddp_target,
 #endif
+        .ndo_fix_features       = vlan_dev_fix_features,
 };
 void vlan_setup(struct net_device *dev)
diff --git a/net/8021q/vlanproc.c b/net/8021q/vlanproc.c
index d1314cf18adf..d940c49d168a 100644
--- a/net/8021q/vlanproc.c
+++ b/net/8021q/vlanproc.c
@@ -54,7 +54,7 @@ static const char name_conf[]	 = "config";
 /*
 *      Structures for interfacing with the /proc filesystem.
- *      VLAN creates its own directory /proc/net/vlan with the folowing
+ *      VLAN creates its own directory /proc/net/vlan with the following
 *      entries:
 *      config          device status/configuration
 *      <device>        entry for each  device
diff --git a/net/9p/Makefile b/net/9p/Makefile
index 198a640d53a6..a0874cc1f718 100644
--- a/net/9p/Makefile
+++ b/net/9p/Makefile
@@ -9,6 +9,7 @@ obj-$(CONFIG_NET_9P_RDMA) += 9pnet_rdma.o
        util.o \
        protocol.o \
        trans_fd.o \
+        trans_common.o \
 9pnet_virtio-objs := \
        trans_virtio.o \
diff --git a/net/9p/client.c b/net/9p/client.c
index a848bca9fbff..ceab943dfc49 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -178,7 +178,7 @@ free_and_return:
 * @tag: numeric id for transaction
 *
 * this is a simple array lookup, but will grow the
- * request_slots as necessary to accomodate transaction
+ * request_slots as necessary to accommodate transaction
 * ids which did not previously have a slot.
 *
 * this code relies on the client spinlock to manage locks, its
@@ -223,16 +223,29 @@ static struct p9_req_t *p9_tag_alloc(struct p9_client *c, u16 tag)
        req = &c->reqs[row][col];
        if (!req->tc) {
-                req->wq = kmalloc(sizeof(wait_queue_head_t), GFP_KERNEL);
+                req->wq = kmalloc(sizeof(wait_queue_head_t), GFP_NOFS);
                if (!req->wq) {
                        printk(KERN_ERR "Couldn't grow tag array\n");
                        return ERR_PTR(-ENOMEM);
                }
                init_waitqueue_head(req->wq);
-                req->tc = kmalloc(sizeof(struct p9_fcall)+c->msize,
+                if ((c->trans_mod->pref & P9_TRANS_PREF_PAYLOAD_MASK) ==
-                                                                GFP_KERNEL);
+                                P9_TRANS_PREF_PAYLOAD_SEP) {
-                req->rc = kmalloc(sizeof(struct p9_fcall)+c->msize,
+                        int alloc_msize = min(c->msize, 4096);
-                                                                GFP_KERNEL);
+                        req->tc = kmalloc(sizeof(struct p9_fcall)+alloc_msize,
+                                          GFP_NOFS);
+                        req->tc->capacity = alloc_msize;
+                        req->rc = kmalloc(sizeof(struct p9_fcall)+alloc_msize,
+                                          GFP_NOFS);
+                        req->rc->capacity = alloc_msize;
+                } else {
+                        req->tc = kmalloc(sizeof(struct p9_fcall)+c->msize,
+                                          GFP_NOFS);
+                        req->tc->capacity = c->msize;
+                        req->rc = kmalloc(sizeof(struct p9_fcall)+c->msize,
+                                          GFP_NOFS);
+                        req->rc->capacity = c->msize;
+                }
                if ((!req->tc) || (!req->rc)) {
                        printk(KERN_ERR "Couldn't grow tag array\n");
                        kfree(req->tc);
@@ -243,9 +256,7 @@ static struct p9_req_t *p9_tag_alloc(struct p9_client *c, u16 tag)
                        return ERR_PTR(-ENOMEM);
                }
                req->tc->sdata = (char *) req->tc + sizeof(struct p9_fcall);
-                req->tc->capacity = c->msize;
                req->rc->sdata = (char *) req->rc + sizeof(struct p9_fcall);
-                req->rc->capacity = c->msize;
        }
        p9pdu_reset(req->tc);
@@ -443,6 +454,7 @@ static int p9_check_errors(struct p9_client *c, struct p9_req_t *req)
 {
        int8_t type;
        int err;
+        int ecode;
        err = p9_parse_header(req->rc, NULL, &type, NULL, 0);
        if (err) {
@@ -450,36 +462,53 @@ static int p9_check_errors(struct p9_client *c, struct p9_req_t *req)
                return err;
        }
-        if (type == P9_RERROR || type == P9_RLERROR) {
+        if (type != P9_RERROR && type != P9_RLERROR)
-                int ecode;
+                return 0;
-                if (!p9_is_proto_dotl(c)) {
-                        char *ename;
-                        err = p9pdu_readf(req->rc, c->proto_version, "s?d",
-                                                                &ename, &ecode);
-                        if (err)
-                                goto out_err;
-                        if (p9_is_proto_dotu(c))
+        if (!p9_is_proto_dotl(c)) {
-                                err = -ecode;
+                char *ename;
+                if (req->tc->pbuf_size) {
+                        /* Handle user buffers */
+                        size_t len = req->rc->size - req->rc->offset;
+                        if (req->tc->pubuf) {
+                                /* User Buffer */
+                                err = copy_from_user(
+                                        &req->rc->sdata[req->rc->offset],
+                                        req->tc->pubuf, len);
+                                if (err) {
+                                        err = -EFAULT;
+                                        goto out_err;
+                                }
+                        } else {
+                                /* Kernel Buffer */
+                                memmove(&req->rc->sdata[req->rc->offset],
+                                                req->tc->pkbuf, len);
+                        }
+                }
+                err = p9pdu_readf(req->rc, c->proto_version, "s?d",
+                                &ename, &ecode);
+                if (err)
+                        goto out_err;
-                        if (!err || !IS_ERR_VALUE(err)) {
+                if (p9_is_proto_dotu(c))
-                                err = p9_errstr2errno(ename, strlen(ename));
+                        err = -ecode;
-                                P9_DPRINTK(P9_DEBUG_9P, "<<< RERROR (%d) %s\n", -ecode, ename);
+                if (!err || !IS_ERR_VALUE(err)) {
+                        err = p9_errstr2errno(ename, strlen(ename));
-                                kfree(ename);
+                        P9_DPRINTK(P9_DEBUG_9P, "<<< RERROR (%d) %s\n", -ecode,
-                        }
+                                        ename);
-                } else {
-                        err = p9pdu_readf(req->rc, c->proto_version, "d", &ecode);
-                        err = -ecode;
-                        P9_DPRINTK(P9_DEBUG_9P, "<<< RLERROR (%d)\n", -ecode);
+                        kfree(ename);
                }
+        } else {
+                err = p9pdu_readf(req->rc, c->proto_version, "d", &ecode);
+                err = -ecode;
+                P9_DPRINTK(P9_DEBUG_9P, "<<< RLERROR (%d)\n", -ecode);
+        }
-        } else
-                err = 0;
        return err;
@@ -585,7 +614,7 @@ p9_client_rpc(struct p9_client *c, int8_t type, const char *fmt, ...)
        err = c->trans_mod->request(c, req);
        if (err < 0) {
-                if (err != -ERESTARTSYS)
+                if (err != -ERESTARTSYS && err != -EFAULT)
                        c->status = Disconnected;
                goto reterr;
        }
@@ -900,15 +929,15 @@ error:
 }
 EXPORT_SYMBOL(p9_client_attach);
-struct p9_fid *p9_client_walk(struct p9_fid *oldfid, int nwname, char **wnames,
+struct p9_fid *p9_client_walk(struct p9_fid *oldfid, uint16_t nwname,
-        int clone)
+                char **wnames, int clone)
 {
        int err;
        struct p9_client *clnt;
        struct p9_fid *fid;
        struct p9_qid *wqids;
        struct p9_req_t *req;
-        int16_t nwqids, count;
+        uint16_t nwqids, count;
        err = 0;
        wqids = NULL;
@@ -926,7 +955,7 @@ struct p9_fid *p9_client_walk(struct p9_fid *oldfid, int nwname, char **wnames,
                fid = oldfid;
-        P9_DPRINTK(P9_DEBUG_9P, ">>> TWALK fids %d,%d nwname %d wname[0] %s\n",
+        P9_DPRINTK(P9_DEBUG_9P, ">>> TWALK fids %d,%d nwname %ud wname[0] %s\n",
                oldfid->fid, fid->fid, nwname, wnames ? wnames[0] : NULL);
        req = p9_client_rpc(clnt, P9_TWALK, "ddT", oldfid->fid, fid->fid,
@@ -1252,7 +1281,7 @@ int
 p9_client_read(struct p9_fid *fid, char *data, char __user *udata, u64 offset,
                                                                u32 count)
 {
-        int err, rsize, total;
+        int err, rsize;
        struct p9_client *clnt;
        struct p9_req_t *req;
        char *dataptr;
@@ -1261,7 +1290,6 @@ p9_client_read(struct p9_fid *fid, char *data, char __user *udata, u64 offset,
                                        (long long unsigned) offset, count);
        err = 0;
        clnt = fid->clnt;
-        total = 0;
        rsize = fid->iounit;
        if (!rsize || rsize > clnt->msize-P9_IOHDRSZ)
@@ -1270,7 +1298,15 @@ p9_client_read(struct p9_fid *fid, char *data, char __user *udata, u64 offset,
        if (count < rsize)
                rsize = count;
-        req = p9_client_rpc(clnt, P9_TREAD, "dqd", fid->fid, offset, rsize);
+        /* Don't bother zerocopy form small IO (< 1024) */
+        if (((clnt->trans_mod->pref & P9_TRANS_PREF_PAYLOAD_MASK) ==
+                        P9_TRANS_PREF_PAYLOAD_SEP) && (rsize > 1024)) {
+                req = p9_client_rpc(clnt, P9_TREAD, "dqE", fid->fid, offset,
+                                rsize, data, udata);
+        } else {
+                req = p9_client_rpc(clnt, P9_TREAD, "dqd", fid->fid, offset,
+                                rsize);
+        }
        if (IS_ERR(req)) {
                err = PTR_ERR(req);
                goto error;
@@ -1284,13 +1320,15 @@ p9_client_read(struct p9_fid *fid, char *data, char __user *udata, u64 offset,
        P9_DPRINTK(P9_DEBUG_9P, "<<< RREAD count %d\n", count);
-        if (data) {
+        if (!req->tc->pbuf_size) {
-                memmove(data, dataptr, count);
+                if (data) {
-        } else {
+                        memmove(data, dataptr, count);
-                err = copy_to_user(udata, dataptr, count);
+                } else {
-                if (err) {
+                        err = copy_to_user(udata, dataptr, count);
-                        err = -EFAULT;
+                        if (err) {
-                        goto free_and_error;
+                                err = -EFAULT;
+                                goto free_and_error;
+                        }
                }
        }
        p9_free_req(clnt, req);
@@ -1307,7 +1345,7 @@ int
 p9_client_write(struct p9_fid *fid, char *data, const char __user *udata,
                                                        u64 offset, u32 count)
 {
-        int err, rsize, total;
+        int err, rsize;
        struct p9_client *clnt;
        struct p9_req_t *req;
@@ -1315,7 +1353,6 @@ p9_client_write(struct p9_fid *fid, char *data, const char __user *udata,
                                fid->fid, (long long unsigned) offset, count);
        err = 0;
        clnt = fid->clnt;
-        total = 0;
        rsize = fid->iounit;
        if (!rsize || rsize > clnt->msize-P9_IOHDRSZ)
@@ -1323,12 +1360,21 @@ p9_client_write(struct p9_fid *fid, char *data, const char __user *udata,
        if (count < rsize)
                rsize = count;
-        if (data)
-                req = p9_client_rpc(clnt, P9_TWRITE, "dqD", fid->fid, offset,
+        /* Don't bother zerocopy form small IO (< 1024) */
-                                                                rsize, data);
+        if (((clnt->trans_mod->pref & P9_TRANS_PREF_PAYLOAD_MASK) ==
-        else
+                                P9_TRANS_PREF_PAYLOAD_SEP) && (rsize > 1024)) {
-                req = p9_client_rpc(clnt, P9_TWRITE, "dqU", fid->fid, offset,
+                req = p9_client_rpc(clnt, P9_TWRITE, "dqE", fid->fid, offset,
-                                                                rsize, udata);
+                                rsize, data, udata);
+        } else {
+                if (data)
+                        req = p9_client_rpc(clnt, P9_TWRITE, "dqD", fid->fid,
+                                        offset, rsize, data);
+                else
+                        req = p9_client_rpc(clnt, P9_TWRITE, "dqU", fid->fid,
+                                        offset, rsize, udata);
+        }
        if (IS_ERR(req)) {
                err = PTR_ERR(req);
                goto error;
@@ -1697,7 +1743,7 @@ EXPORT_SYMBOL_GPL(p9_client_xattrcreate);
 int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
 {
-        int err, rsize, total;
+        int err, rsize;
        struct p9_client *clnt;
        struct p9_req_t *req;
        char *dataptr;
@@ -1707,7 +1753,6 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
        err = 0;
        clnt = fid->clnt;
-        total = 0;
        rsize = fid->iounit;
        if (!rsize || rsize > clnt->msize-P9_READDIRHDRSZ)
@@ -1716,7 +1761,14 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
        if (count < rsize)
                rsize = count;
-        req = p9_client_rpc(clnt, P9_TREADDIR, "dqd", fid->fid, offset, rsize);
+        if ((clnt->trans_mod->pref & P9_TRANS_PREF_PAYLOAD_MASK) ==
+                        P9_TRANS_PREF_PAYLOAD_SEP) {
+                req = p9_client_rpc(clnt, P9_TREADDIR, "dqF", fid->fid,
+                                offset, rsize, data);
+        } else {
+                req = p9_client_rpc(clnt, P9_TREADDIR, "dqd", fid->fid,
+                                offset, rsize);
+        }
        if (IS_ERR(req)) {
                err = PTR_ERR(req);
                goto error;
@@ -1730,7 +1782,7 @@ int p9_client_readdir(struct p9_fid *fid, char *data, u32 count, u64 offset)
        P9_DPRINTK(P9_DEBUG_9P, "<<< RREADDIR count %d\n", count);
-        if (data)
+        if (!req->tc->pbuf_size && data)
                memmove(data, dataptr, count);
        p9_free_req(clnt, req);
diff --git a/net/9p/protocol.c b/net/9p/protocol.c
index 1e308f210928..a873277cb996 100644
--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -114,6 +114,26 @@ pdu_write_u(struct p9_fcall *pdu, const char __user *udata, size_t size)
        return size - len;
 }
+static size_t
+pdu_write_urw(struct p9_fcall *pdu, const char *kdata, const char __user *udata,
+                size_t size)
+{
+        BUG_ON(pdu->size > P9_IOHDRSZ);
+        pdu->pubuf = (char __user *)udata;
+        pdu->pkbuf = (char *)kdata;
+        pdu->pbuf_size = size;
+        return 0;
+}
+static size_t
+pdu_write_readdir(struct p9_fcall *pdu, const char *kdata, size_t size)
+{
+        BUG_ON(pdu->size > P9_READDIRHDRSZ);
+        pdu->pkbuf = (char *)kdata;
+        pdu->pbuf_size = size;
+        return 0;
+}
 /*
        b - int8_t
        w - int16_t
@@ -185,7 +205,7 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
                                if (errcode)
                                        break;
-                                *sptr = kmalloc(len + 1, GFP_KERNEL);
+                                *sptr = kmalloc(len + 1, GFP_NOFS);
                                if (*sptr == NULL) {
                                        errcode = -EFAULT;
                                        break;
@@ -245,7 +265,7 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
                        }
                        break;
                case 'T':{
-                                int16_t *nwname = va_arg(ap, int16_t *);
+                                uint16_t *nwname = va_arg(ap, uint16_t *);
                                char ***wnames = va_arg(ap, char ***);
                                errcode = p9pdu_readf(pdu, proto_version,
@@ -253,7 +273,7 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
                                if (!errcode) {
                                        *wnames =
                                            kmalloc(sizeof(char *) * *nwname,
-                                                    GFP_KERNEL);
+                                                    GFP_NOFS);
                                        if (!*wnames)
                                                errcode = -ENOMEM;
                                }
@@ -297,7 +317,7 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
                                        *wqids =
                                            kmalloc(*nwqid *
                                                    sizeof(struct p9_qid),
-                                                    GFP_KERNEL);
+                                                    GFP_NOFS);
                                        if (*wqids == NULL)
                                                errcode = -ENOMEM;
                                }
@@ -445,6 +465,26 @@ p9pdu_vwritef(struct p9_fcall *pdu, int proto_version, const char *fmt,
                                        errcode = -EFAULT;
                        }
                        break;
+                case 'E':{
+                                 int32_t cnt = va_arg(ap, int32_t);
+                                 const char *k = va_arg(ap, const void *);
+                                 const char __user *u = va_arg(ap,
+                                                        const void __user *);
+                                 errcode = p9pdu_writef(pdu, proto_version, "d",
+                                                 cnt);
+                                 if (!errcode && pdu_write_urw(pdu, k, u, cnt))
+                                        errcode = -EFAULT;
+                         }
+                         break;
+                case 'F':{
+                                 int32_t cnt = va_arg(ap, int32_t);
+                                 const char *k = va_arg(ap, const void *);
+                                 errcode = p9pdu_writef(pdu, proto_version, "d",
+                                                 cnt);
+                                 if (!errcode && pdu_write_readdir(pdu, k, cnt))
+                                        errcode = -EFAULT;
+                         }
+                         break;
                case 'U':{
                                int32_t count = va_arg(ap, int32_t);
                                const char __user *udata =
@@ -456,7 +496,7 @@ p9pdu_vwritef(struct p9_fcall *pdu, int proto_version, const char *fmt,
                        }
                        break;
                case 'T':{
-                                int16_t nwname = va_arg(ap, int);
+                                uint16_t nwname = va_arg(ap, int);
                                const char **wnames = va_arg(ap, const char **);
                                errcode = p9pdu_writef(pdu, proto_version, "w",
@@ -579,6 +619,7 @@ EXPORT_SYMBOL(p9stat_read);
 int p9pdu_prepare(struct p9_fcall *pdu, int16_t tag, int8_t type)
 {
+        pdu->id = type;
        return p9pdu_writef(pdu, 0, "dbw", 0, type, tag);
 }
@@ -606,6 +647,10 @@ void p9pdu_reset(struct p9_fcall *pdu)
 {
        pdu->offset = 0;
        pdu->size = 0;
+        pdu->private = NULL;
+        pdu->pubuf = NULL;
+        pdu->pkbuf = NULL;
+        pdu->pbuf_size = 0;
 }
 int p9dirent_read(char *buf, int len, struct p9_dirent *dirent,
@@ -629,6 +674,7 @@ int p9dirent_read(char *buf, int len, struct p9_dirent *dirent,
        }
        strcpy(dirent->d_name, nameptr);
+        kfree(nameptr);
 out:
        return fake_pdu.offset;
diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c
new file mode 100644
index 000000000000..9a70ebdec56e
--- /dev/null
+++ b/net/9p/trans_common.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright IBM Corporation, 2010
+ * Author Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ */
+#include <linux/slab.h>
+#include <linux/module.h>
+#include <net/9p/9p.h>
+#include <net/9p/client.h>
+#include <linux/scatterlist.h>
+#include "trans_common.h"
+/**
+ *  p9_release_req_pages - Release pages after the transaction.
+ *  @*private: PDU's private page of struct trans_rpage_info
+ */
+void
+p9_release_req_pages(struct trans_rpage_info *rpinfo)
+{
+        int i = 0;
+        while (rpinfo->rp_data[i] && rpinfo->rp_nr_pages--) {
+                put_page(rpinfo->rp_data[i]);
+                i++;
+        }
+}
+EXPORT_SYMBOL(p9_release_req_pages);
+/**
+ * p9_nr_pages - Return number of pages needed to accommodate the payload.
+ */
+int
+p9_nr_pages(struct p9_req_t *req)
+{
+        unsigned long start_page, end_page;
+        start_page =  (unsigned long)req->tc->pubuf >> PAGE_SHIFT;
+        end_page = ((unsigned long)req->tc->pubuf + req->tc->pbuf_size +
+                        PAGE_SIZE - 1) >> PAGE_SHIFT;
+        return end_page - start_page;
+}
+EXPORT_SYMBOL(p9_nr_pages);
+/**
+ * payload_gup - Translates user buffer into kernel pages and
+ * pins them either for read/write through get_user_pages_fast().
+ * @req: Request to be sent to server.
+ * @pdata_off: data offset into the first page after translation (gup).
+ * @pdata_len: Total length of the IO. gup may not return requested # of pages.
+ * @nr_pages: number of pages to accommodate the payload
+ * @rw: Indicates if the pages are for read or write.
+ */
+int
+p9_payload_gup(struct p9_req_t *req, size_t *pdata_off, int *pdata_len,
+                int nr_pages, u8 rw)
+{
+        uint32_t first_page_bytes = 0;
+        int32_t pdata_mapped_pages;
+        struct trans_rpage_info  *rpinfo;
+        *pdata_off = (__force size_t)req->tc->pubuf & (PAGE_SIZE-1);
+        if (*pdata_off)
+                first_page_bytes = min(((size_t)PAGE_SIZE - *pdata_off),
+                                       req->tc->pbuf_size);
+        rpinfo = req->tc->private;
+        pdata_mapped_pages = get_user_pages_fast((unsigned long)req->tc->pubuf,
+                        nr_pages, rw, &rpinfo->rp_data[0]);
+        if (pdata_mapped_pages <= 0)
+                return pdata_mapped_pages;
+        rpinfo->rp_nr_pages = pdata_mapped_pages;
+        if (*pdata_off) {
+                *pdata_len = first_page_bytes;
+                *pdata_len += min((req->tc->pbuf_size - *pdata_len),
+                                ((size_t)pdata_mapped_pages - 1) << PAGE_SHIFT);
+        } else {
+                *pdata_len = min(req->tc->pbuf_size,
+                                (size_t)pdata_mapped_pages << PAGE_SHIFT);
+        }
+        return 0;
+}
+EXPORT_SYMBOL(p9_payload_gup);
diff --git a/net/9p/trans_common.h b/net/9p/trans_common.h
new file mode 100644
index 000000000000..76309223bb02
--- /dev/null
+++ b/net/9p/trans_common.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright IBM Corporation, 2010
+ * Author Venkateswararao Jujjuri <jvrao@linux.vnet.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it would be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ */
+/* TRUE if it is user context */
+#define P9_IS_USER_CONTEXT (!segment_eq(get_fs(), KERNEL_DS))
+/**
+ * struct trans_rpage_info - To store mapped page information in PDU.
+ * @rp_alloc:Set if this structure is allocd, not a reuse unused space in pdu.
+ * @rp_nr_pages: Number of mapped pages
+ * @rp_data: Array of page pointers
+ */
+struct trans_rpage_info {
+        u8 rp_alloc;
+        int rp_nr_pages;
+        struct page *rp_data[0];
+};
+void p9_release_req_pages(struct trans_rpage_info *);
+int p9_payload_gup(struct p9_req_t *, size_t *, int *, int, u8);
+int p9_nr_pages(struct p9_req_t *);
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index 078eb162d9bf..4a9084395d35 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -153,10 +153,11 @@ struct p9_conn {
        unsigned long wsched;
 };
+static void p9_poll_workfn(struct work_struct *work);
 static DEFINE_SPINLOCK(p9_poll_lock);
 static LIST_HEAD(p9_poll_pending_list);
-static struct workqueue_struct *p9_mux_wq;
+static DECLARE_WORK(p9_poll_work, p9_poll_workfn);
-static struct task_struct *p9_poll_task;
 static void p9_mux_poll_stop(struct p9_conn *m)
 {
@@ -349,7 +350,7 @@ static void p9_read_work(struct work_struct *work)
                if (m->req->rc == NULL) {
                        m->req->rc = kmalloc(sizeof(struct p9_fcall) +
-                                                m->client->msize, GFP_KERNEL);
+                                                m->client->msize, GFP_NOFS);
                        if (!m->req->rc) {
                                m->req = NULL;
                                err = -ENOMEM;
@@ -384,7 +385,7 @@ static void p9_read_work(struct work_struct *work)
                if (n & POLLIN) {
                        P9_DPRINTK(P9_DEBUG_TRANS, "sched read work %p\n", m);
-                        queue_work(p9_mux_wq, &m->rq);
+                        schedule_work(&m->rq);
                } else
                        clear_bit(Rworksched, &m->wsched);
        } else
@@ -497,7 +498,7 @@ static void p9_write_work(struct work_struct *work)
                if (n & POLLOUT) {
                        P9_DPRINTK(P9_DEBUG_TRANS, "sched write work %p\n", m);
-                        queue_work(p9_mux_wq, &m->wq);
+                        schedule_work(&m->wq);
                } else
                        clear_bit(Wworksched, &m->wsched);
        } else
@@ -516,15 +517,14 @@ static int p9_pollwake(wait_queue_t *wait, unsigned mode, int sync, void *key)
                container_of(wait, struct p9_poll_wait, wait);
        struct p9_conn *m = pwait->conn;
        unsigned long flags;
-        DECLARE_WAITQUEUE(dummy_wait, p9_poll_task);
        spin_lock_irqsave(&p9_poll_lock, flags);
        if (list_empty(&m->poll_pending_link))
                list_add_tail(&m->poll_pending_link, &p9_poll_pending_list);
        spin_unlock_irqrestore(&p9_poll_lock, flags);
-        /* perform the default wake up operation */
+        schedule_work(&p9_poll_work);
-        return default_wake_function(&dummy_wait, mode, sync, key);
+        return 1;
 }
 /**
@@ -629,7 +629,7 @@ static void p9_poll_mux(struct p9_conn *m)
                P9_DPRINTK(P9_DEBUG_TRANS, "mux %p can read\n", m);
                if (!test_and_set_bit(Rworksched, &m->wsched)) {
                        P9_DPRINTK(P9_DEBUG_TRANS, "sched read work %p\n", m);
-                        queue_work(p9_mux_wq, &m->rq);
+                        schedule_work(&m->rq);
                }
        }
@@ -639,7 +639,7 @@ static void p9_poll_mux(struct p9_conn *m)
                if ((m->wsize || !list_empty(&m->unsent_req_list)) &&
                    !test_and_set_bit(Wworksched, &m->wsched)) {
                        P9_DPRINTK(P9_DEBUG_TRANS, "sched write work %p\n", m);
-                        queue_work(p9_mux_wq, &m->wq);
+                        schedule_work(&m->wq);
                }
        }
 }
@@ -677,7 +677,7 @@ static int p9_fd_request(struct p9_client *client, struct p9_req_t *req)
                n = p9_fd_poll(m->client, NULL);
        if (n & POLLOUT && !test_and_set_bit(Wworksched, &m->wsched))
-                queue_work(p9_mux_wq, &m->wq);
+                schedule_work(&m->wq);
        return 0;
 }
@@ -716,7 +716,6 @@ static int parse_opts(char *params, struct p9_fd_opts *opts)
        substring_t args[MAX_OPT_ARGS];
        int option;
        char *options, *tmp_options;
-        int ret;
        opts->port = P9_PORT;
        opts->rfd = ~0;
@@ -744,7 +743,6 @@ static int parse_opts(char *params, struct p9_fd_opts *opts)
                        if (r < 0) {
                                P9_DPRINTK(P9_DEBUG_ERROR,
                                "integer field, but no integer?\n");
-                                ret = r;
                                continue;
                        }
                }
@@ -1047,12 +1045,12 @@ static struct p9_trans_module p9_fd_trans = {
 *
 */
-static int p9_poll_proc(void *a)
+static void p9_poll_workfn(struct work_struct *work)
 {
        unsigned long flags;
        P9_DPRINTK(P9_DEBUG_TRANS, "start %p\n", current);
- repeat:
        spin_lock_irqsave(&p9_poll_lock, flags);
        while (!list_empty(&p9_poll_pending_list)) {
                struct p9_conn *conn = list_first_entry(&p9_poll_pending_list,
@@ -1067,35 +1065,11 @@ static int p9_poll_proc(void *a)
        }
        spin_unlock_irqrestore(&p9_poll_lock, flags);
-        set_current_state(TASK_INTERRUPTIBLE);
-        if (list_empty(&p9_poll_pending_list)) {
-                P9_DPRINTK(P9_DEBUG_TRANS, "sleeping...\n");
-                schedule();
-        }
-        __set_current_state(TASK_RUNNING);
-        if (!kthread_should_stop())
-                goto repeat;
        P9_DPRINTK(P9_DEBUG_TRANS, "finish\n");
-        return 0;
 }
 int p9_trans_fd_init(void)
 {
-        p9_mux_wq = create_workqueue("v9fs");
-        if (!p9_mux_wq) {
-                printk(KERN_WARNING "v9fs: mux: creating workqueue failed\n");
-                return -ENOMEM;
-        }
-        p9_poll_task = kthread_run(p9_poll_proc, NULL, "v9fs-poll");
-        if (IS_ERR(p9_poll_task)) {
-                destroy_workqueue(p9_mux_wq);
-                printk(KERN_WARNING "v9fs: mux: creating poll task failed\n");
-                return PTR_ERR(p9_poll_task);
-        }
        v9fs_register_trans(&p9_tcp_trans);
        v9fs_register_trans(&p9_unix_trans);
        v9fs_register_trans(&p9_fd_trans);
@@ -1105,10 +1079,8 @@ int p9_trans_fd_init(void)
 void p9_trans_fd_exit(void)
 {
-        kthread_stop(p9_poll_task);
+        flush_work_sync(&p9_poll_work);
        v9fs_unregister_trans(&p9_tcp_trans);
        v9fs_unregister_trans(&p9_unix_trans);
        v9fs_unregister_trans(&p9_fd_trans);
-        destroy_workqueue(p9_mux_wq);
 }
diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
index 17c5ba7551a5..844a7a5607e3 100644
--- a/net/9p/trans_rdma.c
+++ b/net/9p/trans_rdma.c
@@ -59,7 +59,6 @@
                                                 * safely advertise a maxsize
                                                 * of 64k */
-#define P9_RDMA_MAX_SGE (P9_RDMA_MAXSIZE >> PAGE_SHIFT)
 /**
 * struct p9_trans_rdma - RDMA transport instance
 *
@@ -168,7 +167,6 @@ static int parse_opts(char *params, struct p9_rdma_opts *opts)
        substring_t args[MAX_OPT_ARGS];
        int option;
        char *options, *tmp_options;
-        int ret;
        opts->port = P9_PORT;
        opts->sq_depth = P9_RDMA_SQ_DEPTH;
@@ -196,7 +194,6 @@ static int parse_opts(char *params, struct p9_rdma_opts *opts)
                if (r < 0) {
                        P9_DPRINTK(P9_DEBUG_ERROR,
                                   "integer field, but no integer?\n");
-                        ret = r;
                        continue;
                }
                switch (token) {
@@ -425,7 +422,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
        struct p9_rdma_context *rpl_context = NULL;
        /* Allocate an fcall for the reply */
-        rpl_context = kmalloc(sizeof *rpl_context, GFP_KERNEL);
+        rpl_context = kmalloc(sizeof *rpl_context, GFP_NOFS);
        if (!rpl_context) {
                err = -ENOMEM;
                goto err_close;
@@ -438,7 +435,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
         */
        if (!req->rc) {
                req->rc = kmalloc(sizeof(struct p9_fcall)+client->msize,
-                                                                GFP_KERNEL);
+                                  GFP_NOFS);
                if (req->rc) {
                        req->rc->sdata = (char *) req->rc +
                                                sizeof(struct p9_fcall);
@@ -469,7 +466,7 @@ static int rdma_request(struct p9_client *client, struct p9_req_t *req)
        req->rc = NULL;
        /* Post the request */
-        c = kmalloc(sizeof *c, GFP_KERNEL);
+        c = kmalloc(sizeof *c, GFP_NOFS);
        if (!c) {
                err = -ENOMEM;
                goto err_free1;
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index c8f3f72ab20e..244e70742183 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -43,13 +43,17 @@
 #include <net/9p/client.h>
 #include <net/9p/transport.h>
 #include <linux/scatterlist.h>
+#include <linux/swap.h>
 #include <linux/virtio.h>
 #include <linux/virtio_9p.h>
+#include "trans_common.h"
 #define VIRTQUEUE_NUM   128
 /* a single mutex to manage channel initialization and attachment */
 static DEFINE_MUTEX(virtio_9p_lock);
+static DECLARE_WAIT_QUEUE_HEAD(vp_wq);
+static atomic_t vp_pinned = ATOMIC_INIT(0);
 /**
 * struct virtio_chan - per-instance transport information
@@ -77,7 +81,10 @@ struct virtio_chan {
        struct virtqueue *vq;
        int ring_bufs_avail;
        wait_queue_head_t *vc_wq;
+        /* This is global limit. Since we don't have a global structure,
+         * will be placing it in each channel.
+         */
+        int p9_max_pages;
        /* Scatterlist: can be too big for stack. */
        struct scatterlist sg[VIRTQUEUE_NUM];
@@ -140,26 +147,36 @@ static void req_done(struct virtqueue *vq)
        P9_DPRINTK(P9_DEBUG_TRANS, ": request done\n");
-        do {
+        while (1) {
                spin_lock_irqsave(&chan->lock, flags);
                rc = virtqueue_get_buf(chan->vq, &len);
-                if (rc != NULL) {
+                if (rc == NULL) {
-                        if (!chan->ring_bufs_avail) {
-                                chan->ring_bufs_avail = 1;
-                                wake_up(chan->vc_wq);
-                        }
-                        spin_unlock_irqrestore(&chan->lock, flags);
-                        P9_DPRINTK(P9_DEBUG_TRANS, ": rc %p\n", rc);
-                        P9_DPRINTK(P9_DEBUG_TRANS, ": lookup tag %d\n",
-                                        rc->tag);
-                        req = p9_tag_lookup(chan->client, rc->tag);
-                        req->status = REQ_STATUS_RCVD;
-                        p9_client_cb(chan->client, req);
-                } else {
                        spin_unlock_irqrestore(&chan->lock, flags);
+                        break;
+                }
+                chan->ring_bufs_avail = 1;
+                spin_unlock_irqrestore(&chan->lock, flags);
+                /* Wakeup if anyone waiting for VirtIO ring space. */
+                wake_up(chan->vc_wq);
+                P9_DPRINTK(P9_DEBUG_TRANS, ": rc %p\n", rc);
+                P9_DPRINTK(P9_DEBUG_TRANS, ": lookup tag %d\n", rc->tag);
+                req = p9_tag_lookup(chan->client, rc->tag);
+                if (req->tc->private) {
+                        struct trans_rpage_info *rp = req->tc->private;
+                        int p = rp->rp_nr_pages;
+                        /*Release pages */
+                        p9_release_req_pages(rp);
+                        atomic_sub(p, &vp_pinned);
+                        wake_up(&vp_wq);
+                        if (rp->rp_alloc)
+                                kfree(rp);
+                        req->tc->private = NULL;
                }
-        } while (rc != NULL);
+                req->status = REQ_STATUS_RCVD;
+                p9_client_cb(chan->client, req);
+        }
 }
 /**
@@ -203,6 +220,38 @@ static int p9_virtio_cancel(struct p9_client *client, struct p9_req_t *req)
 }
 /**
+ * pack_sg_list_p - Just like pack_sg_list. Instead of taking a buffer,
+ * this takes a list of pages.
+ * @sg: scatter/gather list to pack into
+ * @start: which segment of the sg_list to start at
+ * @pdata_off: Offset into the first page
+ * @**pdata: a list of pages to add into sg.
+ * @count: amount of data to pack into the scatter/gather list
+ */
+static int
+pack_sg_list_p(struct scatterlist *sg, int start, int limit, size_t pdata_off,
+                struct page **pdata, int count)
+{
+        int s;
+        int i = 0;
+        int index = start;
+        if (pdata_off) {
+                s = min((int)(PAGE_SIZE - pdata_off), count);
+                sg_set_page(&sg[index++], pdata[i++], s, pdata_off);
+                count -= s;
+        }
+        while (count) {
+                BUG_ON(index > limit);
+                s = min((int)PAGE_SIZE, count);
+                sg_set_page(&sg[index++], pdata[i++], s, 0);
+                count -= s;
+        }
+        return index-start;
+}
+/**
 * p9_virtio_request - issue a request
 * @client: client instance issuing the request
 * @req: request to be issued
@@ -212,22 +261,114 @@ static int p9_virtio_cancel(struct p9_client *client, struct p9_req_t *req)
 static int
 p9_virtio_request(struct p9_client *client, struct p9_req_t *req)
 {
-        int in, out;
+        int in, out, inp, outp;
        struct virtio_chan *chan = client->trans;
        char *rdata = (char *)req->rc+sizeof(struct p9_fcall);
        unsigned long flags;
-        int err;
+        size_t pdata_off = 0;
+        struct trans_rpage_info *rpinfo = NULL;
+        int err, pdata_len = 0;
        P9_DPRINTK(P9_DEBUG_TRANS, "9p debug: virtio request\n");
-req_retry:
        req->status = REQ_STATUS_SENT;
+        if (req->tc->pbuf_size && (req->tc->pubuf && P9_IS_USER_CONTEXT)) {
+                int nr_pages = p9_nr_pages(req);
+                int rpinfo_size = sizeof(struct trans_rpage_info) +
+                        sizeof(struct page *) * nr_pages;
+                if (atomic_read(&vp_pinned) >= chan->p9_max_pages) {
+                        err = wait_event_interruptible(vp_wq,
+                                atomic_read(&vp_pinned) < chan->p9_max_pages);
+                        if (err  == -ERESTARTSYS)
+                                return err;
+                        P9_DPRINTK(P9_DEBUG_TRANS, "9p: May gup pages now.\n");
+                }
+                if (rpinfo_size <= (req->tc->capacity - req->tc->size)) {
+                        /* We can use sdata */
+                        req->tc->private = req->tc->sdata + req->tc->size;
+                        rpinfo = (struct trans_rpage_info *)req->tc->private;
+                        rpinfo->rp_alloc = 0;
+                } else {
+                        req->tc->private = kmalloc(rpinfo_size, GFP_NOFS);
+                        if (!req->tc->private) {
+                                P9_DPRINTK(P9_DEBUG_TRANS, "9p debug: "
+                                        "private kmalloc returned NULL");
+                                return -ENOMEM;
+                        }
+                        rpinfo = (struct trans_rpage_info *)req->tc->private;
+                        rpinfo->rp_alloc = 1;
+                }
+                err = p9_payload_gup(req, &pdata_off, &pdata_len, nr_pages,
+                                req->tc->id == P9_TREAD ? 1 : 0);
+                if (err < 0) {
+                        if (rpinfo->rp_alloc)
+                                kfree(rpinfo);
+                        return err;
+                } else {
+                        atomic_add(rpinfo->rp_nr_pages, &vp_pinned);
+                }
+        }
+req_retry_pinned:
        spin_lock_irqsave(&chan->lock, flags);
+        /* Handle out VirtIO ring buffers */
        out = pack_sg_list(chan->sg, 0, VIRTQUEUE_NUM, req->tc->sdata,
-                                                                req->tc->size);
+                        req->tc->size);
-        in = pack_sg_list(chan->sg, out, VIRTQUEUE_NUM-out, rdata,
-                                                                client->msize);
+        if (req->tc->pbuf_size && (req->tc->id == P9_TWRITE)) {
+                /* We have additional write payload buffer to take care */
+                if (req->tc->pubuf && P9_IS_USER_CONTEXT) {
+                        outp = pack_sg_list_p(chan->sg, out, VIRTQUEUE_NUM,
+                                        pdata_off, rpinfo->rp_data, pdata_len);
+                } else {
+                        char *pbuf;
+                        if (req->tc->pubuf)
+                                pbuf = (__force char *) req->tc->pubuf;
+                        else
+                                pbuf = req->tc->pkbuf;
+                        outp = pack_sg_list(chan->sg, out, VIRTQUEUE_NUM, pbuf,
+                                        req->tc->pbuf_size);
+                }
+                out += outp;
+        }
+        /* Handle in VirtIO ring buffers */
+        if (req->tc->pbuf_size &&
+                ((req->tc->id == P9_TREAD) || (req->tc->id == P9_TREADDIR))) {
+                /*
+                 * Take care of additional Read payload.
+                 * 11 is the read/write header = PDU Header(7) + IO Size (4).
+                 * Arrange in such a way that server places header in the
+                 * alloced memory and payload onto the user buffer.
+                 */
+                inp = pack_sg_list(chan->sg, out, VIRTQUEUE_NUM, rdata, 11);
+                /*
+                 * Running executables in the filesystem may result in
+                 * a read request with kernel buffer as opposed to user buffer.
+                 */
+                if (req->tc->pubuf && P9_IS_USER_CONTEXT) {
+                        in = pack_sg_list_p(chan->sg, out+inp, VIRTQUEUE_NUM,
+                                        pdata_off, rpinfo->rp_data, pdata_len);
+                } else {
+                        char *pbuf;
+                        if (req->tc->pubuf)
+                                pbuf = (__force char *) req->tc->pubuf;
+                        else
+                                pbuf = req->tc->pkbuf;
+                        in = pack_sg_list(chan->sg, out+inp, VIRTQUEUE_NUM,
+                                        pbuf, req->tc->pbuf_size);
+                }
+                in += inp;
+        } else {
+                in = pack_sg_list(chan->sg, out, VIRTQUEUE_NUM, rdata,
+                                client->msize);
+        }
        err = virtqueue_add_buf(chan->vq, chan->sg, out, in, req->tc);
        if (err < 0) {
@@ -240,12 +381,14 @@ req_retry:
                                return err;
                        P9_DPRINTK(P9_DEBUG_TRANS, "9p:Retry virtio request\n");
-                        goto req_retry;
+                        goto req_retry_pinned;
                } else {
                        spin_unlock_irqrestore(&chan->lock, flags);
                        P9_DPRINTK(P9_DEBUG_TRANS,
                                        "9p debug: "
                                        "virtio rpc add_buf returned failure");
+                        if (rpinfo && rpinfo->rp_alloc)
+                                kfree(rpinfo);
                        return -EIO;
                }
        }
@@ -335,6 +478,8 @@ static int p9_virtio_probe(struct virtio_device *vdev)
        }
        init_waitqueue_head(chan->vc_wq);
        chan->ring_bufs_avail = 1;
+        /* Ceiling limit to avoid denial of service attacks */
+        chan->p9_max_pages = nr_free_buffer_pages()/4;
        mutex_lock(&virtio_9p_lock);
        list_add_tail(&chan->chan_list, &virtio_chan_list);
@@ -448,6 +593,7 @@ static struct p9_trans_module p9_virtio_trans = {
        .request = p9_virtio_request,
        .cancel = p9_virtio_cancel,
        .maxsize = PAGE_SIZE*16,
+        .pref = P9_TRANS_PREF_PAYLOAD_SEP,
        .def = 0,
        .owner = THIS_MODULE,
 };
diff --git a/net/9p/util.c b/net/9p/util.c
index e048701a72d2..da6af81e59d9 100644
--- a/net/9p/util.c
+++ b/net/9p/util.c
@@ -67,7 +67,7 @@ EXPORT_SYMBOL(p9_idpool_create);
 /**
 * p9_idpool_destroy - create a new per-connection id pool
- * @p: idpool to destory
+ * @p: idpool to destroy
 */
 void p9_idpool_destroy(struct p9_idpool *p)
@@ -92,7 +92,7 @@ int p9_idpool_get(struct p9_idpool *p)
        unsigned long flags;
 retry:
-        if (idr_pre_get(&p->pool, GFP_KERNEL) == 0)
+        if (idr_pre_get(&p->pool, GFP_NOFS) == 0)
                return 0;
        spin_lock_irqsave(&p->lock, flags);
diff --git a/net/Kconfig b/net/Kconfig
index 72840626284b..878151c772c9 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -221,11 +221,31 @@ config RPS
        depends on SMP && SYSFS && USE_GENERIC_SMP_HELPERS
        default y
+config RFS_ACCEL
+        boolean
+        depends on RPS && GENERIC_HARDIRQS
+        select CPU_RMAP
+        default y
 config XPS
        boolean
        depends on SMP && SYSFS && USE_GENERIC_SMP_HELPERS
        default y
+config HAVE_BPF_JIT
+        bool
+config BPF_JIT
+        bool "enable BPF Just In Time compiler"
+        depends on HAVE_BPF_JIT
+        depends on MODULES
+        ---help---
+          Berkeley Packet Filter filtering capabilities are normally handled
+          by an interpreter. This option allows kernel to generate a native
+          code when filter is loaded in memory. This should speedup
+          packet sniffing (libpcap/tcpdump). Note : Admin should enable
+          this feature changing /proc/sys/net/core/bpf_jit_enable
 menu "Network testing"
 config NET_PKTGEN
diff --git a/net/Makefile b/net/Makefile
index a3330ebe2c53..a51d9465e628 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -19,9 +19,7 @@ obj-$(CONFIG_NETFILTER)		+= netfilter/
 obj-$(CONFIG_INET)              += ipv4/
 obj-$(CONFIG_XFRM)              += xfrm/
 obj-$(CONFIG_UNIX)              += unix/
-ifneq ($(CONFIG_IPV6),)
+obj-$(CONFIG_NET)               += ipv6/
-obj-y                           += ipv6/
-endif
 obj-$(CONFIG_PACKET)            += packet/
 obj-$(CONFIG_NET_KEY)           += key/
 obj-$(CONFIG_BRIDGE)            += bridge/
diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c
index c410b93fda2e..956a5302002a 100644
--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -54,7 +54,6 @@
 #include <linux/capability.h>
 #include <linux/module.h>
 #include <linux/if_arp.h>
-#include <linux/smp_lock.h>
 #include <linux/termios.h>      /* For TIOCOUTQ/INQ */
 #include <linux/compat.h>
 #include <linux/slab.h>
@@ -1052,13 +1051,17 @@ static int atalk_release(struct socket *sock)
 {
        struct sock *sk = sock->sk;
-        lock_kernel();
        if (sk) {
+                sock_hold(sk);
+                lock_sock(sk);
                sock_orphan(sk);
                sock->sk = NULL;
                atalk_destroy_socket(sk);
+                release_sock(sk);
+                sock_put(sk);
        }
-        unlock_kernel();
        return 0;
 }
@@ -1143,7 +1146,7 @@ static int atalk_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        if (addr->sat_family != AF_APPLETALK)
                return -EAFNOSUPPORT;
-        lock_kernel();
+        lock_sock(sk);
        if (addr->sat_addr.s_net == htons(ATADDR_ANYNET)) {
                struct atalk_addr *ap = atalk_find_primary();
@@ -1179,7 +1182,7 @@ static int atalk_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        sock_reset_flag(sk, SOCK_ZAPPED);
        err = 0;
 out:
-        unlock_kernel();
+        release_sock(sk);
        return err;
 }
@@ -1215,7 +1218,7 @@ static int atalk_connect(struct socket *sock, struct sockaddr *uaddr,
 #endif
        }
-        lock_kernel();
+        lock_sock(sk);
        err = -EBUSY;
        if (sock_flag(sk, SOCK_ZAPPED))
                if (atalk_autobind(sk) < 0)
@@ -1233,7 +1236,7 @@ static int atalk_connect(struct socket *sock, struct sockaddr *uaddr,
        sk->sk_state = TCP_ESTABLISHED;
        err = 0;
 out:
-        unlock_kernel();
+        release_sock(sk);
        return err;
 }
@@ -1249,7 +1252,7 @@ static int atalk_getname(struct socket *sock, struct sockaddr *uaddr,
        struct atalk_sock *at = at_sk(sk);
        int err;
-        lock_kernel();
+        lock_sock(sk);
        err = -ENOBUFS;
        if (sock_flag(sk, SOCK_ZAPPED))
                if (atalk_autobind(sk) < 0)
@@ -1277,17 +1280,7 @@ static int atalk_getname(struct socket *sock, struct sockaddr *uaddr,
        memcpy(uaddr, &sat, sizeof(sat));
 out:
-        unlock_kernel();
+        release_sock(sk);
-        return err;
-}
-static unsigned int atalk_poll(struct file *file, struct socket *sock,
-                           poll_table *wait)
-{
-        int err;
-        lock_kernel();
-        err = datagram_poll(file, sock, wait);
-        unlock_kernel();
        return err;
 }
@@ -1596,7 +1589,7 @@ static int atalk_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
        if (len > DDP_MAXSZ)
                return -EMSGSIZE;
-        lock_kernel();
+        lock_sock(sk);
        if (usat) {
                err = -EBUSY;
                if (sock_flag(sk, SOCK_ZAPPED))
@@ -1651,7 +1644,9 @@ static int atalk_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
                        sk, size, dev->name);
        size += dev->hard_header_len;
+        release_sock(sk);
        skb = sock_alloc_send_skb(sk, size, (flags & MSG_DONTWAIT), &err);
+        lock_sock(sk);
        if (!skb)
                goto out;
@@ -1738,7 +1733,7 @@ static int atalk_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
        SOCK_DEBUG(sk, "SK %p: Done write (%Zd).\n", sk, len);
 out:
-        unlock_kernel();
+        release_sock(sk);
        return err ? : len;
 }
@@ -1753,9 +1748,10 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
        int err = 0;
        struct sk_buff *skb;
-        lock_kernel();
        skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
                                                flags & MSG_DONTWAIT, &err);
+        lock_sock(sk);
        if (!skb)
                goto out;
@@ -1787,7 +1783,7 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
        skb_free_datagram(sk, skb);     /* Free the datagram. */
 out:
-        unlock_kernel();
+        release_sock(sk);
        return err ? : copied;
 }
@@ -1887,7 +1883,7 @@ static const struct proto_ops atalk_dgram_ops = {
        .socketpair     = sock_no_socketpair,
        .accept         = sock_no_accept,
        .getname        = atalk_getname,
-        .poll           = atalk_poll,
+        .poll           = datagram_poll,
        .ioctl          = atalk_ioctl,
 #ifdef CONFIG_COMPAT
        .compat_ioctl   = atalk_compat_ioctl,
diff --git a/net/atm/br2684.c b/net/atm/br2684.c
index fce2eae8d476..2252c2085dac 100644
--- a/net/atm/br2684.c
+++ b/net/atm/br2684.c
@@ -509,7 +509,7 @@ static int br2684_regvcc(struct atm_vcc *atmvcc, void __user * arg)
        write_lock_irq(&devs_lock);
        net_dev = br2684_find_dev(&be.ifspec);
        if (net_dev == NULL) {
-                pr_err("tried to attach to non-existant device\n");
+                pr_err("tried to attach to non-existent device\n");
                err = -ENXIO;
                goto error;
        }
diff --git a/net/atm/clip.c b/net/atm/clip.c
index d257da50fcfb..1d4be60e1390 100644
--- a/net/atm/clip.c
+++ b/net/atm/clip.c
@@ -502,8 +502,6 @@ static int clip_setentry(struct atm_vcc *vcc, __be32 ip)
        struct atmarp_entry *entry;
        int error;
        struct clip_vcc *clip_vcc;
-        struct flowi fl = { .fl4_dst = ip,
-                            .fl4_tos = 1 };
        struct rtable *rt;
        if (vcc->push != clip_push) {
@@ -520,9 +518,9 @@ static int clip_setentry(struct atm_vcc *vcc, __be32 ip)
                unlink_clip_vcc(clip_vcc);
                return 0;
        }
-        error = ip_route_output_key(&init_net, &rt, &fl);
+        rt = ip_route_output(&init_net, ip, 0, 1, 0);
-        if (error)
+        if (IS_ERR(rt))
-                return error;
+                return PTR_ERR(rt);
        neigh = __neigh_lookup(&clip_tbl, &ip, rt->dst.dev, 1);
        ip_rt_put(rt);
        if (!neigh)
diff --git a/net/atm/common.c b/net/atm/common.c
index 1b9c52a02cd3..22b963d06a10 100644
--- a/net/atm/common.c
+++ b/net/atm/common.c
@@ -252,6 +252,7 @@ void atm_dev_release_vccs(struct atm_dev *dev)
        }
        write_unlock_irq(&vcc_sklist_lock);
 }
+EXPORT_SYMBOL(atm_dev_release_vccs);
 static int adjust_tp(struct atm_trafprm *tp, unsigned char aal)
 {
diff --git a/net/atm/lec.c b/net/atm/lec.c
index 38754fdb88ba..25073b6ef474 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -129,7 +129,6 @@ static struct net_device *dev_lec[MAX_LEC_ITF];
 #if defined(CONFIG_BRIDGE) || defined(CONFIG_BRIDGE_MODULE)
 static void lec_handle_bridge(struct sk_buff *skb, struct net_device *dev)
 {
-        struct ethhdr *eth;
        char *buff;
        struct lec_priv *priv;
@@ -138,7 +137,6 @@ static void lec_handle_bridge(struct sk_buff *skb, struct net_device *dev)
         * LE_TOPOLOGY_REQUEST with the same value of Topology Change bit
         * as the Config BPDU has
         */
-        eth = (struct ethhdr *)skb->data;
        buff = skb->data + skb->dev->hard_header_len;
        if (*buff++ == 0x42 && *buff++ == 0x42 && *buff++ == 0x03) {
                struct sock *sk;
@@ -1180,7 +1178,6 @@ static int __init lane_module_init(void)
 static void __exit lane_module_cleanup(void)
 {
        int i;
-        struct lec_priv *priv;
        remove_proc_entry("lec", atm_proc_root);
@@ -1188,7 +1185,6 @@ static void __exit lane_module_cleanup(void)
        for (i = 0; i < MAX_LEC_ITF; i++) {
                if (dev_lec[i] != NULL) {
-                        priv = netdev_priv(dev_lec[i]);
                        unregister_netdev(dev_lec[i]);
                        free_netdev(dev_lec[i]);
                        dev_lec[i] = NULL;
diff --git a/net/atm/lec.h b/net/atm/lec.h
index 9d14d196cc1d..dfc071966463 100644
--- a/net/atm/lec.h
+++ b/net/atm/lec.h
@@ -35,7 +35,7 @@ struct lecdatahdr_8025 {
 * Operations that LANE2 capable device can do. Two first functions
 * are used to make the device do things. See spec 3.1.3 and 3.1.4.
 *
- * The third function is intented for the MPOA component sitting on
+ * The third function is intended for the MPOA component sitting on
 * top of the LANE device. The MPOA component assigns it's own function
 * to (*associate_indicator)() and the LANE device will use that
 * function to tell about TLVs it sees floating through.
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 6da5daeebab7..e7c69f4619ec 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -1538,8 +1538,6 @@ static int ax25_sendmsg(struct kiocb *iocb, struct socket *sock,
        }
        /* Build a packet */
-        SOCK_DEBUG(sk, "AX.25: sendto: Addresses built. Building packet.\n");
        /* Assume the worst case */
        size = len + ax25->ax25_dev->dev->hard_header_len;
@@ -1549,8 +1547,6 @@ static int ax25_sendmsg(struct kiocb *iocb, struct socket *sock,
        skb_reserve(skb, size - len);
-        SOCK_DEBUG(sk, "AX.25: Appending user data\n");
        /* User data follows immediately after the AX.25 data */
        if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
                err = -EFAULT;
@@ -1564,8 +1560,6 @@ static int ax25_sendmsg(struct kiocb *iocb, struct socket *sock,
        if (!ax25->pidincl)
                *skb_push(skb, 1) = sk->sk_protocol;
-        SOCK_DEBUG(sk, "AX.25: Transmitting buffer\n");
        if (sk->sk_type == SOCK_SEQPACKET) {
                /* Connected mode sockets go via the LAPB machine */
                if (sk->sk_state != TCP_ESTABLISHED) {
@@ -1583,22 +1577,14 @@ static int ax25_sendmsg(struct kiocb *iocb, struct socket *sock,
        skb_push(skb, 1 + ax25_addr_size(dp));
-        SOCK_DEBUG(sk, "Building AX.25 Header (dp=%p).\n", dp);
+        /* Building AX.25 Header */
-        if (dp != NULL)
-                SOCK_DEBUG(sk, "Num digipeaters=%d\n", dp->ndigi);
        /* Build an AX.25 header */
        lv = ax25_addr_build(skb->data, &ax25->source_addr, &sax.sax25_call,
                             dp, AX25_COMMAND, AX25_MODULUS);
-        SOCK_DEBUG(sk, "Built header (%d bytes)\n",lv);
        skb_set_transport_header(skb, lv);
-        SOCK_DEBUG(sk, "base=%p pos=%p\n",
-                   skb->data, skb_transport_header(skb));
        *skb_transport_header(skb) = AX25_UI;
        /* Datagram frames go straight out of the door as UI */
diff --git a/net/ax25/ax25_iface.c b/net/ax25/ax25_iface.c
index 5a0dda8df492..60b545e2822a 100644
--- a/net/ax25/ax25_iface.c
+++ b/net/ax25/ax25_iface.c
@@ -58,7 +58,7 @@ EXPORT_SYMBOL_GPL(ax25_register_pid);
 void ax25_protocol_release(unsigned int pid)
 {
-        struct ax25_protocol *s, *protocol;
+        struct ax25_protocol *protocol;
        write_lock_bh(&protocol_list_lock);
        protocol = protocol_list;
@@ -72,7 +72,6 @@ void ax25_protocol_release(unsigned int pid)
        while (protocol != NULL && protocol->next != NULL) {
                if (protocol->next->pid == pid) {
-                        s = protocol->next;
                        protocol->next = protocol->next->next;
                        goto out;
                }
diff --git a/net/batman-adv/Makefile b/net/batman-adv/Makefile
index d936aeccd194..2de93d00631b 100644
--- a/net/batman-adv/Makefile
+++ b/net/batman-adv/Makefile
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+# Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 #
 # Marek Lindner, Simon Wunderlich
 #
diff --git a/net/batman-adv/aggregation.c b/net/batman-adv/aggregation.c
index 3850a3ecf947..a8c32030527c 100644
--- a/net/batman-adv/aggregation.c
+++ b/net/batman-adv/aggregation.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -23,11 +23,12 @@
 #include "aggregation.h"
 #include "send.h"
 #include "routing.h"
+#include "hard-interface.h"
-/* calculate the size of the hna information for a given packet */
+/* calculate the size of the tt information for a given packet */
-static int hna_len(struct batman_packet *batman_packet)
+static int tt_len(struct batman_packet *batman_packet)
 {
-        return batman_packet->num_hna * ETH_ALEN;
+        return batman_packet->num_tt * ETH_ALEN;
 }
 /* return true if new_packet can be aggregated with forw_packet */
@@ -35,7 +36,7 @@ static bool can_aggregate_with(struct batman_packet *new_batman_packet,
                               int packet_len,
                               unsigned long send_time,
                               bool directlink,
-                               struct batman_if *if_incoming,
+                               struct hard_iface *if_incoming,
                               struct forw_packet *forw_packet)
 {
        struct batman_packet *batman_packet =
@@ -95,23 +96,25 @@ static bool can_aggregate_with(struct batman_packet *new_batman_packet,
        return false;
 }
-#define atomic_dec_not_zero(v)          atomic_add_unless((v), -1, 0)
 /* create a new aggregated packet and add this packet to it */
 static void new_aggregated_packet(unsigned char *packet_buff, int packet_len,
                                  unsigned long send_time, bool direct_link,
-                                  struct batman_if *if_incoming,
+                                  struct hard_iface *if_incoming,
                                  int own_packet)
 {
        struct bat_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
        struct forw_packet *forw_packet_aggr;
        unsigned char *skb_buff;
+        if (!atomic_inc_not_zero(&if_incoming->refcount))
+                return;
        /* own packet should always be scheduled */
        if (!own_packet) {
                if (!atomic_dec_not_zero(&bat_priv->batman_queue_left)) {
                        bat_dbg(DBG_BATMAN, bat_priv,
                                "batman packet queue full\n");
-                        return;
+                        goto out;
                }
        }
@@ -119,7 +122,7 @@ static void new_aggregated_packet(unsigned char *packet_buff, int packet_len,
        if (!forw_packet_aggr) {
                if (!own_packet)
                        atomic_inc(&bat_priv->batman_queue_left);
-                return;
+                goto out;
        }
        if ((atomic_read(&bat_priv->aggregated_ogms)) &&
@@ -134,7 +137,7 @@ static void new_aggregated_packet(unsigned char *packet_buff, int packet_len,
                if (!own_packet)
                        atomic_inc(&bat_priv->batman_queue_left);
                kfree(forw_packet_aggr);
-                return;
+                goto out;
        }
        skb_reserve(forw_packet_aggr->skb, sizeof(struct ethhdr));
@@ -165,6 +168,10 @@ static void new_aggregated_packet(unsigned char *packet_buff, int packet_len,
        queue_delayed_work(bat_event_workqueue,
                           &forw_packet_aggr->delayed_work,
                           send_time - jiffies);
+        return;
+out:
+        hardif_free_ref(if_incoming);
 }
 /* aggregate a new packet into the existing aggregation */
@@ -188,7 +195,7 @@ static void aggregate(struct forw_packet *forw_packet_aggr,
 void add_bat_packet_to_list(struct bat_priv *bat_priv,
                            unsigned char *packet_buff, int packet_len,
-                            struct batman_if *if_incoming, char own_packet,
+                            struct hard_iface *if_incoming, char own_packet,
                            unsigned long send_time)
 {
        /**
@@ -247,11 +254,11 @@ void add_bat_packet_to_list(struct bat_priv *bat_priv,
 /* unpack the aggregated packets and process them one by one */
 void receive_aggr_bat_packet(struct ethhdr *ethhdr, unsigned char *packet_buff,
-                             int packet_len, struct batman_if *if_incoming)
+                             int packet_len, struct hard_iface *if_incoming)
 {
        struct batman_packet *batman_packet;
        int buff_pos = 0;
-        unsigned char *hna_buff;
+        unsigned char *tt_buff;
        batman_packet = (struct batman_packet *)packet_buff;
@@ -260,14 +267,14 @@ void receive_aggr_bat_packet(struct ethhdr *ethhdr, unsigned char *packet_buff,
                   orig_interval. */
                batman_packet->seqno = ntohl(batman_packet->seqno);
-                hna_buff = packet_buff + buff_pos + BAT_PACKET_LEN;
+                tt_buff = packet_buff + buff_pos + BAT_PACKET_LEN;
                receive_bat_packet(ethhdr, batman_packet,
-                                   hna_buff, hna_len(batman_packet),
+                                   tt_buff, tt_len(batman_packet),
                                   if_incoming);
-                buff_pos += BAT_PACKET_LEN + hna_len(batman_packet);
+                buff_pos += BAT_PACKET_LEN + tt_len(batman_packet);
                batman_packet = (struct batman_packet *)
                        (packet_buff + buff_pos);
        } while (aggregated_packet(buff_pos, packet_len,
-                                   batman_packet->num_hna));
+                                   batman_packet->num_tt));
 }
diff --git a/net/batman-adv/aggregation.h b/net/batman-adv/aggregation.h
index 71a91b3da913..7e6d72fbf540 100644
--- a/net/batman-adv/aggregation.h
+++ b/net/batman-adv/aggregation.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -25,9 +25,9 @@
 #include "main.h"
 /* is there another aggregated packet here? */
-static inline int aggregated_packet(int buff_pos, int packet_len, int num_hna)
+static inline int aggregated_packet(int buff_pos, int packet_len, int num_tt)
 {
-        int next_buff_pos = buff_pos + BAT_PACKET_LEN + (num_hna * ETH_ALEN);
+        int next_buff_pos = buff_pos + BAT_PACKET_LEN + (num_tt * ETH_ALEN);
        return (next_buff_pos <= packet_len) &&
                (next_buff_pos <= MAX_AGGREGATION_BYTES);
@@ -35,9 +35,9 @@ static inline int aggregated_packet(int buff_pos, int packet_len, int num_hna)
 void add_bat_packet_to_list(struct bat_priv *bat_priv,
                            unsigned char *packet_buff, int packet_len,
-                            struct batman_if *if_incoming, char own_packet,
+                            struct hard_iface *if_incoming, char own_packet,
                            unsigned long send_time);
 void receive_aggr_bat_packet(struct ethhdr *ethhdr, unsigned char *packet_buff,
-                             int packet_len, struct batman_if *if_incoming);
+                             int packet_len, struct hard_iface *if_incoming);
 #endif /* _NET_BATMAN_ADV_AGGREGATION_H_ */
diff --git a/net/batman-adv/bat_debugfs.c b/net/batman-adv/bat_debugfs.c
index 0ae81d07f102..abaeec5f6247 100644
--- a/net/batman-adv/bat_debugfs.c
+++ b/net/batman-adv/bat_debugfs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2010-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner
 *
@@ -52,7 +52,6 @@ static void emit_log_char(struct debug_log *debug_log, char c)
 static int fdebug_log(struct debug_log *debug_log, char *fmt, ...)
 {
-        int printed_len;
        va_list args;
        static char debug_log_buf[256];
        char *p;
@@ -62,8 +61,7 @@ static int fdebug_log(struct debug_log *debug_log, char *fmt, ...)
        spin_lock_bh(&debug_log->lock);
        va_start(args, fmt);
-        printed_len = vscnprintf(debug_log_buf, sizeof(debug_log_buf),
+        vscnprintf(debug_log_buf, sizeof(debug_log_buf), fmt, args);
-                                 fmt, args);
        va_end(args);
        for (p = debug_log_buf; *p != 0; p++)
@@ -243,13 +241,13 @@ static int softif_neigh_open(struct inode *inode, struct file *file)
 static int transtable_global_open(struct inode *inode, struct file *file)
 {
        struct net_device *net_dev = (struct net_device *)inode->i_private;
-        return single_open(file, hna_global_seq_print_text, net_dev);
+        return single_open(file, tt_global_seq_print_text, net_dev);
 }
 static int transtable_local_open(struct inode *inode, struct file *file)
 {
        struct net_device *net_dev = (struct net_device *)inode->i_private;
-        return single_open(file, hna_local_seq_print_text, net_dev);
+        return single_open(file, tt_local_seq_print_text, net_dev);
 }
 static int vis_data_open(struct inode *inode, struct file *file)
diff --git a/net/batman-adv/bat_debugfs.h b/net/batman-adv/bat_debugfs.h
index 72df532b7d5f..bc9cda3f01e1 100644
--- a/net/batman-adv/bat_debugfs.h
+++ b/net/batman-adv/bat_debugfs.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2010-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner
 *
diff --git a/net/batman-adv/bat_sysfs.c b/net/batman-adv/bat_sysfs.c
index cd7bb51825f1..497a0700cc3c 100644
--- a/net/batman-adv/bat_sysfs.c
+++ b/net/batman-adv/bat_sysfs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2010-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner
 *
@@ -441,16 +441,16 @@ static ssize_t show_mesh_iface(struct kobject *kobj, struct attribute *attr,
                               char *buff)
 {
        struct net_device *net_dev = kobj_to_netdev(kobj);
-        struct batman_if *batman_if = get_batman_if_by_netdev(net_dev);
+        struct hard_iface *hard_iface = hardif_get_by_netdev(net_dev);
        ssize_t length;
-        if (!batman_if)
+        if (!hard_iface)
                return 0;
-        length = sprintf(buff, "%s\n", batman_if->if_status == IF_NOT_IN_USE ?
+        length = sprintf(buff, "%s\n", hard_iface->if_status == IF_NOT_IN_USE ?
-                         "none" : batman_if->soft_iface->name);
+                         "none" : hard_iface->soft_iface->name);
-        kref_put(&batman_if->refcount, hardif_free_ref);
+        hardif_free_ref(hard_iface);
        return length;
 }
@@ -459,11 +459,11 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr,
                                char *buff, size_t count)
 {
        struct net_device *net_dev = kobj_to_netdev(kobj);
-        struct batman_if *batman_if = get_batman_if_by_netdev(net_dev);
+        struct hard_iface *hard_iface = hardif_get_by_netdev(net_dev);
        int status_tmp = -1;
-        int ret;
+        int ret = count;
-        if (!batman_if)
+        if (!hard_iface)
                return count;
        if (buff[count - 1] == '\n')
@@ -472,7 +472,7 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr,
        if (strlen(buff) >= IFNAMSIZ) {
                pr_err("Invalid parameter for 'mesh_iface' setting received: "
                       "interface name too long '%s'\n", buff);
-                kref_put(&batman_if->refcount, hardif_free_ref);
+                hardif_free_ref(hard_iface);
                return -EINVAL;
        }
@@ -481,30 +481,33 @@ static ssize_t store_mesh_iface(struct kobject *kobj, struct attribute *attr,
        else
                status_tmp = IF_I_WANT_YOU;
-        if ((batman_if->if_status == status_tmp) || ((batman_if->soft_iface) &&
+        if (hard_iface->if_status == status_tmp)
-            (strncmp(batman_if->soft_iface->name, buff, IFNAMSIZ) == 0))) {
+                goto out;
-                kref_put(&batman_if->refcount, hardif_free_ref);
-                return count;
+        if ((hard_iface->soft_iface) &&
+            (strncmp(hard_iface->soft_iface->name, buff, IFNAMSIZ) == 0))
+                goto out;
+        if (!rtnl_trylock()) {
+                ret = -ERESTARTSYS;
+                goto out;
        }
        if (status_tmp == IF_NOT_IN_USE) {
-                rtnl_lock();
+                hardif_disable_interface(hard_iface);
-                hardif_disable_interface(batman_if);
+                goto unlock;
-                rtnl_unlock();
-                kref_put(&batman_if->refcount, hardif_free_ref);
-                return count;
        }
        /* if the interface already is in use */
-        if (batman_if->if_status != IF_NOT_IN_USE) {
+        if (hard_iface->if_status != IF_NOT_IN_USE)
-                rtnl_lock();
+                hardif_disable_interface(hard_iface);
-                hardif_disable_interface(batman_if);
-                rtnl_unlock();
-        }
-        ret = hardif_enable_interface(batman_if, buff);
+        ret = hardif_enable_interface(hard_iface, buff);
-        kref_put(&batman_if->refcount, hardif_free_ref);
+unlock:
+        rtnl_unlock();
+out:
+        hardif_free_ref(hard_iface);
        return ret;
 }
@@ -512,13 +515,13 @@ static ssize_t show_iface_status(struct kobject *kobj, struct attribute *attr,
                                 char *buff)
 {
        struct net_device *net_dev = kobj_to_netdev(kobj);
-        struct batman_if *batman_if = get_batman_if_by_netdev(net_dev);
+        struct hard_iface *hard_iface = hardif_get_by_netdev(net_dev);
        ssize_t length;
-        if (!batman_if)
+        if (!hard_iface)
                return 0;
-        switch (batman_if->if_status) {
+        switch (hard_iface->if_status) {
        case IF_TO_BE_REMOVED:
                length = sprintf(buff, "disabling\n");
                break;
@@ -537,7 +540,7 @@ static ssize_t show_iface_status(struct kobject *kobj, struct attribute *attr,
                break;
        }
-        kref_put(&batman_if->refcount, hardif_free_ref);
+        hardif_free_ref(hard_iface);
        return length;
 }
diff --git a/net/batman-adv/bat_sysfs.h b/net/batman-adv/bat_sysfs.h
index 7f186c007b4f..02f1fa7aadfa 100644
--- a/net/batman-adv/bat_sysfs.h
+++ b/net/batman-adv/bat_sysfs.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2010-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner
 *
diff --git a/net/batman-adv/bitarray.c b/net/batman-adv/bitarray.c
index bbcd8f744cdd..ad2ca925b3e0 100644
--- a/net/batman-adv/bitarray.c
+++ b/net/batman-adv/bitarray.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2006-2011 B.A.T.M.A.N. contributors:
 *
 * Simon Wunderlich, Marek Lindner
 *
diff --git a/net/batman-adv/bitarray.h b/net/batman-adv/bitarray.h
index ac54017601b1..769c246d1fc1 100644
--- a/net/batman-adv/bitarray.h
+++ b/net/batman-adv/bitarray.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2006-2011 B.A.T.M.A.N. contributors:
 *
 * Simon Wunderlich, Marek Lindner
 *
diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
index 0065ffb8d96d..61605a0f3f39 100644
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2009-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner
 *
@@ -23,63 +23,88 @@
 #include "gateway_client.h"
 #include "gateway_common.h"
 #include "hard-interface.h"
+#include "originator.h"
 #include <linux/ip.h>
 #include <linux/ipv6.h>
 #include <linux/udp.h>
 #include <linux/if_vlan.h>
-static void gw_node_free_ref(struct kref *refcount)
+static void gw_node_free_ref(struct gw_node *gw_node)
 {
-        struct gw_node *gw_node;
+        if (atomic_dec_and_test(&gw_node->refcount))
+                kfree_rcu(gw_node, rcu);
-        gw_node = container_of(refcount, struct gw_node, refcount);
-        kfree(gw_node);
 }
-static void gw_node_free_rcu(struct rcu_head *rcu)
+static struct gw_node *gw_get_selected_gw_node(struct bat_priv *bat_priv)
 {
        struct gw_node *gw_node;
-        gw_node = container_of(rcu, struct gw_node, rcu);
+        rcu_read_lock();
-        kref_put(&gw_node->refcount, gw_node_free_ref);
+        gw_node = rcu_dereference(bat_priv->curr_gw);
-}
+        if (!gw_node)
+                goto out;
-void *gw_get_selected(struct bat_priv *bat_priv)
-{
-        struct gw_node *curr_gateway_tmp = bat_priv->curr_gw;
-        if (!curr_gateway_tmp)
+        if (!atomic_inc_not_zero(&gw_node->refcount))
-                return NULL;
+                gw_node = NULL;
-        return curr_gateway_tmp->orig_node;
+out:
+        rcu_read_unlock();
+        return gw_node;
 }
-void gw_deselect(struct bat_priv *bat_priv)
+struct orig_node *gw_get_selected_orig(struct bat_priv *bat_priv)
 {
-        struct gw_node *gw_node = bat_priv->curr_gw;
+        struct gw_node *gw_node;
+        struct orig_node *orig_node = NULL;
+        gw_node = gw_get_selected_gw_node(bat_priv);
+        if (!gw_node)
+                goto out;
+        rcu_read_lock();
+        orig_node = gw_node->orig_node;
+        if (!orig_node)
+                goto unlock;
-        bat_priv->curr_gw = NULL;
+        if (!atomic_inc_not_zero(&orig_node->refcount))
+                orig_node = NULL;
+unlock:
+        rcu_read_unlock();
+out:
        if (gw_node)
-                kref_put(&gw_node->refcount, gw_node_free_ref);
+                gw_node_free_ref(gw_node);
+        return orig_node;
 }
-static struct gw_node *gw_select(struct bat_priv *bat_priv,
+static void gw_select(struct bat_priv *bat_priv, struct gw_node *new_gw_node)
-                          struct gw_node *new_gw_node)
 {
-        struct gw_node *curr_gw_node = bat_priv->curr_gw;
+        struct gw_node *curr_gw_node;
+        spin_lock_bh(&bat_priv->gw_list_lock);
-        if (new_gw_node)
+        if (new_gw_node && !atomic_inc_not_zero(&new_gw_node->refcount))
-                kref_get(&new_gw_node->refcount);
+                new_gw_node = NULL;
-        bat_priv->curr_gw = new_gw_node;
+        curr_gw_node = bat_priv->curr_gw;
-        return curr_gw_node;
+        rcu_assign_pointer(bat_priv->curr_gw, new_gw_node);
+        if (curr_gw_node)
+                gw_node_free_ref(curr_gw_node);
+        spin_unlock_bh(&bat_priv->gw_list_lock);
+}
+void gw_deselect(struct bat_priv *bat_priv)
+{
+        gw_select(bat_priv, NULL);
 }
 void gw_election(struct bat_priv *bat_priv)
 {
        struct hlist_node *node;
-        struct gw_node *gw_node, *curr_gw_tmp = NULL, *old_gw_node = NULL;
+        struct gw_node *gw_node, *curr_gw = NULL, *curr_gw_tmp = NULL;
+        struct neigh_node *router;
        uint8_t max_tq = 0;
        uint32_t max_gw_factor = 0, tmp_gw_factor = 0;
        int down, up;
@@ -93,28 +118,25 @@ void gw_election(struct bat_priv *bat_priv)
        if (atomic_read(&bat_priv->gw_mode) != GW_MODE_CLIENT)
                return;
-        if (bat_priv->curr_gw)
+        curr_gw = gw_get_selected_gw_node(bat_priv);
-                return;
+        if (curr_gw)
+                goto out;
        rcu_read_lock();
        if (hlist_empty(&bat_priv->gw_list)) {
-                rcu_read_unlock();
+                bat_dbg(DBG_BATMAN, bat_priv,
+                        "Removing selected gateway - "
-                if (bat_priv->curr_gw) {
+                        "no gateway in range\n");
-                        bat_dbg(DBG_BATMAN, bat_priv,
+                gw_deselect(bat_priv);
-                                "Removing selected gateway - "
+                goto unlock;
-                                "no gateway in range\n");
-                        gw_deselect(bat_priv);
-                }
-                return;
        }
        hlist_for_each_entry_rcu(gw_node, node, &bat_priv->gw_list, list) {
-                if (!gw_node->orig_node->router)
+                if (gw_node->deleted)
                        continue;
-                if (gw_node->deleted)
+                router = orig_node_get_router(gw_node->orig_node);
+                if (!router)
                        continue;
                switch (atomic_read(&bat_priv->gw_sel_class)) {
@@ -122,15 +144,14 @@ void gw_election(struct bat_priv *bat_priv)
                        gw_bandwidth_to_kbit(gw_node->orig_node->gw_flags,
                                             &down, &up);
-                        tmp_gw_factor = (gw_node->orig_node->router->tq_avg *
+                        tmp_gw_factor = (router->tq_avg * router->tq_avg *
-                                         gw_node->orig_node->router->tq_avg *
                                         down * 100 * 100) /
                                         (TQ_LOCAL_WINDOW_SIZE *
                                         TQ_LOCAL_WINDOW_SIZE * 64);
                        if ((tmp_gw_factor > max_gw_factor) ||
                            ((tmp_gw_factor == max_gw_factor) &&
-                             (gw_node->orig_node->router->tq_avg > max_tq)))
+                             (router->tq_avg > max_tq)))
                                curr_gw_tmp = gw_node;
                        break;
@@ -142,75 +163,83 @@ void gw_election(struct bat_priv *bat_priv)
                          *     soon as a better gateway appears which has
                          *     $routing_class more tq points)
                          **/
-                        if (gw_node->orig_node->router->tq_avg > max_tq)
+                        if (router->tq_avg > max_tq)
                                curr_gw_tmp = gw_node;
                        break;
                }
-                if (gw_node->orig_node->router->tq_avg > max_tq)
+                if (router->tq_avg > max_tq)
-                        max_tq = gw_node->orig_node->router->tq_avg;
+                        max_tq = router->tq_avg;
                if (tmp_gw_factor > max_gw_factor)
                        max_gw_factor = tmp_gw_factor;
+                neigh_node_free_ref(router);
        }
-        if (bat_priv->curr_gw != curr_gw_tmp) {
+        if (curr_gw != curr_gw_tmp) {
-                if ((bat_priv->curr_gw) && (!curr_gw_tmp))
+                router = orig_node_get_router(curr_gw_tmp->orig_node);
+                if (!router)
+                        goto unlock;
+                if ((curr_gw) && (!curr_gw_tmp))
                        bat_dbg(DBG_BATMAN, bat_priv,
                                "Removing selected gateway - "
                                "no gateway in range\n");
-                else if ((!bat_priv->curr_gw) && (curr_gw_tmp))
+                else if ((!curr_gw) && (curr_gw_tmp))
                        bat_dbg(DBG_BATMAN, bat_priv,
                                "Adding route to gateway %pM "
                                "(gw_flags: %i, tq: %i)\n",
                                curr_gw_tmp->orig_node->orig,
                                curr_gw_tmp->orig_node->gw_flags,
-                                curr_gw_tmp->orig_node->router->tq_avg);
+                                router->tq_avg);
                else
                        bat_dbg(DBG_BATMAN, bat_priv,
                                "Changing route to gateway %pM "
                                "(gw_flags: %i, tq: %i)\n",
                                curr_gw_tmp->orig_node->orig,
                                curr_gw_tmp->orig_node->gw_flags,
-                                curr_gw_tmp->orig_node->router->tq_avg);
+                                router->tq_avg);
-                old_gw_node = gw_select(bat_priv, curr_gw_tmp);
+                neigh_node_free_ref(router);
+                gw_select(bat_priv, curr_gw_tmp);
        }
+unlock:
        rcu_read_unlock();
+out:
-        /* the kfree() has to be outside of the rcu lock */
+        if (curr_gw)
-        if (old_gw_node)
+                gw_node_free_ref(curr_gw);
-                kref_put(&old_gw_node->refcount, gw_node_free_ref);
 }
 void gw_check_election(struct bat_priv *bat_priv, struct orig_node *orig_node)
 {
-        struct gw_node *curr_gateway_tmp = bat_priv->curr_gw;
+        struct orig_node *curr_gw_orig;
+        struct neigh_node *router_gw = NULL, *router_orig = NULL;
        uint8_t gw_tq_avg, orig_tq_avg;
-        if (!curr_gateway_tmp)
+        curr_gw_orig = gw_get_selected_orig(bat_priv);
-                return;
+        if (!curr_gw_orig)
-        if (!curr_gateway_tmp->orig_node)
                goto deselect;
-        if (!curr_gateway_tmp->orig_node->router)
+        router_gw = orig_node_get_router(curr_gw_orig);
+        if (!router_gw)
                goto deselect;
        /* this node already is the gateway */
-        if (curr_gateway_tmp->orig_node == orig_node)
+        if (curr_gw_orig == orig_node)
-                return;
+                goto out;
-        if (!orig_node->router)
+        router_orig = orig_node_get_router(orig_node);
-                return;
+        if (!router_orig)
+                goto out;
-        gw_tq_avg = curr_gateway_tmp->orig_node->router->tq_avg;
+        gw_tq_avg = router_gw->tq_avg;
-        orig_tq_avg = orig_node->router->tq_avg;
+        orig_tq_avg = router_orig->tq_avg;
        /* the TQ value has to be better */
        if (orig_tq_avg < gw_tq_avg)
-                return;
+                goto out;
        /**
         * if the routing class is greater than 3 the value tells us how much
@@ -218,7 +247,7 @@ void gw_check_election(struct bat_priv *bat_priv, struct orig_node *orig_node)
         **/
        if ((atomic_read(&bat_priv->gw_sel_class) > 3) &&
            (orig_tq_avg - gw_tq_avg < atomic_read(&bat_priv->gw_sel_class)))
-                return;
+                goto out;
        bat_dbg(DBG_BATMAN, bat_priv,
                "Restarting gateway selection: better gateway found (tq curr: "
@@ -227,6 +256,15 @@ void gw_check_election(struct bat_priv *bat_priv, struct orig_node *orig_node)
 deselect:
        gw_deselect(bat_priv);
+out:
+        if (curr_gw_orig)
+                orig_node_free_ref(curr_gw_orig);
+        if (router_gw)
+                neigh_node_free_ref(router_gw);
+        if (router_orig)
+                neigh_node_free_ref(router_orig);
+        return;
 }
 static void gw_node_add(struct bat_priv *bat_priv,
@@ -242,7 +280,7 @@ static void gw_node_add(struct bat_priv *bat_priv,
        memset(gw_node, 0, sizeof(struct gw_node));
        INIT_HLIST_NODE(&gw_node->list);
        gw_node->orig_node = orig_node;
-        kref_init(&gw_node->refcount);
+        atomic_set(&gw_node->refcount, 1);
        spin_lock_bh(&bat_priv->gw_list_lock);
        hlist_add_head_rcu(&gw_node->list, &bat_priv->gw_list);
@@ -262,7 +300,15 @@ void gw_node_update(struct bat_priv *bat_priv,
                    struct orig_node *orig_node, uint8_t new_gwflags)
 {
        struct hlist_node *node;
-        struct gw_node *gw_node;
+        struct gw_node *gw_node, *curr_gw;
+        /**
+         * Note: We don't need a NULL check here, since curr_gw never gets
+         * dereferenced. If curr_gw is NULL we also should not exit as we may
+         * have this gateway in our list (duplication check!) even though we
+         * have no currently selected gateway.
+         */
+        curr_gw = gw_get_selected_gw_node(bat_priv);
        rcu_read_lock();
        hlist_for_each_entry_rcu(gw_node, node, &bat_priv->gw_list, list) {
@@ -283,22 +329,26 @@ void gw_node_update(struct bat_priv *bat_priv,
                                "Gateway %pM removed from gateway list\n",
                                orig_node->orig);
-                        if (gw_node == bat_priv->curr_gw) {
+                        if (gw_node == curr_gw)
-                                rcu_read_unlock();
+                                goto deselect;
-                                gw_deselect(bat_priv);
-                                return;
-                        }
                }
-                rcu_read_unlock();
+                goto unlock;
-                return;
        }
-        rcu_read_unlock();
        if (new_gwflags == 0)
-                return;
+                goto unlock;
        gw_node_add(bat_priv, orig_node, new_gwflags);
+        goto unlock;
+deselect:
+        gw_deselect(bat_priv);
+unlock:
+        rcu_read_unlock();
+        if (curr_gw)
+                gw_node_free_ref(curr_gw);
 }
 void gw_node_delete(struct bat_priv *bat_priv, struct orig_node *orig_node)
@@ -308,9 +358,12 @@ void gw_node_delete(struct bat_priv *bat_priv, struct orig_node *orig_node)
 void gw_node_purge(struct bat_priv *bat_priv)
 {
-        struct gw_node *gw_node;
+        struct gw_node *gw_node, *curr_gw;
        struct hlist_node *node, *node_tmp;
        unsigned long timeout = 2 * PURGE_TIMEOUT * HZ;
+        char do_deselect = 0;
+        curr_gw = gw_get_selected_gw_node(bat_priv);
        spin_lock_bh(&bat_priv->gw_list_lock);
@@ -321,75 +374,99 @@ void gw_node_purge(struct bat_priv *bat_priv)
                    atomic_read(&bat_priv->mesh_state) == MESH_ACTIVE)
                        continue;
-                if (bat_priv->curr_gw == gw_node)
+                if (curr_gw == gw_node)
-                        gw_deselect(bat_priv);
+                        do_deselect = 1;
                hlist_del_rcu(&gw_node->list);
-                call_rcu(&gw_node->rcu, gw_node_free_rcu);
+                gw_node_free_ref(gw_node);
        }
        spin_unlock_bh(&bat_priv->gw_list_lock);
+        /* gw_deselect() needs to acquire the gw_list_lock */
+        if (do_deselect)
+                gw_deselect(bat_priv);
+        if (curr_gw)
+                gw_node_free_ref(curr_gw);
 }
+/**
+ * fails if orig_node has no router
+ */
 static int _write_buffer_text(struct bat_priv *bat_priv,
                              struct seq_file *seq, struct gw_node *gw_node)
 {
-        int down, up;
+        struct gw_node *curr_gw;
+        struct neigh_node *router;
+        int down, up, ret = -1;
        gw_bandwidth_to_kbit(gw_node->orig_node->gw_flags, &down, &up);
-        return seq_printf(seq, "%s %pM (%3i) %pM [%10s]: %3i - %i%s/%i%s\n",
+        router = orig_node_get_router(gw_node->orig_node);
-                       (bat_priv->curr_gw == gw_node ? "=>" : "  "),
+        if (!router)
-                       gw_node->orig_node->orig,
+                goto out;
-                       gw_node->orig_node->router->tq_avg,
-                       gw_node->orig_node->router->addr,
+        curr_gw = gw_get_selected_gw_node(bat_priv);
-                       gw_node->orig_node->router->if_incoming->net_dev->name,
-                       gw_node->orig_node->gw_flags,
+        ret = seq_printf(seq, "%s %pM (%3i) %pM [%10s]: %3i - %i%s/%i%s\n",
-                       (down > 2048 ? down / 1024 : down),
+                         (curr_gw == gw_node ? "=>" : "  "),
-                       (down > 2048 ? "MBit" : "KBit"),
+                         gw_node->orig_node->orig,
-                       (up > 2048 ? up / 1024 : up),
+                         router->tq_avg, router->addr,
-                       (up > 2048 ? "MBit" : "KBit"));
+                         router->if_incoming->net_dev->name,
+                         gw_node->orig_node->gw_flags,
+                         (down > 2048 ? down / 1024 : down),
+                         (down > 2048 ? "MBit" : "KBit"),
+                         (up > 2048 ? up / 1024 : up),
+                         (up > 2048 ? "MBit" : "KBit"));
+        neigh_node_free_ref(router);
+        if (curr_gw)
+                gw_node_free_ref(curr_gw);
+out:
+        return ret;
 }
 int gw_client_seq_print_text(struct seq_file *seq, void *offset)
 {
        struct net_device *net_dev = (struct net_device *)seq->private;
        struct bat_priv *bat_priv = netdev_priv(net_dev);
+        struct hard_iface *primary_if;
        struct gw_node *gw_node;
        struct hlist_node *node;
-        int gw_count = 0;
+        int gw_count = 0, ret = 0;
-        if (!bat_priv->primary_if) {
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if) {
-                return seq_printf(seq, "BATMAN mesh %s disabled - please "
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - please "
-                                  "specify interfaces to enable it\n",
+                                 "specify interfaces to enable it\n",
-                                  net_dev->name);
+                                 net_dev->name);
+                goto out;
        }
-        if (bat_priv->primary_if->if_status != IF_ACTIVE) {
+        if (primary_if->if_status != IF_ACTIVE) {
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - "
-                return seq_printf(seq, "BATMAN mesh %s disabled - "
+                                 "primary interface not active\n",
-                                       "primary interface not active\n",
+                                 net_dev->name);
-                                       net_dev->name);
+                goto out;
        }
        seq_printf(seq, "      %-12s (%s/%i) %17s [%10s]: gw_class ... "
                   "[B.A.T.M.A.N. adv %s%s, MainIF/MAC: %s/%pM (%s)]\n",
                   "Gateway", "#", TQ_MAX_VALUE, "Nexthop",
                   "outgoingIF", SOURCE_VERSION, REVISION_VERSION_STR,
-                   bat_priv->primary_if->net_dev->name,
+                   primary_if->net_dev->name,
-                   bat_priv->primary_if->net_dev->dev_addr, net_dev->name);
+                   primary_if->net_dev->dev_addr, net_dev->name);
        rcu_read_lock();
        hlist_for_each_entry_rcu(gw_node, node, &bat_priv->gw_list, list) {
                if (gw_node->deleted)
                        continue;
-                if (!gw_node->orig_node->router)
+                /* fails if orig_node has no router */
+                if (_write_buffer_text(bat_priv, seq, gw_node) < 0)
                        continue;
-                _write_buffer_text(bat_priv, seq, gw_node);
                gw_count++;
        }
        rcu_read_unlock();
@@ -397,7 +474,10 @@ int gw_client_seq_print_text(struct seq_file *seq, void *offset)
        if (gw_count == 0)
                seq_printf(seq, "No gateways in range ...\n");
-        return 0;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        return ret;
 }
 int gw_is_target(struct bat_priv *bat_priv, struct sk_buff *skb)
@@ -406,6 +486,7 @@ int gw_is_target(struct bat_priv *bat_priv, struct sk_buff *skb)
        struct iphdr *iphdr;
        struct ipv6hdr *ipv6hdr;
        struct udphdr *udphdr;
+        struct gw_node *curr_gw;
        unsigned int header_len = 0;
        if (atomic_read(&bat_priv->gw_mode) == GW_MODE_OFF)
@@ -470,8 +551,11 @@ int gw_is_target(struct bat_priv *bat_priv, struct sk_buff *skb)
        if (atomic_read(&bat_priv->gw_mode) == GW_MODE_SERVER)
                return -1;
-        if (!bat_priv->curr_gw)
+        curr_gw = gw_get_selected_gw_node(bat_priv);
+        if (!curr_gw)
                return 0;
+        if (curr_gw)
+                gw_node_free_ref(curr_gw);
        return 1;
 }
diff --git a/net/batman-adv/gateway_client.h b/net/batman-adv/gateway_client.h
index 4585e6549844..1ce8c6066da1 100644
--- a/net/batman-adv/gateway_client.h
+++ b/net/batman-adv/gateway_client.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2009-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner
 *
@@ -24,7 +24,7 @@
 void gw_deselect(struct bat_priv *bat_priv);
 void gw_election(struct bat_priv *bat_priv);
-void *gw_get_selected(struct bat_priv *bat_priv);
+struct orig_node *gw_get_selected_orig(struct bat_priv *bat_priv);
 void gw_check_election(struct bat_priv *bat_priv, struct orig_node *orig_node);
 void gw_node_update(struct bat_priv *bat_priv,
                    struct orig_node *orig_node, uint8_t new_gwflags);
diff --git a/net/batman-adv/gateway_common.c b/net/batman-adv/gateway_common.c
index b962982f017e..50d3a59a3d73 100644
--- a/net/batman-adv/gateway_common.c
+++ b/net/batman-adv/gateway_common.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2009-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner
 *
diff --git a/net/batman-adv/gateway_common.h b/net/batman-adv/gateway_common.h
index 5e728d0b7959..55e527a489fe 100644
--- a/net/batman-adv/gateway_common.h
+++ b/net/batman-adv/gateway_common.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2009-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner
 *
diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
index 4f95777ce080..dfbfccc9fe40 100644
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -31,36 +31,37 @@
 #include <linux/if_arp.h>
-/* protect update critical side of if_list - but not the content */
-static DEFINE_SPINLOCK(if_list_lock);
-static void hardif_free_rcu(struct rcu_head *rcu)
+static int batman_skb_recv(struct sk_buff *skb,
+                           struct net_device *dev,
+                           struct packet_type *ptype,
+                           struct net_device *orig_dev);
+void hardif_free_rcu(struct rcu_head *rcu)
 {
-        struct batman_if *batman_if;
+        struct hard_iface *hard_iface;
-        batman_if = container_of(rcu, struct batman_if, rcu);
+        hard_iface = container_of(rcu, struct hard_iface, rcu);
-        dev_put(batman_if->net_dev);
+        dev_put(hard_iface->net_dev);
-        kref_put(&batman_if->refcount, hardif_free_ref);
+        kfree(hard_iface);
 }
-struct batman_if *get_batman_if_by_netdev(struct net_device *net_dev)
+struct hard_iface *hardif_get_by_netdev(struct net_device *net_dev)
 {
-        struct batman_if *batman_if;
+        struct hard_iface *hard_iface;
        rcu_read_lock();
-        list_for_each_entry_rcu(batman_if, &if_list, list) {
+        list_for_each_entry_rcu(hard_iface, &hardif_list, list) {
-                if (batman_if->net_dev == net_dev)
+                if (hard_iface->net_dev == net_dev &&
+                    atomic_inc_not_zero(&hard_iface->refcount))
                        goto out;
        }
-        batman_if = NULL;
+        hard_iface = NULL;
 out:
-        if (batman_if)
-                kref_get(&batman_if->refcount);
        rcu_read_unlock();
-        return batman_if;
+        return hard_iface;
 }
 static int is_valid_iface(struct net_device *net_dev)
@@ -75,13 +76,8 @@ static int is_valid_iface(struct net_device *net_dev)
                return 0;
        /* no batman over batman */
-#ifdef HAVE_NET_DEVICE_OPS
+        if (softif_is_valid(net_dev))
-        if (net_dev->netdev_ops->ndo_start_xmit == interface_tx)
-                return 0;
-#else
-        if (net_dev->hard_start_xmit == interface_tx)
                return 0;
-#endif
        /* Device is being bridged */
        /* if (net_dev->priv_flags & IFF_BRIDGE_PORT)
@@ -90,108 +86,116 @@ static int is_valid_iface(struct net_device *net_dev)
        return 1;
 }
-static struct batman_if *get_active_batman_if(struct net_device *soft_iface)
+static struct hard_iface *hardif_get_active(struct net_device *soft_iface)
 {
-        struct batman_if *batman_if;
+        struct hard_iface *hard_iface;
        rcu_read_lock();
-        list_for_each_entry_rcu(batman_if, &if_list, list) {
+        list_for_each_entry_rcu(hard_iface, &hardif_list, list) {
-                if (batman_if->soft_iface != soft_iface)
+                if (hard_iface->soft_iface != soft_iface)
                        continue;
-                if (batman_if->if_status == IF_ACTIVE)
+                if (hard_iface->if_status == IF_ACTIVE &&
+                    atomic_inc_not_zero(&hard_iface->refcount))
                        goto out;
        }
-        batman_if = NULL;
+        hard_iface = NULL;
 out:
-        if (batman_if)
-                kref_get(&batman_if->refcount);
        rcu_read_unlock();
-        return batman_if;
+        return hard_iface;
 }
-static void update_primary_addr(struct bat_priv *bat_priv)
+static void primary_if_update_addr(struct bat_priv *bat_priv)
 {
        struct vis_packet *vis_packet;
+        struct hard_iface *primary_if;
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
+                goto out;
        vis_packet = (struct vis_packet *)
                                bat_priv->my_vis_info->skb_packet->data;
-        memcpy(vis_packet->vis_orig,
+        memcpy(vis_packet->vis_orig, primary_if->net_dev->dev_addr, ETH_ALEN);
-               bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
        memcpy(vis_packet->sender_orig,
-               bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
+               primary_if->net_dev->dev_addr, ETH_ALEN);
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
 }
-static void set_primary_if(struct bat_priv *bat_priv,
+static void primary_if_select(struct bat_priv *bat_priv,
-                           struct batman_if *batman_if)
+                              struct hard_iface *new_hard_iface)
 {
+        struct hard_iface *curr_hard_iface;
        struct batman_packet *batman_packet;
-        struct batman_if *old_if;
-        if (batman_if)
+        ASSERT_RTNL();
-                kref_get(&batman_if->refcount);
+        if (new_hard_iface && !atomic_inc_not_zero(&new_hard_iface->refcount))
+                new_hard_iface = NULL;
-        old_if = bat_priv->primary_if;
+        curr_hard_iface = bat_priv->primary_if;
-        bat_priv->primary_if = batman_if;
+        rcu_assign_pointer(bat_priv->primary_if, new_hard_iface);
-        if (old_if)
+        if (curr_hard_iface)
-                kref_put(&old_if->refcount, hardif_free_ref);
+                hardif_free_ref(curr_hard_iface);
-        if (!bat_priv->primary_if)
+        if (!new_hard_iface)
                return;
-        batman_packet = (struct batman_packet *)(batman_if->packet_buff);
+        batman_packet = (struct batman_packet *)(new_hard_iface->packet_buff);
        batman_packet->flags = PRIMARIES_FIRST_HOP;
        batman_packet->ttl = TTL;
-        update_primary_addr(bat_priv);
+        primary_if_update_addr(bat_priv);
        /***
-         * hacky trick to make sure that we send the HNA information via
+         * hacky trick to make sure that we send the TT information via
         * our new primary interface
         */
-        atomic_set(&bat_priv->hna_local_changed, 1);
+        atomic_set(&bat_priv->tt_local_changed, 1);
 }
-static bool hardif_is_iface_up(struct batman_if *batman_if)
+static bool hardif_is_iface_up(struct hard_iface *hard_iface)
 {
-        if (batman_if->net_dev->flags & IFF_UP)
+        if (hard_iface->net_dev->flags & IFF_UP)
                return true;
        return false;
 }
-static void update_mac_addresses(struct batman_if *batman_if)
+static void update_mac_addresses(struct hard_iface *hard_iface)
 {
-        memcpy(((struct batman_packet *)(batman_if->packet_buff))->orig,
+        memcpy(((struct batman_packet *)(hard_iface->packet_buff))->orig,
-               batman_if->net_dev->dev_addr, ETH_ALEN);
+               hard_iface->net_dev->dev_addr, ETH_ALEN);
-        memcpy(((struct batman_packet *)(batman_if->packet_buff))->prev_sender,
+        memcpy(((struct batman_packet *)(hard_iface->packet_buff))->prev_sender,
-               batman_if->net_dev->dev_addr, ETH_ALEN);
+               hard_iface->net_dev->dev_addr, ETH_ALEN);
 }
 static void check_known_mac_addr(struct net_device *net_dev)
 {
-        struct batman_if *batman_if;
+        struct hard_iface *hard_iface;
        rcu_read_lock();
-        list_for_each_entry_rcu(batman_if, &if_list, list) {
+        list_for_each_entry_rcu(hard_iface, &hardif_list, list) {
-                if ((batman_if->if_status != IF_ACTIVE) &&
+                if ((hard_iface->if_status != IF_ACTIVE) &&
-                    (batman_if->if_status != IF_TO_BE_ACTIVATED))
+                    (hard_iface->if_status != IF_TO_BE_ACTIVATED))
                        continue;
-                if (batman_if->net_dev == net_dev)
+                if (hard_iface->net_dev == net_dev)
                        continue;
-                if (!compare_orig(batman_if->net_dev->dev_addr,
+                if (!compare_eth(hard_iface->net_dev->dev_addr,
-                                  net_dev->dev_addr))
+                                 net_dev->dev_addr))
                        continue;
                pr_warning("The newly added mac address (%pM) already exists "
                           "on: %s\n", net_dev->dev_addr,
-                           batman_if->net_dev->name);
+                           hard_iface->net_dev->name);
                pr_warning("It is strongly recommended to keep mac addresses "
                           "unique to avoid problems!\n");
        }
@@ -201,7 +205,7 @@ static void check_known_mac_addr(struct net_device *net_dev)
 int hardif_min_mtu(struct net_device *soft_iface)
 {
        struct bat_priv *bat_priv = netdev_priv(soft_iface);
-        struct batman_if *batman_if;
+        struct hard_iface *hard_iface;
        /* allow big frames if all devices are capable to do so
         * (have MTU > 1500 + BAT_HEADER_LEN) */
        int min_mtu = ETH_DATA_LEN;
@@ -210,15 +214,15 @@ int hardif_min_mtu(struct net_device *soft_iface)
                goto out;
        rcu_read_lock();
-        list_for_each_entry_rcu(batman_if, &if_list, list) {
+        list_for_each_entry_rcu(hard_iface, &hardif_list, list) {
-                if ((batman_if->if_status != IF_ACTIVE) &&
+                if ((hard_iface->if_status != IF_ACTIVE) &&
-                    (batman_if->if_status != IF_TO_BE_ACTIVATED))
+                    (hard_iface->if_status != IF_TO_BE_ACTIVATED))
                        continue;
-                if (batman_if->soft_iface != soft_iface)
+                if (hard_iface->soft_iface != soft_iface)
                        continue;
-                min_mtu = min_t(int, batman_if->net_dev->mtu - BAT_HEADER_LEN,
+                min_mtu = min_t(int, hard_iface->net_dev->mtu - BAT_HEADER_LEN,
                                min_mtu);
        }
        rcu_read_unlock();
@@ -236,260 +240,281 @@ void update_min_mtu(struct net_device *soft_iface)
                soft_iface->mtu = min_mtu;
 }
-static void hardif_activate_interface(struct batman_if *batman_if)
+static void hardif_activate_interface(struct hard_iface *hard_iface)
 {
        struct bat_priv *bat_priv;
+        struct hard_iface *primary_if = NULL;
-        if (batman_if->if_status != IF_INACTIVE)
+        if (hard_iface->if_status != IF_INACTIVE)
-                return;
+                goto out;
-        bat_priv = netdev_priv(batman_if->soft_iface);
+        bat_priv = netdev_priv(hard_iface->soft_iface);
-        update_mac_addresses(batman_if);
+        update_mac_addresses(hard_iface);
-        batman_if->if_status = IF_TO_BE_ACTIVATED;
+        hard_iface->if_status = IF_TO_BE_ACTIVATED;
        /**
         * the first active interface becomes our primary interface or
         * the next active interface after the old primay interface was removed
         */
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
-                set_primary_if(bat_priv, batman_if);
+        if (!primary_if)
+                primary_if_select(bat_priv, hard_iface);
-        bat_info(batman_if->soft_iface, "Interface activated: %s\n",
+        bat_info(hard_iface->soft_iface, "Interface activated: %s\n",
-                 batman_if->net_dev->name);
+                 hard_iface->net_dev->name);
-        update_min_mtu(batman_if->soft_iface);
+        update_min_mtu(hard_iface->soft_iface);
-        return;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
 }
-static void hardif_deactivate_interface(struct batman_if *batman_if)
+static void hardif_deactivate_interface(struct hard_iface *hard_iface)
 {
-        if ((batman_if->if_status != IF_ACTIVE) &&
+        if ((hard_iface->if_status != IF_ACTIVE) &&
-           (batman_if->if_status != IF_TO_BE_ACTIVATED))
+            (hard_iface->if_status != IF_TO_BE_ACTIVATED))
                return;
-        batman_if->if_status = IF_INACTIVE;
+        hard_iface->if_status = IF_INACTIVE;
-        bat_info(batman_if->soft_iface, "Interface deactivated: %s\n",
+        bat_info(hard_iface->soft_iface, "Interface deactivated: %s\n",
-                 batman_if->net_dev->name);
+                 hard_iface->net_dev->name);
-        update_min_mtu(batman_if->soft_iface);
+        update_min_mtu(hard_iface->soft_iface);
 }
-int hardif_enable_interface(struct batman_if *batman_if, char *iface_name)
+int hardif_enable_interface(struct hard_iface *hard_iface, char *iface_name)
 {
        struct bat_priv *bat_priv;
        struct batman_packet *batman_packet;
+        struct net_device *soft_iface;
+        int ret;
+        if (hard_iface->if_status != IF_NOT_IN_USE)
+                goto out;
-        if (batman_if->if_status != IF_NOT_IN_USE)
+        if (!atomic_inc_not_zero(&hard_iface->refcount))
                goto out;
-        batman_if->soft_iface = dev_get_by_name(&init_net, iface_name);
+        soft_iface = dev_get_by_name(&init_net, iface_name);
-        if (!batman_if->soft_iface) {
+        if (!soft_iface) {
-                batman_if->soft_iface = softif_create(iface_name);
+                soft_iface = softif_create(iface_name);
-                if (!batman_if->soft_iface)
+                if (!soft_iface) {
+                        ret = -ENOMEM;
                        goto err;
+                }
                /* dev_get_by_name() increases the reference counter for us */
-                dev_hold(batman_if->soft_iface);
+                dev_hold(soft_iface);
        }
-        bat_priv = netdev_priv(batman_if->soft_iface);
+        if (!softif_is_valid(soft_iface)) {
-        batman_if->packet_len = BAT_PACKET_LEN;
+                pr_err("Can't create batman mesh interface %s: "
-        batman_if->packet_buff = kmalloc(batman_if->packet_len, GFP_ATOMIC);
+                       "already exists as regular interface\n",
+                       soft_iface->name);
+                dev_put(soft_iface);
+                ret = -EINVAL;
+                goto err;
+        }
+        hard_iface->soft_iface = soft_iface;
+        bat_priv = netdev_priv(hard_iface->soft_iface);
+        hard_iface->packet_len = BAT_PACKET_LEN;
+        hard_iface->packet_buff = kmalloc(hard_iface->packet_len, GFP_ATOMIC);
-        if (!batman_if->packet_buff) {
+        if (!hard_iface->packet_buff) {
-                bat_err(batman_if->soft_iface, "Can't add interface packet "
+                bat_err(hard_iface->soft_iface, "Can't add interface packet "
-                        "(%s): out of memory\n", batman_if->net_dev->name);
+                        "(%s): out of memory\n", hard_iface->net_dev->name);
+                ret = -ENOMEM;
                goto err;
        }
-        batman_packet = (struct batman_packet *)(batman_if->packet_buff);
+        batman_packet = (struct batman_packet *)(hard_iface->packet_buff);
        batman_packet->packet_type = BAT_PACKET;
        batman_packet->version = COMPAT_VERSION;
        batman_packet->flags = 0;
        batman_packet->ttl = 2;
        batman_packet->tq = TQ_MAX_VALUE;
-        batman_packet->num_hna = 0;
+        batman_packet->num_tt = 0;
-        batman_if->if_num = bat_priv->num_ifaces;
+        hard_iface->if_num = bat_priv->num_ifaces;
        bat_priv->num_ifaces++;
-        batman_if->if_status = IF_INACTIVE;
+        hard_iface->if_status = IF_INACTIVE;
-        orig_hash_add_if(batman_if, bat_priv->num_ifaces);
+        orig_hash_add_if(hard_iface, bat_priv->num_ifaces);
-        batman_if->batman_adv_ptype.type = __constant_htons(ETH_P_BATMAN);
+        hard_iface->batman_adv_ptype.type = __constant_htons(ETH_P_BATMAN);
-        batman_if->batman_adv_ptype.func = batman_skb_recv;
+        hard_iface->batman_adv_ptype.func = batman_skb_recv;
-        batman_if->batman_adv_ptype.dev = batman_if->net_dev;
+        hard_iface->batman_adv_ptype.dev = hard_iface->net_dev;
-        kref_get(&batman_if->refcount);
+        dev_add_pack(&hard_iface->batman_adv_ptype);
-        dev_add_pack(&batman_if->batman_adv_ptype);
-        atomic_set(&batman_if->seqno, 1);
+        atomic_set(&hard_iface->seqno, 1);
-        atomic_set(&batman_if->frag_seqno, 1);
+        atomic_set(&hard_iface->frag_seqno, 1);
-        bat_info(batman_if->soft_iface, "Adding interface: %s\n",
+        bat_info(hard_iface->soft_iface, "Adding interface: %s\n",
-                 batman_if->net_dev->name);
+                 hard_iface->net_dev->name);
-        if (atomic_read(&bat_priv->fragmentation) && batman_if->net_dev->mtu <
+        if (atomic_read(&bat_priv->fragmentation) && hard_iface->net_dev->mtu <
                ETH_DATA_LEN + BAT_HEADER_LEN)
-                bat_info(batman_if->soft_iface,
+                bat_info(hard_iface->soft_iface,
                        "The MTU of interface %s is too small (%i) to handle "
                        "the transport of batman-adv packets. Packets going "
                        "over this interface will be fragmented on layer2 "
                        "which could impact the performance. Setting the MTU "
                        "to %zi would solve the problem.\n",
-                        batman_if->net_dev->name, batman_if->net_dev->mtu,
+                        hard_iface->net_dev->name, hard_iface->net_dev->mtu,
                        ETH_DATA_LEN + BAT_HEADER_LEN);
-        if (!atomic_read(&bat_priv->fragmentation) && batman_if->net_dev->mtu <
+        if (!atomic_read(&bat_priv->fragmentation) && hard_iface->net_dev->mtu <
                ETH_DATA_LEN + BAT_HEADER_LEN)
-                bat_info(batman_if->soft_iface,
+                bat_info(hard_iface->soft_iface,
                        "The MTU of interface %s is too small (%i) to handle "
                        "the transport of batman-adv packets. If you experience"
                        " problems getting traffic through try increasing the "
                        "MTU to %zi.\n",
-                        batman_if->net_dev->name, batman_if->net_dev->mtu,
+                        hard_iface->net_dev->name, hard_iface->net_dev->mtu,
                        ETH_DATA_LEN + BAT_HEADER_LEN);
-        if (hardif_is_iface_up(batman_if))
+        if (hardif_is_iface_up(hard_iface))
-                hardif_activate_interface(batman_if);
+                hardif_activate_interface(hard_iface);
        else
-                bat_err(batman_if->soft_iface, "Not using interface %s "
+                bat_err(hard_iface->soft_iface, "Not using interface %s "
                        "(retrying later): interface not active\n",
-                        batman_if->net_dev->name);
+                        hard_iface->net_dev->name);
        /* begin scheduling originator messages on that interface */
-        schedule_own_packet(batman_if);
+        schedule_own_packet(hard_iface);
 out:
        return 0;
 err:
-        return -ENOMEM;
+        hardif_free_ref(hard_iface);
+        return ret;
 }
-void hardif_disable_interface(struct batman_if *batman_if)
+void hardif_disable_interface(struct hard_iface *hard_iface)
 {
-        struct bat_priv *bat_priv = netdev_priv(batman_if->soft_iface);
+        struct bat_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+        struct hard_iface *primary_if = NULL;
-        if (batman_if->if_status == IF_ACTIVE)
+        if (hard_iface->if_status == IF_ACTIVE)
-                hardif_deactivate_interface(batman_if);
+                hardif_deactivate_interface(hard_iface);
-        if (batman_if->if_status != IF_INACTIVE)
+        if (hard_iface->if_status != IF_INACTIVE)
-                return;
+                goto out;
-        bat_info(batman_if->soft_iface, "Removing interface: %s\n",
+        bat_info(hard_iface->soft_iface, "Removing interface: %s\n",
-                 batman_if->net_dev->name);
+                 hard_iface->net_dev->name);
-        dev_remove_pack(&batman_if->batman_adv_ptype);
+        dev_remove_pack(&hard_iface->batman_adv_ptype);
-        kref_put(&batman_if->refcount, hardif_free_ref);
        bat_priv->num_ifaces--;
-        orig_hash_del_if(batman_if, bat_priv->num_ifaces);
+        orig_hash_del_if(hard_iface, bat_priv->num_ifaces);
-        if (batman_if == bat_priv->primary_if) {
+        primary_if = primary_if_get_selected(bat_priv);
-                struct batman_if *new_if;
+        if (hard_iface == primary_if) {
+                struct hard_iface *new_if;
-                new_if = get_active_batman_if(batman_if->soft_iface);
+                new_if = hardif_get_active(hard_iface->soft_iface);
-                set_primary_if(bat_priv, new_if);
+                primary_if_select(bat_priv, new_if);
                if (new_if)
-                        kref_put(&new_if->refcount, hardif_free_ref);
+                        hardif_free_ref(new_if);
        }
-        kfree(batman_if->packet_buff);
+        kfree(hard_iface->packet_buff);
-        batman_if->packet_buff = NULL;
+        hard_iface->packet_buff = NULL;
-        batman_if->if_status = IF_NOT_IN_USE;
+        hard_iface->if_status = IF_NOT_IN_USE;
-        /* delete all references to this batman_if */
+        /* delete all references to this hard_iface */
        purge_orig_ref(bat_priv);
-        purge_outstanding_packets(bat_priv, batman_if);
+        purge_outstanding_packets(bat_priv, hard_iface);
-        dev_put(batman_if->soft_iface);
+        dev_put(hard_iface->soft_iface);
        /* nobody uses this interface anymore */
        if (!bat_priv->num_ifaces)
-                softif_destroy(batman_if->soft_iface);
+                softif_destroy(hard_iface->soft_iface);
-        batman_if->soft_iface = NULL;
+        hard_iface->soft_iface = NULL;
+        hardif_free_ref(hard_iface);
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
 }
-static struct batman_if *hardif_add_interface(struct net_device *net_dev)
+static struct hard_iface *hardif_add_interface(struct net_device *net_dev)
 {
-        struct batman_if *batman_if;
+        struct hard_iface *hard_iface;
        int ret;
+        ASSERT_RTNL();
        ret = is_valid_iface(net_dev);
        if (ret != 1)
                goto out;
        dev_hold(net_dev);
-        batman_if = kmalloc(sizeof(struct batman_if), GFP_ATOMIC);
+        hard_iface = kmalloc(sizeof(struct hard_iface), GFP_ATOMIC);
-        if (!batman_if) {
+        if (!hard_iface) {
                pr_err("Can't add interface (%s): out of memory\n",
                       net_dev->name);
                goto release_dev;
        }
-        ret = sysfs_add_hardif(&batman_if->hardif_obj, net_dev);
+        ret = sysfs_add_hardif(&hard_iface->hardif_obj, net_dev);
        if (ret)
                goto free_if;
-        batman_if->if_num = -1;
+        hard_iface->if_num = -1;
-        batman_if->net_dev = net_dev;
+        hard_iface->net_dev = net_dev;
-        batman_if->soft_iface = NULL;
+        hard_iface->soft_iface = NULL;
-        batman_if->if_status = IF_NOT_IN_USE;
+        hard_iface->if_status = IF_NOT_IN_USE;
-        INIT_LIST_HEAD(&batman_if->list);
+        INIT_LIST_HEAD(&hard_iface->list);
-        kref_init(&batman_if->refcount);
+        /* extra reference for return */
+        atomic_set(&hard_iface->refcount, 2);
-        check_known_mac_addr(batman_if->net_dev);
-        spin_lock(&if_list_lock);
+        check_known_mac_addr(hard_iface->net_dev);
-        list_add_tail_rcu(&batman_if->list, &if_list);
+        list_add_tail_rcu(&hard_iface->list, &hardif_list);
-        spin_unlock(&if_list_lock);
-        /* extra reference for return */
+        return hard_iface;
-        kref_get(&batman_if->refcount);
-        return batman_if;
 free_if:
-        kfree(batman_if);
+        kfree(hard_iface);
 release_dev:
        dev_put(net_dev);
 out:
        return NULL;
 }
-static void hardif_remove_interface(struct batman_if *batman_if)
+static void hardif_remove_interface(struct hard_iface *hard_iface)
 {
+        ASSERT_RTNL();
        /* first deactivate interface */
-        if (batman_if->if_status != IF_NOT_IN_USE)
+        if (hard_iface->if_status != IF_NOT_IN_USE)
-                hardif_disable_interface(batman_if);
+                hardif_disable_interface(hard_iface);
-        if (batman_if->if_status != IF_NOT_IN_USE)
+        if (hard_iface->if_status != IF_NOT_IN_USE)
                return;
-        batman_if->if_status = IF_TO_BE_REMOVED;
+        hard_iface->if_status = IF_TO_BE_REMOVED;
-        sysfs_del_hardif(&batman_if->hardif_obj);
+        sysfs_del_hardif(&hard_iface->hardif_obj);
-        call_rcu(&batman_if->rcu, hardif_free_rcu);
+        hardif_free_ref(hard_iface);
 }
 void hardif_remove_interfaces(void)
 {
-        struct batman_if *batman_if, *batman_if_tmp;
+        struct hard_iface *hard_iface, *hard_iface_tmp;
-        struct list_head if_queue;
-        INIT_LIST_HEAD(&if_queue);
-        spin_lock(&if_list_lock);
-        list_for_each_entry_safe(batman_if, batman_if_tmp, &if_list, list) {
-                list_del_rcu(&batman_if->list);
-                list_add_tail(&batman_if->list, &if_queue);
-        }
-        spin_unlock(&if_list_lock);
        rtnl_lock();
-        list_for_each_entry_safe(batman_if, batman_if_tmp, &if_queue, list) {
+        list_for_each_entry_safe(hard_iface, hard_iface_tmp,
-                hardif_remove_interface(batman_if);
+                                 &hardif_list, list) {
+                list_del_rcu(&hard_iface->list);
+                hardif_remove_interface(hard_iface);
        }
        rtnl_unlock();
 }
@@ -498,66 +523,72 @@ static int hard_if_event(struct notifier_block *this,
                         unsigned long event, void *ptr)
 {
        struct net_device *net_dev = (struct net_device *)ptr;
-        struct batman_if *batman_if = get_batman_if_by_netdev(net_dev);
+        struct hard_iface *hard_iface = hardif_get_by_netdev(net_dev);
+        struct hard_iface *primary_if = NULL;
        struct bat_priv *bat_priv;
-        if (!batman_if && event == NETDEV_REGISTER)
+        if (!hard_iface && event == NETDEV_REGISTER)
-                batman_if = hardif_add_interface(net_dev);
+                hard_iface = hardif_add_interface(net_dev);
-        if (!batman_if)
+        if (!hard_iface)
                goto out;
        switch (event) {
        case NETDEV_UP:
-                hardif_activate_interface(batman_if);
+                hardif_activate_interface(hard_iface);
                break;
        case NETDEV_GOING_DOWN:
        case NETDEV_DOWN:
-                hardif_deactivate_interface(batman_if);
+                hardif_deactivate_interface(hard_iface);
                break;
        case NETDEV_UNREGISTER:
-                spin_lock(&if_list_lock);
+                list_del_rcu(&hard_iface->list);
-                list_del_rcu(&batman_if->list);
-                spin_unlock(&if_list_lock);
-                hardif_remove_interface(batman_if);
+                hardif_remove_interface(hard_iface);
                break;
        case NETDEV_CHANGEMTU:
-                if (batman_if->soft_iface)
+                if (hard_iface->soft_iface)
-                        update_min_mtu(batman_if->soft_iface);
+                        update_min_mtu(hard_iface->soft_iface);
                break;
        case NETDEV_CHANGEADDR:
-                if (batman_if->if_status == IF_NOT_IN_USE)
+                if (hard_iface->if_status == IF_NOT_IN_USE)
                        goto hardif_put;
-                check_known_mac_addr(batman_if->net_dev);
+                check_known_mac_addr(hard_iface->net_dev);
-                update_mac_addresses(batman_if);
+                update_mac_addresses(hard_iface);
+                bat_priv = netdev_priv(hard_iface->soft_iface);
+                primary_if = primary_if_get_selected(bat_priv);
+                if (!primary_if)
+                        goto hardif_put;
-                bat_priv = netdev_priv(batman_if->soft_iface);
+                if (hard_iface == primary_if)
-                if (batman_if == bat_priv->primary_if)
+                        primary_if_update_addr(bat_priv);
-                        update_primary_addr(bat_priv);
                break;
        default:
                break;
        };
 hardif_put:
-        kref_put(&batman_if->refcount, hardif_free_ref);
+        hardif_free_ref(hard_iface);
 out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
        return NOTIFY_DONE;
 }
 /* receive a packet with the batman ethertype coming on a hard
 * interface */
-int batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
+static int batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
-        struct packet_type *ptype, struct net_device *orig_dev)
+                           struct packet_type *ptype,
+                           struct net_device *orig_dev)
 {
        struct bat_priv *bat_priv;
        struct batman_packet *batman_packet;
-        struct batman_if *batman_if;
+        struct hard_iface *hard_iface;
        int ret;
-        batman_if = container_of(ptype, struct batman_if, batman_adv_ptype);
+        hard_iface = container_of(ptype, struct hard_iface, batman_adv_ptype);
        skb = skb_share_check(skb, GFP_ATOMIC);
        /* skb was released by skb_share_check() */
@@ -573,16 +604,16 @@ int batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
                                || !skb_mac_header(skb)))
                goto err_free;
-        if (!batman_if->soft_iface)
+        if (!hard_iface->soft_iface)
                goto err_free;
-        bat_priv = netdev_priv(batman_if->soft_iface);
+        bat_priv = netdev_priv(hard_iface->soft_iface);
        if (atomic_read(&bat_priv->mesh_state) != MESH_ACTIVE)
                goto err_free;
        /* discard frames on not active interfaces */
-        if (batman_if->if_status != IF_ACTIVE)
+        if (hard_iface->if_status != IF_ACTIVE)
                goto err_free;
        batman_packet = (struct batman_packet *)skb->data;
@@ -600,32 +631,32 @@ int batman_skb_recv(struct sk_buff *skb, struct net_device *dev,
        switch (batman_packet->packet_type) {
                /* batman originator packet */
        case BAT_PACKET:
-                ret = recv_bat_packet(skb, batman_if);
+                ret = recv_bat_packet(skb, hard_iface);
                break;
                /* batman icmp packet */
        case BAT_ICMP:
-                ret = recv_icmp_packet(skb, batman_if);
+                ret = recv_icmp_packet(skb, hard_iface);
                break;
                /* unicast packet */
        case BAT_UNICAST:
-                ret = recv_unicast_packet(skb, batman_if);
+                ret = recv_unicast_packet(skb, hard_iface);
                break;
                /* fragmented unicast packet */
        case BAT_UNICAST_FRAG:
-                ret = recv_ucast_frag_packet(skb, batman_if);
+                ret = recv_ucast_frag_packet(skb, hard_iface);
                break;
                /* broadcast packet */
        case BAT_BCAST:
-                ret = recv_bcast_packet(skb, batman_if);
+                ret = recv_bcast_packet(skb, hard_iface);
                break;
                /* vis packet */
        case BAT_VIS:
-                ret = recv_vis_packet(skb, batman_if);
+                ret = recv_vis_packet(skb, hard_iface);
                break;
        default:
                ret = NET_RX_DROP;
diff --git a/net/batman-adv/hard-interface.h b/net/batman-adv/hard-interface.h
index 30ec3b8db459..64265991460b 100644
--- a/net/batman-adv/hard-interface.h
+++ b/net/batman-adv/hard-interface.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -31,23 +31,36 @@
 extern struct notifier_block hard_if_notifier;
-struct batman_if *get_batman_if_by_netdev(struct net_device *net_dev);
+struct hard_iface *hardif_get_by_netdev(struct net_device *net_dev);
-int hardif_enable_interface(struct batman_if *batman_if, char *iface_name);
+int hardif_enable_interface(struct hard_iface *hard_iface, char *iface_name);
-void hardif_disable_interface(struct batman_if *batman_if);
+void hardif_disable_interface(struct hard_iface *hard_iface);
 void hardif_remove_interfaces(void);
-int batman_skb_recv(struct sk_buff *skb,
-                                struct net_device *dev,
-                                struct packet_type *ptype,
-                                struct net_device *orig_dev);
 int hardif_min_mtu(struct net_device *soft_iface);
 void update_min_mtu(struct net_device *soft_iface);
+void hardif_free_rcu(struct rcu_head *rcu);
-static inline void hardif_free_ref(struct kref *refcount)
+static inline void hardif_free_ref(struct hard_iface *hard_iface)
 {
-        struct batman_if *batman_if;
+        if (atomic_dec_and_test(&hard_iface->refcount))
+                call_rcu(&hard_iface->rcu, hardif_free_rcu);
+}
+static inline struct hard_iface *primary_if_get_selected(
+                                                struct bat_priv *bat_priv)
+{
+        struct hard_iface *hard_iface;
+        rcu_read_lock();
+        hard_iface = rcu_dereference(bat_priv->primary_if);
+        if (!hard_iface)
+                goto out;
+        if (!atomic_inc_not_zero(&hard_iface->refcount))
+                hard_iface = NULL;
-        batman_if = container_of(refcount, struct batman_if, refcount);
+out:
-        kfree(batman_if);
+        rcu_read_unlock();
+        return hard_iface;
 }
 #endif /* _NET_BATMAN_ADV_HARD_INTERFACE_H_ */
diff --git a/net/batman-adv/hash.c b/net/batman-adv/hash.c
index 26e623eb9def..c5213d8f2cca 100644
--- a/net/batman-adv/hash.c
+++ b/net/batman-adv/hash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2006-2011 B.A.T.M.A.N. contributors:
 *
 * Simon Wunderlich, Marek Lindner
 *
@@ -27,13 +27,16 @@ static void hash_init(struct hashtable_t *hash)
 {
        int i;
-        for (i = 0 ; i < hash->size; i++)
+        for (i = 0 ; i < hash->size; i++) {
                INIT_HLIST_HEAD(&hash->table[i]);
+                spin_lock_init(&hash->list_locks[i]);
+        }
 }
 /* free only the hashtable and the hash itself. */
 void hash_destroy(struct hashtable_t *hash)
 {
+        kfree(hash->list_locks);
        kfree(hash->table);
        kfree(hash);
 }
@@ -43,20 +46,25 @@ struct hashtable_t *hash_new(int size)
 {
        struct hashtable_t *hash;
-        hash = kmalloc(sizeof(struct hashtable_t) , GFP_ATOMIC);
+        hash = kmalloc(sizeof(struct hashtable_t), GFP_ATOMIC);
        if (!hash)
                return NULL;
-        hash->size = size;
        hash->table = kmalloc(sizeof(struct element_t *) * size, GFP_ATOMIC);
+        if (!hash->table)
+                goto free_hash;
-        if (!hash->table) {
+        hash->list_locks = kmalloc(sizeof(spinlock_t) * size, GFP_ATOMIC);
-                kfree(hash);
+        if (!hash->list_locks)
-                return NULL;
+                goto free_table;
-        }
+        hash->size = size;
        hash_init(hash);
        return hash;
+free_table:
+        kfree(hash->table);
+free_hash:
+        kfree(hash);
+        return NULL;
 }
diff --git a/net/batman-adv/hash.h b/net/batman-adv/hash.h
index 09216ade16f1..434822b27473 100644
--- a/net/batman-adv/hash.h
+++ b/net/batman-adv/hash.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2006-2011 B.A.T.M.A.N. contributors:
 *
 * Simon Wunderlich, Marek Lindner
 *
@@ -28,32 +28,23 @@
 * compare 2 element datas for their keys,
 * return 0 if same and not 0 if not
 * same */
-typedef int (*hashdata_compare_cb)(void *, void *);
+typedef int (*hashdata_compare_cb)(struct hlist_node *, void *);
 /* the hashfunction, should return an index
 * based on the key in the data of the first
 * argument and the size the second */
 typedef int (*hashdata_choose_cb)(void *, int);
-typedef void (*hashdata_free_cb)(void *, void *);
+typedef void (*hashdata_free_cb)(struct hlist_node *, void *);
-struct element_t {
-        void *data;             /* pointer to the data */
-        struct hlist_node hlist;        /* bucket list pointer */
-};
 struct hashtable_t {
-        struct hlist_head *table;   /* the hashtable itself, with the buckets */
+        struct hlist_head *table;   /* the hashtable itself with the buckets */
+        spinlock_t *list_locks;     /* spinlock for each hash list entry */
        int size;                   /* size of hashtable */
 };
 /* allocates and clears the hash */
 struct hashtable_t *hash_new(int size);
-/* remove element if you already found the element you want to delete and don't
- * need the overhead to find it again with hash_remove().  But usually, you
- * don't want to use this function, as it fiddles with hash-internals. */
-void *hash_remove_element(struct hashtable_t *hash, struct element_t *elem);
 /* free only the hashtable and the hash itself. */
 void hash_destroy(struct hashtable_t *hash);
@@ -64,21 +55,22 @@ static inline void hash_delete(struct hashtable_t *hash,
                               hashdata_free_cb free_cb, void *arg)
 {
        struct hlist_head *head;
-        struct hlist_node *walk, *safe;
+        struct hlist_node *node, *node_tmp;
-        struct element_t *bucket;
+        spinlock_t *list_lock; /* spinlock to protect write access */
        int i;
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
+                list_lock = &hash->list_locks[i];
-                hlist_for_each_safe(walk, safe, head) {
+                spin_lock_bh(list_lock);
-                        bucket = hlist_entry(walk, struct element_t, hlist);
+                hlist_for_each_safe(node, node_tmp, head) {
-                        if (free_cb)
+                        hlist_del_rcu(node);
-                                free_cb(bucket->data, arg);
-                        hlist_del(walk);
+                        if (free_cb)
-                        kfree(bucket);
+                                free_cb(node, arg);
                }
+                spin_unlock_bh(list_lock);
        }
        hash_destroy(hash);
@@ -87,35 +79,41 @@ static inline void hash_delete(struct hashtable_t *hash,
 /* adds data to the hashtable. returns 0 on success, -1 on error */
 static inline int hash_add(struct hashtable_t *hash,
                           hashdata_compare_cb compare,
-                           hashdata_choose_cb choose, void *data)
+                           hashdata_choose_cb choose,
+                           void *data, struct hlist_node *data_node)
 {
        int index;
        struct hlist_head *head;
-        struct hlist_node *walk, *safe;
+        struct hlist_node *node;
-        struct element_t *bucket;
+        spinlock_t *list_lock; /* spinlock to protect write access */
        if (!hash)
-                return -1;
+                goto err;
        index = choose(data, hash->size);
        head = &hash->table[index];
+        list_lock = &hash->list_locks[index];
+        rcu_read_lock();
+        __hlist_for_each_rcu(node, head) {
+                if (!compare(node, data))
+                        continue;
-        hlist_for_each_safe(walk, safe, head) {
+                goto err_unlock;
-                bucket = hlist_entry(walk, struct element_t, hlist);
-                if (compare(bucket->data, data))
-                        return -1;
        }
+        rcu_read_unlock();
        /* no duplicate found in list, add new element */
-        bucket = kmalloc(sizeof(struct element_t), GFP_ATOMIC);
+        spin_lock_bh(list_lock);
+        hlist_add_head_rcu(data_node, head);
-        if (!bucket)
+        spin_unlock_bh(list_lock);
-                return -1;
-        bucket->data = data;
-        hlist_add_head(&bucket->hlist, head);
        return 0;
+err_unlock:
+        rcu_read_unlock();
+err:
+        return -1;
 }
 /* removes data from hash, if found. returns pointer do data on success, so you
@@ -127,50 +125,25 @@ static inline void *hash_remove(struct hashtable_t *hash,
                                hashdata_choose_cb choose, void *data)
 {
        size_t index;
-        struct hlist_node *walk;
+        struct hlist_node *node;
-        struct element_t *bucket;
        struct hlist_head *head;
-        void *data_save;
+        void *data_save = NULL;
        index = choose(data, hash->size);
        head = &hash->table[index];
-        hlist_for_each_entry(bucket, walk, head, hlist) {
+        spin_lock_bh(&hash->list_locks[index]);
-                if (compare(bucket->data, data)) {
+        hlist_for_each(node, head) {
-                        data_save = bucket->data;
+                if (!compare(node, data))
-                        hlist_del(walk);
+                        continue;
-                        kfree(bucket);
-                        return data_save;
-                }
-        }
-        return NULL;
-}
-/* finds data, based on the key in keydata. returns the found data on success,
- * or NULL on error */
-static inline void *hash_find(struct hashtable_t *hash,
-                              hashdata_compare_cb compare,
-                              hashdata_choose_cb choose, void *keydata)
-{
-        int index;
-        struct hlist_head *head;
-        struct hlist_node *walk;
-        struct element_t *bucket;
-        if (!hash)
-                return NULL;
-        index = choose(keydata , hash->size);
-        head = &hash->table[index];
-        hlist_for_each(walk, head) {
+                data_save = node;
-                bucket = hlist_entry(walk, struct element_t, hlist);
+                hlist_del_rcu(node);
-                if (compare(bucket->data, keydata))
+                break;
-                        return bucket->data;
        }
+        spin_unlock_bh(&hash->list_locks[index]);
-        return NULL;
+        return data_save;
 }
 #endif /* _NET_BATMAN_ADV_HASH_H_ */
diff --git a/net/batman-adv/icmp_socket.c b/net/batman-adv/icmp_socket.c
index ecf6d7ffab2e..fa22ba2bb832 100644
--- a/net/batman-adv/icmp_socket.c
+++ b/net/batman-adv/icmp_socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner
 *
@@ -24,7 +24,6 @@
 #include <linux/slab.h>
 #include "icmp_socket.h"
 #include "send.h"
-#include "types.h"
 #include "hash.h"
 #include "originator.h"
 #include "hard-interface.h"
@@ -154,13 +153,13 @@ static ssize_t bat_socket_write(struct file *file, const char __user *buff,
 {
        struct socket_client *socket_client = file->private_data;
        struct bat_priv *bat_priv = socket_client->bat_priv;
+        struct hard_iface *primary_if = NULL;
        struct sk_buff *skb;
        struct icmp_packet_rr *icmp_packet;
-        struct orig_node *orig_node;
+        struct orig_node *orig_node = NULL;
-        struct batman_if *batman_if;
+        struct neigh_node *neigh_node = NULL;
        size_t packet_len = sizeof(struct icmp_packet);
-        uint8_t dstaddr[ETH_ALEN];
        if (len < sizeof(struct icmp_packet)) {
                bat_dbg(DBG_BATMAN, bat_priv,
@@ -169,15 +168,21 @@ static ssize_t bat_socket_write(struct file *file, const char __user *buff,
                return -EINVAL;
        }
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
-                return -EFAULT;
+        if (!primary_if) {
+                len = -EFAULT;
+                goto out;
+        }
        if (len >= sizeof(struct icmp_packet_rr))
                packet_len = sizeof(struct icmp_packet_rr);
        skb = dev_alloc_skb(packet_len + sizeof(struct ethhdr));
-        if (!skb)
+        if (!skb) {
-                return -ENOMEM;
+                len = -ENOMEM;
+                goto out;
+        }
        skb_reserve(skb, sizeof(struct ethhdr));
        icmp_packet = (struct icmp_packet_rr *)skb_put(skb, packet_len);
@@ -220,47 +225,42 @@ static ssize_t bat_socket_write(struct file *file, const char __user *buff,
        if (atomic_read(&bat_priv->mesh_state) != MESH_ACTIVE)
                goto dst_unreach;
-        spin_lock_bh(&bat_priv->orig_hash_lock);
+        orig_node = orig_hash_find(bat_priv, icmp_packet->dst);
-        orig_node = ((struct orig_node *)hash_find(bat_priv->orig_hash,
-                                                   compare_orig, choose_orig,
-                                                   icmp_packet->dst));
        if (!orig_node)
-                goto unlock;
+                goto dst_unreach;
-        if (!orig_node->router)
-                goto unlock;
-        batman_if = orig_node->router->if_incoming;
-        memcpy(dstaddr, orig_node->router->addr, ETH_ALEN);
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
+        neigh_node = orig_node_get_router(orig_node);
+        if (!neigh_node)
+                goto dst_unreach;
-        if (!batman_if)
+        if (!neigh_node->if_incoming)
                goto dst_unreach;
-        if (batman_if->if_status != IF_ACTIVE)
+        if (neigh_node->if_incoming->if_status != IF_ACTIVE)
                goto dst_unreach;
        memcpy(icmp_packet->orig,
-               bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
+               primary_if->net_dev->dev_addr, ETH_ALEN);
        if (packet_len == sizeof(struct icmp_packet_rr))
-                memcpy(icmp_packet->rr, batman_if->net_dev->dev_addr, ETH_ALEN);
+                memcpy(icmp_packet->rr,
+                       neigh_node->if_incoming->net_dev->dev_addr, ETH_ALEN);
-        send_skb_packet(skb, batman_if, dstaddr);
+        send_skb_packet(skb, neigh_node->if_incoming, neigh_node->addr);
        goto out;
-unlock:
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
 dst_unreach:
        icmp_packet->msg_type = DESTINATION_UNREACHABLE;
        bat_socket_add_packet(socket_client, icmp_packet, packet_len);
 free_skb:
        kfree_skb(skb);
 out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        if (neigh_node)
+                neigh_node_free_ref(neigh_node);
+        if (orig_node)
+                orig_node_free_ref(orig_node);
        return len;
 }
diff --git a/net/batman-adv/icmp_socket.h b/net/batman-adv/icmp_socket.h
index bf9b348cde27..462b190fa101 100644
--- a/net/batman-adv/icmp_socket.h
+++ b/net/batman-adv/icmp_socket.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner
 *
@@ -22,8 +22,6 @@
 #ifndef _NET_BATMAN_ADV_ICMP_SOCKET_H_
 #define _NET_BATMAN_ADV_ICMP_SOCKET_H_
-#include "types.h"
 #define ICMP_SOCKET "socket"
 void bat_socket_init(void);
diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c
index b827f6a158cb..0a7cee0076f4 100644
--- a/net/batman-adv/main.c
+++ b/net/batman-adv/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -30,11 +30,13 @@
 #include "translation-table.h"
 #include "hard-interface.h"
 #include "gateway_client.h"
-#include "types.h"
 #include "vis.h"
 #include "hash.h"
-struct list_head if_list;
+/* List manipulations on hardif_list have to be rtnl_lock()'ed,
+ * list traversals just rcu-locked */
+struct list_head hardif_list;
 unsigned char broadcast_addr[] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
@@ -42,7 +44,7 @@ struct workqueue_struct *bat_event_workqueue;
 static int __init batman_init(void)
 {
-        INIT_LIST_HEAD(&if_list);
+        INIT_LIST_HEAD(&hardif_list);
        /* the name should not be longer than 10 chars - see
         * http://lwn.net/Articles/23634/ */
@@ -80,31 +82,31 @@ int mesh_init(struct net_device *soft_iface)
 {
        struct bat_priv *bat_priv = netdev_priv(soft_iface);
-        spin_lock_init(&bat_priv->orig_hash_lock);
        spin_lock_init(&bat_priv->forw_bat_list_lock);
        spin_lock_init(&bat_priv->forw_bcast_list_lock);
-        spin_lock_init(&bat_priv->hna_lhash_lock);
+        spin_lock_init(&bat_priv->tt_lhash_lock);
-        spin_lock_init(&bat_priv->hna_ghash_lock);
+        spin_lock_init(&bat_priv->tt_ghash_lock);
        spin_lock_init(&bat_priv->gw_list_lock);
        spin_lock_init(&bat_priv->vis_hash_lock);
        spin_lock_init(&bat_priv->vis_list_lock);
        spin_lock_init(&bat_priv->softif_neigh_lock);
+        spin_lock_init(&bat_priv->softif_neigh_vid_lock);
        INIT_HLIST_HEAD(&bat_priv->forw_bat_list);
        INIT_HLIST_HEAD(&bat_priv->forw_bcast_list);
        INIT_HLIST_HEAD(&bat_priv->gw_list);
-        INIT_HLIST_HEAD(&bat_priv->softif_neigh_list);
+        INIT_HLIST_HEAD(&bat_priv->softif_neigh_vids);
        if (originator_init(bat_priv) < 1)
                goto err;
-        if (hna_local_init(bat_priv) < 1)
+        if (tt_local_init(bat_priv) < 1)
                goto err;
-        if (hna_global_init(bat_priv) < 1)
+        if (tt_global_init(bat_priv) < 1)
                goto err;
-        hna_local_add(soft_iface, soft_iface->dev_addr);
+        tt_local_add(soft_iface, soft_iface->dev_addr);
        if (vis_init(bat_priv) < 1)
                goto err;
@@ -135,8 +137,8 @@ void mesh_free(struct net_device *soft_iface)
        gw_node_purge(bat_priv);
        originator_free(bat_priv);
-        hna_local_free(bat_priv);
+        tt_local_free(bat_priv);
-        hna_global_free(bat_priv);
+        tt_global_free(bat_priv);
        softif_neigh_purge(bat_priv);
@@ -155,14 +157,14 @@ void dec_module_count(void)
 int is_my_mac(uint8_t *addr)
 {
-        struct batman_if *batman_if;
+        struct hard_iface *hard_iface;
        rcu_read_lock();
-        list_for_each_entry_rcu(batman_if, &if_list, list) {
+        list_for_each_entry_rcu(hard_iface, &hardif_list, list) {
-                if (batman_if->if_status != IF_ACTIVE)
+                if (hard_iface->if_status != IF_ACTIVE)
                        continue;
-                if (compare_orig(batman_if->net_dev->dev_addr, addr)) {
+                if (compare_eth(hard_iface->net_dev->dev_addr, addr)) {
                        rcu_read_unlock();
                        return 1;
                }
diff --git a/net/batman-adv/main.h b/net/batman-adv/main.h
index 65106fb61b8f..148b49e02642 100644
--- a/net/batman-adv/main.h
+++ b/net/batman-adv/main.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -22,9 +22,6 @@
 #ifndef _NET_BATMAN_ADV_MAIN_H_
 #define _NET_BATMAN_ADV_MAIN_H_
-/* Kernel Programming */
-#define LINUX
 #define DRIVER_AUTHOR "Marek Lindner <lindner_marek@yahoo.de>, " \
                      "Simon Wunderlich <siwu@hrz.tu-chemnitz.de>"
 #define DRIVER_DESC   "B.A.T.M.A.N. advanced"
@@ -37,16 +34,18 @@
 #define TQ_MAX_VALUE 255
 #define JITTER 20
-#define TTL 50                    /* Time To Live of broadcast messages */
-#define PURGE_TIMEOUT 200       /* purge originators after time in seconds if no
+ /* Time To Live of broadcast messages */
-                                   * valid packet comes in -> TODO: check
+#define TTL 50
-                                   * influence on TQ_LOCAL_WINDOW_SIZE */
-#define LOCAL_HNA_TIMEOUT 3600 /* in seconds */
+/* purge originators after time in seconds if no valid packet comes in
+ * -> TODO: check influence on TQ_LOCAL_WINDOW_SIZE */
+#define PURGE_TIMEOUT 200
+#define TT_LOCAL_TIMEOUT 3600 /* in seconds */
-#define TQ_LOCAL_WINDOW_SIZE 64   /* sliding packet range of received originator
+/* sliding packet range of received originator messages in squence numbers
-                                   * messages in squence numbers (should be a
+ * (should be a multiple of our word size) */
-                                   * multiple of our word size) */
+#define TQ_LOCAL_WINDOW_SIZE 64
 #define TQ_GLOBAL_WINDOW_SIZE 5
 #define TQ_LOCAL_BIDRECT_SEND_MINIMUM 1
 #define TQ_LOCAL_BIDRECT_RECV_MINIMUM 1
@@ -54,26 +53,24 @@
 #define NUM_WORDS (TQ_LOCAL_WINDOW_SIZE / WORD_BIT_SIZE)
-#define PACKBUFF_SIZE 2000
 #define LOG_BUF_LEN 8192          /* has to be a power of 2 */
 #define VIS_INTERVAL 5000       /* 5 seconds */
-/* how much worse secondary interfaces may be to
+/* how much worse secondary interfaces may be to be considered as bonding
- * to be considered as bonding candidates */
+ * candidates */
 #define BONDING_TQ_THRESHOLD    50
-#define MAX_AGGREGATION_BYTES 512 /* should not be bigger than 512 bytes or
+/* should not be bigger than 512 bytes or change the size of
-                                   * change the size of
+ * forw_packet->direct_link_flags */
-                                   * forw_packet->direct_link_flags */
+#define MAX_AGGREGATION_BYTES 512
 #define MAX_AGGREGATION_MS 100
 #define SOFTIF_NEIGH_TIMEOUT 180000 /* 3 minutes */
+/* don't reset again within 30 seconds */
 #define RESET_PROTECTION_MS 30000
 #define EXPECTED_SEQNO_RANGE    65536
-/* don't reset again within 30 seconds */
 #define MESH_INACTIVE 0
 #define MESH_ACTIVE 1
@@ -88,23 +85,20 @@
 #ifdef pr_fmt
 #undef pr_fmt
 #endif
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt /* Append 'batman-adv: ' before
+/* Append 'batman-adv: ' before kernel messages */
-                                             * kernel messages */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#define DBG_BATMAN 1    /* all messages related to routing / flooding /
+/* all messages related to routing / flooding / broadcasting / etc */
-                         * broadcasting / etc */
+#define DBG_BATMAN 1
-#define DBG_ROUTES 2    /* route or hna added / changed / deleted */
+/* route or tt entry added / changed / deleted */
+#define DBG_ROUTES 2
 #define DBG_ALL 3
-#define LOG_BUF_LEN 8192          /* has to be a power of 2 */
 /*
 *  Vis
 */
-/* #define VIS_SUBCLUSTERS_DISABLED */
 /*
 * Kernel headers
 */
@@ -130,7 +124,7 @@
 #define REVISION_VERSION_STR " "REVISION_VERSION
 #endif
-extern struct list_head if_list;
+extern struct list_head hardif_list;
 extern unsigned char broadcast_addr[];
 extern struct workqueue_struct *bat_event_workqueue;
@@ -158,13 +152,6 @@ static inline void bat_dbg(char type __always_unused,
 }
 #endif
-#define bat_warning(net_dev, fmt, arg...)                               \
-        do {                                                            \
-                struct net_device *_netdev = (net_dev);                 \
-                struct bat_priv *_batpriv = netdev_priv(_netdev);       \
-                bat_dbg(DBG_ALL, _batpriv, fmt, ## arg);                \
-                pr_warning("%s: " fmt, _netdev->name, ## arg);          \
-        } while (0)
 #define bat_info(net_dev, fmt, arg...)                                  \
        do {                                                            \
                struct net_device *_netdev = (net_dev);                 \
@@ -180,4 +167,16 @@ static inline void bat_dbg(char type __always_unused,
                pr_err("%s: " fmt, _netdev->name, ## arg);              \
        } while (0)
+/**
+ * returns 1 if they are the same ethernet addr
+ *
+ * note: can't use compare_ether_addr() as it requires aligned memory
+ */
+static inline int compare_eth(void *data1, void *data2)
+{
+        return (memcmp(data1, data2, ETH_ALEN) == 0 ? 1 : 0);
+}
+#define atomic_dec_not_zero(v)  atomic_add_unless((v), -1, 0)
 #endif /* _NET_BATMAN_ADV_MAIN_H_ */
diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c
index 6b7fb6b7e6f9..40a30bbcd147 100644
--- a/net/batman-adv/originator.c
+++ b/net/batman-adv/originator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2009-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -19,8 +19,6 @@
 *
 */
-/* increase the reference counter for this originator */
 #include "main.h"
 #include "originator.h"
 #include "hash.h"
@@ -44,24 +42,43 @@ int originator_init(struct bat_priv *bat_priv)
        if (bat_priv->orig_hash)
                return 1;
-        spin_lock_bh(&bat_priv->orig_hash_lock);
        bat_priv->orig_hash = hash_new(1024);
        if (!bat_priv->orig_hash)
                goto err;
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
        start_purge_timer(bat_priv);
        return 1;
 err:
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
        return 0;
 }
-struct neigh_node *
+void neigh_node_free_ref(struct neigh_node *neigh_node)
-create_neighbor(struct orig_node *orig_node, struct orig_node *orig_neigh_node,
+{
-                uint8_t *neigh, struct batman_if *if_incoming)
+        if (atomic_dec_and_test(&neigh_node->refcount))
+                kfree_rcu(neigh_node, rcu);
+}
+/* increases the refcounter of a found router */
+struct neigh_node *orig_node_get_router(struct orig_node *orig_node)
+{
+        struct neigh_node *router;
+        rcu_read_lock();
+        router = rcu_dereference(orig_node->router);
+        if (router && !atomic_inc_not_zero(&router->refcount))
+                router = NULL;
+        rcu_read_unlock();
+        return router;
+}
+struct neigh_node *create_neighbor(struct orig_node *orig_node,
+                                   struct orig_node *orig_neigh_node,
+                                   uint8_t *neigh,
+                                   struct hard_iface *if_incoming)
 {
        struct bat_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
        struct neigh_node *neigh_node;
@@ -73,50 +90,95 @@ create_neighbor(struct orig_node *orig_node, struct orig_node *orig_neigh_node,
        if (!neigh_node)
                return NULL;
-        INIT_LIST_HEAD(&neigh_node->list);
+        INIT_HLIST_NODE(&neigh_node->list);
+        INIT_LIST_HEAD(&neigh_node->bonding_list);
+        spin_lock_init(&neigh_node->tq_lock);
        memcpy(neigh_node->addr, neigh, ETH_ALEN);
        neigh_node->orig_node = orig_neigh_node;
        neigh_node->if_incoming = if_incoming;
-        list_add_tail(&neigh_node->list, &orig_node->neigh_list);
+        /* extra reference for return */
+        atomic_set(&neigh_node->refcount, 2);
+        spin_lock_bh(&orig_node->neigh_list_lock);
+        hlist_add_head_rcu(&neigh_node->list, &orig_node->neigh_list);
+        spin_unlock_bh(&orig_node->neigh_list_lock);
        return neigh_node;
 }
-static void free_orig_node(void *data, void *arg)
+static void orig_node_free_rcu(struct rcu_head *rcu)
 {
-        struct list_head *list_pos, *list_pos_tmp;
+        struct hlist_node *node, *node_tmp;
-        struct neigh_node *neigh_node;
+        struct neigh_node *neigh_node, *tmp_neigh_node;
-        struct orig_node *orig_node = (struct orig_node *)data;
+        struct orig_node *orig_node;
-        struct bat_priv *bat_priv = (struct bat_priv *)arg;
-        /* for all neighbors towards this originator ... */
+        orig_node = container_of(rcu, struct orig_node, rcu);
-        list_for_each_safe(list_pos, list_pos_tmp, &orig_node->neigh_list) {
-                neigh_node = list_entry(list_pos, struct neigh_node, list);
+        spin_lock_bh(&orig_node->neigh_list_lock);
-                list_del(list_pos);
+        /* for all bonding members ... */
-                kfree(neigh_node);
+        list_for_each_entry_safe(neigh_node, tmp_neigh_node,
+                                 &orig_node->bond_list, bonding_list) {
+                list_del_rcu(&neigh_node->bonding_list);
+                neigh_node_free_ref(neigh_node);
        }
+        /* for all neighbors towards this originator ... */
+        hlist_for_each_entry_safe(neigh_node, node, node_tmp,
+                                  &orig_node->neigh_list, list) {
+                hlist_del_rcu(&neigh_node->list);
+                neigh_node_free_ref(neigh_node);
+        }
+        spin_unlock_bh(&orig_node->neigh_list_lock);
        frag_list_free(&orig_node->frag_list);
-        hna_global_del_orig(bat_priv, orig_node, "originator timed out");
+        tt_global_del_orig(orig_node->bat_priv, orig_node,
+                            "originator timed out");
        kfree(orig_node->bcast_own);
        kfree(orig_node->bcast_own_sum);
        kfree(orig_node);
 }
+void orig_node_free_ref(struct orig_node *orig_node)
+{
+        if (atomic_dec_and_test(&orig_node->refcount))
+                call_rcu(&orig_node->rcu, orig_node_free_rcu);
+}
 void originator_free(struct bat_priv *bat_priv)
 {
-        if (!bat_priv->orig_hash)
+        struct hashtable_t *hash = bat_priv->orig_hash;
+        struct hlist_node *node, *node_tmp;
+        struct hlist_head *head;
+        spinlock_t *list_lock; /* spinlock to protect write access */
+        struct orig_node *orig_node;
+        int i;
+        if (!hash)
                return;
        cancel_delayed_work_sync(&bat_priv->orig_work);
-        spin_lock_bh(&bat_priv->orig_hash_lock);
-        hash_delete(bat_priv->orig_hash, free_orig_node, bat_priv);
        bat_priv->orig_hash = NULL;
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
+        for (i = 0; i < hash->size; i++) {
+                head = &hash->table[i];
+                list_lock = &hash->list_locks[i];
+                spin_lock_bh(list_lock);
+                hlist_for_each_entry_safe(orig_node, node, node_tmp,
+                                          head, hash_entry) {
+                        hlist_del_rcu(node);
+                        orig_node_free_ref(orig_node);
+                }
+                spin_unlock_bh(list_lock);
+        }
+        hash_destroy(hash);
 }
 /* this function finds or creates an originator entry for the given
@@ -127,10 +189,7 @@ struct orig_node *get_orig_node(struct bat_priv *bat_priv, uint8_t *addr)
        int size;
        int hash_added;
-        orig_node = ((struct orig_node *)hash_find(bat_priv->orig_hash,
+        orig_node = orig_hash_find(bat_priv, addr);
-                                                   compare_orig, choose_orig,
-                                                   addr));
        if (orig_node)
                return orig_node;
@@ -141,16 +200,26 @@ struct orig_node *get_orig_node(struct bat_priv *bat_priv, uint8_t *addr)
        if (!orig_node)
                return NULL;
-        INIT_LIST_HEAD(&orig_node->neigh_list);
+        INIT_HLIST_HEAD(&orig_node->neigh_list);
+        INIT_LIST_HEAD(&orig_node->bond_list);
+        spin_lock_init(&orig_node->ogm_cnt_lock);
+        spin_lock_init(&orig_node->bcast_seqno_lock);
+        spin_lock_init(&orig_node->neigh_list_lock);
+        /* extra reference for return */
+        atomic_set(&orig_node->refcount, 2);
+        orig_node->bat_priv = bat_priv;
        memcpy(orig_node->orig, addr, ETH_ALEN);
        orig_node->router = NULL;
-        orig_node->hna_buff = NULL;
+        orig_node->tt_buff = NULL;
        orig_node->bcast_seqno_reset = jiffies - 1
                                        - msecs_to_jiffies(RESET_PROTECTION_MS);
        orig_node->batman_seqno_reset = jiffies - 1
                                        - msecs_to_jiffies(RESET_PROTECTION_MS);
+        atomic_set(&orig_node->bond_candidates, 0);
        size = bat_priv->num_ifaces * sizeof(unsigned long) * NUM_WORDS;
        orig_node->bcast_own = kzalloc(size, GFP_ATOMIC);
@@ -166,8 +235,8 @@ struct orig_node *get_orig_node(struct bat_priv *bat_priv, uint8_t *addr)
        if (!orig_node->bcast_own_sum)
                goto free_bcast_own;
-        hash_added = hash_add(bat_priv->orig_hash, compare_orig, choose_orig,
+        hash_added = hash_add(bat_priv->orig_hash, compare_orig,
-                              orig_node);
+                              choose_orig, orig_node, &orig_node->hash_entry);
        if (hash_added < 0)
                goto free_bcast_own_sum;
@@ -185,23 +254,30 @@ static bool purge_orig_neighbors(struct bat_priv *bat_priv,
                                 struct orig_node *orig_node,
                                 struct neigh_node **best_neigh_node)
 {
-        struct list_head *list_pos, *list_pos_tmp;
+        struct hlist_node *node, *node_tmp;
        struct neigh_node *neigh_node;
        bool neigh_purged = false;
        *best_neigh_node = NULL;
+        spin_lock_bh(&orig_node->neigh_list_lock);
        /* for all neighbors towards this originator ... */
-        list_for_each_safe(list_pos, list_pos_tmp, &orig_node->neigh_list) {
+        hlist_for_each_entry_safe(neigh_node, node, node_tmp,
-                neigh_node = list_entry(list_pos, struct neigh_node, list);
+                                  &orig_node->neigh_list, list) {
                if ((time_after(jiffies,
                        neigh_node->last_valid + PURGE_TIMEOUT * HZ)) ||
                    (neigh_node->if_incoming->if_status == IF_INACTIVE) ||
+                    (neigh_node->if_incoming->if_status == IF_NOT_IN_USE) ||
                    (neigh_node->if_incoming->if_status == IF_TO_BE_REMOVED)) {
-                        if (neigh_node->if_incoming->if_status ==
+                        if ((neigh_node->if_incoming->if_status ==
-                                                        IF_TO_BE_REMOVED)
+                                                                IF_INACTIVE) ||
+                            (neigh_node->if_incoming->if_status ==
+                                                        IF_NOT_IN_USE) ||
+                            (neigh_node->if_incoming->if_status ==
+                                                        IF_TO_BE_REMOVED))
                                bat_dbg(DBG_BATMAN, bat_priv,
                                        "neighbor purge: originator %pM, "
                                        "neighbor: %pM, iface: %s\n",
@@ -215,14 +291,18 @@ static bool purge_orig_neighbors(struct bat_priv *bat_priv,
                                        (neigh_node->last_valid / HZ));
                        neigh_purged = true;
-                        list_del(list_pos);
-                        kfree(neigh_node);
+                        hlist_del_rcu(&neigh_node->list);
+                        bonding_candidate_del(orig_node, neigh_node);
+                        neigh_node_free_ref(neigh_node);
                } else {
                        if ((!*best_neigh_node) ||
                            (neigh_node->tq_avg > (*best_neigh_node)->tq_avg))
                                *best_neigh_node = neigh_node;
                }
        }
+        spin_unlock_bh(&orig_node->neigh_list_lock);
        return neigh_purged;
 }
@@ -243,11 +323,8 @@ static bool purge_orig_node(struct bat_priv *bat_priv,
                                                        &best_neigh_node)) {
                        update_routes(bat_priv, orig_node,
                                      best_neigh_node,
-                                      orig_node->hna_buff,
+                                      orig_node->tt_buff,
-                                      orig_node->hna_buff_len);
+                                      orig_node->tt_buff_len);
-                        /* update bonding candidates, we could have lost
-                         * some candidates. */
-                        update_bonding_candidates(bat_priv, orig_node);
                }
        }
@@ -257,40 +334,38 @@ static bool purge_orig_node(struct bat_priv *bat_priv,
 static void _purge_orig(struct bat_priv *bat_priv)
 {
        struct hashtable_t *hash = bat_priv->orig_hash;
-        struct hlist_node *walk, *safe;
+        struct hlist_node *node, *node_tmp;
        struct hlist_head *head;
-        struct element_t *bucket;
+        spinlock_t *list_lock; /* spinlock to protect write access */
        struct orig_node *orig_node;
        int i;
        if (!hash)
                return;
-        spin_lock_bh(&bat_priv->orig_hash_lock);
        /* for all origins... */
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
+                list_lock = &hash->list_locks[i];
-                hlist_for_each_entry_safe(bucket, walk, safe, head, hlist) {
+                spin_lock_bh(list_lock);
-                        orig_node = bucket->data;
+                hlist_for_each_entry_safe(orig_node, node, node_tmp,
+                                          head, hash_entry) {
                        if (purge_orig_node(bat_priv, orig_node)) {
                                if (orig_node->gw_flags)
                                        gw_node_delete(bat_priv, orig_node);
-                                hlist_del(walk);
+                                hlist_del_rcu(node);
-                                kfree(bucket);
+                                orig_node_free_ref(orig_node);
-                                free_orig_node(orig_node, bat_priv);
+                                continue;
                        }
                        if (time_after(jiffies, orig_node->last_frag_packet +
                                                msecs_to_jiffies(FRAG_TIMEOUT)))
                                frag_list_free(&orig_node->frag_list);
                }
+                spin_unlock_bh(list_lock);
        }
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
        gw_node_purge(bat_priv);
        gw_election(bat_priv);
@@ -318,79 +393,86 @@ int orig_seq_print_text(struct seq_file *seq, void *offset)
        struct net_device *net_dev = (struct net_device *)seq->private;
        struct bat_priv *bat_priv = netdev_priv(net_dev);
        struct hashtable_t *hash = bat_priv->orig_hash;
-        struct hlist_node *walk;
+        struct hlist_node *node, *node_tmp;
        struct hlist_head *head;
-        struct element_t *bucket;
+        struct hard_iface *primary_if;
        struct orig_node *orig_node;
-        struct neigh_node *neigh_node;
+        struct neigh_node *neigh_node, *neigh_node_tmp;
        int batman_count = 0;
        int last_seen_secs;
        int last_seen_msecs;
-        int i;
+        int i, ret = 0;
-        if ((!bat_priv->primary_if) ||
+        primary_if = primary_if_get_selected(bat_priv);
-            (bat_priv->primary_if->if_status != IF_ACTIVE)) {
-                if (!bat_priv->primary_if)
-                        return seq_printf(seq, "BATMAN mesh %s disabled - "
-                                     "please specify interfaces to enable it\n",
-                                     net_dev->name);
-                return seq_printf(seq, "BATMAN mesh %s "
+        if (!primary_if) {
-                                  "disabled - primary interface not active\n",
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - "
-                                  net_dev->name);
+                                 "please specify interfaces to enable it\n",
+                                 net_dev->name);
+                goto out;
+        }
+        if (primary_if->if_status != IF_ACTIVE) {
+                ret = seq_printf(seq, "BATMAN mesh %s "
+                                 "disabled - primary interface not active\n",
+                                 net_dev->name);
+                goto out;
        }
        seq_printf(seq, "[B.A.T.M.A.N. adv %s%s, MainIF/MAC: %s/%pM (%s)]\n",
                   SOURCE_VERSION, REVISION_VERSION_STR,
-                   bat_priv->primary_if->net_dev->name,
+                   primary_if->net_dev->name,
-                   bat_priv->primary_if->net_dev->dev_addr, net_dev->name);
+                   primary_if->net_dev->dev_addr, net_dev->name);
        seq_printf(seq, "  %-15s %s (%s/%i) %17s [%10s]: %20s ...\n",
                   "Originator", "last-seen", "#", TQ_MAX_VALUE, "Nexthop",
                   "outgoingIF", "Potential nexthops");
-        spin_lock_bh(&bat_priv->orig_hash_lock);
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(bucket, walk, head, hlist) {
+                rcu_read_lock();
-                        orig_node = bucket->data;
+                hlist_for_each_entry_rcu(orig_node, node, head, hash_entry) {
+                        neigh_node = orig_node_get_router(orig_node);
-                        if (!orig_node->router)
+                        if (!neigh_node)
                                continue;
-                        if (orig_node->router->tq_avg == 0)
+                        if (neigh_node->tq_avg == 0)
-                                continue;
+                                goto next;
                        last_seen_secs = jiffies_to_msecs(jiffies -
                                                orig_node->last_valid) / 1000;
                        last_seen_msecs = jiffies_to_msecs(jiffies -
                                                orig_node->last_valid) % 1000;
-                        neigh_node = orig_node->router;
                        seq_printf(seq, "%pM %4i.%03is   (%3i) %pM [%10s]:",
                                   orig_node->orig, last_seen_secs,
                                   last_seen_msecs, neigh_node->tq_avg,
                                   neigh_node->addr,
                                   neigh_node->if_incoming->net_dev->name);
-                        list_for_each_entry(neigh_node, &orig_node->neigh_list,
+                        hlist_for_each_entry_rcu(neigh_node_tmp, node_tmp,
-                                            list) {
+                                                 &orig_node->neigh_list, list) {
-                                seq_printf(seq, " %pM (%3i)", neigh_node->addr,
+                                seq_printf(seq, " %pM (%3i)",
-                                                neigh_node->tq_avg);
+                                           neigh_node_tmp->addr,
+                                           neigh_node_tmp->tq_avg);
                        }
                        seq_printf(seq, "\n");
                        batman_count++;
+next:
+                        neigh_node_free_ref(neigh_node);
                }
+                rcu_read_unlock();
        }
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
+        if (batman_count == 0)
-        if ((batman_count == 0))
                seq_printf(seq, "No batman nodes in range ...\n");
-        return 0;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        return ret;
 }
 static int orig_node_add_if(struct orig_node *orig_node, int max_if_num)
@@ -423,36 +505,36 @@ static int orig_node_add_if(struct orig_node *orig_node, int max_if_num)
        return 0;
 }
-int orig_hash_add_if(struct batman_if *batman_if, int max_if_num)
+int orig_hash_add_if(struct hard_iface *hard_iface, int max_if_num)
 {
-        struct bat_priv *bat_priv = netdev_priv(batman_if->soft_iface);
+        struct bat_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
        struct hashtable_t *hash = bat_priv->orig_hash;
-        struct hlist_node *walk;
+        struct hlist_node *node;
        struct hlist_head *head;
-        struct element_t *bucket;
        struct orig_node *orig_node;
-        int i;
+        int i, ret;
        /* resize all orig nodes because orig_node->bcast_own(_sum) depend on
         * if_num */
-        spin_lock_bh(&bat_priv->orig_hash_lock);
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(bucket, walk, head, hlist) {
+                rcu_read_lock();
-                        orig_node = bucket->data;
+                hlist_for_each_entry_rcu(orig_node, node, head, hash_entry) {
+                        spin_lock_bh(&orig_node->ogm_cnt_lock);
+                        ret = orig_node_add_if(orig_node, max_if_num);
+                        spin_unlock_bh(&orig_node->ogm_cnt_lock);
-                        if (orig_node_add_if(orig_node, max_if_num) == -1)
+                        if (ret == -1)
                                goto err;
                }
+                rcu_read_unlock();
        }
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
        return 0;
 err:
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
+        rcu_read_unlock();
        return -ENOMEM;
 }
@@ -508,57 +590,55 @@ free_own_sum:
        return 0;
 }
-int orig_hash_del_if(struct batman_if *batman_if, int max_if_num)
+int orig_hash_del_if(struct hard_iface *hard_iface, int max_if_num)
 {
-        struct bat_priv *bat_priv = netdev_priv(batman_if->soft_iface);
+        struct bat_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
        struct hashtable_t *hash = bat_priv->orig_hash;
-        struct hlist_node *walk;
+        struct hlist_node *node;
        struct hlist_head *head;
-        struct element_t *bucket;
+        struct hard_iface *hard_iface_tmp;
-        struct batman_if *batman_if_tmp;
        struct orig_node *orig_node;
        int i, ret;
        /* resize all orig nodes because orig_node->bcast_own(_sum) depend on
         * if_num */
-        spin_lock_bh(&bat_priv->orig_hash_lock);
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(bucket, walk, head, hlist) {
+                rcu_read_lock();
-                        orig_node = bucket->data;
+                hlist_for_each_entry_rcu(orig_node, node, head, hash_entry) {
+                        spin_lock_bh(&orig_node->ogm_cnt_lock);
                        ret = orig_node_del_if(orig_node, max_if_num,
-                                        batman_if->if_num);
+                                        hard_iface->if_num);
+                        spin_unlock_bh(&orig_node->ogm_cnt_lock);
                        if (ret == -1)
                                goto err;
                }
+                rcu_read_unlock();
        }
        /* renumber remaining batman interfaces _inside_ of orig_hash_lock */
        rcu_read_lock();
-        list_for_each_entry_rcu(batman_if_tmp, &if_list, list) {
+        list_for_each_entry_rcu(hard_iface_tmp, &hardif_list, list) {
-                if (batman_if_tmp->if_status == IF_NOT_IN_USE)
+                if (hard_iface_tmp->if_status == IF_NOT_IN_USE)
                        continue;
-                if (batman_if == batman_if_tmp)
+                if (hard_iface == hard_iface_tmp)
                        continue;
-                if (batman_if->soft_iface != batman_if_tmp->soft_iface)
+                if (hard_iface->soft_iface != hard_iface_tmp->soft_iface)
                        continue;
-                if (batman_if_tmp->if_num > batman_if->if_num)
+                if (hard_iface_tmp->if_num > hard_iface->if_num)
-                        batman_if_tmp->if_num--;
+                        hard_iface_tmp->if_num--;
        }
        rcu_read_unlock();
-        batman_if->if_num = -1;
+        hard_iface->if_num = -1;
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
        return 0;
 err:
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
+        rcu_read_unlock();
        return -ENOMEM;
 }
diff --git a/net/batman-adv/originator.h b/net/batman-adv/originator.h
index d474ceb2a4eb..e1d641f27aa9 100644
--- a/net/batman-adv/originator.h
+++ b/net/batman-adv/originator.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -22,21 +22,29 @@
 #ifndef _NET_BATMAN_ADV_ORIGINATOR_H_
 #define _NET_BATMAN_ADV_ORIGINATOR_H_
+#include "hash.h"
 int originator_init(struct bat_priv *bat_priv);
 void originator_free(struct bat_priv *bat_priv);
 void purge_orig_ref(struct bat_priv *bat_priv);
+void orig_node_free_ref(struct orig_node *orig_node);
 struct orig_node *get_orig_node(struct bat_priv *bat_priv, uint8_t *addr);
-struct neigh_node *
+struct neigh_node *create_neighbor(struct orig_node *orig_node,
-create_neighbor(struct orig_node *orig_node, struct orig_node *orig_neigh_node,
+                                   struct orig_node *orig_neigh_node,
-                uint8_t *neigh, struct batman_if *if_incoming);
+                                   uint8_t *neigh,
+                                   struct hard_iface *if_incoming);
+void neigh_node_free_ref(struct neigh_node *neigh_node);
+struct neigh_node *orig_node_get_router(struct orig_node *orig_node);
 int orig_seq_print_text(struct seq_file *seq, void *offset);
-int orig_hash_add_if(struct batman_if *batman_if, int max_if_num);
+int orig_hash_add_if(struct hard_iface *hard_iface, int max_if_num);
-int orig_hash_del_if(struct batman_if *batman_if, int max_if_num);
+int orig_hash_del_if(struct hard_iface *hard_iface, int max_if_num);
 /* returns 1 if they are the same originator */
-static inline int compare_orig(void *data1, void *data2)
+static inline int compare_orig(struct hlist_node *node, void *data2)
 {
+        void *data1 = container_of(node, struct orig_node, hash_entry);
        return (memcmp(data1, data2, ETH_ALEN) == 0 ? 1 : 0);
 }
@@ -61,4 +69,35 @@ static inline int choose_orig(void *data, int32_t size)
        return hash % size;
 }
+static inline struct orig_node *orig_hash_find(struct bat_priv *bat_priv,
+                                               void *data)
+{
+        struct hashtable_t *hash = bat_priv->orig_hash;
+        struct hlist_head *head;
+        struct hlist_node *node;
+        struct orig_node *orig_node, *orig_node_tmp = NULL;
+        int index;
+        if (!hash)
+                return NULL;
+        index = choose_orig(data, hash->size);
+        head = &hash->table[index];
+        rcu_read_lock();
+        hlist_for_each_entry_rcu(orig_node, node, head, hash_entry) {
+                if (!compare_eth(orig_node, data))
+                        continue;
+                if (!atomic_inc_not_zero(&orig_node->refcount))
+                        continue;
+                orig_node_tmp = orig_node;
+                break;
+        }
+        rcu_read_unlock();
+        return orig_node_tmp;
+}
 #endif /* _NET_BATMAN_ADV_ORIGINATOR_H_ */
diff --git a/net/batman-adv/packet.h b/net/batman-adv/packet.h
index 2284e8129cb2..eda99650e9f8 100644
--- a/net/batman-adv/packet.h
+++ b/net/batman-adv/packet.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -50,6 +50,7 @@
 /* fragmentation defines */
 #define UNI_FRAG_HEAD 0x01
+#define UNI_FRAG_LARGETAIL 0x02
 struct batman_packet {
        uint8_t  packet_type;
@@ -60,7 +61,7 @@ struct batman_packet {
        uint8_t  orig[6];
        uint8_t  prev_sender[6];
        uint8_t  ttl;
-        uint8_t  num_hna;
+        uint8_t  num_tt;
        uint8_t  gw_flags;  /* flags related to gateway class */
        uint8_t  align;
 } __packed;
@@ -127,8 +128,7 @@ struct vis_packet {
        uint8_t  entries;        /* number of entries behind this struct */
        uint32_t seqno;          /* sequence number */
        uint8_t  ttl;            /* TTL */
-        uint8_t  vis_orig[6];    /* originator that informs about its
+        uint8_t  vis_orig[6];    /* originator that announces its neighbors */
-                                  * neighbors */
        uint8_t  target_orig[6]; /* who should receive this packet */
        uint8_t  sender_orig[6]; /* who sent or rebroadcasted this packet */
 } __packed;
diff --git a/net/batman-adv/ring_buffer.c b/net/batman-adv/ring_buffer.c
index defd37c9be1f..5bb6a619afee 100644
--- a/net/batman-adv/ring_buffer.c
+++ b/net/batman-adv/ring_buffer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner
 *
diff --git a/net/batman-adv/ring_buffer.h b/net/batman-adv/ring_buffer.h
index 6b0cb9aaeba5..0395b2741864 100644
--- a/net/batman-adv/ring_buffer.h
+++ b/net/batman-adv/ring_buffer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner
 *
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 8828eddd3f72..bb1c3ec7e3ff 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -28,7 +28,6 @@
 #include "icmp_socket.h"
 #include "translation-table.h"
 #include "originator.h"
-#include "types.h"
 #include "ring_buffer.h"
 #include "vis.h"
 #include "aggregation.h"
@@ -36,176 +35,194 @@
 #include "gateway_client.h"
 #include "unicast.h"
-void slide_own_bcast_window(struct batman_if *batman_if)
+void slide_own_bcast_window(struct hard_iface *hard_iface)
 {
-        struct bat_priv *bat_priv = netdev_priv(batman_if->soft_iface);
+        struct bat_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
        struct hashtable_t *hash = bat_priv->orig_hash;
-        struct hlist_node *walk;
+        struct hlist_node *node;
        struct hlist_head *head;
-        struct element_t *bucket;
        struct orig_node *orig_node;
        unsigned long *word;
        int i;
        size_t word_index;
-        spin_lock_bh(&bat_priv->orig_hash_lock);
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(bucket, walk, head, hlist) {
+                rcu_read_lock();
-                        orig_node = bucket->data;
+                hlist_for_each_entry_rcu(orig_node, node, head, hash_entry) {
-                        word_index = batman_if->if_num * NUM_WORDS;
+                        spin_lock_bh(&orig_node->ogm_cnt_lock);
+                        word_index = hard_iface->if_num * NUM_WORDS;
                        word = &(orig_node->bcast_own[word_index]);
                        bit_get_packet(bat_priv, word, 1, 0);
-                        orig_node->bcast_own_sum[batman_if->if_num] =
+                        orig_node->bcast_own_sum[hard_iface->if_num] =
                                bit_packet_count(word);
+                        spin_unlock_bh(&orig_node->ogm_cnt_lock);
                }
+                rcu_read_unlock();
        }
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
 }
-static void update_HNA(struct bat_priv *bat_priv, struct orig_node *orig_node,
+static void update_TT(struct bat_priv *bat_priv, struct orig_node *orig_node,
-                       unsigned char *hna_buff, int hna_buff_len)
+                       unsigned char *tt_buff, int tt_buff_len)
 {
-        if ((hna_buff_len != orig_node->hna_buff_len) ||
+        if ((tt_buff_len != orig_node->tt_buff_len) ||
-            ((hna_buff_len > 0) &&
+            ((tt_buff_len > 0) &&
-             (orig_node->hna_buff_len > 0) &&
+             (orig_node->tt_buff_len > 0) &&
-             (memcmp(orig_node->hna_buff, hna_buff, hna_buff_len) != 0))) {
+             (memcmp(orig_node->tt_buff, tt_buff, tt_buff_len) != 0))) {
-                if (orig_node->hna_buff_len > 0)
+                if (orig_node->tt_buff_len > 0)
-                        hna_global_del_orig(bat_priv, orig_node,
+                        tt_global_del_orig(bat_priv, orig_node,
-                                            "originator changed hna");
+                                            "originator changed tt");
-                if ((hna_buff_len > 0) && (hna_buff))
+                if ((tt_buff_len > 0) && (tt_buff))
-                        hna_global_add_orig(bat_priv, orig_node,
+                        tt_global_add_orig(bat_priv, orig_node,
-                                            hna_buff, hna_buff_len);
+                                            tt_buff, tt_buff_len);
        }
 }
 static void update_route(struct bat_priv *bat_priv,
                         struct orig_node *orig_node,
                         struct neigh_node *neigh_node,
-                         unsigned char *hna_buff, int hna_buff_len)
+                         unsigned char *tt_buff, int tt_buff_len)
 {
+        struct neigh_node *curr_router;
+        curr_router = orig_node_get_router(orig_node);
        /* route deleted */
-        if ((orig_node->router) && (!neigh_node)) {
+        if ((curr_router) && (!neigh_node)) {
                bat_dbg(DBG_ROUTES, bat_priv, "Deleting route towards: %pM\n",
                        orig_node->orig);
-                hna_global_del_orig(bat_priv, orig_node,
+                tt_global_del_orig(bat_priv, orig_node,
                                    "originator timed out");
-                /* route added */
+        /* route added */
-        } else if ((!orig_node->router) && (neigh_node)) {
+        } else if ((!curr_router) && (neigh_node)) {
                bat_dbg(DBG_ROUTES, bat_priv,
                        "Adding route towards: %pM (via %pM)\n",
                        orig_node->orig, neigh_node->addr);
-                hna_global_add_orig(bat_priv, orig_node,
+                tt_global_add_orig(bat_priv, orig_node,
-                                    hna_buff, hna_buff_len);
+                                    tt_buff, tt_buff_len);
-                /* route changed */
+        /* route changed */
        } else {
                bat_dbg(DBG_ROUTES, bat_priv,
                        "Changing route towards: %pM "
                        "(now via %pM - was via %pM)\n",
                        orig_node->orig, neigh_node->addr,
-                        orig_node->router->addr);
+                        curr_router->addr);
        }
-        orig_node->router = neigh_node;
+        if (curr_router)
+                neigh_node_free_ref(curr_router);
+        /* increase refcount of new best neighbor */
+        if (neigh_node && !atomic_inc_not_zero(&neigh_node->refcount))
+                neigh_node = NULL;
+        spin_lock_bh(&orig_node->neigh_list_lock);
+        rcu_assign_pointer(orig_node->router, neigh_node);
+        spin_unlock_bh(&orig_node->neigh_list_lock);
+        /* decrease refcount of previous best neighbor */
+        if (curr_router)
+                neigh_node_free_ref(curr_router);
 }
 void update_routes(struct bat_priv *bat_priv, struct orig_node *orig_node,
-                   struct neigh_node *neigh_node, unsigned char *hna_buff,
+                   struct neigh_node *neigh_node, unsigned char *tt_buff,
-                   int hna_buff_len)
+                   int tt_buff_len)
 {
+        struct neigh_node *router = NULL;
        if (!orig_node)
-                return;
+                goto out;
+        router = orig_node_get_router(orig_node);
-        if (orig_node->router != neigh_node)
+        if (router != neigh_node)
                update_route(bat_priv, orig_node, neigh_node,
-                             hna_buff, hna_buff_len);
+                             tt_buff, tt_buff_len);
-        /* may be just HNA changed */
+        /* may be just TT changed */
        else
-                update_HNA(bat_priv, orig_node, hna_buff, hna_buff_len);
+                update_TT(bat_priv, orig_node, tt_buff, tt_buff_len);
+out:
+        if (router)
+                neigh_node_free_ref(router);
 }
 static int is_bidirectional_neigh(struct orig_node *orig_node,
                                struct orig_node *orig_neigh_node,
                                struct batman_packet *batman_packet,
-                                struct batman_if *if_incoming)
+                                struct hard_iface *if_incoming)
 {
        struct bat_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
-        struct neigh_node *neigh_node = NULL, *tmp_neigh_node = NULL;
+        struct neigh_node *neigh_node = NULL, *tmp_neigh_node;
+        struct hlist_node *node;
        unsigned char total_count;
+        uint8_t orig_eq_count, neigh_rq_count, tq_own;
+        int tq_asym_penalty, ret = 0;
-        if (orig_node == orig_neigh_node) {
+        /* find corresponding one hop neighbor */
-                list_for_each_entry(tmp_neigh_node,
+        rcu_read_lock();
-                                    &orig_node->neigh_list,
+        hlist_for_each_entry_rcu(tmp_neigh_node, node,
-                                    list) {
+                                 &orig_neigh_node->neigh_list, list) {
-                        if (compare_orig(tmp_neigh_node->addr,
+                if (!compare_eth(tmp_neigh_node->addr, orig_neigh_node->orig))
-                                         orig_neigh_node->orig) &&
+                        continue;
-                            (tmp_neigh_node->if_incoming == if_incoming))
-                                neigh_node = tmp_neigh_node;
-                }
-                if (!neigh_node)
+                if (tmp_neigh_node->if_incoming != if_incoming)
-                        neigh_node = create_neighbor(orig_node,
+                        continue;
-                                                     orig_neigh_node,
-                                                     orig_neigh_node->orig,
-                                                     if_incoming);
-                /* create_neighbor failed, return 0 */
-                if (!neigh_node)
-                        return 0;
-                neigh_node->last_valid = jiffies;
+                if (!atomic_inc_not_zero(&tmp_neigh_node->refcount))
-        } else {
+                        continue;
-                /* find packet count of corresponding one hop neighbor */
-                list_for_each_entry(tmp_neigh_node,
-                                    &orig_neigh_node->neigh_list, list) {
-                        if (compare_orig(tmp_neigh_node->addr,
-                                         orig_neigh_node->orig) &&
-                            (tmp_neigh_node->if_incoming == if_incoming))
-                                neigh_node = tmp_neigh_node;
-                }
-                if (!neigh_node)
+                neigh_node = tmp_neigh_node;
-                        neigh_node = create_neighbor(orig_neigh_node,
+                break;
-                                                     orig_neigh_node,
-                                                     orig_neigh_node->orig,
-                                                     if_incoming);
-                /* create_neighbor failed, return 0 */
-                if (!neigh_node)
-                        return 0;
        }
+        rcu_read_unlock();
+        if (!neigh_node)
+                neigh_node = create_neighbor(orig_neigh_node,
+                                             orig_neigh_node,
+                                             orig_neigh_node->orig,
+                                             if_incoming);
+        if (!neigh_node)
+                goto out;
+        /* if orig_node is direct neighbour update neigh_node last_valid */
+        if (orig_node == orig_neigh_node)
+                neigh_node->last_valid = jiffies;
        orig_node->last_valid = jiffies;
+        /* find packet count of corresponding one hop neighbor */
+        spin_lock_bh(&orig_node->ogm_cnt_lock);
+        orig_eq_count = orig_neigh_node->bcast_own_sum[if_incoming->if_num];
+        neigh_rq_count = neigh_node->real_packet_count;
+        spin_unlock_bh(&orig_node->ogm_cnt_lock);
        /* pay attention to not get a value bigger than 100 % */
-        total_count = (orig_neigh_node->bcast_own_sum[if_incoming->if_num] >
+        total_count = (orig_eq_count > neigh_rq_count ?
-                       neigh_node->real_packet_count ?
+                       neigh_rq_count : orig_eq_count);
-                       neigh_node->real_packet_count :
-                       orig_neigh_node->bcast_own_sum[if_incoming->if_num]);
        /* if we have too few packets (too less data) we set tq_own to zero */
        /* if we receive too few packets it is not considered bidirectional */
        if ((total_count < TQ_LOCAL_BIDRECT_SEND_MINIMUM) ||
-            (neigh_node->real_packet_count < TQ_LOCAL_BIDRECT_RECV_MINIMUM))
+            (neigh_rq_count < TQ_LOCAL_BIDRECT_RECV_MINIMUM))
-                orig_neigh_node->tq_own = 0;
+                tq_own = 0;
        else
                /* neigh_node->real_packet_count is never zero as we
                 * only purge old information when getting new
                 * information */
-                orig_neigh_node->tq_own = (TQ_MAX_VALUE * total_count) /
+                tq_own = (TQ_MAX_VALUE * total_count) / neigh_rq_count;
-                        neigh_node->real_packet_count;
        /*
         * 1 - ((1-x) ** 3), normalized to TQ_MAX_VALUE this does
@@ -213,20 +230,16 @@ static int is_bidirectional_neigh(struct orig_node *orig_node,
         * punishes asymmetric links more.  This will give a value
         * between 0 and TQ_MAX_VALUE
         */
-        orig_neigh_node->tq_asym_penalty =
+        tq_asym_penalty = TQ_MAX_VALUE - (TQ_MAX_VALUE *
-                TQ_MAX_VALUE -
+                                (TQ_LOCAL_WINDOW_SIZE - neigh_rq_count) *
-                (TQ_MAX_VALUE *
+                                (TQ_LOCAL_WINDOW_SIZE - neigh_rq_count) *
-                 (TQ_LOCAL_WINDOW_SIZE - neigh_node->real_packet_count) *
+                                (TQ_LOCAL_WINDOW_SIZE - neigh_rq_count)) /
-                 (TQ_LOCAL_WINDOW_SIZE - neigh_node->real_packet_count) *
+                                        (TQ_LOCAL_WINDOW_SIZE *
-                 (TQ_LOCAL_WINDOW_SIZE - neigh_node->real_packet_count)) /
+                                         TQ_LOCAL_WINDOW_SIZE *
-                (TQ_LOCAL_WINDOW_SIZE *
+                                         TQ_LOCAL_WINDOW_SIZE);
-                 TQ_LOCAL_WINDOW_SIZE *
-                 TQ_LOCAL_WINDOW_SIZE);
+        batman_packet->tq = ((batman_packet->tq * tq_own * tq_asym_penalty) /
+                                                (TQ_MAX_VALUE * TQ_MAX_VALUE));
-        batman_packet->tq = ((batman_packet->tq *
-                              orig_neigh_node->tq_own *
-                              orig_neigh_node->tq_asym_penalty) /
-                             (TQ_MAX_VALUE * TQ_MAX_VALUE));
        bat_dbg(DBG_BATMAN, bat_priv,
                "bidirectional: "
@@ -234,34 +247,143 @@ static int is_bidirectional_neigh(struct orig_node *orig_node,
                "real recv = %2i, local tq: %3i, asym_penalty: %3i, "
                "total tq: %3i\n",
                orig_node->orig, orig_neigh_node->orig, total_count,
-                neigh_node->real_packet_count, orig_neigh_node->tq_own,
+                neigh_rq_count, tq_own, tq_asym_penalty, batman_packet->tq);
-                orig_neigh_node->tq_asym_penalty, batman_packet->tq);
        /* if link has the minimum required transmission quality
         * consider it bidirectional */
        if (batman_packet->tq >= TQ_TOTAL_BIDRECT_LIMIT)
-                return 1;
+                ret = 1;
-        return 0;
+out:
+        if (neigh_node)
+                neigh_node_free_ref(neigh_node);
+        return ret;
+}
+/* caller must hold the neigh_list_lock */
+void bonding_candidate_del(struct orig_node *orig_node,
+                           struct neigh_node *neigh_node)
+{
+        /* this neighbor is not part of our candidate list */
+        if (list_empty(&neigh_node->bonding_list))
+                goto out;
+        list_del_rcu(&neigh_node->bonding_list);
+        INIT_LIST_HEAD(&neigh_node->bonding_list);
+        neigh_node_free_ref(neigh_node);
+        atomic_dec(&orig_node->bond_candidates);
+out:
+        return;
+}
+static void bonding_candidate_add(struct orig_node *orig_node,
+                                  struct neigh_node *neigh_node)
+{
+        struct hlist_node *node;
+        struct neigh_node *tmp_neigh_node, *router = NULL;
+        uint8_t interference_candidate = 0;
+        spin_lock_bh(&orig_node->neigh_list_lock);
+        /* only consider if it has the same primary address ...  */
+        if (!compare_eth(orig_node->orig,
+                         neigh_node->orig_node->primary_addr))
+                goto candidate_del;
+        router = orig_node_get_router(orig_node);
+        if (!router)
+                goto candidate_del;
+        /* ... and is good enough to be considered */
+        if (neigh_node->tq_avg < router->tq_avg - BONDING_TQ_THRESHOLD)
+                goto candidate_del;
+        /**
+         * check if we have another candidate with the same mac address or
+         * interface. If we do, we won't select this candidate because of
+         * possible interference.
+         */
+        hlist_for_each_entry_rcu(tmp_neigh_node, node,
+                                 &orig_node->neigh_list, list) {
+                if (tmp_neigh_node == neigh_node)
+                        continue;
+                /* we only care if the other candidate is even
+                * considered as candidate. */
+                if (list_empty(&tmp_neigh_node->bonding_list))
+                        continue;
+                if ((neigh_node->if_incoming == tmp_neigh_node->if_incoming) ||
+                    (compare_eth(neigh_node->addr, tmp_neigh_node->addr))) {
+                        interference_candidate = 1;
+                        break;
+                }
+        }
+        /* don't care further if it is an interference candidate */
+        if (interference_candidate)
+                goto candidate_del;
+        /* this neighbor already is part of our candidate list */
+        if (!list_empty(&neigh_node->bonding_list))
+                goto out;
+        if (!atomic_inc_not_zero(&neigh_node->refcount))
+                goto out;
+        list_add_rcu(&neigh_node->bonding_list, &orig_node->bond_list);
+        atomic_inc(&orig_node->bond_candidates);
+        goto out;
+candidate_del:
+        bonding_candidate_del(orig_node, neigh_node);
+out:
+        spin_unlock_bh(&orig_node->neigh_list_lock);
+        if (router)
+                neigh_node_free_ref(router);
+}
+/* copy primary address for bonding */
+static void bonding_save_primary(struct orig_node *orig_node,
+                                 struct orig_node *orig_neigh_node,
+                                 struct batman_packet *batman_packet)
+{
+        if (!(batman_packet->flags & PRIMARIES_FIRST_HOP))
+                return;
+        memcpy(orig_neigh_node->primary_addr, orig_node->orig, ETH_ALEN);
 }
 static void update_orig(struct bat_priv *bat_priv,
                        struct orig_node *orig_node,
                        struct ethhdr *ethhdr,
                        struct batman_packet *batman_packet,
-                        struct batman_if *if_incoming,
+                        struct hard_iface *if_incoming,
-                        unsigned char *hna_buff, int hna_buff_len,
+                        unsigned char *tt_buff, int tt_buff_len,
                        char is_duplicate)
 {
        struct neigh_node *neigh_node = NULL, *tmp_neigh_node = NULL;
-        int tmp_hna_buff_len;
+        struct neigh_node *router = NULL;
+        struct orig_node *orig_node_tmp;
+        struct hlist_node *node;
+        int tmp_tt_buff_len;
+        uint8_t bcast_own_sum_orig, bcast_own_sum_neigh;
        bat_dbg(DBG_BATMAN, bat_priv, "update_originator(): "
                "Searching and updating originator entry of received packet\n");
-        list_for_each_entry(tmp_neigh_node, &orig_node->neigh_list, list) {
+        rcu_read_lock();
-                if (compare_orig(tmp_neigh_node->addr, ethhdr->h_source) &&
+        hlist_for_each_entry_rcu(tmp_neigh_node, node,
-                    (tmp_neigh_node->if_incoming == if_incoming)) {
+                                 &orig_node->neigh_list, list) {
+                if (compare_eth(tmp_neigh_node->addr, ethhdr->h_source) &&
+                    (tmp_neigh_node->if_incoming == if_incoming) &&
+                     atomic_inc_not_zero(&tmp_neigh_node->refcount)) {
+                        if (neigh_node)
+                                neigh_node_free_ref(neigh_node);
                        neigh_node = tmp_neigh_node;
                        continue;
                }
@@ -269,10 +391,12 @@ static void update_orig(struct bat_priv *bat_priv,
                if (is_duplicate)
                        continue;
+                spin_lock_bh(&tmp_neigh_node->tq_lock);
                ring_buffer_set(tmp_neigh_node->tq_recv,
                                &tmp_neigh_node->tq_index, 0);
                tmp_neigh_node->tq_avg =
                        ring_buffer_avg(tmp_neigh_node->tq_recv);
+                spin_unlock_bh(&tmp_neigh_node->tq_lock);
        }
        if (!neigh_node) {
@@ -280,57 +404,76 @@ static void update_orig(struct bat_priv *bat_priv,
                orig_tmp = get_orig_node(bat_priv, ethhdr->h_source);
                if (!orig_tmp)
-                        return;
+                        goto unlock;
                neigh_node = create_neighbor(orig_node, orig_tmp,
                                             ethhdr->h_source, if_incoming);
+                orig_node_free_ref(orig_tmp);
                if (!neigh_node)
-                        return;
+                        goto unlock;
        } else
                bat_dbg(DBG_BATMAN, bat_priv,
                        "Updating existing last-hop neighbor of originator\n");
+        rcu_read_unlock();
        orig_node->flags = batman_packet->flags;
        neigh_node->last_valid = jiffies;
+        spin_lock_bh(&neigh_node->tq_lock);
        ring_buffer_set(neigh_node->tq_recv,
                        &neigh_node->tq_index,
                        batman_packet->tq);
        neigh_node->tq_avg = ring_buffer_avg(neigh_node->tq_recv);
+        spin_unlock_bh(&neigh_node->tq_lock);
        if (!is_duplicate) {
                orig_node->last_ttl = batman_packet->ttl;
                neigh_node->last_ttl = batman_packet->ttl;
        }
-        tmp_hna_buff_len = (hna_buff_len > batman_packet->num_hna * ETH_ALEN ?
+        bonding_candidate_add(orig_node, neigh_node);
-                            batman_packet->num_hna * ETH_ALEN : hna_buff_len);
+        tmp_tt_buff_len = (tt_buff_len > batman_packet->num_tt * ETH_ALEN ?
+                            batman_packet->num_tt * ETH_ALEN : tt_buff_len);
        /* if this neighbor already is our next hop there is nothing
         * to change */
-        if (orig_node->router == neigh_node)
+        router = orig_node_get_router(orig_node);
-                goto update_hna;
+        if (router == neigh_node)
+                goto update_tt;
        /* if this neighbor does not offer a better TQ we won't consider it */
-        if ((orig_node->router) &&
+        if (router && (router->tq_avg > neigh_node->tq_avg))
-            (orig_node->router->tq_avg > neigh_node->tq_avg))
+                goto update_tt;
-                goto update_hna;
        /* if the TQ is the same and the link not more symetric we
         * won't consider it either */
-        if ((orig_node->router) &&
+        if (router && (neigh_node->tq_avg == router->tq_avg)) {
-             ((neigh_node->tq_avg == orig_node->router->tq_avg) &&
+                orig_node_tmp = router->orig_node;
-             (orig_node->router->orig_node->bcast_own_sum[if_incoming->if_num]
+                spin_lock_bh(&orig_node_tmp->ogm_cnt_lock);
-              >= neigh_node->orig_node->bcast_own_sum[if_incoming->if_num])))
+                bcast_own_sum_orig =
-                goto update_hna;
+                        orig_node_tmp->bcast_own_sum[if_incoming->if_num];
+                spin_unlock_bh(&orig_node_tmp->ogm_cnt_lock);
+                orig_node_tmp = neigh_node->orig_node;
+                spin_lock_bh(&orig_node_tmp->ogm_cnt_lock);
+                bcast_own_sum_neigh =
+                        orig_node_tmp->bcast_own_sum[if_incoming->if_num];
+                spin_unlock_bh(&orig_node_tmp->ogm_cnt_lock);
+                if (bcast_own_sum_orig >= bcast_own_sum_neigh)
+                        goto update_tt;
+        }
        update_routes(bat_priv, orig_node, neigh_node,
-                      hna_buff, tmp_hna_buff_len);
+                      tt_buff, tmp_tt_buff_len);
        goto update_gw;
-update_hna:
+update_tt:
-        update_routes(bat_priv, orig_node, orig_node->router,
+        update_routes(bat_priv, orig_node, router,
-                      hna_buff, tmp_hna_buff_len);
+                      tt_buff, tmp_tt_buff_len);
 update_gw:
        if (orig_node->gw_flags != batman_packet->gw_flags)
@@ -343,6 +486,16 @@ update_gw:
            (atomic_read(&bat_priv->gw_mode) == GW_MODE_CLIENT) &&
            (atomic_read(&bat_priv->gw_sel_class) > 2))
                gw_check_election(bat_priv, orig_node);
+        goto out;
+unlock:
+        rcu_read_unlock();
+out:
+        if (neigh_node)
+                neigh_node_free_ref(neigh_node);
+        if (router)
+                neigh_node_free_ref(router);
 }
 /* checks whether the host restarted and is in the protection time.
@@ -380,34 +533,38 @@ static int window_protected(struct bat_priv *bat_priv,
 */
 static char count_real_packets(struct ethhdr *ethhdr,
                               struct batman_packet *batman_packet,
-                               struct batman_if *if_incoming)
+                               struct hard_iface *if_incoming)
 {
        struct bat_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
        struct orig_node *orig_node;
        struct neigh_node *tmp_neigh_node;
+        struct hlist_node *node;
        char is_duplicate = 0;
        int32_t seq_diff;
        int need_update = 0;
-        int set_mark;
+        int set_mark, ret = -1;
        orig_node = get_orig_node(bat_priv, batman_packet->orig);
        if (!orig_node)
                return 0;
+        spin_lock_bh(&orig_node->ogm_cnt_lock);
        seq_diff = batman_packet->seqno - orig_node->last_real_seqno;
        /* signalize caller that the packet is to be dropped. */
        if (window_protected(bat_priv, seq_diff,
                             &orig_node->batman_seqno_reset))
-                return -1;
+                goto out;
-        list_for_each_entry(tmp_neigh_node, &orig_node->neigh_list, list) {
+        rcu_read_lock();
+        hlist_for_each_entry_rcu(tmp_neigh_node, node,
+                                 &orig_node->neigh_list, list) {
                is_duplicate |= get_bit_status(tmp_neigh_node->real_bits,
                                               orig_node->last_real_seqno,
                                               batman_packet->seqno);
-                if (compare_orig(tmp_neigh_node->addr, ethhdr->h_source) &&
+                if (compare_eth(tmp_neigh_node->addr, ethhdr->h_source) &&
                    (tmp_neigh_node->if_incoming == if_incoming))
                        set_mark = 1;
                else
@@ -421,6 +578,7 @@ static char count_real_packets(struct ethhdr *ethhdr,
                tmp_neigh_node->real_packet_count =
                        bit_packet_count(tmp_neigh_node->real_bits);
        }
+        rcu_read_unlock();
        if (need_update) {
                bat_dbg(DBG_BATMAN, bat_priv,
@@ -429,124 +587,24 @@ static char count_real_packets(struct ethhdr *ethhdr,
                orig_node->last_real_seqno = batman_packet->seqno;
        }
-        return is_duplicate;
+        ret = is_duplicate;
-}
-/* copy primary address for bonding */
-static void mark_bonding_address(struct bat_priv *bat_priv,
-                                 struct orig_node *orig_node,
-                                 struct orig_node *orig_neigh_node,
-                                 struct batman_packet *batman_packet)
-{
-        if (batman_packet->flags & PRIMARIES_FIRST_HOP)
-                memcpy(orig_neigh_node->primary_addr,
-                       orig_node->orig, ETH_ALEN);
-        return;
-}
-/* mark possible bond.candidates in the neighbor list */
-void update_bonding_candidates(struct bat_priv *bat_priv,
-                               struct orig_node *orig_node)
-{
-        int candidates;
-        int interference_candidate;
-        int best_tq;
-        struct neigh_node *tmp_neigh_node, *tmp_neigh_node2;
-        struct neigh_node *first_candidate, *last_candidate;
-        /* update the candidates for this originator */
-        if (!orig_node->router) {
-                orig_node->bond.candidates = 0;
-                return;
-        }
-        best_tq = orig_node->router->tq_avg;
-        /* update bond.candidates */
-        candidates = 0;
-        /* mark other nodes which also received "PRIMARIES FIRST HOP" packets
-         * as "bonding partner" */
-        /* first, zero the list */
-        list_for_each_entry(tmp_neigh_node, &orig_node->neigh_list, list) {
-                tmp_neigh_node->next_bond_candidate = NULL;
-        }
-        first_candidate = NULL;
-        last_candidate = NULL;
-        list_for_each_entry(tmp_neigh_node, &orig_node->neigh_list, list) {
-                /* only consider if it has the same primary address ...  */
-                if (memcmp(orig_node->orig,
-                                tmp_neigh_node->orig_node->primary_addr,
-                                ETH_ALEN) != 0)
-                        continue;
-                /* ... and is good enough to be considered */
-                if (tmp_neigh_node->tq_avg < best_tq - BONDING_TQ_THRESHOLD)
-                        continue;
-                /* check if we have another candidate with the same
-                 * mac address or interface. If we do, we won't
-                 * select this candidate because of possible interference. */
-                interference_candidate = 0;
-                list_for_each_entry(tmp_neigh_node2,
-                                &orig_node->neigh_list, list) {
-                        if (tmp_neigh_node2 == tmp_neigh_node)
-                                continue;
-                        /* we only care if the other candidate is even
-                         * considered as candidate. */
-                        if (!tmp_neigh_node2->next_bond_candidate)
-                                continue;
-                        if ((tmp_neigh_node->if_incoming ==
-                                tmp_neigh_node2->if_incoming)
-                                || (memcmp(tmp_neigh_node->addr,
-                                tmp_neigh_node2->addr, ETH_ALEN) == 0)) {
-                                interference_candidate = 1;
-                                break;
-                        }
-                }
-                /* don't care further if it is an interference candidate */
-                if (interference_candidate)
-                        continue;
-                if (!first_candidate) {
-                        first_candidate = tmp_neigh_node;
-                        tmp_neigh_node->next_bond_candidate = first_candidate;
-                } else
-                        tmp_neigh_node->next_bond_candidate = last_candidate;
-                last_candidate = tmp_neigh_node;
+out:
+        spin_unlock_bh(&orig_node->ogm_cnt_lock);
-                candidates++;
+        orig_node_free_ref(orig_node);
-        }
+        return ret;
-        if (candidates > 0) {
-                first_candidate->next_bond_candidate = last_candidate;
-                orig_node->bond.selected = first_candidate;
-        }
-        orig_node->bond.candidates = candidates;
 }
 void receive_bat_packet(struct ethhdr *ethhdr,
-                                struct batman_packet *batman_packet,
+                        struct batman_packet *batman_packet,
-                                unsigned char *hna_buff, int hna_buff_len,
+                        unsigned char *tt_buff, int tt_buff_len,
-                                struct batman_if *if_incoming)
+                        struct hard_iface *if_incoming)
 {
        struct bat_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
-        struct batman_if *batman_if;
+        struct hard_iface *hard_iface;
        struct orig_node *orig_neigh_node, *orig_node;
+        struct neigh_node *router = NULL, *router_router = NULL;
+        struct neigh_node *orig_neigh_router = NULL;
        char has_directlink_flag;
        char is_my_addr = 0, is_my_orig = 0, is_my_oldorig = 0;
        char is_broadcast = 0, is_bidirectional, is_single_hop_neigh;
@@ -573,8 +631,8 @@ void receive_bat_packet(struct ethhdr *ethhdr,
        has_directlink_flag = (batman_packet->flags & DIRECTLINK ? 1 : 0);
-        is_single_hop_neigh = (compare_orig(ethhdr->h_source,
+        is_single_hop_neigh = (compare_eth(ethhdr->h_source,
-                                            batman_packet->orig) ? 1 : 0);
+                                           batman_packet->orig) ? 1 : 0);
        bat_dbg(DBG_BATMAN, bat_priv,
                "Received BATMAN packet via NB: %pM, IF: %s [%pM] "
@@ -587,26 +645,26 @@ void receive_bat_packet(struct ethhdr *ethhdr,
                has_directlink_flag);
        rcu_read_lock();
-        list_for_each_entry_rcu(batman_if, &if_list, list) {
+        list_for_each_entry_rcu(hard_iface, &hardif_list, list) {
-                if (batman_if->if_status != IF_ACTIVE)
+                if (hard_iface->if_status != IF_ACTIVE)
                        continue;
-                if (batman_if->soft_iface != if_incoming->soft_iface)
+                if (hard_iface->soft_iface != if_incoming->soft_iface)
                        continue;
-                if (compare_orig(ethhdr->h_source,
+                if (compare_eth(ethhdr->h_source,
-                                 batman_if->net_dev->dev_addr))
+                                hard_iface->net_dev->dev_addr))
                        is_my_addr = 1;
-                if (compare_orig(batman_packet->orig,
+                if (compare_eth(batman_packet->orig,
-                                 batman_if->net_dev->dev_addr))
+                                hard_iface->net_dev->dev_addr))
                        is_my_orig = 1;
-                if (compare_orig(batman_packet->prev_sender,
+                if (compare_eth(batman_packet->prev_sender,
-                                 batman_if->net_dev->dev_addr))
+                                hard_iface->net_dev->dev_addr))
                        is_my_oldorig = 1;
-                if (compare_orig(ethhdr->h_source, broadcast_addr))
+                if (compare_eth(ethhdr->h_source, broadcast_addr))
                        is_broadcast = 1;
        }
        rcu_read_unlock();
@@ -638,7 +696,6 @@ void receive_bat_packet(struct ethhdr *ethhdr,
                int offset;
                orig_neigh_node = get_orig_node(bat_priv, ethhdr->h_source);
                if (!orig_neigh_node)
                        return;
@@ -647,18 +704,22 @@ void receive_bat_packet(struct ethhdr *ethhdr,
                /* if received seqno equals last send seqno save new
                 * seqno for bidirectional check */
                if (has_directlink_flag &&
-                    compare_orig(if_incoming->net_dev->dev_addr,
+                    compare_eth(if_incoming->net_dev->dev_addr,
-                                 batman_packet->orig) &&
+                                batman_packet->orig) &&
                    (batman_packet->seqno - if_incoming_seqno + 2 == 0)) {
                        offset = if_incoming->if_num * NUM_WORDS;
+                        spin_lock_bh(&orig_neigh_node->ogm_cnt_lock);
                        word = &(orig_neigh_node->bcast_own[offset]);
                        bit_mark(word, 0);
                        orig_neigh_node->bcast_own_sum[if_incoming->if_num] =
                                bit_packet_count(word);
+                        spin_unlock_bh(&orig_neigh_node->ogm_cnt_lock);
                }
                bat_dbg(DBG_BATMAN, bat_priv, "Drop packet: "
                        "originator packet from myself (via neighbor)\n");
+                orig_node_free_ref(orig_neigh_node);
                return;
        }
@@ -679,27 +740,28 @@ void receive_bat_packet(struct ethhdr *ethhdr,
                bat_dbg(DBG_BATMAN, bat_priv,
                        "Drop packet: packet within seqno protection time "
                        "(sender: %pM)\n", ethhdr->h_source);
-                return;
+                goto out;
        }
        if (batman_packet->tq == 0) {
                bat_dbg(DBG_BATMAN, bat_priv,
                        "Drop packet: originator packet with tq equal 0\n");
-                return;
+                goto out;
        }
+        router = orig_node_get_router(orig_node);
+        if (router)
+                router_router = orig_node_get_router(router->orig_node);
        /* avoid temporary routing loops */
-        if ((orig_node->router) &&
+        if (router && router_router &&
-            (orig_node->router->orig_node->router) &&
+            (compare_eth(router->addr, batman_packet->prev_sender)) &&
-            (compare_orig(orig_node->router->addr,
+            !(compare_eth(batman_packet->orig, batman_packet->prev_sender)) &&
-                          batman_packet->prev_sender)) &&
+            (compare_eth(router->addr, router_router->addr))) {
-            !(compare_orig(batman_packet->orig, batman_packet->prev_sender)) &&
-            (compare_orig(orig_node->router->addr,
-                          orig_node->router->orig_node->router->addr))) {
                bat_dbg(DBG_BATMAN, bat_priv,
                        "Drop packet: ignoring all rebroadcast packets that "
                        "may make me loop (sender: %pM)\n", ethhdr->h_source);
-                return;
+                goto out;
        }
        /* if sender is a direct neighbor the sender mac equals
@@ -708,19 +770,23 @@ void receive_bat_packet(struct ethhdr *ethhdr,
                           orig_node :
                           get_orig_node(bat_priv, ethhdr->h_source));
        if (!orig_neigh_node)
-                return;
+                goto out;
+        orig_neigh_router = orig_node_get_router(orig_neigh_node);
        /* drop packet if sender is not a direct neighbor and if we
         * don't route towards it */
-        if (!is_single_hop_neigh && (!orig_neigh_node->router)) {
+        if (!is_single_hop_neigh && (!orig_neigh_router)) {
                bat_dbg(DBG_BATMAN, bat_priv,
                        "Drop packet: OGM via unknown neighbor!\n");
-                return;
+                goto out_neigh;
        }
        is_bidirectional = is_bidirectional_neigh(orig_node, orig_neigh_node,
                                                batman_packet, if_incoming);
+        bonding_save_primary(orig_node, orig_neigh_node, batman_packet);
        /* update ranking if it is not a duplicate or has the same
         * seqno and similar ttl as the non-duplicate */
        if (is_bidirectional &&
@@ -728,46 +794,54 @@ void receive_bat_packet(struct ethhdr *ethhdr,
             ((orig_node->last_real_seqno == batman_packet->seqno) &&
              (orig_node->last_ttl - 3 <= batman_packet->ttl))))
                update_orig(bat_priv, orig_node, ethhdr, batman_packet,
-                            if_incoming, hna_buff, hna_buff_len, is_duplicate);
+                            if_incoming, tt_buff, tt_buff_len, is_duplicate);
-        mark_bonding_address(bat_priv, orig_node,
-                             orig_neigh_node, batman_packet);
-        update_bonding_candidates(bat_priv, orig_node);
        /* is single hop (direct) neighbor */
        if (is_single_hop_neigh) {
                /* mark direct link on incoming interface */
                schedule_forward_packet(orig_node, ethhdr, batman_packet,
-                                        1, hna_buff_len, if_incoming);
+                                        1, tt_buff_len, if_incoming);
                bat_dbg(DBG_BATMAN, bat_priv, "Forwarding packet: "
                        "rebroadcast neighbor packet with direct link flag\n");
-                return;
+                goto out_neigh;
        }
        /* multihop originator */
        if (!is_bidirectional) {
                bat_dbg(DBG_BATMAN, bat_priv,
                        "Drop packet: not received via bidirectional link\n");
-                return;
+                goto out_neigh;
        }
        if (is_duplicate) {
                bat_dbg(DBG_BATMAN, bat_priv,
                        "Drop packet: duplicate packet received\n");
-                return;
+                goto out_neigh;
        }
        bat_dbg(DBG_BATMAN, bat_priv,
                "Forwarding packet: rebroadcast originator packet\n");
        schedule_forward_packet(orig_node, ethhdr, batman_packet,
-                                0, hna_buff_len, if_incoming);
+                                0, tt_buff_len, if_incoming);
+out_neigh:
+        if ((orig_neigh_node) && (!is_single_hop_neigh))
+                orig_node_free_ref(orig_neigh_node);
+out:
+        if (router)
+                neigh_node_free_ref(router);
+        if (router_router)
+                neigh_node_free_ref(router_router);
+        if (orig_neigh_router)
+                neigh_node_free_ref(orig_neigh_router);
+        orig_node_free_ref(orig_node);
 }
-int recv_bat_packet(struct sk_buff *skb, struct batman_if *batman_if)
+int recv_bat_packet(struct sk_buff *skb, struct hard_iface *hard_iface)
 {
-        struct bat_priv *bat_priv = netdev_priv(batman_if->soft_iface);
        struct ethhdr *ethhdr;
        /* drop packet if it has not necessary minimum size */
@@ -794,12 +868,10 @@ int recv_bat_packet(struct sk_buff *skb, struct batman_if *batman_if)
        ethhdr = (struct ethhdr *)skb_mac_header(skb);
-        spin_lock_bh(&bat_priv->orig_hash_lock);
        receive_aggr_bat_packet(ethhdr,
                                skb->data,
                                skb_headlen(skb),
-                                batman_if);
+                                hard_iface);
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
        kfree_skb(skb);
        return NET_RX_SUCCESS;
@@ -808,135 +880,124 @@ int recv_bat_packet(struct sk_buff *skb, struct batman_if *batman_if)
 static int recv_my_icmp_packet(struct bat_priv *bat_priv,
                               struct sk_buff *skb, size_t icmp_len)
 {
-        struct orig_node *orig_node;
+        struct hard_iface *primary_if = NULL;
+        struct orig_node *orig_node = NULL;
+        struct neigh_node *router = NULL;
        struct icmp_packet_rr *icmp_packet;
-        struct ethhdr *ethhdr;
+        int ret = NET_RX_DROP;
-        struct batman_if *batman_if;
-        int ret;
-        uint8_t dstaddr[ETH_ALEN];
        icmp_packet = (struct icmp_packet_rr *)skb->data;
-        ethhdr = (struct ethhdr *)skb_mac_header(skb);
        /* add data to device queue */
        if (icmp_packet->msg_type != ECHO_REQUEST) {
                bat_socket_receive_packet(icmp_packet, icmp_len);
-                return NET_RX_DROP;
+                goto out;
        }
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
-                return NET_RX_DROP;
+        if (!primary_if)
+                goto out;
        /* answer echo request (ping) */
        /* get routing information */
-        spin_lock_bh(&bat_priv->orig_hash_lock);
+        orig_node = orig_hash_find(bat_priv, icmp_packet->orig);
-        orig_node = ((struct orig_node *)hash_find(bat_priv->orig_hash,
+        if (!orig_node)
-                                                   compare_orig, choose_orig,
+                goto out;
-                                                   icmp_packet->orig));
-        ret = NET_RX_DROP;
-        if ((orig_node) && (orig_node->router)) {
-                /* don't lock while sending the packets ... we therefore
-                 * copy the required data before sending */
-                batman_if = orig_node->router->if_incoming;
-                memcpy(dstaddr, orig_node->router->addr, ETH_ALEN);
-                spin_unlock_bh(&bat_priv->orig_hash_lock);
-                /* create a copy of the skb, if needed, to modify it. */
-                if (skb_cow(skb, sizeof(struct ethhdr)) < 0)
-                        return NET_RX_DROP;
-                icmp_packet = (struct icmp_packet_rr *)skb->data;
-                ethhdr = (struct ethhdr *)skb_mac_header(skb);
-                memcpy(icmp_packet->dst, icmp_packet->orig, ETH_ALEN);
+        router = orig_node_get_router(orig_node);
-                memcpy(icmp_packet->orig,
+        if (!router)
-                       bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
+                goto out;
-                icmp_packet->msg_type = ECHO_REPLY;
-                icmp_packet->ttl = TTL;
-                send_skb_packet(skb, batman_if, dstaddr);
+        /* create a copy of the skb, if needed, to modify it. */
-                ret = NET_RX_SUCCESS;
+        if (skb_cow(skb, sizeof(struct ethhdr)) < 0)
+                goto out;
-        } else
+        icmp_packet = (struct icmp_packet_rr *)skb->data;
-                spin_unlock_bh(&bat_priv->orig_hash_lock);
+        memcpy(icmp_packet->dst, icmp_packet->orig, ETH_ALEN);
+        memcpy(icmp_packet->orig, primary_if->net_dev->dev_addr, ETH_ALEN);
+        icmp_packet->msg_type = ECHO_REPLY;
+        icmp_packet->ttl = TTL;
+        send_skb_packet(skb, router->if_incoming, router->addr);
+        ret = NET_RX_SUCCESS;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        if (router)
+                neigh_node_free_ref(router);
+        if (orig_node)
+                orig_node_free_ref(orig_node);
        return ret;
 }
 static int recv_icmp_ttl_exceeded(struct bat_priv *bat_priv,
-                                  struct sk_buff *skb, size_t icmp_len)
+                                  struct sk_buff *skb)
 {
-        struct orig_node *orig_node;
+        struct hard_iface *primary_if = NULL;
+        struct orig_node *orig_node = NULL;
+        struct neigh_node *router = NULL;
        struct icmp_packet *icmp_packet;
-        struct ethhdr *ethhdr;
+        int ret = NET_RX_DROP;
-        struct batman_if *batman_if;
-        int ret;
-        uint8_t dstaddr[ETH_ALEN];
        icmp_packet = (struct icmp_packet *)skb->data;
-        ethhdr = (struct ethhdr *)skb_mac_header(skb);
        /* send TTL exceeded if packet is an echo request (traceroute) */
        if (icmp_packet->msg_type != ECHO_REQUEST) {
                pr_debug("Warning - can't forward icmp packet from %pM to "
                         "%pM: ttl exceeded\n", icmp_packet->orig,
                         icmp_packet->dst);
-                return NET_RX_DROP;
+                goto out;
        }
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
-                return NET_RX_DROP;
+        if (!primary_if)
+                goto out;
        /* get routing information */
-        spin_lock_bh(&bat_priv->orig_hash_lock);
+        orig_node = orig_hash_find(bat_priv, icmp_packet->orig);
-        orig_node = ((struct orig_node *)
+        if (!orig_node)
-                     hash_find(bat_priv->orig_hash, compare_orig, choose_orig,
+                goto out;
-                               icmp_packet->orig));
-        ret = NET_RX_DROP;
-        if ((orig_node) && (orig_node->router)) {
-                /* don't lock while sending the packets ... we therefore
-                 * copy the required data before sending */
-                batman_if = orig_node->router->if_incoming;
-                memcpy(dstaddr, orig_node->router->addr, ETH_ALEN);
-                spin_unlock_bh(&bat_priv->orig_hash_lock);
-                /* create a copy of the skb, if needed, to modify it. */
-                if (skb_cow(skb, sizeof(struct ethhdr)) < 0)
-                        return NET_RX_DROP;
-                icmp_packet = (struct icmp_packet *) skb->data;
-                ethhdr = (struct ethhdr *)skb_mac_header(skb);
-                memcpy(icmp_packet->dst, icmp_packet->orig, ETH_ALEN);
+        router = orig_node_get_router(orig_node);
-                memcpy(icmp_packet->orig,
+        if (!router)
-                       bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
+                goto out;
-                icmp_packet->msg_type = TTL_EXCEEDED;
-                icmp_packet->ttl = TTL;
-                send_skb_packet(skb, batman_if, dstaddr);
+        /* create a copy of the skb, if needed, to modify it. */
-                ret = NET_RX_SUCCESS;
+        if (skb_cow(skb, sizeof(struct ethhdr)) < 0)
+                goto out;
-        } else
+        icmp_packet = (struct icmp_packet *)skb->data;
-                spin_unlock_bh(&bat_priv->orig_hash_lock);
+        memcpy(icmp_packet->dst, icmp_packet->orig, ETH_ALEN);
+        memcpy(icmp_packet->orig, primary_if->net_dev->dev_addr, ETH_ALEN);
+        icmp_packet->msg_type = TTL_EXCEEDED;
+        icmp_packet->ttl = TTL;
+        send_skb_packet(skb, router->if_incoming, router->addr);
+        ret = NET_RX_SUCCESS;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        if (router)
+                neigh_node_free_ref(router);
+        if (orig_node)
+                orig_node_free_ref(orig_node);
        return ret;
 }
-int recv_icmp_packet(struct sk_buff *skb, struct batman_if *recv_if)
+int recv_icmp_packet(struct sk_buff *skb, struct hard_iface *recv_if)
 {
        struct bat_priv *bat_priv = netdev_priv(recv_if->soft_iface);
        struct icmp_packet_rr *icmp_packet;
        struct ethhdr *ethhdr;
-        struct orig_node *orig_node;
+        struct orig_node *orig_node = NULL;
-        struct batman_if *batman_if;
+        struct neigh_node *router = NULL;
        int hdr_size = sizeof(struct icmp_packet);
-        int ret;
+        int ret = NET_RX_DROP;
-        uint8_t dstaddr[ETH_ALEN];
        /**
         * we truncate all incoming icmp packets if they don't match our size
@@ -946,21 +1007,21 @@ int recv_icmp_packet(struct sk_buff *skb, struct batman_if *recv_if)
        /* drop packet if it has not necessary minimum size */
        if (unlikely(!pskb_may_pull(skb, hdr_size)))
-                return NET_RX_DROP;
+                goto out;
        ethhdr = (struct ethhdr *)skb_mac_header(skb);
        /* packet with unicast indication but broadcast recipient */
        if (is_broadcast_ether_addr(ethhdr->h_dest))
-                return NET_RX_DROP;
+                goto out;
        /* packet with broadcast sender address */
        if (is_broadcast_ether_addr(ethhdr->h_source))
-                return NET_RX_DROP;
+                goto out;
        /* not for me */
        if (!is_my_mac(ethhdr->h_dest))
-                return NET_RX_DROP;
+                goto out;
        icmp_packet = (struct icmp_packet_rr *)skb->data;
@@ -978,137 +1039,215 @@ int recv_icmp_packet(struct sk_buff *skb, struct batman_if *recv_if)
        /* TTL exceeded */
        if (icmp_packet->ttl < 2)
-                return recv_icmp_ttl_exceeded(bat_priv, skb, hdr_size);
+                return recv_icmp_ttl_exceeded(bat_priv, skb);
-        ret = NET_RX_DROP;
        /* get routing information */
-        spin_lock_bh(&bat_priv->orig_hash_lock);
+        orig_node = orig_hash_find(bat_priv, icmp_packet->dst);
-        orig_node = ((struct orig_node *)
+        if (!orig_node)
-                     hash_find(bat_priv->orig_hash, compare_orig, choose_orig,
+                goto out;
-                               icmp_packet->dst));
-        if ((orig_node) && (orig_node->router)) {
+        router = orig_node_get_router(orig_node);
+        if (!router)
+                goto out;
-                /* don't lock while sending the packets ... we therefore
+        /* create a copy of the skb, if needed, to modify it. */
-                 * copy the required data before sending */
+        if (skb_cow(skb, sizeof(struct ethhdr)) < 0)
-                batman_if = orig_node->router->if_incoming;
+                goto out;
-                memcpy(dstaddr, orig_node->router->addr, ETH_ALEN);
-                spin_unlock_bh(&bat_priv->orig_hash_lock);
-                /* create a copy of the skb, if needed, to modify it. */
+        icmp_packet = (struct icmp_packet_rr *)skb->data;
-                if (skb_cow(skb, sizeof(struct ethhdr)) < 0)
-                        return NET_RX_DROP;
-                icmp_packet = (struct icmp_packet_rr *)skb->data;
+        /* decrement ttl */
-                ethhdr = (struct ethhdr *)skb_mac_header(skb);
+        icmp_packet->ttl--;
-                /* decrement ttl */
+        /* route it */
-                icmp_packet->ttl--;
+        send_skb_packet(skb, router->if_incoming, router->addr);
+        ret = NET_RX_SUCCESS;
+out:
+        if (router)
+                neigh_node_free_ref(router);
+        if (orig_node)
+                orig_node_free_ref(orig_node);
+        return ret;
+}
-                /* route it */
+/* In the bonding case, send the packets in a round
-                send_skb_packet(skb, batman_if, dstaddr);
+ * robin fashion over the remaining interfaces.
-                ret = NET_RX_SUCCESS;
+ *
+ * This method rotates the bonding list and increases the
+ * returned router's refcount. */
+static struct neigh_node *find_bond_router(struct orig_node *primary_orig,
+                                           struct hard_iface *recv_if)
+{
+        struct neigh_node *tmp_neigh_node;
+        struct neigh_node *router = NULL, *first_candidate = NULL;
-        } else
+        rcu_read_lock();
-                spin_unlock_bh(&bat_priv->orig_hash_lock);
+        list_for_each_entry_rcu(tmp_neigh_node, &primary_orig->bond_list,
+                                bonding_list) {
+                if (!first_candidate)
+                        first_candidate = tmp_neigh_node;
-        return ret;
+                /* recv_if == NULL on the first node. */
+                if (tmp_neigh_node->if_incoming == recv_if)
+                        continue;
+                if (!atomic_inc_not_zero(&tmp_neigh_node->refcount))
+                        continue;
+                router = tmp_neigh_node;
+                break;
+        }
+        /* use the first candidate if nothing was found. */
+        if (!router && first_candidate &&
+            atomic_inc_not_zero(&first_candidate->refcount))
+                router = first_candidate;
+        if (!router)
+                goto out;
+        /* selected should point to the next element
+         * after the current router */
+        spin_lock_bh(&primary_orig->neigh_list_lock);
+        /* this is a list_move(), which unfortunately
+         * does not exist as rcu version */
+        list_del_rcu(&primary_orig->bond_list);
+        list_add_rcu(&primary_orig->bond_list,
+                     &router->bonding_list);
+        spin_unlock_bh(&primary_orig->neigh_list_lock);
+out:
+        rcu_read_unlock();
+        return router;
+}
+/* Interface Alternating: Use the best of the
+ * remaining candidates which are not using
+ * this interface.
+ *
+ * Increases the returned router's refcount */
+static struct neigh_node *find_ifalter_router(struct orig_node *primary_orig,
+                                              struct hard_iface *recv_if)
+{
+        struct neigh_node *tmp_neigh_node;
+        struct neigh_node *router = NULL, *first_candidate = NULL;
+        rcu_read_lock();
+        list_for_each_entry_rcu(tmp_neigh_node, &primary_orig->bond_list,
+                                bonding_list) {
+                if (!first_candidate)
+                        first_candidate = tmp_neigh_node;
+                /* recv_if == NULL on the first node. */
+                if (tmp_neigh_node->if_incoming == recv_if)
+                        continue;
+                if (!atomic_inc_not_zero(&tmp_neigh_node->refcount))
+                        continue;
+                /* if we don't have a router yet
+                 * or this one is better, choose it. */
+                if ((!router) ||
+                    (tmp_neigh_node->tq_avg > router->tq_avg)) {
+                        /* decrement refcount of
+                         * previously selected router */
+                        if (router)
+                                neigh_node_free_ref(router);
+                        router = tmp_neigh_node;
+                        atomic_inc_not_zero(&router->refcount);
+                }
+                neigh_node_free_ref(tmp_neigh_node);
+        }
+        /* use the first candidate if nothing was found. */
+        if (!router && first_candidate &&
+            atomic_inc_not_zero(&first_candidate->refcount))
+                router = first_candidate;
+        rcu_read_unlock();
+        return router;
 }
 /* find a suitable router for this originator, and use
- * bonding if possible. */
+ * bonding if possible. increases the found neighbors
+ * refcount.*/
 struct neigh_node *find_router(struct bat_priv *bat_priv,
                               struct orig_node *orig_node,
-                               struct batman_if *recv_if)
+                               struct hard_iface *recv_if)
 {
        struct orig_node *primary_orig_node;
        struct orig_node *router_orig;
-        struct neigh_node *router, *first_candidate, *best_router;
+        struct neigh_node *router;
        static uint8_t zero_mac[ETH_ALEN] = {0, 0, 0, 0, 0, 0};
        int bonding_enabled;
        if (!orig_node)
                return NULL;
-        if (!orig_node->router)
+        router = orig_node_get_router(orig_node);
-                return NULL;
+        if (!router)
+                goto err;
        /* without bonding, the first node should
         * always choose the default router. */
        bonding_enabled = atomic_read(&bat_priv->bonding);
-        if ((!recv_if) && (!bonding_enabled))
+        rcu_read_lock();
-                return orig_node->router;
+        /* select default router to output */
+        router_orig = router->orig_node;
+        if (!router_orig)
+                goto err_unlock;
-        router_orig = orig_node->router->orig_node;
+        if ((!recv_if) && (!bonding_enabled))
+                goto return_router;
        /* if we have something in the primary_addr, we can search
         * for a potential bonding candidate. */
-        if (memcmp(router_orig->primary_addr, zero_mac, ETH_ALEN) == 0)
+        if (compare_eth(router_orig->primary_addr, zero_mac))
-                return orig_node->router;
+                goto return_router;
        /* find the orig_node which has the primary interface. might
         * even be the same as our router_orig in many cases */
-        if (memcmp(router_orig->primary_addr,
+        if (compare_eth(router_orig->primary_addr, router_orig->orig)) {
-                                router_orig->orig, ETH_ALEN) == 0) {
                primary_orig_node = router_orig;
        } else {
-                primary_orig_node = hash_find(bat_priv->orig_hash, compare_orig,
+                primary_orig_node = orig_hash_find(bat_priv,
-                                               choose_orig,
+                                                   router_orig->primary_addr);
-                                               router_orig->primary_addr);
                if (!primary_orig_node)
-                        return orig_node->router;
+                        goto return_router;
+                orig_node_free_ref(primary_orig_node);
        }
        /* with less than 2 candidates, we can't do any
         * bonding and prefer the original router. */
+        if (atomic_read(&primary_orig_node->bond_candidates) < 2)
-        if (primary_orig_node->bond.candidates < 2)
+                goto return_router;
-                return orig_node->router;
        /* all nodes between should choose a candidate which
         * is is not on the interface where the packet came
         * in. */
-        first_candidate = primary_orig_node->bond.selected;
-        router = first_candidate;
-        if (bonding_enabled) {
+        neigh_node_free_ref(router);
-                /* in the bonding case, send the packets in a round
-                 * robin fashion over the remaining interfaces. */
-                do {
-                        /* recv_if == NULL on the first node. */
-                        if (router->if_incoming != recv_if)
-                                break;
-                        router = router->next_bond_candidate;
-                } while (router != first_candidate);
-                primary_orig_node->bond.selected = router->next_bond_candidate;
-        } else {
-                /* if bonding is disabled, use the best of the
-                 * remaining candidates which are not using
-                 * this interface. */
-                best_router = first_candidate;
-                do {
+        if (bonding_enabled)
-                        /* recv_if == NULL on the first node. */
+                router = find_bond_router(primary_orig_node, recv_if);
-                        if ((router->if_incoming != recv_if) &&
+        else
-                                (router->tq_avg > best_router->tq_avg))
+                router = find_ifalter_router(primary_orig_node, recv_if);
-                                        best_router = router;
-                        router = router->next_bond_candidate;
-                } while (router != first_candidate);
-                router = best_router;
-        }
+return_router:
+        rcu_read_unlock();
        return router;
+err_unlock:
+        rcu_read_unlock();
+err:
+        if (router)
+                neigh_node_free_ref(router);
+        return NULL;
 }
 static int check_unicast_packet(struct sk_buff *skb, int hdr_size)
@@ -1136,17 +1275,14 @@ static int check_unicast_packet(struct sk_buff *skb, int hdr_size)
        return 0;
 }
-int route_unicast_packet(struct sk_buff *skb, struct batman_if *recv_if,
+int route_unicast_packet(struct sk_buff *skb, struct hard_iface *recv_if)
-                         int hdr_size)
 {
        struct bat_priv *bat_priv = netdev_priv(recv_if->soft_iface);
-        struct orig_node *orig_node;
+        struct orig_node *orig_node = NULL;
-        struct neigh_node *router;
+        struct neigh_node *neigh_node = NULL;
-        struct batman_if *batman_if;
-        uint8_t dstaddr[ETH_ALEN];
        struct unicast_packet *unicast_packet;
        struct ethhdr *ethhdr = (struct ethhdr *)skb_mac_header(skb);
-        int ret;
+        int ret = NET_RX_DROP;
        struct sk_buff *new_skb;
        unicast_packet = (struct unicast_packet *)skb->data;
@@ -1156,53 +1292,48 @@ int route_unicast_packet(struct sk_buff *skb, struct batman_if *recv_if,
                pr_debug("Warning - can't forward unicast packet from %pM to "
                         "%pM: ttl exceeded\n", ethhdr->h_source,
                         unicast_packet->dest);
-                return NET_RX_DROP;
+                goto out;
        }
        /* get routing information */
-        spin_lock_bh(&bat_priv->orig_hash_lock);
+        orig_node = orig_hash_find(bat_priv, unicast_packet->dest);
-        orig_node = ((struct orig_node *)
-                     hash_find(bat_priv->orig_hash, compare_orig, choose_orig,
-                               unicast_packet->dest));
-        router = find_router(bat_priv, orig_node, recv_if);
-        if (!router) {
+        if (!orig_node)
-                spin_unlock_bh(&bat_priv->orig_hash_lock);
+                goto out;
-                return NET_RX_DROP;
-        }
-        /* don't lock while sending the packets ... we therefore
-         * copy the required data before sending */
-        batman_if = router->if_incoming;
+        /* find_router() increases neigh_nodes refcount if found. */
-        memcpy(dstaddr, router->addr, ETH_ALEN);
+        neigh_node = find_router(bat_priv, orig_node, recv_if);
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
+        if (!neigh_node)
+                goto out;
        /* create a copy of the skb, if needed, to modify it. */
        if (skb_cow(skb, sizeof(struct ethhdr)) < 0)
-                return NET_RX_DROP;
+                goto out;
        unicast_packet = (struct unicast_packet *)skb->data;
        if (unicast_packet->packet_type == BAT_UNICAST &&
            atomic_read(&bat_priv->fragmentation) &&
-            skb->len > batman_if->net_dev->mtu)
+            skb->len > neigh_node->if_incoming->net_dev->mtu) {
-                return frag_send_skb(skb, bat_priv, batman_if,
+                ret = frag_send_skb(skb, bat_priv,
-                                     dstaddr);
+                                    neigh_node->if_incoming, neigh_node->addr);
+                goto out;
+        }
        if (unicast_packet->packet_type == BAT_UNICAST_FRAG &&
-            2 * skb->len - hdr_size <= batman_if->net_dev->mtu) {
+            frag_can_reassemble(skb, neigh_node->if_incoming->net_dev->mtu)) {
                ret = frag_reassemble_skb(skb, bat_priv, &new_skb);
                if (ret == NET_RX_DROP)
-                        return NET_RX_DROP;
+                        goto out;
                /* packet was buffered for late merge */
-                if (!new_skb)
+                if (!new_skb) {
-                        return NET_RX_SUCCESS;
+                        ret = NET_RX_SUCCESS;
+                        goto out;
+                }
                skb = new_skb;
                unicast_packet = (struct unicast_packet *)skb->data;
@@ -1212,12 +1343,18 @@ int route_unicast_packet(struct sk_buff *skb, struct batman_if *recv_if,
        unicast_packet->ttl--;
        /* route it */
-        send_skb_packet(skb, batman_if, dstaddr);
+        send_skb_packet(skb, neigh_node->if_incoming, neigh_node->addr);
+        ret = NET_RX_SUCCESS;
-        return NET_RX_SUCCESS;
+out:
+        if (neigh_node)
+                neigh_node_free_ref(neigh_node);
+        if (orig_node)
+                orig_node_free_ref(orig_node);
+        return ret;
 }
-int recv_unicast_packet(struct sk_buff *skb, struct batman_if *recv_if)
+int recv_unicast_packet(struct sk_buff *skb, struct hard_iface *recv_if)
 {
        struct unicast_packet *unicast_packet;
        int hdr_size = sizeof(struct unicast_packet);
@@ -1233,10 +1370,10 @@ int recv_unicast_packet(struct sk_buff *skb, struct batman_if *recv_if)
                return NET_RX_SUCCESS;
        }
-        return route_unicast_packet(skb, recv_if, hdr_size);
+        return route_unicast_packet(skb, recv_if);
 }
-int recv_ucast_frag_packet(struct sk_buff *skb, struct batman_if *recv_if)
+int recv_ucast_frag_packet(struct sk_buff *skb, struct hard_iface *recv_if)
 {
        struct bat_priv *bat_priv = netdev_priv(recv_if->soft_iface);
        struct unicast_frag_packet *unicast_packet;
@@ -1266,89 +1403,90 @@ int recv_ucast_frag_packet(struct sk_buff *skb, struct batman_if *recv_if)
                return NET_RX_SUCCESS;
        }
-        return route_unicast_packet(skb, recv_if, hdr_size);
+        return route_unicast_packet(skb, recv_if);
 }
-int recv_bcast_packet(struct sk_buff *skb, struct batman_if *recv_if)
+int recv_bcast_packet(struct sk_buff *skb, struct hard_iface *recv_if)
 {
        struct bat_priv *bat_priv = netdev_priv(recv_if->soft_iface);
-        struct orig_node *orig_node;
+        struct orig_node *orig_node = NULL;
        struct bcast_packet *bcast_packet;
        struct ethhdr *ethhdr;
        int hdr_size = sizeof(struct bcast_packet);
+        int ret = NET_RX_DROP;
        int32_t seq_diff;
        /* drop packet if it has not necessary minimum size */
        if (unlikely(!pskb_may_pull(skb, hdr_size)))
-                return NET_RX_DROP;
+                goto out;
        ethhdr = (struct ethhdr *)skb_mac_header(skb);
        /* packet with broadcast indication but unicast recipient */
        if (!is_broadcast_ether_addr(ethhdr->h_dest))
-                return NET_RX_DROP;
+                goto out;
        /* packet with broadcast sender address */
        if (is_broadcast_ether_addr(ethhdr->h_source))
-                return NET_RX_DROP;
+                goto out;
        /* ignore broadcasts sent by myself */
        if (is_my_mac(ethhdr->h_source))
-                return NET_RX_DROP;
+                goto out;
        bcast_packet = (struct bcast_packet *)skb->data;
        /* ignore broadcasts originated by myself */
        if (is_my_mac(bcast_packet->orig))
-                return NET_RX_DROP;
+                goto out;
        if (bcast_packet->ttl < 2)
-                return NET_RX_DROP;
+                goto out;
-        spin_lock_bh(&bat_priv->orig_hash_lock);
+        orig_node = orig_hash_find(bat_priv, bcast_packet->orig);
-        orig_node = ((struct orig_node *)
-                     hash_find(bat_priv->orig_hash, compare_orig, choose_orig,
-                               bcast_packet->orig));
-        if (!orig_node) {
+        if (!orig_node)
-                spin_unlock_bh(&bat_priv->orig_hash_lock);
+                goto out;
-                return NET_RX_DROP;
-        }
+        spin_lock_bh(&orig_node->bcast_seqno_lock);
        /* check whether the packet is a duplicate */
-        if (get_bit_status(orig_node->bcast_bits,
+        if (get_bit_status(orig_node->bcast_bits, orig_node->last_bcast_seqno,
-                           orig_node->last_bcast_seqno,
+                           ntohl(bcast_packet->seqno)))
-                           ntohl(bcast_packet->seqno))) {
+                goto spin_unlock;
-                spin_unlock_bh(&bat_priv->orig_hash_lock);
-                return NET_RX_DROP;
-        }
        seq_diff = ntohl(bcast_packet->seqno) - orig_node->last_bcast_seqno;
        /* check whether the packet is old and the host just restarted. */
        if (window_protected(bat_priv, seq_diff,
-                             &orig_node->bcast_seqno_reset)) {
+                             &orig_node->bcast_seqno_reset))
-                spin_unlock_bh(&bat_priv->orig_hash_lock);
+                goto spin_unlock;
-                return NET_RX_DROP;
-        }
        /* mark broadcast in flood history, update window position
         * if required. */
        if (bit_get_packet(bat_priv, orig_node->bcast_bits, seq_diff, 1))
                orig_node->last_bcast_seqno = ntohl(bcast_packet->seqno);
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
+        spin_unlock_bh(&orig_node->bcast_seqno_lock);
        /* rebroadcast packet */
        add_bcast_packet_to_list(bat_priv, skb);
        /* broadcast for me */
        interface_rx(recv_if->soft_iface, skb, recv_if, hdr_size);
+        ret = NET_RX_SUCCESS;
-        return NET_RX_SUCCESS;
+        goto out;
+spin_unlock:
+        spin_unlock_bh(&orig_node->bcast_seqno_lock);
+out:
+        if (orig_node)
+                orig_node_free_ref(orig_node);
+        return ret;
 }
-int recv_vis_packet(struct sk_buff *skb, struct batman_if *recv_if)
+int recv_vis_packet(struct sk_buff *skb, struct hard_iface *recv_if)
 {
        struct vis_packet *vis_packet;
        struct ethhdr *ethhdr;
diff --git a/net/batman-adv/routing.h b/net/batman-adv/routing.h
index f108f230bfdb..870f29842b28 100644
--- a/net/batman-adv/routing.h
+++ b/net/batman-adv/routing.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -22,27 +22,25 @@
 #ifndef _NET_BATMAN_ADV_ROUTING_H_
 #define _NET_BATMAN_ADV_ROUTING_H_
-#include "types.h"
+void slide_own_bcast_window(struct hard_iface *hard_iface);
-void slide_own_bcast_window(struct batman_if *batman_if);
 void receive_bat_packet(struct ethhdr *ethhdr,
                                struct batman_packet *batman_packet,
-                                unsigned char *hna_buff, int hna_buff_len,
+                                unsigned char *tt_buff, int tt_buff_len,
-                                struct batman_if *if_incoming);
+                                struct hard_iface *if_incoming);
 void update_routes(struct bat_priv *bat_priv, struct orig_node *orig_node,
-                   struct neigh_node *neigh_node, unsigned char *hna_buff,
+                   struct neigh_node *neigh_node, unsigned char *tt_buff,
-                   int hna_buff_len);
+                   int tt_buff_len);
-int route_unicast_packet(struct sk_buff *skb, struct batman_if *recv_if,
+int route_unicast_packet(struct sk_buff *skb, struct hard_iface *recv_if);
-                         int hdr_size);
+int recv_icmp_packet(struct sk_buff *skb, struct hard_iface *recv_if);
-int recv_icmp_packet(struct sk_buff *skb, struct batman_if *recv_if);
+int recv_unicast_packet(struct sk_buff *skb, struct hard_iface *recv_if);
-int recv_unicast_packet(struct sk_buff *skb, struct batman_if *recv_if);
+int recv_ucast_frag_packet(struct sk_buff *skb, struct hard_iface *recv_if);
-int recv_ucast_frag_packet(struct sk_buff *skb, struct batman_if *recv_if);
+int recv_bcast_packet(struct sk_buff *skb, struct hard_iface *recv_if);
-int recv_bcast_packet(struct sk_buff *skb, struct batman_if *recv_if);
+int recv_vis_packet(struct sk_buff *skb, struct hard_iface *recv_if);
-int recv_vis_packet(struct sk_buff *skb, struct batman_if *recv_if);
+int recv_bat_packet(struct sk_buff *skb, struct hard_iface *recv_if);
-int recv_bat_packet(struct sk_buff *skb, struct batman_if *recv_if);
 struct neigh_node *find_router(struct bat_priv *bat_priv,
-                struct orig_node *orig_node, struct batman_if *recv_if);
+                               struct orig_node *orig_node,
-void update_bonding_candidates(struct bat_priv *bat_priv,
+                               struct hard_iface *recv_if);
-                               struct orig_node *orig_node);
+void bonding_candidate_del(struct orig_node *orig_node,
+                           struct neigh_node *neigh_node);
 #endif /* _NET_BATMAN_ADV_ROUTING_H_ */
diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c
index b89b9f7709ae..33779278f1b2 100644
--- a/net/batman-adv/send.c
+++ b/net/batman-adv/send.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -25,7 +25,6 @@
 #include "translation-table.h"
 #include "soft-interface.h"
 #include "hard-interface.h"
-#include "types.h"
 #include "vis.h"
 #include "aggregation.h"
 #include "gateway_common.h"
@@ -49,7 +48,7 @@ static unsigned long own_send_time(struct bat_priv *bat_priv)
 }
 /* when do we schedule a forwarded packet to be sent */
-static unsigned long forward_send_time(struct bat_priv *bat_priv)
+static unsigned long forward_send_time(void)
 {
        return jiffies + msecs_to_jiffies(random32() % (JITTER/2));
 }
@@ -57,20 +56,20 @@ static unsigned long forward_send_time(struct bat_priv *bat_priv)
 /* send out an already prepared packet to the given address via the
 * specified batman interface */
 int send_skb_packet(struct sk_buff *skb,
-                                struct batman_if *batman_if,
+                                struct hard_iface *hard_iface,
                                uint8_t *dst_addr)
 {
        struct ethhdr *ethhdr;
-        if (batman_if->if_status != IF_ACTIVE)
+        if (hard_iface->if_status != IF_ACTIVE)
                goto send_skb_err;
-        if (unlikely(!batman_if->net_dev))
+        if (unlikely(!hard_iface->net_dev))
                goto send_skb_err;
-        if (!(batman_if->net_dev->flags & IFF_UP)) {
+        if (!(hard_iface->net_dev->flags & IFF_UP)) {
                pr_warning("Interface %s is not up - can't send packet via "
-                           "that interface!\n", batman_if->net_dev->name);
+                           "that interface!\n", hard_iface->net_dev->name);
                goto send_skb_err;
        }
@@ -81,7 +80,7 @@ int send_skb_packet(struct sk_buff *skb,
        skb_reset_mac_header(skb);
        ethhdr = (struct ethhdr *) skb_mac_header(skb);
-        memcpy(ethhdr->h_source, batman_if->net_dev->dev_addr, ETH_ALEN);
+        memcpy(ethhdr->h_source, hard_iface->net_dev->dev_addr, ETH_ALEN);
        memcpy(ethhdr->h_dest, dst_addr, ETH_ALEN);
        ethhdr->h_proto = __constant_htons(ETH_P_BATMAN);
@@ -89,7 +88,7 @@ int send_skb_packet(struct sk_buff *skb,
        skb->priority = TC_PRIO_CONTROL;
        skb->protocol = __constant_htons(ETH_P_BATMAN);
-        skb->dev = batman_if->net_dev;
+        skb->dev = hard_iface->net_dev;
        /* dev_queue_xmit() returns a negative result on error.  However on
         * congestion and traffic shaping, it drops and returns NET_XMIT_DROP
@@ -103,16 +102,16 @@ send_skb_err:
 /* Send a packet to a given interface */
 static void send_packet_to_if(struct forw_packet *forw_packet,
-                              struct batman_if *batman_if)
+                              struct hard_iface *hard_iface)
 {
-        struct bat_priv *bat_priv = netdev_priv(batman_if->soft_iface);
+        struct bat_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
        char *fwd_str;
        uint8_t packet_num;
        int16_t buff_pos;
        struct batman_packet *batman_packet;
        struct sk_buff *skb;
-        if (batman_if->if_status != IF_ACTIVE)
+        if (hard_iface->if_status != IF_ACTIVE)
                return;
        packet_num = 0;
@@ -122,12 +121,12 @@ static void send_packet_to_if(struct forw_packet *forw_packet,
        /* adjust all flags and log packets */
        while (aggregated_packet(buff_pos,
                                 forw_packet->packet_len,
-                                 batman_packet->num_hna)) {
+                                 batman_packet->num_tt)) {
                /* we might have aggregated direct link packets with an
                 * ordinary base packet */
                if ((forw_packet->direct_link_flags & (1 << packet_num)) &&
-                    (forw_packet->if_incoming == batman_if))
+                    (forw_packet->if_incoming == hard_iface))
                        batman_packet->flags |= DIRECTLINK;
                else
                        batman_packet->flags &= ~DIRECTLINK;
@@ -143,10 +142,11 @@ static void send_packet_to_if(struct forw_packet *forw_packet,
                        batman_packet->tq, batman_packet->ttl,
                        (batman_packet->flags & DIRECTLINK ?
                         "on" : "off"),
-                        batman_if->net_dev->name, batman_if->net_dev->dev_addr);
+                        hard_iface->net_dev->name,
+                        hard_iface->net_dev->dev_addr);
                buff_pos += sizeof(struct batman_packet) +
-                        (batman_packet->num_hna * ETH_ALEN);
+                        (batman_packet->num_tt * ETH_ALEN);
                packet_num++;
                batman_packet = (struct batman_packet *)
                        (forw_packet->skb->data + buff_pos);
@@ -155,13 +155,13 @@ static void send_packet_to_if(struct forw_packet *forw_packet,
        /* create clone because function is called more than once */
        skb = skb_clone(forw_packet->skb, GFP_ATOMIC);
        if (skb)
-                send_skb_packet(skb, batman_if, broadcast_addr);
+                send_skb_packet(skb, hard_iface, broadcast_addr);
 }
 /* send a batman packet */
 static void send_packet(struct forw_packet *forw_packet)
 {
-        struct batman_if *batman_if;
+        struct hard_iface *hard_iface;
        struct net_device *soft_iface;
        struct bat_priv *bat_priv;
        struct batman_packet *batman_packet =
@@ -205,54 +205,56 @@ static void send_packet(struct forw_packet *forw_packet)
        /* broadcast on every interface */
        rcu_read_lock();
-        list_for_each_entry_rcu(batman_if, &if_list, list) {
+        list_for_each_entry_rcu(hard_iface, &hardif_list, list) {
-                if (batman_if->soft_iface != soft_iface)
+                if (hard_iface->soft_iface != soft_iface)
                        continue;
-                send_packet_to_if(forw_packet, batman_if);
+                send_packet_to_if(forw_packet, hard_iface);
        }
        rcu_read_unlock();
 }
 static void rebuild_batman_packet(struct bat_priv *bat_priv,
-                                  struct batman_if *batman_if)
+                                  struct hard_iface *hard_iface)
 {
        int new_len;
        unsigned char *new_buff;
        struct batman_packet *batman_packet;
        new_len = sizeof(struct batman_packet) +
-                        (bat_priv->num_local_hna * ETH_ALEN);
+                        (bat_priv->num_local_tt * ETH_ALEN);
        new_buff = kmalloc(new_len, GFP_ATOMIC);
        /* keep old buffer if kmalloc should fail */
        if (new_buff) {
-                memcpy(new_buff, batman_if->packet_buff,
+                memcpy(new_buff, hard_iface->packet_buff,
                       sizeof(struct batman_packet));
                batman_packet = (struct batman_packet *)new_buff;
-                batman_packet->num_hna = hna_local_fill_buffer(bat_priv,
+                batman_packet->num_tt = tt_local_fill_buffer(bat_priv,
                                new_buff + sizeof(struct batman_packet),
                                new_len - sizeof(struct batman_packet));
-                kfree(batman_if->packet_buff);
+                kfree(hard_iface->packet_buff);
-                batman_if->packet_buff = new_buff;
+                hard_iface->packet_buff = new_buff;
-                batman_if->packet_len = new_len;
+                hard_iface->packet_len = new_len;
        }
 }
-void schedule_own_packet(struct batman_if *batman_if)
+void schedule_own_packet(struct hard_iface *hard_iface)
 {
-        struct bat_priv *bat_priv = netdev_priv(batman_if->soft_iface);
+        struct bat_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+        struct hard_iface *primary_if;
        unsigned long send_time;
        struct batman_packet *batman_packet;
        int vis_server;
-        if ((batman_if->if_status == IF_NOT_IN_USE) ||
+        if ((hard_iface->if_status == IF_NOT_IN_USE) ||
-            (batman_if->if_status == IF_TO_BE_REMOVED))
+            (hard_iface->if_status == IF_TO_BE_REMOVED))
                return;
        vis_server = atomic_read(&bat_priv->vis_mode);
+        primary_if = primary_if_get_selected(bat_priv);
        /**
         * the interface gets activated here to avoid race conditions between
@@ -261,53 +263,57 @@ void schedule_own_packet(struct batman_if *batman_if)
         * outdated packets (especially uninitialized mac addresses) in the
         * packet queue
         */
-        if (batman_if->if_status == IF_TO_BE_ACTIVATED)
+        if (hard_iface->if_status == IF_TO_BE_ACTIVATED)
-                batman_if->if_status = IF_ACTIVE;
+                hard_iface->if_status = IF_ACTIVE;
-        /* if local hna has changed and interface is a primary interface */
+        /* if local tt has changed and interface is a primary interface */
-        if ((atomic_read(&bat_priv->hna_local_changed)) &&
+        if ((atomic_read(&bat_priv->tt_local_changed)) &&
-            (batman_if == bat_priv->primary_if))
+            (hard_iface == primary_if))
-                rebuild_batman_packet(bat_priv, batman_if);
+                rebuild_batman_packet(bat_priv, hard_iface);
        /**
         * NOTE: packet_buff might just have been re-allocated in
         * rebuild_batman_packet()
         */
-        batman_packet = (struct batman_packet *)batman_if->packet_buff;
+        batman_packet = (struct batman_packet *)hard_iface->packet_buff;
        /* change sequence number to network order */
        batman_packet->seqno =
-                htonl((uint32_t)atomic_read(&batman_if->seqno));
+                htonl((uint32_t)atomic_read(&hard_iface->seqno));
        if (vis_server == VIS_TYPE_SERVER_SYNC)
                batman_packet->flags |= VIS_SERVER;
        else
                batman_packet->flags &= ~VIS_SERVER;
-        if ((batman_if == bat_priv->primary_if) &&
+        if ((hard_iface == primary_if) &&
            (atomic_read(&bat_priv->gw_mode) == GW_MODE_SERVER))
                batman_packet->gw_flags =
                                (uint8_t)atomic_read(&bat_priv->gw_bandwidth);
        else
                batman_packet->gw_flags = 0;
-        atomic_inc(&batman_if->seqno);
+        atomic_inc(&hard_iface->seqno);
-        slide_own_bcast_window(batman_if);
+        slide_own_bcast_window(hard_iface);
        send_time = own_send_time(bat_priv);
        add_bat_packet_to_list(bat_priv,
-                               batman_if->packet_buff,
+                               hard_iface->packet_buff,
-                               batman_if->packet_len,
+                               hard_iface->packet_len,
-                               batman_if, 1, send_time);
+                               hard_iface, 1, send_time);
+        if (primary_if)
+                hardif_free_ref(primary_if);
 }
 void schedule_forward_packet(struct orig_node *orig_node,
                             struct ethhdr *ethhdr,
                             struct batman_packet *batman_packet,
-                             uint8_t directlink, int hna_buff_len,
+                             uint8_t directlink, int tt_buff_len,
-                             struct batman_if *if_incoming)
+                             struct hard_iface *if_incoming)
 {
        struct bat_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
+        struct neigh_node *router;
        unsigned char in_tq, in_ttl, tq_avg = 0;
        unsigned long send_time;
@@ -316,6 +322,8 @@ void schedule_forward_packet(struct orig_node *orig_node,
                return;
        }
+        router = orig_node_get_router(orig_node);
        in_tq = batman_packet->tq;
        in_ttl = batman_packet->ttl;
@@ -324,20 +332,22 @@ void schedule_forward_packet(struct orig_node *orig_node,
        /* rebroadcast tq of our best ranking neighbor to ensure the rebroadcast
         * of our best tq value */
-        if ((orig_node->router) && (orig_node->router->tq_avg != 0)) {
+        if (router && router->tq_avg != 0) {
                /* rebroadcast ogm of best ranking neighbor as is */
-                if (!compare_orig(orig_node->router->addr, ethhdr->h_source)) {
+                if (!compare_eth(router->addr, ethhdr->h_source)) {
-                        batman_packet->tq = orig_node->router->tq_avg;
+                        batman_packet->tq = router->tq_avg;
-                        if (orig_node->router->last_ttl)
+                        if (router->last_ttl)
-                                batman_packet->ttl = orig_node->router->last_ttl
+                                batman_packet->ttl = router->last_ttl - 1;
-                                                        - 1;
                }
-                tq_avg = orig_node->router->tq_avg;
+                tq_avg = router->tq_avg;
        }
+        if (router)
+                neigh_node_free_ref(router);
        /* apply hop penalty */
        batman_packet->tq = hop_penalty(batman_packet->tq, bat_priv);
@@ -356,10 +366,10 @@ void schedule_forward_packet(struct orig_node *orig_node,
        else
                batman_packet->flags &= ~DIRECTLINK;
-        send_time = forward_send_time(bat_priv);
+        send_time = forward_send_time();
        add_bat_packet_to_list(bat_priv,
                               (unsigned char *)batman_packet,
-                               sizeof(struct batman_packet) + hna_buff_len,
+                               sizeof(struct batman_packet) + tt_buff_len,
                               if_incoming, 0, send_time);
 }
@@ -367,6 +377,8 @@ static void forw_packet_free(struct forw_packet *forw_packet)
 {
        if (forw_packet->skb)
                kfree_skb(forw_packet->skb);
+        if (forw_packet->if_incoming)
+                hardif_free_ref(forw_packet->if_incoming);
        kfree(forw_packet);
 }
@@ -388,7 +400,6 @@ static void _add_bcast_packet_to_list(struct bat_priv *bat_priv,
                           send_time);
 }
-#define atomic_dec_not_zero(v)          atomic_add_unless((v), -1, 0)
 /* add a broadcast packet to the queue and setup timers. broadcast packets
 * are sent multiple times to increase probability for beeing received.
 *
@@ -399,6 +410,7 @@ static void _add_bcast_packet_to_list(struct bat_priv *bat_priv,
 * skb is freed. */
 int add_bcast_packet_to_list(struct bat_priv *bat_priv, struct sk_buff *skb)
 {
+        struct hard_iface *primary_if = NULL;
        struct forw_packet *forw_packet;
        struct bcast_packet *bcast_packet;
@@ -407,8 +419,9 @@ int add_bcast_packet_to_list(struct bat_priv *bat_priv, struct sk_buff *skb)
                goto out;
        }
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
-                goto out;
+        if (!primary_if)
+                goto out_and_inc;
        forw_packet = kmalloc(sizeof(struct forw_packet), GFP_ATOMIC);
@@ -426,7 +439,7 @@ int add_bcast_packet_to_list(struct bat_priv *bat_priv, struct sk_buff *skb)
        skb_reset_mac_header(skb);
        forw_packet->skb = skb;
-        forw_packet->if_incoming = bat_priv->primary_if;
+        forw_packet->if_incoming = primary_if;
        /* how often did we send the bcast packet ? */
        forw_packet->num_packets = 0;
@@ -439,12 +452,14 @@ packet_free:
 out_and_inc:
        atomic_inc(&bat_priv->bcast_queue_left);
 out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
        return NETDEV_TX_BUSY;
 }
 static void send_outstanding_bcast_packet(struct work_struct *work)
 {
-        struct batman_if *batman_if;
+        struct hard_iface *hard_iface;
        struct delayed_work *delayed_work =
                container_of(work, struct delayed_work, work);
        struct forw_packet *forw_packet =
@@ -462,14 +477,14 @@ static void send_outstanding_bcast_packet(struct work_struct *work)
        /* rebroadcast packet */
        rcu_read_lock();
-        list_for_each_entry_rcu(batman_if, &if_list, list) {
+        list_for_each_entry_rcu(hard_iface, &hardif_list, list) {
-                if (batman_if->soft_iface != soft_iface)
+                if (hard_iface->soft_iface != soft_iface)
                        continue;
                /* send a copy of the saved skb */
                skb1 = skb_clone(forw_packet->skb, GFP_ATOMIC);
                if (skb1)
-                        send_skb_packet(skb1, batman_if, broadcast_addr);
+                        send_skb_packet(skb1, hard_iface, broadcast_addr);
        }
        rcu_read_unlock();
@@ -522,15 +537,16 @@ out:
 }
 void purge_outstanding_packets(struct bat_priv *bat_priv,
-                               struct batman_if *batman_if)
+                               struct hard_iface *hard_iface)
 {
        struct forw_packet *forw_packet;
        struct hlist_node *tmp_node, *safe_tmp_node;
+        bool pending;
-        if (batman_if)
+        if (hard_iface)
                bat_dbg(DBG_BATMAN, bat_priv,
                        "purge_outstanding_packets(): %s\n",
-                        batman_if->net_dev->name);
+                        hard_iface->net_dev->name);
        else
                bat_dbg(DBG_BATMAN, bat_priv,
                        "purge_outstanding_packets()\n");
@@ -544,8 +560,8 @@ void purge_outstanding_packets(struct bat_priv *bat_priv,
                 * if purge_outstanding_packets() was called with an argmument
                 * we delete only packets belonging to the given interface
                 */
-                if ((batman_if) &&
+                if ((hard_iface) &&
-                    (forw_packet->if_incoming != batman_if))
+                    (forw_packet->if_incoming != hard_iface))
                        continue;
                spin_unlock_bh(&bat_priv->forw_bcast_list_lock);
@@ -554,8 +570,13 @@ void purge_outstanding_packets(struct bat_priv *bat_priv,
                 * send_outstanding_bcast_packet() will lock the list to
                 * delete the item from the list
                 */
-                cancel_delayed_work_sync(&forw_packet->delayed_work);
+                pending = cancel_delayed_work_sync(&forw_packet->delayed_work);
                spin_lock_bh(&bat_priv->forw_bcast_list_lock);
+                if (pending) {
+                        hlist_del(&forw_packet->list);
+                        forw_packet_free(forw_packet);
+                }
        }
        spin_unlock_bh(&bat_priv->forw_bcast_list_lock);
@@ -568,8 +589,8 @@ void purge_outstanding_packets(struct bat_priv *bat_priv,
                 * if purge_outstanding_packets() was called with an argmument
                 * we delete only packets belonging to the given interface
                 */
-                if ((batman_if) &&
+                if ((hard_iface) &&
-                    (forw_packet->if_incoming != batman_if))
+                    (forw_packet->if_incoming != hard_iface))
                        continue;
                spin_unlock_bh(&bat_priv->forw_bat_list_lock);
@@ -578,8 +599,13 @@ void purge_outstanding_packets(struct bat_priv *bat_priv,
                 * send_outstanding_bat_packet() will lock the list to
                 * delete the item from the list
                 */
-                cancel_delayed_work_sync(&forw_packet->delayed_work);
+                pending = cancel_delayed_work_sync(&forw_packet->delayed_work);
                spin_lock_bh(&bat_priv->forw_bat_list_lock);
+                if (pending) {
+                        hlist_del(&forw_packet->list);
+                        forw_packet_free(forw_packet);
+                }
        }
        spin_unlock_bh(&bat_priv->forw_bat_list_lock);
 }
diff --git a/net/batman-adv/send.h b/net/batman-adv/send.h
index c4cefa8e4f85..247172d71e4b 100644
--- a/net/batman-adv/send.h
+++ b/net/batman-adv/send.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -22,20 +22,18 @@
 #ifndef _NET_BATMAN_ADV_SEND_H_
 #define _NET_BATMAN_ADV_SEND_H_
-#include "types.h"
 int send_skb_packet(struct sk_buff *skb,
-                                struct batman_if *batman_if,
+                                struct hard_iface *hard_iface,
                                uint8_t *dst_addr);
-void schedule_own_packet(struct batman_if *batman_if);
+void schedule_own_packet(struct hard_iface *hard_iface);
 void schedule_forward_packet(struct orig_node *orig_node,
                             struct ethhdr *ethhdr,
                             struct batman_packet *batman_packet,
-                             uint8_t directlink, int hna_buff_len,
+                             uint8_t directlink, int tt_buff_len,
-                             struct batman_if *if_outgoing);
+                             struct hard_iface *if_outgoing);
 int add_bcast_packet_to_list(struct bat_priv *bat_priv, struct sk_buff *skb);
 void send_outstanding_bat_packet(struct work_struct *work);
 void purge_outstanding_packets(struct bat_priv *bat_priv,
-                               struct batman_if *batman_if);
+                               struct hard_iface *hard_iface);
 #endif /* _NET_BATMAN_ADV_SEND_H_ */
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index e89ede192ed0..d5aa60999e83 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -26,18 +26,15 @@
 #include "send.h"
 #include "bat_debugfs.h"
 #include "translation-table.h"
-#include "types.h"
 #include "hash.h"
 #include "gateway_common.h"
 #include "gateway_client.h"
-#include "send.h"
 #include "bat_sysfs.h"
 #include <linux/slab.h>
 #include <linux/ethtool.h>
 #include <linux/etherdevice.h>
 #include <linux/if_vlan.h>
 #include "unicast.h"
-#include "routing.h"
 static int bat_get_settings(struct net_device *dev, struct ethtool_cmd *cmd);
@@ -46,8 +43,6 @@ static void bat_get_drvinfo(struct net_device *dev,
 static u32 bat_get_msglevel(struct net_device *dev);
 static void bat_set_msglevel(struct net_device *dev, u32 value);
 static u32 bat_get_link(struct net_device *dev);
-static u32 bat_get_rx_csum(struct net_device *dev);
-static int bat_set_rx_csum(struct net_device *dev, u32 data);
 static const struct ethtool_ops bat_ethtool_ops = {
        .get_settings = bat_get_settings,
@@ -55,8 +50,6 @@ static const struct ethtool_ops bat_ethtool_ops = {
        .get_msglevel = bat_get_msglevel,
        .set_msglevel = bat_set_msglevel,
        .get_link = bat_get_link,
-        .get_rx_csum = bat_get_rx_csum,
-        .set_rx_csum = bat_set_rx_csum
 };
 int my_skb_head_push(struct sk_buff *skb, unsigned int len)
@@ -79,141 +72,371 @@ int my_skb_head_push(struct sk_buff *skb, unsigned int len)
        return 0;
 }
-static void softif_neigh_free_ref(struct kref *refcount)
+static void softif_neigh_free_ref(struct softif_neigh *softif_neigh)
 {
-        struct softif_neigh *softif_neigh;
+        if (atomic_dec_and_test(&softif_neigh->refcount))
+                kfree_rcu(softif_neigh, rcu);
-        softif_neigh = container_of(refcount, struct softif_neigh, refcount);
-        kfree(softif_neigh);
 }
-static void softif_neigh_free_rcu(struct rcu_head *rcu)
+static void softif_neigh_vid_free_rcu(struct rcu_head *rcu)
 {
+        struct softif_neigh_vid *softif_neigh_vid;
        struct softif_neigh *softif_neigh;
+        struct hlist_node *node, *node_tmp;
+        struct bat_priv *bat_priv;
+        softif_neigh_vid = container_of(rcu, struct softif_neigh_vid, rcu);
+        bat_priv = softif_neigh_vid->bat_priv;
+        spin_lock_bh(&bat_priv->softif_neigh_lock);
+        hlist_for_each_entry_safe(softif_neigh, node, node_tmp,
+                                  &softif_neigh_vid->softif_neigh_list, list) {
+                hlist_del_rcu(&softif_neigh->list);
+                softif_neigh_free_ref(softif_neigh);
+        }
+        spin_unlock_bh(&bat_priv->softif_neigh_lock);
-        softif_neigh = container_of(rcu, struct softif_neigh, rcu);
+        kfree(softif_neigh_vid);
-        kref_put(&softif_neigh->refcount, softif_neigh_free_ref);
 }
-void softif_neigh_purge(struct bat_priv *bat_priv)
+static void softif_neigh_vid_free_ref(struct softif_neigh_vid *softif_neigh_vid)
 {
-        struct softif_neigh *softif_neigh, *softif_neigh_tmp;
+        if (atomic_dec_and_test(&softif_neigh_vid->refcount))
-        struct hlist_node *node, *node_tmp;
+                call_rcu(&softif_neigh_vid->rcu, softif_neigh_vid_free_rcu);
+}
-        spin_lock_bh(&bat_priv->softif_neigh_lock);
+static struct softif_neigh_vid *softif_neigh_vid_get(struct bat_priv *bat_priv,
+                                                     short vid)
+{
+        struct softif_neigh_vid *softif_neigh_vid;
+        struct hlist_node *node;
-        hlist_for_each_entry_safe(softif_neigh, node, node_tmp,
+        rcu_read_lock();
-                                  &bat_priv->softif_neigh_list, list) {
+        hlist_for_each_entry_rcu(softif_neigh_vid, node,
+                                 &bat_priv->softif_neigh_vids, list) {
+                if (softif_neigh_vid->vid != vid)
+                        continue;
-                if ((!time_after(jiffies, softif_neigh->last_seen +
+                if (!atomic_inc_not_zero(&softif_neigh_vid->refcount))
-                                msecs_to_jiffies(SOFTIF_NEIGH_TIMEOUT))) &&
-                    (atomic_read(&bat_priv->mesh_state) == MESH_ACTIVE))
                        continue;
-                hlist_del_rcu(&softif_neigh->list);
+                goto out;
+        }
-                if (bat_priv->softif_neigh == softif_neigh) {
+        softif_neigh_vid = kzalloc(sizeof(struct softif_neigh_vid),
-                        bat_dbg(DBG_ROUTES, bat_priv,
+                                   GFP_ATOMIC);
-                                 "Current mesh exit point '%pM' vanished "
+        if (!softif_neigh_vid)
-                                 "(vid: %d).\n",
+                goto out;
-                                 softif_neigh->addr, softif_neigh->vid);
-                        softif_neigh_tmp = bat_priv->softif_neigh;
-                        bat_priv->softif_neigh = NULL;
-                        kref_put(&softif_neigh_tmp->refcount,
-                                 softif_neigh_free_ref);
-                }
-                call_rcu(&softif_neigh->rcu, softif_neigh_free_rcu);
+        softif_neigh_vid->vid = vid;
-        }
+        softif_neigh_vid->bat_priv = bat_priv;
-        spin_unlock_bh(&bat_priv->softif_neigh_lock);
+        /* initialize with 2 - caller decrements counter by one */
+        atomic_set(&softif_neigh_vid->refcount, 2);
+        INIT_HLIST_HEAD(&softif_neigh_vid->softif_neigh_list);
+        INIT_HLIST_NODE(&softif_neigh_vid->list);
+        spin_lock_bh(&bat_priv->softif_neigh_vid_lock);
+        hlist_add_head_rcu(&softif_neigh_vid->list,
+                           &bat_priv->softif_neigh_vids);
+        spin_unlock_bh(&bat_priv->softif_neigh_vid_lock);
+out:
+        rcu_read_unlock();
+        return softif_neigh_vid;
 }
 static struct softif_neigh *softif_neigh_get(struct bat_priv *bat_priv,
                                             uint8_t *addr, short vid)
 {
-        struct softif_neigh *softif_neigh;
+        struct softif_neigh_vid *softif_neigh_vid;
+        struct softif_neigh *softif_neigh = NULL;
        struct hlist_node *node;
+        softif_neigh_vid = softif_neigh_vid_get(bat_priv, vid);
+        if (!softif_neigh_vid)
+                goto out;
        rcu_read_lock();
        hlist_for_each_entry_rcu(softif_neigh, node,
-                                 &bat_priv->softif_neigh_list, list) {
+                                 &softif_neigh_vid->softif_neigh_list,
-                if (memcmp(softif_neigh->addr, addr, ETH_ALEN) != 0)
+                                 list) {
+                if (!compare_eth(softif_neigh->addr, addr))
                        continue;
-                if (softif_neigh->vid != vid)
+                if (!atomic_inc_not_zero(&softif_neigh->refcount))
                        continue;
                softif_neigh->last_seen = jiffies;
-                goto found;
+                goto unlock;
        }
        softif_neigh = kzalloc(sizeof(struct softif_neigh), GFP_ATOMIC);
        if (!softif_neigh)
-                goto out;
+                goto unlock;
        memcpy(softif_neigh->addr, addr, ETH_ALEN);
-        softif_neigh->vid = vid;
        softif_neigh->last_seen = jiffies;
-        kref_init(&softif_neigh->refcount);
+        /* initialize with 2 - caller decrements counter by one */
+        atomic_set(&softif_neigh->refcount, 2);
        INIT_HLIST_NODE(&softif_neigh->list);
        spin_lock_bh(&bat_priv->softif_neigh_lock);
-        hlist_add_head_rcu(&softif_neigh->list, &bat_priv->softif_neigh_list);
+        hlist_add_head_rcu(&softif_neigh->list,
+                           &softif_neigh_vid->softif_neigh_list);
        spin_unlock_bh(&bat_priv->softif_neigh_lock);
-found:
+unlock:
-        kref_get(&softif_neigh->refcount);
+        rcu_read_unlock();
 out:
+        if (softif_neigh_vid)
+                softif_neigh_vid_free_ref(softif_neigh_vid);
+        return softif_neigh;
+}
+static struct softif_neigh *softif_neigh_get_selected(
+                                struct softif_neigh_vid *softif_neigh_vid)
+{
+        struct softif_neigh *softif_neigh;
+        rcu_read_lock();
+        softif_neigh = rcu_dereference(softif_neigh_vid->softif_neigh);
+        if (softif_neigh && !atomic_inc_not_zero(&softif_neigh->refcount))
+                softif_neigh = NULL;
        rcu_read_unlock();
        return softif_neigh;
 }
+static struct softif_neigh *softif_neigh_vid_get_selected(
+                                                struct bat_priv *bat_priv,
+                                                short vid)
+{
+        struct softif_neigh_vid *softif_neigh_vid;
+        struct softif_neigh *softif_neigh = NULL;
+        softif_neigh_vid = softif_neigh_vid_get(bat_priv, vid);
+        if (!softif_neigh_vid)
+                goto out;
+        softif_neigh = softif_neigh_get_selected(softif_neigh_vid);
+out:
+        if (softif_neigh_vid)
+                softif_neigh_vid_free_ref(softif_neigh_vid);
+        return softif_neigh;
+}
+static void softif_neigh_vid_select(struct bat_priv *bat_priv,
+                                    struct softif_neigh *new_neigh,
+                                    short vid)
+{
+        struct softif_neigh_vid *softif_neigh_vid;
+        struct softif_neigh *curr_neigh;
+        softif_neigh_vid = softif_neigh_vid_get(bat_priv, vid);
+        if (!softif_neigh_vid)
+                goto out;
+        spin_lock_bh(&bat_priv->softif_neigh_lock);
+        if (new_neigh && !atomic_inc_not_zero(&new_neigh->refcount))
+                new_neigh = NULL;
+        curr_neigh = softif_neigh_vid->softif_neigh;
+        rcu_assign_pointer(softif_neigh_vid->softif_neigh, new_neigh);
+        if ((curr_neigh) && (!new_neigh))
+                bat_dbg(DBG_ROUTES, bat_priv,
+                        "Removing mesh exit point on vid: %d (prev: %pM).\n",
+                        vid, curr_neigh->addr);
+        else if ((curr_neigh) && (new_neigh))
+                bat_dbg(DBG_ROUTES, bat_priv,
+                        "Changing mesh exit point on vid: %d from %pM "
+                        "to %pM.\n", vid, curr_neigh->addr, new_neigh->addr);
+        else if ((!curr_neigh) && (new_neigh))
+                bat_dbg(DBG_ROUTES, bat_priv,
+                        "Setting mesh exit point on vid: %d to %pM.\n",
+                        vid, new_neigh->addr);
+        if (curr_neigh)
+                softif_neigh_free_ref(curr_neigh);
+        spin_unlock_bh(&bat_priv->softif_neigh_lock);
+out:
+        if (softif_neigh_vid)
+                softif_neigh_vid_free_ref(softif_neigh_vid);
+}
+static void softif_neigh_vid_deselect(struct bat_priv *bat_priv,
+                                      struct softif_neigh_vid *softif_neigh_vid)
+{
+        struct softif_neigh *curr_neigh;
+        struct softif_neigh *softif_neigh = NULL, *softif_neigh_tmp;
+        struct hard_iface *primary_if = NULL;
+        struct hlist_node *node;
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
+                goto out;
+        /* find new softif_neigh immediately to avoid temporary loops */
+        rcu_read_lock();
+        curr_neigh = rcu_dereference(softif_neigh_vid->softif_neigh);
+        hlist_for_each_entry_rcu(softif_neigh_tmp, node,
+                                 &softif_neigh_vid->softif_neigh_list,
+                                 list) {
+                if (softif_neigh_tmp == curr_neigh)
+                        continue;
+                /* we got a neighbor but its mac is 'bigger' than ours  */
+                if (memcmp(primary_if->net_dev->dev_addr,
+                           softif_neigh_tmp->addr, ETH_ALEN) < 0)
+                        continue;
+                if (!atomic_inc_not_zero(&softif_neigh_tmp->refcount))
+                        continue;
+                softif_neigh = softif_neigh_tmp;
+                goto unlock;
+        }
+unlock:
+        rcu_read_unlock();
+out:
+        softif_neigh_vid_select(bat_priv, softif_neigh, softif_neigh_vid->vid);
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        if (softif_neigh)
+                softif_neigh_free_ref(softif_neigh);
+}
 int softif_neigh_seq_print_text(struct seq_file *seq, void *offset)
 {
        struct net_device *net_dev = (struct net_device *)seq->private;
        struct bat_priv *bat_priv = netdev_priv(net_dev);
+        struct softif_neigh_vid *softif_neigh_vid;
        struct softif_neigh *softif_neigh;
-        struct hlist_node *node;
+        struct hard_iface *primary_if;
-        size_t buf_size, pos;
+        struct hlist_node *node, *node_tmp;
-        char *buff;
+        struct softif_neigh *curr_softif_neigh;
+        int ret = 0, last_seen_secs, last_seen_msecs;
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if) {
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - "
+                                 "please specify interfaces to enable it\n",
+                                 net_dev->name);
+                goto out;
+        }
-        if (!bat_priv->primary_if) {
+        if (primary_if->if_status != IF_ACTIVE) {
-                return seq_printf(seq, "BATMAN mesh %s disabled - "
+                ret = seq_printf(seq, "BATMAN mesh %s "
-                               "please specify interfaces to enable it\n",
+                                 "disabled - primary interface not active\n",
-                               net_dev->name);
+                                 net_dev->name);
+                goto out;
        }
        seq_printf(seq, "Softif neighbor list (%s)\n", net_dev->name);
-        buf_size = 1;
-        /* Estimate length for: "   xx:xx:xx:xx:xx:xx\n" */
        rcu_read_lock();
-        hlist_for_each_entry_rcu(softif_neigh, node,
+        hlist_for_each_entry_rcu(softif_neigh_vid, node,
-                                 &bat_priv->softif_neigh_list, list)
+                                 &bat_priv->softif_neigh_vids, list) {
-                buf_size += 30;
+                seq_printf(seq, "     %-15s %s on vid: %d\n",
+                           "Originator", "last-seen", softif_neigh_vid->vid);
+                curr_softif_neigh = softif_neigh_get_selected(softif_neigh_vid);
+                hlist_for_each_entry_rcu(softif_neigh, node_tmp,
+                                         &softif_neigh_vid->softif_neigh_list,
+                                         list) {
+                        last_seen_secs = jiffies_to_msecs(jiffies -
+                                                softif_neigh->last_seen) / 1000;
+                        last_seen_msecs = jiffies_to_msecs(jiffies -
+                                                softif_neigh->last_seen) % 1000;
+                        seq_printf(seq, "%s %pM  %3i.%03is\n",
+                                   curr_softif_neigh == softif_neigh
+                                   ? "=>" : "  ", softif_neigh->addr,
+                                   last_seen_secs, last_seen_msecs);
+                }
+                if (curr_softif_neigh)
+                        softif_neigh_free_ref(curr_softif_neigh);
+                seq_printf(seq, "\n");
+        }
        rcu_read_unlock();
-        buff = kmalloc(buf_size, GFP_ATOMIC);
+out:
-        if (!buff)
+        if (primary_if)
-                return -ENOMEM;
+                hardif_free_ref(primary_if);
+        return ret;
+}
-        buff[0] = '\0';
+void softif_neigh_purge(struct bat_priv *bat_priv)
-        pos = 0;
+{
+        struct softif_neigh *softif_neigh, *curr_softif_neigh;
+        struct softif_neigh_vid *softif_neigh_vid;
+        struct hlist_node *node, *node_tmp, *node_tmp2;
+        char do_deselect;
        rcu_read_lock();
-        hlist_for_each_entry_rcu(softif_neigh, node,
+        hlist_for_each_entry_rcu(softif_neigh_vid, node,
-                                 &bat_priv->softif_neigh_list, list) {
+                                 &bat_priv->softif_neigh_vids, list) {
-                pos += snprintf(buff + pos, 31, "%s %pM (vid: %d)\n",
+                if (!atomic_inc_not_zero(&softif_neigh_vid->refcount))
-                                bat_priv->softif_neigh == softif_neigh
+                        continue;
-                                ? "=>" : "  ", softif_neigh->addr,
-                                softif_neigh->vid);
+                curr_softif_neigh = softif_neigh_get_selected(softif_neigh_vid);
+                do_deselect = 0;
+                spin_lock_bh(&bat_priv->softif_neigh_lock);
+                hlist_for_each_entry_safe(softif_neigh, node_tmp, node_tmp2,
+                                          &softif_neigh_vid->softif_neigh_list,
+                                          list) {
+                        if ((!time_after(jiffies, softif_neigh->last_seen +
+                                msecs_to_jiffies(SOFTIF_NEIGH_TIMEOUT))) &&
+                            (atomic_read(&bat_priv->mesh_state) == MESH_ACTIVE))
+                                continue;
+                        if (curr_softif_neigh == softif_neigh) {
+                                bat_dbg(DBG_ROUTES, bat_priv,
+                                        "Current mesh exit point on vid: %d "
+                                        "'%pM' vanished.\n",
+                                        softif_neigh_vid->vid,
+                                        softif_neigh->addr);
+                                do_deselect = 1;
+                        }
+                        hlist_del_rcu(&softif_neigh->list);
+                        softif_neigh_free_ref(softif_neigh);
+                }
+                spin_unlock_bh(&bat_priv->softif_neigh_lock);
+                /* soft_neigh_vid_deselect() needs to acquire the
+                 * softif_neigh_lock */
+                if (do_deselect)
+                        softif_neigh_vid_deselect(bat_priv, softif_neigh_vid);
+                if (curr_softif_neigh)
+                        softif_neigh_free_ref(curr_softif_neigh);
+                softif_neigh_vid_free_ref(softif_neigh_vid);
        }
        rcu_read_unlock();
-        seq_printf(seq, "%s", buff);
+        spin_lock_bh(&bat_priv->softif_neigh_vid_lock);
-        kfree(buff);
+        hlist_for_each_entry_safe(softif_neigh_vid, node, node_tmp,
-        return 0;
+                                  &bat_priv->softif_neigh_vids, list) {
+                if (!hlist_empty(&softif_neigh_vid->softif_neigh_list))
+                        continue;
+                hlist_del_rcu(&softif_neigh_vid->list);
+                softif_neigh_vid_free_ref(softif_neigh_vid);
+        }
+        spin_unlock_bh(&bat_priv->softif_neigh_vid_lock);
 }
 static void softif_batman_recv(struct sk_buff *skb, struct net_device *dev,
@@ -222,7 +445,9 @@ static void softif_batman_recv(struct sk_buff *skb, struct net_device *dev,
        struct bat_priv *bat_priv = netdev_priv(dev);
        struct ethhdr *ethhdr = (struct ethhdr *)skb->data;
        struct batman_packet *batman_packet;
-        struct softif_neigh *softif_neigh, *softif_neigh_tmp;
+        struct softif_neigh *softif_neigh = NULL;
+        struct hard_iface *primary_if = NULL;
+        struct softif_neigh *curr_softif_neigh = NULL;
        if (ntohs(ethhdr->h_proto) == ETH_P_8021Q)
                batman_packet = (struct batman_packet *)
@@ -231,63 +456,52 @@ static void softif_batman_recv(struct sk_buff *skb, struct net_device *dev,
                batman_packet = (struct batman_packet *)(skb->data + ETH_HLEN);
        if (batman_packet->version != COMPAT_VERSION)
-                goto err;
+                goto out;
        if (batman_packet->packet_type != BAT_PACKET)
-                goto err;
+                goto out;
        if (!(batman_packet->flags & PRIMARIES_FIRST_HOP))
-                goto err;
+                goto out;
        if (is_my_mac(batman_packet->orig))
-                goto err;
+                goto out;
        softif_neigh = softif_neigh_get(bat_priv, batman_packet->orig, vid);
        if (!softif_neigh)
-                goto err;
+                goto out;
-        if (bat_priv->softif_neigh == softif_neigh)
+        curr_softif_neigh = softif_neigh_vid_get_selected(bat_priv, vid);
+        if (curr_softif_neigh == softif_neigh)
+                goto out;
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
                goto out;
        /* we got a neighbor but its mac is 'bigger' than ours  */
-        if (memcmp(bat_priv->primary_if->net_dev->dev_addr,
+        if (memcmp(primary_if->net_dev->dev_addr,
                   softif_neigh->addr, ETH_ALEN) < 0)
                goto out;
-        /* switch to new 'smallest neighbor' */
-        if ((bat_priv->softif_neigh) &&
-            (memcmp(softif_neigh->addr, bat_priv->softif_neigh->addr,
-                                                        ETH_ALEN) < 0)) {
-                bat_dbg(DBG_ROUTES, bat_priv,
-                        "Changing mesh exit point from %pM (vid: %d) "
-                        "to %pM (vid: %d).\n",
-                         bat_priv->softif_neigh->addr,
-                         bat_priv->softif_neigh->vid,
-                         softif_neigh->addr, softif_neigh->vid);
-                softif_neigh_tmp = bat_priv->softif_neigh;
-                bat_priv->softif_neigh = softif_neigh;
-                kref_put(&softif_neigh_tmp->refcount, softif_neigh_free_ref);
-                /* we need to hold the additional reference */
-                goto err;
-        }
        /* close own batX device and use softif_neigh as exit node */
-        if ((!bat_priv->softif_neigh) &&
+        if (!curr_softif_neigh) {
-            (memcmp(softif_neigh->addr,
+                softif_neigh_vid_select(bat_priv, softif_neigh, vid);
-                    bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN) < 0)) {
+                goto out;
-                bat_dbg(DBG_ROUTES, bat_priv,
-                        "Setting mesh exit point to %pM (vid: %d).\n",
-                        softif_neigh->addr, softif_neigh->vid);
-                bat_priv->softif_neigh = softif_neigh;
-                /* we need to hold the additional reference */
-                goto err;
        }
+        /* switch to new 'smallest neighbor' */
+        if (memcmp(softif_neigh->addr, curr_softif_neigh->addr, ETH_ALEN) < 0)
+                softif_neigh_vid_select(bat_priv, softif_neigh, vid);
 out:
-        kref_put(&softif_neigh->refcount, softif_neigh_free_ref);
-err:
        kfree_skb(skb);
+        if (softif_neigh)
+                softif_neigh_free_ref(softif_neigh);
+        if (curr_softif_neigh)
+                softif_neigh_free_ref(curr_softif_neigh);
+        if (primary_if)
+                hardif_free_ref(primary_if);
        return;
 }
@@ -317,11 +531,11 @@ static int interface_set_mac_addr(struct net_device *dev, void *p)
        if (!is_valid_ether_addr(addr->sa_data))
                return -EADDRNOTAVAIL;
-        /* only modify hna-table if it has been initialised before */
+        /* only modify transtable if it has been initialised before */
        if (atomic_read(&bat_priv->mesh_state) == MESH_ACTIVE) {
-                hna_local_remove(bat_priv, dev->dev_addr,
+                tt_local_remove(bat_priv, dev->dev_addr,
                                 "mac address changed");
-                hna_local_add(dev, addr->sa_data);
+                tt_local_add(dev, addr->sa_data);
        }
        memcpy(dev->dev_addr, addr->sa_data, ETH_ALEN);
@@ -343,8 +557,10 @@ int interface_tx(struct sk_buff *skb, struct net_device *soft_iface)
 {
        struct ethhdr *ethhdr = (struct ethhdr *)skb->data;
        struct bat_priv *bat_priv = netdev_priv(soft_iface);
+        struct hard_iface *primary_if = NULL;
        struct bcast_packet *bcast_packet;
        struct vlan_ethhdr *vhdr;
+        struct softif_neigh *curr_softif_neigh = NULL;
        int data_len = skb->len, ret;
        short vid = -1;
        bool do_bcast = false;
@@ -372,11 +588,12 @@ int interface_tx(struct sk_buff *skb, struct net_device *soft_iface)
         * if we have a another chosen mesh exit node in range
         * it will transport the packets to the mesh
         */
-        if ((bat_priv->softif_neigh) && (bat_priv->softif_neigh->vid == vid))
+        curr_softif_neigh = softif_neigh_vid_get_selected(bat_priv, vid);
+        if (curr_softif_neigh)
                goto dropped;
        /* TODO: check this for locks */
-        hna_local_add(soft_iface, ethhdr->h_source);
+        tt_local_add(soft_iface, ethhdr->h_source);
        if (is_multicast_ether_addr(ethhdr->h_dest)) {
                ret = gw_is_target(bat_priv, skb);
@@ -390,7 +607,8 @@ int interface_tx(struct sk_buff *skb, struct net_device *soft_iface)
        /* ethernet packet should be broadcasted */
        if (do_bcast) {
-                if (!bat_priv->primary_if)
+                primary_if = primary_if_get_selected(bat_priv);
+                if (!primary_if)
                        goto dropped;
                if (my_skb_head_push(skb, sizeof(struct bcast_packet)) < 0)
@@ -406,7 +624,7 @@ int interface_tx(struct sk_buff *skb, struct net_device *soft_iface)
                /* hw address of first interface is the orig mac because only
                 * this mac is known throughout the mesh */
                memcpy(bcast_packet->orig,
-                       bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
+                       primary_if->net_dev->dev_addr, ETH_ALEN);
                /* set broadcast sequence number */
                bcast_packet->seqno =
@@ -434,17 +652,22 @@ dropped:
 dropped_freed:
        bat_priv->stats.tx_dropped++;
 end:
+        if (curr_softif_neigh)
+                softif_neigh_free_ref(curr_softif_neigh);
+        if (primary_if)
+                hardif_free_ref(primary_if);
        return NETDEV_TX_OK;
 }
 void interface_rx(struct net_device *soft_iface,
-                  struct sk_buff *skb, struct batman_if *recv_if,
+                  struct sk_buff *skb, struct hard_iface *recv_if,
                  int hdr_size)
 {
        struct bat_priv *bat_priv = netdev_priv(soft_iface);
        struct unicast_packet *unicast_packet;
        struct ethhdr *ethhdr;
        struct vlan_ethhdr *vhdr;
+        struct softif_neigh *curr_softif_neigh = NULL;
        short vid = -1;
        int ret;
@@ -474,7 +697,8 @@ void interface_rx(struct net_device *soft_iface,
         * if we have a another chosen mesh exit node in range
         * it will transport the packets to the non-mesh network
         */
-        if ((bat_priv->softif_neigh) && (bat_priv->softif_neigh->vid == vid)) {
+        curr_softif_neigh = softif_neigh_vid_get_selected(bat_priv, vid);
+        if (curr_softif_neigh) {
                skb_push(skb, hdr_size);
                unicast_packet = (struct unicast_packet *)skb->data;
@@ -485,8 +709,8 @@ void interface_rx(struct net_device *soft_iface,
                skb_reset_mac_header(skb);
                memcpy(unicast_packet->dest,
-                       bat_priv->softif_neigh->addr, ETH_ALEN);
+                       curr_softif_neigh->addr, ETH_ALEN);
-                ret = route_unicast_packet(skb, recv_if, hdr_size);
+                ret = route_unicast_packet(skb, recv_if);
                if (ret == NET_RX_DROP)
                        goto dropped;
@@ -498,7 +722,7 @@ void interface_rx(struct net_device *soft_iface,
                goto dropped;
        skb->protocol = eth_type_trans(skb, soft_iface);
-        /* should not be neccesary anymore as we use skb_pull_rcsum()
+        /* should not be necessary anymore as we use skb_pull_rcsum()
         * TODO: please verify this and remove this TODO
         * -- Dec 21st 2009, Simon Wunderlich */
@@ -510,11 +734,13 @@ void interface_rx(struct net_device *soft_iface,
        soft_iface->last_rx = jiffies;
        netif_rx(skb);
-        return;
+        goto out;
 dropped:
        kfree_skb(skb);
 out:
+        if (curr_softif_neigh)
+                softif_neigh_free_ref(curr_softif_neigh);
        return;
 }
@@ -548,14 +774,15 @@ static void interface_setup(struct net_device *dev)
        dev->hard_start_xmit = interface_tx;
 #endif
        dev->destructor = free_netdev;
+        dev->tx_queue_len = 0;
        /**
         * can't call min_mtu, because the needed variables
         * have not been initialized yet
         */
        dev->mtu = ETH_DATA_LEN;
-        dev->hard_header_len = BAT_HEADER_LEN; /* reserve more space in the
+        /* reserve more space in the skbuff for our header */
-                                                * skbuff for our header */
+        dev->hard_header_len = BAT_HEADER_LEN;
        /* generate random address */
        random_ether_addr(dev_addr);
@@ -580,7 +807,7 @@ struct net_device *softif_create(char *name)
                goto out;
        }
-        ret = register_netdev(soft_iface);
+        ret = register_netdevice(soft_iface);
        if (ret < 0) {
                pr_err("Unable to register the batman interface '%s': %i\n",
                       name, ret);
@@ -604,11 +831,10 @@ struct net_device *softif_create(char *name)
        atomic_set(&bat_priv->mesh_state, MESH_INACTIVE);
        atomic_set(&bat_priv->bcast_seqno, 1);
-        atomic_set(&bat_priv->hna_local_changed, 0);
+        atomic_set(&bat_priv->tt_local_changed, 0);
        bat_priv->primary_if = NULL;
        bat_priv->num_ifaces = 0;
-        bat_priv->softif_neigh = NULL;
        ret = sysfs_add_meshif(soft_iface);
        if (ret < 0)
@@ -646,12 +872,25 @@ void softif_destroy(struct net_device *soft_iface)
        unregister_netdevice(soft_iface);
 }
+int softif_is_valid(struct net_device *net_dev)
+{
+#ifdef HAVE_NET_DEVICE_OPS
+        if (net_dev->netdev_ops->ndo_start_xmit == interface_tx)
+                return 1;
+#else
+        if (net_dev->hard_start_xmit == interface_tx)
+                return 1;
+#endif
+        return 0;
+}
 /* ethtool */
 static int bat_get_settings(struct net_device *dev, struct ethtool_cmd *cmd)
 {
        cmd->supported = 0;
        cmd->advertising = 0;
-        cmd->speed = SPEED_10;
+        ethtool_cmd_speed_set(cmd, SPEED_10);
        cmd->duplex = DUPLEX_FULL;
        cmd->port = PORT_TP;
        cmd->phy_address = 0;
@@ -686,12 +925,3 @@ static u32 bat_get_link(struct net_device *dev)
        return 1;
 }
-static u32 bat_get_rx_csum(struct net_device *dev)
-{
-        return 0;
-}
-static int bat_set_rx_csum(struct net_device *dev, u32 data)
-{
-        return -EOPNOTSUPP;
-}
diff --git a/net/batman-adv/soft-interface.h b/net/batman-adv/soft-interface.h
index 02b77334d10d..4789b6f2a0b3 100644
--- a/net/batman-adv/soft-interface.h
+++ b/net/batman-adv/soft-interface.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner
 *
@@ -27,9 +27,10 @@ int softif_neigh_seq_print_text(struct seq_file *seq, void *offset);
 void softif_neigh_purge(struct bat_priv *bat_priv);
 int interface_tx(struct sk_buff *skb, struct net_device *soft_iface);
 void interface_rx(struct net_device *soft_iface,
-                  struct sk_buff *skb, struct batman_if *recv_if,
+                  struct sk_buff *skb, struct hard_iface *recv_if,
                  int hdr_size);
 struct net_device *softif_create(char *name);
 void softif_destroy(struct net_device *soft_iface);
+int softif_is_valid(struct net_device *net_dev);
 #endif /* _NET_BATMAN_ADV_SOFT_INTERFACE_H_ */
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index a633b5a435e2..7b729660cbfd 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -22,416 +22,511 @@
 #include "main.h"
 #include "translation-table.h"
 #include "soft-interface.h"
-#include "types.h"
+#include "hard-interface.h"
 #include "hash.h"
 #include "originator.h"
-static void hna_local_purge(struct work_struct *work);
+static void tt_local_purge(struct work_struct *work);
-static void _hna_global_del_orig(struct bat_priv *bat_priv,
+static void _tt_global_del_orig(struct bat_priv *bat_priv,
-                                 struct hna_global_entry *hna_global_entry,
+                                 struct tt_global_entry *tt_global_entry,
                                 char *message);
-static void hna_local_start_timer(struct bat_priv *bat_priv)
+/* returns 1 if they are the same mac addr */
+static int compare_ltt(struct hlist_node *node, void *data2)
 {
-        INIT_DELAYED_WORK(&bat_priv->hna_work, hna_local_purge);
+        void *data1 = container_of(node, struct tt_local_entry, hash_entry);
-        queue_delayed_work(bat_event_workqueue, &bat_priv->hna_work, 10 * HZ);
+        return (memcmp(data1, data2, ETH_ALEN) == 0 ? 1 : 0);
+}
+/* returns 1 if they are the same mac addr */
+static int compare_gtt(struct hlist_node *node, void *data2)
+{
+        void *data1 = container_of(node, struct tt_global_entry, hash_entry);
+        return (memcmp(data1, data2, ETH_ALEN) == 0 ? 1 : 0);
+}
+static void tt_local_start_timer(struct bat_priv *bat_priv)
+{
+        INIT_DELAYED_WORK(&bat_priv->tt_work, tt_local_purge);
+        queue_delayed_work(bat_event_workqueue, &bat_priv->tt_work, 10 * HZ);
+}
+static struct tt_local_entry *tt_local_hash_find(struct bat_priv *bat_priv,
+                                                   void *data)
+{
+        struct hashtable_t *hash = bat_priv->tt_local_hash;
+        struct hlist_head *head;
+        struct hlist_node *node;
+        struct tt_local_entry *tt_local_entry, *tt_local_entry_tmp = NULL;
+        int index;
+        if (!hash)
+                return NULL;
+        index = choose_orig(data, hash->size);
+        head = &hash->table[index];
+        rcu_read_lock();
+        hlist_for_each_entry_rcu(tt_local_entry, node, head, hash_entry) {
+                if (!compare_eth(tt_local_entry, data))
+                        continue;
+                tt_local_entry_tmp = tt_local_entry;
+                break;
+        }
+        rcu_read_unlock();
+        return tt_local_entry_tmp;
+}
+static struct tt_global_entry *tt_global_hash_find(struct bat_priv *bat_priv,
+                                                     void *data)
+{
+        struct hashtable_t *hash = bat_priv->tt_global_hash;
+        struct hlist_head *head;
+        struct hlist_node *node;
+        struct tt_global_entry *tt_global_entry;
+        struct tt_global_entry *tt_global_entry_tmp = NULL;
+        int index;
+        if (!hash)
+                return NULL;
+        index = choose_orig(data, hash->size);
+        head = &hash->table[index];
+        rcu_read_lock();
+        hlist_for_each_entry_rcu(tt_global_entry, node, head, hash_entry) {
+                if (!compare_eth(tt_global_entry, data))
+                        continue;
+                tt_global_entry_tmp = tt_global_entry;
+                break;
+        }
+        rcu_read_unlock();
+        return tt_global_entry_tmp;
 }
-int hna_local_init(struct bat_priv *bat_priv)
+int tt_local_init(struct bat_priv *bat_priv)
 {
-        if (bat_priv->hna_local_hash)
+        if (bat_priv->tt_local_hash)
                return 1;
-        bat_priv->hna_local_hash = hash_new(1024);
+        bat_priv->tt_local_hash = hash_new(1024);
-        if (!bat_priv->hna_local_hash)
+        if (!bat_priv->tt_local_hash)
                return 0;
-        atomic_set(&bat_priv->hna_local_changed, 0);
+        atomic_set(&bat_priv->tt_local_changed, 0);
-        hna_local_start_timer(bat_priv);
+        tt_local_start_timer(bat_priv);
        return 1;
 }
-void hna_local_add(struct net_device *soft_iface, uint8_t *addr)
+void tt_local_add(struct net_device *soft_iface, uint8_t *addr)
 {
        struct bat_priv *bat_priv = netdev_priv(soft_iface);
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
-        struct hna_global_entry *hna_global_entry;
+        struct tt_global_entry *tt_global_entry;
        int required_bytes;
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
-        hna_local_entry =
+        tt_local_entry = tt_local_hash_find(bat_priv, addr);
-                ((struct hna_local_entry *)hash_find(bat_priv->hna_local_hash,
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
-                                                     compare_orig, choose_orig,
-                                                     addr));
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
-        if (hna_local_entry) {
+        if (tt_local_entry) {
-                hna_local_entry->last_seen = jiffies;
+                tt_local_entry->last_seen = jiffies;
                return;
        }
        /* only announce as many hosts as possible in the batman-packet and
-           space in batman_packet->num_hna That also should give a limit to
+           space in batman_packet->num_tt That also should give a limit to
           MAC-flooding. */
-        required_bytes = (bat_priv->num_local_hna + 1) * ETH_ALEN;
+        required_bytes = (bat_priv->num_local_tt + 1) * ETH_ALEN;
        required_bytes += BAT_PACKET_LEN;
        if ((required_bytes > ETH_DATA_LEN) ||
            (atomic_read(&bat_priv->aggregated_ogms) &&
             required_bytes > MAX_AGGREGATION_BYTES) ||
-            (bat_priv->num_local_hna + 1 > 255)) {
+            (bat_priv->num_local_tt + 1 > 255)) {
                bat_dbg(DBG_ROUTES, bat_priv,
-                        "Can't add new local hna entry (%pM): "
+                        "Can't add new local tt entry (%pM): "
-                        "number of local hna entries exceeds packet size\n",
+                        "number of local tt entries exceeds packet size\n",
                        addr);
                return;
        }
        bat_dbg(DBG_ROUTES, bat_priv,
-                "Creating new local hna entry: %pM\n", addr);
+                "Creating new local tt entry: %pM\n", addr);
-        hna_local_entry = kmalloc(sizeof(struct hna_local_entry), GFP_ATOMIC);
+        tt_local_entry = kmalloc(sizeof(struct tt_local_entry), GFP_ATOMIC);
-        if (!hna_local_entry)
+        if (!tt_local_entry)
                return;
-        memcpy(hna_local_entry->addr, addr, ETH_ALEN);
+        memcpy(tt_local_entry->addr, addr, ETH_ALEN);
-        hna_local_entry->last_seen = jiffies;
+        tt_local_entry->last_seen = jiffies;
        /* the batman interface mac address should never be purged */
-        if (compare_orig(addr, soft_iface->dev_addr))
+        if (compare_eth(addr, soft_iface->dev_addr))
-                hna_local_entry->never_purge = 1;
+                tt_local_entry->never_purge = 1;
        else
-                hna_local_entry->never_purge = 0;
+                tt_local_entry->never_purge = 0;
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
-        hash_add(bat_priv->hna_local_hash, compare_orig, choose_orig,
+        hash_add(bat_priv->tt_local_hash, compare_ltt, choose_orig,
-                 hna_local_entry);
+                 tt_local_entry, &tt_local_entry->hash_entry);
-        bat_priv->num_local_hna++;
+        bat_priv->num_local_tt++;
-        atomic_set(&bat_priv->hna_local_changed, 1);
+        atomic_set(&bat_priv->tt_local_changed, 1);
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
        /* remove address from global hash if present */
-        spin_lock_bh(&bat_priv->hna_ghash_lock);
+        spin_lock_bh(&bat_priv->tt_ghash_lock);
-        hna_global_entry = ((struct hna_global_entry *)
+        tt_global_entry = tt_global_hash_find(bat_priv, addr);
-                                hash_find(bat_priv->hna_global_hash,
-                                          compare_orig, choose_orig, addr));
-        if (hna_global_entry)
+        if (tt_global_entry)
-                _hna_global_del_orig(bat_priv, hna_global_entry,
+                _tt_global_del_orig(bat_priv, tt_global_entry,
-                                     "local hna received");
+                                     "local tt received");
-        spin_unlock_bh(&bat_priv->hna_ghash_lock);
+        spin_unlock_bh(&bat_priv->tt_ghash_lock);
 }
-int hna_local_fill_buffer(struct bat_priv *bat_priv,
+int tt_local_fill_buffer(struct bat_priv *bat_priv,
                          unsigned char *buff, int buff_len)
 {
-        struct hashtable_t *hash = bat_priv->hna_local_hash;
+        struct hashtable_t *hash = bat_priv->tt_local_hash;
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
-        struct element_t *bucket;
+        struct hlist_node *node;
-        int i;
-        struct hlist_node *walk;
        struct hlist_head *head;
-        int count = 0;
+        int i, count = 0;
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(bucket, walk, head, hlist) {
+                rcu_read_lock();
+                hlist_for_each_entry_rcu(tt_local_entry, node,
+                                         head, hash_entry) {
                        if (buff_len < (count + 1) * ETH_ALEN)
                                break;
-                        hna_local_entry = bucket->data;
+                        memcpy(buff + (count * ETH_ALEN), tt_local_entry->addr,
-                        memcpy(buff + (count * ETH_ALEN), hna_local_entry->addr,
                               ETH_ALEN);
                        count++;
                }
+                rcu_read_unlock();
        }
-        /* if we did not get all new local hnas see you next time  ;-) */
+        /* if we did not get all new local tts see you next time  ;-) */
-        if (count == bat_priv->num_local_hna)
+        if (count == bat_priv->num_local_tt)
-                atomic_set(&bat_priv->hna_local_changed, 0);
+                atomic_set(&bat_priv->tt_local_changed, 0);
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
        return count;
 }
-int hna_local_seq_print_text(struct seq_file *seq, void *offset)
+int tt_local_seq_print_text(struct seq_file *seq, void *offset)
 {
        struct net_device *net_dev = (struct net_device *)seq->private;
        struct bat_priv *bat_priv = netdev_priv(net_dev);
-        struct hashtable_t *hash = bat_priv->hna_local_hash;
+        struct hashtable_t *hash = bat_priv->tt_local_hash;
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
-        int i;
+        struct hard_iface *primary_if;
-        struct hlist_node *walk;
+        struct hlist_node *node;
        struct hlist_head *head;
-        struct element_t *bucket;
        size_t buf_size, pos;
        char *buff;
+        int i, ret = 0;
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if) {
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - "
+                                 "please specify interfaces to enable it\n",
+                                 net_dev->name);
+                goto out;
+        }
-        if (!bat_priv->primary_if) {
+        if (primary_if->if_status != IF_ACTIVE) {
-                return seq_printf(seq, "BATMAN mesh %s disabled - "
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - "
-                               "please specify interfaces to enable it\n",
+                                 "primary interface not active\n",
-                               net_dev->name);
+                                 net_dev->name);
+                goto out;
        }
        seq_printf(seq, "Locally retrieved addresses (from %s) "
-                   "announced via HNA:\n",
+                   "announced via TT:\n",
                   net_dev->name);
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
        buf_size = 1;
        /* Estimate length for: " * xx:xx:xx:xx:xx:xx\n" */
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each(walk, head)
+                rcu_read_lock();
+                __hlist_for_each_rcu(node, head)
                        buf_size += 21;
+                rcu_read_unlock();
        }
        buff = kmalloc(buf_size, GFP_ATOMIC);
        if (!buff) {
-                spin_unlock_bh(&bat_priv->hna_lhash_lock);
+                spin_unlock_bh(&bat_priv->tt_lhash_lock);
-                return -ENOMEM;
+                ret = -ENOMEM;
+                goto out;
        }
        buff[0] = '\0';
        pos = 0;
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(bucket, walk, head, hlist) {
+                rcu_read_lock();
-                        hna_local_entry = bucket->data;
+                hlist_for_each_entry_rcu(tt_local_entry, node,
+                                         head, hash_entry) {
                        pos += snprintf(buff + pos, 22, " * %pM\n",
-                                        hna_local_entry->addr);
+                                        tt_local_entry->addr);
                }
+                rcu_read_unlock();
        }
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
        seq_printf(seq, "%s", buff);
        kfree(buff);
-        return 0;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        return ret;
 }
-static void _hna_local_del(void *data, void *arg)
+static void _tt_local_del(struct hlist_node *node, void *arg)
 {
        struct bat_priv *bat_priv = (struct bat_priv *)arg;
+        void *data = container_of(node, struct tt_local_entry, hash_entry);
        kfree(data);
-        bat_priv->num_local_hna--;
+        bat_priv->num_local_tt--;
-        atomic_set(&bat_priv->hna_local_changed, 1);
+        atomic_set(&bat_priv->tt_local_changed, 1);
 }
-static void hna_local_del(struct bat_priv *bat_priv,
+static void tt_local_del(struct bat_priv *bat_priv,
-                          struct hna_local_entry *hna_local_entry,
+                          struct tt_local_entry *tt_local_entry,
                          char *message)
 {
-        bat_dbg(DBG_ROUTES, bat_priv, "Deleting local hna entry (%pM): %s\n",
+        bat_dbg(DBG_ROUTES, bat_priv, "Deleting local tt entry (%pM): %s\n",
-                hna_local_entry->addr, message);
+                tt_local_entry->addr, message);
-        hash_remove(bat_priv->hna_local_hash, compare_orig, choose_orig,
+        hash_remove(bat_priv->tt_local_hash, compare_ltt, choose_orig,
-                    hna_local_entry->addr);
+                    tt_local_entry->addr);
-        _hna_local_del(hna_local_entry, bat_priv);
+        _tt_local_del(&tt_local_entry->hash_entry, bat_priv);
 }
-void hna_local_remove(struct bat_priv *bat_priv,
+void tt_local_remove(struct bat_priv *bat_priv,
                      uint8_t *addr, char *message)
 {
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
-        hna_local_entry = (struct hna_local_entry *)
+        tt_local_entry = tt_local_hash_find(bat_priv, addr);
-                hash_find(bat_priv->hna_local_hash, compare_orig, choose_orig,
-                          addr);
-        if (hna_local_entry)
+        if (tt_local_entry)
-                hna_local_del(bat_priv, hna_local_entry, message);
+                tt_local_del(bat_priv, tt_local_entry, message);
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
 }
-static void hna_local_purge(struct work_struct *work)
+static void tt_local_purge(struct work_struct *work)
 {
        struct delayed_work *delayed_work =
                container_of(work, struct delayed_work, work);
        struct bat_priv *bat_priv =
-                container_of(delayed_work, struct bat_priv, hna_work);
+                container_of(delayed_work, struct bat_priv, tt_work);
-        struct hashtable_t *hash = bat_priv->hna_local_hash;
+        struct hashtable_t *hash = bat_priv->tt_local_hash;
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
-        int i;
+        struct hlist_node *node, *node_tmp;
-        struct hlist_node *walk, *safe;
        struct hlist_head *head;
-        struct element_t *bucket;
        unsigned long timeout;
+        int i;
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry_safe(bucket, walk, safe, head, hlist) {
+                hlist_for_each_entry_safe(tt_local_entry, node, node_tmp,
-                        hna_local_entry = bucket->data;
+                                          head, hash_entry) {
+                        if (tt_local_entry->never_purge)
+                                continue;
-                        timeout = hna_local_entry->last_seen;
+                        timeout = tt_local_entry->last_seen;
-                        timeout += LOCAL_HNA_TIMEOUT * HZ;
+                        timeout += TT_LOCAL_TIMEOUT * HZ;
-                        if ((!hna_local_entry->never_purge) &&
+                        if (time_before(jiffies, timeout))
-                            time_after(jiffies, timeout))
+                                continue;
-                                hna_local_del(bat_priv, hna_local_entry,
-                                        "address timed out");
+                        tt_local_del(bat_priv, tt_local_entry,
+                                      "address timed out");
                }
        }
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
-        hna_local_start_timer(bat_priv);
+        tt_local_start_timer(bat_priv);
 }
-void hna_local_free(struct bat_priv *bat_priv)
+void tt_local_free(struct bat_priv *bat_priv)
 {
-        if (!bat_priv->hna_local_hash)
+        if (!bat_priv->tt_local_hash)
                return;
-        cancel_delayed_work_sync(&bat_priv->hna_work);
+        cancel_delayed_work_sync(&bat_priv->tt_work);
-        hash_delete(bat_priv->hna_local_hash, _hna_local_del, bat_priv);
+        hash_delete(bat_priv->tt_local_hash, _tt_local_del, bat_priv);
-        bat_priv->hna_local_hash = NULL;
+        bat_priv->tt_local_hash = NULL;
 }
-int hna_global_init(struct bat_priv *bat_priv)
+int tt_global_init(struct bat_priv *bat_priv)
 {
-        if (bat_priv->hna_global_hash)
+        if (bat_priv->tt_global_hash)
                return 1;
-        bat_priv->hna_global_hash = hash_new(1024);
+        bat_priv->tt_global_hash = hash_new(1024);
-        if (!bat_priv->hna_global_hash)
+        if (!bat_priv->tt_global_hash)
                return 0;
        return 1;
 }
-void hna_global_add_orig(struct bat_priv *bat_priv,
+void tt_global_add_orig(struct bat_priv *bat_priv,
                         struct orig_node *orig_node,
-                         unsigned char *hna_buff, int hna_buff_len)
+                         unsigned char *tt_buff, int tt_buff_len)
 {
-        struct hna_global_entry *hna_global_entry;
+        struct tt_global_entry *tt_global_entry;
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
-        int hna_buff_count = 0;
+        int tt_buff_count = 0;
-        unsigned char *hna_ptr;
+        unsigned char *tt_ptr;
-        while ((hna_buff_count + 1) * ETH_ALEN <= hna_buff_len) {
+        while ((tt_buff_count + 1) * ETH_ALEN <= tt_buff_len) {
-                spin_lock_bh(&bat_priv->hna_ghash_lock);
+                spin_lock_bh(&bat_priv->tt_ghash_lock);
-                hna_ptr = hna_buff + (hna_buff_count * ETH_ALEN);
+                tt_ptr = tt_buff + (tt_buff_count * ETH_ALEN);
-                hna_global_entry = (struct hna_global_entry *)
+                tt_global_entry = tt_global_hash_find(bat_priv, tt_ptr);
-                        hash_find(bat_priv->hna_global_hash, compare_orig,
-                                  choose_orig, hna_ptr);
-                if (!hna_global_entry) {
+                if (!tt_global_entry) {
-                        spin_unlock_bh(&bat_priv->hna_ghash_lock);
+                        spin_unlock_bh(&bat_priv->tt_ghash_lock);
-                        hna_global_entry =
+                        tt_global_entry =
-                                kmalloc(sizeof(struct hna_global_entry),
+                                kmalloc(sizeof(struct tt_global_entry),
                                        GFP_ATOMIC);
-                        if (!hna_global_entry)
+                        if (!tt_global_entry)
                                break;
-                        memcpy(hna_global_entry->addr, hna_ptr, ETH_ALEN);
+                        memcpy(tt_global_entry->addr, tt_ptr, ETH_ALEN);
                        bat_dbg(DBG_ROUTES, bat_priv,
-                                "Creating new global hna entry: "
+                                "Creating new global tt entry: "
                                "%pM (via %pM)\n",
-                                hna_global_entry->addr, orig_node->orig);
+                                tt_global_entry->addr, orig_node->orig);
-                        spin_lock_bh(&bat_priv->hna_ghash_lock);
+                        spin_lock_bh(&bat_priv->tt_ghash_lock);
-                        hash_add(bat_priv->hna_global_hash, compare_orig,
+                        hash_add(bat_priv->tt_global_hash, compare_gtt,
-                                 choose_orig, hna_global_entry);
+                                 choose_orig, tt_global_entry,
+                                 &tt_global_entry->hash_entry);
                }
-                hna_global_entry->orig_node = orig_node;
+                tt_global_entry->orig_node = orig_node;
-                spin_unlock_bh(&bat_priv->hna_ghash_lock);
+                spin_unlock_bh(&bat_priv->tt_ghash_lock);
                /* remove address from local hash if present */
-                spin_lock_bh(&bat_priv->hna_lhash_lock);
+                spin_lock_bh(&bat_priv->tt_lhash_lock);
-                hna_ptr = hna_buff + (hna_buff_count * ETH_ALEN);
+                tt_ptr = tt_buff + (tt_buff_count * ETH_ALEN);
-                hna_local_entry = (struct hna_local_entry *)
+                tt_local_entry = tt_local_hash_find(bat_priv, tt_ptr);
-                        hash_find(bat_priv->hna_local_hash, compare_orig,
-                                  choose_orig, hna_ptr);
-                if (hna_local_entry)
+                if (tt_local_entry)
-                        hna_local_del(bat_priv, hna_local_entry,
+                        tt_local_del(bat_priv, tt_local_entry,
-                                      "global hna received");
+                                      "global tt received");
-                spin_unlock_bh(&bat_priv->hna_lhash_lock);
+                spin_unlock_bh(&bat_priv->tt_lhash_lock);
-                hna_buff_count++;
+                tt_buff_count++;
        }
        /* initialize, and overwrite if malloc succeeds */
-        orig_node->hna_buff = NULL;
+        orig_node->tt_buff = NULL;
-        orig_node->hna_buff_len = 0;
+        orig_node->tt_buff_len = 0;
-        if (hna_buff_len > 0) {
+        if (tt_buff_len > 0) {
-                orig_node->hna_buff = kmalloc(hna_buff_len, GFP_ATOMIC);
+                orig_node->tt_buff = kmalloc(tt_buff_len, GFP_ATOMIC);
-                if (orig_node->hna_buff) {
+                if (orig_node->tt_buff) {
-                        memcpy(orig_node->hna_buff, hna_buff, hna_buff_len);
+                        memcpy(orig_node->tt_buff, tt_buff, tt_buff_len);
-                        orig_node->hna_buff_len = hna_buff_len;
+                        orig_node->tt_buff_len = tt_buff_len;
                }
        }
 }
-int hna_global_seq_print_text(struct seq_file *seq, void *offset)
+int tt_global_seq_print_text(struct seq_file *seq, void *offset)
 {
        struct net_device *net_dev = (struct net_device *)seq->private;
        struct bat_priv *bat_priv = netdev_priv(net_dev);
-        struct hashtable_t *hash = bat_priv->hna_global_hash;
+        struct hashtable_t *hash = bat_priv->tt_global_hash;
-        struct hna_global_entry *hna_global_entry;
+        struct tt_global_entry *tt_global_entry;
-        int i;
+        struct hard_iface *primary_if;
-        struct hlist_node *walk;
+        struct hlist_node *node;
        struct hlist_head *head;
-        struct element_t *bucket;
        size_t buf_size, pos;
        char *buff;
+        int i, ret = 0;
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if) {
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - please "
+                                 "specify interfaces to enable it\n",
+                                 net_dev->name);
+                goto out;
+        }
-        if (!bat_priv->primary_if) {
+        if (primary_if->if_status != IF_ACTIVE) {
-                return seq_printf(seq, "BATMAN mesh %s disabled - "
+                ret = seq_printf(seq, "BATMAN mesh %s disabled - "
-                                  "please specify interfaces to enable it\n",
+                                 "primary interface not active\n",
-                                  net_dev->name);
+                                 net_dev->name);
+                goto out;
        }
-        seq_printf(seq, "Globally announced HNAs received via the mesh %s\n",
+        seq_printf(seq,
+                   "Globally announced TT entries received via the mesh %s\n",
                   net_dev->name);
-        spin_lock_bh(&bat_priv->hna_ghash_lock);
+        spin_lock_bh(&bat_priv->tt_ghash_lock);
        buf_size = 1;
        /* Estimate length for: " * xx:xx:xx:xx:xx:xx via xx:xx:xx:xx:xx:xx\n"*/
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each(walk, head)
+                rcu_read_lock();
+                __hlist_for_each_rcu(node, head)
                        buf_size += 43;
+                rcu_read_unlock();
        }
        buff = kmalloc(buf_size, GFP_ATOMIC);
        if (!buff) {
-                spin_unlock_bh(&bat_priv->hna_ghash_lock);
+                spin_unlock_bh(&bat_priv->tt_ghash_lock);
-                return -ENOMEM;
+                ret = -ENOMEM;
+                goto out;
        }
        buff[0] = '\0';
        pos = 0;
@@ -439,96 +534,105 @@ int hna_global_seq_print_text(struct seq_file *seq, void *offset)
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(bucket, walk, head, hlist) {
+                rcu_read_lock();
-                        hna_global_entry = bucket->data;
+                hlist_for_each_entry_rcu(tt_global_entry, node,
+                                         head, hash_entry) {
                        pos += snprintf(buff + pos, 44,
                                        " * %pM via %pM\n",
-                                        hna_global_entry->addr,
+                                        tt_global_entry->addr,
-                                        hna_global_entry->orig_node->orig);
+                                        tt_global_entry->orig_node->orig);
                }
+                rcu_read_unlock();
        }
-        spin_unlock_bh(&bat_priv->hna_ghash_lock);
+        spin_unlock_bh(&bat_priv->tt_ghash_lock);
        seq_printf(seq, "%s", buff);
        kfree(buff);
-        return 0;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        return ret;
 }
-static void _hna_global_del_orig(struct bat_priv *bat_priv,
+static void _tt_global_del_orig(struct bat_priv *bat_priv,
-                                 struct hna_global_entry *hna_global_entry,
+                                 struct tt_global_entry *tt_global_entry,
                                 char *message)
 {
        bat_dbg(DBG_ROUTES, bat_priv,
-                "Deleting global hna entry %pM (via %pM): %s\n",
+                "Deleting global tt entry %pM (via %pM): %s\n",
-                hna_global_entry->addr, hna_global_entry->orig_node->orig,
+                tt_global_entry->addr, tt_global_entry->orig_node->orig,
                message);
-        hash_remove(bat_priv->hna_global_hash, compare_orig, choose_orig,
+        hash_remove(bat_priv->tt_global_hash, compare_gtt, choose_orig,
-                    hna_global_entry->addr);
+                    tt_global_entry->addr);
-        kfree(hna_global_entry);
+        kfree(tt_global_entry);
 }
-void hna_global_del_orig(struct bat_priv *bat_priv,
+void tt_global_del_orig(struct bat_priv *bat_priv,
                         struct orig_node *orig_node, char *message)
 {
-        struct hna_global_entry *hna_global_entry;
+        struct tt_global_entry *tt_global_entry;
-        int hna_buff_count = 0;
+        int tt_buff_count = 0;
-        unsigned char *hna_ptr;
+        unsigned char *tt_ptr;
-        if (orig_node->hna_buff_len == 0)
+        if (orig_node->tt_buff_len == 0)
                return;
-        spin_lock_bh(&bat_priv->hna_ghash_lock);
+        spin_lock_bh(&bat_priv->tt_ghash_lock);
-        while ((hna_buff_count + 1) * ETH_ALEN <= orig_node->hna_buff_len) {
+        while ((tt_buff_count + 1) * ETH_ALEN <= orig_node->tt_buff_len) {
-                hna_ptr = orig_node->hna_buff + (hna_buff_count * ETH_ALEN);
+                tt_ptr = orig_node->tt_buff + (tt_buff_count * ETH_ALEN);
-                hna_global_entry = (struct hna_global_entry *)
+                tt_global_entry = tt_global_hash_find(bat_priv, tt_ptr);
-                        hash_find(bat_priv->hna_global_hash, compare_orig,
-                                  choose_orig, hna_ptr);
-                if ((hna_global_entry) &&
+                if ((tt_global_entry) &&
-                    (hna_global_entry->orig_node == orig_node))
+                    (tt_global_entry->orig_node == orig_node))
-                        _hna_global_del_orig(bat_priv, hna_global_entry,
+                        _tt_global_del_orig(bat_priv, tt_global_entry,
                                             message);
-                hna_buff_count++;
+                tt_buff_count++;
        }
-        spin_unlock_bh(&bat_priv->hna_ghash_lock);
+        spin_unlock_bh(&bat_priv->tt_ghash_lock);
-        orig_node->hna_buff_len = 0;
+        orig_node->tt_buff_len = 0;
-        kfree(orig_node->hna_buff);
+        kfree(orig_node->tt_buff);
-        orig_node->hna_buff = NULL;
+        orig_node->tt_buff = NULL;
 }
-static void hna_global_del(void *data, void *arg)
+static void tt_global_del(struct hlist_node *node, void *arg)
 {
+        void *data = container_of(node, struct tt_global_entry, hash_entry);
        kfree(data);
 }
-void hna_global_free(struct bat_priv *bat_priv)
+void tt_global_free(struct bat_priv *bat_priv)
 {
-        if (!bat_priv->hna_global_hash)
+        if (!bat_priv->tt_global_hash)
                return;
-        hash_delete(bat_priv->hna_global_hash, hna_global_del, NULL);
+        hash_delete(bat_priv->tt_global_hash, tt_global_del, NULL);
-        bat_priv->hna_global_hash = NULL;
+        bat_priv->tt_global_hash = NULL;
 }
 struct orig_node *transtable_search(struct bat_priv *bat_priv, uint8_t *addr)
 {
-        struct hna_global_entry *hna_global_entry;
+        struct tt_global_entry *tt_global_entry;
+        struct orig_node *orig_node = NULL;
-        spin_lock_bh(&bat_priv->hna_ghash_lock);
+        spin_lock_bh(&bat_priv->tt_ghash_lock);
-        hna_global_entry = (struct hna_global_entry *)
+        tt_global_entry = tt_global_hash_find(bat_priv, addr);
-                                hash_find(bat_priv->hna_global_hash,
-                                          compare_orig, choose_orig, addr);
-        spin_unlock_bh(&bat_priv->hna_ghash_lock);
-        if (!hna_global_entry)
+        if (!tt_global_entry)
-                return NULL;
+                goto out;
+        if (!atomic_inc_not_zero(&tt_global_entry->orig_node->refcount))
+                goto out;
+        orig_node = tt_global_entry->orig_node;
-        return hna_global_entry->orig_node;
+out:
+        spin_unlock_bh(&bat_priv->tt_ghash_lock);
+        return orig_node;
 }
diff --git a/net/batman-adv/translation-table.h b/net/batman-adv/translation-table.h
index 10c4c5c319b6..46152c38cc95 100644
--- a/net/batman-adv/translation-table.h
+++ b/net/batman-adv/translation-table.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -22,24 +22,22 @@
 #ifndef _NET_BATMAN_ADV_TRANSLATION_TABLE_H_
 #define _NET_BATMAN_ADV_TRANSLATION_TABLE_H_
-#include "types.h"
+int tt_local_init(struct bat_priv *bat_priv);
+void tt_local_add(struct net_device *soft_iface, uint8_t *addr);
-int hna_local_init(struct bat_priv *bat_priv);
+void tt_local_remove(struct bat_priv *bat_priv,
-void hna_local_add(struct net_device *soft_iface, uint8_t *addr);
-void hna_local_remove(struct bat_priv *bat_priv,
                      uint8_t *addr, char *message);
-int hna_local_fill_buffer(struct bat_priv *bat_priv,
+int tt_local_fill_buffer(struct bat_priv *bat_priv,
                          unsigned char *buff, int buff_len);
-int hna_local_seq_print_text(struct seq_file *seq, void *offset);
+int tt_local_seq_print_text(struct seq_file *seq, void *offset);
-void hna_local_free(struct bat_priv *bat_priv);
+void tt_local_free(struct bat_priv *bat_priv);
-int hna_global_init(struct bat_priv *bat_priv);
+int tt_global_init(struct bat_priv *bat_priv);
-void hna_global_add_orig(struct bat_priv *bat_priv,
+void tt_global_add_orig(struct bat_priv *bat_priv,
                         struct orig_node *orig_node,
-                         unsigned char *hna_buff, int hna_buff_len);
+                         unsigned char *tt_buff, int tt_buff_len);
-int hna_global_seq_print_text(struct seq_file *seq, void *offset);
+int tt_global_seq_print_text(struct seq_file *seq, void *offset);
-void hna_global_del_orig(struct bat_priv *bat_priv,
+void tt_global_del_orig(struct bat_priv *bat_priv,
                         struct orig_node *orig_node, char *message);
-void hna_global_free(struct bat_priv *bat_priv);
+void tt_global_free(struct bat_priv *bat_priv);
 struct orig_node *transtable_search(struct bat_priv *bat_priv, uint8_t *addr);
 #endif /* _NET_BATMAN_ADV_TRANSLATION_TABLE_H_ */
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index bf3f6f5a12c4..fab70e8b16ee 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
 *
 * Marek Lindner, Simon Wunderlich
 *
@@ -33,7 +33,7 @@
         sizeof(struct bcast_packet))))
-struct batman_if {
+struct hard_iface {
        struct list_head list;
        int16_t if_num;
        char if_status;
@@ -43,7 +43,7 @@ struct batman_if {
        unsigned char *packet_buff;
        int packet_len;
        struct kobject *hardif_obj;
-        struct kref refcount;
+        atomic_t refcount;
        struct packet_type batman_adv_ptype;
        struct net_device *soft_iface;
        struct rcu_head rcu;
@@ -67,36 +67,42 @@ struct batman_if {
 struct orig_node {
        uint8_t orig[ETH_ALEN];
        uint8_t primary_addr[ETH_ALEN];
-        struct neigh_node *router;
+        struct neigh_node __rcu *router; /* rcu protected pointer */
        unsigned long *bcast_own;
        uint8_t *bcast_own_sum;
-        uint8_t tq_own;
-        int tq_asym_penalty;
        unsigned long last_valid;
        unsigned long bcast_seqno_reset;
        unsigned long batman_seqno_reset;
        uint8_t gw_flags;
        uint8_t flags;
-        unsigned char *hna_buff;
+        unsigned char *tt_buff;
-        int16_t hna_buff_len;
+        int16_t tt_buff_len;
        uint32_t last_real_seqno;
        uint8_t last_ttl;
        unsigned long bcast_bits[NUM_WORDS];
        uint32_t last_bcast_seqno;
-        struct list_head neigh_list;
+        struct hlist_head neigh_list;
        struct list_head frag_list;
+        spinlock_t neigh_list_lock; /* protects neigh_list and router */
+        atomic_t refcount;
+        struct rcu_head rcu;
+        struct hlist_node hash_entry;
+        struct bat_priv *bat_priv;
        unsigned long last_frag_packet;
-        struct {
+        /* ogm_cnt_lock protects: bcast_own, bcast_own_sum,
-                uint8_t candidates;
+         * neigh_node->real_bits, neigh_node->real_packet_count */
-                struct neigh_node *selected;
+        spinlock_t ogm_cnt_lock;
-        } bond;
+        /* bcast_seqno_lock protects bcast_bits, last_bcast_seqno */
+        spinlock_t bcast_seqno_lock;
+        atomic_t bond_candidates;
+        struct list_head bond_list;
 };
 struct gw_node {
        struct hlist_node list;
        struct orig_node *orig_node;
        unsigned long deleted;
-        struct kref refcount;
+        atomic_t refcount;
        struct rcu_head rcu;
 };
@@ -105,18 +111,21 @@ struct gw_node {
 *      @last_valid: when last packet via this neighbor was received
 */
 struct neigh_node {
-        struct list_head list;
+        struct hlist_node list;
        uint8_t addr[ETH_ALEN];
        uint8_t real_packet_count;
        uint8_t tq_recv[TQ_GLOBAL_WINDOW_SIZE];
        uint8_t tq_index;
        uint8_t tq_avg;
        uint8_t last_ttl;
-        struct neigh_node *next_bond_candidate;
+        struct list_head bonding_list;
        unsigned long last_valid;
        unsigned long real_bits[NUM_WORDS];
+        atomic_t refcount;
+        struct rcu_head rcu;
        struct orig_node *orig_node;
-        struct batman_if *if_incoming;
+        struct hard_iface *if_incoming;
+        spinlock_t tq_lock;     /* protects: tq_recv, tq_index */
 };
@@ -137,35 +146,34 @@ struct bat_priv {
        atomic_t bcast_queue_left;
        atomic_t batman_queue_left;
        char num_ifaces;
-        struct hlist_head softif_neigh_list;
-        struct softif_neigh *softif_neigh;
        struct debug_log *debug_log;
-        struct batman_if *primary_if;
        struct kobject *mesh_obj;
        struct dentry *debug_dir;
        struct hlist_head forw_bat_list;
        struct hlist_head forw_bcast_list;
        struct hlist_head gw_list;
+        struct hlist_head softif_neigh_vids;
        struct list_head vis_send_list;
        struct hashtable_t *orig_hash;
-        struct hashtable_t *hna_local_hash;
+        struct hashtable_t *tt_local_hash;
-        struct hashtable_t *hna_global_hash;
+        struct hashtable_t *tt_global_hash;
        struct hashtable_t *vis_hash;
-        spinlock_t orig_hash_lock; /* protects orig_hash */
        spinlock_t forw_bat_list_lock; /* protects forw_bat_list */
        spinlock_t forw_bcast_list_lock; /* protects  */
-        spinlock_t hna_lhash_lock; /* protects hna_local_hash */
+        spinlock_t tt_lhash_lock; /* protects tt_local_hash */
-        spinlock_t hna_ghash_lock; /* protects hna_global_hash */
+        spinlock_t tt_ghash_lock; /* protects tt_global_hash */
-        spinlock_t gw_list_lock; /* protects gw_list */
+        spinlock_t gw_list_lock; /* protects gw_list and curr_gw */
        spinlock_t vis_hash_lock; /* protects vis_hash */
        spinlock_t vis_list_lock; /* protects vis_info::recv_list */
        spinlock_t softif_neigh_lock; /* protects soft-interface neigh list */
-        int16_t num_local_hna;
+        spinlock_t softif_neigh_vid_lock; /* protects soft-interface vid list */
-        atomic_t hna_local_changed;
+        int16_t num_local_tt;
-        struct delayed_work hna_work;
+        atomic_t tt_local_changed;
+        struct delayed_work tt_work;
        struct delayed_work orig_work;
        struct delayed_work vis_work;
-        struct gw_node *curr_gw;
+        struct gw_node __rcu *curr_gw;  /* rcu protected pointer */
+        struct hard_iface __rcu *primary_if;  /* rcu protected pointer */
        struct vis_info *my_vis_info;
 };
@@ -184,15 +192,17 @@ struct socket_packet {
        struct icmp_packet_rr icmp_packet;
 };
-struct hna_local_entry {
+struct tt_local_entry {
        uint8_t addr[ETH_ALEN];
        unsigned long last_seen;
        char never_purge;
+        struct hlist_node hash_entry;
 };
-struct hna_global_entry {
+struct tt_global_entry {
        uint8_t addr[ETH_ALEN];
        struct orig_node *orig_node;
+        struct hlist_node hash_entry;
 };
 /**
@@ -208,7 +218,7 @@ struct forw_packet {
        uint32_t direct_link_flags;
        uint8_t num_packets;
        struct delayed_work delayed_work;
-        struct batman_if *if_incoming;
+        struct hard_iface *if_incoming;
 };
 /* While scanning for vis-entries of a particular vis-originator
@@ -242,6 +252,7 @@ struct vis_info {
                             * from.  we should not reply to them. */
        struct list_head send_list;
        struct kref refcount;
+        struct hlist_node hash_entry;
        struct bat_priv *bat_priv;
        /* this packet might be part of the vis send queue. */
        struct sk_buff *skb_packet;
@@ -251,7 +262,7 @@ struct vis_info {
 struct vis_info_entry {
        uint8_t  src[ETH_ALEN];
        uint8_t  dest[ETH_ALEN];
-        uint8_t  quality;       /* quality = 0 means HNA */
+        uint8_t  quality;       /* quality = 0 client */
 } __packed;
 struct recvlist_node {
@@ -259,12 +270,21 @@ struct recvlist_node {
        uint8_t mac[ETH_ALEN];
 };
+struct softif_neigh_vid {
+        struct hlist_node list;
+        struct bat_priv *bat_priv;
+        short vid;
+        atomic_t refcount;
+        struct softif_neigh __rcu *softif_neigh;
+        struct rcu_head rcu;
+        struct hlist_head softif_neigh_list;
+};
 struct softif_neigh {
        struct hlist_node list;
        uint8_t addr[ETH_ALEN];
        unsigned long last_seen;
-        short vid;
+        atomic_t refcount;
-        struct kref refcount;
        struct rcu_head rcu;
 };
diff --git a/net/batman-adv/unicast.c b/net/batman-adv/unicast.c
index d1a611322549..19c3daf34ac6 100644
--- a/net/batman-adv/unicast.c
+++ b/net/batman-adv/unicast.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2010-2011 B.A.T.M.A.N. contributors:
 *
 * Andreas Langer
 *
@@ -39,8 +39,8 @@ static struct sk_buff *frag_merge_packet(struct list_head *head,
                (struct unicast_frag_packet *)skb->data;
        struct sk_buff *tmp_skb;
        struct unicast_packet *unicast_packet;
-        int hdr_len = sizeof(struct unicast_packet),
+        int hdr_len = sizeof(struct unicast_packet);
-            uni_diff = sizeof(struct unicast_frag_packet) - hdr_len;
+        int uni_diff = sizeof(struct unicast_frag_packet) - hdr_len;
        /* set skb to the first part and tmp_skb to the second part */
        if (up->flags & UNI_FRAG_HEAD) {
@@ -183,15 +183,10 @@ int frag_reassemble_skb(struct sk_buff *skb, struct bat_priv *bat_priv,
                (struct unicast_frag_packet *)skb->data;
        *new_skb = NULL;
-        spin_lock_bh(&bat_priv->orig_hash_lock);
-        orig_node = ((struct orig_node *)
-                    hash_find(bat_priv->orig_hash, compare_orig, choose_orig,
-                              unicast_packet->orig));
-        if (!orig_node) {
+        orig_node = orig_hash_find(bat_priv, unicast_packet->orig);
-                pr_debug("couldn't find originator in orig_hash\n");
+        if (!orig_node)
                goto out;
-        }
        orig_node->last_frag_packet = jiffies;
@@ -215,32 +210,38 @@ int frag_reassemble_skb(struct sk_buff *skb, struct bat_priv *bat_priv,
        /* if not, merge failed */
        if (*new_skb)
                ret = NET_RX_SUCCESS;
-out:
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
+out:
+        if (orig_node)
+                orig_node_free_ref(orig_node);
        return ret;
 }
 int frag_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv,
-                  struct batman_if *batman_if, uint8_t dstaddr[])
+                  struct hard_iface *hard_iface, uint8_t dstaddr[])
 {
        struct unicast_packet tmp_uc, *unicast_packet;
+        struct hard_iface *primary_if;
        struct sk_buff *frag_skb;
        struct unicast_frag_packet *frag1, *frag2;
        int uc_hdr_len = sizeof(struct unicast_packet);
        int ucf_hdr_len = sizeof(struct unicast_frag_packet);
-        int data_len = skb->len;
+        int data_len = skb->len - uc_hdr_len;
+        int large_tail = 0, ret = NET_RX_DROP;
+        uint16_t seqno;
-        if (!bat_priv->primary_if)
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
                goto dropped;
        frag_skb = dev_alloc_skb(data_len - (data_len / 2) + ucf_hdr_len);
        if (!frag_skb)
                goto dropped;
+        skb_reserve(frag_skb, ucf_hdr_len);
        unicast_packet = (struct unicast_packet *) skb->data;
        memcpy(&tmp_uc, unicast_packet, uc_hdr_len);
-        skb_split(skb, frag_skb, data_len / 2);
+        skb_split(skb, frag_skb, data_len / 2 + uc_hdr_len);
        if (my_skb_head_push(skb, ucf_hdr_len - uc_hdr_len) < 0 ||
            my_skb_head_push(frag_skb, ucf_hdr_len) < 0)
@@ -255,26 +256,32 @@ int frag_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv,
        frag1->version = COMPAT_VERSION;
        frag1->packet_type = BAT_UNICAST_FRAG;
-        memcpy(frag1->orig, bat_priv->primary_if->net_dev->dev_addr, ETH_ALEN);
+        memcpy(frag1->orig, primary_if->net_dev->dev_addr, ETH_ALEN);
        memcpy(frag2, frag1, sizeof(struct unicast_frag_packet));
-        frag1->flags |= UNI_FRAG_HEAD;
+        if (data_len & 1)
-        frag2->flags &= ~UNI_FRAG_HEAD;
+                large_tail = UNI_FRAG_LARGETAIL;
+        frag1->flags = UNI_FRAG_HEAD | large_tail;
+        frag2->flags = large_tail;
-        frag1->seqno = htons((uint16_t)atomic_inc_return(
+        seqno = atomic_add_return(2, &hard_iface->frag_seqno);
-                             &batman_if->frag_seqno));
+        frag1->seqno = htons(seqno - 1);
-        frag2->seqno = htons((uint16_t)atomic_inc_return(
+        frag2->seqno = htons(seqno);
-                             &batman_if->frag_seqno));
-        send_skb_packet(skb, batman_if, dstaddr);
+        send_skb_packet(skb, hard_iface, dstaddr);
-        send_skb_packet(frag_skb, batman_if, dstaddr);
+        send_skb_packet(frag_skb, hard_iface, dstaddr);
-        return NET_RX_SUCCESS;
+        ret = NET_RX_SUCCESS;
+        goto out;
 drop_frag:
        kfree_skb(frag_skb);
 dropped:
        kfree_skb(skb);
-        return NET_RX_DROP;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        return ret;
 }
 int unicast_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv)
@@ -282,44 +289,36 @@ int unicast_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv)
        struct ethhdr *ethhdr = (struct ethhdr *)skb->data;
        struct unicast_packet *unicast_packet;
        struct orig_node *orig_node;
-        struct batman_if *batman_if;
+        struct neigh_node *neigh_node;
-        struct neigh_node *router;
        int data_len = skb->len;
-        uint8_t dstaddr[6];
+        int ret = 1;
-        spin_lock_bh(&bat_priv->orig_hash_lock);
        /* get routing information */
-        if (is_multicast_ether_addr(ethhdr->h_dest))
+        if (is_multicast_ether_addr(ethhdr->h_dest)) {
-                orig_node = (struct orig_node *)gw_get_selected(bat_priv);
+                orig_node = (struct orig_node *)gw_get_selected_orig(bat_priv);
-        else
+                if (orig_node)
-                orig_node = ((struct orig_node *)hash_find(bat_priv->orig_hash,
+                        goto find_router;
-                                                           compare_orig,
+        }
-                                                           choose_orig,
-                                                           ethhdr->h_dest));
-        /* check for hna host */
-        if (!orig_node)
-                orig_node = transtable_search(bat_priv, ethhdr->h_dest);
-        router = find_router(bat_priv, orig_node, NULL);
-        if (!router)
-                goto unlock;
-        /* don't lock while sending the packets ... we therefore
+        /* check for tt host - increases orig_node refcount */
-                * copy the required data before sending */
+        orig_node = transtable_search(bat_priv, ethhdr->h_dest);
-        batman_if = router->if_incoming;
+find_router:
-        memcpy(dstaddr, router->addr, ETH_ALEN);
+        /**
+         * find_router():
+         *  - if orig_node is NULL it returns NULL
+         *  - increases neigh_nodes refcount if found.
+         */
+        neigh_node = find_router(bat_priv, orig_node, NULL);
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
+        if (!neigh_node)
+                goto out;
-        if (batman_if->if_status != IF_ACTIVE)
+        if (neigh_node->if_incoming->if_status != IF_ACTIVE)
-                goto dropped;
+                goto out;
        if (my_skb_head_push(skb, sizeof(struct unicast_packet)) < 0)
-                goto dropped;
+                goto out;
        unicast_packet = (struct unicast_packet *)skb->data;
@@ -333,18 +332,24 @@ int unicast_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv)
        if (atomic_read(&bat_priv->fragmentation) &&
            data_len + sizeof(struct unicast_packet) >
-            batman_if->net_dev->mtu) {
+                                neigh_node->if_incoming->net_dev->mtu) {
                /* send frag skb decreases ttl */
                unicast_packet->ttl++;
-                return frag_send_skb(skb, bat_priv, batman_if,
+                ret = frag_send_skb(skb, bat_priv,
-                                     dstaddr);
+                                    neigh_node->if_incoming, neigh_node->addr);
+                goto out;
        }
-        send_skb_packet(skb, batman_if, dstaddr);
-        return 0;
-unlock:
+        send_skb_packet(skb, neigh_node->if_incoming, neigh_node->addr);
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
+        ret = 0;
-dropped:
+        goto out;
-        kfree_skb(skb);
-        return 1;
+out:
+        if (neigh_node)
+                neigh_node_free_ref(neigh_node);
+        if (orig_node)
+                orig_node_free_ref(orig_node);
+        if (ret == 1)
+                kfree_skb(skb);
+        return ret;
 }
diff --git a/net/batman-adv/unicast.h b/net/batman-adv/unicast.h
index e32b7867a9a4..16ad7a9242b5 100644
--- a/net/batman-adv/unicast.h
+++ b/net/batman-adv/unicast.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2010-2011 B.A.T.M.A.N. contributors:
 *
 * Andreas Langer
 *
@@ -22,6 +22,8 @@
 #ifndef _NET_BATMAN_ADV_UNICAST_H_
 #define _NET_BATMAN_ADV_UNICAST_H_
+#include "packet.h"
 #define FRAG_TIMEOUT 10000      /* purge frag list entrys after time in ms */
 #define FRAG_BUFFER_SIZE 6      /* number of list elements in buffer */
@@ -30,6 +32,27 @@ int frag_reassemble_skb(struct sk_buff *skb, struct bat_priv *bat_priv,
 void frag_list_free(struct list_head *head);
 int unicast_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv);
 int frag_send_skb(struct sk_buff *skb, struct bat_priv *bat_priv,
-                  struct batman_if *batman_if, uint8_t dstaddr[]);
+                  struct hard_iface *hard_iface, uint8_t dstaddr[]);
+static inline int frag_can_reassemble(struct sk_buff *skb, int mtu)
+{
+        struct unicast_frag_packet *unicast_packet;
+        int uneven_correction = 0;
+        unsigned int merged_size;
+        unicast_packet = (struct unicast_frag_packet *)skb->data;
+        if (unicast_packet->flags & UNI_FRAG_LARGETAIL) {
+                if (unicast_packet->flags & UNI_FRAG_HEAD)
+                        uneven_correction = 1;
+                else
+                        uneven_correction = -1;
+        }
+        merged_size = (skb->len - sizeof(struct unicast_frag_packet)) * 2;
+        merged_size += sizeof(struct unicast_packet) + uneven_correction;
+        return merged_size <= mtu;
+}
 #endif /* _NET_BATMAN_ADV_UNICAST_H_ */
diff --git a/net/batman-adv/vis.c b/net/batman-adv/vis.c
index de1022cacaf7..c39f20cc1ba6 100644
--- a/net/batman-adv/vis.c
+++ b/net/batman-adv/vis.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2008-2011 B.A.T.M.A.N. contributors:
 *
 * Simon Wunderlich
 *
@@ -68,15 +68,16 @@ static void free_info(struct kref *ref)
 }
 /* Compare two vis packets, used by the hashing algorithm */
-static int vis_info_cmp(void *data1, void *data2)
+static int vis_info_cmp(struct hlist_node *node, void *data2)
 {
        struct vis_info *d1, *d2;
        struct vis_packet *p1, *p2;
-        d1 = data1;
+        d1 = container_of(node, struct vis_info, hash_entry);
        d2 = data2;
        p1 = (struct vis_packet *)d1->skb_packet->data;
        p2 = (struct vis_packet *)d2->skb_packet->data;
-        return compare_orig(p1->vis_orig, p2->vis_orig);
+        return compare_eth(p1->vis_orig, p2->vis_orig);
 }
 /* hash function to choose an entry in a hash table of given size */
@@ -104,6 +105,34 @@ static int vis_info_choose(void *data, int size)
        return hash % size;
 }
+static struct vis_info *vis_hash_find(struct bat_priv *bat_priv,
+                                      void *data)
+{
+        struct hashtable_t *hash = bat_priv->vis_hash;
+        struct hlist_head *head;
+        struct hlist_node *node;
+        struct vis_info *vis_info, *vis_info_tmp = NULL;
+        int index;
+        if (!hash)
+                return NULL;
+        index = vis_info_choose(data, hash->size);
+        head = &hash->table[index];
+        rcu_read_lock();
+        hlist_for_each_entry_rcu(vis_info, node, head, hash_entry) {
+                if (!vis_info_cmp(node, data))
+                        continue;
+                vis_info_tmp = vis_info;
+                break;
+        }
+        rcu_read_unlock();
+        return vis_info_tmp;
+}
 /* insert interface to the list of interfaces of one originator, if it
 * does not already exist in the list */
 static void vis_data_insert_interface(const uint8_t *interface,
@@ -114,7 +143,7 @@ static void vis_data_insert_interface(const uint8_t *interface,
        struct hlist_node *pos;
        hlist_for_each_entry(entry, pos, if_list, list) {
-                if (compare_orig(entry->addr, (void *)interface))
+                if (compare_eth(entry->addr, (void *)interface))
                        return;
        }
@@ -165,8 +194,8 @@ static ssize_t vis_data_read_entry(char *buff, struct vis_info_entry *entry,
 {
        /* maximal length: max(4+17+2, 3+17+1+3+2) == 26 */
        if (primary && entry->quality == 0)
-                return sprintf(buff, "HNA %pM, ", entry->dest);
+                return sprintf(buff, "TT %pM, ", entry->dest);
-        else if (compare_orig(entry->src, src))
+        else if (compare_eth(entry->src, src))
                return sprintf(buff, "TQ %pM %d, ", entry->dest,
                               entry->quality);
@@ -175,9 +204,9 @@ static ssize_t vis_data_read_entry(char *buff, struct vis_info_entry *entry,
 int vis_seq_print_text(struct seq_file *seq, void *offset)
 {
-        struct hlist_node *walk;
+        struct hard_iface *primary_if;
+        struct hlist_node *node;
        struct hlist_head *head;
-        struct element_t *bucket;
        struct vis_info *info;
        struct vis_packet *packet;
        struct vis_info_entry *entries;
@@ -187,15 +216,18 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
        HLIST_HEAD(vis_if_list);
        struct if_list_entry *entry;
        struct hlist_node *pos, *n;
-        int i, j;
+        int i, j, ret = 0;
        int vis_server = atomic_read(&bat_priv->vis_mode);
        size_t buff_pos, buf_size;
        char *buff;
        int compare;
-        if ((!bat_priv->primary_if) ||
+        primary_if = primary_if_get_selected(bat_priv);
-            (vis_server == VIS_TYPE_CLIENT_UPDATE))
+        if (!primary_if)
-                return 0;
+                goto out;
+        if (vis_server == VIS_TYPE_CLIENT_UPDATE)
+                goto out;
        buf_size = 1;
        /* Estimate length */
@@ -203,8 +235,8 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(bucket, walk, head, hlist) {
+                rcu_read_lock();
-                        info = bucket->data;
+                hlist_for_each_entry_rcu(info, node, head, hash_entry) {
                        packet = (struct vis_packet *)info->skb_packet->data;
                        entries = (struct vis_info_entry *)
                                ((char *)packet + sizeof(struct vis_packet));
@@ -213,7 +245,7 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
                                if (entries[j].quality == 0)
                                        continue;
                                compare =
-                                 compare_orig(entries[j].src, packet->vis_orig);
+                                 compare_eth(entries[j].src, packet->vis_orig);
                                vis_data_insert_interface(entries[j].src,
                                                          &vis_if_list,
                                                          compare);
@@ -223,7 +255,7 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
                                buf_size += 18 + 26 * packet->entries;
                                /* add primary/secondary records */
-                                if (compare_orig(entry->addr, packet->vis_orig))
+                                if (compare_eth(entry->addr, packet->vis_orig))
                                        buf_size +=
                                          vis_data_count_prim_sec(&vis_if_list);
@@ -236,12 +268,14 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
                                kfree(entry);
                        }
                }
+                rcu_read_unlock();
        }
        buff = kmalloc(buf_size, GFP_ATOMIC);
        if (!buff) {
                spin_unlock_bh(&bat_priv->vis_hash_lock);
-                return -ENOMEM;
+                ret = -ENOMEM;
+                goto out;
        }
        buff[0] = '\0';
        buff_pos = 0;
@@ -249,8 +283,8 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(bucket, walk, head, hlist) {
+                rcu_read_lock();
-                        info = bucket->data;
+                hlist_for_each_entry_rcu(info, node, head, hash_entry) {
                        packet = (struct vis_packet *)info->skb_packet->data;
                        entries = (struct vis_info_entry *)
                                ((char *)packet + sizeof(struct vis_packet));
@@ -259,7 +293,7 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
                                if (entries[j].quality == 0)
                                        continue;
                                compare =
-                                 compare_orig(entries[j].src, packet->vis_orig);
+                                 compare_eth(entries[j].src, packet->vis_orig);
                                vis_data_insert_interface(entries[j].src,
                                                          &vis_if_list,
                                                          compare);
@@ -277,7 +311,7 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
                                                        entry->primary);
                                /* add primary/secondary records */
-                                if (compare_orig(entry->addr, packet->vis_orig))
+                                if (compare_eth(entry->addr, packet->vis_orig))
                                        buff_pos +=
                                         vis_data_read_prim_sec(buff + buff_pos,
                                                                &vis_if_list);
@@ -291,6 +325,7 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
                                kfree(entry);
                        }
                }
+                rcu_read_unlock();
        }
        spin_unlock_bh(&bat_priv->vis_hash_lock);
@@ -298,7 +333,10 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
        seq_printf(seq, "%s", buff);
        kfree(buff);
-        return 0;
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
+        return ret;
 }
 /* add the info packet to the send list, if it was not
@@ -345,7 +383,7 @@ static int recv_list_is_in(struct bat_priv *bat_priv,
        spin_lock_bh(&bat_priv->vis_list_lock);
        list_for_each_entry(entry, recv_list, list) {
-                if (memcmp(entry->mac, mac, ETH_ALEN) == 0) {
+                if (compare_eth(entry->mac, mac)) {
                        spin_unlock_bh(&bat_priv->vis_list_lock);
                        return 1;
                }
@@ -381,8 +419,7 @@ static struct vis_info *add_packet(struct bat_priv *bat_priv,
                                                     sizeof(struct vis_packet));
        memcpy(search_packet->vis_orig, vis_packet->vis_orig, ETH_ALEN);
-        old_info = hash_find(bat_priv->vis_hash, vis_info_cmp, vis_info_choose,
+        old_info = vis_hash_find(bat_priv, &search_elem);
-                             &search_elem);
        kfree_skb(search_elem.skb_packet);
        if (old_info) {
@@ -442,7 +479,7 @@ static struct vis_info *add_packet(struct bat_priv *bat_priv,
        /* try to add it */
        hash_added = hash_add(bat_priv->vis_hash, vis_info_cmp, vis_info_choose,
-                              info);
+                              info, &info->hash_entry);
        if (hash_added < 0) {
                /* did not work (for some reason) */
                kref_put(&info->refcount, free_info);
@@ -529,9 +566,9 @@ static int find_best_vis_server(struct bat_priv *bat_priv,
                                struct vis_info *info)
 {
        struct hashtable_t *hash = bat_priv->orig_hash;
-        struct hlist_node *walk;
+        struct neigh_node *router;
+        struct hlist_node *node;
        struct hlist_head *head;
-        struct element_t *bucket;
        struct orig_node *orig_node;
        struct vis_packet *packet;
        int best_tq = -1, i;
@@ -541,16 +578,21 @@ static int find_best_vis_server(struct bat_priv *bat_priv,
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(bucket, walk, head, hlist) {
+                rcu_read_lock();
-                        orig_node = bucket->data;
+                hlist_for_each_entry_rcu(orig_node, node, head, hash_entry) {
-                        if ((orig_node) && (orig_node->router) &&
+                        router = orig_node_get_router(orig_node);
-                        (orig_node->flags & VIS_SERVER) &&
+                        if (!router)
-                        (orig_node->router->tq_avg > best_tq)) {
+                                continue;
-                                best_tq = orig_node->router->tq_avg;
+                        if ((orig_node->flags & VIS_SERVER) &&
+                            (router->tq_avg > best_tq)) {
+                                best_tq = router->tq_avg;
                                memcpy(packet->target_orig, orig_node->orig,
                                       ETH_ALEN);
                        }
+                        neigh_node_free_ref(router);
                }
+                rcu_read_unlock();
        }
        return best_tq;
@@ -573,21 +615,19 @@ static bool vis_packet_full(struct vis_info *info)
 static int generate_vis_packet(struct bat_priv *bat_priv)
 {
        struct hashtable_t *hash = bat_priv->orig_hash;
-        struct hlist_node *walk;
+        struct hlist_node *node;
        struct hlist_head *head;
-        struct element_t *bucket;
        struct orig_node *orig_node;
-        struct neigh_node *neigh_node;
+        struct neigh_node *router;
        struct vis_info *info = (struct vis_info *)bat_priv->my_vis_info;
        struct vis_packet *packet = (struct vis_packet *)info->skb_packet->data;
        struct vis_info_entry *entry;
-        struct hna_local_entry *hna_local_entry;
+        struct tt_local_entry *tt_local_entry;
        int best_tq = -1, i;
        info->first_seen = jiffies;
        packet->vis_type = atomic_read(&bat_priv->vis_mode);
-        spin_lock_bh(&bat_priv->orig_hash_lock);
        memcpy(packet->target_orig, broadcast_addr, ETH_ALEN);
        packet->ttl = TTL;
        packet->seqno = htonl(ntohl(packet->seqno) + 1);
@@ -597,74 +637,74 @@ static int generate_vis_packet(struct bat_priv *bat_priv)
        if (packet->vis_type == VIS_TYPE_CLIENT_UPDATE) {
                best_tq = find_best_vis_server(bat_priv, info);
-                if (best_tq < 0) {
+                if (best_tq < 0)
-                        spin_unlock_bh(&bat_priv->orig_hash_lock);
                        return -1;
-                }
        }
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(bucket, walk, head, hlist) {
+                rcu_read_lock();
-                        orig_node = bucket->data;
+                hlist_for_each_entry_rcu(orig_node, node, head, hash_entry) {
-                        neigh_node = orig_node->router;
+                        router = orig_node_get_router(orig_node);
+                        if (!router)
-                        if (!neigh_node)
                                continue;
-                        if (!compare_orig(neigh_node->addr, orig_node->orig))
+                        if (!compare_eth(router->addr, orig_node->orig))
-                                continue;
+                                goto next;
-                        if (neigh_node->if_incoming->if_status != IF_ACTIVE)
+                        if (router->if_incoming->if_status != IF_ACTIVE)
-                                continue;
+                                goto next;
-                        if (neigh_node->tq_avg < 1)
+                        if (router->tq_avg < 1)
-                                continue;
+                                goto next;
                        /* fill one entry into buffer. */
                        entry = (struct vis_info_entry *)
                                      skb_put(info->skb_packet, sizeof(*entry));
                        memcpy(entry->src,
-                               neigh_node->if_incoming->net_dev->dev_addr,
+                               router->if_incoming->net_dev->dev_addr,
                               ETH_ALEN);
                        memcpy(entry->dest, orig_node->orig, ETH_ALEN);
-                        entry->quality = neigh_node->tq_avg;
+                        entry->quality = router->tq_avg;
                        packet->entries++;
-                        if (vis_packet_full(info)) {
+next:
-                                spin_unlock_bh(&bat_priv->orig_hash_lock);
+                        neigh_node_free_ref(router);
-                                return 0;
-                        }
+                        if (vis_packet_full(info))
+                                goto unlock;
                }
+                rcu_read_unlock();
        }
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
+        hash = bat_priv->tt_local_hash;
-        hash = bat_priv->hna_local_hash;
-        spin_lock_bh(&bat_priv->hna_lhash_lock);
+        spin_lock_bh(&bat_priv->tt_lhash_lock);
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(bucket, walk, head, hlist) {
+                hlist_for_each_entry(tt_local_entry, node, head, hash_entry) {
-                        hna_local_entry = bucket->data;
                        entry = (struct vis_info_entry *)
                                        skb_put(info->skb_packet,
                                                sizeof(*entry));
                        memset(entry->src, 0, ETH_ALEN);
-                        memcpy(entry->dest, hna_local_entry->addr, ETH_ALEN);
+                        memcpy(entry->dest, tt_local_entry->addr, ETH_ALEN);
-                        entry->quality = 0; /* 0 means HNA */
+                        entry->quality = 0; /* 0 means TT */
                        packet->entries++;
                        if (vis_packet_full(info)) {
-                                spin_unlock_bh(&bat_priv->hna_lhash_lock);
+                                spin_unlock_bh(&bat_priv->tt_lhash_lock);
                                return 0;
                        }
                }
        }
-        spin_unlock_bh(&bat_priv->hna_lhash_lock);
+        spin_unlock_bh(&bat_priv->tt_lhash_lock);
+        return 0;
+unlock:
+        rcu_read_unlock();
        return 0;
 }
@@ -674,25 +714,22 @@ static void purge_vis_packets(struct bat_priv *bat_priv)
 {
        int i;
        struct hashtable_t *hash = bat_priv->vis_hash;
-        struct hlist_node *walk, *safe;
+        struct hlist_node *node, *node_tmp;
        struct hlist_head *head;
-        struct element_t *bucket;
        struct vis_info *info;
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry_safe(bucket, walk, safe, head, hlist) {
+                hlist_for_each_entry_safe(info, node, node_tmp,
-                        info = bucket->data;
+                                          head, hash_entry) {
                        /* never purge own data. */
                        if (info == bat_priv->my_vis_info)
                                continue;
                        if (time_after(jiffies,
                                       info->first_seen + VIS_TIMEOUT * HZ)) {
-                                hlist_del(walk);
+                                hlist_del(node);
-                                kfree(bucket);
                                send_list_del(info);
                                kref_put(&info->refcount, free_info);
                        }
@@ -703,103 +740,103 @@ static void purge_vis_packets(struct bat_priv *bat_priv)
 static void broadcast_vis_packet(struct bat_priv *bat_priv,
                                 struct vis_info *info)
 {
+        struct neigh_node *router;
        struct hashtable_t *hash = bat_priv->orig_hash;
-        struct hlist_node *walk;
+        struct hlist_node *node;
        struct hlist_head *head;
-        struct element_t *bucket;
        struct orig_node *orig_node;
        struct vis_packet *packet;
        struct sk_buff *skb;
-        struct batman_if *batman_if;
+        struct hard_iface *hard_iface;
        uint8_t dstaddr[ETH_ALEN];
        int i;
-        spin_lock_bh(&bat_priv->orig_hash_lock);
        packet = (struct vis_packet *)info->skb_packet->data;
        /* send to all routers in range. */
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
-                hlist_for_each_entry(bucket, walk, head, hlist) {
+                rcu_read_lock();
-                        orig_node = bucket->data;
+                hlist_for_each_entry_rcu(orig_node, node, head, hash_entry) {
                        /* if it's a vis server and reachable, send it. */
-                        if ((!orig_node) || (!orig_node->router))
-                                continue;
                        if (!(orig_node->flags & VIS_SERVER))
                                continue;
+                        router = orig_node_get_router(orig_node);
+                        if (!router)
+                                continue;
                        /* don't send it if we already received the packet from
-                        * this node. */
+                         * this node. */
                        if (recv_list_is_in(bat_priv, &info->recv_list,
-                                            orig_node->orig))
+                                            orig_node->orig)) {
+                                neigh_node_free_ref(router);
                                continue;
+                        }
                        memcpy(packet->target_orig, orig_node->orig, ETH_ALEN);
-                        batman_if = orig_node->router->if_incoming;
+                        hard_iface = router->if_incoming;
-                        memcpy(dstaddr, orig_node->router->addr, ETH_ALEN);
+                        memcpy(dstaddr, router->addr, ETH_ALEN);
-                        spin_unlock_bh(&bat_priv->orig_hash_lock);
+                        neigh_node_free_ref(router);
                        skb = skb_clone(info->skb_packet, GFP_ATOMIC);
                        if (skb)
-                                send_skb_packet(skb, batman_if, dstaddr);
+                                send_skb_packet(skb, hard_iface, dstaddr);
-                        spin_lock_bh(&bat_priv->orig_hash_lock);
                }
+                rcu_read_unlock();
        }
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
 }
 static void unicast_vis_packet(struct bat_priv *bat_priv,
                               struct vis_info *info)
 {
        struct orig_node *orig_node;
+        struct neigh_node *router = NULL;
        struct sk_buff *skb;
        struct vis_packet *packet;
-        struct batman_if *batman_if;
-        uint8_t dstaddr[ETH_ALEN];
-        spin_lock_bh(&bat_priv->orig_hash_lock);
        packet = (struct vis_packet *)info->skb_packet->data;
-        orig_node = ((struct orig_node *)hash_find(bat_priv->orig_hash,
-                                                   compare_orig, choose_orig,
-                                                   packet->target_orig));
-        if ((!orig_node) || (!orig_node->router))
+        orig_node = orig_hash_find(bat_priv, packet->target_orig);
+        if (!orig_node)
                goto out;
-        /* don't lock while sending the packets ... we therefore
+        router = orig_node_get_router(orig_node);
-         * copy the required data before sending */
+        if (!router)
-        batman_if = orig_node->router->if_incoming;
+                goto out;
-        memcpy(dstaddr, orig_node->router->addr, ETH_ALEN);
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
        skb = skb_clone(info->skb_packet, GFP_ATOMIC);
        if (skb)
-                send_skb_packet(skb, batman_if, dstaddr);
+                send_skb_packet(skb, router->if_incoming, router->addr);
-        return;
 out:
-        spin_unlock_bh(&bat_priv->orig_hash_lock);
+        if (router)
+                neigh_node_free_ref(router);
+        if (orig_node)
+                orig_node_free_ref(orig_node);
 }
 /* only send one vis packet. called from send_vis_packets() */
 static void send_vis_packet(struct bat_priv *bat_priv, struct vis_info *info)
 {
+        struct hard_iface *primary_if;
        struct vis_packet *packet;
+        primary_if = primary_if_get_selected(bat_priv);
+        if (!primary_if)
+                goto out;
        packet = (struct vis_packet *)info->skb_packet->data;
        if (packet->ttl < 2) {
                pr_debug("Error - can't send vis packet: ttl exceeded\n");
-                return;
+                goto out;
        }
-        memcpy(packet->sender_orig, bat_priv->primary_if->net_dev->dev_addr,
+        memcpy(packet->sender_orig, primary_if->net_dev->dev_addr, ETH_ALEN);
-               ETH_ALEN);
        packet->ttl--;
        if (is_broadcast_ether_addr(packet->target_orig))
@@ -807,6 +844,10 @@ static void send_vis_packet(struct bat_priv *bat_priv, struct vis_info *info)
        else
                unicast_vis_packet(bat_priv, info);
        packet->ttl++; /* restore TTL */
+out:
+        if (primary_if)
+                hardif_free_ref(primary_if);
 }
 /* called from timer; send (and maybe generate) vis packet. */
@@ -833,8 +874,7 @@ static void send_vis_packets(struct work_struct *work)
                kref_get(&info->refcount);
                spin_unlock_bh(&bat_priv->vis_hash_lock);
-                if (bat_priv->primary_if)
+                send_vis_packet(bat_priv, info);
-                        send_vis_packet(bat_priv, info);
                spin_lock_bh(&bat_priv->vis_hash_lock);
                send_list_del(info);
@@ -896,7 +936,8 @@ int vis_init(struct bat_priv *bat_priv)
        INIT_LIST_HEAD(&bat_priv->vis_send_list);
        hash_added = hash_add(bat_priv->vis_hash, vis_info_cmp, vis_info_choose,
-                              bat_priv->my_vis_info);
+                              bat_priv->my_vis_info,
+                              &bat_priv->my_vis_info->hash_entry);
        if (hash_added < 0) {
                pr_err("Can't add own vis packet into hash\n");
                /* not in hash, need to remove it manually. */
@@ -918,10 +959,11 @@ err:
 }
 /* Decrease the reference count on a hash item info */
-static void free_info_ref(void *data, void *arg)
+static void free_info_ref(struct hlist_node *node, void *arg)
 {
-        struct vis_info *info = data;
+        struct vis_info *info;
+        info = container_of(node, struct vis_info, hash_entry);
        send_list_del(info);
        kref_put(&info->refcount, free_info);
 }
diff --git a/net/batman-adv/vis.h b/net/batman-adv/vis.h
index 2c3b33089a9b..31b820d07f23 100644
--- a/net/batman-adv/vis.h
+++ b/net/batman-adv/vis.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2010 B.A.T.M.A.N. contributors:
+ * Copyright (C) 2008-2011 B.A.T.M.A.N. contributors:
 *
 * Simon Wunderlich, Marek Lindner
 *
diff --git a/net/bluetooth/Kconfig b/net/bluetooth/Kconfig
index ed371684c133..6ae5ec508587 100644
--- a/net/bluetooth/Kconfig
+++ b/net/bluetooth/Kconfig
@@ -27,31 +27,27 @@ menuconfig BT
          compile it as module (bluetooth).
          To use Linux Bluetooth subsystem, you will need several user-space
-          utilities like hciconfig and hcid.  These utilities and updates to
+          utilities like hciconfig and bluetoothd.  These utilities and updates
-          Bluetooth kernel modules are provided in the BlueZ packages.
+          to Bluetooth kernel modules are provided in the BlueZ packages.  For
-          For more information, see <http://www.bluez.org/>.
+          more information, see <http://www.bluez.org/>.
+if BT != n
 config BT_L2CAP
-        tristate "L2CAP protocol support"
+        bool "L2CAP protocol support"
-        depends on BT
        select CRC16
        help
          L2CAP (Logical Link Control and Adaptation Protocol) provides
          connection oriented and connection-less data transport.  L2CAP
          support is required for most Bluetooth applications.
-          Say Y here to compile L2CAP support into the kernel or say M to
-          compile it as module (l2cap).
 config BT_SCO
-        tristate "SCO links support"
+        bool "SCO links support"
-        depends on BT
        help
          SCO link provides voice transport over Bluetooth.  SCO support is
          required for voice applications like Headset and Audio.
-          Say Y here to compile SCO support into the kernel or say M to
+endif
-          compile it as module (sco).
 source "net/bluetooth/rfcomm/Kconfig"
diff --git a/net/bluetooth/Makefile b/net/bluetooth/Makefile
index 250f954f0213..f04fe9a9d634 100644
--- a/net/bluetooth/Makefile
+++ b/net/bluetooth/Makefile
@@ -3,11 +3,11 @@
 #
 obj-$(CONFIG_BT)        += bluetooth.o
-obj-$(CONFIG_BT_L2CAP)  += l2cap.o
-obj-$(CONFIG_BT_SCO)    += sco.o
 obj-$(CONFIG_BT_RFCOMM) += rfcomm/
 obj-$(CONFIG_BT_BNEP)   += bnep/
 obj-$(CONFIG_BT_CMTP)   += cmtp/
 obj-$(CONFIG_BT_HIDP)   += hidp/
 bluetooth-y := af_bluetooth.o hci_core.o hci_conn.o hci_event.o mgmt.o hci_sock.o hci_sysfs.o lib.o
+bluetooth-$(CONFIG_BT_L2CAP)    += l2cap_core.o l2cap_sock.o
+bluetooth-$(CONFIG_BT_SCO)      += sco.o
diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
index c4cf3f595004..8add9b499912 100644
--- a/net/bluetooth/af_bluetooth.c
+++ b/net/bluetooth/af_bluetooth.c
@@ -40,7 +40,7 @@
 #include <net/bluetooth/bluetooth.h>
-#define VERSION "2.15"
+#define VERSION "2.16"
 /* Bluetooth sockets */
 #define BT_MAX_PROTO    8
@@ -199,14 +199,15 @@ struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
        BT_DBG("parent %p", parent);
+        local_bh_disable();
        list_for_each_safe(p, n, &bt_sk(parent)->accept_q) {
                sk = (struct sock *) list_entry(p, struct bt_sock, accept_q);
-                lock_sock(sk);
+                bh_lock_sock(sk);
                /* FIXME: Is this check still needed */
                if (sk->sk_state == BT_CLOSED) {
-                        release_sock(sk);
+                        bh_unlock_sock(sk);
                        bt_accept_unlink(sk);
                        continue;
                }
@@ -216,12 +217,16 @@ struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock)
                        bt_accept_unlink(sk);
                        if (newsock)
                                sock_graft(sk, newsock);
-                        release_sock(sk);
+                        bh_unlock_sock(sk);
+                        local_bh_enable();
                        return sk;
                }
-                release_sock(sk);
+                bh_unlock_sock(sk);
        }
+        local_bh_enable();
        return NULL;
 }
 EXPORT_SYMBOL(bt_accept_dequeue);
@@ -240,7 +245,8 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
        if (flags & (MSG_OOB))
                return -EOPNOTSUPP;
-        if (!(skb = skb_recv_datagram(sk, flags, noblock, &err))) {
+        skb = skb_recv_datagram(sk, flags, noblock, &err);
+        if (!skb) {
                if (sk->sk_shutdown & RCV_SHUTDOWN)
                        return 0;
                return err;
@@ -323,7 +329,8 @@ int bt_sock_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
                        if (copied >= target)
                                break;
-                        if ((err = sock_error(sk)) != 0)
+                        err = sock_error(sk);
+                        if (err)
                                break;
                        if (sk->sk_shutdown & RCV_SHUTDOWN)
                                break;
@@ -390,7 +397,7 @@ static inline unsigned int bt_accept_poll(struct sock *parent)
        return 0;
 }
-unsigned int bt_sock_poll(struct file * file, struct socket *sock, poll_table *wait)
+unsigned int bt_sock_poll(struct file *file, struct socket *sock, poll_table *wait)
 {
        struct sock *sk = sock->sk;
        unsigned int mask = 0;
@@ -538,13 +545,39 @@ static int __init bt_init(void)
        BT_INFO("HCI device and connection manager initialized");
-        hci_sock_init();
+        err = hci_sock_init();
+        if (err < 0)
+                goto error;
+        err = l2cap_init();
+        if (err < 0)
+                goto sock_err;
+        err = sco_init();
+        if (err < 0) {
+                l2cap_exit();
+                goto sock_err;
+        }
        return 0;
+sock_err:
+        hci_sock_cleanup();
+error:
+        sock_unregister(PF_BLUETOOTH);
+        bt_sysfs_cleanup();
+        return err;
 }
 static void __exit bt_exit(void)
 {
+        sco_exit();
+        l2cap_exit();
        hci_sock_cleanup();
        sock_unregister(PF_BLUETOOTH);
diff --git a/net/bluetooth/bnep/bnep.h b/net/bluetooth/bnep/bnep.h
index 70672544db86..8e6c06158f8e 100644
--- a/net/bluetooth/bnep/bnep.h
+++ b/net/bluetooth/bnep/bnep.h
@@ -23,88 +23,88 @@
 #include <linux/crc32.h>
 #include <net/bluetooth/bluetooth.h>
-// Limits
+/* Limits */
-#define BNEP_MAX_PROTO_FILTERS     5
+#define BNEP_MAX_PROTO_FILTERS          5
-#define BNEP_MAX_MULTICAST_FILTERS 20
+#define BNEP_MAX_MULTICAST_FILTERS      20
-// UUIDs
+/* UUIDs */
-#define BNEP_BASE_UUID 0x0000000000001000800000805F9B34FB
+#define BNEP_BASE_UUID  0x0000000000001000800000805F9B34FB
-#define BNEP_UUID16    0x02
+#define BNEP_UUID16     0x02
-#define BNEP_UUID32    0x04
+#define BNEP_UUID32     0x04
-#define BNEP_UUID128   0x16
+#define BNEP_UUID128    0x16
-#define BNEP_SVC_PANU  0x1115
+#define BNEP_SVC_PANU   0x1115
-#define BNEP_SVC_NAP   0x1116
+#define BNEP_SVC_NAP    0x1116
-#define BNEP_SVC_GN    0x1117
+#define BNEP_SVC_GN     0x1117
-// Packet types
+/* Packet types */
-#define BNEP_GENERAL               0x00
+#define BNEP_GENERAL                    0x00
-#define BNEP_CONTROL               0x01
+#define BNEP_CONTROL                    0x01
-#define BNEP_COMPRESSED            0x02
+#define BNEP_COMPRESSED                 0x02
-#define BNEP_COMPRESSED_SRC_ONLY   0x03
+#define BNEP_COMPRESSED_SRC_ONLY        0x03
-#define BNEP_COMPRESSED_DST_ONLY   0x04
+#define BNEP_COMPRESSED_DST_ONLY        0x04
-// Control types
+/* Control types */
-#define BNEP_CMD_NOT_UNDERSTOOD    0x00
+#define BNEP_CMD_NOT_UNDERSTOOD         0x00
-#define BNEP_SETUP_CONN_REQ        0x01
+#define BNEP_SETUP_CONN_REQ             0x01
-#define BNEP_SETUP_CONN_RSP        0x02
+#define BNEP_SETUP_CONN_RSP             0x02
-#define BNEP_FILTER_NET_TYPE_SET   0x03
+#define BNEP_FILTER_NET_TYPE_SET        0x03
-#define BNEP_FILTER_NET_TYPE_RSP   0x04
+#define BNEP_FILTER_NET_TYPE_RSP        0x04
-#define BNEP_FILTER_MULTI_ADDR_SET 0x05
+#define BNEP_FILTER_MULTI_ADDR_SET      0x05
-#define BNEP_FILTER_MULTI_ADDR_RSP 0x06
+#define BNEP_FILTER_MULTI_ADDR_RSP      0x06
-// Extension types
+/* Extension types */
-#define BNEP_EXT_CONTROL           0x00
+#define BNEP_EXT_CONTROL 0x00
-// Response messages
+/* Response messages */
-#define BNEP_SUCCESS               0x00
+#define BNEP_SUCCESS 0x00
-#define BNEP_CONN_INVALID_DST      0x01
+#define BNEP_CONN_INVALID_DST 0x01
-#define BNEP_CONN_INVALID_SRC      0x02
+#define BNEP_CONN_INVALID_SRC 0x02
-#define BNEP_CONN_INVALID_SVC      0x03
+#define BNEP_CONN_INVALID_SVC 0x03
-#define BNEP_CONN_NOT_ALLOWED      0x04
+#define BNEP_CONN_NOT_ALLOWED 0x04
-#define BNEP_FILTER_UNSUPPORTED_REQ    0x01
+#define BNEP_FILTER_UNSUPPORTED_REQ     0x01
-#define BNEP_FILTER_INVALID_RANGE      0x02
+#define BNEP_FILTER_INVALID_RANGE       0x02
-#define BNEP_FILTER_INVALID_MCADDR     0x02
+#define BNEP_FILTER_INVALID_MCADDR      0x02
-#define BNEP_FILTER_LIMIT_REACHED      0x03
+#define BNEP_FILTER_LIMIT_REACHED       0x03
-#define BNEP_FILTER_DENIED_SECURITY    0x04
+#define BNEP_FILTER_DENIED_SECURITY     0x04
-// L2CAP settings
+/* L2CAP settings */
-#define BNEP_MTU         1691
+#define BNEP_MTU        1691
-#define BNEP_PSM         0x0f
+#define BNEP_PSM        0x0f
-#define BNEP_FLUSH_TO    0xffff
+#define BNEP_FLUSH_TO   0xffff
-#define BNEP_CONNECT_TO  15
+#define BNEP_CONNECT_TO 15
-#define BNEP_FILTER_TO   15
+#define BNEP_FILTER_TO  15
-// Headers
+/* Headers */
-#define BNEP_TYPE_MASK   0x7f
+#define BNEP_TYPE_MASK  0x7f
-#define BNEP_EXT_HEADER  0x80
+#define BNEP_EXT_HEADER 0x80
 struct bnep_setup_conn_req {
-        __u8  type;
+        __u8 type;
-        __u8  ctrl;
+        __u8 ctrl;
-        __u8  uuid_size;
+        __u8 uuid_size;
-        __u8  service[0];
+        __u8 service[0];
 } __packed;
 struct bnep_set_filter_req {
-        __u8  type;
+        __u8 type;
-        __u8  ctrl;
+        __u8 ctrl;
        __be16 len;
-        __u8  list[0];
+        __u8 list[0];
 } __packed;
 struct bnep_control_rsp {
-        __u8  type;
+        __u8 type;
-        __u8  ctrl;
+        __u8 ctrl;
        __be16 resp;
 } __packed;
 struct bnep_ext_hdr {
-        __u8  type;
+        __u8 type;
-        __u8  len;
+        __u8 len;
-        __u8  data[0];
+        __u8 data[0];
 } __packed;
 /* BNEP ioctl defines */
@@ -114,10 +114,10 @@ struct bnep_ext_hdr {
 #define BNEPGETCONNINFO _IOR('B', 211, int)
 struct bnep_connadd_req {
-        int   sock;       // Connected socket
+        int   sock;             /* Connected socket */
        __u32 flags;
        __u16 role;
-        char  device[16]; // Name of the Ethernet device
+        char  device[16];       /* Name of the Ethernet device */
 };
 struct bnep_conndel_req {
@@ -148,14 +148,14 @@ int bnep_del_connection(struct bnep_conndel_req *req);
 int bnep_get_connlist(struct bnep_connlist_req *req);
 int bnep_get_conninfo(struct bnep_conninfo *ci);
-// BNEP sessions
+/* BNEP sessions */
 struct bnep_session {
        struct list_head list;
        unsigned int  role;
        unsigned long state;
        unsigned long flags;
-        atomic_t      killed;
+        struct task_struct *task;
        struct ethhdr eh;
        struct msghdr msg;
@@ -173,7 +173,7 @@ void bnep_sock_cleanup(void);
 static inline int bnep_mc_hash(__u8 *addr)
 {
-        return (crc32_be(~0, addr, ETH_ALEN) >> 26);
+        return crc32_be(~0, addr, ETH_ALEN) >> 26;
 }
 #endif
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index 5868597534e5..ca39fcf010ce 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -36,6 +36,7 @@
 #include <linux/errno.h>
 #include <linux/net.h>
 #include <linux/slab.h>
+#include <linux/kthread.h>
 #include <net/sock.h>
 #include <linux/socket.h>
@@ -131,7 +132,8 @@ static int bnep_ctrl_set_netfilter(struct bnep_session *s, __be16 *data, int len
                return -EILSEQ;
        n = get_unaligned_be16(data);
-        data++; len -= 2;
+        data++;
+        len -= 2;
        if (len < n)
                return -EILSEQ;
@@ -176,7 +178,8 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
                return -EILSEQ;
        n = get_unaligned_be16(data);
-        data += 2; len -= 2;
+        data += 2;
+        len -= 2;
        if (len < n)
                return -EILSEQ;
@@ -187,6 +190,8 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
        n /= (ETH_ALEN * 2);
        if (n > 0) {
+                int i;
                s->mc_filter = 0;
                /* Always send broadcast */
@@ -196,18 +201,22 @@ static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
                for (; n > 0; n--) {
                        u8 a1[6], *a2;
-                        memcpy(a1, data, ETH_ALEN); data += ETH_ALEN;
+                        memcpy(a1, data, ETH_ALEN);
-                        a2 = data; data += ETH_ALEN;
+                        data += ETH_ALEN;
+                        a2 = data;
+                        data += ETH_ALEN;
                        BT_DBG("mc filter %s -> %s",
                                batostr((void *) a1), batostr((void *) a2));
-                        #define INCA(a) { int i = 5; while (i >=0 && ++a[i--] == 0); }
                        /* Iterate from a1 to a2 */
                        set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter);
                        while (memcmp(a1, a2, 6) < 0 && s->mc_filter != ~0LL) {
-                                INCA(a1);
+                                /* Increment a1 */
+                                i = 5;
+                                while (i >= 0 && ++a1[i--] == 0)
+                                        ;
                                set_bit(bnep_mc_hash(a1), (ulong *) &s->mc_filter);
                        }
                }
@@ -227,7 +236,8 @@ static int bnep_rx_control(struct bnep_session *s, void *data, int len)
        u8  cmd = *(u8 *)data;
        int err = 0;
-        data++; len--;
+        data++;
+        len--;
        switch (cmd) {
        case BNEP_CMD_NOT_UNDERSTOOD:
@@ -302,7 +312,6 @@ static u8 __bnep_rx_hlen[] = {
        ETH_ALEN + 2, /* BNEP_COMPRESSED_SRC_ONLY */
        ETH_ALEN + 2  /* BNEP_COMPRESSED_DST_ONLY */
 };
-#define BNEP_RX_TYPES   (sizeof(__bnep_rx_hlen) - 1)
 static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
 {
@@ -312,9 +321,10 @@ static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
        dev->stats.rx_bytes += skb->len;
-        type = *(u8 *) skb->data; skb_pull(skb, 1);
+        type = *(u8 *) skb->data;
+        skb_pull(skb, 1);
-        if ((type & BNEP_TYPE_MASK) > BNEP_RX_TYPES)
+        if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
                goto badframe;
        if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
@@ -367,14 +377,14 @@ static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
        case BNEP_COMPRESSED_DST_ONLY:
                memcpy(__skb_put(nskb, ETH_ALEN), skb_mac_header(skb),
-                       ETH_ALEN);
+                                                                ETH_ALEN);
                memcpy(__skb_put(nskb, ETH_ALEN + 2), s->eh.h_source,
-                       ETH_ALEN + 2);
+                                                                ETH_ALEN + 2);
                break;
        case BNEP_GENERAL:
                memcpy(__skb_put(nskb, ETH_ALEN * 2), skb_mac_header(skb),
-                       ETH_ALEN * 2);
+                                                                ETH_ALEN * 2);
                put_unaligned(s->eh.h_proto, (__be16 *) __skb_put(nskb, 2));
                break;
        }
@@ -470,15 +480,14 @@ static int bnep_session(void *arg)
        BT_DBG("");
-        daemonize("kbnepd %s", dev->name);
        set_user_nice(current, -15);
        init_waitqueue_entry(&wait, current);
        add_wait_queue(sk_sleep(sk), &wait);
-        while (!atomic_read(&s->killed)) {
+        while (!kthread_should_stop()) {
                set_current_state(TASK_INTERRUPTIBLE);
-                // RX
+                /* RX */
                while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
                        skb_orphan(skb);
                        bnep_rx_frame(s, skb);
@@ -487,7 +496,7 @@ static int bnep_session(void *arg)
                if (sk->sk_state != BT_CONNECTED)
                        break;
-                // TX
+                /* TX */
                while ((skb = skb_dequeue(&sk->sk_write_queue)))
                        if (bnep_tx_frame(s, skb))
                                break;
@@ -555,8 +564,8 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
        /* session struct allocated as private part of net_device */
        dev = alloc_netdev(sizeof(struct bnep_session),
-                           (*req->device) ? req->device : "bnep%d",
+                                (*req->device) ? req->device : "bnep%d",
-                           bnep_net_setup);
+                                bnep_net_setup);
        if (!dev)
                return -ENOMEM;
@@ -571,7 +580,7 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
        s = netdev_priv(dev);
        /* This is rx header therefore addresses are swapped.
-         * ie eh.h_dest is our local address. */
+         * ie. eh.h_dest is our local address. */
        memcpy(s->eh.h_dest,   &src, ETH_ALEN);
        memcpy(s->eh.h_source, &dst, ETH_ALEN);
        memcpy(dev->dev_addr, s->eh.h_dest, ETH_ALEN);
@@ -597,17 +606,17 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
        SET_NETDEV_DEVTYPE(dev, &bnep_type);
        err = register_netdev(dev);
-        if (err) {
+        if (err)
                goto failed;
-        }
        __bnep_link_session(s);
-        err = kernel_thread(bnep_session, s, CLONE_KERNEL);
+        s->task = kthread_run(bnep_session, s, "kbnepd %s", dev->name);
-        if (err < 0) {
+        if (IS_ERR(s->task)) {
                /* Session thread start failed, gotta cleanup. */
                unregister_netdev(dev);
                __bnep_unlink_session(s);
+                err = PTR_ERR(s->task);
                goto failed;
        }
@@ -631,15 +640,9 @@ int bnep_del_connection(struct bnep_conndel_req *req)
        down_read(&bnep_session_sem);
        s = __bnep_get_session(req->dst);
-        if (s) {
+        if (s)
-                /* Wakeup user-space which is polling for socket errors.
+                kthread_stop(s->task);
-                 * This is temporary hack until we have shutdown in L2CAP */
+        else
-                s->sock->sk->sk_err = EUNATCH;
-                /* Kill session thread */
-                atomic_inc(&s->killed);
-                wake_up_interruptible(sk_sleep(s->sock->sk));
-        } else
                err = -ENOENT;
        up_read(&bnep_session_sem);
@@ -708,8 +711,6 @@ static int __init bnep_init(void)
 {
        char flt[50] = "";
-        l2cap_load();
 #ifdef CONFIG_BT_BNEP_PROTO_FILTER
        strcat(flt, "protocol ");
 #endif
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 2862f53b66b1..17800b1d28ea 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -39,10 +39,10 @@
 #include <linux/init.h>
 #include <linux/compat.h>
 #include <linux/gfp.h>
+#include <linux/uaccess.h>
 #include <net/sock.h>
 #include <asm/system.h>
-#include <asm/uaccess.h>
 #include "bnep.h"
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
                        sockfd_put(nsock);
                        return -EBADFD;
                }
+                ca.device[sizeof(ca.device)-1] = 0;
                err = bnep_add_connection(&ca, nsock);
                if (!err) {
diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c
index 3487cfe74aec..744233cba244 100644
--- a/net/bluetooth/cmtp/capi.c
+++ b/net/bluetooth/cmtp/capi.c
@@ -35,6 +35,7 @@
 #include <linux/ioctl.h>
 #include <linux/file.h>
 #include <linux/wait.h>
+#include <linux/kthread.h>
 #include <net/sock.h>
 #include <linux/isdn/capilli.h>
@@ -143,7 +144,7 @@ static void cmtp_send_capimsg(struct cmtp_session *session, struct sk_buff *skb)
        skb_queue_tail(&session->transmit, skb);
-        cmtp_schedule(session);
+        wake_up_interruptible(sk_sleep(session->sock->sk));
 }
 static void cmtp_send_interopmsg(struct cmtp_session *session,
@@ -155,7 +156,8 @@ static void cmtp_send_interopmsg(struct cmtp_session *session,
        BT_DBG("session %p subcmd 0x%02x appl %d msgnum %d", session, subcmd, appl, msgnum);
-        if (!(skb = alloc_skb(CAPI_MSG_BASELEN + 6 + len, GFP_ATOMIC))) {
+        skb = alloc_skb(CAPI_MSG_BASELEN + 6 + len, GFP_ATOMIC);
+        if (!skb) {
                BT_ERR("Can't allocate memory for interoperability packet");
                return;
        }
@@ -385,8 +387,7 @@ static void cmtp_reset_ctr(struct capi_ctr *ctrl)
        capi_ctr_down(ctrl);
-        atomic_inc(&session->terminate);
+        kthread_stop(session->task);
-        cmtp_schedule(session);
 }
 static void cmtp_register_appl(struct capi_ctr *ctrl, __u16 appl, capi_register_params *rp)
diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h
index 785e79e953c5..db43b54ac9af 100644
--- a/net/bluetooth/cmtp/cmtp.h
+++ b/net/bluetooth/cmtp/cmtp.h
@@ -37,7 +37,7 @@
 #define CMTP_LOOPBACK   0
 struct cmtp_connadd_req {
-        int   sock;     // Connected socket
+        int   sock;     /* Connected socket */
        __u32 flags;
 };
@@ -81,7 +81,7 @@ struct cmtp_session {
        char name[BTNAMSIZ];
-        atomic_t terminate;
+        struct task_struct *task;
        wait_queue_head_t wait;
@@ -121,13 +121,6 @@ void cmtp_detach_device(struct cmtp_session *session);
 void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb);
-static inline void cmtp_schedule(struct cmtp_session *session)
-{
-        struct sock *sk = session->sock->sk;
-        wake_up_interruptible(sk_sleep(sk));
-}
 /* CMTP init defines */
 int cmtp_init_sockets(void);
 void cmtp_cleanup_sockets(void);
diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
index 8e5f292529ac..c5b11af908be 100644
--- a/net/bluetooth/cmtp/core.c
+++ b/net/bluetooth/cmtp/core.c
@@ -35,6 +35,7 @@
 #include <linux/ioctl.h>
 #include <linux/file.h>
 #include <linux/init.h>
+#include <linux/kthread.h>
 #include <net/sock.h>
 #include <linux/isdn/capilli.h>
@@ -115,7 +116,8 @@ static inline void cmtp_add_msgpart(struct cmtp_session *session, int id, const
        size = (skb) ? skb->len + count : count;
-        if (!(nskb = alloc_skb(size, GFP_ATOMIC))) {
+        nskb = alloc_skb(size, GFP_ATOMIC);
+        if (!nskb) {
                BT_ERR("Can't allocate memory for CAPI message");
                return;
        }
@@ -216,7 +218,8 @@ static void cmtp_process_transmit(struct cmtp_session *session)
        BT_DBG("session %p", session);
-        if (!(nskb = alloc_skb(session->mtu, GFP_ATOMIC))) {
+        nskb = alloc_skb(session->mtu, GFP_ATOMIC);
+        if (!nskb) {
                BT_ERR("Can't allocate memory for new frame");
                return;
        }
@@ -224,7 +227,8 @@ static void cmtp_process_transmit(struct cmtp_session *session)
        while ((skb = skb_dequeue(&session->transmit))) {
                struct cmtp_scb *scb = (void *) skb->cb;
-                if ((tail = (session->mtu - nskb->len)) < 5) {
+                tail = session->mtu - nskb->len;
+                if (tail < 5) {
                        cmtp_send_frame(session, nskb->data, nskb->len);
                        skb_trim(nskb, 0);
                        tail = session->mtu;
@@ -232,9 +236,12 @@ static void cmtp_process_transmit(struct cmtp_session *session)
                size = min_t(uint, ((tail < 258) ? (tail - 2) : (tail - 3)), skb->len);
-                if ((scb->id < 0) && ((scb->id = cmtp_alloc_block_id(session)) < 0)) {
+                if (scb->id < 0) {
-                        skb_queue_head(&session->transmit, skb);
+                        scb->id = cmtp_alloc_block_id(session);
-                        break;
+                        if (scb->id < 0) {
+                                skb_queue_head(&session->transmit, skb);
+                                break;
+                        }
                }
                if (size < 256) {
@@ -281,12 +288,11 @@ static int cmtp_session(void *arg)
        BT_DBG("session %p", session);
-        daemonize("kcmtpd_ctr_%d", session->num);
        set_user_nice(current, -15);
        init_waitqueue_entry(&wait, current);
        add_wait_queue(sk_sleep(sk), &wait);
-        while (!atomic_read(&session->terminate)) {
+        while (!kthread_should_stop()) {
                set_current_state(TASK_INTERRUPTIBLE);
                if (sk->sk_state != BT_CONNECTED)
@@ -340,7 +346,8 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
        bacpy(&session->bdaddr, &bt_sk(sock->sk)->dst);
-        session->mtu = min_t(uint, l2cap_pi(sock->sk)->omtu, l2cap_pi(sock->sk)->imtu);
+        session->mtu = min_t(uint, l2cap_pi(sock->sk)->chan->omtu,
+                                        l2cap_pi(sock->sk)->chan->imtu);
        BT_DBG("mtu %d", session->mtu);
@@ -364,9 +371,12 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
        __cmtp_link_session(session);
-        err = kernel_thread(cmtp_session, session, CLONE_KERNEL);
+        session->task = kthread_run(cmtp_session, session, "kcmtpd_ctr_%d",
-        if (err < 0)
+                                                                session->num);
+        if (IS_ERR(session->task)) {
+                err = PTR_ERR(session->task);
                goto unlink;
+        }
        if (!(session->flags & (1 << CMTP_LOOPBACK))) {
                err = cmtp_attach_device(session);
@@ -403,9 +413,8 @@ int cmtp_del_connection(struct cmtp_conndel_req *req)
                /* Flush the transmit queue */
                skb_queue_purge(&session->transmit);
-                /* Kill session thread */
+                /* Stop session thread */
-                atomic_inc(&session->terminate);
+                kthread_stop(session->task);
-                cmtp_schedule(session);
        } else
                err = -ENOENT;
@@ -466,8 +475,6 @@ int cmtp_get_conninfo(struct cmtp_conninfo *ci)
 static int __init cmtp_init(void)
 {
-        l2cap_load();
        BT_INFO("CMTP (CAPI Emulation) ver %s", VERSION);
        cmtp_init_sockets();
diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c
index 7ea1979a8e4f..3f2dd5c25ae5 100644
--- a/net/bluetooth/cmtp/sock.c
+++ b/net/bluetooth/cmtp/sock.c
@@ -34,12 +34,12 @@
 #include <linux/file.h>
 #include <linux/compat.h>
 #include <linux/gfp.h>
+#include <linux/uaccess.h>
 #include <net/sock.h>
 #include <linux/isdn/capilli.h>
 #include <asm/system.h>
-#include <asm/uaccess.h>
 #include "cmtp.h"
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 99cd8d9d891b..3163330cd4f1 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -45,6 +45,33 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
+static void hci_le_connect(struct hci_conn *conn)
+{
+        struct hci_dev *hdev = conn->hdev;
+        struct hci_cp_le_create_conn cp;
+        conn->state = BT_CONNECT;
+        conn->out = 1;
+        conn->link_mode |= HCI_LM_MASTER;
+        memset(&cp, 0, sizeof(cp));
+        cp.scan_interval = cpu_to_le16(0x0004);
+        cp.scan_window = cpu_to_le16(0x0004);
+        bacpy(&cp.peer_addr, &conn->dst);
+        cp.conn_interval_min = cpu_to_le16(0x0008);
+        cp.conn_interval_max = cpu_to_le16(0x0100);
+        cp.supervision_timeout = cpu_to_le16(0x0064);
+        cp.min_ce_len = cpu_to_le16(0x0001);
+        cp.max_ce_len = cpu_to_le16(0x0001);
+        hci_send_cmd(hdev, HCI_OP_LE_CREATE_CONN, sizeof(cp), &cp);
+}
+static void hci_le_connect_cancel(struct hci_conn *conn)
+{
+        hci_send_cmd(conn->hdev, HCI_OP_LE_CREATE_CONN_CANCEL, 0, NULL);
+}
 void hci_acl_connect(struct hci_conn *conn)
 {
        struct hci_dev *hdev = conn->hdev;
@@ -156,6 +183,26 @@ void hci_setup_sync(struct hci_conn *conn, __u16 handle)
        hci_send_cmd(hdev, HCI_OP_SETUP_SYNC_CONN, sizeof(cp), &cp);
 }
+void hci_le_conn_update(struct hci_conn *conn, u16 min, u16 max,
+                                        u16 latency, u16 to_multiplier)
+{
+        struct hci_cp_le_conn_update cp;
+        struct hci_dev *hdev = conn->hdev;
+        memset(&cp, 0, sizeof(cp));
+        cp.handle               = cpu_to_le16(conn->handle);
+        cp.conn_interval_min    = cpu_to_le16(min);
+        cp.conn_interval_max    = cpu_to_le16(max);
+        cp.conn_latency         = cpu_to_le16(latency);
+        cp.supervision_timeout  = cpu_to_le16(to_multiplier);
+        cp.min_ce_len           = cpu_to_le16(0x0001);
+        cp.max_ce_len           = cpu_to_le16(0x0001);
+        hci_send_cmd(hdev, HCI_OP_LE_CONN_UPDATE, sizeof(cp), &cp);
+}
+EXPORT_SYMBOL(hci_le_conn_update);
 /* Device _must_ be locked */
 void hci_sco_setup(struct hci_conn *conn, __u8 status)
 {
@@ -193,8 +240,12 @@ static void hci_conn_timeout(unsigned long arg)
        switch (conn->state) {
        case BT_CONNECT:
        case BT_CONNECT2:
-                if (conn->type == ACL_LINK && conn->out)
+                if (conn->out) {
-                        hci_acl_connect_cancel(conn);
+                        if (conn->type == ACL_LINK)
+                                hci_acl_connect_cancel(conn);
+                        else if (conn->type == LE_LINK)
+                                hci_le_connect_cancel(conn);
+                }
                break;
        case BT_CONFIG:
        case BT_CONNECTED:
@@ -218,6 +269,19 @@ static void hci_conn_idle(unsigned long arg)
        hci_conn_enter_sniff_mode(conn);
 }
+static void hci_conn_auto_accept(unsigned long arg)
+{
+        struct hci_conn *conn = (void *) arg;
+        struct hci_dev *hdev = conn->hdev;
+        hci_dev_lock(hdev);
+        hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY, sizeof(conn->dst),
+                                                                &conn->dst);
+        hci_dev_unlock(hdev);
+}
 struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
 {
        struct hci_conn *conn;
@@ -234,6 +298,9 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
        conn->mode  = HCI_CM_ACTIVE;
        conn->state = BT_OPEN;
        conn->auth_type = HCI_AT_GENERAL_BONDING;
+        conn->io_capability = hdev->io_capability;
+        conn->remote_auth = 0xff;
+        conn->key_type = 0xff;
        conn->power_save = 1;
        conn->disc_timeout = HCI_DISCONN_TIMEOUT;
@@ -258,6 +325,8 @@ struct hci_conn *hci_conn_add(struct hci_dev *hdev, int type, bdaddr_t *dst)
        setup_timer(&conn->disc_timer, hci_conn_timeout, (unsigned long)conn);
        setup_timer(&conn->idle_timer, hci_conn_idle, (unsigned long)conn);
+        setup_timer(&conn->auto_accept_timer, hci_conn_auto_accept,
+                                                        (unsigned long) conn);
        atomic_set(&conn->refcnt, 0);
@@ -288,6 +357,8 @@ int hci_conn_del(struct hci_conn *conn)
        del_timer(&conn->disc_timer);
+        del_timer(&conn->auto_accept_timer);
        if (conn->type == ACL_LINK) {
                struct hci_conn *sco = conn->link;
                if (sco)
@@ -295,6 +366,11 @@ int hci_conn_del(struct hci_conn *conn)
                /* Unacked frames */
                hdev->acl_cnt += conn->sent;
+        } else if (conn->type == LE_LINK) {
+                if (hdev->le_pkts)
+                        hdev->le_cnt += conn->sent;
+                else
+                        hdev->acl_cnt += conn->sent;
        } else {
                struct hci_conn *acl = conn->link;
                if (acl) {
@@ -360,15 +436,31 @@ struct hci_dev *hci_get_route(bdaddr_t *dst, bdaddr_t *src)
 }
 EXPORT_SYMBOL(hci_get_route);
-/* Create SCO or ACL connection.
+/* Create SCO, ACL or LE connection.
 * Device _must_ be locked */
 struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8 sec_level, __u8 auth_type)
 {
        struct hci_conn *acl;
        struct hci_conn *sco;
+        struct hci_conn *le;
        BT_DBG("%s dst %s", hdev->name, batostr(dst));
+        if (type == LE_LINK) {
+                le = hci_conn_hash_lookup_ba(hdev, LE_LINK, dst);
+                if (le)
+                        return ERR_PTR(-EBUSY);
+                le = hci_conn_add(hdev, LE_LINK, dst);
+                if (!le)
+                        return ERR_PTR(-ENOMEM);
+                if (le->state == BT_OPEN)
+                        hci_le_connect(le);
+                hci_conn_hold(le);
+                return le;
+        }
        acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
        if (!acl) {
                acl = hci_conn_add(hdev, ACL_LINK, dst);
@@ -461,36 +553,93 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
        return 0;
 }
+/* Encrypt the the link */
+static void hci_conn_encrypt(struct hci_conn *conn)
+{
+        BT_DBG("conn %p", conn);
+        if (!test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend)) {
+                struct hci_cp_set_conn_encrypt cp;
+                cp.handle  = cpu_to_le16(conn->handle);
+                cp.encrypt = 0x01;
+                hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT, sizeof(cp),
+                                                                        &cp);
+        }
+}
 /* Enable security */
 int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
 {
        BT_DBG("conn %p", conn);
+        /* For sdp we don't need the link key. */
        if (sec_level == BT_SECURITY_SDP)
                return 1;
+        /* For non 2.1 devices and low security level we don't need the link
+           key. */
        if (sec_level == BT_SECURITY_LOW &&
                                (!conn->ssp_mode || !conn->hdev->ssp_mode))
                return 1;
-        if (conn->link_mode & HCI_LM_ENCRYPT)
+        /* For other security levels we need the link key. */
-                return hci_conn_auth(conn, sec_level, auth_type);
+        if (!(conn->link_mode & HCI_LM_AUTH))
+                goto auth;
+        /* An authenticated combination key has sufficient security for any
+           security level. */
+        if (conn->key_type == HCI_LK_AUTH_COMBINATION)
+                goto encrypt;
+        /* An unauthenticated combination key has sufficient security for
+           security level 1 and 2. */
+        if (conn->key_type == HCI_LK_UNAUTH_COMBINATION &&
+                        (sec_level == BT_SECURITY_MEDIUM ||
+                        sec_level == BT_SECURITY_LOW))
+                goto encrypt;
+        /* A combination key has always sufficient security for the security
+           levels 1 or 2. High security level requires the combination key
+           is generated using maximum PIN code length (16).
+           For pre 2.1 units. */
+        if (conn->key_type == HCI_LK_COMBINATION &&
+                        (sec_level != BT_SECURITY_HIGH ||
+                        conn->pin_length == 16))
+                goto encrypt;
+auth:
        if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &conn->pend))
                return 0;
-        if (hci_conn_auth(conn, sec_level, auth_type)) {
+        hci_conn_auth(conn, sec_level, auth_type);
-                struct hci_cp_set_conn_encrypt cp;
+        return 0;
-                cp.handle  = cpu_to_le16(conn->handle);
-                cp.encrypt = 1;
-                hci_send_cmd(conn->hdev, HCI_OP_SET_CONN_ENCRYPT,
-                                                        sizeof(cp), &cp);
-        }
+encrypt:
+        if (conn->link_mode & HCI_LM_ENCRYPT)
+                return 1;
+        hci_conn_encrypt(conn);
        return 0;
 }
 EXPORT_SYMBOL(hci_conn_security);
+/* Check secure link requirement */
+int hci_conn_check_secure(struct hci_conn *conn, __u8 sec_level)
+{
+        BT_DBG("conn %p", conn);
+        if (sec_level != BT_SECURITY_HIGH)
+                return 1; /* Accept if non-secure is required */
+        if (conn->key_type == HCI_LK_AUTH_COMBINATION ||
+                        (conn->key_type == HCI_LK_COMBINATION &&
+                        conn->pin_length == 16))
+                return 1;
+        return 0; /* Reject not secure link */
+}
+EXPORT_SYMBOL(hci_conn_check_secure);
 /* Change link key */
 int hci_conn_change_link_key(struct hci_conn *conn)
 {
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 9c4541bc488a..815269b07f20 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -41,6 +41,7 @@
 #include <linux/interrupt.h>
 #include <linux/notifier.h>
 #include <linux/rfkill.h>
+#include <linux/timer.h>
 #include <net/sock.h>
 #include <asm/system.h>
@@ -50,10 +51,11 @@
 #include <net/bluetooth/bluetooth.h>
 #include <net/bluetooth/hci_core.h>
+#define AUTO_OFF_TIMEOUT 2000
 static void hci_cmd_task(unsigned long arg);
 static void hci_rx_task(unsigned long arg);
 static void hci_tx_task(unsigned long arg);
-static void hci_notify(struct hci_dev *hdev, int event);
 static DEFINE_RWLOCK(hci_task_lock);
@@ -95,11 +97,10 @@ void hci_req_complete(struct hci_dev *hdev, __u16 cmd, int result)
 {
        BT_DBG("%s command 0x%04x result 0x%2.2x", hdev->name, cmd, result);
-        /* If the request has set req_last_cmd (typical for multi-HCI
+        /* If this is the init phase check if the completed command matches
-         * command requests) check if the completed command matches
+         * the last init command, and if not just return.
-         * this, and if not just return. Single HCI command requests
+         */
-         * typically leave req_last_cmd as 0 */
+        if (test_bit(HCI_INIT, &hdev->flags) && hdev->init_last_cmd != cmd)
-        if (hdev->req_last_cmd && cmd != hdev->req_last_cmd)
                return;
        if (hdev->req_status == HCI_REQ_PEND) {
@@ -122,7 +123,7 @@ static void hci_req_cancel(struct hci_dev *hdev, int err)
 /* Execute request and wait for completion. */
 static int __hci_request(struct hci_dev *hdev, void (*req)(struct hci_dev *hdev, unsigned long opt),
-                                unsigned long opt, __u32 timeout)
+                                        unsigned long opt, __u32 timeout)
 {
        DECLARE_WAITQUEUE(wait, current);
        int err = 0;
@@ -156,7 +157,7 @@ static int __hci_request(struct hci_dev *hdev, void (*req)(struct hci_dev *hdev,
                break;
        }
-        hdev->req_last_cmd = hdev->req_status = hdev->req_result = 0;
+        hdev->req_status = hdev->req_result = 0;
        BT_DBG("%s end: err %d", hdev->name, err);
@@ -164,7 +165,7 @@ static int __hci_request(struct hci_dev *hdev, void (*req)(struct hci_dev *hdev,
 }
 static inline int hci_request(struct hci_dev *hdev, void (*req)(struct hci_dev *hdev, unsigned long opt),
-                                unsigned long opt, __u32 timeout)
+                                        unsigned long opt, __u32 timeout)
 {
        int ret;
@@ -184,11 +185,13 @@ static void hci_reset_req(struct hci_dev *hdev, unsigned long opt)
        BT_DBG("%s %ld", hdev->name, opt);
        /* Reset device */
+        set_bit(HCI_RESET, &hdev->flags);
        hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
 }
 static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
 {
+        struct hci_cp_delete_stored_link_key cp;
        struct sk_buff *skb;
        __le16 param;
        __u8 flt_type;
@@ -210,8 +213,10 @@ static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
        /* Mandatory initialization */
        /* Reset */
-        if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks))
+        if (!test_bit(HCI_QUIRK_NO_RESET, &hdev->quirks)) {
+                        set_bit(HCI_RESET, &hdev->flags);
                        hci_send_cmd(hdev, HCI_OP_RESET, 0, NULL);
+        }
        /* Read Local Supported Features */
        hci_send_cmd(hdev, HCI_OP_READ_LOCAL_FEATURES, 0, NULL);
@@ -252,15 +257,21 @@ static void hci_init_req(struct hci_dev *hdev, unsigned long opt)
        flt_type = HCI_FLT_CLEAR_ALL;
        hci_send_cmd(hdev, HCI_OP_SET_EVENT_FLT, 1, &flt_type);
-        /* Page timeout ~20 secs */
-        param = cpu_to_le16(0x8000);
-        hci_send_cmd(hdev, HCI_OP_WRITE_PG_TIMEOUT, 2, &param);
        /* Connection accept timeout ~20 secs */
        param = cpu_to_le16(0x7d00);
        hci_send_cmd(hdev, HCI_OP_WRITE_CA_TIMEOUT, 2, &param);
-        hdev->req_last_cmd = HCI_OP_WRITE_CA_TIMEOUT;
+        bacpy(&cp.bdaddr, BDADDR_ANY);
+        cp.delete_all = 1;
+        hci_send_cmd(hdev, HCI_OP_DELETE_STORED_LINK_KEY, sizeof(cp), &cp);
+}
+static void hci_le_init_req(struct hci_dev *hdev, unsigned long opt)
+{
+        BT_DBG("%s", hdev->name);
+        /* Read LE buffer size */
+        hci_send_cmd(hdev, HCI_OP_LE_READ_BUFFER_SIZE, 0, NULL);
 }
 static void hci_scan_req(struct hci_dev *hdev, unsigned long opt)
@@ -429,7 +440,8 @@ int hci_inquiry(void __user *arg)
        if (copy_from_user(&ir, ptr, sizeof(ir)))
                return -EFAULT;
-        if (!(hdev = hci_dev_get(ir.dev_id)))
+        hdev = hci_dev_get(ir.dev_id);
+        if (!hdev)
                return -ENODEV;
        hci_dev_lock_bh(hdev);
@@ -455,7 +467,7 @@ int hci_inquiry(void __user *arg)
        /* cache_dump can't sleep. Therefore we allocate temp buffer and then
         * copy it to the user space.
         */
-        buf = kmalloc(sizeof(struct inquiry_info) *max_rsp, GFP_KERNEL);
+        buf = kmalloc(sizeof(struct inquiry_info) * max_rsp, GFP_KERNEL);
        if (!buf) {
                err = -ENOMEM;
                goto done;
@@ -489,7 +501,8 @@ int hci_dev_open(__u16 dev)
        struct hci_dev *hdev;
        int ret = 0;
-        if (!(hdev = hci_dev_get(dev)))
+        hdev = hci_dev_get(dev);
+        if (!hdev)
                return -ENODEV;
        BT_DBG("%s %p", hdev->name, hdev);
@@ -521,11 +534,15 @@ int hci_dev_open(__u16 dev)
        if (!test_bit(HCI_RAW, &hdev->flags)) {
                atomic_set(&hdev->cmd_cnt, 1);
                set_bit(HCI_INIT, &hdev->flags);
+                hdev->init_last_cmd = 0;
-                //__hci_request(hdev, hci_reset_req, 0, HZ);
                ret = __hci_request(hdev, hci_init_req, 0,
                                        msecs_to_jiffies(HCI_INIT_TIMEOUT));
+                if (lmp_le_capable(hdev))
+                        ret = __hci_request(hdev, hci_le_init_req, 0,
+                                        msecs_to_jiffies(HCI_INIT_TIMEOUT));
                clear_bit(HCI_INIT, &hdev->flags);
        }
@@ -533,6 +550,8 @@ int hci_dev_open(__u16 dev)
                hci_dev_hold(hdev);
                set_bit(HCI_UP, &hdev->flags);
                hci_notify(hdev, HCI_DEV_UP);
+                if (!test_bit(HCI_SETUP, &hdev->flags))
+                        mgmt_powered(hdev->id, 1);
        } else {
                /* Init failed, cleanup */
                tasklet_kill(&hdev->rx_task);
@@ -568,6 +587,7 @@ static int hci_dev_do_close(struct hci_dev *hdev)
        hci_req_lock(hdev);
        if (!test_and_clear_bit(HCI_UP, &hdev->flags)) {
+                del_timer_sync(&hdev->cmd_timer);
                hci_req_unlock(hdev);
                return 0;
        }
@@ -606,6 +626,7 @@ static int hci_dev_do_close(struct hci_dev *hdev)
        /* Drop last sent command */
        if (hdev->sent_cmd) {
+                del_timer_sync(&hdev->cmd_timer);
                kfree_skb(hdev->sent_cmd);
                hdev->sent_cmd = NULL;
        }
@@ -614,6 +635,8 @@ static int hci_dev_do_close(struct hci_dev *hdev)
         * and no tasks are scheduled. */
        hdev->close(hdev);
+        mgmt_powered(hdev->id, 0);
        /* Clear flags */
        hdev->flags = 0;
@@ -664,7 +687,7 @@ int hci_dev_reset(__u16 dev)
                hdev->flush(hdev);
        atomic_set(&hdev->cmd_cnt, 1);
-        hdev->acl_cnt = 0; hdev->sco_cnt = 0;
+        hdev->acl_cnt = 0; hdev->sco_cnt = 0; hdev->le_cnt = 0;
        if (!test_bit(HCI_RAW, &hdev->flags))
                ret = __hci_request(hdev, hci_reset_req, 0,
@@ -793,9 +816,17 @@ int hci_get_dev_list(void __user *arg)
        read_lock_bh(&hci_dev_list_lock);
        list_for_each(p, &hci_dev_list) {
                struct hci_dev *hdev;
                hdev = list_entry(p, struct hci_dev, list);
+                hci_del_off_timer(hdev);
+                if (!test_bit(HCI_MGMT, &hdev->flags))
+                        set_bit(HCI_PAIRABLE, &hdev->flags);
                (dr + n)->dev_id  = hdev->id;
                (dr + n)->dev_opt = hdev->flags;
                if (++n >= dev_num)
                        break;
        }
@@ -823,6 +854,11 @@ int hci_get_dev_info(void __user *arg)
        if (!hdev)
                return -ENODEV;
+        hci_del_off_timer(hdev);
+        if (!test_bit(HCI_MGMT, &hdev->flags))
+                set_bit(HCI_PAIRABLE, &hdev->flags);
        strcpy(di.name, hdev->name);
        di.bdaddr   = hdev->bdaddr;
        di.type     = (hdev->bus & 0x0f) | (hdev->dev_type << 4);
@@ -891,6 +927,281 @@ void hci_free_dev(struct hci_dev *hdev)
 }
 EXPORT_SYMBOL(hci_free_dev);
+static void hci_power_on(struct work_struct *work)
+{
+        struct hci_dev *hdev = container_of(work, struct hci_dev, power_on);
+        BT_DBG("%s", hdev->name);
+        if (hci_dev_open(hdev->id) < 0)
+                return;
+        if (test_bit(HCI_AUTO_OFF, &hdev->flags))
+                mod_timer(&hdev->off_timer,
+                                jiffies + msecs_to_jiffies(AUTO_OFF_TIMEOUT));
+        if (test_and_clear_bit(HCI_SETUP, &hdev->flags))
+                mgmt_index_added(hdev->id);
+}
+static void hci_power_off(struct work_struct *work)
+{
+        struct hci_dev *hdev = container_of(work, struct hci_dev, power_off);
+        BT_DBG("%s", hdev->name);
+        hci_dev_close(hdev->id);
+}
+static void hci_auto_off(unsigned long data)
+{
+        struct hci_dev *hdev = (struct hci_dev *) data;
+        BT_DBG("%s", hdev->name);
+        clear_bit(HCI_AUTO_OFF, &hdev->flags);
+        queue_work(hdev->workqueue, &hdev->power_off);
+}
+void hci_del_off_timer(struct hci_dev *hdev)
+{
+        BT_DBG("%s", hdev->name);
+        clear_bit(HCI_AUTO_OFF, &hdev->flags);
+        del_timer(&hdev->off_timer);
+}
+int hci_uuids_clear(struct hci_dev *hdev)
+{
+        struct list_head *p, *n;
+        list_for_each_safe(p, n, &hdev->uuids) {
+                struct bt_uuid *uuid;
+                uuid = list_entry(p, struct bt_uuid, list);
+                list_del(p);
+                kfree(uuid);
+        }
+        return 0;
+}
+int hci_link_keys_clear(struct hci_dev *hdev)
+{
+        struct list_head *p, *n;
+        list_for_each_safe(p, n, &hdev->link_keys) {
+                struct link_key *key;
+                key = list_entry(p, struct link_key, list);
+                list_del(p);
+                kfree(key);
+        }
+        return 0;
+}
+struct link_key *hci_find_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
+{
+        struct list_head *p;
+        list_for_each(p, &hdev->link_keys) {
+                struct link_key *k;
+                k = list_entry(p, struct link_key, list);
+                if (bacmp(bdaddr, &k->bdaddr) == 0)
+                        return k;
+        }
+        return NULL;
+}
+static int hci_persistent_key(struct hci_dev *hdev, struct hci_conn *conn,
+                                                u8 key_type, u8 old_key_type)
+{
+        /* Legacy key */
+        if (key_type < 0x03)
+                return 1;
+        /* Debug keys are insecure so don't store them persistently */
+        if (key_type == HCI_LK_DEBUG_COMBINATION)
+                return 0;
+        /* Changed combination key and there's no previous one */
+        if (key_type == HCI_LK_CHANGED_COMBINATION && old_key_type == 0xff)
+                return 0;
+        /* Security mode 3 case */
+        if (!conn)
+                return 1;
+        /* Neither local nor remote side had no-bonding as requirement */
+        if (conn->auth_type > 0x01 && conn->remote_auth > 0x01)
+                return 1;
+        /* Local side had dedicated bonding as requirement */
+        if (conn->auth_type == 0x02 || conn->auth_type == 0x03)
+                return 1;
+        /* Remote side had dedicated bonding as requirement */
+        if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03)
+                return 1;
+        /* If none of the above criteria match, then don't store the key
+         * persistently */
+        return 0;
+}
+int hci_add_link_key(struct hci_dev *hdev, struct hci_conn *conn, int new_key,
+                                bdaddr_t *bdaddr, u8 *val, u8 type, u8 pin_len)
+{
+        struct link_key *key, *old_key;
+        u8 old_key_type, persistent;
+        old_key = hci_find_link_key(hdev, bdaddr);
+        if (old_key) {
+                old_key_type = old_key->type;
+                key = old_key;
+        } else {
+                old_key_type = conn ? conn->key_type : 0xff;
+                key = kzalloc(sizeof(*key), GFP_ATOMIC);
+                if (!key)
+                        return -ENOMEM;
+                list_add(&key->list, &hdev->link_keys);
+        }
+        BT_DBG("%s key for %s type %u", hdev->name, batostr(bdaddr), type);
+        /* Some buggy controller combinations generate a changed
+         * combination key for legacy pairing even when there's no
+         * previous key */
+        if (type == HCI_LK_CHANGED_COMBINATION &&
+                                        (!conn || conn->remote_auth == 0xff) &&
+                                        old_key_type == 0xff) {
+                type = HCI_LK_COMBINATION;
+                if (conn)
+                        conn->key_type = type;
+        }
+        bacpy(&key->bdaddr, bdaddr);
+        memcpy(key->val, val, 16);
+        key->pin_len = pin_len;
+        if (type == HCI_LK_CHANGED_COMBINATION)
+                key->type = old_key_type;
+        else
+                key->type = type;
+        if (!new_key)
+                return 0;
+        persistent = hci_persistent_key(hdev, conn, type, old_key_type);
+        mgmt_new_key(hdev->id, key, persistent);
+        if (!persistent) {
+                list_del(&key->list);
+                kfree(key);
+        }
+        return 0;
+}
+int hci_remove_link_key(struct hci_dev *hdev, bdaddr_t *bdaddr)
+{
+        struct link_key *key;
+        key = hci_find_link_key(hdev, bdaddr);
+        if (!key)
+                return -ENOENT;
+        BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
+        list_del(&key->list);
+        kfree(key);
+        return 0;
+}
+/* HCI command timer function */
+static void hci_cmd_timer(unsigned long arg)
+{
+        struct hci_dev *hdev = (void *) arg;
+        BT_ERR("%s command tx timeout", hdev->name);
+        atomic_set(&hdev->cmd_cnt, 1);
+        clear_bit(HCI_RESET, &hdev->flags);
+        tasklet_schedule(&hdev->cmd_task);
+}
+struct oob_data *hci_find_remote_oob_data(struct hci_dev *hdev,
+                                                        bdaddr_t *bdaddr)
+{
+        struct oob_data *data;
+        list_for_each_entry(data, &hdev->remote_oob_data, list)
+                if (bacmp(bdaddr, &data->bdaddr) == 0)
+                        return data;
+        return NULL;
+}
+int hci_remove_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr)
+{
+        struct oob_data *data;
+        data = hci_find_remote_oob_data(hdev, bdaddr);
+        if (!data)
+                return -ENOENT;
+        BT_DBG("%s removing %s", hdev->name, batostr(bdaddr));
+        list_del(&data->list);
+        kfree(data);
+        return 0;
+}
+int hci_remote_oob_data_clear(struct hci_dev *hdev)
+{
+        struct oob_data *data, *n;
+        list_for_each_entry_safe(data, n, &hdev->remote_oob_data, list) {
+                list_del(&data->list);
+                kfree(data);
+        }
+        return 0;
+}
+int hci_add_remote_oob_data(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 *hash,
+                                                                u8 *randomizer)
+{
+        struct oob_data *data;
+        data = hci_find_remote_oob_data(hdev, bdaddr);
+        if (!data) {
+                data = kmalloc(sizeof(*data), GFP_ATOMIC);
+                if (!data)
+                        return -ENOMEM;
+                bacpy(&data->bdaddr, bdaddr);
+                list_add(&data->list, &hdev->remote_oob_data);
+        }
+        memcpy(data->hash, hash, sizeof(data->hash));
+        memcpy(data->randomizer, randomizer, sizeof(data->randomizer));
+        BT_DBG("%s for %s", hdev->name, batostr(bdaddr));
+        return 0;
+}
 /* Register HCI device */
 int hci_register_dev(struct hci_dev *hdev)
 {
@@ -923,6 +1234,7 @@ int hci_register_dev(struct hci_dev *hdev)
        hdev->pkt_type  = (HCI_DM1 | HCI_DH1 | HCI_HV1);
        hdev->esco_type = (ESCO_HV1);
        hdev->link_mode = (HCI_LM_ACCEPT);
+        hdev->io_capability = 0x03; /* No Input No Output */
        hdev->idle_timeout = 0;
        hdev->sniff_max_interval = 800;
@@ -936,6 +1248,8 @@ int hci_register_dev(struct hci_dev *hdev)
        skb_queue_head_init(&hdev->cmd_q);
        skb_queue_head_init(&hdev->raw_q);
+        setup_timer(&hdev->cmd_timer, hci_cmd_timer, (unsigned long) hdev);
        for (i = 0; i < NUM_REASSEMBLY; i++)
                hdev->reassembly[i] = NULL;
@@ -948,6 +1262,16 @@ int hci_register_dev(struct hci_dev *hdev)
        INIT_LIST_HEAD(&hdev->blacklist);
+        INIT_LIST_HEAD(&hdev->uuids);
+        INIT_LIST_HEAD(&hdev->link_keys);
+        INIT_LIST_HEAD(&hdev->remote_oob_data);
+        INIT_WORK(&hdev->power_on, hci_power_on);
+        INIT_WORK(&hdev->power_off, hci_power_off);
+        setup_timer(&hdev->off_timer, hci_auto_off, (unsigned long) hdev);
        memset(&hdev->stat, 0, sizeof(struct hci_dev_stats));
        atomic_set(&hdev->promisc, 0);
@@ -969,7 +1293,10 @@ int hci_register_dev(struct hci_dev *hdev)
                }
        }
-        mgmt_index_added(hdev->id);
+        set_bit(HCI_AUTO_OFF, &hdev->flags);
+        set_bit(HCI_SETUP, &hdev->flags);
+        queue_work(hdev->workqueue, &hdev->power_on);
        hci_notify(hdev, HCI_DEV_REG);
        return id;
@@ -999,7 +1326,10 @@ int hci_unregister_dev(struct hci_dev *hdev)
        for (i = 0; i < NUM_REASSEMBLY; i++)
                kfree_skb(hdev->reassembly[i]);
-        mgmt_index_removed(hdev->id);
+        if (!test_bit(HCI_INIT, &hdev->flags) &&
+                                        !test_bit(HCI_SETUP, &hdev->flags))
+                mgmt_index_removed(hdev->id);
        hci_notify(hdev, HCI_DEV_UNREG);
        if (hdev->rfkill) {
@@ -1009,10 +1339,15 @@ int hci_unregister_dev(struct hci_dev *hdev)
        hci_unregister_sysfs(hdev);
+        hci_del_off_timer(hdev);
        destroy_workqueue(hdev->workqueue);
        hci_dev_lock_bh(hdev);
        hci_blacklist_clear(hdev);
+        hci_uuids_clear(hdev);
+        hci_link_keys_clear(hdev);
+        hci_remote_oob_data_clear(hdev);
        hci_dev_unlock_bh(hdev);
        __hci_dev_put(hdev);
@@ -1062,7 +1397,7 @@ int hci_recv_frame(struct sk_buff *skb)
 EXPORT_SYMBOL(hci_recv_frame);
 static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
-                          int count, __u8 index, gfp_t gfp_mask)
+                                                  int count, __u8 index)
 {
        int len = 0;
        int hlen = 0;
@@ -1092,7 +1427,7 @@ static int hci_reassembly(struct hci_dev *hdev, int type, void *data,
                        break;
                }
-                skb = bt_skb_alloc(len, gfp_mask);
+                skb = bt_skb_alloc(len, GFP_ATOMIC);
                if (!skb)
                        return -ENOMEM;
@@ -1178,8 +1513,7 @@ int hci_recv_fragment(struct hci_dev *hdev, int type, void *data, int count)
                return -EILSEQ;
        while (count) {
-                rem = hci_reassembly(hdev, type, data, count,
+                rem = hci_reassembly(hdev, type, data, count, type - 1);
-                                                type - 1, GFP_ATOMIC);
                if (rem < 0)
                        return rem;
@@ -1213,8 +1547,8 @@ int hci_recv_stream_fragment(struct hci_dev *hdev, void *data, int count)
                } else
                        type = bt_cb(skb)->pkt_type;
-                rem = hci_reassembly(hdev, type, data,
+                rem = hci_reassembly(hdev, type, data, count,
-                                        count, STREAM_REASSEMBLY, GFP_ATOMIC);
+                                                        STREAM_REASSEMBLY);
                if (rem < 0)
                        return rem;
@@ -1313,7 +1647,7 @@ static int hci_send_frame(struct sk_buff *skb)
                /* Time stamp */
                __net_timestamp(skb);
-                hci_send_to_sock(hdev, skb);
+                hci_send_to_sock(hdev, skb, NULL);
        }
        /* Get rid of skb owner, prior to sending to the driver. */
@@ -1349,6 +1683,9 @@ int hci_send_cmd(struct hci_dev *hdev, __u16 opcode, __u32 plen, void *param)
        bt_cb(skb)->pkt_type = HCI_COMMAND_PKT;
        skb->dev = (void *) hdev;
+        if (test_bit(HCI_INIT, &hdev->flags))
+                hdev->init_last_cmd = opcode;
        skb_queue_tail(&hdev->cmd_q, skb);
        tasklet_schedule(&hdev->cmd_task);
@@ -1395,7 +1732,7 @@ void hci_send_acl(struct hci_conn *conn, struct sk_buff *skb, __u16 flags)
        skb->dev = (void *) hdev;
        bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
-        hci_add_acl_hdr(skb, conn->handle, flags | ACL_START);
+        hci_add_acl_hdr(skb, conn->handle, flags);
        list = skb_shinfo(skb)->frag_list;
        if (!list) {
@@ -1413,12 +1750,15 @@ void hci_send_acl(struct hci_conn *conn, struct sk_buff *skb, __u16 flags)
                spin_lock_bh(&conn->data_q.lock);
                __skb_queue_tail(&conn->data_q, skb);
+                flags &= ~ACL_START;
+                flags |= ACL_CONT;
                do {
                        skb = list; list = list->next;
                        skb->dev = (void *) hdev;
                        bt_cb(skb)->pkt_type = HCI_ACLDATA_PKT;
-                        hci_add_acl_hdr(skb, conn->handle, flags | ACL_CONT);
+                        hci_add_acl_hdr(skb, conn->handle, flags);
                        BT_DBG("%s frag %p len %d", hdev->name, skb, skb->len);
@@ -1486,8 +1826,25 @@ static inline struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type, int
        }
        if (conn) {
-                int cnt = (type == ACL_LINK ? hdev->acl_cnt : hdev->sco_cnt);
+                int cnt, q;
-                int q = cnt / num;
+                switch (conn->type) {
+                case ACL_LINK:
+                        cnt = hdev->acl_cnt;
+                        break;
+                case SCO_LINK:
+                case ESCO_LINK:
+                        cnt = hdev->sco_cnt;
+                        break;
+                case LE_LINK:
+                        cnt = hdev->le_mtu ? hdev->le_cnt : hdev->acl_cnt;
+                        break;
+                default:
+                        cnt = 0;
+                        BT_ERR("Unknown link type");
+                }
+                q = cnt / num;
                *quote = q ? q : 1;
        } else
                *quote = 0;
@@ -1496,19 +1853,19 @@ static inline struct hci_conn *hci_low_sent(struct hci_dev *hdev, __u8 type, int
        return conn;
 }
-static inline void hci_acl_tx_to(struct hci_dev *hdev)
+static inline void hci_link_tx_to(struct hci_dev *hdev, __u8 type)
 {
        struct hci_conn_hash *h = &hdev->conn_hash;
        struct list_head *p;
        struct hci_conn  *c;
-        BT_ERR("%s ACL tx timeout", hdev->name);
+        BT_ERR("%s link tx timeout", hdev->name);
        /* Kill stalled connections */
        list_for_each(p, &h->list) {
                c = list_entry(p, struct hci_conn, list);
-                if (c->type == ACL_LINK && c->sent) {
+                if (c->type == type && c->sent) {
-                        BT_ERR("%s killing stalled ACL connection %s",
+                        BT_ERR("%s killing stalled connection %s",
                                hdev->name, batostr(&c->dst));
                        hci_acl_disconn(c, 0x13);
                }
@@ -1527,7 +1884,7 @@ static inline void hci_sched_acl(struct hci_dev *hdev)
                /* ACL tx timeout must be longer than maximum
                 * link supervision timeout (40.9 seconds) */
                if (!hdev->acl_cnt && time_after(jiffies, hdev->acl_last_tx + HZ * 45))
-                        hci_acl_tx_to(hdev);
+                        hci_link_tx_to(hdev, ACL_LINK);
        }
        while (hdev->acl_cnt && (conn = hci_low_sent(hdev, ACL_LINK, &quote))) {
@@ -1586,6 +1943,40 @@ static inline void hci_sched_esco(struct hci_dev *hdev)
        }
 }
+static inline void hci_sched_le(struct hci_dev *hdev)
+{
+        struct hci_conn *conn;
+        struct sk_buff *skb;
+        int quote, cnt;
+        BT_DBG("%s", hdev->name);
+        if (!test_bit(HCI_RAW, &hdev->flags)) {
+                /* LE tx timeout must be longer than maximum
+                 * link supervision timeout (40.9 seconds) */
+                if (!hdev->le_cnt && hdev->le_pkts &&
+                                time_after(jiffies, hdev->le_last_tx + HZ * 45))
+                        hci_link_tx_to(hdev, LE_LINK);
+        }
+        cnt = hdev->le_pkts ? hdev->le_cnt : hdev->acl_cnt;
+        while (cnt && (conn = hci_low_sent(hdev, LE_LINK, &quote))) {
+                while (quote-- && (skb = skb_dequeue(&conn->data_q))) {
+                        BT_DBG("skb %p len %d", skb, skb->len);
+                        hci_send_frame(skb);
+                        hdev->le_last_tx = jiffies;
+                        cnt--;
+                        conn->sent++;
+                }
+        }
+        if (hdev->le_pkts)
+                hdev->le_cnt = cnt;
+        else
+                hdev->acl_cnt = cnt;
+}
 static void hci_tx_task(unsigned long arg)
 {
        struct hci_dev *hdev = (struct hci_dev *) arg;
@@ -1593,7 +1984,8 @@ static void hci_tx_task(unsigned long arg)
        read_lock(&hci_task_lock);
-        BT_DBG("%s acl %d sco %d", hdev->name, hdev->acl_cnt, hdev->sco_cnt);
+        BT_DBG("%s acl %d sco %d le %d", hdev->name, hdev->acl_cnt,
+                hdev->sco_cnt, hdev->le_cnt);
        /* Schedule queues and send stuff to HCI driver */
@@ -1603,6 +1995,8 @@ static void hci_tx_task(unsigned long arg)
        hci_sched_esco(hdev);
+        hci_sched_le(hdev);
        /* Send next queued raw (unknown type) packet */
        while ((skb = skb_dequeue(&hdev->raw_q)))
                hci_send_frame(skb);
@@ -1610,7 +2004,7 @@ static void hci_tx_task(unsigned long arg)
        read_unlock(&hci_task_lock);
 }
-/* ----- HCI RX task (incoming data proccessing) ----- */
+/* ----- HCI RX task (incoming data processing) ----- */
 /* ACL data packet */
 static inline void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
@@ -1700,7 +2094,7 @@ static void hci_rx_task(unsigned long arg)
        while ((skb = skb_dequeue(&hdev->rx_q))) {
                if (atomic_read(&hdev->promisc)) {
                        /* Send copy to the sockets */
-                        hci_send_to_sock(hdev, skb);
+                        hci_send_to_sock(hdev, skb, NULL);
                }
                if (test_bit(HCI_RAW, &hdev->flags)) {
@@ -1750,20 +2144,20 @@ static void hci_cmd_task(unsigned long arg)
        BT_DBG("%s cmd %d", hdev->name, atomic_read(&hdev->cmd_cnt));
-        if (!atomic_read(&hdev->cmd_cnt) && time_after(jiffies, hdev->cmd_last_tx + HZ)) {
-                BT_ERR("%s command tx timeout", hdev->name);
-                atomic_set(&hdev->cmd_cnt, 1);
-        }
        /* Send queued commands */
-        if (atomic_read(&hdev->cmd_cnt) && (skb = skb_dequeue(&hdev->cmd_q))) {
+        if (atomic_read(&hdev->cmd_cnt)) {
+                skb = skb_dequeue(&hdev->cmd_q);
+                if (!skb)
+                        return;
                kfree_skb(hdev->sent_cmd);
                hdev->sent_cmd = skb_clone(skb, GFP_ATOMIC);
                if (hdev->sent_cmd) {
                        atomic_dec(&hdev->cmd_cnt);
                        hci_send_frame(skb);
-                        hdev->cmd_last_tx = jiffies;
+                        mod_timer(&hdev->cmd_timer,
+                                  jiffies + msecs_to_jiffies(HCI_CMD_TIMEOUT));
                } else {
                        skb_queue_head(&hdev->cmd_q, skb);
                        tasklet_schedule(&hdev->cmd_task);
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index a290854fdaa6..f13ddbf858ba 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -56,7 +56,9 @@ static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
        if (status)
                return;
-        clear_bit(HCI_INQUIRY, &hdev->flags);
+        if (test_bit(HCI_MGMT, &hdev->flags) &&
+                                test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
+                mgmt_discovering(hdev->id, 0);
        hci_req_complete(hdev, HCI_OP_INQUIRY_CANCEL, status);
@@ -72,7 +74,9 @@ static void hci_cc_exit_periodic_inq(struct hci_dev *hdev, struct sk_buff *skb)
        if (status)
                return;
-        clear_bit(HCI_INQUIRY, &hdev->flags);
+        if (test_bit(HCI_MGMT, &hdev->flags) &&
+                                test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
+                mgmt_discovering(hdev->id, 0);
        hci_conn_check_pending(hdev);
 }
@@ -183,6 +187,8 @@ static void hci_cc_reset(struct hci_dev *hdev, struct sk_buff *skb)
        BT_DBG("%s status 0x%x", hdev->name, status);
+        clear_bit(HCI_RESET, &hdev->flags);
        hci_req_complete(hdev, HCI_OP_RESET, status);
 }
@@ -193,14 +199,17 @@ static void hci_cc_write_local_name(struct hci_dev *hdev, struct sk_buff *skb)
        BT_DBG("%s status 0x%x", hdev->name, status);
-        if (status)
-                return;
        sent = hci_sent_cmd_data(hdev, HCI_OP_WRITE_LOCAL_NAME);
        if (!sent)
                return;
-        memcpy(hdev->dev_name, sent, 248);
+        if (test_bit(HCI_MGMT, &hdev->flags))
+                mgmt_set_local_name_complete(hdev->id, sent, status);
+        if (status)
+                return;
+        memcpy(hdev->dev_name, sent, HCI_MAX_NAME_LENGTH);
 }
 static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
@@ -212,7 +221,7 @@ static void hci_cc_read_local_name(struct hci_dev *hdev, struct sk_buff *skb)
        if (rp->status)
                return;
-        memcpy(hdev->dev_name, rp->name, 248);
+        memcpy(hdev->dev_name, rp->name, HCI_MAX_NAME_LENGTH);
 }
 static void hci_cc_write_auth_enable(struct hci_dev *hdev, struct sk_buff *skb)
@@ -274,15 +283,24 @@ static void hci_cc_write_scan_enable(struct hci_dev *hdev, struct sk_buff *skb)
        if (!status) {
                __u8 param = *((__u8 *) sent);
+                int old_pscan, old_iscan;
-                clear_bit(HCI_PSCAN, &hdev->flags);
+                old_pscan = test_and_clear_bit(HCI_PSCAN, &hdev->flags);
-                clear_bit(HCI_ISCAN, &hdev->flags);
+                old_iscan = test_and_clear_bit(HCI_ISCAN, &hdev->flags);
-                if (param & SCAN_INQUIRY)
+                if (param & SCAN_INQUIRY) {
                        set_bit(HCI_ISCAN, &hdev->flags);
+                        if (!old_iscan)
+                                mgmt_discoverable(hdev->id, 1);
+                } else if (old_iscan)
+                        mgmt_discoverable(hdev->id, 0);
-                if (param & SCAN_PAGE)
+                if (param & SCAN_PAGE) {
                        set_bit(HCI_PSCAN, &hdev->flags);
+                        if (!old_pscan)
+                                mgmt_connectable(hdev->id, 1);
+                } else if (old_pscan)
+                        mgmt_connectable(hdev->id, 0);
        }
        hci_req_complete(hdev, HCI_OP_WRITE_SCAN_ENABLE, status);
@@ -415,6 +433,115 @@ static void hci_cc_write_ssp_mode(struct hci_dev *hdev, struct sk_buff *skb)
        hdev->ssp_mode = *((__u8 *) sent);
 }
+static u8 hci_get_inquiry_mode(struct hci_dev *hdev)
+{
+        if (hdev->features[6] & LMP_EXT_INQ)
+                return 2;
+        if (hdev->features[3] & LMP_RSSI_INQ)
+                return 1;
+        if (hdev->manufacturer == 11 && hdev->hci_rev == 0x00 &&
+                                                hdev->lmp_subver == 0x0757)
+                return 1;
+        if (hdev->manufacturer == 15) {
+                if (hdev->hci_rev == 0x03 && hdev->lmp_subver == 0x6963)
+                        return 1;
+                if (hdev->hci_rev == 0x09 && hdev->lmp_subver == 0x6963)
+                        return 1;
+                if (hdev->hci_rev == 0x00 && hdev->lmp_subver == 0x6965)
+                        return 1;
+        }
+        if (hdev->manufacturer == 31 && hdev->hci_rev == 0x2005 &&
+                                                hdev->lmp_subver == 0x1805)
+                return 1;
+        return 0;
+}
+static void hci_setup_inquiry_mode(struct hci_dev *hdev)
+{
+        u8 mode;
+        mode = hci_get_inquiry_mode(hdev);
+        hci_send_cmd(hdev, HCI_OP_WRITE_INQUIRY_MODE, 1, &mode);
+}
+static void hci_setup_event_mask(struct hci_dev *hdev)
+{
+        /* The second byte is 0xff instead of 0x9f (two reserved bits
+         * disabled) since a Broadcom 1.2 dongle doesn't respond to the
+         * command otherwise */
+        u8 events[8] = { 0xff, 0xff, 0xfb, 0xff, 0x00, 0x00, 0x00, 0x00 };
+        /* Events for 1.2 and newer controllers */
+        if (hdev->lmp_ver > 1) {
+                events[4] |= 0x01; /* Flow Specification Complete */
+                events[4] |= 0x02; /* Inquiry Result with RSSI */
+                events[4] |= 0x04; /* Read Remote Extended Features Complete */
+                events[5] |= 0x08; /* Synchronous Connection Complete */
+                events[5] |= 0x10; /* Synchronous Connection Changed */
+        }
+        if (hdev->features[3] & LMP_RSSI_INQ)
+                events[4] |= 0x04; /* Inquiry Result with RSSI */
+        if (hdev->features[5] & LMP_SNIFF_SUBR)
+                events[5] |= 0x20; /* Sniff Subrating */
+        if (hdev->features[5] & LMP_PAUSE_ENC)
+                events[5] |= 0x80; /* Encryption Key Refresh Complete */
+        if (hdev->features[6] & LMP_EXT_INQ)
+                events[5] |= 0x40; /* Extended Inquiry Result */
+        if (hdev->features[6] & LMP_NO_FLUSH)
+                events[7] |= 0x01; /* Enhanced Flush Complete */
+        if (hdev->features[7] & LMP_LSTO)
+                events[6] |= 0x80; /* Link Supervision Timeout Changed */
+        if (hdev->features[6] & LMP_SIMPLE_PAIR) {
+                events[6] |= 0x01;      /* IO Capability Request */
+                events[6] |= 0x02;      /* IO Capability Response */
+                events[6] |= 0x04;      /* User Confirmation Request */
+                events[6] |= 0x08;      /* User Passkey Request */
+                events[6] |= 0x10;      /* Remote OOB Data Request */
+                events[6] |= 0x20;      /* Simple Pairing Complete */
+                events[7] |= 0x04;      /* User Passkey Notification */
+                events[7] |= 0x08;      /* Keypress Notification */
+                events[7] |= 0x10;      /* Remote Host Supported
+                                         * Features Notification */
+        }
+        if (hdev->features[4] & LMP_LE)
+                events[7] |= 0x20;      /* LE Meta-Event */
+        hci_send_cmd(hdev, HCI_OP_SET_EVENT_MASK, sizeof(events), events);
+}
+static void hci_setup(struct hci_dev *hdev)
+{
+        hci_setup_event_mask(hdev);
+        if (hdev->lmp_ver > 1)
+                hci_send_cmd(hdev, HCI_OP_READ_LOCAL_COMMANDS, 0, NULL);
+        if (hdev->features[6] & LMP_SIMPLE_PAIR) {
+                u8 mode = 0x01;
+                hci_send_cmd(hdev, HCI_OP_WRITE_SSP_MODE, sizeof(mode), &mode);
+        }
+        if (hdev->features[3] & LMP_RSSI_INQ)
+                hci_setup_inquiry_mode(hdev);
+        if (hdev->features[7] & LMP_INQ_TX_PWR)
+                hci_send_cmd(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, 0, NULL);
+}
 static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
 {
        struct hci_rp_read_local_version *rp = (void *) skb->data;
@@ -426,11 +553,34 @@ static void hci_cc_read_local_version(struct hci_dev *hdev, struct sk_buff *skb)
        hdev->hci_ver = rp->hci_ver;
        hdev->hci_rev = __le16_to_cpu(rp->hci_rev);
+        hdev->lmp_ver = rp->lmp_ver;
        hdev->manufacturer = __le16_to_cpu(rp->manufacturer);
+        hdev->lmp_subver = __le16_to_cpu(rp->lmp_subver);
        BT_DBG("%s manufacturer %d hci ver %d:%d", hdev->name,
                                        hdev->manufacturer,
                                        hdev->hci_ver, hdev->hci_rev);
+        if (test_bit(HCI_INIT, &hdev->flags))
+                hci_setup(hdev);
+}
+static void hci_setup_link_policy(struct hci_dev *hdev)
+{
+        u16 link_policy = 0;
+        if (hdev->features[0] & LMP_RSWITCH)
+                link_policy |= HCI_LP_RSWITCH;
+        if (hdev->features[0] & LMP_HOLD)
+                link_policy |= HCI_LP_HOLD;
+        if (hdev->features[0] & LMP_SNIFF)
+                link_policy |= HCI_LP_SNIFF;
+        if (hdev->features[1] & LMP_PARK)
+                link_policy |= HCI_LP_PARK;
+        link_policy = cpu_to_le16(link_policy);
+        hci_send_cmd(hdev, HCI_OP_WRITE_DEF_LINK_POLICY,
+                                        sizeof(link_policy), &link_policy);
 }
 static void hci_cc_read_local_commands(struct hci_dev *hdev, struct sk_buff *skb)
@@ -440,9 +590,15 @@ static void hci_cc_read_local_commands(struct hci_dev *hdev, struct sk_buff *skb
        BT_DBG("%s status 0x%x", hdev->name, rp->status);
        if (rp->status)
-                return;
+                goto done;
        memcpy(hdev->commands, rp->commands, sizeof(hdev->commands));
+        if (test_bit(HCI_INIT, &hdev->flags) && (hdev->commands[5] & 0x10))
+                hci_setup_link_policy(hdev);
+done:
+        hci_req_complete(hdev, HCI_OP_READ_LOCAL_COMMANDS, rp->status);
 }
 static void hci_cc_read_local_features(struct hci_dev *hdev, struct sk_buff *skb)
@@ -548,16 +704,155 @@ static void hci_cc_write_ca_timeout(struct hci_dev *hdev, struct sk_buff *skb)
        hci_req_complete(hdev, HCI_OP_WRITE_CA_TIMEOUT, status);
 }
+static void hci_cc_delete_stored_link_key(struct hci_dev *hdev,
+                                                        struct sk_buff *skb)
+{
+        __u8 status = *((__u8 *) skb->data);
+        BT_DBG("%s status 0x%x", hdev->name, status);
+        hci_req_complete(hdev, HCI_OP_DELETE_STORED_LINK_KEY, status);
+}
+static void hci_cc_set_event_mask(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        __u8 status = *((__u8 *) skb->data);
+        BT_DBG("%s status 0x%x", hdev->name, status);
+        hci_req_complete(hdev, HCI_OP_SET_EVENT_MASK, status);
+}
+static void hci_cc_write_inquiry_mode(struct hci_dev *hdev,
+                                                        struct sk_buff *skb)
+{
+        __u8 status = *((__u8 *) skb->data);
+        BT_DBG("%s status 0x%x", hdev->name, status);
+        hci_req_complete(hdev, HCI_OP_WRITE_INQUIRY_MODE, status);
+}
+static void hci_cc_read_inq_rsp_tx_power(struct hci_dev *hdev,
+                                                        struct sk_buff *skb)
+{
+        __u8 status = *((__u8 *) skb->data);
+        BT_DBG("%s status 0x%x", hdev->name, status);
+        hci_req_complete(hdev, HCI_OP_READ_INQ_RSP_TX_POWER, status);
+}
+static void hci_cc_set_event_flt(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        __u8 status = *((__u8 *) skb->data);
+        BT_DBG("%s status 0x%x", hdev->name, status);
+        hci_req_complete(hdev, HCI_OP_SET_EVENT_FLT, status);
+}
+static void hci_cc_pin_code_reply(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        struct hci_rp_pin_code_reply *rp = (void *) skb->data;
+        struct hci_cp_pin_code_reply *cp;
+        struct hci_conn *conn;
+        BT_DBG("%s status 0x%x", hdev->name, rp->status);
+        if (test_bit(HCI_MGMT, &hdev->flags))
+                mgmt_pin_code_reply_complete(hdev->id, &rp->bdaddr, rp->status);
+        if (rp->status != 0)
+                return;
+        cp = hci_sent_cmd_data(hdev, HCI_OP_PIN_CODE_REPLY);
+        if (!cp)
+                return;
+        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
+        if (conn)
+                conn->pin_length = cp->pin_len;
+}
+static void hci_cc_pin_code_neg_reply(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        struct hci_rp_pin_code_neg_reply *rp = (void *) skb->data;
+        BT_DBG("%s status 0x%x", hdev->name, rp->status);
+        if (test_bit(HCI_MGMT, &hdev->flags))
+                mgmt_pin_code_neg_reply_complete(hdev->id, &rp->bdaddr,
+                                                                rp->status);
+}
+static void hci_cc_le_read_buffer_size(struct hci_dev *hdev,
+                                       struct sk_buff *skb)
+{
+        struct hci_rp_le_read_buffer_size *rp = (void *) skb->data;
+        BT_DBG("%s status 0x%x", hdev->name, rp->status);
+        if (rp->status)
+                return;
+        hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
+        hdev->le_pkts = rp->le_max_pkt;
+        hdev->le_cnt = hdev->le_pkts;
+        BT_DBG("%s le mtu %d:%d", hdev->name, hdev->le_mtu, hdev->le_pkts);
+        hci_req_complete(hdev, HCI_OP_LE_READ_BUFFER_SIZE, rp->status);
+}
+static void hci_cc_user_confirm_reply(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
+        BT_DBG("%s status 0x%x", hdev->name, rp->status);
+        if (test_bit(HCI_MGMT, &hdev->flags))
+                mgmt_user_confirm_reply_complete(hdev->id, &rp->bdaddr,
+                                                                rp->status);
+}
+static void hci_cc_user_confirm_neg_reply(struct hci_dev *hdev,
+                                                        struct sk_buff *skb)
+{
+        struct hci_rp_user_confirm_reply *rp = (void *) skb->data;
+        BT_DBG("%s status 0x%x", hdev->name, rp->status);
+        if (test_bit(HCI_MGMT, &hdev->flags))
+                mgmt_user_confirm_neg_reply_complete(hdev->id, &rp->bdaddr,
+                                                                rp->status);
+}
+static void hci_cc_read_local_oob_data_reply(struct hci_dev *hdev,
+                                                        struct sk_buff *skb)
+{
+        struct hci_rp_read_local_oob_data *rp = (void *) skb->data;
+        BT_DBG("%s status 0x%x", hdev->name, rp->status);
+        mgmt_read_local_oob_data_reply_complete(hdev->id, rp->hash,
+                                                rp->randomizer, rp->status);
+}
 static inline void hci_cs_inquiry(struct hci_dev *hdev, __u8 status)
 {
        BT_DBG("%s status 0x%x", hdev->name, status);
        if (status) {
                hci_req_complete(hdev, HCI_OP_INQUIRY, status);
                hci_conn_check_pending(hdev);
-        } else
+                return;
-                set_bit(HCI_INQUIRY, &hdev->flags);
+        }
+        if (test_bit(HCI_MGMT, &hdev->flags) &&
+                                        !test_and_set_bit(HCI_INQUIRY,
+                                                        &hdev->flags))
+                mgmt_discovering(hdev->id, 1);
 }
 static inline void hci_cs_create_conn(struct hci_dev *hdev, __u8 status)
@@ -622,11 +917,14 @@ static void hci_cs_add_sco(struct hci_dev *hdev, __u8 status)
        hci_dev_lock(hdev);
        acl = hci_conn_hash_lookup_handle(hdev, handle);
-        if (acl && (sco = acl->link)) {
+        if (acl) {
-                sco->state = BT_CLOSED;
+                sco = acl->link;
+                if (sco) {
+                        sco->state = BT_CLOSED;
-                hci_proto_connect_cfm(sco, status);
+                        hci_proto_connect_cfm(sco, status);
-                hci_conn_del(sco);
+                        hci_conn_del(sco);
+                }
        }
        hci_dev_unlock(hdev);
@@ -687,7 +985,7 @@ static void hci_cs_set_conn_encrypt(struct hci_dev *hdev, __u8 status)
 }
 static int hci_outgoing_auth_needed(struct hci_dev *hdev,
-                                                struct hci_conn *conn)
+                                                        struct hci_conn *conn)
 {
        if (conn->state != BT_CONFIG || !conn->out)
                return 0;
@@ -723,12 +1021,19 @@ static void hci_cs_remote_name_req(struct hci_dev *hdev, __u8 status)
        hci_dev_lock(hdev);
        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
-        if (conn && hci_outgoing_auth_needed(hdev, conn)) {
+        if (!conn)
+                goto unlock;
+        if (!hci_outgoing_auth_needed(hdev, conn))
+                goto unlock;
+        if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
                struct hci_cp_auth_requested cp;
                cp.handle = __cpu_to_le16(conn->handle);
                hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
        }
+unlock:
        hci_dev_unlock(hdev);
 }
@@ -808,11 +1113,14 @@ static void hci_cs_setup_sync_conn(struct hci_dev *hdev, __u8 status)
        hci_dev_lock(hdev);
        acl = hci_conn_hash_lookup_handle(hdev, handle);
-        if (acl && (sco = acl->link)) {
+        if (acl) {
-                sco->state = BT_CLOSED;
+                sco = acl->link;
+                if (sco) {
+                        sco->state = BT_CLOSED;
-                hci_proto_connect_cfm(sco, status);
+                        hci_proto_connect_cfm(sco, status);
-                hci_conn_del(sco);
+                        hci_conn_del(sco);
+                }
        }
        hci_dev_unlock(hdev);
@@ -872,13 +1180,52 @@ static void hci_cs_exit_sniff_mode(struct hci_dev *hdev, __u8 status)
        hci_dev_unlock(hdev);
 }
+static void hci_cs_le_create_conn(struct hci_dev *hdev, __u8 status)
+{
+        struct hci_cp_le_create_conn *cp;
+        struct hci_conn *conn;
+        BT_DBG("%s status 0x%x", hdev->name, status);
+        cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
+        if (!cp)
+                return;
+        hci_dev_lock(hdev);
+        conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
+        BT_DBG("%s bdaddr %s conn %p", hdev->name, batostr(&cp->peer_addr),
+                conn);
+        if (status) {
+                if (conn && conn->state == BT_CONNECT) {
+                        conn->state = BT_CLOSED;
+                        hci_proto_connect_cfm(conn, status);
+                        hci_conn_del(conn);
+                }
+        } else {
+                if (!conn) {
+                        conn = hci_conn_add(hdev, LE_LINK, &cp->peer_addr);
+                        if (conn)
+                                conn->out = 1;
+                        else
+                                BT_ERR("No memory for new connection");
+                }
+        }
+        hci_dev_unlock(hdev);
+}
 static inline void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
        __u8 status = *((__u8 *) skb->data);
        BT_DBG("%s status %d", hdev->name, status);
-        clear_bit(HCI_INQUIRY, &hdev->flags);
+        if (test_bit(HCI_MGMT, &hdev->flags) &&
+                                test_and_clear_bit(HCI_INQUIRY, &hdev->flags))
+                mgmt_discovering(hdev->id, 0);
        hci_req_complete(hdev, HCI_OP_INQUIRY, status);
@@ -898,7 +1245,13 @@ static inline void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *
        hci_dev_lock(hdev);
-        for (; num_rsp; num_rsp--) {
+        if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
+                if (test_bit(HCI_MGMT, &hdev->flags))
+                        mgmt_discovering(hdev->id, 1);
+        }
+        for (; num_rsp; num_rsp--, info++) {
                bacpy(&data.bdaddr, &info->bdaddr);
                data.pscan_rep_mode     = info->pscan_rep_mode;
                data.pscan_period_mode  = info->pscan_period_mode;
@@ -907,8 +1260,9 @@ static inline void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *
                data.clock_offset       = info->clock_offset;
                data.rssi               = 0x00;
                data.ssp_mode           = 0x00;
-                info++;
                hci_inquiry_cache_update(hdev, &data);
+                mgmt_device_found(hdev->id, &info->bdaddr, info->dev_class, 0,
+                                                                        NULL);
        }
        hci_dev_unlock(hdev);
@@ -942,6 +1296,7 @@ static inline void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *s
                        conn->state = BT_CONFIG;
                        hci_conn_hold(conn);
                        conn->disc_timeout = HCI_DISCONN_TIMEOUT;
+                        mgmt_connected(hdev->id, &ev->bdaddr);
                } else
                        conn->state = BT_CONNECTED;
@@ -970,8 +1325,11 @@ static inline void hci_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *s
                        hci_send_cmd(hdev, HCI_OP_CHANGE_CONN_PTYPE,
                                                        sizeof(cp), &cp);
                }
-        } else
+        } else {
                conn->state = BT_CLOSED;
+                if (conn->type == ACL_LINK)
+                        mgmt_connect_failed(hdev->id, &ev->bdaddr, ev->status);
+        }
        if (conn->type == ACL_LINK)
                hci_sco_setup(conn, ev->status);
@@ -998,7 +1356,8 @@ static inline void hci_conn_request_evt(struct hci_dev *hdev, struct sk_buff *sk
        mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type);
-        if ((mask & HCI_LM_ACCEPT) && !hci_blacklist_lookup(hdev, &ev->bdaddr)) {
+        if ((mask & HCI_LM_ACCEPT) &&
+                        !hci_blacklist_lookup(hdev, &ev->bdaddr)) {
                /* Connection accepted */
                struct inquiry_entry *ie;
                struct hci_conn *conn;
@@ -1068,19 +1427,26 @@ static inline void hci_disconn_complete_evt(struct hci_dev *hdev, struct sk_buff
        BT_DBG("%s status %d", hdev->name, ev->status);
-        if (ev->status)
+        if (ev->status) {
+                mgmt_disconnect_failed(hdev->id);
                return;
+        }
        hci_dev_lock(hdev);
        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
-        if (conn) {
+        if (!conn)
-                conn->state = BT_CLOSED;
+                goto unlock;
-                hci_proto_disconn_cfm(conn, ev->reason);
+        conn->state = BT_CLOSED;
-                hci_conn_del(conn);
-        }
+        if (conn->type == ACL_LINK || conn->type == LE_LINK)
+                mgmt_disconnected(hdev->id, &conn->dst);
+        hci_proto_disconn_cfm(conn, ev->reason);
+        hci_conn_del(conn);
+unlock:
        hci_dev_unlock(hdev);
 }
@@ -1098,8 +1464,9 @@ static inline void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *s
                if (!ev->status) {
                        conn->link_mode |= HCI_LM_AUTH;
                        conn->sec_level = conn->pending_sec_level;
-                } else
+                } else {
-                        conn->sec_level = BT_SECURITY_LOW;
+                        mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
+                }
                clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);
@@ -1152,13 +1519,23 @@ static inline void hci_remote_name_evt(struct hci_dev *hdev, struct sk_buff *skb
        hci_dev_lock(hdev);
+        if (ev->status == 0 && test_bit(HCI_MGMT, &hdev->flags))
+                mgmt_remote_name(hdev->id, &ev->bdaddr, ev->name);
        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
-        if (conn && hci_outgoing_auth_needed(hdev, conn)) {
+        if (!conn)
+                goto unlock;
+        if (!hci_outgoing_auth_needed(hdev, conn))
+                goto unlock;
+        if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
                struct hci_cp_auth_requested cp;
                cp.handle = __cpu_to_le16(conn->handle);
                hci_send_cmd(hdev, HCI_OP_AUTH_REQUESTED, sizeof(cp), &cp);
        }
+unlock:
        hci_dev_unlock(hdev);
 }
@@ -1393,11 +1770,58 @@ static inline void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *sk
                hci_cc_write_ca_timeout(hdev, skb);
                break;
+        case HCI_OP_DELETE_STORED_LINK_KEY:
+                hci_cc_delete_stored_link_key(hdev, skb);
+                break;
+        case HCI_OP_SET_EVENT_MASK:
+                hci_cc_set_event_mask(hdev, skb);
+                break;
+        case HCI_OP_WRITE_INQUIRY_MODE:
+                hci_cc_write_inquiry_mode(hdev, skb);
+                break;
+        case HCI_OP_READ_INQ_RSP_TX_POWER:
+                hci_cc_read_inq_rsp_tx_power(hdev, skb);
+                break;
+        case HCI_OP_SET_EVENT_FLT:
+                hci_cc_set_event_flt(hdev, skb);
+                break;
+        case HCI_OP_PIN_CODE_REPLY:
+                hci_cc_pin_code_reply(hdev, skb);
+                break;
+        case HCI_OP_PIN_CODE_NEG_REPLY:
+                hci_cc_pin_code_neg_reply(hdev, skb);
+                break;
+        case HCI_OP_READ_LOCAL_OOB_DATA:
+                hci_cc_read_local_oob_data_reply(hdev, skb);
+                break;
+        case HCI_OP_LE_READ_BUFFER_SIZE:
+                hci_cc_le_read_buffer_size(hdev, skb);
+                break;
+        case HCI_OP_USER_CONFIRM_REPLY:
+                hci_cc_user_confirm_reply(hdev, skb);
+                break;
+        case HCI_OP_USER_CONFIRM_NEG_REPLY:
+                hci_cc_user_confirm_neg_reply(hdev, skb);
+                break;
        default:
                BT_DBG("%s opcode 0x%x", hdev->name, opcode);
                break;
        }
+        if (ev->opcode != HCI_OP_NOP)
+                del_timer(&hdev->cmd_timer);
        if (ev->ncmd) {
                atomic_set(&hdev->cmd_cnt, 1);
                if (!skb_queue_empty(&hdev->cmd_q))
@@ -1459,12 +1883,24 @@ static inline void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
                hci_cs_exit_sniff_mode(hdev, ev->status);
                break;
+        case HCI_OP_DISCONNECT:
+                if (ev->status != 0)
+                        mgmt_disconnect_failed(hdev->id);
+                break;
+        case HCI_OP_LE_CREATE_CONN:
+                hci_cs_le_create_conn(hdev, ev->status);
+                break;
        default:
                BT_DBG("%s opcode 0x%x", hdev->name, opcode);
                break;
        }
-        if (ev->ncmd) {
+        if (ev->opcode != HCI_OP_NOP)
+                del_timer(&hdev->cmd_timer);
+        if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
                atomic_set(&hdev->cmd_cnt, 1);
                if (!skb_queue_empty(&hdev->cmd_q))
                        tasklet_schedule(&hdev->cmd_task);
@@ -1529,6 +1965,16 @@ static inline void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *s
                                hdev->acl_cnt += count;
                                if (hdev->acl_cnt > hdev->acl_pkts)
                                        hdev->acl_cnt = hdev->acl_pkts;
+                        } else if (conn->type == LE_LINK) {
+                                if (hdev->le_pkts) {
+                                        hdev->le_cnt += count;
+                                        if (hdev->le_cnt > hdev->le_pkts)
+                                                hdev->le_cnt = hdev->le_pkts;
+                                } else {
+                                        hdev->acl_cnt += count;
+                                        if (hdev->acl_cnt > hdev->acl_pkts)
+                                                hdev->acl_cnt = hdev->acl_pkts;
+                                }
                        } else {
                                hdev->sco_cnt += count;
                                if (hdev->sco_cnt > hdev->sco_pkts)
@@ -1586,18 +2032,92 @@ static inline void hci_pin_code_request_evt(struct hci_dev *hdev, struct sk_buff
                hci_conn_put(conn);
        }
+        if (!test_bit(HCI_PAIRABLE, &hdev->flags))
+                hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY,
+                                        sizeof(ev->bdaddr), &ev->bdaddr);
+        else if (test_bit(HCI_MGMT, &hdev->flags)) {
+                u8 secure;
+                if (conn->pending_sec_level == BT_SECURITY_HIGH)
+                        secure = 1;
+                else
+                        secure = 0;
+                mgmt_pin_code_request(hdev->id, &ev->bdaddr, secure);
+        }
        hci_dev_unlock(hdev);
 }
 static inline void hci_link_key_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
+        struct hci_ev_link_key_req *ev = (void *) skb->data;
+        struct hci_cp_link_key_reply cp;
+        struct hci_conn *conn;
+        struct link_key *key;
        BT_DBG("%s", hdev->name);
+        if (!test_bit(HCI_LINK_KEYS, &hdev->flags))
+                return;
+        hci_dev_lock(hdev);
+        key = hci_find_link_key(hdev, &ev->bdaddr);
+        if (!key) {
+                BT_DBG("%s link key not found for %s", hdev->name,
+                                                        batostr(&ev->bdaddr));
+                goto not_found;
+        }
+        BT_DBG("%s found key type %u for %s", hdev->name, key->type,
+                                                        batostr(&ev->bdaddr));
+        if (!test_bit(HCI_DEBUG_KEYS, &hdev->flags) &&
+                                key->type == HCI_LK_DEBUG_COMBINATION) {
+                BT_DBG("%s ignoring debug key", hdev->name);
+                goto not_found;
+        }
+        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
+        if (conn) {
+                if (key->type == HCI_LK_UNAUTH_COMBINATION &&
+                                conn->auth_type != 0xff &&
+                                (conn->auth_type & 0x01)) {
+                        BT_DBG("%s ignoring unauthenticated key", hdev->name);
+                        goto not_found;
+                }
+                if (key->type == HCI_LK_COMBINATION && key->pin_len < 16 &&
+                                conn->pending_sec_level == BT_SECURITY_HIGH) {
+                        BT_DBG("%s ignoring key unauthenticated for high \
+                                                        security", hdev->name);
+                        goto not_found;
+                }
+                conn->key_type = key->type;
+                conn->pin_length = key->pin_len;
+        }
+        bacpy(&cp.bdaddr, &ev->bdaddr);
+        memcpy(cp.link_key, key->val, 16);
+        hci_send_cmd(hdev, HCI_OP_LINK_KEY_REPLY, sizeof(cp), &cp);
+        hci_dev_unlock(hdev);
+        return;
+not_found:
+        hci_send_cmd(hdev, HCI_OP_LINK_KEY_NEG_REPLY, 6, &ev->bdaddr);
+        hci_dev_unlock(hdev);
 }
 static inline void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
        struct hci_ev_link_key_notify *ev = (void *) skb->data;
        struct hci_conn *conn;
+        u8 pin_len = 0;
        BT_DBG("%s", hdev->name);
@@ -1607,9 +2127,18 @@ static inline void hci_link_key_notify_evt(struct hci_dev *hdev, struct sk_buff
        if (conn) {
                hci_conn_hold(conn);
                conn->disc_timeout = HCI_DISCONN_TIMEOUT;
+                pin_len = conn->pin_length;
+                if (ev->key_type != HCI_LK_CHANGED_COMBINATION)
+                        conn->key_type = ev->key_type;
                hci_conn_put(conn);
        }
+        if (test_bit(HCI_LINK_KEYS, &hdev->flags))
+                hci_add_link_key(hdev, conn, 1, &ev->bdaddr, ev->link_key,
+                                                        ev->key_type, pin_len);
        hci_dev_unlock(hdev);
 }
@@ -1682,10 +2211,17 @@ static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct
        hci_dev_lock(hdev);
+        if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
+                if (test_bit(HCI_MGMT, &hdev->flags))
+                        mgmt_discovering(hdev->id, 1);
+        }
        if ((skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)) {
-                struct inquiry_info_with_rssi_and_pscan_mode *info = (void *) (skb->data + 1);
+                struct inquiry_info_with_rssi_and_pscan_mode *info;
+                info = (void *) (skb->data + 1);
-                for (; num_rsp; num_rsp--) {
+                for (; num_rsp; num_rsp--, info++) {
                        bacpy(&data.bdaddr, &info->bdaddr);
                        data.pscan_rep_mode     = info->pscan_rep_mode;
                        data.pscan_period_mode  = info->pscan_period_mode;
@@ -1694,13 +2230,15 @@ static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct
                        data.clock_offset       = info->clock_offset;
                        data.rssi               = info->rssi;
                        data.ssp_mode           = 0x00;
-                        info++;
                        hci_inquiry_cache_update(hdev, &data);
+                        mgmt_device_found(hdev->id, &info->bdaddr,
+                                                info->dev_class, info->rssi,
+                                                NULL);
                }
        } else {
                struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
-                for (; num_rsp; num_rsp--) {
+                for (; num_rsp; num_rsp--, info++) {
                        bacpy(&data.bdaddr, &info->bdaddr);
                        data.pscan_rep_mode     = info->pscan_rep_mode;
                        data.pscan_period_mode  = info->pscan_period_mode;
@@ -1709,8 +2247,10 @@ static inline void hci_inquiry_result_with_rssi_evt(struct hci_dev *hdev, struct
                        data.clock_offset       = info->clock_offset;
                        data.rssi               = info->rssi;
                        data.ssp_mode           = 0x00;
-                        info++;
                        hci_inquiry_cache_update(hdev, &data);
+                        mgmt_device_found(hdev->id, &info->bdaddr,
+                                                info->dev_class, info->rssi,
+                                                NULL);
                }
        }
@@ -1824,17 +2364,8 @@ static inline void hci_sync_conn_changed_evt(struct hci_dev *hdev, struct sk_buf
 static inline void hci_sniff_subrate_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
        struct hci_ev_sniff_subrate *ev = (void *) skb->data;
-        struct hci_conn *conn;
        BT_DBG("%s status %d", hdev->name, ev->status);
-        hci_dev_lock(hdev);
-        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
-        if (conn) {
-        }
-        hci_dev_unlock(hdev);
 }
 static inline void hci_extended_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
@@ -1848,24 +2379,50 @@ static inline void hci_extended_inquiry_result_evt(struct hci_dev *hdev, struct
        if (!num_rsp)
                return;
+        if (!test_and_set_bit(HCI_INQUIRY, &hdev->flags)) {
+                if (test_bit(HCI_MGMT, &hdev->flags))
+                        mgmt_discovering(hdev->id, 1);
+        }
        hci_dev_lock(hdev);
-        for (; num_rsp; num_rsp--) {
+        for (; num_rsp; num_rsp--, info++) {
                bacpy(&data.bdaddr, &info->bdaddr);
-                data.pscan_rep_mode     = info->pscan_rep_mode;
+                data.pscan_rep_mode     = info->pscan_rep_mode;
-                data.pscan_period_mode  = info->pscan_period_mode;
+                data.pscan_period_mode  = info->pscan_period_mode;
-                data.pscan_mode         = 0x00;
+                data.pscan_mode         = 0x00;
                memcpy(data.dev_class, info->dev_class, 3);
-                data.clock_offset       = info->clock_offset;
+                data.clock_offset       = info->clock_offset;
-                data.rssi               = info->rssi;
+                data.rssi               = info->rssi;
                data.ssp_mode           = 0x01;
-                info++;
                hci_inquiry_cache_update(hdev, &data);
+                mgmt_device_found(hdev->id, &info->bdaddr, info->dev_class,
+                                                info->rssi, info->data);
        }
        hci_dev_unlock(hdev);
 }
+static inline u8 hci_get_auth_req(struct hci_conn *conn)
+{
+        /* If remote requests dedicated bonding follow that lead */
+        if (conn->remote_auth == 0x02 || conn->remote_auth == 0x03) {
+                /* If both remote and local IO capabilities allow MITM
+                 * protection then require it, otherwise don't */
+                if (conn->remote_cap == 0x03 || conn->io_capability == 0x03)
+                        return 0x02;
+                else
+                        return 0x03;
+        }
+        /* If remote requests no-bonding follow that lead */
+        if (conn->remote_auth == 0x00 || conn->remote_auth == 0x01)
+                return conn->remote_auth | (conn->auth_type & 0x01);
+        return conn->auth_type;
+}
 static inline void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
        struct hci_ev_io_capa_request *ev = (void *) skb->data;
@@ -1876,9 +2433,131 @@ static inline void hci_io_capa_request_evt(struct hci_dev *hdev, struct sk_buff
        hci_dev_lock(hdev);
        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
-        if (conn)
+        if (!conn)
-                hci_conn_hold(conn);
+                goto unlock;
+        hci_conn_hold(conn);
+        if (!test_bit(HCI_MGMT, &hdev->flags))
+                goto unlock;
+        if (test_bit(HCI_PAIRABLE, &hdev->flags) ||
+                        (conn->remote_auth & ~0x01) == HCI_AT_NO_BONDING) {
+                struct hci_cp_io_capability_reply cp;
+                bacpy(&cp.bdaddr, &ev->bdaddr);
+                cp.capability = conn->io_capability;
+                conn->auth_type = hci_get_auth_req(conn);
+                cp.authentication = conn->auth_type;
+                if ((conn->out == 0x01 || conn->remote_oob == 0x01) &&
+                                hci_find_remote_oob_data(hdev, &conn->dst))
+                        cp.oob_data = 0x01;
+                else
+                        cp.oob_data = 0x00;
+                hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_REPLY,
+                                                        sizeof(cp), &cp);
+        } else {
+                struct hci_cp_io_capability_neg_reply cp;
+                bacpy(&cp.bdaddr, &ev->bdaddr);
+                cp.reason = 0x18; /* Pairing not allowed */
+                hci_send_cmd(hdev, HCI_OP_IO_CAPABILITY_NEG_REPLY,
+                                                        sizeof(cp), &cp);
+        }
+unlock:
+        hci_dev_unlock(hdev);
+}
+static inline void hci_io_capa_reply_evt(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        struct hci_ev_io_capa_reply *ev = (void *) skb->data;
+        struct hci_conn *conn;
+        BT_DBG("%s", hdev->name);
+        hci_dev_lock(hdev);
+        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
+        if (!conn)
+                goto unlock;
+        conn->remote_cap = ev->capability;
+        conn->remote_oob = ev->oob_data;
+        conn->remote_auth = ev->authentication;
+unlock:
+        hci_dev_unlock(hdev);
+}
+static inline void hci_user_confirm_request_evt(struct hci_dev *hdev,
+                                                        struct sk_buff *skb)
+{
+        struct hci_ev_user_confirm_req *ev = (void *) skb->data;
+        int loc_mitm, rem_mitm, confirm_hint = 0;
+        struct hci_conn *conn;
+        BT_DBG("%s", hdev->name);
+        hci_dev_lock(hdev);
+        if (!test_bit(HCI_MGMT, &hdev->flags))
+                goto unlock;
+        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
+        if (!conn)
+                goto unlock;
+        loc_mitm = (conn->auth_type & 0x01);
+        rem_mitm = (conn->remote_auth & 0x01);
+        /* If we require MITM but the remote device can't provide that
+         * (it has NoInputNoOutput) then reject the confirmation
+         * request. The only exception is when we're dedicated bonding
+         * initiators (connect_cfm_cb set) since then we always have the MITM
+         * bit set. */
+        if (!conn->connect_cfm_cb && loc_mitm && conn->remote_cap == 0x03) {
+                BT_DBG("Rejecting request: remote device can't provide MITM");
+                hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_NEG_REPLY,
+                                        sizeof(ev->bdaddr), &ev->bdaddr);
+                goto unlock;
+        }
+        /* If no side requires MITM protection; auto-accept */
+        if ((!loc_mitm || conn->remote_cap == 0x03) &&
+                                (!rem_mitm || conn->io_capability == 0x03)) {
+                /* If we're not the initiators request authorization to
+                 * proceed from user space (mgmt_user_confirm with
+                 * confirm_hint set to 1). */
+                if (!test_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
+                        BT_DBG("Confirming auto-accept as acceptor");
+                        confirm_hint = 1;
+                        goto confirm;
+                }
+                BT_DBG("Auto-accept of user confirmation with %ums delay",
+                                                hdev->auto_accept_delay);
+                if (hdev->auto_accept_delay > 0) {
+                        int delay = msecs_to_jiffies(hdev->auto_accept_delay);
+                        mod_timer(&conn->auto_accept_timer, jiffies + delay);
+                        goto unlock;
+                }
+                hci_send_cmd(hdev, HCI_OP_USER_CONFIRM_REPLY,
+                                                sizeof(ev->bdaddr), &ev->bdaddr);
+                goto unlock;
+        }
+confirm:
+        mgmt_user_confirm_request(hdev->id, &ev->bdaddr, ev->passkey,
+                                                                confirm_hint);
+unlock:
        hci_dev_unlock(hdev);
 }
@@ -1892,9 +2571,20 @@ static inline void hci_simple_pair_complete_evt(struct hci_dev *hdev, struct sk_
        hci_dev_lock(hdev);
        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
-        if (conn)
+        if (!conn)
-                hci_conn_put(conn);
+                goto unlock;
+        /* To avoid duplicate auth_failed events to user space we check
+         * the HCI_CONN_AUTH_PEND flag which will be set if we
+         * initiated the authentication. A traditional auth_complete
+         * event gets always produced as initiator and is also mapped to
+         * the mgmt_auth_failed event */
+        if (!test_bit(HCI_CONN_AUTH_PEND, &conn->pend) && ev->status != 0)
+                mgmt_auth_failed(hdev->id, &conn->dst, ev->status);
+        hci_conn_put(conn);
+unlock:
        hci_dev_unlock(hdev);
 }
@@ -1914,6 +2604,98 @@ static inline void hci_remote_host_features_evt(struct hci_dev *hdev, struct sk_
        hci_dev_unlock(hdev);
 }
+static inline void hci_remote_oob_data_request_evt(struct hci_dev *hdev,
+                                                        struct sk_buff *skb)
+{
+        struct hci_ev_remote_oob_data_request *ev = (void *) skb->data;
+        struct oob_data *data;
+        BT_DBG("%s", hdev->name);
+        hci_dev_lock(hdev);
+        if (!test_bit(HCI_MGMT, &hdev->flags))
+                goto unlock;
+        data = hci_find_remote_oob_data(hdev, &ev->bdaddr);
+        if (data) {
+                struct hci_cp_remote_oob_data_reply cp;
+                bacpy(&cp.bdaddr, &ev->bdaddr);
+                memcpy(cp.hash, data->hash, sizeof(cp.hash));
+                memcpy(cp.randomizer, data->randomizer, sizeof(cp.randomizer));
+                hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_REPLY, sizeof(cp),
+                                                                        &cp);
+        } else {
+                struct hci_cp_remote_oob_data_neg_reply cp;
+                bacpy(&cp.bdaddr, &ev->bdaddr);
+                hci_send_cmd(hdev, HCI_OP_REMOTE_OOB_DATA_NEG_REPLY, sizeof(cp),
+                                                                        &cp);
+        }
+unlock:
+        hci_dev_unlock(hdev);
+}
+static inline void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        struct hci_ev_le_conn_complete *ev = (void *) skb->data;
+        struct hci_conn *conn;
+        BT_DBG("%s status %d", hdev->name, ev->status);
+        hci_dev_lock(hdev);
+        conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &ev->bdaddr);
+        if (!conn) {
+                conn = hci_conn_add(hdev, LE_LINK, &ev->bdaddr);
+                if (!conn) {
+                        BT_ERR("No memory for new connection");
+                        hci_dev_unlock(hdev);
+                        return;
+                }
+        }
+        if (ev->status) {
+                mgmt_connect_failed(hdev->id, &ev->bdaddr, ev->status);
+                hci_proto_connect_cfm(conn, ev->status);
+                conn->state = BT_CLOSED;
+                hci_conn_del(conn);
+                goto unlock;
+        }
+        mgmt_connected(hdev->id, &ev->bdaddr);
+        conn->handle = __le16_to_cpu(ev->handle);
+        conn->state = BT_CONNECTED;
+        hci_conn_hold_device(conn);
+        hci_conn_add_sysfs(conn);
+        hci_proto_connect_cfm(conn, ev->status);
+unlock:
+        hci_dev_unlock(hdev);
+}
+static inline void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
+{
+        struct hci_ev_le_meta *le_ev = (void *) skb->data;
+        skb_pull(skb, sizeof(*le_ev));
+        switch (le_ev->subevent) {
+        case HCI_EV_LE_CONN_COMPLETE:
+                hci_le_conn_complete_evt(hdev, skb);
+                break;
+        default:
+                break;
+        }
+}
 void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
 {
        struct hci_event_hdr *hdr = (void *) skb->data;
@@ -2042,6 +2824,14 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
                hci_io_capa_request_evt(hdev, skb);
                break;
+        case HCI_EV_IO_CAPA_REPLY:
+                hci_io_capa_reply_evt(hdev, skb);
+                break;
+        case HCI_EV_USER_CONFIRM_REQUEST:
+                hci_user_confirm_request_evt(hdev, skb);
+                break;
        case HCI_EV_SIMPLE_PAIR_COMPLETE:
                hci_simple_pair_complete_evt(hdev, skb);
                break;
@@ -2050,6 +2840,14 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
                hci_remote_host_features_evt(hdev, skb);
                break;
+        case HCI_EV_LE_META:
+                hci_le_meta_evt(hdev, skb);
+                break;
+        case HCI_EV_REMOTE_OOB_DATA_REQUEST:
+                hci_remote_oob_data_request_evt(hdev, skb);
+                break;
        default:
                BT_DBG("%s event 0x%x", hdev->name, event);
                break;
@@ -2083,6 +2881,6 @@ void hci_si_event(struct hci_dev *hdev, int type, int dlen, void *data)
        bt_cb(skb)->pkt_type = HCI_EVENT_PKT;
        skb->dev = (void *) hdev;
-        hci_send_to_sock(hdev, skb);
+        hci_send_to_sock(hdev, skb, NULL);
        kfree_skb(skb);
 }
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 29827c77f6ce..295e4a88fff8 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -85,7 +85,8 @@ static struct bt_sock_list hci_sk_list = {
 };
 /* Send frame to RAW socket */
-void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
+void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb,
+                                                        struct sock *skip_sk)
 {
        struct sock *sk;
        struct hlist_node *node;
@@ -97,6 +98,9 @@ void hci_send_to_sock(struct hci_dev *hdev, struct sk_buff *skb)
                struct hci_filter *flt;
                struct sk_buff *nskb;
+                if (sk == skip_sk)
+                        continue;
                if (sk->sk_state != BT_BOUND || hci_pi(sk)->hdev != hdev)
                        continue;
@@ -857,7 +861,7 @@ error:
        return err;
 }
-void __exit hci_sock_cleanup(void)
+void hci_sock_cleanup(void)
 {
        if (bt_sock_unregister(BTPROTO_HCI) < 0)
                BT_ERR("HCI socket unregistration failed");
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 5fce3d6d07b4..a6c3aa8be1f7 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -11,7 +11,7 @@
 static struct class *bt_class;
-struct dentry *bt_debugfs = NULL;
+struct dentry *bt_debugfs;
 EXPORT_SYMBOL_GPL(bt_debugfs);
 static inline char *link_typetostr(int type)
@@ -51,8 +51,8 @@ static ssize_t show_link_features(struct device *dev, struct device_attribute *a
                                conn->features[6], conn->features[7]);
 }
-#define LINK_ATTR(_name,_mode,_show,_store) \
+#define LINK_ATTR(_name, _mode, _show, _store) \
-struct device_attribute link_attr_##_name = __ATTR(_name,_mode,_show,_store)
+struct device_attribute link_attr_##_name = __ATTR(_name, _mode, _show, _store)
 static LINK_ATTR(type, S_IRUGO, show_link_type, NULL);
 static LINK_ATTR(address, S_IRUGO, show_link_address, NULL);
@@ -216,13 +216,13 @@ static ssize_t show_type(struct device *dev, struct device_attribute *attr, char
 static ssize_t show_name(struct device *dev, struct device_attribute *attr, char *buf)
 {
        struct hci_dev *hdev = dev_get_drvdata(dev);
-        char name[249];
+        char name[HCI_MAX_NAME_LENGTH + 1];
        int i;
-        for (i = 0; i < 248; i++)
+        for (i = 0; i < HCI_MAX_NAME_LENGTH; i++)
                name[i] = hdev->dev_name[i];
-        name[248] = '\0';
+        name[HCI_MAX_NAME_LENGTH] = '\0';
        return sprintf(buf, "%s\n", name);
 }
@@ -277,10 +277,12 @@ static ssize_t show_idle_timeout(struct device *dev, struct device_attribute *at
 static ssize_t store_idle_timeout(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
 {
        struct hci_dev *hdev = dev_get_drvdata(dev);
-        unsigned long val;
+        unsigned int val;
+        int rv;
-        if (strict_strtoul(buf, 0, &val) < 0)
+        rv = kstrtouint(buf, 0, &val);
-                return -EINVAL;
+        if (rv < 0)
+                return rv;
        if (val != 0 && (val < 500 || val > 3600000))
                return -EINVAL;
@@ -299,15 +301,14 @@ static ssize_t show_sniff_max_interval(struct device *dev, struct device_attribu
 static ssize_t store_sniff_max_interval(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
 {
        struct hci_dev *hdev = dev_get_drvdata(dev);
-        unsigned long val;
+        u16 val;
+        int rv;
-        if (strict_strtoul(buf, 0, &val) < 0)
-                return -EINVAL;
-        if (val < 0x0002 || val > 0xFFFE || val % 2)
+        rv = kstrtou16(buf, 0, &val);
-                return -EINVAL;
+        if (rv < 0)
+                return rv;
-        if (val < hdev->sniff_min_interval)
+        if (val == 0 || val % 2 || val < hdev->sniff_min_interval)
                return -EINVAL;
        hdev->sniff_max_interval = val;
@@ -324,15 +325,14 @@ static ssize_t show_sniff_min_interval(struct device *dev, struct device_attribu
 static ssize_t store_sniff_min_interval(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
 {
        struct hci_dev *hdev = dev_get_drvdata(dev);
-        unsigned long val;
+        u16 val;
+        int rv;
-        if (strict_strtoul(buf, 0, &val) < 0)
+        rv = kstrtou16(buf, 0, &val);
-                return -EINVAL;
+        if (rv < 0)
+                return rv;
-        if (val < 0x0002 || val > 0xFFFE || val % 2)
-                return -EINVAL;
-        if (val > hdev->sniff_max_interval)
+        if (val == 0 || val % 2 || val > hdev->sniff_max_interval)
                return -EINVAL;
        hdev->sniff_min_interval = val;
@@ -461,6 +461,85 @@ static const struct file_operations blacklist_fops = {
        .llseek         = seq_lseek,
        .release        = single_release,
 };
+static void print_bt_uuid(struct seq_file *f, u8 *uuid)
+{
+        u32 data0, data4;
+        u16 data1, data2, data3, data5;
+        memcpy(&data0, &uuid[0], 4);
+        memcpy(&data1, &uuid[4], 2);
+        memcpy(&data2, &uuid[6], 2);
+        memcpy(&data3, &uuid[8], 2);
+        memcpy(&data4, &uuid[10], 4);
+        memcpy(&data5, &uuid[14], 2);
+        seq_printf(f, "%.8x-%.4x-%.4x-%.4x-%.8x%.4x\n",
+                                ntohl(data0), ntohs(data1), ntohs(data2),
+                                ntohs(data3), ntohl(data4), ntohs(data5));
+}
+static int uuids_show(struct seq_file *f, void *p)
+{
+        struct hci_dev *hdev = f->private;
+        struct list_head *l;
+        hci_dev_lock_bh(hdev);
+        list_for_each(l, &hdev->uuids) {
+                struct bt_uuid *uuid;
+                uuid = list_entry(l, struct bt_uuid, list);
+                print_bt_uuid(f, uuid->uuid);
+        }
+        hci_dev_unlock_bh(hdev);
+        return 0;
+}
+static int uuids_open(struct inode *inode, struct file *file)
+{
+        return single_open(file, uuids_show, inode->i_private);
+}
+static const struct file_operations uuids_fops = {
+        .open           = uuids_open,
+        .read           = seq_read,
+        .llseek         = seq_lseek,
+        .release        = single_release,
+};
+static int auto_accept_delay_set(void *data, u64 val)
+{
+        struct hci_dev *hdev = data;
+        hci_dev_lock_bh(hdev);
+        hdev->auto_accept_delay = val;
+        hci_dev_unlock_bh(hdev);
+        return 0;
+}
+static int auto_accept_delay_get(void *data, u64 *val)
+{
+        struct hci_dev *hdev = data;
+        hci_dev_lock_bh(hdev);
+        *val = hdev->auto_accept_delay;
+        hci_dev_unlock_bh(hdev);
+        return 0;
+}
+DEFINE_SIMPLE_ATTRIBUTE(auto_accept_delay_fops, auto_accept_delay_get,
+                                        auto_accept_delay_set, "%llu\n");
 int hci_register_sysfs(struct hci_dev *hdev)
 {
        struct device *dev = &hdev->dev;
@@ -493,6 +572,10 @@ int hci_register_sysfs(struct hci_dev *hdev)
        debugfs_create_file("blacklist", 0444, hdev->debugfs,
                                                hdev, &blacklist_fops);
+        debugfs_create_file("uuids", 0444, hdev->debugfs, hdev, &uuids_fops);
+        debugfs_create_file("auto_accept_delay", 0444, hdev->debugfs, hdev,
+                                                &auto_accept_delay_fops);
        return 0;
 }
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 29544c21f4b5..c405a954a603 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -36,6 +36,8 @@
 #include <linux/file.h>
 #include <linux/init.h>
 #include <linux/wait.h>
+#include <linux/mutex.h>
+#include <linux/kthread.h>
 #include <net/sock.h>
 #include <linux/input.h>
@@ -54,22 +56,24 @@ static DECLARE_RWSEM(hidp_session_sem);
 static LIST_HEAD(hidp_session_list);
 static unsigned char hidp_keycode[256] = {
-          0,  0,  0,  0, 30, 48, 46, 32, 18, 33, 34, 35, 23, 36, 37, 38,
+          0,   0,   0,   0,  30,  48,  46,  32,  18,  33,  34,  35,  23,  36,
-         50, 49, 24, 25, 16, 19, 31, 20, 22, 47, 17, 45, 21, 44,  2,  3,
+         37,  38,  50,  49,  24,  25,  16,  19,  31,  20,  22,  47,  17,  45,
-          4,  5,  6,  7,  8,  9, 10, 11, 28,  1, 14, 15, 57, 12, 13, 26,
+         21,  44,   2,   3,   4,   5,   6,   7,   8,   9,  10,  11,  28,   1,
-         27, 43, 43, 39, 40, 41, 51, 52, 53, 58, 59, 60, 61, 62, 63, 64,
+         14,  15,  57,  12,  13,  26,  27,  43,  43,  39,  40,  41,  51,  52,
-         65, 66, 67, 68, 87, 88, 99, 70,119,110,102,104,111,107,109,106,
+         53,  58,  59,  60,  61,  62,  63,  64,  65,  66,  67,  68,  87,  88,
-        105,108,103, 69, 98, 55, 74, 78, 96, 79, 80, 81, 75, 76, 77, 71,
+         99,  70, 119, 110, 102, 104, 111, 107, 109, 106, 105, 108, 103,  69,
-         72, 73, 82, 83, 86,127,116,117,183,184,185,186,187,188,189,190,
+         98,  55,  74,  78,  96,  79,  80,  81,  75,  76,  77,  71,  72,  73,
-        191,192,193,194,134,138,130,132,128,129,131,137,133,135,136,113,
+         82,  83,  86, 127, 116, 117, 183, 184, 185, 186, 187, 188, 189, 190,
-        115,114,  0,  0,  0,121,  0, 89, 93,124, 92, 94, 95,  0,  0,  0,
+        191, 192, 193, 194, 134, 138, 130, 132, 128, 129, 131, 137, 133, 135,
-        122,123, 90, 91, 85,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+        136, 113, 115, 114,   0,   0,   0, 121,   0,  89,  93, 124,  92,  94,
-          0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+         95,   0,   0,   0, 122, 123,  90,  91,  85,   0,   0,   0,   0,   0,
-          0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+          0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
-          0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+          0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
-          0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,  0,
+          0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
-         29, 42, 56,125, 97, 54,100,126,164,166,165,163,161,115,114,113,
+          0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
-        150,158,159,128,136,177,178,176,142,152,173,140
+          0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,   0,
+         29,  42,  56, 125,  97,  54, 100, 126, 164, 166, 165, 163, 161, 115,
+        114, 113, 150, 158, 159, 128, 136, 177, 178, 176, 142, 152, 173, 140
 };
 static unsigned char hidp_mkeyspat[] = { 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 };
@@ -157,7 +161,8 @@ static int hidp_queue_event(struct hidp_session *session, struct input_dev *dev,
        session->leds = newleds;
-        if (!(skb = alloc_skb(3, GFP_ATOMIC))) {
+        skb = alloc_skb(3, GFP_ATOMIC);
+        if (!skb) {
                BT_ERR("Can't allocate memory for new frame");
                return -ENOMEM;
        }
@@ -250,7 +255,8 @@ static int __hidp_send_ctrl_message(struct hidp_session *session,
        BT_DBG("session %p data %p size %d", session, data, size);
-        if (!(skb = alloc_skb(size + 1, GFP_ATOMIC))) {
+        skb = alloc_skb(size + 1, GFP_ATOMIC);
+        if (!skb) {
                BT_ERR("Can't allocate memory for new frame");
                return -ENOMEM;
        }
@@ -283,7 +289,8 @@ static int hidp_queue_report(struct hidp_session *session,
        BT_DBG("session %p hid %p data %p size %d", session, session->hid, data, size);
-        if (!(skb = alloc_skb(size + 1, GFP_ATOMIC))) {
+        skb = alloc_skb(size + 1, GFP_ATOMIC);
+        if (!skb) {
                BT_ERR("Can't allocate memory for new frame");
                return -ENOMEM;
        }
@@ -313,32 +320,151 @@ static int hidp_send_report(struct hidp_session *session, struct hid_report *rep
        return hidp_queue_report(session, buf, rsize);
 }
+static int hidp_get_raw_report(struct hid_device *hid,
+                unsigned char report_number,
+                unsigned char *data, size_t count,
+                unsigned char report_type)
+{
+        struct hidp_session *session = hid->driver_data;
+        struct sk_buff *skb;
+        size_t len;
+        int numbered_reports = hid->report_enum[report_type].numbered;
+        switch (report_type) {
+        case HID_FEATURE_REPORT:
+                report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_FEATURE;
+                break;
+        case HID_INPUT_REPORT:
+                report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_INPUT;
+                break;
+        case HID_OUTPUT_REPORT:
+                report_type = HIDP_TRANS_GET_REPORT | HIDP_DATA_RTYPE_OUPUT;
+                break;
+        default:
+                return -EINVAL;
+        }
+        if (mutex_lock_interruptible(&session->report_mutex))
+                return -ERESTARTSYS;
+        /* Set up our wait, and send the report request to the device. */
+        session->waiting_report_type = report_type & HIDP_DATA_RTYPE_MASK;
+        session->waiting_report_number = numbered_reports ? report_number : -1;
+        set_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
+        data[0] = report_number;
+        if (hidp_send_ctrl_message(hid->driver_data, report_type, data, 1))
+                goto err_eio;
+        /* Wait for the return of the report. The returned report
+           gets put in session->report_return.  */
+        while (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)) {
+                int res;
+                res = wait_event_interruptible_timeout(session->report_queue,
+                        !test_bit(HIDP_WAITING_FOR_RETURN, &session->flags),
+                        5*HZ);
+                if (res == 0) {
+                        /* timeout */
+                        goto err_eio;
+                }
+                if (res < 0) {
+                        /* signal */
+                        goto err_restartsys;
+                }
+        }
+        skb = session->report_return;
+        if (skb) {
+                len = skb->len < count ? skb->len : count;
+                memcpy(data, skb->data, len);
+                kfree_skb(skb);
+                session->report_return = NULL;
+        } else {
+                /* Device returned a HANDSHAKE, indicating  protocol error. */
+                len = -EIO;
+        }
+        clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
+        mutex_unlock(&session->report_mutex);
+        return len;
+err_restartsys:
+        clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
+        mutex_unlock(&session->report_mutex);
+        return -ERESTARTSYS;
+err_eio:
+        clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
+        mutex_unlock(&session->report_mutex);
+        return -EIO;
+}
 static int hidp_output_raw_report(struct hid_device *hid, unsigned char *data, size_t count,
                unsigned char report_type)
 {
+        struct hidp_session *session = hid->driver_data;
+        int ret;
        switch (report_type) {
        case HID_FEATURE_REPORT:
                report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_FEATURE;
                break;
        case HID_OUTPUT_REPORT:
-                report_type = HIDP_TRANS_DATA | HIDP_DATA_RTYPE_OUPUT;
+                report_type = HIDP_TRANS_SET_REPORT | HIDP_DATA_RTYPE_OUPUT;
                break;
        default:
                return -EINVAL;
        }
+        if (mutex_lock_interruptible(&session->report_mutex))
+                return -ERESTARTSYS;
+        /* Set up our wait, and send the report request to the device. */
+        set_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
        if (hidp_send_ctrl_message(hid->driver_data, report_type,
-                        data, count))
+                        data, count)) {
-                return -ENOMEM;
+                ret = -ENOMEM;
-        return count;
+                goto err;
+        }
+        /* Wait for the ACK from the device. */
+        while (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) {
+                int res;
+                res = wait_event_interruptible_timeout(session->report_queue,
+                        !test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags),
+                        10*HZ);
+                if (res == 0) {
+                        /* timeout */
+                        ret = -EIO;
+                        goto err;
+                }
+                if (res < 0) {
+                        /* signal */
+                        ret = -ERESTARTSYS;
+                        goto err;
+                }
+        }
+        if (!session->output_report_success) {
+                ret = -EIO;
+                goto err;
+        }
+        ret = count;
+err:
+        clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
+        mutex_unlock(&session->report_mutex);
+        return ret;
 }
 static void hidp_idle_timeout(unsigned long arg)
 {
        struct hidp_session *session = (struct hidp_session *) arg;
-        atomic_inc(&session->terminate);
+        kthread_stop(session->task);
-        hidp_schedule(session);
 }
 static void hidp_set_timer(struct hidp_session *session)
@@ -357,16 +483,22 @@ static void hidp_process_handshake(struct hidp_session *session,
                                        unsigned char param)
 {
        BT_DBG("session %p param 0x%02x", session, param);
+        session->output_report_success = 0; /* default condition */
        switch (param) {
        case HIDP_HSHK_SUCCESSFUL:
                /* FIXME: Call into SET_ GET_ handlers here */
+                session->output_report_success = 1;
                break;
        case HIDP_HSHK_NOT_READY:
        case HIDP_HSHK_ERR_INVALID_REPORT_ID:
        case HIDP_HSHK_ERR_UNSUPPORTED_REQUEST:
        case HIDP_HSHK_ERR_INVALID_PARAMETER:
+                if (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags)) {
+                        clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
+                        wake_up_interruptible(&session->report_queue);
+                }
                /* FIXME: Call into SET_ GET_ handlers here */
                break;
@@ -385,6 +517,12 @@ static void hidp_process_handshake(struct hidp_session *session,
                        HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
                break;
        }
+        /* Wake up the waiting thread. */
+        if (test_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags)) {
+                clear_bit(HIDP_WAITING_FOR_SEND_ACK, &session->flags);
+                wake_up_interruptible(&session->report_queue);
+        }
 }
 static void hidp_process_hid_control(struct hidp_session *session,
@@ -397,15 +535,15 @@ static void hidp_process_hid_control(struct hidp_session *session,
                skb_queue_purge(&session->ctrl_transmit);
                skb_queue_purge(&session->intr_transmit);
-                /* Kill session thread */
+                kthread_stop(session->task);
-                atomic_inc(&session->terminate);
-                hidp_schedule(session);
        }
 }
-static void hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
+/* Returns true if the passed-in skb should be freed by the caller. */
+static int hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
                                unsigned char param)
 {
+        int done_with_skb = 1;
        BT_DBG("session %p skb %p len %d param 0x%02x", session, skb, skb->len, param);
        switch (param) {
@@ -417,7 +555,6 @@ static void hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
                if (session->hid)
                        hid_input_report(session->hid, HID_INPUT_REPORT, skb->data, skb->len, 0);
                break;
        case HIDP_DATA_RTYPE_OTHER:
@@ -429,12 +566,27 @@ static void hidp_process_data(struct hidp_session *session, struct sk_buff *skb,
                __hidp_send_ctrl_message(session,
                        HIDP_TRANS_HANDSHAKE | HIDP_HSHK_ERR_INVALID_PARAMETER, NULL, 0);
        }
+        if (test_bit(HIDP_WAITING_FOR_RETURN, &session->flags) &&
+                                param == session->waiting_report_type) {
+                if (session->waiting_report_number < 0 ||
+                    session->waiting_report_number == skb->data[0]) {
+                        /* hidp_get_raw_report() is waiting on this report. */
+                        session->report_return = skb;
+                        done_with_skb = 0;
+                        clear_bit(HIDP_WAITING_FOR_RETURN, &session->flags);
+                        wake_up_interruptible(&session->report_queue);
+                }
+        }
+        return done_with_skb;
 }
 static void hidp_recv_ctrl_frame(struct hidp_session *session,
                                        struct sk_buff *skb)
 {
        unsigned char hdr, type, param;
+        int free_skb = 1;
        BT_DBG("session %p skb %p len %d", session, skb, skb->len);
@@ -454,7 +606,7 @@ static void hidp_recv_ctrl_frame(struct hidp_session *session,
                break;
        case HIDP_TRANS_DATA:
-                hidp_process_data(session, skb, param);
+                free_skb = hidp_process_data(session, skb, param);
                break;
        default:
@@ -463,7 +615,8 @@ static void hidp_recv_ctrl_frame(struct hidp_session *session,
                break;
        }
-        kfree_skb(skb);
+        if (free_skb)
+                kfree_skb(skb);
 }
 static void hidp_recv_intr_frame(struct hidp_session *session,
@@ -541,32 +694,23 @@ static int hidp_session(void *arg)
        struct sock *ctrl_sk = session->ctrl_sock->sk;
        struct sock *intr_sk = session->intr_sock->sk;
        struct sk_buff *skb;
-        int vendor = 0x0000, product = 0x0000;
        wait_queue_t ctrl_wait, intr_wait;
        BT_DBG("session %p", session);
-        if (session->input) {
-                vendor  = session->input->id.vendor;
-                product = session->input->id.product;
-        }
-        if (session->hid) {
-                vendor  = session->hid->vendor;
-                product = session->hid->product;
-        }
-        daemonize("khidpd_%04x%04x", vendor, product);
        set_user_nice(current, -15);
        init_waitqueue_entry(&ctrl_wait, current);
        init_waitqueue_entry(&intr_wait, current);
        add_wait_queue(sk_sleep(ctrl_sk), &ctrl_wait);
        add_wait_queue(sk_sleep(intr_sk), &intr_wait);
-        while (!atomic_read(&session->terminate)) {
+        session->waiting_for_startup = 0;
+        wake_up_interruptible(&session->startup_queue);
+        while (!kthread_should_stop()) {
                set_current_state(TASK_INTERRUPTIBLE);
-                if (ctrl_sk->sk_state != BT_CONNECTED || intr_sk->sk_state != BT_CONNECTED)
+                if (ctrl_sk->sk_state != BT_CONNECTED ||
+                                intr_sk->sk_state != BT_CONNECTED)
                        break;
                while ((skb = skb_dequeue(&ctrl_sk->sk_receive_queue))) {
@@ -754,6 +898,8 @@ static struct hid_ll_driver hidp_hid_driver = {
        .hidinput_input_event = hidp_hidinput_event,
 };
+/* This function sets up the hid device. It does not add it
+   to the HID system. That is done in hidp_add_connection(). */
 static int hidp_setup_hid(struct hidp_session *session,
                                struct hidp_connadd_req *req)
 {
@@ -793,18 +939,11 @@ static int hidp_setup_hid(struct hidp_session *session,
        hid->dev.parent = hidp_get_device(session);
        hid->ll_driver = &hidp_hid_driver;
+        hid->hid_get_raw_report = hidp_get_raw_report;
        hid->hid_output_raw_report = hidp_output_raw_report;
-        err = hid_add_device(hid);
-        if (err < 0)
-                goto failed;
        return 0;
-failed:
-        hid_destroy_device(hid);
-        session->hid = NULL;
 fault:
        kfree(session->rd_data);
        session->rd_data = NULL;
@@ -815,6 +954,7 @@ fault:
 int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock, struct socket *intr_sock)
 {
        struct hidp_session *session, *s;
+        int vendor, product;
        int err;
        BT_DBG("");
@@ -839,8 +979,10 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
        bacpy(&session->bdaddr, &bt_sk(ctrl_sock->sk)->dst);
-        session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl_sock->sk)->omtu, l2cap_pi(ctrl_sock->sk)->imtu);
+        session->ctrl_mtu = min_t(uint, l2cap_pi(ctrl_sock->sk)->chan->omtu,
-        session->intr_mtu = min_t(uint, l2cap_pi(intr_sock->sk)->omtu, l2cap_pi(intr_sock->sk)->imtu);
+                                        l2cap_pi(ctrl_sock->sk)->chan->imtu);
+        session->intr_mtu = min_t(uint, l2cap_pi(intr_sock->sk)->chan->omtu,
+                                        l2cap_pi(intr_sock->sk)->chan->imtu);
        BT_DBG("ctrl mtu %d intr mtu %d", session->ctrl_mtu, session->intr_mtu);
@@ -853,6 +995,10 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
        skb_queue_head_init(&session->ctrl_transmit);
        skb_queue_head_init(&session->intr_transmit);
+        mutex_init(&session->report_mutex);
+        init_waitqueue_head(&session->report_queue);
+        init_waitqueue_head(&session->startup_queue);
+        session->waiting_for_startup = 1;
        session->flags   = req->flags & (1 << HIDP_BLUETOOTH_VENDOR_ID);
        session->idle_to = req->idle_to;
@@ -872,9 +1018,32 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
        hidp_set_timer(session);
-        err = kernel_thread(hidp_session, session, CLONE_KERNEL);
+        if (session->hid) {
-        if (err < 0)
+                vendor  = session->hid->vendor;
+                product = session->hid->product;
+        } else if (session->input) {
+                vendor  = session->input->id.vendor;
+                product = session->input->id.product;
+        } else {
+                vendor = 0x0000;
+                product = 0x0000;
+        }
+        session->task = kthread_run(hidp_session, session, "khidpd_%04x%04x",
+                                                        vendor, product);
+        if (IS_ERR(session->task)) {
+                err = PTR_ERR(session->task);
                goto unlink;
+        }
+        while (session->waiting_for_startup) {
+                wait_event_interruptible(session->startup_queue,
+                        !session->waiting_for_startup);
+        }
+        err = hid_add_device(session->hid);
+        if (err < 0)
+                goto err_add_device;
        if (session->input) {
                hidp_send_ctrl_message(session,
@@ -888,6 +1057,11 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
        up_write(&hidp_session_sem);
        return 0;
+err_add_device:
+        hid_destroy_device(session->hid);
+        session->hid = NULL;
+        kthread_stop(session->task);
 unlink:
        hidp_del_timer(session);
@@ -937,13 +1111,7 @@ int hidp_del_connection(struct hidp_conndel_req *req)
                        skb_queue_purge(&session->ctrl_transmit);
                        skb_queue_purge(&session->intr_transmit);
-                        /* Wakeup user-space polling for socket errors */
+                        kthread_stop(session->task);
-                        session->intr_sock->sk->sk_err = EUNATCH;
-                        session->ctrl_sock->sk->sk_err = EUNATCH;
-                        /* Kill session thread */
-                        atomic_inc(&session->terminate);
-                        hidp_schedule(session);
                }
        } else
                err = -ENOENT;
@@ -1016,8 +1184,6 @@ static int __init hidp_init(void)
 {
        int ret;
-        l2cap_load();
        BT_INFO("HIDP (Human Interface Emulation) ver %s", VERSION);
        ret = hid_register_driver(&hidp_driver);
diff --git a/net/bluetooth/hidp/hidp.h b/net/bluetooth/hidp/hidp.h
index 8d934a19da0a..12822cde4b49 100644
--- a/net/bluetooth/hidp/hidp.h
+++ b/net/bluetooth/hidp/hidp.h
@@ -80,10 +80,12 @@
 #define HIDP_VIRTUAL_CABLE_UNPLUG       0
 #define HIDP_BOOT_PROTOCOL_MODE         1
 #define HIDP_BLUETOOTH_VENDOR_ID        9
+#define HIDP_WAITING_FOR_RETURN         10
+#define HIDP_WAITING_FOR_SEND_ACK       11
 struct hidp_connadd_req {
-        int   ctrl_sock;        // Connected control socket
+        int   ctrl_sock;        /* Connected control socket */
-        int   intr_sock;        // Connteted interrupt socket
+        int   intr_sock;        /* Connected interrupt socket */
        __u16 parser;
        __u16 rd_size;
        __u8 __user *rd_data;
@@ -140,7 +142,7 @@ struct hidp_session {
        uint ctrl_mtu;
        uint intr_mtu;
-        atomic_t terminate;
+        struct task_struct *task;
        unsigned char keys[8];
        unsigned char leds;
@@ -154,9 +156,22 @@ struct hidp_session {
        struct sk_buff_head ctrl_transmit;
        struct sk_buff_head intr_transmit;
+        /* Used in hidp_get_raw_report() */
+        int waiting_report_type; /* HIDP_DATA_RTYPE_* */
+        int waiting_report_number; /* -1 for not numbered */
+        struct mutex report_mutex;
+        struct sk_buff *report_return;
+        wait_queue_head_t report_queue;
+        /* Used in hidp_output_raw_report() */
+        int output_report_success; /* boolean */
        /* Report descriptor */
        __u8 *rd_data;
        uint rd_size;
+        wait_queue_head_t startup_queue;
+        int waiting_for_startup;
 };
 static inline void hidp_schedule(struct hidp_session *session)
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 250dfd46237d..178ac7f127ad 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -85,7 +85,8 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
                        return err;
                }
-                if (csock->sk->sk_state != BT_CONNECTED || isock->sk->sk_state != BT_CONNECTED) {
+                if (csock->sk->sk_state != BT_CONNECTED ||
+                                isock->sk->sk_state != BT_CONNECTED) {
                        sockfd_put(csock);
                        sockfd_put(isock);
                        return -EBADFD;
@@ -140,8 +141,8 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 #ifdef CONFIG_COMPAT
 struct compat_hidp_connadd_req {
-        int   ctrl_sock;        // Connected control socket
+        int   ctrl_sock;        /* Connected control socket */
-        int   intr_sock;        // Connteted interrupt socket
+        int   intr_sock;        /* Connected interrupt socket */
        __u16 parser;
        __u16 rd_size;
        compat_uptr_t rd_data;
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
deleted file mode 100644
index 675614e38e14..000000000000
--- a/net/bluetooth/l2cap.c
+++ /dev/null
@@ -1,4930 +0,0 @@
-/*
-   BlueZ - Bluetooth protocol stack for Linux
-   Copyright (C) 2000-2001 Qualcomm Incorporated
-   Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
-   Copyright (C) 2010 Google Inc.
-   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License version 2 as
-   published by the Free Software Foundation;
-   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
-   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
-   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
-   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
-   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
-   SOFTWARE IS DISCLAIMED.
-*/
-/* Bluetooth L2CAP core and sockets. */
-#include <linux/module.h>
-#include <linux/types.h>
-#include <linux/capability.h>
-#include <linux/errno.h>
-#include <linux/kernel.h>
-#include <linux/sched.h>
-#include <linux/slab.h>
-#include <linux/poll.h>
-#include <linux/fcntl.h>
-#include <linux/init.h>
-#include <linux/interrupt.h>
-#include <linux/socket.h>
-#include <linux/skbuff.h>
-#include <linux/list.h>
-#include <linux/device.h>
-#include <linux/debugfs.h>
-#include <linux/seq_file.h>
-#include <linux/uaccess.h>
-#include <linux/crc16.h>
-#include <net/sock.h>
-#include <asm/system.h>
-#include <asm/unaligned.h>
-#include <net/bluetooth/bluetooth.h>
-#include <net/bluetooth/hci_core.h>
-#include <net/bluetooth/l2cap.h>
-#define VERSION "2.15"
-static int disable_ertm;
-static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
-static u8 l2cap_fixed_chan[8] = { 0x02, };
-static const struct proto_ops l2cap_sock_ops;
-static struct workqueue_struct *_busy_wq;
-static struct bt_sock_list l2cap_sk_list = {
-        .lock = __RW_LOCK_UNLOCKED(l2cap_sk_list.lock)
-};
-static void l2cap_busy_work(struct work_struct *work);
-static void __l2cap_sock_close(struct sock *sk, int reason);
-static void l2cap_sock_close(struct sock *sk);
-static void l2cap_sock_kill(struct sock *sk);
-static int l2cap_build_conf_req(struct sock *sk, void *data);
-static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
-                                u8 code, u8 ident, u16 dlen, void *data);
-static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
-/* ---- L2CAP timers ---- */
-static void l2cap_sock_set_timer(struct sock *sk, long timeout)
-{
-        BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
-        sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
-}
-static void l2cap_sock_clear_timer(struct sock *sk)
-{
-        BT_DBG("sock %p state %d", sk, sk->sk_state);
-        sk_stop_timer(sk, &sk->sk_timer);
-}
-static void l2cap_sock_timeout(unsigned long arg)
-{
-        struct sock *sk = (struct sock *) arg;
-        int reason;
-        BT_DBG("sock %p state %d", sk, sk->sk_state);
-        bh_lock_sock(sk);
-        if (sock_owned_by_user(sk)) {
-                /* sk is owned by user. Try again later */
-                l2cap_sock_set_timer(sk, HZ / 5);
-                bh_unlock_sock(sk);
-                sock_put(sk);
-                return;
-        }
-        if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
-                reason = ECONNREFUSED;
-        else if (sk->sk_state == BT_CONNECT &&
-                                l2cap_pi(sk)->sec_level != BT_SECURITY_SDP)
-                reason = ECONNREFUSED;
-        else
-                reason = ETIMEDOUT;
-        __l2cap_sock_close(sk, reason);
-        bh_unlock_sock(sk);
-        l2cap_sock_kill(sk);
-        sock_put(sk);
-}
-/* ---- L2CAP channels ---- */
-static struct sock *__l2cap_get_chan_by_dcid(struct l2cap_chan_list *l, u16 cid)
-{
-        struct sock *s;
-        for (s = l->head; s; s = l2cap_pi(s)->next_c) {
-                if (l2cap_pi(s)->dcid == cid)
-                        break;
-        }
-        return s;
-}
-static struct sock *__l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
-{
-        struct sock *s;
-        for (s = l->head; s; s = l2cap_pi(s)->next_c) {
-                if (l2cap_pi(s)->scid == cid)
-                        break;
-        }
-        return s;
-}
-/* Find channel with given SCID.
- * Returns locked socket */
-static inline struct sock *l2cap_get_chan_by_scid(struct l2cap_chan_list *l, u16 cid)
-{
-        struct sock *s;
-        read_lock(&l->lock);
-        s = __l2cap_get_chan_by_scid(l, cid);
-        if (s)
-                bh_lock_sock(s);
-        read_unlock(&l->lock);
-        return s;
-}
-static struct sock *__l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
-{
-        struct sock *s;
-        for (s = l->head; s; s = l2cap_pi(s)->next_c) {
-                if (l2cap_pi(s)->ident == ident)
-                        break;
-        }
-        return s;
-}
-static inline struct sock *l2cap_get_chan_by_ident(struct l2cap_chan_list *l, u8 ident)
-{
-        struct sock *s;
-        read_lock(&l->lock);
-        s = __l2cap_get_chan_by_ident(l, ident);
-        if (s)
-                bh_lock_sock(s);
-        read_unlock(&l->lock);
-        return s;
-}
-static u16 l2cap_alloc_cid(struct l2cap_chan_list *l)
-{
-        u16 cid = L2CAP_CID_DYN_START;
-        for (; cid < L2CAP_CID_DYN_END; cid++) {
-                if (!__l2cap_get_chan_by_scid(l, cid))
-                        return cid;
-        }
-        return 0;
-}
-static inline void __l2cap_chan_link(struct l2cap_chan_list *l, struct sock *sk)
-{
-        sock_hold(sk);
-        if (l->head)
-                l2cap_pi(l->head)->prev_c = sk;
-        l2cap_pi(sk)->next_c = l->head;
-        l2cap_pi(sk)->prev_c = NULL;
-        l->head = sk;
-}
-static inline void l2cap_chan_unlink(struct l2cap_chan_list *l, struct sock *sk)
-{
-        struct sock *next = l2cap_pi(sk)->next_c, *prev = l2cap_pi(sk)->prev_c;
-        write_lock_bh(&l->lock);
-        if (sk == l->head)
-                l->head = next;
-        if (next)
-                l2cap_pi(next)->prev_c = prev;
-        if (prev)
-                l2cap_pi(prev)->next_c = next;
-        write_unlock_bh(&l->lock);
-        __sock_put(sk);
-}
-static void __l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
-{
-        struct l2cap_chan_list *l = &conn->chan_list;
-        BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
-                        l2cap_pi(sk)->psm, l2cap_pi(sk)->dcid);
-        conn->disc_reason = 0x13;
-        l2cap_pi(sk)->conn = conn;
-        if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
-                /* Alloc CID for connection-oriented socket */
-                l2cap_pi(sk)->scid = l2cap_alloc_cid(l);
-        } else if (sk->sk_type == SOCK_DGRAM) {
-                /* Connectionless socket */
-                l2cap_pi(sk)->scid = L2CAP_CID_CONN_LESS;
-                l2cap_pi(sk)->dcid = L2CAP_CID_CONN_LESS;
-                l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
-        } else {
-                /* Raw socket can send/recv signalling messages only */
-                l2cap_pi(sk)->scid = L2CAP_CID_SIGNALING;
-                l2cap_pi(sk)->dcid = L2CAP_CID_SIGNALING;
-                l2cap_pi(sk)->omtu = L2CAP_DEFAULT_MTU;
-        }
-        __l2cap_chan_link(l, sk);
-        if (parent)
-                bt_accept_enqueue(parent, sk);
-}
-/* Delete channel.
- * Must be called on the locked socket. */
-static void l2cap_chan_del(struct sock *sk, int err)
-{
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
-        struct sock *parent = bt_sk(sk)->parent;
-        l2cap_sock_clear_timer(sk);
-        BT_DBG("sk %p, conn %p, err %d", sk, conn, err);
-        if (conn) {
-                /* Unlink from channel list */
-                l2cap_chan_unlink(&conn->chan_list, sk);
-                l2cap_pi(sk)->conn = NULL;
-                hci_conn_put(conn->hcon);
-        }
-        sk->sk_state = BT_CLOSED;
-        sock_set_flag(sk, SOCK_ZAPPED);
-        if (err)
-                sk->sk_err = err;
-        if (parent) {
-                bt_accept_unlink(sk);
-                parent->sk_data_ready(parent, 0);
-        } else
-                sk->sk_state_change(sk);
-        skb_queue_purge(TX_QUEUE(sk));
-        if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
-                struct srej_list *l, *tmp;
-                del_timer(&l2cap_pi(sk)->retrans_timer);
-                del_timer(&l2cap_pi(sk)->monitor_timer);
-                del_timer(&l2cap_pi(sk)->ack_timer);
-                skb_queue_purge(SREJ_QUEUE(sk));
-                skb_queue_purge(BUSY_QUEUE(sk));
-                list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
-                        list_del(&l->list);
-                        kfree(l);
-                }
-        }
-}
-static inline u8 l2cap_get_auth_type(struct sock *sk)
-{
-        if (sk->sk_type == SOCK_RAW) {
-                switch (l2cap_pi(sk)->sec_level) {
-                case BT_SECURITY_HIGH:
-                        return HCI_AT_DEDICATED_BONDING_MITM;
-                case BT_SECURITY_MEDIUM:
-                        return HCI_AT_DEDICATED_BONDING;
-                default:
-                        return HCI_AT_NO_BONDING;
-                }
-        } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
-                if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
-                        l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
-                if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
-                        return HCI_AT_NO_BONDING_MITM;
-                else
-                        return HCI_AT_NO_BONDING;
-        } else {
-                switch (l2cap_pi(sk)->sec_level) {
-                case BT_SECURITY_HIGH:
-                        return HCI_AT_GENERAL_BONDING_MITM;
-                case BT_SECURITY_MEDIUM:
-                        return HCI_AT_GENERAL_BONDING;
-                default:
-                        return HCI_AT_NO_BONDING;
-                }
-        }
-}
-/* Service level security */
-static inline int l2cap_check_security(struct sock *sk)
-{
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
-        __u8 auth_type;
-        auth_type = l2cap_get_auth_type(sk);
-        return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
-                                                                auth_type);
-}
-static inline u8 l2cap_get_ident(struct l2cap_conn *conn)
-{
-        u8 id;
-        /* Get next available identificator.
-         *    1 - 128 are used by kernel.
-         *  129 - 199 are reserved.
-         *  200 - 254 are used by utilities like l2ping, etc.
-         */
-        spin_lock_bh(&conn->lock);
-        if (++conn->tx_ident > 128)
-                conn->tx_ident = 1;
-        id = conn->tx_ident;
-        spin_unlock_bh(&conn->lock);
-        return id;
-}
-static inline void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
-{
-        struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
-        BT_DBG("code 0x%2.2x", code);
-        if (!skb)
-                return;
-        hci_send_acl(conn->hcon, skb, 0);
-}
-static inline void l2cap_send_sframe(struct l2cap_pinfo *pi, u16 control)
-{
-        struct sk_buff *skb;
-        struct l2cap_hdr *lh;
-        struct l2cap_conn *conn = pi->conn;
-        struct sock *sk = (struct sock *)pi;
-        int count, hlen = L2CAP_HDR_SIZE + 2;
-        if (sk->sk_state != BT_CONNECTED)
-                return;
-        if (pi->fcs == L2CAP_FCS_CRC16)
-                hlen += 2;
-        BT_DBG("pi %p, control 0x%2.2x", pi, control);
-        count = min_t(unsigned int, conn->mtu, hlen);
-        control |= L2CAP_CTRL_FRAME_TYPE;
-        if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
-                control |= L2CAP_CTRL_FINAL;
-                pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
-        }
-        if (pi->conn_state & L2CAP_CONN_SEND_PBIT) {
-                control |= L2CAP_CTRL_POLL;
-                pi->conn_state &= ~L2CAP_CONN_SEND_PBIT;
-        }
-        skb = bt_skb_alloc(count, GFP_ATOMIC);
-        if (!skb)
-                return;
-        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
-        lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
-        lh->cid = cpu_to_le16(pi->dcid);
-        put_unaligned_le16(control, skb_put(skb, 2));
-        if (pi->fcs == L2CAP_FCS_CRC16) {
-                u16 fcs = crc16(0, (u8 *)lh, count - 2);
-                put_unaligned_le16(fcs, skb_put(skb, 2));
-        }
-        hci_send_acl(pi->conn->hcon, skb, 0);
-}
-static inline void l2cap_send_rr_or_rnr(struct l2cap_pinfo *pi, u16 control)
-{
-        if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
-                control |= L2CAP_SUPER_RCV_NOT_READY;
-                pi->conn_state |= L2CAP_CONN_RNR_SENT;
-        } else
-                control |= L2CAP_SUPER_RCV_READY;
-        control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-        l2cap_send_sframe(pi, control);
-}
-static inline int __l2cap_no_conn_pending(struct sock *sk)
-{
-        return !(l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND);
-}
-static void l2cap_do_start(struct sock *sk)
-{
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
-        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
-                if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
-                        return;
-                if (l2cap_check_security(sk) && __l2cap_no_conn_pending(sk)) {
-                        struct l2cap_conn_req req;
-                        req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
-                        req.psm  = l2cap_pi(sk)->psm;
-                        l2cap_pi(sk)->ident = l2cap_get_ident(conn);
-                        l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
-                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
-                                        L2CAP_CONN_REQ, sizeof(req), &req);
-                }
-        } else {
-                struct l2cap_info_req req;
-                req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
-                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
-                conn->info_ident = l2cap_get_ident(conn);
-                mod_timer(&conn->info_timer, jiffies +
-                                        msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
-                l2cap_send_cmd(conn, conn->info_ident,
-                                        L2CAP_INFO_REQ, sizeof(req), &req);
-        }
-}
-static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
-{
-        u32 local_feat_mask = l2cap_feat_mask;
-        if (!disable_ertm)
-                local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
-        switch (mode) {
-        case L2CAP_MODE_ERTM:
-                return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
-        case L2CAP_MODE_STREAMING:
-                return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
-        default:
-                return 0x00;
-        }
-}
-static void l2cap_send_disconn_req(struct l2cap_conn *conn, struct sock *sk, int err)
-{
-        struct l2cap_disconn_req req;
-        if (!conn)
-                return;
-        skb_queue_purge(TX_QUEUE(sk));
-        if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM) {
-                del_timer(&l2cap_pi(sk)->retrans_timer);
-                del_timer(&l2cap_pi(sk)->monitor_timer);
-                del_timer(&l2cap_pi(sk)->ack_timer);
-        }
-        req.dcid = cpu_to_le16(l2cap_pi(sk)->dcid);
-        req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
-        l2cap_send_cmd(conn, l2cap_get_ident(conn),
-                        L2CAP_DISCONN_REQ, sizeof(req), &req);
-        sk->sk_state = BT_DISCONN;
-        sk->sk_err = err;
-}
-/* ---- L2CAP connections ---- */
-static void l2cap_conn_start(struct l2cap_conn *conn)
-{
-        struct l2cap_chan_list *l = &conn->chan_list;
-        struct sock_del_list del, *tmp1, *tmp2;
-        struct sock *sk;
-        BT_DBG("conn %p", conn);
-        INIT_LIST_HEAD(&del.list);
-        read_lock(&l->lock);
-        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
-                bh_lock_sock(sk);
-                if (sk->sk_type != SOCK_SEQPACKET &&
-                                sk->sk_type != SOCK_STREAM) {
-                        bh_unlock_sock(sk);
-                        continue;
-                }
-                if (sk->sk_state == BT_CONNECT) {
-                        struct l2cap_conn_req req;
-                        if (!l2cap_check_security(sk) ||
-                                        !__l2cap_no_conn_pending(sk)) {
-                                bh_unlock_sock(sk);
-                                continue;
-                        }
-                        if (!l2cap_mode_supported(l2cap_pi(sk)->mode,
-                                        conn->feat_mask)
-                                        && l2cap_pi(sk)->conf_state &
-                                        L2CAP_CONF_STATE2_DEVICE) {
-                                tmp1 = kzalloc(sizeof(struct sock_del_list),
-                                                GFP_ATOMIC);
-                                tmp1->sk = sk;
-                                list_add_tail(&tmp1->list, &del.list);
-                                bh_unlock_sock(sk);
-                                continue;
-                        }
-                        req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
-                        req.psm  = l2cap_pi(sk)->psm;
-                        l2cap_pi(sk)->ident = l2cap_get_ident(conn);
-                        l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
-                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
-                                L2CAP_CONN_REQ, sizeof(req), &req);
-                } else if (sk->sk_state == BT_CONNECT2) {
-                        struct l2cap_conn_rsp rsp;
-                        char buf[128];
-                        rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
-                        rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
-                        if (l2cap_check_security(sk)) {
-                                if (bt_sk(sk)->defer_setup) {
-                                        struct sock *parent = bt_sk(sk)->parent;
-                                        rsp.result = cpu_to_le16(L2CAP_CR_PEND);
-                                        rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
-                                        parent->sk_data_ready(parent, 0);
-                                } else {
-                                        sk->sk_state = BT_CONFIG;
-                                        rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
-                                        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
-                                }
-                        } else {
-                                rsp.result = cpu_to_le16(L2CAP_CR_PEND);
-                                rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
-                        }
-                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
-                                        L2CAP_CONN_RSP, sizeof(rsp), &rsp);
-                        if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT ||
-                                        rsp.result != L2CAP_CR_SUCCESS) {
-                                bh_unlock_sock(sk);
-                                continue;
-                        }
-                        l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
-                        l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                                l2cap_build_conf_req(sk, buf), buf);
-                        l2cap_pi(sk)->num_conf_req++;
-                }
-                bh_unlock_sock(sk);
-        }
-        read_unlock(&l->lock);
-        list_for_each_entry_safe(tmp1, tmp2, &del.list, list) {
-                bh_lock_sock(tmp1->sk);
-                __l2cap_sock_close(tmp1->sk, ECONNRESET);
-                bh_unlock_sock(tmp1->sk);
-                list_del(&tmp1->list);
-                kfree(tmp1);
-        }
-}
-static void l2cap_conn_ready(struct l2cap_conn *conn)
-{
-        struct l2cap_chan_list *l = &conn->chan_list;
-        struct sock *sk;
-        BT_DBG("conn %p", conn);
-        read_lock(&l->lock);
-        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
-                bh_lock_sock(sk);
-                if (sk->sk_type != SOCK_SEQPACKET &&
-                                sk->sk_type != SOCK_STREAM) {
-                        l2cap_sock_clear_timer(sk);
-                        sk->sk_state = BT_CONNECTED;
-                        sk->sk_state_change(sk);
-                } else if (sk->sk_state == BT_CONNECT)
-                        l2cap_do_start(sk);
-                bh_unlock_sock(sk);
-        }
-        read_unlock(&l->lock);
-}
-/* Notify sockets that we cannot guaranty reliability anymore */
-static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
-{
-        struct l2cap_chan_list *l = &conn->chan_list;
-        struct sock *sk;
-        BT_DBG("conn %p", conn);
-        read_lock(&l->lock);
-        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
-                if (l2cap_pi(sk)->force_reliable)
-                        sk->sk_err = err;
-        }
-        read_unlock(&l->lock);
-}
-static void l2cap_info_timeout(unsigned long arg)
-{
-        struct l2cap_conn *conn = (void *) arg;
-        conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
-        conn->info_ident = 0;
-        l2cap_conn_start(conn);
-}
-static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
-{
-        struct l2cap_conn *conn = hcon->l2cap_data;
-        if (conn || status)
-                return conn;
-        conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
-        if (!conn)
-                return NULL;
-        hcon->l2cap_data = conn;
-        conn->hcon = hcon;
-        BT_DBG("hcon %p conn %p", hcon, conn);
-        conn->mtu = hcon->hdev->acl_mtu;
-        conn->src = &hcon->hdev->bdaddr;
-        conn->dst = &hcon->dst;
-        conn->feat_mask = 0;
-        spin_lock_init(&conn->lock);
-        rwlock_init(&conn->chan_list.lock);
-        setup_timer(&conn->info_timer, l2cap_info_timeout,
-                                                (unsigned long) conn);
-        conn->disc_reason = 0x13;
-        return conn;
-}
-static void l2cap_conn_del(struct hci_conn *hcon, int err)
-{
-        struct l2cap_conn *conn = hcon->l2cap_data;
-        struct sock *sk;
-        if (!conn)
-                return;
-        BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
-        kfree_skb(conn->rx_skb);
-        /* Kill channels */
-        while ((sk = conn->chan_list.head)) {
-                bh_lock_sock(sk);
-                l2cap_chan_del(sk, err);
-                bh_unlock_sock(sk);
-                l2cap_sock_kill(sk);
-        }
-        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
-                del_timer_sync(&conn->info_timer);
-        hcon->l2cap_data = NULL;
-        kfree(conn);
-}
-static inline void l2cap_chan_add(struct l2cap_conn *conn, struct sock *sk, struct sock *parent)
-{
-        struct l2cap_chan_list *l = &conn->chan_list;
-        write_lock_bh(&l->lock);
-        __l2cap_chan_add(conn, sk, parent);
-        write_unlock_bh(&l->lock);
-}
-/* ---- Socket interface ---- */
-static struct sock *__l2cap_get_sock_by_addr(__le16 psm, bdaddr_t *src)
-{
-        struct sock *sk;
-        struct hlist_node *node;
-        sk_for_each(sk, node, &l2cap_sk_list.head)
-                if (l2cap_pi(sk)->sport == psm && !bacmp(&bt_sk(sk)->src, src))
-                        goto found;
-        sk = NULL;
-found:
-        return sk;
-}
-/* Find socket with psm and source bdaddr.
- * Returns closest match.
- */
-static struct sock *l2cap_get_sock_by_psm(int state, __le16 psm, bdaddr_t *src)
-{
-        struct sock *sk = NULL, *sk1 = NULL;
-        struct hlist_node *node;
-        read_lock(&l2cap_sk_list.lock);
-        sk_for_each(sk, node, &l2cap_sk_list.head) {
-                if (state && sk->sk_state != state)
-                        continue;
-                if (l2cap_pi(sk)->psm == psm) {
-                        /* Exact match. */
-                        if (!bacmp(&bt_sk(sk)->src, src))
-                                break;
-                        /* Closest match */
-                        if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
-                                sk1 = sk;
-                }
-        }
-        read_unlock(&l2cap_sk_list.lock);
-        return node ? sk : sk1;
-}
-static void l2cap_sock_destruct(struct sock *sk)
-{
-        BT_DBG("sk %p", sk);
-        skb_queue_purge(&sk->sk_receive_queue);
-        skb_queue_purge(&sk->sk_write_queue);
-}
-static void l2cap_sock_cleanup_listen(struct sock *parent)
-{
-        struct sock *sk;
-        BT_DBG("parent %p", parent);
-        /* Close not yet accepted channels */
-        while ((sk = bt_accept_dequeue(parent, NULL)))
-                l2cap_sock_close(sk);
-        parent->sk_state = BT_CLOSED;
-        sock_set_flag(parent, SOCK_ZAPPED);
-}
-/* Kill socket (only if zapped and orphan)
- * Must be called on unlocked socket.
- */
-static void l2cap_sock_kill(struct sock *sk)
-{
-        if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
-                return;
-        BT_DBG("sk %p state %d", sk, sk->sk_state);
-        /* Kill poor orphan */
-        bt_sock_unlink(&l2cap_sk_list, sk);
-        sock_set_flag(sk, SOCK_DEAD);
-        sock_put(sk);
-}
-static void __l2cap_sock_close(struct sock *sk, int reason)
-{
-        BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
-        switch (sk->sk_state) {
-        case BT_LISTEN:
-                l2cap_sock_cleanup_listen(sk);
-                break;
-        case BT_CONNECTED:
-        case BT_CONFIG:
-                if (sk->sk_type == SOCK_SEQPACKET ||
-                                sk->sk_type == SOCK_STREAM) {
-                        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
-                        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
-                        l2cap_send_disconn_req(conn, sk, reason);
-                } else
-                        l2cap_chan_del(sk, reason);
-                break;
-        case BT_CONNECT2:
-                if (sk->sk_type == SOCK_SEQPACKET ||
-                                sk->sk_type == SOCK_STREAM) {
-                        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
-                        struct l2cap_conn_rsp rsp;
-                        __u16 result;
-                        if (bt_sk(sk)->defer_setup)
-                                result = L2CAP_CR_SEC_BLOCK;
-                        else
-                                result = L2CAP_CR_BAD_PSM;
-                        sk->sk_state = BT_DISCONN;
-                        rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
-                        rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
-                        rsp.result = cpu_to_le16(result);
-                        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
-                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
-                                        L2CAP_CONN_RSP, sizeof(rsp), &rsp);
-                } else
-                        l2cap_chan_del(sk, reason);
-                break;
-        case BT_CONNECT:
-        case BT_DISCONN:
-                l2cap_chan_del(sk, reason);
-                break;
-        default:
-                sock_set_flag(sk, SOCK_ZAPPED);
-                break;
-        }
-}
-/* Must be called on unlocked socket. */
-static void l2cap_sock_close(struct sock *sk)
-{
-        l2cap_sock_clear_timer(sk);
-        lock_sock(sk);
-        __l2cap_sock_close(sk, ECONNRESET);
-        release_sock(sk);
-        l2cap_sock_kill(sk);
-}
-static void l2cap_sock_init(struct sock *sk, struct sock *parent)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        BT_DBG("sk %p", sk);
-        if (parent) {
-                sk->sk_type = parent->sk_type;
-                bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
-                pi->imtu = l2cap_pi(parent)->imtu;
-                pi->omtu = l2cap_pi(parent)->omtu;
-                pi->conf_state = l2cap_pi(parent)->conf_state;
-                pi->mode = l2cap_pi(parent)->mode;
-                pi->fcs  = l2cap_pi(parent)->fcs;
-                pi->max_tx = l2cap_pi(parent)->max_tx;
-                pi->tx_win = l2cap_pi(parent)->tx_win;
-                pi->sec_level = l2cap_pi(parent)->sec_level;
-                pi->role_switch = l2cap_pi(parent)->role_switch;
-                pi->force_reliable = l2cap_pi(parent)->force_reliable;
-        } else {
-                pi->imtu = L2CAP_DEFAULT_MTU;
-                pi->omtu = 0;
-                if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
-                        pi->mode = L2CAP_MODE_ERTM;
-                        pi->conf_state |= L2CAP_CONF_STATE2_DEVICE;
-                } else {
-                        pi->mode = L2CAP_MODE_BASIC;
-                }
-                pi->max_tx = L2CAP_DEFAULT_MAX_TX;
-                pi->fcs  = L2CAP_FCS_CRC16;
-                pi->tx_win = L2CAP_DEFAULT_TX_WINDOW;
-                pi->sec_level = BT_SECURITY_LOW;
-                pi->role_switch = 0;
-                pi->force_reliable = 0;
-        }
-        /* Default config options */
-        pi->conf_len = 0;
-        pi->flush_to = L2CAP_DEFAULT_FLUSH_TO;
-        skb_queue_head_init(TX_QUEUE(sk));
-        skb_queue_head_init(SREJ_QUEUE(sk));
-        skb_queue_head_init(BUSY_QUEUE(sk));
-        INIT_LIST_HEAD(SREJ_LIST(sk));
-}
-static struct proto l2cap_proto = {
-        .name           = "L2CAP",
-        .owner          = THIS_MODULE,
-        .obj_size       = sizeof(struct l2cap_pinfo)
-};
-static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
-{
-        struct sock *sk;
-        sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
-        if (!sk)
-                return NULL;
-        sock_init_data(sock, sk);
-        INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
-        sk->sk_destruct = l2cap_sock_destruct;
-        sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
-        sock_reset_flag(sk, SOCK_ZAPPED);
-        sk->sk_protocol = proto;
-        sk->sk_state = BT_OPEN;
-        setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
-        bt_sock_link(&l2cap_sk_list, sk);
-        return sk;
-}
-static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
-                             int kern)
-{
-        struct sock *sk;
-        BT_DBG("sock %p", sock);
-        sock->state = SS_UNCONNECTED;
-        if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
-                        sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
-                return -ESOCKTNOSUPPORT;
-        if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
-                return -EPERM;
-        sock->ops = &l2cap_sock_ops;
-        sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
-        if (!sk)
-                return -ENOMEM;
-        l2cap_sock_init(sk, NULL);
-        return 0;
-}
-static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
-{
-        struct sock *sk = sock->sk;
-        struct sockaddr_l2 la;
-        int len, err = 0;
-        BT_DBG("sk %p", sk);
-        if (!addr || addr->sa_family != AF_BLUETOOTH)
-                return -EINVAL;
-        memset(&la, 0, sizeof(la));
-        len = min_t(unsigned int, sizeof(la), alen);
-        memcpy(&la, addr, len);
-        if (la.l2_cid)
-                return -EINVAL;
-        lock_sock(sk);
-        if (sk->sk_state != BT_OPEN) {
-                err = -EBADFD;
-                goto done;
-        }
-        if (la.l2_psm) {
-                __u16 psm = __le16_to_cpu(la.l2_psm);
-                /* PSM must be odd and lsb of upper byte must be 0 */
-                if ((psm & 0x0101) != 0x0001) {
-                        err = -EINVAL;
-                        goto done;
-                }
-                /* Restrict usage of well-known PSMs */
-                if (psm < 0x1001 && !capable(CAP_NET_BIND_SERVICE)) {
-                        err = -EACCES;
-                        goto done;
-                }
-        }
-        write_lock_bh(&l2cap_sk_list.lock);
-        if (la.l2_psm && __l2cap_get_sock_by_addr(la.l2_psm, &la.l2_bdaddr)) {
-                err = -EADDRINUSE;
-        } else {
-                /* Save source address */
-                bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
-                l2cap_pi(sk)->psm   = la.l2_psm;
-                l2cap_pi(sk)->sport = la.l2_psm;
-                sk->sk_state = BT_BOUND;
-                if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
-                                        __le16_to_cpu(la.l2_psm) == 0x0003)
-                        l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
-        }
-        write_unlock_bh(&l2cap_sk_list.lock);
-done:
-        release_sock(sk);
-        return err;
-}
-static int l2cap_do_connect(struct sock *sk)
-{
-        bdaddr_t *src = &bt_sk(sk)->src;
-        bdaddr_t *dst = &bt_sk(sk)->dst;
-        struct l2cap_conn *conn;
-        struct hci_conn *hcon;
-        struct hci_dev *hdev;
-        __u8 auth_type;
-        int err;
-        BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
-                                                        l2cap_pi(sk)->psm);
-        hdev = hci_get_route(dst, src);
-        if (!hdev)
-                return -EHOSTUNREACH;
-        hci_dev_lock_bh(hdev);
-        err = -ENOMEM;
-        auth_type = l2cap_get_auth_type(sk);
-        hcon = hci_connect(hdev, ACL_LINK, dst,
-                                        l2cap_pi(sk)->sec_level, auth_type);
-        if (!hcon)
-                goto done;
-        conn = l2cap_conn_add(hcon, 0);
-        if (!conn) {
-                hci_conn_put(hcon);
-                goto done;
-        }
-        err = 0;
-        /* Update source addr of the socket */
-        bacpy(src, conn->src);
-        l2cap_chan_add(conn, sk, NULL);
-        sk->sk_state = BT_CONNECT;
-        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
-        if (hcon->state == BT_CONNECTED) {
-                if (sk->sk_type != SOCK_SEQPACKET &&
-                                sk->sk_type != SOCK_STREAM) {
-                        l2cap_sock_clear_timer(sk);
-                        if (l2cap_check_security(sk))
-                                sk->sk_state = BT_CONNECTED;
-                } else
-                        l2cap_do_start(sk);
-        }
-done:
-        hci_dev_unlock_bh(hdev);
-        hci_dev_put(hdev);
-        return err;
-}
-static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
-{
-        struct sock *sk = sock->sk;
-        struct sockaddr_l2 la;
-        int len, err = 0;
-        BT_DBG("sk %p", sk);
-        if (!addr || alen < sizeof(addr->sa_family) ||
-            addr->sa_family != AF_BLUETOOTH)
-                return -EINVAL;
-        memset(&la, 0, sizeof(la));
-        len = min_t(unsigned int, sizeof(la), alen);
-        memcpy(&la, addr, len);
-        if (la.l2_cid)
-                return -EINVAL;
-        lock_sock(sk);
-        if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
-                        && !la.l2_psm) {
-                err = -EINVAL;
-                goto done;
-        }
-        switch (l2cap_pi(sk)->mode) {
-        case L2CAP_MODE_BASIC:
-                break;
-        case L2CAP_MODE_ERTM:
-        case L2CAP_MODE_STREAMING:
-                if (!disable_ertm)
-                        break;
-                /* fall through */
-        default:
-                err = -ENOTSUPP;
-                goto done;
-        }
-        switch (sk->sk_state) {
-        case BT_CONNECT:
-        case BT_CONNECT2:
-        case BT_CONFIG:
-                /* Already connecting */
-                goto wait;
-        case BT_CONNECTED:
-                /* Already connected */
-                err = -EISCONN;
-                goto done;
-        case BT_OPEN:
-        case BT_BOUND:
-                /* Can connect */
-                break;
-        default:
-                err = -EBADFD;
-                goto done;
-        }
-        /* PSM must be odd and lsb of upper byte must be 0 */
-        if ((__le16_to_cpu(la.l2_psm) & 0x0101) != 0x0001 &&
-                sk->sk_type != SOCK_RAW) {
-                err = -EINVAL;
-                goto done;
-        }
-        /* Set destination address and psm */
-        bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
-        l2cap_pi(sk)->psm = la.l2_psm;
-        err = l2cap_do_connect(sk);
-        if (err)
-                goto done;
-wait:
-        err = bt_sock_wait_state(sk, BT_CONNECTED,
-                        sock_sndtimeo(sk, flags & O_NONBLOCK));
-done:
-        release_sock(sk);
-        return err;
-}
-static int l2cap_sock_listen(struct socket *sock, int backlog)
-{
-        struct sock *sk = sock->sk;
-        int err = 0;
-        BT_DBG("sk %p backlog %d", sk, backlog);
-        lock_sock(sk);
-        if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
-                        || sk->sk_state != BT_BOUND) {
-                err = -EBADFD;
-                goto done;
-        }
-        switch (l2cap_pi(sk)->mode) {
-        case L2CAP_MODE_BASIC:
-                break;
-        case L2CAP_MODE_ERTM:
-        case L2CAP_MODE_STREAMING:
-                if (!disable_ertm)
-                        break;
-                /* fall through */
-        default:
-                err = -ENOTSUPP;
-                goto done;
-        }
-        if (!l2cap_pi(sk)->psm) {
-                bdaddr_t *src = &bt_sk(sk)->src;
-                u16 psm;
-                err = -EINVAL;
-                write_lock_bh(&l2cap_sk_list.lock);
-                for (psm = 0x1001; psm < 0x1100; psm += 2)
-                        if (!__l2cap_get_sock_by_addr(cpu_to_le16(psm), src)) {
-                                l2cap_pi(sk)->psm   = cpu_to_le16(psm);
-                                l2cap_pi(sk)->sport = cpu_to_le16(psm);
-                                err = 0;
-                                break;
-                        }
-                write_unlock_bh(&l2cap_sk_list.lock);
-                if (err < 0)
-                        goto done;
-        }
-        sk->sk_max_ack_backlog = backlog;
-        sk->sk_ack_backlog = 0;
-        sk->sk_state = BT_LISTEN;
-done:
-        release_sock(sk);
-        return err;
-}
-static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
-{
-        DECLARE_WAITQUEUE(wait, current);
-        struct sock *sk = sock->sk, *nsk;
-        long timeo;
-        int err = 0;
-        lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
-        if (sk->sk_state != BT_LISTEN) {
-                err = -EBADFD;
-                goto done;
-        }
-        timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
-        BT_DBG("sk %p timeo %ld", sk, timeo);
-        /* Wait for an incoming connection. (wake-one). */
-        add_wait_queue_exclusive(sk_sleep(sk), &wait);
-        while (!(nsk = bt_accept_dequeue(sk, newsock))) {
-                set_current_state(TASK_INTERRUPTIBLE);
-                if (!timeo) {
-                        err = -EAGAIN;
-                        break;
-                }
-                release_sock(sk);
-                timeo = schedule_timeout(timeo);
-                lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
-                if (sk->sk_state != BT_LISTEN) {
-                        err = -EBADFD;
-                        break;
-                }
-                if (signal_pending(current)) {
-                        err = sock_intr_errno(timeo);
-                        break;
-                }
-        }
-        set_current_state(TASK_RUNNING);
-        remove_wait_queue(sk_sleep(sk), &wait);
-        if (err)
-                goto done;
-        newsock->state = SS_CONNECTED;
-        BT_DBG("new socket %p", nsk);
-done:
-        release_sock(sk);
-        return err;
-}
-static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
-{
-        struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
-        struct sock *sk = sock->sk;
-        BT_DBG("sock %p, sk %p", sock, sk);
-        addr->sa_family = AF_BLUETOOTH;
-        *len = sizeof(struct sockaddr_l2);
-        if (peer) {
-                la->l2_psm = l2cap_pi(sk)->psm;
-                bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
-                la->l2_cid = cpu_to_le16(l2cap_pi(sk)->dcid);
-        } else {
-                la->l2_psm = l2cap_pi(sk)->sport;
-                bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
-                la->l2_cid = cpu_to_le16(l2cap_pi(sk)->scid);
-        }
-        return 0;
-}
-static int __l2cap_wait_ack(struct sock *sk)
-{
-        DECLARE_WAITQUEUE(wait, current);
-        int err = 0;
-        int timeo = HZ/5;
-        add_wait_queue(sk_sleep(sk), &wait);
-        while ((l2cap_pi(sk)->unacked_frames > 0 && l2cap_pi(sk)->conn)) {
-                set_current_state(TASK_INTERRUPTIBLE);
-                if (!timeo)
-                        timeo = HZ/5;
-                if (signal_pending(current)) {
-                        err = sock_intr_errno(timeo);
-                        break;
-                }
-                release_sock(sk);
-                timeo = schedule_timeout(timeo);
-                lock_sock(sk);
-                err = sock_error(sk);
-                if (err)
-                        break;
-        }
-        set_current_state(TASK_RUNNING);
-        remove_wait_queue(sk_sleep(sk), &wait);
-        return err;
-}
-static void l2cap_monitor_timeout(unsigned long arg)
-{
-        struct sock *sk = (void *) arg;
-        BT_DBG("sk %p", sk);
-        bh_lock_sock(sk);
-        if (l2cap_pi(sk)->retry_count >= l2cap_pi(sk)->remote_max_tx) {
-                l2cap_send_disconn_req(l2cap_pi(sk)->conn, sk, ECONNABORTED);
-                bh_unlock_sock(sk);
-                return;
-        }
-        l2cap_pi(sk)->retry_count++;
-        __mod_monitor_timer();
-        l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
-        bh_unlock_sock(sk);
-}
-static void l2cap_retrans_timeout(unsigned long arg)
-{
-        struct sock *sk = (void *) arg;
-        BT_DBG("sk %p", sk);
-        bh_lock_sock(sk);
-        l2cap_pi(sk)->retry_count = 1;
-        __mod_monitor_timer();
-        l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
-        l2cap_send_rr_or_rnr(l2cap_pi(sk), L2CAP_CTRL_POLL);
-        bh_unlock_sock(sk);
-}
-static void l2cap_drop_acked_frames(struct sock *sk)
-{
-        struct sk_buff *skb;
-        while ((skb = skb_peek(TX_QUEUE(sk))) &&
-                        l2cap_pi(sk)->unacked_frames) {
-                if (bt_cb(skb)->tx_seq == l2cap_pi(sk)->expected_ack_seq)
-                        break;
-                skb = skb_dequeue(TX_QUEUE(sk));
-                kfree_skb(skb);
-                l2cap_pi(sk)->unacked_frames--;
-        }
-        if (!l2cap_pi(sk)->unacked_frames)
-                del_timer(&l2cap_pi(sk)->retrans_timer);
-}
-static inline void l2cap_do_send(struct sock *sk, struct sk_buff *skb)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        BT_DBG("sk %p, skb %p len %d", sk, skb, skb->len);
-        hci_send_acl(pi->conn->hcon, skb, 0);
-}
-static void l2cap_streaming_send(struct sock *sk)
-{
-        struct sk_buff *skb;
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        u16 control, fcs;
-        while ((skb = skb_dequeue(TX_QUEUE(sk)))) {
-                control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
-                control |= pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
-                put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
-                if (pi->fcs == L2CAP_FCS_CRC16) {
-                        fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
-                        put_unaligned_le16(fcs, skb->data + skb->len - 2);
-                }
-                l2cap_do_send(sk, skb);
-                pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
-        }
-}
-static void l2cap_retransmit_one_frame(struct sock *sk, u8 tx_seq)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        struct sk_buff *skb, *tx_skb;
-        u16 control, fcs;
-        skb = skb_peek(TX_QUEUE(sk));
-        if (!skb)
-                return;
-        do {
-                if (bt_cb(skb)->tx_seq == tx_seq)
-                        break;
-                if (skb_queue_is_last(TX_QUEUE(sk), skb))
-                        return;
-        } while ((skb = skb_queue_next(TX_QUEUE(sk), skb)));
-        if (pi->remote_max_tx &&
-                        bt_cb(skb)->retries == pi->remote_max_tx) {
-                l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
-                return;
-        }
-        tx_skb = skb_clone(skb, GFP_ATOMIC);
-        bt_cb(skb)->retries++;
-        control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
-        if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
-                control |= L2CAP_CTRL_FINAL;
-                pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
-        }
-        control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
-                        | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
-        put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
-        if (pi->fcs == L2CAP_FCS_CRC16) {
-                fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
-                put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
-        }
-        l2cap_do_send(sk, tx_skb);
-}
-static int l2cap_ertm_send(struct sock *sk)
-{
-        struct sk_buff *skb, *tx_skb;
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        u16 control, fcs;
-        int nsent = 0;
-        if (sk->sk_state != BT_CONNECTED)
-                return -ENOTCONN;
-        while ((skb = sk->sk_send_head) && (!l2cap_tx_window_full(sk))) {
-                if (pi->remote_max_tx &&
-                                bt_cb(skb)->retries == pi->remote_max_tx) {
-                        l2cap_send_disconn_req(pi->conn, sk, ECONNABORTED);
-                        break;
-                }
-                tx_skb = skb_clone(skb, GFP_ATOMIC);
-                bt_cb(skb)->retries++;
-                control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
-                control &= L2CAP_CTRL_SAR;
-                if (pi->conn_state & L2CAP_CONN_SEND_FBIT) {
-                        control |= L2CAP_CTRL_FINAL;
-                        pi->conn_state &= ~L2CAP_CONN_SEND_FBIT;
-                }
-                control |= (pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
-                                | (pi->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
-                put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
-                if (pi->fcs == L2CAP_FCS_CRC16) {
-                        fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
-                        put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
-                }
-                l2cap_do_send(sk, tx_skb);
-                __mod_retrans_timer();
-                bt_cb(skb)->tx_seq = pi->next_tx_seq;
-                pi->next_tx_seq = (pi->next_tx_seq + 1) % 64;
-                pi->unacked_frames++;
-                pi->frames_sent++;
-                if (skb_queue_is_last(TX_QUEUE(sk), skb))
-                        sk->sk_send_head = NULL;
-                else
-                        sk->sk_send_head = skb_queue_next(TX_QUEUE(sk), skb);
-                nsent++;
-        }
-        return nsent;
-}
-static int l2cap_retransmit_frames(struct sock *sk)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        int ret;
-        if (!skb_queue_empty(TX_QUEUE(sk)))
-                sk->sk_send_head = TX_QUEUE(sk)->next;
-        pi->next_tx_seq = pi->expected_ack_seq;
-        ret = l2cap_ertm_send(sk);
-        return ret;
-}
-static void l2cap_send_ack(struct l2cap_pinfo *pi)
-{
-        struct sock *sk = (struct sock *)pi;
-        u16 control = 0;
-        control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-        if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
-                control |= L2CAP_SUPER_RCV_NOT_READY;
-                pi->conn_state |= L2CAP_CONN_RNR_SENT;
-                l2cap_send_sframe(pi, control);
-                return;
-        }
-        if (l2cap_ertm_send(sk) > 0)
-                return;
-        control |= L2CAP_SUPER_RCV_READY;
-        l2cap_send_sframe(pi, control);
-}
-static void l2cap_send_srejtail(struct sock *sk)
-{
-        struct srej_list *tail;
-        u16 control;
-        control = L2CAP_SUPER_SELECT_REJECT;
-        control |= L2CAP_CTRL_FINAL;
-        tail = list_entry(SREJ_LIST(sk)->prev, struct srej_list, list);
-        control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-        l2cap_send_sframe(l2cap_pi(sk), control);
-}
-static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
-{
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
-        struct sk_buff **frag;
-        int err, sent = 0;
-        if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
-                return -EFAULT;
-        sent += count;
-        len  -= count;
-        /* Continuation fragments (no L2CAP header) */
-        frag = &skb_shinfo(skb)->frag_list;
-        while (len) {
-                count = min_t(unsigned int, conn->mtu, len);
-                *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
-                if (!*frag)
-                        return err;
-                if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
-                        return -EFAULT;
-                sent += count;
-                len  -= count;
-                frag = &(*frag)->next;
-        }
-        return sent;
-}
-static struct sk_buff *l2cap_create_connless_pdu(struct sock *sk, struct msghdr *msg, size_t len)
-{
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
-        struct sk_buff *skb;
-        int err, count, hlen = L2CAP_HDR_SIZE + 2;
-        struct l2cap_hdr *lh;
-        BT_DBG("sk %p len %d", sk, (int)len);
-        count = min_t(unsigned int, (conn->mtu - hlen), len);
-        skb = bt_skb_send_alloc(sk, count + hlen,
-                        msg->msg_flags & MSG_DONTWAIT, &err);
-        if (!skb)
-                return ERR_PTR(err);
-        /* Create L2CAP header */
-        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
-        lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
-        lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
-        put_unaligned_le16(l2cap_pi(sk)->psm, skb_put(skb, 2));
-        err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
-        if (unlikely(err < 0)) {
-                kfree_skb(skb);
-                return ERR_PTR(err);
-        }
-        return skb;
-}
-static struct sk_buff *l2cap_create_basic_pdu(struct sock *sk, struct msghdr *msg, size_t len)
-{
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
-        struct sk_buff *skb;
-        int err, count, hlen = L2CAP_HDR_SIZE;
-        struct l2cap_hdr *lh;
-        BT_DBG("sk %p len %d", sk, (int)len);
-        count = min_t(unsigned int, (conn->mtu - hlen), len);
-        skb = bt_skb_send_alloc(sk, count + hlen,
-                        msg->msg_flags & MSG_DONTWAIT, &err);
-        if (!skb)
-                return ERR_PTR(err);
-        /* Create L2CAP header */
-        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
-        lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
-        lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
-        err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
-        if (unlikely(err < 0)) {
-                kfree_skb(skb);
-                return ERR_PTR(err);
-        }
-        return skb;
-}
-static struct sk_buff *l2cap_create_iframe_pdu(struct sock *sk, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
-{
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
-        struct sk_buff *skb;
-        int err, count, hlen = L2CAP_HDR_SIZE + 2;
-        struct l2cap_hdr *lh;
-        BT_DBG("sk %p len %d", sk, (int)len);
-        if (!conn)
-                return ERR_PTR(-ENOTCONN);
-        if (sdulen)
-                hlen += 2;
-        if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
-                hlen += 2;
-        count = min_t(unsigned int, (conn->mtu - hlen), len);
-        skb = bt_skb_send_alloc(sk, count + hlen,
-                        msg->msg_flags & MSG_DONTWAIT, &err);
-        if (!skb)
-                return ERR_PTR(err);
-        /* Create L2CAP header */
-        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
-        lh->cid = cpu_to_le16(l2cap_pi(sk)->dcid);
-        lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
-        put_unaligned_le16(control, skb_put(skb, 2));
-        if (sdulen)
-                put_unaligned_le16(sdulen, skb_put(skb, 2));
-        err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
-        if (unlikely(err < 0)) {
-                kfree_skb(skb);
-                return ERR_PTR(err);
-        }
-        if (l2cap_pi(sk)->fcs == L2CAP_FCS_CRC16)
-                put_unaligned_le16(0, skb_put(skb, 2));
-        bt_cb(skb)->retries = 0;
-        return skb;
-}
-static inline int l2cap_sar_segment_sdu(struct sock *sk, struct msghdr *msg, size_t len)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        struct sk_buff *skb;
-        struct sk_buff_head sar_queue;
-        u16 control;
-        size_t size = 0;
-        skb_queue_head_init(&sar_queue);
-        control = L2CAP_SDU_START;
-        skb = l2cap_create_iframe_pdu(sk, msg, pi->remote_mps, control, len);
-        if (IS_ERR(skb))
-                return PTR_ERR(skb);
-        __skb_queue_tail(&sar_queue, skb);
-        len -= pi->remote_mps;
-        size += pi->remote_mps;
-        while (len > 0) {
-                size_t buflen;
-                if (len > pi->remote_mps) {
-                        control = L2CAP_SDU_CONTINUE;
-                        buflen = pi->remote_mps;
-                } else {
-                        control = L2CAP_SDU_END;
-                        buflen = len;
-                }
-                skb = l2cap_create_iframe_pdu(sk, msg, buflen, control, 0);
-                if (IS_ERR(skb)) {
-                        skb_queue_purge(&sar_queue);
-                        return PTR_ERR(skb);
-                }
-                __skb_queue_tail(&sar_queue, skb);
-                len -= buflen;
-                size += buflen;
-        }
-        skb_queue_splice_tail(&sar_queue, TX_QUEUE(sk));
-        if (sk->sk_send_head == NULL)
-                sk->sk_send_head = sar_queue.next;
-        return size;
-}
-static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
-{
-        struct sock *sk = sock->sk;
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        struct sk_buff *skb;
-        u16 control;
-        int err;
-        BT_DBG("sock %p, sk %p", sock, sk);
-        err = sock_error(sk);
-        if (err)
-                return err;
-        if (msg->msg_flags & MSG_OOB)
-                return -EOPNOTSUPP;
-        lock_sock(sk);
-        if (sk->sk_state != BT_CONNECTED) {
-                err = -ENOTCONN;
-                goto done;
-        }
-        /* Connectionless channel */
-        if (sk->sk_type == SOCK_DGRAM) {
-                skb = l2cap_create_connless_pdu(sk, msg, len);
-                if (IS_ERR(skb)) {
-                        err = PTR_ERR(skb);
-                } else {
-                        l2cap_do_send(sk, skb);
-                        err = len;
-                }
-                goto done;
-        }
-        switch (pi->mode) {
-        case L2CAP_MODE_BASIC:
-                /* Check outgoing MTU */
-                if (len > pi->omtu) {
-                        err = -EMSGSIZE;
-                        goto done;
-                }
-                /* Create a basic PDU */
-                skb = l2cap_create_basic_pdu(sk, msg, len);
-                if (IS_ERR(skb)) {
-                        err = PTR_ERR(skb);
-                        goto done;
-                }
-                l2cap_do_send(sk, skb);
-                err = len;
-                break;
-        case L2CAP_MODE_ERTM:
-        case L2CAP_MODE_STREAMING:
-                /* Entire SDU fits into one PDU */
-                if (len <= pi->remote_mps) {
-                        control = L2CAP_SDU_UNSEGMENTED;
-                        skb = l2cap_create_iframe_pdu(sk, msg, len, control, 0);
-                        if (IS_ERR(skb)) {
-                                err = PTR_ERR(skb);
-                                goto done;
-                        }
-                        __skb_queue_tail(TX_QUEUE(sk), skb);
-                        if (sk->sk_send_head == NULL)
-                                sk->sk_send_head = skb;
-                } else {
-                /* Segment SDU into multiples PDUs */
-                        err = l2cap_sar_segment_sdu(sk, msg, len);
-                        if (err < 0)
-                                goto done;
-                }
-                if (pi->mode == L2CAP_MODE_STREAMING) {
-                        l2cap_streaming_send(sk);
-                } else {
-                        if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
-                                        (pi->conn_state & L2CAP_CONN_WAIT_F)) {
-                                err = len;
-                                break;
-                        }
-                        err = l2cap_ertm_send(sk);
-                }
-                if (err >= 0)
-                        err = len;
-                break;
-        default:
-                BT_DBG("bad state %1.1x", pi->mode);
-                err = -EBADFD;
-        }
-done:
-        release_sock(sk);
-        return err;
-}
-static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
-{
-        struct sock *sk = sock->sk;
-        lock_sock(sk);
-        if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
-                struct l2cap_conn_rsp rsp;
-                struct l2cap_conn *conn = l2cap_pi(sk)->conn;
-                u8 buf[128];
-                sk->sk_state = BT_CONFIG;
-                rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
-                rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
-                rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
-                rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
-                l2cap_send_cmd(l2cap_pi(sk)->conn, l2cap_pi(sk)->ident,
-                                        L2CAP_CONN_RSP, sizeof(rsp), &rsp);
-                if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) {
-                        release_sock(sk);
-                        return 0;
-                }
-                l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
-                l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                l2cap_build_conf_req(sk, buf), buf);
-                l2cap_pi(sk)->num_conf_req++;
-                release_sock(sk);
-                return 0;
-        }
-        release_sock(sk);
-        if (sock->type == SOCK_STREAM)
-                return bt_sock_stream_recvmsg(iocb, sock, msg, len, flags);
-        return bt_sock_recvmsg(iocb, sock, msg, len, flags);
-}
-static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
-{
-        struct sock *sk = sock->sk;
-        struct l2cap_options opts;
-        int len, err = 0;
-        u32 opt;
-        BT_DBG("sk %p", sk);
-        lock_sock(sk);
-        switch (optname) {
-        case L2CAP_OPTIONS:
-                if (sk->sk_state == BT_CONNECTED) {
-                        err = -EINVAL;
-                        break;
-                }
-                opts.imtu     = l2cap_pi(sk)->imtu;
-                opts.omtu     = l2cap_pi(sk)->omtu;
-                opts.flush_to = l2cap_pi(sk)->flush_to;
-                opts.mode     = l2cap_pi(sk)->mode;
-                opts.fcs      = l2cap_pi(sk)->fcs;
-                opts.max_tx   = l2cap_pi(sk)->max_tx;
-                opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
-                len = min_t(unsigned int, sizeof(opts), optlen);
-                if (copy_from_user((char *) &opts, optval, len)) {
-                        err = -EFAULT;
-                        break;
-                }
-                if (opts.txwin_size > L2CAP_DEFAULT_TX_WINDOW) {
-                        err = -EINVAL;
-                        break;
-                }
-                l2cap_pi(sk)->mode = opts.mode;
-                switch (l2cap_pi(sk)->mode) {
-                case L2CAP_MODE_BASIC:
-                        l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
-                        break;
-                case L2CAP_MODE_ERTM:
-                case L2CAP_MODE_STREAMING:
-                        if (!disable_ertm)
-                                break;
-                        /* fall through */
-                default:
-                        err = -EINVAL;
-                        break;
-                }
-                l2cap_pi(sk)->imtu = opts.imtu;
-                l2cap_pi(sk)->omtu = opts.omtu;
-                l2cap_pi(sk)->fcs  = opts.fcs;
-                l2cap_pi(sk)->max_tx = opts.max_tx;
-                l2cap_pi(sk)->tx_win = (__u8)opts.txwin_size;
-                break;
-        case L2CAP_LM:
-                if (get_user(opt, (u32 __user *) optval)) {
-                        err = -EFAULT;
-                        break;
-                }
-                if (opt & L2CAP_LM_AUTH)
-                        l2cap_pi(sk)->sec_level = BT_SECURITY_LOW;
-                if (opt & L2CAP_LM_ENCRYPT)
-                        l2cap_pi(sk)->sec_level = BT_SECURITY_MEDIUM;
-                if (opt & L2CAP_LM_SECURE)
-                        l2cap_pi(sk)->sec_level = BT_SECURITY_HIGH;
-                l2cap_pi(sk)->role_switch    = (opt & L2CAP_LM_MASTER);
-                l2cap_pi(sk)->force_reliable = (opt & L2CAP_LM_RELIABLE);
-                break;
-        default:
-                err = -ENOPROTOOPT;
-                break;
-        }
-        release_sock(sk);
-        return err;
-}
-static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
-{
-        struct sock *sk = sock->sk;
-        struct bt_security sec;
-        int len, err = 0;
-        u32 opt;
-        BT_DBG("sk %p", sk);
-        if (level == SOL_L2CAP)
-                return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
-        if (level != SOL_BLUETOOTH)
-                return -ENOPROTOOPT;
-        lock_sock(sk);
-        switch (optname) {
-        case BT_SECURITY:
-                if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
-                                && sk->sk_type != SOCK_RAW) {
-                        err = -EINVAL;
-                        break;
-                }
-                sec.level = BT_SECURITY_LOW;
-                len = min_t(unsigned int, sizeof(sec), optlen);
-                if (copy_from_user((char *) &sec, optval, len)) {
-                        err = -EFAULT;
-                        break;
-                }
-                if (sec.level < BT_SECURITY_LOW ||
-                                        sec.level > BT_SECURITY_HIGH) {
-                        err = -EINVAL;
-                        break;
-                }
-                l2cap_pi(sk)->sec_level = sec.level;
-                break;
-        case BT_DEFER_SETUP:
-                if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
-                        err = -EINVAL;
-                        break;
-                }
-                if (get_user(opt, (u32 __user *) optval)) {
-                        err = -EFAULT;
-                        break;
-                }
-                bt_sk(sk)->defer_setup = opt;
-                break;
-        default:
-                err = -ENOPROTOOPT;
-                break;
-        }
-        release_sock(sk);
-        return err;
-}
-static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
-{
-        struct sock *sk = sock->sk;
-        struct l2cap_options opts;
-        struct l2cap_conninfo cinfo;
-        int len, err = 0;
-        u32 opt;
-        BT_DBG("sk %p", sk);
-        if (get_user(len, optlen))
-                return -EFAULT;
-        lock_sock(sk);
-        switch (optname) {
-        case L2CAP_OPTIONS:
-                opts.imtu     = l2cap_pi(sk)->imtu;
-                opts.omtu     = l2cap_pi(sk)->omtu;
-                opts.flush_to = l2cap_pi(sk)->flush_to;
-                opts.mode     = l2cap_pi(sk)->mode;
-                opts.fcs      = l2cap_pi(sk)->fcs;
-                opts.max_tx   = l2cap_pi(sk)->max_tx;
-                opts.txwin_size = (__u16)l2cap_pi(sk)->tx_win;
-                len = min_t(unsigned int, len, sizeof(opts));
-                if (copy_to_user(optval, (char *) &opts, len))
-                        err = -EFAULT;
-                break;
-        case L2CAP_LM:
-                switch (l2cap_pi(sk)->sec_level) {
-                case BT_SECURITY_LOW:
-                        opt = L2CAP_LM_AUTH;
-                        break;
-                case BT_SECURITY_MEDIUM:
-                        opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
-                        break;
-                case BT_SECURITY_HIGH:
-                        opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
-                                                        L2CAP_LM_SECURE;
-                        break;
-                default:
-                        opt = 0;
-                        break;
-                }
-                if (l2cap_pi(sk)->role_switch)
-                        opt |= L2CAP_LM_MASTER;
-                if (l2cap_pi(sk)->force_reliable)
-                        opt |= L2CAP_LM_RELIABLE;
-                if (put_user(opt, (u32 __user *) optval))
-                        err = -EFAULT;
-                break;
-        case L2CAP_CONNINFO:
-                if (sk->sk_state != BT_CONNECTED &&
-                                        !(sk->sk_state == BT_CONNECT2 &&
-                                                bt_sk(sk)->defer_setup)) {
-                        err = -ENOTCONN;
-                        break;
-                }
-                cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
-                memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
-                len = min_t(unsigned int, len, sizeof(cinfo));
-                if (copy_to_user(optval, (char *) &cinfo, len))
-                        err = -EFAULT;
-                break;
-        default:
-                err = -ENOPROTOOPT;
-                break;
-        }
-        release_sock(sk);
-        return err;
-}
-static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
-{
-        struct sock *sk = sock->sk;
-        struct bt_security sec;
-        int len, err = 0;
-        BT_DBG("sk %p", sk);
-        if (level == SOL_L2CAP)
-                return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
-        if (level != SOL_BLUETOOTH)
-                return -ENOPROTOOPT;
-        if (get_user(len, optlen))
-                return -EFAULT;
-        lock_sock(sk);
-        switch (optname) {
-        case BT_SECURITY:
-                if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
-                                && sk->sk_type != SOCK_RAW) {
-                        err = -EINVAL;
-                        break;
-                }
-                sec.level = l2cap_pi(sk)->sec_level;
-                len = min_t(unsigned int, len, sizeof(sec));
-                if (copy_to_user(optval, (char *) &sec, len))
-                        err = -EFAULT;
-                break;
-        case BT_DEFER_SETUP:
-                if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
-                        err = -EINVAL;
-                        break;
-                }
-                if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
-                        err = -EFAULT;
-                break;
-        default:
-                err = -ENOPROTOOPT;
-                break;
-        }
-        release_sock(sk);
-        return err;
-}
-static int l2cap_sock_shutdown(struct socket *sock, int how)
-{
-        struct sock *sk = sock->sk;
-        int err = 0;
-        BT_DBG("sock %p, sk %p", sock, sk);
-        if (!sk)
-                return 0;
-        lock_sock(sk);
-        if (!sk->sk_shutdown) {
-                if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
-                        err = __l2cap_wait_ack(sk);
-                sk->sk_shutdown = SHUTDOWN_MASK;
-                l2cap_sock_clear_timer(sk);
-                __l2cap_sock_close(sk, 0);
-                if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
-                        err = bt_sock_wait_state(sk, BT_CLOSED,
-                                                        sk->sk_lingertime);
-        }
-        if (!err && sk->sk_err)
-                err = -sk->sk_err;
-        release_sock(sk);
-        return err;
-}
-static int l2cap_sock_release(struct socket *sock)
-{
-        struct sock *sk = sock->sk;
-        int err;
-        BT_DBG("sock %p, sk %p", sock, sk);
-        if (!sk)
-                return 0;
-        err = l2cap_sock_shutdown(sock, 2);
-        sock_orphan(sk);
-        l2cap_sock_kill(sk);
-        return err;
-}
-static void l2cap_chan_ready(struct sock *sk)
-{
-        struct sock *parent = bt_sk(sk)->parent;
-        BT_DBG("sk %p, parent %p", sk, parent);
-        l2cap_pi(sk)->conf_state = 0;
-        l2cap_sock_clear_timer(sk);
-        if (!parent) {
-                /* Outgoing channel.
-                 * Wake up socket sleeping on connect.
-                 */
-                sk->sk_state = BT_CONNECTED;
-                sk->sk_state_change(sk);
-        } else {
-                /* Incoming channel.
-                 * Wake up socket sleeping on accept.
-                 */
-                parent->sk_data_ready(parent, 0);
-        }
-}
-/* Copy frame to all raw sockets on that connection */
-static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
-{
-        struct l2cap_chan_list *l = &conn->chan_list;
-        struct sk_buff *nskb;
-        struct sock *sk;
-        BT_DBG("conn %p", conn);
-        read_lock(&l->lock);
-        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
-                if (sk->sk_type != SOCK_RAW)
-                        continue;
-                /* Don't send frame to the socket it came from */
-                if (skb->sk == sk)
-                        continue;
-                nskb = skb_clone(skb, GFP_ATOMIC);
-                if (!nskb)
-                        continue;
-                if (sock_queue_rcv_skb(sk, nskb))
-                        kfree_skb(nskb);
-        }
-        read_unlock(&l->lock);
-}
-/* ---- L2CAP signalling commands ---- */
-static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
-                                u8 code, u8 ident, u16 dlen, void *data)
-{
-        struct sk_buff *skb, **frag;
-        struct l2cap_cmd_hdr *cmd;
-        struct l2cap_hdr *lh;
-        int len, count;
-        BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
-                        conn, code, ident, dlen);
-        len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
-        count = min_t(unsigned int, conn->mtu, len);
-        skb = bt_skb_alloc(count, GFP_ATOMIC);
-        if (!skb)
-                return NULL;
-        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
-        lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
-        lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
-        cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
-        cmd->code  = code;
-        cmd->ident = ident;
-        cmd->len   = cpu_to_le16(dlen);
-        if (dlen) {
-                count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
-                memcpy(skb_put(skb, count), data, count);
-                data += count;
-        }
-        len -= skb->len;
-        /* Continuation fragments (no L2CAP header) */
-        frag = &skb_shinfo(skb)->frag_list;
-        while (len) {
-                count = min_t(unsigned int, conn->mtu, len);
-                *frag = bt_skb_alloc(count, GFP_ATOMIC);
-                if (!*frag)
-                        goto fail;
-                memcpy(skb_put(*frag, count), data, count);
-                len  -= count;
-                data += count;
-                frag = &(*frag)->next;
-        }
-        return skb;
-fail:
-        kfree_skb(skb);
-        return NULL;
-}
-static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
-{
-        struct l2cap_conf_opt *opt = *ptr;
-        int len;
-        len = L2CAP_CONF_OPT_SIZE + opt->len;
-        *ptr += len;
-        *type = opt->type;
-        *olen = opt->len;
-        switch (opt->len) {
-        case 1:
-                *val = *((u8 *) opt->val);
-                break;
-        case 2:
-                *val = get_unaligned_le16(opt->val);
-                break;
-        case 4:
-                *val = get_unaligned_le32(opt->val);
-                break;
-        default:
-                *val = (unsigned long) opt->val;
-                break;
-        }
-        BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
-        return len;
-}
-static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
-{
-        struct l2cap_conf_opt *opt = *ptr;
-        BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
-        opt->type = type;
-        opt->len  = len;
-        switch (len) {
-        case 1:
-                *((u8 *) opt->val)  = val;
-                break;
-        case 2:
-                put_unaligned_le16(val, opt->val);
-                break;
-        case 4:
-                put_unaligned_le32(val, opt->val);
-                break;
-        default:
-                memcpy(opt->val, (void *) val, len);
-                break;
-        }
-        *ptr += L2CAP_CONF_OPT_SIZE + len;
-}
-static void l2cap_ack_timeout(unsigned long arg)
-{
-        struct sock *sk = (void *) arg;
-        bh_lock_sock(sk);
-        l2cap_send_ack(l2cap_pi(sk));
-        bh_unlock_sock(sk);
-}
-static inline void l2cap_ertm_init(struct sock *sk)
-{
-        l2cap_pi(sk)->expected_ack_seq = 0;
-        l2cap_pi(sk)->unacked_frames = 0;
-        l2cap_pi(sk)->buffer_seq = 0;
-        l2cap_pi(sk)->num_acked = 0;
-        l2cap_pi(sk)->frames_sent = 0;
-        setup_timer(&l2cap_pi(sk)->retrans_timer,
-                        l2cap_retrans_timeout, (unsigned long) sk);
-        setup_timer(&l2cap_pi(sk)->monitor_timer,
-                        l2cap_monitor_timeout, (unsigned long) sk);
-        setup_timer(&l2cap_pi(sk)->ack_timer,
-                        l2cap_ack_timeout, (unsigned long) sk);
-        __skb_queue_head_init(SREJ_QUEUE(sk));
-        __skb_queue_head_init(BUSY_QUEUE(sk));
-        INIT_WORK(&l2cap_pi(sk)->busy_work, l2cap_busy_work);
-        sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
-}
-static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
-{
-        switch (mode) {
-        case L2CAP_MODE_STREAMING:
-        case L2CAP_MODE_ERTM:
-                if (l2cap_mode_supported(mode, remote_feat_mask))
-                        return mode;
-                /* fall through */
-        default:
-                return L2CAP_MODE_BASIC;
-        }
-}
-static int l2cap_build_conf_req(struct sock *sk, void *data)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        struct l2cap_conf_req *req = data;
-        struct l2cap_conf_rfc rfc = { .mode = pi->mode };
-        void *ptr = req->data;
-        BT_DBG("sk %p", sk);
-        if (pi->num_conf_req || pi->num_conf_rsp)
-                goto done;
-        switch (pi->mode) {
-        case L2CAP_MODE_STREAMING:
-        case L2CAP_MODE_ERTM:
-                if (pi->conf_state & L2CAP_CONF_STATE2_DEVICE)
-                        break;
-                /* fall through */
-        default:
-                pi->mode = l2cap_select_mode(rfc.mode, pi->conn->feat_mask);
-                break;
-        }
-done:
-        switch (pi->mode) {
-        case L2CAP_MODE_BASIC:
-                if (pi->imtu != L2CAP_DEFAULT_MTU)
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
-                if (!(pi->conn->feat_mask & L2CAP_FEAT_ERTM) &&
-                                !(pi->conn->feat_mask & L2CAP_FEAT_STREAMING))
-                        break;
-                rfc.mode            = L2CAP_MODE_BASIC;
-                rfc.txwin_size      = 0;
-                rfc.max_transmit    = 0;
-                rfc.retrans_timeout = 0;
-                rfc.monitor_timeout = 0;
-                rfc.max_pdu_size    = 0;
-                l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
-                                                        (unsigned long) &rfc);
-                break;
-        case L2CAP_MODE_ERTM:
-                rfc.mode            = L2CAP_MODE_ERTM;
-                rfc.txwin_size      = pi->tx_win;
-                rfc.max_transmit    = pi->max_tx;
-                rfc.retrans_timeout = 0;
-                rfc.monitor_timeout = 0;
-                rfc.max_pdu_size    = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
-                if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
-                        rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
-                l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
-                                                        (unsigned long) &rfc);
-                if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
-                        break;
-                if (pi->fcs == L2CAP_FCS_NONE ||
-                                pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
-                        pi->fcs = L2CAP_FCS_NONE;
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
-                }
-                break;
-        case L2CAP_MODE_STREAMING:
-                rfc.mode            = L2CAP_MODE_STREAMING;
-                rfc.txwin_size      = 0;
-                rfc.max_transmit    = 0;
-                rfc.retrans_timeout = 0;
-                rfc.monitor_timeout = 0;
-                rfc.max_pdu_size    = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
-                if (L2CAP_DEFAULT_MAX_PDU_SIZE > pi->conn->mtu - 10)
-                        rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
-                l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
-                                                        (unsigned long) &rfc);
-                if (!(pi->conn->feat_mask & L2CAP_FEAT_FCS))
-                        break;
-                if (pi->fcs == L2CAP_FCS_NONE ||
-                                pi->conf_state & L2CAP_CONF_NO_FCS_RECV) {
-                        pi->fcs = L2CAP_FCS_NONE;
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, pi->fcs);
-                }
-                break;
-        }
-        /* FIXME: Need actual value of the flush timeout */
-        //if (flush_to != L2CAP_DEFAULT_FLUSH_TO)
-        //   l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO, 2, pi->flush_to);
-        req->dcid  = cpu_to_le16(pi->dcid);
-        req->flags = cpu_to_le16(0);
-        return ptr - data;
-}
-static int l2cap_parse_conf_req(struct sock *sk, void *data)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        struct l2cap_conf_rsp *rsp = data;
-        void *ptr = rsp->data;
-        void *req = pi->conf_req;
-        int len = pi->conf_len;
-        int type, hint, olen;
-        unsigned long val;
-        struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
-        u16 mtu = L2CAP_DEFAULT_MTU;
-        u16 result = L2CAP_CONF_SUCCESS;
-        BT_DBG("sk %p", sk);
-        while (len >= L2CAP_CONF_OPT_SIZE) {
-                len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
-                hint  = type & L2CAP_CONF_HINT;
-                type &= L2CAP_CONF_MASK;
-                switch (type) {
-                case L2CAP_CONF_MTU:
-                        mtu = val;
-                        break;
-                case L2CAP_CONF_FLUSH_TO:
-                        pi->flush_to = val;
-                        break;
-                case L2CAP_CONF_QOS:
-                        break;
-                case L2CAP_CONF_RFC:
-                        if (olen == sizeof(rfc))
-                                memcpy(&rfc, (void *) val, olen);
-                        break;
-                case L2CAP_CONF_FCS:
-                        if (val == L2CAP_FCS_NONE)
-                                pi->conf_state |= L2CAP_CONF_NO_FCS_RECV;
-                        break;
-                default:
-                        if (hint)
-                                break;
-                        result = L2CAP_CONF_UNKNOWN;
-                        *((u8 *) ptr++) = type;
-                        break;
-                }
-        }
-        if (pi->num_conf_rsp || pi->num_conf_req > 1)
-                goto done;
-        switch (pi->mode) {
-        case L2CAP_MODE_STREAMING:
-        case L2CAP_MODE_ERTM:
-                if (!(pi->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
-                        pi->mode = l2cap_select_mode(rfc.mode,
-                                        pi->conn->feat_mask);
-                        break;
-                }
-                if (pi->mode != rfc.mode)
-                        return -ECONNREFUSED;
-                break;
-        }
-done:
-        if (pi->mode != rfc.mode) {
-                result = L2CAP_CONF_UNACCEPT;
-                rfc.mode = pi->mode;
-                if (pi->num_conf_rsp == 1)
-                        return -ECONNREFUSED;
-                l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
-                                        sizeof(rfc), (unsigned long) &rfc);
-        }
-        if (result == L2CAP_CONF_SUCCESS) {
-                /* Configure output options and let the other side know
-                 * which ones we don't like. */
-                if (mtu < L2CAP_DEFAULT_MIN_MTU)
-                        result = L2CAP_CONF_UNACCEPT;
-                else {
-                        pi->omtu = mtu;
-                        pi->conf_state |= L2CAP_CONF_MTU_DONE;
-                }
-                l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->omtu);
-                switch (rfc.mode) {
-                case L2CAP_MODE_BASIC:
-                        pi->fcs = L2CAP_FCS_NONE;
-                        pi->conf_state |= L2CAP_CONF_MODE_DONE;
-                        break;
-                case L2CAP_MODE_ERTM:
-                        pi->remote_tx_win = rfc.txwin_size;
-                        pi->remote_max_tx = rfc.max_transmit;
-                        if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
-                                rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
-                        pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
-                        rfc.retrans_timeout =
-                                le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
-                        rfc.monitor_timeout =
-                                le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
-                        pi->conf_state |= L2CAP_CONF_MODE_DONE;
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
-                                        sizeof(rfc), (unsigned long) &rfc);
-                        break;
-                case L2CAP_MODE_STREAMING:
-                        if (le16_to_cpu(rfc.max_pdu_size) > pi->conn->mtu - 10)
-                                rfc.max_pdu_size = cpu_to_le16(pi->conn->mtu - 10);
-                        pi->remote_mps = le16_to_cpu(rfc.max_pdu_size);
-                        pi->conf_state |= L2CAP_CONF_MODE_DONE;
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
-                                        sizeof(rfc), (unsigned long) &rfc);
-                        break;
-                default:
-                        result = L2CAP_CONF_UNACCEPT;
-                        memset(&rfc, 0, sizeof(rfc));
-                        rfc.mode = pi->mode;
-                }
-                if (result == L2CAP_CONF_SUCCESS)
-                        pi->conf_state |= L2CAP_CONF_OUTPUT_DONE;
-        }
-        rsp->scid   = cpu_to_le16(pi->dcid);
-        rsp->result = cpu_to_le16(result);
-        rsp->flags  = cpu_to_le16(0x0000);
-        return ptr - data;
-}
-static int l2cap_parse_conf_rsp(struct sock *sk, void *rsp, int len, void *data, u16 *result)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        struct l2cap_conf_req *req = data;
-        void *ptr = req->data;
-        int type, olen;
-        unsigned long val;
-        struct l2cap_conf_rfc rfc;
-        BT_DBG("sk %p, rsp %p, len %d, req %p", sk, rsp, len, data);
-        while (len >= L2CAP_CONF_OPT_SIZE) {
-                len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
-                switch (type) {
-                case L2CAP_CONF_MTU:
-                        if (val < L2CAP_DEFAULT_MIN_MTU) {
-                                *result = L2CAP_CONF_UNACCEPT;
-                                pi->imtu = L2CAP_DEFAULT_MIN_MTU;
-                        } else
-                                pi->imtu = val;
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, pi->imtu);
-                        break;
-                case L2CAP_CONF_FLUSH_TO:
-                        pi->flush_to = val;
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
-                                                        2, pi->flush_to);
-                        break;
-                case L2CAP_CONF_RFC:
-                        if (olen == sizeof(rfc))
-                                memcpy(&rfc, (void *)val, olen);
-                        if ((pi->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
-                                                        rfc.mode != pi->mode)
-                                return -ECONNREFUSED;
-                        pi->fcs = 0;
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
-                                        sizeof(rfc), (unsigned long) &rfc);
-                        break;
-                }
-        }
-        if (pi->mode == L2CAP_MODE_BASIC && pi->mode != rfc.mode)
-                return -ECONNREFUSED;
-        pi->mode = rfc.mode;
-        if (*result == L2CAP_CONF_SUCCESS) {
-                switch (rfc.mode) {
-                case L2CAP_MODE_ERTM:
-                        pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
-                        pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
-                        pi->mps    = le16_to_cpu(rfc.max_pdu_size);
-                        break;
-                case L2CAP_MODE_STREAMING:
-                        pi->mps    = le16_to_cpu(rfc.max_pdu_size);
-                }
-        }
-        req->dcid   = cpu_to_le16(pi->dcid);
-        req->flags  = cpu_to_le16(0x0000);
-        return ptr - data;
-}
-static int l2cap_build_conf_rsp(struct sock *sk, void *data, u16 result, u16 flags)
-{
-        struct l2cap_conf_rsp *rsp = data;
-        void *ptr = rsp->data;
-        BT_DBG("sk %p", sk);
-        rsp->scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
-        rsp->result = cpu_to_le16(result);
-        rsp->flags  = cpu_to_le16(flags);
-        return ptr - data;
-}
-static void l2cap_conf_rfc_get(struct sock *sk, void *rsp, int len)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        int type, olen;
-        unsigned long val;
-        struct l2cap_conf_rfc rfc;
-        BT_DBG("sk %p, rsp %p, len %d", sk, rsp, len);
-        if ((pi->mode != L2CAP_MODE_ERTM) && (pi->mode != L2CAP_MODE_STREAMING))
-                return;
-        while (len >= L2CAP_CONF_OPT_SIZE) {
-                len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
-                switch (type) {
-                case L2CAP_CONF_RFC:
-                        if (olen == sizeof(rfc))
-                                memcpy(&rfc, (void *)val, olen);
-                        goto done;
-                }
-        }
-done:
-        switch (rfc.mode) {
-        case L2CAP_MODE_ERTM:
-                pi->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
-                pi->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
-                pi->mps    = le16_to_cpu(rfc.max_pdu_size);
-                break;
-        case L2CAP_MODE_STREAMING:
-                pi->mps    = le16_to_cpu(rfc.max_pdu_size);
-        }
-}
-static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
-{
-        struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
-        if (rej->reason != 0x0000)
-                return 0;
-        if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
-                                        cmd->ident == conn->info_ident) {
-                del_timer(&conn->info_timer);
-                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
-                conn->info_ident = 0;
-                l2cap_conn_start(conn);
-        }
-        return 0;
-}
-static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
-{
-        struct l2cap_chan_list *list = &conn->chan_list;
-        struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
-        struct l2cap_conn_rsp rsp;
-        struct sock *parent, *sk = NULL;
-        int result, status = L2CAP_CS_NO_INFO;
-        u16 dcid = 0, scid = __le16_to_cpu(req->scid);
-        __le16 psm = req->psm;
-        BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
-        /* Check if we have socket listening on psm */
-        parent = l2cap_get_sock_by_psm(BT_LISTEN, psm, conn->src);
-        if (!parent) {
-                result = L2CAP_CR_BAD_PSM;
-                goto sendresp;
-        }
-        bh_lock_sock(parent);
-        /* Check if the ACL is secure enough (if not SDP) */
-        if (psm != cpu_to_le16(0x0001) &&
-                                !hci_conn_check_link_mode(conn->hcon)) {
-                conn->disc_reason = 0x05;
-                result = L2CAP_CR_SEC_BLOCK;
-                goto response;
-        }
-        result = L2CAP_CR_NO_MEM;
-        /* Check for backlog size */
-        if (sk_acceptq_is_full(parent)) {
-                BT_DBG("backlog full %d", parent->sk_ack_backlog);
-                goto response;
-        }
-        sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
-        if (!sk)
-                goto response;
-        write_lock_bh(&list->lock);
-        /* Check if we already have channel with that dcid */
-        if (__l2cap_get_chan_by_dcid(list, scid)) {
-                write_unlock_bh(&list->lock);
-                sock_set_flag(sk, SOCK_ZAPPED);
-                l2cap_sock_kill(sk);
-                goto response;
-        }
-        hci_conn_hold(conn->hcon);
-        l2cap_sock_init(sk, parent);
-        bacpy(&bt_sk(sk)->src, conn->src);
-        bacpy(&bt_sk(sk)->dst, conn->dst);
-        l2cap_pi(sk)->psm  = psm;
-        l2cap_pi(sk)->dcid = scid;
-        __l2cap_chan_add(conn, sk, parent);
-        dcid = l2cap_pi(sk)->scid;
-        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
-        l2cap_pi(sk)->ident = cmd->ident;
-        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
-                if (l2cap_check_security(sk)) {
-                        if (bt_sk(sk)->defer_setup) {
-                                sk->sk_state = BT_CONNECT2;
-                                result = L2CAP_CR_PEND;
-                                status = L2CAP_CS_AUTHOR_PEND;
-                                parent->sk_data_ready(parent, 0);
-                        } else {
-                                sk->sk_state = BT_CONFIG;
-                                result = L2CAP_CR_SUCCESS;
-                                status = L2CAP_CS_NO_INFO;
-                        }
-                } else {
-                        sk->sk_state = BT_CONNECT2;
-                        result = L2CAP_CR_PEND;
-                        status = L2CAP_CS_AUTHEN_PEND;
-                }
-        } else {
-                sk->sk_state = BT_CONNECT2;
-                result = L2CAP_CR_PEND;
-                status = L2CAP_CS_NO_INFO;
-        }
-        write_unlock_bh(&list->lock);
-response:
-        bh_unlock_sock(parent);
-sendresp:
-        rsp.scid   = cpu_to_le16(scid);
-        rsp.dcid   = cpu_to_le16(dcid);
-        rsp.result = cpu_to_le16(result);
-        rsp.status = cpu_to_le16(status);
-        l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
-        if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
-                struct l2cap_info_req info;
-                info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
-                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
-                conn->info_ident = l2cap_get_ident(conn);
-                mod_timer(&conn->info_timer, jiffies +
-                                        msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
-                l2cap_send_cmd(conn, conn->info_ident,
-                                        L2CAP_INFO_REQ, sizeof(info), &info);
-        }
-        if (sk && !(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT) &&
-                                result == L2CAP_CR_SUCCESS) {
-                u8 buf[128];
-                l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
-                l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                        l2cap_build_conf_req(sk, buf), buf);
-                l2cap_pi(sk)->num_conf_req++;
-        }
-        return 0;
-}
-static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
-{
-        struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
-        u16 scid, dcid, result, status;
-        struct sock *sk;
-        u8 req[128];
-        scid   = __le16_to_cpu(rsp->scid);
-        dcid   = __le16_to_cpu(rsp->dcid);
-        result = __le16_to_cpu(rsp->result);
-        status = __le16_to_cpu(rsp->status);
-        BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
-        if (scid) {
-                sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
-                if (!sk)
-                        return -EFAULT;
-        } else {
-                sk = l2cap_get_chan_by_ident(&conn->chan_list, cmd->ident);
-                if (!sk)
-                        return -EFAULT;
-        }
-        switch (result) {
-        case L2CAP_CR_SUCCESS:
-                sk->sk_state = BT_CONFIG;
-                l2cap_pi(sk)->ident = 0;
-                l2cap_pi(sk)->dcid = dcid;
-                l2cap_pi(sk)->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
-                if (l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)
-                        break;
-                l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
-                l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                        l2cap_build_conf_req(sk, req), req);
-                l2cap_pi(sk)->num_conf_req++;
-                break;
-        case L2CAP_CR_PEND:
-                l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
-                break;
-        default:
-                /* don't delete l2cap channel if sk is owned by user */
-                if (sock_owned_by_user(sk)) {
-                        sk->sk_state = BT_DISCONN;
-                        l2cap_sock_clear_timer(sk);
-                        l2cap_sock_set_timer(sk, HZ / 5);
-                        break;
-                }
-                l2cap_chan_del(sk, ECONNREFUSED);
-                break;
-        }
-        bh_unlock_sock(sk);
-        return 0;
-}
-static inline void set_default_fcs(struct l2cap_pinfo *pi)
-{
-        /* FCS is enabled only in ERTM or streaming mode, if one or both
-         * sides request it.
-         */
-        if (pi->mode != L2CAP_MODE_ERTM && pi->mode != L2CAP_MODE_STREAMING)
-                pi->fcs = L2CAP_FCS_NONE;
-        else if (!(pi->conf_state & L2CAP_CONF_NO_FCS_RECV))
-                pi->fcs = L2CAP_FCS_CRC16;
-}
-static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
-{
-        struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
-        u16 dcid, flags;
-        u8 rsp[64];
-        struct sock *sk;
-        int len;
-        dcid  = __le16_to_cpu(req->dcid);
-        flags = __le16_to_cpu(req->flags);
-        BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
-        sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
-        if (!sk)
-                return -ENOENT;
-        if (sk->sk_state != BT_CONFIG) {
-                struct l2cap_cmd_rej rej;
-                rej.reason = cpu_to_le16(0x0002);
-                l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
-                                sizeof(rej), &rej);
-                goto unlock;
-        }
-        /* Reject if config buffer is too small. */
-        len = cmd_len - sizeof(*req);
-        if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
-                l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
-                                l2cap_build_conf_rsp(sk, rsp,
-                                        L2CAP_CONF_REJECT, flags), rsp);
-                goto unlock;
-        }
-        /* Store config. */
-        memcpy(l2cap_pi(sk)->conf_req + l2cap_pi(sk)->conf_len, req->data, len);
-        l2cap_pi(sk)->conf_len += len;
-        if (flags & 0x0001) {
-                /* Incomplete config. Send empty response. */
-                l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
-                                l2cap_build_conf_rsp(sk, rsp,
-                                        L2CAP_CONF_SUCCESS, 0x0001), rsp);
-                goto unlock;
-        }
-        /* Complete config. */
-        len = l2cap_parse_conf_req(sk, rsp);
-        if (len < 0) {
-                l2cap_send_disconn_req(conn, sk, ECONNRESET);
-                goto unlock;
-        }
-        l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
-        l2cap_pi(sk)->num_conf_rsp++;
-        /* Reset config buffer. */
-        l2cap_pi(sk)->conf_len = 0;
-        if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE))
-                goto unlock;
-        if (l2cap_pi(sk)->conf_state & L2CAP_CONF_INPUT_DONE) {
-                set_default_fcs(l2cap_pi(sk));
-                sk->sk_state = BT_CONNECTED;
-                l2cap_pi(sk)->next_tx_seq = 0;
-                l2cap_pi(sk)->expected_tx_seq = 0;
-                __skb_queue_head_init(TX_QUEUE(sk));
-                if (l2cap_pi(sk)->mode == L2CAP_MODE_ERTM)
-                        l2cap_ertm_init(sk);
-                l2cap_chan_ready(sk);
-                goto unlock;
-        }
-        if (!(l2cap_pi(sk)->conf_state & L2CAP_CONF_REQ_SENT)) {
-                u8 buf[64];
-                l2cap_pi(sk)->conf_state |= L2CAP_CONF_REQ_SENT;
-                l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
-                                        l2cap_build_conf_req(sk, buf), buf);
-                l2cap_pi(sk)->num_conf_req++;
-        }
-unlock:
-        bh_unlock_sock(sk);
-        return 0;
-}
-static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
-{
-        struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
-        u16 scid, flags, result;
-        struct sock *sk;
-        int len = cmd->len - sizeof(*rsp);
-        scid   = __le16_to_cpu(rsp->scid);
-        flags  = __le16_to_cpu(rsp->flags);
-        result = __le16_to_cpu(rsp->result);
-        BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
-                        scid, flags, result);
-        sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
-        if (!sk)
-                return 0;
-        switch (result) {
-        case L2CAP_CONF_SUCCESS:
-                l2cap_conf_rfc_get(sk, rsp->data, len);
-                break;
-        case L2CAP_CONF_UNACCEPT:
-                if (l2cap_pi(sk)->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
-                        char req[64];
-                        if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
-                                l2cap_send_disconn_req(conn, sk, ECONNRESET);
-                                goto done;
-                        }
-                        /* throw out any old stored conf requests */
-                        result = L2CAP_CONF_SUCCESS;
-                        len = l2cap_parse_conf_rsp(sk, rsp->data,
-                                                        len, req, &result);
-                        if (len < 0) {
-                                l2cap_send_disconn_req(conn, sk, ECONNRESET);
-                                goto done;
-                        }
-                        l2cap_send_cmd(conn, l2cap_get_ident(conn),
-                                                L2CAP_CONF_REQ, len, req);
-                        l2cap_pi(sk)->num_conf_req++;
-                        if (result != L2CAP_CONF_SUCCESS)
-                                goto done;
-                        break;
-                }
-        default:
-                sk->sk_err = ECONNRESET;
-                l2cap_sock_set_timer(sk, HZ * 5);
-                l2cap_send_disconn_req(conn, sk, ECONNRESET);
-                goto done;
-        }
-        if (flags & 0x01)
-                goto done;
-        l2cap_pi(sk)->conf_state |= L2CAP_CONF_INPUT_DONE;
-        if (l2cap_pi(sk)->conf_state & L2CAP_CONF_OUTPUT_DONE) {
-                set_default_fcs(l2cap_pi(sk));
-                sk->sk_state = BT_CONNECTED;
-                l2cap_pi(sk)->next_tx_seq = 0;
-                l2cap_pi(sk)->expected_tx_seq = 0;
-                __skb_queue_head_init(TX_QUEUE(sk));
-                if (l2cap_pi(sk)->mode ==  L2CAP_MODE_ERTM)
-                        l2cap_ertm_init(sk);
-                l2cap_chan_ready(sk);
-        }
-done:
-        bh_unlock_sock(sk);
-        return 0;
-}
-static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
-{
-        struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
-        struct l2cap_disconn_rsp rsp;
-        u16 dcid, scid;
-        struct sock *sk;
-        scid = __le16_to_cpu(req->scid);
-        dcid = __le16_to_cpu(req->dcid);
-        BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
-        sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid);
-        if (!sk)
-                return 0;
-        rsp.dcid = cpu_to_le16(l2cap_pi(sk)->scid);
-        rsp.scid = cpu_to_le16(l2cap_pi(sk)->dcid);
-        l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
-        sk->sk_shutdown = SHUTDOWN_MASK;
-        /* don't delete l2cap channel if sk is owned by user */
-        if (sock_owned_by_user(sk)) {
-                sk->sk_state = BT_DISCONN;
-                l2cap_sock_clear_timer(sk);
-                l2cap_sock_set_timer(sk, HZ / 5);
-                bh_unlock_sock(sk);
-                return 0;
-        }
-        l2cap_chan_del(sk, ECONNRESET);
-        bh_unlock_sock(sk);
-        l2cap_sock_kill(sk);
-        return 0;
-}
-static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
-{
-        struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
-        u16 dcid, scid;
-        struct sock *sk;
-        scid = __le16_to_cpu(rsp->scid);
-        dcid = __le16_to_cpu(rsp->dcid);
-        BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
-        sk = l2cap_get_chan_by_scid(&conn->chan_list, scid);
-        if (!sk)
-                return 0;
-        /* don't delete l2cap channel if sk is owned by user */
-        if (sock_owned_by_user(sk)) {
-                sk->sk_state = BT_DISCONN;
-                l2cap_sock_clear_timer(sk);
-                l2cap_sock_set_timer(sk, HZ / 5);
-                bh_unlock_sock(sk);
-                return 0;
-        }
-        l2cap_chan_del(sk, 0);
-        bh_unlock_sock(sk);
-        l2cap_sock_kill(sk);
-        return 0;
-}
-static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
-{
-        struct l2cap_info_req *req = (struct l2cap_info_req *) data;
-        u16 type;
-        type = __le16_to_cpu(req->type);
-        BT_DBG("type 0x%4.4x", type);
-        if (type == L2CAP_IT_FEAT_MASK) {
-                u8 buf[8];
-                u32 feat_mask = l2cap_feat_mask;
-                struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
-                rsp->type   = cpu_to_le16(L2CAP_IT_FEAT_MASK);
-                rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
-                if (!disable_ertm)
-                        feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
-                                                         | L2CAP_FEAT_FCS;
-                put_unaligned_le32(feat_mask, rsp->data);
-                l2cap_send_cmd(conn, cmd->ident,
-                                        L2CAP_INFO_RSP, sizeof(buf), buf);
-        } else if (type == L2CAP_IT_FIXED_CHAN) {
-                u8 buf[12];
-                struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
-                rsp->type   = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
-                rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
-                memcpy(buf + 4, l2cap_fixed_chan, 8);
-                l2cap_send_cmd(conn, cmd->ident,
-                                        L2CAP_INFO_RSP, sizeof(buf), buf);
-        } else {
-                struct l2cap_info_rsp rsp;
-                rsp.type   = cpu_to_le16(type);
-                rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
-                l2cap_send_cmd(conn, cmd->ident,
-                                        L2CAP_INFO_RSP, sizeof(rsp), &rsp);
-        }
-        return 0;
-}
-static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
-{
-        struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
-        u16 type, result;
-        type   = __le16_to_cpu(rsp->type);
-        result = __le16_to_cpu(rsp->result);
-        BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
-        del_timer(&conn->info_timer);
-        if (result != L2CAP_IR_SUCCESS) {
-                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
-                conn->info_ident = 0;
-                l2cap_conn_start(conn);
-                return 0;
-        }
-        if (type == L2CAP_IT_FEAT_MASK) {
-                conn->feat_mask = get_unaligned_le32(rsp->data);
-                if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
-                        struct l2cap_info_req req;
-                        req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
-                        conn->info_ident = l2cap_get_ident(conn);
-                        l2cap_send_cmd(conn, conn->info_ident,
-                                        L2CAP_INFO_REQ, sizeof(req), &req);
-                } else {
-                        conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
-                        conn->info_ident = 0;
-                        l2cap_conn_start(conn);
-                }
-        } else if (type == L2CAP_IT_FIXED_CHAN) {
-                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
-                conn->info_ident = 0;
-                l2cap_conn_start(conn);
-        }
-        return 0;
-}
-static inline void l2cap_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
-{
-        u8 *data = skb->data;
-        int len = skb->len;
-        struct l2cap_cmd_hdr cmd;
-        int err = 0;
-        l2cap_raw_recv(conn, skb);
-        while (len >= L2CAP_CMD_HDR_SIZE) {
-                u16 cmd_len;
-                memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
-                data += L2CAP_CMD_HDR_SIZE;
-                len  -= L2CAP_CMD_HDR_SIZE;
-                cmd_len = le16_to_cpu(cmd.len);
-                BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
-                if (cmd_len > len || !cmd.ident) {
-                        BT_DBG("corrupted command");
-                        break;
-                }
-                switch (cmd.code) {
-                case L2CAP_COMMAND_REJ:
-                        l2cap_command_rej(conn, &cmd, data);
-                        break;
-                case L2CAP_CONN_REQ:
-                        err = l2cap_connect_req(conn, &cmd, data);
-                        break;
-                case L2CAP_CONN_RSP:
-                        err = l2cap_connect_rsp(conn, &cmd, data);
-                        break;
-                case L2CAP_CONF_REQ:
-                        err = l2cap_config_req(conn, &cmd, cmd_len, data);
-                        break;
-                case L2CAP_CONF_RSP:
-                        err = l2cap_config_rsp(conn, &cmd, data);
-                        break;
-                case L2CAP_DISCONN_REQ:
-                        err = l2cap_disconnect_req(conn, &cmd, data);
-                        break;
-                case L2CAP_DISCONN_RSP:
-                        err = l2cap_disconnect_rsp(conn, &cmd, data);
-                        break;
-                case L2CAP_ECHO_REQ:
-                        l2cap_send_cmd(conn, cmd.ident, L2CAP_ECHO_RSP, cmd_len, data);
-                        break;
-                case L2CAP_ECHO_RSP:
-                        break;
-                case L2CAP_INFO_REQ:
-                        err = l2cap_information_req(conn, &cmd, data);
-                        break;
-                case L2CAP_INFO_RSP:
-                        err = l2cap_information_rsp(conn, &cmd, data);
-                        break;
-                default:
-                        BT_ERR("Unknown signaling command 0x%2.2x", cmd.code);
-                        err = -EINVAL;
-                        break;
-                }
-                if (err) {
-                        struct l2cap_cmd_rej rej;
-                        BT_DBG("error %d", err);
-                        /* FIXME: Map err to a valid reason */
-                        rej.reason = cpu_to_le16(0);
-                        l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
-                }
-                data += cmd_len;
-                len  -= cmd_len;
-        }
-        kfree_skb(skb);
-}
-static int l2cap_check_fcs(struct l2cap_pinfo *pi,  struct sk_buff *skb)
-{
-        u16 our_fcs, rcv_fcs;
-        int hdr_size = L2CAP_HDR_SIZE + 2;
-        if (pi->fcs == L2CAP_FCS_CRC16) {
-                skb_trim(skb, skb->len - 2);
-                rcv_fcs = get_unaligned_le16(skb->data + skb->len);
-                our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
-                if (our_fcs != rcv_fcs)
-                        return -EBADMSG;
-        }
-        return 0;
-}
-static inline void l2cap_send_i_or_rr_or_rnr(struct sock *sk)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        u16 control = 0;
-        pi->frames_sent = 0;
-        control |= pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-        if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
-                control |= L2CAP_SUPER_RCV_NOT_READY;
-                l2cap_send_sframe(pi, control);
-                pi->conn_state |= L2CAP_CONN_RNR_SENT;
-        }
-        if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY)
-                l2cap_retransmit_frames(sk);
-        l2cap_ertm_send(sk);
-        if (!(pi->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
-                        pi->frames_sent == 0) {
-                control |= L2CAP_SUPER_RCV_READY;
-                l2cap_send_sframe(pi, control);
-        }
-}
-static int l2cap_add_to_srej_queue(struct sock *sk, struct sk_buff *skb, u8 tx_seq, u8 sar)
-{
-        struct sk_buff *next_skb;
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        int tx_seq_offset, next_tx_seq_offset;
-        bt_cb(skb)->tx_seq = tx_seq;
-        bt_cb(skb)->sar = sar;
-        next_skb = skb_peek(SREJ_QUEUE(sk));
-        if (!next_skb) {
-                __skb_queue_tail(SREJ_QUEUE(sk), skb);
-                return 0;
-        }
-        tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
-        if (tx_seq_offset < 0)
-                tx_seq_offset += 64;
-        do {
-                if (bt_cb(next_skb)->tx_seq == tx_seq)
-                        return -EINVAL;
-                next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
-                                                pi->buffer_seq) % 64;
-                if (next_tx_seq_offset < 0)
-                        next_tx_seq_offset += 64;
-                if (next_tx_seq_offset > tx_seq_offset) {
-                        __skb_queue_before(SREJ_QUEUE(sk), next_skb, skb);
-                        return 0;
-                }
-                if (skb_queue_is_last(SREJ_QUEUE(sk), next_skb))
-                        break;
-        } while ((next_skb = skb_queue_next(SREJ_QUEUE(sk), next_skb)));
-        __skb_queue_tail(SREJ_QUEUE(sk), skb);
-        return 0;
-}
-static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        struct sk_buff *_skb;
-        int err;
-        switch (control & L2CAP_CTRL_SAR) {
-        case L2CAP_SDU_UNSEGMENTED:
-                if (pi->conn_state & L2CAP_CONN_SAR_SDU)
-                        goto drop;
-                err = sock_queue_rcv_skb(sk, skb);
-                if (!err)
-                        return err;
-                break;
-        case L2CAP_SDU_START:
-                if (pi->conn_state & L2CAP_CONN_SAR_SDU)
-                        goto drop;
-                pi->sdu_len = get_unaligned_le16(skb->data);
-                if (pi->sdu_len > pi->imtu)
-                        goto disconnect;
-                pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
-                if (!pi->sdu)
-                        return -ENOMEM;
-                /* pull sdu_len bytes only after alloc, because of Local Busy
-                 * condition we have to be sure that this will be executed
-                 * only once, i.e., when alloc does not fail */
-                skb_pull(skb, 2);
-                memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
-                pi->conn_state |= L2CAP_CONN_SAR_SDU;
-                pi->partial_sdu_len = skb->len;
-                break;
-        case L2CAP_SDU_CONTINUE:
-                if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
-                        goto disconnect;
-                if (!pi->sdu)
-                        goto disconnect;
-                pi->partial_sdu_len += skb->len;
-                if (pi->partial_sdu_len > pi->sdu_len)
-                        goto drop;
-                memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
-                break;
-        case L2CAP_SDU_END:
-                if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
-                        goto disconnect;
-                if (!pi->sdu)
-                        goto disconnect;
-                if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
-                        pi->partial_sdu_len += skb->len;
-                        if (pi->partial_sdu_len > pi->imtu)
-                                goto drop;
-                        if (pi->partial_sdu_len != pi->sdu_len)
-                                goto drop;
-                        memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
-                }
-                _skb = skb_clone(pi->sdu, GFP_ATOMIC);
-                if (!_skb) {
-                        pi->conn_state |= L2CAP_CONN_SAR_RETRY;
-                        return -ENOMEM;
-                }
-                err = sock_queue_rcv_skb(sk, _skb);
-                if (err < 0) {
-                        kfree_skb(_skb);
-                        pi->conn_state |= L2CAP_CONN_SAR_RETRY;
-                        return err;
-                }
-                pi->conn_state &= ~L2CAP_CONN_SAR_RETRY;
-                pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
-                kfree_skb(pi->sdu);
-                break;
-        }
-        kfree_skb(skb);
-        return 0;
-drop:
-        kfree_skb(pi->sdu);
-        pi->sdu = NULL;
-disconnect:
-        l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
-        kfree_skb(skb);
-        return 0;
-}
-static int l2cap_try_push_rx_skb(struct sock *sk)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        struct sk_buff *skb;
-        u16 control;
-        int err;
-        while ((skb = skb_dequeue(BUSY_QUEUE(sk)))) {
-                control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
-                err = l2cap_ertm_reassembly_sdu(sk, skb, control);
-                if (err < 0) {
-                        skb_queue_head(BUSY_QUEUE(sk), skb);
-                        return -EBUSY;
-                }
-                pi->buffer_seq = (pi->buffer_seq + 1) % 64;
-        }
-        if (!(pi->conn_state & L2CAP_CONN_RNR_SENT))
-                goto done;
-        control = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-        control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
-        l2cap_send_sframe(pi, control);
-        l2cap_pi(sk)->retry_count = 1;
-        del_timer(&pi->retrans_timer);
-        __mod_monitor_timer();
-        l2cap_pi(sk)->conn_state |= L2CAP_CONN_WAIT_F;
-done:
-        pi->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
-        pi->conn_state &= ~L2CAP_CONN_RNR_SENT;
-        BT_DBG("sk %p, Exit local busy", sk);
-        return 0;
-}
-static void l2cap_busy_work(struct work_struct *work)
-{
-        DECLARE_WAITQUEUE(wait, current);
-        struct l2cap_pinfo *pi =
-                container_of(work, struct l2cap_pinfo, busy_work);
-        struct sock *sk = (struct sock *)pi;
-        int n_tries = 0, timeo = HZ/5, err;
-        struct sk_buff *skb;
-        lock_sock(sk);
-        add_wait_queue(sk_sleep(sk), &wait);
-        while ((skb = skb_peek(BUSY_QUEUE(sk)))) {
-                set_current_state(TASK_INTERRUPTIBLE);
-                if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
-                        err = -EBUSY;
-                        l2cap_send_disconn_req(pi->conn, sk, EBUSY);
-                        break;
-                }
-                if (!timeo)
-                        timeo = HZ/5;
-                if (signal_pending(current)) {
-                        err = sock_intr_errno(timeo);
-                        break;
-                }
-                release_sock(sk);
-                timeo = schedule_timeout(timeo);
-                lock_sock(sk);
-                err = sock_error(sk);
-                if (err)
-                        break;
-                if (l2cap_try_push_rx_skb(sk) == 0)
-                        break;
-        }
-        set_current_state(TASK_RUNNING);
-        remove_wait_queue(sk_sleep(sk), &wait);
-        release_sock(sk);
-}
-static int l2cap_push_rx_skb(struct sock *sk, struct sk_buff *skb, u16 control)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        int sctrl, err;
-        if (pi->conn_state & L2CAP_CONN_LOCAL_BUSY) {
-                bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
-                __skb_queue_tail(BUSY_QUEUE(sk), skb);
-                return l2cap_try_push_rx_skb(sk);
-        }
-        err = l2cap_ertm_reassembly_sdu(sk, skb, control);
-        if (err >= 0) {
-                pi->buffer_seq = (pi->buffer_seq + 1) % 64;
-                return err;
-        }
-        /* Busy Condition */
-        BT_DBG("sk %p, Enter local busy", sk);
-        pi->conn_state |= L2CAP_CONN_LOCAL_BUSY;
-        bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
-        __skb_queue_tail(BUSY_QUEUE(sk), skb);
-        sctrl = pi->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-        sctrl |= L2CAP_SUPER_RCV_NOT_READY;
-        l2cap_send_sframe(pi, sctrl);
-        pi->conn_state |= L2CAP_CONN_RNR_SENT;
-        del_timer(&pi->ack_timer);
-        queue_work(_busy_wq, &pi->busy_work);
-        return err;
-}
-static int l2cap_streaming_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 control)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        struct sk_buff *_skb;
-        int err = -EINVAL;
-        /*
-         * TODO: We have to notify the userland if some data is lost with the
-         * Streaming Mode.
-         */
-        switch (control & L2CAP_CTRL_SAR) {
-        case L2CAP_SDU_UNSEGMENTED:
-                if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
-                        kfree_skb(pi->sdu);
-                        break;
-                }
-                err = sock_queue_rcv_skb(sk, skb);
-                if (!err)
-                        return 0;
-                break;
-        case L2CAP_SDU_START:
-                if (pi->conn_state & L2CAP_CONN_SAR_SDU) {
-                        kfree_skb(pi->sdu);
-                        break;
-                }
-                pi->sdu_len = get_unaligned_le16(skb->data);
-                skb_pull(skb, 2);
-                if (pi->sdu_len > pi->imtu) {
-                        err = -EMSGSIZE;
-                        break;
-                }
-                pi->sdu = bt_skb_alloc(pi->sdu_len, GFP_ATOMIC);
-                if (!pi->sdu) {
-                        err = -ENOMEM;
-                        break;
-                }
-                memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
-                pi->conn_state |= L2CAP_CONN_SAR_SDU;
-                pi->partial_sdu_len = skb->len;
-                err = 0;
-                break;
-        case L2CAP_SDU_CONTINUE:
-                if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
-                        break;
-                memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
-                pi->partial_sdu_len += skb->len;
-                if (pi->partial_sdu_len > pi->sdu_len)
-                        kfree_skb(pi->sdu);
-                else
-                        err = 0;
-                break;
-        case L2CAP_SDU_END:
-                if (!(pi->conn_state & L2CAP_CONN_SAR_SDU))
-                        break;
-                memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
-                pi->conn_state &= ~L2CAP_CONN_SAR_SDU;
-                pi->partial_sdu_len += skb->len;
-                if (pi->partial_sdu_len > pi->imtu)
-                        goto drop;
-                if (pi->partial_sdu_len == pi->sdu_len) {
-                        _skb = skb_clone(pi->sdu, GFP_ATOMIC);
-                        err = sock_queue_rcv_skb(sk, _skb);
-                        if (err < 0)
-                                kfree_skb(_skb);
-                }
-                err = 0;
-drop:
-                kfree_skb(pi->sdu);
-                break;
-        }
-        kfree_skb(skb);
-        return err;
-}
-static void l2cap_check_srej_gap(struct sock *sk, u8 tx_seq)
-{
-        struct sk_buff *skb;
-        u16 control;
-        while ((skb = skb_peek(SREJ_QUEUE(sk)))) {
-                if (bt_cb(skb)->tx_seq != tx_seq)
-                        break;
-                skb = skb_dequeue(SREJ_QUEUE(sk));
-                control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
-                l2cap_ertm_reassembly_sdu(sk, skb, control);
-                l2cap_pi(sk)->buffer_seq_srej =
-                        (l2cap_pi(sk)->buffer_seq_srej + 1) % 64;
-                tx_seq = (tx_seq + 1) % 64;
-        }
-}
-static void l2cap_resend_srejframe(struct sock *sk, u8 tx_seq)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        struct srej_list *l, *tmp;
-        u16 control;
-        list_for_each_entry_safe(l, tmp, SREJ_LIST(sk), list) {
-                if (l->tx_seq == tx_seq) {
-                        list_del(&l->list);
-                        kfree(l);
-                        return;
-                }
-                control = L2CAP_SUPER_SELECT_REJECT;
-                control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-                l2cap_send_sframe(pi, control);
-                list_del(&l->list);
-                list_add_tail(&l->list, SREJ_LIST(sk));
-        }
-}
-static void l2cap_send_srejframe(struct sock *sk, u8 tx_seq)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        struct srej_list *new;
-        u16 control;
-        while (tx_seq != pi->expected_tx_seq) {
-                control = L2CAP_SUPER_SELECT_REJECT;
-                control |= pi->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
-                l2cap_send_sframe(pi, control);
-                new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
-                new->tx_seq = pi->expected_tx_seq;
-                pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
-                list_add_tail(&new->list, SREJ_LIST(sk));
-        }
-        pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
-}
-static inline int l2cap_data_channel_iframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        u8 tx_seq = __get_txseq(rx_control);
-        u8 req_seq = __get_reqseq(rx_control);
-        u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
-        int tx_seq_offset, expected_tx_seq_offset;
-        int num_to_ack = (pi->tx_win/6) + 1;
-        int err = 0;
-        BT_DBG("sk %p len %d tx_seq %d rx_control 0x%4.4x", sk, skb->len, tx_seq,
-                                                                rx_control);
-        if (L2CAP_CTRL_FINAL & rx_control &&
-                        l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
-                del_timer(&pi->monitor_timer);
-                if (pi->unacked_frames > 0)
-                        __mod_retrans_timer();
-                pi->conn_state &= ~L2CAP_CONN_WAIT_F;
-        }
-        pi->expected_ack_seq = req_seq;
-        l2cap_drop_acked_frames(sk);
-        if (tx_seq == pi->expected_tx_seq)
-                goto expected;
-        tx_seq_offset = (tx_seq - pi->buffer_seq) % 64;
-        if (tx_seq_offset < 0)
-                tx_seq_offset += 64;
-        /* invalid tx_seq */
-        if (tx_seq_offset >= pi->tx_win) {
-                l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
-                goto drop;
-        }
-        if (pi->conn_state == L2CAP_CONN_LOCAL_BUSY)
-                goto drop;
-        if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
-                struct srej_list *first;
-                first = list_first_entry(SREJ_LIST(sk),
-                                struct srej_list, list);
-                if (tx_seq == first->tx_seq) {
-                        l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
-                        l2cap_check_srej_gap(sk, tx_seq);
-                        list_del(&first->list);
-                        kfree(first);
-                        if (list_empty(SREJ_LIST(sk))) {
-                                pi->buffer_seq = pi->buffer_seq_srej;
-                                pi->conn_state &= ~L2CAP_CONN_SREJ_SENT;
-                                l2cap_send_ack(pi);
-                                BT_DBG("sk %p, Exit SREJ_SENT", sk);
-                        }
-                } else {
-                        struct srej_list *l;
-                        /* duplicated tx_seq */
-                        if (l2cap_add_to_srej_queue(sk, skb, tx_seq, sar) < 0)
-                                goto drop;
-                        list_for_each_entry(l, SREJ_LIST(sk), list) {
-                                if (l->tx_seq == tx_seq) {
-                                        l2cap_resend_srejframe(sk, tx_seq);
-                                        return 0;
-                                }
-                        }
-                        l2cap_send_srejframe(sk, tx_seq);
-                }
-        } else {
-                expected_tx_seq_offset =
-                        (pi->expected_tx_seq - pi->buffer_seq) % 64;
-                if (expected_tx_seq_offset < 0)
-                        expected_tx_seq_offset += 64;
-                /* duplicated tx_seq */
-                if (tx_seq_offset < expected_tx_seq_offset)
-                        goto drop;
-                pi->conn_state |= L2CAP_CONN_SREJ_SENT;
-                BT_DBG("sk %p, Enter SREJ", sk);
-                INIT_LIST_HEAD(SREJ_LIST(sk));
-                pi->buffer_seq_srej = pi->buffer_seq;
-                __skb_queue_head_init(SREJ_QUEUE(sk));
-                __skb_queue_head_init(BUSY_QUEUE(sk));
-                l2cap_add_to_srej_queue(sk, skb, tx_seq, sar);
-                pi->conn_state |= L2CAP_CONN_SEND_PBIT;
-                l2cap_send_srejframe(sk, tx_seq);
-                del_timer(&pi->ack_timer);
-        }
-        return 0;
-expected:
-        pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
-        if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
-                bt_cb(skb)->tx_seq = tx_seq;
-                bt_cb(skb)->sar = sar;
-                __skb_queue_tail(SREJ_QUEUE(sk), skb);
-                return 0;
-        }
-        err = l2cap_push_rx_skb(sk, skb, rx_control);
-        if (err < 0)
-                return 0;
-        if (rx_control & L2CAP_CTRL_FINAL) {
-                if (pi->conn_state & L2CAP_CONN_REJ_ACT)
-                        pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
-                else
-                        l2cap_retransmit_frames(sk);
-        }
-        __mod_ack_timer();
-        pi->num_acked = (pi->num_acked + 1) % num_to_ack;
-        if (pi->num_acked == num_to_ack - 1)
-                l2cap_send_ack(pi);
-        return 0;
-drop:
-        kfree_skb(skb);
-        return 0;
-}
-static inline void l2cap_data_channel_rrframe(struct sock *sk, u16 rx_control)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, __get_reqseq(rx_control),
-                                                rx_control);
-        pi->expected_ack_seq = __get_reqseq(rx_control);
-        l2cap_drop_acked_frames(sk);
-        if (rx_control & L2CAP_CTRL_POLL) {
-                pi->conn_state |= L2CAP_CONN_SEND_FBIT;
-                if (pi->conn_state & L2CAP_CONN_SREJ_SENT) {
-                        if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
-                                        (pi->unacked_frames > 0))
-                                __mod_retrans_timer();
-                        pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
-                        l2cap_send_srejtail(sk);
-                } else {
-                        l2cap_send_i_or_rr_or_rnr(sk);
-                }
-        } else if (rx_control & L2CAP_CTRL_FINAL) {
-                pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
-                if (pi->conn_state & L2CAP_CONN_REJ_ACT)
-                        pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
-                else
-                        l2cap_retransmit_frames(sk);
-        } else {
-                if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
-                                (pi->unacked_frames > 0))
-                        __mod_retrans_timer();
-                pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
-                if (pi->conn_state & L2CAP_CONN_SREJ_SENT)
-                        l2cap_send_ack(pi);
-                else
-                        l2cap_ertm_send(sk);
-        }
-}
-static inline void l2cap_data_channel_rejframe(struct sock *sk, u16 rx_control)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        u8 tx_seq = __get_reqseq(rx_control);
-        BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
-        pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
-        pi->expected_ack_seq = tx_seq;
-        l2cap_drop_acked_frames(sk);
-        if (rx_control & L2CAP_CTRL_FINAL) {
-                if (pi->conn_state & L2CAP_CONN_REJ_ACT)
-                        pi->conn_state &= ~L2CAP_CONN_REJ_ACT;
-                else
-                        l2cap_retransmit_frames(sk);
-        } else {
-                l2cap_retransmit_frames(sk);
-                if (pi->conn_state & L2CAP_CONN_WAIT_F)
-                        pi->conn_state |= L2CAP_CONN_REJ_ACT;
-        }
-}
-static inline void l2cap_data_channel_srejframe(struct sock *sk, u16 rx_control)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        u8 tx_seq = __get_reqseq(rx_control);
-        BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
-        pi->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
-        if (rx_control & L2CAP_CTRL_POLL) {
-                pi->expected_ack_seq = tx_seq;
-                l2cap_drop_acked_frames(sk);
-                pi->conn_state |= L2CAP_CONN_SEND_FBIT;
-                l2cap_retransmit_one_frame(sk, tx_seq);
-                l2cap_ertm_send(sk);
-                if (pi->conn_state & L2CAP_CONN_WAIT_F) {
-                        pi->srej_save_reqseq = tx_seq;
-                        pi->conn_state |= L2CAP_CONN_SREJ_ACT;
-                }
-        } else if (rx_control & L2CAP_CTRL_FINAL) {
-                if ((pi->conn_state & L2CAP_CONN_SREJ_ACT) &&
-                                pi->srej_save_reqseq == tx_seq)
-                        pi->conn_state &= ~L2CAP_CONN_SREJ_ACT;
-                else
-                        l2cap_retransmit_one_frame(sk, tx_seq);
-        } else {
-                l2cap_retransmit_one_frame(sk, tx_seq);
-                if (pi->conn_state & L2CAP_CONN_WAIT_F) {
-                        pi->srej_save_reqseq = tx_seq;
-                        pi->conn_state |= L2CAP_CONN_SREJ_ACT;
-                }
-        }
-}
-static inline void l2cap_data_channel_rnrframe(struct sock *sk, u16 rx_control)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        u8 tx_seq = __get_reqseq(rx_control);
-        BT_DBG("sk %p, req_seq %d ctrl 0x%4.4x", sk, tx_seq, rx_control);
-        pi->conn_state |= L2CAP_CONN_REMOTE_BUSY;
-        pi->expected_ack_seq = tx_seq;
-        l2cap_drop_acked_frames(sk);
-        if (rx_control & L2CAP_CTRL_POLL)
-                pi->conn_state |= L2CAP_CONN_SEND_FBIT;
-        if (!(pi->conn_state & L2CAP_CONN_SREJ_SENT)) {
-                del_timer(&pi->retrans_timer);
-                if (rx_control & L2CAP_CTRL_POLL)
-                        l2cap_send_rr_or_rnr(pi, L2CAP_CTRL_FINAL);
-                return;
-        }
-        if (rx_control & L2CAP_CTRL_POLL)
-                l2cap_send_srejtail(sk);
-        else
-                l2cap_send_sframe(pi, L2CAP_SUPER_RCV_READY);
-}
-static inline int l2cap_data_channel_sframe(struct sock *sk, u16 rx_control, struct sk_buff *skb)
-{
-        BT_DBG("sk %p rx_control 0x%4.4x len %d", sk, rx_control, skb->len);
-        if (L2CAP_CTRL_FINAL & rx_control &&
-                        l2cap_pi(sk)->conn_state & L2CAP_CONN_WAIT_F) {
-                del_timer(&l2cap_pi(sk)->monitor_timer);
-                if (l2cap_pi(sk)->unacked_frames > 0)
-                        __mod_retrans_timer();
-                l2cap_pi(sk)->conn_state &= ~L2CAP_CONN_WAIT_F;
-        }
-        switch (rx_control & L2CAP_CTRL_SUPERVISE) {
-        case L2CAP_SUPER_RCV_READY:
-                l2cap_data_channel_rrframe(sk, rx_control);
-                break;
-        case L2CAP_SUPER_REJECT:
-                l2cap_data_channel_rejframe(sk, rx_control);
-                break;
-        case L2CAP_SUPER_SELECT_REJECT:
-                l2cap_data_channel_srejframe(sk, rx_control);
-                break;
-        case L2CAP_SUPER_RCV_NOT_READY:
-                l2cap_data_channel_rnrframe(sk, rx_control);
-                break;
-        }
-        kfree_skb(skb);
-        return 0;
-}
-static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
-{
-        struct l2cap_pinfo *pi = l2cap_pi(sk);
-        u16 control;
-        u8 req_seq;
-        int len, next_tx_seq_offset, req_seq_offset;
-        control = get_unaligned_le16(skb->data);
-        skb_pull(skb, 2);
-        len = skb->len;
-        /*
-         * We can just drop the corrupted I-frame here.
-         * Receiver will miss it and start proper recovery
-         * procedures and ask retransmission.
-         */
-        if (l2cap_check_fcs(pi, skb))
-                goto drop;
-        if (__is_sar_start(control) && __is_iframe(control))
-                len -= 2;
-        if (pi->fcs == L2CAP_FCS_CRC16)
-                len -= 2;
-        if (len > pi->mps) {
-                l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
-                goto drop;
-        }
-        req_seq = __get_reqseq(control);
-        req_seq_offset = (req_seq - pi->expected_ack_seq) % 64;
-        if (req_seq_offset < 0)
-                req_seq_offset += 64;
-        next_tx_seq_offset =
-                (pi->next_tx_seq - pi->expected_ack_seq) % 64;
-        if (next_tx_seq_offset < 0)
-                next_tx_seq_offset += 64;
-        /* check for invalid req-seq */
-        if (req_seq_offset > next_tx_seq_offset) {
-                l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
-                goto drop;
-        }
-        if (__is_iframe(control)) {
-                if (len < 0) {
-                        l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
-                        goto drop;
-                }
-                l2cap_data_channel_iframe(sk, control, skb);
-        } else {
-                if (len != 0) {
-                        BT_ERR("%d", len);
-                        l2cap_send_disconn_req(pi->conn, sk, ECONNRESET);
-                        goto drop;
-                }
-                l2cap_data_channel_sframe(sk, control, skb);
-        }
-        return 0;
-drop:
-        kfree_skb(skb);
-        return 0;
-}
-static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
-{
-        struct sock *sk;
-        struct l2cap_pinfo *pi;
-        u16 control;
-        u8 tx_seq;
-        int len;
-        sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
-        if (!sk) {
-                BT_DBG("unknown cid 0x%4.4x", cid);
-                goto drop;
-        }
-        pi = l2cap_pi(sk);
-        BT_DBG("sk %p, len %d", sk, skb->len);
-        if (sk->sk_state != BT_CONNECTED)
-                goto drop;
-        switch (pi->mode) {
-        case L2CAP_MODE_BASIC:
-                /* If socket recv buffers overflows we drop data here
-                 * which is *bad* because L2CAP has to be reliable.
-                 * But we don't have any other choice. L2CAP doesn't
-                 * provide flow control mechanism. */
-                if (pi->imtu < skb->len)
-                        goto drop;
-                if (!sock_queue_rcv_skb(sk, skb))
-                        goto done;
-                break;
-        case L2CAP_MODE_ERTM:
-                if (!sock_owned_by_user(sk)) {
-                        l2cap_ertm_data_rcv(sk, skb);
-                } else {
-                        if (sk_add_backlog(sk, skb))
-                                goto drop;
-                }
-                goto done;
-        case L2CAP_MODE_STREAMING:
-                control = get_unaligned_le16(skb->data);
-                skb_pull(skb, 2);
-                len = skb->len;
-                if (l2cap_check_fcs(pi, skb))
-                        goto drop;
-                if (__is_sar_start(control))
-                        len -= 2;
-                if (pi->fcs == L2CAP_FCS_CRC16)
-                        len -= 2;
-                if (len > pi->mps || len < 0 || __is_sframe(control))
-                        goto drop;
-                tx_seq = __get_txseq(control);
-                if (pi->expected_tx_seq == tx_seq)
-                        pi->expected_tx_seq = (pi->expected_tx_seq + 1) % 64;
-                else
-                        pi->expected_tx_seq = (tx_seq + 1) % 64;
-                l2cap_streaming_reassembly_sdu(sk, skb, control);
-                goto done;
-        default:
-                BT_DBG("sk %p: bad mode 0x%2.2x", sk, pi->mode);
-                break;
-        }
-drop:
-        kfree_skb(skb);
-done:
-        if (sk)
-                bh_unlock_sock(sk);
-        return 0;
-}
-static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
-{
-        struct sock *sk;
-        sk = l2cap_get_sock_by_psm(0, psm, conn->src);
-        if (!sk)
-                goto drop;
-        bh_lock_sock(sk);
-        BT_DBG("sk %p, len %d", sk, skb->len);
-        if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
-                goto drop;
-        if (l2cap_pi(sk)->imtu < skb->len)
-                goto drop;
-        if (!sock_queue_rcv_skb(sk, skb))
-                goto done;
-drop:
-        kfree_skb(skb);
-done:
-        if (sk)
-                bh_unlock_sock(sk);
-        return 0;
-}
-static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
-{
-        struct l2cap_hdr *lh = (void *) skb->data;
-        u16 cid, len;
-        __le16 psm;
-        skb_pull(skb, L2CAP_HDR_SIZE);
-        cid = __le16_to_cpu(lh->cid);
-        len = __le16_to_cpu(lh->len);
-        if (len != skb->len) {
-                kfree_skb(skb);
-                return;
-        }
-        BT_DBG("len %d, cid 0x%4.4x", len, cid);
-        switch (cid) {
-        case L2CAP_CID_SIGNALING:
-                l2cap_sig_channel(conn, skb);
-                break;
-        case L2CAP_CID_CONN_LESS:
-                psm = get_unaligned_le16(skb->data);
-                skb_pull(skb, 2);
-                l2cap_conless_channel(conn, psm, skb);
-                break;
-        default:
-                l2cap_data_channel(conn, cid, skb);
-                break;
-        }
-}
-/* ---- L2CAP interface with lower layer (HCI) ---- */
-static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
-{
-        int exact = 0, lm1 = 0, lm2 = 0;
-        register struct sock *sk;
-        struct hlist_node *node;
-        if (type != ACL_LINK)
-                return -EINVAL;
-        BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
-        /* Find listening sockets and check their link_mode */
-        read_lock(&l2cap_sk_list.lock);
-        sk_for_each(sk, node, &l2cap_sk_list.head) {
-                if (sk->sk_state != BT_LISTEN)
-                        continue;
-                if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
-                        lm1 |= HCI_LM_ACCEPT;
-                        if (l2cap_pi(sk)->role_switch)
-                                lm1 |= HCI_LM_MASTER;
-                        exact++;
-                } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
-                        lm2 |= HCI_LM_ACCEPT;
-                        if (l2cap_pi(sk)->role_switch)
-                                lm2 |= HCI_LM_MASTER;
-                }
-        }
-        read_unlock(&l2cap_sk_list.lock);
-        return exact ? lm1 : lm2;
-}
-static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
-{
-        struct l2cap_conn *conn;
-        BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
-        if (hcon->type != ACL_LINK)
-                return -EINVAL;
-        if (!status) {
-                conn = l2cap_conn_add(hcon, status);
-                if (conn)
-                        l2cap_conn_ready(conn);
-        } else
-                l2cap_conn_del(hcon, bt_err(status));
-        return 0;
-}
-static int l2cap_disconn_ind(struct hci_conn *hcon)
-{
-        struct l2cap_conn *conn = hcon->l2cap_data;
-        BT_DBG("hcon %p", hcon);
-        if (hcon->type != ACL_LINK || !conn)
-                return 0x13;
-        return conn->disc_reason;
-}
-static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
-{
-        BT_DBG("hcon %p reason %d", hcon, reason);
-        if (hcon->type != ACL_LINK)
-                return -EINVAL;
-        l2cap_conn_del(hcon, bt_err(reason));
-        return 0;
-}
-static inline void l2cap_check_encryption(struct sock *sk, u8 encrypt)
-{
-        if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
-                return;
-        if (encrypt == 0x00) {
-                if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM) {
-                        l2cap_sock_clear_timer(sk);
-                        l2cap_sock_set_timer(sk, HZ * 5);
-                } else if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
-                        __l2cap_sock_close(sk, ECONNREFUSED);
-        } else {
-                if (l2cap_pi(sk)->sec_level == BT_SECURITY_MEDIUM)
-                        l2cap_sock_clear_timer(sk);
-        }
-}
-static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
-{
-        struct l2cap_chan_list *l;
-        struct l2cap_conn *conn = hcon->l2cap_data;
-        struct sock *sk;
-        if (!conn)
-                return 0;
-        l = &conn->chan_list;
-        BT_DBG("conn %p", conn);
-        read_lock(&l->lock);
-        for (sk = l->head; sk; sk = l2cap_pi(sk)->next_c) {
-                bh_lock_sock(sk);
-                if (l2cap_pi(sk)->conf_state & L2CAP_CONF_CONNECT_PEND) {
-                        bh_unlock_sock(sk);
-                        continue;
-                }
-                if (!status && (sk->sk_state == BT_CONNECTED ||
-                                                sk->sk_state == BT_CONFIG)) {
-                        l2cap_check_encryption(sk, encrypt);
-                        bh_unlock_sock(sk);
-                        continue;
-                }
-                if (sk->sk_state == BT_CONNECT) {
-                        if (!status) {
-                                struct l2cap_conn_req req;
-                                req.scid = cpu_to_le16(l2cap_pi(sk)->scid);
-                                req.psm  = l2cap_pi(sk)->psm;
-                                l2cap_pi(sk)->ident = l2cap_get_ident(conn);
-                                l2cap_pi(sk)->conf_state |= L2CAP_CONF_CONNECT_PEND;
-                                l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
-                                        L2CAP_CONN_REQ, sizeof(req), &req);
-                        } else {
-                                l2cap_sock_clear_timer(sk);
-                                l2cap_sock_set_timer(sk, HZ / 10);
-                        }
-                } else if (sk->sk_state == BT_CONNECT2) {
-                        struct l2cap_conn_rsp rsp;
-                        __u16 result;
-                        if (!status) {
-                                sk->sk_state = BT_CONFIG;
-                                result = L2CAP_CR_SUCCESS;
-                        } else {
-                                sk->sk_state = BT_DISCONN;
-                                l2cap_sock_set_timer(sk, HZ / 10);
-                                result = L2CAP_CR_SEC_BLOCK;
-                        }
-                        rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
-                        rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
-                        rsp.result = cpu_to_le16(result);
-                        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
-                        l2cap_send_cmd(conn, l2cap_pi(sk)->ident,
-                                        L2CAP_CONN_RSP, sizeof(rsp), &rsp);
-                }
-                bh_unlock_sock(sk);
-        }
-        read_unlock(&l->lock);
-        return 0;
-}
-static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
-{
-        struct l2cap_conn *conn = hcon->l2cap_data;
-        if (!conn && !(conn = l2cap_conn_add(hcon, 0)))
-                goto drop;
-        BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
-        if (flags & ACL_START) {
-                struct l2cap_hdr *hdr;
-                struct sock *sk;
-                u16 cid;
-                int len;
-                if (conn->rx_len) {
-                        BT_ERR("Unexpected start frame (len %d)", skb->len);
-                        kfree_skb(conn->rx_skb);
-                        conn->rx_skb = NULL;
-                        conn->rx_len = 0;
-                        l2cap_conn_unreliable(conn, ECOMM);
-                }
-                /* Start fragment always begin with Basic L2CAP header */
-                if (skb->len < L2CAP_HDR_SIZE) {
-                        BT_ERR("Frame is too short (len %d)", skb->len);
-                        l2cap_conn_unreliable(conn, ECOMM);
-                        goto drop;
-                }
-                hdr = (struct l2cap_hdr *) skb->data;
-                len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
-                cid = __le16_to_cpu(hdr->cid);
-                if (len == skb->len) {
-                        /* Complete frame received */
-                        l2cap_recv_frame(conn, skb);
-                        return 0;
-                }
-                BT_DBG("Start: total len %d, frag len %d", len, skb->len);
-                if (skb->len > len) {
-                        BT_ERR("Frame is too long (len %d, expected len %d)",
-                                skb->len, len);
-                        l2cap_conn_unreliable(conn, ECOMM);
-                        goto drop;
-                }
-                sk = l2cap_get_chan_by_scid(&conn->chan_list, cid);
-                if (sk && l2cap_pi(sk)->imtu < len - L2CAP_HDR_SIZE) {
-                        BT_ERR("Frame exceeding recv MTU (len %d, MTU %d)",
-                                        len, l2cap_pi(sk)->imtu);
-                        bh_unlock_sock(sk);
-                        l2cap_conn_unreliable(conn, ECOMM);
-                        goto drop;
-                }
-                if (sk)
-                        bh_unlock_sock(sk);
-                /* Allocate skb for the complete frame (with header) */
-                conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
-                if (!conn->rx_skb)
-                        goto drop;
-                skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
-                                                                skb->len);
-                conn->rx_len = len - skb->len;
-        } else {
-                BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
-                if (!conn->rx_len) {
-                        BT_ERR("Unexpected continuation frame (len %d)", skb->len);
-                        l2cap_conn_unreliable(conn, ECOMM);
-                        goto drop;
-                }
-                if (skb->len > conn->rx_len) {
-                        BT_ERR("Fragment is too long (len %d, expected %d)",
-                                        skb->len, conn->rx_len);
-                        kfree_skb(conn->rx_skb);
-                        conn->rx_skb = NULL;
-                        conn->rx_len = 0;
-                        l2cap_conn_unreliable(conn, ECOMM);
-                        goto drop;
-                }
-                skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
-                                                                skb->len);
-                conn->rx_len -= skb->len;
-                if (!conn->rx_len) {
-                        /* Complete frame received */
-                        l2cap_recv_frame(conn, conn->rx_skb);
-                        conn->rx_skb = NULL;
-                }
-        }
-drop:
-        kfree_skb(skb);
-        return 0;
-}
-static int l2cap_debugfs_show(struct seq_file *f, void *p)
-{
-        struct sock *sk;
-        struct hlist_node *node;
-        read_lock_bh(&l2cap_sk_list.lock);
-        sk_for_each(sk, node, &l2cap_sk_list.head) {
-                struct l2cap_pinfo *pi = l2cap_pi(sk);
-                seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
-                                        batostr(&bt_sk(sk)->src),
-                                        batostr(&bt_sk(sk)->dst),
-                                        sk->sk_state, __le16_to_cpu(pi->psm),
-                                        pi->scid, pi->dcid,
-                                        pi->imtu, pi->omtu, pi->sec_level);
-        }
-        read_unlock_bh(&l2cap_sk_list.lock);
-        return 0;
-}
-static int l2cap_debugfs_open(struct inode *inode, struct file *file)
-{
-        return single_open(file, l2cap_debugfs_show, inode->i_private);
-}
-static const struct file_operations l2cap_debugfs_fops = {
-        .open           = l2cap_debugfs_open,
-        .read           = seq_read,
-        .llseek         = seq_lseek,
-        .release        = single_release,
-};
-static struct dentry *l2cap_debugfs;
-static const struct proto_ops l2cap_sock_ops = {
-        .family         = PF_BLUETOOTH,
-        .owner          = THIS_MODULE,
-        .release        = l2cap_sock_release,
-        .bind           = l2cap_sock_bind,
-        .connect        = l2cap_sock_connect,
-        .listen         = l2cap_sock_listen,
-        .accept         = l2cap_sock_accept,
-        .getname        = l2cap_sock_getname,
-        .sendmsg        = l2cap_sock_sendmsg,
-        .recvmsg        = l2cap_sock_recvmsg,
-        .poll           = bt_sock_poll,
-        .ioctl          = bt_sock_ioctl,
-        .mmap           = sock_no_mmap,
-        .socketpair     = sock_no_socketpair,
-        .shutdown       = l2cap_sock_shutdown,
-        .setsockopt     = l2cap_sock_setsockopt,
-        .getsockopt     = l2cap_sock_getsockopt
-};
-static const struct net_proto_family l2cap_sock_family_ops = {
-        .family = PF_BLUETOOTH,
-        .owner  = THIS_MODULE,
-        .create = l2cap_sock_create,
-};
-static struct hci_proto l2cap_hci_proto = {
-        .name           = "L2CAP",
-        .id             = HCI_PROTO_L2CAP,
-        .connect_ind    = l2cap_connect_ind,
-        .connect_cfm    = l2cap_connect_cfm,
-        .disconn_ind    = l2cap_disconn_ind,
-        .disconn_cfm    = l2cap_disconn_cfm,
-        .security_cfm   = l2cap_security_cfm,
-        .recv_acldata   = l2cap_recv_acldata
-};
-static int __init l2cap_init(void)
-{
-        int err;
-        err = proto_register(&l2cap_proto, 0);
-        if (err < 0)
-                return err;
-        _busy_wq = create_singlethread_workqueue("l2cap");
-        if (!_busy_wq) {
-                proto_unregister(&l2cap_proto);
-                return -ENOMEM;
-        }
-        err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
-        if (err < 0) {
-                BT_ERR("L2CAP socket registration failed");
-                goto error;
-        }
-        err = hci_register_proto(&l2cap_hci_proto);
-        if (err < 0) {
-                BT_ERR("L2CAP protocol registration failed");
-                bt_sock_unregister(BTPROTO_L2CAP);
-                goto error;
-        }
-        if (bt_debugfs) {
-                l2cap_debugfs = debugfs_create_file("l2cap", 0444,
-                                        bt_debugfs, NULL, &l2cap_debugfs_fops);
-                if (!l2cap_debugfs)
-                        BT_ERR("Failed to create L2CAP debug file");
-        }
-        BT_INFO("L2CAP ver %s", VERSION);
-        BT_INFO("L2CAP socket layer initialized");
-        return 0;
-error:
-        destroy_workqueue(_busy_wq);
-        proto_unregister(&l2cap_proto);
-        return err;
-}
-static void __exit l2cap_exit(void)
-{
-        debugfs_remove(l2cap_debugfs);
-        flush_workqueue(_busy_wq);
-        destroy_workqueue(_busy_wq);
-        if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
-                BT_ERR("L2CAP socket unregistration failed");
-        if (hci_unregister_proto(&l2cap_hci_proto) < 0)
-                BT_ERR("L2CAP protocol unregistration failed");
-        proto_unregister(&l2cap_proto);
-}
-void l2cap_load(void)
-{
-        /* Dummy function to trigger automatic L2CAP module loading by
-         * other modules that use L2CAP sockets but don't use any other
-         * symbols from it. */
-}
-EXPORT_SYMBOL(l2cap_load);
-module_init(l2cap_init);
-module_exit(l2cap_exit);
-module_param(disable_ertm, bool, 0644);
-MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
-MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
-MODULE_DESCRIPTION("Bluetooth L2CAP ver " VERSION);
-MODULE_VERSION(VERSION);
-MODULE_LICENSE("GPL");
-MODULE_ALIAS("bt-proto-0");
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
new file mode 100644
index 000000000000..a86f9ba4f05c
--- /dev/null
+++ b/net/bluetooth/l2cap_core.c
@@ -0,0 +1,4240 @@
+/*
+   BlueZ - Bluetooth protocol stack for Linux
+   Copyright (C) 2000-2001 Qualcomm Incorporated
+   Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
+   Copyright (C) 2010 Google Inc.
+   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License version 2 as
+   published by the Free Software Foundation;
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
+   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
+   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
+   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
+   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
+   SOFTWARE IS DISCLAIMED.
+*/
+/* Bluetooth L2CAP core. */
+#include <linux/module.h>
+#include <linux/types.h>
+#include <linux/capability.h>
+#include <linux/errno.h>
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/slab.h>
+#include <linux/poll.h>
+#include <linux/fcntl.h>
+#include <linux/init.h>
+#include <linux/interrupt.h>
+#include <linux/socket.h>
+#include <linux/skbuff.h>
+#include <linux/list.h>
+#include <linux/device.h>
+#include <linux/debugfs.h>
+#include <linux/seq_file.h>
+#include <linux/uaccess.h>
+#include <linux/crc16.h>
+#include <net/sock.h>
+#include <asm/system.h>
+#include <asm/unaligned.h>
+#include <net/bluetooth/bluetooth.h>
+#include <net/bluetooth/hci_core.h>
+#include <net/bluetooth/l2cap.h>
+int disable_ertm;
+static u32 l2cap_feat_mask = L2CAP_FEAT_FIXED_CHAN;
+static u8 l2cap_fixed_chan[8] = { 0x02, };
+static struct workqueue_struct *_busy_wq;
+LIST_HEAD(chan_list);
+DEFINE_RWLOCK(chan_list_lock);
+static void l2cap_busy_work(struct work_struct *work);
+static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
+                                u8 code, u8 ident, u16 dlen, void *data);
+static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
+static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb);
+/* ---- L2CAP channels ---- */
+static struct l2cap_chan *__l2cap_get_chan_by_dcid(struct l2cap_conn *conn, u16 cid)
+{
+        struct l2cap_chan *c;
+        list_for_each_entry(c, &conn->chan_l, list) {
+                if (c->dcid == cid)
+                        return c;
+        }
+        return NULL;
+}
+static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
+{
+        struct l2cap_chan *c;
+        list_for_each_entry(c, &conn->chan_l, list) {
+                if (c->scid == cid)
+                        return c;
+        }
+        return NULL;
+}
+/* Find channel with given SCID.
+ * Returns locked socket */
+static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, u16 cid)
+{
+        struct l2cap_chan *c;
+        read_lock(&conn->chan_lock);
+        c = __l2cap_get_chan_by_scid(conn, cid);
+        if (c)
+                bh_lock_sock(c->sk);
+        read_unlock(&conn->chan_lock);
+        return c;
+}
+static struct l2cap_chan *__l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
+{
+        struct l2cap_chan *c;
+        list_for_each_entry(c, &conn->chan_l, list) {
+                if (c->ident == ident)
+                        return c;
+        }
+        return NULL;
+}
+static inline struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, u8 ident)
+{
+        struct l2cap_chan *c;
+        read_lock(&conn->chan_lock);
+        c = __l2cap_get_chan_by_ident(conn, ident);
+        if (c)
+                bh_lock_sock(c->sk);
+        read_unlock(&conn->chan_lock);
+        return c;
+}
+static struct l2cap_chan *__l2cap_global_chan_by_addr(__le16 psm, bdaddr_t *src)
+{
+        struct l2cap_chan *c;
+        list_for_each_entry(c, &chan_list, global_l) {
+                if (c->sport == psm && !bacmp(&bt_sk(c->sk)->src, src))
+                        goto found;
+        }
+        c = NULL;
+found:
+        return c;
+}
+int l2cap_add_psm(struct l2cap_chan *chan, bdaddr_t *src, __le16 psm)
+{
+        int err;
+        write_lock_bh(&chan_list_lock);
+        if (psm && __l2cap_global_chan_by_addr(psm, src)) {
+                err = -EADDRINUSE;
+                goto done;
+        }
+        if (psm) {
+                chan->psm = psm;
+                chan->sport = psm;
+                err = 0;
+        } else {
+                u16 p;
+                err = -EINVAL;
+                for (p = 0x1001; p < 0x1100; p += 2)
+                        if (!__l2cap_global_chan_by_addr(cpu_to_le16(p), src)) {
+                                chan->psm   = cpu_to_le16(p);
+                                chan->sport = cpu_to_le16(p);
+                                err = 0;
+                                break;
+                        }
+        }
+done:
+        write_unlock_bh(&chan_list_lock);
+        return err;
+}
+int l2cap_add_scid(struct l2cap_chan *chan,  __u16 scid)
+{
+        write_lock_bh(&chan_list_lock);
+        chan->scid = scid;
+        write_unlock_bh(&chan_list_lock);
+        return 0;
+}
+static u16 l2cap_alloc_cid(struct l2cap_conn *conn)
+{
+        u16 cid = L2CAP_CID_DYN_START;
+        for (; cid < L2CAP_CID_DYN_END; cid++) {
+                if (!__l2cap_get_chan_by_scid(conn, cid))
+                        return cid;
+        }
+        return 0;
+}
+struct l2cap_chan *l2cap_chan_create(struct sock *sk)
+{
+        struct l2cap_chan *chan;
+        chan = kzalloc(sizeof(*chan), GFP_ATOMIC);
+        if (!chan)
+                return NULL;
+        chan->sk = sk;
+        write_lock_bh(&chan_list_lock);
+        list_add(&chan->global_l, &chan_list);
+        write_unlock_bh(&chan_list_lock);
+        return chan;
+}
+void l2cap_chan_destroy(struct l2cap_chan *chan)
+{
+        write_lock_bh(&chan_list_lock);
+        list_del(&chan->global_l);
+        write_unlock_bh(&chan_list_lock);
+        kfree(chan);
+}
+static void __l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
+{
+        struct sock *sk = chan->sk;
+        BT_DBG("conn %p, psm 0x%2.2x, dcid 0x%4.4x", conn,
+                        chan->psm, chan->dcid);
+        conn->disc_reason = 0x13;
+        chan->conn = conn;
+        if (sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM) {
+                if (conn->hcon->type == LE_LINK) {
+                        /* LE connection */
+                        chan->omtu = L2CAP_LE_DEFAULT_MTU;
+                        chan->scid = L2CAP_CID_LE_DATA;
+                        chan->dcid = L2CAP_CID_LE_DATA;
+                } else {
+                        /* Alloc CID for connection-oriented socket */
+                        chan->scid = l2cap_alloc_cid(conn);
+                        chan->omtu = L2CAP_DEFAULT_MTU;
+                }
+        } else if (sk->sk_type == SOCK_DGRAM) {
+                /* Connectionless socket */
+                chan->scid = L2CAP_CID_CONN_LESS;
+                chan->dcid = L2CAP_CID_CONN_LESS;
+                chan->omtu = L2CAP_DEFAULT_MTU;
+        } else {
+                /* Raw socket can send/recv signalling messages only */
+                chan->scid = L2CAP_CID_SIGNALING;
+                chan->dcid = L2CAP_CID_SIGNALING;
+                chan->omtu = L2CAP_DEFAULT_MTU;
+        }
+        sock_hold(sk);
+        list_add(&chan->list, &conn->chan_l);
+}
+/* Delete channel.
+ * Must be called on the locked socket. */
+void l2cap_chan_del(struct l2cap_chan *chan, int err)
+{
+        struct sock *sk = chan->sk;
+        struct l2cap_conn *conn = chan->conn;
+        struct sock *parent = bt_sk(sk)->parent;
+        l2cap_sock_clear_timer(sk);
+        BT_DBG("chan %p, conn %p, err %d", chan, conn, err);
+        if (conn) {
+                /* Delete from channel list */
+                write_lock_bh(&conn->chan_lock);
+                list_del(&chan->list);
+                write_unlock_bh(&conn->chan_lock);
+                __sock_put(sk);
+                chan->conn = NULL;
+                hci_conn_put(conn->hcon);
+        }
+        sk->sk_state = BT_CLOSED;
+        sock_set_flag(sk, SOCK_ZAPPED);
+        if (err)
+                sk->sk_err = err;
+        if (parent) {
+                bt_accept_unlink(sk);
+                parent->sk_data_ready(parent, 0);
+        } else
+                sk->sk_state_change(sk);
+        if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE &&
+                        chan->conf_state & L2CAP_CONF_INPUT_DONE))
+                return;
+        skb_queue_purge(&chan->tx_q);
+        if (chan->mode == L2CAP_MODE_ERTM) {
+                struct srej_list *l, *tmp;
+                del_timer(&chan->retrans_timer);
+                del_timer(&chan->monitor_timer);
+                del_timer(&chan->ack_timer);
+                skb_queue_purge(&chan->srej_q);
+                skb_queue_purge(&chan->busy_q);
+                list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
+                        list_del(&l->list);
+                        kfree(l);
+                }
+        }
+}
+static inline u8 l2cap_get_auth_type(struct l2cap_chan *chan)
+{
+        struct sock *sk = chan->sk;
+        if (sk->sk_type == SOCK_RAW) {
+                switch (chan->sec_level) {
+                case BT_SECURITY_HIGH:
+                        return HCI_AT_DEDICATED_BONDING_MITM;
+                case BT_SECURITY_MEDIUM:
+                        return HCI_AT_DEDICATED_BONDING;
+                default:
+                        return HCI_AT_NO_BONDING;
+                }
+        } else if (chan->psm == cpu_to_le16(0x0001)) {
+                if (chan->sec_level == BT_SECURITY_LOW)
+                        chan->sec_level = BT_SECURITY_SDP;
+                if (chan->sec_level == BT_SECURITY_HIGH)
+                        return HCI_AT_NO_BONDING_MITM;
+                else
+                        return HCI_AT_NO_BONDING;
+        } else {
+                switch (chan->sec_level) {
+                case BT_SECURITY_HIGH:
+                        return HCI_AT_GENERAL_BONDING_MITM;
+                case BT_SECURITY_MEDIUM:
+                        return HCI_AT_GENERAL_BONDING;
+                default:
+                        return HCI_AT_NO_BONDING;
+                }
+        }
+}
+/* Service level security */
+static inline int l2cap_check_security(struct l2cap_chan *chan)
+{
+        struct l2cap_conn *conn = chan->conn;
+        __u8 auth_type;
+        auth_type = l2cap_get_auth_type(chan);
+        return hci_conn_security(conn->hcon, chan->sec_level, auth_type);
+}
+u8 l2cap_get_ident(struct l2cap_conn *conn)
+{
+        u8 id;
+        /* Get next available identificator.
+         *    1 - 128 are used by kernel.
+         *  129 - 199 are reserved.
+         *  200 - 254 are used by utilities like l2ping, etc.
+         */
+        spin_lock_bh(&conn->lock);
+        if (++conn->tx_ident > 128)
+                conn->tx_ident = 1;
+        id = conn->tx_ident;
+        spin_unlock_bh(&conn->lock);
+        return id;
+}
+void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len, void *data)
+{
+        struct sk_buff *skb = l2cap_build_cmd(conn, code, ident, len, data);
+        u8 flags;
+        BT_DBG("code 0x%2.2x", code);
+        if (!skb)
+                return;
+        if (lmp_no_flush_capable(conn->hcon->hdev))
+                flags = ACL_START_NO_FLUSH;
+        else
+                flags = ACL_START;
+        hci_send_acl(conn->hcon, skb, flags);
+}
+static inline void l2cap_send_sframe(struct l2cap_chan *chan, u16 control)
+{
+        struct sk_buff *skb;
+        struct l2cap_hdr *lh;
+        struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
+        struct l2cap_conn *conn = chan->conn;
+        struct sock *sk = (struct sock *)pi;
+        int count, hlen = L2CAP_HDR_SIZE + 2;
+        u8 flags;
+        if (sk->sk_state != BT_CONNECTED)
+                return;
+        if (chan->fcs == L2CAP_FCS_CRC16)
+                hlen += 2;
+        BT_DBG("chan %p, control 0x%2.2x", chan, control);
+        count = min_t(unsigned int, conn->mtu, hlen);
+        control |= L2CAP_CTRL_FRAME_TYPE;
+        if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
+                control |= L2CAP_CTRL_FINAL;
+                chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
+        }
+        if (chan->conn_state & L2CAP_CONN_SEND_PBIT) {
+                control |= L2CAP_CTRL_POLL;
+                chan->conn_state &= ~L2CAP_CONN_SEND_PBIT;
+        }
+        skb = bt_skb_alloc(count, GFP_ATOMIC);
+        if (!skb)
+                return;
+        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
+        lh->len = cpu_to_le16(hlen - L2CAP_HDR_SIZE);
+        lh->cid = cpu_to_le16(chan->dcid);
+        put_unaligned_le16(control, skb_put(skb, 2));
+        if (chan->fcs == L2CAP_FCS_CRC16) {
+                u16 fcs = crc16(0, (u8 *)lh, count - 2);
+                put_unaligned_le16(fcs, skb_put(skb, 2));
+        }
+        if (lmp_no_flush_capable(conn->hcon->hdev))
+                flags = ACL_START_NO_FLUSH;
+        else
+                flags = ACL_START;
+        hci_send_acl(chan->conn->hcon, skb, flags);
+}
+static inline void l2cap_send_rr_or_rnr(struct l2cap_chan *chan, u16 control)
+{
+        if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
+                control |= L2CAP_SUPER_RCV_NOT_READY;
+                chan->conn_state |= L2CAP_CONN_RNR_SENT;
+        } else
+                control |= L2CAP_SUPER_RCV_READY;
+        control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+        l2cap_send_sframe(chan, control);
+}
+static inline int __l2cap_no_conn_pending(struct l2cap_chan *chan)
+{
+        return !(chan->conf_state & L2CAP_CONF_CONNECT_PEND);
+}
+static void l2cap_do_start(struct l2cap_chan *chan)
+{
+        struct l2cap_conn *conn = chan->conn;
+        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) {
+                if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE))
+                        return;
+                if (l2cap_check_security(chan) &&
+                                __l2cap_no_conn_pending(chan)) {
+                        struct l2cap_conn_req req;
+                        req.scid = cpu_to_le16(chan->scid);
+                        req.psm  = chan->psm;
+                        chan->ident = l2cap_get_ident(conn);
+                        chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
+                        l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
+                                                        sizeof(req), &req);
+                }
+        } else {
+                struct l2cap_info_req req;
+                req.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
+                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
+                conn->info_ident = l2cap_get_ident(conn);
+                mod_timer(&conn->info_timer, jiffies +
+                                        msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
+                l2cap_send_cmd(conn, conn->info_ident,
+                                        L2CAP_INFO_REQ, sizeof(req), &req);
+        }
+}
+static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask)
+{
+        u32 local_feat_mask = l2cap_feat_mask;
+        if (!disable_ertm)
+                local_feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING;
+        switch (mode) {
+        case L2CAP_MODE_ERTM:
+                return L2CAP_FEAT_ERTM & feat_mask & local_feat_mask;
+        case L2CAP_MODE_STREAMING:
+                return L2CAP_FEAT_STREAMING & feat_mask & local_feat_mask;
+        default:
+                return 0x00;
+        }
+}
+void l2cap_send_disconn_req(struct l2cap_conn *conn, struct l2cap_chan *chan, int err)
+{
+        struct sock *sk;
+        struct l2cap_disconn_req req;
+        if (!conn)
+                return;
+        sk = chan->sk;
+        if (chan->mode == L2CAP_MODE_ERTM) {
+                del_timer(&chan->retrans_timer);
+                del_timer(&chan->monitor_timer);
+                del_timer(&chan->ack_timer);
+        }
+        req.dcid = cpu_to_le16(chan->dcid);
+        req.scid = cpu_to_le16(chan->scid);
+        l2cap_send_cmd(conn, l2cap_get_ident(conn),
+                        L2CAP_DISCONN_REQ, sizeof(req), &req);
+        sk->sk_state = BT_DISCONN;
+        sk->sk_err = err;
+}
+/* ---- L2CAP connections ---- */
+static void l2cap_conn_start(struct l2cap_conn *conn)
+{
+        struct l2cap_chan *chan, *tmp;
+        BT_DBG("conn %p", conn);
+        read_lock(&conn->chan_lock);
+        list_for_each_entry_safe(chan, tmp, &conn->chan_l, list) {
+                struct sock *sk = chan->sk;
+                bh_lock_sock(sk);
+                if (sk->sk_type != SOCK_SEQPACKET &&
+                                sk->sk_type != SOCK_STREAM) {
+                        bh_unlock_sock(sk);
+                        continue;
+                }
+                if (sk->sk_state == BT_CONNECT) {
+                        struct l2cap_conn_req req;
+                        if (!l2cap_check_security(chan) ||
+                                        !__l2cap_no_conn_pending(chan)) {
+                                bh_unlock_sock(sk);
+                                continue;
+                        }
+                        if (!l2cap_mode_supported(chan->mode,
+                                        conn->feat_mask)
+                                        && chan->conf_state &
+                                        L2CAP_CONF_STATE2_DEVICE) {
+                                /* __l2cap_sock_close() calls list_del(chan)
+                                 * so release the lock */
+                                read_unlock_bh(&conn->chan_lock);
+                                 __l2cap_sock_close(sk, ECONNRESET);
+                                read_lock_bh(&conn->chan_lock);
+                                bh_unlock_sock(sk);
+                                continue;
+                        }
+                        req.scid = cpu_to_le16(chan->scid);
+                        req.psm  = chan->psm;
+                        chan->ident = l2cap_get_ident(conn);
+                        chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
+                        l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_REQ,
+                                                        sizeof(req), &req);
+                } else if (sk->sk_state == BT_CONNECT2) {
+                        struct l2cap_conn_rsp rsp;
+                        char buf[128];
+                        rsp.scid = cpu_to_le16(chan->dcid);
+                        rsp.dcid = cpu_to_le16(chan->scid);
+                        if (l2cap_check_security(chan)) {
+                                if (bt_sk(sk)->defer_setup) {
+                                        struct sock *parent = bt_sk(sk)->parent;
+                                        rsp.result = cpu_to_le16(L2CAP_CR_PEND);
+                                        rsp.status = cpu_to_le16(L2CAP_CS_AUTHOR_PEND);
+                                        parent->sk_data_ready(parent, 0);
+                                } else {
+                                        sk->sk_state = BT_CONFIG;
+                                        rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
+                                        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
+                                }
+                        } else {
+                                rsp.result = cpu_to_le16(L2CAP_CR_PEND);
+                                rsp.status = cpu_to_le16(L2CAP_CS_AUTHEN_PEND);
+                        }
+                        l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
+                                                        sizeof(rsp), &rsp);
+                        if (chan->conf_state & L2CAP_CONF_REQ_SENT ||
+                                        rsp.result != L2CAP_CR_SUCCESS) {
+                                bh_unlock_sock(sk);
+                                continue;
+                        }
+                        chan->conf_state |= L2CAP_CONF_REQ_SENT;
+                        l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+                                                l2cap_build_conf_req(chan, buf), buf);
+                        chan->num_conf_req++;
+                }
+                bh_unlock_sock(sk);
+        }
+        read_unlock(&conn->chan_lock);
+}
+/* Find socket with cid and source bdaddr.
+ * Returns closest match, locked.
+ */
+static struct l2cap_chan *l2cap_global_chan_by_scid(int state, __le16 cid, bdaddr_t *src)
+{
+        struct l2cap_chan *c, *c1 = NULL;
+        read_lock(&chan_list_lock);
+        list_for_each_entry(c, &chan_list, global_l) {
+                struct sock *sk = c->sk;
+                if (state && sk->sk_state != state)
+                        continue;
+                if (c->scid == cid) {
+                        /* Exact match. */
+                        if (!bacmp(&bt_sk(sk)->src, src)) {
+                                read_unlock(&chan_list_lock);
+                                return c;
+                        }
+                        /* Closest match */
+                        if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
+                                c1 = c;
+                }
+        }
+        read_unlock(&chan_list_lock);
+        return c1;
+}
+static void l2cap_le_conn_ready(struct l2cap_conn *conn)
+{
+        struct sock *parent, *sk;
+        struct l2cap_chan *chan, *pchan;
+        BT_DBG("");
+        /* Check if we have socket listening on cid */
+        pchan = l2cap_global_chan_by_scid(BT_LISTEN, L2CAP_CID_LE_DATA,
+                                                        conn->src);
+        if (!pchan)
+                return;
+        parent = pchan->sk;
+        bh_lock_sock(parent);
+        /* Check for backlog size */
+        if (sk_acceptq_is_full(parent)) {
+                BT_DBG("backlog full %d", parent->sk_ack_backlog);
+                goto clean;
+        }
+        sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
+        if (!sk)
+                goto clean;
+        chan = l2cap_chan_create(sk);
+        if (!chan) {
+                l2cap_sock_kill(sk);
+                goto clean;
+        }
+        l2cap_pi(sk)->chan = chan;
+        write_lock_bh(&conn->chan_lock);
+        hci_conn_hold(conn->hcon);
+        l2cap_sock_init(sk, parent);
+        bacpy(&bt_sk(sk)->src, conn->src);
+        bacpy(&bt_sk(sk)->dst, conn->dst);
+        bt_accept_enqueue(parent, sk);
+        __l2cap_chan_add(conn, chan);
+        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
+        sk->sk_state = BT_CONNECTED;
+        parent->sk_data_ready(parent, 0);
+        write_unlock_bh(&conn->chan_lock);
+clean:
+        bh_unlock_sock(parent);
+}
+static void l2cap_conn_ready(struct l2cap_conn *conn)
+{
+        struct l2cap_chan *chan;
+        BT_DBG("conn %p", conn);
+        if (!conn->hcon->out && conn->hcon->type == LE_LINK)
+                l2cap_le_conn_ready(conn);
+        read_lock(&conn->chan_lock);
+        list_for_each_entry(chan, &conn->chan_l, list) {
+                struct sock *sk = chan->sk;
+                bh_lock_sock(sk);
+                if (conn->hcon->type == LE_LINK) {
+                        l2cap_sock_clear_timer(sk);
+                        sk->sk_state = BT_CONNECTED;
+                        sk->sk_state_change(sk);
+                }
+                if (sk->sk_type != SOCK_SEQPACKET &&
+                                sk->sk_type != SOCK_STREAM) {
+                        l2cap_sock_clear_timer(sk);
+                        sk->sk_state = BT_CONNECTED;
+                        sk->sk_state_change(sk);
+                } else if (sk->sk_state == BT_CONNECT)
+                        l2cap_do_start(chan);
+                bh_unlock_sock(sk);
+        }
+        read_unlock(&conn->chan_lock);
+}
+/* Notify sockets that we cannot guaranty reliability anymore */
+static void l2cap_conn_unreliable(struct l2cap_conn *conn, int err)
+{
+        struct l2cap_chan *chan;
+        BT_DBG("conn %p", conn);
+        read_lock(&conn->chan_lock);
+        list_for_each_entry(chan, &conn->chan_l, list) {
+                struct sock *sk = chan->sk;
+                if (chan->force_reliable)
+                        sk->sk_err = err;
+        }
+        read_unlock(&conn->chan_lock);
+}
+static void l2cap_info_timeout(unsigned long arg)
+{
+        struct l2cap_conn *conn = (void *) arg;
+        conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
+        conn->info_ident = 0;
+        l2cap_conn_start(conn);
+}
+static struct l2cap_conn *l2cap_conn_add(struct hci_conn *hcon, u8 status)
+{
+        struct l2cap_conn *conn = hcon->l2cap_data;
+        if (conn || status)
+                return conn;
+        conn = kzalloc(sizeof(struct l2cap_conn), GFP_ATOMIC);
+        if (!conn)
+                return NULL;
+        hcon->l2cap_data = conn;
+        conn->hcon = hcon;
+        BT_DBG("hcon %p conn %p", hcon, conn);
+        if (hcon->hdev->le_mtu && hcon->type == LE_LINK)
+                conn->mtu = hcon->hdev->le_mtu;
+        else
+                conn->mtu = hcon->hdev->acl_mtu;
+        conn->src = &hcon->hdev->bdaddr;
+        conn->dst = &hcon->dst;
+        conn->feat_mask = 0;
+        spin_lock_init(&conn->lock);
+        rwlock_init(&conn->chan_lock);
+        INIT_LIST_HEAD(&conn->chan_l);
+        if (hcon->type != LE_LINK)
+                setup_timer(&conn->info_timer, l2cap_info_timeout,
+                                                (unsigned long) conn);
+        conn->disc_reason = 0x13;
+        return conn;
+}
+static void l2cap_conn_del(struct hci_conn *hcon, int err)
+{
+        struct l2cap_conn *conn = hcon->l2cap_data;
+        struct l2cap_chan *chan, *l;
+        struct sock *sk;
+        if (!conn)
+                return;
+        BT_DBG("hcon %p conn %p, err %d", hcon, conn, err);
+        kfree_skb(conn->rx_skb);
+        /* Kill channels */
+        list_for_each_entry_safe(chan, l, &conn->chan_l, list) {
+                sk = chan->sk;
+                bh_lock_sock(sk);
+                l2cap_chan_del(chan, err);
+                bh_unlock_sock(sk);
+                l2cap_sock_kill(sk);
+        }
+        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT)
+                del_timer_sync(&conn->info_timer);
+        hcon->l2cap_data = NULL;
+        kfree(conn);
+}
+static inline void l2cap_chan_add(struct l2cap_conn *conn, struct l2cap_chan *chan)
+{
+        write_lock_bh(&conn->chan_lock);
+        __l2cap_chan_add(conn, chan);
+        write_unlock_bh(&conn->chan_lock);
+}
+/* ---- Socket interface ---- */
+/* Find socket with psm and source bdaddr.
+ * Returns closest match.
+ */
+static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, bdaddr_t *src)
+{
+        struct l2cap_chan *c, *c1 = NULL;
+        read_lock(&chan_list_lock);
+        list_for_each_entry(c, &chan_list, global_l) {
+                struct sock *sk = c->sk;
+                if (state && sk->sk_state != state)
+                        continue;
+                if (c->psm == psm) {
+                        /* Exact match. */
+                        if (!bacmp(&bt_sk(sk)->src, src)) {
+                                read_unlock_bh(&chan_list_lock);
+                                return c;
+                        }
+                        /* Closest match */
+                        if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY))
+                                c1 = c;
+                }
+        }
+        read_unlock(&chan_list_lock);
+        return c1;
+}
+int l2cap_chan_connect(struct l2cap_chan *chan)
+{
+        struct sock *sk = chan->sk;
+        bdaddr_t *src = &bt_sk(sk)->src;
+        bdaddr_t *dst = &bt_sk(sk)->dst;
+        struct l2cap_conn *conn;
+        struct hci_conn *hcon;
+        struct hci_dev *hdev;
+        __u8 auth_type;
+        int err;
+        BT_DBG("%s -> %s psm 0x%2.2x", batostr(src), batostr(dst),
+                                                        chan->psm);
+        hdev = hci_get_route(dst, src);
+        if (!hdev)
+                return -EHOSTUNREACH;
+        hci_dev_lock_bh(hdev);
+        auth_type = l2cap_get_auth_type(chan);
+        if (chan->dcid == L2CAP_CID_LE_DATA)
+                hcon = hci_connect(hdev, LE_LINK, dst,
+                                        chan->sec_level, auth_type);
+        else
+                hcon = hci_connect(hdev, ACL_LINK, dst,
+                                        chan->sec_level, auth_type);
+        if (IS_ERR(hcon)) {
+                err = PTR_ERR(hcon);
+                goto done;
+        }
+        conn = l2cap_conn_add(hcon, 0);
+        if (!conn) {
+                hci_conn_put(hcon);
+                err = -ENOMEM;
+                goto done;
+        }
+        /* Update source addr of the socket */
+        bacpy(src, conn->src);
+        l2cap_chan_add(conn, chan);
+        sk->sk_state = BT_CONNECT;
+        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
+        if (hcon->state == BT_CONNECTED) {
+                if (sk->sk_type != SOCK_SEQPACKET &&
+                                sk->sk_type != SOCK_STREAM) {
+                        l2cap_sock_clear_timer(sk);
+                        if (l2cap_check_security(chan))
+                                sk->sk_state = BT_CONNECTED;
+                } else
+                        l2cap_do_start(chan);
+        }
+        err = 0;
+done:
+        hci_dev_unlock_bh(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+int __l2cap_wait_ack(struct sock *sk)
+{
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        DECLARE_WAITQUEUE(wait, current);
+        int err = 0;
+        int timeo = HZ/5;
+        add_wait_queue(sk_sleep(sk), &wait);
+        while ((chan->unacked_frames > 0 && chan->conn)) {
+                set_current_state(TASK_INTERRUPTIBLE);
+                if (!timeo)
+                        timeo = HZ/5;
+                if (signal_pending(current)) {
+                        err = sock_intr_errno(timeo);
+                        break;
+                }
+                release_sock(sk);
+                timeo = schedule_timeout(timeo);
+                lock_sock(sk);
+                err = sock_error(sk);
+                if (err)
+                        break;
+        }
+        set_current_state(TASK_RUNNING);
+        remove_wait_queue(sk_sleep(sk), &wait);
+        return err;
+}
+static void l2cap_monitor_timeout(unsigned long arg)
+{
+        struct l2cap_chan *chan = (void *) arg;
+        struct sock *sk = chan->sk;
+        BT_DBG("chan %p", chan);
+        bh_lock_sock(sk);
+        if (chan->retry_count >= chan->remote_max_tx) {
+                l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
+                bh_unlock_sock(sk);
+                return;
+        }
+        chan->retry_count++;
+        __mod_monitor_timer();
+        l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
+        bh_unlock_sock(sk);
+}
+static void l2cap_retrans_timeout(unsigned long arg)
+{
+        struct l2cap_chan *chan = (void *) arg;
+        struct sock *sk = chan->sk;
+        BT_DBG("chan %p", chan);
+        bh_lock_sock(sk);
+        chan->retry_count = 1;
+        __mod_monitor_timer();
+        chan->conn_state |= L2CAP_CONN_WAIT_F;
+        l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_POLL);
+        bh_unlock_sock(sk);
+}
+static void l2cap_drop_acked_frames(struct l2cap_chan *chan)
+{
+        struct sk_buff *skb;
+        while ((skb = skb_peek(&chan->tx_q)) &&
+                        chan->unacked_frames) {
+                if (bt_cb(skb)->tx_seq == chan->expected_ack_seq)
+                        break;
+                skb = skb_dequeue(&chan->tx_q);
+                kfree_skb(skb);
+                chan->unacked_frames--;
+        }
+        if (!chan->unacked_frames)
+                del_timer(&chan->retrans_timer);
+}
+void l2cap_do_send(struct l2cap_chan *chan, struct sk_buff *skb)
+{
+        struct hci_conn *hcon = chan->conn->hcon;
+        u16 flags;
+        BT_DBG("chan %p, skb %p len %d", chan, skb, skb->len);
+        if (!chan->flushable && lmp_no_flush_capable(hcon->hdev))
+                flags = ACL_START_NO_FLUSH;
+        else
+                flags = ACL_START;
+        hci_send_acl(hcon, skb, flags);
+}
+void l2cap_streaming_send(struct l2cap_chan *chan)
+{
+        struct sk_buff *skb;
+        u16 control, fcs;
+        while ((skb = skb_dequeue(&chan->tx_q))) {
+                control = get_unaligned_le16(skb->data + L2CAP_HDR_SIZE);
+                control |= chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT;
+                put_unaligned_le16(control, skb->data + L2CAP_HDR_SIZE);
+                if (chan->fcs == L2CAP_FCS_CRC16) {
+                        fcs = crc16(0, (u8 *)skb->data, skb->len - 2);
+                        put_unaligned_le16(fcs, skb->data + skb->len - 2);
+                }
+                l2cap_do_send(chan, skb);
+                chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
+        }
+}
+static void l2cap_retransmit_one_frame(struct l2cap_chan *chan, u8 tx_seq)
+{
+        struct sk_buff *skb, *tx_skb;
+        u16 control, fcs;
+        skb = skb_peek(&chan->tx_q);
+        if (!skb)
+                return;
+        do {
+                if (bt_cb(skb)->tx_seq == tx_seq)
+                        break;
+                if (skb_queue_is_last(&chan->tx_q, skb))
+                        return;
+        } while ((skb = skb_queue_next(&chan->tx_q, skb)));
+        if (chan->remote_max_tx &&
+                        bt_cb(skb)->retries == chan->remote_max_tx) {
+                l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
+                return;
+        }
+        tx_skb = skb_clone(skb, GFP_ATOMIC);
+        bt_cb(skb)->retries++;
+        control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
+        control &= L2CAP_CTRL_SAR;
+        if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
+                control |= L2CAP_CTRL_FINAL;
+                chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
+        }
+        control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
+                        | (tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
+        put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
+        if (chan->fcs == L2CAP_FCS_CRC16) {
+                fcs = crc16(0, (u8 *)tx_skb->data, tx_skb->len - 2);
+                put_unaligned_le16(fcs, tx_skb->data + tx_skb->len - 2);
+        }
+        l2cap_do_send(chan, tx_skb);
+}
+int l2cap_ertm_send(struct l2cap_chan *chan)
+{
+        struct sk_buff *skb, *tx_skb;
+        struct sock *sk = chan->sk;
+        u16 control, fcs;
+        int nsent = 0;
+        if (sk->sk_state != BT_CONNECTED)
+                return -ENOTCONN;
+        while ((skb = chan->tx_send_head) && (!l2cap_tx_window_full(chan))) {
+                if (chan->remote_max_tx &&
+                                bt_cb(skb)->retries == chan->remote_max_tx) {
+                        l2cap_send_disconn_req(chan->conn, chan, ECONNABORTED);
+                        break;
+                }
+                tx_skb = skb_clone(skb, GFP_ATOMIC);
+                bt_cb(skb)->retries++;
+                control = get_unaligned_le16(tx_skb->data + L2CAP_HDR_SIZE);
+                control &= L2CAP_CTRL_SAR;
+                if (chan->conn_state & L2CAP_CONN_SEND_FBIT) {
+                        control |= L2CAP_CTRL_FINAL;
+                        chan->conn_state &= ~L2CAP_CONN_SEND_FBIT;
+                }
+                control |= (chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT)
+                                | (chan->next_tx_seq << L2CAP_CTRL_TXSEQ_SHIFT);
+                put_unaligned_le16(control, tx_skb->data + L2CAP_HDR_SIZE);
+                if (chan->fcs == L2CAP_FCS_CRC16) {
+                        fcs = crc16(0, (u8 *)skb->data, tx_skb->len - 2);
+                        put_unaligned_le16(fcs, skb->data + tx_skb->len - 2);
+                }
+                l2cap_do_send(chan, tx_skb);
+                __mod_retrans_timer();
+                bt_cb(skb)->tx_seq = chan->next_tx_seq;
+                chan->next_tx_seq = (chan->next_tx_seq + 1) % 64;
+                if (bt_cb(skb)->retries == 1)
+                        chan->unacked_frames++;
+                chan->frames_sent++;
+                if (skb_queue_is_last(&chan->tx_q, skb))
+                        chan->tx_send_head = NULL;
+                else
+                        chan->tx_send_head = skb_queue_next(&chan->tx_q, skb);
+                nsent++;
+        }
+        return nsent;
+}
+static int l2cap_retransmit_frames(struct l2cap_chan *chan)
+{
+        int ret;
+        if (!skb_queue_empty(&chan->tx_q))
+                chan->tx_send_head = chan->tx_q.next;
+        chan->next_tx_seq = chan->expected_ack_seq;
+        ret = l2cap_ertm_send(chan);
+        return ret;
+}
+static void l2cap_send_ack(struct l2cap_chan *chan)
+{
+        u16 control = 0;
+        control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+        if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
+                control |= L2CAP_SUPER_RCV_NOT_READY;
+                chan->conn_state |= L2CAP_CONN_RNR_SENT;
+                l2cap_send_sframe(chan, control);
+                return;
+        }
+        if (l2cap_ertm_send(chan) > 0)
+                return;
+        control |= L2CAP_SUPER_RCV_READY;
+        l2cap_send_sframe(chan, control);
+}
+static void l2cap_send_srejtail(struct l2cap_chan *chan)
+{
+        struct srej_list *tail;
+        u16 control;
+        control = L2CAP_SUPER_SELECT_REJECT;
+        control |= L2CAP_CTRL_FINAL;
+        tail = list_entry((&chan->srej_l)->prev, struct srej_list, list);
+        control |= tail->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+        l2cap_send_sframe(chan, control);
+}
+static inline int l2cap_skbuff_fromiovec(struct sock *sk, struct msghdr *msg, int len, int count, struct sk_buff *skb)
+{
+        struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
+        struct sk_buff **frag;
+        int err, sent = 0;
+        if (memcpy_fromiovec(skb_put(skb, count), msg->msg_iov, count))
+                return -EFAULT;
+        sent += count;
+        len  -= count;
+        /* Continuation fragments (no L2CAP header) */
+        frag = &skb_shinfo(skb)->frag_list;
+        while (len) {
+                count = min_t(unsigned int, conn->mtu, len);
+                *frag = bt_skb_send_alloc(sk, count, msg->msg_flags & MSG_DONTWAIT, &err);
+                if (!*frag)
+                        return err;
+                if (memcpy_fromiovec(skb_put(*frag, count), msg->msg_iov, count))
+                        return -EFAULT;
+                sent += count;
+                len  -= count;
+                frag = &(*frag)->next;
+        }
+        return sent;
+}
+struct sk_buff *l2cap_create_connless_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
+{
+        struct sock *sk = chan->sk;
+        struct l2cap_conn *conn = chan->conn;
+        struct sk_buff *skb;
+        int err, count, hlen = L2CAP_HDR_SIZE + 2;
+        struct l2cap_hdr *lh;
+        BT_DBG("sk %p len %d", sk, (int)len);
+        count = min_t(unsigned int, (conn->mtu - hlen), len);
+        skb = bt_skb_send_alloc(sk, count + hlen,
+                        msg->msg_flags & MSG_DONTWAIT, &err);
+        if (!skb)
+                return ERR_PTR(err);
+        /* Create L2CAP header */
+        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
+        lh->cid = cpu_to_le16(chan->dcid);
+        lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
+        put_unaligned_le16(chan->psm, skb_put(skb, 2));
+        err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
+        if (unlikely(err < 0)) {
+                kfree_skb(skb);
+                return ERR_PTR(err);
+        }
+        return skb;
+}
+struct sk_buff *l2cap_create_basic_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
+{
+        struct sock *sk = chan->sk;
+        struct l2cap_conn *conn = chan->conn;
+        struct sk_buff *skb;
+        int err, count, hlen = L2CAP_HDR_SIZE;
+        struct l2cap_hdr *lh;
+        BT_DBG("sk %p len %d", sk, (int)len);
+        count = min_t(unsigned int, (conn->mtu - hlen), len);
+        skb = bt_skb_send_alloc(sk, count + hlen,
+                        msg->msg_flags & MSG_DONTWAIT, &err);
+        if (!skb)
+                return ERR_PTR(err);
+        /* Create L2CAP header */
+        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
+        lh->cid = cpu_to_le16(chan->dcid);
+        lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
+        err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
+        if (unlikely(err < 0)) {
+                kfree_skb(skb);
+                return ERR_PTR(err);
+        }
+        return skb;
+}
+struct sk_buff *l2cap_create_iframe_pdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len, u16 control, u16 sdulen)
+{
+        struct sock *sk = chan->sk;
+        struct l2cap_conn *conn = chan->conn;
+        struct sk_buff *skb;
+        int err, count, hlen = L2CAP_HDR_SIZE + 2;
+        struct l2cap_hdr *lh;
+        BT_DBG("sk %p len %d", sk, (int)len);
+        if (!conn)
+                return ERR_PTR(-ENOTCONN);
+        if (sdulen)
+                hlen += 2;
+        if (chan->fcs == L2CAP_FCS_CRC16)
+                hlen += 2;
+        count = min_t(unsigned int, (conn->mtu - hlen), len);
+        skb = bt_skb_send_alloc(sk, count + hlen,
+                        msg->msg_flags & MSG_DONTWAIT, &err);
+        if (!skb)
+                return ERR_PTR(err);
+        /* Create L2CAP header */
+        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
+        lh->cid = cpu_to_le16(chan->dcid);
+        lh->len = cpu_to_le16(len + (hlen - L2CAP_HDR_SIZE));
+        put_unaligned_le16(control, skb_put(skb, 2));
+        if (sdulen)
+                put_unaligned_le16(sdulen, skb_put(skb, 2));
+        err = l2cap_skbuff_fromiovec(sk, msg, len, count, skb);
+        if (unlikely(err < 0)) {
+                kfree_skb(skb);
+                return ERR_PTR(err);
+        }
+        if (chan->fcs == L2CAP_FCS_CRC16)
+                put_unaligned_le16(0, skb_put(skb, 2));
+        bt_cb(skb)->retries = 0;
+        return skb;
+}
+int l2cap_sar_segment_sdu(struct l2cap_chan *chan, struct msghdr *msg, size_t len)
+{
+        struct sk_buff *skb;
+        struct sk_buff_head sar_queue;
+        u16 control;
+        size_t size = 0;
+        skb_queue_head_init(&sar_queue);
+        control = L2CAP_SDU_START;
+        skb = l2cap_create_iframe_pdu(chan, msg, chan->remote_mps, control, len);
+        if (IS_ERR(skb))
+                return PTR_ERR(skb);
+        __skb_queue_tail(&sar_queue, skb);
+        len -= chan->remote_mps;
+        size += chan->remote_mps;
+        while (len > 0) {
+                size_t buflen;
+                if (len > chan->remote_mps) {
+                        control = L2CAP_SDU_CONTINUE;
+                        buflen = chan->remote_mps;
+                } else {
+                        control = L2CAP_SDU_END;
+                        buflen = len;
+                }
+                skb = l2cap_create_iframe_pdu(chan, msg, buflen, control, 0);
+                if (IS_ERR(skb)) {
+                        skb_queue_purge(&sar_queue);
+                        return PTR_ERR(skb);
+                }
+                __skb_queue_tail(&sar_queue, skb);
+                len -= buflen;
+                size += buflen;
+        }
+        skb_queue_splice_tail(&sar_queue, &chan->tx_q);
+        if (chan->tx_send_head == NULL)
+                chan->tx_send_head = sar_queue.next;
+        return size;
+}
+static void l2cap_chan_ready(struct sock *sk)
+{
+        struct sock *parent = bt_sk(sk)->parent;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        BT_DBG("sk %p, parent %p", sk, parent);
+        chan->conf_state = 0;
+        l2cap_sock_clear_timer(sk);
+        if (!parent) {
+                /* Outgoing channel.
+                 * Wake up socket sleeping on connect.
+                 */
+                sk->sk_state = BT_CONNECTED;
+                sk->sk_state_change(sk);
+        } else {
+                /* Incoming channel.
+                 * Wake up socket sleeping on accept.
+                 */
+                parent->sk_data_ready(parent, 0);
+        }
+}
+/* Copy frame to all raw sockets on that connection */
+static void l2cap_raw_recv(struct l2cap_conn *conn, struct sk_buff *skb)
+{
+        struct sk_buff *nskb;
+        struct l2cap_chan *chan;
+        BT_DBG("conn %p", conn);
+        read_lock(&conn->chan_lock);
+        list_for_each_entry(chan, &conn->chan_l, list) {
+                struct sock *sk = chan->sk;
+                if (sk->sk_type != SOCK_RAW)
+                        continue;
+                /* Don't send frame to the socket it came from */
+                if (skb->sk == sk)
+                        continue;
+                nskb = skb_clone(skb, GFP_ATOMIC);
+                if (!nskb)
+                        continue;
+                if (sock_queue_rcv_skb(sk, nskb))
+                        kfree_skb(nskb);
+        }
+        read_unlock(&conn->chan_lock);
+}
+/* ---- L2CAP signalling commands ---- */
+static struct sk_buff *l2cap_build_cmd(struct l2cap_conn *conn,
+                                u8 code, u8 ident, u16 dlen, void *data)
+{
+        struct sk_buff *skb, **frag;
+        struct l2cap_cmd_hdr *cmd;
+        struct l2cap_hdr *lh;
+        int len, count;
+        BT_DBG("conn %p, code 0x%2.2x, ident 0x%2.2x, len %d",
+                        conn, code, ident, dlen);
+        len = L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE + dlen;
+        count = min_t(unsigned int, conn->mtu, len);
+        skb = bt_skb_alloc(count, GFP_ATOMIC);
+        if (!skb)
+                return NULL;
+        lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
+        lh->len = cpu_to_le16(L2CAP_CMD_HDR_SIZE + dlen);
+        if (conn->hcon->type == LE_LINK)
+                lh->cid = cpu_to_le16(L2CAP_CID_LE_SIGNALING);
+        else
+                lh->cid = cpu_to_le16(L2CAP_CID_SIGNALING);
+        cmd = (struct l2cap_cmd_hdr *) skb_put(skb, L2CAP_CMD_HDR_SIZE);
+        cmd->code  = code;
+        cmd->ident = ident;
+        cmd->len   = cpu_to_le16(dlen);
+        if (dlen) {
+                count -= L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE;
+                memcpy(skb_put(skb, count), data, count);
+                data += count;
+        }
+        len -= skb->len;
+        /* Continuation fragments (no L2CAP header) */
+        frag = &skb_shinfo(skb)->frag_list;
+        while (len) {
+                count = min_t(unsigned int, conn->mtu, len);
+                *frag = bt_skb_alloc(count, GFP_ATOMIC);
+                if (!*frag)
+                        goto fail;
+                memcpy(skb_put(*frag, count), data, count);
+                len  -= count;
+                data += count;
+                frag = &(*frag)->next;
+        }
+        return skb;
+fail:
+        kfree_skb(skb);
+        return NULL;
+}
+static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen, unsigned long *val)
+{
+        struct l2cap_conf_opt *opt = *ptr;
+        int len;
+        len = L2CAP_CONF_OPT_SIZE + opt->len;
+        *ptr += len;
+        *type = opt->type;
+        *olen = opt->len;
+        switch (opt->len) {
+        case 1:
+                *val = *((u8 *) opt->val);
+                break;
+        case 2:
+                *val = get_unaligned_le16(opt->val);
+                break;
+        case 4:
+                *val = get_unaligned_le32(opt->val);
+                break;
+        default:
+                *val = (unsigned long) opt->val;
+                break;
+        }
+        BT_DBG("type 0x%2.2x len %d val 0x%lx", *type, opt->len, *val);
+        return len;
+}
+static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
+{
+        struct l2cap_conf_opt *opt = *ptr;
+        BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
+        opt->type = type;
+        opt->len  = len;
+        switch (len) {
+        case 1:
+                *((u8 *) opt->val)  = val;
+                break;
+        case 2:
+                put_unaligned_le16(val, opt->val);
+                break;
+        case 4:
+                put_unaligned_le32(val, opt->val);
+                break;
+        default:
+                memcpy(opt->val, (void *) val, len);
+                break;
+        }
+        *ptr += L2CAP_CONF_OPT_SIZE + len;
+}
+static void l2cap_ack_timeout(unsigned long arg)
+{
+        struct l2cap_chan *chan = (void *) arg;
+        bh_lock_sock(chan->sk);
+        l2cap_send_ack(chan);
+        bh_unlock_sock(chan->sk);
+}
+static inline void l2cap_ertm_init(struct l2cap_chan *chan)
+{
+        struct sock *sk = chan->sk;
+        chan->expected_ack_seq = 0;
+        chan->unacked_frames = 0;
+        chan->buffer_seq = 0;
+        chan->num_acked = 0;
+        chan->frames_sent = 0;
+        setup_timer(&chan->retrans_timer, l2cap_retrans_timeout,
+                                                        (unsigned long) chan);
+        setup_timer(&chan->monitor_timer, l2cap_monitor_timeout,
+                                                        (unsigned long) chan);
+        setup_timer(&chan->ack_timer, l2cap_ack_timeout, (unsigned long) chan);
+        skb_queue_head_init(&chan->srej_q);
+        skb_queue_head_init(&chan->busy_q);
+        INIT_LIST_HEAD(&chan->srej_l);
+        INIT_WORK(&chan->busy_work, l2cap_busy_work);
+        sk->sk_backlog_rcv = l2cap_ertm_data_rcv;
+}
+static inline __u8 l2cap_select_mode(__u8 mode, __u16 remote_feat_mask)
+{
+        switch (mode) {
+        case L2CAP_MODE_STREAMING:
+        case L2CAP_MODE_ERTM:
+                if (l2cap_mode_supported(mode, remote_feat_mask))
+                        return mode;
+                /* fall through */
+        default:
+                return L2CAP_MODE_BASIC;
+        }
+}
+static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
+{
+        struct l2cap_conf_req *req = data;
+        struct l2cap_conf_rfc rfc = { .mode = chan->mode };
+        void *ptr = req->data;
+        BT_DBG("chan %p", chan);
+        if (chan->num_conf_req || chan->num_conf_rsp)
+                goto done;
+        switch (chan->mode) {
+        case L2CAP_MODE_STREAMING:
+        case L2CAP_MODE_ERTM:
+                if (chan->conf_state & L2CAP_CONF_STATE2_DEVICE)
+                        break;
+                /* fall through */
+        default:
+                chan->mode = l2cap_select_mode(rfc.mode, chan->conn->feat_mask);
+                break;
+        }
+done:
+        if (chan->imtu != L2CAP_DEFAULT_MTU)
+                l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
+        switch (chan->mode) {
+        case L2CAP_MODE_BASIC:
+                if (!(chan->conn->feat_mask & L2CAP_FEAT_ERTM) &&
+                                !(chan->conn->feat_mask & L2CAP_FEAT_STREAMING))
+                        break;
+                rfc.mode            = L2CAP_MODE_BASIC;
+                rfc.txwin_size      = 0;
+                rfc.max_transmit    = 0;
+                rfc.retrans_timeout = 0;
+                rfc.monitor_timeout = 0;
+                rfc.max_pdu_size    = 0;
+                l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+                                                        (unsigned long) &rfc);
+                break;
+        case L2CAP_MODE_ERTM:
+                rfc.mode            = L2CAP_MODE_ERTM;
+                rfc.txwin_size      = chan->tx_win;
+                rfc.max_transmit    = chan->max_tx;
+                rfc.retrans_timeout = 0;
+                rfc.monitor_timeout = 0;
+                rfc.max_pdu_size    = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
+                if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
+                        rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
+                l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+                                                        (unsigned long) &rfc);
+                if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
+                        break;
+                if (chan->fcs == L2CAP_FCS_NONE ||
+                                chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
+                        chan->fcs = L2CAP_FCS_NONE;
+                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
+                }
+                break;
+        case L2CAP_MODE_STREAMING:
+                rfc.mode            = L2CAP_MODE_STREAMING;
+                rfc.txwin_size      = 0;
+                rfc.max_transmit    = 0;
+                rfc.retrans_timeout = 0;
+                rfc.monitor_timeout = 0;
+                rfc.max_pdu_size    = cpu_to_le16(L2CAP_DEFAULT_MAX_PDU_SIZE);
+                if (L2CAP_DEFAULT_MAX_PDU_SIZE > chan->conn->mtu - 10)
+                        rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
+                l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+                                                        (unsigned long) &rfc);
+                if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
+                        break;
+                if (chan->fcs == L2CAP_FCS_NONE ||
+                                chan->conf_state & L2CAP_CONF_NO_FCS_RECV) {
+                        chan->fcs = L2CAP_FCS_NONE;
+                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
+                }
+                break;
+        }
+        req->dcid  = cpu_to_le16(chan->dcid);
+        req->flags = cpu_to_le16(0);
+        return ptr - data;
+}
+static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
+{
+        struct l2cap_conf_rsp *rsp = data;
+        void *ptr = rsp->data;
+        void *req = chan->conf_req;
+        int len = chan->conf_len;
+        int type, hint, olen;
+        unsigned long val;
+        struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
+        u16 mtu = L2CAP_DEFAULT_MTU;
+        u16 result = L2CAP_CONF_SUCCESS;
+        BT_DBG("chan %p", chan);
+        while (len >= L2CAP_CONF_OPT_SIZE) {
+                len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
+                hint  = type & L2CAP_CONF_HINT;
+                type &= L2CAP_CONF_MASK;
+                switch (type) {
+                case L2CAP_CONF_MTU:
+                        mtu = val;
+                        break;
+                case L2CAP_CONF_FLUSH_TO:
+                        chan->flush_to = val;
+                        break;
+                case L2CAP_CONF_QOS:
+                        break;
+                case L2CAP_CONF_RFC:
+                        if (olen == sizeof(rfc))
+                                memcpy(&rfc, (void *) val, olen);
+                        break;
+                case L2CAP_CONF_FCS:
+                        if (val == L2CAP_FCS_NONE)
+                                chan->conf_state |= L2CAP_CONF_NO_FCS_RECV;
+                        break;
+                default:
+                        if (hint)
+                                break;
+                        result = L2CAP_CONF_UNKNOWN;
+                        *((u8 *) ptr++) = type;
+                        break;
+                }
+        }
+        if (chan->num_conf_rsp || chan->num_conf_req > 1)
+                goto done;
+        switch (chan->mode) {
+        case L2CAP_MODE_STREAMING:
+        case L2CAP_MODE_ERTM:
+                if (!(chan->conf_state & L2CAP_CONF_STATE2_DEVICE)) {
+                        chan->mode = l2cap_select_mode(rfc.mode,
+                                        chan->conn->feat_mask);
+                        break;
+                }
+                if (chan->mode != rfc.mode)
+                        return -ECONNREFUSED;
+                break;
+        }
+done:
+        if (chan->mode != rfc.mode) {
+                result = L2CAP_CONF_UNACCEPT;
+                rfc.mode = chan->mode;
+                if (chan->num_conf_rsp == 1)
+                        return -ECONNREFUSED;
+                l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
+                                        sizeof(rfc), (unsigned long) &rfc);
+        }
+        if (result == L2CAP_CONF_SUCCESS) {
+                /* Configure output options and let the other side know
+                 * which ones we don't like. */
+                if (mtu < L2CAP_DEFAULT_MIN_MTU)
+                        result = L2CAP_CONF_UNACCEPT;
+                else {
+                        chan->omtu = mtu;
+                        chan->conf_state |= L2CAP_CONF_MTU_DONE;
+                }
+                l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
+                switch (rfc.mode) {
+                case L2CAP_MODE_BASIC:
+                        chan->fcs = L2CAP_FCS_NONE;
+                        chan->conf_state |= L2CAP_CONF_MODE_DONE;
+                        break;
+                case L2CAP_MODE_ERTM:
+                        chan->remote_tx_win = rfc.txwin_size;
+                        chan->remote_max_tx = rfc.max_transmit;
+                        if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
+                                rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
+                        chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
+                        rfc.retrans_timeout =
+                                le16_to_cpu(L2CAP_DEFAULT_RETRANS_TO);
+                        rfc.monitor_timeout =
+                                le16_to_cpu(L2CAP_DEFAULT_MONITOR_TO);
+                        chan->conf_state |= L2CAP_CONF_MODE_DONE;
+                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
+                                        sizeof(rfc), (unsigned long) &rfc);
+                        break;
+                case L2CAP_MODE_STREAMING:
+                        if (le16_to_cpu(rfc.max_pdu_size) > chan->conn->mtu - 10)
+                                rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
+                        chan->remote_mps = le16_to_cpu(rfc.max_pdu_size);
+                        chan->conf_state |= L2CAP_CONF_MODE_DONE;
+                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
+                                        sizeof(rfc), (unsigned long) &rfc);
+                        break;
+                default:
+                        result = L2CAP_CONF_UNACCEPT;
+                        memset(&rfc, 0, sizeof(rfc));
+                        rfc.mode = chan->mode;
+                }
+                if (result == L2CAP_CONF_SUCCESS)
+                        chan->conf_state |= L2CAP_CONF_OUTPUT_DONE;
+        }
+        rsp->scid   = cpu_to_le16(chan->dcid);
+        rsp->result = cpu_to_le16(result);
+        rsp->flags  = cpu_to_le16(0x0000);
+        return ptr - data;
+}
+static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
+{
+        struct l2cap_conf_req *req = data;
+        void *ptr = req->data;
+        int type, olen;
+        unsigned long val;
+        struct l2cap_conf_rfc rfc;
+        BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);
+        while (len >= L2CAP_CONF_OPT_SIZE) {
+                len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
+                switch (type) {
+                case L2CAP_CONF_MTU:
+                        if (val < L2CAP_DEFAULT_MIN_MTU) {
+                                *result = L2CAP_CONF_UNACCEPT;
+                                chan->imtu = L2CAP_DEFAULT_MIN_MTU;
+                        } else
+                                chan->imtu = val;
+                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
+                        break;
+                case L2CAP_CONF_FLUSH_TO:
+                        chan->flush_to = val;
+                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
+                                                        2, chan->flush_to);
+                        break;
+                case L2CAP_CONF_RFC:
+                        if (olen == sizeof(rfc))
+                                memcpy(&rfc, (void *)val, olen);
+                        if ((chan->conf_state & L2CAP_CONF_STATE2_DEVICE) &&
+                                                        rfc.mode != chan->mode)
+                                return -ECONNREFUSED;
+                        chan->fcs = 0;
+                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
+                                        sizeof(rfc), (unsigned long) &rfc);
+                        break;
+                }
+        }
+        if (chan->mode == L2CAP_MODE_BASIC && chan->mode != rfc.mode)
+                return -ECONNREFUSED;
+        chan->mode = rfc.mode;
+        if (*result == L2CAP_CONF_SUCCESS) {
+                switch (rfc.mode) {
+                case L2CAP_MODE_ERTM:
+                        chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
+                        chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
+                        chan->mps    = le16_to_cpu(rfc.max_pdu_size);
+                        break;
+                case L2CAP_MODE_STREAMING:
+                        chan->mps    = le16_to_cpu(rfc.max_pdu_size);
+                }
+        }
+        req->dcid   = cpu_to_le16(chan->dcid);
+        req->flags  = cpu_to_le16(0x0000);
+        return ptr - data;
+}
+static int l2cap_build_conf_rsp(struct l2cap_chan *chan, void *data, u16 result, u16 flags)
+{
+        struct l2cap_conf_rsp *rsp = data;
+        void *ptr = rsp->data;
+        BT_DBG("chan %p", chan);
+        rsp->scid   = cpu_to_le16(chan->dcid);
+        rsp->result = cpu_to_le16(result);
+        rsp->flags  = cpu_to_le16(flags);
+        return ptr - data;
+}
+void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)
+{
+        struct l2cap_conn_rsp rsp;
+        struct l2cap_conn *conn = chan->conn;
+        u8 buf[128];
+        rsp.scid   = cpu_to_le16(chan->dcid);
+        rsp.dcid   = cpu_to_le16(chan->scid);
+        rsp.result = cpu_to_le16(L2CAP_CR_SUCCESS);
+        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
+        l2cap_send_cmd(conn, chan->ident,
+                                L2CAP_CONN_RSP, sizeof(rsp), &rsp);
+        if (chan->conf_state & L2CAP_CONF_REQ_SENT)
+                return;
+        chan->conf_state |= L2CAP_CONF_REQ_SENT;
+        l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+                        l2cap_build_conf_req(chan, buf), buf);
+        chan->num_conf_req++;
+}
+static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)
+{
+        int type, olen;
+        unsigned long val;
+        struct l2cap_conf_rfc rfc;
+        BT_DBG("chan %p, rsp %p, len %d", chan, rsp, len);
+        if ((chan->mode != L2CAP_MODE_ERTM) && (chan->mode != L2CAP_MODE_STREAMING))
+                return;
+        while (len >= L2CAP_CONF_OPT_SIZE) {
+                len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
+                switch (type) {
+                case L2CAP_CONF_RFC:
+                        if (olen == sizeof(rfc))
+                                memcpy(&rfc, (void *)val, olen);
+                        goto done;
+                }
+        }
+done:
+        switch (rfc.mode) {
+        case L2CAP_MODE_ERTM:
+                chan->retrans_timeout = le16_to_cpu(rfc.retrans_timeout);
+                chan->monitor_timeout = le16_to_cpu(rfc.monitor_timeout);
+                chan->mps    = le16_to_cpu(rfc.max_pdu_size);
+                break;
+        case L2CAP_MODE_STREAMING:
+                chan->mps    = le16_to_cpu(rfc.max_pdu_size);
+        }
+}
+static inline int l2cap_command_rej(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+{
+        struct l2cap_cmd_rej *rej = (struct l2cap_cmd_rej *) data;
+        if (rej->reason != 0x0000)
+                return 0;
+        if ((conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_SENT) &&
+                                        cmd->ident == conn->info_ident) {
+                del_timer(&conn->info_timer);
+                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
+                conn->info_ident = 0;
+                l2cap_conn_start(conn);
+        }
+        return 0;
+}
+static inline int l2cap_connect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+{
+        struct l2cap_conn_req *req = (struct l2cap_conn_req *) data;
+        struct l2cap_conn_rsp rsp;
+        struct l2cap_chan *chan = NULL, *pchan;
+        struct sock *parent, *sk = NULL;
+        int result, status = L2CAP_CS_NO_INFO;
+        u16 dcid = 0, scid = __le16_to_cpu(req->scid);
+        __le16 psm = req->psm;
+        BT_DBG("psm 0x%2.2x scid 0x%4.4x", psm, scid);
+        /* Check if we have socket listening on psm */
+        pchan = l2cap_global_chan_by_psm(BT_LISTEN, psm, conn->src);
+        if (!pchan) {
+                result = L2CAP_CR_BAD_PSM;
+                goto sendresp;
+        }
+        parent = pchan->sk;
+        bh_lock_sock(parent);
+        /* Check if the ACL is secure enough (if not SDP) */
+        if (psm != cpu_to_le16(0x0001) &&
+                                !hci_conn_check_link_mode(conn->hcon)) {
+                conn->disc_reason = 0x05;
+                result = L2CAP_CR_SEC_BLOCK;
+                goto response;
+        }
+        result = L2CAP_CR_NO_MEM;
+        /* Check for backlog size */
+        if (sk_acceptq_is_full(parent)) {
+                BT_DBG("backlog full %d", parent->sk_ack_backlog);
+                goto response;
+        }
+        sk = l2cap_sock_alloc(sock_net(parent), NULL, BTPROTO_L2CAP, GFP_ATOMIC);
+        if (!sk)
+                goto response;
+        chan = l2cap_chan_create(sk);
+        if (!chan) {
+                l2cap_sock_kill(sk);
+                goto response;
+        }
+        l2cap_pi(sk)->chan = chan;
+        write_lock_bh(&conn->chan_lock);
+        /* Check if we already have channel with that dcid */
+        if (__l2cap_get_chan_by_dcid(conn, scid)) {
+                write_unlock_bh(&conn->chan_lock);
+                sock_set_flag(sk, SOCK_ZAPPED);
+                l2cap_sock_kill(sk);
+                goto response;
+        }
+        hci_conn_hold(conn->hcon);
+        l2cap_sock_init(sk, parent);
+        bacpy(&bt_sk(sk)->src, conn->src);
+        bacpy(&bt_sk(sk)->dst, conn->dst);
+        chan->psm  = psm;
+        chan->dcid = scid;
+        bt_accept_enqueue(parent, sk);
+        __l2cap_chan_add(conn, chan);
+        dcid = chan->scid;
+        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
+        chan->ident = cmd->ident;
+        if (conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE) {
+                if (l2cap_check_security(chan)) {
+                        if (bt_sk(sk)->defer_setup) {
+                                sk->sk_state = BT_CONNECT2;
+                                result = L2CAP_CR_PEND;
+                                status = L2CAP_CS_AUTHOR_PEND;
+                                parent->sk_data_ready(parent, 0);
+                        } else {
+                                sk->sk_state = BT_CONFIG;
+                                result = L2CAP_CR_SUCCESS;
+                                status = L2CAP_CS_NO_INFO;
+                        }
+                } else {
+                        sk->sk_state = BT_CONNECT2;
+                        result = L2CAP_CR_PEND;
+                        status = L2CAP_CS_AUTHEN_PEND;
+                }
+        } else {
+                sk->sk_state = BT_CONNECT2;
+                result = L2CAP_CR_PEND;
+                status = L2CAP_CS_NO_INFO;
+        }
+        write_unlock_bh(&conn->chan_lock);
+response:
+        bh_unlock_sock(parent);
+sendresp:
+        rsp.scid   = cpu_to_le16(scid);
+        rsp.dcid   = cpu_to_le16(dcid);
+        rsp.result = cpu_to_le16(result);
+        rsp.status = cpu_to_le16(status);
+        l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_RSP, sizeof(rsp), &rsp);
+        if (result == L2CAP_CR_PEND && status == L2CAP_CS_NO_INFO) {
+                struct l2cap_info_req info;
+                info.type = cpu_to_le16(L2CAP_IT_FEAT_MASK);
+                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_SENT;
+                conn->info_ident = l2cap_get_ident(conn);
+                mod_timer(&conn->info_timer, jiffies +
+                                        msecs_to_jiffies(L2CAP_INFO_TIMEOUT));
+                l2cap_send_cmd(conn, conn->info_ident,
+                                        L2CAP_INFO_REQ, sizeof(info), &info);
+        }
+        if (chan && !(chan->conf_state & L2CAP_CONF_REQ_SENT) &&
+                                result == L2CAP_CR_SUCCESS) {
+                u8 buf[128];
+                chan->conf_state |= L2CAP_CONF_REQ_SENT;
+                l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+                                        l2cap_build_conf_req(chan, buf), buf);
+                chan->num_conf_req++;
+        }
+        return 0;
+}
+static inline int l2cap_connect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+{
+        struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
+        u16 scid, dcid, result, status;
+        struct l2cap_chan *chan;
+        struct sock *sk;
+        u8 req[128];
+        scid   = __le16_to_cpu(rsp->scid);
+        dcid   = __le16_to_cpu(rsp->dcid);
+        result = __le16_to_cpu(rsp->result);
+        status = __le16_to_cpu(rsp->status);
+        BT_DBG("dcid 0x%4.4x scid 0x%4.4x result 0x%2.2x status 0x%2.2x", dcid, scid, result, status);
+        if (scid) {
+                chan = l2cap_get_chan_by_scid(conn, scid);
+                if (!chan)
+                        return -EFAULT;
+        } else {
+                chan = l2cap_get_chan_by_ident(conn, cmd->ident);
+                if (!chan)
+                        return -EFAULT;
+        }
+        sk = chan->sk;
+        switch (result) {
+        case L2CAP_CR_SUCCESS:
+                sk->sk_state = BT_CONFIG;
+                chan->ident = 0;
+                chan->dcid = dcid;
+                chan->conf_state &= ~L2CAP_CONF_CONNECT_PEND;
+                if (chan->conf_state & L2CAP_CONF_REQ_SENT)
+                        break;
+                chan->conf_state |= L2CAP_CONF_REQ_SENT;
+                l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+                                        l2cap_build_conf_req(chan, req), req);
+                chan->num_conf_req++;
+                break;
+        case L2CAP_CR_PEND:
+                chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
+                break;
+        default:
+                /* don't delete l2cap channel if sk is owned by user */
+                if (sock_owned_by_user(sk)) {
+                        sk->sk_state = BT_DISCONN;
+                        l2cap_sock_clear_timer(sk);
+                        l2cap_sock_set_timer(sk, HZ / 5);
+                        break;
+                }
+                l2cap_chan_del(chan, ECONNREFUSED);
+                break;
+        }
+        bh_unlock_sock(sk);
+        return 0;
+}
+static inline void set_default_fcs(struct l2cap_chan *chan)
+{
+        struct l2cap_pinfo *pi = l2cap_pi(chan->sk);
+        /* FCS is enabled only in ERTM or streaming mode, if one or both
+         * sides request it.
+         */
+        if (chan->mode != L2CAP_MODE_ERTM && chan->mode != L2CAP_MODE_STREAMING)
+                chan->fcs = L2CAP_FCS_NONE;
+        else if (!(pi->chan->conf_state & L2CAP_CONF_NO_FCS_RECV))
+                chan->fcs = L2CAP_FCS_CRC16;
+}
+static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
+{
+        struct l2cap_conf_req *req = (struct l2cap_conf_req *) data;
+        u16 dcid, flags;
+        u8 rsp[64];
+        struct l2cap_chan *chan;
+        struct sock *sk;
+        int len;
+        dcid  = __le16_to_cpu(req->dcid);
+        flags = __le16_to_cpu(req->flags);
+        BT_DBG("dcid 0x%4.4x flags 0x%2.2x", dcid, flags);
+        chan = l2cap_get_chan_by_scid(conn, dcid);
+        if (!chan)
+                return -ENOENT;
+        sk = chan->sk;
+        if (sk->sk_state != BT_CONFIG) {
+                struct l2cap_cmd_rej rej;
+                rej.reason = cpu_to_le16(0x0002);
+                l2cap_send_cmd(conn, cmd->ident, L2CAP_COMMAND_REJ,
+                                sizeof(rej), &rej);
+                goto unlock;
+        }
+        /* Reject if config buffer is too small. */
+        len = cmd_len - sizeof(*req);
+        if (chan->conf_len + len > sizeof(chan->conf_req)) {
+                l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+                                l2cap_build_conf_rsp(chan, rsp,
+                                        L2CAP_CONF_REJECT, flags), rsp);
+                goto unlock;
+        }
+        /* Store config. */
+        memcpy(chan->conf_req + chan->conf_len, req->data, len);
+        chan->conf_len += len;
+        if (flags & 0x0001) {
+                /* Incomplete config. Send empty response. */
+                l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+                                l2cap_build_conf_rsp(chan, rsp,
+                                        L2CAP_CONF_SUCCESS, 0x0001), rsp);
+                goto unlock;
+        }
+        /* Complete config. */
+        len = l2cap_parse_conf_req(chan, rsp);
+        if (len < 0) {
+                l2cap_send_disconn_req(conn, chan, ECONNRESET);
+                goto unlock;
+        }
+        l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
+        chan->num_conf_rsp++;
+        /* Reset config buffer. */
+        chan->conf_len = 0;
+        if (!(chan->conf_state & L2CAP_CONF_OUTPUT_DONE))
+                goto unlock;
+        if (chan->conf_state & L2CAP_CONF_INPUT_DONE) {
+                set_default_fcs(chan);
+                sk->sk_state = BT_CONNECTED;
+                chan->next_tx_seq = 0;
+                chan->expected_tx_seq = 0;
+                skb_queue_head_init(&chan->tx_q);
+                if (chan->mode == L2CAP_MODE_ERTM)
+                        l2cap_ertm_init(chan);
+                l2cap_chan_ready(sk);
+                goto unlock;
+        }
+        if (!(chan->conf_state & L2CAP_CONF_REQ_SENT)) {
+                u8 buf[64];
+                chan->conf_state |= L2CAP_CONF_REQ_SENT;
+                l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+                                        l2cap_build_conf_req(chan, buf), buf);
+                chan->num_conf_req++;
+        }
+unlock:
+        bh_unlock_sock(sk);
+        return 0;
+}
+static inline int l2cap_config_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+{
+        struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
+        u16 scid, flags, result;
+        struct l2cap_chan *chan;
+        struct sock *sk;
+        int len = cmd->len - sizeof(*rsp);
+        scid   = __le16_to_cpu(rsp->scid);
+        flags  = __le16_to_cpu(rsp->flags);
+        result = __le16_to_cpu(rsp->result);
+        BT_DBG("scid 0x%4.4x flags 0x%2.2x result 0x%2.2x",
+                        scid, flags, result);
+        chan = l2cap_get_chan_by_scid(conn, scid);
+        if (!chan)
+                return 0;
+        sk = chan->sk;
+        switch (result) {
+        case L2CAP_CONF_SUCCESS:
+                l2cap_conf_rfc_get(chan, rsp->data, len);
+                break;
+        case L2CAP_CONF_UNACCEPT:
+                if (chan->num_conf_rsp <= L2CAP_CONF_MAX_CONF_RSP) {
+                        char req[64];
+                        if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) {
+                                l2cap_send_disconn_req(conn, chan, ECONNRESET);
+                                goto done;
+                        }
+                        /* throw out any old stored conf requests */
+                        result = L2CAP_CONF_SUCCESS;
+                        len = l2cap_parse_conf_rsp(chan, rsp->data, len,
+                                                                req, &result);
+                        if (len < 0) {
+                                l2cap_send_disconn_req(conn, chan, ECONNRESET);
+                                goto done;
+                        }
+                        l2cap_send_cmd(conn, l2cap_get_ident(conn),
+                                                L2CAP_CONF_REQ, len, req);
+                        chan->num_conf_req++;
+                        if (result != L2CAP_CONF_SUCCESS)
+                                goto done;
+                        break;
+                }
+        default:
+                sk->sk_err = ECONNRESET;
+                l2cap_sock_set_timer(sk, HZ * 5);
+                l2cap_send_disconn_req(conn, chan, ECONNRESET);
+                goto done;
+        }
+        if (flags & 0x01)
+                goto done;
+        chan->conf_state |= L2CAP_CONF_INPUT_DONE;
+        if (chan->conf_state & L2CAP_CONF_OUTPUT_DONE) {
+                set_default_fcs(chan);
+                sk->sk_state = BT_CONNECTED;
+                chan->next_tx_seq = 0;
+                chan->expected_tx_seq = 0;
+                skb_queue_head_init(&chan->tx_q);
+                if (chan->mode ==  L2CAP_MODE_ERTM)
+                        l2cap_ertm_init(chan);
+                l2cap_chan_ready(sk);
+        }
+done:
+        bh_unlock_sock(sk);
+        return 0;
+}
+static inline int l2cap_disconnect_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+{
+        struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
+        struct l2cap_disconn_rsp rsp;
+        u16 dcid, scid;
+        struct l2cap_chan *chan;
+        struct sock *sk;
+        scid = __le16_to_cpu(req->scid);
+        dcid = __le16_to_cpu(req->dcid);
+        BT_DBG("scid 0x%4.4x dcid 0x%4.4x", scid, dcid);
+        chan = l2cap_get_chan_by_scid(conn, dcid);
+        if (!chan)
+                return 0;
+        sk = chan->sk;
+        rsp.dcid = cpu_to_le16(chan->scid);
+        rsp.scid = cpu_to_le16(chan->dcid);
+        l2cap_send_cmd(conn, cmd->ident, L2CAP_DISCONN_RSP, sizeof(rsp), &rsp);
+        sk->sk_shutdown = SHUTDOWN_MASK;
+        /* don't delete l2cap channel if sk is owned by user */
+        if (sock_owned_by_user(sk)) {
+                sk->sk_state = BT_DISCONN;
+                l2cap_sock_clear_timer(sk);
+                l2cap_sock_set_timer(sk, HZ / 5);
+                bh_unlock_sock(sk);
+                return 0;
+        }
+        l2cap_chan_del(chan, ECONNRESET);
+        bh_unlock_sock(sk);
+        l2cap_sock_kill(sk);
+        return 0;
+}
+static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+{
+        struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
+        u16 dcid, scid;
+        struct l2cap_chan *chan;
+        struct sock *sk;
+        scid = __le16_to_cpu(rsp->scid);
+        dcid = __le16_to_cpu(rsp->dcid);
+        BT_DBG("dcid 0x%4.4x scid 0x%4.4x", dcid, scid);
+        chan = l2cap_get_chan_by_scid(conn, scid);
+        if (!chan)
+                return 0;
+        sk = chan->sk;
+        /* don't delete l2cap channel if sk is owned by user */
+        if (sock_owned_by_user(sk)) {
+                sk->sk_state = BT_DISCONN;
+                l2cap_sock_clear_timer(sk);
+                l2cap_sock_set_timer(sk, HZ / 5);
+                bh_unlock_sock(sk);
+                return 0;
+        }
+        l2cap_chan_del(chan, 0);
+        bh_unlock_sock(sk);
+        l2cap_sock_kill(sk);
+        return 0;
+}
+static inline int l2cap_information_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+{
+        struct l2cap_info_req *req = (struct l2cap_info_req *) data;
+        u16 type;
+        type = __le16_to_cpu(req->type);
+        BT_DBG("type 0x%4.4x", type);
+        if (type == L2CAP_IT_FEAT_MASK) {
+                u8 buf[8];
+                u32 feat_mask = l2cap_feat_mask;
+                struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
+                rsp->type   = cpu_to_le16(L2CAP_IT_FEAT_MASK);
+                rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
+                if (!disable_ertm)
+                        feat_mask |= L2CAP_FEAT_ERTM | L2CAP_FEAT_STREAMING
+                                                         | L2CAP_FEAT_FCS;
+                put_unaligned_le32(feat_mask, rsp->data);
+                l2cap_send_cmd(conn, cmd->ident,
+                                        L2CAP_INFO_RSP, sizeof(buf), buf);
+        } else if (type == L2CAP_IT_FIXED_CHAN) {
+                u8 buf[12];
+                struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) buf;
+                rsp->type   = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
+                rsp->result = cpu_to_le16(L2CAP_IR_SUCCESS);
+                memcpy(buf + 4, l2cap_fixed_chan, 8);
+                l2cap_send_cmd(conn, cmd->ident,
+                                        L2CAP_INFO_RSP, sizeof(buf), buf);
+        } else {
+                struct l2cap_info_rsp rsp;
+                rsp.type   = cpu_to_le16(type);
+                rsp.result = cpu_to_le16(L2CAP_IR_NOTSUPP);
+                l2cap_send_cmd(conn, cmd->ident,
+                                        L2CAP_INFO_RSP, sizeof(rsp), &rsp);
+        }
+        return 0;
+}
+static inline int l2cap_information_rsp(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd, u8 *data)
+{
+        struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
+        u16 type, result;
+        type   = __le16_to_cpu(rsp->type);
+        result = __le16_to_cpu(rsp->result);
+        BT_DBG("type 0x%4.4x result 0x%2.2x", type, result);
+        /* L2CAP Info req/rsp are unbound to channels, add extra checks */
+        if (cmd->ident != conn->info_ident ||
+                        conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)
+                return 0;
+        del_timer(&conn->info_timer);
+        if (result != L2CAP_IR_SUCCESS) {
+                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
+                conn->info_ident = 0;
+                l2cap_conn_start(conn);
+                return 0;
+        }
+        if (type == L2CAP_IT_FEAT_MASK) {
+                conn->feat_mask = get_unaligned_le32(rsp->data);
+                if (conn->feat_mask & L2CAP_FEAT_FIXED_CHAN) {
+                        struct l2cap_info_req req;
+                        req.type = cpu_to_le16(L2CAP_IT_FIXED_CHAN);
+                        conn->info_ident = l2cap_get_ident(conn);
+                        l2cap_send_cmd(conn, conn->info_ident,
+                                        L2CAP_INFO_REQ, sizeof(req), &req);
+                } else {
+                        conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
+                        conn->info_ident = 0;
+                        l2cap_conn_start(conn);
+                }
+        } else if (type == L2CAP_IT_FIXED_CHAN) {
+                conn->info_state |= L2CAP_INFO_FEAT_MASK_REQ_DONE;
+                conn->info_ident = 0;
+                l2cap_conn_start(conn);
+        }
+        return 0;
+}
+static inline int l2cap_check_conn_param(u16 min, u16 max, u16 latency,
+                                                        u16 to_multiplier)
+{
+        u16 max_latency;
+        if (min > max || min < 6 || max > 3200)
+                return -EINVAL;
+        if (to_multiplier < 10 || to_multiplier > 3200)
+                return -EINVAL;
+        if (max >= to_multiplier * 8)
+                return -EINVAL;
+        max_latency = (to_multiplier * 8 / max) - 1;
+        if (latency > 499 || latency > max_latency)
+                return -EINVAL;
+        return 0;
+}
+static inline int l2cap_conn_param_update_req(struct l2cap_conn *conn,
+                                        struct l2cap_cmd_hdr *cmd, u8 *data)
+{
+        struct hci_conn *hcon = conn->hcon;
+        struct l2cap_conn_param_update_req *req;
+        struct l2cap_conn_param_update_rsp rsp;
+        u16 min, max, latency, to_multiplier, cmd_len;
+        int err;
+        if (!(hcon->link_mode & HCI_LM_MASTER))
+                return -EINVAL;
+        cmd_len = __le16_to_cpu(cmd->len);
+        if (cmd_len != sizeof(struct l2cap_conn_param_update_req))
+                return -EPROTO;
+        req = (struct l2cap_conn_param_update_req *) data;
+        min             = __le16_to_cpu(req->min);
+        max             = __le16_to_cpu(req->max);
+        latency         = __le16_to_cpu(req->latency);
+        to_multiplier   = __le16_to_cpu(req->to_multiplier);
+        BT_DBG("min 0x%4.4x max 0x%4.4x latency: 0x%4.4x Timeout: 0x%4.4x",
+                                                min, max, latency, to_multiplier);
+        memset(&rsp, 0, sizeof(rsp));
+        err = l2cap_check_conn_param(min, max, latency, to_multiplier);
+        if (err)
+                rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_REJECTED);
+        else
+                rsp.result = cpu_to_le16(L2CAP_CONN_PARAM_ACCEPTED);
+        l2cap_send_cmd(conn, cmd->ident, L2CAP_CONN_PARAM_UPDATE_RSP,
+                                                        sizeof(rsp), &rsp);
+        if (!err)
+                hci_le_conn_update(hcon, min, max, latency, to_multiplier);
+        return 0;
+}
+static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn,
+                        struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
+{
+        int err = 0;
+        switch (cmd->code) {
+        case L2CAP_COMMAND_REJ:
+                l2cap_command_rej(conn, cmd, data);
+                break;
+        case L2CAP_CONN_REQ:
+                err = l2cap_connect_req(conn, cmd, data);
+                break;
+        case L2CAP_CONN_RSP:
+                err = l2cap_connect_rsp(conn, cmd, data);
+                break;
+        case L2CAP_CONF_REQ:
+                err = l2cap_config_req(conn, cmd, cmd_len, data);
+                break;
+        case L2CAP_CONF_RSP:
+                err = l2cap_config_rsp(conn, cmd, data);
+                break;
+        case L2CAP_DISCONN_REQ:
+                err = l2cap_disconnect_req(conn, cmd, data);
+                break;
+        case L2CAP_DISCONN_RSP:
+                err = l2cap_disconnect_rsp(conn, cmd, data);
+                break;
+        case L2CAP_ECHO_REQ:
+                l2cap_send_cmd(conn, cmd->ident, L2CAP_ECHO_RSP, cmd_len, data);
+                break;
+        case L2CAP_ECHO_RSP:
+                break;
+        case L2CAP_INFO_REQ:
+                err = l2cap_information_req(conn, cmd, data);
+                break;
+        case L2CAP_INFO_RSP:
+                err = l2cap_information_rsp(conn, cmd, data);
+                break;
+        default:
+                BT_ERR("Unknown BR/EDR signaling command 0x%2.2x", cmd->code);
+                err = -EINVAL;
+                break;
+        }
+        return err;
+}
+static inline int l2cap_le_sig_cmd(struct l2cap_conn *conn,
+                                        struct l2cap_cmd_hdr *cmd, u8 *data)
+{
+        switch (cmd->code) {
+        case L2CAP_COMMAND_REJ:
+                return 0;
+        case L2CAP_CONN_PARAM_UPDATE_REQ:
+                return l2cap_conn_param_update_req(conn, cmd, data);
+        case L2CAP_CONN_PARAM_UPDATE_RSP:
+                return 0;
+        default:
+                BT_ERR("Unknown LE signaling command 0x%2.2x", cmd->code);
+                return -EINVAL;
+        }
+}
+static inline void l2cap_sig_channel(struct l2cap_conn *conn,
+                                                        struct sk_buff *skb)
+{
+        u8 *data = skb->data;
+        int len = skb->len;
+        struct l2cap_cmd_hdr cmd;
+        int err;
+        l2cap_raw_recv(conn, skb);
+        while (len >= L2CAP_CMD_HDR_SIZE) {
+                u16 cmd_len;
+                memcpy(&cmd, data, L2CAP_CMD_HDR_SIZE);
+                data += L2CAP_CMD_HDR_SIZE;
+                len  -= L2CAP_CMD_HDR_SIZE;
+                cmd_len = le16_to_cpu(cmd.len);
+                BT_DBG("code 0x%2.2x len %d id 0x%2.2x", cmd.code, cmd_len, cmd.ident);
+                if (cmd_len > len || !cmd.ident) {
+                        BT_DBG("corrupted command");
+                        break;
+                }
+                if (conn->hcon->type == LE_LINK)
+                        err = l2cap_le_sig_cmd(conn, &cmd, data);
+                else
+                        err = l2cap_bredr_sig_cmd(conn, &cmd, cmd_len, data);
+                if (err) {
+                        struct l2cap_cmd_rej rej;
+                        BT_ERR("Wrong link type (%d)", err);
+                        /* FIXME: Map err to a valid reason */
+                        rej.reason = cpu_to_le16(0);
+                        l2cap_send_cmd(conn, cmd.ident, L2CAP_COMMAND_REJ, sizeof(rej), &rej);
+                }
+                data += cmd_len;
+                len  -= cmd_len;
+        }
+        kfree_skb(skb);
+}
+static int l2cap_check_fcs(struct l2cap_chan *chan,  struct sk_buff *skb)
+{
+        u16 our_fcs, rcv_fcs;
+        int hdr_size = L2CAP_HDR_SIZE + 2;
+        if (chan->fcs == L2CAP_FCS_CRC16) {
+                skb_trim(skb, skb->len - 2);
+                rcv_fcs = get_unaligned_le16(skb->data + skb->len);
+                our_fcs = crc16(0, skb->data - hdr_size, skb->len + hdr_size);
+                if (our_fcs != rcv_fcs)
+                        return -EBADMSG;
+        }
+        return 0;
+}
+static inline void l2cap_send_i_or_rr_or_rnr(struct l2cap_chan *chan)
+{
+        u16 control = 0;
+        chan->frames_sent = 0;
+        control |= chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+        if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
+                control |= L2CAP_SUPER_RCV_NOT_READY;
+                l2cap_send_sframe(chan, control);
+                chan->conn_state |= L2CAP_CONN_RNR_SENT;
+        }
+        if (chan->conn_state & L2CAP_CONN_REMOTE_BUSY)
+                l2cap_retransmit_frames(chan);
+        l2cap_ertm_send(chan);
+        if (!(chan->conn_state & L2CAP_CONN_LOCAL_BUSY) &&
+                        chan->frames_sent == 0) {
+                control |= L2CAP_SUPER_RCV_READY;
+                l2cap_send_sframe(chan, control);
+        }
+}
+static int l2cap_add_to_srej_queue(struct l2cap_chan *chan, struct sk_buff *skb, u8 tx_seq, u8 sar)
+{
+        struct sk_buff *next_skb;
+        int tx_seq_offset, next_tx_seq_offset;
+        bt_cb(skb)->tx_seq = tx_seq;
+        bt_cb(skb)->sar = sar;
+        next_skb = skb_peek(&chan->srej_q);
+        if (!next_skb) {
+                __skb_queue_tail(&chan->srej_q, skb);
+                return 0;
+        }
+        tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
+        if (tx_seq_offset < 0)
+                tx_seq_offset += 64;
+        do {
+                if (bt_cb(next_skb)->tx_seq == tx_seq)
+                        return -EINVAL;
+                next_tx_seq_offset = (bt_cb(next_skb)->tx_seq -
+                                                chan->buffer_seq) % 64;
+                if (next_tx_seq_offset < 0)
+                        next_tx_seq_offset += 64;
+                if (next_tx_seq_offset > tx_seq_offset) {
+                        __skb_queue_before(&chan->srej_q, next_skb, skb);
+                        return 0;
+                }
+                if (skb_queue_is_last(&chan->srej_q, next_skb))
+                        break;
+        } while ((next_skb = skb_queue_next(&chan->srej_q, next_skb)));
+        __skb_queue_tail(&chan->srej_q, skb);
+        return 0;
+}
+static int l2cap_ertm_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
+{
+        struct sk_buff *_skb;
+        int err;
+        switch (control & L2CAP_CTRL_SAR) {
+        case L2CAP_SDU_UNSEGMENTED:
+                if (chan->conn_state & L2CAP_CONN_SAR_SDU)
+                        goto drop;
+                err = sock_queue_rcv_skb(chan->sk, skb);
+                if (!err)
+                        return err;
+                break;
+        case L2CAP_SDU_START:
+                if (chan->conn_state & L2CAP_CONN_SAR_SDU)
+                        goto drop;
+                chan->sdu_len = get_unaligned_le16(skb->data);
+                if (chan->sdu_len > chan->imtu)
+                        goto disconnect;
+                chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
+                if (!chan->sdu)
+                        return -ENOMEM;
+                /* pull sdu_len bytes only after alloc, because of Local Busy
+                 * condition we have to be sure that this will be executed
+                 * only once, i.e., when alloc does not fail */
+                skb_pull(skb, 2);
+                memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
+                chan->conn_state |= L2CAP_CONN_SAR_SDU;
+                chan->partial_sdu_len = skb->len;
+                break;
+        case L2CAP_SDU_CONTINUE:
+                if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
+                        goto disconnect;
+                if (!chan->sdu)
+                        goto disconnect;
+                chan->partial_sdu_len += skb->len;
+                if (chan->partial_sdu_len > chan->sdu_len)
+                        goto drop;
+                memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
+                break;
+        case L2CAP_SDU_END:
+                if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
+                        goto disconnect;
+                if (!chan->sdu)
+                        goto disconnect;
+                if (!(chan->conn_state & L2CAP_CONN_SAR_RETRY)) {
+                        chan->partial_sdu_len += skb->len;
+                        if (chan->partial_sdu_len > chan->imtu)
+                                goto drop;
+                        if (chan->partial_sdu_len != chan->sdu_len)
+                                goto drop;
+                        memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
+                }
+                _skb = skb_clone(chan->sdu, GFP_ATOMIC);
+                if (!_skb) {
+                        chan->conn_state |= L2CAP_CONN_SAR_RETRY;
+                        return -ENOMEM;
+                }
+                err = sock_queue_rcv_skb(chan->sk, _skb);
+                if (err < 0) {
+                        kfree_skb(_skb);
+                        chan->conn_state |= L2CAP_CONN_SAR_RETRY;
+                        return err;
+                }
+                chan->conn_state &= ~L2CAP_CONN_SAR_RETRY;
+                chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
+                kfree_skb(chan->sdu);
+                break;
+        }
+        kfree_skb(skb);
+        return 0;
+drop:
+        kfree_skb(chan->sdu);
+        chan->sdu = NULL;
+disconnect:
+        l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
+        kfree_skb(skb);
+        return 0;
+}
+static int l2cap_try_push_rx_skb(struct l2cap_chan *chan)
+{
+        struct sk_buff *skb;
+        u16 control;
+        int err;
+        while ((skb = skb_dequeue(&chan->busy_q))) {
+                control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
+                err = l2cap_ertm_reassembly_sdu(chan, skb, control);
+                if (err < 0) {
+                        skb_queue_head(&chan->busy_q, skb);
+                        return -EBUSY;
+                }
+                chan->buffer_seq = (chan->buffer_seq + 1) % 64;
+        }
+        if (!(chan->conn_state & L2CAP_CONN_RNR_SENT))
+                goto done;
+        control = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+        control |= L2CAP_SUPER_RCV_READY | L2CAP_CTRL_POLL;
+        l2cap_send_sframe(chan, control);
+        chan->retry_count = 1;
+        del_timer(&chan->retrans_timer);
+        __mod_monitor_timer();
+        chan->conn_state |= L2CAP_CONN_WAIT_F;
+done:
+        chan->conn_state &= ~L2CAP_CONN_LOCAL_BUSY;
+        chan->conn_state &= ~L2CAP_CONN_RNR_SENT;
+        BT_DBG("chan %p, Exit local busy", chan);
+        return 0;
+}
+static void l2cap_busy_work(struct work_struct *work)
+{
+        DECLARE_WAITQUEUE(wait, current);
+        struct l2cap_chan *chan =
+                container_of(work, struct l2cap_chan, busy_work);
+        struct sock *sk = chan->sk;
+        int n_tries = 0, timeo = HZ/5, err;
+        struct sk_buff *skb;
+        lock_sock(sk);
+        add_wait_queue(sk_sleep(sk), &wait);
+        while ((skb = skb_peek(&chan->busy_q))) {
+                set_current_state(TASK_INTERRUPTIBLE);
+                if (n_tries++ > L2CAP_LOCAL_BUSY_TRIES) {
+                        err = -EBUSY;
+                        l2cap_send_disconn_req(chan->conn, chan, EBUSY);
+                        break;
+                }
+                if (!timeo)
+                        timeo = HZ/5;
+                if (signal_pending(current)) {
+                        err = sock_intr_errno(timeo);
+                        break;
+                }
+                release_sock(sk);
+                timeo = schedule_timeout(timeo);
+                lock_sock(sk);
+                err = sock_error(sk);
+                if (err)
+                        break;
+                if (l2cap_try_push_rx_skb(chan) == 0)
+                        break;
+        }
+        set_current_state(TASK_RUNNING);
+        remove_wait_queue(sk_sleep(sk), &wait);
+        release_sock(sk);
+}
+static int l2cap_push_rx_skb(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
+{
+        int sctrl, err;
+        if (chan->conn_state & L2CAP_CONN_LOCAL_BUSY) {
+                bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
+                __skb_queue_tail(&chan->busy_q, skb);
+                return l2cap_try_push_rx_skb(chan);
+        }
+        err = l2cap_ertm_reassembly_sdu(chan, skb, control);
+        if (err >= 0) {
+                chan->buffer_seq = (chan->buffer_seq + 1) % 64;
+                return err;
+        }
+        /* Busy Condition */
+        BT_DBG("chan %p, Enter local busy", chan);
+        chan->conn_state |= L2CAP_CONN_LOCAL_BUSY;
+        bt_cb(skb)->sar = control >> L2CAP_CTRL_SAR_SHIFT;
+        __skb_queue_tail(&chan->busy_q, skb);
+        sctrl = chan->buffer_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+        sctrl |= L2CAP_SUPER_RCV_NOT_READY;
+        l2cap_send_sframe(chan, sctrl);
+        chan->conn_state |= L2CAP_CONN_RNR_SENT;
+        del_timer(&chan->ack_timer);
+        queue_work(_busy_wq, &chan->busy_work);
+        return err;
+}
+static int l2cap_streaming_reassembly_sdu(struct l2cap_chan *chan, struct sk_buff *skb, u16 control)
+{
+        struct sk_buff *_skb;
+        int err = -EINVAL;
+        /*
+         * TODO: We have to notify the userland if some data is lost with the
+         * Streaming Mode.
+         */
+        switch (control & L2CAP_CTRL_SAR) {
+        case L2CAP_SDU_UNSEGMENTED:
+                if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
+                        kfree_skb(chan->sdu);
+                        break;
+                }
+                err = sock_queue_rcv_skb(chan->sk, skb);
+                if (!err)
+                        return 0;
+                break;
+        case L2CAP_SDU_START:
+                if (chan->conn_state & L2CAP_CONN_SAR_SDU) {
+                        kfree_skb(chan->sdu);
+                        break;
+                }
+                chan->sdu_len = get_unaligned_le16(skb->data);
+                skb_pull(skb, 2);
+                if (chan->sdu_len > chan->imtu) {
+                        err = -EMSGSIZE;
+                        break;
+                }
+                chan->sdu = bt_skb_alloc(chan->sdu_len, GFP_ATOMIC);
+                if (!chan->sdu) {
+                        err = -ENOMEM;
+                        break;
+                }
+                memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
+                chan->conn_state |= L2CAP_CONN_SAR_SDU;
+                chan->partial_sdu_len = skb->len;
+                err = 0;
+                break;
+        case L2CAP_SDU_CONTINUE:
+                if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
+                        break;
+                memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
+                chan->partial_sdu_len += skb->len;
+                if (chan->partial_sdu_len > chan->sdu_len)
+                        kfree_skb(chan->sdu);
+                else
+                        err = 0;
+                break;
+        case L2CAP_SDU_END:
+                if (!(chan->conn_state & L2CAP_CONN_SAR_SDU))
+                        break;
+                memcpy(skb_put(chan->sdu, skb->len), skb->data, skb->len);
+                chan->conn_state &= ~L2CAP_CONN_SAR_SDU;
+                chan->partial_sdu_len += skb->len;
+                if (chan->partial_sdu_len > chan->imtu)
+                        goto drop;
+                if (chan->partial_sdu_len == chan->sdu_len) {
+                        _skb = skb_clone(chan->sdu, GFP_ATOMIC);
+                        err = sock_queue_rcv_skb(chan->sk, _skb);
+                        if (err < 0)
+                                kfree_skb(_skb);
+                }
+                err = 0;
+drop:
+                kfree_skb(chan->sdu);
+                break;
+        }
+        kfree_skb(skb);
+        return err;
+}
+static void l2cap_check_srej_gap(struct l2cap_chan *chan, u8 tx_seq)
+{
+        struct sk_buff *skb;
+        u16 control;
+        while ((skb = skb_peek(&chan->srej_q))) {
+                if (bt_cb(skb)->tx_seq != tx_seq)
+                        break;
+                skb = skb_dequeue(&chan->srej_q);
+                control = bt_cb(skb)->sar << L2CAP_CTRL_SAR_SHIFT;
+                l2cap_ertm_reassembly_sdu(chan, skb, control);
+                chan->buffer_seq_srej =
+                        (chan->buffer_seq_srej + 1) % 64;
+                tx_seq = (tx_seq + 1) % 64;
+        }
+}
+static void l2cap_resend_srejframe(struct l2cap_chan *chan, u8 tx_seq)
+{
+        struct srej_list *l, *tmp;
+        u16 control;
+        list_for_each_entry_safe(l, tmp, &chan->srej_l, list) {
+                if (l->tx_seq == tx_seq) {
+                        list_del(&l->list);
+                        kfree(l);
+                        return;
+                }
+                control = L2CAP_SUPER_SELECT_REJECT;
+                control |= l->tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+                l2cap_send_sframe(chan, control);
+                list_del(&l->list);
+                list_add_tail(&l->list, &chan->srej_l);
+        }
+}
+static void l2cap_send_srejframe(struct l2cap_chan *chan, u8 tx_seq)
+{
+        struct srej_list *new;
+        u16 control;
+        while (tx_seq != chan->expected_tx_seq) {
+                control = L2CAP_SUPER_SELECT_REJECT;
+                control |= chan->expected_tx_seq << L2CAP_CTRL_REQSEQ_SHIFT;
+                l2cap_send_sframe(chan, control);
+                new = kzalloc(sizeof(struct srej_list), GFP_ATOMIC);
+                new->tx_seq = chan->expected_tx_seq;
+                chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
+                list_add_tail(&new->list, &chan->srej_l);
+        }
+        chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
+}
+static inline int l2cap_data_channel_iframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
+{
+        u8 tx_seq = __get_txseq(rx_control);
+        u8 req_seq = __get_reqseq(rx_control);
+        u8 sar = rx_control >> L2CAP_CTRL_SAR_SHIFT;
+        int tx_seq_offset, expected_tx_seq_offset;
+        int num_to_ack = (chan->tx_win/6) + 1;
+        int err = 0;
+        BT_DBG("chan %p len %d tx_seq %d rx_control 0x%4.4x", chan, skb->len,
+                                                        tx_seq, rx_control);
+        if (L2CAP_CTRL_FINAL & rx_control &&
+                        chan->conn_state & L2CAP_CONN_WAIT_F) {
+                del_timer(&chan->monitor_timer);
+                if (chan->unacked_frames > 0)
+                        __mod_retrans_timer();
+                chan->conn_state &= ~L2CAP_CONN_WAIT_F;
+        }
+        chan->expected_ack_seq = req_seq;
+        l2cap_drop_acked_frames(chan);
+        if (tx_seq == chan->expected_tx_seq)
+                goto expected;
+        tx_seq_offset = (tx_seq - chan->buffer_seq) % 64;
+        if (tx_seq_offset < 0)
+                tx_seq_offset += 64;
+        /* invalid tx_seq */
+        if (tx_seq_offset >= chan->tx_win) {
+                l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
+                goto drop;
+        }
+        if (chan->conn_state == L2CAP_CONN_LOCAL_BUSY)
+                goto drop;
+        if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
+                struct srej_list *first;
+                first = list_first_entry(&chan->srej_l,
+                                struct srej_list, list);
+                if (tx_seq == first->tx_seq) {
+                        l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
+                        l2cap_check_srej_gap(chan, tx_seq);
+                        list_del(&first->list);
+                        kfree(first);
+                        if (list_empty(&chan->srej_l)) {
+                                chan->buffer_seq = chan->buffer_seq_srej;
+                                chan->conn_state &= ~L2CAP_CONN_SREJ_SENT;
+                                l2cap_send_ack(chan);
+                                BT_DBG("chan %p, Exit SREJ_SENT", chan);
+                        }
+                } else {
+                        struct srej_list *l;
+                        /* duplicated tx_seq */
+                        if (l2cap_add_to_srej_queue(chan, skb, tx_seq, sar) < 0)
+                                goto drop;
+                        list_for_each_entry(l, &chan->srej_l, list) {
+                                if (l->tx_seq == tx_seq) {
+                                        l2cap_resend_srejframe(chan, tx_seq);
+                                        return 0;
+                                }
+                        }
+                        l2cap_send_srejframe(chan, tx_seq);
+                }
+        } else {
+                expected_tx_seq_offset =
+                        (chan->expected_tx_seq - chan->buffer_seq) % 64;
+                if (expected_tx_seq_offset < 0)
+                        expected_tx_seq_offset += 64;
+                /* duplicated tx_seq */
+                if (tx_seq_offset < expected_tx_seq_offset)
+                        goto drop;
+                chan->conn_state |= L2CAP_CONN_SREJ_SENT;
+                BT_DBG("chan %p, Enter SREJ", chan);
+                INIT_LIST_HEAD(&chan->srej_l);
+                chan->buffer_seq_srej = chan->buffer_seq;
+                __skb_queue_head_init(&chan->srej_q);
+                __skb_queue_head_init(&chan->busy_q);
+                l2cap_add_to_srej_queue(chan, skb, tx_seq, sar);
+                chan->conn_state |= L2CAP_CONN_SEND_PBIT;
+                l2cap_send_srejframe(chan, tx_seq);
+                del_timer(&chan->ack_timer);
+        }
+        return 0;
+expected:
+        chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
+        if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
+                bt_cb(skb)->tx_seq = tx_seq;
+                bt_cb(skb)->sar = sar;
+                __skb_queue_tail(&chan->srej_q, skb);
+                return 0;
+        }
+        err = l2cap_push_rx_skb(chan, skb, rx_control);
+        if (err < 0)
+                return 0;
+        if (rx_control & L2CAP_CTRL_FINAL) {
+                if (chan->conn_state & L2CAP_CONN_REJ_ACT)
+                        chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
+                else
+                        l2cap_retransmit_frames(chan);
+        }
+        __mod_ack_timer();
+        chan->num_acked = (chan->num_acked + 1) % num_to_ack;
+        if (chan->num_acked == num_to_ack - 1)
+                l2cap_send_ack(chan);
+        return 0;
+drop:
+        kfree_skb(skb);
+        return 0;
+}
+static inline void l2cap_data_channel_rrframe(struct l2cap_chan *chan, u16 rx_control)
+{
+        BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, __get_reqseq(rx_control),
+                                                rx_control);
+        chan->expected_ack_seq = __get_reqseq(rx_control);
+        l2cap_drop_acked_frames(chan);
+        if (rx_control & L2CAP_CTRL_POLL) {
+                chan->conn_state |= L2CAP_CONN_SEND_FBIT;
+                if (chan->conn_state & L2CAP_CONN_SREJ_SENT) {
+                        if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
+                                        (chan->unacked_frames > 0))
+                                __mod_retrans_timer();
+                        chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
+                        l2cap_send_srejtail(chan);
+                } else {
+                        l2cap_send_i_or_rr_or_rnr(chan);
+                }
+        } else if (rx_control & L2CAP_CTRL_FINAL) {
+                chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
+                if (chan->conn_state & L2CAP_CONN_REJ_ACT)
+                        chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
+                else
+                        l2cap_retransmit_frames(chan);
+        } else {
+                if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
+                                (chan->unacked_frames > 0))
+                        __mod_retrans_timer();
+                chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
+                if (chan->conn_state & L2CAP_CONN_SREJ_SENT)
+                        l2cap_send_ack(chan);
+                else
+                        l2cap_ertm_send(chan);
+        }
+}
+static inline void l2cap_data_channel_rejframe(struct l2cap_chan *chan, u16 rx_control)
+{
+        u8 tx_seq = __get_reqseq(rx_control);
+        BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
+        chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
+        chan->expected_ack_seq = tx_seq;
+        l2cap_drop_acked_frames(chan);
+        if (rx_control & L2CAP_CTRL_FINAL) {
+                if (chan->conn_state & L2CAP_CONN_REJ_ACT)
+                        chan->conn_state &= ~L2CAP_CONN_REJ_ACT;
+                else
+                        l2cap_retransmit_frames(chan);
+        } else {
+                l2cap_retransmit_frames(chan);
+                if (chan->conn_state & L2CAP_CONN_WAIT_F)
+                        chan->conn_state |= L2CAP_CONN_REJ_ACT;
+        }
+}
+static inline void l2cap_data_channel_srejframe(struct l2cap_chan *chan, u16 rx_control)
+{
+        u8 tx_seq = __get_reqseq(rx_control);
+        BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
+        chan->conn_state &= ~L2CAP_CONN_REMOTE_BUSY;
+        if (rx_control & L2CAP_CTRL_POLL) {
+                chan->expected_ack_seq = tx_seq;
+                l2cap_drop_acked_frames(chan);
+                chan->conn_state |= L2CAP_CONN_SEND_FBIT;
+                l2cap_retransmit_one_frame(chan, tx_seq);
+                l2cap_ertm_send(chan);
+                if (chan->conn_state & L2CAP_CONN_WAIT_F) {
+                        chan->srej_save_reqseq = tx_seq;
+                        chan->conn_state |= L2CAP_CONN_SREJ_ACT;
+                }
+        } else if (rx_control & L2CAP_CTRL_FINAL) {
+                if ((chan->conn_state & L2CAP_CONN_SREJ_ACT) &&
+                                chan->srej_save_reqseq == tx_seq)
+                        chan->conn_state &= ~L2CAP_CONN_SREJ_ACT;
+                else
+                        l2cap_retransmit_one_frame(chan, tx_seq);
+        } else {
+                l2cap_retransmit_one_frame(chan, tx_seq);
+                if (chan->conn_state & L2CAP_CONN_WAIT_F) {
+                        chan->srej_save_reqseq = tx_seq;
+                        chan->conn_state |= L2CAP_CONN_SREJ_ACT;
+                }
+        }
+}
+static inline void l2cap_data_channel_rnrframe(struct l2cap_chan *chan, u16 rx_control)
+{
+        u8 tx_seq = __get_reqseq(rx_control);
+        BT_DBG("chan %p, req_seq %d ctrl 0x%4.4x", chan, tx_seq, rx_control);
+        chan->conn_state |= L2CAP_CONN_REMOTE_BUSY;
+        chan->expected_ack_seq = tx_seq;
+        l2cap_drop_acked_frames(chan);
+        if (rx_control & L2CAP_CTRL_POLL)
+                chan->conn_state |= L2CAP_CONN_SEND_FBIT;
+        if (!(chan->conn_state & L2CAP_CONN_SREJ_SENT)) {
+                del_timer(&chan->retrans_timer);
+                if (rx_control & L2CAP_CTRL_POLL)
+                        l2cap_send_rr_or_rnr(chan, L2CAP_CTRL_FINAL);
+                return;
+        }
+        if (rx_control & L2CAP_CTRL_POLL)
+                l2cap_send_srejtail(chan);
+        else
+                l2cap_send_sframe(chan, L2CAP_SUPER_RCV_READY);
+}
+static inline int l2cap_data_channel_sframe(struct l2cap_chan *chan, u16 rx_control, struct sk_buff *skb)
+{
+        BT_DBG("chan %p rx_control 0x%4.4x len %d", chan, rx_control, skb->len);
+        if (L2CAP_CTRL_FINAL & rx_control &&
+                        chan->conn_state & L2CAP_CONN_WAIT_F) {
+                del_timer(&chan->monitor_timer);
+                if (chan->unacked_frames > 0)
+                        __mod_retrans_timer();
+                chan->conn_state &= ~L2CAP_CONN_WAIT_F;
+        }
+        switch (rx_control & L2CAP_CTRL_SUPERVISE) {
+        case L2CAP_SUPER_RCV_READY:
+                l2cap_data_channel_rrframe(chan, rx_control);
+                break;
+        case L2CAP_SUPER_REJECT:
+                l2cap_data_channel_rejframe(chan, rx_control);
+                break;
+        case L2CAP_SUPER_SELECT_REJECT:
+                l2cap_data_channel_srejframe(chan, rx_control);
+                break;
+        case L2CAP_SUPER_RCV_NOT_READY:
+                l2cap_data_channel_rnrframe(chan, rx_control);
+                break;
+        }
+        kfree_skb(skb);
+        return 0;
+}
+static int l2cap_ertm_data_rcv(struct sock *sk, struct sk_buff *skb)
+{
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        u16 control;
+        u8 req_seq;
+        int len, next_tx_seq_offset, req_seq_offset;
+        control = get_unaligned_le16(skb->data);
+        skb_pull(skb, 2);
+        len = skb->len;
+        /*
+         * We can just drop the corrupted I-frame here.
+         * Receiver will miss it and start proper recovery
+         * procedures and ask retransmission.
+         */
+        if (l2cap_check_fcs(chan, skb))
+                goto drop;
+        if (__is_sar_start(control) && __is_iframe(control))
+                len -= 2;
+        if (chan->fcs == L2CAP_FCS_CRC16)
+                len -= 2;
+        if (len > chan->mps) {
+                l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
+                goto drop;
+        }
+        req_seq = __get_reqseq(control);
+        req_seq_offset = (req_seq - chan->expected_ack_seq) % 64;
+        if (req_seq_offset < 0)
+                req_seq_offset += 64;
+        next_tx_seq_offset =
+                (chan->next_tx_seq - chan->expected_ack_seq) % 64;
+        if (next_tx_seq_offset < 0)
+                next_tx_seq_offset += 64;
+        /* check for invalid req-seq */
+        if (req_seq_offset > next_tx_seq_offset) {
+                l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
+                goto drop;
+        }
+        if (__is_iframe(control)) {
+                if (len < 0) {
+                        l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
+                        goto drop;
+                }
+                l2cap_data_channel_iframe(chan, control, skb);
+        } else {
+                if (len != 0) {
+                        BT_ERR("%d", len);
+                        l2cap_send_disconn_req(chan->conn, chan, ECONNRESET);
+                        goto drop;
+                }
+                l2cap_data_channel_sframe(chan, control, skb);
+        }
+        return 0;
+drop:
+        kfree_skb(skb);
+        return 0;
+}
+static inline int l2cap_data_channel(struct l2cap_conn *conn, u16 cid, struct sk_buff *skb)
+{
+        struct l2cap_chan *chan;
+        struct sock *sk = NULL;
+        struct l2cap_pinfo *pi;
+        u16 control;
+        u8 tx_seq;
+        int len;
+        chan = l2cap_get_chan_by_scid(conn, cid);
+        if (!chan) {
+                BT_DBG("unknown cid 0x%4.4x", cid);
+                goto drop;
+        }
+        sk = chan->sk;
+        pi = l2cap_pi(sk);
+        BT_DBG("chan %p, len %d", chan, skb->len);
+        if (sk->sk_state != BT_CONNECTED)
+                goto drop;
+        switch (chan->mode) {
+        case L2CAP_MODE_BASIC:
+                /* If socket recv buffers overflows we drop data here
+                 * which is *bad* because L2CAP has to be reliable.
+                 * But we don't have any other choice. L2CAP doesn't
+                 * provide flow control mechanism. */
+                if (chan->imtu < skb->len)
+                        goto drop;
+                if (!sock_queue_rcv_skb(sk, skb))
+                        goto done;
+                break;
+        case L2CAP_MODE_ERTM:
+                if (!sock_owned_by_user(sk)) {
+                        l2cap_ertm_data_rcv(sk, skb);
+                } else {
+                        if (sk_add_backlog(sk, skb))
+                                goto drop;
+                }
+                goto done;
+        case L2CAP_MODE_STREAMING:
+                control = get_unaligned_le16(skb->data);
+                skb_pull(skb, 2);
+                len = skb->len;
+                if (l2cap_check_fcs(chan, skb))
+                        goto drop;
+                if (__is_sar_start(control))
+                        len -= 2;
+                if (chan->fcs == L2CAP_FCS_CRC16)
+                        len -= 2;
+                if (len > chan->mps || len < 0 || __is_sframe(control))
+                        goto drop;
+                tx_seq = __get_txseq(control);
+                if (chan->expected_tx_seq == tx_seq)
+                        chan->expected_tx_seq = (chan->expected_tx_seq + 1) % 64;
+                else
+                        chan->expected_tx_seq = (tx_seq + 1) % 64;
+                l2cap_streaming_reassembly_sdu(chan, skb, control);
+                goto done;
+        default:
+                BT_DBG("chan %p: bad mode 0x%2.2x", chan, chan->mode);
+                break;
+        }
+drop:
+        kfree_skb(skb);
+done:
+        if (sk)
+                bh_unlock_sock(sk);
+        return 0;
+}
+static inline int l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, struct sk_buff *skb)
+{
+        struct sock *sk = NULL;
+        struct l2cap_chan *chan;
+        chan = l2cap_global_chan_by_psm(0, psm, conn->src);
+        if (!chan)
+                goto drop;
+        sk = chan->sk;
+        bh_lock_sock(sk);
+        BT_DBG("sk %p, len %d", sk, skb->len);
+        if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
+                goto drop;
+        if (l2cap_pi(sk)->chan->imtu < skb->len)
+                goto drop;
+        if (!sock_queue_rcv_skb(sk, skb))
+                goto done;
+drop:
+        kfree_skb(skb);
+done:
+        if (sk)
+                bh_unlock_sock(sk);
+        return 0;
+}
+static inline int l2cap_att_channel(struct l2cap_conn *conn, __le16 cid, struct sk_buff *skb)
+{
+        struct sock *sk = NULL;
+        struct l2cap_chan *chan;
+        chan = l2cap_global_chan_by_scid(0, cid, conn->src);
+        if (!chan)
+                goto drop;
+        sk = chan->sk;
+        bh_lock_sock(sk);
+        BT_DBG("sk %p, len %d", sk, skb->len);
+        if (sk->sk_state != BT_BOUND && sk->sk_state != BT_CONNECTED)
+                goto drop;
+        if (l2cap_pi(sk)->chan->imtu < skb->len)
+                goto drop;
+        if (!sock_queue_rcv_skb(sk, skb))
+                goto done;
+drop:
+        kfree_skb(skb);
+done:
+        if (sk)
+                bh_unlock_sock(sk);
+        return 0;
+}
+static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
+{
+        struct l2cap_hdr *lh = (void *) skb->data;
+        u16 cid, len;
+        __le16 psm;
+        skb_pull(skb, L2CAP_HDR_SIZE);
+        cid = __le16_to_cpu(lh->cid);
+        len = __le16_to_cpu(lh->len);
+        if (len != skb->len) {
+                kfree_skb(skb);
+                return;
+        }
+        BT_DBG("len %d, cid 0x%4.4x", len, cid);
+        switch (cid) {
+        case L2CAP_CID_LE_SIGNALING:
+        case L2CAP_CID_SIGNALING:
+                l2cap_sig_channel(conn, skb);
+                break;
+        case L2CAP_CID_CONN_LESS:
+                psm = get_unaligned_le16(skb->data);
+                skb_pull(skb, 2);
+                l2cap_conless_channel(conn, psm, skb);
+                break;
+        case L2CAP_CID_LE_DATA:
+                l2cap_att_channel(conn, cid, skb);
+                break;
+        default:
+                l2cap_data_channel(conn, cid, skb);
+                break;
+        }
+}
+/* ---- L2CAP interface with lower layer (HCI) ---- */
+static int l2cap_connect_ind(struct hci_dev *hdev, bdaddr_t *bdaddr, u8 type)
+{
+        int exact = 0, lm1 = 0, lm2 = 0;
+        struct l2cap_chan *c;
+        if (type != ACL_LINK)
+                return -EINVAL;
+        BT_DBG("hdev %s, bdaddr %s", hdev->name, batostr(bdaddr));
+        /* Find listening sockets and check their link_mode */
+        read_lock(&chan_list_lock);
+        list_for_each_entry(c, &chan_list, global_l) {
+                struct sock *sk = c->sk;
+                if (sk->sk_state != BT_LISTEN)
+                        continue;
+                if (!bacmp(&bt_sk(sk)->src, &hdev->bdaddr)) {
+                        lm1 |= HCI_LM_ACCEPT;
+                        if (c->role_switch)
+                                lm1 |= HCI_LM_MASTER;
+                        exact++;
+                } else if (!bacmp(&bt_sk(sk)->src, BDADDR_ANY)) {
+                        lm2 |= HCI_LM_ACCEPT;
+                        if (c->role_switch)
+                                lm2 |= HCI_LM_MASTER;
+                }
+        }
+        read_unlock(&chan_list_lock);
+        return exact ? lm1 : lm2;
+}
+static int l2cap_connect_cfm(struct hci_conn *hcon, u8 status)
+{
+        struct l2cap_conn *conn;
+        BT_DBG("hcon %p bdaddr %s status %d", hcon, batostr(&hcon->dst), status);
+        if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
+                return -EINVAL;
+        if (!status) {
+                conn = l2cap_conn_add(hcon, status);
+                if (conn)
+                        l2cap_conn_ready(conn);
+        } else
+                l2cap_conn_del(hcon, bt_err(status));
+        return 0;
+}
+static int l2cap_disconn_ind(struct hci_conn *hcon)
+{
+        struct l2cap_conn *conn = hcon->l2cap_data;
+        BT_DBG("hcon %p", hcon);
+        if (hcon->type != ACL_LINK || !conn)
+                return 0x13;
+        return conn->disc_reason;
+}
+static int l2cap_disconn_cfm(struct hci_conn *hcon, u8 reason)
+{
+        BT_DBG("hcon %p reason %d", hcon, reason);
+        if (!(hcon->type == ACL_LINK || hcon->type == LE_LINK))
+                return -EINVAL;
+        l2cap_conn_del(hcon, bt_err(reason));
+        return 0;
+}
+static inline void l2cap_check_encryption(struct l2cap_chan *chan, u8 encrypt)
+{
+        struct sock *sk = chan->sk;
+        if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM)
+                return;
+        if (encrypt == 0x00) {
+                if (chan->sec_level == BT_SECURITY_MEDIUM) {
+                        l2cap_sock_clear_timer(sk);
+                        l2cap_sock_set_timer(sk, HZ * 5);
+                } else if (chan->sec_level == BT_SECURITY_HIGH)
+                        __l2cap_sock_close(sk, ECONNREFUSED);
+        } else {
+                if (chan->sec_level == BT_SECURITY_MEDIUM)
+                        l2cap_sock_clear_timer(sk);
+        }
+}
+static int l2cap_security_cfm(struct hci_conn *hcon, u8 status, u8 encrypt)
+{
+        struct l2cap_conn *conn = hcon->l2cap_data;
+        struct l2cap_chan *chan;
+        if (!conn)
+                return 0;
+        BT_DBG("conn %p", conn);
+        read_lock(&conn->chan_lock);
+        list_for_each_entry(chan, &conn->chan_l, list) {
+                struct sock *sk = chan->sk;
+                bh_lock_sock(sk);
+                if (chan->conf_state & L2CAP_CONF_CONNECT_PEND) {
+                        bh_unlock_sock(sk);
+                        continue;
+                }
+                if (!status && (sk->sk_state == BT_CONNECTED ||
+                                                sk->sk_state == BT_CONFIG)) {
+                        l2cap_check_encryption(chan, encrypt);
+                        bh_unlock_sock(sk);
+                        continue;
+                }
+                if (sk->sk_state == BT_CONNECT) {
+                        if (!status) {
+                                struct l2cap_conn_req req;
+                                req.scid = cpu_to_le16(chan->scid);
+                                req.psm  = chan->psm;
+                                chan->ident = l2cap_get_ident(conn);
+                                chan->conf_state |= L2CAP_CONF_CONNECT_PEND;
+                                l2cap_send_cmd(conn, chan->ident,
+                                        L2CAP_CONN_REQ, sizeof(req), &req);
+                        } else {
+                                l2cap_sock_clear_timer(sk);
+                                l2cap_sock_set_timer(sk, HZ / 10);
+                        }
+                } else if (sk->sk_state == BT_CONNECT2) {
+                        struct l2cap_conn_rsp rsp;
+                        __u16 result;
+                        if (!status) {
+                                sk->sk_state = BT_CONFIG;
+                                result = L2CAP_CR_SUCCESS;
+                        } else {
+                                sk->sk_state = BT_DISCONN;
+                                l2cap_sock_set_timer(sk, HZ / 10);
+                                result = L2CAP_CR_SEC_BLOCK;
+                        }
+                        rsp.scid   = cpu_to_le16(chan->dcid);
+                        rsp.dcid   = cpu_to_le16(chan->scid);
+                        rsp.result = cpu_to_le16(result);
+                        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
+                        l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
+                                                        sizeof(rsp), &rsp);
+                }
+                bh_unlock_sock(sk);
+        }
+        read_unlock(&conn->chan_lock);
+        return 0;
+}
+static int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
+{
+        struct l2cap_conn *conn = hcon->l2cap_data;
+        if (!conn)
+                conn = l2cap_conn_add(hcon, 0);
+        if (!conn)
+                goto drop;
+        BT_DBG("conn %p len %d flags 0x%x", conn, skb->len, flags);
+        if (!(flags & ACL_CONT)) {
+                struct l2cap_hdr *hdr;
+                struct l2cap_chan *chan;
+                u16 cid;
+                int len;
+                if (conn->rx_len) {
+                        BT_ERR("Unexpected start frame (len %d)", skb->len);
+                        kfree_skb(conn->rx_skb);
+                        conn->rx_skb = NULL;
+                        conn->rx_len = 0;
+                        l2cap_conn_unreliable(conn, ECOMM);
+                }
+                /* Start fragment always begin with Basic L2CAP header */
+                if (skb->len < L2CAP_HDR_SIZE) {
+                        BT_ERR("Frame is too short (len %d)", skb->len);
+                        l2cap_conn_unreliable(conn, ECOMM);
+                        goto drop;
+                }
+                hdr = (struct l2cap_hdr *) skb->data;
+                len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
+                cid = __le16_to_cpu(hdr->cid);
+                if (len == skb->len) {
+                        /* Complete frame received */
+                        l2cap_recv_frame(conn, skb);
+                        return 0;
+                }
+                BT_DBG("Start: total len %d, frag len %d", len, skb->len);
+                if (skb->len > len) {
+                        BT_ERR("Frame is too long (len %d, expected len %d)",
+                                skb->len, len);
+                        l2cap_conn_unreliable(conn, ECOMM);
+                        goto drop;
+                }
+                chan = l2cap_get_chan_by_scid(conn, cid);
+                if (chan && chan->sk) {
+                        struct sock *sk = chan->sk;
+                        if (chan->imtu < len - L2CAP_HDR_SIZE) {
+                                BT_ERR("Frame exceeding recv MTU (len %d, "
+                                                        "MTU %d)", len,
+                                                        chan->imtu);
+                                bh_unlock_sock(sk);
+                                l2cap_conn_unreliable(conn, ECOMM);
+                                goto drop;
+                        }
+                        bh_unlock_sock(sk);
+                }
+                /* Allocate skb for the complete frame (with header) */
+                conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
+                if (!conn->rx_skb)
+                        goto drop;
+                skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
+                                                                skb->len);
+                conn->rx_len = len - skb->len;
+        } else {
+                BT_DBG("Cont: frag len %d (expecting %d)", skb->len, conn->rx_len);
+                if (!conn->rx_len) {
+                        BT_ERR("Unexpected continuation frame (len %d)", skb->len);
+                        l2cap_conn_unreliable(conn, ECOMM);
+                        goto drop;
+                }
+                if (skb->len > conn->rx_len) {
+                        BT_ERR("Fragment is too long (len %d, expected %d)",
+                                        skb->len, conn->rx_len);
+                        kfree_skb(conn->rx_skb);
+                        conn->rx_skb = NULL;
+                        conn->rx_len = 0;
+                        l2cap_conn_unreliable(conn, ECOMM);
+                        goto drop;
+                }
+                skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len),
+                                                                skb->len);
+                conn->rx_len -= skb->len;
+                if (!conn->rx_len) {
+                        /* Complete frame received */
+                        l2cap_recv_frame(conn, conn->rx_skb);
+                        conn->rx_skb = NULL;
+                }
+        }
+drop:
+        kfree_skb(skb);
+        return 0;
+}
+static int l2cap_debugfs_show(struct seq_file *f, void *p)
+{
+        struct l2cap_chan *c;
+        read_lock_bh(&chan_list_lock);
+        list_for_each_entry(c, &chan_list, global_l) {
+                struct sock *sk = c->sk;
+                seq_printf(f, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d %d\n",
+                                        batostr(&bt_sk(sk)->src),
+                                        batostr(&bt_sk(sk)->dst),
+                                        sk->sk_state, __le16_to_cpu(c->psm),
+                                        c->scid, c->dcid, c->imtu, c->omtu,
+                                        c->sec_level, c->mode);
+        }
+        read_unlock_bh(&chan_list_lock);
+        return 0;
+}
+static int l2cap_debugfs_open(struct inode *inode, struct file *file)
+{
+        return single_open(file, l2cap_debugfs_show, inode->i_private);
+}
+static const struct file_operations l2cap_debugfs_fops = {
+        .open           = l2cap_debugfs_open,
+        .read           = seq_read,
+        .llseek         = seq_lseek,
+        .release        = single_release,
+};
+static struct dentry *l2cap_debugfs;
+static struct hci_proto l2cap_hci_proto = {
+        .name           = "L2CAP",
+        .id             = HCI_PROTO_L2CAP,
+        .connect_ind    = l2cap_connect_ind,
+        .connect_cfm    = l2cap_connect_cfm,
+        .disconn_ind    = l2cap_disconn_ind,
+        .disconn_cfm    = l2cap_disconn_cfm,
+        .security_cfm   = l2cap_security_cfm,
+        .recv_acldata   = l2cap_recv_acldata
+};
+int __init l2cap_init(void)
+{
+        int err;
+        err = l2cap_init_sockets();
+        if (err < 0)
+                return err;
+        _busy_wq = create_singlethread_workqueue("l2cap");
+        if (!_busy_wq) {
+                err = -ENOMEM;
+                goto error;
+        }
+        err = hci_register_proto(&l2cap_hci_proto);
+        if (err < 0) {
+                BT_ERR("L2CAP protocol registration failed");
+                bt_sock_unregister(BTPROTO_L2CAP);
+                goto error;
+        }
+        if (bt_debugfs) {
+                l2cap_debugfs = debugfs_create_file("l2cap", 0444,
+                                        bt_debugfs, NULL, &l2cap_debugfs_fops);
+                if (!l2cap_debugfs)
+                        BT_ERR("Failed to create L2CAP debug file");
+        }
+        return 0;
+error:
+        destroy_workqueue(_busy_wq);
+        l2cap_cleanup_sockets();
+        return err;
+}
+void l2cap_exit(void)
+{
+        debugfs_remove(l2cap_debugfs);
+        flush_workqueue(_busy_wq);
+        destroy_workqueue(_busy_wq);
+        if (hci_unregister_proto(&l2cap_hci_proto) < 0)
+                BT_ERR("L2CAP protocol unregistration failed");
+        l2cap_cleanup_sockets();
+}
+module_param(disable_ertm, bool, 0644);
+MODULE_PARM_DESC(disable_ertm, "Disable enhanced retransmission mode");
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
new file mode 100644
index 000000000000..18dc9888d8c2
--- /dev/null
+++ b/net/bluetooth/l2cap_sock.c
@@ -0,0 +1,1119 @@
+/*
+   BlueZ - Bluetooth protocol stack for Linux
+   Copyright (C) 2000-2001 Qualcomm Incorporated
+   Copyright (C) 2009-2010 Gustavo F. Padovan <gustavo@padovan.org>
+   Copyright (C) 2010 Google Inc.
+   Written 2000,2001 by Maxim Krasnyansky <maxk@qualcomm.com>
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License version 2 as
+   published by the Free Software Foundation;
+   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
+   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
+   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
+   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
+   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
+   SOFTWARE IS DISCLAIMED.
+*/
+/* Bluetooth L2CAP sockets. */
+#include <net/bluetooth/bluetooth.h>
+#include <net/bluetooth/hci_core.h>
+#include <net/bluetooth/l2cap.h>
+static const struct proto_ops l2cap_sock_ops;
+/* ---- L2CAP timers ---- */
+static void l2cap_sock_timeout(unsigned long arg)
+{
+        struct sock *sk = (struct sock *) arg;
+        int reason;
+        BT_DBG("sock %p state %d", sk, sk->sk_state);
+        bh_lock_sock(sk);
+        if (sock_owned_by_user(sk)) {
+                /* sk is owned by user. Try again later */
+                l2cap_sock_set_timer(sk, HZ / 5);
+                bh_unlock_sock(sk);
+                sock_put(sk);
+                return;
+        }
+        if (sk->sk_state == BT_CONNECTED || sk->sk_state == BT_CONFIG)
+                reason = ECONNREFUSED;
+        else if (sk->sk_state == BT_CONNECT &&
+                        l2cap_pi(sk)->chan->sec_level != BT_SECURITY_SDP)
+                reason = ECONNREFUSED;
+        else
+                reason = ETIMEDOUT;
+        __l2cap_sock_close(sk, reason);
+        bh_unlock_sock(sk);
+        l2cap_sock_kill(sk);
+        sock_put(sk);
+}
+void l2cap_sock_set_timer(struct sock *sk, long timeout)
+{
+        BT_DBG("sk %p state %d timeout %ld", sk, sk->sk_state, timeout);
+        sk_reset_timer(sk, &sk->sk_timer, jiffies + timeout);
+}
+void l2cap_sock_clear_timer(struct sock *sk)
+{
+        BT_DBG("sock %p state %d", sk, sk->sk_state);
+        sk_stop_timer(sk, &sk->sk_timer);
+}
+static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
+{
+        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        struct sockaddr_l2 la;
+        int len, err = 0;
+        BT_DBG("sk %p", sk);
+        if (!addr || addr->sa_family != AF_BLUETOOTH)
+                return -EINVAL;
+        memset(&la, 0, sizeof(la));
+        len = min_t(unsigned int, sizeof(la), alen);
+        memcpy(&la, addr, len);
+        if (la.l2_cid && la.l2_psm)
+                return -EINVAL;
+        lock_sock(sk);
+        if (sk->sk_state != BT_OPEN) {
+                err = -EBADFD;
+                goto done;
+        }
+        if (la.l2_psm) {
+                __u16 psm = __le16_to_cpu(la.l2_psm);
+                /* PSM must be odd and lsb of upper byte must be 0 */
+                if ((psm & 0x0101) != 0x0001) {
+                        err = -EINVAL;
+                        goto done;
+                }
+                /* Restrict usage of well-known PSMs */
+                if (psm < 0x1001 && !capable(CAP_NET_BIND_SERVICE)) {
+                        err = -EACCES;
+                        goto done;
+                }
+        }
+        if (la.l2_cid)
+                err = l2cap_add_scid(chan, la.l2_cid);
+        else
+                err = l2cap_add_psm(chan, &la.l2_bdaddr, la.l2_psm);
+        if (err < 0)
+                goto done;
+        if (__le16_to_cpu(la.l2_psm) == 0x0001 ||
+                                __le16_to_cpu(la.l2_psm) == 0x0003)
+                chan->sec_level = BT_SECURITY_SDP;
+        bacpy(&bt_sk(sk)->src, &la.l2_bdaddr);
+        sk->sk_state = BT_BOUND;
+done:
+        release_sock(sk);
+        return err;
+}
+static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr, int alen, int flags)
+{
+        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        struct sockaddr_l2 la;
+        int len, err = 0;
+        BT_DBG("sk %p", sk);
+        if (!addr || alen < sizeof(addr->sa_family) ||
+            addr->sa_family != AF_BLUETOOTH)
+                return -EINVAL;
+        memset(&la, 0, sizeof(la));
+        len = min_t(unsigned int, sizeof(la), alen);
+        memcpy(&la, addr, len);
+        if (la.l2_cid && la.l2_psm)
+                return -EINVAL;
+        lock_sock(sk);
+        if ((sk->sk_type == SOCK_SEQPACKET || sk->sk_type == SOCK_STREAM)
+                        && !(la.l2_psm || la.l2_cid)) {
+                err = -EINVAL;
+                goto done;
+        }
+        switch (chan->mode) {
+        case L2CAP_MODE_BASIC:
+                break;
+        case L2CAP_MODE_ERTM:
+        case L2CAP_MODE_STREAMING:
+                if (!disable_ertm)
+                        break;
+                /* fall through */
+        default:
+                err = -ENOTSUPP;
+                goto done;
+        }
+        switch (sk->sk_state) {
+        case BT_CONNECT:
+        case BT_CONNECT2:
+        case BT_CONFIG:
+                /* Already connecting */
+                goto wait;
+        case BT_CONNECTED:
+                /* Already connected */
+                err = -EISCONN;
+                goto done;
+        case BT_OPEN:
+        case BT_BOUND:
+                /* Can connect */
+                break;
+        default:
+                err = -EBADFD;
+                goto done;
+        }
+        /* PSM must be odd and lsb of upper byte must be 0 */
+        if ((__le16_to_cpu(la.l2_psm) & 0x0101) != 0x0001 &&
+                                sk->sk_type != SOCK_RAW && !la.l2_cid) {
+                err = -EINVAL;
+                goto done;
+        }
+        /* Set destination address and psm */
+        bacpy(&bt_sk(sk)->dst, &la.l2_bdaddr);
+        chan->psm = la.l2_psm;
+        chan->dcid = la.l2_cid;
+        err = l2cap_chan_connect(l2cap_pi(sk)->chan);
+        if (err)
+                goto done;
+wait:
+        err = bt_sock_wait_state(sk, BT_CONNECTED,
+                        sock_sndtimeo(sk, flags & O_NONBLOCK));
+done:
+        release_sock(sk);
+        return err;
+}
+static int l2cap_sock_listen(struct socket *sock, int backlog)
+{
+        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        int err = 0;
+        BT_DBG("sk %p backlog %d", sk, backlog);
+        lock_sock(sk);
+        if ((sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM)
+                        || sk->sk_state != BT_BOUND) {
+                err = -EBADFD;
+                goto done;
+        }
+        switch (chan->mode) {
+        case L2CAP_MODE_BASIC:
+                break;
+        case L2CAP_MODE_ERTM:
+        case L2CAP_MODE_STREAMING:
+                if (!disable_ertm)
+                        break;
+                /* fall through */
+        default:
+                err = -ENOTSUPP;
+                goto done;
+        }
+        sk->sk_max_ack_backlog = backlog;
+        sk->sk_ack_backlog = 0;
+        sk->sk_state = BT_LISTEN;
+done:
+        release_sock(sk);
+        return err;
+}
+static int l2cap_sock_accept(struct socket *sock, struct socket *newsock, int flags)
+{
+        DECLARE_WAITQUEUE(wait, current);
+        struct sock *sk = sock->sk, *nsk;
+        long timeo;
+        int err = 0;
+        lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
+        if (sk->sk_state != BT_LISTEN) {
+                err = -EBADFD;
+                goto done;
+        }
+        timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
+        BT_DBG("sk %p timeo %ld", sk, timeo);
+        /* Wait for an incoming connection. (wake-one). */
+        add_wait_queue_exclusive(sk_sleep(sk), &wait);
+        while (!(nsk = bt_accept_dequeue(sk, newsock))) {
+                set_current_state(TASK_INTERRUPTIBLE);
+                if (!timeo) {
+                        err = -EAGAIN;
+                        break;
+                }
+                release_sock(sk);
+                timeo = schedule_timeout(timeo);
+                lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
+                if (sk->sk_state != BT_LISTEN) {
+                        err = -EBADFD;
+                        break;
+                }
+                if (signal_pending(current)) {
+                        err = sock_intr_errno(timeo);
+                        break;
+                }
+        }
+        set_current_state(TASK_RUNNING);
+        remove_wait_queue(sk_sleep(sk), &wait);
+        if (err)
+                goto done;
+        newsock->state = SS_CONNECTED;
+        BT_DBG("new socket %p", nsk);
+done:
+        release_sock(sk);
+        return err;
+}
+static int l2cap_sock_getname(struct socket *sock, struct sockaddr *addr, int *len, int peer)
+{
+        struct sockaddr_l2 *la = (struct sockaddr_l2 *) addr;
+        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        BT_DBG("sock %p, sk %p", sock, sk);
+        addr->sa_family = AF_BLUETOOTH;
+        *len = sizeof(struct sockaddr_l2);
+        if (peer) {
+                la->l2_psm = chan->psm;
+                bacpy(&la->l2_bdaddr, &bt_sk(sk)->dst);
+                la->l2_cid = cpu_to_le16(chan->dcid);
+        } else {
+                la->l2_psm = chan->sport;
+                bacpy(&la->l2_bdaddr, &bt_sk(sk)->src);
+                la->l2_cid = cpu_to_le16(chan->scid);
+        }
+        return 0;
+}
+static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __user *optval, int __user *optlen)
+{
+        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        struct l2cap_options opts;
+        struct l2cap_conninfo cinfo;
+        int len, err = 0;
+        u32 opt;
+        BT_DBG("sk %p", sk);
+        if (get_user(len, optlen))
+                return -EFAULT;
+        lock_sock(sk);
+        switch (optname) {
+        case L2CAP_OPTIONS:
+                memset(&opts, 0, sizeof(opts));
+                opts.imtu     = chan->imtu;
+                opts.omtu     = chan->omtu;
+                opts.flush_to = chan->flush_to;
+                opts.mode     = chan->mode;
+                opts.fcs      = chan->fcs;
+                opts.max_tx   = chan->max_tx;
+                opts.txwin_size = (__u16)chan->tx_win;
+                len = min_t(unsigned int, len, sizeof(opts));
+                if (copy_to_user(optval, (char *) &opts, len))
+                        err = -EFAULT;
+                break;
+        case L2CAP_LM:
+                switch (chan->sec_level) {
+                case BT_SECURITY_LOW:
+                        opt = L2CAP_LM_AUTH;
+                        break;
+                case BT_SECURITY_MEDIUM:
+                        opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT;
+                        break;
+                case BT_SECURITY_HIGH:
+                        opt = L2CAP_LM_AUTH | L2CAP_LM_ENCRYPT |
+                                                        L2CAP_LM_SECURE;
+                        break;
+                default:
+                        opt = 0;
+                        break;
+                }
+                if (chan->role_switch)
+                        opt |= L2CAP_LM_MASTER;
+                if (chan->force_reliable)
+                        opt |= L2CAP_LM_RELIABLE;
+                if (put_user(opt, (u32 __user *) optval))
+                        err = -EFAULT;
+                break;
+        case L2CAP_CONNINFO:
+                if (sk->sk_state != BT_CONNECTED &&
+                                        !(sk->sk_state == BT_CONNECT2 &&
+                                                bt_sk(sk)->defer_setup)) {
+                        err = -ENOTCONN;
+                        break;
+                }
+                cinfo.hci_handle = chan->conn->hcon->handle;
+                memcpy(cinfo.dev_class, chan->conn->hcon->dev_class, 3);
+                len = min_t(unsigned int, len, sizeof(cinfo));
+                if (copy_to_user(optval, (char *) &cinfo, len))
+                        err = -EFAULT;
+                break;
+        default:
+                err = -ENOPROTOOPT;
+                break;
+        }
+        release_sock(sk);
+        return err;
+}
+static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, char __user *optval, int __user *optlen)
+{
+        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        struct bt_security sec;
+        int len, err = 0;
+        BT_DBG("sk %p", sk);
+        if (level == SOL_L2CAP)
+                return l2cap_sock_getsockopt_old(sock, optname, optval, optlen);
+        if (level != SOL_BLUETOOTH)
+                return -ENOPROTOOPT;
+        if (get_user(len, optlen))
+                return -EFAULT;
+        lock_sock(sk);
+        switch (optname) {
+        case BT_SECURITY:
+                if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
+                                && sk->sk_type != SOCK_RAW) {
+                        err = -EINVAL;
+                        break;
+                }
+                sec.level = chan->sec_level;
+                len = min_t(unsigned int, len, sizeof(sec));
+                if (copy_to_user(optval, (char *) &sec, len))
+                        err = -EFAULT;
+                break;
+        case BT_DEFER_SETUP:
+                if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
+                        err = -EINVAL;
+                        break;
+                }
+                if (put_user(bt_sk(sk)->defer_setup, (u32 __user *) optval))
+                        err = -EFAULT;
+                break;
+        case BT_FLUSHABLE:
+                if (put_user(chan->flushable, (u32 __user *) optval))
+                        err = -EFAULT;
+                break;
+        default:
+                err = -ENOPROTOOPT;
+                break;
+        }
+        release_sock(sk);
+        return err;
+}
+static int l2cap_sock_setsockopt_old(struct socket *sock, int optname, char __user *optval, unsigned int optlen)
+{
+        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        struct l2cap_options opts;
+        int len, err = 0;
+        u32 opt;
+        BT_DBG("sk %p", sk);
+        lock_sock(sk);
+        switch (optname) {
+        case L2CAP_OPTIONS:
+                if (sk->sk_state == BT_CONNECTED) {
+                        err = -EINVAL;
+                        break;
+                }
+                opts.imtu     = chan->imtu;
+                opts.omtu     = chan->omtu;
+                opts.flush_to = chan->flush_to;
+                opts.mode     = chan->mode;
+                opts.fcs      = chan->fcs;
+                opts.max_tx   = chan->max_tx;
+                opts.txwin_size = (__u16)chan->tx_win;
+                len = min_t(unsigned int, sizeof(opts), optlen);
+                if (copy_from_user((char *) &opts, optval, len)) {
+                        err = -EFAULT;
+                        break;
+                }
+                if (opts.txwin_size > L2CAP_DEFAULT_TX_WINDOW) {
+                        err = -EINVAL;
+                        break;
+                }
+                chan->mode = opts.mode;
+                switch (chan->mode) {
+                case L2CAP_MODE_BASIC:
+                        chan->conf_state &= ~L2CAP_CONF_STATE2_DEVICE;
+                        break;
+                case L2CAP_MODE_ERTM:
+                case L2CAP_MODE_STREAMING:
+                        if (!disable_ertm)
+                                break;
+                        /* fall through */
+                default:
+                        err = -EINVAL;
+                        break;
+                }
+                chan->imtu = opts.imtu;
+                chan->omtu = opts.omtu;
+                chan->fcs  = opts.fcs;
+                chan->max_tx = opts.max_tx;
+                chan->tx_win = (__u8)opts.txwin_size;
+                break;
+        case L2CAP_LM:
+                if (get_user(opt, (u32 __user *) optval)) {
+                        err = -EFAULT;
+                        break;
+                }
+                if (opt & L2CAP_LM_AUTH)
+                        chan->sec_level = BT_SECURITY_LOW;
+                if (opt & L2CAP_LM_ENCRYPT)
+                        chan->sec_level = BT_SECURITY_MEDIUM;
+                if (opt & L2CAP_LM_SECURE)
+                        chan->sec_level = BT_SECURITY_HIGH;
+                chan->role_switch    = (opt & L2CAP_LM_MASTER);
+                chan->force_reliable = (opt & L2CAP_LM_RELIABLE);
+                break;
+        default:
+                err = -ENOPROTOOPT;
+                break;
+        }
+        release_sock(sk);
+        return err;
+}
+static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname, char __user *optval, unsigned int optlen)
+{
+        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        struct bt_security sec;
+        int len, err = 0;
+        u32 opt;
+        BT_DBG("sk %p", sk);
+        if (level == SOL_L2CAP)
+                return l2cap_sock_setsockopt_old(sock, optname, optval, optlen);
+        if (level != SOL_BLUETOOTH)
+                return -ENOPROTOOPT;
+        lock_sock(sk);
+        switch (optname) {
+        case BT_SECURITY:
+                if (sk->sk_type != SOCK_SEQPACKET && sk->sk_type != SOCK_STREAM
+                                && sk->sk_type != SOCK_RAW) {
+                        err = -EINVAL;
+                        break;
+                }
+                sec.level = BT_SECURITY_LOW;
+                len = min_t(unsigned int, sizeof(sec), optlen);
+                if (copy_from_user((char *) &sec, optval, len)) {
+                        err = -EFAULT;
+                        break;
+                }
+                if (sec.level < BT_SECURITY_LOW ||
+                                        sec.level > BT_SECURITY_HIGH) {
+                        err = -EINVAL;
+                        break;
+                }
+                chan->sec_level = sec.level;
+                break;
+        case BT_DEFER_SETUP:
+                if (sk->sk_state != BT_BOUND && sk->sk_state != BT_LISTEN) {
+                        err = -EINVAL;
+                        break;
+                }
+                if (get_user(opt, (u32 __user *) optval)) {
+                        err = -EFAULT;
+                        break;
+                }
+                bt_sk(sk)->defer_setup = opt;
+                break;
+        case BT_FLUSHABLE:
+                if (get_user(opt, (u32 __user *) optval)) {
+                        err = -EFAULT;
+                        break;
+                }
+                if (opt > BT_FLUSHABLE_ON) {
+                        err = -EINVAL;
+                        break;
+                }
+                if (opt == BT_FLUSHABLE_OFF) {
+                        struct l2cap_conn *conn = chan->conn;
+                        /* proceed further only when we have l2cap_conn and
+                           No Flush support in the LM */
+                        if (!conn || !lmp_no_flush_capable(conn->hcon->hdev)) {
+                                err = -EINVAL;
+                                break;
+                        }
+                }
+                chan->flushable = opt;
+                break;
+        default:
+                err = -ENOPROTOOPT;
+                break;
+        }
+        release_sock(sk);
+        return err;
+}
+static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len)
+{
+        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        struct sk_buff *skb;
+        u16 control;
+        int err;
+        BT_DBG("sock %p, sk %p", sock, sk);
+        err = sock_error(sk);
+        if (err)
+                return err;
+        if (msg->msg_flags & MSG_OOB)
+                return -EOPNOTSUPP;
+        lock_sock(sk);
+        if (sk->sk_state != BT_CONNECTED) {
+                err = -ENOTCONN;
+                goto done;
+        }
+        /* Connectionless channel */
+        if (sk->sk_type == SOCK_DGRAM) {
+                skb = l2cap_create_connless_pdu(chan, msg, len);
+                if (IS_ERR(skb)) {
+                        err = PTR_ERR(skb);
+                } else {
+                        l2cap_do_send(chan, skb);
+                        err = len;
+                }
+                goto done;
+        }
+        switch (chan->mode) {
+        case L2CAP_MODE_BASIC:
+                /* Check outgoing MTU */
+                if (len > chan->omtu) {
+                        err = -EMSGSIZE;
+                        goto done;
+                }
+                /* Create a basic PDU */
+                skb = l2cap_create_basic_pdu(chan, msg, len);
+                if (IS_ERR(skb)) {
+                        err = PTR_ERR(skb);
+                        goto done;
+                }
+                l2cap_do_send(chan, skb);
+                err = len;
+                break;
+        case L2CAP_MODE_ERTM:
+        case L2CAP_MODE_STREAMING:
+                /* Entire SDU fits into one PDU */
+                if (len <= chan->remote_mps) {
+                        control = L2CAP_SDU_UNSEGMENTED;
+                        skb = l2cap_create_iframe_pdu(chan, msg, len, control,
+                                                                        0);
+                        if (IS_ERR(skb)) {
+                                err = PTR_ERR(skb);
+                                goto done;
+                        }
+                        __skb_queue_tail(&chan->tx_q, skb);
+                        if (chan->tx_send_head == NULL)
+                                chan->tx_send_head = skb;
+                } else {
+                /* Segment SDU into multiples PDUs */
+                        err = l2cap_sar_segment_sdu(chan, msg, len);
+                        if (err < 0)
+                                goto done;
+                }
+                if (chan->mode == L2CAP_MODE_STREAMING) {
+                        l2cap_streaming_send(chan);
+                        err = len;
+                        break;
+                }
+                if ((chan->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
+                                (chan->conn_state & L2CAP_CONN_WAIT_F)) {
+                        err = len;
+                        break;
+                }
+                err = l2cap_ertm_send(chan);
+                if (err >= 0)
+                        err = len;
+                break;
+        default:
+                BT_DBG("bad state %1.1x", chan->mode);
+                err = -EBADFD;
+        }
+done:
+        release_sock(sk);
+        return err;
+}
+static int l2cap_sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, size_t len, int flags)
+{
+        struct sock *sk = sock->sk;
+        lock_sock(sk);
+        if (sk->sk_state == BT_CONNECT2 && bt_sk(sk)->defer_setup) {
+                sk->sk_state = BT_CONFIG;
+                __l2cap_connect_rsp_defer(l2cap_pi(sk)->chan);
+                release_sock(sk);
+                return 0;
+        }
+        release_sock(sk);
+        if (sock->type == SOCK_STREAM)
+                return bt_sock_stream_recvmsg(iocb, sock, msg, len, flags);
+        return bt_sock_recvmsg(iocb, sock, msg, len, flags);
+}
+/* Kill socket (only if zapped and orphan)
+ * Must be called on unlocked socket.
+ */
+void l2cap_sock_kill(struct sock *sk)
+{
+        if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket)
+                return;
+        BT_DBG("sk %p state %d", sk, sk->sk_state);
+        /* Kill poor orphan */
+        l2cap_chan_destroy(l2cap_pi(sk)->chan);
+        sock_set_flag(sk, SOCK_DEAD);
+        sock_put(sk);
+}
+/* Must be called on unlocked socket. */
+static void l2cap_sock_close(struct sock *sk)
+{
+        l2cap_sock_clear_timer(sk);
+        lock_sock(sk);
+        __l2cap_sock_close(sk, ECONNRESET);
+        release_sock(sk);
+        l2cap_sock_kill(sk);
+}
+static void l2cap_sock_cleanup_listen(struct sock *parent)
+{
+        struct sock *sk;
+        BT_DBG("parent %p", parent);
+        /* Close not yet accepted channels */
+        while ((sk = bt_accept_dequeue(parent, NULL)))
+                l2cap_sock_close(sk);
+        parent->sk_state = BT_CLOSED;
+        sock_set_flag(parent, SOCK_ZAPPED);
+}
+void __l2cap_sock_close(struct sock *sk, int reason)
+{
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        struct l2cap_conn *conn = chan->conn;
+        BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
+        switch (sk->sk_state) {
+        case BT_LISTEN:
+                l2cap_sock_cleanup_listen(sk);
+                break;
+        case BT_CONNECTED:
+        case BT_CONFIG:
+                if ((sk->sk_type == SOCK_SEQPACKET ||
+                                        sk->sk_type == SOCK_STREAM) &&
+                                        conn->hcon->type == ACL_LINK) {
+                        l2cap_sock_set_timer(sk, sk->sk_sndtimeo);
+                        l2cap_send_disconn_req(conn, chan, reason);
+                } else
+                        l2cap_chan_del(chan, reason);
+                break;
+        case BT_CONNECT2:
+                if ((sk->sk_type == SOCK_SEQPACKET ||
+                                        sk->sk_type == SOCK_STREAM) &&
+                                        conn->hcon->type == ACL_LINK) {
+                        struct l2cap_conn_rsp rsp;
+                        __u16 result;
+                        if (bt_sk(sk)->defer_setup)
+                                result = L2CAP_CR_SEC_BLOCK;
+                        else
+                                result = L2CAP_CR_BAD_PSM;
+                        rsp.scid   = cpu_to_le16(chan->dcid);
+                        rsp.dcid   = cpu_to_le16(chan->scid);
+                        rsp.result = cpu_to_le16(result);
+                        rsp.status = cpu_to_le16(L2CAP_CS_NO_INFO);
+                        l2cap_send_cmd(conn, chan->ident, L2CAP_CONN_RSP,
+                                                        sizeof(rsp), &rsp);
+                }
+                l2cap_chan_del(chan, reason);
+                break;
+        case BT_CONNECT:
+        case BT_DISCONN:
+                l2cap_chan_del(chan, reason);
+                break;
+        default:
+                sock_set_flag(sk, SOCK_ZAPPED);
+                break;
+        }
+}
+static int l2cap_sock_shutdown(struct socket *sock, int how)
+{
+        struct sock *sk = sock->sk;
+        struct l2cap_chan *chan = l2cap_pi(sk)->chan;
+        int err = 0;
+        BT_DBG("sock %p, sk %p", sock, sk);
+        if (!sk)
+                return 0;
+        lock_sock(sk);
+        if (!sk->sk_shutdown) {
+                if (chan->mode == L2CAP_MODE_ERTM)
+                        err = __l2cap_wait_ack(sk);
+                sk->sk_shutdown = SHUTDOWN_MASK;
+                l2cap_sock_clear_timer(sk);
+                __l2cap_sock_close(sk, 0);
+                if (sock_flag(sk, SOCK_LINGER) && sk->sk_lingertime)
+                        err = bt_sock_wait_state(sk, BT_CLOSED,
+                                                        sk->sk_lingertime);
+        }
+        if (!err && sk->sk_err)
+                err = -sk->sk_err;
+        release_sock(sk);
+        return err;
+}
+static int l2cap_sock_release(struct socket *sock)
+{
+        struct sock *sk = sock->sk;
+        int err;
+        BT_DBG("sock %p, sk %p", sock, sk);
+        if (!sk)
+                return 0;
+        err = l2cap_sock_shutdown(sock, 2);
+        sock_orphan(sk);
+        l2cap_sock_kill(sk);
+        return err;
+}
+static void l2cap_sock_destruct(struct sock *sk)
+{
+        BT_DBG("sk %p", sk);
+        skb_queue_purge(&sk->sk_receive_queue);
+        skb_queue_purge(&sk->sk_write_queue);
+}
+void l2cap_sock_init(struct sock *sk, struct sock *parent)
+{
+        struct l2cap_pinfo *pi = l2cap_pi(sk);
+        struct l2cap_chan *chan = pi->chan;
+        BT_DBG("sk %p", sk);
+        if (parent) {
+                struct l2cap_chan *pchan = l2cap_pi(parent)->chan;
+                sk->sk_type = parent->sk_type;
+                bt_sk(sk)->defer_setup = bt_sk(parent)->defer_setup;
+                chan->imtu = pchan->imtu;
+                chan->omtu = pchan->omtu;
+                chan->conf_state = pchan->conf_state;
+                chan->mode = pchan->mode;
+                chan->fcs  = pchan->fcs;
+                chan->max_tx = pchan->max_tx;
+                chan->tx_win = pchan->tx_win;
+                chan->sec_level = pchan->sec_level;
+                chan->role_switch = pchan->role_switch;
+                chan->force_reliable = pchan->force_reliable;
+                chan->flushable = pchan->flushable;
+        } else {
+                chan->imtu = L2CAP_DEFAULT_MTU;
+                chan->omtu = 0;
+                if (!disable_ertm && sk->sk_type == SOCK_STREAM) {
+                        chan->mode = L2CAP_MODE_ERTM;
+                        chan->conf_state |= L2CAP_CONF_STATE2_DEVICE;
+                } else {
+                        chan->mode = L2CAP_MODE_BASIC;
+                }
+                chan->max_tx = L2CAP_DEFAULT_MAX_TX;
+                chan->fcs  = L2CAP_FCS_CRC16;
+                chan->tx_win = L2CAP_DEFAULT_TX_WINDOW;
+                chan->sec_level = BT_SECURITY_LOW;
+                chan->role_switch = 0;
+                chan->force_reliable = 0;
+                chan->flushable = BT_FLUSHABLE_OFF;
+        }
+        /* Default config options */
+        chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
+}
+static struct proto l2cap_proto = {
+        .name           = "L2CAP",
+        .owner          = THIS_MODULE,
+        .obj_size       = sizeof(struct l2cap_pinfo)
+};
+struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio)
+{
+        struct sock *sk;
+        sk = sk_alloc(net, PF_BLUETOOTH, prio, &l2cap_proto);
+        if (!sk)
+                return NULL;
+        sock_init_data(sock, sk);
+        INIT_LIST_HEAD(&bt_sk(sk)->accept_q);
+        sk->sk_destruct = l2cap_sock_destruct;
+        sk->sk_sndtimeo = msecs_to_jiffies(L2CAP_CONN_TIMEOUT);
+        sock_reset_flag(sk, SOCK_ZAPPED);
+        sk->sk_protocol = proto;
+        sk->sk_state = BT_OPEN;
+        setup_timer(&sk->sk_timer, l2cap_sock_timeout, (unsigned long) sk);
+        return sk;
+}
+static int l2cap_sock_create(struct net *net, struct socket *sock, int protocol,
+                             int kern)
+{
+        struct sock *sk;
+        struct l2cap_chan *chan;
+        BT_DBG("sock %p", sock);
+        sock->state = SS_UNCONNECTED;
+        if (sock->type != SOCK_SEQPACKET && sock->type != SOCK_STREAM &&
+                        sock->type != SOCK_DGRAM && sock->type != SOCK_RAW)
+                return -ESOCKTNOSUPPORT;
+        if (sock->type == SOCK_RAW && !kern && !capable(CAP_NET_RAW))
+                return -EPERM;
+        sock->ops = &l2cap_sock_ops;
+        sk = l2cap_sock_alloc(net, sock, protocol, GFP_ATOMIC);
+        if (!sk)
+                return -ENOMEM;
+        chan = l2cap_chan_create(sk);
+        if (!chan) {
+                l2cap_sock_kill(sk);
+                return -ENOMEM;
+        }
+        l2cap_pi(sk)->chan = chan;
+        l2cap_sock_init(sk, NULL);
+        return 0;
+}
+static const struct proto_ops l2cap_sock_ops = {
+        .family         = PF_BLUETOOTH,
+        .owner          = THIS_MODULE,
+        .release        = l2cap_sock_release,
+        .bind           = l2cap_sock_bind,
+        .connect        = l2cap_sock_connect,
+        .listen         = l2cap_sock_listen,
+        .accept         = l2cap_sock_accept,
+        .getname        = l2cap_sock_getname,
+        .sendmsg        = l2cap_sock_sendmsg,
+        .recvmsg        = l2cap_sock_recvmsg,
+        .poll           = bt_sock_poll,
+        .ioctl          = bt_sock_ioctl,
+        .mmap           = sock_no_mmap,
+        .socketpair     = sock_no_socketpair,
+        .shutdown       = l2cap_sock_shutdown,
+        .setsockopt     = l2cap_sock_setsockopt,
+        .getsockopt     = l2cap_sock_getsockopt
+};
+static const struct net_proto_family l2cap_sock_family_ops = {
+        .family = PF_BLUETOOTH,
+        .owner  = THIS_MODULE,
+        .create = l2cap_sock_create,
+};
+int __init l2cap_init_sockets(void)
+{
+        int err;
+        err = proto_register(&l2cap_proto, 0);
+        if (err < 0)
+                return err;
+        err = bt_sock_register(BTPROTO_L2CAP, &l2cap_sock_family_ops);
+        if (err < 0)
+                goto error;
+        BT_INFO("L2CAP socket layer initialized");
+        return 0;
+error:
+        BT_ERR("L2CAP socket registration failed");
+        proto_unregister(&l2cap_proto);
+        return err;
+}
+void l2cap_cleanup_sockets(void)
+{
+        if (bt_sock_unregister(BTPROTO_L2CAP) < 0)
+                BT_ERR("L2CAP socket unregistration failed");
+        proto_unregister(&l2cap_proto);
+}
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index f827fd908380..dae382ce7020 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -22,7 +22,7 @@
 /* Bluetooth HCI Management interface */
-#include <asm/uaccess.h>
+#include <linux/uaccess.h>
 #include <asm/unaligned.h>
 #include <net/bluetooth/bluetooth.h>
@@ -32,13 +32,24 @@
 #define MGMT_VERSION    0
 #define MGMT_REVISION   1
-static int cmd_status(struct sock *sk, u16 cmd, u8 status)
+struct pending_cmd {
+        struct list_head list;
+        __u16 opcode;
+        int index;
+        void *param;
+        struct sock *sk;
+        void *user_data;
+};
+LIST_HEAD(cmd_list);
+static int cmd_status(struct sock *sk, u16 index, u16 cmd, u8 status)
 {
        struct sk_buff *skb;
        struct mgmt_hdr *hdr;
        struct mgmt_ev_cmd_status *ev;
-        BT_DBG("sock %p", sk);
+        BT_DBG("sock %p, index %u, cmd %u, status %u", sk, index, cmd, status);
        skb = alloc_skb(sizeof(*hdr) + sizeof(*ev), GFP_ATOMIC);
        if (!skb)
@@ -47,6 +58,7 @@ static int cmd_status(struct sock *sk, u16 cmd, u8 status)
        hdr = (void *) skb_put(skb, sizeof(*hdr));
        hdr->opcode = cpu_to_le16(MGMT_EV_CMD_STATUS);
+        hdr->index = cpu_to_le16(index);
        hdr->len = cpu_to_le16(sizeof(*ev));
        ev = (void *) skb_put(skb, sizeof(*ev));
@@ -59,29 +71,30 @@ static int cmd_status(struct sock *sk, u16 cmd, u8 status)
        return 0;
 }
-static int read_version(struct sock *sk)
+static int cmd_complete(struct sock *sk, u16 index, u16 cmd, void *rp,
+                                                                size_t rp_len)
 {
        struct sk_buff *skb;
        struct mgmt_hdr *hdr;
        struct mgmt_ev_cmd_complete *ev;
-        struct mgmt_rp_read_version *rp;
        BT_DBG("sock %p", sk);
-        skb = alloc_skb(sizeof(*hdr) + sizeof(*ev) + sizeof(*rp), GFP_ATOMIC);
+        skb = alloc_skb(sizeof(*hdr) + sizeof(*ev) + rp_len, GFP_ATOMIC);
        if (!skb)
                return -ENOMEM;
        hdr = (void *) skb_put(skb, sizeof(*hdr));
        hdr->opcode = cpu_to_le16(MGMT_EV_CMD_COMPLETE);
-        hdr->len = cpu_to_le16(sizeof(*ev) + sizeof(*rp));
+        hdr->index = cpu_to_le16(index);
+        hdr->len = cpu_to_le16(sizeof(*ev) + rp_len);
-        ev = (void *) skb_put(skb, sizeof(*ev));
+        ev = (void *) skb_put(skb, sizeof(*ev) + rp_len);
-        put_unaligned_le16(MGMT_OP_READ_VERSION, &ev->opcode);
+        put_unaligned_le16(cmd, &ev->opcode);
-        rp = (void *) skb_put(skb, sizeof(*rp));
+        if (rp)
-        rp->version = MGMT_VERSION;
+                memcpy(ev->data, rp, rp_len);
-        put_unaligned_le16(MGMT_REVISION, &rp->revision);
        if (sock_queue_rcv_skb(sk, skb) < 0)
                kfree_skb(skb);
@@ -89,16 +102,26 @@ static int read_version(struct sock *sk)
        return 0;
 }
+static int read_version(struct sock *sk)
+{
+        struct mgmt_rp_read_version rp;
+        BT_DBG("sock %p", sk);
+        rp.version = MGMT_VERSION;
+        put_unaligned_le16(MGMT_REVISION, &rp.revision);
+        return cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_VERSION, &rp,
+                                                                sizeof(rp));
+}
 static int read_index_list(struct sock *sk)
 {
-        struct sk_buff *skb;
-        struct mgmt_hdr *hdr;
-        struct mgmt_ev_cmd_complete *ev;
        struct mgmt_rp_read_index_list *rp;
        struct list_head *p;
-        size_t body_len;
+        size_t rp_len;
        u16 count;
-        int i;
+        int i, err;
        BT_DBG("sock %p", sk);
@@ -109,112 +132,1520 @@ static int read_index_list(struct sock *sk)
                count++;
        }
-        body_len = sizeof(*ev) + sizeof(*rp) + (2 * count);
+        rp_len = sizeof(*rp) + (2 * count);
-        skb = alloc_skb(sizeof(*hdr) + body_len, GFP_ATOMIC);
+        rp = kmalloc(rp_len, GFP_ATOMIC);
-        if (!skb)
+        if (!rp) {
+                read_unlock(&hci_dev_list_lock);
                return -ENOMEM;
+        }
-        hdr = (void *) skb_put(skb, sizeof(*hdr));
-        hdr->opcode = cpu_to_le16(MGMT_EV_CMD_COMPLETE);
-        hdr->len = cpu_to_le16(body_len);
-        ev = (void *) skb_put(skb, sizeof(*ev));
-        put_unaligned_le16(MGMT_OP_READ_INDEX_LIST, &ev->opcode);
-        rp = (void *) skb_put(skb, sizeof(*rp) + (2 * count));
        put_unaligned_le16(count, &rp->num_controllers);
        i = 0;
        list_for_each(p, &hci_dev_list) {
                struct hci_dev *d = list_entry(p, struct hci_dev, list);
+                hci_del_off_timer(d);
+                set_bit(HCI_MGMT, &d->flags);
+                if (test_bit(HCI_SETUP, &d->flags))
+                        continue;
                put_unaligned_le16(d->id, &rp->index[i++]);
                BT_DBG("Added hci%u", d->id);
        }
        read_unlock(&hci_dev_list_lock);
-        if (sock_queue_rcv_skb(sk, skb) < 0)
+        err = cmd_complete(sk, MGMT_INDEX_NONE, MGMT_OP_READ_INDEX_LIST, rp,
-                kfree_skb(skb);
+                                                                        rp_len);
-        return 0;
+        kfree(rp);
+        return err;
 }
-static int read_controller_info(struct sock *sk, unsigned char *data, u16 len)
+static int read_controller_info(struct sock *sk, u16 index)
 {
-        struct sk_buff *skb;
+        struct mgmt_rp_read_info rp;
-        struct mgmt_hdr *hdr;
-        struct mgmt_ev_cmd_complete *ev;
-        struct mgmt_rp_read_info *rp;
-        struct mgmt_cp_read_info *cp;
        struct hci_dev *hdev;
-        u16 dev_id;
-        BT_DBG("sock %p", sk);
+        BT_DBG("sock %p hci%u", sk, index);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_READ_INFO, ENODEV);
+        hci_del_off_timer(hdev);
+        hci_dev_lock(hdev);
+        set_bit(HCI_MGMT, &hdev->flags);
+        memset(&rp, 0, sizeof(rp));
+        rp.type = hdev->dev_type;
+        rp.powered = test_bit(HCI_UP, &hdev->flags);
+        rp.connectable = test_bit(HCI_PSCAN, &hdev->flags);
+        rp.discoverable = test_bit(HCI_ISCAN, &hdev->flags);
+        rp.pairable = test_bit(HCI_PSCAN, &hdev->flags);
+        if (test_bit(HCI_AUTH, &hdev->flags))
+                rp.sec_mode = 3;
+        else if (hdev->ssp_mode > 0)
+                rp.sec_mode = 4;
+        else
+                rp.sec_mode = 2;
+        bacpy(&rp.bdaddr, &hdev->bdaddr);
+        memcpy(rp.features, hdev->features, 8);
+        memcpy(rp.dev_class, hdev->dev_class, 3);
+        put_unaligned_le16(hdev->manufacturer, &rp.manufacturer);
+        rp.hci_ver = hdev->hci_ver;
+        put_unaligned_le16(hdev->hci_rev, &rp.hci_rev);
+        memcpy(rp.name, hdev->dev_name, sizeof(hdev->dev_name));
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return cmd_complete(sk, index, MGMT_OP_READ_INFO, &rp, sizeof(rp));
+}
-        if (len != 2)
+static void mgmt_pending_free(struct pending_cmd *cmd)
-                return cmd_status(sk, MGMT_OP_READ_INFO, EINVAL);
+{
+        sock_put(cmd->sk);
+        kfree(cmd->param);
+        kfree(cmd);
+}
+static struct pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
+                                                u16 index, void *data, u16 len)
+{
+        struct pending_cmd *cmd;
+        cmd = kmalloc(sizeof(*cmd), GFP_ATOMIC);
+        if (!cmd)
+                return NULL;
+        cmd->opcode = opcode;
+        cmd->index = index;
+        cmd->param = kmalloc(len, GFP_ATOMIC);
+        if (!cmd->param) {
+                kfree(cmd);
+                return NULL;
+        }
+        if (data)
+                memcpy(cmd->param, data, len);
+        cmd->sk = sk;
+        sock_hold(sk);
+        list_add(&cmd->list, &cmd_list);
+        return cmd;
+}
+static void mgmt_pending_foreach(u16 opcode, int index,
+                                void (*cb)(struct pending_cmd *cmd, void *data),
+                                void *data)
+{
+        struct list_head *p, *n;
+        list_for_each_safe(p, n, &cmd_list) {
+                struct pending_cmd *cmd;
+                cmd = list_entry(p, struct pending_cmd, list);
+                if (cmd->opcode != opcode)
+                        continue;
+                if (index >= 0 && cmd->index != index)
+                        continue;
+                cb(cmd, data);
+        }
+}
+static struct pending_cmd *mgmt_pending_find(u16 opcode, int index)
+{
+        struct list_head *p;
+        list_for_each(p, &cmd_list) {
+                struct pending_cmd *cmd;
+                cmd = list_entry(p, struct pending_cmd, list);
+                if (cmd->opcode != opcode)
+                        continue;
-        skb = alloc_skb(sizeof(*hdr) + sizeof(*ev) + sizeof(*rp), GFP_ATOMIC);
+                if (index >= 0 && cmd->index != index)
+                        continue;
+                return cmd;
+        }
+        return NULL;
+}
+static void mgmt_pending_remove(struct pending_cmd *cmd)
+{
+        list_del(&cmd->list);
+        mgmt_pending_free(cmd);
+}
+static int set_powered(struct sock *sk, u16 index, unsigned char *data, u16 len)
+{
+        struct mgmt_mode *cp;
+        struct hci_dev *hdev;
+        struct pending_cmd *cmd;
+        int err, up;
+        cp = (void *) data;
+        BT_DBG("request for hci%u", index);
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_SET_POWERED, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_SET_POWERED, ENODEV);
+        hci_dev_lock(hdev);
+        up = test_bit(HCI_UP, &hdev->flags);
+        if ((cp->val && up) || (!cp->val && !up)) {
+                err = cmd_status(sk, index, MGMT_OP_SET_POWERED, EALREADY);
+                goto failed;
+        }
+        if (mgmt_pending_find(MGMT_OP_SET_POWERED, index)) {
+                err = cmd_status(sk, index, MGMT_OP_SET_POWERED, EBUSY);
+                goto failed;
+        }
+        cmd = mgmt_pending_add(sk, MGMT_OP_SET_POWERED, index, data, len);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        if (cp->val)
+                queue_work(hdev->workqueue, &hdev->power_on);
+        else
+                queue_work(hdev->workqueue, &hdev->power_off);
+        err = 0;
+failed:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int set_discoverable(struct sock *sk, u16 index, unsigned char *data,
+                                                                        u16 len)
+{
+        struct mgmt_mode *cp;
+        struct hci_dev *hdev;
+        struct pending_cmd *cmd;
+        u8 scan;
+        int err;
+        cp = (void *) data;
+        BT_DBG("request for hci%u", index);
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENODEV);
+        hci_dev_lock(hdev);
+        if (!test_bit(HCI_UP, &hdev->flags)) {
+                err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, ENETDOWN);
+                goto failed;
+        }
+        if (mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, index) ||
+                        mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, index)) {
+                err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, EBUSY);
+                goto failed;
+        }
+        if (cp->val == test_bit(HCI_ISCAN, &hdev->flags) &&
+                                        test_bit(HCI_PSCAN, &hdev->flags)) {
+                err = cmd_status(sk, index, MGMT_OP_SET_DISCOVERABLE, EALREADY);
+                goto failed;
+        }
+        cmd = mgmt_pending_add(sk, MGMT_OP_SET_DISCOVERABLE, index, data, len);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        scan = SCAN_PAGE;
+        if (cp->val)
+                scan |= SCAN_INQUIRY;
+        err = hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+failed:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int set_connectable(struct sock *sk, u16 index, unsigned char *data,
+                                                                        u16 len)
+{
+        struct mgmt_mode *cp;
+        struct hci_dev *hdev;
+        struct pending_cmd *cmd;
+        u8 scan;
+        int err;
+        cp = (void *) data;
+        BT_DBG("request for hci%u", index);
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENODEV);
+        hci_dev_lock(hdev);
+        if (!test_bit(HCI_UP, &hdev->flags)) {
+                err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, ENETDOWN);
+                goto failed;
+        }
+        if (mgmt_pending_find(MGMT_OP_SET_DISCOVERABLE, index) ||
+                        mgmt_pending_find(MGMT_OP_SET_CONNECTABLE, index)) {
+                err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, EBUSY);
+                goto failed;
+        }
+        if (cp->val == test_bit(HCI_PSCAN, &hdev->flags)) {
+                err = cmd_status(sk, index, MGMT_OP_SET_CONNECTABLE, EALREADY);
+                goto failed;
+        }
+        cmd = mgmt_pending_add(sk, MGMT_OP_SET_CONNECTABLE, index, data, len);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        if (cp->val)
+                scan = SCAN_PAGE;
+        else
+                scan = 0;
+        err = hci_send_cmd(hdev, HCI_OP_WRITE_SCAN_ENABLE, 1, &scan);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+failed:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int mgmt_event(u16 event, u16 index, void *data, u16 data_len,
+                                                        struct sock *skip_sk)
+{
+        struct sk_buff *skb;
+        struct mgmt_hdr *hdr;
+        skb = alloc_skb(sizeof(*hdr) + data_len, GFP_ATOMIC);
        if (!skb)
                return -ENOMEM;
+        bt_cb(skb)->channel = HCI_CHANNEL_CONTROL;
        hdr = (void *) skb_put(skb, sizeof(*hdr));
-        hdr->opcode = cpu_to_le16(MGMT_EV_CMD_COMPLETE);
+        hdr->opcode = cpu_to_le16(event);
-        hdr->len = cpu_to_le16(sizeof(*ev) + sizeof(*rp));
+        hdr->index = cpu_to_le16(index);
+        hdr->len = cpu_to_le16(data_len);
-        ev = (void *) skb_put(skb, sizeof(*ev));
+        if (data)
-        put_unaligned_le16(MGMT_OP_READ_INFO, &ev->opcode);
+                memcpy(skb_put(skb, data_len), data, data_len);
+        hci_send_to_sock(NULL, skb, skip_sk);
+        kfree_skb(skb);
+        return 0;
+}
+static int send_mode_rsp(struct sock *sk, u16 opcode, u16 index, u8 val)
+{
+        struct mgmt_mode rp;
+        rp.val = val;
+        return cmd_complete(sk, index, opcode, &rp, sizeof(rp));
+}
-        rp = (void *) skb_put(skb, sizeof(*rp));
+static int set_pairable(struct sock *sk, u16 index, unsigned char *data,
+                                                                        u16 len)
+{
+        struct mgmt_mode *cp, ev;
+        struct hci_dev *hdev;
+        int err;
        cp = (void *) data;
-        dev_id = get_unaligned_le16(&cp->index);
-        BT_DBG("request for hci%u", dev_id);
+        BT_DBG("request for hci%u", index);
-        hdev = hci_dev_get(dev_id);
+        if (len != sizeof(*cp))
-        if (!hdev) {
+                return cmd_status(sk, index, MGMT_OP_SET_PAIRABLE, EINVAL);
-                kfree_skb(skb);
-                return cmd_status(sk, MGMT_OP_READ_INFO, ENODEV);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_SET_PAIRABLE, ENODEV);
+        hci_dev_lock(hdev);
+        if (cp->val)
+                set_bit(HCI_PAIRABLE, &hdev->flags);
+        else
+                clear_bit(HCI_PAIRABLE, &hdev->flags);
+        err = send_mode_rsp(sk, MGMT_OP_SET_PAIRABLE, index, cp->val);
+        if (err < 0)
+                goto failed;
+        ev.val = cp->val;
+        err = mgmt_event(MGMT_EV_PAIRABLE, index, &ev, sizeof(ev), sk);
+failed:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+#define EIR_FLAGS               0x01 /* flags */
+#define EIR_UUID16_SOME         0x02 /* 16-bit UUID, more available */
+#define EIR_UUID16_ALL          0x03 /* 16-bit UUID, all listed */
+#define EIR_UUID32_SOME         0x04 /* 32-bit UUID, more available */
+#define EIR_UUID32_ALL          0x05 /* 32-bit UUID, all listed */
+#define EIR_UUID128_SOME        0x06 /* 128-bit UUID, more available */
+#define EIR_UUID128_ALL         0x07 /* 128-bit UUID, all listed */
+#define EIR_NAME_SHORT          0x08 /* shortened local name */
+#define EIR_NAME_COMPLETE       0x09 /* complete local name */
+#define EIR_TX_POWER            0x0A /* transmit power level */
+#define EIR_DEVICE_ID           0x10 /* device ID */
+#define PNP_INFO_SVCLASS_ID             0x1200
+static u8 bluetooth_base_uuid[] = {
+                        0xFB, 0x34, 0x9B, 0x5F, 0x80, 0x00, 0x00, 0x80,
+                        0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+static u16 get_uuid16(u8 *uuid128)
+{
+        u32 val;
+        int i;
+        for (i = 0; i < 12; i++) {
+                if (bluetooth_base_uuid[i] != uuid128[i])
+                        return 0;
        }
-        hci_dev_lock_bh(hdev);
+        memcpy(&val, &uuid128[12], 4);
-        put_unaligned_le16(hdev->id, &rp->index);
+        val = le32_to_cpu(val);
-        rp->type = hdev->dev_type;
+        if (val > 0xffff)
+                return 0;
-        rp->powered = test_bit(HCI_UP, &hdev->flags);
+        return (u16) val;
-        rp->discoverable = test_bit(HCI_ISCAN, &hdev->flags);
+}
-        rp->pairable = test_bit(HCI_PSCAN, &hdev->flags);
-        if (test_bit(HCI_AUTH, &hdev->flags))
+static void create_eir(struct hci_dev *hdev, u8 *data)
-                rp->sec_mode = 3;
+{
-        else if (hdev->ssp_mode > 0)
+        u8 *ptr = data;
-                rp->sec_mode = 4;
+        u16 eir_len = 0;
+        u16 uuid16_list[HCI_MAX_EIR_LENGTH / sizeof(u16)];
+        int i, truncated = 0;
+        struct list_head *p;
+        size_t name_len;
+        name_len = strlen(hdev->dev_name);
+        if (name_len > 0) {
+                /* EIR Data type */
+                if (name_len > 48) {
+                        name_len = 48;
+                        ptr[1] = EIR_NAME_SHORT;
+                } else
+                        ptr[1] = EIR_NAME_COMPLETE;
+                /* EIR Data length */
+                ptr[0] = name_len + 1;
+                memcpy(ptr + 2, hdev->dev_name, name_len);
+                eir_len += (name_len + 2);
+                ptr += (name_len + 2);
+        }
+        memset(uuid16_list, 0, sizeof(uuid16_list));
+        /* Group all UUID16 types */
+        list_for_each(p, &hdev->uuids) {
+                struct bt_uuid *uuid = list_entry(p, struct bt_uuid, list);
+                u16 uuid16;
+                uuid16 = get_uuid16(uuid->uuid);
+                if (uuid16 == 0)
+                        return;
+                if (uuid16 < 0x1100)
+                        continue;
+                if (uuid16 == PNP_INFO_SVCLASS_ID)
+                        continue;
+                /* Stop if not enough space to put next UUID */
+                if (eir_len + 2 + sizeof(u16) > HCI_MAX_EIR_LENGTH) {
+                        truncated = 1;
+                        break;
+                }
+                /* Check for duplicates */
+                for (i = 0; uuid16_list[i] != 0; i++)
+                        if (uuid16_list[i] == uuid16)
+                                break;
+                if (uuid16_list[i] == 0) {
+                        uuid16_list[i] = uuid16;
+                        eir_len += sizeof(u16);
+                }
+        }
+        if (uuid16_list[0] != 0) {
+                u8 *length = ptr;
+                /* EIR Data type */
+                ptr[1] = truncated ? EIR_UUID16_SOME : EIR_UUID16_ALL;
+                ptr += 2;
+                eir_len += 2;
+                for (i = 0; uuid16_list[i] != 0; i++) {
+                        *ptr++ = (uuid16_list[i] & 0x00ff);
+                        *ptr++ = (uuid16_list[i] & 0xff00) >> 8;
+                }
+                /* EIR Data length */
+                *length = (i * sizeof(u16)) + 1;
+        }
+}
+static int update_eir(struct hci_dev *hdev)
+{
+        struct hci_cp_write_eir cp;
+        if (!(hdev->features[6] & LMP_EXT_INQ))
+                return 0;
+        if (hdev->ssp_mode == 0)
+                return 0;
+        if (test_bit(HCI_SERVICE_CACHE, &hdev->flags))
+                return 0;
+        memset(&cp, 0, sizeof(cp));
+        create_eir(hdev, cp.data);
+        if (memcmp(cp.data, hdev->eir, sizeof(cp.data)) == 0)
+                return 0;
+        memcpy(hdev->eir, cp.data, sizeof(cp.data));
+        return hci_send_cmd(hdev, HCI_OP_WRITE_EIR, sizeof(cp), &cp);
+}
+static u8 get_service_classes(struct hci_dev *hdev)
+{
+        struct list_head *p;
+        u8 val = 0;
+        list_for_each(p, &hdev->uuids) {
+                struct bt_uuid *uuid = list_entry(p, struct bt_uuid, list);
+                val |= uuid->svc_hint;
+        }
+        return val;
+}
+static int update_class(struct hci_dev *hdev)
+{
+        u8 cod[3];
+        BT_DBG("%s", hdev->name);
+        if (test_bit(HCI_SERVICE_CACHE, &hdev->flags))
+                return 0;
+        cod[0] = hdev->minor_class;
+        cod[1] = hdev->major_class;
+        cod[2] = get_service_classes(hdev);
+        if (memcmp(cod, hdev->dev_class, 3) == 0)
+                return 0;
+        return hci_send_cmd(hdev, HCI_OP_WRITE_CLASS_OF_DEV, sizeof(cod), cod);
+}
+static int add_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
+{
+        struct mgmt_cp_add_uuid *cp;
+        struct hci_dev *hdev;
+        struct bt_uuid *uuid;
+        int err;
+        cp = (void *) data;
+        BT_DBG("request for hci%u", index);
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_ADD_UUID, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_ADD_UUID, ENODEV);
+        hci_dev_lock(hdev);
+        uuid = kmalloc(sizeof(*uuid), GFP_ATOMIC);
+        if (!uuid) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        memcpy(uuid->uuid, cp->uuid, 16);
+        uuid->svc_hint = cp->svc_hint;
+        list_add(&uuid->list, &hdev->uuids);
+        err = update_class(hdev);
+        if (err < 0)
+                goto failed;
+        err = update_eir(hdev);
+        if (err < 0)
+                goto failed;
+        err = cmd_complete(sk, index, MGMT_OP_ADD_UUID, NULL, 0);
+failed:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int remove_uuid(struct sock *sk, u16 index, unsigned char *data, u16 len)
+{
+        struct list_head *p, *n;
+        struct mgmt_cp_remove_uuid *cp;
+        struct hci_dev *hdev;
+        u8 bt_uuid_any[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+        int err, found;
+        cp = (void *) data;
+        BT_DBG("request for hci%u", index);
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_REMOVE_UUID, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_REMOVE_UUID, ENODEV);
+        hci_dev_lock(hdev);
+        if (memcmp(cp->uuid, bt_uuid_any, 16) == 0) {
+                err = hci_uuids_clear(hdev);
+                goto unlock;
+        }
+        found = 0;
+        list_for_each_safe(p, n, &hdev->uuids) {
+                struct bt_uuid *match = list_entry(p, struct bt_uuid, list);
+                if (memcmp(match->uuid, cp->uuid, 16) != 0)
+                        continue;
+                list_del(&match->list);
+                found++;
+        }
+        if (found == 0) {
+                err = cmd_status(sk, index, MGMT_OP_REMOVE_UUID, ENOENT);
+                goto unlock;
+        }
+        err = update_class(hdev);
+        if (err < 0)
+                goto unlock;
+        err = update_eir(hdev);
+        if (err < 0)
+                goto unlock;
+        err = cmd_complete(sk, index, MGMT_OP_REMOVE_UUID, NULL, 0);
+unlock:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int set_dev_class(struct sock *sk, u16 index, unsigned char *data,
+                                                                        u16 len)
+{
+        struct hci_dev *hdev;
+        struct mgmt_cp_set_dev_class *cp;
+        int err;
+        cp = (void *) data;
+        BT_DBG("request for hci%u", index);
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_SET_DEV_CLASS, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_SET_DEV_CLASS, ENODEV);
+        hci_dev_lock(hdev);
+        hdev->major_class = cp->major;
+        hdev->minor_class = cp->minor;
+        err = update_class(hdev);
+        if (err == 0)
+                err = cmd_complete(sk, index, MGMT_OP_SET_DEV_CLASS, NULL, 0);
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int set_service_cache(struct sock *sk, u16 index,  unsigned char *data,
+                                                                        u16 len)
+{
+        struct hci_dev *hdev;
+        struct mgmt_cp_set_service_cache *cp;
+        int err;
+        cp = (void *) data;
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_SET_SERVICE_CACHE, ENODEV);
+        hci_dev_lock(hdev);
+        BT_DBG("hci%u enable %d", index, cp->enable);
+        if (cp->enable) {
+                set_bit(HCI_SERVICE_CACHE, &hdev->flags);
+                err = 0;
+        } else {
+                clear_bit(HCI_SERVICE_CACHE, &hdev->flags);
+                err = update_class(hdev);
+                if (err == 0)
+                        err = update_eir(hdev);
+        }
+        if (err == 0)
+                err = cmd_complete(sk, index, MGMT_OP_SET_SERVICE_CACHE, NULL,
+                                                                        0);
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int load_keys(struct sock *sk, u16 index, unsigned char *data, u16 len)
+{
+        struct hci_dev *hdev;
+        struct mgmt_cp_load_keys *cp;
+        u16 key_count, expected_len;
+        int i;
+        cp = (void *) data;
+        if (len < sizeof(*cp))
+                return -EINVAL;
+        key_count = get_unaligned_le16(&cp->key_count);
+        expected_len = sizeof(*cp) + key_count * sizeof(struct mgmt_key_info);
+        if (expected_len != len) {
+                BT_ERR("load_keys: expected %u bytes, got %u bytes",
+                                                        len, expected_len);
+                return -EINVAL;
+        }
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_LOAD_KEYS, ENODEV);
+        BT_DBG("hci%u debug_keys %u key_count %u", index, cp->debug_keys,
+                                                                key_count);
+        hci_dev_lock(hdev);
+        hci_link_keys_clear(hdev);
+        set_bit(HCI_LINK_KEYS, &hdev->flags);
+        if (cp->debug_keys)
+                set_bit(HCI_DEBUG_KEYS, &hdev->flags);
        else
-                rp->sec_mode = 2;
+                clear_bit(HCI_DEBUG_KEYS, &hdev->flags);
+        for (i = 0; i < key_count; i++) {
+                struct mgmt_key_info *key = &cp->keys[i];
+                hci_add_link_key(hdev, NULL, 0, &key->bdaddr, key->val, key->type,
+                                                                key->pin_len);
+        }
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return 0;
+}
+static int remove_key(struct sock *sk, u16 index, unsigned char *data, u16 len)
+{
+        struct hci_dev *hdev;
+        struct mgmt_cp_remove_key *cp;
+        struct hci_conn *conn;
+        int err;
+        cp = (void *) data;
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_REMOVE_KEY, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_REMOVE_KEY, ENODEV);
+        hci_dev_lock(hdev);
+        err = hci_remove_link_key(hdev, &cp->bdaddr);
+        if (err < 0) {
+                err = cmd_status(sk, index, MGMT_OP_REMOVE_KEY, -err);
+                goto unlock;
+        }
-        bacpy(&rp->bdaddr, &hdev->bdaddr);
+        err = 0;
-        memcpy(rp->features, hdev->features, 8);
-        memcpy(rp->dev_class, hdev->dev_class, 3);
+        if (!test_bit(HCI_UP, &hdev->flags) || !cp->disconnect)
-        put_unaligned_le16(hdev->manufacturer, &rp->manufacturer);
+                goto unlock;
-        rp->hci_ver = hdev->hci_ver;
-        put_unaligned_le16(hdev->hci_rev, &rp->hci_rev);
+        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
+        if (conn) {
+                struct hci_cp_disconnect dc;
+                put_unaligned_le16(conn->handle, &dc.handle);
+                dc.reason = 0x13; /* Remote User Terminated Connection */
+                err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, 0, NULL);
+        }
+unlock:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int disconnect(struct sock *sk, u16 index, unsigned char *data, u16 len)
+{
+        struct hci_dev *hdev;
+        struct mgmt_cp_disconnect *cp;
+        struct hci_cp_disconnect dc;
+        struct pending_cmd *cmd;
+        struct hci_conn *conn;
+        int err;
+        BT_DBG("");
+        cp = (void *) data;
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_DISCONNECT, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_DISCONNECT, ENODEV);
+        hci_dev_lock(hdev);
+        if (!test_bit(HCI_UP, &hdev->flags)) {
+                err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENETDOWN);
+                goto failed;
+        }
+        if (mgmt_pending_find(MGMT_OP_DISCONNECT, index)) {
+                err = cmd_status(sk, index, MGMT_OP_DISCONNECT, EBUSY);
+                goto failed;
+        }
+        conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &cp->bdaddr);
+        if (!conn)
+                conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->bdaddr);
+        if (!conn) {
+                err = cmd_status(sk, index, MGMT_OP_DISCONNECT, ENOTCONN);
+                goto failed;
+        }
+        cmd = mgmt_pending_add(sk, MGMT_OP_DISCONNECT, index, data, len);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        put_unaligned_le16(conn->handle, &dc.handle);
+        dc.reason = 0x13; /* Remote User Terminated Connection */
+        err = hci_send_cmd(hdev, HCI_OP_DISCONNECT, sizeof(dc), &dc);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+failed:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int get_connections(struct sock *sk, u16 index)
+{
+        struct mgmt_rp_get_connections *rp;
+        struct hci_dev *hdev;
+        struct list_head *p;
+        size_t rp_len;
+        u16 count;
+        int i, err;
+        BT_DBG("");
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_GET_CONNECTIONS, ENODEV);
+        hci_dev_lock(hdev);
+        count = 0;
+        list_for_each(p, &hdev->conn_hash.list) {
+                count++;
+        }
+        rp_len = sizeof(*rp) + (count * sizeof(bdaddr_t));
+        rp = kmalloc(rp_len, GFP_ATOMIC);
+        if (!rp) {
+                err = -ENOMEM;
+                goto unlock;
+        }
+        put_unaligned_le16(count, &rp->conn_count);
+        read_lock(&hci_dev_list_lock);
+        i = 0;
+        list_for_each(p, &hdev->conn_hash.list) {
+                struct hci_conn *c = list_entry(p, struct hci_conn, list);
+                bacpy(&rp->conn[i++], &c->dst);
+        }
+        read_unlock(&hci_dev_list_lock);
+        err = cmd_complete(sk, index, MGMT_OP_GET_CONNECTIONS, rp, rp_len);
+unlock:
+        kfree(rp);
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int pin_code_reply(struct sock *sk, u16 index, unsigned char *data,
+                                                                        u16 len)
+{
+        struct hci_dev *hdev;
+        struct mgmt_cp_pin_code_reply *cp;
+        struct hci_cp_pin_code_reply reply;
+        struct pending_cmd *cmd;
+        int err;
+        BT_DBG("");
+        cp = (void *) data;
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENODEV);
+        hci_dev_lock(hdev);
+        if (!test_bit(HCI_UP, &hdev->flags)) {
+                err = cmd_status(sk, index, MGMT_OP_PIN_CODE_REPLY, ENETDOWN);
+                goto failed;
+        }
+        cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_REPLY, index, data, len);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        bacpy(&reply.bdaddr, &cp->bdaddr);
+        reply.pin_len = cp->pin_len;
+        memcpy(reply.pin_code, cp->pin_code, 16);
+        err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_REPLY, sizeof(reply), &reply);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+failed:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int pin_code_neg_reply(struct sock *sk, u16 index, unsigned char *data,
+                                                                        u16 len)
+{
+        struct hci_dev *hdev;
+        struct mgmt_cp_pin_code_neg_reply *cp;
+        struct pending_cmd *cmd;
+        int err;
+        BT_DBG("");
+        cp = (void *) data;
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
+                                                                        EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
+                                                                        ENODEV);
+        hci_dev_lock(hdev);
+        if (!test_bit(HCI_UP, &hdev->flags)) {
+                err = cmd_status(sk, index, MGMT_OP_PIN_CODE_NEG_REPLY,
+                                                                ENETDOWN);
+                goto failed;
+        }
+        cmd = mgmt_pending_add(sk, MGMT_OP_PIN_CODE_NEG_REPLY, index,
+                                                                data, len);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        err = hci_send_cmd(hdev, HCI_OP_PIN_CODE_NEG_REPLY, sizeof(cp->bdaddr),
+                                                                &cp->bdaddr);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+failed:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int set_io_capability(struct sock *sk, u16 index, unsigned char *data,
+                                                                        u16 len)
+{
+        struct hci_dev *hdev;
+        struct mgmt_cp_set_io_capability *cp;
+        BT_DBG("");
+        cp = (void *) data;
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_SET_IO_CAPABILITY, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_SET_IO_CAPABILITY, ENODEV);
+        hci_dev_lock(hdev);
+        hdev->io_capability = cp->io_capability;
+        BT_DBG("%s IO capability set to 0x%02x", hdev->name,
+                                                        hdev->io_capability);
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return cmd_complete(sk, index, MGMT_OP_SET_IO_CAPABILITY, NULL, 0);
+}
+static inline struct pending_cmd *find_pairing(struct hci_conn *conn)
+{
+        struct hci_dev *hdev = conn->hdev;
+        struct list_head *p;
+        list_for_each(p, &cmd_list) {
+                struct pending_cmd *cmd;
+                cmd = list_entry(p, struct pending_cmd, list);
+                if (cmd->opcode != MGMT_OP_PAIR_DEVICE)
+                        continue;
+                if (cmd->index != hdev->id)
+                        continue;
+                if (cmd->user_data != conn)
+                        continue;
+                return cmd;
+        }
+        return NULL;
+}
+static void pairing_complete(struct pending_cmd *cmd, u8 status)
+{
+        struct mgmt_rp_pair_device rp;
+        struct hci_conn *conn = cmd->user_data;
+        bacpy(&rp.bdaddr, &conn->dst);
+        rp.status = status;
+        cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE, &rp, sizeof(rp));
+        /* So we don't get further callbacks for this connection */
+        conn->connect_cfm_cb = NULL;
+        conn->security_cfm_cb = NULL;
+        conn->disconn_cfm_cb = NULL;
+        hci_conn_put(conn);
+        mgmt_pending_remove(cmd);
+}
+static void pairing_complete_cb(struct hci_conn *conn, u8 status)
+{
+        struct pending_cmd *cmd;
+        BT_DBG("status %u", status);
+        cmd = find_pairing(conn);
+        if (!cmd) {
+                BT_DBG("Unable to find a pending command");
+                return;
+        }
+        pairing_complete(cmd, status);
+}
+static int pair_device(struct sock *sk, u16 index, unsigned char *data, u16 len)
+{
+        struct hci_dev *hdev;
+        struct mgmt_cp_pair_device *cp;
+        struct pending_cmd *cmd;
+        u8 sec_level, auth_type;
+        struct hci_conn *conn;
+        int err;
+        BT_DBG("");
+        cp = (void *) data;
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_PAIR_DEVICE, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_PAIR_DEVICE, ENODEV);
+        hci_dev_lock(hdev);
+        if (cp->io_cap == 0x03) {
+                sec_level = BT_SECURITY_MEDIUM;
+                auth_type = HCI_AT_DEDICATED_BONDING;
+        } else {
+                sec_level = BT_SECURITY_HIGH;
+                auth_type = HCI_AT_DEDICATED_BONDING_MITM;
+        }
+        conn = hci_connect(hdev, ACL_LINK, &cp->bdaddr, sec_level, auth_type);
+        if (IS_ERR(conn)) {
+                err = PTR_ERR(conn);
+                goto unlock;
+        }
+        if (conn->connect_cfm_cb) {
+                hci_conn_put(conn);
+                err = cmd_status(sk, index, MGMT_OP_PAIR_DEVICE, EBUSY);
+                goto unlock;
+        }
+        cmd = mgmt_pending_add(sk, MGMT_OP_PAIR_DEVICE, index, data, len);
+        if (!cmd) {
+                err = -ENOMEM;
+                hci_conn_put(conn);
+                goto unlock;
+        }
+        conn->connect_cfm_cb = pairing_complete_cb;
+        conn->security_cfm_cb = pairing_complete_cb;
+        conn->disconn_cfm_cb = pairing_complete_cb;
+        conn->io_capability = cp->io_cap;
+        cmd->user_data = conn;
+        if (conn->state == BT_CONNECTED &&
+                                hci_conn_security(conn, sec_level, auth_type))
+                pairing_complete(cmd, 0);
+        err = 0;
+unlock:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
+                                                        u16 len, int success)
+{
+        struct mgmt_cp_user_confirm_reply *cp = (void *) data;
+        u16 mgmt_op, hci_op;
+        struct pending_cmd *cmd;
+        struct hci_dev *hdev;
+        int err;
+        BT_DBG("");
+        if (success) {
+                mgmt_op = MGMT_OP_USER_CONFIRM_REPLY;
+                hci_op = HCI_OP_USER_CONFIRM_REPLY;
+        } else {
+                mgmt_op = MGMT_OP_USER_CONFIRM_NEG_REPLY;
+                hci_op = HCI_OP_USER_CONFIRM_NEG_REPLY;
+        }
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, mgmt_op, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, mgmt_op, ENODEV);
+        hci_dev_lock(hdev);
+        if (!test_bit(HCI_UP, &hdev->flags)) {
+                err = cmd_status(sk, index, mgmt_op, ENETDOWN);
+                goto failed;
+        }
+        cmd = mgmt_pending_add(sk, mgmt_op, index, data, len);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        err = hci_send_cmd(hdev, hci_op, sizeof(cp->bdaddr), &cp->bdaddr);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+failed:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int set_local_name(struct sock *sk, u16 index, unsigned char *data,
+                                                                u16 len)
+{
+        struct mgmt_cp_set_local_name *mgmt_cp = (void *) data;
+        struct hci_cp_write_local_name hci_cp;
+        struct hci_dev *hdev;
+        struct pending_cmd *cmd;
+        int err;
+        BT_DBG("");
+        if (len != sizeof(*mgmt_cp))
+                return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME, EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_SET_LOCAL_NAME, ENODEV);
+        hci_dev_lock(hdev);
+        cmd = mgmt_pending_add(sk, MGMT_OP_SET_LOCAL_NAME, index, data, len);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        memcpy(hci_cp.name, mgmt_cp->name, sizeof(hci_cp.name));
+        err = hci_send_cmd(hdev, HCI_OP_WRITE_LOCAL_NAME, sizeof(hci_cp),
+                                                                &hci_cp);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+failed:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int read_local_oob_data(struct sock *sk, u16 index)
+{
+        struct hci_dev *hdev;
+        struct pending_cmd *cmd;
+        int err;
+        BT_DBG("hci%u", index);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+                                                                        ENODEV);
+        hci_dev_lock(hdev);
+        if (!test_bit(HCI_UP, &hdev->flags)) {
+                err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+                                                                ENETDOWN);
+                goto unlock;
+        }
+        if (!(hdev->features[6] & LMP_SIMPLE_PAIR)) {
+                err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+                                                                EOPNOTSUPP);
+                goto unlock;
+        }
+        if (mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, index)) {
+                err = cmd_status(sk, index, MGMT_OP_READ_LOCAL_OOB_DATA, EBUSY);
+                goto unlock;
+        }
+        cmd = mgmt_pending_add(sk, MGMT_OP_READ_LOCAL_OOB_DATA, index, NULL, 0);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto unlock;
+        }
+        err = hci_send_cmd(hdev, HCI_OP_READ_LOCAL_OOB_DATA, 0, NULL);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+unlock:
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int add_remote_oob_data(struct sock *sk, u16 index, unsigned char *data,
+                                                                        u16 len)
+{
+        struct hci_dev *hdev;
+        struct mgmt_cp_add_remote_oob_data *cp = (void *) data;
+        int err;
+        BT_DBG("hci%u ", index);
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
+                                                                        EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA,
+                                                                        ENODEV);
+        hci_dev_lock(hdev);
+        err = hci_add_remote_oob_data(hdev, &cp->bdaddr, cp->hash,
+                                                                cp->randomizer);
+        if (err < 0)
+                err = cmd_status(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, -err);
+        else
+                err = cmd_complete(sk, index, MGMT_OP_ADD_REMOTE_OOB_DATA, NULL,
+                                                                        0);
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int remove_remote_oob_data(struct sock *sk, u16 index,
+                                                unsigned char *data, u16 len)
+{
+        struct hci_dev *hdev;
+        struct mgmt_cp_remove_remote_oob_data *cp = (void *) data;
+        int err;
+        BT_DBG("hci%u ", index);
+        if (len != sizeof(*cp))
+                return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+                                                                        EINVAL);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+                                                                        ENODEV);
+        hci_dev_lock(hdev);
+        err = hci_remove_remote_oob_data(hdev, &cp->bdaddr);
+        if (err < 0)
+                err = cmd_status(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+                                                                        -err);
+        else
+                err = cmd_complete(sk, index, MGMT_OP_REMOVE_REMOTE_OOB_DATA,
+                                                                NULL, 0);
+        hci_dev_unlock(hdev);
+        hci_dev_put(hdev);
+        return err;
+}
+static int start_discovery(struct sock *sk, u16 index)
+{
+        u8 lap[3] = { 0x33, 0x8b, 0x9e };
+        struct hci_cp_inquiry cp;
+        struct pending_cmd *cmd;
+        struct hci_dev *hdev;
+        int err;
+        BT_DBG("hci%u", index);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_START_DISCOVERY, ENODEV);
+        hci_dev_lock_bh(hdev);
+        cmd = mgmt_pending_add(sk, MGMT_OP_START_DISCOVERY, index, NULL, 0);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        memset(&cp, 0, sizeof(cp));
+        memcpy(&cp.lap, lap, 3);
+        cp.length  = 0x08;
+        cp.num_rsp = 0x00;
+        err = hci_send_cmd(hdev, HCI_OP_INQUIRY, sizeof(cp), &cp);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+failed:
        hci_dev_unlock_bh(hdev);
        hci_dev_put(hdev);
-        if (sock_queue_rcv_skb(sk, skb) < 0)
+        return err;
-                kfree_skb(skb);
+}
-        return 0;
+static int stop_discovery(struct sock *sk, u16 index)
+{
+        struct hci_dev *hdev;
+        struct pending_cmd *cmd;
+        int err;
+        BT_DBG("hci%u", index);
+        hdev = hci_dev_get(index);
+        if (!hdev)
+                return cmd_status(sk, index, MGMT_OP_STOP_DISCOVERY, ENODEV);
+        hci_dev_lock_bh(hdev);
+        cmd = mgmt_pending_add(sk, MGMT_OP_STOP_DISCOVERY, index, NULL, 0);
+        if (!cmd) {
+                err = -ENOMEM;
+                goto failed;
+        }
+        err = hci_send_cmd(hdev, HCI_OP_INQUIRY_CANCEL, 0, NULL);
+        if (err < 0)
+                mgmt_pending_remove(cmd);
+failed:
+        hci_dev_unlock_bh(hdev);
+        hci_dev_put(hdev);
+        return err;
 }
 int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
 {
        unsigned char *buf;
        struct mgmt_hdr *hdr;
-        u16 opcode, len;
+        u16 opcode, index, len;
        int err;
        BT_DBG("got %zu bytes", msglen);
@@ -222,7 +1653,7 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
        if (msglen < sizeof(*hdr))
                return -EINVAL;
-        buf = kmalloc(msglen, GFP_ATOMIC);
+        buf = kmalloc(msglen, GFP_KERNEL);
        if (!buf)
                return -ENOMEM;
@@ -233,6 +1664,7 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
        hdr = (struct mgmt_hdr *) buf;
        opcode = get_unaligned_le16(&hdr->opcode);
+        index = get_unaligned_le16(&hdr->index);
        len = get_unaligned_le16(&hdr->len);
        if (len != msglen - sizeof(*hdr)) {
@@ -248,11 +1680,84 @@ int mgmt_control(struct sock *sk, struct msghdr *msg, size_t msglen)
                err = read_index_list(sk);
                break;
        case MGMT_OP_READ_INFO:
-                err = read_controller_info(sk, buf + sizeof(*hdr), len);
+                err = read_controller_info(sk, index);
+                break;
+        case MGMT_OP_SET_POWERED:
+                err = set_powered(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_SET_DISCOVERABLE:
+                err = set_discoverable(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_SET_CONNECTABLE:
+                err = set_connectable(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_SET_PAIRABLE:
+                err = set_pairable(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_ADD_UUID:
+                err = add_uuid(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_REMOVE_UUID:
+                err = remove_uuid(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_SET_DEV_CLASS:
+                err = set_dev_class(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_SET_SERVICE_CACHE:
+                err = set_service_cache(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_LOAD_KEYS:
+                err = load_keys(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_REMOVE_KEY:
+                err = remove_key(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_DISCONNECT:
+                err = disconnect(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_GET_CONNECTIONS:
+                err = get_connections(sk, index);
+                break;
+        case MGMT_OP_PIN_CODE_REPLY:
+                err = pin_code_reply(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_PIN_CODE_NEG_REPLY:
+                err = pin_code_neg_reply(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_SET_IO_CAPABILITY:
+                err = set_io_capability(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_PAIR_DEVICE:
+                err = pair_device(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_USER_CONFIRM_REPLY:
+                err = user_confirm_reply(sk, index, buf + sizeof(*hdr), len, 1);
+                break;
+        case MGMT_OP_USER_CONFIRM_NEG_REPLY:
+                err = user_confirm_reply(sk, index, buf + sizeof(*hdr), len, 0);
+                break;
+        case MGMT_OP_SET_LOCAL_NAME:
+                err = set_local_name(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_READ_LOCAL_OOB_DATA:
+                err = read_local_oob_data(sk, index);
+                break;
+        case MGMT_OP_ADD_REMOTE_OOB_DATA:
+                err = add_remote_oob_data(sk, index, buf + sizeof(*hdr), len);
+                break;
+        case MGMT_OP_REMOVE_REMOTE_OOB_DATA:
+                err = remove_remote_oob_data(sk, index, buf + sizeof(*hdr),
+                                                                        len);
+                break;
+        case MGMT_OP_START_DISCOVERY:
+                err = start_discovery(sk, index);
+                break;
+        case MGMT_OP_STOP_DISCOVERY:
+                err = stop_discovery(sk, index);
                break;
        default:
                BT_DBG("Unknown op %u", opcode);
-                err = cmd_status(sk, opcode, 0x01);
+                err = cmd_status(sk, index, opcode, 0x01);
                break;
        }
@@ -266,43 +1771,393 @@ done:
        return err;
 }
-static int mgmt_event(u16 event, void *data, u16 data_len)
+int mgmt_index_added(u16 index)
 {
-        struct sk_buff *skb;
+        return mgmt_event(MGMT_EV_INDEX_ADDED, index, NULL, 0, NULL);
-        struct mgmt_hdr *hdr;
+}
-        skb = alloc_skb(sizeof(*hdr) + data_len, GFP_ATOMIC);
+int mgmt_index_removed(u16 index)
-        if (!skb)
+{
-                return -ENOMEM;
+        return mgmt_event(MGMT_EV_INDEX_REMOVED, index, NULL, 0, NULL);
+}
-        bt_cb(skb)->channel = HCI_CHANNEL_CONTROL;
+struct cmd_lookup {
+        u8 val;
+        struct sock *sk;
+};
-        hdr = (void *) skb_put(skb, sizeof(*hdr));
+static void mode_rsp(struct pending_cmd *cmd, void *data)
-        hdr->opcode = cpu_to_le16(event);
+{
-        hdr->len = cpu_to_le16(data_len);
+        struct mgmt_mode *cp = cmd->param;
+        struct cmd_lookup *match = data;
-        memcpy(skb_put(skb, data_len), data, data_len);
+        if (cp->val != match->val)
+                return;
-        hci_send_to_sock(NULL, skb);
+        send_mode_rsp(cmd->sk, cmd->opcode, cmd->index, cp->val);
-        kfree_skb(skb);
-        return 0;
+        list_del(&cmd->list);
+        if (match->sk == NULL) {
+                match->sk = cmd->sk;
+                sock_hold(match->sk);
+        }
+        mgmt_pending_free(cmd);
 }
-int mgmt_index_added(u16 index)
+int mgmt_powered(u16 index, u8 powered)
+{
+        struct mgmt_mode ev;
+        struct cmd_lookup match = { powered, NULL };
+        int ret;
+        mgmt_pending_foreach(MGMT_OP_SET_POWERED, index, mode_rsp, &match);
+        ev.val = powered;
+        ret = mgmt_event(MGMT_EV_POWERED, index, &ev, sizeof(ev), match.sk);
+        if (match.sk)
+                sock_put(match.sk);
+        return ret;
+}
+int mgmt_discoverable(u16 index, u8 discoverable)
 {
-        struct mgmt_ev_index_added ev;
+        struct mgmt_mode ev;
+        struct cmd_lookup match = { discoverable, NULL };
+        int ret;
-        put_unaligned_le16(index, &ev.index);
+        mgmt_pending_foreach(MGMT_OP_SET_DISCOVERABLE, index, mode_rsp, &match);
-        return mgmt_event(MGMT_EV_INDEX_ADDED, &ev, sizeof(ev));
+        ev.val = discoverable;
+        ret = mgmt_event(MGMT_EV_DISCOVERABLE, index, &ev, sizeof(ev),
+                                                                match.sk);
+        if (match.sk)
+                sock_put(match.sk);
+        return ret;
 }
-int mgmt_index_removed(u16 index)
+int mgmt_connectable(u16 index, u8 connectable)
+{
+        struct mgmt_mode ev;
+        struct cmd_lookup match = { connectable, NULL };
+        int ret;
+        mgmt_pending_foreach(MGMT_OP_SET_CONNECTABLE, index, mode_rsp, &match);
+        ev.val = connectable;
+        ret = mgmt_event(MGMT_EV_CONNECTABLE, index, &ev, sizeof(ev), match.sk);
+        if (match.sk)
+                sock_put(match.sk);
+        return ret;
+}
+int mgmt_new_key(u16 index, struct link_key *key, u8 persistent)
+{
+        struct mgmt_ev_new_key ev;
+        memset(&ev, 0, sizeof(ev));
+        ev.store_hint = persistent;
+        bacpy(&ev.key.bdaddr, &key->bdaddr);
+        ev.key.type = key->type;
+        memcpy(ev.key.val, key->val, 16);
+        ev.key.pin_len = key->pin_len;
+        return mgmt_event(MGMT_EV_NEW_KEY, index, &ev, sizeof(ev), NULL);
+}
+int mgmt_connected(u16 index, bdaddr_t *bdaddr)
+{
+        struct mgmt_ev_connected ev;
+        bacpy(&ev.bdaddr, bdaddr);
+        return mgmt_event(MGMT_EV_CONNECTED, index, &ev, sizeof(ev), NULL);
+}
+static void disconnect_rsp(struct pending_cmd *cmd, void *data)
+{
+        struct mgmt_cp_disconnect *cp = cmd->param;
+        struct sock **sk = data;
+        struct mgmt_rp_disconnect rp;
+        bacpy(&rp.bdaddr, &cp->bdaddr);
+        cmd_complete(cmd->sk, cmd->index, MGMT_OP_DISCONNECT, &rp, sizeof(rp));
+        *sk = cmd->sk;
+        sock_hold(*sk);
+        mgmt_pending_remove(cmd);
+}
+int mgmt_disconnected(u16 index, bdaddr_t *bdaddr)
+{
+        struct mgmt_ev_disconnected ev;
+        struct sock *sk = NULL;
+        int err;
+        mgmt_pending_foreach(MGMT_OP_DISCONNECT, index, disconnect_rsp, &sk);
+        bacpy(&ev.bdaddr, bdaddr);
+        err = mgmt_event(MGMT_EV_DISCONNECTED, index, &ev, sizeof(ev), sk);
+        if (sk)
+                sock_put(sk);
+        return err;
+}
+int mgmt_disconnect_failed(u16 index)
+{
+        struct pending_cmd *cmd;
+        int err;
+        cmd = mgmt_pending_find(MGMT_OP_DISCONNECT, index);
+        if (!cmd)
+                return -ENOENT;
+        err = cmd_status(cmd->sk, index, MGMT_OP_DISCONNECT, EIO);
+        mgmt_pending_remove(cmd);
+        return err;
+}
+int mgmt_connect_failed(u16 index, bdaddr_t *bdaddr, u8 status)
+{
+        struct mgmt_ev_connect_failed ev;
+        bacpy(&ev.bdaddr, bdaddr);
+        ev.status = status;
+        return mgmt_event(MGMT_EV_CONNECT_FAILED, index, &ev, sizeof(ev), NULL);
+}
+int mgmt_pin_code_request(u16 index, bdaddr_t *bdaddr, u8 secure)
+{
+        struct mgmt_ev_pin_code_request ev;
+        bacpy(&ev.bdaddr, bdaddr);
+        ev.secure = secure;
+        return mgmt_event(MGMT_EV_PIN_CODE_REQUEST, index, &ev, sizeof(ev),
+                                                                        NULL);
+}
+int mgmt_pin_code_reply_complete(u16 index, bdaddr_t *bdaddr, u8 status)
+{
+        struct pending_cmd *cmd;
+        struct mgmt_rp_pin_code_reply rp;
+        int err;
+        cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_REPLY, index);
+        if (!cmd)
+                return -ENOENT;
+        bacpy(&rp.bdaddr, bdaddr);
+        rp.status = status;
+        err = cmd_complete(cmd->sk, index, MGMT_OP_PIN_CODE_REPLY, &rp,
+                                                                sizeof(rp));
+        mgmt_pending_remove(cmd);
+        return err;
+}
+int mgmt_pin_code_neg_reply_complete(u16 index, bdaddr_t *bdaddr, u8 status)
+{
+        struct pending_cmd *cmd;
+        struct mgmt_rp_pin_code_reply rp;
+        int err;
+        cmd = mgmt_pending_find(MGMT_OP_PIN_CODE_NEG_REPLY, index);
+        if (!cmd)
+                return -ENOENT;
+        bacpy(&rp.bdaddr, bdaddr);
+        rp.status = status;
+        err = cmd_complete(cmd->sk, index, MGMT_OP_PIN_CODE_NEG_REPLY, &rp,
+                                                                sizeof(rp));
+        mgmt_pending_remove(cmd);
+        return err;
+}
+int mgmt_user_confirm_request(u16 index, bdaddr_t *bdaddr, __le32 value,
+                                                        u8 confirm_hint)
+{
+        struct mgmt_ev_user_confirm_request ev;
+        BT_DBG("hci%u", index);
+        bacpy(&ev.bdaddr, bdaddr);
+        ev.confirm_hint = confirm_hint;
+        put_unaligned_le32(value, &ev.value);
+        return mgmt_event(MGMT_EV_USER_CONFIRM_REQUEST, index, &ev, sizeof(ev),
+                                                                        NULL);
+}
+static int confirm_reply_complete(u16 index, bdaddr_t *bdaddr, u8 status,
+                                                                u8 opcode)
 {
-        struct mgmt_ev_index_added ev;
+        struct pending_cmd *cmd;
+        struct mgmt_rp_user_confirm_reply rp;
+        int err;
+        cmd = mgmt_pending_find(opcode, index);
+        if (!cmd)
+                return -ENOENT;
-        put_unaligned_le16(index, &ev.index);
+        bacpy(&rp.bdaddr, bdaddr);
+        rp.status = status;
+        err = cmd_complete(cmd->sk, index, opcode, &rp, sizeof(rp));
-        return mgmt_event(MGMT_EV_INDEX_REMOVED, &ev, sizeof(ev));
+        mgmt_pending_remove(cmd);
+        return err;
+}
+int mgmt_user_confirm_reply_complete(u16 index, bdaddr_t *bdaddr, u8 status)
+{
+        return confirm_reply_complete(index, bdaddr, status,
+                                                MGMT_OP_USER_CONFIRM_REPLY);
+}
+int mgmt_user_confirm_neg_reply_complete(u16 index, bdaddr_t *bdaddr, u8 status)
+{
+        return confirm_reply_complete(index, bdaddr, status,
+                                        MGMT_OP_USER_CONFIRM_NEG_REPLY);
+}
+int mgmt_auth_failed(u16 index, bdaddr_t *bdaddr, u8 status)
+{
+        struct mgmt_ev_auth_failed ev;
+        bacpy(&ev.bdaddr, bdaddr);
+        ev.status = status;
+        return mgmt_event(MGMT_EV_AUTH_FAILED, index, &ev, sizeof(ev), NULL);
+}
+int mgmt_set_local_name_complete(u16 index, u8 *name, u8 status)
+{
+        struct pending_cmd *cmd;
+        struct hci_dev *hdev;
+        struct mgmt_cp_set_local_name ev;
+        int err;
+        memset(&ev, 0, sizeof(ev));
+        memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
+        cmd = mgmt_pending_find(MGMT_OP_SET_LOCAL_NAME, index);
+        if (!cmd)
+                goto send_event;
+        if (status) {
+                err = cmd_status(cmd->sk, index, MGMT_OP_SET_LOCAL_NAME, EIO);
+                goto failed;
+        }
+        hdev = hci_dev_get(index);
+        if (hdev) {
+                hci_dev_lock_bh(hdev);
+                update_eir(hdev);
+                hci_dev_unlock_bh(hdev);
+                hci_dev_put(hdev);
+        }
+        err = cmd_complete(cmd->sk, index, MGMT_OP_SET_LOCAL_NAME, &ev,
+                                                                sizeof(ev));
+        if (err < 0)
+                goto failed;
+send_event:
+        err = mgmt_event(MGMT_EV_LOCAL_NAME_CHANGED, index, &ev, sizeof(ev),
+                                                        cmd ? cmd->sk : NULL);
+failed:
+        if (cmd)
+                mgmt_pending_remove(cmd);
+        return err;
+}
+int mgmt_read_local_oob_data_reply_complete(u16 index, u8 *hash, u8 *randomizer,
+                                                                u8 status)
+{
+        struct pending_cmd *cmd;
+        int err;
+        BT_DBG("hci%u status %u", index, status);
+        cmd = mgmt_pending_find(MGMT_OP_READ_LOCAL_OOB_DATA, index);
+        if (!cmd)
+                return -ENOENT;
+        if (status) {
+                err = cmd_status(cmd->sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+                                                                        EIO);
+        } else {
+                struct mgmt_rp_read_local_oob_data rp;
+                memcpy(rp.hash, hash, sizeof(rp.hash));
+                memcpy(rp.randomizer, randomizer, sizeof(rp.randomizer));
+                err = cmd_complete(cmd->sk, index, MGMT_OP_READ_LOCAL_OOB_DATA,
+                                                        &rp, sizeof(rp));
+        }
+        mgmt_pending_remove(cmd);
+        return err;
+}
+int mgmt_device_found(u16 index, bdaddr_t *bdaddr, u8 *dev_class, s8 rssi,
+                                                                u8 *eir)
+{
+        struct mgmt_ev_device_found ev;
+        memset(&ev, 0, sizeof(ev));
+        bacpy(&ev.bdaddr, bdaddr);
+        memcpy(ev.dev_class, dev_class, sizeof(ev.dev_class));
+        ev.rssi = rssi;
+        if (eir)
+                memcpy(ev.eir, eir, sizeof(ev.eir));
+        return mgmt_event(MGMT_EV_DEVICE_FOUND, index, &ev, sizeof(ev), NULL);
+}
+int mgmt_remote_name(u16 index, bdaddr_t *bdaddr, u8 *name)
+{
+        struct mgmt_ev_remote_name ev;
+        memset(&ev, 0, sizeof(ev));
+        bacpy(&ev.bdaddr, bdaddr);
+        memcpy(ev.name, name, HCI_MAX_NAME_LENGTH);
+        return mgmt_event(MGMT_EV_REMOTE_NAME, index, &ev, sizeof(ev), NULL);
+}
+int mgmt_discovering(u16 index, u8 discovering)
+{
+        return mgmt_event(MGMT_EV_DISCOVERING, index, &discovering,
+                                                sizeof(discovering), NULL);
 }
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 6b83776534fb..5759bb7054f7 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -232,6 +232,8 @@ static int rfcomm_l2sock_create(struct socket **sock)
 static inline int rfcomm_check_security(struct rfcomm_dlc *d)
 {
        struct sock *sk = d->session->sock->sk;
+        struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
        __u8 auth_type;
        switch (d->sec_level) {
@@ -246,8 +248,7 @@ static inline int rfcomm_check_security(struct rfcomm_dlc *d)
                break;
        }
-        return hci_conn_security(l2cap_pi(sk)->conn->hcon, d->sec_level,
+        return hci_conn_security(conn->hcon, d->sec_level, auth_type);
-                                                                auth_type);
 }
 static void rfcomm_session_timeout(unsigned long arg)
@@ -710,10 +711,10 @@ static struct rfcomm_session *rfcomm_session_create(bdaddr_t *src,
        /* Set L2CAP options */
        sk = sock->sk;
        lock_sock(sk);
-        l2cap_pi(sk)->imtu = l2cap_mtu;
+        l2cap_pi(sk)->chan->imtu = l2cap_mtu;
-        l2cap_pi(sk)->sec_level = sec_level;
+        l2cap_pi(sk)->chan->sec_level = sec_level;
        if (l2cap_ertm)
-                l2cap_pi(sk)->mode = L2CAP_MODE_ERTM;
+                l2cap_pi(sk)->chan->mode = L2CAP_MODE_ERTM;
        release_sock(sk);
        s = rfcomm_session_add(sock, BT_BOUND);
@@ -1241,6 +1242,7 @@ static int rfcomm_recv_disc(struct rfcomm_session *s, u8 dlci)
 void rfcomm_dlc_accept(struct rfcomm_dlc *d)
 {
        struct sock *sk = d->session->sock->sk;
+        struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
        BT_DBG("dlc %p", d);
@@ -1254,7 +1256,7 @@ void rfcomm_dlc_accept(struct rfcomm_dlc *d)
        rfcomm_dlc_unlock(d);
        if (d->role_switch)
-                hci_conn_switch_role(l2cap_pi(sk)->conn->hcon, 0x00);
+                hci_conn_switch_role(conn->hcon, 0x00);
        rfcomm_send_msc(d->session, 1, d->dlci, d->v24_sig);
 }
@@ -1890,7 +1892,8 @@ static inline void rfcomm_accept_connection(struct rfcomm_session *s)
                /* We should adjust MTU on incoming sessions.
                 * L2CAP MTU minus UIH header and FCS. */
-                s->mtu = min(l2cap_pi(nsock->sk)->omtu, l2cap_pi(nsock->sk)->imtu) - 5;
+                s->mtu = min(l2cap_pi(nsock->sk)->chan->omtu,
+                                l2cap_pi(nsock->sk)->chan->imtu) - 5;
                rfcomm_schedule();
        } else
@@ -1909,7 +1912,7 @@ static inline void rfcomm_check_connection(struct rfcomm_session *s)
                /* We can adjust MTU on outgoing sessions.
                 * L2CAP MTU minus UIH header and FCS. */
-                s->mtu = min(l2cap_pi(sk)->omtu, l2cap_pi(sk)->imtu) - 5;
+                s->mtu = min(l2cap_pi(sk)->chan->omtu, l2cap_pi(sk)->chan->imtu) - 5;
                rfcomm_send_sabm(s, 0);
                break;
@@ -1992,7 +1995,7 @@ static int rfcomm_add_listener(bdaddr_t *ba)
        /* Set L2CAP options */
        sk = sock->sk;
        lock_sock(sk);
-        l2cap_pi(sk)->imtu = l2cap_mtu;
+        l2cap_pi(sk)->chan->imtu = l2cap_mtu;
        release_sock(sk);
        /* Start listening on the socket */
@@ -2093,7 +2096,7 @@ static void rfcomm_security_cfm(struct hci_conn *conn, u8 status, u8 encrypt)
                if (!test_and_clear_bit(RFCOMM_AUTH_PENDING, &d->flags))
                        continue;
-                if (!status)
+                if (!status && hci_conn_check_secure(conn, d->sec_level))
                        set_bit(RFCOMM_AUTH_ACCEPT, &d->flags);
                else
                        set_bit(RFCOMM_AUTH_REJECT, &d->flags);
@@ -2154,8 +2157,6 @@ static int __init rfcomm_init(void)
 {
        int err;
-        l2cap_load();
        hci_register_cb(&rfcomm_cb);
        rfcomm_thread = kthread_run(rfcomm_run, NULL, "krfcommd");
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 66cc1f0c3df8..386cfaffd4b7 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -743,6 +743,7 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
        struct sock *sk = sock->sk;
        struct sock *l2cap_sk;
        struct rfcomm_conninfo cinfo;
+        struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;
        int len, err = 0;
        u32 opt;
@@ -787,8 +788,8 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u
                l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
-                cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
+                cinfo.hci_handle = conn->hcon->handle;
-                memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
+                memcpy(cinfo.dev_class, conn->hcon->dev_class, 3);
                len = min_t(unsigned int, len, sizeof(cinfo));
                if (copy_to_user(optval, (char *) &cinfo, len))
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index d7b9af4703d0..c258796313e0 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -832,7 +832,7 @@ static int rfcomm_tty_write_room(struct tty_struct *tty)
        return room;
 }
-static int rfcomm_tty_ioctl(struct tty_struct *tty, struct file *filp, unsigned int cmd, unsigned long arg)
+static int rfcomm_tty_ioctl(struct tty_struct *tty, unsigned int cmd, unsigned long arg)
 {
        BT_DBG("tty %p cmd 0x%02x", tty, cmd);
@@ -1091,7 +1091,7 @@ static void rfcomm_tty_hangup(struct tty_struct *tty)
        }
 }
-static int rfcomm_tty_tiocmget(struct tty_struct *tty, struct file *filp)
+static int rfcomm_tty_tiocmget(struct tty_struct *tty)
 {
        struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
@@ -1100,7 +1100,7 @@ static int rfcomm_tty_tiocmget(struct tty_struct *tty, struct file *filp)
        return dev->modem_status;
 }
-static int rfcomm_tty_tiocmset(struct tty_struct *tty, struct file *filp, unsigned int set, unsigned int clear)
+static int rfcomm_tty_tiocmset(struct tty_struct *tty, unsigned int set, unsigned int clear)
 {
        struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
        struct rfcomm_dlc *dlc = dev->dlc;
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 960c6d1637da..42fdffd1d76c 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -50,8 +50,6 @@
 #include <net/bluetooth/hci_core.h>
 #include <net/bluetooth/sco.h>
-#define VERSION "0.6"
 static int disable_esco;
 static const struct proto_ops sco_sock_ops;
@@ -192,20 +190,21 @@ static int sco_connect(struct sock *sk)
        hci_dev_lock_bh(hdev);
-        err = -ENOMEM;
        if (lmp_esco_capable(hdev) && !disable_esco)
                type = ESCO_LINK;
        else
                type = SCO_LINK;
        hcon = hci_connect(hdev, type, dst, BT_SECURITY_LOW, HCI_AT_NO_BONDING);
-        if (!hcon)
+        if (IS_ERR(hcon)) {
+                err = PTR_ERR(hcon);
                goto done;
+        }
        conn = sco_conn_add(hcon, 0);
        if (!conn) {
                hci_conn_put(hcon);
+                err = -ENOMEM;
                goto done;
        }
@@ -703,6 +702,7 @@ static int sco_sock_getsockopt_old(struct socket *sock, int optname, char __user
                        break;
                }
+                memset(&cinfo, 0, sizeof(cinfo));
                cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
                memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
@@ -1023,7 +1023,7 @@ static struct hci_proto sco_hci_proto = {
        .recv_scodata   = sco_recv_scodata
 };
-static int __init sco_init(void)
+int __init sco_init(void)
 {
        int err;
@@ -1051,7 +1051,6 @@ static int __init sco_init(void)
                        BT_ERR("Failed to create SCO debug file");
        }
-        BT_INFO("SCO (Voice Link) ver %s", VERSION);
        BT_INFO("SCO socket layer initialized");
        return 0;
@@ -1061,7 +1060,7 @@ error:
        return err;
 }
-static void __exit sco_exit(void)
+void __exit sco_exit(void)
 {
        debugfs_remove(sco_debugfs);
@@ -1074,14 +1073,5 @@ static void __exit sco_exit(void)
        proto_unregister(&sco_proto);
 }
-module_init(sco_init);
-module_exit(sco_exit);
 module_param(disable_esco, bool, 0644);
 MODULE_PARM_DESC(disable_esco, "Disable eSCO connection creation");
-MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
-MODULE_DESCRIPTION("Bluetooth SCO ver " VERSION);
-MODULE_VERSION(VERSION);
-MODULE_LICENSE("GPL");
-MODULE_ALIAS("bt-proto-2");
diff --git a/net/bridge/Kconfig b/net/bridge/Kconfig
index 9190ae462cb4..6dee7bf648a9 100644
--- a/net/bridge/Kconfig
+++ b/net/bridge/Kconfig
@@ -6,6 +6,7 @@ config BRIDGE
        tristate "802.1d Ethernet Bridging"
        select LLC
        select STP
+        depends on IPV6 || IPV6=n
        ---help---
          If you say Y here, then your Linux box will be able to act as an
          Ethernet bridge, which means that the different Ethernet segments it
diff --git a/net/bridge/br.c b/net/bridge/br.c
index 84bbb82599b2..f20c4fd915a8 100644
--- a/net/bridge/br.c
+++ b/net/bridge/br.c
@@ -104,3 +104,4 @@ module_init(br_init)
 module_exit(br_deinit)
 MODULE_LICENSE("GPL");
 MODULE_VERSION(BR_VERSION);
+MODULE_ALIAS_RTNL_LINK("bridge");
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 556443566e9c..a6b2f86378c7 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -74,11 +74,23 @@ out:
        return NETDEV_TX_OK;
 }
+static int br_dev_init(struct net_device *dev)
+{
+        struct net_bridge *br = netdev_priv(dev);
+        br->stats = alloc_percpu(struct br_cpu_netstats);
+        if (!br->stats)
+                return -ENOMEM;
+        return 0;
+}
 static int br_dev_open(struct net_device *dev)
 {
        struct net_bridge *br = netdev_priv(dev);
-        br_features_recompute(br);
+        netif_carrier_off(dev);
+        netdev_update_features(dev);
        netif_start_queue(dev);
        br_stp_enable_bridge(br);
        br_multicast_open(br);
@@ -94,6 +106,8 @@ static int br_dev_stop(struct net_device *dev)
 {
        struct net_bridge *br = netdev_priv(dev);
+        netif_carrier_off(dev);
        br_stp_disable_bridge(br);
        br_multicast_stop(br);
@@ -173,48 +187,11 @@ static void br_getinfo(struct net_device *dev, struct ethtool_drvinfo *info)
        strcpy(info->bus_info, "N/A");
 }
-static int br_set_sg(struct net_device *dev, u32 data)
+static u32 br_fix_features(struct net_device *dev, u32 features)
 {
        struct net_bridge *br = netdev_priv(dev);
-        if (data)
+        return br_features_recompute(br, features);
-                br->feature_mask |= NETIF_F_SG;
-        else
-                br->feature_mask &= ~NETIF_F_SG;
-        br_features_recompute(br);
-        return 0;
-}
-static int br_set_tso(struct net_device *dev, u32 data)
-{
-        struct net_bridge *br = netdev_priv(dev);
-        if (data)
-                br->feature_mask |= NETIF_F_TSO;
-        else
-                br->feature_mask &= ~NETIF_F_TSO;
-        br_features_recompute(br);
-        return 0;
-}
-static int br_set_tx_csum(struct net_device *dev, u32 data)
-{
-        struct net_bridge *br = netdev_priv(dev);
-        if (data)
-                br->feature_mask |= NETIF_F_NO_CSUM;
-        else
-                br->feature_mask &= ~NETIF_F_ALL_CSUM;
-        br_features_recompute(br);
-        return 0;
-}
-static int br_set_flags(struct net_device *netdev, u32 data)
-{
-        return ethtool_op_set_flags(netdev, data, ETH_FLAG_TXVLAN);
 }
 #ifdef CONFIG_NET_POLL_CONTROLLER
@@ -297,24 +274,30 @@ void br_netpoll_disable(struct net_bridge_port *p)
 #endif
+static int br_add_slave(struct net_device *dev, struct net_device *slave_dev)
+{
+        struct net_bridge *br = netdev_priv(dev);
+        return br_add_if(br, slave_dev);
+}
+static int br_del_slave(struct net_device *dev, struct net_device *slave_dev)
+{
+        struct net_bridge *br = netdev_priv(dev);
+        return br_del_if(br, slave_dev);
+}
 static const struct ethtool_ops br_ethtool_ops = {
        .get_drvinfo    = br_getinfo,
        .get_link       = ethtool_op_get_link,
-        .get_tx_csum    = ethtool_op_get_tx_csum,
-        .set_tx_csum    = br_set_tx_csum,
-        .get_sg         = ethtool_op_get_sg,
-        .set_sg         = br_set_sg,
-        .get_tso        = ethtool_op_get_tso,
-        .set_tso        = br_set_tso,
-        .get_ufo        = ethtool_op_get_ufo,
-        .set_ufo        = ethtool_op_set_ufo,
-        .get_flags      = ethtool_op_get_flags,
-        .set_flags      = br_set_flags,
 };
 static const struct net_device_ops br_netdev_ops = {
        .ndo_open                = br_dev_open,
        .ndo_stop                = br_dev_stop,
+        .ndo_init                = br_dev_init,
        .ndo_start_xmit          = br_dev_xmit,
        .ndo_get_stats64         = br_get_stats64,
        .ndo_set_mac_address     = br_set_mac_address,
@@ -326,6 +309,9 @@ static const struct net_device_ops br_netdev_ops = {
        .ndo_netpoll_cleanup     = br_netpoll_cleanup,
        .ndo_poll_controller     = br_poll_controller,
 #endif
+        .ndo_add_slave           = br_add_slave,
+        .ndo_del_slave           = br_del_slave,
+        .ndo_fix_features        = br_fix_features,
 };
 static void br_dev_free(struct net_device *dev)
@@ -336,18 +322,49 @@ static void br_dev_free(struct net_device *dev)
        free_netdev(dev);
 }
+static struct device_type br_type = {
+        .name   = "bridge",
+};
 void br_dev_setup(struct net_device *dev)
 {
+        struct net_bridge *br = netdev_priv(dev);
        random_ether_addr(dev->dev_addr);
        ether_setup(dev);
        dev->netdev_ops = &br_netdev_ops;
        dev->destructor = br_dev_free;
        SET_ETHTOOL_OPS(dev, &br_ethtool_ops);
+        SET_NETDEV_DEVTYPE(dev, &br_type);
        dev->tx_queue_len = 0;
        dev->priv_flags = IFF_EBRIDGE;
        dev->features = NETIF_F_SG | NETIF_F_FRAGLIST | NETIF_F_HIGHDMA |
                        NETIF_F_GSO_MASK | NETIF_F_NO_CSUM | NETIF_F_LLTX |
-                        NETIF_F_NETNS_LOCAL | NETIF_F_GSO | NETIF_F_HW_VLAN_TX;
+                        NETIF_F_NETNS_LOCAL | NETIF_F_HW_VLAN_TX;
+        dev->hw_features = NETIF_F_SG | NETIF_F_FRAGLIST | NETIF_F_HIGHDMA |
+                           NETIF_F_GSO_MASK | NETIF_F_NO_CSUM |
+                           NETIF_F_HW_VLAN_TX;
+        br->dev = dev;
+        spin_lock_init(&br->lock);
+        INIT_LIST_HEAD(&br->port_list);
+        spin_lock_init(&br->hash_lock);
+        br->bridge_id.prio[0] = 0x80;
+        br->bridge_id.prio[1] = 0x00;
+        memcpy(br->group_addr, br_group_address, ETH_ALEN);
+        br->stp_enabled = BR_NO_STP;
+        br->designated_root = br->bridge_id;
+        br->bridge_max_age = br->max_age = 20 * HZ;
+        br->bridge_hello_time = br->hello_time = 2 * HZ;
+        br->bridge_forward_delay = br->forward_delay = 15 * HZ;
+        br->ageing_time = 300 * HZ;
+        br_netfilter_rtable_init(br);
+        br_stp_timer_init(br);
+        br_multicast_init(br);
 }
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index 88485cc74dc3..e0dfbc151dd7 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -28,6 +28,7 @@
 static struct kmem_cache *br_fdb_cache __read_mostly;
 static int fdb_insert(struct net_bridge *br, struct net_bridge_port *source,
                      const unsigned char *addr);
+static void fdb_notify(const struct net_bridge_fdb_entry *, int);
 static u32 fdb_salt __read_mostly;
@@ -62,7 +63,7 @@ static inline int has_expired(const struct net_bridge *br,
                                  const struct net_bridge_fdb_entry *fdb)
 {
        return !fdb->is_static &&
-                time_before_eq(fdb->ageing_timer + hold_time(br), jiffies);
+                time_before_eq(fdb->updated + hold_time(br), jiffies);
 }
 static inline int br_mac_hash(const unsigned char *mac)
@@ -81,6 +82,7 @@ static void fdb_rcu_free(struct rcu_head *head)
 static inline void fdb_delete(struct net_bridge_fdb_entry *f)
 {
+        fdb_notify(f, RTM_DELNEIGH);
        hlist_del_rcu(&f->hlist);
        call_rcu(&f->rcu, fdb_rcu_free);
 }
@@ -140,7 +142,7 @@ void br_fdb_cleanup(unsigned long _data)
                        unsigned long this_timer;
                        if (f->is_static)
                                continue;
-                        this_timer = f->ageing_timer + delay;
+                        this_timer = f->updated + delay;
                        if (time_before_eq(this_timer, jiffies))
                                fdb_delete(f);
                        else if (time_before(this_timer, next_timer))
@@ -169,7 +171,7 @@ void br_fdb_flush(struct net_bridge *br)
        spin_unlock_bh(&br->hash_lock);
 }
-/* Flush all entries refering to a specific port.
+/* Flush all entries referring to a specific port.
 * if do_all is set also flush static entries
 */
 void br_fdb_delete_by_port(struct net_bridge *br,
@@ -293,7 +295,7 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
                        fe->is_local = f->is_local;
                        if (!f->is_static)
-                                fe->ageing_timer_value = jiffies_to_clock_t(jiffies - f->ageing_timer);
+                                fe->ageing_timer_value = jiffies_to_clock_t(jiffies - f->updated);
                        ++fe;
                        ++num;
                }
@@ -305,8 +307,21 @@ int br_fdb_fillbuf(struct net_bridge *br, void *buf,
        return num;
 }
-static inline struct net_bridge_fdb_entry *fdb_find(struct hlist_head *head,
+static struct net_bridge_fdb_entry *fdb_find(struct hlist_head *head,
-                                                    const unsigned char *addr)
+                                             const unsigned char *addr)
+{
+        struct hlist_node *h;
+        struct net_bridge_fdb_entry *fdb;
+        hlist_for_each_entry(fdb, h, head, hlist) {
+                if (!compare_ether_addr(fdb->addr.addr, addr))
+                        return fdb;
+        }
+        return NULL;
+}
+static struct net_bridge_fdb_entry *fdb_find_rcu(struct hlist_head *head,
+                                                 const unsigned char *addr)
 {
        struct hlist_node *h;
        struct net_bridge_fdb_entry *fdb;
@@ -320,8 +335,7 @@ static inline struct net_bridge_fdb_entry *fdb_find(struct hlist_head *head,
 static struct net_bridge_fdb_entry *fdb_create(struct hlist_head *head,
                                               struct net_bridge_port *source,
-                                               const unsigned char *addr,
+                                               const unsigned char *addr)
-                                               int is_local)
 {
        struct net_bridge_fdb_entry *fdb;
@@ -329,11 +343,11 @@ static struct net_bridge_fdb_entry *fdb_create(struct hlist_head *head,
        if (fdb) {
                memcpy(fdb->addr.addr, addr, ETH_ALEN);
                fdb->dst = source;
-                fdb->is_local = is_local;
+                fdb->is_local = 0;
-                fdb->is_static = is_local;
+                fdb->is_static = 0;
-                fdb->ageing_timer = jiffies;
+                fdb->updated = fdb->used = jiffies;
                hlist_add_head_rcu(&fdb->hlist, head);
+                fdb_notify(fdb, RTM_NEWNEIGH);
        }
        return fdb;
 }
@@ -360,12 +374,15 @@ static int fdb_insert(struct net_bridge *br, struct net_bridge_port *source,
                fdb_delete(fdb);
        }
-        if (!fdb_create(head, source, addr, 1))
+        fdb = fdb_create(head, source, addr);
+        if (!fdb)
                return -ENOMEM;
+        fdb->is_local = fdb->is_static = 1;
        return 0;
 }
+/* Add entry for local address of interface */
 int br_fdb_insert(struct net_bridge *br, struct net_bridge_port *source,
                  const unsigned char *addr)
 {
@@ -392,7 +409,7 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
              source->state == BR_STATE_FORWARDING))
                return;
-        fdb = fdb_find(head, addr);
+        fdb = fdb_find_rcu(head, addr);
        if (likely(fdb)) {
                /* attempt to update an entry for a local interface */
                if (unlikely(fdb->is_local)) {
@@ -403,15 +420,277 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
                } else {
                        /* fastpath: update of existing entry */
                        fdb->dst = source;
-                        fdb->ageing_timer = jiffies;
+                        fdb->updated = jiffies;
                }
        } else {
                spin_lock(&br->hash_lock);
-                if (!fdb_find(head, addr))
+                if (likely(!fdb_find(head, addr)))
-                        fdb_create(head, source, addr, 0);
+                        fdb_create(head, source, addr);
                /* else  we lose race and someone else inserts
                 * it first, don't bother updating
                 */
                spin_unlock(&br->hash_lock);
        }
 }
+static int fdb_to_nud(const struct net_bridge_fdb_entry *fdb)
+{
+        if (fdb->is_local)
+                return NUD_PERMANENT;
+        else if (fdb->is_static)
+                return NUD_NOARP;
+        else if (has_expired(fdb->dst->br, fdb))
+                return NUD_STALE;
+        else
+                return NUD_REACHABLE;
+}
+static int fdb_fill_info(struct sk_buff *skb,
+                         const struct net_bridge_fdb_entry *fdb,
+                         u32 pid, u32 seq, int type, unsigned int flags)
+{
+        unsigned long now = jiffies;
+        struct nda_cacheinfo ci;
+        struct nlmsghdr *nlh;
+        struct ndmsg *ndm;
+        nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ndm), flags);
+        if (nlh == NULL)
+                return -EMSGSIZE;
+        ndm = nlmsg_data(nlh);
+        ndm->ndm_family  = AF_BRIDGE;
+        ndm->ndm_pad1    = 0;
+        ndm->ndm_pad2    = 0;
+        ndm->ndm_flags   = 0;
+        ndm->ndm_type    = 0;
+        ndm->ndm_ifindex = fdb->dst->dev->ifindex;
+        ndm->ndm_state   = fdb_to_nud(fdb);
+        NLA_PUT(skb, NDA_LLADDR, ETH_ALEN, &fdb->addr);
+        ci.ndm_used      = jiffies_to_clock_t(now - fdb->used);
+        ci.ndm_confirmed = 0;
+        ci.ndm_updated   = jiffies_to_clock_t(now - fdb->updated);
+        ci.ndm_refcnt    = 0;
+        NLA_PUT(skb, NDA_CACHEINFO, sizeof(ci), &ci);
+        return nlmsg_end(skb, nlh);
+nla_put_failure:
+        nlmsg_cancel(skb, nlh);
+        return -EMSGSIZE;
+}
+static inline size_t fdb_nlmsg_size(void)
+{
+        return NLMSG_ALIGN(sizeof(struct ndmsg))
+                + nla_total_size(ETH_ALEN) /* NDA_LLADDR */
+                + nla_total_size(sizeof(struct nda_cacheinfo));
+}
+static void fdb_notify(const struct net_bridge_fdb_entry *fdb, int type)
+{
+        struct net *net = dev_net(fdb->dst->dev);
+        struct sk_buff *skb;
+        int err = -ENOBUFS;
+        skb = nlmsg_new(fdb_nlmsg_size(), GFP_ATOMIC);
+        if (skb == NULL)
+                goto errout;
+        err = fdb_fill_info(skb, fdb, 0, 0, type, 0);
+        if (err < 0) {
+                /* -EMSGSIZE implies BUG in fdb_nlmsg_size() */
+                WARN_ON(err == -EMSGSIZE);
+                kfree_skb(skb);
+                goto errout;
+        }
+        rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC);
+        return;
+errout:
+        if (err < 0)
+                rtnl_set_sk_err(net, RTNLGRP_NEIGH, err);
+}
+/* Dump information about entries, in response to GETNEIGH */
+int br_fdb_dump(struct sk_buff *skb, struct netlink_callback *cb)
+{
+        struct net *net = sock_net(skb->sk);
+        struct net_device *dev;
+        int idx = 0;
+        rcu_read_lock();
+        for_each_netdev_rcu(net, dev) {
+                struct net_bridge *br = netdev_priv(dev);
+                int i;
+                if (!(dev->priv_flags & IFF_EBRIDGE))
+                        continue;
+                for (i = 0; i < BR_HASH_SIZE; i++) {
+                        struct hlist_node *h;
+                        struct net_bridge_fdb_entry *f;
+                        hlist_for_each_entry_rcu(f, h, &br->hash[i], hlist) {
+                                if (idx < cb->args[0])
+                                        goto skip;
+                                if (fdb_fill_info(skb, f,
+                                                  NETLINK_CB(cb->skb).pid,
+                                                  cb->nlh->nlmsg_seq,
+                                                  RTM_NEWNEIGH,
+                                                  NLM_F_MULTI) < 0)
+                                        break;
+skip:
+                                ++idx;
+                        }
+                }
+        }
+        rcu_read_unlock();
+        cb->args[0] = idx;
+        return skb->len;
+}
+/* Create new static fdb entry */
+static int fdb_add_entry(struct net_bridge_port *source, const __u8 *addr,
+                         __u16 state)
+{
+        struct net_bridge *br = source->br;
+        struct hlist_head *head = &br->hash[br_mac_hash(addr)];
+        struct net_bridge_fdb_entry *fdb;
+        fdb = fdb_find(head, addr);
+        if (fdb)
+                return -EEXIST;
+        fdb = fdb_create(head, source, addr);
+        if (!fdb)
+                return -ENOMEM;
+        if (state & NUD_PERMANENT)
+                fdb->is_local = fdb->is_static = 1;
+        else if (state & NUD_NOARP)
+                fdb->is_static = 1;
+        return 0;
+}
+/* Add new permanent fdb entry with RTM_NEWNEIGH */
+int br_fdb_add(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
+{
+        struct net *net = sock_net(skb->sk);
+        struct ndmsg *ndm;
+        struct nlattr *tb[NDA_MAX+1];
+        struct net_device *dev;
+        struct net_bridge_port *p;
+        const __u8 *addr;
+        int err;
+        ASSERT_RTNL();
+        err = nlmsg_parse(nlh, sizeof(*ndm), tb, NDA_MAX, NULL);
+        if (err < 0)
+                return err;
+        ndm = nlmsg_data(nlh);
+        if (ndm->ndm_ifindex == 0) {
+                pr_info("bridge: RTM_NEWNEIGH with invalid ifindex\n");
+                return -EINVAL;
+        }
+        dev = __dev_get_by_index(net, ndm->ndm_ifindex);
+        if (dev == NULL) {
+                pr_info("bridge: RTM_NEWNEIGH with unknown ifindex\n");
+                return -ENODEV;
+        }
+        if (!tb[NDA_LLADDR] || nla_len(tb[NDA_LLADDR]) != ETH_ALEN) {
+                pr_info("bridge: RTM_NEWNEIGH with invalid address\n");
+                return -EINVAL;
+        }
+        addr = nla_data(tb[NDA_LLADDR]);
+        if (!is_valid_ether_addr(addr)) {
+                pr_info("bridge: RTM_NEWNEIGH with invalid ether address\n");
+                return -EINVAL;
+        }
+        p = br_port_get_rtnl(dev);
+        if (p == NULL) {
+                pr_info("bridge: RTM_NEWNEIGH %s not a bridge port\n",
+                        dev->name);
+                return -EINVAL;
+        }
+        spin_lock_bh(&p->br->hash_lock);
+        err = fdb_add_entry(p, addr, ndm->ndm_state);
+        spin_unlock_bh(&p->br->hash_lock);
+        return err;
+}
+static int fdb_delete_by_addr(struct net_bridge_port *p, const u8 *addr)
+{
+        struct net_bridge *br = p->br;
+        struct hlist_head *head = &br->hash[br_mac_hash(addr)];
+        struct net_bridge_fdb_entry *fdb;
+        fdb = fdb_find(head, addr);
+        if (!fdb)
+                return -ENOENT;
+        fdb_delete(fdb);
+        return 0;
+}
+/* Remove neighbor entry with RTM_DELNEIGH */
+int br_fdb_delete(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
+{
+        struct net *net = sock_net(skb->sk);
+        struct ndmsg *ndm;
+        struct net_bridge_port *p;
+        struct nlattr *llattr;
+        const __u8 *addr;
+        struct net_device *dev;
+        int err;
+        ASSERT_RTNL();
+        if (nlmsg_len(nlh) < sizeof(*ndm))
+                return -EINVAL;
+        ndm = nlmsg_data(nlh);
+        if (ndm->ndm_ifindex == 0) {
+                pr_info("bridge: RTM_DELNEIGH with invalid ifindex\n");
+                return -EINVAL;
+        }
+        dev = __dev_get_by_index(net, ndm->ndm_ifindex);
+        if (dev == NULL) {
+                pr_info("bridge: RTM_DELNEIGH with unknown ifindex\n");
+                return -ENODEV;
+        }
+        llattr = nlmsg_find_attr(nlh, sizeof(*ndm), NDA_LLADDR);
+        if (llattr == NULL || nla_len(llattr) != ETH_ALEN) {
+                pr_info("bridge: RTM_DELNEIGH with invalid address\n");
+                return -EINVAL;
+        }
+        addr = nla_data(llattr);
+        p = br_port_get_rtnl(dev);
+        if (p == NULL) {
+                pr_info("bridge: RTM_DELNEIGH %s not a bridge port\n",
+                        dev->name);
+                return -EINVAL;
+        }
+        spin_lock_bh(&p->br->hash_lock);
+        err = fdb_delete_by_addr(p, addr);
+        spin_unlock_bh(&p->br->hash_lock);
+        return err;
+}
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index d9d1e2bac1d6..5dbdfdfc3a34 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -36,8 +36,8 @@ static int port_cost(struct net_device *dev)
        if (dev->ethtool_ops && dev->ethtool_ops->get_settings) {
                struct ethtool_cmd ecmd = { .cmd = ETHTOOL_GSET, };
-                if (!dev->ethtool_ops->get_settings(dev, &ecmd)) {
+                if (!dev_ethtool_get_settings(dev, &ecmd)) {
-                        switch(ecmd.speed) {
+                        switch (ethtool_cmd_speed(&ecmd)) {
                        case SPEED_10000:
                                return 2;
                        case SPEED_1000:
@@ -148,6 +148,8 @@ static void del_nbp(struct net_bridge_port *p)
        netdev_rx_handler_unregister(dev);
+        netdev_set_master(dev, NULL);
        br_multicast_del_port(p);
        kobject_uevent(&p->kobj, KOBJ_REMOVE);
@@ -173,56 +175,6 @@ static void del_br(struct net_bridge *br, struct list_head *head)
        unregister_netdevice_queue(br->dev, head);
 }
-static struct net_device *new_bridge_dev(struct net *net, const char *name)
-{
-        struct net_bridge *br;
-        struct net_device *dev;
-        dev = alloc_netdev(sizeof(struct net_bridge), name,
-                           br_dev_setup);
-        if (!dev)
-                return NULL;
-        dev_net_set(dev, net);
-        br = netdev_priv(dev);
-        br->dev = dev;
-        br->stats = alloc_percpu(struct br_cpu_netstats);
-        if (!br->stats) {
-                free_netdev(dev);
-                return NULL;
-        }
-        spin_lock_init(&br->lock);
-        INIT_LIST_HEAD(&br->port_list);
-        spin_lock_init(&br->hash_lock);
-        br->bridge_id.prio[0] = 0x80;
-        br->bridge_id.prio[1] = 0x00;
-        memcpy(br->group_addr, br_group_address, ETH_ALEN);
-        br->feature_mask = dev->features;
-        br->stp_enabled = BR_NO_STP;
-        br->designated_root = br->bridge_id;
-        br->root_path_cost = 0;
-        br->root_port = 0;
-        br->bridge_max_age = br->max_age = 20 * HZ;
-        br->bridge_hello_time = br->hello_time = 2 * HZ;
-        br->bridge_forward_delay = br->forward_delay = 15 * HZ;
-        br->topology_change = 0;
-        br->topology_change_detected = 0;
-        br->ageing_time = 300 * HZ;
-        br_netfilter_rtable_init(br);
-        br_stp_timer_init(br);
-        br_multicast_init(br);
-        return dev;
-}
 /* find an available port number */
 static int find_portno(struct net_bridge *br)
 {
@@ -275,42 +227,19 @@ static struct net_bridge_port *new_nbp(struct net_bridge *br,
        return p;
 }
-static struct device_type br_type = {
-        .name   = "bridge",
-};
 int br_add_bridge(struct net *net, const char *name)
 {
        struct net_device *dev;
-        int ret;
-        dev = new_bridge_dev(net, name);
+        dev = alloc_netdev(sizeof(struct net_bridge), name,
+                           br_dev_setup);
        if (!dev)
                return -ENOMEM;
-        rtnl_lock();
+        dev_net_set(dev, net);
-        if (strchr(dev->name, '%')) {
-                ret = dev_alloc_name(dev, dev->name);
-                if (ret < 0)
-                        goto out_free;
-        }
-        SET_NETDEV_DEVTYPE(dev, &br_type);
-        ret = register_netdevice(dev);
-        if (ret)
-                goto out_free;
-        ret = br_sysfs_addbr(dev);
-        if (ret)
-                unregister_netdevice(dev);
- out:
-        rtnl_unlock();
-        return ret;
-out_free:
+        return register_netdev(dev);
-        free_netdev(dev);
-        goto out;
 }
 int br_del_bridge(struct net *net, const char *name)
@@ -362,15 +291,15 @@ int br_min_mtu(const struct net_bridge *br)
 /*
 * Recomputes features using slave's features
 */
-void br_features_recompute(struct net_bridge *br)
+u32 br_features_recompute(struct net_bridge *br, u32 features)
 {
        struct net_bridge_port *p;
-        unsigned long features, mask;
+        u32 mask;
-        features = mask = br->feature_mask;
        if (list_empty(&br->port_list))
-                goto done;
+                return features;
+        mask = features;
        features &= ~NETIF_F_ONE_FOR_ALL;
        list_for_each_entry(p, &br->port_list, list) {
@@ -378,8 +307,7 @@ void br_features_recompute(struct net_bridge *br)
                                                     p->dev->features, mask);
        }
-done:
+        return features;
-        br->dev->features = netdev_fix_features(features, NULL);
 }
 /* called with RTNL */
@@ -387,6 +315,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
 {
        struct net_bridge_port *p;
        int err = 0;
+        bool changed_addr;
        /* Don't allow bridging non-ethernet like devices */
        if ((dev->flags & IFF_LOOPBACK) ||
@@ -429,19 +358,24 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
        if (br_netpoll_info(br) && ((err = br_netpoll_enable(p))))
                goto err3;
-        err = netdev_rx_handler_register(dev, br_handle_frame, p);
+        err = netdev_set_master(dev, br->dev);
        if (err)
                goto err3;
+        err = netdev_rx_handler_register(dev, br_handle_frame, p);
+        if (err)
+                goto err4;
        dev->priv_flags |= IFF_BRIDGE_PORT;
        dev_disable_lro(dev);
        list_add_rcu(&p->list, &br->port_list);
+        netdev_update_features(br->dev);
        spin_lock_bh(&br->lock);
-        br_stp_recalculate_bridge_id(br);
+        changed_addr = br_stp_recalculate_bridge_id(br);
-        br_features_recompute(br);
        if ((dev->flags & IFF_UP) && netif_carrier_ok(dev) &&
            (br->dev->flags & IFF_UP))
@@ -450,11 +384,17 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
        br_ifinfo_notify(RTM_NEWLINK, p);
+        if (changed_addr)
+                call_netdevice_notifiers(NETDEV_CHANGEADDR, dev);
        dev_set_mtu(br->dev, br_min_mtu(br));
        kobject_uevent(&p->kobj, KOBJ_ADD);
        return 0;
+err4:
+        netdev_set_master(dev, NULL);
 err3:
        sysfs_remove_link(br->ifobj, p->dev->name);
 err2:
@@ -483,9 +423,10 @@ int br_del_if(struct net_bridge *br, struct net_device *dev)
        spin_lock_bh(&br->lock);
        br_stp_recalculate_bridge_id(br);
-        br_features_recompute(br);
        spin_unlock_bh(&br->lock);
+        netdev_update_features(br->dev);
        return 0;
 }
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 88e4aa9cb1f9..f3ac1e858ee1 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -98,9 +98,10 @@ int br_handle_frame_finish(struct sk_buff *skb)
        }
        if (skb) {
-                if (dst)
+                if (dst) {
+                        dst->used = jiffies;
                        br_forward(dst->dst, skb, skb2);
-                else
+                } else
                        br_flood_forward(br, skb, skb2);
        }
@@ -139,21 +140,22 @@ static inline int is_link_local(const unsigned char *dest)
 * Return NULL if skb is handled
 * note: already called with rcu_read_lock
 */
-struct sk_buff *br_handle_frame(struct sk_buff *skb)
+rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
 {
        struct net_bridge_port *p;
+        struct sk_buff *skb = *pskb;
        const unsigned char *dest = eth_hdr(skb)->h_dest;
        br_should_route_hook_t *rhook;
        if (unlikely(skb->pkt_type == PACKET_LOOPBACK))
-                return skb;
+                return RX_HANDLER_PASS;
        if (!is_valid_ether_addr(eth_hdr(skb)->h_source))
                goto drop;
        skb = skb_share_check(skb, GFP_ATOMIC);
        if (!skb)
-                return NULL;
+                return RX_HANDLER_CONSUMED;
        p = br_port_get_rcu(skb->dev);
@@ -163,14 +165,16 @@ struct sk_buff *br_handle_frame(struct sk_buff *skb)
                        goto drop;
                /* If STP is turned off, then forward */
-                if (p->br->stp_enabled == BR_NO_STP)
+                if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
                        goto forward;
                if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
-                            NULL, br_handle_local_finish))
+                            NULL, br_handle_local_finish)) {
-                        return NULL;    /* frame consumed by filter */
+                        return RX_HANDLER_CONSUMED; /* consumed by filter */
-                else
+                } else {
-                        return skb;     /* continue processing */
+                        *pskb = skb;
+                        return RX_HANDLER_PASS; /* continue processing */
+                }
        }
 forward:
@@ -178,8 +182,10 @@ forward:
        case BR_STATE_FORWARDING:
                rhook = rcu_dereference(br_should_route_hook);
                if (rhook) {
-                        if ((*rhook)(skb))
+                        if ((*rhook)(skb)) {
-                                return skb;
+                                *pskb = skb;
+                                return RX_HANDLER_PASS;
+                        }
                        dest = eth_hdr(skb)->h_dest;
                }
                /* fall through */
@@ -194,5 +200,5 @@ forward:
 drop:
                kfree_skb(skb);
        }
-        return NULL;
+        return RX_HANDLER_CONSUMED;
 }
diff --git a/net/bridge/br_ioctl.c b/net/bridge/br_ioctl.c
index cb43312b846e..7222fe1d5460 100644
--- a/net/bridge/br_ioctl.c
+++ b/net/bridge/br_ioctl.c
@@ -106,7 +106,7 @@ static int add_del_if(struct net_bridge *br, int ifindex, int isadd)
 /*
 * Legacy ioctl's through SIOCDEVPRIVATE
 * This interface is deprecated because it was too difficult to
- * to do the translation for 32/64bit ioctl compatability.
+ * to do the translation for 32/64bit ioctl compatibility.
 */
 static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
 {
@@ -181,40 +181,19 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
                if (!capable(CAP_NET_ADMIN))
                        return -EPERM;
-                spin_lock_bh(&br->lock);
+                return br_set_forward_delay(br, args[1]);
-                br->bridge_forward_delay = clock_t_to_jiffies(args[1]);
-                if (br_is_root_bridge(br))
-                        br->forward_delay = br->bridge_forward_delay;
-                spin_unlock_bh(&br->lock);
-                return 0;
        case BRCTL_SET_BRIDGE_HELLO_TIME:
-        {
-                unsigned long t = clock_t_to_jiffies(args[1]);
                if (!capable(CAP_NET_ADMIN))
                        return -EPERM;
-                if (t < HZ)
+                return br_set_hello_time(br, args[1]);
-                        return -EINVAL;
-                spin_lock_bh(&br->lock);
-                br->bridge_hello_time = t;
-                if (br_is_root_bridge(br))
-                        br->hello_time = br->bridge_hello_time;
-                spin_unlock_bh(&br->lock);
-                return 0;
-        }
        case BRCTL_SET_BRIDGE_MAX_AGE:
                if (!capable(CAP_NET_ADMIN))
                        return -EPERM;
-                spin_lock_bh(&br->lock);
+                return br_set_max_age(br, args[1]);
-                br->bridge_max_age = clock_t_to_jiffies(args[1]);
-                if (br_is_root_bridge(br))
-                        br->max_age = br->bridge_max_age;
-                spin_unlock_bh(&br->lock);
-                return 0;
        case BRCTL_SET_AGEING_TIME:
                if (!capable(CAP_NET_ADMIN))
@@ -275,19 +254,16 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
        case BRCTL_SET_PORT_PRIORITY:
        {
                struct net_bridge_port *p;
-                int ret = 0;
+                int ret;
                if (!capable(CAP_NET_ADMIN))
                        return -EPERM;
-                if (args[2] >= (1<<(16-BR_PORT_BITS)))
-                        return -ERANGE;
                spin_lock_bh(&br->lock);
                if ((p = br_get_port(br, args[1])) == NULL)
                        ret = -EINVAL;
                else
-                        br_stp_set_port_priority(p, args[2]);
+                        ret = br_stp_set_port_priority(p, args[2]);
                spin_unlock_bh(&br->lock);
                return ret;
        }
@@ -295,15 +271,17 @@ static int old_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
        case BRCTL_SET_PATH_COST:
        {
                struct net_bridge_port *p;
-                int ret = 0;
+                int ret;
                if (!capable(CAP_NET_ADMIN))
                        return -EPERM;
+                spin_lock_bh(&br->lock);
                if ((p = br_get_port(br, args[1])) == NULL)
                        ret = -EINVAL;
                else
-                        br_stp_set_path_cost(p, args[2]);
+                        ret = br_stp_set_path_cost(p, args[2]);
+                spin_unlock_bh(&br->lock);
                return ret;
        }
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 030a002ff8ee..2f14eafdeeab 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -413,7 +413,7 @@ out:
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
 static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br,
-                                                    struct in6_addr *group)
+                                                    const struct in6_addr *group)
 {
        struct sk_buff *skb;
        struct ipv6hdr *ip6h;
@@ -445,9 +445,9 @@ static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br,
        ip6h->payload_len = htons(8 + sizeof(*mldq));
        ip6h->nexthdr = IPPROTO_HOPOPTS;
        ip6h->hop_limit = 1;
+        ipv6_addr_set(&ip6h->daddr, htonl(0xff020000), 0, 0, htonl(1));
        ipv6_dev_get_saddr(dev_net(br->dev), br->dev, &ip6h->daddr, 0,
                           &ip6h->saddr);
-        ipv6_addr_set(&ip6h->daddr, htonl(0xff020000), 0, 0, htonl(1));
        ipv6_eth_mc_map(&ip6h->daddr, eth->h_dest);
        hopopt = (u8 *)(ip6h + 1);
@@ -1115,7 +1115,7 @@ static int br_ip4_multicast_query(struct net_bridge *br,
                                  struct net_bridge_port *port,
                                  struct sk_buff *skb)
 {
-        struct iphdr *iph = ip_hdr(skb);
+        const struct iphdr *iph = ip_hdr(skb);
        struct igmphdr *ih = igmp_hdr(skb);
        struct net_bridge_mdb_entry *mp;
        struct igmpv3_query *ih3;
@@ -1190,7 +1190,7 @@ static int br_ip6_multicast_query(struct net_bridge *br,
                                  struct net_bridge_port *port,
                                  struct sk_buff *skb)
 {
-        struct ipv6hdr *ip6h = ipv6_hdr(skb);
+        const struct ipv6hdr *ip6h = ipv6_hdr(skb);
        struct mld_msg *mld = (struct mld_msg *) icmp6_hdr(skb);
        struct net_bridge_mdb_entry *mp;
        struct mld2_query *mld2q;
@@ -1198,7 +1198,7 @@ static int br_ip6_multicast_query(struct net_bridge *br,
        struct net_bridge_port_group __rcu **pp;
        unsigned long max_delay;
        unsigned long now = jiffies;
-        struct in6_addr *group = NULL;
+        const struct in6_addr *group = NULL;
        int err = 0;
        spin_lock(&br->multicast_lock);
@@ -1356,7 +1356,7 @@ static int br_multicast_ipv4_rcv(struct net_bridge *br,
                                 struct sk_buff *skb)
 {
        struct sk_buff *skb2 = skb;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct igmphdr *ih;
        unsigned len;
        unsigned offset;
@@ -1452,7 +1452,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
                                 struct sk_buff *skb)
 {
        struct sk_buff *skb2;
-        struct ipv6hdr *ip6h;
+        const struct ipv6hdr *ip6h;
        struct icmp6hdr *icmp6h;
        u8 nexthdr;
        unsigned len;
@@ -1475,7 +1475,7 @@ static int br_multicast_ipv6_rcv(struct net_bridge *br,
            ip6h->payload_len == 0)
                return 0;
-        len = ntohs(ip6h->payload_len);
+        len = ntohs(ip6h->payload_len) + sizeof(*ip6h);
        if (skb->len < len)
                return -EINVAL;
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 4b5b66d07bba..e1f5ec75e91c 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -219,7 +219,7 @@ static inline void nf_bridge_update_protocol(struct sk_buff *skb)
 static int br_parse_ip_options(struct sk_buff *skb)
 {
        struct ip_options *opt;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct net_device *dev = skb->dev;
        u32 len;
@@ -249,11 +249,9 @@ static int br_parse_ip_options(struct sk_buff *skb)
                goto drop;
        }
-        /* Zero out the CB buffer if no options present */
+        memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
-        if (iph->ihl == 5) {
+        if (iph->ihl == 5)
-                memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
                return 0;
-        }
        opt->optlen = iph->ihl*4 - sizeof(struct iphdr);
        if (ip_options_compile(dev_net(dev), opt, skb))
@@ -412,10 +410,6 @@ static int br_nf_pre_routing_finish(struct sk_buff *skb)
        nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
        if (dnat_took_place(skb)) {
                if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) {
-                        struct flowi fl = {
-                                .fl4_dst = iph->daddr,
-                                .fl4_tos = RT_TOS(iph->tos),
-                        };
                        struct in_device *in_dev = __in_dev_get_rcu(dev);
                        /* If err equals -EHOSTUNREACH the error is due to a
@@ -428,14 +422,16 @@ static int br_nf_pre_routing_finish(struct sk_buff *skb)
                        if (err != -EHOSTUNREACH || !in_dev || IN_DEV_FORWARD(in_dev))
                                goto free_skb;
-                        if (!ip_route_output_key(dev_net(dev), &rt, &fl)) {
+                        rt = ip_route_output(dev_net(dev), iph->daddr, 0,
+                                             RT_TOS(iph->tos), 0);
+                        if (!IS_ERR(rt)) {
                                /* - Bridged-and-DNAT'ed traffic doesn't
                                 *   require ip_forwarding. */
-                                if (((struct dst_entry *)rt)->dev == dev) {
+                                if (rt->dst.dev == dev) {
-                                        skb_dst_set(skb, (struct dst_entry *)rt);
+                                        skb_dst_set(skb, &rt->dst);
                                        goto bridged_dnat;
                                }
-                                dst_release((struct dst_entry *)rt);
+                                ip_rt_put(rt);
                        }
 free_skb:
                        kfree_skb(skb);
@@ -558,7 +554,7 @@ static unsigned int br_nf_pre_routing_ipv6(unsigned int hook,
                                           const struct net_device *out,
                                           int (*okfn)(struct sk_buff *))
 {
-        struct ipv6hdr *hdr;
+        const struct ipv6hdr *hdr;
        u32 pkt_len;
        if (skb->len < sizeof(struct ipv6hdr))
@@ -741,6 +737,9 @@ static unsigned int br_nf_forward_ip(unsigned int hook, struct sk_buff *skb,
                nf_bridge->mask |= BRNF_PKT_TYPE;
        }
+        if (pf == PF_INET && br_parse_ip_options(skb))
+                return NF_DROP;
        /* The physdev module checks on this */
        nf_bridge->mask |= BRNF_BRIDGED;
        nf_bridge->physoutdev = skb->dev;
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index f8bf4c7f842c..ffb0dc4cc0e8 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -12,9 +12,11 @@
 #include <linux/kernel.h>
 #include <linux/slab.h>
+#include <linux/etherdevice.h>
 #include <net/rtnetlink.h>
 #include <net/net_namespace.h>
 #include <net/sock.h>
 #include "br_private.h"
 static inline size_t br_nlmsg_size(void)
@@ -118,8 +120,9 @@ static int br_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
        int idx;
        idx = 0;
-        for_each_netdev(net, dev) {
+        rcu_read_lock();
-                struct net_bridge_port *port = br_port_get_rtnl(dev);
+        for_each_netdev_rcu(net, dev) {
+                struct net_bridge_port *port = br_port_get_rcu(dev);
                /* not a bridge port */
                if (!port || idx < cb->args[0])
@@ -133,7 +136,7 @@ static int br_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
 skip:
                ++idx;
        }
+        rcu_read_unlock();
        cb->args[0] = idx;
        return skb->len;
@@ -188,20 +191,61 @@ static int br_rtm_setlink(struct sk_buff *skb,  struct nlmsghdr *nlh, void *arg)
        return 0;
 }
+static int br_validate(struct nlattr *tb[], struct nlattr *data[])
+{
+        if (tb[IFLA_ADDRESS]) {
+                if (nla_len(tb[IFLA_ADDRESS]) != ETH_ALEN)
+                        return -EINVAL;
+                if (!is_valid_ether_addr(nla_data(tb[IFLA_ADDRESS])))
+                        return -EADDRNOTAVAIL;
+        }
+        return 0;
+}
+static struct rtnl_link_ops br_link_ops __read_mostly = {
+        .kind           = "bridge",
+        .priv_size      = sizeof(struct net_bridge),
+        .setup          = br_dev_setup,
+        .validate       = br_validate,
+};
 int __init br_netlink_init(void)
 {
-        if (__rtnl_register(PF_BRIDGE, RTM_GETLINK, NULL, br_dump_ifinfo))
+        int err;
-                return -ENOBUFS;
-        /* Only the first call to __rtnl_register can fail */
+        err = rtnl_link_register(&br_link_ops);
-        __rtnl_register(PF_BRIDGE, RTM_SETLINK, br_rtm_setlink, NULL);
+        if (err < 0)
+                goto err1;
+        err = __rtnl_register(PF_BRIDGE, RTM_GETLINK, NULL, br_dump_ifinfo);
+        if (err)
+                goto err2;
+        err = __rtnl_register(PF_BRIDGE, RTM_SETLINK, br_rtm_setlink, NULL);
+        if (err)
+                goto err3;
+        err = __rtnl_register(PF_BRIDGE, RTM_NEWNEIGH, br_fdb_add, NULL);
+        if (err)
+                goto err3;
+        err = __rtnl_register(PF_BRIDGE, RTM_DELNEIGH, br_fdb_delete, NULL);
+        if (err)
+                goto err3;
+        err = __rtnl_register(PF_BRIDGE, RTM_GETNEIGH, NULL, br_fdb_dump);
+        if (err)
+                goto err3;
        return 0;
+err3:
+        rtnl_unregister_all(PF_BRIDGE);
+err2:
+        rtnl_link_unregister(&br_link_ops);
+err1:
+        return err;
 }
 void __exit br_netlink_fini(void)
 {
+        rtnl_link_unregister(&br_link_ops);
        rtnl_unregister_all(PF_BRIDGE);
 }
diff --git a/net/bridge/br_notify.c b/net/bridge/br_notify.c
index 7d337c9b6082..6545ee9591d1 100644
--- a/net/bridge/br_notify.c
+++ b/net/bridge/br_notify.c
@@ -36,6 +36,12 @@ static int br_device_event(struct notifier_block *unused, unsigned long event, v
        struct net_bridge *br;
        int err;
+        /* register of bridge completed, add sysfs entries */
+        if ((dev->priv_flags & IFF_EBRIDGE) && event == NETDEV_REGISTER) {
+                br_sysfs_addbr(dev);
+                return NOTIFY_DONE;
+        }
        /* not a port of a bridge */
        p = br_port_get_rtnl(dev);
        if (!p)
@@ -60,10 +66,7 @@ static int br_device_event(struct notifier_block *unused, unsigned long event, v
                break;
        case NETDEV_FEAT_CHANGE:
-                spin_lock_bh(&br->lock);
+                netdev_update_features(br->dev);
-                if (netif_running(br->dev))
-                        br_features_recompute(br);
-                spin_unlock_bh(&br->lock);
                break;
        case NETDEV_DOWN:
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 4e1b620b6be6..54578f274d85 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -64,7 +64,8 @@ struct net_bridge_fdb_entry
        struct net_bridge_port          *dst;
        struct rcu_head                 rcu;
-        unsigned long                   ageing_timer;
+        unsigned long                   updated;
+        unsigned long                   used;
        mac_addr                        addr;
        unsigned char                   is_local;
        unsigned char                   is_static;
@@ -182,7 +183,6 @@ struct net_bridge
        struct br_cpu_netstats __percpu *stats;
        spinlock_t                      hash_lock;
        struct hlist_head               hash[BR_HASH_SIZE];
-        unsigned long                   feature_mask;
 #ifdef CONFIG_BRIDGE_NETFILTER
        struct rtable                   fake_rtable;
        bool                            nf_call_iptables;
@@ -353,6 +353,9 @@ extern int br_fdb_insert(struct net_bridge *br,
 extern void br_fdb_update(struct net_bridge *br,
                          struct net_bridge_port *source,
                          const unsigned char *addr);
+extern int br_fdb_dump(struct sk_buff *skb, struct netlink_callback *cb);
+extern int br_fdb_add(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg);
+extern int br_fdb_delete(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg);
 /* br_forward.c */
 extern void br_deliver(const struct net_bridge_port *to,
@@ -375,11 +378,11 @@ extern int br_add_if(struct net_bridge *br,
 extern int br_del_if(struct net_bridge *br,
              struct net_device *dev);
 extern int br_min_mtu(const struct net_bridge *br);
-extern void br_features_recompute(struct net_bridge *br);
+extern u32 br_features_recompute(struct net_bridge *br, u32 features);
 /* br_input.c */
 extern int br_handle_frame_finish(struct sk_buff *skb);
-extern struct sk_buff *br_handle_frame(struct sk_buff *skb);
+extern rx_handler_result_t br_handle_frame(struct sk_buff **pskb);
 /* br_ioctl.c */
 extern int br_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd);
@@ -491,20 +494,25 @@ extern struct net_bridge_port *br_get_port(struct net_bridge *br,
 extern void br_init_port(struct net_bridge_port *p);
 extern void br_become_designated_port(struct net_bridge_port *p);
+extern int br_set_forward_delay(struct net_bridge *br, unsigned long x);
+extern int br_set_hello_time(struct net_bridge *br, unsigned long x);
+extern int br_set_max_age(struct net_bridge *br, unsigned long x);
 /* br_stp_if.c */
 extern void br_stp_enable_bridge(struct net_bridge *br);
 extern void br_stp_disable_bridge(struct net_bridge *br);
 extern void br_stp_set_enabled(struct net_bridge *br, unsigned long val);
 extern void br_stp_enable_port(struct net_bridge_port *p);
 extern void br_stp_disable_port(struct net_bridge_port *p);
-extern void br_stp_recalculate_bridge_id(struct net_bridge *br);
+extern bool br_stp_recalculate_bridge_id(struct net_bridge *br);
 extern void br_stp_change_bridge_id(struct net_bridge *br, const unsigned char *a);
 extern void br_stp_set_bridge_priority(struct net_bridge *br,
                                       u16 newprio);
-extern void br_stp_set_port_priority(struct net_bridge_port *p,
+extern int br_stp_set_port_priority(struct net_bridge_port *p,
-                                     u8 newprio);
+                                    unsigned long newprio);
-extern void br_stp_set_path_cost(struct net_bridge_port *p,
+extern int br_stp_set_path_cost(struct net_bridge_port *p,
-                                 u32 path_cost);
+                                unsigned long path_cost);
 extern ssize_t br_show_bridge_id(char *buf, const struct bridge_id *id);
 /* br_stp_bpdu.c */
diff --git a/net/bridge/br_private_stp.h b/net/bridge/br_private_stp.h
index 8b650f7fbfa0..642ef47a867e 100644
--- a/net/bridge/br_private_stp.h
+++ b/net/bridge/br_private_stp.h
@@ -16,6 +16,19 @@
 #define BPDU_TYPE_CONFIG 0
 #define BPDU_TYPE_TCN 0x80
+/* IEEE 802.1D-1998 timer values */
+#define BR_MIN_HELLO_TIME       (1*HZ)
+#define BR_MAX_HELLO_TIME       (10*HZ)
+#define BR_MIN_FORWARD_DELAY    (2*HZ)
+#define BR_MAX_FORWARD_DELAY    (30*HZ)
+#define BR_MIN_MAX_AGE          (6*HZ)
+#define BR_MAX_MAX_AGE          (40*HZ)
+#define BR_MIN_PATH_COST        1
+#define BR_MAX_PATH_COST        65535
 struct br_config_bpdu
 {
        unsigned        topology_change:1;
diff --git a/net/bridge/br_stp.c b/net/bridge/br_stp.c
index 57186d84d2bd..bb4383e84de9 100644
--- a/net/bridge/br_stp.c
+++ b/net/bridge/br_stp.c
@@ -375,12 +375,12 @@ static void br_make_forwarding(struct net_bridge_port *p)
        if (p->state != BR_STATE_BLOCKING)
                return;
-        if (br->forward_delay == 0) {
+        if (br->stp_enabled == BR_NO_STP || br->forward_delay == 0) {
                p->state = BR_STATE_FORWARDING;
                br_topology_change_detection(br);
                del_timer(&p->forward_delay_timer);
        }
-        else if (p->br->stp_enabled == BR_KERNEL_STP)
+        else if (br->stp_enabled == BR_KERNEL_STP)
                p->state = BR_STATE_LISTENING;
        else
                p->state = BR_STATE_LEARNING;
@@ -397,28 +397,37 @@ static void br_make_forwarding(struct net_bridge_port *p)
 void br_port_state_selection(struct net_bridge *br)
 {
        struct net_bridge_port *p;
+        unsigned int liveports = 0;
        /* Don't change port states if userspace is handling STP */
        if (br->stp_enabled == BR_USER_STP)
                return;
        list_for_each_entry(p, &br->port_list, list) {
-                if (p->state != BR_STATE_DISABLED) {
+                if (p->state == BR_STATE_DISABLED)
-                        if (p->port_no == br->root_port) {
+                        continue;
-                                p->config_pending = 0;
-                                p->topology_change_ack = 0;
+                if (p->port_no == br->root_port) {
-                                br_make_forwarding(p);
+                        p->config_pending = 0;
-                        } else if (br_is_designated_port(p)) {
+                        p->topology_change_ack = 0;
-                                del_timer(&p->message_age_timer);
+                        br_make_forwarding(p);
-                                br_make_forwarding(p);
+                } else if (br_is_designated_port(p)) {
-                        } else {
+                        del_timer(&p->message_age_timer);
-                                p->config_pending = 0;
+                        br_make_forwarding(p);
-                                p->topology_change_ack = 0;
+                } else {
-                                br_make_blocking(p);
+                        p->config_pending = 0;
-                        }
+                        p->topology_change_ack = 0;
+                        br_make_blocking(p);
                }
+                if (p->state == BR_STATE_FORWARDING)
+                        ++liveports;
        }
+        if (liveports == 0)
+                netif_carrier_off(br->dev);
+        else
+                netif_carrier_on(br->dev);
 }
 /* called under bridge lock */
@@ -475,3 +484,51 @@ void br_received_tcn_bpdu(struct net_bridge_port *p)
                br_topology_change_acknowledge(p);
        }
 }
+/* Change bridge STP parameter */
+int br_set_hello_time(struct net_bridge *br, unsigned long val)
+{
+        unsigned long t = clock_t_to_jiffies(val);
+        if (t < BR_MIN_HELLO_TIME || t > BR_MAX_HELLO_TIME)
+                return -ERANGE;
+        spin_lock_bh(&br->lock);
+        br->bridge_hello_time = t;
+        if (br_is_root_bridge(br))
+                br->hello_time = br->bridge_hello_time;
+        spin_unlock_bh(&br->lock);
+        return 0;
+}
+int br_set_max_age(struct net_bridge *br, unsigned long val)
+{
+        unsigned long t = clock_t_to_jiffies(val);
+        if (t < BR_MIN_MAX_AGE || t > BR_MAX_MAX_AGE)
+                return -ERANGE;
+        spin_lock_bh(&br->lock);
+        br->bridge_max_age = t;
+        if (br_is_root_bridge(br))
+                br->max_age = br->bridge_max_age;
+        spin_unlock_bh(&br->lock);
+        return 0;
+}
+int br_set_forward_delay(struct net_bridge *br, unsigned long val)
+{
+        unsigned long t = clock_t_to_jiffies(val);
+        if (br->stp_enabled != BR_NO_STP &&
+            (t < BR_MIN_FORWARD_DELAY || t > BR_MAX_FORWARD_DELAY))
+                return -ERANGE;
+        spin_lock_bh(&br->lock);
+        br->bridge_forward_delay = t;
+        if (br_is_root_bridge(br))
+                br->forward_delay = br->bridge_forward_delay;
+        spin_unlock_bh(&br->lock);
+        return 0;
+}
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index 79372d4a4055..6f615b8192f4 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -20,7 +20,7 @@
 /* Port id is composed of priority and port number.
- * NB: least significant bits of priority are dropped to
+ * NB: some bits of priority are dropped to
 *     make room for more ports.
 */
 static inline port_id br_make_port_id(__u8 priority, __u16 port_no)
@@ -29,6 +29,8 @@ static inline port_id br_make_port_id(__u8 priority, __u16 port_no)
                | (port_no & ((1<<BR_PORT_BITS)-1));
 }
+#define BR_MAX_PORT_PRIORITY ((u16)~0 >> BR_PORT_BITS)
 /* called under bridge lock */
 void br_init_port(struct net_bridge_port *p)
 {
@@ -204,7 +206,7 @@ void br_stp_change_bridge_id(struct net_bridge *br, const unsigned char *addr)
 static const unsigned short br_mac_zero_aligned[ETH_ALEN >> 1];
 /* called under bridge lock */
-void br_stp_recalculate_bridge_id(struct net_bridge *br)
+bool br_stp_recalculate_bridge_id(struct net_bridge *br)
 {
        const unsigned char *br_mac_zero =
                        (const unsigned char *)br_mac_zero_aligned;
@@ -213,7 +215,7 @@ void br_stp_recalculate_bridge_id(struct net_bridge *br)
        /* user has chosen a value so keep it */
        if (br->flags & BR_SET_MAC_ADDR)
-                return;
+                return false;
        list_for_each_entry(p, &br->port_list, list) {
                if (addr == br_mac_zero ||
@@ -222,8 +224,11 @@ void br_stp_recalculate_bridge_id(struct net_bridge *br)
        }
-        if (compare_ether_addr(br->bridge_id.addr, addr))
+        if (compare_ether_addr(br->bridge_id.addr, addr) == 0)
-                br_stp_change_bridge_id(br, addr);
+                return false;   /* no change */
+        br_stp_change_bridge_id(br, addr);
+        return true;
 }
 /* called under bridge lock */
@@ -252,10 +257,14 @@ void br_stp_set_bridge_priority(struct net_bridge *br, u16 newprio)
 }
 /* called under bridge lock */
-void br_stp_set_port_priority(struct net_bridge_port *p, u8 newprio)
+int br_stp_set_port_priority(struct net_bridge_port *p, unsigned long newprio)
 {
-        port_id new_port_id = br_make_port_id(newprio, p->port_no);
+        port_id new_port_id;
+        if (newprio > BR_MAX_PORT_PRIORITY)
+                return -ERANGE;
+        new_port_id = br_make_port_id(newprio, p->port_no);
        if (br_is_designated_port(p))
                p->designated_port = new_port_id;
@@ -266,14 +275,21 @@ void br_stp_set_port_priority(struct net_bridge_port *p, u8 newprio)
                br_become_designated_port(p);
                br_port_state_selection(p->br);
        }
+        return 0;
 }
 /* called under bridge lock */
-void br_stp_set_path_cost(struct net_bridge_port *p, u32 path_cost)
+int br_stp_set_path_cost(struct net_bridge_port *p, unsigned long path_cost)
 {
+        if (path_cost < BR_MIN_PATH_COST ||
+            path_cost > BR_MAX_PATH_COST)
+                return -ERANGE;
        p->path_cost = path_cost;
        br_configuration_update(p->br);
        br_port_state_selection(p->br);
+        return 0;
 }
 ssize_t br_show_bridge_id(char *buf, const struct bridge_id *id)
diff --git a/net/bridge/br_stp_timer.c b/net/bridge/br_stp_timer.c
index 7b22456023c5..3e965140051e 100644
--- a/net/bridge/br_stp_timer.c
+++ b/net/bridge/br_stp_timer.c
@@ -94,6 +94,7 @@ static void br_forward_delay_timer_expired(unsigned long arg)
                p->state = BR_STATE_FORWARDING;
                if (br_is_designated_for_some_port(br))
                        br_topology_change_detection(br);
+                netif_carrier_on(br->dev);
        }
        br_log_state(p);
        spin_unlock(&br->lock);
diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c
index 5c1e5559ebba..68b893ea8c3a 100644
--- a/net/bridge/br_sysfs_br.c
+++ b/net/bridge/br_sysfs_br.c
@@ -43,9 +43,7 @@ static ssize_t store_bridge_parm(struct device *d,
        if (endp == buf)
                return -EINVAL;
-        spin_lock_bh(&br->lock);
        err = (*set)(br, val);
-        spin_unlock_bh(&br->lock);
        return err ? err : len;
 }
@@ -57,20 +55,11 @@ static ssize_t show_forward_delay(struct device *d,
        return sprintf(buf, "%lu\n", jiffies_to_clock_t(br->forward_delay));
 }
-static int set_forward_delay(struct net_bridge *br, unsigned long val)
-{
-        unsigned long delay = clock_t_to_jiffies(val);
-        br->forward_delay = delay;
-        if (br_is_root_bridge(br))
-                br->bridge_forward_delay = delay;
-        return 0;
-}
 static ssize_t store_forward_delay(struct device *d,
                                   struct device_attribute *attr,
                                   const char *buf, size_t len)
 {
-        return store_bridge_parm(d, buf, len, set_forward_delay);
+        return store_bridge_parm(d, buf, len, br_set_forward_delay);
 }
 static DEVICE_ATTR(forward_delay, S_IRUGO | S_IWUSR,
                   show_forward_delay, store_forward_delay);
@@ -82,24 +71,11 @@ static ssize_t show_hello_time(struct device *d, struct device_attribute *attr,
                       jiffies_to_clock_t(to_bridge(d)->hello_time));
 }
-static int set_hello_time(struct net_bridge *br, unsigned long val)
-{
-        unsigned long t = clock_t_to_jiffies(val);
-        if (t < HZ)
-                return -EINVAL;
-        br->hello_time = t;
-        if (br_is_root_bridge(br))
-                br->bridge_hello_time = t;
-        return 0;
-}
 static ssize_t store_hello_time(struct device *d,
                                struct device_attribute *attr, const char *buf,
                                size_t len)
 {
-        return store_bridge_parm(d, buf, len, set_hello_time);
+        return store_bridge_parm(d, buf, len, br_set_hello_time);
 }
 static DEVICE_ATTR(hello_time, S_IRUGO | S_IWUSR, show_hello_time,
                   store_hello_time);
@@ -111,19 +87,10 @@ static ssize_t show_max_age(struct device *d, struct device_attribute *attr,
                       jiffies_to_clock_t(to_bridge(d)->max_age));
 }
-static int set_max_age(struct net_bridge *br, unsigned long val)
-{
-        unsigned long t = clock_t_to_jiffies(val);
-        br->max_age = t;
-        if (br_is_root_bridge(br))
-                br->bridge_max_age = t;
-        return 0;
-}
 static ssize_t store_max_age(struct device *d, struct device_attribute *attr,
                             const char *buf, size_t len)
 {
-        return store_bridge_parm(d, buf, len, set_max_age);
+        return store_bridge_parm(d, buf, len, br_set_max_age);
 }
 static DEVICE_ATTR(max_age, S_IRUGO | S_IWUSR, show_max_age, store_max_age);
diff --git a/net/bridge/br_sysfs_if.c b/net/bridge/br_sysfs_if.c
index fd5799c9bc8d..6229b62749e8 100644
--- a/net/bridge/br_sysfs_if.c
+++ b/net/bridge/br_sysfs_if.c
@@ -23,7 +23,7 @@
 struct brport_attribute {
        struct attribute        attr;
        ssize_t (*show)(struct net_bridge_port *, char *);
-        ssize_t (*store)(struct net_bridge_port *, unsigned long);
+        int (*store)(struct net_bridge_port *, unsigned long);
 };
 #define BRPORT_ATTR(_name,_mode,_show,_store)                   \
@@ -38,27 +38,17 @@ static ssize_t show_path_cost(struct net_bridge_port *p, char *buf)
 {
        return sprintf(buf, "%d\n", p->path_cost);
 }
-static ssize_t store_path_cost(struct net_bridge_port *p, unsigned long v)
-{
-        br_stp_set_path_cost(p, v);
-        return 0;
-}
 static BRPORT_ATTR(path_cost, S_IRUGO | S_IWUSR,
-                   show_path_cost, store_path_cost);
+                   show_path_cost, br_stp_set_path_cost);
 static ssize_t show_priority(struct net_bridge_port *p, char *buf)
 {
        return sprintf(buf, "%d\n", p->priority);
 }
-static ssize_t store_priority(struct net_bridge_port *p, unsigned long v)
-{
-        if (v >= (1<<(16-BR_PORT_BITS)))
-                return -ERANGE;
-        br_stp_set_port_priority(p, v);
-        return 0;
-}
 static BRPORT_ATTR(priority, S_IRUGO | S_IWUSR,
-                         show_priority, store_priority);
+                         show_priority, br_stp_set_port_priority);
 static ssize_t show_designated_root(struct net_bridge_port *p, char *buf)
 {
@@ -136,7 +126,7 @@ static ssize_t show_hold_timer(struct net_bridge_port *p,
 }
 static BRPORT_ATTR(hold_timer, S_IRUGO, show_hold_timer, NULL);
-static ssize_t store_flush(struct net_bridge_port *p, unsigned long v)
+static int store_flush(struct net_bridge_port *p, unsigned long v)
 {
        br_fdb_delete_by_port(p->br, p, 0); // Don't delete local entry
        return 0;
@@ -148,7 +138,7 @@ static ssize_t show_hairpin_mode(struct net_bridge_port *p, char *buf)
        int hairpin_mode = (p->flags & BR_HAIRPIN_MODE) ? 1 : 0;
        return sprintf(buf, "%d\n", hairpin_mode);
 }
-static ssize_t store_hairpin_mode(struct net_bridge_port *p, unsigned long v)
+static int store_hairpin_mode(struct net_bridge_port *p, unsigned long v)
 {
        if (v)
                p->flags |= BR_HAIRPIN_MODE;
@@ -165,7 +155,7 @@ static ssize_t show_multicast_router(struct net_bridge_port *p, char *buf)
        return sprintf(buf, "%d\n", p->multicast_router);
 }
-static ssize_t store_multicast_router(struct net_bridge_port *p,
+static int store_multicast_router(struct net_bridge_port *p,
                                      unsigned long v)
 {
        return br_multicast_set_port_router(p, v);
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index 50a46afc2bcc..2ed0056a39a8 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -22,9 +22,15 @@
 #include <linux/netfilter_bridge/ebtables.h>
 #include <linux/netfilter_bridge/ebt_ip6.h>
-struct tcpudphdr {
+union pkthdr {
-        __be16 src;
+        struct {
-        __be16 dst;
+                __be16 src;
+                __be16 dst;
+        } tcpudphdr;
+        struct {
+                u8 type;
+                u8 code;
+        } icmphdr;
 };
 static bool
@@ -33,8 +39,8 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
        const struct ebt_ip6_info *info = par->matchinfo;
        const struct ipv6hdr *ih6;
        struct ipv6hdr _ip6h;
-        const struct tcpudphdr *pptr;
+        const union pkthdr *pptr;
-        struct tcpudphdr _ports;
+        union pkthdr _pkthdr;
        ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h);
        if (ih6 == NULL)
@@ -56,26 +62,34 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par)
                        return false;
                if (FWINV(info->protocol != nexthdr, EBT_IP6_PROTO))
                        return false;
-                if (!(info->bitmask & EBT_IP6_DPORT) &&
+                if (!(info->bitmask & ( EBT_IP6_DPORT |
-                    !(info->bitmask & EBT_IP6_SPORT))
+                                        EBT_IP6_SPORT | EBT_IP6_ICMP6)))
                        return true;
-                pptr = skb_header_pointer(skb, offset_ph, sizeof(_ports),
-                                          &_ports);
+                /* min icmpv6 headersize is 4, so sizeof(_pkthdr) is ok. */
+                pptr = skb_header_pointer(skb, offset_ph, sizeof(_pkthdr),
+                                          &_pkthdr);
                if (pptr == NULL)
                        return false;
                if (info->bitmask & EBT_IP6_DPORT) {
-                        u32 dst = ntohs(pptr->dst);
+                        u16 dst = ntohs(pptr->tcpudphdr.dst);
                        if (FWINV(dst < info->dport[0] ||
                                  dst > info->dport[1], EBT_IP6_DPORT))
                                return false;
                }
                if (info->bitmask & EBT_IP6_SPORT) {
-                        u32 src = ntohs(pptr->src);
+                        u16 src = ntohs(pptr->tcpudphdr.src);
                        if (FWINV(src < info->sport[0] ||
                                  src > info->sport[1], EBT_IP6_SPORT))
                        return false;
                }
-                return true;
+                if ((info->bitmask & EBT_IP6_ICMP6) &&
+                     FWINV(pptr->icmphdr.type < info->icmpv6_type[0] ||
+                           pptr->icmphdr.type > info->icmpv6_type[1] ||
+                           pptr->icmphdr.code < info->icmpv6_code[0] ||
+                           pptr->icmphdr.code > info->icmpv6_code[1],
+                                                        EBT_IP6_ICMP6))
+                        return false;
        }
        return true;
 }
@@ -103,6 +117,14 @@ static int ebt_ip6_mt_check(const struct xt_mtchk_param *par)
                return -EINVAL;
        if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1])
                return -EINVAL;
+        if (info->bitmask & EBT_IP6_ICMP6) {
+                if ((info->invflags & EBT_IP6_PROTO) ||
+                     info->protocol != IPPROTO_ICMPV6)
+                        return -EINVAL;
+                if (info->icmpv6_type[0] > info->icmpv6_type[1] ||
+                    info->icmpv6_code[0] > info->icmpv6_code[1])
+                        return -EINVAL;
+        }
        return 0;
 }
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 16df0532d4b9..1a92b369c820 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, const void __user *user,
        if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
                return -ENOMEM;
+        tmp.name[sizeof(tmp.name) - 1] = 0;
        countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
        newinfo = vmalloc(sizeof(*newinfo) + countersize);
        if (!newinfo)
@@ -1764,6 +1766,7 @@ static int compat_table_info(const struct ebt_table_info *info,
        newinfo->entries_size = size;
+        xt_compat_init_offsets(NFPROTO_BRIDGE, info->nentries);
        return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
                                                        entries, newinfo);
 }
@@ -1879,7 +1882,7 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
        struct xt_match *match;
        struct xt_target *wt;
        void *dst = NULL;
-        int off, pad = 0, ret = 0;
+        int off, pad = 0;
        unsigned int size_kern, entry_offset, match_size = mwt->match_size;
        strlcpy(name, mwt->u.name, sizeof(name));
@@ -1932,13 +1935,6 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
                break;
        }
-        if (!dst) {
-                ret = xt_compat_add_offset(NFPROTO_BRIDGE, entry_offset,
-                                        off + ebt_compat_entry_padsize());
-                if (ret < 0)
-                        return ret;
-        }
        state->buf_kern_offset += match_size + off;
        state->buf_user_offset += match_size;
        pad = XT_ALIGN(size_kern) - size_kern;
@@ -2013,50 +2009,6 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
        return growth;
 }
-#define EBT_COMPAT_WATCHER_ITERATE(e, fn, args...)          \
-({                                                          \
-        unsigned int __i;                                   \
-        int __ret = 0;                                      \
-        struct compat_ebt_entry_mwt *__watcher;             \
-                                                            \
-        for (__i = e->watchers_offset;                      \
-             __i < (e)->target_offset;                      \
-             __i += __watcher->watcher_size +               \
-             sizeof(struct compat_ebt_entry_mwt)) {         \
-                __watcher = (void *)(e) + __i;              \
-                __ret = fn(__watcher , ## args);            \
-                if (__ret != 0)                             \
-                        break;                              \
-        }                                                   \
-        if (__ret == 0) {                                   \
-                if (__i != (e)->target_offset)              \
-                        __ret = -EINVAL;                    \
-        }                                                   \
-        __ret;                                              \
-})
-#define EBT_COMPAT_MATCH_ITERATE(e, fn, args...)            \
-({                                                          \
-        unsigned int __i;                                   \
-        int __ret = 0;                                      \
-        struct compat_ebt_entry_mwt *__match;               \
-                                                            \
-        for (__i = sizeof(struct ebt_entry);                \
-             __i < (e)->watchers_offset;                    \
-             __i += __match->match_size +                   \
-             sizeof(struct compat_ebt_entry_mwt)) {         \
-                __match = (void *)(e) + __i;                \
-                __ret = fn(__match , ## args);              \
-                if (__ret != 0)                             \
-                        break;                              \
-        }                                                   \
-        if (__ret == 0) {                                   \
-                if (__i != (e)->watchers_offset)            \
-                        __ret = -EINVAL;                    \
-        }                                                   \
-        __ret;                                              \
-})
 /* called for all ebt_entry structures. */
 static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
                          unsigned int *total,
@@ -2129,6 +2081,14 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
                }
        }
+        if (state->buf_kern_start == NULL) {
+                unsigned int offset = buf_start - (char *) base;
+                ret = xt_compat_add_offset(NFPROTO_BRIDGE, offset, new_offset);
+                if (ret < 0)
+                        return ret;
+        }
        startoff = state->buf_user_offset - startoff;
        BUG_ON(*total < startoff);
@@ -2237,6 +2197,7 @@ static int compat_do_replace(struct net *net, void __user *user,
        xt_compat_lock(NFPROTO_BRIDGE);
+        xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
        ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
        if (ret < 0)
                goto out_unlock;
diff --git a/net/caif/Makefile b/net/caif/Makefile
index 9d38e406e4a4..ebcd4e7e6f47 100644
--- a/net/caif/Makefile
+++ b/net/caif/Makefile
@@ -5,7 +5,7 @@ caif-y := caif_dev.o \
        cffrml.o cfveil.o cfdbgl.o\
        cfserl.o cfdgml.o  \
        cfrfml.o cfvidl.o cfutill.o \
-        cfsrvl.o cfpkt_skbuff.o caif_config_util.o
+        cfsrvl.o cfpkt_skbuff.o
 obj-$(CONFIG_CAIF) += caif.o
 obj-$(CONFIG_CAIF_NETDEV) += chnl_net.o
diff --git a/net/caif/caif_config_util.c b/net/caif/caif_config_util.c
deleted file mode 100644
index d522d8c1703e..000000000000
--- a/net/caif/caif_config_util.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/*
- * Copyright (C) ST-Ericsson AB 2010
- * Author:      Sjur Brendeland sjur.brandeland@stericsson.com
- * License terms: GNU General Public License (GPL) version 2
- */
-#include <linux/module.h>
-#include <linux/spinlock.h>
-#include <net/caif/cfctrl.h>
-#include <net/caif/cfcnfg.h>
-#include <net/caif/caif_dev.h>
-int connect_req_to_link_param(struct cfcnfg *cnfg,
-                                struct caif_connect_request *s,
-                                struct cfctrl_link_param *l)
-{
-        struct dev_info *dev_info;
-        enum cfcnfg_phy_preference pref;
-        int res;
-        memset(l, 0, sizeof(*l));
-        /* In caif protocol low value is high priority */
-        l->priority = CAIF_PRIO_MAX - s->priority + 1;
-        if (s->ifindex != 0){
-                res = cfcnfg_get_id_from_ifi(cnfg, s->ifindex);
-                if (res < 0)
-                        return res;
-                l->phyid = res;
-        }
-        else {
-                switch (s->link_selector) {
-                case CAIF_LINK_HIGH_BANDW:
-                        pref = CFPHYPREF_HIGH_BW;
-                        break;
-                case CAIF_LINK_LOW_LATENCY:
-                        pref = CFPHYPREF_LOW_LAT;
-                        break;
-                default:
-                        return -EINVAL;
-                }
-                dev_info = cfcnfg_get_phyid(cnfg, pref);
-                if (dev_info == NULL)
-                        return -ENODEV;
-                l->phyid = dev_info->id;
-        }
-        switch (s->protocol) {
-        case CAIFPROTO_AT:
-                l->linktype = CFCTRL_SRV_VEI;
-                if (s->sockaddr.u.at.type == CAIF_ATTYPE_PLAIN)
-                        l->chtype = 0x02;
-                else
-                        l->chtype = s->sockaddr.u.at.type;
-                l->endpoint = 0x00;
-                break;
-        case CAIFPROTO_DATAGRAM:
-                l->linktype = CFCTRL_SRV_DATAGRAM;
-                l->chtype = 0x00;
-                l->u.datagram.connid = s->sockaddr.u.dgm.connection_id;
-                break;
-        case CAIFPROTO_DATAGRAM_LOOP:
-                l->linktype = CFCTRL_SRV_DATAGRAM;
-                l->chtype = 0x03;
-                l->endpoint = 0x00;
-                l->u.datagram.connid = s->sockaddr.u.dgm.connection_id;
-                break;
-        case CAIFPROTO_RFM:
-                l->linktype = CFCTRL_SRV_RFM;
-                l->u.datagram.connid = s->sockaddr.u.rfm.connection_id;
-                strncpy(l->u.rfm.volume, s->sockaddr.u.rfm.volume,
-                        sizeof(l->u.rfm.volume)-1);
-                l->u.rfm.volume[sizeof(l->u.rfm.volume)-1] = 0;
-                break;
-        case CAIFPROTO_UTIL:
-                l->linktype = CFCTRL_SRV_UTIL;
-                l->endpoint = 0x00;
-                l->chtype = 0x00;
-                strncpy(l->u.utility.name, s->sockaddr.u.util.service,
-                        sizeof(l->u.utility.name)-1);
-                l->u.utility.name[sizeof(l->u.utility.name)-1] = 0;
-                caif_assert(sizeof(l->u.utility.name) > 10);
-                l->u.utility.paramlen = s->param.size;
-                if (l->u.utility.paramlen > sizeof(l->u.utility.params))
-                        l->u.utility.paramlen = sizeof(l->u.utility.params);
-                memcpy(l->u.utility.params, s->param.data,
-                       l->u.utility.paramlen);
-                break;
-        case CAIFPROTO_DEBUG:
-                l->linktype = CFCTRL_SRV_DBG;
-                l->endpoint = s->sockaddr.u.dbg.service;
-                l->chtype = s->sockaddr.u.dbg.type;
-                break;
-        default:
-                return -EINVAL;
-        }
-        return 0;
-}
diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
index a42a408306e4..366ca0fb7a29 100644
--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -12,49 +12,51 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ":%s(): " fmt, __func__
 #include <linux/version.h>
-#include <linux/module.h>
 #include <linux/kernel.h>
 #include <linux/if_arp.h>
 #include <linux/net.h>
 #include <linux/netdevice.h>
-#include <linux/skbuff.h>
+#include <linux/mutex.h>
-#include <linux/sched.h>
-#include <linux/wait.h>
 #include <net/netns/generic.h>
 #include <net/net_namespace.h>
 #include <net/pkt_sched.h>
 #include <net/caif/caif_device.h>
-#include <net/caif/caif_dev.h>
 #include <net/caif/caif_layer.h>
 #include <net/caif/cfpkt.h>
 #include <net/caif/cfcnfg.h>
 MODULE_LICENSE("GPL");
-#define TIMEOUT (HZ*5)
 /* Used for local tracking of the CAIF net devices */
 struct caif_device_entry {
        struct cflayer layer;
        struct list_head list;
-        atomic_t in_use;
-        atomic_t state;
-        u16 phyid;
        struct net_device *netdev;
-        wait_queue_head_t event;
+        int __percpu *pcpu_refcnt;
 };
 struct caif_device_entry_list {
        struct list_head list;
        /* Protects simulanous deletes in list */
-        spinlock_t lock;
+        struct mutex lock;
 };
 struct caif_net {
+        struct cfcnfg *cfg;
        struct caif_device_entry_list caifdevs;
 };
 static int caif_net_id;
-static struct cfcnfg *cfg;
+struct cfcnfg *get_cfcnfg(struct net *net)
+{
+        struct caif_net *caifn;
+        BUG_ON(!net);
+        caifn = net_generic(net, caif_net_id);
+        BUG_ON(!caifn);
+        return caifn->cfg;
+}
+EXPORT_SYMBOL(get_cfcnfg);
 static struct caif_device_entry_list *caif_device_list(struct net *net)
 {
@@ -65,19 +67,39 @@ static struct caif_device_entry_list *caif_device_list(struct net *net)
        return &caifn->caifdevs;
 }
+static void caifd_put(struct caif_device_entry *e)
+{
+        irqsafe_cpu_dec(*e->pcpu_refcnt);
+}
+static void caifd_hold(struct caif_device_entry *e)
+{
+        irqsafe_cpu_inc(*e->pcpu_refcnt);
+}
+static int caifd_refcnt_read(struct caif_device_entry *e)
+{
+        int i, refcnt = 0;
+        for_each_possible_cpu(i)
+                refcnt += *per_cpu_ptr(e->pcpu_refcnt, i);
+        return refcnt;
+}
 /* Allocate new CAIF device. */
 static struct caif_device_entry *caif_device_alloc(struct net_device *dev)
 {
        struct caif_device_entry_list *caifdevs;
        struct caif_device_entry *caifd;
        caifdevs = caif_device_list(dev_net(dev));
        BUG_ON(!caifdevs);
        caifd = kzalloc(sizeof(*caifd), GFP_ATOMIC);
        if (!caifd)
                return NULL;
+        caifd->pcpu_refcnt = alloc_percpu(int);
        caifd->netdev = dev;
-        list_add(&caifd->list, &caifdevs->list);
+        dev_hold(dev);
-        init_waitqueue_head(&caifd->event);
        return caifd;
 }
@@ -87,98 +109,60 @@ static struct caif_device_entry *caif_get(struct net_device *dev)
            caif_device_list(dev_net(dev));
        struct caif_device_entry *caifd;
        BUG_ON(!caifdevs);
-        list_for_each_entry(caifd, &caifdevs->list, list) {
+        list_for_each_entry_rcu(caifd, &caifdevs->list, list) {
                if (caifd->netdev == dev)
                        return caifd;
        }
        return NULL;
 }
-static void caif_device_destroy(struct net_device *dev)
-{
-        struct caif_device_entry_list *caifdevs =
-            caif_device_list(dev_net(dev));
-        struct caif_device_entry *caifd;
-        ASSERT_RTNL();
-        if (dev->type != ARPHRD_CAIF)
-                return;
-        spin_lock_bh(&caifdevs->lock);
-        caifd = caif_get(dev);
-        if (caifd == NULL) {
-                spin_unlock_bh(&caifdevs->lock);
-                return;
-        }
-        list_del(&caifd->list);
-        spin_unlock_bh(&caifdevs->lock);
-        kfree(caifd);
-}
 static int transmit(struct cflayer *layer, struct cfpkt *pkt)
 {
+        int err;
        struct caif_device_entry *caifd =
            container_of(layer, struct caif_device_entry, layer);
-        struct sk_buff *skb, *skb2;
+        struct sk_buff *skb;
-        int ret = -EINVAL;
        skb = cfpkt_tonative(pkt);
        skb->dev = caifd->netdev;
-        /*
-         * Don't allow SKB to be destroyed upon error, but signal resend
-         * notification to clients. We can't rely on the return value as
-         * congestion (NET_XMIT_CN) sometimes drops the packet, sometimes don't.
-         */
-        if (netif_queue_stopped(caifd->netdev))
-                return -EAGAIN;
-        skb2 = skb_get(skb);
-        ret = dev_queue_xmit(skb2);
-        if (!ret)
-                kfree_skb(skb);
-        else
-                return -EAGAIN;
-        return 0;
+        err = dev_queue_xmit(skb);
-}
+        if (err > 0)
+                err = -EIO;
-static int modemcmd(struct cflayer *layr, enum caif_modemcmd ctrl)
+        return err;
-{
-        struct caif_device_entry *caifd;
-        struct caif_dev_common *caifdev;
-        caifd = container_of(layr, struct caif_device_entry, layer);
-        caifdev = netdev_priv(caifd->netdev);
-        if (ctrl == _CAIF_MODEMCMD_PHYIF_USEFULL) {
-                atomic_set(&caifd->in_use, 1);
-                wake_up_interruptible(&caifd->event);
-        } else if (ctrl == _CAIF_MODEMCMD_PHYIF_USELESS) {
-                atomic_set(&caifd->in_use, 0);
-                wake_up_interruptible(&caifd->event);
-        }
-        return 0;
 }
 /*
- * Stuff received packets to associated sockets.
+ * Stuff received packets into the CAIF stack.
 * On error, returns non-zero and releases the skb.
 */
 static int receive(struct sk_buff *skb, struct net_device *dev,
                   struct packet_type *pkttype, struct net_device *orig_dev)
 {
-        struct net *net;
        struct cfpkt *pkt;
        struct caif_device_entry *caifd;
-        net = dev_net(dev);
        pkt = cfpkt_fromnative(CAIF_DIR_IN, skb);
+        rcu_read_lock();
        caifd = caif_get(dev);
-        if (!caifd || !caifd->layer.up || !caifd->layer.up->receive)
-                return NET_RX_DROP;
-        if (caifd->layer.up->receive(caifd->layer.up, pkt))
+        if (!caifd || !caifd->layer.up || !caifd->layer.up->receive ||
+                        !netif_oper_up(caifd->netdev)) {
+                rcu_read_unlock();
+                kfree_skb(skb);
                return NET_RX_DROP;
+        }
+        /* Hold reference to netdevice while using CAIF stack */
+        caifd_hold(caifd);
+        rcu_read_unlock();
+        caifd->layer.up->receive(caifd->layer.up, pkt);
+        /* Release reference to stack upwards */
+        caifd_put(caifd);
        return 0;
 }
@@ -189,15 +173,25 @@ static struct packet_type caif_packet_type __read_mostly = {
 static void dev_flowctrl(struct net_device *dev, int on)
 {
-        struct caif_device_entry *caifd = caif_get(dev);
+        struct caif_device_entry *caifd;
-        if (!caifd || !caifd->layer.up || !caifd->layer.up->ctrlcmd)
+        rcu_read_lock();
+        caifd = caif_get(dev);
+        if (!caifd || !caifd->layer.up || !caifd->layer.up->ctrlcmd) {
+                rcu_read_unlock();
                return;
+        }
+        caifd_hold(caifd);
+        rcu_read_unlock();
        caifd->layer.up->ctrlcmd(caifd->layer.up,
                                 on ?
                                 _CAIF_CTRLCMD_PHYIF_FLOW_ON_IND :
                                 _CAIF_CTRLCMD_PHYIF_FLOW_OFF_IND,
                                 caifd->layer.id);
+        caifd_put(caifd);
 }
 /* notify Caif of device events */
@@ -208,37 +202,28 @@ static int caif_device_notify(struct notifier_block *me, unsigned long what,
        struct caif_device_entry *caifd = NULL;
        struct caif_dev_common *caifdev;
        enum cfcnfg_phy_preference pref;
-        int res = -EINVAL;
        enum cfcnfg_phy_type phy_type;
+        struct cfcnfg *cfg;
+        struct caif_device_entry_list *caifdevs =
+            caif_device_list(dev_net(dev));
        if (dev->type != ARPHRD_CAIF)
                return 0;
+        cfg = get_cfcnfg(dev_net(dev));
+        if (cfg == NULL)
+                return 0;
        switch (what) {
        case NETDEV_REGISTER:
-                netdev_info(dev, "register\n");
                caifd = caif_device_alloc(dev);
-                if (caifd == NULL)
+                if (!caifd)
-                        break;
+                        return 0;
                caifdev = netdev_priv(dev);
                caifdev->flowctrl = dev_flowctrl;
-                atomic_set(&caifd->state, what);
-                res = 0;
-                break;
-        case NETDEV_UP:
-                netdev_info(dev, "up\n");
-                caifd = caif_get(dev);
-                if (caifd == NULL)
-                        break;
-                caifdev = netdev_priv(dev);
-                if (atomic_read(&caifd->state) == NETDEV_UP) {
-                        netdev_info(dev, "already up\n");
-                        break;
-                }
-                atomic_set(&caifd->state, what);
                caifd->layer.transmit = transmit;
-                caifd->layer.modemcmd = modemcmd;
                if (caifdev->use_frag)
                        phy_type = CFPHYTYPE_FRAG;
@@ -256,62 +241,94 @@ static int caif_device_notify(struct notifier_block *me, unsigned long what,
                        pref = CFPHYPREF_HIGH_BW;
                        break;
                }
-                dev_hold(dev);
+                strncpy(caifd->layer.name, dev->name,
-                cfcnfg_add_phy_layer(get_caif_conf(),
+                        sizeof(caifd->layer.name) - 1);
+                caifd->layer.name[sizeof(caifd->layer.name) - 1] = 0;
+                mutex_lock(&caifdevs->lock);
+                list_add_rcu(&caifd->list, &caifdevs->list);
+                cfcnfg_add_phy_layer(cfg,
                                     phy_type,
                                     dev,
                                     &caifd->layer,
-                                     &caifd->phyid,
                                     pref,
                                     caifdev->use_fcs,
                                     caifdev->use_stx);
-                strncpy(caifd->layer.name, dev->name,
+                mutex_unlock(&caifdevs->lock);
-                        sizeof(caifd->layer.name) - 1);
-                caifd->layer.name[sizeof(caifd->layer.name) - 1] = 0;
                break;
-        case NETDEV_GOING_DOWN:
+        case NETDEV_UP:
+                rcu_read_lock();
                caifd = caif_get(dev);
-                if (caifd == NULL)
+                if (caifd == NULL) {
+                        rcu_read_unlock();
                        break;
-                netdev_info(dev, "going down\n");
+                }
-                if (atomic_read(&caifd->state) == NETDEV_GOING_DOWN ||
+                cfcnfg_set_phy_state(cfg, &caifd->layer, true);
-                        atomic_read(&caifd->state) == NETDEV_DOWN)
+                rcu_read_unlock();
-                        break;
-                atomic_set(&caifd->state, what);
-                if (!caifd || !caifd->layer.up || !caifd->layer.up->ctrlcmd)
-                        return -EINVAL;
-                caifd->layer.up->ctrlcmd(caifd->layer.up,
-                                         _CAIF_CTRLCMD_PHYIF_DOWN_IND,
-                                         caifd->layer.id);
-                might_sleep();
-                res = wait_event_interruptible_timeout(caifd->event,
-                                        atomic_read(&caifd->in_use) == 0,
-                                        TIMEOUT);
                break;
        case NETDEV_DOWN:
+                rcu_read_lock();
                caifd = caif_get(dev);
-                if (caifd == NULL)
+                if (!caifd || !caifd->layer.up || !caifd->layer.up->ctrlcmd) {
-                        break;
+                        rcu_read_unlock();
-                netdev_info(dev, "down\n");
+                        return -EINVAL;
-                if (atomic_read(&caifd->in_use))
+                }
-                        netdev_warn(dev,
-                                    "Unregistering an active CAIF device\n");
+                cfcnfg_set_phy_state(cfg, &caifd->layer, false);
-                cfcnfg_del_phy_layer(get_caif_conf(), &caifd->layer);
+                caifd_hold(caifd);
-                dev_put(dev);
+                rcu_read_unlock();
-                atomic_set(&caifd->state, what);
+                caifd->layer.up->ctrlcmd(caifd->layer.up,
+                                         _CAIF_CTRLCMD_PHYIF_DOWN_IND,
+                                         caifd->layer.id);
+                caifd_put(caifd);
                break;
        case NETDEV_UNREGISTER:
+                mutex_lock(&caifdevs->lock);
                caifd = caif_get(dev);
-                if (caifd == NULL)
+                if (caifd == NULL) {
+                        mutex_unlock(&caifdevs->lock);
+                        break;
+                }
+                list_del_rcu(&caifd->list);
+                /*
+                 * NETDEV_UNREGISTER is called repeatedly until all reference
+                 * counts for the net-device are released. If references to
+                 * caifd is taken, simply ignore NETDEV_UNREGISTER and wait for
+                 * the next call to NETDEV_UNREGISTER.
+                 *
+                 * If any packets are in flight down the CAIF Stack,
+                 * cfcnfg_del_phy_layer will return nonzero.
+                 * If no packets are in flight, the CAIF Stack associated
+                 * with the net-device un-registering is freed.
+                 */
+                if (caifd_refcnt_read(caifd) != 0 ||
+                        cfcnfg_del_phy_layer(cfg, &caifd->layer) != 0) {
+                        pr_info("Wait for device inuse\n");
+                        /* Enrole device if CAIF Stack is still in use */
+                        list_add_rcu(&caifd->list, &caifdevs->list);
+                        mutex_unlock(&caifdevs->lock);
                        break;
-                netdev_info(dev, "unregister\n");
+                }
-                atomic_set(&caifd->state, what);
-                caif_device_destroy(dev);
+                synchronize_rcu();
+                dev_put(caifd->netdev);
+                free_percpu(caifd->pcpu_refcnt);
+                kfree(caifd);
+                mutex_unlock(&caifdevs->lock);
                break;
        }
        return 0;
@@ -322,61 +339,60 @@ static struct notifier_block caif_device_notifier = {
        .priority = 0,
 };
-struct cfcnfg *get_caif_conf(void)
-{
-        return cfg;
-}
-EXPORT_SYMBOL(get_caif_conf);
-int caif_connect_client(struct caif_connect_request *conn_req,
-                        struct cflayer *client_layer, int *ifindex,
-                        int *headroom, int *tailroom)
-{
-        struct cfctrl_link_param param;
-        int ret;
-        ret = connect_req_to_link_param(get_caif_conf(), conn_req, &param);
-        if (ret)
-                return ret;
-        /* Hook up the adaptation layer. */
-        return cfcnfg_add_adaptation_layer(get_caif_conf(), &param,
-                                        client_layer, ifindex,
-                                        headroom, tailroom);
-}
-EXPORT_SYMBOL(caif_connect_client);
-int caif_disconnect_client(struct cflayer *adap_layer)
-{
-       return cfcnfg_disconn_adapt_layer(get_caif_conf(), adap_layer);
-}
-EXPORT_SYMBOL(caif_disconnect_client);
-void caif_release_client(struct cflayer *adap_layer)
-{
-       cfcnfg_release_adap_layer(adap_layer);
-}
-EXPORT_SYMBOL(caif_release_client);
 /* Per-namespace Caif devices handling */
 static int caif_init_net(struct net *net)
 {
        struct caif_net *caifn = net_generic(net, caif_net_id);
+        BUG_ON(!caifn);
        INIT_LIST_HEAD(&caifn->caifdevs.list);
-        spin_lock_init(&caifn->caifdevs.lock);
+        mutex_init(&caifn->caifdevs.lock);
+        caifn->cfg = cfcnfg_create();
+        if (!caifn->cfg) {
+                pr_warn("can't create cfcnfg\n");
+                return -ENOMEM;
+        }
        return 0;
 }
 static void caif_exit_net(struct net *net)
 {
-        struct net_device *dev;
+        struct caif_device_entry *caifd, *tmp;
-        int res;
+        struct caif_device_entry_list *caifdevs =
+            caif_device_list(net);
+        struct cfcnfg *cfg;
        rtnl_lock();
-        for_each_netdev(net, dev) {
+        mutex_lock(&caifdevs->lock);
-                if (dev->type != ARPHRD_CAIF)
-                        continue;
+        cfg = get_cfcnfg(net);
-                res = dev_close(dev);
+        if (cfg == NULL) {
-                caif_device_destroy(dev);
+                mutex_unlock(&caifdevs->lock);
+                return;
        }
+        list_for_each_entry_safe(caifd, tmp, &caifdevs->list, list) {
+                int i = 0;
+                list_del_rcu(&caifd->list);
+                cfcnfg_set_phy_state(cfg, &caifd->layer, false);
+                while (i < 10 &&
+                        (caifd_refcnt_read(caifd) != 0 ||
+                        cfcnfg_del_phy_layer(cfg, &caifd->layer) != 0)) {
+                        pr_info("Wait for device inuse\n");
+                        msleep(250);
+                        i++;
+                }
+                synchronize_rcu();
+                dev_put(caifd->netdev);
+                free_percpu(caifd->pcpu_refcnt);
+                kfree(caifd);
+        }
+        cfcnfg_remove(cfg);
+        mutex_unlock(&caifdevs->lock);
        rtnl_unlock();
 }
@@ -391,32 +407,23 @@ static struct pernet_operations caif_net_ops = {
 static int __init caif_device_init(void)
 {
        int result;
-        cfg = cfcnfg_create();
-        if (!cfg) {
-                pr_warn("can't create cfcnfg\n");
-                goto err_cfcnfg_create_failed;
-        }
        result = register_pernet_device(&caif_net_ops);
-        if (result) {
+        if (result)
-                kfree(cfg);
-                cfg = NULL;
                return result;
-        }
-        dev_add_pack(&caif_packet_type);
        register_netdevice_notifier(&caif_device_notifier);
+        dev_add_pack(&caif_packet_type);
        return result;
-err_cfcnfg_create_failed:
-        return -ENODEV;
 }
 static void __exit caif_device_exit(void)
 {
-        dev_remove_pack(&caif_packet_type);
        unregister_pernet_device(&caif_net_ops);
        unregister_netdevice_notifier(&caif_device_notifier);
-        cfcnfg_remove(cfg);
+        dev_remove_pack(&caif_packet_type);
 }
 module_init(caif_device_init);
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 8184c031d028..b840395ced1d 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -48,6 +48,7 @@ static struct dentry *debugfsdir;
 #ifdef CONFIG_DEBUG_FS
 struct debug_fs_counter {
        atomic_t caif_nr_socks;
+        atomic_t caif_sock_create;
        atomic_t num_connect_req;
        atomic_t num_connect_resp;
        atomic_t num_connect_fail_resp;
@@ -59,11 +60,11 @@ struct debug_fs_counter {
        atomic_t num_rx_flow_on;
 };
 static struct debug_fs_counter cnt;
-#define dbfs_atomic_inc(v) atomic_inc(v)
+#define dbfs_atomic_inc(v) atomic_inc_return(v)
-#define dbfs_atomic_dec(v) atomic_dec(v)
+#define dbfs_atomic_dec(v) atomic_dec_return(v)
 #else
-#define dbfs_atomic_inc(v)
+#define dbfs_atomic_inc(v) 0
-#define dbfs_atomic_dec(v)
+#define dbfs_atomic_dec(v) 0
 #endif
 struct caifsock {
@@ -155,9 +156,10 @@ static int caif_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
        if (atomic_read(&sk->sk_rmem_alloc) + skb->truesize >=
                (unsigned)sk->sk_rcvbuf && rx_flow_is_on(cf_sk)) {
-                pr_debug("sending flow OFF (queue len = %d %d)\n",
+                if (net_ratelimit())
-                        atomic_read(&cf_sk->sk.sk_rmem_alloc),
+                        pr_debug("sending flow OFF (queue len = %d %d)\n",
-                        sk_rcvbuf_lowwater(cf_sk));
+                                        atomic_read(&cf_sk->sk.sk_rmem_alloc),
+                                        sk_rcvbuf_lowwater(cf_sk));
                set_rx_flow_off(cf_sk);
                dbfs_atomic_inc(&cnt.num_rx_flow_off);
                caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
@@ -168,7 +170,8 @@ static int caif_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
                return err;
        if (!sk_rmem_schedule(sk, skb->truesize) && rx_flow_is_on(cf_sk)) {
                set_rx_flow_off(cf_sk);
-                pr_debug("sending flow OFF due to rmem_schedule\n");
+                if (net_ratelimit())
+                        pr_debug("sending flow OFF due to rmem_schedule\n");
                dbfs_atomic_inc(&cnt.num_rx_flow_off);
                caif_flow_ctrl(sk, CAIF_MODEMCMD_FLOW_OFF_REQ);
        }
@@ -202,13 +205,25 @@ static int caif_sktrecv_cb(struct cflayer *layr, struct cfpkt *pkt)
        skb = cfpkt_tonative(pkt);
        if (unlikely(cf_sk->sk.sk_state != CAIF_CONNECTED)) {
-                cfpkt_destroy(pkt);
+                kfree_skb(skb);
                return 0;
        }
        caif_queue_rcv_skb(&cf_sk->sk, skb);
        return 0;
 }
+static void cfsk_hold(struct cflayer *layr)
+{
+        struct caifsock *cf_sk = container_of(layr, struct caifsock, layer);
+        sock_hold(&cf_sk->sk);
+}
+static void cfsk_put(struct cflayer *layr)
+{
+        struct caifsock *cf_sk = container_of(layr, struct caifsock, layer);
+        sock_put(&cf_sk->sk);
+}
 /* Packet Control Callback function called from CAIF */
 static void caif_ctrl_cb(struct cflayer *layr,
                                enum caif_ctrlcmd flow,
@@ -232,6 +247,8 @@ static void caif_ctrl_cb(struct cflayer *layr,
        case CAIF_CTRLCMD_INIT_RSP:
                /* We're now connected */
+                caif_client_register_refcnt(&cf_sk->layer,
+                                                cfsk_hold, cfsk_put);
                dbfs_atomic_inc(&cnt.num_connect_resp);
                cf_sk->sk.sk_state = CAIF_CONNECTED;
                set_tx_flow_on(cf_sk);
@@ -242,7 +259,6 @@ static void caif_ctrl_cb(struct cflayer *layr,
                /* We're now disconnected */
                cf_sk->sk.sk_state = CAIF_DISCONNECTED;
                cf_sk->sk.sk_state_change(&cf_sk->sk);
-                cfcnfg_release_adap_layer(&cf_sk->layer);
                break;
        case CAIF_CTRLCMD_INIT_FAIL_RSP:
@@ -519,43 +535,14 @@ static int transmit_skb(struct sk_buff *skb, struct caifsock *cf_sk,
                        int noblock, long timeo)
 {
        struct cfpkt *pkt;
-        int ret, loopcnt = 0;
        pkt = cfpkt_fromnative(CAIF_DIR_OUT, skb);
-        memset(cfpkt_info(pkt), 0, sizeof(struct caif_payload_info));
+        memset(skb->cb, 0, sizeof(struct caif_payload_info));
-        do {
-                ret = -ETIMEDOUT;
+        if (cf_sk->layer.dn == NULL)
+                return -EINVAL;
-                /* Slight paranoia, probably not needed. */
+        return cf_sk->layer.dn->transmit(cf_sk->layer.dn, pkt);
-                if (unlikely(loopcnt++ > 1000)) {
-                        pr_warn("transmit retries failed, error = %d\n", ret);
-                        break;
-                }
-                if (cf_sk->layer.dn != NULL)
-                        ret = cf_sk->layer.dn->transmit(cf_sk->layer.dn, pkt);
-                if (likely(ret >= 0))
-                        break;
-                /* if transmit return -EAGAIN, then retry */
-                if (noblock && ret == -EAGAIN)
-                        break;
-                timeo = caif_wait_for_flow_on(cf_sk, 0, timeo, &ret);
-                if (signal_pending(current)) {
-                        ret = sock_intr_errno(timeo);
-                        break;
-                }
-                if (ret)
-                        break;
-                if (cf_sk->sk.sk_state != CAIF_CONNECTED ||
-                        sock_flag(&cf_sk->sk, SOCK_DEAD) ||
-                        (cf_sk->sk.sk_shutdown & RCV_SHUTDOWN)) {
-                        ret = -EPIPE;
-                        cf_sk->sk.sk_err = EPIPE;
-                        break;
-                }
-        } while (ret == -EAGAIN);
-        return ret;
 }
 /* Copied from af_unix:unix_dgram_sendmsg, and adapted to CAIF */
@@ -620,7 +607,9 @@ static int caif_seqpkt_sendmsg(struct kiocb *kiocb, struct socket *sock,
                goto err;
        ret = transmit_skb(skb, cf_sk, noblock, timeo);
        if (ret < 0)
-                goto err;
+                /* skb is already freed */
+                return ret;
        return len;
 err:
        kfree_skb(skb);
@@ -826,7 +815,7 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
                                sk->sk_state == CAIF_DISCONNECTED);
                if (sk->sk_shutdown & SHUTDOWN_MASK) {
                        /* Allow re-connect after SHUTDOWN_IND */
-                        caif_disconnect_client(&cf_sk->layer);
+                        caif_disconnect_client(sock_net(sk), &cf_sk->layer);
                        break;
                }
                /* No reconnect on a seqpacket socket */
@@ -866,8 +855,10 @@ static int caif_connect(struct socket *sock, struct sockaddr *uaddr,
        dbfs_atomic_inc(&cnt.num_connect_req);
        cf_sk->layer.receive = caif_sktrecv_cb;
-        err = caif_connect_client(&cf_sk->conn_req,
+        err = caif_connect_client(sock_net(sk), &cf_sk->conn_req,
                                &cf_sk->layer, &ifindex, &headroom, &tailroom);
        if (err < 0) {
                cf_sk->sk.sk_socket->state = SS_UNCONNECTED;
                cf_sk->sk.sk_state = CAIF_DISCONNECTED;
@@ -947,13 +938,14 @@ static int caif_release(struct socket *sock)
         * caif_queue_rcv_skb checks SOCK_DEAD holding the queue lock,
         * this ensures no packets when sock is dead.
         */
-        spin_lock(&sk->sk_receive_queue.lock);
+        spin_lock_bh(&sk->sk_receive_queue.lock);
        sock_set_flag(sk, SOCK_DEAD);
-        spin_unlock(&sk->sk_receive_queue.lock);
+        spin_unlock_bh(&sk->sk_receive_queue.lock);
        sock->sk = NULL;
        dbfs_atomic_inc(&cnt.num_disconnect);
+        WARN_ON(IS_ERR(cf_sk->debugfs_socket_dir));
        if (cf_sk->debugfs_socket_dir != NULL)
                debugfs_remove_recursive(cf_sk->debugfs_socket_dir);
@@ -963,13 +955,12 @@ static int caif_release(struct socket *sock)
        if (cf_sk->sk.sk_socket->state == SS_CONNECTED ||
                cf_sk->sk.sk_socket->state == SS_CONNECTING)
-                res = caif_disconnect_client(&cf_sk->layer);
+                res = caif_disconnect_client(sock_net(sk), &cf_sk->layer);
        cf_sk->sk.sk_socket->state = SS_DISCONNECTING;
        wake_up_interruptible_poll(sk_sleep(sk), POLLERR|POLLHUP);
        sock_orphan(sk);
-        cf_sk->layer.dn = NULL;
        sk_stream_kill_queues(&cf_sk->sk);
        release_sock(sk);
        sock_put(sk);
@@ -1060,16 +1051,18 @@ static void caif_sock_destructor(struct sock *sk)
        caif_assert(sk_unhashed(sk));
        caif_assert(!sk->sk_socket);
        if (!sock_flag(sk, SOCK_DEAD)) {
-                pr_info("Attempt to release alive CAIF socket: %p\n", sk);
+                pr_debug("Attempt to release alive CAIF socket: %p\n", sk);
                return;
        }
        sk_stream_kill_queues(&cf_sk->sk);
        dbfs_atomic_dec(&cnt.caif_nr_socks);
+        caif_free_client(&cf_sk->layer);
 }
 static int caif_create(struct net *net, struct socket *sock, int protocol,
                        int kern)
 {
+        int num;
        struct sock *sk = NULL;
        struct caifsock *cf_sk = NULL;
        static struct proto prot = {.name = "PF_CAIF",
@@ -1132,14 +1125,16 @@ static int caif_create(struct net *net, struct socket *sock, int protocol,
        cf_sk->conn_req.protocol = protocol;
        /* Increase the number of sockets created. */
        dbfs_atomic_inc(&cnt.caif_nr_socks);
+        num = dbfs_atomic_inc(&cnt.caif_sock_create);
 #ifdef CONFIG_DEBUG_FS
        if (!IS_ERR(debugfsdir)) {
                /* Fill in some information concerning the misc socket. */
-                snprintf(cf_sk->name, sizeof(cf_sk->name), "cfsk%d",
+                snprintf(cf_sk->name, sizeof(cf_sk->name), "cfsk%d", num);
-                                atomic_read(&cnt.caif_nr_socks));
                cf_sk->debugfs_socket_dir =
                        debugfs_create_dir(cf_sk->name, debugfsdir);
                debugfs_create_u32("sk_state", S_IRUSR | S_IWUSR,
                                cf_sk->debugfs_socket_dir,
                                (u32 *) &cf_sk->sk.sk_state);
@@ -1183,6 +1178,9 @@ static int __init caif_sktinit_module(void)
                debugfs_create_u32("num_sockets", S_IRUSR | S_IWUSR,
                                debugfsdir,
                                (u32 *) &cnt.caif_nr_socks);
+                debugfs_create_u32("num_create", S_IRUSR | S_IWUSR,
+                                debugfsdir,
+                                (u32 *) &cnt.caif_sock_create);
                debugfs_create_u32("num_connect_req", S_IRUSR | S_IWUSR,
                                debugfsdir,
                                (u32 *) &cnt.num_connect_req);
diff --git a/net/caif/cfcnfg.c b/net/caif/cfcnfg.c
index c665de778b60..351c2ca7e7b9 100644
--- a/net/caif/cfcnfg.c
+++ b/net/caif/cfcnfg.c
@@ -10,6 +10,7 @@
 #include <linux/stddef.h>
 #include <linux/slab.h>
 #include <linux/netdevice.h>
+#include <linux/module.h>
 #include <net/caif/caif_layer.h>
 #include <net/caif/cfpkt.h>
 #include <net/caif/cfcnfg.h>
@@ -18,20 +19,17 @@
 #include <net/caif/cffrml.h>
 #include <net/caif/cfserl.h>
 #include <net/caif/cfsrvl.h>
+#include <net/caif/caif_dev.h>
-#include <linux/module.h>
-#include <asm/atomic.h>
-#define MAX_PHY_LAYERS 7
-#define PHY_NAME_LEN 20
 #define container_obj(layr) container_of(layr, struct cfcnfg, layer)
-#define RFM_FRAGMENT_SIZE 4030
 /* Information about CAIF physical interfaces held by Config Module in order
 * to manage physical interfaces
 */
 struct cfcnfg_phyinfo {
+        struct list_head node;
+        bool up;
        /* Pointer to the layer below the MUX (framing layer) */
        struct cflayer *frm_layer;
        /* Pointer to the lowest actual physical layer */
@@ -41,9 +39,6 @@ struct cfcnfg_phyinfo {
        /* Preference of the physical in interface */
        enum cfcnfg_phy_preference pref;
-        /* Reference count, number of channels using the device */
-        int phy_ref_count;
        /* Information about the physical device */
        struct dev_info dev_info;
@@ -61,8 +56,8 @@ struct cfcnfg {
        struct cflayer layer;
        struct cflayer *ctrl;
        struct cflayer *mux;
-        u8 last_phyid;
+        struct list_head phys;
-        struct cfcnfg_phyinfo phy_layers[MAX_PHY_LAYERS];
+        struct mutex lock;
 };
 static void cfcnfg_linkup_rsp(struct cflayer *layer, u8 channel_id,
@@ -78,6 +73,9 @@ struct cfcnfg *cfcnfg_create(void)
 {
        struct cfcnfg *this;
        struct cfctrl_rsp *resp;
+        might_sleep();
        /* Initiate this layer */
        this = kzalloc(sizeof(struct cfcnfg), GFP_ATOMIC);
        if (!this) {
@@ -101,27 +99,33 @@ struct cfcnfg *cfcnfg_create(void)
        resp->radioset_rsp = cfctrl_resp_func;
        resp->linksetup_rsp = cfcnfg_linkup_rsp;
        resp->reject_rsp = cfcnfg_reject_rsp;
+        INIT_LIST_HEAD(&this->phys);
-        this->last_phyid = 1;
        cfmuxl_set_uplayer(this->mux, this->ctrl, 0);
        layer_set_dn(this->ctrl, this->mux);
        layer_set_up(this->ctrl, this);
+        mutex_init(&this->lock);
        return this;
 out_of_mem:
        pr_warn("Out of memory\n");
+        synchronize_rcu();
        kfree(this->mux);
        kfree(this->ctrl);
        kfree(this);
        return NULL;
 }
-EXPORT_SYMBOL(cfcnfg_create);
 void cfcnfg_remove(struct cfcnfg *cfg)
 {
+        might_sleep();
        if (cfg) {
+                synchronize_rcu();
                kfree(cfg->mux);
-                kfree(cfg->ctrl);
+                cfctrl_remove(cfg->ctrl);
                kfree(cfg);
        }
 }
@@ -130,132 +134,96 @@ static void cfctrl_resp_func(void)
 {
 }
+static struct cfcnfg_phyinfo *cfcnfg_get_phyinfo_rcu(struct cfcnfg *cnfg,
+                                                        u8 phyid)
+{
+        struct cfcnfg_phyinfo *phy;
+        list_for_each_entry_rcu(phy, &cnfg->phys, node)
+                if (phy->id == phyid)
+                        return phy;
+        return NULL;
+}
 static void cfctrl_enum_resp(void)
 {
 }
-struct dev_info *cfcnfg_get_phyid(struct cfcnfg *cnfg,
+static struct dev_info *cfcnfg_get_phyid(struct cfcnfg *cnfg,
                                  enum cfcnfg_phy_preference phy_pref)
 {
-        u16 i;
        /* Try to match with specified preference */
-        for (i = 1; i < MAX_PHY_LAYERS; i++) {
+        struct cfcnfg_phyinfo *phy;
-                if (cnfg->phy_layers[i].id == i &&
-                     cnfg->phy_layers[i].pref == phy_pref &&
+        list_for_each_entry_rcu(phy, &cnfg->phys, node) {
-                     cnfg->phy_layers[i].frm_layer != NULL) {
+                if (phy->up && phy->pref == phy_pref &&
-                        caif_assert(cnfg->phy_layers != NULL);
+                                phy->frm_layer != NULL)
-                        caif_assert(cnfg->phy_layers[i].id == i);
-                        return &cnfg->phy_layers[i].dev_info;
+                        return &phy->dev_info;
-                }
        }
        /* Otherwise just return something */
-        for (i = 1; i < MAX_PHY_LAYERS; i++) {
+        list_for_each_entry_rcu(phy, &cnfg->phys, node)
-                if (cnfg->phy_layers[i].id == i) {
+                if (phy->up)
-                        caif_assert(cnfg->phy_layers != NULL);
+                        return &phy->dev_info;
-                        caif_assert(cnfg->phy_layers[i].id == i);
-                        return &cnfg->phy_layers[i].dev_info;
-                }
-        }
        return NULL;
 }
-static struct cfcnfg_phyinfo *cfcnfg_get_phyinfo(struct cfcnfg *cnfg,
+static int cfcnfg_get_id_from_ifi(struct cfcnfg *cnfg, int ifi)
-                                                        u8 phyid)
 {
-        int i;
+        struct cfcnfg_phyinfo *phy;
-        /* Try to match with specified preference */
-        for (i = 0; i < MAX_PHY_LAYERS; i++)
-                if (cnfg->phy_layers[i].frm_layer != NULL &&
-                    cnfg->phy_layers[i].id == phyid)
-                        return &cnfg->phy_layers[i];
-        return NULL;
-}
-int cfcnfg_get_id_from_ifi(struct cfcnfg *cnfg, int ifi)
+        list_for_each_entry_rcu(phy, &cnfg->phys, node)
-{
+                if (phy->ifindex == ifi && phy->up)
-        int i;
+                        return phy->id;
-        for (i = 0; i < MAX_PHY_LAYERS; i++)
-                if (cnfg->phy_layers[i].frm_layer != NULL &&
-                                cnfg->phy_layers[i].ifindex == ifi)
-                        return i;
        return -ENODEV;
 }
-int cfcnfg_disconn_adapt_layer(struct cfcnfg *cnfg, struct cflayer *adap_layer)
+int caif_disconnect_client(struct net *net, struct cflayer *adap_layer)
 {
        u8 channel_id = 0;
        int ret = 0;
        struct cflayer *servl = NULL;
-        struct cfcnfg_phyinfo *phyinfo = NULL;
+        struct cfcnfg *cfg = get_cfcnfg(net);
-        u8 phyid = 0;
        caif_assert(adap_layer != NULL);
        channel_id = adap_layer->id;
        if (adap_layer->dn == NULL || channel_id == 0) {
                pr_err("adap_layer->dn == NULL or adap_layer->id is 0\n");
                ret = -ENOTCONN;
                goto end;
        }
-        servl = cfmuxl_remove_uplayer(cnfg->mux, channel_id);
+        servl = cfmuxl_remove_uplayer(cfg->mux, channel_id);
        if (servl == NULL) {
-                pr_err("PROTOCOL ERROR - Error removing service_layer Channel_Id(%d)",
+                pr_err("PROTOCOL ERROR - "
-                       channel_id);
+                                "Error removing service_layer Channel_Id(%d)",
+                                channel_id);
                ret = -EINVAL;
                goto end;
        }
-        layer_set_up(servl, NULL);
-        ret = cfctrl_linkdown_req(cnfg->ctrl, channel_id, adap_layer);
+        ret = cfctrl_linkdown_req(cfg->ctrl, channel_id, adap_layer);
-        if (ret)
-                goto end;
-        caif_assert(channel_id == servl->id);
-        if (adap_layer->dn != NULL) {
-                phyid = cfsrvl_getphyid(adap_layer->dn);
-                phyinfo = cfcnfg_get_phyinfo(cnfg, phyid);
-                if (phyinfo == NULL) {
-                        pr_warn("No interface to send disconnect to\n");
-                        ret = -ENODEV;
-                        goto end;
-                }
-                if (phyinfo->id != phyid ||
-                        phyinfo->phy_layer->id != phyid ||
-                        phyinfo->frm_layer->id != phyid) {
-                        pr_err("Inconsistency in phy registration\n");
-                        ret = -EINVAL;
-                        goto end;
-                }
-        }
-        if (phyinfo != NULL && --phyinfo->phy_ref_count == 0 &&
-                phyinfo->phy_layer != NULL &&
-                phyinfo->phy_layer->modemcmd != NULL) {
-                phyinfo->phy_layer->modemcmd(phyinfo->phy_layer,
-                                             _CAIF_MODEMCMD_PHYIF_USELESS);
-        }
 end:
-        cfsrvl_put(servl);
+        cfctrl_cancel_req(cfg->ctrl, adap_layer);
-        cfctrl_cancel_req(cnfg->ctrl, adap_layer);
+        /* Do RCU sync before initiating cleanup */
+        synchronize_rcu();
        if (adap_layer->ctrlcmd != NULL)
                adap_layer->ctrlcmd(adap_layer, CAIF_CTRLCMD_DEINIT_RSP, 0);
        return ret;
 }
-EXPORT_SYMBOL(cfcnfg_disconn_adapt_layer);
+EXPORT_SYMBOL(caif_disconnect_client);
-void cfcnfg_release_adap_layer(struct cflayer *adap_layer)
-{
-        if (adap_layer->dn)
-                cfsrvl_put(adap_layer->dn);
-}
-EXPORT_SYMBOL(cfcnfg_release_adap_layer);
 static void cfcnfg_linkdestroy_rsp(struct cflayer *layer, u8 channel_id)
 {
 }
-int protohead[CFCTRL_SRV_MASK] = {
+static const int protohead[CFCTRL_SRV_MASK] = {
        [CFCTRL_SRV_VEI] = 4,
        [CFCTRL_SRV_DATAGRAM] = 7,
        [CFCTRL_SRV_UTIL] = 4,
@@ -263,49 +231,157 @@ int protohead[CFCTRL_SRV_MASK] = {
        [CFCTRL_SRV_DBG] = 3,
 };
-int cfcnfg_add_adaptation_layer(struct cfcnfg *cnfg,
-                                struct cfctrl_link_param *param,
+static int caif_connect_req_to_link_param(struct cfcnfg *cnfg,
-                                struct cflayer *adap_layer,
+                                   struct caif_connect_request *s,
-                                int *ifindex,
+                                   struct cfctrl_link_param *l)
+{
+        struct dev_info *dev_info;
+        enum cfcnfg_phy_preference pref;
+        int res;
+        memset(l, 0, sizeof(*l));
+        /* In caif protocol low value is high priority */
+        l->priority = CAIF_PRIO_MAX - s->priority + 1;
+        if (s->ifindex != 0) {
+                res = cfcnfg_get_id_from_ifi(cnfg, s->ifindex);
+                if (res < 0)
+                        return res;
+                l->phyid = res;
+        } else {
+                switch (s->link_selector) {
+                case CAIF_LINK_HIGH_BANDW:
+                        pref = CFPHYPREF_HIGH_BW;
+                        break;
+                case CAIF_LINK_LOW_LATENCY:
+                        pref = CFPHYPREF_LOW_LAT;
+                        break;
+                default:
+                        return -EINVAL;
+                }
+                dev_info = cfcnfg_get_phyid(cnfg, pref);
+                if (dev_info == NULL)
+                        return -ENODEV;
+                l->phyid = dev_info->id;
+        }
+        switch (s->protocol) {
+        case CAIFPROTO_AT:
+                l->linktype = CFCTRL_SRV_VEI;
+                l->endpoint = (s->sockaddr.u.at.type >> 2) & 0x3;
+                l->chtype = s->sockaddr.u.at.type & 0x3;
+                break;
+        case CAIFPROTO_DATAGRAM:
+                l->linktype = CFCTRL_SRV_DATAGRAM;
+                l->chtype = 0x00;
+                l->u.datagram.connid = s->sockaddr.u.dgm.connection_id;
+                break;
+        case CAIFPROTO_DATAGRAM_LOOP:
+                l->linktype = CFCTRL_SRV_DATAGRAM;
+                l->chtype = 0x03;
+                l->endpoint = 0x00;
+                l->u.datagram.connid = s->sockaddr.u.dgm.connection_id;
+                break;
+        case CAIFPROTO_RFM:
+                l->linktype = CFCTRL_SRV_RFM;
+                l->u.datagram.connid = s->sockaddr.u.rfm.connection_id;
+                strncpy(l->u.rfm.volume, s->sockaddr.u.rfm.volume,
+                        sizeof(l->u.rfm.volume)-1);
+                l->u.rfm.volume[sizeof(l->u.rfm.volume)-1] = 0;
+                break;
+        case CAIFPROTO_UTIL:
+                l->linktype = CFCTRL_SRV_UTIL;
+                l->endpoint = 0x00;
+                l->chtype = 0x00;
+                strncpy(l->u.utility.name, s->sockaddr.u.util.service,
+                        sizeof(l->u.utility.name)-1);
+                l->u.utility.name[sizeof(l->u.utility.name)-1] = 0;
+                caif_assert(sizeof(l->u.utility.name) > 10);
+                l->u.utility.paramlen = s->param.size;
+                if (l->u.utility.paramlen > sizeof(l->u.utility.params))
+                        l->u.utility.paramlen = sizeof(l->u.utility.params);
+                memcpy(l->u.utility.params, s->param.data,
+                       l->u.utility.paramlen);
+                break;
+        case CAIFPROTO_DEBUG:
+                l->linktype = CFCTRL_SRV_DBG;
+                l->endpoint = s->sockaddr.u.dbg.service;
+                l->chtype = s->sockaddr.u.dbg.type;
+                break;
+        default:
+                return -EINVAL;
+        }
+        return 0;
+}
+int caif_connect_client(struct net *net, struct caif_connect_request *conn_req,
+                        struct cflayer *adap_layer, int *ifindex,
                                int *proto_head,
                                int *proto_tail)
 {
        struct cflayer *frml;
+        struct cfcnfg_phyinfo *phy;
+        int err;
+        struct cfctrl_link_param param;
+        struct cfcnfg *cfg = get_cfcnfg(net);
+        caif_assert(cfg != NULL);
+        rcu_read_lock();
+        err = caif_connect_req_to_link_param(cfg, conn_req, &param);
+        if (err)
+                goto unlock;
+        phy = cfcnfg_get_phyinfo_rcu(cfg, param.phyid);
+        if (!phy) {
+                err = -ENODEV;
+                goto unlock;
+        }
+        err = -EINVAL;
        if (adap_layer == NULL) {
                pr_err("adap_layer is zero\n");
-                return -EINVAL;
+                goto unlock;
        }
        if (adap_layer->receive == NULL) {
                pr_err("adap_layer->receive is NULL\n");
-                return -EINVAL;
+                goto unlock;
        }
        if (adap_layer->ctrlcmd == NULL) {
                pr_err("adap_layer->ctrlcmd == NULL\n");
-                return -EINVAL;
+                goto unlock;
        }
-        frml = cnfg->phy_layers[param->phyid].frm_layer;
+        err = -ENODEV;
+        frml = phy->frm_layer;
        if (frml == NULL) {
                pr_err("Specified PHY type does not exist!\n");
-                return -ENODEV;
+                goto unlock;
        }
-        caif_assert(param->phyid == cnfg->phy_layers[param->phyid].id);
+        caif_assert(param.phyid == phy->id);
-        caif_assert(cnfg->phy_layers[param->phyid].frm_layer->id ==
+        caif_assert(phy->frm_layer->id ==
-                     param->phyid);
+                     param.phyid);
-        caif_assert(cnfg->phy_layers[param->phyid].phy_layer->id ==
+        caif_assert(phy->phy_layer->id ==
-                     param->phyid);
+                     param.phyid);
-        *ifindex = cnfg->phy_layers[param->phyid].ifindex;
+        *ifindex = phy->ifindex;
+        *proto_tail = 2;
        *proto_head =
-                protohead[param->linktype]+
-                (cnfg->phy_layers[param->phyid].use_stx ? 1 : 0);
-        *proto_tail = 2;
+        protohead[param.linktype] + (phy->use_stx ? 1 : 0);
+        rcu_read_unlock();
        /* FIXME: ENUMERATE INITIALLY WHEN ACTIVATING PHYSICAL INTERFACE */
-        cfctrl_enum_req(cnfg->ctrl, param->phyid);
+        cfctrl_enum_req(cfg->ctrl, param.phyid);
-        return cfctrl_linkup_request(cnfg->ctrl, param, adap_layer);
+        return cfctrl_linkup_request(cfg->ctrl, &param, adap_layer);
+unlock:
+        rcu_read_unlock();
+        return err;
 }
-EXPORT_SYMBOL(cfcnfg_add_adaptation_layer);
+EXPORT_SYMBOL(caif_connect_client);
 static void cfcnfg_reject_rsp(struct cflayer *layer, u8 channel_id,
                             struct cflayer *adapt_layer)
@@ -317,32 +393,37 @@ static void cfcnfg_reject_rsp(struct cflayer *layer, u8 channel_id,
 static void
 cfcnfg_linkup_rsp(struct cflayer *layer, u8 channel_id, enum cfctrl_srv serv,
-                 u8 phyid, struct cflayer *adapt_layer)
+                  u8 phyid, struct cflayer *adapt_layer)
 {
        struct cfcnfg *cnfg = container_obj(layer);
        struct cflayer *servicel = NULL;
        struct cfcnfg_phyinfo *phyinfo;
        struct net_device *netdev;
+        rcu_read_lock();
        if (adapt_layer == NULL) {
-                pr_debug("link setup response but no client exist, send linkdown back\n");
+                pr_debug("link setup response but no client exist,"
+                                "send linkdown back\n");
                cfctrl_linkdown_req(cnfg->ctrl, channel_id, NULL);
-                return;
+                goto unlock;
        }
        caif_assert(cnfg != NULL);
        caif_assert(phyid != 0);
-        phyinfo = &cnfg->phy_layers[phyid];
+        phyinfo = cfcnfg_get_phyinfo_rcu(cnfg, phyid);
+        if (phyinfo == NULL) {
+                pr_err("ERROR: Link Layer Device dissapeared"
+                                "while connecting\n");
+                goto unlock;
+        }
+        caif_assert(phyinfo != NULL);
        caif_assert(phyinfo->id == phyid);
        caif_assert(phyinfo->phy_layer != NULL);
        caif_assert(phyinfo->phy_layer->id == phyid);
-        phyinfo->phy_ref_count++;
-        if (phyinfo->phy_ref_count == 1 &&
-            phyinfo->phy_layer->modemcmd != NULL) {
-                phyinfo->phy_layer->modemcmd(phyinfo->phy_layer,
-                                             _CAIF_MODEMCMD_PHYIF_USEFULL);
-        }
        adapt_layer->id = channel_id;
        switch (serv) {
@@ -350,7 +431,8 @@ cfcnfg_linkup_rsp(struct cflayer *layer, u8 channel_id, enum cfctrl_srv serv,
                servicel = cfvei_create(channel_id, &phyinfo->dev_info);
                break;
        case CFCTRL_SRV_DATAGRAM:
-                servicel = cfdgml_create(channel_id, &phyinfo->dev_info);
+                servicel = cfdgml_create(channel_id,
+                                        &phyinfo->dev_info);
                break;
        case CFCTRL_SRV_RFM:
                netdev = phyinfo->dev_info.dev;
@@ -367,94 +449,93 @@ cfcnfg_linkup_rsp(struct cflayer *layer, u8 channel_id, enum cfctrl_srv serv,
                servicel = cfdbgl_create(channel_id, &phyinfo->dev_info);
                break;
        default:
-                pr_err("Protocol error. Link setup response - unknown channel type\n");
+                pr_err("Protocol error. Link setup response "
-                return;
+                                "- unknown channel type\n");
+                goto unlock;
        }
        if (!servicel) {
                pr_warn("Out of memory\n");
-                return;
+                goto unlock;
        }
        layer_set_dn(servicel, cnfg->mux);
        cfmuxl_set_uplayer(cnfg->mux, servicel, channel_id);
        layer_set_up(servicel, adapt_layer);
        layer_set_dn(adapt_layer, servicel);
-        cfsrvl_get(servicel);
+        rcu_read_unlock();
        servicel->ctrlcmd(servicel, CAIF_CTRLCMD_INIT_RSP, 0);
+        return;
+unlock:
+        rcu_read_unlock();
 }
 void
 cfcnfg_add_phy_layer(struct cfcnfg *cnfg, enum cfcnfg_phy_type phy_type,
                     struct net_device *dev, struct cflayer *phy_layer,
-                     u16 *phyid, enum cfcnfg_phy_preference pref,
+                     enum cfcnfg_phy_preference pref,
                     bool fcs, bool stx)
 {
        struct cflayer *frml;
        struct cflayer *phy_driver = NULL;
+        struct cfcnfg_phyinfo *phyinfo;
        int i;
+        u8 phyid;
+        mutex_lock(&cnfg->lock);
-        if (cnfg->phy_layers[cnfg->last_phyid].frm_layer == NULL) {
+        /* CAIF protocol allow maximum 6 link-layers */
-                *phyid = cnfg->last_phyid;
+        for (i = 0; i < 7; i++) {
+                phyid = (dev->ifindex + i) & 0x7;
-                /* range: * 1..(MAX_PHY_LAYERS-1) */
+                if (phyid == 0)
-                cnfg->last_phyid =
+                        continue;
-                    (cnfg->last_phyid % (MAX_PHY_LAYERS - 1)) + 1;
+                if (cfcnfg_get_phyinfo_rcu(cnfg, phyid) == NULL)
-        } else {
+                        goto got_phyid;
-                *phyid = 0;
-                for (i = 1; i < MAX_PHY_LAYERS; i++) {
-                        if (cnfg->phy_layers[i].frm_layer == NULL) {
-                                *phyid = i;
-                                break;
-                        }
-                }
-        }
-        if (*phyid == 0) {
-                pr_err("No Available PHY ID\n");
-                return;
        }
+        pr_warn("Too many CAIF Link Layers (max 6)\n");
+        goto out;
+got_phyid:
+        phyinfo = kzalloc(sizeof(struct cfcnfg_phyinfo), GFP_ATOMIC);
        switch (phy_type) {
        case CFPHYTYPE_FRAG:
                phy_driver =
-                    cfserl_create(CFPHYTYPE_FRAG, *phyid, stx);
+                    cfserl_create(CFPHYTYPE_FRAG, phyid, stx);
                if (!phy_driver) {
                        pr_warn("Out of memory\n");
-                        return;
+                        goto out;
                }
                break;
        case CFPHYTYPE_CAIF:
                phy_driver = NULL;
                break;
        default:
-                pr_err("%d\n", phy_type);
+                goto out;
-                return;
-                break;
        }
+        phy_layer->id = phyid;
-        phy_layer->id = *phyid;
+        phyinfo->pref = pref;
-        cnfg->phy_layers[*phyid].pref = pref;
+        phyinfo->id = phyid;
-        cnfg->phy_layers[*phyid].id = *phyid;
+        phyinfo->dev_info.id = phyid;
-        cnfg->phy_layers[*phyid].dev_info.id = *phyid;
+        phyinfo->dev_info.dev = dev;
-        cnfg->phy_layers[*phyid].dev_info.dev = dev;
+        phyinfo->phy_layer = phy_layer;
-        cnfg->phy_layers[*phyid].phy_layer = phy_layer;
+        phyinfo->ifindex = dev->ifindex;
-        cnfg->phy_layers[*phyid].phy_ref_count = 0;
+        phyinfo->use_stx = stx;
-        cnfg->phy_layers[*phyid].ifindex = dev->ifindex;
+        phyinfo->use_fcs = fcs;
-        cnfg->phy_layers[*phyid].use_stx = stx;
-        cnfg->phy_layers[*phyid].use_fcs = fcs;
        phy_layer->type = phy_type;
-        frml = cffrml_create(*phyid, fcs);
+        frml = cffrml_create(phyid, fcs);
        if (!frml) {
                pr_warn("Out of memory\n");
-                return;
+                kfree(phyinfo);
+                goto out;
        }
-        cnfg->phy_layers[*phyid].frm_layer = frml;
+        phyinfo->frm_layer = frml;
-        cfmuxl_set_dnlayer(cnfg->mux, frml, *phyid);
        layer_set_up(frml, cnfg->mux);
        if (phy_driver != NULL) {
-                phy_driver->id = *phyid;
+                phy_driver->id = phyid;
                layer_set_dn(frml, phy_driver);
                layer_set_up(phy_driver, frml);
                layer_set_dn(phy_driver, phy_layer);
@@ -463,33 +544,95 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg, enum cfcnfg_phy_type phy_type,
                layer_set_dn(frml, phy_layer);
                layer_set_up(phy_layer, frml);
        }
+        list_add_rcu(&phyinfo->node, &cnfg->phys);
+out:
+        mutex_unlock(&cnfg->lock);
 }
 EXPORT_SYMBOL(cfcnfg_add_phy_layer);
+int cfcnfg_set_phy_state(struct cfcnfg *cnfg, struct cflayer *phy_layer,
+                bool up)
+{
+        struct cfcnfg_phyinfo *phyinfo;
+        rcu_read_lock();
+        phyinfo = cfcnfg_get_phyinfo_rcu(cnfg, phy_layer->id);
+        if (phyinfo == NULL) {
+                rcu_read_unlock();
+                return -ENODEV;
+        }
+        if (phyinfo->up == up) {
+                rcu_read_unlock();
+                return 0;
+        }
+        phyinfo->up = up;
+        if (up) {
+                cffrml_hold(phyinfo->frm_layer);
+                cfmuxl_set_dnlayer(cnfg->mux, phyinfo->frm_layer,
+                                        phy_layer->id);
+        } else {
+                cfmuxl_remove_dnlayer(cnfg->mux, phy_layer->id);
+                cffrml_put(phyinfo->frm_layer);
+        }
+        rcu_read_unlock();
+        return 0;
+}
+EXPORT_SYMBOL(cfcnfg_set_phy_state);
 int cfcnfg_del_phy_layer(struct cfcnfg *cnfg, struct cflayer *phy_layer)
 {
        struct cflayer *frml, *frml_dn;
        u16 phyid;
+        struct cfcnfg_phyinfo *phyinfo;
+        might_sleep();
+        mutex_lock(&cnfg->lock);
        phyid = phy_layer->id;
-        caif_assert(phyid == cnfg->phy_layers[phyid].id);
+        phyinfo = cfcnfg_get_phyinfo_rcu(cnfg, phyid);
-        caif_assert(phy_layer == cnfg->phy_layers[phyid].phy_layer);
+        if (phyinfo == NULL) {
+                mutex_unlock(&cnfg->lock);
+                return 0;
+        }
+        caif_assert(phyid == phyinfo->id);
+        caif_assert(phy_layer == phyinfo->phy_layer);
        caif_assert(phy_layer->id == phyid);
-        caif_assert(cnfg->phy_layers[phyid].frm_layer->id == phyid);
+        caif_assert(phyinfo->frm_layer->id == phyid);
-        memset(&cnfg->phy_layers[phy_layer->id], 0,
+        list_del_rcu(&phyinfo->node);
-               sizeof(struct cfcnfg_phyinfo));
+        synchronize_rcu();
-        frml = cfmuxl_remove_dnlayer(cnfg->mux, phy_layer->id);
+        /* Fail if reference count is not zero */
+        if (cffrml_refcnt_read(phyinfo->frm_layer) != 0) {
+                pr_info("Wait for device inuse\n");
+                list_add_rcu(&phyinfo->node, &cnfg->phys);
+                mutex_unlock(&cnfg->lock);
+                return -EAGAIN;
+        }
+        frml = phyinfo->frm_layer;
        frml_dn = frml->dn;
        cffrml_set_uplayer(frml, NULL);
        cffrml_set_dnlayer(frml, NULL);
-        kfree(frml);
        if (phy_layer != frml_dn) {
                layer_set_up(frml_dn, NULL);
                layer_set_dn(frml_dn, NULL);
-                kfree(frml_dn);
        }
        layer_set_up(phy_layer, NULL);
+        if (phyinfo->phy_layer != frml_dn)
+                kfree(frml_dn);
+        cffrml_free(frml);
+        kfree(phyinfo);
+        mutex_unlock(&cnfg->lock);
        return 0;
 }
 EXPORT_SYMBOL(cfcnfg_del_phy_layer);
diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
index 3cd8f978e309..0c00a6015dda 100644
--- a/net/caif/cfctrl.c
+++ b/net/caif/cfctrl.c
@@ -17,7 +17,6 @@
 #define UTILITY_NAME_LENGTH 16
 #define CFPKT_CTRL_PKT_LEN 20
 #ifdef CAIF_NO_LOOP
 static int handle_loop(struct cfctrl *ctrl,
                              int cmd, struct cfpkt *pkt){
@@ -51,14 +50,31 @@ struct cflayer *cfctrl_create(void)
        this->serv.layer.receive = cfctrl_recv;
        sprintf(this->serv.layer.name, "ctrl");
        this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
+#ifndef CAIF_NO_LOOP
        spin_lock_init(&this->loop_linkid_lock);
+        this->loop_linkid = 1;
+#endif
        spin_lock_init(&this->info_list_lock);
        INIT_LIST_HEAD(&this->list);
-        this->loop_linkid = 1;
        return &this->serv.layer;
 }
-static bool param_eq(struct cfctrl_link_param *p1, struct cfctrl_link_param *p2)
+void cfctrl_remove(struct cflayer *layer)
+{
+        struct cfctrl_request_info *p, *tmp;
+        struct cfctrl *ctrl = container_obj(layer);
+        spin_lock_bh(&ctrl->info_list_lock);
+        list_for_each_entry_safe(p, tmp, &ctrl->list, list) {
+                list_del(&p->list);
+                kfree(p);
+        }
+        spin_unlock_bh(&ctrl->info_list_lock);
+        kfree(layer);
+}
+static bool param_eq(const struct cfctrl_link_param *p1,
+                        const struct cfctrl_link_param *p2)
 {
        bool eq =
            p1->linktype == p2->linktype &&
@@ -100,8 +116,8 @@ static bool param_eq(struct cfctrl_link_param *p1, struct cfctrl_link_param *p2)
        return false;
 }
-bool cfctrl_req_eq(struct cfctrl_request_info *r1,
+static bool cfctrl_req_eq(const struct cfctrl_request_info *r1,
-                   struct cfctrl_request_info *r2)
+                          const struct cfctrl_request_info *r2)
 {
        if (r1->cmd != r2->cmd)
                return false;
@@ -112,23 +128,22 @@ bool cfctrl_req_eq(struct cfctrl_request_info *r1,
 }
 /* Insert request at the end */
-void cfctrl_insert_req(struct cfctrl *ctrl,
+static void cfctrl_insert_req(struct cfctrl *ctrl,
                              struct cfctrl_request_info *req)
 {
-        spin_lock(&ctrl->info_list_lock);
+        spin_lock_bh(&ctrl->info_list_lock);
        atomic_inc(&ctrl->req_seq_no);
        req->sequence_no = atomic_read(&ctrl->req_seq_no);
        list_add_tail(&req->list, &ctrl->list);
-        spin_unlock(&ctrl->info_list_lock);
+        spin_unlock_bh(&ctrl->info_list_lock);
 }
 /* Compare and remove request */
-struct cfctrl_request_info *cfctrl_remove_req(struct cfctrl *ctrl,
+static struct cfctrl_request_info *cfctrl_remove_req(struct cfctrl *ctrl,
-                                              struct cfctrl_request_info *req)
+                                                struct cfctrl_request_info *req)
 {
        struct cfctrl_request_info *p, *tmp, *first;
-        spin_lock(&ctrl->info_list_lock);
        first = list_first_entry(&ctrl->list, struct cfctrl_request_info, list);
        list_for_each_entry_safe(p, tmp, &ctrl->list, list) {
@@ -144,7 +159,6 @@ struct cfctrl_request_info *cfctrl_remove_req(struct cfctrl *ctrl,
        }
        p = NULL;
 out:
-        spin_unlock(&ctrl->info_list_lock);
        return p;
 }
@@ -154,16 +168,6 @@ struct cfctrl_rsp *cfctrl_get_respfuncs(struct cflayer *layer)
        return &this->res;
 }
-void cfctrl_set_dnlayer(struct cflayer *this, struct cflayer *dn)
-{
-        this->dn = dn;
-}
-void cfctrl_set_uplayer(struct cflayer *this, struct cflayer *up)
-{
-        this->up = up;
-}
 static void init_info(struct caif_payload_info *info, struct cfctrl *cfctrl)
 {
        info->hdr_len = 0;
@@ -188,10 +192,6 @@ void cfctrl_enum_req(struct cflayer *layer, u8 physlinkid)
        cfpkt_addbdy(pkt, physlinkid);
        ret =
            cfctrl->serv.layer.dn->transmit(cfctrl->serv.layer.dn, pkt);
-        if (ret < 0) {
-                pr_err("Could not transmit enum message\n");
-                cfpkt_destroy(pkt);
-        }
 }
 int cfctrl_linkup_request(struct cflayer *layer,
@@ -205,14 +205,23 @@ int cfctrl_linkup_request(struct cflayer *layer,
        struct cfctrl_request_info *req;
        int ret;
        char utility_name[16];
-        struct cfpkt *pkt = cfpkt_create(CFPKT_CTRL_PKT_LEN);
+        struct cfpkt *pkt;
+        if (cfctrl_cancel_req(layer, user_layer) > 0) {
+                /* Slight Paranoia, check if already connecting */
+                pr_err("Duplicate connect request for same client\n");
+                WARN_ON(1);
+                return -EALREADY;
+        }
+        pkt = cfpkt_create(CFPKT_CTRL_PKT_LEN);
        if (!pkt) {
                pr_warn("Out of memory\n");
                return -ENOMEM;
        }
        cfpkt_addbdy(pkt, CFCTRL_CMD_LINK_SETUP);
-        cfpkt_addbdy(pkt, (param->chtype << 4) + param->linktype);
+        cfpkt_addbdy(pkt, (param->chtype << 4) | param->linktype);
-        cfpkt_addbdy(pkt, (param->priority << 3) + param->phyid);
+        cfpkt_addbdy(pkt, (param->priority << 3) | param->phyid);
        cfpkt_addbdy(pkt, param->endpoint & 0x03);
        switch (param->linktype) {
@@ -275,9 +284,13 @@ int cfctrl_linkup_request(struct cflayer *layer,
        ret =
            cfctrl->serv.layer.dn->transmit(cfctrl->serv.layer.dn, pkt);
        if (ret < 0) {
-                pr_err("Could not transmit linksetup request\n");
+                int count;
-                cfpkt_destroy(pkt);
-                return -ENODEV;
+                count = cfctrl_cancel_req(&cfctrl->serv.layer,
+                                                user_layer);
+                if (count != 1)
+                        pr_err("Could not remove request (%d)", count);
+                        return -ENODEV;
        }
        return 0;
 }
@@ -297,80 +310,29 @@ int cfctrl_linkdown_req(struct cflayer *layer, u8 channelid,
        init_info(cfpkt_info(pkt), cfctrl);
        ret =
            cfctrl->serv.layer.dn->transmit(cfctrl->serv.layer.dn, pkt);
-        if (ret < 0) {
+#ifndef CAIF_NO_LOOP
-                pr_err("Could not transmit link-down request\n");
+        cfctrl->loop_linkused[channelid] = 0;
-                cfpkt_destroy(pkt);
+#endif
-        }
        return ret;
 }
-void cfctrl_sleep_req(struct cflayer *layer)
+int cfctrl_cancel_req(struct cflayer *layr, struct cflayer *adap_layer)
-{
-        int ret;
-        struct cfctrl *cfctrl = container_obj(layer);
-        struct cfpkt *pkt = cfpkt_create(CFPKT_CTRL_PKT_LEN);
-        if (!pkt) {
-                pr_warn("Out of memory\n");
-                return;
-        }
-        cfpkt_addbdy(pkt, CFCTRL_CMD_SLEEP);
-        init_info(cfpkt_info(pkt), cfctrl);
-        ret =
-            cfctrl->serv.layer.dn->transmit(cfctrl->serv.layer.dn, pkt);
-        if (ret < 0)
-                cfpkt_destroy(pkt);
-}
-void cfctrl_wake_req(struct cflayer *layer)
-{
-        int ret;
-        struct cfctrl *cfctrl = container_obj(layer);
-        struct cfpkt *pkt = cfpkt_create(CFPKT_CTRL_PKT_LEN);
-        if (!pkt) {
-                pr_warn("Out of memory\n");
-                return;
-        }
-        cfpkt_addbdy(pkt, CFCTRL_CMD_WAKE);
-        init_info(cfpkt_info(pkt), cfctrl);
-        ret =
-            cfctrl->serv.layer.dn->transmit(cfctrl->serv.layer.dn, pkt);
-        if (ret < 0)
-                cfpkt_destroy(pkt);
-}
-void cfctrl_getstartreason_req(struct cflayer *layer)
-{
-        int ret;
-        struct cfctrl *cfctrl = container_obj(layer);
-        struct cfpkt *pkt = cfpkt_create(CFPKT_CTRL_PKT_LEN);
-        if (!pkt) {
-                pr_warn("Out of memory\n");
-                return;
-        }
-        cfpkt_addbdy(pkt, CFCTRL_CMD_START_REASON);
-        init_info(cfpkt_info(pkt), cfctrl);
-        ret =
-            cfctrl->serv.layer.dn->transmit(cfctrl->serv.layer.dn, pkt);
-        if (ret < 0)
-                cfpkt_destroy(pkt);
-}
-void cfctrl_cancel_req(struct cflayer *layr, struct cflayer *adap_layer)
 {
        struct cfctrl_request_info *p, *tmp;
        struct cfctrl *ctrl = container_obj(layr);
-        spin_lock(&ctrl->info_list_lock);
+        int found = 0;
+        spin_lock_bh(&ctrl->info_list_lock);
        list_for_each_entry_safe(p, tmp, &ctrl->list, list) {
                if (p->client_layer == adap_layer) {
-                        pr_debug("cancel req :%d\n", p->sequence_no);
                        list_del(&p->list);
                        kfree(p);
+                        found++;
                }
        }
-        spin_unlock(&ctrl->info_list_lock);
+        spin_unlock_bh(&ctrl->info_list_lock);
+        return found;
 }
 static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
@@ -522,6 +484,7 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
                        rsp.cmd = cmd;
                        rsp.param = linkparam;
+                        spin_lock_bh(&cfctrl->info_list_lock);
                        req = cfctrl_remove_req(cfctrl, &rsp);
                        if (CFCTRL_ERR_BIT == (CFCTRL_ERR_BIT & cmdrsp) ||
@@ -541,6 +504,8 @@ static int cfctrl_recv(struct cflayer *layer, struct cfpkt *pkt)
                        if (req != NULL)
                                kfree(req);
+                        spin_unlock_bh(&cfctrl->info_list_lock);
                }
                break;
        case CFCTRL_CMD_LINK_DESTROY:
@@ -584,12 +549,29 @@ static void cfctrl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
        switch (ctrl) {
        case _CAIF_CTRLCMD_PHYIF_FLOW_OFF_IND:
        case CAIF_CTRLCMD_FLOW_OFF_IND:
-                spin_lock(&this->info_list_lock);
+                spin_lock_bh(&this->info_list_lock);
                if (!list_empty(&this->list)) {
                        pr_debug("Received flow off in control layer\n");
                }
-                spin_unlock(&this->info_list_lock);
+                spin_unlock_bh(&this->info_list_lock);
                break;
+        case _CAIF_CTRLCMD_PHYIF_DOWN_IND: {
+                struct cfctrl_request_info *p, *tmp;
+                /* Find all connect request and report failure */
+                spin_lock_bh(&this->info_list_lock);
+                list_for_each_entry_safe(p, tmp, &this->list, list) {
+                        if (p->param.phyid == phyid) {
+                                list_del(&p->list);
+                                p->client_layer->ctrlcmd(p->client_layer,
+                                                CAIF_CTRLCMD_INIT_FAIL_RSP,
+                                                phyid);
+                                kfree(p);
+                        }
+                }
+                spin_unlock_bh(&this->info_list_lock);
+                break;
+        }
        default:
                break;
        }
@@ -599,27 +581,33 @@ static void cfctrl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
 static int handle_loop(struct cfctrl *ctrl, int cmd, struct cfpkt *pkt)
 {
        static int last_linkid;
+        static int dec;
        u8 linkid, linktype, tmp;
        switch (cmd) {
        case CFCTRL_CMD_LINK_SETUP:
-                spin_lock(&ctrl->loop_linkid_lock);
+                spin_lock_bh(&ctrl->loop_linkid_lock);
-                for (linkid = last_linkid + 1; linkid < 255; linkid++)
+                if (!dec) {
-                        if (!ctrl->loop_linkused[linkid])
+                        for (linkid = last_linkid + 1; linkid < 255; linkid++)
-                                goto found;
+                                if (!ctrl->loop_linkused[linkid])
+                                        goto found;
+                }
+                dec = 1;
                for (linkid = last_linkid - 1; linkid > 0; linkid--)
                        if (!ctrl->loop_linkused[linkid])
                                goto found;
-                spin_unlock(&ctrl->loop_linkid_lock);
+                spin_unlock_bh(&ctrl->loop_linkid_lock);
-                pr_err("Out of link-ids\n");
-                return -EINVAL;
 found:
+                if (linkid < 10)
+                        dec = 0;
                if (!ctrl->loop_linkused[linkid])
                        ctrl->loop_linkused[linkid] = 1;
                last_linkid = linkid;
                cfpkt_add_trail(pkt, &linkid, 1);
-                spin_unlock(&ctrl->loop_linkid_lock);
+                spin_unlock_bh(&ctrl->loop_linkid_lock);
                cfpkt_peek_head(pkt, &linktype, 1);
                if (linktype ==  CFCTRL_SRV_UTIL) {
                        tmp = 0x01;
@@ -629,10 +617,10 @@ found:
                break;
        case CFCTRL_CMD_LINK_DESTROY:
-                spin_lock(&ctrl->loop_linkid_lock);
+                spin_lock_bh(&ctrl->loop_linkid_lock);
                cfpkt_peek_head(pkt, &linkid, 1);
                ctrl->loop_linkused[linkid] = 0;
-                spin_unlock(&ctrl->loop_linkid_lock);
+                spin_unlock_bh(&ctrl->loop_linkid_lock);
                break;
        default:
                break;
diff --git a/net/caif/cfdgml.c b/net/caif/cfdgml.c
index d3ed264ad6c4..0382dec84fdc 100644
--- a/net/caif/cfdgml.c
+++ b/net/caif/cfdgml.c
@@ -13,12 +13,12 @@
 #include <net/caif/cfsrvl.h>
 #include <net/caif/cfpkt.h>
 #define container_obj(layr) ((struct cfsrvl *) layr)
 #define DGM_CMD_BIT  0x80
 #define DGM_FLOW_OFF 0x81
 #define DGM_FLOW_ON  0x80
-#define DGM_CTRL_PKT_SIZE 1
 #define DGM_MTU 1500
 static int cfdgml_receive(struct cflayer *layr, struct cfpkt *pkt);
@@ -84,6 +84,7 @@ static int cfdgml_receive(struct cflayer *layr, struct cfpkt *pkt)
 static int cfdgml_transmit(struct cflayer *layr, struct cfpkt *pkt)
 {
+        u8 packet_type;
        u32 zero = 0;
        struct caif_payload_info *info;
        struct cfsrvl *service = container_obj(layr);
@@ -95,7 +96,9 @@ static int cfdgml_transmit(struct cflayer *layr, struct cfpkt *pkt)
        if (cfpkt_getlen(pkt) > DGM_MTU)
                return -EMSGSIZE;
-        cfpkt_add_head(pkt, &zero, 4);
+        cfpkt_add_head(pkt, &zero, 3);
+        packet_type = 0x08; /* B9 set - UNCLASSIFIED */
+        cfpkt_add_head(pkt, &packet_type, 1);
        /* Add info for MUX-layer to route the packet out. */
        info = cfpkt_info(pkt);
@@ -105,10 +108,5 @@ static int cfdgml_transmit(struct cflayer *layr, struct cfpkt *pkt)
         */
        info->hdr_len = 4;
        info->dev_info = &service->dev_info;
-        ret = layr->dn->transmit(layr->dn, pkt);
+        return layr->dn->transmit(layr->dn, pkt);
-        if (ret < 0) {
-                u32 tmp32;
-                cfpkt_extr_head(pkt, &tmp32, 4);
-        }
-        return ret;
 }
diff --git a/net/caif/cffrml.c b/net/caif/cffrml.c
index a445043931ae..04204b202718 100644
--- a/net/caif/cffrml.c
+++ b/net/caif/cffrml.c
@@ -12,6 +12,7 @@
 #include <linux/spinlock.h>
 #include <linux/slab.h>
 #include <linux/crc-ccitt.h>
+#include <linux/netdevice.h>
 #include <net/caif/caif_layer.h>
 #include <net/caif/cfpkt.h>
 #include <net/caif/cffrml.h>
@@ -21,6 +22,7 @@
 struct cffrml {
        struct cflayer layer;
        bool dofcs;             /* !< FCS active */
+        int __percpu            *pcpu_refcnt;
 };
 static int cffrml_receive(struct cflayer *layr, struct cfpkt *pkt);
@@ -37,6 +39,12 @@ struct cflayer *cffrml_create(u16 phyid, bool use_fcs)
                pr_warn("Out of memory\n");
                return NULL;
        }
+        this->pcpu_refcnt = alloc_percpu(int);
+        if (this->pcpu_refcnt == NULL) {
+                kfree(this);
+                return NULL;
+        }
        caif_assert(offsetof(struct cffrml, layer) == 0);
        memset(this, 0, sizeof(struct cflayer));
@@ -49,6 +57,13 @@ struct cflayer *cffrml_create(u16 phyid, bool use_fcs)
        return (struct cflayer *) this;
 }
+void cffrml_free(struct cflayer *layer)
+{
+        struct cffrml *this = container_obj(layer);
+        free_percpu(this->pcpu_refcnt);
+        kfree(layer);
+}
 void cffrml_set_uplayer(struct cflayer *this, struct cflayer *up)
 {
        this->up = up;
@@ -112,6 +127,13 @@ static int cffrml_receive(struct cflayer *layr, struct cfpkt *pkt)
                cfpkt_destroy(pkt);
                return -EPROTO;
        }
+        if (layr->up == NULL) {
+                pr_err("Layr up is missing!\n");
+                cfpkt_destroy(pkt);
+                return -EINVAL;
+        }
        return layr->up->receive(layr->up, pkt);
 }
@@ -120,7 +142,6 @@ static int cffrml_transmit(struct cflayer *layr, struct cfpkt *pkt)
        int tmp;
        u16 chks;
        u16 len;
-        int ret;
        struct cffrml *this = container_obj(layr);
        if (this->dofcs) {
                chks = cfpkt_iterate(pkt, cffrml_checksum, 0xffff);
@@ -135,19 +156,44 @@ static int cffrml_transmit(struct cflayer *layr, struct cfpkt *pkt)
        cfpkt_info(pkt)->hdr_len += 2;
        if (cfpkt_erroneous(pkt)) {
                pr_err("Packet is erroneous!\n");
+                cfpkt_destroy(pkt);
                return -EPROTO;
        }
-        ret = layr->dn->transmit(layr->dn, pkt);
-        if (ret < 0) {
+        if (layr->dn == NULL) {
-                /* Remove header on faulty packet. */
+                cfpkt_destroy(pkt);
-                cfpkt_extr_head(pkt, &tmp, 2);
+                return -ENODEV;
        }
-        return ret;
+        return layr->dn->transmit(layr->dn, pkt);
 }
 static void cffrml_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
                                        int phyid)
 {
-        if (layr->up->ctrlcmd)
+        if (layr->up && layr->up->ctrlcmd)
                layr->up->ctrlcmd(layr->up, ctrl, layr->id);
 }
+void cffrml_put(struct cflayer *layr)
+{
+        struct cffrml *this = container_obj(layr);
+        if (layr != NULL && this->pcpu_refcnt != NULL)
+                irqsafe_cpu_dec(*this->pcpu_refcnt);
+}
+void cffrml_hold(struct cflayer *layr)
+{
+        struct cffrml *this = container_obj(layr);
+        if (layr != NULL && this->pcpu_refcnt != NULL)
+                irqsafe_cpu_inc(*this->pcpu_refcnt);
+}
+int cffrml_refcnt_read(struct cflayer *layr)
+{
+        int i, refcnt = 0;
+        struct cffrml *this = container_obj(layr);
+        for_each_possible_cpu(i)
+                refcnt += *per_cpu_ptr(this->pcpu_refcnt, i);
+        return refcnt;
+}
diff --git a/net/caif/cfmuxl.c b/net/caif/cfmuxl.c
index 46f34b2e0478..2a56df7e0a4b 100644
--- a/net/caif/cfmuxl.c
+++ b/net/caif/cfmuxl.c
@@ -9,6 +9,7 @@
 #include <linux/stddef.h>
 #include <linux/spinlock.h>
 #include <linux/slab.h>
+#include <linux/rculist.h>
 #include <net/caif/cfpkt.h>
 #include <net/caif/cfmuxl.h>
 #include <net/caif/cfsrvl.h>
@@ -64,66 +65,31 @@ struct cflayer *cfmuxl_create(void)
 int cfmuxl_set_uplayer(struct cflayer *layr, struct cflayer *up, u8 linkid)
 {
        struct cfmuxl *muxl = container_obj(layr);
-        spin_lock(&muxl->receive_lock);
-        cfsrvl_get(up);
-        list_add(&up->node, &muxl->srvl_list);
-        spin_unlock(&muxl->receive_lock);
-        return 0;
-}
-bool cfmuxl_is_phy_inuse(struct cflayer *layr, u8 phyid)
-{
-        struct list_head *node;
-        struct cflayer *layer;
-        struct cfmuxl *muxl = container_obj(layr);
-        bool match = false;
-        spin_lock(&muxl->receive_lock);
-        list_for_each(node, &muxl->srvl_list) {
-                layer = list_entry(node, struct cflayer, node);
-                if (cfsrvl_phyid_match(layer, phyid)) {
-                        match = true;
-                        break;
-                }
-        }
-        spin_unlock(&muxl->receive_lock);
-        return match;
-}
-u8 cfmuxl_get_phyid(struct cflayer *layr, u8 channel_id)
+        spin_lock_bh(&muxl->receive_lock);
-{
+        list_add_rcu(&up->node, &muxl->srvl_list);
-        struct cflayer *up;
+        spin_unlock_bh(&muxl->receive_lock);
-        int phyid;
+        return 0;
-        struct cfmuxl *muxl = container_obj(layr);
-        spin_lock(&muxl->receive_lock);
-        up = get_up(muxl, channel_id);
-        if (up != NULL)
-                phyid = cfsrvl_getphyid(up);
-        else
-                phyid = 0;
-        spin_unlock(&muxl->receive_lock);
-        return phyid;
 }
 int cfmuxl_set_dnlayer(struct cflayer *layr, struct cflayer *dn, u8 phyid)
 {
        struct cfmuxl *muxl = (struct cfmuxl *) layr;
-        spin_lock(&muxl->transmit_lock);
-        list_add(&dn->node, &muxl->frml_list);
+        spin_lock_bh(&muxl->transmit_lock);
-        spin_unlock(&muxl->transmit_lock);
+        list_add_rcu(&dn->node, &muxl->frml_list);
+        spin_unlock_bh(&muxl->transmit_lock);
        return 0;
 }
 static struct cflayer *get_from_id(struct list_head *list, u16 id)
 {
-        struct list_head *node;
+        struct cflayer *lyr;
-        struct cflayer *layer;
+        list_for_each_entry_rcu(lyr, list, node) {
-        list_for_each(node, list) {
+                if (lyr->id == id)
-                layer = list_entry(node, struct cflayer, node);
+                        return lyr;
-                if (layer->id == id)
-                        return layer;
        }
        return NULL;
 }
@@ -131,41 +97,45 @@ struct cflayer *cfmuxl_remove_dnlayer(struct cflayer *layr, u8 phyid)
 {
        struct cfmuxl *muxl = container_obj(layr);
        struct cflayer *dn;
-        spin_lock(&muxl->transmit_lock);
+        int idx = phyid % DN_CACHE_SIZE;
-        memset(muxl->dn_cache, 0, sizeof(muxl->dn_cache));
+        spin_lock_bh(&muxl->transmit_lock);
+        rcu_assign_pointer(muxl->dn_cache[idx], NULL);
        dn = get_from_id(&muxl->frml_list, phyid);
-        if (dn == NULL) {
+        if (dn == NULL)
-                spin_unlock(&muxl->transmit_lock);
+                goto out;
-                return NULL;
-        }
+        list_del_rcu(&dn->node);
-        list_del(&dn->node);
        caif_assert(dn != NULL);
-        spin_unlock(&muxl->transmit_lock);
+out:
+        spin_unlock_bh(&muxl->transmit_lock);
        return dn;
 }
-/* Invariant: lock is taken */
 static struct cflayer *get_up(struct cfmuxl *muxl, u16 id)
 {
        struct cflayer *up;
        int idx = id % UP_CACHE_SIZE;
-        up = muxl->up_cache[idx];
+        up = rcu_dereference(muxl->up_cache[idx]);
        if (up == NULL || up->id != id) {
+                spin_lock_bh(&muxl->receive_lock);
                up = get_from_id(&muxl->srvl_list, id);
-                muxl->up_cache[idx] = up;
+                rcu_assign_pointer(muxl->up_cache[idx], up);
+                spin_unlock_bh(&muxl->receive_lock);
        }
        return up;
 }
-/* Invariant: lock is taken */
 static struct cflayer *get_dn(struct cfmuxl *muxl, struct dev_info *dev_info)
 {
        struct cflayer *dn;
        int idx = dev_info->id % DN_CACHE_SIZE;
-        dn = muxl->dn_cache[idx];
+        dn = rcu_dereference(muxl->dn_cache[idx]);
        if (dn == NULL || dn->id != dev_info->id) {
+                spin_lock_bh(&muxl->transmit_lock);
                dn = get_from_id(&muxl->frml_list, dev_info->id);
-                muxl->dn_cache[idx] = dn;
+                rcu_assign_pointer(muxl->dn_cache[idx], dn);
+                spin_unlock_bh(&muxl->transmit_lock);
        }
        return dn;
 }
@@ -174,15 +144,17 @@ struct cflayer *cfmuxl_remove_uplayer(struct cflayer *layr, u8 id)
 {
        struct cflayer *up;
        struct cfmuxl *muxl = container_obj(layr);
-        spin_lock(&muxl->receive_lock);
+        int idx = id % UP_CACHE_SIZE;
-        up = get_up(muxl, id);
+        spin_lock_bh(&muxl->receive_lock);
+        up = get_from_id(&muxl->srvl_list, id);
        if (up == NULL)
                goto out;
-        memset(muxl->up_cache, 0, sizeof(muxl->up_cache));
-        list_del(&up->node);
+        rcu_assign_pointer(muxl->up_cache[idx], NULL);
-        cfsrvl_put(up);
+        list_del_rcu(&up->node);
 out:
-        spin_unlock(&muxl->receive_lock);
+        spin_unlock_bh(&muxl->receive_lock);
        return up;
 }
@@ -197,58 +169,78 @@ static int cfmuxl_receive(struct cflayer *layr, struct cfpkt *pkt)
                cfpkt_destroy(pkt);
                return -EPROTO;
        }
+        rcu_read_lock();
-        spin_lock(&muxl->receive_lock);
        up = get_up(muxl, id);
-        spin_unlock(&muxl->receive_lock);
        if (up == NULL) {
-                pr_info("Received data on unknown link ID = %d (0x%x) up == NULL",
+                pr_debug("Received data on unknown link ID = %d (0x%x)"
-                        id, id);
+                        " up == NULL", id, id);
                cfpkt_destroy(pkt);
                /*
                 * Don't return ERROR, since modem misbehaves and sends out
                 * flow on before linksetup response.
                 */
+                rcu_read_unlock();
                return /* CFGLU_EPROT; */ 0;
        }
+        /* We can't hold rcu_lock during receive, so take a ref count instead */
        cfsrvl_get(up);
+        rcu_read_unlock();
        ret = up->receive(up, pkt);
        cfsrvl_put(up);
        return ret;
 }
 static int cfmuxl_transmit(struct cflayer *layr, struct cfpkt *pkt)
 {
-        int ret;
        struct cfmuxl *muxl = container_obj(layr);
+        int err;
        u8 linkid;
        struct cflayer *dn;
        struct caif_payload_info *info = cfpkt_info(pkt);
-        dn = get_dn(muxl, cfpkt_info(pkt)->dev_info);
+        BUG_ON(!info);
+        rcu_read_lock();
+        dn = get_dn(muxl, info->dev_info);
        if (dn == NULL) {
-                pr_warn("Send data on unknown phy ID = %d (0x%x)\n",
+                pr_debug("Send data on unknown phy ID = %d (0x%x)\n",
                        info->dev_info->id, info->dev_info->id);
+                rcu_read_unlock();
+                cfpkt_destroy(pkt);
                return -ENOTCONN;
        }
        info->hdr_len += 1;
        linkid = info->channel_id;
        cfpkt_add_head(pkt, &linkid, 1);
-        ret = dn->transmit(dn, pkt);
-        /* Remove MUX protocol header upon error. */
+        /* We can't hold rcu_lock during receive, so take a ref count instead */
-        if (ret < 0)
+        cffrml_hold(dn);
-                cfpkt_extr_head(pkt, &linkid, 1);
-        return ret;
+        rcu_read_unlock();
+        err = dn->transmit(dn, pkt);
+        cffrml_put(dn);
+        return err;
 }
 static void cfmuxl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
                                int phyid)
 {
        struct cfmuxl *muxl = container_obj(layr);
-        struct list_head *node;
        struct cflayer *layer;
-        list_for_each(node, &muxl->srvl_list) {
-                layer = list_entry(node, struct cflayer, node);
+        rcu_read_lock();
-                if (cfsrvl_phyid_match(layer, phyid))
+        list_for_each_entry_rcu(layer, &muxl->srvl_list, node) {
+                if (cfsrvl_phyid_match(layer, phyid) && layer->ctrlcmd)
+                        /* NOTE: ctrlcmd is not allowed to block */
                        layer->ctrlcmd(layer, ctrl, phyid);
        }
+        rcu_read_unlock();
 }
diff --git a/net/caif/cfpkt_skbuff.c b/net/caif/cfpkt_skbuff.c
index d7e865e2ff65..75d4bfae1a78 100644
--- a/net/caif/cfpkt_skbuff.c
+++ b/net/caif/cfpkt_skbuff.c
@@ -42,22 +42,22 @@ struct cfpkt_priv_data {
        bool erronous;
 };
-inline struct cfpkt_priv_data *cfpkt_priv(struct cfpkt *pkt)
+static inline struct cfpkt_priv_data *cfpkt_priv(struct cfpkt *pkt)
 {
        return (struct cfpkt_priv_data *) pkt->skb.cb;
 }
-inline bool is_erronous(struct cfpkt *pkt)
+static inline bool is_erronous(struct cfpkt *pkt)
 {
        return cfpkt_priv(pkt)->erronous;
 }
-inline struct sk_buff *pkt_to_skb(struct cfpkt *pkt)
+static inline struct sk_buff *pkt_to_skb(struct cfpkt *pkt)
 {
        return &pkt->skb;
 }
-inline struct cfpkt *skb_to_pkt(struct sk_buff *skb)
+static inline struct cfpkt *skb_to_pkt(struct sk_buff *skb)
 {
        return (struct cfpkt *) skb;
 }
@@ -97,21 +97,20 @@ inline struct cfpkt *cfpkt_create(u16 len)
 {
        return cfpkt_create_pfx(len + PKT_POSTFIX, PKT_PREFIX);
 }
-EXPORT_SYMBOL(cfpkt_create);
 void cfpkt_destroy(struct cfpkt *pkt)
 {
        struct sk_buff *skb = pkt_to_skb(pkt);
        kfree_skb(skb);
 }
-EXPORT_SYMBOL(cfpkt_destroy);
 inline bool cfpkt_more(struct cfpkt *pkt)
 {
        struct sk_buff *skb = pkt_to_skb(pkt);
        return skb->len > 0;
 }
-EXPORT_SYMBOL(cfpkt_more);
 int cfpkt_peek_head(struct cfpkt *pkt, void *data, u16 len)
 {
@@ -123,7 +122,6 @@ int cfpkt_peek_head(struct cfpkt *pkt, void *data, u16 len)
        return !cfpkt_extr_head(pkt, data, len) &&
            !cfpkt_add_head(pkt, data, len);
 }
-EXPORT_SYMBOL(cfpkt_peek_head);
 int cfpkt_extr_head(struct cfpkt *pkt, void *data, u16 len)
 {
@@ -148,7 +146,6 @@ int cfpkt_extr_head(struct cfpkt *pkt, void *data, u16 len)
        memcpy(data, from, len);
        return 0;
 }
-EXPORT_SYMBOL(cfpkt_extr_head);
 int cfpkt_extr_trail(struct cfpkt *pkt, void *dta, u16 len)
 {
@@ -171,13 +168,13 @@ int cfpkt_extr_trail(struct cfpkt *pkt, void *dta, u16 len)
        memcpy(data, from, len);
        return 0;
 }
-EXPORT_SYMBOL(cfpkt_extr_trail);
 int cfpkt_pad_trail(struct cfpkt *pkt, u16 len)
 {
        return cfpkt_add_body(pkt, NULL, len);
 }
-EXPORT_SYMBOL(cfpkt_pad_trail);
 int cfpkt_add_body(struct cfpkt *pkt, const void *data, u16 len)
 {
@@ -226,13 +223,11 @@ int cfpkt_add_body(struct cfpkt *pkt, const void *data, u16 len)
                memcpy(to, data, len);
        return 0;
 }
-EXPORT_SYMBOL(cfpkt_add_body);
 inline int cfpkt_addbdy(struct cfpkt *pkt, u8 data)
 {
        return cfpkt_add_body(pkt, &data, 1);
 }
-EXPORT_SYMBOL(cfpkt_addbdy);
 int cfpkt_add_head(struct cfpkt *pkt, const void *data2, u16 len)
 {
@@ -259,20 +254,20 @@ int cfpkt_add_head(struct cfpkt *pkt, const void *data2, u16 len)
        memcpy(to, data, len);
        return 0;
 }
-EXPORT_SYMBOL(cfpkt_add_head);
 inline int cfpkt_add_trail(struct cfpkt *pkt, const void *data, u16 len)
 {
        return cfpkt_add_body(pkt, data, len);
 }
-EXPORT_SYMBOL(cfpkt_add_trail);
 inline u16 cfpkt_getlen(struct cfpkt *pkt)
 {
        struct sk_buff *skb = pkt_to_skb(pkt);
        return skb->len;
 }
-EXPORT_SYMBOL(cfpkt_getlen);
 inline u16 cfpkt_iterate(struct cfpkt *pkt,
                            u16 (*iter_func)(u16, void *, u16),
@@ -290,7 +285,7 @@ inline u16 cfpkt_iterate(struct cfpkt *pkt,
        }
        return iter_func(data, pkt->skb.data, cfpkt_getlen(pkt));
 }
-EXPORT_SYMBOL(cfpkt_iterate);
 int cfpkt_setlen(struct cfpkt *pkt, u16 len)
 {
@@ -315,18 +310,6 @@ int cfpkt_setlen(struct cfpkt *pkt, u16 len)
        return cfpkt_getlen(pkt);
 }
-EXPORT_SYMBOL(cfpkt_setlen);
-struct cfpkt *cfpkt_create_uplink(const unsigned char *data, unsigned int len)
-{
-        struct cfpkt *pkt = cfpkt_create_pfx(len + PKT_POSTFIX, PKT_PREFIX);
-        if (!pkt)
-                return NULL;
-        if (unlikely(data != NULL))
-                cfpkt_add_body(pkt, data, len);
-        return pkt;
-}
-EXPORT_SYMBOL(cfpkt_create_uplink);
 struct cfpkt *cfpkt_append(struct cfpkt *dstpkt,
                             struct cfpkt *addpkt,
@@ -368,7 +351,6 @@ struct cfpkt *cfpkt_append(struct cfpkt *dstpkt,
        dst->len += addlen;
        return skb_to_pkt(dst);
 }
-EXPORT_SYMBOL(cfpkt_append);
 struct cfpkt *cfpkt_split(struct cfpkt *pkt, u16 pos)
 {
@@ -406,174 +388,13 @@ struct cfpkt *cfpkt_split(struct cfpkt *pkt, u16 pos)
        skb2->len += len2nd;
        return skb_to_pkt(skb2);
 }
-EXPORT_SYMBOL(cfpkt_split);
-char *cfpkt_log_pkt(struct cfpkt *pkt, char *buf, int buflen)
-{
-        struct sk_buff *skb = pkt_to_skb(pkt);
-        char *p = buf;
-        int i;
-        /*
-         * Sanity check buffer length, it needs to be at least as large as
-         * the header info: ~=50+ bytes
-         */
-        if (buflen < 50)
-                return NULL;
-        snprintf(buf, buflen, "%s: pkt:%p len:%ld(%ld+%ld) {%ld,%ld} data: [",
-                is_erronous(pkt) ? "ERRONOUS-SKB" :
-                 (skb->data_len != 0 ? "COMPLEX-SKB" : "SKB"),
-                 skb,
-                 (long) skb->len,
-                 (long) (skb_tail_pointer(skb) - skb->data),
-                 (long) skb->data_len,
-                 (long) (skb->data - skb->head),
-                 (long) (skb_tail_pointer(skb) - skb->head));
-        p = buf + strlen(buf);
-        for (i = 0; i < skb_tail_pointer(skb) - skb->data && i < 300; i++) {
-                if (p > buf + buflen - 10) {
-                        sprintf(p, "...");
-                        p = buf + strlen(buf);
-                        break;
-                }
-                sprintf(p, "%02x,", skb->data[i]);
-                p = buf + strlen(buf);
-        }
-        sprintf(p, "]\n");
-        return buf;
-}
-EXPORT_SYMBOL(cfpkt_log_pkt);
-int cfpkt_raw_append(struct cfpkt *pkt, void **buf, unsigned int buflen)
-{
-        struct sk_buff *skb = pkt_to_skb(pkt);
-        struct sk_buff *lastskb;
-        caif_assert(buf != NULL);
-        if (unlikely(is_erronous(pkt)))
-                return -EPROTO;
-        /* Make sure SKB is writable */
-        if (unlikely(skb_cow_data(skb, 0, &lastskb) < 0)) {
-                PKT_ERROR(pkt, "skb_cow_data failed\n");
-                return -EPROTO;
-        }
-        if (unlikely(skb_linearize(skb) != 0)) {
-                PKT_ERROR(pkt, "linearize failed\n");
-                return -EPROTO;
-        }
-        if (unlikely(skb_tailroom(skb) < buflen)) {
-                PKT_ERROR(pkt, "buffer too short - failed\n");
-                return -EPROTO;
-        }
-        *buf = skb_put(skb, buflen);
-        return 1;
-}
-EXPORT_SYMBOL(cfpkt_raw_append);
-int cfpkt_raw_extract(struct cfpkt *pkt, void **buf, unsigned int buflen)
+bool cfpkt_erroneous(struct cfpkt *pkt)
-{
-        struct sk_buff *skb = pkt_to_skb(pkt);
-        caif_assert(buf != NULL);
-        if (unlikely(is_erronous(pkt)))
-                return -EPROTO;
-        if (unlikely(buflen > skb->len)) {
-                PKT_ERROR(pkt, "buflen too large - failed\n");
-                return -EPROTO;
-        }
-        if (unlikely(buflen > skb_headlen(skb))) {
-                if (unlikely(skb_linearize(skb) != 0)) {
-                        PKT_ERROR(pkt, "linearize failed\n");
-                        return -EPROTO;
-                }
-        }
-        *buf = skb->data;
-        skb_pull(skb, buflen);
-        return 1;
-}
-EXPORT_SYMBOL(cfpkt_raw_extract);
-inline bool cfpkt_erroneous(struct cfpkt *pkt)
 {
        return cfpkt_priv(pkt)->erronous;
 }
-EXPORT_SYMBOL(cfpkt_erroneous);
-struct cfpktq *cfpktq_create(void)
-{
-        struct cfpktq *q = kmalloc(sizeof(struct cfpktq), GFP_ATOMIC);
-        if (!q)
-                return NULL;
-        skb_queue_head_init(&q->head);
-        atomic_set(&q->count, 0);
-        spin_lock_init(&q->lock);
-        return q;
-}
-EXPORT_SYMBOL(cfpktq_create);
-void cfpkt_queue(struct cfpktq *pktq, struct cfpkt *pkt, unsigned short prio)
-{
-        atomic_inc(&pktq->count);
-        spin_lock(&pktq->lock);
-        skb_queue_tail(&pktq->head, pkt_to_skb(pkt));
-        spin_unlock(&pktq->lock);
-}
-EXPORT_SYMBOL(cfpkt_queue);
-struct cfpkt *cfpkt_qpeek(struct cfpktq *pktq)
-{
-        struct cfpkt *tmp;
-        spin_lock(&pktq->lock);
-        tmp = skb_to_pkt(skb_peek(&pktq->head));
-        spin_unlock(&pktq->lock);
-        return tmp;
-}
-EXPORT_SYMBOL(cfpkt_qpeek);
-struct cfpkt *cfpkt_dequeue(struct cfpktq *pktq)
-{
-        struct cfpkt *pkt;
-        spin_lock(&pktq->lock);
-        pkt = skb_to_pkt(skb_dequeue(&pktq->head));
-        if (pkt) {
-                atomic_dec(&pktq->count);
-                caif_assert(atomic_read(&pktq->count) >= 0);
-        }
-        spin_unlock(&pktq->lock);
-        return pkt;
-}
-EXPORT_SYMBOL(cfpkt_dequeue);
-int cfpkt_qcount(struct cfpktq *pktq)
-{
-        return atomic_read(&pktq->count);
-}
-EXPORT_SYMBOL(cfpkt_qcount);
-struct cfpkt *cfpkt_clone_release(struct cfpkt *pkt)
-{
-        struct cfpkt *clone;
-        clone  = skb_to_pkt(skb_clone(pkt_to_skb(pkt), GFP_ATOMIC));
-        /* Free original packet. */
-        cfpkt_destroy(pkt);
-        if (!clone)
-                return NULL;
-        return clone;
-}
-EXPORT_SYMBOL(cfpkt_clone_release);
 struct caif_payload_info *cfpkt_info(struct cfpkt *pkt)
 {
        return (struct caif_payload_info *)&pkt_to_skb(pkt)->cb;
 }
-EXPORT_SYMBOL(cfpkt_info);
diff --git a/net/caif/cfrfml.c b/net/caif/cfrfml.c
index e2fb5fa75795..0deabb440051 100644
--- a/net/caif/cfrfml.c
+++ b/net/caif/cfrfml.c
@@ -31,9 +31,9 @@ struct cfrfml {
        spinlock_t sync;
 };
-static void cfrfml_release(struct kref *kref)
+static void cfrfml_release(struct cflayer *layer)
 {
-        struct cfsrvl *srvl = container_of(kref, struct cfsrvl, ref);
+        struct cfsrvl *srvl = container_of(layer, struct cfsrvl, layer);
        struct cfrfml *rfml = container_obj(&srvl->layer);
        if (rfml->incomplete_frm)
diff --git a/net/caif/cfserl.c b/net/caif/cfserl.c
index 9297f7dea9d8..2715c84cfa87 100644
--- a/net/caif/cfserl.c
+++ b/net/caif/cfserl.c
@@ -25,7 +25,6 @@ struct cfserl {
        spinlock_t sync;
        bool usestx;
 };
-#define STXLEN(layr) (layr->usestx ? 1 : 0)
 static int cfserl_receive(struct cflayer *layr, struct cfpkt *pkt);
 static int cfserl_transmit(struct cflayer *layr, struct cfpkt *pkt);
@@ -180,15 +179,10 @@ static int cfserl_receive(struct cflayer *l, struct cfpkt *newpkt)
 static int cfserl_transmit(struct cflayer *layer, struct cfpkt *newpkt)
 {
        struct cfserl *layr = container_obj(layer);
-        int ret;
        u8 tmp8 = CFSERL_STX;
        if (layr->usestx)
                cfpkt_add_head(newpkt, &tmp8, 1);
-        ret = layer->dn->transmit(layer->dn, newpkt);
+        return layer->dn->transmit(layer->dn, newpkt);
-        if (ret < 0)
-                cfpkt_extr_head(newpkt, &tmp8, 1);
-        return ret;
 }
 static void cfserl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
diff --git a/net/caif/cfsrvl.c b/net/caif/cfsrvl.c
index ab5e542526bf..535a1e72b366 100644
--- a/net/caif/cfsrvl.c
+++ b/net/caif/cfsrvl.c
@@ -10,6 +10,7 @@
 #include <linux/types.h>
 #include <linux/errno.h>
 #include <linux/slab.h>
+#include <linux/module.h>
 #include <net/caif/caif_layer.h>
 #include <net/caif/cfsrvl.h>
 #include <net/caif/cfpkt.h>
@@ -27,8 +28,8 @@ static void cfservl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
 {
        struct cfsrvl *service = container_obj(layr);
-        caif_assert(layr->up != NULL);
+        if (layr->up == NULL || layr->up->ctrlcmd == NULL)
-        caif_assert(layr->up->ctrlcmd != NULL);
+                return;
        switch (ctrl) {
        case CAIF_CTRLCMD_INIT_RSP:
@@ -151,14 +152,9 @@ static int cfservl_modemcmd(struct cflayer *layr, enum caif_modemcmd ctrl)
        return -EINVAL;
 }
-void cfservl_destroy(struct cflayer *layer)
+static void cfsrvl_release(struct cflayer *layer)
 {
-        kfree(layer);
+        struct cfsrvl *service = container_of(layer, struct cfsrvl, layer);
-}
-void cfsrvl_release(struct kref *kref)
-{
-        struct cfsrvl *service = container_of(kref, struct cfsrvl, ref);
        kfree(service);
 }
@@ -178,10 +174,8 @@ void cfsrvl_init(struct cfsrvl *service,
        service->dev_info = *dev_info;
        service->supports_flowctrl = supports_flowctrl;
        service->release = cfsrvl_release;
-        kref_init(&service->ref);
 }
 bool cfsrvl_ready(struct cfsrvl *service, int *err)
 {
        if (service->open && service->modem_flow_on && service->phy_flow_on)
@@ -194,6 +188,7 @@ bool cfsrvl_ready(struct cfsrvl *service, int *err)
        *err = -EAGAIN;
        return false;
 }
 u8 cfsrvl_getphyid(struct cflayer *layer)
 {
        struct cfsrvl *servl = container_obj(layer);
@@ -205,3 +200,26 @@ bool cfsrvl_phyid_match(struct cflayer *layer, int phyid)
        struct cfsrvl *servl = container_obj(layer);
        return servl->dev_info.id == phyid;
 }
+void caif_free_client(struct cflayer *adap_layer)
+{
+        struct cfsrvl *servl;
+        if (adap_layer == NULL || adap_layer->dn == NULL)
+                return;
+        servl = container_obj(adap_layer->dn);
+        servl->release(&servl->layer);
+}
+EXPORT_SYMBOL(caif_free_client);
+void caif_client_register_refcnt(struct cflayer *adapt_layer,
+                                        void (*hold)(struct cflayer *lyr),
+                                        void (*put)(struct cflayer *lyr))
+{
+        struct cfsrvl *service;
+        service = container_of(adapt_layer->dn, struct cfsrvl, layer);
+        WARN_ON(adapt_layer == NULL || adapt_layer->dn == NULL);
+        service->hold = hold;
+        service->put = put;
+}
+EXPORT_SYMBOL(caif_client_register_refcnt);
diff --git a/net/caif/cfutill.c b/net/caif/cfutill.c
index efad410e4c82..98e027db18ed 100644
--- a/net/caif/cfutill.c
+++ b/net/caif/cfutill.c
@@ -20,7 +20,7 @@
 #define UTIL_REMOTE_SHUTDOWN 0x82
 #define UTIL_FLOW_OFF 0x81
 #define UTIL_FLOW_ON  0x80
-#define UTIL_CTRL_PKT_SIZE 1
 static int cfutill_receive(struct cflayer *layr, struct cfpkt *pkt);
 static int cfutill_transmit(struct cflayer *layr, struct cfpkt *pkt);
@@ -100,10 +100,5 @@ static int cfutill_transmit(struct cflayer *layr, struct cfpkt *pkt)
         */
        info->hdr_len = 1;
        info->dev_info = &service->dev_info;
-        ret = layr->dn->transmit(layr->dn, pkt);
+        return layr->dn->transmit(layr->dn, pkt);
-        if (ret < 0) {
-                u32 tmp32;
-                cfpkt_extr_head(pkt, &tmp32, 4);
-        }
-        return ret;
 }
diff --git a/net/caif/cfveil.c b/net/caif/cfveil.c
index 3b425b189a99..3ec83fbc2887 100644
--- a/net/caif/cfveil.c
+++ b/net/caif/cfveil.c
@@ -17,7 +17,7 @@
 #define VEI_FLOW_OFF 0x81
 #define VEI_FLOW_ON  0x80
 #define VEI_SET_PIN  0x82
-#define VEI_CTRL_PKT_SIZE 1
 #define container_obj(layr) container_of(layr, struct cfsrvl, layer)
 static int cfvei_receive(struct cflayer *layr, struct cfpkt *pkt);
@@ -82,13 +82,14 @@ static int cfvei_transmit(struct cflayer *layr, struct cfpkt *pkt)
        int ret;
        struct cfsrvl *service = container_obj(layr);
        if (!cfsrvl_ready(service, &ret))
-                return ret;
+                goto err;
        caif_assert(layr->dn != NULL);
        caif_assert(layr->dn->transmit != NULL);
        if (cfpkt_add_head(pkt, &tmp, 1) < 0) {
                pr_err("Packet is erroneous!\n");
-                return -EPROTO;
+                ret = -EPROTO;
+                goto err;
        }
        /* Add info-> for MUX-layer to route the packet out. */
@@ -96,8 +97,8 @@ static int cfvei_transmit(struct cflayer *layr, struct cfpkt *pkt)
        info->channel_id = service->layer.id;
        info->hdr_len = 1;
        info->dev_info = &service->dev_info;
-        ret = layr->dn->transmit(layr->dn, pkt);
+        return layr->dn->transmit(layr->dn, pkt);
-        if (ret < 0)
+err:
-                cfpkt_extr_head(pkt, &tmp, 1);
+        cfpkt_destroy(pkt);
        return ret;
 }
diff --git a/net/caif/cfvidl.c b/net/caif/cfvidl.c
index bf6fef2a0eff..b2f5989ad455 100644
--- a/net/caif/cfvidl.c
+++ b/net/caif/cfvidl.c
@@ -60,8 +60,5 @@ static int cfvidl_transmit(struct cflayer *layr, struct cfpkt *pkt)
        info = cfpkt_info(pkt);
        info->channel_id = service->layer.id;
        info->dev_info = &service->dev_info;
-        ret = layr->dn->transmit(layr->dn, pkt);
+        return layr->dn->transmit(layr->dn, pkt);
-        if (ret < 0)
-                cfpkt_extr_head(pkt, &videoheader, 4);
-        return ret;
 }
diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
index 6008d6dc18a0..649ebacaf6bc 100644
--- a/net/caif/chnl_net.c
+++ b/net/caif/chnl_net.c
@@ -20,7 +20,6 @@
 #include <linux/caif/if_caif.h>
 #include <net/rtnetlink.h>
 #include <net/caif/caif_layer.h>
-#include <net/caif/cfcnfg.h>
 #include <net/caif/cfpkt.h>
 #include <net/caif/caif_dev.h>
@@ -84,10 +83,11 @@ static int chnl_recv_cb(struct cflayer *layr, struct cfpkt *pkt)
        if (!priv)
                return -EINVAL;
+        skb = (struct sk_buff *) cfpkt_tonative(pkt);
        /* Get length of CAIF packet. */
-        pktlen = cfpkt_getlen(pkt);
+        pktlen = skb->len;
-        skb = (struct sk_buff *) cfpkt_tonative(pkt);
        /* Pass some minimum information and
         * send the packet to the net stack.
         */
@@ -153,6 +153,18 @@ static void close_work(struct work_struct *work)
 }
 static DECLARE_WORK(close_worker, close_work);
+static void chnl_hold(struct cflayer *lyr)
+{
+        struct chnl_net *priv = container_of(lyr, struct chnl_net, chnl);
+        dev_hold(priv->netdev);
+}
+static void chnl_put(struct cflayer *lyr)
+{
+        struct chnl_net *priv = container_of(lyr, struct chnl_net, chnl);
+        dev_put(priv->netdev);
+}
 static void chnl_flowctrl_cb(struct cflayer *layr, enum caif_ctrlcmd flow,
                                int phyid)
 {
@@ -190,6 +202,7 @@ static void chnl_flowctrl_cb(struct cflayer *layr, enum caif_ctrlcmd flow,
                netif_wake_queue(priv->netdev);
                break;
        case CAIF_CTRLCMD_INIT_RSP:
+                caif_client_register_refcnt(&priv->chnl, chnl_hold, chnl_put);
                priv->state = CAIF_CONNECTED;
                priv->flowenabled = true;
                netif_wake_queue(priv->netdev);
@@ -257,8 +270,9 @@ static int chnl_net_open(struct net_device *dev)
        if (priv->state != CAIF_CONNECTING) {
                priv->state = CAIF_CONNECTING;
-                result = caif_connect_client(&priv->conn_req, &priv->chnl,
+                result = caif_connect_client(dev_net(dev), &priv->conn_req,
-                                        &llifindex, &headroom, &tailroom);
+                                                &priv->chnl, &llifindex,
+                                                &headroom, &tailroom);
                if (result != 0) {
                                pr_debug("err: "
                                         "Unable to register and open device,"
@@ -314,7 +328,7 @@ static int chnl_net_open(struct net_device *dev)
        if (result == 0) {
                pr_debug("connect timeout\n");
-                caif_disconnect_client(&priv->chnl);
+                caif_disconnect_client(dev_net(dev), &priv->chnl);
                priv->state = CAIF_DISCONNECTED;
                pr_debug("state disconnected\n");
                result = -ETIMEDOUT;
@@ -330,7 +344,7 @@ static int chnl_net_open(struct net_device *dev)
        return 0;
 error:
-        caif_disconnect_client(&priv->chnl);
+        caif_disconnect_client(dev_net(dev), &priv->chnl);
        priv->state = CAIF_DISCONNECTED;
        pr_debug("state disconnected\n");
        return result;
@@ -344,7 +358,7 @@ static int chnl_net_stop(struct net_device *dev)
        ASSERT_RTNL();
        priv = netdev_priv(dev);
        priv->state = CAIF_DISCONNECTED;
-        caif_disconnect_client(&priv->chnl);
+        caif_disconnect_client(dev_net(dev), &priv->chnl);
        return 0;
 }
@@ -373,11 +387,18 @@ static const struct net_device_ops netdev_ops = {
        .ndo_start_xmit = chnl_net_start_xmit,
 };
+static void chnl_net_destructor(struct net_device *dev)
+{
+        struct chnl_net *priv = netdev_priv(dev);
+        caif_free_client(&priv->chnl);
+        free_netdev(dev);
+}
 static void ipcaif_net_setup(struct net_device *dev)
 {
        struct chnl_net *priv;
        dev->netdev_ops = &netdev_ops;
-        dev->destructor = free_netdev;
+        dev->destructor = chnl_net_destructor;
        dev->flags |= IFF_NOARP;
        dev->flags |= IFF_POINTOPOINT;
        dev->mtu = GPRS_PDP_MTU;
@@ -391,7 +412,7 @@ static void ipcaif_net_setup(struct net_device *dev)
        priv->conn_req.link_selector = CAIF_LINK_HIGH_BANDW;
        priv->conn_req.priority = CAIF_PRIO_LOW;
        /* Insert illegal value */
-        priv->conn_req.sockaddr.u.dgm.connection_id = -1;
+        priv->conn_req.sockaddr.u.dgm.connection_id = 0;
        priv->flowenabled = false;
        init_waitqueue_head(&priv->netmgmt_wq);
@@ -453,6 +474,10 @@ static int ipcaif_newlink(struct net *src_net, struct net_device *dev,
                pr_warn("device rtml registration failed\n");
        else
                list_add(&caifdev->list_field, &chnl_net_list);
+        /* Take ifindex as connection-id if null */
+        if (caifdev->conn_req.sockaddr.u.dgm.connection_id == 0)
+                caifdev->conn_req.sockaddr.u.dgm.connection_id = dev->ifindex;
        return ret;
 }
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 702be5a2c956..094fc5332d42 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -84,8 +84,8 @@ static DEFINE_SPINLOCK(can_rcvlists_lock);
 static struct kmem_cache *rcv_cache __read_mostly;
 /* table of registered CAN protocols */
-static struct can_proto *proto_tab[CAN_NPROTO] __read_mostly;
+static const struct can_proto *proto_tab[CAN_NPROTO] __read_mostly;
-static DEFINE_SPINLOCK(proto_tab_lock);
+static DEFINE_MUTEX(proto_tab_lock);
 struct timer_list can_stattimer;   /* timer for statistics update */
 struct s_stats    can_stats;       /* packet statistics */
@@ -95,7 +95,7 @@ struct s_pstats   can_pstats;      /* receive list statistics */
 * af_can socket functions
 */
-static int can_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+int can_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 {
        struct sock *sk = sock->sk;
@@ -108,17 +108,36 @@ static int can_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
                return -ENOIOCTLCMD;
        }
 }
+EXPORT_SYMBOL(can_ioctl);
 static void can_sock_destruct(struct sock *sk)
 {
        skb_queue_purge(&sk->sk_receive_queue);
 }
+static const struct can_proto *can_get_proto(int protocol)
+{
+        const struct can_proto *cp;
+        rcu_read_lock();
+        cp = rcu_dereference(proto_tab[protocol]);
+        if (cp && !try_module_get(cp->prot->owner))
+                cp = NULL;
+        rcu_read_unlock();
+        return cp;
+}
+static inline void can_put_proto(const struct can_proto *cp)
+{
+        module_put(cp->prot->owner);
+}
 static int can_create(struct net *net, struct socket *sock, int protocol,
                      int kern)
 {
        struct sock *sk;
-        struct can_proto *cp;
+        const struct can_proto *cp;
        int err = 0;
        sock->state = SS_UNCONNECTED;
@@ -129,9 +148,12 @@ static int can_create(struct net *net, struct socket *sock, int protocol,
        if (!net_eq(net, &init_net))
                return -EAFNOSUPPORT;
+        cp = can_get_proto(protocol);
 #ifdef CONFIG_MODULES
-        /* try to load protocol module kernel is modular */
+        if (!cp) {
-        if (!proto_tab[protocol]) {
+                /* try to load protocol module if kernel is modular */
                err = request_module("can-proto-%d", protocol);
                /*
@@ -142,22 +164,18 @@ static int can_create(struct net *net, struct socket *sock, int protocol,
                if (err && printk_ratelimit())
                        printk(KERN_ERR "can: request_module "
                               "(can-proto-%d) failed.\n", protocol);
+                cp = can_get_proto(protocol);
        }
 #endif
-        spin_lock(&proto_tab_lock);
-        cp = proto_tab[protocol];
-        if (cp && !try_module_get(cp->prot->owner))
-                cp = NULL;
-        spin_unlock(&proto_tab_lock);
        /* check for available protocol and correct usage */
        if (!cp)
                return -EPROTONOSUPPORT;
        if (cp->type != sock->type) {
-                err = -EPROTONOSUPPORT;
+                err = -EPROTOTYPE;
                goto errout;
        }
@@ -182,7 +200,7 @@ static int can_create(struct net *net, struct socket *sock, int protocol,
        }
 errout:
-        module_put(cp->prot->owner);
+        can_put_proto(cp);
        return err;
 }
@@ -678,7 +696,7 @@ drop:
 *  -EBUSY  protocol already in use
 *  -ENOBUF if proto_register() fails
 */
-int can_proto_register(struct can_proto *cp)
+int can_proto_register(const struct can_proto *cp)
 {
        int proto = cp->protocol;
        int err = 0;
@@ -693,19 +711,16 @@ int can_proto_register(struct can_proto *cp)
        if (err < 0)
                return err;
-        spin_lock(&proto_tab_lock);
+        mutex_lock(&proto_tab_lock);
        if (proto_tab[proto]) {
                printk(KERN_ERR "can: protocol %d already registered\n",
                       proto);
                err = -EBUSY;
-        } else {
+        } else
-                proto_tab[proto] = cp;
+                rcu_assign_pointer(proto_tab[proto], cp);
-                /* use generic ioctl function if not defined by module */
+        mutex_unlock(&proto_tab_lock);
-                if (!cp->ops->ioctl)
-                        cp->ops->ioctl = can_ioctl;
-        }
-        spin_unlock(&proto_tab_lock);
        if (err < 0)
                proto_unregister(cp->prot);
@@ -718,17 +733,16 @@ EXPORT_SYMBOL(can_proto_register);
 * can_proto_unregister - unregister CAN transport protocol
 * @cp: pointer to CAN protocol structure
 */
-void can_proto_unregister(struct can_proto *cp)
+void can_proto_unregister(const struct can_proto *cp)
 {
        int proto = cp->protocol;
-        spin_lock(&proto_tab_lock);
+        mutex_lock(&proto_tab_lock);
-        if (!proto_tab[proto]) {
+        BUG_ON(proto_tab[proto] != cp);
-                printk(KERN_ERR "BUG: can: protocol %d is not registered\n",
+        rcu_assign_pointer(proto_tab[proto], NULL);
-                       proto);
+        mutex_unlock(&proto_tab_lock);
-        }
-        proto_tab[proto] = NULL;
+        synchronize_rcu();
-        spin_unlock(&proto_tab_lock);
        proto_unregister(cp->prot);
 }
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 092dc88a7c64..cced806098a9 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -387,7 +387,7 @@ static void bcm_tx_timeout_tsklet(unsigned long data)
 }
 /*
- * bcm_tx_timeout_handler - performes cyclic CAN frame transmissions
+ * bcm_tx_timeout_handler - performs cyclic CAN frame transmissions
 */
 static enum hrtimer_restart bcm_tx_timeout_handler(struct hrtimer *hrtimer)
 {
@@ -1427,9 +1427,14 @@ static int bcm_init(struct sock *sk)
 static int bcm_release(struct socket *sock)
 {
        struct sock *sk = sock->sk;
-        struct bcm_sock *bo = bcm_sk(sk);
+        struct bcm_sock *bo;
        struct bcm_op *op, *next;
+        if (sk == NULL)
+                return 0;
+        bo = bcm_sk(sk);
        /* remove bcm_ops, timer, rx_unregister(), etc. */
        unregister_netdevice_notifier(&bo->notifier);
@@ -1569,7 +1574,7 @@ static int bcm_recvmsg(struct kiocb *iocb, struct socket *sock,
        return size;
 }
-static struct proto_ops bcm_ops __read_mostly = {
+static const struct proto_ops bcm_ops = {
        .family        = PF_CAN,
        .release       = bcm_release,
        .bind          = sock_no_bind,
@@ -1578,7 +1583,7 @@ static struct proto_ops bcm_ops __read_mostly = {
        .accept        = sock_no_accept,
        .getname       = sock_no_getname,
        .poll          = datagram_poll,
-        .ioctl         = NULL,          /* use can_ioctl() from af_can.c */
+        .ioctl         = can_ioctl,     /* use can_ioctl() from af_can.c */
        .listen        = sock_no_listen,
        .shutdown      = sock_no_shutdown,
        .setsockopt    = sock_no_setsockopt,
@@ -1596,7 +1601,7 @@ static struct proto bcm_proto __read_mostly = {
        .init       = bcm_init,
 };
-static struct can_proto bcm_can_proto __read_mostly = {
+static const struct can_proto bcm_can_proto = {
        .type       = SOCK_DGRAM,
        .protocol   = CAN_BCM,
        .ops        = &bcm_ops,
diff --git a/net/can/raw.c b/net/can/raw.c
index 883e9d74fddf..dea99a6e596c 100644
--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -305,7 +305,12 @@ static int raw_init(struct sock *sk)
 static int raw_release(struct socket *sock)
 {
        struct sock *sk = sock->sk;
-        struct raw_sock *ro = raw_sk(sk);
+        struct raw_sock *ro;
+        if (!sk)
+                return 0;
+        ro = raw_sk(sk);
        unregister_netdevice_notifier(&ro->notifier);
@@ -742,7 +747,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct socket *sock,
        return size;
 }
-static struct proto_ops raw_ops __read_mostly = {
+static const struct proto_ops raw_ops = {
        .family        = PF_CAN,
        .release       = raw_release,
        .bind          = raw_bind,
@@ -751,7 +756,7 @@ static struct proto_ops raw_ops __read_mostly = {
        .accept        = sock_no_accept,
        .getname       = raw_getname,
        .poll          = datagram_poll,
-        .ioctl         = NULL,          /* use can_ioctl() from af_can.c */
+        .ioctl         = can_ioctl,     /* use can_ioctl() from af_can.c */
        .listen        = sock_no_listen,
        .shutdown      = sock_no_shutdown,
        .setsockopt    = raw_setsockopt,
@@ -769,7 +774,7 @@ static struct proto raw_proto __read_mostly = {
        .init       = raw_init,
 };
-static struct can_proto raw_can_proto __read_mostly = {
+static const struct can_proto raw_can_proto = {
        .type       = SOCK_RAW,
        .protocol   = CAN_RAW,
        .ops        = &raw_ops,
diff --git a/net/ceph/Kconfig b/net/ceph/Kconfig
index ad424049b0cf..be683f2d401f 100644
--- a/net/ceph/Kconfig
+++ b/net/ceph/Kconfig
@@ -4,6 +4,7 @@ config CEPH_LIB
        select LIBCRC32C
        select CRYPTO_AES
        select CRYPTO
+        select KEYS
        default n
        help
          Choose Y or M here to include cephlib, which provides the
diff --git a/net/ceph/armor.c b/net/ceph/armor.c
index eb2a666b0be7..1fc1ee11dfa2 100644
--- a/net/ceph/armor.c
+++ b/net/ceph/armor.c
@@ -78,8 +78,10 @@ int ceph_unarmor(char *dst, const char *src, const char *end)
        while (src < end) {
                int a, b, c, d;
-                if (src < end && src[0] == '\n')
+                if (src[0] == '\n') {
                        src++;
+                        continue;
+                }
                if (src + 4 > end)
                        return -EINVAL;
                a = decode_bits(src[0]);
diff --git a/net/ceph/auth.c b/net/ceph/auth.c
index 549c1f43e1d5..b4bf4ac090f1 100644
--- a/net/ceph/auth.c
+++ b/net/ceph/auth.c
@@ -35,12 +35,12 @@ static int ceph_auth_init_protocol(struct ceph_auth_client *ac, int protocol)
 /*
 * setup, teardown.
 */
-struct ceph_auth_client *ceph_auth_init(const char *name, const char *secret)
+struct ceph_auth_client *ceph_auth_init(const char *name, const struct ceph_crypto_key *key)
 {
        struct ceph_auth_client *ac;
        int ret;
-        dout("auth_init name '%s' secret '%s'\n", name, secret);
+        dout("auth_init name '%s'\n", name);
        ret = -ENOMEM;
        ac = kzalloc(sizeof(*ac), GFP_NOFS);
@@ -52,8 +52,8 @@ struct ceph_auth_client *ceph_auth_init(const char *name, const char *secret)
                ac->name = name;
        else
                ac->name = CEPH_AUTH_NAME_DEFAULT;
-        dout("auth_init name %s secret %s\n", ac->name, secret);
+        dout("auth_init name %s\n", ac->name);
-        ac->secret = secret;
+        ac->key = key;
        return ac;
 out:
diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c
index 7fd5dfcf6e18..1587dc6010c6 100644
--- a/net/ceph/auth_x.c
+++ b/net/ceph/auth_x.c
@@ -662,14 +662,16 @@ int ceph_x_init(struct ceph_auth_client *ac)
                goto out;
        ret = -EINVAL;
-        if (!ac->secret) {
+        if (!ac->key) {
                pr_err("no secret set (for auth_x protocol)\n");
                goto out_nomem;
        }
-        ret = ceph_crypto_key_unarmor(&xi->secret, ac->secret);
+        ret = ceph_crypto_key_clone(&xi->secret, ac->key);
-        if (ret)
+        if (ret < 0) {
+                pr_err("cannot clone key: %d\n", ret);
                goto out_nomem;
+        }
        xi->starting = true;
        xi->ticket_handlers = RB_ROOT;
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index f3e4a13fea0c..132963abc266 100644
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -5,6 +5,8 @@
 #include <linux/fs.h>
 #include <linux/inet.h>
 #include <linux/in6.h>
+#include <linux/key.h>
+#include <keys/ceph-type.h>
 #include <linux/module.h>
 #include <linux/mount.h>
 #include <linux/parser.h>
@@ -20,6 +22,7 @@
 #include <linux/ceph/decode.h>
 #include <linux/ceph/mon_client.h>
 #include <linux/ceph/auth.h>
+#include "crypto.h"
@@ -62,6 +65,7 @@ const char *ceph_msg_type_name(int type)
        case CEPH_MSG_OSD_MAP: return "osd_map";
        case CEPH_MSG_OSD_OP: return "osd_op";
        case CEPH_MSG_OSD_OPREPLY: return "osd_opreply";
+        case CEPH_MSG_WATCH_NOTIFY: return "watch_notify";
        default: return "unknown";
        }
 }
@@ -116,9 +120,29 @@ int ceph_compare_options(struct ceph_options *new_opt,
        if (ret)
                return ret;
-        ret = strcmp_null(opt1->secret, opt2->secret);
+        if (opt1->key && !opt2->key)
-        if (ret)
+                return -1;
-                return ret;
+        if (!opt1->key && opt2->key)
+                return 1;
+        if (opt1->key && opt2->key) {
+                if (opt1->key->type != opt2->key->type)
+                        return -1;
+                if (opt1->key->created.tv_sec != opt2->key->created.tv_sec)
+                        return -1;
+                if (opt1->key->created.tv_nsec != opt2->key->created.tv_nsec)
+                        return -1;
+                if (opt1->key->len != opt2->key->len)
+                        return -1;
+                if (opt1->key->key && !opt2->key->key)
+                        return -1;
+                if (!opt1->key->key && opt2->key->key)
+                        return 1;
+                if (opt1->key->key && opt2->key->key) {
+                        ret = memcmp(opt1->key->key, opt2->key->key, opt1->key->len);
+                        if (ret)
+                                return ret;
+                }
+        }
        /* any matching mon ip implies a match */
        for (i = 0; i < opt1->num_mon; i++) {
@@ -175,6 +199,7 @@ enum {
        Opt_fsid,
        Opt_name,
        Opt_secret,
+        Opt_key,
        Opt_ip,
        Opt_last_string,
        /* string args above */
@@ -191,6 +216,7 @@ static match_table_t opt_tokens = {
        {Opt_fsid, "fsid=%s"},
        {Opt_name, "name=%s"},
        {Opt_secret, "secret=%s"},
+        {Opt_key, "key=%s"},
        {Opt_ip, "ip=%s"},
        /* string args above */
        {Opt_noshare, "noshare"},
@@ -202,11 +228,56 @@ void ceph_destroy_options(struct ceph_options *opt)
 {
        dout("destroy_options %p\n", opt);
        kfree(opt->name);
-        kfree(opt->secret);
+        if (opt->key) {
+                ceph_crypto_key_destroy(opt->key);
+                kfree(opt->key);
+        }
        kfree(opt);
 }
 EXPORT_SYMBOL(ceph_destroy_options);
+/* get secret from key store */
+static int get_secret(struct ceph_crypto_key *dst, const char *name) {
+        struct key *ukey;
+        int key_err;
+        int err = 0;
+        struct ceph_crypto_key *ckey;
+        ukey = request_key(&key_type_ceph, name, NULL);
+        if (!ukey || IS_ERR(ukey)) {
+                /* request_key errors don't map nicely to mount(2)
+                   errors; don't even try, but still printk */
+                key_err = PTR_ERR(ukey);
+                switch (key_err) {
+                case -ENOKEY:
+                        pr_warning("ceph: Mount failed due to key not found: %s\n", name);
+                        break;
+                case -EKEYEXPIRED:
+                        pr_warning("ceph: Mount failed due to expired key: %s\n", name);
+                        break;
+                case -EKEYREVOKED:
+                        pr_warning("ceph: Mount failed due to revoked key: %s\n", name);
+                        break;
+                default:
+                        pr_warning("ceph: Mount failed due to unknown key error"
+                               " %d: %s\n", key_err, name);
+                }
+                err = -EPERM;
+                goto out;
+        }
+        ckey = ukey->payload.data;
+        err = ceph_crypto_key_clone(dst, ckey);
+        if (err)
+                goto out_key;
+        /* pass through, err is 0 */
+out_key:
+        key_put(ukey);
+out:
+        return err;
+}
 int ceph_parse_options(struct ceph_options **popt, char *options,
                       const char *dev_name, const char *dev_name_end,
                       int (*parse_extra_token)(char *c, void *private),
@@ -294,9 +365,24 @@ int ceph_parse_options(struct ceph_options **popt, char *options,
                                              GFP_KERNEL);
                        break;
                case Opt_secret:
-                        opt->secret = kstrndup(argstr[0].from,
+                        opt->key = kzalloc(sizeof(*opt->key), GFP_KERNEL);
-                                                argstr[0].to-argstr[0].from,
+                        if (!opt->key) {
-                                                GFP_KERNEL);
+                                err = -ENOMEM;
+                                goto out;
+                        }
+                        err = ceph_crypto_key_unarmor(opt->key, argstr[0].from);
+                        if (err < 0)
+                                goto out;
+                        break;
+                case Opt_key:
+                        opt->key = kzalloc(sizeof(*opt->key), GFP_KERNEL);
+                        if (!opt->key) {
+                                err = -ENOMEM;
+                                goto out;
+                        }
+                        err = get_secret(opt->key, argstr[0].from);
+                        if (err < 0)
+                                goto out;
                        break;
                        /* misc */
@@ -393,8 +479,8 @@ void ceph_destroy_client(struct ceph_client *client)
        ceph_osdc_stop(&client->osdc);
        /*
-         * make sure mds and osd connections close out before destroying
+         * make sure osd connections close out before destroying the
-         * the auth module, which is needed to free those connections'
+         * auth module, which is needed to free those connections'
         * ceph_authorizers.
         */
        ceph_msgr_flush();
@@ -495,10 +581,14 @@ static int __init init_ceph_lib(void)
        if (ret < 0)
                goto out;
-        ret = ceph_msgr_init();
+        ret = ceph_crypto_init();
        if (ret < 0)
                goto out_debugfs;
+        ret = ceph_msgr_init();
+        if (ret < 0)
+                goto out_crypto;
        pr_info("loaded (mon/osd proto %d/%d, osdmap %d/%d %d/%d)\n",
                CEPH_MONC_PROTOCOL, CEPH_OSDC_PROTOCOL,
                CEPH_OSDMAP_VERSION, CEPH_OSDMAP_VERSION_EXT,
@@ -506,6 +596,8 @@ static int __init init_ceph_lib(void)
        return 0;
+out_crypto:
+        ceph_crypto_shutdown();
 out_debugfs:
        ceph_debugfs_cleanup();
 out:
@@ -516,6 +608,7 @@ static void __exit exit_ceph_lib(void)
 {
        dout("exit_ceph_lib\n");
        ceph_msgr_exit();
+        ceph_crypto_shutdown();
        ceph_debugfs_cleanup();
 }
diff --git a/net/ceph/crypto.c b/net/ceph/crypto.c
index 7b505b0c983f..5a8009c9e0cd 100644
--- a/net/ceph/crypto.c
+++ b/net/ceph/crypto.c
@@ -5,10 +5,23 @@
 #include <linux/scatterlist.h>
 #include <linux/slab.h>
 #include <crypto/hash.h>
+#include <linux/key-type.h>
+#include <keys/ceph-type.h>
 #include <linux/ceph/decode.h>
 #include "crypto.h"
+int ceph_crypto_key_clone(struct ceph_crypto_key *dst,
+                          const struct ceph_crypto_key *src)
+{
+        memcpy(dst, src, sizeof(struct ceph_crypto_key));
+        dst->key = kmalloc(src->len, GFP_NOFS);
+        if (!dst->key)
+                return -ENOMEM;
+        memcpy(dst->key, src->key, src->len);
+        return 0;
+}
 int ceph_crypto_key_encode(struct ceph_crypto_key *key, void **p, void *end)
 {
        if (*p + sizeof(u16) + sizeof(key->created) +
@@ -410,3 +423,63 @@ int ceph_encrypt2(struct ceph_crypto_key *secret, void *dst, size_t *dst_len,
                return -EINVAL;
        }
 }
+int ceph_key_instantiate(struct key *key, const void *data, size_t datalen)
+{
+        struct ceph_crypto_key *ckey;
+        int ret;
+        void *p;
+        ret = -EINVAL;
+        if (datalen <= 0 || datalen > 32767 || !data)
+                goto err;
+        ret = key_payload_reserve(key, datalen);
+        if (ret < 0)
+                goto err;
+        ret = -ENOMEM;
+        ckey = kmalloc(sizeof(*ckey), GFP_KERNEL);
+        if (!ckey)
+                goto err;
+        /* TODO ceph_crypto_key_decode should really take const input */
+        p = (void*)data;
+        ret = ceph_crypto_key_decode(ckey, &p, (char*)data+datalen);
+        if (ret < 0)
+                goto err_ckey;
+        key->payload.data = ckey;
+        return 0;
+err_ckey:
+        kfree(ckey);
+err:
+        return ret;
+}
+int ceph_key_match(const struct key *key, const void *description)
+{
+        return strcmp(key->description, description) == 0;
+}
+void ceph_key_destroy(struct key *key) {
+        struct ceph_crypto_key *ckey = key->payload.data;
+        ceph_crypto_key_destroy(ckey);
+}
+struct key_type key_type_ceph = {
+        .name           = "ceph",
+        .instantiate    = ceph_key_instantiate,
+        .match          = ceph_key_match,
+        .destroy        = ceph_key_destroy,
+};
+int ceph_crypto_init(void) {
+        return register_key_type(&key_type_ceph);
+}
+void ceph_crypto_shutdown(void) {
+        unregister_key_type(&key_type_ceph);
+}
diff --git a/net/ceph/crypto.h b/net/ceph/crypto.h
index f9eccace592b..1919d1550d75 100644
--- a/net/ceph/crypto.h
+++ b/net/ceph/crypto.h
@@ -19,6 +19,8 @@ static inline void ceph_crypto_key_destroy(struct ceph_crypto_key *key)
        kfree(key->key);
 }
+extern int ceph_crypto_key_clone(struct ceph_crypto_key *dst,
+                                 const struct ceph_crypto_key *src);
 extern int ceph_crypto_key_encode(struct ceph_crypto_key *key,
                                  void **p, void *end);
 extern int ceph_crypto_key_decode(struct ceph_crypto_key *key,
@@ -40,6 +42,8 @@ extern int ceph_encrypt2(struct ceph_crypto_key *secret,
                         void *dst, size_t *dst_len,
                         const void *src1, size_t src1_len,
                         const void *src2, size_t src2_len);
+extern int ceph_crypto_init(void);
+extern void ceph_crypto_shutdown(void);
 /* armor.c */
 extern int ceph_armor(char *dst, const char *src, const char *end);
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 35b36b86d762..e15a82ccc05f 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -336,7 +336,6 @@ static void reset_connection(struct ceph_connection *con)
                ceph_msg_put(con->out_msg);
                con->out_msg = NULL;
        }
-        con->out_keepalive_pending = false;
        con->in_seq = 0;
        con->in_seq_acked = 0;
 }
@@ -1248,8 +1247,6 @@ static int process_connect(struct ceph_connection *con)
                     con->auth_retry);
                if (con->auth_retry == 2) {
                        con->error_msg = "connect authorization failure";
-                        reset_connection(con);
-                        set_bit(CLOSED, &con->state);
                        return -1;
                }
                con->auth_retry = 1;
@@ -1715,14 +1712,6 @@ more:
        /* open the socket first? */
        if (con->sock == NULL) {
-                /*
-                 * if we were STANDBY and are reconnecting _this_
-                 * connection, bump connect_seq now.  Always bump
-                 * global_seq.
-                 */
-                if (test_and_clear_bit(STANDBY, &con->state))
-                        con->connect_seq++;
                prepare_write_banner(msgr, con);
                prepare_write_connect(msgr, con, 1);
                prepare_read_banner(con);
@@ -1951,7 +1940,24 @@ static void con_work(struct work_struct *work)
                                                   work.work);
        mutex_lock(&con->mutex);
+        if (test_and_clear_bit(BACKOFF, &con->state)) {
+                dout("con_work %p backing off\n", con);
+                if (queue_delayed_work(ceph_msgr_wq, &con->work,
+                                       round_jiffies_relative(con->delay))) {
+                        dout("con_work %p backoff %lu\n", con, con->delay);
+                        mutex_unlock(&con->mutex);
+                        return;
+                } else {
+                        con->ops->put(con);
+                        dout("con_work %p FAILED to back off %lu\n", con,
+                             con->delay);
+                }
+        }
+        if (test_bit(STANDBY, &con->state)) {
+                dout("con_work %p STANDBY\n", con);
+                goto done;
+        }
        if (test_bit(CLOSED, &con->state)) { /* e.g. if we are replaced */
                dout("con_work CLOSED\n");
                con_close_socket(con);
@@ -2008,10 +2014,12 @@ static void ceph_fault(struct ceph_connection *con)
        /* Requeue anything that hasn't been acked */
        list_splice_init(&con->out_sent, &con->out_queue);
-        /* If there are no messages in the queue, place the connection
+        /* If there are no messages queued or keepalive pending, place
-         * in a STANDBY state (i.e., don't try to reconnect just yet). */
+         * the connection in a STANDBY state */
-        if (list_empty(&con->out_queue) && !con->out_keepalive_pending) {
+        if (list_empty(&con->out_queue) &&
-                dout("fault setting STANDBY\n");
+            !test_bit(KEEPALIVE_PENDING, &con->state)) {
+                dout("fault %p setting STANDBY clearing WRITE_PENDING\n", con);
+                clear_bit(WRITE_PENDING, &con->state);
                set_bit(STANDBY, &con->state);
        } else {
                /* retry after a delay. */
@@ -2019,11 +2027,24 @@ static void ceph_fault(struct ceph_connection *con)
                        con->delay = BASE_DELAY_INTERVAL;
                else if (con->delay < MAX_DELAY_INTERVAL)
                        con->delay *= 2;
-                dout("fault queueing %p delay %lu\n", con, con->delay);
                con->ops->get(con);
                if (queue_delayed_work(ceph_msgr_wq, &con->work,
-                                       round_jiffies_relative(con->delay)) == 0)
+                                       round_jiffies_relative(con->delay))) {
+                        dout("fault queued %p delay %lu\n", con, con->delay);
+                } else {
                        con->ops->put(con);
+                        dout("fault failed to queue %p delay %lu, backoff\n",
+                             con, con->delay);
+                        /*
+                         * In many cases we see a socket state change
+                         * while con_work is running and end up
+                         * queuing (non-delayed) work, such that we
+                         * can't backoff with a delay.  Set a flag so
+                         * that when con_work restarts we schedule the
+                         * delay then.
+                         */
+                        set_bit(BACKOFF, &con->state);
+                }
        }
 out_unlock:
@@ -2094,6 +2115,19 @@ void ceph_messenger_destroy(struct ceph_messenger *msgr)
 }
 EXPORT_SYMBOL(ceph_messenger_destroy);
+static void clear_standby(struct ceph_connection *con)
+{
+        /* come back from STANDBY? */
+        if (test_and_clear_bit(STANDBY, &con->state)) {
+                mutex_lock(&con->mutex);
+                dout("clear_standby %p and ++connect_seq\n", con);
+                con->connect_seq++;
+                WARN_ON(test_bit(WRITE_PENDING, &con->state));
+                WARN_ON(test_bit(KEEPALIVE_PENDING, &con->state));
+                mutex_unlock(&con->mutex);
+        }
+}
 /*
 * Queue up an outgoing message on the given connection.
 */
@@ -2126,6 +2160,7 @@ void ceph_con_send(struct ceph_connection *con, struct ceph_msg *msg)
        /* if there wasn't anything waiting to send before, queue
         * new work */
+        clear_standby(con);
        if (test_and_set_bit(WRITE_PENDING, &con->state) == 0)
                queue_con(con);
 }
@@ -2191,6 +2226,8 @@ void ceph_con_revoke_message(struct ceph_connection *con, struct ceph_msg *msg)
 */
 void ceph_con_keepalive(struct ceph_connection *con)
 {
+        dout("con_keepalive %p\n", con);
+        clear_standby(con);
        if (test_and_set_bit(KEEPALIVE_PENDING, &con->state) == 0 &&
            test_and_set_bit(WRITE_PENDING, &con->state) == 0)
                queue_con(con);
@@ -2230,6 +2267,19 @@ struct ceph_msg *ceph_msg_new(int type, int front_len, gfp_t flags)
        m->more_to_follow = false;
        m->pool = NULL;
+        /* middle */
+        m->middle = NULL;
+        /* data */
+        m->nr_pages = 0;
+        m->page_alignment = 0;
+        m->pages = NULL;
+        m->pagelist = NULL;
+        m->bio = NULL;
+        m->bio_iter = NULL;
+        m->bio_seg = 0;
+        m->trail = NULL;
        /* front */
        if (front_len) {
                if (front_len > PAGE_CACHE_SIZE) {
@@ -2249,19 +2299,6 @@ struct ceph_msg *ceph_msg_new(int type, int front_len, gfp_t flags)
        }
        m->front.iov_len = front_len;
-        /* middle */
-        m->middle = NULL;
-        /* data */
-        m->nr_pages = 0;
-        m->page_alignment = 0;
-        m->pages = NULL;
-        m->pagelist = NULL;
-        m->bio = NULL;
-        m->bio_iter = NULL;
-        m->bio_seg = 0;
-        m->trail = NULL;
        dout("ceph_msg_new %p front %d\n", m, front_len);
        return m;
diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
index 8a079399174a..cbe31fa45508 100644
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -759,7 +759,7 @@ int ceph_monc_init(struct ceph_mon_client *monc, struct ceph_client *cl)
        /* authentication */
        monc->auth = ceph_auth_init(cl->options->name,
-                                    cl->options->secret);
+                                    cl->options->key);
        if (IS_ERR(monc->auth))
                return PTR_ERR(monc->auth);
        monc->auth->want_keys =
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index 3e20a122ffa2..6b5dda1cb5df 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -22,10 +22,15 @@
 #define OSD_OPREPLY_FRONT_LEN   512
 static const struct ceph_connection_operations osd_con_ops;
-static int __kick_requests(struct ceph_osd_client *osdc,
-                          struct ceph_osd *kickosd);
-static void kick_requests(struct ceph_osd_client *osdc, struct ceph_osd *osd);
+static void send_queued(struct ceph_osd_client *osdc);
+static int __reset_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd);
+static void __register_request(struct ceph_osd_client *osdc,
+                               struct ceph_osd_request *req);
+static void __unregister_linger_request(struct ceph_osd_client *osdc,
+                                        struct ceph_osd_request *req);
+static int __send_request(struct ceph_osd_client *osdc,
+                          struct ceph_osd_request *req);
 static int op_needs_trail(int op)
 {
@@ -34,6 +39,7 @@ static int op_needs_trail(int op)
        case CEPH_OSD_OP_SETXATTR:
        case CEPH_OSD_OP_CMPXATTR:
        case CEPH_OSD_OP_CALL:
+        case CEPH_OSD_OP_NOTIFY:
                return 1;
        default:
                return 0;
@@ -209,6 +215,8 @@ struct ceph_osd_request *ceph_osdc_alloc_request(struct ceph_osd_client *osdc,
        init_completion(&req->r_completion);
        init_completion(&req->r_safe_completion);
        INIT_LIST_HEAD(&req->r_unsafe_item);
+        INIT_LIST_HEAD(&req->r_linger_item);
+        INIT_LIST_HEAD(&req->r_linger_osd);
        req->r_flags = flags;
        WARN_ON((flags & (CEPH_OSD_FLAG_READ|CEPH_OSD_FLAG_WRITE)) == 0);
@@ -315,6 +323,24 @@ static void osd_req_encode_op(struct ceph_osd_request *req,
                break;
        case CEPH_OSD_OP_STARTSYNC:
                break;
+        case CEPH_OSD_OP_NOTIFY:
+                {
+                        __le32 prot_ver = cpu_to_le32(src->watch.prot_ver);
+                        __le32 timeout = cpu_to_le32(src->watch.timeout);
+                        BUG_ON(!req->r_trail);
+                        ceph_pagelist_append(req->r_trail,
+                                                &prot_ver, sizeof(prot_ver));
+                        ceph_pagelist_append(req->r_trail,
+                                                &timeout, sizeof(timeout));
+                }
+        case CEPH_OSD_OP_NOTIFY_ACK:
+        case CEPH_OSD_OP_WATCH:
+                dst->watch.cookie = cpu_to_le64(src->watch.cookie);
+                dst->watch.ver = cpu_to_le64(src->watch.ver);
+                dst->watch.flag = src->watch.flag;
+                break;
        default:
                pr_err("unrecognized osd opcode %d\n", dst->op);
                WARN_ON(1);
@@ -444,8 +470,8 @@ struct ceph_osd_request *ceph_osdc_new_request(struct ceph_osd_client *osdc,
                                         snapc, ops,
                                         use_mempool,
                                         GFP_NOFS, NULL, NULL);
-        if (IS_ERR(req))
+        if (!req)
-                return req;
+                return NULL;
        /* calculate max write size */
        calc_layout(osdc, vino, layout, off, plen, req, ops);
@@ -529,6 +555,51 @@ __lookup_request_ge(struct ceph_osd_client *osdc,
        return NULL;
 }
+/*
+ * Resubmit requests pending on the given osd.
+ */
+static void __kick_osd_requests(struct ceph_osd_client *osdc,
+                                struct ceph_osd *osd)
+{
+        struct ceph_osd_request *req, *nreq;
+        int err;
+        dout("__kick_osd_requests osd%d\n", osd->o_osd);
+        err = __reset_osd(osdc, osd);
+        if (err == -EAGAIN)
+                return;
+        list_for_each_entry(req, &osd->o_requests, r_osd_item) {
+                list_move(&req->r_req_lru_item, &osdc->req_unsent);
+                dout("requeued %p tid %llu osd%d\n", req, req->r_tid,
+                     osd->o_osd);
+                if (!req->r_linger)
+                        req->r_flags |= CEPH_OSD_FLAG_RETRY;
+        }
+        list_for_each_entry_safe(req, nreq, &osd->o_linger_requests,
+                                 r_linger_osd) {
+                /*
+                 * reregister request prior to unregistering linger so
+                 * that r_osd is preserved.
+                 */
+                BUG_ON(!list_empty(&req->r_req_lru_item));
+                __register_request(osdc, req);
+                list_add(&req->r_req_lru_item, &osdc->req_unsent);
+                list_add(&req->r_osd_item, &req->r_osd->o_requests);
+                __unregister_linger_request(osdc, req);
+                dout("requeued lingering %p tid %llu osd%d\n", req, req->r_tid,
+                     osd->o_osd);
+        }
+}
+static void kick_osd_requests(struct ceph_osd_client *osdc,
+                              struct ceph_osd *kickosd)
+{
+        mutex_lock(&osdc->request_mutex);
+        __kick_osd_requests(osdc, kickosd);
+        mutex_unlock(&osdc->request_mutex);
+}
 /*
 * If the osd connection drops, we need to resubmit all requests.
@@ -543,7 +614,8 @@ static void osd_reset(struct ceph_connection *con)
        dout("osd_reset osd%d\n", osd->o_osd);
        osdc = osd->o_osdc;
        down_read(&osdc->map_sem);
-        kick_requests(osdc, osd);
+        kick_osd_requests(osdc, osd);
+        send_queued(osdc);
        up_read(&osdc->map_sem);
 }
@@ -561,6 +633,7 @@ static struct ceph_osd *create_osd(struct ceph_osd_client *osdc)
        atomic_set(&osd->o_ref, 1);
        osd->o_osdc = osdc;
        INIT_LIST_HEAD(&osd->o_requests);
+        INIT_LIST_HEAD(&osd->o_linger_requests);
        INIT_LIST_HEAD(&osd->o_osd_lru);
        osd->o_incarnation = 1;
@@ -650,7 +723,8 @@ static int __reset_osd(struct ceph_osd_client *osdc, struct ceph_osd *osd)
        int ret = 0;
        dout("__reset_osd %p osd%d\n", osd, osd->o_osd);
-        if (list_empty(&osd->o_requests)) {
+        if (list_empty(&osd->o_requests) &&
+            list_empty(&osd->o_linger_requests)) {
                __remove_osd(osdc, osd);
        } else if (memcmp(&osdc->osdmap->osd_addr[osd->o_osd],
                          &osd->o_con.peer_addr,
@@ -723,15 +797,14 @@ static void __cancel_osd_timeout(struct ceph_osd_client *osdc)
 * Register request, assign tid.  If this is the first request, set up
 * the timeout event.
 */
-static void register_request(struct ceph_osd_client *osdc,
+static void __register_request(struct ceph_osd_client *osdc,
-                             struct ceph_osd_request *req)
+                               struct ceph_osd_request *req)
 {
-        mutex_lock(&osdc->request_mutex);
        req->r_tid = ++osdc->last_tid;
        req->r_request->hdr.tid = cpu_to_le64(req->r_tid);
        INIT_LIST_HEAD(&req->r_req_lru_item);
-        dout("register_request %p tid %lld\n", req, req->r_tid);
+        dout("__register_request %p tid %lld\n", req, req->r_tid);
        __insert_request(osdc, req);
        ceph_osdc_get_request(req);
        osdc->num_requests++;
@@ -740,6 +813,13 @@ static void register_request(struct ceph_osd_client *osdc,
                dout(" first request, scheduling timeout\n");
                __schedule_osd_timeout(osdc);
        }
+}
+static void register_request(struct ceph_osd_client *osdc,
+                             struct ceph_osd_request *req)
+{
+        mutex_lock(&osdc->request_mutex);
+        __register_request(osdc, req);
        mutex_unlock(&osdc->request_mutex);
 }
@@ -758,9 +838,13 @@ static void __unregister_request(struct ceph_osd_client *osdc,
                ceph_con_revoke(&req->r_osd->o_con, req->r_request);
                list_del_init(&req->r_osd_item);
-                if (list_empty(&req->r_osd->o_requests))
+                if (list_empty(&req->r_osd->o_requests) &&
+                    list_empty(&req->r_osd->o_linger_requests)) {
+                        dout("moving osd to %p lru\n", req->r_osd);
                        __move_osd_to_lru(osdc, req->r_osd);
-                req->r_osd = NULL;
+                }
+                if (list_empty(&req->r_linger_item))
+                        req->r_osd = NULL;
        }
        ceph_osdc_put_request(req);
@@ -781,20 +865,73 @@ static void __cancel_request(struct ceph_osd_request *req)
                ceph_con_revoke(&req->r_osd->o_con, req->r_request);
                req->r_sent = 0;
        }
-        list_del_init(&req->r_req_lru_item);
 }
+static void __register_linger_request(struct ceph_osd_client *osdc,
+                                    struct ceph_osd_request *req)
+{
+        dout("__register_linger_request %p\n", req);
+        list_add_tail(&req->r_linger_item, &osdc->req_linger);
+        list_add_tail(&req->r_linger_osd, &req->r_osd->o_linger_requests);
+}
+static void __unregister_linger_request(struct ceph_osd_client *osdc,
+                                        struct ceph_osd_request *req)
+{
+        dout("__unregister_linger_request %p\n", req);
+        if (req->r_osd) {
+                list_del_init(&req->r_linger_item);
+                list_del_init(&req->r_linger_osd);
+                if (list_empty(&req->r_osd->o_requests) &&
+                    list_empty(&req->r_osd->o_linger_requests)) {
+                        dout("moving osd to %p lru\n", req->r_osd);
+                        __move_osd_to_lru(osdc, req->r_osd);
+                }
+                if (list_empty(&req->r_osd_item))
+                        req->r_osd = NULL;
+        }
+}
+void ceph_osdc_unregister_linger_request(struct ceph_osd_client *osdc,
+                                         struct ceph_osd_request *req)
+{
+        mutex_lock(&osdc->request_mutex);
+        if (req->r_linger) {
+                __unregister_linger_request(osdc, req);
+                ceph_osdc_put_request(req);
+        }
+        mutex_unlock(&osdc->request_mutex);
+}
+EXPORT_SYMBOL(ceph_osdc_unregister_linger_request);
+void ceph_osdc_set_request_linger(struct ceph_osd_client *osdc,
+                                  struct ceph_osd_request *req)
+{
+        if (!req->r_linger) {
+                dout("set_request_linger %p\n", req);
+                req->r_linger = 1;
+                /*
+                 * caller is now responsible for calling
+                 * unregister_linger_request
+                 */
+                ceph_osdc_get_request(req);
+        }
+}
+EXPORT_SYMBOL(ceph_osdc_set_request_linger);
 /*
 * Pick an osd (the first 'up' osd in the pg), allocate the osd struct
 * (as needed), and set the request r_osd appropriately.  If there is
- * no up osd, set r_osd to NULL.
+ * no up osd, set r_osd to NULL.  Move the request to the appropriate list
+ * (unsent, homeless) or leave on in-flight lru.
 *
 * Return 0 if unchanged, 1 if changed, or negative on error.
 *
 * Caller should hold map_sem for read and request_mutex.
 */
-static int __map_osds(struct ceph_osd_client *osdc,
+static int __map_request(struct ceph_osd_client *osdc,
-                      struct ceph_osd_request *req)
+                         struct ceph_osd_request *req)
 {
        struct ceph_osd_request_head *reqhead = req->r_request->front.iov_base;
        struct ceph_pg pgid;
@@ -802,11 +939,13 @@ static int __map_osds(struct ceph_osd_client *osdc,
        int o = -1, num = 0;
        int err;
-        dout("map_osds %p tid %lld\n", req, req->r_tid);
+        dout("map_request %p tid %lld\n", req, req->r_tid);
        err = ceph_calc_object_layout(&reqhead->layout, req->r_oid,
                                      &req->r_file_layout, osdc->osdmap);
-        if (err)
+        if (err) {
+                list_move(&req->r_req_lru_item, &osdc->req_notarget);
                return err;
+        }
        pgid = reqhead->layout.ol_pgid;
        req->r_pgid = pgid;
@@ -823,7 +962,7 @@ static int __map_osds(struct ceph_osd_client *osdc,
            (req->r_osd == NULL && o == -1))
                return 0;  /* no change */
-        dout("map_osds tid %llu pgid %d.%x osd%d (was osd%d)\n",
+        dout("map_request tid %llu pgid %d.%x osd%d (was osd%d)\n",
             req->r_tid, le32_to_cpu(pgid.pool), le16_to_cpu(pgid.ps), o,
             req->r_osd ? req->r_osd->o_osd : -1);
@@ -841,10 +980,12 @@ static int __map_osds(struct ceph_osd_client *osdc,
        if (!req->r_osd && o >= 0) {
                err = -ENOMEM;
                req->r_osd = create_osd(osdc);
-                if (!req->r_osd)
+                if (!req->r_osd) {
+                        list_move(&req->r_req_lru_item, &osdc->req_notarget);
                        goto out;
+                }
-                dout("map_osds osd %p is osd%d\n", req->r_osd, o);
+                dout("map_request osd %p is osd%d\n", req->r_osd, o);
                req->r_osd->o_osd = o;
                req->r_osd->o_con.peer_name.num = cpu_to_le64(o);
                __insert_osd(osdc, req->r_osd);
@@ -855,6 +996,9 @@ static int __map_osds(struct ceph_osd_client *osdc,
        if (req->r_osd) {
                __remove_osd_from_lru(req->r_osd);
                list_add(&req->r_osd_item, &req->r_osd->o_requests);
+                list_move(&req->r_req_lru_item, &osdc->req_unsent);
+        } else {
+                list_move(&req->r_req_lru_item, &osdc->req_notarget);
        }
        err = 1;   /* osd or pg changed */
@@ -869,16 +1013,6 @@ static int __send_request(struct ceph_osd_client *osdc,
                          struct ceph_osd_request *req)
 {
        struct ceph_osd_request_head *reqhead;
-        int err;
-        err = __map_osds(osdc, req);
-        if (err < 0)
-                return err;
-        if (req->r_osd == NULL) {
-                dout("send_request %p no up osds in pg\n", req);
-                ceph_monc_request_next_osdmap(&osdc->client->monc);
-                return 0;
-        }
        dout("send_request %p tid %llu to osd%d flags %d\n",
             req, req->r_tid, req->r_osd->o_osd, req->r_flags);
@@ -898,6 +1032,21 @@ static int __send_request(struct ceph_osd_client *osdc,
 }
 /*
+ * Send any requests in the queue (req_unsent).
+ */
+static void send_queued(struct ceph_osd_client *osdc)
+{
+        struct ceph_osd_request *req, *tmp;
+        dout("send_queued\n");
+        mutex_lock(&osdc->request_mutex);
+        list_for_each_entry_safe(req, tmp, &osdc->req_unsent, r_req_lru_item) {
+                __send_request(osdc, req);
+        }
+        mutex_unlock(&osdc->request_mutex);
+}
+/*
 * Timeout callback, called every N seconds when 1 or more osd
 * requests has been active for more than N seconds.  When this
 * happens, we ping all OSDs with requests who have timed out to
@@ -916,30 +1065,13 @@ static void handle_timeout(struct work_struct *work)
        unsigned long keepalive =
                osdc->client->options->osd_keepalive_timeout * HZ;
        unsigned long last_stamp = 0;
-        struct rb_node *p;
        struct list_head slow_osds;
        dout("timeout\n");
        down_read(&osdc->map_sem);
        ceph_monc_request_next_osdmap(&osdc->client->monc);
        mutex_lock(&osdc->request_mutex);
-        for (p = rb_first(&osdc->requests); p; p = rb_next(p)) {
-                req = rb_entry(p, struct ceph_osd_request, r_node);
-                if (req->r_resend) {
-                        int err;
-                        dout("osdc resending prev failed %lld\n", req->r_tid);
-                        err = __send_request(osdc, req);
-                        if (err)
-                                dout("osdc failed again on %lld\n", req->r_tid);
-                        else
-                                req->r_resend = false;
-                        continue;
-                }
-        }
        /*
         * reset osds that appear to be _really_ unresponsive.  this
@@ -963,7 +1095,7 @@ static void handle_timeout(struct work_struct *work)
                BUG_ON(!osd);
                pr_warning(" tid %llu timed out on osd%d, will reset osd\n",
                           req->r_tid, osd->o_osd);
-                __kick_requests(osdc, osd);
+                __kick_osd_requests(osdc, osd);
        }
        /*
@@ -991,7 +1123,7 @@ static void handle_timeout(struct work_struct *work)
        __schedule_osd_timeout(osdc);
        mutex_unlock(&osdc->request_mutex);
+        send_queued(osdc);
        up_read(&osdc->map_sem);
 }
@@ -1035,7 +1167,6 @@ static void handle_reply(struct ceph_osd_client *osdc, struct ceph_msg *msg,
            numops * sizeof(struct ceph_osd_op))
                goto bad;
        dout("handle_reply %p tid %llu result %d\n", msg, tid, (int)result);
        /* lookup */
        mutex_lock(&osdc->request_mutex);
        req = __lookup_request(osdc, tid);
@@ -1079,6 +1210,9 @@ static void handle_reply(struct ceph_osd_client *osdc, struct ceph_msg *msg,
        dout("handle_reply tid %llu flags %d\n", tid, flags);
+        if (req->r_linger && (flags & CEPH_OSD_FLAG_ONDISK))
+                __register_linger_request(osdc, req);
        /* either this is a read, or we got the safe response */
        if (result < 0 ||
            (flags & CEPH_OSD_FLAG_ONDISK) ||
@@ -1099,6 +1233,7 @@ static void handle_reply(struct ceph_osd_client *osdc, struct ceph_msg *msg,
        }
 done:
+        dout("req=%p req->r_linger=%d\n", req, req->r_linger);
        ceph_osdc_put_request(req);
        return;
@@ -1109,108 +1244,83 @@ bad:
        ceph_msg_dump(msg);
 }
+static void reset_changed_osds(struct ceph_osd_client *osdc)
-static int __kick_requests(struct ceph_osd_client *osdc,
-                          struct ceph_osd *kickosd)
 {
-        struct ceph_osd_request *req;
        struct rb_node *p, *n;
-        int needmap = 0;
-        int err;
-        dout("kick_requests osd%d\n", kickosd ? kickosd->o_osd : -1);
+        for (p = rb_first(&osdc->osds); p; p = n) {
-        if (kickosd) {
+                struct ceph_osd *osd = rb_entry(p, struct ceph_osd, o_node);
-                err = __reset_osd(osdc, kickosd);
-                if (err == -EAGAIN)
+                n = rb_next(p);
-                        return 1;
+                if (!ceph_osd_is_up(osdc->osdmap, osd->o_osd) ||
-        } else {
+                    memcmp(&osd->o_con.peer_addr,
-                for (p = rb_first(&osdc->osds); p; p = n) {
+                           ceph_osd_addr(osdc->osdmap,
-                        struct ceph_osd *osd =
+                                         osd->o_osd),
-                                rb_entry(p, struct ceph_osd, o_node);
+                           sizeof(struct ceph_entity_addr)) != 0)
+                        __reset_osd(osdc, osd);
-                        n = rb_next(p);
-                        if (!ceph_osd_is_up(osdc->osdmap, osd->o_osd) ||
-                            memcmp(&osd->o_con.peer_addr,
-                                   ceph_osd_addr(osdc->osdmap,
-                                                 osd->o_osd),
-                                   sizeof(struct ceph_entity_addr)) != 0)
-                                __reset_osd(osdc, osd);
-                }
        }
+}
+/*
+ * Requeue requests whose mapping to an OSD has changed.  If requests map to
+ * no osd, request a new map.
+ *
+ * Caller should hold map_sem for read and request_mutex.
+ */
+static void kick_requests(struct ceph_osd_client *osdc)
+{
+        struct ceph_osd_request *req, *nreq;
+        struct rb_node *p;
+        int needmap = 0;
+        int err;
+        dout("kick_requests\n");
+        mutex_lock(&osdc->request_mutex);
        for (p = rb_first(&osdc->requests); p; p = rb_next(p)) {
                req = rb_entry(p, struct ceph_osd_request, r_node);
+                err = __map_request(osdc, req);
-                if (req->r_resend) {
+                if (err < 0)
-                        dout(" r_resend set on tid %llu\n", req->r_tid);
+                        continue;  /* error */
-                        __cancel_request(req);
+                if (req->r_osd == NULL) {
-                        goto kick;
+                        dout("%p tid %llu maps to no osd\n", req, req->r_tid);
-                }
+                        needmap++;  /* request a newer map */
-                if (req->r_osd && kickosd == req->r_osd) {
+                } else if (err > 0) {
-                        __cancel_request(req);
+                        dout("%p tid %llu requeued on osd%d\n", req, req->r_tid,
-                        goto kick;
+                             req->r_osd ? req->r_osd->o_osd : -1);
+                        if (!req->r_linger)
+                                req->r_flags |= CEPH_OSD_FLAG_RETRY;
                }
+        }
-                err = __map_osds(osdc, req);
+        list_for_each_entry_safe(req, nreq, &osdc->req_linger,
+                                 r_linger_item) {
+                dout("linger req=%p req->r_osd=%p\n", req, req->r_osd);
+                err = __map_request(osdc, req);
                if (err == 0)
-                        continue;  /* no change */
+                        continue;  /* no change and no osd was specified */
-                if (err < 0) {
+                if (err < 0)
-                        /*
+                        continue;  /* hrm! */
-                         * FIXME: really, we should set the request
-                         * error and fail if this isn't a 'nofail'
-                         * request, but that's a fair bit more
-                         * complicated to do.  So retry!
-                         */
-                        dout(" setting r_resend on %llu\n", req->r_tid);
-                        req->r_resend = true;
-                        continue;
-                }
                if (req->r_osd == NULL) {
                        dout("tid %llu maps to no valid osd\n", req->r_tid);
                        needmap++;  /* request a newer map */
                        continue;
                }
-kick:
+                dout("kicking lingering %p tid %llu osd%d\n", req, req->r_tid,
-                dout("kicking %p tid %llu osd%d\n", req, req->r_tid,
                     req->r_osd ? req->r_osd->o_osd : -1);
-                req->r_flags |= CEPH_OSD_FLAG_RETRY;
+                __unregister_linger_request(osdc, req);
-                err = __send_request(osdc, req);
+                __register_request(osdc, req);
-                if (err) {
-                        dout(" setting r_resend on %llu\n", req->r_tid);
-                        req->r_resend = true;
-                }
        }
-        return needmap;
-}
-/*
- * Resubmit osd requests whose osd or osd address has changed.  Request
- * a new osd map if osds are down, or we are otherwise unable to determine
- * how to direct a request.
- *
- * Close connections to down osds.
- *
- * If @who is specified, resubmit requests for that specific osd.
- *
- * Caller should hold map_sem for read and request_mutex.
- */
-static void kick_requests(struct ceph_osd_client *osdc,
-                          struct ceph_osd *kickosd)
-{
-        int needmap;
-        mutex_lock(&osdc->request_mutex);
-        needmap = __kick_requests(osdc, kickosd);
        mutex_unlock(&osdc->request_mutex);
        if (needmap) {
                dout("%d requests for down osds, need new map\n", needmap);
                ceph_monc_request_next_osdmap(&osdc->client->monc);
        }
 }
 /*
 * Process updated osd map.
 *
@@ -1263,6 +1373,8 @@ void ceph_osdc_handle_map(struct ceph_osd_client *osdc, struct ceph_msg *msg)
                                ceph_osdmap_destroy(osdc->osdmap);
                                osdc->osdmap = newmap;
                        }
+                        kick_requests(osdc);
+                        reset_changed_osds(osdc);
                } else {
                        dout("ignoring incremental map %u len %d\n",
                             epoch, maplen);
@@ -1300,6 +1412,7 @@ void ceph_osdc_handle_map(struct ceph_osd_client *osdc, struct ceph_msg *msg)
                        osdc->osdmap = newmap;
                        if (oldmap)
                                ceph_osdmap_destroy(oldmap);
+                        kick_requests(osdc);
                }
                p += maplen;
                nr_maps--;
@@ -1308,8 +1421,7 @@ void ceph_osdc_handle_map(struct ceph_osd_client *osdc, struct ceph_msg *msg)
 done:
        downgrade_write(&osdc->map_sem);
        ceph_monc_got_osdmap(&osdc->client->monc, osdc->osdmap->epoch);
-        if (newmap)
+        send_queued(osdc);
-                kick_requests(osdc, NULL);
        up_read(&osdc->map_sem);
        wake_up_all(&osdc->client->auth_wq);
        return;
@@ -1322,6 +1434,223 @@ bad:
 }
 /*
+ * watch/notify callback event infrastructure
+ *
+ * These callbacks are used both for watch and notify operations.
+ */
+static void __release_event(struct kref *kref)
+{
+        struct ceph_osd_event *event =
+                container_of(kref, struct ceph_osd_event, kref);
+        dout("__release_event %p\n", event);
+        kfree(event);
+}
+static void get_event(struct ceph_osd_event *event)
+{
+        kref_get(&event->kref);
+}
+void ceph_osdc_put_event(struct ceph_osd_event *event)
+{
+        kref_put(&event->kref, __release_event);
+}
+EXPORT_SYMBOL(ceph_osdc_put_event);
+static void __insert_event(struct ceph_osd_client *osdc,
+                             struct ceph_osd_event *new)
+{
+        struct rb_node **p = &osdc->event_tree.rb_node;
+        struct rb_node *parent = NULL;
+        struct ceph_osd_event *event = NULL;
+        while (*p) {
+                parent = *p;
+                event = rb_entry(parent, struct ceph_osd_event, node);
+                if (new->cookie < event->cookie)
+                        p = &(*p)->rb_left;
+                else if (new->cookie > event->cookie)
+                        p = &(*p)->rb_right;
+                else
+                        BUG();
+        }
+        rb_link_node(&new->node, parent, p);
+        rb_insert_color(&new->node, &osdc->event_tree);
+}
+static struct ceph_osd_event *__find_event(struct ceph_osd_client *osdc,
+                                                u64 cookie)
+{
+        struct rb_node **p = &osdc->event_tree.rb_node;
+        struct rb_node *parent = NULL;
+        struct ceph_osd_event *event = NULL;
+        while (*p) {
+                parent = *p;
+                event = rb_entry(parent, struct ceph_osd_event, node);
+                if (cookie < event->cookie)
+                        p = &(*p)->rb_left;
+                else if (cookie > event->cookie)
+                        p = &(*p)->rb_right;
+                else
+                        return event;
+        }
+        return NULL;
+}
+static void __remove_event(struct ceph_osd_event *event)
+{
+        struct ceph_osd_client *osdc = event->osdc;
+        if (!RB_EMPTY_NODE(&event->node)) {
+                dout("__remove_event removed %p\n", event);
+                rb_erase(&event->node, &osdc->event_tree);
+                ceph_osdc_put_event(event);
+        } else {
+                dout("__remove_event didn't remove %p\n", event);
+        }
+}
+int ceph_osdc_create_event(struct ceph_osd_client *osdc,
+                           void (*event_cb)(u64, u64, u8, void *),
+                           int one_shot, void *data,
+                           struct ceph_osd_event **pevent)
+{
+        struct ceph_osd_event *event;
+        event = kmalloc(sizeof(*event), GFP_NOIO);
+        if (!event)
+                return -ENOMEM;
+        dout("create_event %p\n", event);
+        event->cb = event_cb;
+        event->one_shot = one_shot;
+        event->data = data;
+        event->osdc = osdc;
+        INIT_LIST_HEAD(&event->osd_node);
+        kref_init(&event->kref);   /* one ref for us */
+        kref_get(&event->kref);    /* one ref for the caller */
+        init_completion(&event->completion);
+        spin_lock(&osdc->event_lock);
+        event->cookie = ++osdc->event_count;
+        __insert_event(osdc, event);
+        spin_unlock(&osdc->event_lock);
+        *pevent = event;
+        return 0;
+}
+EXPORT_SYMBOL(ceph_osdc_create_event);
+void ceph_osdc_cancel_event(struct ceph_osd_event *event)
+{
+        struct ceph_osd_client *osdc = event->osdc;
+        dout("cancel_event %p\n", event);
+        spin_lock(&osdc->event_lock);
+        __remove_event(event);
+        spin_unlock(&osdc->event_lock);
+        ceph_osdc_put_event(event); /* caller's */
+}
+EXPORT_SYMBOL(ceph_osdc_cancel_event);
+static void do_event_work(struct work_struct *work)
+{
+        struct ceph_osd_event_work *event_work =
+                container_of(work, struct ceph_osd_event_work, work);
+        struct ceph_osd_event *event = event_work->event;
+        u64 ver = event_work->ver;
+        u64 notify_id = event_work->notify_id;
+        u8 opcode = event_work->opcode;
+        dout("do_event_work completing %p\n", event);
+        event->cb(ver, notify_id, opcode, event->data);
+        complete(&event->completion);
+        dout("do_event_work completed %p\n", event);
+        ceph_osdc_put_event(event);
+        kfree(event_work);
+}
+/*
+ * Process osd watch notifications
+ */
+void handle_watch_notify(struct ceph_osd_client *osdc, struct ceph_msg *msg)
+{
+        void *p, *end;
+        u8 proto_ver;
+        u64 cookie, ver, notify_id;
+        u8 opcode;
+        struct ceph_osd_event *event;
+        struct ceph_osd_event_work *event_work;
+        p = msg->front.iov_base;
+        end = p + msg->front.iov_len;
+        ceph_decode_8_safe(&p, end, proto_ver, bad);
+        ceph_decode_8_safe(&p, end, opcode, bad);
+        ceph_decode_64_safe(&p, end, cookie, bad);
+        ceph_decode_64_safe(&p, end, ver, bad);
+        ceph_decode_64_safe(&p, end, notify_id, bad);
+        spin_lock(&osdc->event_lock);
+        event = __find_event(osdc, cookie);
+        if (event) {
+                get_event(event);
+                if (event->one_shot)
+                        __remove_event(event);
+        }
+        spin_unlock(&osdc->event_lock);
+        dout("handle_watch_notify cookie %lld ver %lld event %p\n",
+             cookie, ver, event);
+        if (event) {
+                event_work = kmalloc(sizeof(*event_work), GFP_NOIO);
+                if (!event_work) {
+                        dout("ERROR: could not allocate event_work\n");
+                        goto done_err;
+                }
+                INIT_WORK(&event_work->work, do_event_work);
+                event_work->event = event;
+                event_work->ver = ver;
+                event_work->notify_id = notify_id;
+                event_work->opcode = opcode;
+                if (!queue_work(osdc->notify_wq, &event_work->work)) {
+                        dout("WARNING: failed to queue notify event work\n");
+                        goto done_err;
+                }
+        }
+        return;
+done_err:
+        complete(&event->completion);
+        ceph_osdc_put_event(event);
+        return;
+bad:
+        pr_err("osdc handle_watch_notify corrupt msg\n");
+        return;
+}
+int ceph_osdc_wait_event(struct ceph_osd_event *event, unsigned long timeout)
+{
+        int err;
+        dout("wait_event %p\n", event);
+        err = wait_for_completion_interruptible_timeout(&event->completion,
+                                                        timeout * HZ);
+        ceph_osdc_put_event(event);
+        if (err > 0)
+                err = 0;
+        dout("wait_event %p returns %d\n", event, err);
+        return err;
+}
+EXPORT_SYMBOL(ceph_osdc_wait_event);
+/*
 * Register request, send initial attempt.
 */
 int ceph_osdc_start_request(struct ceph_osd_client *osdc,
@@ -1347,18 +1676,27 @@ int ceph_osdc_start_request(struct ceph_osd_client *osdc,
         * the request still han't been touched yet.
         */
        if (req->r_sent == 0) {
-                rc = __send_request(osdc, req);
+                rc = __map_request(osdc, req);
-                if (rc) {
+                if (rc < 0)
-                        if (nofail) {
+                        goto out_unlock;
-                                dout("osdc_start_request failed send, "
+                if (req->r_osd == NULL) {
-                                     " marking %lld\n", req->r_tid);
+                        dout("send_request %p no up osds in pg\n", req);
-                                req->r_resend = true;
+                        ceph_monc_request_next_osdmap(&osdc->client->monc);
-                                rc = 0;
+                } else {
-                        } else {
+                        rc = __send_request(osdc, req);
-                                __unregister_request(osdc, req);
+                        if (rc) {
+                                if (nofail) {
+                                        dout("osdc_start_request failed send, "
+                                             " will retry %lld\n", req->r_tid);
+                                        rc = 0;
+                                } else {
+                                        __unregister_request(osdc, req);
+                                }
                        }
                }
        }
+out_unlock:
        mutex_unlock(&osdc->request_mutex);
        up_read(&osdc->map_sem);
        return rc;
@@ -1441,9 +1779,15 @@ int ceph_osdc_init(struct ceph_osd_client *osdc, struct ceph_client *client)
        INIT_LIST_HEAD(&osdc->osd_lru);
        osdc->requests = RB_ROOT;
        INIT_LIST_HEAD(&osdc->req_lru);
+        INIT_LIST_HEAD(&osdc->req_unsent);
+        INIT_LIST_HEAD(&osdc->req_notarget);
+        INIT_LIST_HEAD(&osdc->req_linger);
        osdc->num_requests = 0;
        INIT_DELAYED_WORK(&osdc->timeout_work, handle_timeout);
        INIT_DELAYED_WORK(&osdc->osds_timeout_work, handle_osds_timeout);
+        spin_lock_init(&osdc->event_lock);
+        osdc->event_tree = RB_ROOT;
+        osdc->event_count = 0;
        schedule_delayed_work(&osdc->osds_timeout_work,
           round_jiffies_relative(osdc->client->options->osd_idle_ttl * HZ));
@@ -1463,6 +1807,13 @@ int ceph_osdc_init(struct ceph_osd_client *osdc, struct ceph_client *client)
                                "osd_op_reply");
        if (err < 0)
                goto out_msgpool;
+        osdc->notify_wq = create_singlethread_workqueue("ceph-watch-notify");
+        if (IS_ERR(osdc->notify_wq)) {
+                err = PTR_ERR(osdc->notify_wq);
+                osdc->notify_wq = NULL;
+                goto out_msgpool;
+        }
        return 0;
 out_msgpool:
@@ -1476,6 +1827,8 @@ EXPORT_SYMBOL(ceph_osdc_init);
 void ceph_osdc_stop(struct ceph_osd_client *osdc)
 {
+        flush_workqueue(osdc->notify_wq);
+        destroy_workqueue(osdc->notify_wq);
        cancel_delayed_work_sync(&osdc->timeout_work);
        cancel_delayed_work_sync(&osdc->osds_timeout_work);
        if (osdc->osdmap) {
@@ -1483,6 +1836,7 @@ void ceph_osdc_stop(struct ceph_osd_client *osdc)
                osdc->osdmap = NULL;
        }
        remove_old_osds(osdc, 1);
+        WARN_ON(!RB_EMPTY_ROOT(&osdc->osds));
        mempool_destroy(osdc->req_mempool);
        ceph_msgpool_destroy(&osdc->msgpool_op);
        ceph_msgpool_destroy(&osdc->msgpool_op_reply);
@@ -1591,6 +1945,9 @@ static void dispatch(struct ceph_connection *con, struct ceph_msg *msg)
        case CEPH_MSG_OSD_OPREPLY:
                handle_reply(osdc, msg, con);
                break;
+        case CEPH_MSG_WATCH_NOTIFY:
+                handle_watch_notify(osdc, msg);
+                break;
        default:
                pr_err("received unknown message type %d %s\n", type,
@@ -1684,6 +2041,7 @@ static struct ceph_msg *alloc_msg(struct ceph_connection *con,
        switch (type) {
        case CEPH_MSG_OSD_MAP:
+        case CEPH_MSG_WATCH_NOTIFY:
                return ceph_msg_new(type, front, GFP_NOFS);
        case CEPH_MSG_OSD_OPREPLY:
                return get_reply(con, hdr, skip);
diff --git a/net/ceph/pagevec.c b/net/ceph/pagevec.c
index 1a040e64c69f..cd9c21df87d1 100644
--- a/net/ceph/pagevec.c
+++ b/net/ceph/pagevec.c
@@ -16,22 +16,30 @@ struct page **ceph_get_direct_page_vector(const char __user *data,
                                          int num_pages, bool write_page)
 {
        struct page **pages;
-        int rc;
+        int got = 0;
+        int rc = 0;
        pages = kmalloc(sizeof(*pages) * num_pages, GFP_NOFS);
        if (!pages)
                return ERR_PTR(-ENOMEM);
        down_read(&current->mm->mmap_sem);
-        rc = get_user_pages(current, current->mm, (unsigned long)data,
+        while (got < num_pages) {
-                            num_pages, write_page, 0, pages, NULL);
+                rc = get_user_pages(current, current->mm,
+                    (unsigned long)data + ((unsigned long)got * PAGE_SIZE),
+                    num_pages - got, write_page, 0, pages + got, NULL);
+                if (rc < 0)
+                        break;
+                BUG_ON(rc == 0);
+                got += rc;
+        }
        up_read(&current->mm->mmap_sem);
-        if (rc < num_pages)
+        if (rc < 0)
                goto fail;
        return pages;
 fail:
-        ceph_put_page_vector(pages, rc > 0 ? rc : 0, false);
+        ceph_put_page_vector(pages, got, false);
        return ERR_PTR(rc);
 }
 EXPORT_SYMBOL(ceph_get_direct_page_vector);
diff --git a/net/compat.c b/net/compat.c
index 3649d5895361..c578d9382e19 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -722,11 +722,11 @@ EXPORT_SYMBOL(compat_mc_getsockopt);
 /* Argument list sizes for compat_sys_socketcall */
 #define AL(x) ((x) * sizeof(u32))
-static unsigned char nas[20] = {
+static unsigned char nas[21] = {
        AL(0), AL(3), AL(3), AL(3), AL(2), AL(3),
        AL(3), AL(3), AL(4), AL(4), AL(4), AL(6),
        AL(6), AL(2), AL(5), AL(5), AL(3), AL(3),
-        AL(4), AL(5)
+        AL(4), AL(5), AL(4)
 };
 #undef AL
@@ -735,6 +735,13 @@ asmlinkage long compat_sys_sendmsg(int fd, struct compat_msghdr __user *msg, uns
        return sys_sendmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
 }
+asmlinkage long compat_sys_sendmmsg(int fd, struct compat_mmsghdr __user *mmsg,
+                                    unsigned vlen, unsigned int flags)
+{
+        return __sys_sendmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
+                              flags | MSG_CMSG_COMPAT);
+}
 asmlinkage long compat_sys_recvmsg(int fd, struct compat_msghdr __user *msg, unsigned int flags)
 {
        return sys_recvmsg(fd, (struct msghdr __user *)msg, flags | MSG_CMSG_COMPAT);
@@ -780,7 +787,7 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
        u32 a[6];
        u32 a0, a1;
-        if (call < SYS_SOCKET || call > SYS_RECVMMSG)
+        if (call < SYS_SOCKET || call > SYS_SENDMMSG)
                return -EINVAL;
        if (copy_from_user(a, args, nas[call]))
                return -EFAULT;
@@ -839,6 +846,9 @@ asmlinkage long compat_sys_socketcall(int call, u32 __user *args)
        case SYS_SENDMSG:
                ret = compat_sys_sendmsg(a0, compat_ptr(a1), a[2]);
                break;
+        case SYS_SENDMMSG:
+                ret = compat_sys_sendmmsg(a0, compat_ptr(a1), a[2], a[3]);
+                break;
        case SYS_RECVMSG:
                ret = compat_sys_recvmsg(a0, compat_ptr(a1), a[2]);
                break;
diff --git a/net/core/dev.c b/net/core/dev.c
index 8ae6631abcc2..d94537914a71 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -132,6 +132,7 @@
 #include <trace/events/skb.h>
 #include <linux/pci.h>
 #include <linux/inetdevice.h>
+#include <linux/cpu_rmap.h>
 #include "net-sysfs.h"
@@ -947,7 +948,7 @@ int dev_alloc_name(struct net_device *dev, const char *name)
 }
 EXPORT_SYMBOL(dev_alloc_name);
-static int dev_get_valid_name(struct net_device *dev, const char *name, bool fmt)
+static int dev_get_valid_name(struct net_device *dev, const char *name)
 {
        struct net *net;
@@ -957,7 +958,7 @@ static int dev_get_valid_name(struct net_device *dev, const char *name, bool fmt
        if (!dev_valid_name(name))
                return -EINVAL;
-        if (fmt && strchr(name, '%'))
+        if (strchr(name, '%'))
                return dev_alloc_name(dev, name);
        else if (__dev_get_by_name(net, name))
                return -EEXIST;
@@ -994,7 +995,7 @@ int dev_change_name(struct net_device *dev, const char *newname)
        memcpy(oldname, dev->name, IFNAMSIZ);
-        err = dev_get_valid_name(dev, newname, 1);
+        err = dev_get_valid_name(dev, newname);
        if (err < 0)
                return err;
@@ -1006,7 +1007,7 @@ rollback:
        }
        write_lock_bh(&dev_base_lock);
-        hlist_del(&dev->name_hlist);
+        hlist_del_rcu(&dev->name_hlist);
        write_unlock_bh(&dev_base_lock);
        synchronize_rcu();
@@ -1114,13 +1115,21 @@ EXPORT_SYMBOL(netdev_bonding_change);
 void dev_load(struct net *net, const char *name)
 {
        struct net_device *dev;
+        int no_module;
        rcu_read_lock();
        dev = dev_get_by_name_rcu(net, name);
        rcu_read_unlock();
-        if (!dev && capable(CAP_NET_ADMIN))
+        no_module = !dev;
-                request_module("%s", name);
+        if (no_module && capable(CAP_NET_ADMIN))
+                no_module = request_module("netdev-%s", name);
+        if (no_module && capable(CAP_SYS_MODULE)) {
+                if (!request_module("%s", name))
+                        pr_err("Loading kernel module for a network device "
+"with CAP_SYS_MODULE (deprecated).  Use CAP_NET_ADMIN and alias netdev-%s "
+"instead\n", name);
+        }
 }
 EXPORT_SYMBOL(dev_load);
@@ -1131,9 +1140,6 @@ static int __dev_open(struct net_device *dev)
        ASSERT_RTNL();
-        /*
-         *      Is it even present?
-         */
        if (!netif_device_present(dev))
                return -ENODEV;
@@ -1142,9 +1148,6 @@ static int __dev_open(struct net_device *dev)
        if (ret)
                return ret;
-        /*
-         *      Call device private open method
-         */
        set_bit(__LINK_STATE_START, &dev->state);
        if (ops->ndo_validate_addr)
@@ -1153,31 +1156,12 @@ static int __dev_open(struct net_device *dev)
        if (!ret && ops->ndo_open)
                ret = ops->ndo_open(dev);
-        /*
-         *      If it went open OK then:
-         */
        if (ret)
                clear_bit(__LINK_STATE_START, &dev->state);
        else {
-                /*
-                 *      Set the flags.
-                 */
                dev->flags |= IFF_UP;
-                /*
-                 *      Enable NET_DMA
-                 */
                net_dmaengine_get();
-                /*
-                 *      Initialize multicasting status
-                 */
                dev_set_rx_mode(dev);
-                /*
-                 *      Wakeup transmit queue engine
-                 */
                dev_activate(dev);
        }
@@ -1200,22 +1184,13 @@ int dev_open(struct net_device *dev)
 {
        int ret;
-        /*
-         *      Is it already up?
-         */
        if (dev->flags & IFF_UP)
                return 0;
-        /*
-         *      Open device
-         */
        ret = __dev_open(dev);
        if (ret < 0)
                return ret;
-        /*
-         *      ... and announce new interface.
-         */
        rtmsg_ifinfo(RTM_NEWLINK, dev, IFF_UP|IFF_RUNNING);
        call_netdevice_notifiers(NETDEV_UP, dev);
@@ -1231,10 +1206,6 @@ static int __dev_close_many(struct list_head *head)
        might_sleep();
        list_for_each_entry(dev, head, unreg_list) {
-                /*
-                 *      Tell people we are going down, so that they can
-                 *      prepare to death, when device is still operating.
-                 */
                call_netdevice_notifiers(NETDEV_GOING_DOWN, dev);
                clear_bit(__LINK_STATE_START, &dev->state);
@@ -1263,15 +1234,7 @@ static int __dev_close_many(struct list_head *head)
                if (ops->ndo_stop)
                        ops->ndo_stop(dev);
-                /*
-                 *      Device is now down.
-                 */
                dev->flags &= ~IFF_UP;
-                /*
-                 *      Shutdown NET_DMA
-                 */
                net_dmaengine_put();
        }
@@ -1289,7 +1252,7 @@ static int __dev_close(struct net_device *dev)
        return retval;
 }
-int dev_close_many(struct list_head *head)
+static int dev_close_many(struct list_head *head)
 {
        struct net_device *dev, *tmp;
        LIST_HEAD(tmp_list);
@@ -1300,9 +1263,6 @@ int dev_close_many(struct list_head *head)
        __dev_close_many(head);
-        /*
-         * Tell people we are down
-         */
        list_for_each_entry(dev, head, unreg_list) {
                rtmsg_ifinfo(RTM_NEWLINK, dev, IFF_UP|IFF_RUNNING);
                call_netdevice_notifiers(NETDEV_DOWN, dev);
@@ -1324,11 +1284,13 @@ int dev_close_many(struct list_head *head)
 */
 int dev_close(struct net_device *dev)
 {
-        LIST_HEAD(single);
+        if (dev->flags & IFF_UP) {
+                LIST_HEAD(single);
-        list_add(&dev->unreg_list, &single);
+                list_add(&dev->unreg_list, &single);
-        dev_close_many(&single);
+                dev_close_many(&single);
-        list_del(&single);
+                list_del(&single);
+        }
        return 0;
 }
 EXPORT_SYMBOL(dev_close);
@@ -1344,26 +1306,25 @@ EXPORT_SYMBOL(dev_close);
 */
 void dev_disable_lro(struct net_device *dev)
 {
-        if (dev->ethtool_ops && dev->ethtool_ops->get_flags &&
+        u32 flags;
-            dev->ethtool_ops->set_flags) {
-                u32 flags = dev->ethtool_ops->get_flags(dev);
+        if (dev->ethtool_ops && dev->ethtool_ops->get_flags)
-                if (flags & ETH_FLAG_LRO) {
+                flags = dev->ethtool_ops->get_flags(dev);
-                        flags &= ~ETH_FLAG_LRO;
+        else
-                        dev->ethtool_ops->set_flags(dev, flags);
+                flags = ethtool_op_get_flags(dev);
-                }
-        }
+        if (!(flags & ETH_FLAG_LRO))
-        WARN_ON(dev->features & NETIF_F_LRO);
+                return;
+        __ethtool_set_flags(dev, flags & ~ETH_FLAG_LRO);
+        if (unlikely(dev->features & NETIF_F_LRO))
+                netdev_WARN(dev, "failed to disable LRO!\n");
 }
 EXPORT_SYMBOL(dev_disable_lro);
 static int dev_boot_phase = 1;
-/*
- *      Device change register/unregister. These are not inline or static
- *      as we export them to the world.
- */
 /**
 *      register_netdevice_notifier - register a network notifier block
 *      @nb: notifier
@@ -1465,6 +1426,7 @@ int call_netdevice_notifiers(unsigned long val, struct net_device *dev)
        ASSERT_RTNL();
        return raw_notifier_call_chain(&netdev_chain, val, dev);
 }
+EXPORT_SYMBOL(call_netdevice_notifiers);
 /* When > 0 there are consumers of rx skb time stamps */
 static atomic_t netstamp_needed = ATOMIC_INIT(0);
@@ -1495,6 +1457,27 @@ static inline void net_timestamp_check(struct sk_buff *skb)
                __net_timestamp(skb);
 }
+static inline bool is_skb_forwardable(struct net_device *dev,
+                                      struct sk_buff *skb)
+{
+        unsigned int len;
+        if (!(dev->flags & IFF_UP))
+                return false;
+        len = dev->mtu + dev->hard_header_len + VLAN_HLEN;
+        if (skb->len <= len)
+                return true;
+        /* if TSO is enabled, we don't care about the length as the packet
+         * could be forwarded without being segmented before
+         */
+        if (skb_is_gso(skb))
+                return true;
+        return false;
+}
 /**
 * dev_forward_skb - loopback an skb to another netif
 *
@@ -1518,8 +1501,7 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
        skb_orphan(skb);
        nf_reset(skb);
-        if (unlikely(!(dev->flags & IFF_UP) ||
+        if (unlikely(!is_skb_forwardable(dev, skb))) {
-                     (skb->len > (dev->mtu + dev->hard_header_len + VLAN_HLEN)))) {
                atomic_long_inc(&dev->rx_dropped);
                kfree_skb(skb);
                return NET_RX_DROP;
@@ -1597,6 +1579,48 @@ static void dev_queue_xmit_nit(struct sk_buff *skb, struct net_device *dev)
        rcu_read_unlock();
 }
+/* netif_setup_tc - Handle tc mappings on real_num_tx_queues change
+ * @dev: Network device
+ * @txq: number of queues available
+ *
+ * If real_num_tx_queues is changed the tc mappings may no longer be
+ * valid. To resolve this verify the tc mapping remains valid and if
+ * not NULL the mapping. With no priorities mapping to this
+ * offset/count pair it will no longer be used. In the worst case TC0
+ * is invalid nothing can be done so disable priority mappings. If is
+ * expected that drivers will fix this mapping if they can before
+ * calling netif_set_real_num_tx_queues.
+ */
+static void netif_setup_tc(struct net_device *dev, unsigned int txq)
+{
+        int i;
+        struct netdev_tc_txq *tc = &dev->tc_to_txq[0];
+        /* If TC0 is invalidated disable TC mapping */
+        if (tc->offset + tc->count > txq) {
+                pr_warning("Number of in use tx queues changed "
+                           "invalidating tc mappings. Priority "
+                           "traffic classification disabled!\n");
+                dev->num_tc = 0;
+                return;
+        }
+        /* Invalidated prio to tc mappings set to TC0 */
+        for (i = 1; i < TC_BITMASK + 1; i++) {
+                int q = netdev_get_prio_tc_map(dev, i);
+                tc = &dev->tc_to_txq[q];
+                if (tc->offset + tc->count > txq) {
+                        pr_warning("Number of in use tx queues "
+                                   "changed. Priority %i to tc "
+                                   "mapping %i is no longer valid "
+                                   "setting map to 0\n",
+                                   i, q);
+                        netdev_set_prio_tc_map(dev, i, 0);
+                }
+        }
+}
 /*
 * Routine to help set real_num_tx_queues. To avoid skbs mapped to queues
 * greater then real_num_tx_queues stale skbs on the qdisc must be flushed.
@@ -1608,7 +1632,8 @@ int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq)
        if (txq < 1 || txq > dev->num_tx_queues)
                return -EINVAL;
-        if (dev->reg_state == NETREG_REGISTERED) {
+        if (dev->reg_state == NETREG_REGISTERED ||
+            dev->reg_state == NETREG_UNREGISTERING) {
                ASSERT_RTNL();
                rc = netdev_queue_update_kobjects(dev, dev->real_num_tx_queues,
@@ -1616,6 +1641,9 @@ int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq)
                if (rc)
                        return rc;
+                if (dev->num_tc)
+                        netif_setup_tc(dev, txq);
                if (txq < dev->real_num_tx_queues)
                        qdisc_reset_all_tx_gt(dev, txq);
        }
@@ -1815,7 +1843,7 @@ EXPORT_SYMBOL(skb_checksum_help);
 *      It may return NULL if the skb requires no segmentation.  This is
 *      only possible when GSO is used for verifying header integrity.
 */
-struct sk_buff *skb_gso_segment(struct sk_buff *skb, int features)
+struct sk_buff *skb_gso_segment(struct sk_buff *skb, u32 features)
 {
        struct sk_buff *segs = ERR_PTR(-EPROTONOSUPPORT);
        struct packet_type *ptype;
@@ -2003,7 +2031,7 @@ static bool can_checksum_protocol(unsigned long features, __be16 protocol)
                 protocol == htons(ETH_P_FCOE)));
 }
-static int harmonize_features(struct sk_buff *skb, __be16 protocol, int features)
+static u32 harmonize_features(struct sk_buff *skb, __be16 protocol, u32 features)
 {
        if (!can_checksum_protocol(features, protocol)) {
                features &= ~NETIF_F_ALL_CSUM;
@@ -2015,10 +2043,10 @@ static int harmonize_features(struct sk_buff *skb, __be16 protocol, int features
        return features;
 }
-int netif_skb_features(struct sk_buff *skb)
+u32 netif_skb_features(struct sk_buff *skb)
 {
        __be16 protocol = skb->protocol;
-        int features = skb->dev->features;
+        u32 features = skb->dev->features;
        if (protocol == htons(ETH_P_8021Q)) {
                struct vlan_ethhdr *veh = (struct vlan_ethhdr *)skb->data;
@@ -2063,10 +2091,10 @@ int dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev,
        int rc = NETDEV_TX_OK;
        if (likely(!skb->next)) {
-                int features;
+                u32 features;
                /*
-                 * If device doesnt need skb->dst, release it right now while
+                 * If device doesn't need skb->dst, release it right now while
                 * its hot in this cpu cache
                 */
                if (dev->priv_flags & IFF_XMIT_DST_RELEASE)
@@ -2126,7 +2154,7 @@ gso:
                nskb->next = NULL;
                /*
-                 * If device doesnt need nskb->dst, release it right now while
+                 * If device doesn't need nskb->dst, release it right now while
                 * its hot in this cpu cache
                 */
                if (dev->priv_flags & IFF_XMIT_DST_RELEASE)
@@ -2165,6 +2193,8 @@ u16 __skb_tx_hash(const struct net_device *dev, const struct sk_buff *skb,
                  unsigned int num_tx_queues)
 {
        u32 hash;
+        u16 qoffset = 0;
+        u16 qcount = num_tx_queues;
        if (skb_rx_queue_recorded(skb)) {
                hash = skb_get_rx_queue(skb);
@@ -2173,13 +2203,19 @@ u16 __skb_tx_hash(const struct net_device *dev, const struct sk_buff *skb,
                return hash;
        }
+        if (dev->num_tc) {
+                u8 tc = netdev_get_prio_tc_map(dev, skb->priority);
+                qoffset = dev->tc_to_txq[tc].offset;
+                qcount = dev->tc_to_txq[tc].count;
+        }
        if (skb->sk && skb->sk->sk_hash)
                hash = skb->sk->sk_hash;
        else
                hash = (__force u16) skb->protocol ^ skb->rxhash;
        hash = jhash_1word(hash, hashrnd);
-        return (u16) (((u64) hash * num_tx_queues) >> 32);
+        return (u16) (((u64) hash * qcount) >> 32) + qoffset;
 }
 EXPORT_SYMBOL(__skb_tx_hash);
@@ -2276,15 +2312,18 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,
                                 struct netdev_queue *txq)
 {
        spinlock_t *root_lock = qdisc_lock(q);
-        bool contended = qdisc_is_running(q);
+        bool contended;
        int rc;
+        qdisc_skb_cb(skb)->pkt_len = skb->len;
+        qdisc_calculate_pkt_len(skb, q);
        /*
         * Heuristic to force contended enqueues to serialize on a
         * separate lock before trying to get qdisc main lock.
         * This permits __QDISC_STATE_RUNNING owner to get the lock more often
         * and dequeue packets faster.
         */
+        contended = qdisc_is_running(q);
        if (unlikely(contended))
                spin_lock(&q->busylock);
@@ -2302,7 +2341,6 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,
                if (!(dev->priv_flags & IFF_XMIT_DST_RELEASE))
                        skb_dst_force(skb);
-                qdisc_skb_cb(skb)->pkt_len = skb->len;
                qdisc_bstats_update(q, skb);
                if (sch_direct_xmit(skb, q, dev, txq, root_lock)) {
@@ -2317,7 +2355,7 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,
                rc = NET_XMIT_SUCCESS;
        } else {
                skb_dst_force(skb);
-                rc = qdisc_enqueue_root(skb, q);
+                rc = q->enqueue(skb, q) & NET_XMIT_MASK;
                if (qdisc_run_begin(q)) {
                        if (unlikely(contended)) {
                                spin_unlock(&q->busylock);
@@ -2467,8 +2505,8 @@ static inline void ____napi_schedule(struct softnet_data *sd,
 __u32 __skb_get_rxhash(struct sk_buff *skb)
 {
        int nhoff, hash = 0, poff;
-        struct ipv6hdr *ip6;
+        const struct ipv6hdr *ip6;
-        struct iphdr *ip;
+        const struct iphdr *ip;
        u8 ip_proto;
        u32 addr1, addr2, ihl;
        union {
@@ -2483,7 +2521,7 @@ __u32 __skb_get_rxhash(struct sk_buff *skb)
                if (!pskb_may_pull(skb, sizeof(*ip) + nhoff))
                        goto done;
-                ip = (struct iphdr *) (skb->data + nhoff);
+                ip = (const struct iphdr *) (skb->data + nhoff);
                if (ip->frag_off & htons(IP_MF | IP_OFFSET))
                        ip_proto = 0;
                else
@@ -2496,7 +2534,7 @@ __u32 __skb_get_rxhash(struct sk_buff *skb)
                if (!pskb_may_pull(skb, sizeof(*ip6) + nhoff))
                        goto done;
-                ip6 = (struct ipv6hdr *) (skb->data + nhoff);
+                ip6 = (const struct ipv6hdr *) (skb->data + nhoff);
                ip_proto = ip6->nexthdr;
                addr1 = (__force u32) ip6->saddr.s6_addr32[3];
                addr2 = (__force u32) ip6->daddr.s6_addr32[3];
@@ -2536,6 +2574,54 @@ EXPORT_SYMBOL(__skb_get_rxhash);
 struct rps_sock_flow_table __rcu *rps_sock_flow_table __read_mostly;
 EXPORT_SYMBOL(rps_sock_flow_table);
+static struct rps_dev_flow *
+set_rps_cpu(struct net_device *dev, struct sk_buff *skb,
+            struct rps_dev_flow *rflow, u16 next_cpu)
+{
+        u16 tcpu;
+        tcpu = rflow->cpu = next_cpu;
+        if (tcpu != RPS_NO_CPU) {
+#ifdef CONFIG_RFS_ACCEL
+                struct netdev_rx_queue *rxqueue;
+                struct rps_dev_flow_table *flow_table;
+                struct rps_dev_flow *old_rflow;
+                u32 flow_id;
+                u16 rxq_index;
+                int rc;
+                /* Should we steer this flow to a different hardware queue? */
+                if (!skb_rx_queue_recorded(skb) || !dev->rx_cpu_rmap ||
+                    !(dev->features & NETIF_F_NTUPLE))
+                        goto out;
+                rxq_index = cpu_rmap_lookup_index(dev->rx_cpu_rmap, next_cpu);
+                if (rxq_index == skb_get_rx_queue(skb))
+                        goto out;
+                rxqueue = dev->_rx + rxq_index;
+                flow_table = rcu_dereference(rxqueue->rps_flow_table);
+                if (!flow_table)
+                        goto out;
+                flow_id = skb->rxhash & flow_table->mask;
+                rc = dev->netdev_ops->ndo_rx_flow_steer(dev, skb,
+                                                        rxq_index, flow_id);
+                if (rc < 0)
+                        goto out;
+                old_rflow = rflow;
+                rflow = &flow_table->flows[flow_id];
+                rflow->cpu = next_cpu;
+                rflow->filter = rc;
+                if (old_rflow->filter == rflow->filter)
+                        old_rflow->filter = RPS_NO_FILTER;
+        out:
+#endif
+                rflow->last_qtail =
+                        per_cpu(softnet_data, tcpu).input_queue_head;
+        }
+        return rflow;
+}
 /*
 * get_rps_cpu is called from netif_receive_skb and returns the target
 * CPU from the RPS map of the receiving queue for a given skb.
@@ -2607,12 +2693,9 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
                if (unlikely(tcpu != next_cpu) &&
                    (tcpu == RPS_NO_CPU || !cpu_online(tcpu) ||
                     ((int)(per_cpu(softnet_data, tcpu).input_queue_head -
-                      rflow->last_qtail)) >= 0)) {
+                      rflow->last_qtail)) >= 0))
-                        tcpu = rflow->cpu = next_cpu;
+                        rflow = set_rps_cpu(dev, skb, rflow, next_cpu);
-                        if (tcpu != RPS_NO_CPU)
-                                rflow->last_qtail = per_cpu(softnet_data,
-                                    tcpu).input_queue_head;
-                }
                if (tcpu != RPS_NO_CPU && cpu_online(tcpu)) {
                        *rflowp = rflow;
                        cpu = tcpu;
@@ -2633,6 +2716,46 @@ done:
        return cpu;
 }
+#ifdef CONFIG_RFS_ACCEL
+/**
+ * rps_may_expire_flow - check whether an RFS hardware filter may be removed
+ * @dev: Device on which the filter was set
+ * @rxq_index: RX queue index
+ * @flow_id: Flow ID passed to ndo_rx_flow_steer()
+ * @filter_id: Filter ID returned by ndo_rx_flow_steer()
+ *
+ * Drivers that implement ndo_rx_flow_steer() should periodically call
+ * this function for each installed filter and remove the filters for
+ * which it returns %true.
+ */
+bool rps_may_expire_flow(struct net_device *dev, u16 rxq_index,
+                         u32 flow_id, u16 filter_id)
+{
+        struct netdev_rx_queue *rxqueue = dev->_rx + rxq_index;
+        struct rps_dev_flow_table *flow_table;
+        struct rps_dev_flow *rflow;
+        bool expire = true;
+        int cpu;
+        rcu_read_lock();
+        flow_table = rcu_dereference(rxqueue->rps_flow_table);
+        if (flow_table && flow_id <= flow_table->mask) {
+                rflow = &flow_table->flows[flow_id];
+                cpu = ACCESS_ONCE(rflow->cpu);
+                if (rflow->filter == filter_id && cpu != RPS_NO_CPU &&
+                    ((int)(per_cpu(softnet_data, cpu).input_queue_head -
+                           rflow->last_qtail) <
+                     (int)(10 * flow_table->mask)))
+                        expire = false;
+        }
+        rcu_read_unlock();
+        return expire;
+}
+EXPORT_SYMBOL(rps_may_expire_flow);
+#endif /* CONFIG_RFS_ACCEL */
 /* Called from hardirq (IPI) context */
 static void rps_trigger_softirq(void *data)
 {
@@ -2850,8 +2973,8 @@ EXPORT_SYMBOL_GPL(br_fdb_test_addr_hook);
 * when CONFIG_NET_CLS_ACT is? otherwise some useless instructions
 * a compare and 2 stores extra right now if we dont have it on
 * but have CONFIG_NET_CLS_ACT
- * NOTE: This doesnt stop any functionality; if you dont have
+ * NOTE: This doesn't stop any functionality; if you dont have
- * the ingress scheduler, you just cant add policies on ingress.
+ * the ingress scheduler, you just can't add policies on ingress.
 *
 */
 static int ing_filter(struct sk_buff *skb, struct netdev_queue *rxq)
@@ -2920,6 +3043,8 @@ out:
 *      on a failure.
 *
 *      The caller must hold the rtnl_mutex.
+ *
+ *      For a general description of rx_handler, see enum rx_handler_result.
 */
 int netdev_rx_handler_register(struct net_device *dev,
                               rx_handler_func_t *rx_handler,
@@ -2954,64 +3079,13 @@ void netdev_rx_handler_unregister(struct net_device *dev)
 }
 EXPORT_SYMBOL_GPL(netdev_rx_handler_unregister);
-static inline void skb_bond_set_mac_by_master(struct sk_buff *skb,
-                                              struct net_device *master)
-{
-        if (skb->pkt_type == PACKET_HOST) {
-                u16 *dest = (u16 *) eth_hdr(skb)->h_dest;
-                memcpy(dest, master->dev_addr, ETH_ALEN);
-        }
-}
-/* On bonding slaves other than the currently active slave, suppress
- * duplicates except for 802.3ad ETH_P_SLOW, alb non-mcast/bcast, and
- * ARP on active-backup slaves with arp_validate enabled.
- */
-int __skb_bond_should_drop(struct sk_buff *skb, struct net_device *master)
-{
-        struct net_device *dev = skb->dev;
-        if (master->priv_flags & IFF_MASTER_ARPMON)
-                dev->last_rx = jiffies;
-        if ((master->priv_flags & IFF_MASTER_ALB) &&
-            (master->priv_flags & IFF_BRIDGE_PORT)) {
-                /* Do address unmangle. The local destination address
-                 * will be always the one master has. Provides the right
-                 * functionality in a bridge.
-                 */
-                skb_bond_set_mac_by_master(skb, master);
-        }
-        if (dev->priv_flags & IFF_SLAVE_INACTIVE) {
-                if ((dev->priv_flags & IFF_SLAVE_NEEDARP) &&
-                    skb->protocol == __cpu_to_be16(ETH_P_ARP))
-                        return 0;
-                if (master->priv_flags & IFF_MASTER_ALB) {
-                        if (skb->pkt_type != PACKET_BROADCAST &&
-                            skb->pkt_type != PACKET_MULTICAST)
-                                return 0;
-                }
-                if (master->priv_flags & IFF_MASTER_8023AD &&
-                    skb->protocol == __cpu_to_be16(ETH_P_SLOW))
-                        return 0;
-                return 1;
-        }
-        return 0;
-}
-EXPORT_SYMBOL(__skb_bond_should_drop);
 static int __netif_receive_skb(struct sk_buff *skb)
 {
        struct packet_type *ptype, *pt_prev;
        rx_handler_func_t *rx_handler;
        struct net_device *orig_dev;
-        struct net_device *master;
+        struct net_device *null_or_dev;
-        struct net_device *null_or_orig;
+        bool deliver_exact = false;
-        struct net_device *orig_or_bond;
        int ret = NET_RX_DROP;
        __be16 type;
@@ -3026,28 +3100,8 @@ static int __netif_receive_skb(struct sk_buff *skb)
        if (!skb->skb_iif)
                skb->skb_iif = skb->dev->ifindex;
-        /*
-         * bonding note: skbs received on inactive slaves should only
-         * be delivered to pkt handlers that are exact matches.  Also
-         * the deliver_no_wcard flag will be set.  If packet handlers
-         * are sensitive to duplicate packets these skbs will need to
-         * be dropped at the handler.
-         */
-        null_or_orig = NULL;
        orig_dev = skb->dev;
-        master = ACCESS_ONCE(orig_dev->master);
-        if (skb->deliver_no_wcard)
-                null_or_orig = orig_dev;
-        else if (master) {
-                if (skb_bond_should_drop(skb, master)) {
-                        skb->deliver_no_wcard = 1;
-                        null_or_orig = orig_dev; /* deliver only exact match */
-                } else
-                        skb->dev = master;
-        }
-        __this_cpu_inc(softnet_data.processed);
        skb_reset_network_header(skb);
        skb_reset_transport_header(skb);
        skb->mac_len = skb->network_header - skb->mac_header;
@@ -3056,6 +3110,16 @@ static int __netif_receive_skb(struct sk_buff *skb)
        rcu_read_lock();
+another_round:
+        __this_cpu_inc(softnet_data.processed);
+        if (skb->protocol == cpu_to_be16(ETH_P_8021Q)) {
+                skb = vlan_untag(skb);
+                if (unlikely(!skb))
+                        goto out;
+        }
 #ifdef CONFIG_NET_CLS_ACT
        if (skb->tc_verd & TC_NCLS) {
                skb->tc_verd = CLR_TC_NCLS(skb->tc_verd);
@@ -3064,8 +3128,7 @@ static int __netif_receive_skb(struct sk_buff *skb)
 #endif
        list_for_each_entry_rcu(ptype, &ptype_all, list) {
-                if (ptype->dev == null_or_orig || ptype->dev == skb->dev ||
+                if (!ptype->dev || ptype->dev == skb->dev) {
-                    ptype->dev == orig_dev) {
                        if (pt_prev)
                                ret = deliver_skb(skb, pt_prev, orig_dev);
                        pt_prev = ptype;
@@ -3079,16 +3142,24 @@ static int __netif_receive_skb(struct sk_buff *skb)
 ncls:
 #endif
-        /* Handle special case of bridge or macvlan */
        rx_handler = rcu_dereference(skb->dev->rx_handler);
        if (rx_handler) {
                if (pt_prev) {
                        ret = deliver_skb(skb, pt_prev, orig_dev);
                        pt_prev = NULL;
                }
-                skb = rx_handler(skb);
+                switch (rx_handler(&skb)) {
-                if (!skb)
+                case RX_HANDLER_CONSUMED:
                        goto out;
+                case RX_HANDLER_ANOTHER:
+                        goto another_round;
+                case RX_HANDLER_EXACT:
+                        deliver_exact = true;
+                case RX_HANDLER_PASS:
+                        break;
+                default:
+                        BUG();
+                }
        }
        if (vlan_tx_tag_present(skb)) {
@@ -3096,31 +3167,22 @@ ncls:
                        ret = deliver_skb(skb, pt_prev, orig_dev);
                        pt_prev = NULL;
                }
-                if (vlan_hwaccel_do_receive(&skb)) {
+                if (vlan_do_receive(&skb)) {
                        ret = __netif_receive_skb(skb);
                        goto out;
                } else if (unlikely(!skb))
                        goto out;
        }
-        /*
+        /* deliver only exact match when indicated */
-         * Make sure frames received on VLAN interfaces stacked on
+        null_or_dev = deliver_exact ? skb->dev : NULL;
-         * bonding interfaces still make their way to any base bonding
-         * device that may have registered for a specific ptype.  The
-         * handler may have to adjust skb->dev and orig_dev.
-         */
-        orig_or_bond = orig_dev;
-        if ((skb->dev->priv_flags & IFF_802_1Q_VLAN) &&
-            (vlan_dev_real_dev(skb->dev)->priv_flags & IFF_BONDING)) {
-                orig_or_bond = vlan_dev_real_dev(skb->dev);
-        }
        type = skb->protocol;
        list_for_each_entry_rcu(ptype,
                        &ptype_base[ntohs(type) & PTYPE_HASH_MASK], list) {
-                if (ptype->type == type && (ptype->dev == null_or_orig ||
+                if (ptype->type == type &&
-                     ptype->dev == skb->dev || ptype->dev == orig_dev ||
+                    (ptype->dev == null_or_dev || ptype->dev == skb->dev ||
-                     ptype->dev == orig_or_bond)) {
+                     ptype->dev == orig_dev)) {
                        if (pt_prev)
                                ret = deliver_skb(skb, pt_prev, orig_dev);
                        pt_prev = ptype;
@@ -3726,7 +3788,7 @@ static void net_rx_action(struct softirq_action *h)
                 * with netpoll's poll_napi().  Only the entity which
                 * obtains the lock and sees NAPI_STATE_SCHED set will
                 * actually make the ->poll() call.  Therefore we avoid
-                 * accidently calling ->poll() when NAPI is not scheduled.
+                 * accidentally calling ->poll() when NAPI is not scheduled.
                 */
                work = 0;
                if (test_bit(NAPI_STATE_SCHED, &n->state)) {
@@ -3917,12 +3979,15 @@ void *dev_seq_start(struct seq_file *seq, loff_t *pos)
 void *dev_seq_next(struct seq_file *seq, void *v, loff_t *pos)
 {
-        struct net_device *dev = (v == SEQ_START_TOKEN) ?
+        struct net_device *dev = v;
-                                  first_net_device(seq_file_net(seq)) :
-                                  next_net_device((struct net_device *)v);
+        if (v == SEQ_START_TOKEN)
+                dev = first_net_device_rcu(seq_file_net(seq));
+        else
+                dev = next_net_device_rcu(dev);
        ++*pos;
-        return rcu_dereference(dev);
+        return dev;
 }
 void dev_seq_stop(struct seq_file *seq, void *v)
@@ -4206,15 +4271,14 @@ static int __init dev_proc_init(void)
 /**
- *      netdev_set_master       -       set up master/slave pair
+ *      netdev_set_master       -       set up master pointer
 *      @slave: slave device
 *      @master: new master device
 *
 *      Changes the master device of the slave. Pass %NULL to break the
 *      bonding. The caller must hold the RTNL semaphore. On a failure
 *      a negative errno code is returned. On success the reference counts
- *      are adjusted, %RTM_NEWLINK is sent to the routing socket and the
+ *      are adjusted and the function returns zero.
- *      function returns zero.
 */
 int netdev_set_master(struct net_device *slave, struct net_device *master)
 {
@@ -4234,6 +4298,29 @@ int netdev_set_master(struct net_device *slave, struct net_device *master)
                synchronize_net();
                dev_put(old);
        }
+        return 0;
+}
+EXPORT_SYMBOL(netdev_set_master);
+/**
+ *      netdev_set_bond_master  -       set up bonding master/slave pair
+ *      @slave: slave device
+ *      @master: new master device
+ *
+ *      Changes the master device of the slave. Pass %NULL to break the
+ *      bonding. The caller must hold the RTNL semaphore. On a failure
+ *      a negative errno code is returned. On success %RTM_NEWLINK is sent
+ *      to the routing socket and the function returns zero.
+ */
+int netdev_set_bond_master(struct net_device *slave, struct net_device *master)
+{
+        int err;
+        ASSERT_RTNL();
+        err = netdev_set_master(slave, master);
+        if (err)
+                return err;
        if (master)
                slave->flags |= IFF_SLAVE;
        else
@@ -4242,7 +4329,7 @@ int netdev_set_master(struct net_device *slave, struct net_device *master)
        rtmsg_ifinfo(RTM_NEWLINK, slave, IFF_SLAVE);
        return 0;
 }
-EXPORT_SYMBOL(netdev_set_master);
+EXPORT_SYMBOL(netdev_set_bond_master);
 static void dev_change_rx_flags(struct net_device *dev, int flags)
 {
@@ -4411,6 +4498,30 @@ void dev_set_rx_mode(struct net_device *dev)
 }
 /**
+ *      dev_ethtool_get_settings - call device's ethtool_ops::get_settings()
+ *      @dev: device
+ *      @cmd: memory area for ethtool_ops::get_settings() result
+ *
+ *      The cmd arg is initialized properly (cleared and
+ *      ethtool_cmd::cmd field set to ETHTOOL_GSET).
+ *
+ *      Return device's ethtool_ops::get_settings() result value or
+ *      -EOPNOTSUPP when device doesn't expose
+ *      ethtool_ops::get_settings() operation.
+ */
+int dev_ethtool_get_settings(struct net_device *dev,
+                             struct ethtool_cmd *cmd)
+{
+        if (!dev->ethtool_ops || !dev->ethtool_ops->get_settings)
+                return -EOPNOTSUPP;
+        memset(cmd, 0, sizeof(struct ethtool_cmd));
+        cmd->cmd = ETHTOOL_GSET;
+        return dev->ethtool_ops->get_settings(dev, cmd);
+}
+EXPORT_SYMBOL(dev_ethtool_get_settings);
+/**
 *      dev_get_flags - get flags reported to userspace
 *      @dev: device
 *
@@ -4579,6 +4690,17 @@ int dev_set_mtu(struct net_device *dev, int new_mtu)
 EXPORT_SYMBOL(dev_set_mtu);
 /**
+ *      dev_set_group - Change group this device belongs to
+ *      @dev: device
+ *      @new_group: group this device should belong to
+ */
+void dev_set_group(struct net_device *dev, int new_group)
+{
+        dev->group = new_group;
+}
+EXPORT_SYMBOL(dev_set_group);
+/**
 *      dev_set_mac_address - Change Media Access Control Address
 *      @dev: device
 *      @sa: new address
@@ -4663,7 +4785,7 @@ static int dev_ifsioc_locked(struct net *net, struct ifreq *ifr, unsigned int cm
                 * is never reached
                 */
                WARN_ON(1);
-                err = -EINVAL;
+                err = -ENOTTY;
                break;
        }
@@ -4931,7 +5053,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
                /* Set the per device memory buffer space.
                 * Not applicable in our case */
        case SIOCSIFLINK:
-                return -EINVAL;
+                return -ENOTTY;
        /*
         *      Unknown or private ioctl.
@@ -4952,7 +5074,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, void __user *arg)
                /* Take care of Wireless Extensions */
                if (cmd >= SIOCIWFIRST && cmd <= SIOCIWLAST)
                        return wext_handle_ioctl(net, &ifr, cmd, arg);
-                return -EINVAL;
+                return -ENOTTY;
        }
 }
@@ -5004,7 +5126,7 @@ static void rollback_registered_many(struct list_head *head)
                        list_del(&dev->unreg_list);
                        continue;
                }
+                dev->dismantle = true;
                BUG_ON(dev->reg_state != NETREG_REGISTERED);
        }
@@ -5069,41 +5191,59 @@ static void rollback_registered(struct net_device *dev)
        list_del(&single);
 }
-unsigned long netdev_fix_features(unsigned long features, const char *name)
+u32 netdev_fix_features(struct net_device *dev, u32 features)
 {
+        /* Fix illegal checksum combinations */
+        if ((features & NETIF_F_HW_CSUM) &&
+            (features & (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))) {
+                netdev_warn(dev, "mixed HW and IP checksum settings.\n");
+                features &= ~(NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM);
+        }
+        if ((features & NETIF_F_NO_CSUM) &&
+            (features & (NETIF_F_HW_CSUM|NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))) {
+                netdev_warn(dev, "mixed no checksumming and other settings.\n");
+                features &= ~(NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM|NETIF_F_HW_CSUM);
+        }
        /* Fix illegal SG+CSUM combinations. */
        if ((features & NETIF_F_SG) &&
            !(features & NETIF_F_ALL_CSUM)) {
-                if (name)
+                netdev_dbg(dev,
-                        printk(KERN_NOTICE "%s: Dropping NETIF_F_SG since no "
+                        "Dropping NETIF_F_SG since no checksum feature.\n");
-                               "checksum feature.\n", name);
                features &= ~NETIF_F_SG;
        }
        /* TSO requires that SG is present as well. */
-        if ((features & NETIF_F_TSO) && !(features & NETIF_F_SG)) {
+        if ((features & NETIF_F_ALL_TSO) && !(features & NETIF_F_SG)) {
-                if (name)
+                netdev_dbg(dev, "Dropping TSO features since no SG feature.\n");
-                        printk(KERN_NOTICE "%s: Dropping NETIF_F_TSO since no "
+                features &= ~NETIF_F_ALL_TSO;
-                               "SG feature.\n", name);
+        }
-                features &= ~NETIF_F_TSO;
+        /* TSO ECN requires that TSO is present as well. */
+        if ((features & NETIF_F_ALL_TSO) == NETIF_F_TSO_ECN)
+                features &= ~NETIF_F_TSO_ECN;
+        /* Software GSO depends on SG. */
+        if ((features & NETIF_F_GSO) && !(features & NETIF_F_SG)) {
+                netdev_dbg(dev, "Dropping NETIF_F_GSO since no SG feature.\n");
+                features &= ~NETIF_F_GSO;
        }
+        /* UFO needs SG and checksumming */
        if (features & NETIF_F_UFO) {
                /* maybe split UFO into V4 and V6? */
                if (!((features & NETIF_F_GEN_CSUM) ||
                    (features & (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))
                            == (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))) {
-                        if (name)
+                        netdev_dbg(dev,
-                                printk(KERN_ERR "%s: Dropping NETIF_F_UFO "
+                                "Dropping NETIF_F_UFO since no checksum offload features.\n");
-                                       "since no checksum offload features.\n",
-                                       name);
                        features &= ~NETIF_F_UFO;
                }
                if (!(features & NETIF_F_SG)) {
-                        if (name)
+                        netdev_dbg(dev,
-                                printk(KERN_ERR "%s: Dropping NETIF_F_UFO "
+                                "Dropping NETIF_F_UFO since no NETIF_F_SG feature.\n");
-                                       "since no NETIF_F_SG feature.\n", name);
                        features &= ~NETIF_F_UFO;
                }
        }
@@ -5112,6 +5252,75 @@ unsigned long netdev_fix_features(unsigned long features, const char *name)
 }
 EXPORT_SYMBOL(netdev_fix_features);
+int __netdev_update_features(struct net_device *dev)
+{
+        u32 features;
+        int err = 0;
+        ASSERT_RTNL();
+        features = netdev_get_wanted_features(dev);
+        if (dev->netdev_ops->ndo_fix_features)
+                features = dev->netdev_ops->ndo_fix_features(dev, features);
+        /* driver might be less strict about feature dependencies */
+        features = netdev_fix_features(dev, features);
+        if (dev->features == features)
+                return 0;
+        netdev_dbg(dev, "Features changed: 0x%08x -> 0x%08x\n",
+                dev->features, features);
+        if (dev->netdev_ops->ndo_set_features)
+                err = dev->netdev_ops->ndo_set_features(dev, features);
+        if (unlikely(err < 0)) {
+                netdev_err(dev,
+                        "set_features() failed (%d); wanted 0x%08x, left 0x%08x\n",
+                        err, features, dev->features);
+                return -1;
+        }
+        if (!err)
+                dev->features = features;
+        return 1;
+}
+/**
+ *      netdev_update_features - recalculate device features
+ *      @dev: the device to check
+ *
+ *      Recalculate dev->features set and send notifications if it
+ *      has changed. Should be called after driver or hardware dependent
+ *      conditions might have changed that influence the features.
+ */
+void netdev_update_features(struct net_device *dev)
+{
+        if (__netdev_update_features(dev))
+                netdev_features_change(dev);
+}
+EXPORT_SYMBOL(netdev_update_features);
+/**
+ *      netdev_change_features - recalculate device features
+ *      @dev: the device to check
+ *
+ *      Recalculate dev->features set and send notifications even
+ *      if they have not changed. Should be called instead of
+ *      netdev_update_features() if also dev->vlan_features might
+ *      have changed to allow the changes to be propagated to stacked
+ *      VLAN devices.
+ */
+void netdev_change_features(struct net_device *dev)
+{
+        __netdev_update_features(dev);
+        netdev_features_change(dev);
+}
+EXPORT_SYMBOL(netdev_change_features);
 /**
 *      netif_stacked_transfer_operstate -      transfer operstate
 *      @rootdev: the root or lower level device to transfer state from
@@ -5228,6 +5437,10 @@ int register_netdevice(struct net_device *dev)
        dev->iflink = -1;
+        ret = dev_get_valid_name(dev, dev->name);
+        if (ret < 0)
+                goto out;
        /* Init, if this function is available */
        if (dev->netdev_ops->ndo_init) {
                ret = dev->netdev_ops->ndo_init(dev);
@@ -5238,35 +5451,25 @@ int register_netdevice(struct net_device *dev)
                }
        }
-        ret = dev_get_valid_name(dev, dev->name, 0);
-        if (ret)
-                goto err_uninit;
        dev->ifindex = dev_new_index(net);
        if (dev->iflink == -1)
                dev->iflink = dev->ifindex;
-        /* Fix illegal checksum combinations */
+        /* Transfer changeable features to wanted_features and enable
-        if ((dev->features & NETIF_F_HW_CSUM) &&
+         * software offloads (GSO and GRO).
-            (dev->features & (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))) {
+         */
-                printk(KERN_NOTICE "%s: mixed HW and IP checksum settings.\n",
+        dev->hw_features |= NETIF_F_SOFT_FEATURES;
-                       dev->name);
+        dev->features |= NETIF_F_SOFT_FEATURES;
-                dev->features &= ~(NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM);
+        dev->wanted_features = dev->features & dev->hw_features;
-        }
-        if ((dev->features & NETIF_F_NO_CSUM) &&
+        /* Turn on no cache copy if HW is doing checksum */
-            (dev->features & (NETIF_F_HW_CSUM|NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))) {
+        dev->hw_features |= NETIF_F_NOCACHE_COPY;
-                printk(KERN_NOTICE "%s: mixed no checksumming and other settings.\n",
+        if ((dev->features & NETIF_F_ALL_CSUM) &&
-                       dev->name);
+            !(dev->features & NETIF_F_NO_CSUM)) {
-                dev->features &= ~(NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM|NETIF_F_HW_CSUM);
+                dev->wanted_features |= NETIF_F_NOCACHE_COPY;
+                dev->features |= NETIF_F_NOCACHE_COPY;
        }
-        dev->features = netdev_fix_features(dev->features, dev->name);
-        /* Enable software GSO if SG is supported. */
-        if (dev->features & NETIF_F_SG)
-                dev->features |= NETIF_F_GSO;
        /* Enable GRO and NETIF_F_HIGHDMA for vlans by default,
         * vlan_dev_init() will do the dev->features check, so these features
         * are enabled only if supported by underlying device.
@@ -5283,6 +5486,8 @@ int register_netdevice(struct net_device *dev)
                goto err_uninit;
        dev->reg_state = NETREG_REGISTERED;
+        __netdev_update_features(dev);
        /*
         *      Default initial state at registry is that the
         *      device is present.
@@ -5378,19 +5583,7 @@ int register_netdev(struct net_device *dev)
        int err;
        rtnl_lock();
-        /*
-         * If the name is a format string the caller wants us to do a
-         * name allocation.
-         */
-        if (strchr(dev->name, '%')) {
-                err = dev_alloc_name(dev, dev->name);
-                if (err < 0)
-                        goto out;
-        }
        err = register_netdevice(dev);
-out:
        rtnl_unlock();
        return err;
 }
@@ -5687,6 +5880,7 @@ struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name,
 #endif
        strcpy(dev->name, name);
+        dev->group = INIT_NETDEV_GROUP;
        return dev;
 free_all:
@@ -5871,7 +6065,7 @@ int dev_change_net_namespace(struct net_device *dev, struct net *net, const char
                /* We get here if we can't use the current device name */
                if (!pat)
                        goto out;
-                if (dev_get_valid_name(dev, pat, 1))
+                if (dev_get_valid_name(dev, pat) < 0)
                        goto out;
        }
@@ -6001,32 +6195,22 @@ static int dev_cpu_callback(struct notifier_block *nfb,
 *      @one to the master device with current feature set @all.  Will not
 *      enable anything that is off in @mask. Returns the new feature set.
 */
-unsigned long netdev_increment_features(unsigned long all, unsigned long one,
+u32 netdev_increment_features(u32 all, u32 one, u32 mask)
-                                        unsigned long mask)
 {
-        /* If device needs checksumming, downgrade to it. */
+        if (mask & NETIF_F_GEN_CSUM)
-        if (all & NETIF_F_NO_CSUM && !(one & NETIF_F_NO_CSUM))
+                mask |= NETIF_F_ALL_CSUM;
-                all ^= NETIF_F_NO_CSUM | (one & NETIF_F_ALL_CSUM);
+        mask |= NETIF_F_VLAN_CHALLENGED;
-        else if (mask & NETIF_F_ALL_CSUM) {
-                /* If one device supports v4/v6 checksumming, set for all. */
-                if (one & (NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM) &&
-                    !(all & NETIF_F_GEN_CSUM)) {
-                        all &= ~NETIF_F_ALL_CSUM;
-                        all |= one & (NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM);
-                }
-                /* If one device supports hw checksumming, set for all. */
+        all |= one & (NETIF_F_ONE_FOR_ALL|NETIF_F_ALL_CSUM) & mask;
-                if (one & NETIF_F_GEN_CSUM && !(all & NETIF_F_GEN_CSUM)) {
+        all &= one | ~NETIF_F_ALL_FOR_ALL;
-                        all &= ~NETIF_F_ALL_CSUM;
-                        all |= NETIF_F_HW_CSUM;
-                }
-        }
-        one |= NETIF_F_ALL_CSUM;
+        /* If device needs checksumming, downgrade to it. */
+        if (all & (NETIF_F_ALL_CSUM & ~NETIF_F_NO_CSUM))
+                all &= ~NETIF_F_NO_CSUM;
-        one |= all & NETIF_F_ONE_FOR_ALL;
+        /* If one device supports hw checksumming, set for all. */
-        all &= one | NETIF_F_LLTX | NETIF_F_GSO | NETIF_F_UFO;
+        if (all & NETIF_F_GEN_CSUM)
-        all |= one & mask & NETIF_F_ONE_FOR_ALL;
+                all &= ~(NETIF_F_ALL_CSUM & ~NETIF_F_GEN_CSUM);
        return all;
 }
@@ -6187,7 +6371,7 @@ static void __net_exit default_device_exit(struct net *net)
                if (dev->rtnl_link_ops)
                        continue;
-                /* Push remaing network devices to init_net */
+                /* Push remaining network devices to init_net */
                snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex);
                err = dev_change_net_namespace(dev, &init_net, fb_name);
                if (err) {
diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
index 508f9c18992f..e2e66939ed00 100644
--- a/net/core/dev_addr_lists.c
+++ b/net/core/dev_addr_lists.c
@@ -68,14 +68,6 @@ static int __hw_addr_add(struct netdev_hw_addr_list *list, unsigned char *addr,
        return __hw_addr_add_ex(list, addr, addr_len, addr_type, false);
 }
-static void ha_rcu_free(struct rcu_head *head)
-{
-        struct netdev_hw_addr *ha;
-        ha = container_of(head, struct netdev_hw_addr, rcu_head);
-        kfree(ha);
-}
 static int __hw_addr_del_ex(struct netdev_hw_addr_list *list,
                            unsigned char *addr, int addr_len,
                            unsigned char addr_type, bool global)
@@ -94,7 +86,7 @@ static int __hw_addr_del_ex(struct netdev_hw_addr_list *list,
                        if (--ha->refcount)
                                return 0;
                        list_del_rcu(&ha->list);
-                        call_rcu(&ha->rcu_head, ha_rcu_free);
+                        kfree_rcu(ha, rcu_head);
                        list->count--;
                        return 0;
                }
@@ -144,7 +136,7 @@ void __hw_addr_del_multiple(struct netdev_hw_addr_list *to_list,
        list_for_each_entry(ha, &from_list->list, list) {
                type = addr_type ? addr_type : ha->type;
-                __hw_addr_del(to_list, ha->addr, addr_len, addr_type);
+                __hw_addr_del(to_list, ha->addr, addr_len, type);
        }
 }
 EXPORT_SYMBOL(__hw_addr_del_multiple);
@@ -197,7 +189,7 @@ void __hw_addr_flush(struct netdev_hw_addr_list *list)
        list_for_each_entry_safe(ha, tmp, &list->list, list) {
                list_del_rcu(&ha->list);
-                call_rcu(&ha->rcu_head, ha_rcu_free);
+                kfree_rcu(ha, rcu_head);
        }
        list->count = 0;
 }
@@ -357,8 +349,8 @@ EXPORT_SYMBOL(dev_addr_add_multiple);
 /**
 *      dev_addr_del_multiple - Delete device addresses by another device
 *      @to_dev: device where the addresses will be deleted
- *      @from_dev: device by which addresses the addresses will be deleted
+ *      @from_dev: device supplying the addresses to be deleted
- *      @addr_type: address type - 0 means type will used from from_dev
+ *      @addr_type: address type - 0 means type will be used from from_dev
 *
 *      Deletes addresses in to device by the list of addresses in from device.
 *
diff --git a/net/core/drop_monitor.c b/net/core/drop_monitor.c
index 36e603c78ce9..7f36b38e060f 100644
--- a/net/core/drop_monitor.c
+++ b/net/core/drop_monitor.c
@@ -207,14 +207,6 @@ static void trace_napi_poll_hit(void *ignore, struct napi_struct *napi)
        rcu_read_unlock();
 }
-static void free_dm_hw_stat(struct rcu_head *head)
-{
-        struct dm_hw_stat_delta *n;
-        n = container_of(head, struct dm_hw_stat_delta, rcu);
-        kfree(n);
-}
 static int set_all_monitor_traces(int state)
 {
        int rc = 0;
@@ -245,7 +237,7 @@ static int set_all_monitor_traces(int state)
                list_for_each_entry_safe(new_stat, temp, &hw_stats_list, list) {
                        if (new_stat->dev == NULL) {
                                list_del_rcu(&new_stat->list);
-                                call_rcu(&new_stat->rcu, free_dm_hw_stat);
+                                kfree_rcu(new_stat, rcu);
                        }
                }
                break;
@@ -314,7 +306,7 @@ static int dropmon_net_event(struct notifier_block *ev_block,
                                new_stat->dev = NULL;
                                if (trace_state == TRACE_OFF) {
                                        list_del_rcu(&new_stat->list);
-                                        call_rcu(&new_stat->rcu, free_dm_hw_stat);
+                                        kfree_rcu(new_stat, rcu);
                                        break;
                                }
                        }
@@ -350,7 +342,7 @@ static int __init init_net_drop_monitor(void)
        struct per_cpu_dm_data *data;
        int cpu, rc;
-        printk(KERN_INFO "Initalizing network drop monitor service\n");
+        printk(KERN_INFO "Initializing network drop monitor service\n");
        if (sizeof(void *) > 8) {
                printk(KERN_ERR "Unable to store program counters on this arch, Drop monitor failed\n");
diff --git a/net/core/dst.c b/net/core/dst.c
index b99c7c7ffce2..81a4fa1c95ed 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -19,6 +19,7 @@
 #include <linux/types.h>
 #include <net/net_namespace.h>
 #include <linux/sched.h>
+#include <linux/prefetch.h>
 #include <net/dst.h>
@@ -33,9 +34,6 @@
 * 3) This list is guarded by a mutex,
 *    so that the gc_task and dst_dev_event() can be synchronized.
 */
-#if RT_CACHE_DEBUG >= 2
-static atomic_t                  dst_total = ATOMIC_INIT(0);
-#endif
 /*
 * We want to keep lock & list close together
@@ -69,10 +67,6 @@ static void dst_gc_task(struct work_struct *work)
        unsigned long expires = ~0L;
        struct dst_entry *dst, *next, head;
        struct dst_entry *last = &head;
-#if RT_CACHE_DEBUG >= 2
-        ktime_t time_start = ktime_get();
-        struct timespec elapsed;
-#endif
        mutex_lock(&dst_gc_mutex);
        next = dst_busy_list;
@@ -146,15 +140,6 @@ loop:
        spin_unlock_bh(&dst_garbage.lock);
        mutex_unlock(&dst_gc_mutex);
-#if RT_CACHE_DEBUG >= 2
-        elapsed = ktime_to_timespec(ktime_sub(ktime_get(), time_start));
-        printk(KERN_DEBUG "dst_total: %d delayed: %d work_perf: %d"
-                " expires: %lu elapsed: %lu us\n",
-                atomic_read(&dst_total), delayed, work_performed,
-                expires,
-                elapsed.tv_sec * USEC_PER_SEC +
-                  elapsed.tv_nsec / NSEC_PER_USEC);
-#endif
 }
 int dst_discard(struct sk_buff *skb)
@@ -164,7 +149,10 @@ int dst_discard(struct sk_buff *skb)
 }
 EXPORT_SYMBOL(dst_discard);
-void *dst_alloc(struct dst_ops *ops)
+const u32 dst_default_metrics[RTAX_MAX];
+void *dst_alloc(struct dst_ops *ops, struct net_device *dev,
+                int initial_ref, int initial_obsolete, int flags)
 {
        struct dst_entry *dst;
@@ -172,17 +160,36 @@ void *dst_alloc(struct dst_ops *ops)
                if (ops->gc(ops))
                        return NULL;
        }
-        dst = kmem_cache_zalloc(ops->kmem_cachep, GFP_ATOMIC);
+        dst = kmem_cache_alloc(ops->kmem_cachep, GFP_ATOMIC);
        if (!dst)
                return NULL;
-        atomic_set(&dst->__refcnt, 0);
+        dst->child = NULL;
+        dst->dev = dev;
+        if (dev)
+                dev_hold(dev);
        dst->ops = ops;
-        dst->lastuse = jiffies;
+        dst_init_metrics(dst, dst_default_metrics, true);
+        dst->expires = 0UL;
        dst->path = dst;
-        dst->input = dst->output = dst_discard;
+        dst->neighbour = NULL;
-#if RT_CACHE_DEBUG >= 2
+        dst->hh = NULL;
-        atomic_inc(&dst_total);
+#ifdef CONFIG_XFRM
+        dst->xfrm = NULL;
 #endif
+        dst->input = dst_discard;
+        dst->output = dst_discard;
+        dst->error = 0;
+        dst->obsolete = initial_obsolete;
+        dst->header_len = 0;
+        dst->trailer_len = 0;
+#ifdef CONFIG_IP_ROUTE_CLASSID
+        dst->tclassid = 0;
+#endif
+        atomic_set(&dst->__refcnt, initial_ref);
+        dst->__use = 0;
+        dst->lastuse = jiffies;
+        dst->flags = flags;
+        dst->next = NULL;
        dst_entries_add(ops, 1);
        return dst;
 }
@@ -242,9 +249,6 @@ again:
                dst->ops->destroy(dst);
        if (dst->dev)
                dev_put(dst->dev);
-#if RT_CACHE_DEBUG >= 2
-        atomic_dec(&dst_total);
-#endif
        kmem_cache_free(dst->ops->kmem_cachep, dst);
        dst = child;
@@ -282,6 +286,42 @@ void dst_release(struct dst_entry *dst)
 }
 EXPORT_SYMBOL(dst_release);
+u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old)
+{
+        u32 *p = kmalloc(sizeof(u32) * RTAX_MAX, GFP_ATOMIC);
+        if (p) {
+                u32 *old_p = __DST_METRICS_PTR(old);
+                unsigned long prev, new;
+                memcpy(p, old_p, sizeof(u32) * RTAX_MAX);
+                new = (unsigned long) p;
+                prev = cmpxchg(&dst->_metrics, old, new);
+                if (prev != old) {
+                        kfree(p);
+                        p = __DST_METRICS_PTR(prev);
+                        if (prev & DST_METRICS_READ_ONLY)
+                                p = NULL;
+                }
+        }
+        return p;
+}
+EXPORT_SYMBOL(dst_cow_metrics_generic);
+/* Caller asserts that dst_metrics_read_only(dst) is false.  */
+void __dst_destroy_metrics_generic(struct dst_entry *dst, unsigned long old)
+{
+        unsigned long prev, new;
+        new = (unsigned long) dst_default_metrics;
+        prev = cmpxchg(&dst->_metrics, old, new);
+        if (prev == old)
+                kfree(__DST_METRICS_PTR(old));
+}
+EXPORT_SYMBOL(__dst_destroy_metrics_generic);
 /**
 * skb_dst_set_noref - sets skb dst, without a reference
 * @skb: buffer
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index ff2302910b5e..84e7304532e6 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -21,6 +21,8 @@
 #include <linux/uaccess.h>
 #include <linux/vmalloc.h>
 #include <linux/slab.h>
+#include <linux/rtnetlink.h>
+#include <linux/sched.h>
 /*
 * Some useful ethtool_ops methods that're device independent.
@@ -34,12 +36,6 @@ u32 ethtool_op_get_link(struct net_device *dev)
 }
 EXPORT_SYMBOL(ethtool_op_get_link);
-u32 ethtool_op_get_rx_csum(struct net_device *dev)
-{
-        return (dev->features & NETIF_F_ALL_CSUM) != 0;
-}
-EXPORT_SYMBOL(ethtool_op_get_rx_csum);
 u32 ethtool_op_get_tx_csum(struct net_device *dev)
 {
        return (dev->features & NETIF_F_ALL_CSUM) != 0;
@@ -55,6 +51,7 @@ int ethtool_op_set_tx_csum(struct net_device *dev, u32 data)
        return 0;
 }
+EXPORT_SYMBOL(ethtool_op_set_tx_csum);
 int ethtool_op_set_tx_hw_csum(struct net_device *dev, u32 data)
 {
@@ -146,9 +143,24 @@ u32 ethtool_op_get_flags(struct net_device *dev)
 }
 EXPORT_SYMBOL(ethtool_op_get_flags);
+/* Check if device can enable (or disable) particular feature coded in "data"
+ * argument. Flags "supported" describe features that can be toggled by device.
+ * If feature can not be toggled, it state (enabled or disabled) must match
+ * hardcoded device features state, otherwise flags are marked as invalid.
+ */
+bool ethtool_invalid_flags(struct net_device *dev, u32 data, u32 supported)
+{
+        u32 features = dev->features & flags_dup_features;
+        /* "data" can contain only flags_dup_features bits,
+         * see __ethtool_set_flags */
+        return (features & ~supported) != (data & ~supported);
+}
+EXPORT_SYMBOL(ethtool_invalid_flags);
 int ethtool_op_set_flags(struct net_device *dev, u32 data, u32 supported)
 {
-        if (data & ~supported)
+        if (ethtool_invalid_flags(dev, data, supported))
                return -EINVAL;
        dev->features = ((dev->features & ~flags_dup_features) |
@@ -171,6 +183,381 @@ EXPORT_SYMBOL(ethtool_ntuple_flush);
 /* Handlers for each ethtool command */
+#define ETHTOOL_DEV_FEATURE_WORDS       1
+static void ethtool_get_features_compat(struct net_device *dev,
+        struct ethtool_get_features_block *features)
+{
+        if (!dev->ethtool_ops)
+                return;
+        /* getting RX checksum */
+        if (dev->ethtool_ops->get_rx_csum)
+                if (dev->ethtool_ops->get_rx_csum(dev))
+                        features[0].active |= NETIF_F_RXCSUM;
+        /* mark legacy-changeable features */
+        if (dev->ethtool_ops->set_sg)
+                features[0].available |= NETIF_F_SG;
+        if (dev->ethtool_ops->set_tx_csum)
+                features[0].available |= NETIF_F_ALL_CSUM;
+        if (dev->ethtool_ops->set_tso)
+                features[0].available |= NETIF_F_ALL_TSO;
+        if (dev->ethtool_ops->set_rx_csum)
+                features[0].available |= NETIF_F_RXCSUM;
+        if (dev->ethtool_ops->set_flags)
+                features[0].available |= flags_dup_features;
+}
+static int ethtool_set_feature_compat(struct net_device *dev,
+        int (*legacy_set)(struct net_device *, u32),
+        struct ethtool_set_features_block *features, u32 mask)
+{
+        u32 do_set;
+        if (!legacy_set)
+                return 0;
+        if (!(features[0].valid & mask))
+                return 0;
+        features[0].valid &= ~mask;
+        do_set = !!(features[0].requested & mask);
+        if (legacy_set(dev, do_set) < 0)
+                netdev_info(dev,
+                        "Legacy feature change (%s) failed for 0x%08x\n",
+                        do_set ? "set" : "clear", mask);
+        return 1;
+}
+static int ethtool_set_features_compat(struct net_device *dev,
+        struct ethtool_set_features_block *features)
+{
+        int compat;
+        if (!dev->ethtool_ops)
+                return 0;
+        compat  = ethtool_set_feature_compat(dev, dev->ethtool_ops->set_sg,
+                features, NETIF_F_SG);
+        compat |= ethtool_set_feature_compat(dev, dev->ethtool_ops->set_tx_csum,
+                features, NETIF_F_ALL_CSUM);
+        compat |= ethtool_set_feature_compat(dev, dev->ethtool_ops->set_tso,
+                features, NETIF_F_ALL_TSO);
+        compat |= ethtool_set_feature_compat(dev, dev->ethtool_ops->set_rx_csum,
+                features, NETIF_F_RXCSUM);
+        compat |= ethtool_set_feature_compat(dev, dev->ethtool_ops->set_flags,
+                features, flags_dup_features);
+        return compat;
+}
+static int ethtool_get_features(struct net_device *dev, void __user *useraddr)
+{
+        struct ethtool_gfeatures cmd = {
+                .cmd = ETHTOOL_GFEATURES,
+                .size = ETHTOOL_DEV_FEATURE_WORDS,
+        };
+        struct ethtool_get_features_block features[ETHTOOL_DEV_FEATURE_WORDS] = {
+                {
+                        .available = dev->hw_features,
+                        .requested = dev->wanted_features,
+                        .active = dev->features,
+                        .never_changed = NETIF_F_NEVER_CHANGE,
+                },
+        };
+        u32 __user *sizeaddr;
+        u32 copy_size;
+        ethtool_get_features_compat(dev, features);
+        sizeaddr = useraddr + offsetof(struct ethtool_gfeatures, size);
+        if (get_user(copy_size, sizeaddr))
+                return -EFAULT;
+        if (copy_size > ETHTOOL_DEV_FEATURE_WORDS)
+                copy_size = ETHTOOL_DEV_FEATURE_WORDS;
+        if (copy_to_user(useraddr, &cmd, sizeof(cmd)))
+                return -EFAULT;
+        useraddr += sizeof(cmd);
+        if (copy_to_user(useraddr, features, copy_size * sizeof(*features)))
+                return -EFAULT;
+        return 0;
+}
+static int ethtool_set_features(struct net_device *dev, void __user *useraddr)
+{
+        struct ethtool_sfeatures cmd;
+        struct ethtool_set_features_block features[ETHTOOL_DEV_FEATURE_WORDS];
+        int ret = 0;
+        if (copy_from_user(&cmd, useraddr, sizeof(cmd)))
+                return -EFAULT;
+        useraddr += sizeof(cmd);
+        if (cmd.size != ETHTOOL_DEV_FEATURE_WORDS)
+                return -EINVAL;
+        if (copy_from_user(features, useraddr, sizeof(features)))
+                return -EFAULT;
+        if (features[0].valid & ~NETIF_F_ETHTOOL_BITS)
+                return -EINVAL;
+        if (ethtool_set_features_compat(dev, features))
+                ret |= ETHTOOL_F_COMPAT;
+        if (features[0].valid & ~dev->hw_features) {
+                features[0].valid &= dev->hw_features;
+                ret |= ETHTOOL_F_UNSUPPORTED;
+        }
+        dev->wanted_features &= ~features[0].valid;
+        dev->wanted_features |= features[0].valid & features[0].requested;
+        __netdev_update_features(dev);
+        if ((dev->wanted_features ^ dev->features) & features[0].valid)
+                ret |= ETHTOOL_F_WISH;
+        return ret;
+}
+static const char netdev_features_strings[ETHTOOL_DEV_FEATURE_WORDS * 32][ETH_GSTRING_LEN] = {
+        /* NETIF_F_SG */              "tx-scatter-gather",
+        /* NETIF_F_IP_CSUM */         "tx-checksum-ipv4",
+        /* NETIF_F_NO_CSUM */         "tx-checksum-unneeded",
+        /* NETIF_F_HW_CSUM */         "tx-checksum-ip-generic",
+        /* NETIF_F_IPV6_CSUM */       "tx-checksum-ipv6",
+        /* NETIF_F_HIGHDMA */         "highdma",
+        /* NETIF_F_FRAGLIST */        "tx-scatter-gather-fraglist",
+        /* NETIF_F_HW_VLAN_TX */      "tx-vlan-hw-insert",
+        /* NETIF_F_HW_VLAN_RX */      "rx-vlan-hw-parse",
+        /* NETIF_F_HW_VLAN_FILTER */  "rx-vlan-filter",
+        /* NETIF_F_VLAN_CHALLENGED */ "vlan-challenged",
+        /* NETIF_F_GSO */             "tx-generic-segmentation",
+        /* NETIF_F_LLTX */            "tx-lockless",
+        /* NETIF_F_NETNS_LOCAL */     "netns-local",
+        /* NETIF_F_GRO */             "rx-gro",
+        /* NETIF_F_LRO */             "rx-lro",
+        /* NETIF_F_TSO */             "tx-tcp-segmentation",
+        /* NETIF_F_UFO */             "tx-udp-fragmentation",
+        /* NETIF_F_GSO_ROBUST */      "tx-gso-robust",
+        /* NETIF_F_TSO_ECN */         "tx-tcp-ecn-segmentation",
+        /* NETIF_F_TSO6 */            "tx-tcp6-segmentation",
+        /* NETIF_F_FSO */             "tx-fcoe-segmentation",
+        "",
+        "",
+        /* NETIF_F_FCOE_CRC */        "tx-checksum-fcoe-crc",
+        /* NETIF_F_SCTP_CSUM */       "tx-checksum-sctp",
+        /* NETIF_F_FCOE_MTU */        "fcoe-mtu",
+        /* NETIF_F_NTUPLE */          "rx-ntuple-filter",
+        /* NETIF_F_RXHASH */          "rx-hashing",
+        /* NETIF_F_RXCSUM */          "rx-checksum",
+        /* NETIF_F_NOCACHE_COPY */    "tx-nocache-copy",
+        /* NETIF_F_LOOPBACK */        "loopback",
+};
+static int __ethtool_get_sset_count(struct net_device *dev, int sset)
+{
+        const struct ethtool_ops *ops = dev->ethtool_ops;
+        if (sset == ETH_SS_FEATURES)
+                return ARRAY_SIZE(netdev_features_strings);
+        if (ops && ops->get_sset_count && ops->get_strings)
+                return ops->get_sset_count(dev, sset);
+        else
+                return -EOPNOTSUPP;
+}
+static void __ethtool_get_strings(struct net_device *dev,
+        u32 stringset, u8 *data)
+{
+        const struct ethtool_ops *ops = dev->ethtool_ops;
+        if (stringset == ETH_SS_FEATURES)
+                memcpy(data, netdev_features_strings,
+                        sizeof(netdev_features_strings));
+        else
+                /* ops->get_strings is valid because checked earlier */
+                ops->get_strings(dev, stringset, data);
+}
+static u32 ethtool_get_feature_mask(u32 eth_cmd)
+{
+        /* feature masks of legacy discrete ethtool ops */
+        switch (eth_cmd) {
+        case ETHTOOL_GTXCSUM:
+        case ETHTOOL_STXCSUM:
+                return NETIF_F_ALL_CSUM | NETIF_F_SCTP_CSUM;
+        case ETHTOOL_GRXCSUM:
+        case ETHTOOL_SRXCSUM:
+                return NETIF_F_RXCSUM;
+        case ETHTOOL_GSG:
+        case ETHTOOL_SSG:
+                return NETIF_F_SG;
+        case ETHTOOL_GTSO:
+        case ETHTOOL_STSO:
+                return NETIF_F_ALL_TSO;
+        case ETHTOOL_GUFO:
+        case ETHTOOL_SUFO:
+                return NETIF_F_UFO;
+        case ETHTOOL_GGSO:
+        case ETHTOOL_SGSO:
+                return NETIF_F_GSO;
+        case ETHTOOL_GGRO:
+        case ETHTOOL_SGRO:
+                return NETIF_F_GRO;
+        default:
+                BUG();
+        }
+}
+static void *__ethtool_get_one_feature_actor(struct net_device *dev, u32 ethcmd)
+{
+        const struct ethtool_ops *ops = dev->ethtool_ops;
+        if (!ops)
+                return NULL;
+        switch (ethcmd) {
+        case ETHTOOL_GTXCSUM:
+                return ops->get_tx_csum;
+        case ETHTOOL_GRXCSUM:
+                return ops->get_rx_csum;
+        case ETHTOOL_SSG:
+                return ops->get_sg;
+        case ETHTOOL_STSO:
+                return ops->get_tso;
+        case ETHTOOL_SUFO:
+                return ops->get_ufo;
+        default:
+                return NULL;
+        }
+}
+static u32 __ethtool_get_rx_csum_oldbug(struct net_device *dev)
+{
+        return !!(dev->features & NETIF_F_ALL_CSUM);
+}
+static int ethtool_get_one_feature(struct net_device *dev,
+        char __user *useraddr, u32 ethcmd)
+{
+        u32 mask = ethtool_get_feature_mask(ethcmd);
+        struct ethtool_value edata = {
+                .cmd = ethcmd,
+                .data = !!(dev->features & mask),
+        };
+        /* compatibility with discrete get_ ops */
+        if (!(dev->hw_features & mask)) {
+                u32 (*actor)(struct net_device *);
+                actor = __ethtool_get_one_feature_actor(dev, ethcmd);
+                /* bug compatibility with old get_rx_csum */
+                if (ethcmd == ETHTOOL_GRXCSUM && !actor)
+                        actor = __ethtool_get_rx_csum_oldbug;
+                if (actor)
+                        edata.data = actor(dev);
+        }
+        if (copy_to_user(useraddr, &edata, sizeof(edata)))
+                return -EFAULT;
+        return 0;
+}
+static int __ethtool_set_tx_csum(struct net_device *dev, u32 data);
+static int __ethtool_set_rx_csum(struct net_device *dev, u32 data);
+static int __ethtool_set_sg(struct net_device *dev, u32 data);
+static int __ethtool_set_tso(struct net_device *dev, u32 data);
+static int __ethtool_set_ufo(struct net_device *dev, u32 data);
+static int ethtool_set_one_feature(struct net_device *dev,
+        void __user *useraddr, u32 ethcmd)
+{
+        struct ethtool_value edata;
+        u32 mask;
+        if (copy_from_user(&edata, useraddr, sizeof(edata)))
+                return -EFAULT;
+        mask = ethtool_get_feature_mask(ethcmd);
+        mask &= dev->hw_features;
+        if (mask) {
+                if (edata.data)
+                        dev->wanted_features |= mask;
+                else
+                        dev->wanted_features &= ~mask;
+                __netdev_update_features(dev);
+                return 0;
+        }
+        /* Driver is not converted to ndo_fix_features or does not
+         * support changing this offload. In the latter case it won't
+         * have corresponding ethtool_ops field set.
+         *
+         * Following part is to be removed after all drivers advertise
+         * their changeable features in netdev->hw_features and stop
+         * using discrete offload setting ops.
+         */
+        switch (ethcmd) {
+        case ETHTOOL_STXCSUM:
+                return __ethtool_set_tx_csum(dev, edata.data);
+        case ETHTOOL_SRXCSUM:
+                return __ethtool_set_rx_csum(dev, edata.data);
+        case ETHTOOL_SSG:
+                return __ethtool_set_sg(dev, edata.data);
+        case ETHTOOL_STSO:
+                return __ethtool_set_tso(dev, edata.data);
+        case ETHTOOL_SUFO:
+                return __ethtool_set_ufo(dev, edata.data);
+        default:
+                return -EOPNOTSUPP;
+        }
+}
+int __ethtool_set_flags(struct net_device *dev, u32 data)
+{
+        u32 changed;
+        if (data & ~flags_dup_features)
+                return -EINVAL;
+        /* legacy set_flags() op */
+        if (dev->ethtool_ops->set_flags) {
+                if (unlikely(dev->hw_features & flags_dup_features))
+                        netdev_warn(dev,
+                                "driver BUG: mixed hw_features and set_flags()\n");
+                return dev->ethtool_ops->set_flags(dev, data);
+        }
+        /* allow changing only bits set in hw_features */
+        changed = (data ^ dev->features) & flags_dup_features;
+        if (changed & ~dev->hw_features)
+                return (changed & dev->hw_features) ? -EINVAL : -EOPNOTSUPP;
+        dev->wanted_features =
+                (dev->wanted_features & ~changed) | (data & dev->hw_features);
+        __netdev_update_features(dev);
+        return 0;
+}
 static int ethtool_get_settings(struct net_device *dev, void __user *useraddr)
 {
        struct ethtool_cmd cmd = { .cmd = ETHTOOL_GSET };
@@ -251,14 +638,10 @@ static noinline_for_stack int ethtool_get_sset_info(struct net_device *dev,
                                                    void __user *useraddr)
 {
        struct ethtool_sset_info info;
-        const struct ethtool_ops *ops = dev->ethtool_ops;
        u64 sset_mask;
        int i, idx = 0, n_bits = 0, ret, rc;
        u32 *info_buf = NULL;
-        if (!ops->get_sset_count)
-                return -EOPNOTSUPP;
        if (copy_from_user(&info, useraddr, sizeof(info)))
                return -EFAULT;
@@ -285,7 +668,7 @@ static noinline_for_stack int ethtool_get_sset_info(struct net_device *dev,
                if (!(sset_mask & (1ULL << i)))
                        continue;
-                rc = ops->get_sset_count(dev, i);
+                rc = __ethtool_get_sset_count(dev, i);
                if (rc >= 0) {
                        info.sset_mask |= (1ULL << i);
                        info_buf[idx++] = rc;
@@ -527,6 +910,9 @@ static noinline_for_stack int ethtool_set_rx_ntuple(struct net_device *dev,
        struct ethtool_rx_ntuple_flow_spec_container *fsc = NULL;
        int ret;
+        if (!ops->set_rx_ntuple)
+                return -EOPNOTSUPP;
        if (!(dev->features & NETIF_F_NTUPLE))
                return -EINVAL;
@@ -1060,6 +1446,35 @@ static int ethtool_set_ringparam(struct net_device *dev, void __user *useraddr)
        return dev->ethtool_ops->set_ringparam(dev, &ringparam);
 }
+static noinline_for_stack int ethtool_get_channels(struct net_device *dev,
+                                                   void __user *useraddr)
+{
+        struct ethtool_channels channels = { .cmd = ETHTOOL_GCHANNELS };
+        if (!dev->ethtool_ops->get_channels)
+                return -EOPNOTSUPP;
+        dev->ethtool_ops->get_channels(dev, &channels);
+        if (copy_to_user(useraddr, &channels, sizeof(channels)))
+                return -EFAULT;
+        return 0;
+}
+static noinline_for_stack int ethtool_set_channels(struct net_device *dev,
+                                                   void __user *useraddr)
+{
+        struct ethtool_channels channels;
+        if (!dev->ethtool_ops->set_channels)
+                return -EOPNOTSUPP;
+        if (copy_from_user(&channels, useraddr, sizeof(channels)))
+                return -EFAULT;
+        return dev->ethtool_ops->set_channels(dev, &channels);
+}
 static int ethtool_get_pauseparam(struct net_device *dev, void __user *useraddr)
 {
        struct ethtool_pauseparam pauseparam = { ETHTOOL_GPAUSEPARAM };
@@ -1091,6 +1506,12 @@ static int __ethtool_set_sg(struct net_device *dev, u32 data)
 {
        int err;
+        if (!dev->ethtool_ops->set_sg)
+                return -EOPNOTSUPP;
+        if (data && !(dev->features & NETIF_F_ALL_CSUM))
+                return -EINVAL;
        if (!data && dev->ethtool_ops->set_tso) {
                err = dev->ethtool_ops->set_tso(dev, 0);
                if (err)
@@ -1105,145 +1526,55 @@ static int __ethtool_set_sg(struct net_device *dev, u32 data)
        return dev->ethtool_ops->set_sg(dev, data);
 }
-static int ethtool_set_tx_csum(struct net_device *dev, char __user *useraddr)
+static int __ethtool_set_tx_csum(struct net_device *dev, u32 data)
 {
-        struct ethtool_value edata;
        int err;
        if (!dev->ethtool_ops->set_tx_csum)
                return -EOPNOTSUPP;
-        if (copy_from_user(&edata, useraddr, sizeof(edata)))
+        if (!data && dev->ethtool_ops->set_sg) {
-                return -EFAULT;
-        if (!edata.data && dev->ethtool_ops->set_sg) {
                err = __ethtool_set_sg(dev, 0);
                if (err)
                        return err;
        }
-        return dev->ethtool_ops->set_tx_csum(dev, edata.data);
+        return dev->ethtool_ops->set_tx_csum(dev, data);
 }
-EXPORT_SYMBOL(ethtool_op_set_tx_csum);
-static int ethtool_set_rx_csum(struct net_device *dev, char __user *useraddr)
+static int __ethtool_set_rx_csum(struct net_device *dev, u32 data)
 {
-        struct ethtool_value edata;
        if (!dev->ethtool_ops->set_rx_csum)
                return -EOPNOTSUPP;
-        if (copy_from_user(&edata, useraddr, sizeof(edata)))
+        if (!data)
-                return -EFAULT;
-        if (!edata.data && dev->ethtool_ops->set_sg)
                dev->features &= ~NETIF_F_GRO;
-        return dev->ethtool_ops->set_rx_csum(dev, edata.data);
+        return dev->ethtool_ops->set_rx_csum(dev, data);
-}
-static int ethtool_set_sg(struct net_device *dev, char __user *useraddr)
-{
-        struct ethtool_value edata;
-        if (!dev->ethtool_ops->set_sg)
-                return -EOPNOTSUPP;
-        if (copy_from_user(&edata, useraddr, sizeof(edata)))
-                return -EFAULT;
-        if (edata.data &&
-            !(dev->features & NETIF_F_ALL_CSUM))
-                return -EINVAL;
-        return __ethtool_set_sg(dev, edata.data);
 }
-static int ethtool_set_tso(struct net_device *dev, char __user *useraddr)
+static int __ethtool_set_tso(struct net_device *dev, u32 data)
 {
-        struct ethtool_value edata;
        if (!dev->ethtool_ops->set_tso)
                return -EOPNOTSUPP;
-        if (copy_from_user(&edata, useraddr, sizeof(edata)))
+        if (data && !(dev->features & NETIF_F_SG))
-                return -EFAULT;
-        if (edata.data && !(dev->features & NETIF_F_SG))
                return -EINVAL;
-        return dev->ethtool_ops->set_tso(dev, edata.data);
+        return dev->ethtool_ops->set_tso(dev, data);
 }
-static int ethtool_set_ufo(struct net_device *dev, char __user *useraddr)
+static int __ethtool_set_ufo(struct net_device *dev, u32 data)
 {
-        struct ethtool_value edata;
        if (!dev->ethtool_ops->set_ufo)
                return -EOPNOTSUPP;
-        if (copy_from_user(&edata, useraddr, sizeof(edata)))
+        if (data && !(dev->features & NETIF_F_SG))
-                return -EFAULT;
-        if (edata.data && !(dev->features & NETIF_F_SG))
                return -EINVAL;
-        if (edata.data && !((dev->features & NETIF_F_GEN_CSUM) ||
+        if (data && !((dev->features & NETIF_F_GEN_CSUM) ||
                (dev->features & (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))
                        == (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM)))
                return -EINVAL;
-        return dev->ethtool_ops->set_ufo(dev, edata.data);
+        return dev->ethtool_ops->set_ufo(dev, data);
-}
-static int ethtool_get_gso(struct net_device *dev, char __user *useraddr)
-{
-        struct ethtool_value edata = { ETHTOOL_GGSO };
-        edata.data = dev->features & NETIF_F_GSO;
-        if (copy_to_user(useraddr, &edata, sizeof(edata)))
-                return -EFAULT;
-        return 0;
-}
-static int ethtool_set_gso(struct net_device *dev, char __user *useraddr)
-{
-        struct ethtool_value edata;
-        if (copy_from_user(&edata, useraddr, sizeof(edata)))
-                return -EFAULT;
-        if (edata.data)
-                dev->features |= NETIF_F_GSO;
-        else
-                dev->features &= ~NETIF_F_GSO;
-        return 0;
-}
-static int ethtool_get_gro(struct net_device *dev, char __user *useraddr)
-{
-        struct ethtool_value edata = { ETHTOOL_GGRO };
-        edata.data = dev->features & NETIF_F_GRO;
-        if (copy_to_user(useraddr, &edata, sizeof(edata)))
-                return -EFAULT;
-        return 0;
-}
-static int ethtool_set_gro(struct net_device *dev, char __user *useraddr)
-{
-        struct ethtool_value edata;
-        if (copy_from_user(&edata, useraddr, sizeof(edata)))
-                return -EFAULT;
-        if (edata.data) {
-                u32 rxcsum = dev->ethtool_ops->get_rx_csum ?
-                                dev->ethtool_ops->get_rx_csum(dev) :
-                                ethtool_op_get_rx_csum(dev);
-                if (!rxcsum)
-                        return -EINVAL;
-                dev->features |= NETIF_F_GRO;
-        } else
-                dev->features &= ~NETIF_F_GRO;
-        return 0;
 }
 static int ethtool_self_test(struct net_device *dev, char __user *useraddr)
@@ -1287,17 +1618,13 @@ static int ethtool_self_test(struct net_device *dev, char __user *useraddr)
 static int ethtool_get_strings(struct net_device *dev, void __user *useraddr)
 {
        struct ethtool_gstrings gstrings;
-        const struct ethtool_ops *ops = dev->ethtool_ops;
        u8 *data;
        int ret;
-        if (!ops->get_strings || !ops->get_sset_count)
-                return -EOPNOTSUPP;
        if (copy_from_user(&gstrings, useraddr, sizeof(gstrings)))
                return -EFAULT;
-        ret = ops->get_sset_count(dev, gstrings.string_set);
+        ret = __ethtool_get_sset_count(dev, gstrings.string_set);
        if (ret < 0)
                return ret;
@@ -1307,7 +1634,7 @@ static int ethtool_get_strings(struct net_device *dev, void __user *useraddr)
        if (!data)
                return -ENOMEM;
-        ops->get_strings(dev, gstrings.string_set, data);
+        __ethtool_get_strings(dev, gstrings.string_set, data);
        ret = -EFAULT;
        if (copy_to_user(useraddr, &gstrings, sizeof(gstrings)))
@@ -1317,7 +1644,7 @@ static int ethtool_get_strings(struct net_device *dev, void __user *useraddr)
                goto out;
        ret = 0;
- out:
+out:
        kfree(data);
        return ret;
 }
@@ -1325,14 +1652,60 @@ static int ethtool_get_strings(struct net_device *dev, void __user *useraddr)
 static int ethtool_phys_id(struct net_device *dev, void __user *useraddr)
 {
        struct ethtool_value id;
+        static bool busy;
+        int rc;
-        if (!dev->ethtool_ops->phys_id)
+        if (!dev->ethtool_ops->set_phys_id)
                return -EOPNOTSUPP;
+        if (busy)
+                return -EBUSY;
        if (copy_from_user(&id, useraddr, sizeof(id)))
                return -EFAULT;
-        return dev->ethtool_ops->phys_id(dev, id.data);
+        rc = dev->ethtool_ops->set_phys_id(dev, ETHTOOL_ID_ACTIVE);
+        if (rc < 0)
+                return rc;
+        /* Drop the RTNL lock while waiting, but prevent reentry or
+         * removal of the device.
+         */
+        busy = true;
+        dev_hold(dev);
+        rtnl_unlock();
+        if (rc == 0) {
+                /* Driver will handle this itself */
+                schedule_timeout_interruptible(
+                        id.data ? (id.data * HZ) : MAX_SCHEDULE_TIMEOUT);
+        } else {
+                /* Driver expects to be called at twice the frequency in rc */
+                int n = rc * 2, i, interval = HZ / n;
+                /* Count down seconds */
+                do {
+                        /* Count down iterations per second */
+                        i = n;
+                        do {
+                                rtnl_lock();
+                                rc = dev->ethtool_ops->set_phys_id(dev,
+                                    (i & 1) ? ETHTOOL_ID_OFF : ETHTOOL_ID_ON);
+                                rtnl_unlock();
+                                if (rc)
+                                        break;
+                                schedule_timeout_interruptible(interval);
+                        } while (!signal_pending(current) && --i != 0);
+                } while (!signal_pending(current) &&
+                         (id.data == 0 || --id.data != 0));
+        }
+        rtnl_lock();
+        dev_put(dev);
+        busy = false;
+        (void)dev->ethtool_ops->set_phys_id(dev, ETHTOOL_ID_INACTIVE);
+        return rc;
 }
 static int ethtool_get_stats(struct net_device *dev, void __user *useraddr)
@@ -1450,6 +1823,87 @@ static noinline_for_stack int ethtool_flash_device(struct net_device *dev,
        return dev->ethtool_ops->flash_device(dev, &efl);
 }
+static int ethtool_set_dump(struct net_device *dev,
+                        void __user *useraddr)
+{
+        struct ethtool_dump dump;
+        if (!dev->ethtool_ops->set_dump)
+                return -EOPNOTSUPP;
+        if (copy_from_user(&dump, useraddr, sizeof(dump)))
+                return -EFAULT;
+        return dev->ethtool_ops->set_dump(dev, &dump);
+}
+static int ethtool_get_dump_flag(struct net_device *dev,
+                                void __user *useraddr)
+{
+        int ret;
+        struct ethtool_dump dump;
+        const struct ethtool_ops *ops = dev->ethtool_ops;
+        if (!dev->ethtool_ops->get_dump_flag)
+                return -EOPNOTSUPP;
+        if (copy_from_user(&dump, useraddr, sizeof(dump)))
+                return -EFAULT;
+        ret = ops->get_dump_flag(dev, &dump);
+        if (ret)
+                return ret;
+        if (copy_to_user(useraddr, &dump, sizeof(dump)))
+                return -EFAULT;
+        return 0;
+}
+static int ethtool_get_dump_data(struct net_device *dev,
+                                void __user *useraddr)
+{
+        int ret;
+        __u32 len;
+        struct ethtool_dump dump, tmp;
+        const struct ethtool_ops *ops = dev->ethtool_ops;
+        void *data = NULL;
+        if (!dev->ethtool_ops->get_dump_data ||
+                !dev->ethtool_ops->get_dump_flag)
+                return -EOPNOTSUPP;
+        if (copy_from_user(&dump, useraddr, sizeof(dump)))
+                return -EFAULT;
+        memset(&tmp, 0, sizeof(tmp));
+        tmp.cmd = ETHTOOL_GET_DUMP_FLAG;
+        ret = ops->get_dump_flag(dev, &tmp);
+        if (ret)
+                return ret;
+        len = (tmp.len > dump.len) ? dump.len : tmp.len;
+        if (!len)
+                return -EFAULT;
+        data = vzalloc(tmp.len);
+        if (!data)
+                return -ENOMEM;
+        ret = ops->get_dump_data(dev, &dump, data);
+        if (ret)
+                goto out;
+        if (copy_to_user(useraddr, &dump, sizeof(dump))) {
+                ret = -EFAULT;
+                goto out;
+        }
+        useraddr += offsetof(struct ethtool_dump, data);
+        if (copy_to_user(useraddr, data, len))
+                ret = -EFAULT;
+out:
+        vfree(data);
+        return ret;
+}
 /* The main entry point in this file.  Called from net/core/dev.c */
 int dev_ethtool(struct net *net, struct ifreq *ifr)
@@ -1458,7 +1912,7 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
        void __user *useraddr = ifr->ifr_data;
        u32 ethcmd;
        int rc;
-        unsigned long old_features;
+        u32 old_features;
        if (!dev || !netif_device_present(dev))
                return -ENODEV;
@@ -1500,6 +1954,7 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
        case ETHTOOL_GRXCLSRLCNT:
        case ETHTOOL_GRXCLSRULE:
        case ETHTOOL_GRXCLSRLALL:
+        case ETHTOOL_GFEATURES:
                break;
        default:
                if (!capable(CAP_NET_ADMIN))
@@ -1570,42 +2025,6 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
        case ETHTOOL_SPAUSEPARAM:
                rc = ethtool_set_pauseparam(dev, useraddr);
                break;
-        case ETHTOOL_GRXCSUM:
-                rc = ethtool_get_value(dev, useraddr, ethcmd,
-                                       (dev->ethtool_ops->get_rx_csum ?
-                                        dev->ethtool_ops->get_rx_csum :
-                                        ethtool_op_get_rx_csum));
-                break;
-        case ETHTOOL_SRXCSUM:
-                rc = ethtool_set_rx_csum(dev, useraddr);
-                break;
-        case ETHTOOL_GTXCSUM:
-                rc = ethtool_get_value(dev, useraddr, ethcmd,
-                                       (dev->ethtool_ops->get_tx_csum ?
-                                        dev->ethtool_ops->get_tx_csum :
-                                        ethtool_op_get_tx_csum));
-                break;
-        case ETHTOOL_STXCSUM:
-                rc = ethtool_set_tx_csum(dev, useraddr);
-                break;
-        case ETHTOOL_GSG:
-                rc = ethtool_get_value(dev, useraddr, ethcmd,
-                                       (dev->ethtool_ops->get_sg ?
-                                        dev->ethtool_ops->get_sg :
-                                        ethtool_op_get_sg));
-                break;
-        case ETHTOOL_SSG:
-                rc = ethtool_set_sg(dev, useraddr);
-                break;
-        case ETHTOOL_GTSO:
-                rc = ethtool_get_value(dev, useraddr, ethcmd,
-                                       (dev->ethtool_ops->get_tso ?
-                                        dev->ethtool_ops->get_tso :
-                                        ethtool_op_get_tso));
-                break;
-        case ETHTOOL_STSO:
-                rc = ethtool_set_tso(dev, useraddr);
-                break;
        case ETHTOOL_TEST:
                rc = ethtool_self_test(dev, useraddr);
                break;
@@ -1621,21 +2040,6 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
        case ETHTOOL_GPERMADDR:
                rc = ethtool_get_perm_addr(dev, useraddr);
                break;
-        case ETHTOOL_GUFO:
-                rc = ethtool_get_value(dev, useraddr, ethcmd,
-                                       (dev->ethtool_ops->get_ufo ?
-                                        dev->ethtool_ops->get_ufo :
-                                        ethtool_op_get_ufo));
-                break;
-        case ETHTOOL_SUFO:
-                rc = ethtool_set_ufo(dev, useraddr);
-                break;
-        case ETHTOOL_GGSO:
-                rc = ethtool_get_gso(dev, useraddr);
-                break;
-        case ETHTOOL_SGSO:
-                rc = ethtool_set_gso(dev, useraddr);
-                break;
        case ETHTOOL_GFLAGS:
                rc = ethtool_get_value(dev, useraddr, ethcmd,
                                       (dev->ethtool_ops->get_flags ?
@@ -1643,8 +2047,7 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
                                        ethtool_op_get_flags));
                break;
        case ETHTOOL_SFLAGS:
-                rc = ethtool_set_value(dev, useraddr,
+                rc = ethtool_set_value(dev, useraddr, __ethtool_set_flags);
-                                       dev->ethtool_ops->set_flags);
                break;
        case ETHTOOL_GPFLAGS:
                rc = ethtool_get_value(dev, useraddr, ethcmd,
@@ -1666,12 +2069,6 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
        case ETHTOOL_SRXCLSRLINS:
                rc = ethtool_set_rxnfc(dev, ethcmd, useraddr);
                break;
-        case ETHTOOL_GGRO:
-                rc = ethtool_get_gro(dev, useraddr);
-                break;
-        case ETHTOOL_SGRO:
-                rc = ethtool_set_gro(dev, useraddr);
-                break;
        case ETHTOOL_FLASHDEV:
                rc = ethtool_flash_device(dev, useraddr);
                break;
@@ -1693,6 +2090,45 @@ int dev_ethtool(struct net *net, struct ifreq *ifr)
        case ETHTOOL_SRXFHINDIR:
                rc = ethtool_set_rxfh_indir(dev, useraddr);
                break;
+        case ETHTOOL_GFEATURES:
+                rc = ethtool_get_features(dev, useraddr);
+                break;
+        case ETHTOOL_SFEATURES:
+                rc = ethtool_set_features(dev, useraddr);
+                break;
+        case ETHTOOL_GTXCSUM:
+        case ETHTOOL_GRXCSUM:
+        case ETHTOOL_GSG:
+        case ETHTOOL_GTSO:
+        case ETHTOOL_GUFO:
+        case ETHTOOL_GGSO:
+        case ETHTOOL_GGRO:
+                rc = ethtool_get_one_feature(dev, useraddr, ethcmd);
+                break;
+        case ETHTOOL_STXCSUM:
+        case ETHTOOL_SRXCSUM:
+        case ETHTOOL_SSG:
+        case ETHTOOL_STSO:
+        case ETHTOOL_SUFO:
+        case ETHTOOL_SGSO:
+        case ETHTOOL_SGRO:
+                rc = ethtool_set_one_feature(dev, useraddr, ethcmd);
+                break;
+        case ETHTOOL_GCHANNELS:
+                rc = ethtool_get_channels(dev, useraddr);
+                break;
+        case ETHTOOL_SCHANNELS:
+                rc = ethtool_set_channels(dev, useraddr);
+                break;
+        case ETHTOOL_SET_DUMP:
+                rc = ethtool_set_dump(dev, useraddr);
+                break;
+        case ETHTOOL_GET_DUMP_FLAG:
+                rc = ethtool_get_dump_flag(dev, useraddr);
+                break;
+        case ETHTOOL_GET_DUMP_DATA:
+                rc = ethtool_get_dump_data(dev, useraddr);
+                break;
        default:
                rc = -EOPNOTSUPP;
        }
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index a20e5d3bbfa0..3911586e12e4 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -181,13 +181,13 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
 {
        int ret = 0;
-        if (rule->iifindex && (rule->iifindex != fl->iif))
+        if (rule->iifindex && (rule->iifindex != fl->flowi_iif))
                goto out;
-        if (rule->oifindex && (rule->oifindex != fl->oif))
+        if (rule->oifindex && (rule->oifindex != fl->flowi_oif))
                goto out;
-        if ((rule->mark ^ fl->mark) & rule->mark_mask)
+        if ((rule->mark ^ fl->flowi_mark) & rule->mark_mask)
                goto out;
        ret = ops->match(rule, fl, flags);
@@ -590,7 +590,8 @@ static int dump_rules(struct sk_buff *skb, struct netlink_callback *cb,
        int idx = 0;
        struct fib_rule *rule;
-        list_for_each_entry(rule, &ops->rules_list, list) {
+        rcu_read_lock();
+        list_for_each_entry_rcu(rule, &ops->rules_list, list) {
                if (idx < cb->args[1])
                        goto skip;
diff --git a/net/core/filter.c b/net/core/filter.c
index afc58374ca96..0eb8c4466eaa 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -39,65 +39,6 @@
 #include <linux/filter.h>
 #include <linux/reciprocal_div.h>
-enum {
-        BPF_S_RET_K = 1,
-        BPF_S_RET_A,
-        BPF_S_ALU_ADD_K,
-        BPF_S_ALU_ADD_X,
-        BPF_S_ALU_SUB_K,
-        BPF_S_ALU_SUB_X,
-        BPF_S_ALU_MUL_K,
-        BPF_S_ALU_MUL_X,
-        BPF_S_ALU_DIV_X,
-        BPF_S_ALU_AND_K,
-        BPF_S_ALU_AND_X,
-        BPF_S_ALU_OR_K,
-        BPF_S_ALU_OR_X,
-        BPF_S_ALU_LSH_K,
-        BPF_S_ALU_LSH_X,
-        BPF_S_ALU_RSH_K,
-        BPF_S_ALU_RSH_X,
-        BPF_S_ALU_NEG,
-        BPF_S_LD_W_ABS,
-        BPF_S_LD_H_ABS,
-        BPF_S_LD_B_ABS,
-        BPF_S_LD_W_LEN,
-        BPF_S_LD_W_IND,
-        BPF_S_LD_H_IND,
-        BPF_S_LD_B_IND,
-        BPF_S_LD_IMM,
-        BPF_S_LDX_W_LEN,
-        BPF_S_LDX_B_MSH,
-        BPF_S_LDX_IMM,
-        BPF_S_MISC_TAX,
-        BPF_S_MISC_TXA,
-        BPF_S_ALU_DIV_K,
-        BPF_S_LD_MEM,
-        BPF_S_LDX_MEM,
-        BPF_S_ST,
-        BPF_S_STX,
-        BPF_S_JMP_JA,
-        BPF_S_JMP_JEQ_K,
-        BPF_S_JMP_JEQ_X,
-        BPF_S_JMP_JGE_K,
-        BPF_S_JMP_JGE_X,
-        BPF_S_JMP_JGT_K,
-        BPF_S_JMP_JGT_X,
-        BPF_S_JMP_JSET_K,
-        BPF_S_JMP_JSET_X,
-        /* Ancillary data */
-        BPF_S_ANC_PROTOCOL,
-        BPF_S_ANC_PKTTYPE,
-        BPF_S_ANC_IFINDEX,
-        BPF_S_ANC_NLATTR,
-        BPF_S_ANC_NLATTR_NEST,
-        BPF_S_ANC_MARK,
-        BPF_S_ANC_QUEUE,
-        BPF_S_ANC_HATYPE,
-        BPF_S_ANC_RXHASH,
-        BPF_S_ANC_CPU,
-};
 /* No hurry in this branch */
 static void *__load_pointer(const struct sk_buff *skb, int k, unsigned int size)
 {
@@ -142,14 +83,14 @@ int sk_filter(struct sock *sk, struct sk_buff *skb)
        if (err)
                return err;
-        rcu_read_lock_bh();
+        rcu_read_lock();
-        filter = rcu_dereference_bh(sk->sk_filter);
+        filter = rcu_dereference(sk->sk_filter);
        if (filter) {
-                unsigned int pkt_len = sk_run_filter(skb, filter->insns);
+                unsigned int pkt_len = SK_RUN_FILTER(filter, skb);
                err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
        }
-        rcu_read_unlock_bh();
+        rcu_read_unlock();
        return err;
 }
@@ -425,7 +366,7 @@ EXPORT_SYMBOL(sk_run_filter);
 * As we dont want to clear mem[] array for each packet going through
 * sk_run_filter(), we check that filter loaded by user never try to read
 * a cell if not previously written, and we check all branches to be sure
- * a malicious user doesnt try to abuse us.
+ * a malicious user doesn't try to abuse us.
 */
 static int check_load_and_stores(struct sock_filter *filter, int flen)
 {
@@ -638,6 +579,7 @@ void sk_filter_release_rcu(struct rcu_head *rcu)
 {
        struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu);
+        bpf_jit_free(fp);
        kfree(fp);
 }
 EXPORT_SYMBOL(sk_filter_release_rcu);
@@ -672,6 +614,7 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
        atomic_set(&fp->refcnt, 1);
        fp->len = fprog->len;
+        fp->bpf_func = sk_run_filter;
        err = sk_chk_filter(fp->insns, fp->len);
        if (err) {
@@ -679,6 +622,8 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
                return err;
        }
+        bpf_jit_compile(fp);
        old_fp = rcu_dereference_protected(sk->sk_filter,
                                           sock_owned_by_user(sk));
        rcu_assign_pointer(sk->sk_filter, fp);
diff --git a/net/core/flow.c b/net/core/flow.c
index 127c8a7ffd61..990703b8863b 100644
--- a/net/core/flow.c
+++ b/net/core/flow.c
@@ -172,9 +172,9 @@ static void flow_new_hash_rnd(struct flow_cache *fc,
 static u32 flow_hash_code(struct flow_cache *fc,
                          struct flow_cache_percpu *fcp,
-                          struct flowi *key)
+                          const struct flowi *key)
 {
-        u32 *k = (u32 *) key;
+        const u32 *k = (const u32 *) key;
        return jhash2(k, (sizeof(*key) / sizeof(u32)), fcp->hash_rnd)
                & (flow_cache_hash_size(fc) - 1);
@@ -186,17 +186,17 @@ typedef unsigned long flow_compare_t;
 * important assumptions that we can here, such as alignment and
 * constant size.
 */
-static int flow_key_compare(struct flowi *key1, struct flowi *key2)
+static int flow_key_compare(const struct flowi *key1, const struct flowi *key2)
 {
-        flow_compare_t *k1, *k1_lim, *k2;
+        const flow_compare_t *k1, *k1_lim, *k2;
        const int n_elem = sizeof(struct flowi) / sizeof(flow_compare_t);
        BUILD_BUG_ON(sizeof(struct flowi) % sizeof(flow_compare_t));
-        k1 = (flow_compare_t *) key1;
+        k1 = (const flow_compare_t *) key1;
        k1_lim = k1 + n_elem;
-        k2 = (flow_compare_t *) key2;
+        k2 = (const flow_compare_t *) key2;
        do {
                if (*k1++ != *k2++)
@@ -207,7 +207,7 @@ static int flow_key_compare(struct flowi *key1, struct flowi *key2)
 }
 struct flow_cache_object *
-flow_cache_lookup(struct net *net, struct flowi *key, u16 family, u8 dir,
+flow_cache_lookup(struct net *net, const struct flowi *key, u16 family, u8 dir,
                  flow_resolve_t resolver, void *ctx)
 {
        struct flow_cache *fc = &flow_cache_global;
diff --git a/net/core/gen_estimator.c b/net/core/gen_estimator.c
index 7c2373321b74..43b03dd71e85 100644
--- a/net/core/gen_estimator.c
+++ b/net/core/gen_estimator.c
@@ -249,13 +249,6 @@ int gen_new_estimator(struct gnet_stats_basic_packed *bstats,
 }
 EXPORT_SYMBOL(gen_new_estimator);
-static void __gen_kill_estimator(struct rcu_head *head)
-{
-        struct gen_estimator *e = container_of(head,
-                                        struct gen_estimator, e_rcu);
-        kfree(e);
-}
 /**
 * gen_kill_estimator - remove a rate estimator
 * @bstats: basic statistics
@@ -279,7 +272,7 @@ void gen_kill_estimator(struct gnet_stats_basic_packed *bstats,
                write_unlock(&est_lock);
                list_del_rcu(&e->list);
-                call_rcu(&e->e_rcu, __gen_kill_estimator);
+                kfree_rcu(e, e_rcu);
        }
        spin_unlock_bh(&est_tree_lock);
 }
diff --git a/net/core/link_watch.c b/net/core/link_watch.c
index 01a1101b5936..a7b342131869 100644
--- a/net/core/link_watch.c
+++ b/net/core/link_watch.c
@@ -129,7 +129,7 @@ static void linkwatch_schedule_work(int urgent)
        if (!cancel_delayed_work(&linkwatch_work))
                return;
-        /* Otherwise we reschedule it again for immediate exection. */
+        /* Otherwise we reschedule it again for immediate execution. */
        schedule_delayed_work(&linkwatch_work, 0);
 }
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 60a902913429..799f06e03a22 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -316,7 +316,7 @@ static struct neigh_hash_table *neigh_hash_alloc(unsigned int entries)
 {
        size_t size = entries * sizeof(struct neighbour *);
        struct neigh_hash_table *ret;
-        struct neighbour **buckets;
+        struct neighbour __rcu **buckets;
        ret = kmalloc(sizeof(*ret), GFP_ATOMIC);
        if (!ret)
@@ -324,14 +324,14 @@ static struct neigh_hash_table *neigh_hash_alloc(unsigned int entries)
        if (size <= PAGE_SIZE)
                buckets = kzalloc(size, GFP_ATOMIC);
        else
-                buckets = (struct neighbour **)
+                buckets = (struct neighbour __rcu **)
                          __get_free_pages(GFP_ATOMIC | __GFP_ZERO,
                                           get_order(size));
        if (!buckets) {
                kfree(ret);
                return NULL;
        }
-        rcu_assign_pointer(ret->hash_buckets, buckets);
+        ret->hash_buckets = buckets;
        ret->hash_mask = entries - 1;
        get_random_bytes(&ret->hash_rnd, sizeof(ret->hash_rnd));
        return ret;
@@ -343,7 +343,7 @@ static void neigh_hash_free_rcu(struct rcu_head *head)
                                                    struct neigh_hash_table,
                                                    rcu);
        size_t size = (nht->hash_mask + 1) * sizeof(struct neighbour *);
-        struct neighbour **buckets = nht->hash_buckets;
+        struct neighbour __rcu **buckets = nht->hash_buckets;
        if (size <= PAGE_SIZE)
                kfree(buckets);
@@ -1540,7 +1540,7 @@ void neigh_table_init_no_netlink(struct neigh_table *tbl)
                panic("cannot create neighbour proc dir entry");
 #endif
-        tbl->nht = neigh_hash_alloc(8);
+        RCU_INIT_POINTER(tbl->nht, neigh_hash_alloc(8));
        phsize = (PNEIGH_HASHMASK + 1) * sizeof(struct pneigh_entry *);
        tbl->phash_buckets = kzalloc(phsize, GFP_KERNEL);
@@ -1602,7 +1602,8 @@ int neigh_table_clear(struct neigh_table *tbl)
        }
        write_unlock(&neigh_tbl_lock);
-        call_rcu(&tbl->nht->rcu, neigh_hash_free_rcu);
+        call_rcu(&rcu_dereference_protected(tbl->nht, 1)->rcu,
+                 neigh_hash_free_rcu);
        tbl->nht = NULL;
        kfree(tbl->phash_buckets);
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index e23c01be5a5b..11b98bc2aa8f 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -28,6 +28,7 @@
 static const char fmt_hex[] = "%#x\n";
 static const char fmt_long_hex[] = "%#lx\n";
 static const char fmt_dec[] = "%d\n";
+static const char fmt_udec[] = "%u\n";
 static const char fmt_ulong[] = "%lu\n";
 static const char fmt_u64[] = "%llu\n";
@@ -99,7 +100,7 @@ NETDEVICE_SHOW(addr_assign_type, fmt_dec);
 NETDEVICE_SHOW(addr_len, fmt_dec);
 NETDEVICE_SHOW(iflink, fmt_dec);
 NETDEVICE_SHOW(ifindex, fmt_dec);
-NETDEVICE_SHOW(features, fmt_long_hex);
+NETDEVICE_SHOW(features, fmt_hex);
 NETDEVICE_SHOW(type, fmt_dec);
 NETDEVICE_SHOW(link_mode, fmt_dec);
@@ -145,13 +146,10 @@ static ssize_t show_speed(struct device *dev,
        if (!rtnl_trylock())
                return restart_syscall();
-        if (netif_running(netdev) &&
+        if (netif_running(netdev)) {
-            netdev->ethtool_ops &&
+                struct ethtool_cmd cmd;
-            netdev->ethtool_ops->get_settings) {
+                if (!dev_ethtool_get_settings(netdev, &cmd))
-                struct ethtool_cmd cmd = { ETHTOOL_GSET };
+                        ret = sprintf(buf, fmt_udec, ethtool_cmd_speed(&cmd));
-                if (!netdev->ethtool_ops->get_settings(netdev, &cmd))
-                        ret = sprintf(buf, fmt_dec, ethtool_cmd_speed(&cmd));
        }
        rtnl_unlock();
        return ret;
@@ -166,13 +164,11 @@ static ssize_t show_duplex(struct device *dev,
        if (!rtnl_trylock())
                return restart_syscall();
-        if (netif_running(netdev) &&
+        if (netif_running(netdev)) {
-            netdev->ethtool_ops &&
+                struct ethtool_cmd cmd;
-            netdev->ethtool_ops->get_settings) {
+                if (!dev_ethtool_get_settings(netdev, &cmd))
-                struct ethtool_cmd cmd = { ETHTOOL_GSET };
+                        ret = sprintf(buf, "%s\n",
+                                      cmd.duplex ? "full" : "half");
-                if (!netdev->ethtool_ops->get_settings(netdev, &cmd))
-                        ret = sprintf(buf, "%s\n", cmd.duplex ? "full" : "half");
        }
        rtnl_unlock();
        return ret;
@@ -295,6 +291,20 @@ static ssize_t show_ifalias(struct device *dev,
        return ret;
 }
+NETDEVICE_SHOW(group, fmt_dec);
+static int change_group(struct net_device *net, unsigned long new_group)
+{
+        dev_set_group(net, (int) new_group);
+        return 0;
+}
+static ssize_t store_group(struct device *dev, struct device_attribute *attr,
+                         const char *buf, size_t len)
+{
+        return netdev_store(dev, attr, buf, len, change_group);
+}
 static struct device_attribute net_class_attributes[] = {
        __ATTR(addr_assign_type, S_IRUGO, show_addr_assign_type, NULL),
        __ATTR(addr_len, S_IRUGO, show_addr_len, NULL),
@@ -316,6 +326,7 @@ static struct device_attribute net_class_attributes[] = {
        __ATTR(flags, S_IRUGO | S_IWUSR, show_flags, store_flags),
        __ATTR(tx_queue_len, S_IRUGO | S_IWUSR, show_tx_queue_len,
               store_tx_queue_len),
+        __ATTR(netdev_group, S_IRUGO | S_IWUSR, show_group, store_group),
        {}
 };
@@ -550,13 +561,6 @@ static ssize_t show_rps_map(struct netdev_rx_queue *queue,
        return len;
 }
-static void rps_map_release(struct rcu_head *rcu)
-{
-        struct rps_map *map = container_of(rcu, struct rps_map, rcu);
-        kfree(map);
-}
 static ssize_t store_rps_map(struct netdev_rx_queue *queue,
                      struct rx_queue_attribute *attribute,
                      const char *buf, size_t len)
@@ -604,7 +608,7 @@ static ssize_t store_rps_map(struct netdev_rx_queue *queue,
        spin_unlock(&rps_map_lock);
        if (old_map)
-                call_rcu(&old_map->rcu, rps_map_release);
+                kfree_rcu(old_map, rcu);
        free_cpumask_var(mask);
        return len;
@@ -713,7 +717,7 @@ static void rx_queue_release(struct kobject *kobj)
        map = rcu_dereference_raw(queue->rps_map);
        if (map) {
                RCU_INIT_POINTER(queue->rps_map, NULL);
-                call_rcu(&map->rcu, rps_map_release);
+                kfree_rcu(map, rcu);
        }
        flow_table = rcu_dereference_raw(queue->rps_flow_table);
@@ -883,21 +887,6 @@ static ssize_t show_xps_map(struct netdev_queue *queue,
        return len;
 }
-static void xps_map_release(struct rcu_head *rcu)
-{
-        struct xps_map *map = container_of(rcu, struct xps_map, rcu);
-        kfree(map);
-}
-static void xps_dev_maps_release(struct rcu_head *rcu)
-{
-        struct xps_dev_maps *dev_maps =
-            container_of(rcu, struct xps_dev_maps, rcu);
-        kfree(dev_maps);
-}
 static DEFINE_MUTEX(xps_map_mutex);
 #define xmap_dereference(P)             \
        rcu_dereference_protected((P), lockdep_is_held(&xps_map_mutex))
@@ -953,7 +942,7 @@ static ssize_t store_xps_map(struct netdev_queue *queue,
                } else
                        pos = map_len = alloc_len = 0;
-                need_set = cpu_isset(cpu, *mask) && cpu_online(cpu);
+                need_set = cpumask_test_cpu(cpu, mask) && cpu_online(cpu);
 #ifdef CONFIG_NUMA
                if (need_set) {
                        if (numa_node == -2)
@@ -994,7 +983,7 @@ static ssize_t store_xps_map(struct netdev_queue *queue,
                map = dev_maps ?
                        xmap_dereference(dev_maps->cpu_map[cpu]) : NULL;
                if (map && xmap_dereference(new_dev_maps->cpu_map[cpu]) != map)
-                        call_rcu(&map->rcu, xps_map_release);
+                        kfree_rcu(map, rcu);
                if (new_dev_maps->cpu_map[cpu])
                        nonempty = 1;
        }
@@ -1007,7 +996,7 @@ static ssize_t store_xps_map(struct netdev_queue *queue,
        }
        if (dev_maps)
-                call_rcu(&dev_maps->rcu, xps_dev_maps_release);
+                kfree_rcu(dev_maps, rcu);
        netdev_queue_numa_node_write(queue, (numa_node >= 0) ? numa_node :
                                            NUMA_NO_NODE);
@@ -1069,7 +1058,7 @@ static void netdev_queue_release(struct kobject *kobj)
                                else {
                                        RCU_INIT_POINTER(dev_maps->cpu_map[i],
                                            NULL);
-                                        call_rcu(&map->rcu, xps_map_release);
+                                        kfree_rcu(map, rcu);
                                        map = NULL;
                                }
                        }
@@ -1079,7 +1068,7 @@ static void netdev_queue_release(struct kobject *kobj)
                if (!nonempty) {
                        RCU_INIT_POINTER(dev->xps_maps, NULL);
-                        call_rcu(&dev_maps->rcu, xps_dev_maps_release);
+                        kfree_rcu(dev_maps, rcu);
                }
        }
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 3f860261c5ee..2e2dce6583e1 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -27,14 +27,6 @@ EXPORT_SYMBOL(init_net);
 #define INITIAL_NET_GEN_PTRS    13 /* +1 for len +2 for rcu_head */
-static void net_generic_release(struct rcu_head *rcu)
-{
-        struct net_generic *ng;
-        ng = container_of(rcu, struct net_generic, rcu);
-        kfree(ng);
-}
 static int net_assign_generic(struct net *net, int id, void *data)
 {
        struct net_generic *ng, *old_ng;
@@ -68,7 +60,7 @@ static int net_assign_generic(struct net *net, int id, void *data)
        memcpy(&ng->ptr, &old_ng->ptr, old_ng->len * sizeof(void*));
        rcu_assign_pointer(net->gen, ng);
-        call_rcu(&old_ng->rcu, net_generic_release);
+        kfree_rcu(old_ng, rcu);
 assign:
        ng->ptr[id - 1] = data;
        return 0;
@@ -216,11 +208,14 @@ static void net_free(struct net *net)
        kmem_cache_free(net_cachep, net);
 }
-static struct net *net_create(void)
+struct net *copy_net_ns(unsigned long flags, struct net *old_net)
 {
        struct net *net;
        int rv;
+        if (!(flags & CLONE_NEWNET))
+                return get_net(old_net);
        net = net_alloc();
        if (!net)
                return ERR_PTR(-ENOMEM);
@@ -239,13 +234,6 @@ static struct net *net_create(void)
        return net;
 }
-struct net *copy_net_ns(unsigned long flags, struct net *old_net)
-{
-        if (!(flags & CLONE_NEWNET))
-                return get_net(old_net);
-        return net_create();
-}
 static DEFINE_SPINLOCK(cleanup_list_lock);
 static LIST_HEAD(cleanup_list);  /* Must hold cleanup_list_lock to touch */
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 02dc2cbcbe86..2d7d6d473781 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -193,6 +193,17 @@ void netpoll_poll_dev(struct net_device *dev)
        poll_napi(dev);
+        if (dev->priv_flags & IFF_SLAVE) {
+                if (dev->npinfo) {
+                        struct net_device *bond_dev = dev->master;
+                        struct sk_buff *skb;
+                        while ((skb = skb_dequeue(&dev->npinfo->arp_tx))) {
+                                skb->dev = bond_dev;
+                                skb_queue_tail(&bond_dev->npinfo->arp_tx, skb);
+                        }
+                }
+        }
        service_arp_queue(dev->npinfo);
        zap_completion_queue();
@@ -313,9 +324,7 @@ void netpoll_send_skb_on_dev(struct netpoll *np, struct sk_buff *skb,
                     tries > 0; --tries) {
                        if (__netif_tx_trylock(txq)) {
                                if (!netif_tx_queue_stopped(txq)) {
-                                        dev->priv_flags |= IFF_IN_NETPOLL;
                                        status = ops->ndo_start_xmit(skb, dev);
-                                        dev->priv_flags &= ~IFF_IN_NETPOLL;
                                        if (status == NETDEV_TX_OK)
                                                txq_trans_update(txq);
                                }
@@ -530,7 +539,7 @@ int __netpoll_rx(struct sk_buff *skb)
 {
        int proto, len, ulen;
        int hits = 0;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct udphdr *uh;
        struct netpoll_info *npinfo = skb->dev->npinfo;
        struct netpoll *np, *tmp;
@@ -689,32 +698,8 @@ int netpoll_parse_options(struct netpoll *np, char *opt)
        if (*cur != 0) {
                /* MAC address */
-                if ((delim = strchr(cur, ':')) == NULL)
+                if (!mac_pton(cur, np->remote_mac))
-                        goto parse_failed;
-                *delim = 0;
-                np->remote_mac[0] = simple_strtol(cur, NULL, 16);
-                cur = delim + 1;
-                if ((delim = strchr(cur, ':')) == NULL)
                        goto parse_failed;
-                *delim = 0;
-                np->remote_mac[1] = simple_strtol(cur, NULL, 16);
-                cur = delim + 1;
-                if ((delim = strchr(cur, ':')) == NULL)
-                        goto parse_failed;
-                *delim = 0;
-                np->remote_mac[2] = simple_strtol(cur, NULL, 16);
-                cur = delim + 1;
-                if ((delim = strchr(cur, ':')) == NULL)
-                        goto parse_failed;
-                *delim = 0;
-                np->remote_mac[3] = simple_strtol(cur, NULL, 16);
-                cur = delim + 1;
-                if ((delim = strchr(cur, ':')) == NULL)
-                        goto parse_failed;
-                *delim = 0;
-                np->remote_mac[4] = simple_strtol(cur, NULL, 16);
-                cur = delim + 1;
-                np->remote_mac[5] = simple_strtol(cur, NULL, 16);
        }
        netpoll_print_options(np);
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index a9e7fc4c461f..67870e9fd097 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -156,6 +156,7 @@
 #include <linux/wait.h>
 #include <linux/etherdevice.h>
 #include <linux/kthread.h>
+#include <linux/prefetch.h>
 #include <net/net_namespace.h>
 #include <net/checksum.h>
 #include <net/ipv6.h>
@@ -251,6 +252,7 @@ struct pktgen_dev {
        int max_pkt_size;       /* = ETH_ZLEN; */
        int pkt_overhead;       /* overhead for MPLS, VLANs, IPSEC etc */
        int nfrags;
+        struct page *page;
        u64 delay;              /* nano-seconds */
        __u64 count;            /* Default No packets to send */
@@ -448,7 +450,6 @@ static void pktgen_stop(struct pktgen_thread *t);
 static void pktgen_clear_counters(struct pktgen_dev *pkt_dev);
 static unsigned int scan_ip6(const char *s, char ip[16]);
-static unsigned int fmt_ip6(char *s, const char ip[16]);
 /* Module parameters, defaults. */
 static int pg_count_d __read_mostly = 1000;
@@ -555,21 +556,13 @@ static int pktgen_if_show(struct seq_file *seq, void *v)
                           pkt_dev->skb_priority);
        if (pkt_dev->flags & F_IPV6) {
-                char b1[128], b2[128], b3[128];
-                fmt_ip6(b1, pkt_dev->in6_saddr.s6_addr);
-                fmt_ip6(b2, pkt_dev->min_in6_saddr.s6_addr);
-                fmt_ip6(b3, pkt_dev->max_in6_saddr.s6_addr);
                seq_printf(seq,
-                           "     saddr: %s  min_saddr: %s  max_saddr: %s\n", b1,
+                           "     saddr: %pI6c  min_saddr: %pI6c  max_saddr: %pI6c\n"
-                           b2, b3);
+                           "     daddr: %pI6c  min_daddr: %pI6c  max_daddr: %pI6c\n",
+                           &pkt_dev->in6_saddr,
-                fmt_ip6(b1, pkt_dev->in6_daddr.s6_addr);
+                           &pkt_dev->min_in6_saddr, &pkt_dev->max_in6_saddr,
-                fmt_ip6(b2, pkt_dev->min_in6_daddr.s6_addr);
+                           &pkt_dev->in6_daddr,
-                fmt_ip6(b3, pkt_dev->max_in6_daddr.s6_addr);
+                           &pkt_dev->min_in6_daddr, &pkt_dev->max_in6_daddr);
-                seq_printf(seq,
-                           "     daddr: %s  min_daddr: %s  max_daddr: %s\n", b1,
-                           b2, b3);
        } else {
                seq_printf(seq,
                           "     dst_min: %s  dst_max: %s\n",
@@ -705,10 +698,9 @@ static int pktgen_if_show(struct seq_file *seq, void *v)
                   pkt_dev->cur_src_mac_offset);
        if (pkt_dev->flags & F_IPV6) {
-                char b1[128], b2[128];
+                seq_printf(seq, "     cur_saddr: %pI6c  cur_daddr: %pI6c\n",
-                fmt_ip6(b1, pkt_dev->cur_in6_daddr.s6_addr);
+                                &pkt_dev->cur_in6_saddr,
-                fmt_ip6(b2, pkt_dev->cur_in6_saddr.s6_addr);
+                                &pkt_dev->cur_in6_daddr);
-                seq_printf(seq, "     cur_saddr: %s  cur_daddr: %s\n", b2, b1);
        } else
                seq_printf(seq, "     cur_saddr: 0x%x  cur_daddr: 0x%x\n",
                           pkt_dev->cur_saddr, pkt_dev->cur_daddr);
@@ -1134,6 +1126,10 @@ static ssize_t pktgen_if_write(struct file *file,
                if (node_possible(value)) {
                        pkt_dev->node = value;
                        sprintf(pg_result, "OK: node=%d", pkt_dev->node);
+                        if (pkt_dev->page) {
+                                put_page(pkt_dev->page);
+                                pkt_dev->page = NULL;
+                        }
                }
                else
                        sprintf(pg_result, "ERROR: node not possible");
@@ -1304,7 +1300,7 @@ static ssize_t pktgen_if_write(struct file *file,
                buf[len] = 0;
                scan_ip6(buf, pkt_dev->in6_daddr.s6_addr);
-                fmt_ip6(buf, pkt_dev->in6_daddr.s6_addr);
+                snprintf(buf, sizeof(buf), "%pI6c", &pkt_dev->in6_daddr);
                ipv6_addr_copy(&pkt_dev->cur_in6_daddr, &pkt_dev->in6_daddr);
@@ -1327,7 +1323,7 @@ static ssize_t pktgen_if_write(struct file *file,
                buf[len] = 0;
                scan_ip6(buf, pkt_dev->min_in6_daddr.s6_addr);
-                fmt_ip6(buf, pkt_dev->min_in6_daddr.s6_addr);
+                snprintf(buf, sizeof(buf), "%pI6c", &pkt_dev->min_in6_daddr);
                ipv6_addr_copy(&pkt_dev->cur_in6_daddr,
                               &pkt_dev->min_in6_daddr);
@@ -1350,7 +1346,7 @@ static ssize_t pktgen_if_write(struct file *file,
                buf[len] = 0;
                scan_ip6(buf, pkt_dev->max_in6_daddr.s6_addr);
-                fmt_ip6(buf, pkt_dev->max_in6_daddr.s6_addr);
+                snprintf(buf, sizeof(buf), "%pI6c", &pkt_dev->max_in6_daddr);
                if (debug)
                        printk(KERN_DEBUG "pktgen: dst6_max set to: %s\n", buf);
@@ -1371,7 +1367,7 @@ static ssize_t pktgen_if_write(struct file *file,
                buf[len] = 0;
                scan_ip6(buf, pkt_dev->in6_saddr.s6_addr);
-                fmt_ip6(buf, pkt_dev->in6_saddr.s6_addr);
+                snprintf(buf, sizeof(buf), "%pI6c", &pkt_dev->in6_saddr);
                ipv6_addr_copy(&pkt_dev->cur_in6_saddr, &pkt_dev->in6_saddr);
@@ -1425,11 +1421,6 @@ static ssize_t pktgen_if_write(struct file *file,
                return count;
        }
        if (!strcmp(name, "dst_mac")) {
-                char *v = valstr;
-                unsigned char old_dmac[ETH_ALEN];
-                unsigned char *m = pkt_dev->dst_mac;
-                memcpy(old_dmac, pkt_dev->dst_mac, ETH_ALEN);
                len = strn_len(&user_buffer[i], sizeof(valstr) - 1);
                if (len < 0)
                        return len;
@@ -1437,35 +1428,16 @@ static ssize_t pktgen_if_write(struct file *file,
                memset(valstr, 0, sizeof(valstr));
                if (copy_from_user(valstr, &user_buffer[i], len))
                        return -EFAULT;
-                i += len;
-                for (*m = 0; *v && m < pkt_dev->dst_mac + 6; v++) {
-                        int value;
-                        value = hex_to_bin(*v);
-                        if (value >= 0)
-                                *m = *m * 16 + value;
-                        if (*v == ':') {
-                                m++;
-                                *m = 0;
-                        }
-                }
+                if (!mac_pton(valstr, pkt_dev->dst_mac))
+                        return -EINVAL;
                /* Set up Dest MAC */
-                if (compare_ether_addr(old_dmac, pkt_dev->dst_mac))
+                memcpy(&pkt_dev->hh[0], pkt_dev->dst_mac, ETH_ALEN);
-                        memcpy(&(pkt_dev->hh[0]), pkt_dev->dst_mac, ETH_ALEN);
-                sprintf(pg_result, "OK: dstmac");
+                sprintf(pg_result, "OK: dstmac %pM", pkt_dev->dst_mac);
                return count;
        }
        if (!strcmp(name, "src_mac")) {
-                char *v = valstr;
-                unsigned char old_smac[ETH_ALEN];
-                unsigned char *m = pkt_dev->src_mac;
-                memcpy(old_smac, pkt_dev->src_mac, ETH_ALEN);
                len = strn_len(&user_buffer[i], sizeof(valstr) - 1);
                if (len < 0)
                        return len;
@@ -1473,26 +1445,13 @@ static ssize_t pktgen_if_write(struct file *file,
                memset(valstr, 0, sizeof(valstr));
                if (copy_from_user(valstr, &user_buffer[i], len))
                        return -EFAULT;
-                i += len;
-                for (*m = 0; *v && m < pkt_dev->src_mac + 6; v++) {
-                        int value;
-                        value = hex_to_bin(*v);
-                        if (value >= 0)
-                                *m = *m * 16 + value;
-                        if (*v == ':') {
-                                m++;
-                                *m = 0;
-                        }
-                }
+                if (!mac_pton(valstr, pkt_dev->src_mac))
+                        return -EINVAL;
                /* Set up Src MAC */
-                if (compare_ether_addr(old_smac, pkt_dev->src_mac))
+                memcpy(&pkt_dev->hh[6], pkt_dev->src_mac, ETH_ALEN);
-                        memcpy(&(pkt_dev->hh[6]), pkt_dev->src_mac, ETH_ALEN);
-                sprintf(pg_result, "OK: srcmac");
+                sprintf(pg_result, "OK: srcmac %pM", pkt_dev->src_mac);
                return count;
        }
@@ -2509,7 +2468,6 @@ static int pktgen_output_ipsec(struct sk_buff *skb, struct pktgen_dev *pkt_dev)
 {
        struct xfrm_state *x = pkt_dev->flows[pkt_dev->curfl].x;
        int err = 0;
-        struct iphdr *iph;
        if (!x)
                return 0;
@@ -2519,7 +2477,6 @@ static int pktgen_output_ipsec(struct sk_buff *skb, struct pktgen_dev *pkt_dev)
                return 0;
        spin_lock(&x->lock);
-        iph = ip_hdr(skb);
        err = x->outer_mode->output(x, skb);
        if (err)
@@ -2605,6 +2562,72 @@ static inline __be16 build_tci(unsigned int id, unsigned int cfi,
        return htons(id | (cfi << 12) | (prio << 13));
 }
+static void pktgen_finalize_skb(struct pktgen_dev *pkt_dev, struct sk_buff *skb,
+                                int datalen)
+{
+        struct timeval timestamp;
+        struct pktgen_hdr *pgh;
+        pgh = (struct pktgen_hdr *)skb_put(skb, sizeof(*pgh));
+        datalen -= sizeof(*pgh);
+        if (pkt_dev->nfrags <= 0) {
+                memset(skb_put(skb, datalen), 0, datalen);
+        } else {
+                int frags = pkt_dev->nfrags;
+                int i, len;
+                int frag_len;
+                if (frags > MAX_SKB_FRAGS)
+                        frags = MAX_SKB_FRAGS;
+                len = datalen - frags * PAGE_SIZE;
+                if (len > 0) {
+                        memset(skb_put(skb, len), 0, len);
+                        datalen = frags * PAGE_SIZE;
+                }
+                i = 0;
+                frag_len = (datalen/frags) < PAGE_SIZE ?
+                           (datalen/frags) : PAGE_SIZE;
+                while (datalen > 0) {
+                        if (unlikely(!pkt_dev->page)) {
+                                int node = numa_node_id();
+                                if (pkt_dev->node >= 0 && (pkt_dev->flags & F_NODE))
+                                        node = pkt_dev->node;
+                                pkt_dev->page = alloc_pages_node(node, GFP_KERNEL | __GFP_ZERO, 0);
+                                if (!pkt_dev->page)
+                                        break;
+                        }
+                        skb_shinfo(skb)->frags[i].page = pkt_dev->page;
+                        get_page(pkt_dev->page);
+                        skb_shinfo(skb)->frags[i].page_offset = 0;
+                        /*last fragment, fill rest of data*/
+                        if (i == (frags - 1))
+                                skb_shinfo(skb)->frags[i].size =
+                                    (datalen < PAGE_SIZE ? datalen : PAGE_SIZE);
+                        else
+                                skb_shinfo(skb)->frags[i].size = frag_len;
+                        datalen -= skb_shinfo(skb)->frags[i].size;
+                        skb->len += skb_shinfo(skb)->frags[i].size;
+                        skb->data_len += skb_shinfo(skb)->frags[i].size;
+                        i++;
+                        skb_shinfo(skb)->nr_frags = i;
+                }
+        }
+        /* Stamp the time, and sequence number,
+         * convert them to network byte order
+         */
+        pgh->pgh_magic = htonl(PKTGEN_MAGIC);
+        pgh->seq_num = htonl(pkt_dev->seq_num);
+        do_gettimeofday(&timestamp);
+        pgh->tv_sec = htonl(timestamp.tv_sec);
+        pgh->tv_usec = htonl(timestamp.tv_usec);
+}
 static struct sk_buff *fill_packet_ipv4(struct net_device *odev,
                                        struct pktgen_dev *pkt_dev)
 {
@@ -2613,7 +2636,6 @@ static struct sk_buff *fill_packet_ipv4(struct net_device *odev,
        struct udphdr *udph;
        int datalen, iplen;
        struct iphdr *iph;
-        struct pktgen_hdr *pgh = NULL;
        __be16 protocol = htons(ETH_P_IP);
        __be32 *mpls;
        __be16 *vlan_tci = NULL;                 /* Encapsulates priority and VLAN ID */
@@ -2729,76 +2751,7 @@ static struct sk_buff *fill_packet_ipv4(struct net_device *odev,
                           pkt_dev->pkt_overhead);
        skb->dev = odev;
        skb->pkt_type = PACKET_HOST;
+        pktgen_finalize_skb(pkt_dev, skb, datalen);
-        if (pkt_dev->nfrags <= 0) {
-                pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
-                memset(pgh + 1, 0, datalen - sizeof(struct pktgen_hdr));
-        } else {
-                int frags = pkt_dev->nfrags;
-                int i, len;
-                pgh = (struct pktgen_hdr *)(((char *)(udph)) + 8);
-                if (frags > MAX_SKB_FRAGS)
-                        frags = MAX_SKB_FRAGS;
-                if (datalen > frags * PAGE_SIZE) {
-                        len = datalen - frags * PAGE_SIZE;
-                        memset(skb_put(skb, len), 0, len);
-                        datalen = frags * PAGE_SIZE;
-                }
-                i = 0;
-                while (datalen > 0) {
-                        struct page *page = alloc_pages(GFP_KERNEL | __GFP_ZERO, 0);
-                        skb_shinfo(skb)->frags[i].page = page;
-                        skb_shinfo(skb)->frags[i].page_offset = 0;
-                        skb_shinfo(skb)->frags[i].size =
-                            (datalen < PAGE_SIZE ? datalen : PAGE_SIZE);
-                        datalen -= skb_shinfo(skb)->frags[i].size;
-                        skb->len += skb_shinfo(skb)->frags[i].size;
-                        skb->data_len += skb_shinfo(skb)->frags[i].size;
-                        i++;
-                        skb_shinfo(skb)->nr_frags = i;
-                }
-                while (i < frags) {
-                        int rem;
-                        if (i == 0)
-                                break;
-                        rem = skb_shinfo(skb)->frags[i - 1].size / 2;
-                        if (rem == 0)
-                                break;
-                        skb_shinfo(skb)->frags[i - 1].size -= rem;
-                        skb_shinfo(skb)->frags[i] =
-                            skb_shinfo(skb)->frags[i - 1];
-                        get_page(skb_shinfo(skb)->frags[i].page);
-                        skb_shinfo(skb)->frags[i].page =
-                            skb_shinfo(skb)->frags[i - 1].page;
-                        skb_shinfo(skb)->frags[i].page_offset +=
-                            skb_shinfo(skb)->frags[i - 1].size;
-                        skb_shinfo(skb)->frags[i].size = rem;
-                        i++;
-                        skb_shinfo(skb)->nr_frags = i;
-                }
-        }
-        /* Stamp the time, and sequence number,
-         * convert them to network byte order
-         */
-        if (pgh) {
-                struct timeval timestamp;
-                pgh->pgh_magic = htonl(PKTGEN_MAGIC);
-                pgh->seq_num = htonl(pkt_dev->seq_num);
-                do_gettimeofday(&timestamp);
-                pgh->tv_sec = htonl(timestamp.tv_sec);
-                pgh->tv_usec = htonl(timestamp.tv_usec);
-        }
 #ifdef CONFIG_XFRM
        if (!process_ipsec(pkt_dev, skb, protocol))
@@ -2899,79 +2852,6 @@ static unsigned int scan_ip6(const char *s, char ip[16])
        return len;
 }
-static char tohex(char hexdigit)
-{
-        return hexdigit > 9 ? hexdigit + 'a' - 10 : hexdigit + '0';
-}
-static int fmt_xlong(char *s, unsigned int i)
-{
-        char *bak = s;
-        *s = tohex((i >> 12) & 0xf);
-        if (s != bak || *s != '0')
-                ++s;
-        *s = tohex((i >> 8) & 0xf);
-        if (s != bak || *s != '0')
-                ++s;
-        *s = tohex((i >> 4) & 0xf);
-        if (s != bak || *s != '0')
-                ++s;
-        *s = tohex(i & 0xf);
-        return s - bak + 1;
-}
-static unsigned int fmt_ip6(char *s, const char ip[16])
-{
-        unsigned int len;
-        unsigned int i;
-        unsigned int temp;
-        unsigned int compressing;
-        int j;
-        len = 0;
-        compressing = 0;
-        for (j = 0; j < 16; j += 2) {
-#ifdef V4MAPPEDPREFIX
-                if (j == 12 && !memcmp(ip, V4mappedprefix, 12)) {
-                        inet_ntoa_r(*(struct in_addr *)(ip + 12), s);
-                        temp = strlen(s);
-                        return len + temp;
-                }
-#endif
-                temp = ((unsigned long)(unsigned char)ip[j] << 8) +
-                    (unsigned long)(unsigned char)ip[j + 1];
-                if (temp == 0) {
-                        if (!compressing) {
-                                compressing = 1;
-                                if (j == 0) {
-                                        *s++ = ':';
-                                        ++len;
-                                }
-                        }
-                } else {
-                        if (compressing) {
-                                compressing = 0;
-                                *s++ = ':';
-                                ++len;
-                        }
-                        i = fmt_xlong(s, temp);
-                        len += i;
-                        s += i;
-                        if (j < 14) {
-                                *s++ = ':';
-                                ++len;
-                        }
-                }
-        }
-        if (compressing) {
-                *s++ = ':';
-                ++len;
-        }
-        *s = 0;
-        return len;
-}
 static struct sk_buff *fill_packet_ipv6(struct net_device *odev,
                                        struct pktgen_dev *pkt_dev)
 {
@@ -2980,7 +2860,6 @@ static struct sk_buff *fill_packet_ipv6(struct net_device *odev,
        struct udphdr *udph;
        int datalen;
        struct ipv6hdr *iph;
-        struct pktgen_hdr *pgh = NULL;
        __be16 protocol = htons(ETH_P_IPV6);
        __be32 *mpls;
        __be16 *vlan_tci = NULL;                 /* Encapsulates priority and VLAN ID */
@@ -3083,75 +2962,7 @@ static struct sk_buff *fill_packet_ipv6(struct net_device *odev,
        skb->dev = odev;
        skb->pkt_type = PACKET_HOST;
-        if (pkt_dev->nfrags <= 0)
+        pktgen_finalize_skb(pkt_dev, skb, datalen);
-                pgh = (struct pktgen_hdr *)skb_put(skb, datalen);
-        else {
-                int frags = pkt_dev->nfrags;
-                int i;
-                pgh = (struct pktgen_hdr *)(((char *)(udph)) + 8);
-                if (frags > MAX_SKB_FRAGS)
-                        frags = MAX_SKB_FRAGS;
-                if (datalen > frags * PAGE_SIZE) {
-                        skb_put(skb, datalen - frags * PAGE_SIZE);
-                        datalen = frags * PAGE_SIZE;
-                }
-                i = 0;
-                while (datalen > 0) {
-                        struct page *page = alloc_pages(GFP_KERNEL, 0);
-                        skb_shinfo(skb)->frags[i].page = page;
-                        skb_shinfo(skb)->frags[i].page_offset = 0;
-                        skb_shinfo(skb)->frags[i].size =
-                            (datalen < PAGE_SIZE ? datalen : PAGE_SIZE);
-                        datalen -= skb_shinfo(skb)->frags[i].size;
-                        skb->len += skb_shinfo(skb)->frags[i].size;
-                        skb->data_len += skb_shinfo(skb)->frags[i].size;
-                        i++;
-                        skb_shinfo(skb)->nr_frags = i;
-                }
-                while (i < frags) {
-                        int rem;
-                        if (i == 0)
-                                break;
-                        rem = skb_shinfo(skb)->frags[i - 1].size / 2;
-                        if (rem == 0)
-                                break;
-                        skb_shinfo(skb)->frags[i - 1].size -= rem;
-                        skb_shinfo(skb)->frags[i] =
-                            skb_shinfo(skb)->frags[i - 1];
-                        get_page(skb_shinfo(skb)->frags[i].page);
-                        skb_shinfo(skb)->frags[i].page =
-                            skb_shinfo(skb)->frags[i - 1].page;
-                        skb_shinfo(skb)->frags[i].page_offset +=
-                            skb_shinfo(skb)->frags[i - 1].size;
-                        skb_shinfo(skb)->frags[i].size = rem;
-                        i++;
-                        skb_shinfo(skb)->nr_frags = i;
-                }
-        }
-        /* Stamp the time, and sequence number,
-         * convert them to network byte order
-         * should we update cloned packets too ?
-         */
-        if (pgh) {
-                struct timeval timestamp;
-                pgh->pgh_magic = htonl(PKTGEN_MAGIC);
-                pgh->seq_num = htonl(pkt_dev->seq_num);
-                do_gettimeofday(&timestamp);
-                pgh->tv_sec = htonl(timestamp.tv_sec);
-                pgh->tv_usec = htonl(timestamp.tv_usec);
-        }
-        /* pkt_dev->seq_num++; FF: you really mean this? */
        return skb;
 }
@@ -3321,7 +3132,7 @@ static void show_results(struct pktgen_dev *pkt_dev, int nr_frags)
                                    pkt_dev->started_at);
        ktime_t idle = ns_to_ktime(pkt_dev->idle_acc);
-        p += sprintf(p, "OK: %llu(c%llu+d%llu) nsec, %llu (%dbyte,%dfrags)\n",
+        p += sprintf(p, "OK: %llu(c%llu+d%llu) usec, %llu (%dbyte,%dfrags)\n",
                     (unsigned long long)ktime_to_us(elapsed),
                     (unsigned long long)ktime_to_us(ktime_sub(elapsed, idle)),
                     (unsigned long long)ktime_to_us(idle),
@@ -3812,7 +3623,10 @@ static int __init pktgen_create_thread(int cpu)
        list_add_tail(&t->th_list, &pktgen_threads);
        init_completion(&t->start_done);
-        p = kthread_create(pktgen_thread_worker, t, "kpktgend_%d", cpu);
+        p = kthread_create_on_node(pktgen_thread_worker,
+                                   t,
+                                   cpu_to_node(cpu),
+                                   "kpktgend_%d", cpu);
        if (IS_ERR(p)) {
                pr_err("kernel_thread() failed for cpu %d\n", t->cpu);
                list_del(&t->th_list);
@@ -3884,6 +3698,8 @@ static int pktgen_remove_device(struct pktgen_thread *t,
        free_SAs(pkt_dev);
 #endif
        vfree(pkt_dev->flows);
+        if (pkt_dev->page)
+                put_page(pkt_dev->page);
        kfree(pkt_dev);
        return 0;
 }
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 2d65c6bb24c1..d2ba2597c75a 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -196,7 +196,7 @@ EXPORT_SYMBOL_GPL(__rtnl_register);
 * as failure of this function is very unlikely, it can only happen due
 * to lack of memory when allocating the chain to store all message
 * handlers for a protocol. Meant for use in init functions where lack
- * of memory implies no sense in continueing.
+ * of memory implies no sense in continuing.
 */
 void rtnl_register(int protocol, int msgtype,
                   rtnl_doit_func doit, rtnl_dumpit_func dumpit)
@@ -868,6 +868,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
                   netif_running(dev) ? dev->operstate : IF_OPER_DOWN);
        NLA_PUT_U8(skb, IFLA_LINKMODE, dev->link_mode);
        NLA_PUT_U32(skb, IFLA_MTU, dev->mtu);
+        NLA_PUT_U32(skb, IFLA_GROUP, dev->group);
        if (dev->ifindex != dev->iflink)
                NLA_PUT_U32(skb, IFLA_LINK, dev->iflink);
@@ -1006,10 +1007,11 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
        s_h = cb->args[0];
        s_idx = cb->args[1];
+        rcu_read_lock();
        for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
                idx = 0;
                head = &net->dev_index_head[h];
-                hlist_for_each_entry(dev, node, head, index_hlist) {
+                hlist_for_each_entry_rcu(dev, node, head, index_hlist) {
                        if (idx < s_idx)
                                goto cont;
                        if (rtnl_fill_ifinfo(skb, dev, RTM_NEWLINK,
@@ -1022,6 +1024,7 @@ cont:
                }
        }
 out:
+        rcu_read_unlock();
        cb->args[1] = idx;
        cb->args[0] = h;
@@ -1035,6 +1038,7 @@ const struct nla_policy ifla_policy[IFLA_MAX+1] = {
        [IFLA_MAP]              = { .len = sizeof(struct rtnl_link_ifmap) },
        [IFLA_MTU]              = { .type = NLA_U32 },
        [IFLA_LINK]             = { .type = NLA_U32 },
+        [IFLA_MASTER]           = { .type = NLA_U32 },
        [IFLA_TXQLEN]           = { .type = NLA_U32 },
        [IFLA_WEIGHT]           = { .type = NLA_U32 },
        [IFLA_OPERSTATE]        = { .type = NLA_U8 },
@@ -1177,6 +1181,41 @@ static int do_setvfinfo(struct net_device *dev, struct nlattr *attr)
        return err;
 }
+static int do_set_master(struct net_device *dev, int ifindex)
+{
+        struct net_device *master_dev;
+        const struct net_device_ops *ops;
+        int err;
+        if (dev->master) {
+                if (dev->master->ifindex == ifindex)
+                        return 0;
+                ops = dev->master->netdev_ops;
+                if (ops->ndo_del_slave) {
+                        err = ops->ndo_del_slave(dev->master, dev);
+                        if (err)
+                                return err;
+                } else {
+                        return -EOPNOTSUPP;
+                }
+        }
+        if (ifindex) {
+                master_dev = __dev_get_by_index(dev_net(dev), ifindex);
+                if (!master_dev)
+                        return -EINVAL;
+                ops = master_dev->netdev_ops;
+                if (ops->ndo_add_slave) {
+                        err = ops->ndo_add_slave(master_dev, dev);
+                        if (err)
+                                return err;
+                } else {
+                        return -EOPNOTSUPP;
+                }
+        }
+        return 0;
+}
 static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
                      struct nlattr **tb, char *ifname, int modified)
 {
@@ -1264,6 +1303,11 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
                modified = 1;
        }
+        if (tb[IFLA_GROUP]) {
+                dev_set_group(dev, nla_get_u32(tb[IFLA_GROUP]));
+                modified = 1;
+        }
        /*
         * Interface selected by interface index but interface
         * name provided implies that a name change has been
@@ -1295,6 +1339,13 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
                        goto errout;
        }
+        if (tb[IFLA_MASTER]) {
+                err = do_set_master(dev, nla_get_u32(tb[IFLA_MASTER]));
+                if (err)
+                        goto errout;
+                modified = 1;
+        }
        if (tb[IFLA_TXQLEN])
                dev->tx_queue_len = nla_get_u32(tb[IFLA_TXQLEN]);
@@ -1391,7 +1442,7 @@ static int do_setlink(struct net_device *dev, struct ifinfomsg *ifm,
 errout:
        if (err < 0 && modified && net_ratelimit())
                printk(KERN_WARNING "A link change request failed with "
-                       "some changes comitted already. Interface %s may "
+                       "some changes committed already. Interface %s may "
                       "have been left with an inconsistent configuration, "
                       "please check.\n", dev->name);
@@ -1450,6 +1501,7 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
        char ifname[IFNAMSIZ];
        struct nlattr *tb[IFLA_MAX+1];
        int err;
+        LIST_HEAD(list_kill);
        err = nlmsg_parse(nlh, sizeof(*ifm), tb, IFLA_MAX, ifla_policy);
        if (err < 0)
@@ -1473,7 +1525,9 @@ static int rtnl_dellink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
        if (!ops)
                return -EOPNOTSUPP;
-        ops->dellink(dev, NULL);
+        ops->dellink(dev, &list_kill);
+        unregister_netdevice_many(&list_kill);
+        list_del(&list_kill);
        return 0;
 }
@@ -1521,12 +1575,6 @@ struct net_device *rtnl_create_link(struct net *src_net, struct net *net,
        dev->rtnl_link_state = RTNL_LINK_INITIALIZING;
        dev->real_num_tx_queues = real_num_queues;
-        if (strchr(dev->name, '%')) {
-                err = dev_alloc_name(dev, dev->name);
-                if (err < 0)
-                        goto err_free;
-        }
        if (tb[IFLA_MTU])
                dev->mtu = nla_get_u32(tb[IFLA_MTU]);
        if (tb[IFLA_ADDRESS])
@@ -1541,16 +1589,34 @@ struct net_device *rtnl_create_link(struct net *src_net, struct net *net,
                set_operstate(dev, nla_get_u8(tb[IFLA_OPERSTATE]));
        if (tb[IFLA_LINKMODE])
                dev->link_mode = nla_get_u8(tb[IFLA_LINKMODE]);
+        if (tb[IFLA_GROUP])
+                dev_set_group(dev, nla_get_u32(tb[IFLA_GROUP]));
        return dev;
-err_free:
-        free_netdev(dev);
 err:
        return ERR_PTR(err);
 }
 EXPORT_SYMBOL(rtnl_create_link);
+static int rtnl_group_changelink(struct net *net, int group,
+                struct ifinfomsg *ifm,
+                struct nlattr **tb)
+{
+        struct net_device *dev;
+        int err;
+        for_each_netdev(net, dev) {
+                if (dev->group == group) {
+                        err = do_setlink(dev, ifm, tb, NULL, 0);
+                        if (err < 0)
+                                return err;
+                }
+        }
+        return 0;
+}
 static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
 {
        struct net *net = sock_net(skb->sk);
@@ -1578,10 +1644,12 @@ replay:
        ifm = nlmsg_data(nlh);
        if (ifm->ifi_index > 0)
                dev = __dev_get_by_index(net, ifm->ifi_index);
-        else if (ifname[0])
+        else {
-                dev = __dev_get_by_name(net, ifname);
+                if (ifname[0])
-        else
+                        dev = __dev_get_by_name(net, ifname);
-                dev = NULL;
+                else
+                        dev = NULL;
+        }
        err = validate_linkmsg(dev, tb);
        if (err < 0)
@@ -1645,8 +1713,13 @@ replay:
                        return do_setlink(dev, ifm, tb, ifname, modified);
                }
-                if (!(nlh->nlmsg_flags & NLM_F_CREATE))
+                if (!(nlh->nlmsg_flags & NLM_F_CREATE)) {
+                        if (ifm->ifi_index == 0 && tb[IFLA_GROUP])
+                                return rtnl_group_changelink(net,
+                                                nla_get_u32(tb[IFLA_GROUP]),
+                                                ifm, tb);
                        return -ENODEV;
+                }
                if (ifm->ifi_index)
                        return -EOPNOTSUPP;
@@ -1803,7 +1876,6 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
        int min_len;
        int family;
        int type;
-        int err;
        type = nlh->nlmsg_type;
        if (type > RTM_MAX)
@@ -1830,11 +1902,8 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
                if (dumpit == NULL)
                        return -EOPNOTSUPP;
-                __rtnl_unlock();
                rtnl = net->rtnl;
-                err = netlink_dump_start(rtnl, skb, nlh, dumpit, NULL);
+                return netlink_dump_start(rtnl, skb, nlh, dumpit, NULL);
-                rtnl_lock();
-                return err;
        }
        memset(rta_buf, 0, (rtattr_max * sizeof(struct rtattr *)));
@@ -1904,7 +1973,7 @@ static int __net_init rtnetlink_net_init(struct net *net)
 {
        struct sock *sk;
        sk = netlink_kernel_create(net, NETLINK_ROUTE, RTNLGRP_MAX,
-                                   rtnetlink_rcv, &rtnl_mutex, THIS_MODULE);
+                                   rtnetlink_rcv, NULL, THIS_MODULE);
        if (!sk)
                return -ENOMEM;
        net->rtnl = sk;
diff --git a/net/core/scm.c b/net/core/scm.c
index bbe454450801..4c1ef026d695 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -95,7 +95,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
                int fd = fdp[i];
                struct file *file;
-                if (fd < 0 || !(file = fget(fd)))
+                if (fd < 0 || !(file = fget_raw(fd)))
                        return -EBADF;
                *fpp++ = file;
                fpl->count++;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index d883dcc78b6b..46cbd28f40f9 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -57,6 +57,7 @@
 #include <linux/init.h>
 #include <linux/scatterlist.h>
 #include <linux/errqueue.h>
+#include <linux/prefetch.h>
 #include <net/protocol.h>
 #include <net/dst.h>
@@ -523,7 +524,6 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
        new->ip_summed          = old->ip_summed;
        skb_copy_queue_mapping(new, old);
        new->priority           = old->priority;
-        new->deliver_no_wcard   = old->deliver_no_wcard;
 #if defined(CONFIG_IP_VS) || defined(CONFIG_IP_VS_MODULE)
        new->ipvs_property      = old->ipvs_property;
 #endif
@@ -2268,7 +2268,7 @@ EXPORT_SYMBOL(skb_prepare_seq_read);
 * of bytes already consumed and the next call to
 * skb_seq_read() will return the remaining part of the block.
 *
- * Note 1: The size of each block of data returned can be arbitary,
+ * Note 1: The size of each block of data returned can be arbitrary,
 *       this limitation is the cost for zerocopy seqeuental
 *       reads of potentially non linear data.
 *
@@ -2434,8 +2434,6 @@ int skb_append_datato_frags(struct sock *sk, struct sk_buff *skb,
                        return -ENOMEM;
                /* initialize the next frag */
-                sk->sk_sndmsg_page = page;
-                sk->sk_sndmsg_off = 0;
                skb_fill_page_desc(skb, frg_cnt, page, 0, 0);
                skb->truesize += PAGE_SIZE;
                atomic_add(PAGE_SIZE, &sk->sk_wmem_alloc);
@@ -2455,7 +2453,6 @@ int skb_append_datato_frags(struct sock *sk, struct sk_buff *skb,
                        return -EFAULT;
                /* copy was successful so update the size parameters */
-                sk->sk_sndmsg_off += copy;
                frag->size += copy;
                skb->len += copy;
                skb->data_len += copy;
@@ -2498,7 +2495,7 @@ EXPORT_SYMBOL_GPL(skb_pull_rcsum);
 *      a pointer to the first in a list of new skbs for the segments.
 *      In case of error it returns ERR_PTR(err).
 */
-struct sk_buff *skb_segment(struct sk_buff *skb, int features)
+struct sk_buff *skb_segment(struct sk_buff *skb, u32 features)
 {
        struct sk_buff *segs = NULL;
        struct sk_buff *tail = NULL;
@@ -2508,7 +2505,7 @@ struct sk_buff *skb_segment(struct sk_buff *skb, int features)
        unsigned int offset = doffset;
        unsigned int headroom;
        unsigned int len;
-        int sg = features & NETIF_F_SG;
+        int sg = !!(features & NETIF_F_SG);
        int nfrags = skb_shinfo(skb)->nr_frags;
        int err = -ENOMEM;
        int i = 0;
@@ -2997,6 +2994,9 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
        skb->destructor = sock_rmem_free;
        atomic_add(skb->truesize, &sk->sk_rmem_alloc);
+        /* before exiting rcu section, make sure dst is refcounted */
+        skb_dst_force(skb);
        skb_queue_tail(&sk->sk_error_queue, skb);
        if (!sock_flag(sk, SOCK_DEAD))
                sk->sk_data_ready(sk, skb->len);
diff --git a/net/core/sock.c b/net/core/sock.c
index 7dfed792434d..6e819780c232 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -215,7 +215,7 @@ __u32 sysctl_rmem_max __read_mostly = SK_RMEM_MAX;
 __u32 sysctl_wmem_default __read_mostly = SK_WMEM_MAX;
 __u32 sysctl_rmem_default __read_mostly = SK_RMEM_MAX;
-/* Maximal space eaten by iovec or ancilliary data plus some space */
+/* Maximal space eaten by iovec or ancillary data plus some space */
 int sysctl_optmem_max __read_mostly = sizeof(unsigned long)*(2*UIO_MAXIOV+512);
 EXPORT_SYMBOL(sysctl_optmem_max);
@@ -1175,7 +1175,7 @@ static void __sk_free(struct sock *sk)
 void sk_free(struct sock *sk)
 {
        /*
-         * We substract one from sk_wmem_alloc and can know if
+         * We subtract one from sk_wmem_alloc and can know if
         * some packets are still in some tx queue.
         * If not null, sock_wfree() will call __sk_free(sk) later
         */
@@ -1185,10 +1185,10 @@ void sk_free(struct sock *sk)
 EXPORT_SYMBOL(sk_free);
 /*
- * Last sock_put should drop referrence to sk->sk_net. It has already
+ * Last sock_put should drop reference to sk->sk_net. It has already
- * been dropped in sk_change_net. Taking referrence to stopping namespace
+ * been dropped in sk_change_net. Taking reference to stopping namespace
 * is not an option.
- * Take referrence to a socket to remove it from hash _alive_ and after that
+ * Take reference to a socket to remove it from hash _alive_ and after that
 * destroy it in the context of init_net.
 */
 void sk_release_kernel(struct sock *sk)
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index 385b6095fdc4..a829e3f60aeb 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -122,6 +122,15 @@ static struct ctl_table net_core_table[] = {
                .mode           = 0644,
                .proc_handler   = proc_dointvec
        },
+#ifdef CONFIG_BPF_JIT
+        {
+                .procname       = "bpf_jit_enable",
+                .data           = &bpf_jit_enable,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec
+        },
+#endif
        {
                .procname       = "netdev_tstamp_prequeue",
                .data           = &netdev_tstamp_prequeue,
diff --git a/net/core/utils.c b/net/core/utils.c
index 5fea0ab21902..2012bc797f9c 100644
--- a/net/core/utils.c
+++ b/net/core/utils.c
@@ -296,3 +296,27 @@ void inet_proto_csum_replace4(__sum16 *sum, struct sk_buff *skb,
                                csum_unfold(*sum)));
 }
 EXPORT_SYMBOL(inet_proto_csum_replace4);
+int mac_pton(const char *s, u8 *mac)
+{
+        int i;
+        /* XX:XX:XX:XX:XX:XX */
+        if (strlen(s) < 3 * ETH_ALEN - 1)
+                return 0;
+        /* Don't dirty result unless string is valid MAC. */
+        for (i = 0; i < ETH_ALEN; i++) {
+                if (!strchr("0123456789abcdefABCDEF", s[i * 3]))
+                        return 0;
+                if (!strchr("0123456789abcdefABCDEF", s[i * 3 + 1]))
+                        return 0;
+                if (i != ETH_ALEN - 1 && s[i * 3 + 2] != ':')
+                        return 0;
+        }
+        for (i = 0; i < ETH_ALEN; i++) {
+                mac[i] = (hex_to_bin(s[i * 3]) << 4) | hex_to_bin(s[i * 3 + 1]);
+        }
+        return 1;
+}
+EXPORT_SYMBOL(mac_pton);
diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
index d5074a567289..3609eacaf4ce 100644
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, Intel Corporation.
+ * Copyright (c) 2008-2011, Intel Corporation.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
@@ -1193,7 +1193,7 @@ static int dcbnl_ieee_set(struct net_device *netdev, struct nlattr **tb,
                        goto err;
        }
-        if (ieee[DCB_ATTR_IEEE_PFC] && ops->ieee_setets) {
+        if (ieee[DCB_ATTR_IEEE_PFC] && ops->ieee_setpfc) {
                struct ieee_pfc *pfc = nla_data(ieee[DCB_ATTR_IEEE_PFC]);
                err = ops->ieee_setpfc(netdev, pfc);
                if (err)
@@ -1224,6 +1224,59 @@ err:
        return err;
 }
+static int dcbnl_build_peer_app(struct net_device *netdev, struct sk_buff* skb,
+                                int app_nested_type, int app_info_type,
+                                int app_entry_type)
+{
+        struct dcb_peer_app_info info;
+        struct dcb_app *table = NULL;
+        const struct dcbnl_rtnl_ops *ops = netdev->dcbnl_ops;
+        u16 app_count;
+        int err;
+        /**
+         * retrieve the peer app configuration form the driver. If the driver
+         * handlers fail exit without doing anything
+         */
+        err = ops->peer_getappinfo(netdev, &info, &app_count);
+        if (!err && app_count) {
+                table = kmalloc(sizeof(struct dcb_app) * app_count, GFP_KERNEL);
+                if (!table)
+                        return -ENOMEM;
+                err = ops->peer_getapptable(netdev, table);
+        }
+        if (!err) {
+                u16 i;
+                struct nlattr *app;
+                /**
+                 * build the message, from here on the only possible failure
+                 * is due to the skb size
+                 */
+                err = -EMSGSIZE;
+                app = nla_nest_start(skb, app_nested_type);
+                if (!app)
+                        goto nla_put_failure;
+                if (app_info_type)
+                        NLA_PUT(skb, app_info_type, sizeof(info), &info);
+                for (i = 0; i < app_count; i++)
+                        NLA_PUT(skb, app_entry_type, sizeof(struct dcb_app),
+                                &table[i]);
+                nla_nest_end(skb, app);
+        }
+        err = 0;
+nla_put_failure:
+        kfree(table);
+        return err;
+}
 /* Handle IEEE 802.1Qaz GET commands. */
 static int dcbnl_ieee_get(struct net_device *netdev, struct nlattr **tb,
@@ -1288,6 +1341,30 @@ static int dcbnl_ieee_get(struct net_device *netdev, struct nlattr **tb,
        spin_unlock(&dcb_lock);
        nla_nest_end(skb, app);
+        /* get peer info if available */
+        if (ops->ieee_peer_getets) {
+                struct ieee_ets ets;
+                err = ops->ieee_peer_getets(netdev, &ets);
+                if (!err)
+                        NLA_PUT(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets);
+        }
+        if (ops->ieee_peer_getpfc) {
+                struct ieee_pfc pfc;
+                err = ops->ieee_peer_getpfc(netdev, &pfc);
+                if (!err)
+                        NLA_PUT(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc);
+        }
+        if (ops->peer_getappinfo && ops->peer_getapptable) {
+                err = dcbnl_build_peer_app(netdev, skb,
+                                           DCB_ATTR_IEEE_PEER_APP,
+                                           DCB_ATTR_IEEE_APP_UNSPEC,
+                                           DCB_ATTR_IEEE_APP);
+                if (err)
+                        goto nla_put_failure;
+        }
        nla_nest_end(skb, ieee);
        nlmsg_end(skb, nlh);
@@ -1441,6 +1518,71 @@ err:
        return ret;
 }
+/* Handle CEE DCBX GET commands. */
+static int dcbnl_cee_get(struct net_device *netdev, struct nlattr **tb,
+                         u32 pid, u32 seq, u16 flags)
+{
+        struct sk_buff *skb;
+        struct nlmsghdr *nlh;
+        struct dcbmsg *dcb;
+        struct nlattr *cee;
+        const struct dcbnl_rtnl_ops *ops = netdev->dcbnl_ops;
+        int err;
+        if (!ops)
+                return -EOPNOTSUPP;
+        skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (!skb)
+                return -ENOBUFS;
+        nlh = NLMSG_NEW(skb, pid, seq, RTM_GETDCB, sizeof(*dcb), flags);
+        dcb = NLMSG_DATA(nlh);
+        dcb->dcb_family = AF_UNSPEC;
+        dcb->cmd = DCB_CMD_CEE_GET;
+        NLA_PUT_STRING(skb, DCB_ATTR_IFNAME, netdev->name);
+        cee = nla_nest_start(skb, DCB_ATTR_CEE);
+        if (!cee)
+                goto nla_put_failure;
+        /* get peer info if available */
+        if (ops->cee_peer_getpg) {
+                struct cee_pg pg;
+                err = ops->cee_peer_getpg(netdev, &pg);
+                if (!err)
+                        NLA_PUT(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg);
+        }
+        if (ops->cee_peer_getpfc) {
+                struct cee_pfc pfc;
+                err = ops->cee_peer_getpfc(netdev, &pfc);
+                if (!err)
+                        NLA_PUT(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc);
+        }
+        if (ops->peer_getappinfo && ops->peer_getapptable) {
+                err = dcbnl_build_peer_app(netdev, skb,
+                                           DCB_ATTR_CEE_PEER_APP_TABLE,
+                                           DCB_ATTR_CEE_PEER_APP_INFO,
+                                           DCB_ATTR_CEE_PEER_APP);
+                if (err)
+                        goto nla_put_failure;
+        }
+        nla_nest_end(skb, cee);
+        nlmsg_end(skb, nlh);
+        return rtnl_unicast(skb, &init_net, pid);
+nla_put_failure:
+        nlmsg_cancel(skb, nlh);
+nlmsg_failure:
+        kfree_skb(skb);
+        return -1;
+}
 static int dcb_doit(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
 {
        struct net *net = sock_net(skb->sk);
@@ -1570,6 +1712,10 @@ static int dcb_doit(struct sk_buff *skb, struct nlmsghdr *nlh, void *arg)
                ret = dcbnl_setfeatcfg(netdev, tb, pid, nlh->nlmsg_seq,
                                       nlh->nlmsg_flags);
                goto out;
+        case DCB_CMD_CEE_GET:
+                ret = dcbnl_cee_get(netdev, tb, pid, nlh->nlmsg_seq,
+                                    nlh->nlmsg_flags);
+                goto out;
        default:
                goto errout;
        }
diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c
index e96d5e810039..fadecd20d75b 100644
--- a/net/dccp/ccids/ccid2.c
+++ b/net/dccp/ccids/ccid2.c
@@ -583,6 +583,15 @@ done:
        dccp_ackvec_parsed_cleanup(&hc->tx_av_chunks);
 }
+/*
+ * Convert RFC 3390 larger initial window into an equivalent number of packets.
+ * This is based on the numbers specified in RFC 5681, 3.1.
+ */
+static inline u32 rfc3390_bytes_to_packets(const u32 smss)
+{
+        return smss <= 1095 ? 4 : (smss > 2190 ? 2 : 3);
+}
 static int ccid2_hc_tx_init(struct ccid *ccid, struct sock *sk)
 {
        struct ccid2_hc_tx_sock *hc = ccid_priv(ccid);
diff --git a/net/dccp/input.c b/net/dccp/input.c
index 8cde009e8b85..4222e7a654b0 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -614,6 +614,9 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
                /* Caller (dccp_v4_do_rcv) will send Reset */
                dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
                return 1;
+        } else if (sk->sk_state == DCCP_CLOSED) {
+                dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
+                return 1;
        }
        if (sk->sk_state != DCCP_REQUESTING && sk->sk_state != DCCP_RESPOND) {
@@ -668,10 +671,6 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
        }
        switch (sk->sk_state) {
-        case DCCP_CLOSED:
-                dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
-                return 1;
        case DCCP_REQUESTING:
                queued = dccp_rcv_request_sent_state_process(sk, skb, dh, len);
                if (queued >= 0)
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 45a434f94169..8c36adfd1919 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -40,13 +40,15 @@
 int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 {
+        const struct sockaddr_in *usin = (struct sockaddr_in *)uaddr;
        struct inet_sock *inet = inet_sk(sk);
        struct dccp_sock *dp = dccp_sk(sk);
-        const struct sockaddr_in *usin = (struct sockaddr_in *)uaddr;
+        __be16 orig_sport, orig_dport;
-        struct rtable *rt;
        __be32 daddr, nexthop;
-        int tmp;
+        struct flowi4 *fl4;
+        struct rtable *rt;
        int err;
+        struct ip_options_rcu *inet_opt;
        dp->dccps_role = DCCP_ROLE_CLIENT;
@@ -57,37 +59,43 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
                return -EAFNOSUPPORT;
        nexthop = daddr = usin->sin_addr.s_addr;
-        if (inet->opt != NULL && inet->opt->srr) {
+        inet_opt = rcu_dereference_protected(inet->inet_opt,
+                                             sock_owned_by_user(sk));
+        if (inet_opt != NULL && inet_opt->opt.srr) {
                if (daddr == 0)
                        return -EINVAL;
-                nexthop = inet->opt->faddr;
+                nexthop = inet_opt->opt.faddr;
        }
-        tmp = ip_route_connect(&rt, nexthop, inet->inet_saddr,
+        orig_sport = inet->inet_sport;
-                               RT_CONN_FLAGS(sk), sk->sk_bound_dev_if,
+        orig_dport = usin->sin_port;
-                               IPPROTO_DCCP,
+        fl4 = &inet->cork.fl.u.ip4;
-                               inet->inet_sport, usin->sin_port, sk, 1);
+        rt = ip_route_connect(fl4, nexthop, inet->inet_saddr,
-        if (tmp < 0)
+                              RT_CONN_FLAGS(sk), sk->sk_bound_dev_if,
-                return tmp;
+                              IPPROTO_DCCP,
+                              orig_sport, orig_dport, sk, true);
+        if (IS_ERR(rt))
+                return PTR_ERR(rt);
        if (rt->rt_flags & (RTCF_MULTICAST | RTCF_BROADCAST)) {
                ip_rt_put(rt);
                return -ENETUNREACH;
        }
-        if (inet->opt == NULL || !inet->opt->srr)
+        if (inet_opt == NULL || !inet_opt->opt.srr)
-                daddr = rt->rt_dst;
+                daddr = fl4->daddr;
        if (inet->inet_saddr == 0)
-                inet->inet_saddr = rt->rt_src;
+                inet->inet_saddr = fl4->saddr;
        inet->inet_rcv_saddr = inet->inet_saddr;
        inet->inet_dport = usin->sin_port;
        inet->inet_daddr = daddr;
        inet_csk(sk)->icsk_ext_hdr_len = 0;
-        if (inet->opt != NULL)
+        if (inet_opt)
-                inet_csk(sk)->icsk_ext_hdr_len = inet->opt->optlen;
+                inet_csk(sk)->icsk_ext_hdr_len = inet_opt->opt.optlen;
        /*
         * Socket identity is still unknown (sport may be zero).
         * However we set state to DCCP_REQUESTING and not releasing socket
@@ -99,11 +107,12 @@ int dccp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        if (err != 0)
                goto failure;
-        err = ip_route_newports(&rt, IPPROTO_DCCP, inet->inet_sport,
+        rt = ip_route_newports(fl4, rt, orig_sport, orig_dport,
-                                inet->inet_dport, sk);
+                               inet->inet_sport, inet->inet_dport, sk);
-        if (err != 0)
+        if (IS_ERR(rt)) {
+                rt = NULL;
                goto failure;
+        }
        /* OK, now commit destination to socket.  */
        sk_setup_caps(sk, &rt->dst);
@@ -387,32 +396,30 @@ struct sock *dccp_v4_request_recv_sock(struct sock *sk, struct sk_buff *skb,
        if (sk_acceptq_is_full(sk))
                goto exit_overflow;
-        if (dst == NULL && (dst = inet_csk_route_req(sk, req)) == NULL)
-                goto exit;
        newsk = dccp_create_openreq_child(sk, req, skb);
        if (newsk == NULL)
                goto exit_nonewsk;
-        sk_setup_caps(newsk, dst);
        newinet            = inet_sk(newsk);
        ireq               = inet_rsk(req);
        newinet->inet_daddr     = ireq->rmt_addr;
        newinet->inet_rcv_saddr = ireq->loc_addr;
        newinet->inet_saddr     = ireq->loc_addr;
-        newinet->opt       = ireq->opt;
+        newinet->inet_opt       = ireq->opt;
        ireq->opt          = NULL;
        newinet->mc_index  = inet_iif(skb);
        newinet->mc_ttl    = ip_hdr(skb)->ttl;
        newinet->inet_id   = jiffies;
+        if (dst == NULL && (dst = inet_csk_route_child_sock(sk, newsk, req)) == NULL)
+                goto put_and_exit;
+        sk_setup_caps(newsk, dst);
        dccp_sync_mss(newsk, dst_mtu(dst));
-        if (__inet_inherit_port(sk, newsk) < 0) {
+        if (__inet_inherit_port(sk, newsk) < 0)
-                sock_put(newsk);
+                goto put_and_exit;
-                goto exit;
-        }
        __inet_hash_nolisten(newsk, NULL);
        return newsk;
@@ -424,6 +431,9 @@ exit_nonewsk:
 exit:
        NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
        return NULL;
+put_and_exit:
+        sock_put(newsk);
+        goto exit;
 }
 EXPORT_SYMBOL_GPL(dccp_v4_request_recv_sock);
@@ -461,17 +471,19 @@ static struct dst_entry* dccp_v4_route_skb(struct net *net, struct sock *sk,
                                           struct sk_buff *skb)
 {
        struct rtable *rt;
-        struct flowi fl = { .oif = skb_rtable(skb)->rt_iif,
+        struct flowi4 fl4 = {
-                            .fl4_dst = ip_hdr(skb)->saddr,
+                .flowi4_oif = skb_rtable(skb)->rt_iif,
-                            .fl4_src = ip_hdr(skb)->daddr,
+                .daddr = ip_hdr(skb)->saddr,
-                            .fl4_tos = RT_CONN_FLAGS(sk),
+                .saddr = ip_hdr(skb)->daddr,
-                            .proto = sk->sk_protocol,
+                .flowi4_tos = RT_CONN_FLAGS(sk),
-                            .fl_ip_sport = dccp_hdr(skb)->dccph_dport,
+                .flowi4_proto = sk->sk_protocol,
-                            .fl_ip_dport = dccp_hdr(skb)->dccph_sport
+                .fl4_sport = dccp_hdr(skb)->dccph_dport,
-                          };
+                .fl4_dport = dccp_hdr(skb)->dccph_sport,
+        };
-        security_skb_classify_flow(skb, &fl);
-        if (ip_route_output_flow(net, &rt, &fl, sk, 0)) {
+        security_skb_classify_flow(skb, flowi4_to_flowi(&fl4));
+        rt = ip_route_output_flow(net, &fl4, sk);
+        if (IS_ERR(rt)) {
                IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
                return NULL;
        }
@@ -485,8 +497,9 @@ static int dccp_v4_send_response(struct sock *sk, struct request_sock *req,
        int err = -1;
        struct sk_buff *skb;
        struct dst_entry *dst;
+        struct flowi4 fl4;
-        dst = inet_csk_route_req(sk, req);
+        dst = inet_csk_route_req(sk, &fl4, req);
        if (dst == NULL)
                goto out;
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index dca711df9b60..8dc4348774a5 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -54,8 +54,8 @@ static void dccp_v6_hash(struct sock *sk)
 /* add pseudo-header to DCCP checksum stored in skb->csum */
 static inline __sum16 dccp_v6_csum_finish(struct sk_buff *skb,
-                                      struct in6_addr *saddr,
+                                      const struct in6_addr *saddr,
-                                      struct in6_addr *daddr)
+                                      const struct in6_addr *daddr)
 {
        return csum_ipv6_magic(saddr, daddr, skb->len, IPPROTO_DCCP, skb->csum);
 }
@@ -87,7 +87,7 @@ static inline __u32 dccp_v6_init_sequence(struct sk_buff *skb)
 static void dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                        u8 type, u8 code, int offset, __be32 info)
 {
-        struct ipv6hdr *hdr = (struct ipv6hdr *)skb->data;
+        const struct ipv6hdr *hdr = (const struct ipv6hdr *)skb->data;
        const struct dccp_hdr *dh = (struct dccp_hdr *)(skb->data + offset);
        struct dccp_sock *dp;
        struct ipv6_pinfo *np;
@@ -147,30 +147,24 @@ static void dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                dst = __sk_dst_check(sk, np->dst_cookie);
                if (dst == NULL) {
                        struct inet_sock *inet = inet_sk(sk);
-                        struct flowi fl;
+                        struct flowi6 fl6;
                        /* BUGGG_FUTURE: Again, it is not clear how
                           to handle rthdr case. Ignore this complexity
                           for now.
                         */
-                        memset(&fl, 0, sizeof(fl));
+                        memset(&fl6, 0, sizeof(fl6));
-                        fl.proto = IPPROTO_DCCP;
+                        fl6.flowi6_proto = IPPROTO_DCCP;
-                        ipv6_addr_copy(&fl.fl6_dst, &np->daddr);
+                        ipv6_addr_copy(&fl6.daddr, &np->daddr);
-                        ipv6_addr_copy(&fl.fl6_src, &np->saddr);
+                        ipv6_addr_copy(&fl6.saddr, &np->saddr);
-                        fl.oif = sk->sk_bound_dev_if;
+                        fl6.flowi6_oif = sk->sk_bound_dev_if;
-                        fl.fl_ip_dport = inet->inet_dport;
+                        fl6.fl6_dport = inet->inet_dport;
-                        fl.fl_ip_sport = inet->inet_sport;
+                        fl6.fl6_sport = inet->inet_sport;
-                        security_sk_classify_flow(sk, &fl);
+                        security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
-                        err = ip6_dst_lookup(sk, &dst, &fl);
+                        dst = ip6_dst_lookup_flow(sk, &fl6, NULL, false);
-                        if (err) {
+                        if (IS_ERR(dst)) {
-                                sk->sk_err_soft = -err;
+                                sk->sk_err_soft = -PTR_ERR(dst);
-                                goto out;
-                        }
-                        err = xfrm_lookup(net, &dst, &fl, sk, 0);
-                        if (err < 0) {
-                                sk->sk_err_soft = -err;
                                goto out;
                        }
                } else
@@ -249,34 +243,30 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req,
        struct sk_buff *skb;
        struct ipv6_txoptions *opt = NULL;
        struct in6_addr *final_p, final;
-        struct flowi fl;
+        struct flowi6 fl6;
        int err = -1;
        struct dst_entry *dst;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
-        fl.proto = IPPROTO_DCCP;
+        fl6.flowi6_proto = IPPROTO_DCCP;
-        ipv6_addr_copy(&fl.fl6_dst, &ireq6->rmt_addr);
+        ipv6_addr_copy(&fl6.daddr, &ireq6->rmt_addr);
-        ipv6_addr_copy(&fl.fl6_src, &ireq6->loc_addr);
+        ipv6_addr_copy(&fl6.saddr, &ireq6->loc_addr);
-        fl.fl6_flowlabel = 0;
+        fl6.flowlabel = 0;
-        fl.oif = ireq6->iif;
+        fl6.flowi6_oif = ireq6->iif;
-        fl.fl_ip_dport = inet_rsk(req)->rmt_port;
+        fl6.fl6_dport = inet_rsk(req)->rmt_port;
-        fl.fl_ip_sport = inet_rsk(req)->loc_port;
+        fl6.fl6_sport = inet_rsk(req)->loc_port;
-        security_req_classify_flow(req, &fl);
+        security_req_classify_flow(req, flowi6_to_flowi(&fl6));
        opt = np->opt;
-        final_p = fl6_update_dst(&fl, opt, &final);
+        final_p = fl6_update_dst(&fl6, opt, &final);
-        err = ip6_dst_lookup(sk, &dst, &fl);
+        dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false);
-        if (err)
+        if (IS_ERR(dst)) {
-                goto done;
+                err = PTR_ERR(dst);
+                dst = NULL;
-        if (final_p)
-                ipv6_addr_copy(&fl.fl6_dst, final_p);
-        err = xfrm_lookup(sock_net(sk), &dst, &fl, sk, 0);
-        if (err < 0)
                goto done;
+        }
        skb = dccp_make_response(sk, dst, req);
        if (skb != NULL) {
@@ -285,8 +275,8 @@ static int dccp_v6_send_response(struct sock *sk, struct request_sock *req,
                dh->dccph_checksum = dccp_v6_csum_finish(skb,
                                                         &ireq6->loc_addr,
                                                         &ireq6->rmt_addr);
-                ipv6_addr_copy(&fl.fl6_dst, &ireq6->rmt_addr);
+                ipv6_addr_copy(&fl6.daddr, &ireq6->rmt_addr);
-                err = ip6_xmit(sk, skb, &fl, opt);
+                err = ip6_xmit(sk, skb, &fl6, opt);
                err = net_xmit_eval(err);
        }
@@ -306,9 +296,9 @@ static void dccp_v6_reqsk_destructor(struct request_sock *req)
 static void dccp_v6_ctl_send_reset(struct sock *sk, struct sk_buff *rxskb)
 {
-        struct ipv6hdr *rxip6h;
+        const struct ipv6hdr *rxip6h;
        struct sk_buff *skb;
-        struct flowi fl;
+        struct flowi6 fl6;
        struct net *net = dev_net(skb_dst(rxskb)->dev);
        struct sock *ctl_sk = net->dccp.v6_ctl_sk;
        struct dst_entry *dst;
@@ -327,25 +317,24 @@ static void dccp_v6_ctl_send_reset(struct sock *sk, struct sk_buff *rxskb)
        dccp_hdr(skb)->dccph_checksum = dccp_v6_csum_finish(skb, &rxip6h->saddr,
                                                            &rxip6h->daddr);
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
-        ipv6_addr_copy(&fl.fl6_dst, &rxip6h->saddr);
+        ipv6_addr_copy(&fl6.daddr, &rxip6h->saddr);
-        ipv6_addr_copy(&fl.fl6_src, &rxip6h->daddr);
+        ipv6_addr_copy(&fl6.saddr, &rxip6h->daddr);
-        fl.proto = IPPROTO_DCCP;
+        fl6.flowi6_proto = IPPROTO_DCCP;
-        fl.oif = inet6_iif(rxskb);
+        fl6.flowi6_oif = inet6_iif(rxskb);
-        fl.fl_ip_dport = dccp_hdr(skb)->dccph_dport;
+        fl6.fl6_dport = dccp_hdr(skb)->dccph_dport;
-        fl.fl_ip_sport = dccp_hdr(skb)->dccph_sport;
+        fl6.fl6_sport = dccp_hdr(skb)->dccph_sport;
-        security_skb_classify_flow(rxskb, &fl);
+        security_skb_classify_flow(rxskb, flowi6_to_flowi(&fl6));
        /* sk = NULL, but it is safe for now. RST socket required. */
-        if (!ip6_dst_lookup(ctl_sk, &dst, &fl)) {
+        dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL, false);
-                if (xfrm_lookup(net, &dst, &fl, NULL, 0) >= 0) {
+        if (!IS_ERR(dst)) {
-                        skb_dst_set(skb, dst);
+                skb_dst_set(skb, dst);
-                        ip6_xmit(ctl_sk, skb, &fl, NULL);
+                ip6_xmit(ctl_sk, skb, &fl6, NULL);
-                        DCCP_INC_STATS_BH(DCCP_MIB_OUTSEGS);
+                DCCP_INC_STATS_BH(DCCP_MIB_OUTSEGS);
-                        DCCP_INC_STATS_BH(DCCP_MIB_OUTRSTS);
+                DCCP_INC_STATS_BH(DCCP_MIB_OUTRSTS);
-                        return;
+                return;
-                }
        }
        kfree_skb(skb);
@@ -484,7 +473,6 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
        struct inet6_request_sock *ireq6 = inet6_rsk(req);
        struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
        struct inet_sock *newinet;
-        struct dccp_sock *newdp;
        struct dccp6_sock *newdp6;
        struct sock *newsk;
        struct ipv6_txoptions *opt;
@@ -498,7 +486,6 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
                        return NULL;
                newdp6 = (struct dccp6_sock *)newsk;
-                newdp = dccp_sk(newsk);
                newinet = inet_sk(newsk);
                newinet->pinet6 = &newdp6->inet6;
                newnp = inet6_sk(newsk);
@@ -540,25 +527,20 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
        if (dst == NULL) {
                struct in6_addr *final_p, final;
-                struct flowi fl;
+                struct flowi6 fl6;
-                memset(&fl, 0, sizeof(fl));
+                memset(&fl6, 0, sizeof(fl6));
-                fl.proto = IPPROTO_DCCP;
+                fl6.flowi6_proto = IPPROTO_DCCP;
-                ipv6_addr_copy(&fl.fl6_dst, &ireq6->rmt_addr);
+                ipv6_addr_copy(&fl6.daddr, &ireq6->rmt_addr);
-                final_p = fl6_update_dst(&fl, opt, &final);
+                final_p = fl6_update_dst(&fl6, opt, &final);
-                ipv6_addr_copy(&fl.fl6_src, &ireq6->loc_addr);
+                ipv6_addr_copy(&fl6.saddr, &ireq6->loc_addr);
-                fl.oif = sk->sk_bound_dev_if;
+                fl6.flowi6_oif = sk->sk_bound_dev_if;
-                fl.fl_ip_dport = inet_rsk(req)->rmt_port;
+                fl6.fl6_dport = inet_rsk(req)->rmt_port;
-                fl.fl_ip_sport = inet_rsk(req)->loc_port;
+                fl6.fl6_sport = inet_rsk(req)->loc_port;
-                security_sk_classify_flow(sk, &fl);
+                security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
-                if (ip6_dst_lookup(sk, &dst, &fl))
+                dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false);
-                        goto out;
+                if (IS_ERR(dst))
-                if (final_p)
-                        ipv6_addr_copy(&fl.fl6_dst, final_p);
-                if ((xfrm_lookup(sock_net(sk), &dst, &fl, sk, 0)) < 0)
                        goto out;
        }
@@ -578,7 +560,6 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
        newdp6 = (struct dccp6_sock *)newsk;
        newinet = inet_sk(newsk);
        newinet->pinet6 = &newdp6->inet6;
-        newdp = dccp_sk(newsk);
        newnp = inet6_sk(newsk);
        memcpy(newnp, np, sizeof(struct ipv6_pinfo));
@@ -592,7 +573,7 @@ static struct sock *dccp_v6_request_recv_sock(struct sock *sk,
           First: no IPv4 options.
         */
-        newinet->opt = NULL;
+        newinet->inet_opt = NULL;
        /* Clone RX bits */
        newnp->rxopt.all = np->rxopt.all;
@@ -878,7 +859,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct dccp_sock *dp = dccp_sk(sk);
        struct in6_addr *saddr = NULL, *final_p, final;
-        struct flowi fl;
+        struct flowi6 fl6;
        struct dst_entry *dst;
        int addr_type;
        int err;
@@ -891,14 +872,14 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
        if (usin->sin6_family != AF_INET6)
                return -EAFNOSUPPORT;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
        if (np->sndflow) {
-                fl.fl6_flowlabel = usin->sin6_flowinfo & IPV6_FLOWINFO_MASK;
+                fl6.flowlabel = usin->sin6_flowinfo & IPV6_FLOWINFO_MASK;
-                IP6_ECN_flow_init(fl.fl6_flowlabel);
+                IP6_ECN_flow_init(fl6.flowlabel);
-                if (fl.fl6_flowlabel & IPV6_FLOWLABEL_MASK) {
+                if (fl6.flowlabel & IPV6_FLOWLABEL_MASK) {
                        struct ip6_flowlabel *flowlabel;
-                        flowlabel = fl6_sock_lookup(sk, fl.fl6_flowlabel);
+                        flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
                        if (flowlabel == NULL)
                                return -EINVAL;
                        ipv6_addr_copy(&usin->sin6_addr, &flowlabel->dst);
@@ -935,7 +916,7 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
        }
        ipv6_addr_copy(&np->daddr, &usin->sin6_addr);
-        np->flow_label = fl.fl6_flowlabel;
+        np->flow_label = fl6.flowlabel;
        /*
         * DCCP over IPv4
@@ -972,33 +953,24 @@ static int dccp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
        if (!ipv6_addr_any(&np->rcv_saddr))
                saddr = &np->rcv_saddr;
-        fl.proto = IPPROTO_DCCP;
+        fl6.flowi6_proto = IPPROTO_DCCP;
-        ipv6_addr_copy(&fl.fl6_dst, &np->daddr);
+        ipv6_addr_copy(&fl6.daddr, &np->daddr);
-        ipv6_addr_copy(&fl.fl6_src, saddr ? saddr : &np->saddr);
+        ipv6_addr_copy(&fl6.saddr, saddr ? saddr : &np->saddr);
-        fl.oif = sk->sk_bound_dev_if;
+        fl6.flowi6_oif = sk->sk_bound_dev_if;
-        fl.fl_ip_dport = usin->sin6_port;
+        fl6.fl6_dport = usin->sin6_port;
-        fl.fl_ip_sport = inet->inet_sport;
+        fl6.fl6_sport = inet->inet_sport;
-        security_sk_classify_flow(sk, &fl);
+        security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
-        final_p = fl6_update_dst(&fl, np->opt, &final);
+        final_p = fl6_update_dst(&fl6, np->opt, &final);
-        err = ip6_dst_lookup(sk, &dst, &fl);
+        dst = ip6_dst_lookup_flow(sk, &fl6, final_p, true);
-        if (err)
+        if (IS_ERR(dst)) {
+                err = PTR_ERR(dst);
                goto failure;
-        if (final_p)
-                ipv6_addr_copy(&fl.fl6_dst, final_p);
-        err = __xfrm_lookup(sock_net(sk), &dst, &fl, sk, XFRM_LOOKUP_WAIT);
-        if (err < 0) {
-                if (err == -EREMOTE)
-                        err = ip6_dst_blackhole(sk, &dst, &fl);
-                if (err < 0)
-                        goto failure;
        }
        if (saddr == NULL) {
-                saddr = &fl.fl6_src;
+                saddr = &fl6.saddr;
                ipv6_addr_copy(&np->rcv_saddr, saddr);
        }
diff --git a/net/dccp/options.c b/net/dccp/options.c
index f06ffcfc8d71..4b2ab657ac8e 100644
--- a/net/dccp/options.c
+++ b/net/dccp/options.c
@@ -123,6 +123,8 @@ int dccp_parse_options(struct sock *sk, struct dccp_request_sock *dreq,
                case DCCPO_CHANGE_L ... DCCPO_CONFIRM_R:
                        if (pkt_type == DCCP_PKT_DATA)      /* RFC 4340, 6 */
                                break;
+                        if (len == 0)
+                                goto out_invalid_option;
                        rc = dccp_feat_parse_options(sk, dreq, mandatory, opt,
                                                    *value, value + 1, len - 1);
                        if (rc)
diff --git a/net/dccp/output.c b/net/dccp/output.c
index 784d30210543..fab108e51e5a 100644
--- a/net/dccp/output.c
+++ b/net/dccp/output.c
@@ -43,7 +43,7 @@ static void dccp_skb_entail(struct sock *sk, struct sk_buff *skb)
 static int dccp_transmit_skb(struct sock *sk, struct sk_buff *skb)
 {
        if (likely(skb != NULL)) {
-                const struct inet_sock *inet = inet_sk(sk);
+                struct inet_sock *inet = inet_sk(sk);
                const struct inet_connection_sock *icsk = inet_csk(sk);
                struct dccp_sock *dp = dccp_sk(sk);
                struct dccp_skb_cb *dcb = DCCP_SKB_CB(skb);
@@ -136,14 +136,14 @@ static int dccp_transmit_skb(struct sock *sk, struct sk_buff *skb)
                DCCP_INC_STATS(DCCP_MIB_OUTSEGS);
-                err = icsk->icsk_af_ops->queue_xmit(skb);
+                err = icsk->icsk_af_ops->queue_xmit(skb, &inet->cork.fl);
                return net_xmit_eval(err);
        }
        return -ENOBUFS;
 }
 /**
- * dccp_determine_ccmps  -  Find out about CCID-specfic packet-size limits
+ * dccp_determine_ccmps  -  Find out about CCID-specific packet-size limits
 * We only consider the HC-sender CCID for setting the CCMPS (RFC 4340, 14.),
 * since the RX CCID is restricted to feedback packets (Acks), which are small
 * in comparison with the data traffic. A value of 0 means "no current CCMPS".
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index 2af15b15d1fa..ea3b6ee21fc9 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -908,7 +908,7 @@ static int __dn_connect(struct sock *sk, struct sockaddr_dn *addr, int addrlen,
        struct socket *sock = sk->sk_socket;
        struct dn_scp *scp = DN_SK(sk);
        int err = -EISCONN;
-        struct flowi fl;
+        struct flowidn fld;
        if (sock->state == SS_CONNECTED)
                goto out;
@@ -947,13 +947,13 @@ static int __dn_connect(struct sock *sk, struct sockaddr_dn *addr, int addrlen,
        memcpy(&scp->peer, addr, sizeof(struct sockaddr_dn));
        err = -EHOSTUNREACH;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fld, 0, sizeof(fld));
-        fl.oif = sk->sk_bound_dev_if;
+        fld.flowidn_oif = sk->sk_bound_dev_if;
-        fl.fld_dst = dn_saddr2dn(&scp->peer);
+        fld.daddr = dn_saddr2dn(&scp->peer);
-        fl.fld_src = dn_saddr2dn(&scp->addr);
+        fld.saddr = dn_saddr2dn(&scp->addr);
-        dn_sk_ports_copy(&fl, scp);
+        dn_sk_ports_copy(&fld, scp);
-        fl.proto = DNPROTO_NSP;
+        fld.flowidn_proto = DNPROTO_NSP;
-        if (dn_route_output_sock(&sk->sk_dst_cache, &fl, sk, flags) < 0)
+        if (dn_route_output_sock(&sk->sk_dst_cache, &fld, sk, flags) < 0)
                goto out;
        sk->sk_route_caps = sk->sk_dst_cache->dev->features;
        sock->state = SS_CONNECTING;
diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
index 0dcaa903e00e..cf26ac74a188 100644
--- a/net/decnet/dn_dev.c
+++ b/net/decnet/dn_dev.c
@@ -332,14 +332,9 @@ static struct dn_ifaddr *dn_dev_alloc_ifa(void)
        return ifa;
 }
-static void dn_dev_free_ifa_rcu(struct rcu_head *head)
-{
-        kfree(container_of(head, struct dn_ifaddr, rcu));
-}
 static void dn_dev_free_ifa(struct dn_ifaddr *ifa)
 {
-        call_rcu(&ifa->rcu, dn_dev_free_ifa_rcu);
+        kfree_rcu(ifa, rcu);
 }
 static void dn_dev_del_ifa(struct dn_dev *dn_db, struct dn_ifaddr __rcu **ifap, int destroy)
@@ -752,7 +747,8 @@ static int dn_nl_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
        skip_naddr = cb->args[1];
        idx = 0;
-        for_each_netdev(&init_net, dev) {
+        rcu_read_lock();
+        for_each_netdev_rcu(&init_net, dev) {
                if (idx < skip_ndevs)
                        goto cont;
                else if (idx > skip_ndevs) {
@@ -761,11 +757,11 @@ static int dn_nl_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
                        skip_naddr = 0;
                }
-                if ((dn_db = rtnl_dereference(dev->dn_ptr)) == NULL)
+                if ((dn_db = rcu_dereference(dev->dn_ptr)) == NULL)
                        goto cont;
-                for (ifa = rtnl_dereference(dn_db->ifa_list), dn_idx = 0; ifa;
+                for (ifa = rcu_dereference(dn_db->ifa_list), dn_idx = 0; ifa;
-                     ifa = rtnl_dereference(ifa->ifa_next), dn_idx++) {
+                     ifa = rcu_dereference(ifa->ifa_next), dn_idx++) {
                        if (dn_idx < skip_naddr)
                                continue;
@@ -778,6 +774,7 @@ cont:
                idx++;
        }
 done:
+        rcu_read_unlock();
        cb->args[0] = idx;
        cb->args[1] = dn_idx;
diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c
index 0ef0a81bcd72..1c74ed36ce8f 100644
--- a/net/decnet/dn_fib.c
+++ b/net/decnet/dn_fib.c
@@ -201,7 +201,7 @@ static int dn_fib_check_nh(const struct rtmsg *r, struct dn_fib_info *fi, struct
        int err;
        if (nh->nh_gw) {
-                struct flowi fl;
+                struct flowidn fld;
                struct dn_fib_res res;
                if (nh->nh_flags&RTNH_F_ONLINK) {
@@ -221,15 +221,15 @@ static int dn_fib_check_nh(const struct rtmsg *r, struct dn_fib_info *fi, struct
                        return 0;
                }
-                memset(&fl, 0, sizeof(fl));
+                memset(&fld, 0, sizeof(fld));
-                fl.fld_dst = nh->nh_gw;
+                fld.daddr = nh->nh_gw;
-                fl.oif = nh->nh_oif;
+                fld.flowidn_oif = nh->nh_oif;
-                fl.fld_scope = r->rtm_scope + 1;
+                fld.flowidn_scope = r->rtm_scope + 1;
-                if (fl.fld_scope < RT_SCOPE_LINK)
+                if (fld.flowidn_scope < RT_SCOPE_LINK)
-                        fl.fld_scope = RT_SCOPE_LINK;
+                        fld.flowidn_scope = RT_SCOPE_LINK;
-                if ((err = dn_fib_lookup(&fl, &res)) != 0)
+                if ((err = dn_fib_lookup(&fld, &res)) != 0)
                        return err;
                err = -EINVAL;
@@ -404,7 +404,7 @@ failure:
        return NULL;
 }
-int dn_fib_semantic_match(int type, struct dn_fib_info *fi, const struct flowi *fl, struct dn_fib_res *res)
+int dn_fib_semantic_match(int type, struct dn_fib_info *fi, const struct flowidn *fld, struct dn_fib_res *res)
 {
        int err = dn_fib_props[type].error;
@@ -424,7 +424,8 @@ int dn_fib_semantic_match(int type, struct dn_fib_info *fi, const struct flowi *
                                for_nexthops(fi) {
                                        if (nh->nh_flags & RTNH_F_DEAD)
                                                continue;
-                                        if (!fl->oif || fl->oif == nh->nh_oif)
+                                        if (!fld->flowidn_oif ||
+                                            fld->flowidn_oif == nh->nh_oif)
                                                break;
                                }
                                if (nhsel < fi->fib_nhs) {
@@ -445,7 +446,7 @@ int dn_fib_semantic_match(int type, struct dn_fib_info *fi, const struct flowi *
        return err;
 }
-void dn_fib_select_multipath(const struct flowi *fl, struct dn_fib_res *res)
+void dn_fib_select_multipath(const struct flowidn *fld, struct dn_fib_res *res)
 {
        struct dn_fib_info *fi = res->fi;
        int w;
diff --git a/net/decnet/dn_nsp_out.c b/net/decnet/dn_nsp_out.c
index 2ef115277bea..bd78836a81eb 100644
--- a/net/decnet/dn_nsp_out.c
+++ b/net/decnet/dn_nsp_out.c
@@ -78,7 +78,7 @@ static void dn_nsp_send(struct sk_buff *skb)
        struct sock *sk = skb->sk;
        struct dn_scp *scp = DN_SK(sk);
        struct dst_entry *dst;
-        struct flowi fl;
+        struct flowidn fld;
        skb_reset_transport_header(skb);
        scp->stamp = jiffies;
@@ -91,13 +91,13 @@ try_again:
                return;
        }
-        memset(&fl, 0, sizeof(fl));
+        memset(&fld, 0, sizeof(fld));
-        fl.oif = sk->sk_bound_dev_if;
+        fld.flowidn_oif = sk->sk_bound_dev_if;
-        fl.fld_src = dn_saddr2dn(&scp->addr);
+        fld.saddr = dn_saddr2dn(&scp->addr);
-        fl.fld_dst = dn_saddr2dn(&scp->peer);
+        fld.daddr = dn_saddr2dn(&scp->peer);
-        dn_sk_ports_copy(&fl, scp);
+        dn_sk_ports_copy(&fld, scp);
-        fl.proto = DNPROTO_NSP;
+        fld.flowidn_proto = DNPROTO_NSP;
-        if (dn_route_output_sock(&sk->sk_dst_cache, &fl, sk, 0) == 0) {
+        if (dn_route_output_sock(&sk->sk_dst_cache, &fld, sk, 0) == 0) {
                dst = sk_dst_get(sk);
                sk->sk_route_caps = dst->dev->features;
                goto try_again;
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c
index 5e636365d33c..74544bc6fdec 100644
--- a/net/decnet/dn_route.c
+++ b/net/decnet/dn_route.c
@@ -112,6 +112,7 @@ static int dn_dst_gc(struct dst_ops *ops);
 static struct dst_entry *dn_dst_check(struct dst_entry *, __u32);
 static unsigned int dn_dst_default_advmss(const struct dst_entry *dst);
 static unsigned int dn_dst_default_mtu(const struct dst_entry *dst);
+static void dn_dst_destroy(struct dst_entry *);
 static struct dst_entry *dn_dst_negative_advice(struct dst_entry *);
 static void dn_dst_link_failure(struct sk_buff *);
 static void dn_dst_update_pmtu(struct dst_entry *dst, u32 mtu);
@@ -133,11 +134,18 @@ static struct dst_ops dn_dst_ops = {
        .check =                dn_dst_check,
        .default_advmss =       dn_dst_default_advmss,
        .default_mtu =          dn_dst_default_mtu,
+        .cow_metrics =          dst_cow_metrics_generic,
+        .destroy =              dn_dst_destroy,
        .negative_advice =      dn_dst_negative_advice,
        .link_failure =         dn_dst_link_failure,
        .update_pmtu =          dn_dst_update_pmtu,
 };
+static void dn_dst_destroy(struct dst_entry *dst)
+{
+        dst_destroy_metrics_generic(dst);
+}
 static __inline__ unsigned dn_hash(__le16 src, __le16 dst)
 {
        __u16 tmp = (__u16 __force)(src ^ dst);
@@ -274,14 +282,14 @@ static void dn_dst_link_failure(struct sk_buff *skb)
 {
 }
-static inline int compare_keys(struct flowi *fl1, struct flowi *fl2)
+static inline int compare_keys(struct flowidn *fl1, struct flowidn *fl2)
 {
-        return ((fl1->fld_dst ^ fl2->fld_dst) |
+        return ((fl1->daddr ^ fl2->daddr) |
-                (fl1->fld_src ^ fl2->fld_src) |
+                (fl1->saddr ^ fl2->saddr) |
-                (fl1->mark ^ fl2->mark) |
+                (fl1->flowidn_mark ^ fl2->flowidn_mark) |
-                (fl1->fld_scope ^ fl2->fld_scope) |
+                (fl1->flowidn_scope ^ fl2->flowidn_scope) |
-                (fl1->oif ^ fl2->oif) |
+                (fl1->flowidn_oif ^ fl2->flowidn_oif) |
-                (fl1->iif ^ fl2->iif)) == 0;
+                (fl1->flowidn_iif ^ fl2->flowidn_iif)) == 0;
 }
 static int dn_insert_route(struct dn_route *rt, unsigned hash, struct dn_route **rp)
@@ -295,7 +303,7 @@ static int dn_insert_route(struct dn_route *rt, unsigned hash, struct dn_route *
        spin_lock_bh(&dn_rt_hash_table[hash].lock);
        while ((rth = rcu_dereference_protected(*rthp,
                                                lockdep_is_held(&dn_rt_hash_table[hash].lock))) != NULL) {
-                if (compare_keys(&rth->fl, &rt->fl)) {
+                if (compare_keys(&rth->fld, &rt->fld)) {
                        /* Put it first */
                        *rthp = rth->dst.dn_next;
                        rcu_assign_pointer(rth->dst.dn_next,
@@ -814,14 +822,14 @@ static int dn_rt_set_next_hop(struct dn_route *rt, struct dn_fib_res *res)
 {
        struct dn_fib_info *fi = res->fi;
        struct net_device *dev = rt->dst.dev;
+        unsigned int mss_metric;
        struct neighbour *n;
-        unsigned int metric;
        if (fi) {
                if (DN_FIB_RES_GW(*res) &&
                    DN_FIB_RES_NH(*res).nh_scope == RT_SCOPE_LINK)
                        rt->rt_gateway = DN_FIB_RES_GW(*res);
-                dst_import_metrics(&rt->dst, fi->fib_metrics);
+                dst_init_metrics(&rt->dst, fi->fib_metrics, true);
        }
        rt->rt_type = res->type;
@@ -834,10 +842,10 @@ static int dn_rt_set_next_hop(struct dn_route *rt, struct dn_fib_res *res)
        if (dst_metric(&rt->dst, RTAX_MTU) > rt->dst.dev->mtu)
                dst_metric_set(&rt->dst, RTAX_MTU, rt->dst.dev->mtu);
-        metric = dst_metric_raw(&rt->dst, RTAX_ADVMSS);
+        mss_metric = dst_metric_raw(&rt->dst, RTAX_ADVMSS);
-        if (metric) {
+        if (mss_metric) {
                unsigned int mss = dn_mss_from_pmtu(dev, dst_mtu(&rt->dst));
-                if (metric > mss)
+                if (mss_metric > mss)
                        dst_metric_set(&rt->dst, RTAX_ADVMSS, mss);
        }
        return 0;
@@ -895,14 +903,16 @@ static inline __le16 dn_fib_rules_map_destination(__le16 daddr, struct dn_fib_re
        return (daddr&~mask)|res->fi->fib_nh->nh_gw;
 }
-static int dn_route_output_slow(struct dst_entry **pprt, const struct flowi *oldflp, int try_hard)
+static int dn_route_output_slow(struct dst_entry **pprt, const struct flowidn *oldflp, int try_hard)
 {
-        struct flowi fl = { .fld_dst = oldflp->fld_dst,
+        struct flowidn fld = {
-                            .fld_src = oldflp->fld_src,
+                .daddr = oldflp->daddr,
-                            .fld_scope = RT_SCOPE_UNIVERSE,
+                .saddr = oldflp->saddr,
-                            .mark = oldflp->mark,
+                .flowidn_scope = RT_SCOPE_UNIVERSE,
-                            .iif = init_net.loopback_dev->ifindex,
+                .flowidn_mark = oldflp->flowidn_mark,
-                            .oif = oldflp->oif };
+                .flowidn_iif = init_net.loopback_dev->ifindex,
+                .flowidn_oif = oldflp->flowidn_oif,
+        };
        struct dn_route *rt = NULL;
        struct net_device *dev_out = NULL, *dev;
        struct neighbour *neigh = NULL;
@@ -916,13 +926,14 @@ static int dn_route_output_slow(struct dst_entry **pprt, const struct flowi *old
        if (decnet_debug_level & 16)
                printk(KERN_DEBUG
                       "dn_route_output_slow: dst=%04x src=%04x mark=%d"
-                       " iif=%d oif=%d\n", le16_to_cpu(oldflp->fld_dst),
+                       " iif=%d oif=%d\n", le16_to_cpu(oldflp->daddr),
-                       le16_to_cpu(oldflp->fld_src),
+                       le16_to_cpu(oldflp->saddr),
-                       oldflp->mark, init_net.loopback_dev->ifindex, oldflp->oif);
+                       oldflp->flowidn_mark, init_net.loopback_dev->ifindex,
+                       oldflp->flowidn_oif);
        /* If we have an output interface, verify its a DECnet device */
-        if (oldflp->oif) {
+        if (oldflp->flowidn_oif) {
-                dev_out = dev_get_by_index(&init_net, oldflp->oif);
+                dev_out = dev_get_by_index(&init_net, oldflp->flowidn_oif);
                err = -ENODEV;
                if (dev_out && dev_out->dn_ptr == NULL) {
                        dev_put(dev_out);
@@ -933,11 +944,11 @@ static int dn_route_output_slow(struct dst_entry **pprt, const struct flowi *old
        }
        /* If we have a source address, verify that its a local address */
-        if (oldflp->fld_src) {
+        if (oldflp->saddr) {
                err = -EADDRNOTAVAIL;
                if (dev_out) {
-                        if (dn_dev_islocal(dev_out, oldflp->fld_src))
+                        if (dn_dev_islocal(dev_out, oldflp->saddr))
                                goto source_ok;
                        dev_put(dev_out);
                        goto out;
@@ -946,11 +957,11 @@ static int dn_route_output_slow(struct dst_entry **pprt, const struct flowi *old
                for_each_netdev_rcu(&init_net, dev) {
                        if (!dev->dn_ptr)
                                continue;
-                        if (!dn_dev_islocal(dev, oldflp->fld_src))
+                        if (!dn_dev_islocal(dev, oldflp->saddr))
                                continue;
                        if ((dev->flags & IFF_LOOPBACK) &&
-                            oldflp->fld_dst &&
+                            oldflp->daddr &&
-                            !dn_dev_islocal(dev, oldflp->fld_dst))
+                            !dn_dev_islocal(dev, oldflp->daddr))
                                continue;
                        dev_out = dev;
@@ -965,22 +976,22 @@ source_ok:
        }
        /* No destination? Assume its local */
-        if (!fl.fld_dst) {
+        if (!fld.daddr) {
-                fl.fld_dst = fl.fld_src;
+                fld.daddr = fld.saddr;
                err = -EADDRNOTAVAIL;
                if (dev_out)
                        dev_put(dev_out);
                dev_out = init_net.loopback_dev;
                dev_hold(dev_out);
-                if (!fl.fld_dst) {
+                if (!fld.daddr) {
-                        fl.fld_dst =
+                        fld.daddr =
-                        fl.fld_src = dnet_select_source(dev_out, 0,
+                        fld.saddr = dnet_select_source(dev_out, 0,
                                                       RT_SCOPE_HOST);
-                        if (!fl.fld_dst)
+                        if (!fld.daddr)
                                goto out;
                }
-                fl.oif = init_net.loopback_dev->ifindex;
+                fld.flowidn_oif = init_net.loopback_dev->ifindex;
                res.type = RTN_LOCAL;
                goto make_route;
        }
@@ -989,8 +1000,8 @@ source_ok:
                printk(KERN_DEBUG
                       "dn_route_output_slow: initial checks complete."
                       " dst=%o4x src=%04x oif=%d try_hard=%d\n",
-                       le16_to_cpu(fl.fld_dst), le16_to_cpu(fl.fld_src),
+                       le16_to_cpu(fld.daddr), le16_to_cpu(fld.saddr),
-                       fl.oif, try_hard);
+                       fld.flowidn_oif, try_hard);
        /*
         * N.B. If the kernel is compiled without router support then
@@ -998,7 +1009,7 @@ source_ok:
         * will always be executed.
         */
        err = -ESRCH;
-        if (try_hard || (err = dn_fib_lookup(&fl, &res)) != 0) {
+        if (try_hard || (err = dn_fib_lookup(&fld, &res)) != 0) {
                struct dn_dev *dn_db;
                if (err != -ESRCH)
                        goto out;
@@ -1013,19 +1024,19 @@ source_ok:
                 * here
                 */
                if (!try_hard) {
-                        neigh = neigh_lookup_nodev(&dn_neigh_table, &init_net, &fl.fld_dst);
+                        neigh = neigh_lookup_nodev(&dn_neigh_table, &init_net, &fld.daddr);
                        if (neigh) {
-                                if ((oldflp->oif &&
+                                if ((oldflp->flowidn_oif &&
-                                    (neigh->dev->ifindex != oldflp->oif)) ||
+                                    (neigh->dev->ifindex != oldflp->flowidn_oif)) ||
-                                    (oldflp->fld_src &&
+                                    (oldflp->saddr &&
                                    (!dn_dev_islocal(neigh->dev,
-                                                      oldflp->fld_src)))) {
+                                                     oldflp->saddr)))) {
                                        neigh_release(neigh);
                                        neigh = NULL;
                                } else {
                                        if (dev_out)
                                                dev_put(dev_out);
-                                        if (dn_dev_islocal(neigh->dev, fl.fld_dst)) {
+                                        if (dn_dev_islocal(neigh->dev, fld.daddr)) {
                                                dev_out = init_net.loopback_dev;
                                                res.type = RTN_LOCAL;
                                        } else {
@@ -1045,7 +1056,7 @@ source_ok:
                        goto out;
                dn_db = rcu_dereference_raw(dev_out->dn_ptr);
                /* Possible improvement - check all devices for local addr */
-                if (dn_dev_islocal(dev_out, fl.fld_dst)) {
+                if (dn_dev_islocal(dev_out, fld.daddr)) {
                        dev_put(dev_out);
                        dev_out = init_net.loopback_dev;
                        dev_hold(dev_out);
@@ -1061,16 +1072,16 @@ select_source:
                if (neigh)
                        gateway = ((struct dn_neigh *)neigh)->addr;
                if (gateway == 0)
-                        gateway = fl.fld_dst;
+                        gateway = fld.daddr;
-                if (fl.fld_src == 0) {
+                if (fld.saddr == 0) {
-                        fl.fld_src = dnet_select_source(dev_out, gateway,
+                        fld.saddr = dnet_select_source(dev_out, gateway,
-                                                         res.type == RTN_LOCAL ?
+                                                       res.type == RTN_LOCAL ?
-                                                         RT_SCOPE_HOST :
+                                                       RT_SCOPE_HOST :
-                                                         RT_SCOPE_LINK);
+                                                       RT_SCOPE_LINK);
-                        if (fl.fld_src == 0 && res.type != RTN_LOCAL)
+                        if (fld.saddr == 0 && res.type != RTN_LOCAL)
                                goto e_addr;
                }
-                fl.oif = dev_out->ifindex;
+                fld.flowidn_oif = dev_out->ifindex;
                goto make_route;
        }
        free_res = 1;
@@ -1079,64 +1090,60 @@ select_source:
                goto e_inval;
        if (res.type == RTN_LOCAL) {
-                if (!fl.fld_src)
+                if (!fld.saddr)
-                        fl.fld_src = fl.fld_dst;
+                        fld.saddr = fld.daddr;
                if (dev_out)
                        dev_put(dev_out);
                dev_out = init_net.loopback_dev;
                dev_hold(dev_out);
-                fl.oif = dev_out->ifindex;
+                fld.flowidn_oif = dev_out->ifindex;
                if (res.fi)
                        dn_fib_info_put(res.fi);
                res.fi = NULL;
                goto make_route;
        }
-        if (res.fi->fib_nhs > 1 && fl.oif == 0)
+        if (res.fi->fib_nhs > 1 && fld.flowidn_oif == 0)
-                dn_fib_select_multipath(&fl, &res);
+                dn_fib_select_multipath(&fld, &res);
        /*
         * We could add some logic to deal with default routes here and
         * get rid of some of the special casing above.
         */
-        if (!fl.fld_src)
+        if (!fld.saddr)
-                fl.fld_src = DN_FIB_RES_PREFSRC(res);
+                fld.saddr = DN_FIB_RES_PREFSRC(res);
        if (dev_out)
                dev_put(dev_out);
        dev_out = DN_FIB_RES_DEV(res);
        dev_hold(dev_out);
-        fl.oif = dev_out->ifindex;
+        fld.flowidn_oif = dev_out->ifindex;
        gateway = DN_FIB_RES_GW(res);
 make_route:
        if (dev_out->flags & IFF_LOOPBACK)
                flags |= RTCF_LOCAL;
-        rt = dst_alloc(&dn_dst_ops);
+        rt = dst_alloc(&dn_dst_ops, dev_out, 1, 0, DST_HOST);
        if (rt == NULL)
                goto e_nobufs;
-        atomic_set(&rt->dst.__refcnt, 1);
+        memset(&rt->fld, 0, sizeof(rt->fld));
-        rt->dst.flags   = DST_HOST;
+        rt->fld.saddr        = oldflp->saddr;
+        rt->fld.daddr        = oldflp->daddr;
-        rt->fl.fld_src    = oldflp->fld_src;
+        rt->fld.flowidn_oif  = oldflp->flowidn_oif;
-        rt->fl.fld_dst    = oldflp->fld_dst;
+        rt->fld.flowidn_iif  = 0;
-        rt->fl.oif        = oldflp->oif;
+        rt->fld.flowidn_mark = oldflp->flowidn_mark;
-        rt->fl.iif        = 0;
-        rt->fl.mark       = oldflp->mark;
-        rt->rt_saddr      = fl.fld_src;
+        rt->rt_saddr      = fld.saddr;
-        rt->rt_daddr      = fl.fld_dst;
+        rt->rt_daddr      = fld.daddr;
-        rt->rt_gateway    = gateway ? gateway : fl.fld_dst;
+        rt->rt_gateway    = gateway ? gateway : fld.daddr;
-        rt->rt_local_src  = fl.fld_src;
+        rt->rt_local_src  = fld.saddr;
-        rt->rt_dst_map    = fl.fld_dst;
+        rt->rt_dst_map    = fld.daddr;
-        rt->rt_src_map    = fl.fld_src;
+        rt->rt_src_map    = fld.saddr;
-        rt->dst.dev = dev_out;
-        dev_hold(dev_out);
        rt->dst.neighbour = neigh;
        neigh = NULL;
@@ -1151,7 +1158,7 @@ make_route:
        if (err)
                goto e_neighbour;
-        hash = dn_hash(rt->fl.fld_src, rt->fl.fld_dst);
+        hash = dn_hash(rt->fld.saddr, rt->fld.daddr);
        dn_insert_route(rt, hash, (struct dn_route **)pprt);
 done:
@@ -1182,20 +1189,20 @@ e_neighbour:
 /*
 * N.B. The flags may be moved into the flowi at some future stage.
 */
-static int __dn_route_output_key(struct dst_entry **pprt, const struct flowi *flp, int flags)
+static int __dn_route_output_key(struct dst_entry **pprt, const struct flowidn *flp, int flags)
 {
-        unsigned hash = dn_hash(flp->fld_src, flp->fld_dst);
+        unsigned hash = dn_hash(flp->saddr, flp->daddr);
        struct dn_route *rt = NULL;
        if (!(flags & MSG_TRYHARD)) {
                rcu_read_lock_bh();
                for (rt = rcu_dereference_bh(dn_rt_hash_table[hash].chain); rt;
                        rt = rcu_dereference_bh(rt->dst.dn_next)) {
-                        if ((flp->fld_dst == rt->fl.fld_dst) &&
+                        if ((flp->daddr == rt->fld.daddr) &&
-                            (flp->fld_src == rt->fl.fld_src) &&
+                            (flp->saddr == rt->fld.saddr) &&
-                            (flp->mark == rt->fl.mark) &&
+                            (flp->flowidn_mark == rt->fld.flowidn_mark) &&
                            dn_is_output_route(rt) &&
-                            (rt->fl.oif == flp->oif)) {
+                            (rt->fld.flowidn_oif == flp->flowidn_oif)) {
                                dst_use(&rt->dst, jiffies);
                                rcu_read_unlock_bh();
                                *pprt = &rt->dst;
@@ -1208,25 +1215,36 @@ static int __dn_route_output_key(struct dst_entry **pprt, const struct flowi *fl
        return dn_route_output_slow(pprt, flp, flags);
 }
-static int dn_route_output_key(struct dst_entry **pprt, struct flowi *flp, int flags)
+static int dn_route_output_key(struct dst_entry **pprt, struct flowidn *flp, int flags)
 {
        int err;
        err = __dn_route_output_key(pprt, flp, flags);
-        if (err == 0 && flp->proto) {
+        if (err == 0 && flp->flowidn_proto) {
-                err = xfrm_lookup(&init_net, pprt, flp, NULL, 0);
+                *pprt = xfrm_lookup(&init_net, *pprt,
+                                    flowidn_to_flowi(flp), NULL, 0);
+                if (IS_ERR(*pprt)) {
+                        err = PTR_ERR(*pprt);
+                        *pprt = NULL;
+                }
        }
        return err;
 }
-int dn_route_output_sock(struct dst_entry **pprt, struct flowi *fl, struct sock *sk, int flags)
+int dn_route_output_sock(struct dst_entry **pprt, struct flowidn *fl, struct sock *sk, int flags)
 {
        int err;
        err = __dn_route_output_key(pprt, fl, flags & MSG_TRYHARD);
-        if (err == 0 && fl->proto) {
+        if (err == 0 && fl->flowidn_proto) {
-                err = xfrm_lookup(&init_net, pprt, fl, sk,
+                if (!(flags & MSG_DONTWAIT))
-                                 (flags & MSG_DONTWAIT) ? 0 : XFRM_LOOKUP_WAIT);
+                        fl->flowidn_flags |= FLOWI_FLAG_CAN_SLEEP;
+                *pprt = xfrm_lookup(&init_net, *pprt,
+                                    flowidn_to_flowi(fl), sk, 0);
+                if (IS_ERR(*pprt)) {
+                        err = PTR_ERR(*pprt);
+                        *pprt = NULL;
+                }
        }
        return err;
 }
@@ -1243,11 +1261,13 @@ static int dn_route_input_slow(struct sk_buff *skb)
        int flags = 0;
        __le16 gateway = 0;
        __le16 local_src = 0;
-        struct flowi fl = { .fld_dst = cb->dst,
+        struct flowidn fld = {
-                            .fld_src = cb->src,
+                .daddr = cb->dst,
-                            .fld_scope = RT_SCOPE_UNIVERSE,
+                .saddr = cb->src,
-                            .mark = skb->mark,
+                .flowidn_scope = RT_SCOPE_UNIVERSE,
-                            .iif = skb->dev->ifindex };
+                .flowidn_mark = skb->mark,
+                .flowidn_iif = skb->dev->ifindex,
+        };
        struct dn_fib_res res = { .fi = NULL, .type = RTN_UNREACHABLE };
        int err = -EINVAL;
        int free_res = 0;
@@ -1258,7 +1278,7 @@ static int dn_route_input_slow(struct sk_buff *skb)
                goto out;
        /* Zero source addresses are not allowed */
-        if (fl.fld_src == 0)
+        if (fld.saddr == 0)
                goto out;
        /*
@@ -1272,7 +1292,7 @@ static int dn_route_input_slow(struct sk_buff *skb)
        if (dn_dev_islocal(in_dev, cb->src))
                goto out;
-        err = dn_fib_lookup(&fl, &res);
+        err = dn_fib_lookup(&fld, &res);
        if (err) {
                if (err != -ESRCH)
                        goto out;
@@ -1284,7 +1304,7 @@ static int dn_route_input_slow(struct sk_buff *skb)
                res.type = RTN_LOCAL;
        } else {
-                __le16 src_map = fl.fld_src;
+                __le16 src_map = fld.saddr;
                free_res = 1;
                out_dev = DN_FIB_RES_DEV(res);
@@ -1297,22 +1317,22 @@ static int dn_route_input_slow(struct sk_buff *skb)
                dev_hold(out_dev);
                if (res.r)
-                        src_map = fl.fld_src; /* no NAT support for now */
+                        src_map = fld.saddr; /* no NAT support for now */
                gateway = DN_FIB_RES_GW(res);
                if (res.type == RTN_NAT) {
-                        fl.fld_dst = dn_fib_rules_map_destination(fl.fld_dst, &res);
+                        fld.daddr = dn_fib_rules_map_destination(fld.daddr, &res);
                        dn_fib_res_put(&res);
                        free_res = 0;
-                        if (dn_fib_lookup(&fl, &res))
+                        if (dn_fib_lookup(&fld, &res))
                                goto e_inval;
                        free_res = 1;
                        if (res.type != RTN_UNICAST)
                                goto e_inval;
                        flags |= RTCF_DNAT;
-                        gateway = fl.fld_dst;
+                        gateway = fld.daddr;
                }
-                fl.fld_src = src_map;
+                fld.saddr = src_map;
        }
        switch(res.type) {
@@ -1326,8 +1346,8 @@ static int dn_route_input_slow(struct sk_buff *skb)
                if (dn_db->parms.forwarding == 0)
                        goto e_inval;
-                if (res.fi->fib_nhs > 1 && fl.oif == 0)
+                if (res.fi->fib_nhs > 1 && fld.flowidn_oif == 0)
-                        dn_fib_select_multipath(&fl, &res);
+                        dn_fib_select_multipath(&fld, &res);
                /*
                 * Check for out_dev == in_dev. We use the RTCF_DOREDIRECT
@@ -1345,8 +1365,8 @@ static int dn_route_input_slow(struct sk_buff *skb)
                break;
        case RTN_LOCAL:
                flags |= RTCF_LOCAL;
-                fl.fld_src = cb->dst;
+                fld.saddr = cb->dst;
-                fl.fld_dst = cb->src;
+                fld.daddr = cb->src;
                /* Routing tables gave us a gateway */
                if (gateway)
@@ -1375,29 +1395,28 @@ static int dn_route_input_slow(struct sk_buff *skb)
        }
 make_route:
-        rt = dst_alloc(&dn_dst_ops);
+        rt = dst_alloc(&dn_dst_ops, out_dev, 0, 0, DST_HOST);
        if (rt == NULL)
                goto e_nobufs;
-        rt->rt_saddr      = fl.fld_src;
+        memset(&rt->fld, 0, sizeof(rt->fld));
-        rt->rt_daddr      = fl.fld_dst;
+        rt->rt_saddr      = fld.saddr;
-        rt->rt_gateway    = fl.fld_dst;
+        rt->rt_daddr      = fld.daddr;
+        rt->rt_gateway    = fld.daddr;
        if (gateway)
                rt->rt_gateway = gateway;
        rt->rt_local_src  = local_src ? local_src : rt->rt_saddr;
-        rt->rt_dst_map    = fl.fld_dst;
+        rt->rt_dst_map    = fld.daddr;
-        rt->rt_src_map    = fl.fld_src;
+        rt->rt_src_map    = fld.saddr;
-        rt->fl.fld_src    = cb->src;
+        rt->fld.saddr        = cb->src;
-        rt->fl.fld_dst    = cb->dst;
+        rt->fld.daddr        = cb->dst;
-        rt->fl.oif        = 0;
+        rt->fld.flowidn_oif  = 0;
-        rt->fl.iif        = in_dev->ifindex;
+        rt->fld.flowidn_iif  = in_dev->ifindex;
-        rt->fl.mark       = fl.mark;
+        rt->fld.flowidn_mark = fld.flowidn_mark;
-        rt->dst.flags = DST_HOST;
        rt->dst.neighbour = neigh;
-        rt->dst.dev = out_dev;
        rt->dst.lastuse = jiffies;
        rt->dst.output = dn_rt_bug;
        switch(res.type) {
@@ -1416,14 +1435,12 @@ make_route:
                        rt->dst.input = dst_discard;
        }
        rt->rt_flags = flags;
-        if (rt->dst.dev)
-                dev_hold(rt->dst.dev);
        err = dn_rt_set_next_hop(rt, &res);
        if (err)
                goto e_neighbour;
-        hash = dn_hash(rt->fl.fld_src, rt->fl.fld_dst);
+        hash = dn_hash(rt->fld.saddr, rt->fld.daddr);
        dn_insert_route(rt, hash, &rt);
        skb_dst_set(skb, &rt->dst);
@@ -1463,11 +1480,11 @@ static int dn_route_input(struct sk_buff *skb)
        rcu_read_lock();
        for(rt = rcu_dereference(dn_rt_hash_table[hash].chain); rt != NULL;
            rt = rcu_dereference(rt->dst.dn_next)) {
-                if ((rt->fl.fld_src == cb->src) &&
+                if ((rt->fld.saddr == cb->src) &&
-                    (rt->fl.fld_dst == cb->dst) &&
+                    (rt->fld.daddr == cb->dst) &&
-                    (rt->fl.oif == 0) &&
+                    (rt->fld.flowidn_oif == 0) &&
-                    (rt->fl.mark == skb->mark) &&
+                    (rt->fld.flowidn_mark == skb->mark) &&
-                    (rt->fl.iif == cb->iif)) {
+                    (rt->fld.flowidn_iif == cb->iif)) {
                        dst_use(&rt->dst, jiffies);
                        rcu_read_unlock();
                        skb_dst_set(skb, (struct dst_entry *)rt);
@@ -1503,9 +1520,9 @@ static int dn_rt_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
        if (rt->rt_flags & RTCF_NOTIFY)
                r->rtm_flags |= RTM_F_NOTIFY;
        RTA_PUT(skb, RTA_DST, 2, &rt->rt_daddr);
-        if (rt->fl.fld_src) {
+        if (rt->fld.saddr) {
                r->rtm_src_len = 16;
-                RTA_PUT(skb, RTA_SRC, 2, &rt->fl.fld_src);
+                RTA_PUT(skb, RTA_SRC, 2, &rt->fld.saddr);
        }
        if (rt->dst.dev)
                RTA_PUT(skb, RTA_OIF, sizeof(int), &rt->dst.dev->ifindex);
@@ -1524,7 +1541,7 @@ static int dn_rt_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
                               rt->dst.error) < 0)
                goto rtattr_failure;
        if (dn_is_input_route(rt))
-                RTA_PUT(skb, RTA_IIF, sizeof(int), &rt->fl.iif);
+                RTA_PUT(skb, RTA_IIF, sizeof(int), &rt->fld.flowidn_iif);
        nlh->nlmsg_len = skb_tail_pointer(skb) - b;
        return skb->len;
@@ -1547,13 +1564,13 @@ static int dn_cache_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, void
        struct dn_skb_cb *cb;
        int err;
        struct sk_buff *skb;
-        struct flowi fl;
+        struct flowidn fld;
        if (!net_eq(net, &init_net))
                return -EINVAL;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fld, 0, sizeof(fld));
-        fl.proto = DNPROTO_NSP;
+        fld.flowidn_proto = DNPROTO_NSP;
        skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
        if (skb == NULL)
@@ -1562,15 +1579,15 @@ static int dn_cache_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, void
        cb = DN_SKB_CB(skb);
        if (rta[RTA_SRC-1])
-                memcpy(&fl.fld_src, RTA_DATA(rta[RTA_SRC-1]), 2);
+                memcpy(&fld.saddr, RTA_DATA(rta[RTA_SRC-1]), 2);
        if (rta[RTA_DST-1])
-                memcpy(&fl.fld_dst, RTA_DATA(rta[RTA_DST-1]), 2);
+                memcpy(&fld.daddr, RTA_DATA(rta[RTA_DST-1]), 2);
        if (rta[RTA_IIF-1])
-                memcpy(&fl.iif, RTA_DATA(rta[RTA_IIF-1]), sizeof(int));
+                memcpy(&fld.flowidn_iif, RTA_DATA(rta[RTA_IIF-1]), sizeof(int));
-        if (fl.iif) {
+        if (fld.flowidn_iif) {
                struct net_device *dev;
-                if ((dev = dev_get_by_index(&init_net, fl.iif)) == NULL) {
+                if ((dev = dev_get_by_index(&init_net, fld.flowidn_iif)) == NULL) {
                        kfree_skb(skb);
                        return -ENODEV;
                }
@@ -1581,8 +1598,8 @@ static int dn_cache_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, void
                }
                skb->protocol = htons(ETH_P_DNA_RT);
                skb->dev = dev;
-                cb->src = fl.fld_src;
+                cb->src = fld.saddr;
-                cb->dst = fl.fld_dst;
+                cb->dst = fld.daddr;
                local_bh_disable();
                err = dn_route_input(skb);
                local_bh_enable();
@@ -1594,8 +1611,8 @@ static int dn_cache_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, void
                int oif = 0;
                if (rta[RTA_OIF - 1])
                        memcpy(&oif, RTA_DATA(rta[RTA_OIF - 1]), sizeof(int));
-                fl.oif = oif;
+                fld.flowidn_oif = oif;
-                err = dn_route_output_key((struct dst_entry **)&rt, &fl, 0);
+                err = dn_route_output_key((struct dst_entry **)&rt, &fld, 0);
        }
        if (skb->dev)
diff --git a/net/decnet/dn_rules.c b/net/decnet/dn_rules.c
index 6eb91df3c550..f0efb0ccfeca 100644
--- a/net/decnet/dn_rules.c
+++ b/net/decnet/dn_rules.c
@@ -49,14 +49,15 @@ struct dn_fib_rule
 };
-int dn_fib_lookup(struct flowi *flp, struct dn_fib_res *res)
+int dn_fib_lookup(struct flowidn *flp, struct dn_fib_res *res)
 {
        struct fib_lookup_arg arg = {
                .result = res,
        };
        int err;
-        err = fib_rules_lookup(dn_fib_rules_ops, flp, 0, &arg);
+        err = fib_rules_lookup(dn_fib_rules_ops,
+                               flowidn_to_flowi(flp), 0, &arg);
        res->r = arg.rule;
        return err;
@@ -65,6 +66,7 @@ int dn_fib_lookup(struct flowi *flp, struct dn_fib_res *res)
 static int dn_fib_rule_action(struct fib_rule *rule, struct flowi *flp,
                              int flags, struct fib_lookup_arg *arg)
 {
+        struct flowidn *fld = &flp->u.dn;
        int err = -EAGAIN;
        struct dn_fib_table *tbl;
@@ -90,7 +92,7 @@ static int dn_fib_rule_action(struct fib_rule *rule, struct flowi *flp,
        if (tbl == NULL)
                goto errout;
-        err = tbl->lookup(tbl, flp, (struct dn_fib_res *)arg->result);
+        err = tbl->lookup(tbl, fld, (struct dn_fib_res *)arg->result);
        if (err > 0)
                err = -EAGAIN;
 errout:
@@ -104,8 +106,9 @@ static const struct nla_policy dn_fib_rule_policy[FRA_MAX+1] = {
 static int dn_fib_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)
 {
        struct dn_fib_rule *r = (struct dn_fib_rule *)rule;
-        __le16 daddr = fl->fld_dst;
+        struct flowidn *fld = &fl->u.dn;
-        __le16 saddr = fl->fld_src;
+        __le16 daddr = fld->daddr;
+        __le16 saddr = fld->saddr;
        if (((saddr ^ r->src) & r->srcmask) ||
            ((daddr ^ r->dst) & r->dstmask))
@@ -175,7 +178,7 @@ static int dn_fib_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh,
 unsigned dnet_addr_type(__le16 addr)
 {
-        struct flowi fl = { .fld_dst = addr };
+        struct flowidn fld = { .daddr = addr };
        struct dn_fib_res res;
        unsigned ret = RTN_UNICAST;
        struct dn_fib_table *tb = dn_fib_get_table(RT_TABLE_LOCAL, 0);
@@ -183,7 +186,7 @@ unsigned dnet_addr_type(__le16 addr)
        res.r = NULL;
        if (tb) {
-                if (!tb->lookup(tb, &fl, &res)) {
+                if (!tb->lookup(tb, &fld, &res)) {
                        ret = res.type;
                        dn_fib_res_put(&res);
                }
diff --git a/net/decnet/dn_table.c b/net/decnet/dn_table.c
index f2abd3755690..bd0a52dd1d40 100644
--- a/net/decnet/dn_table.c
+++ b/net/decnet/dn_table.c
@@ -59,7 +59,6 @@ struct dn_hash
 };
 #define dz_key_0(key)           ((key).datum = 0)
-#define dz_prefix(key,dz)       ((key).datum)
 #define for_nexthops(fi) { int nhsel; const struct dn_fib_nh *nh;\
        for(nhsel = 0, nh = (fi)->fib_nh; nhsel < (fi)->fib_nhs; nh++, nhsel++)
@@ -124,11 +123,11 @@ static inline void dn_rebuild_zone(struct dn_zone *dz,
                                   struct dn_fib_node **old_ht,
                                   int old_divisor)
 {
-        int i;
        struct dn_fib_node *f, **fp, *next;
+        int i;
        for(i = 0; i < old_divisor; i++) {
-                for(f = old_ht[i]; f; f = f->fn_next) {
+                for(f = old_ht[i]; f; f = next) {
                        next = f->fn_next;
                        for(fp = dn_chain_p(f->fn_key, dz);
                                *fp && dn_key_leq((*fp)->fn_key, f->fn_key);
@@ -765,7 +764,7 @@ static int dn_fib_table_flush(struct dn_fib_table *tb)
        return found;
 }
-static int dn_fib_table_lookup(struct dn_fib_table *tb, const struct flowi *flp, struct dn_fib_res *res)
+static int dn_fib_table_lookup(struct dn_fib_table *tb, const struct flowidn *flp, struct dn_fib_res *res)
 {
        int err;
        struct dn_zone *dz;
@@ -774,7 +773,7 @@ static int dn_fib_table_lookup(struct dn_fib_table *tb, const struct flowi *flp,
        read_lock(&dn_fib_tables_lock);
        for(dz = t->dh_zone_list; dz; dz = dz->dz_next) {
                struct dn_fib_node *f;
-                dn_fib_key_t k = dz_key(flp->fld_dst, dz);
+                dn_fib_key_t k = dz_key(flp->daddr, dz);
                for(f = dz_chain(k, dz); f; f = f->fn_next) {
                        if (!dn_key_eq(k, f->fn_key)) {
@@ -789,7 +788,7 @@ static int dn_fib_table_lookup(struct dn_fib_table *tb, const struct flowi *flp,
                        if (f->fn_state&DN_S_ZOMBIE)
                                continue;
-                        if (f->fn_scope < flp->fld_scope)
+                        if (f->fn_scope < flp->flowidn_scope)
                                continue;
                        err = dn_fib_semantic_match(f->fn_type, DN_FIB_INFO(f), flp, res);
diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
index 739435a6af39..cfa7a5e1c5c9 100644
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -67,8 +67,9 @@ dns_resolver_instantiate(struct key *key, const void *_data, size_t datalen)
        size_t result_len = 0;
        const char *data = _data, *end, *opt;
-        kenter("%%%d,%s,'%s',%zu",
+        kenter("%%%d,%s,'%*.*s',%zu",
-               key->serial, key->description, data, datalen);
+               key->serial, key->description,
+               (int)datalen, (int)datalen, data, datalen);
        if (datalen <= 1 || !data || data[datalen - 1] != '\0')
                return -EINVAL;
@@ -217,6 +218,19 @@ static void dns_resolver_describe(const struct key *key, struct seq_file *m)
                seq_printf(m, ": %u", key->datalen);
 }
+/*
+ * read the DNS data
+ * - the key's semaphore is read-locked
+ */
+static long dns_resolver_read(const struct key *key,
+                              char __user *buffer, size_t buflen)
+{
+        if (key->type_data.x[0])
+                return key->type_data.x[0];
+        return user_read(key, buffer, buflen);
+}
 struct key_type key_type_dns_resolver = {
        .name           = "dns_resolver",
        .instantiate    = dns_resolver_instantiate,
@@ -224,7 +238,7 @@ struct key_type key_type_dns_resolver = {
        .revoke         = user_revoke,
        .destroy        = user_destroy,
        .describe       = dns_resolver_describe,
-        .read           = user_read,
+        .read           = dns_resolver_read,
 };
 static int __init init_dns_resolver(void)
diff --git a/net/dsa/Kconfig b/net/dsa/Kconfig
index 87bb5f4de0e8..c53ded2a98df 100644
--- a/net/dsa/Kconfig
+++ b/net/dsa/Kconfig
@@ -41,12 +41,12 @@ config NET_DSA_MV88E6XXX_NEED_PPU
        default n
 config NET_DSA_MV88E6131
-        bool "Marvell 88E6095/6095F/6131 ethernet switch chip support"
+        bool "Marvell 88E6085/6095/6095F/6131 ethernet switch chip support"
        select NET_DSA_MV88E6XXX
        select NET_DSA_MV88E6XXX_NEED_PPU
        select NET_DSA_TAG_DSA
        ---help---
-          This enables support for the Marvell 88E6095/6095F/6131
+          This enables support for the Marvell 88E6085/6095/6095F/6131
          ethernet switch chips.
 config NET_DSA_MV88E6123_61_65
diff --git a/net/dsa/mv88e6060.c b/net/dsa/mv88e6060.c
index 83277f463af7..8f4ff5a2c813 100644
--- a/net/dsa/mv88e6060.c
+++ b/net/dsa/mv88e6060.c
@@ -18,7 +18,7 @@
 static int reg_read(struct dsa_switch *ds, int addr, int reg)
 {
-        return mdiobus_read(ds->master_mii_bus, addr, reg);
+        return mdiobus_read(ds->master_mii_bus, ds->pd->sw_addr + addr, reg);
 }
 #define REG_READ(addr, reg)                                     \
@@ -34,7 +34,8 @@ static int reg_read(struct dsa_switch *ds, int addr, int reg)
 static int reg_write(struct dsa_switch *ds, int addr, int reg, u16 val)
 {
-        return mdiobus_write(ds->master_mii_bus, addr, reg, val);
+        return mdiobus_write(ds->master_mii_bus, ds->pd->sw_addr + addr,
+                             reg, val);
 }
 #define REG_WRITE(addr, reg, val)                               \
@@ -50,7 +51,7 @@ static char *mv88e6060_probe(struct mii_bus *bus, int sw_addr)
 {
        int ret;
-        ret = mdiobus_read(bus, REG_PORT(0), 0x03);
+        ret = mdiobus_read(bus, sw_addr + REG_PORT(0), 0x03);
        if (ret >= 0) {
                ret &= 0xfff0;
                if (ret == 0x0600)
diff --git a/net/dsa/mv88e6131.c b/net/dsa/mv88e6131.c
index bb2b41bc854e..45f7411e90ba 100644
--- a/net/dsa/mv88e6131.c
+++ b/net/dsa/mv88e6131.c
@@ -14,6 +14,13 @@
 #include "dsa_priv.h"
 #include "mv88e6xxx.h"
+/*
+ * Switch product IDs
+ */
+#define ID_6085         0x04a0
+#define ID_6095         0x0950
+#define ID_6131         0x1060
 static char *mv88e6131_probe(struct mii_bus *bus, int sw_addr)
 {
        int ret;
@@ -21,9 +28,11 @@ static char *mv88e6131_probe(struct mii_bus *bus, int sw_addr)
        ret = __mv88e6xxx_reg_read(bus, sw_addr, REG_PORT(0), 0x03);
        if (ret >= 0) {
                ret &= 0xfff0;
-                if (ret == 0x0950)
+                if (ret == ID_6085)
+                        return "Marvell 88E6085";
+                if (ret == ID_6095)
                        return "Marvell 88E6095/88E6095F";
-                if (ret == 0x1060)
+                if (ret == ID_6131)
                        return "Marvell 88E6131";
        }
@@ -124,7 +133,7 @@ static int mv88e6131_setup_global(struct dsa_switch *ds)
         * Ignore removed tag data on doubly tagged packets, disable
         * flow control messages, force flow control priority to the
         * highest, and send all special multicast frames to the CPU
-         * port at the higest priority.
+         * port at the highest priority.
         */
        REG_WRITE(REG_GLOBAL2, 0x05, 0x00ff);
@@ -164,6 +173,7 @@ static int mv88e6131_setup_global(struct dsa_switch *ds)
 static int mv88e6131_setup_port(struct dsa_switch *ds, int p)
 {
+        struct mv88e6xxx_priv_state *ps = (void *)(ds + 1);
        int addr = REG_PORT(p);
        u16 val;
@@ -171,10 +181,13 @@ static int mv88e6131_setup_port(struct dsa_switch *ds, int p)
         * MAC Forcing register: don't force link, speed, duplex
         * or flow control state to any particular values on physical
         * ports, but force the CPU port and all DSA ports to 1000 Mb/s
-         * full duplex.
+         * (100 Mb/s on 6085) full duplex.
         */
        if (dsa_is_cpu_port(ds, p) || ds->dsa_port_mask & (1 << p))
-                REG_WRITE(addr, 0x01, 0x003e);
+                if (ps->id == ID_6085)
+                        REG_WRITE(addr, 0x01, 0x003d); /* 100 Mb/s */
+                else
+                        REG_WRITE(addr, 0x01, 0x003e); /* 1000 Mb/s */
        else
                REG_WRITE(addr, 0x01, 0x0003);
@@ -194,8 +207,15 @@ static int mv88e6131_setup_port(struct dsa_switch *ds, int p)
         * mode, but do not enable forwarding of unknown unicasts.
         */
        val = 0x0433;
-        if (p == dsa_upstream_port(ds))
+        if (p == dsa_upstream_port(ds)) {
                val |= 0x0104;
+                /*
+                 * On 6085, unknown multicast forward is controlled
+                 * here rather than in Port Control 2 register.
+                 */
+                if (ps->id == ID_6085)
+                        val |= 0x0008;
+        }
        if (ds->dsa_port_mask & (1 << p))
                val |= 0x0100;
        REG_WRITE(addr, 0x04, val);
@@ -238,10 +258,19 @@ static int mv88e6131_setup_port(struct dsa_switch *ds, int p)
         * If this is the upstream port for this switch, enable
         * forwarding of unknown multicast addresses.
         */
-        val = 0x0080 | dsa_upstream_port(ds);
+        if (ps->id == ID_6085)
-        if (p == dsa_upstream_port(ds))
+                /*
-                val |= 0x0040;
+                 * on 6085, bits 3:0 are reserved, bit 6 control ARP
-        REG_WRITE(addr, 0x08, val);
+                 * mirroring, and multicast forward is handled in
+                 * Port Control register.
+                 */
+                REG_WRITE(addr, 0x08, 0x0080);
+        else {
+                val = 0x0080 | dsa_upstream_port(ds);
+                if (p == dsa_upstream_port(ds))
+                        val |= 0x0040;
+                REG_WRITE(addr, 0x08, val);
+        }
        /*
         * Rate Control: disable ingress rate limiting.
@@ -286,6 +315,8 @@ static int mv88e6131_setup(struct dsa_switch *ds)
        mv88e6xxx_ppu_state_init(ds);
        mutex_init(&ps->stats_mutex);
+        ps->id = REG_READ(REG_PORT(0), 0x03) & 0xfff0;
        ret = mv88e6131_switch_reset(ds);
        if (ret < 0)
                return ret;
diff --git a/net/dsa/mv88e6xxx.h b/net/dsa/mv88e6xxx.h
index eb0e0aaa9f1b..61156ca26a0d 100644
--- a/net/dsa/mv88e6xxx.h
+++ b/net/dsa/mv88e6xxx.h
@@ -39,6 +39,8 @@ struct mv88e6xxx_priv_state {
         * Hold this mutex over snapshot + dump sequences.
         */
        struct mutex    stats_mutex;
+        int             id; /* switch product id */
 };
 struct mv88e6xxx_hw_stat {
diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index 64ca2a6fa0d4..0a47b6c37038 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -288,7 +288,6 @@ static const struct ethtool_ops dsa_slave_ethtool_ops = {
        .get_drvinfo            = dsa_slave_get_drvinfo,
        .nway_reset             = dsa_slave_nway_reset,
        .get_link               = dsa_slave_get_link,
-        .set_sg                 = ethtool_op_set_sg,
        .get_strings            = dsa_slave_get_strings,
        .get_ethtool_stats      = dsa_slave_get_ethtool_stats,
        .get_sset_count         = dsa_slave_get_sset_count,
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index 0c2826337919..a1d9f3787dd5 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -435,10 +435,10 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                udpdest.sin_addr.s_addr = htonl(network | addr.station);
        }
+        memset(&ah, 0, sizeof(ah));
        ah.port = port;
        ah.cb = cb & 0x7f;
        ah.code = 2;            /* magic */
-        ah.pad = 0;
        /* tack our header on the front of the iovec */
        size = sizeof(struct aunhdr);
@@ -935,7 +935,6 @@ static void aun_data_available(struct sock *sk, int slen)
        struct sk_buff *skb;
        unsigned char *data;
        struct aunhdr *ah;
-        struct iphdr *ip;
        size_t len;
        while ((skb = skb_recv_datagram(sk, 0, 1, &err)) == NULL) {
@@ -949,7 +948,6 @@ static void aun_data_available(struct sock *sk, int slen)
        data = skb_transport_header(skb) + sizeof(struct udphdr);
        ah = (struct aunhdr *)data;
        len = skb->len - sizeof(struct udphdr);
-        ip = ip_hdr(skb);
        switch (ah->code)
        {
@@ -962,12 +960,6 @@ static void aun_data_available(struct sock *sk, int slen)
        case 4:
                aun_tx_ack(ah->handle, ECTYPE_TRANSMIT_NOT_LISTENING);
                break;
-#if 0
-                /* This isn't quite right yet. */
-        case 5:
-                aun_send_response(ip->saddr, ah->handle, 6, ah->cb);
-                break;
-#endif
        default:
                printk(KERN_DEBUG "unknown AUN packet (type %d)\n", data[0]);
        }
diff --git a/net/ieee802154/Makefile b/net/ieee802154/Makefile
index ce2d33582859..5761185f884e 100644
--- a/net/ieee802154/Makefile
+++ b/net/ieee802154/Makefile
@@ -1,5 +1,3 @@
 obj-$(CONFIG_IEEE802154) +=     ieee802154.o af_802154.o
 ieee802154-y            := netlink.o nl-mac.o nl-phy.o nl_policy.o wpan-class.o
 af_802154-y             := af_ieee802154.o raw.o dgram.o
-ccflags-y += -Wall -DDEBUG
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index a5a1050595d1..cbb505ba9324 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -55,45 +55,9 @@ config IP_ADVANCED_ROUTER
          If unsure, say N here.
-choice
-        prompt "Choose IP: FIB lookup algorithm (choose FIB_HASH if unsure)"
-        depends on IP_ADVANCED_ROUTER
-        default ASK_IP_FIB_HASH
-config ASK_IP_FIB_HASH
-        bool "FIB_HASH"
-        ---help---
-          Current FIB is very proven and good enough for most users.
-config IP_FIB_TRIE
-        bool "FIB_TRIE"
-        ---help---
-          Use new experimental LC-trie as FIB lookup algorithm.
-          This improves lookup performance if you have a large
-          number of routes.
-          LC-trie is a longest matching prefix lookup algorithm which
-          performs better than FIB_HASH for large routing tables.
-          But, it consumes more memory and is more complex.
-          LC-trie is described in:
-          IP-address lookup using LC-tries. Stefan Nilsson and Gunnar Karlsson
-          IEEE Journal on Selected Areas in Communications, 17(6):1083-1092,
-          June 1999
-          An experimental study of compression methods for dynamic tries
-          Stefan Nilsson and Matti Tikkanen. Algorithmica, 33(1):19-33, 2002.
-          <http://www.csc.kth.se/~snilsson/software/dyntrie2/>
-endchoice
-config IP_FIB_HASH
-        def_bool ASK_IP_FIB_HASH || !IP_ADVANCED_ROUTER
 config IP_FIB_TRIE_STATS
        bool "FIB TRIE statistics"
-        depends on IP_FIB_TRIE
+        depends on IP_ADVANCED_ROUTER
        ---help---
          Keep track of statistics on structure of FIB TRIE table.
          Useful for testing and measuring TRIE performance.
@@ -140,6 +104,9 @@ config IP_ROUTE_VERBOSE
          handled by the klogd daemon which is responsible for kernel messages
          ("man klogd").
+config IP_ROUTE_CLASSID
+        bool
 config IP_PNP
        bool "IP: kernel level autoconfiguration"
        help
@@ -657,4 +624,3 @@ config TCP_MD5SIG
          on the Internet.
          If unsure, say N.
diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile
index 4978d22f9a75..f2dc69cffb57 100644
--- a/net/ipv4/Makefile
+++ b/net/ipv4/Makefile
@@ -10,12 +10,10 @@ obj-y     := route.o inetpeer.o protocol.o \
             tcp_minisocks.o tcp_cong.o \
             datagram.o raw.o udp.o udplite.o \
             arp.o icmp.o devinet.o af_inet.o  igmp.o \
-             fib_frontend.o fib_semantics.o \
+             fib_frontend.o fib_semantics.o fib_trie.o \
-             inet_fragment.o
+             inet_fragment.o ping.o
 obj-$(CONFIG_SYSCTL) += sysctl_net_ipv4.o
-obj-$(CONFIG_IP_FIB_HASH) += fib_hash.o
-obj-$(CONFIG_IP_FIB_TRIE) += fib_trie.o
 obj-$(CONFIG_PROC_FS) += proc.o
 obj-$(CONFIG_IP_MULTIPLE_TABLES) += fib_rules.o
 obj-$(CONFIG_IP_MROUTE) += ipmr.o
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 45b89d7bda5a..cc1463156cd0 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -105,6 +105,7 @@
 #include <net/tcp.h>
 #include <net/udp.h>
 #include <net/udplite.h>
+#include <net/ping.h>
 #include <linux/skbuff.h>
 #include <net/sock.h>
 #include <net/raw.h>
@@ -153,7 +154,7 @@ void inet_sock_destruct(struct sock *sk)
        WARN_ON(sk->sk_wmem_queued);
        WARN_ON(sk->sk_forward_alloc);
-        kfree(inet->opt);
+        kfree(rcu_dereference_protected(inet->inet_opt, 1));
        dst_release(rcu_dereference_check(sk->sk_dst_cache, 1));
        sk_refcnt_debug_dec(sk);
 }
@@ -1008,6 +1009,14 @@ static struct inet_protosw inetsw_array[] =
                .flags =      INET_PROTOSW_PERMANENT,
       },
+       {
+                .type =       SOCK_DGRAM,
+                .protocol =   IPPROTO_ICMP,
+                .prot =       &ping_prot,
+                .ops =        &inet_dgram_ops,
+                .no_check =   UDP_CSUM_DEFAULT,
+                .flags =      INET_PROTOSW_REUSE,
+       },
       {
               .type =       SOCK_RAW,
@@ -1101,27 +1110,29 @@ int sysctl_ip_dynaddr __read_mostly;
 static int inet_sk_reselect_saddr(struct sock *sk)
 {
        struct inet_sock *inet = inet_sk(sk);
-        int err;
-        struct rtable *rt;
        __be32 old_saddr = inet->inet_saddr;
-        __be32 new_saddr;
        __be32 daddr = inet->inet_daddr;
+        struct flowi4 *fl4;
+        struct rtable *rt;
+        __be32 new_saddr;
+        struct ip_options_rcu *inet_opt;
-        if (inet->opt && inet->opt->srr)
+        inet_opt = rcu_dereference_protected(inet->inet_opt,
-                daddr = inet->opt->faddr;
+                                             sock_owned_by_user(sk));
+        if (inet_opt && inet_opt->opt.srr)
+                daddr = inet_opt->opt.faddr;
        /* Query new route. */
-        err = ip_route_connect(&rt, daddr, 0,
+        fl4 = &inet->cork.fl.u.ip4;
-                               RT_CONN_FLAGS(sk),
+        rt = ip_route_connect(fl4, daddr, 0, RT_CONN_FLAGS(sk),
-                               sk->sk_bound_dev_if,
+                              sk->sk_bound_dev_if, sk->sk_protocol,
-                               sk->sk_protocol,
+                              inet->inet_sport, inet->inet_dport, sk, false);
-                               inet->inet_sport, inet->inet_dport, sk, 0);
+        if (IS_ERR(rt))
-        if (err)
+                return PTR_ERR(rt);
-                return err;
        sk_setup_caps(sk, &rt->dst);
-        new_saddr = rt->rt_src;
+        new_saddr = fl4->saddr;
        if (new_saddr == old_saddr)
                return 0;
@@ -1150,6 +1161,8 @@ int inet_sk_rebuild_header(struct sock *sk)
        struct inet_sock *inet = inet_sk(sk);
        struct rtable *rt = (struct rtable *)__sk_dst_check(sk, 0);
        __be32 daddr;
+        struct ip_options_rcu *inet_opt;
+        struct flowi4 *fl4;
        int err;
        /* Route is OK, nothing to do. */
@@ -1157,28 +1170,23 @@ int inet_sk_rebuild_header(struct sock *sk)
                return 0;
        /* Reroute. */
+        rcu_read_lock();
+        inet_opt = rcu_dereference(inet->inet_opt);
        daddr = inet->inet_daddr;
-        if (inet->opt && inet->opt->srr)
+        if (inet_opt && inet_opt->opt.srr)
-                daddr = inet->opt->faddr;
+                daddr = inet_opt->opt.faddr;
-{
+        rcu_read_unlock();
-        struct flowi fl = {
+        fl4 = &inet->cork.fl.u.ip4;
-                .oif = sk->sk_bound_dev_if,
+        rt = ip_route_output_ports(sock_net(sk), fl4, sk, daddr, inet->inet_saddr,
-                .mark = sk->sk_mark,
+                                   inet->inet_dport, inet->inet_sport,
-                .fl4_dst = daddr,
+                                   sk->sk_protocol, RT_CONN_FLAGS(sk),
-                .fl4_src = inet->inet_saddr,
+                                   sk->sk_bound_dev_if);
-                .fl4_tos = RT_CONN_FLAGS(sk),
+        if (!IS_ERR(rt)) {
-                .proto = sk->sk_protocol,
+                err = 0;
-                .flags = inet_sk_flowi_flags(sk),
-                .fl_ip_sport = inet->inet_sport,
-                .fl_ip_dport = inet->inet_dport,
-        };
-        security_sk_classify_flow(sk, &fl);
-        err = ip_route_output_flow(sock_net(sk), &rt, &fl, sk, 0);
-}
-        if (!err)
                sk_setup_caps(sk, &rt->dst);
-        else {
+        } else {
+                err = PTR_ERR(rt);
                /* Routing failed... */
                sk->sk_route_caps = 0;
                /*
@@ -1198,7 +1206,7 @@ EXPORT_SYMBOL(inet_sk_rebuild_header);
 static int inet_gso_send_check(struct sk_buff *skb)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        const struct net_protocol *ops;
        int proto;
        int ihl;
@@ -1231,7 +1239,7 @@ out:
        return err;
 }
-static struct sk_buff *inet_gso_segment(struct sk_buff *skb, int features)
+static struct sk_buff *inet_gso_segment(struct sk_buff *skb, u32 features)
 {
        struct sk_buff *segs = ERR_PTR(-EINVAL);
        struct iphdr *iph;
@@ -1305,7 +1313,7 @@ static struct sk_buff **inet_gro_receive(struct sk_buff **head,
        const struct net_protocol *ops;
        struct sk_buff **pp = NULL;
        struct sk_buff *p;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        unsigned int hlen;
        unsigned int off;
        unsigned int id;
@@ -1528,6 +1536,7 @@ static const struct net_protocol udp_protocol = {
 static const struct net_protocol icmp_protocol = {
        .handler =      icmp_rcv,
+        .err_handler =  ping_err,
        .no_policy =    1,
        .netns_ok =     1,
 };
@@ -1643,6 +1652,10 @@ static int __init inet_init(void)
        if (rc)
                goto out_unregister_udp_proto;
+        rc = proto_register(&ping_prot, 1);
+        if (rc)
+                goto out_unregister_raw_proto;
        /*
         *      Tell SOCKET that we are alive...
         */
@@ -1698,6 +1711,8 @@ static int __init inet_init(void)
        /* Add UDP-Lite (RFC 3828) */
        udplite4_register();
+        ping_init();
        /*
         *      Set the ICMP layer up
         */
@@ -1728,6 +1743,8 @@ static int __init inet_init(void)
        rc = 0;
 out:
        return rc;
+out_unregister_raw_proto:
+        proto_unregister(&raw_prot);
 out_unregister_udp_proto:
        proto_unregister(&udp_prot);
 out_unregister_tcp_proto:
@@ -1752,11 +1769,15 @@ static int __init ipv4_proc_init(void)
                goto out_tcp;
        if (udp4_proc_init())
                goto out_udp;
+        if (ping_proc_init())
+                goto out_ping;
        if (ip_misc_proc_init())
                goto out_misc;
 out:
        return rc;
 out_misc:
+        ping_proc_exit();
+out_ping:
        udp4_proc_exit();
 out_udp:
        tcp4_proc_exit();
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index 86961bec70ab..c1f4154552fc 100644
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -73,7 +73,7 @@ static inline struct scatterlist *ah_req_sg(struct crypto_ahash *ahash,
 * into IP header for icv calculation. Options are already checked
 * for validity, so paranoia is not required. */
-static int ip_clear_mutable_options(struct iphdr *iph, __be32 *daddr)
+static int ip_clear_mutable_options(const struct iphdr *iph, __be32 *daddr)
 {
        unsigned char * optptr = (unsigned char*)(iph+1);
        int  l = iph->ihl*4 - sizeof(struct iphdr);
@@ -201,11 +201,14 @@ static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
        top_iph->ttl = 0;
        top_iph->check = 0;
-        ah->hdrlen  = (XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
+        if (x->props.flags & XFRM_STATE_ALIGN4)
+                ah->hdrlen  = (XFRM_ALIGN4(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
+        else
+                ah->hdrlen  = (XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len) >> 2) - 2;
        ah->reserved = 0;
        ah->spi = x->id.spi;
-        ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output);
+        ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
        sg_init_table(sg, nfrags);
        skb_to_sgvec(skb, sg, 0, skb->len);
@@ -299,9 +302,15 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
        nexthdr = ah->nexthdr;
        ah_hlen = (ah->hdrlen + 2) << 2;
-        if (ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_full_len) &&
+        if (x->props.flags & XFRM_STATE_ALIGN4) {
-            ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len))
+                if (ah_hlen != XFRM_ALIGN4(sizeof(*ah) + ahp->icv_full_len) &&
-                goto out;
+                    ah_hlen != XFRM_ALIGN4(sizeof(*ah) + ahp->icv_trunc_len))
+                        goto out;
+        } else {
+                if (ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_full_len) &&
+                    ah_hlen != XFRM_ALIGN8(sizeof(*ah) + ahp->icv_trunc_len))
+                        goto out;
+        }
        if (!pskb_may_pull(skb, ah_hlen))
                goto out;
@@ -387,7 +396,7 @@ out:
 static void ah4_err(struct sk_buff *skb, u32 info)
 {
        struct net *net = dev_net(skb->dev);
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        struct ip_auth_hdr *ah = (struct ip_auth_hdr *)(skb->data+(iph->ihl<<2));
        struct xfrm_state *x;
@@ -395,7 +404,8 @@ static void ah4_err(struct sk_buff *skb, u32 info)
            icmp_hdr(skb)->code != ICMP_FRAG_NEEDED)
                return;
-        x = xfrm_state_lookup(net, skb->mark, (xfrm_address_t *)&iph->daddr, ah->spi, IPPROTO_AH, AF_INET);
+        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
+                              ah->spi, IPPROTO_AH, AF_INET);
        if (!x)
                return;
        printk(KERN_DEBUG "pmtu discovery on SA AH/%08x/%08x\n",
@@ -450,8 +460,12 @@ static int ah_init_state(struct xfrm_state *x)
        BUG_ON(ahp->icv_trunc_len > MAX_AH_AUTH_LEN);
-        x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) +
+        if (x->props.flags & XFRM_STATE_ALIGN4)
-                                          ahp->icv_trunc_len);
+                x->props.header_len = XFRM_ALIGN4(sizeof(struct ip_auth_hdr) +
+                                                  ahp->icv_trunc_len);
+        else
+                x->props.header_len = XFRM_ALIGN8(sizeof(struct ip_auth_hdr) +
+                                                  ahp->icv_trunc_len);
        if (x->props.mode == XFRM_MODE_TUNNEL)
                x->props.header_len += sizeof(struct iphdr);
        x->data = ahp;
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 7927589813b5..1b74d3b64371 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -215,6 +215,9 @@ int arp_mc_map(__be32 addr, u8 *haddr, struct net_device *dev, int dir)
        case ARPHRD_INFINIBAND:
                ip_ib_mc_map(addr, dev->broadcast, haddr);
                return 0;
+        case ARPHRD_IPGRE:
+                ip_ipgre_mc_map(addr, dev->broadcast, haddr);
+                return 0;
        default:
                if (dir) {
                        memcpy(haddr, dev->broadcast, dev->addr_len);
@@ -433,14 +436,13 @@ static int arp_ignore(struct in_device *in_dev, __be32 sip, __be32 tip)
 static int arp_filter(__be32 sip, __be32 tip, struct net_device *dev)
 {
-        struct flowi fl = { .fl4_dst = sip,
-                            .fl4_src = tip };
        struct rtable *rt;
        int flag = 0;
        /*unsigned long now; */
        struct net *net = dev_net(dev);
-        if (ip_route_output_key(net, &rt, &fl) < 0)
+        rt = ip_route_output(net, sip, tip, 0, 0);
+        if (IS_ERR(rt))
                return 1;
        if (rt->dst.dev != dev) {
                NET_INC_STATS_BH(net, LINUX_MIB_ARPFILTER);
@@ -1061,12 +1063,10 @@ static int arp_req_set(struct net *net, struct arpreq *r,
        if (r->arp_flags & ATF_PERM)
                r->arp_flags |= ATF_COM;
        if (dev == NULL) {
-                struct flowi fl = { .fl4_dst = ip,
+                struct rtable *rt = ip_route_output(net, ip, 0, RTO_ONLINK, 0);
-                                    .fl4_tos = RTO_ONLINK };
-                struct rtable *rt;
+                if (IS_ERR(rt))
-                err = ip_route_output_key(net, &rt, &fl);
+                        return PTR_ERR(rt);
-                if (err != 0)
-                        return err;
                dev = rt->dst.dev;
                ip_rt_put(rt);
                if (!dev)
@@ -1177,7 +1177,6 @@ static int arp_req_delete_public(struct net *net, struct arpreq *r,
 static int arp_req_delete(struct net *net, struct arpreq *r,
                          struct net_device *dev)
 {
-        int err;
        __be32 ip;
        if (r->arp_flags & ATF_PUBL)
@@ -1185,12 +1184,9 @@ static int arp_req_delete(struct net *net, struct arpreq *r,
        ip = ((struct sockaddr_in *)&r->arp_pa)->sin_addr.s_addr;
        if (dev == NULL) {
-                struct flowi fl = { .fl4_dst = ip,
+                struct rtable *rt = ip_route_output(net, ip, 0, RTO_ONLINK, 0);
-                                    .fl4_tos = RTO_ONLINK };
+                if (IS_ERR(rt))
-                struct rtable *rt;
+                        return PTR_ERR(rt);
-                err = ip_route_output_key(net, &rt, &fl);
-                if (err != 0)
-                        return err;
                dev = rt->dst.dev;
                ip_rt_put(rt);
                if (!dev)
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 094e150c6260..2b3c23c287cd 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -112,7 +112,7 @@ int cipso_v4_rbm_strictvalid = 1;
 /* The maximum number of category ranges permitted in the ranged category tag
 * (tag #5).  You may note that the IETF draft states that the maximum number
 * of category ranges is 7, but if the low end of the last category range is
- * zero then it is possibile to fit 8 category ranges because the zero should
+ * zero then it is possible to fit 8 category ranges because the zero should
 * be omitted. */
 #define CIPSO_V4_TAG_RNG_CAT_MAX      8
@@ -438,7 +438,7 @@ cache_add_failure:
 *
 * Description:
 * Search the DOI definition list for a DOI definition with a DOI value that
- * matches @doi.  The caller is responsibile for calling rcu_read_[un]lock().
+ * matches @doi.  The caller is responsible for calling rcu_read_[un]lock().
 * Returns a pointer to the DOI definition on success and NULL on failure.
 */
 static struct cipso_v4_doi *cipso_v4_doi_search(u32 doi)
@@ -1293,7 +1293,7 @@ static int cipso_v4_gentag_rbm(const struct cipso_v4_doi *doi_def,
                        return ret_val;
                /* This will send packets using the "optimized" format when
-                 * possibile as specified in  section 3.4.2.6 of the
+                 * possible as specified in  section 3.4.2.6 of the
                 * CIPSO draft. */
                if (cipso_v4_rbm_optfmt && ret_val > 0 && ret_val <= 10)
                        tag_len = 14;
@@ -1752,7 +1752,7 @@ validate_return:
 }
 /**
- * cipso_v4_error - Send the correct reponse for a bad packet
+ * cipso_v4_error - Send the correct response for a bad packet
 * @skb: the packet
 * @error: the error code
 * @gateway: CIPSO gateway flag
@@ -1857,6 +1857,11 @@ static int cipso_v4_genopt(unsigned char *buf, u32 buf_len,
        return CIPSO_V4_HDR_LEN + ret_val;
 }
+static void opt_kfree_rcu(struct rcu_head *head)
+{
+        kfree(container_of(head, struct ip_options_rcu, rcu));
+}
 /**
 * cipso_v4_sock_setattr - Add a CIPSO option to a socket
 * @sk: the socket
@@ -1879,7 +1884,7 @@ int cipso_v4_sock_setattr(struct sock *sk,
        unsigned char *buf = NULL;
        u32 buf_len;
        u32 opt_len;
-        struct ip_options *opt = NULL;
+        struct ip_options_rcu *old, *opt = NULL;
        struct inet_sock *sk_inet;
        struct inet_connection_sock *sk_conn;
@@ -1915,22 +1920,25 @@ int cipso_v4_sock_setattr(struct sock *sk,
                ret_val = -ENOMEM;
                goto socket_setattr_failure;
        }
-        memcpy(opt->__data, buf, buf_len);
+        memcpy(opt->opt.__data, buf, buf_len);
-        opt->optlen = opt_len;
+        opt->opt.optlen = opt_len;
-        opt->cipso = sizeof(struct iphdr);
+        opt->opt.cipso = sizeof(struct iphdr);
        kfree(buf);
        buf = NULL;
        sk_inet = inet_sk(sk);
+        old = rcu_dereference_protected(sk_inet->inet_opt, sock_owned_by_user(sk));
        if (sk_inet->is_icsk) {
                sk_conn = inet_csk(sk);
-                if (sk_inet->opt)
+                if (old)
-                        sk_conn->icsk_ext_hdr_len -= sk_inet->opt->optlen;
+                        sk_conn->icsk_ext_hdr_len -= old->opt.optlen;
-                sk_conn->icsk_ext_hdr_len += opt->optlen;
+                sk_conn->icsk_ext_hdr_len += opt->opt.optlen;
                sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);
        }
-        opt = xchg(&sk_inet->opt, opt);
+        rcu_assign_pointer(sk_inet->inet_opt, opt);
-        kfree(opt);
+        if (old)
+                call_rcu(&old->rcu, opt_kfree_rcu);
        return 0;
@@ -1960,7 +1968,7 @@ int cipso_v4_req_setattr(struct request_sock *req,
        unsigned char *buf = NULL;
        u32 buf_len;
        u32 opt_len;
-        struct ip_options *opt = NULL;
+        struct ip_options_rcu *opt = NULL;
        struct inet_request_sock *req_inet;
        /* We allocate the maximum CIPSO option size here so we are probably
@@ -1988,15 +1996,16 @@ int cipso_v4_req_setattr(struct request_sock *req,
                ret_val = -ENOMEM;
                goto req_setattr_failure;
        }
-        memcpy(opt->__data, buf, buf_len);
+        memcpy(opt->opt.__data, buf, buf_len);
-        opt->optlen = opt_len;
+        opt->opt.optlen = opt_len;
-        opt->cipso = sizeof(struct iphdr);
+        opt->opt.cipso = sizeof(struct iphdr);
        kfree(buf);
        buf = NULL;
        req_inet = inet_rsk(req);
        opt = xchg(&req_inet->opt, opt);
-        kfree(opt);
+        if (opt)
+                call_rcu(&opt->rcu, opt_kfree_rcu);
        return 0;
@@ -2016,34 +2025,34 @@ req_setattr_failure:
 * values on failure.
 *
 */
-static int cipso_v4_delopt(struct ip_options **opt_ptr)
+static int cipso_v4_delopt(struct ip_options_rcu **opt_ptr)
 {
        int hdr_delta = 0;
-        struct ip_options *opt = *opt_ptr;
+        struct ip_options_rcu *opt = *opt_ptr;
-        if (opt->srr || opt->rr || opt->ts || opt->router_alert) {
+        if (opt->opt.srr || opt->opt.rr || opt->opt.ts || opt->opt.router_alert) {
                u8 cipso_len;
                u8 cipso_off;
                unsigned char *cipso_ptr;
                int iter;
                int optlen_new;
-                cipso_off = opt->cipso - sizeof(struct iphdr);
+                cipso_off = opt->opt.cipso - sizeof(struct iphdr);
-                cipso_ptr = &opt->__data[cipso_off];
+                cipso_ptr = &opt->opt.__data[cipso_off];
                cipso_len = cipso_ptr[1];
-                if (opt->srr > opt->cipso)
+                if (opt->opt.srr > opt->opt.cipso)
-                        opt->srr -= cipso_len;
+                        opt->opt.srr -= cipso_len;
-                if (opt->rr > opt->cipso)
+                if (opt->opt.rr > opt->opt.cipso)
-                        opt->rr -= cipso_len;
+                        opt->opt.rr -= cipso_len;
-                if (opt->ts > opt->cipso)
+                if (opt->opt.ts > opt->opt.cipso)
-                        opt->ts -= cipso_len;
+                        opt->opt.ts -= cipso_len;
-                if (opt->router_alert > opt->cipso)
+                if (opt->opt.router_alert > opt->opt.cipso)
-                        opt->router_alert -= cipso_len;
+                        opt->opt.router_alert -= cipso_len;
-                opt->cipso = 0;
+                opt->opt.cipso = 0;
                memmove(cipso_ptr, cipso_ptr + cipso_len,
-                        opt->optlen - cipso_off - cipso_len);
+                        opt->opt.optlen - cipso_off - cipso_len);
                /* determining the new total option length is tricky because of
                 * the padding necessary, the only thing i can think to do at
@@ -2052,21 +2061,21 @@ static int cipso_v4_delopt(struct ip_options **opt_ptr)
                 * from there we can determine the new total option length */
                iter = 0;
                optlen_new = 0;
-                while (iter < opt->optlen)
+                while (iter < opt->opt.optlen)
-                        if (opt->__data[iter] != IPOPT_NOP) {
+                        if (opt->opt.__data[iter] != IPOPT_NOP) {
-                                iter += opt->__data[iter + 1];
+                                iter += opt->opt.__data[iter + 1];
                                optlen_new = iter;
                        } else
                                iter++;
-                hdr_delta = opt->optlen;
+                hdr_delta = opt->opt.optlen;
-                opt->optlen = (optlen_new + 3) & ~3;
+                opt->opt.optlen = (optlen_new + 3) & ~3;
-                hdr_delta -= opt->optlen;
+                hdr_delta -= opt->opt.optlen;
        } else {
                /* only the cipso option was present on the socket so we can
                 * remove the entire option struct */
                *opt_ptr = NULL;
-                hdr_delta = opt->optlen;
+                hdr_delta = opt->opt.optlen;
-                kfree(opt);
+                call_rcu(&opt->rcu, opt_kfree_rcu);
        }
        return hdr_delta;
@@ -2083,15 +2092,15 @@ static int cipso_v4_delopt(struct ip_options **opt_ptr)
 void cipso_v4_sock_delattr(struct sock *sk)
 {
        int hdr_delta;
-        struct ip_options *opt;
+        struct ip_options_rcu *opt;
        struct inet_sock *sk_inet;
        sk_inet = inet_sk(sk);
-        opt = sk_inet->opt;
+        opt = rcu_dereference_protected(sk_inet->inet_opt, 1);
-        if (opt == NULL || opt->cipso == 0)
+        if (opt == NULL || opt->opt.cipso == 0)
                return;
-        hdr_delta = cipso_v4_delopt(&sk_inet->opt);
+        hdr_delta = cipso_v4_delopt(&sk_inet->inet_opt);
        if (sk_inet->is_icsk && hdr_delta > 0) {
                struct inet_connection_sock *sk_conn = inet_csk(sk);
                sk_conn->icsk_ext_hdr_len -= hdr_delta;
@@ -2109,12 +2118,12 @@ void cipso_v4_sock_delattr(struct sock *sk)
 */
 void cipso_v4_req_delattr(struct request_sock *req)
 {
-        struct ip_options *opt;
+        struct ip_options_rcu *opt;
        struct inet_request_sock *req_inet;
        req_inet = inet_rsk(req);
        opt = req_inet->opt;
-        if (opt == NULL || opt->cipso == 0)
+        if (opt == NULL || opt->opt.cipso == 0)
                return;
        cipso_v4_delopt(&req_inet->opt);
@@ -2184,14 +2193,18 @@ getattr_return:
 */
 int cipso_v4_sock_getattr(struct sock *sk, struct netlbl_lsm_secattr *secattr)
 {
-        struct ip_options *opt;
+        struct ip_options_rcu *opt;
+        int res = -ENOMSG;
-        opt = inet_sk(sk)->opt;
+        rcu_read_lock();
-        if (opt == NULL || opt->cipso == 0)
+        opt = rcu_dereference(inet_sk(sk)->inet_opt);
-                return -ENOMSG;
+        if (opt && opt->opt.cipso)
+                res = cipso_v4_getattr(opt->opt.__data +
-        return cipso_v4_getattr(opt->__data + opt->cipso - sizeof(struct iphdr),
+                                                opt->opt.cipso -
-                                secattr);
+                                                sizeof(struct iphdr),
+                                       secattr);
+        rcu_read_unlock();
+        return res;
 }
 /**
diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
index 174be6caa5c8..424fafbc8cb0 100644
--- a/net/ipv4/datagram.c
+++ b/net/ipv4/datagram.c
@@ -24,6 +24,7 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 {
        struct inet_sock *inet = inet_sk(sk);
        struct sockaddr_in *usin = (struct sockaddr_in *) uaddr;
+        struct flowi4 *fl4;
        struct rtable *rt;
        __be32 saddr;
        int oif;
@@ -38,6 +39,8 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        sk_dst_reset(sk);
+        lock_sock(sk);
        oif = sk->sk_bound_dev_if;
        saddr = inet->inet_saddr;
        if (ipv4_is_multicast(usin->sin_addr.s_addr)) {
@@ -46,33 +49,39 @@ int ip4_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
                if (!saddr)
                        saddr = inet->mc_addr;
        }
-        err = ip_route_connect(&rt, usin->sin_addr.s_addr, saddr,
+        fl4 = &inet->cork.fl.u.ip4;
-                               RT_CONN_FLAGS(sk), oif,
+        rt = ip_route_connect(fl4, usin->sin_addr.s_addr, saddr,
-                               sk->sk_protocol,
+                              RT_CONN_FLAGS(sk), oif,
-                               inet->inet_sport, usin->sin_port, sk, 1);
+                              sk->sk_protocol,
-        if (err) {
+                              inet->inet_sport, usin->sin_port, sk, true);
+        if (IS_ERR(rt)) {
+                err = PTR_ERR(rt);
                if (err == -ENETUNREACH)
                        IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
-                return err;
+                goto out;
        }
        if ((rt->rt_flags & RTCF_BROADCAST) && !sock_flag(sk, SOCK_BROADCAST)) {
                ip_rt_put(rt);
-                return -EACCES;
+                err = -EACCES;
+                goto out;
        }
        if (!inet->inet_saddr)
-                inet->inet_saddr = rt->rt_src;  /* Update source address */
+                inet->inet_saddr = fl4->saddr;  /* Update source address */
        if (!inet->inet_rcv_saddr) {
-                inet->inet_rcv_saddr = rt->rt_src;
+                inet->inet_rcv_saddr = fl4->saddr;
                if (sk->sk_prot->rehash)
                        sk->sk_prot->rehash(sk);
        }
-        inet->inet_daddr = rt->rt_dst;
+        inet->inet_daddr = fl4->daddr;
        inet->inet_dport = usin->sin_port;
        sk->sk_state = TCP_ESTABLISHED;
        inet->inet_id = jiffies;
        sk_dst_set(sk, &rt->dst);
-        return 0;
+        err = 0;
+out:
+        release_sock(sk);
+        return err;
 }
 EXPORT_SYMBOL(ip4_datagram_connect);
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index df4616fce929..0d4a184af16f 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -51,6 +51,7 @@
 #include <linux/inetdevice.h>
 #include <linux/igmp.h>
 #include <linux/slab.h>
+#include <linux/hash.h>
 #ifdef CONFIG_SYSCTL
 #include <linux/sysctl.h>
 #endif
@@ -63,6 +64,8 @@
 #include <net/rtnetlink.h>
 #include <net/net_namespace.h>
+#include "fib_lookup.h"
 static struct ipv4_devconf ipv4_devconf = {
        .data = {
                [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
@@ -92,6 +95,85 @@ static const struct nla_policy ifa_ipv4_policy[IFA_MAX+1] = {
        [IFA_LABEL]             = { .type = NLA_STRING, .len = IFNAMSIZ - 1 },
 };
+/* inet_addr_hash's shifting is dependent upon this IN4_ADDR_HSIZE
+ * value.  So if you change this define, make appropriate changes to
+ * inet_addr_hash as well.
+ */
+#define IN4_ADDR_HSIZE  256
+static struct hlist_head inet_addr_lst[IN4_ADDR_HSIZE];
+static DEFINE_SPINLOCK(inet_addr_hash_lock);
+static inline unsigned int inet_addr_hash(struct net *net, __be32 addr)
+{
+        u32 val = (__force u32) addr ^ hash_ptr(net, 8);
+        return ((val ^ (val >> 8) ^ (val >> 16) ^ (val >> 24)) &
+                (IN4_ADDR_HSIZE - 1));
+}
+static void inet_hash_insert(struct net *net, struct in_ifaddr *ifa)
+{
+        unsigned int hash = inet_addr_hash(net, ifa->ifa_local);
+        spin_lock(&inet_addr_hash_lock);
+        hlist_add_head_rcu(&ifa->hash, &inet_addr_lst[hash]);
+        spin_unlock(&inet_addr_hash_lock);
+}
+static void inet_hash_remove(struct in_ifaddr *ifa)
+{
+        spin_lock(&inet_addr_hash_lock);
+        hlist_del_init_rcu(&ifa->hash);
+        spin_unlock(&inet_addr_hash_lock);
+}
+/**
+ * __ip_dev_find - find the first device with a given source address.
+ * @net: the net namespace
+ * @addr: the source address
+ * @devref: if true, take a reference on the found device
+ *
+ * If a caller uses devref=false, it should be protected by RCU, or RTNL
+ */
+struct net_device *__ip_dev_find(struct net *net, __be32 addr, bool devref)
+{
+        unsigned int hash = inet_addr_hash(net, addr);
+        struct net_device *result = NULL;
+        struct in_ifaddr *ifa;
+        struct hlist_node *node;
+        rcu_read_lock();
+        hlist_for_each_entry_rcu(ifa, node, &inet_addr_lst[hash], hash) {
+                struct net_device *dev = ifa->ifa_dev->dev;
+                if (!net_eq(dev_net(dev), net))
+                        continue;
+                if (ifa->ifa_local == addr) {
+                        result = dev;
+                        break;
+                }
+        }
+        if (!result) {
+                struct flowi4 fl4 = { .daddr = addr };
+                struct fib_result res = { 0 };
+                struct fib_table *local;
+                /* Fallback to FIB local table so that communication
+                 * over loopback subnets work.
+                 */
+                local = fib_get_table(net, RT_TABLE_LOCAL);
+                if (local &&
+                    !fib_table_lookup(local, &fl4, &res, FIB_LOOKUP_NOREF) &&
+                    res.type == RTN_LOCAL)
+                        result = FIB_RES_DEV(res);
+        }
+        if (result && devref)
+                dev_hold(result);
+        rcu_read_unlock();
+        return result;
+}
+EXPORT_SYMBOL(__ip_dev_find);
 static void rtmsg_ifa(int event, struct in_ifaddr *, struct nlmsghdr *, u32);
 static BLOCKING_NOTIFIER_HEAD(inetaddr_chain);
@@ -265,6 +347,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
                        }
                        if (!do_promote) {
+                                inet_hash_remove(ifa);
                                *ifap1 = ifa->ifa_next;
                                rtmsg_ifa(RTM_DELADDR, ifa, nlh, pid);
@@ -278,9 +361,21 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
                }
        }
+        /* On promotion all secondaries from subnet are changing
+         * the primary IP, we must remove all their routes silently
+         * and later to add them back with new prefsrc. Do this
+         * while all addresses are on the device list.
+         */
+        for (ifa = promote; ifa; ifa = ifa->ifa_next) {
+                if (ifa1->ifa_mask == ifa->ifa_mask &&
+                    inet_ifa_match(ifa1->ifa_address, ifa))
+                        fib_del_ifaddr(ifa, ifa1);
+        }
        /* 2. Unlink it */
        *ifap = ifa1->ifa_next;
+        inet_hash_remove(ifa1);
        /* 3. Announce address deletion */
@@ -296,6 +391,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
        blocking_notifier_call_chain(&inetaddr_chain, NETDEV_DOWN, ifa1);
        if (promote) {
+                struct in_ifaddr *next_sec = promote->ifa_next;
                if (prev_prom) {
                        prev_prom->ifa_next = promote->ifa_next;
@@ -307,7 +403,7 @@ static void __inet_del_ifa(struct in_device *in_dev, struct in_ifaddr **ifap,
                rtmsg_ifa(RTM_NEWADDR, promote, nlh, pid);
                blocking_notifier_call_chain(&inetaddr_chain,
                                NETDEV_UP, promote);
-                for (ifa = promote->ifa_next; ifa; ifa = ifa->ifa_next) {
+                for (ifa = next_sec; ifa; ifa = ifa->ifa_next) {
                        if (ifa1->ifa_mask != ifa->ifa_mask ||
                            !inet_ifa_match(ifa1->ifa_address, ifa))
                                        continue;
@@ -368,6 +464,8 @@ static int __inet_insert_ifa(struct in_ifaddr *ifa, struct nlmsghdr *nlh,
        ifa->ifa_next = *ifap;
        *ifap = ifa;
+        inet_hash_insert(dev_net(in_dev->dev), ifa);
        /* Send message first, then call notifier.
           Notifier will trigger FIB update, so that
           listeners of netlink will know about new ifaddr */
@@ -521,6 +619,7 @@ static struct in_ifaddr *rtm_to_ifaddr(struct net *net, struct nlmsghdr *nlh)
        if (tb[IFA_ADDRESS] == NULL)
                tb[IFA_ADDRESS] = tb[IFA_LOCAL];
+        INIT_HLIST_NODE(&ifa->hash);
        ifa->ifa_prefixlen = ifm->ifa_prefixlen;
        ifa->ifa_mask = inet_make_mask(ifm->ifa_prefixlen);
        ifa->ifa_flags = ifm->ifa_flags;
@@ -670,7 +769,7 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
                             ifap = &ifa->ifa_next) {
                                if (!strcmp(ifr.ifr_name, ifa->ifa_label) &&
                                    sin_orig.sin_addr.s_addr ==
-                                                        ifa->ifa_address) {
+                                                        ifa->ifa_local) {
                                        break; /* found */
                                }
                        }
@@ -728,6 +827,7 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
                if (!ifa) {
                        ret = -ENOBUFS;
                        ifa = inet_alloc_ifa();
+                        INIT_HLIST_NODE(&ifa->hash);
                        if (!ifa)
                                break;
                        if (colon)
@@ -1040,8 +1140,8 @@ static void inetdev_send_gratuitous_arp(struct net_device *dev,
                return;
        arp_send(ARPOP_REQUEST, ETH_P_ARP,
-                 ifa->ifa_address, dev,
+                 ifa->ifa_local, dev,
-                 ifa->ifa_address, NULL,
+                 ifa->ifa_local, NULL,
                 dev->dev_addr, NULL);
 }
@@ -1084,6 +1184,7 @@ static int inetdev_event(struct notifier_block *this, unsigned long event,
                        struct in_ifaddr *ifa = inet_alloc_ifa();
                        if (ifa) {
+                                INIT_HLIST_NODE(&ifa->hash);
                                ifa->ifa_local =
                                  ifa->ifa_address = htonl(INADDR_LOOPBACK);
                                ifa->ifa_prefixlen = 8;
@@ -1268,7 +1369,7 @@ errout:
 static size_t inet_get_link_af_size(const struct net_device *dev)
 {
-        struct in_device *in_dev = __in_dev_get_rtnl(dev);
+        struct in_device *in_dev = rcu_dereference_rtnl(dev->ip_ptr);
        if (!in_dev)
                return 0;
@@ -1278,7 +1379,7 @@ static size_t inet_get_link_af_size(const struct net_device *dev)
 static int inet_fill_link_af(struct sk_buff *skb, const struct net_device *dev)
 {
-        struct in_device *in_dev = __in_dev_get_rtnl(dev);
+        struct in_device *in_dev = rcu_dereference_rtnl(dev->ip_ptr);
        struct nlattr *nla;
        int i;
@@ -1579,7 +1680,7 @@ static void __devinet_sysctl_unregister(struct ipv4_devconf *cnf)
                return;
        cnf->sysctl = NULL;
-        unregister_sysctl_table(t->sysctl_header);
+        unregister_net_sysctl_table(t->sysctl_header);
        kfree(t->dev_name);
        kfree(t);
 }
@@ -1720,6 +1821,11 @@ static struct rtnl_af_ops inet_af_ops = {
 void __init devinet_init(void)
 {
+        int i;
+        for (i = 0; i < IN4_ADDR_HSIZE; i++)
+                INIT_HLIST_HEAD(&inet_addr_lst[i]);
        register_pernet_subsys(&devinet_ops);
        register_gifconf(PF_INET, inet_gifconf);
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index e42a905180f0..a5b413416da3 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -33,11 +33,14 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu);
 *
 * TODO: Use spare space in skb for this where possible.
 */
-static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags)
+static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags, int seqhilen)
 {
        unsigned int len;
-        len = crypto_aead_ivsize(aead);
+        len = seqhilen;
+        len += crypto_aead_ivsize(aead);
        if (len) {
                len += crypto_aead_alignmask(aead) &
                       ~(crypto_tfm_ctx_alignment() - 1);
@@ -52,10 +55,15 @@ static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags)
        return kmalloc(len, GFP_ATOMIC);
 }
-static inline u8 *esp_tmp_iv(struct crypto_aead *aead, void *tmp)
+static inline __be32 *esp_tmp_seqhi(void *tmp)
+{
+        return PTR_ALIGN((__be32 *)tmp, __alignof__(__be32));
+}
+static inline u8 *esp_tmp_iv(struct crypto_aead *aead, void *tmp, int seqhilen)
 {
        return crypto_aead_ivsize(aead) ?
-               PTR_ALIGN((u8 *)tmp, crypto_aead_alignmask(aead) + 1) : tmp;
+               PTR_ALIGN((u8 *)tmp + seqhilen,
+                         crypto_aead_alignmask(aead) + 1) : tmp + seqhilen;
 }
 static inline struct aead_givcrypt_request *esp_tmp_givreq(
@@ -122,6 +130,10 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
        int plen;
        int tfclen;
        int nfrags;
+        int assoclen;
+        int sglists;
+        int seqhilen;
+        __be32 *seqhi;
        /* skb is pure payload to encrypt */
@@ -151,14 +163,25 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
                goto error;
        nfrags = err;
-        tmp = esp_alloc_tmp(aead, nfrags + 1);
+        assoclen = sizeof(*esph);
+        sglists = 1;
+        seqhilen = 0;
+        if (x->props.flags & XFRM_STATE_ESN) {
+                sglists += 2;
+                seqhilen += sizeof(__be32);
+                assoclen += seqhilen;
+        }
+        tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen);
        if (!tmp)
                goto error;
-        iv = esp_tmp_iv(aead, tmp);
+        seqhi = esp_tmp_seqhi(tmp);
+        iv = esp_tmp_iv(aead, tmp, seqhilen);
        req = esp_tmp_givreq(aead, iv);
        asg = esp_givreq_sg(aead, req);
-        sg = asg + 1;
+        sg = asg + sglists;
        /* Fill padding... */
        tail = skb_tail_pointer(trailer);
@@ -215,19 +238,27 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
        }
        esph->spi = x->id.spi;
-        esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output);
+        esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
        sg_init_table(sg, nfrags);
        skb_to_sgvec(skb, sg,
                     esph->enc_data + crypto_aead_ivsize(aead) - skb->data,
                     clen + alen);
-        sg_init_one(asg, esph, sizeof(*esph));
+        if ((x->props.flags & XFRM_STATE_ESN)) {
+                sg_init_table(asg, 3);
+                sg_set_buf(asg, &esph->spi, sizeof(__be32));
+                *seqhi = htonl(XFRM_SKB_CB(skb)->seq.output.hi);
+                sg_set_buf(asg + 1, seqhi, seqhilen);
+                sg_set_buf(asg + 2, &esph->seq_no, sizeof(__be32));
+        } else
+                sg_init_one(asg, esph, sizeof(*esph));
        aead_givcrypt_set_callback(req, 0, esp_output_done, skb);
        aead_givcrypt_set_crypt(req, sg, sg, clen, iv);
-        aead_givcrypt_set_assoc(req, asg, sizeof(*esph));
+        aead_givcrypt_set_assoc(req, asg, assoclen);
        aead_givcrypt_set_giv(req, esph->enc_data,
-                              XFRM_SKB_CB(skb)->seq.output);
+                              XFRM_SKB_CB(skb)->seq.output.low);
        ESP_SKB_CB(skb)->tmp = tmp;
        err = crypto_aead_givencrypt(req);
@@ -245,7 +276,7 @@ error:
 static int esp_input_done2(struct sk_buff *skb, int err)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct xfrm_state *x = xfrm_input_state(skb);
        struct esp_data *esp = x->data;
        struct crypto_aead *aead = esp->aead;
@@ -346,6 +377,10 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
        struct sk_buff *trailer;
        int elen = skb->len - sizeof(*esph) - crypto_aead_ivsize(aead);
        int nfrags;
+        int assoclen;
+        int sglists;
+        int seqhilen;
+        __be32 *seqhi;
        void *tmp;
        u8 *iv;
        struct scatterlist *sg;
@@ -362,16 +397,27 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
                goto out;
        nfrags = err;
+        assoclen = sizeof(*esph);
+        sglists = 1;
+        seqhilen = 0;
+        if (x->props.flags & XFRM_STATE_ESN) {
+                sglists += 2;
+                seqhilen += sizeof(__be32);
+                assoclen += seqhilen;
+        }
        err = -ENOMEM;
-        tmp = esp_alloc_tmp(aead, nfrags + 1);
+        tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen);
        if (!tmp)
                goto out;
        ESP_SKB_CB(skb)->tmp = tmp;
-        iv = esp_tmp_iv(aead, tmp);
+        seqhi = esp_tmp_seqhi(tmp);
+        iv = esp_tmp_iv(aead, tmp, seqhilen);
        req = esp_tmp_req(aead, iv);
        asg = esp_req_sg(aead, req);
-        sg = asg + 1;
+        sg = asg + sglists;
        skb->ip_summed = CHECKSUM_NONE;
@@ -382,11 +428,19 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
        sg_init_table(sg, nfrags);
        skb_to_sgvec(skb, sg, sizeof(*esph) + crypto_aead_ivsize(aead), elen);
-        sg_init_one(asg, esph, sizeof(*esph));
+        if ((x->props.flags & XFRM_STATE_ESN)) {
+                sg_init_table(asg, 3);
+                sg_set_buf(asg, &esph->spi, sizeof(__be32));
+                *seqhi = XFRM_SKB_CB(skb)->seq.input.hi;
+                sg_set_buf(asg + 1, seqhi, seqhilen);
+                sg_set_buf(asg + 2, &esph->seq_no, sizeof(__be32));
+        } else
+                sg_init_one(asg, esph, sizeof(*esph));
        aead_request_set_callback(req, 0, esp_input_done, skb);
        aead_request_set_crypt(req, sg, sg, elen, iv);
-        aead_request_set_assoc(req, asg, sizeof(*esph));
+        aead_request_set_assoc(req, asg, assoclen);
        err = crypto_aead_decrypt(req);
        if (err == -EINPROGRESS)
@@ -430,7 +484,7 @@ static u32 esp4_get_mtu(struct xfrm_state *x, int mtu)
 static void esp4_err(struct sk_buff *skb, u32 info)
 {
        struct net *net = dev_net(skb->dev);
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        struct ip_esp_hdr *esph = (struct ip_esp_hdr *)(skb->data+(iph->ihl<<2));
        struct xfrm_state *x;
@@ -438,7 +492,8 @@ static void esp4_err(struct sk_buff *skb, u32 info)
            icmp_hdr(skb)->code != ICMP_FRAG_NEEDED)
                return;
-        x = xfrm_state_lookup(net, skb->mark, (xfrm_address_t *)&iph->daddr, esph->spi, IPPROTO_ESP, AF_INET);
+        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
+                              esph->spi, IPPROTO_ESP, AF_INET);
        if (!x)
                return;
        NETDEBUG(KERN_DEBUG "pmtu discovery on SA ESP/%08x/%08x\n",
@@ -500,10 +555,20 @@ static int esp_init_authenc(struct xfrm_state *x)
                goto error;
        err = -ENAMETOOLONG;
-        if (snprintf(authenc_name, CRYPTO_MAX_ALG_NAME, "authenc(%s,%s)",
-                     x->aalg ? x->aalg->alg_name : "digest_null",
+        if ((x->props.flags & XFRM_STATE_ESN)) {
-                     x->ealg->alg_name) >= CRYPTO_MAX_ALG_NAME)
+                if (snprintf(authenc_name, CRYPTO_MAX_ALG_NAME,
-                goto error;
+                             "authencesn(%s,%s)",
+                             x->aalg ? x->aalg->alg_name : "digest_null",
+                             x->ealg->alg_name) >= CRYPTO_MAX_ALG_NAME)
+                        goto error;
+        } else {
+                if (snprintf(authenc_name, CRYPTO_MAX_ALG_NAME,
+                             "authenc(%s,%s)",
+                             x->aalg ? x->aalg->alg_name : "digest_null",
+                             x->ealg->alg_name) >= CRYPTO_MAX_ALG_NAME)
+                        goto error;
+        }
        aead = crypto_alloc_aead(authenc_name, 0, 0);
        err = PTR_ERR(aead);
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 1d2cdd43a878..22524716fe70 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -44,6 +44,7 @@
 #include <net/arp.h>
 #include <net/ip_fib.h>
 #include <net/rtnetlink.h>
+#include <net/xfrm.h>
 #ifndef CONFIG_IP_MULTIPLE_TABLES
@@ -51,11 +52,11 @@ static int __net_init fib4_rules_init(struct net *net)
 {
        struct fib_table *local_table, *main_table;
-        local_table = fib_hash_table(RT_TABLE_LOCAL);
+        local_table = fib_trie_table(RT_TABLE_LOCAL);
        if (local_table == NULL)
                return -ENOMEM;
-        main_table  = fib_hash_table(RT_TABLE_MAIN);
+        main_table  = fib_trie_table(RT_TABLE_MAIN);
        if (main_table == NULL)
                goto fail;
@@ -82,7 +83,7 @@ struct fib_table *fib_new_table(struct net *net, u32 id)
        if (tb)
                return tb;
-        tb = fib_hash_table(id);
+        tb = fib_trie_table(id);
        if (!tb)
                return NULL;
        h = id & (FIB_TABLE_HASHSZ - 1);
@@ -114,21 +115,6 @@ struct fib_table *fib_get_table(struct net *net, u32 id)
 }
 #endif /* CONFIG_IP_MULTIPLE_TABLES */
-void fib_select_default(struct net *net,
-                        const struct flowi *flp, struct fib_result *res)
-{
-        struct fib_table *tb;
-        int table = RT_TABLE_MAIN;
-#ifdef CONFIG_IP_MULTIPLE_TABLES
-        if (res->r == NULL || res->r->action != FR_ACT_TO_TBL)
-                return;
-        table = res->r->table;
-#endif
-        tb = fib_get_table(net, table);
-        if (FIB_RES_GW(*res) && FIB_RES_NH(*res).nh_scope == RT_SCOPE_LINK)
-                fib_table_select_default(tb, flp, res);
-}
 static void fib_flush(struct net *net)
 {
        int flushed = 0;
@@ -147,46 +133,6 @@ static void fib_flush(struct net *net)
                rt_cache_flush(net, -1);
 }
-/**
- * __ip_dev_find - find the first device with a given source address.
- * @net: the net namespace
- * @addr: the source address
- * @devref: if true, take a reference on the found device
- *
- * If a caller uses devref=false, it should be protected by RCU, or RTNL
- */
-struct net_device *__ip_dev_find(struct net *net, __be32 addr, bool devref)
-{
-        struct flowi fl = {
-                .fl4_dst = addr,
-        };
-        struct fib_result res = { 0 };
-        struct net_device *dev = NULL;
-        struct fib_table *local_table;
-#ifdef CONFIG_IP_MULTIPLE_TABLES
-        res.r = NULL;
-#endif
-        rcu_read_lock();
-        local_table = fib_get_table(net, RT_TABLE_LOCAL);
-        if (!local_table ||
-            fib_table_lookup(local_table, &fl, &res, FIB_LOOKUP_NOREF)) {
-                rcu_read_unlock();
-                return NULL;
-        }
-        if (res.type != RTN_LOCAL)
-                goto out;
-        dev = FIB_RES_DEV(res);
-        if (dev && devref)
-                dev_hold(dev);
-out:
-        rcu_read_unlock();
-        return dev;
-}
-EXPORT_SYMBOL(__ip_dev_find);
 /*
 * Find address type as if only "dev" was present in the system. If
 * on_dev is NULL then all interfaces are taken into consideration.
@@ -195,7 +141,7 @@ static inline unsigned __inet_dev_addr_type(struct net *net,
                                            const struct net_device *dev,
                                            __be32 addr)
 {
-        struct flowi            fl = { .fl4_dst = addr };
+        struct flowi4           fl4 = { .daddr = addr };
        struct fib_result       res;
        unsigned ret = RTN_BROADCAST;
        struct fib_table *local_table;
@@ -213,7 +159,7 @@ static inline unsigned __inet_dev_addr_type(struct net *net,
        if (local_table) {
                ret = RTN_UNICAST;
                rcu_read_lock();
-                if (!fib_table_lookup(local_table, &fl, &res, FIB_LOOKUP_NOREF)) {
+                if (!fib_table_lookup(local_table, &fl4, &res, FIB_LOOKUP_NOREF)) {
                        if (!dev || dev == res.fi->fib_dev)
                                ret = res.type;
                }
@@ -243,45 +189,48 @@ EXPORT_SYMBOL(inet_dev_addr_type);
 * - check, that packet arrived from expected physical interface.
 * called with rcu_read_lock()
 */
-int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
+int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, u8 tos,
-                        struct net_device *dev, __be32 *spec_dst,
+                        int oif, struct net_device *dev, __be32 *spec_dst,
-                        u32 *itag, u32 mark)
+                        u32 *itag)
 {
        struct in_device *in_dev;
-        struct flowi fl = {
+        struct flowi4 fl4;
-                .fl4_dst = src,
-                .fl4_src = dst,
-                .fl4_tos = tos,
-                .mark = mark,
-                .iif = oif
-        };
        struct fib_result res;
        int no_addr, rpf, accept_local;
        bool dev_match;
        int ret;
        struct net *net;
+        fl4.flowi4_oif = 0;
+        fl4.flowi4_iif = oif;
+        fl4.daddr = src;
+        fl4.saddr = dst;
+        fl4.flowi4_tos = tos;
+        fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
        no_addr = rpf = accept_local = 0;
        in_dev = __in_dev_get_rcu(dev);
        if (in_dev) {
                no_addr = in_dev->ifa_list == NULL;
-                rpf = IN_DEV_RPFILTER(in_dev);
+                /* Ignore rp_filter for packets protected by IPsec. */
+                rpf = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(in_dev);
                accept_local = IN_DEV_ACCEPT_LOCAL(in_dev);
-                if (mark && !IN_DEV_SRC_VMARK(in_dev))
+                fl4.flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0;
-                        fl.mark = 0;
        }
        if (in_dev == NULL)
                goto e_inval;
        net = dev_net(dev);
-        if (fib_lookup(net, &fl, &res))
+        if (fib_lookup(net, &fl4, &res))
                goto last_resort;
        if (res.type != RTN_UNICAST) {
                if (res.type != RTN_LOCAL || !accept_local)
                        goto e_inval;
        }
-        *spec_dst = FIB_RES_PREFSRC(res);
+        *spec_dst = FIB_RES_PREFSRC(net, res);
        fib_combine_itag(itag, &res);
        dev_match = false;
@@ -306,12 +255,12 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
                goto last_resort;
        if (rpf == 1)
                goto e_rpf;
-        fl.oif = dev->ifindex;
+        fl4.flowi4_oif = dev->ifindex;
        ret = 0;
-        if (fib_lookup(net, &fl, &res) == 0) {
+        if (fib_lookup(net, &fl4, &res) == 0) {
                if (res.type == RTN_UNICAST) {
-                        *spec_dst = FIB_RES_PREFSRC(res);
+                        *spec_dst = FIB_RES_PREFSRC(net, res);
                        ret = FIB_RES_NH(res).nh_scope >= RT_SCOPE_HOST;
                }
        }
@@ -775,12 +724,17 @@ void fib_add_ifaddr(struct in_ifaddr *ifa)
        }
 }
-static void fib_del_ifaddr(struct in_ifaddr *ifa)
+/* Delete primary or secondary address.
+ * Optionally, on secondary address promotion consider the addresses
+ * from subnet iprim as deleted, even if they are in device list.
+ * In this case the secondary ifa can be in device list.
+ */
+void fib_del_ifaddr(struct in_ifaddr *ifa, struct in_ifaddr *iprim)
 {
        struct in_device *in_dev = ifa->ifa_dev;
        struct net_device *dev = in_dev->dev;
        struct in_ifaddr *ifa1;
-        struct in_ifaddr *prim = ifa;
+        struct in_ifaddr *prim = ifa, *prim1 = NULL;
        __be32 brd = ifa->ifa_address | ~ifa->ifa_mask;
        __be32 any = ifa->ifa_address & ifa->ifa_mask;
 #define LOCAL_OK        1
@@ -788,17 +742,26 @@ static void fib_del_ifaddr(struct in_ifaddr *ifa)
 #define BRD0_OK         4
 #define BRD1_OK         8
        unsigned ok = 0;
+        int subnet = 0;         /* Primary network */
+        int gone = 1;           /* Address is missing */
+        int same_prefsrc = 0;   /* Another primary with same IP */
-        if (!(ifa->ifa_flags & IFA_F_SECONDARY))
+        if (ifa->ifa_flags & IFA_F_SECONDARY) {
-                fib_magic(RTM_DELROUTE,
-                          dev->flags & IFF_LOOPBACK ? RTN_LOCAL : RTN_UNICAST,
-                          any, ifa->ifa_prefixlen, prim);
-        else {
                prim = inet_ifa_byprefix(in_dev, any, ifa->ifa_mask);
                if (prim == NULL) {
                        printk(KERN_WARNING "fib_del_ifaddr: bug: prim == NULL\n");
                        return;
                }
+                if (iprim && iprim != prim) {
+                        printk(KERN_WARNING "fib_del_ifaddr: bug: iprim != prim\n");
+                        return;
+                }
+        } else if (!ipv4_is_zeronet(any) &&
+                   (any != ifa->ifa_local || ifa->ifa_prefixlen < 32)) {
+                fib_magic(RTM_DELROUTE,
+                          dev->flags & IFF_LOOPBACK ? RTN_LOCAL : RTN_UNICAST,
+                          any, ifa->ifa_prefixlen, prim);
+                subnet = 1;
        }
        /* Deletion is more complicated than add.
@@ -808,6 +771,49 @@ static void fib_del_ifaddr(struct in_ifaddr *ifa)
         */
        for (ifa1 = in_dev->ifa_list; ifa1; ifa1 = ifa1->ifa_next) {
+                if (ifa1 == ifa) {
+                        /* promotion, keep the IP */
+                        gone = 0;
+                        continue;
+                }
+                /* Ignore IFAs from our subnet */
+                if (iprim && ifa1->ifa_mask == iprim->ifa_mask &&
+                    inet_ifa_match(ifa1->ifa_address, iprim))
+                        continue;
+                /* Ignore ifa1 if it uses different primary IP (prefsrc) */
+                if (ifa1->ifa_flags & IFA_F_SECONDARY) {
+                        /* Another address from our subnet? */
+                        if (ifa1->ifa_mask == prim->ifa_mask &&
+                            inet_ifa_match(ifa1->ifa_address, prim))
+                                prim1 = prim;
+                        else {
+                                /* We reached the secondaries, so
+                                 * same_prefsrc should be determined.
+                                 */
+                                if (!same_prefsrc)
+                                        continue;
+                                /* Search new prim1 if ifa1 is not
+                                 * using the current prim1
+                                 */
+                                if (!prim1 ||
+                                    ifa1->ifa_mask != prim1->ifa_mask ||
+                                    !inet_ifa_match(ifa1->ifa_address, prim1))
+                                        prim1 = inet_ifa_byprefix(in_dev,
+                                                        ifa1->ifa_address,
+                                                        ifa1->ifa_mask);
+                                if (!prim1)
+                                        continue;
+                                if (prim1->ifa_local != prim->ifa_local)
+                                        continue;
+                        }
+                } else {
+                        if (prim->ifa_local != ifa1->ifa_local)
+                                continue;
+                        prim1 = ifa1;
+                        if (prim != prim1)
+                                same_prefsrc = 1;
+                }
                if (ifa->ifa_local == ifa1->ifa_local)
                        ok |= LOCAL_OK;
                if (ifa->ifa_broadcast == ifa1->ifa_broadcast)
@@ -816,19 +822,37 @@ static void fib_del_ifaddr(struct in_ifaddr *ifa)
                        ok |= BRD1_OK;
                if (any == ifa1->ifa_broadcast)
                        ok |= BRD0_OK;
+                /* primary has network specific broadcasts */
+                if (prim1 == ifa1 && ifa1->ifa_prefixlen < 31) {
+                        __be32 brd1 = ifa1->ifa_address | ~ifa1->ifa_mask;
+                        __be32 any1 = ifa1->ifa_address & ifa1->ifa_mask;
+                        if (!ipv4_is_zeronet(any1)) {
+                                if (ifa->ifa_broadcast == brd1 ||
+                                    ifa->ifa_broadcast == any1)
+                                        ok |= BRD_OK;
+                                if (brd == brd1 || brd == any1)
+                                        ok |= BRD1_OK;
+                                if (any == brd1 || any == any1)
+                                        ok |= BRD0_OK;
+                        }
+                }
        }
        if (!(ok & BRD_OK))
                fib_magic(RTM_DELROUTE, RTN_BROADCAST, ifa->ifa_broadcast, 32, prim);
-        if (!(ok & BRD1_OK))
+        if (subnet && ifa->ifa_prefixlen < 31) {
-                fib_magic(RTM_DELROUTE, RTN_BROADCAST, brd, 32, prim);
+                if (!(ok & BRD1_OK))
-        if (!(ok & BRD0_OK))
+                        fib_magic(RTM_DELROUTE, RTN_BROADCAST, brd, 32, prim);
-                fib_magic(RTM_DELROUTE, RTN_BROADCAST, any, 32, prim);
+                if (!(ok & BRD0_OK))
+                        fib_magic(RTM_DELROUTE, RTN_BROADCAST, any, 32, prim);
+        }
        if (!(ok & LOCAL_OK)) {
                fib_magic(RTM_DELROUTE, RTN_LOCAL, ifa->ifa_local, 32, prim);
                /* Check, that this local address finally disappeared. */
-                if (inet_addr_type(dev_net(dev), ifa->ifa_local) != RTN_LOCAL) {
+                if (gone &&
+                    inet_addr_type(dev_net(dev), ifa->ifa_local) != RTN_LOCAL) {
                        /* And the last, but not the least thing.
                         * We must flush stray FIB entries.
                         *
@@ -849,11 +873,11 @@ static void nl_fib_lookup(struct fib_result_nl *frn, struct fib_table *tb)
 {
        struct fib_result       res;
-        struct flowi            fl = {
+        struct flowi4           fl4 = {
-                .mark = frn->fl_mark,
+                .flowi4_mark = frn->fl_mark,
-                .fl4_dst = frn->fl_addr,
+                .daddr = frn->fl_addr,
-                .fl4_tos = frn->fl_tos,
+                .flowi4_tos = frn->fl_tos,
-                .fl4_scope = frn->fl_scope,
+                .flowi4_scope = frn->fl_scope,
        };
 #ifdef CONFIG_IP_MULTIPLE_TABLES
@@ -866,7 +890,7 @@ static void nl_fib_lookup(struct fib_result_nl *frn, struct fib_table *tb)
                frn->tb_id = tb->tb_id;
                rcu_read_lock();
-                frn->err = fib_table_lookup(tb, &fl, &res, FIB_LOOKUP_NOREF);
+                frn->err = fib_table_lookup(tb, &fl4, &res, FIB_LOOKUP_NOREF);
                if (!frn->err) {
                        frn->prefixlen = res.prefixlen;
@@ -938,6 +962,7 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
 {
        struct in_ifaddr *ifa = (struct in_ifaddr *)ptr;
        struct net_device *dev = ifa->ifa_dev->dev;
+        struct net *net = dev_net(dev);
        switch (event) {
        case NETDEV_UP:
@@ -945,10 +970,12 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
                fib_sync_up(dev);
 #endif
+                atomic_inc(&net->ipv4.dev_addr_genid);
                rt_cache_flush(dev_net(dev), -1);
                break;
        case NETDEV_DOWN:
-                fib_del_ifaddr(ifa);
+                fib_del_ifaddr(ifa, NULL);
+                atomic_inc(&net->ipv4.dev_addr_genid);
                if (ifa->ifa_dev->ifa_list == NULL) {
                        /* Last address was deleted from this interface.
                         * Disable IP.
@@ -966,6 +993,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
 {
        struct net_device *dev = ptr;
        struct in_device *in_dev = __in_dev_get_rtnl(dev);
+        struct net *net = dev_net(dev);
        if (event == NETDEV_UNREGISTER) {
                fib_disable_ip(dev, 2, -1);
@@ -983,6 +1011,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
                fib_sync_up(dev);
 #endif
+                atomic_inc(&net->ipv4.dev_addr_genid);
                rt_cache_flush(dev_net(dev), -1);
                break;
        case NETDEV_DOWN:
@@ -1041,6 +1070,7 @@ static void ip_fib_net_exit(struct net *net)
        fib4_rules_exit(net);
 #endif
+        rtnl_lock();
        for (i = 0; i < FIB_TABLE_HASHSZ; i++) {
                struct fib_table *tb;
                struct hlist_head *head;
@@ -1053,6 +1083,7 @@ static void ip_fib_net_exit(struct net *net)
                        fib_free_table(tb);
                }
        }
+        rtnl_unlock();
        kfree(net->ipv4.fib_table_hash);
 }
@@ -1101,5 +1132,5 @@ void __init ip_fib_init(void)
        register_netdevice_notifier(&fib_netdev_notifier);
        register_inetaddr_notifier(&fib_inetaddr_notifier);
-        fib_hash_init();
+        fib_trie_init();
 }
diff --git a/net/ipv4/fib_hash.c b/net/ipv4/fib_hash.c
deleted file mode 100644
index b3acb0417b21..000000000000
--- a/net/ipv4/fib_hash.c
+++ /dev/null
@@ -1,1133 +0,0 @@
-/*
- * INET         An implementation of the TCP/IP protocol suite for the LINUX
- *              operating system.  INET is implemented using the  BSD Socket
- *              interface as the means of communication with the user level.
- *
- *              IPv4 FIB: lookup engine and maintenance routines.
- *
- * Authors:     Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
- *
- *              This program is free software; you can redistribute it and/or
- *              modify it under the terms of the GNU General Public License
- *              as published by the Free Software Foundation; either version
- *              2 of the License, or (at your option) any later version.
- */
-#include <asm/uaccess.h>
-#include <asm/system.h>
-#include <linux/bitops.h>
-#include <linux/types.h>
-#include <linux/kernel.h>
-#include <linux/mm.h>
-#include <linux/string.h>
-#include <linux/socket.h>
-#include <linux/sockios.h>
-#include <linux/errno.h>
-#include <linux/in.h>
-#include <linux/inet.h>
-#include <linux/inetdevice.h>
-#include <linux/netdevice.h>
-#include <linux/if_arp.h>
-#include <linux/proc_fs.h>
-#include <linux/skbuff.h>
-#include <linux/netlink.h>
-#include <linux/init.h>
-#include <linux/slab.h>
-#include <net/net_namespace.h>
-#include <net/ip.h>
-#include <net/protocol.h>
-#include <net/route.h>
-#include <net/tcp.h>
-#include <net/sock.h>
-#include <net/ip_fib.h>
-#include "fib_lookup.h"
-static struct kmem_cache *fn_hash_kmem __read_mostly;
-static struct kmem_cache *fn_alias_kmem __read_mostly;
-struct fib_node {
-        struct hlist_node       fn_hash;
-        struct list_head        fn_alias;
-        __be32                  fn_key;
-        struct fib_alias        fn_embedded_alias;
-};
-#define EMBEDDED_HASH_SIZE (L1_CACHE_BYTES / sizeof(struct hlist_head))
-struct fn_zone {
-        struct fn_zone __rcu    *fz_next;       /* Next not empty zone  */
-        struct hlist_head __rcu *fz_hash;       /* Hash table pointer   */
-        seqlock_t               fz_lock;
-        u32                     fz_hashmask;    /* (fz_divisor - 1)     */
-        u8                      fz_order;       /* Zone order (0..32)   */
-        u8                      fz_revorder;    /* 32 - fz_order        */
-        __be32                  fz_mask;        /* inet_make_mask(order) */
-#define FZ_MASK(fz)             ((fz)->fz_mask)
-        struct hlist_head       fz_embedded_hash[EMBEDDED_HASH_SIZE];
-        int                     fz_nent;        /* Number of entries    */
-        int                     fz_divisor;     /* Hash size (mask+1)   */
-};
-struct fn_hash {
-        struct fn_zone          *fn_zones[33];
-        struct fn_zone __rcu    *fn_zone_list;
-};
-static inline u32 fn_hash(__be32 key, struct fn_zone *fz)
-{
-        u32 h = ntohl(key) >> fz->fz_revorder;
-        h ^= (h>>20);
-        h ^= (h>>10);
-        h ^= (h>>5);
-        h &= fz->fz_hashmask;
-        return h;
-}
-static inline __be32 fz_key(__be32 dst, struct fn_zone *fz)
-{
-        return dst & FZ_MASK(fz);
-}
-static unsigned int fib_hash_genid;
-#define FZ_MAX_DIVISOR ((PAGE_SIZE<<MAX_ORDER) / sizeof(struct hlist_head))
-static struct hlist_head *fz_hash_alloc(int divisor)
-{
-        unsigned long size = divisor * sizeof(struct hlist_head);
-        if (size <= PAGE_SIZE)
-                return kzalloc(size, GFP_KERNEL);
-        return (struct hlist_head *)
-                __get_free_pages(GFP_KERNEL | __GFP_ZERO, get_order(size));
-}
-/* The fib hash lock must be held when this is called. */
-static inline void fn_rebuild_zone(struct fn_zone *fz,
-                                   struct hlist_head *old_ht,
-                                   int old_divisor)
-{
-        int i;
-        for (i = 0; i < old_divisor; i++) {
-                struct hlist_node *node, *n;
-                struct fib_node *f;
-                hlist_for_each_entry_safe(f, node, n, &old_ht[i], fn_hash) {
-                        struct hlist_head *new_head;
-                        hlist_del_rcu(&f->fn_hash);
-                        new_head = rcu_dereference_protected(fz->fz_hash, 1) +
-                                   fn_hash(f->fn_key, fz);
-                        hlist_add_head_rcu(&f->fn_hash, new_head);
-                }
-        }
-}
-static void fz_hash_free(struct hlist_head *hash, int divisor)
-{
-        unsigned long size = divisor * sizeof(struct hlist_head);
-        if (size <= PAGE_SIZE)
-                kfree(hash);
-        else
-                free_pages((unsigned long)hash, get_order(size));
-}
-static void fn_rehash_zone(struct fn_zone *fz)
-{
-        struct hlist_head *ht, *old_ht;
-        int old_divisor, new_divisor;
-        u32 new_hashmask;
-        new_divisor = old_divisor = fz->fz_divisor;
-        switch (old_divisor) {
-        case EMBEDDED_HASH_SIZE:
-                new_divisor *= EMBEDDED_HASH_SIZE;
-                break;
-        case EMBEDDED_HASH_SIZE*EMBEDDED_HASH_SIZE:
-                new_divisor *= (EMBEDDED_HASH_SIZE/2);
-                break;
-        default:
-                if ((old_divisor << 1) > FZ_MAX_DIVISOR) {
-                        printk(KERN_CRIT "route.c: bad divisor %d!\n", old_divisor);
-                        return;
-                }
-                new_divisor = (old_divisor << 1);
-                break;
-        }
-        new_hashmask = (new_divisor - 1);
-#if RT_CACHE_DEBUG >= 2
-        printk(KERN_DEBUG "fn_rehash_zone: hash for zone %d grows from %d\n",
-               fz->fz_order, old_divisor);
-#endif
-        ht = fz_hash_alloc(new_divisor);
-        if (ht) {
-                struct fn_zone nfz;
-                memcpy(&nfz, fz, sizeof(nfz));
-                write_seqlock_bh(&fz->fz_lock);
-                old_ht = rcu_dereference_protected(fz->fz_hash, 1);
-                RCU_INIT_POINTER(nfz.fz_hash, ht);
-                nfz.fz_hashmask = new_hashmask;
-                nfz.fz_divisor = new_divisor;
-                fn_rebuild_zone(&nfz, old_ht, old_divisor);
-                fib_hash_genid++;
-                rcu_assign_pointer(fz->fz_hash, ht);
-                fz->fz_hashmask = new_hashmask;
-                fz->fz_divisor = new_divisor;
-                write_sequnlock_bh(&fz->fz_lock);
-                if (old_ht != fz->fz_embedded_hash) {
-                        synchronize_rcu();
-                        fz_hash_free(old_ht, old_divisor);
-                }
-        }
-}
-static void fn_free_node_rcu(struct rcu_head *head)
-{
-        struct fib_node *f = container_of(head, struct fib_node, fn_embedded_alias.rcu);
-        kmem_cache_free(fn_hash_kmem, f);
-}
-static inline void fn_free_node(struct fib_node *f)
-{
-        call_rcu(&f->fn_embedded_alias.rcu, fn_free_node_rcu);
-}
-static void fn_free_alias_rcu(struct rcu_head *head)
-{
-        struct fib_alias *fa = container_of(head, struct fib_alias, rcu);
-        kmem_cache_free(fn_alias_kmem, fa);
-}
-static inline void fn_free_alias(struct fib_alias *fa, struct fib_node *f)
-{
-        fib_release_info(fa->fa_info);
-        if (fa == &f->fn_embedded_alias)
-                fa->fa_info = NULL;
-        else
-                call_rcu(&fa->rcu, fn_free_alias_rcu);
-}
-static struct fn_zone *
-fn_new_zone(struct fn_hash *table, int z)
-{
-        int i;
-        struct fn_zone *fz = kzalloc(sizeof(struct fn_zone), GFP_KERNEL);
-        if (!fz)
-                return NULL;
-        seqlock_init(&fz->fz_lock);
-        fz->fz_divisor = z ? EMBEDDED_HASH_SIZE : 1;
-        fz->fz_hashmask = fz->fz_divisor - 1;
-        RCU_INIT_POINTER(fz->fz_hash, fz->fz_embedded_hash);
-        fz->fz_order = z;
-        fz->fz_revorder = 32 - z;
-        fz->fz_mask = inet_make_mask(z);
-        /* Find the first not empty zone with more specific mask */
-        for (i = z + 1; i <= 32; i++)
-                if (table->fn_zones[i])
-                        break;
-        if (i > 32) {
-                /* No more specific masks, we are the first. */
-                rcu_assign_pointer(fz->fz_next,
-                                   rtnl_dereference(table->fn_zone_list));
-                rcu_assign_pointer(table->fn_zone_list, fz);
-        } else {
-                rcu_assign_pointer(fz->fz_next,
-                                   rtnl_dereference(table->fn_zones[i]->fz_next));
-                rcu_assign_pointer(table->fn_zones[i]->fz_next, fz);
-        }
-        table->fn_zones[z] = fz;
-        fib_hash_genid++;
-        return fz;
-}
-int fib_table_lookup(struct fib_table *tb,
-                     const struct flowi *flp, struct fib_result *res,
-                     int fib_flags)
-{
-        int err;
-        struct fn_zone *fz;
-        struct fn_hash *t = (struct fn_hash *)tb->tb_data;
-        rcu_read_lock();
-        for (fz = rcu_dereference(t->fn_zone_list);
-             fz != NULL;
-             fz = rcu_dereference(fz->fz_next)) {
-                struct hlist_head *head;
-                struct hlist_node *node;
-                struct fib_node *f;
-                __be32 k;
-                unsigned int seq;
-                do {
-                        seq = read_seqbegin(&fz->fz_lock);
-                        k = fz_key(flp->fl4_dst, fz);
-                        head = rcu_dereference(fz->fz_hash) + fn_hash(k, fz);
-                        hlist_for_each_entry_rcu(f, node, head, fn_hash) {
-                                if (f->fn_key != k)
-                                        continue;
-                                err = fib_semantic_match(&f->fn_alias,
-                                                 flp, res,
-                                                 fz->fz_order, fib_flags);
-                                if (err <= 0)
-                                        goto out;
-                        }
-                } while (read_seqretry(&fz->fz_lock, seq));
-        }
-        err = 1;
-out:
-        rcu_read_unlock();
-        return err;
-}
-void fib_table_select_default(struct fib_table *tb,
-                              const struct flowi *flp, struct fib_result *res)
-{
-        int order, last_idx;
-        struct hlist_node *node;
-        struct fib_node *f;
-        struct fib_info *fi = NULL;
-        struct fib_info *last_resort;
-        struct fn_hash *t = (struct fn_hash *)tb->tb_data;
-        struct fn_zone *fz = t->fn_zones[0];
-        struct hlist_head *head;
-        if (fz == NULL)
-                return;
-        last_idx = -1;
-        last_resort = NULL;
-        order = -1;
-        rcu_read_lock();
-        head = rcu_dereference(fz->fz_hash);
-        hlist_for_each_entry_rcu(f, node, head, fn_hash) {
-                struct fib_alias *fa;
-                list_for_each_entry_rcu(fa, &f->fn_alias, fa_list) {
-                        struct fib_info *next_fi = fa->fa_info;
-                        if (fa->fa_scope != res->scope ||
-                            fa->fa_type != RTN_UNICAST)
-                                continue;
-                        if (next_fi->fib_priority > res->fi->fib_priority)
-                                break;
-                        if (!next_fi->fib_nh[0].nh_gw ||
-                            next_fi->fib_nh[0].nh_scope != RT_SCOPE_LINK)
-                                continue;
-                        fib_alias_accessed(fa);
-                        if (fi == NULL) {
-                                if (next_fi != res->fi)
-                                        break;
-                        } else if (!fib_detect_death(fi, order, &last_resort,
-                                                &last_idx, tb->tb_default)) {
-                                fib_result_assign(res, fi);
-                                tb->tb_default = order;
-                                goto out;
-                        }
-                        fi = next_fi;
-                        order++;
-                }
-        }
-        if (order <= 0 || fi == NULL) {
-                tb->tb_default = -1;
-                goto out;
-        }
-        if (!fib_detect_death(fi, order, &last_resort, &last_idx,
-                                tb->tb_default)) {
-                fib_result_assign(res, fi);
-                tb->tb_default = order;
-                goto out;
-        }
-        if (last_idx >= 0)
-                fib_result_assign(res, last_resort);
-        tb->tb_default = last_idx;
-out:
-        rcu_read_unlock();
-}
-/* Insert node F to FZ. */
-static inline void fib_insert_node(struct fn_zone *fz, struct fib_node *f)
-{
-        struct hlist_head *head = rtnl_dereference(fz->fz_hash) + fn_hash(f->fn_key, fz);
-        hlist_add_head_rcu(&f->fn_hash, head);
-}
-/* Return the node in FZ matching KEY. */
-static struct fib_node *fib_find_node(struct fn_zone *fz, __be32 key)
-{
-        struct hlist_head *head = rtnl_dereference(fz->fz_hash) + fn_hash(key, fz);
-        struct hlist_node *node;
-        struct fib_node *f;
-        hlist_for_each_entry_rcu(f, node, head, fn_hash) {
-                if (f->fn_key == key)
-                        return f;
-        }
-        return NULL;
-}
-static struct fib_alias *fib_fast_alloc(struct fib_node *f)
-{
-        struct fib_alias *fa = &f->fn_embedded_alias;
-        if (fa->fa_info != NULL)
-                fa = kmem_cache_alloc(fn_alias_kmem, GFP_KERNEL);
-        return fa;
-}
-/* Caller must hold RTNL. */
-int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
-{
-        struct fn_hash *table = (struct fn_hash *) tb->tb_data;
-        struct fib_node *new_f = NULL;
-        struct fib_node *f;
-        struct fib_alias *fa, *new_fa;
-        struct fn_zone *fz;
-        struct fib_info *fi;
-        u8 tos = cfg->fc_tos;
-        __be32 key;
-        int err;
-        if (cfg->fc_dst_len > 32)
-                return -EINVAL;
-        fz = table->fn_zones[cfg->fc_dst_len];
-        if (!fz && !(fz = fn_new_zone(table, cfg->fc_dst_len)))
-                return -ENOBUFS;
-        key = 0;
-        if (cfg->fc_dst) {
-                if (cfg->fc_dst & ~FZ_MASK(fz))
-                        return -EINVAL;
-                key = fz_key(cfg->fc_dst, fz);
-        }
-        fi = fib_create_info(cfg);
-        if (IS_ERR(fi))
-                return PTR_ERR(fi);
-        if (fz->fz_nent > (fz->fz_divisor<<1) &&
-            fz->fz_divisor < FZ_MAX_DIVISOR &&
-            (cfg->fc_dst_len == 32 ||
-             (1 << cfg->fc_dst_len) > fz->fz_divisor))
-                fn_rehash_zone(fz);
-        f = fib_find_node(fz, key);
-        if (!f)
-                fa = NULL;
-        else
-                fa = fib_find_alias(&f->fn_alias, tos, fi->fib_priority);
-        /* Now fa, if non-NULL, points to the first fib alias
-         * with the same keys [prefix,tos,priority], if such key already
-         * exists or to the node before which we will insert new one.
-         *
-         * If fa is NULL, we will need to allocate a new one and
-         * insert to the head of f.
-         *
-         * If f is NULL, no fib node matched the destination key
-         * and we need to allocate a new one of those as well.
-         */
-        if (fa && fa->fa_tos == tos &&
-            fa->fa_info->fib_priority == fi->fib_priority) {
-                struct fib_alias *fa_first, *fa_match;
-                err = -EEXIST;
-                if (cfg->fc_nlflags & NLM_F_EXCL)
-                        goto out;
-                /* We have 2 goals:
-                 * 1. Find exact match for type, scope, fib_info to avoid
-                 * duplicate routes
-                 * 2. Find next 'fa' (or head), NLM_F_APPEND inserts before it
-                 */
-                fa_match = NULL;
-                fa_first = fa;
-                fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
-                list_for_each_entry_continue(fa, &f->fn_alias, fa_list) {
-                        if (fa->fa_tos != tos)
-                                break;
-                        if (fa->fa_info->fib_priority != fi->fib_priority)
-                                break;
-                        if (fa->fa_type == cfg->fc_type &&
-                            fa->fa_scope == cfg->fc_scope &&
-                            fa->fa_info == fi) {
-                                fa_match = fa;
-                                break;
-                        }
-                }
-                if (cfg->fc_nlflags & NLM_F_REPLACE) {
-                        u8 state;
-                        fa = fa_first;
-                        if (fa_match) {
-                                if (fa == fa_match)
-                                        err = 0;
-                                goto out;
-                        }
-                        err = -ENOBUFS;
-                        new_fa = fib_fast_alloc(f);
-                        if (new_fa == NULL)
-                                goto out;
-                        new_fa->fa_tos = fa->fa_tos;
-                        new_fa->fa_info = fi;
-                        new_fa->fa_type = cfg->fc_type;
-                        new_fa->fa_scope = cfg->fc_scope;
-                        state = fa->fa_state;
-                        new_fa->fa_state = state & ~FA_S_ACCESSED;
-                        fib_hash_genid++;
-                        list_replace_rcu(&fa->fa_list, &new_fa->fa_list);
-                        fn_free_alias(fa, f);
-                        if (state & FA_S_ACCESSED)
-                                rt_cache_flush(cfg->fc_nlinfo.nl_net, -1);
-                        rtmsg_fib(RTM_NEWROUTE, key, new_fa, cfg->fc_dst_len,
-                                  tb->tb_id, &cfg->fc_nlinfo, NLM_F_REPLACE);
-                        return 0;
-                }
-                /* Error if we find a perfect match which
-                 * uses the same scope, type, and nexthop
-                 * information.
-                 */
-                if (fa_match)
-                        goto out;
-                if (!(cfg->fc_nlflags & NLM_F_APPEND))
-                        fa = fa_first;
-        }
-        err = -ENOENT;
-        if (!(cfg->fc_nlflags & NLM_F_CREATE))
-                goto out;
-        err = -ENOBUFS;
-        if (!f) {
-                new_f = kmem_cache_zalloc(fn_hash_kmem, GFP_KERNEL);
-                if (new_f == NULL)
-                        goto out;
-                INIT_HLIST_NODE(&new_f->fn_hash);
-                INIT_LIST_HEAD(&new_f->fn_alias);
-                new_f->fn_key = key;
-                f = new_f;
-        }
-        new_fa = fib_fast_alloc(f);
-        if (new_fa == NULL)
-                goto out;
-        new_fa->fa_info = fi;
-        new_fa->fa_tos = tos;
-        new_fa->fa_type = cfg->fc_type;
-        new_fa->fa_scope = cfg->fc_scope;
-        new_fa->fa_state = 0;
-        /*
-         * Insert new entry to the list.
-         */
-        if (new_f)
-                fib_insert_node(fz, new_f);
-        list_add_tail_rcu(&new_fa->fa_list,
-                 (fa ? &fa->fa_list : &f->fn_alias));
-        fib_hash_genid++;
-        if (new_f)
-                fz->fz_nent++;
-        rt_cache_flush(cfg->fc_nlinfo.nl_net, -1);
-        rtmsg_fib(RTM_NEWROUTE, key, new_fa, cfg->fc_dst_len, tb->tb_id,
-                  &cfg->fc_nlinfo, 0);
-        return 0;
-out:
-        if (new_f)
-                kmem_cache_free(fn_hash_kmem, new_f);
-        fib_release_info(fi);
-        return err;
-}
-int fib_table_delete(struct fib_table *tb, struct fib_config *cfg)
-{
-        struct fn_hash *table = (struct fn_hash *)tb->tb_data;
-        struct fib_node *f;
-        struct fib_alias *fa, *fa_to_delete;
-        struct fn_zone *fz;
-        __be32 key;
-        if (cfg->fc_dst_len > 32)
-                return -EINVAL;
-        if ((fz  = table->fn_zones[cfg->fc_dst_len]) == NULL)
-                return -ESRCH;
-        key = 0;
-        if (cfg->fc_dst) {
-                if (cfg->fc_dst & ~FZ_MASK(fz))
-                        return -EINVAL;
-                key = fz_key(cfg->fc_dst, fz);
-        }
-        f = fib_find_node(fz, key);
-        if (!f)
-                fa = NULL;
-        else
-                fa = fib_find_alias(&f->fn_alias, cfg->fc_tos, 0);
-        if (!fa)
-                return -ESRCH;
-        fa_to_delete = NULL;
-        fa = list_entry(fa->fa_list.prev, struct fib_alias, fa_list);
-        list_for_each_entry_continue(fa, &f->fn_alias, fa_list) {
-                struct fib_info *fi = fa->fa_info;
-                if (fa->fa_tos != cfg->fc_tos)
-                        break;
-                if ((!cfg->fc_type ||
-                     fa->fa_type == cfg->fc_type) &&
-                    (cfg->fc_scope == RT_SCOPE_NOWHERE ||
-                     fa->fa_scope == cfg->fc_scope) &&
-                    (!cfg->fc_protocol ||
-                     fi->fib_protocol == cfg->fc_protocol) &&
-                    fib_nh_match(cfg, fi) == 0) {
-                        fa_to_delete = fa;
-                        break;
-                }
-        }
-        if (fa_to_delete) {
-                int kill_fn;
-                fa = fa_to_delete;
-                rtmsg_fib(RTM_DELROUTE, key, fa, cfg->fc_dst_len,
-                          tb->tb_id, &cfg->fc_nlinfo, 0);
-                kill_fn = 0;
-                list_del_rcu(&fa->fa_list);
-                if (list_empty(&f->fn_alias)) {
-                        hlist_del_rcu(&f->fn_hash);
-                        kill_fn = 1;
-                }
-                fib_hash_genid++;
-                if (fa->fa_state & FA_S_ACCESSED)
-                        rt_cache_flush(cfg->fc_nlinfo.nl_net, -1);
-                fn_free_alias(fa, f);
-                if (kill_fn) {
-                        fn_free_node(f);
-                        fz->fz_nent--;
-                }
-                return 0;
-        }
-        return -ESRCH;
-}
-static int fn_flush_list(struct fn_zone *fz, int idx)
-{
-        struct hlist_head *head = rtnl_dereference(fz->fz_hash) + idx;
-        struct hlist_node *node, *n;
-        struct fib_node *f;
-        int found = 0;
-        hlist_for_each_entry_safe(f, node, n, head, fn_hash) {
-                struct fib_alias *fa, *fa_node;
-                int kill_f;
-                kill_f = 0;
-                list_for_each_entry_safe(fa, fa_node, &f->fn_alias, fa_list) {
-                        struct fib_info *fi = fa->fa_info;
-                        if (fi && (fi->fib_flags&RTNH_F_DEAD)) {
-                                list_del_rcu(&fa->fa_list);
-                                if (list_empty(&f->fn_alias)) {
-                                        hlist_del_rcu(&f->fn_hash);
-                                        kill_f = 1;
-                                }
-                                fib_hash_genid++;
-                                fn_free_alias(fa, f);
-                                found++;
-                        }
-                }
-                if (kill_f) {
-                        fn_free_node(f);
-                        fz->fz_nent--;
-                }
-        }
-        return found;
-}
-/* caller must hold RTNL. */
-int fib_table_flush(struct fib_table *tb)
-{
-        struct fn_hash *table = (struct fn_hash *) tb->tb_data;
-        struct fn_zone *fz;
-        int found = 0;
-        for (fz = rtnl_dereference(table->fn_zone_list);
-             fz != NULL;
-             fz = rtnl_dereference(fz->fz_next)) {
-                int i;
-                for (i = fz->fz_divisor - 1; i >= 0; i--)
-                        found += fn_flush_list(fz, i);
-        }
-        return found;
-}
-void fib_free_table(struct fib_table *tb)
-{
-        struct fn_hash *table = (struct fn_hash *) tb->tb_data;
-        struct fn_zone *fz, *next;
-        next = table->fn_zone_list;
-        while (next != NULL) {
-                fz = next;
-                next = fz->fz_next;
-                if (fz->fz_hash != fz->fz_embedded_hash)
-                        fz_hash_free(fz->fz_hash, fz->fz_divisor);
-                kfree(fz);
-        }
-        kfree(tb);
-}
-static inline int
-fn_hash_dump_bucket(struct sk_buff *skb, struct netlink_callback *cb,
-                     struct fib_table *tb,
-                     struct fn_zone *fz,
-                     struct hlist_head *head)
-{
-        struct hlist_node *node;
-        struct fib_node *f;
-        int i, s_i;
-        s_i = cb->args[4];
-        i = 0;
-        hlist_for_each_entry_rcu(f, node, head, fn_hash) {
-                struct fib_alias *fa;
-                list_for_each_entry_rcu(fa, &f->fn_alias, fa_list) {
-                        if (i < s_i)
-                                goto next;
-                        if (fib_dump_info(skb, NETLINK_CB(cb->skb).pid,
-                                          cb->nlh->nlmsg_seq,
-                                          RTM_NEWROUTE,
-                                          tb->tb_id,
-                                          fa->fa_type,
-                                          fa->fa_scope,
-                                          f->fn_key,
-                                          fz->fz_order,
-                                          fa->fa_tos,
-                                          fa->fa_info,
-                                          NLM_F_MULTI) < 0) {
-                                cb->args[4] = i;
-                                return -1;
-                        }
-next:
-                        i++;
-                }
-        }
-        cb->args[4] = i;
-        return skb->len;
-}
-static inline int
-fn_hash_dump_zone(struct sk_buff *skb, struct netlink_callback *cb,
-                   struct fib_table *tb,
-                   struct fn_zone *fz)
-{
-        int h, s_h;
-        struct hlist_head *head = rcu_dereference(fz->fz_hash);
-        if (head == NULL)
-                return skb->len;
-        s_h = cb->args[3];
-        for (h = s_h; h < fz->fz_divisor; h++) {
-                if (hlist_empty(head + h))
-                        continue;
-                if (fn_hash_dump_bucket(skb, cb, tb, fz, head + h) < 0) {
-                        cb->args[3] = h;
-                        return -1;
-                }
-                memset(&cb->args[4], 0,
-                       sizeof(cb->args) - 4*sizeof(cb->args[0]));
-        }
-        cb->args[3] = h;
-        return skb->len;
-}
-int fib_table_dump(struct fib_table *tb, struct sk_buff *skb,
-                   struct netlink_callback *cb)
-{
-        int m = 0, s_m;
-        struct fn_zone *fz;
-        struct fn_hash *table = (struct fn_hash *)tb->tb_data;
-        s_m = cb->args[2];
-        rcu_read_lock();
-        for (fz = rcu_dereference(table->fn_zone_list);
-             fz != NULL;
-             fz = rcu_dereference(fz->fz_next), m++) {
-                if (m < s_m)
-                        continue;
-                if (fn_hash_dump_zone(skb, cb, tb, fz) < 0) {
-                        cb->args[2] = m;
-                        rcu_read_unlock();
-                        return -1;
-                }
-                memset(&cb->args[3], 0,
-                       sizeof(cb->args) - 3*sizeof(cb->args[0]));
-        }
-        rcu_read_unlock();
-        cb->args[2] = m;
-        return skb->len;
-}
-void __init fib_hash_init(void)
-{
-        fn_hash_kmem = kmem_cache_create("ip_fib_hash", sizeof(struct fib_node),
-                                         0, SLAB_PANIC, NULL);
-        fn_alias_kmem = kmem_cache_create("ip_fib_alias", sizeof(struct fib_alias),
-                                          0, SLAB_PANIC, NULL);
-}
-struct fib_table *fib_hash_table(u32 id)
-{
-        struct fib_table *tb;
-        tb = kmalloc(sizeof(struct fib_table) + sizeof(struct fn_hash),
-                     GFP_KERNEL);
-        if (tb == NULL)
-                return NULL;
-        tb->tb_id = id;
-        tb->tb_default = -1;
-        memset(tb->tb_data, 0, sizeof(struct fn_hash));
-        return tb;
-}
-/* ------------------------------------------------------------------------ */
-#ifdef CONFIG_PROC_FS
-struct fib_iter_state {
-        struct seq_net_private p;
-        struct fn_zone  *zone;
-        int             bucket;
-        struct hlist_head *hash_head;
-        struct fib_node *fn;
-        struct fib_alias *fa;
-        loff_t pos;
-        unsigned int genid;
-        int valid;
-};
-static struct fib_alias *fib_get_first(struct seq_file *seq)
-{
-        struct fib_iter_state *iter = seq->private;
-        struct fib_table *main_table;
-        struct fn_hash *table;
-        main_table = fib_get_table(seq_file_net(seq), RT_TABLE_MAIN);
-        table = (struct fn_hash *)main_table->tb_data;
-        iter->bucket    = 0;
-        iter->hash_head = NULL;
-        iter->fn        = NULL;
-        iter->fa        = NULL;
-        iter->pos       = 0;
-        iter->genid     = fib_hash_genid;
-        iter->valid     = 1;
-        for (iter->zone = rcu_dereference(table->fn_zone_list);
-             iter->zone != NULL;
-             iter->zone = rcu_dereference(iter->zone->fz_next)) {
-                int maxslot;
-                if (!iter->zone->fz_nent)
-                        continue;
-                iter->hash_head = rcu_dereference(iter->zone->fz_hash);
-                maxslot = iter->zone->fz_divisor;
-                for (iter->bucket = 0; iter->bucket < maxslot;
-                     ++iter->bucket, ++iter->hash_head) {
-                        struct hlist_node *node;
-                        struct fib_node *fn;
-                        hlist_for_each_entry(fn, node, iter->hash_head, fn_hash) {
-                                struct fib_alias *fa;
-                                list_for_each_entry(fa, &fn->fn_alias, fa_list) {
-                                        iter->fn = fn;
-                                        iter->fa = fa;
-                                        goto out;
-                                }
-                        }
-                }
-        }
-out:
-        return iter->fa;
-}
-static struct fib_alias *fib_get_next(struct seq_file *seq)
-{
-        struct fib_iter_state *iter = seq->private;
-        struct fib_node *fn;
-        struct fib_alias *fa;
-        /* Advance FA, if any. */
-        fn = iter->fn;
-        fa = iter->fa;
-        if (fa) {
-                BUG_ON(!fn);
-                list_for_each_entry_continue(fa, &fn->fn_alias, fa_list) {
-                        iter->fa = fa;
-                        goto out;
-                }
-        }
-        fa = iter->fa = NULL;
-        /* Advance FN. */
-        if (fn) {
-                struct hlist_node *node = &fn->fn_hash;
-                hlist_for_each_entry_continue(fn, node, fn_hash) {
-                        iter->fn = fn;
-                        list_for_each_entry(fa, &fn->fn_alias, fa_list) {
-                                iter->fa = fa;
-                                goto out;
-                        }
-                }
-        }
-        fn = iter->fn = NULL;
-        /* Advance hash chain. */
-        if (!iter->zone)
-                goto out;
-        for (;;) {
-                struct hlist_node *node;
-                int maxslot;
-                maxslot = iter->zone->fz_divisor;
-                while (++iter->bucket < maxslot) {
-                        iter->hash_head++;
-                        hlist_for_each_entry(fn, node, iter->hash_head, fn_hash) {
-                                list_for_each_entry(fa, &fn->fn_alias, fa_list) {
-                                        iter->fn = fn;
-                                        iter->fa = fa;
-                                        goto out;
-                                }
-                        }
-                }
-                iter->zone = rcu_dereference(iter->zone->fz_next);
-                if (!iter->zone)
-                        goto out;
-                iter->bucket = 0;
-                iter->hash_head = rcu_dereference(iter->zone->fz_hash);
-                hlist_for_each_entry(fn, node, iter->hash_head, fn_hash) {
-                        list_for_each_entry(fa, &fn->fn_alias, fa_list) {
-                                iter->fn = fn;
-                                iter->fa = fa;
-                                goto out;
-                        }
-                }
-        }
-out:
-        iter->pos++;
-        return fa;
-}
-static struct fib_alias *fib_get_idx(struct seq_file *seq, loff_t pos)
-{
-        struct fib_iter_state *iter = seq->private;
-        struct fib_alias *fa;
-        if (iter->valid && pos >= iter->pos && iter->genid == fib_hash_genid) {
-                fa   = iter->fa;
-                pos -= iter->pos;
-        } else
-                fa = fib_get_first(seq);
-        if (fa)
-                while (pos && (fa = fib_get_next(seq)))
-                        --pos;
-        return pos ? NULL : fa;
-}
-static void *fib_seq_start(struct seq_file *seq, loff_t *pos)
-        __acquires(RCU)
-{
-        void *v = NULL;
-        rcu_read_lock();
-        if (fib_get_table(seq_file_net(seq), RT_TABLE_MAIN))
-                v = *pos ? fib_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
-        return v;
-}
-static void *fib_seq_next(struct seq_file *seq, void *v, loff_t *pos)
-{
-        ++*pos;
-        return v == SEQ_START_TOKEN ? fib_get_first(seq) : fib_get_next(seq);
-}
-static void fib_seq_stop(struct seq_file *seq, void *v)
-        __releases(RCU)
-{
-        rcu_read_unlock();
-}
-static unsigned fib_flag_trans(int type, __be32 mask, struct fib_info *fi)
-{
-        static const unsigned type2flags[RTN_MAX + 1] = {
-                [7] = RTF_REJECT,
-                [8] = RTF_REJECT,
-        };
-        unsigned flags = type2flags[type];
-        if (fi && fi->fib_nh->nh_gw)
-                flags |= RTF_GATEWAY;
-        if (mask == htonl(0xFFFFFFFF))
-                flags |= RTF_HOST;
-        flags |= RTF_UP;
-        return flags;
-}
-/*
- *      This outputs /proc/net/route.
- *
- *      It always works in backward compatibility mode.
- *      The format of the file is not supposed to be changed.
- */
-static int fib_seq_show(struct seq_file *seq, void *v)
-{
-        struct fib_iter_state *iter;
-        int len;
-        __be32 prefix, mask;
-        unsigned flags;
-        struct fib_node *f;
-        struct fib_alias *fa;
-        struct fib_info *fi;
-        if (v == SEQ_START_TOKEN) {
-                seq_printf(seq, "%-127s\n", "Iface\tDestination\tGateway "
-                           "\tFlags\tRefCnt\tUse\tMetric\tMask\t\tMTU"
-                           "\tWindow\tIRTT");
-                goto out;
-        }
-        iter    = seq->private;
-        f       = iter->fn;
-        fa      = iter->fa;
-        fi      = fa->fa_info;
-        prefix  = f->fn_key;
-        mask    = FZ_MASK(iter->zone);
-        flags   = fib_flag_trans(fa->fa_type, mask, fi);
-        if (fi)
-                seq_printf(seq,
-                         "%s\t%08X\t%08X\t%04X\t%d\t%u\t%d\t%08X\t%d\t%u\t%u%n",
-                         fi->fib_dev ? fi->fib_dev->name : "*", prefix,
-                         fi->fib_nh->nh_gw, flags, 0, 0, fi->fib_priority,
-                         mask, (fi->fib_advmss ? fi->fib_advmss + 40 : 0),
-                         fi->fib_window,
-                         fi->fib_rtt >> 3, &len);
-        else
-                seq_printf(seq,
-                         "*\t%08X\t%08X\t%04X\t%d\t%u\t%d\t%08X\t%d\t%u\t%u%n",
-                         prefix, 0, flags, 0, 0, 0, mask, 0, 0, 0, &len);
-        seq_printf(seq, "%*s\n", 127 - len, "");
-out:
-        return 0;
-}
-static const struct seq_operations fib_seq_ops = {
-        .start  = fib_seq_start,
-        .next   = fib_seq_next,
-        .stop   = fib_seq_stop,
-        .show   = fib_seq_show,
-};
-static int fib_seq_open(struct inode *inode, struct file *file)
-{
-        return seq_open_net(inode, file, &fib_seq_ops,
-                            sizeof(struct fib_iter_state));
-}
-static const struct file_operations fib_seq_fops = {
-        .owner          = THIS_MODULE,
-        .open           = fib_seq_open,
-        .read           = seq_read,
-        .llseek         = seq_lseek,
-        .release        = seq_release_net,
-};
-int __net_init fib_proc_init(struct net *net)
-{
-        if (!proc_net_fops_create(net, "route", S_IRUGO, &fib_seq_fops))
-                return -ENOMEM;
-        return 0;
-}
-void __net_exit fib_proc_exit(struct net *net)
-{
-        proc_net_remove(net, "route");
-}
-#endif /* CONFIG_PROC_FS */
diff --git a/net/ipv4/fib_lookup.h b/net/ipv4/fib_lookup.h
index c079cc0ec651..af0f14aba169 100644
--- a/net/ipv4/fib_lookup.h
+++ b/net/ipv4/fib_lookup.h
@@ -10,7 +10,6 @@ struct fib_alias {
        struct fib_info         *fa_info;
        u8                      fa_tos;
        u8                      fa_type;
-        u8                      fa_scope;
        u8                      fa_state;
        struct rcu_head         rcu;
 };
@@ -25,14 +24,11 @@ static inline void fib_alias_accessed(struct fib_alias *fa)
 }
 /* Exported by fib_semantics.c */
-extern int fib_semantic_match(struct list_head *head,
-                              const struct flowi *flp,
-                              struct fib_result *res, int prefixlen, int fib_flags);
 extern void fib_release_info(struct fib_info *);
 extern struct fib_info *fib_create_info(struct fib_config *cfg);
 extern int fib_nh_match(struct fib_config *cfg, struct fib_info *fi);
 extern int fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
-                         u32 tb_id, u8 type, u8 scope, __be32 dst,
+                         u32 tb_id, u8 type, __be32 dst,
                         int dst_len, u8 tos, struct fib_info *fi,
                         unsigned int);
 extern void rtmsg_fib(int event, __be32 key, struct fib_alias *fa,
@@ -51,4 +47,11 @@ static inline void fib_result_assign(struct fib_result *res,
        res->fi = fi;
 }
+struct fib_prop {
+        int     error;
+        u8      scope;
+};
+extern const struct fib_prop fib_props[RTN_MAX + 1];
 #endif /* _FIB_LOOKUP_H */
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 7981a24f5c7b..a53bb1b5b118 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -41,19 +41,19 @@ struct fib4_rule {
        __be32                  srcmask;
        __be32                  dst;
        __be32                  dstmask;
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
        u32                     tclassid;
 #endif
 };
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
-u32 fib_rules_tclass(struct fib_result *res)
+u32 fib_rules_tclass(const struct fib_result *res)
 {
        return res->r ? ((struct fib4_rule *) res->r)->tclassid : 0;
 }
 #endif
-int fib_lookup(struct net *net, struct flowi *flp, struct fib_result *res)
+int fib_lookup(struct net *net, struct flowi4 *flp, struct fib_result *res)
 {
        struct fib_lookup_arg arg = {
                .result = res,
@@ -61,7 +61,7 @@ int fib_lookup(struct net *net, struct flowi *flp, struct fib_result *res)
        };
        int err;
-        err = fib_rules_lookup(net->ipv4.rules_ops, flp, 0, &arg);
+        err = fib_rules_lookup(net->ipv4.rules_ops, flowi4_to_flowi(flp), 0, &arg);
        res->r = arg.rule;
        return err;
@@ -95,7 +95,7 @@ static int fib4_rule_action(struct fib_rule *rule, struct flowi *flp,
        if (!tbl)
                goto errout;
-        err = fib_table_lookup(tbl, flp, (struct fib_result *) arg->result, arg->flags);
+        err = fib_table_lookup(tbl, &flp->u.ip4, (struct fib_result *) arg->result, arg->flags);
        if (err > 0)
                err = -EAGAIN;
 errout:
@@ -106,14 +106,15 @@ errout:
 static int fib4_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)
 {
        struct fib4_rule *r = (struct fib4_rule *) rule;
-        __be32 daddr = fl->fl4_dst;
+        struct flowi4 *fl4 = &fl->u.ip4;
-        __be32 saddr = fl->fl4_src;
+        __be32 daddr = fl4->daddr;
+        __be32 saddr = fl4->saddr;
        if (((saddr ^ r->src) & r->srcmask) ||
            ((daddr ^ r->dst) & r->dstmask))
                return 0;
-        if (r->tos && (r->tos != fl->fl4_tos))
+        if (r->tos && (r->tos != fl4->flowi4_tos))
                return 0;
        return 1;
@@ -165,7 +166,7 @@ static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
        if (frh->dst_len)
                rule4->dst = nla_get_be32(tb[FRA_DST]);
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
        if (tb[FRA_FLOW])
                rule4->tclassid = nla_get_u32(tb[FRA_FLOW]);
 #endif
@@ -195,7 +196,7 @@ static int fib4_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh,
        if (frh->tos && (rule4->tos != frh->tos))
                return 0;
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
        if (tb[FRA_FLOW] && (rule4->tclassid != nla_get_u32(tb[FRA_FLOW])))
                return 0;
 #endif
@@ -224,7 +225,7 @@ static int fib4_rule_fill(struct fib_rule *rule, struct sk_buff *skb,
        if (rule4->src_len)
                NLA_PUT_BE32(skb, FRA_SRC, rule4->src);
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
        if (rule4->tclassid)
                NLA_PUT_U32(skb, FRA_FLOW, rule4->tclassid);
 #endif
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 12d3dc3df1b7..33e2c35b74b7 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -49,7 +49,7 @@
 static DEFINE_SPINLOCK(fib_info_lock);
 static struct hlist_head *fib_info_hash;
 static struct hlist_head *fib_info_laddrhash;
-static unsigned int fib_hash_size;
+static unsigned int fib_info_hash_size;
 static unsigned int fib_info_cnt;
 #define DEVINDEX_HASHBITS 8
@@ -90,11 +90,7 @@ static DEFINE_SPINLOCK(fib_multipath_lock);
 #define endfor_nexthops(fi) }
-static const struct
+const struct fib_prop fib_props[RTN_MAX + 1] = {
-{
-        int     error;
-        u8      scope;
-} fib_props[RTN_MAX + 1] = {
        [RTN_UNSPEC] = {
                .error  = 0,
                .scope  = RT_SCOPE_NOWHERE,
@@ -145,16 +141,8 @@ static const struct
        },
 };
 /* Release a nexthop info record */
-static void free_fib_info_rcu(struct rcu_head *head)
-{
-        struct fib_info *fi = container_of(head, struct fib_info, rcu);
-        kfree(fi);
-}
 void free_fib_info(struct fib_info *fi)
 {
        if (fi->fib_dead == 0) {
@@ -168,7 +156,7 @@ void free_fib_info(struct fib_info *fi)
        } endfor_nexthops(fi);
        fib_info_cnt--;
        release_net(fi->fib_net);
-        call_rcu(&fi->rcu, free_fib_info_rcu);
+        kfree_rcu(fi, rcu);
 }
 void fib_release_info(struct fib_info *fi)
@@ -200,7 +188,7 @@ static inline int nh_comp(const struct fib_info *fi, const struct fib_info *ofi)
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
                    nh->nh_weight != onh->nh_weight ||
 #endif
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
                    nh->nh_tclassid != onh->nh_tclassid ||
 #endif
                    ((nh->nh_flags ^ onh->nh_flags) & ~RTNH_F_DEAD))
@@ -221,10 +209,10 @@ static inline unsigned int fib_devindex_hashfn(unsigned int val)
 static inline unsigned int fib_info_hashfn(const struct fib_info *fi)
 {
-        unsigned int mask = (fib_hash_size - 1);
+        unsigned int mask = (fib_info_hash_size - 1);
        unsigned int val = fi->fib_nhs;
-        val ^= fi->fib_protocol;
+        val ^= (fi->fib_protocol << 8) | fi->fib_scope;
        val ^= (__force u32)fi->fib_prefsrc;
        val ^= fi->fib_priority;
        for_nexthops(fi) {
@@ -250,10 +238,11 @@ static struct fib_info *fib_find_info(const struct fib_info *nfi)
                if (fi->fib_nhs != nfi->fib_nhs)
                        continue;
                if (nfi->fib_protocol == fi->fib_protocol &&
+                    nfi->fib_scope == fi->fib_scope &&
                    nfi->fib_prefsrc == fi->fib_prefsrc &&
                    nfi->fib_priority == fi->fib_priority &&
                    memcmp(nfi->fib_metrics, fi->fib_metrics,
-                           sizeof(fi->fib_metrics)) == 0 &&
+                           sizeof(u32) * RTAX_MAX) == 0 &&
                    ((nfi->fib_flags ^ fi->fib_flags) & ~RTNH_F_DEAD) == 0 &&
                    (nfi->fib_nhs == 0 || nh_comp(fi, nfi) == 0))
                        return fi;
@@ -330,7 +319,7 @@ void rtmsg_fib(int event, __be32 key, struct fib_alias *fa,
                goto errout;
        err = fib_dump_info(skb, info->pid, seq, event, tb_id,
-                            fa->fa_type, fa->fa_scope, key, dst_len,
+                            fa->fa_type, key, dst_len,
                            fa->fa_tos, fa->fa_info, nlm_flags);
        if (err < 0) {
                /* -EMSGSIZE implies BUG in fib_nlmsg_size() */
@@ -422,7 +411,7 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
                        nla = nla_find(attrs, attrlen, RTA_GATEWAY);
                        nexthop_nh->nh_gw = nla ? nla_get_be32(nla) : 0;
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
                        nla = nla_find(attrs, attrlen, RTA_FLOW);
                        nexthop_nh->nh_tclassid = nla ? nla_get_u32(nla) : 0;
 #endif
@@ -476,7 +465,7 @@ int fib_nh_match(struct fib_config *cfg, struct fib_info *fi)
                        nla = nla_find(attrs, attrlen, RTA_GATEWAY);
                        if (nla && nla_get_be32(nla) != nh->nh_gw)
                                return 1;
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
                        nla = nla_find(attrs, attrlen, RTA_FLOW);
                        if (nla && nla_get_u32(nla) != nh->nh_tclassid)
                                return 1;
@@ -562,16 +551,16 @@ static int fib_check_nh(struct fib_config *cfg, struct fib_info *fi,
                }
                rcu_read_lock();
                {
-                        struct flowi fl = {
+                        struct flowi4 fl4 = {
-                                .fl4_dst = nh->nh_gw,
+                                .daddr = nh->nh_gw,
-                                .fl4_scope = cfg->fc_scope + 1,
+                                .flowi4_scope = cfg->fc_scope + 1,
-                                .oif = nh->nh_oif,
+                                .flowi4_oif = nh->nh_oif,
                        };
                        /* It is not necessary, but requires a bit of thinking */
-                        if (fl.fl4_scope < RT_SCOPE_LINK)
+                        if (fl4.flowi4_scope < RT_SCOPE_LINK)
-                                fl.fl4_scope = RT_SCOPE_LINK;
+                                fl4.flowi4_scope = RT_SCOPE_LINK;
-                        err = fib_lookup(net, &fl, &res);
+                        err = fib_lookup(net, &fl4, &res);
                        if (err) {
                                rcu_read_unlock();
                                return err;
@@ -613,14 +602,14 @@ out:
 static inline unsigned int fib_laddr_hashfn(__be32 val)
 {
-        unsigned int mask = (fib_hash_size - 1);
+        unsigned int mask = (fib_info_hash_size - 1);
        return ((__force u32)val ^
                ((__force u32)val >> 7) ^
                ((__force u32)val >> 14)) & mask;
 }
-static struct hlist_head *fib_hash_alloc(int bytes)
+static struct hlist_head *fib_info_hash_alloc(int bytes)
 {
        if (bytes <= PAGE_SIZE)
                return kzalloc(bytes, GFP_KERNEL);
@@ -630,7 +619,7 @@ static struct hlist_head *fib_hash_alloc(int bytes)
                                         get_order(bytes));
 }
-static void fib_hash_free(struct hlist_head *hash, int bytes)
+static void fib_info_hash_free(struct hlist_head *hash, int bytes)
 {
        if (!hash)
                return;
@@ -641,18 +630,18 @@ static void fib_hash_free(struct hlist_head *hash, int bytes)
                free_pages((unsigned long) hash, get_order(bytes));
 }
-static void fib_hash_move(struct hlist_head *new_info_hash,
+static void fib_info_hash_move(struct hlist_head *new_info_hash,
-                          struct hlist_head *new_laddrhash,
+                               struct hlist_head *new_laddrhash,
-                          unsigned int new_size)
+                               unsigned int new_size)
 {
        struct hlist_head *old_info_hash, *old_laddrhash;
-        unsigned int old_size = fib_hash_size;
+        unsigned int old_size = fib_info_hash_size;
        unsigned int i, bytes;
        spin_lock_bh(&fib_info_lock);
        old_info_hash = fib_info_hash;
        old_laddrhash = fib_info_laddrhash;
-        fib_hash_size = new_size;
+        fib_info_hash_size = new_size;
        for (i = 0; i < old_size; i++) {
                struct hlist_head *head = &fib_info_hash[i];
@@ -693,8 +682,18 @@ static void fib_hash_move(struct hlist_head *new_info_hash,
        spin_unlock_bh(&fib_info_lock);
        bytes = old_size * sizeof(struct hlist_head *);
-        fib_hash_free(old_info_hash, bytes);
+        fib_info_hash_free(old_info_hash, bytes);
-        fib_hash_free(old_laddrhash, bytes);
+        fib_info_hash_free(old_laddrhash, bytes);
+}
+__be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh)
+{
+        nh->nh_saddr = inet_select_addr(nh->nh_dev,
+                                        nh->nh_gw,
+                                        nh->nh_parent->fib_scope);
+        nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
+        return nh->nh_saddr;
 }
 struct fib_info *fib_create_info(struct fib_config *cfg)
@@ -705,6 +704,9 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
        int nhs = 1;
        struct net *net = cfg->fc_nlinfo.nl_net;
+        if (cfg->fc_type > RTN_MAX)
+                goto err_inval;
        /* Fast check to catch the most weird cases */
        if (fib_props[cfg->fc_type].scope > cfg->fc_scope)
                goto err_inval;
@@ -718,8 +720,8 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
 #endif
        err = -ENOBUFS;
-        if (fib_info_cnt >= fib_hash_size) {
+        if (fib_info_cnt >= fib_info_hash_size) {
-                unsigned int new_size = fib_hash_size << 1;
+                unsigned int new_size = fib_info_hash_size << 1;
                struct hlist_head *new_info_hash;
                struct hlist_head *new_laddrhash;
                unsigned int bytes;
@@ -727,25 +729,32 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
                if (!new_size)
                        new_size = 1;
                bytes = new_size * sizeof(struct hlist_head *);
-                new_info_hash = fib_hash_alloc(bytes);
+                new_info_hash = fib_info_hash_alloc(bytes);
-                new_laddrhash = fib_hash_alloc(bytes);
+                new_laddrhash = fib_info_hash_alloc(bytes);
                if (!new_info_hash || !new_laddrhash) {
-                        fib_hash_free(new_info_hash, bytes);
+                        fib_info_hash_free(new_info_hash, bytes);
-                        fib_hash_free(new_laddrhash, bytes);
+                        fib_info_hash_free(new_laddrhash, bytes);
                } else
-                        fib_hash_move(new_info_hash, new_laddrhash, new_size);
+                        fib_info_hash_move(new_info_hash, new_laddrhash, new_size);
-                if (!fib_hash_size)
+                if (!fib_info_hash_size)
                        goto failure;
        }
        fi = kzalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL);
        if (fi == NULL)
                goto failure;
+        if (cfg->fc_mx) {
+                fi->fib_metrics = kzalloc(sizeof(u32) * RTAX_MAX, GFP_KERNEL);
+                if (!fi->fib_metrics)
+                        goto failure;
+        } else
+                fi->fib_metrics = (u32 *) dst_default_metrics;
        fib_info_cnt++;
        fi->fib_net = hold_net(net);
        fi->fib_protocol = cfg->fc_protocol;
+        fi->fib_scope = cfg->fc_scope;
        fi->fib_flags = cfg->fc_flags;
        fi->fib_priority = cfg->fc_priority;
        fi->fib_prefsrc = cfg->fc_prefsrc;
@@ -779,7 +788,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
                        goto err_inval;
                if (cfg->fc_gw && fi->fib_nh->nh_gw != cfg->fc_gw)
                        goto err_inval;
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
                if (cfg->fc_flow && fi->fib_nh->nh_tclassid != cfg->fc_flow)
                        goto err_inval;
 #endif
@@ -792,7 +801,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
                nh->nh_oif = cfg->fc_oif;
                nh->nh_gw = cfg->fc_gw;
                nh->nh_flags = cfg->fc_flags;
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
                nh->nh_tclassid = cfg->fc_flow;
 #endif
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
@@ -804,6 +813,17 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
                if (cfg->fc_gw || cfg->fc_oif || cfg->fc_mp)
                        goto err_inval;
                goto link_it;
+        } else {
+                switch (cfg->fc_type) {
+                case RTN_UNICAST:
+                case RTN_LOCAL:
+                case RTN_BROADCAST:
+                case RTN_ANYCAST:
+                case RTN_MULTICAST:
+                        break;
+                default:
+                        goto err_inval;
+                }
        }
        if (cfg->fc_scope > RT_SCOPE_HOST)
@@ -835,6 +855,10 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
                                goto err_inval;
        }
+        change_nexthops(fi) {
+                fib_info_update_nh_saddr(net, nexthop_nh);
+        } endfor_nexthops(fi)
 link_it:
        ofi = fib_find_info(fi);
        if (ofi) {
@@ -880,86 +904,8 @@ failure:
        return ERR_PTR(err);
 }
-/* Note! fib_semantic_match intentionally uses  RCU list functions. */
-int fib_semantic_match(struct list_head *head, const struct flowi *flp,
-                       struct fib_result *res, int prefixlen, int fib_flags)
-{
-        struct fib_alias *fa;
-        int nh_sel = 0;
-        list_for_each_entry_rcu(fa, head, fa_list) {
-                int err;
-                if (fa->fa_tos &&
-                    fa->fa_tos != flp->fl4_tos)
-                        continue;
-                if (fa->fa_scope < flp->fl4_scope)
-                        continue;
-                fib_alias_accessed(fa);
-                err = fib_props[fa->fa_type].error;
-                if (err == 0) {
-                        struct fib_info *fi = fa->fa_info;
-                        if (fi->fib_flags & RTNH_F_DEAD)
-                                continue;
-                        switch (fa->fa_type) {
-                        case RTN_UNICAST:
-                        case RTN_LOCAL:
-                        case RTN_BROADCAST:
-                        case RTN_ANYCAST:
-                        case RTN_MULTICAST:
-                                for_nexthops(fi) {
-                                        if (nh->nh_flags & RTNH_F_DEAD)
-                                                continue;
-                                        if (!flp->oif || flp->oif == nh->nh_oif)
-                                                break;
-                                }
-#ifdef CONFIG_IP_ROUTE_MULTIPATH
-                                if (nhsel < fi->fib_nhs) {
-                                        nh_sel = nhsel;
-                                        goto out_fill_res;
-                                }
-#else
-                                if (nhsel < 1)
-                                        goto out_fill_res;
-#endif
-                                endfor_nexthops(fi);
-                                continue;
-                        default:
-                                pr_warning("fib_semantic_match bad type %#x\n",
-                                           fa->fa_type);
-                                return -EINVAL;
-                        }
-                }
-                return err;
-        }
-        return 1;
-out_fill_res:
-        res->prefixlen = prefixlen;
-        res->nh_sel = nh_sel;
-        res->type = fa->fa_type;
-        res->scope = fa->fa_scope;
-        res->fi = fa->fa_info;
-        if (!(fib_flags & FIB_LOOKUP_NOREF))
-                atomic_inc(&res->fi->fib_clntref);
-        return 0;
-}
-/* Find appropriate source address to this destination */
-__be32 __fib_res_prefsrc(struct fib_result *res)
-{
-        return inet_select_addr(FIB_RES_DEV(*res), FIB_RES_GW(*res), res->scope);
-}
 int fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
-                  u32 tb_id, u8 type, u8 scope, __be32 dst, int dst_len, u8 tos,
+                  u32 tb_id, u8 type, __be32 dst, int dst_len, u8 tos,
                  struct fib_info *fi, unsigned int flags)
 {
        struct nlmsghdr *nlh;
@@ -981,7 +927,7 @@ int fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
        NLA_PUT_U32(skb, RTA_TABLE, tb_id);
        rtm->rtm_type = type;
        rtm->rtm_flags = fi->fib_flags;
-        rtm->rtm_scope = scope;
+        rtm->rtm_scope = fi->fib_scope;
        rtm->rtm_protocol = fi->fib_protocol;
        if (rtm->rtm_dst_len)
@@ -1002,7 +948,7 @@ int fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
                if (fi->fib_nh->nh_oif)
                        NLA_PUT_U32(skb, RTA_OIF, fi->fib_nh->nh_oif);
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
                if (fi->fib_nh[0].nh_tclassid)
                        NLA_PUT_U32(skb, RTA_FLOW, fi->fib_nh[0].nh_tclassid);
 #endif
@@ -1027,7 +973,7 @@ int fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
                        if (nh->nh_gw)
                                NLA_PUT_BE32(skb, RTA_GATEWAY, nh->nh_gw);
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
                        if (nh->nh_tclassid)
                                NLA_PUT_U32(skb, RTA_FLOW, nh->nh_tclassid);
 #endif
@@ -1125,6 +1071,62 @@ int fib_sync_down_dev(struct net_device *dev, int force)
        return ret;
 }
+/* Must be invoked inside of an RCU protected region.  */
+void fib_select_default(struct fib_result *res)
+{
+        struct fib_info *fi = NULL, *last_resort = NULL;
+        struct list_head *fa_head = res->fa_head;
+        struct fib_table *tb = res->table;
+        int order = -1, last_idx = -1;
+        struct fib_alias *fa;
+        list_for_each_entry_rcu(fa, fa_head, fa_list) {
+                struct fib_info *next_fi = fa->fa_info;
+                if (next_fi->fib_scope != res->scope ||
+                    fa->fa_type != RTN_UNICAST)
+                        continue;
+                if (next_fi->fib_priority > res->fi->fib_priority)
+                        break;
+                if (!next_fi->fib_nh[0].nh_gw ||
+                    next_fi->fib_nh[0].nh_scope != RT_SCOPE_LINK)
+                        continue;
+                fib_alias_accessed(fa);
+                if (fi == NULL) {
+                        if (next_fi != res->fi)
+                                break;
+                } else if (!fib_detect_death(fi, order, &last_resort,
+                                             &last_idx, tb->tb_default)) {
+                        fib_result_assign(res, fi);
+                        tb->tb_default = order;
+                        goto out;
+                }
+                fi = next_fi;
+                order++;
+        }
+        if (order <= 0 || fi == NULL) {
+                tb->tb_default = -1;
+                goto out;
+        }
+        if (!fib_detect_death(fi, order, &last_resort, &last_idx,
+                                tb->tb_default)) {
+                fib_result_assign(res, fi);
+                tb->tb_default = order;
+                goto out;
+        }
+        if (last_idx >= 0)
+                fib_result_assign(res, last_resort);
+        tb->tb_default = last_idx;
+out:
+        return;
+}
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
 /*
@@ -1189,7 +1191,7 @@ int fib_sync_up(struct net_device *dev)
 * The algorithm is suboptimal, but it provides really
 * fair weighted route distribution.
 */
-void fib_select_multipath(const struct flowi *flp, struct fib_result *res)
+void fib_select_multipath(struct fib_result *res)
 {
        struct fib_info *fi = res->fi;
        int w;
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 0f280348e0fd..c779ce96e5b5 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -12,7 +12,7 @@
 *
 *   Hans Liss <hans.liss@its.uu.se>  Uppsala Universitet
 *
- * This work is based on the LPC-trie which is originally descibed in:
+ * This work is based on the LPC-trie which is originally described in:
 *
 * An experimental study of compression methods for dynamic tries
 * Stefan Nilsson and Matti Tikkanen. Algorithmica, 33(1):19-33, 2002.
@@ -95,7 +95,7 @@ typedef unsigned int t_key;
 #define IS_TNODE(n) (!(n->parent & T_LEAF))
 #define IS_LEAF(n) (n->parent & T_LEAF)
-struct node {
+struct rt_trie_node {
        unsigned long parent;
        t_key key;
 };
@@ -126,7 +126,7 @@ struct tnode {
                struct work_struct work;
                struct tnode *tnode_free;
        };
-        struct node *child[0];
+        struct rt_trie_node __rcu *child[0];
 };
 #ifdef CONFIG_IP_FIB_TRIE_STATS
@@ -151,16 +151,16 @@ struct trie_stat {
 };
 struct trie {
-        struct node *trie;
+        struct rt_trie_node __rcu *trie;
 #ifdef CONFIG_IP_FIB_TRIE_STATS
        struct trie_use_stats stats;
 #endif
 };
-static void put_child(struct trie *t, struct tnode *tn, int i, struct node *n);
+static void put_child(struct trie *t, struct tnode *tn, int i, struct rt_trie_node *n);
-static void tnode_put_child_reorg(struct tnode *tn, int i, struct node *n,
+static void tnode_put_child_reorg(struct tnode *tn, int i, struct rt_trie_node *n,
                                  int wasfull);
-static struct node *resize(struct trie *t, struct tnode *tn);
+static struct rt_trie_node *resize(struct trie *t, struct tnode *tn);
 static struct tnode *inflate(struct trie *t, struct tnode *tn);
 static struct tnode *halve(struct trie *t, struct tnode *tn);
 /* tnodes to free after resize(); protected by RTNL */
@@ -177,39 +177,58 @@ static const int sync_pages = 128;
 static struct kmem_cache *fn_alias_kmem __read_mostly;
 static struct kmem_cache *trie_leaf_kmem __read_mostly;
-static inline struct tnode *node_parent(struct node *node)
+/*
+ * caller must hold RTNL
+ */
+static inline struct tnode *node_parent(const struct rt_trie_node *node)
 {
-        return (struct tnode *)(node->parent & ~NODE_TYPE_MASK);
+        unsigned long parent;
+        parent = rcu_dereference_index_check(node->parent, lockdep_rtnl_is_held());
+        return (struct tnode *)(parent & ~NODE_TYPE_MASK);
 }
-static inline struct tnode *node_parent_rcu(struct node *node)
+/*
+ * caller must hold RCU read lock or RTNL
+ */
+static inline struct tnode *node_parent_rcu(const struct rt_trie_node *node)
 {
-        struct tnode *ret = node_parent(node);
+        unsigned long parent;
+        parent = rcu_dereference_index_check(node->parent, rcu_read_lock_held() ||
+                                                           lockdep_rtnl_is_held());
-        return rcu_dereference_rtnl(ret);
+        return (struct tnode *)(parent & ~NODE_TYPE_MASK);
 }
 /* Same as rcu_assign_pointer
 * but that macro() assumes that value is a pointer.
 */
-static inline void node_set_parent(struct node *node, struct tnode *ptr)
+static inline void node_set_parent(struct rt_trie_node *node, struct tnode *ptr)
 {
        smp_wmb();
        node->parent = (unsigned long)ptr | NODE_TYPE(node);
 }
-static inline struct node *tnode_get_child(struct tnode *tn, unsigned int i)
+/*
+ * caller must hold RTNL
+ */
+static inline struct rt_trie_node *tnode_get_child(const struct tnode *tn, unsigned int i)
 {
        BUG_ON(i >= 1U << tn->bits);
-        return tn->child[i];
+        return rtnl_dereference(tn->child[i]);
 }
-static inline struct node *tnode_get_child_rcu(struct tnode *tn, unsigned int i)
+/*
+ * caller must hold RCU read lock or RTNL
+ */
+static inline struct rt_trie_node *tnode_get_child_rcu(const struct tnode *tn, unsigned int i)
 {
-        struct node *ret = tnode_get_child(tn, i);
+        BUG_ON(i >= 1U << tn->bits);
-        return rcu_dereference_rtnl(ret);
+        return rcu_dereference_rtnl(tn->child[i]);
 }
 static inline int tnode_child_length(const struct tnode *tn)
@@ -217,12 +236,12 @@ static inline int tnode_child_length(const struct tnode *tn)
        return 1 << tn->bits;
 }
-static inline t_key mask_pfx(t_key k, unsigned short l)
+static inline t_key mask_pfx(t_key k, unsigned int l)
 {
        return (l == 0) ? 0 : k >> (KEYLENGTH-l) << (KEYLENGTH-l);
 }
-static inline t_key tkey_extract_bits(t_key a, int offset, int bits)
+static inline t_key tkey_extract_bits(t_key a, unsigned int offset, unsigned int bits)
 {
        if (offset < KEYLENGTH)
                return ((t_key)(a << offset)) >> (KEYLENGTH - bits);
@@ -350,14 +369,9 @@ static inline void free_leaf(struct leaf *l)
        call_rcu_bh(&l->rcu, __leaf_free_rcu);
 }
-static void __leaf_info_free_rcu(struct rcu_head *head)
-{
-        kfree(container_of(head, struct leaf_info, rcu));
-}
 static inline void free_leaf_info(struct leaf_info *leaf)
 {
-        call_rcu(&leaf->rcu, __leaf_info_free_rcu);
+        kfree_rcu(leaf, rcu);
 }
 static struct tnode *tnode_alloc(size_t size)
@@ -378,7 +392,7 @@ static void __tnode_free_rcu(struct rcu_head *head)
 {
        struct tnode *tn = container_of(head, struct tnode, rcu);
        size_t size = sizeof(struct tnode) +
-                      (sizeof(struct node *) << tn->bits);
+                      (sizeof(struct rt_trie_node *) << tn->bits);
        if (size <= PAGE_SIZE)
                kfree(tn);
@@ -402,7 +416,7 @@ static void tnode_free_safe(struct tnode *tn)
        tn->tnode_free = tnode_free_head;
        tnode_free_head = tn;
        tnode_free_size += sizeof(struct tnode) +
-                           (sizeof(struct node *) << tn->bits);
+                           (sizeof(struct rt_trie_node *) << tn->bits);
 }
 static void tnode_free_flush(void)
@@ -443,7 +457,7 @@ static struct leaf_info *leaf_info_new(int plen)
 static struct tnode *tnode_new(t_key key, int pos, int bits)
 {
-        size_t sz = sizeof(struct tnode) + (sizeof(struct node *) << bits);
+        size_t sz = sizeof(struct tnode) + (sizeof(struct rt_trie_node *) << bits);
        struct tnode *tn = tnode_alloc(sz);
        if (tn) {
@@ -456,7 +470,7 @@ static struct tnode *tnode_new(t_key key, int pos, int bits)
        }
        pr_debug("AT %p s=%zu %zu\n", tn, sizeof(struct tnode),
-                 sizeof(struct node) << bits);
+                 sizeof(struct rt_trie_node) << bits);
        return tn;
 }
@@ -465,7 +479,7 @@ static struct tnode *tnode_new(t_key key, int pos, int bits)
 * and no bits are skipped. See discussion in dyntree paper p. 6
 */
-static inline int tnode_full(const struct tnode *tn, const struct node *n)
+static inline int tnode_full(const struct tnode *tn, const struct rt_trie_node *n)
 {
        if (n == NULL || IS_LEAF(n))
                return 0;
@@ -474,7 +488,7 @@ static inline int tnode_full(const struct tnode *tn, const struct node *n)
 }
 static inline void put_child(struct trie *t, struct tnode *tn, int i,
-                             struct node *n)
+                             struct rt_trie_node *n)
 {
        tnode_put_child_reorg(tn, i, n, -1);
 }
@@ -484,10 +498,10 @@ static inline void put_child(struct trie *t, struct tnode *tn, int i,
  * Update the value of full_children and empty_children.
  */
-static void tnode_put_child_reorg(struct tnode *tn, int i, struct node *n,
+static void tnode_put_child_reorg(struct tnode *tn, int i, struct rt_trie_node *n,
                                  int wasfull)
 {
-        struct node *chi = tn->child[i];
+        struct rt_trie_node *chi = rtnl_dereference(tn->child[i]);
        int isfull;
        BUG_ON(i >= 1<<tn->bits);
@@ -515,7 +529,7 @@ static void tnode_put_child_reorg(struct tnode *tn, int i, struct node *n,
 }
 #define MAX_WORK 10
-static struct node *resize(struct trie *t, struct tnode *tn)
+static struct rt_trie_node *resize(struct trie *t, struct tnode *tn)
 {
        int i;
        struct tnode *old_tn;
@@ -605,7 +619,7 @@ static struct node *resize(struct trie *t, struct tnode *tn)
        /* Keep root node larger  */
-        if (!node_parent((struct node *)tn)) {
+        if (!node_parent((struct rt_trie_node *)tn)) {
                inflate_threshold_use = inflate_threshold_root;
                halve_threshold_use = halve_threshold_root;
        } else {
@@ -635,7 +649,7 @@ static struct node *resize(struct trie *t, struct tnode *tn)
        /* Return if at least one inflate is run */
        if (max_work != MAX_WORK)
-                return (struct node *) tn;
+                return (struct rt_trie_node *) tn;
        /*
         * Halve as long as the number of empty children in this
@@ -663,9 +677,9 @@ static struct node *resize(struct trie *t, struct tnode *tn)
        if (tn->empty_children == tnode_child_length(tn) - 1) {
 one_child:
                for (i = 0; i < tnode_child_length(tn); i++) {
-                        struct node *n;
+                        struct rt_trie_node *n;
-                        n = tn->child[i];
+                        n = rtnl_dereference(tn->child[i]);
                        if (!n)
                                continue;
@@ -676,7 +690,21 @@ one_child:
                        return n;
                }
        }
-        return (struct node *) tn;
+        return (struct rt_trie_node *) tn;
+}
+static void tnode_clean_free(struct tnode *tn)
+{
+        int i;
+        struct tnode *tofree;
+        for (i = 0; i < tnode_child_length(tn); i++) {
+                tofree = (struct tnode *)rtnl_dereference(tn->child[i]);
+                if (tofree)
+                        tnode_free(tofree);
+        }
+        tnode_free(tn);
 }
 static struct tnode *inflate(struct trie *t, struct tnode *tn)
@@ -723,14 +751,14 @@ static struct tnode *inflate(struct trie *t, struct tnode *tn)
                                goto nomem;
                        }
-                        put_child(t, tn, 2*i, (struct node *) left);
+                        put_child(t, tn, 2*i, (struct rt_trie_node *) left);
-                        put_child(t, tn, 2*i+1, (struct node *) right);
+                        put_child(t, tn, 2*i+1, (struct rt_trie_node *) right);
                }
        }
        for (i = 0; i < olen; i++) {
                struct tnode *inode;
-                struct node *node = tnode_get_child(oldtnode, i);
+                struct rt_trie_node *node = tnode_get_child(oldtnode, i);
                struct tnode *left, *right;
                int size, j;
@@ -755,8 +783,8 @@ static struct tnode *inflate(struct trie *t, struct tnode *tn)
                inode = (struct tnode *) node;
                if (inode->bits == 1) {
-                        put_child(t, tn, 2*i, inode->child[0]);
+                        put_child(t, tn, 2*i, rtnl_dereference(inode->child[0]));
-                        put_child(t, tn, 2*i+1, inode->child[1]);
+                        put_child(t, tn, 2*i+1, rtnl_dereference(inode->child[1]));
                        tnode_free_safe(inode);
                        continue;
@@ -797,8 +825,8 @@ static struct tnode *inflate(struct trie *t, struct tnode *tn)
                size = tnode_child_length(left);
                for (j = 0; j < size; j++) {
-                        put_child(t, left, j, inode->child[j]);
+                        put_child(t, left, j, rtnl_dereference(inode->child[j]));
-                        put_child(t, right, j, inode->child[j + size]);
+                        put_child(t, right, j, rtnl_dereference(inode->child[j + size]));
                }
                put_child(t, tn, 2*i, resize(t, left));
                put_child(t, tn, 2*i+1, resize(t, right));
@@ -808,24 +836,14 @@ static struct tnode *inflate(struct trie *t, struct tnode *tn)
        tnode_free_safe(oldtnode);
        return tn;
 nomem:
-        {
+        tnode_clean_free(tn);
-                int size = tnode_child_length(tn);
+        return ERR_PTR(-ENOMEM);
-                int j;
-                for (j = 0; j < size; j++)
-                        if (tn->child[j])
-                                tnode_free((struct tnode *)tn->child[j]);
-                tnode_free(tn);
-                return ERR_PTR(-ENOMEM);
-        }
 }
 static struct tnode *halve(struct trie *t, struct tnode *tn)
 {
        struct tnode *oldtnode = tn;
-        struct node *left, *right;
+        struct rt_trie_node *left, *right;
        int i;
        int olen = tnode_child_length(tn);
@@ -856,7 +874,7 @@ static struct tnode *halve(struct trie *t, struct tnode *tn)
                        if (!newn)
                                goto nomem;
-                        put_child(t, tn, i/2, (struct node *)newn);
+                        put_child(t, tn, i/2, (struct rt_trie_node *)newn);
                }
        }
@@ -890,18 +908,8 @@ static struct tnode *halve(struct trie *t, struct tnode *tn)
        tnode_free_safe(oldtnode);
        return tn;
 nomem:
-        {
+        tnode_clean_free(tn);
-                int size = tnode_child_length(tn);
+        return ERR_PTR(-ENOMEM);
-                int j;
-                for (j = 0; j < size; j++)
-                        if (tn->child[j])
-                                tnode_free((struct tnode *)tn->child[j]);
-                tnode_free(tn);
-                return ERR_PTR(-ENOMEM);
-        }
 }
 /* readside must use rcu_read_lock currently dump routines
@@ -958,7 +966,7 @@ fib_find_node(struct trie *t, u32 key)
 {
        int pos;
        struct tnode *tn;
-        struct node *n;
+        struct rt_trie_node *n;
        pos = 0;
        n = rcu_dereference_rtnl(t->trie);
@@ -993,17 +1001,17 @@ static void trie_rebalance(struct trie *t, struct tnode *tn)
        key = tn->key;
-        while (tn != NULL && (tp = node_parent((struct node *)tn)) != NULL) {
+        while (tn != NULL && (tp = node_parent((struct rt_trie_node *)tn)) != NULL) {
                cindex = tkey_extract_bits(key, tp->pos, tp->bits);
                wasfull = tnode_full(tp, tnode_get_child(tp, cindex));
                tn = (struct tnode *) resize(t, (struct tnode *)tn);
                tnode_put_child_reorg((struct tnode *)tp, cindex,
-                                      (struct node *)tn, wasfull);
+                                      (struct rt_trie_node *)tn, wasfull);
-                tp = node_parent((struct node *) tn);
+                tp = node_parent((struct rt_trie_node *) tn);
                if (!tp)
-                        rcu_assign_pointer(t->trie, (struct node *)tn);
+                        rcu_assign_pointer(t->trie, (struct rt_trie_node *)tn);
                tnode_free_flush();
                if (!tp)
@@ -1015,7 +1023,7 @@ static void trie_rebalance(struct trie *t, struct tnode *tn)
        if (IS_TNODE(tn))
                tn = (struct tnode *)resize(t, (struct tnode *)tn);
-        rcu_assign_pointer(t->trie, (struct node *)tn);
+        rcu_assign_pointer(t->trie, (struct rt_trie_node *)tn);
        tnode_free_flush();
 }
@@ -1025,7 +1033,7 @@ static struct list_head *fib_insert_node(struct trie *t, u32 key, int plen)
 {
        int pos, newpos;
        struct tnode *tp = NULL, *tn = NULL;
-        struct node *n;
+        struct rt_trie_node *n;
        struct leaf *l;
        int missbit;
        struct list_head *fa_head = NULL;
@@ -1033,7 +1041,7 @@ static struct list_head *fib_insert_node(struct trie *t, u32 key, int plen)
        t_key cindex;
        pos = 0;
-        n = t->trie;
+        n = rtnl_dereference(t->trie);
        /* If we point to NULL, stop. Either the tree is empty and we should
         * just put a new leaf in if, or we have reached an empty child slot,
@@ -1111,10 +1119,10 @@ static struct list_head *fib_insert_node(struct trie *t, u32 key, int plen)
        if (t->trie && n == NULL) {
                /* Case 2: n is NULL, and will just insert a new leaf */
-                node_set_parent((struct node *)l, tp);
+                node_set_parent((struct rt_trie_node *)l, tp);
                cindex = tkey_extract_bits(key, tp->pos, tp->bits);
-                put_child(t, (struct tnode *)tp, cindex, (struct node *)l);
+                put_child(t, (struct tnode *)tp, cindex, (struct rt_trie_node *)l);
        } else {
                /* Case 3: n is a LEAF or a TNODE and the key doesn't match. */
                /*
@@ -1141,18 +1149,18 @@ static struct list_head *fib_insert_node(struct trie *t, u32 key, int plen)
                        return NULL;
                }
-                node_set_parent((struct node *)tn, tp);
+                node_set_parent((struct rt_trie_node *)tn, tp);
                missbit = tkey_extract_bits(key, newpos, 1);
-                put_child(t, tn, missbit, (struct node *)l);
+                put_child(t, tn, missbit, (struct rt_trie_node *)l);
                put_child(t, tn, 1-missbit, n);
                if (tp) {
                        cindex = tkey_extract_bits(key, tp->pos, tp->bits);
                        put_child(t, (struct tnode *)tp, cindex,
-                                  (struct node *)tn);
+                                  (struct rt_trie_node *)tn);
                } else {
-                        rcu_assign_pointer(t->trie, (struct node *)tn);
+                        rcu_assign_pointer(t->trie, (struct rt_trie_node *)tn);
                        tp = tn;
                }
        }
@@ -1245,7 +1253,6 @@ int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
                        if (fa->fa_info->fib_priority != fi->fib_priority)
                                break;
                        if (fa->fa_type == cfg->fc_type &&
-                            fa->fa_scope == cfg->fc_scope &&
                            fa->fa_info == fi) {
                                fa_match = fa;
                                break;
@@ -1271,7 +1278,6 @@ int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
                        new_fa->fa_tos = fa->fa_tos;
                        new_fa->fa_info = fi;
                        new_fa->fa_type = cfg->fc_type;
-                        new_fa->fa_scope = cfg->fc_scope;
                        state = fa->fa_state;
                        new_fa->fa_state = state & ~FA_S_ACCESSED;
@@ -1308,7 +1314,6 @@ int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
        new_fa->fa_info = fi;
        new_fa->fa_tos = tos;
        new_fa->fa_type = cfg->fc_type;
-        new_fa->fa_scope = cfg->fc_scope;
        new_fa->fa_state = 0;
        /*
         * Insert new entry to the list.
@@ -1322,6 +1327,9 @@ int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
                }
        }
+        if (!plen)
+                tb->tb_num_default++;
        list_add_tail_rcu(&new_fa->fa_list,
                          (fa ? &fa->fa_list : fa_head));
@@ -1340,8 +1348,8 @@ err:
 }
 /* should be called with rcu_read_lock */
-static int check_leaf(struct trie *t, struct leaf *l,
+static int check_leaf(struct fib_table *tb, struct trie *t, struct leaf *l,
-                      t_key key,  const struct flowi *flp,
+                      t_key key,  const struct flowi4 *flp,
                      struct fib_result *res, int fib_flags)
 {
        struct leaf_info *li;
@@ -1349,40 +1357,75 @@ static int check_leaf(struct trie *t, struct leaf *l,
        struct hlist_node *node;
        hlist_for_each_entry_rcu(li, node, hhead, hlist) {
-                int err;
+                struct fib_alias *fa;
                int plen = li->plen;
                __be32 mask = inet_make_mask(plen);
                if (l->key != (key & ntohl(mask)))
                        continue;
-                err = fib_semantic_match(&li->falh, flp, res, plen, fib_flags);
+                list_for_each_entry_rcu(fa, &li->falh, fa_list) {
+                        struct fib_info *fi = fa->fa_info;
+                        int nhsel, err;
+                        if (fa->fa_tos && fa->fa_tos != flp->flowi4_tos)
+                                continue;
+                        if (fa->fa_info->fib_scope < flp->flowi4_scope)
+                                continue;
+                        fib_alias_accessed(fa);
+                        err = fib_props[fa->fa_type].error;
+                        if (err) {
 #ifdef CONFIG_IP_FIB_TRIE_STATS
-                if (err <= 0)
+                                t->stats.semantic_match_passed++;
-                        t->stats.semantic_match_passed++;
+#endif
-                else
+                                return err;
-                        t->stats.semantic_match_miss++;
+                        }
+                        if (fi->fib_flags & RTNH_F_DEAD)
+                                continue;
+                        for (nhsel = 0; nhsel < fi->fib_nhs; nhsel++) {
+                                const struct fib_nh *nh = &fi->fib_nh[nhsel];
+                                if (nh->nh_flags & RTNH_F_DEAD)
+                                        continue;
+                                if (flp->flowi4_oif && flp->flowi4_oif != nh->nh_oif)
+                                        continue;
+#ifdef CONFIG_IP_FIB_TRIE_STATS
+                                t->stats.semantic_match_passed++;
+#endif
+                                res->prefixlen = plen;
+                                res->nh_sel = nhsel;
+                                res->type = fa->fa_type;
+                                res->scope = fa->fa_info->fib_scope;
+                                res->fi = fi;
+                                res->table = tb;
+                                res->fa_head = &li->falh;
+                                if (!(fib_flags & FIB_LOOKUP_NOREF))
+                                        atomic_inc(&res->fi->fib_clntref);
+                                return 0;
+                        }
+                }
+#ifdef CONFIG_IP_FIB_TRIE_STATS
+                t->stats.semantic_match_miss++;
 #endif
-                if (err <= 0)
-                        return err;
        }
        return 1;
 }
-int fib_table_lookup(struct fib_table *tb, const struct flowi *flp,
+int fib_table_lookup(struct fib_table *tb, const struct flowi4 *flp,
                     struct fib_result *res, int fib_flags)
 {
        struct trie *t = (struct trie *) tb->tb_data;
        int ret;
-        struct node *n;
+        struct rt_trie_node *n;
        struct tnode *pn;
-        int pos, bits;
+        unsigned int pos, bits;
-        t_key key = ntohl(flp->fl4_dst);
+        t_key key = ntohl(flp->daddr);
-        int chopped_off;
+        unsigned int chopped_off;
        t_key cindex = 0;
-        int current_prefix_length = KEYLENGTH;
+        unsigned int current_prefix_length = KEYLENGTH;
        struct tnode *cn;
        t_key pref_mismatch;
@@ -1398,7 +1441,7 @@ int fib_table_lookup(struct fib_table *tb, const struct flowi *flp,
        /* Just a leaf? */
        if (IS_LEAF(n)) {
-                ret = check_leaf(t, (struct leaf *)n, key, flp, res, fib_flags);
+                ret = check_leaf(tb, t, (struct leaf *)n, key, flp, res, fib_flags);
                goto found;
        }
@@ -1423,7 +1466,7 @@ int fib_table_lookup(struct fib_table *tb, const struct flowi *flp,
                }
                if (IS_LEAF(n)) {
-                        ret = check_leaf(t, (struct leaf *)n, key, flp, res, fib_flags);
+                        ret = check_leaf(tb, t, (struct leaf *)n, key, flp, res, fib_flags);
                        if (ret > 0)
                                goto backtrace;
                        goto found;
@@ -1541,7 +1584,7 @@ backtrace:
                if (chopped_off <= pn->bits) {
                        cindex &= ~(1 << (chopped_off-1));
                } else {
-                        struct tnode *parent = node_parent_rcu((struct node *) pn);
+                        struct tnode *parent = node_parent_rcu((struct rt_trie_node *) pn);
                        if (!parent)
                                goto failed;
@@ -1568,7 +1611,7 @@ found:
 */
 static void trie_leaf_remove(struct trie *t, struct leaf *l)
 {
-        struct tnode *tp = node_parent((struct node *) l);
+        struct tnode *tp = node_parent((struct rt_trie_node *) l);
        pr_debug("entering trie_leaf_remove(%p)\n", l);
@@ -1629,7 +1672,9 @@ int fib_table_delete(struct fib_table *tb, struct fib_config *cfg)
                if ((!cfg->fc_type || fa->fa_type == cfg->fc_type) &&
                    (cfg->fc_scope == RT_SCOPE_NOWHERE ||
-                     fa->fa_scope == cfg->fc_scope) &&
+                     fa->fa_info->fib_scope == cfg->fc_scope) &&
+                    (!cfg->fc_prefsrc ||
+                     fi->fib_prefsrc == cfg->fc_prefsrc) &&
                    (!cfg->fc_protocol ||
                     fi->fib_protocol == cfg->fc_protocol) &&
                    fib_nh_match(cfg, fi) == 0) {
@@ -1650,6 +1695,9 @@ int fib_table_delete(struct fib_table *tb, struct fib_config *cfg)
        list_del_rcu(&fa->fa_list);
+        if (!plen)
+                tb->tb_num_default--;
        if (list_empty(fa_head)) {
                hlist_del_rcu(&li->hlist);
                free_leaf_info(li);
@@ -1706,7 +1754,7 @@ static int trie_flush_leaf(struct leaf *l)
 * Scan for the next right leaf starting at node p->child[idx]
 * Since we have back pointer, no recursion necessary.
 */
-static struct leaf *leaf_walk_rcu(struct tnode *p, struct node *c)
+static struct leaf *leaf_walk_rcu(struct tnode *p, struct rt_trie_node *c)
 {
        do {
                t_key idx;
@@ -1722,7 +1770,7 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct node *c)
                                continue;
                        if (IS_LEAF(c)) {
-                                prefetch(p->child[idx]);
+                                prefetch(rcu_dereference_rtnl(p->child[idx]));
                                return (struct leaf *) c;
                        }
@@ -1732,7 +1780,7 @@ static struct leaf *leaf_walk_rcu(struct tnode *p, struct node *c)
                }
                /* Node empty, walk back up to parent */
-                c = (struct node *) p;
+                c = (struct rt_trie_node *) p;
        } while ((p = node_parent_rcu(c)) != NULL);
        return NULL; /* Root of trie */
@@ -1753,7 +1801,7 @@ static struct leaf *trie_firstleaf(struct trie *t)
 static struct leaf *trie_nextleaf(struct leaf *l)
 {
-        struct node *c = (struct node *) l;
+        struct rt_trie_node *c = (struct rt_trie_node *) l;
        struct tnode *p = node_parent_rcu(c);
        if (!p)
@@ -1802,80 +1850,6 @@ void fib_free_table(struct fib_table *tb)
        kfree(tb);
 }
-void fib_table_select_default(struct fib_table *tb,
-                              const struct flowi *flp,
-                              struct fib_result *res)
-{
-        struct trie *t = (struct trie *) tb->tb_data;
-        int order, last_idx;
-        struct fib_info *fi = NULL;
-        struct fib_info *last_resort;
-        struct fib_alias *fa = NULL;
-        struct list_head *fa_head;
-        struct leaf *l;
-        last_idx = -1;
-        last_resort = NULL;
-        order = -1;
-        rcu_read_lock();
-        l = fib_find_node(t, 0);
-        if (!l)
-                goto out;
-        fa_head = get_fa_head(l, 0);
-        if (!fa_head)
-                goto out;
-        if (list_empty(fa_head))
-                goto out;
-        list_for_each_entry_rcu(fa, fa_head, fa_list) {
-                struct fib_info *next_fi = fa->fa_info;
-                if (fa->fa_scope != res->scope ||
-                    fa->fa_type != RTN_UNICAST)
-                        continue;
-                if (next_fi->fib_priority > res->fi->fib_priority)
-                        break;
-                if (!next_fi->fib_nh[0].nh_gw ||
-                    next_fi->fib_nh[0].nh_scope != RT_SCOPE_LINK)
-                        continue;
-                fib_alias_accessed(fa);
-                if (fi == NULL) {
-                        if (next_fi != res->fi)
-                                break;
-                } else if (!fib_detect_death(fi, order, &last_resort,
-                                             &last_idx, tb->tb_default)) {
-                        fib_result_assign(res, fi);
-                        tb->tb_default = order;
-                        goto out;
-                }
-                fi = next_fi;
-                order++;
-        }
-        if (order <= 0 || fi == NULL) {
-                tb->tb_default = -1;
-                goto out;
-        }
-        if (!fib_detect_death(fi, order, &last_resort, &last_idx,
-                                tb->tb_default)) {
-                fib_result_assign(res, fi);
-                tb->tb_default = order;
-                goto out;
-        }
-        if (last_idx >= 0)
-                fib_result_assign(res, last_resort);
-        tb->tb_default = last_idx;
-out:
-        rcu_read_unlock();
-}
 static int fn_trie_dump_fa(t_key key, int plen, struct list_head *fah,
                           struct fib_table *tb,
                           struct sk_buff *skb, struct netlink_callback *cb)
@@ -1900,7 +1874,6 @@ static int fn_trie_dump_fa(t_key key, int plen, struct list_head *fah,
                                  RTM_NEWROUTE,
                                  tb->tb_id,
                                  fa->fa_type,
-                                  fa->fa_scope,
                                  xkey,
                                  plen,
                                  fa->fa_tos,
@@ -1990,7 +1963,7 @@ int fib_table_dump(struct fib_table *tb, struct sk_buff *skb,
        return skb->len;
 }
-void __init fib_hash_init(void)
+void __init fib_trie_init(void)
 {
        fn_alias_kmem = kmem_cache_create("ip_fib_alias",
                                          sizeof(struct fib_alias),
@@ -2003,8 +1976,7 @@ void __init fib_hash_init(void)
 }
-/* Fix more generic FIB names for init later */
+struct fib_table *fib_trie_table(u32 id)
-struct fib_table *fib_hash_table(u32 id)
 {
        struct fib_table *tb;
        struct trie *t;
@@ -2016,13 +1988,11 @@ struct fib_table *fib_hash_table(u32 id)
        tb->tb_id = id;
        tb->tb_default = -1;
+        tb->tb_num_default = 0;
        t = (struct trie *) tb->tb_data;
        memset(t, 0, sizeof(*t));
-        if (id == RT_TABLE_LOCAL)
-                pr_info("IPv4 FIB: Using LC-trie version %s\n", VERSION);
        return tb;
 }
@@ -2036,7 +2006,7 @@ struct fib_trie_iter {
        unsigned int depth;
 };
-static struct node *fib_trie_get_next(struct fib_trie_iter *iter)
+static struct rt_trie_node *fib_trie_get_next(struct fib_trie_iter *iter)
 {
        struct tnode *tn = iter->tnode;
        unsigned int cindex = iter->index;
@@ -2050,7 +2020,7 @@ static struct node *fib_trie_get_next(struct fib_trie_iter *iter)
                 iter->tnode, iter->index, iter->depth);
 rescan:
        while (cindex < (1<<tn->bits)) {
-                struct node *n = tnode_get_child_rcu(tn, cindex);
+                struct rt_trie_node *n = tnode_get_child_rcu(tn, cindex);
                if (n) {
                        if (IS_LEAF(n)) {
@@ -2069,7 +2039,7 @@ rescan:
        }
        /* Current node exhausted, pop back up */
-        p = node_parent_rcu((struct node *)tn);
+        p = node_parent_rcu((struct rt_trie_node *)tn);
        if (p) {
                cindex = tkey_extract_bits(tn->key, p->pos, p->bits)+1;
                tn = p;
@@ -2081,10 +2051,10 @@ rescan:
        return NULL;
 }
-static struct node *fib_trie_get_first(struct fib_trie_iter *iter,
+static struct rt_trie_node *fib_trie_get_first(struct fib_trie_iter *iter,
                                       struct trie *t)
 {
-        struct node *n;
+        struct rt_trie_node *n;
        if (!t)
                return NULL;
@@ -2108,7 +2078,7 @@ static struct node *fib_trie_get_first(struct fib_trie_iter *iter,
 static void trie_collect_stats(struct trie *t, struct trie_stat *s)
 {
-        struct node *n;
+        struct rt_trie_node *n;
        struct fib_trie_iter iter;
        memset(s, 0, sizeof(*s));
@@ -2181,7 +2151,7 @@ static void trie_show_stats(struct seq_file *seq, struct trie_stat *stat)
        seq_putc(seq, '\n');
        seq_printf(seq, "\tPointers: %u\n", pointers);
-        bytes += sizeof(struct node *) * pointers;
+        bytes += sizeof(struct rt_trie_node *) * pointers;
        seq_printf(seq, "Null ptrs: %u\n", stat->nullpointers);
        seq_printf(seq, "Total size: %u  kB\n", (bytes + 1023) / 1024);
 }
@@ -2262,7 +2232,7 @@ static const struct file_operations fib_triestat_fops = {
        .release = single_release_net,
 };
-static struct node *fib_trie_get_idx(struct seq_file *seq, loff_t pos)
+static struct rt_trie_node *fib_trie_get_idx(struct seq_file *seq, loff_t pos)
 {
        struct fib_trie_iter *iter = seq->private;
        struct net *net = seq_file_net(seq);
@@ -2275,7 +2245,7 @@ static struct node *fib_trie_get_idx(struct seq_file *seq, loff_t pos)
                struct fib_table *tb;
                hlist_for_each_entry_rcu(tb, node, head, tb_hlist) {
-                        struct node *n;
+                        struct rt_trie_node *n;
                        for (n = fib_trie_get_first(iter,
                                                    (struct trie *) tb->tb_data);
@@ -2304,7 +2274,7 @@ static void *fib_trie_seq_next(struct seq_file *seq, void *v, loff_t *pos)
        struct fib_table *tb = iter->tb;
        struct hlist_node *tb_node;
        unsigned int h;
-        struct node *n;
+        struct rt_trie_node *n;
        ++*pos;
        /* next node in same table */
@@ -2314,7 +2284,7 @@ static void *fib_trie_seq_next(struct seq_file *seq, void *v, loff_t *pos)
        /* walk rest of this hash chain */
        h = tb->tb_id & (FIB_TABLE_HASHSZ - 1);
-        while ( (tb_node = rcu_dereference(tb->tb_hlist.next)) ) {
+        while ((tb_node = rcu_dereference(hlist_next_rcu(&tb->tb_hlist)))) {
                tb = hlist_entry(tb_node, struct fib_table, tb_hlist);
                n = fib_trie_get_first(iter, (struct trie *) tb->tb_data);
                if (n)
@@ -2390,7 +2360,7 @@ static inline const char *rtn_type(char *buf, size_t len, unsigned int t)
 static int fib_trie_seq_show(struct seq_file *seq, void *v)
 {
        const struct fib_trie_iter *iter = seq->private;
-        struct node *n = v;
+        struct rt_trie_node *n = v;
        if (!node_parent_rcu(n))
                fib_table_print(seq, iter->tb);
@@ -2422,7 +2392,7 @@ static int fib_trie_seq_show(struct seq_file *seq, void *v)
                                seq_indent(seq, iter->depth+1);
                                seq_printf(seq, "  /%d %s %s", li->plen,
                                           rtn_scope(buf1, sizeof(buf1),
-                                                     fa->fa_scope),
+                                                     fa->fa_info->fib_scope),
                                           rtn_type(buf2, sizeof(buf2),
                                                    fa->fa_type));
                                if (fa->fa_tos)
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 4aa1b7f01ea0..5395e45dcce6 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -83,6 +83,7 @@
 #include <net/tcp.h>
 #include <net/udp.h>
 #include <net/raw.h>
+#include <net/ping.h>
 #include <linux/skbuff.h>
 #include <net/sock.h>
 #include <linux/errno.h>
@@ -108,8 +109,7 @@ struct icmp_bxm {
                __be32         times[3];
        } data;
        int head_len;
-        struct ip_options replyopts;
+        struct ip_options_data replyopts;
-        unsigned char  optbuf[40];
 };
 /* An array of errno for error messages from dest unreach. */
@@ -233,48 +233,11 @@ static inline void icmp_xmit_unlock(struct sock *sk)
 *      Send an ICMP frame.
 */
-/*
+static inline bool icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
- *      Check transmit rate limitation for given message.
+                                      struct flowi4 *fl4, int type, int code)
- *      The rate information is held in the destination cache now.
- *      This function is generic and could be used for other purposes
- *      too. It uses a Token bucket filter as suggested by Alexey Kuznetsov.
- *
- *      Note that the same dst_entry fields are modified by functions in
- *      route.c too, but these work for packet destinations while xrlim_allow
- *      works for icmp destinations. This means the rate limiting information
- *      for one "ip object" is shared - and these ICMPs are twice limited:
- *      by source and by destination.
- *
- *      RFC 1812: 4.3.2.8 SHOULD be able to limit error message rate
- *                        SHOULD allow setting of rate limits
- *
- *      Shared between ICMPv4 and ICMPv6.
- */
-#define XRLIM_BURST_FACTOR 6
-int xrlim_allow(struct dst_entry *dst, int timeout)
-{
-        unsigned long now, token = dst->rate_tokens;
-        int rc = 0;
-        now = jiffies;
-        token += now - dst->rate_last;
-        dst->rate_last = now;
-        if (token > XRLIM_BURST_FACTOR * timeout)
-                token = XRLIM_BURST_FACTOR * timeout;
-        if (token >= timeout) {
-                token -= timeout;
-                rc = 1;
-        }
-        dst->rate_tokens = token;
-        return rc;
-}
-EXPORT_SYMBOL(xrlim_allow);
-static inline int icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
-                int type, int code)
 {
        struct dst_entry *dst = &rt->dst;
-        int rc = 1;
+        bool rc = true;
        if (type > NR_ICMP_TYPES)
                goto out;
@@ -288,8 +251,12 @@ static inline int icmpv4_xrlim_allow(struct net *net, struct rtable *rt,
                goto out;
        /* Limit if icmp type is enabled in ratemask. */
-        if ((1 << type) & net->ipv4.sysctl_icmp_ratemask)
+        if ((1 << type) & net->ipv4.sysctl_icmp_ratemask) {
-                rc = xrlim_allow(dst, net->ipv4.sysctl_icmp_ratelimit);
+                if (!rt->peer)
+                        rt_bind_peer(rt, fl4->daddr, 1);
+                rc = inet_peer_xrlim_allow(rt->peer,
+                                           net->ipv4.sysctl_icmp_ratelimit);
+        }
 out:
        return rc;
 }
@@ -324,13 +291,14 @@ static int icmp_glue_bits(void *from, char *to, int offset, int len, int odd,
 }
 static void icmp_push_reply(struct icmp_bxm *icmp_param,
+                            struct flowi4 *fl4,
                            struct ipcm_cookie *ipc, struct rtable **rt)
 {
        struct sock *sk;
        struct sk_buff *skb;
        sk = icmp_sk(dev_net((*rt)->dst.dev));
-        if (ip_append_data(sk, icmp_glue_bits, icmp_param,
+        if (ip_append_data(sk, fl4, icmp_glue_bits, icmp_param,
                           icmp_param->data_len+icmp_param->head_len,
                           icmp_param->head_len,
                           ipc, rt, MSG_DONTWAIT) < 0) {
@@ -349,7 +317,7 @@ static void icmp_push_reply(struct icmp_bxm *icmp_param,
                                                 icmp_param->head_len, csum);
                icmph->checksum = csum_fold(csum);
                skb->ip_summed = CHECKSUM_NONE;
-                ip_push_pending_frames(sk);
+                ip_push_pending_frames(sk, fl4);
        }
 }
@@ -362,11 +330,12 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb)
        struct ipcm_cookie ipc;
        struct rtable *rt = skb_rtable(skb);
        struct net *net = dev_net(rt->dst.dev);
+        struct flowi4 fl4;
        struct sock *sk;
        struct inet_sock *inet;
        __be32 daddr;
-        if (ip_options_echo(&icmp_param->replyopts, skb))
+        if (ip_options_echo(&icmp_param->replyopts.opt.opt, skb))
                return;
        sk = icmp_xmit_lock(net);
@@ -377,31 +346,120 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb)
        icmp_param->data.icmph.checksum = 0;
        inet->tos = ip_hdr(skb)->tos;
-        daddr = ipc.addr = rt->rt_src;
+        daddr = ipc.addr = ip_hdr(skb)->saddr;
        ipc.opt = NULL;
        ipc.tx_flags = 0;
-        if (icmp_param->replyopts.optlen) {
+        if (icmp_param->replyopts.opt.opt.optlen) {
-                ipc.opt = &icmp_param->replyopts;
+                ipc.opt = &icmp_param->replyopts.opt;
-                if (ipc.opt->srr)
+                if (ipc.opt->opt.srr)
-                        daddr = icmp_param->replyopts.faddr;
+                        daddr = icmp_param->replyopts.opt.opt.faddr;
        }
-        {
+        memset(&fl4, 0, sizeof(fl4));
-                struct flowi fl = { .fl4_dst= daddr,
+        fl4.daddr = daddr;
-                                    .fl4_src = rt->rt_spec_dst,
+        fl4.saddr = rt->rt_spec_dst;
-                                    .fl4_tos = RT_TOS(ip_hdr(skb)->tos),
+        fl4.flowi4_tos = RT_TOS(ip_hdr(skb)->tos);
-                                    .proto = IPPROTO_ICMP };
+        fl4.flowi4_proto = IPPROTO_ICMP;
-                security_skb_classify_flow(skb, &fl);
+        security_skb_classify_flow(skb, flowi4_to_flowi(&fl4));
-                if (ip_route_output_key(net, &rt, &fl))
+        rt = ip_route_output_key(net, &fl4);
-                        goto out_unlock;
+        if (IS_ERR(rt))
-        }
+                goto out_unlock;
-        if (icmpv4_xrlim_allow(net, rt, icmp_param->data.icmph.type,
+        if (icmpv4_xrlim_allow(net, rt, &fl4, icmp_param->data.icmph.type,
                               icmp_param->data.icmph.code))
-                icmp_push_reply(icmp_param, &ipc, &rt);
+                icmp_push_reply(icmp_param, &fl4, &ipc, &rt);
        ip_rt_put(rt);
 out_unlock:
        icmp_xmit_unlock(sk);
 }
+static struct rtable *icmp_route_lookup(struct net *net,
+                                        struct flowi4 *fl4,
+                                        struct sk_buff *skb_in,
+                                        const struct iphdr *iph,
+                                        __be32 saddr, u8 tos,
+                                        int type, int code,
+                                        struct icmp_bxm *param)
+{
+        struct rtable *rt, *rt2;
+        int err;
+        memset(fl4, 0, sizeof(*fl4));
+        fl4->daddr = (param->replyopts.opt.opt.srr ?
+                      param->replyopts.opt.opt.faddr : iph->saddr);
+        fl4->saddr = saddr;
+        fl4->flowi4_tos = RT_TOS(tos);
+        fl4->flowi4_proto = IPPROTO_ICMP;
+        fl4->fl4_icmp_type = type;
+        fl4->fl4_icmp_code = code;
+        security_skb_classify_flow(skb_in, flowi4_to_flowi(fl4));
+        rt = __ip_route_output_key(net, fl4);
+        if (IS_ERR(rt))
+                return rt;
+        /* No need to clone since we're just using its address. */
+        rt2 = rt;
+        rt = (struct rtable *) xfrm_lookup(net, &rt->dst,
+                                           flowi4_to_flowi(fl4), NULL, 0);
+        if (!IS_ERR(rt)) {
+                if (rt != rt2)
+                        return rt;
+        } else if (PTR_ERR(rt) == -EPERM) {
+                rt = NULL;
+        } else
+                return rt;
+        err = xfrm_decode_session_reverse(skb_in, flowi4_to_flowi(fl4), AF_INET);
+        if (err)
+                goto relookup_failed;
+        if (inet_addr_type(net, fl4->saddr) == RTN_LOCAL) {
+                rt2 = __ip_route_output_key(net, fl4);
+                if (IS_ERR(rt2))
+                        err = PTR_ERR(rt2);
+        } else {
+                struct flowi4 fl4_2 = {};
+                unsigned long orefdst;
+                fl4_2.daddr = fl4->saddr;
+                rt2 = ip_route_output_key(net, &fl4_2);
+                if (IS_ERR(rt2)) {
+                        err = PTR_ERR(rt2);
+                        goto relookup_failed;
+                }
+                /* Ugh! */
+                orefdst = skb_in->_skb_refdst; /* save old refdst */
+                err = ip_route_input(skb_in, fl4->daddr, fl4->saddr,
+                                     RT_TOS(tos), rt2->dst.dev);
+                dst_release(&rt2->dst);
+                rt2 = skb_rtable(skb_in);
+                skb_in->_skb_refdst = orefdst; /* restore old refdst */
+        }
+        if (err)
+                goto relookup_failed;
+        rt2 = (struct rtable *) xfrm_lookup(net, &rt2->dst,
+                                            flowi4_to_flowi(fl4), NULL,
+                                            XFRM_LOOKUP_ICMP);
+        if (!IS_ERR(rt2)) {
+                dst_release(&rt->dst);
+                rt = rt2;
+        } else if (PTR_ERR(rt2) == -EPERM) {
+                if (rt)
+                        dst_release(&rt->dst);
+                return rt2;
+        } else {
+                err = PTR_ERR(rt2);
+                goto relookup_failed;
+        }
+        return rt;
+relookup_failed:
+        if (rt)
+                return rt;
+        return ERR_PTR(err);
+}
 /*
 *      Send an ICMP message in response to a situation
@@ -421,6 +479,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
        struct icmp_bxm icmp_param;
        struct rtable *rt = skb_rtable(skb_in);
        struct ipcm_cookie ipc;
+        struct flowi4 fl4;
        __be32 saddr;
        u8  tos;
        struct net *net;
@@ -507,7 +566,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
                rcu_read_lock();
                if (rt_is_input_route(rt) &&
                    net->ipv4.sysctl_icmp_errors_use_inbound_ifaddr)
-                        dev = dev_get_by_index_rcu(net, rt->fl.iif);
+                        dev = dev_get_by_index_rcu(net, rt->rt_iif);
                if (dev)
                        saddr = inet_select_addr(dev, 0, RT_SCOPE_LINK);
@@ -520,7 +579,7 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
                                           IPTOS_PREC_INTERNETCONTROL) :
                                          iph->tos;
-        if (ip_options_echo(&icmp_param.replyopts, skb_in))
+        if (ip_options_echo(&icmp_param.replyopts.opt.opt, skb_in))
                goto out_unlock;
@@ -536,90 +595,15 @@ void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
        icmp_param.offset = skb_network_offset(skb_in);
        inet_sk(sk)->tos = tos;
        ipc.addr = iph->saddr;
-        ipc.opt = &icmp_param.replyopts;
+        ipc.opt = &icmp_param.replyopts.opt;
        ipc.tx_flags = 0;
-        {
+        rt = icmp_route_lookup(net, &fl4, skb_in, iph, saddr, tos,
-                struct flowi fl = {
+                               type, code, &icmp_param);
-                        .fl4_dst = icmp_param.replyopts.srr ?
+        if (IS_ERR(rt))
-                                   icmp_param.replyopts.faddr : iph->saddr,
+                goto out_unlock;
-                        .fl4_src = saddr,
-                        .fl4_tos = RT_TOS(tos),
-                        .proto = IPPROTO_ICMP,
-                        .fl_icmp_type = type,
-                        .fl_icmp_code = code,
-                };
-                int err;
-                struct rtable *rt2;
-                security_skb_classify_flow(skb_in, &fl);
-                if (__ip_route_output_key(net, &rt, &fl))
-                        goto out_unlock;
-                /* No need to clone since we're just using its address. */
-                rt2 = rt;
-                if (!fl.nl_u.ip4_u.saddr)
-                        fl.nl_u.ip4_u.saddr = rt->rt_src;
-                err = xfrm_lookup(net, (struct dst_entry **)&rt, &fl, NULL, 0);
-                switch (err) {
-                case 0:
-                        if (rt != rt2)
-                                goto route_done;
-                        break;
-                case -EPERM:
-                        rt = NULL;
-                        break;
-                default:
-                        goto out_unlock;
-                }
-                if (xfrm_decode_session_reverse(skb_in, &fl, AF_INET))
-                        goto relookup_failed;
-                if (inet_addr_type(net, fl.fl4_src) == RTN_LOCAL)
-                        err = __ip_route_output_key(net, &rt2, &fl);
-                else {
-                        struct flowi fl2 = {};
-                        unsigned long orefdst;
-                        fl2.fl4_dst = fl.fl4_src;
-                        if (ip_route_output_key(net, &rt2, &fl2))
-                                goto relookup_failed;
-                        /* Ugh! */
-                        orefdst = skb_in->_skb_refdst; /* save old refdst */
-                        err = ip_route_input(skb_in, fl.fl4_dst, fl.fl4_src,
-                                             RT_TOS(tos), rt2->dst.dev);
-                        dst_release(&rt2->dst);
-                        rt2 = skb_rtable(skb_in);
-                        skb_in->_skb_refdst = orefdst; /* restore old refdst */
-                }
-                if (err)
-                        goto relookup_failed;
-                err = xfrm_lookup(net, (struct dst_entry **)&rt2, &fl, NULL,
-                                  XFRM_LOOKUP_ICMP);
-                switch (err) {
-                case 0:
-                        dst_release(&rt->dst);
-                        rt = rt2;
-                        break;
-                case -EPERM:
-                        goto ende;
-                default:
-relookup_failed:
-                        if (!rt)
-                                goto out_unlock;
-                        break;
-                }
-        }
-route_done:
+        if (!icmpv4_xrlim_allow(net, rt, &fl4, type, code))
-        if (!icmpv4_xrlim_allow(net, rt, type, code))
                goto ende;
        /* RFC says return as much as we can without exceeding 576 bytes. */
@@ -627,7 +611,7 @@ route_done:
        room = dst_mtu(&rt->dst);
        if (room > 576)
                room = 576;
-        room -= sizeof(struct iphdr) + icmp_param.replyopts.optlen;
+        room -= sizeof(struct iphdr) + icmp_param.replyopts.opt.opt.optlen;
        room -= sizeof(struct icmphdr);
        icmp_param.data_len = skb_in->len - icmp_param.offset;
@@ -635,7 +619,7 @@ route_done:
                icmp_param.data_len = room;
        icmp_param.head_len = sizeof(struct icmphdr);
-        icmp_push_reply(&icmp_param, &ipc, &rt);
+        icmp_push_reply(&icmp_param, &fl4, &ipc, &rt);
 ende:
        ip_rt_put(rt);
 out_unlock:
@@ -651,7 +635,7 @@ EXPORT_SYMBOL(icmp_send);
 static void icmp_unreach(struct sk_buff *skb)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct icmphdr *icmph;
        int hash, protocol;
        const struct net_protocol *ipprot;
@@ -670,7 +654,7 @@ static void icmp_unreach(struct sk_buff *skb)
                goto out_err;
        icmph = icmp_hdr(skb);
-        iph   = (struct iphdr *)skb->data;
+        iph   = (const struct iphdr *)skb->data;
        if (iph->ihl < 5) /* Mangled header, drop. */
                goto out_err;
@@ -718,7 +702,7 @@ static void icmp_unreach(struct sk_buff *skb)
         */
        /*
-         *      Check the other end isnt violating RFC 1122. Some routers send
+         *      Check the other end isn't violating RFC 1122. Some routers send
         *      bogus responses to broadcast frames. If you see this message
         *      first check your netmask matches at both ends, if it does then
         *      get the other vendor to fix their kit.
@@ -743,7 +727,7 @@ static void icmp_unreach(struct sk_buff *skb)
        if (!pskb_may_pull(skb, iph->ihl * 4 + 8))
                goto out;
-        iph = (struct iphdr *)skb->data;
+        iph = (const struct iphdr *)skb->data;
        protocol = iph->protocol;
        /*
@@ -772,7 +756,7 @@ out_err:
 static void icmp_redirect(struct sk_buff *skb)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        if (skb->len < sizeof(struct iphdr))
                goto out_err;
@@ -783,7 +767,7 @@ static void icmp_redirect(struct sk_buff *skb)
        if (!pskb_may_pull(skb, sizeof(struct iphdr)))
                goto out;
-        iph = (struct iphdr *)skb->data;
+        iph = (const struct iphdr *)skb->data;
        switch (icmp_hdr(skb)->code & 7) {
        case ICMP_REDIR_NET:
@@ -798,6 +782,15 @@ static void icmp_redirect(struct sk_buff *skb)
                               iph->saddr, skb->dev);
                break;
        }
+        /* Ping wants to see redirects.
+         * Let's pretend they are errors of sorts... */
+        if (iph->protocol == IPPROTO_ICMP &&
+            iph->ihl >= 5 &&
+            pskb_may_pull(skb, (iph->ihl<<2)+8)) {
+                ping_err(skb, icmp_hdr(skb)->un.gateway);
+        }
 out:
        return;
 out_err:
@@ -947,12 +940,12 @@ static void icmp_address_reply(struct sk_buff *skb)
                BUG_ON(mp == NULL);
                for (ifa = in_dev->ifa_list; ifa; ifa = ifa->ifa_next) {
                        if (*mp == ifa->ifa_mask &&
-                            inet_ifa_match(rt->rt_src, ifa))
+                            inet_ifa_match(ip_hdr(skb)->saddr, ifa))
                                break;
                }
                if (!ifa && net_ratelimit()) {
                        printk(KERN_INFO "Wrong address mask %pI4 from %s/%pI4\n",
-                               mp, dev->name, &rt->rt_src);
+                               mp, dev->name, &ip_hdr(skb)->saddr);
                }
        }
 }
@@ -1058,7 +1051,7 @@ error:
 */
 static const struct icmp_control icmp_pointers[NR_ICMP_TYPES + 1] = {
        [ICMP_ECHOREPLY] = {
-                .handler = icmp_discard,
+                .handler = ping_rcv,
        },
        [1] = {
                .handler = icmp_discard,
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index e0e77e297de3..672e476c8c8a 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -149,17 +149,11 @@ static void ip_mc_clear_src(struct ip_mc_list *pmc);
 static int ip_mc_add_src(struct in_device *in_dev, __be32 *pmca, int sfmode,
                         int sfcount, __be32 *psfsrc, int delta);
-static void ip_mc_list_reclaim(struct rcu_head *head)
-{
-        kfree(container_of(head, struct ip_mc_list, rcu));
-}
 static void ip_ma_put(struct ip_mc_list *im)
 {
        if (atomic_dec_and_test(&im->refcnt)) {
                in_dev_put(im->interface);
-                call_rcu(&im->rcu, ip_mc_list_reclaim);
+                kfree_rcu(im, rcu);
        }
 }
@@ -309,6 +303,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
        struct iphdr *pip;
        struct igmpv3_report *pig;
        struct net *net = dev_net(dev);
+        struct flowi4 fl4;
        while (1) {
                skb = alloc_skb(size + LL_ALLOCATED_SPACE(dev),
@@ -321,18 +316,11 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
        }
        igmp_skb_size(skb) = size;
-        {
+        rt = ip_route_output_ports(net, &fl4, NULL, IGMPV3_ALL_MCR, 0,
-                struct flowi fl = { .oif = dev->ifindex,
+                                   0, 0,
-                                    .fl4_dst = IGMPV3_ALL_MCR,
+                                   IPPROTO_IGMP, 0, dev->ifindex);
-                                    .proto = IPPROTO_IGMP };
+        if (IS_ERR(rt)) {
-                if (ip_route_output_key(net, &rt, &fl)) {
-                        kfree_skb(skb);
-                        return NULL;
-                }
-        }
-        if (rt->rt_src == 0) {
                kfree_skb(skb);
-                ip_rt_put(rt);
                return NULL;
        }
@@ -350,8 +338,8 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
        pip->tos      = 0xc0;
        pip->frag_off = htons(IP_DF);
        pip->ttl      = 1;
-        pip->daddr    = rt->rt_dst;
+        pip->daddr    = fl4.daddr;
-        pip->saddr    = rt->rt_src;
+        pip->saddr    = fl4.saddr;
        pip->protocol = IPPROTO_IGMP;
        pip->tot_len  = 0;      /* filled in later */
        ip_select_ident(pip, &rt->dst, NULL);
@@ -657,6 +645,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
        struct net_device *dev = in_dev->dev;
        struct net *net = dev_net(dev);
        __be32  group = pmc ? pmc->multiaddr : 0;
+        struct flowi4 fl4;
        __be32  dst;
        if (type == IGMPV3_HOST_MEMBERSHIP_REPORT)
@@ -666,17 +655,11 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
        else
                dst = group;
-        {
+        rt = ip_route_output_ports(net, &fl4, NULL, dst, 0,
-                struct flowi fl = { .oif = dev->ifindex,
+                                   0, 0,
-                                    .fl4_dst = dst,
+                                   IPPROTO_IGMP, 0, dev->ifindex);
-                                    .proto = IPPROTO_IGMP };
+        if (IS_ERR(rt))
-                if (ip_route_output_key(net, &rt, &fl))
-                        return -1;
-        }
-        if (rt->rt_src == 0) {
-                ip_rt_put(rt);
                return -1;
-        }
        skb = alloc_skb(IGMP_SIZE+LL_ALLOCATED_SPACE(dev), GFP_ATOMIC);
        if (skb == NULL) {
@@ -698,7 +681,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
        iph->frag_off = htons(IP_DF);
        iph->ttl      = 1;
        iph->daddr    = dst;
-        iph->saddr    = rt->rt_src;
+        iph->saddr    = fl4.saddr;
        iph->protocol = IPPROTO_IGMP;
        ip_select_ident(iph, &rt->dst, NULL);
        ((u8*)&iph[1])[0] = IPOPT_RA;
@@ -1439,8 +1422,6 @@ void ip_mc_destroy_dev(struct in_device *in_dev)
 /* RTNL is locked */
 static struct in_device *ip_mc_find_dev(struct net *net, struct ip_mreqn *imr)
 {
-        struct flowi fl = { .fl4_dst = imr->imr_multiaddr.s_addr };
-        struct rtable *rt;
        struct net_device *dev = NULL;
        struct in_device *idev = NULL;
@@ -1454,9 +1435,14 @@ static struct in_device *ip_mc_find_dev(struct net *net, struct ip_mreqn *imr)
                        return NULL;
        }
-        if (!dev && !ip_route_output_key(net, &rt, &fl)) {
+        if (!dev) {
-                dev = rt->dst.dev;
+                struct rtable *rt = ip_route_output(net,
-                ip_rt_put(rt);
+                                                    imr->imr_multiaddr.s_addr,
+                                                    0, 0, 0);
+                if (!IS_ERR(rt)) {
+                        dev = rt->dst.dev;
+                        ip_rt_put(rt);
+                }
        }
        if (dev) {
                imr->imr_ifindex = dev->ifindex;
@@ -1836,12 +1822,6 @@ done:
 }
 EXPORT_SYMBOL(ip_mc_join_group);
-static void ip_sf_socklist_reclaim(struct rcu_head *rp)
-{
-        kfree(container_of(rp, struct ip_sf_socklist, rcu));
-        /* sk_omem_alloc should have been decreased by the caller*/
-}
 static int ip_mc_leave_src(struct sock *sk, struct ip_mc_socklist *iml,
                           struct in_device *in_dev)
 {
@@ -1858,18 +1838,10 @@ static int ip_mc_leave_src(struct sock *sk, struct ip_mc_socklist *iml,
        rcu_assign_pointer(iml->sflist, NULL);
        /* decrease mem now to avoid the memleak warning */
        atomic_sub(IP_SFLSIZE(psf->sl_max), &sk->sk_omem_alloc);
-        call_rcu(&psf->rcu, ip_sf_socklist_reclaim);
+        kfree_rcu(psf, rcu);
        return err;
 }
-static void ip_mc_socklist_reclaim(struct rcu_head *rp)
-{
-        kfree(container_of(rp, struct ip_mc_socklist, rcu));
-        /* sk_omem_alloc should have been decreased by the caller*/
-}
 /*
 *      Ask a socket to leave a group.
 */
@@ -1909,7 +1881,7 @@ int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr)
                rtnl_unlock();
                /* decrease mem now to avoid the memleak warning */
                atomic_sub(sizeof(*iml), &sk->sk_omem_alloc);
-                call_rcu(&iml->rcu, ip_mc_socklist_reclaim);
+                kfree_rcu(iml, rcu);
                return 0;
        }
        if (!in_dev)
@@ -2026,7 +1998,7 @@ int ip_mc_source(int add, int omode, struct sock *sk, struct
                                newpsl->sl_addr[i] = psl->sl_addr[i];
                        /* decrease mem now to avoid the memleak warning */
                        atomic_sub(IP_SFLSIZE(psl->sl_max), &sk->sk_omem_alloc);
-                        call_rcu(&psl->rcu, ip_sf_socklist_reclaim);
+                        kfree_rcu(psl, rcu);
                }
                rcu_assign_pointer(pmc->sflist, newpsl);
                psl = newpsl;
@@ -2127,7 +2099,7 @@ int ip_mc_msfilter(struct sock *sk, struct ip_msfilter *msf, int ifindex)
                        psl->sl_count, psl->sl_addr, 0);
                /* decrease mem now to avoid the memleak warning */
                atomic_sub(IP_SFLSIZE(psl->sl_max), &sk->sk_omem_alloc);
-                call_rcu(&psl->rcu, ip_sf_socklist_reclaim);
+                kfree_rcu(psl, rcu);
        } else
                (void) ip_mc_del_src(in_dev, &msf->imsf_multiaddr, pmc->sfmode,
                        0, NULL, 0);
@@ -2324,18 +2296,18 @@ void ip_mc_drop_socket(struct sock *sk)
                        ip_mc_dec_group(in_dev, iml->multi.imr_multiaddr.s_addr);
                /* decrease mem now to avoid the memleak warning */
                atomic_sub(sizeof(*iml), &sk->sk_omem_alloc);
-                call_rcu(&iml->rcu, ip_mc_socklist_reclaim);
+                kfree_rcu(iml, rcu);
        }
        rtnl_unlock();
 }
-int ip_check_mc(struct in_device *in_dev, __be32 mc_addr, __be32 src_addr, u16 proto)
+/* called with rcu_read_lock() */
+int ip_check_mc_rcu(struct in_device *in_dev, __be32 mc_addr, __be32 src_addr, u16 proto)
 {
        struct ip_mc_list *im;
        struct ip_sf_list *psf;
        int rv = 0;
-        rcu_read_lock();
        for_each_pmc_rcu(in_dev, im) {
                if (im->multiaddr == mc_addr)
                        break;
@@ -2357,7 +2329,6 @@ int ip_check_mc(struct in_device *in_dev, __be32 mc_addr, __be32 src_addr, u16 p
                } else
                        rv = 1; /* unspecified source; tentatively allow */
        }
-        rcu_read_unlock();
        return rv;
 }
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 97e5fb765265..61fac4cabc78 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -73,7 +73,7 @@ int inet_csk_bind_conflict(const struct sock *sk,
                     !sk2->sk_bound_dev_if ||
                     sk->sk_bound_dev_if == sk2->sk_bound_dev_if)) {
                        if (!reuse || !sk2->sk_reuse ||
-                            ((1 << sk2->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))) {
+                            sk2->sk_state == TCP_LISTEN) {
                                const __be32 sk2_rcv_saddr = sk_rcv_saddr(sk2);
                                if (!sk2_rcv_saddr || !sk_rcv_saddr(sk) ||
                                    sk2_rcv_saddr == sk_rcv_saddr(sk))
@@ -122,8 +122,7 @@ again:
                                            (tb->num_owners < smallest_size || smallest_size == -1)) {
                                                smallest_size = tb->num_owners;
                                                smallest_rover = rover;
-                                                if (atomic_read(&hashinfo->bsockets) > (high - low) + 1 &&
+                                                if (atomic_read(&hashinfo->bsockets) > (high - low) + 1) {
-                                                    !inet_csk(sk)->icsk_af_ops->bind_conflict(sk, tb)) {
                                                        spin_unlock(&head->lock);
                                                        snum = smallest_rover;
                                                        goto have_snum;
@@ -351,27 +350,24 @@ void inet_csk_reset_keepalive_timer(struct sock *sk, unsigned long len)
 EXPORT_SYMBOL(inet_csk_reset_keepalive_timer);
 struct dst_entry *inet_csk_route_req(struct sock *sk,
+                                     struct flowi4 *fl4,
                                     const struct request_sock *req)
 {
        struct rtable *rt;
        const struct inet_request_sock *ireq = inet_rsk(req);
-        struct ip_options *opt = inet_rsk(req)->opt;
+        struct ip_options_rcu *opt = inet_rsk(req)->opt;
-        struct flowi fl = { .oif = sk->sk_bound_dev_if,
-                            .mark = sk->sk_mark,
-                            .fl4_dst = ((opt && opt->srr) ?
-                                          opt->faddr : ireq->rmt_addr),
-                            .fl4_src = ireq->loc_addr,
-                            .fl4_tos = RT_CONN_FLAGS(sk),
-                            .proto = sk->sk_protocol,
-                            .flags = inet_sk_flowi_flags(sk),
-                            .fl_ip_sport = inet_sk(sk)->inet_sport,
-                            .fl_ip_dport = ireq->rmt_port };
        struct net *net = sock_net(sk);
-        security_req_classify_flow(req, &fl);
+        flowi4_init_output(fl4, sk->sk_bound_dev_if, sk->sk_mark,
-        if (ip_route_output_flow(net, &rt, &fl, sk, 0))
+                           RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE,
+                           sk->sk_protocol, inet_sk_flowi_flags(sk),
+                           (opt && opt->opt.srr) ? opt->opt.faddr : ireq->rmt_addr,
+                           ireq->loc_addr, ireq->rmt_port, inet_sk(sk)->inet_sport);
+        security_req_classify_flow(req, flowi4_to_flowi(fl4));
+        rt = ip_route_output_flow(net, fl4, sk);
+        if (IS_ERR(rt))
                goto no_route;
-        if (opt && opt->is_strictroute && rt->rt_dst != rt->rt_gateway)
+        if (opt && opt->opt.is_strictroute && fl4->daddr != rt->rt_gateway)
                goto route_err;
        return &rt->dst;
@@ -383,6 +379,39 @@ no_route:
 }
 EXPORT_SYMBOL_GPL(inet_csk_route_req);
+struct dst_entry *inet_csk_route_child_sock(struct sock *sk,
+                                            struct sock *newsk,
+                                            const struct request_sock *req)
+{
+        const struct inet_request_sock *ireq = inet_rsk(req);
+        struct inet_sock *newinet = inet_sk(newsk);
+        struct ip_options_rcu *opt = ireq->opt;
+        struct net *net = sock_net(sk);
+        struct flowi4 *fl4;
+        struct rtable *rt;
+        fl4 = &newinet->cork.fl.u.ip4;
+        flowi4_init_output(fl4, sk->sk_bound_dev_if, sk->sk_mark,
+                           RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE,
+                           sk->sk_protocol, inet_sk_flowi_flags(sk),
+                           (opt && opt->opt.srr) ? opt->opt.faddr : ireq->rmt_addr,
+                           ireq->loc_addr, ireq->rmt_port, inet_sk(sk)->inet_sport);
+        security_req_classify_flow(req, flowi4_to_flowi(fl4));
+        rt = ip_route_output_flow(net, fl4, sk);
+        if (IS_ERR(rt))
+                goto no_route;
+        if (opt && opt->opt.is_strictroute && fl4->daddr != rt->rt_gateway)
+                goto route_err;
+        return &rt->dst;
+route_err:
+        ip_rt_put(rt);
+no_route:
+        IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
+        return NULL;
+}
+EXPORT_SYMBOL_GPL(inet_csk_route_child_sock);
 static inline u32 inet_synq_hash(const __be32 raddr, const __be16 rport,
                                 const u32 rnd, const u32 synq_hsize)
 {
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 2ada17129fce..6ffe94ca5bc9 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -124,7 +124,7 @@ static int inet_csk_diag_fill(struct sock *sk,
 #if defined(CONFIG_IPV6) || defined (CONFIG_IPV6_MODULE)
        if (r->idiag_family == AF_INET6) {
-                struct ipv6_pinfo *np = inet6_sk(sk);
+                const struct ipv6_pinfo *np = inet6_sk(sk);
                ipv6_addr_copy((struct in6_addr *)r->id.idiag_src,
                               &np->rcv_saddr);
diff --git a/net/ipv4/inet_lro.c b/net/ipv4/inet_lro.c
index 47038cb6c138..85a0f75dae64 100644
--- a/net/ipv4/inet_lro.c
+++ b/net/ipv4/inet_lro.c
@@ -51,8 +51,8 @@ MODULE_DESCRIPTION("Large Receive Offload (ipv4 / tcp)");
 * Basic tcp checks whether packet is suitable for LRO
 */
-static int lro_tcp_ip_check(struct iphdr *iph, struct tcphdr *tcph,
+static int lro_tcp_ip_check(const struct iphdr *iph, const struct tcphdr *tcph,
-                            int len, struct net_lro_desc *lro_desc)
+                            int len, const struct net_lro_desc *lro_desc)
 {
        /* check ip header: don't aggregate padded frames */
        if (ntohs(iph->tot_len) != len)
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
index a96e65674ac3..9df4e635fb5f 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -81,19 +81,19 @@ static const struct inet_peer peer_fake_node = {
 struct inet_peer_base {
        struct inet_peer __rcu *root;
-        spinlock_t      lock;
+        seqlock_t       lock;
        int             total;
 };
 static struct inet_peer_base v4_peers = {
        .root           = peer_avl_empty_rcu,
-        .lock           = __SPIN_LOCK_UNLOCKED(v4_peers.lock),
+        .lock           = __SEQLOCK_UNLOCKED(v4_peers.lock),
        .total          = 0,
 };
 static struct inet_peer_base v6_peers = {
        .root           = peer_avl_empty_rcu,
-        .lock           = __SPIN_LOCK_UNLOCKED(v6_peers.lock),
+        .lock           = __SEQLOCK_UNLOCKED(v6_peers.lock),
        .total          = 0,
 };
@@ -167,9 +167,9 @@ static int addr_compare(const struct inetpeer_addr *a,
        int i, n = (a->family == AF_INET ? 1 : 4);
        for (i = 0; i < n; i++) {
-                if (a->a6[i] == b->a6[i])
+                if (a->addr.a6[i] == b->addr.a6[i])
                        continue;
-                if (a->a6[i] < b->a6[i])
+                if (a->addr.a6[i] < b->addr.a6[i])
                        return -1;
                return 1;
        }
@@ -177,6 +177,9 @@ static int addr_compare(const struct inetpeer_addr *a,
        return 0;
 }
+#define rcu_deref_locked(X, BASE)                               \
+        rcu_dereference_protected(X, lockdep_is_held(&(BASE)->lock.lock))
 /*
 * Called with local BH disabled and the pool lock held.
 */
@@ -187,8 +190,7 @@ static int addr_compare(const struct inetpeer_addr *a,
                                                                \
        stackptr = _stack;                                      \
        *stackptr++ = &_base->root;                             \
-        for (u = rcu_dereference_protected(_base->root,         \
+        for (u = rcu_deref_locked(_base->root, _base);          \
-                        lockdep_is_held(&_base->lock));         \
             u != peer_avl_empty; ) {                           \
                int cmp = addr_compare(_daddr, &u->daddr);      \
                if (cmp == 0)                                   \
@@ -198,23 +200,22 @@ static int addr_compare(const struct inetpeer_addr *a,
                else                                            \
                        v = &u->avl_right;                      \
                *stackptr++ = v;                                \
-                u = rcu_dereference_protected(*v,               \
+                u = rcu_deref_locked(*v, _base);                \
-                        lockdep_is_held(&_base->lock));         \
        }                                                       \
        u;                                                      \
 })
 /*
- * Called with rcu_read_lock_bh()
+ * Called with rcu_read_lock()
 * Because we hold no lock against a writer, its quite possible we fall
 * in an endless loop.
 * But every pointer we follow is guaranteed to be valid thanks to RCU.
 * We exit from this function if number of links exceeds PEER_MAXDEPTH
 */
-static struct inet_peer *lookup_rcu_bh(const struct inetpeer_addr *daddr,
+static struct inet_peer *lookup_rcu(const struct inetpeer_addr *daddr,
-                                       struct inet_peer_base *base)
+                                    struct inet_peer_base *base)
 {
-        struct inet_peer *u = rcu_dereference_bh(base->root);
+        struct inet_peer *u = rcu_dereference(base->root);
        int count = 0;
        while (u != peer_avl_empty) {
@@ -230,9 +231,9 @@ static struct inet_peer *lookup_rcu_bh(const struct inetpeer_addr *daddr,
                        return u;
                }
                if (cmp == -1)
-                        u = rcu_dereference_bh(u->avl_left);
+                        u = rcu_dereference(u->avl_left);
                else
-                        u = rcu_dereference_bh(u->avl_right);
+                        u = rcu_dereference(u->avl_right);
                if (unlikely(++count == PEER_MAXDEPTH))
                        break;
        }
@@ -246,13 +247,11 @@ static struct inet_peer *lookup_rcu_bh(const struct inetpeer_addr *daddr,
        struct inet_peer __rcu **v;                             \
        *stackptr++ = &start->avl_left;                         \
        v = &start->avl_left;                                   \
-        for (u = rcu_dereference_protected(*v,                  \
+        for (u = rcu_deref_locked(*v, base);                    \
-                        lockdep_is_held(&base->lock));          \
             u->avl_right != peer_avl_empty_rcu; ) {            \
                v = &u->avl_right;                              \
                *stackptr++ = v;                                \
-                u = rcu_dereference_protected(*v,               \
+                u = rcu_deref_locked(*v, base);                 \
-                        lockdep_is_held(&base->lock));          \
        }                                                       \
        u;                                                      \
 })
@@ -271,21 +270,16 @@ static void peer_avl_rebalance(struct inet_peer __rcu **stack[],
        while (stackend > stack) {
                nodep = *--stackend;
-                node = rcu_dereference_protected(*nodep,
+                node = rcu_deref_locked(*nodep, base);
-                                lockdep_is_held(&base->lock));
+                l = rcu_deref_locked(node->avl_left, base);
-                l = rcu_dereference_protected(node->avl_left,
+                r = rcu_deref_locked(node->avl_right, base);
-                                lockdep_is_held(&base->lock));
-                r = rcu_dereference_protected(node->avl_right,
-                                lockdep_is_held(&base->lock));
                lh = node_height(l);
                rh = node_height(r);
                if (lh > rh + 1) { /* l: RH+2 */
                        struct inet_peer *ll, *lr, *lrl, *lrr;
                        int lrh;
-                        ll = rcu_dereference_protected(l->avl_left,
+                        ll = rcu_deref_locked(l->avl_left, base);
-                                lockdep_is_held(&base->lock));
+                        lr = rcu_deref_locked(l->avl_right, base);
-                        lr = rcu_dereference_protected(l->avl_right,
-                                lockdep_is_held(&base->lock));
                        lrh = node_height(lr);
                        if (lrh <= node_height(ll)) {   /* ll: RH+1 */
                                RCU_INIT_POINTER(node->avl_left, lr);   /* lr: RH or RH+1 */
@@ -296,10 +290,8 @@ static void peer_avl_rebalance(struct inet_peer __rcu **stack[],
                                l->avl_height = node->avl_height + 1;
                                RCU_INIT_POINTER(*nodep, l);
                        } else { /* ll: RH, lr: RH+1 */
-                                lrl = rcu_dereference_protected(lr->avl_left,
+                                lrl = rcu_deref_locked(lr->avl_left, base);/* lrl: RH or RH-1 */
-                                        lockdep_is_held(&base->lock));  /* lrl: RH or RH-1 */
+                                lrr = rcu_deref_locked(lr->avl_right, base);/* lrr: RH or RH-1 */
-                                lrr = rcu_dereference_protected(lr->avl_right,
-                                        lockdep_is_held(&base->lock));  /* lrr: RH or RH-1 */
                                RCU_INIT_POINTER(node->avl_left, lrr);  /* lrr: RH or RH-1 */
                                RCU_INIT_POINTER(node->avl_right, r);   /* r: RH */
                                node->avl_height = rh + 1; /* node: RH+1 */
@@ -314,10 +306,8 @@ static void peer_avl_rebalance(struct inet_peer __rcu **stack[],
                } else if (rh > lh + 1) { /* r: LH+2 */
                        struct inet_peer *rr, *rl, *rlr, *rll;
                        int rlh;
-                        rr = rcu_dereference_protected(r->avl_right,
+                        rr = rcu_deref_locked(r->avl_right, base);
-                                lockdep_is_held(&base->lock));
+                        rl = rcu_deref_locked(r->avl_left, base);
-                        rl = rcu_dereference_protected(r->avl_left,
-                                lockdep_is_held(&base->lock));
                        rlh = node_height(rl);
                        if (rlh <= node_height(rr)) {   /* rr: LH+1 */
                                RCU_INIT_POINTER(node->avl_right, rl);  /* rl: LH or LH+1 */
@@ -328,10 +318,8 @@ static void peer_avl_rebalance(struct inet_peer __rcu **stack[],
                                r->avl_height = node->avl_height + 1;
                                RCU_INIT_POINTER(*nodep, r);
                        } else { /* rr: RH, rl: RH+1 */
-                                rlr = rcu_dereference_protected(rl->avl_right,
+                                rlr = rcu_deref_locked(rl->avl_right, base);/* rlr: LH or LH-1 */
-                                        lockdep_is_held(&base->lock));  /* rlr: LH or LH-1 */
+                                rll = rcu_deref_locked(rl->avl_left, base);/* rll: LH or LH-1 */
-                                rll = rcu_dereference_protected(rl->avl_left,
-                                        lockdep_is_held(&base->lock));  /* rll: LH or LH-1 */
                                RCU_INIT_POINTER(node->avl_right, rll); /* rll: LH or LH-1 */
                                RCU_INIT_POINTER(node->avl_left, l);    /* l: LH */
                                node->avl_height = lh + 1; /* node: LH+1 */
@@ -366,13 +354,14 @@ static void inetpeer_free_rcu(struct rcu_head *head)
 }
 /* May be called with local BH enabled. */
-static void unlink_from_pool(struct inet_peer *p, struct inet_peer_base *base)
+static void unlink_from_pool(struct inet_peer *p, struct inet_peer_base *base,
+                             struct inet_peer __rcu **stack[PEER_MAXDEPTH])
 {
        int do_free;
        do_free = 0;
-        spin_lock_bh(&base->lock);
+        write_seqlock_bh(&base->lock);
        /* Check the reference counter.  It was artificially incremented by 1
         * in cleanup() function to prevent sudden disappearing.  If we can
         * atomically (because of lockless readers) take this last reference,
@@ -380,7 +369,6 @@ static void unlink_from_pool(struct inet_peer *p, struct inet_peer_base *base)
         * We use refcnt=-1 to alert lockless readers this entry is deleted.
         */
        if (atomic_cmpxchg(&p->refcnt, 1, -1) == 1) {
-                struct inet_peer __rcu **stack[PEER_MAXDEPTH];
                struct inet_peer __rcu ***stackptr, ***delp;
                if (lookup(&p->daddr, stack, base) != p)
                        BUG();
@@ -392,8 +380,7 @@ static void unlink_from_pool(struct inet_peer *p, struct inet_peer_base *base)
                        /* look for a node to insert instead of p */
                        struct inet_peer *t;
                        t = lookup_rightempty(p, base);
-                        BUG_ON(rcu_dereference_protected(*stackptr[-1],
+                        BUG_ON(rcu_deref_locked(*stackptr[-1], base) != t);
-                                        lockdep_is_held(&base->lock)) != t);
                        **--stackptr = t->avl_left;
                        /* t is removed, t->daddr > x->daddr for any
                         * x in p->avl_left subtree.
@@ -409,10 +396,10 @@ static void unlink_from_pool(struct inet_peer *p, struct inet_peer_base *base)
                base->total--;
                do_free = 1;
        }
-        spin_unlock_bh(&base->lock);
+        write_sequnlock_bh(&base->lock);
        if (do_free)
-                call_rcu_bh(&p->rcu, inetpeer_free_rcu);
+                call_rcu(&p->rcu, inetpeer_free_rcu);
        else
                /* The node is used again.  Decrease the reference counter
                 * back.  The loop "cleanup -> unlink_from_unused
@@ -435,7 +422,7 @@ static struct inet_peer_base *peer_to_base(struct inet_peer *p)
 }
 /* May be called with local BH enabled. */
-static int cleanup_once(unsigned long ttl)
+static int cleanup_once(unsigned long ttl, struct inet_peer __rcu **stack[PEER_MAXDEPTH])
 {
        struct inet_peer *p = NULL;
@@ -467,7 +454,7 @@ static int cleanup_once(unsigned long ttl)
                 * happen because of entry limits in route cache. */
                return -1;
-        unlink_from_pool(p, peer_to_base(p));
+        unlink_from_pool(p, peer_to_base(p), stack);
        return 0;
 }
@@ -477,13 +464,17 @@ struct inet_peer *inet_getpeer(struct inetpeer_addr *daddr, int create)
        struct inet_peer __rcu **stack[PEER_MAXDEPTH], ***stackptr;
        struct inet_peer_base *base = family_to_base(daddr->family);
        struct inet_peer *p;
+        unsigned int sequence;
+        int invalidated;
        /* Look up for the address quickly, lockless.
         * Because of a concurrent writer, we might not find an existing entry.
         */
-        rcu_read_lock_bh();
+        rcu_read_lock();
-        p = lookup_rcu_bh(daddr, base);
+        sequence = read_seqbegin(&base->lock);
-        rcu_read_unlock_bh();
+        p = lookup_rcu(daddr, base);
+        invalidated = read_seqretry(&base->lock, sequence);
+        rcu_read_unlock();
        if (p) {
                /* The existing node has been found.
@@ -493,14 +484,18 @@ struct inet_peer *inet_getpeer(struct inetpeer_addr *daddr, int create)
                return p;
        }
+        /* If no writer did a change during our lookup, we can return early. */
+        if (!create && !invalidated)
+                return NULL;
        /* retry an exact lookup, taking the lock before.
         * At least, nodes should be hot in our cache.
         */
-        spin_lock_bh(&base->lock);
+        write_seqlock_bh(&base->lock);
        p = lookup(daddr, stack, base);
        if (p != peer_avl_empty) {
                atomic_inc(&p->refcnt);
-                spin_unlock_bh(&base->lock);
+                write_sequnlock_bh(&base->lock);
                /* Remove the entry from unused list if it was there. */
                unlink_from_unused(p);
                return p;
@@ -510,8 +505,14 @@ struct inet_peer *inet_getpeer(struct inetpeer_addr *daddr, int create)
                p->daddr = *daddr;
                atomic_set(&p->refcnt, 1);
                atomic_set(&p->rid, 0);
-                atomic_set(&p->ip_id_count, secure_ip_id(daddr->a4));
+                atomic_set(&p->ip_id_count, secure_ip_id(daddr->addr.a4));
                p->tcp_ts_stamp = 0;
+                p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
+                p->rate_tokens = 0;
+                p->rate_last = 0;
+                p->pmtu_expires = 0;
+                p->pmtu_orig = 0;
+                memset(&p->redirect_learned, 0, sizeof(p->redirect_learned));
                INIT_LIST_HEAD(&p->unused);
@@ -519,11 +520,11 @@ struct inet_peer *inet_getpeer(struct inetpeer_addr *daddr, int create)
                link_to_pool(p, base);
                base->total++;
        }
-        spin_unlock_bh(&base->lock);
+        write_sequnlock_bh(&base->lock);
        if (base->total >= inet_peer_threshold)
                /* Remove one less-recently-used entry. */
-                cleanup_once(0);
+                cleanup_once(0, stack);
        return p;
 }
@@ -539,6 +540,7 @@ static void peer_check_expire(unsigned long dummy)
 {
        unsigned long now = jiffies;
        int ttl, total;
+        struct inet_peer __rcu **stack[PEER_MAXDEPTH];
        total = compute_total();
        if (total >= inet_peer_threshold)
@@ -547,7 +549,7 @@ static void peer_check_expire(unsigned long dummy)
                ttl = inet_peer_maxttl
                                - (inet_peer_maxttl - inet_peer_minttl) / HZ *
                                        total / inet_peer_threshold * HZ;
-        while (!cleanup_once(ttl)) {
+        while (!cleanup_once(ttl, stack)) {
                if (jiffies != now)
                        break;
        }
@@ -579,3 +581,44 @@ void inet_putpeer(struct inet_peer *p)
        local_bh_enable();
 }
 EXPORT_SYMBOL_GPL(inet_putpeer);
+/*
+ *      Check transmit rate limitation for given message.
+ *      The rate information is held in the inet_peer entries now.
+ *      This function is generic and could be used for other purposes
+ *      too. It uses a Token bucket filter as suggested by Alexey Kuznetsov.
+ *
+ *      Note that the same inet_peer fields are modified by functions in
+ *      route.c too, but these work for packet destinations while xrlim_allow
+ *      works for icmp destinations. This means the rate limiting information
+ *      for one "ip object" is shared - and these ICMPs are twice limited:
+ *      by source and by destination.
+ *
+ *      RFC 1812: 4.3.2.8 SHOULD be able to limit error message rate
+ *                        SHOULD allow setting of rate limits
+ *
+ *      Shared between ICMPv4 and ICMPv6.
+ */
+#define XRLIM_BURST_FACTOR 6
+bool inet_peer_xrlim_allow(struct inet_peer *peer, int timeout)
+{
+        unsigned long now, token;
+        bool rc = false;
+        if (!peer)
+                return true;
+        token = peer->rate_tokens;
+        now = jiffies;
+        token += now - peer->rate_last;
+        peer->rate_last = now;
+        if (token > XRLIM_BURST_FACTOR * timeout)
+                token = XRLIM_BURST_FACTOR * timeout;
+        if (token >= timeout) {
+                token -= timeout;
+                rc = true;
+        }
+        peer->rate_tokens = token;
+        return rc;
+}
+EXPORT_SYMBOL(inet_peer_xrlim_allow);
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index 99461f09320f..3b34d1c86270 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -84,7 +84,7 @@ int ip_forward(struct sk_buff *skb)
        rt = skb_rtable(skb);
-        if (opt->is_strictroute && rt->rt_dst != rt->rt_gateway)
+        if (opt->is_strictroute && ip_hdr(skb)->daddr != rt->rt_gateway)
                goto sr_failed;
        if (unlikely(skb->len > dst_mtu(&rt->dst) && !skb_is_gso(skb) &&
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index a1151b8adf3c..0ad6035f6366 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -77,22 +77,40 @@ struct ipq {
        struct inet_peer *peer;
 };
-#define IPFRAG_ECN_CLEAR  0x01 /* one frag had INET_ECN_NOT_ECT */
+/* RFC 3168 support :
-#define IPFRAG_ECN_SET_CE 0x04 /* one frag had INET_ECN_CE */
+ * We want to check ECN values of all fragments, do detect invalid combinations.
+ * In ipq->ecn, we store the OR value of each ip4_frag_ecn() fragment value.
+ */
+#define IPFRAG_ECN_NOT_ECT      0x01 /* one frag had ECN_NOT_ECT */
+#define IPFRAG_ECN_ECT_1        0x02 /* one frag had ECN_ECT_1 */
+#define IPFRAG_ECN_ECT_0        0x04 /* one frag had ECN_ECT_0 */
+#define IPFRAG_ECN_CE           0x08 /* one frag had ECN_CE */
 static inline u8 ip4_frag_ecn(u8 tos)
 {
-        tos = (tos & INET_ECN_MASK) + 1;
+        return 1 << (tos & INET_ECN_MASK);
-        /*
-         * After the last operation we have (in binary):
-         * INET_ECN_NOT_ECT => 001
-         * INET_ECN_ECT_1   => 010
-         * INET_ECN_ECT_0   => 011
-         * INET_ECN_CE      => 100
-         */
-        return (tos & 2) ? 0 : tos;
 }
+/* Given the OR values of all fragments, apply RFC 3168 5.3 requirements
+ * Value : 0xff if frame should be dropped.
+ *         0 or INET_ECN_CE value, to be ORed in to final iph->tos field
+ */
+static const u8 ip4_frag_ecn_table[16] = {
+        /* at least one fragment had CE, and others ECT_0 or ECT_1 */
+        [IPFRAG_ECN_CE | IPFRAG_ECN_ECT_0]                      = INET_ECN_CE,
+        [IPFRAG_ECN_CE | IPFRAG_ECN_ECT_1]                      = INET_ECN_CE,
+        [IPFRAG_ECN_CE | IPFRAG_ECN_ECT_0 | IPFRAG_ECN_ECT_1]   = INET_ECN_CE,
+        /* invalid combinations : drop frame */
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_CE] = 0xff,
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_ECT_0] = 0xff,
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_ECT_1] = 0xff,
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_ECT_0 | IPFRAG_ECN_ECT_1] = 0xff,
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_CE | IPFRAG_ECN_ECT_0] = 0xff,
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_CE | IPFRAG_ECN_ECT_1] = 0xff,
+        [IPFRAG_ECN_NOT_ECT | IPFRAG_ECN_CE | IPFRAG_ECN_ECT_0 | IPFRAG_ECN_ECT_1] = 0xff,
+};
 static struct inet_frags ip4_frags;
 int ip_frag_nqueues(struct net *net)
@@ -223,31 +241,30 @@ static void ip_expire(unsigned long arg)
        if ((qp->q.last_in & INET_FRAG_FIRST_IN) && qp->q.fragments != NULL) {
                struct sk_buff *head = qp->q.fragments;
+                const struct iphdr *iph;
+                int err;
                rcu_read_lock();
                head->dev = dev_get_by_index_rcu(net, qp->iif);
                if (!head->dev)
                        goto out_rcu_unlock;
+                /* skb dst is stale, drop it, and perform route lookup again */
+                skb_dst_drop(head);
+                iph = ip_hdr(head);
+                err = ip_route_input_noref(head, iph->daddr, iph->saddr,
+                                           iph->tos, head->dev);
+                if (err)
+                        goto out_rcu_unlock;
                /*
-                 * Only search router table for the head fragment,
+                 * Only an end host needs to send an ICMP
-                 * when defraging timeout at PRE_ROUTING HOOK.
+                 * "Fragment Reassembly Timeout" message, per RFC792.
                 */
-                if (qp->user == IP_DEFRAG_CONNTRACK_IN && !skb_dst(head)) {
+                if (qp->user == IP_DEFRAG_CONNTRACK_IN &&
-                        const struct iphdr *iph = ip_hdr(head);
+                    skb_rtable(head)->rt_type != RTN_LOCAL)
-                        int err = ip_route_input(head, iph->daddr, iph->saddr,
+                        goto out_rcu_unlock;
-                                                 iph->tos, head->dev);
-                        if (unlikely(err))
-                                goto out_rcu_unlock;
-                        /*
-                         * Only an end host needs to send an ICMP
-                         * "Fragment Reassembly Timeout" message, per RFC792.
-                         */
-                        if (skb_rtable(head)->rt_type != RTN_LOCAL)
-                                goto out_rcu_unlock;
-                }
                /* Send an ICMP "Fragment Reassembly Timeout" message. */
                icmp_send(head, ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0);
@@ -525,9 +542,15 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
        int len;
        int ihlen;
        int err;
+        u8 ecn;
        ipq_kill(qp);
+        ecn = ip4_frag_ecn_table[qp->ecn];
+        if (unlikely(ecn == 0xff)) {
+                err = -EINVAL;
+                goto out_fail;
+        }
        /* Make the one we just received the head. */
        if (prev) {
                head = prev->next;
@@ -606,17 +629,7 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *prev,
        iph = ip_hdr(head);
        iph->frag_off = 0;
        iph->tot_len = htons(len);
-        /* RFC3168 5.3 Fragmentation support
+        iph->tos |= ecn;
-         * If one fragment had INET_ECN_NOT_ECT,
-         *      reassembled frame also has INET_ECN_NOT_ECT
-         * Elif one fragment had INET_ECN_CE
-         *      reassembled frame also has INET_ECN_CE
-         */
-        if (qp->ecn & IPFRAG_ECN_CLEAR)
-                iph->tos &= ~INET_ECN_MASK;
-        else if (qp->ecn & IPFRAG_ECN_SET_CE)
-                iph->tos |= INET_ECN_CE;
        IP_INC_STATS_BH(net, IPSTATS_MIB_REASMOKS);
        qp->q.fragments = NULL;
        qp->q.fragments_tail = NULL;
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 6613edfac28c..8871067560db 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -413,11 +413,6 @@ static struct ip_tunnel *ipgre_tunnel_locate(struct net *net,
        dev_net_set(dev, net);
-        if (strchr(name, '%')) {
-                if (dev_alloc_name(dev, name) < 0)
-                        goto failed_free;
-        }
        nt = netdev_priv(dev);
        nt->parms = *parms;
        dev->rtnl_link_ops = &ipgre_link_ops;
@@ -462,7 +457,7 @@ static void ipgre_err(struct sk_buff *skb, u32 info)
   by themself???
 */
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        __be16       *p = (__be16*)(skb->data+(iph->ihl<<2));
        int grehlen = (iph->ihl<<2) + 4;
        const int type = icmp_hdr(skb)->type;
@@ -534,7 +529,7 @@ out:
        rcu_read_unlock();
 }
-static inline void ipgre_ecn_decapsulate(struct iphdr *iph, struct sk_buff *skb)
+static inline void ipgre_ecn_decapsulate(const struct iphdr *iph, struct sk_buff *skb)
 {
        if (INET_ECN_is_ce(iph->tos)) {
                if (skb->protocol == htons(ETH_P_IP)) {
@@ -546,19 +541,19 @@ static inline void ipgre_ecn_decapsulate(struct iphdr *iph, struct sk_buff *skb)
 }
 static inline u8
-ipgre_ecn_encapsulate(u8 tos, struct iphdr *old_iph, struct sk_buff *skb)
+ipgre_ecn_encapsulate(u8 tos, const struct iphdr *old_iph, struct sk_buff *skb)
 {
        u8 inner = 0;
        if (skb->protocol == htons(ETH_P_IP))
                inner = old_iph->tos;
        else if (skb->protocol == htons(ETH_P_IPV6))
-                inner = ipv6_get_dsfield((struct ipv6hdr *)old_iph);
+                inner = ipv6_get_dsfield((const struct ipv6hdr *)old_iph);
        return INET_ECN_encapsulate(tos, inner);
 }
 static int ipgre_rcv(struct sk_buff *skb)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        u8     *h;
        __be16    flags;
        __sum16   csum = 0;
@@ -697,8 +692,9 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
 {
        struct ip_tunnel *tunnel = netdev_priv(dev);
        struct pcpu_tstats *tstats;
-        struct iphdr  *old_iph = ip_hdr(skb);
+        const struct iphdr  *old_iph = ip_hdr(skb);
-        struct iphdr  *tiph;
+        const struct iphdr  *tiph;
+        struct flowi4 fl4;
        u8     tos;
        __be16 df;
        struct rtable *rt;                      /* Route to the other host */
@@ -714,7 +710,7 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
        if (dev->header_ops && dev->type == ARPHRD_IPGRE) {
                gre_hlen = 0;
-                tiph = (struct iphdr *)skb->data;
+                tiph = (const struct iphdr *)skb->data;
        } else {
                gre_hlen = tunnel->hlen;
                tiph = &tunnel->parms.iph;
@@ -735,14 +731,14 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
                }
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
                else if (skb->protocol == htons(ETH_P_IPV6)) {
-                        struct in6_addr *addr6;
+                        const struct in6_addr *addr6;
                        int addr_type;
                        struct neighbour *neigh = skb_dst(skb)->neighbour;
                        if (neigh == NULL)
                                goto tx_error;
-                        addr6 = (struct in6_addr *)&neigh->primary_key;
+                        addr6 = (const struct in6_addr *)&neigh->primary_key;
                        addr_type = ipv6_addr_type(addr6);
                        if (addr_type == IPV6_ADDR_ANY) {
@@ -766,22 +762,15 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
                if (skb->protocol == htons(ETH_P_IP))
                        tos = old_iph->tos;
                else if (skb->protocol == htons(ETH_P_IPV6))
-                        tos = ipv6_get_dsfield((struct ipv6hdr *)old_iph);
+                        tos = ipv6_get_dsfield((const struct ipv6hdr *)old_iph);
        }
-        {
+        rt = ip_route_output_gre(dev_net(dev), &fl4, dst, tiph->saddr,
-                struct flowi fl = {
+                                 tunnel->parms.o_key, RT_TOS(tos),
-                        .oif = tunnel->parms.link,
+                                 tunnel->parms.link);
-                        .fl4_dst = dst,
+        if (IS_ERR(rt)) {
-                        .fl4_src = tiph->saddr,
+                dev->stats.tx_carrier_errors++;
-                        .fl4_tos = RT_TOS(tos),
+                goto tx_error;
-                        .proto = IPPROTO_GRE,
-                        .fl_gre_key = tunnel->parms.o_key
-                };
-                if (ip_route_output_key(dev_net(dev), &rt, &fl)) {
-                        dev->stats.tx_carrier_errors++;
-                        goto tx_error;
-                }
        }
        tdev = rt->dst.dev;
@@ -880,15 +869,15 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
        iph->frag_off           =       df;
        iph->protocol           =       IPPROTO_GRE;
        iph->tos                =       ipgre_ecn_encapsulate(tos, old_iph, skb);
-        iph->daddr              =       rt->rt_dst;
+        iph->daddr              =       fl4.daddr;
-        iph->saddr              =       rt->rt_src;
+        iph->saddr              =       fl4.saddr;
        if ((iph->ttl = tiph->ttl) == 0) {
                if (skb->protocol == htons(ETH_P_IP))
                        iph->ttl = old_iph->ttl;
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
                else if (skb->protocol == htons(ETH_P_IPV6))
-                        iph->ttl = ((struct ipv6hdr *)old_iph)->hop_limit;
+                        iph->ttl = ((const struct ipv6hdr *)old_iph)->hop_limit;
 #endif
                else
                        iph->ttl = ip4_dst_hoplimit(&rt->dst);
@@ -934,7 +923,7 @@ static int ipgre_tunnel_bind_dev(struct net_device *dev)
 {
        struct net_device *tdev = NULL;
        struct ip_tunnel *tunnel;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        int hlen = LL_MAX_HEADER;
        int mtu = ETH_DATA_LEN;
        int addend = sizeof(struct iphdr) + 4;
@@ -945,17 +934,15 @@ static int ipgre_tunnel_bind_dev(struct net_device *dev)
        /* Guess output device to choose reasonable mtu and needed_headroom */
        if (iph->daddr) {
-                struct flowi fl = {
+                struct flowi4 fl4;
-                        .oif = tunnel->parms.link,
-                        .fl4_dst = iph->daddr,
-                        .fl4_src = iph->saddr,
-                        .fl4_tos = RT_TOS(iph->tos),
-                        .proto = IPPROTO_GRE,
-                        .fl_gre_key = tunnel->parms.o_key
-                };
                struct rtable *rt;
-                if (!ip_route_output_key(dev_net(dev), &rt, &fl)) {
+                rt = ip_route_output_gre(dev_net(dev), &fl4,
+                                         iph->daddr, iph->saddr,
+                                         tunnel->parms.o_key,
+                                         RT_TOS(iph->tos),
+                                         tunnel->parms.link);
+                if (!IS_ERR(rt)) {
                        tdev = rt->dst.dev;
                        ip_rt_put(rt);
                }
@@ -1191,7 +1178,7 @@ static int ipgre_header(struct sk_buff *skb, struct net_device *dev,
 static int ipgre_header_parse(const struct sk_buff *skb, unsigned char *haddr)
 {
-        struct iphdr *iph = (struct iphdr *) skb_mac_header(skb);
+        const struct iphdr *iph = (const struct iphdr *) skb_mac_header(skb);
        memcpy(haddr, &iph->saddr, 4);
        return 4;
 }
@@ -1207,17 +1194,16 @@ static int ipgre_open(struct net_device *dev)
        struct ip_tunnel *t = netdev_priv(dev);
        if (ipv4_is_multicast(t->parms.iph.daddr)) {
-                struct flowi fl = {
+                struct flowi4 fl4;
-                        .oif = t->parms.link,
-                        .fl4_dst = t->parms.iph.daddr,
-                        .fl4_src = t->parms.iph.saddr,
-                        .fl4_tos = RT_TOS(t->parms.iph.tos),
-                        .proto = IPPROTO_GRE,
-                        .fl_gre_key = t->parms.o_key
-                };
                struct rtable *rt;
-                if (ip_route_output_key(dev_net(dev), &rt, &fl))
+                rt = ip_route_output_gre(dev_net(dev), &fl4,
+                                         t->parms.iph.daddr,
+                                         t->parms.iph.saddr,
+                                         t->parms.o_key,
+                                         RT_TOS(t->parms.iph.tos),
+                                         t->parms.link);
+                if (IS_ERR(rt))
                        return -EADDRNOTAVAIL;
                dev = rt->dst.dev;
                ip_rt_put(rt);
@@ -1765,4 +1751,4 @@ module_exit(ipgre_fini);
 MODULE_LICENSE("GPL");
 MODULE_ALIAS_RTNL_LINK("gre");
 MODULE_ALIAS_RTNL_LINK("gretap");
-MODULE_ALIAS("gre0");
+MODULE_ALIAS_NETDEV("gre0");
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index d859bcc26cb7..c8f48efc5fd3 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -268,7 +268,7 @@ int ip_local_deliver(struct sk_buff *skb)
 static inline int ip_rcv_options(struct sk_buff *skb)
 {
        struct ip_options *opt;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct net_device *dev = skb->dev;
        /* It looks as overkill, because not all
@@ -340,7 +340,7 @@ static int ip_rcv_finish(struct sk_buff *skb)
                }
        }
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
        if (unlikely(skb_dst(skb)->tclassid)) {
                struct ip_rt_acct *st = this_cpu_ptr(ip_rt_acct);
                u32 idx = skb_dst(skb)->tclassid;
@@ -374,7 +374,7 @@ drop:
 */
 int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        u32 len;
        /* When the interface is in promisc. mode, drop all the crap
diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index 1906fa35860c..c3118e1cd3bb 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -36,8 +36,8 @@
 * saddr is address of outgoing interface.
 */
-void ip_options_build(struct sk_buff * skb, struct ip_options * opt,
+void ip_options_build(struct sk_buff *skb, struct ip_options *opt,
-                            __be32 daddr, struct rtable *rt, int is_frag)
+                      __be32 daddr, struct rtable *rt, int is_frag)
 {
        unsigned char *iph = skb_network_header(skb);
@@ -50,9 +50,9 @@ void ip_options_build(struct sk_buff * skb, struct ip_options * opt,
        if (!is_frag) {
                if (opt->rr_needaddr)
-                        ip_rt_get_source(iph+opt->rr+iph[opt->rr+2]-5, rt);
+                        ip_rt_get_source(iph+opt->rr+iph[opt->rr+2]-5, skb, rt);
                if (opt->ts_needaddr)
-                        ip_rt_get_source(iph+opt->ts+iph[opt->ts+2]-9, rt);
+                        ip_rt_get_source(iph+opt->ts+iph[opt->ts+2]-9, skb, rt);
                if (opt->ts_needtime) {
                        struct timespec tv;
                        __be32 midtime;
@@ -83,9 +83,9 @@ void ip_options_build(struct sk_buff * skb, struct ip_options * opt,
 * NOTE: dopt cannot point to skb.
 */
-int ip_options_echo(struct ip_options * dopt, struct sk_buff * skb)
+int ip_options_echo(struct ip_options *dopt, struct sk_buff *skb)
 {
-        struct ip_options *sopt;
+        const struct ip_options *sopt;
        unsigned char *sptr, *dptr;
        int soffset, doffset;
        int     optlen;
@@ -95,10 +95,8 @@ int ip_options_echo(struct ip_options * dopt, struct sk_buff * skb)
        sopt = &(IPCB(skb)->opt);
-        if (sopt->optlen == 0) {
+        if (sopt->optlen == 0)
-                dopt->optlen = 0;
                return 0;
-        }
        sptr = skb_network_header(skb);
        dptr = dopt->__data;
@@ -140,11 +138,11 @@ int ip_options_echo(struct ip_options * dopt, struct sk_buff * skb)
                                } else {
                                        dopt->ts_needtime = 0;
-                                        if (soffset + 8 <= optlen) {
+                                        if (soffset + 7 <= optlen) {
                                                __be32 addr;
-                                                memcpy(&addr, sptr+soffset-1, 4);
+                                                memcpy(&addr, dptr+soffset-1, 4);
-                                                if (inet_addr_type(dev_net(skb_dst(skb)->dev), addr) != RTN_LOCAL) {
+                                                if (inet_addr_type(dev_net(skb_dst(skb)->dev), addr) != RTN_UNICAST) {
                                                        dopt->ts_needtime = 1;
                                                        soffset += 8;
                                                }
@@ -157,7 +155,7 @@ int ip_options_echo(struct ip_options * dopt, struct sk_buff * skb)
                dopt->optlen += optlen;
        }
        if (sopt->srr) {
-                unsigned char * start = sptr+sopt->srr;
+                unsigned char *start = sptr+sopt->srr;
                __be32 faddr;
                optlen  = start[1];
@@ -329,7 +327,7 @@ int ip_options_compile(struct net *net,
                                        pp_ptr = optptr + 2;
                                        goto error;
                                }
-                                if (skb) {
+                                if (rt) {
                                        memcpy(&optptr[optptr[2]-1], &rt->rt_spec_dst, 4);
                                        opt->is_changed = 1;
                                }
@@ -371,7 +369,7 @@ int ip_options_compile(struct net *net,
                                                goto error;
                                        }
                                        opt->ts = optptr - iph;
-                                        if (skb) {
+                                        if (rt)  {
                                                memcpy(&optptr[optptr[2]-1], &rt->rt_spec_dst, 4);
                                                timeptr = (__be32*)&optptr[optptr[2]+3];
                                        }
@@ -499,19 +497,19 @@ void ip_options_undo(struct ip_options * opt)
        }
 }
-static struct ip_options *ip_options_get_alloc(const int optlen)
+static struct ip_options_rcu *ip_options_get_alloc(const int optlen)
 {
-        return kzalloc(sizeof(struct ip_options) + ((optlen + 3) & ~3),
+        return kzalloc(sizeof(struct ip_options_rcu) + ((optlen + 3) & ~3),
                       GFP_KERNEL);
 }
-static int ip_options_get_finish(struct net *net, struct ip_options **optp,
+static int ip_options_get_finish(struct net *net, struct ip_options_rcu **optp,
-                                 struct ip_options *opt, int optlen)
+                                 struct ip_options_rcu *opt, int optlen)
 {
        while (optlen & 3)
-                opt->__data[optlen++] = IPOPT_END;
+                opt->opt.__data[optlen++] = IPOPT_END;
-        opt->optlen = optlen;
+        opt->opt.optlen = optlen;
-        if (optlen && ip_options_compile(net, opt, NULL)) {
+        if (optlen && ip_options_compile(net, &opt->opt, NULL)) {
                kfree(opt);
                return -EINVAL;
        }
@@ -520,29 +518,29 @@ static int ip_options_get_finish(struct net *net, struct ip_options **optp,
        return 0;
 }
-int ip_options_get_from_user(struct net *net, struct ip_options **optp,
+int ip_options_get_from_user(struct net *net, struct ip_options_rcu **optp,
                             unsigned char __user *data, int optlen)
 {
-        struct ip_options *opt = ip_options_get_alloc(optlen);
+        struct ip_options_rcu *opt = ip_options_get_alloc(optlen);
        if (!opt)
                return -ENOMEM;
-        if (optlen && copy_from_user(opt->__data, data, optlen)) {
+        if (optlen && copy_from_user(opt->opt.__data, data, optlen)) {
                kfree(opt);
                return -EFAULT;
        }
        return ip_options_get_finish(net, optp, opt, optlen);
 }
-int ip_options_get(struct net *net, struct ip_options **optp,
+int ip_options_get(struct net *net, struct ip_options_rcu **optp,
                   unsigned char *data, int optlen)
 {
-        struct ip_options *opt = ip_options_get_alloc(optlen);
+        struct ip_options_rcu *opt = ip_options_get_alloc(optlen);
        if (!opt)
                return -ENOMEM;
        if (optlen)
-                memcpy(opt->__data, data, optlen);
+                memcpy(opt->opt.__data, data, optlen);
        return ip_options_get_finish(net, optp, opt, optlen);
 }
@@ -555,7 +553,7 @@ void ip_forward_options(struct sk_buff *skb)
        if (opt->rr_needaddr) {
                optptr = (unsigned char *)raw + opt->rr;
-                ip_rt_get_source(&optptr[optptr[2]-5], rt);
+                ip_rt_get_source(&optptr[optptr[2]-5], skb, rt);
                opt->is_changed = 1;
        }
        if (opt->srr_is_hit) {
@@ -569,19 +567,18 @@ void ip_forward_options(struct sk_buff *skb)
                     ) {
                        if (srrptr + 3 > srrspace)
                                break;
-                        if (memcmp(&rt->rt_dst, &optptr[srrptr-1], 4) == 0)
+                        if (memcmp(&ip_hdr(skb)->daddr, &optptr[srrptr-1], 4) == 0)
                                break;
                }
                if (srrptr + 3 <= srrspace) {
                        opt->is_changed = 1;
-                        ip_rt_get_source(&optptr[srrptr-1], rt);
+                        ip_rt_get_source(&optptr[srrptr-1], skb, rt);
-                        ip_hdr(skb)->daddr = rt->rt_dst;
                        optptr[2] = srrptr+4;
                } else if (net_ratelimit())
                        printk(KERN_CRIT "ip_forward(): Argh! Destination lost!\n");
                if (opt->ts_needaddr) {
                        optptr = raw + opt->ts;
-                        ip_rt_get_source(&optptr[optptr[2]-9], rt);
+                        ip_rt_get_source(&optptr[optptr[2]-9], skb, rt);
                        opt->is_changed = 1;
                }
        }
@@ -603,7 +600,7 @@ int ip_options_rcv_srr(struct sk_buff *skb)
        unsigned long orefdst;
        int err;
-        if (!opt->srr)
+        if (!rt)
                return 0;
        if (skb->pkt_type != PACKET_HOST)
@@ -637,7 +634,7 @@ int ip_options_rcv_srr(struct sk_buff *skb)
                if (rt2->rt_type != RTN_LOCAL)
                        break;
                /* Superfast 8) loopback forward */
-                memcpy(&iph->daddr, &optptr[srrptr-1], 4);
+                iph->daddr = nexthop;
                opt->is_changed = 1;
        }
        if (srrptr <= srrspace) {
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 04c7b3ba6b39..98af3697c718 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -140,14 +140,14 @@ static inline int ip_select_ttl(struct inet_sock *inet, struct dst_entry *dst)
 *
 */
 int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
-                          __be32 saddr, __be32 daddr, struct ip_options *opt)
+                          __be32 saddr, __be32 daddr, struct ip_options_rcu *opt)
 {
        struct inet_sock *inet = inet_sk(sk);
        struct rtable *rt = skb_rtable(skb);
        struct iphdr *iph;
        /* Build the IP header. */
-        skb_push(skb, sizeof(struct iphdr) + (opt ? opt->optlen : 0));
+        skb_push(skb, sizeof(struct iphdr) + (opt ? opt->opt.optlen : 0));
        skb_reset_network_header(skb);
        iph = ip_hdr(skb);
        iph->version  = 4;
@@ -158,14 +158,14 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
        else
                iph->frag_off = 0;
        iph->ttl      = ip_select_ttl(inet, &rt->dst);
-        iph->daddr    = rt->rt_dst;
+        iph->daddr    = (opt && opt->opt.srr ? opt->opt.faddr : daddr);
-        iph->saddr    = rt->rt_src;
+        iph->saddr    = saddr;
        iph->protocol = sk->sk_protocol;
        ip_select_ident(iph, &rt->dst, sk);
-        if (opt && opt->optlen) {
+        if (opt && opt->opt.optlen) {
-                iph->ihl += opt->optlen>>2;
+                iph->ihl += opt->opt.optlen>>2;
-                ip_options_build(skb, opt, daddr, rt, 0);
+                ip_options_build(skb, &opt->opt, daddr, rt, 0);
        }
        skb->priority = sk->sk_priority;
@@ -312,11 +312,12 @@ int ip_output(struct sk_buff *skb)
                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
-int ip_queue_xmit(struct sk_buff *skb)
+int ip_queue_xmit(struct sk_buff *skb, struct flowi *fl)
 {
        struct sock *sk = skb->sk;
        struct inet_sock *inet = inet_sk(sk);
-        struct ip_options *opt = inet->opt;
+        struct ip_options_rcu *inet_opt;
+        struct flowi4 *fl4;
        struct rtable *rt;
        struct iphdr *iph;
        int res;
@@ -325,6 +326,8 @@ int ip_queue_xmit(struct sk_buff *skb)
         * f.e. by something like SCTP.
         */
        rcu_read_lock();
+        inet_opt = rcu_dereference(inet->inet_opt);
+        fl4 = &fl->u.ip4;
        rt = skb_rtable(skb);
        if (rt != NULL)
                goto packet_routed;
@@ -336,38 +339,32 @@ int ip_queue_xmit(struct sk_buff *skb)
                /* Use correct destination address if we have options. */
                daddr = inet->inet_daddr;
-                if(opt && opt->srr)
+                if (inet_opt && inet_opt->opt.srr)
-                        daddr = opt->faddr;
+                        daddr = inet_opt->opt.faddr;
-                {
+                /* If this fails, retransmit mechanism of transport layer will
-                        struct flowi fl = { .oif = sk->sk_bound_dev_if,
+                 * keep trying until route appears or the connection times
-                                            .mark = sk->sk_mark,
+                 * itself out.
-                                            .fl4_dst = daddr,
+                 */
-                                            .fl4_src = inet->inet_saddr,
+                rt = ip_route_output_ports(sock_net(sk), fl4, sk,
-                                            .fl4_tos = RT_CONN_FLAGS(sk),
+                                           daddr, inet->inet_saddr,
-                                            .proto = sk->sk_protocol,
+                                           inet->inet_dport,
-                                            .flags = inet_sk_flowi_flags(sk),
+                                           inet->inet_sport,
-                                            .fl_ip_sport = inet->inet_sport,
+                                           sk->sk_protocol,
-                                            .fl_ip_dport = inet->inet_dport };
+                                           RT_CONN_FLAGS(sk),
+                                           sk->sk_bound_dev_if);
-                        /* If this fails, retransmit mechanism of transport layer will
+                if (IS_ERR(rt))
-                         * keep trying until route appears or the connection times
+                        goto no_route;
-                         * itself out.
-                         */
-                        security_sk_classify_flow(sk, &fl);
-                        if (ip_route_output_flow(sock_net(sk), &rt, &fl, sk, 0))
-                                goto no_route;
-                }
                sk_setup_caps(sk, &rt->dst);
        }
        skb_dst_set_noref(skb, &rt->dst);
 packet_routed:
-        if (opt && opt->is_strictroute && rt->rt_dst != rt->rt_gateway)
+        if (inet_opt && inet_opt->opt.is_strictroute && fl4->daddr != rt->rt_gateway)
                goto no_route;
        /* OK, we know where to send it, allocate and build IP header. */
-        skb_push(skb, sizeof(struct iphdr) + (opt ? opt->optlen : 0));
+        skb_push(skb, sizeof(struct iphdr) + (inet_opt ? inet_opt->opt.optlen : 0));
        skb_reset_network_header(skb);
        iph = ip_hdr(skb);
        *((__be16 *)iph) = htons((4 << 12) | (5 << 8) | (inet->tos & 0xff));
@@ -377,13 +374,13 @@ packet_routed:
                iph->frag_off = 0;
        iph->ttl      = ip_select_ttl(inet, &rt->dst);
        iph->protocol = sk->sk_protocol;
-        iph->saddr    = rt->rt_src;
+        iph->saddr    = fl4->saddr;
-        iph->daddr    = rt->rt_dst;
+        iph->daddr    = fl4->daddr;
        /* Transport layer set skb->h.foo itself. */
-        if (opt && opt->optlen) {
+        if (inet_opt && inet_opt->opt.optlen) {
-                iph->ihl += opt->optlen >> 2;
+                iph->ihl += inet_opt->opt.optlen >> 2;
-                ip_options_build(skb, opt, inet->inet_daddr, rt, 0);
+                ip_options_build(skb, &inet_opt->opt, inet->inet_daddr, rt, 0);
        }
        ip_select_ident_more(iph, &rt->dst, sk,
@@ -609,7 +606,7 @@ slow_path:
                /* IF: it doesn't fit, use 'mtu' - the data space left */
                if (len > mtu)
                        len = mtu;
-                /* IF: we are not sending upto and including the packet end
+                /* IF: we are not sending up to and including the packet end
                   then align the next start on an eight byte boundary */
                if (len < left) {
                        len &= ~7;
@@ -733,6 +730,7 @@ csum_page(struct page *page, int offset, int copy)
 }
 static inline int ip_ufo_append_data(struct sock *sk,
+                        struct sk_buff_head *queue,
                        int getfrag(void *from, char *to, int offset, int len,
                               int odd, struct sk_buff *skb),
                        void *from, int length, int hh_len, int fragheaderlen,
@@ -745,7 +743,7 @@ static inline int ip_ufo_append_data(struct sock *sk,
         * device, so create one single skb packet containing complete
         * udp datagram
         */
-        if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) {
+        if ((skb = skb_peek_tail(queue)) == NULL) {
                skb = sock_alloc_send_skb(sk,
                        hh_len + fragheaderlen + transhdrlen + 20,
                        (flags & MSG_DONTWAIT), &err);
@@ -767,40 +765,30 @@ static inline int ip_ufo_append_data(struct sock *sk,
                skb->ip_summed = CHECKSUM_PARTIAL;
                skb->csum = 0;
-                sk->sk_sndmsg_off = 0;
                /* specify the length of each IP datagram fragment */
                skb_shinfo(skb)->gso_size = mtu - fragheaderlen;
                skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
-                __skb_queue_tail(&sk->sk_write_queue, skb);
+                __skb_queue_tail(queue, skb);
        }
        return skb_append_datato_frags(sk, skb, getfrag, from,
                                       (length - transhdrlen));
 }
-/*
+static int __ip_append_data(struct sock *sk,
- *      ip_append_data() and ip_append_page() can make one large IP datagram
+                            struct flowi4 *fl4,
- *      from many pieces of data. Each pieces will be holded on the socket
+                            struct sk_buff_head *queue,
- *      until ip_push_pending_frames() is called. Each piece can be a page
+                            struct inet_cork *cork,
- *      or non-page data.
+                            int getfrag(void *from, char *to, int offset,
- *
+                                        int len, int odd, struct sk_buff *skb),
- *      Not only UDP, other transport protocols - e.g. raw sockets - can use
+                            void *from, int length, int transhdrlen,
- *      this interface potentially.
+                            unsigned int flags)
- *
- *      LATER: length must be adjusted by pad at tail, when it is required.
- */
-int ip_append_data(struct sock *sk,
-                   int getfrag(void *from, char *to, int offset, int len,
-                               int odd, struct sk_buff *skb),
-                   void *from, int length, int transhdrlen,
-                   struct ipcm_cookie *ipc, struct rtable **rtp,
-                   unsigned int flags)
 {
        struct inet_sock *inet = inet_sk(sk);
        struct sk_buff *skb;
-        struct ip_options *opt = NULL;
+        struct ip_options *opt = cork->opt;
        int hh_len;
        int exthdrlen;
        int mtu;
@@ -809,59 +797,20 @@ int ip_append_data(struct sock *sk,
        int offset = 0;
        unsigned int maxfraglen, fragheaderlen;
        int csummode = CHECKSUM_NONE;
-        struct rtable *rt;
+        struct rtable *rt = (struct rtable *)cork->dst;
-        if (flags&MSG_PROBE)
-                return 0;
-        if (skb_queue_empty(&sk->sk_write_queue)) {
+        exthdrlen = transhdrlen ? rt->dst.header_len : 0;
-                /*
+        length += exthdrlen;
-                 * setup for corking.
+        transhdrlen += exthdrlen;
-                 */
+        mtu = cork->fragsize;
-                opt = ipc->opt;
-                if (opt) {
-                        if (inet->cork.opt == NULL) {
-                                inet->cork.opt = kmalloc(sizeof(struct ip_options) + 40, sk->sk_allocation);
-                                if (unlikely(inet->cork.opt == NULL))
-                                        return -ENOBUFS;
-                        }
-                        memcpy(inet->cork.opt, opt, sizeof(struct ip_options)+opt->optlen);
-                        inet->cork.flags |= IPCORK_OPT;
-                        inet->cork.addr = ipc->addr;
-                }
-                rt = *rtp;
-                if (unlikely(!rt))
-                        return -EFAULT;
-                /*
-                 * We steal reference to this route, caller should not release it
-                 */
-                *rtp = NULL;
-                inet->cork.fragsize = mtu = inet->pmtudisc == IP_PMTUDISC_PROBE ?
-                                            rt->dst.dev->mtu :
-                                            dst_mtu(rt->dst.path);
-                inet->cork.dst = &rt->dst;
-                inet->cork.length = 0;
-                sk->sk_sndmsg_page = NULL;
-                sk->sk_sndmsg_off = 0;
-                exthdrlen = rt->dst.header_len;
-                length += exthdrlen;
-                transhdrlen += exthdrlen;
-        } else {
-                rt = (struct rtable *)inet->cork.dst;
-                if (inet->cork.flags & IPCORK_OPT)
-                        opt = inet->cork.opt;
-                transhdrlen = 0;
-                exthdrlen = 0;
-                mtu = inet->cork.fragsize;
-        }
        hh_len = LL_RESERVED_SPACE(rt->dst.dev);
        fragheaderlen = sizeof(struct iphdr) + (opt ? opt->optlen : 0);
        maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen;
-        if (inet->cork.length + length > 0xFFFF - fragheaderlen) {
+        if (cork->length + length > 0xFFFF - fragheaderlen) {
-                ip_local_error(sk, EMSGSIZE, rt->rt_dst, inet->inet_dport,
+                ip_local_error(sk, EMSGSIZE, fl4->daddr, inet->inet_dport,
                               mtu-exthdrlen);
                return -EMSGSIZE;
        }
@@ -876,15 +825,15 @@ int ip_append_data(struct sock *sk,
            !exthdrlen)
                csummode = CHECKSUM_PARTIAL;
-        skb = skb_peek_tail(&sk->sk_write_queue);
+        skb = skb_peek_tail(queue);
-        inet->cork.length += length;
+        cork->length += length;
        if (((length > mtu) || (skb && skb_is_gso(skb))) &&
            (sk->sk_protocol == IPPROTO_UDP) &&
            (rt->dst.dev->features & NETIF_F_UFO)) {
-                err = ip_ufo_append_data(sk, getfrag, from, length, hh_len,
+                err = ip_ufo_append_data(sk, queue, getfrag, from, length,
-                                         fragheaderlen, transhdrlen, mtu,
+                                         hh_len, fragheaderlen, transhdrlen,
-                                         flags);
+                                         mtu, flags);
                if (err)
                        goto error;
                return 0;
@@ -961,7 +910,7 @@ alloc_new_skb:
                                else
                                        /* only the initial fragment is
                                           time stamped */
-                                        ipc->tx_flags = 0;
+                                        cork->tx_flags = 0;
                        }
                        if (skb == NULL)
                                goto error;
@@ -972,7 +921,7 @@ alloc_new_skb:
                        skb->ip_summed = csummode;
                        skb->csum = 0;
                        skb_reserve(skb, hh_len);
-                        skb_shinfo(skb)->tx_flags = ipc->tx_flags;
+                        skb_shinfo(skb)->tx_flags = cork->tx_flags;
                        /*
                         *      Find where to start putting bytes.
@@ -1009,7 +958,7 @@ alloc_new_skb:
                        /*
                         * Put the packet on the pending queue.
                         */
-                        __skb_queue_tail(&sk->sk_write_queue, skb);
+                        __skb_queue_tail(queue, skb);
                        continue;
                }
@@ -1029,8 +978,8 @@ alloc_new_skb:
                } else {
                        int i = skb_shinfo(skb)->nr_frags;
                        skb_frag_t *frag = &skb_shinfo(skb)->frags[i-1];
-                        struct page *page = sk->sk_sndmsg_page;
+                        struct page *page = cork->page;
-                        int off = sk->sk_sndmsg_off;
+                        int off = cork->off;
                        unsigned int left;
                        if (page && (left = PAGE_SIZE - off) > 0) {
@@ -1042,7 +991,7 @@ alloc_new_skb:
                                                goto error;
                                        }
                                        get_page(page);
-                                        skb_fill_page_desc(skb, i, page, sk->sk_sndmsg_off, 0);
+                                        skb_fill_page_desc(skb, i, page, off, 0);
                                        frag = &skb_shinfo(skb)->frags[i];
                                }
                        } else if (i < MAX_SKB_FRAGS) {
@@ -1053,8 +1002,8 @@ alloc_new_skb:
                                        err = -ENOMEM;
                                        goto error;
                                }
-                                sk->sk_sndmsg_page = page;
+                                cork->page = page;
-                                sk->sk_sndmsg_off = 0;
+                                cork->off = 0;
                                skb_fill_page_desc(skb, i, page, 0, 0);
                                frag = &skb_shinfo(skb)->frags[i];
@@ -1066,7 +1015,7 @@ alloc_new_skb:
                                err = -EFAULT;
                                goto error;
                        }
-                        sk->sk_sndmsg_off += copy;
+                        cork->off += copy;
                        frag->size += copy;
                        skb->len += copy;
                        skb->data_len += copy;
@@ -1080,18 +1029,95 @@ alloc_new_skb:
        return 0;
 error:
-        inet->cork.length -= length;
+        cork->length -= length;
        IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTDISCARDS);
        return err;
 }
-ssize_t ip_append_page(struct sock *sk, struct page *page,
+static int ip_setup_cork(struct sock *sk, struct inet_cork *cork,
+                         struct ipcm_cookie *ipc, struct rtable **rtp)
+{
+        struct inet_sock *inet = inet_sk(sk);
+        struct ip_options_rcu *opt;
+        struct rtable *rt;
+        /*
+         * setup for corking.
+         */
+        opt = ipc->opt;
+        if (opt) {
+                if (cork->opt == NULL) {
+                        cork->opt = kmalloc(sizeof(struct ip_options) + 40,
+                                            sk->sk_allocation);
+                        if (unlikely(cork->opt == NULL))
+                                return -ENOBUFS;
+                }
+                memcpy(cork->opt, &opt->opt, sizeof(struct ip_options) + opt->opt.optlen);
+                cork->flags |= IPCORK_OPT;
+                cork->addr = ipc->addr;
+        }
+        rt = *rtp;
+        if (unlikely(!rt))
+                return -EFAULT;
+        /*
+         * We steal reference to this route, caller should not release it
+         */
+        *rtp = NULL;
+        cork->fragsize = inet->pmtudisc == IP_PMTUDISC_PROBE ?
+                         rt->dst.dev->mtu : dst_mtu(rt->dst.path);
+        cork->dst = &rt->dst;
+        cork->length = 0;
+        cork->tx_flags = ipc->tx_flags;
+        cork->page = NULL;
+        cork->off = 0;
+        return 0;
+}
+/*
+ *      ip_append_data() and ip_append_page() can make one large IP datagram
+ *      from many pieces of data. Each pieces will be holded on the socket
+ *      until ip_push_pending_frames() is called. Each piece can be a page
+ *      or non-page data.
+ *
+ *      Not only UDP, other transport protocols - e.g. raw sockets - can use
+ *      this interface potentially.
+ *
+ *      LATER: length must be adjusted by pad at tail, when it is required.
+ */
+int ip_append_data(struct sock *sk, struct flowi4 *fl4,
+                   int getfrag(void *from, char *to, int offset, int len,
+                               int odd, struct sk_buff *skb),
+                   void *from, int length, int transhdrlen,
+                   struct ipcm_cookie *ipc, struct rtable **rtp,
+                   unsigned int flags)
+{
+        struct inet_sock *inet = inet_sk(sk);
+        int err;
+        if (flags&MSG_PROBE)
+                return 0;
+        if (skb_queue_empty(&sk->sk_write_queue)) {
+                err = ip_setup_cork(sk, &inet->cork.base, ipc, rtp);
+                if (err)
+                        return err;
+        } else {
+                transhdrlen = 0;
+        }
+        return __ip_append_data(sk, fl4, &sk->sk_write_queue, &inet->cork.base, getfrag,
+                                from, length, transhdrlen, flags);
+}
+ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
                       int offset, size_t size, int flags)
 {
        struct inet_sock *inet = inet_sk(sk);
        struct sk_buff *skb;
        struct rtable *rt;
        struct ip_options *opt = NULL;
+        struct inet_cork *cork;
        int hh_len;
        int mtu;
        int len;
@@ -1107,28 +1133,29 @@ ssize_t	ip_append_page(struct sock *sk, struct page *page,
        if (skb_queue_empty(&sk->sk_write_queue))
                return -EINVAL;
-        rt = (struct rtable *)inet->cork.dst;
+        cork = &inet->cork.base;
-        if (inet->cork.flags & IPCORK_OPT)
+        rt = (struct rtable *)cork->dst;
-                opt = inet->cork.opt;
+        if (cork->flags & IPCORK_OPT)
+                opt = cork->opt;
        if (!(rt->dst.dev->features&NETIF_F_SG))
                return -EOPNOTSUPP;
        hh_len = LL_RESERVED_SPACE(rt->dst.dev);
-        mtu = inet->cork.fragsize;
+        mtu = cork->fragsize;
        fragheaderlen = sizeof(struct iphdr) + (opt ? opt->optlen : 0);
        maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen;
-        if (inet->cork.length + size > 0xFFFF - fragheaderlen) {
+        if (cork->length + size > 0xFFFF - fragheaderlen) {
-                ip_local_error(sk, EMSGSIZE, rt->rt_dst, inet->inet_dport, mtu);
+                ip_local_error(sk, EMSGSIZE, fl4->daddr, inet->inet_dport, mtu);
                return -EMSGSIZE;
        }
        if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL)
                return -EINVAL;
-        inet->cork.length += size;
+        cork->length += size;
        if ((size + skb->len > mtu) &&
            (sk->sk_protocol == IPPROTO_UDP) &&
            (rt->dst.dev->features & NETIF_F_UFO)) {
@@ -1223,45 +1250,47 @@ ssize_t	ip_append_page(struct sock *sk, struct page *page,
        return 0;
 error:
-        inet->cork.length -= size;
+        cork->length -= size;
        IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTDISCARDS);
        return err;
 }
-static void ip_cork_release(struct inet_sock *inet)
+static void ip_cork_release(struct inet_cork *cork)
 {
-        inet->cork.flags &= ~IPCORK_OPT;
+        cork->flags &= ~IPCORK_OPT;
-        kfree(inet->cork.opt);
+        kfree(cork->opt);
-        inet->cork.opt = NULL;
+        cork->opt = NULL;
-        dst_release(inet->cork.dst);
+        dst_release(cork->dst);
-        inet->cork.dst = NULL;
+        cork->dst = NULL;
 }
 /*
 *      Combined all pending IP fragments on the socket as one IP datagram
 *      and push them out.
 */
-int ip_push_pending_frames(struct sock *sk)
+struct sk_buff *__ip_make_skb(struct sock *sk,
+                              struct flowi4 *fl4,
+                              struct sk_buff_head *queue,
+                              struct inet_cork *cork)
 {
        struct sk_buff *skb, *tmp_skb;
        struct sk_buff **tail_skb;
        struct inet_sock *inet = inet_sk(sk);
        struct net *net = sock_net(sk);
        struct ip_options *opt = NULL;
-        struct rtable *rt = (struct rtable *)inet->cork.dst;
+        struct rtable *rt = (struct rtable *)cork->dst;
        struct iphdr *iph;
        __be16 df = 0;
        __u8 ttl;
-        int err = 0;
-        if ((skb = __skb_dequeue(&sk->sk_write_queue)) == NULL)
+        if ((skb = __skb_dequeue(queue)) == NULL)
                goto out;
        tail_skb = &(skb_shinfo(skb)->frag_list);
        /* move skb->data to ip header from ext header */
        if (skb->data < skb_network_header(skb))
                __skb_pull(skb, skb_network_offset(skb));
-        while ((tmp_skb = __skb_dequeue(&sk->sk_write_queue)) != NULL) {
+        while ((tmp_skb = __skb_dequeue(queue)) != NULL) {
                __skb_pull(tmp_skb, skb_network_header_len(skb));
                *tail_skb = tmp_skb;
                tail_skb = &(tmp_skb->next);
@@ -1287,8 +1316,8 @@ int ip_push_pending_frames(struct sock *sk)
             ip_dont_fragment(sk, &rt->dst)))
                df = htons(IP_DF);
-        if (inet->cork.flags & IPCORK_OPT)
+        if (cork->flags & IPCORK_OPT)
-                opt = inet->cork.opt;
+                opt = cork->opt;
        if (rt->rt_type == RTN_MULTICAST)
                ttl = inet->mc_ttl;
@@ -1298,17 +1327,18 @@ int ip_push_pending_frames(struct sock *sk)
        iph = (struct iphdr *)skb->data;
        iph->version = 4;
        iph->ihl = 5;
-        if (opt) {
-                iph->ihl += opt->optlen>>2;
-                ip_options_build(skb, opt, inet->cork.addr, rt, 0);
-        }
        iph->tos = inet->tos;
        iph->frag_off = df;
        ip_select_ident(iph, &rt->dst, sk);
        iph->ttl = ttl;
        iph->protocol = sk->sk_protocol;
-        iph->saddr = rt->rt_src;
+        iph->saddr = fl4->saddr;
-        iph->daddr = rt->rt_dst;
+        iph->daddr = fl4->daddr;
+        if (opt) {
+                iph->ihl += opt->optlen>>2;
+                ip_options_build(skb, opt, cork->addr, rt, 0);
+        }
        skb->priority = sk->sk_priority;
        skb->mark = sk->sk_mark;
@@ -1316,44 +1346,99 @@ int ip_push_pending_frames(struct sock *sk)
         * Steal rt from cork.dst to avoid a pair of atomic_inc/atomic_dec
         * on dst refcount
         */
-        inet->cork.dst = NULL;
+        cork->dst = NULL;
        skb_dst_set(skb, &rt->dst);
        if (iph->protocol == IPPROTO_ICMP)
                icmp_out_count(net, ((struct icmphdr *)
                        skb_transport_header(skb))->type);
-        /* Netfilter gets whole the not fragmented skb. */
+        ip_cork_release(cork);
+out:
+        return skb;
+}
+int ip_send_skb(struct sk_buff *skb)
+{
+        struct net *net = sock_net(skb->sk);
+        int err;
        err = ip_local_out(skb);
        if (err) {
                if (err > 0)
                        err = net_xmit_errno(err);
                if (err)
-                        goto error;
+                        IP_INC_STATS(net, IPSTATS_MIB_OUTDISCARDS);
        }
-out:
-        ip_cork_release(inet);
        return err;
+}
-error:
+int ip_push_pending_frames(struct sock *sk, struct flowi4 *fl4)
-        IP_INC_STATS(net, IPSTATS_MIB_OUTDISCARDS);
+{
-        goto out;
+        struct sk_buff *skb;
+        skb = ip_finish_skb(sk, fl4);
+        if (!skb)
+                return 0;
+        /* Netfilter gets whole the not fragmented skb. */
+        return ip_send_skb(skb);
 }
 /*
 *      Throw away all pending data on the socket.
 */
-void ip_flush_pending_frames(struct sock *sk)
+static void __ip_flush_pending_frames(struct sock *sk,
+                                      struct sk_buff_head *queue,
+                                      struct inet_cork *cork)
 {
        struct sk_buff *skb;
-        while ((skb = __skb_dequeue_tail(&sk->sk_write_queue)) != NULL)
+        while ((skb = __skb_dequeue_tail(queue)) != NULL)
                kfree_skb(skb);
-        ip_cork_release(inet_sk(sk));
+        ip_cork_release(cork);
 }
+void ip_flush_pending_frames(struct sock *sk)
+{
+        __ip_flush_pending_frames(sk, &sk->sk_write_queue, &inet_sk(sk)->cork.base);
+}
+struct sk_buff *ip_make_skb(struct sock *sk,
+                            struct flowi4 *fl4,
+                            int getfrag(void *from, char *to, int offset,
+                                        int len, int odd, struct sk_buff *skb),
+                            void *from, int length, int transhdrlen,
+                            struct ipcm_cookie *ipc, struct rtable **rtp,
+                            unsigned int flags)
+{
+        struct inet_cork cork;
+        struct sk_buff_head queue;
+        int err;
+        if (flags & MSG_PROBE)
+                return NULL;
+        __skb_queue_head_init(&queue);
+        cork.flags = 0;
+        cork.addr = 0;
+        cork.opt = NULL;
+        err = ip_setup_cork(sk, &cork, ipc, rtp);
+        if (err)
+                return ERR_PTR(err);
+        err = __ip_append_data(sk, fl4, &queue, &cork, getfrag,
+                               from, length, transhdrlen, flags);
+        if (err) {
+                __ip_flush_pending_frames(sk, &queue, &cork);
+                return ERR_PTR(err);
+        }
+        return __ip_make_skb(sk, fl4, &queue, &cork);
+}
 /*
 *      Fetch data from kernel space and fill in checksum if needed.
@@ -1375,45 +1460,39 @@ static int ip_reply_glue_bits(void *dptr, char *to, int offset,
 *      Should run single threaded per socket because it uses the sock
 *      structure to pass arguments.
 */
-void ip_send_reply(struct sock *sk, struct sk_buff *skb, struct ip_reply_arg *arg,
+void ip_send_reply(struct sock *sk, struct sk_buff *skb, __be32 daddr,
-                   unsigned int len)
+                   struct ip_reply_arg *arg, unsigned int len)
 {
        struct inet_sock *inet = inet_sk(sk);
-        struct {
+        struct ip_options_data replyopts;
-                struct ip_options       opt;
-                char                    data[40];
-        } replyopts;
        struct ipcm_cookie ipc;
-        __be32 daddr;
+        struct flowi4 fl4;
        struct rtable *rt = skb_rtable(skb);
-        if (ip_options_echo(&replyopts.opt, skb))
+        if (ip_options_echo(&replyopts.opt.opt, skb))
                return;
-        daddr = ipc.addr = rt->rt_src;
+        ipc.addr = daddr;
        ipc.opt = NULL;
        ipc.tx_flags = 0;
-        if (replyopts.opt.optlen) {
+        if (replyopts.opt.opt.optlen) {
                ipc.opt = &replyopts.opt;
-                if (ipc.opt->srr)
+                if (replyopts.opt.opt.srr)
-                        daddr = replyopts.opt.faddr;
+                        daddr = replyopts.opt.opt.faddr;
        }
-        {
+        flowi4_init_output(&fl4, arg->bound_dev_if, 0,
-                struct flowi fl = { .oif = arg->bound_dev_if,
+                           RT_TOS(ip_hdr(skb)->tos),
-                                    .fl4_dst = daddr,
+                           RT_SCOPE_UNIVERSE, sk->sk_protocol,
-                                    .fl4_src = rt->rt_spec_dst,
+                           ip_reply_arg_flowi_flags(arg),
-                                    .fl4_tos = RT_TOS(ip_hdr(skb)->tos),
+                           daddr, rt->rt_spec_dst,
-                                    .fl_ip_sport = tcp_hdr(skb)->dest,
+                           tcp_hdr(skb)->source, tcp_hdr(skb)->dest);
-                                    .fl_ip_dport = tcp_hdr(skb)->source,
+        security_skb_classify_flow(skb, flowi4_to_flowi(&fl4));
-                                    .proto = sk->sk_protocol,
+        rt = ip_route_output_key(sock_net(sk), &fl4);
-                                    .flags = ip_reply_arg_flowi_flags(arg) };
+        if (IS_ERR(rt))
-                security_skb_classify_flow(skb, &fl);
+                return;
-                if (ip_route_output_key(sock_net(sk), &rt, &fl))
-                        return;
-        }
        /* And let IP do all the hard work.
@@ -1426,7 +1505,7 @@ void ip_send_reply(struct sock *sk, struct sk_buff *skb, struct ip_reply_arg *ar
        sk->sk_priority = skb->priority;
        sk->sk_protocol = ip_hdr(skb)->protocol;
        sk->sk_bound_dev_if = arg->bound_dev_if;
-        ip_append_data(sk, ip_reply_glue_bits, arg->iov->iov_base, len, 0,
+        ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base, len, 0,
                       &ipc, &rt, MSG_DONTWAIT);
        if ((skb = skb_peek(&sk->sk_write_queue)) != NULL) {
                if (arg->csumoffset >= 0)
@@ -1434,7 +1513,7 @@ void ip_send_reply(struct sock *sk, struct sk_buff *skb, struct ip_reply_arg *ar
                          arg->csumoffset) = csum_fold(csum_add(skb->csum,
                                                                arg->csum));
                skb->ip_summed = CHECKSUM_NONE;
-                ip_push_pending_frames(sk);
+                ip_push_pending_frames(sk, &fl4);
        }
        bh_unlock_sock(sk);
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 3948c86e59ca..ab0c9efd1efa 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -131,7 +131,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
 {
        struct sockaddr_in sin;
-        struct iphdr *iph = ip_hdr(skb);
+        const struct iphdr *iph = ip_hdr(skb);
        __be16 *ports = (__be16 *)skb_transport_header(skb);
        if (skb_transport_offset(skb) + 4 > skb->len)
@@ -451,6 +451,11 @@ out:
 }
+static void opt_kfree_rcu(struct rcu_head *head)
+{
+        kfree(container_of(head, struct ip_options_rcu, rcu));
+}
 /*
 *      Socket option code for IP. This is the end of the line after any
 *      TCP,UDP etc options on an IP socket.
@@ -497,13 +502,16 @@ static int do_ip_setsockopt(struct sock *sk, int level,
        switch (optname) {
        case IP_OPTIONS:
        {
-                struct ip_options *opt = NULL;
+                struct ip_options_rcu *old, *opt = NULL;
                if (optlen > 40)
                        goto e_inval;
                err = ip_options_get_from_user(sock_net(sk), &opt,
                                               optval, optlen);
                if (err)
                        break;
+                old = rcu_dereference_protected(inet->inet_opt,
+                                                sock_owned_by_user(sk));
                if (inet->is_icsk) {
                        struct inet_connection_sock *icsk = inet_csk(sk);
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
@@ -512,17 +520,18 @@ static int do_ip_setsockopt(struct sock *sk, int level,
                               (TCPF_LISTEN | TCPF_CLOSE)) &&
                             inet->inet_daddr != LOOPBACK4_IPV6)) {
 #endif
-                                if (inet->opt)
+                                if (old)
-                                        icsk->icsk_ext_hdr_len -= inet->opt->optlen;
+                                        icsk->icsk_ext_hdr_len -= old->opt.optlen;
                                if (opt)
-                                        icsk->icsk_ext_hdr_len += opt->optlen;
+                                        icsk->icsk_ext_hdr_len += opt->opt.optlen;
                                icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie);
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
                        }
 #endif
                }
-                opt = xchg(&inet->opt, opt);
+                rcu_assign_pointer(inet->inet_opt, opt);
-                kfree(opt);
+                if (old)
+                        call_rcu(&old->rcu, opt_kfree_rcu);
                break;
        }
        case IP_PKTINFO:
@@ -1081,12 +1090,16 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
        case IP_OPTIONS:
        {
                unsigned char optbuf[sizeof(struct ip_options)+40];
-                struct ip_options * opt = (struct ip_options *)optbuf;
+                struct ip_options *opt = (struct ip_options *)optbuf;
+                struct ip_options_rcu *inet_opt;
+                inet_opt = rcu_dereference_protected(inet->inet_opt,
+                                                     sock_owned_by_user(sk));
                opt->optlen = 0;
-                if (inet->opt)
+                if (inet_opt)
-                        memcpy(optbuf, inet->opt,
+                        memcpy(optbuf, &inet_opt->opt,
-                               sizeof(struct ip_options)+
+                               sizeof(struct ip_options) +
-                               inet->opt->optlen);
+                               inet_opt->opt.optlen);
                release_sock(sk);
                if (opt->optlen == 0)
diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
index 629067571f02..c857f6f49b03 100644
--- a/net/ipv4/ipcomp.c
+++ b/net/ipv4/ipcomp.c
@@ -27,7 +27,7 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info)
 {
        struct net *net = dev_net(skb->dev);
        __be32 spi;
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        struct ip_comp_hdr *ipch = (struct ip_comp_hdr *)(skb->data+(iph->ihl<<2));
        struct xfrm_state *x;
@@ -36,7 +36,7 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info)
                return;
        spi = htonl(ntohs(ipch->cpi));
-        x = xfrm_state_lookup(net, skb->mark, (xfrm_address_t *)&iph->daddr,
+        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
                              spi, IPPROTO_COMP, AF_INET);
        if (!x)
                return;
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index 2b097752426b..ab7e5542c1cf 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -87,8 +87,8 @@
 #endif
 /* Define the friendly delay before and after opening net devices */
-#define CONF_PRE_OPEN           500     /* Before opening: 1/2 second */
+#define CONF_POST_OPEN          10      /* After opening: 10 msecs */
-#define CONF_POST_OPEN          1       /* After opening: 1 second */
+#define CONF_CARRIER_TIMEOUT    120000  /* Wait for carrier timeout */
 /* Define the timeout for waiting for a DHCP/BOOTP/RARP reply */
 #define CONF_OPEN_RETRIES       2       /* (Re)open devices twice */
@@ -188,14 +188,14 @@ struct ic_device {
 static struct ic_device *ic_first_dev __initdata = NULL;/* List of open device */
 static struct net_device *ic_dev __initdata = NULL;     /* Selected device */
-static bool __init ic_device_match(struct net_device *dev)
+static bool __init ic_is_init_dev(struct net_device *dev)
 {
-        if (user_dev_name[0] ? !strcmp(dev->name, user_dev_name) :
+        if (dev->flags & IFF_LOOPBACK)
+                return false;
+        return user_dev_name[0] ? !strcmp(dev->name, user_dev_name) :
            (!(dev->flags & IFF_LOOPBACK) &&
             (dev->flags & (IFF_POINTOPOINT|IFF_BROADCAST)) &&
-             strncmp(dev->name, "dummy", 5)))
+             strncmp(dev->name, "dummy", 5));
-                return true;
-        return false;
 }
 static int __init ic_open_devs(void)
@@ -203,6 +203,7 @@ static int __init ic_open_devs(void)
        struct ic_device *d, **last;
        struct net_device *dev;
        unsigned short oflags;
+        unsigned long start;
        last = &ic_first_dev;
        rtnl_lock();
@@ -216,9 +217,7 @@ static int __init ic_open_devs(void)
        }
        for_each_netdev(&init_net, dev) {
-                if (dev->flags & IFF_LOOPBACK)
+                if (ic_is_init_dev(dev)) {
-                        continue;
-                if (ic_device_match(dev)) {
                        int able = 0;
                        if (dev->mtu >= 364)
                                able |= IC_BOOTP;
@@ -252,6 +251,17 @@ static int __init ic_open_devs(void)
                                dev->name, able, d->xid));
                }
        }
+        /* wait for a carrier on at least one device */
+        start = jiffies;
+        while (jiffies - start < msecs_to_jiffies(CONF_CARRIER_TIMEOUT)) {
+                for_each_netdev(&init_net, dev)
+                        if (ic_is_init_dev(dev) && netif_carrier_ok(dev))
+                                goto have_carrier;
+                msleep(1);
+        }
+have_carrier:
        rtnl_unlock();
        *last = NULL;
@@ -1324,14 +1334,13 @@ static int __init wait_for_devices(void)
 {
        int i;
-        msleep(CONF_PRE_OPEN);
        for (i = 0; i < DEVICE_WAIT_MAX; i++) {
                struct net_device *dev;
                int found = 0;
                rtnl_lock();
                for_each_netdev(&init_net, dev) {
-                        if (ic_device_match(dev)) {
+                        if (ic_is_init_dev(dev)) {
                                found = 1;
                                break;
                        }
@@ -1378,7 +1387,7 @@ static int __init ip_auto_config(void)
                return err;
        /* Give drivers a chance to settle */
-        ssleep(CONF_POST_OPEN);
+        msleep(CONF_POST_OPEN);
        /*
         * If the config information is insufficient (e.g., our IP address or
@@ -1444,7 +1453,7 @@ static int __init ip_auto_config(void)
                root_server_addr = addr;
        /*
-         * Use defaults whereever applicable.
+         * Use defaults wherever applicable.
         */
        if (ic_defaults() < 0)
                return -1;
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index 988f52fba54a..378b20b7ca6e 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -276,11 +276,6 @@ static struct ip_tunnel * ipip_tunnel_locate(struct net *net,
        dev_net_set(dev, net);
-        if (strchr(name, '%')) {
-                if (dev_alloc_name(dev, name) < 0)
-                        goto failed_free;
-        }
        nt = netdev_priv(dev);
        nt->parms = *parms;
@@ -319,7 +314,7 @@ static int ipip_err(struct sk_buff *skb, u32 info)
   8 bytes of packet payload. It means, that precise relaying of
   ICMP in the real Internet is absolutely infeasible.
 */
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        const int type = icmp_hdr(skb)->type;
        const int code = icmp_hdr(skb)->code;
        struct ip_tunnel *t;
@@ -433,15 +428,16 @@ static netdev_tx_t ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
 {
        struct ip_tunnel *tunnel = netdev_priv(dev);
        struct pcpu_tstats *tstats;
-        struct iphdr  *tiph = &tunnel->parms.iph;
+        const struct iphdr  *tiph = &tunnel->parms.iph;
        u8     tos = tunnel->parms.iph.tos;
        __be16 df = tiph->frag_off;
        struct rtable *rt;                      /* Route to the other host */
        struct net_device *tdev;                /* Device to other host */
-        struct iphdr  *old_iph = ip_hdr(skb);
+        const struct iphdr  *old_iph = ip_hdr(skb);
        struct iphdr  *iph;                     /* Our new IP header */
        unsigned int max_headroom;              /* The extra header space needed */
        __be32 dst = tiph->daddr;
+        struct flowi4 fl4;
        int    mtu;
        if (skb->protocol != htons(ETH_P_IP))
@@ -460,19 +456,14 @@ static netdev_tx_t ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
                        goto tx_error_icmp;
        }
-        {
+        rt = ip_route_output_ports(dev_net(dev), &fl4, NULL,
-                struct flowi fl = {
+                                   dst, tiph->saddr,
-                        .oif = tunnel->parms.link,
+                                   0, 0,
-                        .fl4_dst = dst,
+                                   IPPROTO_IPIP, RT_TOS(tos),
-                        .fl4_src= tiph->saddr,
+                                   tunnel->parms.link);
-                        .fl4_tos = RT_TOS(tos),
+        if (IS_ERR(rt)) {
-                        .proto = IPPROTO_IPIP
+                dev->stats.tx_carrier_errors++;
-                };
+                goto tx_error_icmp;
-                if (ip_route_output_key(dev_net(dev), &rt, &fl)) {
-                        dev->stats.tx_carrier_errors++;
-                        goto tx_error_icmp;
-                }
        }
        tdev = rt->dst.dev;
@@ -554,8 +545,8 @@ static netdev_tx_t ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
        iph->frag_off           =       df;
        iph->protocol           =       IPPROTO_IPIP;
        iph->tos                =       INET_ECN_encapsulate(tos, old_iph->tos);
-        iph->daddr              =       rt->rt_dst;
+        iph->daddr              =       fl4.daddr;
-        iph->saddr              =       rt->rt_src;
+        iph->saddr              =       fl4.saddr;
        if ((iph->ttl = tiph->ttl) == 0)
                iph->ttl        =       old_iph->ttl;
@@ -577,22 +568,22 @@ static void ipip_tunnel_bind_dev(struct net_device *dev)
 {
        struct net_device *tdev = NULL;
        struct ip_tunnel *tunnel;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        tunnel = netdev_priv(dev);
        iph = &tunnel->parms.iph;
        if (iph->daddr) {
-                struct flowi fl = {
-                        .oif = tunnel->parms.link,
-                        .fl4_dst = iph->daddr,
-                        .fl4_src = iph->saddr,
-                        .fl4_tos = RT_TOS(iph->tos),
-                        .proto = IPPROTO_IPIP
-                };
                struct rtable *rt;
+                struct flowi4 fl4;
-                if (!ip_route_output_key(dev_net(dev), &rt, &fl)) {
+                rt = ip_route_output_ports(dev_net(dev), &fl4, NULL,
+                                           iph->daddr, iph->saddr,
+                                           0, 0,
+                                           IPPROTO_IPIP,
+                                           RT_TOS(iph->tos),
+                                           tunnel->parms.link);
+                if (!IS_ERR(rt)) {
                        tdev = rt->dst.dev;
                        ip_rt_put(rt);
                }
@@ -913,4 +904,4 @@ static void __exit ipip_fini(void)
 module_init(ipip_init);
 module_exit(ipip_fini);
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("tunl0");
+MODULE_ALIAS_NETDEV("tunl0");
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 8b65a12654e7..30a7763c400e 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -148,14 +148,15 @@ static struct mr_table *ipmr_get_table(struct net *net, u32 id)
        return NULL;
 }
-static int ipmr_fib_lookup(struct net *net, struct flowi *flp,
+static int ipmr_fib_lookup(struct net *net, struct flowi4 *flp4,
                           struct mr_table **mrt)
 {
        struct ipmr_result res;
        struct fib_lookup_arg arg = { .result = &res, };
        int err;
-        err = fib_rules_lookup(net->ipv4.mr_rules_ops, flp, 0, &arg);
+        err = fib_rules_lookup(net->ipv4.mr_rules_ops,
+                               flowi4_to_flowi(flp4), 0, &arg);
        if (err < 0)
                return err;
        *mrt = res.mrt;
@@ -283,7 +284,7 @@ static struct mr_table *ipmr_get_table(struct net *net, u32 id)
        return net->ipv4.mrt;
 }
-static int ipmr_fib_lookup(struct net *net, struct flowi *flp,
+static int ipmr_fib_lookup(struct net *net, struct flowi4 *flp4,
                           struct mr_table **mrt)
 {
        *mrt = net->ipv4.mrt;
@@ -435,14 +436,14 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb, struct net_device *dev)
 {
        struct net *net = dev_net(dev);
        struct mr_table *mrt;
-        struct flowi fl = {
+        struct flowi4 fl4 = {
-                .oif            = dev->ifindex,
+                .flowi4_oif     = dev->ifindex,
-                .iif            = skb->skb_iif,
+                .flowi4_iif     = skb->skb_iif,
-                .mark           = skb->mark,
+                .flowi4_mark    = skb->mark,
        };
        int err;
-        err = ipmr_fib_lookup(net, &fl, &mrt);
+        err = ipmr_fib_lookup(net, &fl4, &mrt);
        if (err < 0) {
                kfree_skb(skb);
                return err;
@@ -1548,7 +1549,7 @@ static struct notifier_block ip_mr_notifier = {
 static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr)
 {
        struct iphdr *iph;
-        struct iphdr *old_iph = ip_hdr(skb);
+        const struct iphdr *old_iph = ip_hdr(skb);
        skb_push(skb, sizeof(struct iphdr));
        skb->transport_header = skb->network_header;
@@ -1594,6 +1595,7 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt,
        struct vif_device *vif = &mrt->vif_table[vifi];
        struct net_device *dev;
        struct rtable *rt;
+        struct flowi4 fl4;
        int    encap = 0;
        if (vif->dev == NULL)
@@ -1611,26 +1613,20 @@ static void ipmr_queue_xmit(struct net *net, struct mr_table *mrt,
 #endif
        if (vif->flags & VIFF_TUNNEL) {
-                struct flowi fl = {
+                rt = ip_route_output_ports(net, &fl4, NULL,
-                        .oif = vif->link,
+                                           vif->remote, vif->local,
-                        .fl4_dst = vif->remote,
+                                           0, 0,
-                        .fl4_src = vif->local,
+                                           IPPROTO_IPIP,
-                        .fl4_tos = RT_TOS(iph->tos),
+                                           RT_TOS(iph->tos), vif->link);
-                        .proto = IPPROTO_IPIP
+                if (IS_ERR(rt))
-                };
-                if (ip_route_output_key(net, &rt, &fl))
                        goto out_free;
                encap = sizeof(struct iphdr);
        } else {
-                struct flowi fl = {
+                rt = ip_route_output_ports(net, &fl4, NULL, iph->daddr, 0,
-                        .oif = vif->link,
+                                           0, 0,
-                        .fl4_dst = iph->daddr,
+                                           IPPROTO_IPIP,
-                        .fl4_tos = RT_TOS(iph->tos),
+                                           RT_TOS(iph->tos), vif->link);
-                        .proto = IPPROTO_IPIP
+                if (IS_ERR(rt))
-                };
-                if (ip_route_output_key(net, &rt, &fl))
                        goto out_free;
        }
@@ -1793,6 +1789,26 @@ dont_forward:
        return 0;
 }
+static struct mr_table *ipmr_rt_fib_lookup(struct net *net, struct sk_buff *skb)
+{
+        struct rtable *rt = skb_rtable(skb);
+        struct iphdr *iph = ip_hdr(skb);
+        struct flowi4 fl4 = {
+                .daddr = iph->daddr,
+                .saddr = iph->saddr,
+                .flowi4_tos = iph->tos,
+                .flowi4_oif = rt->rt_oif,
+                .flowi4_iif = rt->rt_iif,
+                .flowi4_mark = rt->rt_mark,
+        };
+        struct mr_table *mrt;
+        int err;
+        err = ipmr_fib_lookup(net, &fl4, &mrt);
+        if (err)
+                return ERR_PTR(err);
+        return mrt;
+}
 /*
 *      Multicast packets for forwarding arrive here
@@ -1805,7 +1821,6 @@ int ip_mr_input(struct sk_buff *skb)
        struct net *net = dev_net(skb->dev);
        int local = skb_rtable(skb)->rt_flags & RTCF_LOCAL;
        struct mr_table *mrt;
-        int err;
        /* Packet is looped back after forward, it should not be
         * forwarded second time, but still can be delivered locally.
@@ -1813,12 +1828,11 @@ int ip_mr_input(struct sk_buff *skb)
        if (IPCB(skb)->flags & IPSKB_FORWARDED)
                goto dont_forward;
-        err = ipmr_fib_lookup(net, &skb_rtable(skb)->fl, &mrt);
+        mrt = ipmr_rt_fib_lookup(net, skb);
-        if (err < 0) {
+        if (IS_ERR(mrt)) {
                kfree_skb(skb);
-                return err;
+                return PTR_ERR(mrt);
        }
        if (!local) {
                if (IPCB(skb)->opt.router_alert) {
                        if (ip_call_ra_chain(skb))
@@ -1946,9 +1960,9 @@ int pim_rcv_v1(struct sk_buff *skb)
        pim = igmp_hdr(skb);
-        if (ipmr_fib_lookup(net, &skb_rtable(skb)->fl, &mrt) < 0)
+        mrt = ipmr_rt_fib_lookup(net, skb);
+        if (IS_ERR(mrt))
                goto drop;
        if (!mrt->mroute_do_pim ||
            pim->group != PIM_V1_VERSION || pim->code != PIM_V1_REGISTER)
                goto drop;
@@ -1978,9 +1992,9 @@ static int pim_rcv(struct sk_buff *skb)
             csum_fold(skb_checksum(skb, 0, skb->len, 0))))
                goto drop;
-        if (ipmr_fib_lookup(net, &skb_rtable(skb)->fl, &mrt) < 0)
+        mrt = ipmr_rt_fib_lookup(net, skb);
+        if (IS_ERR(mrt))
                goto drop;
        if (__pim_rcv(mrt, skb, sizeof(*pim))) {
 drop:
                kfree_skb(skb);
@@ -2027,20 +2041,20 @@ rtattr_failure:
        return -EMSGSIZE;
 }
-int ipmr_get_route(struct net *net,
+int ipmr_get_route(struct net *net, struct sk_buff *skb,
-                   struct sk_buff *skb, struct rtmsg *rtm, int nowait)
+                   __be32 saddr, __be32 daddr,
+                   struct rtmsg *rtm, int nowait)
 {
-        int err;
-        struct mr_table *mrt;
        struct mfc_cache *cache;
-        struct rtable *rt = skb_rtable(skb);
+        struct mr_table *mrt;
+        int err;
        mrt = ipmr_get_table(net, RT_TABLE_DEFAULT);
        if (mrt == NULL)
                return -ENOENT;
        rcu_read_lock();
-        cache = ipmr_cache_find(mrt, rt->rt_src, rt->rt_dst);
+        cache = ipmr_cache_find(mrt, saddr, daddr);
        if (cache == NULL) {
                struct sk_buff *skb2;
@@ -2073,8 +2087,8 @@ int ipmr_get_route(struct net *net,
                skb_reset_network_header(skb2);
                iph = ip_hdr(skb2);
                iph->ihl = sizeof(struct iphdr) >> 2;
-                iph->saddr = rt->rt_src;
+                iph->saddr = saddr;
-                iph->daddr = rt->rt_dst;
+                iph->daddr = daddr;
                iph->version = 0;
                err = ipmr_cache_unresolved(mrt, vif, skb2);
                read_unlock(&mrt_lock);
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index 994a1f29ebbc..4614babdc45f 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -16,7 +16,7 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
        struct net *net = dev_net(skb_dst(skb)->dev);
        const struct iphdr *iph = ip_hdr(skb);
        struct rtable *rt;
-        struct flowi fl = {};
+        struct flowi4 fl4 = {};
        unsigned long orefdst;
        unsigned int hh_len;
        unsigned int type;
@@ -31,14 +31,15 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
         * packets with foreign saddr to appear on the NF_INET_LOCAL_OUT hook.
         */
        if (addr_type == RTN_LOCAL) {
-                fl.fl4_dst = iph->daddr;
+                fl4.daddr = iph->daddr;
                if (type == RTN_LOCAL)
-                        fl.fl4_src = iph->saddr;
+                        fl4.saddr = iph->saddr;
-                fl.fl4_tos = RT_TOS(iph->tos);
+                fl4.flowi4_tos = RT_TOS(iph->tos);
-                fl.oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
+                fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
-                fl.mark = skb->mark;
+                fl4.flowi4_mark = skb->mark;
-                fl.flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;
+                fl4.flowi4_flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;
-                if (ip_route_output_key(net, &rt, &fl) != 0)
+                rt = ip_route_output_key(net, &fl4);
+                if (IS_ERR(rt))
                        return -1;
                /* Drop old route. */
@@ -47,8 +48,9 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
        } else {
                /* non-local src, find valid iif to satisfy
                 * rp-filter when calling ip_route_input. */
-                fl.fl4_dst = iph->saddr;
+                fl4.daddr = iph->saddr;
-                if (ip_route_output_key(net, &rt, &fl) != 0)
+                rt = ip_route_output_key(net, &fl4);
+                if (IS_ERR(rt))
                        return -1;
                orefdst = skb->_skb_refdst;
@@ -66,10 +68,11 @@ int ip_route_me_harder(struct sk_buff *skb, unsigned addr_type)
 #ifdef CONFIG_XFRM
        if (!(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) &&
-            xfrm_decode_session(skb, &fl, AF_INET) == 0) {
+            xfrm_decode_session(skb, flowi4_to_flowi(&fl4), AF_INET) == 0) {
                struct dst_entry *dst = skb_dst(skb);
                skb_dst_set(skb, NULL);
-                if (xfrm_lookup(net, &dst, &fl, skb->sk, 0))
+                dst = xfrm_lookup(net, dst, flowi4_to_flowi(&fl4), skb->sk, 0);
+                if (IS_ERR(dst))
                        return -1;
                skb_dst_set(skb, dst);
        }
@@ -102,7 +105,8 @@ int ip_xfrm_me_harder(struct sk_buff *skb)
                dst = ((struct xfrm_dst *)dst)->route;
        dst_hold(dst);
-        if (xfrm_lookup(dev_net(dst->dev), &dst, &fl, skb->sk, 0) < 0)
+        dst = xfrm_lookup(dev_net(dst->dev), dst, &fl, skb->sk, 0);
+        if (IS_ERR(dst))
                return -1;
        skb_dst_drop(skb);
@@ -217,9 +221,14 @@ static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
        return csum;
 }
-static int nf_ip_route(struct dst_entry **dst, struct flowi *fl)
+static int nf_ip_route(struct net *net, struct dst_entry **dst,
+                       struct flowi *fl, bool strict __always_unused)
 {
-        return ip_route_output_key(&init_net, (struct rtable **)dst, fl);
+        struct rtable *rt = ip_route_output_key(net, &fl->u.ip4);
+        if (IS_ERR(rt))
+                return PTR_ERR(rt);
+        *dst = &rt->dst;
+        return 0;
 }
 static const struct nf_afinfo nf_ip_afinfo = {
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index babd1a2bae5f..1dfc18a03fd4 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -64,16 +64,6 @@ config IP_NF_IPTABLES
 if IP_NF_IPTABLES
 # The matches.
-config IP_NF_MATCH_ADDRTYPE
-        tristate '"addrtype" address type match support'
-        depends on NETFILTER_ADVANCED
-        help
-          This option allows you to match what routing thinks of an address,
-          eg. UNICAST, LOCAL, BROADCAST, ...
-          If you want to compile it as a module, say M here and read
-          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 config IP_NF_MATCH_AH
        tristate '"ah" match support'
        depends on NETFILTER_ADVANCED
@@ -206,8 +196,9 @@ config IP_NF_TARGET_REDIRECT
 config NF_NAT_SNMP_BASIC
        tristate "Basic SNMP-ALG support"
-        depends on NF_NAT
+        depends on NF_CONNTRACK_SNMP && NF_NAT
        depends on NETFILTER_ADVANCED
+        default NF_NAT && NF_CONNTRACK_SNMP
        ---help---
          This module implements an Application Layer Gateway (ALG) for
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 19eb59d01037..dca2082ec683 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -48,7 +48,6 @@ obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
 obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
 # matches
-obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
 obj-$(CONFIG_IP_NF_MATCH_AH) += ipt_ah.o
 obj-$(CONFIG_IP_NF_MATCH_ECN) += ipt_ecn.o
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index e855fffaed95..fd7a3f68917f 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -76,7 +76,7 @@ static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap,
 }
 /*
- * Unfortunatly, _b and _mask are not aligned to an int (or long int)
+ * Unfortunately, _b and _mask are not aligned to an int (or long int)
 * Some arches dont care, unrolling the loop is a win on them.
 * For other arches, we only have a 16bit alignement.
 */
@@ -260,6 +260,7 @@ unsigned int arpt_do_table(struct sk_buff *skb,
        void *table_base;
        const struct xt_table_info *private;
        struct xt_action_param acpar;
+        unsigned int addend;
        if (!pskb_may_pull(skb, arp_hdr_len(skb->dev)))
                return NF_DROP;
@@ -267,7 +268,8 @@ unsigned int arpt_do_table(struct sk_buff *skb,
        indev = in ? in->name : nulldevname;
        outdev = out ? out->name : nulldevname;
-        xt_info_rdlock_bh();
+        local_bh_disable();
+        addend = xt_write_recseq_begin();
        private = table->private;
        table_base = private->entries[smp_processor_id()];
@@ -338,7 +340,8 @@ unsigned int arpt_do_table(struct sk_buff *skb,
                        /* Verdict */
                        break;
        } while (!acpar.hotdrop);
-        xt_info_rdunlock_bh();
+        xt_write_recseq_end(addend);
+        local_bh_enable();
        if (acpar.hotdrop)
                return NF_DROP;
@@ -712,7 +715,7 @@ static void get_counters(const struct xt_table_info *t,
        unsigned int i;
        for_each_possible_cpu(cpu) {
-                seqlock_t *lock = &per_cpu(xt_info_locks, cpu).lock;
+                seqcount_t *s = &per_cpu(xt_recseq, cpu);
                i = 0;
                xt_entry_foreach(iter, t->entries[cpu], t->size) {
@@ -720,10 +723,10 @@ static void get_counters(const struct xt_table_info *t,
                        unsigned int start;
                        do {
-                                start = read_seqbegin(lock);
+                                start = read_seqcount_begin(s);
                                bcnt = iter->counters.bcnt;
                                pcnt = iter->counters.pcnt;
-                        } while (read_seqretry(lock, start));
+                        } while (read_seqcount_retry(s, start));
                        ADD_COUNTER(counters[i], bcnt, pcnt);
                        ++i;
@@ -866,6 +869,7 @@ static int compat_table_info(const struct xt_table_info *info,
        memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
        newinfo->initial_entries = 0;
        loc_cpu_entry = info->entries[raw_smp_processor_id()];
+        xt_compat_init_offsets(NFPROTO_ARP, info->number);
        xt_entry_foreach(iter, loc_cpu_entry, info->size) {
                ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
                if (ret != 0)
@@ -1065,6 +1069,7 @@ static int do_replace(struct net *net, const void __user *user,
        /* overflow check */
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
@@ -1113,6 +1118,7 @@ static int do_add_counters(struct net *net, const void __user *user,
        int ret = 0;
        void *loc_cpu_entry;
        struct arpt_entry *iter;
+        unsigned int addend;
 #ifdef CONFIG_COMPAT
        struct compat_xt_counters_info compat_tmp;
@@ -1169,12 +1175,12 @@ static int do_add_counters(struct net *net, const void __user *user,
        /* Choose the copy that is on our node */
        curcpu = smp_processor_id();
        loc_cpu_entry = private->entries[curcpu];
-        xt_info_wrlock(curcpu);
+        addend = xt_write_recseq_begin();
        xt_entry_foreach(iter, loc_cpu_entry, private->size) {
                ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
                ++i;
        }
-        xt_info_wrunlock(curcpu);
+        xt_write_recseq_end(addend);
 unlock_up_free:
        local_bh_enable();
        xt_table_unlock(t);
@@ -1333,6 +1339,7 @@ static int translate_compat_table(const char *name,
        duprintf("translate_compat_table: size %u\n", info->size);
        j = 0;
        xt_compat_lock(NFPROTO_ARP);
+        xt_compat_init_offsets(NFPROTO_ARP, number);
        /* Walk through entries, checking offsets. */
        xt_entry_foreach(iter0, entry0, total_size) {
                ret = check_compat_entry_size_and_hooks(iter0, info, &size,
@@ -1486,6 +1493,7 @@ static int compat_do_replace(struct net *net, void __user *user,
                return -ENOMEM;
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
@@ -1738,6 +1746,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
                        ret = -EFAULT;
                        break;
                }
+                rev.name[sizeof(rev.name)-1] = 0;
                try_then_request_module(xt_find_revision(NFPROTO_ARP, rev.name,
                                                         rev.revision, 1, &ret),
@@ -1869,7 +1878,7 @@ static int __init arp_tables_init(void)
        if (ret < 0)
                goto err1;
-        /* Noone else will be downing sem now, so we won't sleep */
+        /* No one else will be downing sem now, so we won't sleep */
        ret = xt_register_targets(arpt_builtin_tg, ARRAY_SIZE(arpt_builtin_tg));
        if (ret < 0)
                goto err2;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 652efea013dc..764743843503 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -68,15 +68,6 @@ void *ipt_alloc_initial_table(const struct xt_table *info)
 }
 EXPORT_SYMBOL_GPL(ipt_alloc_initial_table);
-/*
-   We keep a set of rules for each CPU, so we can avoid write-locking
-   them in the softirq when updating the counters and therefore
-   only need to read-lock in the softirq; doing a write_lock_bh() in user
-   context stops packets coming through and allows user context to read
-   the counters or update the rules.
-   Hence the start of any table is given by get_table() below.  */
 /* Returns whether matches rule or not. */
 /* Performance critical - called for every packet */
 static inline bool
@@ -311,6 +302,7 @@ ipt_do_table(struct sk_buff *skb,
        unsigned int *stackptr, origptr, cpu;
        const struct xt_table_info *private;
        struct xt_action_param acpar;
+        unsigned int addend;
        /* Initialization */
        ip = ip_hdr(skb);
@@ -331,7 +323,8 @@ ipt_do_table(struct sk_buff *skb,
        acpar.hooknum = hook;
        IP_NF_ASSERT(table->valid_hooks & (1 << hook));
-        xt_info_rdlock_bh();
+        local_bh_disable();
+        addend = xt_write_recseq_begin();
        private = table->private;
        cpu        = smp_processor_id();
        table_base = private->entries[cpu];
@@ -387,7 +380,7 @@ ipt_do_table(struct sk_buff *skb,
                                        verdict = (unsigned)(-v) - 1;
                                        break;
                                }
-                                if (*stackptr == 0) {
+                                if (*stackptr <= origptr) {
                                        e = get_entry(table_base,
                                            private->underflow[hook]);
                                        pr_debug("Underflow (this is normal) "
@@ -427,10 +420,12 @@ ipt_do_table(struct sk_buff *skb,
                        /* Verdict */
                        break;
        } while (!acpar.hotdrop);
-        xt_info_rdunlock_bh();
        pr_debug("Exiting %s; resetting sp from %u to %u\n",
                 __func__, *stackptr, origptr);
        *stackptr = origptr;
+        xt_write_recseq_end(addend);
+        local_bh_enable();
 #ifdef DEBUG_ALLOW_ALL
        return NF_ACCEPT;
 #else
@@ -886,7 +881,7 @@ get_counters(const struct xt_table_info *t,
        unsigned int i;
        for_each_possible_cpu(cpu) {
-                seqlock_t *lock = &per_cpu(xt_info_locks, cpu).lock;
+                seqcount_t *s = &per_cpu(xt_recseq, cpu);
                i = 0;
                xt_entry_foreach(iter, t->entries[cpu], t->size) {
@@ -894,10 +889,10 @@ get_counters(const struct xt_table_info *t,
                        unsigned int start;
                        do {
-                                start = read_seqbegin(lock);
+                                start = read_seqcount_begin(s);
                                bcnt = iter->counters.bcnt;
                                pcnt = iter->counters.pcnt;
-                        } while (read_seqretry(lock, start));
+                        } while (read_seqcount_retry(s, start));
                        ADD_COUNTER(counters[i], bcnt, pcnt);
                        ++i; /* macro does multi eval of i */
@@ -1063,6 +1058,7 @@ static int compat_table_info(const struct xt_table_info *info,
        memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
        newinfo->initial_entries = 0;
        loc_cpu_entry = info->entries[raw_smp_processor_id()];
+        xt_compat_init_offsets(AF_INET, info->number);
        xt_entry_foreach(iter, loc_cpu_entry, info->size) {
                ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
                if (ret != 0)
@@ -1261,6 +1257,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
        /* overflow check */
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
@@ -1310,6 +1307,7 @@ do_add_counters(struct net *net, const void __user *user,
        int ret = 0;
        void *loc_cpu_entry;
        struct ipt_entry *iter;
+        unsigned int addend;
 #ifdef CONFIG_COMPAT
        struct compat_xt_counters_info compat_tmp;
@@ -1366,12 +1364,12 @@ do_add_counters(struct net *net, const void __user *user,
        /* Choose the copy that is on our node */
        curcpu = smp_processor_id();
        loc_cpu_entry = private->entries[curcpu];
-        xt_info_wrlock(curcpu);
+        addend = xt_write_recseq_begin();
        xt_entry_foreach(iter, loc_cpu_entry, private->size) {
                ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
                ++i;
        }
-        xt_info_wrunlock(curcpu);
+        xt_write_recseq_end(addend);
 unlock_up_free:
        local_bh_enable();
        xt_table_unlock(t);
@@ -1664,6 +1662,7 @@ translate_compat_table(struct net *net,
        duprintf("translate_compat_table: size %u\n", info->size);
        j = 0;
        xt_compat_lock(AF_INET);
+        xt_compat_init_offsets(AF_INET, number);
        /* Walk through entries, checking offsets. */
        xt_entry_foreach(iter0, entry0, total_size) {
                ret = check_compat_entry_size_and_hooks(iter0, info, &size,
@@ -1805,6 +1804,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
                return -ENOMEM;
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
@@ -2034,6 +2034,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
                        ret = -EFAULT;
                        break;
                }
+                rev.name[sizeof(rev.name)-1] = 0;
                if (cmd == IPT_SO_GET_REVISION_TARGET)
                        target = 1;
@@ -2228,7 +2229,7 @@ static int __init ip_tables_init(void)
        if (ret < 0)
                goto err1;
-        /* Noone else will be downing sem now, so we won't sleep */
+        /* No one else will be downing sem now, so we won't sleep */
        ret = xt_register_targets(ipt_builtin_tg, ARRAY_SIZE(ipt_builtin_tg));
        if (ret < 0)
                goto err2;
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 1e26a4897655..d609ac3cb9a4 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -300,13 +300,8 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
         * that the ->target() function isn't called after ->destroy() */
        ct = nf_ct_get(skb, &ctinfo);
-        if (ct == NULL) {
+        if (ct == NULL)
-                pr_info("no conntrack!\n");
-                        /* FIXME: need to drop invalid ones, since replies
-                         * to outgoing connections of other nodes will be
-                         * marked as INVALID */
                return NF_DROP;
-        }
        /* special case: ICMP error handling. conntrack distinguishes between
         * error messages (RELATED) and information requests (see below) */
@@ -669,8 +664,11 @@ static ssize_t clusterip_proc_write(struct file *file, const char __user *input,
        char buffer[PROC_WRITELEN+1];
        unsigned long nodenum;
-        if (copy_from_user(buffer, input, PROC_WRITELEN))
+        if (size > PROC_WRITELEN)
+                return -EIO;
+        if (copy_from_user(buffer, input, size))
                return -EFAULT;
+        buffer[size] = 0;
        if (*buffer == '+') {
                nodenum = simple_strtoul(buffer+1, NULL, 10);
diff --git a/net/ipv4/netfilter/ipt_LOG.c b/net/ipv4/netfilter/ipt_LOG.c
index 72ffc8fda2e9..d76d6c9ed946 100644
--- a/net/ipv4/netfilter/ipt_LOG.c
+++ b/net/ipv4/netfilter/ipt_LOG.c
@@ -442,8 +442,7 @@ ipt_log_packet(u_int8_t pf,
        }
 #endif
-        /* MAC logging for input path only. */
+        if (in != NULL)
-        if (in && !out)
                dump_mac_header(m, loginfo, skb);
        dump_packet(m, loginfo, skb, 0);
diff --git a/net/ipv4/netfilter/ipt_addrtype.c b/net/ipv4/netfilter/ipt_addrtype.c
deleted file mode 100644
index db8bff0fb86d..000000000000
--- a/net/ipv4/netfilter/ipt_addrtype.c
+++ /dev/null
@@ -1,134 +0,0 @@
-/*
- *  iptables module to match inet_addr_type() of an ip.
- *
- *  Copyright (c) 2004 Patrick McHardy <kaber@trash.net>
- *  (C) 2007 Laszlo Attila Toth <panther@balabit.hu>
- *
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License version 2 as
- *  published by the Free Software Foundation.
- */
-#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#include <linux/kernel.h>
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/netdevice.h>
-#include <linux/ip.h>
-#include <net/route.h>
-#include <linux/netfilter_ipv4/ipt_addrtype.h>
-#include <linux/netfilter/x_tables.h>
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
-MODULE_DESCRIPTION("Xtables: address type match for IPv4");
-static inline bool match_type(struct net *net, const struct net_device *dev,
-                              __be32 addr, u_int16_t mask)
-{
-        return !!(mask & (1 << inet_dev_addr_type(net, dev, addr)));
-}
-static bool
-addrtype_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
-{
-        struct net *net = dev_net(par->in ? par->in : par->out);
-        const struct ipt_addrtype_info *info = par->matchinfo;
-        const struct iphdr *iph = ip_hdr(skb);
-        bool ret = true;
-        if (info->source)
-                ret &= match_type(net, NULL, iph->saddr, info->source) ^
-                       info->invert_source;
-        if (info->dest)
-                ret &= match_type(net, NULL, iph->daddr, info->dest) ^
-                       info->invert_dest;
-        return ret;
-}
-static bool
-addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
-{
-        struct net *net = dev_net(par->in ? par->in : par->out);
-        const struct ipt_addrtype_info_v1 *info = par->matchinfo;
-        const struct iphdr *iph = ip_hdr(skb);
-        const struct net_device *dev = NULL;
-        bool ret = true;
-        if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN)
-                dev = par->in;
-        else if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT)
-                dev = par->out;
-        if (info->source)
-                ret &= match_type(net, dev, iph->saddr, info->source) ^
-                       (info->flags & IPT_ADDRTYPE_INVERT_SOURCE);
-        if (ret && info->dest)
-                ret &= match_type(net, dev, iph->daddr, info->dest) ^
-                       !!(info->flags & IPT_ADDRTYPE_INVERT_DEST);
-        return ret;
-}
-static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
-{
-        struct ipt_addrtype_info_v1 *info = par->matchinfo;
-        if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN &&
-            info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
-                pr_info("both incoming and outgoing "
-                        "interface limitation cannot be selected\n");
-                return -EINVAL;
-        }
-        if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
-            (1 << NF_INET_LOCAL_IN)) &&
-            info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
-                pr_info("output interface limitation "
-                        "not valid in PREROUTING and INPUT\n");
-                return -EINVAL;
-        }
-        if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
-            (1 << NF_INET_LOCAL_OUT)) &&
-            info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
-                pr_info("input interface limitation "
-                        "not valid in POSTROUTING and OUTPUT\n");
-                return -EINVAL;
-        }
-        return 0;
-}
-static struct xt_match addrtype_mt_reg[] __read_mostly = {
-        {
-                .name           = "addrtype",
-                .family         = NFPROTO_IPV4,
-                .match          = addrtype_mt_v0,
-                .matchsize      = sizeof(struct ipt_addrtype_info),
-                .me             = THIS_MODULE
-        },
-        {
-                .name           = "addrtype",
-                .family         = NFPROTO_IPV4,
-                .revision       = 1,
-                .match          = addrtype_mt_v1,
-                .checkentry     = addrtype_mt_checkentry_v1,
-                .matchsize      = sizeof(struct ipt_addrtype_info_v1),
-                .me             = THIS_MODULE
-        }
-};
-static int __init addrtype_mt_init(void)
-{
-        return xt_register_matches(addrtype_mt_reg,
-                                   ARRAY_SIZE(addrtype_mt_reg));
-}
-static void __exit addrtype_mt_exit(void)
-{
-        xt_unregister_matches(addrtype_mt_reg, ARRAY_SIZE(addrtype_mt_reg));
-}
-module_init(addrtype_mt_init);
-module_exit(addrtype_mt_exit);
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 294a2a32f293..aef5d1fbe77d 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -60,7 +60,7 @@ ipt_mangle_out(struct sk_buff *skb, const struct net_device *out)
        ret = ipt_do_table(skb, NF_INET_LOCAL_OUT, NULL, out,
                           dev_net(out)->ipv4.iptable_mangle);
        /* Reroute for ANY change. */
-        if (ret != NF_DROP && ret != NF_STOLEN && ret != NF_QUEUE) {
+        if (ret != NF_DROP && ret != NF_STOLEN) {
                iph = ip_hdr(skb);
                if (iph->saddr != saddr ||
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
index 63f60fc5d26a..5585980fce2e 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
@@ -20,6 +20,7 @@
 #include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_expect.h>
 #include <net/netfilter/nf_conntrack_acct.h>
+#include <linux/rculist_nulls.h>
 struct ct_iter_state {
        struct seq_net_private p;
@@ -35,7 +36,8 @@ static struct hlist_nulls_node *ct_get_first(struct seq_file *seq)
        for (st->bucket = 0;
             st->bucket < net->ct.htable_size;
             st->bucket++) {
-                n = rcu_dereference(net->ct.hash[st->bucket].first);
+                n = rcu_dereference(
+                        hlist_nulls_first_rcu(&net->ct.hash[st->bucket]));
                if (!is_a_nulls(n))
                        return n;
        }
@@ -48,13 +50,14 @@ static struct hlist_nulls_node *ct_get_next(struct seq_file *seq,
        struct net *net = seq_file_net(seq);
        struct ct_iter_state *st = seq->private;
-        head = rcu_dereference(head->next);
+        head = rcu_dereference(hlist_nulls_next_rcu(head));
        while (is_a_nulls(head)) {
                if (likely(get_nulls_value(head) == st->bucket)) {
                        if (++st->bucket >= net->ct.htable_size)
                                return NULL;
                }
-                head = rcu_dereference(net->ct.hash[st->bucket].first);
+                head = rcu_dereference(
+                        hlist_nulls_first_rcu(&net->ct.hash[st->bucket]));
        }
        return head;
 }
@@ -217,7 +220,8 @@ static struct hlist_node *ct_expect_get_first(struct seq_file *seq)
        struct hlist_node *n;
        for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) {
-                n = rcu_dereference(net->ct.expect_hash[st->bucket].first);
+                n = rcu_dereference(
+                        hlist_first_rcu(&net->ct.expect_hash[st->bucket]));
                if (n)
                        return n;
        }
@@ -230,11 +234,12 @@ static struct hlist_node *ct_expect_get_next(struct seq_file *seq,
        struct net *net = seq_file_net(seq);
        struct ct_expect_iter_state *st = seq->private;
-        head = rcu_dereference(head->next);
+        head = rcu_dereference(hlist_next_rcu(head));
        while (head == NULL) {
                if (++st->bucket >= nf_ct_expect_hsize)
                        return NULL;
-                head = rcu_dereference(net->ct.expect_hash[st->bucket].first);
+                head = rcu_dereference(
+                        hlist_first_rcu(&net->ct.expect_hash[st->bucket]));
        }
        return head;
 }
diff --git a/net/ipv4/netfilter/nf_nat_amanda.c b/net/ipv4/netfilter/nf_nat_amanda.c
index 0f23b3f06df0..703f366fd235 100644
--- a/net/ipv4/netfilter/nf_nat_amanda.c
+++ b/net/ipv4/netfilter/nf_nat_amanda.c
@@ -44,13 +44,13 @@ static unsigned int help(struct sk_buff *skb,
        /* Try to get same port: if not, try to change it. */
        for (port = ntohs(exp->saved_proto.tcp.port); port != 0; port++) {
-                int ret;
+                int res;
                exp->tuple.dst.u.tcp.port = htons(port);
-                ret = nf_ct_expect_related(exp);
+                res = nf_ct_expect_related(exp);
-                if (ret == 0)
+                if (res == 0)
                        break;
-                else if (ret != -EBUSY) {
+                else if (res != -EBUSY) {
                        port = 0;
                        break;
                }
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index c04787ce1a71..9c71b2755ce3 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -221,7 +221,14 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
           manips not an issue.  */
        if (maniptype == IP_NAT_MANIP_SRC &&
            !(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) {
-                if (find_appropriate_src(net, zone, orig_tuple, tuple, range)) {
+                /* try the original tuple first */
+                if (in_range(orig_tuple, range)) {
+                        if (!nf_nat_used_tuple(orig_tuple, ct)) {
+                                *tuple = *orig_tuple;
+                                return;
+                        }
+                } else if (find_appropriate_src(net, zone, orig_tuple, tuple,
+                           range)) {
                        pr_debug("get_unique_tuple: Found current src map\n");
                        if (!nf_nat_used_tuple(tuple, ct))
                                return;
@@ -266,7 +273,6 @@ nf_nat_setup_info(struct nf_conn *ct,
        struct net *net = nf_ct_net(ct);
        struct nf_conntrack_tuple curr_tuple, new_tuple;
        struct nf_conn_nat *nat;
-        int have_to_hash = !(ct->status & IPS_NAT_DONE_MASK);
        /* nat helper or nfctnetlink also setup binding */
        nat = nfct_nat(ct);
@@ -306,8 +312,7 @@ nf_nat_setup_info(struct nf_conn *ct,
                        ct->status |= IPS_DST_NAT;
        }
-        /* Place in source hash if this is the first time. */
+        if (maniptype == IP_NAT_MANIP_SRC) {
-        if (have_to_hash) {
                unsigned int srchash;
                srchash = hash_by_src(net, nf_ct_zone(ct),
@@ -323,9 +328,9 @@ nf_nat_setup_info(struct nf_conn *ct,
        /* It's done. */
        if (maniptype == IP_NAT_MANIP_DST)
-                set_bit(IPS_DST_NAT_DONE_BIT, &ct->status);
+                ct->status |= IPS_DST_NAT_DONE;
        else
-                set_bit(IPS_SRC_NAT_DONE_BIT, &ct->status);
+                ct->status |= IPS_SRC_NAT_DONE;
        return NF_ACCEPT;
 }
@@ -502,7 +507,10 @@ int nf_nat_protocol_register(const struct nf_nat_protocol *proto)
        int ret = 0;
        spin_lock_bh(&nf_nat_lock);
-        if (nf_nat_protos[proto->protonum] != &nf_nat_unknown_protocol) {
+        if (rcu_dereference_protected(
+                        nf_nat_protos[proto->protonum],
+                        lockdep_is_held(&nf_nat_lock)
+                        ) != &nf_nat_unknown_protocol) {
                ret = -EBUSY;
                goto out;
        }
@@ -513,7 +521,7 @@ int nf_nat_protocol_register(const struct nf_nat_protocol *proto)
 }
 EXPORT_SYMBOL(nf_nat_protocol_register);
-/* Noone stores the protocol anywhere; simply delete it. */
+/* No one stores the protocol anywhere; simply delete it. */
 void nf_nat_protocol_unregister(const struct nf_nat_protocol *proto)
 {
        spin_lock_bh(&nf_nat_lock);
@@ -524,7 +532,7 @@ void nf_nat_protocol_unregister(const struct nf_nat_protocol *proto)
 }
 EXPORT_SYMBOL(nf_nat_protocol_unregister);
-/* Noone using conntrack by the time this called. */
+/* No one using conntrack by the time this called. */
 static void nf_nat_cleanup_conntrack(struct nf_conn *ct)
 {
        struct nf_conn_nat *nat = nf_ct_ext_find(ct, NF_CT_EXT_NAT);
@@ -532,7 +540,7 @@ static void nf_nat_cleanup_conntrack(struct nf_conn *ct)
        if (nat == NULL || nat->ct == NULL)
                return;
-        NF_CT_ASSERT(nat->ct->status & IPS_NAT_DONE_MASK);
+        NF_CT_ASSERT(nat->ct->status & IPS_SRC_NAT_DONE);
        spin_lock_bh(&nf_nat_lock);
        hlist_del_rcu(&nat->bysource);
@@ -545,11 +553,10 @@ static void nf_nat_move_storage(void *new, void *old)
        struct nf_conn_nat *old_nat = old;
        struct nf_conn *ct = old_nat->ct;
-        if (!ct || !(ct->status & IPS_NAT_DONE_MASK))
+        if (!ct || !(ct->status & IPS_SRC_NAT_DONE))
                return;
        spin_lock_bh(&nf_nat_lock);
-        new_nat->ct = ct;
        hlist_replace_rcu(&old_nat->bysource, &new_nat->bysource);
        spin_unlock_bh(&nf_nat_lock);
 }
@@ -679,8 +686,7 @@ static int __net_init nf_nat_net_init(struct net *net)
 {
        /* Leave them the same for the moment. */
        net->ipv4.nat_htable_size = net->ct.htable_size;
-        net->ipv4.nat_bysource = nf_ct_alloc_hashtable(&net->ipv4.nat_htable_size,
+        net->ipv4.nat_bysource = nf_ct_alloc_hashtable(&net->ipv4.nat_htable_size, 0);
-                                                       &net->ipv4.nat_vmalloced, 0);
        if (!net->ipv4.nat_bysource)
                return -ENOMEM;
        return 0;
@@ -702,8 +708,7 @@ static void __net_exit nf_nat_net_exit(struct net *net)
 {
        nf_ct_iterate_cleanup(net, &clean_nat, NULL);
        synchronize_rcu();
-        nf_ct_free_hashtable(net->ipv4.nat_bysource, net->ipv4.nat_vmalloced,
+        nf_ct_free_hashtable(net->ipv4.nat_bysource, net->ipv4.nat_htable_size);
-                             net->ipv4.nat_htable_size);
 }
 static struct pernet_operations nf_nat_net_ops = {
diff --git a/net/ipv4/netfilter/nf_nat_helper.c b/net/ipv4/netfilter/nf_nat_helper.c
index 31427fb57aa8..99cfa28b6d38 100644
--- a/net/ipv4/netfilter/nf_nat_helper.c
+++ b/net/ipv4/netfilter/nf_nat_helper.c
@@ -153,7 +153,7 @@ void nf_nat_set_seq_adjust(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
 }
 EXPORT_SYMBOL_GPL(nf_nat_set_seq_adjust);
-static void nf_nat_csum(struct sk_buff *skb, struct iphdr *iph, void *data,
+static void nf_nat_csum(struct sk_buff *skb, const struct iphdr *iph, void *data,
                        int datalen, __sum16 *check, int oldlen)
 {
        struct rtable *rt = skb_rtable(skb);
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index ee5f419d0a56..8812a02078ab 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -54,6 +54,7 @@
 #include <net/netfilter/nf_conntrack_expect.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_nat_helper.h>
+#include <linux/netfilter/nf_conntrack_snmp.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("James Morris <jmorris@intercode.com.au>");
@@ -1310,9 +1311,9 @@ static int __init nf_nat_snmp_basic_init(void)
 {
        int ret = 0;
-        ret = nf_conntrack_helper_register(&snmp_helper);
+        BUG_ON(nf_nat_snmp_hook != NULL);
-        if (ret < 0)
+        rcu_assign_pointer(nf_nat_snmp_hook, help);
-                return ret;
        ret = nf_conntrack_helper_register(&snmp_trap_helper);
        if (ret < 0) {
                nf_conntrack_helper_unregister(&snmp_helper);
@@ -1323,7 +1324,7 @@ static int __init nf_nat_snmp_basic_init(void)
 static void __exit nf_nat_snmp_basic_fini(void)
 {
-        nf_conntrack_helper_unregister(&snmp_helper);
+        rcu_assign_pointer(nf_nat_snmp_hook, NULL);
        nf_conntrack_helper_unregister(&snmp_trap_helper);
 }
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 95481fee8bdb..7317bdf1d457 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -31,6 +31,7 @@
 #ifdef CONFIG_XFRM
 static void nat_decode_session(struct sk_buff *skb, struct flowi *fl)
 {
+        struct flowi4 *fl4 = &fl->u.ip4;
        const struct nf_conn *ct;
        const struct nf_conntrack_tuple *t;
        enum ip_conntrack_info ctinfo;
@@ -49,25 +50,25 @@ static void nat_decode_session(struct sk_buff *skb, struct flowi *fl)
                statusbit = IPS_SRC_NAT;
        if (ct->status & statusbit) {
-                fl->fl4_dst = t->dst.u3.ip;
+                fl4->daddr = t->dst.u3.ip;
                if (t->dst.protonum == IPPROTO_TCP ||
                    t->dst.protonum == IPPROTO_UDP ||
                    t->dst.protonum == IPPROTO_UDPLITE ||
                    t->dst.protonum == IPPROTO_DCCP ||
                    t->dst.protonum == IPPROTO_SCTP)
-                        fl->fl_ip_dport = t->dst.u.tcp.port;
+                        fl4->fl4_dport = t->dst.u.tcp.port;
        }
        statusbit ^= IPS_NAT_MASK;
        if (ct->status & statusbit) {
-                fl->fl4_src = t->src.u3.ip;
+                fl4->saddr = t->src.u3.ip;
                if (t->dst.protonum == IPPROTO_TCP ||
                    t->dst.protonum == IPPROTO_UDP ||
                    t->dst.protonum == IPPROTO_UDPLITE ||
                    t->dst.protonum == IPPROTO_DCCP ||
                    t->dst.protonum == IPPROTO_SCTP)
-                        fl->fl_ip_sport = t->src.u.tcp.port;
+                        fl4->fl4_sport = t->src.u.tcp.port;
        }
 }
 #endif
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
new file mode 100644
index 000000000000..1f3bb11490c9
--- /dev/null
+++ b/net/ipv4/ping.c
@@ -0,0 +1,935 @@
+/*
+ * INET         An implementation of the TCP/IP protocol suite for the LINUX
+ *              operating system.  INET is implemented using the  BSD Socket
+ *              interface as the means of communication with the user level.
+ *
+ *              "Ping" sockets
+ *
+ *              This program is free software; you can redistribute it and/or
+ *              modify it under the terms of the GNU General Public License
+ *              as published by the Free Software Foundation; either version
+ *              2 of the License, or (at your option) any later version.
+ *
+ * Based on ipv4/udp.c code.
+ *
+ * Authors:     Vasiliy Kulikov / Openwall (for Linux 2.6),
+ *              Pavel Kankovsky (for Linux 2.4.32)
+ *
+ * Pavel gave all rights to bugs to Vasiliy,
+ * none of the bugs are Pavel's now.
+ *
+ */
+#include <asm/system.h>
+#include <linux/uaccess.h>
+#include <linux/types.h>
+#include <linux/fcntl.h>
+#include <linux/socket.h>
+#include <linux/sockios.h>
+#include <linux/in.h>
+#include <linux/errno.h>
+#include <linux/timer.h>
+#include <linux/mm.h>
+#include <linux/inet.h>
+#include <linux/netdevice.h>
+#include <net/snmp.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/icmp.h>
+#include <net/protocol.h>
+#include <linux/skbuff.h>
+#include <linux/proc_fs.h>
+#include <net/sock.h>
+#include <net/ping.h>
+#include <net/icmp.h>
+#include <net/udp.h>
+#include <net/route.h>
+#include <net/inet_common.h>
+#include <net/checksum.h>
+static struct ping_table ping_table;
+static u16 ping_port_rover;
+static inline int ping_hashfn(struct net *net, unsigned num, unsigned mask)
+{
+        int res = (num + net_hash_mix(net)) & mask;
+        pr_debug("hash(%d) = %d\n", num, res);
+        return res;
+}
+static inline struct hlist_nulls_head *ping_hashslot(struct ping_table *table,
+                                             struct net *net, unsigned num)
+{
+        return &table->hash[ping_hashfn(net, num, PING_HTABLE_MASK)];
+}
+static int ping_v4_get_port(struct sock *sk, unsigned short ident)
+{
+        struct hlist_nulls_node *node;
+        struct hlist_nulls_head *hlist;
+        struct inet_sock *isk, *isk2;
+        struct sock *sk2 = NULL;
+        isk = inet_sk(sk);
+        write_lock_bh(&ping_table.lock);
+        if (ident == 0) {
+                u32 i;
+                u16 result = ping_port_rover + 1;
+                for (i = 0; i < (1L << 16); i++, result++) {
+                        if (!result)
+                                result++; /* avoid zero */
+                        hlist = ping_hashslot(&ping_table, sock_net(sk),
+                                            result);
+                        ping_portaddr_for_each_entry(sk2, node, hlist) {
+                                isk2 = inet_sk(sk2);
+                                if (isk2->inet_num == result)
+                                        goto next_port;
+                        }
+                        /* found */
+                        ping_port_rover = ident = result;
+                        break;
+next_port:
+                        ;
+                }
+                if (i >= (1L << 16))
+                        goto fail;
+        } else {
+                hlist = ping_hashslot(&ping_table, sock_net(sk), ident);
+                ping_portaddr_for_each_entry(sk2, node, hlist) {
+                        isk2 = inet_sk(sk2);
+                        if ((isk2->inet_num == ident) &&
+                            (sk2 != sk) &&
+                            (!sk2->sk_reuse || !sk->sk_reuse))
+                                goto fail;
+                }
+        }
+        pr_debug("found port/ident = %d\n", ident);
+        isk->inet_num = ident;
+        if (sk_unhashed(sk)) {
+                pr_debug("was not hashed\n");
+                sock_hold(sk);
+                hlist_nulls_add_head(&sk->sk_nulls_node, hlist);
+                sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+        }
+        write_unlock_bh(&ping_table.lock);
+        return 0;
+fail:
+        write_unlock_bh(&ping_table.lock);
+        return 1;
+}
+static void ping_v4_hash(struct sock *sk)
+{
+        pr_debug("ping_v4_hash(sk->port=%u)\n", inet_sk(sk)->inet_num);
+        BUG(); /* "Please do not press this button again." */
+}
+static void ping_v4_unhash(struct sock *sk)
+{
+        struct inet_sock *isk = inet_sk(sk);
+        pr_debug("ping_v4_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
+        if (sk_hashed(sk)) {
+                struct hlist_nulls_head *hslot;
+                hslot = ping_hashslot(&ping_table, sock_net(sk), isk->inet_num);
+                write_lock_bh(&ping_table.lock);
+                hlist_nulls_del(&sk->sk_nulls_node);
+                sock_put(sk);
+                isk->inet_num = isk->inet_sport = 0;
+                sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
+                write_unlock_bh(&ping_table.lock);
+        }
+}
+static struct sock *ping_v4_lookup(struct net *net, u32 saddr, u32 daddr,
+                                   u16 ident, int dif)
+{
+        struct hlist_nulls_head *hslot = ping_hashslot(&ping_table, net, ident);
+        struct sock *sk = NULL;
+        struct inet_sock *isk;
+        struct hlist_nulls_node *hnode;
+        pr_debug("try to find: num = %d, daddr = %ld, dif = %d\n",
+                         (int)ident, (unsigned long)daddr, dif);
+        read_lock_bh(&ping_table.lock);
+        ping_portaddr_for_each_entry(sk, hnode, hslot) {
+                isk = inet_sk(sk);
+                pr_debug("found: %p: num = %d, daddr = %ld, dif = %d\n", sk,
+                         (int)isk->inet_num, (unsigned long)isk->inet_rcv_saddr,
+                         sk->sk_bound_dev_if);
+                pr_debug("iterate\n");
+                if (isk->inet_num != ident)
+                        continue;
+                if (isk->inet_rcv_saddr && isk->inet_rcv_saddr != daddr)
+                        continue;
+                if (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif)
+                        continue;
+                sock_hold(sk);
+                goto exit;
+        }
+        sk = NULL;
+exit:
+        read_unlock_bh(&ping_table.lock);
+        return sk;
+}
+static void inet_get_ping_group_range_net(struct net *net, gid_t *low,
+                                          gid_t *high)
+{
+        gid_t *data = net->ipv4.sysctl_ping_group_range;
+        unsigned seq;
+        do {
+                seq = read_seqbegin(&sysctl_local_ports.lock);
+                *low = data[0];
+                *high = data[1];
+        } while (read_seqretry(&sysctl_local_ports.lock, seq));
+}
+static int ping_init_sock(struct sock *sk)
+{
+        struct net *net = sock_net(sk);
+        gid_t group = current_egid();
+        gid_t range[2];
+        struct group_info *group_info = get_current_groups();
+        int i, j, count = group_info->ngroups;
+        inet_get_ping_group_range_net(net, range, range+1);
+        if (range[0] <= group && group <= range[1])
+                return 0;
+        for (i = 0; i < group_info->nblocks; i++) {
+                int cp_count = min_t(int, NGROUPS_PER_BLOCK, count);
+                for (j = 0; j < cp_count; j++) {
+                        group = group_info->blocks[i][j];
+                        if (range[0] <= group && group <= range[1])
+                                return 0;
+                }
+                count -= cp_count;
+        }
+        return -EACCES;
+}
+static void ping_close(struct sock *sk, long timeout)
+{
+        pr_debug("ping_close(sk=%p,sk->num=%u)\n",
+                inet_sk(sk), inet_sk(sk)->inet_num);
+        pr_debug("isk->refcnt = %d\n", sk->sk_refcnt.counter);
+        sk_common_release(sk);
+}
+/*
+ * We need our own bind because there are no privileged id's == local ports.
+ * Moreover, we don't allow binding to multi- and broadcast addresses.
+ */
+static int ping_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
+{
+        struct sockaddr_in *addr = (struct sockaddr_in *)uaddr;
+        struct inet_sock *isk = inet_sk(sk);
+        unsigned short snum;
+        int chk_addr_ret;
+        int err;
+        if (addr_len < sizeof(struct sockaddr_in))
+                return -EINVAL;
+        pr_debug("ping_v4_bind(sk=%p,sa_addr=%08x,sa_port=%d)\n",
+                sk, addr->sin_addr.s_addr, ntohs(addr->sin_port));
+        chk_addr_ret = inet_addr_type(sock_net(sk), addr->sin_addr.s_addr);
+        if (addr->sin_addr.s_addr == INADDR_ANY)
+                chk_addr_ret = RTN_LOCAL;
+        if ((sysctl_ip_nonlocal_bind == 0 &&
+            isk->freebind == 0 && isk->transparent == 0 &&
+             chk_addr_ret != RTN_LOCAL) ||
+            chk_addr_ret == RTN_MULTICAST ||
+            chk_addr_ret == RTN_BROADCAST)
+                return -EADDRNOTAVAIL;
+        lock_sock(sk);
+        err = -EINVAL;
+        if (isk->inet_num != 0)
+                goto out;
+        err = -EADDRINUSE;
+        isk->inet_rcv_saddr = isk->inet_saddr = addr->sin_addr.s_addr;
+        snum = ntohs(addr->sin_port);
+        if (ping_v4_get_port(sk, snum) != 0) {
+                isk->inet_saddr = isk->inet_rcv_saddr = 0;
+                goto out;
+        }
+        pr_debug("after bind(): num = %d, daddr = %ld, dif = %d\n",
+                (int)isk->inet_num,
+                (unsigned long) isk->inet_rcv_saddr,
+                (int)sk->sk_bound_dev_if);
+        err = 0;
+        if (isk->inet_rcv_saddr)
+                sk->sk_userlocks |= SOCK_BINDADDR_LOCK;
+        if (snum)
+                sk->sk_userlocks |= SOCK_BINDPORT_LOCK;
+        isk->inet_sport = htons(isk->inet_num);
+        isk->inet_daddr = 0;
+        isk->inet_dport = 0;
+        sk_dst_reset(sk);
+out:
+        release_sock(sk);
+        pr_debug("ping_v4_bind -> %d\n", err);
+        return err;
+}
+/*
+ * Is this a supported type of ICMP message?
+ */
+static inline int ping_supported(int type, int code)
+{
+        if (type == ICMP_ECHO && code == 0)
+                return 1;
+        return 0;
+}
+/*
+ * This routine is called by the ICMP module when it gets some
+ * sort of error condition.
+ */
+static int ping_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
+void ping_err(struct sk_buff *skb, u32 info)
+{
+        struct iphdr *iph = (struct iphdr *)skb->data;
+        struct icmphdr *icmph = (struct icmphdr *)(skb->data+(iph->ihl<<2));
+        struct inet_sock *inet_sock;
+        int type = icmph->type;
+        int code = icmph->code;
+        struct net *net = dev_net(skb->dev);
+        struct sock *sk;
+        int harderr;
+        int err;
+        /* We assume the packet has already been checked by icmp_unreach */
+        if (!ping_supported(icmph->type, icmph->code))
+                return;
+        pr_debug("ping_err(type=%04x,code=%04x,id=%04x,seq=%04x)\n", type,
+                code, ntohs(icmph->un.echo.id), ntohs(icmph->un.echo.sequence));
+        sk = ping_v4_lookup(net, iph->daddr, iph->saddr,
+                            ntohs(icmph->un.echo.id), skb->dev->ifindex);
+        if (sk == NULL) {
+                ICMP_INC_STATS_BH(net, ICMP_MIB_INERRORS);
+                pr_debug("no socket, dropping\n");
+                return; /* No socket for error */
+        }
+        pr_debug("err on socket %p\n", sk);
+        err = 0;
+        harderr = 0;
+        inet_sock = inet_sk(sk);
+        switch (type) {
+        default:
+        case ICMP_TIME_EXCEEDED:
+                err = EHOSTUNREACH;
+                break;
+        case ICMP_SOURCE_QUENCH:
+                /* This is not a real error but ping wants to see it.
+                 * Report it with some fake errno. */
+                err = EREMOTEIO;
+                break;
+        case ICMP_PARAMETERPROB:
+                err = EPROTO;
+                harderr = 1;
+                break;
+        case ICMP_DEST_UNREACH:
+                if (code == ICMP_FRAG_NEEDED) { /* Path MTU discovery */
+                        if (inet_sock->pmtudisc != IP_PMTUDISC_DONT) {
+                                err = EMSGSIZE;
+                                harderr = 1;
+                                break;
+                        }
+                        goto out;
+                }
+                err = EHOSTUNREACH;
+                if (code <= NR_ICMP_UNREACH) {
+                        harderr = icmp_err_convert[code].fatal;
+                        err = icmp_err_convert[code].errno;
+                }
+                break;
+        case ICMP_REDIRECT:
+                /* See ICMP_SOURCE_QUENCH */
+                err = EREMOTEIO;
+                break;
+        }
+        /*
+         *      RFC1122: OK.  Passes ICMP errors back to application, as per
+         *      4.1.3.3.
+         */
+        if (!inet_sock->recverr) {
+                if (!harderr || sk->sk_state != TCP_ESTABLISHED)
+                        goto out;
+        } else {
+                ip_icmp_error(sk, skb, err, 0 /* no remote port */,
+                         info, (u8 *)icmph);
+        }
+        sk->sk_err = err;
+        sk->sk_error_report(sk);
+out:
+        sock_put(sk);
+}
+/*
+ *      Copy and checksum an ICMP Echo packet from user space into a buffer.
+ */
+struct pingfakehdr {
+        struct icmphdr icmph;
+        struct iovec *iov;
+        u32 wcheck;
+};
+static int ping_getfrag(void *from, char * to,
+                        int offset, int fraglen, int odd, struct sk_buff *skb)
+{
+        struct pingfakehdr *pfh = (struct pingfakehdr *)from;
+        if (offset == 0) {
+                if (fraglen < sizeof(struct icmphdr))
+                        BUG();
+                if (csum_partial_copy_fromiovecend(to + sizeof(struct icmphdr),
+                            pfh->iov, 0, fraglen - sizeof(struct icmphdr),
+                            &pfh->wcheck))
+                        return -EFAULT;
+                return 0;
+        }
+        if (offset < sizeof(struct icmphdr))
+                BUG();
+        if (csum_partial_copy_fromiovecend
+                        (to, pfh->iov, offset - sizeof(struct icmphdr),
+                         fraglen, &pfh->wcheck))
+                return -EFAULT;
+        return 0;
+}
+static int ping_push_pending_frames(struct sock *sk, struct pingfakehdr *pfh,
+                                    struct flowi4 *fl4)
+{
+        struct sk_buff *skb = skb_peek(&sk->sk_write_queue);
+        pfh->wcheck = csum_partial((char *)&pfh->icmph,
+                sizeof(struct icmphdr), pfh->wcheck);
+        pfh->icmph.checksum = csum_fold(pfh->wcheck);
+        memcpy(icmp_hdr(skb), &pfh->icmph, sizeof(struct icmphdr));
+        skb->ip_summed = CHECKSUM_NONE;
+        return ip_push_pending_frames(sk, fl4);
+}
+static int ping_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+                        size_t len)
+{
+        struct net *net = sock_net(sk);
+        struct flowi4 fl4;
+        struct inet_sock *inet = inet_sk(sk);
+        struct ipcm_cookie ipc;
+        struct icmphdr user_icmph;
+        struct pingfakehdr pfh;
+        struct rtable *rt = NULL;
+        struct ip_options_data opt_copy;
+        int free = 0;
+        u32 saddr, daddr, faddr;
+        u8  tos;
+        int err;
+        pr_debug("ping_sendmsg(sk=%p,sk->num=%u)\n", inet, inet->inet_num);
+        if (len > 0xFFFF)
+                return -EMSGSIZE;
+        /*
+         *      Check the flags.
+         */
+        /* Mirror BSD error message compatibility */
+        if (msg->msg_flags & MSG_OOB)
+                return -EOPNOTSUPP;
+        /*
+         *      Fetch the ICMP header provided by the userland.
+         *      iovec is modified!
+         */
+        if (memcpy_fromiovec((u8 *)&user_icmph, msg->msg_iov,
+                             sizeof(struct icmphdr)))
+                return -EFAULT;
+        if (!ping_supported(user_icmph.type, user_icmph.code))
+                return -EINVAL;
+        /*
+         *      Get and verify the address.
+         */
+        if (msg->msg_name) {
+                struct sockaddr_in *usin = (struct sockaddr_in *)msg->msg_name;
+                if (msg->msg_namelen < sizeof(*usin))
+                        return -EINVAL;
+                if (usin->sin_family != AF_INET)
+                        return -EINVAL;
+                daddr = usin->sin_addr.s_addr;
+                /* no remote port */
+        } else {
+                if (sk->sk_state != TCP_ESTABLISHED)
+                        return -EDESTADDRREQ;
+                daddr = inet->inet_daddr;
+                /* no remote port */
+        }
+        ipc.addr = inet->inet_saddr;
+        ipc.opt = NULL;
+        ipc.oif = sk->sk_bound_dev_if;
+        ipc.tx_flags = 0;
+        err = sock_tx_timestamp(sk, &ipc.tx_flags);
+        if (err)
+                return err;
+        if (msg->msg_controllen) {
+                err = ip_cmsg_send(sock_net(sk), msg, &ipc);
+                if (err)
+                        return err;
+                if (ipc.opt)
+                        free = 1;
+        }
+        if (!ipc.opt) {
+                struct ip_options_rcu *inet_opt;
+                rcu_read_lock();
+                inet_opt = rcu_dereference(inet->inet_opt);
+                if (inet_opt) {
+                        memcpy(&opt_copy, inet_opt,
+                               sizeof(*inet_opt) + inet_opt->opt.optlen);
+                        ipc.opt = &opt_copy.opt;
+                }
+                rcu_read_unlock();
+        }
+        saddr = ipc.addr;
+        ipc.addr = faddr = daddr;
+        if (ipc.opt && ipc.opt->opt.srr) {
+                if (!daddr)
+                        return -EINVAL;
+                faddr = ipc.opt->opt.faddr;
+        }
+        tos = RT_TOS(inet->tos);
+        if (sock_flag(sk, SOCK_LOCALROUTE) ||
+            (msg->msg_flags & MSG_DONTROUTE) ||
+            (ipc.opt && ipc.opt->opt.is_strictroute)) {
+                tos |= RTO_ONLINK;
+        }
+        if (ipv4_is_multicast(daddr)) {
+                if (!ipc.oif)
+                        ipc.oif = inet->mc_index;
+                if (!saddr)
+                        saddr = inet->mc_addr;
+        }
+        flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
+                           RT_SCOPE_UNIVERSE, sk->sk_protocol,
+                           inet_sk_flowi_flags(sk), faddr, saddr, 0, 0);
+        security_sk_classify_flow(sk, flowi4_to_flowi(&fl4));
+        rt = ip_route_output_flow(net, &fl4, sk);
+        if (IS_ERR(rt)) {
+                err = PTR_ERR(rt);
+                rt = NULL;
+                if (err == -ENETUNREACH)
+                        IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
+                goto out;
+        }
+        err = -EACCES;
+        if ((rt->rt_flags & RTCF_BROADCAST) &&
+            !sock_flag(sk, SOCK_BROADCAST))
+                goto out;
+        if (msg->msg_flags & MSG_CONFIRM)
+                goto do_confirm;
+back_from_confirm:
+        if (!ipc.addr)
+                ipc.addr = fl4.daddr;
+        lock_sock(sk);
+        pfh.icmph.type = user_icmph.type; /* already checked */
+        pfh.icmph.code = user_icmph.code; /* ditto */
+        pfh.icmph.checksum = 0;
+        pfh.icmph.un.echo.id = inet->inet_sport;
+        pfh.icmph.un.echo.sequence = user_icmph.un.echo.sequence;
+        pfh.iov = msg->msg_iov;
+        pfh.wcheck = 0;
+        err = ip_append_data(sk, &fl4, ping_getfrag, &pfh, len,
+                        0, &ipc, &rt, msg->msg_flags);
+        if (err)
+                ip_flush_pending_frames(sk);
+        else
+                err = ping_push_pending_frames(sk, &pfh, &fl4);
+        release_sock(sk);
+out:
+        ip_rt_put(rt);
+        if (free)
+                kfree(ipc.opt);
+        if (!err) {
+                icmp_out_count(sock_net(sk), user_icmph.type);
+                return len;
+        }
+        return err;
+do_confirm:
+        dst_confirm(&rt->dst);
+        if (!(msg->msg_flags & MSG_PROBE) || len)
+                goto back_from_confirm;
+        err = 0;
+        goto out;
+}
+static int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
+                        size_t len, int noblock, int flags, int *addr_len)
+{
+        struct inet_sock *isk = inet_sk(sk);
+        struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name;
+        struct sk_buff *skb;
+        int copied, err;
+        pr_debug("ping_recvmsg(sk=%p,sk->num=%u)\n", isk, isk->inet_num);
+        if (flags & MSG_OOB)
+                goto out;
+        if (addr_len)
+                *addr_len = sizeof(*sin);
+        if (flags & MSG_ERRQUEUE)
+                return ip_recv_error(sk, msg, len);
+        skb = skb_recv_datagram(sk, flags, noblock, &err);
+        if (!skb)
+                goto out;
+        copied = skb->len;
+        if (copied > len) {
+                msg->msg_flags |= MSG_TRUNC;
+                copied = len;
+        }
+        /* Don't bother checking the checksum */
+        err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+        if (err)
+                goto done;
+        sock_recv_timestamp(msg, sk, skb);
+        /* Copy the address. */
+        if (sin) {
+                sin->sin_family = AF_INET;
+                sin->sin_port = 0 /* skb->h.uh->source */;
+                sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
+                memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
+        }
+        if (isk->cmsg_flags)
+                ip_cmsg_recv(msg, skb);
+        err = copied;
+done:
+        skb_free_datagram(sk, skb);
+out:
+        pr_debug("ping_recvmsg -> %d\n", err);
+        return err;
+}
+static int ping_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+{
+        pr_debug("ping_queue_rcv_skb(sk=%p,sk->num=%d,skb=%p)\n",
+                inet_sk(sk), inet_sk(sk)->inet_num, skb);
+        if (sock_queue_rcv_skb(sk, skb) < 0) {
+                ICMP_INC_STATS_BH(sock_net(sk), ICMP_MIB_INERRORS);
+                kfree_skb(skb);
+                pr_debug("ping_queue_rcv_skb -> failed\n");
+                return -1;
+        }
+        return 0;
+}
+/*
+ *      All we need to do is get the socket.
+ */
+void ping_rcv(struct sk_buff *skb)
+{
+        struct sock *sk;
+        struct net *net = dev_net(skb->dev);
+        struct iphdr *iph = ip_hdr(skb);
+        struct icmphdr *icmph = icmp_hdr(skb);
+        u32 saddr = iph->saddr;
+        u32 daddr = iph->daddr;
+        /* We assume the packet has already been checked by icmp_rcv */
+        pr_debug("ping_rcv(skb=%p,id=%04x,seq=%04x)\n",
+                skb, ntohs(icmph->un.echo.id), ntohs(icmph->un.echo.sequence));
+        /* Push ICMP header back */
+        skb_push(skb, skb->data - (u8 *)icmph);
+        sk = ping_v4_lookup(net, saddr, daddr, ntohs(icmph->un.echo.id),
+                            skb->dev->ifindex);
+        if (sk != NULL) {
+                pr_debug("rcv on socket %p\n", sk);
+                ping_queue_rcv_skb(sk, skb_get(skb));
+                sock_put(sk);
+                return;
+        }
+        pr_debug("no socket, dropping\n");
+        /* We're called from icmp_rcv(). kfree_skb() is done there. */
+}
+struct proto ping_prot = {
+        .name =         "PING",
+        .owner =        THIS_MODULE,
+        .init =         ping_init_sock,
+        .close =        ping_close,
+        .connect =      ip4_datagram_connect,
+        .disconnect =   udp_disconnect,
+        .setsockopt =   ip_setsockopt,
+        .getsockopt =   ip_getsockopt,
+        .sendmsg =      ping_sendmsg,
+        .recvmsg =      ping_recvmsg,
+        .bind =         ping_bind,
+        .backlog_rcv =  ping_queue_rcv_skb,
+        .hash =         ping_v4_hash,
+        .unhash =       ping_v4_unhash,
+        .get_port =     ping_v4_get_port,
+        .obj_size =     sizeof(struct inet_sock),
+};
+EXPORT_SYMBOL(ping_prot);
+#ifdef CONFIG_PROC_FS
+static struct sock *ping_get_first(struct seq_file *seq, int start)
+{
+        struct sock *sk;
+        struct ping_iter_state *state = seq->private;
+        struct net *net = seq_file_net(seq);
+        for (state->bucket = start; state->bucket < PING_HTABLE_SIZE;
+             ++state->bucket) {
+                struct hlist_nulls_node *node;
+                struct hlist_nulls_head *hslot;
+                hslot = &ping_table.hash[state->bucket];
+                if (hlist_nulls_empty(hslot))
+                        continue;
+                sk_nulls_for_each(sk, node, hslot) {
+                        if (net_eq(sock_net(sk), net))
+                                goto found;
+                }
+        }
+        sk = NULL;
+found:
+        return sk;
+}
+static struct sock *ping_get_next(struct seq_file *seq, struct sock *sk)
+{
+        struct ping_iter_state *state = seq->private;
+        struct net *net = seq_file_net(seq);
+        do {
+                sk = sk_nulls_next(sk);
+        } while (sk && (!net_eq(sock_net(sk), net)));
+        if (!sk)
+                return ping_get_first(seq, state->bucket + 1);
+        return sk;
+}
+static struct sock *ping_get_idx(struct seq_file *seq, loff_t pos)
+{
+        struct sock *sk = ping_get_first(seq, 0);
+        if (sk)
+                while (pos && (sk = ping_get_next(seq, sk)) != NULL)
+                        --pos;
+        return pos ? NULL : sk;
+}
+static void *ping_seq_start(struct seq_file *seq, loff_t *pos)
+{
+        struct ping_iter_state *state = seq->private;
+        state->bucket = 0;
+        read_lock_bh(&ping_table.lock);
+        return *pos ? ping_get_idx(seq, *pos-1) : SEQ_START_TOKEN;
+}
+static void *ping_seq_next(struct seq_file *seq, void *v, loff_t *pos)
+{
+        struct sock *sk;
+        if (v == SEQ_START_TOKEN)
+                sk = ping_get_idx(seq, 0);
+        else
+                sk = ping_get_next(seq, v);
+        ++*pos;
+        return sk;
+}
+static void ping_seq_stop(struct seq_file *seq, void *v)
+{
+        read_unlock_bh(&ping_table.lock);
+}
+static void ping_format_sock(struct sock *sp, struct seq_file *f,
+                int bucket, int *len)
+{
+        struct inet_sock *inet = inet_sk(sp);
+        __be32 dest = inet->inet_daddr;
+        __be32 src = inet->inet_rcv_saddr;
+        __u16 destp = ntohs(inet->inet_dport);
+        __u16 srcp = ntohs(inet->inet_sport);
+        seq_printf(f, "%5d: %08X:%04X %08X:%04X"
+                " %02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %d%n",
+                bucket, src, srcp, dest, destp, sp->sk_state,
+                sk_wmem_alloc_get(sp),
+                sk_rmem_alloc_get(sp),
+                0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
+                atomic_read(&sp->sk_refcnt), sp,
+                atomic_read(&sp->sk_drops), len);
+}
+static int ping_seq_show(struct seq_file *seq, void *v)
+{
+        if (v == SEQ_START_TOKEN)
+                seq_printf(seq, "%-127s\n",
+                           "  sl  local_address rem_address   st tx_queue "
+                           "rx_queue tr tm->when retrnsmt   uid  timeout "
+                           "inode ref pointer drops");
+        else {
+                struct ping_iter_state *state = seq->private;
+                int len;
+                ping_format_sock(v, seq, state->bucket, &len);
+                seq_printf(seq, "%*s\n", 127 - len, "");
+        }
+        return 0;
+}
+static const struct seq_operations ping_seq_ops = {
+        .show           = ping_seq_show,
+        .start          = ping_seq_start,
+        .next           = ping_seq_next,
+        .stop           = ping_seq_stop,
+};
+static int ping_seq_open(struct inode *inode, struct file *file)
+{
+        return seq_open_net(inode, file, &ping_seq_ops,
+                           sizeof(struct ping_iter_state));
+}
+static const struct file_operations ping_seq_fops = {
+        .open           = ping_seq_open,
+        .read           = seq_read,
+        .llseek         = seq_lseek,
+        .release        = seq_release_net,
+};
+static int ping_proc_register(struct net *net)
+{
+        struct proc_dir_entry *p;
+        int rc = 0;
+        p = proc_net_fops_create(net, "icmp", S_IRUGO, &ping_seq_fops);
+        if (!p)
+                rc = -ENOMEM;
+        return rc;
+}
+static void ping_proc_unregister(struct net *net)
+{
+        proc_net_remove(net, "icmp");
+}
+static int __net_init ping_proc_init_net(struct net *net)
+{
+        return ping_proc_register(net);
+}
+static void __net_exit ping_proc_exit_net(struct net *net)
+{
+        ping_proc_unregister(net);
+}
+static struct pernet_operations ping_net_ops = {
+        .init = ping_proc_init_net,
+        .exit = ping_proc_exit_net,
+};
+int __init ping_proc_init(void)
+{
+        return register_pernet_subsys(&ping_net_ops);
+}
+void ping_proc_exit(void)
+{
+        unregister_pernet_subsys(&ping_net_ops);
+}
+#endif
+void __init ping_init(void)
+{
+        int i;
+        for (i = 0; i < PING_HTABLE_SIZE; i++)
+                INIT_HLIST_NULLS_HEAD(&ping_table.hash[i], i);
+        rwlock_init(&ping_table.lock);
+}
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 6390ba299b3d..11e1780455f2 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -154,7 +154,7 @@ static __inline__ int icmp_filter(struct sock *sk, struct sk_buff *skb)
 * RFC 1122: SHOULD pass TOS value up to the transport layer.
 * -> It does. And not only TOS, but all IP header.
 */
-static int raw_v4_input(struct sk_buff *skb, struct iphdr *iph, int hash)
+static int raw_v4_input(struct sk_buff *skb, const struct iphdr *iph, int hash)
 {
        struct sock *sk;
        struct hlist_head *head;
@@ -247,7 +247,7 @@ static void raw_err(struct sock *sk, struct sk_buff *skb, u32 info)
        }
        if (inet->recverr) {
-                struct iphdr *iph = (struct iphdr *)skb->data;
+                const struct iphdr *iph = (const struct iphdr *)skb->data;
                u8 *payload = skb->data + (iph->ihl << 2);
                if (inet->hdrincl)
@@ -265,7 +265,7 @@ void raw_icmp_error(struct sk_buff *skb, int protocol, u32 info)
 {
        int hash;
        struct sock *raw_sk;
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct net *net;
        hash = protocol & (RAW_HTABLE_SIZE - 1);
@@ -273,7 +273,7 @@ void raw_icmp_error(struct sk_buff *skb, int protocol, u32 info)
        read_lock(&raw_v4_hashinfo.lock);
        raw_sk = sk_head(&raw_v4_hashinfo.ht[hash]);
        if (raw_sk != NULL) {
-                iph = (struct iphdr *)skb->data;
+                iph = (const struct iphdr *)skb->data;
                net = dev_net(skb->dev);
                while ((raw_sk = __raw_v4_lookup(net, raw_sk, protocol,
@@ -281,7 +281,7 @@ void raw_icmp_error(struct sk_buff *skb, int protocol, u32 info)
                                                skb->dev->ifindex)) != NULL) {
                        raw_err(raw_sk, skb, info);
                        raw_sk = sk_next(raw_sk);
-                        iph = (struct iphdr *)skb->data;
+                        iph = (const struct iphdr *)skb->data;
                }
        }
        read_unlock(&raw_v4_hashinfo.lock);
@@ -314,9 +314,10 @@ int raw_rcv(struct sock *sk, struct sk_buff *skb)
        return 0;
 }
-static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
+static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
-                        struct rtable **rtp,
+                           void *from, size_t length,
-                        unsigned int flags)
+                           struct rtable **rtp,
+                           unsigned int flags)
 {
        struct inet_sock *inet = inet_sk(sk);
        struct net *net = sock_net(sk);
@@ -327,7 +328,7 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
        struct rtable *rt = *rtp;
        if (length > rt->dst.dev->mtu) {
-                ip_local_error(sk, EMSGSIZE, rt->rt_dst, inet->inet_dport,
+                ip_local_error(sk, EMSGSIZE, fl4->daddr, inet->inet_dport,
                               rt->dst.dev->mtu);
                return -EMSGSIZE;
        }
@@ -372,7 +373,7 @@ static int raw_send_hdrinc(struct sock *sk, void *from, size_t length,
        if (iphlen >= sizeof(*iph)) {
                if (!iph->saddr)
-                        iph->saddr = rt->rt_src;
+                        iph->saddr = fl4->saddr;
                iph->check   = 0;
                iph->tot_len = htons(length);
                if (!iph->id)
@@ -402,7 +403,7 @@ error:
        return err;
 }
-static int raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
+static int raw_probe_proto_opt(struct flowi4 *fl4, struct msghdr *msg)
 {
        struct iovec *iov;
        u8 __user *type = NULL;
@@ -418,7 +419,7 @@ static int raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                if (!iov)
                        continue;
-                switch (fl->proto) {
+                switch (fl4->flowi4_proto) {
                case IPPROTO_ICMP:
                        /* check if one-byte field is readable or not. */
                        if (iov->iov_base && iov->iov_len < 1)
@@ -433,8 +434,8 @@ static int raw_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                                code = iov->iov_base;
                        if (type && code) {
-                                if (get_user(fl->fl_icmp_type, type) ||
+                                if (get_user(fl4->fl4_icmp_type, type) ||
-                                    get_user(fl->fl_icmp_code, code))
+                                    get_user(fl4->fl4_icmp_code, code))
                                        return -EFAULT;
                                probed = 1;
                        }
@@ -455,11 +456,13 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
        struct inet_sock *inet = inet_sk(sk);
        struct ipcm_cookie ipc;
        struct rtable *rt = NULL;
+        struct flowi4 fl4;
        int free = 0;
        __be32 daddr;
        __be32 saddr;
        u8  tos;
        int err;
+        struct ip_options_data opt_copy;
        err = -EMSGSIZE;
        if (len > 0xFFFF)
@@ -520,8 +523,18 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
        saddr = ipc.addr;
        ipc.addr = daddr;
-        if (!ipc.opt)
+        if (!ipc.opt) {
-                ipc.opt = inet->opt;
+                struct ip_options_rcu *inet_opt;
+                rcu_read_lock();
+                inet_opt = rcu_dereference(inet->inet_opt);
+                if (inet_opt) {
+                        memcpy(&opt_copy, inet_opt,
+                               sizeof(*inet_opt) + inet_opt->opt.optlen);
+                        ipc.opt = &opt_copy.opt;
+                }
+                rcu_read_unlock();
+        }
        if (ipc.opt) {
                err = -EINVAL;
@@ -530,10 +543,10 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                 */
                if (inet->hdrincl)
                        goto done;
-                if (ipc.opt->srr) {
+                if (ipc.opt->opt.srr) {
                        if (!daddr)
                                goto done;
-                        daddr = ipc.opt->faddr;
+                        daddr = ipc.opt->opt.faddr;
                }
        }
        tos = RT_CONN_FLAGS(sk);
@@ -547,26 +560,24 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                        saddr = inet->mc_addr;
        }
-        {
+        flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
-                struct flowi fl = { .oif = ipc.oif,
+                           RT_SCOPE_UNIVERSE,
-                                    .mark = sk->sk_mark,
+                           inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
-                                    .fl4_dst = daddr,
+                           FLOWI_FLAG_CAN_SLEEP, daddr, saddr, 0, 0);
-                                    .fl4_src = saddr,
-                                    .fl4_tos = tos,
-                                    .proto = inet->hdrincl ? IPPROTO_RAW :
-                                                             sk->sk_protocol,
-                                  };
-                if (!inet->hdrincl) {
-                        err = raw_probe_proto_opt(&fl, msg);
-                        if (err)
-                                goto done;
-                }
-                security_sk_classify_flow(sk, &fl);
+        if (!inet->hdrincl) {
-                err = ip_route_output_flow(sock_net(sk), &rt, &fl, sk, 1);
+                err = raw_probe_proto_opt(&fl4, msg);
+                if (err)
+                        goto done;
        }
-        if (err)
+        security_sk_classify_flow(sk, flowi4_to_flowi(&fl4));
+        rt = ip_route_output_flow(sock_net(sk), &fl4, sk);
+        if (IS_ERR(rt)) {
+                err = PTR_ERR(rt);
+                rt = NULL;
                goto done;
+        }
        err = -EACCES;
        if (rt->rt_flags & RTCF_BROADCAST && !sock_flag(sk, SOCK_BROADCAST))
@@ -577,19 +588,20 @@ static int raw_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
 back_from_confirm:
        if (inet->hdrincl)
-                err = raw_send_hdrinc(sk, msg->msg_iov, len,
+                err = raw_send_hdrinc(sk, &fl4, msg->msg_iov, len,
-                                        &rt, msg->msg_flags);
+                                      &rt, msg->msg_flags);
         else {
                if (!ipc.addr)
-                        ipc.addr = rt->rt_dst;
+                        ipc.addr = fl4.daddr;
                lock_sock(sk);
-                err = ip_append_data(sk, ip_generic_getfrag, msg->msg_iov, len, 0,
+                err = ip_append_data(sk, &fl4, ip_generic_getfrag,
-                                        &ipc, &rt, msg->msg_flags);
+                                     msg->msg_iov, len, 0,
+                                     &ipc, &rt, msg->msg_flags);
                if (err)
                        ip_flush_pending_frames(sk);
                else if (!(msg->msg_flags & MSG_MORE)) {
-                        err = ip_push_pending_frames(sk);
+                        err = ip_push_pending_frames(sk, &fl4);
                        if (err == -ENOBUFS && !inet->recverr)
                                err = 0;
                }
@@ -616,7 +628,7 @@ do_confirm:
 static void raw_close(struct sock *sk, long timeout)
 {
        /*
-         * Raw sockets may have direct kernel refereneces. Kill them.
+         * Raw sockets may have direct kernel references. Kill them.
         */
        ip_ra_control(sk, 0, NULL);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 6ed6603c2f6d..b24d58e6bbcd 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -109,8 +109,8 @@
 #include <linux/sysctl.h>
 #endif
-#define RT_FL_TOS(oldflp) \
+#define RT_FL_TOS(oldflp4) \
-    ((u32)(oldflp->fl4_tos & (IPTOS_RT_MASK | RTO_ONLINK)))
+    ((u32)(oldflp4->flowi4_tos & (IPTOS_RT_MASK | RTO_ONLINK)))
 #define IP_MAX_MTU      0xFFF0
@@ -131,9 +131,6 @@ static int ip_rt_min_pmtu __read_mostly		= 512 + 20 + 20;
 static int ip_rt_min_advmss __read_mostly       = 256;
 static int rt_chain_length_max __read_mostly    = 20;
-static struct delayed_work expires_work;
-static unsigned long expires_ljiffies;
 /*
 *      Interface to generic destination cache.
 */
@@ -152,6 +149,41 @@ static void ipv4_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
 {
 }
+static u32 *ipv4_cow_metrics(struct dst_entry *dst, unsigned long old)
+{
+        struct rtable *rt = (struct rtable *) dst;
+        struct inet_peer *peer;
+        u32 *p = NULL;
+        if (!rt->peer)
+                rt_bind_peer(rt, rt->rt_dst, 1);
+        peer = rt->peer;
+        if (peer) {
+                u32 *old_p = __DST_METRICS_PTR(old);
+                unsigned long prev, new;
+                p = peer->metrics;
+                if (inet_metrics_new(peer))
+                        memcpy(p, old_p, sizeof(u32) * RTAX_MAX);
+                new = (unsigned long) p;
+                prev = cmpxchg(&dst->_metrics, old, new);
+                if (prev != old) {
+                        p = __DST_METRICS_PTR(prev);
+                        if (prev & DST_METRICS_READ_ONLY)
+                                p = NULL;
+                } else {
+                        if (rt->fi) {
+                                fib_info_put(rt->fi);
+                                rt->fi = NULL;
+                        }
+                }
+        }
+        return p;
+}
 static struct dst_ops ipv4_dst_ops = {
        .family =               AF_INET,
        .protocol =             cpu_to_be16(ETH_P_IP),
@@ -159,6 +191,7 @@ static struct dst_ops ipv4_dst_ops = {
        .check =                ipv4_dst_check,
        .default_advmss =       ipv4_default_advmss,
        .default_mtu =          ipv4_default_mtu,
+        .cow_metrics =          ipv4_cow_metrics,
        .destroy =              ipv4_dst_destroy,
        .ifdown =               ipv4_dst_ifdown,
        .negative_advice =      ipv4_negative_advice,
@@ -171,7 +204,7 @@ static struct dst_ops ipv4_dst_ops = {
 const __u8 ip_tos2prio[16] = {
        TC_PRIO_BESTEFFORT,
-        ECN_OR_COST(FILLER),
+        ECN_OR_COST(BESTEFFORT),
        TC_PRIO_BESTEFFORT,
        ECN_OR_COST(BESTEFFORT),
        TC_PRIO_BULK,
@@ -391,7 +424,7 @@ static int rt_cache_seq_show(struct seq_file *seq, void *v)
                        dst_metric(&r->dst, RTAX_WINDOW),
                        (int)((dst_metric(&r->dst, RTAX_RTT) >> 3) +
                              dst_metric(&r->dst, RTAX_RTTVAR)),
-                        r->fl.fl4_tos,
+                        r->rt_key_tos,
                        r->dst.hh ? atomic_read(&r->dst.hh->hh_refcnt) : -1,
                        r->dst.hh ? (r->dst.hh->hh_output ==
                                       dev_queue_xmit) : 0,
@@ -514,7 +547,7 @@ static const struct file_operations rt_cpu_seq_fops = {
        .release = seq_release,
 };
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
 static int rt_acct_proc_show(struct seq_file *m, void *v)
 {
        struct ip_rt_acct *dst, *src;
@@ -567,14 +600,14 @@ static int __net_init ip_rt_do_proc_init(struct net *net)
        if (!pde)
                goto err2;
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
        pde = proc_create("rt_acct", 0, net->proc_net, &rt_acct_proc_fops);
        if (!pde)
                goto err3;
 #endif
        return 0;
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
 err3:
        remove_proc_entry("rt_cache", net->proc_net_stat);
 #endif
@@ -588,7 +621,7 @@ static void __net_exit ip_rt_do_proc_exit(struct net *net)
 {
        remove_proc_entry("rt_cache", net->proc_net_stat);
        remove_proc_entry("rt_cache", net->proc_net);
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
        remove_proc_entry("rt_acct", net->proc_net);
 #endif
 }
@@ -632,7 +665,7 @@ static inline int rt_fast_clean(struct rtable *rth)
 static inline int rt_valuable(struct rtable *rth)
 {
        return (rth->rt_flags & (RTCF_REDIRECTED | RTCF_NOTIFY)) ||
-                rth->dst.expires;
+                (rth->peer && rth->peer->pmtu_expires);
 }
 static int rt_may_expire(struct rtable *rth, unsigned long tmo1, unsigned long tmo2)
@@ -643,13 +676,7 @@ static int rt_may_expire(struct rtable *rth, unsigned long tmo1, unsigned long t
        if (atomic_read(&rth->dst.__refcnt))
                goto out;
-        ret = 1;
-        if (rth->dst.expires &&
-            time_after_eq(jiffies, rth->dst.expires))
-                goto out;
        age = jiffies - rth->dst.lastuse;
-        ret = 0;
        if ((age <= tmo1 && !rt_fast_clean(rth)) ||
            (age <= tmo2 && rt_valuable(rth)))
                goto out;
@@ -684,22 +711,22 @@ static inline bool rt_caching(const struct net *net)
                net->ipv4.sysctl_rt_cache_rebuild_count;
 }
-static inline bool compare_hash_inputs(const struct flowi *fl1,
+static inline bool compare_hash_inputs(const struct rtable *rt1,
-                                        const struct flowi *fl2)
+                                       const struct rtable *rt2)
 {
-        return ((((__force u32)fl1->fl4_dst ^ (__force u32)fl2->fl4_dst) |
+        return ((((__force u32)rt1->rt_key_dst ^ (__force u32)rt2->rt_key_dst) |
-                ((__force u32)fl1->fl4_src ^ (__force u32)fl2->fl4_src) |
+                ((__force u32)rt1->rt_key_src ^ (__force u32)rt2->rt_key_src) |
-                (fl1->iif ^ fl2->iif)) == 0);
+                (rt1->rt_iif ^ rt2->rt_iif)) == 0);
 }
-static inline int compare_keys(struct flowi *fl1, struct flowi *fl2)
+static inline int compare_keys(struct rtable *rt1, struct rtable *rt2)
 {
-        return (((__force u32)fl1->fl4_dst ^ (__force u32)fl2->fl4_dst) |
+        return (((__force u32)rt1->rt_key_dst ^ (__force u32)rt2->rt_key_dst) |
-                ((__force u32)fl1->fl4_src ^ (__force u32)fl2->fl4_src) |
+                ((__force u32)rt1->rt_key_src ^ (__force u32)rt2->rt_key_src) |
-                (fl1->mark ^ fl2->mark) |
+                (rt1->rt_mark ^ rt2->rt_mark) |
-                (*(u16 *)&fl1->fl4_tos ^ *(u16 *)&fl2->fl4_tos) |
+                (rt1->rt_key_tos ^ rt2->rt_key_tos) |
-                (fl1->oif ^ fl2->oif) |
+                (rt1->rt_oif ^ rt2->rt_oif) |
-                (fl1->iif ^ fl2->iif)) == 0;
+                (rt1->rt_iif ^ rt2->rt_iif)) == 0;
 }
 static inline int compare_netns(struct rtable *rt1, struct rtable *rt2)
@@ -786,106 +813,15 @@ static int has_noalias(const struct rtable *head, const struct rtable *rth)
        const struct rtable *aux = head;
        while (aux != rth) {
-                if (compare_hash_inputs(&aux->fl, &rth->fl))
+                if (compare_hash_inputs(aux, rth))
                        return 0;
                aux = rcu_dereference_protected(aux->dst.rt_next, 1);
        }
        return ONE;
 }
-static void rt_check_expire(void)
-{
-        static unsigned int rover;
-        unsigned int i = rover, goal;
-        struct rtable *rth;
-        struct rtable __rcu **rthp;
-        unsigned long samples = 0;
-        unsigned long sum = 0, sum2 = 0;
-        unsigned long delta;
-        u64 mult;
-        delta = jiffies - expires_ljiffies;
-        expires_ljiffies = jiffies;
-        mult = ((u64)delta) << rt_hash_log;
-        if (ip_rt_gc_timeout > 1)
-                do_div(mult, ip_rt_gc_timeout);
-        goal = (unsigned int)mult;
-        if (goal > rt_hash_mask)
-                goal = rt_hash_mask + 1;
-        for (; goal > 0; goal--) {
-                unsigned long tmo = ip_rt_gc_timeout;
-                unsigned long length;
-                i = (i + 1) & rt_hash_mask;
-                rthp = &rt_hash_table[i].chain;
-                if (need_resched())
-                        cond_resched();
-                samples++;
-                if (rcu_dereference_raw(*rthp) == NULL)
-                        continue;
-                length = 0;
-                spin_lock_bh(rt_hash_lock_addr(i));
-                while ((rth = rcu_dereference_protected(*rthp,
-                                        lockdep_is_held(rt_hash_lock_addr(i)))) != NULL) {
-                        prefetch(rth->dst.rt_next);
-                        if (rt_is_expired(rth)) {
-                                *rthp = rth->dst.rt_next;
-                                rt_free(rth);
-                                continue;
-                        }
-                        if (rth->dst.expires) {
-                                /* Entry is expired even if it is in use */
-                                if (time_before_eq(jiffies, rth->dst.expires)) {
-nofree:
-                                        tmo >>= 1;
-                                        rthp = &rth->dst.rt_next;
-                                        /*
-                                         * We only count entries on
-                                         * a chain with equal hash inputs once
-                                         * so that entries for different QOS
-                                         * levels, and other non-hash input
-                                         * attributes don't unfairly skew
-                                         * the length computation
-                                         */
-                                        length += has_noalias(rt_hash_table[i].chain, rth);
-                                        continue;
-                                }
-                        } else if (!rt_may_expire(rth, tmo, ip_rt_gc_timeout))
-                                goto nofree;
-                        /* Cleanup aged off entries. */
-                        *rthp = rth->dst.rt_next;
-                        rt_free(rth);
-                }
-                spin_unlock_bh(rt_hash_lock_addr(i));
-                sum += length;
-                sum2 += length*length;
-        }
-        if (samples) {
-                unsigned long avg = sum / samples;
-                unsigned long sd = int_sqrt(sum2 / samples - avg*avg);
-                rt_chain_length_max = max_t(unsigned long,
-                                        ip_rt_gc_elasticity,
-                                        (avg + 4*sd) >> FRACT_BITS);
-        }
-        rover = i;
-}
 /*
- * rt_worker_func() is run in process context.
+ * Perturbation of rt_genid by a small quantity [1..256]
- * we call rt_check_expire() to scan part of the hash table
- */
-static void rt_worker_func(struct work_struct *work)
-{
-        rt_check_expire();
-        schedule_delayed_work(&expires_work, ip_rt_gc_interval);
-}
-/*
- * Pertubation of rt_genid by a small quantity [1..256]
 * Using 8 bits of shuffling ensure we can call rt_cache_invalidate()
 * many times (2^24) without giving recent rt_genid.
 * Jenkins hash is strong enough that litle changes of rt_genid are OK.
@@ -1032,10 +968,6 @@ static int rt_garbage_collect(struct dst_ops *ops)
                        break;
                expire >>= 1;
-#if RT_CACHE_DEBUG >= 2
-                printk(KERN_DEBUG "expire>> %u %d %d %d\n", expire,
-                                dst_entries_get_fast(&ipv4_dst_ops), goal, i);
-#endif
                if (dst_entries_get_fast(&ipv4_dst_ops) < ip_rt_max_size)
                        goto out;
@@ -1056,10 +988,6 @@ work_done:
            dst_entries_get_fast(&ipv4_dst_ops) < ipv4_dst_ops.gc_thresh ||
            dst_entries_get_slow(&ipv4_dst_ops) < ipv4_dst_ops.gc_thresh)
                expire = ip_rt_gc_timeout;
-#if RT_CACHE_DEBUG >= 2
-        printk(KERN_DEBUG "expire++ %u %d %d %d\n", expire,
-                        dst_entries_get_fast(&ipv4_dst_ops), goal, rover);
-#endif
 out:    return 0;
 }
@@ -1078,8 +1006,8 @@ static int slow_chain_length(const struct rtable *head)
        return length >> FRACT_BITS;
 }
-static int rt_intern_hash(unsigned hash, struct rtable *rt,
+static struct rtable *rt_intern_hash(unsigned hash, struct rtable *rt,
-                          struct rtable **rp, struct sk_buff *skb, int ifindex)
+                                     struct sk_buff *skb, int ifindex)
 {
        struct rtable   *rth, *cand;
        struct rtable __rcu **rthp, **candp;
@@ -1120,7 +1048,7 @@ restart:
                                        printk(KERN_WARNING
                                            "Neighbour table failure & not caching routes.\n");
                                ip_rt_put(rt);
-                                return err;
+                                return ERR_PTR(err);
                        }
                }
@@ -1137,7 +1065,7 @@ restart:
                        rt_free(rth);
                        continue;
                }
-                if (compare_keys(&rth->fl, &rt->fl) && compare_netns(rth, rt)) {
+                if (compare_keys(rth, rt) && compare_netns(rth, rt)) {
                        /* Put it first */
                        *rthp = rth->dst.rt_next;
                        /*
@@ -1157,11 +1085,9 @@ restart:
                        spin_unlock_bh(rt_hash_lock_addr(hash));
                        rt_drop(rt);
-                        if (rp)
+                        if (skb)
-                                *rp = rth;
-                        else
                                skb_dst_set(skb, &rth->dst);
-                        return 0;
+                        return rth;
                }
                if (!atomic_read(&rth->dst.__refcnt)) {
@@ -1202,7 +1128,7 @@ restart:
                        rt_emergency_hash_rebuild(net);
                        spin_unlock_bh(rt_hash_lock_addr(hash));
-                        hash = rt_hash(rt->fl.fl4_dst, rt->fl.fl4_src,
+                        hash = rt_hash(rt->rt_key_dst, rt->rt_key_src,
                                        ifindex, rt_genid(net));
                        goto restart;
                }
@@ -1218,7 +1144,7 @@ restart:
                        if (err != -ENOBUFS) {
                                rt_drop(rt);
-                                return err;
+                                return ERR_PTR(err);
                        }
                        /* Neighbour tables are full and nothing
@@ -1239,25 +1165,15 @@ restart:
                        if (net_ratelimit())
                                printk(KERN_WARNING "ipv4: Neighbour table overflow.\n");
                        rt_drop(rt);
-                        return -ENOBUFS;
+                        return ERR_PTR(-ENOBUFS);
                }
        }
        rt->dst.rt_next = rt_hash_table[hash].chain;
-#if RT_CACHE_DEBUG >= 2
-        if (rt->dst.rt_next) {
-                struct rtable *trt;
-                printk(KERN_DEBUG "rt_cache @%02x: %pI4",
-                       hash, &rt->rt_dst);
-                for (trt = rt->dst.rt_next; trt; trt = trt->dst.rt_next)
-                        printk(" . %pI4", &trt->rt_dst);
-                printk("\n");
-        }
-#endif
        /*
         * Since lookup is lockfree, we must make sure
-         * previous writes to rt are comitted to memory
+         * previous writes to rt are committed to memory
         * before making rt visible to other CPUS.
         */
        rcu_assign_pointer(rt_hash_table[hash].chain, rt);
@@ -1265,21 +1181,28 @@ restart:
        spin_unlock_bh(rt_hash_lock_addr(hash));
 skip_hashing:
-        if (rp)
+        if (skb)
-                *rp = rt;
-        else
                skb_dst_set(skb, &rt->dst);
-        return 0;
+        return rt;
+}
+static atomic_t __rt_peer_genid = ATOMIC_INIT(0);
+static u32 rt_peer_genid(void)
+{
+        return atomic_read(&__rt_peer_genid);
 }
-void rt_bind_peer(struct rtable *rt, int create)
+void rt_bind_peer(struct rtable *rt, __be32 daddr, int create)
 {
        struct inet_peer *peer;
-        peer = inet_getpeer_v4(rt->rt_dst, create);
+        peer = inet_getpeer_v4(daddr, create);
        if (peer && cmpxchg(&rt->peer, NULL, peer) != NULL)
                inet_putpeer(peer);
+        else
+                rt->rt_peer_genid = rt_peer_genid();
 }
 /*
@@ -1308,7 +1231,7 @@ void __ip_select_ident(struct iphdr *iph, struct dst_entry *dst, int more)
        if (rt) {
                if (rt->peer == NULL)
-                        rt_bind_peer(rt, 1);
+                        rt_bind_peer(rt, rt->rt_dst, 1);
                /* If peer is attached to destination, it is never detached,
                   so that we need not to grab a lock to dereference it.
@@ -1349,13 +1272,8 @@ static void rt_del(unsigned hash, struct rtable *rt)
 void ip_rt_redirect(__be32 old_gw, __be32 daddr, __be32 new_gw,
                    __be32 saddr, struct net_device *dev)
 {
-        int i, k;
        struct in_device *in_dev = __in_dev_get_rcu(dev);
-        struct rtable *rth;
+        struct inet_peer *peer;
-        struct rtable __rcu **rthp;
-        __be32  skeys[2] = { saddr, 0 };
-        int  ikeys[2] = { dev->ifindex, 0 };
-        struct netevent_redirect netevent;
        struct net *net;
        if (!in_dev)
@@ -1367,9 +1285,6 @@ void ip_rt_redirect(__be32 old_gw, __be32 daddr, __be32 new_gw,
            ipv4_is_zeronet(new_gw))
                goto reject_redirect;
-        if (!rt_caching(net))
-                goto reject_redirect;
        if (!IN_DEV_SHARED_MEDIA(in_dev)) {
                if (!inet_addr_onlink(in_dev, new_gw, old_gw))
                        goto reject_redirect;
@@ -1380,91 +1295,13 @@ void ip_rt_redirect(__be32 old_gw, __be32 daddr, __be32 new_gw,
                        goto reject_redirect;
        }
-        for (i = 0; i < 2; i++) {
+        peer = inet_getpeer_v4(daddr, 1);
-                for (k = 0; k < 2; k++) {
+        if (peer) {
-                        unsigned hash = rt_hash(daddr, skeys[i], ikeys[k],
+                peer->redirect_learned.a4 = new_gw;
-                                                rt_genid(net));
-                        rthp = &rt_hash_table[hash].chain;
-                        while ((rth = rcu_dereference(*rthp)) != NULL) {
-                                struct rtable *rt;
-                                if (rth->fl.fl4_dst != daddr ||
-                                    rth->fl.fl4_src != skeys[i] ||
-                                    rth->fl.oif != ikeys[k] ||
-                                    rt_is_input_route(rth) ||
-                                    rt_is_expired(rth) ||
-                                    !net_eq(dev_net(rth->dst.dev), net)) {
-                                        rthp = &rth->dst.rt_next;
-                                        continue;
-                                }
-                                if (rth->rt_dst != daddr ||
-                                    rth->rt_src != saddr ||
-                                    rth->dst.error ||
-                                    rth->rt_gateway != old_gw ||
-                                    rth->dst.dev != dev)
-                                        break;
-                                dst_hold(&rth->dst);
-                                rt = dst_alloc(&ipv4_dst_ops);
-                                if (rt == NULL) {
-                                        ip_rt_put(rth);
-                                        return;
-                                }
-                                /* Copy all the information. */
-                                *rt = *rth;
-                                rt->dst.__use           = 1;
-                                atomic_set(&rt->dst.__refcnt, 1);
-                                rt->dst.child           = NULL;
-                                if (rt->dst.dev)
-                                        dev_hold(rt->dst.dev);
-                                rt->dst.obsolete        = -1;
-                                rt->dst.lastuse = jiffies;
-                                rt->dst.path            = &rt->dst;
-                                rt->dst.neighbour       = NULL;
-                                rt->dst.hh              = NULL;
-#ifdef CONFIG_XFRM
-                                rt->dst.xfrm            = NULL;
-#endif
-                                rt->rt_genid            = rt_genid(net);
-                                rt->rt_flags            |= RTCF_REDIRECTED;
-                                /* Gateway is different ... */
-                                rt->rt_gateway          = new_gw;
-                                /* Redirect received -> path was valid */
-                                dst_confirm(&rth->dst);
-                                if (rt->peer)
-                                        atomic_inc(&rt->peer->refcnt);
-                                if (arp_bind_neighbour(&rt->dst) ||
-                                    !(rt->dst.neighbour->nud_state &
-                                            NUD_VALID)) {
-                                        if (rt->dst.neighbour)
-                                                neigh_event_send(rt->dst.neighbour, NULL);
-                                        ip_rt_put(rth);
-                                        rt_drop(rt);
-                                        goto do_next;
-                                }
-                                netevent.old = &rth->dst;
+                inet_putpeer(peer);
-                                netevent.new = &rt->dst;
-                                call_netevent_notifiers(NETEVENT_REDIRECT,
-                                                        &netevent);
-                                rt_del(hash, rth);
+                atomic_inc(&__rt_peer_genid);
-                                if (!rt_intern_hash(hash, rt, &rt, NULL, rt->fl.oif))
-                                        ip_rt_put(rt);
-                                goto do_next;
-                        }
-                do_next:
-                        ;
-                }
        }
        return;
@@ -1488,18 +1325,20 @@ static struct dst_entry *ipv4_negative_advice(struct dst_entry *dst)
                if (dst->obsolete > 0) {
                        ip_rt_put(rt);
                        ret = NULL;
-                } else if ((rt->rt_flags & RTCF_REDIRECTED) ||
+                } else if (rt->rt_flags & RTCF_REDIRECTED) {
-                           (rt->dst.expires &&
+                        unsigned hash = rt_hash(rt->rt_key_dst, rt->rt_key_src,
-                            time_after_eq(jiffies, rt->dst.expires))) {
+                                                rt->rt_oif,
-                        unsigned hash = rt_hash(rt->fl.fl4_dst, rt->fl.fl4_src,
-                                                rt->fl.oif,
                                                rt_genid(dev_net(dst->dev)));
-#if RT_CACHE_DEBUG >= 1
-                        printk(KERN_DEBUG "ipv4_negative_advice: redirect to %pI4/%02x dropped\n",
-                                &rt->rt_dst, rt->fl.fl4_tos);
-#endif
                        rt_del(hash, rt);
                        ret = NULL;
+                } else if (rt->peer &&
+                           rt->peer->pmtu_expires &&
+                           time_after_eq(jiffies, rt->peer->pmtu_expires)) {
+                        unsigned long orig = rt->peer->pmtu_expires;
+                        if (cmpxchg(&rt->peer->pmtu_expires, orig, 0) == orig)
+                                dst_metric_set(dst, RTAX_MTU,
+                                               rt->peer->pmtu_orig);
                }
        }
        return ret;
@@ -1525,6 +1364,7 @@ void ip_rt_send_redirect(struct sk_buff *skb)
 {
        struct rtable *rt = skb_rtable(skb);
        struct in_device *in_dev;
+        struct inet_peer *peer;
        int log_martians;
        rcu_read_lock();
@@ -1536,36 +1376,44 @@ void ip_rt_send_redirect(struct sk_buff *skb)
        log_martians = IN_DEV_LOG_MARTIANS(in_dev);
        rcu_read_unlock();
+        if (!rt->peer)
+                rt_bind_peer(rt, rt->rt_dst, 1);
+        peer = rt->peer;
+        if (!peer) {
+                icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, rt->rt_gateway);
+                return;
+        }
        /* No redirected packets during ip_rt_redirect_silence;
         * reset the algorithm.
         */
-        if (time_after(jiffies, rt->dst.rate_last + ip_rt_redirect_silence))
+        if (time_after(jiffies, peer->rate_last + ip_rt_redirect_silence))
-                rt->dst.rate_tokens = 0;
+                peer->rate_tokens = 0;
        /* Too many ignored redirects; do not send anything
         * set dst.rate_last to the last seen redirected packet.
         */
-        if (rt->dst.rate_tokens >= ip_rt_redirect_number) {
+        if (peer->rate_tokens >= ip_rt_redirect_number) {
-                rt->dst.rate_last = jiffies;
+                peer->rate_last = jiffies;
                return;
        }
        /* Check for load limit; set rate_last to the latest sent
         * redirect.
         */
-        if (rt->dst.rate_tokens == 0 ||
+        if (peer->rate_tokens == 0 ||
            time_after(jiffies,
-                       (rt->dst.rate_last +
+                       (peer->rate_last +
-                        (ip_rt_redirect_load << rt->dst.rate_tokens)))) {
+                        (ip_rt_redirect_load << peer->rate_tokens)))) {
                icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, rt->rt_gateway);
-                rt->dst.rate_last = jiffies;
+                peer->rate_last = jiffies;
-                ++rt->dst.rate_tokens;
+                ++peer->rate_tokens;
 #ifdef CONFIG_IP_ROUTE_VERBOSE
                if (log_martians &&
-                    rt->dst.rate_tokens == ip_rt_redirect_number &&
+                    peer->rate_tokens == ip_rt_redirect_number &&
                    net_ratelimit())
                        printk(KERN_WARNING "host %pI4/if%d ignores redirects for %pI4 to %pI4.\n",
-                                &rt->rt_src, rt->rt_iif,
+                               &ip_hdr(skb)->saddr, rt->rt_iif,
                                &rt->rt_dst, &rt->rt_gateway);
 #endif
        }
@@ -1574,7 +1422,9 @@ void ip_rt_send_redirect(struct sk_buff *skb)
 static int ip_error(struct sk_buff *skb)
 {
        struct rtable *rt = skb_rtable(skb);
+        struct inet_peer *peer;
        unsigned long now;
+        bool send;
        int code;
        switch (rt->dst.error) {
@@ -1594,15 +1444,24 @@ static int ip_error(struct sk_buff *skb)
                        break;
        }
-        now = jiffies;
+        if (!rt->peer)
-        rt->dst.rate_tokens += now - rt->dst.rate_last;
+                rt_bind_peer(rt, rt->rt_dst, 1);
-        if (rt->dst.rate_tokens > ip_rt_error_burst)
+        peer = rt->peer;
-                rt->dst.rate_tokens = ip_rt_error_burst;
-        rt->dst.rate_last = now;
+        send = true;
-        if (rt->dst.rate_tokens >= ip_rt_error_cost) {
+        if (peer) {
-                rt->dst.rate_tokens -= ip_rt_error_cost;
+                now = jiffies;
-                icmp_send(skb, ICMP_DEST_UNREACH, code, 0);
+                peer->rate_tokens += now - peer->rate_last;
+                if (peer->rate_tokens > ip_rt_error_burst)
+                        peer->rate_tokens = ip_rt_error_burst;
+                peer->rate_last = now;
+                if (peer->rate_tokens >= ip_rt_error_cost)
+                        peer->rate_tokens -= ip_rt_error_cost;
+                else
+                        send = false;
        }
+        if (send)
+                icmp_send(skb, ICMP_DEST_UNREACH, code, 0);
 out:    kfree_skb(skb);
        return 0;
@@ -1626,92 +1485,144 @@ static inline unsigned short guess_mtu(unsigned short old_mtu)
        return 68;
 }
-unsigned short ip_rt_frag_needed(struct net *net, struct iphdr *iph,
+unsigned short ip_rt_frag_needed(struct net *net, const struct iphdr *iph,
                                 unsigned short new_mtu,
                                 struct net_device *dev)
 {
-        int i, k;
        unsigned short old_mtu = ntohs(iph->tot_len);
-        struct rtable *rth;
-        int  ikeys[2] = { dev->ifindex, 0 };
-        __be32  skeys[2] = { iph->saddr, 0, };
-        __be32  daddr = iph->daddr;
        unsigned short est_mtu = 0;
+        struct inet_peer *peer;
-        for (k = 0; k < 2; k++) {
+        peer = inet_getpeer_v4(iph->daddr, 1);
-                for (i = 0; i < 2; i++) {
+        if (peer) {
-                        unsigned hash = rt_hash(daddr, skeys[i], ikeys[k],
+                unsigned short mtu = new_mtu;
-                                                rt_genid(net));
-                        rcu_read_lock();
-                        for (rth = rcu_dereference(rt_hash_table[hash].chain); rth;
-                             rth = rcu_dereference(rth->dst.rt_next)) {
-                                unsigned short mtu = new_mtu;
-                                if (rth->fl.fl4_dst != daddr ||
-                                    rth->fl.fl4_src != skeys[i] ||
-                                    rth->rt_dst != daddr ||
-                                    rth->rt_src != iph->saddr ||
-                                    rth->fl.oif != ikeys[k] ||
-                                    rt_is_input_route(rth) ||
-                                    dst_metric_locked(&rth->dst, RTAX_MTU) ||
-                                    !net_eq(dev_net(rth->dst.dev), net) ||
-                                    rt_is_expired(rth))
-                                        continue;
-                                if (new_mtu < 68 || new_mtu >= old_mtu) {
+                if (new_mtu < 68 || new_mtu >= old_mtu) {
+                        /* BSD 4.2 derived systems incorrectly adjust
+                         * tot_len by the IP header length, and report
+                         * a zero MTU in the ICMP message.
+                         */
+                        if (mtu == 0 &&
+                            old_mtu >= 68 + (iph->ihl << 2))
+                                old_mtu -= iph->ihl << 2;
+                        mtu = guess_mtu(old_mtu);
+                }
-                                        /* BSD 4.2 compatibility hack :-( */
+                if (mtu < ip_rt_min_pmtu)
-                                        if (mtu == 0 &&
+                        mtu = ip_rt_min_pmtu;
-                                            old_mtu >= dst_mtu(&rth->dst) &&
+                if (!peer->pmtu_expires || mtu < peer->pmtu_learned) {
-                                            old_mtu >= 68 + (iph->ihl << 2))
+                        unsigned long pmtu_expires;
-                                                old_mtu -= iph->ihl << 2;
-                                        mtu = guess_mtu(old_mtu);
+                        pmtu_expires = jiffies + ip_rt_mtu_expires;
-                                }
+                        if (!pmtu_expires)
-                                if (mtu <= dst_mtu(&rth->dst)) {
+                                pmtu_expires = 1UL;
-                                        if (mtu < dst_mtu(&rth->dst)) {
-                                                dst_confirm(&rth->dst);
+                        est_mtu = mtu;
-                                                if (mtu < ip_rt_min_pmtu) {
+                        peer->pmtu_learned = mtu;
-                                                        u32 lock = dst_metric(&rth->dst,
+                        peer->pmtu_expires = pmtu_expires;
-                                                                              RTAX_LOCK);
-                                                        mtu = ip_rt_min_pmtu;
-                                                        lock |= (1 << RTAX_MTU);
-                                                        dst_metric_set(&rth->dst, RTAX_LOCK,
-                                                                       lock);
-                                                }
-                                                dst_metric_set(&rth->dst, RTAX_MTU, mtu);
-                                                dst_set_expires(&rth->dst,
-                                                        ip_rt_mtu_expires);
-                                        }
-                                        est_mtu = mtu;
-                                }
-                        }
-                        rcu_read_unlock();
                }
+                inet_putpeer(peer);
+                atomic_inc(&__rt_peer_genid);
        }
        return est_mtu ? : new_mtu;
 }
+static void check_peer_pmtu(struct dst_entry *dst, struct inet_peer *peer)
+{
+        unsigned long expires = peer->pmtu_expires;
+        if (time_before(jiffies, expires)) {
+                u32 orig_dst_mtu = dst_mtu(dst);
+                if (peer->pmtu_learned < orig_dst_mtu) {
+                        if (!peer->pmtu_orig)
+                                peer->pmtu_orig = dst_metric_raw(dst, RTAX_MTU);
+                        dst_metric_set(dst, RTAX_MTU, peer->pmtu_learned);
+                }
+        } else if (cmpxchg(&peer->pmtu_expires, expires, 0) == expires)
+                dst_metric_set(dst, RTAX_MTU, peer->pmtu_orig);
+}
 static void ip_rt_update_pmtu(struct dst_entry *dst, u32 mtu)
 {
-        if (dst_mtu(dst) > mtu && mtu >= 68 &&
+        struct rtable *rt = (struct rtable *) dst;
-            !(dst_metric_locked(dst, RTAX_MTU))) {
+        struct inet_peer *peer;
-                if (mtu < ip_rt_min_pmtu) {
-                        u32 lock = dst_metric(dst, RTAX_LOCK);
+        dst_confirm(dst);
+        if (!rt->peer)
+                rt_bind_peer(rt, rt->rt_dst, 1);
+        peer = rt->peer;
+        if (peer) {
+                if (mtu < ip_rt_min_pmtu)
                        mtu = ip_rt_min_pmtu;
-                        dst_metric_set(dst, RTAX_LOCK, lock | (1 << RTAX_MTU));
+                if (!peer->pmtu_expires || mtu < peer->pmtu_learned) {
+                        unsigned long pmtu_expires;
+                        pmtu_expires = jiffies + ip_rt_mtu_expires;
+                        if (!pmtu_expires)
+                                pmtu_expires = 1UL;
+                        peer->pmtu_learned = mtu;
+                        peer->pmtu_expires = pmtu_expires;
+                        atomic_inc(&__rt_peer_genid);
+                        rt->rt_peer_genid = rt_peer_genid();
                }
-                dst_metric_set(dst, RTAX_MTU, mtu);
+                check_peer_pmtu(dst, peer);
-                dst_set_expires(dst, ip_rt_mtu_expires);
-                call_netevent_notifiers(NETEVENT_PMTU_UPDATE, dst);
        }
 }
+static int check_peer_redir(struct dst_entry *dst, struct inet_peer *peer)
+{
+        struct rtable *rt = (struct rtable *) dst;
+        __be32 orig_gw = rt->rt_gateway;
+        dst_confirm(&rt->dst);
+        neigh_release(rt->dst.neighbour);
+        rt->dst.neighbour = NULL;
+        rt->rt_gateway = peer->redirect_learned.a4;
+        if (arp_bind_neighbour(&rt->dst) ||
+            !(rt->dst.neighbour->nud_state & NUD_VALID)) {
+                if (rt->dst.neighbour)
+                        neigh_event_send(rt->dst.neighbour, NULL);
+                rt->rt_gateway = orig_gw;
+                return -EAGAIN;
+        } else {
+                rt->rt_flags |= RTCF_REDIRECTED;
+                call_netevent_notifiers(NETEVENT_NEIGH_UPDATE,
+                                        rt->dst.neighbour);
+        }
+        return 0;
+}
 static struct dst_entry *ipv4_dst_check(struct dst_entry *dst, u32 cookie)
 {
-        if (rt_is_expired((struct rtable *)dst))
+        struct rtable *rt = (struct rtable *) dst;
+        if (rt_is_expired(rt))
                return NULL;
+        if (rt->rt_peer_genid != rt_peer_genid()) {
+                struct inet_peer *peer;
+                if (!rt->peer)
+                        rt_bind_peer(rt, rt->rt_dst, 0);
+                peer = rt->peer;
+                if (peer && peer->pmtu_expires)
+                        check_peer_pmtu(dst, peer);
+                if (peer && peer->redirect_learned.a4 &&
+                    peer->redirect_learned.a4 != rt->rt_gateway) {
+                        if (check_peer_redir(dst, peer))
+                                return NULL;
+                }
+                rt->rt_peer_genid = rt_peer_genid();
+        }
        return dst;
 }
@@ -1720,6 +1631,10 @@ static void ipv4_dst_destroy(struct dst_entry *dst)
        struct rtable *rt = (struct rtable *) dst;
        struct inet_peer *peer = rt->peer;
+        if (rt->fi) {
+                fib_info_put(rt->fi);
+                rt->fi = NULL;
+        }
        if (peer) {
                rt->peer = NULL;
                inet_putpeer(peer);
@@ -1734,8 +1649,14 @@ static void ipv4_link_failure(struct sk_buff *skb)
        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0);
        rt = skb_rtable(skb);
-        if (rt)
+        if (rt &&
-                dst_set_expires(&rt->dst, 0);
+            rt->peer &&
+            rt->peer->pmtu_expires) {
+                unsigned long orig = rt->peer->pmtu_expires;
+                if (cmpxchg(&rt->peer->pmtu_expires, orig, 0) == orig)
+                        dst_metric_set(&rt->dst, RTAX_MTU, rt->peer->pmtu_orig);
+        }
 }
 static int ip_rt_bug(struct sk_buff *skb)
@@ -1756,17 +1677,30 @@ static int ip_rt_bug(struct sk_buff *skb)
   in IP options!
 */
-void ip_rt_get_source(u8 *addr, struct rtable *rt)
+void ip_rt_get_source(u8 *addr, struct sk_buff *skb, struct rtable *rt)
 {
        __be32 src;
-        struct fib_result res;
        if (rt_is_output_route(rt))
-                src = rt->rt_src;
+                src = ip_hdr(skb)->saddr;
        else {
+                struct fib_result res;
+                struct flowi4 fl4;
+                struct iphdr *iph;
+                iph = ip_hdr(skb);
+                memset(&fl4, 0, sizeof(fl4));
+                fl4.daddr = iph->daddr;
+                fl4.saddr = iph->saddr;
+                fl4.flowi4_tos = iph->tos;
+                fl4.flowi4_oif = rt->dst.dev->ifindex;
+                fl4.flowi4_iif = skb->dev->ifindex;
+                fl4.flowi4_mark = skb->mark;
                rcu_read_lock();
-                if (fib_lookup(dev_net(rt->dst.dev), &rt->fl, &res) == 0)
+                if (fib_lookup(dev_net(rt->dst.dev), &fl4, &res) == 0)
-                        src = FIB_RES_PREFSRC(res);
+                        src = FIB_RES_PREFSRC(dev_net(rt->dst.dev), res);
                else
                        src = inet_select_addr(rt->dst.dev, rt->rt_gateway,
                                        RT_SCOPE_UNIVERSE);
@@ -1775,7 +1709,7 @@ void ip_rt_get_source(u8 *addr, struct rtable *rt)
        memcpy(addr, &src, 4);
 }
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
 static void set_class_tag(struct rtable *rt, u32 tag)
 {
        if (!(rt->dst.tclassid & 0xFFFF))
@@ -1815,17 +1749,54 @@ static unsigned int ipv4_default_mtu(const struct dst_entry *dst)
        return mtu;
 }
-static void rt_set_nexthop(struct rtable *rt, struct fib_result *res, u32 itag)
+static void rt_init_metrics(struct rtable *rt, const struct flowi4 *fl4,
+                            struct fib_info *fi)
+{
+        struct inet_peer *peer;
+        int create = 0;
+        /* If a peer entry exists for this destination, we must hook
+         * it up in order to get at cached metrics.
+         */
+        if (fl4 && (fl4->flowi4_flags & FLOWI_FLAG_PRECOW_METRICS))
+                create = 1;
+        rt->peer = peer = inet_getpeer_v4(rt->rt_dst, create);
+        if (peer) {
+                rt->rt_peer_genid = rt_peer_genid();
+                if (inet_metrics_new(peer))
+                        memcpy(peer->metrics, fi->fib_metrics,
+                               sizeof(u32) * RTAX_MAX);
+                dst_init_metrics(&rt->dst, peer->metrics, false);
+                if (peer->pmtu_expires)
+                        check_peer_pmtu(&rt->dst, peer);
+                if (peer->redirect_learned.a4 &&
+                    peer->redirect_learned.a4 != rt->rt_gateway) {
+                        rt->rt_gateway = peer->redirect_learned.a4;
+                        rt->rt_flags |= RTCF_REDIRECTED;
+                }
+        } else {
+                if (fi->fib_metrics != (u32 *) dst_default_metrics) {
+                        rt->fi = fi;
+                        atomic_inc(&fi->fib_clntref);
+                }
+                dst_init_metrics(&rt->dst, fi->fib_metrics, true);
+        }
+}
+static void rt_set_nexthop(struct rtable *rt, const struct flowi4 *fl4,
+                           const struct fib_result *res,
+                           struct fib_info *fi, u16 type, u32 itag)
 {
        struct dst_entry *dst = &rt->dst;
-        struct fib_info *fi = res->fi;
        if (fi) {
                if (FIB_RES_GW(*res) &&
                    FIB_RES_NH(*res).nh_scope == RT_SCOPE_LINK)
                        rt->rt_gateway = FIB_RES_GW(*res);
-                dst_import_metrics(dst, fi->fib_metrics);
+                rt_init_metrics(rt, fl4, fi);
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
                dst->tclassid = FIB_RES_NH(*res).nh_tclassid;
 #endif
        }
@@ -1835,13 +1806,21 @@ static void rt_set_nexthop(struct rtable *rt, struct fib_result *res, u32 itag)
        if (dst_metric_raw(dst, RTAX_ADVMSS) > 65535 - 40)
                dst_metric_set(dst, RTAX_ADVMSS, 65535 - 40);
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
 #ifdef CONFIG_IP_MULTIPLE_TABLES
        set_class_tag(rt, fib_rules_tclass(res));
 #endif
        set_class_tag(rt, itag);
 #endif
-        rt->rt_type = res->type;
+}
+static struct rtable *rt_dst_alloc(struct net_device *dev,
+                                   bool nopolicy, bool noxfrm)
+{
+        return dst_alloc(&ipv4_dst_ops, dev, 1, -1,
+                         DST_HOST |
+                         (nopolicy ? DST_NOPOLICY : 0) |
+                         (noxfrm ? DST_NOXFRM : 0));
 }
 /* called in rcu_read_lock() section */
@@ -1869,41 +1848,38 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
                        goto e_inval;
                spec_dst = inet_select_addr(dev, 0, RT_SCOPE_LINK);
        } else {
-                err = fib_validate_source(saddr, 0, tos, 0, dev, &spec_dst,
+                err = fib_validate_source(skb, saddr, 0, tos, 0, dev, &spec_dst,
-                                          &itag, 0);
+                                          &itag);
                if (err < 0)
                        goto e_err;
        }
-        rth = dst_alloc(&ipv4_dst_ops);
+        rth = rt_dst_alloc(init_net.loopback_dev,
+                           IN_DEV_CONF_GET(in_dev, NOPOLICY), false);
        if (!rth)
                goto e_nobufs;
+#ifdef CONFIG_IP_ROUTE_CLASSID
+        rth->dst.tclassid = itag;
+#endif
        rth->dst.output = ip_rt_bug;
-        rth->dst.obsolete = -1;
-        atomic_set(&rth->dst.__refcnt, 1);
+        rth->rt_key_dst = daddr;
-        rth->dst.flags= DST_HOST;
+        rth->rt_key_src = saddr;
-        if (IN_DEV_CONF_GET(in_dev, NOPOLICY))
+        rth->rt_genid   = rt_genid(dev_net(dev));
-                rth->dst.flags |= DST_NOPOLICY;
+        rth->rt_flags   = RTCF_MULTICAST;
-        rth->fl.fl4_dst = daddr;
+        rth->rt_type    = RTN_MULTICAST;
+        rth->rt_key_tos = tos;
        rth->rt_dst     = daddr;
-        rth->fl.fl4_tos = tos;
-        rth->fl.mark    = skb->mark;
-        rth->fl.fl4_src = saddr;
        rth->rt_src     = saddr;
-#ifdef CONFIG_NET_CLS_ROUTE
+        rth->rt_route_iif = dev->ifindex;
-        rth->dst.tclassid = itag;
+        rth->rt_iif     = dev->ifindex;
-#endif
+        rth->rt_oif     = 0;
-        rth->rt_iif     =
+        rth->rt_mark    = skb->mark;
-        rth->fl.iif     = dev->ifindex;
-        rth->dst.dev    = init_net.loopback_dev;
-        dev_hold(rth->dst.dev);
-        rth->fl.oif     = 0;
        rth->rt_gateway = daddr;
        rth->rt_spec_dst= spec_dst;
-        rth->rt_genid   = rt_genid(dev_net(dev));
+        rth->rt_peer_genid = 0;
-        rth->rt_flags   = RTCF_MULTICAST;
+        rth->peer = NULL;
-        rth->rt_type    = RTN_MULTICAST;
+        rth->fi = NULL;
        if (our) {
                rth->dst.input= ip_local_deliver;
                rth->rt_flags |= RTCF_LOCAL;
@@ -1916,7 +1892,10 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
        RT_CACHE_STAT_INC(in_slow_mc);
        hash = rt_hash(daddr, saddr, dev->ifindex, rt_genid(dev_net(dev)));
-        return rt_intern_hash(hash, rth, NULL, skb, dev->ifindex);
+        rth = rt_intern_hash(hash, rth, skb, dev->ifindex);
+        err = 0;
+        if (IS_ERR(rth))
+                err = PTR_ERR(rth);
 e_nobufs:
        return -ENOBUFS;
@@ -1959,7 +1938,7 @@ static void ip_handle_martian_source(struct net_device *dev,
 /* called in rcu_read_lock() section */
 static int __mkroute_input(struct sk_buff *skb,
-                           struct fib_result *res,
+                           const struct fib_result *res,
                           struct in_device *in_dev,
                           __be32 daddr, __be32 saddr, u32 tos,
                           struct rtable **result)
@@ -1981,8 +1960,8 @@ static int __mkroute_input(struct sk_buff *skb,
        }
-        err = fib_validate_source(saddr, daddr, tos, FIB_RES_OIF(*res),
+        err = fib_validate_source(skb, saddr, daddr, tos, FIB_RES_OIF(*res),
-                                  in_dev->dev, &spec_dst, &itag, skb->mark);
+                                  in_dev->dev, &spec_dst, &itag);
        if (err < 0) {
                ip_handle_martian_source(in_dev->dev, in_dev, skb, daddr,
                                         saddr);
@@ -2013,41 +1992,36 @@ static int __mkroute_input(struct sk_buff *skb,
                }
        }
+        rth = rt_dst_alloc(out_dev->dev,
-        rth = dst_alloc(&ipv4_dst_ops);
+                           IN_DEV_CONF_GET(in_dev, NOPOLICY),
+                           IN_DEV_CONF_GET(out_dev, NOXFRM));
        if (!rth) {
                err = -ENOBUFS;
                goto cleanup;
        }
-        atomic_set(&rth->dst.__refcnt, 1);
+        rth->rt_key_dst = daddr;
-        rth->dst.flags= DST_HOST;
+        rth->rt_key_src = saddr;
-        if (IN_DEV_CONF_GET(in_dev, NOPOLICY))
+        rth->rt_genid = rt_genid(dev_net(rth->dst.dev));
-                rth->dst.flags |= DST_NOPOLICY;
+        rth->rt_flags = flags;
-        if (IN_DEV_CONF_GET(out_dev, NOXFRM))
+        rth->rt_type = res->type;
-                rth->dst.flags |= DST_NOXFRM;
+        rth->rt_key_tos = tos;
-        rth->fl.fl4_dst = daddr;
        rth->rt_dst     = daddr;
-        rth->fl.fl4_tos = tos;
-        rth->fl.mark    = skb->mark;
-        rth->fl.fl4_src = saddr;
        rth->rt_src     = saddr;
+        rth->rt_route_iif = in_dev->dev->ifindex;
+        rth->rt_iif     = in_dev->dev->ifindex;
+        rth->rt_oif     = 0;
+        rth->rt_mark    = skb->mark;
        rth->rt_gateway = daddr;
-        rth->rt_iif     =
-                rth->fl.iif     = in_dev->dev->ifindex;
-        rth->dst.dev    = (out_dev)->dev;
-        dev_hold(rth->dst.dev);
-        rth->fl.oif     = 0;
        rth->rt_spec_dst= spec_dst;
+        rth->rt_peer_genid = 0;
+        rth->peer = NULL;
+        rth->fi = NULL;
-        rth->dst.obsolete = -1;
        rth->dst.input = ip_forward;
        rth->dst.output = ip_output;
-        rth->rt_genid = rt_genid(dev_net(rth->dst.dev));
-        rt_set_nexthop(rth, res, itag);
-        rth->rt_flags = flags;
+        rt_set_nexthop(rth, NULL, res, res->fi, res->type, itag);
        *result = rth;
        err = 0;
@@ -2057,7 +2031,7 @@ static int __mkroute_input(struct sk_buff *skb,
 static int ip_mkroute_input(struct sk_buff *skb,
                            struct fib_result *res,
-                            const struct flowi *fl,
+                            const struct flowi4 *fl4,
                            struct in_device *in_dev,
                            __be32 daddr, __be32 saddr, u32 tos)
 {
@@ -2066,8 +2040,8 @@ static int ip_mkroute_input(struct sk_buff *skb,
        unsigned hash;
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
-        if (res->fi && res->fi->fib_nhs > 1 && fl->oif == 0)
+        if (res->fi && res->fi->fib_nhs > 1)
-                fib_select_multipath(fl, res);
+                fib_select_multipath(res);
 #endif
        /* create a routing cache entry */
@@ -2076,9 +2050,12 @@ static int ip_mkroute_input(struct sk_buff *skb,
                return err;
        /* put it into the cache */
-        hash = rt_hash(daddr, saddr, fl->iif,
+        hash = rt_hash(daddr, saddr, fl4->flowi4_iif,
                       rt_genid(dev_net(rth->dst.dev)));
-        return rt_intern_hash(hash, rth, NULL, skb, fl->iif);
+        rth = rt_intern_hash(hash, rth, skb, fl4->flowi4_iif);
+        if (IS_ERR(rth))
+                return PTR_ERR(rth);
+        return 0;
 }
 /*
@@ -2097,12 +2074,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
 {
        struct fib_result res;
        struct in_device *in_dev = __in_dev_get_rcu(dev);
-        struct flowi fl = { .fl4_dst    = daddr,
+        struct flowi4   fl4;
-                            .fl4_src    = saddr,
-                            .fl4_tos    = tos,
-                            .fl4_scope  = RT_SCOPE_UNIVERSE,
-                            .mark = skb->mark,
-                            .iif = dev->ifindex };
        unsigned        flags = 0;
        u32             itag = 0;
        struct rtable * rth;
@@ -2139,7 +2111,14 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
        /*
         *      Now we are ready to route packet.
         */
-        err = fib_lookup(net, &fl, &res);
+        fl4.flowi4_oif = 0;
+        fl4.flowi4_iif = dev->ifindex;
+        fl4.flowi4_mark = skb->mark;
+        fl4.flowi4_tos = tos;
+        fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
+        fl4.daddr = daddr;
+        fl4.saddr = saddr;
+        err = fib_lookup(net, &fl4, &res);
        if (err != 0) {
                if (!IN_DEV_FORWARD(in_dev))
                        goto e_hostunreach;
@@ -2152,9 +2131,9 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
                goto brd_input;
        if (res.type == RTN_LOCAL) {
-                err = fib_validate_source(saddr, daddr, tos,
+                err = fib_validate_source(skb, saddr, daddr, tos,
                                          net->loopback_dev->ifindex,
-                                          dev, &spec_dst, &itag, skb->mark);
+                                          dev, &spec_dst, &itag);
                if (err < 0)
                        goto martian_source_keep_err;
                if (err)
@@ -2168,7 +2147,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
        if (res.type != RTN_UNICAST)
                goto martian_destination;
-        err = ip_mkroute_input(skb, &res, &fl, in_dev, daddr, saddr, tos);
+        err = ip_mkroute_input(skb, &res, &fl4, in_dev, daddr, saddr, tos);
 out:    return err;
 brd_input:
@@ -2178,8 +2157,8 @@ brd_input:
        if (ipv4_is_zeronet(saddr))
                spec_dst = inet_select_addr(dev, 0, RT_SCOPE_LINK);
        else {
-                err = fib_validate_source(saddr, 0, tos, 0, dev, &spec_dst,
+                err = fib_validate_source(skb, saddr, 0, tos, 0, dev, &spec_dst,
-                                          &itag, skb->mark);
+                                          &itag);
                if (err < 0)
                        goto martian_source_keep_err;
                if (err)
@@ -2190,43 +2169,47 @@ brd_input:
        RT_CACHE_STAT_INC(in_brd);
 local_input:
-        rth = dst_alloc(&ipv4_dst_ops);
+        rth = rt_dst_alloc(net->loopback_dev,
+                           IN_DEV_CONF_GET(in_dev, NOPOLICY), false);
        if (!rth)
                goto e_nobufs;
+        rth->dst.input= ip_local_deliver;
        rth->dst.output= ip_rt_bug;
-        rth->dst.obsolete = -1;
+#ifdef CONFIG_IP_ROUTE_CLASSID
-        rth->rt_genid = rt_genid(net);
+        rth->dst.tclassid = itag;
+#endif
-        atomic_set(&rth->dst.__refcnt, 1);
+        rth->rt_key_dst = daddr;
-        rth->dst.flags= DST_HOST;
+        rth->rt_key_src = saddr;
-        if (IN_DEV_CONF_GET(in_dev, NOPOLICY))
+        rth->rt_genid = rt_genid(net);
-                rth->dst.flags |= DST_NOPOLICY;
+        rth->rt_flags   = flags|RTCF_LOCAL;
-        rth->fl.fl4_dst = daddr;
+        rth->rt_type    = res.type;
+        rth->rt_key_tos = tos;
        rth->rt_dst     = daddr;
-        rth->fl.fl4_tos = tos;
-        rth->fl.mark    = skb->mark;
-        rth->fl.fl4_src = saddr;
        rth->rt_src     = saddr;
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
        rth->dst.tclassid = itag;
 #endif
-        rth->rt_iif     =
+        rth->rt_route_iif = dev->ifindex;
-        rth->fl.iif     = dev->ifindex;
+        rth->rt_iif     = dev->ifindex;
-        rth->dst.dev    = net->loopback_dev;
+        rth->rt_oif     = 0;
-        dev_hold(rth->dst.dev);
+        rth->rt_mark    = skb->mark;
        rth->rt_gateway = daddr;
        rth->rt_spec_dst= spec_dst;
-        rth->dst.input= ip_local_deliver;
+        rth->rt_peer_genid = 0;
-        rth->rt_flags   = flags|RTCF_LOCAL;
+        rth->peer = NULL;
+        rth->fi = NULL;
        if (res.type == RTN_UNREACHABLE) {
                rth->dst.input= ip_error;
                rth->dst.error= -err;
                rth->rt_flags   &= ~RTCF_LOCAL;
        }
-        rth->rt_type    = res.type;
+        hash = rt_hash(daddr, saddr, fl4.flowi4_iif, rt_genid(net));
-        hash = rt_hash(daddr, saddr, fl.iif, rt_genid(net));
+        rth = rt_intern_hash(hash, rth, skb, fl4.flowi4_iif);
-        err = rt_intern_hash(hash, rth, NULL, skb, fl.iif);
+        err = 0;
+        if (IS_ERR(rth))
+                err = PTR_ERR(rth);
        goto out;
 no_route:
@@ -2288,12 +2271,12 @@ int ip_route_input_common(struct sk_buff *skb, __be32 daddr, __be32 saddr,
        for (rth = rcu_dereference(rt_hash_table[hash].chain); rth;
             rth = rcu_dereference(rth->dst.rt_next)) {
-                if ((((__force u32)rth->fl.fl4_dst ^ (__force u32)daddr) |
+                if ((((__force u32)rth->rt_key_dst ^ (__force u32)daddr) |
-                     ((__force u32)rth->fl.fl4_src ^ (__force u32)saddr) |
+                     ((__force u32)rth->rt_key_src ^ (__force u32)saddr) |
-                     (rth->fl.iif ^ iif) |
+                     (rth->rt_iif ^ iif) |
-                     rth->fl.oif |
+                     rth->rt_oif |
-                     (rth->fl.fl4_tos ^ tos)) == 0 &&
+                     (rth->rt_key_tos ^ tos)) == 0 &&
-                    rth->fl.mark == skb->mark &&
+                    rth->rt_mark == skb->mark &&
                    net_eq(dev_net(rth->dst.dev), net) &&
                    !rt_is_expired(rth)) {
                        if (noref) {
@@ -2326,8 +2309,8 @@ skip_cache:
                struct in_device *in_dev = __in_dev_get_rcu(dev);
                if (in_dev) {
-                        int our = ip_check_mc(in_dev, daddr, saddr,
+                        int our = ip_check_mc_rcu(in_dev, daddr, saddr,
-                                              ip_hdr(skb)->protocol);
+                                                  ip_hdr(skb)->protocol);
                        if (our
 #ifdef CONFIG_IP_MROUTE
                                ||
@@ -2351,98 +2334,94 @@ skip_cache:
 EXPORT_SYMBOL(ip_route_input_common);
 /* called with rcu_read_lock() */
-static int __mkroute_output(struct rtable **result,
+static struct rtable *__mkroute_output(const struct fib_result *res,
-                            struct fib_result *res,
+                                       const struct flowi4 *fl4,
-                            const struct flowi *fl,
+                                       __be32 orig_daddr, __be32 orig_saddr,
-                            const struct flowi *oldflp,
+                                       int orig_oif, struct net_device *dev_out,
-                            struct net_device *dev_out,
+                                       unsigned int flags)
-                            unsigned flags)
 {
-        struct rtable *rth;
+        struct fib_info *fi = res->fi;
+        u32 tos = RT_FL_TOS(fl4);
        struct in_device *in_dev;
-        u32 tos = RT_FL_TOS(oldflp);
+        u16 type = res->type;
+        struct rtable *rth;
-        if (ipv4_is_loopback(fl->fl4_src) && !(dev_out->flags & IFF_LOOPBACK))
+        if (ipv4_is_loopback(fl4->saddr) && !(dev_out->flags & IFF_LOOPBACK))
-                return -EINVAL;
+                return ERR_PTR(-EINVAL);
-        if (ipv4_is_lbcast(fl->fl4_dst))
+        if (ipv4_is_lbcast(fl4->daddr))
-                res->type = RTN_BROADCAST;
+                type = RTN_BROADCAST;
-        else if (ipv4_is_multicast(fl->fl4_dst))
+        else if (ipv4_is_multicast(fl4->daddr))
-                res->type = RTN_MULTICAST;
+                type = RTN_MULTICAST;
-        else if (ipv4_is_zeronet(fl->fl4_dst))
+        else if (ipv4_is_zeronet(fl4->daddr))
-                return -EINVAL;
+                return ERR_PTR(-EINVAL);
        if (dev_out->flags & IFF_LOOPBACK)
                flags |= RTCF_LOCAL;
        in_dev = __in_dev_get_rcu(dev_out);
        if (!in_dev)
-                return -EINVAL;
+                return ERR_PTR(-EINVAL);
-        if (res->type == RTN_BROADCAST) {
+        if (type == RTN_BROADCAST) {
                flags |= RTCF_BROADCAST | RTCF_LOCAL;
-                res->fi = NULL;
+                fi = NULL;
-        } else if (res->type == RTN_MULTICAST) {
+        } else if (type == RTN_MULTICAST) {
                flags |= RTCF_MULTICAST | RTCF_LOCAL;
-                if (!ip_check_mc(in_dev, oldflp->fl4_dst, oldflp->fl4_src,
+                if (!ip_check_mc_rcu(in_dev, fl4->daddr, fl4->saddr,
-                                 oldflp->proto))
+                                     fl4->flowi4_proto))
                        flags &= ~RTCF_LOCAL;
                /* If multicast route do not exist use
                 * default one, but do not gateway in this case.
                 * Yes, it is hack.
                 */
-                if (res->fi && res->prefixlen < 4)
+                if (fi && res->prefixlen < 4)
-                        res->fi = NULL;
+                        fi = NULL;
        }
+        rth = rt_dst_alloc(dev_out,
-        rth = dst_alloc(&ipv4_dst_ops);
+                           IN_DEV_CONF_GET(in_dev, NOPOLICY),
+                           IN_DEV_CONF_GET(in_dev, NOXFRM));
        if (!rth)
-                return -ENOBUFS;
+                return ERR_PTR(-ENOBUFS);
-        atomic_set(&rth->dst.__refcnt, 1);
+        rth->dst.output = ip_output;
-        rth->dst.flags= DST_HOST;
-        if (IN_DEV_CONF_GET(in_dev, NOXFRM))
+        rth->rt_key_dst = orig_daddr;
-                rth->dst.flags |= DST_NOXFRM;
+        rth->rt_key_src = orig_saddr;
-        if (IN_DEV_CONF_GET(in_dev, NOPOLICY))
-                rth->dst.flags |= DST_NOPOLICY;
-        rth->fl.fl4_dst = oldflp->fl4_dst;
-        rth->fl.fl4_tos = tos;
-        rth->fl.fl4_src = oldflp->fl4_src;
-        rth->fl.oif     = oldflp->oif;
-        rth->fl.mark    = oldflp->mark;
-        rth->rt_dst     = fl->fl4_dst;
-        rth->rt_src     = fl->fl4_src;
-        rth->rt_iif     = oldflp->oif ? : dev_out->ifindex;
-        /* get references to the devices that are to be hold by the routing
-           cache entry */
-        rth->dst.dev    = dev_out;
-        dev_hold(dev_out);
-        rth->rt_gateway = fl->fl4_dst;
-        rth->rt_spec_dst= fl->fl4_src;
-        rth->dst.output=ip_output;
-        rth->dst.obsolete = -1;
        rth->rt_genid = rt_genid(dev_net(dev_out));
+        rth->rt_flags   = flags;
+        rth->rt_type    = type;
+        rth->rt_key_tos = tos;
+        rth->rt_dst     = fl4->daddr;
+        rth->rt_src     = fl4->saddr;
+        rth->rt_route_iif = 0;
+        rth->rt_iif     = orig_oif ? : dev_out->ifindex;
+        rth->rt_oif     = orig_oif;
+        rth->rt_mark    = fl4->flowi4_mark;
+        rth->rt_gateway = fl4->daddr;
+        rth->rt_spec_dst= fl4->saddr;
+        rth->rt_peer_genid = 0;
+        rth->peer = NULL;
+        rth->fi = NULL;
        RT_CACHE_STAT_INC(out_slow_tot);
        if (flags & RTCF_LOCAL) {
                rth->dst.input = ip_local_deliver;
-                rth->rt_spec_dst = fl->fl4_dst;
+                rth->rt_spec_dst = fl4->daddr;
        }
        if (flags & (RTCF_BROADCAST | RTCF_MULTICAST)) {
-                rth->rt_spec_dst = fl->fl4_src;
+                rth->rt_spec_dst = fl4->saddr;
                if (flags & RTCF_LOCAL &&
                    !(dev_out->flags & IFF_LOOPBACK)) {
                        rth->dst.output = ip_mc_output;
                        RT_CACHE_STAT_INC(out_slow_mc);
                }
 #ifdef CONFIG_IP_MROUTE
-                if (res->type == RTN_MULTICAST) {
+                if (type == RTN_MULTICAST) {
                        if (IN_DEV_MFORWARD(in_dev) &&
-                            !ipv4_is_local_multicast(oldflp->fl4_dst)) {
+                            !ipv4_is_local_multicast(fl4->daddr)) {
                                rth->dst.input = ip_mr_input;
                                rth->dst.output = ip_mc_output;
                        }
@@ -2450,31 +2429,9 @@ static int __mkroute_output(struct rtable **result,
 #endif
        }
-        rt_set_nexthop(rth, res, 0);
+        rt_set_nexthop(rth, fl4, res, fi, type, 0);
-        rth->rt_flags = flags;
+        return rth;
-        *result = rth;
-        return 0;
-}
-/* called with rcu_read_lock() */
-static int ip_mkroute_output(struct rtable **rp,
-                             struct fib_result *res,
-                             const struct flowi *fl,
-                             const struct flowi *oldflp,
-                             struct net_device *dev_out,
-                             unsigned flags)
-{
-        struct rtable *rth = NULL;
-        int err = __mkroute_output(&rth, res, fl, oldflp, dev_out, flags);
-        unsigned hash;
-        if (err == 0) {
-                hash = rt_hash(oldflp->fl4_dst, oldflp->fl4_src, oldflp->oif,
-                               rt_genid(dev_net(dev_out)));
-                err = rt_intern_hash(hash, rth, rp, NULL, oldflp->oif);
-        }
-        return err;
 }
 /*
@@ -2482,34 +2439,37 @@ static int ip_mkroute_output(struct rtable **rp,
 * called with rcu_read_lock();
 */
-static int ip_route_output_slow(struct net *net, struct rtable **rp,
+static struct rtable *ip_route_output_slow(struct net *net, struct flowi4 *fl4)
-                                const struct flowi *oldflp)
+{
-{
-        u32 tos = RT_FL_TOS(oldflp);
-        struct flowi fl = { .fl4_dst = oldflp->fl4_dst,
-                            .fl4_src = oldflp->fl4_src,
-                            .fl4_tos = tos & IPTOS_RT_MASK,
-                            .fl4_scope = ((tos & RTO_ONLINK) ?
-                                          RT_SCOPE_LINK : RT_SCOPE_UNIVERSE),
-                            .mark = oldflp->mark,
-                            .iif = net->loopback_dev->ifindex,
-                            .oif = oldflp->oif };
-        struct fib_result res;
-        unsigned int flags = 0;
        struct net_device *dev_out = NULL;
-        int err;
+        u32 tos = RT_FL_TOS(fl4);
+        unsigned int flags = 0;
+        struct fib_result res;
+        struct rtable *rth;
+        __be32 orig_daddr;
+        __be32 orig_saddr;
+        int orig_oif;
        res.fi          = NULL;
 #ifdef CONFIG_IP_MULTIPLE_TABLES
        res.r           = NULL;
 #endif
-        if (oldflp->fl4_src) {
+        orig_daddr = fl4->daddr;
-                err = -EINVAL;
+        orig_saddr = fl4->saddr;
-                if (ipv4_is_multicast(oldflp->fl4_src) ||
+        orig_oif = fl4->flowi4_oif;
-                    ipv4_is_lbcast(oldflp->fl4_src) ||
-                    ipv4_is_zeronet(oldflp->fl4_src))
+        fl4->flowi4_iif = net->loopback_dev->ifindex;
+        fl4->flowi4_tos = tos & IPTOS_RT_MASK;
+        fl4->flowi4_scope = ((tos & RTO_ONLINK) ?
+                         RT_SCOPE_LINK : RT_SCOPE_UNIVERSE);
+        rcu_read_lock();
+        if (fl4->saddr) {
+                rth = ERR_PTR(-EINVAL);
+                if (ipv4_is_multicast(fl4->saddr) ||
+                    ipv4_is_lbcast(fl4->saddr) ||
+                    ipv4_is_zeronet(fl4->saddr))
                        goto out;
                /* I removed check for oif == dev_out->oif here.
@@ -2520,11 +2480,11 @@ static int ip_route_output_slow(struct net *net, struct rtable **rp,
                      of another iface. --ANK
                 */
-                if (oldflp->oif == 0 &&
+                if (fl4->flowi4_oif == 0 &&
-                    (ipv4_is_multicast(oldflp->fl4_dst) ||
+                    (ipv4_is_multicast(fl4->daddr) ||
-                     ipv4_is_lbcast(oldflp->fl4_dst))) {
+                     ipv4_is_lbcast(fl4->daddr))) {
                        /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
-                        dev_out = __ip_dev_find(net, oldflp->fl4_src, false);
+                        dev_out = __ip_dev_find(net, fl4->saddr, false);
                        if (dev_out == NULL)
                                goto out;
@@ -2543,60 +2503,60 @@ static int ip_route_output_slow(struct net *net, struct rtable **rp,
                           Luckily, this hack is good workaround.
                         */
-                        fl.oif = dev_out->ifindex;
+                        fl4->flowi4_oif = dev_out->ifindex;
                        goto make_route;
                }
-                if (!(oldflp->flags & FLOWI_FLAG_ANYSRC)) {
+                if (!(fl4->flowi4_flags & FLOWI_FLAG_ANYSRC)) {
                        /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
-                        if (!__ip_dev_find(net, oldflp->fl4_src, false))
+                        if (!__ip_dev_find(net, fl4->saddr, false))
                                goto out;
                }
        }
-        if (oldflp->oif) {
+        if (fl4->flowi4_oif) {
-                dev_out = dev_get_by_index_rcu(net, oldflp->oif);
+                dev_out = dev_get_by_index_rcu(net, fl4->flowi4_oif);
-                err = -ENODEV;
+                rth = ERR_PTR(-ENODEV);
                if (dev_out == NULL)
                        goto out;
                /* RACE: Check return value of inet_select_addr instead. */
                if (!(dev_out->flags & IFF_UP) || !__in_dev_get_rcu(dev_out)) {
-                        err = -ENETUNREACH;
+                        rth = ERR_PTR(-ENETUNREACH);
                        goto out;
                }
-                if (ipv4_is_local_multicast(oldflp->fl4_dst) ||
+                if (ipv4_is_local_multicast(fl4->daddr) ||
-                    ipv4_is_lbcast(oldflp->fl4_dst)) {
+                    ipv4_is_lbcast(fl4->daddr)) {
-                        if (!fl.fl4_src)
+                        if (!fl4->saddr)
-                                fl.fl4_src = inet_select_addr(dev_out, 0,
+                                fl4->saddr = inet_select_addr(dev_out, 0,
                                                              RT_SCOPE_LINK);
                        goto make_route;
                }
-                if (!fl.fl4_src) {
+                if (fl4->saddr) {
-                        if (ipv4_is_multicast(oldflp->fl4_dst))
+                        if (ipv4_is_multicast(fl4->daddr))
-                                fl.fl4_src = inet_select_addr(dev_out, 0,
+                                fl4->saddr = inet_select_addr(dev_out, 0,
-                                                              fl.fl4_scope);
+                                                              fl4->flowi4_scope);
-                        else if (!oldflp->fl4_dst)
+                        else if (!fl4->daddr)
-                                fl.fl4_src = inet_select_addr(dev_out, 0,
+                                fl4->saddr = inet_select_addr(dev_out, 0,
                                                              RT_SCOPE_HOST);
                }
        }
-        if (!fl.fl4_dst) {
+        if (!fl4->daddr) {
-                fl.fl4_dst = fl.fl4_src;
+                fl4->daddr = fl4->saddr;
-                if (!fl.fl4_dst)
+                if (!fl4->daddr)
-                        fl.fl4_dst = fl.fl4_src = htonl(INADDR_LOOPBACK);
+                        fl4->daddr = fl4->saddr = htonl(INADDR_LOOPBACK);
                dev_out = net->loopback_dev;
-                fl.oif = net->loopback_dev->ifindex;
+                fl4->flowi4_oif = net->loopback_dev->ifindex;
                res.type = RTN_LOCAL;
                flags |= RTCF_LOCAL;
                goto make_route;
        }
-        if (fib_lookup(net, &fl, &res)) {
+        if (fib_lookup(net, fl4, &res)) {
                res.fi = NULL;
-                if (oldflp->oif) {
+                if (fl4->flowi4_oif) {
                        /* Apparently, routing tables are wrong. Assume,
                           that the destination is on link.
@@ -2615,90 +2575,100 @@ static int ip_route_output_slow(struct net *net, struct rtable **rp,
                           likely IPv6, but we do not.
                         */
-                        if (fl.fl4_src == 0)
+                        if (fl4->saddr == 0)
-                                fl.fl4_src = inet_select_addr(dev_out, 0,
+                                fl4->saddr = inet_select_addr(dev_out, 0,
                                                              RT_SCOPE_LINK);
                        res.type = RTN_UNICAST;
                        goto make_route;
                }
-                err = -ENETUNREACH;
+                rth = ERR_PTR(-ENETUNREACH);
                goto out;
        }
        if (res.type == RTN_LOCAL) {
-                if (!fl.fl4_src) {
+                if (!fl4->saddr) {
                        if (res.fi->fib_prefsrc)
-                                fl.fl4_src = res.fi->fib_prefsrc;
+                                fl4->saddr = res.fi->fib_prefsrc;
                        else
-                                fl.fl4_src = fl.fl4_dst;
+                                fl4->saddr = fl4->daddr;
                }
                dev_out = net->loopback_dev;
-                fl.oif = dev_out->ifindex;
+                fl4->flowi4_oif = dev_out->ifindex;
                res.fi = NULL;
                flags |= RTCF_LOCAL;
                goto make_route;
        }
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
-        if (res.fi->fib_nhs > 1 && fl.oif == 0)
+        if (res.fi->fib_nhs > 1 && fl4->flowi4_oif == 0)
-                fib_select_multipath(&fl, &res);
+                fib_select_multipath(&res);
        else
 #endif
-        if (!res.prefixlen && res.type == RTN_UNICAST && !fl.oif)
+        if (!res.prefixlen &&
-                fib_select_default(net, &fl, &res);
+            res.table->tb_num_default > 1 &&
+            res.type == RTN_UNICAST && !fl4->flowi4_oif)
+                fib_select_default(&res);
-        if (!fl.fl4_src)
+        if (!fl4->saddr)
-                fl.fl4_src = FIB_RES_PREFSRC(res);
+                fl4->saddr = FIB_RES_PREFSRC(net, res);
        dev_out = FIB_RES_DEV(res);
-        fl.oif = dev_out->ifindex;
+        fl4->flowi4_oif = dev_out->ifindex;
 make_route:
-        err = ip_mkroute_output(rp, &res, &fl, oldflp, dev_out, flags);
+        rth = __mkroute_output(&res, fl4, orig_daddr, orig_saddr, orig_oif,
+                               dev_out, flags);
+        if (!IS_ERR(rth)) {
+                unsigned int hash;
-out:    return err;
+                hash = rt_hash(orig_daddr, orig_saddr, orig_oif,
+                               rt_genid(dev_net(dev_out)));
+                rth = rt_intern_hash(hash, rth, NULL, orig_oif);
+        }
+out:
+        rcu_read_unlock();
+        return rth;
 }
-int __ip_route_output_key(struct net *net, struct rtable **rp,
+struct rtable *__ip_route_output_key(struct net *net, struct flowi4 *flp4)
-                          const struct flowi *flp)
 {
-        unsigned int hash;
-        int res;
        struct rtable *rth;
+        unsigned int hash;
        if (!rt_caching(net))
                goto slow_output;
-        hash = rt_hash(flp->fl4_dst, flp->fl4_src, flp->oif, rt_genid(net));
+        hash = rt_hash(flp4->daddr, flp4->saddr, flp4->flowi4_oif, rt_genid(net));
        rcu_read_lock_bh();
        for (rth = rcu_dereference_bh(rt_hash_table[hash].chain); rth;
                rth = rcu_dereference_bh(rth->dst.rt_next)) {
-                if (rth->fl.fl4_dst == flp->fl4_dst &&
+                if (rth->rt_key_dst == flp4->daddr &&
-                    rth->fl.fl4_src == flp->fl4_src &&
+                    rth->rt_key_src == flp4->saddr &&
                    rt_is_output_route(rth) &&
-                    rth->fl.oif == flp->oif &&
+                    rth->rt_oif == flp4->flowi4_oif &&
-                    rth->fl.mark == flp->mark &&
+                    rth->rt_mark == flp4->flowi4_mark &&
-                    !((rth->fl.fl4_tos ^ flp->fl4_tos) &
+                    !((rth->rt_key_tos ^ flp4->flowi4_tos) &
                            (IPTOS_RT_MASK | RTO_ONLINK)) &&
                    net_eq(dev_net(rth->dst.dev), net) &&
                    !rt_is_expired(rth)) {
                        dst_use(&rth->dst, jiffies);
                        RT_CACHE_STAT_INC(out_hit);
                        rcu_read_unlock_bh();
-                        *rp = rth;
+                        if (!flp4->saddr)
-                        return 0;
+                                flp4->saddr = rth->rt_src;
+                        if (!flp4->daddr)
+                                flp4->daddr = rth->rt_dst;
+                        return rth;
                }
                RT_CACHE_STAT_INC(out_hlist_search);
        }
        rcu_read_unlock_bh();
 slow_output:
-        rcu_read_lock();
+        return ip_route_output_slow(net, flp4);
-        res = ip_route_output_slow(net, rp, flp);
-        rcu_read_unlock();
-        return res;
 }
 EXPORT_SYMBOL_GPL(__ip_route_output_key);
@@ -2716,6 +2686,12 @@ static void ipv4_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
 {
 }
+static u32 *ipv4_rt_blackhole_cow_metrics(struct dst_entry *dst,
+                                          unsigned long old)
+{
+        return NULL;
+}
 static struct dst_ops ipv4_dst_blackhole_ops = {
        .family                 =       AF_INET,
        .protocol               =       cpu_to_be16(ETH_P_IP),
@@ -2724,19 +2700,17 @@ static struct dst_ops ipv4_dst_blackhole_ops = {
        .default_mtu            =       ipv4_blackhole_default_mtu,
        .default_advmss         =       ipv4_default_advmss,
        .update_pmtu            =       ipv4_rt_blackhole_update_pmtu,
+        .cow_metrics            =       ipv4_rt_blackhole_cow_metrics,
 };
+struct dst_entry *ipv4_blackhole_route(struct net *net, struct dst_entry *dst_orig)
-static int ipv4_dst_blackhole(struct net *net, struct rtable **rp, struct flowi *flp)
 {
-        struct rtable *ort = *rp;
+        struct rtable *rt = dst_alloc(&ipv4_dst_blackhole_ops, NULL, 1, 0, 0);
-        struct rtable *rt = (struct rtable *)
+        struct rtable *ort = (struct rtable *) dst_orig;
-                dst_alloc(&ipv4_dst_blackhole_ops);
        if (rt) {
                struct dst_entry *new = &rt->dst;
-                atomic_set(&new->__refcnt, 1);
                new->__use = 1;
                new->input = dst_discard;
                new->output = dst_discard;
@@ -2746,59 +2720,53 @@ static int ipv4_dst_blackhole(struct net *net, struct rtable **rp, struct flowi
                if (new->dev)
                        dev_hold(new->dev);
-                rt->fl = ort->fl;
+                rt->rt_key_dst = ort->rt_key_dst;
+                rt->rt_key_src = ort->rt_key_src;
+                rt->rt_key_tos = ort->rt_key_tos;
+                rt->rt_route_iif = ort->rt_route_iif;
+                rt->rt_iif = ort->rt_iif;
+                rt->rt_oif = ort->rt_oif;
+                rt->rt_mark = ort->rt_mark;
                rt->rt_genid = rt_genid(net);
                rt->rt_flags = ort->rt_flags;
                rt->rt_type = ort->rt_type;
                rt->rt_dst = ort->rt_dst;
                rt->rt_src = ort->rt_src;
-                rt->rt_iif = ort->rt_iif;
                rt->rt_gateway = ort->rt_gateway;
                rt->rt_spec_dst = ort->rt_spec_dst;
                rt->peer = ort->peer;
                if (rt->peer)
                        atomic_inc(&rt->peer->refcnt);
+                rt->fi = ort->fi;
+                if (rt->fi)
+                        atomic_inc(&rt->fi->fib_clntref);
                dst_free(new);
        }
-        dst_release(&(*rp)->dst);
+        dst_release(dst_orig);
-        *rp = rt;
-        return rt ? 0 : -ENOMEM;
+        return rt ? &rt->dst : ERR_PTR(-ENOMEM);
 }
-int ip_route_output_flow(struct net *net, struct rtable **rp, struct flowi *flp,
+struct rtable *ip_route_output_flow(struct net *net, struct flowi4 *flp4,
-                         struct sock *sk, int flags)
+                                    struct sock *sk)
 {
-        int err;
+        struct rtable *rt = __ip_route_output_key(net, flp4);
-        if ((err = __ip_route_output_key(net, rp, flp)) != 0)
-                return err;
-        if (flp->proto) {
+        if (IS_ERR(rt))
-                if (!flp->fl4_src)
+                return rt;
-                        flp->fl4_src = (*rp)->rt_src;
-                if (!flp->fl4_dst)
-                        flp->fl4_dst = (*rp)->rt_dst;
-                err = __xfrm_lookup(net, (struct dst_entry **)rp, flp, sk,
-                                    flags ? XFRM_LOOKUP_WAIT : 0);
-                if (err == -EREMOTE)
-                        err = ipv4_dst_blackhole(net, rp, flp);
-                return err;
+        if (flp4->flowi4_proto)
-        }
+                rt = (struct rtable *) xfrm_lookup(net, &rt->dst,
+                                                   flowi4_to_flowi(flp4),
+                                                   sk, 0);
-        return 0;
+        return rt;
 }
 EXPORT_SYMBOL_GPL(ip_route_output_flow);
-int ip_route_output_key(struct net *net, struct rtable **rp, struct flowi *flp)
-{
-        return ip_route_output_flow(net, rp, flp, NULL, 0);
-}
-EXPORT_SYMBOL(ip_route_output_key);
 static int rt_fill_info(struct net *net,
                        struct sk_buff *skb, u32 pid, u32 seq, int event,
                        int nowait, unsigned int flags)
@@ -2817,7 +2785,7 @@ static int rt_fill_info(struct net *net,
        r->rtm_family    = AF_INET;
        r->rtm_dst_len  = 32;
        r->rtm_src_len  = 0;
-        r->rtm_tos      = rt->fl.fl4_tos;
+        r->rtm_tos      = rt->rt_key_tos;
        r->rtm_table    = RT_TABLE_MAIN;
        NLA_PUT_U32(skb, RTA_TABLE, RT_TABLE_MAIN);
        r->rtm_type     = rt->rt_type;
@@ -2829,19 +2797,19 @@ static int rt_fill_info(struct net *net,
        NLA_PUT_BE32(skb, RTA_DST, rt->rt_dst);
-        if (rt->fl.fl4_src) {
+        if (rt->rt_key_src) {
                r->rtm_src_len = 32;
-                NLA_PUT_BE32(skb, RTA_SRC, rt->fl.fl4_src);
+                NLA_PUT_BE32(skb, RTA_SRC, rt->rt_key_src);
        }
        if (rt->dst.dev)
                NLA_PUT_U32(skb, RTA_OIF, rt->dst.dev->ifindex);
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
        if (rt->dst.tclassid)
                NLA_PUT_U32(skb, RTA_FLOW, rt->dst.tclassid);
 #endif
        if (rt_is_input_route(rt))
                NLA_PUT_BE32(skb, RTA_PREFSRC, rt->rt_spec_dst);
-        else if (rt->rt_src != rt->fl.fl4_src)
+        else if (rt->rt_src != rt->rt_key_src)
                NLA_PUT_BE32(skb, RTA_PREFSRC, rt->rt_src);
        if (rt->rt_dst != rt->rt_gateway)
@@ -2850,11 +2818,12 @@ static int rt_fill_info(struct net *net,
        if (rtnetlink_put_metrics(skb, dst_metrics_ptr(&rt->dst)) < 0)
                goto nla_put_failure;
-        if (rt->fl.mark)
+        if (rt->rt_mark)
-                NLA_PUT_BE32(skb, RTA_MARK, rt->fl.mark);
+                NLA_PUT_BE32(skb, RTA_MARK, rt->rt_mark);
        error = rt->dst.error;
-        expires = rt->dst.expires ? rt->dst.expires - jiffies : 0;
+        expires = (rt->peer && rt->peer->pmtu_expires) ?
+                rt->peer->pmtu_expires - jiffies : 0;
        if (rt->peer) {
                inet_peer_refcheck(rt->peer);
                id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
@@ -2870,7 +2839,9 @@ static int rt_fill_info(struct net *net,
                if (ipv4_is_multicast(dst) && !ipv4_is_local_multicast(dst) &&
                    IPV4_DEVCONF_ALL(net, MC_FORWARDING)) {
-                        int err = ipmr_get_route(net, skb, r, nowait);
+                        int err = ipmr_get_route(net, skb,
+                                                 rt->rt_src, rt->rt_dst,
+                                                 r, nowait);
                        if (err <= 0) {
                                if (!nowait) {
                                        if (err == 0)
@@ -2884,7 +2855,7 @@ static int rt_fill_info(struct net *net,
                        }
                } else
 #endif
-                        NLA_PUT_U32(skb, RTA_IIF, rt->fl.iif);
+                        NLA_PUT_U32(skb, RTA_IIF, rt->rt_iif);
        }
        if (rtnl_put_cacheinfo(skb, &rt->dst, id, ts, tsage,
@@ -2958,14 +2929,18 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void
                if (err == 0 && rt->dst.error)
                        err = -rt->dst.error;
        } else {
-                struct flowi fl = {
+                struct flowi4 fl4 = {
-                        .fl4_dst = dst,
+                        .daddr = dst,
-                        .fl4_src = src,
+                        .saddr = src,
-                        .fl4_tos = rtm->rtm_tos,
+                        .flowi4_tos = rtm->rtm_tos,
-                        .oif = tb[RTA_OIF] ? nla_get_u32(tb[RTA_OIF]) : 0,
+                        .flowi4_oif = tb[RTA_OIF] ? nla_get_u32(tb[RTA_OIF]) : 0,
-                        .mark = mark,
+                        .flowi4_mark = mark,
                };
-                err = ip_route_output_key(net, &rt, &fl);
+                rt = ip_route_output_key(net, &fl4);
+                err = 0;
+                if (IS_ERR(rt))
+                        err = PTR_ERR(rt);
        }
        if (err)
@@ -3248,6 +3223,8 @@ static __net_init int rt_genid_init(struct net *net)
 {
        get_random_bytes(&net->ipv4.rt_genid,
                         sizeof(net->ipv4.rt_genid));
+        get_random_bytes(&net->ipv4.dev_addr_genid,
+                         sizeof(net->ipv4.dev_addr_genid));
        return 0;
 }
@@ -3256,9 +3233,9 @@ static __net_initdata struct pernet_operations rt_genid_ops = {
 };
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
 struct ip_rt_acct __percpu *ip_rt_acct __read_mostly;
-#endif /* CONFIG_NET_CLS_ROUTE */
+#endif /* CONFIG_IP_ROUTE_CLASSID */
 static __initdata unsigned long rhash_entries;
 static int __init set_rhash_entries(char *str)
@@ -3274,7 +3251,7 @@ int __init ip_rt_init(void)
 {
        int rc = 0;
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
        ip_rt_acct = __alloc_percpu(256 * sizeof(struct ip_rt_acct), __alignof__(struct ip_rt_acct));
        if (!ip_rt_acct)
                panic("IP: failed to allocate ip_rt_acct\n");
@@ -3311,14 +3288,6 @@ int __init ip_rt_init(void)
        devinet_init();
        ip_fib_init();
-        /* All the timers, started at system startup tend
-           to synchronize. Perturb it a bit.
-         */
-        INIT_DELAYED_WORK_DEFERRABLE(&expires_work, rt_worker_func);
-        expires_ljiffies = jiffies;
-        schedule_delayed_work(&expires_work,
-                net_random() % ip_rt_gc_interval + ip_rt_gc_interval);
        if (ip_rt_proc_init())
                printk(KERN_ERR "Unable to create route proc files\n");
 #ifdef CONFIG_XFRM
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 47519205a014..26461492a847 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -321,10 +321,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
         * the ACK carries the same options again (see RFC1122 4.2.3.8)
         */
        if (opt && opt->optlen) {
-                int opt_size = sizeof(struct ip_options) + opt->optlen;
+                int opt_size = sizeof(struct ip_options_rcu) + opt->optlen;
                ireq->opt = kmalloc(opt_size, GFP_ATOMIC);
-                if (ireq->opt != NULL && ip_options_echo(ireq->opt, skb)) {
+                if (ireq->opt != NULL && ip_options_echo(&ireq->opt->opt, skb)) {
                        kfree(ireq->opt);
                        ireq->opt = NULL;
                }
@@ -345,17 +345,16 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
         * no easy way to do this.
         */
        {
-                struct flowi fl = { .mark = sk->sk_mark,
+                struct flowi4 fl4;
-                                    .fl4_dst = ((opt && opt->srr) ?
-                                                opt->faddr : ireq->rmt_addr),
+                flowi4_init_output(&fl4, 0, sk->sk_mark, RT_CONN_FLAGS(sk),
-                                    .fl4_src = ireq->loc_addr,
+                                   RT_SCOPE_UNIVERSE, IPPROTO_TCP,
-                                    .fl4_tos = RT_CONN_FLAGS(sk),
+                                   inet_sk_flowi_flags(sk),
-                                    .proto = IPPROTO_TCP,
+                                   (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
-                                    .flags = inet_sk_flowi_flags(sk),
+                                   ireq->loc_addr, th->source, th->dest);
-                                    .fl_ip_sport = th->dest,
+                security_req_classify_flow(req, flowi4_to_flowi(&fl4));
-                                    .fl_ip_dport = th->source };
+                rt = ip_route_output_key(sock_net(sk), &fl4);
-                security_req_classify_flow(req, &fl);
+                if (IS_ERR(rt)) {
-                if (ip_route_output_key(sock_net(sk), &rt, &fl)) {
                        reqsk_free(req);
                        goto out;
                }
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 1a456652086b..57d0752e239a 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -13,6 +13,7 @@
 #include <linux/seqlock.h>
 #include <linux/init.h>
 #include <linux/slab.h>
+#include <linux/nsproxy.h>
 #include <net/snmp.h>
 #include <net/icmp.h>
 #include <net/ip.h>
@@ -21,6 +22,7 @@
 #include <net/udp.h>
 #include <net/cipso_ipv4.h>
 #include <net/inet_frag.h>
+#include <net/ping.h>
 static int zero;
 static int tcp_retr1_max = 255;
@@ -30,6 +32,8 @@ static int tcp_adv_win_scale_min = -31;
 static int tcp_adv_win_scale_max = 31;
 static int ip_ttl_min = 1;
 static int ip_ttl_max = 255;
+static int ip_ping_group_range_min[] = { 0, 0 };
+static int ip_ping_group_range_max[] = { GID_T_MAX, GID_T_MAX };
 /* Update system visible IP port range */
 static void set_local_port_range(int range[2])
@@ -68,6 +72,53 @@ static int ipv4_local_port_range(ctl_table *table, int write,
        return ret;
 }
+void inet_get_ping_group_range_table(struct ctl_table *table, gid_t *low, gid_t *high)
+{
+        gid_t *data = table->data;
+        unsigned seq;
+        do {
+                seq = read_seqbegin(&sysctl_local_ports.lock);
+                *low = data[0];
+                *high = data[1];
+        } while (read_seqretry(&sysctl_local_ports.lock, seq));
+}
+/* Update system visible IP port range */
+static void set_ping_group_range(struct ctl_table *table, int range[2])
+{
+        gid_t *data = table->data;
+        write_seqlock(&sysctl_local_ports.lock);
+        data[0] = range[0];
+        data[1] = range[1];
+        write_sequnlock(&sysctl_local_ports.lock);
+}
+/* Validate changes from /proc interface. */
+static int ipv4_ping_group_range(ctl_table *table, int write,
+                                 void __user *buffer,
+                                 size_t *lenp, loff_t *ppos)
+{
+        int ret;
+        gid_t range[2];
+        ctl_table tmp = {
+                .data = &range,
+                .maxlen = sizeof(range),
+                .mode = table->mode,
+                .extra1 = &ip_ping_group_range_min,
+                .extra2 = &ip_ping_group_range_max,
+        };
+        inet_get_ping_group_range_table(table, range, range + 1);
+        ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
+        if (write && ret == 0)
+                set_ping_group_range(table, range);
+        return ret;
+}
 static int proc_tcp_congestion_control(ctl_table *ctl, int write,
                                       void __user *buffer, size_t *lenp, loff_t *ppos)
 {
@@ -311,7 +362,6 @@ static struct ctl_table ipv4_table[] = {
                .mode           = 0644,
                .proc_handler   = proc_do_large_bitmap,
        },
-#ifdef CONFIG_IP_MULTICAST
        {
                .procname       = "igmp_max_memberships",
                .data           = &sysctl_igmp_max_memberships,
@@ -319,8 +369,6 @@ static struct ctl_table ipv4_table[] = {
                .mode           = 0644,
                .proc_handler   = proc_dointvec
        },
-#endif
        {
                .procname       = "igmp_max_msf",
                .data           = &sysctl_igmp_max_msf,
@@ -680,6 +728,13 @@ static struct ctl_table ipv4_net_table[] = {
                .mode           = 0644,
                .proc_handler   = proc_dointvec
        },
+        {
+                .procname       = "ping_group_range",
+                .data           = &init_net.ipv4.sysctl_ping_group_range,
+                .maxlen         = sizeof(init_net.ipv4.sysctl_ping_group_range),
+                .mode           = 0644,
+                .proc_handler   = ipv4_ping_group_range,
+        },
        { }
 };
@@ -714,8 +769,18 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
                        &net->ipv4.sysctl_icmp_ratemask;
                table[6].data =
                        &net->ipv4.sysctl_rt_cache_rebuild_count;
+                table[7].data =
+                        &net->ipv4.sysctl_ping_group_range;
        }
+        /*
+         * Sane defaults - nobody may create ping sockets.
+         * Boot scripts should set this to distro-specific group.
+         */
+        net->ipv4.sysctl_ping_group_range[0] = 1;
+        net->ipv4.sysctl_ping_group_range[1] = 0;
        net->ipv4.sysctl_rt_cache_rebuild_count = 4;
        net->ipv4.ipv4_hdr = register_net_sysctl_table(net,
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 6c11eece262c..054a59d21eb0 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -505,6 +505,15 @@ int tcp_ioctl(struct sock *sk, int cmd, unsigned long arg)
                else
                        answ = tp->write_seq - tp->snd_una;
                break;
+        case SIOCOUTQNSD:
+                if (sk->sk_state == TCP_LISTEN)
+                        return -EINVAL;
+                if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV))
+                        answ = 0;
+                else
+                        answ = tp->write_seq - tp->snd_nxt;
+                break;
        default:
                return -ENOIOCTLCMD;
        }
@@ -873,9 +882,7 @@ int tcp_sendpage(struct sock *sk, struct page *page, int offset,
                                        flags);
        lock_sock(sk);
-        TCP_CHECK_TIMER(sk);
        res = do_tcp_sendpages(sk, &page, offset, size, flags);
-        TCP_CHECK_TIMER(sk);
        release_sock(sk);
        return res;
 }
@@ -916,7 +923,6 @@ int tcp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
        long timeo;
        lock_sock(sk);
-        TCP_CHECK_TIMER(sk);
        flags = msg->msg_flags;
        timeo = sock_sndtimeo(sk, flags & MSG_DONTWAIT);
@@ -993,7 +999,8 @@ new_segment:
                                /* We have some space in skb head. Superb! */
                                if (copy > skb_tailroom(skb))
                                        copy = skb_tailroom(skb);
-                                if ((err = skb_add_data(skb, from, copy)) != 0)
+                                err = skb_add_data_nocache(sk, skb, from, copy);
+                                if (err)
                                        goto do_fault;
                        } else {
                                int merge = 0;
@@ -1036,8 +1043,8 @@ new_segment:
                                /* Time to copy data. We are close to
                                 * the end! */
-                                err = skb_copy_to_page(sk, from, skb, page,
+                                err = skb_copy_to_page_nocache(sk, from, skb,
-                                                       off, copy);
+                                                               page, off, copy);
                                if (err) {
                                        /* If this page was new, give it to the
                                         * socket so it does not get leaked.
@@ -1104,7 +1111,6 @@ wait_for_memory:
 out:
        if (copied)
                tcp_push(sk, flags, mss_now, tp->nonagle);
-        TCP_CHECK_TIMER(sk);
        release_sock(sk);
        return copied;
@@ -1123,7 +1129,6 @@ do_error:
                goto out;
 out_err:
        err = sk_stream_error(sk, flags, err);
-        TCP_CHECK_TIMER(sk);
        release_sock(sk);
        return err;
 }
@@ -1415,8 +1420,6 @@ int tcp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
        lock_sock(sk);
-        TCP_CHECK_TIMER(sk);
        err = -ENOTCONN;
        if (sk->sk_state == TCP_LISTEN)
                goto out;
@@ -1767,12 +1770,10 @@ skip_copy:
        /* Clean up data we have read: This will do ACK frames. */
        tcp_cleanup_rbuf(sk, copied);
-        TCP_CHECK_TIMER(sk);
        release_sock(sk);
        return copied;
 out:
-        TCP_CHECK_TIMER(sk);
        release_sock(sk);
        return err;
@@ -2653,7 +2654,7 @@ int compat_tcp_getsockopt(struct sock *sk, int level, int optname,
 EXPORT_SYMBOL(compat_tcp_getsockopt);
 #endif
-struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features)
+struct sk_buff *tcp_tso_segment(struct sk_buff *skb, u32 features)
 {
        struct sk_buff *segs = ERR_PTR(-EINVAL);
        struct tcphdr *th;
diff --git a/net/ipv4/tcp_bic.c b/net/ipv4/tcp_bic.c
index 3b53fd1af23f..6187eb4d1dcf 100644
--- a/net/ipv4/tcp_bic.c
+++ b/net/ipv4/tcp_bic.c
@@ -209,7 +209,7 @@ static void bictcp_acked(struct sock *sk, u32 cnt, s32 rtt)
 }
-static struct tcp_congestion_ops bictcp = {
+static struct tcp_congestion_ops bictcp __read_mostly = {
        .init           = bictcp_init,
        .ssthresh       = bictcp_recalc_ssthresh,
        .cong_avoid     = bictcp_cong_avoid,
diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
index 71d5f2f29fa6..f376b05cca81 100644
--- a/net/ipv4/tcp_cubic.c
+++ b/net/ipv4/tcp_cubic.c
@@ -39,7 +39,7 @@
 /* Number of delay samples for detecting the increase of delay */
 #define HYSTART_MIN_SAMPLES     8
-#define HYSTART_DELAY_MIN       (2U<<3)
+#define HYSTART_DELAY_MIN       (4U<<3)
 #define HYSTART_DELAY_MAX       (16U<<3)
 #define HYSTART_DELAY_THRESH(x) clamp(x, HYSTART_DELAY_MIN, HYSTART_DELAY_MAX)
@@ -52,6 +52,7 @@ static int tcp_friendliness __read_mostly = 1;
 static int hystart __read_mostly = 1;
 static int hystart_detect __read_mostly = HYSTART_ACK_TRAIN | HYSTART_DELAY;
 static int hystart_low_window __read_mostly = 16;
+static int hystart_ack_delta __read_mostly = 2;
 static u32 cube_rtt_scale __read_mostly;
 static u32 beta_scale __read_mostly;
@@ -75,6 +76,8 @@ MODULE_PARM_DESC(hystart_detect, "hyrbrid slow start detection mechanisms"
                 " 1: packet-train 2: delay 3: both packet-train and delay");
 module_param(hystart_low_window, int, 0644);
 MODULE_PARM_DESC(hystart_low_window, "lower bound cwnd for hybrid slow start");
+module_param(hystart_ack_delta, int, 0644);
+MODULE_PARM_DESC(hystart_ack_delta, "spacing between ack's indicating train (msecs)");
 /* BIC TCP Parameters */
 struct bictcp {
@@ -85,17 +88,18 @@ struct bictcp {
        u32     last_time;      /* time when updated last_cwnd */
        u32     bic_origin_point;/* origin point of bic function */
        u32     bic_K;          /* time to origin point from the beginning of the current epoch */
-        u32     delay_min;      /* min delay */
+        u32     delay_min;      /* min delay (msec << 3) */
        u32     epoch_start;    /* beginning of an epoch */
        u32     ack_cnt;        /* number of acks */
        u32     tcp_cwnd;       /* estimated tcp cwnd */
 #define ACK_RATIO_SHIFT 4
+#define ACK_RATIO_LIMIT (32u << ACK_RATIO_SHIFT)
        u16     delayed_ack;    /* estimate the ratio of Packets/ACKs << 4 */
        u8      sample_cnt;     /* number of samples to decide curr_rtt */
        u8      found;          /* the exit point is found? */
        u32     round_start;    /* beginning of each round */
        u32     end_seq;        /* end_seq of the round */
-        u32     last_jiffies;   /* last time when the ACK spacing is close */
+        u32     last_ack;       /* last time when the ACK spacing is close */
        u32     curr_rtt;       /* the minimum rtt of current round */
 };
@@ -116,12 +120,21 @@ static inline void bictcp_reset(struct bictcp *ca)
        ca->found = 0;
 }
+static inline u32 bictcp_clock(void)
+{
+#if HZ < 1000
+        return ktime_to_ms(ktime_get_real());
+#else
+        return jiffies_to_msecs(jiffies);
+#endif
+}
 static inline void bictcp_hystart_reset(struct sock *sk)
 {
        struct tcp_sock *tp = tcp_sk(sk);
        struct bictcp *ca = inet_csk_ca(sk);
-        ca->round_start = ca->last_jiffies = jiffies;
+        ca->round_start = ca->last_ack = bictcp_clock();
        ca->end_seq = tp->snd_nxt;
        ca->curr_rtt = 0;
        ca->sample_cnt = 0;
@@ -236,8 +249,8 @@ static inline void bictcp_update(struct bictcp *ca, u32 cwnd)
         */
        /* change the unit from HZ to bictcp_HZ */
-        t = ((tcp_time_stamp + (ca->delay_min>>3) - ca->epoch_start)
+        t = ((tcp_time_stamp + msecs_to_jiffies(ca->delay_min>>3)
-             << BICTCP_HZ) / HZ;
+              - ca->epoch_start) << BICTCP_HZ) / HZ;
        if (t < ca->bic_K)              /* t - K */
                offs = ca->bic_K - t;
@@ -258,6 +271,13 @@ static inline void bictcp_update(struct bictcp *ca, u32 cwnd)
                ca->cnt = 100 * cwnd;              /* very small increment*/
        }
+        /*
+         * The initial growth of cubic function may be too conservative
+         * when the available bandwidth is still unknown.
+         */
+        if (ca->loss_cwnd == 0 && ca->cnt > 20)
+                ca->cnt = 20;   /* increase cwnd 5% per RTT */
        /* TCP Friendly */
        if (tcp_friendliness) {
                u32 scale = beta_scale;
@@ -339,12 +359,12 @@ static void hystart_update(struct sock *sk, u32 delay)
        struct bictcp *ca = inet_csk_ca(sk);
        if (!(ca->found & hystart_detect)) {
-                u32 curr_jiffies = jiffies;
+                u32 now = bictcp_clock();
                /* first detection parameter - ack-train detection */
-                if (curr_jiffies - ca->last_jiffies <= msecs_to_jiffies(2)) {
+                if ((s32)(now - ca->last_ack) <= hystart_ack_delta) {
-                        ca->last_jiffies = curr_jiffies;
+                        ca->last_ack = now;
-                        if (curr_jiffies - ca->round_start >= ca->delay_min>>4)
+                        if ((s32)(now - ca->round_start) > ca->delay_min >> 4)
                                ca->found |= HYSTART_ACK_TRAIN;
                }
@@ -379,8 +399,12 @@ static void bictcp_acked(struct sock *sk, u32 cnt, s32 rtt_us)
        u32 delay;
        if (icsk->icsk_ca_state == TCP_CA_Open) {
-                cnt -= ca->delayed_ack >> ACK_RATIO_SHIFT;
+                u32 ratio = ca->delayed_ack;
-                ca->delayed_ack += cnt;
+                ratio -= ca->delayed_ack >> ACK_RATIO_SHIFT;
+                ratio += cnt;
+                ca->delayed_ack = min(ratio, ACK_RATIO_LIMIT);
        }
        /* Some calls are for duplicates without timetamps */
@@ -391,7 +415,7 @@ static void bictcp_acked(struct sock *sk, u32 cnt, s32 rtt_us)
        if ((s32)(tcp_time_stamp - ca->epoch_start) < HZ)
                return;
-        delay = usecs_to_jiffies(rtt_us) << 3;
+        delay = (rtt_us << 3) / USEC_PER_MSEC;
        if (delay == 0)
                delay = 1;
@@ -405,7 +429,7 @@ static void bictcp_acked(struct sock *sk, u32 cnt, s32 rtt_us)
                hystart_update(sk, delay);
 }
-static struct tcp_congestion_ops cubictcp = {
+static struct tcp_congestion_ops cubictcp __read_mostly = {
        .init           = bictcp_init,
        .ssthresh       = bictcp_recalc_ssthresh,
        .cong_avoid     = bictcp_cong_avoid,
@@ -447,6 +471,10 @@ static int __init cubictcp_register(void)
        /* divide by bic_scale and by constant Srtt (100ms) */
        do_div(cube_factor, bic_scale * 10);
+        /* hystart needs ms clock resolution */
+        if (hystart && HZ < 1000)
+                cubictcp.flags |= TCP_CONG_RTT_STAMP;
        return tcp_register_congestion_control(&cubictcp);
 }
diff --git a/net/ipv4/tcp_highspeed.c b/net/ipv4/tcp_highspeed.c
index 8b6caaf75bb9..30f27f6b3655 100644
--- a/net/ipv4/tcp_highspeed.c
+++ b/net/ipv4/tcp_highspeed.c
@@ -158,7 +158,7 @@ static u32 hstcp_ssthresh(struct sock *sk)
 }
-static struct tcp_congestion_ops tcp_highspeed = {
+static struct tcp_congestion_ops tcp_highspeed __read_mostly = {
        .init           = hstcp_init,
        .ssthresh       = hstcp_ssthresh,
        .cong_avoid     = hstcp_cong_avoid,
diff --git a/net/ipv4/tcp_htcp.c b/net/ipv4/tcp_htcp.c
index 7c94a4955416..c1a8175361e8 100644
--- a/net/ipv4/tcp_htcp.c
+++ b/net/ipv4/tcp_htcp.c
@@ -284,7 +284,7 @@ static void htcp_state(struct sock *sk, u8 new_state)
        }
 }
-static struct tcp_congestion_ops htcp = {
+static struct tcp_congestion_ops htcp __read_mostly = {
        .init           = htcp_init,
        .ssthresh       = htcp_recalc_ssthresh,
        .cong_avoid     = htcp_cong_avoid,
diff --git a/net/ipv4/tcp_hybla.c b/net/ipv4/tcp_hybla.c
index 377bc9349371..fe3ecf484b44 100644
--- a/net/ipv4/tcp_hybla.c
+++ b/net/ipv4/tcp_hybla.c
@@ -162,7 +162,7 @@ static void hybla_cong_avoid(struct sock *sk, u32 ack, u32 in_flight)
        tp->snd_cwnd = min_t(u32, tp->snd_cwnd, tp->snd_cwnd_clamp);
 }
-static struct tcp_congestion_ops tcp_hybla = {
+static struct tcp_congestion_ops tcp_hybla __read_mostly = {
        .init           = hybla_init,
        .ssthresh       = tcp_reno_ssthresh,
        .min_cwnd       = tcp_reno_min_cwnd,
diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
index 00ca688d8964..813b43a76fec 100644
--- a/net/ipv4/tcp_illinois.c
+++ b/net/ipv4/tcp_illinois.c
@@ -322,7 +322,7 @@ static void tcp_illinois_info(struct sock *sk, u32 ext,
        }
 }
-static struct tcp_congestion_ops tcp_illinois = {
+static struct tcp_congestion_ops tcp_illinois __read_mostly = {
        .flags          = TCP_CONG_RTT_STAMP,
        .init           = tcp_illinois_init,
        .ssthresh       = tcp_illinois_ssthresh,
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 65f6c0406245..bef9f04c22ba 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -817,7 +817,7 @@ __u32 tcp_init_cwnd(struct tcp_sock *tp, struct dst_entry *dst)
        __u32 cwnd = (dst ? dst_metric(dst, RTAX_INITCWND) : 0);
        if (!cwnd)
-                cwnd = rfc3390_bytes_to_packets(tp->mss_cache);
+                cwnd = TCP_INIT_CWND;
        return min_t(__u32, cwnd, tp->snd_cwnd_clamp);
 }
@@ -2659,7 +2659,7 @@ static void DBGUNDO(struct sock *sk, const char *msg)
 #define DBGUNDO(x...) do { } while (0)
 #endif
-static void tcp_undo_cwr(struct sock *sk, const int undo)
+static void tcp_undo_cwr(struct sock *sk, const bool undo_ssthresh)
 {
        struct tcp_sock *tp = tcp_sk(sk);
@@ -2671,14 +2671,13 @@ static void tcp_undo_cwr(struct sock *sk, const int undo)
                else
                        tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh << 1);
-                if (undo && tp->prior_ssthresh > tp->snd_ssthresh) {
+                if (undo_ssthresh && tp->prior_ssthresh > tp->snd_ssthresh) {
                        tp->snd_ssthresh = tp->prior_ssthresh;
                        TCP_ECN_withdraw_cwr(tp);
                }
        } else {
                tp->snd_cwnd = max(tp->snd_cwnd, tp->snd_ssthresh);
        }
-        tcp_moderate_cwnd(tp);
        tp->snd_cwnd_stamp = tcp_time_stamp;
 }
@@ -2699,7 +2698,7 @@ static int tcp_try_undo_recovery(struct sock *sk)
                 * or our original transmission succeeded.
                 */
                DBGUNDO(sk, inet_csk(sk)->icsk_ca_state == TCP_CA_Loss ? "loss" : "retrans");
-                tcp_undo_cwr(sk, 1);
+                tcp_undo_cwr(sk, true);
                if (inet_csk(sk)->icsk_ca_state == TCP_CA_Loss)
                        mib_idx = LINUX_MIB_TCPLOSSUNDO;
                else
@@ -2726,7 +2725,7 @@ static void tcp_try_undo_dsack(struct sock *sk)
        if (tp->undo_marker && !tp->undo_retrans) {
                DBGUNDO(sk, "D-SACK");
-                tcp_undo_cwr(sk, 1);
+                tcp_undo_cwr(sk, true);
                tp->undo_marker = 0;
                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPDSACKUNDO);
        }
@@ -2779,7 +2778,7 @@ static int tcp_try_undo_partial(struct sock *sk, int acked)
                tcp_update_reordering(sk, tcp_fackets_out(tp) + acked, 1);
                DBGUNDO(sk, "Hoe");
-                tcp_undo_cwr(sk, 0);
+                tcp_undo_cwr(sk, false);
                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPPARTIALUNDO);
                /* So... Do not make Hoe's retransmit yet.
@@ -2808,7 +2807,7 @@ static int tcp_try_undo_loss(struct sock *sk)
                DBGUNDO(sk, "partial loss");
                tp->lost_out = 0;
-                tcp_undo_cwr(sk, 1);
+                tcp_undo_cwr(sk, true);
                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPLOSSUNDO);
                inet_csk(sk)->icsk_retransmits = 0;
                tp->undo_marker = 0;
@@ -2822,8 +2821,11 @@ static int tcp_try_undo_loss(struct sock *sk)
 static inline void tcp_complete_cwr(struct sock *sk)
 {
        struct tcp_sock *tp = tcp_sk(sk);
-        tp->snd_cwnd = min(tp->snd_cwnd, tp->snd_ssthresh);
+        /* Do not moderate cwnd if it's already undone in cwr or recovery */
-        tp->snd_cwnd_stamp = tcp_time_stamp;
+        if (tp->undo_marker && tp->snd_cwnd > tp->snd_ssthresh) {
+                tp->snd_cwnd = tp->snd_ssthresh;
+                tp->snd_cwnd_stamp = tcp_time_stamp;
+        }
        tcp_ca_event(sk, CA_EVENT_COMPLETE_CWR);
 }
@@ -3350,7 +3352,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets,
                                                 net_invalid_timestamp()))
                                        rtt_us = ktime_us_delta(ktime_get_real(),
                                                                last_ackt);
-                                else if (ca_seq_rtt > 0)
+                                else if (ca_seq_rtt >= 0)
                                        rtt_us = jiffies_to_usecs(ca_seq_rtt);
                        }
@@ -3494,7 +3496,7 @@ static void tcp_undo_spur_to_response(struct sock *sk, int flag)
        if (flag & FLAG_ECE)
                tcp_ratehalving_spur_to_response(sk);
        else
-                tcp_undo_cwr(sk, 1);
+                tcp_undo_cwr(sk, true);
 }
 /* F-RTO spurious RTO detection algorithm (RFC4138)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 02f583b3744a..3c8d9b6f1ea4 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -146,13 +146,15 @@ EXPORT_SYMBOL_GPL(tcp_twsk_unique);
 /* This will initiate an outgoing connection. */
 int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 {
+        struct sockaddr_in *usin = (struct sockaddr_in *)uaddr;
        struct inet_sock *inet = inet_sk(sk);
        struct tcp_sock *tp = tcp_sk(sk);
-        struct sockaddr_in *usin = (struct sockaddr_in *)uaddr;
+        __be16 orig_sport, orig_dport;
-        struct rtable *rt;
        __be32 daddr, nexthop;
-        int tmp;
+        struct flowi4 *fl4;
+        struct rtable *rt;
        int err;
+        struct ip_options_rcu *inet_opt;
        if (addr_len < sizeof(struct sockaddr_in))
                return -EINVAL;
@@ -161,20 +163,26 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
                return -EAFNOSUPPORT;
        nexthop = daddr = usin->sin_addr.s_addr;
-        if (inet->opt && inet->opt->srr) {
+        inet_opt = rcu_dereference_protected(inet->inet_opt,
+                                             sock_owned_by_user(sk));
+        if (inet_opt && inet_opt->opt.srr) {
                if (!daddr)
                        return -EINVAL;
-                nexthop = inet->opt->faddr;
+                nexthop = inet_opt->opt.faddr;
-        }
+        }
-        tmp = ip_route_connect(&rt, nexthop, inet->inet_saddr,
+        orig_sport = inet->inet_sport;
-                               RT_CONN_FLAGS(sk), sk->sk_bound_dev_if,
+        orig_dport = usin->sin_port;
-                               IPPROTO_TCP,
+        fl4 = &inet->cork.fl.u.ip4;
-                               inet->inet_sport, usin->sin_port, sk, 1);
+        rt = ip_route_connect(fl4, nexthop, inet->inet_saddr,
-        if (tmp < 0) {
+                              RT_CONN_FLAGS(sk), sk->sk_bound_dev_if,
-                if (tmp == -ENETUNREACH)
+                              IPPROTO_TCP,
+                              orig_sport, orig_dport, sk, true);
+        if (IS_ERR(rt)) {
+                err = PTR_ERR(rt);
+                if (err == -ENETUNREACH)
                        IP_INC_STATS_BH(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
-                return tmp;
+                return err;
        }
        if (rt->rt_flags & (RTCF_MULTICAST | RTCF_BROADCAST)) {
@@ -182,11 +190,11 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
                return -ENETUNREACH;
        }
-        if (!inet->opt || !inet->opt->srr)
+        if (!inet_opt || !inet_opt->opt.srr)
-                daddr = rt->rt_dst;
+                daddr = fl4->daddr;
        if (!inet->inet_saddr)
-                inet->inet_saddr = rt->rt_src;
+                inet->inet_saddr = fl4->saddr;
        inet->inet_rcv_saddr = inet->inet_saddr;
        if (tp->rx_opt.ts_recent_stamp && inet->inet_daddr != daddr) {
@@ -197,8 +205,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        }
        if (tcp_death_row.sysctl_tw_recycle &&
-            !tp->rx_opt.ts_recent_stamp && rt->rt_dst == daddr) {
+            !tp->rx_opt.ts_recent_stamp && fl4->daddr == daddr) {
-                struct inet_peer *peer = rt_get_peer(rt);
+                struct inet_peer *peer = rt_get_peer(rt, fl4->daddr);
                /*
                 * VJ's idea. We save last timestamp seen from
                 * the destination in peer table, when entering state
@@ -218,8 +226,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        inet->inet_daddr = daddr;
        inet_csk(sk)->icsk_ext_hdr_len = 0;
-        if (inet->opt)
+        if (inet_opt)
-                inet_csk(sk)->icsk_ext_hdr_len = inet->opt->optlen;
+                inet_csk(sk)->icsk_ext_hdr_len = inet_opt->opt.optlen;
        tp->rx_opt.mss_clamp = TCP_MSS_DEFAULT;
@@ -233,11 +241,13 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        if (err)
                goto failure;
-        err = ip_route_newports(&rt, IPPROTO_TCP,
+        rt = ip_route_newports(fl4, rt, orig_sport, orig_dport,
-                                inet->inet_sport, inet->inet_dport, sk);
+                               inet->inet_sport, inet->inet_dport, sk);
-        if (err)
+        if (IS_ERR(rt)) {
+                err = PTR_ERR(rt);
+                rt = NULL;
                goto failure;
+        }
        /* OK, now commit destination to socket.  */
        sk->sk_gso_type = SKB_GSO_TCPV4;
        sk_setup_caps(sk, &rt->dst);
@@ -273,7 +283,7 @@ EXPORT_SYMBOL(tcp_v4_connect);
 /*
 * This routine does path mtu discovery as defined in RFC1191.
 */
-static void do_pmtu_discovery(struct sock *sk, struct iphdr *iph, u32 mtu)
+static void do_pmtu_discovery(struct sock *sk, const struct iphdr *iph, u32 mtu)
 {
        struct dst_entry *dst;
        struct inet_sock *inet = inet_sk(sk);
@@ -335,7 +345,7 @@ static void do_pmtu_discovery(struct sock *sk, struct iphdr *iph, u32 mtu)
 void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
 {
-        struct iphdr *iph = (struct iphdr *)icmp_skb->data;
+        const struct iphdr *iph = (const struct iphdr *)icmp_skb->data;
        struct tcphdr *th = (struct tcphdr *)(icmp_skb->data + (iph->ihl << 2));
        struct inet_connection_sock *icsk;
        struct tcp_sock *tp;
@@ -641,7 +651,7 @@ static void tcp_v4_send_reset(struct sock *sk, struct sk_buff *skb)
        arg.flags = (sk && inet_sk(sk)->transparent) ? IP_REPLY_ARG_NOSRCCHECK : 0;
        net = dev_net(skb_dst(skb)->dev);
-        ip_send_reply(net->ipv4.tcp_sock, skb,
+        ip_send_reply(net->ipv4.tcp_sock, skb, ip_hdr(skb)->saddr,
                      &arg, arg.iov[0].iov_len);
        TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS);
@@ -716,7 +726,7 @@ static void tcp_v4_send_ack(struct sk_buff *skb, u32 seq, u32 ack,
        if (oif)
                arg.bound_dev_if = oif;
-        ip_send_reply(net->ipv4.tcp_sock, skb,
+        ip_send_reply(net->ipv4.tcp_sock, skb, ip_hdr(skb)->saddr,
                      &arg, arg.iov[0].iov_len);
        TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS);
@@ -759,11 +769,12 @@ static int tcp_v4_send_synack(struct sock *sk, struct dst_entry *dst,
                              struct request_values *rvp)
 {
        const struct inet_request_sock *ireq = inet_rsk(req);
+        struct flowi4 fl4;
        int err = -1;
        struct sk_buff * skb;
        /* First, grab a route. */
-        if (!dst && (dst = inet_csk_route_req(sk, req)) == NULL)
+        if (!dst && (dst = inet_csk_route_req(sk, &fl4, req)) == NULL)
                return -1;
        skb = tcp_make_synack(sk, dst, req, rvp);
@@ -814,17 +825,18 @@ static void syn_flood_warning(const struct sk_buff *skb)
 /*
 * Save and compile IPv4 options into the request_sock if needed.
 */
-static struct ip_options *tcp_v4_save_options(struct sock *sk,
+static struct ip_options_rcu *tcp_v4_save_options(struct sock *sk,
-                                              struct sk_buff *skb)
+                                                  struct sk_buff *skb)
 {
-        struct ip_options *opt = &(IPCB(skb)->opt);
+        const struct ip_options *opt = &(IPCB(skb)->opt);
-        struct ip_options *dopt = NULL;
+        struct ip_options_rcu *dopt = NULL;
        if (opt && opt->optlen) {
-                int opt_size = optlength(opt);
+                int opt_size = sizeof(*dopt) + opt->optlen;
                dopt = kmalloc(opt_size, GFP_ATOMIC);
                if (dopt) {
-                        if (ip_options_echo(dopt, skb)) {
+                        if (ip_options_echo(&dopt->opt, skb)) {
                                kfree(dopt);
                                dopt = NULL;
                        }
@@ -1327,6 +1339,7 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
                req->cookie_ts = tmp_opt.tstamp_ok;
        } else if (!isn) {
                struct inet_peer *peer = NULL;
+                struct flowi4 fl4;
                /* VJ's idea. We save last timestamp seen
                 * from the destination in peer table, when entering
@@ -1339,9 +1352,9 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
                 */
                if (tmp_opt.saw_tstamp &&
                    tcp_death_row.sysctl_tw_recycle &&
-                    (dst = inet_csk_route_req(sk, req)) != NULL &&
+                    (dst = inet_csk_route_req(sk, &fl4, req)) != NULL &&
-                    (peer = rt_get_peer((struct rtable *)dst)) != NULL &&
+                    fl4.daddr == saddr &&
-                    peer->daddr.a4 == saddr) {
+                    (peer = rt_get_peer((struct rtable *)dst, fl4.daddr)) != NULL) {
                        inet_peer_refcheck(peer);
                        if ((u32)get_seconds() - peer->tcp_ts_stamp < TCP_PAWS_MSL &&
                            (s32)(peer->tcp_ts - req->ts_recent) >
@@ -1405,19 +1418,16 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
 #ifdef CONFIG_TCP_MD5SIG
        struct tcp_md5sig_key *key;
 #endif
+        struct ip_options_rcu *inet_opt;
        if (sk_acceptq_is_full(sk))
                goto exit_overflow;
-        if (!dst && (dst = inet_csk_route_req(sk, req)) == NULL)
-                goto exit;
        newsk = tcp_create_openreq_child(sk, req, skb);
        if (!newsk)
                goto exit_nonewsk;
        newsk->sk_gso_type = SKB_GSO_TCPV4;
-        sk_setup_caps(newsk, dst);
        newtp                 = tcp_sk(newsk);
        newinet               = inet_sk(newsk);
@@ -1425,15 +1435,21 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
        newinet->inet_daddr   = ireq->rmt_addr;
        newinet->inet_rcv_saddr = ireq->loc_addr;
        newinet->inet_saddr           = ireq->loc_addr;
-        newinet->opt          = ireq->opt;
+        inet_opt              = ireq->opt;
+        rcu_assign_pointer(newinet->inet_opt, inet_opt);
        ireq->opt             = NULL;
        newinet->mc_index     = inet_iif(skb);
        newinet->mc_ttl       = ip_hdr(skb)->ttl;
        inet_csk(newsk)->icsk_ext_hdr_len = 0;
-        if (newinet->opt)
+        if (inet_opt)
-                inet_csk(newsk)->icsk_ext_hdr_len = newinet->opt->optlen;
+                inet_csk(newsk)->icsk_ext_hdr_len = inet_opt->opt.optlen;
        newinet->inet_id = newtp->write_seq ^ jiffies;
+        if (!dst && (dst = inet_csk_route_child_sock(sk, newsk, req)) == NULL)
+                goto put_and_exit;
+        sk_setup_caps(newsk, dst);
        tcp_mtup_init(newsk);
        tcp_sync_mss(newsk, dst_mtu(dst));
        newtp->advmss = dst_metric_advmss(dst);
@@ -1461,10 +1477,8 @@ struct sock *tcp_v4_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
        }
 #endif
-        if (__inet_inherit_port(sk, newsk) < 0) {
+        if (__inet_inherit_port(sk, newsk) < 0)
-                sock_put(newsk);
+                goto put_and_exit;
-                goto exit;
-        }
        __inet_hash_nolisten(newsk, NULL);
        return newsk;
@@ -1476,6 +1490,9 @@ exit_nonewsk:
 exit:
        NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
        return NULL;
+put_and_exit:
+        sock_put(newsk);
+        goto exit;
 }
 EXPORT_SYMBOL(tcp_v4_syn_recv_sock);
@@ -1556,12 +1573,10 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
        if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
                sock_rps_save_rxhash(sk, skb->rxhash);
-                TCP_CHECK_TIMER(sk);
                if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len)) {
                        rsk = sk;
                        goto reset;
                }
-                TCP_CHECK_TIMER(sk);
                return 0;
        }
@@ -1583,13 +1598,10 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
        } else
                sock_rps_save_rxhash(sk, skb->rxhash);
-        TCP_CHECK_TIMER(sk);
        if (tcp_rcv_state_process(sk, skb, tcp_hdr(skb), skb->len)) {
                rsk = sk;
                goto reset;
        }
-        TCP_CHECK_TIMER(sk);
        return 0;
 reset:
@@ -1763,12 +1775,13 @@ struct inet_peer *tcp_v4_get_peer(struct sock *sk, bool *release_it)
        struct inet_sock *inet = inet_sk(sk);
        struct inet_peer *peer;
-        if (!rt || rt->rt_dst != inet->inet_daddr) {
+        if (!rt ||
+            inet->cork.fl.u.ip4.daddr != inet->inet_daddr) {
                peer = inet_getpeer_v4(inet->inet_daddr, 1);
                *release_it = true;
        } else {
                if (!rt->peer)
-                        rt_bind_peer(rt, 1);
+                        rt_bind_peer(rt, inet->inet_daddr, 1);
                peer = rt->peer;
                *release_it = false;
        }
@@ -2526,7 +2539,7 @@ void tcp4_proc_exit(void)
 struct sk_buff **tcp4_gro_receive(struct sk_buff **head, struct sk_buff *skb)
 {
-        struct iphdr *iph = skb_gro_network_header(skb);
+        const struct iphdr *iph = skb_gro_network_header(skb);
        switch (skb->ip_summed) {
        case CHECKSUM_COMPLETE:
@@ -2547,7 +2560,7 @@ struct sk_buff **tcp4_gro_receive(struct sk_buff **head, struct sk_buff *skb)
 int tcp4_gro_complete(struct sk_buff *skb)
 {
-        struct iphdr *iph = ip_hdr(skb);
+        const struct iphdr *iph = ip_hdr(skb);
        struct tcphdr *th = tcp_hdr(skb);
        th->check = ~tcp_v4_check(skb->len - skb_transport_offset(skb),
diff --git a/net/ipv4/tcp_lp.c b/net/ipv4/tcp_lp.c
index de870377fbba..72f7218b03f5 100644
--- a/net/ipv4/tcp_lp.c
+++ b/net/ipv4/tcp_lp.c
@@ -12,7 +12,7 @@
 *     within cong_avoid.
 *   o Error correcting in remote HZ, therefore remote HZ will be keeped
 *     on checking and updating.
- *   o Handling calculation of One-Way-Delay (OWD) within rtt_sample, sicne
+ *   o Handling calculation of One-Way-Delay (OWD) within rtt_sample, since
 *     OWD have a similar meaning as RTT. Also correct the buggy formular.
 *   o Handle reaction for Early Congestion Indication (ECI) within
 *     pkts_acked, as mentioned within pseudo code.
@@ -313,7 +313,7 @@ static void tcp_lp_pkts_acked(struct sock *sk, u32 num_acked, s32 rtt_us)
        lp->last_drop = tcp_time_stamp;
 }
-static struct tcp_congestion_ops tcp_lp = {
+static struct tcp_congestion_ops tcp_lp __read_mostly = {
        .flags = TCP_CONG_RTT_STAMP,
        .init = tcp_lp_init,
        .ssthresh = tcp_reno_ssthresh,
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index dfa5beb0c1c8..882e0b0964d0 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -73,7 +73,7 @@ static void tcp_event_new_data_sent(struct sock *sk, struct sk_buff *skb)
        tcp_advance_send_head(sk, skb);
        tp->snd_nxt = TCP_SKB_CB(skb)->end_seq;
-        /* Don't override Nagle indefinately with F-RTO */
+        /* Don't override Nagle indefinitely with F-RTO */
        if (tp->frto_counter == 2)
                tp->frto_counter = 3;
@@ -899,7 +899,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it,
                TCP_ADD_STATS(sock_net(sk), TCP_MIB_OUTSEGS,
                              tcp_skb_pcount(skb));
-        err = icsk->icsk_af_ops->queue_xmit(skb);
+        err = icsk->icsk_af_ops->queue_xmit(skb, &inet->cork.fl);
        if (likely(err <= 0))
                return err;
@@ -1003,7 +1003,8 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len,
        int nlen;
        u8 flags;
-        BUG_ON(len > skb->len);
+        if (WARN_ON(len > skb->len))
+                return -EINVAL;
        nsize = skb_headlen(skb) - len;
        if (nsize < 0)
diff --git a/net/ipv4/tcp_scalable.c b/net/ipv4/tcp_scalable.c
index a76513779e2b..8ce55b8aaec8 100644
--- a/net/ipv4/tcp_scalable.c
+++ b/net/ipv4/tcp_scalable.c
@@ -35,7 +35,7 @@ static u32 tcp_scalable_ssthresh(struct sock *sk)
 }
-static struct tcp_congestion_ops tcp_scalable = {
+static struct tcp_congestion_ops tcp_scalable __read_mostly = {
        .ssthresh       = tcp_scalable_ssthresh,
        .cong_avoid     = tcp_scalable_cong_avoid,
        .min_cwnd       = tcp_reno_min_cwnd,
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 74a6aa003657..ecd44b0c45f1 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -259,7 +259,6 @@ static void tcp_delack_timer(unsigned long data)
                tcp_send_ack(sk);
                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKS);
        }
-        TCP_CHECK_TIMER(sk);
 out:
        if (tcp_memory_pressure)
@@ -481,7 +480,6 @@ static void tcp_write_timer(unsigned long data)
                tcp_probe_timer(sk);
                break;
        }
-        TCP_CHECK_TIMER(sk);
 out:
        sk_mem_reclaim(sk);
@@ -589,7 +587,6 @@ static void tcp_keepalive_timer (unsigned long data)
                elapsed = keepalive_time_when(tp) - elapsed;
        }
-        TCP_CHECK_TIMER(sk);
        sk_mem_reclaim(sk);
 resched:
diff --git a/net/ipv4/tcp_vegas.c b/net/ipv4/tcp_vegas.c
index c6743eec9b7d..80fa2bfd7ede 100644
--- a/net/ipv4/tcp_vegas.c
+++ b/net/ipv4/tcp_vegas.c
@@ -304,7 +304,7 @@ void tcp_vegas_get_info(struct sock *sk, u32 ext, struct sk_buff *skb)
 }
 EXPORT_SYMBOL_GPL(tcp_vegas_get_info);
-static struct tcp_congestion_ops tcp_vegas = {
+static struct tcp_congestion_ops tcp_vegas __read_mostly = {
        .flags          = TCP_CONG_RTT_STAMP,
        .init           = tcp_vegas_init,
        .ssthresh       = tcp_reno_ssthresh,
diff --git a/net/ipv4/tcp_veno.c b/net/ipv4/tcp_veno.c
index 38bc0b52d745..ac43cd747bce 100644
--- a/net/ipv4/tcp_veno.c
+++ b/net/ipv4/tcp_veno.c
@@ -201,7 +201,7 @@ static u32 tcp_veno_ssthresh(struct sock *sk)
                return max(tp->snd_cwnd >> 1U, 2U);
 }
-static struct tcp_congestion_ops tcp_veno = {
+static struct tcp_congestion_ops tcp_veno __read_mostly = {
        .flags          = TCP_CONG_RTT_STAMP,
        .init           = tcp_veno_init,
        .ssthresh       = tcp_veno_ssthresh,
diff --git a/net/ipv4/tcp_westwood.c b/net/ipv4/tcp_westwood.c
index a534dda5456e..1b91bf48e277 100644
--- a/net/ipv4/tcp_westwood.c
+++ b/net/ipv4/tcp_westwood.c
@@ -272,7 +272,7 @@ static void tcp_westwood_info(struct sock *sk, u32 ext,
 }
-static struct tcp_congestion_ops tcp_westwood = {
+static struct tcp_congestion_ops tcp_westwood __read_mostly = {
        .init           = tcp_westwood_init,
        .ssthresh       = tcp_reno_ssthresh,
        .cong_avoid     = tcp_reno_cong_avoid,
diff --git a/net/ipv4/tcp_yeah.c b/net/ipv4/tcp_yeah.c
index a0f240358892..05c3b6f0e8e1 100644
--- a/net/ipv4/tcp_yeah.c
+++ b/net/ipv4/tcp_yeah.c
@@ -20,7 +20,7 @@
 #define TCP_YEAH_DELTA        3 //log minimum fraction of cwnd to be removed on loss
 #define TCP_YEAH_EPSILON      1 //log maximum fraction to be removed on early decongestion
 #define TCP_YEAH_PHY          8 //lin maximum delta from base
-#define TCP_YEAH_RHO         16 //lin minumum number of consecutive rtt to consider competition on loss
+#define TCP_YEAH_RHO         16 //lin minimum number of consecutive rtt to consider competition on loss
 #define TCP_YEAH_ZETA        50 //lin minimum number of state switchs to reset reno_count
 #define TCP_SCALABLE_AI_CNT      100U
@@ -225,7 +225,7 @@ static u32 tcp_yeah_ssthresh(struct sock *sk) {
        return tp->snd_cwnd - reduction;
 }
-static struct tcp_congestion_ops tcp_yeah = {
+static struct tcp_congestion_ops tcp_yeah __read_mostly = {
        .flags          = TCP_CONG_RTT_STAMP,
        .init           = tcp_yeah_init,
        .ssthresh       = tcp_yeah_ssthresh,
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 8157b17959ee..599374f65c76 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -189,7 +189,7 @@ static int udp_lib_lport_inuse2(struct net *net, __u16 num,
 *  @sk:          socket struct in question
 *  @snum:        port number to look up
 *  @saddr_comp:  AF-dependent comparison of bound local IP addresses
- *  @hash2_nulladdr: AF-dependant hash value in secondary hash chains,
+ *  @hash2_nulladdr: AF-dependent hash value in secondary hash chains,
 *                   with NULL address
 */
 int udp_lib_get_port(struct sock *sk, unsigned short snum,
@@ -578,7 +578,7 @@ found:
 void __udp4_lib_err(struct sk_buff *skb, u32 info, struct udp_table *udptable)
 {
        struct inet_sock *inet;
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        struct udphdr *uh = (struct udphdr *)(skb->data+(iph->ihl<<2));
        const int type = icmp_hdr(skb)->type;
        const int code = icmp_hdr(skb)->code;
@@ -663,75 +663,71 @@ void udp_flush_pending_frames(struct sock *sk)
 EXPORT_SYMBOL(udp_flush_pending_frames);
 /**
- *      udp4_hwcsum_outgoing  -  handle outgoing HW checksumming
+ *      udp4_hwcsum  -  handle outgoing HW checksumming
- *      @sk:    socket we are sending on
 *      @skb:   sk_buff containing the filled-in UDP header
 *              (checksum field must be zeroed out)
+ *      @src:   source IP address
+ *      @dst:   destination IP address
 */
-static void udp4_hwcsum_outgoing(struct sock *sk, struct sk_buff *skb,
+static void udp4_hwcsum(struct sk_buff *skb, __be32 src, __be32 dst)
-                                 __be32 src, __be32 dst, int len)
 {
-        unsigned int offset;
        struct udphdr *uh = udp_hdr(skb);
+        struct sk_buff *frags = skb_shinfo(skb)->frag_list;
+        int offset = skb_transport_offset(skb);
+        int len = skb->len - offset;
+        int hlen = len;
        __wsum csum = 0;
-        if (skb_queue_len(&sk->sk_write_queue) == 1) {
+        if (!frags) {
                /*
                 * Only one fragment on the socket.
                 */
                skb->csum_start = skb_transport_header(skb) - skb->head;
                skb->csum_offset = offsetof(struct udphdr, check);
-                uh->check = ~csum_tcpudp_magic(src, dst, len, IPPROTO_UDP, 0);
+                uh->check = ~csum_tcpudp_magic(src, dst, len,
+                                               IPPROTO_UDP, 0);
        } else {
                /*
                 * HW-checksum won't work as there are two or more
                 * fragments on the socket so that all csums of sk_buffs
                 * should be together
                 */
-                offset = skb_transport_offset(skb);
+                do {
-                skb->csum = skb_checksum(skb, offset, skb->len - offset, 0);
+                        csum = csum_add(csum, frags->csum);
+                        hlen -= frags->len;
+                } while ((frags = frags->next));
+                csum = skb_checksum(skb, offset, hlen, csum);
                skb->ip_summed = CHECKSUM_NONE;
-                skb_queue_walk(&sk->sk_write_queue, skb) {
-                        csum = csum_add(csum, skb->csum);
-                }
                uh->check = csum_tcpudp_magic(src, dst, len, IPPROTO_UDP, csum);
                if (uh->check == 0)
                        uh->check = CSUM_MANGLED_0;
        }
 }
-/*
+static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4)
- * Push out all pending data as one UDP datagram. Socket is locked.
- */
-static int udp_push_pending_frames(struct sock *sk)
 {
-        struct udp_sock  *up = udp_sk(sk);
+        struct sock *sk = skb->sk;
        struct inet_sock *inet = inet_sk(sk);
-        struct flowi *fl = &inet->cork.fl;
-        struct sk_buff *skb;
        struct udphdr *uh;
        int err = 0;
        int is_udplite = IS_UDPLITE(sk);
+        int offset = skb_transport_offset(skb);
+        int len = skb->len - offset;
        __wsum csum = 0;
-        /* Grab the skbuff where UDP header space exists. */
-        if ((skb = skb_peek(&sk->sk_write_queue)) == NULL)
-                goto out;
        /*
         * Create a UDP header
         */
        uh = udp_hdr(skb);
-        uh->source = fl->fl_ip_sport;
+        uh->source = inet->inet_sport;
-        uh->dest = fl->fl_ip_dport;
+        uh->dest = fl4->fl4_dport;
-        uh->len = htons(up->len);
+        uh->len = htons(len);
        uh->check = 0;
        if (is_udplite)                                  /*     UDP-Lite      */
-                csum  = udplite_csum_outgoing(sk, skb);
+                csum = udplite_csum(skb);
        else if (sk->sk_no_check == UDP_CSUM_NOXMIT) {   /* UDP csum disabled */
@@ -740,20 +736,20 @@ static int udp_push_pending_frames(struct sock *sk)
        } else if (skb->ip_summed == CHECKSUM_PARTIAL) { /* UDP hardware csum */
-                udp4_hwcsum_outgoing(sk, skb, fl->fl4_src, fl->fl4_dst, up->len);
+                udp4_hwcsum(skb, fl4->saddr, fl4->daddr);
                goto send;
-        } else                                           /*   `normal' UDP    */
+        } else
-                csum = udp_csum_outgoing(sk, skb);
+                csum = udp_csum(skb);
        /* add protocol-dependent pseudo-header */
-        uh->check = csum_tcpudp_magic(fl->fl4_src, fl->fl4_dst, up->len,
+        uh->check = csum_tcpudp_magic(fl4->saddr, fl4->daddr, len,
                                      sk->sk_protocol, csum);
        if (uh->check == 0)
                uh->check = CSUM_MANGLED_0;
 send:
-        err = ip_push_pending_frames(sk);
+        err = ip_send_skb(skb);
        if (err) {
                if (err == -ENOBUFS && !inet->recverr) {
                        UDP_INC_STATS_USER(sock_net(sk),
@@ -763,6 +759,26 @@ send:
        } else
                UDP_INC_STATS_USER(sock_net(sk),
                                   UDP_MIB_OUTDATAGRAMS, is_udplite);
+        return err;
+}
+/*
+ * Push out all pending data as one UDP datagram. Socket is locked.
+ */
+static int udp_push_pending_frames(struct sock *sk)
+{
+        struct udp_sock  *up = udp_sk(sk);
+        struct inet_sock *inet = inet_sk(sk);
+        struct flowi4 *fl4 = &inet->cork.fl.u.ip4;
+        struct sk_buff *skb;
+        int err = 0;
+        skb = ip_finish_skb(sk, fl4);
+        if (!skb)
+                goto out;
+        err = udp_send_skb(skb, fl4);
 out:
        up->len = 0;
        up->pending = 0;
@@ -774,6 +790,8 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
 {
        struct inet_sock *inet = inet_sk(sk);
        struct udp_sock *up = udp_sk(sk);
+        struct flowi4 fl4_stack;
+        struct flowi4 *fl4;
        int ulen = len;
        struct ipcm_cookie ipc;
        struct rtable *rt = NULL;
@@ -785,6 +803,8 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
        int err, is_udplite = IS_UDPLITE(sk);
        int corkreq = up->corkflag || msg->msg_flags&MSG_MORE;
        int (*getfrag)(void *, char *, int, int, int, struct sk_buff *);
+        struct sk_buff *skb;
+        struct ip_options_data opt_copy;
        if (len > 0xFFFF)
                return -EMSGSIZE;
@@ -799,6 +819,9 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
        ipc.opt = NULL;
        ipc.tx_flags = 0;
+        getfrag = is_udplite ? udplite_getfrag : ip_generic_getfrag;
+        fl4 = &inet->cork.fl.u.ip4;
        if (up->pending) {
                /*
                 * There are pending frames.
@@ -856,22 +879,32 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                        free = 1;
                connected = 0;
        }
-        if (!ipc.opt)
+        if (!ipc.opt) {
-                ipc.opt = inet->opt;
+                struct ip_options_rcu *inet_opt;
+                rcu_read_lock();
+                inet_opt = rcu_dereference(inet->inet_opt);
+                if (inet_opt) {
+                        memcpy(&opt_copy, inet_opt,
+                               sizeof(*inet_opt) + inet_opt->opt.optlen);
+                        ipc.opt = &opt_copy.opt;
+                }
+                rcu_read_unlock();
+        }
        saddr = ipc.addr;
        ipc.addr = faddr = daddr;
-        if (ipc.opt && ipc.opt->srr) {
+        if (ipc.opt && ipc.opt->opt.srr) {
                if (!daddr)
                        return -EINVAL;
-                faddr = ipc.opt->faddr;
+                faddr = ipc.opt->opt.faddr;
                connected = 0;
        }
        tos = RT_TOS(inet->tos);
        if (sock_flag(sk, SOCK_LOCALROUTE) ||
            (msg->msg_flags & MSG_DONTROUTE) ||
-            (ipc.opt && ipc.opt->is_strictroute)) {
+            (ipc.opt && ipc.opt->opt.is_strictroute)) {
                tos |= RTO_ONLINK;
                connected = 0;
        }
@@ -888,20 +921,19 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                rt = (struct rtable *)sk_dst_check(sk, 0);
        if (rt == NULL) {
-                struct flowi fl = { .oif = ipc.oif,
-                                    .mark = sk->sk_mark,
-                                    .fl4_dst = faddr,
-                                    .fl4_src = saddr,
-                                    .fl4_tos = tos,
-                                    .proto = sk->sk_protocol,
-                                    .flags = inet_sk_flowi_flags(sk),
-                                    .fl_ip_sport = inet->inet_sport,
-                                    .fl_ip_dport = dport };
                struct net *net = sock_net(sk);
-                security_sk_classify_flow(sk, &fl);
+                fl4 = &fl4_stack;
-                err = ip_route_output_flow(net, &rt, &fl, sk, 1);
+                flowi4_init_output(fl4, ipc.oif, sk->sk_mark, tos,
-                if (err) {
+                                   RT_SCOPE_UNIVERSE, sk->sk_protocol,
+                                   inet_sk_flowi_flags(sk)|FLOWI_FLAG_CAN_SLEEP,
+                                   faddr, saddr, dport, inet->inet_sport);
+                security_sk_classify_flow(sk, flowi4_to_flowi(fl4));
+                rt = ip_route_output_flow(net, fl4, sk);
+                if (IS_ERR(rt)) {
+                        err = PTR_ERR(rt);
+                        rt = NULL;
                        if (err == -ENETUNREACH)
                                IP_INC_STATS_BH(net, IPSTATS_MIB_OUTNOROUTES);
                        goto out;
@@ -919,9 +951,20 @@ int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
                goto do_confirm;
 back_from_confirm:
-        saddr = rt->rt_src;
+        saddr = fl4->saddr;
        if (!ipc.addr)
-                daddr = ipc.addr = rt->rt_dst;
+                daddr = ipc.addr = fl4->daddr;
+        /* Lockless fast path for the non-corking case. */
+        if (!corkreq) {
+                skb = ip_make_skb(sk, fl4, getfrag, msg->msg_iov, ulen,
+                                  sizeof(struct udphdr), &ipc, &rt,
+                                  msg->msg_flags);
+                err = PTR_ERR(skb);
+                if (skb && !IS_ERR(skb))
+                        err = udp_send_skb(skb, fl4);
+                goto out;
+        }
        lock_sock(sk);
        if (unlikely(up->pending)) {
@@ -936,18 +979,18 @@ back_from_confirm:
        /*
         *      Now cork the socket to pend data.
         */
-        inet->cork.fl.fl4_dst = daddr;
+        fl4 = &inet->cork.fl.u.ip4;
-        inet->cork.fl.fl_ip_dport = dport;
+        fl4->daddr = daddr;
-        inet->cork.fl.fl4_src = saddr;
+        fl4->saddr = saddr;
-        inet->cork.fl.fl_ip_sport = inet->inet_sport;
+        fl4->fl4_dport = dport;
+        fl4->fl4_sport = inet->inet_sport;
        up->pending = AF_INET;
 do_append_data:
        up->len += ulen;
-        getfrag  =  is_udplite ?  udplite_getfrag : ip_generic_getfrag;
+        err = ip_append_data(sk, fl4, getfrag, msg->msg_iov, ulen,
-        err = ip_append_data(sk, getfrag, msg->msg_iov, ulen,
+                             sizeof(struct udphdr), &ipc, &rt,
-                        sizeof(struct udphdr), &ipc, &rt,
+                             corkreq ? msg->msg_flags|MSG_MORE : msg->msg_flags);
-                        corkreq ? msg->msg_flags|MSG_MORE : msg->msg_flags);
        if (err)
                udp_flush_pending_frames(sk);
        else if (!corkreq)
@@ -987,6 +1030,7 @@ EXPORT_SYMBOL(udp_sendmsg);
 int udp_sendpage(struct sock *sk, struct page *page, int offset,
                 size_t size, int flags)
 {
+        struct inet_sock *inet = inet_sk(sk);
        struct udp_sock *up = udp_sk(sk);
        int ret;
@@ -1011,7 +1055,8 @@ int udp_sendpage(struct sock *sk, struct page *page, int offset,
                return -EINVAL;
        }
-        ret = ip_append_page(sk, page, offset, size, flags);
+        ret = ip_append_page(sk, &inet->cork.fl.u.ip4,
+                             page, offset, size, flags);
        if (ret == -EOPNOTSUPP) {
                release_sock(sk);
                return sock_no_sendpage(sk->sk_socket, page, offset,
@@ -2199,7 +2244,7 @@ int udp4_ufo_send_check(struct sk_buff *skb)
        return 0;
 }
-struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb, int features)
+struct sk_buff *udp4_ufo_fragment(struct sk_buff *skb, u32 features)
 {
        struct sk_buff *segs = ERR_PTR(-EINVAL);
        unsigned int mss;
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 571aa96a175c..2d51840e53a1 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -69,7 +69,7 @@ int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
 }
 EXPORT_SYMBOL(xfrm4_prepare_output);
-static int xfrm4_output_finish(struct sk_buff *skb)
+int xfrm4_output_finish(struct sk_buff *skb)
 {
 #ifdef CONFIG_NETFILTER
        if (!skb_dst(skb)->xfrm) {
@@ -86,7 +86,11 @@ static int xfrm4_output_finish(struct sk_buff *skb)
 int xfrm4_output(struct sk_buff *skb)
 {
+        struct dst_entry *dst = skb_dst(skb);
+        struct xfrm_state *x = dst->xfrm;
        return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb,
-                            NULL, skb_dst(skb)->dev, xfrm4_output_finish,
+                            NULL, dst->dev,
+                            x->outer_mode->afinfo->output_finish,
                            !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index b057d40addec..981e43eaf704 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -18,47 +18,53 @@
 static struct xfrm_policy_afinfo xfrm4_policy_afinfo;
-static struct dst_entry *xfrm4_dst_lookup(struct net *net, int tos,
+static struct dst_entry *__xfrm4_dst_lookup(struct net *net, struct flowi4 *fl4,
-                                          xfrm_address_t *saddr,
+                                            int tos,
-                                          xfrm_address_t *daddr)
+                                            const xfrm_address_t *saddr,
+                                            const xfrm_address_t *daddr)
 {
-        struct flowi fl = {
-                .fl4_dst = daddr->a4,
-                .fl4_tos = tos,
-        };
-        struct dst_entry *dst;
        struct rtable *rt;
-        int err;
+        memset(fl4, 0, sizeof(*fl4));
+        fl4->daddr = daddr->a4;
+        fl4->flowi4_tos = tos;
        if (saddr)
-                fl.fl4_src = saddr->a4;
+                fl4->saddr = saddr->a4;
+        rt = __ip_route_output_key(net, fl4);
+        if (!IS_ERR(rt))
+                return &rt->dst;
-        err = __ip_route_output_key(net, &rt, &fl);
+        return ERR_CAST(rt);
-        dst = &rt->dst;
+}
-        if (err)
-                dst = ERR_PTR(err);
+static struct dst_entry *xfrm4_dst_lookup(struct net *net, int tos,
-        return dst;
+                                          const xfrm_address_t *saddr,
+                                          const xfrm_address_t *daddr)
+{
+        struct flowi4 fl4;
+        return __xfrm4_dst_lookup(net, &fl4, tos, saddr, daddr);
 }
 static int xfrm4_get_saddr(struct net *net,
                           xfrm_address_t *saddr, xfrm_address_t *daddr)
 {
        struct dst_entry *dst;
-        struct rtable *rt;
+        struct flowi4 fl4;
-        dst = xfrm4_dst_lookup(net, 0, NULL, daddr);
+        dst = __xfrm4_dst_lookup(net, &fl4, 0, NULL, daddr);
        if (IS_ERR(dst))
                return -EHOSTUNREACH;
-        rt = (struct rtable *)dst;
+        saddr->a4 = fl4.saddr;
-        saddr->a4 = rt->rt_src;
        dst_release(dst);
        return 0;
 }
-static int xfrm4_get_tos(struct flowi *fl)
+static int xfrm4_get_tos(const struct flowi *fl)
 {
-        return IPTOS_RT_MASK & fl->fl4_tos; /* Strip ECN bits */
+        return IPTOS_RT_MASK & fl->u.ip4.flowi4_tos; /* Strip ECN bits */
 }
 static int xfrm4_init_path(struct xfrm_dst *path, struct dst_entry *dst,
@@ -68,11 +74,18 @@ static int xfrm4_init_path(struct xfrm_dst *path, struct dst_entry *dst,
 }
 static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
-                          struct flowi *fl)
+                          const struct flowi *fl)
 {
        struct rtable *rt = (struct rtable *)xdst->route;
+        const struct flowi4 *fl4 = &fl->u.ip4;
-        xdst->u.rt.fl = *fl;
+        rt->rt_key_dst = fl4->daddr;
+        rt->rt_key_src = fl4->saddr;
+        rt->rt_key_tos = fl4->flowi4_tos;
+        rt->rt_route_iif = fl4->flowi4_iif;
+        rt->rt_iif = fl4->flowi4_iif;
+        rt->rt_oif = fl4->flowi4_oif;
+        rt->rt_mark = fl4->flowi4_mark;
        xdst->u.dst.dev = dev;
        dev_hold(dev);
@@ -97,11 +110,12 @@ static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
 static void
 _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 {
-        struct iphdr *iph = ip_hdr(skb);
+        const struct iphdr *iph = ip_hdr(skb);
        u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
+        struct flowi4 *fl4 = &fl->u.ip4;
-        memset(fl, 0, sizeof(struct flowi));
+        memset(fl4, 0, sizeof(struct flowi4));
-        fl->mark = skb->mark;
+        fl4->flowi4_mark = skb->mark;
        if (!(iph->frag_off & htons(IP_MF | IP_OFFSET))) {
                switch (iph->protocol) {
@@ -114,8 +128,8 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
                            pskb_may_pull(skb, xprth + 4 - skb->data)) {
                                __be16 *ports = (__be16 *)xprth;
-                                fl->fl_ip_sport = ports[!!reverse];
+                                fl4->fl4_sport = ports[!!reverse];
-                                fl->fl_ip_dport = ports[!reverse];
+                                fl4->fl4_dport = ports[!reverse];
                        }
                        break;
@@ -123,8 +137,8 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
                        if (pskb_may_pull(skb, xprth + 2 - skb->data)) {
                                u8 *icmp = xprth;
-                                fl->fl_icmp_type = icmp[0];
+                                fl4->fl4_icmp_type = icmp[0];
-                                fl->fl_icmp_code = icmp[1];
+                                fl4->fl4_icmp_code = icmp[1];
                        }
                        break;
@@ -132,7 +146,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
                        if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
                                __be32 *ehdr = (__be32 *)xprth;
-                                fl->fl_ipsec_spi = ehdr[0];
+                                fl4->fl4_ipsec_spi = ehdr[0];
                        }
                        break;
@@ -140,7 +154,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
                        if (pskb_may_pull(skb, xprth + 8 - skb->data)) {
                                __be32 *ah_hdr = (__be32*)xprth;
-                                fl->fl_ipsec_spi = ah_hdr[1];
+                                fl4->fl4_ipsec_spi = ah_hdr[1];
                        }
                        break;
@@ -148,7 +162,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
                        if (pskb_may_pull(skb, xprth + 4 - skb->data)) {
                                __be16 *ipcomp_hdr = (__be16 *)xprth;
-                                fl->fl_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
+                                fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
                        }
                        break;
@@ -160,20 +174,20 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
                                if (greflags[0] & GRE_KEY) {
                                        if (greflags[0] & GRE_CSUM)
                                                gre_hdr++;
-                                        fl->fl_gre_key = gre_hdr[1];
+                                        fl4->fl4_gre_key = gre_hdr[1];
                                }
                        }
                        break;
                default:
-                        fl->fl_ipsec_spi = 0;
+                        fl4->fl4_ipsec_spi = 0;
                        break;
                }
        }
-        fl->proto = iph->protocol;
+        fl4->flowi4_proto = iph->protocol;
-        fl->fl4_dst = reverse ? iph->saddr : iph->daddr;
+        fl4->daddr = reverse ? iph->saddr : iph->daddr;
-        fl->fl4_src = reverse ? iph->daddr : iph->saddr;
+        fl4->saddr = reverse ? iph->daddr : iph->saddr;
-        fl->fl4_tos = iph->tos;
+        fl4->flowi4_tos = iph->tos;
 }
 static inline int xfrm4_garbage_collect(struct dst_ops *ops)
@@ -196,8 +210,11 @@ static void xfrm4_dst_destroy(struct dst_entry *dst)
 {
        struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
+        dst_destroy_metrics_generic(dst);
        if (likely(xdst->u.rt.peer))
                inet_putpeer(xdst->u.rt.peer);
        xfrm_dst_destroy(xdst);
 }
@@ -215,6 +232,7 @@ static struct dst_ops xfrm4_dst_ops = {
        .protocol =             cpu_to_be16(ETH_P_IP),
        .gc =                   xfrm4_garbage_collect,
        .update_pmtu =          xfrm4_update_pmtu,
+        .cow_metrics =          dst_cow_metrics_generic,
        .destroy =              xfrm4_dst_destroy,
        .ifdown =               xfrm4_dst_ifdown,
        .local_out =            __ip_local_out,
@@ -230,6 +248,7 @@ static struct xfrm_policy_afinfo xfrm4_policy_afinfo = {
        .get_tos =              xfrm4_get_tos,
        .init_path =            xfrm4_init_path,
        .fill_dst =             xfrm4_fill_dst,
+        .blackhole_route =      ipv4_blackhole_route,
 };
 #ifdef CONFIG_SYSCTL
diff --git a/net/ipv4/xfrm4_state.c b/net/ipv4/xfrm4_state.c
index 47947624eccc..d9ac0a0058b5 100644
--- a/net/ipv4/xfrm4_state.c
+++ b/net/ipv4/xfrm4_state.c
@@ -21,24 +21,26 @@ static int xfrm4_init_flags(struct xfrm_state *x)
 }
 static void
-__xfrm4_init_tempsel(struct xfrm_selector *sel, struct flowi *fl)
+__xfrm4_init_tempsel(struct xfrm_selector *sel, const struct flowi *fl)
 {
-        sel->daddr.a4 = fl->fl4_dst;
+        const struct flowi4 *fl4 = &fl->u.ip4;
-        sel->saddr.a4 = fl->fl4_src;
-        sel->dport = xfrm_flowi_dport(fl);
+        sel->daddr.a4 = fl4->daddr;
+        sel->saddr.a4 = fl4->saddr;
+        sel->dport = xfrm_flowi_dport(fl, &fl4->uli);
        sel->dport_mask = htons(0xffff);
-        sel->sport = xfrm_flowi_sport(fl);
+        sel->sport = xfrm_flowi_sport(fl, &fl4->uli);
        sel->sport_mask = htons(0xffff);
        sel->family = AF_INET;
        sel->prefixlen_d = 32;
        sel->prefixlen_s = 32;
-        sel->proto = fl->proto;
+        sel->proto = fl4->flowi4_proto;
-        sel->ifindex = fl->oif;
+        sel->ifindex = fl4->flowi4_oif;
 }
 static void
-xfrm4_init_temprop(struct xfrm_state *x, struct xfrm_tmpl *tmpl,
+xfrm4_init_temprop(struct xfrm_state *x, const struct xfrm_tmpl *tmpl,
-                   xfrm_address_t *daddr, xfrm_address_t *saddr)
+                   const xfrm_address_t *daddr, const xfrm_address_t *saddr)
 {
        x->id = tmpl->id;
        if (x->id.daddr.a4 == 0)
@@ -53,7 +55,7 @@ xfrm4_init_temprop(struct xfrm_state *x, struct xfrm_tmpl *tmpl,
 int xfrm4_extract_header(struct sk_buff *skb)
 {
-        struct iphdr *iph = ip_hdr(skb);
+        const struct iphdr *iph = ip_hdr(skb);
        XFRM_MODE_SKB_CB(skb)->ihl = sizeof(*iph);
        XFRM_MODE_SKB_CB(skb)->id = iph->id;
@@ -76,6 +78,7 @@ static struct xfrm_state_afinfo xfrm4_state_afinfo = {
        .init_tempsel           = __xfrm4_init_tempsel,
        .init_temprop           = xfrm4_init_temprop,
        .output                 = xfrm4_output,
+        .output_finish          = xfrm4_output_finish,
        .extract_input          = xfrm4_extract_input,
        .extract_output         = xfrm4_extract_output,
        .transport_finish       = xfrm4_transport_finish,
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index fd6782e3a038..498b927f68be 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -289,19 +289,19 @@ static int snmp6_alloc_dev(struct inet6_dev *idev)
                          sizeof(struct ipstats_mib),
                          __alignof__(struct ipstats_mib)) < 0)
                goto err_ip;
-        if (snmp_mib_init((void __percpu **)idev->stats.icmpv6,
+        idev->stats.icmpv6dev = kzalloc(sizeof(struct icmpv6_mib_device),
-                          sizeof(struct icmpv6_mib),
+                                        GFP_KERNEL);
-                          __alignof__(struct icmpv6_mib)) < 0)
+        if (!idev->stats.icmpv6dev)
                goto err_icmp;
-        if (snmp_mib_init((void __percpu **)idev->stats.icmpv6msg,
+        idev->stats.icmpv6msgdev = kzalloc(sizeof(struct icmpv6msg_mib_device),
-                          sizeof(struct icmpv6msg_mib),
+                                           GFP_KERNEL);
-                          __alignof__(struct icmpv6msg_mib)) < 0)
+        if (!idev->stats.icmpv6msgdev)
                goto err_icmpmsg;
        return 0;
 err_icmpmsg:
-        snmp_mib_free((void __percpu **)idev->stats.icmpv6);
+        kfree(idev->stats.icmpv6dev);
 err_icmp:
        snmp_mib_free((void __percpu **)idev->stats.ipv6);
 err_ip:
@@ -310,19 +310,13 @@ err_ip:
 static void snmp6_free_dev(struct inet6_dev *idev)
 {
-        snmp_mib_free((void __percpu **)idev->stats.icmpv6msg);
+        kfree(idev->stats.icmpv6msgdev);
-        snmp_mib_free((void __percpu **)idev->stats.icmpv6);
+        kfree(idev->stats.icmpv6dev);
        snmp_mib_free((void __percpu **)idev->stats.ipv6);
 }
 /* Nobody refers to this device, we may destroy it. */
-static void in6_dev_finish_destroy_rcu(struct rcu_head *head)
-{
-        struct inet6_dev *idev = container_of(head, struct inet6_dev, rcu);
-        kfree(idev);
-}
 void in6_dev_finish_destroy(struct inet6_dev *idev)
 {
        struct net_device *dev = idev->dev;
@@ -339,7 +333,7 @@ void in6_dev_finish_destroy(struct inet6_dev *idev)
                return;
        }
        snmp6_free_dev(idev);
-        call_rcu(&idev->rcu, in6_dev_finish_destroy_rcu);
+        kfree_rcu(idev, rcu);
 }
 EXPORT_SYMBOL(in6_dev_finish_destroy);
@@ -535,12 +529,6 @@ static int addrconf_fixup_forwarding(struct ctl_table *table, int *p, int old)
 }
 #endif
-static void inet6_ifa_finish_destroy_rcu(struct rcu_head *head)
-{
-        struct inet6_ifaddr *ifp = container_of(head, struct inet6_ifaddr, rcu);
-        kfree(ifp);
-}
 /* Nobody refers to this ifaddr, destroy it */
 void inet6_ifa_finish_destroy(struct inet6_ifaddr *ifp)
 {
@@ -561,7 +549,7 @@ void inet6_ifa_finish_destroy(struct inet6_ifaddr *ifp)
        }
        dst_release(&ifp->rt->dst);
-        call_rcu(&ifp->rcu, inet6_ifa_finish_destroy_rcu);
+        kfree_rcu(ifp, rcu);
 }
 static void
@@ -718,12 +706,9 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
        struct inet6_ifaddr *ifa, *ifn;
        struct inet6_dev *idev = ifp->idev;
        int state;
-        int hash;
        int deleted = 0, onlink = 0;
        unsigned long expires = jiffies;
-        hash = ipv6_addr_hash(&ifp->addr);
        spin_lock_bh(&ifp->state_lock);
        state = ifp->state;
        ifp->state = INET6_IFADDR_STATE_DEAD;
@@ -828,6 +813,8 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
                dst_release(&rt->dst);
        }
+        /* clean up prefsrc entries */
+        rt6_remove_prefsrc(ifp);
 out:
        in6_ifa_put(ifp);
 }
@@ -1087,7 +1074,7 @@ static int ipv6_get_saddr_eval(struct net *net,
        case IPV6_SADDR_RULE_PRIVACY:
            {
                /* Rule 7: Prefer public address
-                 * Note: prefer temprary address if use_tempaddr >= 2
+                 * Note: prefer temporary address if use_tempaddr >= 2
                 */
                int preftmp = dst->prefs & (IPV6_PREFER_SRC_PUBLIC|IPV6_PREFER_SRC_TMP) ?
                                !!(dst->prefs & IPV6_PREFER_SRC_TMP) :
@@ -1284,7 +1271,7 @@ static int ipv6_count_addresses(struct inet6_dev *idev)
        return cnt;
 }
-int ipv6_chk_addr(struct net *net, struct in6_addr *addr,
+int ipv6_chk_addr(struct net *net, const struct in6_addr *addr,
                  struct net_device *dev, int strict)
 {
        struct inet6_ifaddr *ifp;
@@ -1327,7 +1314,7 @@ static bool ipv6_chk_same_addr(struct net *net, const struct in6_addr *addr,
        return false;
 }
-int ipv6_chk_prefix(struct in6_addr *addr, struct net_device *dev)
+int ipv6_chk_prefix(const struct in6_addr *addr, struct net_device *dev)
 {
        struct inet6_dev *idev;
        struct inet6_ifaddr *ifa;
@@ -1458,7 +1445,7 @@ void addrconf_dad_failure(struct inet6_ifaddr *ifp)
 /* Join to solicited addr multicast group. */
-void addrconf_join_solict(struct net_device *dev, struct in6_addr *addr)
+void addrconf_join_solict(struct net_device *dev, const struct in6_addr *addr)
 {
        struct in6_addr maddr;
@@ -1469,7 +1456,7 @@ void addrconf_join_solict(struct net_device *dev, struct in6_addr *addr)
        ipv6_dev_mc_inc(dev, &maddr);
 }
-void addrconf_leave_solict(struct inet6_dev *idev, struct in6_addr *addr)
+void addrconf_leave_solict(struct inet6_dev *idev, const struct in6_addr *addr)
 {
        struct in6_addr maddr;
@@ -1971,7 +1958,7 @@ ok:
                                         *  to the stored lifetime since we'll
                                         *  be updating the timestamp below,
                                         *  else we'll set it back to the
-                                         *  minumum.
+                                         *  minimum.
                                         */
                                        if (prefered_lft != ifp->prefered_lft) {
                                                valid_lft = stored_lft;
@@ -2114,7 +2101,7 @@ err_exit:
 /*
 *      Manual configuration of address on an interface
 */
-static int inet6_addr_add(struct net *net, int ifindex, struct in6_addr *pfx,
+static int inet6_addr_add(struct net *net, int ifindex, const struct in6_addr *pfx,
                          unsigned int plen, __u8 ifa_flags, __u32 prefered_lft,
                          __u32 valid_lft)
 {
@@ -2188,7 +2175,7 @@ static int inet6_addr_add(struct net *net, int ifindex, struct in6_addr *pfx,
        return PTR_ERR(ifp);
 }
-static int inet6_addr_del(struct net *net, int ifindex, struct in6_addr *pfx,
+static int inet6_addr_del(struct net *net, int ifindex, const struct in6_addr *pfx,
                          unsigned int plen)
 {
        struct inet6_ifaddr *ifp;
@@ -2351,7 +2338,7 @@ static void init_loopback(struct net_device *dev)
        add_addr(idev, &in6addr_loopback, 128, IFA_HOST);
 }
-static void addrconf_add_linklocal(struct inet6_dev *idev, struct in6_addr *addr)
+static void addrconf_add_linklocal(struct inet6_dev *idev, const struct in6_addr *addr)
 {
        struct inet6_ifaddr * ifp;
        u32 addr_flags = IFA_F_PERMANENT;
@@ -3122,7 +3109,7 @@ void if6_proc_exit(void)
 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
 /* Check if address is a home address configured on any interface. */
-int ipv6_chk_home_addr(struct net *net, struct in6_addr *addr)
+int ipv6_chk_home_addr(struct net *net, const struct in6_addr *addr)
 {
        int ret = 0;
        struct inet6_ifaddr *ifp = NULL;
@@ -3839,7 +3826,7 @@ static inline size_t inet6_if_nlmsg_size(void)
               + nla_total_size(inet6_ifla6_size()); /* IFLA_PROTINFO */
 }
-static inline void __snmp6_fill_stats(u64 *stats, void __percpu **mib,
+static inline void __snmp6_fill_statsdev(u64 *stats, atomic_long_t *mib,
                                      int items, int bytes)
 {
        int i;
@@ -3849,7 +3836,7 @@ static inline void __snmp6_fill_stats(u64 *stats, void __percpu **mib,
        /* Use put_unaligned() because stats may not be aligned for u64. */
        put_unaligned(items, &stats[0]);
        for (i = 1; i < items; i++)
-                put_unaligned(snmp_fold_field(mib, i), &stats[i]);
+                put_unaligned(atomic_long_read(&mib[i]), &stats[i]);
        memset(&stats[items], 0, pad);
 }
@@ -3878,7 +3865,7 @@ static void snmp6_fill_stats(u64 *stats, struct inet6_dev *idev, int attrtype,
                                     IPSTATS_MIB_MAX, bytes, offsetof(struct ipstats_mib, syncp));
                break;
        case IFLA_INET6_ICMP6STATS:
-                __snmp6_fill_stats(stats, (void __percpu **)idev->stats.icmpv6, ICMP6_MIB_MAX, bytes);
+                __snmp6_fill_statsdev(stats, idev->stats.icmpv6dev->mibs, ICMP6_MIB_MAX, bytes);
                break;
        }
 }
@@ -4540,7 +4527,7 @@ static void __addrconf_sysctl_unregister(struct ipv6_devconf *p)
        t = p->sysctl;
        p->sysctl = NULL;
-        unregister_sysctl_table(t->sysctl_header);
+        unregister_net_sysctl_table(t->sysctl_header);
        kfree(t->dev_name);
        kfree(t);
 }
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 978e80e2c4a8..b7919f901fbf 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -644,41 +644,34 @@ EXPORT_SYMBOL(inet6_unregister_protosw);
 int inet6_sk_rebuild_header(struct sock *sk)
 {
-        int err;
-        struct dst_entry *dst;
        struct ipv6_pinfo *np = inet6_sk(sk);
+        struct dst_entry *dst;
        dst = __sk_dst_check(sk, np->dst_cookie);
        if (dst == NULL) {
                struct inet_sock *inet = inet_sk(sk);
                struct in6_addr *final_p, final;
-                struct flowi fl;
+                struct flowi6 fl6;
-                memset(&fl, 0, sizeof(fl));
+                memset(&fl6, 0, sizeof(fl6));
-                fl.proto = sk->sk_protocol;
+                fl6.flowi6_proto = sk->sk_protocol;
-                ipv6_addr_copy(&fl.fl6_dst, &np->daddr);
+                ipv6_addr_copy(&fl6.daddr, &np->daddr);
-                ipv6_addr_copy(&fl.fl6_src, &np->saddr);
+                ipv6_addr_copy(&fl6.saddr, &np->saddr);
-                fl.fl6_flowlabel = np->flow_label;
+                fl6.flowlabel = np->flow_label;
-                fl.oif = sk->sk_bound_dev_if;
+                fl6.flowi6_oif = sk->sk_bound_dev_if;
-                fl.mark = sk->sk_mark;
+                fl6.flowi6_mark = sk->sk_mark;
-                fl.fl_ip_dport = inet->inet_dport;
+                fl6.fl6_dport = inet->inet_dport;
-                fl.fl_ip_sport = inet->inet_sport;
+                fl6.fl6_sport = inet->inet_sport;
-                security_sk_classify_flow(sk, &fl);
+                security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
-                final_p = fl6_update_dst(&fl, np->opt, &final);
+                final_p = fl6_update_dst(&fl6, np->opt, &final);
-                err = ip6_dst_lookup(sk, &dst, &fl);
+                dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false);
-                if (err) {
+                if (IS_ERR(dst)) {
                        sk->sk_route_caps = 0;
-                        return err;
+                        sk->sk_err_soft = -PTR_ERR(dst);
-                }
+                        return PTR_ERR(dst);
-                if (final_p)
-                        ipv6_addr_copy(&fl.fl6_dst, final_p);
-                if ((err = xfrm_lookup(sock_net(sk), &dst, &fl, sk, 0)) < 0) {
-                        sk->sk_err_soft = -err;
-                        return err;
                }
                __ip6_dst_store(sk, dst, NULL, NULL);
@@ -747,7 +740,7 @@ static int ipv6_gso_pull_exthdrs(struct sk_buff *skb, int proto)
 static int ipv6_gso_send_check(struct sk_buff *skb)
 {
-        struct ipv6hdr *ipv6h;
+        const struct ipv6hdr *ipv6h;
        const struct inet6_protocol *ops;
        int err = -EINVAL;
@@ -772,7 +765,7 @@ out:
        return err;
 }
-static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, int features)
+static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb, u32 features)
 {
        struct sk_buff *segs = ERR_PTR(-EINVAL);
        struct ipv6hdr *ipv6h;
@@ -1120,7 +1113,7 @@ static int __init inet6_init(void)
        /*
         *      ipngwg API draft makes clear that the correct semantics
         *      for TCP and UDP is to consider one TCP and UDP instance
-         *      in a host availiable by both INET and INET6 APIs and
+         *      in a host available by both INET and INET6 APIs and
         *      able to communicate via both network protocols.
         */
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index 1aba54ae53c4..2195ae651923 100644
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -409,7 +409,7 @@ static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)
        ah->reserved = 0;
        ah->spi = x->id.spi;
-        ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output);
+        ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
        sg_init_table(sg, nfrags);
        skb_to_sgvec(skb, sg, 0, skb->len);
diff --git a/net/ipv6/anycast.c b/net/ipv6/anycast.c
index 0e5e943446f0..674255f5e6b7 100644
--- a/net/ipv6/anycast.c
+++ b/net/ipv6/anycast.c
@@ -44,7 +44,7 @@
 #include <net/checksum.h>
-static int ipv6_dev_ac_dec(struct net_device *dev, struct in6_addr *addr);
+static int ipv6_dev_ac_dec(struct net_device *dev, const struct in6_addr *addr);
 /* Big ac list lock for all the sockets */
 static DEFINE_RWLOCK(ipv6_sk_ac_lock);
@@ -54,7 +54,7 @@ static DEFINE_RWLOCK(ipv6_sk_ac_lock);
 *      socket join an anycast group
 */
-int ipv6_sock_ac_join(struct sock *sk, int ifindex, struct in6_addr *addr)
+int ipv6_sock_ac_join(struct sock *sk, int ifindex, const struct in6_addr *addr)
 {
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct net_device *dev = NULL;
@@ -145,7 +145,7 @@ error:
 /*
 *      socket leave an anycast group
 */
-int ipv6_sock_ac_drop(struct sock *sk, int ifindex, struct in6_addr *addr)
+int ipv6_sock_ac_drop(struct sock *sk, int ifindex, const struct in6_addr *addr)
 {
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct net_device *dev;
@@ -252,7 +252,7 @@ static void aca_put(struct ifacaddr6 *ac)
 /*
 *      device anycast group inc (add if not found)
 */
-int ipv6_dev_ac_inc(struct net_device *dev, struct in6_addr *addr)
+int ipv6_dev_ac_inc(struct net_device *dev, const struct in6_addr *addr)
 {
        struct ifacaddr6 *aca;
        struct inet6_dev *idev;
@@ -324,7 +324,7 @@ out:
 /*
 *      device anycast group decrement
 */
-int __ipv6_dev_ac_dec(struct inet6_dev *idev, struct in6_addr *addr)
+int __ipv6_dev_ac_dec(struct inet6_dev *idev, const struct in6_addr *addr)
 {
        struct ifacaddr6 *aca, *prev_aca;
@@ -358,7 +358,7 @@ int __ipv6_dev_ac_dec(struct inet6_dev *idev, struct in6_addr *addr)
 }
 /* called with rcu_read_lock() */
-static int ipv6_dev_ac_dec(struct net_device *dev, struct in6_addr *addr)
+static int ipv6_dev_ac_dec(struct net_device *dev, const struct in6_addr *addr)
 {
        struct inet6_dev *idev = __in6_dev_get(dev);
@@ -371,7 +371,7 @@ static int ipv6_dev_ac_dec(struct net_device *dev, struct in6_addr *addr)
 *      check if the interface has this anycast address
 *      called with rcu_read_lock()
 */
-static int ipv6_chk_acast_dev(struct net_device *dev, struct in6_addr *addr)
+static int ipv6_chk_acast_dev(struct net_device *dev, const struct in6_addr *addr)
 {
        struct inet6_dev *idev;
        struct ifacaddr6 *aca;
@@ -392,7 +392,7 @@ static int ipv6_chk_acast_dev(struct net_device *dev, struct in6_addr *addr)
 *      check if given interface (or any, if dev==0) has this anycast address
 */
 int ipv6_chk_acast_addr(struct net *net, struct net_device *dev,
-                        struct in6_addr *addr)
+                        const struct in6_addr *addr)
 {
        int found = 0;
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 320bdb877eed..16560336eb72 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -40,7 +40,7 @@ int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        struct ipv6_pinfo       *np = inet6_sk(sk);
        struct in6_addr         *daddr, *final_p, final;
        struct dst_entry        *dst;
-        struct flowi            fl;
+        struct flowi6           fl6;
        struct ip6_flowlabel    *flowlabel = NULL;
        struct ipv6_txoptions   *opt;
        int                     addr_type;
@@ -59,11 +59,11 @@ int ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
        if (usin->sin6_family != AF_INET6)
                return -EAFNOSUPPORT;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
        if (np->sndflow) {
-                fl.fl6_flowlabel = usin->sin6_flowinfo&IPV6_FLOWINFO_MASK;
+                fl6.flowlabel = usin->sin6_flowinfo&IPV6_FLOWINFO_MASK;
-                if (fl.fl6_flowlabel&IPV6_FLOWLABEL_MASK) {
+                if (fl6.flowlabel&IPV6_FLOWLABEL_MASK) {
-                        flowlabel = fl6_sock_lookup(sk, fl.fl6_flowlabel);
+                        flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
                        if (flowlabel == NULL)
                                return -EINVAL;
                        ipv6_addr_copy(&usin->sin6_addr, &flowlabel->dst);
@@ -137,7 +137,7 @@ ipv4_connected:
        }
        ipv6_addr_copy(&np->daddr, daddr);
-        np->flow_label = fl.fl6_flowlabel;
+        np->flow_label = fl6.flowlabel;
        inet->inet_dport = usin->sin6_port;
@@ -146,53 +146,46 @@ ipv4_connected:
         *      destination cache for it.
         */
-        fl.proto = sk->sk_protocol;
+        fl6.flowi6_proto = sk->sk_protocol;
-        ipv6_addr_copy(&fl.fl6_dst, &np->daddr);
+        ipv6_addr_copy(&fl6.daddr, &np->daddr);
-        ipv6_addr_copy(&fl.fl6_src, &np->saddr);
+        ipv6_addr_copy(&fl6.saddr, &np->saddr);
-        fl.oif = sk->sk_bound_dev_if;
+        fl6.flowi6_oif = sk->sk_bound_dev_if;
-        fl.mark = sk->sk_mark;
+        fl6.flowi6_mark = sk->sk_mark;
-        fl.fl_ip_dport = inet->inet_dport;
+        fl6.fl6_dport = inet->inet_dport;
-        fl.fl_ip_sport = inet->inet_sport;
+        fl6.fl6_sport = inet->inet_sport;
-        if (!fl.oif && (addr_type&IPV6_ADDR_MULTICAST))
+        if (!fl6.flowi6_oif && (addr_type&IPV6_ADDR_MULTICAST))
-                fl.oif = np->mcast_oif;
+                fl6.flowi6_oif = np->mcast_oif;
-        security_sk_classify_flow(sk, &fl);
+        security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
        opt = flowlabel ? flowlabel->opt : np->opt;
-        final_p = fl6_update_dst(&fl, opt, &final);
+        final_p = fl6_update_dst(&fl6, opt, &final);
-        err = ip6_dst_lookup(sk, &dst, &fl);
+        dst = ip6_dst_lookup_flow(sk, &fl6, final_p, true);
-        if (err)
+        err = 0;
+        if (IS_ERR(dst)) {
+                err = PTR_ERR(dst);
                goto out;
-        if (final_p)
-                ipv6_addr_copy(&fl.fl6_dst, final_p);
-        err = __xfrm_lookup(sock_net(sk), &dst, &fl, sk, XFRM_LOOKUP_WAIT);
-        if (err < 0) {
-                if (err == -EREMOTE)
-                        err = ip6_dst_blackhole(sk, &dst, &fl);
-                if (err < 0)
-                        goto out;
        }
        /* source address lookup done in ip6_dst_lookup */
        if (ipv6_addr_any(&np->saddr))
-                ipv6_addr_copy(&np->saddr, &fl.fl6_src);
+                ipv6_addr_copy(&np->saddr, &fl6.saddr);
        if (ipv6_addr_any(&np->rcv_saddr)) {
-                ipv6_addr_copy(&np->rcv_saddr, &fl.fl6_src);
+                ipv6_addr_copy(&np->rcv_saddr, &fl6.saddr);
                inet->inet_rcv_saddr = LOOPBACK4_IPV6;
                if (sk->sk_prot->rehash)
                        sk->sk_prot->rehash(sk);
        }
        ip6_dst_store(sk, dst,
-                      ipv6_addr_equal(&fl.fl6_dst, &np->daddr) ?
+                      ipv6_addr_equal(&fl6.daddr, &np->daddr) ?
                      &np->daddr : NULL,
 #ifdef CONFIG_IPV6_SUBTREES
-                      ipv6_addr_equal(&fl.fl6_src, &np->saddr) ?
+                      ipv6_addr_equal(&fl6.saddr, &np->saddr) ?
                      &np->saddr :
 #endif
                      NULL);
@@ -238,7 +231,7 @@ void ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err,
                kfree_skb(skb);
 }
-void ipv6_local_error(struct sock *sk, int err, struct flowi *fl, u32 info)
+void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info)
 {
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct sock_exterr_skb *serr;
@@ -257,7 +250,7 @@ void ipv6_local_error(struct sock *sk, int err, struct flowi *fl, u32 info)
        skb_put(skb, sizeof(struct ipv6hdr));
        skb_reset_network_header(skb);
        iph = ipv6_hdr(skb);
-        ipv6_addr_copy(&iph->daddr, &fl->fl6_dst);
+        ipv6_addr_copy(&iph->daddr, &fl6->daddr);
        serr = SKB_EXT_ERR(skb);
        serr->ee.ee_errno = err;
@@ -268,7 +261,7 @@ void ipv6_local_error(struct sock *sk, int err, struct flowi *fl, u32 info)
        serr->ee.ee_info = info;
        serr->ee.ee_data = 0;
        serr->addr_offset = (u8 *)&iph->daddr - skb_network_header(skb);
-        serr->port = fl->fl_ip_dport;
+        serr->port = fl6->fl6_dport;
        __skb_pull(skb, skb_tail_pointer(skb) - skb->data);
        skb_reset_transport_header(skb);
@@ -277,7 +270,7 @@ void ipv6_local_error(struct sock *sk, int err, struct flowi *fl, u32 info)
                kfree_skb(skb);
 }
-void ipv6_local_rxpmtu(struct sock *sk, struct flowi *fl, u32 mtu)
+void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu)
 {
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct ipv6hdr *iph;
@@ -294,7 +287,7 @@ void ipv6_local_rxpmtu(struct sock *sk, struct flowi *fl, u32 mtu)
        skb_put(skb, sizeof(struct ipv6hdr));
        skb_reset_network_header(skb);
        iph = ipv6_hdr(skb);
-        ipv6_addr_copy(&iph->daddr, &fl->fl6_dst);
+        ipv6_addr_copy(&iph->daddr, &fl6->daddr);
        mtu_info = IP6CBMTU(skb);
        if (!mtu_info) {
@@ -306,7 +299,7 @@ void ipv6_local_rxpmtu(struct sock *sk, struct flowi *fl, u32 mtu)
        mtu_info->ip6m_addr.sin6_family = AF_INET6;
        mtu_info->ip6m_addr.sin6_port = 0;
        mtu_info->ip6m_addr.sin6_flowinfo = 0;
-        mtu_info->ip6m_addr.sin6_scope_id = fl->oif;
+        mtu_info->ip6m_addr.sin6_scope_id = fl6->flowi6_oif;
        ipv6_addr_copy(&mtu_info->ip6m_addr.sin6_addr, &ipv6_hdr(skb)->daddr);
        __skb_pull(skb, skb_tail_pointer(skb) - skb->data);
@@ -600,7 +593,7 @@ int datagram_recv_ctl(struct sock *sk, struct msghdr *msg, struct sk_buff *skb)
 }
 int datagram_send_ctl(struct net *net,
-                      struct msghdr *msg, struct flowi *fl,
+                      struct msghdr *msg, struct flowi6 *fl6,
                      struct ipv6_txoptions *opt,
                      int *hlimit, int *tclass, int *dontfrag)
 {
@@ -636,16 +629,17 @@ int datagram_send_ctl(struct net *net,
                        src_info = (struct in6_pktinfo *)CMSG_DATA(cmsg);
                        if (src_info->ipi6_ifindex) {
-                                if (fl->oif && src_info->ipi6_ifindex != fl->oif)
+                                if (fl6->flowi6_oif &&
+                                    src_info->ipi6_ifindex != fl6->flowi6_oif)
                                        return -EINVAL;
-                                fl->oif = src_info->ipi6_ifindex;
+                                fl6->flowi6_oif = src_info->ipi6_ifindex;
                        }
                        addr_type = __ipv6_addr_type(&src_info->ipi6_addr);
                        rcu_read_lock();
-                        if (fl->oif) {
+                        if (fl6->flowi6_oif) {
-                                dev = dev_get_by_index_rcu(net, fl->oif);
+                                dev = dev_get_by_index_rcu(net, fl6->flowi6_oif);
                                if (!dev) {
                                        rcu_read_unlock();
                                        return -ENODEV;
@@ -661,7 +655,7 @@ int datagram_send_ctl(struct net *net,
                                                   strict ? dev : NULL, 0))
                                        err = -EINVAL;
                                else
-                                        ipv6_addr_copy(&fl->fl6_src, &src_info->ipi6_addr);
+                                        ipv6_addr_copy(&fl6->saddr, &src_info->ipi6_addr);
                        }
                        rcu_read_unlock();
@@ -678,13 +672,13 @@ int datagram_send_ctl(struct net *net,
                                goto exit_f;
                        }
-                        if (fl->fl6_flowlabel&IPV6_FLOWINFO_MASK) {
+                        if (fl6->flowlabel&IPV6_FLOWINFO_MASK) {
-                                if ((fl->fl6_flowlabel^*(__be32 *)CMSG_DATA(cmsg))&~IPV6_FLOWINFO_MASK) {
+                                if ((fl6->flowlabel^*(__be32 *)CMSG_DATA(cmsg))&~IPV6_FLOWINFO_MASK) {
                                        err = -EINVAL;
                                        goto exit_f;
                                }
                        }
-                        fl->fl6_flowlabel = IPV6_FLOWINFO_MASK & *(__be32 *)CMSG_DATA(cmsg);
+                        fl6->flowlabel = IPV6_FLOWINFO_MASK & *(__be32 *)CMSG_DATA(cmsg);
                        break;
                case IPV6_2292HOPOPTS:
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 1b5c9825743b..1ac7938dd9ec 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -54,16 +54,20 @@ static u32 esp6_get_mtu(struct xfrm_state *x, int mtu);
 /*
 * Allocate an AEAD request structure with extra space for SG and IV.
 *
- * For alignment considerations the IV is placed at the front, followed
+ * For alignment considerations the upper 32 bits of the sequence number are
- * by the request and finally the SG list.
+ * placed at the front, if present. Followed by the IV, the request and finally
+ * the SG list.
 *
 * TODO: Use spare space in skb for this where possible.
 */
-static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags)
+static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags, int seqihlen)
 {
        unsigned int len;
-        len = crypto_aead_ivsize(aead);
+        len = seqihlen;
+        len += crypto_aead_ivsize(aead);
        if (len) {
                len += crypto_aead_alignmask(aead) &
                       ~(crypto_tfm_ctx_alignment() - 1);
@@ -78,10 +82,16 @@ static void *esp_alloc_tmp(struct crypto_aead *aead, int nfrags)
        return kmalloc(len, GFP_ATOMIC);
 }
-static inline u8 *esp_tmp_iv(struct crypto_aead *aead, void *tmp)
+static inline __be32 *esp_tmp_seqhi(void *tmp)
+{
+        return PTR_ALIGN((__be32 *)tmp, __alignof__(__be32));
+}
+static inline u8 *esp_tmp_iv(struct crypto_aead *aead, void *tmp, int seqhilen)
 {
        return crypto_aead_ivsize(aead) ?
-               PTR_ALIGN((u8 *)tmp, crypto_aead_alignmask(aead) + 1) : tmp;
+               PTR_ALIGN((u8 *)tmp + seqhilen,
+                         crypto_aead_alignmask(aead) + 1) : tmp + seqhilen;
 }
 static inline struct aead_givcrypt_request *esp_tmp_givreq(
@@ -145,8 +155,12 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
        int plen;
        int tfclen;
        int nfrags;
+        int assoclen;
+        int sglists;
+        int seqhilen;
        u8 *iv;
        u8 *tail;
+        __be32 *seqhi;
        struct esp_data *esp = x->data;
        /* skb is pure payload to encrypt */
@@ -175,14 +189,25 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
                goto error;
        nfrags = err;
-        tmp = esp_alloc_tmp(aead, nfrags + 1);
+        assoclen = sizeof(*esph);
+        sglists = 1;
+        seqhilen = 0;
+        if (x->props.flags & XFRM_STATE_ESN) {
+                sglists += 2;
+                seqhilen += sizeof(__be32);
+                assoclen += seqhilen;
+        }
+        tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen);
        if (!tmp)
                goto error;
-        iv = esp_tmp_iv(aead, tmp);
+        seqhi = esp_tmp_seqhi(tmp);
+        iv = esp_tmp_iv(aead, tmp, seqhilen);
        req = esp_tmp_givreq(aead, iv);
        asg = esp_givreq_sg(aead, req);
-        sg = asg + 1;
+        sg = asg + sglists;
        /* Fill padding... */
        tail = skb_tail_pointer(trailer);
@@ -204,19 +229,27 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
        *skb_mac_header(skb) = IPPROTO_ESP;
        esph->spi = x->id.spi;
-        esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output);
+        esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
        sg_init_table(sg, nfrags);
        skb_to_sgvec(skb, sg,
                     esph->enc_data + crypto_aead_ivsize(aead) - skb->data,
                     clen + alen);
-        sg_init_one(asg, esph, sizeof(*esph));
+        if ((x->props.flags & XFRM_STATE_ESN)) {
+                sg_init_table(asg, 3);
+                sg_set_buf(asg, &esph->spi, sizeof(__be32));
+                *seqhi = htonl(XFRM_SKB_CB(skb)->seq.output.hi);
+                sg_set_buf(asg + 1, seqhi, seqhilen);
+                sg_set_buf(asg + 2, &esph->seq_no, sizeof(__be32));
+        } else
+                sg_init_one(asg, esph, sizeof(*esph));
        aead_givcrypt_set_callback(req, 0, esp_output_done, skb);
        aead_givcrypt_set_crypt(req, sg, sg, clen, iv);
-        aead_givcrypt_set_assoc(req, asg, sizeof(*esph));
+        aead_givcrypt_set_assoc(req, asg, assoclen);
        aead_givcrypt_set_giv(req, esph->enc_data,
-                              XFRM_SKB_CB(skb)->seq.output);
+                              XFRM_SKB_CB(skb)->seq.output.low);
        ESP_SKB_CB(skb)->tmp = tmp;
        err = crypto_aead_givencrypt(req);
@@ -292,8 +325,12 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
        struct sk_buff *trailer;
        int elen = skb->len - sizeof(*esph) - crypto_aead_ivsize(aead);
        int nfrags;
+        int assoclen;
+        int sglists;
+        int seqhilen;
        int ret = 0;
        void *tmp;
+        __be32 *seqhi;
        u8 *iv;
        struct scatterlist *sg;
        struct scatterlist *asg;
@@ -314,15 +351,27 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
        }
        ret = -ENOMEM;
-        tmp = esp_alloc_tmp(aead, nfrags + 1);
+        assoclen = sizeof(*esph);
+        sglists = 1;
+        seqhilen = 0;
+        if (x->props.flags & XFRM_STATE_ESN) {
+                sglists += 2;
+                seqhilen += sizeof(__be32);
+                assoclen += seqhilen;
+        }
+        tmp = esp_alloc_tmp(aead, nfrags + sglists, seqhilen);
        if (!tmp)
                goto out;
        ESP_SKB_CB(skb)->tmp = tmp;
-        iv = esp_tmp_iv(aead, tmp);
+        seqhi = esp_tmp_seqhi(tmp);
+        iv = esp_tmp_iv(aead, tmp, seqhilen);
        req = esp_tmp_req(aead, iv);
        asg = esp_req_sg(aead, req);
-        sg = asg + 1;
+        sg = asg + sglists;
        skb->ip_summed = CHECKSUM_NONE;
@@ -333,11 +382,19 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
        sg_init_table(sg, nfrags);
        skb_to_sgvec(skb, sg, sizeof(*esph) + crypto_aead_ivsize(aead), elen);
-        sg_init_one(asg, esph, sizeof(*esph));
+        if ((x->props.flags & XFRM_STATE_ESN)) {
+                sg_init_table(asg, 3);
+                sg_set_buf(asg, &esph->spi, sizeof(__be32));
+                *seqhi = XFRM_SKB_CB(skb)->seq.input.hi;
+                sg_set_buf(asg + 1, seqhi, seqhilen);
+                sg_set_buf(asg + 2, &esph->seq_no, sizeof(__be32));
+        } else
+                sg_init_one(asg, esph, sizeof(*esph));
        aead_request_set_callback(req, 0, esp_input_done, skb);
        aead_request_set_crypt(req, sg, sg, elen, iv);
-        aead_request_set_assoc(req, asg, sizeof(*esph));
+        aead_request_set_assoc(req, asg, assoclen);
        ret = crypto_aead_decrypt(req);
        if (ret == -EINPROGRESS)
@@ -373,7 +430,7 @@ static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                     u8 type, u8 code, int offset, __be32 info)
 {
        struct net *net = dev_net(skb->dev);
-        struct ipv6hdr *iph = (struct ipv6hdr*)skb->data;
+        const struct ipv6hdr *iph = (const struct ipv6hdr *)skb->data;
        struct ip_esp_hdr *esph = (struct ip_esp_hdr *)(skb->data + offset);
        struct xfrm_state *x;
@@ -381,7 +438,8 @@ static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
            type != ICMPV6_PKT_TOOBIG)
                return;
-        x = xfrm_state_lookup(net, skb->mark, (xfrm_address_t *)&iph->daddr, esph->spi, IPPROTO_ESP, AF_INET6);
+        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
+                              esph->spi, IPPROTO_ESP, AF_INET6);
        if (!x)
                return;
        printk(KERN_DEBUG "pmtu discovery on SA ESP/%08x/%pI6\n",
@@ -443,10 +501,20 @@ static int esp_init_authenc(struct xfrm_state *x)
                goto error;
        err = -ENAMETOOLONG;
-        if (snprintf(authenc_name, CRYPTO_MAX_ALG_NAME, "authenc(%s,%s)",
-                     x->aalg ? x->aalg->alg_name : "digest_null",
+        if ((x->props.flags & XFRM_STATE_ESN)) {
-                     x->ealg->alg_name) >= CRYPTO_MAX_ALG_NAME)
+                if (snprintf(authenc_name, CRYPTO_MAX_ALG_NAME,
-                goto error;
+                             "authencesn(%s,%s)",
+                             x->aalg ? x->aalg->alg_name : "digest_null",
+                             x->ealg->alg_name) >= CRYPTO_MAX_ALG_NAME)
+                        goto error;
+        } else {
+                if (snprintf(authenc_name, CRYPTO_MAX_ALG_NAME,
+                             "authenc(%s,%s)",
+                             x->aalg ? x->aalg->alg_name : "digest_null",
+                             x->ealg->alg_name) >= CRYPTO_MAX_ALG_NAME)
+                        goto error;
+        }
        aead = crypto_alloc_aead(authenc_name, 0, 0);
        err = PTR_ERR(aead);
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 262f105d23b9..79a485e8a700 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -876,22 +876,22 @@ struct ipv6_txoptions *ipv6_fixup_options(struct ipv6_txoptions *opt_space,
 * fl6_update_dst - update flowi destination address with info given
 *                  by srcrt option, if any.
 *
- * @fl: flowi for which fl6_dst is to be updated
+ * @fl6: flowi6 for which daddr is to be updated
 * @opt: struct ipv6_txoptions in which to look for srcrt opt
- * @orig: copy of original fl6_dst address if modified
+ * @orig: copy of original daddr address if modified
 *
 * Returns NULL if no txoptions or no srcrt, otherwise returns orig
- * and initial value of fl->fl6_dst set in orig
+ * and initial value of fl6->daddr set in orig
 */
-struct in6_addr *fl6_update_dst(struct flowi *fl,
+struct in6_addr *fl6_update_dst(struct flowi6 *fl6,
                                const struct ipv6_txoptions *opt,
                                struct in6_addr *orig)
 {
        if (!opt || !opt->srcrt)
                return NULL;
-        ipv6_addr_copy(orig, &fl->fl6_dst);
+        ipv6_addr_copy(orig, &fl6->daddr);
-        ipv6_addr_copy(&fl->fl6_dst, ((struct rt0_hdr *)opt->srcrt)->addr);
+        ipv6_addr_copy(&fl6->daddr, ((struct rt0_hdr *)opt->srcrt)->addr);
        return orig;
 }
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index d829874d8946..34d244df907d 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -29,7 +29,7 @@ struct fib6_rule
        u8                      tclass;
 };
-struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi *fl,
+struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
                                   int flags, pol_lookup_t lookup)
 {
        struct fib_lookup_arg arg = {
@@ -37,7 +37,8 @@ struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi *fl,
                .flags = FIB_LOOKUP_NOREF,
        };
-        fib_rules_lookup(net->ipv6.fib6_rules_ops, fl, flags, &arg);
+        fib_rules_lookup(net->ipv6.fib6_rules_ops,
+                         flowi6_to_flowi(fl6), flags, &arg);
        if (arg.result)
                return arg.result;
@@ -49,6 +50,7 @@ struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi *fl,
 static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
                            int flags, struct fib_lookup_arg *arg)
 {
+        struct flowi6 *flp6 = &flp->u.ip6;
        struct rt6_info *rt = NULL;
        struct fib6_table *table;
        struct net *net = rule->fr_net;
@@ -71,7 +73,7 @@ static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
        table = fib6_get_table(net, rule->table);
        if (table)
-                rt = lookup(net, table, flp, flags);
+                rt = lookup(net, table, flp6, flags);
        if (rt != net->ipv6.ip6_null_entry) {
                struct fib6_rule *r = (struct fib6_rule *)rule;
@@ -86,14 +88,14 @@ static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
                        if (ipv6_dev_get_saddr(net,
                                               ip6_dst_idev(&rt->dst)->dev,
-                                               &flp->fl6_dst,
+                                               &flp6->daddr,
                                               rt6_flags2srcprefs(flags),
                                               &saddr))
                                goto again;
                        if (!ipv6_prefix_equal(&saddr, &r->src.addr,
                                               r->src.plen))
                                goto again;
-                        ipv6_addr_copy(&flp->fl6_src, &saddr);
+                        ipv6_addr_copy(&flp6->saddr, &saddr);
                }
                goto out;
        }
@@ -113,9 +115,10 @@ out:
 static int fib6_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)
 {
        struct fib6_rule *r = (struct fib6_rule *) rule;
+        struct flowi6 *fl6 = &fl->u.ip6;
        if (r->dst.plen &&
-            !ipv6_prefix_equal(&fl->fl6_dst, &r->dst.addr, r->dst.plen))
+            !ipv6_prefix_equal(&fl6->daddr, &r->dst.addr, r->dst.plen))
                return 0;
        /*
@@ -125,14 +128,14 @@ static int fib6_rule_match(struct fib_rule *rule, struct flowi *fl, int flags)
         */
        if (r->src.plen) {
                if (flags & RT6_LOOKUP_F_HAS_SADDR) {
-                        if (!ipv6_prefix_equal(&fl->fl6_src, &r->src.addr,
+                        if (!ipv6_prefix_equal(&fl6->saddr, &r->src.addr,
                                               r->src.plen))
                                return 0;
                } else if (!(r->common.flags & FIB_RULE_FIND_SADDR))
                        return 0;
        }
-        if (r->tclass && r->tclass != ((ntohl(fl->fl6_flowlabel) >> 20) & 0xff))
+        if (r->tclass && r->tclass != ((ntohl(fl6->flowlabel) >> 20) & 0xff))
                return 0;
        return 1;
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 03e62f94ff8e..11900417b1cc 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -157,32 +157,32 @@ static int is_ineligible(struct sk_buff *skb)
 /*
 * Check the ICMP output rate limit
 */
-static inline int icmpv6_xrlim_allow(struct sock *sk, u8 type,
+static inline bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
-                                     struct flowi *fl)
+                                      struct flowi6 *fl6)
 {
        struct dst_entry *dst;
        struct net *net = sock_net(sk);
-        int res = 0;
+        bool res = false;
        /* Informational messages are not limited. */
        if (type & ICMPV6_INFOMSG_MASK)
-                return 1;
+                return true;
        /* Do not limit pmtu discovery, it would break it. */
        if (type == ICMPV6_PKT_TOOBIG)
-                return 1;
+                return true;
        /*
         * Look up the output route.
         * XXX: perhaps the expire for routing entries cloned by
         * this lookup should be more aggressive (not longer than timeout).
         */
-        dst = ip6_route_output(net, sk, fl);
+        dst = ip6_route_output(net, sk, fl6);
        if (dst->error) {
                IP6_INC_STATS(net, ip6_dst_idev(dst),
                              IPSTATS_MIB_OUTNOROUTES);
        } else if (dst->dev && (dst->dev->flags&IFF_LOOPBACK)) {
-                res = 1;
+                res = true;
        } else {
                struct rt6_info *rt = (struct rt6_info *)dst;
                int tmo = net->ipv6.sysctl.icmpv6_time;
@@ -191,7 +191,9 @@ static inline int icmpv6_xrlim_allow(struct sock *sk, u8 type,
                if (rt->rt6i_dst.plen < 128)
                        tmo >>= ((128 - rt->rt6i_dst.plen)>>5);
-                res = xrlim_allow(dst, tmo);
+                if (!rt->rt6i_peer)
+                        rt6_bind_peer(rt, 1);
+                res = inet_peer_xrlim_allow(rt->rt6i_peer, tmo);
        }
        dst_release(dst);
        return res;
@@ -215,7 +217,7 @@ static __inline__ int opt_unrec(struct sk_buff *skb, __u32 offset)
        return (*op & 0xC0) == 0x80;
 }
-static int icmpv6_push_pending_frames(struct sock *sk, struct flowi *fl, struct icmp6hdr *thdr, int len)
+static int icmpv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6, struct icmp6hdr *thdr, int len)
 {
        struct sk_buff *skb;
        struct icmp6hdr *icmp6h;
@@ -231,9 +233,9 @@ static int icmpv6_push_pending_frames(struct sock *sk, struct flowi *fl, struct
        if (skb_queue_len(&sk->sk_write_queue) == 1) {
                skb->csum = csum_partial(icmp6h,
                                        sizeof(struct icmp6hdr), skb->csum);
-                icmp6h->icmp6_cksum = csum_ipv6_magic(&fl->fl6_src,
+                icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
-                                                      &fl->fl6_dst,
+                                                      &fl6->daddr,
-                                                      len, fl->proto,
+                                                      len, fl6->flowi6_proto,
                                                      skb->csum);
        } else {
                __wsum tmp_csum = 0;
@@ -244,9 +246,9 @@ static int icmpv6_push_pending_frames(struct sock *sk, struct flowi *fl, struct
                tmp_csum = csum_partial(icmp6h,
                                        sizeof(struct icmp6hdr), tmp_csum);
-                icmp6h->icmp6_cksum = csum_ipv6_magic(&fl->fl6_src,
+                icmp6h->icmp6_cksum = csum_ipv6_magic(&fl6->saddr,
-                                                      &fl->fl6_dst,
+                                                      &fl6->daddr,
-                                                      len, fl->proto,
+                                                      len, fl6->flowi6_proto,
                                                      tmp_csum);
        }
        ip6_push_pending_frames(sk);
@@ -298,6 +300,68 @@ static void mip6_addr_swap(struct sk_buff *skb)
 static inline void mip6_addr_swap(struct sk_buff *skb) {}
 #endif
+static struct dst_entry *icmpv6_route_lookup(struct net *net, struct sk_buff *skb,
+                                             struct sock *sk, struct flowi6 *fl6)
+{
+        struct dst_entry *dst, *dst2;
+        struct flowi6 fl2;
+        int err;
+        err = ip6_dst_lookup(sk, &dst, fl6);
+        if (err)
+                return ERR_PTR(err);
+        /*
+         * We won't send icmp if the destination is known
+         * anycast.
+         */
+        if (((struct rt6_info *)dst)->rt6i_flags & RTF_ANYCAST) {
+                LIMIT_NETDEBUG(KERN_DEBUG "icmpv6_send: acast source\n");
+                dst_release(dst);
+                return ERR_PTR(-EINVAL);
+        }
+        /* No need to clone since we're just using its address. */
+        dst2 = dst;
+        dst = xfrm_lookup(net, dst, flowi6_to_flowi(fl6), sk, 0);
+        if (!IS_ERR(dst)) {
+                if (dst != dst2)
+                        return dst;
+        } else {
+                if (PTR_ERR(dst) == -EPERM)
+                        dst = NULL;
+                else
+                        return dst;
+        }
+        err = xfrm_decode_session_reverse(skb, flowi6_to_flowi(&fl2), AF_INET6);
+        if (err)
+                goto relookup_failed;
+        err = ip6_dst_lookup(sk, &dst2, &fl2);
+        if (err)
+                goto relookup_failed;
+        dst2 = xfrm_lookup(net, dst2, flowi6_to_flowi(&fl2), sk, XFRM_LOOKUP_ICMP);
+        if (!IS_ERR(dst2)) {
+                dst_release(dst);
+                dst = dst2;
+        } else {
+                err = PTR_ERR(dst2);
+                if (err == -EPERM) {
+                        dst_release(dst);
+                        return dst2;
+                } else
+                        goto relookup_failed;
+        }
+relookup_failed:
+        if (dst)
+                return dst;
+        return ERR_PTR(err);
+}
 /*
 *      Send an ICMP message in response to a packet in error
 */
@@ -308,12 +372,10 @@ void icmpv6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info)
        struct ipv6hdr *hdr = ipv6_hdr(skb);
        struct sock *sk;
        struct ipv6_pinfo *np;
-        struct in6_addr *saddr = NULL;
+        const struct in6_addr *saddr = NULL;
        struct dst_entry *dst;
-        struct dst_entry *dst2;
        struct icmp6hdr tmp_hdr;
-        struct flowi fl;
+        struct flowi6 fl6;
-        struct flowi fl2;
        struct icmpv6_msg msg;
        int iif = 0;
        int addr_type = 0;
@@ -380,22 +442,22 @@ void icmpv6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info)
        mip6_addr_swap(skb);
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
-        fl.proto = IPPROTO_ICMPV6;
+        fl6.flowi6_proto = IPPROTO_ICMPV6;
-        ipv6_addr_copy(&fl.fl6_dst, &hdr->saddr);
+        ipv6_addr_copy(&fl6.daddr, &hdr->saddr);
        if (saddr)
-                ipv6_addr_copy(&fl.fl6_src, saddr);
+                ipv6_addr_copy(&fl6.saddr, saddr);
-        fl.oif = iif;
+        fl6.flowi6_oif = iif;
-        fl.fl_icmp_type = type;
+        fl6.fl6_icmp_type = type;
-        fl.fl_icmp_code = code;
+        fl6.fl6_icmp_code = code;
-        security_skb_classify_flow(skb, &fl);
+        security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));
        sk = icmpv6_xmit_lock(net);
        if (sk == NULL)
                return;
        np = inet6_sk(sk);
-        if (!icmpv6_xrlim_allow(sk, type, &fl))
+        if (!icmpv6_xrlim_allow(sk, type, &fl6))
                goto out;
        tmp_hdr.icmp6_type = type;
@@ -403,61 +465,14 @@ void icmpv6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info)
        tmp_hdr.icmp6_cksum = 0;
        tmp_hdr.icmp6_pointer = htonl(info);
-        if (!fl.oif && ipv6_addr_is_multicast(&fl.fl6_dst))
+        if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
-                fl.oif = np->mcast_oif;
+                fl6.flowi6_oif = np->mcast_oif;
-        err = ip6_dst_lookup(sk, &dst, &fl);
+        dst = icmpv6_route_lookup(net, skb, sk, &fl6);
-        if (err)
+        if (IS_ERR(dst))
                goto out;
-        /*
+        if (ipv6_addr_is_multicast(&fl6.daddr))
-         * We won't send icmp if the destination is known
-         * anycast.
-         */
-        if (((struct rt6_info *)dst)->rt6i_flags & RTF_ANYCAST) {
-                LIMIT_NETDEBUG(KERN_DEBUG "icmpv6_send: acast source\n");
-                goto out_dst_release;
-        }
-        /* No need to clone since we're just using its address. */
-        dst2 = dst;
-        err = xfrm_lookup(net, &dst, &fl, sk, 0);
-        switch (err) {
-        case 0:
-                if (dst != dst2)
-                        goto route_done;
-                break;
-        case -EPERM:
-                dst = NULL;
-                break;
-        default:
-                goto out;
-        }
-        if (xfrm_decode_session_reverse(skb, &fl2, AF_INET6))
-                goto relookup_failed;
-        if (ip6_dst_lookup(sk, &dst2, &fl2))
-                goto relookup_failed;
-        err = xfrm_lookup(net, &dst2, &fl2, sk, XFRM_LOOKUP_ICMP);
-        switch (err) {
-        case 0:
-                dst_release(dst);
-                dst = dst2;
-                break;
-        case -EPERM:
-                goto out_dst_release;
-        default:
-relookup_failed:
-                if (!dst)
-                        goto out;
-                break;
-        }
-route_done:
-        if (ipv6_addr_is_multicast(&fl.fl6_dst))
                hlimit = np->mcast_hops;
        else
                hlimit = np->hop_limit;
@@ -480,14 +495,14 @@ route_done:
        err = ip6_append_data(sk, icmpv6_getfrag, &msg,
                              len + sizeof(struct icmp6hdr),
                              sizeof(struct icmp6hdr), hlimit,
-                              np->tclass, NULL, &fl, (struct rt6_info*)dst,
+                              np->tclass, NULL, &fl6, (struct rt6_info*)dst,
                              MSG_DONTWAIT, np->dontfrag);
        if (err) {
                ICMP6_INC_STATS_BH(net, idev, ICMP6_MIB_OUTERRORS);
                ip6_flush_pending_frames(sk);
                goto out_put;
        }
-        err = icmpv6_push_pending_frames(sk, &fl, &tmp_hdr, len + sizeof(struct icmp6hdr));
+        err = icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr, len + sizeof(struct icmp6hdr));
 out_put:
        if (likely(idev != NULL))
@@ -506,10 +521,10 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
        struct sock *sk;
        struct inet6_dev *idev;
        struct ipv6_pinfo *np;
-        struct in6_addr *saddr = NULL;
+        const struct in6_addr *saddr = NULL;
        struct icmp6hdr *icmph = icmp6_hdr(skb);
        struct icmp6hdr tmp_hdr;
-        struct flowi fl;
+        struct flowi6 fl6;
        struct icmpv6_msg msg;
        struct dst_entry *dst;
        int err = 0;
@@ -523,30 +538,31 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
        memcpy(&tmp_hdr, icmph, sizeof(tmp_hdr));
        tmp_hdr.icmp6_type = ICMPV6_ECHO_REPLY;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
-        fl.proto = IPPROTO_ICMPV6;
+        fl6.flowi6_proto = IPPROTO_ICMPV6;
-        ipv6_addr_copy(&fl.fl6_dst, &ipv6_hdr(skb)->saddr);
+        ipv6_addr_copy(&fl6.daddr, &ipv6_hdr(skb)->saddr);
        if (saddr)
-                ipv6_addr_copy(&fl.fl6_src, saddr);
+                ipv6_addr_copy(&fl6.saddr, saddr);
-        fl.oif = skb->dev->ifindex;
+        fl6.flowi6_oif = skb->dev->ifindex;
-        fl.fl_icmp_type = ICMPV6_ECHO_REPLY;
+        fl6.fl6_icmp_type = ICMPV6_ECHO_REPLY;
-        security_skb_classify_flow(skb, &fl);
+        security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));
        sk = icmpv6_xmit_lock(net);
        if (sk == NULL)
                return;
        np = inet6_sk(sk);
-        if (!fl.oif && ipv6_addr_is_multicast(&fl.fl6_dst))
+        if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
-                fl.oif = np->mcast_oif;
+                fl6.flowi6_oif = np->mcast_oif;
-        err = ip6_dst_lookup(sk, &dst, &fl);
+        err = ip6_dst_lookup(sk, &dst, &fl6);
        if (err)
                goto out;
-        if ((err = xfrm_lookup(net, &dst, &fl, sk, 0)) < 0)
+        dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0);
+        if (IS_ERR(dst))
                goto out;
-        if (ipv6_addr_is_multicast(&fl.fl6_dst))
+        if (ipv6_addr_is_multicast(&fl6.daddr))
                hlimit = np->mcast_hops;
        else
                hlimit = np->hop_limit;
@@ -560,7 +576,7 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
        msg.type = ICMPV6_ECHO_REPLY;
        err = ip6_append_data(sk, icmpv6_getfrag, &msg, skb->len + sizeof(struct icmp6hdr),
-                                sizeof(struct icmp6hdr), hlimit, np->tclass, NULL, &fl,
+                                sizeof(struct icmp6hdr), hlimit, np->tclass, NULL, &fl6,
                                (struct rt6_info*)dst, MSG_DONTWAIT,
                                np->dontfrag);
@@ -569,7 +585,7 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
                ip6_flush_pending_frames(sk);
                goto out_put;
        }
-        err = icmpv6_push_pending_frames(sk, &fl, &tmp_hdr, skb->len + sizeof(struct icmp6hdr));
+        err = icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr, skb->len + sizeof(struct icmp6hdr));
 out_put:
        if (likely(idev != NULL))
@@ -629,8 +645,8 @@ static int icmpv6_rcv(struct sk_buff *skb)
 {
        struct net_device *dev = skb->dev;
        struct inet6_dev *idev = __in6_dev_get(dev);
-        struct in6_addr *saddr, *daddr;
+        const struct in6_addr *saddr, *daddr;
-        struct ipv6hdr *orig_hdr;
+        const struct ipv6hdr *orig_hdr;
        struct icmp6hdr *hdr;
        u8 type;
@@ -768,20 +784,20 @@ drop_no_count:
        return 0;
 }
-void icmpv6_flow_init(struct sock *sk, struct flowi *fl,
+void icmpv6_flow_init(struct sock *sk, struct flowi6 *fl6,
                      u8 type,
                      const struct in6_addr *saddr,
                      const struct in6_addr *daddr,
                      int oif)
 {
-        memset(fl, 0, sizeof(*fl));
+        memset(fl6, 0, sizeof(*fl6));
-        ipv6_addr_copy(&fl->fl6_src, saddr);
+        ipv6_addr_copy(&fl6->saddr, saddr);
-        ipv6_addr_copy(&fl->fl6_dst, daddr);
+        ipv6_addr_copy(&fl6->daddr, daddr);
-        fl->proto               = IPPROTO_ICMPV6;
+        fl6->flowi6_proto       = IPPROTO_ICMPV6;
-        fl->fl_icmp_type        = type;
+        fl6->fl6_icmp_type      = type;
-        fl->fl_icmp_code        = 0;
+        fl6->fl6_icmp_code      = 0;
-        fl->oif                 = oif;
+        fl6->flowi6_oif         = oif;
-        security_sk_classify_flow(sk, fl);
+        security_sk_classify_flow(sk, flowi6_to_flowi(fl6));
 }
 /*
diff --git a/net/ipv6/inet6_connection_sock.c b/net/ipv6/inet6_connection_sock.c
index d144e629d2b4..8a58e8cf6646 100644
--- a/net/ipv6/inet6_connection_sock.c
+++ b/net/ipv6/inet6_connection_sock.c
@@ -44,7 +44,7 @@ int inet6_csk_bind_conflict(const struct sock *sk,
                     !sk2->sk_bound_dev_if ||
                     sk->sk_bound_dev_if == sk2->sk_bound_dev_if) &&
                    (!sk->sk_reuse || !sk2->sk_reuse ||
-                     ((1 << sk2->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))) &&
+                     sk2->sk_state == TCP_LISTEN) &&
                     ipv6_rcv_saddr_equal(sk, sk2))
                        break;
        }
@@ -61,26 +61,21 @@ struct dst_entry *inet6_csk_route_req(struct sock *sk,
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct in6_addr *final_p, final;
        struct dst_entry *dst;
-        struct flowi fl;
+        struct flowi6 fl6;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
-        fl.proto = IPPROTO_TCP;
+        fl6.flowi6_proto = IPPROTO_TCP;
-        ipv6_addr_copy(&fl.fl6_dst, &treq->rmt_addr);
+        ipv6_addr_copy(&fl6.daddr, &treq->rmt_addr);
-        final_p = fl6_update_dst(&fl, np->opt, &final);
+        final_p = fl6_update_dst(&fl6, np->opt, &final);
-        ipv6_addr_copy(&fl.fl6_src, &treq->loc_addr);
+        ipv6_addr_copy(&fl6.saddr, &treq->loc_addr);
-        fl.oif = sk->sk_bound_dev_if;
+        fl6.flowi6_oif = sk->sk_bound_dev_if;
-        fl.mark = sk->sk_mark;
+        fl6.flowi6_mark = sk->sk_mark;
-        fl.fl_ip_dport = inet_rsk(req)->rmt_port;
+        fl6.fl6_dport = inet_rsk(req)->rmt_port;
-        fl.fl_ip_sport = inet_rsk(req)->loc_port;
+        fl6.fl6_sport = inet_rsk(req)->loc_port;
-        security_req_classify_flow(req, &fl);
+        security_req_classify_flow(req, flowi6_to_flowi(&fl6));
-        if (ip6_dst_lookup(sk, &dst, &fl))
+        dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false);
-                return NULL;
+        if (IS_ERR(dst))
-        if (final_p)
-                ipv6_addr_copy(&fl.fl6_dst, final_p);
-        if ((xfrm_lookup(sock_net(sk), &dst, &fl, sk, 0)) < 0)
                return NULL;
        return dst;
@@ -208,47 +203,39 @@ struct dst_entry *__inet6_csk_dst_check(struct sock *sk, u32 cookie)
        return dst;
 }
-int inet6_csk_xmit(struct sk_buff *skb)
+int inet6_csk_xmit(struct sk_buff *skb, struct flowi *fl_unused)
 {
        struct sock *sk = skb->sk;
        struct inet_sock *inet = inet_sk(sk);
        struct ipv6_pinfo *np = inet6_sk(sk);
-        struct flowi fl;
+        struct flowi6 fl6;
        struct dst_entry *dst;
        struct in6_addr *final_p, final;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
-        fl.proto = sk->sk_protocol;
+        fl6.flowi6_proto = sk->sk_protocol;
-        ipv6_addr_copy(&fl.fl6_dst, &np->daddr);
+        ipv6_addr_copy(&fl6.daddr, &np->daddr);
-        ipv6_addr_copy(&fl.fl6_src, &np->saddr);
+        ipv6_addr_copy(&fl6.saddr, &np->saddr);
-        fl.fl6_flowlabel = np->flow_label;
+        fl6.flowlabel = np->flow_label;
-        IP6_ECN_flow_xmit(sk, fl.fl6_flowlabel);
+        IP6_ECN_flow_xmit(sk, fl6.flowlabel);
-        fl.oif = sk->sk_bound_dev_if;
+        fl6.flowi6_oif = sk->sk_bound_dev_if;
-        fl.mark = sk->sk_mark;
+        fl6.flowi6_mark = sk->sk_mark;
-        fl.fl_ip_sport = inet->inet_sport;
+        fl6.fl6_sport = inet->inet_sport;
-        fl.fl_ip_dport = inet->inet_dport;
+        fl6.fl6_dport = inet->inet_dport;
-        security_sk_classify_flow(sk, &fl);
+        security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
-        final_p = fl6_update_dst(&fl, np->opt, &final);
+        final_p = fl6_update_dst(&fl6, np->opt, &final);
        dst = __inet6_csk_dst_check(sk, np->dst_cookie);
        if (dst == NULL) {
-                int err = ip6_dst_lookup(sk, &dst, &fl);
+                dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false);
-                if (err) {
-                        sk->sk_err_soft = -err;
-                        kfree_skb(skb);
-                        return err;
-                }
-                if (final_p)
-                        ipv6_addr_copy(&fl.fl6_dst, final_p);
-                if ((err = xfrm_lookup(sock_net(sk), &dst, &fl, sk, 0)) < 0) {
+                if (IS_ERR(dst)) {
+                        sk->sk_err_soft = -PTR_ERR(dst);
                        sk->sk_route_caps = 0;
                        kfree_skb(skb);
-                        return err;
+                        return PTR_ERR(dst);
                }
                __inet6_csk_dst_store(sk, dst, NULL, NULL);
@@ -257,9 +244,9 @@ int inet6_csk_xmit(struct sk_buff *skb)
        skb_dst_set(skb, dst_clone(dst));
        /* Restore final destination back after routing done */
-        ipv6_addr_copy(&fl.fl6_dst, &np->daddr);
+        ipv6_addr_copy(&fl6.daddr, &np->daddr);
-        return ip6_xmit(sk, skb, &fl, np->opt);
+        return ip6_xmit(sk, skb, &fl6, np->opt);
 }
 EXPORT_SYMBOL_GPL(inet6_csk_xmit);
diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c
index 633a6c266136..b53197233709 100644
--- a/net/ipv6/inet6_hashtables.c
+++ b/net/ipv6/inet6_hashtables.c
@@ -124,7 +124,7 @@ out:
 }
 EXPORT_SYMBOL(__inet6_lookup_established);
-static int inline compute_score(struct sock *sk, struct net *net,
+static inline int compute_score(struct sock *sk, struct net *net,
                                const unsigned short hnum,
                                const struct in6_addr *daddr,
                                const int dif)
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index de382114609b..4076a0b14b20 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -134,9 +134,9 @@ static __inline__ u32 fib6_new_sernum(void)
 # define BITOP_BE32_SWIZZLE     0
 #endif
-static __inline__ __be32 addr_bit_set(void *token, int fn_bit)
+static __inline__ __be32 addr_bit_set(const void *token, int fn_bit)
 {
-        __be32 *addr = token;
+        const __be32 *addr = token;
        /*
         * Here,
         *      1 << ((~fn_bit ^ BITOP_BE32_SWIZZLE) & 0x1f)
@@ -260,10 +260,10 @@ struct fib6_table *fib6_get_table(struct net *net, u32 id)
          return net->ipv6.fib6_main_tbl;
 }
-struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi *fl,
+struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
                                   int flags, pol_lookup_t lookup)
 {
-        return (struct dst_entry *) lookup(net, net->ipv6.fib6_main_tbl, fl, flags);
+        return (struct dst_entry *) lookup(net, net->ipv6.fib6_main_tbl, fl6, flags);
 }
 static void __net_init fib6_tables_init(struct net *net)
@@ -394,10 +394,11 @@ static int inet6_dump_fib(struct sk_buff *skb, struct netlink_callback *cb)
        arg.net = net;
        w->args = &arg;
+        rcu_read_lock();
        for (h = s_h; h < FIB6_TABLE_HASHSZ; h++, s_e = 0) {
                e = 0;
                head = &net->ipv6.fib_table_hash[h];
-                hlist_for_each_entry(tb, node, head, tb6_hlist) {
+                hlist_for_each_entry_rcu(tb, node, head, tb6_hlist) {
                        if (e < s_e)
                                goto next;
                        res = fib6_dump_table(tb, skb, cb);
@@ -408,6 +409,7 @@ next:
                }
        }
 out:
+        rcu_read_unlock();
        cb->args[1] = e;
        cb->args[0] = h;
@@ -822,7 +824,7 @@ st_failure:
 struct lookup_args {
        int             offset;         /* key offset on rt6_info       */
-        struct in6_addr *addr;          /* search key                   */
+        const struct in6_addr   *addr;          /* search key                   */
 };
 static struct fib6_node * fib6_lookup_1(struct fib6_node *root,
@@ -881,8 +883,8 @@ static struct fib6_node * fib6_lookup_1(struct fib6_node *root,
        return NULL;
 }
-struct fib6_node * fib6_lookup(struct fib6_node *root, struct in6_addr *daddr,
+struct fib6_node * fib6_lookup(struct fib6_node *root, const struct in6_addr *daddr,
-                               struct in6_addr *saddr)
+                               const struct in6_addr *saddr)
 {
        struct fib6_node *fn;
        struct lookup_args args[] = {
@@ -916,7 +918,7 @@ struct fib6_node * fib6_lookup(struct fib6_node *root, struct in6_addr *daddr,
 static struct fib6_node * fib6_locate_1(struct fib6_node *root,
-                                        struct in6_addr *addr,
+                                        const struct in6_addr *addr,
                                        int plen, int offset)
 {
        struct fib6_node *fn;
@@ -946,8 +948,8 @@ static struct fib6_node * fib6_locate_1(struct fib6_node *root,
 }
 struct fib6_node * fib6_locate(struct fib6_node *root,
-                               struct in6_addr *daddr, int dst_len,
+                               const struct in6_addr *daddr, int dst_len,
-                               struct in6_addr *saddr, int src_len)
+                               const struct in6_addr *saddr, int src_len)
 {
        struct fib6_node *fn;
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index 13654686aeab..f3caf1b8d572 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -342,7 +342,7 @@ fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
        if (olen > 0) {
                struct msghdr msg;
-                struct flowi flowi;
+                struct flowi6 flowi6;
                int junk;
                err = -ENOMEM;
@@ -358,9 +358,9 @@ fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
                msg.msg_controllen = olen;
                msg.msg_control = (void*)(fl->opt+1);
-                flowi.oif = 0;
+                memset(&flowi6, 0, sizeof(flowi6));
-                err = datagram_send_ctl(net, &msg, &flowi, fl->opt, &junk,
+                err = datagram_send_ctl(net, &msg, &flowi6, fl->opt, &junk,
                                        &junk, &junk);
                if (err)
                        goto done;
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index a83e9209cecc..027c7ff6f1e5 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -57,7 +57,7 @@ inline int ip6_rcv_finish( struct sk_buff *skb)
 int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, struct net_device *orig_dev)
 {
-        struct ipv6hdr *hdr;
+        const struct ipv6hdr *hdr;
        u32             pkt_len;
        struct inet6_dev *idev;
        struct net *net = dev_net(skb->dev);
@@ -186,7 +186,7 @@ resubmit:
                int ret;
                if (ipprot->flags & INET6_PROTO_FINAL) {
-                        struct ipv6hdr *hdr;
+                        const struct ipv6hdr *hdr;
                        /* Free reference early: we don't need it any more,
                           and it may hold ip_conntrack module loaded
@@ -242,7 +242,7 @@ int ip6_input(struct sk_buff *skb)
 int ip6_mc_input(struct sk_buff *skb)
 {
-        struct ipv6hdr *hdr;
+        const struct ipv6hdr *hdr;
        int deliver;
        IP6_UPD_PO_STATS_BH(dev_net(skb_dst(skb)->dev),
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 5f8d242be3f3..9d4b165837d6 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -174,15 +174,15 @@ int ip6_output(struct sk_buff *skb)
 *      xmit an sk_buff (used by TCP, SCTP and DCCP)
 */
-int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
+int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
             struct ipv6_txoptions *opt)
 {
        struct net *net = sock_net(sk);
        struct ipv6_pinfo *np = inet6_sk(sk);
-        struct in6_addr *first_hop = &fl->fl6_dst;
+        struct in6_addr *first_hop = &fl6->daddr;
        struct dst_entry *dst = skb_dst(skb);
        struct ipv6hdr *hdr;
-        u8  proto = fl->proto;
+        u8  proto = fl6->flowi6_proto;
        int seg_len = skb->len;
        int hlimit = -1;
        int tclass = 0;
@@ -230,13 +230,13 @@ int ip6_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
        if (hlimit < 0)
                hlimit = ip6_dst_hoplimit(dst);
-        *(__be32 *)hdr = htonl(0x60000000 | (tclass << 20)) | fl->fl6_flowlabel;
+        *(__be32 *)hdr = htonl(0x60000000 | (tclass << 20)) | fl6->flowlabel;
        hdr->payload_len = htons(seg_len);
        hdr->nexthdr = proto;
        hdr->hop_limit = hlimit;
-        ipv6_addr_copy(&hdr->saddr, &fl->fl6_src);
+        ipv6_addr_copy(&hdr->saddr, &fl6->saddr);
        ipv6_addr_copy(&hdr->daddr, first_hop);
        skb->priority = sk->sk_priority;
@@ -274,13 +274,10 @@ int ip6_nd_hdr(struct sock *sk, struct sk_buff *skb, struct net_device *dev,
 {
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct ipv6hdr *hdr;
-        int totlen;
        skb->protocol = htons(ETH_P_IPV6);
        skb->dev = dev;
-        totlen = len + sizeof(struct ipv6hdr);
        skb_reset_network_header(skb);
        skb_put(skb, sizeof(struct ipv6hdr));
        hdr = ipv6_hdr(skb);
@@ -479,10 +476,13 @@ int ip6_forward(struct sk_buff *skb)
                else
                        target = &hdr->daddr;
+                if (!rt->rt6i_peer)
+                        rt6_bind_peer(rt, 1);
                /* Limit redirects both by destination (here)
                   and by source (inside ndisc_send_redirect)
                 */
-                if (xrlim_allow(dst, 1*HZ))
+                if (inet_peer_xrlim_allow(rt->rt6i_peer, 1*HZ))
                        ndisc_send_redirect(skb, n, target);
        } else {
                int addrtype = ipv6_addr_type(&hdr->saddr);
@@ -779,7 +779,7 @@ slow_path:
                /* IF: it doesn't fit, use 'mtu' - the data space left */
                if (len > mtu)
                        len = mtu;
-                /* IF: we are not sending upto and including the packet end
+                /* IF: we are not sending up to and including the packet end
                   then align the next start on an eight byte boundary */
                if (len < left) {
                        len &= ~7;
@@ -869,9 +869,9 @@ fail:
        return err;
 }
-static inline int ip6_rt_check(struct rt6key *rt_key,
+static inline int ip6_rt_check(const struct rt6key *rt_key,
-                               struct in6_addr *fl_addr,
+                               const struct in6_addr *fl_addr,
-                               struct in6_addr *addr_cache)
+                               const struct in6_addr *addr_cache)
 {
        return (rt_key->plen != 128 || !ipv6_addr_equal(fl_addr, &rt_key->addr)) &&
                (addr_cache == NULL || !ipv6_addr_equal(fl_addr, addr_cache));
@@ -879,7 +879,7 @@ static inline int ip6_rt_check(struct rt6key *rt_key,
 static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
                                          struct dst_entry *dst,
-                                          struct flowi *fl)
+                                          const struct flowi6 *fl6)
 {
        struct ipv6_pinfo *np = inet6_sk(sk);
        struct rt6_info *rt = (struct rt6_info *)dst;
@@ -904,11 +904,11 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk,
         *    sockets.
         * 2. oif also should be the same.
         */
-        if (ip6_rt_check(&rt->rt6i_dst, &fl->fl6_dst, np->daddr_cache) ||
+        if (ip6_rt_check(&rt->rt6i_dst, &fl6->daddr, np->daddr_cache) ||
 #ifdef CONFIG_IPV6_SUBTREES
-            ip6_rt_check(&rt->rt6i_src, &fl->fl6_src, np->saddr_cache) ||
+            ip6_rt_check(&rt->rt6i_src, &fl6->saddr, np->saddr_cache) ||
 #endif
-            (fl->oif && fl->oif != dst->dev->ifindex)) {
+            (fl6->flowi6_oif && fl6->flowi6_oif != dst->dev->ifindex)) {
                dst_release(dst);
                dst = NULL;
        }
@@ -918,22 +918,22 @@ out:
 }
 static int ip6_dst_lookup_tail(struct sock *sk,
-                               struct dst_entry **dst, struct flowi *fl)
+                               struct dst_entry **dst, struct flowi6 *fl6)
 {
        int err;
        struct net *net = sock_net(sk);
        if (*dst == NULL)
-                *dst = ip6_route_output(net, sk, fl);
+                *dst = ip6_route_output(net, sk, fl6);
        if ((err = (*dst)->error))
                goto out_err_release;
-        if (ipv6_addr_any(&fl->fl6_src)) {
+        if (ipv6_addr_any(&fl6->saddr)) {
-                err = ipv6_dev_get_saddr(net, ip6_dst_idev(*dst)->dev,
+                struct rt6_info *rt = (struct rt6_info *) *dst;
-                                         &fl->fl6_dst,
+                err = ip6_route_get_saddr(net, rt, &fl6->daddr,
-                                         sk ? inet6_sk(sk)->srcprefs : 0,
+                                          sk ? inet6_sk(sk)->srcprefs : 0,
-                                         &fl->fl6_src);
+                                          &fl6->saddr);
                if (err)
                        goto out_err_release;
        }
@@ -949,10 +949,10 @@ static int ip6_dst_lookup_tail(struct sock *sk,
         */
        if ((*dst)->neighbour && !((*dst)->neighbour->nud_state & NUD_VALID)) {
                struct inet6_ifaddr *ifp;
-                struct flowi fl_gw;
+                struct flowi6 fl_gw6;
                int redirect;
-                ifp = ipv6_get_ifaddr(net, &fl->fl6_src,
+                ifp = ipv6_get_ifaddr(net, &fl6->saddr,
                                      (*dst)->dev, 1);
                redirect = (ifp && ifp->flags & IFA_F_OPTIMISTIC);
@@ -965,9 +965,9 @@ static int ip6_dst_lookup_tail(struct sock *sk,
                         * default router instead
                         */
                        dst_release(*dst);
-                        memcpy(&fl_gw, fl, sizeof(struct flowi));
+                        memcpy(&fl_gw6, fl6, sizeof(struct flowi6));
-                        memset(&fl_gw.fl6_dst, 0, sizeof(struct in6_addr));
+                        memset(&fl_gw6.daddr, 0, sizeof(struct in6_addr));
-                        *dst = ip6_route_output(net, sk, &fl_gw);
+                        *dst = ip6_route_output(net, sk, &fl_gw6);
                        if ((err = (*dst)->error))
                                goto out_err_release;
                }
@@ -988,43 +988,85 @@ out_err_release:
 *      ip6_dst_lookup - perform route lookup on flow
 *      @sk: socket which provides route info
 *      @dst: pointer to dst_entry * for result
- *      @fl: flow to lookup
+ *      @fl6: flow to lookup
 *
 *      This function performs a route lookup on the given flow.
 *
 *      It returns zero on success, or a standard errno code on error.
 */
-int ip6_dst_lookup(struct sock *sk, struct dst_entry **dst, struct flowi *fl)
+int ip6_dst_lookup(struct sock *sk, struct dst_entry **dst, struct flowi6 *fl6)
 {
        *dst = NULL;
-        return ip6_dst_lookup_tail(sk, dst, fl);
+        return ip6_dst_lookup_tail(sk, dst, fl6);
 }
 EXPORT_SYMBOL_GPL(ip6_dst_lookup);
 /**
- *      ip6_sk_dst_lookup - perform socket cached route lookup on flow
+ *      ip6_dst_lookup_flow - perform route lookup on flow with ipsec
+ *      @sk: socket which provides route info
+ *      @fl6: flow to lookup
+ *      @final_dst: final destination address for ipsec lookup
+ *      @can_sleep: we are in a sleepable context
+ *
+ *      This function performs a route lookup on the given flow.
+ *
+ *      It returns a valid dst pointer on success, or a pointer encoded
+ *      error code.
+ */
+struct dst_entry *ip6_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
+                                      const struct in6_addr *final_dst,
+                                      bool can_sleep)
+{
+        struct dst_entry *dst = NULL;
+        int err;
+        err = ip6_dst_lookup_tail(sk, &dst, fl6);
+        if (err)
+                return ERR_PTR(err);
+        if (final_dst)
+                ipv6_addr_copy(&fl6->daddr, final_dst);
+        if (can_sleep)
+                fl6->flowi6_flags |= FLOWI_FLAG_CAN_SLEEP;
+        return xfrm_lookup(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0);
+}
+EXPORT_SYMBOL_GPL(ip6_dst_lookup_flow);
+/**
+ *      ip6_sk_dst_lookup_flow - perform socket cached route lookup on flow
 *      @sk: socket which provides the dst cache and route info
- *      @dst: pointer to dst_entry * for result
+ *      @fl6: flow to lookup
- *      @fl: flow to lookup
+ *      @final_dst: final destination address for ipsec lookup
+ *      @can_sleep: we are in a sleepable context
 *
 *      This function performs a route lookup on the given flow with the
 *      possibility of using the cached route in the socket if it is valid.
 *      It will take the socket dst lock when operating on the dst cache.
 *      As a result, this function can only be used in process context.
 *
- *      It returns zero on success, or a standard errno code on error.
+ *      It returns a valid dst pointer on success, or a pointer encoded
+ *      error code.
 */
-int ip6_sk_dst_lookup(struct sock *sk, struct dst_entry **dst, struct flowi *fl)
+struct dst_entry *ip6_sk_dst_lookup_flow(struct sock *sk, struct flowi6 *fl6,
+                                         const struct in6_addr *final_dst,
+                                         bool can_sleep)
 {
-        *dst = NULL;
+        struct dst_entry *dst = sk_dst_check(sk, inet6_sk(sk)->dst_cookie);
-        if (sk) {
+        int err;
-                *dst = sk_dst_check(sk, inet6_sk(sk)->dst_cookie);
-                *dst = ip6_sk_dst_check(sk, *dst, fl);
+        dst = ip6_sk_dst_check(sk, dst, fl6);
-        }
+        err = ip6_dst_lookup_tail(sk, &dst, fl6);
+        if (err)
+                return ERR_PTR(err);
+        if (final_dst)
+                ipv6_addr_copy(&fl6->daddr, final_dst);
+        if (can_sleep)
+                fl6->flowi6_flags |= FLOWI_FLAG_CAN_SLEEP;
-        return ip6_dst_lookup_tail(sk, dst, fl);
+        return xfrm_lookup(sock_net(sk), dst, flowi6_to_flowi(fl6), sk, 0);
 }
-EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup);
+EXPORT_SYMBOL_GPL(ip6_sk_dst_lookup_flow);
 static inline int ip6_ufo_append_data(struct sock *sk,
                        int getfrag(void *from, char *to, int offset, int len,
@@ -1061,7 +1103,6 @@ static inline int ip6_ufo_append_data(struct sock *sk,
                skb->ip_summed = CHECKSUM_PARTIAL;
                skb->csum = 0;
-                sk->sk_sndmsg_off = 0;
        }
        err = skb_append_datato_frags(sk,skb, getfrag, from,
@@ -1104,11 +1145,12 @@ static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src,
 int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
        int offset, int len, int odd, struct sk_buff *skb),
        void *from, int length, int transhdrlen,
-        int hlimit, int tclass, struct ipv6_txoptions *opt, struct flowi *fl,
+        int hlimit, int tclass, struct ipv6_txoptions *opt, struct flowi6 *fl6,
        struct rt6_info *rt, unsigned int flags, int dontfrag)
 {
        struct inet_sock *inet = inet_sk(sk);
        struct ipv6_pinfo *np = inet6_sk(sk);
+        struct inet_cork *cork;
        struct sk_buff *skb;
        unsigned int maxfraglen, fragheaderlen;
        int exthdrlen;
@@ -1118,9 +1160,11 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
        int err;
        int offset = 0;
        int csummode = CHECKSUM_NONE;
+        __u8 tx_flags = 0;
        if (flags&MSG_PROBE)
                return 0;
+        cork = &inet->cork.base;
        if (skb_queue_empty(&sk->sk_write_queue)) {
                /*
                 * setup for corking
@@ -1160,8 +1204,8 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
                        /* need source address above miyazawa*/
                }
                dst_hold(&rt->dst);
-                inet->cork.dst = &rt->dst;
+                cork->dst = &rt->dst;
-                inet->cork.fl = *fl;
+                inet->cork.fl.u.ip6 = *fl6;
                np->cork.hop_limit = hlimit;
                np->cork.tclass = tclass;
                mtu = np->pmtudisc == IPV6_PMTUDISC_PROBE ?
@@ -1170,10 +1214,10 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
                        if (np->frag_size)
                                mtu = np->frag_size;
                }
-                inet->cork.fragsize = mtu;
+                cork->fragsize = mtu;
                if (dst_allfrag(rt->dst.path))
-                        inet->cork.flags |= IPCORK_ALLFRAG;
+                        cork->flags |= IPCORK_ALLFRAG;
-                inet->cork.length = 0;
+                cork->length = 0;
                sk->sk_sndmsg_page = NULL;
                sk->sk_sndmsg_off = 0;
                exthdrlen = rt->dst.header_len + (opt ? opt->opt_flen : 0) -
@@ -1181,12 +1225,12 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
                length += exthdrlen;
                transhdrlen += exthdrlen;
        } else {
-                rt = (struct rt6_info *)inet->cork.dst;
+                rt = (struct rt6_info *)cork->dst;
-                fl = &inet->cork.fl;
+                fl6 = &inet->cork.fl.u.ip6;
                opt = np->cork.opt;
                transhdrlen = 0;
                exthdrlen = 0;
-                mtu = inet->cork.fragsize;
+                mtu = cork->fragsize;
        }
        hh_len = LL_RESERVED_SPACE(rt->dst.dev);
@@ -1196,12 +1240,19 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
        maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen - sizeof(struct frag_hdr);
        if (mtu <= sizeof(struct ipv6hdr) + IPV6_MAXPLEN) {
-                if (inet->cork.length + length > sizeof(struct ipv6hdr) + IPV6_MAXPLEN - fragheaderlen) {
+                if (cork->length + length > sizeof(struct ipv6hdr) + IPV6_MAXPLEN - fragheaderlen) {
-                        ipv6_local_error(sk, EMSGSIZE, fl, mtu-exthdrlen);
+                        ipv6_local_error(sk, EMSGSIZE, fl6, mtu-exthdrlen);
                        return -EMSGSIZE;
                }
        }
+        /* For UDP, check if TX timestamp is enabled */
+        if (sk->sk_type == SOCK_DGRAM) {
+                err = sock_tx_timestamp(sk, &tx_flags);
+                if (err)
+                        goto error;
+        }
        /*
         * Let's try using as much space as possible.
         * Use MTU if total length of the message fits into the MTU.
@@ -1218,11 +1269,11 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
         * --yoshfuji
         */
-        inet->cork.length += length;
+        cork->length += length;
        if (length > mtu) {
                int proto = sk->sk_protocol;
                if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){
-                        ipv6_local_rxpmtu(sk, fl, mtu-exthdrlen);
+                        ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen);
                        return -EMSGSIZE;
                }
@@ -1243,7 +1294,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
        while (length > 0) {
                /* Check if the remaining data fits into current packet. */
-                copy = (inet->cork.length <= mtu && !(inet->cork.flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - skb->len;
+                copy = (cork->length <= mtu && !(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - skb->len;
                if (copy < length)
                        copy = maxfraglen - skb->len;
@@ -1268,7 +1319,7 @@ alloc_new_skb:
                         * we know we need more fragment(s).
                         */
                        datalen = length + fraggap;
-                        if (datalen > (inet->cork.length <= mtu && !(inet->cork.flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - fragheaderlen)
+                        if (datalen > (cork->length <= mtu && !(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - fragheaderlen)
                                datalen = maxfraglen - fragheaderlen;
                        fraglen = datalen + fragheaderlen;
@@ -1306,6 +1357,12 @@ alloc_new_skb:
                                                           sk->sk_allocation);
                                if (unlikely(skb == NULL))
                                        err = -ENOBUFS;
+                                else {
+                                        /* Only the initial fragment
+                                         * is time stamped.
+                                         */
+                                        tx_flags = 0;
+                                }
                        }
                        if (skb == NULL)
                                goto error;
@@ -1317,6 +1374,9 @@ alloc_new_skb:
                        /* reserve for fragmentation */
                        skb_reserve(skb, hh_len+sizeof(struct frag_hdr));
+                        if (sk->sk_type == SOCK_DGRAM)
+                                skb_shinfo(skb)->tx_flags = tx_flags;
                        /*
                         *      Find where to start putting bytes
                         */
@@ -1423,7 +1483,7 @@ alloc_new_skb:
        }
        return 0;
 error:
-        inet->cork.length -= length;
+        cork->length -= length;
        IP6_INC_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS);
        return err;
 }
@@ -1439,10 +1499,10 @@ static void ip6_cork_release(struct inet_sock *inet, struct ipv6_pinfo *np)
                np->cork.opt = NULL;
        }
-        if (inet->cork.dst) {
+        if (inet->cork.base.dst) {
-                dst_release(inet->cork.dst);
+                dst_release(inet->cork.base.dst);
-                inet->cork.dst = NULL;
+                inet->cork.base.dst = NULL;
-                inet->cork.flags &= ~IPCORK_ALLFRAG;
+                inet->cork.base.flags &= ~IPCORK_ALLFRAG;
        }
        memset(&inet->cork.fl, 0, sizeof(inet->cork.fl));
 }
@@ -1457,9 +1517,9 @@ int ip6_push_pending_frames(struct sock *sk)
        struct net *net = sock_net(sk);
        struct ipv6hdr *hdr;
        struct ipv6_txoptions *opt = np->cork.opt;
-        struct rt6_info *rt = (struct rt6_info *)inet->cork.dst;
+        struct rt6_info *rt = (struct rt6_info *)inet->cork.base.dst;
-        struct flowi *fl = &inet->cork.fl;
+        struct flowi6 *fl6 = &inet->cork.fl.u.ip6;
-        unsigned char proto = fl->proto;
+        unsigned char proto = fl6->flowi6_proto;
        int err = 0;
        if ((skb = __skb_dequeue(&sk->sk_write_queue)) == NULL)
@@ -1484,7 +1544,7 @@ int ip6_push_pending_frames(struct sock *sk)
        if (np->pmtudisc < IPV6_PMTUDISC_DO)
                skb->local_df = 1;
-        ipv6_addr_copy(final_dst, &fl->fl6_dst);
+        ipv6_addr_copy(final_dst, &fl6->daddr);
        __skb_pull(skb, skb_network_header_len(skb));
        if (opt && opt->opt_flen)
                ipv6_push_frag_opts(skb, opt, &proto);
@@ -1495,12 +1555,12 @@ int ip6_push_pending_frames(struct sock *sk)
        skb_reset_network_header(skb);
        hdr = ipv6_hdr(skb);
-        *(__be32*)hdr = fl->fl6_flowlabel |
+        *(__be32*)hdr = fl6->flowlabel |
                     htonl(0x60000000 | ((int)np->cork.tclass << 20));
        hdr->hop_limit = np->cork.hop_limit;
        hdr->nexthdr = proto;
-        ipv6_addr_copy(&hdr->saddr, &fl->fl6_src);
+        ipv6_addr_copy(&hdr->saddr, &fl6->saddr);
        ipv6_addr_copy(&hdr->daddr, final_dst);
        skb->priority = sk->sk_priority;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 4f4483e697bd..36c2842a86b2 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -57,6 +57,7 @@
 MODULE_AUTHOR("Ville Nuorvala");
 MODULE_DESCRIPTION("IPv6 tunneling device");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS_NETDEV("ip6tnl0");
 #ifdef IP6_TNL_DEBUG
 #define IP6_TNL_TRACE(x...) printk(KERN_DEBUG "%s:" x "\n", __func__)
@@ -161,7 +162,7 @@ static inline void ip6_tnl_dst_store(struct ip6_tnl *t, struct dst_entry *dst)
        for (t = rcu_dereference(start); t; t = rcu_dereference(t->next))
 static struct ip6_tnl *
-ip6_tnl_lookup(struct net *net, struct in6_addr *remote, struct in6_addr *local)
+ip6_tnl_lookup(struct net *net, const struct in6_addr *remote, const struct in6_addr *local)
 {
        unsigned int h0 = HASH(remote);
        unsigned int h1 = HASH(local);
@@ -193,10 +194,10 @@ ip6_tnl_lookup(struct net *net, struct in6_addr *remote, struct in6_addr *local)
 **/
 static struct ip6_tnl __rcu **
-ip6_tnl_bucket(struct ip6_tnl_net *ip6n, struct ip6_tnl_parm *p)
+ip6_tnl_bucket(struct ip6_tnl_net *ip6n, const struct ip6_tnl_parm *p)
 {
-        struct in6_addr *remote = &p->raddr;
+        const struct in6_addr *remote = &p->raddr;
-        struct in6_addr *local = &p->laddr;
+        const struct in6_addr *local = &p->laddr;
        unsigned h = 0;
        int prio = 0;
@@ -279,11 +280,6 @@ static struct ip6_tnl *ip6_tnl_create(struct net *net, struct ip6_tnl_parm *p)
        dev_net_set(dev, net);
-        if (strchr(name, '%')) {
-                if (dev_alloc_name(dev, name) < 0)
-                        goto failed_free;
-        }
        t = netdev_priv(dev);
        t->parms = *p;
        err = ip6_tnl_dev_init(dev);
@@ -320,8 +316,8 @@ failed:
 static struct ip6_tnl *ip6_tnl_locate(struct net *net,
                struct ip6_tnl_parm *p, int create)
 {
-        struct in6_addr *remote = &p->raddr;
+        const struct in6_addr *remote = &p->raddr;
-        struct in6_addr *local = &p->laddr;
+        const struct in6_addr *local = &p->laddr;
        struct ip6_tnl __rcu **tp;
        struct ip6_tnl *t;
        struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
@@ -373,7 +369,7 @@ ip6_tnl_dev_uninit(struct net_device *dev)
 static __u16
 parse_tlv_tnl_enc_lim(struct sk_buff *skb, __u8 * raw)
 {
-        struct ipv6hdr *ipv6h = (struct ipv6hdr *) raw;
+        const struct ipv6hdr *ipv6h = (const struct ipv6hdr *) raw;
        __u8 nexthdr = ipv6h->nexthdr;
        __u16 off = sizeof (*ipv6h);
@@ -434,7 +430,7 @@ static int
 ip6_tnl_err(struct sk_buff *skb, __u8 ipproto, struct inet6_skb_parm *opt,
            u8 *type, u8 *code, int *msg, __u32 *info, int offset)
 {
-        struct ipv6hdr *ipv6h = (struct ipv6hdr *) skb->data;
+        const struct ipv6hdr *ipv6h = (const struct ipv6hdr *) skb->data;
        struct ip6_tnl *t;
        int rel_msg = 0;
        u8 rel_type = ICMPV6_DEST_UNREACH;
@@ -534,9 +530,9 @@ ip4ip6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        __u32 rel_info = ntohl(info);
        int err;
        struct sk_buff *skb2;
-        struct iphdr *eiph;
+        const struct iphdr *eiph;
-        struct flowi fl;
        struct rtable *rt;
+        struct flowi4 fl4;
        err = ip6_tnl_err(skb, IPPROTO_IPIP, opt, &rel_type, &rel_code,
                          &rel_msg, &rel_info, offset);
@@ -577,11 +573,11 @@ ip4ip6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        eiph = ip_hdr(skb2);
        /* Try to guess incoming interface */
-        memset(&fl, 0, sizeof(fl));
+        rt = ip_route_output_ports(dev_net(skb->dev), &fl4, NULL,
-        fl.fl4_dst = eiph->saddr;
+                                   eiph->saddr, 0,
-        fl.fl4_tos = RT_TOS(eiph->tos);
+                                   0, 0,
-        fl.proto = IPPROTO_IPIP;
+                                   IPPROTO_IPIP, RT_TOS(eiph->tos), 0);
-        if (ip_route_output_key(dev_net(skb->dev), &rt, &fl))
+        if (IS_ERR(rt))
                goto out;
        skb2->dev = rt->dst.dev;
@@ -590,15 +586,18 @@ ip4ip6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        if (rt->rt_flags & RTCF_LOCAL) {
                ip_rt_put(rt);
                rt = NULL;
-                fl.fl4_dst = eiph->daddr;
+                rt = ip_route_output_ports(dev_net(skb->dev), &fl4, NULL,
-                fl.fl4_src = eiph->saddr;
+                                           eiph->daddr, eiph->saddr,
-                fl.fl4_tos = eiph->tos;
+                                           0, 0,
-                if (ip_route_output_key(dev_net(skb->dev), &rt, &fl) ||
+                                           IPPROTO_IPIP,
+                                           RT_TOS(eiph->tos), 0);
+                if (IS_ERR(rt) ||
                    rt->dst.dev->type != ARPHRD_TUNNEL) {
-                        ip_rt_put(rt);
+                        if (!IS_ERR(rt))
+                                ip_rt_put(rt);
                        goto out;
                }
-                skb_dst_set(skb2, (struct dst_entry *)rt);
+                skb_dst_set(skb2, &rt->dst);
        } else {
                ip_rt_put(rt);
                if (ip_route_input(skb2, eiph->daddr, eiph->saddr, eiph->tos,
@@ -666,8 +665,8 @@ ip6ip6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        return 0;
 }
-static void ip4ip6_dscp_ecn_decapsulate(struct ip6_tnl *t,
+static void ip4ip6_dscp_ecn_decapsulate(const struct ip6_tnl *t,
-                                        struct ipv6hdr *ipv6h,
+                                        const struct ipv6hdr *ipv6h,
                                        struct sk_buff *skb)
 {
        __u8 dsfield = ipv6_get_dsfield(ipv6h) & ~INET_ECN_MASK;
@@ -679,8 +678,8 @@ static void ip4ip6_dscp_ecn_decapsulate(struct ip6_tnl *t,
                IP_ECN_set_ce(ip_hdr(skb));
 }
-static void ip6ip6_dscp_ecn_decapsulate(struct ip6_tnl *t,
+static void ip6ip6_dscp_ecn_decapsulate(const struct ip6_tnl *t,
-                                        struct ipv6hdr *ipv6h,
+                                        const struct ipv6hdr *ipv6h,
                                        struct sk_buff *skb)
 {
        if (t->parms.flags & IP6_TNL_F_RCV_DSCP_COPY)
@@ -723,12 +722,12 @@ static inline int ip6_tnl_rcv_ctl(struct ip6_tnl *t)
 static int ip6_tnl_rcv(struct sk_buff *skb, __u16 protocol,
                       __u8 ipproto,
-                       void (*dscp_ecn_decapsulate)(struct ip6_tnl *t,
+                       void (*dscp_ecn_decapsulate)(const struct ip6_tnl *t,
-                                                    struct ipv6hdr *ipv6h,
+                                                    const struct ipv6hdr *ipv6h,
                                                    struct sk_buff *skb))
 {
        struct ip6_tnl *t;
-        struct ipv6hdr *ipv6h = ipv6_hdr(skb);
+        const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
        rcu_read_lock();
@@ -825,7 +824,7 @@ static void init_tel_txopt(struct ipv6_tel_txoption *opt, __u8 encap_limit)
 **/
 static inline int
-ip6_tnl_addr_conflict(struct ip6_tnl *t, struct ipv6hdr *hdr)
+ip6_tnl_addr_conflict(const struct ip6_tnl *t, const struct ipv6hdr *hdr)
 {
        return ipv6_addr_equal(&t->parms.raddr, &hdr->saddr);
 }
@@ -881,7 +880,7 @@ static inline int ip6_tnl_xmit_ctl(struct ip6_tnl *t)
 static int ip6_tnl_xmit2(struct sk_buff *skb,
                         struct net_device *dev,
                         __u8 dsfield,
-                         struct flowi *fl,
+                         struct flowi6 *fl6,
                         int encap_limit,
                         __u32 *pmtu)
 {
@@ -901,10 +900,16 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
        if ((dst = ip6_tnl_dst_check(t)) != NULL)
                dst_hold(dst);
        else {
-                dst = ip6_route_output(net, NULL, fl);
+                dst = ip6_route_output(net, NULL, fl6);
-                if (dst->error || xfrm_lookup(net, &dst, fl, NULL, 0) < 0)
+                if (dst->error)
                        goto tx_err_link_failure;
+                dst = xfrm_lookup(net, dst, flowi6_to_flowi(fl6), NULL, 0);
+                if (IS_ERR(dst)) {
+                        err = PTR_ERR(dst);
+                        dst = NULL;
+                        goto tx_err_link_failure;
+                }
        }
        tdev = dst->dev;
@@ -954,7 +959,7 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
        skb->transport_header = skb->network_header;
-        proto = fl->proto;
+        proto = fl6->flowi6_proto;
        if (encap_limit >= 0) {
                init_tel_txopt(&opt, encap_limit);
                ipv6_push_nfrag_opts(skb, &opt.ops, &proto, NULL);
@@ -962,13 +967,13 @@ static int ip6_tnl_xmit2(struct sk_buff *skb,
        skb_push(skb, sizeof(struct ipv6hdr));
        skb_reset_network_header(skb);
        ipv6h = ipv6_hdr(skb);
-        *(__be32*)ipv6h = fl->fl6_flowlabel | htonl(0x60000000);
+        *(__be32*)ipv6h = fl6->flowlabel | htonl(0x60000000);
        dsfield = INET_ECN_encapsulate(0, dsfield);
        ipv6_change_dsfield(ipv6h, ~INET_ECN_MASK, dsfield);
        ipv6h->hop_limit = t->parms.hop_limit;
        ipv6h->nexthdr = proto;
-        ipv6_addr_copy(&ipv6h->saddr, &fl->fl6_src);
+        ipv6_addr_copy(&ipv6h->saddr, &fl6->saddr);
-        ipv6_addr_copy(&ipv6h->daddr, &fl->fl6_dst);
+        ipv6_addr_copy(&ipv6h->daddr, &fl6->daddr);
        nf_reset(skb);
        pkt_len = skb->len;
        err = ip6_local_out(skb);
@@ -996,9 +1001,9 @@ static inline int
 ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
 {
        struct ip6_tnl *t = netdev_priv(dev);
-        struct iphdr  *iph = ip_hdr(skb);
+        const struct iphdr  *iph = ip_hdr(skb);
        int encap_limit = -1;
-        struct flowi fl;
+        struct flowi6 fl6;
        __u8 dsfield;
        __u32 mtu;
        int err;
@@ -1010,16 +1015,16 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
        if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT))
                encap_limit = t->parms.encap_limit;
-        memcpy(&fl, &t->fl, sizeof (fl));
+        memcpy(&fl6, &t->fl.u.ip6, sizeof (fl6));
-        fl.proto = IPPROTO_IPIP;
+        fl6.flowi6_proto = IPPROTO_IPIP;
        dsfield = ipv4_get_dsfield(iph);
        if ((t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS))
-                fl.fl6_flowlabel |= htonl((__u32)iph->tos << IPV6_TCLASS_SHIFT)
+                fl6.flowlabel |= htonl((__u32)iph->tos << IPV6_TCLASS_SHIFT)
                                          & IPV6_TCLASS_MASK;
-        err = ip6_tnl_xmit2(skb, dev, dsfield, &fl, encap_limit, &mtu);
+        err = ip6_tnl_xmit2(skb, dev, dsfield, &fl6, encap_limit, &mtu);
        if (err != 0) {
                /* XXX: send ICMP error even if DF is not set. */
                if (err == -EMSGSIZE)
@@ -1038,7 +1043,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
        struct ipv6hdr *ipv6h = ipv6_hdr(skb);
        int encap_limit = -1;
        __u16 offset;
-        struct flowi fl;
+        struct flowi6 fl6;
        __u8 dsfield;
        __u32 mtu;
        int err;
@@ -1060,16 +1065,16 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
        } else if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT))
                encap_limit = t->parms.encap_limit;
-        memcpy(&fl, &t->fl, sizeof (fl));
+        memcpy(&fl6, &t->fl.u.ip6, sizeof (fl6));
-        fl.proto = IPPROTO_IPV6;
+        fl6.flowi6_proto = IPPROTO_IPV6;
        dsfield = ipv6_get_dsfield(ipv6h);
        if ((t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS))
-                fl.fl6_flowlabel |= (*(__be32 *) ipv6h & IPV6_TCLASS_MASK);
+                fl6.flowlabel |= (*(__be32 *) ipv6h & IPV6_TCLASS_MASK);
        if ((t->parms.flags & IP6_TNL_F_USE_ORIG_FLOWLABEL))
-                fl.fl6_flowlabel |= (*(__be32 *) ipv6h & IPV6_FLOWLABEL_MASK);
+                fl6.flowlabel |= (*(__be32 *) ipv6h & IPV6_FLOWLABEL_MASK);
-        err = ip6_tnl_xmit2(skb, dev, dsfield, &fl, encap_limit, &mtu);
+        err = ip6_tnl_xmit2(skb, dev, dsfield, &fl6, encap_limit, &mtu);
        if (err != 0) {
                if (err == -EMSGSIZE)
                        icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
@@ -1132,21 +1137,21 @@ static void ip6_tnl_link_config(struct ip6_tnl *t)
 {
        struct net_device *dev = t->dev;
        struct ip6_tnl_parm *p = &t->parms;
-        struct flowi *fl = &t->fl;
+        struct flowi6 *fl6 = &t->fl.u.ip6;
        memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr));
        memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr));
        /* Set up flowi template */
-        ipv6_addr_copy(&fl->fl6_src, &p->laddr);
+        ipv6_addr_copy(&fl6->saddr, &p->laddr);
-        ipv6_addr_copy(&fl->fl6_dst, &p->raddr);
+        ipv6_addr_copy(&fl6->daddr, &p->raddr);
-        fl->oif = p->link;
+        fl6->flowi6_oif = p->link;
-        fl->fl6_flowlabel = 0;
+        fl6->flowlabel = 0;
        if (!(p->flags&IP6_TNL_F_USE_ORIG_TCLASS))
-                fl->fl6_flowlabel |= IPV6_TCLASS_MASK & p->flowinfo;
+                fl6->flowlabel |= IPV6_TCLASS_MASK & p->flowinfo;
        if (!(p->flags&IP6_TNL_F_USE_ORIG_FLOWLABEL))
-                fl->fl6_flowlabel |= IPV6_FLOWLABEL_MASK & p->flowinfo;
+                fl6->flowlabel |= IPV6_FLOWLABEL_MASK & p->flowinfo;
        ip6_tnl_set_cap(t);
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 0e1d53bcf1e0..82a809901f8e 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -135,14 +135,15 @@ static struct mr6_table *ip6mr_get_table(struct net *net, u32 id)
        return NULL;
 }
-static int ip6mr_fib_lookup(struct net *net, struct flowi *flp,
+static int ip6mr_fib_lookup(struct net *net, struct flowi6 *flp6,
                            struct mr6_table **mrt)
 {
        struct ip6mr_result res;
        struct fib_lookup_arg arg = { .result = &res, };
        int err;
-        err = fib_rules_lookup(net->ipv6.mr6_rules_ops, flp, 0, &arg);
+        err = fib_rules_lookup(net->ipv6.mr6_rules_ops,
+                               flowi6_to_flowi(flp6), 0, &arg);
        if (err < 0)
                return err;
        *mrt = res.mrt;
@@ -270,7 +271,7 @@ static struct mr6_table *ip6mr_get_table(struct net *net, u32 id)
        return net->ipv6.mrt6;
 }
-static int ip6mr_fib_lookup(struct net *net, struct flowi *flp,
+static int ip6mr_fib_lookup(struct net *net, struct flowi6 *flp6,
                            struct mr6_table **mrt)
 {
        *mrt = net->ipv6.mrt6;
@@ -617,9 +618,9 @@ static int pim6_rcv(struct sk_buff *skb)
        struct net_device  *reg_dev = NULL;
        struct net *net = dev_net(skb->dev);
        struct mr6_table *mrt;
-        struct flowi fl = {
+        struct flowi6 fl6 = {
-                .iif    = skb->dev->ifindex,
+                .flowi6_iif     = skb->dev->ifindex,
-                .mark   = skb->mark,
+                .flowi6_mark    = skb->mark,
        };
        int reg_vif_num;
@@ -644,7 +645,7 @@ static int pim6_rcv(struct sk_buff *skb)
            ntohs(encap->payload_len) + sizeof(*pim) > skb->len)
                goto drop;
-        if (ip6mr_fib_lookup(net, &fl, &mrt) < 0)
+        if (ip6mr_fib_lookup(net, &fl6, &mrt) < 0)
                goto drop;
        reg_vif_num = mrt->mroute_reg_vif_num;
@@ -662,7 +663,7 @@ static int pim6_rcv(struct sk_buff *skb)
        skb_pull(skb, (u8 *)encap - skb->data);
        skb_reset_network_header(skb);
        skb->protocol = htons(ETH_P_IPV6);
-        skb->ip_summed = 0;
+        skb->ip_summed = CHECKSUM_NONE;
        skb->pkt_type = PACKET_HOST;
        skb_tunnel_rx(skb, reg_dev);
@@ -687,14 +688,14 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb,
 {
        struct net *net = dev_net(dev);
        struct mr6_table *mrt;
-        struct flowi fl = {
+        struct flowi6 fl6 = {
-                .oif            = dev->ifindex,
+                .flowi6_oif     = dev->ifindex,
-                .iif            = skb->skb_iif,
+                .flowi6_iif     = skb->skb_iif,
-                .mark           = skb->mark,
+                .flowi6_mark    = skb->mark,
        };
        int err;
-        err = ip6mr_fib_lookup(net, &fl, &mrt);
+        err = ip6mr_fib_lookup(net, &fl6, &mrt);
        if (err < 0)
                return err;
@@ -988,8 +989,8 @@ static int mif6_add(struct net *net, struct mr6_table *mrt,
 }
 static struct mfc6_cache *ip6mr_cache_find(struct mr6_table *mrt,
-                                           struct in6_addr *origin,
+                                           const struct in6_addr *origin,
-                                           struct in6_addr *mcastgrp)
+                                           const struct in6_addr *mcastgrp)
 {
        int line = MFC6_HASH(mcastgrp, origin);
        struct mfc6_cache *c;
@@ -1039,7 +1040,6 @@ static void ip6mr_cache_resolve(struct net *net, struct mr6_table *mrt,
        while((skb = __skb_dequeue(&uc->mfc_un.unres.unresolved))) {
                if (ipv6_hdr(skb)->version == 0) {
-                        int err;
                        struct nlmsghdr *nlh = (struct nlmsghdr *)skb_pull(skb, sizeof(struct ipv6hdr));
                        if (__ip6mr_fill_mroute(mrt, skb, c, NLMSG_DATA(nlh)) > 0) {
@@ -1050,7 +1050,7 @@ static void ip6mr_cache_resolve(struct net *net, struct mr6_table *mrt,
                                skb_trim(skb, nlh->nlmsg_len);
                                ((struct nlmsgerr *)NLMSG_DATA(nlh))->error = -EMSGSIZE;
                        }
-                        err = rtnl_unicast(skb, net, NETLINK_CB(skb).pid);
+                        rtnl_unicast(skb, net, NETLINK_CB(skb).pid);
                } else
                        ip6_mr_forward(net, mrt, skb, c);
        }
@@ -1548,13 +1548,13 @@ int ip6mr_sk_done(struct sock *sk)
 struct sock *mroute6_socket(struct net *net, struct sk_buff *skb)
 {
        struct mr6_table *mrt;
-        struct flowi fl = {
+        struct flowi6 fl6 = {
-                .iif    = skb->skb_iif,
+                .flowi6_iif     = skb->skb_iif,
-                .oif    = skb->dev->ifindex,
+                .flowi6_oif     = skb->dev->ifindex,
-                .mark   = skb->mark,
+                .flowi6_mark    = skb->mark,
        };
-        if (ip6mr_fib_lookup(net, &fl, &mrt) < 0)
+        if (ip6mr_fib_lookup(net, &fl6, &mrt) < 0)
                return NULL;
        return mrt->mroute6_sk;
@@ -1898,7 +1898,7 @@ static int ip6mr_forward2(struct net *net, struct mr6_table *mrt,
        struct mif_device *vif = &mrt->vif6_table[vifi];
        struct net_device *dev;
        struct dst_entry *dst;
-        struct flowi fl;
+        struct flowi6 fl6;
        if (vif->dev == NULL)
                goto out_free;
@@ -1916,12 +1916,12 @@ static int ip6mr_forward2(struct net *net, struct mr6_table *mrt,
        ipv6h = ipv6_hdr(skb);
-        fl = (struct flowi) {
+        fl6 = (struct flowi6) {
-                .oif = vif->link,
+                .flowi6_oif = vif->link,
-                .fl6_dst = ipv6h->daddr,
+                .daddr = ipv6h->daddr,
        };
-        dst = ip6_route_output(net, NULL, &fl);
+        dst = ip6_route_output(net, NULL, &fl6);
        if (!dst)
                goto out_free;
@@ -2044,13 +2044,13 @@ int ip6_mr_input(struct sk_buff *skb)
        struct mfc6_cache *cache;
        struct net *net = dev_net(skb->dev);
        struct mr6_table *mrt;
-        struct flowi fl = {
+        struct flowi6 fl6 = {
-                .iif    = skb->dev->ifindex,
+                .flowi6_iif     = skb->dev->ifindex,
-                .mark   = skb->mark,
+                .flowi6_mark    = skb->mark,
        };
        int err;
-        err = ip6mr_fib_lookup(net, &fl, &mrt);
+        err = ip6mr_fib_lookup(net, &fl6, &mrt);
        if (err < 0)
                return err;
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 85cccd6ed0b7..bba658d9a03c 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -55,7 +55,7 @@ static void ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
 {
        struct net *net = dev_net(skb->dev);
        __be32 spi;
-        struct ipv6hdr *iph = (struct ipv6hdr*)skb->data;
+        const struct ipv6hdr *iph = (const struct ipv6hdr *)skb->data;
        struct ip_comp_hdr *ipcomph =
                (struct ip_comp_hdr *)(skb->data + offset);
        struct xfrm_state *x;
@@ -64,7 +64,8 @@ static void ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                return;
        spi = htonl(ntohs(ipcomph->cpi));
-        x = xfrm_state_lookup(net, skb->mark, (xfrm_address_t *)&iph->daddr, spi, IPPROTO_COMP, AF_INET6);
+        x = xfrm_state_lookup(net, skb->mark, (const xfrm_address_t *)&iph->daddr,
+                              spi, IPPROTO_COMP, AF_INET6);
        if (!x)
                return;
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index d1770e061c08..9cb191ecaba8 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -444,12 +444,12 @@ sticky_done:
        {
                struct ipv6_txoptions *opt = NULL;
                struct msghdr msg;
-                struct flowi fl;
+                struct flowi6 fl6;
                int junk;
-                fl.fl6_flowlabel = 0;
+                memset(&fl6, 0, sizeof(fl6));
-                fl.oif = sk->sk_bound_dev_if;
+                fl6.flowi6_oif = sk->sk_bound_dev_if;
-                fl.mark = sk->sk_mark;
+                fl6.flowi6_mark = sk->sk_mark;
                if (optlen == 0)
                        goto update;
@@ -475,7 +475,7 @@ sticky_done:
                msg.msg_controllen = optlen;
                msg.msg_control = (void*)(opt+1);
-                retv = datagram_send_ctl(net, &msg, &fl, opt, &junk, &junk,
+                retv = datagram_send_ctl(net, &msg, &fl6, opt, &junk, &junk,
                                         &junk);
                if (retv)
                        goto done;
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index 49f986d626a0..3e6ebcdb4779 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -92,16 +92,16 @@ static void mld_gq_timer_expire(unsigned long data);
 static void mld_ifc_timer_expire(unsigned long data);
 static void mld_ifc_event(struct inet6_dev *idev);
 static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *pmc);
-static void mld_del_delrec(struct inet6_dev *idev, struct in6_addr *addr);
+static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *addr);
 static void mld_clear_delrec(struct inet6_dev *idev);
 static int sf_setstate(struct ifmcaddr6 *pmc);
 static void sf_markstate(struct ifmcaddr6 *pmc);
 static void ip6_mc_clear_src(struct ifmcaddr6 *pmc);
-static int ip6_mc_del_src(struct inet6_dev *idev, struct in6_addr *pmca,
+static int ip6_mc_del_src(struct inet6_dev *idev, const struct in6_addr *pmca,
-                          int sfmode, int sfcount, struct in6_addr *psfsrc,
+                          int sfmode, int sfcount, const struct in6_addr *psfsrc,
                          int delta);
-static int ip6_mc_add_src(struct inet6_dev *idev, struct in6_addr *pmca,
+static int ip6_mc_add_src(struct inet6_dev *idev, const struct in6_addr *pmca,
-                          int sfmode, int sfcount, struct in6_addr *psfsrc,
+                          int sfmode, int sfcount, const struct in6_addr *psfsrc,
                          int delta);
 static int ip6_mc_leave_src(struct sock *sk, struct ipv6_mc_socklist *iml,
                            struct inet6_dev *idev);
@@ -201,10 +201,6 @@ int ipv6_sock_mc_join(struct sock *sk, int ifindex, const struct in6_addr *addr)
        return 0;
 }
-static void ipv6_mc_socklist_reclaim(struct rcu_head *head)
-{
-        kfree(container_of(head, struct ipv6_mc_socklist, rcu));
-}
 /*
 *      socket leave on multicast group
 */
@@ -239,7 +235,7 @@ int ipv6_sock_mc_drop(struct sock *sk, int ifindex, const struct in6_addr *addr)
                                (void) ip6_mc_leave_src(sk, mc_lst, NULL);
                        rcu_read_unlock();
                        atomic_sub(sizeof(*mc_lst), &sk->sk_omem_alloc);
-                        call_rcu(&mc_lst->rcu, ipv6_mc_socklist_reclaim);
+                        kfree_rcu(mc_lst, rcu);
                        return 0;
                }
        }
@@ -250,7 +246,7 @@ int ipv6_sock_mc_drop(struct sock *sk, int ifindex, const struct in6_addr *addr)
 /* called with rcu_read_lock() */
 static struct inet6_dev *ip6_mc_find_dev_rcu(struct net *net,
-                                             struct in6_addr *group,
+                                             const struct in6_addr *group,
                                             int ifindex)
 {
        struct net_device *dev = NULL;
@@ -307,7 +303,7 @@ void ipv6_sock_mc_close(struct sock *sk)
                rcu_read_unlock();
                atomic_sub(sizeof(*mc_lst), &sk->sk_omem_alloc);
-                call_rcu(&mc_lst->rcu, ipv6_mc_socklist_reclaim);
+                kfree_rcu(mc_lst, rcu);
                spin_lock(&ipv6_sk_mc_lock);
        }
@@ -319,7 +315,6 @@ int ip6_mc_source(int add, int omode, struct sock *sk,
 {
        struct in6_addr *source, *group;
        struct ipv6_mc_socklist *pmc;
-        struct net_device *dev;
        struct inet6_dev *idev;
        struct ipv6_pinfo *inet6 = inet6_sk(sk);
        struct ip6_sf_socklist *psl;
@@ -341,7 +336,6 @@ int ip6_mc_source(int add, int omode, struct sock *sk,
                rcu_read_unlock();
                return -ENODEV;
        }
-        dev = idev->dev;
        err = -EADDRNOTAVAIL;
@@ -453,9 +447,8 @@ done:
 int ip6_mc_msfilter(struct sock *sk, struct group_filter *gsf)
 {
-        struct in6_addr *group;
+        const struct in6_addr *group;
        struct ipv6_mc_socklist *pmc;
-        struct net_device *dev;
        struct inet6_dev *idev;
        struct ipv6_pinfo *inet6 = inet6_sk(sk);
        struct ip6_sf_socklist *newpsl, *psl;
@@ -478,7 +471,6 @@ int ip6_mc_msfilter(struct sock *sk, struct group_filter *gsf)
                rcu_read_unlock();
                return -ENODEV;
        }
-        dev = idev->dev;
        err = 0;
@@ -546,10 +538,9 @@ int ip6_mc_msfget(struct sock *sk, struct group_filter *gsf,
        struct group_filter __user *optval, int __user *optlen)
 {
        int err, i, count, copycount;
-        struct in6_addr *group;
+        const struct in6_addr *group;
        struct ipv6_mc_socklist *pmc;
        struct inet6_dev *idev;
-        struct net_device *dev;
        struct ipv6_pinfo *inet6 = inet6_sk(sk);
        struct ip6_sf_socklist *psl;
        struct net *net = sock_net(sk);
@@ -566,7 +557,6 @@ int ip6_mc_msfget(struct sock *sk, struct group_filter *gsf,
                rcu_read_unlock();
                return -ENODEV;
        }
-        dev = idev->dev;
        err = -EADDRNOTAVAIL;
        /*
@@ -758,7 +748,7 @@ static void mld_add_delrec(struct inet6_dev *idev, struct ifmcaddr6 *im)
        spin_unlock_bh(&idev->mc_lock);
 }
-static void mld_del_delrec(struct inet6_dev *idev, struct in6_addr *pmca)
+static void mld_del_delrec(struct inet6_dev *idev, const struct in6_addr *pmca)
 {
        struct ifmcaddr6 *pmc, *pmc_prev;
        struct ip6_sf_list *psf, *psf_next;
@@ -1058,7 +1048,7 @@ static void igmp6_group_queried(struct ifmcaddr6 *ma, unsigned long resptime)
 /* mark EXCLUDE-mode sources */
 static int mld_xmarksources(struct ifmcaddr6 *pmc, int nsrcs,
-        struct in6_addr *srcs)
+        const struct in6_addr *srcs)
 {
        struct ip6_sf_list *psf;
        int i, scount;
@@ -1086,7 +1076,7 @@ static int mld_xmarksources(struct ifmcaddr6 *pmc, int nsrcs,
 }
 static int mld_marksources(struct ifmcaddr6 *pmc, int nsrcs,
-        struct in6_addr *srcs)
+        const struct in6_addr *srcs)
 {
        struct ip6_sf_list *psf;
        int i, scount;
@@ -1121,7 +1111,7 @@ int igmp6_event_query(struct sk_buff *skb)
 {
        struct mld2_query *mlh2 = NULL;
        struct ifmcaddr6 *ma;
-        struct in6_addr *group;
+        const struct in6_addr *group;
        unsigned long max_delay;
        struct inet6_dev *idev;
        struct mld_msg *mld;
@@ -1402,7 +1392,7 @@ static void mld_sendpack(struct sk_buff *skb)
        struct inet6_dev *idev;
        struct net *net = dev_net(skb->dev);
        int err;
-        struct flowi fl;
+        struct flowi6 fl6;
        struct dst_entry *dst;
        rcu_read_lock();
@@ -1425,11 +1415,16 @@ static void mld_sendpack(struct sk_buff *skb)
                goto err_out;
        }
-        icmpv6_flow_init(net->ipv6.igmp_sk, &fl, ICMPV6_MLD2_REPORT,
+        icmpv6_flow_init(net->ipv6.igmp_sk, &fl6, ICMPV6_MLD2_REPORT,
                         &ipv6_hdr(skb)->saddr, &ipv6_hdr(skb)->daddr,
                         skb->dev->ifindex);
-        err = xfrm_lookup(net, &dst, &fl, NULL, 0);
+        dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
+        err = 0;
+        if (IS_ERR(dst)) {
+                err = PTR_ERR(dst);
+                dst = NULL;
+        }
        skb_dst_set(skb, dst);
        if (err)
                goto err_out;
@@ -1732,7 +1727,7 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type)
        u8 ra[8] = { IPPROTO_ICMPV6, 0,
                     IPV6_TLV_ROUTERALERT, 2, 0, 0,
                     IPV6_TLV_PADN, 0 };
-        struct flowi fl;
+        struct flowi6 fl6;
        struct dst_entry *dst;
        if (type == ICMPV6_MGM_REDUCTION)
@@ -1792,13 +1787,15 @@ static void igmp6_send(struct in6_addr *addr, struct net_device *dev, int type)
                goto err_out;
        }
-        icmpv6_flow_init(sk, &fl, type,
+        icmpv6_flow_init(sk, &fl6, type,
                         &ipv6_hdr(skb)->saddr, &ipv6_hdr(skb)->daddr,
                         skb->dev->ifindex);
-        err = xfrm_lookup(net, &dst, &fl, NULL, 0);
+        dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
-        if (err)
+        if (IS_ERR(dst)) {
+                err = PTR_ERR(dst);
                goto err_out;
+        }
        skb_dst_set(skb, dst);
        err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev,
@@ -1820,7 +1817,7 @@ err_out:
 }
 static int ip6_mc_del1_src(struct ifmcaddr6 *pmc, int sfmode,
-        struct in6_addr *psfsrc)
+        const struct in6_addr *psfsrc)
 {
        struct ip6_sf_list *psf, *psf_prev;
        int rv = 0;
@@ -1856,8 +1853,8 @@ static int ip6_mc_del1_src(struct ifmcaddr6 *pmc, int sfmode,
        return rv;
 }
-static int ip6_mc_del_src(struct inet6_dev *idev, struct in6_addr *pmca,
+static int ip6_mc_del_src(struct inet6_dev *idev, const struct in6_addr *pmca,
-                          int sfmode, int sfcount, struct in6_addr *psfsrc,
+                          int sfmode, int sfcount, const struct in6_addr *psfsrc,
                          int delta)
 {
        struct ifmcaddr6 *pmc;
@@ -1917,7 +1914,7 @@ static int ip6_mc_del_src(struct inet6_dev *idev, struct in6_addr *pmca,
 * Add multicast single-source filter to the interface list
 */
 static int ip6_mc_add1_src(struct ifmcaddr6 *pmc, int sfmode,
-        struct in6_addr *psfsrc, int delta)
+        const struct in6_addr *psfsrc, int delta)
 {
        struct ip6_sf_list *psf, *psf_prev;
@@ -2020,8 +2017,8 @@ static int sf_setstate(struct ifmcaddr6 *pmc)
 /*
 * Add multicast source filter list to the interface list
 */
-static int ip6_mc_add_src(struct inet6_dev *idev, struct in6_addr *pmca,
+static int ip6_mc_add_src(struct inet6_dev *idev, const struct in6_addr *pmca,
-                          int sfmode, int sfcount, struct in6_addr *psfsrc,
+                          int sfmode, int sfcount, const struct in6_addr *psfsrc,
                          int delta)
 {
        struct ifmcaddr6 *pmc;
diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
index d6e9599d0705..43242e6e6103 100644
--- a/net/ipv6/mip6.c
+++ b/net/ipv6/mip6.c
@@ -126,7 +126,7 @@ static struct mip6_report_rate_limiter mip6_report_rl = {
 static int mip6_destopt_input(struct xfrm_state *x, struct sk_buff *skb)
 {
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        struct ipv6_destopt_hdr *destopt = (struct ipv6_destopt_hdr *)skb->data;
        int err = destopt->nexthdr;
@@ -181,8 +181,8 @@ static int mip6_destopt_output(struct xfrm_state *x, struct sk_buff *skb)
 }
 static inline int mip6_report_rl_allow(struct timeval *stamp,
-                                       struct in6_addr *dst,
+                                       const struct in6_addr *dst,
-                                       struct in6_addr *src, int iif)
+                                       const struct in6_addr *src, int iif)
 {
        int allow = 0;
@@ -203,18 +203,20 @@ static inline int mip6_report_rl_allow(struct timeval *stamp,
        return allow;
 }
-static int mip6_destopt_reject(struct xfrm_state *x, struct sk_buff *skb, struct flowi *fl)
+static int mip6_destopt_reject(struct xfrm_state *x, struct sk_buff *skb,
+                               const struct flowi *fl)
 {
        struct net *net = xs_net(x);
        struct inet6_skb_parm *opt = (struct inet6_skb_parm *)skb->cb;
+        const struct flowi6 *fl6 = &fl->u.ip6;
        struct ipv6_destopt_hao *hao = NULL;
        struct xfrm_selector sel;
        int offset;
        struct timeval stamp;
        int err = 0;
-        if (unlikely(fl->proto == IPPROTO_MH &&
+        if (unlikely(fl6->flowi6_proto == IPPROTO_MH &&
-                     fl->fl_mh_type <= IP6_MH_TYPE_MAX))
+                     fl6->fl6_mh_type <= IP6_MH_TYPE_MAX))
                goto out;
        if (likely(opt->dsthao)) {
@@ -239,14 +241,14 @@ static int mip6_destopt_reject(struct xfrm_state *x, struct sk_buff *skb, struct
               sizeof(sel.saddr));
        sel.prefixlen_s = 128;
        sel.family = AF_INET6;
-        sel.proto = fl->proto;
+        sel.proto = fl6->flowi6_proto;
-        sel.dport = xfrm_flowi_dport(fl);
+        sel.dport = xfrm_flowi_dport(fl, &fl6->uli);
        if (sel.dport)
                sel.dport_mask = htons(~0);
-        sel.sport = xfrm_flowi_sport(fl);
+        sel.sport = xfrm_flowi_sport(fl, &fl6->uli);
        if (sel.sport)
                sel.sport_mask = htons(~0);
-        sel.ifindex = fl->oif;
+        sel.ifindex = fl6->flowi6_oif;
        err = km_report(net, IPPROTO_DSTOPTS, &sel,
                        (hao ? (xfrm_address_t *)&hao->addr : NULL));
@@ -347,7 +349,7 @@ static const struct xfrm_type mip6_destopt_type =
 static int mip6_rthdr_input(struct xfrm_state *x, struct sk_buff *skb)
 {
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        struct rt2_hdr *rt2 = (struct rt2_hdr *)skb->data;
        int err = rt2->rt_hdr.nexthdr;
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 2342545a5ee9..7596f071d308 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -324,7 +324,7 @@ static inline u8 *ndisc_opt_addr_data(struct nd_opt_hdr *p,
        return lladdr + prepad;
 }
-int ndisc_mc_map(struct in6_addr *addr, char *buf, struct net_device *dev, int dir)
+int ndisc_mc_map(const struct in6_addr *addr, char *buf, struct net_device *dev, int dir)
 {
        switch (dev->type) {
        case ARPHRD_ETHER:
@@ -341,6 +341,8 @@ int ndisc_mc_map(struct in6_addr *addr, char *buf, struct net_device *dev, int d
        case ARPHRD_INFINIBAND:
                ipv6_ib_mc_map(addr, dev->broadcast, buf);
                return 0;
+        case ARPHRD_IPGRE:
+                return ipv6_ipgre_mc_map(addr, dev->broadcast, buf);
        default:
                if (dir) {
                        memcpy(buf, dev->broadcast, dev->addr_len);
@@ -511,7 +513,7 @@ void ndisc_send_skb(struct sk_buff *skb,
                    const struct in6_addr *saddr,
                    struct icmp6hdr *icmp6h)
 {
-        struct flowi fl;
+        struct flowi6 fl6;
        struct dst_entry *dst;
        struct net *net = dev_net(dev);
        struct sock *sk = net->ipv6.ndisc_sk;
@@ -521,7 +523,7 @@ void ndisc_send_skb(struct sk_buff *skb,
        type = icmp6h->icmp6_type;
-        icmpv6_flow_init(sk, &fl, type, saddr, daddr, dev->ifindex);
+        icmpv6_flow_init(sk, &fl6, type, saddr, daddr, dev->ifindex);
        dst = icmp6_dst_alloc(dev, neigh, daddr);
        if (!dst) {
@@ -529,8 +531,8 @@ void ndisc_send_skb(struct sk_buff *skb,
                return;
        }
-        err = xfrm_lookup(net, &dst, &fl, NULL, 0);
+        dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
-        if (err < 0) {
+        if (IS_ERR(dst)) {
                kfree_skb(skb);
                return;
        }
@@ -609,6 +611,29 @@ static void ndisc_send_na(struct net_device *dev, struct neighbour *neigh,
                     inc_opt ? ND_OPT_TARGET_LL_ADDR : 0);
 }
+static void ndisc_send_unsol_na(struct net_device *dev)
+{
+        struct inet6_dev *idev;
+        struct inet6_ifaddr *ifa;
+        struct in6_addr mcaddr;
+        idev = in6_dev_get(dev);
+        if (!idev)
+                return;
+        read_lock_bh(&idev->lock);
+        list_for_each_entry(ifa, &idev->addr_list, if_list) {
+                addrconf_addr_solict_mult(&ifa->addr, &mcaddr);
+                ndisc_send_na(dev, NULL, &mcaddr, &ifa->addr,
+                              /*router=*/ !!idev->cnf.forwarding,
+                              /*solicited=*/ false, /*override=*/ true,
+                              /*inc_opt=*/ true);
+        }
+        read_unlock_bh(&idev->lock);
+        in6_dev_put(idev);
+}
 void ndisc_send_ns(struct net_device *dev, struct neighbour *neigh,
                   const struct in6_addr *solicit,
                   const struct in6_addr *daddr, const struct in6_addr *saddr)
@@ -723,8 +748,8 @@ static int pndisc_is_router(const void *pkey,
 static void ndisc_recv_ns(struct sk_buff *skb)
 {
        struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
-        struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
+        const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
-        struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
+        const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
        u8 *lladdr = NULL;
        u32 ndoptlen = skb->tail - (skb->transport_header +
                                    offsetof(struct nd_msg, opt));
@@ -899,8 +924,8 @@ out:
 static void ndisc_recv_na(struct sk_buff *skb)
 {
        struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
-        struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
+        const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
-        struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
+        const struct in6_addr *daddr = &ipv6_hdr(skb)->daddr;
        u8 *lladdr = NULL;
        u32 ndoptlen = skb->tail - (skb->transport_header +
                                    offsetof(struct nd_msg, opt));
@@ -943,9 +968,10 @@ static void ndisc_recv_na(struct sk_buff *skb)
        }
        ifp = ipv6_get_ifaddr(dev_net(dev), &msg->target, dev, 1);
        if (ifp) {
-                if (ifp->flags & IFA_F_TENTATIVE) {
+                if (skb->pkt_type != PACKET_LOOPBACK
-                        addrconf_dad_failure(ifp);
+                    && (ifp->flags & IFA_F_TENTATIVE)) {
-                        return;
+                                addrconf_dad_failure(ifp);
+                                return;
                }
                /* What should we make now? The advertisement
                   is invalid, but ndisc specs say nothing
@@ -1012,7 +1038,7 @@ static void ndisc_recv_rs(struct sk_buff *skb)
        unsigned long ndoptlen = skb->len - sizeof(*rs_msg);
        struct neighbour *neigh;
        struct inet6_dev *idev;
-        struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
+        const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
        struct ndisc_options ndopts;
        u8 *lladdr = NULL;
@@ -1409,8 +1435,8 @@ static void ndisc_redirect_rcv(struct sk_buff *skb)
 {
        struct inet6_dev *in6_dev;
        struct icmp6hdr *icmph;
-        struct in6_addr *dest;
+        const struct in6_addr *dest;
-        struct in6_addr *target;        /* new first hop to destination */
+        const struct in6_addr *target;  /* new first hop to destination */
        struct neighbour *neigh;
        int on_link = 0;
        struct ndisc_options ndopts;
@@ -1443,7 +1469,7 @@ static void ndisc_redirect_rcv(struct sk_buff *skb)
        }
        icmph = icmp6_hdr(skb);
-        target = (struct in6_addr *) (icmph + 1);
+        target = (const struct in6_addr *) (icmph + 1);
        dest = target + 1;
        if (ipv6_addr_is_multicast(dest)) {
@@ -1515,7 +1541,7 @@ void ndisc_send_redirect(struct sk_buff *skb, struct neighbour *neigh,
        struct rt6_info *rt;
        struct dst_entry *dst;
        struct inet6_dev *idev;
-        struct flowi fl;
+        struct flowi6 fl6;
        u8 *opt;
        int rd_len;
        int err;
@@ -1535,15 +1561,15 @@ void ndisc_send_redirect(struct sk_buff *skb, struct neighbour *neigh,
                return;
        }
-        icmpv6_flow_init(sk, &fl, NDISC_REDIRECT,
+        icmpv6_flow_init(sk, &fl6, NDISC_REDIRECT,
                         &saddr_buf, &ipv6_hdr(skb)->saddr, dev->ifindex);
-        dst = ip6_route_output(net, NULL, &fl);
+        dst = ip6_route_output(net, NULL, &fl6);
        if (dst == NULL)
                return;
-        err = xfrm_lookup(net, &dst, &fl, NULL, 0);
+        dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
-        if (err)
+        if (IS_ERR(dst))
                return;
        rt = (struct rt6_info *) dst;
@@ -1553,7 +1579,9 @@ void ndisc_send_redirect(struct sk_buff *skb, struct neighbour *neigh,
                           "ICMPv6 Redirect: destination is not a neighbour.\n");
                goto release;
        }
-        if (!xrlim_allow(dst, 1*HZ))
+        if (!rt->rt6i_peer)
+                rt6_bind_peer(rt, 1);
+        if (inet_peer_xrlim_allow(rt->rt6i_peer, 1*HZ))
                goto release;
        if (dev->addr_len) {
@@ -1718,6 +1746,9 @@ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event,
                neigh_ifdown(&nd_tbl, dev);
                fib6_run_gc(~0UL, net);
                break;
+        case NETDEV_NOTIFY_PEERS:
+                ndisc_send_unsol_na(dev);
+                break;
        default:
                break;
        }
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 35915e8617f0..30fcee465448 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -13,16 +13,16 @@
 int ip6_route_me_harder(struct sk_buff *skb)
 {
        struct net *net = dev_net(skb_dst(skb)->dev);
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        struct dst_entry *dst;
-        struct flowi fl = {
+        struct flowi6 fl6 = {
-                .oif = skb->sk ? skb->sk->sk_bound_dev_if : 0,
+                .flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0,
-                .mark = skb->mark,
+                .flowi6_mark = skb->mark,
-                .fl6_dst = iph->daddr,
+                .daddr = iph->daddr,
-                .fl6_src = iph->saddr,
+                .saddr = iph->saddr,
        };
-        dst = ip6_route_output(net, skb->sk, &fl);
+        dst = ip6_route_output(net, skb->sk, &fl6);
        if (dst->error) {
                IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
                LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
@@ -37,9 +37,10 @@ int ip6_route_me_harder(struct sk_buff *skb)
 #ifdef CONFIG_XFRM
        if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
-            xfrm_decode_session(skb, &fl, AF_INET6) == 0) {
+            xfrm_decode_session(skb, flowi6_to_flowi(&fl6), AF_INET6) == 0) {
                skb_dst_set(skb, NULL);
-                if (xfrm_lookup(net, &dst, &fl, skb->sk, 0))
+                dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), skb->sk, 0);
+                if (IS_ERR(dst))
                        return -1;
                skb_dst_set(skb, dst);
        }
@@ -66,7 +67,7 @@ static void nf_ip6_saveroute(const struct sk_buff *skb,
        struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
        if (entry->hook == NF_INET_LOCAL_OUT) {
-                struct ipv6hdr *iph = ipv6_hdr(skb);
+                const struct ipv6hdr *iph = ipv6_hdr(skb);
                rt_info->daddr = iph->daddr;
                rt_info->saddr = iph->saddr;
@@ -80,7 +81,7 @@ static int nf_ip6_reroute(struct sk_buff *skb,
        struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
        if (entry->hook == NF_INET_LOCAL_OUT) {
-                struct ipv6hdr *iph = ipv6_hdr(skb);
+                const struct ipv6hdr *iph = ipv6_hdr(skb);
                if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
                    !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) ||
                    skb->mark != rt_info->mark)
@@ -89,16 +90,25 @@ static int nf_ip6_reroute(struct sk_buff *skb,
        return 0;
 }
-static int nf_ip6_route(struct dst_entry **dst, struct flowi *fl)
+static int nf_ip6_route(struct net *net, struct dst_entry **dst,
+                        struct flowi *fl, bool strict)
 {
-        *dst = ip6_route_output(&init_net, NULL, fl);
+        static const struct ipv6_pinfo fake_pinfo;
+        static const struct inet_sock fake_sk = {
+                /* makes ip6_route_output set RT6_LOOKUP_F_IFACE: */
+                .sk.sk_bound_dev_if = 1,
+                .pinet6 = (struct ipv6_pinfo *) &fake_pinfo,
+        };
+        const void *sk = strict ? &fake_sk : NULL;
+        *dst = ip6_route_output(net, sk, &fl->u.ip6);
        return (*dst)->error;
 }
 __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
                             unsigned int dataoff, u_int8_t protocol)
 {
-        struct ipv6hdr *ip6h = ipv6_hdr(skb);
+        const struct ipv6hdr *ip6h = ipv6_hdr(skb);
        __sum16 csum = 0;
        switch (skb->ip_summed) {
@@ -132,7 +142,7 @@ static __sum16 nf_ip6_checksum_partial(struct sk_buff *skb, unsigned int hook,
                                       unsigned int dataoff, unsigned int len,
                                       u_int8_t protocol)
 {
-        struct ipv6hdr *ip6h = ipv6_hdr(skb);
+        const struct ipv6hdr *ip6h = ipv6_hdr(skb);
        __wsum hsum;
        __sum16 csum = 0;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 7d227c644f72..94874b0bdcdc 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -340,6 +340,7 @@ ip6t_do_table(struct sk_buff *skb,
        unsigned int *stackptr, origptr, cpu;
        const struct xt_table_info *private;
        struct xt_action_param acpar;
+        unsigned int addend;
        /* Initialization */
        indev = in ? in->name : nulldevname;
@@ -358,7 +359,8 @@ ip6t_do_table(struct sk_buff *skb,
        IP_NF_ASSERT(table->valid_hooks & (1 << hook));
-        xt_info_rdlock_bh();
+        local_bh_disable();
+        addend = xt_write_recseq_begin();
        private = table->private;
        cpu        = smp_processor_id();
        table_base = private->entries[cpu];
@@ -410,7 +412,7 @@ ip6t_do_table(struct sk_buff *skb,
                                        verdict = (unsigned)(-v) - 1;
                                        break;
                                }
-                                if (*stackptr == 0)
+                                if (*stackptr <= origptr)
                                        e = get_entry(table_base,
                                            private->underflow[hook]);
                                else
@@ -441,9 +443,11 @@ ip6t_do_table(struct sk_buff *skb,
                        break;
        } while (!acpar.hotdrop);
-        xt_info_rdunlock_bh();
        *stackptr = origptr;
+        xt_write_recseq_end(addend);
+        local_bh_enable();
 #ifdef DEBUG_ALLOW_ALL
        return NF_ACCEPT;
 #else
@@ -899,7 +903,7 @@ get_counters(const struct xt_table_info *t,
        unsigned int i;
        for_each_possible_cpu(cpu) {
-                seqlock_t *lock = &per_cpu(xt_info_locks, cpu).lock;
+                seqcount_t *s = &per_cpu(xt_recseq, cpu);
                i = 0;
                xt_entry_foreach(iter, t->entries[cpu], t->size) {
@@ -907,10 +911,10 @@ get_counters(const struct xt_table_info *t,
                        unsigned int start;
                        do {
-                                start = read_seqbegin(lock);
+                                start = read_seqcount_begin(s);
                                bcnt = iter->counters.bcnt;
                                pcnt = iter->counters.pcnt;
-                        } while (read_seqretry(lock, start));
+                        } while (read_seqcount_retry(s, start));
                        ADD_COUNTER(counters[i], bcnt, pcnt);
                        ++i;
@@ -1076,6 +1080,7 @@ static int compat_table_info(const struct xt_table_info *info,
        memcpy(newinfo, info, offsetof(struct xt_table_info, entries));
        newinfo->initial_entries = 0;
        loc_cpu_entry = info->entries[raw_smp_processor_id()];
+        xt_compat_init_offsets(AF_INET6, info->number);
        xt_entry_foreach(iter, loc_cpu_entry, info->size) {
                ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo);
                if (ret != 0)
@@ -1274,6 +1279,7 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
        /* overflow check */
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
@@ -1323,6 +1329,7 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
        int ret = 0;
        const void *loc_cpu_entry;
        struct ip6t_entry *iter;
+        unsigned int addend;
 #ifdef CONFIG_COMPAT
        struct compat_xt_counters_info compat_tmp;
@@ -1379,13 +1386,13 @@ do_add_counters(struct net *net, const void __user *user, unsigned int len,
        i = 0;
        /* Choose the copy that is on our node */
        curcpu = smp_processor_id();
-        xt_info_wrlock(curcpu);
+        addend = xt_write_recseq_begin();
        loc_cpu_entry = private->entries[curcpu];
        xt_entry_foreach(iter, loc_cpu_entry, private->size) {
                ADD_COUNTER(iter->counters, paddc[i].bcnt, paddc[i].pcnt);
                ++i;
        }
-        xt_info_wrunlock(curcpu);
+        xt_write_recseq_end(addend);
 unlock_up_free:
        local_bh_enable();
@@ -1576,7 +1583,6 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
                            struct xt_table_info *newinfo, unsigned char *base)
 {
        struct xt_entry_target *t;
-        struct xt_target *target;
        struct ip6t_entry *de;
        unsigned int origsize;
        int ret, h;
@@ -1598,7 +1604,6 @@ compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
        }
        de->target_offset = e->target_offset - (origsize - *size);
        t = compat_ip6t_get_target(e);
-        target = t->u.kernel.target;
        xt_compat_target_from_user(t, dstptr, size);
        de->next_offset = e->next_offset - (origsize - *size);
@@ -1679,6 +1684,7 @@ translate_compat_table(struct net *net,
        duprintf("translate_compat_table: size %u\n", info->size);
        j = 0;
        xt_compat_lock(AF_INET6);
+        xt_compat_init_offsets(AF_INET6, number);
        /* Walk through entries, checking offsets. */
        xt_entry_foreach(iter0, entry0, total_size) {
                ret = check_compat_entry_size_and_hooks(iter0, info, &size,
@@ -1820,6 +1826,7 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
                return -ENOMEM;
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
        if (!newinfo)
@@ -2049,6 +2056,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
                        ret = -EFAULT;
                        break;
                }
+                rev.name[sizeof(rev.name)-1] = 0;
                if (cmd == IP6T_SO_GET_REVISION_TARGET)
                        target = 1;
@@ -2243,7 +2251,7 @@ static int __init ip6_tables_init(void)
        if (ret < 0)
                goto err1;
-        /* Noone else will be downing sem now, so we won't sleep */
+        /* No one else will be downing sem now, so we won't sleep */
        ret = xt_register_targets(ip6t_builtin_tg, ARRAY_SIZE(ip6t_builtin_tg));
        if (ret < 0)
                goto err2;
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index de338037a736..e6af8d72f26b 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -452,8 +452,7 @@ ip6t_log_packet(u_int8_t pf,
               in ? in->name : "",
               out ? out->name : "");
-        /* MAC logging for input path only. */
+        if (in != NULL)
-        if (in && !out)
                dump_mac_header(m, loginfo, skb);
        dump_packet(m, loginfo, skb, skb_network_offset(skb), 1);
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index bf998feac14e..a5a4c5dd5396 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -45,9 +45,11 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
        int tcphoff, needs_ack;
        const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
        struct ipv6hdr *ip6h;
+#define DEFAULT_TOS_VALUE       0x0U
+        const __u8 tclass = DEFAULT_TOS_VALUE;
        struct dst_entry *dst = NULL;
        u8 proto;
-        struct flowi fl;
+        struct flowi6 fl6;
        if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
            (!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) {
@@ -89,19 +91,20 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
                return;
        }
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
-        fl.proto = IPPROTO_TCP;
+        fl6.flowi6_proto = IPPROTO_TCP;
-        ipv6_addr_copy(&fl.fl6_src, &oip6h->daddr);
+        ipv6_addr_copy(&fl6.saddr, &oip6h->daddr);
-        ipv6_addr_copy(&fl.fl6_dst, &oip6h->saddr);
+        ipv6_addr_copy(&fl6.daddr, &oip6h->saddr);
-        fl.fl_ip_sport = otcph.dest;
+        fl6.fl6_sport = otcph.dest;
-        fl.fl_ip_dport = otcph.source;
+        fl6.fl6_dport = otcph.source;
-        security_skb_classify_flow(oldskb, &fl);
+        security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6));
-        dst = ip6_route_output(net, NULL, &fl);
+        dst = ip6_route_output(net, NULL, &fl6);
        if (dst == NULL || dst->error) {
                dst_release(dst);
                return;
        }
-        if (xfrm_lookup(net, &dst, &fl, NULL, 0))
+        dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
+        if (IS_ERR(dst))
                return;
        hh_len = (dst->dev->hard_header_len + 15)&~15;
@@ -123,7 +126,7 @@ static void send_reset(struct net *net, struct sk_buff *oldskb)
        skb_put(nskb, sizeof(struct ipv6hdr));
        skb_reset_network_header(nskb);
        ip6h = ipv6_hdr(nskb);
-        ip6h->version = 6;
+        *(__be32 *)ip6h =  htonl(0x60000000 | (tclass << 20));
        ip6h->hop_limit = ip6_dst_hoplimit(dst);
        ip6h->nexthdr = IPPROTO_TCP;
        ipv6_addr_copy(&ip6h->saddr, &oip6h->daddr);
diff --git a/net/ipv6/netfilter/ip6table_mangle.c b/net/ipv6/netfilter/ip6table_mangle.c
index 679a0a3b7b3c..00d19173db7e 100644
--- a/net/ipv6/netfilter/ip6table_mangle.c
+++ b/net/ipv6/netfilter/ip6table_mangle.c
@@ -64,7 +64,8 @@ ip6t_mangle_out(struct sk_buff *skb, const struct net_device *out)
            (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) ||
             memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) ||
             skb->mark != mark ||
-             ipv6_hdr(skb)->hop_limit != hop_limit))
+             ipv6_hdr(skb)->hop_limit != hop_limit ||
+             flowlabel != *((u_int32_t *)ipv6_hdr(skb))))
                return ip6_route_me_harder(skb) == 0 ? ret : NF_DROP;
        return ret;
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 79d43aa8fa8d..085727263812 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -45,6 +45,7 @@
 #include <linux/netfilter_ipv6.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
+#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
 struct nf_ct_frag6_skb_cb
@@ -73,7 +74,7 @@ static struct inet_frags nf_frags;
 static struct netns_frags nf_init_frags;
 #ifdef CONFIG_SYSCTL
-struct ctl_table nf_ct_frag6_sysctl_table[] = {
+static struct ctl_table nf_ct_frag6_sysctl_table[] = {
        {
                .procname       = "nf_conntrack_frag6_timeout",
                .data           = &nf_init_frags.timeout,
diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
index 97c5b21b9674..cdd6d045e42e 100644
--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c
@@ -71,7 +71,7 @@ static unsigned int ipv6_defrag(unsigned int hooknum,
        if (reasm == NULL)
                return NF_STOLEN;
-        /* error occured or not fragmented */
+        /* error occurred or not fragmented */
        if (reasm == skb)
                return NF_ACCEPT;
diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
index 24b3558b8e67..18ff5df7ec02 100644
--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -141,7 +141,11 @@ static const struct snmp_mib snmp6_udplite6_list[] = {
        SNMP_MIB_SENTINEL
 };
-static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, void __percpu **mib)
+/* can be called either with percpu mib (pcpumib != NULL),
+ * or shared one (smib != NULL)
+ */
+static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, void __percpu **pcpumib,
+                                     atomic_long_t *smib)
 {
        char name[32];
        int i;
@@ -158,14 +162,14 @@ static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, void __percpu **mib)
                snprintf(name, sizeof(name), "Icmp6%s%s",
                        i & 0x100 ? "Out" : "In", p);
                seq_printf(seq, "%-32s\t%lu\n", name,
-                        snmp_fold_field(mib, i));
+                        pcpumib ? snmp_fold_field(pcpumib, i) : atomic_long_read(smib + i));
        }
        /* print by number (nonzero only) - ICMPMsgStat format */
        for (i = 0; i < ICMP6MSG_MIB_MAX; i++) {
                unsigned long val;
-                val = snmp_fold_field(mib, i);
+                val = pcpumib ? snmp_fold_field(pcpumib, i) : atomic_long_read(smib + i);
                if (!val)
                        continue;
                snprintf(name, sizeof(name), "Icmp6%sType%u",
@@ -174,14 +178,22 @@ static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, void __percpu **mib)
        }
 }
-static void snmp6_seq_show_item(struct seq_file *seq, void __percpu **mib,
+/* can be called either with percpu mib (pcpumib != NULL),
+ * or shared one (smib != NULL)
+ */
+static void snmp6_seq_show_item(struct seq_file *seq, void __percpu **pcpumib,
+                                atomic_long_t *smib,
                                const struct snmp_mib *itemlist)
 {
        int i;
+        unsigned long val;
-        for (i = 0; itemlist[i].name; i++)
+        for (i = 0; itemlist[i].name; i++) {
-                seq_printf(seq, "%-32s\t%lu\n", itemlist[i].name,
+                val = pcpumib ?
-                           snmp_fold_field(mib, itemlist[i].entry));
+                        snmp_fold_field(pcpumib, itemlist[i].entry) :
+                        atomic_long_read(smib + itemlist[i].entry);
+                seq_printf(seq, "%-32s\t%lu\n", itemlist[i].name, val);
+        }
 }
 static void snmp6_seq_show_item64(struct seq_file *seq, void __percpu **mib,
@@ -201,13 +213,13 @@ static int snmp6_seq_show(struct seq_file *seq, void *v)
        snmp6_seq_show_item64(seq, (void __percpu **)net->mib.ipv6_statistics,
                            snmp6_ipstats_list, offsetof(struct ipstats_mib, syncp));
        snmp6_seq_show_item(seq, (void __percpu **)net->mib.icmpv6_statistics,
-                            snmp6_icmp6_list);
+                            NULL, snmp6_icmp6_list);
        snmp6_seq_show_icmpv6msg(seq,
-                            (void __percpu **)net->mib.icmpv6msg_statistics);
+                            (void __percpu **)net->mib.icmpv6msg_statistics, NULL);
        snmp6_seq_show_item(seq, (void __percpu **)net->mib.udp_stats_in6,
-                            snmp6_udp6_list);
+                            NULL, snmp6_udp6_list);
        snmp6_seq_show_item(seq, (void __percpu **)net->mib.udplite_stats_in6,
-                            snmp6_udplite6_list);
+                            NULL, snmp6_udplite6_list);
        return 0;
 }
@@ -229,11 +241,11 @@ static int snmp6_dev_seq_show(struct seq_file *seq, void *v)
        struct inet6_dev *idev = (struct inet6_dev *)seq->private;
        seq_printf(seq, "%-32s\t%u\n", "ifIndex", idev->dev->ifindex);
-        snmp6_seq_show_item(seq, (void __percpu **)idev->stats.ipv6,
+        snmp6_seq_show_item(seq, (void __percpu **)idev->stats.ipv6, NULL,
                            snmp6_ipstats_list);
-        snmp6_seq_show_item(seq, (void __percpu **)idev->stats.icmpv6,
+        snmp6_seq_show_item(seq, NULL, idev->stats.icmpv6dev->mibs,
                            snmp6_icmp6_list);
-        snmp6_seq_show_icmpv6msg(seq, (void __percpu **)idev->stats.icmpv6msg);
+        snmp6_seq_show_icmpv6msg(seq, NULL, idev->stats.icmpv6msgdev->mibs);
        return 0;
 }
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index c5b0915d106b..ae64984f81aa 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -67,8 +67,8 @@ static struct raw_hashinfo raw_v6_hashinfo = {
 };
 static struct sock *__raw_v6_lookup(struct net *net, struct sock *sk,
-                unsigned short num, struct in6_addr *loc_addr,
+                unsigned short num, const struct in6_addr *loc_addr,
-                struct in6_addr *rmt_addr, int dif)
+                const struct in6_addr *rmt_addr, int dif)
 {
        struct hlist_node *node;
        int is_multicast = ipv6_addr_is_multicast(loc_addr);
@@ -124,18 +124,18 @@ static __inline__ int icmpv6_filter(struct sock *sk, struct sk_buff *skb)
 }
 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
-static int (*mh_filter)(struct sock *sock, struct sk_buff *skb);
+typedef int mh_filter_t(struct sock *sock, struct sk_buff *skb);
-int rawv6_mh_filter_register(int (*filter)(struct sock *sock,
+static mh_filter_t __rcu *mh_filter __read_mostly;
-                                           struct sk_buff *skb))
+int rawv6_mh_filter_register(mh_filter_t filter)
 {
        rcu_assign_pointer(mh_filter, filter);
        return 0;
 }
 EXPORT_SYMBOL(rawv6_mh_filter_register);
-int rawv6_mh_filter_unregister(int (*filter)(struct sock *sock,
+int rawv6_mh_filter_unregister(mh_filter_t filter)
-                                             struct sk_buff *skb))
 {
        rcu_assign_pointer(mh_filter, NULL);
        synchronize_rcu();
@@ -154,8 +154,8 @@ EXPORT_SYMBOL(rawv6_mh_filter_unregister);
 */
 static int ipv6_raw_deliver(struct sk_buff *skb, int nexthdr)
 {
-        struct in6_addr *saddr;
+        const struct in6_addr *saddr;
-        struct in6_addr *daddr;
+        const struct in6_addr *daddr;
        struct sock *sk;
        int delivered = 0;
        __u8 hash;
@@ -193,10 +193,10 @@ static int ipv6_raw_deliver(struct sk_buff *skb, int nexthdr)
                         * policy is placed in rawv6_rcv() because it is
                         * required for each socket.
                         */
-                        int (*filter)(struct sock *sock, struct sk_buff *skb);
+                        mh_filter_t *filter;
                        filter = rcu_dereference(mh_filter);
-                        filtered = filter ? filter(sk, skb) : 0;
+                        filtered = filter ? (*filter)(sk, skb) : 0;
                        break;
                }
 #endif
@@ -348,7 +348,7 @@ void raw6_icmp_error(struct sk_buff *skb, int nexthdr,
 {
        struct sock *sk;
        int hash;
-        struct in6_addr *saddr, *daddr;
+        const struct in6_addr *saddr, *daddr;
        struct net *net;
        hash = nexthdr & (RAW_HTABLE_SIZE - 1);
@@ -357,7 +357,7 @@ void raw6_icmp_error(struct sk_buff *skb, int nexthdr,
        sk = sk_head(&raw_v6_hashinfo.ht[hash]);
        if (sk != NULL) {
                /* Note: ipv6_hdr(skb) != skb->data */
-                struct ipv6hdr *ip6h = (struct ipv6hdr *)skb->data;
+                const struct ipv6hdr *ip6h = (const struct ipv6hdr *)skb->data;
                saddr = &ip6h->saddr;
                daddr = &ip6h->daddr;
                net = dev_net(skb->dev);
@@ -524,7 +524,7 @@ csum_copy_err:
        goto out;
 }
-static int rawv6_push_pending_frames(struct sock *sk, struct flowi *fl,
+static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6,
                                     struct raw6_sock *rp)
 {
        struct sk_buff *skb;
@@ -542,8 +542,8 @@ static int rawv6_push_pending_frames(struct sock *sk, struct flowi *fl,
                goto out;
        offset = rp->offset;
-        total_len = inet_sk(sk)->cork.length - (skb_network_header(skb) -
+        total_len = inet_sk(sk)->cork.base.length - (skb_network_header(skb) -
-                                                skb->data);
+                                                     skb->data);
        if (offset >= total_len - 1) {
                err = -EINVAL;
                ip6_flush_pending_frames(sk);
@@ -586,11 +586,10 @@ static int rawv6_push_pending_frames(struct sock *sk, struct flowi *fl,
        if (unlikely(csum))
                tmp_csum = csum_sub(tmp_csum, csum_unfold(csum));
-        csum = csum_ipv6_magic(&fl->fl6_src,
+        csum = csum_ipv6_magic(&fl6->saddr, &fl6->daddr,
-                                   &fl->fl6_dst,
+                               total_len, fl6->flowi6_proto, tmp_csum);
-                                   total_len, fl->proto, tmp_csum);
-        if (csum == 0 && fl->proto == IPPROTO_UDP)
+        if (csum == 0 && fl6->flowi6_proto == IPPROTO_UDP)
                csum = CSUM_MANGLED_0;
        if (skb_store_bits(skb, offset, &csum, 2))
@@ -603,7 +602,7 @@ out:
 }
 static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
-                        struct flowi *fl, struct dst_entry **dstp,
+                        struct flowi6 *fl6, struct dst_entry **dstp,
                        unsigned int flags)
 {
        struct ipv6_pinfo *np = inet6_sk(sk);
@@ -613,7 +612,7 @@ static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
        struct rt6_info *rt = (struct rt6_info *)*dstp;
        if (length > rt->dst.dev->mtu) {
-                ipv6_local_error(sk, EMSGSIZE, fl, rt->dst.dev->mtu);
+                ipv6_local_error(sk, EMSGSIZE, fl6, rt->dst.dev->mtu);
                return -EMSGSIZE;
        }
        if (flags&MSG_PROBE)
@@ -662,7 +661,7 @@ error:
        return err;
 }
-static int rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
+static int rawv6_probe_proto_opt(struct flowi6 *fl6, struct msghdr *msg)
 {
        struct iovec *iov;
        u8 __user *type = NULL;
@@ -679,7 +678,7 @@ static int rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                if (!iov)
                        continue;
-                switch (fl->proto) {
+                switch (fl6->flowi6_proto) {
                case IPPROTO_ICMPV6:
                        /* check if one-byte field is readable or not. */
                        if (iov->iov_base && iov->iov_len < 1)
@@ -694,8 +693,8 @@ static int rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                                code = iov->iov_base;
                        if (type && code) {
-                                if (get_user(fl->fl_icmp_type, type) ||
+                                if (get_user(fl6->fl6_icmp_type, type) ||
-                                    get_user(fl->fl_icmp_code, code))
+                                    get_user(fl6->fl6_icmp_code, code))
                                        return -EFAULT;
                                probed = 1;
                        }
@@ -706,7 +705,7 @@ static int rawv6_probe_proto_opt(struct flowi *fl, struct msghdr *msg)
                        /* check if type field is readable or not. */
                        if (iov->iov_len > 2 - len) {
                                u8 __user *p = iov->iov_base;
-                                if (get_user(fl->fl_mh_type, &p[2 - len]))
+                                if (get_user(fl6->fl6_mh_type, &p[2 - len]))
                                        return -EFAULT;
                                probed = 1;
                        } else
@@ -735,7 +734,7 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
        struct ipv6_txoptions *opt = NULL;
        struct ip6_flowlabel *flowlabel = NULL;
        struct dst_entry *dst = NULL;
-        struct flowi fl;
+        struct flowi6 fl6;
        int addr_len = msg->msg_namelen;
        int hlimit = -1;
        int tclass = -1;
@@ -756,9 +755,9 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
        /*
         *      Get and verify the address.
         */
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
-        fl.mark = sk->sk_mark;
+        fl6.flowi6_mark = sk->sk_mark;
        if (sin6) {
                if (addr_len < SIN6_LEN_RFC2133)
@@ -780,9 +779,9 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
                daddr = &sin6->sin6_addr;
                if (np->sndflow) {
-                        fl.fl6_flowlabel = sin6->sin6_flowinfo&IPV6_FLOWINFO_MASK;
+                        fl6.flowlabel = sin6->sin6_flowinfo&IPV6_FLOWINFO_MASK;
-                        if (fl.fl6_flowlabel&IPV6_FLOWLABEL_MASK) {
+                        if (fl6.flowlabel&IPV6_FLOWLABEL_MASK) {
-                                flowlabel = fl6_sock_lookup(sk, fl.fl6_flowlabel);
+                                flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
                                if (flowlabel == NULL)
                                        return -EINVAL;
                                daddr = &flowlabel->dst;
@@ -800,32 +799,32 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
                if (addr_len >= sizeof(struct sockaddr_in6) &&
                    sin6->sin6_scope_id &&
                    ipv6_addr_type(daddr)&IPV6_ADDR_LINKLOCAL)
-                        fl.oif = sin6->sin6_scope_id;
+                        fl6.flowi6_oif = sin6->sin6_scope_id;
        } else {
                if (sk->sk_state != TCP_ESTABLISHED)
                        return -EDESTADDRREQ;
                proto = inet->inet_num;
                daddr = &np->daddr;
-                fl.fl6_flowlabel = np->flow_label;
+                fl6.flowlabel = np->flow_label;
        }
-        if (fl.oif == 0)
+        if (fl6.flowi6_oif == 0)
-                fl.oif = sk->sk_bound_dev_if;
+                fl6.flowi6_oif = sk->sk_bound_dev_if;
        if (msg->msg_controllen) {
                opt = &opt_space;
                memset(opt, 0, sizeof(struct ipv6_txoptions));
                opt->tot_len = sizeof(struct ipv6_txoptions);
-                err = datagram_send_ctl(sock_net(sk), msg, &fl, opt, &hlimit,
+                err = datagram_send_ctl(sock_net(sk), msg, &fl6, opt, &hlimit,
                                        &tclass, &dontfrag);
                if (err < 0) {
                        fl6_sock_release(flowlabel);
                        return err;
                }
-                if ((fl.fl6_flowlabel&IPV6_FLOWLABEL_MASK) && !flowlabel) {
+                if ((fl6.flowlabel&IPV6_FLOWLABEL_MASK) && !flowlabel) {
-                        flowlabel = fl6_sock_lookup(sk, fl.fl6_flowlabel);
+                        flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
                        if (flowlabel == NULL)
                                return -EINVAL;
                }
@@ -838,40 +837,31 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
                opt = fl6_merge_options(&opt_space, flowlabel, opt);
        opt = ipv6_fixup_options(&opt_space, opt);
-        fl.proto = proto;
+        fl6.flowi6_proto = proto;
-        err = rawv6_probe_proto_opt(&fl, msg);
+        err = rawv6_probe_proto_opt(&fl6, msg);
        if (err)
                goto out;
        if (!ipv6_addr_any(daddr))
-                ipv6_addr_copy(&fl.fl6_dst, daddr);
+                ipv6_addr_copy(&fl6.daddr, daddr);
        else
-                fl.fl6_dst.s6_addr[15] = 0x1; /* :: means loopback (BSD'ism) */
+                fl6.daddr.s6_addr[15] = 0x1; /* :: means loopback (BSD'ism) */
-        if (ipv6_addr_any(&fl.fl6_src) && !ipv6_addr_any(&np->saddr))
+        if (ipv6_addr_any(&fl6.saddr) && !ipv6_addr_any(&np->saddr))
-                ipv6_addr_copy(&fl.fl6_src, &np->saddr);
+                ipv6_addr_copy(&fl6.saddr, &np->saddr);
-        final_p = fl6_update_dst(&fl, opt, &final);
+        final_p = fl6_update_dst(&fl6, opt, &final);
-        if (!fl.oif && ipv6_addr_is_multicast(&fl.fl6_dst))
+        if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
-                fl.oif = np->mcast_oif;
+                fl6.flowi6_oif = np->mcast_oif;
-        security_sk_classify_flow(sk, &fl);
+        security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
-        err = ip6_dst_lookup(sk, &dst, &fl);
+        dst = ip6_dst_lookup_flow(sk, &fl6, final_p, true);
-        if (err)
+        if (IS_ERR(dst)) {
+                err = PTR_ERR(dst);
                goto out;
-        if (final_p)
-                ipv6_addr_copy(&fl.fl6_dst, final_p);
-        err = __xfrm_lookup(sock_net(sk), &dst, &fl, sk, XFRM_LOOKUP_WAIT);
-        if (err < 0) {
-                if (err == -EREMOTE)
-                        err = ip6_dst_blackhole(sk, &dst, &fl);
-                if (err < 0)
-                        goto out;
        }
        if (hlimit < 0) {
-                if (ipv6_addr_is_multicast(&fl.fl6_dst))
+                if (ipv6_addr_is_multicast(&fl6.daddr))
                        hlimit = np->mcast_hops;
                else
                        hlimit = np->hop_limit;
@@ -890,17 +880,17 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
 back_from_confirm:
        if (inet->hdrincl)
-                err = rawv6_send_hdrinc(sk, msg->msg_iov, len, &fl, &dst, msg->msg_flags);
+                err = rawv6_send_hdrinc(sk, msg->msg_iov, len, &fl6, &dst, msg->msg_flags);
        else {
                lock_sock(sk);
                err = ip6_append_data(sk, ip_generic_getfrag, msg->msg_iov,
-                        len, 0, hlimit, tclass, opt, &fl, (struct rt6_info*)dst,
+                        len, 0, hlimit, tclass, opt, &fl6, (struct rt6_info*)dst,
                        msg->msg_flags, dontfrag);
                if (err)
                        ip6_flush_pending_frames(sk);
                else if (!(msg->msg_flags & MSG_MORE))
-                        err = rawv6_push_pending_frames(sk, &fl, rp);
+                        err = rawv6_push_pending_frames(sk, &fl6, rp);
                release_sock(sk);
        }
 done:
@@ -1241,7 +1231,7 @@ struct proto rawv6_prot = {
 static void raw6_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
 {
        struct ipv6_pinfo *np = inet6_sk(sp);
-        struct in6_addr *dest, *src;
+        const struct in6_addr *dest, *src;
        __u16 destp, srcp;
        dest  = &np->daddr;
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 07beeb06f752..7b954e2539d0 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -224,7 +224,7 @@ out:
 }
 static __inline__ struct frag_queue *
-fq_find(struct net *net, __be32 id, struct in6_addr *src, struct in6_addr *dst)
+fq_find(struct net *net, __be32 id, const struct in6_addr *src, const struct in6_addr *dst)
 {
        struct inet_frag_queue *q;
        struct ip6_create_arg arg;
@@ -535,7 +535,7 @@ static int ipv6_frag_rcv(struct sk_buff *skb)
 {
        struct frag_hdr *fhdr;
        struct frag_queue *fq;
-        struct ipv6hdr *hdr = ipv6_hdr(skb);
+        const struct ipv6hdr *hdr = ipv6_hdr(skb);
        struct net *net = dev_net(skb_dst(skb)->dev);
        IP6_INC_STATS_BH(net, ip6_dst_idev(skb_dst(skb)), IPSTATS_MIB_REASMREQDS);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index a998db6e7895..de2b1decd786 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -89,14 +89,44 @@ static void		ip6_rt_update_pmtu(struct dst_entry *dst, u32 mtu);
 #ifdef CONFIG_IPV6_ROUTE_INFO
 static struct rt6_info *rt6_add_route_info(struct net *net,
-                                           struct in6_addr *prefix, int prefixlen,
+                                           const struct in6_addr *prefix, int prefixlen,
-                                           struct in6_addr *gwaddr, int ifindex,
+                                           const struct in6_addr *gwaddr, int ifindex,
                                           unsigned pref);
 static struct rt6_info *rt6_get_route_info(struct net *net,
-                                           struct in6_addr *prefix, int prefixlen,
+                                           const struct in6_addr *prefix, int prefixlen,
-                                           struct in6_addr *gwaddr, int ifindex);
+                                           const struct in6_addr *gwaddr, int ifindex);
 #endif
+static u32 *ipv6_cow_metrics(struct dst_entry *dst, unsigned long old)
+{
+        struct rt6_info *rt = (struct rt6_info *) dst;
+        struct inet_peer *peer;
+        u32 *p = NULL;
+        if (!rt->rt6i_peer)
+                rt6_bind_peer(rt, 1);
+        peer = rt->rt6i_peer;
+        if (peer) {
+                u32 *old_p = __DST_METRICS_PTR(old);
+                unsigned long prev, new;
+                p = peer->metrics;
+                if (inet_metrics_new(peer))
+                        memcpy(p, old_p, sizeof(u32) * RTAX_MAX);
+                new = (unsigned long) p;
+                prev = cmpxchg(&dst->_metrics, old, new);
+                if (prev != old) {
+                        p = __DST_METRICS_PTR(prev);
+                        if (prev & DST_METRICS_READ_ONLY)
+                                p = NULL;
+                }
+        }
+        return p;
+}
 static struct dst_ops ip6_dst_ops_template = {
        .family                 =       AF_INET6,
        .protocol               =       cpu_to_be16(ETH_P_IPV6),
@@ -105,6 +135,7 @@ static struct dst_ops ip6_dst_ops_template = {
        .check                  =       ip6_dst_check,
        .default_advmss         =       ip6_default_advmss,
        .default_mtu            =       ip6_default_mtu,
+        .cow_metrics            =       ipv6_cow_metrics,
        .destroy                =       ip6_dst_destroy,
        .ifdown                 =       ip6_dst_ifdown,
        .negative_advice        =       ip6_negative_advice,
@@ -122,6 +153,12 @@ static void ip6_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
 {
 }
+static u32 *ip6_rt_blackhole_cow_metrics(struct dst_entry *dst,
+                                         unsigned long old)
+{
+        return NULL;
+}
 static struct dst_ops ip6_dst_blackhole_ops = {
        .family                 =       AF_INET6,
        .protocol               =       cpu_to_be16(ETH_P_IPV6),
@@ -130,6 +167,11 @@ static struct dst_ops ip6_dst_blackhole_ops = {
        .default_mtu            =       ip6_blackhole_default_mtu,
        .default_advmss         =       ip6_default_advmss,
        .update_pmtu            =       ip6_rt_blackhole_update_pmtu,
+        .cow_metrics            =       ip6_rt_blackhole_cow_metrics,
+};
+static const u32 ip6_template_metrics[RTAX_MAX] = {
+        [RTAX_HOPLIMIT - 1] = 255,
 };
 static struct rt6_info ip6_null_entry_template = {
@@ -185,9 +227,14 @@ static struct rt6_info ip6_blk_hole_entry_template = {
 #endif
 /* allocate dst with ip6_dst_ops */
-static inline struct rt6_info *ip6_dst_alloc(struct dst_ops *ops)
+static inline struct rt6_info *ip6_dst_alloc(struct dst_ops *ops,
+                                             struct net_device *dev)
 {
-        return (struct rt6_info *)dst_alloc(ops);
+        struct rt6_info *rt = dst_alloc(ops, dev, 0, 0, 0);
+        memset(&rt->rt6i_table, 0, sizeof(*rt) - sizeof(struct dst_entry));
+        return rt;
 }
 static void ip6_dst_destroy(struct dst_entry *dst)
@@ -206,6 +253,13 @@ static void ip6_dst_destroy(struct dst_entry *dst)
        }
 }
+static atomic_t __rt6_peer_genid = ATOMIC_INIT(0);
+static u32 rt6_peer_genid(void)
+{
+        return atomic_read(&__rt6_peer_genid);
+}
 void rt6_bind_peer(struct rt6_info *rt, int create)
 {
        struct inet_peer *peer;
@@ -213,6 +267,8 @@ void rt6_bind_peer(struct rt6_info *rt, int create)
        peer = inet_getpeer_v6(&rt->rt6i_dst.addr, create);
        if (peer && cmpxchg(&rt->rt6i_peer, NULL, peer) != NULL)
                inet_putpeer(peer);
+        else
+                rt->rt6i_peer_genid = rt6_peer_genid();
 }
 static void ip6_dst_ifdown(struct dst_entry *dst, struct net_device *dev,
@@ -239,7 +295,7 @@ static __inline__ int rt6_check_expired(const struct rt6_info *rt)
                time_after(jiffies, rt->rt6i_expires);
 }
-static inline int rt6_need_strict(struct in6_addr *daddr)
+static inline int rt6_need_strict(const struct in6_addr *daddr)
 {
        return ipv6_addr_type(daddr) &
                (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL | IPV6_ADDR_LOOPBACK);
@@ -251,7 +307,7 @@ static inline int rt6_need_strict(struct in6_addr *daddr)
 static inline struct rt6_info *rt6_device_match(struct net *net,
                                                    struct rt6_info *rt,
-                                                    struct in6_addr *saddr,
+                                                    const struct in6_addr *saddr,
                                                    int oif,
                                                    int flags)
 {
@@ -463,7 +519,7 @@ static struct rt6_info *rt6_select(struct fib6_node *fn, int oif, int strict)
 #ifdef CONFIG_IPV6_ROUTE_INFO
 int rt6_route_rcv(struct net_device *dev, u8 *opt, int len,
-                  struct in6_addr *gwaddr)
+                  const struct in6_addr *gwaddr)
 {
        struct net *net = dev_net(dev);
        struct route_info *rinfo = (struct route_info *) opt;
@@ -555,17 +611,17 @@ do { \
 static struct rt6_info *ip6_pol_route_lookup(struct net *net,
                                             struct fib6_table *table,
-                                             struct flowi *fl, int flags)
+                                             struct flowi6 *fl6, int flags)
 {
        struct fib6_node *fn;
        struct rt6_info *rt;
        read_lock_bh(&table->tb6_lock);
-        fn = fib6_lookup(&table->tb6_root, &fl->fl6_dst, &fl->fl6_src);
+        fn = fib6_lookup(&table->tb6_root, &fl6->daddr, &fl6->saddr);
 restart:
        rt = fn->leaf;
-        rt = rt6_device_match(net, rt, &fl->fl6_src, fl->oif, flags);
+        rt = rt6_device_match(net, rt, &fl6->saddr, fl6->flowi6_oif, flags);
-        BACKTRACK(net, &fl->fl6_src);
+        BACKTRACK(net, &fl6->saddr);
 out:
        dst_use(&rt->dst, jiffies);
        read_unlock_bh(&table->tb6_lock);
@@ -576,19 +632,19 @@ out:
 struct rt6_info *rt6_lookup(struct net *net, const struct in6_addr *daddr,
                            const struct in6_addr *saddr, int oif, int strict)
 {
-        struct flowi fl = {
+        struct flowi6 fl6 = {
-                .oif = oif,
+                .flowi6_oif = oif,
-                .fl6_dst = *daddr,
+                .daddr = *daddr,
        };
        struct dst_entry *dst;
        int flags = strict ? RT6_LOOKUP_F_IFACE : 0;
        if (saddr) {
-                memcpy(&fl.fl6_src, saddr, sizeof(*saddr));
+                memcpy(&fl6.saddr, saddr, sizeof(*saddr));
                flags |= RT6_LOOKUP_F_HAS_SADDR;
        }
-        dst = fib6_rule_lookup(net, &fl, flags, ip6_pol_route_lookup);
+        dst = fib6_rule_lookup(net, &fl6, flags, ip6_pol_route_lookup);
        if (dst->error == 0)
                return (struct rt6_info *) dst;
@@ -626,8 +682,8 @@ int ip6_ins_rt(struct rt6_info *rt)
        return __ip6_ins_rt(rt, &info);
 }
-static struct rt6_info *rt6_alloc_cow(struct rt6_info *ort, struct in6_addr *daddr,
+static struct rt6_info *rt6_alloc_cow(struct rt6_info *ort, const struct in6_addr *daddr,
-                                      struct in6_addr *saddr)
+                                      const struct in6_addr *saddr)
 {
        struct rt6_info *rt;
@@ -695,7 +751,7 @@ static struct rt6_info *rt6_alloc_cow(struct rt6_info *ort, struct in6_addr *dad
        return rt;
 }
-static struct rt6_info *rt6_alloc_clone(struct rt6_info *ort, struct in6_addr *daddr)
+static struct rt6_info *rt6_alloc_clone(struct rt6_info *ort, const struct in6_addr *daddr)
 {
        struct rt6_info *rt = ip6_rt_copy(ort);
        if (rt) {
@@ -709,7 +765,7 @@ static struct rt6_info *rt6_alloc_clone(struct rt6_info *ort, struct in6_addr *d
 }
 static struct rt6_info *ip6_pol_route(struct net *net, struct fib6_table *table, int oif,
-                                      struct flowi *fl, int flags)
+                                      struct flowi6 *fl6, int flags)
 {
        struct fib6_node *fn;
        struct rt6_info *rt, *nrt;
@@ -724,12 +780,12 @@ relookup:
        read_lock_bh(&table->tb6_lock);
 restart_2:
-        fn = fib6_lookup(&table->tb6_root, &fl->fl6_dst, &fl->fl6_src);
+        fn = fib6_lookup(&table->tb6_root, &fl6->daddr, &fl6->saddr);
 restart:
        rt = rt6_select(fn, oif, strict | reachable);
-        BACKTRACK(net, &fl->fl6_src);
+        BACKTRACK(net, &fl6->saddr);
        if (rt == net->ipv6.ip6_null_entry ||
            rt->rt6i_flags & RTF_CACHE)
                goto out;
@@ -738,9 +794,11 @@ restart:
        read_unlock_bh(&table->tb6_lock);
        if (!rt->rt6i_nexthop && !(rt->rt6i_flags & RTF_NONEXTHOP))
-                nrt = rt6_alloc_cow(rt, &fl->fl6_dst, &fl->fl6_src);
+                nrt = rt6_alloc_cow(rt, &fl6->daddr, &fl6->saddr);
+        else if (!(rt->dst.flags & DST_HOST))
+                nrt = rt6_alloc_clone(rt, &fl6->daddr);
        else
-                nrt = rt6_alloc_clone(rt, &fl->fl6_dst);
+                goto out2;
        dst_release(&rt->dst);
        rt = nrt ? : net->ipv6.ip6_null_entry;
@@ -777,74 +835,71 @@ out2:
 }
 static struct rt6_info *ip6_pol_route_input(struct net *net, struct fib6_table *table,
-                                            struct flowi *fl, int flags)
+                                            struct flowi6 *fl6, int flags)
 {
-        return ip6_pol_route(net, table, fl->iif, fl, flags);
+        return ip6_pol_route(net, table, fl6->flowi6_iif, fl6, flags);
 }
 void ip6_route_input(struct sk_buff *skb)
 {
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        struct net *net = dev_net(skb->dev);
        int flags = RT6_LOOKUP_F_HAS_SADDR;
-        struct flowi fl = {
+        struct flowi6 fl6 = {
-                .iif = skb->dev->ifindex,
+                .flowi6_iif = skb->dev->ifindex,
-                .fl6_dst = iph->daddr,
+                .daddr = iph->daddr,
-                .fl6_src = iph->saddr,
+                .saddr = iph->saddr,
-                .fl6_flowlabel = (* (__be32 *) iph)&IPV6_FLOWINFO_MASK,
+                .flowlabel = (* (__be32 *) iph)&IPV6_FLOWINFO_MASK,
-                .mark = skb->mark,
+                .flowi6_mark = skb->mark,
-                .proto = iph->nexthdr,
+                .flowi6_proto = iph->nexthdr,
        };
        if (rt6_need_strict(&iph->daddr) && skb->dev->type != ARPHRD_PIMREG)
                flags |= RT6_LOOKUP_F_IFACE;
-        skb_dst_set(skb, fib6_rule_lookup(net, &fl, flags, ip6_pol_route_input));
+        skb_dst_set(skb, fib6_rule_lookup(net, &fl6, flags, ip6_pol_route_input));
 }
 static struct rt6_info *ip6_pol_route_output(struct net *net, struct fib6_table *table,
-                                             struct flowi *fl, int flags)
+                                             struct flowi6 *fl6, int flags)
 {
-        return ip6_pol_route(net, table, fl->oif, fl, flags);
+        return ip6_pol_route(net, table, fl6->flowi6_oif, fl6, flags);
 }
-struct dst_entry * ip6_route_output(struct net *net, struct sock *sk,
+struct dst_entry * ip6_route_output(struct net *net, const struct sock *sk,
-                                    struct flowi *fl)
+                                    struct flowi6 *fl6)
 {
        int flags = 0;
-        if ((sk && sk->sk_bound_dev_if) || rt6_need_strict(&fl->fl6_dst))
+        if ((sk && sk->sk_bound_dev_if) || rt6_need_strict(&fl6->daddr))
                flags |= RT6_LOOKUP_F_IFACE;
-        if (!ipv6_addr_any(&fl->fl6_src))
+        if (!ipv6_addr_any(&fl6->saddr))
                flags |= RT6_LOOKUP_F_HAS_SADDR;
        else if (sk)
                flags |= rt6_srcprefs2flags(inet6_sk(sk)->srcprefs);
-        return fib6_rule_lookup(net, fl, flags, ip6_pol_route_output);
+        return fib6_rule_lookup(net, fl6, flags, ip6_pol_route_output);
 }
 EXPORT_SYMBOL(ip6_route_output);
-int ip6_dst_blackhole(struct sock *sk, struct dst_entry **dstp, struct flowi *fl)
+struct dst_entry *ip6_blackhole_route(struct net *net, struct dst_entry *dst_orig)
 {
-        struct rt6_info *ort = (struct rt6_info *) *dstp;
+        struct rt6_info *rt, *ort = (struct rt6_info *) dst_orig;
-        struct rt6_info *rt = (struct rt6_info *)
-                dst_alloc(&ip6_dst_blackhole_ops);
        struct dst_entry *new = NULL;
+        rt = dst_alloc(&ip6_dst_blackhole_ops, ort->dst.dev, 1, 0, 0);
        if (rt) {
+                memset(&rt->rt6i_table, 0, sizeof(*rt) - sizeof(struct dst_entry));
                new = &rt->dst;
-                atomic_set(&new->__refcnt, 1);
                new->__use = 1;
                new->input = dst_discard;
                new->output = dst_discard;
                dst_copy_metrics(new, &ort->dst);
-                new->dev = ort->dst.dev;
-                if (new->dev)
-                        dev_hold(new->dev);
                rt->rt6i_idev = ort->rt6i_idev;
                if (rt->rt6i_idev)
                        in6_dev_hold(rt->rt6i_idev);
@@ -862,11 +917,9 @@ int ip6_dst_blackhole(struct sock *sk, struct dst_entry **dstp, struct flowi *fl
                dst_free(new);
        }
-        dst_release(*dstp);
+        dst_release(dst_orig);
-        *dstp = new;
+        return new ? new : ERR_PTR(-ENOMEM);
-        return new ? 0 : -ENOMEM;
 }
-EXPORT_SYMBOL_GPL(ip6_dst_blackhole);
 /*
 *      Destination cache support functions
@@ -878,9 +931,14 @@ static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie)
        rt = (struct rt6_info *) dst;
-        if (rt->rt6i_node && (rt->rt6i_node->fn_sernum == cookie))
+        if (rt->rt6i_node && (rt->rt6i_node->fn_sernum == cookie)) {
+                if (rt->rt6i_peer_genid != rt6_peer_genid()) {
+                        if (!rt->rt6i_peer)
+                                rt6_bind_peer(rt, 0);
+                        rt->rt6i_peer_genid = rt6_peer_genid();
+                }
                return dst;
+        }
        return NULL;
 }
@@ -931,7 +989,6 @@ static void ip6_rt_update_pmtu(struct dst_entry *dst, u32 mtu)
                        dst_metric_set(dst, RTAX_FEATURES, features);
                }
                dst_metric_set(dst, RTAX_MTU, mtu);
-                call_netevent_notifiers(NETEVENT_PMTU_UPDATE, dst);
        }
 }
@@ -985,13 +1042,12 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
        if (unlikely(idev == NULL))
                return NULL;
-        rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops);
+        rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, dev);
        if (unlikely(rt == NULL)) {
                in6_dev_put(idev);
                goto out;
        }
-        dev_hold(dev);
        if (neigh)
                neigh_hold(neigh);
        else {
@@ -1000,7 +1056,6 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
                        neigh = NULL;
        }
-        rt->rt6i_dev      = dev;
        rt->rt6i_idev     = idev;
        rt->rt6i_nexthop  = neigh;
        atomic_set(&rt->dst.__refcnt, 1);
@@ -1028,11 +1083,9 @@ out:
 int icmp6_dst_gc(void)
 {
-        struct dst_entry *dst, *next, **pprev;
+        struct dst_entry *dst, **pprev;
        int more = 0;
-        next = NULL;
        spin_lock_bh(&icmp6_dst_lock);
        pprev = &icmp6_dst_gc_list;
@@ -1161,7 +1214,7 @@ int ip6_route_add(struct fib6_config *cfg)
                goto out;
        }
-        rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops);
+        rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops, NULL);
        if (rt == NULL) {
                err = -ENOMEM;
@@ -1228,7 +1281,7 @@ int ip6_route_add(struct fib6_config *cfg)
        }
        if (cfg->fc_flags & RTF_GATEWAY) {
-                struct in6_addr *gw_addr;
+                const struct in6_addr *gw_addr;
                int gwa_type;
                gw_addr = &cfg->fc_gateway;
@@ -1281,6 +1334,16 @@ int ip6_route_add(struct fib6_config *cfg)
        if (dev == NULL)
                goto out;
+        if (!ipv6_addr_any(&cfg->fc_prefsrc)) {
+                if (!ipv6_chk_addr(net, &cfg->fc_prefsrc, dev, 0)) {
+                        err = -EINVAL;
+                        goto out;
+                }
+                ipv6_addr_copy(&rt->rt6i_prefsrc.addr, &cfg->fc_prefsrc);
+                rt->rt6i_prefsrc.plen = 128;
+        } else
+                rt->rt6i_prefsrc.plen = 0;
        if (cfg->fc_flags & (RTF_GATEWAY | RTF_NONEXTHOP)) {
                rt->rt6i_nexthop = __neigh_lookup_errno(&nd_tbl, &rt->rt6i_gateway, dev);
                if (IS_ERR(rt->rt6i_nexthop)) {
@@ -1400,16 +1463,16 @@ static int ip6_route_del(struct fib6_config *cfg)
 *      Handle redirects
 */
 struct ip6rd_flowi {
-        struct flowi fl;
+        struct flowi6 fl6;
        struct in6_addr gateway;
 };
 static struct rt6_info *__ip6_route_redirect(struct net *net,
                                             struct fib6_table *table,
-                                             struct flowi *fl,
+                                             struct flowi6 *fl6,
                                             int flags)
 {
-        struct ip6rd_flowi *rdfl = (struct ip6rd_flowi *)fl;
+        struct ip6rd_flowi *rdfl = (struct ip6rd_flowi *)fl6;
        struct rt6_info *rt;
        struct fib6_node *fn;
@@ -1425,7 +1488,7 @@ static struct rt6_info *__ip6_route_redirect(struct net *net,
         */
        read_lock_bh(&table->tb6_lock);
-        fn = fib6_lookup(&table->tb6_root, &fl->fl6_dst, &fl->fl6_src);
+        fn = fib6_lookup(&table->tb6_root, &fl6->daddr, &fl6->saddr);
 restart:
        for (rt = fn->leaf; rt; rt = rt->dst.rt6_next) {
                /*
@@ -1440,7 +1503,7 @@ restart:
                        continue;
                if (!(rt->rt6i_flags & RTF_GATEWAY))
                        continue;
-                if (fl->oif != rt->rt6i_dev->ifindex)
+                if (fl6->flowi6_oif != rt->rt6i_dev->ifindex)
                        continue;
                if (!ipv6_addr_equal(&rdfl->gateway, &rt->rt6i_gateway))
                        continue;
@@ -1449,7 +1512,7 @@ restart:
        if (!rt)
                rt = net->ipv6.ip6_null_entry;
-        BACKTRACK(net, &fl->fl6_src);
+        BACKTRACK(net, &fl6->saddr);
 out:
        dst_hold(&rt->dst);
@@ -1458,18 +1521,18 @@ out:
        return rt;
 };
-static struct rt6_info *ip6_route_redirect(struct in6_addr *dest,
+static struct rt6_info *ip6_route_redirect(const struct in6_addr *dest,
-                                           struct in6_addr *src,
+                                           const struct in6_addr *src,
-                                           struct in6_addr *gateway,
+                                           const struct in6_addr *gateway,
                                           struct net_device *dev)
 {
        int flags = RT6_LOOKUP_F_HAS_SADDR;
        struct net *net = dev_net(dev);
        struct ip6rd_flowi rdfl = {
-                .fl = {
+                .fl6 = {
-                        .oif = dev->ifindex,
+                        .flowi6_oif = dev->ifindex,
-                        .fl6_dst = *dest,
+                        .daddr = *dest,
-                        .fl6_src = *src,
+                        .saddr = *src,
                },
        };
@@ -1478,12 +1541,12 @@ static struct rt6_info *ip6_route_redirect(struct in6_addr *dest,
        if (rt6_need_strict(dest))
                flags |= RT6_LOOKUP_F_IFACE;
-        return (struct rt6_info *)fib6_rule_lookup(net, (struct flowi *)&rdfl,
+        return (struct rt6_info *)fib6_rule_lookup(net, &rdfl.fl6,
                                                   flags, __ip6_route_redirect);
 }
-void rt6_redirect(struct in6_addr *dest, struct in6_addr *src,
+void rt6_redirect(const struct in6_addr *dest, const struct in6_addr *src,
-                  struct in6_addr *saddr,
+                  const struct in6_addr *saddr,
                  struct neighbour *neigh, u8 *lladdr, int on_link)
 {
        struct rt6_info *rt, *nrt = NULL;
@@ -1557,7 +1620,7 @@ out:
 *      i.e. Path MTU discovery
 */
-static void rt6_do_pmtu_disc(struct in6_addr *daddr, struct in6_addr *saddr,
+static void rt6_do_pmtu_disc(const struct in6_addr *daddr, const struct in6_addr *saddr,
                             struct net *net, u32 pmtu, int ifindex)
 {
        struct rt6_info *rt, *nrt;
@@ -1642,7 +1705,7 @@ out:
        dst_release(&rt->dst);
 }
-void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr,
+void rt6_pmtu_discovery(const struct in6_addr *daddr, const struct in6_addr *saddr,
                        struct net_device *dev, u32 pmtu)
 {
        struct net *net = dev_net(dev);
@@ -1670,7 +1733,8 @@ void rt6_pmtu_discovery(struct in6_addr *daddr, struct in6_addr *saddr,
 static struct rt6_info * ip6_rt_copy(struct rt6_info *ort)
 {
        struct net *net = dev_net(ort->rt6i_dev);
-        struct rt6_info *rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops);
+        struct rt6_info *rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops,
+                                            ort->dst.dev);
        if (rt) {
                rt->dst.input = ort->dst.input;
@@ -1678,9 +1742,6 @@ static struct rt6_info * ip6_rt_copy(struct rt6_info *ort)
                dst_copy_metrics(&rt->dst, &ort->dst);
                rt->dst.error = ort->dst.error;
-                rt->dst.dev = ort->dst.dev;
-                if (rt->dst.dev)
-                        dev_hold(rt->dst.dev);
                rt->rt6i_idev = ort->rt6i_idev;
                if (rt->rt6i_idev)
                        in6_dev_hold(rt->rt6i_idev);
@@ -1695,6 +1756,7 @@ static struct rt6_info * ip6_rt_copy(struct rt6_info *ort)
 #ifdef CONFIG_IPV6_SUBTREES
                memcpy(&rt->rt6i_src, &ort->rt6i_src, sizeof(struct rt6key));
 #endif
+                memcpy(&rt->rt6i_prefsrc, &ort->rt6i_prefsrc, sizeof(struct rt6key));
                rt->rt6i_table = ort->rt6i_table;
        }
        return rt;
@@ -1702,8 +1764,8 @@ static struct rt6_info * ip6_rt_copy(struct rt6_info *ort)
 #ifdef CONFIG_IPV6_ROUTE_INFO
 static struct rt6_info *rt6_get_route_info(struct net *net,
-                                           struct in6_addr *prefix, int prefixlen,
+                                           const struct in6_addr *prefix, int prefixlen,
-                                           struct in6_addr *gwaddr, int ifindex)
+                                           const struct in6_addr *gwaddr, int ifindex)
 {
        struct fib6_node *fn;
        struct rt6_info *rt = NULL;
@@ -1734,8 +1796,8 @@ out:
 }
 static struct rt6_info *rt6_add_route_info(struct net *net,
-                                           struct in6_addr *prefix, int prefixlen,
+                                           const struct in6_addr *prefix, int prefixlen,
-                                           struct in6_addr *gwaddr, int ifindex,
+                                           const struct in6_addr *gwaddr, int ifindex,
                                           unsigned pref)
 {
        struct fib6_config cfg = {
@@ -1763,7 +1825,7 @@ static struct rt6_info *rt6_add_route_info(struct net *net,
 }
 #endif
-struct rt6_info *rt6_get_dflt_router(struct in6_addr *addr, struct net_device *dev)
+struct rt6_info *rt6_get_dflt_router(const struct in6_addr *addr, struct net_device *dev)
 {
        struct rt6_info *rt;
        struct fib6_table *table;
@@ -1785,7 +1847,7 @@ struct rt6_info *rt6_get_dflt_router(struct in6_addr *addr, struct net_device *d
        return rt;
 }
-struct rt6_info *rt6_add_dflt_router(struct in6_addr *gwaddr,
+struct rt6_info *rt6_add_dflt_router(const struct in6_addr *gwaddr,
                                     struct net_device *dev,
                                     unsigned int pref)
 {
@@ -1950,7 +2012,8 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
                                    int anycast)
 {
        struct net *net = dev_net(idev->dev);
-        struct rt6_info *rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops);
+        struct rt6_info *rt = ip6_dst_alloc(&net->ipv6.ip6_dst_ops,
+                                            net->loopback_dev);
        struct neighbour *neigh;
        if (rt == NULL) {
@@ -1960,15 +2023,12 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
                return ERR_PTR(-ENOMEM);
        }
-        dev_hold(net->loopback_dev);
        in6_dev_hold(idev);
        rt->dst.flags = DST_HOST;
        rt->dst.input = ip6_input;
        rt->dst.output = ip6_output;
-        rt->rt6i_dev = net->loopback_dev;
        rt->rt6i_idev = idev;
-        dst_metric_set(&rt->dst, RTAX_HOPLIMIT, -1);
        rt->dst.obsolete = -1;
        rt->rt6i_flags = RTF_UP | RTF_NONEXTHOP;
@@ -1980,12 +2040,7 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
        if (IS_ERR(neigh)) {
                dst_free(&rt->dst);
-                /* We are casting this because that is the return
+                return ERR_CAST(neigh);
-                 * value type.  But an errno encoded pointer is the
-                 * same regardless of the underlying pointer type,
-                 * and that's what we are returning.  So this is OK.
-                 */
-                return (struct rt6_info *) neigh;
        }
        rt->rt6i_nexthop = neigh;
@@ -1998,6 +2053,55 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
        return rt;
 }
+int ip6_route_get_saddr(struct net *net,
+                        struct rt6_info *rt,
+                        const struct in6_addr *daddr,
+                        unsigned int prefs,
+                        struct in6_addr *saddr)
+{
+        struct inet6_dev *idev = ip6_dst_idev((struct dst_entry*)rt);
+        int err = 0;
+        if (rt->rt6i_prefsrc.plen)
+                ipv6_addr_copy(saddr, &rt->rt6i_prefsrc.addr);
+        else
+                err = ipv6_dev_get_saddr(net, idev ? idev->dev : NULL,
+                                         daddr, prefs, saddr);
+        return err;
+}
+/* remove deleted ip from prefsrc entries */
+struct arg_dev_net_ip {
+        struct net_device *dev;
+        struct net *net;
+        struct in6_addr *addr;
+};
+static int fib6_remove_prefsrc(struct rt6_info *rt, void *arg)
+{
+        struct net_device *dev = ((struct arg_dev_net_ip *)arg)->dev;
+        struct net *net = ((struct arg_dev_net_ip *)arg)->net;
+        struct in6_addr *addr = ((struct arg_dev_net_ip *)arg)->addr;
+        if (((void *)rt->rt6i_dev == dev || dev == NULL) &&
+            rt != net->ipv6.ip6_null_entry &&
+            ipv6_addr_equal(addr, &rt->rt6i_prefsrc.addr)) {
+                /* remove prefsrc entry */
+                rt->rt6i_prefsrc.plen = 0;
+        }
+        return 0;
+}
+void rt6_remove_prefsrc(struct inet6_ifaddr *ifp)
+{
+        struct net *net = dev_net(ifp->idev->dev);
+        struct arg_dev_net_ip adni = {
+                .dev = ifp->idev->dev,
+                .net = net,
+                .addr = &ifp->addr,
+        };
+        fib6_clean_all(net, fib6_remove_prefsrc, 0, &adni);
+}
 struct arg_dev_net {
        struct net_device *dev;
        struct net *net;
@@ -2144,6 +2248,9 @@ static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
                nla_memcpy(&cfg->fc_src, tb[RTA_SRC], plen);
        }
+        if (tb[RTA_PREFSRC])
+                nla_memcpy(&cfg->fc_prefsrc, tb[RTA_PREFSRC], 16);
        if (tb[RTA_OIF])
                cfg->fc_ifindex = nla_get_u32(tb[RTA_OIF]);
@@ -2286,13 +2393,17 @@ static int rt6_fill_node(struct net *net,
 #endif
                        NLA_PUT_U32(skb, RTA_IIF, iif);
        } else if (dst) {
-                struct inet6_dev *idev = ip6_dst_idev(&rt->dst);
                struct in6_addr saddr_buf;
-                if (ipv6_dev_get_saddr(net, idev ? idev->dev : NULL,
+                if (ip6_route_get_saddr(net, rt, dst, 0, &saddr_buf) == 0)
-                                       dst, 0, &saddr_buf) == 0)
                        NLA_PUT(skb, RTA_PREFSRC, 16, &saddr_buf);
        }
+        if (rt->rt6i_prefsrc.plen) {
+                struct in6_addr saddr_buf;
+                ipv6_addr_copy(&saddr_buf, &rt->rt6i_prefsrc.addr);
+                NLA_PUT(skb, RTA_PREFSRC, 16, &saddr_buf);
+        }
        if (rtnetlink_put_metrics(skb, dst_metrics_ptr(&rt->dst)) < 0)
                goto nla_put_failure;
@@ -2346,7 +2457,7 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void
        struct rt6_info *rt;
        struct sk_buff *skb;
        struct rtmsg *rtm;
-        struct flowi fl;
+        struct flowi6 fl6;
        int err, iif = 0;
        err = nlmsg_parse(nlh, sizeof(*rtm), tb, RTA_MAX, rtm_ipv6_policy);
@@ -2354,27 +2465,27 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void
                goto errout;
        err = -EINVAL;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
        if (tb[RTA_SRC]) {
                if (nla_len(tb[RTA_SRC]) < sizeof(struct in6_addr))
                        goto errout;
-                ipv6_addr_copy(&fl.fl6_src, nla_data(tb[RTA_SRC]));
+                ipv6_addr_copy(&fl6.saddr, nla_data(tb[RTA_SRC]));
        }
        if (tb[RTA_DST]) {
                if (nla_len(tb[RTA_DST]) < sizeof(struct in6_addr))
                        goto errout;
-                ipv6_addr_copy(&fl.fl6_dst, nla_data(tb[RTA_DST]));
+                ipv6_addr_copy(&fl6.daddr, nla_data(tb[RTA_DST]));
        }
        if (tb[RTA_IIF])
                iif = nla_get_u32(tb[RTA_IIF]);
        if (tb[RTA_OIF])
-                fl.oif = nla_get_u32(tb[RTA_OIF]);
+                fl6.flowi6_oif = nla_get_u32(tb[RTA_OIF]);
        if (iif) {
                struct net_device *dev;
@@ -2397,10 +2508,10 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr* nlh, void
        skb_reset_mac_header(skb);
        skb_reserve(skb, MAX_HEADER + sizeof(struct ipv6hdr));
-        rt = (struct rt6_info*) ip6_route_output(net, NULL, &fl);
+        rt = (struct rt6_info*) ip6_route_output(net, NULL, &fl6);
        skb_dst_set(skb, &rt->dst);
-        err = rt6_fill_node(net, skb, rt, &fl.fl6_dst, &fl.fl6_src, iif,
+        err = rt6_fill_node(net, skb, rt, &fl6.daddr, &fl6.saddr, iif,
                            RTM_NEWROUTE, NETLINK_CB(in_skb).pid,
                            nlh->nlmsg_seq, 0, 0, 0);
        if (err < 0) {
@@ -2557,14 +2668,16 @@ static
 int ipv6_sysctl_rtcache_flush(ctl_table *ctl, int write,
                              void __user *buffer, size_t *lenp, loff_t *ppos)
 {
-        struct net *net = current->nsproxy->net_ns;
+        struct net *net;
-        int delay = net->ipv6.sysctl.flush_delay;
+        int delay;
-        if (write) {
+        if (!write)
-                proc_dointvec(ctl, write, buffer, lenp, ppos);
-                fib6_run_gc(delay <= 0 ? ~0UL : (unsigned long)delay, net);
-                return 0;
-        } else
                return -EINVAL;
+        net = (struct net *)ctl->extra1;
+        delay = net->ipv6.sysctl.flush_delay;
+        proc_dointvec(ctl, write, buffer, lenp, ppos);
+        fib6_run_gc(delay <= 0 ? ~0UL : (unsigned long)delay, net);
+        return 0;
 }
 ctl_table ipv6_route_table_template[] = {
@@ -2651,6 +2764,7 @@ struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
        if (table) {
                table[0].data = &net->ipv6.sysctl.flush_delay;
+                table[0].extra1 = net;
                table[1].data = &net->ipv6.ip6_dst_ops.gc_thresh;
                table[2].data = &net->ipv6.sysctl.ip6_rt_max_size;
                table[3].data = &net->ipv6.sysctl.ip6_rt_gc_min_interval;
@@ -2684,7 +2798,8 @@ static int __net_init ip6_route_net_init(struct net *net)
        net->ipv6.ip6_null_entry->dst.path =
                (struct dst_entry *)net->ipv6.ip6_null_entry;
        net->ipv6.ip6_null_entry->dst.ops = &net->ipv6.ip6_dst_ops;
-        dst_metric_set(&net->ipv6.ip6_null_entry->dst, RTAX_HOPLIMIT, 255);
+        dst_init_metrics(&net->ipv6.ip6_null_entry->dst,
+                         ip6_template_metrics, true);
 #ifdef CONFIG_IPV6_MULTIPLE_TABLES
        net->ipv6.ip6_prohibit_entry = kmemdup(&ip6_prohibit_entry_template,
@@ -2695,7 +2810,8 @@ static int __net_init ip6_route_net_init(struct net *net)
        net->ipv6.ip6_prohibit_entry->dst.path =
                (struct dst_entry *)net->ipv6.ip6_prohibit_entry;
        net->ipv6.ip6_prohibit_entry->dst.ops = &net->ipv6.ip6_dst_ops;
-        dst_metric_set(&net->ipv6.ip6_prohibit_entry->dst, RTAX_HOPLIMIT, 255);
+        dst_init_metrics(&net->ipv6.ip6_prohibit_entry->dst,
+                         ip6_template_metrics, true);
        net->ipv6.ip6_blk_hole_entry = kmemdup(&ip6_blk_hole_entry_template,
                                               sizeof(*net->ipv6.ip6_blk_hole_entry),
@@ -2705,7 +2821,8 @@ static int __net_init ip6_route_net_init(struct net *net)
        net->ipv6.ip6_blk_hole_entry->dst.path =
                (struct dst_entry *)net->ipv6.ip6_blk_hole_entry;
        net->ipv6.ip6_blk_hole_entry->dst.ops = &net->ipv6.ip6_dst_ops;
-        dst_metric_set(&net->ipv6.ip6_blk_hole_entry->dst, RTAX_HOPLIMIT, 255);
+        dst_init_metrics(&net->ipv6.ip6_blk_hole_entry->dst,
+                         ip6_template_metrics, true);
 #endif
        net->ipv6.sysctl.flush_delay = 0;
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 8ce38f10a547..1cca5761aea9 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -250,11 +250,6 @@ static struct ip_tunnel *ipip6_tunnel_locate(struct net *net,
        dev_net_set(dev, net);
-        if (strchr(name, '%')) {
-                if (dev_alloc_name(dev, name) < 0)
-                        goto failed_free;
-        }
        nt = netdev_priv(dev);
        nt->parms = *parms;
@@ -401,18 +396,13 @@ out:
        return err;
 }
-static void prl_entry_destroy_rcu(struct rcu_head *head)
-{
-        kfree(container_of(head, struct ip_tunnel_prl_entry, rcu_head));
-}
 static void prl_list_destroy_rcu(struct rcu_head *head)
 {
        struct ip_tunnel_prl_entry *p, *n;
        p = container_of(head, struct ip_tunnel_prl_entry, rcu_head);
        do {
-                n = p->next;
+                n = rcu_dereference_protected(p->next, 1);
                kfree(p);
                p = n;
        } while (p);
@@ -421,26 +411,28 @@ static void prl_list_destroy_rcu(struct rcu_head *head)
 static int
 ipip6_tunnel_del_prl(struct ip_tunnel *t, struct ip_tunnel_prl *a)
 {
-        struct ip_tunnel_prl_entry *x, **p;
+        struct ip_tunnel_prl_entry *x;
+        struct ip_tunnel_prl_entry __rcu **p;
        int err = 0;
        ASSERT_RTNL();
        if (a && a->addr != htonl(INADDR_ANY)) {
-                for (p = &t->prl; *p; p = &(*p)->next) {
+                for (p = &t->prl;
-                        if ((*p)->addr == a->addr) {
+                     (x = rtnl_dereference(*p)) != NULL;
-                                x = *p;
+                     p = &x->next) {
+                        if (x->addr == a->addr) {
                                *p = x->next;
-                                call_rcu(&x->rcu_head, prl_entry_destroy_rcu);
+                                kfree_rcu(x, rcu_head);
                                t->prl_count--;
                                goto out;
                        }
                }
                err = -ENXIO;
        } else {
-                if (t->prl) {
+                x = rtnl_dereference(t->prl);
+                if (x) {
                        t->prl_count = 0;
-                        x = t->prl;
                        call_rcu(&x->rcu_head, prl_list_destroy_rcu);
                        t->prl = NULL;
                }
@@ -450,7 +442,7 @@ out:
 }
 static int
-isatap_chksrc(struct sk_buff *skb, struct iphdr *iph, struct ip_tunnel *t)
+isatap_chksrc(struct sk_buff *skb, const struct iphdr *iph, struct ip_tunnel *t)
 {
        struct ip_tunnel_prl_entry *p;
        int ok = 1;
@@ -463,7 +455,8 @@ isatap_chksrc(struct sk_buff *skb, struct iphdr *iph, struct ip_tunnel *t)
                else
                        skb->ndisc_nodetype = NDISC_NODETYPE_NODEFAULT;
        } else {
-                struct in6_addr *addr6 = &ipv6_hdr(skb)->saddr;
+                const struct in6_addr *addr6 = &ipv6_hdr(skb)->saddr;
                if (ipv6_addr_is_isatap(addr6) &&
                    (addr6->s6_addr32[3] == iph->saddr) &&
                    ipv6_chk_prefix(addr6, t->dev))
@@ -497,7 +490,7 @@ static int ipip6_err(struct sk_buff *skb, u32 info)
   8 bytes of packet payload. It means, that precise relaying of
   ICMP in the real Internet is absolutely infeasible.
 */
-        struct iphdr *iph = (struct iphdr*)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        const int type = icmp_hdr(skb)->type;
        const int code = icmp_hdr(skb)->code;
        struct ip_tunnel *t;
@@ -555,7 +548,7 @@ out:
        return err;
 }
-static inline void ipip6_ecn_decapsulate(struct iphdr *iph, struct sk_buff *skb)
+static inline void ipip6_ecn_decapsulate(const struct iphdr *iph, struct sk_buff *skb)
 {
        if (INET_ECN_is_ce(iph->tos))
                IP6_ECN_set_ce(ipv6_hdr(skb));
@@ -563,7 +556,7 @@ static inline void ipip6_ecn_decapsulate(struct iphdr *iph, struct sk_buff *skb)
 static int ipip6_rcv(struct sk_buff *skb)
 {
-        struct iphdr *iph;
+        const struct iphdr *iph;
        struct ip_tunnel *tunnel;
        if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
@@ -619,7 +612,7 @@ out:
 * comes from 6rd / 6to4 (RFC 3056) addr space.
 */
 static inline
-__be32 try_6rd(struct in6_addr *v6dst, struct ip_tunnel *tunnel)
+__be32 try_6rd(const struct in6_addr *v6dst, struct ip_tunnel *tunnel)
 {
        __be32 dst = 0;
@@ -662,8 +655,8 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
 {
        struct ip_tunnel *tunnel = netdev_priv(dev);
        struct pcpu_tstats *tstats;
-        struct iphdr  *tiph = &tunnel->parms.iph;
+        const struct iphdr  *tiph = &tunnel->parms.iph;
-        struct ipv6hdr *iph6 = ipv6_hdr(skb);
+        const struct ipv6hdr *iph6 = ipv6_hdr(skb);
        u8     tos = tunnel->parms.iph.tos;
        __be16 df = tiph->frag_off;
        struct rtable *rt;                      /* Route to the other host */
@@ -671,8 +664,9 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
        struct iphdr  *iph;                     /* Our new IP header */
        unsigned int max_headroom;              /* The extra header space needed */
        __be32 dst = tiph->daddr;
+        struct flowi4 fl4;
        int    mtu;
-        struct in6_addr *addr6;
+        const struct in6_addr *addr6;
        int addr_type;
        if (skb->protocol != htons(ETH_P_IPV6))
@@ -691,7 +685,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                        goto tx_error;
                }
-                addr6 = (struct in6_addr*)&neigh->primary_key;
+                addr6 = (const struct in6_addr*)&neigh->primary_key;
                addr_type = ipv6_addr_type(addr6);
                if ((addr_type & IPV6_ADDR_UNICAST) &&
@@ -716,7 +710,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                        goto tx_error;
                }
-                addr6 = (struct in6_addr*)&neigh->primary_key;
+                addr6 = (const struct in6_addr*)&neigh->primary_key;
                addr_type = ipv6_addr_type(addr6);
                if (addr_type == IPV6_ADDR_ANY) {
@@ -730,16 +724,14 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
                dst = addr6->s6_addr32[3];
        }
-        {
+        rt = ip_route_output_ports(dev_net(dev), &fl4, NULL,
-                struct flowi fl = { .fl4_dst = dst,
+                                   dst, tiph->saddr,
-                                    .fl4_src = tiph->saddr,
+                                   0, 0,
-                                    .fl4_tos = RT_TOS(tos),
+                                   IPPROTO_IPV6, RT_TOS(tos),
-                                    .oif = tunnel->parms.link,
+                                   tunnel->parms.link);
-                                    .proto = IPPROTO_IPV6 };
+        if (IS_ERR(rt)) {
-                if (ip_route_output_key(dev_net(dev), &rt, &fl)) {
+                dev->stats.tx_carrier_errors++;
-                        dev->stats.tx_carrier_errors++;
+                goto tx_error_icmp;
-                        goto tx_error_icmp;
-                }
        }
        if (rt->rt_type != RTN_UNICAST) {
                ip_rt_put(rt);
@@ -826,8 +818,8 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
        iph->frag_off           =       df;
        iph->protocol           =       IPPROTO_IPV6;
        iph->tos                =       INET_ECN_encapsulate(tos, ipv6_get_dsfield(iph6));
-        iph->daddr              =       rt->rt_dst;
+        iph->daddr              =       fl4.daddr;
-        iph->saddr              =       rt->rt_src;
+        iph->saddr              =       fl4.saddr;
        if ((iph->ttl = tiph->ttl) == 0)
                iph->ttl        =       iph6->hop_limit;
@@ -849,19 +841,21 @@ static void ipip6_tunnel_bind_dev(struct net_device *dev)
 {
        struct net_device *tdev = NULL;
        struct ip_tunnel *tunnel;
-        struct iphdr *iph;
+        const struct iphdr *iph;
+        struct flowi4 fl4;
        tunnel = netdev_priv(dev);
        iph = &tunnel->parms.iph;
        if (iph->daddr) {
-                struct flowi fl = { .fl4_dst = iph->daddr,
+                struct rtable *rt = ip_route_output_ports(dev_net(dev), &fl4, NULL,
-                                    .fl4_src = iph->saddr,
+                                                          iph->daddr, iph->saddr,
-                                    .fl4_tos = RT_TOS(iph->tos),
+                                                          0, 0,
-                                    .oif = tunnel->parms.link,
+                                                          IPPROTO_IPV6,
-                                    .proto = IPPROTO_IPV6 };
+                                                          RT_TOS(iph->tos),
-                struct rtable *rt;
+                                                          tunnel->parms.link);
-                if (!ip_route_output_key(dev_net(dev), &rt, &fl)) {
+                if (!IS_ERR(rt)) {
                        tdev = rt->dst.dev;
                        ip_rt_put(rt);
                }
@@ -1179,7 +1173,7 @@ static int __net_init ipip6_fb_tunnel_init(struct net_device *dev)
        if (!dev->tstats)
                return -ENOMEM;
        dev_hold(dev);
-        sitn->tunnels_wc[0]     = tunnel;
+        rcu_assign_pointer(sitn->tunnels_wc[0], tunnel);
        return 0;
 }
@@ -1196,11 +1190,12 @@ static void __net_exit sit_destroy_tunnels(struct sit_net *sitn, struct list_hea
        for (prio = 1; prio < 4; prio++) {
                int h;
                for (h = 0; h < HASH_SIZE; h++) {
-                        struct ip_tunnel *t = sitn->tunnels[prio][h];
+                        struct ip_tunnel *t;
+                        t = rtnl_dereference(sitn->tunnels[prio][h]);
                        while (t != NULL) {
                                unregister_netdevice_queue(t->dev, head);
-                                t = t->next;
+                                t = rtnl_dereference(t->next);
                        }
                }
        }
@@ -1290,4 +1285,4 @@ static int __init sit_init(void)
 module_init(sit_init);
 module_exit(sit_cleanup);
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("sit0");
+MODULE_ALIAS_NETDEV("sit0");
diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
index 09fd34f0dbf2..8b9644a8b697 100644
--- a/net/ipv6/syncookies.c
+++ b/net/ipv6/syncookies.c
@@ -66,7 +66,7 @@ static inline struct sock *get_cookie_sock(struct sock *sk, struct sk_buff *skb,
 static DEFINE_PER_CPU(__u32 [16 + 5 + SHA_WORKSPACE_WORDS],
                      ipv6_cookie_scratch);
-static u32 cookie_hash(struct in6_addr *saddr, struct in6_addr *daddr,
+static u32 cookie_hash(const struct in6_addr *saddr, const struct in6_addr *daddr,
                       __be16 sport, __be16 dport, u32 count, int c)
 {
        __u32 *tmp = __get_cpu_var(ipv6_cookie_scratch);
@@ -86,7 +86,8 @@ static u32 cookie_hash(struct in6_addr *saddr, struct in6_addr *daddr,
        return tmp[17];
 }
-static __u32 secure_tcp_syn_cookie(struct in6_addr *saddr, struct in6_addr *daddr,
+static __u32 secure_tcp_syn_cookie(const struct in6_addr *saddr,
+                                   const struct in6_addr *daddr,
                                   __be16 sport, __be16 dport, __u32 sseq,
                                   __u32 count, __u32 data)
 {
@@ -96,8 +97,8 @@ static __u32 secure_tcp_syn_cookie(struct in6_addr *saddr, struct in6_addr *dadd
                & COOKIEMASK));
 }
-static __u32 check_tcp_syn_cookie(__u32 cookie, struct in6_addr *saddr,
+static __u32 check_tcp_syn_cookie(__u32 cookie, const struct in6_addr *saddr,
-                                  struct in6_addr *daddr, __be16 sport,
+                                  const struct in6_addr *daddr, __be16 sport,
                                  __be16 dport, __u32 sseq, __u32 count,
                                  __u32 maxdiff)
 {
@@ -116,7 +117,7 @@ static __u32 check_tcp_syn_cookie(__u32 cookie, struct in6_addr *saddr,
 __u32 cookie_v6_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
 {
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        const struct tcphdr *th = tcp_hdr(skb);
        int mssind;
        const __u16 mss = *mssp;
@@ -138,7 +139,7 @@ __u32 cookie_v6_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
 static inline int cookie_check(struct sk_buff *skb, __u32 cookie)
 {
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        const struct tcphdr *th = tcp_hdr(skb);
        __u32 seq = ntohl(th->seq) - 1;
        __u32 mssind = check_tcp_syn_cookie(cookie, &iph->saddr, &iph->daddr,
@@ -232,23 +233,20 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
         */
        {
                struct in6_addr *final_p, final;
-                struct flowi fl;
+                struct flowi6 fl6;
-                memset(&fl, 0, sizeof(fl));
+                memset(&fl6, 0, sizeof(fl6));
-                fl.proto = IPPROTO_TCP;
+                fl6.flowi6_proto = IPPROTO_TCP;
-                ipv6_addr_copy(&fl.fl6_dst, &ireq6->rmt_addr);
+                ipv6_addr_copy(&fl6.daddr, &ireq6->rmt_addr);
-                final_p = fl6_update_dst(&fl, np->opt, &final);
+                final_p = fl6_update_dst(&fl6, np->opt, &final);
-                ipv6_addr_copy(&fl.fl6_src, &ireq6->loc_addr);
+                ipv6_addr_copy(&fl6.saddr, &ireq6->loc_addr);
-                fl.oif = sk->sk_bound_dev_if;
+                fl6.flowi6_oif = sk->sk_bound_dev_if;
-                fl.mark = sk->sk_mark;
+                fl6.flowi6_mark = sk->sk_mark;
-                fl.fl_ip_dport = inet_rsk(req)->rmt_port;
+                fl6.fl6_dport = inet_rsk(req)->rmt_port;
-                fl.fl_ip_sport = inet_sk(sk)->inet_sport;
+                fl6.fl6_sport = inet_sk(sk)->inet_sport;
-                security_req_classify_flow(req, &fl);
+                security_req_classify_flow(req, flowi6_to_flowi(&fl6));
-                if (ip6_dst_lookup(sk, &dst, &fl))
-                        goto out_free;
+                dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false);
+                if (IS_ERR(dst))
-                if (final_p)
-                        ipv6_addr_copy(&fl.fl6_dst, final_p);
-                if ((xfrm_lookup(sock_net(sk), &dst, &fl, sk, 0)) < 0)
                        goto out_free;
        }
diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
index 7cb65ef79f9c..6dcf5e7d661b 100644
--- a/net/ipv6/sysctl_net_ipv6.c
+++ b/net/ipv6/sysctl_net_ipv6.c
@@ -17,6 +17,16 @@
 static struct ctl_table empty[1];
+static ctl_table ipv6_static_skeleton[] = {
+        {
+                .procname       = "neigh",
+                .maxlen         = 0,
+                .mode           = 0555,
+                .child          = empty,
+        },
+        { }
+};
 static ctl_table ipv6_table_template[] = {
        {
                .procname       = "route",
@@ -37,12 +47,6 @@ static ctl_table ipv6_table_template[] = {
                .mode           = 0644,
                .proc_handler   = proc_dointvec
        },
-        {
-                .procname       = "neigh",
-                .maxlen         = 0,
-                .mode           = 0555,
-                .child          = empty,
-        },
        { }
 };
@@ -160,7 +164,7 @@ static struct ctl_table_header *ip6_base;
 int ipv6_static_sysctl_register(void)
 {
-        ip6_base = register_sysctl_paths(net_ipv6_ctl_path, empty);
+        ip6_base = register_sysctl_paths(net_ipv6_ctl_path, ipv6_static_skeleton);
        if (ip6_base == NULL)
                return -ENOMEM;
        return 0;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 20aa95e37359..868366470b4a 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -76,8 +76,8 @@ static void	tcp_v6_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
 static int      tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb);
 static void     __tcp_v6_send_check(struct sk_buff *skb,
-                                    struct in6_addr *saddr,
+                                    const struct in6_addr *saddr,
-                                    struct in6_addr *daddr);
+                                    const struct in6_addr *daddr);
 static const struct inet_connection_sock_af_ops ipv6_mapped;
 static const struct inet_connection_sock_af_ops ipv6_specific;
@@ -86,7 +86,7 @@ static const struct tcp_sock_af_ops tcp_sock_ipv6_specific;
 static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific;
 #else
 static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
-                                                   struct in6_addr *addr)
+                                                   const struct in6_addr *addr)
 {
        return NULL;
 }
@@ -106,8 +106,8 @@ static void tcp_v6_hash(struct sock *sk)
 }
 static __inline__ __sum16 tcp_v6_check(int len,
-                                   struct in6_addr *saddr,
+                                   const struct in6_addr *saddr,
-                                   struct in6_addr *daddr,
+                                   const struct in6_addr *daddr,
                                   __wsum base)
 {
        return csum_ipv6_magic(saddr, daddr, len, IPPROTO_TCP, base);
@@ -131,7 +131,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
        struct tcp_sock *tp = tcp_sk(sk);
        struct in6_addr *saddr = NULL, *final_p, final;
        struct rt6_info *rt;
-        struct flowi fl;
+        struct flowi6 fl6;
        struct dst_entry *dst;
        int addr_type;
        int err;
@@ -142,14 +142,14 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
        if (usin->sin6_family != AF_INET6)
                return -EAFNOSUPPORT;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
        if (np->sndflow) {
-                fl.fl6_flowlabel = usin->sin6_flowinfo&IPV6_FLOWINFO_MASK;
+                fl6.flowlabel = usin->sin6_flowinfo&IPV6_FLOWINFO_MASK;
-                IP6_ECN_flow_init(fl.fl6_flowlabel);
+                IP6_ECN_flow_init(fl6.flowlabel);
-                if (fl.fl6_flowlabel&IPV6_FLOWLABEL_MASK) {
+                if (fl6.flowlabel&IPV6_FLOWLABEL_MASK) {
                        struct ip6_flowlabel *flowlabel;
-                        flowlabel = fl6_sock_lookup(sk, fl.fl6_flowlabel);
+                        flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
                        if (flowlabel == NULL)
                                return -EINVAL;
                        ipv6_addr_copy(&usin->sin6_addr, &flowlabel->dst);
@@ -195,7 +195,7 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
        }
        ipv6_addr_copy(&np->daddr, &usin->sin6_addr);
-        np->flow_label = fl.fl6_flowlabel;
+        np->flow_label = fl6.flowlabel;
        /*
         *      TCP over IPv4
@@ -242,35 +242,27 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
        if (!ipv6_addr_any(&np->rcv_saddr))
                saddr = &np->rcv_saddr;
-        fl.proto = IPPROTO_TCP;
+        fl6.flowi6_proto = IPPROTO_TCP;
-        ipv6_addr_copy(&fl.fl6_dst, &np->daddr);
+        ipv6_addr_copy(&fl6.daddr, &np->daddr);
-        ipv6_addr_copy(&fl.fl6_src,
+        ipv6_addr_copy(&fl6.saddr,
                       (saddr ? saddr : &np->saddr));
-        fl.oif = sk->sk_bound_dev_if;
+        fl6.flowi6_oif = sk->sk_bound_dev_if;
-        fl.mark = sk->sk_mark;
+        fl6.flowi6_mark = sk->sk_mark;
-        fl.fl_ip_dport = usin->sin6_port;
+        fl6.fl6_dport = usin->sin6_port;
-        fl.fl_ip_sport = inet->inet_sport;
+        fl6.fl6_sport = inet->inet_sport;
-        final_p = fl6_update_dst(&fl, np->opt, &final);
+        final_p = fl6_update_dst(&fl6, np->opt, &final);
-        security_sk_classify_flow(sk, &fl);
+        security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
-        err = ip6_dst_lookup(sk, &dst, &fl);
+        dst = ip6_dst_lookup_flow(sk, &fl6, final_p, true);
-        if (err)
+        if (IS_ERR(dst)) {
+                err = PTR_ERR(dst);
                goto failure;
-        if (final_p)
-                ipv6_addr_copy(&fl.fl6_dst, final_p);
-        err = __xfrm_lookup(sock_net(sk), &dst, &fl, sk, XFRM_LOOKUP_WAIT);
-        if (err < 0) {
-                if (err == -EREMOTE)
-                        err = ip6_dst_blackhole(sk, &dst, &fl);
-                if (err < 0)
-                        goto failure;
        }
        if (saddr == NULL) {
-                saddr = &fl.fl6_src;
+                saddr = &fl6.saddr;
                ipv6_addr_copy(&np->rcv_saddr, saddr);
        }
@@ -339,7 +331,7 @@ failure:
 static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                u8 type, u8 code, int offset, __be32 info)
 {
-        struct ipv6hdr *hdr = (struct ipv6hdr*)skb->data;
+        const struct ipv6hdr *hdr = (const struct ipv6hdr*)skb->data;
        const struct tcphdr *th = (struct tcphdr *)(skb->data+offset);
        struct ipv6_pinfo *np;
        struct sock *sk;
@@ -385,7 +377,7 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        np = inet6_sk(sk);
        if (type == ICMPV6_PKT_TOOBIG) {
-                struct dst_entry *dst = NULL;
+                struct dst_entry *dst;
                if (sock_owned_by_user(sk))
                        goto out;
@@ -397,29 +389,25 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                if (dst == NULL) {
                        struct inet_sock *inet = inet_sk(sk);
-                        struct flowi fl;
+                        struct flowi6 fl6;
                        /* BUGGG_FUTURE: Again, it is not clear how
                           to handle rthdr case. Ignore this complexity
                           for now.
                         */
-                        memset(&fl, 0, sizeof(fl));
+                        memset(&fl6, 0, sizeof(fl6));
-                        fl.proto = IPPROTO_TCP;
+                        fl6.flowi6_proto = IPPROTO_TCP;
-                        ipv6_addr_copy(&fl.fl6_dst, &np->daddr);
+                        ipv6_addr_copy(&fl6.daddr, &np->daddr);
-                        ipv6_addr_copy(&fl.fl6_src, &np->saddr);
+                        ipv6_addr_copy(&fl6.saddr, &np->saddr);
-                        fl.oif = sk->sk_bound_dev_if;
+                        fl6.flowi6_oif = sk->sk_bound_dev_if;
-                        fl.mark = sk->sk_mark;
+                        fl6.flowi6_mark = sk->sk_mark;
-                        fl.fl_ip_dport = inet->inet_dport;
+                        fl6.fl6_dport = inet->inet_dport;
-                        fl.fl_ip_sport = inet->inet_sport;
+                        fl6.fl6_sport = inet->inet_sport;
-                        security_skb_classify_flow(skb, &fl);
+                        security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));
-                        if ((err = ip6_dst_lookup(sk, &dst, &fl))) {
+                        dst = ip6_dst_lookup_flow(sk, &fl6, NULL, false);
-                                sk->sk_err_soft = -err;
+                        if (IS_ERR(dst)) {
-                                goto out;
+                                sk->sk_err_soft = -PTR_ERR(dst);
-                        }
-                        if ((err = xfrm_lookup(net, &dst, &fl, sk, 0)) < 0) {
-                                sk->sk_err_soft = -err;
                                goto out;
                        }
@@ -494,38 +482,37 @@ static int tcp_v6_send_synack(struct sock *sk, struct request_sock *req,
        struct sk_buff * skb;
        struct ipv6_txoptions *opt = NULL;
        struct in6_addr * final_p, final;
-        struct flowi fl;
+        struct flowi6 fl6;
        struct dst_entry *dst;
-        int err = -1;
+        int err;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
-        fl.proto = IPPROTO_TCP;
+        fl6.flowi6_proto = IPPROTO_TCP;
-        ipv6_addr_copy(&fl.fl6_dst, &treq->rmt_addr);
+        ipv6_addr_copy(&fl6.daddr, &treq->rmt_addr);
-        ipv6_addr_copy(&fl.fl6_src, &treq->loc_addr);
+        ipv6_addr_copy(&fl6.saddr, &treq->loc_addr);
-        fl.fl6_flowlabel = 0;
+        fl6.flowlabel = 0;
-        fl.oif = treq->iif;
+        fl6.flowi6_oif = treq->iif;
-        fl.mark = sk->sk_mark;
+        fl6.flowi6_mark = sk->sk_mark;
-        fl.fl_ip_dport = inet_rsk(req)->rmt_port;
+        fl6.fl6_dport = inet_rsk(req)->rmt_port;
-        fl.fl_ip_sport = inet_rsk(req)->loc_port;
+        fl6.fl6_sport = inet_rsk(req)->loc_port;
-        security_req_classify_flow(req, &fl);
+        security_req_classify_flow(req, flowi6_to_flowi(&fl6));
        opt = np->opt;
-        final_p = fl6_update_dst(&fl, opt, &final);
+        final_p = fl6_update_dst(&fl6, opt, &final);
-        err = ip6_dst_lookup(sk, &dst, &fl);
+        dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false);
-        if (err)
+        if (IS_ERR(dst)) {
+                err = PTR_ERR(dst);
+                dst = NULL;
                goto done;
-        if (final_p)
+        }
-                ipv6_addr_copy(&fl.fl6_dst, final_p);
-        if ((err = xfrm_lookup(sock_net(sk), &dst, &fl, sk, 0)) < 0)
-                goto done;
        skb = tcp_make_synack(sk, dst, req, rvp);
+        err = -ENOMEM;
        if (skb) {
                __tcp_v6_send_check(skb, &treq->loc_addr, &treq->rmt_addr);
-                ipv6_addr_copy(&fl.fl6_dst, &treq->rmt_addr);
+                ipv6_addr_copy(&fl6.daddr, &treq->rmt_addr);
-                err = ip6_xmit(sk, skb, &fl, opt);
+                err = ip6_xmit(sk, skb, &fl6, opt);
                err = net_xmit_eval(err);
        }
@@ -564,7 +551,7 @@ static void tcp_v6_reqsk_destructor(struct request_sock *req)
 #ifdef CONFIG_TCP_MD5SIG
 static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
-                                                   struct in6_addr *addr)
+                                                   const struct in6_addr *addr)
 {
        struct tcp_sock *tp = tcp_sk(sk);
        int i;
@@ -593,7 +580,7 @@ static struct tcp_md5sig_key *tcp_v6_reqsk_md5_lookup(struct sock *sk,
        return tcp_v6_md5_do_lookup(sk, &inet6_rsk(req)->rmt_addr);
 }
-static int tcp_v6_md5_do_add(struct sock *sk, struct in6_addr *peer,
+static int tcp_v6_md5_do_add(struct sock *sk, const struct in6_addr *peer,
                             char *newkey, u8 newkeylen)
 {
        /* Add key to the list */
@@ -658,7 +645,7 @@ static int tcp_v6_md5_add_func(struct sock *sk, struct sock *addr_sk,
                                 newkey, newkeylen);
 }
-static int tcp_v6_md5_do_del(struct sock *sk, struct in6_addr *peer)
+static int tcp_v6_md5_do_del(struct sock *sk, const struct in6_addr *peer)
 {
        struct tcp_sock *tp = tcp_sk(sk);
        int i;
@@ -766,8 +753,8 @@ static int tcp_v6_parse_md5_keys (struct sock *sk, char __user *optval,
 }
 static int tcp_v6_md5_hash_pseudoheader(struct tcp_md5sig_pool *hp,
-                                        struct in6_addr *daddr,
+                                        const struct in6_addr *daddr,
-                                        struct in6_addr *saddr, int nbytes)
+                                        const struct in6_addr *saddr, int nbytes)
 {
        struct tcp6_pseudohdr *bp;
        struct scatterlist sg;
@@ -784,7 +771,7 @@ static int tcp_v6_md5_hash_pseudoheader(struct tcp_md5sig_pool *hp,
 }
 static int tcp_v6_md5_hash_hdr(char *md5_hash, struct tcp_md5sig_key *key,
-                               struct in6_addr *daddr, struct in6_addr *saddr,
+                               const struct in6_addr *daddr, struct in6_addr *saddr,
                               struct tcphdr *th)
 {
        struct tcp_md5sig_pool *hp;
@@ -820,7 +807,7 @@ static int tcp_v6_md5_hash_skb(char *md5_hash, struct tcp_md5sig_key *key,
                               struct sock *sk, struct request_sock *req,
                               struct sk_buff *skb)
 {
-        struct in6_addr *saddr, *daddr;
+        const struct in6_addr *saddr, *daddr;
        struct tcp_md5sig_pool *hp;
        struct hash_desc *desc;
        struct tcphdr *th = tcp_hdr(skb);
@@ -832,7 +819,7 @@ static int tcp_v6_md5_hash_skb(char *md5_hash, struct tcp_md5sig_key *key,
                saddr = &inet6_rsk(req)->loc_addr;
                daddr = &inet6_rsk(req)->rmt_addr;
        } else {
-                struct ipv6hdr *ip6h = ipv6_hdr(skb);
+                const struct ipv6hdr *ip6h = ipv6_hdr(skb);
                saddr = &ip6h->saddr;
                daddr = &ip6h->daddr;
        }
@@ -870,7 +857,7 @@ static int tcp_v6_inbound_md5_hash (struct sock *sk, struct sk_buff *skb)
 {
        __u8 *hash_location = NULL;
        struct tcp_md5sig_key *hash_expected;
-        struct ipv6hdr *ip6h = ipv6_hdr(skb);
+        const struct ipv6hdr *ip6h = ipv6_hdr(skb);
        struct tcphdr *th = tcp_hdr(skb);
        int genhash;
        u8 newhash[16];
@@ -928,7 +915,7 @@ static const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
 #endif
 static void __tcp_v6_send_check(struct sk_buff *skb,
-                                struct in6_addr *saddr, struct in6_addr *daddr)
+                                const struct in6_addr *saddr, const struct in6_addr *daddr)
 {
        struct tcphdr *th = tcp_hdr(skb);
@@ -952,7 +939,7 @@ static void tcp_v6_send_check(struct sock *sk, struct sk_buff *skb)
 static int tcp_v6_gso_send_check(struct sk_buff *skb)
 {
-        struct ipv6hdr *ipv6h;
+        const struct ipv6hdr *ipv6h;
        struct tcphdr *th;
        if (!pskb_may_pull(skb, sizeof(*th)))
@@ -970,7 +957,7 @@ static int tcp_v6_gso_send_check(struct sk_buff *skb)
 static struct sk_buff **tcp6_gro_receive(struct sk_buff **head,
                                         struct sk_buff *skb)
 {
-        struct ipv6hdr *iph = skb_gro_network_header(skb);
+        const struct ipv6hdr *iph = skb_gro_network_header(skb);
        switch (skb->ip_summed) {
        case CHECKSUM_COMPLETE:
@@ -991,7 +978,7 @@ static struct sk_buff **tcp6_gro_receive(struct sk_buff **head,
 static int tcp6_gro_complete(struct sk_buff *skb)
 {
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        struct tcphdr *th = tcp_hdr(skb);
        th->check = ~tcp_v6_check(skb->len - skb_transport_offset(skb),
@@ -1006,7 +993,7 @@ static void tcp_v6_send_response(struct sk_buff *skb, u32 seq, u32 ack, u32 win,
 {
        struct tcphdr *th = tcp_hdr(skb), *t1;
        struct sk_buff *buff;
-        struct flowi fl;
+        struct flowi6 fl6;
        struct net *net = dev_net(skb_dst(skb)->dev);
        struct sock *ctl_sk = net->ipv6.tcp_sk;
        unsigned int tot_len = sizeof(struct tcphdr);
@@ -1060,34 +1047,33 @@ static void tcp_v6_send_response(struct sk_buff *skb, u32 seq, u32 ack, u32 win,
        }
 #endif
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
-        ipv6_addr_copy(&fl.fl6_dst, &ipv6_hdr(skb)->saddr);
+        ipv6_addr_copy(&fl6.daddr, &ipv6_hdr(skb)->saddr);
-        ipv6_addr_copy(&fl.fl6_src, &ipv6_hdr(skb)->daddr);
+        ipv6_addr_copy(&fl6.saddr, &ipv6_hdr(skb)->daddr);
        buff->ip_summed = CHECKSUM_PARTIAL;
        buff->csum = 0;
-        __tcp_v6_send_check(buff, &fl.fl6_src, &fl.fl6_dst);
+        __tcp_v6_send_check(buff, &fl6.saddr, &fl6.daddr);
-        fl.proto = IPPROTO_TCP;
+        fl6.flowi6_proto = IPPROTO_TCP;
-        fl.oif = inet6_iif(skb);
+        fl6.flowi6_oif = inet6_iif(skb);
-        fl.fl_ip_dport = t1->dest;
+        fl6.fl6_dport = t1->dest;
-        fl.fl_ip_sport = t1->source;
+        fl6.fl6_sport = t1->source;
-        security_skb_classify_flow(skb, &fl);
+        security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));
        /* Pass a socket to ip6_dst_lookup either it is for RST
         * Underlying function will use this to retrieve the network
         * namespace
         */
-        if (!ip6_dst_lookup(ctl_sk, &dst, &fl)) {
+        dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL, false);
-                if (xfrm_lookup(net, &dst, &fl, NULL, 0) >= 0) {
+        if (!IS_ERR(dst)) {
-                        skb_dst_set(buff, dst);
+                skb_dst_set(buff, dst);
-                        ip6_xmit(ctl_sk, buff, &fl, NULL);
+                ip6_xmit(ctl_sk, buff, &fl6, NULL);
-                        TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS);
+                TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS);
-                        if (rst)
+                if (rst)
-                                TCP_INC_STATS_BH(net, TCP_MIB_OUTRSTS);
+                        TCP_INC_STATS_BH(net, TCP_MIB_OUTRSTS);
-                        return;
+                return;
-                }
        }
        kfree_skb(buff);
@@ -1323,7 +1309,7 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
                    tcp_death_row.sysctl_tw_recycle &&
                    (dst = inet6_csk_route_req(sk, req)) != NULL &&
                    (peer = rt6_get_peer((struct rt6_info *)dst)) != NULL &&
-                    ipv6_addr_equal((struct in6_addr *)peer->daddr.a6,
+                    ipv6_addr_equal((struct in6_addr *)peer->daddr.addr.a6,
                                    &treq->rmt_addr)) {
                        inet_peer_refcheck(peer);
                        if ((u32)get_seconds() - peer->tcp_ts_stamp < TCP_PAWS_MSL &&
@@ -1483,7 +1469,7 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
           First: no IPv4 options.
         */
-        newinet->opt = NULL;
+        newinet->inet_opt = NULL;
        newnp->ipv6_fl_list = NULL;
        /* Clone RX bits */
@@ -1636,10 +1622,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
                opt_skb = skb_clone(skb, GFP_ATOMIC);
        if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
-                TCP_CHECK_TIMER(sk);
+                sock_rps_save_rxhash(sk, skb->rxhash);
                if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len))
                        goto reset;
-                TCP_CHECK_TIMER(sk);
                if (opt_skb)
                        goto ipv6_pktoptions;
                return 0;
@@ -1665,12 +1650,11 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
                                __kfree_skb(opt_skb);
                        return 0;
                }
-        }
+        } else
+                sock_rps_save_rxhash(sk, skb->rxhash);
-        TCP_CHECK_TIMER(sk);
        if (tcp_rcv_state_process(sk, skb, tcp_hdr(skb), skb->len))
                goto reset;
-        TCP_CHECK_TIMER(sk);
        if (opt_skb)
                goto ipv6_pktoptions;
        return 0;
@@ -1718,7 +1702,7 @@ ipv6_pktoptions:
 static int tcp_v6_rcv(struct sk_buff *skb)
 {
        struct tcphdr *th;
-        struct ipv6hdr *hdr;
+        const struct ipv6hdr *hdr;
        struct sock *sk;
        int ret;
        struct net *net = dev_net(skb->dev);
@@ -2044,8 +2028,8 @@ static void get_openreq6(struct seq_file *seq,
                         struct sock *sk, struct request_sock *req, int i, int uid)
 {
        int ttd = req->expires - jiffies;
-        struct in6_addr *src = &inet6_rsk(req)->loc_addr;
+        const struct in6_addr *src = &inet6_rsk(req)->loc_addr;
-        struct in6_addr *dest = &inet6_rsk(req)->rmt_addr;
+        const struct in6_addr *dest = &inet6_rsk(req)->rmt_addr;
        if (ttd < 0)
                ttd = 0;
@@ -2073,7 +2057,7 @@ static void get_openreq6(struct seq_file *seq,
 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
 {
-        struct in6_addr *dest, *src;
+        const struct in6_addr *dest, *src;
        __u16 destp, srcp;
        int timer_active;
        unsigned long timer_expires;
@@ -2130,7 +2114,7 @@ static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
 static void get_timewait6_sock(struct seq_file *seq,
                               struct inet_timewait_sock *tw, int i)
 {
-        struct in6_addr *dest, *src;
+        const struct in6_addr *dest, *src;
        __u16 destp, srcp;
        struct inet6_timewait_sock *tw6 = inet6_twsk((struct sock *)tw);
        int ttd = tw->tw_ttd - jiffies;
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 9a009c66c8a3..fc0c42a88e54 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -311,7 +311,7 @@ static struct sock *__udp6_lib_lookup_skb(struct sk_buff *skb,
                                          struct udp_table *udptable)
 {
        struct sock *sk;
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        if (unlikely(sk = skb_steal_sock(skb)))
                return sk;
@@ -463,9 +463,9 @@ void __udp6_lib_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                    struct udp_table *udptable)
 {
        struct ipv6_pinfo *np;
-        struct ipv6hdr *hdr = (struct ipv6hdr*)skb->data;
+        const struct ipv6hdr *hdr = (const struct ipv6hdr *)skb->data;
-        struct in6_addr *saddr = &hdr->saddr;
+        const struct in6_addr *saddr = &hdr->saddr;
-        struct in6_addr *daddr = &hdr->daddr;
+        const struct in6_addr *daddr = &hdr->daddr;
        struct udphdr *uh = (struct udphdr*)(skb->data+offset);
        struct sock *sk;
        int err;
@@ -505,6 +505,9 @@ int udpv6_queue_rcv_skb(struct sock * sk, struct sk_buff *skb)
        int rc;
        int is_udplite = IS_UDPLITE(sk);
+        if (!ipv6_addr_any(&inet6_sk(sk)->daddr))
+                sock_rps_save_rxhash(sk, skb->rxhash);
        if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
                goto drop;
@@ -550,8 +553,8 @@ drop_no_sk_drops_inc:
 }
 static struct sock *udp_v6_mcast_next(struct net *net, struct sock *sk,
-                                      __be16 loc_port, struct in6_addr *loc_addr,
+                                      __be16 loc_port, const struct in6_addr *loc_addr,
-                                      __be16 rmt_port, struct in6_addr *rmt_addr,
+                                      __be16 rmt_port, const struct in6_addr *rmt_addr,
                                      int dif)
 {
        struct hlist_nulls_node *node;
@@ -630,7 +633,7 @@ drop:
 * so we don't need to lock the hashes.
 */
 static int __udp6_lib_mcast_deliver(struct net *net, struct sk_buff *skb,
-                struct in6_addr *saddr, struct in6_addr *daddr,
+                const struct in6_addr *saddr, const struct in6_addr *daddr,
                struct udp_table *udptable)
 {
        struct sock *sk, *stack[256 / sizeof(struct sock *)];
@@ -713,7 +716,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
        struct net *net = dev_net(skb->dev);
        struct sock *sk;
        struct udphdr *uh;
-        struct in6_addr *saddr, *daddr;
+        const struct in6_addr *saddr, *daddr;
        u32 ulen = 0;
        if (!pskb_may_pull(skb, sizeof(struct udphdr)))
@@ -886,7 +889,7 @@ static int udp_v6_push_pending_frames(struct sock *sk)
        struct udphdr *uh;
        struct udp_sock  *up = udp_sk(sk);
        struct inet_sock *inet = inet_sk(sk);
-        struct flowi *fl = &inet->cork.fl;
+        struct flowi6 *fl6 = &inet->cork.fl.u.ip6;
        int err = 0;
        int is_udplite = IS_UDPLITE(sk);
        __wsum csum = 0;
@@ -899,23 +902,23 @@ static int udp_v6_push_pending_frames(struct sock *sk)
         * Create a UDP header
         */
        uh = udp_hdr(skb);
-        uh->source = fl->fl_ip_sport;
+        uh->source = fl6->fl6_sport;
-        uh->dest = fl->fl_ip_dport;
+        uh->dest = fl6->fl6_dport;
        uh->len = htons(up->len);
        uh->check = 0;
        if (is_udplite)
                csum = udplite_csum_outgoing(sk, skb);
        else if (skb->ip_summed == CHECKSUM_PARTIAL) { /* UDP hardware csum */
-                udp6_hwcsum_outgoing(sk, skb, &fl->fl6_src, &fl->fl6_dst,
+                udp6_hwcsum_outgoing(sk, skb, &fl6->saddr, &fl6->daddr,
                                     up->len);
                goto send;
        } else
                csum = udp_csum_outgoing(sk, skb);
        /* add protocol-dependent pseudo-header */
-        uh->check = csum_ipv6_magic(&fl->fl6_src, &fl->fl6_dst,
+        uh->check = csum_ipv6_magic(&fl6->saddr, &fl6->daddr,
-                                    up->len, fl->proto, csum   );
+                                    up->len, fl6->flowi6_proto, csum);
        if (uh->check == 0)
                uh->check = CSUM_MANGLED_0;
@@ -947,7 +950,7 @@ int udpv6_sendmsg(struct kiocb *iocb, struct sock *sk,
        struct in6_addr *daddr, *final_p, final;
        struct ipv6_txoptions *opt = NULL;
        struct ip6_flowlabel *flowlabel = NULL;
-        struct flowi fl;
+        struct flowi6 fl6;
        struct dst_entry *dst;
        int addr_len = msg->msg_namelen;
        int ulen = len;
@@ -1030,19 +1033,19 @@ do_udp_sendmsg:
        }
        ulen += sizeof(struct udphdr);
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
        if (sin6) {
                if (sin6->sin6_port == 0)
                        return -EINVAL;
-                fl.fl_ip_dport = sin6->sin6_port;
+                fl6.fl6_dport = sin6->sin6_port;
                daddr = &sin6->sin6_addr;
                if (np->sndflow) {
-                        fl.fl6_flowlabel = sin6->sin6_flowinfo&IPV6_FLOWINFO_MASK;
+                        fl6.flowlabel = sin6->sin6_flowinfo&IPV6_FLOWINFO_MASK;
-                        if (fl.fl6_flowlabel&IPV6_FLOWLABEL_MASK) {
+                        if (fl6.flowlabel&IPV6_FLOWLABEL_MASK) {
-                                flowlabel = fl6_sock_lookup(sk, fl.fl6_flowlabel);
+                                flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
                                if (flowlabel == NULL)
                                        return -EINVAL;
                                daddr = &flowlabel->dst;
@@ -1060,38 +1063,38 @@ do_udp_sendmsg:
                if (addr_len >= sizeof(struct sockaddr_in6) &&
                    sin6->sin6_scope_id &&
                    ipv6_addr_type(daddr)&IPV6_ADDR_LINKLOCAL)
-                        fl.oif = sin6->sin6_scope_id;
+                        fl6.flowi6_oif = sin6->sin6_scope_id;
        } else {
                if (sk->sk_state != TCP_ESTABLISHED)
                        return -EDESTADDRREQ;
-                fl.fl_ip_dport = inet->inet_dport;
+                fl6.fl6_dport = inet->inet_dport;
                daddr = &np->daddr;
-                fl.fl6_flowlabel = np->flow_label;
+                fl6.flowlabel = np->flow_label;
                connected = 1;
        }
-        if (!fl.oif)
+        if (!fl6.flowi6_oif)
-                fl.oif = sk->sk_bound_dev_if;
+                fl6.flowi6_oif = sk->sk_bound_dev_if;
-        if (!fl.oif)
+        if (!fl6.flowi6_oif)
-                fl.oif = np->sticky_pktinfo.ipi6_ifindex;
+                fl6.flowi6_oif = np->sticky_pktinfo.ipi6_ifindex;
-        fl.mark = sk->sk_mark;
+        fl6.flowi6_mark = sk->sk_mark;
        if (msg->msg_controllen) {
                opt = &opt_space;
                memset(opt, 0, sizeof(struct ipv6_txoptions));
                opt->tot_len = sizeof(*opt);
-                err = datagram_send_ctl(sock_net(sk), msg, &fl, opt, &hlimit,
+                err = datagram_send_ctl(sock_net(sk), msg, &fl6, opt, &hlimit,
                                        &tclass, &dontfrag);
                if (err < 0) {
                        fl6_sock_release(flowlabel);
                        return err;
                }
-                if ((fl.fl6_flowlabel&IPV6_FLOWLABEL_MASK) && !flowlabel) {
+                if ((fl6.flowlabel&IPV6_FLOWLABEL_MASK) && !flowlabel) {
-                        flowlabel = fl6_sock_lookup(sk, fl.fl6_flowlabel);
+                        flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
                        if (flowlabel == NULL)
                                return -EINVAL;
                }
@@ -1105,42 +1108,35 @@ do_udp_sendmsg:
                opt = fl6_merge_options(&opt_space, flowlabel, opt);
        opt = ipv6_fixup_options(&opt_space, opt);
-        fl.proto = sk->sk_protocol;
+        fl6.flowi6_proto = sk->sk_protocol;
        if (!ipv6_addr_any(daddr))
-                ipv6_addr_copy(&fl.fl6_dst, daddr);
+                ipv6_addr_copy(&fl6.daddr, daddr);
        else
-                fl.fl6_dst.s6_addr[15] = 0x1; /* :: means loopback (BSD'ism) */
+                fl6.daddr.s6_addr[15] = 0x1; /* :: means loopback (BSD'ism) */
-        if (ipv6_addr_any(&fl.fl6_src) && !ipv6_addr_any(&np->saddr))
+        if (ipv6_addr_any(&fl6.saddr) && !ipv6_addr_any(&np->saddr))
-                ipv6_addr_copy(&fl.fl6_src, &np->saddr);
+                ipv6_addr_copy(&fl6.saddr, &np->saddr);
-        fl.fl_ip_sport = inet->inet_sport;
+        fl6.fl6_sport = inet->inet_sport;
-        final_p = fl6_update_dst(&fl, opt, &final);
+        final_p = fl6_update_dst(&fl6, opt, &final);
        if (final_p)
                connected = 0;
-        if (!fl.oif && ipv6_addr_is_multicast(&fl.fl6_dst)) {
+        if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr)) {
-                fl.oif = np->mcast_oif;
+                fl6.flowi6_oif = np->mcast_oif;
                connected = 0;
        }
-        security_sk_classify_flow(sk, &fl);
+        security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
-        err = ip6_sk_dst_lookup(sk, &dst, &fl);
+        dst = ip6_sk_dst_lookup_flow(sk, &fl6, final_p, true);
-        if (err)
+        if (IS_ERR(dst)) {
+                err = PTR_ERR(dst);
+                dst = NULL;
                goto out;
-        if (final_p)
-                ipv6_addr_copy(&fl.fl6_dst, final_p);
-        err = __xfrm_lookup(sock_net(sk), &dst, &fl, sk, XFRM_LOOKUP_WAIT);
-        if (err < 0) {
-                if (err == -EREMOTE)
-                        err = ip6_dst_blackhole(sk, &dst, &fl);
-                if (err < 0)
-                        goto out;
        }
        if (hlimit < 0) {
-                if (ipv6_addr_is_multicast(&fl.fl6_dst))
+                if (ipv6_addr_is_multicast(&fl6.daddr))
                        hlimit = np->mcast_hops;
                else
                        hlimit = np->hop_limit;
@@ -1175,7 +1171,7 @@ do_append_data:
        up->len += ulen;
        getfrag  =  is_udplite ?  udplite_getfrag : ip_generic_getfrag;
        err = ip6_append_data(sk, getfrag, msg->msg_iov, ulen,
-                sizeof(struct udphdr), hlimit, tclass, opt, &fl,
+                sizeof(struct udphdr), hlimit, tclass, opt, &fl6,
                (struct rt6_info*)dst,
                corkreq ? msg->msg_flags|MSG_MORE : msg->msg_flags, dontfrag);
        if (err)
@@ -1188,10 +1184,10 @@ do_append_data:
        if (dst) {
                if (connected) {
                        ip6_dst_store(sk, dst,
-                                      ipv6_addr_equal(&fl.fl6_dst, &np->daddr) ?
+                                      ipv6_addr_equal(&fl6.daddr, &np->daddr) ?
                                      &np->daddr : NULL,
 #ifdef CONFIG_IPV6_SUBTREES
-                                      ipv6_addr_equal(&fl.fl6_src, &np->saddr) ?
+                                      ipv6_addr_equal(&fl6.saddr, &np->saddr) ?
                                      &np->saddr :
 #endif
                                      NULL);
@@ -1282,7 +1278,7 @@ int compat_udpv6_getsockopt(struct sock *sk, int level, int optname,
 static int udp6_ufo_send_check(struct sk_buff *skb)
 {
-        struct ipv6hdr *ipv6h;
+        const struct ipv6hdr *ipv6h;
        struct udphdr *uh;
        if (!pskb_may_pull(skb, sizeof(*uh)))
@@ -1299,7 +1295,7 @@ static int udp6_ufo_send_check(struct sk_buff *skb)
        return 0;
 }
-static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, int features)
+static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, u32 features)
 {
        struct sk_buff *segs = ERR_PTR(-EINVAL);
        unsigned int mss;
@@ -1332,14 +1328,14 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, int features)
        /* Do software UFO. Complete and fill in the UDP checksum as HW cannot
         * do checksum of UDP packets sent as multiple IP fragments.
         */
-        offset = skb->csum_start - skb_headroom(skb);
+        offset = skb_checksum_start_offset(skb);
        csum = skb_checksum(skb, offset, skb->len- offset, 0);
        offset += skb->csum_offset;
        *(__sum16 *)(skb->data + offset) = csum_fold(csum);
        skb->ip_summed = CHECKSUM_NONE;
        /* Check if there is enough headroom to insert fragment header. */
-        if ((skb_headroom(skb) < frag_hdr_sz) &&
+        if ((skb_mac_header(skb) < skb->head + frag_hdr_sz) &&
            pskb_expand_head(skb, frag_hdr_sz, 0, GFP_ATOMIC))
                goto out;
@@ -1386,7 +1382,7 @@ static void udp6_sock_seq_show(struct seq_file *seq, struct sock *sp, int bucket
 {
        struct inet_sock *inet = inet_sk(sp);
        struct ipv6_pinfo *np = inet6_sk(sp);
-        struct in6_addr *dest, *src;
+        const struct in6_addr *dest, *src;
        __u16 destp, srcp;
        dest  = &np->daddr;
diff --git a/net/ipv6/xfrm6_mode_beet.c b/net/ipv6/xfrm6_mode_beet.c
index bbd48b101bae..3437d7d4eed6 100644
--- a/net/ipv6/xfrm6_mode_beet.c
+++ b/net/ipv6/xfrm6_mode_beet.c
@@ -41,10 +41,8 @@ static int xfrm6_beet_output(struct xfrm_state *x, struct sk_buff *skb)
 {
        struct ipv6hdr *top_iph;
        struct ip_beet_phdr *ph;
-        struct iphdr *iphv4;
        int optlen, hdr_len;
-        iphv4 = ip_hdr(skb);
        hdr_len = 0;
        optlen = XFRM_MODE_SKB_CB(skb)->optlen;
        if (unlikely(optlen))
diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c
index 645cb968d450..4d6edff0498f 100644
--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -20,7 +20,7 @@
 static inline void ipip6_ecn_decapsulate(struct sk_buff *skb)
 {
-        struct ipv6hdr *outer_iph = ipv6_hdr(skb);
+        const struct ipv6hdr *outer_iph = ipv6_hdr(skb);
        struct ipv6hdr *inner_iph = ipipv6_hdr(skb);
        if (INET_ECN_is_ce(ipv6_get_dsfield(outer_iph)))
@@ -55,8 +55,8 @@ static int xfrm6_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
                dsfield &= ~INET_ECN_MASK;
        ipv6_change_dsfield(top_iph, 0, dsfield);
        top_iph->hop_limit = ip6_dst_hoplimit(dst->child);
-        ipv6_addr_copy(&top_iph->saddr, (struct in6_addr *)&x->props.saddr);
+        ipv6_addr_copy(&top_iph->saddr, (const struct in6_addr *)&x->props.saddr);
-        ipv6_addr_copy(&top_iph->daddr, (struct in6_addr *)&x->id.daddr);
+        ipv6_addr_copy(&top_iph->daddr, (const struct in6_addr *)&x->id.daddr);
        return 0;
 }
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 8e688b3de9ab..49a91c5f5623 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -79,7 +79,7 @@ int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
 }
 EXPORT_SYMBOL(xfrm6_prepare_output);
-static int xfrm6_output_finish(struct sk_buff *skb)
+int xfrm6_output_finish(struct sk_buff *skb)
 {
 #ifdef CONFIG_NETFILTER
        IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
@@ -97,9 +97,9 @@ static int __xfrm6_output(struct sk_buff *skb)
        if ((x && x->props.mode == XFRM_MODE_TUNNEL) &&
            ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
                dst_allfrag(skb_dst(skb)))) {
-                        return ip6_fragment(skb, xfrm6_output_finish);
+                        return ip6_fragment(skb, x->outer_mode->afinfo->output_finish);
        }
-        return xfrm6_output_finish(skb);
+        return x->outer_mode->afinfo->output_finish(skb);
 }
 int xfrm6_output(struct sk_buff *skb)
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index da87428681cc..d879f7efbd10 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -27,18 +27,19 @@
 static struct xfrm_policy_afinfo xfrm6_policy_afinfo;
 static struct dst_entry *xfrm6_dst_lookup(struct net *net, int tos,
-                                          xfrm_address_t *saddr,
+                                          const xfrm_address_t *saddr,
-                                          xfrm_address_t *daddr)
+                                          const xfrm_address_t *daddr)
 {
-        struct flowi fl = {};
+        struct flowi6 fl6;
        struct dst_entry *dst;
        int err;
-        memcpy(&fl.fl6_dst, daddr, sizeof(fl.fl6_dst));
+        memset(&fl6, 0, sizeof(fl6));
+        memcpy(&fl6.daddr, daddr, sizeof(fl6.daddr));
        if (saddr)
-                memcpy(&fl.fl6_src, saddr, sizeof(fl.fl6_src));
+                memcpy(&fl6.saddr, saddr, sizeof(fl6.saddr));
-        dst = ip6_route_output(net, NULL, &fl);
+        dst = ip6_route_output(net, NULL, &fl6);
        err = dst->error;
        if (dst->error) {
@@ -67,7 +68,7 @@ static int xfrm6_get_saddr(struct net *net,
        return 0;
 }
-static int xfrm6_get_tos(struct flowi *fl)
+static int xfrm6_get_tos(const struct flowi *fl)
 {
        return 0;
 }
@@ -87,7 +88,7 @@ static int xfrm6_init_path(struct xfrm_dst *path, struct dst_entry *dst,
 }
 static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
-                          struct flowi *fl)
+                          const struct flowi *fl)
 {
        struct rt6_info *rt = (struct rt6_info*)xdst->route;
@@ -120,18 +121,19 @@ static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
 static inline void
 _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
 {
+        struct flowi6 *fl6 = &fl->u.ip6;
        int onlyproto = 0;
        u16 offset = skb_network_header_len(skb);
-        struct ipv6hdr *hdr = ipv6_hdr(skb);
+        const struct ipv6hdr *hdr = ipv6_hdr(skb);
        struct ipv6_opt_hdr *exthdr;
        const unsigned char *nh = skb_network_header(skb);
        u8 nexthdr = nh[IP6CB(skb)->nhoff];
-        memset(fl, 0, sizeof(struct flowi));
+        memset(fl6, 0, sizeof(struct flowi6));
-        fl->mark = skb->mark;
+        fl6->flowi6_mark = skb->mark;
-        ipv6_addr_copy(&fl->fl6_dst, reverse ? &hdr->saddr : &hdr->daddr);
+        ipv6_addr_copy(&fl6->daddr, reverse ? &hdr->saddr : &hdr->daddr);
-        ipv6_addr_copy(&fl->fl6_src, reverse ? &hdr->daddr : &hdr->saddr);
+        ipv6_addr_copy(&fl6->saddr, reverse ? &hdr->daddr : &hdr->saddr);
        while (nh + offset + 1 < skb->data ||
               pskb_may_pull(skb, nh + offset + 1 - skb->data)) {
@@ -158,20 +160,20 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
                             pskb_may_pull(skb, nh + offset + 4 - skb->data))) {
                                __be16 *ports = (__be16 *)exthdr;
-                                fl->fl_ip_sport = ports[!!reverse];
+                                fl6->fl6_sport = ports[!!reverse];
-                                fl->fl_ip_dport = ports[!reverse];
+                                fl6->fl6_dport = ports[!reverse];
                        }
-                        fl->proto = nexthdr;
+                        fl6->flowi6_proto = nexthdr;
                        return;
                case IPPROTO_ICMPV6:
                        if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) {
                                u8 *icmp = (u8 *)exthdr;
-                                fl->fl_icmp_type = icmp[0];
+                                fl6->fl6_icmp_type = icmp[0];
-                                fl->fl_icmp_code = icmp[1];
+                                fl6->fl6_icmp_code = icmp[1];
                        }
-                        fl->proto = nexthdr;
+                        fl6->flowi6_proto = nexthdr;
                        return;
 #if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
@@ -180,9 +182,9 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
                                struct ip6_mh *mh;
                                mh = (struct ip6_mh *)exthdr;
-                                fl->fl_mh_type = mh->ip6mh_type;
+                                fl6->fl6_mh_type = mh->ip6mh_type;
                        }
-                        fl->proto = nexthdr;
+                        fl6->flowi6_proto = nexthdr;
                        return;
 #endif
@@ -191,8 +193,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
                case IPPROTO_ESP:
                case IPPROTO_COMP:
                default:
-                        fl->fl_ipsec_spi = 0;
+                        fl6->fl6_ipsec_spi = 0;
-                        fl->proto = nexthdr;
+                        fl6->flowi6_proto = nexthdr;
                        return;
                }
        }
@@ -220,6 +222,7 @@ static void xfrm6_dst_destroy(struct dst_entry *dst)
        if (likely(xdst->u.rt6.rt6i_idev))
                in6_dev_put(xdst->u.rt6.rt6i_idev);
+        dst_destroy_metrics_generic(dst);
        if (likely(xdst->u.rt6.rt6i_peer))
                inet_putpeer(xdst->u.rt6.rt6i_peer);
        xfrm_dst_destroy(xdst);
@@ -257,6 +260,7 @@ static struct dst_ops xfrm6_dst_ops = {
        .protocol =             cpu_to_be16(ETH_P_IPV6),
        .gc =                   xfrm6_garbage_collect,
        .update_pmtu =          xfrm6_update_pmtu,
+        .cow_metrics =          dst_cow_metrics_generic,
        .destroy =              xfrm6_dst_destroy,
        .ifdown =               xfrm6_dst_ifdown,
        .local_out =            __ip6_local_out,
@@ -272,6 +276,7 @@ static struct xfrm_policy_afinfo xfrm6_policy_afinfo = {
        .get_tos =              xfrm6_get_tos,
        .init_path =            xfrm6_init_path,
        .fill_dst =             xfrm6_fill_dst,
+        .blackhole_route =      ip6_blackhole_route,
 };
 static int __init xfrm6_policy_init(void)
diff --git a/net/ipv6/xfrm6_state.c b/net/ipv6/xfrm6_state.c
index a67575d472a3..248f0b2a7ee9 100644
--- a/net/ipv6/xfrm6_state.c
+++ b/net/ipv6/xfrm6_state.c
@@ -20,26 +20,28 @@
 #include <net/addrconf.h>
 static void
-__xfrm6_init_tempsel(struct xfrm_selector *sel, struct flowi *fl)
+__xfrm6_init_tempsel(struct xfrm_selector *sel, const struct flowi *fl)
 {
+        const struct flowi6 *fl6 = &fl->u.ip6;
        /* Initialize temporary selector matching only
         * to current session. */
-        ipv6_addr_copy((struct in6_addr *)&sel->daddr, &fl->fl6_dst);
+        ipv6_addr_copy((struct in6_addr *)&sel->daddr, &fl6->daddr);
-        ipv6_addr_copy((struct in6_addr *)&sel->saddr, &fl->fl6_src);
+        ipv6_addr_copy((struct in6_addr *)&sel->saddr, &fl6->saddr);
-        sel->dport = xfrm_flowi_dport(fl);
+        sel->dport = xfrm_flowi_dport(fl, &fl6->uli);
        sel->dport_mask = htons(0xffff);
-        sel->sport = xfrm_flowi_sport(fl);
+        sel->sport = xfrm_flowi_sport(fl, &fl6->uli);
        sel->sport_mask = htons(0xffff);
        sel->family = AF_INET6;
        sel->prefixlen_d = 128;
        sel->prefixlen_s = 128;
-        sel->proto = fl->proto;
+        sel->proto = fl6->flowi6_proto;
-        sel->ifindex = fl->oif;
+        sel->ifindex = fl6->flowi6_oif;
 }
 static void
-xfrm6_init_temprop(struct xfrm_state *x, struct xfrm_tmpl *tmpl,
+xfrm6_init_temprop(struct xfrm_state *x, const struct xfrm_tmpl *tmpl,
-                   xfrm_address_t *daddr, xfrm_address_t *saddr)
+                   const xfrm_address_t *daddr, const xfrm_address_t *saddr)
 {
        x->id = tmpl->id;
        if (ipv6_addr_any((struct in6_addr*)&x->id.daddr))
@@ -176,6 +178,7 @@ static struct xfrm_state_afinfo xfrm6_state_afinfo = {
        .tmpl_sort              = __xfrm6_tmpl_sort,
        .state_sort             = __xfrm6_state_sort,
        .output                 = xfrm6_output,
+        .output_finish          = xfrm6_output_finish,
        .extract_input          = xfrm6_extract_input,
        .extract_output         = xfrm6_extract_output,
        .transport_finish       = xfrm6_transport_finish,
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 2969cad408de..a6770a04e3bd 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -68,7 +68,7 @@ static DEFINE_SPINLOCK(xfrm6_tunnel_spi_lock);
 static struct kmem_cache *xfrm6_tunnel_spi_kmem __read_mostly;
-static inline unsigned xfrm6_tunnel_spi_hash_byaddr(xfrm_address_t *addr)
+static inline unsigned xfrm6_tunnel_spi_hash_byaddr(const xfrm_address_t *addr)
 {
        unsigned h;
@@ -85,7 +85,7 @@ static inline unsigned xfrm6_tunnel_spi_hash_byspi(u32 spi)
        return spi % XFRM6_TUNNEL_SPI_BYSPI_HSIZE;
 }
-static struct xfrm6_tunnel_spi *__xfrm6_tunnel_spi_lookup(struct net *net, xfrm_address_t *saddr)
+static struct xfrm6_tunnel_spi *__xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr)
 {
        struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
        struct xfrm6_tunnel_spi *x6spi;
@@ -101,7 +101,7 @@ static struct xfrm6_tunnel_spi *__xfrm6_tunnel_spi_lookup(struct net *net, xfrm_
        return NULL;
 }
-__be32 xfrm6_tunnel_spi_lookup(struct net *net, xfrm_address_t *saddr)
+__be32 xfrm6_tunnel_spi_lookup(struct net *net, const xfrm_address_t *saddr)
 {
        struct xfrm6_tunnel_spi *x6spi;
        u32 spi;
@@ -237,10 +237,10 @@ static int xfrm6_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
 static int xfrm6_tunnel_rcv(struct sk_buff *skb)
 {
        struct net *net = dev_net(skb->dev);
-        struct ipv6hdr *iph = ipv6_hdr(skb);
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
        __be32 spi;
-        spi = xfrm6_tunnel_spi_lookup(net, (xfrm_address_t *)&iph->saddr);
+        spi = xfrm6_tunnel_spi_lookup(net, (const xfrm_address_t *)&iph->saddr);
        return xfrm6_rcv_spi(skb, IPPROTO_IPV6, spi) > 0 ? : 0;
 }
diff --git a/net/ipx/Kconfig b/net/ipx/Kconfig
index 02549cb2c328..e9ad0062fbb6 100644
--- a/net/ipx/Kconfig
+++ b/net/ipx/Kconfig
@@ -3,7 +3,6 @@
 #
 config IPX
        tristate "The IPX protocol"
-        depends on BKL # should be fixable
        select LLC
        ---help---
          This is support for the Novell networking protocol, IPX, commonly
diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
index da3d21c41d90..9680226640ef 100644
--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
@@ -42,7 +42,6 @@
 #include <linux/uio.h>
 #include <linux/slab.h>
 #include <linux/skbuff.h>
-#include <linux/smp_lock.h>
 #include <linux/socket.h>
 #include <linux/sockios.h>
 #include <linux/string.h>
@@ -149,7 +148,6 @@ static void ipx_destroy_socket(struct sock *sk)
        ipx_remove_socket(sk);
        skb_queue_purge(&sk->sk_receive_queue);
        sk_refcnt_debug_dec(sk);
-        sock_put(sk);
 }
 /*
@@ -1299,7 +1297,7 @@ static int ipx_setsockopt(struct socket *sock, int level, int optname,
        int opt;
        int rc = -EINVAL;
-        lock_kernel();
+        lock_sock(sk);
        if (optlen != sizeof(int))
                goto out;
@@ -1314,7 +1312,7 @@ static int ipx_setsockopt(struct socket *sock, int level, int optname,
        ipx_sk(sk)->type = opt;
        rc = 0;
 out:
-        unlock_kernel();
+        release_sock(sk);
        return rc;
 }
@@ -1326,7 +1324,7 @@ static int ipx_getsockopt(struct socket *sock, int level, int optname,
        int len;
        int rc = -ENOPROTOOPT;
-        lock_kernel();
+        lock_sock(sk);
        if (!(level == SOL_IPX && optname == IPX_TYPE))
                goto out;
@@ -1347,7 +1345,7 @@ static int ipx_getsockopt(struct socket *sock, int level, int optname,
        rc = 0;
 out:
-        unlock_kernel();
+        release_sock(sk);
        return rc;
 }
@@ -1396,7 +1394,7 @@ static int ipx_release(struct socket *sock)
        if (!sk)
                goto out;
-        lock_kernel();
+        lock_sock(sk);
        if (!sock_flag(sk, SOCK_DEAD))
                sk->sk_state_change(sk);
@@ -1404,7 +1402,8 @@ static int ipx_release(struct socket *sock)
        sock->sk = NULL;
        sk_refcnt_debug_release(sk);
        ipx_destroy_socket(sk);
-        unlock_kernel();
+        release_sock(sk);
+        sock_put(sk);
 out:
        return 0;
 }
@@ -1530,11 +1529,12 @@ out:
 static int ipx_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 {
+        struct sock *sk = sock->sk;
        int rc;
-        lock_kernel();
+        lock_sock(sk);
        rc = __ipx_bind(sock, uaddr, addr_len);
-        unlock_kernel();
+        release_sock(sk);
        return rc;
 }
@@ -1551,7 +1551,7 @@ static int ipx_connect(struct socket *sock, struct sockaddr *uaddr,
        sk->sk_state    = TCP_CLOSE;
        sock->state     = SS_UNCONNECTED;
-        lock_kernel();
+        lock_sock(sk);
        if (addr_len != sizeof(*addr))
                goto out;
        addr = (struct sockaddr_ipx *)uaddr;
@@ -1598,7 +1598,7 @@ static int ipx_connect(struct socket *sock, struct sockaddr *uaddr,
                ipxrtr_put(rt);
        rc = 0;
 out:
-        unlock_kernel();
+        release_sock(sk);
        return rc;
 }
@@ -1614,7 +1614,7 @@ static int ipx_getname(struct socket *sock, struct sockaddr *uaddr,
        *uaddr_len = sizeof(struct sockaddr_ipx);
-        lock_kernel();
+        lock_sock(sk);
        if (peer) {
                rc = -ENOTCONN;
                if (sk->sk_state != TCP_ESTABLISHED)
@@ -1649,19 +1649,7 @@ static int ipx_getname(struct socket *sock, struct sockaddr *uaddr,
        rc = 0;
 out:
-        unlock_kernel();
+        release_sock(sk);
-        return rc;
-}
-static unsigned int ipx_datagram_poll(struct file *file, struct socket *sock,
-                           poll_table *wait)
-{
-        int rc;
-        lock_kernel();
-        rc = datagram_poll(file, sock, wait);
-        unlock_kernel();
        return rc;
 }
@@ -1736,7 +1724,7 @@ static int ipx_sendmsg(struct kiocb *iocb, struct socket *sock,
        int rc = -EINVAL;
        int flags = msg->msg_flags;
-        lock_kernel();
+        lock_sock(sk);
        /* Socket gets bound below anyway */
 /*      if (sk->sk_zapped)
                return -EIO; */ /* Socket not bound */
@@ -1788,7 +1776,7 @@ static int ipx_sendmsg(struct kiocb *iocb, struct socket *sock,
        if (rc >= 0)
                rc = len;
 out:
-        unlock_kernel();
+        release_sock(sk);
        return rc;
 }
@@ -1803,7 +1791,7 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock,
        struct sk_buff *skb;
        int copied, rc;
-        lock_kernel();
+        lock_sock(sk);
        /* put the autobinding in */
        if (!ipxs->port) {
                struct sockaddr_ipx uaddr;
@@ -1862,7 +1850,7 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock,
 out_free:
        skb_free_datagram(sk, skb);
 out:
-        unlock_kernel();
+        release_sock(sk);
        return rc;
 }
@@ -1874,7 +1862,7 @@ static int ipx_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
        struct sock *sk = sock->sk;
        void __user *argp = (void __user *)arg;
-        lock_kernel();
+        lock_sock(sk);
        switch (cmd) {
        case TIOCOUTQ:
                amount = sk->sk_sndbuf - sk_wmem_alloc_get(sk);
@@ -1937,7 +1925,7 @@ static int ipx_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
                rc = -ENOIOCTLCMD;
                break;
        }
-        unlock_kernel();
+        release_sock(sk);
        return rc;
 }
@@ -1984,7 +1972,7 @@ static const struct proto_ops ipx_dgram_ops = {
        .socketpair     = sock_no_socketpair,
        .accept         = sock_no_accept,
        .getname        = ipx_getname,
-        .poll           = ipx_datagram_poll,
+        .poll           = datagram_poll,
        .ioctl          = ipx_ioctl,
 #ifdef CONFIG_COMPAT
        .compat_ioctl   = ipx_compat_ioctl,
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index c9890e25cd4c..cc616974a447 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1297,8 +1297,7 @@ static int irda_sendmsg(struct kiocb *iocb, struct socket *sock,
        /* Note : socket.c set MSG_EOR on SEQPACKET sockets */
        if (msg->msg_flags & ~(MSG_DONTWAIT | MSG_EOR | MSG_CMSG_COMPAT |
                               MSG_NOSIGNAL)) {
-                err = -EINVAL;
+                return -EINVAL;
-                goto out;
        }
        lock_sock(sk);
diff --git a/net/irda/ircomm/ircomm_core.c b/net/irda/ircomm/ircomm_core.c
index e97082017f4f..52079f19bbbe 100644
--- a/net/irda/ircomm/ircomm_core.c
+++ b/net/irda/ircomm/ircomm_core.c
@@ -244,14 +244,8 @@ EXPORT_SYMBOL(ircomm_connect_request);
 void ircomm_connect_indication(struct ircomm_cb *self, struct sk_buff *skb,
                               struct ircomm_info *info)
 {
-        int clen = 0;
        IRDA_DEBUG(2, "%s()\n", __func__ );
-        /* Check if the packet contains data on the control channel */
-        if (skb->len > 0)
-                clen = skb->data[0];
        /*
         * If there are any data hiding in the control channel, we must
         * deliver it first. The side effect is that the control channel
diff --git a/net/irda/ircomm/ircomm_lmp.c b/net/irda/ircomm/ircomm_lmp.c
index 08fb54dc8c41..3b8095c771d4 100644
--- a/net/irda/ircomm/ircomm_lmp.c
+++ b/net/irda/ircomm/ircomm_lmp.c
@@ -75,7 +75,6 @@ static int ircomm_lmp_connect_response(struct ircomm_cb *self,
                                       struct sk_buff *userdata)
 {
        struct sk_buff *tx_skb;
-        int ret;
        IRDA_DEBUG(0, "%s()\n", __func__ );
@@ -100,9 +99,7 @@ static int ircomm_lmp_connect_response(struct ircomm_cb *self,
                tx_skb = userdata;
        }
-        ret = irlmp_connect_response(self->lsap, tx_skb);
+        return irlmp_connect_response(self->lsap, tx_skb);
-        return 0;
 }
 static int ircomm_lmp_disconnect_request(struct ircomm_cb *self,
diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c
index a39cca8331df..b3cc8b3989a9 100644
--- a/net/irda/ircomm/ircomm_tty.c
+++ b/net/irda/ircomm/ircomm_tty.c
@@ -38,6 +38,7 @@
 #include <linux/seq_file.h>
 #include <linux/termios.h>
 #include <linux/tty.h>
+#include <linux/tty_flip.h>
 #include <linux/interrupt.h>
 #include <linux/device.h>               /* for MODULE_ALIAS_CHARDEV_MAJOR */
@@ -1132,7 +1133,6 @@ static int ircomm_tty_data_indication(void *instance, void *sap,
                                      struct sk_buff *skb)
 {
        struct ircomm_tty_cb *self = (struct ircomm_tty_cb *) instance;
-        struct tty_ldisc *ld;
        IRDA_DEBUG(2, "%s()\n", __func__ );
@@ -1161,15 +1161,11 @@ static int ircomm_tty_data_indication(void *instance, void *sap,
        }
        /*
-         * Just give it over to the line discipline. There is no need to
+         * Use flip buffer functions since the code may be called from interrupt
-         * involve the flip buffers, since we are not running in an interrupt
+         * context
-         * handler
         */
+        tty_insert_flip_string(self->tty, skb->data, skb->len);
-        ld = tty_ldisc_ref(self->tty);
+        tty_flip_buffer_push(self->tty);
-        if (ld)
-                ld->ops->receive_buf(self->tty, skb->data, NULL, skb->len);
-        tty_ldisc_deref(ld);
        /* No need to kfree_skb - see ircomm_ttp_data_indication() */
diff --git a/net/irda/ircomm/ircomm_tty_ioctl.c b/net/irda/ircomm/ircomm_tty_ioctl.c
index 24cb3aa2bbfb..77c5e6499f8f 100644
--- a/net/irda/ircomm/ircomm_tty_ioctl.c
+++ b/net/irda/ircomm/ircomm_tty_ioctl.c
@@ -189,12 +189,12 @@ void ircomm_tty_set_termios(struct tty_struct *tty,
 }
 /*
- * Function ircomm_tty_tiocmget (tty, file)
+ * Function ircomm_tty_tiocmget (tty)
 *
 *
 *
 */
-int ircomm_tty_tiocmget(struct tty_struct *tty, struct file *file)
+int ircomm_tty_tiocmget(struct tty_struct *tty)
 {
        struct ircomm_tty_cb *self = (struct ircomm_tty_cb *) tty->driver_data;
        unsigned int result;
@@ -214,12 +214,12 @@ int ircomm_tty_tiocmget(struct tty_struct *tty, struct file *file)
 }
 /*
- * Function ircomm_tty_tiocmset (tty, file, set, clear)
+ * Function ircomm_tty_tiocmset (tty, set, clear)
 *
 *
 *
 */
-int ircomm_tty_tiocmset(struct tty_struct *tty, struct file *file,
+int ircomm_tty_tiocmset(struct tty_struct *tty,
                        unsigned int set, unsigned int clear)
 {
        struct ircomm_tty_cb *self = (struct ircomm_tty_cb *) tty->driver_data;
@@ -365,12 +365,12 @@ static int ircomm_tty_set_serial_info(struct ircomm_tty_cb *self,
 }
 /*
- * Function ircomm_tty_ioctl (tty, file, cmd, arg)
+ * Function ircomm_tty_ioctl (tty, cmd, arg)
 *
 *
 *
 */
-int ircomm_tty_ioctl(struct tty_struct *tty, struct file *file,
+int ircomm_tty_ioctl(struct tty_struct *tty,
                     unsigned int cmd, unsigned long arg)
 {
        struct ircomm_tty_cb *self = (struct ircomm_tty_cb *) tty->driver_data;
diff --git a/net/irda/iriap.c b/net/irda/iriap.c
index 5b743bdd89ba..36477538cea8 100644
--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -656,10 +656,16 @@ static void iriap_getvaluebyclass_indication(struct iriap_cb *self,
        n = 1;
        name_len = fp[n++];
+        IRDA_ASSERT(name_len < IAS_MAX_CLASSNAME + 1, return;);
        memcpy(name, fp+n, name_len); n+=name_len;
        name[name_len] = '\0';
        attr_len = fp[n++];
+        IRDA_ASSERT(attr_len < IAS_MAX_ATTRIBNAME + 1, return;);
        memcpy(attr, fp+n, attr_len); n+=attr_len;
        attr[attr_len] = '\0';
diff --git a/net/irda/irlan/irlan_filter.c b/net/irda/irlan/irlan_filter.c
index 9ff7823abec7..7977be7caf0f 100644
--- a/net/irda/irlan/irlan_filter.c
+++ b/net/irda/irlan/irlan_filter.c
@@ -143,12 +143,8 @@ void irlan_filter_request(struct irlan_cb *self, struct sk_buff *skb)
 */
 void irlan_check_command_param(struct irlan_cb *self, char *param, char *value)
 {
-        __u8 *bytes;
        IRDA_DEBUG(4, "%s()\n", __func__ );
-        bytes = value;
        IRDA_ASSERT(self != NULL, return;);
        IRDA_ASSERT(self->magic == IRLAN_MAGIC, return;);
diff --git a/net/irda/irlan/irlan_provider.c b/net/irda/irlan/irlan_provider.c
index 5cf5e6c872bb..b8af74ab8b68 100644
--- a/net/irda/irlan/irlan_provider.c
+++ b/net/irda/irlan/irlan_provider.c
@@ -128,7 +128,6 @@ static void irlan_provider_connect_indication(void *instance, void *sap,
 {
        struct irlan_cb *self;
        struct tsap_cb *tsap;
-        __u32 saddr, daddr;
        IRDA_DEBUG(0, "%s()\n", __func__ );
@@ -141,8 +140,6 @@ static void irlan_provider_connect_indication(void *instance, void *sap,
        IRDA_ASSERT(tsap == self->provider.tsap_ctrl,return;);
        IRDA_ASSERT(self->provider.state == IRLAN_IDLE, return;);
-        daddr = irttp_get_daddr(tsap);
-        saddr = irttp_get_saddr(tsap);
        self->provider.max_sdu_size = max_sdu_size;
        self->provider.max_header_size = max_header_size;
diff --git a/net/irda/irlap.c b/net/irda/irlap.c
index 783c5f367d29..005b424494a0 100644
--- a/net/irda/irlap.c
+++ b/net/irda/irlap.c
@@ -165,7 +165,7 @@ struct irlap_cb *irlap_open(struct net_device *dev, struct qos_info *qos,
        irlap_apply_default_connection_parameters(self);
-        self->N3 = 3; /* # connections attemts to try before giving up */
+        self->N3 = 3; /* # connections attempts to try before giving up */
        self->state = LAP_NDM;
diff --git a/net/irda/irlap_event.c b/net/irda/irlap_event.c
index d434c8880745..ccd214f9d196 100644
--- a/net/irda/irlap_event.c
+++ b/net/irda/irlap_event.c
@@ -708,7 +708,7 @@ static int irlap_state_reply(struct irlap_cb *self, IRLAP_EVENT event,
                                self->frame_sent = TRUE;
                        }
-                        /* Readjust our timer to accomodate devices
+                        /* Readjust our timer to accommodate devices
                         * doing faster or slower discovery than us...
                         * Jean II */
                        irlap_start_query_timer(self, info->S, info->s);
@@ -931,7 +931,7 @@ static int irlap_state_setup(struct irlap_cb *self, IRLAP_EVENT event,
                irlap_send_rr_frame(self, CMD_FRAME);
                /* The timer is set to half the normal timer to quickly
-                 * detect a failure to negociate the new connection
+                 * detect a failure to negotiate the new connection
                 * parameters. IrLAP 6.11.3.2, note 3.
                 * Note that currently we don't process this failure
                 * properly, as we should do a quick disconnect.
@@ -1052,7 +1052,7 @@ static int irlap_state_xmit_p(struct irlap_cb *self, IRLAP_EVENT event,
                                return -EPROTO;
                        }
-                        /* Substract space used by this skb */
+                        /* Subtract space used by this skb */
                        self->bytes_left -= skb->len;
 #else   /* CONFIG_IRDA_DYNAMIC_WINDOW */
                        /* Window has been adjusted for the max packet
@@ -1808,7 +1808,7 @@ static int irlap_state_xmit_s(struct irlap_cb *self, IRLAP_EVENT event,
                                return -EPROTO; /* Try again later */
                        }
-                        /* Substract space used by this skb */
+                        /* Subtract space used by this skb */
                        self->bytes_left -= skb->len;
 #else   /* CONFIG_IRDA_DYNAMIC_WINDOW */
                        /* Window has been adjusted for the max packet
@@ -2227,8 +2227,6 @@ static int irlap_state_nrm_s(struct irlap_cb *self, IRLAP_EVENT event,
 static int irlap_state_sclose(struct irlap_cb *self, IRLAP_EVENT event,
                              struct sk_buff *skb, struct irlap_info *info)
 {
-        int ret = 0;
        IRDA_DEBUG(1, "%s()\n", __func__);
        IRDA_ASSERT(self != NULL, return -ENODEV;);
@@ -2289,7 +2287,6 @@ static int irlap_state_sclose(struct irlap_cb *self, IRLAP_EVENT event,
                IRDA_DEBUG(1, "%s(), Unknown event %d, (%s)\n", __func__,
                           event, irlap_event[event]);
-                ret = -EINVAL;
                break;
        }
diff --git a/net/irda/irlap_frame.c b/net/irda/irlap_frame.c
index 688222cbf55b..8c004161a843 100644
--- a/net/irda/irlap_frame.c
+++ b/net/irda/irlap_frame.c
@@ -848,7 +848,7 @@ void irlap_send_data_primary_poll(struct irlap_cb *self, struct sk_buff *skb)
         * though IrLAP is currently sending the *last* frame of the
         * tx-window, the driver most likely has only just started
         * sending the *first* frame of the same tx-window.
-         * I.e. we are always at the very begining of or Tx window.
+         * I.e. we are always at the very beginning of or Tx window.
         * Now, we are supposed to set the final timer from the end
         * of our tx-window to let the other peer reply. So, we need
         * to add extra time to compensate for the fact that we
diff --git a/net/irda/irlmp_event.c b/net/irda/irlmp_event.c
index c1fb5db81042..9505a7d06f1a 100644
--- a/net/irda/irlmp_event.c
+++ b/net/irda/irlmp_event.c
@@ -498,7 +498,7 @@ static int irlmp_state_disconnected(struct lsap_cb *self, IRLMP_EVENT event,
        switch (event) {
 #ifdef CONFIG_IRDA_ULTRA
        case LM_UDATA_INDICATION:
-                /* This is most bizzare. Those packets are  aka unreliable
+                /* This is most bizarre. Those packets are  aka unreliable
                 * connected, aka IrLPT or SOCK_DGRAM/IRDAPROTO_UNITDATA.
                 * Why do we pass them as Ultra ??? Jean II */
                irlmp_connless_data_indication(self, skb);
diff --git a/net/irda/irnet/irnet.h b/net/irda/irnet/irnet.h
index 0d82ff5aeff1..979ecb2435a7 100644
--- a/net/irda/irnet/irnet.h
+++ b/net/irda/irnet/irnet.h
@@ -73,7 +73,7 @@
 * Infinite thanks to those brave souls for providing the infrastructure
 * upon which IrNET is built.
 *
- * Thanks to all my collegues in HP for helping me. In particular,
+ * Thanks to all my colleagues in HP for helping me. In particular,
 * thanks to Salil Pradhan and Bill Serra for W2k testing...
 * Thanks to Luiz Magalhaes for irnetd and much testing...
 *
diff --git a/net/irda/irnet/irnet_ppp.c b/net/irda/irnet/irnet_ppp.c
index 7c567b8aa89a..2bb2beb6a373 100644
--- a/net/irda/irnet/irnet_ppp.c
+++ b/net/irda/irnet/irnet_ppp.c
@@ -105,6 +105,9 @@ irnet_ctrl_write(irnet_socket *	ap,
              while(isspace(start[length - 1]))
                length--;
+              DABORT(length < 5 || length > NICKNAME_MAX_LEN + 5,
+                     -EINVAL, CTRL_ERROR, "Invalid nickname.\n");
              /* Copy the name for later reuse */
              memcpy(ap->rname, start + 5, length - 5);
              ap->rname[length - 5] = '\0';
diff --git a/net/irda/irproc.c b/net/irda/irproc.c
index 318766e5dbdf..b9ac598e2116 100644
--- a/net/irda/irproc.c
+++ b/net/irda/irproc.c
@@ -65,15 +65,14 @@ static const struct irda_entry irda_dirs[] = {
 void __init irda_proc_register(void)
 {
        int i;
-        struct proc_dir_entry *d;
        proc_irda = proc_mkdir("irda", init_net.proc_net);
        if (proc_irda == NULL)
                return;
        for (i = 0; i < ARRAY_SIZE(irda_dirs); i++)
-                d = proc_create(irda_dirs[i].name, 0, proc_irda,
+                (void) proc_create(irda_dirs[i].name, 0, proc_irda,
-                                irda_dirs[i].fops);
+                                   irda_dirs[i].fops);
 }
 /*
diff --git a/net/irda/irqueue.c b/net/irda/irqueue.c
index 849aaf0dabb5..9715e6e5900b 100644
--- a/net/irda/irqueue.c
+++ b/net/irda/irqueue.c
@@ -40,7 +40,7 @@
 *      o the hash function for ints is pathetic (but could be changed)
 *      o locking is sometime suspicious (especially during enumeration)
 *      o most users have only a few elements (== overhead)
- *      o most users never use seach, so don't benefit from hashing
+ *      o most users never use search, so don't benefit from hashing
 * Problem already fixed :
 *      o not 64 bit compliant (most users do hashv = (int) self)
 *      o hashbin_remove() is broken => use hashbin_remove_this()
diff --git a/net/irda/irttp.c b/net/irda/irttp.c
index f6054f9ccbe3..9d9af4606970 100644
--- a/net/irda/irttp.c
+++ b/net/irda/irttp.c
@@ -1193,7 +1193,7 @@ EXPORT_SYMBOL(irttp_connect_request);
 /*
 * Function irttp_connect_confirm (handle, qos, skb)
 *
- *    Sevice user confirms TSAP connection with peer.
+ *    Service user confirms TSAP connection with peer.
 *
 */
 static void irttp_connect_confirm(void *instance, void *sap,
diff --git a/net/irda/qos.c b/net/irda/qos.c
index 2b00974e5bae..1b51bcf42394 100644
--- a/net/irda/qos.c
+++ b/net/irda/qos.c
@@ -39,16 +39,16 @@
 #include <net/irda/irlap_frame.h>
 /*
- * Maximum values of the baud rate we negociate with the other end.
+ * Maximum values of the baud rate we negotiate with the other end.
 * Most often, you don't have to change that, because Linux-IrDA will
 * use the maximum offered by the link layer, which usually works fine.
 * In some very rare cases, you may want to limit it to lower speeds...
 */
 int sysctl_max_baud_rate = 16000000;
 /*
- * Maximum value of the lap disconnect timer we negociate with the other end.
+ * Maximum value of the lap disconnect timer we negotiate with the other end.
 * Most often, the value below represent the best compromise, but some user
- * may want to keep the LAP alive longuer or shorter in case of link failure.
+ * may want to keep the LAP alive longer or shorter in case of link failure.
 * Remember that the threshold time (early warning) is fixed to 3s...
 */
 int sysctl_max_noreply_time = 12;
@@ -411,7 +411,7 @@ static void irlap_adjust_qos_settings(struct qos_info *qos)
         * Fix tx data size according to user limits - Jean II
         */
        if (qos->data_size.value > sysctl_max_tx_data_size)
-                /* Allow non discrete adjustement to avoid loosing capacity */
+                /* Allow non discrete adjustement to avoid losing capacity */
                qos->data_size.value = sysctl_max_tx_data_size;
        /*
         * Override Tx window if user request it. - Jean II
diff --git a/net/irda/timer.c b/net/irda/timer.c
index 0335ba0cc593..f418cb2ad49c 100644
--- a/net/irda/timer.c
+++ b/net/irda/timer.c
@@ -59,7 +59,7 @@ void irlap_start_query_timer(struct irlap_cb *self, int S, int s)
         * slot time, plus add some extra time to properly receive the last
         * discovery packet (which is longer due to extra discovery info),
         * to avoid messing with for incomming connections requests and
-         * to accomodate devices that perform discovery slower than us.
+         * to accommodate devices that perform discovery slower than us.
         * Jean II */
        timeout = ((sysctl_slot_timeout * HZ / 1000) * (S - s)
                   + XIDEXTRA_TIMEOUT + SMALLBUSY_TIMEOUT);
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 9637e45744fa..e2013e434d03 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -190,7 +190,6 @@ static int afiucv_pm_freeze(struct device *dev)
 */
 static int afiucv_pm_restore_thaw(struct device *dev)
 {
-        struct iucv_sock *iucv;
        struct sock *sk;
        struct hlist_node *node;
@@ -199,7 +198,6 @@ static int afiucv_pm_restore_thaw(struct device *dev)
 #endif
        read_lock(&iucv_sk_list.lock);
        sk_for_each(sk, node, &iucv_sk_list.head) {
-                iucv = iucv_sk(sk);
                switch (sk->sk_state) {
                case IUCV_CONNECTED:
                        sk->sk_err = EPIPE;
@@ -250,7 +248,7 @@ static struct device *af_iucv_dev;
 *      PRMDATA[0..6]   socket data (max 7 bytes);
 *      PRMDATA[7]      socket data length value (len is 0xff - PRMDATA[7])
 *
- * The socket data length is computed by substracting the socket data length
+ * The socket data length is computed by subtracting the socket data length
 * value from 0xFF.
 * If the socket data len is greater 7, then PRMDATA can be used for special
 * notifications (see iucv_sock_shutdown); and further,
@@ -381,7 +379,6 @@ static void iucv_sock_close(struct sock *sk)
 {
        unsigned char user_data[16];
        struct iucv_sock *iucv = iucv_sk(sk);
-        int err;
        unsigned long timeo;
        iucv_sock_clear_timer(sk);
@@ -394,8 +391,6 @@ static void iucv_sock_close(struct sock *sk)
        case IUCV_CONNECTED:
        case IUCV_DISCONN:
-                err = 0;
                sk->sk_state = IUCV_CLOSING;
                sk->sk_state_change(sk);
@@ -404,7 +399,7 @@ static void iucv_sock_close(struct sock *sk)
                                timeo = sk->sk_lingertime;
                        else
                                timeo = IUCV_DISCONN_TIMEOUT;
-                        err = iucv_sock_wait(sk,
+                        iucv_sock_wait(sk,
                                        iucv_sock_in_state(sk, IUCV_CLOSED, 0),
                                        timeo);
                }
@@ -417,7 +412,7 @@ static void iucv_sock_close(struct sock *sk)
                        low_nmcpy(user_data, iucv->src_name);
                        high_nmcpy(user_data, iucv->dst_name);
                        ASCEBC(user_data, sizeof(user_data));
-                        err = iucv_path_sever(iucv->path, user_data);
+                        iucv_path_sever(iucv->path, user_data);
                        iucv_path_free(iucv->path);
                        iucv->path = NULL;
                }
diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
index 1ee5dab3cfae..a15c01524959 100644
--- a/net/iucv/iucv.c
+++ b/net/iucv/iucv.c
@@ -128,8 +128,8 @@ struct iucv_irq_list {
 };
 static struct iucv_irq_data *iucv_irq_data[NR_CPUS];
-static cpumask_t iucv_buffer_cpumask = CPU_MASK_NONE;
+static cpumask_t iucv_buffer_cpumask = { CPU_BITS_NONE };
-static cpumask_t iucv_irq_cpumask = CPU_MASK_NONE;
+static cpumask_t iucv_irq_cpumask = { CPU_BITS_NONE };
 /*
 * Queue of interrupt buffers lock for delivery via the tasklet
@@ -406,7 +406,7 @@ static void iucv_allow_cpu(void *data)
        parm->set_mask.ipmask = 0xf8;
        iucv_call_b2f0(IUCV_SETCONTROLMASK, parm);
        /* Set indication that iucv interrupts are allowed for this cpu. */
-        cpu_set(cpu, iucv_irq_cpumask);
+        cpumask_set_cpu(cpu, &iucv_irq_cpumask);
 }
 /**
@@ -426,7 +426,7 @@ static void iucv_block_cpu(void *data)
        iucv_call_b2f0(IUCV_SETMASK, parm);
        /* Clear indication that iucv interrupts are allowed for this cpu. */
-        cpu_clear(cpu, iucv_irq_cpumask);
+        cpumask_clear_cpu(cpu, &iucv_irq_cpumask);
 }
 /**
@@ -451,7 +451,7 @@ static void iucv_block_cpu_almost(void *data)
        iucv_call_b2f0(IUCV_SETCONTROLMASK, parm);
        /* Clear indication that iucv interrupts are allowed for this cpu. */
-        cpu_clear(cpu, iucv_irq_cpumask);
+        cpumask_clear_cpu(cpu, &iucv_irq_cpumask);
 }
 /**
@@ -466,7 +466,7 @@ static void iucv_declare_cpu(void *data)
        union iucv_param *parm;
        int rc;
-        if (cpu_isset(cpu, iucv_buffer_cpumask))
+        if (cpumask_test_cpu(cpu, &iucv_buffer_cpumask))
                return;
        /* Declare interrupt buffer. */
@@ -499,9 +499,9 @@ static void iucv_declare_cpu(void *data)
        }
        /* Set indication that an iucv buffer exists for this cpu. */
-        cpu_set(cpu, iucv_buffer_cpumask);
+        cpumask_set_cpu(cpu, &iucv_buffer_cpumask);
-        if (iucv_nonsmp_handler == 0 || cpus_empty(iucv_irq_cpumask))
+        if (iucv_nonsmp_handler == 0 || cpumask_empty(&iucv_irq_cpumask))
                /* Enable iucv interrupts on this cpu. */
                iucv_allow_cpu(NULL);
        else
@@ -520,7 +520,7 @@ static void iucv_retrieve_cpu(void *data)
        int cpu = smp_processor_id();
        union iucv_param *parm;
-        if (!cpu_isset(cpu, iucv_buffer_cpumask))
+        if (!cpumask_test_cpu(cpu, &iucv_buffer_cpumask))
                return;
        /* Block iucv interrupts. */
@@ -531,7 +531,7 @@ static void iucv_retrieve_cpu(void *data)
        iucv_call_b2f0(IUCV_RETRIEVE_BUFFER, parm);
        /* Clear indication that an iucv buffer exists for this cpu. */
-        cpu_clear(cpu, iucv_buffer_cpumask);
+        cpumask_clear_cpu(cpu, &iucv_buffer_cpumask);
 }
 /**
@@ -546,8 +546,8 @@ static void iucv_setmask_mp(void)
        get_online_cpus();
        for_each_online_cpu(cpu)
                /* Enable all cpus with a declared buffer. */
-                if (cpu_isset(cpu, iucv_buffer_cpumask) &&
+                if (cpumask_test_cpu(cpu, &iucv_buffer_cpumask) &&
-                    !cpu_isset(cpu, iucv_irq_cpumask))
+                    !cpumask_test_cpu(cpu, &iucv_irq_cpumask))
                        smp_call_function_single(cpu, iucv_allow_cpu,
                                                 NULL, 1);
        put_online_cpus();
@@ -564,9 +564,9 @@ static void iucv_setmask_up(void)
        int cpu;
        /* Disable all cpu but the first in cpu_irq_cpumask. */
-        cpumask = iucv_irq_cpumask;
+        cpumask_copy(&cpumask, &iucv_irq_cpumask);
-        cpu_clear(first_cpu(iucv_irq_cpumask), cpumask);
+        cpumask_clear_cpu(cpumask_first(&iucv_irq_cpumask), &cpumask);
-        for_each_cpu_mask_nr(cpu, cpumask)
+        for_each_cpu(cpu, &cpumask)
                smp_call_function_single(cpu, iucv_block_cpu, NULL, 1);
 }
@@ -593,7 +593,7 @@ static int iucv_enable(void)
        rc = -EIO;
        for_each_online_cpu(cpu)
                smp_call_function_single(cpu, iucv_declare_cpu, NULL, 1);
-        if (cpus_empty(iucv_buffer_cpumask))
+        if (cpumask_empty(&iucv_buffer_cpumask))
                /* No cpu could declare an iucv buffer. */
                goto out;
        put_online_cpus();
@@ -675,15 +675,16 @@ static int __cpuinit iucv_cpu_notify(struct notifier_block *self,
        case CPU_DOWN_PREPARE_FROZEN:
                if (!iucv_path_table)
                        break;
-                cpumask = iucv_buffer_cpumask;
+                cpumask_copy(&cpumask, &iucv_buffer_cpumask);
-                cpu_clear(cpu, cpumask);
+                cpumask_clear_cpu(cpu, &cpumask);
-                if (cpus_empty(cpumask))
+                if (cpumask_empty(&cpumask))
                        /* Can't offline last IUCV enabled cpu. */
                        return notifier_from_errno(-EINVAL);
                smp_call_function_single(cpu, iucv_retrieve_cpu, NULL, 1);
-                if (cpus_empty(iucv_irq_cpumask))
+                if (cpumask_empty(&iucv_irq_cpumask))
-                        smp_call_function_single(first_cpu(iucv_buffer_cpumask),
+                        smp_call_function_single(
-                                                 iucv_allow_cpu, NULL, 1);
+                                cpumask_first(&iucv_buffer_cpumask),
+                                iucv_allow_cpu, NULL, 1);
                break;
        }
        return NOTIFY_OK;
@@ -735,7 +736,7 @@ static void iucv_cleanup_queue(void)
        struct iucv_irq_list *p, *n;
        /*
-         * When a path is severed, the pathid can be reused immediatly
+         * When a path is severed, the pathid can be reused immediately
         * on a iucv connect or a connection pending interrupt. Remove
         * all entries from the task queue that refer to a stale pathid
         * (iucv_path_table[ix] == NULL). Only then do the iucv connect
@@ -807,7 +808,7 @@ void iucv_unregister(struct iucv_handler *handler, int smp)
        spin_lock_bh(&iucv_table_lock);
        /* Remove handler from the iucv_handler_list. */
        list_del_init(&handler->list);
-        /* Sever all pathids still refering to the handler. */
+        /* Sever all pathids still referring to the handler. */
        list_for_each_entry_safe(p, n, &handler->paths, list) {
                iucv_sever_pathid(p->pathid, NULL);
                iucv_path_table[p->pathid] = NULL;
@@ -828,14 +829,14 @@ EXPORT_SYMBOL(iucv_unregister);
 static int iucv_reboot_event(struct notifier_block *this,
                             unsigned long event, void *ptr)
 {
-        int i, rc;
+        int i;
        get_online_cpus();
        on_each_cpu(iucv_block_cpu, NULL, 1);
        preempt_disable();
        for (i = 0; i < iucv_max_pathid; i++) {
                if (iucv_path_table[i])
-                        rc = iucv_sever_pathid(i, NULL);
+                        iucv_sever_pathid(i, NULL);
        }
        preempt_enable();
        put_online_cpus();
@@ -866,7 +867,7 @@ int iucv_path_accept(struct iucv_path *path, struct iucv_handler *handler,
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -915,7 +916,7 @@ int iucv_path_connect(struct iucv_path *path, struct iucv_handler *handler,
        spin_lock_bh(&iucv_table_lock);
        iucv_cleanup_queue();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -975,7 +976,7 @@ int iucv_path_quiesce(struct iucv_path *path, u8 userdata[16])
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1007,7 +1008,7 @@ int iucv_path_resume(struct iucv_path *path, u8 userdata[16])
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1036,7 +1037,7 @@ int iucv_path_sever(struct iucv_path *path, u8 userdata[16])
        int rc;
        preempt_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1070,7 +1071,7 @@ int iucv_message_purge(struct iucv_path *path, struct iucv_message *msg,
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1162,7 +1163,7 @@ int __iucv_message_receive(struct iucv_path *path, struct iucv_message *msg,
        if (msg->flags & IUCV_IPRMDATA)
                return iucv_message_receive_iprmdata(path, msg, flags,
                                                     buffer, size, residual);
-        if (cpus_empty(iucv_buffer_cpumask)) {
+         if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1235,7 +1236,7 @@ int iucv_message_reject(struct iucv_path *path, struct iucv_message *msg)
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1274,7 +1275,7 @@ int iucv_message_reply(struct iucv_path *path, struct iucv_message *msg,
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1324,7 +1325,7 @@ int __iucv_message_send(struct iucv_path *path, struct iucv_message *msg,
        union iucv_param *parm;
        int rc;
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1411,7 +1412,7 @@ int iucv_message_send2way(struct iucv_path *path, struct iucv_message *msg,
        int rc;
        local_bh_disable();
-        if (cpus_empty(iucv_buffer_cpumask)) {
+        if (cpumask_empty(&iucv_buffer_cpumask)) {
                rc = -EIO;
                goto out;
        }
@@ -1888,7 +1889,7 @@ static int iucv_pm_freeze(struct device *dev)
        printk(KERN_WARNING "iucv_pm_freeze\n");
 #endif
        if (iucv_pm_state != IUCV_PM_FREEZING) {
-                for_each_cpu_mask_nr(cpu, iucv_irq_cpumask)
+                for_each_cpu(cpu, &iucv_irq_cpumask)
                        smp_call_function_single(cpu, iucv_block_cpu_almost,
                                                 NULL, 1);
                cancel_work_sync(&iucv_work);
@@ -1928,7 +1929,7 @@ static int iucv_pm_thaw(struct device *dev)
                if (rc)
                        goto out;
        }
-        if (cpus_empty(iucv_irq_cpumask)) {
+        if (cpumask_empty(&iucv_irq_cpumask)) {
                if (iucv_nonsmp_handler)
                        /* enable interrupts on one cpu */
                        iucv_allow_cpu(NULL);
@@ -1961,7 +1962,7 @@ static int iucv_pm_restore(struct device *dev)
                pr_warning("Suspending Linux did not completely close all IUCV "
                        "connections\n");
        iucv_pm_state = IUCV_PM_RESTORING;
-        if (cpus_empty(iucv_irq_cpumask)) {
+        if (cpumask_empty(&iucv_irq_cpumask)) {
                rc = iucv_query_maxconn();
                rc = iucv_enable();
                if (rc)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index d87c22df6f1e..d62401c25684 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -70,7 +70,7 @@ static inline struct pfkey_sock *pfkey_sk(struct sock *sk)
        return (struct pfkey_sock *)sk;
 }
-static int pfkey_can_dump(struct sock *sk)
+static int pfkey_can_dump(const struct sock *sk)
 {
        if (3 * atomic_read(&sk->sk_rmem_alloc) <= 2 * sk->sk_rcvbuf)
                return 1;
@@ -303,12 +303,13 @@ static int pfkey_do_dump(struct pfkey_sock *pfk)
        return rc;
 }
-static inline void pfkey_hdr_dup(struct sadb_msg *new, struct sadb_msg *orig)
+static inline void pfkey_hdr_dup(struct sadb_msg *new,
+                                 const struct sadb_msg *orig)
 {
        *new = *orig;
 }
-static int pfkey_error(struct sadb_msg *orig, int err, struct sock *sk)
+static int pfkey_error(const struct sadb_msg *orig, int err, struct sock *sk)
 {
        struct sk_buff *skb = alloc_skb(sizeof(struct sadb_msg) + 16, GFP_KERNEL);
        struct sadb_msg *hdr;
@@ -369,13 +370,13 @@ static u8 sadb_ext_min_len[] = {
 };
 /* Verify sadb_address_{len,prefixlen} against sa_family.  */
-static int verify_address_len(void *p)
+static int verify_address_len(const void *p)
 {
-        struct sadb_address *sp = p;
+        const struct sadb_address *sp = p;
-        struct sockaddr *addr = (struct sockaddr *)(sp + 1);
+        const struct sockaddr *addr = (const struct sockaddr *)(sp + 1);
-        struct sockaddr_in *sin;
+        const struct sockaddr_in *sin;
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-        struct sockaddr_in6 *sin6;
+        const struct sockaddr_in6 *sin6;
 #endif
        int len;
@@ -411,16 +412,16 @@ static int verify_address_len(void *p)
        return 0;
 }
-static inline int pfkey_sec_ctx_len(struct sadb_x_sec_ctx *sec_ctx)
+static inline int pfkey_sec_ctx_len(const struct sadb_x_sec_ctx *sec_ctx)
 {
        return DIV_ROUND_UP(sizeof(struct sadb_x_sec_ctx) +
                            sec_ctx->sadb_x_ctx_len,
                            sizeof(uint64_t));
 }
-static inline int verify_sec_ctx_len(void *p)
+static inline int verify_sec_ctx_len(const void *p)
 {
-        struct sadb_x_sec_ctx *sec_ctx = (struct sadb_x_sec_ctx *)p;
+        const struct sadb_x_sec_ctx *sec_ctx = p;
        int len = sec_ctx->sadb_x_ctx_len;
        if (len > PAGE_SIZE)
@@ -434,7 +435,7 @@ static inline int verify_sec_ctx_len(void *p)
        return 0;
 }
-static inline struct xfrm_user_sec_ctx *pfkey_sadb2xfrm_user_sec_ctx(struct sadb_x_sec_ctx *sec_ctx)
+static inline struct xfrm_user_sec_ctx *pfkey_sadb2xfrm_user_sec_ctx(const struct sadb_x_sec_ctx *sec_ctx)
 {
        struct xfrm_user_sec_ctx *uctx = NULL;
        int ctx_size = sec_ctx->sadb_x_ctx_len;
@@ -455,16 +456,16 @@ static inline struct xfrm_user_sec_ctx *pfkey_sadb2xfrm_user_sec_ctx(struct sadb
        return uctx;
 }
-static int present_and_same_family(struct sadb_address *src,
+static int present_and_same_family(const struct sadb_address *src,
-                                   struct sadb_address *dst)
+                                   const struct sadb_address *dst)
 {
-        struct sockaddr *s_addr, *d_addr;
+        const struct sockaddr *s_addr, *d_addr;
        if (!src || !dst)
                return 0;
-        s_addr = (struct sockaddr *)(src + 1);
+        s_addr = (const struct sockaddr *)(src + 1);
-        d_addr = (struct sockaddr *)(dst + 1);
+        d_addr = (const struct sockaddr *)(dst + 1);
        if (s_addr->sa_family != d_addr->sa_family)
                return 0;
        if (s_addr->sa_family != AF_INET
@@ -477,15 +478,15 @@ static int present_and_same_family(struct sadb_address *src,
        return 1;
 }
-static int parse_exthdrs(struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int parse_exthdrs(struct sk_buff *skb, const struct sadb_msg *hdr, void **ext_hdrs)
 {
-        char *p = (char *) hdr;
+        const char *p = (char *) hdr;
        int len = skb->len;
        len -= sizeof(*hdr);
        p += sizeof(*hdr);
        while (len > 0) {
-                struct sadb_ext *ehdr = (struct sadb_ext *) p;
+                const struct sadb_ext *ehdr = (const struct sadb_ext *) p;
                uint16_t ext_type;
                int ext_len;
@@ -514,7 +515,7 @@ static int parse_exthdrs(struct sk_buff *skb, struct sadb_msg *hdr, void **ext_h
                                if (verify_sec_ctx_len(p))
                                        return -EINVAL;
                        }
-                        ext_hdrs[ext_type-1] = p;
+                        ext_hdrs[ext_type-1] = (void *) p;
                }
                p   += ext_len;
                len -= ext_len;
@@ -606,21 +607,21 @@ int pfkey_sockaddr_extract(const struct sockaddr *sa, xfrm_address_t *xaddr)
 }
 static
-int pfkey_sadb_addr2xfrm_addr(struct sadb_address *addr, xfrm_address_t *xaddr)
+int pfkey_sadb_addr2xfrm_addr(const struct sadb_address *addr, xfrm_address_t *xaddr)
 {
        return pfkey_sockaddr_extract((struct sockaddr *)(addr + 1),
                                      xaddr);
 }
-static struct  xfrm_state *pfkey_xfrm_state_lookup(struct net *net, struct sadb_msg *hdr, void **ext_hdrs)
+static struct  xfrm_state *pfkey_xfrm_state_lookup(struct net *net, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
-        struct sadb_sa *sa;
+        const struct sadb_sa *sa;
-        struct sadb_address *addr;
+        const struct sadb_address *addr;
        uint16_t proto;
        unsigned short family;
        xfrm_address_t *xaddr;
-        sa = (struct sadb_sa *) ext_hdrs[SADB_EXT_SA-1];
+        sa = (const struct sadb_sa *) ext_hdrs[SADB_EXT_SA-1];
        if (sa == NULL)
                return NULL;
@@ -629,18 +630,18 @@ static struct  xfrm_state *pfkey_xfrm_state_lookup(struct net *net, struct sadb_
                return NULL;
        /* sadb_address_len should be checked by caller */
-        addr = (struct sadb_address *) ext_hdrs[SADB_EXT_ADDRESS_DST-1];
+        addr = (const struct sadb_address *) ext_hdrs[SADB_EXT_ADDRESS_DST-1];
        if (addr == NULL)
                return NULL;
-        family = ((struct sockaddr *)(addr + 1))->sa_family;
+        family = ((const struct sockaddr *)(addr + 1))->sa_family;
        switch (family) {
        case AF_INET:
-                xaddr = (xfrm_address_t *)&((struct sockaddr_in *)(addr + 1))->sin_addr;
+                xaddr = (xfrm_address_t *)&((const struct sockaddr_in *)(addr + 1))->sin_addr;
                break;
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
        case AF_INET6:
-                xaddr = (xfrm_address_t *)&((struct sockaddr_in6 *)(addr + 1))->sin6_addr;
+                xaddr = (xfrm_address_t *)&((const struct sockaddr_in6 *)(addr + 1))->sin6_addr;
                break;
 #endif
        default:
@@ -690,9 +691,9 @@ static inline int pfkey_mode_to_xfrm(int mode)
        }
 }
-static unsigned int pfkey_sockaddr_fill(xfrm_address_t *xaddr, __be16 port,
+static unsigned int pfkey_sockaddr_fill(const xfrm_address_t *xaddr, __be16 port,
-                                       struct sockaddr *sa,
+                                        struct sockaddr *sa,
-                                       unsigned short family)
+                                        unsigned short family)
 {
        switch (family) {
        case AF_INET:
@@ -711,7 +712,7 @@ static unsigned int pfkey_sockaddr_fill(xfrm_address_t *xaddr, __be16 port,
                sin6->sin6_family = AF_INET6;
                sin6->sin6_port = port;
                sin6->sin6_flowinfo = 0;
-                ipv6_addr_copy(&sin6->sin6_addr, (struct in6_addr *)xaddr->a6);
+                ipv6_addr_copy(&sin6->sin6_addr, (const struct in6_addr *)xaddr->a6);
                sin6->sin6_scope_id = 0;
                return 128;
            }
@@ -720,7 +721,7 @@ static unsigned int pfkey_sockaddr_fill(xfrm_address_t *xaddr, __be16 port,
        return 0;
 }
-static struct sk_buff *__pfkey_xfrm_state2msg(struct xfrm_state *x,
+static struct sk_buff *__pfkey_xfrm_state2msg(const struct xfrm_state *x,
                                              int add_keys, int hsc)
 {
        struct sk_buff *skb;
@@ -1010,7 +1011,7 @@ static struct sk_buff *__pfkey_xfrm_state2msg(struct xfrm_state *x,
 }
-static inline struct sk_buff *pfkey_xfrm_state2msg(struct xfrm_state *x)
+static inline struct sk_buff *pfkey_xfrm_state2msg(const struct xfrm_state *x)
 {
        struct sk_buff *skb;
@@ -1019,26 +1020,26 @@ static inline struct sk_buff *pfkey_xfrm_state2msg(struct xfrm_state *x)
        return skb;
 }
-static inline struct sk_buff *pfkey_xfrm_state2msg_expire(struct xfrm_state *x,
+static inline struct sk_buff *pfkey_xfrm_state2msg_expire(const struct xfrm_state *x,
                                                          int hsc)
 {
        return __pfkey_xfrm_state2msg(x, 0, hsc);
 }
 static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
-                                                struct sadb_msg *hdr,
+                                                const struct sadb_msg *hdr,
-                                                void **ext_hdrs)
+                                                void * const *ext_hdrs)
 {
        struct xfrm_state *x;
-        struct sadb_lifetime *lifetime;
+        const struct sadb_lifetime *lifetime;
-        struct sadb_sa *sa;
+        const struct sadb_sa *sa;
-        struct sadb_key *key;
+        const struct sadb_key *key;
-        struct sadb_x_sec_ctx *sec_ctx;
+        const struct sadb_x_sec_ctx *sec_ctx;
        uint16_t proto;
        int err;
-        sa = (struct sadb_sa *) ext_hdrs[SADB_EXT_SA-1];
+        sa = (const struct sadb_sa *) ext_hdrs[SADB_EXT_SA-1];
        if (!sa ||
            !present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC-1],
                                     ext_hdrs[SADB_EXT_ADDRESS_DST-1]))
@@ -1077,7 +1078,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
             sa->sadb_sa_encrypt > SADB_X_CALG_MAX) ||
            sa->sadb_sa_encrypt > SADB_EALG_MAX)
                return ERR_PTR(-EINVAL);
-        key = (struct sadb_key*) ext_hdrs[SADB_EXT_KEY_AUTH-1];
+        key = (const struct sadb_key*) ext_hdrs[SADB_EXT_KEY_AUTH-1];
        if (key != NULL &&
            sa->sadb_sa_auth != SADB_X_AALG_NULL &&
            ((key->sadb_key_bits+7) / 8 == 0 ||
@@ -1104,14 +1105,14 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
        if (sa->sadb_sa_flags & SADB_SAFLAGS_NOPMTUDISC)
                x->props.flags |= XFRM_STATE_NOPMTUDISC;
-        lifetime = (struct sadb_lifetime*) ext_hdrs[SADB_EXT_LIFETIME_HARD-1];
+        lifetime = (const struct sadb_lifetime*) ext_hdrs[SADB_EXT_LIFETIME_HARD-1];
        if (lifetime != NULL) {
                x->lft.hard_packet_limit = _KEY2X(lifetime->sadb_lifetime_allocations);
                x->lft.hard_byte_limit = _KEY2X(lifetime->sadb_lifetime_bytes);
                x->lft.hard_add_expires_seconds = lifetime->sadb_lifetime_addtime;
                x->lft.hard_use_expires_seconds = lifetime->sadb_lifetime_usetime;
        }
-        lifetime = (struct sadb_lifetime*) ext_hdrs[SADB_EXT_LIFETIME_SOFT-1];
+        lifetime = (const struct sadb_lifetime*) ext_hdrs[SADB_EXT_LIFETIME_SOFT-1];
        if (lifetime != NULL) {
                x->lft.soft_packet_limit = _KEY2X(lifetime->sadb_lifetime_allocations);
                x->lft.soft_byte_limit = _KEY2X(lifetime->sadb_lifetime_bytes);
@@ -1119,7 +1120,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
                x->lft.soft_use_expires_seconds = lifetime->sadb_lifetime_usetime;
        }
-        sec_ctx = (struct sadb_x_sec_ctx *) ext_hdrs[SADB_X_EXT_SEC_CTX-1];
+        sec_ctx = (const struct sadb_x_sec_ctx *) ext_hdrs[SADB_X_EXT_SEC_CTX-1];
        if (sec_ctx != NULL) {
                struct xfrm_user_sec_ctx *uctx = pfkey_sadb2xfrm_user_sec_ctx(sec_ctx);
@@ -1133,7 +1134,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
                        goto out;
        }
-        key = (struct sadb_key*) ext_hdrs[SADB_EXT_KEY_AUTH-1];
+        key = (const struct sadb_key*) ext_hdrs[SADB_EXT_KEY_AUTH-1];
        if (sa->sadb_sa_auth) {
                int keysize = 0;
                struct xfrm_algo_desc *a = xfrm_aalg_get_byid(sa->sadb_sa_auth);
@@ -1202,7 +1203,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
                                  &x->id.daddr);
        if (ext_hdrs[SADB_X_EXT_SA2-1]) {
-                struct sadb_x_sa2 *sa2 = (void*)ext_hdrs[SADB_X_EXT_SA2-1];
+                const struct sadb_x_sa2 *sa2 = ext_hdrs[SADB_X_EXT_SA2-1];
                int mode = pfkey_mode_to_xfrm(sa2->sadb_x_sa2_mode);
                if (mode < 0) {
                        err = -EINVAL;
@@ -1213,7 +1214,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
        }
        if (ext_hdrs[SADB_EXT_ADDRESS_PROXY-1]) {
-                struct sadb_address *addr = ext_hdrs[SADB_EXT_ADDRESS_PROXY-1];
+                const struct sadb_address *addr = ext_hdrs[SADB_EXT_ADDRESS_PROXY-1];
                /* Nobody uses this, but we try. */
                x->sel.family = pfkey_sadb_addr2xfrm_addr(addr, &x->sel.saddr);
@@ -1224,7 +1225,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
                x->sel.family = x->props.family;
        if (ext_hdrs[SADB_X_EXT_NAT_T_TYPE-1]) {
-                struct sadb_x_nat_t_type* n_type;
+                const struct sadb_x_nat_t_type* n_type;
                struct xfrm_encap_tmpl *natt;
                x->encap = kmalloc(sizeof(*x->encap), GFP_KERNEL);
@@ -1236,12 +1237,12 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
                natt->encap_type = n_type->sadb_x_nat_t_type_type;
                if (ext_hdrs[SADB_X_EXT_NAT_T_SPORT-1]) {
-                        struct sadb_x_nat_t_port* n_port =
+                        const struct sadb_x_nat_t_port *n_port =
                                ext_hdrs[SADB_X_EXT_NAT_T_SPORT-1];
                        natt->encap_sport = n_port->sadb_x_nat_t_port_port;
                }
                if (ext_hdrs[SADB_X_EXT_NAT_T_DPORT-1]) {
-                        struct sadb_x_nat_t_port* n_port =
+                        const struct sadb_x_nat_t_port *n_port =
                                ext_hdrs[SADB_X_EXT_NAT_T_DPORT-1];
                        natt->encap_dport = n_port->sadb_x_nat_t_port_port;
                }
@@ -1261,12 +1262,12 @@ out:
        return ERR_PTR(err);
 }
-static int pfkey_reserved(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_reserved(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        return -EOPNOTSUPP;
 }
-static int pfkey_getspi(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_getspi(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        struct net *net = sock_net(sk);
        struct sk_buff *resp_skb;
@@ -1365,7 +1366,7 @@ static int pfkey_getspi(struct sock *sk, struct sk_buff *skb, struct sadb_msg *h
        return 0;
 }
-static int pfkey_acquire(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_acquire(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        struct net *net = sock_net(sk);
        struct xfrm_state *x;
@@ -1429,7 +1430,7 @@ static inline int event2keytype(int event)
 }
 /* ADD/UPD/DEL */
-static int key_notify_sa(struct xfrm_state *x, struct km_event *c)
+static int key_notify_sa(struct xfrm_state *x, const struct km_event *c)
 {
        struct sk_buff *skb;
        struct sadb_msg *hdr;
@@ -1453,7 +1454,7 @@ static int key_notify_sa(struct xfrm_state *x, struct km_event *c)
        return 0;
 }
-static int pfkey_add(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_add(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        struct net *net = sock_net(sk);
        struct xfrm_state *x;
@@ -1492,7 +1493,7 @@ out:
        return err;
 }
-static int pfkey_delete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_delete(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        struct net *net = sock_net(sk);
        struct xfrm_state *x;
@@ -1534,7 +1535,7 @@ out:
        return err;
 }
-static int pfkey_get(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_get(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        struct net *net = sock_net(sk);
        __u8 proto;
@@ -1570,7 +1571,7 @@ static int pfkey_get(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr,
        return 0;
 }
-static struct sk_buff *compose_sadb_supported(struct sadb_msg *orig,
+static struct sk_buff *compose_sadb_supported(const struct sadb_msg *orig,
                                              gfp_t allocation)
 {
        struct sk_buff *skb;
@@ -1642,7 +1643,7 @@ out_put_algs:
        return skb;
 }
-static int pfkey_register(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        struct pfkey_sock *pfk = pfkey_sk(sk);
        struct sk_buff *supp_skb;
@@ -1671,7 +1672,7 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, struct sadb_msg
        return 0;
 }
-static int unicast_flush_resp(struct sock *sk, struct sadb_msg *ihdr)
+static int unicast_flush_resp(struct sock *sk, const struct sadb_msg *ihdr)
 {
        struct sk_buff *skb;
        struct sadb_msg *hdr;
@@ -1688,7 +1689,7 @@ static int unicast_flush_resp(struct sock *sk, struct sadb_msg *ihdr)
        return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ONE, sk, sock_net(sk));
 }
-static int key_notify_sa_flush(struct km_event *c)
+static int key_notify_sa_flush(const struct km_event *c)
 {
        struct sk_buff *skb;
        struct sadb_msg *hdr;
@@ -1710,7 +1711,7 @@ static int key_notify_sa_flush(struct km_event *c)
        return 0;
 }
-static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        struct net *net = sock_net(sk);
        unsigned proto;
@@ -1784,7 +1785,7 @@ static void pfkey_dump_sa_done(struct pfkey_sock *pfk)
        xfrm_state_walk_done(&pfk->dump.u.state);
 }
-static int pfkey_dump(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        u8 proto;
        struct pfkey_sock *pfk = pfkey_sk(sk);
@@ -1805,19 +1806,29 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr
        return pfkey_do_dump(pfk);
 }
-static int pfkey_promisc(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_promisc(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        struct pfkey_sock *pfk = pfkey_sk(sk);
        int satype = hdr->sadb_msg_satype;
+        bool reset_errno = false;
        if (hdr->sadb_msg_len == (sizeof(*hdr) / sizeof(uint64_t))) {
-                /* XXX we mangle packet... */
+                reset_errno = true;
-                hdr->sadb_msg_errno = 0;
                if (satype != 0 && satype != 1)
                        return -EINVAL;
                pfk->promisc = satype;
        }
-        pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, BROADCAST_ALL, NULL, sock_net(sk));
+        if (reset_errno && skb_cloned(skb))
+                skb = skb_copy(skb, GFP_KERNEL);
+        else
+                skb = skb_clone(skb, GFP_KERNEL);
+        if (reset_errno && skb) {
+                struct sadb_msg *new_hdr = (struct sadb_msg *) skb->data;
+                new_hdr->sadb_msg_errno = 0;
+        }
+        pfkey_broadcast(skb, GFP_KERNEL, BROADCAST_ALL, NULL, sock_net(sk));
        return 0;
 }
@@ -1921,7 +1932,7 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol)
        return 0;
 }
-static inline int pfkey_xfrm_policy2sec_ctx_size(struct xfrm_policy *xp)
+static inline int pfkey_xfrm_policy2sec_ctx_size(const struct xfrm_policy *xp)
 {
  struct xfrm_sec_ctx *xfrm_ctx = xp->security;
@@ -1933,9 +1944,9 @@ static inline int pfkey_xfrm_policy2sec_ctx_size(struct xfrm_policy *xp)
        return 0;
 }
-static int pfkey_xfrm_policy2msg_size(struct xfrm_policy *xp)
+static int pfkey_xfrm_policy2msg_size(const struct xfrm_policy *xp)
 {
-        struct xfrm_tmpl *t;
+        const struct xfrm_tmpl *t;
        int sockaddr_size = pfkey_sockaddr_size(xp->family);
        int socklen = 0;
        int i;
@@ -1955,7 +1966,7 @@ static int pfkey_xfrm_policy2msg_size(struct xfrm_policy *xp)
                pfkey_xfrm_policy2sec_ctx_size(xp);
 }
-static struct sk_buff * pfkey_xfrm_policy2msg_prep(struct xfrm_policy *xp)
+static struct sk_buff * pfkey_xfrm_policy2msg_prep(const struct xfrm_policy *xp)
 {
        struct sk_buff *skb;
        int size;
@@ -1969,7 +1980,7 @@ static struct sk_buff * pfkey_xfrm_policy2msg_prep(struct xfrm_policy *xp)
        return skb;
 }
-static int pfkey_xfrm_policy2msg(struct sk_buff *skb, struct xfrm_policy *xp, int dir)
+static int pfkey_xfrm_policy2msg(struct sk_buff *skb, const struct xfrm_policy *xp, int dir)
 {
        struct sadb_msg *hdr;
        struct sadb_address *addr;
@@ -2065,8 +2076,8 @@ static int pfkey_xfrm_policy2msg(struct sk_buff *skb, struct xfrm_policy *xp, in
        pol->sadb_x_policy_priority = xp->priority;
        for (i=0; i<xp->xfrm_nr; i++) {
+                const struct xfrm_tmpl *t = xp->xfrm_vec + i;
                struct sadb_x_ipsecrequest *rq;
-                struct xfrm_tmpl *t = xp->xfrm_vec + i;
                int req_size;
                int mode;
@@ -2123,7 +2134,7 @@ static int pfkey_xfrm_policy2msg(struct sk_buff *skb, struct xfrm_policy *xp, in
        return 0;
 }
-static int key_notify_policy(struct xfrm_policy *xp, int dir, struct km_event *c)
+static int key_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
        struct sk_buff *out_skb;
        struct sadb_msg *out_hdr;
@@ -2152,7 +2163,7 @@ static int key_notify_policy(struct xfrm_policy *xp, int dir, struct km_event *c
 }
-static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_spdadd(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        struct net *net = sock_net(sk);
        int err = 0;
@@ -2273,7 +2284,7 @@ out:
        return err;
 }
-static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        struct net *net = sock_net(sk);
        int err;
@@ -2350,7 +2361,7 @@ out:
        return err;
 }
-static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, struct sadb_msg *hdr, int dir)
+static int key_pol_get_resp(struct sock *sk, struct xfrm_policy *xp, const struct sadb_msg *hdr, int dir)
 {
        int err;
        struct sk_buff *out_skb;
@@ -2458,7 +2469,7 @@ static int ipsecrequests_to_migrate(struct sadb_x_ipsecrequest *rq1, int len,
 }
 static int pfkey_migrate(struct sock *sk, struct sk_buff *skb,
-                         struct sadb_msg *hdr, void **ext_hdrs)
+                         const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        int i, len, ret, err = -EINVAL;
        u8 dir;
@@ -2549,14 +2560,14 @@ static int pfkey_migrate(struct sock *sk, struct sk_buff *skb,
 }
 #else
 static int pfkey_migrate(struct sock *sk, struct sk_buff *skb,
-                         struct sadb_msg *hdr, void **ext_hdrs)
+                         const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        return -ENOPROTOOPT;
 }
 #endif
-static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_spdget(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        struct net *net = sock_net(sk);
        unsigned int dir;
@@ -2644,7 +2655,7 @@ static void pfkey_dump_sp_done(struct pfkey_sock *pfk)
        xfrm_policy_walk_done(&pfk->dump.u.policy);
 }
-static int pfkey_spddump(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_spddump(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        struct pfkey_sock *pfk = pfkey_sk(sk);
@@ -2660,7 +2671,7 @@ static int pfkey_spddump(struct sock *sk, struct sk_buff *skb, struct sadb_msg *
        return pfkey_do_dump(pfk);
 }
-static int key_notify_policy_flush(struct km_event *c)
+static int key_notify_policy_flush(const struct km_event *c)
 {
        struct sk_buff *skb_out;
        struct sadb_msg *hdr;
@@ -2680,7 +2691,7 @@ static int key_notify_policy_flush(struct km_event *c)
 }
-static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs)
+static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
        struct net *net = sock_net(sk);
        struct km_event c;
@@ -2709,7 +2720,7 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg
 }
 typedef int (*pfkey_handler)(struct sock *sk, struct sk_buff *skb,
-                             struct sadb_msg *hdr, void **ext_hdrs);
+                             const struct sadb_msg *hdr, void * const *ext_hdrs);
 static pfkey_handler pfkey_funcs[SADB_MAX + 1] = {
        [SADB_RESERVED]         = pfkey_reserved,
        [SADB_GETSPI]           = pfkey_getspi,
@@ -2736,7 +2747,7 @@ static pfkey_handler pfkey_funcs[SADB_MAX + 1] = {
        [SADB_X_MIGRATE]        = pfkey_migrate,
 };
-static int pfkey_process(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr)
+static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr)
 {
        void *ext_hdrs[SADB_EXT_MAX];
        int err;
@@ -2781,7 +2792,8 @@ static struct sadb_msg *pfkey_get_base_msg(struct sk_buff *skb, int *errp)
        return hdr;
 }
-static inline int aalg_tmpl_set(struct xfrm_tmpl *t, struct xfrm_algo_desc *d)
+static inline int aalg_tmpl_set(const struct xfrm_tmpl *t,
+                                const struct xfrm_algo_desc *d)
 {
        unsigned int id = d->desc.sadb_alg_id;
@@ -2791,7 +2803,8 @@ static inline int aalg_tmpl_set(struct xfrm_tmpl *t, struct xfrm_algo_desc *d)
        return (t->aalgos >> id) & 1;
 }
-static inline int ealg_tmpl_set(struct xfrm_tmpl *t, struct xfrm_algo_desc *d)
+static inline int ealg_tmpl_set(const struct xfrm_tmpl *t,
+                                const struct xfrm_algo_desc *d)
 {
        unsigned int id = d->desc.sadb_alg_id;
@@ -2801,12 +2814,12 @@ static inline int ealg_tmpl_set(struct xfrm_tmpl *t, struct xfrm_algo_desc *d)
        return (t->ealgos >> id) & 1;
 }
-static int count_ah_combs(struct xfrm_tmpl *t)
+static int count_ah_combs(const struct xfrm_tmpl *t)
 {
        int i, sz = 0;
        for (i = 0; ; i++) {
-                struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(i);
+                const struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(i);
                if (!aalg)
                        break;
                if (aalg_tmpl_set(t, aalg) && aalg->available)
@@ -2815,12 +2828,12 @@ static int count_ah_combs(struct xfrm_tmpl *t)
        return sz + sizeof(struct sadb_prop);
 }
-static int count_esp_combs(struct xfrm_tmpl *t)
+static int count_esp_combs(const struct xfrm_tmpl *t)
 {
        int i, k, sz = 0;
        for (i = 0; ; i++) {
-                struct xfrm_algo_desc *ealg = xfrm_ealg_get_byidx(i);
+                const struct xfrm_algo_desc *ealg = xfrm_ealg_get_byidx(i);
                if (!ealg)
                        break;
@@ -2828,7 +2841,7 @@ static int count_esp_combs(struct xfrm_tmpl *t)
                        continue;
                for (k = 1; ; k++) {
-                        struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(k);
+                        const struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(k);
                        if (!aalg)
                                break;
@@ -2839,7 +2852,7 @@ static int count_esp_combs(struct xfrm_tmpl *t)
        return sz + sizeof(struct sadb_prop);
 }
-static void dump_ah_combs(struct sk_buff *skb, struct xfrm_tmpl *t)
+static void dump_ah_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
 {
        struct sadb_prop *p;
        int i;
@@ -2851,7 +2864,7 @@ static void dump_ah_combs(struct sk_buff *skb, struct xfrm_tmpl *t)
        memset(p->sadb_prop_reserved, 0, sizeof(p->sadb_prop_reserved));
        for (i = 0; ; i++) {
-                struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(i);
+                const struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(i);
                if (!aalg)
                        break;
@@ -2871,7 +2884,7 @@ static void dump_ah_combs(struct sk_buff *skb, struct xfrm_tmpl *t)
        }
 }
-static void dump_esp_combs(struct sk_buff *skb, struct xfrm_tmpl *t)
+static void dump_esp_combs(struct sk_buff *skb, const struct xfrm_tmpl *t)
 {
        struct sadb_prop *p;
        int i, k;
@@ -2883,7 +2896,7 @@ static void dump_esp_combs(struct sk_buff *skb, struct xfrm_tmpl *t)
        memset(p->sadb_prop_reserved, 0, sizeof(p->sadb_prop_reserved));
        for (i=0; ; i++) {
-                struct xfrm_algo_desc *ealg = xfrm_ealg_get_byidx(i);
+                const struct xfrm_algo_desc *ealg = xfrm_ealg_get_byidx(i);
                if (!ealg)
                        break;
@@ -2892,7 +2905,7 @@ static void dump_esp_combs(struct sk_buff *skb, struct xfrm_tmpl *t)
                for (k = 1; ; k++) {
                        struct sadb_comb *c;
-                        struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(k);
+                        const struct xfrm_algo_desc *aalg = xfrm_aalg_get_byidx(k);
                        if (!aalg)
                                break;
                        if (!(aalg_tmpl_set(t, aalg) && aalg->available))
@@ -2914,12 +2927,12 @@ static void dump_esp_combs(struct sk_buff *skb, struct xfrm_tmpl *t)
        }
 }
-static int key_notify_policy_expire(struct xfrm_policy *xp, struct km_event *c)
+static int key_notify_policy_expire(struct xfrm_policy *xp, const struct km_event *c)
 {
        return 0;
 }
-static int key_notify_sa_expire(struct xfrm_state *x, struct km_event *c)
+static int key_notify_sa_expire(struct xfrm_state *x, const struct km_event *c)
 {
        struct sk_buff *out_skb;
        struct sadb_msg *out_hdr;
@@ -2949,7 +2962,7 @@ static int key_notify_sa_expire(struct xfrm_state *x, struct km_event *c)
        return 0;
 }
-static int pfkey_send_notify(struct xfrm_state *x, struct km_event *c)
+static int pfkey_send_notify(struct xfrm_state *x, const struct km_event *c)
 {
        struct net *net = x ? xs_net(x) : c->net;
        struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
@@ -2976,7 +2989,7 @@ static int pfkey_send_notify(struct xfrm_state *x, struct km_event *c)
        return 0;
 }
-static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
+static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
        if (xp && xp->type != XFRM_POLICY_TYPE_MAIN)
                return 0;
@@ -3318,7 +3331,7 @@ static int pfkey_send_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr,
 #ifdef CONFIG_NET_KEY_MIGRATE
 static int set_sadb_address(struct sk_buff *skb, int sasize, int type,
-                            struct xfrm_selector *sel)
+                            const struct xfrm_selector *sel)
 {
        struct sadb_address *addr;
        addr = (struct sadb_address *)skb_put(skb, sizeof(struct sadb_address) + sasize);
@@ -3348,7 +3361,7 @@ static int set_sadb_address(struct sk_buff *skb, int sasize, int type,
 }
-static int set_sadb_kmaddress(struct sk_buff *skb, struct xfrm_kmaddress *k)
+static int set_sadb_kmaddress(struct sk_buff *skb, const struct xfrm_kmaddress *k)
 {
        struct sadb_x_kmaddress *kma;
        u8 *sa;
@@ -3376,7 +3389,7 @@ static int set_sadb_kmaddress(struct sk_buff *skb, struct xfrm_kmaddress *k)
 static int set_ipsecrequest(struct sk_buff *skb,
                            uint8_t proto, uint8_t mode, int level,
                            uint32_t reqid, uint8_t family,
-                            xfrm_address_t *src, xfrm_address_t *dst)
+                            const xfrm_address_t *src, const xfrm_address_t *dst)
 {
        struct sadb_x_ipsecrequest *rq;
        u8 *sa;
@@ -3404,9 +3417,9 @@ static int set_ipsecrequest(struct sk_buff *skb,
 #endif
 #ifdef CONFIG_NET_KEY_MIGRATE
-static int pfkey_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
+static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
-                              struct xfrm_migrate *m, int num_bundles,
+                              const struct xfrm_migrate *m, int num_bundles,
-                              struct xfrm_kmaddress *k)
+                              const struct xfrm_kmaddress *k)
 {
        int i;
        int sasize_sel;
@@ -3415,7 +3428,7 @@ static int pfkey_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
        struct sk_buff *skb;
        struct sadb_msg *hdr;
        struct sadb_x_policy *pol;
-        struct xfrm_migrate *mp;
+        const struct xfrm_migrate *mp;
        if (type != XFRM_POLICY_TYPE_MAIN)
                return 0;
@@ -3513,9 +3526,9 @@ err:
        return -EINVAL;
 }
 #else
-static int pfkey_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
+static int pfkey_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
-                              struct xfrm_migrate *m, int num_bundles,
+                              const struct xfrm_migrate *m, int num_bundles,
-                              struct xfrm_kmaddress *k)
+                              const struct xfrm_kmaddress *k)
 {
        return -ENOPROTOOPT;
 }
@@ -3655,6 +3668,7 @@ static int pfkey_seq_show(struct seq_file *f, void *v)
 }
 static void *pfkey_seq_start(struct seq_file *f, loff_t *ppos)
+        __acquires(rcu)
 {
        struct net *net = seq_file_net(f);
        struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
@@ -3672,6 +3686,7 @@ static void *pfkey_seq_next(struct seq_file *f, void *v, loff_t *ppos)
 }
 static void pfkey_seq_stop(struct seq_file *f, void *v)
+        __releases(rcu)
 {
        rcu_read_unlock();
 }
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index c64ce0a0bb03..ed8a2335442f 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -954,7 +954,7 @@ static int l2tp_build_l2tpv3_header(struct l2tp_session *session, void *buf)
 }
 static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
-                          size_t data_len)
+                          struct flowi *fl, size_t data_len)
 {
        struct l2tp_tunnel *tunnel = session->tunnel;
        unsigned int len = skb->len;
@@ -987,7 +987,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
        /* Queue the packet to IP for output */
        skb->local_df = 1;
-        error = ip_queue_xmit(skb);
+        error = ip_queue_xmit(skb, fl);
        /* Update stats */
        if (error >= 0) {
@@ -1028,6 +1028,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
        int data_len = skb->len;
        struct l2tp_tunnel *tunnel = session->tunnel;
        struct sock *sk = tunnel->sock;
+        struct flowi *fl;
        struct udphdr *uh;
        struct inet_sock *inet;
        __wsum csum;
@@ -1060,14 +1061,21 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
                              IPSKB_REROUTED);
        nf_reset(skb);
+        bh_lock_sock(sk);
+        if (sock_owned_by_user(sk)) {
+                dev_kfree_skb(skb);
+                goto out_unlock;
+        }
        /* Get routing info from the tunnel socket */
        skb_dst_drop(skb);
        skb_dst_set(skb, dst_clone(__sk_dst_get(sk)));
+        inet = inet_sk(sk);
+        fl = &inet->cork.fl;
        switch (tunnel->encap) {
        case L2TP_ENCAPTYPE_UDP:
                /* Setup UDP header */
-                inet = inet_sk(sk);
                __skb_push(skb, sizeof(*uh));
                skb_reset_transport_header(skb);
                uh = udp_hdr(skb);
@@ -1105,7 +1113,9 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
        l2tp_skb_set_owner_w(skb, sk);
-        l2tp_xmit_core(session, skb, data_len);
+        l2tp_xmit_core(session, skb, fl, data_len);
+out_unlock:
+        bh_unlock_sock(sk);
 abort:
        return 0;
@@ -1425,16 +1435,15 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
        /* Add tunnel to our list */
        INIT_LIST_HEAD(&tunnel->list);
-        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
-        list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
-        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
-        synchronize_rcu();
        atomic_inc(&l2tp_tunnel_count);
        /* Bump the reference count. The tunnel context is deleted
-         * only when this drops to zero.
+         * only when this drops to zero. Must be done before list insertion
         */
        l2tp_tunnel_inc_refcount(tunnel);
+        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
+        list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
+        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
        err = 0;
 err:
@@ -1626,7 +1635,6 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
                        hlist_add_head_rcu(&session->global_hlist,
                                           l2tp_session_id_hash_2(pn, session_id));
                        spin_unlock_bh(&pn->l2tp_session_hlist_lock);
-                        synchronize_rcu();
                }
                /* Ignore management session in session count value */
diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
index 8d9ce0accc98..a8193f52c13c 100644
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -283,7 +283,7 @@ static __net_init int l2tp_eth_init_net(struct net *net)
        return 0;
 }
-static __net_initdata struct pernet_operations l2tp_eth_net_ops = {
+static struct pernet_operations l2tp_eth_net_ops = {
        .init = l2tp_eth_init_net,
        .id   = &l2tp_eth_net_id,
        .size = sizeof(struct l2tp_eth_net),
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 110efb704c9b..b6466e71f5e1 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -296,12 +296,12 @@ out_in_use:
 static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
 {
-        int rc;
-        struct inet_sock *inet = inet_sk(sk);
        struct sockaddr_l2tpip *lsa = (struct sockaddr_l2tpip *) uaddr;
+        struct inet_sock *inet = inet_sk(sk);
+        struct flowi4 *fl4;
        struct rtable *rt;
        __be32 saddr;
-        int oif;
+        int oif, rc;
        rc = -EINVAL;
        if (addr_len < sizeof(*lsa))
@@ -311,6 +311,8 @@ static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
        if (lsa->l2tp_family != AF_INET)
                goto out;
+        lock_sock(sk);
        sk_dst_reset(sk);
        oif = sk->sk_bound_dev_if;
@@ -320,11 +322,13 @@ static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
        if (ipv4_is_multicast(lsa->l2tp_addr.s_addr))
                goto out;
-        rc = ip_route_connect(&rt, lsa->l2tp_addr.s_addr, saddr,
+        fl4 = &inet->cork.fl.u.ip4;
+        rt = ip_route_connect(fl4, lsa->l2tp_addr.s_addr, saddr,
                              RT_CONN_FLAGS(sk), oif,
                              IPPROTO_L2TP,
-                              0, 0, sk, 1);
+                              0, 0, sk, true);
-        if (rc) {
+        if (IS_ERR(rt)) {
+                rc = PTR_ERR(rt);
                if (rc == -ENETUNREACH)
                        IP_INC_STATS_BH(&init_net, IPSTATS_MIB_OUTNOROUTES);
                goto out;
@@ -339,10 +343,10 @@ static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
        l2tp_ip_sk(sk)->peer_conn_id = lsa->l2tp_conn_id;
        if (!inet->inet_saddr)
-                inet->inet_saddr = rt->rt_src;
+                inet->inet_saddr = fl4->saddr;
        if (!inet->inet_rcv_saddr)
-                inet->inet_rcv_saddr = rt->rt_src;
+                inet->inet_rcv_saddr = fl4->saddr;
-        inet->inet_daddr = rt->rt_dst;
+        inet->inet_daddr = fl4->daddr;
        sk->sk_state = TCP_ESTABLISHED;
        inet->inet_id = jiffies;
@@ -355,6 +359,7 @@ static int l2tp_ip_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len
        rc = 0;
 out:
+        release_sock(sk);
        return rc;
 }
@@ -415,23 +420,28 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
        int rc;
        struct l2tp_ip_sock *lsa = l2tp_ip_sk(sk);
        struct inet_sock *inet = inet_sk(sk);
-        struct ip_options *opt = inet->opt;
        struct rtable *rt = NULL;
+        struct flowi4 *fl4;
        int connected = 0;
        __be32 daddr;
+        lock_sock(sk);
+        rc = -ENOTCONN;
        if (sock_flag(sk, SOCK_DEAD))
-                return -ENOTCONN;
+                goto out;
        /* Get and verify the address. */
        if (msg->msg_name) {
                struct sockaddr_l2tpip *lip = (struct sockaddr_l2tpip *) msg->msg_name;
+                rc = -EINVAL;
                if (msg->msg_namelen < sizeof(*lip))
-                        return -EINVAL;
+                        goto out;
                if (lip->l2tp_family != AF_INET) {
+                        rc = -EAFNOSUPPORT;
                        if (lip->l2tp_family != AF_UNSPEC)
-                                return -EAFNOSUPPORT;
+                                goto out;
                }
                daddr = lip->l2tp_addr.s_addr;
@@ -466,38 +476,39 @@ static int l2tp_ip_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
                goto error;
        }
+        fl4 = &inet->cork.fl.u.ip4;
        if (connected)
                rt = (struct rtable *) __sk_dst_check(sk, 0);
        if (rt == NULL) {
+                struct ip_options_rcu *inet_opt;
+                rcu_read_lock();
+                inet_opt = rcu_dereference(inet->inet_opt);
                /* Use correct destination address if we have options. */
-                if (opt && opt->srr)
+                if (inet_opt && inet_opt->opt.srr)
-                        daddr = opt->faddr;
+                        daddr = inet_opt->opt.faddr;
-                {
+                rcu_read_unlock();
-                        struct flowi fl = { .oif = sk->sk_bound_dev_if,
-                                            .fl4_dst = daddr,
+                /* If this fails, retransmit mechanism of transport layer will
-                                            .fl4_src = inet->inet_saddr,
+                 * keep trying until route appears or the connection times
-                                            .fl4_tos = RT_CONN_FLAGS(sk),
+                 * itself out.
-                                            .proto = sk->sk_protocol,
+                 */
-                                            .flags = inet_sk_flowi_flags(sk),
+                rt = ip_route_output_ports(sock_net(sk), fl4, sk,
-                                            .fl_ip_sport = inet->inet_sport,
+                                           daddr, inet->inet_saddr,
-                                            .fl_ip_dport = inet->inet_dport };
+                                           inet->inet_dport, inet->inet_sport,
+                                           sk->sk_protocol, RT_CONN_FLAGS(sk),
-                        /* If this fails, retransmit mechanism of transport layer will
+                                           sk->sk_bound_dev_if);
-                         * keep trying until route appears or the connection times
+                if (IS_ERR(rt))
-                         * itself out.
+                        goto no_route;
-                         */
-                        security_sk_classify_flow(sk, &fl);
-                        if (ip_route_output_flow(sock_net(sk), &rt, &fl, sk, 0))
-                                goto no_route;
-                }
                sk_setup_caps(sk, &rt->dst);
        }
        skb_dst_set(skb, dst_clone(&rt->dst));
        /* Queue the packet to IP for output */
-        rc = ip_queue_xmit(skb);
+        rc = ip_queue_xmit(skb, &inet->cork.fl);
 error:
        /* Update stats */
@@ -509,12 +520,15 @@ error:
                lsa->tx_errors++;
        }
+out:
+        release_sock(sk);
        return rc;
 no_route:
        IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
        kfree_skb(skb);
-        return -EHOSTUNREACH;
+        rc = -EHOSTUNREACH;
+        goto out;
 }
 static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
@@ -673,7 +687,7 @@ MODULE_AUTHOR("James Chapman <jchapman@katalix.com>");
 MODULE_DESCRIPTION("L2TP over IP");
 MODULE_VERSION("1.0");
-/* Use the value of SOCK_DGRAM (2) directory, because __stringify does't like
+/* Use the value of SOCK_DGRAM (2) directory, because __stringify doesn't like
 * enums
 */
 MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_INET, 2, IPPROTO_L2TP);
diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index 4c1e540732d7..93a41a09458b 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -795,11 +795,12 @@ int l2tp_nl_register_ops(enum l2tp_pwtype pw_type, const struct l2tp_nl_cmd_ops
                goto out;
        l2tp_nl_cmd_ops[pw_type] = ops;
+        ret = 0;
 out:
        genl_unlock();
 err:
-        return 0;
+        return ret;
 }
 EXPORT_SYMBOL_GPL(l2tp_nl_register_ops);
diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c
index f99687439139..903242111317 100644
--- a/net/llc/llc_input.c
+++ b/net/llc/llc_input.c
@@ -121,8 +121,7 @@ static inline int llc_fixup_skb(struct sk_buff *skb)
                s32 data_size = ntohs(pdulen) - llc_len;
                if (data_size < 0 ||
-                    ((skb_tail_pointer(skb) -
+                    !pskb_may_pull(skb, data_size))
-                      (u8 *)pdu) - llc_len) < data_size)
                        return 0;
                if (unlikely(pskb_trim_rcsum(skb, data_size)))
                        return 0;
@@ -181,25 +180,26 @@ int llc_rcv(struct sk_buff *skb, struct net_device *dev,
         * LLC functionality
         */
        rcv = rcu_dereference(sap->rcv_func);
-        if (rcv) {
-                struct sk_buff *cskb = skb_clone(skb, GFP_ATOMIC);
-                if (cskb)
-                        rcv(cskb, dev, pt, orig_dev);
-        }
        dest = llc_pdu_type(skb);
-        if (unlikely(!dest || !llc_type_handlers[dest - 1]))
+        if (unlikely(!dest || !llc_type_handlers[dest - 1])) {
-                goto drop_put;
+                if (rcv)
-        llc_type_handlers[dest - 1](sap, skb);
+                        rcv(skb, dev, pt, orig_dev);
-out_put:
+                else
+                        kfree_skb(skb);
+        } else {
+                if (rcv) {
+                        struct sk_buff *cskb = skb_clone(skb, GFP_ATOMIC);
+                        if (cskb)
+                                rcv(cskb, dev, pt, orig_dev);
+                }
+                llc_type_handlers[dest - 1](sap, skb);
+        }
        llc_sap_put(sap);
 out:
        return 0;
 drop:
        kfree_skb(skb);
        goto out;
-drop_put:
-        kfree_skb(skb);
-        goto out_put;
 handle_station:
        if (!llc_station_handler)
                goto drop;
diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig
index c766056d0488..f5fdfcbf552a 100644
--- a/net/mac80211/Kconfig
+++ b/net/mac80211/Kconfig
@@ -2,7 +2,6 @@ config MAC80211
        tristate "Generic IEEE 802.11 Networking Stack (mac80211)"
        depends on CFG80211
        select CRYPTO
-        select CRYPTO_ECB
        select CRYPTO_ARC4
        select CRYPTO_AES
        select CRC32
@@ -17,7 +16,7 @@ comment "CFG80211 needs to be enabled for MAC80211"
 if MAC80211 != n
 config MAC80211_HAS_RC
-        def_bool n
+        bool
 config MAC80211_RC_PID
        bool "PID controller based rate control algorithm" if EXPERT
@@ -78,7 +77,7 @@ config MAC80211_RC_DEFAULT
 endif
 comment "Some wireless drivers require a rate control algorithm"
-        depends on MAC80211_HAS_RC=n
+        depends on MAC80211 && MAC80211_HAS_RC=n
 config MAC80211_MESH
        bool "Enable mac80211 mesh networking (pre-802.11s) support"
diff --git a/net/mac80211/aes_ccm.c b/net/mac80211/aes_ccm.c
index 4bd6ef0be380..b9b595c08112 100644
--- a/net/mac80211/aes_ccm.c
+++ b/net/mac80211/aes_ccm.c
@@ -54,13 +54,12 @@ void ieee80211_aes_ccm_encrypt(struct crypto_cipher *tfm, u8 *scratch,
                               u8 *cdata, u8 *mic)
 {
        int i, j, last_len, num_blocks;
-        u8 *pos, *cpos, *b, *s_0, *e, *b_0, *aad;
+        u8 *pos, *cpos, *b, *s_0, *e, *b_0;
        b = scratch;
        s_0 = scratch + AES_BLOCK_LEN;
        e = scratch + 2 * AES_BLOCK_LEN;
        b_0 = scratch + 3 * AES_BLOCK_LEN;
-        aad = scratch + 4 * AES_BLOCK_LEN;
        num_blocks = DIV_ROUND_UP(data_len, AES_BLOCK_LEN);
        last_len = data_len % AES_BLOCK_LEN;
@@ -94,13 +93,12 @@ int ieee80211_aes_ccm_decrypt(struct crypto_cipher *tfm, u8 *scratch,
                              u8 *cdata, size_t data_len, u8 *mic, u8 *data)
 {
        int i, j, last_len, num_blocks;
-        u8 *pos, *cpos, *b, *s_0, *a, *b_0, *aad;
+        u8 *pos, *cpos, *b, *s_0, *a, *b_0;
        b = scratch;
        s_0 = scratch + AES_BLOCK_LEN;
        a = scratch + 2 * AES_BLOCK_LEN;
        b_0 = scratch + 3 * AES_BLOCK_LEN;
-        aad = scratch + 4 * AES_BLOCK_LEN;
        num_blocks = DIV_ROUND_UP(data_len, AES_BLOCK_LEN);
        last_len = data_len % AES_BLOCK_LEN;
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index 227ca82eef72..9c0d76cdca92 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -63,7 +63,8 @@ void ___ieee80211_stop_rx_ba_session(struct sta_info *sta, u16 tid,
        lockdep_assert_held(&sta->ampdu_mlme.mtx);
-        tid_rx = sta->ampdu_mlme.tid_rx[tid];
+        tid_rx = rcu_dereference_protected(sta->ampdu_mlme.tid_rx[tid],
+                                        lockdep_is_held(&sta->ampdu_mlme.mtx));
        if (!tid_rx)
                return;
@@ -76,7 +77,7 @@ void ___ieee80211_stop_rx_ba_session(struct sta_info *sta, u16 tid,
 #endif /* CONFIG_MAC80211_HT_DEBUG */
        if (drv_ampdu_action(local, sta->sdata, IEEE80211_AMPDU_RX_STOP,
-                             &sta->sta, tid, NULL))
+                             &sta->sta, tid, NULL, 0))
                printk(KERN_DEBUG "HW problem - can not stop rx "
                                "aggregation for tid %d\n", tid);
@@ -232,6 +233,9 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
        if (buf_size == 0)
                buf_size = IEEE80211_MAX_AMPDU_BUF;
+        /* make sure the size doesn't exceed the maximum supported by the hw */
+        if (buf_size > local->hw.max_rx_aggregation_subframes)
+                buf_size = local->hw.max_rx_aggregation_subframes;
        /* examine state machine */
        mutex_lock(&sta->ampdu_mlme.mtx);
@@ -287,7 +291,7 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
        }
        ret = drv_ampdu_action(local, sta->sdata, IEEE80211_AMPDU_RX_START,
-                               &sta->sta, tid, &start_seq_num);
+                               &sta->sta, tid, &start_seq_num, 0);
 #ifdef CONFIG_MAC80211_HT_DEBUG
        printk(KERN_DEBUG "Rx A-MPDU request on tid %d result %d\n", tid, ret);
 #endif /* CONFIG_MAC80211_HT_DEBUG */
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index 9cc472c6a6a5..c8be8eff70da 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -136,12 +136,12 @@ void ieee80211_send_bar(struct ieee80211_sub_if_data *sdata, u8 *ra, u16 tid, u1
        ieee80211_tx_skb(sdata, skb);
 }
-static void kfree_tid_tx(struct rcu_head *rcu_head)
+void ieee80211_assign_tid_tx(struct sta_info *sta, int tid,
+                             struct tid_ampdu_tx *tid_tx)
 {
-        struct tid_ampdu_tx *tid_tx =
+        lockdep_assert_held(&sta->ampdu_mlme.mtx);
-            container_of(rcu_head, struct tid_ampdu_tx, rcu_head);
+        lockdep_assert_held(&sta->lock);
+        rcu_assign_pointer(sta->ampdu_mlme.tid_tx[tid], tid_tx);
-        kfree(tid_tx);
 }
 int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
@@ -149,21 +149,24 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
                                    bool tx)
 {
        struct ieee80211_local *local = sta->local;
-        struct tid_ampdu_tx *tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        struct tid_ampdu_tx *tid_tx;
        int ret;
        lockdep_assert_held(&sta->ampdu_mlme.mtx);
-        if (!tid_tx)
-                return -ENOENT;
        spin_lock_bh(&sta->lock);
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
+        if (!tid_tx) {
+                spin_unlock_bh(&sta->lock);
+                return -ENOENT;
+        }
        if (test_bit(HT_AGG_STATE_WANT_START, &tid_tx->state)) {
                /* not even started yet! */
-                rcu_assign_pointer(sta->ampdu_mlme.tid_tx[tid], NULL);
+                ieee80211_assign_tid_tx(sta, tid, NULL);
                spin_unlock_bh(&sta->lock);
-                call_rcu(&tid_tx->rcu_head, kfree_tid_tx);
+                kfree_rcu(tid_tx, rcu_head);
                return 0;
        }
@@ -190,7 +193,7 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
        ret = drv_ampdu_action(local, sta->sdata,
                               IEEE80211_AMPDU_TX_STOP,
-                               &sta->sta, tid, NULL);
+                               &sta->sta, tid, NULL, 0);
        /* HW shall not deny going back to legacy */
        if (WARN_ON(ret)) {
@@ -283,13 +286,13 @@ ieee80211_wake_queue_agg(struct ieee80211_local *local, int tid)
 void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid)
 {
-        struct tid_ampdu_tx *tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        struct tid_ampdu_tx *tid_tx;
        struct ieee80211_local *local = sta->local;
        struct ieee80211_sub_if_data *sdata = sta->sdata;
        u16 start_seq_num;
        int ret;
-        lockdep_assert_held(&sta->ampdu_mlme.mtx);
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
        /*
         * While we're asking the driver about the aggregation,
@@ -311,18 +314,18 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid)
        start_seq_num = sta->tid_seq[tid] >> 4;
        ret = drv_ampdu_action(local, sdata, IEEE80211_AMPDU_TX_START,
-                               &sta->sta, tid, &start_seq_num);
+                               &sta->sta, tid, &start_seq_num, 0);
        if (ret) {
 #ifdef CONFIG_MAC80211_HT_DEBUG
                printk(KERN_DEBUG "BA request denied - HW unavailable for"
                                        " tid %d\n", tid);
 #endif
                spin_lock_bh(&sta->lock);
-                rcu_assign_pointer(sta->ampdu_mlme.tid_tx[tid], NULL);
+                ieee80211_assign_tid_tx(sta, tid, NULL);
                spin_unlock_bh(&sta->lock);
                ieee80211_wake_queue_agg(local, tid);
-                call_rcu(&tid_tx->rcu_head, kfree_tid_tx);
+                kfree_rcu(tid_tx, rcu_head);
                return;
        }
@@ -342,7 +345,8 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid)
        /* send AddBA request */
        ieee80211_send_addba_request(sdata, sta->sta.addr, tid,
                                     tid_tx->dialog_token, start_seq_num,
-                                     0x40, tid_tx->timeout);
+                                     local->hw.max_tx_aggregation_subframes,
+                                     tid_tx->timeout);
 }
 int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid,
@@ -395,9 +399,9 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid,
                goto err_unlock_sta;
        }
-        tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
        /* check if the TID is not in aggregation flow already */
-        if (tid_tx) {
+        if (tid_tx || sta->ampdu_mlme.tid_start_tx[tid]) {
 #ifdef CONFIG_MAC80211_HT_DEBUG
                printk(KERN_DEBUG "BA request denied - session is not "
                                 "idle on tid %u\n", tid);
@@ -432,8 +436,11 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid,
        sta->ampdu_mlme.dialog_token_allocator++;
        tid_tx->dialog_token = sta->ampdu_mlme.dialog_token_allocator;
-        /* finally, assign it to the array */
+        /*
-        rcu_assign_pointer(sta->ampdu_mlme.tid_tx[tid], tid_tx);
+         * Finally, assign it to the start array; the work item will
+         * collect it and move it to the normal array.
+         */
+        sta->ampdu_mlme.tid_start_tx[tid] = tid_tx;
        ieee80211_queue_work(&local->hw, &sta->ampdu_mlme.work);
@@ -479,15 +486,19 @@ ieee80211_agg_splice_finish(struct ieee80211_local *local, u16 tid)
 static void ieee80211_agg_tx_operational(struct ieee80211_local *local,
                                         struct sta_info *sta, u16 tid)
 {
+        struct tid_ampdu_tx *tid_tx;
        lockdep_assert_held(&sta->ampdu_mlme.mtx);
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
 #ifdef CONFIG_MAC80211_HT_DEBUG
        printk(KERN_DEBUG "Aggregation is on for tid %d\n", tid);
 #endif
        drv_ampdu_action(local, sta->sdata,
                         IEEE80211_AMPDU_TX_OPERATIONAL,
-                         &sta->sta, tid, NULL);
+                         &sta->sta, tid, NULL, tid_tx->buf_size);
        /*
         * synchronize with TX path, while splicing the TX path
@@ -495,13 +506,13 @@ static void ieee80211_agg_tx_operational(struct ieee80211_local *local,
         */
        spin_lock_bh(&sta->lock);
-        ieee80211_agg_splice_packets(local, sta->ampdu_mlme.tid_tx[tid], tid);
+        ieee80211_agg_splice_packets(local, tid_tx, tid);
        /*
         * Now mark as operational. This will be visible
         * in the TX path, and lets it go lock-free in
         * the common case.
         */
-        set_bit(HT_AGG_STATE_OPERATIONAL, &sta->ampdu_mlme.tid_tx[tid]->state);
+        set_bit(HT_AGG_STATE_OPERATIONAL, &tid_tx->state);
        ieee80211_agg_splice_finish(local, tid);
        spin_unlock_bh(&sta->lock);
@@ -535,7 +546,7 @@ void ieee80211_start_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u16 tid)
        }
        mutex_lock(&sta->ampdu_mlme.mtx);
-        tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
        if (WARN_ON(!tid_tx)) {
 #ifdef CONFIG_MAC80211_HT_DEBUG
@@ -613,7 +624,7 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid)
                return -EINVAL;
        spin_lock_bh(&sta->lock);
-        tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
        if (!tid_tx) {
                ret = -ENOENT;
@@ -669,7 +680,7 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u8 tid)
        mutex_lock(&sta->ampdu_mlme.mtx);
        spin_lock_bh(&sta->lock);
-        tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
        if (!tid_tx || !test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
 #ifdef CONFIG_MAC80211_HT_DEBUG
@@ -695,11 +706,11 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u8 tid)
        ieee80211_agg_splice_packets(local, tid_tx, tid);
        /* future packets must not find the tid_tx struct any more */
-        rcu_assign_pointer(sta->ampdu_mlme.tid_tx[tid], NULL);
+        ieee80211_assign_tid_tx(sta, tid, NULL);
        ieee80211_agg_splice_finish(local, tid);
-        call_rcu(&tid_tx->rcu_head, kfree_tid_tx);
+        kfree_rcu(tid_tx, rcu_head);
 unlock_sta:
        spin_unlock_bh(&sta->lock);
@@ -742,13 +753,15 @@ void ieee80211_process_addba_resp(struct ieee80211_local *local,
 {
        struct tid_ampdu_tx *tid_tx;
        u16 capab, tid;
+        u8 buf_size;
        capab = le16_to_cpu(mgmt->u.action.u.addba_resp.capab);
        tid = (capab & IEEE80211_ADDBA_PARAM_TID_MASK) >> 2;
+        buf_size = (capab & IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK) >> 6;
        mutex_lock(&sta->ampdu_mlme.mtx);
-        tid_tx = sta->ampdu_mlme.tid_tx[tid];
+        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
        if (!tid_tx)
                goto out;
@@ -767,12 +780,23 @@ void ieee80211_process_addba_resp(struct ieee80211_local *local,
        if (le16_to_cpu(mgmt->u.action.u.addba_resp.status)
                        == WLAN_STATUS_SUCCESS) {
+                /*
+                 * IEEE 802.11-2007 7.3.1.14:
+                 * In an ADDBA Response frame, when the Status Code field
+                 * is set to 0, the Buffer Size subfield is set to a value
+                 * of at least 1.
+                 */
+                if (!buf_size)
+                        goto out;
                if (test_and_set_bit(HT_AGG_STATE_RESPONSE_RECEIVED,
                                     &tid_tx->state)) {
                        /* ignore duplicate response */
                        goto out;
                }
+                tid_tx->buf_size = buf_size;
                if (test_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state))
                        ieee80211_agg_tx_operational(local, sta, tid);
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 9cd73b11506e..be70c70d3f5b 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -136,7 +136,10 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
        mutex_lock(&sdata->local->sta_mtx);
        if (mac_addr) {
-                sta = sta_info_get_bss(sdata, mac_addr);
+                if (ieee80211_vif_is_mesh(&sdata->vif))
+                        sta = sta_info_get(sdata, mac_addr);
+                else
+                        sta = sta_info_get_bss(sdata, mac_addr);
                if (!sta) {
                        ieee80211_key_free(sdata->local, key);
                        err = -ENOENT;
@@ -157,13 +160,14 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
 static int ieee80211_del_key(struct wiphy *wiphy, struct net_device *dev,
                             u8 key_idx, bool pairwise, const u8 *mac_addr)
 {
-        struct ieee80211_sub_if_data *sdata;
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        struct ieee80211_local *local = sdata->local;
        struct sta_info *sta;
+        struct ieee80211_key *key = NULL;
        int ret;
-        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        mutex_lock(&local->sta_mtx);
+        mutex_lock(&local->key_mtx);
-        mutex_lock(&sdata->local->sta_mtx);
        if (mac_addr) {
                ret = -ENOENT;
@@ -172,33 +176,24 @@ static int ieee80211_del_key(struct wiphy *wiphy, struct net_device *dev,
                if (!sta)
                        goto out_unlock;
-                if (pairwise) {
+                if (pairwise)
-                        if (sta->ptk) {
+                        key = key_mtx_dereference(local, sta->ptk);
-                                ieee80211_key_free(sdata->local, sta->ptk);
+                else
-                                ret = 0;
+                        key = key_mtx_dereference(local, sta->gtk[key_idx]);
-                        }
+        } else
-                } else {
+                key = key_mtx_dereference(local, sdata->keys[key_idx]);
-                        if (sta->gtk[key_idx]) {
-                                ieee80211_key_free(sdata->local,
-                                                   sta->gtk[key_idx]);
-                                ret = 0;
-                        }
-                }
-                goto out_unlock;
-        }
-        if (!sdata->keys[key_idx]) {
+        if (!key) {
                ret = -ENOENT;
                goto out_unlock;
        }
-        ieee80211_key_free(sdata->local, sdata->keys[key_idx]);
+        __ieee80211_key_free(key);
-        WARN_ON(sdata->keys[key_idx]);
        ret = 0;
 out_unlock:
-        mutex_unlock(&sdata->local->sta_mtx);
+        mutex_unlock(&local->key_mtx);
+        mutex_unlock(&local->sta_mtx);
        return ret;
 }
@@ -228,11 +223,11 @@ static int ieee80211_get_key(struct wiphy *wiphy, struct net_device *dev,
                        goto out;
                if (pairwise)
-                        key = sta->ptk;
+                        key = rcu_dereference(sta->ptk);
                else if (key_idx < NUM_DEFAULT_KEYS)
-                        key = sta->gtk[key_idx];
+                        key = rcu_dereference(sta->gtk[key_idx]);
        } else
-                key = sdata->keys[key_idx];
+                key = rcu_dereference(sdata->keys[key_idx]);
        if (!key)
                goto out;
@@ -316,9 +311,21 @@ static int ieee80211_config_default_mgmt_key(struct wiphy *wiphy,
        return 0;
 }
+static void rate_idx_to_bitrate(struct rate_info *rate, struct sta_info *sta, int idx)
+{
+        if (!(rate->flags & RATE_INFO_FLAGS_MCS)) {
+                struct ieee80211_supported_band *sband;
+                sband = sta->local->hw.wiphy->bands[
+                                sta->local->hw.conf.channel->band];
+                rate->legacy = sband->bitrates[idx].bitrate;
+        } else
+                rate->mcs = idx;
+}
 static void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo)
 {
        struct ieee80211_sub_if_data *sdata = sta->sdata;
+        struct timespec uptime;
        sinfo->generation = sdata->local->sta_generation;
@@ -330,7 +337,13 @@ static void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo)
                        STATION_INFO_TX_RETRIES |
                        STATION_INFO_TX_FAILED |
                        STATION_INFO_TX_BITRATE |
-                        STATION_INFO_RX_DROP_MISC;
+                        STATION_INFO_RX_BITRATE |
+                        STATION_INFO_RX_DROP_MISC |
+                        STATION_INFO_BSS_PARAM |
+                        STATION_INFO_CONNECTED_TIME;
+        do_posix_clock_monotonic_gettime(&uptime);
+        sinfo->connected_time = uptime.tv_sec - sta->last_connected;
        sinfo->inactive_time = jiffies_to_msecs(jiffies - sta->last_rx);
        sinfo->rx_bytes = sta->rx_bytes;
@@ -355,15 +368,16 @@ static void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo)
                sinfo->txrate.flags |= RATE_INFO_FLAGS_40_MHZ_WIDTH;
        if (sta->last_tx_rate.flags & IEEE80211_TX_RC_SHORT_GI)
                sinfo->txrate.flags |= RATE_INFO_FLAGS_SHORT_GI;
+        rate_idx_to_bitrate(&sinfo->txrate, sta, sta->last_tx_rate.idx);
-        if (!(sta->last_tx_rate.flags & IEEE80211_TX_RC_MCS)) {
+        sinfo->rxrate.flags = 0;
-                struct ieee80211_supported_band *sband;
+        if (sta->last_rx_rate_flag & RX_FLAG_HT)
-                sband = sta->local->hw.wiphy->bands[
+                sinfo->rxrate.flags |= RATE_INFO_FLAGS_MCS;
-                                sta->local->hw.conf.channel->band];
+        if (sta->last_rx_rate_flag & RX_FLAG_40MHZ)
-                sinfo->txrate.legacy =
+                sinfo->rxrate.flags |= RATE_INFO_FLAGS_40_MHZ_WIDTH;
-                        sband->bitrates[sta->last_tx_rate.idx].bitrate;
+        if (sta->last_rx_rate_flag & RX_FLAG_SHORT_GI)
-        } else
+                sinfo->rxrate.flags |= RATE_INFO_FLAGS_SHORT_GI;
-                sinfo->txrate.mcs = sta->last_tx_rate.idx;
+        rate_idx_to_bitrate(&sinfo->rxrate, sta, sta->last_rx_rate_idx);
        if (ieee80211_vif_is_mesh(&sdata->vif)) {
 #ifdef CONFIG_MAC80211_MESH
@@ -376,6 +390,16 @@ static void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo)
                sinfo->plink_state = sta->plink_state;
 #endif
        }
+        sinfo->bss_param.flags = 0;
+        if (sdata->vif.bss_conf.use_cts_prot)
+                sinfo->bss_param.flags |= BSS_PARAM_FLAGS_CTS_PROT;
+        if (sdata->vif.bss_conf.use_short_preamble)
+                sinfo->bss_param.flags |= BSS_PARAM_FLAGS_SHORT_PREAMBLE;
+        if (sdata->vif.bss_conf.use_short_slot)
+                sinfo->bss_param.flags |= BSS_PARAM_FLAGS_SHORT_SLOT_TIME;
+        sinfo->bss_param.dtim_period = sdata->local->hw.conf.ps_dtim_period;
+        sinfo->bss_param.beacon_interval = sdata->vif.bss_conf.beacon_int;
 }
@@ -439,7 +463,7 @@ static int ieee80211_config_beacon(struct ieee80211_sub_if_data *sdata,
        int size;
        int err = -EINVAL;
-        old = sdata->u.ap.beacon;
+        old = rtnl_dereference(sdata->u.ap.beacon);
        /* head must not be zero-length */
        if (params->head && !params->head_len)
@@ -534,8 +558,7 @@ static int ieee80211_add_beacon(struct wiphy *wiphy, struct net_device *dev,
        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-        old = sdata->u.ap.beacon;
+        old = rtnl_dereference(sdata->u.ap.beacon);
        if (old)
                return -EALREADY;
@@ -550,8 +573,7 @@ static int ieee80211_set_beacon(struct wiphy *wiphy, struct net_device *dev,
        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-        old = sdata->u.ap.beacon;
+        old = rtnl_dereference(sdata->u.ap.beacon);
        if (!old)
                return -ENOENT;
@@ -565,8 +587,7 @@ static int ieee80211_del_beacon(struct wiphy *wiphy, struct net_device *dev)
        sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-        old = sdata->u.ap.beacon;
+        old = rtnl_dereference(sdata->u.ap.beacon);
        if (!old)
                return -ENOENT;
@@ -662,6 +683,12 @@ static void sta_apply_parameters(struct ieee80211_local *local,
                if (set & BIT(NL80211_STA_FLAG_MFP))
                        sta->flags |= WLAN_STA_MFP;
        }
+        if (mask & BIT(NL80211_STA_FLAG_AUTHENTICATED)) {
+                sta->flags &= ~WLAN_STA_AUTH;
+                if (set & BIT(NL80211_STA_FLAG_AUTHENTICATED))
+                        sta->flags |= WLAN_STA_AUTH;
+        }
        spin_unlock_irqrestore(&sta->flaglock, flags);
        /*
@@ -699,15 +726,29 @@ static void sta_apply_parameters(struct ieee80211_local *local,
                                                  params->ht_capa,
                                                  &sta->sta.ht_cap);
-        if (ieee80211_vif_is_mesh(&sdata->vif) && params->plink_action) {
+        if (ieee80211_vif_is_mesh(&sdata->vif)) {
-                switch (params->plink_action) {
+#ifdef CONFIG_MAC80211_MESH
-                case PLINK_ACTION_OPEN:
+                if (sdata->u.mesh.security & IEEE80211_MESH_SEC_SECURED)
-                        mesh_plink_open(sta);
+                        switch (params->plink_state) {
-                        break;
+                        case NL80211_PLINK_LISTEN:
-                case PLINK_ACTION_BLOCK:
+                        case NL80211_PLINK_ESTAB:
-                        mesh_plink_block(sta);
+                        case NL80211_PLINK_BLOCKED:
-                        break;
+                                sta->plink_state = params->plink_state;
-                }
+                                break;
+                        default:
+                                /*  nothing  */
+                                break;
+                        }
+                else
+                        switch (params->plink_action) {
+                        case PLINK_ACTION_OPEN:
+                                mesh_plink_open(sta);
+                                break;
+                        case PLINK_ACTION_BLOCK:
+                                mesh_plink_block(sta);
+                                break;
+                        }
+#endif
        }
 }
@@ -821,6 +862,10 @@ static int ieee80211_change_station(struct wiphy *wiphy,
        rcu_read_unlock();
+        if (sdata->vif.type == NL80211_IFTYPE_STATION &&
+            params->sta_flags_mask & BIT(NL80211_STA_FLAG_AUTHORIZED))
+                ieee80211_recalc_ps(local, -1);
        return 0;
 }
@@ -904,8 +949,10 @@ static int ieee80211_change_mpath(struct wiphy *wiphy,
 static void mpath_set_pinfo(struct mesh_path *mpath, u8 *next_hop,
                            struct mpath_info *pinfo)
 {
-        if (mpath->next_hop)
+        struct sta_info *next_hop_sta = rcu_dereference(mpath->next_hop);
-                memcpy(next_hop, mpath->next_hop->sta.addr, ETH_ALEN);
+        if (next_hop_sta)
+                memcpy(next_hop, next_hop_sta->sta.addr, ETH_ALEN);
        else
                memset(next_hop, 0, ETH_ALEN);
@@ -1006,26 +1053,30 @@ static int copy_mesh_setup(struct ieee80211_if_mesh *ifmsh,
        u8 *new_ie;
        const u8 *old_ie;
-        /* first allocate the new vendor information element */
+        /* allocate information elements */
        new_ie = NULL;
-        old_ie = ifmsh->vendor_ie;
+        old_ie = ifmsh->ie;
-        ifmsh->vendor_ie_len = setup->vendor_ie_len;
+        if (setup->ie_len) {
-        if (setup->vendor_ie_len) {
+                new_ie = kmemdup(setup->ie, setup->ie_len,
-                new_ie = kmemdup(setup->vendor_ie, setup->vendor_ie_len,
                                GFP_KERNEL);
                if (!new_ie)
                        return -ENOMEM;
        }
+        ifmsh->ie_len = setup->ie_len;
+        ifmsh->ie = new_ie;
+        kfree(old_ie);
        /* now copy the rest of the setup parameters */
        ifmsh->mesh_id_len = setup->mesh_id_len;
        memcpy(ifmsh->mesh_id, setup->mesh_id, ifmsh->mesh_id_len);
        ifmsh->mesh_pp_id = setup->path_sel_proto;
        ifmsh->mesh_pm_id = setup->path_metric;
-        ifmsh->vendor_ie = new_ie;
+        ifmsh->security = IEEE80211_MESH_SEC_NONE;
+        if (setup->is_authenticated)
-        kfree(old_ie);
+                ifmsh->security |= IEEE80211_MESH_SEC_AUTHED;
+        if (setup->is_secure)
+                ifmsh->security |= IEEE80211_MESH_SEC_SECURED;
        return 0;
 }
@@ -1215,6 +1266,9 @@ static int ieee80211_set_channel(struct wiphy *wiphy,
 {
        struct ieee80211_local *local = wiphy_priv(wiphy);
        struct ieee80211_sub_if_data *sdata = NULL;
+        struct ieee80211_channel *old_oper;
+        enum nl80211_channel_type old_oper_type;
+        enum nl80211_channel_type old_vif_oper_type= NL80211_CHAN_NO_HT;
        if (netdev)
                sdata = IEEE80211_DEV_TO_SUB_IF(netdev);
@@ -1232,22 +1286,33 @@ static int ieee80211_set_channel(struct wiphy *wiphy,
                break;
        }
-        local->oper_channel = chan;
+        if (sdata)
+                old_vif_oper_type = sdata->vif.bss_conf.channel_type;
+        old_oper_type = local->_oper_channel_type;
        if (!ieee80211_set_channel_type(local, sdata, channel_type))
                return -EBUSY;
-        ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
+        old_oper = local->oper_channel;
-        if (sdata && sdata->vif.type != NL80211_IFTYPE_MONITOR)
+        local->oper_channel = chan;
+        /* Update driver if changes were actually made. */
+        if ((old_oper != local->oper_channel) ||
+            (old_oper_type != local->_oper_channel_type))
+                ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
+        if ((sdata && sdata->vif.type != NL80211_IFTYPE_MONITOR) &&
+            old_vif_oper_type != sdata->vif.bss_conf.channel_type)
                ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_HT);
        return 0;
 }
 #ifdef CONFIG_PM
-static int ieee80211_suspend(struct wiphy *wiphy)
+static int ieee80211_suspend(struct wiphy *wiphy,
+                             struct cfg80211_wowlan *wowlan)
 {
-        return __ieee80211_suspend(wiphy_priv(wiphy));
+        return __ieee80211_suspend(wiphy_priv(wiphy), wowlan);
 }
 static int ieee80211_resume(struct wiphy *wiphy)
@@ -1274,8 +1339,11 @@ static int ieee80211_scan(struct wiphy *wiphy,
        case NL80211_IFTYPE_P2P_GO:
                if (sdata->local->ops->hw_scan)
                        break;
-                /* FIXME: implement NoA while scanning in software */
+                /*
-                return -EOPNOTSUPP;
+                 * FIXME: implement NoA while scanning in software,
+                 * for now fall through to allow scanning only when
+                 * beaconing hasn't been configured yet
+                 */
        case NL80211_IFTYPE_AP:
                if (sdata->u.ap.beacon)
                        return -EOPNOTSUPP;
@@ -1287,6 +1355,30 @@ static int ieee80211_scan(struct wiphy *wiphy,
        return ieee80211_request_scan(sdata, req);
 }
+static int
+ieee80211_sched_scan_start(struct wiphy *wiphy,
+                           struct net_device *dev,
+                           struct cfg80211_sched_scan_request *req)
+{
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        if (!sdata->local->ops->sched_scan_start)
+                return -EOPNOTSUPP;
+        return ieee80211_request_sched_scan_start(sdata, req);
+}
+static int
+ieee80211_sched_scan_stop(struct wiphy *wiphy, struct net_device *dev)
+{
+        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+        if (!sdata->local->ops->sched_scan_stop)
+                return -EOPNOTSUPP;
+        return ieee80211_request_sched_scan_stop(sdata);
+}
 static int ieee80211_auth(struct wiphy *wiphy, struct net_device *dev,
                          struct cfg80211_auth_request *req)
 {
@@ -1471,6 +1563,8 @@ int __ieee80211_request_smps(struct ieee80211_sub_if_data *sdata,
        enum ieee80211_smps_mode old_req;
        int err;
+        lockdep_assert_held(&sdata->u.mgd.mtx);
        old_req = sdata->u.mgd.req_smps;
        sdata->u.mgd.req_smps = smps_mode;
@@ -1576,16 +1670,13 @@ static int ieee80211_set_bitrate_mask(struct wiphy *wiphy,
 {
        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
        struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
-        int i;
+        int i, ret;
-        /*
-         * This _could_ be supported by providing a hook for
-         * drivers for this function, but at this point it
-         * doesn't seem worth bothering.
-         */
-        if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL)
-                return -EOPNOTSUPP;
+        if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
+                ret = drv_set_bitrate_mask(local, sdata, mask);
+                if (ret)
+                        return ret;
+        }
        for (i = 0; i < IEEE80211_NUM_BANDS; i++)
                sdata->rc_rateidx_mask[i] = mask->control[i].legacy;
@@ -1784,6 +1875,33 @@ static int ieee80211_mgmt_tx(struct wiphy *wiphy, struct net_device *dev,
        *cookie = (unsigned long) skb;
+        if (is_offchan && local->ops->offchannel_tx) {
+                int ret;
+                IEEE80211_SKB_CB(skb)->band = chan->band;
+                mutex_lock(&local->mtx);
+                if (local->hw_offchan_tx_cookie) {
+                        mutex_unlock(&local->mtx);
+                        return -EBUSY;
+                }
+                /* TODO: bitrate control, TX processing? */
+                ret = drv_offchannel_tx(local, skb, chan, channel_type, wait);
+                if (ret == 0)
+                        local->hw_offchan_tx_cookie = *cookie;
+                mutex_unlock(&local->mtx);
+                /*
+                 * Allow driver to return 1 to indicate it wants to have the
+                 * frame transmitted with a remain_on_channel + regular TX.
+                 */
+                if (ret != 1)
+                        return ret;
+        }
        if (is_offchan && local->ops->remain_on_channel) {
                unsigned int duration;
                int ret;
@@ -1847,6 +1965,7 @@ static int ieee80211_mgmt_tx(struct wiphy *wiphy, struct net_device *dev,
        wk->type = IEEE80211_WORK_OFFCHANNEL_TX;
        wk->chan = chan;
+        wk->chan_type = channel_type;
        wk->sdata = sdata;
        wk->done = ieee80211_offchan_tx_done;
        wk->offchan_tx.frame = skb;
@@ -1869,6 +1988,18 @@ static int ieee80211_mgmt_tx_cancel_wait(struct wiphy *wiphy,
        mutex_lock(&local->mtx);
+        if (local->ops->offchannel_tx_cancel_wait &&
+            local->hw_offchan_tx_cookie == cookie) {
+                ret = drv_offchannel_tx_cancel_wait(local);
+                if (!ret)
+                        local->hw_offchan_tx_cookie = 0;
+                mutex_unlock(&local->mtx);
+                return ret;
+        }
        if (local->ops->cancel_remain_on_channel) {
                cookie ^= 2;
                ret = ieee80211_cancel_remain_on_channel_hw(local, cookie);
@@ -1939,6 +2070,21 @@ static int ieee80211_get_antenna(struct wiphy *wiphy, u32 *tx_ant, u32 *rx_ant)
        return drv_get_antenna(local, tx_ant, rx_ant);
 }
+static int ieee80211_set_ringparam(struct wiphy *wiphy, u32 tx, u32 rx)
+{
+        struct ieee80211_local *local = wiphy_priv(wiphy);
+        return drv_set_ringparam(local, tx, rx);
+}
+static void ieee80211_get_ringparam(struct wiphy *wiphy,
+                                    u32 *tx, u32 *tx_max, u32 *rx, u32 *rx_max)
+{
+        struct ieee80211_local *local = wiphy_priv(wiphy);
+        drv_get_ringparam(local, tx, tx_max, rx, rx_max);
+}
 struct cfg80211_ops mac80211_config_ops = {
        .add_virtual_intf = ieee80211_add_iface,
        .del_virtual_intf = ieee80211_del_iface,
@@ -1974,6 +2120,8 @@ struct cfg80211_ops mac80211_config_ops = {
        .suspend = ieee80211_suspend,
        .resume = ieee80211_resume,
        .scan = ieee80211_scan,
+        .sched_scan_start = ieee80211_sched_scan_start,
+        .sched_scan_stop = ieee80211_sched_scan_stop,
        .auth = ieee80211_auth,
        .assoc = ieee80211_assoc,
        .deauth = ieee80211_deauth,
@@ -1996,4 +2144,6 @@ struct cfg80211_ops mac80211_config_ops = {
        .mgmt_frame_register = ieee80211_mgmt_frame_register,
        .set_antenna = ieee80211_set_antenna,
        .get_antenna = ieee80211_get_antenna,
+        .set_ringparam = ieee80211_set_ringparam,
+        .get_ringparam = ieee80211_get_ringparam,
 };
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index 5b24740fc0b0..889c3e93e0f4 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -77,6 +77,9 @@ bool ieee80211_set_channel_type(struct ieee80211_local *local,
                switch (tmp->vif.bss_conf.channel_type) {
                case NL80211_CHAN_NO_HT:
                case NL80211_CHAN_HT20:
+                        if (superchan > tmp->vif.bss_conf.channel_type)
+                                break;
                        superchan = tmp->vif.bss_conf.channel_type;
                        break;
                case NL80211_CHAN_HT40PLUS:
diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
index 1f02e599a318..186e02f7cc32 100644
--- a/net/mac80211/debugfs.c
+++ b/net/mac80211/debugfs.c
@@ -37,7 +37,7 @@ int mac80211_format_buffer(char __user *userbuf, size_t count,
        return simple_read_from_buffer(userbuf, count, ppos, buf, res);
 }
-#define DEBUGFS_READONLY_FILE(name, fmt, value...)                      \
+#define DEBUGFS_READONLY_FILE_FN(name, fmt, value...)                   \
 static ssize_t name## _read(struct file *file, char __user *userbuf,    \
                            size_t count, loff_t *ppos)                 \
 {                                                                       \
@@ -45,14 +45,19 @@ static ssize_t name## _read(struct file *file, char __user *userbuf,	\
                                                                        \
        return mac80211_format_buffer(userbuf, count, ppos,             \
                                      fmt "\n", ##value);               \
-}                                                                       \
+}
-                                                                        \
+#define DEBUGFS_READONLY_FILE_OPS(name)                 \
 static const struct file_operations name## _ops = {                     \
        .read = name## _read,                                           \
        .open = mac80211_open_file_generic,                             \
        .llseek = generic_file_llseek,                                  \
 };
+#define DEBUGFS_READONLY_FILE(name, fmt, value...)              \
+        DEBUGFS_READONLY_FILE_FN(name, fmt, value)              \
+        DEBUGFS_READONLY_FILE_OPS(name)
 #define DEBUGFS_ADD(name)                                               \
        debugfs_create_file(#name, 0400, phyd, local, &name## _ops);
@@ -60,6 +65,10 @@ static const struct file_operations name## _ops = {			\
        debugfs_create_file(#name, mode, phyd, local, &name## _ops);
+DEBUGFS_READONLY_FILE(user_power, "%d",
+                      local->user_power_level);
+DEBUGFS_READONLY_FILE(power, "%d",
+                      local->hw.conf.power_level);
 DEBUGFS_READONLY_FILE(frequency, "%d",
                      local->hw.conf.channel->center_freq);
 DEBUGFS_READONLY_FILE(total_ps_buffered, "%d",
@@ -126,7 +135,7 @@ static ssize_t reset_write(struct file *file, const char __user *user_buf,
        struct ieee80211_local *local = file->private_data;
        rtnl_lock();
-        __ieee80211_suspend(&local->hw);
+        __ieee80211_suspend(&local->hw, NULL);
        __ieee80211_resume(&local->hw);
        rtnl_unlock();
@@ -287,11 +296,70 @@ static ssize_t channel_type_read(struct file *file, char __user *user_buf,
        return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
 }
-static const struct file_operations channel_type_ops = {
+static ssize_t hwflags_read(struct file *file, char __user *user_buf,
-        .read = channel_type_read,
+                            size_t count, loff_t *ppos)
-        .open = mac80211_open_file_generic,
+{
-        .llseek = default_llseek,
+        struct ieee80211_local *local = file->private_data;
-};
+        int mxln = 500;
+        ssize_t rv;
+        char *buf = kzalloc(mxln, GFP_KERNEL);
+        int sf = 0; /* how many written so far */
+        sf += snprintf(buf, mxln - sf, "0x%x\n", local->hw.flags);
+        if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL)
+                sf += snprintf(buf + sf, mxln - sf, "HAS_RATE_CONTROL\n");
+        if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
+                sf += snprintf(buf + sf, mxln - sf, "RX_INCLUDES_FCS\n");
+        if (local->hw.flags & IEEE80211_HW_HOST_BROADCAST_PS_BUFFERING)
+                sf += snprintf(buf + sf, mxln - sf,
+                               "HOST_BCAST_PS_BUFFERING\n");
+        if (local->hw.flags & IEEE80211_HW_2GHZ_SHORT_SLOT_INCAPABLE)
+                sf += snprintf(buf + sf, mxln - sf,
+                               "2GHZ_SHORT_SLOT_INCAPABLE\n");
+        if (local->hw.flags & IEEE80211_HW_2GHZ_SHORT_PREAMBLE_INCAPABLE)
+                sf += snprintf(buf + sf, mxln - sf,
+                               "2GHZ_SHORT_PREAMBLE_INCAPABLE\n");
+        if (local->hw.flags & IEEE80211_HW_SIGNAL_UNSPEC)
+                sf += snprintf(buf + sf, mxln - sf, "SIGNAL_UNSPEC\n");
+        if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
+                sf += snprintf(buf + sf, mxln - sf, "SIGNAL_DBM\n");
+        if (local->hw.flags & IEEE80211_HW_NEED_DTIM_PERIOD)
+                sf += snprintf(buf + sf, mxln - sf, "NEED_DTIM_PERIOD\n");
+        if (local->hw.flags & IEEE80211_HW_SPECTRUM_MGMT)
+                sf += snprintf(buf + sf, mxln - sf, "SPECTRUM_MGMT\n");
+        if (local->hw.flags & IEEE80211_HW_AMPDU_AGGREGATION)
+                sf += snprintf(buf + sf, mxln - sf, "AMPDU_AGGREGATION\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_PS)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_PS\n");
+        if (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK)
+                sf += snprintf(buf + sf, mxln - sf, "PS_NULLFUNC_STACK\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_DYNAMIC_PS)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_DYNAMIC_PS\n");
+        if (local->hw.flags & IEEE80211_HW_MFP_CAPABLE)
+                sf += snprintf(buf + sf, mxln - sf, "MFP_CAPABLE\n");
+        if (local->hw.flags & IEEE80211_HW_BEACON_FILTER)
+                sf += snprintf(buf + sf, mxln - sf, "BEACON_FILTER\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_STATIC_SMPS)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_STATIC_SMPS\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_DYNAMIC_SMPS)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_DYNAMIC_SMPS\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_UAPSD)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_UAPSD\n");
+        if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)
+                sf += snprintf(buf + sf, mxln - sf, "REPORTS_TX_ACK_STATUS\n");
+        if (local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR)
+                sf += snprintf(buf + sf, mxln - sf, "CONNECTION_MONITOR\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_CQM_RSSI)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_CQM_RSSI\n");
+        if (local->hw.flags & IEEE80211_HW_SUPPORTS_PER_STA_GTK)
+                sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_PER_STA_GTK\n");
+        if (local->hw.flags & IEEE80211_HW_AP_LINK_PS)
+                sf += snprintf(buf + sf, mxln - sf, "AP_LINK_PS\n");
+        rv = simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
+        kfree(buf);
+        return rv;
+}
 static ssize_t queues_read(struct file *file, char __user *user_buf,
                           size_t count, loff_t *ppos)
@@ -311,11 +379,9 @@ static ssize_t queues_read(struct file *file, char __user *user_buf,
        return simple_read_from_buffer(user_buf, count, ppos, buf, res);
 }
-static const struct file_operations queues_ops = {
+DEBUGFS_READONLY_FILE_OPS(hwflags);
-        .read = queues_read,
+DEBUGFS_READONLY_FILE_OPS(channel_type);
-        .open = mac80211_open_file_generic,
+DEBUGFS_READONLY_FILE_OPS(queues);
-        .llseek = default_llseek,
-};
 /* statistics stuff */
@@ -391,6 +457,9 @@ void debugfs_hw_add(struct ieee80211_local *local)
        DEBUGFS_ADD(uapsd_queues);
        DEBUGFS_ADD(uapsd_max_sp_len);
        DEBUGFS_ADD(channel_type);
+        DEBUGFS_ADD(hwflags);
+        DEBUGFS_ADD(user_power);
+        DEBUGFS_ADD(power);
        statsd = debugfs_create_dir("statistics", phyd);
diff --git a/net/mac80211/debugfs_key.c b/net/mac80211/debugfs_key.c
index f7ef3477c24a..33c58b85c911 100644
--- a/net/mac80211/debugfs_key.c
+++ b/net/mac80211/debugfs_key.c
@@ -241,16 +241,12 @@ void ieee80211_debugfs_key_add(struct ieee80211_key *key)
        if (!key->debugfs.dir)
                return;
-        rcu_read_lock();
+        sta = key->sta;
-        sta = rcu_dereference(key->sta);
+        if (sta) {
-        if (sta)
                sprintf(buf, "../../stations/%pM", sta->sta.addr);
-        rcu_read_unlock();
-        /* using sta as a boolean is fine outside RCU lock */
-        if (sta)
                key->debugfs.stalink =
                        debugfs_create_symlink("station", key->debugfs.dir, buf);
+        }
        DEBUGFS_ADD(keylen);
        DEBUGFS_ADD(flags);
@@ -286,7 +282,8 @@ void ieee80211_debugfs_key_update_default(struct ieee80211_sub_if_data *sdata)
        lockdep_assert_held(&sdata->local->key_mtx);
        if (sdata->default_unicast_key) {
-                key = sdata->default_unicast_key;
+                key = key_mtx_dereference(sdata->local,
+                                          sdata->default_unicast_key);
                sprintf(buf, "../keys/%d", key->debugfs.cnt);
                sdata->debugfs.default_unicast_key =
                        debugfs_create_symlink("default_unicast_key",
@@ -297,7 +294,8 @@ void ieee80211_debugfs_key_update_default(struct ieee80211_sub_if_data *sdata)
        }
        if (sdata->default_multicast_key) {
-                key = sdata->default_multicast_key;
+                key = key_mtx_dereference(sdata->local,
+                                          sdata->default_multicast_key);
                sprintf(buf, "../keys/%d", key->debugfs.cnt);
                sdata->debugfs.default_multicast_key =
                        debugfs_create_symlink("default_multicast_key",
@@ -316,9 +314,8 @@ void ieee80211_debugfs_key_add_mgmt_default(struct ieee80211_sub_if_data *sdata)
        if (!sdata->debugfs.dir)
                return;
-        /* this is running under the key lock */
+        key = key_mtx_dereference(sdata->local,
+                                  sdata->default_mgmt_key);
-        key = sdata->default_mgmt_key;
        if (key) {
                sprintf(buf, "../keys/%d", key->debugfs.cnt);
                sdata->debugfs.default_mgmt_key =
diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c
index 2dabdf7680d0..9ea7c0d0103f 100644
--- a/net/mac80211/debugfs_netdev.c
+++ b/net/mac80211/debugfs_netdev.c
@@ -36,7 +36,7 @@ static ssize_t ieee80211_if_read(
                ret = (*format)(sdata, buf, sizeof(buf));
        read_unlock(&dev_base_lock);
-        if (ret != -EINVAL)
+        if (ret >= 0)
                ret = simple_read_from_buffer(userbuf, count, ppos, buf, ret);
        return ret;
@@ -81,6 +81,8 @@ static ssize_t ieee80211_if_fmt_##name(					\
                IEEE80211_IF_FMT(name, field, "%d\n")
 #define IEEE80211_IF_FMT_HEX(name, field)                               \
                IEEE80211_IF_FMT(name, field, "%#x\n")
+#define IEEE80211_IF_FMT_LHEX(name, field)                              \
+                IEEE80211_IF_FMT(name, field, "%#lx\n")
 #define IEEE80211_IF_FMT_SIZE(name, field)                              \
                IEEE80211_IF_FMT(name, field, "%zd\n")
@@ -145,6 +147,9 @@ IEEE80211_IF_FILE(rc_rateidx_mask_2ghz, rc_rateidx_mask[IEEE80211_BAND_2GHZ],
                  HEX);
 IEEE80211_IF_FILE(rc_rateidx_mask_5ghz, rc_rateidx_mask[IEEE80211_BAND_5GHZ],
                  HEX);
+IEEE80211_IF_FILE(flags, flags, HEX);
+IEEE80211_IF_FILE(state, state, LHEX);
+IEEE80211_IF_FILE(channel_type, vif.bss_conf.channel_type, DEC);
 /* STA attributes */
 IEEE80211_IF_FILE(bssid, u.mgd.bssid, MAC);
@@ -172,9 +177,9 @@ static int ieee80211_set_smps(struct ieee80211_sub_if_data *sdata,
        if (sdata->vif.type != NL80211_IFTYPE_STATION)
                return -EOPNOTSUPP;
-        mutex_lock(&local->iflist_mtx);
+        mutex_lock(&sdata->u.mgd.mtx);
        err = __ieee80211_request_smps(sdata, smps_mode);
-        mutex_unlock(&local->iflist_mtx);
+        mutex_unlock(&sdata->u.mgd.mtx);
        return err;
 }
@@ -216,6 +221,104 @@ static ssize_t ieee80211_if_parse_smps(struct ieee80211_sub_if_data *sdata,
 __IEEE80211_IF_FILE_W(smps);
+static ssize_t ieee80211_if_fmt_tkip_mic_test(
+        const struct ieee80211_sub_if_data *sdata, char *buf, int buflen)
+{
+        return -EOPNOTSUPP;
+}
+static int hwaddr_aton(const char *txt, u8 *addr)
+{
+        int i;
+        for (i = 0; i < ETH_ALEN; i++) {
+                int a, b;
+                a = hex_to_bin(*txt++);
+                if (a < 0)
+                        return -1;
+                b = hex_to_bin(*txt++);
+                if (b < 0)
+                        return -1;
+                *addr++ = (a << 4) | b;
+                if (i < 5 && *txt++ != ':')
+                        return -1;
+        }
+        return 0;
+}
+static ssize_t ieee80211_if_parse_tkip_mic_test(
+        struct ieee80211_sub_if_data *sdata, const char *buf, int buflen)
+{
+        struct ieee80211_local *local = sdata->local;
+        u8 addr[ETH_ALEN];
+        struct sk_buff *skb;
+        struct ieee80211_hdr *hdr;
+        __le16 fc;
+        /*
+         * Assume colon-delimited MAC address with possible white space
+         * following.
+         */
+        if (buflen < 3 * ETH_ALEN - 1)
+                return -EINVAL;
+        if (hwaddr_aton(buf, addr) < 0)
+                return -EINVAL;
+        if (!ieee80211_sdata_running(sdata))
+                return -ENOTCONN;
+        skb = dev_alloc_skb(local->hw.extra_tx_headroom + 24 + 100);
+        if (!skb)
+                return -ENOMEM;
+        skb_reserve(skb, local->hw.extra_tx_headroom);
+        hdr = (struct ieee80211_hdr *) skb_put(skb, 24);
+        memset(hdr, 0, 24);
+        fc = cpu_to_le16(IEEE80211_FTYPE_DATA | IEEE80211_STYPE_DATA);
+        switch (sdata->vif.type) {
+        case NL80211_IFTYPE_AP:
+                fc |= cpu_to_le16(IEEE80211_FCTL_FROMDS);
+                /* DA BSSID SA */
+                memcpy(hdr->addr1, addr, ETH_ALEN);
+                memcpy(hdr->addr2, sdata->vif.addr, ETH_ALEN);
+                memcpy(hdr->addr3, sdata->vif.addr, ETH_ALEN);
+                break;
+        case NL80211_IFTYPE_STATION:
+                fc |= cpu_to_le16(IEEE80211_FCTL_TODS);
+                /* BSSID SA DA */
+                if (sdata->vif.bss_conf.bssid == NULL) {
+                        dev_kfree_skb(skb);
+                        return -ENOTCONN;
+                }
+                memcpy(hdr->addr1, sdata->vif.bss_conf.bssid, ETH_ALEN);
+                memcpy(hdr->addr2, sdata->vif.addr, ETH_ALEN);
+                memcpy(hdr->addr3, addr, ETH_ALEN);
+                break;
+        default:
+                dev_kfree_skb(skb);
+                return -EOPNOTSUPP;
+        }
+        hdr->frame_control = fc;
+        /*
+         * Add some length to the test frame to make it look bit more valid.
+         * The exact contents does not matter since the recipient is required
+         * to drop this because of the Michael MIC failure.
+         */
+        memset(skb_put(skb, 50), 0, 50);
+        IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_TKIP_MIC_FAILURE;
+        ieee80211_tx_skb(sdata, skb);
+        return buflen;
+}
+__IEEE80211_IF_FILE_W(tkip_mic_test);
 /* AP attributes */
 IEEE80211_IF_FILE(num_sta_ps, u.ap.num_sta_ps, ATOMIC);
 IEEE80211_IF_FILE(dtim_count, u.ap.dtim_count, DEC);
@@ -283,6 +386,9 @@ IEEE80211_IF_FILE(dot11MeshHWMPRootMode,
 static void add_sta_files(struct ieee80211_sub_if_data *sdata)
 {
        DEBUGFS_ADD(drop_unencrypted);
+        DEBUGFS_ADD(flags);
+        DEBUGFS_ADD(state);
+        DEBUGFS_ADD(channel_type);
        DEBUGFS_ADD(rc_rateidx_mask_2ghz);
        DEBUGFS_ADD(rc_rateidx_mask_5ghz);
@@ -291,22 +397,30 @@ static void add_sta_files(struct ieee80211_sub_if_data *sdata)
        DEBUGFS_ADD(last_beacon);
        DEBUGFS_ADD(ave_beacon);
        DEBUGFS_ADD_MODE(smps, 0600);
+        DEBUGFS_ADD_MODE(tkip_mic_test, 0200);
 }
 static void add_ap_files(struct ieee80211_sub_if_data *sdata)
 {
        DEBUGFS_ADD(drop_unencrypted);
+        DEBUGFS_ADD(flags);
+        DEBUGFS_ADD(state);
+        DEBUGFS_ADD(channel_type);
        DEBUGFS_ADD(rc_rateidx_mask_2ghz);
        DEBUGFS_ADD(rc_rateidx_mask_5ghz);
        DEBUGFS_ADD(num_sta_ps);
        DEBUGFS_ADD(dtim_count);
        DEBUGFS_ADD(num_buffered_multicast);
+        DEBUGFS_ADD_MODE(tkip_mic_test, 0200);
 }
 static void add_wds_files(struct ieee80211_sub_if_data *sdata)
 {
        DEBUGFS_ADD(drop_unencrypted);
+        DEBUGFS_ADD(flags);
+        DEBUGFS_ADD(state);
+        DEBUGFS_ADD(channel_type);
        DEBUGFS_ADD(rc_rateidx_mask_2ghz);
        DEBUGFS_ADD(rc_rateidx_mask_5ghz);
@@ -316,12 +430,18 @@ static void add_wds_files(struct ieee80211_sub_if_data *sdata)
 static void add_vlan_files(struct ieee80211_sub_if_data *sdata)
 {
        DEBUGFS_ADD(drop_unencrypted);
+        DEBUGFS_ADD(flags);
+        DEBUGFS_ADD(state);
+        DEBUGFS_ADD(channel_type);
        DEBUGFS_ADD(rc_rateidx_mask_2ghz);
        DEBUGFS_ADD(rc_rateidx_mask_5ghz);
 }
 static void add_monitor_files(struct ieee80211_sub_if_data *sdata)
 {
+        DEBUGFS_ADD(flags);
+        DEBUGFS_ADD(state);
+        DEBUGFS_ADD(channel_type);
 }
 #ifdef CONFIG_MAC80211_MESH
diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
index c04a1396cf8d..a01d2137fddc 100644
--- a/net/mac80211/debugfs_sta.c
+++ b/net/mac80211/debugfs_sta.c
@@ -92,6 +92,31 @@ static ssize_t sta_inactive_ms_read(struct file *file, char __user *userbuf,
 }
 STA_OPS(inactive_ms);
+static ssize_t sta_connected_time_read(struct file *file, char __user *userbuf,
+                                        size_t count, loff_t *ppos)
+{
+        struct sta_info *sta = file->private_data;
+        struct timespec uptime;
+        struct tm result;
+        long connected_time_secs;
+        char buf[100];
+        int res;
+        do_posix_clock_monotonic_gettime(&uptime);
+        connected_time_secs = uptime.tv_sec - sta->last_connected;
+        time_to_tm(connected_time_secs, 0, &result);
+        result.tm_year -= 70;
+        result.tm_mday -= 1;
+        res = scnprintf(buf, sizeof(buf),
+                "years  - %ld\nmonths - %d\ndays   - %d\nclock  - %d:%d:%d\n\n",
+                        result.tm_year, result.tm_mon, result.tm_mday,
+                        result.tm_hour, result.tm_min, result.tm_sec);
+        return simple_read_from_buffer(userbuf, count, ppos, buf, res);
+}
+STA_OPS(connected_time);
 static ssize_t sta_last_seq_ctrl_read(struct file *file, char __user *userbuf,
                                      size_t count, loff_t *ppos)
 {
@@ -324,6 +349,7 @@ void ieee80211_sta_debugfs_add(struct sta_info *sta)
        DEBUGFS_ADD(flags);
        DEBUGFS_ADD(num_ps_buf_frames);
        DEBUGFS_ADD(inactive_ms);
+        DEBUGFS_ADD(connected_time);
        DEBUGFS_ADD(last_seq_ctrl);
        DEBUGFS_ADD(agg_status);
        DEBUGFS_ADD(dev);
diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h
index 98d589960a49..eebf7a67daf7 100644
--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -5,9 +5,9 @@
 #include "ieee80211_i.h"
 #include "driver-trace.h"
-static inline int drv_tx(struct ieee80211_local *local, struct sk_buff *skb)
+static inline void drv_tx(struct ieee80211_local *local, struct sk_buff *skb)
 {
-        return local->ops->tx(&local->hw, skb);
+        local->ops->tx(&local->hw, skb);
 }
 static inline int drv_start(struct ieee80211_local *local)
@@ -41,6 +41,33 @@ static inline void drv_stop(struct ieee80211_local *local)
        local->started = false;
 }
+#ifdef CONFIG_PM
+static inline int drv_suspend(struct ieee80211_local *local,
+                              struct cfg80211_wowlan *wowlan)
+{
+        int ret;
+        might_sleep();
+        trace_drv_suspend(local);
+        ret = local->ops->suspend(&local->hw, wowlan);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
+static inline int drv_resume(struct ieee80211_local *local)
+{
+        int ret;
+        might_sleep();
+        trace_drv_resume(local);
+        ret = local->ops->resume(&local->hw);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
+#endif
 static inline int drv_add_interface(struct ieee80211_local *local,
                                    struct ieee80211_vif *vif)
 {
@@ -185,12 +212,39 @@ static inline int drv_hw_scan(struct ieee80211_local *local,
        might_sleep();
-        trace_drv_hw_scan(local, sdata, req);
+        trace_drv_hw_scan(local, sdata);
        ret = local->ops->hw_scan(&local->hw, &sdata->vif, req);
        trace_drv_return_int(local, ret);
        return ret;
 }
+static inline int
+drv_sched_scan_start(struct ieee80211_local *local,
+                     struct ieee80211_sub_if_data *sdata,
+                     struct cfg80211_sched_scan_request *req,
+                     struct ieee80211_sched_scan_ies *ies)
+{
+        int ret;
+        might_sleep();
+        trace_drv_sched_scan_start(local, sdata);
+        ret = local->ops->sched_scan_start(&local->hw, &sdata->vif,
+                                              req, ies);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
+static inline void drv_sched_scan_stop(struct ieee80211_local *local,
+                                       struct ieee80211_sub_if_data *sdata)
+{
+        might_sleep();
+        trace_drv_sched_scan_stop(local, sdata);
+        local->ops->sched_scan_stop(&local->hw, &sdata->vif);
+        trace_drv_return_void(local);
+}
 static inline void drv_sw_scan_start(struct ieee80211_local *local)
 {
        might_sleep();
@@ -382,17 +436,17 @@ static inline int drv_ampdu_action(struct ieee80211_local *local,
                                   struct ieee80211_sub_if_data *sdata,
                                   enum ieee80211_ampdu_mlme_action action,
                                   struct ieee80211_sta *sta, u16 tid,
-                                   u16 *ssn)
+                                   u16 *ssn, u8 buf_size)
 {
        int ret = -EOPNOTSUPP;
        might_sleep();
-        trace_drv_ampdu_action(local, sdata, action, sta, tid, ssn);
+        trace_drv_ampdu_action(local, sdata, action, sta, tid, ssn, buf_size);
        if (local->ops->ampdu_action)
                ret = local->ops->ampdu_action(&local->hw, &sdata->vif, action,
-                                               sta, tid, ssn);
+                                               sta, tid, ssn, buf_size);
        trace_drv_return_int(local, ret);
@@ -495,4 +549,92 @@ static inline int drv_cancel_remain_on_channel(struct ieee80211_local *local)
        return ret;
 }
+static inline int drv_offchannel_tx(struct ieee80211_local *local,
+                                    struct sk_buff *skb,
+                                    struct ieee80211_channel *chan,
+                                    enum nl80211_channel_type channel_type,
+                                    unsigned int wait)
+{
+        int ret;
+        might_sleep();
+        trace_drv_offchannel_tx(local, skb, chan, channel_type, wait);
+        ret = local->ops->offchannel_tx(&local->hw, skb, chan,
+                                        channel_type, wait);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
+static inline int drv_offchannel_tx_cancel_wait(struct ieee80211_local *local)
+{
+        int ret;
+        might_sleep();
+        trace_drv_offchannel_tx_cancel_wait(local);
+        ret = local->ops->offchannel_tx_cancel_wait(&local->hw);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
+static inline int drv_set_ringparam(struct ieee80211_local *local,
+                                    u32 tx, u32 rx)
+{
+        int ret = -ENOTSUPP;
+        might_sleep();
+        trace_drv_set_ringparam(local, tx, rx);
+        if (local->ops->set_ringparam)
+                ret = local->ops->set_ringparam(&local->hw, tx, rx);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
+static inline void drv_get_ringparam(struct ieee80211_local *local,
+                                     u32 *tx, u32 *tx_max, u32 *rx, u32 *rx_max)
+{
+        might_sleep();
+        trace_drv_get_ringparam(local, tx, tx_max, rx, rx_max);
+        if (local->ops->get_ringparam)
+                local->ops->get_ringparam(&local->hw, tx, tx_max, rx, rx_max);
+        trace_drv_return_void(local);
+}
+static inline bool drv_tx_frames_pending(struct ieee80211_local *local)
+{
+        bool ret = false;
+        might_sleep();
+        trace_drv_tx_frames_pending(local);
+        if (local->ops->tx_frames_pending)
+                ret = local->ops->tx_frames_pending(&local->hw);
+        trace_drv_return_bool(local, ret);
+        return ret;
+}
+static inline int drv_set_bitrate_mask(struct ieee80211_local *local,
+                                       struct ieee80211_sub_if_data *sdata,
+                                       const struct cfg80211_bitrate_mask *mask)
+{
+        int ret = -EOPNOTSUPP;
+        might_sleep();
+        trace_drv_set_bitrate_mask(local, sdata, mask);
+        if (local->ops->set_bitrate_mask)
+                ret = local->ops->set_bitrate_mask(&local->hw,
+                                                   &sdata->vif, mask);
+        trace_drv_return_int(local, ret);
+        return ret;
+}
 #endif /* __MAC80211_DRIVER_OPS */
diff --git a/net/mac80211/driver-trace.h b/net/mac80211/driver-trace.h
index 49c84218b2f4..ed9edcbd9aa5 100644
--- a/net/mac80211/driver-trace.h
+++ b/net/mac80211/driver-trace.h
@@ -9,6 +9,11 @@
 #undef TRACE_EVENT
 #define TRACE_EVENT(name, proto, ...) \
 static inline void trace_ ## name(proto) {}
+#undef DECLARE_EVENT_CLASS
+#define DECLARE_EVENT_CLASS(...)
+#undef DEFINE_EVENT
+#define DEFINE_EVENT(evt_class, name, proto, ...) \
+static inline void trace_ ## name(proto) {}
 #endif
 #undef TRACE_SYSTEM
@@ -38,7 +43,7 @@ static inline void trace_ ## name(proto) {}
 * Tracing for driver callbacks.
 */
-TRACE_EVENT(drv_return_void,
+DECLARE_EVENT_CLASS(local_only_evt,
        TP_PROTO(struct ieee80211_local *local),
        TP_ARGS(local),
        TP_STRUCT__entry(
@@ -50,92 +55,142 @@ TRACE_EVENT(drv_return_void,
        TP_printk(LOCAL_PR_FMT, LOCAL_PR_ARG)
 );
-TRACE_EVENT(drv_return_int,
+DECLARE_EVENT_CLASS(local_sdata_addr_evt,
-        TP_PROTO(struct ieee80211_local *local, int ret),
+        TP_PROTO(struct ieee80211_local *local,
-        TP_ARGS(local, ret),
+                 struct ieee80211_sub_if_data *sdata),
+        TP_ARGS(local, sdata),
        TP_STRUCT__entry(
                LOCAL_ENTRY
-                __field(int, ret)
+                VIF_ENTRY
+                __array(char, addr, 6)
        ),
        TP_fast_assign(
                LOCAL_ASSIGN;
-                __entry->ret = ret;
+                VIF_ASSIGN;
+                memcpy(__entry->addr, sdata->vif.addr, 6);
        ),
-        TP_printk(LOCAL_PR_FMT " - %d", LOCAL_PR_ARG, __entry->ret)
+        TP_printk(
+                LOCAL_PR_FMT  VIF_PR_FMT " addr:%pM",
+                LOCAL_PR_ARG, VIF_PR_ARG, __entry->addr
+        )
 );
-TRACE_EVENT(drv_return_u64,
+DECLARE_EVENT_CLASS(local_u32_evt,
-        TP_PROTO(struct ieee80211_local *local, u64 ret),
+        TP_PROTO(struct ieee80211_local *local, u32 value),
-        TP_ARGS(local, ret),
+        TP_ARGS(local, value),
        TP_STRUCT__entry(
                LOCAL_ENTRY
-                __field(u64, ret)
+                __field(u32, value)
        ),
        TP_fast_assign(
                LOCAL_ASSIGN;
-                __entry->ret = ret;
+                __entry->value = value;
        ),
-        TP_printk(LOCAL_PR_FMT " - %llu", LOCAL_PR_ARG, __entry->ret)
-);
-TRACE_EVENT(drv_start,
+        TP_printk(
-        TP_PROTO(struct ieee80211_local *local),
+                LOCAL_PR_FMT " value:%d",
+                LOCAL_PR_ARG, __entry->value
+        )
+);
-        TP_ARGS(local),
+DECLARE_EVENT_CLASS(local_sdata_evt,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata),
+        TP_ARGS(local, sdata),
        TP_STRUCT__entry(
                LOCAL_ENTRY
+                VIF_ENTRY
        ),
        TP_fast_assign(
                LOCAL_ASSIGN;
+                VIF_ASSIGN;
        ),
        TP_printk(
-                LOCAL_PR_FMT, LOCAL_PR_ARG
+                LOCAL_PR_FMT VIF_PR_FMT,
+                LOCAL_PR_ARG, VIF_PR_ARG
        )
 );
-TRACE_EVENT(drv_stop,
+DEFINE_EVENT(local_only_evt, drv_return_void,
        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
+);
-        TP_ARGS(local),
+TRACE_EVENT(drv_return_int,
+        TP_PROTO(struct ieee80211_local *local, int ret),
+        TP_ARGS(local, ret),
        TP_STRUCT__entry(
                LOCAL_ENTRY
+                __field(int, ret)
        ),
        TP_fast_assign(
                LOCAL_ASSIGN;
+                __entry->ret = ret;
        ),
+        TP_printk(LOCAL_PR_FMT " - %d", LOCAL_PR_ARG, __entry->ret)
-        TP_printk(
-                LOCAL_PR_FMT, LOCAL_PR_ARG
-        )
 );
-TRACE_EVENT(drv_add_interface,
+TRACE_EVENT(drv_return_bool,
-        TP_PROTO(struct ieee80211_local *local,
+        TP_PROTO(struct ieee80211_local *local, bool ret),
-                 struct ieee80211_sub_if_data *sdata),
+        TP_ARGS(local, ret),
-        TP_ARGS(local, sdata),
        TP_STRUCT__entry(
                LOCAL_ENTRY
-                VIF_ENTRY
+                __field(bool, ret)
-                __array(char, addr, 6)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                __entry->ret = ret;
        ),
+        TP_printk(LOCAL_PR_FMT " - %s", LOCAL_PR_ARG, (__entry->ret) ?
+                  "true" : "false")
+);
+TRACE_EVENT(drv_return_u64,
+        TP_PROTO(struct ieee80211_local *local, u64 ret),
+        TP_ARGS(local, ret),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                __field(u64, ret)
+        ),
        TP_fast_assign(
                LOCAL_ASSIGN;
-                VIF_ASSIGN;
+                __entry->ret = ret;
-                memcpy(__entry->addr, sdata->vif.addr, 6);
        ),
+        TP_printk(LOCAL_PR_FMT " - %llu", LOCAL_PR_ARG, __entry->ret)
+);
-        TP_printk(
+DEFINE_EVENT(local_only_evt, drv_start,
-                LOCAL_PR_FMT  VIF_PR_FMT " addr:%pM",
+        TP_PROTO(struct ieee80211_local *local),
-                LOCAL_PR_ARG, VIF_PR_ARG, __entry->addr
+        TP_ARGS(local)
-        )
+);
+DEFINE_EVENT(local_only_evt, drv_suspend,
+        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
+);
+DEFINE_EVENT(local_only_evt, drv_resume,
+        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
+);
+DEFINE_EVENT(local_only_evt, drv_stop,
+        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
+);
+DEFINE_EVENT(local_sdata_addr_evt, drv_add_interface,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata),
+        TP_ARGS(local, sdata)
 );
 TRACE_EVENT(drv_change_interface,
@@ -166,27 +221,10 @@ TRACE_EVENT(drv_change_interface,
        )
 );
-TRACE_EVENT(drv_remove_interface,
+DEFINE_EVENT(local_sdata_addr_evt, drv_remove_interface,
-        TP_PROTO(struct ieee80211_local *local, struct ieee80211_sub_if_data *sdata),
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata),
-        TP_ARGS(local, sdata),
+        TP_ARGS(local, sdata)
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-                VIF_ENTRY
-                __array(char, addr, 6)
-        ),
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-                VIF_ASSIGN;
-                memcpy(__entry->addr, sdata->vif.addr, 6);
-        ),
-        TP_printk(
-                LOCAL_PR_FMT  VIF_PR_FMT " addr:%pM",
-                LOCAL_PR_ARG, VIF_PR_ARG, __entry->addr
-        )
 );
 TRACE_EVENT(drv_config,
@@ -416,63 +454,32 @@ TRACE_EVENT(drv_update_tkip_key,
        )
 );
-TRACE_EVENT(drv_hw_scan,
+DEFINE_EVENT(local_sdata_evt, drv_hw_scan,
        TP_PROTO(struct ieee80211_local *local,
-                 struct ieee80211_sub_if_data *sdata,
+                 struct ieee80211_sub_if_data *sdata),
-                 struct cfg80211_scan_request *req),
+        TP_ARGS(local, sdata)
+);
-        TP_ARGS(local, sdata, req),
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-                VIF_ENTRY
-        ),
-        TP_fast_assign(
+DEFINE_EVENT(local_sdata_evt, drv_sched_scan_start,
-                LOCAL_ASSIGN;
+        TP_PROTO(struct ieee80211_local *local,
-                VIF_ASSIGN;
+                 struct ieee80211_sub_if_data *sdata),
-        ),
+        TP_ARGS(local, sdata)
+);
-        TP_printk(
+DEFINE_EVENT(local_sdata_evt, drv_sched_scan_stop,
-                LOCAL_PR_FMT VIF_PR_FMT,
+        TP_PROTO(struct ieee80211_local *local,
-                LOCAL_PR_ARG,VIF_PR_ARG
+                 struct ieee80211_sub_if_data *sdata),
-        )
+        TP_ARGS(local, sdata)
 );
-TRACE_EVENT(drv_sw_scan_start,
+DEFINE_EVENT(local_only_evt, drv_sw_scan_start,
        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
-        TP_ARGS(local),
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-        ),
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-        ),
-        TP_printk(
-                LOCAL_PR_FMT, LOCAL_PR_ARG
-        )
 );
-TRACE_EVENT(drv_sw_scan_complete,
+DEFINE_EVENT(local_only_evt, drv_sw_scan_complete,
        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
-        TP_ARGS(local),
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-        ),
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-        ),
-        TP_printk(
-                LOCAL_PR_FMT, LOCAL_PR_ARG
-        )
 );
 TRACE_EVENT(drv_get_stats,
@@ -531,46 +538,14 @@ TRACE_EVENT(drv_get_tkip_seq,
        )
 );
-TRACE_EVENT(drv_set_frag_threshold,
+DEFINE_EVENT(local_u32_evt, drv_set_frag_threshold,
        TP_PROTO(struct ieee80211_local *local, u32 value),
+        TP_ARGS(local, value)
-        TP_ARGS(local, value),
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-                __field(u32, value)
-        ),
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-                __entry->value = value;
-        ),
-        TP_printk(
-                LOCAL_PR_FMT " value:%d",
-                LOCAL_PR_ARG, __entry->value
-        )
 );
-TRACE_EVENT(drv_set_rts_threshold,
+DEFINE_EVENT(local_u32_evt, drv_set_rts_threshold,
        TP_PROTO(struct ieee80211_local *local, u32 value),
+        TP_ARGS(local, value)
-        TP_ARGS(local, value),
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-                __field(u32, value)
-        ),
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-                __entry->value = value;
-        ),
-        TP_printk(
-                LOCAL_PR_FMT " value:%d",
-                LOCAL_PR_ARG, __entry->value
-        )
 );
 TRACE_EVENT(drv_set_coverage_class,
@@ -702,23 +677,9 @@ TRACE_EVENT(drv_conf_tx,
        )
 );
-TRACE_EVENT(drv_get_tsf,
+DEFINE_EVENT(local_only_evt, drv_get_tsf,
        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
-        TP_ARGS(local),
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-        ),
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-        ),
-        TP_printk(
-                LOCAL_PR_FMT,
-                LOCAL_PR_ARG
-        )
 );
 TRACE_EVENT(drv_set_tsf,
@@ -742,41 +703,14 @@ TRACE_EVENT(drv_set_tsf,
        )
 );
-TRACE_EVENT(drv_reset_tsf,
+DEFINE_EVENT(local_only_evt, drv_reset_tsf,
        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
-        TP_ARGS(local),
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-        ),
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-        ),
-        TP_printk(
-                LOCAL_PR_FMT, LOCAL_PR_ARG
-        )
 );
-TRACE_EVENT(drv_tx_last_beacon,
+DEFINE_EVENT(local_only_evt, drv_tx_last_beacon,
        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
-        TP_ARGS(local),
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-        ),
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-        ),
-        TP_printk(
-                LOCAL_PR_FMT,
-                LOCAL_PR_ARG
-        )
 );
 TRACE_EVENT(drv_ampdu_action,
@@ -784,9 +718,9 @@ TRACE_EVENT(drv_ampdu_action,
                 struct ieee80211_sub_if_data *sdata,
                 enum ieee80211_ampdu_mlme_action action,
                 struct ieee80211_sta *sta, u16 tid,
-                 u16 *ssn),
+                 u16 *ssn, u8 buf_size),
-        TP_ARGS(local, sdata, action, sta, tid, ssn),
+        TP_ARGS(local, sdata, action, sta, tid, ssn, buf_size),
        TP_STRUCT__entry(
                LOCAL_ENTRY
@@ -794,6 +728,7 @@ TRACE_EVENT(drv_ampdu_action,
                __field(u32, action)
                __field(u16, tid)
                __field(u16, ssn)
+                __field(u8, buf_size)
                VIF_ENTRY
        ),
@@ -804,11 +739,13 @@ TRACE_EVENT(drv_ampdu_action,
                __entry->action = action;
                __entry->tid = tid;
                __entry->ssn = ssn ? *ssn : 0;
+                __entry->buf_size = buf_size;
        ),
        TP_printk(
-                LOCAL_PR_FMT VIF_PR_FMT STA_PR_FMT " action:%d tid:%d",
+                LOCAL_PR_FMT VIF_PR_FMT STA_PR_FMT " action:%d tid:%d buf:%d",
-                LOCAL_PR_ARG, VIF_PR_ARG, STA_PR_ARG, __entry->action, __entry->tid
+                LOCAL_PR_ARG, VIF_PR_ARG, STA_PR_ARG, __entry->action,
+                __entry->tid, __entry->buf_size
        )
 );
@@ -959,21 +896,125 @@ TRACE_EVENT(drv_remain_on_channel,
        )
 );
-TRACE_EVENT(drv_cancel_remain_on_channel,
+DEFINE_EVENT(local_only_evt, drv_cancel_remain_on_channel,
        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
+);
-        TP_ARGS(local),
+TRACE_EVENT(drv_offchannel_tx,
+        TP_PROTO(struct ieee80211_local *local, struct sk_buff *skb,
+                 struct ieee80211_channel *chan,
+                 enum nl80211_channel_type channel_type,
+                 unsigned int wait),
+        TP_ARGS(local, skb, chan, channel_type, wait),
        TP_STRUCT__entry(
                LOCAL_ENTRY
+                __field(int, center_freq)
+                __field(int, channel_type)
+                __field(unsigned int, wait)
        ),
        TP_fast_assign(
                LOCAL_ASSIGN;
+                __entry->center_freq = chan->center_freq;
+                __entry->channel_type = channel_type;
+                __entry->wait = wait;
        ),
        TP_printk(
-                LOCAL_PR_FMT, LOCAL_PR_ARG
+                LOCAL_PR_FMT " freq:%dMHz, wait:%dms",
+                LOCAL_PR_ARG, __entry->center_freq, __entry->wait
+        )
+);
+TRACE_EVENT(drv_set_ringparam,
+        TP_PROTO(struct ieee80211_local *local, u32 tx, u32 rx),
+        TP_ARGS(local, tx, rx),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                __field(u32, tx)
+                __field(u32, rx)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                __entry->tx = tx;
+                __entry->rx = rx;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT " tx:%d rx %d",
+                LOCAL_PR_ARG, __entry->tx, __entry->rx
+        )
+);
+TRACE_EVENT(drv_get_ringparam,
+        TP_PROTO(struct ieee80211_local *local, u32 *tx, u32 *tx_max,
+                 u32 *rx, u32 *rx_max),
+        TP_ARGS(local, tx, tx_max, rx, rx_max),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                __field(u32, tx)
+                __field(u32, tx_max)
+                __field(u32, rx)
+                __field(u32, rx_max)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                __entry->tx = *tx;
+                __entry->tx_max = *tx_max;
+                __entry->rx = *rx;
+                __entry->rx_max = *rx_max;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT " tx:%d tx_max %d rx %d rx_max %d",
+                LOCAL_PR_ARG,
+                __entry->tx, __entry->tx_max, __entry->rx, __entry->rx_max
+        )
+);
+DEFINE_EVENT(local_only_evt, drv_tx_frames_pending,
+        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
+);
+DEFINE_EVENT(local_only_evt, drv_offchannel_tx_cancel_wait,
+        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
+);
+TRACE_EVENT(drv_set_bitrate_mask,
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sub_if_data *sdata,
+                 const struct cfg80211_bitrate_mask *mask),
+        TP_ARGS(local, sdata, mask),
+        TP_STRUCT__entry(
+                LOCAL_ENTRY
+                VIF_ENTRY
+                __field(u32, legacy_2g)
+                __field(u32, legacy_5g)
+        ),
+        TP_fast_assign(
+                LOCAL_ASSIGN;
+                VIF_ASSIGN;
+                __entry->legacy_2g = mask->control[IEEE80211_BAND_2GHZ].legacy;
+                __entry->legacy_5g = mask->control[IEEE80211_BAND_5GHZ].legacy;
+        ),
+        TP_printk(
+                LOCAL_PR_FMT  VIF_PR_FMT " 2G Mask:0x%x 5G Mask:0x%x",
+                LOCAL_PR_ARG, VIF_PR_ARG, __entry->legacy_2g, __entry->legacy_5g
        )
 );
@@ -1069,23 +1110,9 @@ TRACE_EVENT(api_stop_tx_ba_cb,
        )
 );
-TRACE_EVENT(api_restart_hw,
+DEFINE_EVENT(local_only_evt, api_restart_hw,
        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
-        TP_ARGS(local),
-        TP_STRUCT__entry(
-                LOCAL_ENTRY
-        ),
-        TP_fast_assign(
-                LOCAL_ASSIGN;
-        ),
-        TP_printk(
-                LOCAL_PR_FMT,
-                LOCAL_PR_ARG
-        )
 );
 TRACE_EVENT(api_beacon_loss,
@@ -1169,87 +1196,97 @@ TRACE_EVENT(api_scan_completed,
        )
 );
-TRACE_EVENT(api_sta_block_awake,
+TRACE_EVENT(api_sched_scan_results,
-        TP_PROTO(struct ieee80211_local *local,
+        TP_PROTO(struct ieee80211_local *local),
-                 struct ieee80211_sta *sta, bool block),
-        TP_ARGS(local, sta, block),
+        TP_ARGS(local),
        TP_STRUCT__entry(
                LOCAL_ENTRY
-                STA_ENTRY
-                __field(bool, block)
        ),
        TP_fast_assign(
                LOCAL_ASSIGN;
-                STA_ASSIGN;
-                __entry->block = block;
        ),
        TP_printk(
-                LOCAL_PR_FMT STA_PR_FMT " block:%d",
+                LOCAL_PR_FMT, LOCAL_PR_ARG
-                LOCAL_PR_ARG, STA_PR_FMT, __entry->block
        )
 );
-TRACE_EVENT(api_chswitch_done,
+TRACE_EVENT(api_sched_scan_stopped,
-        TP_PROTO(struct ieee80211_sub_if_data *sdata, bool success),
+        TP_PROTO(struct ieee80211_local *local),
-        TP_ARGS(sdata, success),
+        TP_ARGS(local),
        TP_STRUCT__entry(
-                VIF_ENTRY
+                LOCAL_ENTRY
-                __field(bool, success)
        ),
        TP_fast_assign(
-                VIF_ASSIGN;
+                LOCAL_ASSIGN;
-                __entry->success = success;
        ),
        TP_printk(
-                VIF_PR_FMT " success=%d",
+                LOCAL_PR_FMT, LOCAL_PR_ARG
-                VIF_PR_ARG, __entry->success
        )
 );
-TRACE_EVENT(api_ready_on_channel,
+TRACE_EVENT(api_sta_block_awake,
-        TP_PROTO(struct ieee80211_local *local),
+        TP_PROTO(struct ieee80211_local *local,
+                 struct ieee80211_sta *sta, bool block),
-        TP_ARGS(local),
+        TP_ARGS(local, sta, block),
        TP_STRUCT__entry(
                LOCAL_ENTRY
+                STA_ENTRY
+                __field(bool, block)
        ),
        TP_fast_assign(
                LOCAL_ASSIGN;
+                STA_ASSIGN;
+                __entry->block = block;
        ),
        TP_printk(
-                LOCAL_PR_FMT, LOCAL_PR_ARG
+                LOCAL_PR_FMT STA_PR_FMT " block:%d",
+                LOCAL_PR_ARG, STA_PR_FMT, __entry->block
        )
 );
-TRACE_EVENT(api_remain_on_channel_expired,
+TRACE_EVENT(api_chswitch_done,
-        TP_PROTO(struct ieee80211_local *local),
+        TP_PROTO(struct ieee80211_sub_if_data *sdata, bool success),
-        TP_ARGS(local),
+        TP_ARGS(sdata, success),
        TP_STRUCT__entry(
-                LOCAL_ENTRY
+                VIF_ENTRY
+                __field(bool, success)
        ),
        TP_fast_assign(
-                LOCAL_ASSIGN;
+                VIF_ASSIGN;
+                __entry->success = success;
        ),
        TP_printk(
-                LOCAL_PR_FMT, LOCAL_PR_ARG
+                VIF_PR_FMT " success=%d",
+                VIF_PR_ARG, __entry->success
        )
 );
+DEFINE_EVENT(local_only_evt, api_ready_on_channel,
+        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
+);
+DEFINE_EVENT(local_only_evt, api_remain_on_channel_expired,
+        TP_PROTO(struct ieee80211_local *local),
+        TP_ARGS(local)
+);
 /*
 * Tracing for internal functions
 * (which may also be called in response to driver calls)
diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
index 75d679d75e63..591add22bcc0 100644
--- a/net/mac80211/ht.c
+++ b/net/mac80211/ht.c
@@ -66,6 +66,9 @@ void ieee80211_ht_cap_ie_to_sta_ht_cap(struct ieee80211_supported_band *sband,
        /* own MCS TX capabilities */
        tx_mcs_set_cap = sband->ht_cap.mcs.tx_params;
+        /* Copy peer MCS TX capabilities, the driver might need them. */
+        ht_cap->mcs.tx_params = ht_cap_ie->mcs.tx_params;
        /* can we TX with MCS rates? */
        if (!(tx_mcs_set_cap & IEEE80211_HT_MCS_TX_DEFINED))
                return;
@@ -79,7 +82,7 @@ void ieee80211_ht_cap_ie_to_sta_ht_cap(struct ieee80211_supported_band *sband,
                max_tx_streams = IEEE80211_HT_MCS_TX_MAX_STREAMS;
        /*
-         * 802.11n D5.0 20.3.5 / 20.6 says:
+         * 802.11n-2009 20.3.5 / 20.6 says:
         * - indices 0 to 7 and 32 are single spatial stream
         * - 8 to 31 are multiple spatial streams using equal modulation
         *   [8..15 for two streams, 16..23 for three and 24..31 for four]
@@ -137,14 +140,29 @@ void ieee80211_ba_session_work(struct work_struct *work)
                                sta, tid, WLAN_BACK_RECIPIENT,
                                WLAN_REASON_QSTA_TIMEOUT, true);
-                tid_tx = sta->ampdu_mlme.tid_tx[tid];
+                tid_tx = sta->ampdu_mlme.tid_start_tx[tid];
-                if (!tid_tx)
+                if (tid_tx) {
-                        continue;
+                        /*
+                         * Assign it over to the normal tid_tx array
+                         * where it "goes live".
+                         */
+                        spin_lock_bh(&sta->lock);
+                        sta->ampdu_mlme.tid_start_tx[tid] = NULL;
+                        /* could there be a race? */
+                        if (sta->ampdu_mlme.tid_tx[tid])
+                                kfree(tid_tx);
+                        else
+                                ieee80211_assign_tid_tx(sta, tid, tid_tx);
+                        spin_unlock_bh(&sta->lock);
-                if (test_bit(HT_AGG_STATE_WANT_START, &tid_tx->state))
                        ieee80211_tx_ba_session_handle_start(sta, tid);
-                else if (test_and_clear_bit(HT_AGG_STATE_WANT_STOP,
+                        continue;
-                                            &tid_tx->state))
+                }
+                tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
+                if (tid_tx && test_and_clear_bit(HT_AGG_STATE_WANT_STOP,
+                                                 &tid_tx->state))
                        ___ieee80211_stop_tx_ba_session(sta, tid,
                                                        WLAN_BACK_INITIATOR,
                                                        true);
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 53c7077ffd4f..421eaa6b0c2b 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -31,7 +31,6 @@
 #define IEEE80211_IBSS_JOIN_TIMEOUT (7 * HZ)
 #define IEEE80211_IBSS_MERGE_INTERVAL (30 * HZ)
-#define IEEE80211_IBSS_MERGE_DELAY 0x400000
 #define IEEE80211_IBSS_INACTIVITY_LIMIT (60 * HZ)
 #define IEEE80211_IBSS_MAX_STA_ENTRIES 128
@@ -41,7 +40,7 @@ static void ieee80211_rx_mgmt_auth_ibss(struct ieee80211_sub_if_data *sdata,
                                        struct ieee80211_mgmt *mgmt,
                                        size_t len)
 {
-        u16 auth_alg, auth_transaction, status_code;
+        u16 auth_alg, auth_transaction;
        lockdep_assert_held(&sdata->u.ibss.mtx);
@@ -50,7 +49,6 @@ static void ieee80211_rx_mgmt_auth_ibss(struct ieee80211_sub_if_data *sdata,
        auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg);
        auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction);
-        status_code = le16_to_cpu(mgmt->u.auth.status_code);
        /*
         * IEEE 802.11 standard does not require authentication in IBSS
@@ -270,7 +268,8 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
        enum ieee80211_band band = rx_status->band;
        if (elems->ds_params && elems->ds_params_len == 1)
-                freq = ieee80211_channel_to_frequency(elems->ds_params[0]);
+                freq = ieee80211_channel_to_frequency(elems->ds_params[0],
+                                                      band);
        else
                freq = rx_status->freq;
@@ -354,7 +353,7 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
        if (memcmp(cbss->bssid, sdata->u.ibss.bssid, ETH_ALEN) == 0)
                goto put_bss;
-        if (rx_status->flag & RX_FLAG_TSFT) {
+        if (rx_status->flag & RX_FLAG_MACTIME_MPDU) {
                /*
                 * For correct IBSS merging we need mactime; since mactime is
                 * defined as the time the first data symbol of the frame hits
@@ -396,10 +395,6 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
               jiffies);
 #endif
-        /* give slow hardware some time to do the TSF sync */
-        if (rx_timestamp < IEEE80211_IBSS_MERGE_DELAY)
-                goto put_bss;
        if (beacon_timestamp > rx_timestamp) {
 #ifdef CONFIG_MAC80211_IBSS_DEBUG
                printk(KERN_DEBUG "%s: beacon TSF higher than "
@@ -531,8 +526,6 @@ static void ieee80211_sta_merge_ibss(struct ieee80211_sub_if_data *sdata)
 static void ieee80211_sta_create_ibss(struct ieee80211_sub_if_data *sdata)
 {
        struct ieee80211_if_ibss *ifibss = &sdata->u.ibss;
-        struct ieee80211_local *local = sdata->local;
-        struct ieee80211_supported_band *sband;
        u8 bssid[ETH_ALEN];
        u16 capability;
        int i;
@@ -555,8 +548,6 @@ static void ieee80211_sta_create_ibss(struct ieee80211_sub_if_data *sdata)
        printk(KERN_DEBUG "%s: Creating new IBSS network, BSSID %pM\n",
               sdata->name, bssid);
-        sband = local->hw.wiphy->bands[ifibss->channel->band];
        capability = WLAN_CAPABILITY_IBSS;
        if (ifibss->privacy)
@@ -663,20 +654,24 @@ static void ieee80211_sta_find_ibss(struct ieee80211_sub_if_data *sdata)
 }
 static void ieee80211_rx_mgmt_probe_req(struct ieee80211_sub_if_data *sdata,
-                                        struct ieee80211_mgmt *mgmt,
+                                        struct sk_buff *req)
-                                        size_t len)
 {
+        struct ieee80211_mgmt *mgmt = (void *)req->data;
        struct ieee80211_if_ibss *ifibss = &sdata->u.ibss;
        struct ieee80211_local *local = sdata->local;
-        int tx_last_beacon;
+        int tx_last_beacon, len = req->len;
        struct sk_buff *skb;
        struct ieee80211_mgmt *resp;
+        struct sk_buff *presp;
        u8 *pos, *end;
        lockdep_assert_held(&ifibss->mtx);
+        presp = rcu_dereference_protected(ifibss->presp,
+                                          lockdep_is_held(&ifibss->mtx));
        if (ifibss->state != IEEE80211_IBSS_MLME_JOINED ||
-            len < 24 + 2 || !ifibss->presp)
+            len < 24 + 2 || !presp)
                return;
        tx_last_beacon = drv_tx_last_beacon(local);
@@ -688,7 +683,7 @@ static void ieee80211_rx_mgmt_probe_req(struct ieee80211_sub_if_data *sdata,
               mgmt->bssid, tx_last_beacon);
 #endif /* CONFIG_MAC80211_IBSS_DEBUG */
-        if (!tx_last_beacon)
+        if (!tx_last_beacon && is_multicast_ether_addr(mgmt->da))
                return;
        if (memcmp(mgmt->bssid, ifibss->bssid, ETH_ALEN) != 0 &&
@@ -714,7 +709,7 @@ static void ieee80211_rx_mgmt_probe_req(struct ieee80211_sub_if_data *sdata,
        }
        /* Reply with ProbeResp */
-        skb = skb_copy(ifibss->presp, GFP_KERNEL);
+        skb = skb_copy(presp, GFP_KERNEL);
        if (!skb)
                return;
@@ -785,7 +780,7 @@ void ieee80211_ibss_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
        switch (fc & IEEE80211_FCTL_STYPE) {
        case IEEE80211_STYPE_PROBE_REQ:
-                ieee80211_rx_mgmt_probe_req(sdata, mgmt, skb->len);
+                ieee80211_rx_mgmt_probe_req(sdata, skb);
                break;
        case IEEE80211_STYPE_PROBE_RESP:
                ieee80211_rx_mgmt_probe_resp(sdata, mgmt, skb->len,
@@ -994,7 +989,8 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
        /* remove beacon */
        kfree(sdata->u.ibss.ie);
-        skb = sdata->u.ibss.presp;
+        skb = rcu_dereference_protected(sdata->u.ibss.presp,
+                                        lockdep_is_held(&sdata->u.ibss.mtx));
        rcu_assign_pointer(sdata->u.ibss.presp, NULL);
        sdata->vif.bss_conf.ibss_joined = false;
        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON_ENABLED |
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 533fd32f49ff..2025af52b195 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -97,7 +97,7 @@ struct ieee80211_bss {
        size_t supp_rates_len;
        /*
-         * During assocation, we save an ERP value from a probe response so
+         * During association, we save an ERP value from a probe response so
         * that we can feed ERP info to the driver when handling the
         * association completes. these fields probably won't be up-to-date
         * otherwise, you probably don't want to use them.
@@ -214,7 +214,7 @@ struct beacon_data {
 };
 struct ieee80211_if_ap {
-        struct beacon_data *beacon;
+        struct beacon_data __rcu *beacon;
        struct list_head vlans;
@@ -225,6 +225,7 @@ struct ieee80211_if_ap {
        struct sk_buff_head ps_bc_buf;
        atomic_t num_sta_ps; /* number of stations in PS mode */
        int dtim_count;
+        bool dtim_bc_mc;
 };
 struct ieee80211_if_wds {
@@ -236,7 +237,7 @@ struct ieee80211_if_vlan {
        struct list_head list;
        /* used for all tx if the VLAN is configured to 4-addr mode */
-        struct sta_info *sta;
+        struct sta_info __rcu *sta;
 };
 struct mesh_stats {
@@ -441,7 +442,8 @@ struct ieee80211_if_ibss {
        unsigned long ibss_join_req;
        /* probe response/beacon for IBSS */
-        struct sk_buff *presp, *skb;
+        struct sk_buff __rcu *presp;
+        struct sk_buff *skb;
        enum {
                IEEE80211_IBSS_MLME_SEARCH,
@@ -487,8 +489,13 @@ struct ieee80211_if_mesh {
        struct mesh_config mshcfg;
        u32 mesh_seqnum;
        bool accepting_plinks;
-        const u8 *vendor_ie;
+        const u8 *ie;
-        u8 vendor_ie_len;
+        u8 ie_len;
+        enum {
+                IEEE80211_MESH_SEC_NONE = 0x0,
+                IEEE80211_MESH_SEC_AUTHED = 0x1,
+                IEEE80211_MESH_SEC_SECURED = 0x2,
+        } security;
 };
 #ifdef CONFIG_MAC80211_MESH
@@ -561,9 +568,10 @@ struct ieee80211_sub_if_data {
        struct ieee80211_fragment_entry fragments[IEEE80211_FRAGMENT_MAX];
        unsigned int fragment_next;
-        struct ieee80211_key *keys[NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS];
+        struct ieee80211_key __rcu *keys[NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS];
-        struct ieee80211_key *default_unicast_key, *default_multicast_key;
+        struct ieee80211_key __rcu *default_unicast_key;
-        struct ieee80211_key *default_mgmt_key;
+        struct ieee80211_key __rcu *default_multicast_key;
+        struct ieee80211_key __rcu *default_mgmt_key;
        u16 sequence_number;
        __be16 control_port_protocol;
@@ -654,8 +662,6 @@ struct tpt_led_trigger {
 *      well be on the operating channel
 * @SCAN_HW_SCANNING: The hardware is scanning for us, we have no way to
 *      determine if we are on the operating channel or not
- * @SCAN_OFF_CHANNEL: We're off our operating channel for scanning,
- *      gets only set in conjunction with SCAN_SW_SCANNING
 * @SCAN_COMPLETED: Set for our scan work function when the driver reported
 *      that the scan completed.
 * @SCAN_ABORTED: Set for our scan work function when the driver reported
@@ -664,7 +670,6 @@ struct tpt_led_trigger {
 enum {
        SCAN_SW_SCANNING,
        SCAN_HW_SCANNING,
-        SCAN_OFF_CHANNEL,
        SCAN_COMPLETED,
        SCAN_ABORTED,
 };
@@ -765,8 +770,14 @@ struct ieee80211_local {
        /* device is started */
        bool started;
+        /* wowlan is enabled -- don't reconfig on resume */
+        bool wowlan;
        int tx_headroom; /* required headroom for hardware/radiotap */
+        /* count for keys needing tailroom space allocation */
+        int crypto_tx_tailroom_needed_cnt;
        /* Tasklet and skb queue to process calls from IRQ mode. All frames
         * added to skb_queue will be processed, but frames in
         * skb_queue_unreliable may be dropped if the total length of these
@@ -796,7 +807,7 @@ struct ieee80211_local {
        spinlock_t sta_lock;
        unsigned long num_sta;
        struct list_head sta_list, sta_pending_list;
-        struct sta_info *sta_hash[STA_HASH_SIZE];
+        struct sta_info __rcu *sta_hash[STA_HASH_SIZE];
        struct timer_list sta_cleanup;
        struct work_struct sta_finish_work;
        int sta_generation;
@@ -811,8 +822,8 @@ struct ieee80211_local {
        struct rate_control_ref *rate_ctrl;
-        struct crypto_blkcipher *wep_tx_tfm;
+        struct crypto_cipher *wep_tx_tfm;
-        struct crypto_blkcipher *wep_rx_tfm;
+        struct crypto_cipher *wep_rx_tfm;
        u32 wep_iv;
        /* see iface.c */
@@ -838,6 +849,10 @@ struct ieee80211_local {
        int scan_channel_idx;
        int scan_ies_len;
+        bool sched_scanning;
+        struct ieee80211_sched_scan_ies sched_scan_ies;
+        struct work_struct sched_scan_stopped_work;
        unsigned long leave_oper_channel_time;
        enum mac80211_scan_state next_scan_state;
        struct delayed_work scan_work;
@@ -959,6 +974,7 @@ struct ieee80211_local {
        unsigned int hw_roc_duration;
        u32 hw_roc_cookie;
        bool hw_roc_for_tx;
+        unsigned long hw_offchan_tx_cookie;
        /* dummy netdev for use w/ NAPI */
        struct net_device napi_dev;
@@ -1068,8 +1084,6 @@ void ieee80211_bss_info_change_notify(struct ieee80211_sub_if_data *sdata,
 void ieee80211_configure_filter(struct ieee80211_local *local);
 u32 ieee80211_reset_erp_info(struct ieee80211_sub_if_data *sdata);
-extern bool ieee80211_disable_40mhz_24ghz;
 /* STA code */
 void ieee80211_sta_setup_sdata(struct ieee80211_sub_if_data *sdata);
 int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
@@ -1146,11 +1160,21 @@ ieee80211_rx_bss_get(struct ieee80211_local *local, u8 *bssid, int freq,
 void ieee80211_rx_bss_put(struct ieee80211_local *local,
                          struct ieee80211_bss *bss);
+/* scheduled scan handling */
+int ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata,
+                                       struct cfg80211_sched_scan_request *req);
+int ieee80211_request_sched_scan_stop(struct ieee80211_sub_if_data *sdata);
+void ieee80211_sched_scan_stopped_work(struct work_struct *work);
 /* off-channel helpers */
-void ieee80211_offchannel_stop_beaconing(struct ieee80211_local *local);
+bool ieee80211_cfg_on_oper_channel(struct ieee80211_local *local);
-void ieee80211_offchannel_stop_station(struct ieee80211_local *local);
+void ieee80211_offchannel_enable_all_ps(struct ieee80211_local *local,
+                                        bool tell_ap);
+void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
+                                    bool offchannel_ps_enable);
 void ieee80211_offchannel_return(struct ieee80211_local *local,
-                                 bool enable_beaconing);
+                                 bool enable_beaconing,
+                                 bool offchannel_ps_disable);
 void ieee80211_hw_roc_setup(struct ieee80211_local *local);
 /* interface handling */
@@ -1245,7 +1269,8 @@ int ieee80211_reconfig(struct ieee80211_local *local);
 void ieee80211_stop_device(struct ieee80211_local *local);
 #ifdef CONFIG_PM
-int __ieee80211_suspend(struct ieee80211_hw *hw);
+int __ieee80211_suspend(struct ieee80211_hw *hw,
+                        struct cfg80211_wowlan *wowlan);
 static inline int __ieee80211_resume(struct ieee80211_hw *hw)
 {
@@ -1258,7 +1283,8 @@ static inline int __ieee80211_resume(struct ieee80211_hw *hw)
        return ieee80211_reconfig(hw_to_local(hw));
 }
 #else
-static inline int __ieee80211_suspend(struct ieee80211_hw *hw)
+static inline int __ieee80211_suspend(struct ieee80211_hw *hw,
+                                      struct cfg80211_wowlan *wowlan)
 {
        return 0;
 }
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 7a10a8d1b2d0..7dfbe71dc637 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -382,6 +382,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
        struct sk_buff *skb, *tmp;
        u32 hw_reconf_flags = 0;
        int i;
+        enum nl80211_channel_type orig_ct;
        if (local->scan_sdata == sdata)
                ieee80211_scan_cancel(local);
@@ -448,7 +449,8 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
        /* APs need special treatment */
        if (sdata->vif.type == NL80211_IFTYPE_AP) {
                struct ieee80211_sub_if_data *vlan, *tmpsdata;
-                struct beacon_data *old_beacon = sdata->u.ap.beacon;
+                struct beacon_data *old_beacon =
+                        rtnl_dereference(sdata->u.ap.beacon);
                /* sdata_running will return false, so this will disable */
                ieee80211_bss_info_change_notify(sdata,
@@ -542,8 +544,14 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
                hw_reconf_flags = 0;
        }
+        /* Re-calculate channel-type, in case there are multiple vifs
+         * on different channel types.
+         */
+        orig_ct = local->_oper_channel_type;
+        ieee80211_set_channel_type(local, NULL, NL80211_CHAN_NO_HT);
        /* do after stop to avoid reconfiguring when we stop anyway */
-        if (hw_reconf_flags)
+        if (hw_reconf_flags || (orig_ct != local->_oper_channel_type))
                ieee80211_hw_config(local, hw_reconf_flags);
        spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
@@ -1137,10 +1145,6 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name,
                                + IEEE80211_ENCRYPT_HEADROOM;
        ndev->needed_tailroom = IEEE80211_ENCRYPT_TAILROOM;
-        ret = dev_alloc_name(ndev, ndev->name);
-        if (ret < 0)
-                goto fail;
        ieee80211_assign_perm_addr(local, ndev, type);
        memcpy(ndev->dev_addr, ndev->perm_addr, ETH_ALEN);
        SET_NETDEV_DEV(ndev, wiphy_dev(local->hw.wiphy));
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 8c02469b7176..31afd712930d 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -101,6 +101,11 @@ static int ieee80211_key_enable_hw_accel(struct ieee80211_key *key)
        if (!ret) {
                key->flags |= KEY_FLAG_UPLOADED_TO_HARDWARE;
+                if (!((key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC) ||
+                      (key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_IV)))
+                        key->local->crypto_tx_tailroom_needed_cnt--;
                return 0;
        }
@@ -156,6 +161,10 @@ static void ieee80211_key_disable_hw_accel(struct ieee80211_key *key)
                          key->conf.keyidx, sta ? sta->addr : bcast_addr, ret);
        key->flags &= ~KEY_FLAG_UPLOADED_TO_HARDWARE;
+        if (!((key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC) ||
+              (key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_IV)))
+                key->local->crypto_tx_tailroom_needed_cnt++;
 }
 void ieee80211_key_removed(struct ieee80211_key_conf *key_conf)
@@ -186,7 +195,7 @@ static void __ieee80211_set_default_key(struct ieee80211_sub_if_data *sdata,
        assert_key_lock(sdata->local);
        if (idx >= 0 && idx < NUM_DEFAULT_KEYS)
-                key = sdata->keys[idx];
+                key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
        if (uni)
                rcu_assign_pointer(sdata->default_unicast_key, key);
@@ -213,7 +222,7 @@ __ieee80211_set_default_mgmt_key(struct ieee80211_sub_if_data *sdata, int idx)
        if (idx >= NUM_DEFAULT_KEYS &&
            idx < NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS)
-                key = sdata->keys[idx];
+                key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
        rcu_assign_pointer(sdata->default_mgmt_key, key);
@@ -257,9 +266,15 @@ static void __ieee80211_key_replace(struct ieee80211_sub_if_data *sdata,
                else
                        idx = new->conf.keyidx;
-                defunikey = old && sdata->default_unicast_key == old;
+                defunikey = old &&
-                defmultikey = old && sdata->default_multicast_key == old;
+                        old == key_mtx_dereference(sdata->local,
-                defmgmtkey = old && sdata->default_mgmt_key == old;
+                                                sdata->default_unicast_key);
+                defmultikey = old &&
+                        old == key_mtx_dereference(sdata->local,
+                                                sdata->default_multicast_key);
+                defmgmtkey = old &&
+                        old == key_mtx_dereference(sdata->local,
+                                                sdata->default_mgmt_key);
                if (defunikey && !new)
                        __ieee80211_set_default_key(sdata, -1, true, false);
@@ -342,7 +357,7 @@ struct ieee80211_key *ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
                if (IS_ERR(key->u.ccmp.tfm)) {
                        err = PTR_ERR(key->u.ccmp.tfm);
                        kfree(key);
-                        key = ERR_PTR(err);
+                        return ERR_PTR(err);
                }
                break;
        case WLAN_CIPHER_SUITE_AES_CMAC:
@@ -360,7 +375,7 @@ struct ieee80211_key *ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
                if (IS_ERR(key->u.aes_cmac.tfm)) {
                        err = PTR_ERR(key->u.aes_cmac.tfm);
                        kfree(key);
-                        key = ERR_PTR(err);
+                        return ERR_PTR(err);
                }
                break;
        }
@@ -388,8 +403,10 @@ static void __ieee80211_key_destroy(struct ieee80211_key *key)
                ieee80211_aes_key_free(key->u.ccmp.tfm);
        if (key->conf.cipher == WLAN_CIPHER_SUITE_AES_CMAC)
                ieee80211_aes_cmac_key_free(key->u.aes_cmac.tfm);
-        if (key->local)
+        if (key->local) {
                ieee80211_debugfs_key_remove(key);
+                key->local->crypto_tx_tailroom_needed_cnt--;
+        }
        kfree(key);
 }
@@ -400,11 +417,12 @@ int ieee80211_key_link(struct ieee80211_key *key,
 {
        struct ieee80211_key *old_key;
        int idx, ret;
-        bool pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
+        bool pairwise;
        BUG_ON(!sdata);
        BUG_ON(!key);
+        pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
        idx = key->conf.keyidx;
        key->local = sdata->local;
        key->sdata = sdata;
@@ -439,17 +457,19 @@ int ieee80211_key_link(struct ieee80211_key *key,
        mutex_lock(&sdata->local->key_mtx);
        if (sta && pairwise)
-                old_key = sta->ptk;
+                old_key = key_mtx_dereference(sdata->local, sta->ptk);
        else if (sta)
-                old_key = sta->gtk[idx];
+                old_key = key_mtx_dereference(sdata->local, sta->gtk[idx]);
        else
-                old_key = sdata->keys[idx];
+                old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
        __ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
        __ieee80211_key_destroy(old_key);
        ieee80211_debugfs_key_add(key);
+        key->local->crypto_tx_tailroom_needed_cnt++;
        ret = ieee80211_key_enable_hw_accel(key);
        mutex_unlock(&sdata->local->key_mtx);
@@ -457,8 +477,11 @@ int ieee80211_key_link(struct ieee80211_key *key,
        return ret;
 }
-static void __ieee80211_key_free(struct ieee80211_key *key)
+void __ieee80211_key_free(struct ieee80211_key *key)
 {
+        if (!key)
+                return;
        /*
         * Replace key with nothingness if it was ever used.
         */
@@ -472,9 +495,6 @@ static void __ieee80211_key_free(struct ieee80211_key *key)
 void ieee80211_key_free(struct ieee80211_local *local,
                        struct ieee80211_key *key)
 {
-        if (!key)
-                return;
        mutex_lock(&local->key_mtx);
        __ieee80211_key_free(key);
        mutex_unlock(&local->key_mtx);
@@ -491,8 +511,12 @@ void ieee80211_enable_keys(struct ieee80211_sub_if_data *sdata)
        mutex_lock(&sdata->local->key_mtx);
-        list_for_each_entry(key, &sdata->key_list, list)
+        sdata->local->crypto_tx_tailroom_needed_cnt = 0;
+        list_for_each_entry(key, &sdata->key_list, list) {
+                sdata->local->crypto_tx_tailroom_needed_cnt++;
                ieee80211_key_enable_hw_accel(key);
+        }
        mutex_unlock(&sdata->local->key_mtx);
 }
diff --git a/net/mac80211/key.h b/net/mac80211/key.h
index 8106aa1b7466..d801d5351336 100644
--- a/net/mac80211/key.h
+++ b/net/mac80211/key.h
@@ -21,7 +21,6 @@
 #define WEP_IV_LEN              4
 #define WEP_ICV_LEN             4
-#define ALG_TKIP_KEY_LEN        32
 #define ALG_CCMP_KEY_LEN        16
 #define CCMP_HDR_LEN            8
 #define CCMP_MIC_LEN            8
@@ -136,6 +135,7 @@ struct ieee80211_key *ieee80211_key_alloc(u32 cipher, int idx, size_t key_len,
 int __must_check ieee80211_key_link(struct ieee80211_key *key,
                                    struct ieee80211_sub_if_data *sdata,
                                    struct sta_info *sta);
+void __ieee80211_key_free(struct ieee80211_key *key);
 void ieee80211_key_free(struct ieee80211_local *local,
                        struct ieee80211_key *key);
 void ieee80211_set_default_key(struct ieee80211_sub_if_data *sdata, int idx,
@@ -146,4 +146,7 @@ void ieee80211_free_keys(struct ieee80211_sub_if_data *sdata);
 void ieee80211_enable_keys(struct ieee80211_sub_if_data *sdata);
 void ieee80211_disable_keys(struct ieee80211_sub_if_data *sdata);
+#define key_mtx_dereference(local, ref) \
+        rcu_dereference_protected(ref, lockdep_is_held(&((local)->key_mtx)))
 #endif /* IEEE80211_KEY_H */
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index a46ff06d7cb8..0d7b08db8e56 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -33,12 +33,6 @@
 #include "cfg.h"
 #include "debugfs.h"
-bool ieee80211_disable_40mhz_24ghz;
-module_param(ieee80211_disable_40mhz_24ghz, bool, 0644);
-MODULE_PARM_DESC(ieee80211_disable_40mhz_24ghz,
-                 "Disable 40MHz support in the 2.4GHz band");
 static struct lock_class_key ieee80211_rx_skb_queue_class;
 void ieee80211_configure_filter(struct ieee80211_local *local)
@@ -98,6 +92,47 @@ static void ieee80211_reconfig_filter(struct work_struct *work)
        ieee80211_configure_filter(local);
 }
+/*
+ * Returns true if we are logically configured to be on
+ * the operating channel AND the hardware-conf is currently
+ * configured on the operating channel.  Compares channel-type
+ * as well.
+ */
+bool ieee80211_cfg_on_oper_channel(struct ieee80211_local *local)
+{
+        struct ieee80211_channel *chan, *scan_chan;
+        enum nl80211_channel_type channel_type;
+        /* This logic needs to match logic in ieee80211_hw_config */
+        if (local->scan_channel) {
+                chan = local->scan_channel;
+                /* If scanning on oper channel, use whatever channel-type
+                 * is currently in use.
+                 */
+                if (chan == local->oper_channel)
+                        channel_type = local->_oper_channel_type;
+                else
+                        channel_type = NL80211_CHAN_NO_HT;
+        } else if (local->tmp_channel) {
+                chan = scan_chan = local->tmp_channel;
+                channel_type = local->tmp_channel_type;
+        } else {
+                chan = local->oper_channel;
+                channel_type = local->_oper_channel_type;
+        }
+        if (chan != local->oper_channel ||
+            channel_type != local->_oper_channel_type)
+                return false;
+        /* Check current hardware-config against oper_channel. */
+        if ((local->oper_channel != local->hw.conf.channel) ||
+            (local->_oper_channel_type != local->hw.conf.channel_type))
+                return false;
+        return true;
+}
 int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
 {
        struct ieee80211_channel *chan, *scan_chan;
@@ -110,21 +145,33 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
        scan_chan = local->scan_channel;
+        /* If this off-channel logic ever changes,  ieee80211_on_oper_channel
+         * may need to change as well.
+         */
        offchannel_flag = local->hw.conf.flags & IEEE80211_CONF_OFFCHANNEL;
        if (scan_chan) {
                chan = scan_chan;
-                channel_type = NL80211_CHAN_NO_HT;
+                /* If scanning on oper channel, use whatever channel-type
-                local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
+                 * is currently in use.
-        } else if (local->tmp_channel &&
+                 */
-                   local->oper_channel != local->tmp_channel) {
+                if (chan == local->oper_channel)
+                        channel_type = local->_oper_channel_type;
+                else
+                        channel_type = NL80211_CHAN_NO_HT;
+        } else if (local->tmp_channel) {
                chan = scan_chan = local->tmp_channel;
                channel_type = local->tmp_channel_type;
-                local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
        } else {
                chan = local->oper_channel;
                channel_type = local->_oper_channel_type;
-                local->hw.conf.flags &= ~IEEE80211_CONF_OFFCHANNEL;
        }
+        if (chan != local->oper_channel ||
+            channel_type != local->_oper_channel_type)
+                local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
+        else
+                local->hw.conf.flags &= ~IEEE80211_CONF_OFFCHANNEL;
        offchannel_flag ^= local->hw.conf.flags & IEEE80211_CONF_OFFCHANNEL;
        if (offchannel_flag || chan != local->hw.conf.channel ||
@@ -146,7 +193,8 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
                changed |= IEEE80211_CONF_CHANGE_SMPS;
        }
-        if (scan_chan)
+        if ((local->scanning & SCAN_SW_SCANNING) ||
+            (local->scanning & SCAN_HW_SCANNING))
                power = chan->max_power;
        else
                power = local->power_constr_level ?
@@ -231,7 +279,7 @@ void ieee80211_bss_info_change_notify(struct ieee80211_sub_if_data *sdata,
        if (changed & BSS_CHANGED_BEACON_ENABLED) {
                if (local->quiescing || !ieee80211_sdata_running(sdata) ||
-                    test_bit(SCAN_SW_SCANNING, &local->scanning)) {
+                    test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state)) {
                        sdata->vif.bss_conf.enable_beacon = false;
                } else {
                        /*
@@ -310,7 +358,8 @@ static void ieee80211_restart_work(struct work_struct *work)
        flush_workqueue(local->workqueue);
        mutex_lock(&local->mtx);
-        WARN(test_bit(SCAN_HW_SCANNING, &local->scanning),
+        WARN(test_bit(SCAN_HW_SCANNING, &local->scanning) ||
+             local->sched_scanning,
                "%s called with hardware scan in progress\n", __func__);
        mutex_unlock(&local->mtx);
@@ -326,6 +375,9 @@ void ieee80211_restart_hw(struct ieee80211_hw *hw)
        trace_api_restart_hw(local);
+        wiphy_info(hw->wiphy,
+                   "Hardware restart was requested\n");
        /* use this reason, ieee80211_reconfig will unblock it */
        ieee80211_stop_queues_by_reason(hw,
                IEEE80211_QUEUE_STOP_REASON_SUSPEND);
@@ -488,7 +540,9 @@ ieee80211_default_mgmt_stypes[NUM_NL80211_IFTYPES] = {
        },
        [NL80211_IFTYPE_MESH_POINT] = {
                .tx = 0xffff,
-                .rx = BIT(IEEE80211_STYPE_ACTION >> 4),
+                .rx = BIT(IEEE80211_STYPE_ACTION >> 4) |
+                        BIT(IEEE80211_STYPE_AUTH >> 4) |
+                        BIT(IEEE80211_STYPE_DEAUTH >> 4),
        },
 };
@@ -527,8 +581,7 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
        wiphy->flags |= WIPHY_FLAG_NETNS_OK |
                        WIPHY_FLAG_4ADDR_AP |
-                        WIPHY_FLAG_4ADDR_STATION |
+                        WIPHY_FLAG_4ADDR_STATION;
-                        WIPHY_FLAG_SUPPORTS_SEPARATE_DEFAULT_KEYS;
        if (!ops->set_key)
                wiphy->flags |= WIPHY_FLAG_IBSS_RSN;
@@ -554,6 +607,7 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
        local->hw.queues = 1;
        local->hw.max_rates = 1;
        local->hw.max_report_rates = 0;
+        local->hw.max_rx_aggregation_subframes = IEEE80211_MAX_AMPDU_BUF;
        local->hw.conf.long_frame_max_tx_count = wiphy->retry_long;
        local->hw.conf.short_frame_max_tx_count = wiphy->retry_short;
        local->user_power_level = -1;
@@ -598,6 +652,9 @@ struct ieee80211_hw *ieee80211_alloc_hw(size_t priv_data_len,
        setup_timer(&local->dynamic_ps_timer,
                    ieee80211_dynamic_ps_timer, (unsigned long) local);
+        INIT_WORK(&local->sched_scan_stopped_work,
+                  ieee80211_sched_scan_stopped_work);
        sta_info_init(local);
        for (i = 0; i < IEEE80211_MAX_QUEUES; i++) {
@@ -628,7 +685,7 @@ EXPORT_SYMBOL(ieee80211_alloc_hw);
 int ieee80211_register_hw(struct ieee80211_hw *hw)
 {
        struct ieee80211_local *local = hw_to_local(hw);
-        int result;
+        int result, i;
        enum ieee80211_band band;
        int channels, max_bitrates;
        bool supp_ht;
@@ -643,6 +700,13 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
                WLAN_CIPHER_SUITE_AES_CMAC
        };
+        if ((hw->wiphy->wowlan.flags || hw->wiphy->wowlan.n_patterns)
+#ifdef CONFIG_PM
+            && (!local->ops->suspend || !local->ops->resume)
+#endif
+            )
+                return -EINVAL;
        if (hw->max_report_rates == 0)
                hw->max_report_rates = hw->max_rates;
@@ -679,17 +743,30 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
                return -ENOMEM;
        /* if low-level driver supports AP, we also support VLAN */
-        if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_AP))
+        if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_AP)) {
-                local->hw.wiphy->interface_modes |= BIT(NL80211_IFTYPE_AP_VLAN);
+                hw->wiphy->interface_modes |= BIT(NL80211_IFTYPE_AP_VLAN);
+                hw->wiphy->software_iftypes |= BIT(NL80211_IFTYPE_AP_VLAN);
+        }
        /* mac80211 always supports monitor */
-        local->hw.wiphy->interface_modes |= BIT(NL80211_IFTYPE_MONITOR);
+        hw->wiphy->interface_modes |= BIT(NL80211_IFTYPE_MONITOR);
+        hw->wiphy->software_iftypes |= BIT(NL80211_IFTYPE_MONITOR);
+        /* mac80211 doesn't support more than 1 channel */
+        for (i = 0; i < hw->wiphy->n_iface_combinations; i++)
+                if (hw->wiphy->iface_combinations[i].num_different_channels > 1)
+                        return -EINVAL;
 #ifndef CONFIG_MAC80211_MESH
        /* mesh depends on Kconfig, but drivers should set it if they want */
        local->hw.wiphy->interface_modes &= ~BIT(NL80211_IFTYPE_MESH_POINT);
 #endif
+        /* if the underlying driver supports mesh, mac80211 will (at least)
+         * provide routing of mesh authentication frames to userspace */
+        if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_MESH_POINT))
+                local->hw.wiphy->flags |= WIPHY_FLAG_MESH_AUTH;
        /* mac80211 supports control port protocol changing */
        local->hw.wiphy->flags |= WIPHY_FLAG_CONTROL_PORT_PROTOCOL;
@@ -768,6 +845,9 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
        if (!local->ops->remain_on_channel)
                local->hw.wiphy->max_remain_on_channel_duration = 5000;
+        if (local->ops->sched_scan_start)
+                local->hw.wiphy->flags |= WIPHY_FLAG_SUPPORTS_SCHED_SCAN;
        result = wiphy_register(local->hw.wiphy);
        if (result < 0)
                goto fail_wiphy_register;
@@ -791,8 +871,10 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
         * and we need some headroom for passing the frame to monitor
         * interfaces, but never both at the same time.
         */
+#ifndef __CHECKER__
        BUILD_BUG_ON(IEEE80211_TX_STATUS_HEADROOM !=
                        sizeof(struct ieee80211_tx_status_rtap_hdr));
+#endif
        local->tx_headroom = max_t(unsigned int , local->hw.extra_tx_headroom,
                                   sizeof(struct ieee80211_tx_status_rtap_hdr));
@@ -809,10 +891,6 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
        local->dynamic_ps_forced_timeout = -1;
-        result = sta_info_start(local);
-        if (result < 0)
-                goto fail_sta_info;
        result = ieee80211_wep_init(local);
        if (result < 0)
                wiphy_debug(local->hw.wiphy, "Failed to initialize wep: %d\n",
@@ -875,7 +953,6 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
        rtnl_unlock();
        ieee80211_wep_free(local);
        sta_info_stop(local);
- fail_sta_info:
        destroy_workqueue(local->workqueue);
 fail_workqueue:
        wiphy_unregister(local->hw.wiphy);
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index ca3af4685b0a..29e9980c8e60 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -279,57 +279,14 @@ void mesh_mgmt_ies_add(struct sk_buff *skb, struct ieee80211_sub_if_data *sdata)
            MESHCONF_CAPAB_ACCEPT_PLINKS : 0x00;
        *pos++ = 0x00;
-        if (sdata->u.mesh.vendor_ie) {
+        if (sdata->u.mesh.ie) {
-                int len = sdata->u.mesh.vendor_ie_len;
+                int len = sdata->u.mesh.ie_len;
-                const u8 *data = sdata->u.mesh.vendor_ie;
+                const u8 *data = sdata->u.mesh.ie;
                if (skb_tailroom(skb) > len)
                        memcpy(skb_put(skb, len), data, len);
        }
 }
-u32 mesh_table_hash(u8 *addr, struct ieee80211_sub_if_data *sdata, struct mesh_table *tbl)
-{
-        /* Use last four bytes of hw addr and interface index as hash index */
-        return jhash_2words(*(u32 *)(addr+2), sdata->dev->ifindex, tbl->hash_rnd)
-                & tbl->hash_mask;
-}
-struct mesh_table *mesh_table_alloc(int size_order)
-{
-        int i;
-        struct mesh_table *newtbl;
-        newtbl = kmalloc(sizeof(struct mesh_table), GFP_KERNEL);
-        if (!newtbl)
-                return NULL;
-        newtbl->hash_buckets = kzalloc(sizeof(struct hlist_head) *
-                        (1 << size_order), GFP_KERNEL);
-        if (!newtbl->hash_buckets) {
-                kfree(newtbl);
-                return NULL;
-        }
-        newtbl->hashwlock = kmalloc(sizeof(spinlock_t) *
-                        (1 << size_order), GFP_KERNEL);
-        if (!newtbl->hashwlock) {
-                kfree(newtbl->hash_buckets);
-                kfree(newtbl);
-                return NULL;
-        }
-        newtbl->size_order = size_order;
-        newtbl->hash_mask = (1 << size_order) - 1;
-        atomic_set(&newtbl->entries,  0);
-        get_random_bytes(&newtbl->hash_rnd,
-                        sizeof(newtbl->hash_rnd));
-        for (i = 0; i <= newtbl->hash_mask; i++)
-                spin_lock_init(&newtbl->hashwlock[i]);
-        return newtbl;
-}
 static void ieee80211_mesh_path_timer(unsigned long data)
 {
@@ -573,8 +530,12 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
        ieee802_11_parse_elems(mgmt->u.probe_resp.variable, len - baselen,
                               &elems);
+        /* ignore beacons from secure mesh peers if our security is off */
+        if (elems.rsn_len && sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE)
+                return;
        if (elems.ds_params && elems.ds_params_len == 1)
-                freq = ieee80211_channel_to_frequency(elems.ds_params[0]);
+                freq = ieee80211_channel_to_frequency(elems.ds_params[0], band);
        else
                freq = rx_status->freq;
@@ -586,9 +547,7 @@ static void ieee80211_mesh_rx_bcn_presp(struct ieee80211_sub_if_data *sdata,
        if (elems.mesh_id && elems.mesh_config &&
            mesh_matches_local(&elems, sdata)) {
                supp_rates = ieee80211_sta_get_rates(local, &elems, band);
+                mesh_neighbour_update(mgmt->sa, supp_rates, sdata, &elems);
-                mesh_neighbour_update(mgmt->sa, supp_rates, sdata,
-                                      mesh_peer_accepts_plinks(&elems));
        }
 }
@@ -598,7 +557,7 @@ static void ieee80211_mesh_rx_mgmt_action(struct ieee80211_sub_if_data *sdata,
                                          struct ieee80211_rx_status *rx_status)
 {
        switch (mgmt->u.action.category) {
-        case WLAN_CATEGORY_MESH_PLINK:
+        case WLAN_CATEGORY_MESH_ACTION:
                mesh_rx_plink_frame(sdata, mgmt, len, rx_status);
                break;
        case WLAN_CATEGORY_MESH_PATH_SEL:
@@ -611,12 +570,9 @@ void ieee80211_mesh_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
                                   struct sk_buff *skb)
 {
        struct ieee80211_rx_status *rx_status;
-        struct ieee80211_if_mesh *ifmsh;
        struct ieee80211_mgmt *mgmt;
        u16 stype;
-        ifmsh = &sdata->u.mesh;
        rx_status = IEEE80211_SKB_RXCB(skb);
        mgmt = (struct ieee80211_mgmt *) skb->data;
        stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE;
@@ -645,7 +601,7 @@ void ieee80211_mesh_work(struct ieee80211_sub_if_data *sdata)
        if (test_and_clear_bit(MESH_WORK_GROW_MPATH_TABLE, &ifmsh->wrkq_flags))
                mesh_mpath_table_grow();
-        if (test_and_clear_bit(MESH_WORK_GROW_MPATH_TABLE, &ifmsh->wrkq_flags))
+        if (test_and_clear_bit(MESH_WORK_GROW_MPP_TABLE, &ifmsh->wrkq_flags))
                mesh_mpp_table_grow();
        if (test_and_clear_bit(MESH_WORK_HOUSEKEEPING, &ifmsh->wrkq_flags))
diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h
index b99e230fe31c..e7c5fddb4804 100644
--- a/net/mac80211/mesh.h
+++ b/net/mac80211/mesh.h
@@ -92,7 +92,7 @@ struct mesh_path {
        u8 dst[ETH_ALEN];
        u8 mpp[ETH_ALEN];       /* used for MPP or MAP */
        struct ieee80211_sub_if_data *sdata;
-        struct sta_info *next_hop;
+        struct sta_info __rcu *next_hop;
        struct timer_list timer;
        struct sk_buff_head frame_queue;
        struct rcu_head rcu;
@@ -226,7 +226,8 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
 int mesh_path_add(u8 *dst, struct ieee80211_sub_if_data *sdata);
 /* Mesh plinks */
 void mesh_neighbour_update(u8 *hw_addr, u32 rates,
-                struct ieee80211_sub_if_data *sdata, bool add);
+                struct ieee80211_sub_if_data *sdata,
+                struct ieee802_11_elems *ie);
 bool mesh_peer_accepts_plinks(struct ieee802_11_elems *ie);
 void mesh_accept_plinks_update(struct ieee80211_sub_if_data *sdata);
 void mesh_plink_broken(struct sta_info *sta);
@@ -239,12 +240,8 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata,
 /* Private interfaces */
 /* Mesh tables */
-struct mesh_table *mesh_table_alloc(int size_order);
-void mesh_table_free(struct mesh_table *tbl, bool free_leafs);
 void mesh_mpath_table_grow(void);
 void mesh_mpp_table_grow(void);
-u32 mesh_table_hash(u8 *addr, struct ieee80211_sub_if_data *sdata,
-                struct mesh_table *tbl);
 /* Mesh paths */
 int mesh_path_error_tx(u8 ttl, u8 *target, __le32 target_sn, __le16 target_rcode,
                       const u8 *ra, struct ieee80211_sub_if_data *sdata);
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 5bf64d7112b3..2b18053070c1 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -391,7 +391,6 @@ static u32 hwmp_route_info_get(struct ieee80211_sub_if_data *sdata,
                            (mpath->flags & MESH_PATH_SN_VALID)) {
                                if (SN_GT(mpath->sn, orig_sn) ||
                                    (mpath->sn == orig_sn &&
-                                     action == MPATH_PREQ &&
                                     new_metric >= mpath->metric)) {
                                        process = false;
                                        fresh_info = false;
@@ -561,6 +560,14 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata,
 }
+static inline struct sta_info *
+next_hop_deref_protected(struct mesh_path *mpath)
+{
+        return rcu_dereference_protected(mpath->next_hop,
+                                         lockdep_is_held(&mpath->state_lock));
+}
 static void hwmp_prep_frame_process(struct ieee80211_sub_if_data *sdata,
                                    struct ieee80211_mgmt *mgmt,
                                    u8 *prep_elem, u32 metric)
@@ -600,7 +607,7 @@ static void hwmp_prep_frame_process(struct ieee80211_sub_if_data *sdata,
                spin_unlock_bh(&mpath->state_lock);
                goto fail;
        }
-        memcpy(next_hop, mpath->next_hop->sta.addr, ETH_ALEN);
+        memcpy(next_hop, next_hop_deref_protected(mpath)->sta.addr, ETH_ALEN);
        spin_unlock_bh(&mpath->state_lock);
        --ttl;
        flags = PREP_IE_FLAGS(prep_elem);
@@ -633,7 +640,6 @@ static void hwmp_perr_frame_process(struct ieee80211_sub_if_data *sdata,
        struct mesh_path *mpath;
        u8 ttl;
        u8 *ta, *target_addr;
-        u8 target_flags;
        u32 target_sn;
        u16 target_rcode;
@@ -644,7 +650,6 @@ static void hwmp_perr_frame_process(struct ieee80211_sub_if_data *sdata,
                return;
        }
        ttl--;
-        target_flags = PERR_IE_TARGET_FLAGS(perr_elem);
        target_addr = PERR_IE_TARGET_ADDR(perr_elem);
        target_sn = PERR_IE_TARGET_SN(perr_elem);
        target_rcode = PERR_IE_TARGET_RCODE(perr_elem);
@@ -654,7 +659,8 @@ static void hwmp_perr_frame_process(struct ieee80211_sub_if_data *sdata,
        if (mpath) {
                spin_lock_bh(&mpath->state_lock);
                if (mpath->flags & MESH_PATH_ACTIVE &&
-                    memcmp(ta, mpath->next_hop->sta.addr, ETH_ALEN) == 0 &&
+                    memcmp(ta, next_hop_deref_protected(mpath)->sta.addr,
+                                                        ETH_ALEN) == 0 &&
                    (!(mpath->flags & MESH_PATH_SN_VALID) ||
                    SN_GT(target_sn, mpath->sn))) {
                        mpath->flags &= ~MESH_PATH_ACTIVE;
@@ -675,12 +681,10 @@ static void hwmp_rann_frame_process(struct ieee80211_sub_if_data *sdata,
 {
        struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
        struct mesh_path *mpath;
-        u8 *ta;
        u8 ttl, flags, hopcount;
        u8 *orig_addr;
        u32 orig_sn, metric;
-        ta = mgmt->sa;
        ttl = rann->rann_ttl;
        if (ttl <= 1) {
                ifmsh->mshstats.dropped_frames_ttl++;
@@ -918,6 +922,7 @@ int mesh_nexthop_lookup(struct sk_buff *skb,
 {
        struct sk_buff *skb_to_free = NULL;
        struct mesh_path *mpath;
+        struct sta_info *next_hop;
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
        u8 *target_addr = hdr->addr3;
        int err = 0;
@@ -945,7 +950,11 @@ int mesh_nexthop_lookup(struct sk_buff *skb,
                        mesh_queue_preq(mpath,
                                        PREQ_Q_F_START | PREQ_Q_F_REFRESH);
                }
-                memcpy(hdr->addr1, mpath->next_hop->sta.addr, ETH_ALEN);
+                next_hop = rcu_dereference(mpath->next_hop);
+                if (next_hop)
+                        memcpy(hdr->addr1, next_hop->sta.addr, ETH_ALEN);
+                else
+                        err = -ENOENT;
        } else {
                struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
                if (!(mpath->flags & MESH_PATH_RESOLVING)) {
@@ -971,20 +980,11 @@ endlookup:
 void mesh_path_timer(unsigned long data)
 {
-        struct ieee80211_sub_if_data *sdata;
+        struct mesh_path *mpath = (void *) data;
-        struct mesh_path *mpath;
+        struct ieee80211_sub_if_data *sdata = mpath->sdata;
-        rcu_read_lock();
-        mpath = (struct mesh_path *) data;
-        mpath = rcu_dereference(mpath);
-        if (!mpath)
-                goto endmpathtimer;
-        sdata = mpath->sdata;
-        if (sdata->local->quiescing) {
+        if (sdata->local->quiescing)
-                rcu_read_unlock();
                return;
-        }
        spin_lock_bh(&mpath->state_lock);
        if (mpath->flags & MESH_PATH_RESOLVED ||
@@ -1001,8 +1001,6 @@ void mesh_path_timer(unsigned long data)
        }
        spin_unlock_bh(&mpath->state_lock);
-endmpathtimer:
-        rcu_read_unlock();
 }
 void
diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index 8d65b47d9837..83ce48e31913 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -40,6 +40,50 @@ static struct mesh_table *mesh_paths;
 static struct mesh_table *mpp_paths; /* Store paths for MPP&MAP */
 int mesh_paths_generation;
+/* This lock will have the grow table function as writer and add / delete nodes
+ * as readers. When reading the table (i.e. doing lookups) we are well protected
+ * by RCU
+ */
+static DEFINE_RWLOCK(pathtbl_resize_lock);
+static struct mesh_table *mesh_table_alloc(int size_order)
+{
+        int i;
+        struct mesh_table *newtbl;
+        newtbl = kmalloc(sizeof(struct mesh_table), GFP_KERNEL);
+        if (!newtbl)
+                return NULL;
+        newtbl->hash_buckets = kzalloc(sizeof(struct hlist_head) *
+                        (1 << size_order), GFP_KERNEL);
+        if (!newtbl->hash_buckets) {
+                kfree(newtbl);
+                return NULL;
+        }
+        newtbl->hashwlock = kmalloc(sizeof(spinlock_t) *
+                        (1 << size_order), GFP_KERNEL);
+        if (!newtbl->hashwlock) {
+                kfree(newtbl->hash_buckets);
+                kfree(newtbl);
+                return NULL;
+        }
+        newtbl->size_order = size_order;
+        newtbl->hash_mask = (1 << size_order) - 1;
+        atomic_set(&newtbl->entries,  0);
+        get_random_bytes(&newtbl->hash_rnd,
+                        sizeof(newtbl->hash_rnd));
+        for (i = 0; i <= newtbl->hash_mask; i++)
+                spin_lock_init(&newtbl->hashwlock[i]);
+        return newtbl;
+}
 static void __mesh_table_free(struct mesh_table *tbl)
 {
        kfree(tbl->hash_buckets);
@@ -47,7 +91,7 @@ static void __mesh_table_free(struct mesh_table *tbl)
        kfree(tbl);
 }
-void mesh_table_free(struct mesh_table *tbl, bool free_leafs)
+static void mesh_table_free(struct mesh_table *tbl, bool free_leafs)
 {
        struct hlist_head *mesh_hash;
        struct hlist_node *p, *q;
@@ -55,60 +99,56 @@ void mesh_table_free(struct mesh_table *tbl, bool free_leafs)
        mesh_hash = tbl->hash_buckets;
        for (i = 0; i <= tbl->hash_mask; i++) {
-                spin_lock(&tbl->hashwlock[i]);
+                spin_lock_bh(&tbl->hashwlock[i]);
                hlist_for_each_safe(p, q, &mesh_hash[i]) {
                        tbl->free_node(p, free_leafs);
                        atomic_dec(&tbl->entries);
                }
-                spin_unlock(&tbl->hashwlock[i]);
+                spin_unlock_bh(&tbl->hashwlock[i]);
        }
        __mesh_table_free(tbl);
 }
-static struct mesh_table *mesh_table_grow(struct mesh_table *tbl)
+static int mesh_table_grow(struct mesh_table *oldtbl,
+                           struct mesh_table *newtbl)
 {
-        struct mesh_table *newtbl;
        struct hlist_head *oldhash;
        struct hlist_node *p, *q;
        int i;
-        if (atomic_read(&tbl->entries)
+        if (atomic_read(&oldtbl->entries)
-                        < tbl->mean_chain_len * (tbl->hash_mask + 1))
+                        < oldtbl->mean_chain_len * (oldtbl->hash_mask + 1))
-                goto endgrow;
+                return -EAGAIN;
-        newtbl = mesh_table_alloc(tbl->size_order + 1);
-        if (!newtbl)
-                goto endgrow;
-        newtbl->free_node = tbl->free_node;
+        newtbl->free_node = oldtbl->free_node;
-        newtbl->mean_chain_len = tbl->mean_chain_len;
+        newtbl->mean_chain_len = oldtbl->mean_chain_len;
-        newtbl->copy_node = tbl->copy_node;
+        newtbl->copy_node = oldtbl->copy_node;
-        atomic_set(&newtbl->entries, atomic_read(&tbl->entries));
+        atomic_set(&newtbl->entries, atomic_read(&oldtbl->entries));
-        oldhash = tbl->hash_buckets;
+        oldhash = oldtbl->hash_buckets;
-        for (i = 0; i <= tbl->hash_mask; i++)
+        for (i = 0; i <= oldtbl->hash_mask; i++)
                hlist_for_each(p, &oldhash[i])
-                        if (tbl->copy_node(p, newtbl) < 0)
+                        if (oldtbl->copy_node(p, newtbl) < 0)
                                goto errcopy;
-        return newtbl;
+        return 0;
 errcopy:
        for (i = 0; i <= newtbl->hash_mask; i++) {
                hlist_for_each_safe(p, q, &newtbl->hash_buckets[i])
-                        tbl->free_node(p, 0);
+                        oldtbl->free_node(p, 0);
        }
-        __mesh_table_free(newtbl);
+        return -ENOMEM;
-endgrow:
-        return NULL;
 }
+static u32 mesh_table_hash(u8 *addr, struct ieee80211_sub_if_data *sdata,
+                           struct mesh_table *tbl)
+{
+        /* Use last four bytes of hw addr and interface index as hash index */
+        return jhash_2words(*(u32 *)(addr+2), sdata->dev->ifindex, tbl->hash_rnd)
+                & tbl->hash_mask;
+}
-/* This lock will have the grow table function as writer and add / delete nodes
- * as readers. When reading the table (i.e. doing lookups) we are well protected
- * by RCU
- */
-static DEFINE_RWLOCK(pathtbl_resize_lock);
 /**
 *
@@ -280,7 +320,7 @@ int mesh_path_add(u8 *dst, struct ieee80211_sub_if_data *sdata)
        if (!new_node)
                goto err_node_alloc;
-        read_lock(&pathtbl_resize_lock);
+        read_lock_bh(&pathtbl_resize_lock);
        memcpy(new_mpath->dst, dst, ETH_ALEN);
        new_mpath->sdata = sdata;
        new_mpath->flags = 0;
@@ -295,7 +335,7 @@ int mesh_path_add(u8 *dst, struct ieee80211_sub_if_data *sdata)
        hash_idx = mesh_table_hash(dst, sdata, mesh_paths);
        bucket = &mesh_paths->hash_buckets[hash_idx];
-        spin_lock(&mesh_paths->hashwlock[hash_idx]);
+        spin_lock_bh(&mesh_paths->hashwlock[hash_idx]);
        err = -EEXIST;
        hlist_for_each_entry(node, n, bucket, list) {
@@ -311,8 +351,8 @@ int mesh_path_add(u8 *dst, struct ieee80211_sub_if_data *sdata)
        mesh_paths_generation++;
-        spin_unlock(&mesh_paths->hashwlock[hash_idx]);
+        spin_unlock_bh(&mesh_paths->hashwlock[hash_idx]);
-        read_unlock(&pathtbl_resize_lock);
+        read_unlock_bh(&pathtbl_resize_lock);
        if (grow) {
                set_bit(MESH_WORK_GROW_MPATH_TABLE,  &ifmsh->wrkq_flags);
                ieee80211_queue_work(&local->hw, &sdata->work);
@@ -320,8 +360,8 @@ int mesh_path_add(u8 *dst, struct ieee80211_sub_if_data *sdata)
        return 0;
 err_exists:
-        spin_unlock(&mesh_paths->hashwlock[hash_idx]);
+        spin_unlock_bh(&mesh_paths->hashwlock[hash_idx]);
-        read_unlock(&pathtbl_resize_lock);
+        read_unlock_bh(&pathtbl_resize_lock);
        kfree(new_node);
 err_node_alloc:
        kfree(new_mpath);
@@ -334,15 +374,21 @@ void mesh_mpath_table_grow(void)
 {
        struct mesh_table *oldtbl, *newtbl;
-        write_lock(&pathtbl_resize_lock);
+        rcu_read_lock();
+        newtbl = mesh_table_alloc(rcu_dereference(mesh_paths)->size_order + 1);
+        if (!newtbl)
+                return;
+        write_lock_bh(&pathtbl_resize_lock);
        oldtbl = mesh_paths;
-        newtbl = mesh_table_grow(mesh_paths);
+        if (mesh_table_grow(mesh_paths, newtbl) < 0) {
-        if (!newtbl) {
+                rcu_read_unlock();
-                write_unlock(&pathtbl_resize_lock);
+                __mesh_table_free(newtbl);
+                write_unlock_bh(&pathtbl_resize_lock);
                return;
        }
+        rcu_read_unlock();
        rcu_assign_pointer(mesh_paths, newtbl);
-        write_unlock(&pathtbl_resize_lock);
+        write_unlock_bh(&pathtbl_resize_lock);
        synchronize_rcu();
        mesh_table_free(oldtbl, false);
@@ -352,15 +398,21 @@ void mesh_mpp_table_grow(void)
 {
        struct mesh_table *oldtbl, *newtbl;
-        write_lock(&pathtbl_resize_lock);
+        rcu_read_lock();
+        newtbl = mesh_table_alloc(rcu_dereference(mpp_paths)->size_order + 1);
+        if (!newtbl)
+                return;
+        write_lock_bh(&pathtbl_resize_lock);
        oldtbl = mpp_paths;
-        newtbl = mesh_table_grow(mpp_paths);
+        if (mesh_table_grow(mpp_paths, newtbl) < 0) {
-        if (!newtbl) {
+                rcu_read_unlock();
-                write_unlock(&pathtbl_resize_lock);
+                __mesh_table_free(newtbl);
+                write_unlock_bh(&pathtbl_resize_lock);
                return;
        }
+        rcu_read_unlock();
        rcu_assign_pointer(mpp_paths, newtbl);
-        write_unlock(&pathtbl_resize_lock);
+        write_unlock_bh(&pathtbl_resize_lock);
        synchronize_rcu();
        mesh_table_free(oldtbl, false);
@@ -394,7 +446,7 @@ int mpp_path_add(u8 *dst, u8 *mpp, struct ieee80211_sub_if_data *sdata)
        if (!new_node)
                goto err_node_alloc;
-        read_lock(&pathtbl_resize_lock);
+        read_lock_bh(&pathtbl_resize_lock);
        memcpy(new_mpath->dst, dst, ETH_ALEN);
        memcpy(new_mpath->mpp, mpp, ETH_ALEN);
        new_mpath->sdata = sdata;
@@ -407,7 +459,7 @@ int mpp_path_add(u8 *dst, u8 *mpp, struct ieee80211_sub_if_data *sdata)
        hash_idx = mesh_table_hash(dst, sdata, mpp_paths);
        bucket = &mpp_paths->hash_buckets[hash_idx];
-        spin_lock(&mpp_paths->hashwlock[hash_idx]);
+        spin_lock_bh(&mpp_paths->hashwlock[hash_idx]);
        err = -EEXIST;
        hlist_for_each_entry(node, n, bucket, list) {
@@ -421,8 +473,8 @@ int mpp_path_add(u8 *dst, u8 *mpp, struct ieee80211_sub_if_data *sdata)
                mpp_paths->mean_chain_len * (mpp_paths->hash_mask + 1))
                grow = 1;
-        spin_unlock(&mpp_paths->hashwlock[hash_idx]);
+        spin_unlock_bh(&mpp_paths->hashwlock[hash_idx]);
-        read_unlock(&pathtbl_resize_lock);
+        read_unlock_bh(&pathtbl_resize_lock);
        if (grow) {
                set_bit(MESH_WORK_GROW_MPP_TABLE,  &ifmsh->wrkq_flags);
                ieee80211_queue_work(&local->hw, &sdata->work);
@@ -430,8 +482,8 @@ int mpp_path_add(u8 *dst, u8 *mpp, struct ieee80211_sub_if_data *sdata)
        return 0;
 err_exists:
-        spin_unlock(&mpp_paths->hashwlock[hash_idx]);
+        spin_unlock_bh(&mpp_paths->hashwlock[hash_idx]);
-        read_unlock(&pathtbl_resize_lock);
+        read_unlock_bh(&pathtbl_resize_lock);
        kfree(new_node);
 err_node_alloc:
        kfree(new_mpath);
@@ -544,11 +596,11 @@ int mesh_path_del(u8 *addr, struct ieee80211_sub_if_data *sdata)
        int hash_idx;
        int err = 0;
-        read_lock(&pathtbl_resize_lock);
+        read_lock_bh(&pathtbl_resize_lock);
        hash_idx = mesh_table_hash(addr, sdata, mesh_paths);
        bucket = &mesh_paths->hash_buckets[hash_idx];
-        spin_lock(&mesh_paths->hashwlock[hash_idx]);
+        spin_lock_bh(&mesh_paths->hashwlock[hash_idx]);
        hlist_for_each_entry(node, n, bucket, list) {
                mpath = node->mpath;
                if (mpath->sdata == sdata &&
@@ -566,8 +618,8 @@ int mesh_path_del(u8 *addr, struct ieee80211_sub_if_data *sdata)
        err = -ENXIO;
 enddel:
        mesh_paths_generation++;
-        spin_unlock(&mesh_paths->hashwlock[hash_idx]);
+        spin_unlock_bh(&mesh_paths->hashwlock[hash_idx]);
-        read_unlock(&pathtbl_resize_lock);
+        read_unlock_bh(&pathtbl_resize_lock);
        return err;
 }
@@ -628,7 +680,7 @@ void mesh_path_discard_frame(struct sk_buff *skb,
 *
 * @mpath: mesh path whose queue has to be freed
 *
- * Locking: the function must me called withing a rcu_read_lock region
+ * Locking: the function must me called within a rcu_read_lock region
 */
 void mesh_path_flush_pending(struct mesh_path *mpath)
 {
@@ -719,7 +771,7 @@ void mesh_path_expire(struct ieee80211_sub_if_data *sdata)
        struct hlist_node *p;
        int i;
-        read_lock(&pathtbl_resize_lock);
+        read_lock_bh(&pathtbl_resize_lock);
        for_each_mesh_entry(mesh_paths, p, node, i) {
                if (node->mpath->sdata != sdata)
                        continue;
@@ -734,7 +786,7 @@ void mesh_path_expire(struct ieee80211_sub_if_data *sdata)
                } else
                        spin_unlock_bh(&mpath->state_lock);
        }
-        read_unlock(&pathtbl_resize_lock);
+        read_unlock_bh(&pathtbl_resize_lock);
 }
 void mesh_pathtbl_unregister(void)
diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index 44b53931ba5e..f4adc0917888 100644
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -43,7 +43,7 @@
 #define dot11MeshMaxPeerLinks(s) (s->u.mesh.mshcfg.dot11MeshMaxPeerLinks)
 enum plink_frame_type {
-        PLINK_OPEN = 0,
+        PLINK_OPEN = 1,
        PLINK_CONFIRM,
        PLINK_CLOSE
 };
@@ -83,7 +83,7 @@ void mesh_plink_dec_estab_count(struct ieee80211_sub_if_data *sdata)
 */
 static inline void mesh_plink_fsm_restart(struct sta_info *sta)
 {
-        sta->plink_state = PLINK_LISTEN;
+        sta->plink_state = NL80211_PLINK_LISTEN;
        sta->llid = sta->plid = sta->reason = 0;
        sta->plink_retries = 0;
 }
@@ -105,7 +105,7 @@ static struct sta_info *mesh_plink_alloc(struct ieee80211_sub_if_data *sdata,
        if (!sta)
                return NULL;
-        sta->flags = WLAN_STA_AUTHORIZED;
+        sta->flags = WLAN_STA_AUTHORIZED | WLAN_STA_AUTH;
        sta->sta.supp_rates[local->hw.conf.channel->band] = rates;
        rate_control_rate_init(sta);
@@ -126,11 +126,11 @@ static bool __mesh_plink_deactivate(struct sta_info *sta)
        struct ieee80211_sub_if_data *sdata = sta->sdata;
        bool deactivated = false;
-        if (sta->plink_state == PLINK_ESTAB) {
+        if (sta->plink_state == NL80211_PLINK_ESTAB) {
                mesh_plink_dec_estab_count(sdata);
                deactivated = true;
        }
-        sta->plink_state = PLINK_BLOCKED;
+        sta->plink_state = NL80211_PLINK_BLOCKED;
        mesh_path_flush_by_nexthop(sta);
        return deactivated;
@@ -161,7 +161,7 @@ static int mesh_plink_frame_tx(struct ieee80211_sub_if_data *sdata,
                __le16 reason) {
        struct ieee80211_local *local = sdata->local;
        struct sk_buff *skb = dev_alloc_skb(local->hw.extra_tx_headroom + 400 +
-                        sdata->u.mesh.vendor_ie_len);
+                        sdata->u.mesh.ie_len);
        struct ieee80211_mgmt *mgmt;
        bool include_plid = false;
        static const u8 meshpeeringproto[] = { 0x00, 0x0F, 0xAC, 0x2A };
@@ -181,8 +181,8 @@ static int mesh_plink_frame_tx(struct ieee80211_sub_if_data *sdata,
                                          IEEE80211_STYPE_ACTION);
        memcpy(mgmt->da, da, ETH_ALEN);
        memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN);
-        /* BSSID is left zeroed, wildcard value */
+        memcpy(mgmt->bssid, sdata->vif.addr, ETH_ALEN);
-        mgmt->u.action.category = WLAN_CATEGORY_MESH_PLINK;
+        mgmt->u.action.category = WLAN_CATEGORY_MESH_ACTION;
        mgmt->u.action.u.plink_action.action_code = action;
        if (action == PLINK_CLOSE)
@@ -237,8 +237,9 @@ static int mesh_plink_frame_tx(struct ieee80211_sub_if_data *sdata,
        return 0;
 }
-void mesh_neighbour_update(u8 *hw_addr, u32 rates, struct ieee80211_sub_if_data *sdata,
+void mesh_neighbour_update(u8 *hw_addr, u32 rates,
-                           bool peer_accepting_plinks)
+                struct ieee80211_sub_if_data *sdata,
+                struct ieee802_11_elems *elems)
 {
        struct ieee80211_local *local = sdata->local;
        struct sta_info *sta;
@@ -248,8 +249,14 @@ void mesh_neighbour_update(u8 *hw_addr, u32 rates, struct ieee80211_sub_if_data
        sta = sta_info_get(sdata, hw_addr);
        if (!sta) {
                rcu_read_unlock();
+                /* Userspace handles peer allocation when security is enabled
-                sta = mesh_plink_alloc(sdata, hw_addr, rates);
+                 * */
+                if (sdata->u.mesh.security & IEEE80211_MESH_SEC_AUTHED)
+                        cfg80211_notify_new_peer_candidate(sdata->dev, hw_addr,
+                                        elems->ie_start, elems->total_len,
+                                        GFP_KERNEL);
+                else
+                        sta = mesh_plink_alloc(sdata, hw_addr, rates);
                if (!sta)
                        return;
                if (sta_info_insert_rcu(sta)) {
@@ -260,7 +267,8 @@ void mesh_neighbour_update(u8 *hw_addr, u32 rates, struct ieee80211_sub_if_data
        sta->last_rx = jiffies;
        sta->sta.supp_rates[local->hw.conf.channel->band] = rates;
-        if (peer_accepting_plinks && sta->plink_state == PLINK_LISTEN &&
+        if (mesh_peer_accepts_plinks(elems) &&
+                        sta->plink_state == NL80211_PLINK_LISTEN &&
                        sdata->u.mesh.accepting_plinks &&
                        sdata->u.mesh.mshcfg.auto_open_plinks)
                mesh_plink_open(sta);
@@ -300,8 +308,8 @@ static void mesh_plink_timer(unsigned long data)
        sdata = sta->sdata;
        switch (sta->plink_state) {
-        case PLINK_OPN_RCVD:
+        case NL80211_PLINK_OPN_RCVD:
-        case PLINK_OPN_SNT:
+        case NL80211_PLINK_OPN_SNT:
                /* retry timer */
                if (sta->plink_retries < dot11MeshMaxRetries(sdata)) {
                        u32 rand;
@@ -320,17 +328,17 @@ static void mesh_plink_timer(unsigned long data)
                }
                reason = cpu_to_le16(MESH_MAX_RETRIES);
                /* fall through on else */
-        case PLINK_CNF_RCVD:
+        case NL80211_PLINK_CNF_RCVD:
                /* confirm timer */
                if (!reason)
                        reason = cpu_to_le16(MESH_CONFIRM_TIMEOUT);
-                sta->plink_state = PLINK_HOLDING;
+                sta->plink_state = NL80211_PLINK_HOLDING;
                mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata));
                spin_unlock_bh(&sta->lock);
                mesh_plink_frame_tx(sdata, PLINK_CLOSE, sta->sta.addr, llid, plid,
                                    reason);
                break;
-        case PLINK_HOLDING:
+        case NL80211_PLINK_HOLDING:
                /* holding timer */
                del_timer(&sta->plink_timer);
                mesh_plink_fsm_restart(sta);
@@ -372,14 +380,17 @@ int mesh_plink_open(struct sta_info *sta)
        __le16 llid;
        struct ieee80211_sub_if_data *sdata = sta->sdata;
+        if (!test_sta_flags(sta, WLAN_STA_AUTH))
+                return -EPERM;
        spin_lock_bh(&sta->lock);
        get_random_bytes(&llid, 2);
        sta->llid = llid;
-        if (sta->plink_state != PLINK_LISTEN) {
+        if (sta->plink_state != NL80211_PLINK_LISTEN) {
                spin_unlock_bh(&sta->lock);
                return -EBUSY;
        }
-        sta->plink_state = PLINK_OPN_SNT;
+        sta->plink_state = NL80211_PLINK_OPN_SNT;
        mesh_plink_timer_set(sta, dot11MeshRetryTimeout(sdata));
        spin_unlock_bh(&sta->lock);
        mpl_dbg("Mesh plink: starting establishment with %pM\n",
@@ -396,7 +407,7 @@ void mesh_plink_block(struct sta_info *sta)
        spin_lock_bh(&sta->lock);
        deactivated = __mesh_plink_deactivate(sta);
-        sta->plink_state = PLINK_BLOCKED;
+        sta->plink_state = NL80211_PLINK_BLOCKED;
        spin_unlock_bh(&sta->lock);
        if (deactivated)
@@ -419,13 +430,13 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
        __le16 plid, llid, reason;
 #ifdef CONFIG_MAC80211_VERBOSE_MPL_DEBUG
        static const char *mplstates[] = {
-                [PLINK_LISTEN] = "LISTEN",
+                [NL80211_PLINK_LISTEN] = "LISTEN",
-                [PLINK_OPN_SNT] = "OPN-SNT",
+                [NL80211_PLINK_OPN_SNT] = "OPN-SNT",
-                [PLINK_OPN_RCVD] = "OPN-RCVD",
+                [NL80211_PLINK_OPN_RCVD] = "OPN-RCVD",
-                [PLINK_CNF_RCVD] = "CNF_RCVD",
+                [NL80211_PLINK_CNF_RCVD] = "CNF_RCVD",
-                [PLINK_ESTAB] = "ESTAB",
+                [NL80211_PLINK_ESTAB] = "ESTAB",
-                [PLINK_HOLDING] = "HOLDING",
+                [NL80211_PLINK_HOLDING] = "HOLDING",
-                [PLINK_BLOCKED] = "BLOCKED"
+                [NL80211_PLINK_BLOCKED] = "BLOCKED"
        };
 #endif
@@ -449,6 +460,11 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                mpl_dbg("Mesh plink: missing necessary peer link ie\n");
                return;
        }
+        if (elems.rsn_len &&
+                        sdata->u.mesh.security == IEEE80211_MESH_SEC_NONE) {
+                mpl_dbg("Mesh plink: can't establish link with secure peer\n");
+                return;
+        }
        ftype = mgmt->u.action.u.plink_action.action_code;
        ie_len = elems.peer_link_len;
@@ -480,7 +496,13 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                return;
        }
-        if (sta && sta->plink_state == PLINK_BLOCKED) {
+        if (sta && !test_sta_flags(sta, WLAN_STA_AUTH)) {
+                mpl_dbg("Mesh plink: Action frame from non-authed peer\n");
+                rcu_read_unlock();
+                return;
+        }
+        if (sta && sta->plink_state == NL80211_PLINK_BLOCKED) {
                rcu_read_unlock();
                return;
        }
@@ -550,7 +572,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                                event = CNF_ACPT;
                        break;
                case PLINK_CLOSE:
-                        if (sta->plink_state == PLINK_ESTAB)
+                        if (sta->plink_state == NL80211_PLINK_ESTAB)
                                /* Do not check for llid or plid. This does not
                                 * follow the standard but since multiple plinks
                                 * per sta are not supported, it is necessary in
@@ -585,14 +607,14 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
        reason = 0;
        switch (sta->plink_state) {
                /* spin_unlock as soon as state is updated at each case */
-        case PLINK_LISTEN:
+        case NL80211_PLINK_LISTEN:
                switch (event) {
                case CLS_ACPT:
                        mesh_plink_fsm_restart(sta);
                        spin_unlock_bh(&sta->lock);
                        break;
                case OPN_ACPT:
-                        sta->plink_state = PLINK_OPN_RCVD;
+                        sta->plink_state = NL80211_PLINK_OPN_RCVD;
                        sta->plid = plid;
                        get_random_bytes(&llid, 2);
                        sta->llid = llid;
@@ -609,7 +631,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                }
                break;
-        case PLINK_OPN_SNT:
+        case NL80211_PLINK_OPN_SNT:
                switch (event) {
                case OPN_RJCT:
                case CNF_RJCT:
@@ -618,7 +640,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        if (!reason)
                                reason = cpu_to_le16(MESH_CLOSE_RCVD);
                        sta->reason = reason;
-                        sta->plink_state = PLINK_HOLDING;
+                        sta->plink_state = NL80211_PLINK_HOLDING;
                        if (!mod_plink_timer(sta,
                                             dot11MeshHoldingTimeout(sdata)))
                                sta->ignore_plink_timer = true;
@@ -630,7 +652,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        break;
                case OPN_ACPT:
                        /* retry timer is left untouched */
-                        sta->plink_state = PLINK_OPN_RCVD;
+                        sta->plink_state = NL80211_PLINK_OPN_RCVD;
                        sta->plid = plid;
                        llid = sta->llid;
                        spin_unlock_bh(&sta->lock);
@@ -638,7 +660,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                                            plid, 0);
                        break;
                case CNF_ACPT:
-                        sta->plink_state = PLINK_CNF_RCVD;
+                        sta->plink_state = NL80211_PLINK_CNF_RCVD;
                        if (!mod_plink_timer(sta,
                                             dot11MeshConfirmTimeout(sdata)))
                                sta->ignore_plink_timer = true;
@@ -651,7 +673,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                }
                break;
-        case PLINK_OPN_RCVD:
+        case NL80211_PLINK_OPN_RCVD:
                switch (event) {
                case OPN_RJCT:
                case CNF_RJCT:
@@ -660,7 +682,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        if (!reason)
                                reason = cpu_to_le16(MESH_CLOSE_RCVD);
                        sta->reason = reason;
-                        sta->plink_state = PLINK_HOLDING;
+                        sta->plink_state = NL80211_PLINK_HOLDING;
                        if (!mod_plink_timer(sta,
                                             dot11MeshHoldingTimeout(sdata)))
                                sta->ignore_plink_timer = true;
@@ -678,7 +700,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        break;
                case CNF_ACPT:
                        del_timer(&sta->plink_timer);
-                        sta->plink_state = PLINK_ESTAB;
+                        sta->plink_state = NL80211_PLINK_ESTAB;
                        spin_unlock_bh(&sta->lock);
                        mesh_plink_inc_estab_count(sdata);
                        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON);
@@ -691,7 +713,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                }
                break;
-        case PLINK_CNF_RCVD:
+        case NL80211_PLINK_CNF_RCVD:
                switch (event) {
                case OPN_RJCT:
                case CNF_RJCT:
@@ -700,7 +722,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        if (!reason)
                                reason = cpu_to_le16(MESH_CLOSE_RCVD);
                        sta->reason = reason;
-                        sta->plink_state = PLINK_HOLDING;
+                        sta->plink_state = NL80211_PLINK_HOLDING;
                        if (!mod_plink_timer(sta,
                                             dot11MeshHoldingTimeout(sdata)))
                                sta->ignore_plink_timer = true;
@@ -712,7 +734,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        break;
                case OPN_ACPT:
                        del_timer(&sta->plink_timer);
-                        sta->plink_state = PLINK_ESTAB;
+                        sta->plink_state = NL80211_PLINK_ESTAB;
                        spin_unlock_bh(&sta->lock);
                        mesh_plink_inc_estab_count(sdata);
                        ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON);
@@ -727,13 +749,13 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                }
                break;
-        case PLINK_ESTAB:
+        case NL80211_PLINK_ESTAB:
                switch (event) {
                case CLS_ACPT:
                        reason = cpu_to_le16(MESH_CLOSE_RCVD);
                        sta->reason = reason;
                        deactivated = __mesh_plink_deactivate(sta);
-                        sta->plink_state = PLINK_HOLDING;
+                        sta->plink_state = NL80211_PLINK_HOLDING;
                        llid = sta->llid;
                        mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata));
                        spin_unlock_bh(&sta->lock);
@@ -753,7 +775,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m
                        break;
                }
                break;
-        case PLINK_HOLDING:
+        case NL80211_PLINK_HOLDING:
                switch (event) {
                case CLS_ACPT:
                        if (del_timer(&sta->plink_timer))
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index c9ceb4d57ab0..4f6b2675e41d 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -28,8 +28,15 @@
 #include "rate.h"
 #include "led.h"
-#define IEEE80211_MAX_NULLFUNC_TRIES 2
+static int max_nullfunc_tries = 2;
-#define IEEE80211_MAX_PROBE_TRIES 5
+module_param(max_nullfunc_tries, int, 0644);
+MODULE_PARM_DESC(max_nullfunc_tries,
+                 "Maximum nullfunc tx tries before disconnecting (reason 4).");
+static int max_probe_tries = 5;
+module_param(max_probe_tries, int, 0644);
+MODULE_PARM_DESC(max_probe_tries,
+                 "Maximum probe tries before disconnecting (reason 4).");
 /*
 * Beacon loss timeout is calculated as N frames times the
@@ -51,7 +58,11 @@
 * a probe request because of beacon loss or for
 * checking the connection still works.
 */
-#define IEEE80211_PROBE_WAIT            (HZ / 2)
+static int probe_wait_ms = 500;
+module_param(probe_wait_ms, int, 0644);
+MODULE_PARM_DESC(probe_wait_ms,
+                 "Maximum time(ms) to wait for probe response"
+                 " before disconnecting (reason 4).");
 /*
 * Weight given to the latest Beacon frame when calculating average signal
@@ -79,20 +90,11 @@ enum rx_mgmt_action {
        /* no action required */
        RX_MGMT_NONE,
-        /* caller must call cfg80211_send_rx_auth() */
-        RX_MGMT_CFG80211_AUTH,
-        /* caller must call cfg80211_send_rx_assoc() */
-        RX_MGMT_CFG80211_ASSOC,
        /* caller must call cfg80211_send_deauth() */
        RX_MGMT_CFG80211_DEAUTH,
        /* caller must call cfg80211_send_disassoc() */
        RX_MGMT_CFG80211_DISASSOC,
-        /* caller must tell cfg80211 about internal error */
-        RX_MGMT_CFG80211_ASSOC_ERROR,
 };
 /* utils */
@@ -134,6 +136,9 @@ void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata)
 {
        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+        if (unlikely(!sdata->u.mgd.associated))
+                return;
        if (sdata->local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR)
                return;
@@ -161,6 +166,7 @@ static u32 ieee80211_enable_ht(struct ieee80211_sub_if_data *sdata,
        struct ieee80211_supported_band *sband;
        struct sta_info *sta;
        u32 changed = 0;
+        int hti_cfreq;
        u16 ht_opmode;
        bool enable_ht = true;
        enum nl80211_channel_type prev_chantype;
@@ -174,10 +180,27 @@ static u32 ieee80211_enable_ht(struct ieee80211_sub_if_data *sdata,
        if (!sband->ht_cap.ht_supported)
                enable_ht = false;
-        /* check that channel matches the right operating channel */
+        if (enable_ht) {
-        if (local->hw.conf.channel->center_freq !=
+                hti_cfreq = ieee80211_channel_to_frequency(hti->control_chan,
-            ieee80211_channel_to_frequency(hti->control_chan))
+                                                           sband->band);
-                enable_ht = false;
+                /* check that channel matches the right operating channel */
+                if (local->hw.conf.channel->center_freq != hti_cfreq) {
+                        /* Some APs mess this up, evidently.
+                         * Netgear WNDR3700 sometimes reports 4 higher than
+                         * the actual channel, for instance.
+                         */
+                        printk(KERN_DEBUG
+                               "%s: Wrong control channel in association"
+                               " response: configured center-freq: %d"
+                               " hti-cfreq: %d  hti->control_chan: %d"
+                               " band: %d.  Disabling HT.\n",
+                               sdata->name,
+                               local->hw.conf.channel->center_freq,
+                               hti_cfreq, hti->control_chan,
+                               sband->band);
+                        enable_ht = false;
+                }
+        }
        if (enable_ht) {
                channel_type = NL80211_CHAN_HT20;
@@ -429,7 +452,8 @@ void ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
                container_of((void *)bss, struct cfg80211_bss, priv);
        struct ieee80211_channel *new_ch;
        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
-        int new_freq = ieee80211_channel_to_frequency(sw_elem->new_ch_num);
+        int new_freq = ieee80211_channel_to_frequency(sw_elem->new_ch_num,
+                                                      cbss->channel->band);
        ASSERT_MGD_MTX(ifmgd);
@@ -580,6 +604,37 @@ static void ieee80211_change_ps(struct ieee80211_local *local)
        }
 }
+static bool ieee80211_powersave_allowed(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_if_managed *mgd = &sdata->u.mgd;
+        struct sta_info *sta = NULL;
+        u32 sta_flags = 0;
+        if (!mgd->powersave)
+                return false;
+        if (!mgd->associated)
+                return false;
+        if (!mgd->associated->beacon_ies)
+                return false;
+        if (mgd->flags & (IEEE80211_STA_BEACON_POLL |
+                          IEEE80211_STA_CONNECTION_POLL))
+                return false;
+        rcu_read_lock();
+        sta = sta_info_get(sdata, mgd->bssid);
+        if (sta)
+                sta_flags = get_sta_flags(sta);
+        rcu_read_unlock();
+        if (!(sta_flags & WLAN_STA_AUTHORIZED))
+                return false;
+        return true;
+}
 /* need to hold RTNL or interface lock */
 void ieee80211_recalc_ps(struct ieee80211_local *local, s32 latency)
 {
@@ -600,17 +655,21 @@ void ieee80211_recalc_ps(struct ieee80211_local *local, s32 latency)
        list_for_each_entry(sdata, &local->interfaces, list) {
                if (!ieee80211_sdata_running(sdata))
                        continue;
+                if (sdata->vif.type == NL80211_IFTYPE_AP) {
+                        /* If an AP vif is found, then disable PS
+                         * by setting the count to zero thereby setting
+                         * ps_sdata to NULL.
+                         */
+                        count = 0;
+                        break;
+                }
                if (sdata->vif.type != NL80211_IFTYPE_STATION)
                        continue;
                found = sdata;
                count++;
        }
-        if (count == 1 && found->u.mgd.powersave &&
+        if (count == 1 && ieee80211_powersave_allowed(found)) {
-            found->u.mgd.associated &&
-            found->u.mgd.associated->beacon_ies &&
-            !(found->u.mgd.flags & (IEEE80211_STA_BEACON_POLL |
-                                    IEEE80211_STA_CONNECTION_POLL))) {
                struct ieee80211_conf *conf = &local->hw.conf;
                s32 beaconint_us;
@@ -691,6 +750,8 @@ void ieee80211_dynamic_ps_enable_work(struct work_struct *work)
                             dynamic_ps_enable_work);
        struct ieee80211_sub_if_data *sdata = local->ps_sdata;
        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+        unsigned long flags;
+        int q;
        /* can only happen when PS was just disabled anyway */
        if (!sdata)
@@ -699,9 +760,38 @@ void ieee80211_dynamic_ps_enable_work(struct work_struct *work)
        if (local->hw.conf.flags & IEEE80211_CONF_PS)
                return;
+        /*
+         * transmission can be stopped by others which leads to
+         * dynamic_ps_timer expiry. Postpond the ps timer if it
+         * is not the actual idle state.
+         */
+        spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
+        for (q = 0; q < local->hw.queues; q++) {
+                if (local->queue_stop_reasons[q]) {
+                        spin_unlock_irqrestore(&local->queue_stop_reason_lock,
+                                               flags);
+                        mod_timer(&local->dynamic_ps_timer, jiffies +
+                                  msecs_to_jiffies(
+                                  local->hw.conf.dynamic_ps_timeout));
+                        return;
+                }
+        }
+        spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
        if ((local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK) &&
-            (!(ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED)))
+            (!(ifmgd->flags & IEEE80211_STA_NULLFUNC_ACKED))) {
-                ieee80211_send_nullfunc(local, sdata, 1);
+                netif_tx_stop_all_queues(sdata->dev);
+                if (drv_tx_frames_pending(local))
+                        mod_timer(&local->dynamic_ps_timer, jiffies +
+                                  msecs_to_jiffies(
+                                  local->hw.conf.dynamic_ps_timeout));
+                else {
+                        ieee80211_send_nullfunc(local, sdata, 1);
+                        /* Flush to get the tx status of nullfunc frame */
+                        drv_flush(local, false);
+                }
+        }
        if (!((local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS) &&
              (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK)) ||
@@ -710,6 +800,8 @@ void ieee80211_dynamic_ps_enable_work(struct work_struct *work)
                local->hw.conf.flags |= IEEE80211_CONF_PS;
                ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
        }
+        netif_tx_wake_all_queues(sdata->dev);
 }
 void ieee80211_dynamic_ps_timer(unsigned long data)
@@ -1033,12 +1125,6 @@ void ieee80211_sta_rx_notify(struct ieee80211_sub_if_data *sdata,
        if (is_multicast_ether_addr(hdr->addr1))
                return;
-        /*
-         * In case we receive frames after disassociation.
-         */
-        if (!sdata->u.mgd.associated)
-                return;
        ieee80211_sta_reset_conn_monitor(sdata);
 }
@@ -1095,7 +1181,7 @@ static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
        const u8 *ssid;
        u8 *dst = ifmgd->associated->bssid;
-        u8 unicast_limit = max(1, IEEE80211_MAX_PROBE_TRIES - 3);
+        u8 unicast_limit = max(1, max_probe_tries - 3);
        /*
         * Try sending broadcast probe requests for the last three
@@ -1121,7 +1207,7 @@ static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
        }
        ifmgd->probe_send_count++;
-        ifmgd->probe_timeout = jiffies + IEEE80211_PROBE_WAIT;
+        ifmgd->probe_timeout = jiffies + msecs_to_jiffies(probe_wait_ms);
        run_again(ifmgd, ifmgd->probe_timeout);
 }
@@ -1222,7 +1308,8 @@ static void __ieee80211_connection_loss(struct ieee80211_sub_if_data *sdata)
        memcpy(bssid, ifmgd->associated->bssid, ETH_ALEN);
-        printk(KERN_DEBUG "Connection to AP %pM lost.\n", bssid);
+        printk(KERN_DEBUG "%s: Connection to AP %pM lost.\n",
+               sdata->name, bssid);
        ieee80211_set_disassoc(sdata, true, true);
        mutex_unlock(&ifmgd->mtx);
@@ -1525,7 +1612,8 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
        }
        if (elems->ds_params && elems->ds_params_len == 1)
-                freq = ieee80211_channel_to_frequency(elems->ds_params[0]);
+                freq = ieee80211_channel_to_frequency(elems->ds_params[0],
+                                                      rx_status->band);
        else
                freq = rx_status->freq;
@@ -1966,9 +2054,9 @@ void ieee80211_sta_work(struct ieee80211_sub_if_data *sdata)
                memcpy(bssid, ifmgd->associated->bssid, ETH_ALEN);
                if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)
-                        max_tries = IEEE80211_MAX_NULLFUNC_TRIES;
+                        max_tries = max_nullfunc_tries;
                else
-                        max_tries = IEEE80211_MAX_PROBE_TRIES;
+                        max_tries = max_probe_tries;
                /* ACK received for nullfunc probing frame */
                if (!ifmgd->probe_send_count)
@@ -1978,9 +2066,9 @@ void ieee80211_sta_work(struct ieee80211_sub_if_data *sdata)
 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
                                wiphy_debug(local->hw.wiphy,
                                            "%s: No ack for nullfunc frame to"
-                                            " AP %pM, try %d\n",
+                                            " AP %pM, try %d/%i\n",
                                            sdata->name, bssid,
-                                            ifmgd->probe_send_count);
+                                            ifmgd->probe_send_count, max_tries);
 #endif
                                ieee80211_mgd_probe_ap_send(sdata);
                        } else {
@@ -2000,17 +2088,17 @@ void ieee80211_sta_work(struct ieee80211_sub_if_data *sdata)
                                    "%s: Failed to send nullfunc to AP %pM"
                                    " after %dms, disconnecting.\n",
                                    sdata->name,
-                                    bssid, (1000 * IEEE80211_PROBE_WAIT)/HZ);
+                                    bssid, probe_wait_ms);
 #endif
                        ieee80211_sta_connection_lost(sdata, bssid);
                } else if (ifmgd->probe_send_count < max_tries) {
 #ifdef CONFIG_MAC80211_VERBOSE_DEBUG
                        wiphy_debug(local->hw.wiphy,
                                    "%s: No probe response from AP %pM"
-                                    " after %dms, try %d\n",
+                                    " after %dms, try %d/%i\n",
                                    sdata->name,
-                                    bssid, (1000 * IEEE80211_PROBE_WAIT)/HZ,
+                                    bssid, probe_wait_ms,
-                                    ifmgd->probe_send_count);
+                                    ifmgd->probe_send_count, max_tries);
 #endif
                        ieee80211_mgd_probe_ap_send(sdata);
                } else {
@@ -2022,7 +2110,7 @@ void ieee80211_sta_work(struct ieee80211_sub_if_data *sdata)
                                    "%s: No probe response from AP %pM"
                                    " after %dms, disconnecting.\n",
                                    sdata->name,
-                                    bssid, (1000 * IEEE80211_PROBE_WAIT)/HZ);
+                                    bssid, probe_wait_ms);
                        ieee80211_sta_connection_lost(sdata, bssid);
                }
@@ -2260,6 +2348,7 @@ int ieee80211_mgd_auth(struct ieee80211_sub_if_data *sdata,
        else
                wk->type = IEEE80211_WORK_DIRECT_PROBE;
        wk->chan = req->bss->channel;
+        wk->chan_type = NL80211_CHAN_NO_HT;
        wk->sdata = sdata;
        wk->done = ieee80211_probe_auth_done;
@@ -2409,6 +2498,7 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
                memcpy(wk->assoc.prev_bssid, req->prev_bssid, ETH_ALEN);
        wk->chan = req->bss->channel;
+        wk->chan_type = NL80211_CHAN_NO_HT;
        wk->sdata = sdata;
        wk->done = ieee80211_assoc_done;
        if (!bss->dtim_period &&
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index b4e52676f3fb..13427b194ced 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -17,10 +17,14 @@
 #include "driver-trace.h"
 /*
- * inform AP that we will go to sleep so that it will buffer the frames
+ * Tell our hardware to disable PS.
- * while we scan
+ * Optionally inform AP that we will go to sleep so that it will buffer
+ * the frames while we are doing off-channel work.  This is optional
+ * because we *may* be doing work on-operating channel, and want our
+ * hardware unconditionally awake, but still let the AP send us normal frames.
 */
-static void ieee80211_offchannel_ps_enable(struct ieee80211_sub_if_data *sdata)
+static void ieee80211_offchannel_ps_enable(struct ieee80211_sub_if_data *sdata,
+                                           bool tell_ap)
 {
        struct ieee80211_local *local = sdata->local;
        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
@@ -41,8 +45,8 @@ static void ieee80211_offchannel_ps_enable(struct ieee80211_sub_if_data *sdata)
                ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
        }
-        if (!(local->offchannel_ps_enabled) ||
+        if (tell_ap && (!local->offchannel_ps_enabled ||
-            !(local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK))
+                        !(local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK)))
                /*
                 * If power save was enabled, no need to send a nullfunc
                 * frame because AP knows that we are sleeping. But if the
@@ -77,6 +81,9 @@ static void ieee80211_offchannel_ps_disable(struct ieee80211_sub_if_data *sdata)
                 * we are sleeping, let's just enable power save mode in
                 * hardware.
                 */
+                /* TODO:  Only set hardware if CONF_PS changed?
+                 * TODO:  Should we set offchannel_ps_enabled to false?
+                 */
                local->hw.conf.flags |= IEEE80211_CONF_PS;
                ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_PS);
        } else if (local->hw.conf.dynamic_ps_timeout > 0) {
@@ -95,63 +102,61 @@ static void ieee80211_offchannel_ps_disable(struct ieee80211_sub_if_data *sdata)
        ieee80211_sta_reset_conn_monitor(sdata);
 }
-void ieee80211_offchannel_stop_beaconing(struct ieee80211_local *local)
+void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
+                                    bool offchannel_ps_enable)
 {
        struct ieee80211_sub_if_data *sdata;
+        /*
+         * notify the AP about us leaving the channel and stop all
+         * STA interfaces.
+         */
        mutex_lock(&local->iflist_mtx);
        list_for_each_entry(sdata, &local->interfaces, list) {
                if (!ieee80211_sdata_running(sdata))
                        continue;
-                /* disable beaconing */
+                if (sdata->vif.type != NL80211_IFTYPE_MONITOR)
+                        set_bit(SDATA_STATE_OFFCHANNEL, &sdata->state);
+                /* Check to see if we should disable beaconing. */
                if (sdata->vif.type == NL80211_IFTYPE_AP ||
                    sdata->vif.type == NL80211_IFTYPE_ADHOC ||
                    sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
                        ieee80211_bss_info_change_notify(
                                sdata, BSS_CHANGED_BEACON_ENABLED);
-                /*
+                if (sdata->vif.type != NL80211_IFTYPE_MONITOR) {
-                 * only handle non-STA interfaces here, STA interfaces
-                 * are handled in ieee80211_offchannel_stop_station(),
-                 * e.g., from the background scan state machine.
-                 *
-                 * In addition, do not stop monitor interface to allow it to be
-                 * used from user space controlled off-channel operations.
-                 */
-                if (sdata->vif.type != NL80211_IFTYPE_STATION &&
-                    sdata->vif.type != NL80211_IFTYPE_MONITOR) {
-                        set_bit(SDATA_STATE_OFFCHANNEL, &sdata->state);
                        netif_tx_stop_all_queues(sdata->dev);
+                        if (offchannel_ps_enable &&
+                            (sdata->vif.type == NL80211_IFTYPE_STATION) &&
+                            sdata->u.mgd.associated)
+                                ieee80211_offchannel_ps_enable(sdata, true);
                }
        }
        mutex_unlock(&local->iflist_mtx);
 }
-void ieee80211_offchannel_stop_station(struct ieee80211_local *local)
+void ieee80211_offchannel_enable_all_ps(struct ieee80211_local *local,
+                                        bool tell_ap)
 {
        struct ieee80211_sub_if_data *sdata;
-        /*
-         * notify the AP about us leaving the channel and stop all STA interfaces
-         */
        mutex_lock(&local->iflist_mtx);
        list_for_each_entry(sdata, &local->interfaces, list) {
                if (!ieee80211_sdata_running(sdata))
                        continue;
-                if (sdata->vif.type == NL80211_IFTYPE_STATION) {
+                if (sdata->vif.type == NL80211_IFTYPE_STATION &&
-                        set_bit(SDATA_STATE_OFFCHANNEL, &sdata->state);
+                    sdata->u.mgd.associated)
-                        netif_tx_stop_all_queues(sdata->dev);
+                        ieee80211_offchannel_ps_enable(sdata, tell_ap);
-                        if (sdata->u.mgd.associated)
-                                ieee80211_offchannel_ps_enable(sdata);
-                }
        }
        mutex_unlock(&local->iflist_mtx);
 }
 void ieee80211_offchannel_return(struct ieee80211_local *local,
-                                 bool enable_beaconing)
+                                 bool enable_beaconing,
+                                 bool offchannel_ps_disable)
 {
        struct ieee80211_sub_if_data *sdata;
@@ -161,7 +166,8 @@ void ieee80211_offchannel_return(struct ieee80211_local *local,
                        continue;
                /* Tell AP we're back */
-                if (sdata->vif.type == NL80211_IFTYPE_STATION) {
+                if (offchannel_ps_disable &&
+                    sdata->vif.type == NL80211_IFTYPE_STATION) {
                        if (sdata->u.mgd.associated)
                                ieee80211_offchannel_ps_disable(sdata);
                }
@@ -181,7 +187,7 @@ void ieee80211_offchannel_return(struct ieee80211_local *local,
                        netif_tx_wake_all_queues(sdata->dev);
                }
-                /* re-enable beaconing */
+                /* Check to see if we should re-enable beaconing */
                if (enable_beaconing &&
                    (sdata->vif.type == NL80211_IFTYPE_AP ||
                     sdata->vif.type == NL80211_IFTYPE_ADHOC ||
diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
index e37355193ed1..730778a2c90c 100644
--- a/net/mac80211/pm.c
+++ b/net/mac80211/pm.c
@@ -6,7 +6,7 @@
 #include "driver-ops.h"
 #include "led.h"
-int __ieee80211_suspend(struct ieee80211_hw *hw)
+int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
 {
        struct ieee80211_local *local = hw_to_local(hw);
        struct ieee80211_sub_if_data *sdata;
@@ -14,12 +14,23 @@ int __ieee80211_suspend(struct ieee80211_hw *hw)
        ieee80211_scan_cancel(local);
+        if (hw->flags & IEEE80211_HW_AMPDU_AGGREGATION) {
+                mutex_lock(&local->sta_mtx);
+                list_for_each_entry(sta, &local->sta_list, list) {
+                        set_sta_flags(sta, WLAN_STA_BLOCK_BA);
+                        ieee80211_sta_tear_down_BA_sessions(sta, true);
+                }
+                mutex_unlock(&local->sta_mtx);
+        }
        ieee80211_stop_queues_by_reason(hw,
                        IEEE80211_QUEUE_STOP_REASON_SUSPEND);
        /* flush out all packets */
        synchronize_net();
+        drv_flush(local, false);
        local->quiescing = true;
        /* make quiescing visible to timers everywhere */
        mb();
@@ -36,6 +47,16 @@ int __ieee80211_suspend(struct ieee80211_hw *hw)
        cancel_work_sync(&local->dynamic_ps_enable_work);
        del_timer_sync(&local->dynamic_ps_timer);
+        local->wowlan = wowlan && local->open_count;
+        if (local->wowlan) {
+                int err = drv_suspend(local, wowlan);
+                if (err) {
+                        local->quiescing = false;
+                        return err;
+                }
+                goto suspend;
+        }
        /* disable keys */
        list_for_each_entry(sdata, &local->interfaces, list)
                ieee80211_disable_keys(sdata);
@@ -43,11 +64,6 @@ int __ieee80211_suspend(struct ieee80211_hw *hw)
        /* tear down aggregation sessions and remove STAs */
        mutex_lock(&local->sta_mtx);
        list_for_each_entry(sta, &local->sta_list, list) {
-                if (hw->flags & IEEE80211_HW_AMPDU_AGGREGATION) {
-                        set_sta_flags(sta, WLAN_STA_BLOCK_BA);
-                        ieee80211_sta_tear_down_BA_sessions(sta, true);
-                }
                if (sta->uploaded) {
                        sdata = sta->sdata;
                        if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
@@ -98,6 +114,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw)
        if (local->open_count)
                ieee80211_stop_device(local);
+ suspend:
        local->suspended = true;
        /* need suspended to be visible before quiescing is false */
        barrier();
diff --git a/net/mac80211/rc80211_minstrel.c b/net/mac80211/rc80211_minstrel.c
index 778c604d7939..8adac67395f7 100644
--- a/net/mac80211/rc80211_minstrel.c
+++ b/net/mac80211/rc80211_minstrel.c
@@ -417,8 +417,8 @@ minstrel_rate_init(void *priv, struct ieee80211_supported_band *sband,
                        tx_time_single = mr->ack_time + mr->perfect_tx_time;
                        /* contention window */
-                        tx_time_single += t_slot + min(cw, mp->cw_max);
+                        tx_time_single += (t_slot * cw) >> 1;
-                        cw = (cw << 1) | 1;
+                        cw = min((cw << 1) | 1, mp->cw_max);
                        tx_time += tx_time_single;
                        tx_time_cts += tx_time_single + mi->sp_ack_dur;
diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c
index 165a4518bb48..333b5118be6d 100644
--- a/net/mac80211/rc80211_minstrel_ht.c
+++ b/net/mac80211/rc80211_minstrel_ht.c
@@ -259,7 +259,7 @@ minstrel_ht_update_stats(struct minstrel_priv *mp, struct minstrel_ht_sta *mi)
                }
        }
-        /* try to sample up to half of the availble rates during each interval */
+        /* try to sample up to half of the available rates during each interval */
        mi->sample_count *= 4;
        cur_prob = 0;
@@ -415,10 +415,8 @@ minstrel_ht_tx_status(void *priv, struct ieee80211_supported_band *sband,
                mi->sample_count--;
        }
-        if (info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE) {
+        if (info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE)
                mi->sample_packets += info->status.ampdu_len;
-                minstrel_next_sample_idx(mi);
-        }
        for (i = 0; !last; i++) {
                last = (i == IEEE80211_TX_MAX_RATES - 1) ||
@@ -466,6 +464,7 @@ minstrel_calc_retransmit(struct minstrel_priv *mp, struct minstrel_ht_sta *mi,
        const struct mcs_group *group;
        unsigned int tx_time, tx_time_rtscts, tx_time_data;
        unsigned int cw = mp->cw_min;
+        unsigned int ctime = 0;
        unsigned int t_slot = 9; /* FIXME */
        unsigned int ampdu_len = MINSTREL_TRUNC(mi->avg_ampdu_len);
@@ -482,13 +481,27 @@ minstrel_calc_retransmit(struct minstrel_priv *mp, struct minstrel_ht_sta *mi,
        group = &minstrel_mcs_groups[index / MCS_GROUP_RATES];
        tx_time_data = group->duration[index % MCS_GROUP_RATES] * ampdu_len;
-        tx_time = 2 * (t_slot + mi->overhead + tx_time_data);
-        tx_time_rtscts = 2 * (t_slot + mi->overhead_rtscts + tx_time_data);
+        /* Contention time for first 2 tries */
+        ctime = (t_slot * cw) >> 1;
+        cw = min((cw << 1) | 1, mp->cw_max);
+        ctime += (t_slot * cw) >> 1;
+        cw = min((cw << 1) | 1, mp->cw_max);
+        /* Total TX time for data and Contention after first 2 tries */
+        tx_time = ctime + 2 * (mi->overhead + tx_time_data);
+        tx_time_rtscts = ctime + 2 * (mi->overhead_rtscts + tx_time_data);
+        /* See how many more tries we can fit inside segment size */
        do {
-                cw = (cw << 1) | 1;
+                /* Contention time for this try */
-                cw = min(cw, mp->cw_max);
+                ctime = (t_slot * cw) >> 1;
-                tx_time += cw + t_slot + mi->overhead;
+                cw = min((cw << 1) | 1, mp->cw_max);
-                tx_time_rtscts += cw + t_slot + mi->overhead_rtscts;
+                /* Total TX time after this try */
+                tx_time += ctime + mi->overhead + tx_time_data;
+                tx_time_rtscts += ctime + mi->overhead_rtscts + tx_time_data;
                if (tx_time_rtscts < mp->segment_size)
                        mr->retry_count_rtscts++;
        } while ((tx_time < mp->segment_size) &&
@@ -519,9 +532,7 @@ minstrel_ht_set_rate(struct minstrel_priv *mp, struct minstrel_ht_sta *mi,
                rate->count = mr->retry_count;
        rate->flags = IEEE80211_TX_RC_MCS | group->flags;
-        if (txrc->short_preamble)
+        if (rtscts)
-                rate->flags |= IEEE80211_TX_RC_USE_SHORT_PREAMBLE;
-        if (txrc->rts || rtscts)
                rate->flags |= IEEE80211_TX_RC_USE_RTS_CTS;
        rate->idx = index % MCS_GROUP_RATES + (group->streams - 1) * MCS_GROUP_RATES;
 }
@@ -553,13 +564,14 @@ minstrel_get_sample_rate(struct minstrel_priv *mp, struct minstrel_ht_sta *mi)
        sample_idx = sample_table[mg->column][mg->index];
        mr = &mg->rates[sample_idx];
        sample_idx += mi->sample_group * MCS_GROUP_RATES;
+        minstrel_next_sample_idx(mi);
        /*
         * When not using MRR, do not sample if the probability is already
         * higher than 95% to avoid wasting airtime
         */
        if (!mp->has_mrr && (mr->probability > MINSTREL_FRAC(95, 100)))
-                goto next;
+                return -1;
        /*
         * Make sure that lower rates get sampled only occasionally,
@@ -568,17 +580,13 @@ minstrel_get_sample_rate(struct minstrel_priv *mp, struct minstrel_ht_sta *mi)
        if (minstrel_get_duration(sample_idx) >
            minstrel_get_duration(mi->max_tp_rate)) {
                if (mr->sample_skipped < 20)
-                        goto next;
+                        return -1;
                if (mi->sample_slow++ > 2)
-                        goto next;
+                        return -1;
        }
        return sample_idx;
-next:
-        minstrel_next_sample_idx(mi);
-        return -1;
 }
 static void
@@ -605,19 +613,46 @@ minstrel_ht_get_rate(void *priv, struct ieee80211_sta *sta, void *priv_sta,
                sample = true;
                minstrel_ht_set_rate(mp, mi, &ar[0], sample_idx,
                        txrc, true, false);
-                minstrel_ht_set_rate(mp, mi, &ar[1], mi->max_tp_rate,
-                        txrc, false, false);
                info->flags |= IEEE80211_TX_CTL_RATE_CTRL_PROBE;
        } else {
                minstrel_ht_set_rate(mp, mi, &ar[0], mi->max_tp_rate,
                        txrc, false, false);
-                minstrel_ht_set_rate(mp, mi, &ar[1], mi->max_tp_rate2,
-                        txrc, false, true);
        }
-        minstrel_ht_set_rate(mp, mi, &ar[2], mi->max_prob_rate, txrc, false, !sample);
-        ar[3].count = 0;
+        if (mp->hw->max_rates >= 3) {
-        ar[3].idx = -1;
+                /*
+                 * At least 3 tx rates supported, use
+                 * sample_rate -> max_tp_rate -> max_prob_rate for sampling and
+                 * max_tp_rate -> max_tp_rate2 -> max_prob_rate by default.
+                 */
+                if (sample_idx >= 0)
+                        minstrel_ht_set_rate(mp, mi, &ar[1], mi->max_tp_rate,
+                                txrc, false, false);
+                else
+                        minstrel_ht_set_rate(mp, mi, &ar[1], mi->max_tp_rate2,
+                                txrc, false, true);
+                minstrel_ht_set_rate(mp, mi, &ar[2], mi->max_prob_rate,
+                                     txrc, false, !sample);
+                ar[3].count = 0;
+                ar[3].idx = -1;
+        } else if (mp->hw->max_rates == 2) {
+                /*
+                 * Only 2 tx rates supported, use
+                 * sample_rate -> max_prob_rate for sampling and
+                 * max_tp_rate -> max_prob_rate by default.
+                 */
+                minstrel_ht_set_rate(mp, mi, &ar[1], mi->max_prob_rate,
+                                     txrc, false, !sample);
+                ar[2].count = 0;
+                ar[2].idx = -1;
+        } else {
+                /* Not using MRR, only use the first rate */
+                ar[1].count = 0;
+                ar[1].idx = -1;
+        }
        mi->total_packets++;
@@ -639,18 +674,14 @@ minstrel_ht_update_caps(void *priv, struct ieee80211_supported_band *sband,
        struct ieee80211_mcs_info *mcs = &sta->ht_cap.mcs;
        struct ieee80211_local *local = hw_to_local(mp->hw);
        u16 sta_cap = sta->ht_cap.cap;
+        int n_supported = 0;
        int ack_dur;
        int stbc;
        int i;
        /* fall back to the old minstrel for legacy stations */
-        if (!sta->ht_cap.ht_supported) {
+        if (!sta->ht_cap.ht_supported)
-                msp->is_ht = false;
+                goto use_legacy;
-                memset(&msp->legacy, 0, sizeof(msp->legacy));
-                msp->legacy.r = msp->ratelist;
-                msp->legacy.sample_table = msp->sample_table;
-                return mac80211_minstrel.rate_init(priv, sband, sta, &msp->legacy);
-        }
        BUILD_BUG_ON(ARRAY_SIZE(minstrel_mcs_groups) !=
                MINSTREL_MAX_STREAMS * MINSTREL_STREAM_GROUPS);
@@ -705,7 +736,22 @@ minstrel_ht_update_caps(void *priv, struct ieee80211_supported_band *sband,
                mi->groups[i].supported =
                        mcs->rx_mask[minstrel_mcs_groups[i].streams - 1];
+                if (mi->groups[i].supported)
+                        n_supported++;
        }
+        if (!n_supported)
+                goto use_legacy;
+        return;
+use_legacy:
+        msp->is_ht = false;
+        memset(&msp->legacy, 0, sizeof(msp->legacy));
+        msp->legacy.r = msp->ratelist;
+        msp->legacy.sample_table = msp->sample_table;
+        return mac80211_minstrel.rate_init(priv, sband, sta, &msp->legacy);
 }
 static void
diff --git a/net/mac80211/rc80211_pid.h b/net/mac80211/rc80211_pid.h
index 1a873f00691a..19111c7bf454 100644
--- a/net/mac80211/rc80211_pid.h
+++ b/net/mac80211/rc80211_pid.h
@@ -24,9 +24,6 @@
 /* Fixed point arithmetic shifting amount. */
 #define RC_PID_ARITH_SHIFT              8
-/* Fixed point arithmetic factor. */
-#define RC_PID_ARITH_FACTOR             (1 << RC_PID_ARITH_SHIFT)
 /* Proportional PID component coefficient. */
 #define RC_PID_COEFF_P                  15
 /* Integral PID component coefficient. */
@@ -80,7 +77,7 @@ union rc_pid_event_data {
 };
 struct rc_pid_event {
-        /* The time when the event occured */
+        /* The time when the event occurred */
        unsigned long timestamp;
        /* Event ID number */
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index a6701ed87f0d..7fa8c6be7bf0 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -77,7 +77,7 @@ ieee80211_rx_radiotap_len(struct ieee80211_local *local,
        /* always present fields */
        len = sizeof(struct ieee80211_radiotap_header) + 9;
-        if (status->flag & RX_FLAG_TSFT)
+        if (status->flag & RX_FLAG_MACTIME_MPDU)
                len += 8;
        if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
                len += 1;
@@ -85,6 +85,9 @@ ieee80211_rx_radiotap_len(struct ieee80211_local *local,
        if (len & 1) /* padding for RX_FLAGS if necessary */
                len++;
+        if (status->flag & RX_FLAG_HT) /* HT info */
+                len += 3;
        return len;
 }
@@ -120,7 +123,7 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
        /* the order of the following fields is important */
        /* IEEE80211_RADIOTAP_TSFT */
-        if (status->flag & RX_FLAG_TSFT) {
+        if (status->flag & RX_FLAG_MACTIME_MPDU) {
                put_unaligned_le64(status->mactime, pos);
                rthdr->it_present |=
                        cpu_to_le32(1 << IEEE80211_RADIOTAP_TSFT);
@@ -139,11 +142,9 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
        /* IEEE80211_RADIOTAP_RATE */
        if (status->flag & RX_FLAG_HT) {
                /*
-                 * TODO: add following information into radiotap header once
+                 * MCS information is a separate field in radiotap,
-                 * suitable fields are defined for it:
+                 * added below. The byte here is needed as padding
-                 * - MCS index (status->rate_idx)
+                 * for the channel though, so initialise it to 0.
-                 * - HT40 (status->flag & RX_FLAG_40MHZ)
-                 * - short-GI (status->flag & RX_FLAG_SHORT_GI)
                 */
                *pos = 0;
        } else {
@@ -193,6 +194,20 @@ ieee80211_add_rx_radiotap_header(struct ieee80211_local *local,
                rx_flags |= IEEE80211_RADIOTAP_F_RX_BADPLCP;
        put_unaligned_le16(rx_flags, pos);
        pos += 2;
+        if (status->flag & RX_FLAG_HT) {
+                rthdr->it_present |= cpu_to_le32(1 << IEEE80211_RADIOTAP_MCS);
+                *pos++ = IEEE80211_RADIOTAP_MCS_HAVE_MCS |
+                         IEEE80211_RADIOTAP_MCS_HAVE_GI |
+                         IEEE80211_RADIOTAP_MCS_HAVE_BW;
+                *pos = 0;
+                if (status->flag & RX_FLAG_SHORT_GI)
+                        *pos |= IEEE80211_RADIOTAP_MCS_SGI;
+                if (status->flag & RX_FLAG_40MHZ)
+                        *pos |= IEEE80211_RADIOTAP_MCS_BW_40;
+                pos++;
+                *pos++ = status->rate_idx;
+        }
 }
 /*
@@ -367,7 +382,7 @@ static void ieee80211_parse_qos(struct ieee80211_rx_data *rx)
 * specs were sane enough this time around to require padding each A-MSDU
 * subframe to a length that is a multiple of four.
 *
- * Padding like Atheros hardware adds which is inbetween the 802.11 header and
+ * Padding like Atheros hardware adds which is between the 802.11 header and
 * the payload is not supported, the driver is required to move the 802.11
 * header to be directly in front of the payload in that case.
 */
@@ -389,19 +404,15 @@ ieee80211_rx_h_passive_scan(struct ieee80211_rx_data *rx)
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb);
        struct sk_buff *skb = rx->skb;
-        if (likely(!(status->rx_flags & IEEE80211_RX_IN_SCAN)))
+        if (likely(!(status->rx_flags & IEEE80211_RX_IN_SCAN) &&
+                   !local->sched_scanning))
                return RX_CONTINUE;
-        if (test_bit(SCAN_HW_SCANNING, &local->scanning))
+        if (test_bit(SCAN_HW_SCANNING, &local->scanning) ||
+            test_bit(SCAN_SW_SCANNING, &local->scanning) ||
+            local->sched_scanning)
                return ieee80211_scan_rx(rx->sdata, skb);
-        if (test_bit(SCAN_SW_SCANNING, &local->scanning)) {
-                /* drop all the other packets during a software scan anyway */
-                if (ieee80211_scan_rx(rx->sdata, skb) != RX_QUEUED)
-                        dev_kfree_skb(skb);
-                return RX_QUEUED;
-        }
        /* scanning finished during invoking of handlers */
        I802_DEBUG_INC(local->rx_handlers_drop_passive_scan);
        return RX_DROP_UNUSABLE;
@@ -479,22 +490,26 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
         * establisment frame, beacon or probe, drop the frame.
         */
-        if (!rx->sta || sta_plink_state(rx->sta) != PLINK_ESTAB) {
+        if (!rx->sta || sta_plink_state(rx->sta) != NL80211_PLINK_ESTAB) {
                struct ieee80211_mgmt *mgmt;
                if (!ieee80211_is_mgmt(hdr->frame_control))
                        return RX_DROP_MONITOR;
                if (ieee80211_is_action(hdr->frame_control)) {
+                        u8 category;
                        mgmt = (struct ieee80211_mgmt *)hdr;
-                        if (mgmt->u.action.category != WLAN_CATEGORY_MESH_PLINK)
+                        category = mgmt->u.action.category;
+                        if (category != WLAN_CATEGORY_MESH_ACTION &&
+                                category != WLAN_CATEGORY_SELF_PROTECTED)
                                return RX_DROP_MONITOR;
                        return RX_CONTINUE;
                }
                if (ieee80211_is_probe_req(hdr->frame_control) ||
                    ieee80211_is_probe_resp(hdr->frame_control) ||
-                    ieee80211_is_beacon(hdr->frame_control))
+                    ieee80211_is_beacon(hdr->frame_control) ||
+                    ieee80211_is_auth(hdr->frame_control))
                        return RX_CONTINUE;
                return RX_DROP_MONITOR;
@@ -604,7 +619,8 @@ static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
                                skipped++;
                                continue;
                        }
-                        if (!time_after(jiffies, tid_agg_rx->reorder_time[j] +
+                        if (skipped &&
+                            !time_after(jiffies, tid_agg_rx->reorder_time[j] +
                                        HT_RX_REORDER_BUF_TIMEOUT))
                                goto set_release_timer;
@@ -641,7 +657,7 @@ static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
 set_release_timer:
                mod_timer(&tid_agg_rx->reorder_timer,
-                          tid_agg_rx->reorder_time[j] +
+                          tid_agg_rx->reorder_time[j] + 1 +
                          HT_RX_REORDER_BUF_TIMEOUT);
        } else {
                del_timer(&tid_agg_rx->reorder_timer);
@@ -698,6 +714,8 @@ static bool ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw,
        /*
         * If the current MPDU is in the right order and nothing else
         * is stored we can process it directly, no need to buffer it.
+         * If it is first but there's something stored, we may be able
+         * to release frames after this one.
         */
        if (mpdu_seq_num == tid_agg_rx->head_seq_num &&
            tid_agg_rx->stored_mpdu_num == 0) {
@@ -798,7 +816,7 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
                                rx->local->dot11FrameDuplicateCount++;
                                rx->sta->num_duplicates++;
                        }
-                        return RX_DROP_MONITOR;
+                        return RX_DROP_UNUSABLE;
                } else
                        rx->sta->last_seq_ctrl[rx->queue] = hdr->seq_ctrl;
        }
@@ -824,18 +842,8 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
                      ieee80211_is_pspoll(hdr->frame_control)) &&
                     rx->sdata->vif.type != NL80211_IFTYPE_ADHOC &&
                     rx->sdata->vif.type != NL80211_IFTYPE_WDS &&
-                     (!rx->sta || !test_sta_flags(rx->sta, WLAN_STA_ASSOC)))) {
+                     (!rx->sta || !test_sta_flags(rx->sta, WLAN_STA_ASSOC))))
-                if ((!ieee80211_has_fromds(hdr->frame_control) &&
-                     !ieee80211_has_tods(hdr->frame_control) &&
-                     ieee80211_is_data(hdr->frame_control)) ||
-                    !(status->rx_flags & IEEE80211_RX_RA_MATCH)) {
-                        /* Drop IBSS frames and frames for other hosts
-                         * silently. */
-                        return RX_DROP_MONITOR;
-                }
                return RX_DROP_MONITOR;
-        }
        return RX_CONTINUE;
 }
@@ -1088,7 +1096,8 @@ static void ap_sta_ps_start(struct sta_info *sta)
        atomic_inc(&sdata->bss->num_sta_ps);
        set_sta_flags(sta, WLAN_STA_PS_STA);
-        drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
+        if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS))
+                drv_sta_notify(local, sdata, STA_NOTIFY_SLEEP, &sta->sta);
 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
        printk(KERN_DEBUG "%s: STA %pM aid %d enters power save mode\n",
               sdata->name, sta->sta.addr, sta->sta.aid);
@@ -1117,6 +1126,27 @@ static void ap_sta_ps_end(struct sta_info *sta)
        ieee80211_sta_ps_deliver_wakeup(sta);
 }
+int ieee80211_sta_ps_transition(struct ieee80211_sta *sta, bool start)
+{
+        struct sta_info *sta_inf = container_of(sta, struct sta_info, sta);
+        bool in_ps;
+        WARN_ON(!(sta_inf->local->hw.flags & IEEE80211_HW_AP_LINK_PS));
+        /* Don't let the same PS state be set twice */
+        in_ps = test_sta_flags(sta_inf, WLAN_STA_PS_STA);
+        if ((start && in_ps) || (!start && !in_ps))
+                return -EINVAL;
+        if (start)
+                ap_sta_ps_start(sta_inf);
+        else
+                ap_sta_ps_end(sta_inf);
+        return 0;
+}
+EXPORT_SYMBOL(ieee80211_sta_ps_transition);
 static ieee80211_rx_result debug_noinline
 ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
 {
@@ -1136,14 +1166,23 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
        if (rx->sdata->vif.type == NL80211_IFTYPE_ADHOC) {
                u8 *bssid = ieee80211_get_bssid(hdr, rx->skb->len,
                                                NL80211_IFTYPE_ADHOC);
-                if (compare_ether_addr(bssid, rx->sdata->u.ibss.bssid) == 0)
+                if (compare_ether_addr(bssid, rx->sdata->u.ibss.bssid) == 0) {
                        sta->last_rx = jiffies;
+                        if (ieee80211_is_data(hdr->frame_control)) {
+                                sta->last_rx_rate_idx = status->rate_idx;
+                                sta->last_rx_rate_flag = status->flag;
+                        }
+                }
        } else if (!is_multicast_ether_addr(hdr->addr1)) {
                /*
                 * Mesh beacons will update last_rx when if they are found to
                 * match the current local configuration when processed.
                 */
                sta->last_rx = jiffies;
+                if (ieee80211_is_data(hdr->frame_control)) {
+                        sta->last_rx_rate_idx = status->rate_idx;
+                        sta->last_rx_rate_flag = status->flag;
+                }
        }
        if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
@@ -1161,7 +1200,8 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
         * Change STA power saving mode only at the end of a frame
         * exchange sequence.
         */
-        if (!ieee80211_has_morefrags(hdr->frame_control) &&
+        if (!(sta->local->hw.flags & IEEE80211_HW_AP_LINK_PS) &&
+            !ieee80211_has_morefrags(hdr->frame_control) &&
            !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
            (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
             rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
@@ -1552,21 +1592,43 @@ ieee80211_drop_unencrypted_mgmt(struct ieee80211_rx_data *rx)
 }
 static int
-__ieee80211_data_to_8023(struct ieee80211_rx_data *rx)
+__ieee80211_data_to_8023(struct ieee80211_rx_data *rx, bool *port_control)
 {
        struct ieee80211_sub_if_data *sdata = rx->sdata;
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
+        bool check_port_control = false;
+        struct ethhdr *ehdr;
+        int ret;
+        *port_control = false;
        if (ieee80211_has_a4(hdr->frame_control) &&
            sdata->vif.type == NL80211_IFTYPE_AP_VLAN && !sdata->u.vlan.sta)
                return -1;
+        if (sdata->vif.type == NL80211_IFTYPE_STATION &&
+            !!sdata->u.mgd.use_4addr != !!ieee80211_has_a4(hdr->frame_control)) {
+                if (!sdata->u.mgd.use_4addr)
+                        return -1;
+                else
+                        check_port_control = true;
+        }
        if (is_multicast_ether_addr(hdr->addr1) &&
-            ((sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta) ||
+            sdata->vif.type == NL80211_IFTYPE_AP_VLAN && sdata->u.vlan.sta)
-             (sdata->vif.type == NL80211_IFTYPE_STATION && sdata->u.mgd.use_4addr)))
                return -1;
-        return ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
+        ret = ieee80211_data_to_8023(rx->skb, sdata->vif.addr, sdata->vif.type);
+        if (ret < 0)
+                return ret;
+        ehdr = (struct ethhdr *) rx->skb->data;
+        if (ehdr->h_proto == rx->sdata->control_port_protocol)
+                *port_control = true;
+        else if (check_port_control)
+                return -1;
+        return 0;
 }
 /*
@@ -1721,7 +1783,7 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx_data *rx)
        ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
                                 rx->sdata->vif.type,
-                                 rx->local->hw.extra_tx_headroom);
+                                 rx->local->hw.extra_tx_headroom, true);
        while (!skb_queue_empty(&frame_list)) {
                rx->skb = __skb_dequeue(&frame_list);
@@ -1864,6 +1926,7 @@ ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
        struct net_device *dev = sdata->dev;
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data;
        __le16 fc = hdr->frame_control;
+        bool port_control;
        int err;
        if (unlikely(!ieee80211_is_data(hdr->frame_control)))
@@ -1880,20 +1943,31 @@ ieee80211_rx_h_data(struct ieee80211_rx_data *rx)
            sdata->vif.type == NL80211_IFTYPE_AP)
                return RX_DROP_MONITOR;
-        err = __ieee80211_data_to_8023(rx);
+        err = __ieee80211_data_to_8023(rx, &port_control);
        if (unlikely(err))
                return RX_DROP_UNUSABLE;
        if (!ieee80211_frame_allowed(rx, fc))
                return RX_DROP_MONITOR;
+        if (rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
+            unlikely(port_control) && sdata->bss) {
+                sdata = container_of(sdata->bss, struct ieee80211_sub_if_data,
+                                     u.ap);
+                dev = sdata->dev;
+                rx->sdata = sdata;
+        }
        rx->skb->dev = dev;
        dev->stats.rx_packets++;
        dev->stats.rx_bytes += rx->skb->len;
        if (local->ps_sdata && local->hw.conf.dynamic_ps_timeout > 0 &&
-            !is_multicast_ether_addr(((struct ethhdr *)rx->skb->data)->h_dest)) {
+            !is_multicast_ether_addr(
+                    ((struct ethhdr *)rx->skb->data)->h_dest) &&
+            (!local->scanning &&
+             !test_bit(SDATA_STATE_OFFCHANNEL, &sdata->state))) {
                        mod_timer(&local->dynamic_ps_timer, jiffies +
                         msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
        }
@@ -2136,7 +2210,7 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                        goto handled;
                }
                break;
-        case WLAN_CATEGORY_MESH_PLINK:
+        case WLAN_CATEGORY_MESH_ACTION:
                if (!ieee80211_vif_is_mesh(&sdata->vif))
                        break;
                goto queue;
@@ -2299,47 +2373,6 @@ ieee80211_rx_h_mgmt(struct ieee80211_rx_data *rx)
        return RX_QUEUED;
 }
-static void ieee80211_rx_michael_mic_report(struct ieee80211_hdr *hdr,
-                                            struct ieee80211_rx_data *rx)
-{
-        int keyidx;
-        unsigned int hdrlen;
-        hdrlen = ieee80211_hdrlen(hdr->frame_control);
-        if (rx->skb->len >= hdrlen + 4)
-                keyidx = rx->skb->data[hdrlen + 3] >> 6;
-        else
-                keyidx = -1;
-        if (!rx->sta) {
-                /*
-                 * Some hardware seem to generate incorrect Michael MIC
-                 * reports; ignore them to avoid triggering countermeasures.
-                 */
-                return;
-        }
-        if (!ieee80211_has_protected(hdr->frame_control))
-                return;
-        if (rx->sdata->vif.type == NL80211_IFTYPE_AP && keyidx) {
-                /*
-                 * APs with pairwise keys should never receive Michael MIC
-                 * errors for non-zero keyidx because these are reserved for
-                 * group keys and only the AP is sending real multicast
-                 * frames in the BSS.
-                 */
-                return;
-        }
-        if (!ieee80211_is_data(hdr->frame_control) &&
-            !ieee80211_is_auth(hdr->frame_control))
-                return;
-        mac80211_ev_michael_mic_failure(rx->sdata, keyidx, hdr, NULL,
-                                        GFP_ATOMIC);
-}
 /* TODO: use IEEE80211_RX_FRAGMENTED */
 static void ieee80211_rx_cooked_monitor(struct ieee80211_rx_data *rx,
                                        struct ieee80211_rate *rate)
@@ -2488,7 +2521,6 @@ static void ieee80211_rx_handlers(struct ieee80211_rx_data *rx)
                 * same TID from the same station
                 */
                rx->skb = skb;
-                rx->flags = 0;
                CALL_RXH(ieee80211_rx_h_decrypt)
                CALL_RXH(ieee80211_rx_h_check_more_data)
@@ -2559,6 +2591,7 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
                .sdata = sta->sdata,
                .local = sta->local,
                .queue = tid,
+                .flags = 0,
        };
        struct tid_ampdu_rx *tid_agg_rx;
@@ -2590,7 +2623,8 @@ static int prepare_for_handlers(struct ieee80211_rx_data *rx,
                        return 0;
                if (!multicast &&
                    compare_ether_addr(sdata->vif.addr, hdr->addr1) != 0) {
-                        if (!(sdata->dev->flags & IFF_PROMISC))
+                        if (!(sdata->dev->flags & IFF_PROMISC) ||
+                            sdata->u.mgd.use_4addr)
                                return 0;
                        status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
                }
@@ -2639,7 +2673,8 @@ static int prepare_for_handlers(struct ieee80211_rx_data *rx,
                                return 0;
                } else if (!ieee80211_bssid_match(bssid,
                                        sdata->vif.addr)) {
-                        if (!(status->rx_flags & IEEE80211_RX_IN_SCAN))
+                        if (!(status->rx_flags & IEEE80211_RX_IN_SCAN) &&
+                            !ieee80211_is_beacon(hdr->frame_control))
                                return 0;
                        status->rx_flags &= ~IEEE80211_RX_RA_MATCH;
                }
@@ -2681,18 +2716,12 @@ static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
        if (!prepares)
                return false;
-        if (status->flag & RX_FLAG_MMIC_ERROR) {
-                if (status->rx_flags & IEEE80211_RX_RA_MATCH)
-                        ieee80211_rx_michael_mic_report(hdr, rx);
-                return false;
-        }
        if (!consume) {
                skb = skb_copy(skb, GFP_ATOMIC);
                if (!skb) {
                        if (net_ratelimit())
                                wiphy_debug(local->hw.wiphy,
-                                        "failed to copy multicast frame for %s\n",
+                                        "failed to copy skb for %s\n",
                                        sdata->name);
                        return true;
                }
@@ -2730,7 +2759,7 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
                local->dot11ReceivedFragmentCount++;
        if (unlikely(test_bit(SCAN_HW_SCANNING, &local->scanning) ||
-                     test_bit(SCAN_OFF_CHANNEL, &local->scanning)))
+                     test_bit(SCAN_SW_SCANNING, &local->scanning)))
                status->rx_flags |= IEEE80211_RX_IN_SCAN;
        if (ieee80211_is_mgmt(fc))
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index fb274db77e3c..d20046b5d8f4 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -15,6 +15,7 @@
 #include <linux/if_arp.h>
 #include <linux/rtnetlink.h>
 #include <linux/pm_qos_params.h>
+#include <linux/slab.h>
 #include <net/sch_generic.h>
 #include <linux/slab.h>
 #include <net/mac80211.h>
@@ -170,7 +171,7 @@ ieee80211_scan_rx(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
                return RX_CONTINUE;
        if (skb->len < 24)
-                return RX_DROP_MONITOR;
+                return RX_CONTINUE;
        presp = ieee80211_is_probe_resp(fc);
        if (presp) {
@@ -196,7 +197,8 @@ ieee80211_scan_rx(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
        ieee802_11_parse_elems(elements, skb->len - baselen, &elems);
        if (elems.ds_params && elems.ds_params_len == 1)
-                freq = ieee80211_channel_to_frequency(elems.ds_params[0]);
+                freq = ieee80211_channel_to_frequency(elems.ds_params[0],
+                                                      rx_status->band);
        else
                freq = rx_status->freq;
@@ -211,6 +213,14 @@ ieee80211_scan_rx(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
        if (bss)
                ieee80211_rx_bss_put(sdata->local, bss);
+        /* If we are on-operating-channel, and this packet is for the
+         * current channel, pass the pkt on up the stack so that
+         * the rest of the stack can make use of it.
+         */
+        if (ieee80211_cfg_on_oper_channel(sdata->local)
+            && (channel == sdata->local->oper_channel))
+                return RX_CONTINUE;
        dev_kfree_skb(skb);
        return RX_QUEUED;
 }
@@ -249,10 +259,12 @@ static bool ieee80211_prep_hw_scan(struct ieee80211_local *local)
        return true;
 }
-static bool __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted,
+static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted,
                                       bool was_hw_scan)
 {
        struct ieee80211_local *local = hw_to_local(hw);
+        bool on_oper_chan;
+        bool enable_beacons = false;
        lockdep_assert_held(&local->mtx);
@@ -266,12 +278,12 @@ static bool __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted,
                aborted = true;
        if (WARN_ON(!local->scan_req))
-                return false;
+                return;
        if (was_hw_scan && !aborted && ieee80211_prep_hw_scan(local)) {
                int rc = drv_hw_scan(local, local->scan_sdata, local->hw_scan_req);
                if (rc == 0)
-                        return false;
+                        return;
        }
        kfree(local->hw_scan_req);
@@ -285,24 +297,28 @@ static bool __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted,
        local->scanning = 0;
        local->scan_channel = NULL;
-        return true;
+        on_oper_chan = ieee80211_cfg_on_oper_channel(local);
-}
-static void __ieee80211_scan_completed_finish(struct ieee80211_hw *hw,
+        if (was_hw_scan || !on_oper_chan)
-                                              bool was_hw_scan)
+                ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
-{
+        else
-        struct ieee80211_local *local = hw_to_local(hw);
+                /* Set power back to normal operating levels. */
+                ieee80211_hw_config(local, 0);
-        ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
        if (!was_hw_scan) {
+                bool on_oper_chan2;
                ieee80211_configure_filter(local);
                drv_sw_scan_complete(local);
-                ieee80211_offchannel_return(local, true);
+                on_oper_chan2 = ieee80211_cfg_on_oper_channel(local);
+                /* We should always be on-channel at this point. */
+                WARN_ON(!on_oper_chan2);
+                if (on_oper_chan2 && (on_oper_chan != on_oper_chan2))
+                        enable_beacons = true;
+                ieee80211_offchannel_return(local, enable_beacons, true);
        }
-        mutex_lock(&local->mtx);
        ieee80211_recalc_idle(local);
-        mutex_unlock(&local->mtx);
        ieee80211_mlme_notify_scan_completed(local);
        ieee80211_ibss_notify_scan_completed(local);
@@ -340,16 +356,21 @@ static int ieee80211_start_sw_scan(struct ieee80211_local *local)
         */
        drv_sw_scan_start(local);
-        ieee80211_offchannel_stop_beaconing(local);
        local->leave_oper_channel_time = 0;
        local->next_scan_state = SCAN_DECISION;
        local->scan_channel_idx = 0;
-        drv_flush(local, false);
+        /* We always want to use off-channel PS, even if we
+         * are not really leaving oper-channel.  Don't
+         * tell the AP though, as long as we are on-channel.
+         */
+        ieee80211_offchannel_enable_all_ps(local, false);
        ieee80211_configure_filter(local);
+        /* We need to set power level at maximum rate for scanning. */
+        ieee80211_hw_config(local, 0);
        ieee80211_queue_delayed_work(&local->hw,
                                     &local->scan_work,
                                     IEEE80211_CHANNEL_TIME);
@@ -486,7 +507,20 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
        }
        mutex_unlock(&local->iflist_mtx);
-        if (local->scan_channel) {
+        next_chan = local->scan_req->channels[local->scan_channel_idx];
+        if (ieee80211_cfg_on_oper_channel(local)) {
+                /* We're currently on operating channel. */
+                if (next_chan == local->oper_channel)
+                        /* We don't need to move off of operating channel. */
+                        local->next_scan_state = SCAN_SET_CHANNEL;
+                else
+                        /*
+                         * We do need to leave operating channel, as next
+                         * scan is somewhere else.
+                         */
+                        local->next_scan_state = SCAN_LEAVE_OPER_CHANNEL;
+        } else {
                /*
                 * we're currently scanning a different channel, let's
                 * see if we can scan another channel without interfering
@@ -502,7 +536,6 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
                 *
                 * Otherwise switch back to the operating channel.
                 */
-                next_chan = local->scan_req->channels[local->scan_channel_idx];
                bad_latency = time_after(jiffies +
                                ieee80211_scan_get_channel_time(next_chan),
@@ -520,12 +553,6 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
                        local->next_scan_state = SCAN_ENTER_OPER_CHANNEL;
                else
                        local->next_scan_state = SCAN_SET_CHANNEL;
-        } else {
-                /*
-                 * we're on the operating channel currently, let's
-                 * leave that channel now to scan another one
-                 */
-                local->next_scan_state = SCAN_LEAVE_OPER_CHANNEL;
        }
        *next_delay = 0;
@@ -534,9 +561,10 @@ static void ieee80211_scan_state_decision(struct ieee80211_local *local,
 static void ieee80211_scan_state_leave_oper_channel(struct ieee80211_local *local,
                                                    unsigned long *next_delay)
 {
-        ieee80211_offchannel_stop_station(local);
+        /* PS will already be in off-channel mode,
+         * we do that once at the beginning of scanning.
-        __set_bit(SCAN_OFF_CHANNEL, &local->scanning);
+         */
+        ieee80211_offchannel_stop_vifs(local, false);
        /*
         * What if the nullfunc frames didn't arrive?
@@ -559,15 +587,15 @@ static void ieee80211_scan_state_enter_oper_channel(struct ieee80211_local *loca
 {
        /* switch back to the operating channel */
        local->scan_channel = NULL;
-        ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
+        if (!ieee80211_cfg_on_oper_channel(local))
+                ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
        /*
-         * Only re-enable station mode interface now; beaconing will be
+         * Re-enable vifs and beaconing.  Leave PS
-         * re-enabled once the full scan has been completed.
+         * in off-channel state..will put that back
+         * on-channel at the end of scanning.
         */
-        ieee80211_offchannel_return(local, false);
+        ieee80211_offchannel_return(local, true, false);
-        __clear_bit(SCAN_OFF_CHANNEL, &local->scanning);
        *next_delay = HZ / 5;
        local->next_scan_state = SCAN_DECISION;
@@ -583,8 +611,11 @@ static void ieee80211_scan_state_set_channel(struct ieee80211_local *local,
        chan = local->scan_req->channels[local->scan_channel_idx];
        local->scan_channel = chan;
-        if (ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL))
-                skip = 1;
+        /* Only call hw-config if we really need to change channels. */
+        if (chan != local->hw.conf.channel)
+                if (ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL))
+                        skip = 1;
        /* advance state machine to next channel/band */
        local->scan_channel_idx++;
@@ -642,12 +673,14 @@ void ieee80211_scan_work(struct work_struct *work)
 {
        struct ieee80211_local *local =
                container_of(work, struct ieee80211_local, scan_work.work);
-        struct ieee80211_sub_if_data *sdata = local->scan_sdata;
+        struct ieee80211_sub_if_data *sdata;
        unsigned long next_delay = 0;
-        bool aborted, hw_scan, finish;
+        bool aborted, hw_scan;
        mutex_lock(&local->mtx);
+        sdata = local->scan_sdata;
        if (test_and_clear_bit(SCAN_COMPLETED, &local->scanning)) {
                aborted = test_and_clear_bit(SCAN_ABORTED, &local->scanning);
                goto out_complete;
@@ -711,17 +744,11 @@ void ieee80211_scan_work(struct work_struct *work)
        } while (next_delay == 0);
        ieee80211_queue_delayed_work(&local->hw, &local->scan_work, next_delay);
-        mutex_unlock(&local->mtx);
+        goto out;
-        return;
 out_complete:
        hw_scan = test_bit(SCAN_HW_SCANNING, &local->scanning);
-        finish = __ieee80211_scan_completed(&local->hw, aborted, hw_scan);
+        __ieee80211_scan_completed(&local->hw, aborted, hw_scan);
-        mutex_unlock(&local->mtx);
-        if (finish)
-                __ieee80211_scan_completed_finish(&local->hw, hw_scan);
-        return;
 out:
        mutex_unlock(&local->mtx);
 }
@@ -791,7 +818,6 @@ int ieee80211_request_internal_scan(struct ieee80211_sub_if_data *sdata,
 void ieee80211_scan_cancel(struct ieee80211_local *local)
 {
        bool abortscan;
-        bool finish = false;
        /*
         * We are only canceling software scan, or deferred scan that was not
@@ -811,14 +837,136 @@ void ieee80211_scan_cancel(struct ieee80211_local *local)
        mutex_lock(&local->mtx);
        abortscan = local->scan_req && !test_bit(SCAN_HW_SCANNING, &local->scanning);
-        if (abortscan)
+        if (abortscan) {
-                finish = __ieee80211_scan_completed(&local->hw, true, false);
+                /*
+                 * The scan is canceled, but stop work from being pending.
+                 *
+                 * If the work is currently running, it must be blocked on
+                 * the mutex, but we'll set scan_sdata = NULL and it'll
+                 * simply exit once it acquires the mutex.
+                 */
+                cancel_delayed_work(&local->scan_work);
+                /* and clean up */
+                __ieee80211_scan_completed(&local->hw, true, false);
+        }
        mutex_unlock(&local->mtx);
+}
-        if (abortscan) {
+int ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata,
-                /* The scan is canceled, but stop work from being pending */
+                                       struct cfg80211_sched_scan_request *req)
-                cancel_delayed_work_sync(&local->scan_work);
+{
+        struct ieee80211_local *local = sdata->local;
+        int ret, i;
+        mutex_lock(&sdata->local->mtx);
+        if (local->sched_scanning) {
+                ret = -EBUSY;
+                goto out;
+        }
+        if (!local->ops->sched_scan_start) {
+                ret = -ENOTSUPP;
+                goto out;
        }
-        if (finish)
-                __ieee80211_scan_completed_finish(&local->hw, false);
+        for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
+                local->sched_scan_ies.ie[i] = kzalloc(2 +
+                                                      IEEE80211_MAX_SSID_LEN +
+                                                      local->scan_ies_len,
+                                                      GFP_KERNEL);
+                if (!local->sched_scan_ies.ie[i]) {
+                        ret = -ENOMEM;
+                        goto out_free;
+                }
+                local->sched_scan_ies.len[i] =
+                        ieee80211_build_preq_ies(local,
+                                                 local->sched_scan_ies.ie[i],
+                                                 req->ie, req->ie_len, i,
+                                                 (u32) -1, 0);
+        }
+        ret = drv_sched_scan_start(local, sdata, req,
+                                   &local->sched_scan_ies);
+        if (ret == 0) {
+                local->sched_scanning = true;
+                goto out;
+        }
+out_free:
+        while (i > 0)
+                kfree(local->sched_scan_ies.ie[--i]);
+out:
+        mutex_unlock(&sdata->local->mtx);
+        return ret;
+}
+int ieee80211_request_sched_scan_stop(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_local *local = sdata->local;
+        int ret = 0, i;
+        mutex_lock(&sdata->local->mtx);
+        if (!local->ops->sched_scan_stop) {
+                ret = -ENOTSUPP;
+                goto out;
+        }
+        if (local->sched_scanning) {
+                for (i = 0; i < IEEE80211_NUM_BANDS; i++)
+                        kfree(local->sched_scan_ies.ie[i]);
+                drv_sched_scan_stop(local, sdata);
+                local->sched_scanning = false;
+        }
+out:
+        mutex_unlock(&sdata->local->mtx);
+        return ret;
+}
+void ieee80211_sched_scan_results(struct ieee80211_hw *hw)
+{
+        struct ieee80211_local *local = hw_to_local(hw);
+        trace_api_sched_scan_results(local);
+        cfg80211_sched_scan_results(hw->wiphy);
+}
+EXPORT_SYMBOL(ieee80211_sched_scan_results);
+void ieee80211_sched_scan_stopped_work(struct work_struct *work)
+{
+        struct ieee80211_local *local =
+                container_of(work, struct ieee80211_local,
+                             sched_scan_stopped_work);
+        int i;
+        mutex_lock(&local->mtx);
+        if (!local->sched_scanning) {
+                mutex_unlock(&local->mtx);
+                return;
+        }
+        for (i = 0; i < IEEE80211_NUM_BANDS; i++)
+                kfree(local->sched_scan_ies.ie[i]);
+        local->sched_scanning = false;
+        mutex_unlock(&local->mtx);
+        cfg80211_sched_scan_stopped(local->hw.wiphy);
+}
+void ieee80211_sched_scan_stopped(struct ieee80211_hw *hw)
+{
+        struct ieee80211_local *local = hw_to_local(hw);
+        trace_api_sched_scan_stopped(local);
+        ieee80211_queue_work(&local->hw, &local->sched_scan_stopped_work);
 }
+EXPORT_SYMBOL(ieee80211_sched_scan_stopped);
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index c426504ed1cf..b83870bf60fa 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -47,9 +47,9 @@
 * Station entries are added by mac80211 when you establish a link with a
 * peer. This means different things for the different type of interfaces
 * we support. For a regular station this mean we add the AP sta when we
- * receive an assocation response from the AP. For IBSS this occurs when
+ * receive an association response from the AP. For IBSS this occurs when
 * get to know about a peer on the same IBSS. For WDS we add the sta for
- * the peer imediately upon device open. When using AP mode we add stations
+ * the peer immediately upon device open. When using AP mode we add stations
 * for each respective station upon request from userspace through nl80211.
 *
 * In order to remove a STA info structure, various sta_info_destroy_*()
@@ -67,7 +67,8 @@ static int sta_info_hash_del(struct ieee80211_local *local,
 {
        struct sta_info *s;
-        s = local->sta_hash[STA_HASH(sta->sta.addr)];
+        s = rcu_dereference_protected(local->sta_hash[STA_HASH(sta->sta.addr)],
+                                      lockdep_is_held(&local->sta_lock));
        if (!s)
                return -ENOENT;
        if (s == sta) {
@@ -76,9 +77,11 @@ static int sta_info_hash_del(struct ieee80211_local *local,
                return 0;
        }
-        while (s->hnext && s->hnext != sta)
+        while (rcu_access_pointer(s->hnext) &&
-                s = s->hnext;
+               rcu_access_pointer(s->hnext) != sta)
-        if (s->hnext) {
+                s = rcu_dereference_protected(s->hnext,
+                                        lockdep_is_held(&local->sta_lock));
+        if (rcu_access_pointer(s->hnext)) {
                rcu_assign_pointer(s->hnext, sta->hnext);
                return 0;
        }
@@ -228,6 +231,7 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
 {
        struct ieee80211_local *local = sdata->local;
        struct sta_info *sta;
+        struct timespec uptime;
        int i;
        sta = kzalloc(sizeof(*sta) + local->hw.sta_data_size, gfp);
@@ -243,7 +247,10 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
        memcpy(sta->sta.addr, addr, ETH_ALEN);
        sta->local = local;
        sta->sdata = sdata;
+        sta->last_rx = jiffies;
+        do_posix_clock_monotonic_gettime(&uptime);
+        sta->last_connected = uptime.tv_sec;
        ewma_init(&sta->avg_signal, 1024, 8);
        if (sta_prepare_rate_control(local, sta, gfp)) {
@@ -270,7 +277,7 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
 #endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
 #ifdef CONFIG_MAC80211_MESH
-        sta->plink_state = PLINK_LISTEN;
+        sta->plink_state = NL80211_PLINK_LISTEN;
        init_timer(&sta->plink_timer);
 #endif
@@ -583,7 +590,6 @@ static bool sta_info_cleanup_expire_buffered(struct ieee80211_local *local,
 {
        unsigned long flags;
        struct sk_buff *skb;
-        struct ieee80211_sub_if_data *sdata;
        if (skb_queue_empty(&sta->ps_tx_buf))
                return false;
@@ -600,7 +606,6 @@ static bool sta_info_cleanup_expire_buffered(struct ieee80211_local *local,
                if (!skb)
                        break;
-                sdata = sta->sdata;
                local->total_ps_buffered--;
 #ifdef CONFIG_MAC80211_VERBOSE_PS_DEBUG
                printk(KERN_DEBUG "Buffered frame expired (STA %pM)\n",
@@ -608,7 +613,8 @@ static bool sta_info_cleanup_expire_buffered(struct ieee80211_local *local,
 #endif
                dev_kfree_skb(skb);
-                if (skb_queue_empty(&sta->ps_tx_buf))
+                if (skb_queue_empty(&sta->ps_tx_buf) &&
+                    !test_sta_flags(sta, WLAN_STA_PS_DRIVER_BUF))
                        sta_info_clear_tim_bit(sta);
        }
@@ -649,10 +655,12 @@ static int __must_check __sta_info_destroy(struct sta_info *sta)
        if (ret)
                return ret;
+        mutex_lock(&local->key_mtx);
        for (i = 0; i < NUM_DEFAULT_KEYS; i++)
-                ieee80211_key_free(local, sta->gtk[i]);
+                __ieee80211_key_free(key_mtx_dereference(local, sta->gtk[i]));
        if (sta->ptk)
-                ieee80211_key_free(local, sta->ptk);
+                __ieee80211_key_free(key_mtx_dereference(local, sta->ptk));
+        mutex_unlock(&local->key_mtx);
        sta->dead = true;
@@ -697,6 +705,8 @@ static int __must_check __sta_info_destroy(struct sta_info *sta)
 #endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
        cancel_work_sync(&sta->drv_unblock_wk);
+        cfg80211_del_sta(sdata->dev, sta->sta.addr, GFP_KERNEL);
        rate_control_remove_sta_debugfs(sta);
        ieee80211_sta_debugfs_remove(sta);
@@ -765,9 +775,8 @@ static void sta_info_cleanup(unsigned long data)
        if (!timer_needed)
                return;
-        local->sta_cleanup.expires =
+        mod_timer(&local->sta_cleanup,
-                round_jiffies(jiffies + STA_INFO_CLEANUP_INTERVAL);
+                  round_jiffies(jiffies + STA_INFO_CLEANUP_INTERVAL));
-        add_timer(&local->sta_cleanup);
 }
 void sta_info_init(struct ieee80211_local *local)
@@ -780,14 +789,6 @@ void sta_info_init(struct ieee80211_local *local)
        setup_timer(&local->sta_cleanup, sta_info_cleanup,
                    (unsigned long)local);
-        local->sta_cleanup.expires =
-                round_jiffies(jiffies + STA_INFO_CLEANUP_INTERVAL);
-}
-int sta_info_start(struct ieee80211_local *local)
-{
-        add_timer(&local->sta_cleanup);
-        return 0;
 }
 void sta_info_stop(struct ieee80211_local *local)
@@ -899,7 +900,9 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
        struct ieee80211_local *local = sdata->local;
        int sent, buffered;
-        drv_sta_notify(local, sdata, STA_NOTIFY_AWAKE, &sta->sta);
+        clear_sta_flags(sta, WLAN_STA_PS_DRIVER_BUF);
+        if (!(local->hw.flags & IEEE80211_HW_AP_LINK_PS))
+                drv_sta_notify(local, sdata, STA_NOTIFY_AWAKE, &sta->sta);
        if (!skb_queue_empty(&sta->ps_tx_buf))
                sta_info_clear_tim_bit(sta);
@@ -990,3 +993,12 @@ void ieee80211_sta_block_awake(struct ieee80211_hw *hw,
                ieee80211_queue_work(hw, &sta->drv_unblock_wk);
 }
 EXPORT_SYMBOL(ieee80211_sta_block_awake);
+void ieee80211_sta_set_tim(struct ieee80211_sta *pubsta)
+{
+        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
+        set_sta_flags(sta, WLAN_STA_PS_DRIVER_BUF);
+        sta_info_set_tim_bit(sta);
+}
+EXPORT_SYMBOL(ieee80211_sta_set_tim);
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index bbdd2a86a94b..c6ae8718bd57 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -43,6 +43,8 @@
 *      be in the queues
 * @WLAN_STA_PSPOLL: Station sent PS-poll while driver was keeping
 *      station in power-save mode, reply when the driver unblocks.
+ * @WLAN_STA_PS_DRIVER_BUF: Station has frames pending in driver internal
+ *      buffers. Automatically cleared on station wake-up.
 */
 enum ieee80211_sta_info_flags {
        WLAN_STA_AUTH           = 1<<0,
@@ -58,6 +60,7 @@ enum ieee80211_sta_info_flags {
        WLAN_STA_BLOCK_BA       = 1<<11,
        WLAN_STA_PS_DRIVER      = 1<<12,
        WLAN_STA_PSPOLL         = 1<<13,
+        WLAN_STA_PS_DRIVER_BUF  = 1<<14,
 };
 #define STA_TID_NUM 16
@@ -82,6 +85,7 @@ enum ieee80211_sta_info_flags {
 * @state: session state (see above)
 * @stop_initiator: initiator of a session stop
 * @tx_stop: TX DelBA frame when stopping
+ * @buf_size: reorder buffer size at receiver
 *
 * This structure's lifetime is managed by RCU, assignments to
 * the array holding it must hold the aggregation mutex.
@@ -101,6 +105,7 @@ struct tid_ampdu_tx {
        u8 dialog_token;
        u8 stop_initiator;
        bool tx_stop;
+        u8 buf_size;
 };
 /**
@@ -147,6 +152,7 @@ struct tid_ampdu_rx {
 *
 * @tid_rx: aggregation info for Rx per TID -- RCU protected
 * @tid_tx: aggregation info for Tx per TID
+ * @tid_start_tx: sessions where start was requested
 * @addba_req_num: number of times addBA request has been sent.
 * @dialog_token_allocator: dialog token enumerator for each new session;
 * @work: work struct for starting/stopping aggregation
@@ -158,40 +164,18 @@ struct tid_ampdu_rx {
 struct sta_ampdu_mlme {
        struct mutex mtx;
        /* rx */
-        struct tid_ampdu_rx *tid_rx[STA_TID_NUM];
+        struct tid_ampdu_rx __rcu *tid_rx[STA_TID_NUM];
        unsigned long tid_rx_timer_expired[BITS_TO_LONGS(STA_TID_NUM)];
        /* tx */
        struct work_struct work;
-        struct tid_ampdu_tx *tid_tx[STA_TID_NUM];
+        struct tid_ampdu_tx __rcu *tid_tx[STA_TID_NUM];
+        struct tid_ampdu_tx *tid_start_tx[STA_TID_NUM];
        u8 addba_req_num[STA_TID_NUM];
        u8 dialog_token_allocator;
 };
 /**
- * enum plink_state - state of a mesh peer link finite state machine
- *
- * @PLINK_LISTEN: initial state, considered the implicit state of non existant
- *      mesh peer links
- * @PLINK_OPN_SNT: mesh plink open frame has been sent to this mesh peer
- * @PLINK_OPN_RCVD: mesh plink open frame has been received from this mesh peer
- * @PLINK_CNF_RCVD: mesh plink confirm frame has been received from this mesh
- *      peer
- * @PLINK_ESTAB: mesh peer link is established
- * @PLINK_HOLDING: mesh peer link is being closed or cancelled
- * @PLINK_BLOCKED: all frames transmitted from this mesh plink are discarded
- */
-enum plink_state {
-        PLINK_LISTEN,
-        PLINK_OPN_SNT,
-        PLINK_OPN_RCVD,
-        PLINK_CNF_RCVD,
-        PLINK_ESTAB,
-        PLINK_HOLDING,
-        PLINK_BLOCKED
-};
-/**
 * struct sta_info - STA information
 *
 * This structure collects information about a station that
@@ -207,6 +191,8 @@ enum plink_state {
 * @rate_ctrl_priv: rate control private per-STA pointer
 * @last_tx_rate: rate used for last transmit, to report to userspace as
 *      "the" transmit rate
+ * @last_rx_rate_idx: rx status rate index of the last data packet
+ * @last_rx_rate_flag: rx status flag of the last data packet
 * @lock: used for locking all fields that require locking, see comments
 *      in the header file.
 * @flaglock: spinlock for flags accesses
@@ -222,6 +208,7 @@ enum plink_state {
 * @rx_bytes: Number of bytes received from this STA
 * @wep_weak_iv_count: number of weak WEP IVs received from this station
 * @last_rx: time (in jiffies) when last frame was received from this STA
+ * @last_connected: time (in seconds) when a station got connected
 * @num_duplicates: number of duplicate frames received from this STA
 * @rx_fragments: number of received MPDUs
 * @rx_dropped: number of dropped MPDUs from this STA
@@ -256,11 +243,11 @@ enum plink_state {
 struct sta_info {
        /* General information, mostly static */
        struct list_head list;
-        struct sta_info *hnext;
+        struct sta_info __rcu *hnext;
        struct ieee80211_local *local;
        struct ieee80211_sub_if_data *sdata;
-        struct ieee80211_key *gtk[NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS];
+        struct ieee80211_key __rcu *gtk[NUM_DEFAULT_KEYS + NUM_DEFAULT_MGMT_KEYS];
-        struct ieee80211_key *ptk;
+        struct ieee80211_key __rcu *ptk;
        struct rate_control_ref *rate_ctrl;
        void *rate_ctrl_priv;
        spinlock_t lock;
@@ -291,6 +278,7 @@ struct sta_info {
        unsigned long rx_packets, rx_bytes;
        unsigned long wep_weak_iv_count;
        unsigned long last_rx;
+        long last_connected;
        unsigned long num_duplicates;
        unsigned long rx_fragments;
        unsigned long rx_dropped;
@@ -309,6 +297,8 @@ struct sta_info {
        unsigned long tx_bytes;
        unsigned long tx_fragments;
        struct ieee80211_tx_rate last_tx_rate;
+        int last_rx_rate_idx;
+        int last_rx_rate_flag;
        u16 tid_seq[IEEE80211_QOS_CTL_TID_MASK + 1];
        /*
@@ -328,7 +318,7 @@ struct sta_info {
        u8 plink_retries;
        bool ignore_plink_timer;
        bool plink_timer_was_running;
-        enum plink_state plink_state;
+        enum nl80211_plink_state plink_state;
        u32 plink_timeout;
        struct timer_list plink_timer;
 #endif
@@ -346,12 +336,12 @@ struct sta_info {
        struct ieee80211_sta sta;
 };
-static inline enum plink_state sta_plink_state(struct sta_info *sta)
+static inline enum nl80211_plink_state sta_plink_state(struct sta_info *sta)
 {
 #ifdef CONFIG_MAC80211_MESH
        return sta->plink_state;
 #endif
-        return PLINK_LISTEN;
+        return NL80211_PLINK_LISTEN;
 }
 static inline void set_sta_flags(struct sta_info *sta, const u32 flags)
@@ -410,7 +400,16 @@ static inline u32 get_sta_flags(struct sta_info *sta)
        return ret;
 }
+void ieee80211_assign_tid_tx(struct sta_info *sta, int tid,
+                             struct tid_ampdu_tx *tid_tx);
+static inline struct tid_ampdu_tx *
+rcu_dereference_protected_tid_tx(struct sta_info *sta, int tid)
+{
+        return rcu_dereference_protected(sta->ampdu_mlme.tid_tx[tid],
+                                         lockdep_is_held(&sta->lock) ||
+                                         lockdep_is_held(&sta->ampdu_mlme.mtx));
+}
 #define STA_HASH_SIZE 256
 #define STA_HASH(sta) (sta[5])
@@ -491,7 +490,6 @@ void sta_info_set_tim_bit(struct sta_info *sta);
 void sta_info_clear_tim_bit(struct sta_info *sta);
 void sta_info_init(struct ieee80211_local *local);
-int sta_info_start(struct ieee80211_local *local);
 void sta_info_stop(struct ieee80211_local *local);
 int sta_info_flush(struct ieee80211_local *local,
                   struct ieee80211_sub_if_data *sdata);
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 071ac95c4aa0..1658efaa2e8e 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -98,6 +98,10 @@ static void ieee80211_handle_filtered_frame(struct ieee80211_local *local,
         *  (b) always process RX events before TX status events if ordering
         *      can be unknown, for example with different interrupt status
         *      bits.
+         *  (c) if PS mode transitions are manual (i.e. the flag
+         *      %IEEE80211_HW_AP_LINK_PS is set), always process PS state
+         *      changes before calling TX status events if ordering can be
+         *      unknown.
         */
        if (test_sta_flags(sta, WLAN_STA_PS_STA) &&
            skb_queue_len(&sta->tx_filtered) < STA_MAX_TX_BUFFER) {
@@ -185,16 +189,19 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
        bool acked;
        for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) {
-                /* the HW cannot have attempted that rate */
+                if (info->status.rates[i].idx < 0) {
-                if (i >= hw->max_report_rates) {
+                        break;
+                } else if (i >= hw->max_report_rates) {
+                        /* the HW cannot have attempted that rate */
                        info->status.rates[i].idx = -1;
                        info->status.rates[i].count = 0;
-                } else if (info->status.rates[i].idx >= 0) {
+                        break;
-                        rates_idx = i;
                }
                retry_count += info->status.rates[i].count;
        }
+        rates_idx = i - 1;
        if (retry_count < 0)
                retry_count = 0;
@@ -314,8 +321,6 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
                if (info->flags & IEEE80211_TX_STAT_ACK) {
                        local->ps_sdata->u.mgd.flags |=
                                        IEEE80211_STA_NULLFUNC_ACKED;
-                        ieee80211_queue_work(&local->hw,
-                                        &local->dynamic_ps_enable_work);
                } else
                        mod_timer(&local->dynamic_ps_timer, jiffies +
                                        msecs_to_jiffies(10));
@@ -339,6 +344,10 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
                        cookie = local->hw_roc_cookie ^ 2;
                        local->hw_roc_skb_for_status = NULL;
                }
+                if (cookie == local->hw_offchan_tx_cookie)
+                        local->hw_offchan_tx_cookie = 0;
                cfg80211_mgmt_tx_status(
                        skb->dev, cookie, skb->data, skb->len,
                        !!(info->flags & IEEE80211_TX_STAT_ACK), GFP_ATOMIC);
@@ -437,3 +446,11 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
        dev_kfree_skb(skb);
 }
 EXPORT_SYMBOL(ieee80211_tx_status);
+void ieee80211_report_low_ack(struct ieee80211_sta *pubsta, u32 num_packets)
+{
+        struct sta_info *sta = container_of(pubsta, struct sta_info, sta);
+        cfg80211_cqm_pktloss_notify(sta->sdata->dev, sta->sta.addr,
+                                    num_packets, GFP_ATOMIC);
+}
+EXPORT_SYMBOL(ieee80211_report_low_ack);
diff --git a/net/mac80211/tkip.c b/net/mac80211/tkip.c
index e840c9cd46db..757e4eb2baf7 100644
--- a/net/mac80211/tkip.c
+++ b/net/mac80211/tkip.c
@@ -202,7 +202,7 @@ EXPORT_SYMBOL(ieee80211_get_tkip_key);
 * @payload_len is the length of payload (_not_ including IV/ICV length).
 * @ta is the transmitter addresses.
 */
-int ieee80211_tkip_encrypt_data(struct crypto_blkcipher *tfm,
+int ieee80211_tkip_encrypt_data(struct crypto_cipher *tfm,
                                struct ieee80211_key *key,
                                u8 *pos, size_t payload_len, u8 *ta)
 {
@@ -223,7 +223,7 @@ int ieee80211_tkip_encrypt_data(struct crypto_blkcipher *tfm,
 * beginning of the buffer containing IEEE 802.11 header payload, i.e.,
 * including IV, Ext. IV, real data, Michael MIC, ICV. @payload_len is the
 * length of payload, including IV, Ext. IV, MIC, ICV.  */
-int ieee80211_tkip_decrypt_data(struct crypto_blkcipher *tfm,
+int ieee80211_tkip_decrypt_data(struct crypto_cipher *tfm,
                                struct ieee80211_key *key,
                                u8 *payload, size_t payload_len, u8 *ta,
                                u8 *ra, int only_iv, int queue,
diff --git a/net/mac80211/tkip.h b/net/mac80211/tkip.h
index 7e83dee976fa..1cab9c86978f 100644
--- a/net/mac80211/tkip.h
+++ b/net/mac80211/tkip.h
@@ -15,7 +15,7 @@
 u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key, u16 iv16);
-int ieee80211_tkip_encrypt_data(struct crypto_blkcipher *tfm,
+int ieee80211_tkip_encrypt_data(struct crypto_cipher *tfm,
                                 struct ieee80211_key *key,
                                 u8 *pos, size_t payload_len, u8 *ta);
 enum {
@@ -24,7 +24,7 @@ enum {
        TKIP_DECRYPT_INVALID_KEYIDX = -2,
        TKIP_DECRYPT_REPLAY = -3,
 };
-int ieee80211_tkip_decrypt_data(struct crypto_blkcipher *tfm,
+int ieee80211_tkip_decrypt_data(struct crypto_cipher *tfm,
                                struct ieee80211_key *key,
                                u8 *payload, size_t payload_len, u8 *ta,
                                u8 *ra, int only_iv, int queue,
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index b0beaa58246b..64e0f7587e6d 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -33,10 +33,6 @@
 #include "wme.h"
 #include "rate.h"
-#define IEEE80211_TX_OK         0
-#define IEEE80211_TX_AGAIN      1
-#define IEEE80211_TX_PENDING    2
 /* misc utils */
 static __le16 ieee80211_duration(struct ieee80211_tx_data *tx, int group_addr,
@@ -173,7 +169,7 @@ static __le16 ieee80211_duration(struct ieee80211_tx_data *tx, int group_addr,
        return cpu_to_le16(dur);
 }
-static int inline is_ieee80211_device(struct ieee80211_local *local,
+static inline int is_ieee80211_device(struct ieee80211_local *local,
                                      struct net_device *dev)
 {
        return local == wdev_priv(dev->ieee80211_ptr);
@@ -236,10 +232,15 @@ ieee80211_tx_h_dynamic_ps(struct ieee80211_tx_data *tx)
        if (local->hw.conf.flags & IEEE80211_CONF_PS) {
                ieee80211_stop_queues_by_reason(&local->hw,
                                                IEEE80211_QUEUE_STOP_REASON_PS);
+                ifmgd->flags &= ~IEEE80211_STA_NULLFUNC_ACKED;
                ieee80211_queue_work(&local->hw,
                                     &local->dynamic_ps_disable_work);
        }
+        /* Don't restart the timer if we're not disassociated */
+        if (!ifmgd->associated)
+                return TX_CONTINUE;
        mod_timer(&local->dynamic_ps_timer, jiffies +
                  msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
@@ -257,7 +258,8 @@ ieee80211_tx_h_check_assoc(struct ieee80211_tx_data *tx)
        if (unlikely(info->flags & IEEE80211_TX_CTL_INJECTED))
                return TX_CONTINUE;
-        if (unlikely(test_bit(SCAN_OFF_CHANNEL, &tx->local->scanning)) &&
+        if (unlikely(test_bit(SCAN_SW_SCANNING, &tx->local->scanning)) &&
+            test_bit(SDATA_STATE_OFFCHANNEL, &tx->sdata->state) &&
            !ieee80211_is_probe_req(hdr->frame_control) &&
            !ieee80211_is_nullfunc(hdr->frame_control))
                /*
@@ -1038,14 +1040,11 @@ static bool __ieee80211_parse_tx_radiotap(struct ieee80211_tx_data *tx,
        struct ieee80211_radiotap_iterator iterator;
        struct ieee80211_radiotap_header *rthdr =
                (struct ieee80211_radiotap_header *) skb->data;
-        struct ieee80211_supported_band *sband;
        bool hw_frag;
        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
        int ret = ieee80211_radiotap_iterator_init(&iterator, rthdr, skb->len,
                                                   NULL);
-        sband = tx->local->hw.wiphy->bands[tx->channel->band];
        info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
        tx->flags &= ~IEEE80211_TX_FRAGMENTED;
@@ -1152,7 +1151,7 @@ static bool ieee80211_tx_prep_agg(struct ieee80211_tx_data *tx,
                 *     packet pass through because splicing the frames
                 *     back is already done.
                 */
-                tid_tx = tx->sta->ampdu_mlme.tid_tx[tid];
+                tid_tx = rcu_dereference_protected_tid_tx(tx->sta, tid);
                if (!tid_tx) {
                        /* do nothing, let packet pass through */
@@ -1283,16 +1282,17 @@ ieee80211_tx_prepare(struct ieee80211_sub_if_data *sdata,
        return TX_CONTINUE;
 }
-static int __ieee80211_tx(struct ieee80211_local *local,
+/*
-                          struct sk_buff **skbp,
+ * Returns false if the frame couldn't be transmitted but was queued instead.
-                          struct sta_info *sta,
+ */
-                          bool txpending)
+static bool __ieee80211_tx(struct ieee80211_local *local, struct sk_buff **skbp,
+                           struct sta_info *sta, bool txpending)
 {
        struct sk_buff *skb = *skbp, *next;
        struct ieee80211_tx_info *info;
        struct ieee80211_sub_if_data *sdata;
        unsigned long flags;
-        int ret, len;
+        int len;
        bool fragm = false;
        while (skb) {
@@ -1300,13 +1300,37 @@ static int __ieee80211_tx(struct ieee80211_local *local,
                __le16 fc;
                spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
-                ret = IEEE80211_TX_OK;
                if (local->queue_stop_reasons[q] ||
-                    (!txpending && !skb_queue_empty(&local->pending[q])))
+                    (!txpending && !skb_queue_empty(&local->pending[q]))) {
-                        ret = IEEE80211_TX_PENDING;
+                        /*
+                         * Since queue is stopped, queue up frames for later
+                         * transmission from the tx-pending tasklet when the
+                         * queue is woken again.
+                         */
+                        do {
+                                next = skb->next;
+                                skb->next = NULL;
+                                /*
+                                 * NB: If txpending is true, next must already
+                                 * be NULL since we must've gone through this
+                                 * loop before already; therefore we can just
+                                 * queue the frame to the head without worrying
+                                 * about reordering of fragments.
+                                 */
+                                if (unlikely(txpending))
+                                        __skb_queue_head(&local->pending[q],
+                                                         skb);
+                                else
+                                        __skb_queue_tail(&local->pending[q],
+                                                         skb);
+                        } while ((skb = next));
+                        spin_unlock_irqrestore(&local->queue_stop_reason_lock,
+                                               flags);
+                        return false;
+                }
                spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
-                if (ret != IEEE80211_TX_OK)
-                        return ret;
                info = IEEE80211_SKB_CB(skb);
@@ -1341,15 +1365,7 @@ static int __ieee80211_tx(struct ieee80211_local *local,
                        info->control.sta = NULL;
                fc = ((struct ieee80211_hdr *)skb->data)->frame_control;
-                ret = drv_tx(local, skb);
+                drv_tx(local, skb);
-                if (WARN_ON(ret != NETDEV_TX_OK && skb->len != len)) {
-                        dev_kfree_skb(skb);
-                        ret = NETDEV_TX_OK;
-                }
-                if (ret != NETDEV_TX_OK) {
-                        info->control.vif = &sdata->vif;
-                        return IEEE80211_TX_AGAIN;
-                }
                ieee80211_tpt_led_trig_tx(local, fc, len);
                *skbp = skb = next;
@@ -1357,7 +1373,7 @@ static int __ieee80211_tx(struct ieee80211_local *local,
                fragm = true;
        }
-        return IEEE80211_TX_OK;
+        return true;
 }
 /*
@@ -1394,7 +1410,8 @@ static int invoke_tx_handlers(struct ieee80211_tx_data *tx)
        /* handlers after fragment must be aware of tx info fragmentation! */
        CALL_TXH(ieee80211_tx_h_stats);
        CALL_TXH(ieee80211_tx_h_encrypt);
-        CALL_TXH(ieee80211_tx_h_calculate_duration);
+        if (!(tx->local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL))
+                CALL_TXH(ieee80211_tx_h_calculate_duration);
 #undef CALL_TXH
 txh_done:
@@ -1416,23 +1433,21 @@ static int invoke_tx_handlers(struct ieee80211_tx_data *tx)
        return 0;
 }
-static void ieee80211_tx(struct ieee80211_sub_if_data *sdata,
+/*
+ * Returns false if the frame couldn't be transmitted but was queued instead.
+ */
+static bool ieee80211_tx(struct ieee80211_sub_if_data *sdata,
                         struct sk_buff *skb, bool txpending)
 {
        struct ieee80211_local *local = sdata->local;
        struct ieee80211_tx_data tx;
        ieee80211_tx_result res_prepare;
        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
-        struct sk_buff *next;
+        bool result = true;
-        unsigned long flags;
-        int ret, retries;
-        u16 queue;
-        queue = skb_get_queue_mapping(skb);
        if (unlikely(skb->len < 10)) {
                dev_kfree_skb(skb);
-                return;
+                return true;
        }
        rcu_read_lock();
@@ -1442,85 +1457,19 @@ static void ieee80211_tx(struct ieee80211_sub_if_data *sdata,
        if (unlikely(res_prepare == TX_DROP)) {
                dev_kfree_skb(skb);
-                rcu_read_unlock();
+                goto out;
-                return;
        } else if (unlikely(res_prepare == TX_QUEUED)) {
-                rcu_read_unlock();
+                goto out;
-                return;
        }
        tx.channel = local->hw.conf.channel;
        info->band = tx.channel->band;
-        if (invoke_tx_handlers(&tx))
+        if (!invoke_tx_handlers(&tx))
-                goto out;
+                result = __ieee80211_tx(local, &tx.skb, tx.sta, txpending);
-        retries = 0;
- retry:
-        ret = __ieee80211_tx(local, &tx.skb, tx.sta, txpending);
-        switch (ret) {
-        case IEEE80211_TX_OK:
-                break;
-        case IEEE80211_TX_AGAIN:
-                /*
-                 * Since there are no fragmented frames on A-MPDU
-                 * queues, there's no reason for a driver to reject
-                 * a frame there, warn and drop it.
-                 */
-                if (WARN_ON(info->flags & IEEE80211_TX_CTL_AMPDU))
-                        goto drop;
-                /* fall through */
-        case IEEE80211_TX_PENDING:
-                skb = tx.skb;
-                spin_lock_irqsave(&local->queue_stop_reason_lock, flags);
-                if (local->queue_stop_reasons[queue] ||
-                    !skb_queue_empty(&local->pending[queue])) {
-                        /*
-                         * if queue is stopped, queue up frames for later
-                         * transmission from the tasklet
-                         */
-                        do {
-                                next = skb->next;
-                                skb->next = NULL;
-                                if (unlikely(txpending))
-                                        __skb_queue_head(&local->pending[queue],
-                                                         skb);
-                                else
-                                        __skb_queue_tail(&local->pending[queue],
-                                                         skb);
-                        } while ((skb = next));
-                        spin_unlock_irqrestore(&local->queue_stop_reason_lock,
-                                               flags);
-                } else {
-                        /*
-                         * otherwise retry, but this is a race condition or
-                         * a driver bug (which we warn about if it persists)
-                         */
-                        spin_unlock_irqrestore(&local->queue_stop_reason_lock,
-                                               flags);
-                        retries++;
-                        if (WARN(retries > 10, "tx refused but queue active\n"))
-                                goto drop;
-                        goto retry;
-                }
-        }
 out:
        rcu_read_unlock();
-        return;
+        return result;
- drop:
-        rcu_read_unlock();
-        skb = tx.skb;
-        while (skb) {
-                next = skb->next;
-                dev_kfree_skb(skb);
-                skb = next;
-        }
 }
 /* device xmit handlers */
@@ -1531,12 +1480,7 @@ static int ieee80211_skb_resize(struct ieee80211_local *local,
 {
        int tail_need = 0;
-        /*
+        if (may_encrypt && local->crypto_tx_tailroom_needed_cnt) {
-         * This could be optimised, devices that do full hardware
-         * crypto (including TKIP MMIC) need no tailroom... But we
-         * have no drivers for such devices currently.
-         */
-        if (may_encrypt) {
                tail_need = IEEE80211_ENCRYPT_TAILROOM;
                tail_need -= skb_tailroom(skb);
                tail_need = max_t(int, tail_need, 0);
@@ -1750,7 +1694,7 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
        __le16 fc;
        struct ieee80211_hdr hdr;
        struct ieee80211s_hdr mesh_hdr __maybe_unused;
-        struct mesh_path *mppath = NULL;
+        struct mesh_path __maybe_unused *mppath = NULL;
        const u8 *encaps_data;
        int encaps_len, skip_header_bytes;
        int nh_pos, h_pos;
@@ -1811,27 +1755,28 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                        ret = NETDEV_TX_OK;
                        goto fail;
                }
+                rcu_read_lock();
                if (!is_multicast_ether_addr(skb->data))
                        mppath = mpp_path_lookup(skb->data, sdata);
                /*
-                 * Do not use address extension, if it is a packet from
+                 * Use address extension if it is a packet from
-                 * the same interface and the destination is not being
+                 * another interface or if we know the destination
-                 * proxied by any other mest point.
+                 * is being proxied by a portal (i.e. portal address
+                 * differs from proxied address)
                 */
                if (compare_ether_addr(sdata->vif.addr,
                                       skb->data + ETH_ALEN) == 0 &&
-                    (!mppath || !compare_ether_addr(mppath->mpp, skb->data))) {
+                    !(mppath && compare_ether_addr(mppath->mpp, skb->data))) {
                        hdrlen = ieee80211_fill_mesh_addresses(&hdr, &fc,
                                        skb->data, skb->data + ETH_ALEN);
+                        rcu_read_unlock();
                        meshhdrlen = ieee80211_new_mesh_header(&mesh_hdr,
                                        sdata, NULL, NULL);
                } else {
-                        /* packet from other interface */
                        int is_mesh_mcast = 1;
                        const u8 *mesh_da;
-                        rcu_read_lock();
                        if (is_multicast_ether_addr(skb->data))
                                /* DA TA mSA AE:SA */
                                mesh_da = skb->data;
@@ -2067,6 +2012,11 @@ void ieee80211_clear_tx_pending(struct ieee80211_local *local)
                skb_queue_purge(&local->pending[i]);
 }
+/*
+ * Returns false if the frame couldn't be transmitted but was queued instead,
+ * which in this case means re-queued -- take as an indication to stop sending
+ * more pending frames.
+ */
 static bool ieee80211_tx_pending_skb(struct ieee80211_local *local,
                                     struct sk_buff *skb)
 {
@@ -2074,20 +2024,17 @@ static bool ieee80211_tx_pending_skb(struct ieee80211_local *local,
        struct ieee80211_sub_if_data *sdata;
        struct sta_info *sta;
        struct ieee80211_hdr *hdr;
-        int ret;
+        bool result;
-        bool result = true;
        sdata = vif_to_sdata(info->control.vif);
        if (info->flags & IEEE80211_TX_INTFL_NEED_TXPROCESSING) {
-                ieee80211_tx(sdata, skb, true);
+                result = ieee80211_tx(sdata, skb, true);
        } else {
                hdr = (struct ieee80211_hdr *)skb->data;
                sta = sta_info_get(sdata, hdr->addr1);
-                ret = __ieee80211_tx(local, &skb, sta, true);
+                result = __ieee80211_tx(local, &skb, sta, true);
-                if (ret != IEEE80211_TX_OK)
-                        result = false;
        }
        return result;
@@ -2129,8 +2076,6 @@ void ieee80211_tx_pending(unsigned long data)
                                                flags);
                        txok = ieee80211_tx_pending_skb(local, skb);
-                        if (!txok)
-                                __skb_queue_head(&local->pending[i], skb);
                        spin_lock_irqsave(&local->queue_stop_reason_lock,
                                          flags);
                        if (!txok)
@@ -2178,6 +2123,8 @@ static void ieee80211_beacon_add_tim(struct ieee80211_if_ap *bss,
        if (bss->dtim_count == 0 && !skb_queue_empty(&bss->ps_bc_buf))
                aid0 = 1;
+        bss->dtim_bc_mc = aid0 == 1;
        if (have_bits) {
                /* Find largest even number N1 so that bits numbered 1 through
                 * (N1 x 8) - 1 in the bitmap are 0 and number N2 so that bits
@@ -2241,7 +2188,7 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,
        if (sdata->vif.type == NL80211_IFTYPE_AP) {
                ap = &sdata->u.ap;
                beacon = rcu_dereference(ap->beacon);
-                if (ap && beacon) {
+                if (beacon) {
                        /*
                         * headroom, head length,
                         * tail length and maximum TIM length
@@ -2302,9 +2249,14 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,
                struct ieee80211_mgmt *mgmt;
                u8 *pos;
+#ifdef CONFIG_MAC80211_MESH
+                if (!sdata->u.mesh.mesh_id_len)
+                        goto out;
+#endif
                /* headroom, head length, tail length and maximum TIM length */
                skb = dev_alloc_skb(local->tx_headroom + 400 +
-                                sdata->u.mesh.vendor_ie_len);
+                                sdata->u.mesh.ie_len);
                if (!skb)
                        goto out;
@@ -2527,7 +2479,6 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
 {
        struct ieee80211_local *local = hw_to_local(hw);
        struct sk_buff *skb = NULL;
-        struct sta_info *sta;
        struct ieee80211_tx_data tx;
        struct ieee80211_sub_if_data *sdata;
        struct ieee80211_if_ap *bss = NULL;
@@ -2543,7 +2494,7 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
        if (sdata->vif.type != NL80211_IFTYPE_AP || !beacon || !beacon->head)
                goto out;
-        if (bss->dtim_count != 0)
+        if (bss->dtim_count != 0 || !bss->dtim_bc_mc)
                goto out; /* send buffered bc/mc only after DTIM beacon */
        while (1) {
@@ -2569,7 +2520,6 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
        info = IEEE80211_SKB_CB(skb);
-        sta = tx.sta;
        tx.flags |= IEEE80211_TX_PS_BUFFERED;
        tx.channel = local->hw.conf.channel;
        info->band = tx.channel->band;
@@ -2589,8 +2539,9 @@ void ieee80211_tx_skb(struct ieee80211_sub_if_data *sdata, struct sk_buff *skb)
        skb_set_network_header(skb, 0);
        skb_set_transport_header(skb, 0);
-        /* send all internal mgmt frames on VO */
+        /* Send all internal mgmt frames on VO. Accordingly set TID to 7. */
-        skb_set_queue_mapping(skb, 0);
+        skb_set_queue_mapping(skb, IEEE80211_AC_VO);
+        skb->priority = 7;
        /*
         * The other path calling ieee80211_xmit is from the tasklet,
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index d036597aabbe..d3fe2d237485 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -986,12 +986,6 @@ int ieee80211_build_preq_ies(struct ieee80211_local *local, u8 *buffer,
                u16 cap = sband->ht_cap.cap;
                __le16 tmp;
-                if (ieee80211_disable_40mhz_24ghz &&
-                    sband->band == IEEE80211_BAND_2GHZ) {
-                        cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
-                        cap &= ~IEEE80211_HT_CAP_SGI_40;
-                }
                *pos++ = WLAN_EID_HT_CAPABILITY;
                *pos++ = sizeof(struct ieee80211_ht_cap);
                memset(pos, 0, sizeof(struct ieee80211_ht_cap));
@@ -1131,9 +1125,27 @@ int ieee80211_reconfig(struct ieee80211_local *local)
        struct sta_info *sta;
        int res;
+#ifdef CONFIG_PM
        if (local->suspended)
                local->resuming = true;
+        if (local->wowlan) {
+                local->wowlan = false;
+                res = drv_resume(local);
+                if (res < 0) {
+                        local->resuming = false;
+                        return res;
+                }
+                if (res == 0)
+                        goto wake_up;
+                WARN_ON(res > 1);
+                /*
+                 * res is 1, which means the driver requested
+                 * to go through a regular reset on wakeup.
+                 */
+        }
+#endif
        /* restart hardware */
        if (local->open_count) {
                /*
@@ -1264,6 +1276,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                if (ieee80211_sdata_running(sdata))
                        ieee80211_enable_keys(sdata);
+ wake_up:
        ieee80211_wake_queues_by_reason(hw,
                        IEEE80211_QUEUE_STOP_REASON_SUSPEND);
@@ -1296,7 +1309,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                }
        }
-        add_timer(&local->sta_cleanup);
+        mod_timer(&local->sta_cleanup, jiffies + 1);
        mutex_lock(&local->sta_mtx);
        list_for_each_entry(sta, &local->sta_list, list)
diff --git a/net/mac80211/wep.c b/net/mac80211/wep.c
index 2ff6d1e3ed21..a1c6bfd55f0f 100644
--- a/net/mac80211/wep.c
+++ b/net/mac80211/wep.c
@@ -30,17 +30,15 @@ int ieee80211_wep_init(struct ieee80211_local *local)
        /* start WEP IV from a random value */
        get_random_bytes(&local->wep_iv, WEP_IV_LEN);
-        local->wep_tx_tfm = crypto_alloc_blkcipher("ecb(arc4)", 0,
+        local->wep_tx_tfm = crypto_alloc_cipher("arc4", 0, CRYPTO_ALG_ASYNC);
-                                                CRYPTO_ALG_ASYNC);
        if (IS_ERR(local->wep_tx_tfm)) {
                local->wep_rx_tfm = ERR_PTR(-EINVAL);
                return PTR_ERR(local->wep_tx_tfm);
        }
-        local->wep_rx_tfm = crypto_alloc_blkcipher("ecb(arc4)", 0,
+        local->wep_rx_tfm = crypto_alloc_cipher("arc4", 0, CRYPTO_ALG_ASYNC);
-                                                CRYPTO_ALG_ASYNC);
        if (IS_ERR(local->wep_rx_tfm)) {
-                crypto_free_blkcipher(local->wep_tx_tfm);
+                crypto_free_cipher(local->wep_tx_tfm);
                local->wep_tx_tfm = ERR_PTR(-EINVAL);
                return PTR_ERR(local->wep_rx_tfm);
        }
@@ -51,9 +49,9 @@ int ieee80211_wep_init(struct ieee80211_local *local)
 void ieee80211_wep_free(struct ieee80211_local *local)
 {
        if (!IS_ERR(local->wep_tx_tfm))
-                crypto_free_blkcipher(local->wep_tx_tfm);
+                crypto_free_cipher(local->wep_tx_tfm);
        if (!IS_ERR(local->wep_rx_tfm))
-                crypto_free_blkcipher(local->wep_rx_tfm);
+                crypto_free_cipher(local->wep_rx_tfm);
 }
 static inline bool ieee80211_wep_weak_iv(u32 iv, int keylen)
@@ -127,12 +125,11 @@ static void ieee80211_wep_remove_iv(struct ieee80211_local *local,
 /* Perform WEP encryption using given key. data buffer must have tailroom
 * for 4-byte ICV. data_len must not include this ICV. Note: this function
 * does _not_ add IV. data = RC4(data | CRC32(data)) */
-int ieee80211_wep_encrypt_data(struct crypto_blkcipher *tfm, u8 *rc4key,
+int ieee80211_wep_encrypt_data(struct crypto_cipher *tfm, u8 *rc4key,
                               size_t klen, u8 *data, size_t data_len)
 {
-        struct blkcipher_desc desc = { .tfm = tfm };
-        struct scatterlist sg;
        __le32 icv;
+        int i;
        if (IS_ERR(tfm))
                return -1;
@@ -140,9 +137,9 @@ int ieee80211_wep_encrypt_data(struct crypto_blkcipher *tfm, u8 *rc4key,
        icv = cpu_to_le32(~crc32_le(~0, data, data_len));
        put_unaligned(icv, (__le32 *)(data + data_len));
-        crypto_blkcipher_setkey(tfm, rc4key, klen);
+        crypto_cipher_setkey(tfm, rc4key, klen);
-        sg_init_one(&sg, data, data_len + WEP_ICV_LEN);
+        for (i = 0; i < data_len + WEP_ICV_LEN; i++)
-        crypto_blkcipher_encrypt(&desc, &sg, &sg, sg.length);
+                crypto_cipher_encrypt_one(tfm, data + i, data + i);
        return 0;
 }
@@ -186,19 +183,18 @@ int ieee80211_wep_encrypt(struct ieee80211_local *local,
 /* Perform WEP decryption using given key. data buffer includes encrypted
 * payload, including 4-byte ICV, but _not_ IV. data_len must not include ICV.
 * Return 0 on success and -1 on ICV mismatch. */
-int ieee80211_wep_decrypt_data(struct crypto_blkcipher *tfm, u8 *rc4key,
+int ieee80211_wep_decrypt_data(struct crypto_cipher *tfm, u8 *rc4key,
                               size_t klen, u8 *data, size_t data_len)
 {
-        struct blkcipher_desc desc = { .tfm = tfm };
-        struct scatterlist sg;
        __le32 crc;
+        int i;
        if (IS_ERR(tfm))
                return -1;
-        crypto_blkcipher_setkey(tfm, rc4key, klen);
+        crypto_cipher_setkey(tfm, rc4key, klen);
-        sg_init_one(&sg, data, data_len + WEP_ICV_LEN);
+        for (i = 0; i < data_len + WEP_ICV_LEN; i++)
-        crypto_blkcipher_decrypt(&desc, &sg, &sg, sg.length);
+                crypto_cipher_decrypt_one(tfm, data + i, data + i);
        crc = cpu_to_le32(~crc32_le(~0, data, data_len));
        if (memcmp(&crc, data + data_len, WEP_ICV_LEN) != 0)
diff --git a/net/mac80211/wep.h b/net/mac80211/wep.h
index 58654ee33518..01e54840a628 100644
--- a/net/mac80211/wep.h
+++ b/net/mac80211/wep.h
@@ -18,12 +18,12 @@
 int ieee80211_wep_init(struct ieee80211_local *local);
 void ieee80211_wep_free(struct ieee80211_local *local);
-int ieee80211_wep_encrypt_data(struct crypto_blkcipher *tfm, u8 *rc4key,
+int ieee80211_wep_encrypt_data(struct crypto_cipher *tfm, u8 *rc4key,
                                size_t klen, u8 *data, size_t data_len);
 int ieee80211_wep_encrypt(struct ieee80211_local *local,
                          struct sk_buff *skb,
                          const u8 *key, int keylen, int keyidx);
-int ieee80211_wep_decrypt_data(struct crypto_blkcipher *tfm, u8 *rc4key,
+int ieee80211_wep_decrypt_data(struct crypto_cipher *tfm, u8 *rc4key,
                               size_t klen, u8 *data, size_t data_len);
 bool ieee80211_wep_is_weak_iv(struct sk_buff *skb, struct ieee80211_key *key);
diff --git a/net/mac80211/work.c b/net/mac80211/work.c
index 36305e0d06ef..d2e7f0e86677 100644
--- a/net/mac80211/work.c
+++ b/net/mac80211/work.c
@@ -30,7 +30,6 @@
 #define IEEE80211_AUTH_MAX_TRIES 3
 #define IEEE80211_ASSOC_TIMEOUT (HZ / 5)
 #define IEEE80211_ASSOC_MAX_TRIES 3
-#define IEEE80211_MAX_PROBE_TRIES 5
 enum work_action {
        WORK_ACT_MISMATCH,
@@ -66,17 +65,9 @@ static void run_again(struct ieee80211_local *local,
                mod_timer(&local->work_timer, timeout);
 }
-static void work_free_rcu(struct rcu_head *head)
-{
-        struct ieee80211_work *wk =
-                container_of(head, struct ieee80211_work, rcu_head);
-        kfree(wk);
-}
 void free_work(struct ieee80211_work *wk)
 {
-        call_rcu(&wk->rcu_head, work_free_rcu);
+        kfree_rcu(wk, rcu_head);
 }
 static int ieee80211_compatible_rates(const u8 *supp_rates, int supp_rates_len,
@@ -126,12 +117,6 @@ static void ieee80211_add_ht_ie(struct sk_buff *skb, const u8 *ht_info_ie,
        /* determine capability flags */
-        if (ieee80211_disable_40mhz_24ghz &&
-            sband->band == IEEE80211_BAND_2GHZ) {
-                cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
-                cap &= ~IEEE80211_HT_CAP_SGI_40;
-        }
        switch (ht_info->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET) {
        case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
                if (flags & IEEE80211_CHAN_NO_HT40PLUS) {
@@ -205,9 +190,8 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata,
        struct sk_buff *skb;
        struct ieee80211_mgmt *mgmt;
        u8 *pos, qos_info;
-        const u8 *ies;
        size_t offset = 0, noffset;
-        int i, len, count, rates_len, supp_rates_len;
+        int i, count, rates_len, supp_rates_len;
        u16 capab;
        struct ieee80211_supported_band *sband;
        u32 rates = 0;
@@ -292,7 +276,7 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata,
        }
        /* SSID */
-        ies = pos = skb_put(skb, 2 + wk->assoc.ssid_len);
+        pos = skb_put(skb, 2 + wk->assoc.ssid_len);
        *pos++ = WLAN_EID_SSID;
        *pos++ = wk->assoc.ssid_len;
        memcpy(pos, wk->assoc.ssid, wk->assoc.ssid_len);
@@ -302,7 +286,6 @@ static void ieee80211_send_assoc(struct ieee80211_sub_if_data *sdata,
        if (supp_rates_len > 8)
                supp_rates_len = 8;
-        len = sband->n_bitrates;
        pos = skb_put(skb, supp_rates_len + 2);
        *pos++ = WLAN_EID_SUPP_RATES;
        *pos++ = supp_rates_len;
@@ -874,6 +857,44 @@ static void ieee80211_work_rx_queued_mgmt(struct ieee80211_local *local,
        kfree_skb(skb);
 }
+static bool ieee80211_work_ct_coexists(enum nl80211_channel_type wk_ct,
+                                       enum nl80211_channel_type oper_ct)
+{
+        switch (wk_ct) {
+        case NL80211_CHAN_NO_HT:
+                return true;
+        case NL80211_CHAN_HT20:
+                if (oper_ct != NL80211_CHAN_NO_HT)
+                        return true;
+                return false;
+        case NL80211_CHAN_HT40MINUS:
+        case NL80211_CHAN_HT40PLUS:
+                return (wk_ct == oper_ct);
+        }
+        WARN_ON(1); /* shouldn't get here */
+        return false;
+}
+static enum nl80211_channel_type
+ieee80211_calc_ct(enum nl80211_channel_type wk_ct,
+                  enum nl80211_channel_type oper_ct)
+{
+        switch (wk_ct) {
+        case NL80211_CHAN_NO_HT:
+                return oper_ct;
+        case NL80211_CHAN_HT20:
+                if (oper_ct != NL80211_CHAN_NO_HT)
+                        return oper_ct;
+                return wk_ct;
+        case NL80211_CHAN_HT40MINUS:
+        case NL80211_CHAN_HT40PLUS:
+                return wk_ct;
+        }
+        WARN_ON(1); /* shouldn't get here */
+        return wk_ct;
+}
 static void ieee80211_work_timer(unsigned long data)
 {
        struct ieee80211_local *local = (void *) data;
@@ -924,18 +945,52 @@ static void ieee80211_work_work(struct work_struct *work)
                }
                if (!started && !local->tmp_channel) {
+                        bool on_oper_chan;
+                        bool tmp_chan_changed = false;
+                        bool on_oper_chan2;
+                        enum nl80211_channel_type wk_ct;
+                        on_oper_chan = ieee80211_cfg_on_oper_channel(local);
+                        /* Work with existing channel type if possible. */
+                        wk_ct = wk->chan_type;
+                        if (wk->chan == local->hw.conf.channel)
+                                wk_ct = ieee80211_calc_ct(wk->chan_type,
+                                                local->hw.conf.channel_type);
+                        if (local->tmp_channel)
+                                if ((local->tmp_channel != wk->chan) ||
+                                    (local->tmp_channel_type != wk_ct))
+                                        tmp_chan_changed = true;
+                        local->tmp_channel = wk->chan;
+                        local->tmp_channel_type = wk_ct;
                        /*
-                         * TODO: could optimize this by leaving the
+                         * Leave the station vifs in awake mode if they
-                         *       station vifs in awake mode if they
+                         * happen to be on the same channel as
-                         *       happen to be on the same channel as
+                         * the requested channel.
-                         *       the requested channel
                         */
-                        ieee80211_offchannel_stop_beaconing(local);
+                        on_oper_chan2 = ieee80211_cfg_on_oper_channel(local);
-                        ieee80211_offchannel_stop_station(local);
+                        if (on_oper_chan != on_oper_chan2) {
+                                if (on_oper_chan2) {
+                                        /* going off oper channel, PS too */
+                                        ieee80211_offchannel_stop_vifs(local,
+                                                                       true);
+                                        ieee80211_hw_config(local, 0);
+                                } else {
+                                        /* going on channel, but leave PS
+                                         * off-channel. */
+                                        ieee80211_hw_config(local, 0);
+                                        ieee80211_offchannel_return(local,
+                                                                    true,
+                                                                    false);
+                                }
+                        } else if (tmp_chan_changed)
+                                /* Still off-channel, but on some other
+                                 * channel, so update hardware.
+                                 * PS should already be off-channel.
+                                 */
+                                ieee80211_hw_config(local, 0);
-                        local->tmp_channel = wk->chan;
-                        local->tmp_channel_type = wk->chan_type;
-                        ieee80211_hw_config(local, 0);
                        started = true;
                        wk->timeout = jiffies;
                }
@@ -1005,15 +1060,34 @@ static void ieee80211_work_work(struct work_struct *work)
                        continue;
                if (wk->chan != local->tmp_channel)
                        continue;
-                if (wk->chan_type != local->tmp_channel_type)
+                if (ieee80211_work_ct_coexists(wk->chan_type,
+                                               local->tmp_channel_type))
                        continue;
                remain_off_channel = true;
        }
        if (!remain_off_channel && local->tmp_channel) {
+                bool on_oper_chan = ieee80211_cfg_on_oper_channel(local);
                local->tmp_channel = NULL;
-                ieee80211_hw_config(local, 0);
+                /* If tmp_channel wasn't operating channel, then
-                ieee80211_offchannel_return(local, true);
+                 * we need to go back on-channel.
+                 * NOTE:  If we can ever be here while scannning,
+                 * or if the hw_config() channel config logic changes,
+                 * then we may need to do a more thorough check to see if
+                 * we still need to do a hardware config.  Currently,
+                 * we cannot be here while scanning, however.
+                 */
+                if (ieee80211_cfg_on_oper_channel(local) && !on_oper_chan)
+                        ieee80211_hw_config(local, 0);
+                /* At the least, we need to disable offchannel_ps,
+                 * so just go ahead and run the entire offchannel
+                 * return logic here.  We *could* skip enabling
+                 * beaconing if we were already on-oper-channel
+                 * as a future optimization.
+                 */
+                ieee80211_offchannel_return(local, true, true);
                /* give connection some time to breathe */
                run_again(local, jiffies + HZ/2);
        }
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index bee230d8fd11..9dc3b5f26e80 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -26,13 +26,12 @@
 ieee80211_tx_result
 ieee80211_tx_h_michael_mic_add(struct ieee80211_tx_data *tx)
 {
-        u8 *data, *key, *mic, key_offset;
+        u8 *data, *key, *mic;
        size_t data_len;
        unsigned int hdrlen;
        struct ieee80211_hdr *hdr;
        struct sk_buff *skb = tx->skb;
        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
-        int authenticator;
        int tail;
        hdr = (struct ieee80211_hdr *)skb->data;
@@ -47,6 +46,11 @@ ieee80211_tx_h_michael_mic_add(struct ieee80211_tx_data *tx)
        data = skb->data + hdrlen;
        data_len = skb->len - hdrlen;
+        if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE)) {
+                /* Need to use software crypto for the test */
+                info->control.hw_key = NULL;
+        }
        if (info->control.hw_key &&
            !(tx->flags & IEEE80211_TX_FRAGMENTED) &&
            !(tx->key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC)) {
@@ -62,17 +66,11 @@ ieee80211_tx_h_michael_mic_add(struct ieee80211_tx_data *tx)
                    skb_headroom(skb) < TKIP_IV_LEN))
                return TX_DROP;
-#if 0
+        key = &tx->key->conf.key[NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY];
-        authenticator = fc & IEEE80211_FCTL_FROMDS; /* FIX */
-#else
-        authenticator = 1;
-#endif
-        key_offset = authenticator ?
-                NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY :
-                NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY;
-        key = &tx->key->conf.key[key_offset];
        mic = skb_put(skb, MICHAEL_MIC_LEN);
        michael_mic(key, hdr, data, data_len, mic);
+        if (unlikely(info->flags & IEEE80211_TX_INTFL_TKIP_MIC_FAILURE))
+                mic[0]++;
        return TX_CONTINUE;
 }
@@ -81,59 +79,84 @@ ieee80211_tx_h_michael_mic_add(struct ieee80211_tx_data *tx)
 ieee80211_rx_result
 ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
 {
-        u8 *data, *key = NULL, key_offset;
+        u8 *data, *key = NULL;
        size_t data_len;
        unsigned int hdrlen;
        u8 mic[MICHAEL_MIC_LEN];
        struct sk_buff *skb = rx->skb;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
-        int authenticator = 1, wpa_test = 0;
-        /* No way to verify the MIC if the hardware stripped it */
+        /*
-        if (status->flag & RX_FLAG_MMIC_STRIPPED)
+         * it makes no sense to check for MIC errors on anything other
+         * than data frames.
+         */
+        if (!ieee80211_is_data_present(hdr->frame_control))
                return RX_CONTINUE;
+        /*
+         * No way to verify the MIC if the hardware stripped it or
+         * the IV with the key index. In this case we have solely rely
+         * on the driver to set RX_FLAG_MMIC_ERROR in the event of a
+         * MIC failure report.
+         */
+        if (status->flag & (RX_FLAG_MMIC_STRIPPED | RX_FLAG_IV_STRIPPED)) {
+                if (status->flag & RX_FLAG_MMIC_ERROR)
+                        goto mic_fail;
+                if (!(status->flag & RX_FLAG_IV_STRIPPED))
+                        goto update_iv;
+                return RX_CONTINUE;
+        }
+        /*
+         * Some hardware seems to generate Michael MIC failure reports; even
+         * though, the frame was not encrypted with TKIP and therefore has no
+         * MIC. Ignore the flag them to avoid triggering countermeasures.
+         */
        if (!rx->key || rx->key->conf.cipher != WLAN_CIPHER_SUITE_TKIP ||
-            !ieee80211_has_protected(hdr->frame_control) ||
+            !(status->flag & RX_FLAG_DECRYPTED))
-            !ieee80211_is_data_present(hdr->frame_control))
                return RX_CONTINUE;
+        if (rx->sdata->vif.type == NL80211_IFTYPE_AP && rx->key->conf.keyidx) {
+                /*
+                 * APs with pairwise keys should never receive Michael MIC
+                 * errors for non-zero keyidx because these are reserved for
+                 * group keys and only the AP is sending real multicast
+                 * frames in the BSS. (
+                 */
+                return RX_DROP_UNUSABLE;
+        }
+        if (status->flag & RX_FLAG_MMIC_ERROR)
+                goto mic_fail;
        hdrlen = ieee80211_hdrlen(hdr->frame_control);
        if (skb->len < hdrlen + MICHAEL_MIC_LEN)
                return RX_DROP_UNUSABLE;
        data = skb->data + hdrlen;
        data_len = skb->len - hdrlen - MICHAEL_MIC_LEN;
+        key = &rx->key->conf.key[NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY];
-#if 0
-        authenticator = fc & IEEE80211_FCTL_TODS; /* FIX */
-#else
-        authenticator = 1;
-#endif
-        key_offset = authenticator ?
-                NL80211_TKIP_DATA_OFFSET_RX_MIC_KEY :
-                NL80211_TKIP_DATA_OFFSET_TX_MIC_KEY;
-        key = &rx->key->conf.key[key_offset];
        michael_mic(key, hdr, data, data_len, mic);
-        if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0 || wpa_test) {
+        if (memcmp(mic, data + data_len, MICHAEL_MIC_LEN) != 0)
-                if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
+                goto mic_fail;
-                        return RX_DROP_UNUSABLE;
-                mac80211_ev_michael_mic_failure(rx->sdata, rx->key->conf.keyidx,
-                                                (void *) skb->data, NULL,
-                                                GFP_ATOMIC);
-                return RX_DROP_UNUSABLE;
-        }
        /* remove Michael MIC from payload */
        skb_trim(skb, skb->len - MICHAEL_MIC_LEN);
+update_iv:
        /* update IV in key information to be able to detect replays */
        rx->key->u.tkip.rx[rx->queue].iv32 = rx->tkip_iv32;
        rx->key->u.tkip.rx[rx->queue].iv16 = rx->tkip_iv16;
        return RX_CONTINUE;
+mic_fail:
+        mac80211_ev_michael_mic_failure(rx->sdata, rx->key->conf.keyidx,
+                                        (void *) skb->data, NULL, GFP_ATOMIC);
+        return RX_DROP_UNUSABLE;
 }
@@ -208,7 +231,7 @@ ieee80211_rx_result
 ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
 {
        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) rx->skb->data;
-        int hdrlen, res, hwaccel = 0, wpa_test = 0;
+        int hdrlen, res, hwaccel = 0;
        struct ieee80211_key *key = rx->key;
        struct sk_buff *skb = rx->skb;
        struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
@@ -235,7 +258,7 @@ ieee80211_crypto_tkip_decrypt(struct ieee80211_rx_data *rx)
                                          hdr->addr1, hwaccel, rx->queue,
                                          &rx->tkip_iv32,
                                          &rx->tkip_iv16);
-        if (res != TKIP_DECRYPT_OK || wpa_test)
+        if (res != TKIP_DECRYPT_OK)
                return RX_DROP_UNUSABLE;
        /* Trim ICV */
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 1534f2b44caf..32bff6d86cb2 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -85,6 +85,17 @@ config NF_CONNTRACK_EVENTS
          If unsure, say `N'.
+config NF_CONNTRACK_TIMESTAMP
+        bool  'Connection tracking timestamping'
+        depends on NETFILTER_ADVANCED
+        help
+          This option enables support for connection tracking timestamping.
+          This allows you to store the flow start-time and to obtain
+          the flow-stop time (once it has been destroyed) via Connection
+          tracking events.
+          If unsure, say `N'.
 config NF_CT_PROTO_DCCP
        tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
        depends on EXPERIMENTAL
@@ -185,9 +196,13 @@ config NF_CONNTRACK_IRC
          To compile it as a module, choose M here.  If unsure, say N.
+config NF_CONNTRACK_BROADCAST
+        tristate
 config NF_CONNTRACK_NETBIOS_NS
        tristate "NetBIOS name service protocol support"
        depends on NETFILTER_ADVANCED
+        select NF_CONNTRACK_BROADCAST
        help
          NetBIOS name service requests are sent as broadcast messages from an
          unprivileged port and responded to with unicast messages to the
@@ -204,6 +219,21 @@ config NF_CONNTRACK_NETBIOS_NS
          To compile it as a module, choose M here.  If unsure, say N.
+config NF_CONNTRACK_SNMP
+        tristate "SNMP service protocol support"
+        depends on NETFILTER_ADVANCED
+        select NF_CONNTRACK_BROADCAST
+        help
+          SNMP service requests are sent as broadcast messages from an
+          unprivileged port and responded to with unicast messages to the
+          same port. This make them hard to firewall properly because connection
+          tracking doesn't deal with broadcasts. This helper tracks locally
+          originating SNMP service requests and the corresponding
+          responses. It relies on correct IP address configuration, specifically
+          netmask and broadcast address.
+          To compile it as a module, choose M here.  If unsure, say N.
 config NF_CONNTRACK_PPTP
        tristate "PPtP protocol support"
        depends on NETFILTER_ADVANCED
@@ -322,10 +352,32 @@ config NETFILTER_XT_CONNMARK
        ctmark), similarly to the packet mark (nfmark). Using this
        target and match, you can set and match on this mark.
+config NETFILTER_XT_SET
+        tristate 'set target and match support'
+        depends on IP_SET
+        depends on NETFILTER_ADVANCED
+        help
+          This option adds the "SET" target and "set" match.
+          Using this target and match, you can add/delete and match
+          elements in the sets created by ipset(8).
+          To compile it as a module, choose M here.  If unsure, say N.
 # alphabetically ordered list of targets
 comment "Xtables targets"
+config NETFILTER_XT_TARGET_AUDIT
+        tristate "AUDIT target support"
+        depends on AUDIT
+        depends on NETFILTER_ADVANCED
+        ---help---
+          This option adds a 'AUDIT' target, which can be used to create
+          audit records for packets dropped/accepted.
+          To compileit as a module, choose M here. If unsure, say N.
 config NETFILTER_XT_TARGET_CHECKSUM
        tristate "CHECKSUM target support"
        depends on IP_NF_MANGLE || IP6_NF_MANGLE
@@ -477,6 +529,7 @@ config NETFILTER_XT_TARGET_NFLOG
 config NETFILTER_XT_TARGET_NFQUEUE
        tristate '"NFQUEUE" target Support'
        depends on NETFILTER_ADVANCED
+        select NETFILTER_NETLINK_QUEUE
        help
          This target replaced the old obsolete QUEUE target.
@@ -596,6 +649,16 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP
 comment "Xtables matches"
+config NETFILTER_XT_MATCH_ADDRTYPE
+        tristate '"addrtype" address type match support'
+        depends on NETFILTER_ADVANCED
+        ---help---
+          This option allows you to match what routing thinks of an address,
+          eg. UNICAST, LOCAL, BROADCAST, ...
+          If you want to compile it as a module, say M here and read
+          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 config NETFILTER_XT_MATCH_CLUSTER
        tristate '"cluster" match support'
        depends on NF_CONNTRACK
@@ -685,6 +748,15 @@ config NETFILTER_XT_MATCH_DCCP
          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
+config NETFILTER_XT_MATCH_DEVGROUP
+        tristate '"devgroup" match support'
+        depends on NETFILTER_ADVANCED
+        help
+          This options adds a `devgroup' match, which allows to match on the
+          device group a network device is assigned to.
+          To compile it as a module, choose M here.  If unsure, say N.
 config NETFILTER_XT_MATCH_DSCP
        tristate '"dscp" and "tos" match support'
        depends on NETFILTER_ADVANCED
@@ -886,7 +958,7 @@ config NETFILTER_XT_MATCH_RATEEST
 config NETFILTER_XT_MATCH_REALM
        tristate  '"realm" match support'
        depends on NETFILTER_ADVANCED
-        select NET_CLS_ROUTE
+        select IP_ROUTE_CLASSID
        help
          This option adds a `realm' match, which allows you to use the realm
          key from the routing subsystem inside iptables.
@@ -1011,4 +1083,6 @@ endif # NETFILTER_XTABLES
 endmenu
+source "net/netfilter/ipset/Kconfig"
 source "net/netfilter/ipvs/Kconfig"
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 441050f31111..1a02853df863 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -1,6 +1,7 @@
 netfilter-objs := core.o nf_log.o nf_queue.o nf_sockopt.o
 nf_conntrack-y  := nf_conntrack_core.o nf_conntrack_standalone.o nf_conntrack_expect.o nf_conntrack_helper.o nf_conntrack_proto.o nf_conntrack_l3proto_generic.o nf_conntrack_proto_generic.o nf_conntrack_proto_tcp.o nf_conntrack_proto_udp.o nf_conntrack_extend.o nf_conntrack_acct.o
+nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMESTAMP) += nf_conntrack_timestamp.o
 nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
 obj-$(CONFIG_NETFILTER) = netfilter.o
@@ -28,7 +29,9 @@ obj-$(CONFIG_NF_CONNTRACK_AMANDA) += nf_conntrack_amanda.o
 obj-$(CONFIG_NF_CONNTRACK_FTP) += nf_conntrack_ftp.o
 obj-$(CONFIG_NF_CONNTRACK_H323) += nf_conntrack_h323.o
 obj-$(CONFIG_NF_CONNTRACK_IRC) += nf_conntrack_irc.o
+obj-$(CONFIG_NF_CONNTRACK_BROADCAST) += nf_conntrack_broadcast.o
 obj-$(CONFIG_NF_CONNTRACK_NETBIOS_NS) += nf_conntrack_netbios_ns.o
+obj-$(CONFIG_NF_CONNTRACK_SNMP) += nf_conntrack_snmp.o
 obj-$(CONFIG_NF_CONNTRACK_PPTP) += nf_conntrack_pptp.o
 obj-$(CONFIG_NF_CONNTRACK_SANE) += nf_conntrack_sane.o
 obj-$(CONFIG_NF_CONNTRACK_SIP) += nf_conntrack_sip.o
@@ -43,8 +46,10 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
 # combos
 obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
 obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o
+obj-$(CONFIG_NETFILTER_XT_SET) += xt_set.o
 # targets
+obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) += xt_AUDIT.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CHECKSUM) += xt_CHECKSUM.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
@@ -65,6 +70,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_IDLETIMER) += xt_IDLETIMER.o
 # matches
+obj-$(CONFIG_NETFILTER_XT_MATCH_ADDRTYPE) += xt_addrtype.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
@@ -72,6 +78,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
@@ -101,5 +108,8 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o
+# ipset
+obj-$(CONFIG_IP_SET) += ipset/
 # IPVS
 obj-$(CONFIG_IP_VS) += ipvs/
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 4aa614b8a96a..899b71c0ff5d 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -176,13 +176,21 @@ next_hook:
                ret = 1;
        } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
                kfree_skb(skb);
-                ret = -(verdict >> NF_VERDICT_BITS);
+                ret = NF_DROP_GETERR(verdict);
                if (ret == 0)
                        ret = -EPERM;
        } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
-                if (!nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
+                ret = nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
-                              verdict >> NF_VERDICT_BITS))
+                               verdict >> NF_VERDICT_QBITS);
-                        goto next_hook;
+                if (ret < 0) {
+                        if (ret == -ECANCELED)
+                                goto next_hook;
+                        if (ret == -ESRCH &&
+                           (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
+                                goto next_hook;
+                        kfree_skb(skb);
+                }
+                ret = 0;
        }
        rcu_read_unlock();
        return ret;
@@ -215,7 +223,7 @@ EXPORT_SYMBOL(skb_make_writable);
 /* This does not belong here, but locally generated errors need it if connection
   tracking in use: without this, connection may not be in hash table, and hence
   manufactured ICMP or RST packets will not be associated with it. */
-void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *);
+void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *) __rcu __read_mostly;
 EXPORT_SYMBOL(ip_ct_attach);
 void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb)
@@ -232,7 +240,7 @@ void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb)
 }
 EXPORT_SYMBOL(nf_ct_attach);
-void (*nf_ct_destroy)(struct nf_conntrack *);
+void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly;
 EXPORT_SYMBOL(nf_ct_destroy);
 void nf_conntrack_destroy(struct nf_conntrack *nfct)
diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset/Kconfig
new file mode 100644
index 000000000000..2c5b348eb3a8
--- /dev/null
+++ b/net/netfilter/ipset/Kconfig
@@ -0,0 +1,122 @@
+menuconfig IP_SET
+        tristate "IP set support"
+        depends on INET && NETFILTER
+        depends on NETFILTER_NETLINK
+        help
+          This option adds IP set support to the kernel.
+          In order to define and use the sets, you need the userspace utility
+          ipset(8). You can use the sets in netfilter via the "set" match
+          and "SET" target.
+          To compile it as a module, choose M here.  If unsure, say N.
+if IP_SET
+config IP_SET_MAX
+        int "Maximum number of IP sets"
+        default 256
+        range 2 65534
+        depends on IP_SET
+        help
+          You can define here default value of the maximum number 
+          of IP sets for the kernel.
+          The value can be overriden by the 'max_sets' module
+          parameter of the 'ip_set' module.
+config IP_SET_BITMAP_IP
+        tristate "bitmap:ip set support"
+        depends on IP_SET
+        help
+          This option adds the bitmap:ip set type support, by which one
+          can store IPv4 addresses (or network addresse) from a range.
+          To compile it as a module, choose M here.  If unsure, say N.
+config IP_SET_BITMAP_IPMAC
+        tristate "bitmap:ip,mac set support"
+        depends on IP_SET
+        help
+          This option adds the bitmap:ip,mac set type support, by which one
+          can store IPv4 address and (source) MAC address pairs from a range.
+          To compile it as a module, choose M here.  If unsure, say N.
+config IP_SET_BITMAP_PORT
+        tristate "bitmap:port set support"
+        depends on IP_SET
+        help
+          This option adds the bitmap:port set type support, by which one
+          can store TCP/UDP port numbers from a range.
+          To compile it as a module, choose M here.  If unsure, say N.
+config IP_SET_HASH_IP
+        tristate "hash:ip set support"
+        depends on IP_SET
+        help
+          This option adds the hash:ip set type support, by which one
+          can store arbitrary IPv4 or IPv6 addresses (or network addresses)
+          in a set.
+          To compile it as a module, choose M here.  If unsure, say N.
+config IP_SET_HASH_IPPORT
+        tristate "hash:ip,port set support"
+        depends on IP_SET
+        help
+          This option adds the hash:ip,port set type support, by which one
+          can store IPv4/IPv6 address and protocol/port pairs.
+          To compile it as a module, choose M here.  If unsure, say N.
+config IP_SET_HASH_IPPORTIP
+        tristate "hash:ip,port,ip set support"
+        depends on IP_SET
+        help
+          This option adds the hash:ip,port,ip set type support, by which
+          one can store IPv4/IPv6 address, protocol/port, and IPv4/IPv6
+          address triples in a set.
+          To compile it as a module, choose M here.  If unsure, say N.
+config IP_SET_HASH_IPPORTNET
+        tristate "hash:ip,port,net set support"
+        depends on IP_SET
+        help
+          This option adds the hash:ip,port,net set type support, by which
+          one can store IPv4/IPv6 address, protocol/port, and IPv4/IPv6
+          network address/prefix triples in a set.
+          To compile it as a module, choose M here.  If unsure, say N.
+config IP_SET_HASH_NET
+        tristate "hash:net set support"
+        depends on IP_SET
+        help
+          This option adds the hash:net set type support, by which
+          one can store IPv4/IPv6 network address/prefix elements in a set.
+          To compile it as a module, choose M here.  If unsure, say N.
+config IP_SET_HASH_NETPORT
+        tristate "hash:net,port set support"
+        depends on IP_SET
+        help
+          This option adds the hash:net,port set type support, by which
+          one can store IPv4/IPv6 network address/prefix and
+          protocol/port pairs as elements in a set.
+          To compile it as a module, choose M here.  If unsure, say N.
+config IP_SET_LIST_SET
+        tristate "list:set set support"
+        depends on IP_SET
+        help
+          This option adds the list:set set type support. In this
+          kind of set one can store the name of other sets and it forms
+          an ordered union of the member sets.
+          To compile it as a module, choose M here.  If unsure, say N.
+endif # IP_SET
diff --git a/net/netfilter/ipset/Makefile b/net/netfilter/ipset/Makefile
new file mode 100644
index 000000000000..5adbdab67bd2
--- /dev/null
+++ b/net/netfilter/ipset/Makefile
@@ -0,0 +1,24 @@
+#
+# Makefile for the ipset modules
+#
+ip_set-y := ip_set_core.o ip_set_getport.o pfxlen.o
+# ipset core
+obj-$(CONFIG_IP_SET) += ip_set.o
+# bitmap types
+obj-$(CONFIG_IP_SET_BITMAP_IP) += ip_set_bitmap_ip.o
+obj-$(CONFIG_IP_SET_BITMAP_IPMAC) += ip_set_bitmap_ipmac.o
+obj-$(CONFIG_IP_SET_BITMAP_PORT) += ip_set_bitmap_port.o
+# hash types
+obj-$(CONFIG_IP_SET_HASH_IP) += ip_set_hash_ip.o
+obj-$(CONFIG_IP_SET_HASH_IPPORT) += ip_set_hash_ipport.o
+obj-$(CONFIG_IP_SET_HASH_IPPORTIP) += ip_set_hash_ipportip.o
+obj-$(CONFIG_IP_SET_HASH_IPPORTNET) += ip_set_hash_ipportnet.o
+obj-$(CONFIG_IP_SET_HASH_NET) += ip_set_hash_net.o
+obj-$(CONFIG_IP_SET_HASH_NETPORT) += ip_set_hash_netport.o
+# list types
+obj-$(CONFIG_IP_SET_LIST_SET) += ip_set_list_set.o
diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
new file mode 100644
index 000000000000..a113ff066928
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -0,0 +1,586 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Kernel module implementing an IP set type: the bitmap:ip type */
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/errno.h>
+#include <linux/bitops.h>
+#include <linux/spinlock.h>
+#include <linux/netlink.h>
+#include <linux/jiffies.h>
+#include <linux/timer.h>
+#include <net/netlink.h>
+#include <net/tcp.h>
+#include <linux/netfilter/ipset/pfxlen.h>
+#include <linux/netfilter/ipset/ip_set.h>
+#include <linux/netfilter/ipset/ip_set_bitmap.h>
+#define IP_SET_BITMAP_TIMEOUT
+#include <linux/netfilter/ipset/ip_set_timeout.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("bitmap:ip type of IP sets");
+MODULE_ALIAS("ip_set_bitmap:ip");
+/* Type structure */
+struct bitmap_ip {
+        void *members;          /* the set members */
+        u32 first_ip;           /* host byte order, included in range */
+        u32 last_ip;            /* host byte order, included in range */
+        u32 elements;           /* number of max elements in the set */
+        u32 hosts;              /* number of hosts in a subnet */
+        size_t memsize;         /* members size */
+        u8 netmask;             /* subnet netmask */
+        u32 timeout;            /* timeout parameter */
+        struct timer_list gc;   /* garbage collection */
+};
+/* Base variant */
+static inline u32
+ip_to_id(const struct bitmap_ip *m, u32 ip)
+{
+        return ((ip & ip_set_hostmask(m->netmask)) - m->first_ip)/m->hosts;
+}
+static int
+bitmap_ip_test(struct ip_set *set, void *value, u32 timeout)
+{
+        const struct bitmap_ip *map = set->data;
+        u16 id = *(u16 *)value;
+        return !!test_bit(id, map->members);
+}
+static int
+bitmap_ip_add(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_ip *map = set->data;
+        u16 id = *(u16 *)value;
+        if (test_and_set_bit(id, map->members))
+                return -IPSET_ERR_EXIST;
+        return 0;
+}
+static int
+bitmap_ip_del(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_ip *map = set->data;
+        u16 id = *(u16 *)value;
+        if (!test_and_clear_bit(id, map->members))
+                return -IPSET_ERR_EXIST;
+        return 0;
+}
+static int
+bitmap_ip_list(const struct ip_set *set,
+               struct sk_buff *skb, struct netlink_callback *cb)
+{
+        const struct bitmap_ip *map = set->data;
+        struct nlattr *atd, *nested;
+        u32 id, first = cb->args[2];
+        atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
+        if (!atd)
+                return -EMSGSIZE;
+        for (; cb->args[2] < map->elements; cb->args[2]++) {
+                id = cb->args[2];
+                if (!test_bit(id, map->members))
+                        continue;
+                nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+                if (!nested) {
+                        if (id == first) {
+                                nla_nest_cancel(skb, atd);
+                                return -EMSGSIZE;
+                        } else
+                                goto nla_put_failure;
+                }
+                NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
+                                htonl(map->first_ip + id * map->hosts));
+                ipset_nest_end(skb, nested);
+        }
+        ipset_nest_end(skb, atd);
+        /* Set listing finished */
+        cb->args[2] = 0;
+        return 0;
+nla_put_failure:
+        nla_nest_cancel(skb, nested);
+        ipset_nest_end(skb, atd);
+        if (unlikely(id == first)) {
+                cb->args[2] = 0;
+                return -EMSGSIZE;
+        }
+        return 0;
+}
+/* Timeout variant */
+static int
+bitmap_ip_ttest(struct ip_set *set, void *value, u32 timeout)
+{
+        const struct bitmap_ip *map = set->data;
+        const unsigned long *members = map->members;
+        u16 id = *(u16 *)value;
+        return ip_set_timeout_test(members[id]);
+}
+static int
+bitmap_ip_tadd(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_ip *map = set->data;
+        unsigned long *members = map->members;
+        u16 id = *(u16 *)value;
+        if (ip_set_timeout_test(members[id]))
+                return -IPSET_ERR_EXIST;
+        members[id] = ip_set_timeout_set(timeout);
+        return 0;
+}
+static int
+bitmap_ip_tdel(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_ip *map = set->data;
+        unsigned long *members = map->members;
+        u16 id = *(u16 *)value;
+        int ret = -IPSET_ERR_EXIST;
+        if (ip_set_timeout_test(members[id]))
+                ret = 0;
+        members[id] = IPSET_ELEM_UNSET;
+        return ret;
+}
+static int
+bitmap_ip_tlist(const struct ip_set *set,
+                struct sk_buff *skb, struct netlink_callback *cb)
+{
+        const struct bitmap_ip *map = set->data;
+        struct nlattr *adt, *nested;
+        u32 id, first = cb->args[2];
+        const unsigned long *members = map->members;
+        adt = ipset_nest_start(skb, IPSET_ATTR_ADT);
+        if (!adt)
+                return -EMSGSIZE;
+        for (; cb->args[2] < map->elements; cb->args[2]++) {
+                id = cb->args[2];
+                if (!ip_set_timeout_test(members[id]))
+                        continue;
+                nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+                if (!nested) {
+                        if (id == first) {
+                                nla_nest_cancel(skb, adt);
+                                return -EMSGSIZE;
+                        } else
+                                goto nla_put_failure;
+                }
+                NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
+                                htonl(map->first_ip + id * map->hosts));
+                NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                              htonl(ip_set_timeout_get(members[id])));
+                ipset_nest_end(skb, nested);
+        }
+        ipset_nest_end(skb, adt);
+        /* Set listing finished */
+        cb->args[2] = 0;
+        return 0;
+nla_put_failure:
+        nla_nest_cancel(skb, nested);
+        ipset_nest_end(skb, adt);
+        if (unlikely(id == first)) {
+                cb->args[2] = 0;
+                return -EMSGSIZE;
+        }
+        return 0;
+}
+static int
+bitmap_ip_kadt(struct ip_set *set, const struct sk_buff *skb,
+               enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        struct bitmap_ip *map = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        u32 ip;
+        ip = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
+        if (ip < map->first_ip || ip > map->last_ip)
+                return -IPSET_ERR_BITMAP_RANGE;
+        ip = ip_to_id(map, ip);
+        return adtfn(set, &ip, map->timeout);
+}
+static int
+bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
+               enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        struct bitmap_ip *map = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        u32 timeout = map->timeout;
+        u32 ip, ip_to, id;
+        int ret = 0;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
+        if (ret)
+                return ret;
+        if (ip < map->first_ip || ip > map->last_ip)
+                return -IPSET_ERR_BITMAP_RANGE;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(map->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        if (adt == IPSET_TEST) {
+                id = ip_to_id(map, ip);
+                return adtfn(set, &id, timeout);
+        }
+        if (tb[IPSET_ATTR_IP_TO]) {
+                ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
+                if (ret)
+                        return ret;
+                if (ip > ip_to) {
+                        swap(ip, ip_to);
+                        if (ip < map->first_ip)
+                                return -IPSET_ERR_BITMAP_RANGE;
+                }
+        } else if (tb[IPSET_ATTR_CIDR]) {
+                u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+                if (cidr > 32)
+                        return -IPSET_ERR_INVALID_CIDR;
+                ip &= ip_set_hostmask(cidr);
+                ip_to = ip | ~ip_set_hostmask(cidr);
+        } else
+                ip_to = ip;
+        if (ip_to > map->last_ip)
+                return -IPSET_ERR_BITMAP_RANGE;
+        for (; !before(ip_to, ip); ip += map->hosts) {
+                id = ip_to_id(map, ip);
+                ret = adtfn(set, &id, timeout);;
+                if (ret && !ip_set_eexist(ret, flags))
+                        return ret;
+                else
+                        ret = 0;
+        }
+        return ret;
+}
+static void
+bitmap_ip_destroy(struct ip_set *set)
+{
+        struct bitmap_ip *map = set->data;
+        if (with_timeout(map->timeout))
+                del_timer_sync(&map->gc);
+        ip_set_free(map->members);
+        kfree(map);
+        set->data = NULL;
+}
+static void
+bitmap_ip_flush(struct ip_set *set)
+{
+        struct bitmap_ip *map = set->data;
+        memset(map->members, 0, map->memsize);
+}
+static int
+bitmap_ip_head(struct ip_set *set, struct sk_buff *skb)
+{
+        const struct bitmap_ip *map = set->data;
+        struct nlattr *nested;
+        nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+        if (!nested)
+                goto nla_put_failure;
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, htonl(map->first_ip));
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip));
+        if (map->netmask != 32)
+                NLA_PUT_U8(skb, IPSET_ATTR_NETMASK, map->netmask);
+        NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
+        NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
+                      htonl(sizeof(*map) + map->memsize));
+        if (with_timeout(map->timeout))
+                NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
+        ipset_nest_end(skb, nested);
+        return 0;
+nla_put_failure:
+        return -EMSGSIZE;
+}
+static bool
+bitmap_ip_same_set(const struct ip_set *a, const struct ip_set *b)
+{
+        const struct bitmap_ip *x = a->data;
+        const struct bitmap_ip *y = b->data;
+        return x->first_ip == y->first_ip &&
+               x->last_ip == y->last_ip &&
+               x->netmask == y->netmask &&
+               x->timeout == y->timeout;
+}
+static const struct ip_set_type_variant bitmap_ip = {
+        .kadt   = bitmap_ip_kadt,
+        .uadt   = bitmap_ip_uadt,
+        .adt    = {
+                [IPSET_ADD] = bitmap_ip_add,
+                [IPSET_DEL] = bitmap_ip_del,
+                [IPSET_TEST] = bitmap_ip_test,
+        },
+        .destroy = bitmap_ip_destroy,
+        .flush  = bitmap_ip_flush,
+        .head   = bitmap_ip_head,
+        .list   = bitmap_ip_list,
+        .same_set = bitmap_ip_same_set,
+};
+static const struct ip_set_type_variant bitmap_tip = {
+        .kadt   = bitmap_ip_kadt,
+        .uadt   = bitmap_ip_uadt,
+        .adt    = {
+                [IPSET_ADD] = bitmap_ip_tadd,
+                [IPSET_DEL] = bitmap_ip_tdel,
+                [IPSET_TEST] = bitmap_ip_ttest,
+        },
+        .destroy = bitmap_ip_destroy,
+        .flush  = bitmap_ip_flush,
+        .head   = bitmap_ip_head,
+        .list   = bitmap_ip_tlist,
+        .same_set = bitmap_ip_same_set,
+};
+static void
+bitmap_ip_gc(unsigned long ul_set)
+{
+        struct ip_set *set = (struct ip_set *) ul_set;
+        struct bitmap_ip *map = set->data;
+        unsigned long *table = map->members;
+        u32 id;
+        /* We run parallel with other readers (test element)
+         * but adding/deleting new entries is locked out */
+        read_lock_bh(&set->lock);
+        for (id = 0; id < map->elements; id++)
+                if (ip_set_timeout_expired(table[id]))
+                        table[id] = IPSET_ELEM_UNSET;
+        read_unlock_bh(&set->lock);
+        map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
+        add_timer(&map->gc);
+}
+static void
+bitmap_ip_gc_init(struct ip_set *set)
+{
+        struct bitmap_ip *map = set->data;
+        init_timer(&map->gc);
+        map->gc.data = (unsigned long) set;
+        map->gc.function = bitmap_ip_gc;
+        map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
+        add_timer(&map->gc);
+}
+/* Create bitmap:ip type of sets */
+static bool
+init_map_ip(struct ip_set *set, struct bitmap_ip *map,
+            u32 first_ip, u32 last_ip,
+            u32 elements, u32 hosts, u8 netmask)
+{
+        map->members = ip_set_alloc(map->memsize);
+        if (!map->members)
+                return false;
+        map->first_ip = first_ip;
+        map->last_ip = last_ip;
+        map->elements = elements;
+        map->hosts = hosts;
+        map->netmask = netmask;
+        map->timeout = IPSET_NO_TIMEOUT;
+        set->data = map;
+        set->family = AF_INET;
+        return true;
+}
+static int
+bitmap_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
+{
+        struct bitmap_ip *map;
+        u32 first_ip, last_ip, hosts, elements;
+        u8 netmask = 32;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &first_ip);
+        if (ret)
+                return ret;
+        if (tb[IPSET_ATTR_IP_TO]) {
+                ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &last_ip);
+                if (ret)
+                        return ret;
+                if (first_ip > last_ip) {
+                        u32 tmp = first_ip;
+                        first_ip = last_ip;
+                        last_ip = tmp;
+                }
+        } else if (tb[IPSET_ATTR_CIDR]) {
+                u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+                if (cidr >= 32)
+                        return -IPSET_ERR_INVALID_CIDR;
+                last_ip = first_ip | ~ip_set_hostmask(cidr);
+        } else
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_NETMASK]) {
+                netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
+                if (netmask > 32)
+                        return -IPSET_ERR_INVALID_NETMASK;
+                first_ip &= ip_set_hostmask(netmask);
+                last_ip |= ~ip_set_hostmask(netmask);
+        }
+        if (netmask == 32) {
+                hosts = 1;
+                elements = last_ip - first_ip + 1;
+        } else {
+                u8 mask_bits;
+                u32 mask;
+                mask = range_to_mask(first_ip, last_ip, &mask_bits);
+                if ((!mask && (first_ip || last_ip != 0xFFFFFFFF)) ||
+                    netmask <= mask_bits)
+                        return -IPSET_ERR_BITMAP_RANGE;
+                pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask);
+                hosts = 2 << (32 - netmask - 1);
+                elements = 2 << (netmask - mask_bits - 1);
+        }
+        if (elements > IPSET_BITMAP_MAX_RANGE + 1)
+                return -IPSET_ERR_BITMAP_RANGE_SIZE;
+        pr_debug("hosts %u, elements %u\n", hosts, elements);
+        map = kzalloc(sizeof(*map), GFP_KERNEL);
+        if (!map)
+                return -ENOMEM;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                map->memsize = elements * sizeof(unsigned long);
+                if (!init_map_ip(set, map, first_ip, last_ip,
+                                 elements, hosts, netmask)) {
+                        kfree(map);
+                        return -ENOMEM;
+                }
+                map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+                set->variant = &bitmap_tip;
+                bitmap_ip_gc_init(set);
+        } else {
+                map->memsize = bitmap_bytes(0, elements - 1);
+                if (!init_map_ip(set, map, first_ip, last_ip,
+                                 elements, hosts, netmask)) {
+                        kfree(map);
+                        return -ENOMEM;
+                }
+                set->variant = &bitmap_ip;
+        }
+        return 0;
+}
+static struct ip_set_type bitmap_ip_type __read_mostly = {
+        .name           = "bitmap:ip",
+        .protocol       = IPSET_PROTOCOL,
+        .features       = IPSET_TYPE_IP,
+        .dimension      = IPSET_DIM_ONE,
+        .family         = AF_INET,
+        .revision       = 0,
+        .create         = bitmap_ip_create,
+        .create_policy  = {
+                [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
+                [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
+                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
+                [IPSET_ATTR_NETMASK]    = { .type = NLA_U8  },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+        },
+        .adt_policy     = {
+                [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
+                [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
+                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+                [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
+        },
+        .me             = THIS_MODULE,
+};
+static int __init
+bitmap_ip_init(void)
+{
+        return ip_set_type_register(&bitmap_ip_type);
+}
+static void __exit
+bitmap_ip_fini(void)
+{
+        ip_set_type_unregister(&bitmap_ip_type);
+}
+module_init(bitmap_ip_init);
+module_exit(bitmap_ip_fini);
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
new file mode 100644
index 000000000000..a274300b6a56
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -0,0 +1,655 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Kernel module implementing an IP set type: the bitmap:ip,mac type */
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/etherdevice.h>
+#include <linux/skbuff.h>
+#include <linux/errno.h>
+#include <linux/if_ether.h>
+#include <linux/netlink.h>
+#include <linux/jiffies.h>
+#include <linux/timer.h>
+#include <net/netlink.h>
+#include <linux/netfilter/ipset/pfxlen.h>
+#include <linux/netfilter/ipset/ip_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
+#include <linux/netfilter/ipset/ip_set_bitmap.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("bitmap:ip,mac type of IP sets");
+MODULE_ALIAS("ip_set_bitmap:ip,mac");
+enum {
+        MAC_EMPTY,              /* element is not set */
+        MAC_FILLED,             /* element is set with MAC */
+        MAC_UNSET,              /* element is set, without MAC */
+};
+/* Type structure */
+struct bitmap_ipmac {
+        void *members;          /* the set members */
+        u32 first_ip;           /* host byte order, included in range */
+        u32 last_ip;            /* host byte order, included in range */
+        u32 timeout;            /* timeout value */
+        struct timer_list gc;   /* garbage collector */
+        size_t dsize;           /* size of element */
+};
+/* ADT structure for generic function args */
+struct ipmac {
+        u32 id;                 /* id in array */
+        unsigned char *ether;   /* ethernet address */
+};
+/* Member element without and with timeout */
+struct ipmac_elem {
+        unsigned char ether[ETH_ALEN];
+        unsigned char match;
+} __attribute__ ((aligned));
+struct ipmac_telem {
+        unsigned char ether[ETH_ALEN];
+        unsigned char match;
+        unsigned long timeout;
+} __attribute__ ((aligned));
+static inline void *
+bitmap_ipmac_elem(const struct bitmap_ipmac *map, u32 id)
+{
+        return (void *)((char *)map->members + id * map->dsize);
+}
+static inline bool
+bitmap_timeout(const struct bitmap_ipmac *map, u32 id)
+{
+        const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id);
+        return ip_set_timeout_test(elem->timeout);
+}
+static inline bool
+bitmap_expired(const struct bitmap_ipmac *map, u32 id)
+{
+        const struct ipmac_telem *elem = bitmap_ipmac_elem(map, id);
+        return ip_set_timeout_expired(elem->timeout);
+}
+static inline int
+bitmap_ipmac_exist(const struct ipmac_telem *elem)
+{
+        return elem->match == MAC_UNSET ||
+               (elem->match == MAC_FILLED &&
+                !ip_set_timeout_expired(elem->timeout));
+}
+/* Base variant */
+static int
+bitmap_ipmac_test(struct ip_set *set, void *value, u32 timeout)
+{
+        const struct bitmap_ipmac *map = set->data;
+        const struct ipmac *data = value;
+        const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
+        switch (elem->match) {
+        case MAC_UNSET:
+                /* Trigger kernel to fill out the ethernet address */
+                return -EAGAIN;
+        case MAC_FILLED:
+                return data->ether == NULL ||
+                       compare_ether_addr(data->ether, elem->ether) == 0;
+        }
+        return 0;
+}
+static int
+bitmap_ipmac_add(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_ipmac *map = set->data;
+        const struct ipmac *data = value;
+        struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
+        switch (elem->match) {
+        case MAC_UNSET:
+                if (!data->ether)
+                        /* Already added without ethernet address */
+                        return -IPSET_ERR_EXIST;
+                /* Fill the MAC address */
+                memcpy(elem->ether, data->ether, ETH_ALEN);
+                elem->match = MAC_FILLED;
+                break;
+        case MAC_FILLED:
+                return -IPSET_ERR_EXIST;
+        case MAC_EMPTY:
+                if (data->ether) {
+                        memcpy(elem->ether, data->ether, ETH_ALEN);
+                        elem->match = MAC_FILLED;
+                } else
+                        elem->match = MAC_UNSET;
+        }
+        return 0;
+}
+static int
+bitmap_ipmac_del(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_ipmac *map = set->data;
+        const struct ipmac *data = value;
+        struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
+        if (elem->match == MAC_EMPTY)
+                return -IPSET_ERR_EXIST;
+        elem->match = MAC_EMPTY;
+        return 0;
+}
+static int
+bitmap_ipmac_list(const struct ip_set *set,
+                  struct sk_buff *skb, struct netlink_callback *cb)
+{
+        const struct bitmap_ipmac *map = set->data;
+        const struct ipmac_elem *elem;
+        struct nlattr *atd, *nested;
+        u32 id, first = cb->args[2];
+        u32 last = map->last_ip - map->first_ip;
+        atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
+        if (!atd)
+                return -EMSGSIZE;
+        for (; cb->args[2] <= last; cb->args[2]++) {
+                id = cb->args[2];
+                elem = bitmap_ipmac_elem(map, id);
+                if (elem->match == MAC_EMPTY)
+                        continue;
+                nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+                if (!nested) {
+                        if (id == first) {
+                                nla_nest_cancel(skb, atd);
+                                return -EMSGSIZE;
+                        } else
+                                goto nla_put_failure;
+                }
+                NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
+                                htonl(map->first_ip + id));
+                if (elem->match == MAC_FILLED)
+                        NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
+                                elem->ether);
+                ipset_nest_end(skb, nested);
+        }
+        ipset_nest_end(skb, atd);
+        /* Set listing finished */
+        cb->args[2] = 0;
+        return 0;
+nla_put_failure:
+        nla_nest_cancel(skb, nested);
+        ipset_nest_end(skb, atd);
+        if (unlikely(id == first)) {
+                cb->args[2] = 0;
+                return -EMSGSIZE;
+        }
+        return 0;
+}
+/* Timeout variant */
+static int
+bitmap_ipmac_ttest(struct ip_set *set, void *value, u32 timeout)
+{
+        const struct bitmap_ipmac *map = set->data;
+        const struct ipmac *data = value;
+        const struct ipmac_elem *elem = bitmap_ipmac_elem(map, data->id);
+        switch (elem->match) {
+        case MAC_UNSET:
+                /* Trigger kernel to fill out the ethernet address */
+                return -EAGAIN;
+        case MAC_FILLED:
+                return (data->ether == NULL ||
+                        compare_ether_addr(data->ether, elem->ether) == 0) &&
+                       !bitmap_expired(map, data->id);
+        }
+        return 0;
+}
+static int
+bitmap_ipmac_tadd(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_ipmac *map = set->data;
+        const struct ipmac *data = value;
+        struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id);
+        switch (elem->match) {
+        case MAC_UNSET:
+                if (!data->ether)
+                        /* Already added without ethernet address */
+                        return -IPSET_ERR_EXIST;
+                /* Fill the MAC address and activate the timer */
+                memcpy(elem->ether, data->ether, ETH_ALEN);
+                elem->match = MAC_FILLED;
+                if (timeout == map->timeout)
+                        /* Timeout was not specified, get stored one */
+                        timeout = elem->timeout;
+                elem->timeout = ip_set_timeout_set(timeout);
+                break;
+        case MAC_FILLED:
+                if (!bitmap_expired(map, data->id))
+                        return -IPSET_ERR_EXIST;
+                /* Fall through */
+        case MAC_EMPTY:
+                if (data->ether) {
+                        memcpy(elem->ether, data->ether, ETH_ALEN);
+                        elem->match = MAC_FILLED;
+                } else
+                        elem->match = MAC_UNSET;
+                /* If MAC is unset yet, we store plain timeout value
+                 * because the timer is not activated yet
+                 * and we can reuse it later when MAC is filled out,
+                 * possibly by the kernel */
+                elem->timeout = data->ether ? ip_set_timeout_set(timeout)
+                                            : timeout;
+                break;
+        }
+        return 0;
+}
+static int
+bitmap_ipmac_tdel(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_ipmac *map = set->data;
+        const struct ipmac *data = value;
+        struct ipmac_telem *elem = bitmap_ipmac_elem(map, data->id);
+        if (elem->match == MAC_EMPTY || bitmap_expired(map, data->id))
+                return -IPSET_ERR_EXIST;
+        elem->match = MAC_EMPTY;
+        return 0;
+}
+static int
+bitmap_ipmac_tlist(const struct ip_set *set,
+                   struct sk_buff *skb, struct netlink_callback *cb)
+{
+        const struct bitmap_ipmac *map = set->data;
+        const struct ipmac_telem *elem;
+        struct nlattr *atd, *nested;
+        u32 id, first = cb->args[2];
+        u32 timeout, last = map->last_ip - map->first_ip;
+        atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
+        if (!atd)
+                return -EMSGSIZE;
+        for (; cb->args[2] <= last; cb->args[2]++) {
+                id = cb->args[2];
+                elem = bitmap_ipmac_elem(map, id);
+                if (!bitmap_ipmac_exist(elem))
+                        continue;
+                nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+                if (!nested) {
+                        if (id == first) {
+                                nla_nest_cancel(skb, atd);
+                                return -EMSGSIZE;
+                        } else
+                                goto nla_put_failure;
+                }
+                NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP,
+                                htonl(map->first_ip + id));
+                if (elem->match == MAC_FILLED)
+                        NLA_PUT(skb, IPSET_ATTR_ETHER, ETH_ALEN,
+                                elem->ether);
+                timeout = elem->match == MAC_UNSET ? elem->timeout
+                                : ip_set_timeout_get(elem->timeout);
+                NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(timeout));
+                ipset_nest_end(skb, nested);
+        }
+        ipset_nest_end(skb, atd);
+        /* Set listing finished */
+        cb->args[2] = 0;
+        return 0;
+nla_put_failure:
+        nla_nest_cancel(skb, nested);
+        ipset_nest_end(skb, atd);
+        return -EMSGSIZE;
+}
+static int
+bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
+                  enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        struct bitmap_ipmac *map = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct ipmac data;
+        /* MAC can be src only */
+        if (!(flags & IPSET_DIM_TWO_SRC))
+                return 0;
+        data.id = ntohl(ip4addr(skb, flags & IPSET_DIM_ONE_SRC));
+        if (data.id < map->first_ip || data.id > map->last_ip)
+                return -IPSET_ERR_BITMAP_RANGE;
+        /* Backward compatibility: we don't check the second flag */
+        if (skb_mac_header(skb) < skb->head ||
+            (skb_mac_header(skb) + ETH_HLEN) > skb->data)
+                return -EINVAL;
+        data.id -= map->first_ip;
+        data.ether = eth_hdr(skb)->h_source;
+        return adtfn(set, &data, map->timeout);
+}
+static int
+bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
+                  enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        const struct bitmap_ipmac *map = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct ipmac data;
+        u32 timeout = map->timeout;
+        int ret = 0;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &data.id);
+        if (ret)
+                return ret;
+        if (data.id < map->first_ip || data.id > map->last_ip)
+                return -IPSET_ERR_BITMAP_RANGE;
+        if (tb[IPSET_ATTR_ETHER])
+                data.ether = nla_data(tb[IPSET_ATTR_ETHER]);
+        else
+                data.ether = NULL;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(map->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        data.id -= map->first_ip;
+        ret = adtfn(set, &data, timeout);
+        return ip_set_eexist(ret, flags) ? 0 : ret;
+}
+static void
+bitmap_ipmac_destroy(struct ip_set *set)
+{
+        struct bitmap_ipmac *map = set->data;
+        if (with_timeout(map->timeout))
+                del_timer_sync(&map->gc);
+        ip_set_free(map->members);
+        kfree(map);
+        set->data = NULL;
+}
+static void
+bitmap_ipmac_flush(struct ip_set *set)
+{
+        struct bitmap_ipmac *map = set->data;
+        memset(map->members, 0,
+               (map->last_ip - map->first_ip + 1) * map->dsize);
+}
+static int
+bitmap_ipmac_head(struct ip_set *set, struct sk_buff *skb)
+{
+        const struct bitmap_ipmac *map = set->data;
+        struct nlattr *nested;
+        nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+        if (!nested)
+                goto nla_put_failure;
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, htonl(map->first_ip));
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP_TO, htonl(map->last_ip));
+        NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
+        NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
+                      htonl(sizeof(*map)
+                            + (map->last_ip - map->first_ip + 1) * map->dsize));
+        if (with_timeout(map->timeout))
+                NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
+        ipset_nest_end(skb, nested);
+        return 0;
+nla_put_failure:
+        return -EMSGSIZE;
+}
+static bool
+bitmap_ipmac_same_set(const struct ip_set *a, const struct ip_set *b)
+{
+        const struct bitmap_ipmac *x = a->data;
+        const struct bitmap_ipmac *y = b->data;
+        return x->first_ip == y->first_ip &&
+               x->last_ip == y->last_ip &&
+               x->timeout == y->timeout;
+}
+static const struct ip_set_type_variant bitmap_ipmac = {
+        .kadt   = bitmap_ipmac_kadt,
+        .uadt   = bitmap_ipmac_uadt,
+        .adt    = {
+                [IPSET_ADD] = bitmap_ipmac_add,
+                [IPSET_DEL] = bitmap_ipmac_del,
+                [IPSET_TEST] = bitmap_ipmac_test,
+        },
+        .destroy = bitmap_ipmac_destroy,
+        .flush  = bitmap_ipmac_flush,
+        .head   = bitmap_ipmac_head,
+        .list   = bitmap_ipmac_list,
+        .same_set = bitmap_ipmac_same_set,
+};
+static const struct ip_set_type_variant bitmap_tipmac = {
+        .kadt   = bitmap_ipmac_kadt,
+        .uadt   = bitmap_ipmac_uadt,
+        .adt    = {
+                [IPSET_ADD] = bitmap_ipmac_tadd,
+                [IPSET_DEL] = bitmap_ipmac_tdel,
+                [IPSET_TEST] = bitmap_ipmac_ttest,
+        },
+        .destroy = bitmap_ipmac_destroy,
+        .flush  = bitmap_ipmac_flush,
+        .head   = bitmap_ipmac_head,
+        .list   = bitmap_ipmac_tlist,
+        .same_set = bitmap_ipmac_same_set,
+};
+static void
+bitmap_ipmac_gc(unsigned long ul_set)
+{
+        struct ip_set *set = (struct ip_set *) ul_set;
+        struct bitmap_ipmac *map = set->data;
+        struct ipmac_telem *elem;
+        u32 id, last = map->last_ip - map->first_ip;
+        /* We run parallel with other readers (test element)
+         * but adding/deleting new entries is locked out */
+        read_lock_bh(&set->lock);
+        for (id = 0; id <= last; id++) {
+                elem = bitmap_ipmac_elem(map, id);
+                if (elem->match == MAC_FILLED &&
+                    ip_set_timeout_expired(elem->timeout))
+                        elem->match = MAC_EMPTY;
+        }
+        read_unlock_bh(&set->lock);
+        map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
+        add_timer(&map->gc);
+}
+static void
+bitmap_ipmac_gc_init(struct ip_set *set)
+{
+        struct bitmap_ipmac *map = set->data;
+        init_timer(&map->gc);
+        map->gc.data = (unsigned long) set;
+        map->gc.function = bitmap_ipmac_gc;
+        map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
+        add_timer(&map->gc);
+}
+/* Create bitmap:ip,mac type of sets */
+static bool
+init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
+               u32 first_ip, u32 last_ip)
+{
+        map->members = ip_set_alloc((last_ip - first_ip + 1) * map->dsize);
+        if (!map->members)
+                return false;
+        map->first_ip = first_ip;
+        map->last_ip = last_ip;
+        map->timeout = IPSET_NO_TIMEOUT;
+        set->data = map;
+        set->family = AF_INET;
+        return true;
+}
+static int
+bitmap_ipmac_create(struct ip_set *set, struct nlattr *tb[],
+                    u32 flags)
+{
+        u32 first_ip, last_ip, elements;
+        struct bitmap_ipmac *map;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &first_ip);
+        if (ret)
+                return ret;
+        if (tb[IPSET_ATTR_IP_TO]) {
+                ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &last_ip);
+                if (ret)
+                        return ret;
+                if (first_ip > last_ip) {
+                        u32 tmp = first_ip;
+                        first_ip = last_ip;
+                        last_ip = tmp;
+                }
+        } else if (tb[IPSET_ATTR_CIDR]) {
+                u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+                if (cidr >= 32)
+                        return -IPSET_ERR_INVALID_CIDR;
+                last_ip = first_ip | ~ip_set_hostmask(cidr);
+        } else
+                return -IPSET_ERR_PROTOCOL;
+        elements = last_ip - first_ip + 1;
+        if (elements > IPSET_BITMAP_MAX_RANGE + 1)
+                return -IPSET_ERR_BITMAP_RANGE_SIZE;
+        map = kzalloc(sizeof(*map), GFP_KERNEL);
+        if (!map)
+                return -ENOMEM;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                map->dsize = sizeof(struct ipmac_telem);
+                if (!init_map_ipmac(set, map, first_ip, last_ip)) {
+                        kfree(map);
+                        return -ENOMEM;
+                }
+                map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+                set->variant = &bitmap_tipmac;
+                bitmap_ipmac_gc_init(set);
+        } else {
+                map->dsize = sizeof(struct ipmac_elem);
+                if (!init_map_ipmac(set, map, first_ip, last_ip)) {
+                        kfree(map);
+                        return -ENOMEM;
+                }
+                set->variant = &bitmap_ipmac;
+        }
+        return 0;
+}
+static struct ip_set_type bitmap_ipmac_type = {
+        .name           = "bitmap:ip,mac",
+        .protocol       = IPSET_PROTOCOL,
+        .features       = IPSET_TYPE_IP | IPSET_TYPE_MAC,
+        .dimension      = IPSET_DIM_TWO,
+        .family         = AF_INET,
+        .revision       = 0,
+        .create         = bitmap_ipmac_create,
+        .create_policy  = {
+                [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
+                [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
+                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+        },
+        .adt_policy     = {
+                [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
+                [IPSET_ATTR_ETHER]      = { .type = NLA_BINARY, .len  = ETH_ALEN },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+                [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
+        },
+        .me             = THIS_MODULE,
+};
+static int __init
+bitmap_ipmac_init(void)
+{
+        return ip_set_type_register(&bitmap_ipmac_type);
+}
+static void __exit
+bitmap_ipmac_fini(void)
+{
+        ip_set_type_unregister(&bitmap_ipmac_type);
+}
+module_init(bitmap_ipmac_init);
+module_exit(bitmap_ipmac_fini);
diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c
new file mode 100644
index 000000000000..6b38eb8f6ed8
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_bitmap_port.c
@@ -0,0 +1,514 @@
+/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Kernel module implementing an IP set type: the bitmap:port type */
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/errno.h>
+#include <linux/netlink.h>
+#include <linux/jiffies.h>
+#include <linux/timer.h>
+#include <net/netlink.h>
+#include <linux/netfilter/ipset/ip_set.h>
+#include <linux/netfilter/ipset/ip_set_bitmap.h>
+#include <linux/netfilter/ipset/ip_set_getport.h>
+#define IP_SET_BITMAP_TIMEOUT
+#include <linux/netfilter/ipset/ip_set_timeout.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("bitmap:port type of IP sets");
+MODULE_ALIAS("ip_set_bitmap:port");
+/* Type structure */
+struct bitmap_port {
+        void *members;          /* the set members */
+        u16 first_port;         /* host byte order, included in range */
+        u16 last_port;          /* host byte order, included in range */
+        size_t memsize;         /* members size */
+        u32 timeout;            /* timeout parameter */
+        struct timer_list gc;   /* garbage collection */
+};
+/* Base variant */
+static int
+bitmap_port_test(struct ip_set *set, void *value, u32 timeout)
+{
+        const struct bitmap_port *map = set->data;
+        u16 id = *(u16 *)value;
+        return !!test_bit(id, map->members);
+}
+static int
+bitmap_port_add(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_port *map = set->data;
+        u16 id = *(u16 *)value;
+        if (test_and_set_bit(id, map->members))
+                return -IPSET_ERR_EXIST;
+        return 0;
+}
+static int
+bitmap_port_del(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_port *map = set->data;
+        u16 id = *(u16 *)value;
+        if (!test_and_clear_bit(id, map->members))
+                return -IPSET_ERR_EXIST;
+        return 0;
+}
+static int
+bitmap_port_list(const struct ip_set *set,
+                 struct sk_buff *skb, struct netlink_callback *cb)
+{
+        const struct bitmap_port *map = set->data;
+        struct nlattr *atd, *nested;
+        u16 id, first = cb->args[2];
+        u16 last = map->last_port - map->first_port;
+        atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
+        if (!atd)
+                return -EMSGSIZE;
+        for (; cb->args[2] <= last; cb->args[2]++) {
+                id = cb->args[2];
+                if (!test_bit(id, map->members))
+                        continue;
+                nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+                if (!nested) {
+                        if (id == first) {
+                                nla_nest_cancel(skb, atd);
+                                return -EMSGSIZE;
+                        } else
+                                goto nla_put_failure;
+                }
+                NLA_PUT_NET16(skb, IPSET_ATTR_PORT,
+                              htons(map->first_port + id));
+                ipset_nest_end(skb, nested);
+        }
+        ipset_nest_end(skb, atd);
+        /* Set listing finished */
+        cb->args[2] = 0;
+        return 0;
+nla_put_failure:
+        nla_nest_cancel(skb, nested);
+        ipset_nest_end(skb, atd);
+        if (unlikely(id == first)) {
+                cb->args[2] = 0;
+                return -EMSGSIZE;
+        }
+        return 0;
+}
+/* Timeout variant */
+static int
+bitmap_port_ttest(struct ip_set *set, void *value, u32 timeout)
+{
+        const struct bitmap_port *map = set->data;
+        const unsigned long *members = map->members;
+        u16 id = *(u16 *)value;
+        return ip_set_timeout_test(members[id]);
+}
+static int
+bitmap_port_tadd(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_port *map = set->data;
+        unsigned long *members = map->members;
+        u16 id = *(u16 *)value;
+        if (ip_set_timeout_test(members[id]))
+                return -IPSET_ERR_EXIST;
+        members[id] = ip_set_timeout_set(timeout);
+        return 0;
+}
+static int
+bitmap_port_tdel(struct ip_set *set, void *value, u32 timeout)
+{
+        struct bitmap_port *map = set->data;
+        unsigned long *members = map->members;
+        u16 id = *(u16 *)value;
+        int ret = -IPSET_ERR_EXIST;
+        if (ip_set_timeout_test(members[id]))
+                ret = 0;
+        members[id] = IPSET_ELEM_UNSET;
+        return ret;
+}
+static int
+bitmap_port_tlist(const struct ip_set *set,
+                  struct sk_buff *skb, struct netlink_callback *cb)
+{
+        const struct bitmap_port *map = set->data;
+        struct nlattr *adt, *nested;
+        u16 id, first = cb->args[2];
+        u16 last = map->last_port - map->first_port;
+        const unsigned long *members = map->members;
+        adt = ipset_nest_start(skb, IPSET_ATTR_ADT);
+        if (!adt)
+                return -EMSGSIZE;
+        for (; cb->args[2] <= last; cb->args[2]++) {
+                id = cb->args[2];
+                if (!ip_set_timeout_test(members[id]))
+                        continue;
+                nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+                if (!nested) {
+                        if (id == first) {
+                                nla_nest_cancel(skb, adt);
+                                return -EMSGSIZE;
+                        } else
+                                goto nla_put_failure;
+                }
+                NLA_PUT_NET16(skb, IPSET_ATTR_PORT,
+                              htons(map->first_port + id));
+                NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                              htonl(ip_set_timeout_get(members[id])));
+                ipset_nest_end(skb, nested);
+        }
+        ipset_nest_end(skb, adt);
+        /* Set listing finished */
+        cb->args[2] = 0;
+        return 0;
+nla_put_failure:
+        nla_nest_cancel(skb, nested);
+        ipset_nest_end(skb, adt);
+        if (unlikely(id == first)) {
+                cb->args[2] = 0;
+                return -EMSGSIZE;
+        }
+        return 0;
+}
+static int
+bitmap_port_kadt(struct ip_set *set, const struct sk_buff *skb,
+                 enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        struct bitmap_port *map = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        __be16 __port;
+        u16 port = 0;
+        if (!ip_set_get_ip_port(skb, pf, flags & IPSET_DIM_ONE_SRC, &__port))
+                return -EINVAL;
+        port = ntohs(__port);
+        if (port < map->first_port || port > map->last_port)
+                return -IPSET_ERR_BITMAP_RANGE;
+        port -= map->first_port;
+        return adtfn(set, &port, map->timeout);
+}
+static int
+bitmap_port_uadt(struct ip_set *set, struct nlattr *tb[],
+                 enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        struct bitmap_port *map = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        u32 timeout = map->timeout;
+        u32 port;       /* wraparound */
+        u16 id, port_to;
+        int ret = 0;
+        if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        port = ip_set_get_h16(tb[IPSET_ATTR_PORT]);
+        if (port < map->first_port || port > map->last_port)
+                return -IPSET_ERR_BITMAP_RANGE;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(map->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        if (adt == IPSET_TEST) {
+                id = port - map->first_port;
+                return adtfn(set, &id, timeout);
+        }
+        if (tb[IPSET_ATTR_PORT_TO]) {
+                port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
+                if (port > port_to) {
+                        swap(port, port_to);
+                        if (port < map->first_port)
+                                return -IPSET_ERR_BITMAP_RANGE;
+                }
+        } else
+                port_to = port;
+        if (port_to > map->last_port)
+                return -IPSET_ERR_BITMAP_RANGE;
+        for (; port <= port_to; port++) {
+                id = port - map->first_port;
+                ret = adtfn(set, &id, timeout);
+                if (ret && !ip_set_eexist(ret, flags))
+                        return ret;
+                else
+                        ret = 0;
+        }
+        return ret;
+}
+static void
+bitmap_port_destroy(struct ip_set *set)
+{
+        struct bitmap_port *map = set->data;
+        if (with_timeout(map->timeout))
+                del_timer_sync(&map->gc);
+        ip_set_free(map->members);
+        kfree(map);
+        set->data = NULL;
+}
+static void
+bitmap_port_flush(struct ip_set *set)
+{
+        struct bitmap_port *map = set->data;
+        memset(map->members, 0, map->memsize);
+}
+static int
+bitmap_port_head(struct ip_set *set, struct sk_buff *skb)
+{
+        const struct bitmap_port *map = set->data;
+        struct nlattr *nested;
+        nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+        if (!nested)
+                goto nla_put_failure;
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, htons(map->first_port));
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT_TO, htons(map->last_port));
+        NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
+        NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
+                      htonl(sizeof(*map) + map->memsize));
+        if (with_timeout(map->timeout))
+                NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
+        ipset_nest_end(skb, nested);
+        return 0;
+nla_put_failure:
+        return -EMSGSIZE;
+}
+static bool
+bitmap_port_same_set(const struct ip_set *a, const struct ip_set *b)
+{
+        const struct bitmap_port *x = a->data;
+        const struct bitmap_port *y = b->data;
+        return x->first_port == y->first_port &&
+               x->last_port == y->last_port &&
+               x->timeout == y->timeout;
+}
+static const struct ip_set_type_variant bitmap_port = {
+        .kadt   = bitmap_port_kadt,
+        .uadt   = bitmap_port_uadt,
+        .adt    = {
+                [IPSET_ADD] = bitmap_port_add,
+                [IPSET_DEL] = bitmap_port_del,
+                [IPSET_TEST] = bitmap_port_test,
+        },
+        .destroy = bitmap_port_destroy,
+        .flush  = bitmap_port_flush,
+        .head   = bitmap_port_head,
+        .list   = bitmap_port_list,
+        .same_set = bitmap_port_same_set,
+};
+static const struct ip_set_type_variant bitmap_tport = {
+        .kadt   = bitmap_port_kadt,
+        .uadt   = bitmap_port_uadt,
+        .adt    = {
+                [IPSET_ADD] = bitmap_port_tadd,
+                [IPSET_DEL] = bitmap_port_tdel,
+                [IPSET_TEST] = bitmap_port_ttest,
+        },
+        .destroy = bitmap_port_destroy,
+        .flush  = bitmap_port_flush,
+        .head   = bitmap_port_head,
+        .list   = bitmap_port_tlist,
+        .same_set = bitmap_port_same_set,
+};
+static void
+bitmap_port_gc(unsigned long ul_set)
+{
+        struct ip_set *set = (struct ip_set *) ul_set;
+        struct bitmap_port *map = set->data;
+        unsigned long *table = map->members;
+        u32 id; /* wraparound */
+        u16 last = map->last_port - map->first_port;
+        /* We run parallel with other readers (test element)
+         * but adding/deleting new entries is locked out */
+        read_lock_bh(&set->lock);
+        for (id = 0; id <= last; id++)
+                if (ip_set_timeout_expired(table[id]))
+                        table[id] = IPSET_ELEM_UNSET;
+        read_unlock_bh(&set->lock);
+        map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
+        add_timer(&map->gc);
+}
+static void
+bitmap_port_gc_init(struct ip_set *set)
+{
+        struct bitmap_port *map = set->data;
+        init_timer(&map->gc);
+        map->gc.data = (unsigned long) set;
+        map->gc.function = bitmap_port_gc;
+        map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
+        add_timer(&map->gc);
+}
+/* Create bitmap:ip type of sets */
+static bool
+init_map_port(struct ip_set *set, struct bitmap_port *map,
+              u16 first_port, u16 last_port)
+{
+        map->members = ip_set_alloc(map->memsize);
+        if (!map->members)
+                return false;
+        map->first_port = first_port;
+        map->last_port = last_port;
+        map->timeout = IPSET_NO_TIMEOUT;
+        set->data = map;
+        set->family = AF_UNSPEC;
+        return true;
+}
+static int
+bitmap_port_create(struct ip_set *set, struct nlattr *tb[],
+                 u32 flags)
+{
+        struct bitmap_port *map;
+        u16 first_port, last_port;
+        if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
+                     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT_TO) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        first_port = ip_set_get_h16(tb[IPSET_ATTR_PORT]);
+        last_port = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
+        if (first_port > last_port) {
+                u16 tmp = first_port;
+                first_port = last_port;
+                last_port = tmp;
+        }
+        map = kzalloc(sizeof(*map), GFP_KERNEL);
+        if (!map)
+                return -ENOMEM;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                map->memsize = (last_port - first_port + 1)
+                               * sizeof(unsigned long);
+                if (!init_map_port(set, map, first_port, last_port)) {
+                        kfree(map);
+                        return -ENOMEM;
+                }
+                map->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+                set->variant = &bitmap_tport;
+                bitmap_port_gc_init(set);
+        } else {
+                map->memsize = bitmap_bytes(0, last_port - first_port);
+                pr_debug("memsize: %zu\n", map->memsize);
+                if (!init_map_port(set, map, first_port, last_port)) {
+                        kfree(map);
+                        return -ENOMEM;
+                }
+                set->variant = &bitmap_port;
+        }
+        return 0;
+}
+static struct ip_set_type bitmap_port_type = {
+        .name           = "bitmap:port",
+        .protocol       = IPSET_PROTOCOL,
+        .features       = IPSET_TYPE_PORT,
+        .dimension      = IPSET_DIM_ONE,
+        .family         = AF_UNSPEC,
+        .revision       = 0,
+        .create         = bitmap_port_create,
+        .create_policy  = {
+                [IPSET_ATTR_PORT]       = { .type = NLA_U16 },
+                [IPSET_ATTR_PORT_TO]    = { .type = NLA_U16 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+        },
+        .adt_policy     = {
+                [IPSET_ATTR_PORT]       = { .type = NLA_U16 },
+                [IPSET_ATTR_PORT_TO]    = { .type = NLA_U16 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+                [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
+        },
+        .me             = THIS_MODULE,
+};
+static int __init
+bitmap_port_init(void)
+{
+        return ip_set_type_register(&bitmap_port_type);
+}
+static void __exit
+bitmap_port_fini(void)
+{
+        ip_set_type_unregister(&bitmap_port_type);
+}
+module_init(bitmap_port_init);
+module_exit(bitmap_port_fini);
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
new file mode 100644
index 000000000000..72d1ac611fdc
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -0,0 +1,1708 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Kernel module for IP set management */
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/moduleparam.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/spinlock.h>
+#include <linux/netlink.h>
+#include <linux/rculist.h>
+#include <linux/version.h>
+#include <net/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/ipset/ip_set.h>
+static LIST_HEAD(ip_set_type_list);             /* all registered set types */
+static DEFINE_MUTEX(ip_set_type_mutex);         /* protects ip_set_type_list */
+static DEFINE_RWLOCK(ip_set_ref_lock);          /* protects the set refs */
+static struct ip_set **ip_set_list;             /* all individual sets */
+static ip_set_id_t ip_set_max = CONFIG_IP_SET_MAX; /* max number of sets */
+#define STREQ(a, b)     (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
+static unsigned int max_sets;
+module_param(max_sets, int, 0600);
+MODULE_PARM_DESC(max_sets, "maximal number of sets");
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("core IP set support");
+MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_IPSET);
+/*
+ * The set types are implemented in modules and registered set types
+ * can be found in ip_set_type_list. Adding/deleting types is
+ * serialized by ip_set_type_mutex.
+ */
+static inline void
+ip_set_type_lock(void)
+{
+        mutex_lock(&ip_set_type_mutex);
+}
+static inline void
+ip_set_type_unlock(void)
+{
+        mutex_unlock(&ip_set_type_mutex);
+}
+/* Register and deregister settype */
+static struct ip_set_type *
+find_set_type(const char *name, u8 family, u8 revision)
+{
+        struct ip_set_type *type;
+        list_for_each_entry_rcu(type, &ip_set_type_list, list)
+                if (STREQ(type->name, name) &&
+                    (type->family == family || type->family == AF_UNSPEC) &&
+                    type->revision == revision)
+                        return type;
+        return NULL;
+}
+/* Unlock, try to load a set type module and lock again */
+static int
+try_to_load_type(const char *name)
+{
+        nfnl_unlock();
+        pr_debug("try to load ip_set_%s\n", name);
+        if (request_module("ip_set_%s", name) < 0) {
+                pr_warning("Can't find ip_set type %s\n", name);
+                nfnl_lock();
+                return -IPSET_ERR_FIND_TYPE;
+        }
+        nfnl_lock();
+        return -EAGAIN;
+}
+/* Find a set type and reference it */
+static int
+find_set_type_get(const char *name, u8 family, u8 revision,
+                  struct ip_set_type **found)
+{
+        struct ip_set_type *type;
+        int err;
+        rcu_read_lock();
+        *found = find_set_type(name, family, revision);
+        if (*found) {
+                err = !try_module_get((*found)->me) ? -EFAULT : 0;
+                goto unlock;
+        }
+        /* Make sure the type is loaded but we don't support the revision */
+        list_for_each_entry_rcu(type, &ip_set_type_list, list)
+                if (STREQ(type->name, name)) {
+                        err = -IPSET_ERR_FIND_TYPE;
+                        goto unlock;
+                }
+        rcu_read_unlock();
+        return try_to_load_type(name);
+unlock:
+        rcu_read_unlock();
+        return err;
+}
+/* Find a given set type by name and family.
+ * If we succeeded, the supported minimal and maximum revisions are
+ * filled out.
+ */
+static int
+find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max)
+{
+        struct ip_set_type *type;
+        bool found = false;
+        *min = 255; *max = 0;
+        rcu_read_lock();
+        list_for_each_entry_rcu(type, &ip_set_type_list, list)
+                if (STREQ(type->name, name) &&
+                    (type->family == family || type->family == AF_UNSPEC)) {
+                        found = true;
+                        if (type->revision < *min)
+                                *min = type->revision;
+                        if (type->revision > *max)
+                                *max = type->revision;
+                }
+        rcu_read_unlock();
+        if (found)
+                return 0;
+        return try_to_load_type(name);
+}
+#define family_name(f)  ((f) == AF_INET ? "inet" : \
+                         (f) == AF_INET6 ? "inet6" : "any")
+/* Register a set type structure. The type is identified by
+ * the unique triple of name, family and revision.
+ */
+int
+ip_set_type_register(struct ip_set_type *type)
+{
+        int ret = 0;
+        if (type->protocol != IPSET_PROTOCOL) {
+                pr_warning("ip_set type %s, family %s, revision %u uses "
+                           "wrong protocol version %u (want %u)\n",
+                           type->name, family_name(type->family),
+                           type->revision, type->protocol, IPSET_PROTOCOL);
+                return -EINVAL;
+        }
+        ip_set_type_lock();
+        if (find_set_type(type->name, type->family, type->revision)) {
+                /* Duplicate! */
+                pr_warning("ip_set type %s, family %s, revision %u "
+                           "already registered!\n", type->name,
+                           family_name(type->family), type->revision);
+                ret = -EINVAL;
+                goto unlock;
+        }
+        list_add_rcu(&type->list, &ip_set_type_list);
+        pr_debug("type %s, family %s, revision %u registered.\n",
+                 type->name, family_name(type->family), type->revision);
+unlock:
+        ip_set_type_unlock();
+        return ret;
+}
+EXPORT_SYMBOL_GPL(ip_set_type_register);
+/* Unregister a set type. There's a small race with ip_set_create */
+void
+ip_set_type_unregister(struct ip_set_type *type)
+{
+        ip_set_type_lock();
+        if (!find_set_type(type->name, type->family, type->revision)) {
+                pr_warning("ip_set type %s, family %s, revision %u "
+                           "not registered\n", type->name,
+                           family_name(type->family), type->revision);
+                goto unlock;
+        }
+        list_del_rcu(&type->list);
+        pr_debug("type %s, family %s, revision %u unregistered.\n",
+                 type->name, family_name(type->family), type->revision);
+unlock:
+        ip_set_type_unlock();
+        synchronize_rcu();
+}
+EXPORT_SYMBOL_GPL(ip_set_type_unregister);
+/* Utility functions */
+void *
+ip_set_alloc(size_t size)
+{
+        void *members = NULL;
+        if (size < KMALLOC_MAX_SIZE)
+                members = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
+        if (members) {
+                pr_debug("%p: allocated with kmalloc\n", members);
+                return members;
+        }
+        members = vzalloc(size);
+        if (!members)
+                return NULL;
+        pr_debug("%p: allocated with vmalloc\n", members);
+        return members;
+}
+EXPORT_SYMBOL_GPL(ip_set_alloc);
+void
+ip_set_free(void *members)
+{
+        pr_debug("%p: free with %s\n", members,
+                 is_vmalloc_addr(members) ? "vfree" : "kfree");
+        if (is_vmalloc_addr(members))
+                vfree(members);
+        else
+                kfree(members);
+}
+EXPORT_SYMBOL_GPL(ip_set_free);
+static inline bool
+flag_nested(const struct nlattr *nla)
+{
+        return nla->nla_type & NLA_F_NESTED;
+}
+static const struct nla_policy ipaddr_policy[IPSET_ATTR_IPADDR_MAX + 1] = {
+        [IPSET_ATTR_IPADDR_IPV4]        = { .type = NLA_U32 },
+        [IPSET_ATTR_IPADDR_IPV6]        = { .type = NLA_BINARY,
+                                            .len = sizeof(struct in6_addr) },
+};
+int
+ip_set_get_ipaddr4(struct nlattr *nla,  __be32 *ipaddr)
+{
+        struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
+        if (unlikely(!flag_nested(nla)))
+                return -IPSET_ERR_PROTOCOL;
+        if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
+                return -IPSET_ERR_PROTOCOL;
+        if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV4)))
+                return -IPSET_ERR_PROTOCOL;
+        *ipaddr = nla_get_be32(tb[IPSET_ATTR_IPADDR_IPV4]);
+        return 0;
+}
+EXPORT_SYMBOL_GPL(ip_set_get_ipaddr4);
+int
+ip_set_get_ipaddr6(struct nlattr *nla, union nf_inet_addr *ipaddr)
+{
+        struct nlattr *tb[IPSET_ATTR_IPADDR_MAX+1];
+        if (unlikely(!flag_nested(nla)))
+                return -IPSET_ERR_PROTOCOL;
+        if (nla_parse_nested(tb, IPSET_ATTR_IPADDR_MAX, nla, ipaddr_policy))
+                return -IPSET_ERR_PROTOCOL;
+        if (unlikely(!ip_set_attr_netorder(tb, IPSET_ATTR_IPADDR_IPV6)))
+                return -IPSET_ERR_PROTOCOL;
+        memcpy(ipaddr, nla_data(tb[IPSET_ATTR_IPADDR_IPV6]),
+                sizeof(struct in6_addr));
+        return 0;
+}
+EXPORT_SYMBOL_GPL(ip_set_get_ipaddr6);
+/*
+ * Creating/destroying/renaming/swapping affect the existence and
+ * the properties of a set. All of these can be executed from userspace
+ * only and serialized by the nfnl mutex indirectly from nfnetlink.
+ *
+ * Sets are identified by their index in ip_set_list and the index
+ * is used by the external references (set/SET netfilter modules).
+ *
+ * The set behind an index may change by swapping only, from userspace.
+ */
+static inline void
+__ip_set_get(ip_set_id_t index)
+{
+        write_lock_bh(&ip_set_ref_lock);
+        ip_set_list[index]->ref++;
+        write_unlock_bh(&ip_set_ref_lock);
+}
+static inline void
+__ip_set_put(ip_set_id_t index)
+{
+        write_lock_bh(&ip_set_ref_lock);
+        BUG_ON(ip_set_list[index]->ref == 0);
+        ip_set_list[index]->ref--;
+        write_unlock_bh(&ip_set_ref_lock);
+}
+/*
+ * Add, del and test set entries from kernel.
+ *
+ * The set behind the index must exist and must be referenced
+ * so it can't be destroyed (or changed) under our foot.
+ */
+int
+ip_set_test(ip_set_id_t index, const struct sk_buff *skb,
+            u8 family, u8 dim, u8 flags)
+{
+        struct ip_set *set = ip_set_list[index];
+        int ret = 0;
+        BUG_ON(set == NULL);
+        pr_debug("set %s, index %u\n", set->name, index);
+        if (dim < set->type->dimension ||
+            !(family == set->family || set->family == AF_UNSPEC))
+                return 0;
+        read_lock_bh(&set->lock);
+        ret = set->variant->kadt(set, skb, IPSET_TEST, family, dim, flags);
+        read_unlock_bh(&set->lock);
+        if (ret == -EAGAIN) {
+                /* Type requests element to be completed */
+                pr_debug("element must be competed, ADD is triggered\n");
+                write_lock_bh(&set->lock);
+                set->variant->kadt(set, skb, IPSET_ADD, family, dim, flags);
+                write_unlock_bh(&set->lock);
+                ret = 1;
+        }
+        /* Convert error codes to nomatch */
+        return (ret < 0 ? 0 : ret);
+}
+EXPORT_SYMBOL_GPL(ip_set_test);
+int
+ip_set_add(ip_set_id_t index, const struct sk_buff *skb,
+           u8 family, u8 dim, u8 flags)
+{
+        struct ip_set *set = ip_set_list[index];
+        int ret;
+        BUG_ON(set == NULL);
+        pr_debug("set %s, index %u\n", set->name, index);
+        if (dim < set->type->dimension ||
+            !(family == set->family || set->family == AF_UNSPEC))
+                return 0;
+        write_lock_bh(&set->lock);
+        ret = set->variant->kadt(set, skb, IPSET_ADD, family, dim, flags);
+        write_unlock_bh(&set->lock);
+        return ret;
+}
+EXPORT_SYMBOL_GPL(ip_set_add);
+int
+ip_set_del(ip_set_id_t index, const struct sk_buff *skb,
+           u8 family, u8 dim, u8 flags)
+{
+        struct ip_set *set = ip_set_list[index];
+        int ret = 0;
+        BUG_ON(set == NULL);
+        pr_debug("set %s, index %u\n", set->name, index);
+        if (dim < set->type->dimension ||
+            !(family == set->family || set->family == AF_UNSPEC))
+                return 0;
+        write_lock_bh(&set->lock);
+        ret = set->variant->kadt(set, skb, IPSET_DEL, family, dim, flags);
+        write_unlock_bh(&set->lock);
+        return ret;
+}
+EXPORT_SYMBOL_GPL(ip_set_del);
+/*
+ * Find set by name, reference it once. The reference makes sure the
+ * thing pointed to, does not go away under our feet.
+ *
+ */
+ip_set_id_t
+ip_set_get_byname(const char *name, struct ip_set **set)
+{
+        ip_set_id_t i, index = IPSET_INVALID_ID;
+        struct ip_set *s;
+        for (i = 0; i < ip_set_max; i++) {
+                s = ip_set_list[i];
+                if (s != NULL && STREQ(s->name, name)) {
+                        __ip_set_get(i);
+                        index = i;
+                        *set = s;
+                }
+        }
+        return index;
+}
+EXPORT_SYMBOL_GPL(ip_set_get_byname);
+/*
+ * If the given set pointer points to a valid set, decrement
+ * reference count by 1. The caller shall not assume the index
+ * to be valid, after calling this function.
+ *
+ */
+void
+ip_set_put_byindex(ip_set_id_t index)
+{
+        if (ip_set_list[index] != NULL)
+                __ip_set_put(index);
+}
+EXPORT_SYMBOL_GPL(ip_set_put_byindex);
+/*
+ * Get the name of a set behind a set index.
+ * We assume the set is referenced, so it does exist and
+ * can't be destroyed. The set cannot be renamed due to
+ * the referencing either.
+ *
+ */
+const char *
+ip_set_name_byindex(ip_set_id_t index)
+{
+        const struct ip_set *set = ip_set_list[index];
+        BUG_ON(set == NULL);
+        BUG_ON(set->ref == 0);
+        /* Referenced, so it's safe */
+        return set->name;
+}
+EXPORT_SYMBOL_GPL(ip_set_name_byindex);
+/*
+ * Routines to call by external subsystems, which do not
+ * call nfnl_lock for us.
+ */
+/*
+ * Find set by name, reference it once. The reference makes sure the
+ * thing pointed to, does not go away under our feet.
+ *
+ * The nfnl mutex is used in the function.
+ */
+ip_set_id_t
+ip_set_nfnl_get(const char *name)
+{
+        struct ip_set *s;
+        ip_set_id_t index;
+        nfnl_lock();
+        index = ip_set_get_byname(name, &s);
+        nfnl_unlock();
+        return index;
+}
+EXPORT_SYMBOL_GPL(ip_set_nfnl_get);
+/*
+ * Find set by index, reference it once. The reference makes sure the
+ * thing pointed to, does not go away under our feet.
+ *
+ * The nfnl mutex is used in the function.
+ */
+ip_set_id_t
+ip_set_nfnl_get_byindex(ip_set_id_t index)
+{
+        if (index > ip_set_max)
+                return IPSET_INVALID_ID;
+        nfnl_lock();
+        if (ip_set_list[index])
+                __ip_set_get(index);
+        else
+                index = IPSET_INVALID_ID;
+        nfnl_unlock();
+        return index;
+}
+EXPORT_SYMBOL_GPL(ip_set_nfnl_get_byindex);
+/*
+ * If the given set pointer points to a valid set, decrement
+ * reference count by 1. The caller shall not assume the index
+ * to be valid, after calling this function.
+ *
+ * The nfnl mutex is used in the function.
+ */
+void
+ip_set_nfnl_put(ip_set_id_t index)
+{
+        nfnl_lock();
+        ip_set_put_byindex(index);
+        nfnl_unlock();
+}
+EXPORT_SYMBOL_GPL(ip_set_nfnl_put);
+/*
+ * Communication protocol with userspace over netlink.
+ *
+ * The commands are serialized by the nfnl mutex.
+ */
+static inline bool
+protocol_failed(const struct nlattr * const tb[])
+{
+        return !tb[IPSET_ATTR_PROTOCOL] ||
+               nla_get_u8(tb[IPSET_ATTR_PROTOCOL]) != IPSET_PROTOCOL;
+}
+static inline u32
+flag_exist(const struct nlmsghdr *nlh)
+{
+        return nlh->nlmsg_flags & NLM_F_EXCL ? 0 : IPSET_FLAG_EXIST;
+}
+static struct nlmsghdr *
+start_msg(struct sk_buff *skb, u32 pid, u32 seq, unsigned int flags,
+          enum ipset_cmd cmd)
+{
+        struct nlmsghdr *nlh;
+        struct nfgenmsg *nfmsg;
+        nlh = nlmsg_put(skb, pid, seq, cmd | (NFNL_SUBSYS_IPSET << 8),
+                        sizeof(*nfmsg), flags);
+        if (nlh == NULL)
+                return NULL;
+        nfmsg = nlmsg_data(nlh);
+        nfmsg->nfgen_family = AF_INET;
+        nfmsg->version = NFNETLINK_V0;
+        nfmsg->res_id = 0;
+        return nlh;
+}
+/* Create a set */
+static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = {
+        [IPSET_ATTR_PROTOCOL]   = { .type = NLA_U8 },
+        [IPSET_ATTR_SETNAME]    = { .type = NLA_NUL_STRING,
+                                    .len = IPSET_MAXNAMELEN - 1 },
+        [IPSET_ATTR_TYPENAME]   = { .type = NLA_NUL_STRING,
+                                    .len = IPSET_MAXNAMELEN - 1},
+        [IPSET_ATTR_REVISION]   = { .type = NLA_U8 },
+        [IPSET_ATTR_FAMILY]     = { .type = NLA_U8 },
+        [IPSET_ATTR_DATA]       = { .type = NLA_NESTED },
+};
+static ip_set_id_t
+find_set_id(const char *name)
+{
+        ip_set_id_t i, index = IPSET_INVALID_ID;
+        const struct ip_set *set;
+        for (i = 0; index == IPSET_INVALID_ID && i < ip_set_max; i++) {
+                set = ip_set_list[i];
+                if (set != NULL && STREQ(set->name, name))
+                        index = i;
+        }
+        return index;
+}
+static inline struct ip_set *
+find_set(const char *name)
+{
+        ip_set_id_t index = find_set_id(name);
+        return index == IPSET_INVALID_ID ? NULL : ip_set_list[index];
+}
+static int
+find_free_id(const char *name, ip_set_id_t *index, struct ip_set **set)
+{
+        ip_set_id_t i;
+        *index = IPSET_INVALID_ID;
+        for (i = 0;  i < ip_set_max; i++) {
+                if (ip_set_list[i] == NULL) {
+                        if (*index == IPSET_INVALID_ID)
+                                *index = i;
+                } else if (STREQ(name, ip_set_list[i]->name)) {
+                        /* Name clash */
+                        *set = ip_set_list[i];
+                        return -EEXIST;
+                }
+        }
+        if (*index == IPSET_INVALID_ID)
+                /* No free slot remained */
+                return -IPSET_ERR_MAX_SETS;
+        return 0;
+}
+static int
+ip_set_create(struct sock *ctnl, struct sk_buff *skb,
+              const struct nlmsghdr *nlh,
+              const struct nlattr * const attr[])
+{
+        struct ip_set *set, *clash = NULL;
+        ip_set_id_t index = IPSET_INVALID_ID;
+        struct nlattr *tb[IPSET_ATTR_CREATE_MAX+1] = {};
+        const char *name, *typename;
+        u8 family, revision;
+        u32 flags = flag_exist(nlh);
+        int ret = 0;
+        if (unlikely(protocol_failed(attr) ||
+                     attr[IPSET_ATTR_SETNAME] == NULL ||
+                     attr[IPSET_ATTR_TYPENAME] == NULL ||
+                     attr[IPSET_ATTR_REVISION] == NULL ||
+                     attr[IPSET_ATTR_FAMILY] == NULL ||
+                     (attr[IPSET_ATTR_DATA] != NULL &&
+                      !flag_nested(attr[IPSET_ATTR_DATA]))))
+                return -IPSET_ERR_PROTOCOL;
+        name = nla_data(attr[IPSET_ATTR_SETNAME]);
+        typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
+        family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
+        revision = nla_get_u8(attr[IPSET_ATTR_REVISION]);
+        pr_debug("setname: %s, typename: %s, family: %s, revision: %u\n",
+                 name, typename, family_name(family), revision);
+        /*
+         * First, and without any locks, allocate and initialize
+         * a normal base set structure.
+         */
+        set = kzalloc(sizeof(struct ip_set), GFP_KERNEL);
+        if (!set)
+                return -ENOMEM;
+        rwlock_init(&set->lock);
+        strlcpy(set->name, name, IPSET_MAXNAMELEN);
+        set->family = family;
+        /*
+         * Next, check that we know the type, and take
+         * a reference on the type, to make sure it stays available
+         * while constructing our new set.
+         *
+         * After referencing the type, we try to create the type
+         * specific part of the set without holding any locks.
+         */
+        ret = find_set_type_get(typename, family, revision, &(set->type));
+        if (ret)
+                goto out;
+        /*
+         * Without holding any locks, create private part.
+         */
+        if (attr[IPSET_ATTR_DATA] &&
+            nla_parse_nested(tb, IPSET_ATTR_CREATE_MAX, attr[IPSET_ATTR_DATA],
+                             set->type->create_policy)) {
+                ret = -IPSET_ERR_PROTOCOL;
+                goto put_out;
+        }
+        ret = set->type->create(set, tb, flags);
+        if (ret != 0)
+                goto put_out;
+        /* BTW, ret==0 here. */
+        /*
+         * Here, we have a valid, constructed set and we are protected
+         * by the nfnl mutex. Find the first free index in ip_set_list
+         * and check clashing.
+         */
+        if ((ret = find_free_id(set->name, &index, &clash)) != 0) {
+                /* If this is the same set and requested, ignore error */
+                if (ret == -EEXIST &&
+                    (flags & IPSET_FLAG_EXIST) &&
+                    STREQ(set->type->name, clash->type->name) &&
+                    set->type->family == clash->type->family &&
+                    set->type->revision == clash->type->revision &&
+                    set->variant->same_set(set, clash))
+                        ret = 0;
+                goto cleanup;
+        }
+        /*
+         * Finally! Add our shiny new set to the list, and be done.
+         */
+        pr_debug("create: '%s' created with index %u!\n", set->name, index);
+        ip_set_list[index] = set;
+        return ret;
+cleanup:
+        set->variant->destroy(set);
+put_out:
+        module_put(set->type->me);
+out:
+        kfree(set);
+        return ret;
+}
+/* Destroy sets */
+static const struct nla_policy
+ip_set_setname_policy[IPSET_ATTR_CMD_MAX + 1] = {
+        [IPSET_ATTR_PROTOCOL]   = { .type = NLA_U8 },
+        [IPSET_ATTR_SETNAME]    = { .type = NLA_NUL_STRING,
+                                    .len = IPSET_MAXNAMELEN - 1 },
+};
+static void
+ip_set_destroy_set(ip_set_id_t index)
+{
+        struct ip_set *set = ip_set_list[index];
+        pr_debug("set: %s\n",  set->name);
+        ip_set_list[index] = NULL;
+        /* Must call it without holding any lock */
+        set->variant->destroy(set);
+        module_put(set->type->me);
+        kfree(set);
+}
+static int
+ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
+               const struct nlmsghdr *nlh,
+               const struct nlattr * const attr[])
+{
+        ip_set_id_t i;
+        int ret = 0;
+        if (unlikely(protocol_failed(attr)))
+                return -IPSET_ERR_PROTOCOL;
+        /* Commands are serialized and references are
+         * protected by the ip_set_ref_lock.
+         * External systems (i.e. xt_set) must call
+         * ip_set_put|get_nfnl_* functions, that way we
+         * can safely check references here.
+         *
+         * list:set timer can only decrement the reference
+         * counter, so if it's already zero, we can proceed
+         * without holding the lock.
+         */
+        read_lock_bh(&ip_set_ref_lock);
+        if (!attr[IPSET_ATTR_SETNAME]) {
+                for (i = 0; i < ip_set_max; i++) {
+                        if (ip_set_list[i] != NULL && ip_set_list[i]->ref) {
+                                ret = IPSET_ERR_BUSY;
+                                goto out;
+                        }
+                }
+                read_unlock_bh(&ip_set_ref_lock);
+                for (i = 0; i < ip_set_max; i++) {
+                        if (ip_set_list[i] != NULL)
+                                ip_set_destroy_set(i);
+                }
+        } else {
+                i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
+                if (i == IPSET_INVALID_ID) {
+                        ret = -ENOENT;
+                        goto out;
+                } else if (ip_set_list[i]->ref) {
+                        ret = -IPSET_ERR_BUSY;
+                        goto out;
+                }
+                read_unlock_bh(&ip_set_ref_lock);
+                ip_set_destroy_set(i);
+        }
+        return 0;
+out:
+        read_unlock_bh(&ip_set_ref_lock);
+        return ret;
+}
+/* Flush sets */
+static void
+ip_set_flush_set(struct ip_set *set)
+{
+        pr_debug("set: %s\n",  set->name);
+        write_lock_bh(&set->lock);
+        set->variant->flush(set);
+        write_unlock_bh(&set->lock);
+}
+static int
+ip_set_flush(struct sock *ctnl, struct sk_buff *skb,
+             const struct nlmsghdr *nlh,
+             const struct nlattr * const attr[])
+{
+        ip_set_id_t i;
+        if (unlikely(protocol_failed(attr)))
+                return -EPROTO;
+        if (!attr[IPSET_ATTR_SETNAME]) {
+                for (i = 0; i < ip_set_max; i++)
+                        if (ip_set_list[i] != NULL)
+                                ip_set_flush_set(ip_set_list[i]);
+        } else {
+                i = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
+                if (i == IPSET_INVALID_ID)
+                        return -ENOENT;
+                ip_set_flush_set(ip_set_list[i]);
+        }
+        return 0;
+}
+/* Rename a set */
+static const struct nla_policy
+ip_set_setname2_policy[IPSET_ATTR_CMD_MAX + 1] = {
+        [IPSET_ATTR_PROTOCOL]   = { .type = NLA_U8 },
+        [IPSET_ATTR_SETNAME]    = { .type = NLA_NUL_STRING,
+                                    .len = IPSET_MAXNAMELEN - 1 },
+        [IPSET_ATTR_SETNAME2]   = { .type = NLA_NUL_STRING,
+                                    .len = IPSET_MAXNAMELEN - 1 },
+};
+static int
+ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
+              const struct nlmsghdr *nlh,
+              const struct nlattr * const attr[])
+{
+        struct ip_set *set;
+        const char *name2;
+        ip_set_id_t i;
+        int ret = 0;
+        if (unlikely(protocol_failed(attr) ||
+                     attr[IPSET_ATTR_SETNAME] == NULL ||
+                     attr[IPSET_ATTR_SETNAME2] == NULL))
+                return -IPSET_ERR_PROTOCOL;
+        set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
+        if (set == NULL)
+                return -ENOENT;
+        read_lock_bh(&ip_set_ref_lock);
+        if (set->ref != 0) {
+                ret = -IPSET_ERR_REFERENCED;
+                goto out;
+        }
+        name2 = nla_data(attr[IPSET_ATTR_SETNAME2]);
+        for (i = 0; i < ip_set_max; i++) {
+                if (ip_set_list[i] != NULL &&
+                    STREQ(ip_set_list[i]->name, name2)) {
+                        ret = -IPSET_ERR_EXIST_SETNAME2;
+                        goto out;
+                }
+        }
+        strncpy(set->name, name2, IPSET_MAXNAMELEN);
+out:
+        read_unlock_bh(&ip_set_ref_lock);
+        return ret;
+}
+/* Swap two sets so that name/index points to the other.
+ * References and set names are also swapped.
+ *
+ * The commands are serialized by the nfnl mutex and references are
+ * protected by the ip_set_ref_lock. The kernel interfaces
+ * do not hold the mutex but the pointer settings are atomic
+ * so the ip_set_list always contains valid pointers to the sets.
+ */
+static int
+ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
+            const struct nlmsghdr *nlh,
+            const struct nlattr * const attr[])
+{
+        struct ip_set *from, *to;
+        ip_set_id_t from_id, to_id;
+        char from_name[IPSET_MAXNAMELEN];
+        if (unlikely(protocol_failed(attr) ||
+                     attr[IPSET_ATTR_SETNAME] == NULL ||
+                     attr[IPSET_ATTR_SETNAME2] == NULL))
+                return -IPSET_ERR_PROTOCOL;
+        from_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
+        if (from_id == IPSET_INVALID_ID)
+                return -ENOENT;
+        to_id = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME2]));
+        if (to_id == IPSET_INVALID_ID)
+                return -IPSET_ERR_EXIST_SETNAME2;
+        from = ip_set_list[from_id];
+        to = ip_set_list[to_id];
+        /* Features must not change.
+         * Not an artificial restriction anymore, as we must prevent
+         * possible loops created by swapping in setlist type of sets. */
+        if (!(from->type->features == to->type->features &&
+              from->type->family == to->type->family))
+                return -IPSET_ERR_TYPE_MISMATCH;
+        strncpy(from_name, from->name, IPSET_MAXNAMELEN);
+        strncpy(from->name, to->name, IPSET_MAXNAMELEN);
+        strncpy(to->name, from_name, IPSET_MAXNAMELEN);
+        write_lock_bh(&ip_set_ref_lock);
+        swap(from->ref, to->ref);
+        ip_set_list[from_id] = to;
+        ip_set_list[to_id] = from;
+        write_unlock_bh(&ip_set_ref_lock);
+        return 0;
+}
+/* List/save set data */
+#define DUMP_INIT       0L
+#define DUMP_ALL        1L
+#define DUMP_ONE        2L
+#define DUMP_LAST       3L
+static int
+ip_set_dump_done(struct netlink_callback *cb)
+{
+        if (cb->args[2]) {
+                pr_debug("release set %s\n", ip_set_list[cb->args[1]]->name);
+                ip_set_put_byindex((ip_set_id_t) cb->args[1]);
+        }
+        return 0;
+}
+static inline void
+dump_attrs(struct nlmsghdr *nlh)
+{
+        const struct nlattr *attr;
+        int rem;
+        pr_debug("dump nlmsg\n");
+        nlmsg_for_each_attr(attr, nlh, sizeof(struct nfgenmsg), rem) {
+                pr_debug("type: %u, len %u\n", nla_type(attr), attr->nla_len);
+        }
+}
+static int
+dump_init(struct netlink_callback *cb)
+{
+        struct nlmsghdr *nlh = nlmsg_hdr(cb->skb);
+        int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
+        struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
+        struct nlattr *attr = (void *)nlh + min_len;
+        ip_set_id_t index;
+        /* Second pass, so parser can't fail */
+        nla_parse(cda, IPSET_ATTR_CMD_MAX,
+                  attr, nlh->nlmsg_len - min_len, ip_set_setname_policy);
+        /* cb->args[0] : dump single set/all sets
+         *         [1] : set index
+         *         [..]: type specific
+         */
+        if (!cda[IPSET_ATTR_SETNAME]) {
+                cb->args[0] = DUMP_ALL;
+                return 0;
+        }
+        index = find_set_id(nla_data(cda[IPSET_ATTR_SETNAME]));
+        if (index == IPSET_INVALID_ID)
+                return -ENOENT;
+        cb->args[0] = DUMP_ONE;
+        cb->args[1] = index;
+        return 0;
+}
+static int
+ip_set_dump_start(struct sk_buff *skb, struct netlink_callback *cb)
+{
+        ip_set_id_t index = IPSET_INVALID_ID, max;
+        struct ip_set *set = NULL;
+        struct nlmsghdr *nlh = NULL;
+        unsigned int flags = NETLINK_CB(cb->skb).pid ? NLM_F_MULTI : 0;
+        int ret = 0;
+        if (cb->args[0] == DUMP_INIT) {
+                ret = dump_init(cb);
+                if (ret < 0) {
+                        nlh = nlmsg_hdr(cb->skb);
+                        /* We have to create and send the error message
+                         * manually :-( */
+                        if (nlh->nlmsg_flags & NLM_F_ACK)
+                                netlink_ack(cb->skb, nlh, ret);
+                        return ret;
+                }
+        }
+        if (cb->args[1] >= ip_set_max)
+                goto out;
+        max = cb->args[0] == DUMP_ONE ? cb->args[1] + 1 : ip_set_max;
+dump_last:
+        pr_debug("args[0]: %ld args[1]: %ld\n", cb->args[0], cb->args[1]);
+        for (; cb->args[1] < max; cb->args[1]++) {
+                index = (ip_set_id_t) cb->args[1];
+                set = ip_set_list[index];
+                if (set == NULL) {
+                        if (cb->args[0] == DUMP_ONE) {
+                                ret = -ENOENT;
+                                goto out;
+                        }
+                        continue;
+                }
+                /* When dumping all sets, we must dump "sorted"
+                 * so that lists (unions of sets) are dumped last.
+                 */
+                if (cb->args[0] != DUMP_ONE &&
+                    ((cb->args[0] == DUMP_ALL) ==
+                     !!(set->type->features & IPSET_DUMP_LAST)))
+                        continue;
+                pr_debug("List set: %s\n", set->name);
+                if (!cb->args[2]) {
+                        /* Start listing: make sure set won't be destroyed */
+                        pr_debug("reference set\n");
+                        __ip_set_get(index);
+                }
+                nlh = start_msg(skb, NETLINK_CB(cb->skb).pid,
+                                cb->nlh->nlmsg_seq, flags,
+                                IPSET_CMD_LIST);
+                if (!nlh) {
+                        ret = -EMSGSIZE;
+                        goto release_refcount;
+                }
+                NLA_PUT_U8(skb, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
+                NLA_PUT_STRING(skb, IPSET_ATTR_SETNAME, set->name);
+                switch (cb->args[2]) {
+                case 0:
+                        /* Core header data */
+                        NLA_PUT_STRING(skb, IPSET_ATTR_TYPENAME,
+                                       set->type->name);
+                        NLA_PUT_U8(skb, IPSET_ATTR_FAMILY,
+                                   set->family);
+                        NLA_PUT_U8(skb, IPSET_ATTR_REVISION,
+                                   set->type->revision);
+                        ret = set->variant->head(set, skb);
+                        if (ret < 0)
+                                goto release_refcount;
+                        /* Fall through and add elements */
+                default:
+                        read_lock_bh(&set->lock);
+                        ret = set->variant->list(set, skb, cb);
+                        read_unlock_bh(&set->lock);
+                        if (!cb->args[2]) {
+                                /* Set is done, proceed with next one */
+                                if (cb->args[0] == DUMP_ONE)
+                                        cb->args[1] = IPSET_INVALID_ID;
+                                else
+                                        cb->args[1]++;
+                        }
+                        goto release_refcount;
+                }
+        }
+        /* If we dump all sets, continue with dumping last ones */
+        if (cb->args[0] == DUMP_ALL) {
+                cb->args[0] = DUMP_LAST;
+                cb->args[1] = 0;
+                goto dump_last;
+        }
+        goto out;
+nla_put_failure:
+        ret = -EFAULT;
+release_refcount:
+        /* If there was an error or set is done, release set */
+        if (ret || !cb->args[2]) {
+                pr_debug("release set %s\n", ip_set_list[index]->name);
+                ip_set_put_byindex(index);
+        }
+out:
+        if (nlh) {
+                nlmsg_end(skb, nlh);
+                pr_debug("nlmsg_len: %u\n", nlh->nlmsg_len);
+                dump_attrs(nlh);
+        }
+        return ret < 0 ? ret : skb->len;
+}
+static int
+ip_set_dump(struct sock *ctnl, struct sk_buff *skb,
+            const struct nlmsghdr *nlh,
+            const struct nlattr * const attr[])
+{
+        if (unlikely(protocol_failed(attr)))
+                return -IPSET_ERR_PROTOCOL;
+        return netlink_dump_start(ctnl, skb, nlh,
+                                  ip_set_dump_start,
+                                  ip_set_dump_done);
+}
+/* Add, del and test */
+static const struct nla_policy ip_set_adt_policy[IPSET_ATTR_CMD_MAX + 1] = {
+        [IPSET_ATTR_PROTOCOL]   = { .type = NLA_U8 },
+        [IPSET_ATTR_SETNAME]    = { .type = NLA_NUL_STRING,
+                                    .len = IPSET_MAXNAMELEN - 1 },
+        [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
+        [IPSET_ATTR_DATA]       = { .type = NLA_NESTED },
+        [IPSET_ATTR_ADT]        = { .type = NLA_NESTED },
+};
+static int
+call_ad(struct sock *ctnl, struct sk_buff *skb, struct ip_set *set,
+        struct nlattr *tb[], enum ipset_adt adt,
+        u32 flags, bool use_lineno)
+{
+        int ret, retried = 0;
+        u32 lineno = 0;
+        bool eexist = flags & IPSET_FLAG_EXIST;
+        do {
+                write_lock_bh(&set->lock);
+                ret = set->variant->uadt(set, tb, adt, &lineno, flags);
+                write_unlock_bh(&set->lock);
+        } while (ret == -EAGAIN &&
+                 set->variant->resize &&
+                 (ret = set->variant->resize(set, retried++)) == 0);
+        if (!ret || (ret == -IPSET_ERR_EXIST && eexist))
+                return 0;
+        if (lineno && use_lineno) {
+                /* Error in restore/batch mode: send back lineno */
+                struct nlmsghdr *rep, *nlh = nlmsg_hdr(skb);
+                struct sk_buff *skb2;
+                struct nlmsgerr *errmsg;
+                size_t payload = sizeof(*errmsg) + nlmsg_len(nlh);
+                int min_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
+                struct nlattr *cda[IPSET_ATTR_CMD_MAX+1];
+                struct nlattr *cmdattr;
+                u32 *errline;
+                skb2 = nlmsg_new(payload, GFP_KERNEL);
+                if (skb2 == NULL)
+                        return -ENOMEM;
+                rep = __nlmsg_put(skb2, NETLINK_CB(skb).pid,
+                                  nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
+                errmsg = nlmsg_data(rep);
+                errmsg->error = ret;
+                memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
+                cmdattr = (void *)&errmsg->msg + min_len;
+                nla_parse(cda, IPSET_ATTR_CMD_MAX,
+                          cmdattr, nlh->nlmsg_len - min_len,
+                          ip_set_adt_policy);
+                errline = nla_data(cda[IPSET_ATTR_LINENO]);
+                *errline = lineno;
+                netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
+                /* Signal netlink not to send its ACK/errmsg.  */
+                return -EINTR;
+        }
+        return ret;
+}
+static int
+ip_set_uadd(struct sock *ctnl, struct sk_buff *skb,
+            const struct nlmsghdr *nlh,
+            const struct nlattr * const attr[])
+{
+        struct ip_set *set;
+        struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
+        const struct nlattr *nla;
+        u32 flags = flag_exist(nlh);
+        bool use_lineno;
+        int ret = 0;
+        if (unlikely(protocol_failed(attr) ||
+                     attr[IPSET_ATTR_SETNAME] == NULL ||
+                     !((attr[IPSET_ATTR_DATA] != NULL) ^
+                       (attr[IPSET_ATTR_ADT] != NULL)) ||
+                     (attr[IPSET_ATTR_DATA] != NULL &&
+                      !flag_nested(attr[IPSET_ATTR_DATA])) ||
+                     (attr[IPSET_ATTR_ADT] != NULL &&
+                      (!flag_nested(attr[IPSET_ATTR_ADT]) ||
+                       attr[IPSET_ATTR_LINENO] == NULL))))
+                return -IPSET_ERR_PROTOCOL;
+        set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
+        if (set == NULL)
+                return -ENOENT;
+        use_lineno = !!attr[IPSET_ATTR_LINENO];
+        if (attr[IPSET_ATTR_DATA]) {
+                if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
+                                     attr[IPSET_ATTR_DATA],
+                                     set->type->adt_policy))
+                        return -IPSET_ERR_PROTOCOL;
+                ret = call_ad(ctnl, skb, set, tb, IPSET_ADD, flags,
+                              use_lineno);
+        } else {
+                int nla_rem;
+                nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
+                        memset(tb, 0, sizeof(tb));
+                        if (nla_type(nla) != IPSET_ATTR_DATA ||
+                            !flag_nested(nla) ||
+                            nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
+                                             set->type->adt_policy))
+                                return -IPSET_ERR_PROTOCOL;
+                        ret = call_ad(ctnl, skb, set, tb, IPSET_ADD,
+                                      flags, use_lineno);
+                        if (ret < 0)
+                                return ret;
+                }
+        }
+        return ret;
+}
+static int
+ip_set_udel(struct sock *ctnl, struct sk_buff *skb,
+            const struct nlmsghdr *nlh,
+            const struct nlattr * const attr[])
+{
+        struct ip_set *set;
+        struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
+        const struct nlattr *nla;
+        u32 flags = flag_exist(nlh);
+        bool use_lineno;
+        int ret = 0;
+        if (unlikely(protocol_failed(attr) ||
+                     attr[IPSET_ATTR_SETNAME] == NULL ||
+                     !((attr[IPSET_ATTR_DATA] != NULL) ^
+                       (attr[IPSET_ATTR_ADT] != NULL)) ||
+                     (attr[IPSET_ATTR_DATA] != NULL &&
+                      !flag_nested(attr[IPSET_ATTR_DATA])) ||
+                     (attr[IPSET_ATTR_ADT] != NULL &&
+                      (!flag_nested(attr[IPSET_ATTR_ADT]) ||
+                       attr[IPSET_ATTR_LINENO] == NULL))))
+                return -IPSET_ERR_PROTOCOL;
+        set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
+        if (set == NULL)
+                return -ENOENT;
+        use_lineno = !!attr[IPSET_ATTR_LINENO];
+        if (attr[IPSET_ATTR_DATA]) {
+                if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX,
+                                     attr[IPSET_ATTR_DATA],
+                                     set->type->adt_policy))
+                        return -IPSET_ERR_PROTOCOL;
+                ret = call_ad(ctnl, skb, set, tb, IPSET_DEL, flags,
+                              use_lineno);
+        } else {
+                int nla_rem;
+                nla_for_each_nested(nla, attr[IPSET_ATTR_ADT], nla_rem) {
+                        memset(tb, 0, sizeof(*tb));
+                        if (nla_type(nla) != IPSET_ATTR_DATA ||
+                            !flag_nested(nla) ||
+                            nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, nla,
+                                             set->type->adt_policy))
+                                return -IPSET_ERR_PROTOCOL;
+                        ret = call_ad(ctnl, skb, set, tb, IPSET_DEL,
+                                      flags, use_lineno);
+                        if (ret < 0)
+                                return ret;
+                }
+        }
+        return ret;
+}
+static int
+ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
+             const struct nlmsghdr *nlh,
+             const struct nlattr * const attr[])
+{
+        struct ip_set *set;
+        struct nlattr *tb[IPSET_ATTR_ADT_MAX+1] = {};
+        int ret = 0;
+        if (unlikely(protocol_failed(attr) ||
+                     attr[IPSET_ATTR_SETNAME] == NULL ||
+                     attr[IPSET_ATTR_DATA] == NULL ||
+                     !flag_nested(attr[IPSET_ATTR_DATA])))
+                return -IPSET_ERR_PROTOCOL;
+        set = find_set(nla_data(attr[IPSET_ATTR_SETNAME]));
+        if (set == NULL)
+                return -ENOENT;
+        if (nla_parse_nested(tb, IPSET_ATTR_ADT_MAX, attr[IPSET_ATTR_DATA],
+                             set->type->adt_policy))
+                return -IPSET_ERR_PROTOCOL;
+        read_lock_bh(&set->lock);
+        ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0);
+        read_unlock_bh(&set->lock);
+        /* Userspace can't trigger element to be re-added */
+        if (ret == -EAGAIN)
+                ret = 1;
+        return ret < 0 ? ret : ret > 0 ? 0 : -IPSET_ERR_EXIST;
+}
+/* Get headed data of a set */
+static int
+ip_set_header(struct sock *ctnl, struct sk_buff *skb,
+              const struct nlmsghdr *nlh,
+              const struct nlattr * const attr[])
+{
+        const struct ip_set *set;
+        struct sk_buff *skb2;
+        struct nlmsghdr *nlh2;
+        ip_set_id_t index;
+        int ret = 0;
+        if (unlikely(protocol_failed(attr) ||
+                     attr[IPSET_ATTR_SETNAME] == NULL))
+                return -IPSET_ERR_PROTOCOL;
+        index = find_set_id(nla_data(attr[IPSET_ATTR_SETNAME]));
+        if (index == IPSET_INVALID_ID)
+                return -ENOENT;
+        set = ip_set_list[index];
+        skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (skb2 == NULL)
+                return -ENOMEM;
+        nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0,
+                         IPSET_CMD_HEADER);
+        if (!nlh2)
+                goto nlmsg_failure;
+        NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
+        NLA_PUT_STRING(skb2, IPSET_ATTR_SETNAME, set->name);
+        NLA_PUT_STRING(skb2, IPSET_ATTR_TYPENAME, set->type->name);
+        NLA_PUT_U8(skb2, IPSET_ATTR_FAMILY, set->family);
+        NLA_PUT_U8(skb2, IPSET_ATTR_REVISION, set->type->revision);
+        nlmsg_end(skb2, nlh2);
+        ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
+        if (ret < 0)
+                return ret;
+        return 0;
+nla_put_failure:
+        nlmsg_cancel(skb2, nlh2);
+nlmsg_failure:
+        kfree_skb(skb2);
+        return -EMSGSIZE;
+}
+/* Get type data */
+static const struct nla_policy ip_set_type_policy[IPSET_ATTR_CMD_MAX + 1] = {
+        [IPSET_ATTR_PROTOCOL]   = { .type = NLA_U8 },
+        [IPSET_ATTR_TYPENAME]   = { .type = NLA_NUL_STRING,
+                                    .len = IPSET_MAXNAMELEN - 1 },
+        [IPSET_ATTR_FAMILY]     = { .type = NLA_U8 },
+};
+static int
+ip_set_type(struct sock *ctnl, struct sk_buff *skb,
+            const struct nlmsghdr *nlh,
+            const struct nlattr * const attr[])
+{
+        struct sk_buff *skb2;
+        struct nlmsghdr *nlh2;
+        u8 family, min, max;
+        const char *typename;
+        int ret = 0;
+        if (unlikely(protocol_failed(attr) ||
+                     attr[IPSET_ATTR_TYPENAME] == NULL ||
+                     attr[IPSET_ATTR_FAMILY] == NULL))
+                return -IPSET_ERR_PROTOCOL;
+        family = nla_get_u8(attr[IPSET_ATTR_FAMILY]);
+        typename = nla_data(attr[IPSET_ATTR_TYPENAME]);
+        ret = find_set_type_minmax(typename, family, &min, &max);
+        if (ret)
+                return ret;
+        skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (skb2 == NULL)
+                return -ENOMEM;
+        nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0,
+                         IPSET_CMD_TYPE);
+        if (!nlh2)
+                goto nlmsg_failure;
+        NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
+        NLA_PUT_STRING(skb2, IPSET_ATTR_TYPENAME, typename);
+        NLA_PUT_U8(skb2, IPSET_ATTR_FAMILY, family);
+        NLA_PUT_U8(skb2, IPSET_ATTR_REVISION, max);
+        NLA_PUT_U8(skb2, IPSET_ATTR_REVISION_MIN, min);
+        nlmsg_end(skb2, nlh2);
+        pr_debug("Send TYPE, nlmsg_len: %u\n", nlh2->nlmsg_len);
+        ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
+        if (ret < 0)
+                return ret;
+        return 0;
+nla_put_failure:
+        nlmsg_cancel(skb2, nlh2);
+nlmsg_failure:
+        kfree_skb(skb2);
+        return -EMSGSIZE;
+}
+/* Get protocol version */
+static const struct nla_policy
+ip_set_protocol_policy[IPSET_ATTR_CMD_MAX + 1] = {
+        [IPSET_ATTR_PROTOCOL]   = { .type = NLA_U8 },
+};
+static int
+ip_set_protocol(struct sock *ctnl, struct sk_buff *skb,
+                const struct nlmsghdr *nlh,
+                const struct nlattr * const attr[])
+{
+        struct sk_buff *skb2;
+        struct nlmsghdr *nlh2;
+        int ret = 0;
+        if (unlikely(attr[IPSET_ATTR_PROTOCOL] == NULL))
+                return -IPSET_ERR_PROTOCOL;
+        skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (skb2 == NULL)
+                return -ENOMEM;
+        nlh2 = start_msg(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 0,
+                         IPSET_CMD_PROTOCOL);
+        if (!nlh2)
+                goto nlmsg_failure;
+        NLA_PUT_U8(skb2, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
+        nlmsg_end(skb2, nlh2);
+        ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
+        if (ret < 0)
+                return ret;
+        return 0;
+nla_put_failure:
+        nlmsg_cancel(skb2, nlh2);
+nlmsg_failure:
+        kfree_skb(skb2);
+        return -EMSGSIZE;
+}
+static const struct nfnl_callback ip_set_netlink_subsys_cb[IPSET_MSG_MAX] = {
+        [IPSET_CMD_CREATE]      = {
+                .call           = ip_set_create,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+                .policy         = ip_set_create_policy,
+        },
+        [IPSET_CMD_DESTROY]     = {
+                .call           = ip_set_destroy,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+                .policy         = ip_set_setname_policy,
+        },
+        [IPSET_CMD_FLUSH]       = {
+                .call           = ip_set_flush,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+                .policy         = ip_set_setname_policy,
+        },
+        [IPSET_CMD_RENAME]      = {
+                .call           = ip_set_rename,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+                .policy         = ip_set_setname2_policy,
+        },
+        [IPSET_CMD_SWAP]        = {
+                .call           = ip_set_swap,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+                .policy         = ip_set_setname2_policy,
+        },
+        [IPSET_CMD_LIST]        = {
+                .call           = ip_set_dump,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+                .policy         = ip_set_setname_policy,
+        },
+        [IPSET_CMD_SAVE]        = {
+                .call           = ip_set_dump,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+                .policy         = ip_set_setname_policy,
+        },
+        [IPSET_CMD_ADD] = {
+                .call           = ip_set_uadd,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+                .policy         = ip_set_adt_policy,
+        },
+        [IPSET_CMD_DEL] = {
+                .call           = ip_set_udel,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+                .policy         = ip_set_adt_policy,
+        },
+        [IPSET_CMD_TEST]        = {
+                .call           = ip_set_utest,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+                .policy         = ip_set_adt_policy,
+        },
+        [IPSET_CMD_HEADER]      = {
+                .call           = ip_set_header,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+                .policy         = ip_set_setname_policy,
+        },
+        [IPSET_CMD_TYPE]        = {
+                .call           = ip_set_type,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+                .policy         = ip_set_type_policy,
+        },
+        [IPSET_CMD_PROTOCOL]    = {
+                .call           = ip_set_protocol,
+                .attr_count     = IPSET_ATTR_CMD_MAX,
+                .policy         = ip_set_protocol_policy,
+        },
+};
+static struct nfnetlink_subsystem ip_set_netlink_subsys __read_mostly = {
+        .name           = "ip_set",
+        .subsys_id      = NFNL_SUBSYS_IPSET,
+        .cb_count       = IPSET_MSG_MAX,
+        .cb             = ip_set_netlink_subsys_cb,
+};
+/* Interface to iptables/ip6tables */
+static int
+ip_set_sockfn_get(struct sock *sk, int optval, void __user *user, int *len)
+{
+        unsigned *op;
+        void *data;
+        int copylen = *len, ret = 0;
+        if (!capable(CAP_NET_ADMIN))
+                return -EPERM;
+        if (optval != SO_IP_SET)
+                return -EBADF;
+        if (*len < sizeof(unsigned))
+                return -EINVAL;
+        data = vmalloc(*len);
+        if (!data)
+                return -ENOMEM;
+        if (copy_from_user(data, user, *len) != 0) {
+                ret = -EFAULT;
+                goto done;
+        }
+        op = (unsigned *) data;
+        if (*op < IP_SET_OP_VERSION) {
+                /* Check the version at the beginning of operations */
+                struct ip_set_req_version *req_version = data;
+                if (req_version->version != IPSET_PROTOCOL) {
+                        ret = -EPROTO;
+                        goto done;
+                }
+        }
+        switch (*op) {
+        case IP_SET_OP_VERSION: {
+                struct ip_set_req_version *req_version = data;
+                if (*len != sizeof(struct ip_set_req_version)) {
+                        ret = -EINVAL;
+                        goto done;
+                }
+                req_version->version = IPSET_PROTOCOL;
+                ret = copy_to_user(user, req_version,
+                                   sizeof(struct ip_set_req_version));
+                goto done;
+        }
+        case IP_SET_OP_GET_BYNAME: {
+                struct ip_set_req_get_set *req_get = data;
+                if (*len != sizeof(struct ip_set_req_get_set)) {
+                        ret = -EINVAL;
+                        goto done;
+                }
+                req_get->set.name[IPSET_MAXNAMELEN - 1] = '\0';
+                nfnl_lock();
+                req_get->set.index = find_set_id(req_get->set.name);
+                nfnl_unlock();
+                goto copy;
+        }
+        case IP_SET_OP_GET_BYINDEX: {
+                struct ip_set_req_get_set *req_get = data;
+                if (*len != sizeof(struct ip_set_req_get_set) ||
+                    req_get->set.index >= ip_set_max) {
+                        ret = -EINVAL;
+                        goto done;
+                }
+                nfnl_lock();
+                strncpy(req_get->set.name,
+                        ip_set_list[req_get->set.index]
+                                ? ip_set_list[req_get->set.index]->name : "",
+                        IPSET_MAXNAMELEN);
+                nfnl_unlock();
+                goto copy;
+        }
+        default:
+                ret = -EBADMSG;
+                goto done;
+        }       /* end of switch(op) */
+copy:
+        ret = copy_to_user(user, data, copylen);
+done:
+        vfree(data);
+        if (ret > 0)
+                ret = 0;
+        return ret;
+}
+static struct nf_sockopt_ops so_set __read_mostly = {
+        .pf             = PF_INET,
+        .get_optmin     = SO_IP_SET,
+        .get_optmax     = SO_IP_SET + 1,
+        .get            = &ip_set_sockfn_get,
+        .owner          = THIS_MODULE,
+};
+static int __init
+ip_set_init(void)
+{
+        int ret;
+        if (max_sets)
+                ip_set_max = max_sets;
+        if (ip_set_max >= IPSET_INVALID_ID)
+                ip_set_max = IPSET_INVALID_ID - 1;
+        ip_set_list = kzalloc(sizeof(struct ip_set *) * ip_set_max,
+                              GFP_KERNEL);
+        if (!ip_set_list) {
+                pr_err("ip_set: Unable to create ip_set_list\n");
+                return -ENOMEM;
+        }
+        ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
+        if (ret != 0) {
+                pr_err("ip_set: cannot register with nfnetlink.\n");
+                kfree(ip_set_list);
+                return ret;
+        }
+        ret = nf_register_sockopt(&so_set);
+        if (ret != 0) {
+                pr_err("SO_SET registry failed: %d\n", ret);
+                nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
+                kfree(ip_set_list);
+                return ret;
+        }
+        pr_notice("ip_set: protocol %u\n", IPSET_PROTOCOL);
+        return 0;
+}
+static void __exit
+ip_set_fini(void)
+{
+        /* There can't be any existing set */
+        nf_unregister_sockopt(&so_set);
+        nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
+        kfree(ip_set_list);
+        pr_debug("these are the famous last words\n");
+}
+module_init(ip_set_init);
+module_exit(ip_set_fini);
diff --git a/net/netfilter/ipset/ip_set_getport.c b/net/netfilter/ipset/ip_set_getport.c
new file mode 100644
index 000000000000..757143b2240a
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_getport.c
@@ -0,0 +1,155 @@
+/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Get Layer-4 data from the packets */
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/icmp.h>
+#include <linux/icmpv6.h>
+#include <linux/sctp.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <linux/netfilter/ipset/ip_set_getport.h>
+/* We must handle non-linear skbs */
+static bool
+get_port(const struct sk_buff *skb, int protocol, unsigned int protooff,
+         bool src, __be16 *port, u8 *proto)
+{
+        switch (protocol) {
+        case IPPROTO_TCP: {
+                struct tcphdr _tcph;
+                const struct tcphdr *th;
+                th = skb_header_pointer(skb, protooff, sizeof(_tcph), &_tcph);
+                if (th == NULL)
+                        /* No choice either */
+                        return false;
+                *port = src ? th->source : th->dest;
+                break;
+        }
+        case IPPROTO_SCTP: {
+                sctp_sctphdr_t _sh;
+                const sctp_sctphdr_t *sh;
+                sh = skb_header_pointer(skb, protooff, sizeof(_sh), &_sh);
+                if (sh == NULL)
+                        /* No choice either */
+                        return false;
+                *port = src ? sh->source : sh->dest;
+                break;
+        }
+        case IPPROTO_UDP:
+        case IPPROTO_UDPLITE: {
+                struct udphdr _udph;
+                const struct udphdr *uh;
+                uh = skb_header_pointer(skb, protooff, sizeof(_udph), &_udph);
+                if (uh == NULL)
+                        /* No choice either */
+                        return false;
+                *port = src ? uh->source : uh->dest;
+                break;
+        }
+        case IPPROTO_ICMP: {
+                struct icmphdr _ich;
+                const struct icmphdr *ic;
+                ic = skb_header_pointer(skb, protooff, sizeof(_ich), &_ich);
+                if (ic == NULL)
+                        return false;
+                *port = (__force __be16)htons((ic->type << 8) | ic->code);
+                break;
+        }
+        case IPPROTO_ICMPV6: {
+                struct icmp6hdr _ich;
+                const struct icmp6hdr *ic;
+                ic = skb_header_pointer(skb, protooff, sizeof(_ich), &_ich);
+                if (ic == NULL)
+                        return false;
+                *port = (__force __be16)
+                        htons((ic->icmp6_type << 8) | ic->icmp6_code);
+                break;
+        }
+        default:
+                break;
+        }
+        *proto = protocol;
+        return true;
+}
+bool
+ip_set_get_ip4_port(const struct sk_buff *skb, bool src,
+                    __be16 *port, u8 *proto)
+{
+        const struct iphdr *iph = ip_hdr(skb);
+        unsigned int protooff = ip_hdrlen(skb);
+        int protocol = iph->protocol;
+        /* See comments at tcp_match in ip_tables.c */
+        if (protocol <= 0 || (ntohs(iph->frag_off) & IP_OFFSET))
+                return false;
+        return get_port(skb, protocol, protooff, src, port, proto);
+}
+EXPORT_SYMBOL_GPL(ip_set_get_ip4_port);
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+bool
+ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
+                    __be16 *port, u8 *proto)
+{
+        int protoff;
+        u8 nexthdr;
+        nexthdr = ipv6_hdr(skb)->nexthdr;
+        protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr);
+        if (protoff < 0)
+                return false;
+        return get_port(skb, nexthdr, protoff, src, port, proto);
+}
+EXPORT_SYMBOL_GPL(ip_set_get_ip6_port);
+#endif
+bool
+ip_set_get_ip_port(const struct sk_buff *skb, u8 pf, bool src, __be16 *port)
+{
+        bool ret;
+        u8 proto;
+        switch (pf) {
+        case AF_INET:
+                ret = ip_set_get_ip4_port(skb, src, port, &proto);
+                break;
+        case AF_INET6:
+                ret = ip_set_get_ip6_port(skb, src, port, &proto);
+                break;
+        default:
+                return false;
+        }
+        if (!ret)
+                return ret;
+        switch (proto) {
+        case IPPROTO_TCP:
+        case IPPROTO_UDP:
+                return true;
+        default:
+                return false;
+        }
+}
+EXPORT_SYMBOL_GPL(ip_set_get_ip_port);
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
new file mode 100644
index 000000000000..43bcce200129
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -0,0 +1,464 @@
+/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Kernel module implementing an IP set type: the hash:ip type */
+#include <linux/jhash.h>
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/errno.h>
+#include <linux/random.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/netlink.h>
+#include <net/tcp.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/ipset/pfxlen.h>
+#include <linux/netfilter/ipset/ip_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
+#include <linux/netfilter/ipset/ip_set_hash.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("hash:ip type of IP sets");
+MODULE_ALIAS("ip_set_hash:ip");
+/* Type specific function prefix */
+#define TYPE            hash_ip
+static bool
+hash_ip_same_set(const struct ip_set *a, const struct ip_set *b);
+#define hash_ip4_same_set       hash_ip_same_set
+#define hash_ip6_same_set       hash_ip_same_set
+/* The type variant functions: IPv4 */
+/* Member elements without timeout */
+struct hash_ip4_elem {
+        __be32 ip;
+};
+/* Member elements with timeout support */
+struct hash_ip4_telem {
+        __be32 ip;
+        unsigned long timeout;
+};
+static inline bool
+hash_ip4_data_equal(const struct hash_ip4_elem *ip1,
+                    const struct hash_ip4_elem *ip2)
+{
+        return ip1->ip == ip2->ip;
+}
+static inline bool
+hash_ip4_data_isnull(const struct hash_ip4_elem *elem)
+{
+        return elem->ip == 0;
+}
+static inline void
+hash_ip4_data_copy(struct hash_ip4_elem *dst, const struct hash_ip4_elem *src)
+{
+        dst->ip = src->ip;
+}
+/* Zero valued IP addresses cannot be stored */
+static inline void
+hash_ip4_data_zero_out(struct hash_ip4_elem *elem)
+{
+        elem->ip = 0;
+}
+static inline bool
+hash_ip4_data_list(struct sk_buff *skb, const struct hash_ip4_elem *data)
+{
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+        return 0;
+nla_put_failure:
+        return 1;
+}
+static bool
+hash_ip4_data_tlist(struct sk_buff *skb, const struct hash_ip4_elem *data)
+{
+        const struct hash_ip4_telem *tdata =
+                (const struct hash_ip4_telem *)data;
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
+        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                      htonl(ip_set_timeout_get(tdata->timeout)));
+        return 0;
+nla_put_failure:
+        return 1;
+}
+#define IP_SET_HASH_WITH_NETMASK
+#define PF              4
+#define HOST_MASK       32
+#include <linux/netfilter/ipset/ip_set_ahash.h>
+static int
+hash_ip4_kadt(struct ip_set *set, const struct sk_buff *skb,
+              enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        __be32 ip;
+        ip4addrptr(skb, flags & IPSET_DIM_ONE_SRC, &ip);
+        ip &= ip_set_netmask(h->netmask);
+        if (ip == 0)
+                return -EINVAL;
+        return adtfn(set, &ip, h->timeout);
+}
+static int
+hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
+              enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        u32 ip, ip_to, hosts, timeout = h->timeout;
+        __be32 nip;
+        int ret = 0;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
+        if (ret)
+                return ret;
+        ip &= ip_set_hostmask(h->netmask);
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(h->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        if (adt == IPSET_TEST) {
+                nip = htonl(ip);
+                if (nip == 0)
+                        return -IPSET_ERR_HASH_ELEM;
+                return adtfn(set, &nip, timeout);
+        }
+        if (tb[IPSET_ATTR_IP_TO]) {
+                ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
+                if (ret)
+                        return ret;
+                if (ip > ip_to)
+                        swap(ip, ip_to);
+        } else if (tb[IPSET_ATTR_CIDR]) {
+                u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+                if (cidr > 32)
+                        return -IPSET_ERR_INVALID_CIDR;
+                ip &= ip_set_hostmask(cidr);
+                ip_to = ip | ~ip_set_hostmask(cidr);
+        } else
+                ip_to = ip;
+        hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1);
+        for (; !before(ip_to, ip); ip += hosts) {
+                nip = htonl(ip);
+                if (nip == 0)
+                        return -IPSET_ERR_HASH_ELEM;
+                ret = adtfn(set, &nip, timeout);
+                if (ret && !ip_set_eexist(ret, flags))
+                        return ret;
+                else
+                        ret = 0;
+        }
+        return ret;
+}
+static bool
+hash_ip_same_set(const struct ip_set *a, const struct ip_set *b)
+{
+        const struct ip_set_hash *x = a->data;
+        const struct ip_set_hash *y = b->data;
+        /* Resizing changes htable_bits, so we ignore it */
+        return x->maxelem == y->maxelem &&
+               x->timeout == y->timeout &&
+               x->netmask == y->netmask;
+}
+/* The type variant functions: IPv6 */
+struct hash_ip6_elem {
+        union nf_inet_addr ip;
+};
+struct hash_ip6_telem {
+        union nf_inet_addr ip;
+        unsigned long timeout;
+};
+static inline bool
+hash_ip6_data_equal(const struct hash_ip6_elem *ip1,
+                    const struct hash_ip6_elem *ip2)
+{
+        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0;
+}
+static inline bool
+hash_ip6_data_isnull(const struct hash_ip6_elem *elem)
+{
+        return ipv6_addr_any(&elem->ip.in6);
+}
+static inline void
+hash_ip6_data_copy(struct hash_ip6_elem *dst, const struct hash_ip6_elem *src)
+{
+        ipv6_addr_copy(&dst->ip.in6, &src->ip.in6);
+}
+static inline void
+hash_ip6_data_zero_out(struct hash_ip6_elem *elem)
+{
+        ipv6_addr_set(&elem->ip.in6, 0, 0, 0, 0);
+}
+static inline void
+ip6_netmask(union nf_inet_addr *ip, u8 prefix)
+{
+        ip->ip6[0] &= ip_set_netmask6(prefix)[0];
+        ip->ip6[1] &= ip_set_netmask6(prefix)[1];
+        ip->ip6[2] &= ip_set_netmask6(prefix)[2];
+        ip->ip6[3] &= ip_set_netmask6(prefix)[3];
+}
+static bool
+hash_ip6_data_list(struct sk_buff *skb, const struct hash_ip6_elem *data)
+{
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
+        return 0;
+nla_put_failure:
+        return 1;
+}
+static bool
+hash_ip6_data_tlist(struct sk_buff *skb, const struct hash_ip6_elem *data)
+{
+        const struct hash_ip6_telem *e =
+                (const struct hash_ip6_telem *)data;
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
+        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                      htonl(ip_set_timeout_get(e->timeout)));
+        return 0;
+nla_put_failure:
+        return 1;
+}
+#undef PF
+#undef HOST_MASK
+#define PF              6
+#define HOST_MASK       128
+#include <linux/netfilter/ipset/ip_set_ahash.h>
+static int
+hash_ip6_kadt(struct ip_set *set, const struct sk_buff *skb,
+              enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        union nf_inet_addr ip;
+        ip6addrptr(skb, flags & IPSET_DIM_ONE_SRC, &ip.in6);
+        ip6_netmask(&ip, h->netmask);
+        if (ipv6_addr_any(&ip.in6))
+                return -EINVAL;
+        return adtfn(set, &ip, h->timeout);
+}
+static const struct nla_policy hash_ip6_adt_policy[IPSET_ATTR_ADT_MAX + 1] = {
+        [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
+        [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+        [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
+};
+static int
+hash_ip6_uadt(struct ip_set *set, struct nlattr *tb[],
+              enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        union nf_inet_addr ip;
+        u32 timeout = h->timeout;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
+                     tb[IPSET_ATTR_IP_TO] ||
+                     tb[IPSET_ATTR_CIDR]))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &ip);
+        if (ret)
+                return ret;
+        ip6_netmask(&ip, h->netmask);
+        if (ipv6_addr_any(&ip.in6))
+                return -IPSET_ERR_HASH_ELEM;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(h->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        ret = adtfn(set, &ip, timeout);
+        return ip_set_eexist(ret, flags) ? 0 : ret;
+}
+/* Create hash:ip type of sets */
+static int
+hash_ip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
+{
+        u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
+        u8 netmask, hbits;
+        struct ip_set_hash *h;
+        if (!(set->family == AF_INET || set->family == AF_INET6))
+                return -IPSET_ERR_INVALID_FAMILY;
+        netmask = set->family == AF_INET ? 32 : 128;
+        pr_debug("Create set %s with family %s\n",
+                 set->name, set->family == AF_INET ? "inet" : "inet6");
+        if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_HASHSIZE]) {
+                hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
+                if (hashsize < IPSET_MIMINAL_HASHSIZE)
+                        hashsize = IPSET_MIMINAL_HASHSIZE;
+        }
+        if (tb[IPSET_ATTR_MAXELEM])
+                maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
+        if (tb[IPSET_ATTR_NETMASK]) {
+                netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
+                if ((set->family == AF_INET && netmask > 32) ||
+                    (set->family == AF_INET6 && netmask > 128) ||
+                    netmask == 0)
+                        return -IPSET_ERR_INVALID_NETMASK;
+        }
+        h = kzalloc(sizeof(*h), GFP_KERNEL);
+        if (!h)
+                return -ENOMEM;
+        h->maxelem = maxelem;
+        h->netmask = netmask;
+        get_random_bytes(&h->initval, sizeof(h->initval));
+        h->timeout = IPSET_NO_TIMEOUT;
+        hbits = htable_bits(hashsize);
+        h->table = ip_set_alloc(
+                        sizeof(struct htable)
+                        + jhash_size(hbits) * sizeof(struct hbucket));
+        if (!h->table) {
+                kfree(h);
+                return -ENOMEM;
+        }
+        h->table->htable_bits = hbits;
+        set->data = h;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+                set->variant = set->family == AF_INET
+                        ? &hash_ip4_tvariant : &hash_ip6_tvariant;
+                if (set->family == AF_INET)
+                        hash_ip4_gc_init(set);
+                else
+                        hash_ip6_gc_init(set);
+        } else {
+                set->variant = set->family == AF_INET
+                        ? &hash_ip4_variant : &hash_ip6_variant;
+        }
+        pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
+                 set->name, jhash_size(h->table->htable_bits),
+                 h->table->htable_bits, h->maxelem, set->data, h->table);
+        return 0;
+}
+static struct ip_set_type hash_ip_type __read_mostly = {
+        .name           = "hash:ip",
+        .protocol       = IPSET_PROTOCOL,
+        .features       = IPSET_TYPE_IP,
+        .dimension      = IPSET_DIM_ONE,
+        .family         = AF_UNSPEC,
+        .revision       = 0,
+        .create         = hash_ip_create,
+        .create_policy  = {
+                [IPSET_ATTR_HASHSIZE]   = { .type = NLA_U32 },
+                [IPSET_ATTR_MAXELEM]    = { .type = NLA_U32 },
+                [IPSET_ATTR_PROBES]     = { .type = NLA_U8 },
+                [IPSET_ATTR_RESIZE]     = { .type = NLA_U8  },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+                [IPSET_ATTR_NETMASK]    = { .type = NLA_U8  },
+        },
+        .adt_policy     = {
+                [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
+                [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
+                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+                [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
+        },
+        .me             = THIS_MODULE,
+};
+static int __init
+hash_ip_init(void)
+{
+        return ip_set_type_register(&hash_ip_type);
+}
+static void __exit
+hash_ip_fini(void)
+{
+        ip_set_type_unregister(&hash_ip_type);
+}
+module_init(hash_ip_init);
+module_exit(hash_ip_fini);
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
new file mode 100644
index 000000000000..14281b6b8074
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -0,0 +1,530 @@
+/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Kernel module implementing an IP set type: the hash:ip,port type */
+#include <linux/jhash.h>
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/errno.h>
+#include <linux/random.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/netlink.h>
+#include <net/tcp.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/ipset/pfxlen.h>
+#include <linux/netfilter/ipset/ip_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
+#include <linux/netfilter/ipset/ip_set_getport.h>
+#include <linux/netfilter/ipset/ip_set_hash.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("hash:ip,port type of IP sets");
+MODULE_ALIAS("ip_set_hash:ip,port");
+/* Type specific function prefix */
+#define TYPE            hash_ipport
+static bool
+hash_ipport_same_set(const struct ip_set *a, const struct ip_set *b);
+#define hash_ipport4_same_set   hash_ipport_same_set
+#define hash_ipport6_same_set   hash_ipport_same_set
+/* The type variant functions: IPv4 */
+/* Member elements without timeout */
+struct hash_ipport4_elem {
+        __be32 ip;
+        __be16 port;
+        u8 proto;
+        u8 padding;
+};
+/* Member elements with timeout support */
+struct hash_ipport4_telem {
+        __be32 ip;
+        __be16 port;
+        u8 proto;
+        u8 padding;
+        unsigned long timeout;
+};
+static inline bool
+hash_ipport4_data_equal(const struct hash_ipport4_elem *ip1,
+                        const struct hash_ipport4_elem *ip2)
+{
+        return ip1->ip == ip2->ip &&
+               ip1->port == ip2->port &&
+               ip1->proto == ip2->proto;
+}
+static inline bool
+hash_ipport4_data_isnull(const struct hash_ipport4_elem *elem)
+{
+        return elem->proto == 0;
+}
+static inline void
+hash_ipport4_data_copy(struct hash_ipport4_elem *dst,
+                       const struct hash_ipport4_elem *src)
+{
+        dst->ip = src->ip;
+        dst->port = src->port;
+        dst->proto = src->proto;
+}
+static inline void
+hash_ipport4_data_zero_out(struct hash_ipport4_elem *elem)
+{
+        elem->proto = 0;
+}
+static bool
+hash_ipport4_data_list(struct sk_buff *skb,
+                       const struct hash_ipport4_elem *data)
+{
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        return 0;
+nla_put_failure:
+        return 1;
+}
+static bool
+hash_ipport4_data_tlist(struct sk_buff *skb,
+                        const struct hash_ipport4_elem *data)
+{
+        const struct hash_ipport4_telem *tdata =
+                (const struct hash_ipport4_telem *)data;
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                      htonl(ip_set_timeout_get(tdata->timeout)));
+        return 0;
+nla_put_failure:
+        return 1;
+}
+#define PF              4
+#define HOST_MASK       32
+#include <linux/netfilter/ipset/ip_set_ahash.h>
+static int
+hash_ipport4_kadt(struct ip_set *set, const struct sk_buff *skb,
+                  enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_ipport4_elem data = { };
+        if (!ip_set_get_ip4_port(skb, flags & IPSET_DIM_TWO_SRC,
+                                 &data.port, &data.proto))
+                return -EINVAL;
+        ip4addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip);
+        return adtfn(set, &data, h->timeout);
+}
+static int
+hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
+                  enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_ipport4_elem data = { };
+        u32 ip, ip_to, p, port, port_to;
+        u32 timeout = h->timeout;
+        bool with_ports = false;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &data.ip);
+        if (ret)
+                return ret;
+        if (tb[IPSET_ATTR_PORT])
+                data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
+        else
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_PROTO]) {
+                data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
+                with_ports = ip_set_proto_with_ports(data.proto);
+                if (data.proto == 0)
+                        return -IPSET_ERR_INVALID_PROTO;
+        } else
+                return -IPSET_ERR_MISSING_PROTO;
+        if (!(with_ports || data.proto == IPPROTO_ICMP))
+                data.port = 0;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(h->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        if (adt == IPSET_TEST ||
+            !(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_CIDR] ||
+              tb[IPSET_ATTR_PORT_TO])) {
+                ret = adtfn(set, &data, timeout);
+                return ip_set_eexist(ret, flags) ? 0 : ret;
+        }
+        ip = ntohl(data.ip);
+        if (tb[IPSET_ATTR_IP_TO]) {
+                ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
+                if (ret)
+                        return ret;
+                if (ip > ip_to)
+                        swap(ip, ip_to);
+        } else if (tb[IPSET_ATTR_CIDR]) {
+                u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+                if (cidr > 32)
+                        return -IPSET_ERR_INVALID_CIDR;
+                ip &= ip_set_hostmask(cidr);
+                ip_to = ip | ~ip_set_hostmask(cidr);
+        } else
+                ip_to = ip;
+        port_to = port = ntohs(data.port);
+        if (with_ports && tb[IPSET_ATTR_PORT_TO]) {
+                port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
+                if (port > port_to)
+                        swap(port, port_to);
+        }
+        for (; !before(ip_to, ip); ip++)
+                for (p = port; p <= port_to; p++) {
+                        data.ip = htonl(ip);
+                        data.port = htons(p);
+                        ret = adtfn(set, &data, timeout);
+                        if (ret && !ip_set_eexist(ret, flags))
+                                return ret;
+                        else
+                                ret = 0;
+                }
+        return ret;
+}
+static bool
+hash_ipport_same_set(const struct ip_set *a, const struct ip_set *b)
+{
+        const struct ip_set_hash *x = a->data;
+        const struct ip_set_hash *y = b->data;
+        /* Resizing changes htable_bits, so we ignore it */
+        return x->maxelem == y->maxelem &&
+               x->timeout == y->timeout;
+}
+/* The type variant functions: IPv6 */
+struct hash_ipport6_elem {
+        union nf_inet_addr ip;
+        __be16 port;
+        u8 proto;
+        u8 padding;
+};
+struct hash_ipport6_telem {
+        union nf_inet_addr ip;
+        __be16 port;
+        u8 proto;
+        u8 padding;
+        unsigned long timeout;
+};
+static inline bool
+hash_ipport6_data_equal(const struct hash_ipport6_elem *ip1,
+                        const struct hash_ipport6_elem *ip2)
+{
+        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
+               ip1->port == ip2->port &&
+               ip1->proto == ip2->proto;
+}
+static inline bool
+hash_ipport6_data_isnull(const struct hash_ipport6_elem *elem)
+{
+        return elem->proto == 0;
+}
+static inline void
+hash_ipport6_data_copy(struct hash_ipport6_elem *dst,
+                       const struct hash_ipport6_elem *src)
+{
+        memcpy(dst, src, sizeof(*dst));
+}
+static inline void
+hash_ipport6_data_zero_out(struct hash_ipport6_elem *elem)
+{
+        elem->proto = 0;
+}
+static bool
+hash_ipport6_data_list(struct sk_buff *skb,
+                       const struct hash_ipport6_elem *data)
+{
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        return 0;
+nla_put_failure:
+        return 1;
+}
+static bool
+hash_ipport6_data_tlist(struct sk_buff *skb,
+                        const struct hash_ipport6_elem *data)
+{
+        const struct hash_ipport6_telem *e =
+                (const struct hash_ipport6_telem *)data;
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                      htonl(ip_set_timeout_get(e->timeout)));
+        return 0;
+nla_put_failure:
+        return 1;
+}
+#undef PF
+#undef HOST_MASK
+#define PF              6
+#define HOST_MASK       128
+#include <linux/netfilter/ipset/ip_set_ahash.h>
+static int
+hash_ipport6_kadt(struct ip_set *set, const struct sk_buff *skb,
+                  enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_ipport6_elem data = { };
+        if (!ip_set_get_ip6_port(skb, flags & IPSET_DIM_TWO_SRC,
+                                 &data.port, &data.proto))
+                return -EINVAL;
+        ip6addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
+        return adtfn(set, &data, h->timeout);
+}
+static int
+hash_ipport6_uadt(struct ip_set *set, struct nlattr *tb[],
+                  enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_ipport6_elem data = { };
+        u32 port, port_to;
+        u32 timeout = h->timeout;
+        bool with_ports = false;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
+                     tb[IPSET_ATTR_IP_TO] ||
+                     tb[IPSET_ATTR_CIDR]))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
+        if (ret)
+                return ret;
+        if (tb[IPSET_ATTR_PORT])
+                data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
+        else
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_PROTO]) {
+                data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
+                with_ports = ip_set_proto_with_ports(data.proto);
+                if (data.proto == 0)
+                        return -IPSET_ERR_INVALID_PROTO;
+        } else
+                return -IPSET_ERR_MISSING_PROTO;
+        if (!(with_ports || data.proto == IPPROTO_ICMPV6))
+                data.port = 0;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(h->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
+                ret = adtfn(set, &data, timeout);
+                return ip_set_eexist(ret, flags) ? 0 : ret;
+        }
+        port = ntohs(data.port);
+        port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
+        if (port > port_to)
+                swap(port, port_to);
+        for (; port <= port_to; port++) {
+                data.port = htons(port);
+                ret = adtfn(set, &data, timeout);
+                if (ret && !ip_set_eexist(ret, flags))
+                        return ret;
+                else
+                        ret = 0;
+        }
+        return ret;
+}
+/* Create hash:ip type of sets */
+static int
+hash_ipport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
+{
+        struct ip_set_hash *h;
+        u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
+        u8 hbits;
+        if (!(set->family == AF_INET || set->family == AF_INET6))
+                return -IPSET_ERR_INVALID_FAMILY;
+        if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_HASHSIZE]) {
+                hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
+                if (hashsize < IPSET_MIMINAL_HASHSIZE)
+                        hashsize = IPSET_MIMINAL_HASHSIZE;
+        }
+        if (tb[IPSET_ATTR_MAXELEM])
+                maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
+        h = kzalloc(sizeof(*h), GFP_KERNEL);
+        if (!h)
+                return -ENOMEM;
+        h->maxelem = maxelem;
+        get_random_bytes(&h->initval, sizeof(h->initval));
+        h->timeout = IPSET_NO_TIMEOUT;
+        hbits = htable_bits(hashsize);
+        h->table = ip_set_alloc(
+                        sizeof(struct htable)
+                        + jhash_size(hbits) * sizeof(struct hbucket));
+        if (!h->table) {
+                kfree(h);
+                return -ENOMEM;
+        }
+        h->table->htable_bits = hbits;
+        set->data = h;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+                set->variant = set->family == AF_INET
+                        ? &hash_ipport4_tvariant : &hash_ipport6_tvariant;
+                if (set->family == AF_INET)
+                        hash_ipport4_gc_init(set);
+                else
+                        hash_ipport6_gc_init(set);
+        } else {
+                set->variant = set->family == AF_INET
+                        ? &hash_ipport4_variant : &hash_ipport6_variant;
+        }
+        pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
+                 set->name, jhash_size(h->table->htable_bits),
+                 h->table->htable_bits, h->maxelem, set->data, h->table);
+        return 0;
+}
+static struct ip_set_type hash_ipport_type __read_mostly = {
+        .name           = "hash:ip,port",
+        .protocol       = IPSET_PROTOCOL,
+        .features       = IPSET_TYPE_IP | IPSET_TYPE_PORT,
+        .dimension      = IPSET_DIM_TWO,
+        .family         = AF_UNSPEC,
+        .revision       = 1,
+        .create         = hash_ipport_create,
+        .create_policy  = {
+                [IPSET_ATTR_HASHSIZE]   = { .type = NLA_U32 },
+                [IPSET_ATTR_MAXELEM]    = { .type = NLA_U32 },
+                [IPSET_ATTR_PROBES]     = { .type = NLA_U8 },
+                [IPSET_ATTR_RESIZE]     = { .type = NLA_U8  },
+                [IPSET_ATTR_PROTO]      = { .type = NLA_U8 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+        },
+        .adt_policy     = {
+                [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
+                [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
+                [IPSET_ATTR_PORT]       = { .type = NLA_U16 },
+                [IPSET_ATTR_PORT_TO]    = { .type = NLA_U16 },
+                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
+                [IPSET_ATTR_PROTO]      = { .type = NLA_U8 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+                [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
+        },
+        .me             = THIS_MODULE,
+};
+static int __init
+hash_ipport_init(void)
+{
+        return ip_set_type_register(&hash_ipport_type);
+}
+static void __exit
+hash_ipport_fini(void)
+{
+        ip_set_type_unregister(&hash_ipport_type);
+}
+module_init(hash_ipport_init);
+module_exit(hash_ipport_fini);
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
new file mode 100644
index 000000000000..401c8a2531db
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -0,0 +1,548 @@
+/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Kernel module implementing an IP set type: the hash:ip,port,ip type */
+#include <linux/jhash.h>
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/errno.h>
+#include <linux/random.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/netlink.h>
+#include <net/tcp.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/ipset/pfxlen.h>
+#include <linux/netfilter/ipset/ip_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
+#include <linux/netfilter/ipset/ip_set_getport.h>
+#include <linux/netfilter/ipset/ip_set_hash.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("hash:ip,port,ip type of IP sets");
+MODULE_ALIAS("ip_set_hash:ip,port,ip");
+/* Type specific function prefix */
+#define TYPE            hash_ipportip
+static bool
+hash_ipportip_same_set(const struct ip_set *a, const struct ip_set *b);
+#define hash_ipportip4_same_set hash_ipportip_same_set
+#define hash_ipportip6_same_set hash_ipportip_same_set
+/* The type variant functions: IPv4 */
+/* Member elements without timeout */
+struct hash_ipportip4_elem {
+        __be32 ip;
+        __be32 ip2;
+        __be16 port;
+        u8 proto;
+        u8 padding;
+};
+/* Member elements with timeout support */
+struct hash_ipportip4_telem {
+        __be32 ip;
+        __be32 ip2;
+        __be16 port;
+        u8 proto;
+        u8 padding;
+        unsigned long timeout;
+};
+static inline bool
+hash_ipportip4_data_equal(const struct hash_ipportip4_elem *ip1,
+                          const struct hash_ipportip4_elem *ip2)
+{
+        return ip1->ip == ip2->ip &&
+               ip1->ip2 == ip2->ip2 &&
+               ip1->port == ip2->port &&
+               ip1->proto == ip2->proto;
+}
+static inline bool
+hash_ipportip4_data_isnull(const struct hash_ipportip4_elem *elem)
+{
+        return elem->proto == 0;
+}
+static inline void
+hash_ipportip4_data_copy(struct hash_ipportip4_elem *dst,
+                         const struct hash_ipportip4_elem *src)
+{
+        memcpy(dst, src, sizeof(*dst));
+}
+static inline void
+hash_ipportip4_data_zero_out(struct hash_ipportip4_elem *elem)
+{
+        elem->proto = 0;
+}
+static bool
+hash_ipportip4_data_list(struct sk_buff *skb,
+                       const struct hash_ipportip4_elem *data)
+{
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, data->ip2);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        return 0;
+nla_put_failure:
+        return 1;
+}
+static bool
+hash_ipportip4_data_tlist(struct sk_buff *skb,
+                        const struct hash_ipportip4_elem *data)
+{
+        const struct hash_ipportip4_telem *tdata =
+                (const struct hash_ipportip4_telem *)data;
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, tdata->ip2);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                      htonl(ip_set_timeout_get(tdata->timeout)));
+        return 0;
+nla_put_failure:
+        return 1;
+}
+#define PF              4
+#define HOST_MASK       32
+#include <linux/netfilter/ipset/ip_set_ahash.h>
+static int
+hash_ipportip4_kadt(struct ip_set *set, const struct sk_buff *skb,
+                    enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_ipportip4_elem data = { };
+        if (!ip_set_get_ip4_port(skb, flags & IPSET_DIM_TWO_SRC,
+                                 &data.port, &data.proto))
+                return -EINVAL;
+        ip4addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip);
+        ip4addrptr(skb, flags & IPSET_DIM_THREE_SRC, &data.ip2);
+        return adtfn(set, &data, h->timeout);
+}
+static int
+hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
+                    enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_ipportip4_elem data = { };
+        u32 ip, ip_to, p, port, port_to;
+        u32 timeout = h->timeout;
+        bool with_ports = false;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
+                     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &data.ip);
+        if (ret)
+                return ret;
+        ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP2], &data.ip2);
+        if (ret)
+                return ret;
+        if (tb[IPSET_ATTR_PORT])
+                data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
+        else
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_PROTO]) {
+                data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
+                with_ports = ip_set_proto_with_ports(data.proto);
+                if (data.proto == 0)
+                        return -IPSET_ERR_INVALID_PROTO;
+        } else
+                return -IPSET_ERR_MISSING_PROTO;
+        if (!(with_ports || data.proto == IPPROTO_ICMP))
+                data.port = 0;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(h->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        if (adt == IPSET_TEST ||
+            !(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_CIDR] ||
+              tb[IPSET_ATTR_PORT_TO])) {
+                ret = adtfn(set, &data, timeout);
+                return ip_set_eexist(ret, flags) ? 0 : ret;
+        }
+        ip = ntohl(data.ip);
+        if (tb[IPSET_ATTR_IP_TO]) {
+                ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
+                if (ret)
+                        return ret;
+                if (ip > ip_to)
+                        swap(ip, ip_to);
+        } else if (tb[IPSET_ATTR_CIDR]) {
+                u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+                if (cidr > 32)
+                        return -IPSET_ERR_INVALID_CIDR;
+                ip &= ip_set_hostmask(cidr);
+                ip_to = ip | ~ip_set_hostmask(cidr);
+        } else
+                ip_to = ip;
+        port_to = port = ntohs(data.port);
+        if (with_ports && tb[IPSET_ATTR_PORT_TO]) {
+                port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
+                if (port > port_to)
+                        swap(port, port_to);
+        }
+        for (; !before(ip_to, ip); ip++)
+                for (p = port; p <= port_to; p++) {
+                        data.ip = htonl(ip);
+                        data.port = htons(p);
+                        ret = adtfn(set, &data, timeout);
+                        if (ret && !ip_set_eexist(ret, flags))
+                                return ret;
+                        else
+                                ret = 0;
+                }
+        return ret;
+}
+static bool
+hash_ipportip_same_set(const struct ip_set *a, const struct ip_set *b)
+{
+        const struct ip_set_hash *x = a->data;
+        const struct ip_set_hash *y = b->data;
+        /* Resizing changes htable_bits, so we ignore it */
+        return x->maxelem == y->maxelem &&
+               x->timeout == y->timeout;
+}
+/* The type variant functions: IPv6 */
+struct hash_ipportip6_elem {
+        union nf_inet_addr ip;
+        union nf_inet_addr ip2;
+        __be16 port;
+        u8 proto;
+        u8 padding;
+};
+struct hash_ipportip6_telem {
+        union nf_inet_addr ip;
+        union nf_inet_addr ip2;
+        __be16 port;
+        u8 proto;
+        u8 padding;
+        unsigned long timeout;
+};
+static inline bool
+hash_ipportip6_data_equal(const struct hash_ipportip6_elem *ip1,
+                          const struct hash_ipportip6_elem *ip2)
+{
+        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
+               ipv6_addr_cmp(&ip1->ip2.in6, &ip2->ip2.in6) == 0 &&
+               ip1->port == ip2->port &&
+               ip1->proto == ip2->proto;
+}
+static inline bool
+hash_ipportip6_data_isnull(const struct hash_ipportip6_elem *elem)
+{
+        return elem->proto == 0;
+}
+static inline void
+hash_ipportip6_data_copy(struct hash_ipportip6_elem *dst,
+                         const struct hash_ipportip6_elem *src)
+{
+        memcpy(dst, src, sizeof(*dst));
+}
+static inline void
+hash_ipportip6_data_zero_out(struct hash_ipportip6_elem *elem)
+{
+        elem->proto = 0;
+}
+static bool
+hash_ipportip6_data_list(struct sk_buff *skb,
+                         const struct hash_ipportip6_elem *data)
+{
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        return 0;
+nla_put_failure:
+        return 1;
+}
+static bool
+hash_ipportip6_data_tlist(struct sk_buff *skb,
+                          const struct hash_ipportip6_elem *data)
+{
+        const struct hash_ipportip6_telem *e =
+                (const struct hash_ipportip6_telem *)data;
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                      htonl(ip_set_timeout_get(e->timeout)));
+        return 0;
+nla_put_failure:
+        return 1;
+}
+#undef PF
+#undef HOST_MASK
+#define PF              6
+#define HOST_MASK       128
+#include <linux/netfilter/ipset/ip_set_ahash.h>
+static int
+hash_ipportip6_kadt(struct ip_set *set, const struct sk_buff *skb,
+                    enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_ipportip6_elem data = { };
+        if (!ip_set_get_ip6_port(skb, flags & IPSET_DIM_TWO_SRC,
+                                 &data.port, &data.proto))
+                return -EINVAL;
+        ip6addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
+        ip6addrptr(skb, flags & IPSET_DIM_THREE_SRC, &data.ip2.in6);
+        return adtfn(set, &data, h->timeout);
+}
+static int
+hash_ipportip6_uadt(struct ip_set *set, struct nlattr *tb[],
+                    enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_ipportip6_elem data = { };
+        u32 port, port_to;
+        u32 timeout = h->timeout;
+        bool with_ports = false;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
+                     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
+                     tb[IPSET_ATTR_IP_TO] ||
+                     tb[IPSET_ATTR_CIDR]))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
+        if (ret)
+                return ret;
+        ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &data.ip2);
+        if (ret)
+                return ret;
+        if (tb[IPSET_ATTR_PORT])
+                data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
+        else
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_PROTO]) {
+                data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
+                with_ports = ip_set_proto_with_ports(data.proto);
+                if (data.proto == 0)
+                        return -IPSET_ERR_INVALID_PROTO;
+        } else
+                return -IPSET_ERR_MISSING_PROTO;
+        if (!(with_ports || data.proto == IPPROTO_ICMPV6))
+                data.port = 0;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(h->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
+                ret = adtfn(set, &data, timeout);
+                return ip_set_eexist(ret, flags) ? 0 : ret;
+        }
+        port = ntohs(data.port);
+        port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
+        if (port > port_to)
+                swap(port, port_to);
+        for (; port <= port_to; port++) {
+                data.port = htons(port);
+                ret = adtfn(set, &data, timeout);
+                if (ret && !ip_set_eexist(ret, flags))
+                        return ret;
+                else
+                        ret = 0;
+        }
+        return ret;
+}
+/* Create hash:ip type of sets */
+static int
+hash_ipportip_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
+{
+        struct ip_set_hash *h;
+        u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
+        u8 hbits;
+        if (!(set->family == AF_INET || set->family == AF_INET6))
+                return -IPSET_ERR_INVALID_FAMILY;
+        if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_HASHSIZE]) {
+                hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
+                if (hashsize < IPSET_MIMINAL_HASHSIZE)
+                        hashsize = IPSET_MIMINAL_HASHSIZE;
+        }
+        if (tb[IPSET_ATTR_MAXELEM])
+                maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
+        h = kzalloc(sizeof(*h), GFP_KERNEL);
+        if (!h)
+                return -ENOMEM;
+        h->maxelem = maxelem;
+        get_random_bytes(&h->initval, sizeof(h->initval));
+        h->timeout = IPSET_NO_TIMEOUT;
+        hbits = htable_bits(hashsize);
+        h->table = ip_set_alloc(
+                        sizeof(struct htable)
+                        + jhash_size(hbits) * sizeof(struct hbucket));
+        if (!h->table) {
+                kfree(h);
+                return -ENOMEM;
+        }
+        h->table->htable_bits = hbits;
+        set->data = h;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+                set->variant = set->family == AF_INET
+                        ? &hash_ipportip4_tvariant : &hash_ipportip6_tvariant;
+                if (set->family == AF_INET)
+                        hash_ipportip4_gc_init(set);
+                else
+                        hash_ipportip6_gc_init(set);
+        } else {
+                set->variant = set->family == AF_INET
+                        ? &hash_ipportip4_variant : &hash_ipportip6_variant;
+        }
+        pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
+                 set->name, jhash_size(h->table->htable_bits),
+                 h->table->htable_bits, h->maxelem, set->data, h->table);
+        return 0;
+}
+static struct ip_set_type hash_ipportip_type __read_mostly = {
+        .name           = "hash:ip,port,ip",
+        .protocol       = IPSET_PROTOCOL,
+        .features       = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2,
+        .dimension      = IPSET_DIM_THREE,
+        .family         = AF_UNSPEC,
+        .revision       = 1,
+        .create         = hash_ipportip_create,
+        .create_policy  = {
+                [IPSET_ATTR_HASHSIZE]   = { .type = NLA_U32 },
+                [IPSET_ATTR_MAXELEM]    = { .type = NLA_U32 },
+                [IPSET_ATTR_PROBES]     = { .type = NLA_U8 },
+                [IPSET_ATTR_RESIZE]     = { .type = NLA_U8  },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+        },
+        .adt_policy     = {
+                [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
+                [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
+                [IPSET_ATTR_IP2]        = { .type = NLA_NESTED },
+                [IPSET_ATTR_PORT]       = { .type = NLA_U16 },
+                [IPSET_ATTR_PORT_TO]    = { .type = NLA_U16 },
+                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
+                [IPSET_ATTR_PROTO]      = { .type = NLA_U8 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+                [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
+        },
+        .me             = THIS_MODULE,
+};
+static int __init
+hash_ipportip_init(void)
+{
+        return ip_set_type_register(&hash_ipportip_type);
+}
+static void __exit
+hash_ipportip_fini(void)
+{
+        ip_set_type_unregister(&hash_ipportip_type);
+}
+module_init(hash_ipportip_init);
+module_exit(hash_ipportip_fini);
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
new file mode 100644
index 000000000000..4743e5402522
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -0,0 +1,614 @@
+/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Kernel module implementing an IP set type: the hash:ip,port,net type */
+#include <linux/jhash.h>
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/errno.h>
+#include <linux/random.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/netlink.h>
+#include <net/tcp.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/ipset/pfxlen.h>
+#include <linux/netfilter/ipset/ip_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
+#include <linux/netfilter/ipset/ip_set_getport.h>
+#include <linux/netfilter/ipset/ip_set_hash.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("hash:ip,port,net type of IP sets");
+MODULE_ALIAS("ip_set_hash:ip,port,net");
+/* Type specific function prefix */
+#define TYPE            hash_ipportnet
+static bool
+hash_ipportnet_same_set(const struct ip_set *a, const struct ip_set *b);
+#define hash_ipportnet4_same_set        hash_ipportnet_same_set
+#define hash_ipportnet6_same_set        hash_ipportnet_same_set
+/* The type variant functions: IPv4 */
+/* Member elements without timeout */
+struct hash_ipportnet4_elem {
+        __be32 ip;
+        __be32 ip2;
+        __be16 port;
+        u8 cidr;
+        u8 proto;
+};
+/* Member elements with timeout support */
+struct hash_ipportnet4_telem {
+        __be32 ip;
+        __be32 ip2;
+        __be16 port;
+        u8 cidr;
+        u8 proto;
+        unsigned long timeout;
+};
+static inline bool
+hash_ipportnet4_data_equal(const struct hash_ipportnet4_elem *ip1,
+                           const struct hash_ipportnet4_elem *ip2)
+{
+        return ip1->ip == ip2->ip &&
+               ip1->ip2 == ip2->ip2 &&
+               ip1->cidr == ip2->cidr &&
+               ip1->port == ip2->port &&
+               ip1->proto == ip2->proto;
+}
+static inline bool
+hash_ipportnet4_data_isnull(const struct hash_ipportnet4_elem *elem)
+{
+        return elem->proto == 0;
+}
+static inline void
+hash_ipportnet4_data_copy(struct hash_ipportnet4_elem *dst,
+                          const struct hash_ipportnet4_elem *src)
+{
+        memcpy(dst, src, sizeof(*dst));
+}
+static inline void
+hash_ipportnet4_data_netmask(struct hash_ipportnet4_elem *elem, u8 cidr)
+{
+        elem->ip2 &= ip_set_netmask(cidr);
+        elem->cidr = cidr;
+}
+static inline void
+hash_ipportnet4_data_zero_out(struct hash_ipportnet4_elem *elem)
+{
+        elem->proto = 0;
+}
+static bool
+hash_ipportnet4_data_list(struct sk_buff *skb,
+                          const struct hash_ipportnet4_elem *data)
+{
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, data->ip2);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        return 0;
+nla_put_failure:
+        return 1;
+}
+static bool
+hash_ipportnet4_data_tlist(struct sk_buff *skb,
+                           const struct hash_ipportnet4_elem *data)
+{
+        const struct hash_ipportnet4_telem *tdata =
+                (const struct hash_ipportnet4_telem *)data;
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP2, tdata->ip2);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                      htonl(ip_set_timeout_get(tdata->timeout)));
+        return 0;
+nla_put_failure:
+        return 1;
+}
+#define IP_SET_HASH_WITH_PROTO
+#define IP_SET_HASH_WITH_NETS
+#define PF              4
+#define HOST_MASK       32
+#include <linux/netfilter/ipset/ip_set_ahash.h>
+static int
+hash_ipportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
+                     enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_ipportnet4_elem data =
+                { .cidr = h->nets[0].cidr || HOST_MASK };
+        if (data.cidr == 0)
+                return -EINVAL;
+        if (adt == IPSET_TEST)
+                data.cidr = HOST_MASK;
+        if (!ip_set_get_ip4_port(skb, flags & IPSET_DIM_TWO_SRC,
+                                 &data.port, &data.proto))
+                return -EINVAL;
+        ip4addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip);
+        ip4addrptr(skb, flags & IPSET_DIM_THREE_SRC, &data.ip2);
+        data.ip2 &= ip_set_netmask(data.cidr);
+        return adtfn(set, &data, h->timeout);
+}
+static int
+hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
+                     enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_ipportnet4_elem data = { .cidr = HOST_MASK };
+        u32 ip, ip_to, p, port, port_to;
+        u32 timeout = h->timeout;
+        bool with_ports = false;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
+                     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &data.ip);
+        if (ret)
+                return ret;
+        ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP2], &data.ip2);
+        if (ret)
+                return ret;
+        if (tb[IPSET_ATTR_CIDR2])
+                data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
+        if (!data.cidr)
+                return -IPSET_ERR_INVALID_CIDR;
+        data.ip2 &= ip_set_netmask(data.cidr);
+        if (tb[IPSET_ATTR_PORT])
+                data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
+        else
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_PROTO]) {
+                data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
+                with_ports = ip_set_proto_with_ports(data.proto);
+                if (data.proto == 0)
+                        return -IPSET_ERR_INVALID_PROTO;
+        } else
+                return -IPSET_ERR_MISSING_PROTO;
+        if (!(with_ports || data.proto == IPPROTO_ICMP))
+                data.port = 0;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(h->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        if (adt == IPSET_TEST ||
+            !(tb[IPSET_ATTR_IP_TO] || tb[IPSET_ATTR_CIDR] ||
+              tb[IPSET_ATTR_PORT_TO])) {
+                ret = adtfn(set, &data, timeout);
+                return ip_set_eexist(ret, flags) ? 0 : ret;
+        }
+        ip = ntohl(data.ip);
+        if (tb[IPSET_ATTR_IP_TO]) {
+                ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
+                if (ret)
+                        return ret;
+                if (ip > ip_to)
+                        swap(ip, ip_to);
+        } else if (tb[IPSET_ATTR_CIDR]) {
+                u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+                if (cidr > 32)
+                        return -IPSET_ERR_INVALID_CIDR;
+                ip &= ip_set_hostmask(cidr);
+                ip_to = ip | ~ip_set_hostmask(cidr);
+        } else
+                ip_to = ip;
+        port_to = port = ntohs(data.port);
+        if (with_ports && tb[IPSET_ATTR_PORT_TO]) {
+                port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
+                if (port > port_to)
+                        swap(port, port_to);
+        }
+        for (; !before(ip_to, ip); ip++)
+                for (p = port; p <= port_to; p++) {
+                        data.ip = htonl(ip);
+                        data.port = htons(p);
+                        ret = adtfn(set, &data, timeout);
+                        if (ret && !ip_set_eexist(ret, flags))
+                                return ret;
+                        else
+                                ret = 0;
+                }
+        return ret;
+}
+static bool
+hash_ipportnet_same_set(const struct ip_set *a, const struct ip_set *b)
+{
+        const struct ip_set_hash *x = a->data;
+        const struct ip_set_hash *y = b->data;
+        /* Resizing changes htable_bits, so we ignore it */
+        return x->maxelem == y->maxelem &&
+               x->timeout == y->timeout;
+}
+/* The type variant functions: IPv6 */
+struct hash_ipportnet6_elem {
+        union nf_inet_addr ip;
+        union nf_inet_addr ip2;
+        __be16 port;
+        u8 cidr;
+        u8 proto;
+};
+struct hash_ipportnet6_telem {
+        union nf_inet_addr ip;
+        union nf_inet_addr ip2;
+        __be16 port;
+        u8 cidr;
+        u8 proto;
+        unsigned long timeout;
+};
+static inline bool
+hash_ipportnet6_data_equal(const struct hash_ipportnet6_elem *ip1,
+                           const struct hash_ipportnet6_elem *ip2)
+{
+        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
+               ipv6_addr_cmp(&ip1->ip2.in6, &ip2->ip2.in6) == 0 &&
+               ip1->cidr == ip2->cidr &&
+               ip1->port == ip2->port &&
+               ip1->proto == ip2->proto;
+}
+static inline bool
+hash_ipportnet6_data_isnull(const struct hash_ipportnet6_elem *elem)
+{
+        return elem->proto == 0;
+}
+static inline void
+hash_ipportnet6_data_copy(struct hash_ipportnet6_elem *dst,
+                          const struct hash_ipportnet6_elem *src)
+{
+        memcpy(dst, src, sizeof(*dst));
+}
+static inline void
+hash_ipportnet6_data_zero_out(struct hash_ipportnet6_elem *elem)
+{
+        elem->proto = 0;
+}
+static inline void
+ip6_netmask(union nf_inet_addr *ip, u8 prefix)
+{
+        ip->ip6[0] &= ip_set_netmask6(prefix)[0];
+        ip->ip6[1] &= ip_set_netmask6(prefix)[1];
+        ip->ip6[2] &= ip_set_netmask6(prefix)[2];
+        ip->ip6[3] &= ip_set_netmask6(prefix)[3];
+}
+static inline void
+hash_ipportnet6_data_netmask(struct hash_ipportnet6_elem *elem, u8 cidr)
+{
+        ip6_netmask(&elem->ip2, cidr);
+        elem->cidr = cidr;
+}
+static bool
+hash_ipportnet6_data_list(struct sk_buff *skb,
+                          const struct hash_ipportnet6_elem *data)
+{
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        return 0;
+nla_put_failure:
+        return 1;
+}
+static bool
+hash_ipportnet6_data_tlist(struct sk_buff *skb,
+                           const struct hash_ipportnet6_elem *data)
+{
+        const struct hash_ipportnet6_telem *e =
+                (const struct hash_ipportnet6_telem *)data;
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP2, &data->ip2);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_CIDR2, data->cidr);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                      htonl(ip_set_timeout_get(e->timeout)));
+        return 0;
+nla_put_failure:
+        return 1;
+}
+#undef PF
+#undef HOST_MASK
+#define PF              6
+#define HOST_MASK       128
+#include <linux/netfilter/ipset/ip_set_ahash.h>
+static int
+hash_ipportnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
+                     enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_ipportnet6_elem data =
+                { .cidr = h->nets[0].cidr || HOST_MASK };
+        if (data.cidr == 0)
+                return -EINVAL;
+        if (adt == IPSET_TEST)
+                data.cidr = HOST_MASK;
+        if (!ip_set_get_ip6_port(skb, flags & IPSET_DIM_TWO_SRC,
+                                 &data.port, &data.proto))
+                return -EINVAL;
+        ip6addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
+        ip6addrptr(skb, flags & IPSET_DIM_THREE_SRC, &data.ip2.in6);
+        ip6_netmask(&data.ip2, data.cidr);
+        return adtfn(set, &data, h->timeout);
+}
+static int
+hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
+                     enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_ipportnet6_elem data = { .cidr = HOST_MASK };
+        u32 port, port_to;
+        u32 timeout = h->timeout;
+        bool with_ports = false;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] || !tb[IPSET_ATTR_IP2] ||
+                     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
+                     tb[IPSET_ATTR_IP_TO] ||
+                     tb[IPSET_ATTR_CIDR]))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
+        if (ret)
+                return ret;
+        ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &data.ip2);
+        if (ret)
+                return ret;
+        if (tb[IPSET_ATTR_CIDR2])
+                data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR2]);
+        if (!data.cidr)
+                return -IPSET_ERR_INVALID_CIDR;
+        ip6_netmask(&data.ip2, data.cidr);
+        if (tb[IPSET_ATTR_PORT])
+                data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
+        else
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_PROTO]) {
+                data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
+                with_ports = ip_set_proto_with_ports(data.proto);
+                if (data.proto == 0)
+                        return -IPSET_ERR_INVALID_PROTO;
+        } else
+                return -IPSET_ERR_MISSING_PROTO;
+        if (!(with_ports || data.proto == IPPROTO_ICMPV6))
+                data.port = 0;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(h->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
+                ret = adtfn(set, &data, timeout);
+                return ip_set_eexist(ret, flags) ? 0 : ret;
+        }
+        port = ntohs(data.port);
+        port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
+        if (port > port_to)
+                swap(port, port_to);
+        for (; port <= port_to; port++) {
+                data.port = htons(port);
+                ret = adtfn(set, &data, timeout);
+                if (ret && !ip_set_eexist(ret, flags))
+                        return ret;
+                else
+                        ret = 0;
+        }
+        return ret;
+}
+/* Create hash:ip type of sets */
+static int
+hash_ipportnet_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
+{
+        struct ip_set_hash *h;
+        u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
+        u8 hbits;
+        if (!(set->family == AF_INET || set->family == AF_INET6))
+                return -IPSET_ERR_INVALID_FAMILY;
+        if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_HASHSIZE]) {
+                hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
+                if (hashsize < IPSET_MIMINAL_HASHSIZE)
+                        hashsize = IPSET_MIMINAL_HASHSIZE;
+        }
+        if (tb[IPSET_ATTR_MAXELEM])
+                maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
+        h = kzalloc(sizeof(*h)
+                    + sizeof(struct ip_set_hash_nets)
+                      * (set->family == AF_INET ? 32 : 128), GFP_KERNEL);
+        if (!h)
+                return -ENOMEM;
+        h->maxelem = maxelem;
+        get_random_bytes(&h->initval, sizeof(h->initval));
+        h->timeout = IPSET_NO_TIMEOUT;
+        hbits = htable_bits(hashsize);
+        h->table = ip_set_alloc(
+                        sizeof(struct htable)
+                        + jhash_size(hbits) * sizeof(struct hbucket));
+        if (!h->table) {
+                kfree(h);
+                return -ENOMEM;
+        }
+        h->table->htable_bits = hbits;
+        set->data = h;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+                set->variant = set->family == AF_INET
+                        ? &hash_ipportnet4_tvariant
+                        : &hash_ipportnet6_tvariant;
+                if (set->family == AF_INET)
+                        hash_ipportnet4_gc_init(set);
+                else
+                        hash_ipportnet6_gc_init(set);
+        } else {
+                set->variant = set->family == AF_INET
+                        ? &hash_ipportnet4_variant : &hash_ipportnet6_variant;
+        }
+        pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
+                 set->name, jhash_size(h->table->htable_bits),
+                 h->table->htable_bits, h->maxelem, set->data, h->table);
+        return 0;
+}
+static struct ip_set_type hash_ipportnet_type __read_mostly = {
+        .name           = "hash:ip,port,net",
+        .protocol       = IPSET_PROTOCOL,
+        .features       = IPSET_TYPE_IP | IPSET_TYPE_PORT | IPSET_TYPE_IP2,
+        .dimension      = IPSET_DIM_THREE,
+        .family         = AF_UNSPEC,
+        .revision       = 1,
+        .create         = hash_ipportnet_create,
+        .create_policy  = {
+                [IPSET_ATTR_HASHSIZE]   = { .type = NLA_U32 },
+                [IPSET_ATTR_MAXELEM]    = { .type = NLA_U32 },
+                [IPSET_ATTR_PROBES]     = { .type = NLA_U8 },
+                [IPSET_ATTR_RESIZE]     = { .type = NLA_U8  },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+        },
+        .adt_policy     = {
+                [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
+                [IPSET_ATTR_IP_TO]      = { .type = NLA_NESTED },
+                [IPSET_ATTR_IP2]        = { .type = NLA_NESTED },
+                [IPSET_ATTR_PORT]       = { .type = NLA_U16 },
+                [IPSET_ATTR_PORT_TO]    = { .type = NLA_U16 },
+                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
+                [IPSET_ATTR_CIDR2]      = { .type = NLA_U8 },
+                [IPSET_ATTR_PROTO]      = { .type = NLA_U8 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+                [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
+        },
+        .me             = THIS_MODULE,
+};
+static int __init
+hash_ipportnet_init(void)
+{
+        return ip_set_type_register(&hash_ipportnet_type);
+}
+static void __exit
+hash_ipportnet_fini(void)
+{
+        ip_set_type_unregister(&hash_ipportnet_type);
+}
+module_init(hash_ipportnet_init);
+module_exit(hash_ipportnet_fini);
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
new file mode 100644
index 000000000000..c4db202b7da4
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -0,0 +1,458 @@
+/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Kernel module implementing an IP set type: the hash:net type */
+#include <linux/jhash.h>
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/errno.h>
+#include <linux/random.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/ipset/pfxlen.h>
+#include <linux/netfilter/ipset/ip_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
+#include <linux/netfilter/ipset/ip_set_hash.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("hash:net type of IP sets");
+MODULE_ALIAS("ip_set_hash:net");
+/* Type specific function prefix */
+#define TYPE            hash_net
+static bool
+hash_net_same_set(const struct ip_set *a, const struct ip_set *b);
+#define hash_net4_same_set      hash_net_same_set
+#define hash_net6_same_set      hash_net_same_set
+/* The type variant functions: IPv4 */
+/* Member elements without timeout */
+struct hash_net4_elem {
+        __be32 ip;
+        u16 padding0;
+        u8 padding1;
+        u8 cidr;
+};
+/* Member elements with timeout support */
+struct hash_net4_telem {
+        __be32 ip;
+        u16 padding0;
+        u8 padding1;
+        u8 cidr;
+        unsigned long timeout;
+};
+static inline bool
+hash_net4_data_equal(const struct hash_net4_elem *ip1,
+                    const struct hash_net4_elem *ip2)
+{
+        return ip1->ip == ip2->ip && ip1->cidr == ip2->cidr;
+}
+static inline bool
+hash_net4_data_isnull(const struct hash_net4_elem *elem)
+{
+        return elem->cidr == 0;
+}
+static inline void
+hash_net4_data_copy(struct hash_net4_elem *dst,
+                    const struct hash_net4_elem *src)
+{
+        dst->ip = src->ip;
+        dst->cidr = src->cidr;
+}
+static inline void
+hash_net4_data_netmask(struct hash_net4_elem *elem, u8 cidr)
+{
+        elem->ip &= ip_set_netmask(cidr);
+        elem->cidr = cidr;
+}
+/* Zero CIDR values cannot be stored */
+static inline void
+hash_net4_data_zero_out(struct hash_net4_elem *elem)
+{
+        elem->cidr = 0;
+}
+static bool
+hash_net4_data_list(struct sk_buff *skb, const struct hash_net4_elem *data)
+{
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+        NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
+        return 0;
+nla_put_failure:
+        return 1;
+}
+static bool
+hash_net4_data_tlist(struct sk_buff *skb, const struct hash_net4_elem *data)
+{
+        const struct hash_net4_telem *tdata =
+                (const struct hash_net4_telem *)data;
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
+        NLA_PUT_U8(skb, IPSET_ATTR_CIDR, tdata->cidr);
+        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                      htonl(ip_set_timeout_get(tdata->timeout)));
+        return 0;
+nla_put_failure:
+        return 1;
+}
+#define IP_SET_HASH_WITH_NETS
+#define PF              4
+#define HOST_MASK       32
+#include <linux/netfilter/ipset/ip_set_ahash.h>
+static int
+hash_net4_kadt(struct ip_set *set, const struct sk_buff *skb,
+               enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_net4_elem data = { .cidr = h->nets[0].cidr || HOST_MASK };
+        if (data.cidr == 0)
+                return -EINVAL;
+        if (adt == IPSET_TEST)
+                data.cidr = HOST_MASK;
+        ip4addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip);
+        data.ip &= ip_set_netmask(data.cidr);
+        return adtfn(set, &data, h->timeout);
+}
+static int
+hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
+               enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_net4_elem data = { .cidr = HOST_MASK };
+        u32 timeout = h->timeout;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &data.ip);
+        if (ret)
+                return ret;
+        if (tb[IPSET_ATTR_CIDR])
+                data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+        if (!data.cidr)
+                return -IPSET_ERR_INVALID_CIDR;
+        data.ip &= ip_set_netmask(data.cidr);
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(h->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        ret = adtfn(set, &data, timeout);
+        return ip_set_eexist(ret, flags) ? 0 : ret;
+}
+static bool
+hash_net_same_set(const struct ip_set *a, const struct ip_set *b)
+{
+        const struct ip_set_hash *x = a->data;
+        const struct ip_set_hash *y = b->data;
+        /* Resizing changes htable_bits, so we ignore it */
+        return x->maxelem == y->maxelem &&
+               x->timeout == y->timeout;
+}
+/* The type variant functions: IPv6 */
+struct hash_net6_elem {
+        union nf_inet_addr ip;
+        u16 padding0;
+        u8 padding1;
+        u8 cidr;
+};
+struct hash_net6_telem {
+        union nf_inet_addr ip;
+        u16 padding0;
+        u8 padding1;
+        u8 cidr;
+        unsigned long timeout;
+};
+static inline bool
+hash_net6_data_equal(const struct hash_net6_elem *ip1,
+                     const struct hash_net6_elem *ip2)
+{
+        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
+               ip1->cidr == ip2->cidr;
+}
+static inline bool
+hash_net6_data_isnull(const struct hash_net6_elem *elem)
+{
+        return elem->cidr == 0;
+}
+static inline void
+hash_net6_data_copy(struct hash_net6_elem *dst,
+                    const struct hash_net6_elem *src)
+{
+        ipv6_addr_copy(&dst->ip.in6, &src->ip.in6);
+        dst->cidr = src->cidr;
+}
+static inline void
+hash_net6_data_zero_out(struct hash_net6_elem *elem)
+{
+        elem->cidr = 0;
+}
+static inline void
+ip6_netmask(union nf_inet_addr *ip, u8 prefix)
+{
+        ip->ip6[0] &= ip_set_netmask6(prefix)[0];
+        ip->ip6[1] &= ip_set_netmask6(prefix)[1];
+        ip->ip6[2] &= ip_set_netmask6(prefix)[2];
+        ip->ip6[3] &= ip_set_netmask6(prefix)[3];
+}
+static inline void
+hash_net6_data_netmask(struct hash_net6_elem *elem, u8 cidr)
+{
+        ip6_netmask(&elem->ip, cidr);
+        elem->cidr = cidr;
+}
+static bool
+hash_net6_data_list(struct sk_buff *skb, const struct hash_net6_elem *data)
+{
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
+        NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
+        return 0;
+nla_put_failure:
+        return 1;
+}
+static bool
+hash_net6_data_tlist(struct sk_buff *skb, const struct hash_net6_elem *data)
+{
+        const struct hash_net6_telem *e =
+                (const struct hash_net6_telem *)data;
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
+        NLA_PUT_U8(skb, IPSET_ATTR_CIDR, e->cidr);
+        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                      htonl(ip_set_timeout_get(e->timeout)));
+        return 0;
+nla_put_failure:
+        return 1;
+}
+#undef PF
+#undef HOST_MASK
+#define PF              6
+#define HOST_MASK       128
+#include <linux/netfilter/ipset/ip_set_ahash.h>
+static int
+hash_net6_kadt(struct ip_set *set, const struct sk_buff *skb,
+               enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_net6_elem data = { .cidr = h->nets[0].cidr || HOST_MASK };
+        if (data.cidr == 0)
+                return -EINVAL;
+        if (adt == IPSET_TEST)
+                data.cidr = HOST_MASK;
+        ip6addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
+        ip6_netmask(&data.ip, data.cidr);
+        return adtfn(set, &data, h->timeout);
+}
+static int
+hash_net6_uadt(struct ip_set *set, struct nlattr *tb[],
+               enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_net6_elem data = { .cidr = HOST_MASK };
+        u32 timeout = h->timeout;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
+        if (ret)
+                return ret;
+        if (tb[IPSET_ATTR_CIDR])
+                data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+        if (!data.cidr)
+                return -IPSET_ERR_INVALID_CIDR;
+        ip6_netmask(&data.ip, data.cidr);
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(h->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        ret = adtfn(set, &data, timeout);
+        return ip_set_eexist(ret, flags) ? 0 : ret;
+}
+/* Create hash:ip type of sets */
+static int
+hash_net_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
+{
+        u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
+        struct ip_set_hash *h;
+        u8 hbits;
+        if (!(set->family == AF_INET || set->family == AF_INET6))
+                return -IPSET_ERR_INVALID_FAMILY;
+        if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_HASHSIZE]) {
+                hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
+                if (hashsize < IPSET_MIMINAL_HASHSIZE)
+                        hashsize = IPSET_MIMINAL_HASHSIZE;
+        }
+        if (tb[IPSET_ATTR_MAXELEM])
+                maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
+        h = kzalloc(sizeof(*h)
+                    + sizeof(struct ip_set_hash_nets)
+                      * (set->family == AF_INET ? 32 : 128), GFP_KERNEL);
+        if (!h)
+                return -ENOMEM;
+        h->maxelem = maxelem;
+        get_random_bytes(&h->initval, sizeof(h->initval));
+        h->timeout = IPSET_NO_TIMEOUT;
+        hbits = htable_bits(hashsize);
+        h->table = ip_set_alloc(
+                        sizeof(struct htable)
+                        + jhash_size(hbits) * sizeof(struct hbucket));
+        if (!h->table) {
+                kfree(h);
+                return -ENOMEM;
+        }
+        h->table->htable_bits = hbits;
+        set->data = h;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+                set->variant = set->family == AF_INET
+                        ? &hash_net4_tvariant : &hash_net6_tvariant;
+                if (set->family == AF_INET)
+                        hash_net4_gc_init(set);
+                else
+                        hash_net6_gc_init(set);
+        } else {
+                set->variant = set->family == AF_INET
+                        ? &hash_net4_variant : &hash_net6_variant;
+        }
+        pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
+                 set->name, jhash_size(h->table->htable_bits),
+                 h->table->htable_bits, h->maxelem, set->data, h->table);
+        return 0;
+}
+static struct ip_set_type hash_net_type __read_mostly = {
+        .name           = "hash:net",
+        .protocol       = IPSET_PROTOCOL,
+        .features       = IPSET_TYPE_IP,
+        .dimension      = IPSET_DIM_ONE,
+        .family         = AF_UNSPEC,
+        .revision       = 0,
+        .create         = hash_net_create,
+        .create_policy  = {
+                [IPSET_ATTR_HASHSIZE]   = { .type = NLA_U32 },
+                [IPSET_ATTR_MAXELEM]    = { .type = NLA_U32 },
+                [IPSET_ATTR_PROBES]     = { .type = NLA_U8 },
+                [IPSET_ATTR_RESIZE]     = { .type = NLA_U8  },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+        },
+        .adt_policy     = {
+                [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
+                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+        },
+        .me             = THIS_MODULE,
+};
+static int __init
+hash_net_init(void)
+{
+        return ip_set_type_register(&hash_net_type);
+}
+static void __exit
+hash_net_fini(void)
+{
+        ip_set_type_unregister(&hash_net_type);
+}
+module_init(hash_net_init);
+module_exit(hash_net_fini);
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
new file mode 100644
index 000000000000..d2a40362dd3a
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -0,0 +1,564 @@
+/* Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Kernel module implementing an IP set type: the hash:net,port type */
+#include <linux/jhash.h>
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/errno.h>
+#include <linux/random.h>
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/ipset/pfxlen.h>
+#include <linux/netfilter/ipset/ip_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
+#include <linux/netfilter/ipset/ip_set_getport.h>
+#include <linux/netfilter/ipset/ip_set_hash.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("hash:net,port type of IP sets");
+MODULE_ALIAS("ip_set_hash:net,port");
+/* Type specific function prefix */
+#define TYPE            hash_netport
+static bool
+hash_netport_same_set(const struct ip_set *a, const struct ip_set *b);
+#define hash_netport4_same_set  hash_netport_same_set
+#define hash_netport6_same_set  hash_netport_same_set
+/* The type variant functions: IPv4 */
+/* Member elements without timeout */
+struct hash_netport4_elem {
+        __be32 ip;
+        __be16 port;
+        u8 proto;
+        u8 cidr;
+};
+/* Member elements with timeout support */
+struct hash_netport4_telem {
+        __be32 ip;
+        __be16 port;
+        u8 proto;
+        u8 cidr;
+        unsigned long timeout;
+};
+static inline bool
+hash_netport4_data_equal(const struct hash_netport4_elem *ip1,
+                         const struct hash_netport4_elem *ip2)
+{
+        return ip1->ip == ip2->ip &&
+               ip1->port == ip2->port &&
+               ip1->proto == ip2->proto &&
+               ip1->cidr == ip2->cidr;
+}
+static inline bool
+hash_netport4_data_isnull(const struct hash_netport4_elem *elem)
+{
+        return elem->proto == 0;
+}
+static inline void
+hash_netport4_data_copy(struct hash_netport4_elem *dst,
+                        const struct hash_netport4_elem *src)
+{
+        dst->ip = src->ip;
+        dst->port = src->port;
+        dst->proto = src->proto;
+        dst->cidr = src->cidr;
+}
+static inline void
+hash_netport4_data_netmask(struct hash_netport4_elem *elem, u8 cidr)
+{
+        elem->ip &= ip_set_netmask(cidr);
+        elem->cidr = cidr;
+}
+static inline void
+hash_netport4_data_zero_out(struct hash_netport4_elem *elem)
+{
+        elem->proto = 0;
+}
+static bool
+hash_netport4_data_list(struct sk_buff *skb,
+                        const struct hash_netport4_elem *data)
+{
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, data->ip);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        return 0;
+nla_put_failure:
+        return 1;
+}
+static bool
+hash_netport4_data_tlist(struct sk_buff *skb,
+                         const struct hash_netport4_elem *data)
+{
+        const struct hash_netport4_telem *tdata =
+                (const struct hash_netport4_telem *)data;
+        NLA_PUT_IPADDR4(skb, IPSET_ATTR_IP, tdata->ip);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, tdata->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                      htonl(ip_set_timeout_get(tdata->timeout)));
+        return 0;
+nla_put_failure:
+        return 1;
+}
+#define IP_SET_HASH_WITH_PROTO
+#define IP_SET_HASH_WITH_NETS
+#define PF              4
+#define HOST_MASK       32
+#include <linux/netfilter/ipset/ip_set_ahash.h>
+static int
+hash_netport4_kadt(struct ip_set *set, const struct sk_buff *skb,
+                   enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_netport4_elem data = {
+                .cidr = h->nets[0].cidr || HOST_MASK };
+        if (data.cidr == 0)
+                return -EINVAL;
+        if (adt == IPSET_TEST)
+                data.cidr = HOST_MASK;
+        if (!ip_set_get_ip4_port(skb, flags & IPSET_DIM_TWO_SRC,
+                                 &data.port, &data.proto))
+                return -EINVAL;
+        ip4addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip);
+        data.ip &= ip_set_netmask(data.cidr);
+        return adtfn(set, &data, h->timeout);
+}
+static int
+hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
+                   enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_netport4_elem data = { .cidr = HOST_MASK };
+        u32 port, port_to;
+        u32 timeout = h->timeout;
+        bool with_ports = false;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &data.ip);
+        if (ret)
+                return ret;
+        if (tb[IPSET_ATTR_CIDR])
+                data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+        if (!data.cidr)
+                return -IPSET_ERR_INVALID_CIDR;
+        data.ip &= ip_set_netmask(data.cidr);
+        if (tb[IPSET_ATTR_PORT])
+                data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
+        else
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_PROTO]) {
+                data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
+                with_ports = ip_set_proto_with_ports(data.proto);
+                if (data.proto == 0)
+                        return -IPSET_ERR_INVALID_PROTO;
+        } else
+                return -IPSET_ERR_MISSING_PROTO;
+        if (!(with_ports || data.proto == IPPROTO_ICMP))
+                data.port = 0;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(h->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
+                ret = adtfn(set, &data, timeout);
+                return ip_set_eexist(ret, flags) ? 0 : ret;
+        }
+        port = ntohs(data.port);
+        port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
+        if (port > port_to)
+                swap(port, port_to);
+        for (; port <= port_to; port++) {
+                data.port = htons(port);
+                ret = adtfn(set, &data, timeout);
+                if (ret && !ip_set_eexist(ret, flags))
+                        return ret;
+                else
+                        ret = 0;
+        }
+        return ret;
+}
+static bool
+hash_netport_same_set(const struct ip_set *a, const struct ip_set *b)
+{
+        const struct ip_set_hash *x = a->data;
+        const struct ip_set_hash *y = b->data;
+        /* Resizing changes htable_bits, so we ignore it */
+        return x->maxelem == y->maxelem &&
+               x->timeout == y->timeout;
+}
+/* The type variant functions: IPv6 */
+struct hash_netport6_elem {
+        union nf_inet_addr ip;
+        __be16 port;
+        u8 proto;
+        u8 cidr;
+};
+struct hash_netport6_telem {
+        union nf_inet_addr ip;
+        __be16 port;
+        u8 proto;
+        u8 cidr;
+        unsigned long timeout;
+};
+static inline bool
+hash_netport6_data_equal(const struct hash_netport6_elem *ip1,
+                         const struct hash_netport6_elem *ip2)
+{
+        return ipv6_addr_cmp(&ip1->ip.in6, &ip2->ip.in6) == 0 &&
+               ip1->port == ip2->port &&
+               ip1->proto == ip2->proto &&
+               ip1->cidr == ip2->cidr;
+}
+static inline bool
+hash_netport6_data_isnull(const struct hash_netport6_elem *elem)
+{
+        return elem->proto == 0;
+}
+static inline void
+hash_netport6_data_copy(struct hash_netport6_elem *dst,
+                        const struct hash_netport6_elem *src)
+{
+        memcpy(dst, src, sizeof(*dst));
+}
+static inline void
+hash_netport6_data_zero_out(struct hash_netport6_elem *elem)
+{
+        elem->proto = 0;
+}
+static inline void
+ip6_netmask(union nf_inet_addr *ip, u8 prefix)
+{
+        ip->ip6[0] &= ip_set_netmask6(prefix)[0];
+        ip->ip6[1] &= ip_set_netmask6(prefix)[1];
+        ip->ip6[2] &= ip_set_netmask6(prefix)[2];
+        ip->ip6[3] &= ip_set_netmask6(prefix)[3];
+}
+static inline void
+hash_netport6_data_netmask(struct hash_netport6_elem *elem, u8 cidr)
+{
+        ip6_netmask(&elem->ip, cidr);
+        elem->cidr = cidr;
+}
+static bool
+hash_netport6_data_list(struct sk_buff *skb,
+                        const struct hash_netport6_elem *data)
+{
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &data->ip);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        return 0;
+nla_put_failure:
+        return 1;
+}
+static bool
+hash_netport6_data_tlist(struct sk_buff *skb,
+                         const struct hash_netport6_elem *data)
+{
+        const struct hash_netport6_telem *e =
+                (const struct hash_netport6_telem *)data;
+        NLA_PUT_IPADDR6(skb, IPSET_ATTR_IP, &e->ip);
+        NLA_PUT_NET16(skb, IPSET_ATTR_PORT, data->port);
+        NLA_PUT_U8(skb, IPSET_ATTR_CIDR, data->cidr);
+        NLA_PUT_U8(skb, IPSET_ATTR_PROTO, data->proto);
+        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                      htonl(ip_set_timeout_get(e->timeout)));
+        return 0;
+nla_put_failure:
+        return 1;
+}
+#undef PF
+#undef HOST_MASK
+#define PF              6
+#define HOST_MASK       128
+#include <linux/netfilter/ipset/ip_set_ahash.h>
+static int
+hash_netport6_kadt(struct ip_set *set, const struct sk_buff *skb,
+                   enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_netport6_elem data = {
+                .cidr = h->nets[0].cidr || HOST_MASK };
+        if (data.cidr == 0)
+                return -EINVAL;
+        if (adt == IPSET_TEST)
+                data.cidr = HOST_MASK;
+        if (!ip_set_get_ip6_port(skb, flags & IPSET_DIM_TWO_SRC,
+                                 &data.port, &data.proto))
+                return -EINVAL;
+        ip6addrptr(skb, flags & IPSET_DIM_ONE_SRC, &data.ip.in6);
+        ip6_netmask(&data.ip, data.cidr);
+        return adtfn(set, &data, h->timeout);
+}
+static int
+hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[],
+                   enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        const struct ip_set_hash *h = set->data;
+        ipset_adtfn adtfn = set->variant->adt[adt];
+        struct hash_netport6_elem data = { .cidr = HOST_MASK };
+        u32 port, port_to;
+        u32 timeout = h->timeout;
+        bool with_ports = false;
+        int ret;
+        if (unlikely(!tb[IPSET_ATTR_IP] ||
+                     !ip_set_attr_netorder(tb, IPSET_ATTR_PORT) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_PORT_TO) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &data.ip);
+        if (ret)
+                return ret;
+        if (tb[IPSET_ATTR_CIDR])
+                data.cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
+        if (!data.cidr)
+                return -IPSET_ERR_INVALID_CIDR;
+        ip6_netmask(&data.ip, data.cidr);
+        if (tb[IPSET_ATTR_PORT])
+                data.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
+        else
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_PROTO]) {
+                data.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
+                with_ports = ip_set_proto_with_ports(data.proto);
+                if (data.proto == 0)
+                        return -IPSET_ERR_INVALID_PROTO;
+        } else
+                return -IPSET_ERR_MISSING_PROTO;
+        if (!(with_ports || data.proto == IPPROTO_ICMPV6))
+                data.port = 0;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout(h->timeout))
+                        return -IPSET_ERR_TIMEOUT;
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
+                ret = adtfn(set, &data, timeout);
+                return ip_set_eexist(ret, flags) ? 0 : ret;
+        }
+        port = ntohs(data.port);
+        port_to = ip_set_get_h16(tb[IPSET_ATTR_PORT_TO]);
+        if (port > port_to)
+                swap(port, port_to);
+        for (; port <= port_to; port++) {
+                data.port = htons(port);
+                ret = adtfn(set, &data, timeout);
+                if (ret && !ip_set_eexist(ret, flags))
+                        return ret;
+                else
+                        ret = 0;
+        }
+        return ret;
+}
+/* Create hash:ip type of sets */
+static int
+hash_netport_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
+{
+        struct ip_set_hash *h;
+        u32 hashsize = IPSET_DEFAULT_HASHSIZE, maxelem = IPSET_DEFAULT_MAXELEM;
+        u8 hbits;
+        if (!(set->family == AF_INET || set->family == AF_INET6))
+                return -IPSET_ERR_INVALID_FAMILY;
+        if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_HASHSIZE) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_MAXELEM) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_HASHSIZE]) {
+                hashsize = ip_set_get_h32(tb[IPSET_ATTR_HASHSIZE]);
+                if (hashsize < IPSET_MIMINAL_HASHSIZE)
+                        hashsize = IPSET_MIMINAL_HASHSIZE;
+        }
+        if (tb[IPSET_ATTR_MAXELEM])
+                maxelem = ip_set_get_h32(tb[IPSET_ATTR_MAXELEM]);
+        h = kzalloc(sizeof(*h)
+                    + sizeof(struct ip_set_hash_nets)
+                      * (set->family == AF_INET ? 32 : 128), GFP_KERNEL);
+        if (!h)
+                return -ENOMEM;
+        h->maxelem = maxelem;
+        get_random_bytes(&h->initval, sizeof(h->initval));
+        h->timeout = IPSET_NO_TIMEOUT;
+        hbits = htable_bits(hashsize);
+        h->table = ip_set_alloc(
+                        sizeof(struct htable)
+                        + jhash_size(hbits) * sizeof(struct hbucket));
+        if (!h->table) {
+                kfree(h);
+                return -ENOMEM;
+        }
+        h->table->htable_bits = hbits;
+        set->data = h;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                h->timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+                set->variant = set->family == AF_INET
+                        ? &hash_netport4_tvariant : &hash_netport6_tvariant;
+                if (set->family == AF_INET)
+                        hash_netport4_gc_init(set);
+                else
+                        hash_netport6_gc_init(set);
+        } else {
+                set->variant = set->family == AF_INET
+                        ? &hash_netport4_variant : &hash_netport6_variant;
+        }
+        pr_debug("create %s hashsize %u (%u) maxelem %u: %p(%p)\n",
+                 set->name, jhash_size(h->table->htable_bits),
+                 h->table->htable_bits, h->maxelem, set->data, h->table);
+        return 0;
+}
+static struct ip_set_type hash_netport_type __read_mostly = {
+        .name           = "hash:net,port",
+        .protocol       = IPSET_PROTOCOL,
+        .features       = IPSET_TYPE_IP | IPSET_TYPE_PORT,
+        .dimension      = IPSET_DIM_TWO,
+        .family         = AF_UNSPEC,
+        .revision       = 1,
+        .create         = hash_netport_create,
+        .create_policy  = {
+                [IPSET_ATTR_HASHSIZE]   = { .type = NLA_U32 },
+                [IPSET_ATTR_MAXELEM]    = { .type = NLA_U32 },
+                [IPSET_ATTR_PROBES]     = { .type = NLA_U8 },
+                [IPSET_ATTR_RESIZE]     = { .type = NLA_U8  },
+                [IPSET_ATTR_PROTO]      = { .type = NLA_U8 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+        },
+        .adt_policy     = {
+                [IPSET_ATTR_IP]         = { .type = NLA_NESTED },
+                [IPSET_ATTR_PORT]       = { .type = NLA_U16 },
+                [IPSET_ATTR_PORT_TO]    = { .type = NLA_U16 },
+                [IPSET_ATTR_PROTO]      = { .type = NLA_U8 },
+                [IPSET_ATTR_CIDR]       = { .type = NLA_U8 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+                [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
+        },
+        .me             = THIS_MODULE,
+};
+static int __init
+hash_netport_init(void)
+{
+        return ip_set_type_register(&hash_netport_type);
+}
+static void __exit
+hash_netport_fini(void)
+{
+        ip_set_type_unregister(&hash_netport_type);
+}
+module_init(hash_netport_init);
+module_exit(hash_netport_fini);
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
new file mode 100644
index 000000000000..e9159e99fc4b
--- /dev/null
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -0,0 +1,577 @@
+/* Copyright (C) 2008-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Kernel module implementing an IP set type: the list:set type */
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <linux/skbuff.h>
+#include <linux/errno.h>
+#include <linux/netfilter/ipset/ip_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
+#include <linux/netfilter/ipset/ip_set_list.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("list:set type of IP sets");
+MODULE_ALIAS("ip_set_list:set");
+/* Member elements without and with timeout */
+struct set_elem {
+        ip_set_id_t id;
+};
+struct set_telem {
+        ip_set_id_t id;
+        unsigned long timeout;
+};
+/* Type structure */
+struct list_set {
+        size_t dsize;           /* element size */
+        u32 size;               /* size of set list array */
+        u32 timeout;            /* timeout value */
+        struct timer_list gc;   /* garbage collection */
+        struct set_elem members[0]; /* the set members */
+};
+static inline struct set_elem *
+list_set_elem(const struct list_set *map, u32 id)
+{
+        return (struct set_elem *)((void *)map->members + id * map->dsize);
+}
+static inline struct set_telem *
+list_set_telem(const struct list_set *map, u32 id)
+{
+        return (struct set_telem *)((void *)map->members + id * map->dsize);
+}
+static inline bool
+list_set_timeout(const struct list_set *map, u32 id)
+{
+        const struct set_telem *elem = list_set_telem(map, id);
+        return ip_set_timeout_test(elem->timeout);
+}
+static inline bool
+list_set_expired(const struct list_set *map, u32 id)
+{
+        const struct set_telem *elem = list_set_telem(map, id);
+        return ip_set_timeout_expired(elem->timeout);
+}
+/* Set list without and with timeout */
+static int
+list_set_kadt(struct ip_set *set, const struct sk_buff *skb,
+              enum ipset_adt adt, u8 pf, u8 dim, u8 flags)
+{
+        struct list_set *map = set->data;
+        struct set_elem *elem;
+        u32 i;
+        int ret;
+        for (i = 0; i < map->size; i++) {
+                elem = list_set_elem(map, i);
+                if (elem->id == IPSET_INVALID_ID)
+                        return 0;
+                if (with_timeout(map->timeout) && list_set_expired(map, i))
+                        continue;
+                switch (adt) {
+                case IPSET_TEST:
+                        ret = ip_set_test(elem->id, skb, pf, dim, flags);
+                        if (ret > 0)
+                                return ret;
+                        break;
+                case IPSET_ADD:
+                        ret = ip_set_add(elem->id, skb, pf, dim, flags);
+                        if (ret == 0)
+                                return ret;
+                        break;
+                case IPSET_DEL:
+                        ret = ip_set_del(elem->id, skb, pf, dim, flags);
+                        if (ret == 0)
+                                return ret;
+                        break;
+                default:
+                        break;
+                }
+        }
+        return -EINVAL;
+}
+static bool
+next_id_eq(const struct list_set *map, u32 i, ip_set_id_t id)
+{
+        const struct set_elem *elem;
+        if (i + 1 < map->size) {
+                elem = list_set_elem(map, i + 1);
+                return !!(elem->id == id &&
+                          !(with_timeout(map->timeout) &&
+                            list_set_expired(map, i + 1)));
+        }
+        return 0;
+}
+static void
+list_elem_add(struct list_set *map, u32 i, ip_set_id_t id)
+{
+        struct set_elem *e;
+        for (; i < map->size; i++) {
+                e = list_set_elem(map, i);
+                swap(e->id, id);
+                if (e->id == IPSET_INVALID_ID)
+                        break;
+        }
+}
+static void
+list_elem_tadd(struct list_set *map, u32 i, ip_set_id_t id,
+               unsigned long timeout)
+{
+        struct set_telem *e;
+        for (; i < map->size; i++) {
+                e = list_set_telem(map, i);
+                swap(e->id, id);
+                swap(e->timeout, timeout);
+                if (e->id == IPSET_INVALID_ID)
+                        break;
+        }
+}
+static int
+list_set_add(struct list_set *map, u32 i, ip_set_id_t id,
+             unsigned long timeout)
+{
+        const struct set_elem *e = list_set_elem(map, i);
+        if (i == map->size - 1 && e->id != IPSET_INVALID_ID)
+                /* Last element replaced: e.g. add new,before,last */
+                ip_set_put_byindex(e->id);
+        if (with_timeout(map->timeout))
+                list_elem_tadd(map, i, id, ip_set_timeout_set(timeout));
+        else
+                list_elem_add(map, i, id);
+        return 0;
+}
+static int
+list_set_del(struct list_set *map, u32 i)
+{
+        struct set_elem *a = list_set_elem(map, i), *b;
+        ip_set_put_byindex(a->id);
+        for (; i < map->size - 1; i++) {
+                b = list_set_elem(map, i + 1);
+                a->id = b->id;
+                if (with_timeout(map->timeout))
+                        ((struct set_telem *)a)->timeout =
+                                ((struct set_telem *)b)->timeout;
+                a = b;
+                if (a->id == IPSET_INVALID_ID)
+                        break;
+        }
+        /* Last element */
+        a->id = IPSET_INVALID_ID;
+        return 0;
+}
+static int
+list_set_uadt(struct ip_set *set, struct nlattr *tb[],
+              enum ipset_adt adt, u32 *lineno, u32 flags)
+{
+        struct list_set *map = set->data;
+        bool with_timeout = with_timeout(map->timeout);
+        int before = 0;
+        u32 timeout = map->timeout;
+        ip_set_id_t id, refid = IPSET_INVALID_ID;
+        const struct set_elem *elem;
+        struct ip_set *s;
+        u32 i;
+        int ret = 0;
+        if (unlikely(!tb[IPSET_ATTR_NAME] ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_CADT_FLAGS)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_LINENO])
+                *lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
+        id = ip_set_get_byname(nla_data(tb[IPSET_ATTR_NAME]), &s);
+        if (id == IPSET_INVALID_ID)
+                return -IPSET_ERR_NAME;
+        /* "Loop detection" */
+        if (s->type->features & IPSET_TYPE_NAME) {
+                ret = -IPSET_ERR_LOOP;
+                goto finish;
+        }
+        if (tb[IPSET_ATTR_CADT_FLAGS]) {
+                u32 f = ip_set_get_h32(tb[IPSET_ATTR_CADT_FLAGS]);
+                before = f & IPSET_FLAG_BEFORE;
+        }
+        if (before && !tb[IPSET_ATTR_NAMEREF]) {
+                ret = -IPSET_ERR_BEFORE;
+                goto finish;
+        }
+        if (tb[IPSET_ATTR_NAMEREF]) {
+                refid = ip_set_get_byname(nla_data(tb[IPSET_ATTR_NAMEREF]),
+                                          &s);
+                if (refid == IPSET_INVALID_ID) {
+                        ret = -IPSET_ERR_NAMEREF;
+                        goto finish;
+                }
+                if (!before)
+                        before = -1;
+        }
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!with_timeout) {
+                        ret = -IPSET_ERR_TIMEOUT;
+                        goto finish;
+                }
+                timeout = ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT]);
+        }
+        switch (adt) {
+        case IPSET_TEST:
+                for (i = 0; i < map->size && !ret; i++) {
+                        elem = list_set_elem(map, i);
+                        if (elem->id == IPSET_INVALID_ID ||
+                            (before != 0 && i + 1 >= map->size))
+                                break;
+                        else if (with_timeout && list_set_expired(map, i))
+                                continue;
+                        else if (before > 0 && elem->id == id)
+                                ret = next_id_eq(map, i, refid);
+                        else if (before < 0 && elem->id == refid)
+                                ret = next_id_eq(map, i, id);
+                        else if (before == 0 && elem->id == id)
+                                ret = 1;
+                }
+                break;
+        case IPSET_ADD:
+                for (i = 0; i < map->size && !ret; i++) {
+                        elem = list_set_elem(map, i);
+                        if (elem->id == id &&
+                            !(with_timeout && list_set_expired(map, i)))
+                                ret = -IPSET_ERR_EXIST;
+                }
+                if (ret == -IPSET_ERR_EXIST)
+                        break;
+                ret = -IPSET_ERR_LIST_FULL;
+                for (i = 0; i < map->size && ret == -IPSET_ERR_LIST_FULL; i++) {
+                        elem = list_set_elem(map, i);
+                        if (elem->id == IPSET_INVALID_ID)
+                                ret = before != 0 ? -IPSET_ERR_REF_EXIST
+                                        : list_set_add(map, i, id, timeout);
+                        else if (elem->id != refid)
+                                continue;
+                        else if (with_timeout && list_set_expired(map, i))
+                                ret = -IPSET_ERR_REF_EXIST;
+                        else if (before)
+                                ret = list_set_add(map, i, id, timeout);
+                        else if (i + 1 < map->size)
+                                ret = list_set_add(map, i + 1, id, timeout);
+                }
+                break;
+        case IPSET_DEL:
+                ret = -IPSET_ERR_EXIST;
+                for (i = 0; i < map->size && ret == -IPSET_ERR_EXIST; i++) {
+                        elem = list_set_elem(map, i);
+                        if (elem->id == IPSET_INVALID_ID) {
+                                ret = before != 0 ? -IPSET_ERR_REF_EXIST
+                                                  : -IPSET_ERR_EXIST;
+                                break;
+                        } else if (with_timeout && list_set_expired(map, i))
+                                continue;
+                        else if (elem->id == id &&
+                                 (before == 0 ||
+                                  (before > 0 &&
+                                   next_id_eq(map, i, refid))))
+                                ret = list_set_del(map, i);
+                        else if (before < 0 &&
+                                 elem->id == refid &&
+                                 next_id_eq(map, i, id))
+                                ret = list_set_del(map, i + 1);
+                }
+                break;
+        default:
+                break;
+        }
+finish:
+        if (refid != IPSET_INVALID_ID)
+                ip_set_put_byindex(refid);
+        if (adt != IPSET_ADD || ret)
+                ip_set_put_byindex(id);
+        return ip_set_eexist(ret, flags) ? 0 : ret;
+}
+static void
+list_set_flush(struct ip_set *set)
+{
+        struct list_set *map = set->data;
+        struct set_elem *elem;
+        u32 i;
+        for (i = 0; i < map->size; i++) {
+                elem = list_set_elem(map, i);
+                if (elem->id != IPSET_INVALID_ID) {
+                        ip_set_put_byindex(elem->id);
+                        elem->id = IPSET_INVALID_ID;
+                }
+        }
+}
+static void
+list_set_destroy(struct ip_set *set)
+{
+        struct list_set *map = set->data;
+        if (with_timeout(map->timeout))
+                del_timer_sync(&map->gc);
+        list_set_flush(set);
+        kfree(map);
+        set->data = NULL;
+}
+static int
+list_set_head(struct ip_set *set, struct sk_buff *skb)
+{
+        const struct list_set *map = set->data;
+        struct nlattr *nested;
+        nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+        if (!nested)
+                goto nla_put_failure;
+        NLA_PUT_NET32(skb, IPSET_ATTR_SIZE, htonl(map->size));
+        if (with_timeout(map->timeout))
+                NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT, htonl(map->timeout));
+        NLA_PUT_NET32(skb, IPSET_ATTR_REFERENCES, htonl(set->ref - 1));
+        NLA_PUT_NET32(skb, IPSET_ATTR_MEMSIZE,
+                      htonl(sizeof(*map) + map->size * map->dsize));
+        ipset_nest_end(skb, nested);
+        return 0;
+nla_put_failure:
+        return -EMSGSIZE;
+}
+static int
+list_set_list(const struct ip_set *set,
+              struct sk_buff *skb, struct netlink_callback *cb)
+{
+        const struct list_set *map = set->data;
+        struct nlattr *atd, *nested;
+        u32 i, first = cb->args[2];
+        const struct set_elem *e;
+        atd = ipset_nest_start(skb, IPSET_ATTR_ADT);
+        if (!atd)
+                return -EMSGSIZE;
+        for (; cb->args[2] < map->size; cb->args[2]++) {
+                i = cb->args[2];
+                e = list_set_elem(map, i);
+                if (e->id == IPSET_INVALID_ID)
+                        goto finish;
+                if (with_timeout(map->timeout) && list_set_expired(map, i))
+                        continue;
+                nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
+                if (!nested) {
+                        if (i == first) {
+                                nla_nest_cancel(skb, atd);
+                                return -EMSGSIZE;
+                        } else
+                                goto nla_put_failure;
+                }
+                NLA_PUT_STRING(skb, IPSET_ATTR_NAME,
+                               ip_set_name_byindex(e->id));
+                if (with_timeout(map->timeout)) {
+                        const struct set_telem *te =
+                                (const struct set_telem *) e;
+                        NLA_PUT_NET32(skb, IPSET_ATTR_TIMEOUT,
+                                      htonl(ip_set_timeout_get(te->timeout)));
+                }
+                ipset_nest_end(skb, nested);
+        }
+finish:
+        ipset_nest_end(skb, atd);
+        /* Set listing finished */
+        cb->args[2] = 0;
+        return 0;
+nla_put_failure:
+        nla_nest_cancel(skb, nested);
+        ipset_nest_end(skb, atd);
+        if (unlikely(i == first)) {
+                cb->args[2] = 0;
+                return -EMSGSIZE;
+        }
+        return 0;
+}
+static bool
+list_set_same_set(const struct ip_set *a, const struct ip_set *b)
+{
+        const struct list_set *x = a->data;
+        const struct list_set *y = b->data;
+        return x->size == y->size &&
+               x->timeout == y->timeout;
+}
+static const struct ip_set_type_variant list_set = {
+        .kadt   = list_set_kadt,
+        .uadt   = list_set_uadt,
+        .destroy = list_set_destroy,
+        .flush  = list_set_flush,
+        .head   = list_set_head,
+        .list   = list_set_list,
+        .same_set = list_set_same_set,
+};
+static void
+list_set_gc(unsigned long ul_set)
+{
+        struct ip_set *set = (struct ip_set *) ul_set;
+        struct list_set *map = set->data;
+        struct set_telem *e;
+        u32 i;
+        write_lock_bh(&set->lock);
+        for (i = 0; i < map->size; i++) {
+                e = list_set_telem(map, i);
+                if (e->id != IPSET_INVALID_ID && list_set_expired(map, i))
+                        list_set_del(map, i);
+        }
+        write_unlock_bh(&set->lock);
+        map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
+        add_timer(&map->gc);
+}
+static void
+list_set_gc_init(struct ip_set *set)
+{
+        struct list_set *map = set->data;
+        init_timer(&map->gc);
+        map->gc.data = (unsigned long) set;
+        map->gc.function = list_set_gc;
+        map->gc.expires = jiffies + IPSET_GC_PERIOD(map->timeout) * HZ;
+        add_timer(&map->gc);
+}
+/* Create list:set type of sets */
+static bool
+init_list_set(struct ip_set *set, u32 size, size_t dsize,
+              unsigned long timeout)
+{
+        struct list_set *map;
+        struct set_elem *e;
+        u32 i;
+        map = kzalloc(sizeof(*map) + size * dsize, GFP_KERNEL);
+        if (!map)
+                return false;
+        map->size = size;
+        map->dsize = dsize;
+        map->timeout = timeout;
+        set->data = map;
+        for (i = 0; i < size; i++) {
+                e = list_set_elem(map, i);
+                e->id = IPSET_INVALID_ID;
+        }
+        return true;
+}
+static int
+list_set_create(struct ip_set *set, struct nlattr *tb[], u32 flags)
+{
+        u32 size = IP_SET_LIST_DEFAULT_SIZE;
+        if (unlikely(!ip_set_optattr_netorder(tb, IPSET_ATTR_SIZE) ||
+                     !ip_set_optattr_netorder(tb, IPSET_ATTR_TIMEOUT)))
+                return -IPSET_ERR_PROTOCOL;
+        if (tb[IPSET_ATTR_SIZE])
+                size = ip_set_get_h32(tb[IPSET_ATTR_SIZE]);
+        if (size < IP_SET_LIST_MIN_SIZE)
+                size = IP_SET_LIST_MIN_SIZE;
+        if (tb[IPSET_ATTR_TIMEOUT]) {
+                if (!init_list_set(set, size, sizeof(struct set_telem),
+                                   ip_set_timeout_uget(tb[IPSET_ATTR_TIMEOUT])))
+                        return -ENOMEM;
+                list_set_gc_init(set);
+        } else {
+                if (!init_list_set(set, size, sizeof(struct set_elem),
+                                   IPSET_NO_TIMEOUT))
+                        return -ENOMEM;
+        }
+        set->variant = &list_set;
+        return 0;
+}
+static struct ip_set_type list_set_type __read_mostly = {
+        .name           = "list:set",
+        .protocol       = IPSET_PROTOCOL,
+        .features       = IPSET_TYPE_NAME | IPSET_DUMP_LAST,
+        .dimension      = IPSET_DIM_ONE,
+        .family         = AF_UNSPEC,
+        .revision       = 0,
+        .create         = list_set_create,
+        .create_policy  = {
+                [IPSET_ATTR_SIZE]       = { .type = NLA_U32 },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+        },
+        .adt_policy     = {
+                [IPSET_ATTR_NAME]       = { .type = NLA_STRING,
+                                            .len = IPSET_MAXNAMELEN },
+                [IPSET_ATTR_NAMEREF]    = { .type = NLA_STRING,
+                                            .len = IPSET_MAXNAMELEN },
+                [IPSET_ATTR_TIMEOUT]    = { .type = NLA_U32 },
+                [IPSET_ATTR_LINENO]     = { .type = NLA_U32 },
+                [IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
+        },
+        .me             = THIS_MODULE,
+};
+static int __init
+list_set_init(void)
+{
+        return ip_set_type_register(&list_set_type);
+}
+static void __exit
+list_set_fini(void)
+{
+        ip_set_type_unregister(&list_set_type);
+}
+module_init(list_set_init);
+module_exit(list_set_fini);
diff --git a/net/netfilter/ipset/pfxlen.c b/net/netfilter/ipset/pfxlen.c
new file mode 100644
index 000000000000..23f8c8162214
--- /dev/null
+++ b/net/netfilter/ipset/pfxlen.c
@@ -0,0 +1,291 @@
+#include <linux/netfilter/ipset/pfxlen.h>
+/*
+ * Prefixlen maps for fast conversions, by Jan Engelhardt.
+ */
+#define E(a, b, c, d) \
+        {.ip6 = { \
+                __constant_htonl(a), __constant_htonl(b), \
+                __constant_htonl(c), __constant_htonl(d), \
+        } }
+/*
+ * This table works for both IPv4 and IPv6;
+ * just use prefixlen_netmask_map[prefixlength].ip.
+ */
+const union nf_inet_addr ip_set_netmask_map[] = {
+        E(0x00000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0x80000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xC0000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xE0000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xF0000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xF8000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFC000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFE000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFF000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFF800000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFC00000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFE00000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFF00000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFF80000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFC0000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFE0000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFF0000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFF8000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFC000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFE000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFF000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFF800, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFC00, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFE00, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFF00, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFF80, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFC0, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFE0, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFF0, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFF8, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFC, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFE, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0x80000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xC0000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xE0000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xF0000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xF8000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFC000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFE000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFF000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFF800000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFC00000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFE00000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFF00000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFF80000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFC0000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFE0000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFF0000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFF8000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFC000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFE000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFF000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFF800, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFC00, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFE00, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFF00, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFF80, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFC0, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFE0, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFF0, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFF8, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFC, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFE, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0x80000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x80000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF),
+};
+EXPORT_SYMBOL_GPL(ip_set_netmask_map);
+#undef  E
+#define E(a, b, c, d)                                           \
+        {.ip6 = { (__force __be32) a, (__force __be32) b,       \
+                  (__force __be32) c, (__force __be32) d,       \
+        } }
+/*
+ * This table works for both IPv4 and IPv6;
+ * just use prefixlen_hostmask_map[prefixlength].ip.
+ */
+const union nf_inet_addr ip_set_hostmask_map[] = {
+        E(0x00000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0x80000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xC0000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xE0000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xF0000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xF8000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFC000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFE000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFF000000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFF800000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFC00000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFE00000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFF00000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFF80000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFC0000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFE0000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFF0000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFF8000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFC000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFE000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFF000, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFF800, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFC00, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFE00, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFF00, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFF80, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFC0, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFE0, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFF0, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFF8, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFC, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFE, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0x00000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0x80000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xC0000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xE0000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xF0000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xF8000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFC000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFE000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFF000000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFF800000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFC00000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFE00000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFF00000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFF80000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFC0000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFE0000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFF0000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFF8000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFC000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFE000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFF000, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFF800, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFC00, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFE00, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFF00, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFF80, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFC0, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFE0, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFF0, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFF8, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFC, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFE, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0x80000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x80000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xC0000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xE0000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF0000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xF8000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFC000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFE000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF000000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFF800000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFC00000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFE00000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF00000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFF80000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFC0000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFE0000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF0000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFF8000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFC000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFE000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF000),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFF800),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFC00),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFE00),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF00),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFF80),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFC0),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFE0),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF0),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFF8),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFC),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE),
+        E(0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF),
+};
+EXPORT_SYMBOL_GPL(ip_set_hostmask_map);
diff --git a/net/netfilter/ipvs/ip_vs_app.c b/net/netfilter/ipvs/ip_vs_app.c
index a475edee0912..059af3120be7 100644
--- a/net/netfilter/ipvs/ip_vs_app.c
+++ b/net/netfilter/ipvs/ip_vs_app.c
@@ -43,11 +43,8 @@ EXPORT_SYMBOL(register_ip_vs_app);
 EXPORT_SYMBOL(unregister_ip_vs_app);
 EXPORT_SYMBOL(register_ip_vs_app_inc);
-/* ipvs application list head */
-static LIST_HEAD(ip_vs_app_list);
 static DEFINE_MUTEX(__ip_vs_app_mutex);
 /*
 *      Get an ip_vs_app object
 */
@@ -67,7 +64,8 @@ static inline void ip_vs_app_put(struct ip_vs_app *app)
 *      Allocate/initialize app incarnation and register it in proto apps.
 */
 static int
-ip_vs_app_inc_new(struct ip_vs_app *app, __u16 proto, __u16 port)
+ip_vs_app_inc_new(struct net *net, struct ip_vs_app *app, __u16 proto,
+                  __u16 port)
 {
        struct ip_vs_protocol *pp;
        struct ip_vs_app *inc;
@@ -98,7 +96,7 @@ ip_vs_app_inc_new(struct ip_vs_app *app, __u16 proto, __u16 port)
                }
        }
-        ret = pp->register_app(inc);
+        ret = pp->register_app(net, inc);
        if (ret)
                goto out;
@@ -119,7 +117,7 @@ ip_vs_app_inc_new(struct ip_vs_app *app, __u16 proto, __u16 port)
 *      Release app incarnation
 */
 static void
-ip_vs_app_inc_release(struct ip_vs_app *inc)
+ip_vs_app_inc_release(struct net *net, struct ip_vs_app *inc)
 {
        struct ip_vs_protocol *pp;
@@ -127,7 +125,7 @@ ip_vs_app_inc_release(struct ip_vs_app *inc)
                return;
        if (pp->unregister_app)
-                pp->unregister_app(inc);
+                pp->unregister_app(net, inc);
        IP_VS_DBG(9, "%s App %s:%u unregistered\n",
                  pp->name, inc->name, ntohs(inc->port));
@@ -168,13 +166,14 @@ void ip_vs_app_inc_put(struct ip_vs_app *inc)
 *      Register an application incarnation in protocol applications
 */
 int
-register_ip_vs_app_inc(struct ip_vs_app *app, __u16 proto, __u16 port)
+register_ip_vs_app_inc(struct net *net, struct ip_vs_app *app, __u16 proto,
+                       __u16 port)
 {
        int result;
        mutex_lock(&__ip_vs_app_mutex);
-        result = ip_vs_app_inc_new(app, proto, port);
+        result = ip_vs_app_inc_new(net, app, proto, port);
        mutex_unlock(&__ip_vs_app_mutex);
@@ -185,14 +184,15 @@ register_ip_vs_app_inc(struct ip_vs_app *app, __u16 proto, __u16 port)
 /*
 *      ip_vs_app registration routine
 */
-int register_ip_vs_app(struct ip_vs_app *app)
+int register_ip_vs_app(struct net *net, struct ip_vs_app *app)
 {
+        struct netns_ipvs *ipvs = net_ipvs(net);
        /* increase the module use count */
        ip_vs_use_count_inc();
        mutex_lock(&__ip_vs_app_mutex);
-        list_add(&app->a_list, &ip_vs_app_list);
+        list_add(&app->a_list, &ipvs->app_list);
        mutex_unlock(&__ip_vs_app_mutex);
@@ -204,14 +204,14 @@ int register_ip_vs_app(struct ip_vs_app *app)
 *      ip_vs_app unregistration routine
 *      We are sure there are no app incarnations attached to services
 */
-void unregister_ip_vs_app(struct ip_vs_app *app)
+void unregister_ip_vs_app(struct net *net, struct ip_vs_app *app)
 {
        struct ip_vs_app *inc, *nxt;
        mutex_lock(&__ip_vs_app_mutex);
        list_for_each_entry_safe(inc, nxt, &app->incs_list, a_list) {
-                ip_vs_app_inc_release(inc);
+                ip_vs_app_inc_release(net, inc);
        }
        list_del(&app->a_list);
@@ -226,7 +226,8 @@ void unregister_ip_vs_app(struct ip_vs_app *app)
 /*
 *      Bind ip_vs_conn to its ip_vs_app (called by cp constructor)
 */
-int ip_vs_bind_app(struct ip_vs_conn *cp, struct ip_vs_protocol *pp)
+int ip_vs_bind_app(struct ip_vs_conn *cp,
+                   struct ip_vs_protocol *pp)
 {
        return pp->app_conn_bind(cp);
 }
@@ -481,11 +482,11 @@ int ip_vs_app_pkt_in(struct ip_vs_conn *cp, struct sk_buff *skb)
 *      /proc/net/ip_vs_app entry function
 */
-static struct ip_vs_app *ip_vs_app_idx(loff_t pos)
+static struct ip_vs_app *ip_vs_app_idx(struct netns_ipvs *ipvs, loff_t pos)
 {
        struct ip_vs_app *app, *inc;
-        list_for_each_entry(app, &ip_vs_app_list, a_list) {
+        list_for_each_entry(app, &ipvs->app_list, a_list) {
                list_for_each_entry(inc, &app->incs_list, a_list) {
                        if (pos-- == 0)
                                return inc;
@@ -497,19 +498,24 @@ static struct ip_vs_app *ip_vs_app_idx(loff_t pos)
 static void *ip_vs_app_seq_start(struct seq_file *seq, loff_t *pos)
 {
+        struct net *net = seq_file_net(seq);
+        struct netns_ipvs *ipvs = net_ipvs(net);
        mutex_lock(&__ip_vs_app_mutex);
-        return *pos ? ip_vs_app_idx(*pos - 1) : SEQ_START_TOKEN;
+        return *pos ? ip_vs_app_idx(ipvs, *pos - 1) : SEQ_START_TOKEN;
 }
 static void *ip_vs_app_seq_next(struct seq_file *seq, void *v, loff_t *pos)
 {
        struct ip_vs_app *inc, *app;
        struct list_head *e;
+        struct net *net = seq_file_net(seq);
+        struct netns_ipvs *ipvs = net_ipvs(net);
        ++*pos;
        if (v == SEQ_START_TOKEN)
-                return ip_vs_app_idx(0);
+                return ip_vs_app_idx(ipvs, 0);
        inc = v;
        app = inc->app;
@@ -518,7 +524,7 @@ static void *ip_vs_app_seq_next(struct seq_file *seq, void *v, loff_t *pos)
                return list_entry(e, struct ip_vs_app, a_list);
        /* go on to next application */
-        for (e = app->a_list.next; e != &ip_vs_app_list; e = e->next) {
+        for (e = app->a_list.next; e != &ipvs->app_list; e = e->next) {
                app = list_entry(e, struct ip_vs_app, a_list);
                list_for_each_entry(inc, &app->incs_list, a_list) {
                        return inc;
@@ -557,7 +563,8 @@ static const struct seq_operations ip_vs_app_seq_ops = {
 static int ip_vs_app_open(struct inode *inode, struct file *file)
 {
-        return seq_open(file, &ip_vs_app_seq_ops);
+        return seq_open_net(inode, file, &ip_vs_app_seq_ops,
+                            sizeof(struct seq_net_private));
 }
 static const struct file_operations ip_vs_app_fops = {
@@ -565,19 +572,30 @@ static const struct file_operations ip_vs_app_fops = {
        .open    = ip_vs_app_open,
        .read    = seq_read,
        .llseek  = seq_lseek,
-        .release = seq_release,
+        .release = seq_release_net,
 };
 #endif
+int __net_init __ip_vs_app_init(struct net *net)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        INIT_LIST_HEAD(&ipvs->app_list);
+        proc_net_fops_create(net, "ip_vs_app", 0, &ip_vs_app_fops);
+        return 0;
+}
+void __net_exit __ip_vs_app_cleanup(struct net *net)
+{
+        proc_net_remove(net, "ip_vs_app");
+}
 int __init ip_vs_app_init(void)
 {
-        /* we will replace it with proc_net_ipvs_create() soon */
-        proc_net_fops_create(&init_net, "ip_vs_app", 0, &ip_vs_app_fops);
        return 0;
 }
 void ip_vs_app_cleanup(void)
 {
-        proc_net_remove(&init_net, "ip_vs_app");
 }
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index e9adecdc8ca4..bf28ac2fc99b 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -48,35 +48,32 @@
 /*
 * Connection hash size. Default is what was selected at compile time.
 */
-int ip_vs_conn_tab_bits = CONFIG_IP_VS_TAB_BITS;
+static int ip_vs_conn_tab_bits = CONFIG_IP_VS_TAB_BITS;
 module_param_named(conn_tab_bits, ip_vs_conn_tab_bits, int, 0444);
 MODULE_PARM_DESC(conn_tab_bits, "Set connections' hash size");
 /* size and mask values */
-int ip_vs_conn_tab_size;
+int ip_vs_conn_tab_size __read_mostly;
-int ip_vs_conn_tab_mask;
+static int ip_vs_conn_tab_mask __read_mostly;
 /*
 *  Connection hash table: for input and output packets lookups of IPVS
 */
-static struct list_head *ip_vs_conn_tab;
+static struct hlist_head *ip_vs_conn_tab __read_mostly;
 /*  SLAB cache for IPVS connections */
 static struct kmem_cache *ip_vs_conn_cachep __read_mostly;
-/*  counter for current IPVS connections */
-static atomic_t ip_vs_conn_count = ATOMIC_INIT(0);
 /*  counter for no client port connections */
 static atomic_t ip_vs_conn_no_cport_cnt = ATOMIC_INIT(0);
 /* random value for IPVS connection hash */
-static unsigned int ip_vs_conn_rnd;
+static unsigned int ip_vs_conn_rnd __read_mostly;
 /*
 *  Fine locking granularity for big connection hash table
 */
-#define CT_LOCKARRAY_BITS  4
+#define CT_LOCKARRAY_BITS  5
 #define CT_LOCKARRAY_SIZE  (1<<CT_LOCKARRAY_BITS)
 #define CT_LOCKARRAY_MASK  (CT_LOCKARRAY_SIZE-1)
@@ -133,19 +130,19 @@ static inline void ct_write_unlock_bh(unsigned key)
 /*
 *      Returns hash value for IPVS connection entry
 */
-static unsigned int ip_vs_conn_hashkey(int af, unsigned proto,
+static unsigned int ip_vs_conn_hashkey(struct net *net, int af, unsigned proto,
                                       const union nf_inet_addr *addr,
                                       __be16 port)
 {
 #ifdef CONFIG_IP_VS_IPV6
        if (af == AF_INET6)
-                return jhash_3words(jhash(addr, 16, ip_vs_conn_rnd),
+                return (jhash_3words(jhash(addr, 16, ip_vs_conn_rnd),
-                                    (__force u32)port, proto, ip_vs_conn_rnd)
+                                    (__force u32)port, proto, ip_vs_conn_rnd) ^
-                        & ip_vs_conn_tab_mask;
+                        ((size_t)net>>8)) & ip_vs_conn_tab_mask;
 #endif
-        return jhash_3words((__force u32)addr->ip, (__force u32)port, proto,
+        return (jhash_3words((__force u32)addr->ip, (__force u32)port, proto,
-                            ip_vs_conn_rnd)
+                            ip_vs_conn_rnd) ^
-                & ip_vs_conn_tab_mask;
+                ((size_t)net>>8)) & ip_vs_conn_tab_mask;
 }
 static unsigned int ip_vs_conn_hashkey_param(const struct ip_vs_conn_param *p,
@@ -166,18 +163,18 @@ static unsigned int ip_vs_conn_hashkey_param(const struct ip_vs_conn_param *p,
                port = p->vport;
        }
-        return ip_vs_conn_hashkey(p->af, p->protocol, addr, port);
+        return ip_vs_conn_hashkey(p->net, p->af, p->protocol, addr, port);
 }
 static unsigned int ip_vs_conn_hashkey_conn(const struct ip_vs_conn *cp)
 {
        struct ip_vs_conn_param p;
-        ip_vs_conn_fill_param(cp->af, cp->protocol, &cp->caddr, cp->cport,
+        ip_vs_conn_fill_param(ip_vs_conn_net(cp), cp->af, cp->protocol,
-                              NULL, 0, &p);
+                              &cp->caddr, cp->cport, NULL, 0, &p);
-        if (cp->dest && cp->dest->svc->pe) {
+        if (cp->pe) {
-                p.pe = cp->dest->svc->pe;
+                p.pe = cp->pe;
                p.pe_data = cp->pe_data;
                p.pe_data_len = cp->pe_data_len;
        }
@@ -186,7 +183,7 @@ static unsigned int ip_vs_conn_hashkey_conn(const struct ip_vs_conn *cp)
 }
 /*
- *      Hashes ip_vs_conn in ip_vs_conn_tab by proto,addr,port.
+ *      Hashes ip_vs_conn in ip_vs_conn_tab by netns,proto,addr,port.
 *      returns bool success.
 */
 static inline int ip_vs_conn_hash(struct ip_vs_conn *cp)
@@ -204,7 +201,7 @@ static inline int ip_vs_conn_hash(struct ip_vs_conn *cp)
        spin_lock(&cp->lock);
        if (!(cp->flags & IP_VS_CONN_F_HASHED)) {
-                list_add(&cp->c_list, &ip_vs_conn_tab[hash]);
+                hlist_add_head(&cp->c_list, &ip_vs_conn_tab[hash]);
                cp->flags |= IP_VS_CONN_F_HASHED;
                atomic_inc(&cp->refcnt);
                ret = 1;
@@ -237,7 +234,7 @@ static inline int ip_vs_conn_unhash(struct ip_vs_conn *cp)
        spin_lock(&cp->lock);
        if (cp->flags & IP_VS_CONN_F_HASHED) {
-                list_del(&cp->c_list);
+                hlist_del(&cp->c_list);
                cp->flags &= ~IP_VS_CONN_F_HASHED;
                atomic_dec(&cp->refcnt);
                ret = 1;
@@ -262,18 +259,20 @@ __ip_vs_conn_in_get(const struct ip_vs_conn_param *p)
 {
        unsigned hash;
        struct ip_vs_conn *cp;
+        struct hlist_node *n;
        hash = ip_vs_conn_hashkey_param(p, false);
        ct_read_lock(hash);
-        list_for_each_entry(cp, &ip_vs_conn_tab[hash], c_list) {
+        hlist_for_each_entry(cp, n, &ip_vs_conn_tab[hash], c_list) {
                if (cp->af == p->af &&
+                    p->cport == cp->cport && p->vport == cp->vport &&
                    ip_vs_addr_equal(p->af, p->caddr, &cp->caddr) &&
                    ip_vs_addr_equal(p->af, p->vaddr, &cp->vaddr) &&
-                    p->cport == cp->cport && p->vport == cp->vport &&
                    ((!p->cport) ^ (!(cp->flags & IP_VS_CONN_F_NO_CPORT))) &&
-                    p->protocol == cp->protocol) {
+                    p->protocol == cp->protocol &&
+                    ip_vs_conn_net_eq(cp, p->net)) {
                        /* HIT */
                        atomic_inc(&cp->refcnt);
                        ct_read_unlock(hash);
@@ -313,23 +312,23 @@ ip_vs_conn_fill_param_proto(int af, const struct sk_buff *skb,
                            struct ip_vs_conn_param *p)
 {
        __be16 _ports[2], *pptr;
+        struct net *net = skb_net(skb);
        pptr = skb_header_pointer(skb, proto_off, sizeof(_ports), _ports);
        if (pptr == NULL)
                return 1;
        if (likely(!inverse))
-                ip_vs_conn_fill_param(af, iph->protocol, &iph->saddr, pptr[0],
+                ip_vs_conn_fill_param(net, af, iph->protocol, &iph->saddr,
-                                      &iph->daddr, pptr[1], p);
+                                      pptr[0], &iph->daddr, pptr[1], p);
        else
-                ip_vs_conn_fill_param(af, iph->protocol, &iph->daddr, pptr[1],
+                ip_vs_conn_fill_param(net, af, iph->protocol, &iph->daddr,
-                                      &iph->saddr, pptr[0], p);
+                                      pptr[1], &iph->saddr, pptr[0], p);
        return 0;
 }
 struct ip_vs_conn *
 ip_vs_conn_in_get_proto(int af, const struct sk_buff *skb,
-                        struct ip_vs_protocol *pp,
                        const struct ip_vs_iphdr *iph,
                        unsigned int proto_off, int inverse)
 {
@@ -347,14 +346,17 @@ struct ip_vs_conn *ip_vs_ct_in_get(const struct ip_vs_conn_param *p)
 {
        unsigned hash;
        struct ip_vs_conn *cp;
+        struct hlist_node *n;
        hash = ip_vs_conn_hashkey_param(p, false);
        ct_read_lock(hash);
-        list_for_each_entry(cp, &ip_vs_conn_tab[hash], c_list) {
+        hlist_for_each_entry(cp, n, &ip_vs_conn_tab[hash], c_list) {
+                if (!ip_vs_conn_net_eq(cp, p->net))
+                        continue;
                if (p->pe_data && p->pe->ct_match) {
-                        if (p->pe->ct_match(p, cp))
+                        if (p->pe == cp->pe && p->pe->ct_match(p, cp))
                                goto out;
                        continue;
                }
@@ -394,6 +396,7 @@ struct ip_vs_conn *ip_vs_conn_out_get(const struct ip_vs_conn_param *p)
 {
        unsigned hash;
        struct ip_vs_conn *cp, *ret=NULL;
+        struct hlist_node *n;
        /*
         *      Check for "full" addressed entries
@@ -402,12 +405,13 @@ struct ip_vs_conn *ip_vs_conn_out_get(const struct ip_vs_conn_param *p)
        ct_read_lock(hash);
-        list_for_each_entry(cp, &ip_vs_conn_tab[hash], c_list) {
+        hlist_for_each_entry(cp, n, &ip_vs_conn_tab[hash], c_list) {
                if (cp->af == p->af &&
+                    p->vport == cp->cport && p->cport == cp->dport &&
                    ip_vs_addr_equal(p->af, p->vaddr, &cp->caddr) &&
                    ip_vs_addr_equal(p->af, p->caddr, &cp->daddr) &&
-                    p->vport == cp->cport && p->cport == cp->dport &&
+                    p->protocol == cp->protocol &&
-                    p->protocol == cp->protocol) {
+                    ip_vs_conn_net_eq(cp, p->net)) {
                        /* HIT */
                        atomic_inc(&cp->refcnt);
                        ret = cp;
@@ -428,7 +432,6 @@ struct ip_vs_conn *ip_vs_conn_out_get(const struct ip_vs_conn_param *p)
 struct ip_vs_conn *
 ip_vs_conn_out_get_proto(int af, const struct sk_buff *skb,
-                         struct ip_vs_protocol *pp,
                         const struct ip_vs_iphdr *iph,
                         unsigned int proto_off, int inverse)
 {
@@ -592,7 +595,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, struct ip_vs_dest *dest)
                        atomic_inc(&dest->inactconns);
        } else {
                /* It is a persistent connection/template, so increase
-                   the peristent connection counter */
+                   the persistent connection counter */
                atomic_inc(&dest->persistconns);
        }
@@ -611,9 +614,9 @@ struct ip_vs_dest *ip_vs_try_bind_dest(struct ip_vs_conn *cp)
        struct ip_vs_dest *dest;
        if ((cp) && (!cp->dest)) {
-                dest = ip_vs_find_dest(cp->af, &cp->daddr, cp->dport,
+                dest = ip_vs_find_dest(ip_vs_conn_net(cp), cp->af, &cp->daddr,
-                                       &cp->vaddr, cp->vport,
+                                       cp->dport, &cp->vaddr, cp->vport,
-                                       cp->protocol);
+                                       cp->protocol, cp->fwmark);
                ip_vs_bind_dest(cp, dest);
                return dest;
        } else
@@ -654,7 +657,7 @@ static inline void ip_vs_unbind_dest(struct ip_vs_conn *cp)
                }
        } else {
                /* It is a persistent connection/template, so decrease
-                   the peristent connection counter */
+                   the persistent connection counter */
                atomic_dec(&dest->persistconns);
        }
@@ -677,6 +680,16 @@ static inline void ip_vs_unbind_dest(struct ip_vs_conn *cp)
        atomic_dec(&dest->refcnt);
 }
+static int expire_quiescent_template(struct netns_ipvs *ipvs,
+                                     struct ip_vs_dest *dest)
+{
+#ifdef CONFIG_SYSCTL
+        return ipvs->sysctl_expire_quiescent_template &&
+                (atomic_read(&dest->weight) == 0);
+#else
+        return 0;
+#endif
+}
 /*
 *      Checking if the destination of a connection template is available.
@@ -686,14 +699,14 @@ static inline void ip_vs_unbind_dest(struct ip_vs_conn *cp)
 int ip_vs_check_template(struct ip_vs_conn *ct)
 {
        struct ip_vs_dest *dest = ct->dest;
+        struct netns_ipvs *ipvs = net_ipvs(ip_vs_conn_net(ct));
        /*
         * Checking the dest server status.
         */
        if ((dest == NULL) ||
            !(dest->flags & IP_VS_DEST_F_AVAILABLE) ||
-            (sysctl_ip_vs_expire_quiescent_template &&
+            expire_quiescent_template(ipvs, dest)) {
-             (atomic_read(&dest->weight) == 0))) {
                IP_VS_DBG_BUF(9, "check_template: dest not available for "
                              "protocol %s s:%s:%d v:%s:%d "
                              "-> d:%s:%d\n",
@@ -730,6 +743,7 @@ int ip_vs_check_template(struct ip_vs_conn *ct)
 static void ip_vs_conn_expire(unsigned long data)
 {
        struct ip_vs_conn *cp = (struct ip_vs_conn *)data;
+        struct netns_ipvs *ipvs = net_ipvs(ip_vs_conn_net(cp));
        cp->timeout = 60*HZ;
@@ -765,13 +779,14 @@ static void ip_vs_conn_expire(unsigned long data)
                if (cp->flags & IP_VS_CONN_F_NFCT)
                        ip_vs_conn_drop_conntrack(cp);
+                ip_vs_pe_put(cp->pe);
                kfree(cp->pe_data);
                if (unlikely(cp->app != NULL))
                        ip_vs_unbind_app(cp);
                ip_vs_unbind_dest(cp);
                if (cp->flags & IP_VS_CONN_F_NO_CPORT)
                        atomic_dec(&ip_vs_conn_no_cport_cnt);
-                atomic_dec(&ip_vs_conn_count);
+                atomic_dec(&ipvs->conn_count);
                kmem_cache_free(ip_vs_conn_cachep, cp);
                return;
@@ -802,10 +817,12 @@ void ip_vs_conn_expire_now(struct ip_vs_conn *cp)
 struct ip_vs_conn *
 ip_vs_conn_new(const struct ip_vs_conn_param *p,
               const union nf_inet_addr *daddr, __be16 dport, unsigned flags,
-               struct ip_vs_dest *dest)
+               struct ip_vs_dest *dest, __u32 fwmark)
 {
        struct ip_vs_conn *cp;
-        struct ip_vs_protocol *pp = ip_vs_proto_get(p->protocol);
+        struct netns_ipvs *ipvs = net_ipvs(p->net);
+        struct ip_vs_proto_data *pd = ip_vs_proto_data_get(p->net,
+                                                           p->protocol);
        cp = kmem_cache_zalloc(ip_vs_conn_cachep, GFP_ATOMIC);
        if (cp == NULL) {
@@ -813,8 +830,9 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
                return NULL;
        }
-        INIT_LIST_HEAD(&cp->c_list);
+        INIT_HLIST_NODE(&cp->c_list);
        setup_timer(&cp->timer, ip_vs_conn_expire, (unsigned long)cp);
+        ip_vs_conn_net_set(cp, p->net);
        cp->af             = p->af;
        cp->protocol       = p->protocol;
        ip_vs_addr_copy(p->af, &cp->caddr, p->caddr);
@@ -826,7 +844,10 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
                        &cp->daddr, daddr);
        cp->dport          = dport;
        cp->flags          = flags;
-        if (flags & IP_VS_CONN_F_TEMPLATE && p->pe_data) {
+        cp->fwmark         = fwmark;
+        if (flags & IP_VS_CONN_F_TEMPLATE && p->pe) {
+                ip_vs_pe_get(p->pe);
+                cp->pe = p->pe;
                cp->pe_data = p->pe_data;
                cp->pe_data_len = p->pe_data_len;
        }
@@ -842,7 +863,7 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
        atomic_set(&cp->n_control, 0);
        atomic_set(&cp->in_pkts, 0);
-        atomic_inc(&ip_vs_conn_count);
+        atomic_inc(&ipvs->conn_count);
        if (flags & IP_VS_CONN_F_NO_CPORT)
                atomic_inc(&ip_vs_conn_no_cport_cnt);
@@ -861,8 +882,8 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
 #endif
                ip_vs_bind_xmit(cp);
-        if (unlikely(pp && atomic_read(&pp->appcnt)))
+        if (unlikely(pd && atomic_read(&pd->appcnt)))
-                ip_vs_bind_app(cp, pp);
+                ip_vs_bind_app(cp, pd->pp);
        /*
         * Allow conntrack to be preserved. By default, conntrack
@@ -871,7 +892,7 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
         * IP_VS_CONN_F_ONE_PACKET too.
         */
-        if (ip_vs_conntrack_enabled())
+        if (ip_vs_conntrack_enabled(ipvs))
                cp->flags |= IP_VS_CONN_F_NFCT;
        /* Hash it in the ip_vs_conn_tab finally */
@@ -884,18 +905,24 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p,
 *      /proc/net/ip_vs_conn entries
 */
 #ifdef CONFIG_PROC_FS
+struct ip_vs_iter_state {
+        struct seq_net_private  p;
+        struct hlist_head       *l;
+};
 static void *ip_vs_conn_array(struct seq_file *seq, loff_t pos)
 {
        int idx;
        struct ip_vs_conn *cp;
+        struct ip_vs_iter_state *iter = seq->private;
+        struct hlist_node *n;
        for (idx = 0; idx < ip_vs_conn_tab_size; idx++) {
                ct_read_lock_bh(idx);
-                list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) {
+                hlist_for_each_entry(cp, n, &ip_vs_conn_tab[idx], c_list) {
                        if (pos-- == 0) {
-                                seq->private = &ip_vs_conn_tab[idx];
+                                iter->l = &ip_vs_conn_tab[idx];
-                        return cp;
+                                return cp;
                        }
                }
                ct_read_unlock_bh(idx);
@@ -906,14 +933,18 @@ static void *ip_vs_conn_array(struct seq_file *seq, loff_t pos)
 static void *ip_vs_conn_seq_start(struct seq_file *seq, loff_t *pos)
 {
-        seq->private = NULL;
+        struct ip_vs_iter_state *iter = seq->private;
+        iter->l = NULL;
        return *pos ? ip_vs_conn_array(seq, *pos - 1) :SEQ_START_TOKEN;
 }
 static void *ip_vs_conn_seq_next(struct seq_file *seq, void *v, loff_t *pos)
 {
        struct ip_vs_conn *cp = v;
-        struct list_head *e, *l = seq->private;
+        struct ip_vs_iter_state *iter = seq->private;
+        struct hlist_node *e;
+        struct hlist_head *l = iter->l;
        int idx;
        ++*pos;
@@ -921,27 +952,28 @@ static void *ip_vs_conn_seq_next(struct seq_file *seq, void *v, loff_t *pos)
                return ip_vs_conn_array(seq, 0);
        /* more on same hash chain? */
-        if ((e = cp->c_list.next) != l)
+        if ((e = cp->c_list.next))
-                return list_entry(e, struct ip_vs_conn, c_list);
+                return hlist_entry(e, struct ip_vs_conn, c_list);
        idx = l - ip_vs_conn_tab;
        ct_read_unlock_bh(idx);
        while (++idx < ip_vs_conn_tab_size) {
                ct_read_lock_bh(idx);
-                list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) {
+                hlist_for_each_entry(cp, e, &ip_vs_conn_tab[idx], c_list) {
-                        seq->private = &ip_vs_conn_tab[idx];
+                        iter->l = &ip_vs_conn_tab[idx];
                        return cp;
                }
                ct_read_unlock_bh(idx);
        }
-        seq->private = NULL;
+        iter->l = NULL;
        return NULL;
 }
 static void ip_vs_conn_seq_stop(struct seq_file *seq, void *v)
 {
-        struct list_head *l = seq->private;
+        struct ip_vs_iter_state *iter = seq->private;
+        struct hlist_head *l = iter->l;
        if (l)
                ct_read_unlock_bh(l - ip_vs_conn_tab);
@@ -955,18 +987,19 @@ static int ip_vs_conn_seq_show(struct seq_file *seq, void *v)
   "Pro FromIP   FPrt ToIP     TPrt DestIP   DPrt State       Expires PEName PEData\n");
        else {
                const struct ip_vs_conn *cp = v;
+                struct net *net = seq_file_net(seq);
                char pe_data[IP_VS_PENAME_MAXLEN + IP_VS_PEDATA_MAXLEN + 3];
                size_t len = 0;
-                if (cp->dest && cp->pe_data &&
+                if (!ip_vs_conn_net_eq(cp, net))
-                    cp->dest->svc->pe->show_pe_data) {
+                        return 0;
+                if (cp->pe_data) {
                        pe_data[0] = ' ';
-                        len = strlen(cp->dest->svc->pe->name);
+                        len = strlen(cp->pe->name);
-                        memcpy(pe_data + 1, cp->dest->svc->pe->name, len);
+                        memcpy(pe_data + 1, cp->pe->name, len);
                        pe_data[len + 1] = ' ';
                        len += 2;
-                        len += cp->dest->svc->pe->show_pe_data(cp,
+                        len += cp->pe->show_pe_data(cp, pe_data + len);
-                                                               pe_data + len);
                }
                pe_data[len] = '\0';
@@ -1004,7 +1037,8 @@ static const struct seq_operations ip_vs_conn_seq_ops = {
 static int ip_vs_conn_open(struct inode *inode, struct file *file)
 {
-        return seq_open(file, &ip_vs_conn_seq_ops);
+        return seq_open_net(inode, file, &ip_vs_conn_seq_ops,
+                            sizeof(struct ip_vs_iter_state));
 }
 static const struct file_operations ip_vs_conn_fops = {
@@ -1012,7 +1046,7 @@ static const struct file_operations ip_vs_conn_fops = {
        .open    = ip_vs_conn_open,
        .read    = seq_read,
        .llseek  = seq_lseek,
-        .release = seq_release,
+        .release = seq_release_net,
 };
 static const char *ip_vs_origin_name(unsigned flags)
@@ -1031,6 +1065,10 @@ static int ip_vs_conn_sync_seq_show(struct seq_file *seq, void *v)
   "Pro FromIP   FPrt ToIP     TPrt DestIP   DPrt State       Origin Expires\n");
        else {
                const struct ip_vs_conn *cp = v;
+                struct net *net = seq_file_net(seq);
+                if (!ip_vs_conn_net_eq(cp, net))
+                        return 0;
 #ifdef CONFIG_IP_VS_IPV6
                if (cp->af == AF_INET6)
@@ -1067,7 +1105,8 @@ static const struct seq_operations ip_vs_conn_sync_seq_ops = {
 static int ip_vs_conn_sync_open(struct inode *inode, struct file *file)
 {
-        return seq_open(file, &ip_vs_conn_sync_seq_ops);
+        return seq_open_net(inode, file, &ip_vs_conn_sync_seq_ops,
+                            sizeof(struct ip_vs_iter_state));
 }
 static const struct file_operations ip_vs_conn_sync_fops = {
@@ -1075,7 +1114,7 @@ static const struct file_operations ip_vs_conn_sync_fops = {
        .open    = ip_vs_conn_sync_open,
        .read    = seq_read,
        .llseek  = seq_lseek,
-        .release = seq_release,
+        .release = seq_release_net,
 };
 #endif
@@ -1113,7 +1152,7 @@ static inline int todrop_entry(struct ip_vs_conn *cp)
 }
 /* Called from keventd and must protect itself from softirqs */
-void ip_vs_random_dropentry(void)
+void ip_vs_random_dropentry(struct net *net)
 {
        int idx;
        struct ip_vs_conn *cp;
@@ -1123,17 +1162,19 @@ void ip_vs_random_dropentry(void)
         */
        for (idx = 0; idx < (ip_vs_conn_tab_size>>5); idx++) {
                unsigned hash = net_random() & ip_vs_conn_tab_mask;
+                struct hlist_node *n;
                /*
                 *  Lock is actually needed in this loop.
                 */
                ct_write_lock_bh(hash);
-                list_for_each_entry(cp, &ip_vs_conn_tab[hash], c_list) {
+                hlist_for_each_entry(cp, n, &ip_vs_conn_tab[hash], c_list) {
                        if (cp->flags & IP_VS_CONN_F_TEMPLATE)
                                /* connection template */
                                continue;
+                        if (!ip_vs_conn_net_eq(cp, net))
+                                continue;
                        if (cp->protocol == IPPROTO_TCP) {
                                switch(cp->state) {
                                case IP_VS_TCP_S_SYN_RECV:
@@ -1168,20 +1209,24 @@ void ip_vs_random_dropentry(void)
 /*
 *      Flush all the connection entries in the ip_vs_conn_tab
 */
-static void ip_vs_conn_flush(void)
+static void ip_vs_conn_flush(struct net *net)
 {
        int idx;
        struct ip_vs_conn *cp;
+        struct netns_ipvs *ipvs = net_ipvs(net);
-  flush_again:
+flush_again:
        for (idx = 0; idx < ip_vs_conn_tab_size; idx++) {
+                struct hlist_node *n;
                /*
                 *  Lock is actually needed in this loop.
                 */
                ct_write_lock_bh(idx);
-                list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) {
+                hlist_for_each_entry(cp, n, &ip_vs_conn_tab[idx], c_list) {
+                        if (!ip_vs_conn_net_eq(cp, net))
+                                continue;
                        IP_VS_DBG(4, "del connection\n");
                        ip_vs_conn_expire_now(cp);
                        if (cp->control) {
@@ -1194,12 +1239,32 @@ static void ip_vs_conn_flush(void)
        /* the counter may be not NULL, because maybe some conn entries
           are run by slow timer handler or unhashed but still referred */
-        if (atomic_read(&ip_vs_conn_count) != 0) {
+        if (atomic_read(&ipvs->conn_count) != 0) {
                schedule();
                goto flush_again;
        }
 }
+/*
+ * per netns init and exit
+ */
+int __net_init __ip_vs_conn_init(struct net *net)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        atomic_set(&ipvs->conn_count, 0);
+        proc_net_fops_create(net, "ip_vs_conn", 0, &ip_vs_conn_fops);
+        proc_net_fops_create(net, "ip_vs_conn_sync", 0, &ip_vs_conn_sync_fops);
+        return 0;
+}
+void __net_exit __ip_vs_conn_cleanup(struct net *net)
+{
+        /* flush all the connection entries first */
+        ip_vs_conn_flush(net);
+        proc_net_remove(net, "ip_vs_conn");
+        proc_net_remove(net, "ip_vs_conn_sync");
+}
 int __init ip_vs_conn_init(void)
 {
@@ -1212,8 +1277,7 @@ int __init ip_vs_conn_init(void)
        /*
         * Allocate the connection hash table and initialize its list heads
         */
-        ip_vs_conn_tab = vmalloc(ip_vs_conn_tab_size *
+        ip_vs_conn_tab = vmalloc(ip_vs_conn_tab_size * sizeof(*ip_vs_conn_tab));
-                                 sizeof(struct list_head));
        if (!ip_vs_conn_tab)
                return -ENOMEM;
@@ -1233,32 +1297,22 @@ int __init ip_vs_conn_init(void)
        IP_VS_DBG(0, "Each connection entry needs %Zd bytes at least\n",
                  sizeof(struct ip_vs_conn));
-        for (idx = 0; idx < ip_vs_conn_tab_size; idx++) {
+        for (idx = 0; idx < ip_vs_conn_tab_size; idx++)
-                INIT_LIST_HEAD(&ip_vs_conn_tab[idx]);
+                INIT_HLIST_HEAD(&ip_vs_conn_tab[idx]);
-        }
        for (idx = 0; idx < CT_LOCKARRAY_SIZE; idx++)  {
                rwlock_init(&__ip_vs_conntbl_lock_array[idx].l);
        }
-        proc_net_fops_create(&init_net, "ip_vs_conn", 0, &ip_vs_conn_fops);
-        proc_net_fops_create(&init_net, "ip_vs_conn_sync", 0, &ip_vs_conn_sync_fops);
        /* calculate the random value for connection hash */
        get_random_bytes(&ip_vs_conn_rnd, sizeof(ip_vs_conn_rnd));
        return 0;
 }
 void ip_vs_conn_cleanup(void)
 {
-        /* flush all the connection entries first */
-        ip_vs_conn_flush();
        /* Release the empty cache */
        kmem_cache_destroy(ip_vs_conn_cachep);
-        proc_net_remove(&init_net, "ip_vs_conn");
-        proc_net_remove(&init_net, "ip_vs_conn_sync");
        vfree(ip_vs_conn_tab);
 }
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index b4e51e9c5a04..bfa808f4da13 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -41,6 +41,7 @@
 #include <net/icmp.h>                   /* for icmp_send */
 #include <net/route.h>
 #include <net/ip6_checksum.h>
+#include <net/netns/generic.h>          /* net_generic() */
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
@@ -68,6 +69,12 @@ EXPORT_SYMBOL(ip_vs_conn_put);
 EXPORT_SYMBOL(ip_vs_get_debug_level);
 #endif
+int ip_vs_net_id __read_mostly;
+#ifdef IP_VS_GENERIC_NETNS
+EXPORT_SYMBOL(ip_vs_net_id);
+#endif
+/* netns cnt used for uniqueness */
+static atomic_t ipvs_netns_cnt = ATOMIC_INIT(0);
 /* ID used in ICMP lookups */
 #define icmp_id(icmph)          (((icmph)->un).echo.id)
@@ -108,21 +115,28 @@ static inline void
 ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
 {
        struct ip_vs_dest *dest = cp->dest;
+        struct netns_ipvs *ipvs = net_ipvs(skb_net(skb));
        if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
-                spin_lock(&dest->stats.lock);
+                struct ip_vs_cpu_stats *s;
-                dest->stats.ustats.inpkts++;
-                dest->stats.ustats.inbytes += skb->len;
+                s = this_cpu_ptr(dest->stats.cpustats);
-                spin_unlock(&dest->stats.lock);
+                s->ustats.inpkts++;
+                u64_stats_update_begin(&s->syncp);
-                spin_lock(&dest->svc->stats.lock);
+                s->ustats.inbytes += skb->len;
-                dest->svc->stats.ustats.inpkts++;
+                u64_stats_update_end(&s->syncp);
-                dest->svc->stats.ustats.inbytes += skb->len;
-                spin_unlock(&dest->svc->stats.lock);
+                s = this_cpu_ptr(dest->svc->stats.cpustats);
+                s->ustats.inpkts++;
-                spin_lock(&ip_vs_stats.lock);
+                u64_stats_update_begin(&s->syncp);
-                ip_vs_stats.ustats.inpkts++;
+                s->ustats.inbytes += skb->len;
-                ip_vs_stats.ustats.inbytes += skb->len;
+                u64_stats_update_end(&s->syncp);
-                spin_unlock(&ip_vs_stats.lock);
+                s = this_cpu_ptr(ipvs->tot_stats.cpustats);
+                s->ustats.inpkts++;
+                u64_stats_update_begin(&s->syncp);
+                s->ustats.inbytes += skb->len;
+                u64_stats_update_end(&s->syncp);
        }
 }
@@ -131,21 +145,28 @@ static inline void
 ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
 {
        struct ip_vs_dest *dest = cp->dest;
+        struct netns_ipvs *ipvs = net_ipvs(skb_net(skb));
        if (dest && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
-                spin_lock(&dest->stats.lock);
+                struct ip_vs_cpu_stats *s;
-                dest->stats.ustats.outpkts++;
-                dest->stats.ustats.outbytes += skb->len;
+                s = this_cpu_ptr(dest->stats.cpustats);
-                spin_unlock(&dest->stats.lock);
+                s->ustats.outpkts++;
+                u64_stats_update_begin(&s->syncp);
-                spin_lock(&dest->svc->stats.lock);
+                s->ustats.outbytes += skb->len;
-                dest->svc->stats.ustats.outpkts++;
+                u64_stats_update_end(&s->syncp);
-                dest->svc->stats.ustats.outbytes += skb->len;
-                spin_unlock(&dest->svc->stats.lock);
+                s = this_cpu_ptr(dest->svc->stats.cpustats);
+                s->ustats.outpkts++;
-                spin_lock(&ip_vs_stats.lock);
+                u64_stats_update_begin(&s->syncp);
-                ip_vs_stats.ustats.outpkts++;
+                s->ustats.outbytes += skb->len;
-                ip_vs_stats.ustats.outbytes += skb->len;
+                u64_stats_update_end(&s->syncp);
-                spin_unlock(&ip_vs_stats.lock);
+                s = this_cpu_ptr(ipvs->tot_stats.cpustats);
+                s->ustats.outpkts++;
+                u64_stats_update_begin(&s->syncp);
+                s->ustats.outbytes += skb->len;
+                u64_stats_update_end(&s->syncp);
        }
 }
@@ -153,41 +174,44 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
 static inline void
 ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
 {
-        spin_lock(&cp->dest->stats.lock);
+        struct netns_ipvs *ipvs = net_ipvs(svc->net);
-        cp->dest->stats.ustats.conns++;
+        struct ip_vs_cpu_stats *s;
-        spin_unlock(&cp->dest->stats.lock);
-        spin_lock(&svc->stats.lock);
+        s = this_cpu_ptr(cp->dest->stats.cpustats);
-        svc->stats.ustats.conns++;
+        s->ustats.conns++;
-        spin_unlock(&svc->stats.lock);
-        spin_lock(&ip_vs_stats.lock);
+        s = this_cpu_ptr(svc->stats.cpustats);
-        ip_vs_stats.ustats.conns++;
+        s->ustats.conns++;
-        spin_unlock(&ip_vs_stats.lock);
+        s = this_cpu_ptr(ipvs->tot_stats.cpustats);
+        s->ustats.conns++;
 }
 static inline int
 ip_vs_set_state(struct ip_vs_conn *cp, int direction,
                const struct sk_buff *skb,
-                struct ip_vs_protocol *pp)
+                struct ip_vs_proto_data *pd)
 {
-        if (unlikely(!pp->state_transition))
+        if (unlikely(!pd->pp->state_transition))
                return 0;
-        return pp->state_transition(cp, direction, skb, pp);
+        return pd->pp->state_transition(cp, direction, skb, pd);
 }
-static inline void
+static inline int
 ip_vs_conn_fill_param_persist(const struct ip_vs_service *svc,
                              struct sk_buff *skb, int protocol,
                              const union nf_inet_addr *caddr, __be16 cport,
                              const union nf_inet_addr *vaddr, __be16 vport,
                              struct ip_vs_conn_param *p)
 {
-        ip_vs_conn_fill_param(svc->af, protocol, caddr, cport, vaddr, vport, p);
+        ip_vs_conn_fill_param(svc->net, svc->af, protocol, caddr, cport, vaddr,
+                              vport, p);
        p->pe = svc->pe;
        if (p->pe && p->pe->fill_param)
-                p->pe->fill_param(p, skb);
+                return p->pe->fill_param(p, skb);
+        return 0;
 }
 /*
@@ -200,7 +224,7 @@ ip_vs_conn_fill_param_persist(const struct ip_vs_service *svc,
 static struct ip_vs_conn *
 ip_vs_sched_persist(struct ip_vs_service *svc,
                    struct sk_buff *skb,
-                    __be16 ports[2])
+                    __be16 src_port, __be16 dst_port, int *ignored)
 {
        struct ip_vs_conn *cp = NULL;
        struct ip_vs_iphdr iph;
@@ -224,8 +248,8 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
        IP_VS_DBG_BUF(6, "p-schedule: src %s:%u dest %s:%u "
                      "mnet %s\n",
-                      IP_VS_DBG_ADDR(svc->af, &iph.saddr), ntohs(ports[0]),
+                      IP_VS_DBG_ADDR(svc->af, &iph.saddr), ntohs(src_port),
-                      IP_VS_DBG_ADDR(svc->af, &iph.daddr), ntohs(ports[1]),
+                      IP_VS_DBG_ADDR(svc->af, &iph.daddr), ntohs(dst_port),
                      IP_VS_DBG_ADDR(svc->af, &snet));
        /*
@@ -247,14 +271,14 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
                const union nf_inet_addr fwmark = { .ip = htonl(svc->fwmark) };
                __be16 vport = 0;
-                if (ports[1] == svc->port) {
+                if (dst_port == svc->port) {
                        /* non-FTP template:
                         * <protocol, caddr, 0, vaddr, vport, daddr, dport>
                         * FTP template:
                         * <protocol, caddr, 0, vaddr, 0, daddr, 0>
                         */
                        if (svc->port != FTPPORT)
-                                vport = ports[1];
+                                vport = dst_port;
                } else {
                        /* Note: persistent fwmark-based services and
                         * persistent port zero service are handled here.
@@ -268,24 +292,31 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
                                vaddr = &fwmark;
                        }
                }
-                ip_vs_conn_fill_param_persist(svc, skb, protocol, &snet, 0,
+                /* return *ignored = -1 so NF_DROP can be used */
-                                              vaddr, vport, &param);
+                if (ip_vs_conn_fill_param_persist(svc, skb, protocol, &snet, 0,
+                                                  vaddr, vport, &param) < 0) {
+                        *ignored = -1;
+                        return NULL;
+                }
        }
        /* Check if a template already exists */
        ct = ip_vs_ct_in_get(&param);
        if (!ct || !ip_vs_check_template(ct)) {
-                /* No template found or the dest of the connection
+                /*
+                 * No template found or the dest of the connection
                 * template is not available.
+                 * return *ignored=0 i.e. ICMP and NF_DROP
                 */
                dest = svc->scheduler->schedule(svc, skb);
                if (!dest) {
                        IP_VS_DBG(1, "p-schedule: no dest found.\n");
                        kfree(param.pe_data);
+                        *ignored = 0;
                        return NULL;
                }
-                if (ports[1] == svc->port && svc->port != FTPPORT)
+                if (dst_port == svc->port && svc->port != FTPPORT)
                        dport = dest->port;
                /* Create a template
@@ -293,9 +324,10 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
                 * and thus param.pe_data will be destroyed
                 * when the template expires */
                ct = ip_vs_conn_new(&param, &dest->addr, dport,
-                                    IP_VS_CONN_F_TEMPLATE, dest);
+                                    IP_VS_CONN_F_TEMPLATE, dest, skb->mark);
                if (ct == NULL) {
                        kfree(param.pe_data);
+                        *ignored = -1;
                        return NULL;
                }
@@ -306,7 +338,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
                kfree(param.pe_data);
        }
-        dport = ports[1];
+        dport = dst_port;
        if (dport == svc->port && dest->port)
                dport = dest->port;
@@ -317,11 +349,13 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
        /*
         *    Create a new connection according to the template
         */
-        ip_vs_conn_fill_param(svc->af, iph.protocol, &iph.saddr, ports[0],
+        ip_vs_conn_fill_param(svc->net, svc->af, iph.protocol, &iph.saddr,
-                              &iph.daddr, ports[1], &param);
+                              src_port, &iph.daddr, dst_port, &param);
-        cp = ip_vs_conn_new(&param, &dest->addr, dport, flags, dest);
+        cp = ip_vs_conn_new(&param, &dest->addr, dport, flags, dest, skb->mark);
        if (cp == NULL) {
                ip_vs_conn_put(ct);
+                *ignored = -1;
                return NULL;
        }
@@ -341,11 +375,27 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
 *  It selects a server according to the virtual service, and
 *  creates a connection entry.
 *  Protocols supported: TCP, UDP
+ *
+ *  Usage of *ignored
+ *
+ * 1 :   protocol tried to schedule (eg. on SYN), found svc but the
+ *       svc/scheduler decides that this packet should be accepted with
+ *       NF_ACCEPT because it must not be scheduled.
+ *
+ * 0 :   scheduler can not find destination, so try bypass or
+ *       return ICMP and then NF_DROP (ip_vs_leave).
+ *
+ * -1 :  scheduler tried to schedule but fatal error occurred, eg.
+ *       ip_vs_conn_new failure (ENOMEM) or ip_vs_sip_fill_param
+ *       failure such as missing Call-ID, ENOMEM on skb_linearize
+ *       or pe_data. In this case we should return NF_DROP without
+ *       any attempts to send ICMP with ip_vs_leave.
 */
 struct ip_vs_conn *
 ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
-               struct ip_vs_protocol *pp, int *ignored)
+               struct ip_vs_proto_data *pd, int *ignored)
 {
+        struct ip_vs_protocol *pp = pd->pp;
        struct ip_vs_conn *cp = NULL;
        struct ip_vs_iphdr iph;
        struct ip_vs_dest *dest;
@@ -371,12 +421,10 @@ ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
        }
        /*
-         * Do not schedule replies from local real server. It is risky
+         *    Do not schedule replies from local real server.
-         * for fwmark services but mostly for persistent services.
         */
        if ((!skb->dev || skb->dev->flags & IFF_LOOPBACK) &&
-            (svc->flags & IP_VS_SVC_F_PERSISTENT || svc->fwmark) &&
+            (cp = pp->conn_in_get(svc->af, skb, &iph, iph.len, 1))) {
-            (cp = pp->conn_in_get(svc->af, skb, pp, &iph, iph.len, 1))) {
                IP_VS_DBG_PKT(12, svc->af, pp, skb, 0,
                              "Not scheduling reply for existing connection");
                __ip_vs_conn_put(cp);
@@ -386,10 +434,10 @@ ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
        /*
         *    Persistent service
         */
-        if (svc->flags & IP_VS_SVC_F_PERSISTENT) {
+        if (svc->flags & IP_VS_SVC_F_PERSISTENT)
-                *ignored = 0;
+                return ip_vs_sched_persist(svc, skb, pptr[0], pptr[1], ignored);
-                return ip_vs_sched_persist(svc, skb, pptr);
-        }
+        *ignored = 0;
        /*
         *    Non-persistent service
@@ -402,8 +450,6 @@ ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
                return NULL;
        }
-        *ignored = 0;
        dest = svc->scheduler->schedule(svc, skb);
        if (dest == NULL) {
                IP_VS_DBG(1, "Schedule: no dest found.\n");
@@ -419,13 +465,17 @@ ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
         */
        {
                struct ip_vs_conn_param p;
-                ip_vs_conn_fill_param(svc->af, iph.protocol, &iph.saddr,
-                                      pptr[0], &iph.daddr, pptr[1], &p);
+                ip_vs_conn_fill_param(svc->net, svc->af, iph.protocol,
+                                      &iph.saddr, pptr[0], &iph.daddr, pptr[1],
+                                      &p);
                cp = ip_vs_conn_new(&p, &dest->addr,
                                    dest->port ? dest->port : pptr[1],
-                                    flags, dest);
+                                    flags, dest, skb->mark);
-                if (!cp)
+                if (!cp) {
+                        *ignored = -1;
                        return NULL;
+                }
        }
        IP_VS_DBG_BUF(6, "Schedule fwd:%c c:%s:%u v:%s:%u "
@@ -447,11 +497,16 @@ ip_vs_schedule(struct ip_vs_service *svc, struct sk_buff *skb,
 *  no destination is available for a new connection.
 */
 int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
-                struct ip_vs_protocol *pp)
+                struct ip_vs_proto_data *pd)
 {
        __be16 _ports[2], *pptr;
        struct ip_vs_iphdr iph;
+#ifdef CONFIG_SYSCTL
+        struct net *net;
+        struct netns_ipvs *ipvs;
        int unicast;
+#endif
        ip_vs_fill_iphdr(svc->af, skb_network_header(skb), &iph);
        pptr = skb_header_pointer(skb, iph.len, sizeof(_ports), _ports);
@@ -460,17 +515,21 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
                return NF_DROP;
        }
+#ifdef CONFIG_SYSCTL
+        net = skb_net(skb);
 #ifdef CONFIG_IP_VS_IPV6
        if (svc->af == AF_INET6)
                unicast = ipv6_addr_type(&iph.daddr.in6) & IPV6_ADDR_UNICAST;
        else
 #endif
-                unicast = (inet_addr_type(&init_net, iph.daddr.ip) == RTN_UNICAST);
+                unicast = (inet_addr_type(net, iph.daddr.ip) == RTN_UNICAST);
        /* if it is fwmark-based service, the cache_bypass sysctl is up
           and the destination is a non-local unicast, then create
           a cache_bypass connection entry */
-        if (sysctl_ip_vs_cache_bypass && svc->fwmark && unicast) {
+        ipvs = net_ipvs(net);
+        if (ipvs->sysctl_cache_bypass && svc->fwmark && unicast) {
                int ret, cs;
                struct ip_vs_conn *cp;
                unsigned int flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&
@@ -484,12 +543,12 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
                IP_VS_DBG(6, "%s(): create a cache_bypass entry\n", __func__);
                {
                        struct ip_vs_conn_param p;
-                        ip_vs_conn_fill_param(svc->af, iph.protocol,
+                        ip_vs_conn_fill_param(svc->net, svc->af, iph.protocol,
                                              &iph.saddr, pptr[0],
                                              &iph.daddr, pptr[1], &p);
                        cp = ip_vs_conn_new(&p, &daddr, 0,
                                            IP_VS_CONN_F_BYPASS | flags,
-                                            NULL);
+                                            NULL, skb->mark);
                        if (!cp)
                                return NF_DROP;
                }
@@ -498,16 +557,17 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
                ip_vs_in_stats(cp, skb);
                /* set state */
-                cs = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp);
+                cs = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pd);
                /* transmit the first SYN packet */
-                ret = cp->packet_xmit(skb, cp, pp);
+                ret = cp->packet_xmit(skb, cp, pd->pp);
                /* do not touch skb anymore */
                atomic_inc(&cp->in_pkts);
                ip_vs_conn_put(cp);
                return ret;
        }
+#endif
        /*
         * When the virtual ftp service is presented, packets destined
@@ -544,6 +604,33 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
        return NF_DROP;
 }
+#ifdef CONFIG_SYSCTL
+static int sysctl_snat_reroute(struct sk_buff *skb)
+{
+        struct netns_ipvs *ipvs = net_ipvs(skb_net(skb));
+        return ipvs->sysctl_snat_reroute;
+}
+static int sysctl_nat_icmp_send(struct net *net)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        return ipvs->sysctl_nat_icmp_send;
+}
+static int sysctl_expire_nodest_conn(struct netns_ipvs *ipvs)
+{
+        return ipvs->sysctl_expire_nodest_conn;
+}
+#else
+static int sysctl_snat_reroute(struct sk_buff *skb) { return 0; }
+static int sysctl_nat_icmp_send(struct net *net) { return 0; }
+static int sysctl_expire_nodest_conn(struct netns_ipvs *ipvs) { return 0; }
+#endif
 __sum16 ip_vs_checksum_complete(struct sk_buff *skb, int offset)
 {
        return csum_fold(skb_checksum(skb, offset, skb->len - offset, 0));
@@ -576,6 +663,22 @@ static inline int ip_vs_gather_frags_v6(struct sk_buff *skb, u_int32_t user)
 }
 #endif
+static int ip_vs_route_me_harder(int af, struct sk_buff *skb)
+{
+#ifdef CONFIG_IP_VS_IPV6
+        if (af == AF_INET6) {
+                if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0)
+                        return 1;
+        } else
+#endif
+                if ((sysctl_snat_reroute(skb) ||
+                     skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
+                    ip_route_me_harder(skb, RTN_LOCAL) != 0)
+                        return 1;
+        return 0;
+}
 /*
 * Packet has been made sufficiently writable in caller
 * - inout: 1=in->out, 0=out->in
@@ -674,7 +777,7 @@ void ip_vs_nat_icmp_v6(struct sk_buff *skb, struct ip_vs_protocol *pp,
 #endif
 /* Handle relevant response ICMP messages - forward to the right
- * destination host. Used for NAT and local client.
+ * destination host.
 */
 static int handle_response_icmp(int af, struct sk_buff *skb,
                                union nf_inet_addr *snet,
@@ -710,16 +813,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
 #endif
                ip_vs_nat_icmp(skb, pp, cp, 1);
-#ifdef CONFIG_IP_VS_IPV6
+        if (ip_vs_route_me_harder(af, skb))
-        if (af == AF_INET6) {
+                goto out;
-                if (sysctl_ip_vs_snat_reroute && ip6_route_me_harder(skb) != 0)
-                        goto out;
-        } else
-#endif
-                if ((sysctl_ip_vs_snat_reroute ||
-                     skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
-                    ip_route_me_harder(skb, RTN_LOCAL) != 0)
-                        goto out;
        /* do the statistics and put it back */
        ip_vs_out_stats(cp, skb);
@@ -808,7 +903,7 @@ static int ip_vs_out_icmp(struct sk_buff *skb, int *related,
        ip_vs_fill_iphdr(AF_INET, cih, &ciph);
        /* The embedded headers contain source and dest in reverse order */
-        cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1);
+        cp = pp->conn_out_get(AF_INET, skb, &ciph, offset, 1);
        if (!cp)
                return NF_ACCEPT;
@@ -885,7 +980,7 @@ static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related,
        ip_vs_fill_iphdr(AF_INET6, cih, &ciph);
        /* The embedded headers contain source and dest in reverse order */
-        cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1);
+        cp = pp->conn_out_get(AF_INET6, skb, &ciph, offset, 1);
        if (!cp)
                return NF_ACCEPT;
@@ -921,12 +1016,13 @@ static inline int is_tcp_reset(const struct sk_buff *skb, int nh_len)
 }
 /* Handle response packets: rewrite addresses and send away...
- * Used for NAT and local client.
 */
 static unsigned int
-handle_response(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
                struct ip_vs_conn *cp, int ihl)
 {
+        struct ip_vs_protocol *pp = pd->pp;
        IP_VS_DBG_PKT(11, af, pp, skb, 0, "Outgoing packet");
        if (!skb_make_writable(skb, ihl))
@@ -961,21 +1057,13 @@ handle_response(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
         * if it came from this machine itself.  So re-compute
         * the routing information.
         */
-#ifdef CONFIG_IP_VS_IPV6
+        if (ip_vs_route_me_harder(af, skb))
-        if (af == AF_INET6) {
+                goto drop;
-                if (sysctl_ip_vs_snat_reroute && ip6_route_me_harder(skb) != 0)
-                        goto drop;
-        } else
-#endif
-                if ((sysctl_ip_vs_snat_reroute ||
-                     skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
-                    ip_route_me_harder(skb, RTN_LOCAL) != 0)
-                        goto drop;
        IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT");
        ip_vs_out_stats(cp, skb);
-        ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pp);
+        ip_vs_set_state(cp, IP_VS_DIR_OUTPUT, skb, pd);
        skb->ipvs_property = 1;
        if (!(cp->flags & IP_VS_CONN_F_NFCT))
                ip_vs_notrack(skb);
@@ -999,8 +1087,10 @@ drop:
 static unsigned int
 ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
 {
+        struct net *net = NULL;
        struct ip_vs_iphdr iph;
        struct ip_vs_protocol *pp;
+        struct ip_vs_proto_data *pd;
        struct ip_vs_conn *cp;
        EnterFunction(11);
@@ -1022,6 +1112,10 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
        if (unlikely(!skb_dst(skb)))
                return NF_ACCEPT;
+        net = skb_net(skb);
+        if (!net_ipvs(net)->enable)
+                return NF_ACCEPT;
        ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
 #ifdef CONFIG_IP_VS_IPV6
        if (af == AF_INET6) {
@@ -1045,9 +1139,10 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
                        ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
                }
-        pp = ip_vs_proto_get(iph.protocol);
+        pd = ip_vs_proto_data_get(net, iph.protocol);
-        if (unlikely(!pp))
+        if (unlikely(!pd))
                return NF_ACCEPT;
+        pp = pd->pp;
        /* reassemble IP fragments */
 #ifdef CONFIG_IP_VS_IPV6
@@ -1073,11 +1168,11 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
        /*
         * Check if the packet belongs to an existing entry
         */
-        cp = pp->conn_out_get(af, skb, pp, &iph, iph.len, 0);
+        cp = pp->conn_out_get(af, skb, &iph, iph.len, 0);
        if (likely(cp))
-                return handle_response(af, skb, pp, cp, iph.len);
+                return handle_response(af, skb, pd, cp, iph.len);
-        if (sysctl_ip_vs_nat_icmp_send &&
+        if (sysctl_nat_icmp_send(net) &&
            (pp->protocol == IPPROTO_TCP ||
             pp->protocol == IPPROTO_UDP ||
             pp->protocol == IPPROTO_SCTP)) {
@@ -1087,7 +1182,7 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
                                          sizeof(_ports), _ports);
                if (pptr == NULL)
                        return NF_ACCEPT;       /* Not for me */
-                if (ip_vs_lookup_real_service(af, iph.protocol,
+                if (ip_vs_lookup_real_service(net, af, iph.protocol,
                                              &iph.saddr,
                                              pptr[0])) {
                        /*
@@ -1202,14 +1297,15 @@ ip_vs_local_reply6(unsigned int hooknum, struct sk_buff *skb,
 static int
 ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
 {
+        struct net *net = NULL;
        struct iphdr *iph;
        struct icmphdr  _icmph, *ic;
        struct iphdr    _ciph, *cih;    /* The ip header contained within the ICMP */
        struct ip_vs_iphdr ciph;
        struct ip_vs_conn *cp;
        struct ip_vs_protocol *pp;
+        struct ip_vs_proto_data *pd;
        unsigned int offset, ihl, verdict;
-        union nf_inet_addr snet;
        *related = 1;
@@ -1249,9 +1345,12 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
        if (cih == NULL)
                return NF_ACCEPT; /* The packet looks wrong, ignore */
-        pp = ip_vs_proto_get(cih->protocol);
+        net = skb_net(skb);
-        if (!pp)
+        pd = ip_vs_proto_data_get(net, cih->protocol);
+        if (!pd)
                return NF_ACCEPT;
+        pp = pd->pp;
        /* Is the embedded protocol header present? */
        if (unlikely(cih->frag_off & htons(IP_OFFSET) &&
@@ -1265,18 +1364,9 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
        ip_vs_fill_iphdr(AF_INET, cih, &ciph);
        /* The embedded headers contain source and dest in reverse order */
-        cp = pp->conn_in_get(AF_INET, skb, pp, &ciph, offset, 1);
+        cp = pp->conn_in_get(AF_INET, skb, &ciph, offset, 1);
-        if (!cp) {
+        if (!cp)
-                /* The packet could also belong to a local client */
-                cp = pp->conn_out_get(AF_INET, skb, pp, &ciph, offset, 1);
-                if (cp) {
-                        snet.ip = iph->saddr;
-                        return handle_response_icmp(AF_INET, skb, &snet,
-                                                    cih->protocol, cp, pp,
-                                                    offset, ihl);
-                }
                return NF_ACCEPT;
-        }
        verdict = NF_DROP;
@@ -1292,15 +1382,7 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
        ip_vs_in_stats(cp, skb);
        if (IPPROTO_TCP == cih->protocol || IPPROTO_UDP == cih->protocol)
                offset += 2 * sizeof(__u16);
-        verdict = ip_vs_icmp_xmit(skb, cp, pp, offset);
+        verdict = ip_vs_icmp_xmit(skb, cp, pp, offset, hooknum);
-        /* LOCALNODE from FORWARD hook is not supported */
-        if (verdict == NF_ACCEPT && hooknum == NF_INET_FORWARD &&
-            skb_rtable(skb)->rt_flags & RTCF_LOCAL) {
-                IP_VS_DBG(1, "%s(): "
-                          "local delivery to %pI4 but in FORWARD\n",
-                          __func__, &skb_rtable(skb)->rt_dst);
-                verdict = NF_DROP;
-        }
  out:
        __ip_vs_conn_put(cp);
@@ -1312,6 +1394,7 @@ ip_vs_in_icmp(struct sk_buff *skb, int *related, unsigned int hooknum)
 static int
 ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum)
 {
+        struct net *net = NULL;
        struct ipv6hdr *iph;
        struct icmp6hdr _icmph, *ic;
        struct ipv6hdr  _ciph, *cih;    /* The ip header contained
@@ -1319,9 +1402,8 @@ ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum)
        struct ip_vs_iphdr ciph;
        struct ip_vs_conn *cp;
        struct ip_vs_protocol *pp;
+        struct ip_vs_proto_data *pd;
        unsigned int offset, verdict;
-        union nf_inet_addr snet;
-        struct rt6_info *rt;
        *related = 1;
@@ -1361,9 +1443,11 @@ ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum)
        if (cih == NULL)
                return NF_ACCEPT; /* The packet looks wrong, ignore */
-        pp = ip_vs_proto_get(cih->nexthdr);
+        net = skb_net(skb);
-        if (!pp)
+        pd = ip_vs_proto_data_get(net, cih->nexthdr);
+        if (!pd)
                return NF_ACCEPT;
+        pp = pd->pp;
        /* Is the embedded protocol header present? */
        /* TODO: we don't support fragmentation at the moment anyways */
@@ -1377,37 +1461,16 @@ ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum)
        ip_vs_fill_iphdr(AF_INET6, cih, &ciph);
        /* The embedded headers contain source and dest in reverse order */
-        cp = pp->conn_in_get(AF_INET6, skb, pp, &ciph, offset, 1);
+        cp = pp->conn_in_get(AF_INET6, skb, &ciph, offset, 1);
-        if (!cp) {
+        if (!cp)
-                /* The packet could also belong to a local client */
-                cp = pp->conn_out_get(AF_INET6, skb, pp, &ciph, offset, 1);
-                if (cp) {
-                        ipv6_addr_copy(&snet.in6, &iph->saddr);
-                        return handle_response_icmp(AF_INET6, skb, &snet,
-                                                    cih->nexthdr,
-                                                    cp, pp, offset,
-                                                    sizeof(struct ipv6hdr));
-                }
                return NF_ACCEPT;
-        }
-        verdict = NF_DROP;
        /* do the statistics and put it back */
        ip_vs_in_stats(cp, skb);
        if (IPPROTO_TCP == cih->nexthdr || IPPROTO_UDP == cih->nexthdr ||
            IPPROTO_SCTP == cih->nexthdr)
                offset += 2 * sizeof(__u16);
-        verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, offset);
+        verdict = ip_vs_icmp_xmit_v6(skb, cp, pp, offset, hooknum);
-        /* LOCALNODE from FORWARD hook is not supported */
-        if (verdict == NF_ACCEPT && hooknum == NF_INET_FORWARD &&
-            (rt = (struct rt6_info *) skb_dst(skb)) &&
-            rt->rt6i_dev && rt->rt6i_dev->flags & IFF_LOOPBACK) {
-                IP_VS_DBG(1, "%s(): "
-                          "local delivery to %pI6 but in FORWARD\n",
-                          __func__, &rt->rt6i_dst);
-                verdict = NF_DROP;
-        }
        __ip_vs_conn_put(cp);
@@ -1423,10 +1486,13 @@ ip_vs_in_icmp_v6(struct sk_buff *skb, int *related, unsigned int hooknum)
 static unsigned int
 ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
 {
+        struct net *net;
        struct ip_vs_iphdr iph;
        struct ip_vs_protocol *pp;
+        struct ip_vs_proto_data *pd;
        struct ip_vs_conn *cp;
        int ret, restart, pkts;
+        struct netns_ipvs *ipvs;
        /* Already marked as IPVS request or reply? */
        if (skb->ipvs_property)
@@ -1447,6 +1513,11 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
                              IP_VS_DBG_ADDR(af, &iph.daddr), hooknum);
                return NF_ACCEPT;
        }
+        /* ipvs enabled in this netns ? */
+        net = skb_net(skb);
+        if (!net_ipvs(net)->enable)
+                return NF_ACCEPT;
        ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
        /* Bad... Do not break raw sockets */
@@ -1481,19 +1552,19 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
                }
        /* Protocol supported? */
-        pp = ip_vs_proto_get(iph.protocol);
+        pd = ip_vs_proto_data_get(net, iph.protocol);
-        if (unlikely(!pp))
+        if (unlikely(!pd))
                return NF_ACCEPT;
+        pp = pd->pp;
        /*
         * Check if the packet belongs to an existing connection entry
         */
-        cp = pp->conn_in_get(af, skb, pp, &iph, iph.len, 0);
+        cp = pp->conn_in_get(af, skb, &iph, iph.len, 0);
        if (unlikely(!cp)) {
                int v;
-                if (!pp->conn_schedule(af, skb, pp, &v, &cp))
+                if (!pp->conn_schedule(af, skb, pd, &v, &cp))
                        return v;
        }
@@ -1505,12 +1576,12 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
        }
        IP_VS_DBG_PKT(11, af, pp, skb, 0, "Incoming packet");
+        ipvs = net_ipvs(net);
        /* Check the server status */
        if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
                /* the destination server is not available */
-                if (sysctl_ip_vs_expire_nodest_conn) {
+                if (sysctl_expire_nodest_conn(ipvs)) {
                        /* try to expire the connection immediately */
                        ip_vs_conn_expire_now(cp);
                }
@@ -1521,7 +1592,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
        }
        ip_vs_in_stats(cp, skb);
-        restart = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pp);
+        restart = ip_vs_set_state(cp, IP_VS_DIR_INPUT, skb, pd);
        if (cp->packet_xmit)
                ret = cp->packet_xmit(skb, cp, pp);
                /* do not touch skb anymore */
@@ -1535,35 +1606,41 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
         *
         * Sync connection if it is about to close to
         * encorage the standby servers to update the connections timeout
+         *
+         * For ONE_PKT let ip_vs_sync_conn() do the filter work.
         */
-        pkts = atomic_add_return(1, &cp->in_pkts);
-        if (af == AF_INET && (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
+        if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
+                pkts = sysctl_sync_threshold(ipvs);
+        else
+                pkts = atomic_add_return(1, &cp->in_pkts);
+        if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
            cp->protocol == IPPROTO_SCTP) {
                if ((cp->state == IP_VS_SCTP_S_ESTABLISHED &&
-                        (pkts % sysctl_ip_vs_sync_threshold[1]
+                        (pkts % sysctl_sync_period(ipvs)
-                         == sysctl_ip_vs_sync_threshold[0])) ||
+                         == sysctl_sync_threshold(ipvs))) ||
                                (cp->old_state != cp->state &&
                                 ((cp->state == IP_VS_SCTP_S_CLOSED) ||
                                  (cp->state == IP_VS_SCTP_S_SHUT_ACK_CLI) ||
                                  (cp->state == IP_VS_SCTP_S_SHUT_ACK_SER)))) {
-                        ip_vs_sync_conn(cp);
+                        ip_vs_sync_conn(net, cp);
                        goto out;
                }
        }
        /* Keep this block last: TCP and others with pp->num_states <= 1 */
-        else if (af == AF_INET &&
+        else if ((ipvs->sync_state & IP_VS_STATE_MASTER) &&
-            (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
            (((cp->protocol != IPPROTO_TCP ||
               cp->state == IP_VS_TCP_S_ESTABLISHED) &&
-              (pkts % sysctl_ip_vs_sync_threshold[1]
+              (pkts % sysctl_sync_period(ipvs)
-               == sysctl_ip_vs_sync_threshold[0])) ||
+               == sysctl_sync_threshold(ipvs))) ||
             ((cp->protocol == IPPROTO_TCP) && (cp->old_state != cp->state) &&
              ((cp->state == IP_VS_TCP_S_FIN_WAIT) ||
               (cp->state == IP_VS_TCP_S_CLOSE) ||
               (cp->state == IP_VS_TCP_S_CLOSE_WAIT) ||
               (cp->state == IP_VS_TCP_S_TIME_WAIT)))))
-                ip_vs_sync_conn(cp);
+                ip_vs_sync_conn(net, cp);
 out:
        cp->old_state = cp->state;
@@ -1653,10 +1730,16 @@ ip_vs_forward_icmp(unsigned int hooknum, struct sk_buff *skb,
                   int (*okfn)(struct sk_buff *))
 {
        int r;
+        struct net *net;
        if (ip_hdr(skb)->protocol != IPPROTO_ICMP)
                return NF_ACCEPT;
+        /* ipvs enabled in this netns ? */
+        net = skb_net(skb);
+        if (!net_ipvs(net)->enable)
+                return NF_ACCEPT;
        return ip_vs_in_icmp(skb, &r, hooknum);
 }
@@ -1667,10 +1750,16 @@ ip_vs_forward_icmp_v6(unsigned int hooknum, struct sk_buff *skb,
                      int (*okfn)(struct sk_buff *))
 {
        int r;
+        struct net *net;
        if (ipv6_hdr(skb)->nexthdr != IPPROTO_ICMPV6)
                return NF_ACCEPT;
+        /* ipvs enabled in this netns ? */
+        net = skb_net(skb);
+        if (!net_ipvs(net)->enable)
+                return NF_ACCEPT;
        return ip_vs_in_icmp_v6(skb, &r, hooknum);
 }
 #endif
@@ -1782,7 +1871,94 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
        },
 #endif
 };
+/*
+ *      Initialize IP Virtual Server netns mem.
+ */
+static int __net_init __ip_vs_init(struct net *net)
+{
+        struct netns_ipvs *ipvs;
+        ipvs = net_generic(net, ip_vs_net_id);
+        if (ipvs == NULL) {
+                pr_err("%s(): no memory.\n", __func__);
+                return -ENOMEM;
+        }
+        /* Hold the beast until a service is registerd */
+        ipvs->enable = 0;
+        ipvs->net = net;
+        /* Counters used for creating unique names */
+        ipvs->gen = atomic_read(&ipvs_netns_cnt);
+        atomic_inc(&ipvs_netns_cnt);
+        net->ipvs = ipvs;
+        if (__ip_vs_estimator_init(net) < 0)
+                goto estimator_fail;
+        if (__ip_vs_control_init(net) < 0)
+                goto control_fail;
+        if (__ip_vs_protocol_init(net) < 0)
+                goto protocol_fail;
+        if (__ip_vs_app_init(net) < 0)
+                goto app_fail;
+        if (__ip_vs_conn_init(net) < 0)
+                goto conn_fail;
+        if (__ip_vs_sync_init(net) < 0)
+                goto sync_fail;
+        printk(KERN_INFO "IPVS: Creating netns size=%zu id=%d\n",
+                         sizeof(struct netns_ipvs), ipvs->gen);
+        return 0;
+/*
+ * Error handling
+ */
+sync_fail:
+        __ip_vs_conn_cleanup(net);
+conn_fail:
+        __ip_vs_app_cleanup(net);
+app_fail:
+        __ip_vs_protocol_cleanup(net);
+protocol_fail:
+        __ip_vs_control_cleanup(net);
+control_fail:
+        __ip_vs_estimator_cleanup(net);
+estimator_fail:
+        return -ENOMEM;
+}
+static void __net_exit __ip_vs_cleanup(struct net *net)
+{
+        __ip_vs_service_cleanup(net);   /* ip_vs_flush() with locks */
+        __ip_vs_conn_cleanup(net);
+        __ip_vs_app_cleanup(net);
+        __ip_vs_protocol_cleanup(net);
+        __ip_vs_control_cleanup(net);
+        __ip_vs_estimator_cleanup(net);
+        IP_VS_DBG(2, "ipvs netns %d released\n", net_ipvs(net)->gen);
+}
+static void __net_exit __ip_vs_dev_cleanup(struct net *net)
+{
+        EnterFunction(2);
+        net_ipvs(net)->enable = 0;      /* Disable packet reception */
+        __ip_vs_sync_cleanup(net);
+        LeaveFunction(2);
+}
+static struct pernet_operations ipvs_core_ops = {
+        .init = __ip_vs_init,
+        .exit = __ip_vs_cleanup,
+        .id   = &ip_vs_net_id,
+        .size = sizeof(struct netns_ipvs),
+};
+static struct pernet_operations ipvs_core_dev_ops = {
+        .exit = __ip_vs_dev_cleanup,
+};
 /*
 *      Initialize IP Virtual Server
@@ -1792,7 +1968,6 @@ static int __init ip_vs_init(void)
        int ret;
        ip_vs_estimator_init();
        ret = ip_vs_control_init();
        if (ret < 0) {
                pr_err("can't setup control.\n");
@@ -1813,15 +1988,36 @@ static int __init ip_vs_init(void)
                goto cleanup_app;
        }
+        ret = ip_vs_sync_init();
+        if (ret < 0) {
+                pr_err("can't setup sync data.\n");
+                goto cleanup_conn;
+        }
+        ret = register_pernet_subsys(&ipvs_core_ops);   /* Alloc ip_vs struct */
+        if (ret < 0)
+                goto cleanup_sync;
+        ret = register_pernet_device(&ipvs_core_dev_ops);
+        if (ret < 0)
+                goto cleanup_sub;
        ret = nf_register_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
        if (ret < 0) {
                pr_err("can't register hooks.\n");
-                goto cleanup_conn;
+                goto cleanup_dev;
        }
        pr_info("ipvs loaded.\n");
        return ret;
+cleanup_dev:
+        unregister_pernet_device(&ipvs_core_dev_ops);
+cleanup_sub:
+        unregister_pernet_subsys(&ipvs_core_ops);
+cleanup_sync:
+        ip_vs_sync_cleanup();
  cleanup_conn:
        ip_vs_conn_cleanup();
  cleanup_app:
@@ -1837,6 +2033,9 @@ static int __init ip_vs_init(void)
 static void __exit ip_vs_cleanup(void)
 {
        nf_unregister_hooks(ip_vs_ops, ARRAY_SIZE(ip_vs_ops));
+        unregister_pernet_device(&ipvs_core_dev_ops);
+        unregister_pernet_subsys(&ipvs_core_ops);       /* free ip_vs struct */
+        ip_vs_sync_cleanup();
        ip_vs_conn_cleanup();
        ip_vs_app_cleanup();
        ip_vs_protocol_cleanup();
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 22f7ad5101ab..699c79a55657 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -38,6 +38,7 @@
 #include <linux/mutex.h>
 #include <net/net_namespace.h>
+#include <linux/nsproxy.h>
 #include <net/ip.h>
 #ifdef CONFIG_IP_VS_IPV6
 #include <net/ipv6.h>
@@ -57,42 +58,7 @@ static DEFINE_MUTEX(__ip_vs_mutex);
 /* lock for service table */
 static DEFINE_RWLOCK(__ip_vs_svc_lock);
-/* lock for table with the real services */
-static DEFINE_RWLOCK(__ip_vs_rs_lock);
-/* lock for state and timeout tables */
-static DEFINE_SPINLOCK(ip_vs_securetcp_lock);
-/* lock for drop entry handling */
-static DEFINE_SPINLOCK(__ip_vs_dropentry_lock);
-/* lock for drop packet handling */
-static DEFINE_SPINLOCK(__ip_vs_droppacket_lock);
-/* 1/rate drop and drop-entry variables */
-int ip_vs_drop_rate = 0;
-int ip_vs_drop_counter = 0;
-static atomic_t ip_vs_dropentry = ATOMIC_INIT(0);
-/* number of virtual services */
-static int ip_vs_num_services = 0;
 /* sysctl variables */
-static int sysctl_ip_vs_drop_entry = 0;
-static int sysctl_ip_vs_drop_packet = 0;
-static int sysctl_ip_vs_secure_tcp = 0;
-static int sysctl_ip_vs_amemthresh = 1024;
-static int sysctl_ip_vs_am_droprate = 10;
-int sysctl_ip_vs_cache_bypass = 0;
-int sysctl_ip_vs_expire_nodest_conn = 0;
-int sysctl_ip_vs_expire_quiescent_template = 0;
-int sysctl_ip_vs_sync_threshold[2] = { 3, 50 };
-int sysctl_ip_vs_nat_icmp_send = 0;
-#ifdef CONFIG_IP_VS_NFCT
-int sysctl_ip_vs_conntrack;
-#endif
-int sysctl_ip_vs_snat_reroute = 1;
 #ifdef CONFIG_IP_VS_DEBUG
 static int sysctl_ip_vs_debug_level = 0;
@@ -103,29 +69,35 @@ int ip_vs_get_debug_level(void)
 }
 #endif
+/*  Protos */
+static void __ip_vs_del_service(struct ip_vs_service *svc);
 #ifdef CONFIG_IP_VS_IPV6
 /* Taken from rt6_fill_node() in net/ipv6/route.c, is there a better way? */
-static int __ip_vs_addr_is_local_v6(const struct in6_addr *addr)
+static int __ip_vs_addr_is_local_v6(struct net *net,
+                                    const struct in6_addr *addr)
 {
        struct rt6_info *rt;
-        struct flowi fl = {
+        struct flowi6 fl6 = {
-                .oif = 0,
+                .daddr = *addr,
-                .fl6_dst = *addr,
-                .fl6_src = { .s6_addr32 = {0, 0, 0, 0} },
        };
-        rt = (struct rt6_info *)ip6_route_output(&init_net, NULL, &fl);
+        rt = (struct rt6_info *)ip6_route_output(net, NULL, &fl6);
        if (rt && rt->rt6i_dev && (rt->rt6i_dev->flags & IFF_LOOPBACK))
-                        return 1;
+                return 1;
        return 0;
 }
 #endif
+#ifdef CONFIG_SYSCTL
 /*
 *      update_defense_level is called from keventd and from sysctl,
 *      so it needs to protect itself from softirqs
 */
-static void update_defense_level(void)
+static void update_defense_level(struct netns_ipvs *ipvs)
 {
        struct sysinfo i;
        static int old_secure_tcp = 0;
@@ -141,73 +113,73 @@ static void update_defense_level(void)
        /* si_swapinfo(&i); */
        /* availmem = availmem - (i.totalswap - i.freeswap); */
-        nomem = (availmem < sysctl_ip_vs_amemthresh);
+        nomem = (availmem < ipvs->sysctl_amemthresh);
        local_bh_disable();
        /* drop_entry */
-        spin_lock(&__ip_vs_dropentry_lock);
+        spin_lock(&ipvs->dropentry_lock);
-        switch (sysctl_ip_vs_drop_entry) {
+        switch (ipvs->sysctl_drop_entry) {
        case 0:
-                atomic_set(&ip_vs_dropentry, 0);
+                atomic_set(&ipvs->dropentry, 0);
                break;
        case 1:
                if (nomem) {
-                        atomic_set(&ip_vs_dropentry, 1);
+                        atomic_set(&ipvs->dropentry, 1);
-                        sysctl_ip_vs_drop_entry = 2;
+                        ipvs->sysctl_drop_entry = 2;
                } else {
-                        atomic_set(&ip_vs_dropentry, 0);
+                        atomic_set(&ipvs->dropentry, 0);
                }
                break;
        case 2:
                if (nomem) {
-                        atomic_set(&ip_vs_dropentry, 1);
+                        atomic_set(&ipvs->dropentry, 1);
                } else {
-                        atomic_set(&ip_vs_dropentry, 0);
+                        atomic_set(&ipvs->dropentry, 0);
-                        sysctl_ip_vs_drop_entry = 1;
+                        ipvs->sysctl_drop_entry = 1;
                };
                break;
        case 3:
-                atomic_set(&ip_vs_dropentry, 1);
+                atomic_set(&ipvs->dropentry, 1);
                break;
        }
-        spin_unlock(&__ip_vs_dropentry_lock);
+        spin_unlock(&ipvs->dropentry_lock);
        /* drop_packet */
-        spin_lock(&__ip_vs_droppacket_lock);
+        spin_lock(&ipvs->droppacket_lock);
-        switch (sysctl_ip_vs_drop_packet) {
+        switch (ipvs->sysctl_drop_packet) {
        case 0:
-                ip_vs_drop_rate = 0;
+                ipvs->drop_rate = 0;
                break;
        case 1:
                if (nomem) {
-                        ip_vs_drop_rate = ip_vs_drop_counter
+                        ipvs->drop_rate = ipvs->drop_counter
-                                = sysctl_ip_vs_amemthresh /
+                                = ipvs->sysctl_amemthresh /
-                                (sysctl_ip_vs_amemthresh-availmem);
+                                (ipvs->sysctl_amemthresh-availmem);
-                        sysctl_ip_vs_drop_packet = 2;
+                        ipvs->sysctl_drop_packet = 2;
                } else {
-                        ip_vs_drop_rate = 0;
+                        ipvs->drop_rate = 0;
                }
                break;
        case 2:
                if (nomem) {
-                        ip_vs_drop_rate = ip_vs_drop_counter
+                        ipvs->drop_rate = ipvs->drop_counter
-                                = sysctl_ip_vs_amemthresh /
+                                = ipvs->sysctl_amemthresh /
-                                (sysctl_ip_vs_amemthresh-availmem);
+                                (ipvs->sysctl_amemthresh-availmem);
                } else {
-                        ip_vs_drop_rate = 0;
+                        ipvs->drop_rate = 0;
-                        sysctl_ip_vs_drop_packet = 1;
+                        ipvs->sysctl_drop_packet = 1;
                }
                break;
        case 3:
-                ip_vs_drop_rate = sysctl_ip_vs_am_droprate;
+                ipvs->drop_rate = ipvs->sysctl_am_droprate;
                break;
        }
-        spin_unlock(&__ip_vs_droppacket_lock);
+        spin_unlock(&ipvs->droppacket_lock);
        /* secure_tcp */
-        spin_lock(&ip_vs_securetcp_lock);
+        spin_lock(&ipvs->securetcp_lock);
-        switch (sysctl_ip_vs_secure_tcp) {
+        switch (ipvs->sysctl_secure_tcp) {
        case 0:
                if (old_secure_tcp >= 2)
                        to_change = 0;
@@ -216,7 +188,7 @@ static void update_defense_level(void)
                if (nomem) {
                        if (old_secure_tcp < 2)
                                to_change = 1;
-                        sysctl_ip_vs_secure_tcp = 2;
+                        ipvs->sysctl_secure_tcp = 2;
                } else {
                        if (old_secure_tcp >= 2)
                                to_change = 0;
@@ -229,7 +201,7 @@ static void update_defense_level(void)
                } else {
                        if (old_secure_tcp >= 2)
                                to_change = 0;
-                        sysctl_ip_vs_secure_tcp = 1;
+                        ipvs->sysctl_secure_tcp = 1;
                }
                break;
        case 3:
@@ -237,10 +209,11 @@ static void update_defense_level(void)
                        to_change = 1;
                break;
        }
-        old_secure_tcp = sysctl_ip_vs_secure_tcp;
+        old_secure_tcp = ipvs->sysctl_secure_tcp;
        if (to_change >= 0)
-                ip_vs_protocol_timeout_change(sysctl_ip_vs_secure_tcp>1);
+                ip_vs_protocol_timeout_change(ipvs,
-        spin_unlock(&ip_vs_securetcp_lock);
+                                              ipvs->sysctl_secure_tcp > 1);
+        spin_unlock(&ipvs->securetcp_lock);
        local_bh_enable();
 }
@@ -250,17 +223,18 @@ static void update_defense_level(void)
 *      Timer for checking the defense
 */
 #define DEFENSE_TIMER_PERIOD    1*HZ
-static void defense_work_handler(struct work_struct *work);
-static DECLARE_DELAYED_WORK(defense_work, defense_work_handler);
 static void defense_work_handler(struct work_struct *work)
 {
-        update_defense_level();
+        struct netns_ipvs *ipvs =
-        if (atomic_read(&ip_vs_dropentry))
+                container_of(work, struct netns_ipvs, defense_work.work);
-                ip_vs_random_dropentry();
-        schedule_delayed_work(&defense_work, DEFENSE_TIMER_PERIOD);
+        update_defense_level(ipvs);
+        if (atomic_read(&ipvs->dropentry))
+                ip_vs_random_dropentry(ipvs->net);
+        schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
 }
+#endif
 int
 ip_vs_use_count_inc(void)
@@ -287,33 +261,13 @@ static struct list_head ip_vs_svc_table[IP_VS_SVC_TAB_SIZE];
 /* the service table hashed by fwmark */
 static struct list_head ip_vs_svc_fwm_table[IP_VS_SVC_TAB_SIZE];
-/*
- *      Hash table: for real service lookups
- */
-#define IP_VS_RTAB_BITS 4
-#define IP_VS_RTAB_SIZE (1 << IP_VS_RTAB_BITS)
-#define IP_VS_RTAB_MASK (IP_VS_RTAB_SIZE - 1)
-static struct list_head ip_vs_rtable[IP_VS_RTAB_SIZE];
-/*
- *      Trash for destinations
- */
-static LIST_HEAD(ip_vs_dest_trash);
-/*
- *      FTP & NULL virtual service counters
- */
-static atomic_t ip_vs_ftpsvc_counter = ATOMIC_INIT(0);
-static atomic_t ip_vs_nullsvc_counter = ATOMIC_INIT(0);
 /*
 *      Returns hash value for virtual service
 */
-static __inline__ unsigned
+static inline unsigned
-ip_vs_svc_hashkey(int af, unsigned proto, const union nf_inet_addr *addr,
+ip_vs_svc_hashkey(struct net *net, int af, unsigned proto,
-                  __be16 port)
+                  const union nf_inet_addr *addr, __be16 port)
 {
        register unsigned porth = ntohs(port);
        __be32 addr_fold = addr->ip;
@@ -323,6 +277,7 @@ ip_vs_svc_hashkey(int af, unsigned proto, const union nf_inet_addr *addr,
                addr_fold = addr->ip6[0]^addr->ip6[1]^
                            addr->ip6[2]^addr->ip6[3];
 #endif
+        addr_fold ^= ((size_t)net>>8);
        return (proto^ntohl(addr_fold)^(porth>>IP_VS_SVC_TAB_BITS)^porth)
                & IP_VS_SVC_TAB_MASK;
@@ -331,13 +286,13 @@ ip_vs_svc_hashkey(int af, unsigned proto, const union nf_inet_addr *addr,
 /*
 *      Returns hash value of fwmark for virtual service lookup
 */
-static __inline__ unsigned ip_vs_svc_fwm_hashkey(__u32 fwmark)
+static inline unsigned ip_vs_svc_fwm_hashkey(struct net *net, __u32 fwmark)
 {
-        return fwmark & IP_VS_SVC_TAB_MASK;
+        return (((size_t)net>>8) ^ fwmark) & IP_VS_SVC_TAB_MASK;
 }
 /*
- *      Hashes a service in the ip_vs_svc_table by <proto,addr,port>
+ *      Hashes a service in the ip_vs_svc_table by <netns,proto,addr,port>
 *      or in the ip_vs_svc_fwm_table by fwmark.
 *      Should be called with locked tables.
 */
@@ -353,16 +308,16 @@ static int ip_vs_svc_hash(struct ip_vs_service *svc)
        if (svc->fwmark == 0) {
                /*
-                 *  Hash it by <protocol,addr,port> in ip_vs_svc_table
+                 *  Hash it by <netns,protocol,addr,port> in ip_vs_svc_table
                 */
-                hash = ip_vs_svc_hashkey(svc->af, svc->protocol, &svc->addr,
+                hash = ip_vs_svc_hashkey(svc->net, svc->af, svc->protocol,
-                                         svc->port);
+                                         &svc->addr, svc->port);
                list_add(&svc->s_list, &ip_vs_svc_table[hash]);
        } else {
                /*
-                 *  Hash it by fwmark in ip_vs_svc_fwm_table
+                 *  Hash it by fwmark in svc_fwm_table
                 */
-                hash = ip_vs_svc_fwm_hashkey(svc->fwmark);
+                hash = ip_vs_svc_fwm_hashkey(svc->net, svc->fwmark);
                list_add(&svc->f_list, &ip_vs_svc_fwm_table[hash]);
        }
@@ -374,7 +329,7 @@ static int ip_vs_svc_hash(struct ip_vs_service *svc)
 /*
- *      Unhashes a service from ip_vs_svc_table/ip_vs_svc_fwm_table.
+ *      Unhashes a service from svc_table / svc_fwm_table.
 *      Should be called with locked tables.
 */
 static int ip_vs_svc_unhash(struct ip_vs_service *svc)
@@ -386,10 +341,10 @@ static int ip_vs_svc_unhash(struct ip_vs_service *svc)
        }
        if (svc->fwmark == 0) {
-                /* Remove it from the ip_vs_svc_table table */
+                /* Remove it from the svc_table table */
                list_del(&svc->s_list);
        } else {
-                /* Remove it from the ip_vs_svc_fwm_table table */
+                /* Remove it from the svc_fwm_table table */
                list_del(&svc->f_list);
        }
@@ -400,23 +355,24 @@ static int ip_vs_svc_unhash(struct ip_vs_service *svc)
 /*
- *      Get service by {proto,addr,port} in the service table.
+ *      Get service by {netns, proto,addr,port} in the service table.
 */
 static inline struct ip_vs_service *
-__ip_vs_service_find(int af, __u16 protocol, const union nf_inet_addr *vaddr,
+__ip_vs_service_find(struct net *net, int af, __u16 protocol,
-                    __be16 vport)
+                     const union nf_inet_addr *vaddr, __be16 vport)
 {
        unsigned hash;
        struct ip_vs_service *svc;
        /* Check for "full" addressed entries */
-        hash = ip_vs_svc_hashkey(af, protocol, vaddr, vport);
+        hash = ip_vs_svc_hashkey(net, af, protocol, vaddr, vport);
        list_for_each_entry(svc, &ip_vs_svc_table[hash], s_list){
                if ((svc->af == af)
                    && ip_vs_addr_equal(af, &svc->addr, vaddr)
                    && (svc->port == vport)
-                    && (svc->protocol == protocol)) {
+                    && (svc->protocol == protocol)
+                    && net_eq(svc->net, net)) {
                        /* HIT */
                        return svc;
                }
@@ -430,16 +386,17 @@ __ip_vs_service_find(int af, __u16 protocol, const union nf_inet_addr *vaddr,
 *      Get service by {fwmark} in the service table.
 */
 static inline struct ip_vs_service *
-__ip_vs_svc_fwm_find(int af, __u32 fwmark)
+__ip_vs_svc_fwm_find(struct net *net, int af, __u32 fwmark)
 {
        unsigned hash;
        struct ip_vs_service *svc;
        /* Check for fwmark addressed entries */
-        hash = ip_vs_svc_fwm_hashkey(fwmark);
+        hash = ip_vs_svc_fwm_hashkey(net, fwmark);
        list_for_each_entry(svc, &ip_vs_svc_fwm_table[hash], f_list) {
-                if (svc->fwmark == fwmark && svc->af == af) {
+                if (svc->fwmark == fwmark && svc->af == af
+                    && net_eq(svc->net, net)) {
                        /* HIT */
                        return svc;
                }
@@ -449,42 +406,46 @@ __ip_vs_svc_fwm_find(int af, __u32 fwmark)
 }
 struct ip_vs_service *
-ip_vs_service_get(int af, __u32 fwmark, __u16 protocol,
+ip_vs_service_get(struct net *net, int af, __u32 fwmark, __u16 protocol,
                  const union nf_inet_addr *vaddr, __be16 vport)
 {
        struct ip_vs_service *svc;
+        struct netns_ipvs *ipvs = net_ipvs(net);
        read_lock(&__ip_vs_svc_lock);
        /*
         *      Check the table hashed by fwmark first
         */
-        if (fwmark && (svc = __ip_vs_svc_fwm_find(af, fwmark)))
+        if (fwmark) {
-                goto out;
+                svc = __ip_vs_svc_fwm_find(net, af, fwmark);
+                if (svc)
+                        goto out;
+        }
        /*
         *      Check the table hashed by <protocol,addr,port>
         *      for "full" addressed entries
         */
-        svc = __ip_vs_service_find(af, protocol, vaddr, vport);
+        svc = __ip_vs_service_find(net, af, protocol, vaddr, vport);
        if (svc == NULL
            && protocol == IPPROTO_TCP
-            && atomic_read(&ip_vs_ftpsvc_counter)
+            && atomic_read(&ipvs->ftpsvc_counter)
            && (vport == FTPDATA || ntohs(vport) >= PROT_SOCK)) {
                /*
                 * Check if ftp service entry exists, the packet
                 * might belong to FTP data connections.
                 */
-                svc = __ip_vs_service_find(af, protocol, vaddr, FTPPORT);
+                svc = __ip_vs_service_find(net, af, protocol, vaddr, FTPPORT);
        }
        if (svc == NULL
-            && atomic_read(&ip_vs_nullsvc_counter)) {
+            && atomic_read(&ipvs->nullsvc_counter)) {
                /*
                 * Check if the catch-all port (port zero) exists
                 */
-                svc = __ip_vs_service_find(af, protocol, vaddr, 0);
+                svc = __ip_vs_service_find(net, af, protocol, vaddr, 0);
        }
  out:
@@ -519,6 +480,7 @@ __ip_vs_unbind_svc(struct ip_vs_dest *dest)
                              svc->fwmark,
                              IP_VS_DBG_ADDR(svc->af, &svc->addr),
                              ntohs(svc->port), atomic_read(&svc->usecnt));
+                free_percpu(svc->stats.cpustats);
                kfree(svc);
        }
 }
@@ -545,10 +507,10 @@ static inline unsigned ip_vs_rs_hashkey(int af,
 }
 /*
- *      Hashes ip_vs_dest in ip_vs_rtable by <proto,addr,port>.
+ *      Hashes ip_vs_dest in rs_table by <proto,addr,port>.
 *      should be called with locked tables.
 */
-static int ip_vs_rs_hash(struct ip_vs_dest *dest)
+static int ip_vs_rs_hash(struct netns_ipvs *ipvs, struct ip_vs_dest *dest)
 {
        unsigned hash;
@@ -562,19 +524,19 @@ static int ip_vs_rs_hash(struct ip_vs_dest *dest)
         */
        hash = ip_vs_rs_hashkey(dest->af, &dest->addr, dest->port);
-        list_add(&dest->d_list, &ip_vs_rtable[hash]);
+        list_add(&dest->d_list, &ipvs->rs_table[hash]);
        return 1;
 }
 /*
- *      UNhashes ip_vs_dest from ip_vs_rtable.
+ *      UNhashes ip_vs_dest from rs_table.
 *      should be called with locked tables.
 */
 static int ip_vs_rs_unhash(struct ip_vs_dest *dest)
 {
        /*
-         * Remove it from the ip_vs_rtable table.
+         * Remove it from the rs_table table.
         */
        if (!list_empty(&dest->d_list)) {
                list_del(&dest->d_list);
@@ -588,10 +550,11 @@ static int ip_vs_rs_unhash(struct ip_vs_dest *dest)
 *      Lookup real service by <proto,addr,port> in the real service table.
 */
 struct ip_vs_dest *
-ip_vs_lookup_real_service(int af, __u16 protocol,
+ip_vs_lookup_real_service(struct net *net, int af, __u16 protocol,
                          const union nf_inet_addr *daddr,
                          __be16 dport)
 {
+        struct netns_ipvs *ipvs = net_ipvs(net);
        unsigned hash;
        struct ip_vs_dest *dest;
@@ -601,19 +564,19 @@ ip_vs_lookup_real_service(int af, __u16 protocol,
         */
        hash = ip_vs_rs_hashkey(af, daddr, dport);
-        read_lock(&__ip_vs_rs_lock);
+        read_lock(&ipvs->rs_lock);
-        list_for_each_entry(dest, &ip_vs_rtable[hash], d_list) {
+        list_for_each_entry(dest, &ipvs->rs_table[hash], d_list) {
                if ((dest->af == af)
                    && ip_vs_addr_equal(af, &dest->addr, daddr)
                    && (dest->port == dport)
                    && ((dest->protocol == protocol) ||
                        dest->vfwmark)) {
                        /* HIT */
-                        read_unlock(&__ip_vs_rs_lock);
+                        read_unlock(&ipvs->rs_lock);
                        return dest;
                }
        }
-        read_unlock(&__ip_vs_rs_lock);
+        read_unlock(&ipvs->rs_lock);
        return NULL;
 }
@@ -652,15 +615,16 @@ ip_vs_lookup_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
 * ip_vs_lookup_real_service() looked promissing, but
 * seems not working as expected.
 */
-struct ip_vs_dest *ip_vs_find_dest(int af, const union nf_inet_addr *daddr,
+struct ip_vs_dest *ip_vs_find_dest(struct net  *net, int af,
+                                   const union nf_inet_addr *daddr,
                                   __be16 dport,
                                   const union nf_inet_addr *vaddr,
-                                   __be16 vport, __u16 protocol)
+                                   __be16 vport, __u16 protocol, __u32 fwmark)
 {
        struct ip_vs_dest *dest;
        struct ip_vs_service *svc;
-        svc = ip_vs_service_get(af, 0, protocol, vaddr, vport);
+        svc = ip_vs_service_get(net, af, fwmark, protocol, vaddr, vport);
        if (!svc)
                return NULL;
        dest = ip_vs_lookup_dest(svc, daddr, dport);
@@ -685,11 +649,12 @@ ip_vs_trash_get_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
                     __be16 dport)
 {
        struct ip_vs_dest *dest, *nxt;
+        struct netns_ipvs *ipvs = net_ipvs(svc->net);
        /*
         * Find the destination in trash
         */
-        list_for_each_entry_safe(dest, nxt, &ip_vs_dest_trash, n_list) {
+        list_for_each_entry_safe(dest, nxt, &ipvs->dest_trash, n_list) {
                IP_VS_DBG_BUF(3, "Destination %u/%s:%u still in trash, "
                              "dest->refcnt=%d\n",
                              dest->vfwmark,
@@ -720,6 +685,7 @@ ip_vs_trash_get_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
                        list_del(&dest->n_list);
                        ip_vs_dst_reset(dest);
                        __ip_vs_unbind_svc(dest);
+                        free_percpu(dest->stats.cpustats);
                        kfree(dest);
                }
        }
@@ -737,25 +703,53 @@ ip_vs_trash_get_dest(struct ip_vs_service *svc, const union nf_inet_addr *daddr,
 *  are expired, and the refcnt of each destination in the trash must
 *  be 1, so we simply release them here.
 */
-static void ip_vs_trash_cleanup(void)
+static void ip_vs_trash_cleanup(struct net *net)
 {
        struct ip_vs_dest *dest, *nxt;
+        struct netns_ipvs *ipvs = net_ipvs(net);
-        list_for_each_entry_safe(dest, nxt, &ip_vs_dest_trash, n_list) {
+        list_for_each_entry_safe(dest, nxt, &ipvs->dest_trash, n_list) {
                list_del(&dest->n_list);
                ip_vs_dst_reset(dest);
                __ip_vs_unbind_svc(dest);
+                free_percpu(dest->stats.cpustats);
                kfree(dest);
        }
 }
+static void
+ip_vs_copy_stats(struct ip_vs_stats_user *dst, struct ip_vs_stats *src)
+{
+#define IP_VS_SHOW_STATS_COUNTER(c) dst->c = src->ustats.c - src->ustats0.c
+        spin_lock_bh(&src->lock);
+        IP_VS_SHOW_STATS_COUNTER(conns);
+        IP_VS_SHOW_STATS_COUNTER(inpkts);
+        IP_VS_SHOW_STATS_COUNTER(outpkts);
+        IP_VS_SHOW_STATS_COUNTER(inbytes);
+        IP_VS_SHOW_STATS_COUNTER(outbytes);
+        ip_vs_read_estimator(dst, src);
+        spin_unlock_bh(&src->lock);
+}
 static void
 ip_vs_zero_stats(struct ip_vs_stats *stats)
 {
        spin_lock_bh(&stats->lock);
-        memset(&stats->ustats, 0, sizeof(stats->ustats));
+        /* get current counters as zero point, rates are zeroed */
+#define IP_VS_ZERO_STATS_COUNTER(c) stats->ustats0.c = stats->ustats.c
+        IP_VS_ZERO_STATS_COUNTER(conns);
+        IP_VS_ZERO_STATS_COUNTER(inpkts);
+        IP_VS_ZERO_STATS_COUNTER(outpkts);
+        IP_VS_ZERO_STATS_COUNTER(inbytes);
+        IP_VS_ZERO_STATS_COUNTER(outbytes);
        ip_vs_zero_estimator(stats);
        spin_unlock_bh(&stats->lock);
@@ -768,6 +762,7 @@ static void
 __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
                    struct ip_vs_dest_user_kern *udest, int add)
 {
+        struct netns_ipvs *ipvs = net_ipvs(svc->net);
        int conn_flags;
        /* set the weight and the flags */
@@ -780,12 +775,12 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
                conn_flags |= IP_VS_CONN_F_NOOUTPUT;
        } else {
                /*
-                 *    Put the real service in ip_vs_rtable if not present.
+                 *    Put the real service in rs_table if not present.
                 *    For now only for NAT!
                 */
-                write_lock_bh(&__ip_vs_rs_lock);
+                write_lock_bh(&ipvs->rs_lock);
-                ip_vs_rs_hash(dest);
+                ip_vs_rs_hash(ipvs, dest);
-                write_unlock_bh(&__ip_vs_rs_lock);
+                write_unlock_bh(&ipvs->rs_lock);
        }
        atomic_set(&dest->conn_flags, conn_flags);
@@ -808,12 +803,12 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
        dest->u_threshold = udest->u_threshold;
        dest->l_threshold = udest->l_threshold;
-        spin_lock(&dest->dst_lock);
+        spin_lock_bh(&dest->dst_lock);
        ip_vs_dst_reset(dest);
-        spin_unlock(&dest->dst_lock);
+        spin_unlock_bh(&dest->dst_lock);
        if (add)
-                ip_vs_new_estimator(&dest->stats);
+                ip_vs_start_estimator(svc->net, &dest->stats);
        write_lock_bh(&__ip_vs_svc_lock);
@@ -850,12 +845,12 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
                atype = ipv6_addr_type(&udest->addr.in6);
                if ((!(atype & IPV6_ADDR_UNICAST) ||
                        atype & IPV6_ADDR_LINKLOCAL) &&
-                        !__ip_vs_addr_is_local_v6(&udest->addr.in6))
+                        !__ip_vs_addr_is_local_v6(svc->net, &udest->addr.in6))
                        return -EINVAL;
        } else
 #endif
        {
-                atype = inet_addr_type(&init_net, udest->addr.ip);
+                atype = inet_addr_type(svc->net, udest->addr.ip);
                if (atype != RTN_LOCAL && atype != RTN_UNICAST)
                        return -EINVAL;
        }
@@ -865,6 +860,11 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
                pr_err("%s(): no memory.\n", __func__);
                return -ENOMEM;
        }
+        dest->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
+        if (!dest->stats.cpustats) {
+                pr_err("%s() alloc_percpu failed\n", __func__);
+                goto err_alloc;
+        }
        dest->af = svc->af;
        dest->protocol = svc->protocol;
@@ -888,6 +888,10 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
        LeaveFunction(2);
        return 0;
+err_alloc:
+        kfree(dest);
+        return -ENOMEM;
 }
@@ -1006,16 +1010,18 @@ ip_vs_edit_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
 /*
 *      Delete a destination (must be already unlinked from the service)
 */
-static void __ip_vs_del_dest(struct ip_vs_dest *dest)
+static void __ip_vs_del_dest(struct net *net, struct ip_vs_dest *dest)
 {
-        ip_vs_kill_estimator(&dest->stats);
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        ip_vs_stop_estimator(net, &dest->stats);
        /*
         *  Remove it from the d-linked list with the real services.
         */
-        write_lock_bh(&__ip_vs_rs_lock);
+        write_lock_bh(&ipvs->rs_lock);
        ip_vs_rs_unhash(dest);
-        write_unlock_bh(&__ip_vs_rs_lock);
+        write_unlock_bh(&ipvs->rs_lock);
        /*
         *  Decrease the refcnt of the dest, and free the dest
@@ -1034,6 +1040,7 @@ static void __ip_vs_del_dest(struct ip_vs_dest *dest)
                   and only one user context can update virtual service at a
                   time, so the operation here is OK */
                atomic_dec(&dest->svc->refcnt);
+                free_percpu(dest->stats.cpustats);
                kfree(dest);
        } else {
                IP_VS_DBG_BUF(3, "Moving dest %s:%u into trash, "
@@ -1041,7 +1048,7 @@ static void __ip_vs_del_dest(struct ip_vs_dest *dest)
                              IP_VS_DBG_ADDR(dest->af, &dest->addr),
                              ntohs(dest->port),
                              atomic_read(&dest->refcnt));
-                list_add(&dest->n_list, &ip_vs_dest_trash);
+                list_add(&dest->n_list, &ipvs->dest_trash);
                atomic_inc(&dest->refcnt);
        }
 }
@@ -1105,7 +1112,7 @@ ip_vs_del_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
        /*
         *      Delete the destination
         */
-        __ip_vs_del_dest(dest);
+        __ip_vs_del_dest(svc->net, dest);
        LeaveFunction(2);
@@ -1117,13 +1124,14 @@ ip_vs_del_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
 *      Add a service into the service hash table
 */
 static int
-ip_vs_add_service(struct ip_vs_service_user_kern *u,
+ip_vs_add_service(struct net *net, struct ip_vs_service_user_kern *u,
                  struct ip_vs_service **svc_p)
 {
        int ret = 0;
        struct ip_vs_scheduler *sched = NULL;
        struct ip_vs_pe *pe = NULL;
        struct ip_vs_service *svc = NULL;
+        struct netns_ipvs *ipvs = net_ipvs(net);
        /* increase the module use count */
        ip_vs_use_count_inc();
@@ -1137,7 +1145,7 @@ ip_vs_add_service(struct ip_vs_service_user_kern *u,
        }
        if (u->pe_name && *u->pe_name) {
-                pe = ip_vs_pe_get(u->pe_name);
+                pe = ip_vs_pe_getbyname(u->pe_name);
                if (pe == NULL) {
                        pr_info("persistence engine module ip_vs_pe_%s "
                                "not found\n", u->pe_name);
@@ -1159,6 +1167,11 @@ ip_vs_add_service(struct ip_vs_service_user_kern *u,
                ret = -ENOMEM;
                goto out_err;
        }
+        svc->stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
+        if (!svc->stats.cpustats) {
+                pr_err("%s() alloc_percpu failed\n", __func__);
+                goto out_err;
+        }
        /* I'm the first user of the service */
        atomic_set(&svc->usecnt, 0);
@@ -1172,6 +1185,7 @@ ip_vs_add_service(struct ip_vs_service_user_kern *u,
        svc->flags = u->flags;
        svc->timeout = u->timeout * HZ;
        svc->netmask = u->netmask;
+        svc->net = net;
        INIT_LIST_HEAD(&svc->destinations);
        rwlock_init(&svc->sched_lock);
@@ -1189,15 +1203,15 @@ ip_vs_add_service(struct ip_vs_service_user_kern *u,
        /* Update the virtual service counters */
        if (svc->port == FTPPORT)
-                atomic_inc(&ip_vs_ftpsvc_counter);
+                atomic_inc(&ipvs->ftpsvc_counter);
        else if (svc->port == 0)
-                atomic_inc(&ip_vs_nullsvc_counter);
+                atomic_inc(&ipvs->nullsvc_counter);
-        ip_vs_new_estimator(&svc->stats);
+        ip_vs_start_estimator(net, &svc->stats);
        /* Count only IPv4 services for old get/setsockopt interface */
        if (svc->af == AF_INET)
-                ip_vs_num_services++;
+                ipvs->num_services++;
        /* Hash the service into the service table */
        write_lock_bh(&__ip_vs_svc_lock);
@@ -1205,8 +1219,11 @@ ip_vs_add_service(struct ip_vs_service_user_kern *u,
        write_unlock_bh(&__ip_vs_svc_lock);
        *svc_p = svc;
+        /* Now there is a service - full throttle */
+        ipvs->enable = 1;
        return 0;
 out_err:
        if (svc != NULL) {
                ip_vs_unbind_scheduler(svc);
@@ -1215,6 +1232,8 @@ ip_vs_add_service(struct ip_vs_service_user_kern *u,
                        ip_vs_app_inc_put(svc->inc);
                        local_bh_enable();
                }
+                if (svc->stats.cpustats)
+                        free_percpu(svc->stats.cpustats);
                kfree(svc);
        }
        ip_vs_scheduler_put(sched);
@@ -1248,7 +1267,7 @@ ip_vs_edit_service(struct ip_vs_service *svc, struct ip_vs_service_user_kern *u)
        old_sched = sched;
        if (u->pe_name && *u->pe_name) {
-                pe = ip_vs_pe_get(u->pe_name);
+                pe = ip_vs_pe_getbyname(u->pe_name);
                if (pe == NULL) {
                        pr_info("persistence engine module ip_vs_pe_%s "
                                "not found\n", u->pe_name);
@@ -1334,14 +1353,15 @@ static void __ip_vs_del_service(struct ip_vs_service *svc)
        struct ip_vs_dest *dest, *nxt;
        struct ip_vs_scheduler *old_sched;
        struct ip_vs_pe *old_pe;
+        struct netns_ipvs *ipvs = net_ipvs(svc->net);
        pr_info("%s: enter\n", __func__);
        /* Count only IPv4 services for old get/setsockopt interface */
        if (svc->af == AF_INET)
-                ip_vs_num_services--;
+                ipvs->num_services--;
-        ip_vs_kill_estimator(&svc->stats);
+        ip_vs_stop_estimator(svc->net, &svc->stats);
        /* Unbind scheduler */
        old_sched = svc->scheduler;
@@ -1364,16 +1384,16 @@ static void __ip_vs_del_service(struct ip_vs_service *svc)
         */
        list_for_each_entry_safe(dest, nxt, &svc->destinations, n_list) {
                __ip_vs_unlink_dest(svc, dest, 0);
-                __ip_vs_del_dest(dest);
+                __ip_vs_del_dest(svc->net, dest);
        }
        /*
         *    Update the virtual service counters
         */
        if (svc->port == FTPPORT)
-                atomic_dec(&ip_vs_ftpsvc_counter);
+                atomic_dec(&ipvs->ftpsvc_counter);
        else if (svc->port == 0)
-                atomic_dec(&ip_vs_nullsvc_counter);
+                atomic_dec(&ipvs->nullsvc_counter);
        /*
         *    Free the service if nobody refers to it
@@ -1383,6 +1403,7 @@ static void __ip_vs_del_service(struct ip_vs_service *svc)
                              svc->fwmark,
                              IP_VS_DBG_ADDR(svc->af, &svc->addr),
                              ntohs(svc->port), atomic_read(&svc->usecnt));
+                free_percpu(svc->stats.cpustats);
                kfree(svc);
        }
@@ -1428,17 +1449,19 @@ static int ip_vs_del_service(struct ip_vs_service *svc)
 /*
 *      Flush all the virtual services
 */
-static int ip_vs_flush(void)
+static int ip_vs_flush(struct net *net)
 {
        int idx;
        struct ip_vs_service *svc, *nxt;
        /*
-         * Flush the service table hashed by <protocol,addr,port>
+         * Flush the service table hashed by <netns,protocol,addr,port>
         */
        for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
-                list_for_each_entry_safe(svc, nxt, &ip_vs_svc_table[idx], s_list) {
+                list_for_each_entry_safe(svc, nxt, &ip_vs_svc_table[idx],
-                        ip_vs_unlink_service(svc);
+                                         s_list) {
+                        if (net_eq(svc->net, net))
+                                ip_vs_unlink_service(svc);
                }
        }
@@ -1448,13 +1471,92 @@ static int ip_vs_flush(void)
        for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
                list_for_each_entry_safe(svc, nxt,
                                         &ip_vs_svc_fwm_table[idx], f_list) {
-                        ip_vs_unlink_service(svc);
+                        if (net_eq(svc->net, net))
+                                ip_vs_unlink_service(svc);
                }
        }
        return 0;
 }
+/*
+ *      Delete service by {netns} in the service table.
+ *      Called by __ip_vs_cleanup()
+ */
+void __ip_vs_service_cleanup(struct net *net)
+{
+        EnterFunction(2);
+        /* Check for "full" addressed entries */
+        mutex_lock(&__ip_vs_mutex);
+        ip_vs_flush(net);
+        mutex_unlock(&__ip_vs_mutex);
+        LeaveFunction(2);
+}
+/*
+ * Release dst hold by dst_cache
+ */
+static inline void
+__ip_vs_dev_reset(struct ip_vs_dest *dest, struct net_device *dev)
+{
+        spin_lock_bh(&dest->dst_lock);
+        if (dest->dst_cache && dest->dst_cache->dev == dev) {
+                IP_VS_DBG_BUF(3, "Reset dev:%s dest %s:%u ,dest->refcnt=%d\n",
+                              dev->name,
+                              IP_VS_DBG_ADDR(dest->af, &dest->addr),
+                              ntohs(dest->port),
+                              atomic_read(&dest->refcnt));
+                ip_vs_dst_reset(dest);
+        }
+        spin_unlock_bh(&dest->dst_lock);
+}
+/*
+ * Netdev event receiver
+ * Currently only NETDEV_UNREGISTER is handled, i.e. if we hold a reference to
+ * a device that is "unregister" it must be released.
+ */
+static int ip_vs_dst_event(struct notifier_block *this, unsigned long event,
+                            void *ptr)
+{
+        struct net_device *dev = ptr;
+        struct net *net = dev_net(dev);
+        struct ip_vs_service *svc;
+        struct ip_vs_dest *dest;
+        unsigned int idx;
+        if (event != NETDEV_UNREGISTER)
+                return NOTIFY_DONE;
+        IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name);
+        EnterFunction(2);
+        mutex_lock(&__ip_vs_mutex);
+        for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
+                list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
+                        if (net_eq(svc->net, net)) {
+                                list_for_each_entry(dest, &svc->destinations,
+                                                    n_list) {
+                                        __ip_vs_dev_reset(dest, dev);
+                                }
+                        }
+                }
+                list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
+                        if (net_eq(svc->net, net)) {
+                                list_for_each_entry(dest, &svc->destinations,
+                                                    n_list) {
+                                        __ip_vs_dev_reset(dest, dev);
+                                }
+                        }
+                }
+        }
+        list_for_each_entry(dest, &net_ipvs(net)->dest_trash, n_list) {
+                __ip_vs_dev_reset(dest, dev);
+        }
+        mutex_unlock(&__ip_vs_mutex);
+        LeaveFunction(2);
+        return NOTIFY_DONE;
+}
 /*
 *      Zero counters in a service or all services
@@ -1472,32 +1574,35 @@ static int ip_vs_zero_service(struct ip_vs_service *svc)
        return 0;
 }
-static int ip_vs_zero_all(void)
+static int ip_vs_zero_all(struct net *net)
 {
        int idx;
        struct ip_vs_service *svc;
        for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
                list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
-                        ip_vs_zero_service(svc);
+                        if (net_eq(svc->net, net))
+                                ip_vs_zero_service(svc);
                }
        }
        for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
                list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
-                        ip_vs_zero_service(svc);
+                        if (net_eq(svc->net, net))
+                                ip_vs_zero_service(svc);
                }
        }
-        ip_vs_zero_stats(&ip_vs_stats);
+        ip_vs_zero_stats(&net_ipvs(net)->tot_stats);
        return 0;
 }
+#ifdef CONFIG_SYSCTL
 static int
 proc_do_defense_mode(ctl_table *table, int write,
                     void __user *buffer, size_t *lenp, loff_t *ppos)
 {
+        struct net *net = current->nsproxy->net_ns;
        int *valp = table->data;
        int val = *valp;
        int rc;
@@ -1508,13 +1613,12 @@ proc_do_defense_mode(ctl_table *table, int write,
                        /* Restore the correct value */
                        *valp = val;
                } else {
-                        update_defense_level();
+                        update_defense_level(net_ipvs(net));
                }
        }
        return rc;
 }
 static int
 proc_do_sync_threshold(ctl_table *table, int write,
                       void __user *buffer, size_t *lenp, loff_t *ppos)
@@ -1534,45 +1638,54 @@ proc_do_sync_threshold(ctl_table *table, int write,
        return rc;
 }
+static int
+proc_do_sync_mode(ctl_table *table, int write,
+                     void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+        int *valp = table->data;
+        int val = *valp;
+        int rc;
+        rc = proc_dointvec(table, write, buffer, lenp, ppos);
+        if (write && (*valp != val)) {
+                if ((*valp < 0) || (*valp > 1)) {
+                        /* Restore the correct value */
+                        *valp = val;
+                } else {
+                        struct net *net = current->nsproxy->net_ns;
+                        ip_vs_sync_switch_mode(net, val);
+                }
+        }
+        return rc;
+}
 /*
 *      IPVS sysctl table (under the /proc/sys/net/ipv4/vs/)
+ *      Do not change order or insert new entries without
+ *      align with netns init in __ip_vs_control_init()
 */
 static struct ctl_table vs_vars[] = {
        {
                .procname       = "amemthresh",
-                .data           = &sysctl_ip_vs_amemthresh,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = proc_dointvec,
        },
-#ifdef CONFIG_IP_VS_DEBUG
-        {
-                .procname       = "debug_level",
-                .data           = &sysctl_ip_vs_debug_level,
-                .maxlen         = sizeof(int),
-                .mode           = 0644,
-                .proc_handler   = proc_dointvec,
-        },
-#endif
        {
                .procname       = "am_droprate",
-                .data           = &sysctl_ip_vs_am_droprate,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = proc_dointvec,
        },
        {
                .procname       = "drop_entry",
-                .data           = &sysctl_ip_vs_drop_entry,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = proc_do_defense_mode,
        },
        {
                .procname       = "drop_packet",
-                .data           = &sysctl_ip_vs_drop_packet,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = proc_do_defense_mode,
@@ -1580,7 +1693,6 @@ static struct ctl_table vs_vars[] = {
 #ifdef CONFIG_IP_VS_NFCT
        {
                .procname       = "conntrack",
-                .data           = &sysctl_ip_vs_conntrack,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = &proc_dointvec,
@@ -1588,18 +1700,62 @@ static struct ctl_table vs_vars[] = {
 #endif
        {
                .procname       = "secure_tcp",
-                .data           = &sysctl_ip_vs_secure_tcp,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = proc_do_defense_mode,
        },
        {
                .procname       = "snat_reroute",
-                .data           = &sysctl_ip_vs_snat_reroute,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = &proc_dointvec,
        },
+        {
+                .procname       = "sync_version",
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = &proc_do_sync_mode,
+        },
+        {
+                .procname       = "cache_bypass",
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec,
+        },
+        {
+                .procname       = "expire_nodest_conn",
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec,
+        },
+        {
+                .procname       = "expire_quiescent_template",
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec,
+        },
+        {
+                .procname       = "sync_threshold",
+                .maxlen         =
+                        sizeof(((struct netns_ipvs *)0)->sysctl_sync_threshold),
+                .mode           = 0644,
+                .proc_handler   = proc_do_sync_threshold,
+        },
+        {
+                .procname       = "nat_icmp_send",
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec,
+        },
+#ifdef CONFIG_IP_VS_DEBUG
+        {
+                .procname       = "debug_level",
+                .data           = &sysctl_ip_vs_debug_level,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec,
+        },
+#endif
 #if 0
        {
                .procname       = "timeout_established",
@@ -1686,41 +1842,6 @@ static struct ctl_table vs_vars[] = {
                .proc_handler   = proc_dointvec_jiffies,
        },
 #endif
-        {
-                .procname       = "cache_bypass",
-                .data           = &sysctl_ip_vs_cache_bypass,
-                .maxlen         = sizeof(int),
-                .mode           = 0644,
-                .proc_handler   = proc_dointvec,
-        },
-        {
-                .procname       = "expire_nodest_conn",
-                .data           = &sysctl_ip_vs_expire_nodest_conn,
-                .maxlen         = sizeof(int),
-                .mode           = 0644,
-                .proc_handler   = proc_dointvec,
-        },
-        {
-                .procname       = "expire_quiescent_template",
-                .data           = &sysctl_ip_vs_expire_quiescent_template,
-                .maxlen         = sizeof(int),
-                .mode           = 0644,
-                .proc_handler   = proc_dointvec,
-        },
-        {
-                .procname       = "sync_threshold",
-                .data           = &sysctl_ip_vs_sync_threshold,
-                .maxlen         = sizeof(sysctl_ip_vs_sync_threshold),
-                .mode           = 0644,
-                .proc_handler   = proc_do_sync_threshold,
-        },
-        {
-                .procname       = "nat_icmp_send",
-                .data           = &sysctl_ip_vs_nat_icmp_send,
-                .maxlen         = sizeof(int),
-                .mode           = 0644,
-                .proc_handler   = proc_dointvec,
-        },
        { }
 };
@@ -1731,12 +1852,12 @@ const struct ctl_path net_vs_ctl_path[] = {
        { }
 };
 EXPORT_SYMBOL_GPL(net_vs_ctl_path);
+#endif
-static struct ctl_table_header * sysctl_header;
 #ifdef CONFIG_PROC_FS
 struct ip_vs_iter {
+        struct seq_net_private p;  /* Do not move this, netns depends upon it*/
        struct list_head *table;
        int bucket;
 };
@@ -1763,6 +1884,7 @@ static inline const char *ip_vs_fwd_name(unsigned flags)
 /* Get the Nth entry in the two lists */
 static struct ip_vs_service *ip_vs_info_array(struct seq_file *seq, loff_t pos)
 {
+        struct net *net = seq_file_net(seq);
        struct ip_vs_iter *iter = seq->private;
        int idx;
        struct ip_vs_service *svc;
@@ -1770,7 +1892,7 @@ static struct ip_vs_service *ip_vs_info_array(struct seq_file *seq, loff_t pos)
        /* look in hash by protocol */
        for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
                list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
-                        if (pos-- == 0){
+                        if (net_eq(svc->net, net) && pos-- == 0) {
                                iter->table = ip_vs_svc_table;
                                iter->bucket = idx;
                                return svc;
@@ -1781,7 +1903,7 @@ static struct ip_vs_service *ip_vs_info_array(struct seq_file *seq, loff_t pos)
        /* keep looking in fwmark */
        for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
                list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
-                        if (pos-- == 0) {
+                        if (net_eq(svc->net, net) && pos-- == 0) {
                                iter->table = ip_vs_svc_fwm_table;
                                iter->bucket = idx;
                                return svc;
@@ -1935,7 +2057,7 @@ static const struct seq_operations ip_vs_info_seq_ops = {
 static int ip_vs_info_open(struct inode *inode, struct file *file)
 {
-        return seq_open_private(file, &ip_vs_info_seq_ops,
+        return seq_open_net(inode, file, &ip_vs_info_seq_ops,
                        sizeof(struct ip_vs_iter));
 }
@@ -1944,18 +2066,13 @@ static const struct file_operations ip_vs_info_fops = {
        .open    = ip_vs_info_open,
        .read    = seq_read,
        .llseek  = seq_lseek,
-        .release = seq_release_private,
+        .release = seq_release_net,
-};
-#endif
-struct ip_vs_stats ip_vs_stats = {
-        .lock = __SPIN_LOCK_UNLOCKED(ip_vs_stats.lock),
 };
-#ifdef CONFIG_PROC_FS
 static int ip_vs_stats_show(struct seq_file *seq, void *v)
 {
+        struct net *net = seq_file_single_net(seq);
+        struct ip_vs_stats_user show;
 /*               01234567 01234567 01234567 0123456701234567 0123456701234567 */
        seq_puts(seq,
@@ -1963,29 +2080,25 @@ static int ip_vs_stats_show(struct seq_file *seq, void *v)
        seq_printf(seq,
                   "   Conns  Packets  Packets            Bytes            Bytes\n");
-        spin_lock_bh(&ip_vs_stats.lock);
+        ip_vs_copy_stats(&show, &net_ipvs(net)->tot_stats);
-        seq_printf(seq, "%8X %8X %8X %16LX %16LX\n\n", ip_vs_stats.ustats.conns,
+        seq_printf(seq, "%8X %8X %8X %16LX %16LX\n\n", show.conns,
-                   ip_vs_stats.ustats.inpkts, ip_vs_stats.ustats.outpkts,
+                   show.inpkts, show.outpkts,
-                   (unsigned long long) ip_vs_stats.ustats.inbytes,
+                   (unsigned long long) show.inbytes,
-                   (unsigned long long) ip_vs_stats.ustats.outbytes);
+                   (unsigned long long) show.outbytes);
 /*                 01234567 01234567 01234567 0123456701234567 0123456701234567 */
        seq_puts(seq,
                   " Conns/s   Pkts/s   Pkts/s          Bytes/s          Bytes/s\n");
-        seq_printf(seq,"%8X %8X %8X %16X %16X\n",
+        seq_printf(seq, "%8X %8X %8X %16X %16X\n",
-                        ip_vs_stats.ustats.cps,
+                        show.cps, show.inpps, show.outpps,
-                        ip_vs_stats.ustats.inpps,
+                        show.inbps, show.outbps);
-                        ip_vs_stats.ustats.outpps,
-                        ip_vs_stats.ustats.inbps,
-                        ip_vs_stats.ustats.outbps);
-        spin_unlock_bh(&ip_vs_stats.lock);
        return 0;
 }
 static int ip_vs_stats_seq_open(struct inode *inode, struct file *file)
 {
-        return single_open(file, ip_vs_stats_show, NULL);
+        return single_open_net(inode, file, ip_vs_stats_show);
 }
 static const struct file_operations ip_vs_stats_fops = {
@@ -1993,16 +2106,88 @@ static const struct file_operations ip_vs_stats_fops = {
        .open = ip_vs_stats_seq_open,
        .read = seq_read,
        .llseek = seq_lseek,
-        .release = single_release,
+        .release = single_release_net,
 };
+static int ip_vs_stats_percpu_show(struct seq_file *seq, void *v)
+{
+        struct net *net = seq_file_single_net(seq);
+        struct ip_vs_stats *tot_stats = &net_ipvs(net)->tot_stats;
+        struct ip_vs_cpu_stats *cpustats = tot_stats->cpustats;
+        struct ip_vs_stats_user rates;
+        int i;
+/*               01234567 01234567 01234567 0123456701234567 0123456701234567 */
+        seq_puts(seq,
+                 "       Total Incoming Outgoing         Incoming         Outgoing\n");
+        seq_printf(seq,
+                   "CPU    Conns  Packets  Packets            Bytes            Bytes\n");
+        for_each_possible_cpu(i) {
+                struct ip_vs_cpu_stats *u = per_cpu_ptr(cpustats, i);
+                unsigned int start;
+                __u64 inbytes, outbytes;
+                do {
+                        start = u64_stats_fetch_begin_bh(&u->syncp);
+                        inbytes = u->ustats.inbytes;
+                        outbytes = u->ustats.outbytes;
+                } while (u64_stats_fetch_retry_bh(&u->syncp, start));
+                seq_printf(seq, "%3X %8X %8X %8X %16LX %16LX\n",
+                           i, u->ustats.conns, u->ustats.inpkts,
+                           u->ustats.outpkts, (__u64)inbytes,
+                           (__u64)outbytes);
+        }
+        spin_lock_bh(&tot_stats->lock);
+        seq_printf(seq, "  ~ %8X %8X %8X %16LX %16LX\n\n",
+                   tot_stats->ustats.conns, tot_stats->ustats.inpkts,
+                   tot_stats->ustats.outpkts,
+                   (unsigned long long) tot_stats->ustats.inbytes,
+                   (unsigned long long) tot_stats->ustats.outbytes);
+        ip_vs_read_estimator(&rates, tot_stats);
+        spin_unlock_bh(&tot_stats->lock);
+/*                 01234567 01234567 01234567 0123456701234567 0123456701234567 */
+        seq_puts(seq,
+                   "     Conns/s   Pkts/s   Pkts/s          Bytes/s          Bytes/s\n");
+        seq_printf(seq, "    %8X %8X %8X %16X %16X\n",
+                        rates.cps,
+                        rates.inpps,
+                        rates.outpps,
+                        rates.inbps,
+                        rates.outbps);
+        return 0;
+}
+static int ip_vs_stats_percpu_seq_open(struct inode *inode, struct file *file)
+{
+        return single_open_net(inode, file, ip_vs_stats_percpu_show);
+}
+static const struct file_operations ip_vs_stats_percpu_fops = {
+        .owner = THIS_MODULE,
+        .open = ip_vs_stats_percpu_seq_open,
+        .read = seq_read,
+        .llseek = seq_lseek,
+        .release = single_release_net,
+};
 #endif
 /*
 *      Set timeout values for tcp tcpfin udp in the timeout_table.
 */
-static int ip_vs_set_timeout(struct ip_vs_timeout_user *u)
+static int ip_vs_set_timeout(struct net *net, struct ip_vs_timeout_user *u)
 {
+#if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
+        struct ip_vs_proto_data *pd;
+#endif
        IP_VS_DBG(2, "Setting timeout tcp:%d tcpfin:%d udp:%d\n",
                  u->tcp_timeout,
                  u->tcp_fin_timeout,
@@ -2010,19 +2195,22 @@ static int ip_vs_set_timeout(struct ip_vs_timeout_user *u)
 #ifdef CONFIG_IP_VS_PROTO_TCP
        if (u->tcp_timeout) {
-                ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_ESTABLISHED]
+                pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
+                pd->timeout_table[IP_VS_TCP_S_ESTABLISHED]
                        = u->tcp_timeout * HZ;
        }
        if (u->tcp_fin_timeout) {
-                ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_FIN_WAIT]
+                pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
+                pd->timeout_table[IP_VS_TCP_S_FIN_WAIT]
                        = u->tcp_fin_timeout * HZ;
        }
 #endif
 #ifdef CONFIG_IP_VS_PROTO_UDP
        if (u->udp_timeout) {
-                ip_vs_protocol_udp.timeout_table[IP_VS_UDP_S_NORMAL]
+                pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
+                pd->timeout_table[IP_VS_UDP_S_NORMAL]
                        = u->udp_timeout * HZ;
        }
 #endif
@@ -2087,6 +2275,7 @@ static void ip_vs_copy_udest_compat(struct ip_vs_dest_user_kern *udest,
 static int
 do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
 {
+        struct net *net = sock_net(sk);
        int ret;
        unsigned char arg[MAX_ARG_LEN];
        struct ip_vs_service_user *usvc_compat;
@@ -2121,19 +2310,20 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
        if (cmd == IP_VS_SO_SET_FLUSH) {
                /* Flush the virtual service */
-                ret = ip_vs_flush();
+                ret = ip_vs_flush(net);
                goto out_unlock;
        } else if (cmd == IP_VS_SO_SET_TIMEOUT) {
                /* Set timeout values for (tcp tcpfin udp) */
-                ret = ip_vs_set_timeout((struct ip_vs_timeout_user *)arg);
+                ret = ip_vs_set_timeout(net, (struct ip_vs_timeout_user *)arg);
                goto out_unlock;
        } else if (cmd == IP_VS_SO_SET_STARTDAEMON) {
                struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
-                ret = start_sync_thread(dm->state, dm->mcast_ifn, dm->syncid);
+                ret = start_sync_thread(net, dm->state, dm->mcast_ifn,
+                                        dm->syncid);
                goto out_unlock;
        } else if (cmd == IP_VS_SO_SET_STOPDAEMON) {
                struct ip_vs_daemon_user *dm = (struct ip_vs_daemon_user *)arg;
-                ret = stop_sync_thread(dm->state);
+                ret = stop_sync_thread(net, dm->state);
                goto out_unlock;
        }
@@ -2148,7 +2338,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
        if (cmd == IP_VS_SO_SET_ZERO) {
                /* if no service address is set, zero counters in all */
                if (!usvc.fwmark && !usvc.addr.ip && !usvc.port) {
-                        ret = ip_vs_zero_all();
+                        ret = ip_vs_zero_all(net);
                        goto out_unlock;
                }
        }
@@ -2165,10 +2355,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
        /* Lookup the exact service by <protocol, addr, port> or fwmark */
        if (usvc.fwmark == 0)
-                svc = __ip_vs_service_find(usvc.af, usvc.protocol,
+                svc = __ip_vs_service_find(net, usvc.af, usvc.protocol,
                                           &usvc.addr, usvc.port);
        else
-                svc = __ip_vs_svc_fwm_find(usvc.af, usvc.fwmark);
+                svc = __ip_vs_svc_fwm_find(net, usvc.af, usvc.fwmark);
        if (cmd != IP_VS_SO_SET_ADD
            && (svc == NULL || svc->protocol != usvc.protocol)) {
@@ -2181,7 +2371,7 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
                if (svc != NULL)
                        ret = -EEXIST;
                else
-                        ret = ip_vs_add_service(&usvc, &svc);
+                        ret = ip_vs_add_service(net, &usvc, &svc);
                break;
        case IP_VS_SO_SET_EDIT:
                ret = ip_vs_edit_service(svc, &usvc);
@@ -2218,14 +2408,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
 static void
-ip_vs_copy_stats(struct ip_vs_stats_user *dst, struct ip_vs_stats *src)
-{
-        spin_lock_bh(&src->lock);
-        memcpy(dst, &src->ustats, sizeof(*dst));
-        spin_unlock_bh(&src->lock);
-}
-static void
 ip_vs_copy_service(struct ip_vs_service_entry *dst, struct ip_vs_service *src)
 {
        dst->protocol = src->protocol;
@@ -2241,7 +2423,8 @@ ip_vs_copy_service(struct ip_vs_service_entry *dst, struct ip_vs_service *src)
 }
 static inline int
-__ip_vs_get_service_entries(const struct ip_vs_get_services *get,
+__ip_vs_get_service_entries(struct net *net,
+                            const struct ip_vs_get_services *get,
                            struct ip_vs_get_services __user *uptr)
 {
        int idx, count=0;
@@ -2252,7 +2435,7 @@ __ip_vs_get_service_entries(const struct ip_vs_get_services *get,
        for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
                list_for_each_entry(svc, &ip_vs_svc_table[idx], s_list) {
                        /* Only expose IPv4 entries to old interface */
-                        if (svc->af != AF_INET)
+                        if (svc->af != AF_INET || !net_eq(svc->net, net))
                                continue;
                        if (count >= get->num_services)
@@ -2271,7 +2454,7 @@ __ip_vs_get_service_entries(const struct ip_vs_get_services *get,
        for (idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++) {
                list_for_each_entry(svc, &ip_vs_svc_fwm_table[idx], f_list) {
                        /* Only expose IPv4 entries to old interface */
-                        if (svc->af != AF_INET)
+                        if (svc->af != AF_INET || !net_eq(svc->net, net))
                                continue;
                        if (count >= get->num_services)
@@ -2291,7 +2474,7 @@ __ip_vs_get_service_entries(const struct ip_vs_get_services *get,
 }
 static inline int
-__ip_vs_get_dest_entries(const struct ip_vs_get_dests *get,
+__ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
                         struct ip_vs_get_dests __user *uptr)
 {
        struct ip_vs_service *svc;
@@ -2299,9 +2482,9 @@ __ip_vs_get_dest_entries(const struct ip_vs_get_dests *get,
        int ret = 0;
        if (get->fwmark)
-                svc = __ip_vs_svc_fwm_find(AF_INET, get->fwmark);
+                svc = __ip_vs_svc_fwm_find(net, AF_INET, get->fwmark);
        else
-                svc = __ip_vs_service_find(AF_INET, get->protocol, &addr,
+                svc = __ip_vs_service_find(net, AF_INET, get->protocol, &addr,
                                           get->port);
        if (svc) {
@@ -2336,17 +2519,21 @@ __ip_vs_get_dest_entries(const struct ip_vs_get_dests *get,
 }
 static inline void
-__ip_vs_get_timeouts(struct ip_vs_timeout_user *u)
+__ip_vs_get_timeouts(struct net *net, struct ip_vs_timeout_user *u)
 {
+#if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP)
+        struct ip_vs_proto_data *pd;
+#endif
 #ifdef CONFIG_IP_VS_PROTO_TCP
-        u->tcp_timeout =
+        pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
-                ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;
+        u->tcp_timeout = pd->timeout_table[IP_VS_TCP_S_ESTABLISHED] / HZ;
-        u->tcp_fin_timeout =
+        u->tcp_fin_timeout = pd->timeout_table[IP_VS_TCP_S_FIN_WAIT] / HZ;
-                ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_FIN_WAIT] / HZ;
 #endif
 #ifdef CONFIG_IP_VS_PROTO_UDP
+        pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
        u->udp_timeout =
-                ip_vs_protocol_udp.timeout_table[IP_VS_UDP_S_NORMAL] / HZ;
+                        pd->timeout_table[IP_VS_UDP_S_NORMAL] / HZ;
 #endif
 }
@@ -2375,7 +2562,10 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
        unsigned char arg[128];
        int ret = 0;
        unsigned int copylen;
+        struct net *net = sock_net(sk);
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        BUG_ON(!net);
        if (!capable(CAP_NET_ADMIN))
                return -EPERM;
@@ -2418,7 +2608,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
                struct ip_vs_getinfo info;
                info.version = IP_VS_VERSION_CODE;
                info.size = ip_vs_conn_tab_size;
-                info.num_services = ip_vs_num_services;
+                info.num_services = ipvs->num_services;
                if (copy_to_user(user, &info, sizeof(info)) != 0)
                        ret = -EFAULT;
        }
@@ -2437,7 +2627,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
                        ret = -EINVAL;
                        goto out;
                }
-                ret = __ip_vs_get_service_entries(get, user);
+                ret = __ip_vs_get_service_entries(net, get, user);
        }
        break;
@@ -2450,10 +2640,11 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
                entry = (struct ip_vs_service_entry *)arg;
                addr.ip = entry->addr;
                if (entry->fwmark)
-                        svc = __ip_vs_svc_fwm_find(AF_INET, entry->fwmark);
+                        svc = __ip_vs_svc_fwm_find(net, AF_INET, entry->fwmark);
                else
-                        svc = __ip_vs_service_find(AF_INET, entry->protocol,
+                        svc = __ip_vs_service_find(net, AF_INET,
-                                                   &addr, entry->port);
+                                                   entry->protocol, &addr,
+                                                   entry->port);
                if (svc) {
                        ip_vs_copy_service(entry, svc);
                        if (copy_to_user(user, entry, sizeof(*entry)) != 0)
@@ -2476,7 +2667,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
                        ret = -EINVAL;
                        goto out;
                }
-                ret = __ip_vs_get_dest_entries(get, user);
+                ret = __ip_vs_get_dest_entries(net, get, user);
        }
        break;
@@ -2484,7 +2675,7 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
        {
                struct ip_vs_timeout_user t;
-                __ip_vs_get_timeouts(&t);
+                __ip_vs_get_timeouts(net, &t);
                if (copy_to_user(user, &t, sizeof(t)) != 0)
                        ret = -EFAULT;
        }
@@ -2495,15 +2686,17 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
                struct ip_vs_daemon_user d[2];
                memset(&d, 0, sizeof(d));
-                if (ip_vs_sync_state & IP_VS_STATE_MASTER) {
+                if (ipvs->sync_state & IP_VS_STATE_MASTER) {
                        d[0].state = IP_VS_STATE_MASTER;
-                        strlcpy(d[0].mcast_ifn, ip_vs_master_mcast_ifn, sizeof(d[0].mcast_ifn));
+                        strlcpy(d[0].mcast_ifn, ipvs->master_mcast_ifn,
-                        d[0].syncid = ip_vs_master_syncid;
+                                sizeof(d[0].mcast_ifn));
+                        d[0].syncid = ipvs->master_syncid;
                }
-                if (ip_vs_sync_state & IP_VS_STATE_BACKUP) {
+                if (ipvs->sync_state & IP_VS_STATE_BACKUP) {
                        d[1].state = IP_VS_STATE_BACKUP;
-                        strlcpy(d[1].mcast_ifn, ip_vs_backup_mcast_ifn, sizeof(d[1].mcast_ifn));
+                        strlcpy(d[1].mcast_ifn, ipvs->backup_mcast_ifn,
-                        d[1].syncid = ip_vs_backup_syncid;
+                                sizeof(d[1].mcast_ifn));
+                        d[1].syncid = ipvs->backup_syncid;
                }
                if (copy_to_user(user, &d, sizeof(d)) != 0)
                        ret = -EFAULT;
@@ -2542,6 +2735,7 @@ static struct genl_family ip_vs_genl_family = {
        .name           = IPVS_GENL_NAME,
        .version        = IPVS_GENL_VERSION,
        .maxattr        = IPVS_CMD_MAX,
+        .netnsok        = true,         /* Make ipvsadm to work on netns */
 };
 /* Policy used for first-level command attributes */
@@ -2599,31 +2793,29 @@ static const struct nla_policy ip_vs_dest_policy[IPVS_DEST_ATTR_MAX + 1] = {
 static int ip_vs_genl_fill_stats(struct sk_buff *skb, int container_type,
                                 struct ip_vs_stats *stats)
 {
+        struct ip_vs_stats_user ustats;
        struct nlattr *nl_stats = nla_nest_start(skb, container_type);
        if (!nl_stats)
                return -EMSGSIZE;
-        spin_lock_bh(&stats->lock);
+        ip_vs_copy_stats(&ustats, stats);
-        NLA_PUT_U32(skb, IPVS_STATS_ATTR_CONNS, stats->ustats.conns);
+        NLA_PUT_U32(skb, IPVS_STATS_ATTR_CONNS, ustats.conns);
-        NLA_PUT_U32(skb, IPVS_STATS_ATTR_INPKTS, stats->ustats.inpkts);
+        NLA_PUT_U32(skb, IPVS_STATS_ATTR_INPKTS, ustats.inpkts);
-        NLA_PUT_U32(skb, IPVS_STATS_ATTR_OUTPKTS, stats->ustats.outpkts);
+        NLA_PUT_U32(skb, IPVS_STATS_ATTR_OUTPKTS, ustats.outpkts);
-        NLA_PUT_U64(skb, IPVS_STATS_ATTR_INBYTES, stats->ustats.inbytes);
+        NLA_PUT_U64(skb, IPVS_STATS_ATTR_INBYTES, ustats.inbytes);
-        NLA_PUT_U64(skb, IPVS_STATS_ATTR_OUTBYTES, stats->ustats.outbytes);
+        NLA_PUT_U64(skb, IPVS_STATS_ATTR_OUTBYTES, ustats.outbytes);
-        NLA_PUT_U32(skb, IPVS_STATS_ATTR_CPS, stats->ustats.cps);
+        NLA_PUT_U32(skb, IPVS_STATS_ATTR_CPS, ustats.cps);
-        NLA_PUT_U32(skb, IPVS_STATS_ATTR_INPPS, stats->ustats.inpps);
+        NLA_PUT_U32(skb, IPVS_STATS_ATTR_INPPS, ustats.inpps);
-        NLA_PUT_U32(skb, IPVS_STATS_ATTR_OUTPPS, stats->ustats.outpps);
+        NLA_PUT_U32(skb, IPVS_STATS_ATTR_OUTPPS, ustats.outpps);
-        NLA_PUT_U32(skb, IPVS_STATS_ATTR_INBPS, stats->ustats.inbps);
+        NLA_PUT_U32(skb, IPVS_STATS_ATTR_INBPS, ustats.inbps);
-        NLA_PUT_U32(skb, IPVS_STATS_ATTR_OUTBPS, stats->ustats.outbps);
+        NLA_PUT_U32(skb, IPVS_STATS_ATTR_OUTBPS, ustats.outbps);
-        spin_unlock_bh(&stats->lock);
        nla_nest_end(skb, nl_stats);
        return 0;
 nla_put_failure:
-        spin_unlock_bh(&stats->lock);
        nla_nest_cancel(skb, nl_stats);
        return -EMSGSIZE;
 }
@@ -2696,11 +2888,12 @@ static int ip_vs_genl_dump_services(struct sk_buff *skb,
        int idx = 0, i;
        int start = cb->args[0];
        struct ip_vs_service *svc;
+        struct net *net = skb_sknet(skb);
        mutex_lock(&__ip_vs_mutex);
        for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
                list_for_each_entry(svc, &ip_vs_svc_table[i], s_list) {
-                        if (++idx <= start)
+                        if (++idx <= start || !net_eq(svc->net, net))
                                continue;
                        if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
                                idx--;
@@ -2711,7 +2904,7 @@ static int ip_vs_genl_dump_services(struct sk_buff *skb,
        for (i = 0; i < IP_VS_SVC_TAB_SIZE; i++) {
                list_for_each_entry(svc, &ip_vs_svc_fwm_table[i], f_list) {
-                        if (++idx <= start)
+                        if (++idx <= start || !net_eq(svc->net, net))
                                continue;
                        if (ip_vs_genl_dump_service(skb, svc, cb) < 0) {
                                idx--;
@@ -2727,7 +2920,8 @@ nla_put_failure:
        return skb->len;
 }
-static int ip_vs_genl_parse_service(struct ip_vs_service_user_kern *usvc,
+static int ip_vs_genl_parse_service(struct net *net,
+                                    struct ip_vs_service_user_kern *usvc,
                                    struct nlattr *nla, int full_entry,
                                    struct ip_vs_service **ret_svc)
 {
@@ -2770,9 +2964,9 @@ static int ip_vs_genl_parse_service(struct ip_vs_service_user_kern *usvc,
        }
        if (usvc->fwmark)
-                svc = __ip_vs_svc_fwm_find(usvc->af, usvc->fwmark);
+                svc = __ip_vs_svc_fwm_find(net, usvc->af, usvc->fwmark);
        else
-                svc = __ip_vs_service_find(usvc->af, usvc->protocol,
+                svc = __ip_vs_service_find(net, usvc->af, usvc->protocol,
                                           &usvc->addr, usvc->port);
        *ret_svc = svc;
@@ -2809,13 +3003,14 @@ static int ip_vs_genl_parse_service(struct ip_vs_service_user_kern *usvc,
        return 0;
 }
-static struct ip_vs_service *ip_vs_genl_find_service(struct nlattr *nla)
+static struct ip_vs_service *ip_vs_genl_find_service(struct net *net,
+                                                     struct nlattr *nla)
 {
        struct ip_vs_service_user_kern usvc;
        struct ip_vs_service *svc;
        int ret;
-        ret = ip_vs_genl_parse_service(&usvc, nla, 0, &svc);
+        ret = ip_vs_genl_parse_service(net, &usvc, nla, 0, &svc);
        return ret ? ERR_PTR(ret) : svc;
 }
@@ -2883,6 +3078,7 @@ static int ip_vs_genl_dump_dests(struct sk_buff *skb,
        struct ip_vs_service *svc;
        struct ip_vs_dest *dest;
        struct nlattr *attrs[IPVS_CMD_ATTR_MAX + 1];
+        struct net *net = skb_sknet(skb);
        mutex_lock(&__ip_vs_mutex);
@@ -2891,7 +3087,8 @@ static int ip_vs_genl_dump_dests(struct sk_buff *skb,
                        IPVS_CMD_ATTR_MAX, ip_vs_cmd_policy))
                goto out_err;
-        svc = ip_vs_genl_find_service(attrs[IPVS_CMD_ATTR_SERVICE]);
+        svc = ip_vs_genl_find_service(net, attrs[IPVS_CMD_ATTR_SERVICE]);
        if (IS_ERR(svc) || svc == NULL)
                goto out_err;
@@ -3005,20 +3202,23 @@ nla_put_failure:
 static int ip_vs_genl_dump_daemons(struct sk_buff *skb,
                                   struct netlink_callback *cb)
 {
+        struct net *net = skb_sknet(skb);
+        struct netns_ipvs *ipvs = net_ipvs(net);
        mutex_lock(&__ip_vs_mutex);
-        if ((ip_vs_sync_state & IP_VS_STATE_MASTER) && !cb->args[0]) {
+        if ((ipvs->sync_state & IP_VS_STATE_MASTER) && !cb->args[0]) {
                if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_MASTER,
-                                           ip_vs_master_mcast_ifn,
+                                           ipvs->master_mcast_ifn,
-                                           ip_vs_master_syncid, cb) < 0)
+                                           ipvs->master_syncid, cb) < 0)
                        goto nla_put_failure;
                cb->args[0] = 1;
        }
-        if ((ip_vs_sync_state & IP_VS_STATE_BACKUP) && !cb->args[1]) {
+        if ((ipvs->sync_state & IP_VS_STATE_BACKUP) && !cb->args[1]) {
                if (ip_vs_genl_dump_daemon(skb, IP_VS_STATE_BACKUP,
-                                           ip_vs_backup_mcast_ifn,
+                                           ipvs->backup_mcast_ifn,
-                                           ip_vs_backup_syncid, cb) < 0)
+                                           ipvs->backup_syncid, cb) < 0)
                        goto nla_put_failure;
                cb->args[1] = 1;
@@ -3030,31 +3230,33 @@ nla_put_failure:
        return skb->len;
 }
-static int ip_vs_genl_new_daemon(struct nlattr **attrs)
+static int ip_vs_genl_new_daemon(struct net *net, struct nlattr **attrs)
 {
        if (!(attrs[IPVS_DAEMON_ATTR_STATE] &&
              attrs[IPVS_DAEMON_ATTR_MCAST_IFN] &&
              attrs[IPVS_DAEMON_ATTR_SYNC_ID]))
                return -EINVAL;
-        return start_sync_thread(nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]),
+        return start_sync_thread(net,
+                                 nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]),
                                 nla_data(attrs[IPVS_DAEMON_ATTR_MCAST_IFN]),
                                 nla_get_u32(attrs[IPVS_DAEMON_ATTR_SYNC_ID]));
 }
-static int ip_vs_genl_del_daemon(struct nlattr **attrs)
+static int ip_vs_genl_del_daemon(struct net *net, struct nlattr **attrs)
 {
        if (!attrs[IPVS_DAEMON_ATTR_STATE])
                return -EINVAL;
-        return stop_sync_thread(nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
+        return stop_sync_thread(net,
+                                nla_get_u32(attrs[IPVS_DAEMON_ATTR_STATE]));
 }
-static int ip_vs_genl_set_config(struct nlattr **attrs)
+static int ip_vs_genl_set_config(struct net *net, struct nlattr **attrs)
 {
        struct ip_vs_timeout_user t;
-        __ip_vs_get_timeouts(&t);
+        __ip_vs_get_timeouts(net, &t);
        if (attrs[IPVS_CMD_ATTR_TIMEOUT_TCP])
                t.tcp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_TCP]);
@@ -3066,7 +3268,7 @@ static int ip_vs_genl_set_config(struct nlattr **attrs)
        if (attrs[IPVS_CMD_ATTR_TIMEOUT_UDP])
                t.udp_timeout = nla_get_u32(attrs[IPVS_CMD_ATTR_TIMEOUT_UDP]);
-        return ip_vs_set_timeout(&t);
+        return ip_vs_set_timeout(net, &t);
 }
 static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
@@ -3076,16 +3278,20 @@ static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
        struct ip_vs_dest_user_kern udest;
        int ret = 0, cmd;
        int need_full_svc = 0, need_full_dest = 0;
+        struct net *net;
+        struct netns_ipvs *ipvs;
+        net = skb_sknet(skb);
+        ipvs = net_ipvs(net);
        cmd = info->genlhdr->cmd;
        mutex_lock(&__ip_vs_mutex);
        if (cmd == IPVS_CMD_FLUSH) {
-                ret = ip_vs_flush();
+                ret = ip_vs_flush(net);
                goto out;
        } else if (cmd == IPVS_CMD_SET_CONFIG) {
-                ret = ip_vs_genl_set_config(info->attrs);
+                ret = ip_vs_genl_set_config(net, info->attrs);
                goto out;
        } else if (cmd == IPVS_CMD_NEW_DAEMON ||
                   cmd == IPVS_CMD_DEL_DAEMON) {
@@ -3101,13 +3307,13 @@ static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
                }
                if (cmd == IPVS_CMD_NEW_DAEMON)
-                        ret = ip_vs_genl_new_daemon(daemon_attrs);
+                        ret = ip_vs_genl_new_daemon(net, daemon_attrs);
                else
-                        ret = ip_vs_genl_del_daemon(daemon_attrs);
+                        ret = ip_vs_genl_del_daemon(net, daemon_attrs);
                goto out;
        } else if (cmd == IPVS_CMD_ZERO &&
                   !info->attrs[IPVS_CMD_ATTR_SERVICE]) {
-                ret = ip_vs_zero_all();
+                ret = ip_vs_zero_all(net);
                goto out;
        }
@@ -3117,7 +3323,7 @@ static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
        if (cmd == IPVS_CMD_NEW_SERVICE || cmd == IPVS_CMD_SET_SERVICE)
                need_full_svc = 1;
-        ret = ip_vs_genl_parse_service(&usvc,
+        ret = ip_vs_genl_parse_service(net, &usvc,
                                       info->attrs[IPVS_CMD_ATTR_SERVICE],
                                       need_full_svc, &svc);
        if (ret)
@@ -3147,7 +3353,7 @@ static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
        switch (cmd) {
        case IPVS_CMD_NEW_SERVICE:
                if (svc == NULL)
-                        ret = ip_vs_add_service(&usvc, &svc);
+                        ret = ip_vs_add_service(net, &usvc, &svc);
                else
                        ret = -EEXIST;
                break;
@@ -3185,7 +3391,11 @@ static int ip_vs_genl_get_cmd(struct sk_buff *skb, struct genl_info *info)
        struct sk_buff *msg;
        void *reply;
        int ret, cmd, reply_cmd;
+        struct net *net;
+        struct netns_ipvs *ipvs;
+        net = skb_sknet(skb);
+        ipvs = net_ipvs(net);
        cmd = info->genlhdr->cmd;
        if (cmd == IPVS_CMD_GET_SERVICE)
@@ -3214,7 +3424,8 @@ static int ip_vs_genl_get_cmd(struct sk_buff *skb, struct genl_info *info)
        {
                struct ip_vs_service *svc;
-                svc = ip_vs_genl_find_service(info->attrs[IPVS_CMD_ATTR_SERVICE]);
+                svc = ip_vs_genl_find_service(net,
+                                              info->attrs[IPVS_CMD_ATTR_SERVICE]);
                if (IS_ERR(svc)) {
                        ret = PTR_ERR(svc);
                        goto out_err;
@@ -3234,7 +3445,7 @@ static int ip_vs_genl_get_cmd(struct sk_buff *skb, struct genl_info *info)
        {
                struct ip_vs_timeout_user t;
-                __ip_vs_get_timeouts(&t);
+                __ip_vs_get_timeouts(net, &t);
 #ifdef CONFIG_IP_VS_PROTO_TCP
                NLA_PUT_U32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP, t.tcp_timeout);
                NLA_PUT_U32(msg, IPVS_CMD_ATTR_TIMEOUT_TCP_FIN,
@@ -3380,62 +3591,186 @@ static void ip_vs_genl_unregister(void)
 /* End of Generic Netlink interface definitions */
+/*
+ * per netns intit/exit func.
+ */
+#ifdef CONFIG_SYSCTL
+int __net_init __ip_vs_control_init_sysctl(struct net *net)
+{
+        int idx;
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        struct ctl_table *tbl;
+        atomic_set(&ipvs->dropentry, 0);
+        spin_lock_init(&ipvs->dropentry_lock);
+        spin_lock_init(&ipvs->droppacket_lock);
+        spin_lock_init(&ipvs->securetcp_lock);
+        if (!net_eq(net, &init_net)) {
+                tbl = kmemdup(vs_vars, sizeof(vs_vars), GFP_KERNEL);
+                if (tbl == NULL)
+                        return -ENOMEM;
+        } else
+                tbl = vs_vars;
+        /* Initialize sysctl defaults */
+        idx = 0;
+        ipvs->sysctl_amemthresh = 1024;
+        tbl[idx++].data = &ipvs->sysctl_amemthresh;
+        ipvs->sysctl_am_droprate = 10;
+        tbl[idx++].data = &ipvs->sysctl_am_droprate;
+        tbl[idx++].data = &ipvs->sysctl_drop_entry;
+        tbl[idx++].data = &ipvs->sysctl_drop_packet;
+#ifdef CONFIG_IP_VS_NFCT
+        tbl[idx++].data = &ipvs->sysctl_conntrack;
+#endif
+        tbl[idx++].data = &ipvs->sysctl_secure_tcp;
+        ipvs->sysctl_snat_reroute = 1;
+        tbl[idx++].data = &ipvs->sysctl_snat_reroute;
+        ipvs->sysctl_sync_ver = 1;
+        tbl[idx++].data = &ipvs->sysctl_sync_ver;
+        tbl[idx++].data = &ipvs->sysctl_cache_bypass;
+        tbl[idx++].data = &ipvs->sysctl_expire_nodest_conn;
+        tbl[idx++].data = &ipvs->sysctl_expire_quiescent_template;
+        ipvs->sysctl_sync_threshold[0] = DEFAULT_SYNC_THRESHOLD;
+        ipvs->sysctl_sync_threshold[1] = DEFAULT_SYNC_PERIOD;
+        tbl[idx].data = &ipvs->sysctl_sync_threshold;
+        tbl[idx++].maxlen = sizeof(ipvs->sysctl_sync_threshold);
+        tbl[idx++].data = &ipvs->sysctl_nat_icmp_send;
+        ipvs->sysctl_hdr = register_net_sysctl_table(net, net_vs_ctl_path,
+                                                     tbl);
+        if (ipvs->sysctl_hdr == NULL) {
+                if (!net_eq(net, &init_net))
+                        kfree(tbl);
+                return -ENOMEM;
+        }
+        ip_vs_start_estimator(net, &ipvs->tot_stats);
+        ipvs->sysctl_tbl = tbl;
+        /* Schedule defense work */
+        INIT_DELAYED_WORK(&ipvs->defense_work, defense_work_handler);
+        schedule_delayed_work(&ipvs->defense_work, DEFENSE_TIMER_PERIOD);
+        return 0;
+}
+void __net_init __ip_vs_control_cleanup_sysctl(struct net *net)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        cancel_delayed_work_sync(&ipvs->defense_work);
+        cancel_work_sync(&ipvs->defense_work.work);
+        unregister_net_sysctl_table(ipvs->sysctl_hdr);
+}
+#else
+int __net_init __ip_vs_control_init_sysctl(struct net *net) { return 0; }
+void __net_init __ip_vs_control_cleanup_sysctl(struct net *net) { }
+#endif
+static struct notifier_block ip_vs_dst_notifier = {
+        .notifier_call = ip_vs_dst_event,
+};
+int __net_init __ip_vs_control_init(struct net *net)
+{
+        int idx;
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        ipvs->rs_lock = __RW_LOCK_UNLOCKED(ipvs->rs_lock);
+        /* Initialize rs_table */
+        for (idx = 0; idx < IP_VS_RTAB_SIZE; idx++)
+                INIT_LIST_HEAD(&ipvs->rs_table[idx]);
+        INIT_LIST_HEAD(&ipvs->dest_trash);
+        atomic_set(&ipvs->ftpsvc_counter, 0);
+        atomic_set(&ipvs->nullsvc_counter, 0);
+        /* procfs stats */
+        ipvs->tot_stats.cpustats = alloc_percpu(struct ip_vs_cpu_stats);
+        if (!ipvs->tot_stats.cpustats) {
+                pr_err("%s(): alloc_percpu.\n", __func__);
+                return -ENOMEM;
+        }
+        spin_lock_init(&ipvs->tot_stats.lock);
+        proc_net_fops_create(net, "ip_vs", 0, &ip_vs_info_fops);
+        proc_net_fops_create(net, "ip_vs_stats", 0, &ip_vs_stats_fops);
+        proc_net_fops_create(net, "ip_vs_stats_percpu", 0,
+                             &ip_vs_stats_percpu_fops);
+        if (__ip_vs_control_init_sysctl(net))
+                goto err;
+        return 0;
+err:
+        free_percpu(ipvs->tot_stats.cpustats);
+        return -ENOMEM;
+}
+void __net_exit __ip_vs_control_cleanup(struct net *net)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        ip_vs_trash_cleanup(net);
+        ip_vs_stop_estimator(net, &ipvs->tot_stats);
+        __ip_vs_control_cleanup_sysctl(net);
+        proc_net_remove(net, "ip_vs_stats_percpu");
+        proc_net_remove(net, "ip_vs_stats");
+        proc_net_remove(net, "ip_vs");
+        free_percpu(ipvs->tot_stats.cpustats);
+}
 int __init ip_vs_control_init(void)
 {
-        int ret;
        int idx;
+        int ret;
        EnterFunction(2);
-        /* Initialize ip_vs_svc_table, ip_vs_svc_fwm_table, ip_vs_rtable */
+        /* Initialize svc_table, ip_vs_svc_fwm_table, rs_table */
        for(idx = 0; idx < IP_VS_SVC_TAB_SIZE; idx++)  {
                INIT_LIST_HEAD(&ip_vs_svc_table[idx]);
                INIT_LIST_HEAD(&ip_vs_svc_fwm_table[idx]);
        }
-        for(idx = 0; idx < IP_VS_RTAB_SIZE; idx++)  {
-                INIT_LIST_HEAD(&ip_vs_rtable[idx]);
+        smp_wmb();      /* Do we really need it now ? */
-        }
-        smp_wmb();
        ret = nf_register_sockopt(&ip_vs_sockopts);
        if (ret) {
                pr_err("cannot register sockopt.\n");
-                return ret;
+                goto err_sock;
        }
        ret = ip_vs_genl_register();
        if (ret) {
                pr_err("cannot register Generic Netlink interface.\n");
-                nf_unregister_sockopt(&ip_vs_sockopts);
+                goto err_genl;
-                return ret;
        }
-        proc_net_fops_create(&init_net, "ip_vs", 0, &ip_vs_info_fops);
+        ret = register_netdevice_notifier(&ip_vs_dst_notifier);
-        proc_net_fops_create(&init_net, "ip_vs_stats",0, &ip_vs_stats_fops);
+        if (ret < 0)
+                goto err_notf;
-        sysctl_header = register_sysctl_paths(net_vs_ctl_path, vs_vars);
-        ip_vs_new_estimator(&ip_vs_stats);
-        /* Hook the defense timer */
-        schedule_delayed_work(&defense_work, DEFENSE_TIMER_PERIOD);
        LeaveFunction(2);
        return 0;
+err_notf:
+        ip_vs_genl_unregister();
+err_genl:
+        nf_unregister_sockopt(&ip_vs_sockopts);
+err_sock:
+        return ret;
 }
 void ip_vs_control_cleanup(void)
 {
        EnterFunction(2);
-        ip_vs_trash_cleanup();
-        cancel_delayed_work_sync(&defense_work);
-        cancel_work_sync(&defense_work.work);
-        ip_vs_kill_estimator(&ip_vs_stats);
-        unregister_sysctl_table(sysctl_header);
-        proc_net_remove(&init_net, "ip_vs_stats");
-        proc_net_remove(&init_net, "ip_vs");
        ip_vs_genl_unregister();
        nf_unregister_sockopt(&ip_vs_sockopts);
        LeaveFunction(2);
diff --git a/net/netfilter/ipvs/ip_vs_est.c b/net/netfilter/ipvs/ip_vs_est.c
index ff28801962e0..508cce98777c 100644
--- a/net/netfilter/ipvs/ip_vs_est.c
+++ b/net/netfilter/ipvs/ip_vs_est.c
@@ -8,8 +8,12 @@
 *              as published by the Free Software Foundation; either version
 *              2 of the License, or (at your option) any later version.
 *
- * Changes:
+ * Changes:     Hans Schillstrom <hans.schillstrom@ericsson.com>
- *
+ *              Network name space (netns) aware.
+ *              Global data moved to netns i.e struct netns_ipvs
+ *              Affected data: est_list and est_lock.
+ *              estimation_timer() runs with timer per netns.
+ *              get_stats()) do the per cpu summing.
 */
 #define KMSG_COMPONENT "IPVS"
@@ -48,11 +52,42 @@
 */
-static void estimation_timer(unsigned long arg);
+/*
+ * Make a summary from each cpu
+ */
+static void ip_vs_read_cpu_stats(struct ip_vs_stats_user *sum,
+                                 struct ip_vs_cpu_stats *stats)
+{
+        int i;
+        for_each_possible_cpu(i) {
+                struct ip_vs_cpu_stats *s = per_cpu_ptr(stats, i);
+                unsigned int start;
+                __u64 inbytes, outbytes;
+                if (i) {
+                        sum->conns += s->ustats.conns;
+                        sum->inpkts += s->ustats.inpkts;
+                        sum->outpkts += s->ustats.outpkts;
+                        do {
+                                start = u64_stats_fetch_begin(&s->syncp);
+                                inbytes = s->ustats.inbytes;
+                                outbytes = s->ustats.outbytes;
+                        } while (u64_stats_fetch_retry(&s->syncp, start));
+                        sum->inbytes += inbytes;
+                        sum->outbytes += outbytes;
+                } else {
+                        sum->conns = s->ustats.conns;
+                        sum->inpkts = s->ustats.inpkts;
+                        sum->outpkts = s->ustats.outpkts;
+                        do {
+                                start = u64_stats_fetch_begin(&s->syncp);
+                                sum->inbytes = s->ustats.inbytes;
+                                sum->outbytes = s->ustats.outbytes;
+                        } while (u64_stats_fetch_retry(&s->syncp, start));
+                }
+        }
+}
-static LIST_HEAD(est_list);
-static DEFINE_SPINLOCK(est_lock);
-static DEFINE_TIMER(est_timer, estimation_timer, 0, 0);
 static void estimation_timer(unsigned long arg)
 {
@@ -62,12 +97,16 @@ static void estimation_timer(unsigned long arg)
        u32 n_inpkts, n_outpkts;
        u64 n_inbytes, n_outbytes;
        u32 rate;
+        struct net *net = (struct net *)arg;
+        struct netns_ipvs *ipvs;
-        spin_lock(&est_lock);
+        ipvs = net_ipvs(net);
-        list_for_each_entry(e, &est_list, list) {
+        spin_lock(&ipvs->est_lock);
+        list_for_each_entry(e, &ipvs->est_list, list) {
                s = container_of(e, struct ip_vs_stats, est);
                spin_lock(&s->lock);
+                ip_vs_read_cpu_stats(&s->ustats, s->cpustats);
                n_conns = s->ustats.conns;
                n_inpkts = s->ustats.inpkts;
                n_outpkts = s->ustats.outpkts;
@@ -75,81 +114,64 @@ static void estimation_timer(unsigned long arg)
                n_outbytes = s->ustats.outbytes;
                /* scaled by 2^10, but divided 2 seconds */
-                rate = (n_conns - e->last_conns)<<9;
+                rate = (n_conns - e->last_conns) << 9;
                e->last_conns = n_conns;
-                e->cps += ((long)rate - (long)e->cps)>>2;
+                e->cps += ((long)rate - (long)e->cps) >> 2;
-                s->ustats.cps = (e->cps+0x1FF)>>10;
-                rate = (n_inpkts - e->last_inpkts)<<9;
+                rate = (n_inpkts - e->last_inpkts) << 9;
                e->last_inpkts = n_inpkts;
-                e->inpps += ((long)rate - (long)e->inpps)>>2;
+                e->inpps += ((long)rate - (long)e->inpps) >> 2;
-                s->ustats.inpps = (e->inpps+0x1FF)>>10;
-                rate = (n_outpkts - e->last_outpkts)<<9;
+                rate = (n_outpkts - e->last_outpkts) << 9;
                e->last_outpkts = n_outpkts;
-                e->outpps += ((long)rate - (long)e->outpps)>>2;
+                e->outpps += ((long)rate - (long)e->outpps) >> 2;
-                s->ustats.outpps = (e->outpps+0x1FF)>>10;
-                rate = (n_inbytes - e->last_inbytes)<<4;
+                rate = (n_inbytes - e->last_inbytes) << 4;
                e->last_inbytes = n_inbytes;
-                e->inbps += ((long)rate - (long)e->inbps)>>2;
+                e->inbps += ((long)rate - (long)e->inbps) >> 2;
-                s->ustats.inbps = (e->inbps+0xF)>>5;
-                rate = (n_outbytes - e->last_outbytes)<<4;
+                rate = (n_outbytes - e->last_outbytes) << 4;
                e->last_outbytes = n_outbytes;
-                e->outbps += ((long)rate - (long)e->outbps)>>2;
+                e->outbps += ((long)rate - (long)e->outbps) >> 2;
-                s->ustats.outbps = (e->outbps+0xF)>>5;
                spin_unlock(&s->lock);
        }
-        spin_unlock(&est_lock);
+        spin_unlock(&ipvs->est_lock);
-        mod_timer(&est_timer, jiffies + 2*HZ);
+        mod_timer(&ipvs->est_timer, jiffies + 2*HZ);
 }
-void ip_vs_new_estimator(struct ip_vs_stats *stats)
+void ip_vs_start_estimator(struct net *net, struct ip_vs_stats *stats)
 {
+        struct netns_ipvs *ipvs = net_ipvs(net);
        struct ip_vs_estimator *est = &stats->est;
        INIT_LIST_HEAD(&est->list);
-        est->last_conns = stats->ustats.conns;
+        spin_lock_bh(&ipvs->est_lock);
-        est->cps = stats->ustats.cps<<10;
+        list_add(&est->list, &ipvs->est_list);
+        spin_unlock_bh(&ipvs->est_lock);
-        est->last_inpkts = stats->ustats.inpkts;
-        est->inpps = stats->ustats.inpps<<10;
-        est->last_outpkts = stats->ustats.outpkts;
-        est->outpps = stats->ustats.outpps<<10;
-        est->last_inbytes = stats->ustats.inbytes;
-        est->inbps = stats->ustats.inbps<<5;
-        est->last_outbytes = stats->ustats.outbytes;
-        est->outbps = stats->ustats.outbps<<5;
-        spin_lock_bh(&est_lock);
-        list_add(&est->list, &est_list);
-        spin_unlock_bh(&est_lock);
 }
-void ip_vs_kill_estimator(struct ip_vs_stats *stats)
+void ip_vs_stop_estimator(struct net *net, struct ip_vs_stats *stats)
 {
+        struct netns_ipvs *ipvs = net_ipvs(net);
        struct ip_vs_estimator *est = &stats->est;
-        spin_lock_bh(&est_lock);
+        spin_lock_bh(&ipvs->est_lock);
        list_del(&est->list);
-        spin_unlock_bh(&est_lock);
+        spin_unlock_bh(&ipvs->est_lock);
 }
 void ip_vs_zero_estimator(struct ip_vs_stats *stats)
 {
        struct ip_vs_estimator *est = &stats->est;
+        struct ip_vs_stats_user *u = &stats->ustats;
-        /* set counters zero, caller must hold the stats->lock lock */
-        est->last_inbytes = 0;
+        /* reset counters, caller must hold the stats->lock lock */
-        est->last_outbytes = 0;
+        est->last_inbytes = u->inbytes;
-        est->last_conns = 0;
+        est->last_outbytes = u->outbytes;
-        est->last_inpkts = 0;
+        est->last_conns = u->conns;
-        est->last_outpkts = 0;
+        est->last_inpkts = u->inpkts;
+        est->last_outpkts = u->outpkts;
        est->cps = 0;
        est->inpps = 0;
        est->outpps = 0;
@@ -157,13 +179,40 @@ void ip_vs_zero_estimator(struct ip_vs_stats *stats)
        est->outbps = 0;
 }
+/* Get decoded rates */
+void ip_vs_read_estimator(struct ip_vs_stats_user *dst,
+                          struct ip_vs_stats *stats)
+{
+        struct ip_vs_estimator *e = &stats->est;
+        dst->cps = (e->cps + 0x1FF) >> 10;
+        dst->inpps = (e->inpps + 0x1FF) >> 10;
+        dst->outpps = (e->outpps + 0x1FF) >> 10;
+        dst->inbps = (e->inbps + 0xF) >> 5;
+        dst->outbps = (e->outbps + 0xF) >> 5;
+}
+int __net_init __ip_vs_estimator_init(struct net *net)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        INIT_LIST_HEAD(&ipvs->est_list);
+        spin_lock_init(&ipvs->est_lock);
+        setup_timer(&ipvs->est_timer, estimation_timer, (unsigned long)net);
+        mod_timer(&ipvs->est_timer, jiffies + 2 * HZ);
+        return 0;
+}
+void __net_exit __ip_vs_estimator_cleanup(struct net *net)
+{
+        del_timer_sync(&net_ipvs(net)->est_timer);
+}
 int __init ip_vs_estimator_init(void)
 {
-        mod_timer(&est_timer, jiffies + 2 * HZ);
        return 0;
 }
 void ip_vs_estimator_cleanup(void)
 {
-        del_timer_sync(&est_timer);
 }
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
index 75455000ad1c..6b5dd6ddaae9 100644
--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -157,6 +157,7 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
        int ret = 0;
        enum ip_conntrack_info ctinfo;
        struct nf_conn *ct;
+        struct net *net;
 #ifdef CONFIG_IP_VS_IPV6
        /* This application helper doesn't work with IPv6 yet,
@@ -197,18 +198,20 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
                 */
                {
                        struct ip_vs_conn_param p;
-                        ip_vs_conn_fill_param(AF_INET, iph->protocol,
+                        ip_vs_conn_fill_param(ip_vs_conn_net(cp), AF_INET,
-                                              &from, port, &cp->caddr, 0, &p);
+                                              iph->protocol, &from, port,
+                                              &cp->caddr, 0, &p);
                        n_cp = ip_vs_conn_out_get(&p);
                }
                if (!n_cp) {
                        struct ip_vs_conn_param p;
-                        ip_vs_conn_fill_param(AF_INET, IPPROTO_TCP, &cp->caddr,
+                        ip_vs_conn_fill_param(ip_vs_conn_net(cp),
+                                              AF_INET, IPPROTO_TCP, &cp->caddr,
                                              0, &cp->vaddr, port, &p);
                        n_cp = ip_vs_conn_new(&p, &from, port,
                                              IP_VS_CONN_F_NO_CPORT |
                                              IP_VS_CONN_F_NFCT,
-                                              cp->dest);
+                                              cp->dest, skb->mark);
                        if (!n_cp)
                                return 0;
@@ -257,8 +260,9 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
                 * would be adjusted twice.
                 */
+                net = skb_net(skb);
                cp->app_data = NULL;
-                ip_vs_tcp_conn_listen(n_cp);
+                ip_vs_tcp_conn_listen(net, n_cp);
                ip_vs_conn_put(n_cp);
                return ret;
        }
@@ -287,6 +291,7 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
        union nf_inet_addr to;
        __be16 port;
        struct ip_vs_conn *n_cp;
+        struct net *net;
 #ifdef CONFIG_IP_VS_IPV6
        /* This application helper doesn't work with IPv6 yet,
@@ -358,14 +363,15 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
        {
                struct ip_vs_conn_param p;
-                ip_vs_conn_fill_param(AF_INET, iph->protocol, &to, port,
+                ip_vs_conn_fill_param(ip_vs_conn_net(cp), AF_INET,
-                                      &cp->vaddr, htons(ntohs(cp->vport)-1),
+                                      iph->protocol, &to, port, &cp->vaddr,
-                                      &p);
+                                      htons(ntohs(cp->vport)-1), &p);
                n_cp = ip_vs_conn_in_get(&p);
                if (!n_cp) {
                        n_cp = ip_vs_conn_new(&p, &cp->daddr,
                                              htons(ntohs(cp->dport)-1),
-                                              IP_VS_CONN_F_NFCT, cp->dest);
+                                              IP_VS_CONN_F_NFCT, cp->dest,
+                                              skb->mark);
                        if (!n_cp)
                                return 0;
@@ -377,7 +383,8 @@ static int ip_vs_ftp_in(struct ip_vs_app *app, struct ip_vs_conn *cp,
        /*
         *      Move tunnel to listen state
         */
-        ip_vs_tcp_conn_listen(n_cp);
+        net = skb_net(skb);
+        ip_vs_tcp_conn_listen(net, n_cp);
        ip_vs_conn_put(n_cp);
        return 1;
@@ -398,23 +405,22 @@ static struct ip_vs_app ip_vs_ftp = {
        .pkt_in =       ip_vs_ftp_in,
 };
 /*
- *      ip_vs_ftp initialization
+ *      per netns ip_vs_ftp initialization
 */
-static int __init ip_vs_ftp_init(void)
+static int __net_init __ip_vs_ftp_init(struct net *net)
 {
        int i, ret;
        struct ip_vs_app *app = &ip_vs_ftp;
-        ret = register_ip_vs_app(app);
+        ret = register_ip_vs_app(net, app);
        if (ret)
                return ret;
        for (i=0; i<IP_VS_APP_MAX_PORTS; i++) {
                if (!ports[i])
                        continue;
-                ret = register_ip_vs_app_inc(app, app->protocol, ports[i]);
+                ret = register_ip_vs_app_inc(net, app, app->protocol, ports[i]);
                if (ret)
                        break;
                pr_info("%s: loaded support on port[%d] = %d\n",
@@ -422,18 +428,39 @@ static int __init ip_vs_ftp_init(void)
        }
        if (ret)
-                unregister_ip_vs_app(app);
+                unregister_ip_vs_app(net, app);
        return ret;
 }
+/*
+ *      netns exit
+ */
+static void __ip_vs_ftp_exit(struct net *net)
+{
+        struct ip_vs_app *app = &ip_vs_ftp;
+        unregister_ip_vs_app(net, app);
+}
+static struct pernet_operations ip_vs_ftp_ops = {
+        .init = __ip_vs_ftp_init,
+        .exit = __ip_vs_ftp_exit,
+};
+int __init ip_vs_ftp_init(void)
+{
+        int rv;
+        rv = register_pernet_subsys(&ip_vs_ftp_ops);
+        return rv;
+}
 /*
 *      ip_vs_ftp finish.
 */
 static void __exit ip_vs_ftp_exit(void)
 {
-        unregister_ip_vs_app(&ip_vs_ftp);
+        unregister_pernet_subsys(&ip_vs_ftp_ops);
 }
diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
index 9323f8944199..87e40ea77a95 100644
--- a/net/netfilter/ipvs/ip_vs_lblc.c
+++ b/net/netfilter/ipvs/ip_vs_lblc.c
@@ -63,6 +63,8 @@
 #define CHECK_EXPIRE_INTERVAL   (60*HZ)
 #define ENTRY_TIMEOUT           (6*60*HZ)
+#define DEFAULT_EXPIRATION      (24*60*60*HZ)
 /*
 *    It is for full expiration check.
 *    When there is no partial expiration check (garbage collection)
@@ -70,7 +72,6 @@
 *    entries that haven't been touched for a day.
 */
 #define COUNT_FOR_FULL_EXPIRATION   30
-static int sysctl_ip_vs_lblc_expiration = 24*60*60*HZ;
 /*
@@ -113,25 +114,24 @@ struct ip_vs_lblc_table {
 /*
 *      IPVS LBLC sysctl table
 */
+#ifdef CONFIG_SYSCTL
 static ctl_table vs_vars_table[] = {
        {
                .procname       = "lblc_expiration",
-                .data           = &sysctl_ip_vs_lblc_expiration,
+                .data           = NULL,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = proc_dointvec_jiffies,
        },
        { }
 };
+#endif
-static struct ctl_table_header * sysctl_header;
 static inline void ip_vs_lblc_free(struct ip_vs_lblc_entry *en)
 {
        list_del(&en->list);
        /*
-         * We don't kfree dest because it is refered either by its service
+         * We don't kfree dest because it is referred either by its service
         * or the trash dest list.
         */
        atomic_dec(&en->dest->refcnt);
@@ -241,6 +241,15 @@ static void ip_vs_lblc_flush(struct ip_vs_lblc_table *tbl)
        }
 }
+static int sysctl_lblc_expiration(struct ip_vs_service *svc)
+{
+#ifdef CONFIG_SYSCTL
+        struct netns_ipvs *ipvs = net_ipvs(svc->net);
+        return ipvs->sysctl_lblc_expiration;
+#else
+        return DEFAULT_EXPIRATION;
+#endif
+}
 static inline void ip_vs_lblc_full_check(struct ip_vs_service *svc)
 {
@@ -255,7 +264,8 @@ static inline void ip_vs_lblc_full_check(struct ip_vs_service *svc)
                write_lock(&svc->sched_lock);
                list_for_each_entry_safe(en, nxt, &tbl->bucket[j], list) {
                        if (time_before(now,
-                                        en->lastuse + sysctl_ip_vs_lblc_expiration))
+                                        en->lastuse +
+                                        sysctl_lblc_expiration(svc)))
                                continue;
                        ip_vs_lblc_free(en);
@@ -390,12 +400,7 @@ __ip_vs_lblc_schedule(struct ip_vs_service *svc)
        int loh, doh;
        /*
-         * We think the overhead of processing active connections is fifty
+         * We use the following formula to estimate the load:
-         * times higher than that of inactive connections in average. (This
-         * fifty times might not be accurate, we will change it later.) We
-         * use the following formula to estimate the overhead:
-         *                dest->activeconns*50 + dest->inactconns
-         * and the load:
         *                (dest overhead) / dest->weight
         *
         * Remember -- no floats in kernel mode!!!
@@ -411,8 +416,7 @@ __ip_vs_lblc_schedule(struct ip_vs_service *svc)
                        continue;
                if (atomic_read(&dest->weight) > 0) {
                        least = dest;
-                        loh = atomic_read(&least->activeconns) * 50
+                        loh = ip_vs_dest_conn_overhead(least);
-                                + atomic_read(&least->inactconns);
                        goto nextstage;
                }
        }
@@ -426,8 +430,7 @@ __ip_vs_lblc_schedule(struct ip_vs_service *svc)
                if (dest->flags & IP_VS_DEST_F_OVERLOAD)
                        continue;
-                doh = atomic_read(&dest->activeconns) * 50
+                doh = ip_vs_dest_conn_overhead(dest);
-                        + atomic_read(&dest->inactconns);
                if (loh * atomic_read(&dest->weight) >
                    doh * atomic_read(&least->weight)) {
                        least = dest;
@@ -511,7 +514,7 @@ ip_vs_lblc_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
        /* No cache entry or it is invalid, time to schedule */
        dest = __ip_vs_lblc_schedule(svc);
        if (!dest) {
-                IP_VS_ERR_RL("LBLC: no destination available\n");
+                ip_vs_scheduler_err(svc, "no destination available");
                return NULL;
        }
@@ -543,23 +546,77 @@ static struct ip_vs_scheduler ip_vs_lblc_scheduler =
        .schedule =             ip_vs_lblc_schedule,
 };
+/*
+ *  per netns init.
+ */
+#ifdef CONFIG_SYSCTL
+static int __net_init __ip_vs_lblc_init(struct net *net)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        if (!net_eq(net, &init_net)) {
+                ipvs->lblc_ctl_table = kmemdup(vs_vars_table,
+                                                sizeof(vs_vars_table),
+                                                GFP_KERNEL);
+                if (ipvs->lblc_ctl_table == NULL)
+                        return -ENOMEM;
+        } else
+                ipvs->lblc_ctl_table = vs_vars_table;
+        ipvs->sysctl_lblc_expiration = DEFAULT_EXPIRATION;
+        ipvs->lblc_ctl_table[0].data = &ipvs->sysctl_lblc_expiration;
+        ipvs->lblc_ctl_header =
+                register_net_sysctl_table(net, net_vs_ctl_path,
+                                          ipvs->lblc_ctl_table);
+        if (!ipvs->lblc_ctl_header) {
+                if (!net_eq(net, &init_net))
+                        kfree(ipvs->lblc_ctl_table);
+                return -ENOMEM;
+        }
+        return 0;
+}
+static void __net_exit __ip_vs_lblc_exit(struct net *net)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        unregister_net_sysctl_table(ipvs->lblc_ctl_header);
+        if (!net_eq(net, &init_net))
+                kfree(ipvs->lblc_ctl_table);
+}
+#else
+static int __net_init __ip_vs_lblc_init(struct net *net) { return 0; }
+static void __net_exit __ip_vs_lblc_exit(struct net *net) { }
+#endif
+static struct pernet_operations ip_vs_lblc_ops = {
+        .init = __ip_vs_lblc_init,
+        .exit = __ip_vs_lblc_exit,
+};
 static int __init ip_vs_lblc_init(void)
 {
        int ret;
-        sysctl_header = register_sysctl_paths(net_vs_ctl_path, vs_vars_table);
+        ret = register_pernet_subsys(&ip_vs_lblc_ops);
+        if (ret)
+                return ret;
        ret = register_ip_vs_scheduler(&ip_vs_lblc_scheduler);
        if (ret)
-                unregister_sysctl_table(sysctl_header);
+                unregister_pernet_subsys(&ip_vs_lblc_ops);
        return ret;
 }
 static void __exit ip_vs_lblc_cleanup(void)
 {
-        unregister_sysctl_table(sysctl_header);
        unregister_ip_vs_scheduler(&ip_vs_lblc_scheduler);
+        unregister_pernet_subsys(&ip_vs_lblc_ops);
 }
diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c
index dbeed8ea421a..90f618ab6dda 100644
--- a/net/netfilter/ipvs/ip_vs_lblcr.c
+++ b/net/netfilter/ipvs/ip_vs_lblcr.c
@@ -63,6 +63,8 @@
 #define CHECK_EXPIRE_INTERVAL   (60*HZ)
 #define ENTRY_TIMEOUT           (6*60*HZ)
+#define DEFAULT_EXPIRATION      (24*60*60*HZ)
 /*
 *    It is for full expiration check.
 *    When there is no partial expiration check (garbage collection)
@@ -70,8 +72,6 @@
 *    entries that haven't been touched for a day.
 */
 #define COUNT_FOR_FULL_EXPIRATION   30
-static int sysctl_ip_vs_lblcr_expiration = 24*60*60*HZ;
 /*
 *     for IPVS lblcr entry hash table
@@ -152,7 +152,7 @@ static void ip_vs_dest_set_eraseall(struct ip_vs_dest_set *set)
        write_lock(&set->lock);
        list_for_each_entry_safe(e, ep, &set->list, list) {
                /*
-                 * We don't kfree dest because it is refered either
+                 * We don't kfree dest because it is referred either
                 * by its service or by the trash dest list.
                 */
                atomic_dec(&e->dest->refcnt);
@@ -180,8 +180,7 @@ static inline struct ip_vs_dest *ip_vs_dest_set_min(struct ip_vs_dest_set *set)
                if ((atomic_read(&least->weight) > 0)
                    && (least->flags & IP_VS_DEST_F_AVAILABLE)) {
-                        loh = atomic_read(&least->activeconns) * 50
+                        loh = ip_vs_dest_conn_overhead(least);
-                                + atomic_read(&least->inactconns);
                        goto nextstage;
                }
        }
@@ -194,8 +193,7 @@ static inline struct ip_vs_dest *ip_vs_dest_set_min(struct ip_vs_dest_set *set)
                if (dest->flags & IP_VS_DEST_F_OVERLOAD)
                        continue;
-                doh = atomic_read(&dest->activeconns) * 50
+                doh = ip_vs_dest_conn_overhead(dest);
-                        + atomic_read(&dest->inactconns);
                if ((loh * atomic_read(&dest->weight) >
                     doh * atomic_read(&least->weight))
                    && (dest->flags & IP_VS_DEST_F_AVAILABLE)) {
@@ -230,8 +228,7 @@ static inline struct ip_vs_dest *ip_vs_dest_set_max(struct ip_vs_dest_set *set)
        list_for_each_entry(e, &set->list, list) {
                most = e->dest;
                if (atomic_read(&most->weight) > 0) {
-                        moh = atomic_read(&most->activeconns) * 50
+                        moh = ip_vs_dest_conn_overhead(most);
-                                + atomic_read(&most->inactconns);
                        goto nextstage;
                }
        }
@@ -241,8 +238,7 @@ static inline struct ip_vs_dest *ip_vs_dest_set_max(struct ip_vs_dest_set *set)
  nextstage:
        list_for_each_entry(e, &set->list, list) {
                dest = e->dest;
-                doh = atomic_read(&dest->activeconns) * 50
+                doh = ip_vs_dest_conn_overhead(dest);
-                        + atomic_read(&dest->inactconns);
                /* moh/mw < doh/dw ==> moh*dw < doh*mw, where mw,dw>0 */
                if ((moh * atomic_read(&dest->weight) <
                     doh * atomic_read(&most->weight))
@@ -289,6 +285,7 @@ struct ip_vs_lblcr_table {
 };
+#ifdef CONFIG_SYSCTL
 /*
 *      IPVS LBLCR sysctl table
 */
@@ -296,15 +293,14 @@ struct ip_vs_lblcr_table {
 static ctl_table vs_vars_table[] = {
        {
                .procname       = "lblcr_expiration",
-                .data           = &sysctl_ip_vs_lblcr_expiration,
+                .data           = NULL,
                .maxlen         = sizeof(int),
                .mode           = 0644,
                .proc_handler   = proc_dointvec_jiffies,
        },
        { }
 };
+#endif
-static struct ctl_table_header * sysctl_header;
 static inline void ip_vs_lblcr_free(struct ip_vs_lblcr_entry *en)
 {
@@ -418,6 +414,15 @@ static void ip_vs_lblcr_flush(struct ip_vs_lblcr_table *tbl)
        }
 }
+static int sysctl_lblcr_expiration(struct ip_vs_service *svc)
+{
+#ifdef CONFIG_SYSCTL
+        struct netns_ipvs *ipvs = net_ipvs(svc->net);
+        return ipvs->sysctl_lblcr_expiration;
+#else
+        return DEFAULT_EXPIRATION;
+#endif
+}
 static inline void ip_vs_lblcr_full_check(struct ip_vs_service *svc)
 {
@@ -431,8 +436,8 @@ static inline void ip_vs_lblcr_full_check(struct ip_vs_service *svc)
                write_lock(&svc->sched_lock);
                list_for_each_entry_safe(en, nxt, &tbl->bucket[j], list) {
-                        if (time_after(en->lastuse+sysctl_ip_vs_lblcr_expiration,
+                        if (time_after(en->lastuse +
-                                       now))
+                                       sysctl_lblcr_expiration(svc), now))
                                continue;
                        ip_vs_lblcr_free(en);
@@ -566,12 +571,7 @@ __ip_vs_lblcr_schedule(struct ip_vs_service *svc)
        int loh, doh;
        /*
-         * We think the overhead of processing active connections is fifty
+         * We use the following formula to estimate the load:
-         * times higher than that of inactive connections in average. (This
-         * fifty times might not be accurate, we will change it later.) We
-         * use the following formula to estimate the overhead:
-         *                dest->activeconns*50 + dest->inactconns
-         * and the load:
         *                (dest overhead) / dest->weight
         *
         * Remember -- no floats in kernel mode!!!
@@ -588,8 +588,7 @@ __ip_vs_lblcr_schedule(struct ip_vs_service *svc)
                if (atomic_read(&dest->weight) > 0) {
                        least = dest;
-                        loh = atomic_read(&least->activeconns) * 50
+                        loh = ip_vs_dest_conn_overhead(least);
-                                + atomic_read(&least->inactconns);
                        goto nextstage;
                }
        }
@@ -603,8 +602,7 @@ __ip_vs_lblcr_schedule(struct ip_vs_service *svc)
                if (dest->flags & IP_VS_DEST_F_OVERLOAD)
                        continue;
-                doh = atomic_read(&dest->activeconns) * 50
+                doh = ip_vs_dest_conn_overhead(dest);
-                        + atomic_read(&dest->inactconns);
                if (loh * atomic_read(&dest->weight) >
                    doh * atomic_read(&least->weight)) {
                        least = dest;
@@ -675,7 +673,7 @@ ip_vs_lblcr_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
                /* More than one destination + enough time passed by, cleanup */
                if (atomic_read(&en->set.size) > 1 &&
                                time_after(jiffies, en->set.lastmod +
-                                sysctl_ip_vs_lblcr_expiration)) {
+                                sysctl_lblcr_expiration(svc))) {
                        struct ip_vs_dest *m;
                        write_lock(&en->set.lock);
@@ -694,7 +692,7 @@ ip_vs_lblcr_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
                /* The cache entry is invalid, time to schedule */
                dest = __ip_vs_lblcr_schedule(svc);
                if (!dest) {
-                        IP_VS_ERR_RL("LBLCR: no destination available\n");
+                        ip_vs_scheduler_err(svc, "no destination available");
                        read_unlock(&svc->sched_lock);
                        return NULL;
                }
@@ -744,23 +742,77 @@ static struct ip_vs_scheduler ip_vs_lblcr_scheduler =
        .schedule =             ip_vs_lblcr_schedule,
 };
+/*
+ *  per netns init.
+ */
+#ifdef CONFIG_SYSCTL
+static int __net_init __ip_vs_lblcr_init(struct net *net)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        if (!net_eq(net, &init_net)) {
+                ipvs->lblcr_ctl_table = kmemdup(vs_vars_table,
+                                                sizeof(vs_vars_table),
+                                                GFP_KERNEL);
+                if (ipvs->lblcr_ctl_table == NULL)
+                        return -ENOMEM;
+        } else
+                ipvs->lblcr_ctl_table = vs_vars_table;
+        ipvs->sysctl_lblcr_expiration = DEFAULT_EXPIRATION;
+        ipvs->lblcr_ctl_table[0].data = &ipvs->sysctl_lblcr_expiration;
+        ipvs->lblcr_ctl_header =
+                register_net_sysctl_table(net, net_vs_ctl_path,
+                                          ipvs->lblcr_ctl_table);
+        if (!ipvs->lblcr_ctl_header) {
+                if (!net_eq(net, &init_net))
+                        kfree(ipvs->lblcr_ctl_table);
+                return -ENOMEM;
+        }
+        return 0;
+}
+static void __net_exit __ip_vs_lblcr_exit(struct net *net)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        unregister_net_sysctl_table(ipvs->lblcr_ctl_header);
+        if (!net_eq(net, &init_net))
+                kfree(ipvs->lblcr_ctl_table);
+}
+#else
+static int __net_init __ip_vs_lblcr_init(struct net *net) { return 0; }
+static void __net_exit __ip_vs_lblcr_exit(struct net *net) { }
+#endif
+static struct pernet_operations ip_vs_lblcr_ops = {
+        .init = __ip_vs_lblcr_init,
+        .exit = __ip_vs_lblcr_exit,
+};
 static int __init ip_vs_lblcr_init(void)
 {
        int ret;
-        sysctl_header = register_sysctl_paths(net_vs_ctl_path, vs_vars_table);
+        ret = register_pernet_subsys(&ip_vs_lblcr_ops);
+        if (ret)
+                return ret;
        ret = register_ip_vs_scheduler(&ip_vs_lblcr_scheduler);
        if (ret)
-                unregister_sysctl_table(sysctl_header);
+                unregister_pernet_subsys(&ip_vs_lblcr_ops);
        return ret;
 }
 static void __exit ip_vs_lblcr_cleanup(void)
 {
-        unregister_sysctl_table(sysctl_header);
        unregister_ip_vs_scheduler(&ip_vs_lblcr_scheduler);
+        unregister_pernet_subsys(&ip_vs_lblcr_ops);
 }
diff --git a/net/netfilter/ipvs/ip_vs_lc.c b/net/netfilter/ipvs/ip_vs_lc.c
index 4f69db1fac56..f391819c0cca 100644
--- a/net/netfilter/ipvs/ip_vs_lc.c
+++ b/net/netfilter/ipvs/ip_vs_lc.c
@@ -22,22 +22,6 @@
 #include <net/ip_vs.h>
-static inline unsigned int
-ip_vs_lc_dest_overhead(struct ip_vs_dest *dest)
-{
-        /*
-         * We think the overhead of processing active connections is 256
-         * times higher than that of inactive connections in average. (This
-         * 256 times might not be accurate, we will change it later) We
-         * use the following formula to estimate the overhead now:
-         *                dest->activeconns*256 + dest->inactconns
-         */
-        return (atomic_read(&dest->activeconns) << 8) +
-                atomic_read(&dest->inactconns);
-}
 /*
 *      Least Connection scheduling
 */
@@ -62,7 +46,7 @@ ip_vs_lc_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
                if ((dest->flags & IP_VS_DEST_F_OVERLOAD) ||
                    atomic_read(&dest->weight) == 0)
                        continue;
-                doh = ip_vs_lc_dest_overhead(dest);
+                doh = ip_vs_dest_conn_overhead(dest);
                if (!least || doh < loh) {
                        least = dest;
                        loh = doh;
@@ -70,7 +54,7 @@ ip_vs_lc_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
        }
        if (!least)
-                IP_VS_ERR_RL("LC: no destination available\n");
+                ip_vs_scheduler_err(svc, "no destination available");
        else
                IP_VS_DBG_BUF(6, "LC: server %s:%u activeconns %d "
                              "inactconns %d\n",
diff --git a/net/netfilter/ipvs/ip_vs_nfct.c b/net/netfilter/ipvs/ip_vs_nfct.c
index 4680647cd450..f454c80df0a7 100644
--- a/net/netfilter/ipvs/ip_vs_nfct.c
+++ b/net/netfilter/ipvs/ip_vs_nfct.c
@@ -141,6 +141,7 @@ static void ip_vs_nfct_expect_callback(struct nf_conn *ct,
        struct nf_conntrack_tuple *orig, new_reply;
        struct ip_vs_conn *cp;
        struct ip_vs_conn_param p;
+        struct net *net = nf_ct_net(ct);
        if (exp->tuple.src.l3num != PF_INET)
                return;
@@ -155,7 +156,7 @@ static void ip_vs_nfct_expect_callback(struct nf_conn *ct,
        /* RS->CLIENT */
        orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
-        ip_vs_conn_fill_param(exp->tuple.src.l3num, orig->dst.protonum,
+        ip_vs_conn_fill_param(net, exp->tuple.src.l3num, orig->dst.protonum,
                              &orig->src.u3, orig->src.u.tcp.port,
                              &orig->dst.u3, orig->dst.u.tcp.port, &p);
        cp = ip_vs_conn_out_get(&p);
@@ -268,7 +269,8 @@ void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp)
                " for conn " FMT_CONN "\n",
                __func__, ARG_TUPLE(&tuple), ARG_CONN(cp));
-        h = nf_conntrack_find_get(&init_net, NF_CT_DEFAULT_ZONE, &tuple);
+        h = nf_conntrack_find_get(ip_vs_conn_net(cp), NF_CT_DEFAULT_ZONE,
+                                  &tuple);
        if (h) {
                ct = nf_ct_tuplehash_to_ctrack(h);
                /* Show what happens instead of calling nf_ct_kill() */
diff --git a/net/netfilter/ipvs/ip_vs_nq.c b/net/netfilter/ipvs/ip_vs_nq.c
index c413e1830823..984d9c137d84 100644
--- a/net/netfilter/ipvs/ip_vs_nq.c
+++ b/net/netfilter/ipvs/ip_vs_nq.c
@@ -99,7 +99,7 @@ ip_vs_nq_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
        }
        if (!least) {
-                IP_VS_ERR_RL("NQ: no destination available\n");
+                ip_vs_scheduler_err(svc, "no destination available");
                return NULL;
        }
diff --git a/net/netfilter/ipvs/ip_vs_pe.c b/net/netfilter/ipvs/ip_vs_pe.c
index 3414af70ee12..5cf859ccb31b 100644
--- a/net/netfilter/ipvs/ip_vs_pe.c
+++ b/net/netfilter/ipvs/ip_vs_pe.c
@@ -29,12 +29,11 @@ void ip_vs_unbind_pe(struct ip_vs_service *svc)
 }
 /* Get pe in the pe list by name */
-static struct ip_vs_pe *
+struct ip_vs_pe *__ip_vs_pe_getbyname(const char *pe_name)
-ip_vs_pe_getbyname(const char *pe_name)
 {
        struct ip_vs_pe *pe;
-        IP_VS_DBG(2, "%s(): pe_name \"%s\"\n", __func__,
+        IP_VS_DBG(10, "%s(): pe_name \"%s\"\n", __func__,
                  pe_name);
        spin_lock_bh(&ip_vs_pe_lock);
@@ -60,28 +59,22 @@ ip_vs_pe_getbyname(const char *pe_name)
 }
 /* Lookup pe and try to load it if it doesn't exist */
-struct ip_vs_pe *ip_vs_pe_get(const char *name)
+struct ip_vs_pe *ip_vs_pe_getbyname(const char *name)
 {
        struct ip_vs_pe *pe;
        /* Search for the pe by name */
-        pe = ip_vs_pe_getbyname(name);
+        pe = __ip_vs_pe_getbyname(name);
        /* If pe not found, load the module and search again */
        if (!pe) {
                request_module("ip_vs_pe_%s", name);
-                pe = ip_vs_pe_getbyname(name);
+                pe = __ip_vs_pe_getbyname(name);
        }
        return pe;
 }
-void ip_vs_pe_put(struct ip_vs_pe *pe)
-{
-        if (pe && pe->module)
-                module_put(pe->module);
-}
 /* Register a pe in the pe list */
 int register_ip_vs_pe(struct ip_vs_pe *pe)
 {
diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c b/net/netfilter/ipvs/ip_vs_pe_sip.c
index b8b4e9620f3e..13d607ae9c52 100644
--- a/net/netfilter/ipvs/ip_vs_pe_sip.c
+++ b/net/netfilter/ipvs/ip_vs_pe_sip.c
@@ -71,6 +71,7 @@ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb)
        struct ip_vs_iphdr iph;
        unsigned int dataoff, datalen, matchoff, matchlen;
        const char *dptr;
+        int retc;
        ip_vs_fill_iphdr(p->af, skb_network_header(skb), &iph);
@@ -83,20 +84,21 @@ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb)
        if (dataoff >= skb->len)
                return -EINVAL;
+        if ((retc=skb_linearize(skb)) < 0)
+                return retc;
        dptr = skb->data + dataoff;
        datalen = skb->len - dataoff;
        if (get_callid(dptr, dataoff, datalen, &matchoff, &matchlen))
                return -EINVAL;
-        p->pe_data = kmalloc(matchlen, GFP_ATOMIC);
-        if (!p->pe_data)
-                return -ENOMEM;
        /* N.B: pe_data is only set on success,
         * this allows fallback to the default persistence logic on failure
         */
-        memcpy(p->pe_data, dptr + matchoff, matchlen);
+        p->pe_data = kmemdup(dptr + matchoff, matchlen, GFP_ATOMIC);
+        if (!p->pe_data)
+                return -ENOMEM;
        p->pe_data_len = matchlen;
        return 0;
diff --git a/net/netfilter/ipvs/ip_vs_proto.c b/net/netfilter/ipvs/ip_vs_proto.c
index c53998390877..eb86028536fc 100644
--- a/net/netfilter/ipvs/ip_vs_proto.c
+++ b/net/netfilter/ipvs/ip_vs_proto.c
@@ -60,6 +60,35 @@ static int __used __init register_ip_vs_protocol(struct ip_vs_protocol *pp)
        return 0;
 }
+#if defined(CONFIG_IP_VS_PROTO_TCP) || defined(CONFIG_IP_VS_PROTO_UDP) || \
+    defined(CONFIG_IP_VS_PROTO_SCTP) || defined(CONFIG_IP_VS_PROTO_AH) || \
+    defined(CONFIG_IP_VS_PROTO_ESP)
+/*
+ *      register an ipvs protocols netns related data
+ */
+static int
+register_ip_vs_proto_netns(struct net *net, struct ip_vs_protocol *pp)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        unsigned hash = IP_VS_PROTO_HASH(pp->protocol);
+        struct ip_vs_proto_data *pd =
+                        kzalloc(sizeof(struct ip_vs_proto_data), GFP_ATOMIC);
+        if (!pd) {
+                pr_err("%s(): no memory.\n", __func__);
+                return -ENOMEM;
+        }
+        pd->pp = pp;    /* For speed issues */
+        pd->next = ipvs->proto_data_table[hash];
+        ipvs->proto_data_table[hash] = pd;
+        atomic_set(&pd->appcnt, 0);     /* Init app counter */
+        if (pp->init_netns != NULL)
+                pp->init_netns(net, pd);
+        return 0;
+}
+#endif
 /*
 *      unregister an ipvs protocol
@@ -82,6 +111,29 @@ static int unregister_ip_vs_protocol(struct ip_vs_protocol *pp)
        return -ESRCH;
 }
+/*
+ *      unregister an ipvs protocols netns data
+ */
+static int
+unregister_ip_vs_proto_netns(struct net *net, struct ip_vs_proto_data *pd)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        struct ip_vs_proto_data **pd_p;
+        unsigned hash = IP_VS_PROTO_HASH(pd->pp->protocol);
+        pd_p = &ipvs->proto_data_table[hash];
+        for (; *pd_p; pd_p = &(*pd_p)->next) {
+                if (*pd_p == pd) {
+                        *pd_p = pd->next;
+                        if (pd->pp->exit_netns != NULL)
+                                pd->pp->exit_netns(net, pd);
+                        kfree(pd);
+                        return 0;
+                }
+        }
+        return -ESRCH;
+}
 /*
 *      get ip_vs_protocol object by its proto.
@@ -100,19 +152,44 @@ struct ip_vs_protocol * ip_vs_proto_get(unsigned short proto)
 }
 EXPORT_SYMBOL(ip_vs_proto_get);
+/*
+ *      get ip_vs_protocol object data by netns and proto
+ */
+struct ip_vs_proto_data *
+__ipvs_proto_data_get(struct netns_ipvs *ipvs, unsigned short proto)
+{
+        struct ip_vs_proto_data *pd;
+        unsigned hash = IP_VS_PROTO_HASH(proto);
+        for (pd = ipvs->proto_data_table[hash]; pd; pd = pd->next) {
+                if (pd->pp->protocol == proto)
+                        return pd;
+        }
+        return NULL;
+}
+struct ip_vs_proto_data *
+ip_vs_proto_data_get(struct net *net, unsigned short proto)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        return __ipvs_proto_data_get(ipvs, proto);
+}
+EXPORT_SYMBOL(ip_vs_proto_data_get);
 /*
 *      Propagate event for state change to all protocols
 */
-void ip_vs_protocol_timeout_change(int flags)
+void ip_vs_protocol_timeout_change(struct netns_ipvs *ipvs, int flags)
 {
-        struct ip_vs_protocol *pp;
+        struct ip_vs_proto_data *pd;
        int i;
        for (i = 0; i < IP_VS_PROTO_TAB_SIZE; i++) {
-                for (pp = ip_vs_proto_table[i]; pp; pp = pp->next) {
+                for (pd = ipvs->proto_data_table[i]; pd; pd = pd->next) {
-                        if (pp->timeout_change)
+                        if (pd->pp->timeout_change)
-                                pp->timeout_change(pp, flags);
+                                pd->pp->timeout_change(pd, flags);
                }
        }
 }
@@ -236,6 +313,41 @@ ip_vs_tcpudp_debug_packet(int af, struct ip_vs_protocol *pp,
                ip_vs_tcpudp_debug_packet_v4(pp, skb, offset, msg);
 }
+/*
+ * per network name-space init
+ */
+int __net_init __ip_vs_protocol_init(struct net *net)
+{
+#ifdef CONFIG_IP_VS_PROTO_TCP
+        register_ip_vs_proto_netns(net, &ip_vs_protocol_tcp);
+#endif
+#ifdef CONFIG_IP_VS_PROTO_UDP
+        register_ip_vs_proto_netns(net, &ip_vs_protocol_udp);
+#endif
+#ifdef CONFIG_IP_VS_PROTO_SCTP
+        register_ip_vs_proto_netns(net, &ip_vs_protocol_sctp);
+#endif
+#ifdef CONFIG_IP_VS_PROTO_AH
+        register_ip_vs_proto_netns(net, &ip_vs_protocol_ah);
+#endif
+#ifdef CONFIG_IP_VS_PROTO_ESP
+        register_ip_vs_proto_netns(net, &ip_vs_protocol_esp);
+#endif
+        return 0;
+}
+void __net_exit __ip_vs_protocol_cleanup(struct net *net)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        struct ip_vs_proto_data *pd;
+        int i;
+        /* unregister all the ipvs proto data for this netns */
+        for (i = 0; i < IP_VS_PROTO_TAB_SIZE; i++) {
+                while ((pd = ipvs->proto_data_table[i]) != NULL)
+                        unregister_ip_vs_proto_netns(net, pd);
+        }
+}
 int __init ip_vs_protocol_init(void)
 {
diff --git a/net/netfilter/ipvs/ip_vs_proto_ah_esp.c b/net/netfilter/ipvs/ip_vs_proto_ah_esp.c
index 3a0461117d3f..5b8eb8b12c3e 100644
--- a/net/netfilter/ipvs/ip_vs_proto_ah_esp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_ah_esp.c
@@ -41,28 +41,30 @@ struct isakmp_hdr {
 #define PORT_ISAKMP     500
 static void
-ah_esp_conn_fill_param_proto(int af, const struct ip_vs_iphdr *iph,
+ah_esp_conn_fill_param_proto(struct net *net, int af,
-                             int inverse, struct ip_vs_conn_param *p)
+                             const struct ip_vs_iphdr *iph, int inverse,
+                             struct ip_vs_conn_param *p)
 {
        if (likely(!inverse))
-                ip_vs_conn_fill_param(af, IPPROTO_UDP,
+                ip_vs_conn_fill_param(net, af, IPPROTO_UDP,
                                      &iph->saddr, htons(PORT_ISAKMP),
                                      &iph->daddr, htons(PORT_ISAKMP), p);
        else
-                ip_vs_conn_fill_param(af, IPPROTO_UDP,
+                ip_vs_conn_fill_param(net, af, IPPROTO_UDP,
                                      &iph->daddr, htons(PORT_ISAKMP),
                                      &iph->saddr, htons(PORT_ISAKMP), p);
 }
 static struct ip_vs_conn *
-ah_esp_conn_in_get(int af, const struct sk_buff *skb, struct ip_vs_protocol *pp,
+ah_esp_conn_in_get(int af, const struct sk_buff *skb,
                   const struct ip_vs_iphdr *iph, unsigned int proto_off,
                   int inverse)
 {
        struct ip_vs_conn *cp;
        struct ip_vs_conn_param p;
+        struct net *net = skb_net(skb);
-        ah_esp_conn_fill_param_proto(af, iph, inverse, &p);
+        ah_esp_conn_fill_param_proto(net, af, iph, inverse, &p);
        cp = ip_vs_conn_in_get(&p);
        if (!cp) {
                /*
@@ -72,7 +74,7 @@ ah_esp_conn_in_get(int af, const struct sk_buff *skb, struct ip_vs_protocol *pp,
                IP_VS_DBG_BUF(12, "Unknown ISAKMP entry for outin packet "
                              "%s%s %s->%s\n",
                              inverse ? "ICMP+" : "",
-                              pp->name,
+                              ip_vs_proto_get(iph->protocol)->name,
                              IP_VS_DBG_ADDR(af, &iph->saddr),
                              IP_VS_DBG_ADDR(af, &iph->daddr));
        }
@@ -83,21 +85,21 @@ ah_esp_conn_in_get(int af, const struct sk_buff *skb, struct ip_vs_protocol *pp,
 static struct ip_vs_conn *
 ah_esp_conn_out_get(int af, const struct sk_buff *skb,
-                    struct ip_vs_protocol *pp,
                    const struct ip_vs_iphdr *iph,
                    unsigned int proto_off,
                    int inverse)
 {
        struct ip_vs_conn *cp;
        struct ip_vs_conn_param p;
+        struct net *net = skb_net(skb);
-        ah_esp_conn_fill_param_proto(af, iph, inverse, &p);
+        ah_esp_conn_fill_param_proto(net, af, iph, inverse, &p);
        cp = ip_vs_conn_out_get(&p);
        if (!cp) {
                IP_VS_DBG_BUF(12, "Unknown ISAKMP entry for inout packet "
                              "%s%s %s->%s\n",
                              inverse ? "ICMP+" : "",
-                              pp->name,
+                              ip_vs_proto_get(iph->protocol)->name,
                              IP_VS_DBG_ADDR(af, &iph->saddr),
                              IP_VS_DBG_ADDR(af, &iph->daddr));
        }
@@ -107,7 +109,7 @@ ah_esp_conn_out_get(int af, const struct sk_buff *skb,
 static int
-ah_esp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+ah_esp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
                     int *verdict, struct ip_vs_conn **cpp)
 {
        /*
@@ -117,26 +119,14 @@ ah_esp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
        return 0;
 }
-static void ah_esp_init(struct ip_vs_protocol *pp)
-{
-        /* nothing to do now */
-}
-static void ah_esp_exit(struct ip_vs_protocol *pp)
-{
-        /* nothing to do now */
-}
 #ifdef CONFIG_IP_VS_PROTO_AH
 struct ip_vs_protocol ip_vs_protocol_ah = {
        .name =                 "AH",
        .protocol =             IPPROTO_AH,
        .num_states =           1,
        .dont_defrag =          1,
-        .init =                 ah_esp_init,
+        .init =                 NULL,
-        .exit =                 ah_esp_exit,
+        .exit =                 NULL,
        .conn_schedule =        ah_esp_conn_schedule,
        .conn_in_get =          ah_esp_conn_in_get,
        .conn_out_get =         ah_esp_conn_out_get,
@@ -149,7 +139,6 @@ struct ip_vs_protocol ip_vs_protocol_ah = {
        .app_conn_bind =        NULL,
        .debug_packet =         ip_vs_tcpudp_debug_packet,
        .timeout_change =       NULL,           /* ISAKMP */
-        .set_state_timeout =    NULL,
 };
 #endif
@@ -159,8 +148,8 @@ struct ip_vs_protocol ip_vs_protocol_esp = {
        .protocol =             IPPROTO_ESP,
        .num_states =           1,
        .dont_defrag =          1,
-        .init =                 ah_esp_init,
+        .init =                 NULL,
-        .exit =                 ah_esp_exit,
+        .exit =                 NULL,
        .conn_schedule =        ah_esp_conn_schedule,
        .conn_in_get =          ah_esp_conn_in_get,
        .conn_out_get =         ah_esp_conn_out_get,
diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c
index 1ea96bcd342b..d12ed53ec95f 100644
--- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
@@ -9,9 +9,10 @@
 #include <net/ip_vs.h>
 static int
-sctp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+sctp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
                   int *verdict, struct ip_vs_conn **cpp)
 {
+        struct net *net;
        struct ip_vs_service *svc;
        sctp_chunkhdr_t _schunkh, *sch;
        sctp_sctphdr_t *sh, _sctph;
@@ -27,13 +28,13 @@ sctp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
                                 sizeof(_schunkh), &_schunkh);
        if (sch == NULL)
                return 0;
+        net = skb_net(skb);
        if ((sch->type == SCTP_CID_INIT) &&
-            (svc = ip_vs_service_get(af, skb->mark, iph.protocol,
+            (svc = ip_vs_service_get(net, af, skb->mark, iph.protocol,
                                     &iph.daddr, sh->dest))) {
                int ignored;
-                if (ip_vs_todrop()) {
+                if (ip_vs_todrop(net_ipvs(net))) {
                        /*
                         * It seems that we are very loaded.
                         * We have to drop this packet :(
@@ -46,14 +47,19 @@ sctp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
                 * Let the virtual server select a real server for the
                 * incoming connection, and create a connection entry.
                 */
-                *cpp = ip_vs_schedule(svc, skb, pp, &ignored);
+                *cpp = ip_vs_schedule(svc, skb, pd, &ignored);
-                if (!*cpp && !ignored) {
+                if (!*cpp && ignored <= 0) {
-                        *verdict = ip_vs_leave(svc, skb, pp);
+                        if (!ignored)
+                                *verdict = ip_vs_leave(svc, skb, pd);
+                        else {
+                                ip_vs_service_put(svc);
+                                *verdict = NF_DROP;
+                        }
                        return 0;
                }
                ip_vs_service_put(svc);
        }
+        /* NF_ACCEPT */
        return 1;
 }
@@ -560,7 +566,7 @@ static struct ipvs_sctp_nextstate
         * SHUTDOWN sent from the client, waitinf for SHUT ACK from the server
         */
        /*
-         * We recieved the data chuck, keep the state unchanged. I assume
+         * We received the data chuck, keep the state unchanged. I assume
         * that still data chuncks  can be received by both the peers in
         * SHUDOWN state
         */
@@ -627,7 +633,7 @@ static struct ipvs_sctp_nextstate
         * SHUTDOWN sent from the server, waitinf for SHUTDOWN ACK from client
         */
        /*
-         * We recieved the data chuck, keep the state unchanged. I assume
+         * We received the data chuck, keep the state unchanged. I assume
         * that still data chuncks  can be received by both the peers in
         * SHUDOWN state
         */
@@ -695,7 +701,7 @@ static struct ipvs_sctp_nextstate
         * SHUTDOWN ACK from the client, awaiting for SHUTDOWN COM from server
         */
        /*
-         * We recieved the data chuck, keep the state unchanged. I assume
+         * We received the data chuck, keep the state unchanged. I assume
         * that still data chuncks  can be received by both the peers in
         * SHUDOWN state
         */
@@ -765,7 +771,7 @@ static struct ipvs_sctp_nextstate
         * SHUTDOWN ACK from the server, awaiting for SHUTDOWN COM from client
         */
        /*
-         * We recieved the data chuck, keep the state unchanged. I assume
+         * We received the data chuck, keep the state unchanged. I assume
         * that still data chuncks  can be received by both the peers in
         * SHUDOWN state
         */
@@ -856,7 +862,7 @@ static struct ipvs_sctp_nextstate
 /*
 *      Timeout table[state]
 */
-static int sctp_timeouts[IP_VS_SCTP_S_LAST + 1] = {
+static const int sctp_timeouts[IP_VS_SCTP_S_LAST + 1] = {
        [IP_VS_SCTP_S_NONE]         =     2 * HZ,
        [IP_VS_SCTP_S_INIT_CLI]     =     1 * 60 * HZ,
        [IP_VS_SCTP_S_INIT_SER]     =     1 * 60 * HZ,
@@ -900,20 +906,8 @@ static const char *sctp_state_name(int state)
        return "?";
 }
-static void sctp_timeout_change(struct ip_vs_protocol *pp, int flags)
-{
-}
-static int
-sctp_set_state_timeout(struct ip_vs_protocol *pp, char *sname, int to)
-{
-return ip_vs_set_state_timeout(pp->timeout_table, IP_VS_SCTP_S_LAST,
-                                sctp_state_name_table, sname, to);
-}
 static inline int
-set_sctp_state(struct ip_vs_protocol *pp, struct ip_vs_conn *cp,
+set_sctp_state(struct ip_vs_proto_data *pd, struct ip_vs_conn *cp,
                int direction, const struct sk_buff *skb)
 {
        sctp_chunkhdr_t _sctpch, *sch;
@@ -971,7 +965,7 @@ set_sctp_state(struct ip_vs_protocol *pp, struct ip_vs_conn *cp,
                IP_VS_DBG_BUF(8, "%s %s  %s:%d->"
                                "%s:%d state: %s->%s conn->refcnt:%d\n",
-                                pp->name,
+                                pd->pp->name,
                                ((direction == IP_VS_DIR_OUTPUT) ?
                                 "output " : "input "),
                                IP_VS_DBG_ADDR(cp->af, &cp->daddr),
@@ -995,75 +989,73 @@ set_sctp_state(struct ip_vs_protocol *pp, struct ip_vs_conn *cp,
                        }
                }
        }
+        if (likely(pd))
+                cp->timeout = pd->timeout_table[cp->state = next_state];
+        else    /* What to do ? */
+                cp->timeout = sctp_timeouts[cp->state = next_state];
-         cp->timeout = pp->timeout_table[cp->state = next_state];
+        return 1;
-         return 1;
 }
 static int
 sctp_state_transition(struct ip_vs_conn *cp, int direction,
-                const struct sk_buff *skb, struct ip_vs_protocol *pp)
+                const struct sk_buff *skb, struct ip_vs_proto_data *pd)
 {
        int ret = 0;
        spin_lock(&cp->lock);
-        ret = set_sctp_state(pp, cp, direction, skb);
+        ret = set_sctp_state(pd, cp, direction, skb);
        spin_unlock(&cp->lock);
        return ret;
 }
-/*
- *      Hash table for SCTP application incarnations
- */
-#define SCTP_APP_TAB_BITS        4
-#define SCTP_APP_TAB_SIZE        (1 << SCTP_APP_TAB_BITS)
-#define SCTP_APP_TAB_MASK        (SCTP_APP_TAB_SIZE - 1)
-static struct list_head sctp_apps[SCTP_APP_TAB_SIZE];
-static DEFINE_SPINLOCK(sctp_app_lock);
 static inline __u16 sctp_app_hashkey(__be16 port)
 {
        return (((__force u16)port >> SCTP_APP_TAB_BITS) ^ (__force u16)port)
                & SCTP_APP_TAB_MASK;
 }
-static int sctp_register_app(struct ip_vs_app *inc)
+static int sctp_register_app(struct net *net, struct ip_vs_app *inc)
 {
        struct ip_vs_app *i;
        __u16 hash;
        __be16 port = inc->port;
        int ret = 0;
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        struct ip_vs_proto_data *pd = ip_vs_proto_data_get(net, IPPROTO_SCTP);
        hash = sctp_app_hashkey(port);
-        spin_lock_bh(&sctp_app_lock);
+        spin_lock_bh(&ipvs->sctp_app_lock);
-        list_for_each_entry(i, &sctp_apps[hash], p_list) {
+        list_for_each_entry(i, &ipvs->sctp_apps[hash], p_list) {
                if (i->port == port) {
                        ret = -EEXIST;
                        goto out;
                }
        }
-        list_add(&inc->p_list, &sctp_apps[hash]);
+        list_add(&inc->p_list, &ipvs->sctp_apps[hash]);
-        atomic_inc(&ip_vs_protocol_sctp.appcnt);
+        atomic_inc(&pd->appcnt);
 out:
-        spin_unlock_bh(&sctp_app_lock);
+        spin_unlock_bh(&ipvs->sctp_app_lock);
        return ret;
 }
-static void sctp_unregister_app(struct ip_vs_app *inc)
+static void sctp_unregister_app(struct net *net, struct ip_vs_app *inc)
 {
-        spin_lock_bh(&sctp_app_lock);
+        struct netns_ipvs *ipvs = net_ipvs(net);
-        atomic_dec(&ip_vs_protocol_sctp.appcnt);
+        struct ip_vs_proto_data *pd = ip_vs_proto_data_get(net, IPPROTO_SCTP);
+        spin_lock_bh(&ipvs->sctp_app_lock);
+        atomic_dec(&pd->appcnt);
        list_del(&inc->p_list);
-        spin_unlock_bh(&sctp_app_lock);
+        spin_unlock_bh(&ipvs->sctp_app_lock);
 }
 static int sctp_app_conn_bind(struct ip_vs_conn *cp)
 {
+        struct netns_ipvs *ipvs = net_ipvs(ip_vs_conn_net(cp));
        int hash;
        struct ip_vs_app *inc;
        int result = 0;
@@ -1074,12 +1066,12 @@ static int sctp_app_conn_bind(struct ip_vs_conn *cp)
        /* Lookup application incarnations and bind the right one */
        hash = sctp_app_hashkey(cp->vport);
-        spin_lock(&sctp_app_lock);
+        spin_lock(&ipvs->sctp_app_lock);
-        list_for_each_entry(inc, &sctp_apps[hash], p_list) {
+        list_for_each_entry(inc, &ipvs->sctp_apps[hash], p_list) {
                if (inc->port == cp->vport) {
                        if (unlikely(!ip_vs_app_inc_get(inc)))
                                break;
-                        spin_unlock(&sctp_app_lock);
+                        spin_unlock(&ipvs->sctp_app_lock);
                        IP_VS_DBG_BUF(9, "%s: Binding conn %s:%u->"
                                        "%s:%u to app %s on port %u\n",
@@ -1095,43 +1087,50 @@ static int sctp_app_conn_bind(struct ip_vs_conn *cp)
                        goto out;
                }
        }
-        spin_unlock(&sctp_app_lock);
+        spin_unlock(&ipvs->sctp_app_lock);
 out:
        return result;
 }
-static void ip_vs_sctp_init(struct ip_vs_protocol *pp)
+/* ---------------------------------------------
+ *   timeouts is netns related now.
+ * ---------------------------------------------
+ */
+static void __ip_vs_sctp_init(struct net *net, struct ip_vs_proto_data *pd)
 {
-        IP_VS_INIT_HASH_TABLE(sctp_apps);
+        struct netns_ipvs *ipvs = net_ipvs(net);
-        pp->timeout_table = sctp_timeouts;
-}
+        ip_vs_init_hash_table(ipvs->sctp_apps, SCTP_APP_TAB_SIZE);
+        spin_lock_init(&ipvs->sctp_app_lock);
+        pd->timeout_table = ip_vs_create_timeout_table((int *)sctp_timeouts,
+                                                        sizeof(sctp_timeouts));
+}
-static void ip_vs_sctp_exit(struct ip_vs_protocol *pp)
+static void __ip_vs_sctp_exit(struct net *net, struct ip_vs_proto_data *pd)
 {
+        kfree(pd->timeout_table);
 }
 struct ip_vs_protocol ip_vs_protocol_sctp = {
-        .name = "SCTP",
+        .name           = "SCTP",
-        .protocol = IPPROTO_SCTP,
+        .protocol       = IPPROTO_SCTP,
-        .num_states = IP_VS_SCTP_S_LAST,
+        .num_states     = IP_VS_SCTP_S_LAST,
-        .dont_defrag = 0,
+        .dont_defrag    = 0,
-        .appcnt = ATOMIC_INIT(0),
+        .init           = NULL,
-        .init = ip_vs_sctp_init,
+        .exit           = NULL,
-        .exit = ip_vs_sctp_exit,
+        .init_netns     = __ip_vs_sctp_init,
-        .register_app = sctp_register_app,
+        .exit_netns     = __ip_vs_sctp_exit,
+        .register_app   = sctp_register_app,
        .unregister_app = sctp_unregister_app,
-        .conn_schedule = sctp_conn_schedule,
+        .conn_schedule  = sctp_conn_schedule,
-        .conn_in_get = ip_vs_conn_in_get_proto,
+        .conn_in_get    = ip_vs_conn_in_get_proto,
-        .conn_out_get = ip_vs_conn_out_get_proto,
+        .conn_out_get   = ip_vs_conn_out_get_proto,
-        .snat_handler = sctp_snat_handler,
+        .snat_handler   = sctp_snat_handler,
-        .dnat_handler = sctp_dnat_handler,
+        .dnat_handler   = sctp_dnat_handler,
-        .csum_check = sctp_csum_check,
+        .csum_check     = sctp_csum_check,
-        .state_name = sctp_state_name,
+        .state_name     = sctp_state_name,
        .state_transition = sctp_state_transition,
-        .app_conn_bind = sctp_app_conn_bind,
+        .app_conn_bind  = sctp_app_conn_bind,
-        .debug_packet = ip_vs_tcpudp_debug_packet,
+        .debug_packet   = ip_vs_tcpudp_debug_packet,
-        .timeout_change = sctp_timeout_change,
+        .timeout_change = NULL,
-        .set_state_timeout = sctp_set_state_timeout,
 };
diff --git a/net/netfilter/ipvs/ip_vs_proto_tcp.c b/net/netfilter/ipvs/ip_vs_proto_tcp.c
index f6c5200e2146..c0cc341b840d 100644
--- a/net/netfilter/ipvs/ip_vs_proto_tcp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_tcp.c
@@ -9,8 +9,12 @@
 *              as published by the Free Software Foundation; either version
 *              2 of the License, or (at your option) any later version.
 *
- * Changes:
+ * Changes:     Hans Schillstrom <hans.schillstrom@ericsson.com>
 *
+ *              Network name space (netns) aware.
+ *              Global data moved to netns i.e struct netns_ipvs
+ *              tcp_timeouts table has copy per netns in a hash table per
+ *              protocol ip_vs_proto_data and is handled by netns
 */
 #define KMSG_COMPONENT "IPVS"
@@ -28,9 +32,10 @@
 #include <net/ip_vs.h>
 static int
-tcp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+tcp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
                  int *verdict, struct ip_vs_conn **cpp)
 {
+        struct net *net;
        struct ip_vs_service *svc;
        struct tcphdr _tcph, *th;
        struct ip_vs_iphdr iph;
@@ -42,14 +47,14 @@ tcp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
                *verdict = NF_DROP;
                return 0;
        }
+        net = skb_net(skb);
        /* No !th->ack check to allow scheduling on SYN+ACK for Active FTP */
        if (th->syn &&
-            (svc = ip_vs_service_get(af, skb->mark, iph.protocol, &iph.daddr,
+            (svc = ip_vs_service_get(net, af, skb->mark, iph.protocol,
-                                     th->dest))) {
+                                     &iph.daddr, th->dest))) {
                int ignored;
-                if (ip_vs_todrop()) {
+                if (ip_vs_todrop(net_ipvs(net))) {
                        /*
                         * It seems that we are very loaded.
                         * We have to drop this packet :(
@@ -63,13 +68,19 @@ tcp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
                 * Let the virtual server select a real server for the
                 * incoming connection, and create a connection entry.
                 */
-                *cpp = ip_vs_schedule(svc, skb, pp, &ignored);
+                *cpp = ip_vs_schedule(svc, skb, pd, &ignored);
-                if (!*cpp && !ignored) {
+                if (!*cpp && ignored <= 0) {
-                        *verdict = ip_vs_leave(svc, skb, pp);
+                        if (!ignored)
+                                *verdict = ip_vs_leave(svc, skb, pd);
+                        else {
+                                ip_vs_service_put(svc);
+                                *verdict = NF_DROP;
+                        }
                        return 0;
                }
                ip_vs_service_put(svc);
        }
+        /* NF_ACCEPT */
        return 1;
 }
@@ -338,7 +349,7 @@ static const int tcp_state_off[IP_VS_DIR_LAST] = {
 /*
 *      Timeout table[state]
 */
-static int tcp_timeouts[IP_VS_TCP_S_LAST+1] = {
+static const int tcp_timeouts[IP_VS_TCP_S_LAST+1] = {
        [IP_VS_TCP_S_NONE]              =       2*HZ,
        [IP_VS_TCP_S_ESTABLISHED]       =       15*60*HZ,
        [IP_VS_TCP_S_SYN_SENT]          =       2*60*HZ,
@@ -437,10 +448,7 @@ static struct tcp_states_t tcp_states_dos [] = {
 /*rst*/ {{sCL, sCL, sCL, sSR, sCL, sCL, sCL, sCL, sLA, sLI, sCL }},
 };
-static struct tcp_states_t *tcp_state_table = tcp_states;
+static void tcp_timeout_change(struct ip_vs_proto_data *pd, int flags)
-static void tcp_timeout_change(struct ip_vs_protocol *pp, int flags)
 {
        int on = (flags & 1);           /* secure_tcp */
@@ -450,14 +458,7 @@ static void tcp_timeout_change(struct ip_vs_protocol *pp, int flags)
        ** for most if not for all of the applications. Something
        ** like "capabilities" (flags) for each object.
        */
-        tcp_state_table = (on? tcp_states_dos : tcp_states);
+        pd->tcp_state_table = (on ? tcp_states_dos : tcp_states);
-}
-static int
-tcp_set_state_timeout(struct ip_vs_protocol *pp, char *sname, int to)
-{
-        return ip_vs_set_state_timeout(pp->timeout_table, IP_VS_TCP_S_LAST,
-                                       tcp_state_name_table, sname, to);
 }
 static inline int tcp_state_idx(struct tcphdr *th)
@@ -474,7 +475,7 @@ static inline int tcp_state_idx(struct tcphdr *th)
 }
 static inline void
-set_tcp_state(struct ip_vs_protocol *pp, struct ip_vs_conn *cp,
+set_tcp_state(struct ip_vs_proto_data *pd, struct ip_vs_conn *cp,
              int direction, struct tcphdr *th)
 {
        int state_idx;
@@ -497,7 +498,8 @@ set_tcp_state(struct ip_vs_protocol *pp, struct ip_vs_conn *cp,
                goto tcp_state_out;
        }
-        new_state = tcp_state_table[state_off+state_idx].next_state[cp->state];
+        new_state =
+                pd->tcp_state_table[state_off+state_idx].next_state[cp->state];
  tcp_state_out:
        if (new_state != cp->state) {
@@ -505,7 +507,7 @@ set_tcp_state(struct ip_vs_protocol *pp, struct ip_vs_conn *cp,
                IP_VS_DBG_BUF(8, "%s %s [%c%c%c%c] %s:%d->"
                              "%s:%d state: %s->%s conn->refcnt:%d\n",
-                              pp->name,
+                              pd->pp->name,
                              ((state_off == TCP_DIR_OUTPUT) ?
                               "output " : "input "),
                              th->syn ? 'S' : '.',
@@ -535,17 +537,19 @@ set_tcp_state(struct ip_vs_protocol *pp, struct ip_vs_conn *cp,
                }
        }
-        cp->timeout = pp->timeout_table[cp->state = new_state];
+        if (likely(pd))
+                cp->timeout = pd->timeout_table[cp->state = new_state];
+        else    /* What to do ? */
+                cp->timeout = tcp_timeouts[cp->state = new_state];
 }
 /*
 *      Handle state transitions
 */
 static int
 tcp_state_transition(struct ip_vs_conn *cp, int direction,
                     const struct sk_buff *skb,
-                     struct ip_vs_protocol *pp)
+                     struct ip_vs_proto_data *pd)
 {
        struct tcphdr _tcph, *th;
@@ -560,23 +564,12 @@ tcp_state_transition(struct ip_vs_conn *cp, int direction,
                return 0;
        spin_lock(&cp->lock);
-        set_tcp_state(pp, cp, direction, th);
+        set_tcp_state(pd, cp, direction, th);
        spin_unlock(&cp->lock);
        return 1;
 }
-/*
- *      Hash table for TCP application incarnations
- */
-#define TCP_APP_TAB_BITS        4
-#define TCP_APP_TAB_SIZE        (1 << TCP_APP_TAB_BITS)
-#define TCP_APP_TAB_MASK        (TCP_APP_TAB_SIZE - 1)
-static struct list_head tcp_apps[TCP_APP_TAB_SIZE];
-static DEFINE_SPINLOCK(tcp_app_lock);
 static inline __u16 tcp_app_hashkey(__be16 port)
 {
        return (((__force u16)port >> TCP_APP_TAB_BITS) ^ (__force u16)port)
@@ -584,44 +577,50 @@ static inline __u16 tcp_app_hashkey(__be16 port)
 }
-static int tcp_register_app(struct ip_vs_app *inc)
+static int tcp_register_app(struct net *net, struct ip_vs_app *inc)
 {
        struct ip_vs_app *i;
        __u16 hash;
        __be16 port = inc->port;
        int ret = 0;
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        struct ip_vs_proto_data *pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
        hash = tcp_app_hashkey(port);
-        spin_lock_bh(&tcp_app_lock);
+        spin_lock_bh(&ipvs->tcp_app_lock);
-        list_for_each_entry(i, &tcp_apps[hash], p_list) {
+        list_for_each_entry(i, &ipvs->tcp_apps[hash], p_list) {
                if (i->port == port) {
                        ret = -EEXIST;
                        goto out;
                }
        }
-        list_add(&inc->p_list, &tcp_apps[hash]);
+        list_add(&inc->p_list, &ipvs->tcp_apps[hash]);
-        atomic_inc(&ip_vs_protocol_tcp.appcnt);
+        atomic_inc(&pd->appcnt);
  out:
-        spin_unlock_bh(&tcp_app_lock);
+        spin_unlock_bh(&ipvs->tcp_app_lock);
        return ret;
 }
 static void
-tcp_unregister_app(struct ip_vs_app *inc)
+tcp_unregister_app(struct net *net, struct ip_vs_app *inc)
 {
-        spin_lock_bh(&tcp_app_lock);
+        struct netns_ipvs *ipvs = net_ipvs(net);
-        atomic_dec(&ip_vs_protocol_tcp.appcnt);
+        struct ip_vs_proto_data *pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
+        spin_lock_bh(&ipvs->tcp_app_lock);
+        atomic_dec(&pd->appcnt);
        list_del(&inc->p_list);
-        spin_unlock_bh(&tcp_app_lock);
+        spin_unlock_bh(&ipvs->tcp_app_lock);
 }
 static int
 tcp_app_conn_bind(struct ip_vs_conn *cp)
 {
+        struct netns_ipvs *ipvs = net_ipvs(ip_vs_conn_net(cp));
        int hash;
        struct ip_vs_app *inc;
        int result = 0;
@@ -633,12 +632,12 @@ tcp_app_conn_bind(struct ip_vs_conn *cp)
        /* Lookup application incarnations and bind the right one */
        hash = tcp_app_hashkey(cp->vport);
-        spin_lock(&tcp_app_lock);
+        spin_lock(&ipvs->tcp_app_lock);
-        list_for_each_entry(inc, &tcp_apps[hash], p_list) {
+        list_for_each_entry(inc, &ipvs->tcp_apps[hash], p_list) {
                if (inc->port == cp->vport) {
                        if (unlikely(!ip_vs_app_inc_get(inc)))
                                break;
-                        spin_unlock(&tcp_app_lock);
+                        spin_unlock(&ipvs->tcp_app_lock);
                        IP_VS_DBG_BUF(9, "%s(): Binding conn %s:%u->"
                                      "%s:%u to app %s on port %u\n",
@@ -655,7 +654,7 @@ tcp_app_conn_bind(struct ip_vs_conn *cp)
                        goto out;
                }
        }
-        spin_unlock(&tcp_app_lock);
+        spin_unlock(&ipvs->tcp_app_lock);
  out:
        return result;
@@ -665,24 +664,35 @@ tcp_app_conn_bind(struct ip_vs_conn *cp)
 /*
 *      Set LISTEN timeout. (ip_vs_conn_put will setup timer)
 */
-void ip_vs_tcp_conn_listen(struct ip_vs_conn *cp)
+void ip_vs_tcp_conn_listen(struct net *net, struct ip_vs_conn *cp)
 {
+        struct ip_vs_proto_data *pd = ip_vs_proto_data_get(net, IPPROTO_TCP);
        spin_lock(&cp->lock);
        cp->state = IP_VS_TCP_S_LISTEN;
-        cp->timeout = ip_vs_protocol_tcp.timeout_table[IP_VS_TCP_S_LISTEN];
+        cp->timeout = (pd ? pd->timeout_table[IP_VS_TCP_S_LISTEN]
+                           : tcp_timeouts[IP_VS_TCP_S_LISTEN]);
        spin_unlock(&cp->lock);
 }
+/* ---------------------------------------------
-static void ip_vs_tcp_init(struct ip_vs_protocol *pp)
+ *   timeouts is netns related now.
+ * ---------------------------------------------
+ */
+static void __ip_vs_tcp_init(struct net *net, struct ip_vs_proto_data *pd)
 {
-        IP_VS_INIT_HASH_TABLE(tcp_apps);
+        struct netns_ipvs *ipvs = net_ipvs(net);
-        pp->timeout_table = tcp_timeouts;
-}
+        ip_vs_init_hash_table(ipvs->tcp_apps, TCP_APP_TAB_SIZE);
+        spin_lock_init(&ipvs->tcp_app_lock);
+        pd->timeout_table = ip_vs_create_timeout_table((int *)tcp_timeouts,
+                                                        sizeof(tcp_timeouts));
+        pd->tcp_state_table =  tcp_states;
+}
-static void ip_vs_tcp_exit(struct ip_vs_protocol *pp)
+static void __ip_vs_tcp_exit(struct net *net, struct ip_vs_proto_data *pd)
 {
+        kfree(pd->timeout_table);
 }
@@ -691,9 +701,10 @@ struct ip_vs_protocol ip_vs_protocol_tcp = {
        .protocol =             IPPROTO_TCP,
        .num_states =           IP_VS_TCP_S_LAST,
        .dont_defrag =          0,
-        .appcnt =               ATOMIC_INIT(0),
+        .init =                 NULL,
-        .init =                 ip_vs_tcp_init,
+        .exit =                 NULL,
-        .exit =                 ip_vs_tcp_exit,
+        .init_netns =           __ip_vs_tcp_init,
+        .exit_netns =           __ip_vs_tcp_exit,
        .register_app =         tcp_register_app,
        .unregister_app =       tcp_unregister_app,
        .conn_schedule =        tcp_conn_schedule,
@@ -707,5 +718,4 @@ struct ip_vs_protocol ip_vs_protocol_tcp = {
        .app_conn_bind =        tcp_app_conn_bind,
        .debug_packet =         ip_vs_tcpudp_debug_packet,
        .timeout_change =       tcp_timeout_change,
-        .set_state_timeout =    tcp_set_state_timeout,
 };
diff --git a/net/netfilter/ipvs/ip_vs_proto_udp.c b/net/netfilter/ipvs/ip_vs_proto_udp.c
index 9d106a06bb0a..f1282cbe6fe3 100644
--- a/net/netfilter/ipvs/ip_vs_proto_udp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_udp.c
@@ -9,7 +9,8 @@
 *              as published by the Free Software Foundation; either version
 *              2 of the License, or (at your option) any later version.
 *
- * Changes:
+ * Changes:     Hans Schillstrom <hans.schillstrom@ericsson.com>
+ *              Network name space (netns) aware.
 *
 */
@@ -28,9 +29,10 @@
 #include <net/ip6_checksum.h>
 static int
-udp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
+udp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
                  int *verdict, struct ip_vs_conn **cpp)
 {
+        struct net *net;
        struct ip_vs_service *svc;
        struct udphdr _udph, *uh;
        struct ip_vs_iphdr iph;
@@ -42,13 +44,13 @@ udp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
                *verdict = NF_DROP;
                return 0;
        }
+        net = skb_net(skb);
-        svc = ip_vs_service_get(af, skb->mark, iph.protocol,
+        svc = ip_vs_service_get(net, af, skb->mark, iph.protocol,
                                &iph.daddr, uh->dest);
        if (svc) {
                int ignored;
-                if (ip_vs_todrop()) {
+                if (ip_vs_todrop(net_ipvs(net))) {
                        /*
                         * It seems that we are very loaded.
                         * We have to drop this packet :(
@@ -62,13 +64,19 @@ udp_conn_schedule(int af, struct sk_buff *skb, struct ip_vs_protocol *pp,
                 * Let the virtual server select a real server for the
                 * incoming connection, and create a connection entry.
                 */
-                *cpp = ip_vs_schedule(svc, skb, pp, &ignored);
+                *cpp = ip_vs_schedule(svc, skb, pd, &ignored);
-                if (!*cpp && !ignored) {
+                if (!*cpp && ignored <= 0) {
-                        *verdict = ip_vs_leave(svc, skb, pp);
+                        if (!ignored)
+                                *verdict = ip_vs_leave(svc, skb, pd);
+                        else {
+                                ip_vs_service_put(svc);
+                                *verdict = NF_DROP;
+                        }
                        return 0;
                }
                ip_vs_service_put(svc);
        }
+        /* NF_ACCEPT */
        return 1;
 }
@@ -338,19 +346,6 @@ udp_csum_check(int af, struct sk_buff *skb, struct ip_vs_protocol *pp)
        return 1;
 }
-/*
- *      Note: the caller guarantees that only one of register_app,
- *      unregister_app or app_conn_bind is called each time.
- */
-#define UDP_APP_TAB_BITS        4
-#define UDP_APP_TAB_SIZE        (1 << UDP_APP_TAB_BITS)
-#define UDP_APP_TAB_MASK        (UDP_APP_TAB_SIZE - 1)
-static struct list_head udp_apps[UDP_APP_TAB_SIZE];
-static DEFINE_SPINLOCK(udp_app_lock);
 static inline __u16 udp_app_hashkey(__be16 port)
 {
        return (((__force u16)port >> UDP_APP_TAB_BITS) ^ (__force u16)port)
@@ -358,44 +353,50 @@ static inline __u16 udp_app_hashkey(__be16 port)
 }
-static int udp_register_app(struct ip_vs_app *inc)
+static int udp_register_app(struct net *net, struct ip_vs_app *inc)
 {
        struct ip_vs_app *i;
        __u16 hash;
        __be16 port = inc->port;
        int ret = 0;
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        struct ip_vs_proto_data *pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
        hash = udp_app_hashkey(port);
-        spin_lock_bh(&udp_app_lock);
+        spin_lock_bh(&ipvs->udp_app_lock);
-        list_for_each_entry(i, &udp_apps[hash], p_list) {
+        list_for_each_entry(i, &ipvs->udp_apps[hash], p_list) {
                if (i->port == port) {
                        ret = -EEXIST;
                        goto out;
                }
        }
-        list_add(&inc->p_list, &udp_apps[hash]);
+        list_add(&inc->p_list, &ipvs->udp_apps[hash]);
-        atomic_inc(&ip_vs_protocol_udp.appcnt);
+        atomic_inc(&pd->appcnt);
  out:
-        spin_unlock_bh(&udp_app_lock);
+        spin_unlock_bh(&ipvs->udp_app_lock);
        return ret;
 }
 static void
-udp_unregister_app(struct ip_vs_app *inc)
+udp_unregister_app(struct net *net, struct ip_vs_app *inc)
 {
-        spin_lock_bh(&udp_app_lock);
+        struct ip_vs_proto_data *pd = ip_vs_proto_data_get(net, IPPROTO_UDP);
-        atomic_dec(&ip_vs_protocol_udp.appcnt);
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        spin_lock_bh(&ipvs->udp_app_lock);
+        atomic_dec(&pd->appcnt);
        list_del(&inc->p_list);
-        spin_unlock_bh(&udp_app_lock);
+        spin_unlock_bh(&ipvs->udp_app_lock);
 }
 static int udp_app_conn_bind(struct ip_vs_conn *cp)
 {
+        struct netns_ipvs *ipvs = net_ipvs(ip_vs_conn_net(cp));
        int hash;
        struct ip_vs_app *inc;
        int result = 0;
@@ -407,12 +408,12 @@ static int udp_app_conn_bind(struct ip_vs_conn *cp)
        /* Lookup application incarnations and bind the right one */
        hash = udp_app_hashkey(cp->vport);
-        spin_lock(&udp_app_lock);
+        spin_lock(&ipvs->udp_app_lock);
-        list_for_each_entry(inc, &udp_apps[hash], p_list) {
+        list_for_each_entry(inc, &ipvs->udp_apps[hash], p_list) {
                if (inc->port == cp->vport) {
                        if (unlikely(!ip_vs_app_inc_get(inc)))
                                break;
-                        spin_unlock(&udp_app_lock);
+                        spin_unlock(&ipvs->udp_app_lock);
                        IP_VS_DBG_BUF(9, "%s(): Binding conn %s:%u->"
                                      "%s:%u to app %s on port %u\n",
@@ -429,14 +430,14 @@ static int udp_app_conn_bind(struct ip_vs_conn *cp)
                        goto out;
                }
        }
-        spin_unlock(&udp_app_lock);
+        spin_unlock(&ipvs->udp_app_lock);
  out:
        return result;
 }
-static int udp_timeouts[IP_VS_UDP_S_LAST+1] = {
+static const int udp_timeouts[IP_VS_UDP_S_LAST+1] = {
        [IP_VS_UDP_S_NORMAL]            =       5*60*HZ,
        [IP_VS_UDP_S_LAST]              =       2*HZ,
 };
@@ -446,14 +447,6 @@ static const char *const udp_state_name_table[IP_VS_UDP_S_LAST+1] = {
        [IP_VS_UDP_S_LAST]              =       "BUG!",
 };
-static int
-udp_set_state_timeout(struct ip_vs_protocol *pp, char *sname, int to)
-{
-        return ip_vs_set_state_timeout(pp->timeout_table, IP_VS_UDP_S_LAST,
-                                       udp_state_name_table, sname, to);
-}
 static const char * udp_state_name(int state)
 {
        if (state >= IP_VS_UDP_S_LAST)
@@ -464,20 +457,30 @@ static const char * udp_state_name(int state)
 static int
 udp_state_transition(struct ip_vs_conn *cp, int direction,
                     const struct sk_buff *skb,
-                     struct ip_vs_protocol *pp)
+                     struct ip_vs_proto_data *pd)
 {
-        cp->timeout = pp->timeout_table[IP_VS_UDP_S_NORMAL];
+        if (unlikely(!pd)) {
+                pr_err("UDP no ns data\n");
+                return 0;
+        }
+        cp->timeout = pd->timeout_table[IP_VS_UDP_S_NORMAL];
        return 1;
 }
-static void udp_init(struct ip_vs_protocol *pp)
+static void __udp_init(struct net *net, struct ip_vs_proto_data *pd)
 {
-        IP_VS_INIT_HASH_TABLE(udp_apps);
+        struct netns_ipvs *ipvs = net_ipvs(net);
-        pp->timeout_table = udp_timeouts;
+        ip_vs_init_hash_table(ipvs->udp_apps, UDP_APP_TAB_SIZE);
+        spin_lock_init(&ipvs->udp_app_lock);
+        pd->timeout_table = ip_vs_create_timeout_table((int *)udp_timeouts,
+                                                        sizeof(udp_timeouts));
 }
-static void udp_exit(struct ip_vs_protocol *pp)
+static void __udp_exit(struct net *net, struct ip_vs_proto_data *pd)
 {
+        kfree(pd->timeout_table);
 }
@@ -486,8 +489,10 @@ struct ip_vs_protocol ip_vs_protocol_udp = {
        .protocol =             IPPROTO_UDP,
        .num_states =           IP_VS_UDP_S_LAST,
        .dont_defrag =          0,
-        .init =                 udp_init,
+        .init =                 NULL,
-        .exit =                 udp_exit,
+        .exit =                 NULL,
+        .init_netns =           __udp_init,
+        .exit_netns =           __udp_exit,
        .conn_schedule =        udp_conn_schedule,
        .conn_in_get =          ip_vs_conn_in_get_proto,
        .conn_out_get =         ip_vs_conn_out_get_proto,
@@ -501,5 +506,4 @@ struct ip_vs_protocol ip_vs_protocol_udp = {
        .app_conn_bind =        udp_app_conn_bind,
        .debug_packet =         ip_vs_tcpudp_debug_packet,
        .timeout_change =       NULL,
-        .set_state_timeout =    udp_set_state_timeout,
 };
diff --git a/net/netfilter/ipvs/ip_vs_rr.c b/net/netfilter/ipvs/ip_vs_rr.c
index e210f37d8ea2..c49b388d1085 100644
--- a/net/netfilter/ipvs/ip_vs_rr.c
+++ b/net/netfilter/ipvs/ip_vs_rr.c
@@ -72,7 +72,7 @@ ip_vs_rr_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
                q = q->next;
        } while (q != p);
        write_unlock(&svc->sched_lock);
-        IP_VS_ERR_RL("RR: no destination available\n");
+        ip_vs_scheduler_err(svc, "no destination available");
        return NULL;
  out:
diff --git a/net/netfilter/ipvs/ip_vs_sched.c b/net/netfilter/ipvs/ip_vs_sched.c
index 076ebe00435d..08dbdd5bc18f 100644
--- a/net/netfilter/ipvs/ip_vs_sched.c
+++ b/net/netfilter/ipvs/ip_vs_sched.c
@@ -29,6 +29,7 @@
 #include <net/ip_vs.h>
+EXPORT_SYMBOL(ip_vs_scheduler_err);
 /*
 *  IPVS scheduler list
 */
@@ -146,6 +147,30 @@ void ip_vs_scheduler_put(struct ip_vs_scheduler *scheduler)
                module_put(scheduler->module);
 }
+/*
+ * Common error output helper for schedulers
+ */
+void ip_vs_scheduler_err(struct ip_vs_service *svc, const char *msg)
+{
+        if (svc->fwmark) {
+                IP_VS_ERR_RL("%s: FWM %u 0x%08X - %s\n",
+                             svc->scheduler->name, svc->fwmark,
+                             svc->fwmark, msg);
+#ifdef CONFIG_IP_VS_IPV6
+        } else if (svc->af == AF_INET6) {
+                IP_VS_ERR_RL("%s: %s [%pI6]:%d - %s\n",
+                             svc->scheduler->name,
+                             ip_vs_proto_name(svc->protocol),
+                             &svc->addr.in6, ntohs(svc->port), msg);
+#endif
+        } else {
+                IP_VS_ERR_RL("%s: %s %pI4:%d - %s\n",
+                             svc->scheduler->name,
+                             ip_vs_proto_name(svc->protocol),
+                             &svc->addr.ip, ntohs(svc->port), msg);
+        }
+}
 /*
 *  Register a scheduler in the scheduler list
diff --git a/net/netfilter/ipvs/ip_vs_sed.c b/net/netfilter/ipvs/ip_vs_sed.c
index 1ab75a9dc400..89ead246ed3d 100644
--- a/net/netfilter/ipvs/ip_vs_sed.c
+++ b/net/netfilter/ipvs/ip_vs_sed.c
@@ -87,7 +87,7 @@ ip_vs_sed_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
                        goto nextstage;
                }
        }
-        IP_VS_ERR_RL("SED: no destination available\n");
+        ip_vs_scheduler_err(svc, "no destination available");
        return NULL;
        /*
diff --git a/net/netfilter/ipvs/ip_vs_sh.c b/net/netfilter/ipvs/ip_vs_sh.c
index e6cc174fbc06..b5e2556c581a 100644
--- a/net/netfilter/ipvs/ip_vs_sh.c
+++ b/net/netfilter/ipvs/ip_vs_sh.c
@@ -223,7 +223,7 @@ ip_vs_sh_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
            || !(dest->flags & IP_VS_DEST_F_AVAILABLE)
            || atomic_read(&dest->weight) <= 0
            || is_overloaded(dest)) {
-                IP_VS_ERR_RL("SH: no destination available\n");
+                ip_vs_scheduler_err(svc, "no destination available");
                return NULL;
        }
diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
index ab85aedea17e..e292e5bddc70 100644
--- a/net/netfilter/ipvs/ip_vs_sync.c
+++ b/net/netfilter/ipvs/ip_vs_sync.c
@@ -5,6 +5,18 @@
 *              high-performance and highly available server based on a
 *              cluster of servers.
 *
+ * Version 1,   is capable of handling both version 0 and 1 messages.
+ *              Version 0 is the plain old format.
+ *              Note Version 0 receivers will just drop Ver 1 messages.
+ *              Version 1 is capable of handle IPv6, Persistence data,
+ *              time-outs, and firewall marks.
+ *              In ver.1 "ip_vs_sync_conn_options" will be sent in netw. order.
+ *              Ver. 0 can be turned on by sysctl -w net.ipv4.vs.sync_version=0
+ *
+ * Definitions  Message: is a complete datagram
+ *              Sync_conn: is a part of a Message
+ *              Param Data is an option to a Sync_conn.
+ *
 * Authors:     Wensong Zhang <wensong@linuxvirtualserver.org>
 *
 * ip_vs_sync:  sync connection info from master load balancer to backups
@@ -15,6 +27,8 @@
 *      Alexandre Cassen        :       Added SyncID support for incoming sync
 *                                      messages filtering.
 *      Justin Ossevoort        :       Fix endian problem on sync message size.
+ *      Hans Schillstrom        :       Added Version 1: i.e. IPv6,
+ *                                      Persistence support, fwmark and time-out.
 */
 #define KMSG_COMPONENT "IPVS"
@@ -35,6 +49,8 @@
 #include <linux/wait.h>
 #include <linux/kernel.h>
+#include <asm/unaligned.h>              /* Used for ntoh_seq and hton_seq */
 #include <net/ip.h>
 #include <net/sock.h>
@@ -43,11 +59,13 @@
 #define IP_VS_SYNC_GROUP 0xe0000051    /* multicast addr - 224.0.0.81 */
 #define IP_VS_SYNC_PORT  8848          /* multicast port */
+#define SYNC_PROTO_VER  1               /* Protocol version in header */
 /*
 *      IPVS sync connection entry
+ *      Version 0, i.e. original version.
 */
-struct ip_vs_sync_conn {
+struct ip_vs_sync_conn_v0 {
        __u8                    reserved;
        /* Protocol, addresses and port numbers */
@@ -71,41 +89,159 @@ struct ip_vs_sync_conn_options {
        struct ip_vs_seq        out_seq;        /* outgoing seq. struct */
 };
+/*
+     Sync Connection format (sync_conn)
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |    Type       |    Protocol   | Ver.  |        Size           |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                             Flags                             |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |            State              |         cport                 |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |            vport              |         dport                 |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                             fwmark                            |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                             timeout  (in sec.)                |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                              ...                              |
+      |                        IP-Addresses  (v4 or v6)               |
+      |                              ...                              |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+  Optional Parameters.
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      | Param. Type    | Param. Length |   Param. data                |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
+      |                              ...                              |
+      |                               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                               | Param Type    | Param. Length |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                           Param  data                         |
+      |         Last Param data should be padded for 32 bit alignment |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+/*
+ *  Type 0, IPv4 sync connection format
+ */
+struct ip_vs_sync_v4 {
+        __u8                    type;
+        __u8                    protocol;       /* Which protocol (TCP/UDP) */
+        __be16                  ver_size;       /* Version msb 4 bits */
+        /* Flags and state transition */
+        __be32                  flags;          /* status flags */
+        __be16                  state;          /* state info   */
+        /* Protocol, addresses and port numbers */
+        __be16                  cport;
+        __be16                  vport;
+        __be16                  dport;
+        __be32                  fwmark;         /* Firewall mark from skb */
+        __be32                  timeout;        /* cp timeout */
+        __be32                  caddr;          /* client address */
+        __be32                  vaddr;          /* virtual address */
+        __be32                  daddr;          /* destination address */
+        /* The sequence options start here */
+        /* PE data padded to 32bit alignment after seq. options */
+};
+/*
+ * Type 2 messages IPv6
+ */
+struct ip_vs_sync_v6 {
+        __u8                    type;
+        __u8                    protocol;       /* Which protocol (TCP/UDP) */
+        __be16                  ver_size;       /* Version msb 4 bits */
+        /* Flags and state transition */
+        __be32                  flags;          /* status flags */
+        __be16                  state;          /* state info   */
+        /* Protocol, addresses and port numbers */
+        __be16                  cport;
+        __be16                  vport;
+        __be16                  dport;
+        __be32                  fwmark;         /* Firewall mark from skb */
+        __be32                  timeout;        /* cp timeout */
+        struct in6_addr         caddr;          /* client address */
+        struct in6_addr         vaddr;          /* virtual address */
+        struct in6_addr         daddr;          /* destination address */
+        /* The sequence options start here */
+        /* PE data padded to 32bit alignment after seq. options */
+};
+union ip_vs_sync_conn {
+        struct ip_vs_sync_v4    v4;
+        struct ip_vs_sync_v6    v6;
+};
+/* Bits in Type field in above */
+#define STYPE_INET6             0
+#define STYPE_F_INET6           (1 << STYPE_INET6)
+#define SVER_SHIFT              12              /* Shift to get version */
+#define SVER_MASK               0x0fff          /* Mask to strip version */
+#define IPVS_OPT_SEQ_DATA       1
+#define IPVS_OPT_PE_DATA        2
+#define IPVS_OPT_PE_NAME        3
+#define IPVS_OPT_PARAM          7
+#define IPVS_OPT_F_SEQ_DATA     (1 << (IPVS_OPT_SEQ_DATA-1))
+#define IPVS_OPT_F_PE_DATA      (1 << (IPVS_OPT_PE_DATA-1))
+#define IPVS_OPT_F_PE_NAME      (1 << (IPVS_OPT_PE_NAME-1))
+#define IPVS_OPT_F_PARAM        (1 << (IPVS_OPT_PARAM-1))
 struct ip_vs_sync_thread_data {
+        struct net *net;
        struct socket *sock;
        char *buf;
 };
-#define SIMPLE_CONN_SIZE  (sizeof(struct ip_vs_sync_conn))
+/* Version 0 definition of packet sizes */
+#define SIMPLE_CONN_SIZE  (sizeof(struct ip_vs_sync_conn_v0))
 #define FULL_CONN_SIZE  \
-(sizeof(struct ip_vs_sync_conn) + sizeof(struct ip_vs_sync_conn_options))
+(sizeof(struct ip_vs_sync_conn_v0) + sizeof(struct ip_vs_sync_conn_options))
 /*
-  The master mulitcasts messages to the backup load balancers in the
+  The master mulitcasts messages (Datagrams) to the backup load balancers
-  following format.
+  in the following format.
+ Version 1:
+  Note, first byte should be Zero, so ver 0 receivers will drop the packet.
       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      |  Count Conns  |    SyncID     |            Size               |
+      |      0        |    SyncID     |            Size               |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |  Count Conns  |    Version    |    Reserved, set to Zero      |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                    IPVS Sync Connection (1)                   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                            .                                  |
-      |                            .                                  |
+      ~                            .                                  ~
      |                            .                                  |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |                    IPVS Sync Connection (n)                   |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Version 0 Header
+       0                   1                   2                   3
+       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |  Count Conns  |    SyncID     |            Size               |
+      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+      |                    IPVS Sync Connection (1)                   |
 */
 #define SYNC_MESG_HEADER_LEN    4
 #define MAX_CONNS_PER_SYNCBUFF  255 /* nr_conns in ip_vs_sync_mesg is 8 bit */
-struct ip_vs_sync_mesg {
+/* Version 0 header */
+struct ip_vs_sync_mesg_v0 {
        __u8                    nr_conns;
        __u8                    syncid;
        __u16                   size;
@@ -113,9 +249,16 @@ struct ip_vs_sync_mesg {
        /* ip_vs_sync_conn entries start here */
 };
-/* the maximum length of sync (sending/receiving) message */
+/* Version 1 header */
-static int sync_send_mesg_maxlen;
+struct ip_vs_sync_mesg {
-static int sync_recv_mesg_maxlen;
+        __u8                    reserved;       /* must be zero */
+        __u8                    syncid;
+        __u16                   size;
+        __u8                    nr_conns;
+        __s8                    version;        /* SYNC_PROTO_VER  */
+        __u16                   spare;
+        /* ip_vs_sync_conn entries start here */
+};
 struct ip_vs_sync_buff {
        struct list_head        list;
@@ -127,28 +270,6 @@ struct ip_vs_sync_buff {
        unsigned char           *end;
 };
-/* the sync_buff list head and the lock */
-static LIST_HEAD(ip_vs_sync_queue);
-static DEFINE_SPINLOCK(ip_vs_sync_lock);
-/* current sync_buff for accepting new conn entries */
-static struct ip_vs_sync_buff   *curr_sb = NULL;
-static DEFINE_SPINLOCK(curr_sb_lock);
-/* ipvs sync daemon state */
-volatile int ip_vs_sync_state = IP_VS_STATE_NONE;
-volatile int ip_vs_master_syncid = 0;
-volatile int ip_vs_backup_syncid = 0;
-/* multicast interface name */
-char ip_vs_master_mcast_ifn[IP_VS_IFNAME_MAXLEN];
-char ip_vs_backup_mcast_ifn[IP_VS_IFNAME_MAXLEN];
-/* sync daemon tasks */
-static struct task_struct *sync_master_thread;
-static struct task_struct *sync_backup_thread;
 /* multicast addr */
 static struct sockaddr_in mcast_addr = {
        .sin_family             = AF_INET,
@@ -156,41 +277,71 @@ static struct sockaddr_in mcast_addr = {
        .sin_addr.s_addr        = cpu_to_be32(IP_VS_SYNC_GROUP),
 };
+/*
+ * Copy of struct ip_vs_seq
+ * From unaligned network order to aligned host order
+ */
+static void ntoh_seq(struct ip_vs_seq *no, struct ip_vs_seq *ho)
+{
+        ho->init_seq       = get_unaligned_be32(&no->init_seq);
+        ho->delta          = get_unaligned_be32(&no->delta);
+        ho->previous_delta = get_unaligned_be32(&no->previous_delta);
+}
+/*
+ * Copy of struct ip_vs_seq
+ * From Aligned host order to unaligned network order
+ */
+static void hton_seq(struct ip_vs_seq *ho, struct ip_vs_seq *no)
+{
+        put_unaligned_be32(ho->init_seq, &no->init_seq);
+        put_unaligned_be32(ho->delta, &no->delta);
+        put_unaligned_be32(ho->previous_delta, &no->previous_delta);
+}
-static inline struct ip_vs_sync_buff *sb_dequeue(void)
+static inline struct ip_vs_sync_buff *sb_dequeue(struct netns_ipvs *ipvs)
 {
        struct ip_vs_sync_buff *sb;
-        spin_lock_bh(&ip_vs_sync_lock);
+        spin_lock_bh(&ipvs->sync_lock);
-        if (list_empty(&ip_vs_sync_queue)) {
+        if (list_empty(&ipvs->sync_queue)) {
                sb = NULL;
        } else {
-                sb = list_entry(ip_vs_sync_queue.next,
+                sb = list_entry(ipvs->sync_queue.next,
                                struct ip_vs_sync_buff,
                                list);
                list_del(&sb->list);
        }
-        spin_unlock_bh(&ip_vs_sync_lock);
+        spin_unlock_bh(&ipvs->sync_lock);
        return sb;
 }
-static inline struct ip_vs_sync_buff * ip_vs_sync_buff_create(void)
+/*
+ * Create a new sync buffer for Version 1 proto.
+ */
+static inline struct ip_vs_sync_buff *
+ip_vs_sync_buff_create(struct netns_ipvs *ipvs)
 {
        struct ip_vs_sync_buff *sb;
        if (!(sb=kmalloc(sizeof(struct ip_vs_sync_buff), GFP_ATOMIC)))
                return NULL;
-        if (!(sb->mesg=kmalloc(sync_send_mesg_maxlen, GFP_ATOMIC))) {
+        sb->mesg = kmalloc(ipvs->send_mesg_maxlen, GFP_ATOMIC);
+        if (!sb->mesg) {
                kfree(sb);
                return NULL;
        }
+        sb->mesg->reserved = 0;  /* old nr_conns i.e. must be zeo now */
+        sb->mesg->version = SYNC_PROTO_VER;
+        sb->mesg->syncid = ipvs->master_syncid;
+        sb->mesg->size = sizeof(struct ip_vs_sync_mesg);
        sb->mesg->nr_conns = 0;
-        sb->mesg->syncid = ip_vs_master_syncid;
+        sb->mesg->spare = 0;
-        sb->mesg->size = 4;
+        sb->head = (unsigned char *)sb->mesg + sizeof(struct ip_vs_sync_mesg);
-        sb->head = (unsigned char *)sb->mesg + 4;
+        sb->end = (unsigned char *)sb->mesg + ipvs->send_mesg_maxlen;
-        sb->end = (unsigned char *)sb->mesg + sync_send_mesg_maxlen;
        sb->firstuse = jiffies;
        return sb;
 }
@@ -201,14 +352,16 @@ static inline void ip_vs_sync_buff_release(struct ip_vs_sync_buff *sb)
        kfree(sb);
 }
-static inline void sb_queue_tail(struct ip_vs_sync_buff *sb)
+static inline void sb_queue_tail(struct netns_ipvs *ipvs)
 {
-        spin_lock(&ip_vs_sync_lock);
+        struct ip_vs_sync_buff *sb = ipvs->sync_buff;
-        if (ip_vs_sync_state & IP_VS_STATE_MASTER)
-                list_add_tail(&sb->list, &ip_vs_sync_queue);
+        spin_lock(&ipvs->sync_lock);
+        if (ipvs->sync_state & IP_VS_STATE_MASTER)
+                list_add_tail(&sb->list, &ipvs->sync_queue);
        else
                ip_vs_sync_buff_release(sb);
-        spin_unlock(&ip_vs_sync_lock);
+        spin_unlock(&ipvs->sync_lock);
 }
 /*
@@ -216,36 +369,101 @@ static inline void sb_queue_tail(struct ip_vs_sync_buff *sb)
 *      than the specified time or the specified time is zero.
 */
 static inline struct ip_vs_sync_buff *
-get_curr_sync_buff(unsigned long time)
+get_curr_sync_buff(struct netns_ipvs *ipvs, unsigned long time)
 {
        struct ip_vs_sync_buff *sb;
-        spin_lock_bh(&curr_sb_lock);
+        spin_lock_bh(&ipvs->sync_buff_lock);
-        if (curr_sb && (time == 0 ||
+        if (ipvs->sync_buff &&
-                        time_before(jiffies - curr_sb->firstuse, time))) {
+            time_after_eq(jiffies - ipvs->sync_buff->firstuse, time)) {
-                sb = curr_sb;
+                sb = ipvs->sync_buff;
-                curr_sb = NULL;
+                ipvs->sync_buff = NULL;
        } else
                sb = NULL;
-        spin_unlock_bh(&curr_sb_lock);
+        spin_unlock_bh(&ipvs->sync_buff_lock);
        return sb;
 }
+/*
+ * Switch mode from sending version 0 or 1
+ *  - must handle sync_buf
+ */
+void ip_vs_sync_switch_mode(struct net *net, int mode)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        if (!(ipvs->sync_state & IP_VS_STATE_MASTER))
+                return;
+        if (mode == sysctl_sync_ver(ipvs) || !ipvs->sync_buff)
+                return;
+        spin_lock_bh(&ipvs->sync_buff_lock);
+        /* Buffer empty ? then let buf_create do the job  */
+        if (ipvs->sync_buff->mesg->size <=  sizeof(struct ip_vs_sync_mesg)) {
+                kfree(ipvs->sync_buff);
+                ipvs->sync_buff = NULL;
+        } else {
+                spin_lock_bh(&ipvs->sync_lock);
+                if (ipvs->sync_state & IP_VS_STATE_MASTER)
+                        list_add_tail(&ipvs->sync_buff->list,
+                                      &ipvs->sync_queue);
+                else
+                        ip_vs_sync_buff_release(ipvs->sync_buff);
+                spin_unlock_bh(&ipvs->sync_lock);
+        }
+        spin_unlock_bh(&ipvs->sync_buff_lock);
+}
+/*
+ * Create a new sync buffer for Version 0 proto.
+ */
+static inline struct ip_vs_sync_buff *
+ip_vs_sync_buff_create_v0(struct netns_ipvs *ipvs)
+{
+        struct ip_vs_sync_buff *sb;
+        struct ip_vs_sync_mesg_v0 *mesg;
+        if (!(sb=kmalloc(sizeof(struct ip_vs_sync_buff), GFP_ATOMIC)))
+                return NULL;
+        sb->mesg = kmalloc(ipvs->send_mesg_maxlen, GFP_ATOMIC);
+        if (!sb->mesg) {
+                kfree(sb);
+                return NULL;
+        }
+        mesg = (struct ip_vs_sync_mesg_v0 *)sb->mesg;
+        mesg->nr_conns = 0;
+        mesg->syncid = ipvs->master_syncid;
+        mesg->size = sizeof(struct ip_vs_sync_mesg_v0);
+        sb->head = (unsigned char *)mesg + sizeof(struct ip_vs_sync_mesg_v0);
+        sb->end = (unsigned char *)mesg + ipvs->send_mesg_maxlen;
+        sb->firstuse = jiffies;
+        return sb;
+}
 /*
+ *      Version 0 , could be switched in by sys_ctl.
 *      Add an ip_vs_conn information into the current sync_buff.
- *      Called by ip_vs_in.
 */
-void ip_vs_sync_conn(struct ip_vs_conn *cp)
+void ip_vs_sync_conn_v0(struct net *net, struct ip_vs_conn *cp)
 {
-        struct ip_vs_sync_mesg *m;
+        struct netns_ipvs *ipvs = net_ipvs(net);
-        struct ip_vs_sync_conn *s;
+        struct ip_vs_sync_mesg_v0 *m;
+        struct ip_vs_sync_conn_v0 *s;
        int len;
-        spin_lock(&curr_sb_lock);
+        if (unlikely(cp->af != AF_INET))
-        if (!curr_sb) {
+                return;
-                if (!(curr_sb=ip_vs_sync_buff_create())) {
+        /* Do not sync ONE PACKET */
-                        spin_unlock(&curr_sb_lock);
+        if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
+                return;
+        spin_lock(&ipvs->sync_buff_lock);
+        if (!ipvs->sync_buff) {
+                ipvs->sync_buff =
+                        ip_vs_sync_buff_create_v0(ipvs);
+                if (!ipvs->sync_buff) {
+                        spin_unlock(&ipvs->sync_buff_lock);
                        pr_err("ip_vs_sync_buff_create failed.\n");
                        return;
                }
@@ -253,10 +471,11 @@ void ip_vs_sync_conn(struct ip_vs_conn *cp)
        len = (cp->flags & IP_VS_CONN_F_SEQ_MASK) ? FULL_CONN_SIZE :
                SIMPLE_CONN_SIZE;
-        m = curr_sb->mesg;
+        m = (struct ip_vs_sync_mesg_v0 *)ipvs->sync_buff->mesg;
-        s = (struct ip_vs_sync_conn *)curr_sb->head;
+        s = (struct ip_vs_sync_conn_v0 *)ipvs->sync_buff->head;
        /* copy members */
+        s->reserved = 0;
        s->protocol = cp->protocol;
        s->cport = cp->cport;
        s->vport = cp->vport;
@@ -274,83 +493,365 @@ void ip_vs_sync_conn(struct ip_vs_conn *cp)
        m->nr_conns++;
        m->size += len;
-        curr_sb->head += len;
+        ipvs->sync_buff->head += len;
        /* check if there is a space for next one */
-        if (curr_sb->head+FULL_CONN_SIZE > curr_sb->end) {
+        if (ipvs->sync_buff->head + FULL_CONN_SIZE > ipvs->sync_buff->end) {
-                sb_queue_tail(curr_sb);
+                sb_queue_tail(ipvs);
-                curr_sb = NULL;
+                ipvs->sync_buff = NULL;
        }
-        spin_unlock(&curr_sb_lock);
+        spin_unlock(&ipvs->sync_buff_lock);
        /* synchronize its controller if it has */
        if (cp->control)
-                ip_vs_sync_conn(cp->control);
+                ip_vs_sync_conn(net, cp->control);
 }
+/*
+ *      Add an ip_vs_conn information into the current sync_buff.
+ *      Called by ip_vs_in.
+ *      Sending Version 1 messages
+ */
+void ip_vs_sync_conn(struct net *net, struct ip_vs_conn *cp)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        struct ip_vs_sync_mesg *m;
+        union ip_vs_sync_conn *s;
+        __u8 *p;
+        unsigned int len, pe_name_len, pad;
+        /* Handle old version of the protocol */
+        if (sysctl_sync_ver(ipvs) == 0) {
+                ip_vs_sync_conn_v0(net, cp);
+                return;
+        }
+        /* Do not sync ONE PACKET */
+        if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
+                goto control;
+sloop:
+        /* Sanity checks */
+        pe_name_len = 0;
+        if (cp->pe_data_len) {
+                if (!cp->pe_data || !cp->dest) {
+                        IP_VS_ERR_RL("SYNC, connection pe_data invalid\n");
+                        return;
+                }
+                pe_name_len = strnlen(cp->pe->name, IP_VS_PENAME_MAXLEN);
+        }
+        spin_lock(&ipvs->sync_buff_lock);
+#ifdef CONFIG_IP_VS_IPV6
+        if (cp->af == AF_INET6)
+                len = sizeof(struct ip_vs_sync_v6);
+        else
+#endif
+                len = sizeof(struct ip_vs_sync_v4);
+        if (cp->flags & IP_VS_CONN_F_SEQ_MASK)
+                len += sizeof(struct ip_vs_sync_conn_options) + 2;
+        if (cp->pe_data_len)
+                len += cp->pe_data_len + 2;     /* + Param hdr field */
+        if (pe_name_len)
+                len += pe_name_len + 2;
+        /* check if there is a space for this one  */
+        pad = 0;
+        if (ipvs->sync_buff) {
+                pad = (4 - (size_t)ipvs->sync_buff->head) & 3;
+                if (ipvs->sync_buff->head + len + pad > ipvs->sync_buff->end) {
+                        sb_queue_tail(ipvs);
+                        ipvs->sync_buff = NULL;
+                        pad = 0;
+                }
+        }
+        if (!ipvs->sync_buff) {
+                ipvs->sync_buff = ip_vs_sync_buff_create(ipvs);
+                if (!ipvs->sync_buff) {
+                        spin_unlock(&ipvs->sync_buff_lock);
+                        pr_err("ip_vs_sync_buff_create failed.\n");
+                        return;
+                }
+        }
+        m = ipvs->sync_buff->mesg;
+        p = ipvs->sync_buff->head;
+        ipvs->sync_buff->head += pad + len;
+        m->size += pad + len;
+        /* Add ev. padding from prev. sync_conn */
+        while (pad--)
+                *(p++) = 0;
+        s = (union ip_vs_sync_conn *)p;
+        /* Set message type  & copy members */
+        s->v4.type = (cp->af == AF_INET6 ? STYPE_F_INET6 : 0);
+        s->v4.ver_size = htons(len & SVER_MASK);        /* Version 0 */
+        s->v4.flags = htonl(cp->flags & ~IP_VS_CONN_F_HASHED);
+        s->v4.state = htons(cp->state);
+        s->v4.protocol = cp->protocol;
+        s->v4.cport = cp->cport;
+        s->v4.vport = cp->vport;
+        s->v4.dport = cp->dport;
+        s->v4.fwmark = htonl(cp->fwmark);
+        s->v4.timeout = htonl(cp->timeout / HZ);
+        m->nr_conns++;
+#ifdef CONFIG_IP_VS_IPV6
+        if (cp->af == AF_INET6) {
+                p += sizeof(struct ip_vs_sync_v6);
+                ipv6_addr_copy(&s->v6.caddr, &cp->caddr.in6);
+                ipv6_addr_copy(&s->v6.vaddr, &cp->vaddr.in6);
+                ipv6_addr_copy(&s->v6.daddr, &cp->daddr.in6);
+        } else
+#endif
+        {
+                p += sizeof(struct ip_vs_sync_v4);      /* options ptr */
+                s->v4.caddr = cp->caddr.ip;
+                s->v4.vaddr = cp->vaddr.ip;
+                s->v4.daddr = cp->daddr.ip;
+        }
+        if (cp->flags & IP_VS_CONN_F_SEQ_MASK) {
+                *(p++) = IPVS_OPT_SEQ_DATA;
+                *(p++) = sizeof(struct ip_vs_sync_conn_options);
+                hton_seq((struct ip_vs_seq *)p, &cp->in_seq);
+                p += sizeof(struct ip_vs_seq);
+                hton_seq((struct ip_vs_seq *)p, &cp->out_seq);
+                p += sizeof(struct ip_vs_seq);
+        }
+        /* Handle pe data */
+        if (cp->pe_data_len && cp->pe_data) {
+                *(p++) = IPVS_OPT_PE_DATA;
+                *(p++) = cp->pe_data_len;
+                memcpy(p, cp->pe_data, cp->pe_data_len);
+                p += cp->pe_data_len;
+                if (pe_name_len) {
+                        /* Add PE_NAME */
+                        *(p++) = IPVS_OPT_PE_NAME;
+                        *(p++) = pe_name_len;
+                        memcpy(p, cp->pe->name, pe_name_len);
+                        p += pe_name_len;
+                }
+        }
+        spin_unlock(&ipvs->sync_buff_lock);
+control:
+        /* synchronize its controller if it has */
+        cp = cp->control;
+        if (!cp)
+                return;
+        /*
+         * Reduce sync rate for templates
+         * i.e only increment in_pkts for Templates.
+         */
+        if (cp->flags & IP_VS_CONN_F_TEMPLATE) {
+                int pkts = atomic_add_return(1, &cp->in_pkts);
+                if (pkts % sysctl_sync_period(ipvs) != 1)
+                        return;
+        }
+        goto sloop;
+}
+/*
+ *  fill_param used by version 1
+ */
 static inline int
-ip_vs_conn_fill_param_sync(int af, int protocol,
+ip_vs_conn_fill_param_sync(struct net *net, int af, union ip_vs_sync_conn *sc,
-                           const union nf_inet_addr *caddr, __be16 cport,
+                           struct ip_vs_conn_param *p,
-                           const union nf_inet_addr *vaddr, __be16 vport,
+                           __u8 *pe_data, unsigned int pe_data_len,
-                           struct ip_vs_conn_param *p)
+                           __u8 *pe_name, unsigned int pe_name_len)
 {
-        /* XXX: Need to take into account persistence engine */
+#ifdef CONFIG_IP_VS_IPV6
-        ip_vs_conn_fill_param(af, protocol, caddr, cport, vaddr, vport, p);
+        if (af == AF_INET6)
+                ip_vs_conn_fill_param(net, af, sc->v6.protocol,
+                                      (const union nf_inet_addr *)&sc->v6.caddr,
+                                      sc->v6.cport,
+                                      (const union nf_inet_addr *)&sc->v6.vaddr,
+                                      sc->v6.vport, p);
+        else
+#endif
+                ip_vs_conn_fill_param(net, af, sc->v4.protocol,
+                                      (const union nf_inet_addr *)&sc->v4.caddr,
+                                      sc->v4.cport,
+                                      (const union nf_inet_addr *)&sc->v4.vaddr,
+                                      sc->v4.vport, p);
+        /* Handle pe data */
+        if (pe_data_len) {
+                if (pe_name_len) {
+                        char buff[IP_VS_PENAME_MAXLEN+1];
+                        memcpy(buff, pe_name, pe_name_len);
+                        buff[pe_name_len]=0;
+                        p->pe = __ip_vs_pe_getbyname(buff);
+                        if (!p->pe) {
+                                IP_VS_DBG(3, "BACKUP, no %s engine found/loaded\n",
+                                             buff);
+                                return 1;
+                        }
+                } else {
+                        IP_VS_ERR_RL("BACKUP, Invalid PE parameters\n");
+                        return 1;
+                }
+                p->pe_data = kmemdup(pe_data, pe_data_len, GFP_ATOMIC);
+                if (!p->pe_data) {
+                        if (p->pe->module)
+                                module_put(p->pe->module);
+                        return -ENOMEM;
+                }
+                p->pe_data_len = pe_data_len;
+        }
        return 0;
 }
 /*
- *      Process received multicast message and create the corresponding
+ *  Connection Add / Update.
- *      ip_vs_conn entries.
+ *  Common for version 0 and 1 reception of backup sync_conns.
+ *  Param: ...
+ *         timeout is in sec.
 */
-static void ip_vs_process_message(const char *buffer, const size_t buflen)
+static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param,
+                            unsigned int flags, unsigned int state,
+                            unsigned int protocol, unsigned int type,
+                            const union nf_inet_addr *daddr, __be16 dport,
+                            unsigned long timeout, __u32 fwmark,
+                            struct ip_vs_sync_conn_options *opt)
 {
-        struct ip_vs_sync_mesg *m = (struct ip_vs_sync_mesg *)buffer;
-        struct ip_vs_sync_conn *s;
-        struct ip_vs_sync_conn_options *opt;
-        struct ip_vs_conn *cp;
-        struct ip_vs_protocol *pp;
        struct ip_vs_dest *dest;
-        struct ip_vs_conn_param param;
+        struct ip_vs_conn *cp;
-        char *p;
+        struct netns_ipvs *ipvs = net_ipvs(net);
-        int i;
-        if (buflen < sizeof(struct ip_vs_sync_mesg)) {
+        if (!(flags & IP_VS_CONN_F_TEMPLATE))
-                IP_VS_ERR_RL("sync message header too short\n");
+                cp = ip_vs_conn_in_get(param);
-                return;
+        else
-        }
+                cp = ip_vs_ct_in_get(param);
-        /* Convert size back to host byte order */
+        if (cp && param->pe_data)       /* Free pe_data */
-        m->size = ntohs(m->size);
+                kfree(param->pe_data);
+        if (!cp) {
+                /*
+                 * Find the appropriate destination for the connection.
+                 * If it is not found the connection will remain unbound
+                 * but still handled.
+                 */
+                dest = ip_vs_find_dest(net, type, daddr, dport, param->vaddr,
+                                       param->vport, protocol, fwmark);
-        if (buflen != m->size) {
+                /*  Set the approprite ativity flag */
-                IP_VS_ERR_RL("bogus sync message size\n");
+                if (protocol == IPPROTO_TCP) {
-                return;
+                        if (state != IP_VS_TCP_S_ESTABLISHED)
+                                flags |= IP_VS_CONN_F_INACTIVE;
+                        else
+                                flags &= ~IP_VS_CONN_F_INACTIVE;
+                } else if (protocol == IPPROTO_SCTP) {
+                        if (state != IP_VS_SCTP_S_ESTABLISHED)
+                                flags |= IP_VS_CONN_F_INACTIVE;
+                        else
+                                flags &= ~IP_VS_CONN_F_INACTIVE;
+                }
+                cp = ip_vs_conn_new(param, daddr, dport, flags, dest, fwmark);
+                if (dest)
+                        atomic_dec(&dest->refcnt);
+                if (!cp) {
+                        if (param->pe_data)
+                                kfree(param->pe_data);
+                        IP_VS_DBG(2, "BACKUP, add new conn. failed\n");
+                        return;
+                }
+        } else if (!cp->dest) {
+                dest = ip_vs_try_bind_dest(cp);
+                if (dest)
+                        atomic_dec(&dest->refcnt);
+        } else if ((cp->dest) && (cp->protocol == IPPROTO_TCP) &&
+                (cp->state != state)) {
+                /* update active/inactive flag for the connection */
+                dest = cp->dest;
+                if (!(cp->flags & IP_VS_CONN_F_INACTIVE) &&
+                        (state != IP_VS_TCP_S_ESTABLISHED)) {
+                        atomic_dec(&dest->activeconns);
+                        atomic_inc(&dest->inactconns);
+                        cp->flags |= IP_VS_CONN_F_INACTIVE;
+                } else if ((cp->flags & IP_VS_CONN_F_INACTIVE) &&
+                        (state == IP_VS_TCP_S_ESTABLISHED)) {
+                        atomic_inc(&dest->activeconns);
+                        atomic_dec(&dest->inactconns);
+                        cp->flags &= ~IP_VS_CONN_F_INACTIVE;
+                }
+        } else if ((cp->dest) && (cp->protocol == IPPROTO_SCTP) &&
+                (cp->state != state)) {
+                dest = cp->dest;
+                if (!(cp->flags & IP_VS_CONN_F_INACTIVE) &&
+                (state != IP_VS_SCTP_S_ESTABLISHED)) {
+                        atomic_dec(&dest->activeconns);
+                        atomic_inc(&dest->inactconns);
+                        cp->flags &= ~IP_VS_CONN_F_INACTIVE;
+                }
        }
-        /* SyncID sanity check */
+        if (opt)
-        if (ip_vs_backup_syncid != 0 && m->syncid != ip_vs_backup_syncid) {
+                memcpy(&cp->in_seq, opt, sizeof(*opt));
-                IP_VS_DBG(7, "Ignoring incoming msg with syncid = %d\n",
+        atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
-                          m->syncid);
+        cp->state = state;
-                return;
+        cp->old_state = cp->state;
+        /*
+         * For Ver 0 messages style
+         *  - Not possible to recover the right timeout for templates
+         *  - can not find the right fwmark
+         *    virtual service. If needed, we can do it for
+         *    non-fwmark persistent services.
+         * Ver 1 messages style.
+         *  - No problem.
+         */
+        if (timeout) {
+                if (timeout > MAX_SCHEDULE_TIMEOUT / HZ)
+                        timeout = MAX_SCHEDULE_TIMEOUT / HZ;
+                cp->timeout = timeout*HZ;
+        } else {
+                struct ip_vs_proto_data *pd;
+                pd = ip_vs_proto_data_get(net, protocol);
+                if (!(flags & IP_VS_CONN_F_TEMPLATE) && pd && pd->timeout_table)
+                        cp->timeout = pd->timeout_table[state];
+                else
+                        cp->timeout = (3*60*HZ);
        }
+        ip_vs_conn_put(cp);
+}
-        p = (char *)buffer + sizeof(struct ip_vs_sync_mesg);
+/*
+ *  Process received multicast message for Version 0
+ */
+static void ip_vs_process_message_v0(struct net *net, const char *buffer,
+                                     const size_t buflen)
+{
+        struct ip_vs_sync_mesg_v0 *m = (struct ip_vs_sync_mesg_v0 *)buffer;
+        struct ip_vs_sync_conn_v0 *s;
+        struct ip_vs_sync_conn_options *opt;
+        struct ip_vs_protocol *pp;
+        struct ip_vs_conn_param param;
+        char *p;
+        int i;
+        p = (char *)buffer + sizeof(struct ip_vs_sync_mesg_v0);
        for (i=0; i<m->nr_conns; i++) {
                unsigned flags, state;
                if (p + SIMPLE_CONN_SIZE > buffer+buflen) {
-                        IP_VS_ERR_RL("bogus conn in sync message\n");
+                        IP_VS_ERR_RL("BACKUP v0, bogus conn\n");
                        return;
                }
-                s = (struct ip_vs_sync_conn *) p;
+                s = (struct ip_vs_sync_conn_v0 *) p;
                flags = ntohs(s->flags) | IP_VS_CONN_F_SYNC;
                flags &= ~IP_VS_CONN_F_HASHED;
                if (flags & IP_VS_CONN_F_SEQ_MASK) {
                        opt = (struct ip_vs_sync_conn_options *)&s[1];
                        p += FULL_CONN_SIZE;
                        if (p > buffer+buflen) {
-                                IP_VS_ERR_RL("bogus conn options in sync message\n");
+                                IP_VS_ERR_RL("BACKUP v0, Dropping buffer bogus conn options\n");
                                return;
                        }
                } else {
@@ -362,118 +863,286 @@ static void ip_vs_process_message(const char *buffer, const size_t buflen)
                if (!(flags & IP_VS_CONN_F_TEMPLATE)) {
                        pp = ip_vs_proto_get(s->protocol);
                        if (!pp) {
-                                IP_VS_ERR_RL("Unsupported protocol %u in sync msg\n",
+                                IP_VS_DBG(2, "BACKUP v0, Unsupported protocol %u\n",
                                        s->protocol);
                                continue;
                        }
                        if (state >= pp->num_states) {
-                                IP_VS_DBG(2, "Invalid %s state %u in sync msg\n",
+                                IP_VS_DBG(2, "BACKUP v0, Invalid %s state %u\n",
                                        pp->name, state);
                                continue;
                        }
                } else {
                        /* protocol in templates is not used for state/timeout */
-                        pp = NULL;
                        if (state > 0) {
-                                IP_VS_DBG(2, "Invalid template state %u in sync msg\n",
+                                IP_VS_DBG(2, "BACKUP v0, Invalid template state %u\n",
                                        state);
                                state = 0;
                        }
                }
-                {
+                ip_vs_conn_fill_param(net, AF_INET, s->protocol,
-                        if (ip_vs_conn_fill_param_sync(AF_INET, s->protocol,
+                                      (const union nf_inet_addr *)&s->caddr,
-                                              (union nf_inet_addr *)&s->caddr,
+                                      s->cport,
-                                              s->cport,
+                                      (const union nf_inet_addr *)&s->vaddr,
-                                              (union nf_inet_addr *)&s->vaddr,
+                                      s->vport, &param);
-                                              s->vport, &param)) {
-                                pr_err("ip_vs_conn_fill_param_sync failed");
+                /* Send timeout as Zero */
-                                return;
+                ip_vs_proc_conn(net, &param, flags, state, s->protocol, AF_INET,
+                                (union nf_inet_addr *)&s->daddr, s->dport,
+                                0, 0, opt);
+        }
+}
+/*
+ * Handle options
+ */
+static inline int ip_vs_proc_seqopt(__u8 *p, unsigned int plen,
+                                    __u32 *opt_flags,
+                                    struct ip_vs_sync_conn_options *opt)
+{
+        struct ip_vs_sync_conn_options *topt;
+        topt = (struct ip_vs_sync_conn_options *)p;
+        if (plen != sizeof(struct ip_vs_sync_conn_options)) {
+                IP_VS_DBG(2, "BACKUP, bogus conn options length\n");
+                return -EINVAL;
+        }
+        if (*opt_flags & IPVS_OPT_F_SEQ_DATA) {
+                IP_VS_DBG(2, "BACKUP, conn options found twice\n");
+                return -EINVAL;
+        }
+        ntoh_seq(&topt->in_seq, &opt->in_seq);
+        ntoh_seq(&topt->out_seq, &opt->out_seq);
+        *opt_flags |= IPVS_OPT_F_SEQ_DATA;
+        return 0;
+}
+static int ip_vs_proc_str(__u8 *p, unsigned int plen, unsigned int *data_len,
+                          __u8 **data, unsigned int maxlen,
+                          __u32 *opt_flags, __u32 flag)
+{
+        if (plen > maxlen) {
+                IP_VS_DBG(2, "BACKUP, bogus par.data len > %d\n", maxlen);
+                return -EINVAL;
+        }
+        if (*opt_flags & flag) {
+                IP_VS_DBG(2, "BACKUP, Par.data found twice 0x%x\n", flag);
+                return -EINVAL;
+        }
+        *data_len = plen;
+        *data = p;
+        *opt_flags |= flag;
+        return 0;
+}
+/*
+ *   Process a Version 1 sync. connection
+ */
+static inline int ip_vs_proc_sync_conn(struct net *net, __u8 *p, __u8 *msg_end)
+{
+        struct ip_vs_sync_conn_options opt;
+        union  ip_vs_sync_conn *s;
+        struct ip_vs_protocol *pp;
+        struct ip_vs_conn_param param;
+        __u32 flags;
+        unsigned int af, state, pe_data_len=0, pe_name_len=0;
+        __u8 *pe_data=NULL, *pe_name=NULL;
+        __u32 opt_flags=0;
+        int retc=0;
+        s = (union ip_vs_sync_conn *) p;
+        if (s->v6.type & STYPE_F_INET6) {
+#ifdef CONFIG_IP_VS_IPV6
+                af = AF_INET6;
+                p += sizeof(struct ip_vs_sync_v6);
+#else
+                IP_VS_DBG(3,"BACKUP, IPv6 msg received, and IPVS is not compiled for IPv6\n");
+                retc = 10;
+                goto out;
+#endif
+        } else if (!s->v4.type) {
+                af = AF_INET;
+                p += sizeof(struct ip_vs_sync_v4);
+        } else {
+                return -10;
+        }
+        if (p > msg_end)
+                return -20;
+        /* Process optional params check Type & Len. */
+        while (p < msg_end) {
+                int ptype;
+                int plen;
+                if (p+2 > msg_end)
+                        return -30;
+                ptype = *(p++);
+                plen  = *(p++);
+                if (!plen || ((p + plen) > msg_end))
+                        return -40;
+                /* Handle seq option  p = param data */
+                switch (ptype & ~IPVS_OPT_F_PARAM) {
+                case IPVS_OPT_SEQ_DATA:
+                        if (ip_vs_proc_seqopt(p, plen, &opt_flags, &opt))
+                                return -50;
+                        break;
+                case IPVS_OPT_PE_DATA:
+                        if (ip_vs_proc_str(p, plen, &pe_data_len, &pe_data,
+                                           IP_VS_PEDATA_MAXLEN, &opt_flags,
+                                           IPVS_OPT_F_PE_DATA))
+                                return -60;
+                        break;
+                case IPVS_OPT_PE_NAME:
+                        if (ip_vs_proc_str(p, plen,&pe_name_len, &pe_name,
+                                           IP_VS_PENAME_MAXLEN, &opt_flags,
+                                           IPVS_OPT_F_PE_NAME))
+                                return -70;
+                        break;
+                default:
+                        /* Param data mandatory ? */
+                        if (!(ptype & IPVS_OPT_F_PARAM)) {
+                                IP_VS_DBG(3, "BACKUP, Unknown mandatory param %d found\n",
+                                          ptype & ~IPVS_OPT_F_PARAM);
+                                retc = 20;
+                                goto out;
                        }
-                        if (!(flags & IP_VS_CONN_F_TEMPLATE))
-                                cp = ip_vs_conn_in_get(&param);
-                        else
-                                cp = ip_vs_ct_in_get(&param);
                }
-                if (!cp) {
+                p += plen;  /* Next option */
-                        /*
+        }
-                         * Find the appropriate destination for the connection.
-                         * If it is not found the connection will remain unbound
+        /* Get flags and Mask off unsupported */
-                         * but still handled.
+        flags  = ntohl(s->v4.flags) & IP_VS_CONN_F_BACKUP_MASK;
-                         */
+        flags |= IP_VS_CONN_F_SYNC;
-                        dest = ip_vs_find_dest(AF_INET,
+        state = ntohs(s->v4.state);
-                                               (union nf_inet_addr *)&s->daddr,
-                                               s->dport,
+        if (!(flags & IP_VS_CONN_F_TEMPLATE)) {
-                                               (union nf_inet_addr *)&s->vaddr,
+                pp = ip_vs_proto_get(s->v4.protocol);
-                                               s->vport,
+                if (!pp) {
-                                               s->protocol);
+                        IP_VS_DBG(3,"BACKUP, Unsupported protocol %u\n",
-                        /*  Set the approprite ativity flag */
+                                s->v4.protocol);
-                        if (s->protocol == IPPROTO_TCP) {
+                        retc = 30;
-                                if (state != IP_VS_TCP_S_ESTABLISHED)
+                        goto out;
-                                        flags |= IP_VS_CONN_F_INACTIVE;
+                }
-                                else
+                if (state >= pp->num_states) {
-                                        flags &= ~IP_VS_CONN_F_INACTIVE;
+                        IP_VS_DBG(3, "BACKUP, Invalid %s state %u\n",
-                        } else if (s->protocol == IPPROTO_SCTP) {
+                                pp->name, state);
-                                if (state != IP_VS_SCTP_S_ESTABLISHED)
+                        retc = 40;
-                                        flags |= IP_VS_CONN_F_INACTIVE;
+                        goto out;
-                                else
+                }
-                                        flags &= ~IP_VS_CONN_F_INACTIVE;
+        } else {
+                /* protocol in templates is not used for state/timeout */
+                if (state > 0) {
+                        IP_VS_DBG(3, "BACKUP, Invalid template state %u\n",
+                                state);
+                        state = 0;
+                }
+        }
+        if (ip_vs_conn_fill_param_sync(net, af, s, &param, pe_data,
+                                       pe_data_len, pe_name, pe_name_len)) {
+                retc = 50;
+                goto out;
+        }
+        /* If only IPv4, just silent skip IPv6 */
+        if (af == AF_INET)
+                ip_vs_proc_conn(net, &param, flags, state, s->v4.protocol, af,
+                                (union nf_inet_addr *)&s->v4.daddr, s->v4.dport,
+                                ntohl(s->v4.timeout), ntohl(s->v4.fwmark),
+                                (opt_flags & IPVS_OPT_F_SEQ_DATA ? &opt : NULL)
+                                );
+#ifdef CONFIG_IP_VS_IPV6
+        else
+                ip_vs_proc_conn(net, &param, flags, state, s->v6.protocol, af,
+                                (union nf_inet_addr *)&s->v6.daddr, s->v6.dport,
+                                ntohl(s->v6.timeout), ntohl(s->v6.fwmark),
+                                (opt_flags & IPVS_OPT_F_SEQ_DATA ? &opt : NULL)
+                                );
+#endif
+        return 0;
+        /* Error exit */
+out:
+        IP_VS_DBG(2, "BACKUP, Single msg dropped err:%d\n", retc);
+        return retc;
+}
+/*
+ *      Process received multicast message and create the corresponding
+ *      ip_vs_conn entries.
+ *      Handles Version 0 & 1
+ */
+static void ip_vs_process_message(struct net *net, __u8 *buffer,
+                                  const size_t buflen)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        struct ip_vs_sync_mesg *m2 = (struct ip_vs_sync_mesg *)buffer;
+        __u8 *p, *msg_end;
+        int i, nr_conns;
+        if (buflen < sizeof(struct ip_vs_sync_mesg_v0)) {
+                IP_VS_DBG(2, "BACKUP, message header too short\n");
+                return;
+        }
+        /* Convert size back to host byte order */
+        m2->size = ntohs(m2->size);
+        if (buflen != m2->size) {
+                IP_VS_DBG(2, "BACKUP, bogus message size\n");
+                return;
+        }
+        /* SyncID sanity check */
+        if (ipvs->backup_syncid != 0 && m2->syncid != ipvs->backup_syncid) {
+                IP_VS_DBG(7, "BACKUP, Ignoring syncid = %d\n", m2->syncid);
+                return;
+        }
+        /* Handle version 1  message */
+        if ((m2->version == SYNC_PROTO_VER) && (m2->reserved == 0)
+            && (m2->spare == 0)) {
+                msg_end = buffer + sizeof(struct ip_vs_sync_mesg);
+                nr_conns = m2->nr_conns;
+                for (i=0; i<nr_conns; i++) {
+                        union ip_vs_sync_conn *s;
+                        unsigned size;
+                        int retc;
+                        p = msg_end;
+                        if (p + sizeof(s->v4) > buffer+buflen) {
+                                IP_VS_ERR_RL("BACKUP, Dropping buffer, to small\n");
+                                return;
                        }
-                        cp = ip_vs_conn_new(&param,
+                        s = (union ip_vs_sync_conn *)p;
-                                            (union nf_inet_addr *)&s->daddr,
+                        size = ntohs(s->v4.ver_size) & SVER_MASK;
-                                            s->dport, flags, dest);
+                        msg_end = p + size;
-                        if (dest)
+                        /* Basic sanity checks */
-                                atomic_dec(&dest->refcnt);
+                        if (msg_end  > buffer+buflen) {
-                        if (!cp) {
+                                IP_VS_ERR_RL("BACKUP, Dropping buffer, msg > buffer\n");
-                                pr_err("ip_vs_conn_new failed\n");
                                return;
                        }
-                } else if (!cp->dest) {
+                        if (ntohs(s->v4.ver_size) >> SVER_SHIFT) {
-                        dest = ip_vs_try_bind_dest(cp);
+                                IP_VS_ERR_RL("BACKUP, Dropping buffer, Unknown version %d\n",
-                        if (dest)
+                                              ntohs(s->v4.ver_size) >> SVER_SHIFT);
-                                atomic_dec(&dest->refcnt);
+                                return;
-                } else if ((cp->dest) && (cp->protocol == IPPROTO_TCP) &&
-                           (cp->state != state)) {
-                        /* update active/inactive flag for the connection */
-                        dest = cp->dest;
-                        if (!(cp->flags & IP_VS_CONN_F_INACTIVE) &&
-                                (state != IP_VS_TCP_S_ESTABLISHED)) {
-                                atomic_dec(&dest->activeconns);
-                                atomic_inc(&dest->inactconns);
-                                cp->flags |= IP_VS_CONN_F_INACTIVE;
-                        } else if ((cp->flags & IP_VS_CONN_F_INACTIVE) &&
-                                (state == IP_VS_TCP_S_ESTABLISHED)) {
-                                atomic_inc(&dest->activeconns);
-                                atomic_dec(&dest->inactconns);
-                                cp->flags &= ~IP_VS_CONN_F_INACTIVE;
                        }
-                } else if ((cp->dest) && (cp->protocol == IPPROTO_SCTP) &&
+                        /* Process a single sync_conn */
-                           (cp->state != state)) {
+                        retc = ip_vs_proc_sync_conn(net, p, msg_end);
-                        dest = cp->dest;
+                        if (retc < 0) {
-                        if (!(cp->flags & IP_VS_CONN_F_INACTIVE) &&
+                                IP_VS_ERR_RL("BACKUP, Dropping buffer, Err: %d in decoding\n",
-                             (state != IP_VS_SCTP_S_ESTABLISHED)) {
+                                             retc);
-                            atomic_dec(&dest->activeconns);
+                                return;
-                            atomic_inc(&dest->inactconns);
-                            cp->flags &= ~IP_VS_CONN_F_INACTIVE;
                        }
+                        /* Make sure we have 32 bit alignment */
+                        msg_end = p + ((size + 3) & ~3);
                }
+        } else {
-                if (opt)
+                /* Old type of message */
-                        memcpy(&cp->in_seq, opt, sizeof(*opt));
+                ip_vs_process_message_v0(net, buffer, buflen);
-                atomic_set(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
+                return;
-                cp->state = state;
-                cp->old_state = cp->state;
-                /*
-                 * We can not recover the right timeout for templates
-                 * in all cases, we can not find the right fwmark
-                 * virtual service. If needed, we can do it for
-                 * non-fwmark persistent services.
-                 */
-                if (!(flags & IP_VS_CONN_F_TEMPLATE) && pp->timeout_table)
-                        cp->timeout = pp->timeout_table[state];
-                else
-                        cp->timeout = (3*60*HZ);
-                ip_vs_conn_put(cp);
        }
 }
@@ -511,8 +1180,10 @@ static int set_mcast_if(struct sock *sk, char *ifname)
 {
        struct net_device *dev;
        struct inet_sock *inet = inet_sk(sk);
+        struct net *net = sock_net(sk);
-        if ((dev = __dev_get_by_name(&init_net, ifname)) == NULL)
+        dev = __dev_get_by_name(net, ifname);
+        if (!dev)
                return -ENODEV;
        if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
@@ -531,30 +1202,33 @@ static int set_mcast_if(struct sock *sk, char *ifname)
 *      Set the maximum length of sync message according to the
 *      specified interface's MTU.
 */
-static int set_sync_mesg_maxlen(int sync_state)
+static int set_sync_mesg_maxlen(struct net *net, int sync_state)
 {
+        struct netns_ipvs *ipvs = net_ipvs(net);
        struct net_device *dev;
        int num;
        if (sync_state == IP_VS_STATE_MASTER) {
-                if ((dev = __dev_get_by_name(&init_net, ip_vs_master_mcast_ifn)) == NULL)
+                dev = __dev_get_by_name(net, ipvs->master_mcast_ifn);
+                if (!dev)
                        return -ENODEV;
                num = (dev->mtu - sizeof(struct iphdr) -
                       sizeof(struct udphdr) -
                       SYNC_MESG_HEADER_LEN - 20) / SIMPLE_CONN_SIZE;
-                sync_send_mesg_maxlen = SYNC_MESG_HEADER_LEN +
+                ipvs->send_mesg_maxlen = SYNC_MESG_HEADER_LEN +
                        SIMPLE_CONN_SIZE * min(num, MAX_CONNS_PER_SYNCBUFF);
                IP_VS_DBG(7, "setting the maximum length of sync sending "
-                          "message %d.\n", sync_send_mesg_maxlen);
+                          "message %d.\n", ipvs->send_mesg_maxlen);
        } else if (sync_state == IP_VS_STATE_BACKUP) {
-                if ((dev = __dev_get_by_name(&init_net, ip_vs_backup_mcast_ifn)) == NULL)
+                dev = __dev_get_by_name(net, ipvs->backup_mcast_ifn);
+                if (!dev)
                        return -ENODEV;
-                sync_recv_mesg_maxlen = dev->mtu -
+                ipvs->recv_mesg_maxlen = dev->mtu -
                        sizeof(struct iphdr) - sizeof(struct udphdr);
                IP_VS_DBG(7, "setting the maximum length of sync receiving "
-                          "message %d.\n", sync_recv_mesg_maxlen);
+                          "message %d.\n", ipvs->recv_mesg_maxlen);
        }
        return 0;
@@ -569,6 +1243,7 @@ static int set_sync_mesg_maxlen(int sync_state)
 static int
 join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname)
 {
+        struct net *net = sock_net(sk);
        struct ip_mreqn mreq;
        struct net_device *dev;
        int ret;
@@ -576,7 +1251,8 @@ join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname)
        memset(&mreq, 0, sizeof(mreq));
        memcpy(&mreq.imr_multiaddr, addr, sizeof(struct in_addr));
-        if ((dev = __dev_get_by_name(&init_net, ifname)) == NULL)
+        dev = __dev_get_by_name(net, ifname);
+        if (!dev)
                return -ENODEV;
        if (sk->sk_bound_dev_if && dev->ifindex != sk->sk_bound_dev_if)
                return -EINVAL;
@@ -593,11 +1269,13 @@ join_mcast_group(struct sock *sk, struct in_addr *addr, char *ifname)
 static int bind_mcastif_addr(struct socket *sock, char *ifname)
 {
+        struct net *net = sock_net(sock->sk);
        struct net_device *dev;
        __be32 addr;
        struct sockaddr_in sin;
-        if ((dev = __dev_get_by_name(&init_net, ifname)) == NULL)
+        dev = __dev_get_by_name(net, ifname);
+        if (!dev)
                return -ENODEV;
        addr = inet_select_addr(dev, 0, RT_SCOPE_UNIVERSE);
@@ -619,19 +1297,25 @@ static int bind_mcastif_addr(struct socket *sock, char *ifname)
 /*
 *      Set up sending multicast socket over UDP
 */
-static struct socket * make_send_sock(void)
+static struct socket *make_send_sock(struct net *net)
 {
+        struct netns_ipvs *ipvs = net_ipvs(net);
        struct socket *sock;
        int result;
-        /* First create a socket */
+        /* First create a socket move it to right name space later */
        result = sock_create_kern(PF_INET, SOCK_DGRAM, IPPROTO_UDP, &sock);
        if (result < 0) {
                pr_err("Error during creation of socket; terminating\n");
                return ERR_PTR(result);
        }
+        /*
-        result = set_mcast_if(sock->sk, ip_vs_master_mcast_ifn);
+         * Kernel sockets that are a part of a namespace, should not
+         * hold a reference to a namespace in order to allow to stop it.
+         * After sk_change_net should be released using sk_release_kernel.
+         */
+        sk_change_net(sock->sk, net);
+        result = set_mcast_if(sock->sk, ipvs->master_mcast_ifn);
        if (result < 0) {
                pr_err("Error setting outbound mcast interface\n");
                goto error;
@@ -640,7 +1324,7 @@ static struct socket * make_send_sock(void)
        set_mcast_loop(sock->sk, 0);
        set_mcast_ttl(sock->sk, 1);
-        result = bind_mcastif_addr(sock, ip_vs_master_mcast_ifn);
+        result = bind_mcastif_addr(sock, ipvs->master_mcast_ifn);
        if (result < 0) {
                pr_err("Error binding address of the mcast interface\n");
                goto error;
@@ -655,8 +1339,8 @@ static struct socket * make_send_sock(void)
        return sock;
-  error:
+error:
-        sock_release(sock);
+        sk_release_kernel(sock->sk);
        return ERR_PTR(result);
 }
@@ -664,8 +1348,9 @@ static struct socket * make_send_sock(void)
 /*
 *      Set up receiving multicast socket over UDP
 */
-static struct socket * make_receive_sock(void)
+static struct socket *make_receive_sock(struct net *net)
 {
+        struct netns_ipvs *ipvs = net_ipvs(net);
        struct socket *sock;
        int result;
@@ -675,7 +1360,12 @@ static struct socket * make_receive_sock(void)
                pr_err("Error during creation of socket; terminating\n");
                return ERR_PTR(result);
        }
+        /*
+         * Kernel sockets that are a part of a namespace, should not
+         * hold a reference to a namespace in order to allow to stop it.
+         * After sk_change_net should be released using sk_release_kernel.
+         */
+        sk_change_net(sock->sk, net);
        /* it is equivalent to the REUSEADDR option in user-space */
        sock->sk->sk_reuse = 1;
@@ -689,7 +1379,7 @@ static struct socket * make_receive_sock(void)
        /* join the multicast group */
        result = join_mcast_group(sock->sk,
                        (struct in_addr *) &mcast_addr.sin_addr,
-                        ip_vs_backup_mcast_ifn);
+                        ipvs->backup_mcast_ifn);
        if (result < 0) {
                pr_err("Error joining to the multicast group\n");
                goto error;
@@ -697,8 +1387,8 @@ static struct socket * make_receive_sock(void)
        return sock;
-  error:
+error:
-        sock_release(sock);
+        sk_release_kernel(sock->sk);
        return ERR_PTR(result);
 }
@@ -760,20 +1450,21 @@ ip_vs_receive(struct socket *sock, char *buffer, const size_t buflen)
 static int sync_thread_master(void *data)
 {
        struct ip_vs_sync_thread_data *tinfo = data;
+        struct netns_ipvs *ipvs = net_ipvs(tinfo->net);
        struct ip_vs_sync_buff *sb;
        pr_info("sync thread started: state = MASTER, mcast_ifn = %s, "
                "syncid = %d\n",
-                ip_vs_master_mcast_ifn, ip_vs_master_syncid);
+                ipvs->master_mcast_ifn, ipvs->master_syncid);
        while (!kthread_should_stop()) {
-                while ((sb = sb_dequeue())) {
+                while ((sb = sb_dequeue(ipvs))) {
                        ip_vs_send_sync_msg(tinfo->sock, sb->mesg);
                        ip_vs_sync_buff_release(sb);
                }
-                /* check if entries stay in curr_sb for 2 seconds */
+                /* check if entries stay in ipvs->sync_buff for 2 seconds */
-                sb = get_curr_sync_buff(2 * HZ);
+                sb = get_curr_sync_buff(ipvs, 2 * HZ);
                if (sb) {
                        ip_vs_send_sync_msg(tinfo->sock, sb->mesg);
                        ip_vs_sync_buff_release(sb);
@@ -783,17 +1474,16 @@ static int sync_thread_master(void *data)
        }
        /* clean up the sync_buff queue */
-        while ((sb=sb_dequeue())) {
+        while ((sb = sb_dequeue(ipvs)))
                ip_vs_sync_buff_release(sb);
-        }
        /* clean up the current sync_buff */
-        if ((sb = get_curr_sync_buff(0))) {
+        sb = get_curr_sync_buff(ipvs, 0);
+        if (sb)
                ip_vs_sync_buff_release(sb);
-        }
        /* release the sending multicast socket */
-        sock_release(tinfo->sock);
+        sk_release_kernel(tinfo->sock->sk);
        kfree(tinfo);
        return 0;
@@ -803,11 +1493,12 @@ static int sync_thread_master(void *data)
 static int sync_thread_backup(void *data)
 {
        struct ip_vs_sync_thread_data *tinfo = data;
+        struct netns_ipvs *ipvs = net_ipvs(tinfo->net);
        int len;
        pr_info("sync thread started: state = BACKUP, mcast_ifn = %s, "
                "syncid = %d\n",
-                ip_vs_backup_mcast_ifn, ip_vs_backup_syncid);
+                ipvs->backup_mcast_ifn, ipvs->backup_syncid);
        while (!kthread_should_stop()) {
                wait_event_interruptible(*sk_sleep(tinfo->sock->sk),
@@ -817,7 +1508,7 @@ static int sync_thread_backup(void *data)
                /* do we have data now? */
                while (!skb_queue_empty(&(tinfo->sock->sk->sk_receive_queue))) {
                        len = ip_vs_receive(tinfo->sock, tinfo->buf,
-                                        sync_recv_mesg_maxlen);
+                                        ipvs->recv_mesg_maxlen);
                        if (len <= 0) {
                                pr_err("receiving message error\n");
                                break;
@@ -826,13 +1517,13 @@ static int sync_thread_backup(void *data)
                        /* disable bottom half, because it accesses the data
                           shared by softirq while getting/creating conns */
                        local_bh_disable();
-                        ip_vs_process_message(tinfo->buf, len);
+                        ip_vs_process_message(tinfo->net, tinfo->buf, len);
                        local_bh_enable();
                }
        }
        /* release the sending multicast socket */
-        sock_release(tinfo->sock);
+        sk_release_kernel(tinfo->sock->sk);
        kfree(tinfo->buf);
        kfree(tinfo);
@@ -840,41 +1531,42 @@ static int sync_thread_backup(void *data)
 }
-int start_sync_thread(int state, char *mcast_ifn, __u8 syncid)
+int start_sync_thread(struct net *net, int state, char *mcast_ifn, __u8 syncid)
 {
        struct ip_vs_sync_thread_data *tinfo;
        struct task_struct **realtask, *task;
        struct socket *sock;
+        struct netns_ipvs *ipvs = net_ipvs(net);
        char *name, *buf = NULL;
        int (*threadfn)(void *data);
        int result = -ENOMEM;
        IP_VS_DBG(7, "%s(): pid %d\n", __func__, task_pid_nr(current));
        IP_VS_DBG(7, "Each ip_vs_sync_conn entry needs %Zd bytes\n",
-                  sizeof(struct ip_vs_sync_conn));
+                  sizeof(struct ip_vs_sync_conn_v0));
        if (state == IP_VS_STATE_MASTER) {
-                if (sync_master_thread)
+                if (ipvs->master_thread)
                        return -EEXIST;
-                strlcpy(ip_vs_master_mcast_ifn, mcast_ifn,
+                strlcpy(ipvs->master_mcast_ifn, mcast_ifn,
-                        sizeof(ip_vs_master_mcast_ifn));
+                        sizeof(ipvs->master_mcast_ifn));
-                ip_vs_master_syncid = syncid;
+                ipvs->master_syncid = syncid;
-                realtask = &sync_master_thread;
+                realtask = &ipvs->master_thread;
-                name = "ipvs_syncmaster";
+                name = "ipvs_master:%d";
                threadfn = sync_thread_master;
-                sock = make_send_sock();
+                sock = make_send_sock(net);
        } else if (state == IP_VS_STATE_BACKUP) {
-                if (sync_backup_thread)
+                if (ipvs->backup_thread)
                        return -EEXIST;
-                strlcpy(ip_vs_backup_mcast_ifn, mcast_ifn,
+                strlcpy(ipvs->backup_mcast_ifn, mcast_ifn,
-                        sizeof(ip_vs_backup_mcast_ifn));
+                        sizeof(ipvs->backup_mcast_ifn));
-                ip_vs_backup_syncid = syncid;
+                ipvs->backup_syncid = syncid;
-                realtask = &sync_backup_thread;
+                realtask = &ipvs->backup_thread;
-                name = "ipvs_syncbackup";
+                name = "ipvs_backup:%d";
                threadfn = sync_thread_backup;
-                sock = make_receive_sock();
+                sock = make_receive_sock(net);
        } else {
                return -EINVAL;
        }
@@ -884,9 +1576,9 @@ int start_sync_thread(int state, char *mcast_ifn, __u8 syncid)
                goto out;
        }
-        set_sync_mesg_maxlen(state);
+        set_sync_mesg_maxlen(net, state);
        if (state == IP_VS_STATE_BACKUP) {
-                buf = kmalloc(sync_recv_mesg_maxlen, GFP_KERNEL);
+                buf = kmalloc(ipvs->recv_mesg_maxlen, GFP_KERNEL);
                if (!buf)
                        goto outsocket;
        }
@@ -895,10 +1587,11 @@ int start_sync_thread(int state, char *mcast_ifn, __u8 syncid)
        if (!tinfo)
                goto outbuf;
+        tinfo->net = net;
        tinfo->sock = sock;
        tinfo->buf = buf;
-        task = kthread_run(threadfn, tinfo, name);
+        task = kthread_run(threadfn, tinfo, name, ipvs->gen);
        if (IS_ERR(task)) {
                result = PTR_ERR(task);
                goto outtinfo;
@@ -906,7 +1599,7 @@ int start_sync_thread(int state, char *mcast_ifn, __u8 syncid)
        /* mark as active */
        *realtask = task;
-        ip_vs_sync_state |= state;
+        ipvs->sync_state |= state;
        /* increase the module use count */
        ip_vs_use_count_inc();
@@ -918,22 +1611,25 @@ outtinfo:
 outbuf:
        kfree(buf);
 outsocket:
-        sock_release(sock);
+        sk_release_kernel(sock->sk);
 out:
        return result;
 }
-int stop_sync_thread(int state)
+int stop_sync_thread(struct net *net, int state)
 {
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        int retc = -EINVAL;
        IP_VS_DBG(7, "%s(): pid %d\n", __func__, task_pid_nr(current));
        if (state == IP_VS_STATE_MASTER) {
-                if (!sync_master_thread)
+                if (!ipvs->master_thread)
                        return -ESRCH;
                pr_info("stopping master sync thread %d ...\n",
-                        task_pid_nr(sync_master_thread));
+                        task_pid_nr(ipvs->master_thread));
                /*
                 * The lock synchronizes with sb_queue_tail(), so that we don't
@@ -941,27 +1637,64 @@ int stop_sync_thread(int state)
                 * progress of stopping the master sync daemon.
                 */
-                spin_lock_bh(&ip_vs_sync_lock);
+                spin_lock_bh(&ipvs->sync_lock);
-                ip_vs_sync_state &= ~IP_VS_STATE_MASTER;
+                ipvs->sync_state &= ~IP_VS_STATE_MASTER;
-                spin_unlock_bh(&ip_vs_sync_lock);
+                spin_unlock_bh(&ipvs->sync_lock);
-                kthread_stop(sync_master_thread);
+                retc = kthread_stop(ipvs->master_thread);
-                sync_master_thread = NULL;
+                ipvs->master_thread = NULL;
        } else if (state == IP_VS_STATE_BACKUP) {
-                if (!sync_backup_thread)
+                if (!ipvs->backup_thread)
                        return -ESRCH;
                pr_info("stopping backup sync thread %d ...\n",
-                        task_pid_nr(sync_backup_thread));
+                        task_pid_nr(ipvs->backup_thread));
-                ip_vs_sync_state &= ~IP_VS_STATE_BACKUP;
+                ipvs->sync_state &= ~IP_VS_STATE_BACKUP;
-                kthread_stop(sync_backup_thread);
+                retc = kthread_stop(ipvs->backup_thread);
-                sync_backup_thread = NULL;
+                ipvs->backup_thread = NULL;
-        } else {
-                return -EINVAL;
        }
        /* decrease the module use count */
        ip_vs_use_count_dec();
+        return retc;
+}
+/*
+ * Initialize data struct for each netns
+ */
+int __net_init __ip_vs_sync_init(struct net *net)
+{
+        struct netns_ipvs *ipvs = net_ipvs(net);
+        INIT_LIST_HEAD(&ipvs->sync_queue);
+        spin_lock_init(&ipvs->sync_lock);
+        spin_lock_init(&ipvs->sync_buff_lock);
+        ipvs->sync_mcast_addr.sin_family = AF_INET;
+        ipvs->sync_mcast_addr.sin_port = cpu_to_be16(IP_VS_SYNC_PORT);
+        ipvs->sync_mcast_addr.sin_addr.s_addr = cpu_to_be32(IP_VS_SYNC_GROUP);
+        return 0;
+}
+void __ip_vs_sync_cleanup(struct net *net)
+{
+        int retc;
+        retc = stop_sync_thread(net, IP_VS_STATE_MASTER);
+        if (retc && retc != -ESRCH)
+                pr_err("Failed to stop Master Daemon\n");
+        retc = stop_sync_thread(net, IP_VS_STATE_BACKUP);
+        if (retc && retc != -ESRCH)
+                pr_err("Failed to stop Backup Daemon\n");
+}
+int __init ip_vs_sync_init(void)
+{
        return 0;
 }
+void ip_vs_sync_cleanup(void)
+{
+}
diff --git a/net/netfilter/ipvs/ip_vs_wlc.c b/net/netfilter/ipvs/ip_vs_wlc.c
index bbddfdb10db2..bc1bfc48a17f 100644
--- a/net/netfilter/ipvs/ip_vs_wlc.c
+++ b/net/netfilter/ipvs/ip_vs_wlc.c
@@ -27,22 +27,6 @@
 #include <net/ip_vs.h>
-static inline unsigned int
-ip_vs_wlc_dest_overhead(struct ip_vs_dest *dest)
-{
-        /*
-         * We think the overhead of processing active connections is 256
-         * times higher than that of inactive connections in average. (This
-         * 256 times might not be accurate, we will change it later) We
-         * use the following formula to estimate the overhead now:
-         *                dest->activeconns*256 + dest->inactconns
-         */
-        return (atomic_read(&dest->activeconns) << 8) +
-                atomic_read(&dest->inactconns);
-}
 /*
 *      Weighted Least Connection scheduling
 */
@@ -71,11 +55,11 @@ ip_vs_wlc_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
                if (!(dest->flags & IP_VS_DEST_F_OVERLOAD) &&
                    atomic_read(&dest->weight) > 0) {
                        least = dest;
-                        loh = ip_vs_wlc_dest_overhead(least);
+                        loh = ip_vs_dest_conn_overhead(least);
                        goto nextstage;
                }
        }
-        IP_VS_ERR_RL("WLC: no destination available\n");
+        ip_vs_scheduler_err(svc, "no destination available");
        return NULL;
        /*
@@ -85,7 +69,7 @@ ip_vs_wlc_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
        list_for_each_entry_continue(dest, &svc->destinations, n_list) {
                if (dest->flags & IP_VS_DEST_F_OVERLOAD)
                        continue;
-                doh = ip_vs_wlc_dest_overhead(dest);
+                doh = ip_vs_dest_conn_overhead(dest);
                if (loh * atomic_read(&dest->weight) >
                    doh * atomic_read(&least->weight)) {
                        least = dest;
diff --git a/net/netfilter/ipvs/ip_vs_wrr.c b/net/netfilter/ipvs/ip_vs_wrr.c
index 30db633f88f1..1ef41f50723c 100644
--- a/net/netfilter/ipvs/ip_vs_wrr.c
+++ b/net/netfilter/ipvs/ip_vs_wrr.c
@@ -147,8 +147,9 @@ ip_vs_wrr_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
                        if (mark->cl == mark->cl->next) {
                                /* no dest entry */
-                                IP_VS_ERR_RL("WRR: no destination available: "
+                                ip_vs_scheduler_err(svc,
-                                             "no destinations present\n");
+                                        "no destination available: "
+                                        "no destinations present");
                                dest = NULL;
                                goto out;
                        }
@@ -162,8 +163,8 @@ ip_vs_wrr_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
                                 */
                                if (mark->cw == 0) {
                                        mark->cl = &svc->destinations;
-                                        IP_VS_ERR_RL("WRR: no destination "
+                                        ip_vs_scheduler_err(svc,
-                                                     "available\n");
+                                                "no destination available");
                                        dest = NULL;
                                        goto out;
                                }
@@ -185,8 +186,9 @@ ip_vs_wrr_schedule(struct ip_vs_service *svc, const struct sk_buff *skb)
                        /* back to the start, and no dest is found.
                           It is only possible when all dests are OVERLOADED */
                        dest = NULL;
-                        IP_VS_ERR_RL("WRR: no destination available: "
+                        ip_vs_scheduler_err(svc,
-                                     "all destinations are overloaded\n");
+                                "no destination available: "
+                                "all destinations are overloaded");
                        goto out;
                }
        }
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 5325a3fbe4ac..ee319a4338b0 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -43,6 +43,13 @@
 #include <net/ip_vs.h>
+enum {
+        IP_VS_RT_MODE_LOCAL     = 1, /* Allow local dest */
+        IP_VS_RT_MODE_NON_LOCAL = 2, /* Allow non-local dest */
+        IP_VS_RT_MODE_RDR       = 4, /* Allow redirect from remote daddr to
+                                      * local
+                                      */
+};
 /*
 *      Destination cache to speed up outgoing route lookup
@@ -77,14 +84,10 @@ __ip_vs_dst_check(struct ip_vs_dest *dest, u32 rtos)
        return dst;
 }
-/*
+/* Get route to destination or remote server */
- * Get route to destination or remote server
- * rt_mode: flags, &1=Allow local dest, &2=Allow non-local dest,
- *          &4=Allow redirect from remote daddr to local
- */
 static struct rtable *
 __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
-                   __be32 daddr, u32 rtos, int rt_mode)
+                   __be32 daddr, u32 rtos, int rt_mode, __be32 *ret_saddr)
 {
        struct net *net = dev_net(skb_dst(skb)->dev);
        struct rtable *rt;                      /* Route to the other host */
@@ -95,56 +98,66 @@ __ip_vs_get_out_rt(struct sk_buff *skb, struct ip_vs_dest *dest,
                spin_lock(&dest->dst_lock);
                if (!(rt = (struct rtable *)
                      __ip_vs_dst_check(dest, rtos))) {
-                        struct flowi fl = {
+                        struct flowi4 fl4;
-                                .fl4_dst = dest->addr.ip,
-                                .fl4_tos = rtos,
-                        };
-                        if (ip_route_output_key(net, &rt, &fl)) {
+                        memset(&fl4, 0, sizeof(fl4));
+                        fl4.daddr = dest->addr.ip;
+                        fl4.flowi4_tos = rtos;
+                        rt = ip_route_output_key(net, &fl4);
+                        if (IS_ERR(rt)) {
                                spin_unlock(&dest->dst_lock);
                                IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
                                             &dest->addr.ip);
                                return NULL;
                        }
                        __ip_vs_dst_set(dest, rtos, dst_clone(&rt->dst), 0);
-                        IP_VS_DBG(10, "new dst %pI4, refcnt=%d, rtos=%X\n",
+                        dest->dst_saddr.ip = fl4.saddr;
-                                  &dest->addr.ip,
+                        IP_VS_DBG(10, "new dst %pI4, src %pI4, refcnt=%d, "
+                                  "rtos=%X\n",
+                                  &dest->addr.ip, &dest->dst_saddr.ip,
                                  atomic_read(&rt->dst.__refcnt), rtos);
                }
+                daddr = dest->addr.ip;
+                if (ret_saddr)
+                        *ret_saddr = dest->dst_saddr.ip;
                spin_unlock(&dest->dst_lock);
        } else {
-                struct flowi fl = {
+                struct flowi4 fl4;
-                        .fl4_dst = daddr,
-                        .fl4_tos = rtos,
-                };
-                if (ip_route_output_key(net, &rt, &fl)) {
+                memset(&fl4, 0, sizeof(fl4));
+                fl4.daddr = daddr;
+                fl4.flowi4_tos = rtos;
+                rt = ip_route_output_key(net, &fl4);
+                if (IS_ERR(rt)) {
                        IP_VS_DBG_RL("ip_route_output error, dest: %pI4\n",
                                     &daddr);
                        return NULL;
                }
+                if (ret_saddr)
+                        *ret_saddr = fl4.saddr;
        }
        local = rt->rt_flags & RTCF_LOCAL;
-        if (!((local ? 1 : 2) & rt_mode)) {
+        if (!((local ? IP_VS_RT_MODE_LOCAL : IP_VS_RT_MODE_NON_LOCAL) &
+              rt_mode)) {
                IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI4\n",
                             (rt->rt_flags & RTCF_LOCAL) ?
-                             "local":"non-local", &rt->rt_dst);
+                             "local":"non-local", &daddr);
                ip_rt_put(rt);
                return NULL;
        }
-        if (local && !(rt_mode & 4) && !((ort = skb_rtable(skb)) &&
+        if (local && !(rt_mode & IP_VS_RT_MODE_RDR) &&
-                                         ort->rt_flags & RTCF_LOCAL)) {
+            !((ort = skb_rtable(skb)) && ort->rt_flags & RTCF_LOCAL)) {
                IP_VS_DBG_RL("Redirect from non-local address %pI4 to local "
                             "requires NAT method, dest: %pI4\n",
-                             &ip_hdr(skb)->daddr, &rt->rt_dst);
+                             &ip_hdr(skb)->daddr, &daddr);
                ip_rt_put(rt);
                return NULL;
        }
        if (unlikely(!local && ipv4_is_loopback(ip_hdr(skb)->saddr))) {
                IP_VS_DBG_RL("Stopping traffic from loopback address %pI4 "
                             "to non-local address, dest: %pI4\n",
-                             &ip_hdr(skb)->saddr, &rt->rt_dst);
+                             &ip_hdr(skb)->saddr, &daddr);
                ip_rt_put(rt);
                return NULL;
        }
@@ -169,15 +182,15 @@ __ip_vs_reroute_locally(struct sk_buff *skb)
                        return 0;
                refdst_drop(orefdst);
        } else {
-                struct flowi fl = {
+                struct flowi4 fl4 = {
-                        .fl4_dst = iph->daddr,
+                        .daddr = iph->daddr,
-                        .fl4_src = iph->saddr,
+                        .saddr = iph->saddr,
-                        .fl4_tos = RT_TOS(iph->tos),
+                        .flowi4_tos = RT_TOS(iph->tos),
-                        .mark = skb->mark,
+                        .flowi4_mark = skb->mark,
                };
-                struct rtable *rt;
-                if (ip_route_output_key(net, &rt, &fl))
+                rt = ip_route_output_key(net, &fl4);
+                if (IS_ERR(rt))
                        return 0;
                if (!(rt->rt_flags & RTCF_LOCAL)) {
                        ip_rt_put(rt);
@@ -202,22 +215,27 @@ __ip_vs_route_output_v6(struct net *net, struct in6_addr *daddr,
                        struct in6_addr *ret_saddr, int do_xfrm)
 {
        struct dst_entry *dst;
-        struct flowi fl = {
+        struct flowi6 fl6 = {
-                .fl6_dst = *daddr,
+                .daddr = *daddr,
        };
-        dst = ip6_route_output(net, NULL, &fl);
+        dst = ip6_route_output(net, NULL, &fl6);
        if (dst->error)
                goto out_err;
        if (!ret_saddr)
                return dst;
-        if (ipv6_addr_any(&fl.fl6_src) &&
+        if (ipv6_addr_any(&fl6.saddr) &&
            ipv6_dev_get_saddr(net, ip6_dst_idev(dst)->dev,
-                               &fl.fl6_dst, 0, &fl.fl6_src) < 0)
+                               &fl6.daddr, 0, &fl6.saddr) < 0)
                goto out_err;
-        if (do_xfrm && xfrm_lookup(net, &dst, &fl, NULL, 0) < 0)
+        if (do_xfrm) {
-                goto out_err;
+                dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), NULL, 0);
-        ipv6_addr_copy(ret_saddr, &fl.fl6_src);
+                if (IS_ERR(dst)) {
+                        dst = NULL;
+                        goto out_err;
+                }
+        }
+        ipv6_addr_copy(ret_saddr, &fl6.saddr);
        return dst;
 out_err:
@@ -228,8 +246,6 @@ out_err:
 /*
 * Get route to destination or remote server
- * rt_mode: flags, &1=Allow local dest, &2=Allow non-local dest,
- *          &4=Allow redirect from remote daddr to local
 */
 static struct rt6_info *
 __ip_vs_get_out_rt_v6(struct sk_buff *skb, struct ip_vs_dest *dest,
@@ -249,7 +265,7 @@ __ip_vs_get_out_rt_v6(struct sk_buff *skb, struct ip_vs_dest *dest,
                        u32 cookie;
                        dst = __ip_vs_route_output_v6(net, &dest->addr.in6,
-                                                      &dest->dst_saddr,
+                                                      &dest->dst_saddr.in6,
                                                      do_xfrm);
                        if (!dst) {
                                spin_unlock(&dest->dst_lock);
@@ -259,11 +275,11 @@ __ip_vs_get_out_rt_v6(struct sk_buff *skb, struct ip_vs_dest *dest,
                        cookie = rt->rt6i_node ? rt->rt6i_node->fn_sernum : 0;
                        __ip_vs_dst_set(dest, 0, dst_clone(&rt->dst), cookie);
                        IP_VS_DBG(10, "new dst %pI6, src %pI6, refcnt=%d\n",
-                                  &dest->addr.in6, &dest->dst_saddr,
+                                  &dest->addr.in6, &dest->dst_saddr.in6,
                                  atomic_read(&rt->dst.__refcnt));
                }
                if (ret_saddr)
-                        ipv6_addr_copy(ret_saddr, &dest->dst_saddr);
+                        ipv6_addr_copy(ret_saddr, &dest->dst_saddr.in6);
                spin_unlock(&dest->dst_lock);
        } else {
                dst = __ip_vs_route_output_v6(net, daddr, ret_saddr, do_xfrm);
@@ -273,13 +289,14 @@ __ip_vs_get_out_rt_v6(struct sk_buff *skb, struct ip_vs_dest *dest,
        }
        local = __ip_vs_is_local_route6(rt);
-        if (!((local ? 1 : 2) & rt_mode)) {
+        if (!((local ? IP_VS_RT_MODE_LOCAL : IP_VS_RT_MODE_NON_LOCAL) &
+              rt_mode)) {
                IP_VS_DBG_RL("Stopping traffic to %s address, dest: %pI6\n",
                             local ? "local":"non-local", daddr);
                dst_release(&rt->dst);
                return NULL;
        }
-        if (local && !(rt_mode & 4) &&
+        if (local && !(rt_mode & IP_VS_RT_MODE_RDR) &&
            !((ort = (struct rt6_info *) skb_dst(skb)) &&
              __ip_vs_is_local_route6(ort))) {
                IP_VS_DBG_RL("Redirect from non-local address %pI6 to local "
@@ -384,13 +401,14 @@ ip_vs_bypass_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        EnterFunction(10);
-        if (!(rt = __ip_vs_get_out_rt(skb, NULL, iph->daddr,
+        if (!(rt = __ip_vs_get_out_rt(skb, NULL, iph->daddr, RT_TOS(iph->tos),
-                                      RT_TOS(iph->tos), 2)))
+                                      IP_VS_RT_MODE_NON_LOCAL, NULL)))
                goto tx_error_icmp;
        /* MTU checking */
        mtu = dst_mtu(&rt->dst);
-        if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) {
+        if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF)) &&
+            !skb_is_gso(skb)) {
                ip_rt_put(rt);
                icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
                IP_VS_DBG_RL("%s(): frag needed\n", __func__);
@@ -438,12 +456,13 @@ ip_vs_bypass_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        EnterFunction(10);
-        if (!(rt = __ip_vs_get_out_rt_v6(skb, NULL, &iph->daddr, NULL, 0, 2)))
+        if (!(rt = __ip_vs_get_out_rt_v6(skb, NULL, &iph->daddr, NULL, 0,
+                                         IP_VS_RT_MODE_NON_LOCAL)))
                goto tx_error_icmp;
        /* MTU checking */
        mtu = dst_mtu(&rt->dst);
-        if (skb->len > mtu) {
+        if (skb->len > mtu && !skb_is_gso(skb)) {
                if (!skb->dev) {
                        struct net *net = dev_net(skb_dst(skb)->dev);
@@ -512,7 +531,10 @@ ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        }
        if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
-                                      RT_TOS(iph->tos), 1|2|4)))
+                                      RT_TOS(iph->tos),
+                                      IP_VS_RT_MODE_LOCAL |
+                                        IP_VS_RT_MODE_NON_LOCAL |
+                                        IP_VS_RT_MODE_RDR, NULL)))
                goto tx_error_icmp;
        local = rt->rt_flags & RTCF_LOCAL;
        /*
@@ -534,7 +556,7 @@ ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 #endif
        /* From world but DNAT to loopback address? */
-        if (local && ipv4_is_loopback(rt->rt_dst) &&
+        if (local && ipv4_is_loopback(cp->daddr.ip) &&
            rt_is_input_route(skb_rtable(skb))) {
                IP_VS_DBG_RL_PKT(1, AF_INET, pp, skb, 0, "ip_vs_nat_xmit(): "
                                 "stopping DNAT to loopback address");
@@ -543,7 +565,8 @@ ip_vs_nat_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        /* MTU checking */
        mtu = dst_mtu(&rt->dst);
-        if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF))) {
+        if ((skb->len > mtu) && (iph->frag_off & htons(IP_DF)) &&
+            !skb_is_gso(skb)) {
                icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
                IP_VS_DBG_RL_PKT(0, AF_INET, pp, skb, 0,
                                 "ip_vs_nat_xmit(): frag needed for");
@@ -626,7 +649,9 @@ ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        }
        if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
-                                         0, 1|2|4)))
+                                         0, (IP_VS_RT_MODE_LOCAL |
+                                             IP_VS_RT_MODE_NON_LOCAL |
+                                             IP_VS_RT_MODE_RDR))))
                goto tx_error_icmp;
        local = __ip_vs_is_local_route6(rt);
        /*
@@ -658,7 +683,7 @@ ip_vs_nat_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        /* MTU checking */
        mtu = dst_mtu(&rt->dst);
-        if (skb->len > mtu) {
+        if (skb->len > mtu && !skb_is_gso(skb)) {
                if (!skb->dev) {
                        struct net *net = dev_net(skb_dst(skb)->dev);
@@ -742,6 +767,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
                  struct ip_vs_protocol *pp)
 {
        struct rtable *rt;                      /* Route to the other host */
+        __be32 saddr;                           /* Source for tunnel */
        struct net_device *tdev;                /* Device to other host */
        struct iphdr  *old_iph = ip_hdr(skb);
        u8     tos = old_iph->tos;
@@ -754,7 +780,9 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        EnterFunction(10);
        if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
-                                      RT_TOS(tos), 1|2)))
+                                      RT_TOS(tos), IP_VS_RT_MODE_LOCAL |
+                                                   IP_VS_RT_MODE_NON_LOCAL,
+                                                   &saddr)))
                goto tx_error_icmp;
        if (rt->rt_flags & RTCF_LOCAL) {
                ip_rt_put(rt);
@@ -773,8 +801,8 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        df |= (old_iph->frag_off & htons(IP_DF));
-        if ((old_iph->frag_off & htons(IP_DF))
+        if ((old_iph->frag_off & htons(IP_DF) &&
-            && mtu < ntohs(old_iph->tot_len)) {
+            mtu < ntohs(old_iph->tot_len) && !skb_is_gso(skb))) {
                icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
                IP_VS_DBG_RL("%s(): frag needed\n", __func__);
                goto tx_error_put;
@@ -822,8 +850,8 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        iph->frag_off           =       df;
        iph->protocol           =       IPPROTO_IPIP;
        iph->tos                =       tos;
-        iph->daddr              =       rt->rt_dst;
+        iph->daddr              =       cp->daddr.ip;
-        iph->saddr              =       rt->rt_src;
+        iph->saddr              =       saddr;
        iph->ttl                =       old_iph->ttl;
        ip_select_ident(iph, &rt->dst, NULL);
@@ -868,7 +896,8 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        EnterFunction(10);
        if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6,
-                                         &saddr, 1, 1|2)))
+                                         &saddr, 1, (IP_VS_RT_MODE_LOCAL |
+                                                     IP_VS_RT_MODE_NON_LOCAL))))
                goto tx_error_icmp;
        if (__ip_vs_is_local_route6(rt)) {
                dst_release(&rt->dst);
@@ -886,7 +915,8 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        if (skb_dst(skb))
                skb_dst(skb)->ops->update_pmtu(skb_dst(skb), mtu);
-        if (mtu < ntohs(old_iph->payload_len) + sizeof(struct ipv6hdr)) {
+        if (mtu < ntohs(old_iph->payload_len) + sizeof(struct ipv6hdr) &&
+            !skb_is_gso(skb)) {
                if (!skb->dev) {
                        struct net *net = dev_net(skb_dst(skb)->dev);
@@ -982,7 +1012,9 @@ ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        EnterFunction(10);
        if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
-                                      RT_TOS(iph->tos), 1|2)))
+                                      RT_TOS(iph->tos),
+                                      IP_VS_RT_MODE_LOCAL |
+                                        IP_VS_RT_MODE_NON_LOCAL, NULL)))
                goto tx_error_icmp;
        if (rt->rt_flags & RTCF_LOCAL) {
                ip_rt_put(rt);
@@ -991,7 +1023,8 @@ ip_vs_dr_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        /* MTU checking */
        mtu = dst_mtu(&rt->dst);
-        if ((iph->frag_off & htons(IP_DF)) && skb->len > mtu) {
+        if ((iph->frag_off & htons(IP_DF)) && skb->len > mtu &&
+            !skb_is_gso(skb)) {
                icmp_send(skb, ICMP_DEST_UNREACH,ICMP_FRAG_NEEDED, htonl(mtu));
                ip_rt_put(rt);
                IP_VS_DBG_RL("%s(): frag needed\n", __func__);
@@ -1039,7 +1072,8 @@ ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        EnterFunction(10);
        if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
-                                         0, 1|2)))
+                                         0, (IP_VS_RT_MODE_LOCAL |
+                                             IP_VS_RT_MODE_NON_LOCAL))))
                goto tx_error_icmp;
        if (__ip_vs_is_local_route6(rt)) {
                dst_release(&rt->dst);
@@ -1098,12 +1132,13 @@ tx_error:
 */
 int
 ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
-                struct ip_vs_protocol *pp, int offset)
+                struct ip_vs_protocol *pp, int offset, unsigned int hooknum)
 {
        struct rtable   *rt;    /* Route to the other host */
        int mtu;
        int rc;
        int local;
+        int rt_mode;
        EnterFunction(10);
@@ -1124,8 +1159,13 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
         * mangle and send the packet here (only for VS/NAT)
         */
+        /* LOCALNODE from FORWARD hook is not supported */
+        rt_mode = (hooknum != NF_INET_FORWARD) ?
+                  IP_VS_RT_MODE_LOCAL | IP_VS_RT_MODE_NON_LOCAL |
+                  IP_VS_RT_MODE_RDR : IP_VS_RT_MODE_NON_LOCAL;
        if (!(rt = __ip_vs_get_out_rt(skb, cp->dest, cp->daddr.ip,
-                                      RT_TOS(ip_hdr(skb)->tos), 1|2|4)))
+                                      RT_TOS(ip_hdr(skb)->tos),
+                                      rt_mode, NULL)))
                goto tx_error_icmp;
        local = rt->rt_flags & RTCF_LOCAL;
@@ -1148,7 +1188,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 #endif
        /* From world but DNAT to loopback address? */
-        if (local && ipv4_is_loopback(rt->rt_dst) &&
+        if (local && ipv4_is_loopback(cp->daddr.ip) &&
            rt_is_input_route(skb_rtable(skb))) {
                IP_VS_DBG(1, "%s(): "
                          "stopping DNAT to loopback %pI4\n",
@@ -1158,7 +1198,8 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
        /* MTU checking */
        mtu = dst_mtu(&rt->dst);
-        if ((skb->len > mtu) && (ip_hdr(skb)->frag_off & htons(IP_DF))) {
+        if ((skb->len > mtu) && (ip_hdr(skb)->frag_off & htons(IP_DF)) &&
+            !skb_is_gso(skb)) {
                icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu));
                IP_VS_DBG_RL("%s(): frag needed\n", __func__);
                goto tx_error_put;
@@ -1212,12 +1253,13 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
 #ifdef CONFIG_IP_VS_IPV6
 int
 ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
-                struct ip_vs_protocol *pp, int offset)
+                struct ip_vs_protocol *pp, int offset, unsigned int hooknum)
 {
        struct rt6_info *rt;    /* Route to the other host */
        int mtu;
        int rc;
        int local;
+        int rt_mode;
        EnterFunction(10);
@@ -1238,8 +1280,12 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
         * mangle and send the packet here (only for VS/NAT)
         */
+        /* LOCALNODE from FORWARD hook is not supported */
+        rt_mode = (hooknum != NF_INET_FORWARD) ?
+                  IP_VS_RT_MODE_LOCAL | IP_VS_RT_MODE_NON_LOCAL |
+                  IP_VS_RT_MODE_RDR : IP_VS_RT_MODE_NON_LOCAL;
        if (!(rt = __ip_vs_get_out_rt_v6(skb, cp->dest, &cp->daddr.in6, NULL,
-                                         0, 1|2|4)))
+                                         0, rt_mode)))
                goto tx_error_icmp;
        local = __ip_vs_is_local_route6(rt);
@@ -1272,7 +1318,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
        /* MTU checking */
        mtu = dst_mtu(&rt->dst);
-        if (skb->len > mtu) {
+        if (skb->len > mtu && !skb_is_gso(skb)) {
                if (!skb->dev) {
                        struct net *net = dev_net(skb_dst(skb)->dev);
diff --git a/net/netfilter/nf_conntrack_broadcast.c b/net/netfilter/nf_conntrack_broadcast.c
new file mode 100644
index 000000000000..4e99cca61612
--- /dev/null
+++ b/net/netfilter/nf_conntrack_broadcast.c
@@ -0,0 +1,82 @@
+/*
+ *      broadcast connection tracking helper
+ *
+ *      (c) 2005 Patrick McHardy <kaber@trash.net>
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the GNU General Public License
+ *      as published by the Free Software Foundation; either version
+ *      2 of the License, or (at your option) any later version.
+ */
+#include <linux/module.h>
+#include <linux/ip.h>
+#include <net/route.h>
+#include <linux/inetdevice.h>
+#include <linux/skbuff.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_helper.h>
+#include <net/netfilter/nf_conntrack_expect.h>
+int nf_conntrack_broadcast_help(struct sk_buff *skb,
+                                unsigned int protoff,
+                                struct nf_conn *ct,
+                                enum ip_conntrack_info ctinfo,
+                                unsigned int timeout)
+{
+        struct nf_conntrack_expect *exp;
+        struct iphdr *iph = ip_hdr(skb);
+        struct rtable *rt = skb_rtable(skb);
+        struct in_device *in_dev;
+        struct nf_conn_help *help = nfct_help(ct);
+        __be32 mask = 0;
+        /* we're only interested in locally generated packets */
+        if (skb->sk == NULL)
+                goto out;
+        if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST))
+                goto out;
+        if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
+                goto out;
+        rcu_read_lock();
+        in_dev = __in_dev_get_rcu(rt->dst.dev);
+        if (in_dev != NULL) {
+                for_primary_ifa(in_dev) {
+                        if (ifa->ifa_broadcast == iph->daddr) {
+                                mask = ifa->ifa_mask;
+                                break;
+                        }
+                } endfor_ifa(in_dev);
+        }
+        rcu_read_unlock();
+        if (mask == 0)
+                goto out;
+        exp = nf_ct_expect_alloc(ct);
+        if (exp == NULL)
+                goto out;
+        exp->tuple                = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
+        exp->tuple.src.u.udp.port = help->helper->tuple.src.u.udp.port;
+        exp->mask.src.u3.ip       = mask;
+        exp->mask.src.u.udp.port  = htons(0xFFFF);
+        exp->expectfn             = NULL;
+        exp->flags                = NF_CT_EXPECT_PERMANENT;
+        exp->class                = NF_CT_EXPECT_CLASS_DEFAULT;
+        exp->helper               = NULL;
+        nf_ct_expect_related(exp);
+        nf_ct_expect_put(exp);
+        nf_ct_refresh(ct, skb, timeout * HZ);
+out:
+        return NF_ACCEPT;
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_broadcast_help);
+MODULE_LICENSE("GPL");
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 84f4fcc5884b..2e1c11f78419 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -43,6 +43,7 @@
 #include <net/netfilter/nf_conntrack_acct.h>
 #include <net/netfilter/nf_conntrack_ecache.h>
 #include <net/netfilter/nf_conntrack_zones.h>
+#include <net/netfilter/nf_conntrack_timestamp.h>
 #include <net/netfilter/nf_nat.h>
 #include <net/netfilter/nf_nat_core.h>
@@ -282,6 +283,11 @@ EXPORT_SYMBOL_GPL(nf_ct_insert_dying_list);
 static void death_by_timeout(unsigned long ul_conntrack)
 {
        struct nf_conn *ct = (void *)ul_conntrack;
+        struct nf_conn_tstamp *tstamp;
+        tstamp = nf_conn_tstamp_find(ct);
+        if (tstamp && tstamp->stop == 0)
+                tstamp->stop = ktime_to_ns(ktime_get_real());
        if (!test_bit(IPS_DYING_BIT, &ct->status) &&
            unlikely(nf_conntrack_event(IPCT_DESTROY, ct) < 0)) {
@@ -419,6 +425,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
        struct nf_conntrack_tuple_hash *h;
        struct nf_conn *ct;
        struct nf_conn_help *help;
+        struct nf_conn_tstamp *tstamp;
        struct hlist_nulls_node *n;
        enum ip_conntrack_info ctinfo;
        struct net *net;
@@ -446,7 +453,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
           REJECT will give spurious warnings here. */
        /* NF_CT_ASSERT(atomic_read(&ct->ct_general.use) == 1); */
-        /* No external references means noone else could have
+        /* No external references means no one else could have
           confirmed us. */
        NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
        pr_debug("Confirming conntrack %p\n", ct);
@@ -486,8 +493,16 @@ __nf_conntrack_confirm(struct sk_buff *skb)
        ct->timeout.expires += jiffies;
        add_timer(&ct->timeout);
        atomic_inc(&ct->ct_general.use);
-        set_bit(IPS_CONFIRMED_BIT, &ct->status);
+        ct->status |= IPS_CONFIRMED;
+        /* set conntrack timestamp, if enabled. */
+        tstamp = nf_conn_tstamp_find(ct);
+        if (tstamp) {
+                if (skb->tstamp.tv64 == 0)
+                        __net_timestamp((struct sk_buff *)skb);
+                tstamp->start = ktime_to_ns(skb->tstamp);
+        }
        /* Since the lookup is lockless, hash insertion must be done after
         * starting the timer and setting the CONFIRMED bit. The RCU barriers
         * guarantee that no other CPU can find the conntrack before the above
@@ -655,7 +670,8 @@ __nf_conntrack_alloc(struct net *net, u16 zone,
         * and ct->tuplehash[IP_CT_DIR_REPLY].hnnode.next unchanged.
         */
        memset(&ct->tuplehash[IP_CT_DIR_MAX], 0,
-               sizeof(*ct) - offsetof(struct nf_conn, tuplehash[IP_CT_DIR_MAX]));
+               offsetof(struct nf_conn, proto) -
+               offsetof(struct nf_conn, tuplehash[IP_CT_DIR_MAX]));
        spin_lock_init(&ct->lock);
        ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig;
        ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode.pprev = NULL;
@@ -745,6 +761,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
        }
        nf_ct_acct_ext_add(ct, GFP_ATOMIC);
+        nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
        ecache = tmpl ? nf_ct_ecache_find(tmpl) : NULL;
        nf_ct_ecache_ext_add(ct, ecache ? ecache->ctmask : 0,
@@ -884,7 +901,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
        ret = l3proto->get_l4proto(skb, skb_network_offset(skb),
                                   &dataoff, &protonum);
        if (ret <= 0) {
-                pr_debug("not prepared to track yet or error occured\n");
+                pr_debug("not prepared to track yet or error occurred\n");
                NF_CT_STAT_INC_ATOMIC(net, error);
                NF_CT_STAT_INC_ATOMIC(net, invalid);
                ret = -ret;
@@ -1192,6 +1209,11 @@ struct __nf_ct_flush_report {
 static int kill_report(struct nf_conn *i, void *data)
 {
        struct __nf_ct_flush_report *fr = (struct __nf_ct_flush_report *)data;
+        struct nf_conn_tstamp *tstamp;
+        tstamp = nf_conn_tstamp_find(i);
+        if (tstamp && tstamp->stop == 0)
+                tstamp->stop = ktime_to_ns(ktime_get_real());
        /* If we fail to deliver the event, death_by_timeout() will retry */
        if (nf_conntrack_event_report(IPCT_DESTROY, i,
@@ -1208,9 +1230,9 @@ static int kill_all(struct nf_conn *i, void *data)
        return 1;
 }
-void nf_ct_free_hashtable(void *hash, int vmalloced, unsigned int size)
+void nf_ct_free_hashtable(void *hash, unsigned int size)
 {
-        if (vmalloced)
+        if (is_vmalloc_addr(hash))
                vfree(hash);
        else
                free_pages((unsigned long)hash,
@@ -1277,9 +1299,9 @@ static void nf_conntrack_cleanup_net(struct net *net)
                goto i_see_dead_people;
        }
-        nf_ct_free_hashtable(net->ct.hash, net->ct.hash_vmalloc,
+        nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
-                             net->ct.htable_size);
        nf_conntrack_ecache_fini(net);
+        nf_conntrack_tstamp_fini(net);
        nf_conntrack_acct_fini(net);
        nf_conntrack_expect_fini(net);
        kmem_cache_destroy(net->ct.nf_conntrack_cachep);
@@ -1307,21 +1329,18 @@ void nf_conntrack_cleanup(struct net *net)
        }
 }
-void *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced, int nulls)
+void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
 {
        struct hlist_nulls_head *hash;
        unsigned int nr_slots, i;
        size_t sz;
-        *vmalloced = 0;
        BUILD_BUG_ON(sizeof(struct hlist_nulls_head) != sizeof(struct hlist_head));
        nr_slots = *sizep = roundup(*sizep, PAGE_SIZE / sizeof(struct hlist_nulls_head));
        sz = nr_slots * sizeof(struct hlist_nulls_head);
        hash = (void *)__get_free_pages(GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO,
                                        get_order(sz));
        if (!hash) {
-                *vmalloced = 1;
                printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
                hash = __vmalloc(sz, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO,
                                 PAGE_KERNEL);
@@ -1337,7 +1356,7 @@ EXPORT_SYMBOL_GPL(nf_ct_alloc_hashtable);
 int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
 {
-        int i, bucket, vmalloced, old_vmalloced;
+        int i, bucket;
        unsigned int hashsize, old_size;
        struct hlist_nulls_head *hash, *old_hash;
        struct nf_conntrack_tuple_hash *h;
@@ -1354,7 +1373,7 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
        if (!hashsize)
                return -EINVAL;
-        hash = nf_ct_alloc_hashtable(&hashsize, &vmalloced, 1);
+        hash = nf_ct_alloc_hashtable(&hashsize, 1);
        if (!hash)
                return -ENOMEM;
@@ -1376,15 +1395,13 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
                }
        }
        old_size = init_net.ct.htable_size;
-        old_vmalloced = init_net.ct.hash_vmalloc;
        old_hash = init_net.ct.hash;
        init_net.ct.htable_size = nf_conntrack_htable_size = hashsize;
-        init_net.ct.hash_vmalloc = vmalloced;
        init_net.ct.hash = hash;
        spin_unlock_bh(&nf_conntrack_lock);
-        nf_ct_free_hashtable(old_hash, old_vmalloced, old_size);
+        nf_ct_free_hashtable(old_hash, old_size);
        return 0;
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_set_hashsize);
@@ -1497,8 +1514,7 @@ static int nf_conntrack_init_net(struct net *net)
        }
        net->ct.htable_size = nf_conntrack_htable_size;
-        net->ct.hash = nf_ct_alloc_hashtable(&net->ct.htable_size,
+        net->ct.hash = nf_ct_alloc_hashtable(&net->ct.htable_size, 1);
-                                             &net->ct.hash_vmalloc, 1);
        if (!net->ct.hash) {
                ret = -ENOMEM;
                printk(KERN_ERR "Unable to create nf_conntrack_hash\n");
@@ -1510,6 +1526,9 @@ static int nf_conntrack_init_net(struct net *net)
        ret = nf_conntrack_acct_init(net);
        if (ret < 0)
                goto err_acct;
+        ret = nf_conntrack_tstamp_init(net);
+        if (ret < 0)
+                goto err_tstamp;
        ret = nf_conntrack_ecache_init(net);
        if (ret < 0)
                goto err_ecache;
@@ -1517,12 +1536,13 @@ static int nf_conntrack_init_net(struct net *net)
        return 0;
 err_ecache:
+        nf_conntrack_tstamp_fini(net);
+err_tstamp:
        nf_conntrack_acct_fini(net);
 err_acct:
        nf_conntrack_expect_fini(net);
 err_expect:
-        nf_ct_free_hashtable(net->ct.hash, net->ct.hash_vmalloc,
+        nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
-                             net->ct.htable_size);
 err_hash:
        kmem_cache_destroy(net->ct.nf_conntrack_cachep);
 err_cache:
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index a20fb0bd1efe..cd1e8e0970f2 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -319,7 +319,8 @@ static void nf_ct_expect_insert(struct nf_conntrack_expect *exp)
        const struct nf_conntrack_expect_policy *p;
        unsigned int h = nf_ct_expect_dst_hash(&exp->tuple);
-        atomic_inc(&exp->use);
+        /* two references : one for hash insert, one for the timer */
+        atomic_add(2, &exp->use);
        if (master_help) {
                hlist_add_head(&exp->lnode, &master_help->expectations);
@@ -333,12 +334,14 @@ static void nf_ct_expect_insert(struct nf_conntrack_expect *exp)
        setup_timer(&exp->timeout, nf_ct_expectation_timed_out,
                    (unsigned long)exp);
        if (master_help) {
-                p = &master_help->helper->expect_policy[exp->class];
+                p = &rcu_dereference_protected(
+                                master_help->helper,
+                                lockdep_is_held(&nf_conntrack_lock)
+                                )->expect_policy[exp->class];
                exp->timeout.expires = jiffies + p->timeout * HZ;
        }
        add_timer(&exp->timeout);
-        atomic_inc(&exp->use);
        NF_CT_STAT_INC(net, expect_create);
 }
@@ -369,7 +372,10 @@ static inline int refresh_timer(struct nf_conntrack_expect *i)
        if (!del_timer(&i->timeout))
                return 0;
-        p = &master_help->helper->expect_policy[i->class];
+        p = &rcu_dereference_protected(
+                master_help->helper,
+                lockdep_is_held(&nf_conntrack_lock)
+                )->expect_policy[i->class];
        i->timeout.expires = jiffies + p->timeout * HZ;
        add_timer(&i->timeout);
        return 1;
@@ -407,7 +413,10 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
        }
        /* Will be over limit? */
        if (master_help) {
-                p = &master_help->helper->expect_policy[expect->class];
+                p = &rcu_dereference_protected(
+                        master_help->helper,
+                        lockdep_is_held(&nf_conntrack_lock)
+                        )->expect_policy[expect->class];
                if (p->max_expected &&
                    master_help->expecting[expect->class] >= p->max_expected) {
                        evict_oldest_expect(master, expect);
@@ -478,7 +487,7 @@ static struct hlist_node *ct_expect_get_first(struct seq_file *seq)
        struct hlist_node *n;
        for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) {
-                n = rcu_dereference(net->ct.expect_hash[st->bucket].first);
+                n = rcu_dereference(hlist_first_rcu(&net->ct.expect_hash[st->bucket]));
                if (n)
                        return n;
        }
@@ -491,11 +500,11 @@ static struct hlist_node *ct_expect_get_next(struct seq_file *seq,
        struct net *net = seq_file_net(seq);
        struct ct_expect_iter_state *st = seq->private;
-        head = rcu_dereference(head->next);
+        head = rcu_dereference(hlist_next_rcu(head));
        while (head == NULL) {
                if (++st->bucket >= nf_ct_expect_hsize)
                        return NULL;
-                head = rcu_dereference(net->ct.expect_hash[st->bucket].first);
+                head = rcu_dereference(hlist_first_rcu(&net->ct.expect_hash[st->bucket]));
        }
        return head;
 }
@@ -630,8 +639,7 @@ int nf_conntrack_expect_init(struct net *net)
        }
        net->ct.expect_count = 0;
-        net->ct.expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
+        net->ct.expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize, 0);
-                                                  &net->ct.expect_vmalloc, 0);
        if (net->ct.expect_hash == NULL)
                goto err1;
@@ -653,8 +661,7 @@ err3:
        if (net_eq(net, &init_net))
                kmem_cache_destroy(nf_ct_expect_cachep);
 err2:
-        nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc,
+        nf_ct_free_hashtable(net->ct.expect_hash, nf_ct_expect_hsize);
-                             nf_ct_expect_hsize);
 err1:
        return err;
 }
@@ -666,6 +673,5 @@ void nf_conntrack_expect_fini(struct net *net)
                rcu_barrier(); /* Wait for call_rcu() before destroy */
                kmem_cache_destroy(nf_ct_expect_cachep);
        }
-        nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc,
+        nf_ct_free_hashtable(net->ct.expect_hash, nf_ct_expect_hsize);
-                             nf_ct_expect_hsize);
 }
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index bd82450c193f..05ecdc281a53 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -68,12 +68,6 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, gfp_t gfp)
        return (void *)(*ext) + off;
 }
-static void __nf_ct_ext_free_rcu(struct rcu_head *head)
-{
-        struct nf_ct_ext *ext = container_of(head, struct nf_ct_ext, rcu);
-        kfree(ext);
-}
 void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
 {
        struct nf_ct_ext *old, *new;
@@ -114,7 +108,7 @@ void *__nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
                                        (void *)old + old->offset[i]);
                        rcu_read_unlock();
                }
-                call_rcu(&old->rcu, __nf_ct_ext_free_rcu);
+                kfree_rcu(old, rcu);
                ct->ext = new;
        }
@@ -140,15 +134,16 @@ static void update_alloc_size(struct nf_ct_ext_type *type)
        /* This assumes that extended areas in conntrack for the types
           whose NF_CT_EXT_F_PREALLOC bit set are allocated in order */
        for (i = min; i <= max; i++) {
-                t1 = nf_ct_ext_types[i];
+                t1 = rcu_dereference_protected(nf_ct_ext_types[i],
+                                lockdep_is_held(&nf_ct_ext_type_mutex));
                if (!t1)
                        continue;
-                t1->alloc_size = sizeof(struct nf_ct_ext)
+                t1->alloc_size = ALIGN(sizeof(struct nf_ct_ext), t1->align) +
-                                 + ALIGN(sizeof(struct nf_ct_ext), t1->align)
+                                 t1->len;
-                                 + t1->len;
                for (j = 0; j < NF_CT_EXT_NUM; j++) {
-                        t2 = nf_ct_ext_types[j];
+                        t2 = rcu_dereference_protected(nf_ct_ext_types[j],
+                                lockdep_is_held(&nf_ct_ext_type_mutex));
                        if (t2 == NULL || t2 == t1 ||
                            (t2->flags & NF_CT_EXT_F_PREALLOC) == 0)
                                continue;
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index 867882313e49..bcd5ed6b7130 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -631,7 +631,7 @@ static int decode_seqof(bitstr_t *bs, const struct field_t *f,
                CHECK_BOUND(bs, 2);
                count = *bs->cur++;
                count <<= 8;
-                count = *bs->cur++;
+                count += *bs->cur++;
                break;
        case SEMI:
                BYTE_ALIGN(bs);
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index b969025cf82f..18b2ce5c8ced 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -714,7 +714,6 @@ static int callforward_do_filter(const union nf_inet_addr *src,
                                 u_int8_t family)
 {
        const struct nf_afinfo *afinfo;
-        struct flowi fl1, fl2;
        int ret = 0;
        /* rcu_read_lock()ed by nf_hook_slow() */
@@ -722,17 +721,20 @@ static int callforward_do_filter(const union nf_inet_addr *src,
        if (!afinfo)
                return 0;
-        memset(&fl1, 0, sizeof(fl1));
-        memset(&fl2, 0, sizeof(fl2));
        switch (family) {
        case AF_INET: {
+                struct flowi4 fl1, fl2;
                struct rtable *rt1, *rt2;
-                fl1.fl4_dst = src->ip;
+                memset(&fl1, 0, sizeof(fl1));
-                fl2.fl4_dst = dst->ip;
+                fl1.daddr = src->ip;
-                if (!afinfo->route((struct dst_entry **)&rt1, &fl1)) {
-                        if (!afinfo->route((struct dst_entry **)&rt2, &fl2)) {
+                memset(&fl2, 0, sizeof(fl2));
+                fl2.daddr = dst->ip;
+                if (!afinfo->route(&init_net, (struct dst_entry **)&rt1,
+                                   flowi4_to_flowi(&fl1), false)) {
+                        if (!afinfo->route(&init_net, (struct dst_entry **)&rt2,
+                                           flowi4_to_flowi(&fl2), false)) {
                                if (rt1->rt_gateway == rt2->rt_gateway &&
                                    rt1->dst.dev  == rt2->dst.dev)
                                        ret = 1;
@@ -745,12 +747,18 @@ static int callforward_do_filter(const union nf_inet_addr *src,
 #if defined(CONFIG_NF_CONNTRACK_IPV6) || \
    defined(CONFIG_NF_CONNTRACK_IPV6_MODULE)
        case AF_INET6: {
+                struct flowi6 fl1, fl2;
                struct rt6_info *rt1, *rt2;
-                memcpy(&fl1.fl6_dst, src, sizeof(fl1.fl6_dst));
+                memset(&fl1, 0, sizeof(fl1));
-                memcpy(&fl2.fl6_dst, dst, sizeof(fl2.fl6_dst));
+                ipv6_addr_copy(&fl1.daddr, &src->in6);
-                if (!afinfo->route((struct dst_entry **)&rt1, &fl1)) {
-                        if (!afinfo->route((struct dst_entry **)&rt2, &fl2)) {
+                memset(&fl2, 0, sizeof(fl2));
+                ipv6_addr_copy(&fl2.daddr, &dst->in6);
+                if (!afinfo->route(&init_net, (struct dst_entry **)&rt1,
+                                   flowi6_to_flowi(&fl1), false)) {
+                        if (!afinfo->route(&init_net, (struct dst_entry **)&rt2,
+                                           flowi6_to_flowi(&fl2), false)) {
                                if (!memcmp(&rt1->rt6i_gateway, &rt2->rt6i_gateway,
                                            sizeof(rt1->rt6i_gateway)) &&
                                    rt1->dst.dev == rt2->dst.dev)
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 59e1a4cd4e8b..1bdfea357955 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -33,7 +33,6 @@ static DEFINE_MUTEX(nf_ct_helper_mutex);
 static struct hlist_head *nf_ct_helper_hash __read_mostly;
 static unsigned int nf_ct_helper_hsize __read_mostly;
 static unsigned int nf_ct_helper_count __read_mostly;
-static int nf_ct_helper_vmalloc;
 /* Stupid hash, but collision free for the default registrations of the
@@ -158,7 +157,10 @@ static inline int unhelp(struct nf_conntrack_tuple_hash *i,
        struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(i);
        struct nf_conn_help *help = nfct_help(ct);
-        if (help && help->helper == me) {
+        if (help && rcu_dereference_protected(
+                        help->helper,
+                        lockdep_is_held(&nf_conntrack_lock)
+                        ) == me) {
                nf_conntrack_event(IPCT_HELPER, ct);
                rcu_assign_pointer(help->helper, NULL);
        }
@@ -210,7 +212,10 @@ static void __nf_conntrack_helper_unregister(struct nf_conntrack_helper *me,
                hlist_for_each_entry_safe(exp, n, next,
                                          &net->ct.expect_hash[i], hnode) {
                        struct nf_conn_help *help = nfct_help(exp->master);
-                        if ((help->helper == me || exp->helper == me) &&
+                        if ((rcu_dereference_protected(
+                                        help->helper,
+                                        lockdep_is_held(&nf_conntrack_lock)
+                                        ) == me || exp->helper == me) &&
                            del_timer(&exp->timeout)) {
                                nf_ct_unlink_expect(exp);
                                nf_ct_expect_put(exp);
@@ -261,8 +266,7 @@ int nf_conntrack_helper_init(void)
        int err;
        nf_ct_helper_hsize = 1; /* gets rounded up to use one page */
-        nf_ct_helper_hash = nf_ct_alloc_hashtable(&nf_ct_helper_hsize,
+        nf_ct_helper_hash = nf_ct_alloc_hashtable(&nf_ct_helper_hsize, 0);
-                                                  &nf_ct_helper_vmalloc, 0);
        if (!nf_ct_helper_hash)
                return -ENOMEM;
@@ -273,14 +277,12 @@ int nf_conntrack_helper_init(void)
        return 0;
 err1:
-        nf_ct_free_hashtable(nf_ct_helper_hash, nf_ct_helper_vmalloc,
+        nf_ct_free_hashtable(nf_ct_helper_hash, nf_ct_helper_hsize);
-                             nf_ct_helper_hsize);
        return err;
 }
 void nf_conntrack_helper_fini(void)
 {
        nf_ct_extend_unregister(&helper_extend);
-        nf_ct_free_hashtable(nf_ct_helper_hash, nf_ct_helper_vmalloc,
+        nf_ct_free_hashtable(nf_ct_helper_hash, nf_ct_helper_hsize);
-                             nf_ct_helper_hsize);
 }
diff --git a/net/netfilter/nf_conntrack_netbios_ns.c b/net/netfilter/nf_conntrack_netbios_ns.c
index aadde018a072..4c8f30a3d6d2 100644
--- a/net/netfilter/nf_conntrack_netbios_ns.c
+++ b/net/netfilter/nf_conntrack_netbios_ns.c
@@ -18,14 +18,7 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/init.h>
-#include <linux/skbuff.h>
-#include <linux/netdevice.h>
-#include <linux/inetdevice.h>
-#include <linux/if_addr.h>
 #include <linux/in.h>
-#include <linux/ip.h>
-#include <linux/netfilter.h>
-#include <net/route.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_helper.h>
@@ -40,75 +33,26 @@ MODULE_ALIAS("ip_conntrack_netbios_ns");
 MODULE_ALIAS_NFCT_HELPER("netbios_ns");
 static unsigned int timeout __read_mostly = 3;
-module_param(timeout, uint, 0400);
+module_param(timeout, uint, S_IRUSR);
 MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds");
-static int help(struct sk_buff *skb, unsigned int protoff,
-                struct nf_conn *ct, enum ip_conntrack_info ctinfo)
-{
-        struct nf_conntrack_expect *exp;
-        struct iphdr *iph = ip_hdr(skb);
-        struct rtable *rt = skb_rtable(skb);
-        struct in_device *in_dev;
-        __be32 mask = 0;
-        /* we're only interested in locally generated packets */
-        if (skb->sk == NULL)
-                goto out;
-        if (rt == NULL || !(rt->rt_flags & RTCF_BROADCAST))
-                goto out;
-        if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
-                goto out;
-        rcu_read_lock();
-        in_dev = __in_dev_get_rcu(rt->dst.dev);
-        if (in_dev != NULL) {
-                for_primary_ifa(in_dev) {
-                        if (ifa->ifa_broadcast == iph->daddr) {
-                                mask = ifa->ifa_mask;
-                                break;
-                        }
-                } endfor_ifa(in_dev);
-        }
-        rcu_read_unlock();
-        if (mask == 0)
-                goto out;
-        exp = nf_ct_expect_alloc(ct);
-        if (exp == NULL)
-                goto out;
-        exp->tuple                = ct->tuplehash[IP_CT_DIR_REPLY].tuple;
-        exp->tuple.src.u.udp.port = htons(NMBD_PORT);
-        exp->mask.src.u3.ip       = mask;
-        exp->mask.src.u.udp.port  = htons(0xFFFF);
-        exp->expectfn             = NULL;
-        exp->flags                = NF_CT_EXPECT_PERMANENT;
-        exp->class                = NF_CT_EXPECT_CLASS_DEFAULT;
-        exp->helper               = NULL;
-        nf_ct_expect_related(exp);
-        nf_ct_expect_put(exp);
-        nf_ct_refresh(ct, skb, timeout * HZ);
-out:
-        return NF_ACCEPT;
-}
 static struct nf_conntrack_expect_policy exp_policy = {
        .max_expected   = 1,
 };
+static int netbios_ns_help(struct sk_buff *skb, unsigned int protoff,
+                   struct nf_conn *ct, enum ip_conntrack_info ctinfo)
+{
+        return nf_conntrack_broadcast_help(skb, protoff, ct, ctinfo, timeout);
+}
 static struct nf_conntrack_helper helper __read_mostly = {
        .name                   = "netbios-ns",
-        .tuple.src.l3num        = AF_INET,
+        .tuple.src.l3num        = NFPROTO_IPV4,
        .tuple.src.u.udp.port   = cpu_to_be16(NMBD_PORT),
        .tuple.dst.protonum     = IPPROTO_UDP,
        .me                     = THIS_MODULE,
-        .help                   = help,
+        .help                   = netbios_ns_help,
        .expect_policy          = &exp_policy,
 };
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index eead9db6f899..482e90c61850 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -42,6 +42,7 @@
 #include <net/netfilter/nf_conntrack_tuple.h>
 #include <net/netfilter/nf_conntrack_acct.h>
 #include <net/netfilter/nf_conntrack_zones.h>
+#include <net/netfilter/nf_conntrack_timestamp.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_core.h>
 #include <net/netfilter/nf_nat_protocol.h>
@@ -230,6 +231,33 @@ nla_put_failure:
        return -1;
 }
+static int
+ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
+{
+        struct nlattr *nest_count;
+        const struct nf_conn_tstamp *tstamp;
+        tstamp = nf_conn_tstamp_find(ct);
+        if (!tstamp)
+                return 0;
+        nest_count = nla_nest_start(skb, CTA_TIMESTAMP | NLA_F_NESTED);
+        if (!nest_count)
+                goto nla_put_failure;
+        NLA_PUT_BE64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start));
+        if (tstamp->stop != 0) {
+                NLA_PUT_BE64(skb, CTA_TIMESTAMP_STOP,
+                             cpu_to_be64(tstamp->stop));
+        }
+        nla_nest_end(skb, nest_count);
+        return 0;
+nla_put_failure:
+        return -1;
+}
 #ifdef CONFIG_NF_CONNTRACK_MARK
 static inline int
 ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
@@ -404,6 +432,7 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
            ctnetlink_dump_timeout(skb, ct) < 0 ||
            ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
            ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 ||
+            ctnetlink_dump_timestamp(skb, ct) < 0 ||
            ctnetlink_dump_protoinfo(skb, ct) < 0 ||
            ctnetlink_dump_helpinfo(skb, ct) < 0 ||
            ctnetlink_dump_mark(skb, ct) < 0 ||
@@ -471,6 +500,18 @@ ctnetlink_secctx_size(const struct nf_conn *ct)
 }
 static inline size_t
+ctnetlink_timestamp_size(const struct nf_conn *ct)
+{
+#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
+        if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
+                return 0;
+        return nla_total_size(0) + 2 * nla_total_size(sizeof(uint64_t));
+#else
+        return 0;
+#endif
+}
+static inline size_t
 ctnetlink_nlmsg_size(const struct nf_conn *ct)
 {
        return NLMSG_ALIGN(sizeof(struct nfgenmsg))
@@ -481,6 +522,7 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct)
               + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
               + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
               + ctnetlink_counters_size(ct)
+               + ctnetlink_timestamp_size(ct)
               + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
               + nla_total_size(0) /* CTA_PROTOINFO */
               + nla_total_size(0) /* CTA_HELP */
@@ -571,7 +613,8 @@ ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
        if (events & (1 << IPCT_DESTROY)) {
                if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
-                    ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
+                    ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 ||
+                    ctnetlink_dump_timestamp(skb, ct) < 0)
                        goto nla_put_failure;
        } else {
                if (ctnetlink_dump_timeout(skb, ct) < 0)
@@ -761,7 +804,7 @@ static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
 static int
 ctnetlink_parse_tuple(const struct nlattr * const cda[],
                      struct nf_conntrack_tuple *tuple,
-                      enum ctattr_tuple type, u_int8_t l3num)
+                      enum ctattr_type type, u_int8_t l3num)
 {
        struct nlattr *tb[CTA_TUPLE_MAX+1];
        int err;
@@ -1291,6 +1334,7 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
        struct nf_conn *ct;
        int err = -EINVAL;
        struct nf_conntrack_helper *helper;
+        struct nf_conn_tstamp *tstamp;
        ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
        if (IS_ERR(ct))
@@ -1358,6 +1402,7 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
        }
        nf_ct_acct_ext_add(ct, GFP_ATOMIC);
+        nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
        nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
        /* we must add conntrack extensions before confirmation. */
        ct->status |= IPS_CONFIRMED;
@@ -1376,6 +1421,7 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
        }
 #endif
+        memset(&ct->proto, 0, sizeof(ct->proto));
        if (cda[CTA_PROTOINFO]) {
                err = ctnetlink_change_protoinfo(ct, cda);
                if (err < 0)
@@ -1406,6 +1452,9 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
                __set_bit(IPS_EXPECTED_BIT, &ct->status);
                ct->master = master_ct;
        }
+        tstamp = nf_conn_tstamp_find(ct);
+        if (tstamp)
+                tstamp->start = ktime_to_ns(ktime_get_real());
        add_timer(&ct->timeout);
        nf_conntrack_hash_insert(ct);
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index dc7bb74110df..5701c8dd783c 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -166,6 +166,7 @@ static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto
 int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
 {
        int ret = 0;
+        struct nf_conntrack_l3proto *old;
        if (proto->l3proto >= AF_MAX)
                return -EBUSY;
@@ -174,7 +175,9 @@ int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
                return -EINVAL;
        mutex_lock(&nf_ct_proto_mutex);
-        if (nf_ct_l3protos[proto->l3proto] != &nf_conntrack_l3proto_generic) {
+        old = rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],
+                                        lockdep_is_held(&nf_ct_proto_mutex));
+        if (old != &nf_conntrack_l3proto_generic) {
                ret = -EBUSY;
                goto out_unlock;
        }
@@ -201,7 +204,9 @@ void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
        BUG_ON(proto->l3proto >= AF_MAX);
        mutex_lock(&nf_ct_proto_mutex);
-        BUG_ON(nf_ct_l3protos[proto->l3proto] != proto);
+        BUG_ON(rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],
+                                         lockdep_is_held(&nf_ct_proto_mutex)
+                                         ) != proto);
        rcu_assign_pointer(nf_ct_l3protos[proto->l3proto],
                           &nf_conntrack_l3proto_generic);
        nf_ct_l3proto_unregister_sysctl(proto);
@@ -279,7 +284,7 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
        mutex_lock(&nf_ct_proto_mutex);
        if (!nf_ct_protos[l4proto->l3proto]) {
                /* l3proto may be loaded latter. */
-                struct nf_conntrack_l4proto **proto_array;
+                struct nf_conntrack_l4proto __rcu **proto_array;
                int i;
                proto_array = kmalloc(MAX_NF_CT_PROTO *
@@ -291,7 +296,7 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
                }
                for (i = 0; i < MAX_NF_CT_PROTO; i++)
-                        proto_array[i] = &nf_conntrack_l4proto_generic;
+                        RCU_INIT_POINTER(proto_array[i], &nf_conntrack_l4proto_generic);
                /* Before making proto_array visible to lockless readers,
                 * we must make sure its content is committed to memory.
@@ -299,8 +304,10 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
                smp_wmb();
                nf_ct_protos[l4proto->l3proto] = proto_array;
-        } else if (nf_ct_protos[l4proto->l3proto][l4proto->l4proto] !=
+        } else if (rcu_dereference_protected(
-                                        &nf_conntrack_l4proto_generic) {
+                        nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
+                        lockdep_is_held(&nf_ct_proto_mutex)
+                        ) != &nf_conntrack_l4proto_generic) {
                ret = -EBUSY;
                goto out_unlock;
        }
@@ -331,7 +338,10 @@ void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto)
        BUG_ON(l4proto->l3proto >= PF_MAX);
        mutex_lock(&nf_ct_proto_mutex);
-        BUG_ON(nf_ct_protos[l4proto->l3proto][l4proto->l4proto] != l4proto);
+        BUG_ON(rcu_dereference_protected(
+                        nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
+                        lockdep_is_held(&nf_ct_proto_mutex)
+                        ) != l4proto);
        rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
                           &nf_conntrack_l4proto_generic);
        nf_ct_l4proto_unregister_sysctl(l4proto);
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 5292560d6d4a..2e664a69d7db 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -98,7 +98,7 @@ static const char * const dccp_state_names[] = {
 #define sIV     CT_DCCP_INVALID
 /*
- * DCCP state transistion table
+ * DCCP state transition table
 *
 * The assumption is the same as for TCP tracking:
 *
@@ -452,6 +452,9 @@ static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
        ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
        ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
        ct->proto.dccp.state = CT_DCCP_NONE;
+        ct->proto.dccp.last_pkt = DCCP_PKT_REQUEST;
+        ct->proto.dccp.last_dir = IP_CT_DIR_ORIGINAL;
+        ct->proto.dccp.handshake_seq = 0;
        return true;
 out_invalid:
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index c6049c2d5ea8..6772b1154654 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -107,9 +107,9 @@ static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
 /* abort        */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
 /* shutdown     */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA},
 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA},
-/* error        */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant have Stale cookie*/
+/* error        */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't have Stale cookie*/
 /* cookie_echo  */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA},/* 5.2.4 - Big TODO */
-/* cookie_ack   */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in orig dir */
+/* cookie_ack   */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't come in orig dir */
 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL}
        },
        {
@@ -121,7 +121,7 @@ static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
 /* shutdown     */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA},
 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA},
 /* error        */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA},
-/* cookie_echo  */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in reply dir */
+/* cookie_echo  */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Can't come in reply dir */
 /* cookie_ack   */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA},
 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL}
        }
@@ -413,6 +413,7 @@ static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
            test_bit(SCTP_CID_COOKIE_ACK, map))
                return false;
+        memset(&ct->proto.sctp, 0, sizeof(ct->proto.sctp));
        new_state = SCTP_CONNTRACK_MAX;
        for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
                /* Don't need lock here: this conntrack not in circulation yet */
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 3fb2b73b24dc..37bf94394be0 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -227,11 +227,11 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
 *      sCL -> sIV
 */
 /*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
-/*synack*/ { sIV, sSR, sSR, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
+/*synack*/ { sIV, sSR, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
 /*
 *      sSS -> sSR      Standard open.
 *      sS2 -> sSR      Simultaneous open
- *      sSR -> sSR      Retransmitted SYN/ACK.
+ *      sSR -> sIG      Retransmitted SYN/ACK, ignore it.
 *      sES -> sIG      Late retransmitted SYN/ACK?
 *      sFW -> sIG      Might be SYN/ACK answering ignored SYN
 *      sCW -> sIG
@@ -1066,9 +1066,7 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
        BUG_ON(th == NULL);
        /* Don't need lock here: this conntrack not in circulation yet */
-        new_state
+        new_state = tcp_conntracks[0][get_conntrack_index(th)][TCP_CONNTRACK_NONE];
-                = tcp_conntracks[0][get_conntrack_index(th)]
-                [TCP_CONNTRACK_NONE];
        /* Invalid: delete conntrack */
        if (new_state >= TCP_CONNTRACK_MAX) {
@@ -1077,6 +1075,7 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
        }
        if (new_state == TCP_CONNTRACK_SYN_SENT) {
+                memset(&ct->proto.tcp, 0, sizeof(ct->proto.tcp));
                /* SYN packet */
                ct->proto.tcp.seen[0].td_end =
                        segment_seq_plus_len(ntohl(th->seq), skb->len,
@@ -1088,11 +1087,11 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
                        ct->proto.tcp.seen[0].td_end;
                tcp_options(skb, dataoff, th, &ct->proto.tcp.seen[0]);
-                ct->proto.tcp.seen[1].flags = 0;
        } else if (nf_ct_tcp_loose == 0) {
                /* Don't try to pick up connections. */
                return false;
        } else {
+                memset(&ct->proto.tcp, 0, sizeof(ct->proto.tcp));
                /*
                 * We are in the middle of a connection,
                 * its history is lost for us.
@@ -1107,7 +1106,6 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
                ct->proto.tcp.seen[0].td_maxend =
                        ct->proto.tcp.seen[0].td_end +
                        ct->proto.tcp.seen[0].td_maxwin;
-                ct->proto.tcp.seen[0].td_scale = 0;
                /* We assume SACK and liberal window checking to handle
                 * window scaling */
@@ -1116,13 +1114,7 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
                                              IP_CT_TCP_FLAG_BE_LIBERAL;
        }
-        ct->proto.tcp.seen[1].td_end = 0;
-        ct->proto.tcp.seen[1].td_maxend = 0;
-        ct->proto.tcp.seen[1].td_maxwin = 0;
-        ct->proto.tcp.seen[1].td_scale = 0;
        /* tcp_packet will set them */
-        ct->proto.tcp.state = TCP_CONNTRACK_NONE;
        ct->proto.tcp.last_index = TCP_NONE_SET;
        pr_debug("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i "
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index bcf47eb518ef..cb5a28581782 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -707,7 +707,7 @@ static const char *ct_sdp_header_search(const char *dptr, const char *limit,
 }
 /* Locate a SDP header (optionally a substring within the header value),
- * optionally stopping at the first occurence of the term header, parse
+ * optionally stopping at the first occurrence of the term header, parse
 * it and return the offset and length of the data we're interested in.
 */
 int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
@@ -1419,6 +1419,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
        const char *dptr, *end;
        s16 diff, tdiff = 0;
        int ret = NF_ACCEPT;
+        bool term;
        typeof(nf_nat_sip_seq_adjust_hook) nf_nat_sip_seq_adjust;
        if (ctinfo != IP_CT_ESTABLISHED &&
@@ -1453,14 +1454,21 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
                if (dptr + matchoff == end)
                        break;
-                if (end + strlen("\r\n\r\n") > dptr + datalen)
+                term = false;
-                        break;
+                for (; end + strlen("\r\n\r\n") <= dptr + datalen; end++) {
-                if (end[0] != '\r' || end[1] != '\n' ||
+                        if (end[0] == '\r' && end[1] == '\n' &&
-                    end[2] != '\r' || end[3] != '\n')
+                            end[2] == '\r' && end[3] == '\n') {
+                                term = true;
+                                break;
+                        }
+                }
+                if (!term)
                        break;
                end += strlen("\r\n\r\n") + clen;
                msglen = origlen = end - dptr;
+                if (msglen > datalen)
+                        return NF_DROP;
                ret = process_sip_msg(skb, ct, dataoff, &dptr, &msglen);
                if (ret != NF_ACCEPT)
diff --git a/net/netfilter/nf_conntrack_snmp.c b/net/netfilter/nf_conntrack_snmp.c
new file mode 100644
index 000000000000..6e545e26289e
--- /dev/null
+++ b/net/netfilter/nf_conntrack_snmp.c
@@ -0,0 +1,77 @@
+/*
+ *      SNMP service broadcast connection tracking helper
+ *
+ *      (c) 2011 Jiri Olsa <jolsa@redhat.com>
+ *
+ *      This program is free software; you can redistribute it and/or
+ *      modify it under the terms of the GNU General Public License
+ *      as published by the Free Software Foundation; either version
+ *      2 of the License, or (at your option) any later version.
+ */
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/in.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_helper.h>
+#include <net/netfilter/nf_conntrack_expect.h>
+#define SNMP_PORT       161
+MODULE_AUTHOR("Jiri Olsa <jolsa@redhat.com>");
+MODULE_DESCRIPTION("SNMP service broadcast connection tracking helper");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS_NFCT_HELPER("snmp");
+static unsigned int timeout __read_mostly = 30;
+module_param(timeout, uint, S_IRUSR);
+MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds");
+int (*nf_nat_snmp_hook)(struct sk_buff *skb,
+                        unsigned int protoff,
+                        struct nf_conn *ct,
+                        enum ip_conntrack_info ctinfo);
+EXPORT_SYMBOL_GPL(nf_nat_snmp_hook);
+static int snmp_conntrack_help(struct sk_buff *skb, unsigned int protoff,
+                struct nf_conn *ct, enum ip_conntrack_info ctinfo)
+{
+        typeof(nf_nat_snmp_hook) nf_nat_snmp;
+        nf_conntrack_broadcast_help(skb, protoff, ct, ctinfo, timeout);
+        nf_nat_snmp = rcu_dereference(nf_nat_snmp_hook);
+        if (nf_nat_snmp && ct->status & IPS_NAT_MASK)
+                return nf_nat_snmp(skb, protoff, ct, ctinfo);
+        return NF_ACCEPT;
+}
+static struct nf_conntrack_expect_policy exp_policy = {
+        .max_expected   = 1,
+};
+static struct nf_conntrack_helper helper __read_mostly = {
+        .name                   = "snmp",
+        .tuple.src.l3num        = NFPROTO_IPV4,
+        .tuple.src.u.udp.port   = cpu_to_be16(SNMP_PORT),
+        .tuple.dst.protonum     = IPPROTO_UDP,
+        .me                     = THIS_MODULE,
+        .help                   = snmp_conntrack_help,
+        .expect_policy          = &exp_policy,
+};
+static int __init nf_conntrack_snmp_init(void)
+{
+        exp_policy.timeout = timeout;
+        return nf_conntrack_helper_register(&helper);
+}
+static void __exit nf_conntrack_snmp_fini(void)
+{
+        nf_conntrack_helper_unregister(&helper);
+}
+module_init(nf_conntrack_snmp_init);
+module_exit(nf_conntrack_snmp_fini);
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index b4d7f0f24b27..05e9feb101c3 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -29,6 +29,8 @@
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_acct.h>
 #include <net/netfilter/nf_conntrack_zones.h>
+#include <net/netfilter/nf_conntrack_timestamp.h>
+#include <linux/rculist_nulls.h>
 MODULE_LICENSE("GPL");
@@ -45,6 +47,7 @@ EXPORT_SYMBOL_GPL(print_tuple);
 struct ct_iter_state {
        struct seq_net_private p;
        unsigned int bucket;
+        u_int64_t time_now;
 };
 static struct hlist_nulls_node *ct_get_first(struct seq_file *seq)
@@ -56,7 +59,7 @@ static struct hlist_nulls_node *ct_get_first(struct seq_file *seq)
        for (st->bucket = 0;
             st->bucket < net->ct.htable_size;
             st->bucket++) {
-                n = rcu_dereference(net->ct.hash[st->bucket].first);
+                n = rcu_dereference(hlist_nulls_first_rcu(&net->ct.hash[st->bucket]));
                if (!is_a_nulls(n))
                        return n;
        }
@@ -69,13 +72,15 @@ static struct hlist_nulls_node *ct_get_next(struct seq_file *seq,
        struct net *net = seq_file_net(seq);
        struct ct_iter_state *st = seq->private;
-        head = rcu_dereference(head->next);
+        head = rcu_dereference(hlist_nulls_next_rcu(head));
        while (is_a_nulls(head)) {
                if (likely(get_nulls_value(head) == st->bucket)) {
                        if (++st->bucket >= net->ct.htable_size)
                                return NULL;
                }
-                head = rcu_dereference(net->ct.hash[st->bucket].first);
+                head = rcu_dereference(
+                                hlist_nulls_first_rcu(
+                                        &net->ct.hash[st->bucket]));
        }
        return head;
 }
@@ -93,6 +98,9 @@ static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos)
 static void *ct_seq_start(struct seq_file *seq, loff_t *pos)
        __acquires(RCU)
 {
+        struct ct_iter_state *st = seq->private;
+        st->time_now = ktime_to_ns(ktime_get_real());
        rcu_read_lock();
        return ct_get_idx(seq, *pos);
 }
@@ -132,6 +140,34 @@ static inline int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
 }
 #endif
+#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
+static int ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct)
+{
+        struct ct_iter_state *st = s->private;
+        struct nf_conn_tstamp *tstamp;
+        s64 delta_time;
+        tstamp = nf_conn_tstamp_find(ct);
+        if (tstamp) {
+                delta_time = st->time_now - tstamp->start;
+                if (delta_time > 0)
+                        delta_time = div_s64(delta_time, NSEC_PER_SEC);
+                else
+                        delta_time = 0;
+                return seq_printf(s, "delta-time=%llu ",
+                                  (unsigned long long)delta_time);
+        }
+        return 0;
+}
+#else
+static inline int
+ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct)
+{
+        return 0;
+}
+#endif
 /* return 0 on success, 1 in case of error */
 static int ct_seq_show(struct seq_file *s, void *v)
 {
@@ -200,13 +236,16 @@ static int ct_seq_show(struct seq_file *s, void *v)
                goto release;
 #endif
+        if (ct_show_delta_time(s, ct))
+                goto release;
        if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
                goto release;
        ret = 0;
 release:
        nf_ct_put(ct);
-        return 0;
+        return ret;
 }
 static const struct seq_operations ct_seq_ops = {
diff --git a/net/netfilter/nf_conntrack_timestamp.c b/net/netfilter/nf_conntrack_timestamp.c
new file mode 100644
index 000000000000..af7dd31af0a1
--- /dev/null
+++ b/net/netfilter/nf_conntrack_timestamp.c
@@ -0,0 +1,120 @@
+/*
+ * (C) 2010 Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation (or any later at your option).
+ */
+#include <linux/netfilter.h>
+#include <linux/slab.h>
+#include <linux/kernel.h>
+#include <linux/moduleparam.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_extend.h>
+#include <net/netfilter/nf_conntrack_timestamp.h>
+static int nf_ct_tstamp __read_mostly;
+module_param_named(tstamp, nf_ct_tstamp, bool, 0644);
+MODULE_PARM_DESC(tstamp, "Enable connection tracking flow timestamping.");
+#ifdef CONFIG_SYSCTL
+static struct ctl_table tstamp_sysctl_table[] = {
+        {
+                .procname       = "nf_conntrack_timestamp",
+                .data           = &init_net.ct.sysctl_tstamp,
+                .maxlen         = sizeof(unsigned int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec,
+        },
+        {}
+};
+#endif /* CONFIG_SYSCTL */
+static struct nf_ct_ext_type tstamp_extend __read_mostly = {
+        .len    = sizeof(struct nf_conn_tstamp),
+        .align  = __alignof__(struct nf_conn_tstamp),
+        .id     = NF_CT_EXT_TSTAMP,
+};
+#ifdef CONFIG_SYSCTL
+static int nf_conntrack_tstamp_init_sysctl(struct net *net)
+{
+        struct ctl_table *table;
+        table = kmemdup(tstamp_sysctl_table, sizeof(tstamp_sysctl_table),
+                        GFP_KERNEL);
+        if (!table)
+                goto out;
+        table[0].data = &net->ct.sysctl_tstamp;
+        net->ct.tstamp_sysctl_header = register_net_sysctl_table(net,
+                        nf_net_netfilter_sysctl_path, table);
+        if (!net->ct.tstamp_sysctl_header) {
+                printk(KERN_ERR "nf_ct_tstamp: can't register to sysctl.\n");
+                goto out_register;
+        }
+        return 0;
+out_register:
+        kfree(table);
+out:
+        return -ENOMEM;
+}
+static void nf_conntrack_tstamp_fini_sysctl(struct net *net)
+{
+        struct ctl_table *table;
+        table = net->ct.tstamp_sysctl_header->ctl_table_arg;
+        unregister_net_sysctl_table(net->ct.tstamp_sysctl_header);
+        kfree(table);
+}
+#else
+static int nf_conntrack_tstamp_init_sysctl(struct net *net)
+{
+        return 0;
+}
+static void nf_conntrack_tstamp_fini_sysctl(struct net *net)
+{
+}
+#endif
+int nf_conntrack_tstamp_init(struct net *net)
+{
+        int ret;
+        net->ct.sysctl_tstamp = nf_ct_tstamp;
+        if (net_eq(net, &init_net)) {
+                ret = nf_ct_extend_register(&tstamp_extend);
+                if (ret < 0) {
+                        printk(KERN_ERR "nf_ct_tstamp: Unable to register "
+                                        "extension\n");
+                        goto out_extend_register;
+                }
+        }
+        ret = nf_conntrack_tstamp_init_sysctl(net);
+        if (ret < 0)
+                goto out_sysctl;
+        return 0;
+out_sysctl:
+        if (net_eq(net, &init_net))
+                nf_ct_extend_unregister(&tstamp_extend);
+out_extend_register:
+        return ret;
+}
+void nf_conntrack_tstamp_fini(struct net *net)
+{
+        nf_conntrack_tstamp_fini_sysctl(net);
+        if (net_eq(net, &init_net))
+                nf_ct_extend_unregister(&tstamp_extend);
+}
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index b07393eab88e..20714edf6cd2 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -85,6 +85,8 @@ EXPORT_SYMBOL(nf_log_unregister);
 int nf_log_bind_pf(u_int8_t pf, const struct nf_logger *logger)
 {
+        if (pf >= ARRAY_SIZE(nf_loggers))
+                return -EINVAL;
        mutex_lock(&nf_log_mutex);
        if (__find_logger(pf, logger->name) == NULL) {
                mutex_unlock(&nf_log_mutex);
@@ -98,6 +100,8 @@ EXPORT_SYMBOL(nf_log_bind_pf);
 void nf_log_unbind_pf(u_int8_t pf)
 {
+        if (pf >= ARRAY_SIZE(nf_loggers))
+                return;
        mutex_lock(&nf_log_mutex);
        rcu_assign_pointer(nf_loggers[pf], NULL);
        mutex_unlock(&nf_log_mutex);
@@ -161,7 +165,8 @@ static int seq_show(struct seq_file *s, void *v)
        struct nf_logger *t;
        int ret;
-        logger = nf_loggers[*pos];
+        logger = rcu_dereference_protected(nf_loggers[*pos],
+                                           lockdep_is_held(&nf_log_mutex));
        if (!logger)
                ret = seq_printf(s, "%2lld NONE (", *pos);
@@ -249,7 +254,8 @@ static int nf_log_proc_dostring(ctl_table *table, int write,
                mutex_unlock(&nf_log_mutex);
        } else {
                mutex_lock(&nf_log_mutex);
-                logger = nf_loggers[tindex];
+                logger = rcu_dereference_protected(nf_loggers[tindex],
+                                                   lockdep_is_held(&nf_log_mutex));
                if (!logger)
                        table->data = "NONE";
                else
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 74aebed5bd28..5b466cd1272f 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -27,14 +27,17 @@ static DEFINE_MUTEX(queue_handler_mutex);
 int nf_register_queue_handler(u_int8_t pf, const struct nf_queue_handler *qh)
 {
        int ret;
+        const struct nf_queue_handler *old;
        if (pf >= ARRAY_SIZE(queue_handler))
                return -EINVAL;
        mutex_lock(&queue_handler_mutex);
-        if (queue_handler[pf] == qh)
+        old = rcu_dereference_protected(queue_handler[pf],
+                                        lockdep_is_held(&queue_handler_mutex));
+        if (old == qh)
                ret = -EEXIST;
-        else if (queue_handler[pf])
+        else if (old)
                ret = -EBUSY;
        else {
                rcu_assign_pointer(queue_handler[pf], qh);
@@ -49,11 +52,15 @@ EXPORT_SYMBOL(nf_register_queue_handler);
 /* The caller must flush their queue before this */
 int nf_unregister_queue_handler(u_int8_t pf, const struct nf_queue_handler *qh)
 {
+        const struct nf_queue_handler *old;
        if (pf >= ARRAY_SIZE(queue_handler))
                return -EINVAL;
        mutex_lock(&queue_handler_mutex);
-        if (queue_handler[pf] && queue_handler[pf] != qh) {
+        old = rcu_dereference_protected(queue_handler[pf],
+                                        lockdep_is_held(&queue_handler_mutex));
+        if (old && old != qh) {
                mutex_unlock(&queue_handler_mutex);
                return -EINVAL;
        }
@@ -73,7 +80,10 @@ void nf_unregister_queue_handlers(const struct nf_queue_handler *qh)
        mutex_lock(&queue_handler_mutex);
        for (pf = 0; pf < ARRAY_SIZE(queue_handler); pf++)  {
-                if (queue_handler[pf] == qh)
+                if (rcu_dereference_protected(
+                                queue_handler[pf],
+                                lockdep_is_held(&queue_handler_mutex)
+                                ) == qh)
                        rcu_assign_pointer(queue_handler[pf], NULL);
        }
        mutex_unlock(&queue_handler_mutex);
@@ -115,7 +125,7 @@ static int __nf_queue(struct sk_buff *skb,
                      int (*okfn)(struct sk_buff *),
                      unsigned int queuenum)
 {
-        int status;
+        int status = -ENOENT;
        struct nf_queue_entry *entry = NULL;
 #ifdef CONFIG_BRIDGE_NETFILTER
        struct net_device *physindev;
@@ -124,20 +134,24 @@ static int __nf_queue(struct sk_buff *skb,
        const struct nf_afinfo *afinfo;
        const struct nf_queue_handler *qh;
-        /* QUEUE == DROP if noone is waiting, to be safe. */
+        /* QUEUE == DROP if no one is waiting, to be safe. */
        rcu_read_lock();
        qh = rcu_dereference(queue_handler[pf]);
-        if (!qh)
+        if (!qh) {
+                status = -ESRCH;
                goto err_unlock;
+        }
        afinfo = nf_get_afinfo(pf);
        if (!afinfo)
                goto err_unlock;
        entry = kmalloc(sizeof(*entry) + afinfo->route_key_size, GFP_ATOMIC);
-        if (!entry)
+        if (!entry) {
+                status = -ENOMEM;
                goto err_unlock;
+        }
        *entry = (struct nf_queue_entry) {
                .skb    = skb,
@@ -151,11 +165,9 @@ static int __nf_queue(struct sk_buff *skb,
        /* If it's going away, ignore hook. */
        if (!try_module_get(entry->elem->owner)) {
-                rcu_read_unlock();
+                status = -ECANCELED;
-                kfree(entry);
+                goto err_unlock;
-                return 0;
        }
        /* Bump dev refs so they don't vanish while packet is out */
        if (indev)
                dev_hold(indev);
@@ -182,14 +194,13 @@ static int __nf_queue(struct sk_buff *skb,
                goto err;
        }
-        return 1;
+        return 0;
 err_unlock:
        rcu_read_unlock();
 err:
-        kfree_skb(skb);
        kfree(entry);
-        return 1;
+        return status;
 }
 int nf_queue(struct sk_buff *skb,
@@ -201,6 +212,8 @@ int nf_queue(struct sk_buff *skb,
             unsigned int queuenum)
 {
        struct sk_buff *segs;
+        int err;
+        unsigned int queued;
        if (!skb_is_gso(skb))
                return __nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
@@ -216,20 +229,35 @@ int nf_queue(struct sk_buff *skb,
        }
        segs = skb_gso_segment(skb, 0);
-        kfree_skb(skb);
+        /* Does not use PTR_ERR to limit the number of error codes that can be
+         * returned by nf_queue.  For instance, callers rely on -ECANCELED to mean
+         * 'ignore this hook'.
+         */
        if (IS_ERR(segs))
-                return 1;
+                return -EINVAL;
+        queued = 0;
+        err = 0;
        do {
                struct sk_buff *nskb = segs->next;
                segs->next = NULL;
-                if (!__nf_queue(segs, elem, pf, hook, indev, outdev, okfn,
+                if (err == 0)
-                                queuenum))
+                        err = __nf_queue(segs, elem, pf, hook, indev,
+                                           outdev, okfn, queuenum);
+                if (err == 0)
+                        queued++;
+                else
                        kfree_skb(segs);
                segs = nskb;
        } while (segs);
-        return 1;
+        /* also free orig skb if only some segments were queued */
+        if (unlikely(err && queued))
+                err = 0;
+        if (err == 0)
+                kfree_skb(skb);
+        return err;
 }
 void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
@@ -237,6 +265,7 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
        struct sk_buff *skb = entry->skb;
        struct list_head *elem = &entry->elem->list;
        const struct nf_afinfo *afinfo;
+        int err;
        rcu_read_lock();
@@ -270,10 +299,17 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
                local_bh_enable();
                break;
        case NF_QUEUE:
-                if (!__nf_queue(skb, elem, entry->pf, entry->hook,
+                err = __nf_queue(skb, elem, entry->pf, entry->hook,
-                                entry->indev, entry->outdev, entry->okfn,
+                                 entry->indev, entry->outdev, entry->okfn,
-                                verdict >> NF_VERDICT_BITS))
+                                 verdict >> NF_VERDICT_QBITS);
-                        goto next_hook;
+                if (err < 0) {
+                        if (err == -ECANCELED)
+                                goto next_hook;
+                        if (err == -ESRCH &&
+                           (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
+                                goto next_hook;
+                        kfree_skb(skb);
+                }
                break;
        case NF_STOLEN:
        default:
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 6a1572b0ab41..e0ee010935e7 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -376,13 +376,11 @@ __build_packet_message(struct nfulnl_instance *inst,
                        unsigned int hooknum,
                        const struct net_device *indev,
                        const struct net_device *outdev,
-                        const struct nf_loginfo *li,
                        const char *prefix, unsigned int plen)
 {
        struct nfulnl_msg_packet_hdr pmsg;
        struct nlmsghdr *nlh;
        struct nfgenmsg *nfmsg;
-        __be32 tmp_uint;
        sk_buff_data_t old_tail = inst->skb->tail;
        nlh = NLMSG_PUT(inst->skb, 0, 0,
@@ -429,7 +427,6 @@ __build_packet_message(struct nfulnl_instance *inst,
        }
        if (outdev) {
-                tmp_uint = htonl(outdev->ifindex);
 #ifndef CONFIG_BRIDGE_NETFILTER
                NLA_PUT_BE32(inst->skb, NFULA_IFINDEX_OUTDEV,
                             htonl(outdev->ifindex));
@@ -652,7 +649,7 @@ nfulnl_log_packet(u_int8_t pf,
        inst->qlen++;
        __build_packet_message(inst, skb, data_len, pf,
-                                hooknum, in, out, li, prefix, plen);
+                                hooknum, in, out, prefix, plen);
        if (inst->qlen >= qthreshold)
                __nfulnl_flush(inst);
@@ -874,19 +871,19 @@ static struct hlist_node *get_first(struct iter_state *st)
        for (st->bucket = 0; st->bucket < INSTANCE_BUCKETS; st->bucket++) {
                if (!hlist_empty(&instance_table[st->bucket]))
-                        return rcu_dereference_bh(instance_table[st->bucket].first);
+                        return rcu_dereference_bh(hlist_first_rcu(&instance_table[st->bucket]));
        }
        return NULL;
 }
 static struct hlist_node *get_next(struct iter_state *st, struct hlist_node *h)
 {
-        h = rcu_dereference_bh(h->next);
+        h = rcu_dereference_bh(hlist_next_rcu(h));
        while (!h) {
                if (++st->bucket >= INSTANCE_BUCKETS)
                        return NULL;
-                h = rcu_dereference_bh(instance_table[st->bucket].first);
+                h = rcu_dereference_bh(hlist_first_rcu(&instance_table[st->bucket]));
        }
        return h;
 }
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 68e67d19724d..b83123f12b42 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -387,25 +387,31 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
 {
        struct sk_buff *nskb;
        struct nfqnl_instance *queue;
-        int err;
+        int err = -ENOBUFS;
        /* rcu_read_lock()ed by nf_hook_slow() */
        queue = instance_lookup(queuenum);
-        if (!queue)
+        if (!queue) {
+                err = -ESRCH;
                goto err_out;
+        }
-        if (queue->copy_mode == NFQNL_COPY_NONE)
+        if (queue->copy_mode == NFQNL_COPY_NONE) {
+                err = -EINVAL;
                goto err_out;
+        }
        nskb = nfqnl_build_packet_message(queue, entry);
-        if (nskb == NULL)
+        if (nskb == NULL) {
+                err = -ENOMEM;
                goto err_out;
+        }
        spin_lock_bh(&queue->lock);
-        if (!queue->peer_pid)
+        if (!queue->peer_pid) {
+                err = -EINVAL;
                goto err_out_free_nskb;
+        }
        if (queue->queue_total >= queue->queue_maxlen) {
                queue->queue_dropped++;
                if (net_ratelimit())
@@ -432,7 +438,7 @@ err_out_free_nskb:
 err_out_unlock:
        spin_unlock_bh(&queue->lock);
 err_out:
-        return -1;
+        return err;
 }
 static int
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index c94237631077..b0869fe3633b 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -23,6 +23,7 @@
 #include <linux/mutex.h>
 #include <linux/mm.h>
 #include <linux/slab.h>
+#include <linux/audit.h>
 #include <net/net_namespace.h>
 #include <linux/netfilter/x_tables.h>
@@ -38,9 +39,8 @@ MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
 #define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
 struct compat_delta {
-        struct compat_delta *next;
+        unsigned int offset; /* offset in kernel */
-        unsigned int offset;
+        int delta; /* delta in 32bit user land */
-        int delta;
 };
 struct xt_af {
@@ -49,7 +49,9 @@ struct xt_af {
        struct list_head target;
 #ifdef CONFIG_COMPAT
        struct mutex compat_mutex;
-        struct compat_delta *compat_offsets;
+        struct compat_delta *compat_tab;
+        unsigned int number; /* number of slots in compat_tab[] */
+        unsigned int cur; /* number of used slots in compat_tab[] */
 #endif
 };
@@ -181,14 +183,14 @@ EXPORT_SYMBOL(xt_unregister_matches);
 /*
 * These are weird, but module loading must not be done with mutex
 * held (since they will register), and we have to have a single
- * function to use try_then_request_module().
+ * function to use.
 */
 /* Find match, grabs ref.  Returns ERR_PTR() on error. */
 struct xt_match *xt_find_match(u8 af, const char *name, u8 revision)
 {
        struct xt_match *m;
-        int err = 0;
+        int err = -ENOENT;
        if (mutex_lock_interruptible(&xt[af].mutex) != 0)
                return ERR_PTR(-EINTR);
@@ -219,9 +221,13 @@ xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
 {
        struct xt_match *match;
-        match = try_then_request_module(xt_find_match(nfproto, name, revision),
+        match = xt_find_match(nfproto, name, revision);
-                                        "%st_%s", xt_prefix[nfproto], name);
+        if (IS_ERR(match)) {
-        return (match != NULL) ? match : ERR_PTR(-ENOENT);
+                request_module("%st_%s", xt_prefix[nfproto], name);
+                match = xt_find_match(nfproto, name, revision);
+        }
+        return match;
 }
 EXPORT_SYMBOL_GPL(xt_request_find_match);
@@ -229,7 +235,7 @@ EXPORT_SYMBOL_GPL(xt_request_find_match);
 struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
 {
        struct xt_target *t;
-        int err = 0;
+        int err = -ENOENT;
        if (mutex_lock_interruptible(&xt[af].mutex) != 0)
                return ERR_PTR(-EINTR);
@@ -259,9 +265,13 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
 {
        struct xt_target *target;
-        target = try_then_request_module(xt_find_target(af, name, revision),
+        target = xt_find_target(af, name, revision);
-                                         "%st_%s", xt_prefix[af], name);
+        if (IS_ERR(target)) {
-        return (target != NULL) ? target : ERR_PTR(-ENOENT);
+                request_module("%st_%s", xt_prefix[af], name);
+                target = xt_find_target(af, name, revision);
+        }
+        return target;
 }
 EXPORT_SYMBOL_GPL(xt_request_find_target);
@@ -414,54 +424,67 @@ int xt_check_match(struct xt_mtchk_param *par,
 EXPORT_SYMBOL_GPL(xt_check_match);
 #ifdef CONFIG_COMPAT
-int xt_compat_add_offset(u_int8_t af, unsigned int offset, short delta)
+int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta)
 {
-        struct compat_delta *tmp;
+        struct xt_af *xp = &xt[af];
-        tmp = kmalloc(sizeof(struct compat_delta), GFP_KERNEL);
+        if (!xp->compat_tab) {
-        if (!tmp)
+                if (!xp->number)
-                return -ENOMEM;
+                        return -EINVAL;
+                xp->compat_tab = vmalloc(sizeof(struct compat_delta) * xp->number);
+                if (!xp->compat_tab)
+                        return -ENOMEM;
+                xp->cur = 0;
+        }
-        tmp->offset = offset;
+        if (xp->cur >= xp->number)
-        tmp->delta = delta;
+                return -EINVAL;
-        if (xt[af].compat_offsets) {
+        if (xp->cur)
-                tmp->next = xt[af].compat_offsets->next;
+                delta += xp->compat_tab[xp->cur - 1].delta;
-                xt[af].compat_offsets->next = tmp;
+        xp->compat_tab[xp->cur].offset = offset;
-        } else {
+        xp->compat_tab[xp->cur].delta = delta;
-                xt[af].compat_offsets = tmp;
+        xp->cur++;
-                tmp->next = NULL;
-        }
        return 0;
 }
 EXPORT_SYMBOL_GPL(xt_compat_add_offset);
 void xt_compat_flush_offsets(u_int8_t af)
 {
-        struct compat_delta *tmp, *next;
+        if (xt[af].compat_tab) {
+                vfree(xt[af].compat_tab);
-        if (xt[af].compat_offsets) {
+                xt[af].compat_tab = NULL;
-                for (tmp = xt[af].compat_offsets; tmp; tmp = next) {
+                xt[af].number = 0;
-                        next = tmp->next;
+                xt[af].cur = 0;
-                        kfree(tmp);
-                }
-                xt[af].compat_offsets = NULL;
        }
 }
 EXPORT_SYMBOL_GPL(xt_compat_flush_offsets);
 int xt_compat_calc_jump(u_int8_t af, unsigned int offset)
 {
-        struct compat_delta *tmp;
+        struct compat_delta *tmp = xt[af].compat_tab;
-        int delta;
+        int mid, left = 0, right = xt[af].cur - 1;
-        for (tmp = xt[af].compat_offsets, delta = 0; tmp; tmp = tmp->next)
+        while (left <= right) {
-                if (tmp->offset < offset)
+                mid = (left + right) >> 1;
-                        delta += tmp->delta;
+                if (offset > tmp[mid].offset)
-        return delta;
+                        left = mid + 1;
+                else if (offset < tmp[mid].offset)
+                        right = mid - 1;
+                else
+                        return mid ? tmp[mid - 1].delta : 0;
+        }
+        return left ? tmp[left - 1].delta : 0;
 }
 EXPORT_SYMBOL_GPL(xt_compat_calc_jump);
+void xt_compat_init_offsets(u_int8_t af, unsigned int number)
+{
+        xt[af].number = number;
+        xt[af].cur = 0;
+}
+EXPORT_SYMBOL(xt_compat_init_offsets);
 int xt_compat_match_offset(const struct xt_match *match)
 {
        u_int16_t csize = match->compatsize ? : match->matchsize;
@@ -739,8 +762,8 @@ void xt_compat_unlock(u_int8_t af)
 EXPORT_SYMBOL_GPL(xt_compat_unlock);
 #endif
-DEFINE_PER_CPU(struct xt_info_lock, xt_info_locks);
+DEFINE_PER_CPU(seqcount_t, xt_recseq);
-EXPORT_PER_CPU_SYMBOL_GPL(xt_info_locks);
+EXPORT_PER_CPU_SYMBOL_GPL(xt_recseq);
 static int xt_jumpstack_alloc(struct xt_table_info *i)
 {
@@ -820,6 +843,21 @@ xt_replace_table(struct xt_table *table,
         */
        local_bh_enable();
+#ifdef CONFIG_AUDIT
+        if (audit_enabled) {
+                struct audit_buffer *ab;
+                ab = audit_log_start(current->audit_context, GFP_KERNEL,
+                                     AUDIT_NETFILTER_CFG);
+                if (ab) {
+                        audit_log_format(ab, "table=%s family=%u entries=%u",
+                                         table->name, table->af,
+                                         private->number);
+                        audit_log_end(ab);
+                }
+        }
+#endif
        return private;
 }
 EXPORT_SYMBOL_GPL(xt_replace_table);
@@ -1324,10 +1362,7 @@ static int __init xt_init(void)
        int rv;
        for_each_possible_cpu(i) {
-                struct xt_info_lock *lock = &per_cpu(xt_info_locks, i);
+                seqcount_init(&per_cpu(xt_recseq, i));
-                seqlock_init(&lock->lock);
-                lock->readers = 0;
        }
        xt = kmalloc(sizeof(struct xt_af) * NFPROTO_NUMPROTO, GFP_KERNEL);
@@ -1338,7 +1373,7 @@ static int __init xt_init(void)
                mutex_init(&xt[i].mutex);
 #ifdef CONFIG_COMPAT
                mutex_init(&xt[i].compat_mutex);
-                xt[i].compat_offsets = NULL;
+                xt[i].compat_tab = NULL;
 #endif
                INIT_LIST_HEAD(&xt[i].target);
                INIT_LIST_HEAD(&xt[i].match);
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
new file mode 100644
index 000000000000..363a99ec0637
--- /dev/null
+++ b/net/netfilter/xt_AUDIT.c
@@ -0,0 +1,222 @@
+/*
+ * Creates audit record for dropped/accepted packets
+ *
+ * (C) 2010-2011 Thomas Graf <tgraf@redhat.com>
+ * (C) 2010-2011 Red Hat, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+*/
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/audit.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/tcp.h>
+#include <linux/udp.h>
+#include <linux/if_arp.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_AUDIT.h>
+#include <linux/netfilter_bridge/ebtables.h>
+#include <net/ipv6.h>
+#include <net/ip.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Thomas Graf <tgraf@redhat.com>");
+MODULE_DESCRIPTION("Xtables: creates audit records for dropped/accepted packets");
+MODULE_ALIAS("ipt_AUDIT");
+MODULE_ALIAS("ip6t_AUDIT");
+MODULE_ALIAS("ebt_AUDIT");
+MODULE_ALIAS("arpt_AUDIT");
+static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
+                        unsigned int proto, unsigned int offset)
+{
+        switch (proto) {
+        case IPPROTO_TCP:
+        case IPPROTO_UDP:
+        case IPPROTO_UDPLITE: {
+                const __be16 *pptr;
+                __be16 _ports[2];
+                pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports);
+                if (pptr == NULL) {
+                        audit_log_format(ab, " truncated=1");
+                        return;
+                }
+                audit_log_format(ab, " sport=%hu dport=%hu",
+                                 ntohs(pptr[0]), ntohs(pptr[1]));
+                }
+                break;
+        case IPPROTO_ICMP:
+        case IPPROTO_ICMPV6: {
+                const u8 *iptr;
+                u8 _ih[2];
+                iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
+                if (iptr == NULL) {
+                        audit_log_format(ab, " truncated=1");
+                        return;
+                }
+                audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu",
+                                 iptr[0], iptr[1]);
+                }
+                break;
+        }
+}
+static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
+{
+        struct iphdr _iph;
+        const struct iphdr *ih;
+        ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
+        if (!ih) {
+                audit_log_format(ab, " truncated=1");
+                return;
+        }
+        audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
+                &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
+        if (ntohs(ih->frag_off) & IP_OFFSET) {
+                audit_log_format(ab, " frag=1");
+                return;
+        }
+        audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
+}
+static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
+{
+        struct ipv6hdr _ip6h;
+        const struct ipv6hdr *ih;
+        u8 nexthdr;
+        int offset;
+        ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
+        if (!ih) {
+                audit_log_format(ab, " truncated=1");
+                return;
+        }
+        nexthdr = ih->nexthdr;
+        offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h),
+                                  &nexthdr);
+        audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
+                         &ih->saddr, &ih->daddr, nexthdr);
+        if (offset)
+                audit_proto(ab, skb, nexthdr, offset);
+}
+static unsigned int
+audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
+{
+        const struct xt_audit_info *info = par->targinfo;
+        struct audit_buffer *ab;
+        ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
+        if (ab == NULL)
+                goto errout;
+        audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
+                         info->type, par->hooknum, skb->len,
+                         par->in ? par->in->name : "?",
+                         par->out ? par->out->name : "?");
+        if (skb->mark)
+                audit_log_format(ab, " mark=%#x", skb->mark);
+        if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
+                audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
+                                 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
+                                 ntohs(eth_hdr(skb)->h_proto));
+                if (par->family == NFPROTO_BRIDGE) {
+                        switch (eth_hdr(skb)->h_proto) {
+                        case __constant_htons(ETH_P_IP):
+                                audit_ip4(ab, skb);
+                                break;
+                        case __constant_htons(ETH_P_IPV6):
+                                audit_ip6(ab, skb);
+                                break;
+                        }
+                }
+        }
+        switch (par->family) {
+        case NFPROTO_IPV4:
+                audit_ip4(ab, skb);
+                break;
+        case NFPROTO_IPV6:
+                audit_ip6(ab, skb);
+                break;
+        }
+        audit_log_end(ab);
+errout:
+        return XT_CONTINUE;
+}
+static unsigned int
+audit_tg_ebt(struct sk_buff *skb, const struct xt_action_param *par)
+{
+        audit_tg(skb, par);
+        return EBT_CONTINUE;
+}
+static int audit_tg_check(const struct xt_tgchk_param *par)
+{
+        const struct xt_audit_info *info = par->targinfo;
+        if (info->type > XT_AUDIT_TYPE_MAX) {
+                pr_info("Audit type out of range (valid range: 0..%hhu)\n",
+                        XT_AUDIT_TYPE_MAX);
+                return -ERANGE;
+        }
+        return 0;
+}
+static struct xt_target audit_tg_reg[] __read_mostly = {
+        {
+                .name           = "AUDIT",
+                .family         = NFPROTO_UNSPEC,
+                .target         = audit_tg,
+                .targetsize     = sizeof(struct xt_audit_info),
+                .checkentry     = audit_tg_check,
+                .me             = THIS_MODULE,
+        },
+        {
+                .name           = "AUDIT",
+                .family         = NFPROTO_BRIDGE,
+                .target         = audit_tg_ebt,
+                .targetsize     = sizeof(struct xt_audit_info),
+                .checkentry     = audit_tg_check,
+                .me             = THIS_MODULE,
+        },
+};
+static int __init audit_tg_init(void)
+{
+        return xt_register_targets(audit_tg_reg, ARRAY_SIZE(audit_tg_reg));
+}
+static void __exit audit_tg_exit(void)
+{
+        xt_unregister_targets(audit_tg_reg, ARRAY_SIZE(audit_tg_reg));
+}
+module_init(audit_tg_init);
+module_exit(audit_tg_exit);
diff --git a/net/netfilter/xt_CLASSIFY.c b/net/netfilter/xt_CLASSIFY.c
index c2c0e4abeb99..af9c4dadf816 100644
--- a/net/netfilter/xt_CLASSIFY.c
+++ b/net/netfilter/xt_CLASSIFY.c
@@ -19,12 +19,14 @@
 #include <linux/netfilter_ipv6.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_CLASSIFY.h>
+#include <linux/netfilter_arp.h>
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 MODULE_LICENSE("GPL");
 MODULE_DESCRIPTION("Xtables: Qdisc classification");
 MODULE_ALIAS("ipt_CLASSIFY");
 MODULE_ALIAS("ip6t_CLASSIFY");
+MODULE_ALIAS("arpt_CLASSIFY");
 static unsigned int
 classify_tg(struct sk_buff *skb, const struct xt_action_param *par)
@@ -35,26 +37,36 @@ classify_tg(struct sk_buff *skb, const struct xt_action_param *par)
        return XT_CONTINUE;
 }
-static struct xt_target classify_tg_reg __read_mostly = {
+static struct xt_target classify_tg_reg[] __read_mostly = {
-        .name       = "CLASSIFY",
+        {
-        .revision   = 0,
+                .name       = "CLASSIFY",
-        .family     = NFPROTO_UNSPEC,
+                .revision   = 0,
-        .table      = "mangle",
+                .family     = NFPROTO_UNSPEC,
-        .hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
+                .hooks      = (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_FORWARD) |
-                      (1 << NF_INET_POST_ROUTING),
+                              (1 << NF_INET_POST_ROUTING),
-        .target     = classify_tg,
+                .target     = classify_tg,
-        .targetsize = sizeof(struct xt_classify_target_info),
+                .targetsize = sizeof(struct xt_classify_target_info),
-        .me         = THIS_MODULE,
+                .me         = THIS_MODULE,
+        },
+        {
+                .name       = "CLASSIFY",
+                .revision   = 0,
+                .family     = NFPROTO_ARP,
+                .hooks      = (1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD),
+                .target     = classify_tg,
+                .targetsize = sizeof(struct xt_classify_target_info),
+                .me         = THIS_MODULE,
+        },
 };
 static int __init classify_tg_init(void)
 {
-        return xt_register_target(&classify_tg_reg);
+        return xt_register_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg));
 }
 static void __exit classify_tg_exit(void)
 {
-        xt_unregister_target(&classify_tg_reg);
+        xt_unregister_targets(classify_tg_reg, ARRAY_SIZE(classify_tg_reg));
 }
 module_init(classify_tg_init);
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 0a229191e55b..ae8271652efa 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -99,7 +99,7 @@ tos_tg6(struct sk_buff *skb, const struct xt_action_param *par)
        u_int8_t orig, nv;
        orig = ipv6_get_dsfield(iph);
-        nv   = (orig & info->tos_mask) ^ info->tos_value;
+        nv   = (orig & ~info->tos_mask) ^ info->tos_value;
        if (orig != nv) {
                if (!skb_make_writable(skb, sizeof(struct iphdr)))
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index be1f22e13545..3bdd443aaf15 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -313,3 +313,5 @@ MODULE_AUTHOR("Timo Teras <ext-timo.teras@nokia.com>");
 MODULE_AUTHOR("Luciano Coelho <luciano.coelho@nokia.com>");
 MODULE_DESCRIPTION("Xtables: idle time monitor");
 MODULE_LICENSE("GPL v2");
+MODULE_ALIAS("ipt_IDLETIMER");
+MODULE_ALIAS("ip6t_IDLETIMER");
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index a4140509eea1..993de2ba89d3 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -31,6 +31,8 @@
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Adam Nielsen <a.nielsen@shikadi.net>");
 MODULE_DESCRIPTION("Xtables: trigger LED devices on packet match");
+MODULE_ALIAS("ipt_LED");
+MODULE_ALIAS("ip6t_LED");
 static LIST_HEAD(xt_led_triggers);
 static DEFINE_MUTEX(xt_led_mutex);
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 039cce1bde3d..d4f4b5d66b20 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -72,18 +72,31 @@ nfqueue_tg_v1(struct sk_buff *skb, const struct xt_action_param *par)
        if (info->queues_total > 1) {
                if (par->family == NFPROTO_IPV4)
-                        queue = hash_v4(skb) % info->queues_total + queue;
+                        queue = (((u64) hash_v4(skb) * info->queues_total) >>
+                                 32) + queue;
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
                else if (par->family == NFPROTO_IPV6)
-                        queue = hash_v6(skb) % info->queues_total + queue;
+                        queue = (((u64) hash_v6(skb) * info->queues_total) >>
+                                 32) + queue;
 #endif
        }
        return NF_QUEUE_NR(queue);
 }
-static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
+static unsigned int
+nfqueue_tg_v2(struct sk_buff *skb, const struct xt_action_param *par)
 {
-        const struct xt_NFQ_info_v1 *info = par->targinfo;
+        const struct xt_NFQ_info_v2 *info = par->targinfo;
+        unsigned int ret = nfqueue_tg_v1(skb, par);
+        if (info->bypass)
+                ret |= NF_VERDICT_FLAG_QUEUE_BYPASS;
+        return ret;
+}
+static int nfqueue_tg_check(const struct xt_tgchk_param *par)
+{
+        const struct xt_NFQ_info_v2 *info = par->targinfo;
        u32 maxid;
        if (unlikely(!rnd_inited)) {
@@ -100,6 +113,8 @@ static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
                       info->queues_total, maxid);
                return -ERANGE;
        }
+        if (par->target->revision == 2 && info->bypass > 1)
+                return -EINVAL;
        return 0;
 }
@@ -115,11 +130,20 @@ static struct xt_target nfqueue_tg_reg[] __read_mostly = {
                .name           = "NFQUEUE",
                .revision       = 1,
                .family         = NFPROTO_UNSPEC,
-                .checkentry     = nfqueue_tg_v1_check,
+                .checkentry     = nfqueue_tg_check,
                .target         = nfqueue_tg_v1,
                .targetsize     = sizeof(struct xt_NFQ_info_v1),
                .me             = THIS_MODULE,
        },
+        {
+                .name           = "NFQUEUE",
+                .revision       = 2,
+                .family         = NFPROTO_UNSPEC,
+                .checkentry     = nfqueue_tg_check,
+                .target         = nfqueue_tg_v2,
+                .targetsize     = sizeof(struct xt_NFQ_info_v2),
+                .me             = THIS_MODULE,
+        },
 };
 static int __init nfqueue_tg_init(void)
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index eb81c380da1b..9e63b43faeed 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -148,20 +148,25 @@ tcpmss_mangle_packet(struct sk_buff *skb,
 static u_int32_t tcpmss_reverse_mtu(const struct sk_buff *skb,
                                    unsigned int family)
 {
-        struct flowi fl = {};
+        struct flowi fl;
        const struct nf_afinfo *ai;
        struct rtable *rt = NULL;
        u_int32_t mtu     = ~0U;
-        if (family == PF_INET)
+        if (family == PF_INET) {
-                fl.fl4_dst = ip_hdr(skb)->saddr;
+                struct flowi4 *fl4 = &fl.u.ip4;
-        else
+                memset(fl4, 0, sizeof(*fl4));
-                fl.fl6_dst = ipv6_hdr(skb)->saddr;
+                fl4->daddr = ip_hdr(skb)->saddr;
+        } else {
+                struct flowi6 *fl6 = &fl.u.ip6;
+                memset(fl6, 0, sizeof(*fl6));
+                ipv6_addr_copy(&fl6->daddr, &ipv6_hdr(skb)->saddr);
+        }
        rcu_read_lock();
        ai = nf_get_afinfo(family);
        if (ai != NULL)
-                ai->route((struct dst_entry **)&rt, &fl);
+                ai->route(&init_net, (struct dst_entry **)&rt, &fl, false);
        rcu_read_unlock();
        if (rt != NULL) {
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index 5128a6c4cb2c..5f054a0dbbb1 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
@@ -62,18 +62,19 @@ tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
        const struct iphdr *iph = ip_hdr(skb);
        struct net *net = pick_net(skb);
        struct rtable *rt;
-        struct flowi fl;
+        struct flowi4 fl4;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl4, 0, sizeof(fl4));
        if (info->priv) {
                if (info->priv->oif == -1)
                        return false;
-                fl.oif = info->priv->oif;
+                fl4.flowi4_oif = info->priv->oif;
        }
-        fl.fl4_dst = info->gw.ip;
+        fl4.daddr = info->gw.ip;
-        fl.fl4_tos = RT_TOS(iph->tos);
+        fl4.flowi4_tos = RT_TOS(iph->tos);
-        fl.fl4_scope = RT_SCOPE_UNIVERSE;
+        fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
-        if (ip_route_output_key(net, &rt, &fl) != 0)
+        rt = ip_route_output_key(net, &fl4);
+        if (IS_ERR(rt))
                return false;
        skb_dst_drop(skb);
@@ -142,18 +143,18 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
        const struct ipv6hdr *iph = ipv6_hdr(skb);
        struct net *net = pick_net(skb);
        struct dst_entry *dst;
-        struct flowi fl;
+        struct flowi6 fl6;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
        if (info->priv) {
                if (info->priv->oif == -1)
                        return false;
-                fl.oif = info->priv->oif;
+                fl6.flowi6_oif = info->priv->oif;
        }
-        fl.fl6_dst = info->gw.in6;
+        fl6.daddr = info->gw.in6;
-        fl.fl6_flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
+        fl6.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
                           (iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
-        dst = ip6_route_output(net, NULL, &fl);
+        dst = ip6_route_output(net, NULL, &fl6);
        if (dst == NULL)
                return false;
diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
new file mode 100644
index 000000000000..b77d383cec78
--- /dev/null
+++ b/net/netfilter/xt_addrtype.c
@@ -0,0 +1,243 @@
+/*
+ *  iptables module to match inet_addr_type() of an ip.
+ *
+ *  Copyright (c) 2004 Patrick McHardy <kaber@trash.net>
+ *  (C) 2007 Laszlo Attila Toth <panther@balabit.hu>
+ *
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License version 2 as
+ *  published by the Free Software Foundation.
+ */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <linux/ip.h>
+#include <net/route.h>
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+#include <net/ipv6.h>
+#include <net/ip6_route.h>
+#include <net/ip6_fib.h>
+#endif
+#include <linux/netfilter/xt_addrtype.h>
+#include <linux/netfilter/x_tables.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_DESCRIPTION("Xtables: address type match");
+MODULE_ALIAS("ipt_addrtype");
+MODULE_ALIAS("ip6t_addrtype");
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+static u32 match_lookup_rt6(struct net *net, const struct net_device *dev,
+                            const struct in6_addr *addr)
+{
+        const struct nf_afinfo *afinfo;
+        struct flowi6 flow;
+        struct rt6_info *rt;
+        u32 ret;
+        int route_err;
+        memset(&flow, 0, sizeof(flow));
+        ipv6_addr_copy(&flow.daddr, addr);
+        if (dev)
+                flow.flowi6_oif = dev->ifindex;
+        rcu_read_lock();
+        afinfo = nf_get_afinfo(NFPROTO_IPV6);
+        if (afinfo != NULL)
+                route_err = afinfo->route(net, (struct dst_entry **)&rt,
+                                        flowi6_to_flowi(&flow), !!dev);
+        else
+                route_err = 1;
+        rcu_read_unlock();
+        if (route_err)
+                return XT_ADDRTYPE_UNREACHABLE;
+        if (rt->rt6i_flags & RTF_REJECT)
+                ret = XT_ADDRTYPE_UNREACHABLE;
+        else
+                ret = 0;
+        if (rt->rt6i_flags & RTF_LOCAL)
+                ret |= XT_ADDRTYPE_LOCAL;
+        if (rt->rt6i_flags & RTF_ANYCAST)
+                ret |= XT_ADDRTYPE_ANYCAST;
+        dst_release(&rt->dst);
+        return ret;
+}
+static bool match_type6(struct net *net, const struct net_device *dev,
+                                const struct in6_addr *addr, u16 mask)
+{
+        int addr_type = ipv6_addr_type(addr);
+        if ((mask & XT_ADDRTYPE_MULTICAST) &&
+            !(addr_type & IPV6_ADDR_MULTICAST))
+                return false;
+        if ((mask & XT_ADDRTYPE_UNICAST) && !(addr_type & IPV6_ADDR_UNICAST))
+                return false;
+        if ((mask & XT_ADDRTYPE_UNSPEC) && addr_type != IPV6_ADDR_ANY)
+                return false;
+        if ((XT_ADDRTYPE_LOCAL | XT_ADDRTYPE_ANYCAST |
+             XT_ADDRTYPE_UNREACHABLE) & mask)
+                return !!(mask & match_lookup_rt6(net, dev, addr));
+        return true;
+}
+static bool
+addrtype_mt6(struct net *net, const struct net_device *dev,
+        const struct sk_buff *skb, const struct xt_addrtype_info_v1 *info)
+{
+        const struct ipv6hdr *iph = ipv6_hdr(skb);
+        bool ret = true;
+        if (info->source)
+                ret &= match_type6(net, dev, &iph->saddr, info->source) ^
+                       (info->flags & XT_ADDRTYPE_INVERT_SOURCE);
+        if (ret && info->dest)
+                ret &= match_type6(net, dev, &iph->daddr, info->dest) ^
+                       !!(info->flags & XT_ADDRTYPE_INVERT_DEST);
+        return ret;
+}
+#endif
+static inline bool match_type(struct net *net, const struct net_device *dev,
+                              __be32 addr, u_int16_t mask)
+{
+        return !!(mask & (1 << inet_dev_addr_type(net, dev, addr)));
+}
+static bool
+addrtype_mt_v0(const struct sk_buff *skb, struct xt_action_param *par)
+{
+        struct net *net = dev_net(par->in ? par->in : par->out);
+        const struct xt_addrtype_info *info = par->matchinfo;
+        const struct iphdr *iph = ip_hdr(skb);
+        bool ret = true;
+        if (info->source)
+                ret &= match_type(net, NULL, iph->saddr, info->source) ^
+                       info->invert_source;
+        if (info->dest)
+                ret &= match_type(net, NULL, iph->daddr, info->dest) ^
+                       info->invert_dest;
+        return ret;
+}
+static bool
+addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
+{
+        struct net *net = dev_net(par->in ? par->in : par->out);
+        const struct xt_addrtype_info_v1 *info = par->matchinfo;
+        const struct iphdr *iph;
+        const struct net_device *dev = NULL;
+        bool ret = true;
+        if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN)
+                dev = par->in;
+        else if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
+                dev = par->out;
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+        if (par->family == NFPROTO_IPV6)
+                return addrtype_mt6(net, dev, skb, info);
+#endif
+        iph = ip_hdr(skb);
+        if (info->source)
+                ret &= match_type(net, dev, iph->saddr, info->source) ^
+                       (info->flags & XT_ADDRTYPE_INVERT_SOURCE);
+        if (ret && info->dest)
+                ret &= match_type(net, dev, iph->daddr, info->dest) ^
+                       !!(info->flags & XT_ADDRTYPE_INVERT_DEST);
+        return ret;
+}
+static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
+{
+        struct xt_addrtype_info_v1 *info = par->matchinfo;
+        if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN &&
+            info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
+                pr_info("both incoming and outgoing "
+                        "interface limitation cannot be selected\n");
+                return -EINVAL;
+        }
+        if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
+            (1 << NF_INET_LOCAL_IN)) &&
+            info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
+                pr_info("output interface limitation "
+                        "not valid in PREROUTING and INPUT\n");
+                return -EINVAL;
+        }
+        if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
+            (1 << NF_INET_LOCAL_OUT)) &&
+            info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) {
+                pr_info("input interface limitation "
+                        "not valid in POSTROUTING and OUTPUT\n");
+                return -EINVAL;
+        }
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+        if (par->family == NFPROTO_IPV6) {
+                if ((info->source | info->dest) & XT_ADDRTYPE_BLACKHOLE) {
+                        pr_err("ipv6 BLACKHOLE matching not supported\n");
+                        return -EINVAL;
+                }
+                if ((info->source | info->dest) >= XT_ADDRTYPE_PROHIBIT) {
+                        pr_err("ipv6 PROHIBT (THROW, NAT ..) matching not supported\n");
+                        return -EINVAL;
+                }
+                if ((info->source | info->dest) & XT_ADDRTYPE_BROADCAST) {
+                        pr_err("ipv6 does not support BROADCAST matching\n");
+                        return -EINVAL;
+                }
+        }
+#endif
+        return 0;
+}
+static struct xt_match addrtype_mt_reg[] __read_mostly = {
+        {
+                .name           = "addrtype",
+                .family         = NFPROTO_IPV4,
+                .match          = addrtype_mt_v0,
+                .matchsize      = sizeof(struct xt_addrtype_info),
+                .me             = THIS_MODULE
+        },
+        {
+                .name           = "addrtype",
+                .family         = NFPROTO_UNSPEC,
+                .revision       = 1,
+                .match          = addrtype_mt_v1,
+                .checkentry     = addrtype_mt_checkentry_v1,
+                .matchsize      = sizeof(struct xt_addrtype_info_v1),
+                .me             = THIS_MODULE
+        }
+};
+static int __init addrtype_mt_init(void)
+{
+        return xt_register_matches(addrtype_mt_reg,
+                                   ARRAY_SIZE(addrtype_mt_reg));
+}
+static void __exit addrtype_mt_exit(void)
+{
+        xt_unregister_matches(addrtype_mt_reg, ARRAY_SIZE(addrtype_mt_reg));
+}
+module_init(addrtype_mt_init);
+module_exit(addrtype_mt_exit);
diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 5c5b6b921b84..c6d5a83450c9 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -33,17 +33,17 @@
 /* we will save the tuples of all connections we care about */
 struct xt_connlimit_conn {
-        struct list_head list;
+        struct hlist_node               node;
-        struct nf_conntrack_tuple tuple;
+        struct nf_conntrack_tuple       tuple;
+        union nf_inet_addr              addr;
 };
 struct xt_connlimit_data {
-        struct list_head iphash[256];
+        struct hlist_head       iphash[256];
-        spinlock_t lock;
+        spinlock_t              lock;
 };
 static u_int32_t connlimit_rnd __read_mostly;
-static bool connlimit_rnd_inited __read_mostly;
 static inline unsigned int connlimit_iphash(__be32 addr)
 {
@@ -101,9 +101,9 @@ static int count_them(struct net *net,
 {
        const struct nf_conntrack_tuple_hash *found;
        struct xt_connlimit_conn *conn;
-        struct xt_connlimit_conn *tmp;
+        struct hlist_node *pos, *n;
        struct nf_conn *found_ct;
-        struct list_head *hash;
+        struct hlist_head *hash;
        bool addit = true;
        int matches = 0;
@@ -115,7 +115,7 @@ static int count_them(struct net *net,
        rcu_read_lock();
        /* check the saved connections */
-        list_for_each_entry_safe(conn, tmp, hash, list) {
+        hlist_for_each_entry_safe(conn, pos, n, hash, node) {
                found    = nf_conntrack_find_get(net, NF_CT_DEFAULT_ZONE,
                                                 &conn->tuple);
                found_ct = NULL;
@@ -135,7 +135,7 @@ static int count_them(struct net *net,
                if (found == NULL) {
                        /* this one is gone */
-                        list_del(&conn->list);
+                        hlist_del(&conn->node);
                        kfree(conn);
                        continue;
                }
@@ -146,12 +146,12 @@ static int count_them(struct net *net,
                         * closed already -> ditch it
                         */
                        nf_ct_put(found_ct);
-                        list_del(&conn->list);
+                        hlist_del(&conn->node);
                        kfree(conn);
                        continue;
                }
-                if (same_source_net(addr, mask, &conn->tuple.src.u3, family))
+                if (same_source_net(addr, mask, &conn->addr, family))
                        /* same source network -> be counted! */
                        ++matches;
                nf_ct_put(found_ct);
@@ -161,11 +161,12 @@ static int count_them(struct net *net,
        if (addit) {
                /* save the new connection in our list */
-                conn = kzalloc(sizeof(*conn), GFP_ATOMIC);
+                conn = kmalloc(sizeof(*conn), GFP_ATOMIC);
                if (conn == NULL)
                        return -ENOMEM;
                conn->tuple = *tuple;
-                list_add(&conn->list, hash);
+                conn->addr = *addr;
+                hlist_add_head(&conn->node, hash);
                ++matches;
        }
@@ -186,17 +187,19 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
        ct = nf_ct_get(skb, &ctinfo);
        if (ct != NULL)
-                tuple_ptr = &ct->tuplehash[0].tuple;
+                tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
        else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
                                    par->family, &tuple))
                goto hotdrop;
        if (par->family == NFPROTO_IPV6) {
                const struct ipv6hdr *iph = ipv6_hdr(skb);
-                memcpy(&addr.ip6, &iph->saddr, sizeof(iph->saddr));
+                memcpy(&addr.ip6, (info->flags & XT_CONNLIMIT_DADDR) ?
+                       &iph->daddr : &iph->saddr, sizeof(addr.ip6));
        } else {
                const struct iphdr *iph = ip_hdr(skb);
-                addr.ip = iph->saddr;
+                addr.ip = (info->flags & XT_CONNLIMIT_DADDR) ?
+                          iph->daddr : iph->saddr;
        }
        spin_lock_bh(&info->data->lock);
@@ -204,13 +207,12 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
                                 &info->mask, par->family);
        spin_unlock_bh(&info->data->lock);
-        if (connections < 0) {
+        if (connections < 0)
                /* kmalloc failed, drop it entirely */
-                par->hotdrop = true;
+                goto hotdrop;
-                return false;
-        }
-        return (connections > info->limit) ^ info->inverse;
+        return (connections > info->limit) ^
+               !!(info->flags & XT_CONNLIMIT_INVERT);
 hotdrop:
        par->hotdrop = true;
@@ -223,9 +225,13 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
        unsigned int i;
        int ret;
-        if (unlikely(!connlimit_rnd_inited)) {
+        if (unlikely(!connlimit_rnd)) {
-                get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd));
+                u_int32_t rand;
-                connlimit_rnd_inited = true;
+                do {
+                        get_random_bytes(&rand, sizeof(rand));
+                } while (!rand);
+                cmpxchg(&connlimit_rnd, 0, rand);
        }
        ret = nf_ct_l3proto_try_module_get(par->family);
        if (ret < 0) {
@@ -243,7 +249,7 @@ static int connlimit_mt_check(const struct xt_mtchk_param *par)
        spin_lock_init(&info->data->lock);
        for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i)
-                INIT_LIST_HEAD(&info->data->iphash[i]);
+                INIT_HLIST_HEAD(&info->data->iphash[i]);
        return 0;
 }
@@ -252,15 +258,15 @@ static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
 {
        const struct xt_connlimit_info *info = par->matchinfo;
        struct xt_connlimit_conn *conn;
-        struct xt_connlimit_conn *tmp;
+        struct hlist_node *pos, *n;
-        struct list_head *hash = info->data->iphash;
+        struct hlist_head *hash = info->data->iphash;
        unsigned int i;
        nf_ct_l3proto_module_put(par->family);
        for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i) {
-                list_for_each_entry_safe(conn, tmp, &hash[i], list) {
+                hlist_for_each_entry_safe(conn, pos, n, &hash[i], node) {
-                        list_del(&conn->list);
+                        hlist_del(&conn->node);
                        kfree(conn);
                }
        }
@@ -268,25 +274,38 @@ static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
        kfree(info->data);
 }
-static struct xt_match connlimit_mt_reg __read_mostly = {
+static struct xt_match connlimit_mt_reg[] __read_mostly = {
-        .name       = "connlimit",
+        {
-        .revision   = 0,
+                .name       = "connlimit",
-        .family     = NFPROTO_UNSPEC,
+                .revision   = 0,
-        .checkentry = connlimit_mt_check,
+                .family     = NFPROTO_UNSPEC,
-        .match      = connlimit_mt,
+                .checkentry = connlimit_mt_check,
-        .matchsize  = sizeof(struct xt_connlimit_info),
+                .match      = connlimit_mt,
-        .destroy    = connlimit_mt_destroy,
+                .matchsize  = sizeof(struct xt_connlimit_info),
-        .me         = THIS_MODULE,
+                .destroy    = connlimit_mt_destroy,
+                .me         = THIS_MODULE,
+        },
+        {
+                .name       = "connlimit",
+                .revision   = 1,
+                .family     = NFPROTO_UNSPEC,
+                .checkentry = connlimit_mt_check,
+                .match      = connlimit_mt,
+                .matchsize  = sizeof(struct xt_connlimit_info),
+                .destroy    = connlimit_mt_destroy,
+                .me         = THIS_MODULE,
+        },
 };
 static int __init connlimit_mt_init(void)
 {
-        return xt_register_match(&connlimit_mt_reg);
+        return xt_register_matches(connlimit_mt_reg,
+               ARRAY_SIZE(connlimit_mt_reg));
 }
 static void __exit connlimit_mt_exit(void)
 {
-        xt_unregister_match(&connlimit_mt_reg);
+        xt_unregister_matches(connlimit_mt_reg, ARRAY_SIZE(connlimit_mt_reg));
 }
 module_init(connlimit_mt_init);
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index e536710ad916..61805d7b38aa 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -112,6 +112,54 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
        return true;
 }
+static inline bool
+port_match(u16 min, u16 max, u16 port, bool invert)
+{
+        return (port >= min && port <= max) ^ invert;
+}
+static inline bool
+ct_proto_port_check_v3(const struct xt_conntrack_mtinfo3 *info,
+                       const struct nf_conn *ct)
+{
+        const struct nf_conntrack_tuple *tuple;
+        tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
+        if ((info->match_flags & XT_CONNTRACK_PROTO) &&
+            (nf_ct_protonum(ct) == info->l4proto) ^
+            !(info->invert_flags & XT_CONNTRACK_PROTO))
+                return false;
+        /* Shortcut to match all recognized protocols by using ->src.all. */
+        if ((info->match_flags & XT_CONNTRACK_ORIGSRC_PORT) &&
+            !port_match(info->origsrc_port, info->origsrc_port_high,
+                        ntohs(tuple->src.u.all),
+                        info->invert_flags & XT_CONNTRACK_ORIGSRC_PORT))
+                return false;
+        if ((info->match_flags & XT_CONNTRACK_ORIGDST_PORT) &&
+            !port_match(info->origdst_port, info->origdst_port_high,
+                        ntohs(tuple->dst.u.all),
+                        info->invert_flags & XT_CONNTRACK_ORIGDST_PORT))
+                return false;
+        tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
+        if ((info->match_flags & XT_CONNTRACK_REPLSRC_PORT) &&
+            !port_match(info->replsrc_port, info->replsrc_port_high,
+                        ntohs(tuple->src.u.all),
+                        info->invert_flags & XT_CONNTRACK_REPLSRC_PORT))
+                return false;
+        if ((info->match_flags & XT_CONNTRACK_REPLDST_PORT) &&
+            !port_match(info->repldst_port, info->repldst_port_high,
+                        ntohs(tuple->dst.u.all),
+                        info->invert_flags & XT_CONNTRACK_REPLDST_PORT))
+                return false;
+        return true;
+}
 static bool
 conntrack_mt(const struct sk_buff *skb, struct xt_action_param *par,
             u16 state_mask, u16 status_mask)
@@ -147,7 +195,7 @@ conntrack_mt(const struct sk_buff *skb, struct xt_action_param *par,
                return info->match_flags & XT_CONNTRACK_STATE;
        if ((info->match_flags & XT_CONNTRACK_DIRECTION) &&
            (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) ^
-            !!(info->invert_flags & XT_CONNTRACK_DIRECTION))
+            !(info->invert_flags & XT_CONNTRACK_DIRECTION))
                return false;
        if (info->match_flags & XT_CONNTRACK_ORIGSRC)
@@ -170,8 +218,13 @@ conntrack_mt(const struct sk_buff *skb, struct xt_action_param *par,
                    !(info->invert_flags & XT_CONNTRACK_REPLDST))
                        return false;
-        if (!ct_proto_port_check(info, ct))
+        if (par->match->revision != 3) {
-                return false;
+                if (!ct_proto_port_check(info, ct))
+                        return false;
+        } else {
+                if (!ct_proto_port_check_v3(par->matchinfo, ct))
+                        return false;
+        }
        if ((info->match_flags & XT_CONNTRACK_STATUS) &&
            (!!(status_mask & ct->status) ^
@@ -207,6 +260,14 @@ conntrack_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
        return conntrack_mt(skb, par, info->state_mask, info->status_mask);
 }
+static bool
+conntrack_mt_v3(const struct sk_buff *skb, struct xt_action_param *par)
+{
+        const struct xt_conntrack_mtinfo3 *info = par->matchinfo;
+        return conntrack_mt(skb, par, info->state_mask, info->status_mask);
+}
 static int conntrack_mt_check(const struct xt_mtchk_param *par)
 {
        int ret;
@@ -244,6 +305,16 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
                .destroy    = conntrack_mt_destroy,
                .me         = THIS_MODULE,
        },
+        {
+                .name       = "conntrack",
+                .revision   = 3,
+                .family     = NFPROTO_UNSPEC,
+                .matchsize  = sizeof(struct xt_conntrack_mtinfo3),
+                .match      = conntrack_mt_v3,
+                .checkentry = conntrack_mt_check,
+                .destroy    = conntrack_mt_destroy,
+                .me         = THIS_MODULE,
+        },
 };
 static int __init conntrack_mt_init(void)
diff --git a/net/netfilter/xt_cpu.c b/net/netfilter/xt_cpu.c
index b39db8a5cbae..c7a2e5466bc4 100644
--- a/net/netfilter/xt_cpu.c
+++ b/net/netfilter/xt_cpu.c
@@ -22,6 +22,8 @@
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Eric Dumazet <eric.dumazet@gmail.com>");
 MODULE_DESCRIPTION("Xtables: CPU match");
+MODULE_ALIAS("ipt_cpu");
+MODULE_ALIAS("ip6t_cpu");
 static int cpu_mt_check(const struct xt_mtchk_param *par)
 {
diff --git a/net/netfilter/xt_devgroup.c b/net/netfilter/xt_devgroup.c
new file mode 100644
index 000000000000..d9202cdd25c9
--- /dev/null
+++ b/net/netfilter/xt_devgroup.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (c) 2011 Patrick McHardy <kaber@trash.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netdevice.h>
+#include <linux/netfilter/xt_devgroup.h>
+#include <linux/netfilter/x_tables.h>
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_LICENSE("GPL");
+MODULE_DESCRIPTION("Xtables: Device group match");
+MODULE_ALIAS("ipt_devgroup");
+MODULE_ALIAS("ip6t_devgroup");
+static bool devgroup_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+        const struct xt_devgroup_info *info = par->matchinfo;
+        if (info->flags & XT_DEVGROUP_MATCH_SRC &&
+            (((info->src_group ^ par->in->group) & info->src_mask ? 1 : 0) ^
+             ((info->flags & XT_DEVGROUP_INVERT_SRC) ? 1 : 0)))
+                return false;
+        if (info->flags & XT_DEVGROUP_MATCH_DST &&
+            (((info->dst_group ^ par->out->group) & info->dst_mask ? 1 : 0) ^
+             ((info->flags & XT_DEVGROUP_INVERT_DST) ? 1 : 0)))
+                return false;
+        return true;
+}
+static int devgroup_mt_checkentry(const struct xt_mtchk_param *par)
+{
+        const struct xt_devgroup_info *info = par->matchinfo;
+        if (info->flags & ~(XT_DEVGROUP_MATCH_SRC | XT_DEVGROUP_INVERT_SRC |
+                            XT_DEVGROUP_MATCH_DST | XT_DEVGROUP_INVERT_DST))
+                return -EINVAL;
+        if (info->flags & XT_DEVGROUP_MATCH_SRC &&
+            par->hook_mask & ~((1 << NF_INET_PRE_ROUTING) |
+                               (1 << NF_INET_LOCAL_IN) |
+                               (1 << NF_INET_FORWARD)))
+                return -EINVAL;
+        if (info->flags & XT_DEVGROUP_MATCH_DST &&
+            par->hook_mask & ~((1 << NF_INET_FORWARD) |
+                               (1 << NF_INET_LOCAL_OUT) |
+                               (1 << NF_INET_POST_ROUTING)))
+                return -EINVAL;
+        return 0;
+}
+static struct xt_match devgroup_mt_reg __read_mostly = {
+        .name           = "devgroup",
+        .match          = devgroup_mt,
+        .checkentry     = devgroup_mt_checkentry,
+        .matchsize      = sizeof(struct xt_devgroup_info),
+        .family         = NFPROTO_UNSPEC,
+        .me             = THIS_MODULE
+};
+static int __init devgroup_mt_init(void)
+{
+        return xt_register_match(&devgroup_mt_reg);
+}
+static void __exit devgroup_mt_exit(void)
+{
+        xt_unregister_match(&devgroup_mt_reg);
+}
+module_init(devgroup_mt_init);
+module_exit(devgroup_mt_exit);
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index 73c33a42f87f..b46626cddd93 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -31,7 +31,7 @@ iprange_mt4(const struct sk_buff *skb, struct xt_action_param *par)
                        pr_debug("src IP %pI4 NOT in range %s%pI4-%pI4\n",
                                 &iph->saddr,
                                 (info->flags & IPRANGE_SRC_INV) ? "(INV) " : "",
-                                 &info->src_max.ip,
+                                 &info->src_min.ip,
                                 &info->src_max.ip);
                        return false;
                }
@@ -76,15 +76,27 @@ iprange_mt6(const struct sk_buff *skb, struct xt_action_param *par)
                m  = iprange_ipv6_lt(&iph->saddr, &info->src_min.in6);
                m |= iprange_ipv6_lt(&info->src_max.in6, &iph->saddr);
                m ^= !!(info->flags & IPRANGE_SRC_INV);
-                if (m)
+                if (m) {
+                        pr_debug("src IP %pI6 NOT in range %s%pI6-%pI6\n",
+                                 &iph->saddr,
+                                 (info->flags & IPRANGE_SRC_INV) ? "(INV) " : "",
+                                 &info->src_min.in6,
+                                 &info->src_max.in6);
                        return false;
+                }
        }
        if (info->flags & IPRANGE_DST) {
                m  = iprange_ipv6_lt(&iph->daddr, &info->dst_min.in6);
                m |= iprange_ipv6_lt(&info->dst_max.in6, &iph->daddr);
                m ^= !!(info->flags & IPRANGE_DST_INV);
-                if (m)
+                if (m) {
+                        pr_debug("dst IP %pI6 NOT in range %s%pI6-%pI6\n",
+                                 &iph->daddr,
+                                 (info->flags & IPRANGE_DST_INV) ? "(INV) " : "",
+                                 &info->dst_min.in6,
+                                 &info->dst_max.in6);
                        return false;
+                }
        }
        return true;
 }
diff --git a/net/netfilter/xt_ipvs.c b/net/netfilter/xt_ipvs.c
index 9127a3d8aa35..bb10b0717f1b 100644
--- a/net/netfilter/xt_ipvs.c
+++ b/net/netfilter/xt_ipvs.c
@@ -85,7 +85,7 @@ ipvs_mt(const struct sk_buff *skb, struct xt_action_param *par)
        /*
         * Check if the packet belongs to an existing entry
         */
-        cp = pp->conn_out_get(family, skb, pp, &iph, iph.len, 1 /* inverse */);
+        cp = pp->conn_out_get(family, skb, &iph, iph.len, 1 /* inverse */);
        if (unlikely(cp == NULL)) {
                match = false;
                goto out;
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index 4327e101c047..846f895cb656 100644
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -62,13 +62,6 @@ static const struct nla_policy xt_osf_policy[OSF_ATTR_MAX + 1] = {
        [OSF_ATTR_FINGER]       = { .len = sizeof(struct xt_osf_user_finger) },
 };
-static void xt_osf_finger_free_rcu(struct rcu_head *rcu_head)
-{
-        struct xt_osf_finger *f = container_of(rcu_head, struct xt_osf_finger, rcu_head);
-        kfree(f);
-}
 static int xt_osf_add_callback(struct sock *ctnl, struct sk_buff *skb,
                               const struct nlmsghdr *nlh,
                               const struct nlattr * const osf_attrs[])
@@ -133,7 +126,7 @@ static int xt_osf_remove_callback(struct sock *ctnl, struct sk_buff *skb,
                 * We are protected by nfnl mutex.
                 */
                list_del_rcu(&sf->finger_entry);
-                call_rcu(&sf->rcu_head, xt_osf_finger_free_rcu);
+                kfree_rcu(sf, rcu_head);
                err = 0;
                break;
@@ -414,7 +407,7 @@ static void __exit xt_osf_fini(void)
                list_for_each_entry_rcu(f, &xt_osf_fingers[i], finger_entry) {
                        list_del_rcu(&f->finger_entry);
-                        call_rcu(&f->rcu_head, xt_osf_finger_free_rcu);
+                        kfree_rcu(f, rcu_head);
                }
        }
        rcu_read_unlock();
diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
new file mode 100644
index 000000000000..b3babaed7719
--- /dev/null
+++ b/net/netfilter/xt_set.c
@@ -0,0 +1,373 @@
+/* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu>
+ *                         Patrick Schaaf <bof@bof.de>
+ *                         Martin Josefsson <gandalf@wlug.westbo.se>
+ * Copyright (C) 2003-2011 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+/* Kernel module which implements the set match and SET target
+ * for netfilter/iptables. */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/version.h>
+#include <linux/netfilter/x_tables.h>
+#include <linux/netfilter/xt_set.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+MODULE_DESCRIPTION("Xtables: IP set match and target module");
+MODULE_ALIAS("xt_SET");
+MODULE_ALIAS("ipt_set");
+MODULE_ALIAS("ip6t_set");
+MODULE_ALIAS("ipt_SET");
+MODULE_ALIAS("ip6t_SET");
+static inline int
+match_set(ip_set_id_t index, const struct sk_buff *skb,
+          u8 pf, u8 dim, u8 flags, int inv)
+{
+        if (ip_set_test(index, skb, pf, dim, flags))
+                inv = !inv;
+        return inv;
+}
+/* Revision 0 interface: backward compatible with netfilter/iptables */
+static bool
+set_match_v0(const struct sk_buff *skb, struct xt_action_param *par)
+{
+        const struct xt_set_info_match_v0 *info = par->matchinfo;
+        return match_set(info->match_set.index, skb, par->family,
+                         info->match_set.u.compat.dim,
+                         info->match_set.u.compat.flags,
+                         info->match_set.u.compat.flags & IPSET_INV_MATCH);
+}
+static void
+compat_flags(struct xt_set_info_v0 *info)
+{
+        u_int8_t i;
+        /* Fill out compatibility data according to enum ip_set_kopt */
+        info->u.compat.dim = IPSET_DIM_ZERO;
+        if (info->u.flags[0] & IPSET_MATCH_INV)
+                info->u.compat.flags |= IPSET_INV_MATCH;
+        for (i = 0; i < IPSET_DIM_MAX-1 && info->u.flags[i]; i++) {
+                info->u.compat.dim++;
+                if (info->u.flags[i] & IPSET_SRC)
+                        info->u.compat.flags |= (1<<info->u.compat.dim);
+        }
+}
+static int
+set_match_v0_checkentry(const struct xt_mtchk_param *par)
+{
+        struct xt_set_info_match_v0 *info = par->matchinfo;
+        ip_set_id_t index;
+        index = ip_set_nfnl_get_byindex(info->match_set.index);
+        if (index == IPSET_INVALID_ID) {
+                pr_warning("Cannot find set indentified by id %u to match\n",
+                           info->match_set.index);
+                return -ENOENT;
+        }
+        if (info->match_set.u.flags[IPSET_DIM_MAX-1] != 0) {
+                pr_warning("Protocol error: set match dimension "
+                           "is over the limit!\n");
+                ip_set_nfnl_put(info->match_set.index);
+                return -ERANGE;
+        }
+        /* Fill out compatibility data */
+        compat_flags(&info->match_set);
+        return 0;
+}
+static void
+set_match_v0_destroy(const struct xt_mtdtor_param *par)
+{
+        struct xt_set_info_match_v0 *info = par->matchinfo;
+        ip_set_nfnl_put(info->match_set.index);
+}
+static unsigned int
+set_target_v0(struct sk_buff *skb, const struct xt_action_param *par)
+{
+        const struct xt_set_info_target_v0 *info = par->targinfo;
+        if (info->add_set.index != IPSET_INVALID_ID)
+                ip_set_add(info->add_set.index, skb, par->family,
+                           info->add_set.u.compat.dim,
+                           info->add_set.u.compat.flags);
+        if (info->del_set.index != IPSET_INVALID_ID)
+                ip_set_del(info->del_set.index, skb, par->family,
+                           info->del_set.u.compat.dim,
+                           info->del_set.u.compat.flags);
+        return XT_CONTINUE;
+}
+static int
+set_target_v0_checkentry(const struct xt_tgchk_param *par)
+{
+        struct xt_set_info_target_v0 *info = par->targinfo;
+        ip_set_id_t index;
+        if (info->add_set.index != IPSET_INVALID_ID) {
+                index = ip_set_nfnl_get_byindex(info->add_set.index);
+                if (index == IPSET_INVALID_ID) {
+                        pr_warning("Cannot find add_set index %u as target\n",
+                                   info->add_set.index);
+                        return -ENOENT;
+                }
+        }
+        if (info->del_set.index != IPSET_INVALID_ID) {
+                index = ip_set_nfnl_get_byindex(info->del_set.index);
+                if (index == IPSET_INVALID_ID) {
+                        pr_warning("Cannot find del_set index %u as target\n",
+                                   info->del_set.index);
+                        if (info->add_set.index != IPSET_INVALID_ID)
+                                ip_set_nfnl_put(info->add_set.index);
+                        return -ENOENT;
+                }
+        }
+        if (info->add_set.u.flags[IPSET_DIM_MAX-1] != 0 ||
+            info->del_set.u.flags[IPSET_DIM_MAX-1] != 0) {
+                pr_warning("Protocol error: SET target dimension "
+                           "is over the limit!\n");
+                if (info->add_set.index != IPSET_INVALID_ID)
+                        ip_set_nfnl_put(info->add_set.index);
+                if (info->del_set.index != IPSET_INVALID_ID)
+                        ip_set_nfnl_put(info->del_set.index);
+                return -ERANGE;
+        }
+        /* Fill out compatibility data */
+        compat_flags(&info->add_set);
+        compat_flags(&info->del_set);
+        return 0;
+}
+static void
+set_target_v0_destroy(const struct xt_tgdtor_param *par)
+{
+        const struct xt_set_info_target_v0 *info = par->targinfo;
+        if (info->add_set.index != IPSET_INVALID_ID)
+                ip_set_nfnl_put(info->add_set.index);
+        if (info->del_set.index != IPSET_INVALID_ID)
+                ip_set_nfnl_put(info->del_set.index);
+}
+/* Revision 1: current interface to netfilter/iptables */
+static bool
+set_match(const struct sk_buff *skb, struct xt_action_param *par)
+{
+        const struct xt_set_info_match *info = par->matchinfo;
+        return match_set(info->match_set.index, skb, par->family,
+                         info->match_set.dim,
+                         info->match_set.flags,
+                         info->match_set.flags & IPSET_INV_MATCH);
+}
+static int
+set_match_checkentry(const struct xt_mtchk_param *par)
+{
+        struct xt_set_info_match *info = par->matchinfo;
+        ip_set_id_t index;
+        index = ip_set_nfnl_get_byindex(info->match_set.index);
+        if (index == IPSET_INVALID_ID) {
+                pr_warning("Cannot find set indentified by id %u to match\n",
+                           info->match_set.index);
+                return -ENOENT;
+        }
+        if (info->match_set.dim > IPSET_DIM_MAX) {
+                pr_warning("Protocol error: set match dimension "
+                           "is over the limit!\n");
+                ip_set_nfnl_put(info->match_set.index);
+                return -ERANGE;
+        }
+        return 0;
+}
+static void
+set_match_destroy(const struct xt_mtdtor_param *par)
+{
+        struct xt_set_info_match *info = par->matchinfo;
+        ip_set_nfnl_put(info->match_set.index);
+}
+static unsigned int
+set_target(struct sk_buff *skb, const struct xt_action_param *par)
+{
+        const struct xt_set_info_target *info = par->targinfo;
+        if (info->add_set.index != IPSET_INVALID_ID)
+                ip_set_add(info->add_set.index,
+                           skb, par->family,
+                           info->add_set.dim,
+                           info->add_set.flags);
+        if (info->del_set.index != IPSET_INVALID_ID)
+                ip_set_del(info->del_set.index,
+                           skb, par->family,
+                           info->del_set.dim,
+                           info->del_set.flags);
+        return XT_CONTINUE;
+}
+static int
+set_target_checkentry(const struct xt_tgchk_param *par)
+{
+        const struct xt_set_info_target *info = par->targinfo;
+        ip_set_id_t index;
+        if (info->add_set.index != IPSET_INVALID_ID) {
+                index = ip_set_nfnl_get_byindex(info->add_set.index);
+                if (index == IPSET_INVALID_ID) {
+                        pr_warning("Cannot find add_set index %u as target\n",
+                                   info->add_set.index);
+                        return -ENOENT;
+                }
+        }
+        if (info->del_set.index != IPSET_INVALID_ID) {
+                index = ip_set_nfnl_get_byindex(info->del_set.index);
+                if (index == IPSET_INVALID_ID) {
+                        pr_warning("Cannot find del_set index %u as target\n",
+                                   info->del_set.index);
+                        if (info->add_set.index != IPSET_INVALID_ID)
+                                ip_set_nfnl_put(info->add_set.index);
+                        return -ENOENT;
+                }
+        }
+        if (info->add_set.dim > IPSET_DIM_MAX ||
+            info->del_set.dim > IPSET_DIM_MAX) {
+                pr_warning("Protocol error: SET target dimension "
+                           "is over the limit!\n");
+                if (info->add_set.index != IPSET_INVALID_ID)
+                        ip_set_nfnl_put(info->add_set.index);
+                if (info->del_set.index != IPSET_INVALID_ID)
+                        ip_set_nfnl_put(info->del_set.index);
+                return -ERANGE;
+        }
+        return 0;
+}
+static void
+set_target_destroy(const struct xt_tgdtor_param *par)
+{
+        const struct xt_set_info_target *info = par->targinfo;
+        if (info->add_set.index != IPSET_INVALID_ID)
+                ip_set_nfnl_put(info->add_set.index);
+        if (info->del_set.index != IPSET_INVALID_ID)
+                ip_set_nfnl_put(info->del_set.index);
+}
+static struct xt_match set_matches[] __read_mostly = {
+        {
+                .name           = "set",
+                .family         = NFPROTO_IPV4,
+                .revision       = 0,
+                .match          = set_match_v0,
+                .matchsize      = sizeof(struct xt_set_info_match_v0),
+                .checkentry     = set_match_v0_checkentry,
+                .destroy        = set_match_v0_destroy,
+                .me             = THIS_MODULE
+        },
+        {
+                .name           = "set",
+                .family         = NFPROTO_IPV4,
+                .revision       = 1,
+                .match          = set_match,
+                .matchsize      = sizeof(struct xt_set_info_match),
+                .checkentry     = set_match_checkentry,
+                .destroy        = set_match_destroy,
+                .me             = THIS_MODULE
+        },
+        {
+                .name           = "set",
+                .family         = NFPROTO_IPV6,
+                .revision       = 1,
+                .match          = set_match,
+                .matchsize      = sizeof(struct xt_set_info_match),
+                .checkentry     = set_match_checkentry,
+                .destroy        = set_match_destroy,
+                .me             = THIS_MODULE
+        },
+};
+static struct xt_target set_targets[] __read_mostly = {
+        {
+                .name           = "SET",
+                .revision       = 0,
+                .family         = NFPROTO_IPV4,
+                .target         = set_target_v0,
+                .targetsize     = sizeof(struct xt_set_info_target_v0),
+                .checkentry     = set_target_v0_checkentry,
+                .destroy        = set_target_v0_destroy,
+                .me             = THIS_MODULE
+        },
+        {
+                .name           = "SET",
+                .revision       = 1,
+                .family         = NFPROTO_IPV4,
+                .target         = set_target,
+                .targetsize     = sizeof(struct xt_set_info_target),
+                .checkentry     = set_target_checkentry,
+                .destroy        = set_target_destroy,
+                .me             = THIS_MODULE
+        },
+        {
+                .name           = "SET",
+                .revision       = 1,
+                .family         = NFPROTO_IPV6,
+                .target         = set_target,
+                .targetsize     = sizeof(struct xt_set_info_target),
+                .checkentry     = set_target_checkentry,
+                .destroy        = set_target_destroy,
+                .me             = THIS_MODULE
+        },
+};
+static int __init xt_set_init(void)
+{
+        int ret = xt_register_matches(set_matches, ARRAY_SIZE(set_matches));
+        if (!ret) {
+                ret = xt_register_targets(set_targets,
+                                          ARRAY_SIZE(set_targets));
+                if (ret)
+                        xt_unregister_matches(set_matches,
+                                              ARRAY_SIZE(set_matches));
+        }
+        return ret;
+}
+static void __exit xt_set_fini(void)
+{
+        xt_unregister_matches(set_matches, ARRAY_SIZE(set_matches));
+        xt_unregister_targets(set_targets, ARRAY_SIZE(set_targets));
+}
+module_init(xt_set_init);
+module_exit(xt_set_fini);
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c
index 5f14c8462e30..bae5756b1626 100644
--- a/net/netlabel/netlabel_cipso_v4.c
+++ b/net/netlabel/netlabel_cipso_v4.c
@@ -422,7 +422,6 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
 {
        int ret_val = -EINVAL;
-        const char *type_str = "(unknown)";
        struct netlbl_audit audit_info;
        if (!info->attrs[NLBL_CIPSOV4_A_DOI] ||
@@ -432,15 +431,12 @@ static int netlbl_cipsov4_add(struct sk_buff *skb, struct genl_info *info)
        netlbl_netlink_auditinfo(skb, &audit_info);
        switch (nla_get_u32(info->attrs[NLBL_CIPSOV4_A_MTYPE])) {
        case CIPSO_V4_MAP_TRANS:
-                type_str = "trans";
                ret_val = netlbl_cipsov4_add_std(info, &audit_info);
                break;
        case CIPSO_V4_MAP_PASS:
-                type_str = "pass";
                ret_val = netlbl_cipsov4_add_pass(info, &audit_info);
                break;
        case CIPSO_V4_MAP_LOCAL:
-                type_str = "local";
                ret_val = netlbl_cipsov4_add_local(info, &audit_info);
                break;
        }
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c
index d37b7f80fa37..de0d8e4cbfb6 100644
--- a/net/netlabel/netlabel_domainhash.c
+++ b/net/netlabel/netlabel_domainhash.c
@@ -109,7 +109,7 @@ static void netlbl_domhsh_free_entry(struct rcu_head *entry)
 *
 * Description:
 * This is the hashing function for the domain hash table, it returns the
- * correct bucket number for the domain.  The caller is responsibile for
+ * correct bucket number for the domain.  The caller is responsible for
 * ensuring that the hash table is protected with either a RCU read lock or the
 * hash table lock.
 *
@@ -134,7 +134,7 @@ static u32 netlbl_domhsh_hash(const char *key)
 *
 * Description:
 * Searches the domain hash table and returns a pointer to the hash table
- * entry if found, otherwise NULL is returned.  The caller is responsibile for
+ * entry if found, otherwise NULL is returned.  The caller is responsible for
 * ensuring that the hash table is protected with either a RCU read lock or the
 * hash table lock.
 *
@@ -165,7 +165,7 @@ static struct netlbl_dom_map *netlbl_domhsh_search(const char *domain)
 * Searches the domain hash table and returns a pointer to the hash table
 * entry if an exact match is found, if an exact match is not present in the
 * hash table then the default entry is returned if valid otherwise NULL is
- * returned.  The caller is responsibile ensuring that the hash table is
+ * returned.  The caller is responsible ensuring that the hash table is
 * protected with either a RCU read lock or the hash table lock.
 *
 */
@@ -193,7 +193,7 @@ static struct netlbl_dom_map *netlbl_domhsh_search_def(const char *domain)
 *
 * Description:
 * Generate an audit record for adding a new NetLabel/LSM mapping entry with
- * the given information.  Caller is responsibile for holding the necessary
+ * the given information.  Caller is responsible for holding the necessary
 * locks.
 *
 */
@@ -605,7 +605,7 @@ int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info)
 *
 * Description:
 * Look through the domain hash table searching for an entry to match @domain,
- * return a pointer to a copy of the entry or NULL.  The caller is responsibile
+ * return a pointer to a copy of the entry or NULL.  The caller is responsible
 * for ensuring that rcu_read_[un]lock() is called.
 *
 */
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
index 998e85e895d0..4f251b19fbcc 100644
--- a/net/netlabel/netlabel_mgmt.c
+++ b/net/netlabel/netlabel_mgmt.c
@@ -259,7 +259,7 @@ add_failure:
 *
 * Description:
 * This function is a helper function used by the LISTALL and LISTDEF command
- * handlers.  The caller is responsibile for ensuring that the RCU read lock
+ * handlers.  The caller is responsible for ensuring that the RCU read lock
 * is held.  Returns zero on success, negative values on failure.
 *
 */
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index e2b0a680dd56..9c38658fba8b 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -154,44 +154,6 @@ static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1
 */
 /**
- * netlbl_unlhsh_free_addr4 - Frees an IPv4 address entry from the hash table
- * @entry: the entry's RCU field
- *
- * Description:
- * This function is designed to be used as a callback to the call_rcu()
- * function so that memory allocated to a hash table address entry can be
- * released safely.
- *
- */
-static void netlbl_unlhsh_free_addr4(struct rcu_head *entry)
-{
-        struct netlbl_unlhsh_addr4 *ptr;
-        ptr = container_of(entry, struct netlbl_unlhsh_addr4, rcu);
-        kfree(ptr);
-}
-#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-/**
- * netlbl_unlhsh_free_addr6 - Frees an IPv6 address entry from the hash table
- * @entry: the entry's RCU field
- *
- * Description:
- * This function is designed to be used as a callback to the call_rcu()
- * function so that memory allocated to a hash table address entry can be
- * released safely.
- *
- */
-static void netlbl_unlhsh_free_addr6(struct rcu_head *entry)
-{
-        struct netlbl_unlhsh_addr6 *ptr;
-        ptr = container_of(entry, struct netlbl_unlhsh_addr6, rcu);
-        kfree(ptr);
-}
-#endif /* IPv6 */
-/**
 * netlbl_unlhsh_free_iface - Frees an interface entry from the hash table
 * @entry: the entry's RCU field
 *
@@ -568,7 +530,7 @@ static int netlbl_unlhsh_remove_addr4(struct net *net,
        if (entry == NULL)
                return -ENOENT;
-        call_rcu(&entry->rcu, netlbl_unlhsh_free_addr4);
+        kfree_rcu(entry, rcu);
        return 0;
 }
@@ -629,7 +591,7 @@ static int netlbl_unlhsh_remove_addr6(struct net *net,
        if (entry == NULL)
                return -ENOENT;
-        call_rcu(&entry->rcu, netlbl_unlhsh_free_addr6);
+        kfree_rcu(entry, rcu);
        return 0;
 }
 #endif /* IPv6 */
diff --git a/net/netlabel/netlabel_user.h b/net/netlabel/netlabel_user.h
index 6caef8b20611..f4fc4c9ad567 100644
--- a/net/netlabel/netlabel_user.h
+++ b/net/netlabel/netlabel_user.h
@@ -49,9 +49,9 @@
 static inline void netlbl_netlink_auditinfo(struct sk_buff *skb,
                                            struct netlbl_audit *audit_info)
 {
-        audit_info->secid = NETLINK_CB(skb).sid;
+        security_task_getsecid(current, &audit_info->secid);
-        audit_info->loginuid = NETLINK_CB(skb).loginuid;
+        audit_info->loginuid = audit_get_loginuid(current);
-        audit_info->sessionid = NETLINK_CB(skb).sessionid;
+        audit_info->sessionid = audit_get_sessionid(current);
 }
 /* NetLabel NETLINK I/O functions */
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 478181d53c55..5fe4f3b04ed3 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1362,17 +1362,8 @@ static int netlink_sendmsg(struct kiocb *kiocb, struct socket *sock,
        NETLINK_CB(skb).pid     = nlk->pid;
        NETLINK_CB(skb).dst_group = dst_group;
-        NETLINK_CB(skb).loginuid = audit_get_loginuid(current);
-        NETLINK_CB(skb).sessionid = audit_get_sessionid(current);
-        security_task_getsecid(current, &(NETLINK_CB(skb).sid));
        memcpy(NETLINK_CREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
-        /* What can I do? Netlink is asynchronous, so that
-           we will have to save current capabilities to
-           check them, when this message will be delivered
-           to corresponding kernel module.   --ANK (980802)
-         */
        err = -EFAULT;
        if (memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len)) {
                kfree_skb(skb);
@@ -1407,7 +1398,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
        int noblock = flags&MSG_DONTWAIT;
        size_t copied;
        struct sk_buff *skb, *data_skb;
-        int err;
+        int err, ret;
        if (flags&MSG_OOB)
                return -EOPNOTSUPP;
@@ -1470,8 +1461,13 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
        skb_free_datagram(sk, skb);
-        if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2)
+        if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) {
-                netlink_dump(sk);
+                ret = netlink_dump(sk);
+                if (ret) {
+                        sk->sk_err = ret;
+                        sk->sk_error_report(sk);
+                }
+        }
        scm_recv(sock, msg, siocb->scm, flags);
 out:
@@ -1570,12 +1566,6 @@ netlink_kernel_release(struct sock *sk)
 }
 EXPORT_SYMBOL(netlink_kernel_release);
-static void listeners_free_rcu(struct rcu_head *head)
-{
-        kfree(container_of(head, struct listeners, rcu));
-}
 int __netlink_change_ngroups(struct sock *sk, unsigned int groups)
 {
        struct listeners *new, *old;
@@ -1592,7 +1582,7 @@ int __netlink_change_ngroups(struct sock *sk, unsigned int groups)
                memcpy(new->masks, old->masks, NLGRPSZ(tbl->groups));
                rcu_assign_pointer(tbl->listeners, new);
-                call_rcu(&old->rcu, listeners_free_rcu);
+                kfree_rcu(old, rcu);
        }
        tbl->groups = groups;
@@ -1736,6 +1726,7 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
        struct netlink_callback *cb;
        struct sock *sk;
        struct netlink_sock *nlk;
+        int ret;
        cb = kzalloc(sizeof(*cb), GFP_KERNEL);
        if (cb == NULL)
@@ -1764,9 +1755,13 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
        nlk->cb = cb;
        mutex_unlock(nlk->cb_mutex);
-        netlink_dump(sk);
+        ret = netlink_dump(sk);
        sock_put(sk);
+        if (ret)
+                return ret;
        /* We successfully started a dump, by returning -EINTR we
         * signal not to send ACK even if it was requested.
         */
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 06cb02796a0e..732152f718e0 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -591,7 +591,6 @@ static int nr_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                return -EINVAL;
        }
        if ((dev = nr_dev_get(&addr->fsa_ax25.sax25_call)) == NULL) {
-                SOCK_DEBUG(sk, "NET/ROM: bind failed: invalid node callsign\n");
                release_sock(sk);
                return -EADDRNOTAVAIL;
        }
@@ -632,7 +631,7 @@ static int nr_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        sock_reset_flag(sk, SOCK_ZAPPED);
        dev_put(dev);
        release_sock(sk);
-        SOCK_DEBUG(sk, "NET/ROM: socket is bound\n");
        return 0;
 }
@@ -1082,8 +1081,6 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
                sax.sax25_call   = nr->dest_addr;
        }
-        SOCK_DEBUG(sk, "NET/ROM: sendto: Addresses built.\n");
        /* Build a packet - the conventional user limit is 236 bytes. We can
           do ludicrously large NetROM frames but must not overflow */
        if (len > 65536) {
@@ -1091,7 +1088,6 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
                goto out;
        }
-        SOCK_DEBUG(sk, "NET/ROM: sendto: building packet.\n");
        size = len + NR_NETWORK_LEN + NR_TRANSPORT_LEN;
        if ((skb = sock_alloc_send_skb(sk, size, msg->msg_flags & MSG_DONTWAIT, &err)) == NULL)
@@ -1105,7 +1101,6 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
         */
        asmptr = skb_push(skb, NR_TRANSPORT_LEN);
-        SOCK_DEBUG(sk, "Building NET/ROM Header.\n");
        /* Build a NET/ROM Transport header */
@@ -1114,15 +1109,12 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
        *asmptr++ = 0;          /* To be filled in later */
        *asmptr++ = 0;          /*      Ditto            */
        *asmptr++ = NR_INFO;
-        SOCK_DEBUG(sk, "Built header.\n");
        /*
         *      Put the data on the end
         */
        skb_put(skb, len);
-        SOCK_DEBUG(sk, "NET/ROM: Appending user data\n");
        /* User data follows immediately after the NET/ROM transport header */
        if (memcpy_fromiovec(skb_transport_header(skb), msg->msg_iov, len)) {
                kfree_skb(skb);
@@ -1130,8 +1122,6 @@ static int nr_sendmsg(struct kiocb *iocb, struct socket *sock,
                goto out;
        }
-        SOCK_DEBUG(sk, "NET/ROM: Transmitting buffer\n");
        if (sk->sk_state != TCP_ESTABLISHED) {
                kfree_skb(skb);
                err = -ENOTCONN;
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 91cb1d71f018..549527bca87a 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -164,7 +164,6 @@ struct packet_mreq_max {
 static int packet_set_ring(struct sock *sk, struct tpacket_req *req,
                int closing, int tx_ring);
-#define PGV_FROM_VMALLOC 1
 struct pgv {
        char *buffer;
 };
@@ -466,7 +465,7 @@ retry:
         */
        err = -EMSGSIZE;
-        if (len > dev->mtu + dev->hard_header_len)
+        if (len > dev->mtu + dev->hard_header_len + VLAN_HLEN)
                goto out_unlock;
        if (!skb) {
@@ -497,6 +496,19 @@ retry:
                goto retry;
        }
+        if (len > (dev->mtu + dev->hard_header_len)) {
+                /* Earlier code assumed this would be a VLAN pkt,
+                 * double-check this now that we have the actual
+                 * packet in hand.
+                 */
+                struct ethhdr *ehdr;
+                skb_reset_mac_header(skb);
+                ehdr = eth_hdr(skb);
+                if (ehdr->h_proto != htons(ETH_P_8021Q)) {
+                        err = -EMSGSIZE;
+                        goto out_unlock;
+                }
+        }
        skb->protocol = proto;
        skb->dev = dev;
@@ -523,11 +535,11 @@ static inline unsigned int run_filter(const struct sk_buff *skb,
 {
        struct sk_filter *filter;
-        rcu_read_lock_bh();
+        rcu_read_lock();
-        filter = rcu_dereference_bh(sk->sk_filter);
+        filter = rcu_dereference(sk->sk_filter);
        if (filter != NULL)
-                res = sk_run_filter(skb, filter->insns);
+                res = SK_RUN_FILTER(filter, skb);
-        rcu_read_unlock_bh();
+        rcu_read_unlock();
        return res;
 }
@@ -954,7 +966,6 @@ static int tpacket_fill_skb(struct packet_sock *po, struct sk_buff *skb,
 static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
 {
-        struct socket *sock;
        struct sk_buff *skb;
        struct net_device *dev;
        __be16 proto;
@@ -966,8 +977,6 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
        int len_sum = 0;
        int status = 0;
-        sock = po->sk.sk_socket;
        mutex_lock(&po->pg_vec_lock);
        err = -EBUSY;
@@ -1200,7 +1209,7 @@ static int packet_snd(struct socket *sock,
        }
        err = -EMSGSIZE;
-        if (!gso_type && (len > dev->mtu+reserve))
+        if (!gso_type && (len > dev->mtu + reserve + VLAN_HLEN))
                goto out_unlock;
        err = -ENOBUFS;
@@ -1225,6 +1234,20 @@ static int packet_snd(struct socket *sock,
        if (err < 0)
                goto out_free;
+        if (!gso_type && (len > dev->mtu + reserve)) {
+                /* Earlier code assumed this would be a VLAN pkt,
+                 * double-check this now that we have the actual
+                 * packet in hand.
+                 */
+                struct ethhdr *ehdr;
+                skb_reset_mac_header(skb);
+                ehdr = eth_hdr(skb);
+                if (ehdr->h_proto != htons(ETH_P_8021Q)) {
+                        err = -EMSGSIZE;
+                        goto out_free;
+                }
+        }
        skb->protocol = proto;
        skb->dev = dev;
        skb->priority = sk->sk_priority;
diff --git a/net/phonet/Kconfig b/net/phonet/Kconfig
index 0d9b8a220a78..6ec7d55b1769 100644
--- a/net/phonet/Kconfig
+++ b/net/phonet/Kconfig
@@ -14,15 +14,3 @@ config PHONET
          To compile this driver as a module, choose M here: the module
          will be called phonet. If unsure, say N.
-config PHONET_PIPECTRLR
-        bool "Phonet Pipe Controller (EXPERIMENTAL)"
-        depends on PHONET && EXPERIMENTAL
-        default N
-        help
-          The Pipe Controller implementation in Phonet stack to support Pipe
-          data with Nokia Slim modems like WG2.5 used on ST-Ericsson U8500
-          platform.
-          This option is incompatible with older Nokia modems.
-          Say N here unless you really know what you are doing.
diff --git a/net/phonet/af_phonet.c b/net/phonet/af_phonet.c
index 1072b2c19d31..c6fffd946d42 100644
--- a/net/phonet/af_phonet.c
+++ b/net/phonet/af_phonet.c
@@ -110,6 +110,7 @@ static int pn_socket_create(struct net *net, struct socket *sock, int protocol,
        sk->sk_protocol = protocol;
        pn = pn_sk(sk);
        pn->sobject = 0;
+        pn->dobject = 0;
        pn->resource = 0;
        sk->sk_prot->init(sk);
        err = 0;
@@ -194,11 +195,7 @@ static int pn_send(struct sk_buff *skb, struct net_device *dev,
        if (skb->pkt_type == PACKET_LOOPBACK) {
                skb_reset_mac_header(skb);
                skb_orphan(skb);
-                if (irq)
+                err = (irq ? netif_rx(skb) : netif_rx_ni(skb)) ? -ENOBUFS : 0;
-                        netif_rx(skb);
-                else
-                        netif_rx_ni(skb);
-                err = 0;
        } else {
                err = dev_hard_header(skb, dev, ntohs(skb->protocol),
                                        NULL, NULL, skb->len);
@@ -207,6 +204,8 @@ static int pn_send(struct sk_buff *skb, struct net_device *dev,
                        goto drop;
                }
                err = dev_queue_xmit(skb);
+                if (unlikely(err > 0))
+                        err = net_xmit_errno(err);
        }
        return err;
@@ -242,8 +241,18 @@ int pn_skb_send(struct sock *sk, struct sk_buff *skb,
        struct net_device *dev;
        struct pn_sock *pn = pn_sk(sk);
        int err;
-        u16 src;
+        u16 src, dst;
-        u8 daddr = pn_sockaddr_get_addr(target), saddr = PN_NO_ADDR;
+        u8 daddr, saddr, res;
+        src = pn->sobject;
+        if (target != NULL) {
+                dst = pn_sockaddr_get_object(target);
+                res = pn_sockaddr_get_resource(target);
+        } else {
+                dst = pn->dobject;
+                res = pn->resource;
+        }
+        daddr = pn_addr(dst);
        err = -EHOSTUNREACH;
        if (sk->sk_bound_dev_if)
@@ -251,10 +260,9 @@ int pn_skb_send(struct sock *sk, struct sk_buff *skb,
        else if (phonet_address_lookup(net, daddr) == 0) {
                dev = phonet_device_get(net);
                skb->pkt_type = PACKET_LOOPBACK;
-        } else if (pn_sockaddr_get_object(target) == 0) {
+        } else if (dst == 0) {
                /* Resource routing (small race until phonet_rcv()) */
-                struct sock *sk = pn_find_sock_by_res(net,
+                struct sock *sk = pn_find_sock_by_res(net, res);
-                                                        target->spn_resource);
                if (sk) {
                        sock_put(sk);
                        dev = phonet_device_get(net);
@@ -271,12 +279,10 @@ int pn_skb_send(struct sock *sk, struct sk_buff *skb,
        if (saddr == PN_NO_ADDR)
                goto drop;
-        src = pn->sobject;
        if (!pn_addr(src))
                src = pn_object(saddr, pn_obj(src));
-        err = pn_send(skb, dev, pn_sockaddr_get_object(target),
+        err = pn_send(skb, dev, dst, src, res, 0);
-                        src, pn_sockaddr_get_resource(target), 0);
        dev_put(dev);
        return err;
diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index 3e60f2e4e6c2..f17fd841f948 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -42,7 +42,7 @@
 * TCP_ESTABLISHED      connected pipe in enabled state
 *
 * pep_sock locking:
- *  - sk_state, ackq, hlist: sock lock needed
+ *  - sk_state, hlist: sock lock needed
 *  - listener: read only
 *  - pipe_handle: read only
 */
@@ -50,11 +50,6 @@
 #define CREDITS_MAX     10
 #define CREDITS_THR     7
-static const struct sockaddr_pn pipe_srv = {
-        .spn_family = AF_PHONET,
-        .spn_resource = 0xD9, /* pipe service */
-};
 #define pep_sb_size(s) (((s) + 5) & ~3) /* 2-bytes head, 32-bits aligned */
 /* Get the next TLV sub-block. */
@@ -82,236 +77,95 @@ static unsigned char *pep_get_sb(struct sk_buff *skb, u8 *ptype, u8 *plen,
        return data;
 }
-static int pep_reply(struct sock *sk, struct sk_buff *oskb,
+static struct sk_buff *pep_alloc_skb(struct sock *sk, const void *payload,
-                        u8 code, const void *data, int len, gfp_t priority)
+                                        int len, gfp_t priority)
 {
-        const struct pnpipehdr *oph = pnp_hdr(oskb);
+        struct sk_buff *skb = alloc_skb(MAX_PNPIPE_HEADER + len, priority);
-        struct pnpipehdr *ph;
-        struct sk_buff *skb;
-        skb = alloc_skb(MAX_PNPIPE_HEADER + len, priority);
        if (!skb)
-                return -ENOMEM;
+                return NULL;
        skb_set_owner_w(skb, sk);
        skb_reserve(skb, MAX_PNPIPE_HEADER);
        __skb_put(skb, len);
-        skb_copy_to_linear_data(skb, data, len);
+        skb_copy_to_linear_data(skb, payload, len);
-        __skb_push(skb, sizeof(*ph));
+        __skb_push(skb, sizeof(struct pnpipehdr));
        skb_reset_transport_header(skb);
-        ph = pnp_hdr(skb);
+        return skb;
-        ph->utid = oph->utid;
-        ph->message_id = oph->message_id + 1; /* REQ -> RESP */
-        ph->pipe_handle = oph->pipe_handle;
-        ph->error_code = code;
-        return pn_skb_send(sk, skb, &pipe_srv);
-}
-#define PAD 0x00
-#ifdef CONFIG_PHONET_PIPECTRLR
-static u8 pipe_negotiate_fc(u8 *host_fc, u8 *remote_fc, int len)
-{
-        int i, j;
-        u8 base_fc, final_fc;
-        for (i = 0; i < len; i++) {
-                base_fc = host_fc[i];
-                for (j = 0; j < len; j++) {
-                        if (remote_fc[j] == base_fc) {
-                                final_fc = base_fc;
-                                goto done;
-                        }
-                }
-        }
-        return -EINVAL;
-done:
-        return final_fc;
-}
-static int pipe_get_flow_info(struct sock *sk, struct sk_buff *skb,
-                u8 *pref_rx_fc, u8 *req_tx_fc)
-{
-        struct pnpipehdr *hdr;
-        u8 n_sb;
-        if (!pskb_may_pull(skb, sizeof(*hdr) + 4))
-                return -EINVAL;
-        hdr = pnp_hdr(skb);
-        n_sb = hdr->data[4];
-        __skb_pull(skb, sizeof(*hdr) + 4);
-        while (n_sb > 0) {
-                u8 type, buf[3], len = sizeof(buf);
-                u8 *data = pep_get_sb(skb, &type, &len, buf);
-                if (data == NULL)
-                        return -EINVAL;
-                switch (type) {
-                case PN_PIPE_SB_REQUIRED_FC_TX:
-                        if (len < 3 || (data[2] | data[3] | data[4]) > 3)
-                                break;
-                        req_tx_fc[0] = data[2];
-                        req_tx_fc[1] = data[3];
-                        req_tx_fc[2] = data[4];
-                        break;
-                case PN_PIPE_SB_PREFERRED_FC_RX:
-                        if (len < 3 || (data[2] | data[3] | data[4]) > 3)
-                                break;
-                        pref_rx_fc[0] = data[2];
-                        pref_rx_fc[1] = data[3];
-                        pref_rx_fc[2] = data[4];
-                        break;
-                }
-                n_sb--;
-        }
-        return 0;
 }
-static int pipe_handler_send_req(struct sock *sk, u8 utid,
+static int pep_reply(struct sock *sk, struct sk_buff *oskb, u8 code,
-                u8 msg_id, gfp_t priority)
+                        const void *data, int len, gfp_t priority)
 {
-        int len;
+        const struct pnpipehdr *oph = pnp_hdr(oskb);
        struct pnpipehdr *ph;
        struct sk_buff *skb;
-        struct pep_sock *pn = pep_sk(sk);
+        struct sockaddr_pn peer;
-        static const u8 data[4] = {
-                PAD, PAD, PAD, PAD,
-        };
-        switch (msg_id) {
+        skb = pep_alloc_skb(sk, data, len, priority);
-        case PNS_PEP_CONNECT_REQ:
-                len = sizeof(data);
-                break;
-        case PNS_PEP_DISCONNECT_REQ:
-        case PNS_PEP_ENABLE_REQ:
-        case PNS_PEP_DISABLE_REQ:
-                len = 0;
-                break;
-        default:
-                return -EINVAL;
-        }
-        skb = alloc_skb(MAX_PNPIPE_HEADER + len, priority);
        if (!skb)
                return -ENOMEM;
-        skb_set_owner_w(skb, sk);
-        skb_reserve(skb, MAX_PNPIPE_HEADER);
-        if (len) {
-                __skb_put(skb, len);
-                skb_copy_to_linear_data(skb, data, len);
-        }
-        __skb_push(skb, sizeof(*ph));
-        skb_reset_transport_header(skb);
        ph = pnp_hdr(skb);
-        ph->utid = utid;
+        ph->utid = oph->utid;
-        ph->message_id = msg_id;
+        ph->message_id = oph->message_id + 1; /* REQ -> RESP */
-        ph->pipe_handle = pn->pipe_handle;
+        ph->pipe_handle = oph->pipe_handle;
-        ph->error_code = PN_PIPE_NO_ERROR;
+        ph->error_code = code;
-        return pn_skb_send(sk, skb, &pn->remote_pep);
+        pn_skb_get_src_sockaddr(oskb, &peer);
+        return pn_skb_send(sk, skb, &peer);
 }
-static int pipe_handler_send_created_ind(struct sock *sk,
+static int pep_indicate(struct sock *sk, u8 id, u8 code,
-                u8 utid, u8 msg_id)
+                        const void *data, int len, gfp_t priority)
 {
-        int err_code;
+        struct pep_sock *pn = pep_sk(sk);
        struct pnpipehdr *ph;
        struct sk_buff *skb;
-        struct pep_sock *pn = pep_sk(sk);
+        skb = pep_alloc_skb(sk, data, len, priority);
-        static u8 data[4] = {
-                0x03, 0x04,
-        };
-        data[2] = pn->tx_fc;
-        data[3] = pn->rx_fc;
-        /*
-         * actually, below is number of sub-blocks and not error code.
-         * Pipe_created_ind message format does not have any
-         * error code field. However, the Phonet stack will always send
-         * an error code as part of pnpipehdr. So, use that err_code to
-         * specify the number of sub-blocks.
-         */
-        err_code = 0x01;
-        skb = alloc_skb(MAX_PNPIPE_HEADER + sizeof(data), GFP_ATOMIC);
        if (!skb)
                return -ENOMEM;
-        skb_set_owner_w(skb, sk);
-        skb_reserve(skb, MAX_PNPIPE_HEADER);
-        __skb_put(skb, sizeof(data));
-        skb_copy_to_linear_data(skb, data, sizeof(data));
-        __skb_push(skb, sizeof(*ph));
-        skb_reset_transport_header(skb);
        ph = pnp_hdr(skb);
-        ph->utid = utid;
+        ph->utid = 0;
-        ph->message_id = msg_id;
+        ph->message_id = id;
        ph->pipe_handle = pn->pipe_handle;
-        ph->error_code = err_code;
+        ph->data[0] = code;
+        return pn_skb_send(sk, skb, NULL);
-        return pn_skb_send(sk, skb, &pn->remote_pep);
 }
-static int pipe_handler_send_ind(struct sock *sk, u8 utid, u8 msg_id)
+#define PAD 0x00
+static int pipe_handler_request(struct sock *sk, u8 id, u8 code,
+                                const void *data, int len)
 {
-        int err_code;
+        struct pep_sock *pn = pep_sk(sk);
        struct pnpipehdr *ph;
        struct sk_buff *skb;
-        struct pep_sock *pn = pep_sk(sk);
-        /*
-         * actually, below is a filler.
-         * Pipe_enabled/disabled_ind message format does not have any
-         * error code field. However, the Phonet stack will always send
-         * an error code as part of pnpipehdr. So, use that err_code to
-         * specify the filler value.
-         */
-        err_code = 0x0;
-        skb = alloc_skb(MAX_PNPIPE_HEADER, GFP_ATOMIC);
+        skb = pep_alloc_skb(sk, data, len, GFP_KERNEL);
        if (!skb)
                return -ENOMEM;
-        skb_set_owner_w(skb, sk);
-        skb_reserve(skb, MAX_PNPIPE_HEADER);
-        __skb_push(skb, sizeof(*ph));
-        skb_reset_transport_header(skb);
        ph = pnp_hdr(skb);
-        ph->utid = utid;
+        ph->utid = id; /* whatever */
-        ph->message_id = msg_id;
+        ph->message_id = id;
        ph->pipe_handle = pn->pipe_handle;
-        ph->error_code = err_code;
+        ph->data[0] = code;
+        return pn_skb_send(sk, skb, NULL);
-        return pn_skb_send(sk, skb, &pn->remote_pep);
 }
-static int pipe_handler_enable_pipe(struct sock *sk, int enable)
+static int pipe_handler_send_created_ind(struct sock *sk)
 {
-        int utid, req;
+        struct pep_sock *pn = pep_sk(sk);
+        u8 data[4] = {
-        if (enable) {
+                PN_PIPE_SB_NEGOTIATED_FC, pep_sb_size(2),
-                utid = PNS_PIPE_ENABLE_UTID;
+                pn->tx_fc, pn->rx_fc,
-                req = PNS_PEP_ENABLE_REQ;
+        };
-        } else {
-                utid = PNS_PIPE_DISABLE_UTID;
+        return pep_indicate(sk, PNS_PIPE_CREATED_IND, 1 /* sub-blocks */,
-                req = PNS_PEP_DISABLE_REQ;
+                                data, 4, GFP_ATOMIC);
-        }
-        return pipe_handler_send_req(sk, utid, req, GFP_ATOMIC);
 }
-#endif
 static int pep_accept_conn(struct sock *sk, struct sk_buff *skb)
 {
@@ -334,11 +188,12 @@ static int pep_accept_conn(struct sock *sk, struct sk_buff *skb)
                                GFP_KERNEL);
 }
-static int pep_reject_conn(struct sock *sk, struct sk_buff *skb, u8 code)
+static int pep_reject_conn(struct sock *sk, struct sk_buff *skb, u8 code,
+                                gfp_t priority)
 {
        static const u8 data[4] = { PAD, PAD, PAD, 0 /* sub-blocks */ };
        WARN_ON(code == PN_PIPE_NO_ERROR);
-        return pep_reply(sk, skb, code, data, sizeof(data), GFP_ATOMIC);
+        return pep_reply(sk, skb, code, data, sizeof(data), priority);
 }
 /* Control requests are not sent by the pipe service and have a specific
@@ -350,23 +205,21 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code,
        struct sk_buff *skb;
        struct pnpipehdr *ph;
        struct sockaddr_pn dst;
+        u8 data[4] = {
+                oph->data[0], /* PEP type */
+                code, /* error code, at an unusual offset */
+                PAD, PAD,
+        };
-        skb = alloc_skb(MAX_PNPIPE_HEADER + 4, priority);
+        skb = pep_alloc_skb(sk, data, 4, priority);
        if (!skb)
                return -ENOMEM;
-        skb_set_owner_w(skb, sk);
-        skb_reserve(skb, MAX_PHONET_HEADER);
-        ph = (struct pnpipehdr *)skb_put(skb, sizeof(*ph) + 4);
+        ph = pnp_hdr(skb);
        ph->utid = oph->utid;
        ph->message_id = PNS_PEP_CTRL_RESP;
        ph->pipe_handle = oph->pipe_handle;
        ph->data[0] = oph->data[1]; /* CTRL id */
-        ph->data[1] = oph->data[0]; /* PEP type */
-        ph->data[2] = code; /* error code, at an usual offset */
-        ph->data[3] = PAD;
-        ph->data[4] = PAD;
        pn_skb_get_src_sockaddr(oskb, &dst);
        return pn_skb_send(sk, skb, &dst);
@@ -374,38 +227,15 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code,
 static int pipe_snd_status(struct sock *sk, u8 type, u8 status, gfp_t priority)
 {
-        struct pep_sock *pn = pep_sk(sk);
+        u8 data[4] = { type, PAD, PAD, status };
-        struct pnpipehdr *ph;
-        struct sk_buff *skb;
-        skb = alloc_skb(MAX_PNPIPE_HEADER + 4, priority);
+        return pep_indicate(sk, PNS_PEP_STATUS_IND, PN_PEP_TYPE_COMMON,
-        if (!skb)
+                                data, 4, priority);
-                return -ENOMEM;
-        skb_set_owner_w(skb, sk);
-        skb_reserve(skb, MAX_PNPIPE_HEADER + 4);
-        __skb_push(skb, sizeof(*ph) + 4);
-        skb_reset_transport_header(skb);
-        ph = pnp_hdr(skb);
-        ph->utid = 0;
-        ph->message_id = PNS_PEP_STATUS_IND;
-        ph->pipe_handle = pn->pipe_handle;
-        ph->pep_type = PN_PEP_TYPE_COMMON;
-        ph->data[1] = type;
-        ph->data[2] = PAD;
-        ph->data[3] = PAD;
-        ph->data[4] = status;
-#ifdef CONFIG_PHONET_PIPECTRLR
-        return pn_skb_send(sk, skb, &pn->remote_pep);
-#else
-        return pn_skb_send(sk, skb, &pipe_srv);
-#endif
 }
 /* Send our RX flow control information to the sender.
 * Socket must be locked. */
-static void pipe_grant_credits(struct sock *sk)
+static void pipe_grant_credits(struct sock *sk, gfp_t priority)
 {
        struct pep_sock *pn = pep_sk(sk);
@@ -415,16 +245,16 @@ static void pipe_grant_credits(struct sock *sk)
        case PN_LEGACY_FLOW_CONTROL: /* TODO */
                break;
        case PN_ONE_CREDIT_FLOW_CONTROL:
-                pipe_snd_status(sk, PN_PEP_IND_FLOW_CONTROL,
+                if (pipe_snd_status(sk, PN_PEP_IND_FLOW_CONTROL,
-                                PEP_IND_READY, GFP_ATOMIC);
+                                        PEP_IND_READY, priority) == 0)
-                pn->rx_credits = 1;
+                        pn->rx_credits = 1;
                break;
        case PN_MULTI_CREDIT_FLOW_CONTROL:
                if ((pn->rx_credits + CREDITS_THR) > CREDITS_MAX)
                        break;
                if (pipe_snd_status(sk, PN_PEP_IND_ID_MCFC_GRANT_CREDITS,
                                        CREDITS_MAX - pn->rx_credits,
-                                        GFP_ATOMIC) == 0)
+                                        priority) == 0)
                        pn->rx_credits = CREDITS_MAX;
                break;
        }
@@ -522,7 +352,7 @@ static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb)
        switch (hdr->message_id) {
        case PNS_PEP_CONNECT_REQ:
-                pep_reject_conn(sk, skb, PN_PIPE_ERR_PEP_IN_USE);
+                pep_reject_conn(sk, skb, PN_PIPE_ERR_PEP_IN_USE, GFP_ATOMIC);
                break;
        case PNS_PEP_DISCONNECT_REQ:
@@ -532,35 +362,11 @@ static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb)
                        sk->sk_state_change(sk);
                break;
-#ifdef CONFIG_PHONET_PIPECTRLR
-        case PNS_PEP_DISCONNECT_RESP:
-                pn->pipe_state = PIPE_IDLE;
-                sk->sk_state = TCP_CLOSE;
-                break;
-#endif
        case PNS_PEP_ENABLE_REQ:
                /* Wait for PNS_PIPE_(ENABLED|REDIRECTED)_IND */
                pep_reply(sk, skb, PN_PIPE_NO_ERROR, NULL, 0, GFP_ATOMIC);
                break;
-#ifdef CONFIG_PHONET_PIPECTRLR
-        case PNS_PEP_ENABLE_RESP:
-                pn->pipe_state = PIPE_ENABLED;
-                pipe_handler_send_ind(sk, PNS_PIPE_ENABLED_IND_UTID,
-                                PNS_PIPE_ENABLED_IND);
-                if (!pn_flow_safe(pn->tx_fc)) {
-                        atomic_set(&pn->tx_credits, 1);
-                        sk->sk_write_space(sk);
-                }
-                if (sk->sk_state == TCP_ESTABLISHED)
-                        break; /* Nothing to do */
-                sk->sk_state = TCP_ESTABLISHED;
-                pipe_grant_credits(sk);
-                break;
-#endif
        case PNS_PEP_RESET_REQ:
                switch (hdr->state_after_reset) {
                case PN_PIPE_DISABLE:
@@ -579,17 +385,6 @@ static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb)
                pep_reply(sk, skb, PN_PIPE_NO_ERROR, NULL, 0, GFP_ATOMIC);
                break;
-#ifdef CONFIG_PHONET_PIPECTRLR
-        case PNS_PEP_DISABLE_RESP:
-                pn->pipe_state = PIPE_DISABLED;
-                atomic_set(&pn->tx_credits, 0);
-                pipe_handler_send_ind(sk, PNS_PIPE_DISABLED_IND_UTID,
-                                PNS_PIPE_DISABLED_IND);
-                sk->sk_state = TCP_SYN_RECV;
-                pn->rx_credits = 0;
-                break;
-#endif
        case PNS_PEP_CTRL_REQ:
                if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
                        atomic_inc(&sk->sk_drops);
@@ -607,7 +402,8 @@ static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb)
                if (!pn_flow_safe(pn->rx_fc)) {
                        err = sock_queue_rcv_skb(sk, skb);
                        if (!err)
-                                return 0;
+                                return NET_RX_SUCCESS;
+                        err = -ENOBUFS;
                        break;
                }
@@ -645,7 +441,7 @@ static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb)
                if (sk->sk_state == TCP_ESTABLISHED)
                        break; /* Nothing to do */
                sk->sk_state = TCP_ESTABLISHED;
-                pipe_grant_credits(sk);
+                pipe_grant_credits(sk, GFP_ATOMIC);
                break;
        case PNS_PIPE_DISABLED_IND:
@@ -660,7 +456,7 @@ static int pipe_do_rcv(struct sock *sk, struct sk_buff *skb)
        }
 out:
        kfree_skb(skb);
-        return err;
+        return (err == -ENOBUFS) ? NET_RX_DROP : NET_RX_SUCCESS;
 queue:
        skb->dev = NULL;
@@ -669,7 +465,7 @@ queue:
        skb_queue_tail(queue, skb);
        if (!sock_flag(sk, SOCK_DEAD))
                sk->sk_data_ready(sk, err);
-        return 0;
+        return NET_RX_SUCCESS;
 }
 /* Destroy connected sock. */
@@ -681,133 +477,126 @@ static void pipe_destruct(struct sock *sk)
        skb_queue_purge(&pn->ctrlreq_queue);
 }
-#ifdef CONFIG_PHONET_PIPECTRLR
+static u8 pipe_negotiate_fc(const u8 *fcs, unsigned n)
-static int pep_connresp_rcv(struct sock *sk, struct sk_buff *skb)
 {
-        struct pep_sock *pn = pep_sk(sk);
+        unsigned i;
-        u8 host_pref_rx_fc[3] = {3, 2, 1}, host_req_tx_fc[3] = {3, 2, 1};
+        u8 final_fc = PN_NO_FLOW_CONTROL;
-        u8 remote_pref_rx_fc[3], remote_req_tx_fc[3];
-        u8 negotiated_rx_fc, negotiated_tx_fc;
-        int ret;
-        pipe_get_flow_info(sk, skb, remote_pref_rx_fc,
-                        remote_req_tx_fc);
-        negotiated_tx_fc = pipe_negotiate_fc(remote_req_tx_fc,
-                        host_pref_rx_fc,
-                        sizeof(host_pref_rx_fc));
-        negotiated_rx_fc = pipe_negotiate_fc(host_req_tx_fc,
-                        remote_pref_rx_fc,
-                        sizeof(host_pref_rx_fc));
-        pn->pipe_state = PIPE_DISABLED;
-        sk->sk_state = TCP_SYN_RECV;
-        sk->sk_backlog_rcv = pipe_do_rcv;
-        sk->sk_destruct = pipe_destruct;
-        pn->rx_credits = 0;
-        pn->rx_fc = negotiated_rx_fc;
-        pn->tx_fc = negotiated_tx_fc;
-        sk->sk_state_change(sk);
-        ret = pipe_handler_send_created_ind(sk,
+        for (i = 0; i < n; i++) {
-                        PNS_PIPE_CREATED_IND_UTID,
+                u8 fc = fcs[i];
-                        PNS_PIPE_CREATED_IND
-                        );
-        return ret;
+                if (fc > final_fc && fc < PN_MAX_FLOW_CONTROL)
+                        final_fc = fc;
+        }
+        return final_fc;
 }
-#endif
-static int pep_connreq_rcv(struct sock *sk, struct sk_buff *skb)
+static int pep_connresp_rcv(struct sock *sk, struct sk_buff *skb)
 {
-        struct sock *newsk;
+        struct pep_sock *pn = pep_sk(sk);
-        struct pep_sock *newpn, *pn = pep_sk(sk);
        struct pnpipehdr *hdr;
-        struct sockaddr_pn dst;
+        u8 n_sb;
-        u16 peer_type;
-        u8 pipe_handle, enabled, n_sb;
-        u8 aligned = 0;
        if (!pskb_pull(skb, sizeof(*hdr) + 4))
                return -EINVAL;
        hdr = pnp_hdr(skb);
-        pipe_handle = hdr->pipe_handle;
+        if (hdr->error_code != PN_PIPE_NO_ERROR)
-        switch (hdr->state_after_connect) {
+                return -ECONNREFUSED;
-        case PN_PIPE_DISABLE:
-                enabled = 0;
-                break;
-        case PN_PIPE_ENABLE:
-                enabled = 1;
-                break;
-        default:
-                pep_reject_conn(sk, skb, PN_PIPE_ERR_INVALID_PARAM);
-                return -EINVAL;
-        }
-        peer_type = hdr->other_pep_type << 8;
-        if (unlikely(sk->sk_state != TCP_LISTEN) || sk_acceptq_is_full(sk)) {
-                pep_reject_conn(sk, skb, PN_PIPE_ERR_PEP_IN_USE);
-                return -ENOBUFS;
-        }
-        /* Parse sub-blocks (options) */
+        /* Parse sub-blocks */
        n_sb = hdr->data[4];
        while (n_sb > 0) {
-                u8 type, buf[1], len = sizeof(buf);
+                u8 type, buf[6], len = sizeof(buf);
                const u8 *data = pep_get_sb(skb, &type, &len, buf);
                if (data == NULL)
                        return -EINVAL;
                switch (type) {
-                case PN_PIPE_SB_CONNECT_REQ_PEP_SUB_TYPE:
+                case PN_PIPE_SB_REQUIRED_FC_TX:
-                        if (len < 1)
+                        if (len < 2 || len < data[0])
-                                return -EINVAL;
+                                break;
-                        peer_type = (peer_type & 0xff00) | data[0];
+                        pn->tx_fc = pipe_negotiate_fc(data + 2, len - 2);
                        break;
-                case PN_PIPE_SB_ALIGNED_DATA:
-                        aligned = data[0] != 0;
+                case PN_PIPE_SB_PREFERRED_FC_RX:
+                        if (len < 2 || len < data[0])
+                                break;
+                        pn->rx_fc = pipe_negotiate_fc(data + 2, len - 2);
                        break;
                }
                n_sb--;
        }
-        skb = skb_clone(skb, GFP_ATOMIC);
+        return pipe_handler_send_created_ind(sk);
-        if (!skb)
+}
-                return -ENOMEM;
-        /* Create a new to-be-accepted sock */
+/* Queue an skb to an actively connected sock.
-        newsk = sk_alloc(sock_net(sk), PF_PHONET, GFP_ATOMIC, sk->sk_prot);
+ * Socket lock must be held. */
-        if (!newsk) {
+static int pipe_handler_do_rcv(struct sock *sk, struct sk_buff *skb)
-                kfree_skb(skb);
+{
-                return -ENOMEM;
+        struct pep_sock *pn = pep_sk(sk);
-        }
+        struct pnpipehdr *hdr = pnp_hdr(skb);
-        sock_init_data(NULL, newsk);
+        int err = NET_RX_SUCCESS;
-        newsk->sk_state = TCP_SYN_RECV;
-        newsk->sk_backlog_rcv = pipe_do_rcv;
-        newsk->sk_protocol = sk->sk_protocol;
-        newsk->sk_destruct = pipe_destruct;
-        newpn = pep_sk(newsk);
+        switch (hdr->message_id) {
-        pn_skb_get_dst_sockaddr(skb, &dst);
+        case PNS_PIPE_ALIGNED_DATA:
-        newpn->pn_sk.sobject = pn_sockaddr_get_object(&dst);
+                __skb_pull(skb, 1);
-        newpn->pn_sk.resource = pn->pn_sk.resource;
+                /* fall through */
-        skb_queue_head_init(&newpn->ctrlreq_queue);
+        case PNS_PIPE_DATA:
-        newpn->pipe_handle = pipe_handle;
+                __skb_pull(skb, 3); /* Pipe data header */
-        atomic_set(&newpn->tx_credits, 0);
+                if (!pn_flow_safe(pn->rx_fc)) {
-        newpn->peer_type = peer_type;
+                        err = sock_queue_rcv_skb(sk, skb);
-        newpn->rx_credits = 0;
+                        if (!err)
-        newpn->rx_fc = newpn->tx_fc = PN_LEGACY_FLOW_CONTROL;
+                                return NET_RX_SUCCESS;
-        newpn->init_enable = enabled;
+                        err = NET_RX_DROP;
-        newpn->aligned = aligned;
+                        break;
+                }
-        BUG_ON(!skb_queue_empty(&newsk->sk_receive_queue));
+                if (pn->rx_credits == 0) {
-        skb_queue_head(&newsk->sk_receive_queue, skb);
+                        atomic_inc(&sk->sk_drops);
-        if (!sock_flag(sk, SOCK_DEAD))
+                        err = NET_RX_DROP;
-                sk->sk_data_ready(sk, 0);
+                        break;
+                }
+                pn->rx_credits--;
+                skb->dev = NULL;
+                skb_set_owner_r(skb, sk);
+                err = skb->len;
+                skb_queue_tail(&sk->sk_receive_queue, skb);
+                if (!sock_flag(sk, SOCK_DEAD))
+                        sk->sk_data_ready(sk, err);
+                return NET_RX_SUCCESS;
-        sk_acceptq_added(sk);
+        case PNS_PEP_CONNECT_RESP:
-        sk_add_node(newsk, &pn->ackq);
+                if (sk->sk_state != TCP_SYN_SENT)
-        return 0;
+                        break;
+                if (!sock_flag(sk, SOCK_DEAD))
+                        sk->sk_state_change(sk);
+                if (pep_connresp_rcv(sk, skb)) {
+                        sk->sk_state = TCP_CLOSE_WAIT;
+                        break;
+                }
+                sk->sk_state = TCP_ESTABLISHED;
+                if (!pn_flow_safe(pn->tx_fc)) {
+                        atomic_set(&pn->tx_credits, 1);
+                        sk->sk_write_space(sk);
+                }
+                pipe_grant_credits(sk, GFP_ATOMIC);
+                break;
+        case PNS_PEP_DISCONNECT_RESP:
+                /* sock should already be dead, nothing to do */
+                break;
+        case PNS_PEP_STATUS_IND:
+                pipe_rcv_status(sk, skb);
+                break;
+        }
+        kfree_skb(skb);
+        return err;
 }
 /* Listening sock must be locked */
@@ -847,7 +636,6 @@ static int pep_do_rcv(struct sock *sk, struct sk_buff *skb)
        struct sock *sknode;
        struct pnpipehdr *hdr;
        struct sockaddr_pn dst;
-        int err = NET_RX_SUCCESS;
        u8 pipe_handle;
        if (!pskb_may_pull(skb, sizeof(*hdr)))
@@ -865,26 +653,18 @@ static int pep_do_rcv(struct sock *sk, struct sk_buff *skb)
        if (sknode)
                return sk_receive_skb(sknode, skb, 1);
-        /* Look for a pipe handle pending accept */
-        sknode = pep_find_pipe(&pn->ackq, &dst, pipe_handle);
-        if (sknode) {
-                sock_put(sknode);
-                if (net_ratelimit())
-                        printk(KERN_WARNING"Phonet unconnected PEP ignored");
-                err = NET_RX_DROP;
-                goto drop;
-        }
        switch (hdr->message_id) {
        case PNS_PEP_CONNECT_REQ:
-                err = pep_connreq_rcv(sk, skb);
+                if (sk->sk_state != TCP_LISTEN || sk_acceptq_is_full(sk)) {
-                break;
+                        pep_reject_conn(sk, skb, PN_PIPE_ERR_PEP_IN_USE,
+                                        GFP_ATOMIC);
-#ifdef CONFIG_PHONET_PIPECTRLR
+                        break;
-        case PNS_PEP_CONNECT_RESP:
+                }
-                err = pep_connresp_rcv(sk, skb);
+                skb_queue_head(&sk->sk_receive_queue, skb);
-                break;
+                sk_acceptq_added(sk);
-#endif
+                if (!sock_flag(sk, SOCK_DEAD))
+                        sk->sk_data_ready(sk, 0);
+                return NET_RX_SUCCESS;
        case PNS_PEP_DISCONNECT_REQ:
                pep_reply(sk, skb, PN_PIPE_NO_ERROR, NULL, 0, GFP_ATOMIC);
@@ -898,12 +678,17 @@ static int pep_do_rcv(struct sock *sk, struct sk_buff *skb)
        case PNS_PEP_ENABLE_REQ:
        case PNS_PEP_DISABLE_REQ:
                /* invalid handle is not even allowed here! */
+                break;
        default:
-                err = NET_RX_DROP;
+                if ((1 << sk->sk_state)
+                                & ~(TCPF_CLOSE|TCPF_LISTEN|TCPF_CLOSE_WAIT))
+                        /* actively connected socket */
+                        return pipe_handler_do_rcv(sk, skb);
        }
 drop:
        kfree_skb(skb);
-        return err;
+        return NET_RX_SUCCESS;
 }
 static int pipe_do_remove(struct sock *sk)
@@ -912,20 +697,16 @@ static int pipe_do_remove(struct sock *sk)
        struct pnpipehdr *ph;
        struct sk_buff *skb;
-        skb = alloc_skb(MAX_PNPIPE_HEADER, GFP_KERNEL);
+        skb = pep_alloc_skb(sk, NULL, 0, GFP_KERNEL);
        if (!skb)
                return -ENOMEM;
-        skb_reserve(skb, MAX_PNPIPE_HEADER);
-        __skb_push(skb, sizeof(*ph));
-        skb_reset_transport_header(skb);
        ph = pnp_hdr(skb);
        ph->utid = 0;
        ph->message_id = PNS_PIPE_REMOVE_REQ;
        ph->pipe_handle = pn->pipe_handle;
        ph->data[0] = PAD;
+        return pn_skb_send(sk, skb, NULL);
-        return pn_skb_send(sk, skb, &pipe_srv);
 }
 /* associated socket ceases to exist */
@@ -938,29 +719,15 @@ static void pep_sock_close(struct sock *sk, long timeout)
        sk_common_release(sk);
        lock_sock(sk);
-        if (sk->sk_state == TCP_LISTEN) {
+        if ((1 << sk->sk_state) & (TCPF_SYN_RECV|TCPF_ESTABLISHED)) {
-                /* Destroy the listen queue */
+                if (sk->sk_backlog_rcv == pipe_do_rcv)
-                struct sock *sknode;
+                        /* Forcefully remove dangling Phonet pipe */
-                struct hlist_node *p, *n;
+                        pipe_do_remove(sk);
+                else
-                sk_for_each_safe(sknode, p, n, &pn->ackq)
+                        pipe_handler_request(sk, PNS_PEP_DISCONNECT_REQ, PAD,
-                        sk_del_node_init(sknode);
+                                                NULL, 0);
-                sk->sk_state = TCP_CLOSE;
-        } else if ((1 << sk->sk_state) & (TCPF_SYN_RECV|TCPF_ESTABLISHED))
-                /* Forcefully remove dangling Phonet pipe */
-                pipe_do_remove(sk);
-#ifdef CONFIG_PHONET_PIPECTRLR
-        if (pn->pipe_state != PIPE_IDLE) {
-                /* send pep disconnect request */
-                pipe_handler_send_req(sk,
-                                PNS_PEP_DISCONNECT_UTID, PNS_PEP_DISCONNECT_REQ,
-                                GFP_KERNEL);
-                pn->pipe_state = PIPE_IDLE;
-                sk->sk_state = TCP_CLOSE;
        }
-#endif
+        sk->sk_state = TCP_CLOSE;
        ifindex = pn->ifindex;
        pn->ifindex = 0;
@@ -971,86 +738,141 @@ static void pep_sock_close(struct sock *sk, long timeout)
        sock_put(sk);
 }
-static int pep_wait_connreq(struct sock *sk, int noblock)
+static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp)
 {
-        struct task_struct *tsk = current;
+        struct pep_sock *pn = pep_sk(sk), *newpn;
-        struct pep_sock *pn = pep_sk(sk);
+        struct sock *newsk = NULL;
-        long timeo = sock_rcvtimeo(sk, noblock);
+        struct sk_buff *skb;
+        struct pnpipehdr *hdr;
-        for (;;) {
+        struct sockaddr_pn dst, src;
-                DEFINE_WAIT(wait);
+        int err;
+        u16 peer_type;
+        u8 pipe_handle, enabled, n_sb;
+        u8 aligned = 0;
-                if (sk->sk_state != TCP_LISTEN)
+        skb = skb_recv_datagram(sk, 0, flags & O_NONBLOCK, errp);
-                        return -EINVAL;
+        if (!skb)
-                if (!hlist_empty(&pn->ackq))
+                return NULL;
-                        break;
-                if (!timeo)
-                        return -EWOULDBLOCK;
-                if (signal_pending(tsk))
-                        return sock_intr_errno(timeo);
-                prepare_to_wait_exclusive(sk_sleep(sk), &wait,
+        lock_sock(sk);
-                                                TASK_INTERRUPTIBLE);
+        if (sk->sk_state != TCP_LISTEN) {
-                release_sock(sk);
+                err = -EINVAL;
-                timeo = schedule_timeout(timeo);
+                goto drop;
-                lock_sock(sk);
-                finish_wait(sk_sleep(sk), &wait);
        }
+        sk_acceptq_removed(sk);
-        return 0;
+        err = -EPROTO;
-}
+        if (!pskb_may_pull(skb, sizeof(*hdr) + 4))
+                goto drop;
-static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp)
+        hdr = pnp_hdr(skb);
-{
+        pipe_handle = hdr->pipe_handle;
-        struct pep_sock *pn = pep_sk(sk);
+        switch (hdr->state_after_connect) {
-        struct sock *newsk = NULL;
+        case PN_PIPE_DISABLE:
-        struct sk_buff *oskb;
+                enabled = 0;
-        int err;
+                break;
+        case PN_PIPE_ENABLE:
+                enabled = 1;
+                break;
+        default:
+                pep_reject_conn(sk, skb, PN_PIPE_ERR_INVALID_PARAM,
+                                GFP_KERNEL);
+                goto drop;
+        }
+        peer_type = hdr->other_pep_type << 8;
-        lock_sock(sk);
+        /* Parse sub-blocks (options) */
-        err = pep_wait_connreq(sk, flags & O_NONBLOCK);
+        n_sb = hdr->data[4];
-        if (err)
+        while (n_sb > 0) {
-                goto out;
+                u8 type, buf[1], len = sizeof(buf);
+                const u8 *data = pep_get_sb(skb, &type, &len, buf);
-        newsk = __sk_head(&pn->ackq);
+                if (data == NULL)
+                        goto drop;
+                switch (type) {
+                case PN_PIPE_SB_CONNECT_REQ_PEP_SUB_TYPE:
+                        if (len < 1)
+                                goto drop;
+                        peer_type = (peer_type & 0xff00) | data[0];
+                        break;
+                case PN_PIPE_SB_ALIGNED_DATA:
+                        aligned = data[0] != 0;
+                        break;
+                }
+                n_sb--;
+        }
-        oskb = skb_dequeue(&newsk->sk_receive_queue);
+        /* Check for duplicate pipe handle */
-        err = pep_accept_conn(newsk, oskb);
+        newsk = pep_find_pipe(&pn->hlist, &dst, pipe_handle);
-        if (err) {
+        if (unlikely(newsk)) {
-                skb_queue_head(&newsk->sk_receive_queue, oskb);
+                __sock_put(newsk);
                newsk = NULL;
-                goto out;
+                pep_reject_conn(sk, skb, PN_PIPE_ERR_PEP_IN_USE, GFP_KERNEL);
+                goto drop;
+        }
+        /* Create a new to-be-accepted sock */
+        newsk = sk_alloc(sock_net(sk), PF_PHONET, GFP_KERNEL, sk->sk_prot);
+        if (!newsk) {
+                pep_reject_conn(sk, skb, PN_PIPE_ERR_OVERLOAD, GFP_KERNEL);
+                err = -ENOBUFS;
+                goto drop;
        }
-        kfree_skb(oskb);
+        sock_init_data(NULL, newsk);
+        newsk->sk_state = TCP_SYN_RECV;
+        newsk->sk_backlog_rcv = pipe_do_rcv;
+        newsk->sk_protocol = sk->sk_protocol;
+        newsk->sk_destruct = pipe_destruct;
+        newpn = pep_sk(newsk);
+        pn_skb_get_dst_sockaddr(skb, &dst);
+        pn_skb_get_src_sockaddr(skb, &src);
+        newpn->pn_sk.sobject = pn_sockaddr_get_object(&dst);
+        newpn->pn_sk.dobject = pn_sockaddr_get_object(&src);
+        newpn->pn_sk.resource = pn_sockaddr_get_resource(&dst);
        sock_hold(sk);
-        pep_sk(newsk)->listener = sk;
+        newpn->listener = sk;
+        skb_queue_head_init(&newpn->ctrlreq_queue);
+        newpn->pipe_handle = pipe_handle;
+        atomic_set(&newpn->tx_credits, 0);
+        newpn->ifindex = 0;
+        newpn->peer_type = peer_type;
+        newpn->rx_credits = 0;
+        newpn->rx_fc = newpn->tx_fc = PN_LEGACY_FLOW_CONTROL;
+        newpn->init_enable = enabled;
+        newpn->aligned = aligned;
-        sock_hold(newsk);
+        err = pep_accept_conn(newsk, skb);
-        sk_del_node_init(newsk);
+        if (err) {
-        sk_acceptq_removed(sk);
+                sock_put(newsk);
+                newsk = NULL;
+                goto drop;
+        }
        sk_add_node(newsk, &pn->hlist);
-        __sock_put(newsk);
+drop:
-out:
        release_sock(sk);
+        kfree_skb(skb);
        *errp = err;
        return newsk;
 }
-#ifdef CONFIG_PHONET_PIPECTRLR
 static int pep_sock_connect(struct sock *sk, struct sockaddr *addr, int len)
 {
        struct pep_sock *pn = pep_sk(sk);
-        struct sockaddr_pn *spn =  (struct sockaddr_pn *)addr;
+        int err;
+        u8 data[4] = { 0 /* sub-blocks */, PAD, PAD, PAD };
-        memcpy(&pn->remote_pep, spn, sizeof(struct sockaddr_pn));
-        return pipe_handler_send_req(sk,
+        pn->pipe_handle = 1; /* anything but INVALID_HANDLE */
-                        PNS_PEP_CONNECT_UTID, PNS_PEP_CONNECT_REQ,
+        err = pipe_handler_request(sk, PNS_PEP_CONNECT_REQ,
-                        GFP_ATOMIC);
+                                        PN_PIPE_ENABLE, data, 4);
+        if (err) {
+                pn->pipe_handle = PN_PIPE_INVALID_HANDLE;
+                return err;
+        }
+        sk->sk_state = TCP_SYN_SENT;
+        return 0;
 }
-#endif
 static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg)
 {
@@ -1081,10 +903,18 @@ static int pep_init(struct sock *sk)
 {
        struct pep_sock *pn = pep_sk(sk);
-        INIT_HLIST_HEAD(&pn->ackq);
+        sk->sk_destruct = pipe_destruct;
        INIT_HLIST_HEAD(&pn->hlist);
+        pn->listener = NULL;
        skb_queue_head_init(&pn->ctrlreq_queue);
+        atomic_set(&pn->tx_credits, 0);
+        pn->ifindex = 0;
+        pn->peer_type = 0;
        pn->pipe_handle = PN_PIPE_INVALID_HANDLE;
+        pn->rx_credits = 0;
+        pn->rx_fc = pn->tx_fc = PN_LEGACY_FLOW_CONTROL;
+        pn->init_enable = 1;
+        pn->aligned = 0;
        return 0;
 }
@@ -1103,18 +933,6 @@ static int pep_setsockopt(struct sock *sk, int level, int optname,
        lock_sock(sk);
        switch (optname) {
-#ifdef CONFIG_PHONET_PIPECTRLR
-        case PNPIPE_PIPE_HANDLE:
-                if (val) {
-                        if (pn->pipe_state > PIPE_IDLE) {
-                                err = -EFAULT;
-                                break;
-                        }
-                        pn->pipe_handle = val;
-                        break;
-                }
-#endif
        case PNPIPE_ENCAP:
                if (val && val != PNPIPE_ENCAP_IP) {
                        err = -EINVAL;
@@ -1141,16 +959,6 @@ static int pep_setsockopt(struct sock *sk, int level, int optname,
                }
                goto out_norel;
-#ifdef CONFIG_PHONET_PIPECTRLR
-        case PNPIPE_ENABLE:
-                if (pn->pipe_state <= PIPE_IDLE) {
-                        err = -ENOTCONN;
-                        break;
-                }
-                err = pipe_handler_enable_pipe(sk, val);
-                break;
-#endif
        default:
                err = -ENOPROTOOPT;
        }
@@ -1180,13 +988,11 @@ static int pep_getsockopt(struct sock *sk, int level, int optname,
                val = pn->ifindex;
                break;
-#ifdef CONFIG_PHONET_PIPECTRLR
+        case PNPIPE_HANDLE:
-        case PNPIPE_ENABLE:
+                val = pn->pipe_handle;
-                if (pn->pipe_state <= PIPE_IDLE)
+                if (val == PN_PIPE_INVALID_HANDLE)
-                        return -ENOTCONN;
+                        return -EINVAL;
-                val = pn->pipe_state != PIPE_DISABLED;
                break;
-#endif
        default:
                return -ENOPROTOOPT;
@@ -1222,11 +1028,7 @@ static int pipe_skb_send(struct sock *sk, struct sk_buff *skb)
        } else
                ph->message_id = PNS_PIPE_DATA;
        ph->pipe_handle = pn->pipe_handle;
-#ifdef CONFIG_PHONET_PIPECTRLR
+        err = pn_skb_send(sk, skb, NULL);
-        err = pn_skb_send(sk, skb, &pn->remote_pep);
-#else
-        err = pn_skb_send(sk, skb, &pipe_srv);
-#endif
        if (err && pn_flow_safe(pn->tx_fc))
                atomic_inc(&pn->tx_credits);
@@ -1253,7 +1055,7 @@ static int pep_sendmsg(struct kiocb *iocb, struct sock *sk,
        if (!skb)
                return err;
-        skb_reserve(skb, MAX_PHONET_HEADER + 3);
+        skb_reserve(skb, MAX_PHONET_HEADER + 3 + pn->aligned);
        err = memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len);
        if (err < 0)
                goto outfree;
@@ -1355,7 +1157,7 @@ struct sk_buff *pep_read(struct sock *sk)
        struct sk_buff *skb = skb_dequeue(&sk->sk_receive_queue);
        if (sk->sk_state == TCP_ESTABLISHED)
-                pipe_grant_credits(sk);
+                pipe_grant_credits(sk, GFP_ATOMIC);
        return skb;
 }
@@ -1400,7 +1202,7 @@ static int pep_recvmsg(struct kiocb *iocb, struct sock *sk,
        }
        if (sk->sk_state == TCP_ESTABLISHED)
-                pipe_grant_credits(sk);
+                pipe_grant_credits(sk, GFP_KERNEL);
        release_sock(sk);
 copy:
        msg->msg_flags |= MSG_EOR;
@@ -1424,9 +1226,9 @@ static void pep_sock_unhash(struct sock *sk)
        lock_sock(sk);
-#ifndef CONFIG_PHONET_PIPECTRLR
+        if (pn->listener != NULL) {
-        if ((1 << sk->sk_state) & ~(TCPF_CLOSE|TCPF_LISTEN)) {
                skparent = pn->listener;
+                pn->listener = NULL;
                release_sock(sk);
                pn = pep_sk(skparent);
@@ -1434,7 +1236,7 @@ static void pep_sock_unhash(struct sock *sk)
                sk_del_node_init(sk);
                sk = skparent;
        }
-#endif
        /* Unhash a listening sock only when it is closed
         * and all of its active connected pipes are closed. */
        if (hlist_empty(&pn->hlist))
@@ -1448,9 +1250,7 @@ static void pep_sock_unhash(struct sock *sk)
 static struct proto pep_proto = {
        .close          = pep_sock_close,
        .accept         = pep_sock_accept,
-#ifdef CONFIG_PHONET_PIPECTRLR
        .connect        = pep_sock_connect,
-#endif
        .ioctl          = pep_ioctl,
        .init           = pep_init,
        .setsockopt     = pep_setsockopt,
diff --git a/net/phonet/pn_dev.c b/net/phonet/pn_dev.c
index 947038ddd04c..d2df8f33160b 100644
--- a/net/phonet/pn_dev.c
+++ b/net/phonet/pn_dev.c
@@ -162,14 +162,6 @@ int phonet_address_add(struct net_device *dev, u8 addr)
        return err;
 }
-static void phonet_device_rcu_free(struct rcu_head *head)
-{
-        struct phonet_device *pnd;
-        pnd = container_of(head, struct phonet_device, rcu);
-        kfree(pnd);
-}
 int phonet_address_del(struct net_device *dev, u8 addr)
 {
        struct phonet_device_list *pndevs = phonet_device_list(dev_net(dev));
@@ -188,7 +180,7 @@ int phonet_address_del(struct net_device *dev, u8 addr)
        mutex_unlock(&pndevs->lock);
        if (pnd)
-                call_rcu(&pnd->rcu, phonet_device_rcu_free);
+                kfree_rcu(pnd, rcu);
        return err;
 }
@@ -426,18 +418,14 @@ int phonet_route_del(struct net_device *dev, u8 daddr)
        return 0;
 }
-struct net_device *phonet_route_get(struct net *net, u8 daddr)
+struct net_device *phonet_route_get_rcu(struct net *net, u8 daddr)
 {
        struct phonet_net *pnn = phonet_pernet(net);
        struct phonet_routes *routes = &pnn->routes;
        struct net_device *dev;
-        ASSERT_RTNL(); /* no need to hold the device */
        daddr >>= 2;
-        rcu_read_lock();
        dev = rcu_dereference(routes->table[daddr]);
-        rcu_read_unlock();
        return dev;
 }
diff --git a/net/phonet/pn_netlink.c b/net/phonet/pn_netlink.c
index 58b3b1f991ed..438accb7a5a8 100644
--- a/net/phonet/pn_netlink.c
+++ b/net/phonet/pn_netlink.c
@@ -264,10 +264,11 @@ static int route_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
        struct net *net = sock_net(skb->sk);
        u8 addr, addr_idx = 0, addr_start_idx = cb->args[0];
+        rcu_read_lock();
        for (addr = 0; addr < 64; addr++) {
                struct net_device *dev;
-                dev = phonet_route_get(net, addr << 2);
+                dev = phonet_route_get_rcu(net, addr << 2);
                if (!dev)
                        continue;
@@ -279,6 +280,7 @@ static int route_dumpit(struct sk_buff *skb, struct netlink_callback *cb)
        }
 out:
+        rcu_read_unlock();
        cb->args[0] = addr_idx;
        cb->args[1] = 0;
diff --git a/net/phonet/socket.c b/net/phonet/socket.c
index 25f746d20c1f..8c5bfcef92cb 100644
--- a/net/phonet/socket.c
+++ b/net/phonet/socket.c
@@ -52,7 +52,7 @@ static int pn_socket_release(struct socket *sock)
 static struct  {
        struct hlist_head hlist[PN_HASHSIZE];
-        spinlock_t lock;
+        struct mutex lock;
 } pnsocks;
 void __init pn_sock_init(void)
@@ -61,7 +61,7 @@ void __init pn_sock_init(void)
        for (i = 0; i < PN_HASHSIZE; i++)
                INIT_HLIST_HEAD(pnsocks.hlist + i);
-        spin_lock_init(&pnsocks.lock);
+        mutex_init(&pnsocks.lock);
 }
 static struct hlist_head *pn_hash_list(u16 obj)
@@ -82,9 +82,8 @@ struct sock *pn_find_sock_by_sa(struct net *net, const struct sockaddr_pn *spn)
        u8 res = spn->spn_resource;
        struct hlist_head *hlist = pn_hash_list(obj);
-        spin_lock_bh(&pnsocks.lock);
+        rcu_read_lock();
+        sk_for_each_rcu(sknode, node, hlist) {
-        sk_for_each(sknode, node, hlist) {
                struct pn_sock *pn = pn_sk(sknode);
                BUG_ON(!pn->sobject); /* unbound socket */
@@ -107,8 +106,7 @@ struct sock *pn_find_sock_by_sa(struct net *net, const struct sockaddr_pn *spn)
                sock_hold(sknode);
                break;
        }
+        rcu_read_unlock();
-        spin_unlock_bh(&pnsocks.lock);
        return rval;
 }
@@ -119,7 +117,7 @@ void pn_deliver_sock_broadcast(struct net *net, struct sk_buff *skb)
        struct hlist_head *hlist = pnsocks.hlist;
        unsigned h;
-        spin_lock(&pnsocks.lock);
+        rcu_read_lock();
        for (h = 0; h < PN_HASHSIZE; h++) {
                struct hlist_node *node;
                struct sock *sknode;
@@ -140,25 +138,26 @@ void pn_deliver_sock_broadcast(struct net *net, struct sk_buff *skb)
                }
                hlist++;
        }
-        spin_unlock(&pnsocks.lock);
+        rcu_read_unlock();
 }
 void pn_sock_hash(struct sock *sk)
 {
        struct hlist_head *hlist = pn_hash_list(pn_sk(sk)->sobject);
-        spin_lock_bh(&pnsocks.lock);
+        mutex_lock(&pnsocks.lock);
-        sk_add_node(sk, hlist);
+        sk_add_node_rcu(sk, hlist);
-        spin_unlock_bh(&pnsocks.lock);
+        mutex_unlock(&pnsocks.lock);
 }
 EXPORT_SYMBOL(pn_sock_hash);
 void pn_sock_unhash(struct sock *sk)
 {
-        spin_lock_bh(&pnsocks.lock);
+        mutex_lock(&pnsocks.lock);
-        sk_del_node_init(sk);
+        sk_del_node_init_rcu(sk);
-        spin_unlock_bh(&pnsocks.lock);
+        mutex_unlock(&pnsocks.lock);
        pn_sock_unbind_all_res(sk);
+        synchronize_rcu();
 }
 EXPORT_SYMBOL(pn_sock_unhash);
@@ -225,15 +224,18 @@ static int pn_socket_autobind(struct socket *sock)
        return 0; /* socket was already bound */
 }
-#ifdef CONFIG_PHONET_PIPECTRLR
 static int pn_socket_connect(struct socket *sock, struct sockaddr *addr,
                int len, int flags)
 {
        struct sock *sk = sock->sk;
+        struct pn_sock *pn = pn_sk(sk);
        struct sockaddr_pn *spn = (struct sockaddr_pn *)addr;
-        long timeo;
+        struct task_struct *tsk = current;
+        long timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
        int err;
+        if (pn_socket_autobind(sock))
+                return -ENOBUFS;
        if (len < sizeof(struct sockaddr_pn))
                return -EINVAL;
        if (spn->spn_family != AF_PHONET)
@@ -243,82 +245,61 @@ static int pn_socket_connect(struct socket *sock, struct sockaddr *addr,
        switch (sock->state) {
        case SS_UNCONNECTED:
-                sk->sk_state = TCP_CLOSE;
+                if (sk->sk_state != TCP_CLOSE) {
-                break;
-        case SS_CONNECTING:
-                switch (sk->sk_state) {
-                case TCP_SYN_RECV:
-                        sock->state = SS_CONNECTED;
-                        err = -EISCONN;
-                        goto out;
-                case TCP_CLOSE:
-                        err = -EALREADY;
-                        if (flags & O_NONBLOCK)
-                                goto out;
-                        goto wait_connect;
-                }
-                break;
-        case SS_CONNECTED:
-                switch (sk->sk_state) {
-                case TCP_SYN_RECV:
                        err = -EISCONN;
                        goto out;
-                case TCP_CLOSE:
-                        sock->state = SS_UNCONNECTED;
-                        break;
                }
                break;
-        case SS_DISCONNECTING:
+        case SS_CONNECTING:
-        case SS_FREE:
+                err = -EALREADY;
-                break;
+                goto out;
+        default:
+                err = -EISCONN;
+                goto out;
        }
-        sk->sk_state = TCP_CLOSE;
-        sk_stream_kill_queues(sk);
+        pn->dobject = pn_sockaddr_get_object(spn);
+        pn->resource = pn_sockaddr_get_resource(spn);
        sock->state = SS_CONNECTING;
        err = sk->sk_prot->connect(sk, addr, len);
-        if (err < 0) {
+        if (err) {
                sock->state = SS_UNCONNECTED;
-                sk->sk_state = TCP_CLOSE;
+                pn->dobject = 0;
                goto out;
        }
-        err = -EINPROGRESS;
+        while (sk->sk_state == TCP_SYN_SENT) {
-wait_connect:
+                DEFINE_WAIT(wait);
-        if (sk->sk_state != TCP_SYN_RECV && (flags & O_NONBLOCK))
-                goto out;
-        timeo = sock_sndtimeo(sk, flags & O_NONBLOCK);
-        release_sock(sk);
-        err = -ERESTARTSYS;
-        timeo = wait_event_interruptible_timeout(*sk_sleep(sk),
-                        sk->sk_state != TCP_CLOSE,
-                        timeo);
-        lock_sock(sk);
+                if (!timeo) {
-        if (timeo < 0)
+                        err = -EINPROGRESS;
-                goto out; /* -ERESTARTSYS */
+                        goto out;
+                }
-        err = -ETIMEDOUT;
+                if (signal_pending(tsk)) {
-        if (timeo == 0 && sk->sk_state != TCP_SYN_RECV)
+                        err = sock_intr_errno(timeo);
-                goto out;
+                        goto out;
+                }
-        if (sk->sk_state != TCP_SYN_RECV) {
+                prepare_to_wait_exclusive(sk_sleep(sk), &wait,
-                sock->state = SS_UNCONNECTED;
+                                                TASK_INTERRUPTIBLE);
-                err = sock_error(sk);
+                release_sock(sk);
-                if (!err)
+                timeo = schedule_timeout(timeo);
-                        err = -ECONNREFUSED;
+                lock_sock(sk);
-                goto out;
+                finish_wait(sk_sleep(sk), &wait);
        }
-        sock->state = SS_CONNECTED;
-        err = 0;
+        if ((1 << sk->sk_state) & (TCPF_SYN_RECV|TCPF_ESTABLISHED))
+                err = 0;
+        else if (sk->sk_state == TCP_CLOSE_WAIT)
+                err = -ECONNRESET;
+        else
+                err = -ECONNREFUSED;
+        sock->state = err ? SS_UNCONNECTED : SS_CONNECTED;
 out:
        release_sock(sk);
        return err;
 }
-#endif
 static int pn_socket_accept(struct socket *sock, struct socket *newsock,
                                int flags)
@@ -327,6 +308,9 @@ static int pn_socket_accept(struct socket *sock, struct socket *newsock,
        struct sock *newsk;
        int err;
+        if (unlikely(sk->sk_state != TCP_LISTEN))
+                return -EINVAL;
        newsk = sk->sk_prot->accept(sk, flags, &err);
        if (!newsk)
                return err;
@@ -363,13 +347,8 @@ static unsigned int pn_socket_poll(struct file *file, struct socket *sock,
        poll_wait(file, sk_sleep(sk), wait);
-        switch (sk->sk_state) {
+        if (sk->sk_state == TCP_CLOSE)
-        case TCP_LISTEN:
-                return hlist_empty(&pn->ackq) ? 0 : POLLIN;
-        case TCP_CLOSE:
                return POLLERR;
-        }
        if (!skb_queue_empty(&sk->sk_receive_queue))
                mask |= POLLIN | POLLRDNORM;
        if (!skb_queue_empty(&pn->ctrlreq_queue))
@@ -428,19 +407,19 @@ static int pn_socket_listen(struct socket *sock, int backlog)
        struct sock *sk = sock->sk;
        int err = 0;
-        if (sock->state != SS_UNCONNECTED)
-                return -EINVAL;
        if (pn_socket_autobind(sock))
                return -ENOBUFS;
        lock_sock(sk);
-        if (sk->sk_state != TCP_CLOSE) {
+        if (sock->state != SS_UNCONNECTED) {
                err = -EINVAL;
                goto out;
        }
-        sk->sk_state = TCP_LISTEN;
+        if (sk->sk_state != TCP_LISTEN) {
-        sk->sk_ack_backlog = 0;
+                sk->sk_state = TCP_LISTEN;
+                sk->sk_ack_backlog = 0;
+        }
        sk->sk_max_ack_backlog = backlog;
 out:
        release_sock(sk);
@@ -488,11 +467,7 @@ const struct proto_ops phonet_stream_ops = {
        .owner          = THIS_MODULE,
        .release        = pn_socket_release,
        .bind           = pn_socket_bind,
-#ifdef CONFIG_PHONET_PIPECTRLR
        .connect        = pn_socket_connect,
-#else
-        .connect        = sock_no_connect,
-#endif
        .socketpair     = sock_no_socketpair,
        .accept         = pn_socket_accept,
        .getname        = pn_socket_getname,
@@ -572,7 +547,7 @@ static struct sock *pn_sock_get_idx(struct seq_file *seq, loff_t pos)
        unsigned h;
        for (h = 0; h < PN_HASHSIZE; h++) {
-                sk_for_each(sknode, node, hlist) {
+                sk_for_each_rcu(sknode, node, hlist) {
                        if (!net_eq(net, sock_net(sknode)))
                                continue;
                        if (!pos)
@@ -596,9 +571,9 @@ static struct sock *pn_sock_get_next(struct seq_file *seq, struct sock *sk)
 }
 static void *pn_sock_seq_start(struct seq_file *seq, loff_t *pos)
-        __acquires(pnsocks.lock)
+        __acquires(rcu)
 {
-        spin_lock_bh(&pnsocks.lock);
+        rcu_read_lock();
        return *pos ? pn_sock_get_idx(seq, *pos - 1) : SEQ_START_TOKEN;
 }
@@ -615,9 +590,9 @@ static void *pn_sock_seq_next(struct seq_file *seq, void *v, loff_t *pos)
 }
 static void pn_sock_seq_stop(struct seq_file *seq, void *v)
-        __releases(pnsocks.lock)
+        __releases(rcu)
 {
-        spin_unlock_bh(&pnsocks.lock);
+        rcu_read_unlock();
 }
 static int pn_sock_seq_show(struct seq_file *seq, void *v)
@@ -633,8 +608,8 @@ static int pn_sock_seq_show(struct seq_file *seq, void *v)
                seq_printf(seq, "%2d %04X:%04X:%02X %02X %08X:%08X %5d %lu "
                        "%d %p %d%n",
-                        sk->sk_protocol, pn->sobject, 0, pn->resource,
+                        sk->sk_protocol, pn->sobject, pn->dobject,
-                        sk->sk_state,
+                        pn->resource, sk->sk_state,
                        sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
                        sock_i_uid(sk), sock_i_ino(sk),
                        atomic_read(&sk->sk_refcnt), sk,
@@ -745,13 +720,11 @@ void pn_sock_unbind_all_res(struct sock *sk)
        }
        mutex_unlock(&resource_mutex);
-        if (match == 0)
-                return;
-        synchronize_rcu();
        while (match > 0) {
-                sock_put(sk);
+                __sock_put(sk);
                match--;
        }
+        /* Caller is responsible for RCU sync before final sock_put() */
 }
 #ifdef CONFIG_PROC_FS
diff --git a/net/rds/cong.c b/net/rds/cong.c
index 75ea686f27d5..6daaa49d133f 100644
--- a/net/rds/cong.c
+++ b/net/rds/cong.c
@@ -33,8 +33,7 @@
 #include <linux/slab.h>
 #include <linux/types.h>
 #include <linux/rbtree.h>
+#include <linux/bitops.h>
-#include <asm-generic/bitops/le.h>
 #include "rds.h"
@@ -285,7 +284,7 @@ void rds_cong_set_bit(struct rds_cong_map *map, __be16 port)
        i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS;
        off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS;
-        generic___set_le_bit(off, (void *)map->m_page_addrs[i]);
+        __set_bit_le(off, (void *)map->m_page_addrs[i]);
 }
 void rds_cong_clear_bit(struct rds_cong_map *map, __be16 port)
@@ -299,7 +298,7 @@ void rds_cong_clear_bit(struct rds_cong_map *map, __be16 port)
        i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS;
        off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS;
-        generic___clear_le_bit(off, (void *)map->m_page_addrs[i]);
+        __clear_bit_le(off, (void *)map->m_page_addrs[i]);
 }
 static int rds_cong_test_bit(struct rds_cong_map *map, __be16 port)
@@ -310,7 +309,7 @@ static int rds_cong_test_bit(struct rds_cong_map *map, __be16 port)
        i = be16_to_cpu(port) / RDS_CONG_MAP_PAGE_BITS;
        off = be16_to_cpu(port) % RDS_CONG_MAP_PAGE_BITS;
-        return generic_test_le_bit(off, (void *)map->m_page_addrs[i]);
+        return test_bit_le(off, (void *)map->m_page_addrs[i]);
 }
 void rds_cong_add_socket(struct rds_sock *rs)
diff --git a/net/rds/ib.c b/net/rds/ib.c
index 4123967d4d65..cce19f95c624 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -364,7 +364,6 @@ void rds_ib_exit(void)
        rds_ib_sysctl_exit();
        rds_ib_recv_exit();
        rds_trans_unregister(&rds_ib_transport);
-        rds_ib_fmr_exit();
 }
 struct rds_transport rds_ib_transport = {
@@ -400,13 +399,9 @@ int rds_ib_init(void)
        INIT_LIST_HEAD(&rds_ib_devices);
-        ret = rds_ib_fmr_init();
-        if (ret)
-                goto out;
        ret = ib_register_client(&rds_ib_client);
        if (ret)
-                goto out_fmr_exit;
+                goto out;
        ret = rds_ib_sysctl_init();
        if (ret)
@@ -430,8 +425,6 @@ out_sysctl:
        rds_ib_sysctl_exit();
 out_ibreg:
        rds_ib_unregister_client();
-out_fmr_exit:
-        rds_ib_fmr_exit();
 out:
        return ret;
 }
diff --git a/net/rds/ib.h b/net/rds/ib.h
index e34ad032b66d..4297d92788dc 100644
--- a/net/rds/ib.h
+++ b/net/rds/ib.h
@@ -307,8 +307,6 @@ void *rds_ib_get_mr(struct scatterlist *sg, unsigned long nents,
 void rds_ib_sync_mr(void *trans_private, int dir);
 void rds_ib_free_mr(void *trans_private, int invalidate);
 void rds_ib_flush_mrs(void);
-int rds_ib_fmr_init(void);
-void rds_ib_fmr_exit(void);
 /* ib_recv.c */
 int rds_ib_recv_init(void);
diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c
index 18a833c450c8..819c35a0d9cb 100644
--- a/net/rds/ib_rdma.c
+++ b/net/rds/ib_rdma.c
@@ -38,8 +38,6 @@
 #include "ib.h"
 #include "xlist.h"
-static struct workqueue_struct *rds_ib_fmr_wq;
 static DEFINE_PER_CPU(unsigned long, clean_list_grace);
 #define CLEAN_LIST_BUSY_BIT 0
@@ -307,7 +305,7 @@ static struct rds_ib_mr *rds_ib_alloc_fmr(struct rds_ib_device *rds_ibdev)
        int err = 0, iter = 0;
        if (atomic_read(&pool->dirty_count) >= pool->max_items / 10)
-                queue_delayed_work(rds_ib_fmr_wq, &pool->flush_worker, 10);
+                schedule_delayed_work(&pool->flush_worker, 10);
        while (1) {
                ibmr = rds_ib_reuse_fmr(pool);
@@ -696,24 +694,6 @@ out_nolock:
        return ret;
 }
-int rds_ib_fmr_init(void)
-{
-        rds_ib_fmr_wq = create_workqueue("rds_fmr_flushd");
-        if (!rds_ib_fmr_wq)
-                return -ENOMEM;
-        return 0;
-}
-/*
- * By the time this is called all the IB devices should have been torn down and
- * had their pools freed.  As each pool is freed its work struct is waited on,
- * so the pool flushing work queue should be idle by the time we get here.
- */
-void rds_ib_fmr_exit(void)
-{
-        destroy_workqueue(rds_ib_fmr_wq);
-}
 static void rds_ib_mr_pool_flush_worker(struct work_struct *work)
 {
        struct rds_ib_mr_pool *pool = container_of(work, struct rds_ib_mr_pool, flush_worker.work);
@@ -741,7 +721,7 @@ void rds_ib_free_mr(void *trans_private, int invalidate)
        /* If we've pinned too many pages, request a flush */
        if (atomic_read(&pool->free_pinned) >= pool->max_free_pinned ||
            atomic_read(&pool->dirty_count) >= pool->max_items / 10)
-                queue_delayed_work(rds_ib_fmr_wq, &pool->flush_worker, 10);
+                schedule_delayed_work(&pool->flush_worker, 10);
        if (invalidate) {
                if (likely(!in_interrupt())) {
@@ -749,8 +729,7 @@ void rds_ib_free_mr(void *trans_private, int invalidate)
                } else {
                        /* We get here if the user created a MR marked
                         * as use_once and invalidate at the same time. */
-                        queue_delayed_work(rds_ib_fmr_wq,
+                        schedule_delayed_work(&pool->flush_worker, 10);
-                                           &pool->flush_worker, 10);
                }
        }
diff --git a/net/rds/ib_send.c b/net/rds/ib_send.c
index 71f373c421bc..7c4dce8fa5e6 100644
--- a/net/rds/ib_send.c
+++ b/net/rds/ib_send.c
@@ -355,7 +355,7 @@ void rds_ib_send_cq_comp_handler(struct ib_cq *cq, void *context)
 *
 * Conceptually, we have two counters:
 *  -   send credits: this tells us how many WRs we're allowed
- *      to submit without overruning the reciever's queue. For
+ *      to submit without overruning the receiver's queue. For
 *      each SEND WR we post, we decrement this by one.
 *
 *  -   posted credits: this tells us how many WRs we recently
@@ -551,7 +551,10 @@ int rds_ib_xmit(struct rds_connection *conn, struct rds_message *rm,
        if (conn->c_loopback
            && rm->m_inc.i_hdr.h_flags & RDS_FLAG_CONG_BITMAP) {
                rds_cong_map_updated(conn->c_fcong, ~(u64) 0);
-                return sizeof(struct rds_header) + RDS_CONG_MAP_BYTES;
+                scat = &rm->data.op_sg[sg];
+                ret = sizeof(struct rds_header) + RDS_CONG_MAP_BYTES;
+                ret = min_t(int, ret, scat->length - conn->c_xmit_data_off);
+                return ret;
        }
        /* FIXME we may overallocate here */
diff --git a/net/rds/iw_cm.c b/net/rds/iw_cm.c
index 712cf2d1f28e..3a60a15d1b4a 100644
--- a/net/rds/iw_cm.c
+++ b/net/rds/iw_cm.c
@@ -181,7 +181,7 @@ static int rds_iw_init_qp_attrs(struct ib_qp_init_attr *attr,
        unsigned int send_size, recv_size;
        int ret;
-        /* The offset of 1 is to accomodate the additional ACK WR. */
+        /* The offset of 1 is to accommodate the additional ACK WR. */
        send_size = min_t(unsigned int, rds_iwdev->max_wrs, rds_iw_sysctl_max_send_wr + 1);
        recv_size = min_t(unsigned int, rds_iwdev->max_wrs, rds_iw_sysctl_max_recv_wr + 1);
        rds_iw_ring_resize(send_ring, send_size - 1);
diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c
index 59509e9a9e72..6deaa77495e3 100644
--- a/net/rds/iw_rdma.c
+++ b/net/rds/iw_rdma.c
@@ -122,7 +122,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd
 #else
                        /* FIXME - needs to compare the local and remote
                         * ipaddr/port tuple, but the ipaddr is the only
-                         * available infomation in the rds_sock (as the rest are
+                         * available information in the rds_sock (as the rest are
                         * zero'ed.  It doesn't appear to be properly populated
                         * during connection setup...
                         */
diff --git a/net/rds/iw_send.c b/net/rds/iw_send.c
index 6280ea020d4e..545d8ee3efb1 100644
--- a/net/rds/iw_send.c
+++ b/net/rds/iw_send.c
@@ -307,7 +307,7 @@ void rds_iw_send_cq_comp_handler(struct ib_cq *cq, void *context)
 *
 * Conceptually, we have two counters:
 *  -   send credits: this tells us how many WRs we're allowed
- *      to submit without overruning the reciever's queue. For
+ *      to submit without overruning the receiver's queue. For
 *      each SEND WR we post, we decrement this by one.
 *
 *  -   posted credits: this tells us how many WRs we recently
diff --git a/net/rds/loop.c b/net/rds/loop.c
index aeec1d483b17..bca6761a3ca2 100644
--- a/net/rds/loop.c
+++ b/net/rds/loop.c
@@ -61,10 +61,15 @@ static int rds_loop_xmit(struct rds_connection *conn, struct rds_message *rm,
                         unsigned int hdr_off, unsigned int sg,
                         unsigned int off)
 {
+        struct scatterlist *sgp = &rm->data.op_sg[sg];
+        int ret = sizeof(struct rds_header) +
+                        be32_to_cpu(rm->m_inc.i_hdr.h_len);
        /* Do not send cong updates to loopback */
        if (rm->m_inc.i_hdr.h_flags & RDS_FLAG_CONG_BITMAP) {
                rds_cong_map_updated(conn->c_fcong, ~(u64) 0);
-                return sizeof(struct rds_header) + RDS_CONG_MAP_BYTES;
+                ret = min_t(int, ret, sgp->length - conn->c_xmit_data_off);
+                goto out;
        }
        BUG_ON(hdr_off || sg || off);
@@ -80,8 +85,8 @@ static int rds_loop_xmit(struct rds_connection *conn, struct rds_message *rm,
                            NULL);
        rds_inc_put(&rm->m_inc);
+out:
-        return sizeof(struct rds_header) + be32_to_cpu(rm->m_inc.i_hdr.h_len);
+        return ret;
 }
 /*
diff --git a/net/rds/rds.h b/net/rds/rds.h
index 9542449c0720..da8adac2bf06 100644
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -50,7 +50,6 @@ rdsdebug(char *fmt, ...)
 #define RDS_FRAG_SIZE   ((unsigned int)(1 << RDS_FRAG_SHIFT))
 #define RDS_CONG_MAP_BYTES      (65536 / 8)
-#define RDS_CONG_MAP_LONGS      (RDS_CONG_MAP_BYTES / sizeof(unsigned long))
 #define RDS_CONG_MAP_PAGES      (PAGE_ALIGN(RDS_CONG_MAP_BYTES) / PAGE_SIZE)
 #define RDS_CONG_MAP_PAGE_BITS  (PAGE_SIZE * 8)
diff --git a/net/rds/send.c b/net/rds/send.c
index 35b9c2e9caf1..d58ae5f9339e 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -116,7 +116,7 @@ static void release_in_xmit(struct rds_connection *conn)
 }
 /*
- * We're making the concious trade-off here to only send one message
+ * We're making the conscious trade-off here to only send one message
 * down the connection at a time.
 *   Pro:
 *      - tx queueing is a simple fifo list
diff --git a/net/rfkill/Kconfig b/net/rfkill/Kconfig
index 7fce6dfd2180..48464ca13b24 100644
--- a/net/rfkill/Kconfig
+++ b/net/rfkill/Kconfig
@@ -22,3 +22,14 @@ config RFKILL_INPUT
        depends on RFKILL
        depends on INPUT = y || RFKILL = INPUT
        default y if !EXPERT
+config RFKILL_REGULATOR
+        tristate "Generic rfkill regulator driver"
+        depends on RFKILL || !RFKILL
+        depends on REGULATOR
+        help
+          This options enable controlling radio transmitters connected to
+          voltage regulator using the regulator framework.
+          To compile this driver as a module, choose M here: the module will
+          be called rfkill-regulator.
diff --git a/net/rfkill/Makefile b/net/rfkill/Makefile
index 662105352691..d9a5a58ffd8c 100644
--- a/net/rfkill/Makefile
+++ b/net/rfkill/Makefile
@@ -5,3 +5,4 @@
 rfkill-y                        += core.o
 rfkill-$(CONFIG_RFKILL_INPUT)   += input.o
 obj-$(CONFIG_RFKILL)            += rfkill.o
+obj-$(CONFIG_RFKILL_REGULATOR)  += rfkill-regulator.o
diff --git a/net/rfkill/core.c b/net/rfkill/core.c
index 0198191b756d..be90640a2774 100644
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -1024,7 +1024,6 @@ static int rfkill_fop_open(struct inode *inode, struct file *file)
         * start getting events from elsewhere but hold mtx to get
         * startup events added first
         */
-        list_add(&data->list, &rfkill_fds);
        list_for_each_entry(rfkill, &rfkill_list, node) {
                ev = kzalloc(sizeof(*ev), GFP_KERNEL);
@@ -1033,6 +1032,7 @@ static int rfkill_fop_open(struct inode *inode, struct file *file)
                rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD);
                list_add_tail(&ev->list, &data->events);
        }
+        list_add(&data->list, &rfkill_fds);
        mutex_unlock(&data->mtx);
        mutex_unlock(&rfkill_global_mutex);
diff --git a/net/rfkill/rfkill-regulator.c b/net/rfkill/rfkill-regulator.c
new file mode 100644
index 000000000000..18dc512a10f3
--- /dev/null
+++ b/net/rfkill/rfkill-regulator.c
@@ -0,0 +1,164 @@
+/*
+ * rfkill-regulator.c - Regulator consumer driver for rfkill
+ *
+ * Copyright (C) 2009  Guiming Zhuo <gmzhuo@gmail.com>
+ * Copyright (C) 2011  Antonio Ospite <ospite@studenti.unina.it>
+ *
+ * Implementation inspired by leds-regulator driver.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#include <linux/module.h>
+#include <linux/err.h>
+#include <linux/slab.h>
+#include <linux/platform_device.h>
+#include <linux/regulator/consumer.h>
+#include <linux/rfkill.h>
+#include <linux/rfkill-regulator.h>
+struct rfkill_regulator_data {
+        struct rfkill *rf_kill;
+        bool reg_enabled;
+        struct regulator *vcc;
+};
+static int rfkill_regulator_set_block(void *data, bool blocked)
+{
+        struct rfkill_regulator_data *rfkill_data = data;
+        pr_debug("%s: blocked: %d\n", __func__, blocked);
+        if (blocked) {
+                if (rfkill_data->reg_enabled) {
+                        regulator_disable(rfkill_data->vcc);
+                        rfkill_data->reg_enabled = 0;
+                }
+        } else {
+                if (!rfkill_data->reg_enabled) {
+                        regulator_enable(rfkill_data->vcc);
+                        rfkill_data->reg_enabled = 1;
+                }
+        }
+        pr_debug("%s: regulator_is_enabled after set_block: %d\n", __func__,
+                regulator_is_enabled(rfkill_data->vcc));
+        return 0;
+}
+struct rfkill_ops rfkill_regulator_ops = {
+        .set_block = rfkill_regulator_set_block,
+};
+static int __devinit rfkill_regulator_probe(struct platform_device *pdev)
+{
+        struct rfkill_regulator_platform_data *pdata = pdev->dev.platform_data;
+        struct rfkill_regulator_data *rfkill_data;
+        struct regulator *vcc;
+        struct rfkill *rf_kill;
+        int ret = 0;
+        if (pdata == NULL) {
+                dev_err(&pdev->dev, "no platform data\n");
+                return -ENODEV;
+        }
+        if (pdata->name == NULL || pdata->type == 0) {
+                dev_err(&pdev->dev, "invalid name or type in platform data\n");
+                return -EINVAL;
+        }
+        vcc = regulator_get_exclusive(&pdev->dev, "vrfkill");
+        if (IS_ERR(vcc)) {
+                dev_err(&pdev->dev, "Cannot get vcc for %s\n", pdata->name);
+                ret = PTR_ERR(vcc);
+                goto out;
+        }
+        rfkill_data = kzalloc(sizeof(*rfkill_data), GFP_KERNEL);
+        if (rfkill_data == NULL) {
+                ret = -ENOMEM;
+                goto err_data_alloc;
+        }
+        rf_kill = rfkill_alloc(pdata->name, &pdev->dev,
+                                pdata->type,
+                                &rfkill_regulator_ops, rfkill_data);
+        if (rf_kill == NULL) {
+                dev_err(&pdev->dev, "Cannot alloc rfkill device\n");
+                ret = -ENOMEM;
+                goto err_rfkill_alloc;
+        }
+        if (regulator_is_enabled(vcc)) {
+                dev_dbg(&pdev->dev, "Regulator already enabled\n");
+                rfkill_data->reg_enabled = 1;
+        }
+        rfkill_data->vcc = vcc;
+        rfkill_data->rf_kill = rf_kill;
+        ret = rfkill_register(rf_kill);
+        if (ret) {
+                dev_err(&pdev->dev, "Cannot register rfkill device\n");
+                goto err_rfkill_register;
+        }
+        platform_set_drvdata(pdev, rfkill_data);
+        dev_info(&pdev->dev, "%s initialized\n", pdata->name);
+        return 0;
+err_rfkill_register:
+        rfkill_destroy(rf_kill);
+err_rfkill_alloc:
+        kfree(rfkill_data);
+err_data_alloc:
+        regulator_put(vcc);
+out:
+        return ret;
+}
+static int __devexit rfkill_regulator_remove(struct platform_device *pdev)
+{
+        struct rfkill_regulator_data *rfkill_data = platform_get_drvdata(pdev);
+        struct rfkill *rf_kill = rfkill_data->rf_kill;
+        rfkill_unregister(rf_kill);
+        rfkill_destroy(rf_kill);
+        regulator_put(rfkill_data->vcc);
+        kfree(rfkill_data);
+        return 0;
+}
+static struct platform_driver rfkill_regulator_driver = {
+        .probe = rfkill_regulator_probe,
+        .remove = __devexit_p(rfkill_regulator_remove),
+        .driver = {
+                .name = "rfkill-regulator",
+                .owner = THIS_MODULE,
+        },
+};
+static int __init rfkill_regulator_init(void)
+{
+        return platform_driver_register(&rfkill_regulator_driver);
+}
+module_init(rfkill_regulator_init);
+static void __exit rfkill_regulator_exit(void)
+{
+        platform_driver_unregister(&rfkill_regulator_driver);
+}
+module_exit(rfkill_regulator_exit);
+MODULE_AUTHOR("Guiming Zhuo <gmzhuo@gmail.com>");
+MODULE_AUTHOR("Antonio Ospite <ospite@studenti.unina.it>");
+MODULE_DESCRIPTION("Regulator consumer driver for rfkill");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("platform:rfkill-regulator");
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index d952e7eac188..f9ea925ad9cb 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -682,10 +682,8 @@ static int rose_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
                return -EINVAL;
-        if ((dev = rose_dev_get(&addr->srose_addr)) == NULL) {
+        if ((dev = rose_dev_get(&addr->srose_addr)) == NULL)
-                SOCK_DEBUG(sk, "ROSE: bind failed: invalid address\n");
                return -EADDRNOTAVAIL;
-        }
        source = &addr->srose_call;
@@ -716,7 +714,7 @@ static int rose_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
        rose_insert_socket(sk);
        sock_reset_flag(sk, SOCK_ZAPPED);
-        SOCK_DEBUG(sk, "ROSE: socket is bound\n");
        return 0;
 }
@@ -803,7 +801,6 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
                rose_insert_socket(sk);         /* Finish the bind */
        }
-rose_try_next_neigh:
        rose->dest_addr   = addr->srose_addr;
        rose->dest_call   = addr->srose_call;
        rose->rand        = ((long)rose & 0xFFFF) + rose->lci;
@@ -865,12 +862,6 @@ rose_try_next_neigh:
        }
        if (sk->sk_state != TCP_ESTABLISHED) {
-        /* Try next neighbour */
-                rose->neighbour = rose_get_neigh(&addr->srose_addr, &cause, &diagnostic, 0);
-                if (rose->neighbour)
-                        goto rose_try_next_neigh;
-                /* No more neighbours */
                sock->state = SS_UNCONNECTED;
                err = sock_error(sk);   /* Always set at this point */
                goto out_release;
@@ -985,7 +976,7 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros
        struct sock *make;
        struct rose_sock *make_rose;
        struct rose_facilities_struct facilities;
-        int n, len;
+        int n;
        skb->sk = NULL;         /* Initially we don't know who it's for */
@@ -994,9 +985,9 @@ int rose_rx_call_request(struct sk_buff *skb, struct net_device *dev, struct ros
         */
        memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));
-        len  = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1;
+        if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF,
-        len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1;
+                                   skb->len - ROSE_CALL_REQ_FACILITIES_OFF,
-        if (!rose_parse_facilities(skb->data + len + 4, &facilities)) {
+                                   &facilities)) {
                rose_transmit_clear_request(neigh, lci, ROSE_INVALID_FACILITY, 76);
                return 0;
        }
@@ -1116,10 +1107,7 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock,
                        srose.srose_digis[n] = rose->dest_digis[n];
        }
-        SOCK_DEBUG(sk, "ROSE: sendto: Addresses built.\n");
        /* Build a packet */
-        SOCK_DEBUG(sk, "ROSE: sendto: building packet.\n");
        /* Sanity check the packet size */
        if (len > 65535)
                return -EMSGSIZE;
@@ -1134,7 +1122,6 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock,
        /*
         *      Put the data on the end
         */
-        SOCK_DEBUG(sk, "ROSE: Appending user data\n");
        skb_reset_transport_header(skb);
        skb_put(skb, len);
@@ -1159,8 +1146,6 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock,
         */
        asmptr = skb_push(skb, ROSE_MIN_LEN);
-        SOCK_DEBUG(sk, "ROSE: Building Network Header.\n");
        /* Build a ROSE Network header */
        asmptr[0] = ((rose->lci >> 8) & 0x0F) | ROSE_GFI;
        asmptr[1] = (rose->lci >> 0) & 0xFF;
@@ -1169,10 +1154,6 @@ static int rose_sendmsg(struct kiocb *iocb, struct socket *sock,
        if (qbit)
                asmptr[0] |= ROSE_Q_BIT;
-        SOCK_DEBUG(sk, "ROSE: Built header.\n");
-        SOCK_DEBUG(sk, "ROSE: Transmitting buffer\n");
        if (sk->sk_state != TCP_ESTABLISHED) {
                kfree_skb(skb);
                return -ENOTCONN;
diff --git a/net/rose/rose_loopback.c b/net/rose/rose_loopback.c
index ae4a9d99aec7..344456206b70 100644
--- a/net/rose/rose_loopback.c
+++ b/net/rose/rose_loopback.c
@@ -73,9 +73,20 @@ static void rose_loopback_timer(unsigned long param)
        unsigned int lci_i, lci_o;
        while ((skb = skb_dequeue(&loopback_queue)) != NULL) {
+                if (skb->len < ROSE_MIN_LEN) {
+                        kfree_skb(skb);
+                        continue;
+                }
                lci_i     = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
                frametype = skb->data[2];
-                dest      = (rose_address *)(skb->data + 4);
+                if (frametype == ROSE_CALL_REQUEST &&
+                    (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||
+                     skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=
+                     ROSE_CALL_REQ_ADDR_LEN_VAL)) {
+                        kfree_skb(skb);
+                        continue;
+                }
+                dest      = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);
                lci_o     = ROSE_DEFAULT_MAXVC + 1 - lci_i;
                skb_reset_transport_header(skb);
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index b4fdaac233f7..479cae57d187 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -587,7 +587,7 @@ static int rose_clear_routes(void)
 /*
 *      Check that the device given is a valid AX.25 interface that is "up".
- *      called whith RTNL
+ *      called with RTNL
 */
 static struct net_device *rose_ax25_dev_find(char *devname)
 {
@@ -674,29 +674,34 @@ struct rose_route *rose_route_free_lci(unsigned int lci, struct rose_neigh *neig
 *      Find a neighbour or a route given a ROSE address.
 */
 struct rose_neigh *rose_get_neigh(rose_address *addr, unsigned char *cause,
-        unsigned char *diagnostic, int new)
+        unsigned char *diagnostic, int route_frame)
 {
        struct rose_neigh *res = NULL;
        struct rose_node *node;
        int failed = 0;
        int i;
-        if (!new) spin_lock_bh(&rose_node_list_lock);
+        if (!route_frame) spin_lock_bh(&rose_node_list_lock);
        for (node = rose_node_list; node != NULL; node = node->next) {
                if (rosecmpm(addr, &node->address, node->mask) == 0) {
                        for (i = 0; i < node->count; i++) {
-                                if (new) {
+                                if (node->neighbour[i]->restarted) {
-                                        if (node->neighbour[i]->restarted) {
+                                        res = node->neighbour[i];
-                                                res = node->neighbour[i];
+                                        goto out;
-                                                goto out;
-                                        }
                                }
-                                else {
+                        }
+                }
+        }
+        if (!route_frame) { /* connect request */
+                for (node = rose_node_list; node != NULL; node = node->next) {
+                        if (rosecmpm(addr, &node->address, node->mask) == 0) {
+                                for (i = 0; i < node->count; i++) {
                                        if (!rose_ftimer_running(node->neighbour[i])) {
                                                res = node->neighbour[i];
+                                                failed = 0;
                                                goto out;
-                                        } else
+                                        }
-                                                failed = 1;
+                                        failed = 1;
                                }
                        }
                }
@@ -711,8 +716,7 @@ struct rose_neigh *rose_get_neigh(rose_address *addr, unsigned char *cause,
        }
 out:
-        if (!new) spin_unlock_bh(&rose_node_list_lock);
+        if (!route_frame) spin_unlock_bh(&rose_node_list_lock);
        return res;
 }
@@ -857,7 +861,7 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
        unsigned int lci, new_lci;
        unsigned char cause, diagnostic;
        struct net_device *dev;
-        int len, res = 0;
+        int res = 0;
        char buf[11];
 #if 0
@@ -865,10 +869,17 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
                return res;
 #endif
+        if (skb->len < ROSE_MIN_LEN)
+                return res;
        frametype = skb->data[2];
        lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
-        src_addr  = (rose_address *)(skb->data + 9);
+        if (frametype == ROSE_CALL_REQUEST &&
-        dest_addr = (rose_address *)(skb->data + 4);
+            (skb->len <= ROSE_CALL_REQ_FACILITIES_OFF ||
+             skb->data[ROSE_CALL_REQ_ADDR_LEN_OFF] !=
+             ROSE_CALL_REQ_ADDR_LEN_VAL))
+                return res;
+        src_addr  = (rose_address *)(skb->data + ROSE_CALL_REQ_SRC_ADDR_OFF);
+        dest_addr = (rose_address *)(skb->data + ROSE_CALL_REQ_DEST_ADDR_OFF);
        spin_lock_bh(&rose_neigh_list_lock);
        spin_lock_bh(&rose_route_list_lock);
@@ -1006,12 +1017,11 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
                goto out;
        }
-        len  = (((skb->data[3] >> 4) & 0x0F) + 1) >> 1;
-        len += (((skb->data[3] >> 0) & 0x0F) + 1) >> 1;
        memset(&facilities, 0x00, sizeof(struct rose_facilities_struct));
-        if (!rose_parse_facilities(skb->data + len + 4, &facilities)) {
+        if (!rose_parse_facilities(skb->data + ROSE_CALL_REQ_FACILITIES_OFF,
+                                   skb->len - ROSE_CALL_REQ_FACILITIES_OFF,
+                                   &facilities)) {
                rose_transmit_clear_request(rose_neigh, lci, ROSE_INVALID_FACILITY, 76);
                goto out;
        }
diff --git a/net/rose/rose_subr.c b/net/rose/rose_subr.c
index 1734abba26a2..f6c71caa94b9 100644
--- a/net/rose/rose_subr.c
+++ b/net/rose/rose_subr.c
@@ -142,7 +142,7 @@ void rose_write_internal(struct sock *sk, int frametype)
                *dptr++ = ROSE_GFI | lci1;
                *dptr++ = lci2;
                *dptr++ = frametype;
-                *dptr++ = 0xAA;
+                *dptr++ = ROSE_CALL_REQ_ADDR_LEN_VAL;
                memcpy(dptr, &rose->dest_addr,  ROSE_ADDR_LEN);
                dptr   += ROSE_ADDR_LEN;
                memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN);
@@ -246,12 +246,16 @@ static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *
        do {
                switch (*p & 0xC0) {
                case 0x00:
+                        if (len < 2)
+                                return -1;
                        p   += 2;
                        n   += 2;
                        len -= 2;
                        break;
                case 0x40:
+                        if (len < 3)
+                                return -1;
                        if (*p == FAC_NATIONAL_RAND)
                                facilities->rand = ((p[1] << 8) & 0xFF00) + ((p[2] << 0) & 0x00FF);
                        p   += 3;
@@ -260,40 +264,61 @@ static int rose_parse_national(unsigned char *p, struct rose_facilities_struct *
                        break;
                case 0x80:
+                        if (len < 4)
+                                return -1;
                        p   += 4;
                        n   += 4;
                        len -= 4;
                        break;
                case 0xC0:
+                        if (len < 2)
+                                return -1;
                        l = p[1];
+                        if (len < 2 + l)
+                                return -1;
                        if (*p == FAC_NATIONAL_DEST_DIGI) {
                                if (!fac_national_digis_received) {
+                                        if (l < AX25_ADDR_LEN)
+                                                return -1;
                                        memcpy(&facilities->source_digis[0], p + 2, AX25_ADDR_LEN);
                                        facilities->source_ndigis = 1;
                                }
                        }
                        else if (*p == FAC_NATIONAL_SRC_DIGI) {
                                if (!fac_national_digis_received) {
+                                        if (l < AX25_ADDR_LEN)
+                                                return -1;
                                        memcpy(&facilities->dest_digis[0], p + 2, AX25_ADDR_LEN);
                                        facilities->dest_ndigis = 1;
                                }
                        }
                        else if (*p == FAC_NATIONAL_FAIL_CALL) {
+                                if (l < AX25_ADDR_LEN)
+                                        return -1;
                                memcpy(&facilities->fail_call, p + 2, AX25_ADDR_LEN);
                        }
                        else if (*p == FAC_NATIONAL_FAIL_ADD) {
+                                if (l < 1 + ROSE_ADDR_LEN)
+                                        return -1;
                                memcpy(&facilities->fail_addr, p + 3, ROSE_ADDR_LEN);
                        }
                        else if (*p == FAC_NATIONAL_DIGIS) {
+                                if (l % AX25_ADDR_LEN)
+                                        return -1;
                                fac_national_digis_received = 1;
                                facilities->source_ndigis = 0;
                                facilities->dest_ndigis   = 0;
                                for (pt = p + 2, lg = 0 ; lg < l ; pt += AX25_ADDR_LEN, lg += AX25_ADDR_LEN) {
-                                        if (pt[6] & AX25_HBIT)
+                                        if (pt[6] & AX25_HBIT) {
+                                                if (facilities->dest_ndigis >= ROSE_MAX_DIGIS)
+                                                        return -1;
                                                memcpy(&facilities->dest_digis[facilities->dest_ndigis++], pt, AX25_ADDR_LEN);
-                                        else
+                                        } else {
+                                                if (facilities->source_ndigis >= ROSE_MAX_DIGIS)
+                                                        return -1;
                                                memcpy(&facilities->source_digis[facilities->source_ndigis++], pt, AX25_ADDR_LEN);
+                                        }
                                }
                        }
                        p   += l + 2;
@@ -314,25 +339,38 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
        do {
                switch (*p & 0xC0) {
                case 0x00:
+                        if (len < 2)
+                                return -1;
                        p   += 2;
                        n   += 2;
                        len -= 2;
                        break;
                case 0x40:
+                        if (len < 3)
+                                return -1;
                        p   += 3;
                        n   += 3;
                        len -= 3;
                        break;
                case 0x80:
+                        if (len < 4)
+                                return -1;
                        p   += 4;
                        n   += 4;
                        len -= 4;
                        break;
                case 0xC0:
+                        if (len < 2)
+                                return -1;
                        l = p[1];
+                        /* Prevent overflows*/
+                        if (l < 10 || l > 20)
+                                return -1;
                        if (*p == FAC_CCITT_DEST_NSAP) {
                                memcpy(&facilities->source_addr, p + 7, ROSE_ADDR_LEN);
                                memcpy(callsign, p + 12,   l - 10);
@@ -355,45 +393,44 @@ static int rose_parse_ccitt(unsigned char *p, struct rose_facilities_struct *fac
        return n;
 }
-int rose_parse_facilities(unsigned char *p,
+int rose_parse_facilities(unsigned char *p, unsigned packet_len,
        struct rose_facilities_struct *facilities)
 {
        int facilities_len, len;
        facilities_len = *p++;
-        if (facilities_len == 0)
+        if (facilities_len == 0 || (unsigned)facilities_len > packet_len)
                return 0;
-        while (facilities_len > 0) {
+        while (facilities_len >= 3 && *p == 0x00) {
-                if (*p == 0x00) {
+                facilities_len--;
-                        facilities_len--;
+                p++;
-                        p++;
+                switch (*p) {
-                        switch (*p) {
+                case FAC_NATIONAL:              /* National */
-                        case FAC_NATIONAL:              /* National */
+                        len = rose_parse_national(p + 1, facilities, facilities_len - 1);
-                                len = rose_parse_national(p + 1, facilities, facilities_len - 1);
+                        break;
-                                facilities_len -= len + 1;
-                                p += len + 1;
+                case FAC_CCITT:         /* CCITT */
-                                break;
+                        len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
+                        break;
-                        case FAC_CCITT:         /* CCITT */
-                                len = rose_parse_ccitt(p + 1, facilities, facilities_len - 1);
+                default:
-                                facilities_len -= len + 1;
+                        printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p);
-                                p += len + 1;
+                        len = 1;
-                                break;
+                        break;
+                }
-                        default:
-                                printk(KERN_DEBUG "ROSE: rose_parse_facilities - unknown facilities family %02X\n", *p);
+                if (len < 0)
-                                facilities_len--;
+                        return 0;
-                                p++;
+                if (WARN_ON(len >= facilities_len))
-                                break;
+                        return 0;
-                        }
+                facilities_len -= len + 1;
-                } else
+                p += len + 1;
-                        break;  /* Error in facilities format */
        }
-        return 1;
+        return facilities_len == 0;
 }
 static int rose_create_facilities(unsigned char *buffer, struct rose_sock *rose)
diff --git a/net/rxrpc/ar-ack.c b/net/rxrpc/ar-ack.c
index b6ffe4e1b84a..f99cfce7ca97 100644
--- a/net/rxrpc/ar-ack.c
+++ b/net/rxrpc/ar-ack.c
@@ -375,7 +375,6 @@ protocol_error:
 */
 static void rxrpc_rotate_tx_window(struct rxrpc_call *call, u32 hard)
 {
-        struct rxrpc_skb_priv *sp;
        unsigned long _skb;
        int tail = call->acks_tail, old_tail;
        int win = CIRC_CNT(call->acks_head, tail, call->acks_winsz);
@@ -387,7 +386,6 @@ static void rxrpc_rotate_tx_window(struct rxrpc_call *call, u32 hard)
        while (call->acks_hard < hard) {
                smp_read_barrier_depends();
                _skb = call->acks_window[tail] & ~1;
-                sp = rxrpc_skb((struct sk_buff *) _skb);
                rxrpc_free_skb((struct sk_buff *) _skb);
                old_tail = tail;
                tail = (tail + 1) & (call->acks_winsz - 1);
diff --git a/net/rxrpc/ar-connevent.c b/net/rxrpc/ar-connevent.c
index 0505cdc4d6d4..e7ed43a54c41 100644
--- a/net/rxrpc/ar-connevent.c
+++ b/net/rxrpc/ar-connevent.c
@@ -259,7 +259,6 @@ void rxrpc_process_connection(struct work_struct *work)
 {
        struct rxrpc_connection *conn =
                container_of(work, struct rxrpc_connection, processor);
-        struct rxrpc_skb_priv *sp;
        struct sk_buff *skb;
        u32 abort_code = RX_PROTOCOL_ERROR;
        int ret;
@@ -276,8 +275,6 @@ void rxrpc_process_connection(struct work_struct *work)
        /* go through the conn-level event packets, releasing the ref on this
         * connection that each one has when we've finished with it */
        while ((skb = skb_dequeue(&conn->rx_queue))) {
-                sp = rxrpc_skb(skb);
                ret = rxrpc_process_event(conn, skb, &abort_code);
                switch (ret) {
                case -EPROTO:
diff --git a/net/rxrpc/ar-error.c b/net/rxrpc/ar-error.c
index d4d1ae26d293..5d6b572a6704 100644
--- a/net/rxrpc/ar-error.c
+++ b/net/rxrpc/ar-error.c
@@ -139,7 +139,7 @@ void rxrpc_UDP_error_handler(struct work_struct *work)
        struct rxrpc_transport *trans =
                container_of(work, struct rxrpc_transport, error_handler);
        struct sk_buff *skb;
-        int local, err;
+        int err;
        _enter("");
@@ -157,7 +157,6 @@ void rxrpc_UDP_error_handler(struct work_struct *work)
        switch (ee->ee_origin) {
        case SO_EE_ORIGIN_ICMP:
-                local = 0;
                switch (ee->ee_type) {
                case ICMP_DEST_UNREACH:
                        switch (ee->ee_code) {
@@ -207,7 +206,6 @@ void rxrpc_UDP_error_handler(struct work_struct *work)
        case SO_EE_ORIGIN_LOCAL:
                _proto("Rx Received local error { error=%d }",
                       ee->ee_errno);
-                local = 1;
                break;
        case SO_EE_ORIGIN_NONE:
@@ -215,7 +213,6 @@ void rxrpc_UDP_error_handler(struct work_struct *work)
        default:
                _proto("Rx Received error report { orig=%u }",
                       ee->ee_origin);
-                local = 0;
                break;
        }
diff --git a/net/rxrpc/ar-input.c b/net/rxrpc/ar-input.c
index 89315009bab1..1a2b0633fece 100644
--- a/net/rxrpc/ar-input.c
+++ b/net/rxrpc/ar-input.c
@@ -423,6 +423,7 @@ void rxrpc_fast_process_packet(struct rxrpc_call *call, struct sk_buff *skb)
                        goto protocol_error;
                }
+        case RXRPC_PACKET_TYPE_ACKALL:
        case RXRPC_PACKET_TYPE_ACK:
                /* ACK processing is done in process context */
                read_lock_bh(&call->state_lock);
diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c
index d763793d39de..43ea7de2fc8e 100644
--- a/net/rxrpc/ar-key.c
+++ b/net/rxrpc/ar-key.c
@@ -25,6 +25,7 @@
 #include <keys/user-type.h>
 #include "ar-internal.h"
+static int rxrpc_vet_description_s(const char *);
 static int rxrpc_instantiate(struct key *, const void *, size_t);
 static int rxrpc_instantiate_s(struct key *, const void *, size_t);
 static void rxrpc_destroy(struct key *);
@@ -52,6 +53,7 @@ EXPORT_SYMBOL(key_type_rxrpc);
 */
 struct key_type key_type_rxrpc_s = {
        .name           = "rxrpc_s",
+        .vet_description = rxrpc_vet_description_s,
        .instantiate    = rxrpc_instantiate_s,
        .match          = user_match,
        .destroy        = rxrpc_destroy_s,
@@ -59,6 +61,23 @@ struct key_type key_type_rxrpc_s = {
 };
 /*
+ * Vet the description for an RxRPC server key
+ */
+static int rxrpc_vet_description_s(const char *desc)
+{
+        unsigned long num;
+        char *p;
+        num = simple_strtoul(desc, &p, 10);
+        if (*p != ':' || num > 65535)
+                return -EINVAL;
+        num = simple_strtoul(p + 1, &p, 10);
+        if (*p || num < 1 || num > 255)
+                return -EINVAL;
+        return 0;
+}
+/*
 * parse an RxKAD type XDR format token
 * - the caller guarantees we have at least 4 words
 */
diff --git a/net/rxrpc/ar-peer.c b/net/rxrpc/ar-peer.c
index a53fb25a64ed..2754f098d436 100644
--- a/net/rxrpc/ar-peer.c
+++ b/net/rxrpc/ar-peer.c
@@ -36,31 +36,16 @@ static void rxrpc_destroy_peer(struct work_struct *work);
 static void rxrpc_assess_MTU_size(struct rxrpc_peer *peer)
 {
        struct rtable *rt;
-        struct flowi fl;
+        struct flowi4 fl4;
-        int ret;
        peer->if_mtu = 1500;
-        memset(&fl, 0, sizeof(fl));
+        rt = ip_route_output_ports(&init_net, &fl4, NULL,
+                                   peer->srx.transport.sin.sin_addr.s_addr, 0,
-        switch (peer->srx.transport.family) {
+                                   htons(7000), htons(7001),
-        case AF_INET:
+                                   IPPROTO_UDP, 0, 0);
-                fl.oif = 0;
+        if (IS_ERR(rt)) {
-                fl.proto = IPPROTO_UDP,
+                _leave(" [route err %ld]", PTR_ERR(rt));
-                fl.fl4_dst = peer->srx.transport.sin.sin_addr.s_addr;
-                fl.fl4_src = 0;
-                fl.fl4_tos = 0;
-                /* assume AFS.CM talking to AFS.FS */
-                fl.fl_ip_sport = htons(7001);
-                fl.fl_ip_dport = htons(7000);
-                break;
-        default:
-                BUG();
-        }
-        ret = ip_route_output_key(&init_net, &rt, &fl);
-        if (ret < 0) {
-                _leave(" [route err %d]", ret);
                return;
        }
@@ -172,6 +157,7 @@ struct rxrpc_peer *rxrpc_get_peer(struct sockaddr_rxrpc *srx, gfp_t gfp)
        /* we can now add the new candidate to the list */
        peer = candidate;
        candidate = NULL;
+        usage = atomic_read(&peer->usage);
        list_add_tail(&peer->link, &rxrpc_peers);
        write_unlock_bh(&rxrpc_peer_lock);
@@ -186,7 +172,7 @@ success:
             &peer->srx.transport.sin.sin_addr,
             ntohs(peer->srx.transport.sin.sin_port));
-        _leave(" = %p {u=%d}", peer, atomic_read(&peer->usage));
+        _leave(" = %p {u=%d}", peer, usage);
        return peer;
        /* we found the peer in the list immediately */
diff --git a/net/rxrpc/ar-transport.c b/net/rxrpc/ar-transport.c
index 5e0226fe587e..92df566930b9 100644
--- a/net/rxrpc/ar-transport.c
+++ b/net/rxrpc/ar-transport.c
@@ -111,6 +111,7 @@ struct rxrpc_transport *rxrpc_get_transport(struct rxrpc_local *local,
        /* we can now add the new candidate to the list */
        trans = candidate;
        candidate = NULL;
+        usage = atomic_read(&trans->usage);
        rxrpc_get_local(trans->local);
        atomic_inc(&trans->peer->usage);
@@ -125,7 +126,7 @@ success:
             trans->local->debug_id,
             trans->peer->debug_id);
-        _leave(" = %p {u=%d}", trans, atomic_read(&trans->usage));
+        _leave(" = %p {u=%d}", trans, usage);
        return trans;
        /* we found the transport in the list immediately */
diff --git a/net/sched/Kconfig b/net/sched/Kconfig
index f04d4a484d53..2590e91b3289 100644
--- a/net/sched/Kconfig
+++ b/net/sched/Kconfig
@@ -126,6 +126,17 @@ config NET_SCH_RED
          To compile this code as a module, choose M here: the
          module will be called sch_red.
+config NET_SCH_SFB
+        tristate "Stochastic Fair Blue (SFB)"
+        ---help---
+          Say Y here if you want to use the Stochastic Fair Blue (SFB)
+          packet scheduling algorithm.
+          See the top of <file:net/sched/sch_sfb.c> for more details.
+          To compile this code as a module, choose M here: the
+          module will be called sch_sfb.
 config NET_SCH_SFQ
        tristate "Stochastic Fairness Queueing (SFQ)"
        ---help---
@@ -205,6 +216,40 @@ config NET_SCH_DRR
          If unsure, say N.
+config NET_SCH_MQPRIO
+        tristate "Multi-queue priority scheduler (MQPRIO)"
+        help
+          Say Y here if you want to use the Multi-queue Priority scheduler.
+          This scheduler allows QOS to be offloaded on NICs that have support
+          for offloading QOS schedulers.
+          To compile this driver as a module, choose M here: the module will
+          be called sch_mqprio.
+          If unsure, say N.
+config NET_SCH_CHOKE
+        tristate "CHOose and Keep responsive flow scheduler (CHOKE)"
+        help
+          Say Y here if you want to use the CHOKe packet scheduler (CHOose
+          and Keep for responsive flows, CHOose and Kill for unresponsive
+          flows). This is a variation of RED which trys to penalize flows
+          that monopolize the queue.
+          To compile this code as a module, choose M here: the
+          module will be called sch_choke.
+config NET_SCH_QFQ
+        tristate "Quick Fair Queueing scheduler (QFQ)"
+        help
+          Say Y here if you want to use the Quick Fair Queueing Scheduler (QFQ)
+          packet scheduling algorithm.
+          To compile this driver as a module, choose M here: the module
+          will be called sch_qfq.
+          If unsure, say N.
 config NET_SCH_INGRESS
        tristate "Ingress Qdisc"
        depends on NET_CLS_ACT
@@ -243,7 +288,8 @@ config NET_CLS_TCINDEX
 config NET_CLS_ROUTE4
        tristate "Routing decision (ROUTE)"
-        select NET_CLS_ROUTE
+        depends on INET
+        select IP_ROUTE_CLASSID
        select NET_CLS
        ---help---
          If you say Y here, you will be able to classify packets
@@ -252,9 +298,6 @@ config NET_CLS_ROUTE4
          To compile this code as a module, choose M here: the
          module will be called cls_route.
-config NET_CLS_ROUTE
-        bool
 config NET_CLS_FW
        tristate "Netfilter mark (FW)"
        select NET_CLS
diff --git a/net/sched/Makefile b/net/sched/Makefile
index 960f5dba6304..dc5889c0a15a 100644
--- a/net/sched/Makefile
+++ b/net/sched/Makefile
@@ -24,6 +24,7 @@ obj-$(CONFIG_NET_SCH_RED)	+= sch_red.o
 obj-$(CONFIG_NET_SCH_GRED)      += sch_gred.o
 obj-$(CONFIG_NET_SCH_INGRESS)   += sch_ingress.o 
 obj-$(CONFIG_NET_SCH_DSMARK)    += sch_dsmark.o
+obj-$(CONFIG_NET_SCH_SFB)       += sch_sfb.o
 obj-$(CONFIG_NET_SCH_SFQ)       += sch_sfq.o
 obj-$(CONFIG_NET_SCH_TBF)       += sch_tbf.o
 obj-$(CONFIG_NET_SCH_TEQL)      += sch_teql.o
@@ -32,6 +33,10 @@ obj-$(CONFIG_NET_SCH_MULTIQ)	+= sch_multiq.o
 obj-$(CONFIG_NET_SCH_ATM)       += sch_atm.o
 obj-$(CONFIG_NET_SCH_NETEM)     += sch_netem.o
 obj-$(CONFIG_NET_SCH_DRR)       += sch_drr.o
+obj-$(CONFIG_NET_SCH_MQPRIO)    += sch_mqprio.o
+obj-$(CONFIG_NET_SCH_CHOKE)     += sch_choke.o
+obj-$(CONFIG_NET_SCH_QFQ)       += sch_qfq.o
 obj-$(CONFIG_NET_CLS_U32)       += cls_u32.o
 obj-$(CONFIG_NET_CLS_ROUTE4)    += cls_route.o
 obj-$(CONFIG_NET_CLS_FW)        += cls_fw.o
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 23b25f89e7e0..a606025814a1 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -26,11 +26,6 @@
 #include <net/act_api.h>
 #include <net/netlink.h>
-static void tcf_common_free_rcu(struct rcu_head *head)
-{
-        kfree(container_of(head, struct tcf_common, tcfc_rcu));
-}
 void tcf_hash_destroy(struct tcf_common *p, struct tcf_hashinfo *hinfo)
 {
        unsigned int h = tcf_hash(p->tcfc_index, hinfo->hmask);
@@ -47,7 +42,7 @@ void tcf_hash_destroy(struct tcf_common *p, struct tcf_hashinfo *hinfo)
                         * gen_estimator est_timer() might access p->tcfc_lock
                         * or bstats, wait a RCU grace period before freeing p
                         */
-                        call_rcu(&p->tcfc_rcu, tcf_common_free_rcu);
+                        kfree_rcu(p, tcfc_rcu);
                        return;
                }
        }
@@ -78,7 +73,7 @@ static int tcf_dump_walker(struct sk_buff *skb, struct netlink_callback *cb,
                           struct tc_action *a, struct tcf_hashinfo *hinfo)
 {
        struct tcf_common *p;
-        int err = 0, index = -1,i = 0, s_i = 0, n_i = 0;
+        int err = 0, index = -1, i = 0, s_i = 0, n_i = 0;
        struct nlattr *nest;
        read_lock_bh(hinfo->lock);
@@ -126,7 +121,7 @@ static int tcf_del_walker(struct sk_buff *skb, struct tc_action *a,
 {
        struct tcf_common *p, *s_p;
        struct nlattr *nest;
-        int i= 0, n_i = 0;
+        int i = 0, n_i = 0;
        nest = nla_nest_start(skb, a->order);
        if (nest == NULL)
@@ -138,7 +133,7 @@ static int tcf_del_walker(struct sk_buff *skb, struct tc_action *a,
                while (p != NULL) {
                        s_p = p->tcfc_next;
                        if (ACT_P_DELETED == tcf_hash_release(p, 0, hinfo))
-                                 module_put(a->ops->owner);
+                                module_put(a->ops->owner);
                        n_i++;
                        p = s_p;
                }
@@ -447,7 +442,8 @@ tcf_action_dump_1(struct sk_buff *skb, struct tc_action *a, int bind, int ref)
        nest = nla_nest_start(skb, TCA_OPTIONS);
        if (nest == NULL)
                goto nla_put_failure;
-        if ((err = tcf_action_dump_old(skb, a, bind, ref)) > 0) {
+        err = tcf_action_dump_old(skb, a, bind, ref);
+        if (err > 0) {
                nla_nest_end(skb, nest);
                return err;
        }
@@ -491,7 +487,7 @@ struct tc_action *tcf_action_init_1(struct nlattr *nla, struct nlattr *est,
        struct tc_action *a;
        struct tc_action_ops *a_o;
        char act_name[IFNAMSIZ];
-        struct nlattr *tb[TCA_ACT_MAX+1];
+        struct nlattr *tb[TCA_ACT_MAX + 1];
        struct nlattr *kind;
        int err;
@@ -549,9 +545,9 @@ struct tc_action *tcf_action_init_1(struct nlattr *nla, struct nlattr *est,
                goto err_free;
        /* module count goes up only when brand new policy is created
-           if it exists and is only bound to in a_o->init() then
+         * if it exists and is only bound to in a_o->init() then
-           ACT_P_CREATED is not returned (a zero is).
+         * ACT_P_CREATED is not returned (a zero is).
-        */
+         */
        if (err != ACT_P_CREATED)
                module_put(a_o->owner);
        a->ops = a_o;
@@ -569,7 +565,7 @@ err_out:
 struct tc_action *tcf_action_init(struct nlattr *nla, struct nlattr *est,
                                  char *name, int ovr, int bind)
 {
-        struct nlattr *tb[TCA_ACT_MAX_PRIO+1];
+        struct nlattr *tb[TCA_ACT_MAX_PRIO + 1];
        struct tc_action *head = NULL, *act, *act_prev = NULL;
        int err;
        int i;
@@ -697,7 +693,7 @@ act_get_notify(struct net *net, u32 pid, struct nlmsghdr *n,
 static struct tc_action *
 tcf_action_get_1(struct nlattr *nla, struct nlmsghdr *n, u32 pid)
 {
-        struct nlattr *tb[TCA_ACT_MAX+1];
+        struct nlattr *tb[TCA_ACT_MAX + 1];
        struct tc_action *a;
        int index;
        int err;
@@ -770,7 +766,7 @@ static int tca_action_flush(struct net *net, struct nlattr *nla,
        struct tcamsg *t;
        struct netlink_callback dcb;
        struct nlattr *nest;
-        struct nlattr *tb[TCA_ACT_MAX+1];
+        struct nlattr *tb[TCA_ACT_MAX + 1];
        struct nlattr *kind;
        struct tc_action *a = create_a(0);
        int err = -ENOMEM;
@@ -821,7 +817,8 @@ static int tca_action_flush(struct net *net, struct nlattr *nla,
        nlh->nlmsg_flags |= NLM_F_ROOT;
        module_put(a->ops->owner);
        kfree(a);
-        err = rtnetlink_send(skb, net, pid, RTNLGRP_TC, n->nlmsg_flags&NLM_F_ECHO);
+        err = rtnetlink_send(skb, net, pid, RTNLGRP_TC,
+                             n->nlmsg_flags & NLM_F_ECHO);
        if (err > 0)
                return 0;
@@ -842,14 +839,14 @@ tca_action_gd(struct net *net, struct nlattr *nla, struct nlmsghdr *n,
              u32 pid, int event)
 {
        int i, ret;
-        struct nlattr *tb[TCA_ACT_MAX_PRIO+1];
+        struct nlattr *tb[TCA_ACT_MAX_PRIO + 1];
        struct tc_action *head = NULL, *act, *act_prev = NULL;
        ret = nla_parse_nested(tb, TCA_ACT_MAX_PRIO, nla, NULL);
        if (ret < 0)
                return ret;
-        if (event == RTM_DELACTION && n->nlmsg_flags&NLM_F_ROOT) {
+        if (event == RTM_DELACTION && n->nlmsg_flags & NLM_F_ROOT) {
                if (tb[1] != NULL)
                        return tca_action_flush(net, tb[1], n, pid);
                else
@@ -892,7 +889,7 @@ tca_action_gd(struct net *net, struct nlattr *nla, struct nlmsghdr *n,
                /* now do the delete */
                tcf_action_destroy(head, 0);
                ret = rtnetlink_send(skb, net, pid, RTNLGRP_TC,
-                                     n->nlmsg_flags&NLM_F_ECHO);
+                                     n->nlmsg_flags & NLM_F_ECHO);
                if (ret > 0)
                        return 0;
                return ret;
@@ -936,7 +933,7 @@ static int tcf_add_notify(struct net *net, struct tc_action *a,
        nlh->nlmsg_len = skb_tail_pointer(skb) - b;
        NETLINK_CB(skb).dst_group = RTNLGRP_TC;
-        err = rtnetlink_send(skb, net, pid, RTNLGRP_TC, flags&NLM_F_ECHO);
+        err = rtnetlink_send(skb, net, pid, RTNLGRP_TC, flags & NLM_F_ECHO);
        if (err > 0)
                err = 0;
        return err;
@@ -967,7 +964,7 @@ tcf_action_add(struct net *net, struct nlattr *nla, struct nlmsghdr *n,
        /* dump then free all the actions after update; inserted policy
         * stays intact
-         * */
+         */
        ret = tcf_add_notify(net, act, pid, seq, RTM_NEWACTION, n->nlmsg_flags);
        for (a = act; a; a = act) {
                act = a->next;
@@ -993,17 +990,16 @@ static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
                return -EINVAL;
        }
-        /* n->nlmsg_flags&NLM_F_CREATE
+        /* n->nlmsg_flags & NLM_F_CREATE */
-         * */
        switch (n->nlmsg_type) {
        case RTM_NEWACTION:
                /* we are going to assume all other flags
-                 * imply create only if it doesnt exist
+                 * imply create only if it doesn't exist
                 * Note that CREATE | EXCL implies that
                 * but since we want avoid ambiguity (eg when flags
                 * is zero) then just set this
                 */
-                if (n->nlmsg_flags&NLM_F_REPLACE)
+                if (n->nlmsg_flags & NLM_F_REPLACE)
                        ovr = 1;
 replay:
                ret = tcf_action_add(net, tca[TCA_ACT_TAB], n, pid, ovr);
@@ -1028,7 +1024,7 @@ replay:
 static struct nlattr *
 find_dump_kind(const struct nlmsghdr *n)
 {
-        struct nlattr *tb1, *tb2[TCA_ACT_MAX+1];
+        struct nlattr *tb1, *tb2[TCA_ACT_MAX + 1];
        struct nlattr *tb[TCA_ACT_MAX_PRIO + 1];
        struct nlattr *nla[TCAA_MAX + 1];
        struct nlattr *kind;
@@ -1071,9 +1067,8 @@ tc_dump_action(struct sk_buff *skb, struct netlink_callback *cb)
        }
        a_o = tc_lookup_action(kind);
-        if (a_o == NULL) {
+        if (a_o == NULL)
                return 0;
-        }
        memset(&a, 0, sizeof(struct tc_action));
        a.ops = a_o;
diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
index 83ddfc07e45d..6cdf9abe475f 100644
--- a/net/sched/act_csum.c
+++ b/net/sched/act_csum.c
@@ -63,7 +63,7 @@ static int tcf_csum_init(struct nlattr *nla, struct nlattr *est,
        if (nla == NULL)
                return -EINVAL;
-        err = nla_parse_nested(tb, TCA_CSUM_MAX, nla,csum_policy);
+        err = nla_parse_nested(tb, TCA_CSUM_MAX, nla, csum_policy);
        if (err < 0)
                return err;
diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
index c2ed90a4c0b4..2b4ab4b05ce8 100644
--- a/net/sched/act_gact.c
+++ b/net/sched/act_gact.c
@@ -50,7 +50,7 @@ static int gact_determ(struct tcf_gact *gact)
 }
 typedef int (*g_rand)(struct tcf_gact *gact);
-static g_rand gact_rand[MAX_RAND]= { NULL, gact_net_rand, gact_determ };
+static g_rand gact_rand[MAX_RAND] = { NULL, gact_net_rand, gact_determ };
 #endif /* CONFIG_GACT_PROB */
 static const struct nla_policy gact_policy[TCA_GACT_MAX + 1] = {
@@ -89,7 +89,7 @@ static int tcf_gact_init(struct nlattr *nla, struct nlattr *est,
                pc = tcf_hash_create(parm->index, est, a, sizeof(*gact),
                                     bind, &gact_idx_gen, &gact_hash_info);
                if (IS_ERR(pc))
-                    return PTR_ERR(pc);
+                        return PTR_ERR(pc);
                ret = ACT_P_CREATED;
        } else {
                if (!ovr) {
@@ -205,9 +205,9 @@ MODULE_LICENSE("GPL");
 static int __init gact_init_module(void)
 {
 #ifdef CONFIG_GACT_PROB
-        printk(KERN_INFO "GACT probability on\n");
+        pr_info("GACT probability on\n");
 #else
-        printk(KERN_INFO "GACT probability NOT on\n");
+        pr_info("GACT probability NOT on\n");
 #endif
        return tcf_register_action(&act_gact_ops);
 }
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index c2a7c20e81c1..9fc211a1b20e 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -138,7 +138,7 @@ static int tcf_ipt_init(struct nlattr *nla, struct nlattr *est,
                pc = tcf_hash_create(index, est, a, sizeof(*ipt), bind,
                                     &ipt_idx_gen, &ipt_hash_info);
                if (IS_ERR(pc))
-                    return PTR_ERR(pc);
+                        return PTR_ERR(pc);
                ret = ACT_P_CREATED;
        } else {
                if (!ovr) {
@@ -162,7 +162,8 @@ static int tcf_ipt_init(struct nlattr *nla, struct nlattr *est,
        if (unlikely(!t))
                goto err2;
-        if ((err = ipt_init_target(t, tname, hook)) < 0)
+        err = ipt_init_target(t, tname, hook);
+        if (err < 0)
                goto err3;
        spin_lock_bh(&ipt->tcf_lock);
@@ -212,8 +213,9 @@ static int tcf_ipt(struct sk_buff *skb, struct tc_action *a,
        bstats_update(&ipt->tcf_bstats, skb);
        /* yes, we have to worry about both in and out dev
-         worry later - danger - this API seems to have changed
+         * worry later - danger - this API seems to have changed
-         from earlier kernels */
+         * from earlier kernels
+         */
        par.in       = skb->dev;
        par.out      = NULL;
        par.hooknum  = ipt->tcfi_hook;
@@ -253,9 +255,9 @@ static int tcf_ipt_dump(struct sk_buff *skb, struct tc_action *a, int bind, int
        struct tc_cnt c;
        /* for simple targets kernel size == user size
-        ** user name = target name
+         * user name = target name
-        ** for foolproof you need to not assume this
+         * for foolproof you need to not assume this
-        */
+         */
        t = kmemdup(ipt->tcfi_t, ipt->tcfi_t->u.user.target_size, GFP_ATOMIC);
        if (unlikely(!t))
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index d765067e99db..961386e2f2c0 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -41,13 +41,13 @@ static struct tcf_hashinfo mirred_hash_info = {
        .lock   =       &mirred_lock,
 };
-static inline int tcf_mirred_release(struct tcf_mirred *m, int bind)
+static int tcf_mirred_release(struct tcf_mirred *m, int bind)
 {
        if (m) {
                if (bind)
                        m->tcf_bindcnt--;
                m->tcf_refcnt--;
-                if(!m->tcf_bindcnt && m->tcf_refcnt <= 0) {
+                if (!m->tcf_bindcnt && m->tcf_refcnt <= 0) {
                        list_del(&m->tcfm_list);
                        if (m->tcfm_dev)
                                dev_put(m->tcfm_dev);
diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c
index 178a4bd7b7cb..762b027650a9 100644
--- a/net/sched/act_nat.c
+++ b/net/sched/act_nat.c
@@ -69,7 +69,7 @@ static int tcf_nat_init(struct nlattr *nla, struct nlattr *est,
                pc = tcf_hash_create(parm->index, est, a, sizeof(*p), bind,
                                     &nat_idx_gen, &nat_hash_info);
                if (IS_ERR(pc))
-                    return PTR_ERR(pc);
+                        return PTR_ERR(pc);
                p = to_tcf_nat(pc);
                ret = ACT_P_CREATED;
        } else {
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 445bef716f77..7affe9a92757 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -70,7 +70,7 @@ static int tcf_pedit_init(struct nlattr *nla, struct nlattr *est,
                pc = tcf_hash_create(parm->index, est, a, sizeof(*p), bind,
                                     &pedit_idx_gen, &pedit_hash_info);
                if (IS_ERR(pc))
-                    return PTR_ERR(pc);
+                        return PTR_ERR(pc);
                p = to_pedit(pc);
                keys = kmalloc(ksize, GFP_KERNEL);
                if (keys == NULL) {
@@ -127,11 +127,9 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a,
        int i, munged = 0;
        unsigned int off;
-        if (skb_cloned(skb)) {
+        if (skb_cloned(skb) &&
-                if (pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) {
+            pskb_expand_head(skb, 0, 0, GFP_ATOMIC))
-                        return p->tcf_action;
+                return p->tcf_action;
-                }
-        }
        off = skb_network_offset(skb);
@@ -163,7 +161,7 @@ static int tcf_pedit(struct sk_buff *skb, struct tc_action *a,
                        }
                        if (offset > 0 && offset > skb->len) {
                                pr_info("tc filter pedit"
-                                        " offset %d cant exceed pkt length %d\n",
+                                        " offset %d can't exceed pkt length %d\n",
                                       offset, skb->len);
                                goto bad;
                        }
diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index e2f08b1e2e58..b3b9b32f4e00 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -22,8 +22,8 @@
 #include <net/act_api.h>
 #include <net/netlink.h>
-#define L2T(p,L)   qdisc_l2t((p)->tcfp_R_tab, L)
+#define L2T(p, L)   qdisc_l2t((p)->tcfp_R_tab, L)
-#define L2T_P(p,L) qdisc_l2t((p)->tcfp_P_tab, L)
+#define L2T_P(p, L) qdisc_l2t((p)->tcfp_P_tab, L)
 #define POL_TAB_MASK     15
 static struct tcf_common *tcf_police_ht[POL_TAB_MASK + 1];
@@ -37,8 +37,7 @@ static struct tcf_hashinfo police_hash_info = {
 };
 /* old policer structure from before tc actions */
-struct tc_police_compat
+struct tc_police_compat {
-{
        u32                     index;
        int                     action;
        u32                     limit;
@@ -97,11 +96,6 @@ nla_put_failure:
        goto done;
 }
-static void tcf_police_free_rcu(struct rcu_head *head)
-{
-        kfree(container_of(head, struct tcf_police, tcf_rcu));
-}
 static void tcf_police_destroy(struct tcf_police *p)
 {
        unsigned int h = tcf_hash(p->tcf_index, POL_TAB_MASK);
@@ -122,7 +116,7 @@ static void tcf_police_destroy(struct tcf_police *p)
                         * gen_estimator est_timer() might access p->tcf_lock
                         * or bstats, wait a RCU grace period before freeing p
                         */
-                        call_rcu(&p->tcf_rcu, tcf_police_free_rcu);
+                        kfree_rcu(p, tcf_rcu);
                        return;
                }
        }
@@ -139,7 +133,7 @@ static const struct nla_policy police_policy[TCA_POLICE_MAX + 1] = {
 static int tcf_act_police_locate(struct nlattr *nla, struct nlattr *est,
                                 struct tc_action *a, int ovr, int bind)
 {
-        unsigned h;
+        unsigned int h;
        int ret = 0, err;
        struct nlattr *tb[TCA_POLICE_MAX + 1];
        struct tc_police *parm;
@@ -402,7 +396,6 @@ static void __exit
 police_cleanup_module(void)
 {
        tcf_unregister_action(&act_police_ops);
-        rcu_barrier(); /* Wait for completion of call_rcu()'s (tcf_police_free_rcu) */
 }
 module_init(police_init_module);
diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
index 7287cff7af3e..a34a22de60b3 100644
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -47,7 +47,7 @@ static int tcf_simp(struct sk_buff *skb, struct tc_action *a, struct tcf_result
        /* print policy string followed by _ then packet count
         * Example if this was the 3rd packet and the string was "hello"
         * then it would look like "hello_3" (without quotes)
-         **/
+         */
        pr_info("simple: %s_%d\n",
               (char *)d->tcfd_defdata, d->tcf_bstats.packets);
        spin_unlock(&d->tcf_lock);
@@ -125,7 +125,7 @@ static int tcf_simp_init(struct nlattr *nla, struct nlattr *est,
                pc = tcf_hash_create(parm->index, est, a, sizeof(*d), bind,
                                     &simp_idx_gen, &simp_hash_info);
                if (IS_ERR(pc))
-                    return PTR_ERR(pc);
+                        return PTR_ERR(pc);
                d = to_defact(pc);
                ret = alloc_defdata(d, defdata);
@@ -149,7 +149,7 @@ static int tcf_simp_init(struct nlattr *nla, struct nlattr *est,
        return ret;
 }
-static inline int tcf_simp_cleanup(struct tc_action *a, int bind)
+static int tcf_simp_cleanup(struct tc_action *a, int bind)
 {
        struct tcf_defact *d = a->priv;
@@ -158,8 +158,8 @@ static inline int tcf_simp_cleanup(struct tc_action *a, int bind)
        return 0;
 }
-static inline int tcf_simp_dump(struct sk_buff *skb, struct tc_action *a,
+static int tcf_simp_dump(struct sk_buff *skb, struct tc_action *a,
-                                int bind, int ref)
+                         int bind, int ref)
 {
        unsigned char *b = skb_tail_pointer(skb);
        struct tcf_defact *d = a->priv;
diff --git a/net/sched/act_skbedit.c b/net/sched/act_skbedit.c
index 836f5fee9e58..5f6f0c7c3905 100644
--- a/net/sched/act_skbedit.c
+++ b/net/sched/act_skbedit.c
@@ -113,7 +113,7 @@ static int tcf_skbedit_init(struct nlattr *nla, struct nlattr *est,
                pc = tcf_hash_create(parm->index, est, a, sizeof(*d), bind,
                                     &skbedit_idx_gen, &skbedit_hash_info);
                if (IS_ERR(pc))
-                    return PTR_ERR(pc);
+                        return PTR_ERR(pc);
                d = to_skbedit(pc);
                ret = ACT_P_CREATED;
@@ -144,7 +144,7 @@ static int tcf_skbedit_init(struct nlattr *nla, struct nlattr *est,
        return ret;
 }
-static inline int tcf_skbedit_cleanup(struct tc_action *a, int bind)
+static int tcf_skbedit_cleanup(struct tc_action *a, int bind)
 {
        struct tcf_skbedit *d = a->priv;
@@ -153,8 +153,8 @@ static inline int tcf_skbedit_cleanup(struct tc_action *a, int bind)
        return 0;
 }
-static inline int tcf_skbedit_dump(struct sk_buff *skb, struct tc_action *a,
+static int tcf_skbedit_dump(struct sk_buff *skb, struct tc_action *a,
-                                int bind, int ref)
+                            int bind, int ref)
 {
        unsigned char *b = skb_tail_pointer(skb);
        struct tcf_skbedit *d = a->priv;
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 5fd0c28ef79a..bb2c523f8158 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -85,7 +85,7 @@ int unregister_tcf_proto_ops(struct tcf_proto_ops *ops)
        int rc = -ENOENT;
        write_lock(&cls_mod_lock);
-        for (tp = &tcf_proto_base; (t=*tp) != NULL; tp = &t->next)
+        for (tp = &tcf_proto_base; (t = *tp) != NULL; tp = &t->next)
                if (t == ops)
                        break;
@@ -111,7 +111,7 @@ static inline u32 tcf_auto_prio(struct tcf_proto *tp)
        u32 first = TC_H_MAKE(0xC0000000U, 0U);
        if (tp)
-                first = tp->prio-1;
+                first = tp->prio - 1;
        return first;
 }
@@ -149,7 +149,8 @@ replay:
        if (prio == 0) {
                /* If no priority is given, user wants we allocated it. */
-                if (n->nlmsg_type != RTM_NEWTFILTER || !(n->nlmsg_flags&NLM_F_CREATE))
+                if (n->nlmsg_type != RTM_NEWTFILTER ||
+                    !(n->nlmsg_flags & NLM_F_CREATE))
                        return -ENOENT;
                prio = TC_H_MAKE(0x80000000U, 0U);
        }
@@ -176,7 +177,8 @@ replay:
        }
        /* Is it classful? */
-        if ((cops = q->ops->cl_ops) == NULL)
+        cops = q->ops->cl_ops;
+        if (!cops)
                return -EINVAL;
        if (cops->tcf_chain == NULL)
@@ -196,10 +198,11 @@ replay:
                goto errout;
        /* Check the chain for existence of proto-tcf with this priority */
-        for (back = chain; (tp=*back) != NULL; back = &tp->next) {
+        for (back = chain; (tp = *back) != NULL; back = &tp->next) {
                if (tp->prio >= prio) {
                        if (tp->prio == prio) {
-                                if (!nprio || (tp->protocol != protocol && protocol))
+                                if (!nprio ||
+                                    (tp->protocol != protocol && protocol))
                                        goto errout;
                        } else
                                tp = NULL;
@@ -216,7 +219,8 @@ replay:
                        goto errout;
                err = -ENOENT;
-                if (n->nlmsg_type != RTM_NEWTFILTER || !(n->nlmsg_flags&NLM_F_CREATE))
+                if (n->nlmsg_type != RTM_NEWTFILTER ||
+                    !(n->nlmsg_flags & NLM_F_CREATE))
                        goto errout;
@@ -420,7 +424,8 @@ static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb)
        if (cb->nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*tcm)))
                return skb->len;
-        if ((dev = __dev_get_by_index(net, tcm->tcm_ifindex)) == NULL)
+        dev = __dev_get_by_index(net, tcm->tcm_ifindex);
+        if (!dev)
                return skb->len;
        if (!tcm->tcm_parent)
@@ -429,7 +434,8 @@ static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb)
                q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent));
        if (!q)
                goto out;
-        if ((cops = q->ops->cl_ops) == NULL)
+        cops = q->ops->cl_ops;
+        if (!cops)
                goto errout;
        if (cops->tcf_chain == NULL)
                goto errout;
@@ -444,8 +450,9 @@ static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb)
        s_t = cb->args[0];
-        for (tp=*chain, t=0; tp; tp = tp->next, t++) {
+        for (tp = *chain, t = 0; tp; tp = tp->next, t++) {
-                if (t < s_t) continue;
+                if (t < s_t)
+                        continue;
                if (TC_H_MAJ(tcm->tcm_info) &&
                    TC_H_MAJ(tcm->tcm_info) != tp->prio)
                        continue;
@@ -468,10 +475,10 @@ static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb)
                arg.skb = skb;
                arg.cb = cb;
                arg.w.stop = 0;
-                arg.w.skip = cb->args[1]-1;
+                arg.w.skip = cb->args[1] - 1;
                arg.w.count = 0;
                tp->ops->walk(tp, &arg.w);
-                cb->args[1] = arg.w.count+1;
+                cb->args[1] = arg.w.count + 1;
                if (arg.w.stop)
                        break;
        }
diff --git a/net/sched/cls_basic.c b/net/sched/cls_basic.c
index f23d9155b1ef..8be8872dd571 100644
--- a/net/sched/cls_basic.c
+++ b/net/sched/cls_basic.c
@@ -21,14 +21,12 @@
 #include <net/act_api.h>
 #include <net/pkt_cls.h>
-struct basic_head
+struct basic_head {
-{
        u32                     hgenerator;
        struct list_head        flist;
 };
-struct basic_filter
+struct basic_filter {
-{
        u32                     handle;
        struct tcf_exts         exts;
        struct tcf_ematch_tree  ematches;
@@ -92,8 +90,7 @@ static int basic_init(struct tcf_proto *tp)
        return 0;
 }
-static inline void basic_delete_filter(struct tcf_proto *tp,
+static void basic_delete_filter(struct tcf_proto *tp, struct basic_filter *f)
-                                       struct basic_filter *f)
 {
        tcf_unbind_filter(tp, &f->res);
        tcf_exts_destroy(tp, &f->exts);
@@ -135,9 +132,9 @@ static const struct nla_policy basic_policy[TCA_BASIC_MAX + 1] = {
        [TCA_BASIC_EMATCHES]    = { .type = NLA_NESTED },
 };
-static inline int basic_set_parms(struct tcf_proto *tp, struct basic_filter *f,
+static int basic_set_parms(struct tcf_proto *tp, struct basic_filter *f,
-                                  unsigned long base, struct nlattr **tb,
+                           unsigned long base, struct nlattr **tb,
-                                  struct nlattr *est)
+                           struct nlattr *est)
 {
        int err = -EINVAL;
        struct tcf_exts e;
@@ -203,7 +200,7 @@ static int basic_change(struct tcf_proto *tp, unsigned long base, u32 handle,
                } while (--i > 0 && basic_get(tp, head->hgenerator));
                if (i <= 0) {
-                        printk(KERN_ERR "Insufficient number of handles\n");
+                        pr_err("Insufficient number of handles\n");
                        goto errout;
                }
diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c
index d49c40fb7e09..32a335194ca5 100644
--- a/net/sched/cls_cgroup.c
+++ b/net/sched/cls_cgroup.c
@@ -56,7 +56,8 @@ static struct cgroup_subsys_state *cgrp_create(struct cgroup_subsys *ss,
 {
        struct cgroup_cls_state *cs;
-        if (!(cs = kzalloc(sizeof(*cs), GFP_KERNEL)))
+        cs = kzalloc(sizeof(*cs), GFP_KERNEL);
+        if (!cs)
                return ERR_PTR(-ENOMEM);
        if (cgrp->parent)
@@ -94,8 +95,7 @@ static int cgrp_populate(struct cgroup_subsys *ss, struct cgroup *cgrp)
        return cgroup_add_files(cgrp, ss, ss_files, ARRAY_SIZE(ss_files));
 }
-struct cls_cgroup_head
+struct cls_cgroup_head {
-{
        u32                     handle;
        struct tcf_exts         exts;
        struct tcf_ematch_tree  ematches;
@@ -166,7 +166,7 @@ static int cls_cgroup_change(struct tcf_proto *tp, unsigned long base,
                             u32 handle, struct nlattr **tca,
                             unsigned long *arg)
 {
-        struct nlattr *tb[TCA_CGROUP_MAX+1];
+        struct nlattr *tb[TCA_CGROUP_MAX + 1];
        struct cls_cgroup_head *head = tp->root;
        struct tcf_ematch_tree t;
        struct tcf_exts e;
diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c
index 5b271a18bc3a..8ec01391d988 100644
--- a/net/sched/cls_flow.c
+++ b/net/sched/cls_flow.c
@@ -121,7 +121,7 @@ static u32 flow_get_proto_src(struct sk_buff *skb)
                if (!pskb_network_may_pull(skb, sizeof(*iph)))
                        break;
                iph = ip_hdr(skb);
-                if (iph->frag_off & htons(IP_MF|IP_OFFSET))
+                if (iph->frag_off & htons(IP_MF | IP_OFFSET))
                        break;
                poff = proto_ports_offset(iph->protocol);
                if (poff >= 0 &&
@@ -163,7 +163,7 @@ static u32 flow_get_proto_dst(struct sk_buff *skb)
                if (!pskb_network_may_pull(skb, sizeof(*iph)))
                        break;
                iph = ip_hdr(skb);
-                if (iph->frag_off & htons(IP_MF|IP_OFFSET))
+                if (iph->frag_off & htons(IP_MF | IP_OFFSET))
                        break;
                poff = proto_ports_offset(iph->protocol);
                if (poff >= 0 &&
@@ -276,7 +276,7 @@ fallback:
 static u32 flow_get_rtclassid(const struct sk_buff *skb)
 {
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
        if (skb_dst(skb))
                return skb_dst(skb)->tclassid;
 #endif
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index 93b0a7b6f9b4..26e7bc4ffb79 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -31,14 +31,12 @@
 #define HTSIZE (PAGE_SIZE/sizeof(struct fw_filter *))
-struct fw_head
+struct fw_head {
-{
        struct fw_filter *ht[HTSIZE];
        u32 mask;
 };
-struct fw_filter
+struct fw_filter {
-{
        struct fw_filter        *next;
        u32                     id;
        struct tcf_result       res;
@@ -53,7 +51,7 @@ static const struct tcf_ext_map fw_ext_map = {
        .police = TCA_FW_POLICE
 };
-static __inline__ int fw_hash(u32 handle)
+static inline int fw_hash(u32 handle)
 {
        if (HTSIZE == 4096)
                return ((handle >> 24) & 0xFFF) ^
@@ -82,14 +80,14 @@ static __inline__ int fw_hash(u32 handle)
 static int fw_classify(struct sk_buff *skb, struct tcf_proto *tp,
                          struct tcf_result *res)
 {
-        struct fw_head *head = (struct fw_head*)tp->root;
+        struct fw_head *head = (struct fw_head *)tp->root;
        struct fw_filter *f;
        int r;
        u32 id = skb->mark;
        if (head != NULL) {
                id &= head->mask;
-                for (f=head->ht[fw_hash(id)]; f; f=f->next) {
+                for (f = head->ht[fw_hash(id)]; f; f = f->next) {
                        if (f->id == id) {
                                *res = f->res;
 #ifdef CONFIG_NET_CLS_IND
@@ -105,7 +103,8 @@ static int fw_classify(struct sk_buff *skb, struct tcf_proto *tp,
                }
        } else {
                /* old method */
-                if (id && (TC_H_MAJ(id) == 0 || !(TC_H_MAJ(id^tp->q->handle)))) {
+                if (id && (TC_H_MAJ(id) == 0 ||
+                           !(TC_H_MAJ(id ^ tp->q->handle)))) {
                        res->classid = id;
                        res->class = 0;
                        return 0;
@@ -117,13 +116,13 @@ static int fw_classify(struct sk_buff *skb, struct tcf_proto *tp,
 static unsigned long fw_get(struct tcf_proto *tp, u32 handle)
 {
-        struct fw_head *head = (struct fw_head*)tp->root;
+        struct fw_head *head = (struct fw_head *)tp->root;
        struct fw_filter *f;
        if (head == NULL)
                return 0;
-        for (f=head->ht[fw_hash(handle)]; f; f=f->next) {
+        for (f = head->ht[fw_hash(handle)]; f; f = f->next) {
                if (f->id == handle)
                        return (unsigned long)f;
        }
@@ -139,8 +138,7 @@ static int fw_init(struct tcf_proto *tp)
        return 0;
 }
-static inline void
+static void fw_delete_filter(struct tcf_proto *tp, struct fw_filter *f)
-fw_delete_filter(struct tcf_proto *tp, struct fw_filter *f)
 {
        tcf_unbind_filter(tp, &f->res);
        tcf_exts_destroy(tp, &f->exts);
@@ -156,8 +154,8 @@ static void fw_destroy(struct tcf_proto *tp)
        if (head == NULL)
                return;
-        for (h=0; h<HTSIZE; h++) {
+        for (h = 0; h < HTSIZE; h++) {
-                while ((f=head->ht[h]) != NULL) {
+                while ((f = head->ht[h]) != NULL) {
                        head->ht[h] = f->next;
                        fw_delete_filter(tp, f);
                }
@@ -167,14 +165,14 @@ static void fw_destroy(struct tcf_proto *tp)
 static int fw_delete(struct tcf_proto *tp, unsigned long arg)
 {
-        struct fw_head *head = (struct fw_head*)tp->root;
+        struct fw_head *head = (struct fw_head *)tp->root;
-        struct fw_filter *f = (struct fw_filter*)arg;
+        struct fw_filter *f = (struct fw_filter *)arg;
        struct fw_filter **fp;
        if (head == NULL || f == NULL)
                goto out;
-        for (fp=&head->ht[fw_hash(f->id)]; *fp; fp = &(*fp)->next) {
+        for (fp = &head->ht[fw_hash(f->id)]; *fp; fp = &(*fp)->next) {
                if (*fp == f) {
                        tcf_tree_lock(tp);
                        *fp = f->next;
@@ -240,7 +238,7 @@ static int fw_change(struct tcf_proto *tp, unsigned long base,
                     struct nlattr **tca,
                     unsigned long *arg)
 {
-        struct fw_head *head = (struct fw_head*)tp->root;
+        struct fw_head *head = (struct fw_head *)tp->root;
        struct fw_filter *f = (struct fw_filter *) *arg;
        struct nlattr *opt = tca[TCA_OPTIONS];
        struct nlattr *tb[TCA_FW_MAX + 1];
@@ -302,7 +300,7 @@ errout:
 static void fw_walk(struct tcf_proto *tp, struct tcf_walker *arg)
 {
-        struct fw_head *head = (struct fw_head*)tp->root;
+        struct fw_head *head = (struct fw_head *)tp->root;
        int h;
        if (head == NULL)
@@ -332,7 +330,7 @@ static int fw_dump(struct tcf_proto *tp, unsigned long fh,
                   struct sk_buff *skb, struct tcmsg *t)
 {
        struct fw_head *head = (struct fw_head *)tp->root;
-        struct fw_filter *f = (struct fw_filter*)fh;
+        struct fw_filter *f = (struct fw_filter *)fh;
        unsigned char *b = skb_tail_pointer(skb);
        struct nlattr *nest;
diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index 694dcd85dec8..a907905376df 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -23,34 +23,30 @@
 #include <net/pkt_cls.h>
 /*
-   1. For now we assume that route tags < 256.
+ * 1. For now we assume that route tags < 256.
-      It allows to use direct table lookups, instead of hash tables.
+ *    It allows to use direct table lookups, instead of hash tables.
-   2. For now we assume that "from TAG" and "fromdev DEV" statements
+ * 2. For now we assume that "from TAG" and "fromdev DEV" statements
-      are mutually  exclusive.
+ *    are mutually  exclusive.
-   3. "to TAG from ANY" has higher priority, than "to ANY from XXX"
+ * 3. "to TAG from ANY" has higher priority, than "to ANY from XXX"
 */
-struct route4_fastmap
+struct route4_fastmap {
-{
        struct route4_filter    *filter;
        u32                     id;
        int                     iif;
 };
-struct route4_head
+struct route4_head {
-{
        struct route4_fastmap   fastmap[16];
-        struct route4_bucket    *table[256+1];
+        struct route4_bucket    *table[256 + 1];
 };
-struct route4_bucket
+struct route4_bucket {
-{
        /* 16 FROM buckets + 16 IIF buckets + 1 wildcard bucket */
-        struct route4_filter    *ht[16+16+1];
+        struct route4_filter    *ht[16 + 16 + 1];
 };
-struct route4_filter
+struct route4_filter {
-{
        struct route4_filter    *next;
        u32                     id;
        int                     iif;
@@ -61,20 +57,20 @@ struct route4_filter
        struct route4_bucket    *bkt;
 };
-#define ROUTE4_FAILURE ((struct route4_filter*)(-1L))
+#define ROUTE4_FAILURE ((struct route4_filter *)(-1L))
 static const struct tcf_ext_map route_ext_map = {
        .police = TCA_ROUTE4_POLICE,
        .action = TCA_ROUTE4_ACT
 };
-static __inline__ int route4_fastmap_hash(u32 id, int iif)
+static inline int route4_fastmap_hash(u32 id, int iif)
 {
-        return id&0xF;
+        return id & 0xF;
 }
-static inline
+static void
-void route4_reset_fastmap(struct Qdisc *q, struct route4_head *head, u32 id)
+route4_reset_fastmap(struct Qdisc *q, struct route4_head *head, u32 id)
 {
        spinlock_t *root_lock = qdisc_root_sleeping_lock(q);
@@ -83,32 +79,33 @@ void route4_reset_fastmap(struct Qdisc *q, struct route4_head *head, u32 id)
        spin_unlock_bh(root_lock);
 }
-static inline void
+static void
 route4_set_fastmap(struct route4_head *head, u32 id, int iif,
                   struct route4_filter *f)
 {
        int h = route4_fastmap_hash(id, iif);
        head->fastmap[h].id = id;
        head->fastmap[h].iif = iif;
        head->fastmap[h].filter = f;
 }
-static __inline__ int route4_hash_to(u32 id)
+static inline int route4_hash_to(u32 id)
 {
-        return id&0xFF;
+        return id & 0xFF;
 }
-static __inline__ int route4_hash_from(u32 id)
+static inline int route4_hash_from(u32 id)
 {
-        return (id>>16)&0xF;
+        return (id >> 16) & 0xF;
 }
-static __inline__ int route4_hash_iif(int iif)
+static inline int route4_hash_iif(int iif)
 {
-        return 16 + ((iif>>16)&0xF);
+        return 16 + ((iif >> 16) & 0xF);
 }
-static __inline__ int route4_hash_wild(void)
+static inline int route4_hash_wild(void)
 {
        return 32;
 }
@@ -131,21 +128,22 @@ static __inline__ int route4_hash_wild(void)
 static int route4_classify(struct sk_buff *skb, struct tcf_proto *tp,
                           struct tcf_result *res)
 {
-        struct route4_head *head = (struct route4_head*)tp->root;
+        struct route4_head *head = (struct route4_head *)tp->root;
        struct dst_entry *dst;
        struct route4_bucket *b;
        struct route4_filter *f;
        u32 id, h;
        int iif, dont_cache = 0;
-        if ((dst = skb_dst(skb)) == NULL)
+        dst = skb_dst(skb);
+        if (!dst)
                goto failure;
        id = dst->tclassid;
        if (head == NULL)
                goto old_method;
-        iif = ((struct rtable*)dst)->fl.iif;
+        iif = ((struct rtable *)dst)->rt_iif;
        h = route4_fastmap_hash(id, iif);
        if (id == head->fastmap[h].id &&
@@ -161,7 +159,8 @@ static int route4_classify(struct sk_buff *skb, struct tcf_proto *tp,
        h = route4_hash_to(id);
 restart:
-        if ((b = head->table[h]) != NULL) {
+        b = head->table[h];
+        if (b) {
                for (f = b->ht[route4_hash_from(id)]; f; f = f->next)
                        if (f->id == id)
                                ROUTE4_APPLY_RESULT();
@@ -197,8 +196,9 @@ old_method:
 static inline u32 to_hash(u32 id)
 {
-        u32 h = id&0xFF;
+        u32 h = id & 0xFF;
-        if (id&0x8000)
+        if (id & 0x8000)
                h += 256;
        return h;
 }
@@ -211,17 +211,17 @@ static inline u32 from_hash(u32 id)
        if (!(id & 0x8000)) {
                if (id > 255)
                        return 256;
-                return id&0xF;
+                return id & 0xF;
        }
-        return 16 + (id&0xF);
+        return 16 + (id & 0xF);
 }
 static unsigned long route4_get(struct tcf_proto *tp, u32 handle)
 {
-        struct route4_head *head = (struct route4_head*)tp->root;
+        struct route4_head *head = (struct route4_head *)tp->root;
        struct route4_bucket *b;
        struct route4_filter *f;
-        unsigned h1, h2;
+        unsigned int h1, h2;
        if (!head)
                return 0;
@@ -230,11 +230,12 @@ static unsigned long route4_get(struct tcf_proto *tp, u32 handle)
        if (h1 > 256)
                return 0;
-        h2 = from_hash(handle>>16);
+        h2 = from_hash(handle >> 16);
        if (h2 > 32)
                return 0;
-        if ((b = head->table[h1]) != NULL) {
+        b = head->table[h1];
+        if (b) {
                for (f = b->ht[h2]; f; f = f->next)
                        if (f->handle == handle)
                                return (unsigned long)f;
@@ -251,7 +252,7 @@ static int route4_init(struct tcf_proto *tp)
        return 0;
 }
-static inline void
+static void
 route4_delete_filter(struct tcf_proto *tp, struct route4_filter *f)
 {
        tcf_unbind_filter(tp, &f->res);
@@ -267,11 +268,12 @@ static void route4_destroy(struct tcf_proto *tp)
        if (head == NULL)
                return;
-        for (h1=0; h1<=256; h1++) {
+        for (h1 = 0; h1 <= 256; h1++) {
                struct route4_bucket *b;
-                if ((b = head->table[h1]) != NULL) {
+                b = head->table[h1];
-                        for (h2=0; h2<=32; h2++) {
+                if (b) {
+                        for (h2 = 0; h2 <= 32; h2++) {
                                struct route4_filter *f;
                                while ((f = b->ht[h2]) != NULL) {
@@ -287,9 +289,9 @@ static void route4_destroy(struct tcf_proto *tp)
 static int route4_delete(struct tcf_proto *tp, unsigned long arg)
 {
-        struct route4_head *head = (struct route4_head*)tp->root;
+        struct route4_head *head = (struct route4_head *)tp->root;
-        struct route4_filter **fp, *f = (struct route4_filter*)arg;
+        struct route4_filter **fp, *f = (struct route4_filter *)arg;
-        unsigned h = 0;
+        unsigned int h = 0;
        struct route4_bucket *b;
        int i;
@@ -299,7 +301,7 @@ static int route4_delete(struct tcf_proto *tp, unsigned long arg)
        h = f->handle;
        b = f->bkt;
-        for (fp = &b->ht[from_hash(h>>16)]; *fp; fp = &(*fp)->next) {
+        for (fp = &b->ht[from_hash(h >> 16)]; *fp; fp = &(*fp)->next) {
                if (*fp == f) {
                        tcf_tree_lock(tp);
                        *fp = f->next;
@@ -310,7 +312,7 @@ static int route4_delete(struct tcf_proto *tp, unsigned long arg)
                        /* Strip tree */
-                        for (i=0; i<=32; i++)
+                        for (i = 0; i <= 32; i++)
                                if (b->ht[i])
                                        return 0;
@@ -380,7 +382,8 @@ static int route4_set_parms(struct tcf_proto *tp, unsigned long base,
        }
        h1 = to_hash(nhandle);
-        if ((b = head->table[h1]) == NULL) {
+        b = head->table[h1];
+        if (!b) {
                err = -ENOBUFS;
                b = kzalloc(sizeof(struct route4_bucket), GFP_KERNEL);
                if (b == NULL)
@@ -391,6 +394,7 @@ static int route4_set_parms(struct tcf_proto *tp, unsigned long base,
                tcf_tree_unlock(tp);
        } else {
                unsigned int h2 = from_hash(nhandle >> 16);
                err = -EEXIST;
                for (fp = b->ht[h2]; fp; fp = fp->next)
                        if (fp->handle == f->handle)
@@ -444,7 +448,8 @@ static int route4_change(struct tcf_proto *tp, unsigned long base,
        if (err < 0)
                return err;
-        if ((f = (struct route4_filter*)*arg) != NULL) {
+        f = (struct route4_filter *)*arg;
+        if (f) {
                if (f->handle != handle && handle)
                        return -EINVAL;
@@ -481,7 +486,7 @@ static int route4_change(struct tcf_proto *tp, unsigned long base,
 reinsert:
        h = from_hash(f->handle >> 16);
-        for (fp = &f->bkt->ht[h]; (f1=*fp) != NULL; fp = &f1->next)
+        for (fp = &f->bkt->ht[h]; (f1 = *fp) != NULL; fp = &f1->next)
                if (f->handle < f1->handle)
                        break;
@@ -492,7 +497,8 @@ reinsert:
        if (old_handle && f->handle != old_handle) {
                th = to_hash(old_handle);
                h = from_hash(old_handle >> 16);
-                if ((b = head->table[th]) != NULL) {
+                b = head->table[th];
+                if (b) {
                        for (fp = &b->ht[h]; *fp; fp = &(*fp)->next) {
                                if (*fp == f) {
                                        *fp = f->next;
@@ -515,7 +521,7 @@ errout:
 static void route4_walk(struct tcf_proto *tp, struct tcf_walker *arg)
 {
        struct route4_head *head = tp->root;
-        unsigned h, h1;
+        unsigned int h, h1;
        if (head == NULL)
                arg->stop = 1;
@@ -549,7 +555,7 @@ static void route4_walk(struct tcf_proto *tp, struct tcf_walker *arg)
 static int route4_dump(struct tcf_proto *tp, unsigned long fh,
                       struct sk_buff *skb, struct tcmsg *t)
 {
-        struct route4_filter *f = (struct route4_filter*)fh;
+        struct route4_filter *f = (struct route4_filter *)fh;
        unsigned char *b = skb_tail_pointer(skb);
        struct nlattr *nest;
        u32 id;
@@ -563,15 +569,15 @@ static int route4_dump(struct tcf_proto *tp, unsigned long fh,
        if (nest == NULL)
                goto nla_put_failure;
-        if (!(f->handle&0x8000)) {
+        if (!(f->handle & 0x8000)) {
-                id = f->id&0xFF;
+                id = f->id & 0xFF;
                NLA_PUT_U32(skb, TCA_ROUTE4_TO, id);
        }
-        if (f->handle&0x80000000) {
+        if (f->handle & 0x80000000) {
-                if ((f->handle>>16) != 0xFFFF)
+                if ((f->handle >> 16) != 0xFFFF)
                        NLA_PUT_U32(skb, TCA_ROUTE4_IIF, f->iif);
        } else {
-                id = f->id>>16;
+                id = f->id >> 16;
                NLA_PUT_U32(skb, TCA_ROUTE4_FROM, id);
        }
        if (f->res.classid)
diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
index 425a1790b048..402c44b241a3 100644
--- a/net/sched/cls_rsvp.h
+++ b/net/sched/cls_rsvp.h
@@ -66,28 +66,25 @@
   powerful classification engine.  */
-struct rsvp_head
+struct rsvp_head {
-{
        u32                     tmap[256/32];
        u32                     hgenerator;
        u8                      tgenerator;
        struct rsvp_session     *ht[256];
 };
-struct rsvp_session
+struct rsvp_session {
-{
        struct rsvp_session     *next;
        __be32                  dst[RSVP_DST_LEN];
        struct tc_rsvp_gpi      dpi;
        u8                      protocol;
        u8                      tunnelid;
        /* 16 (src,sport) hash slots, and one wildcard source slot */
-        struct rsvp_filter      *ht[16+1];
+        struct rsvp_filter      *ht[16 + 1];
 };
-struct rsvp_filter
+struct rsvp_filter {
-{
        struct rsvp_filter      *next;
        __be32                  src[RSVP_DST_LEN];
        struct tc_rsvp_gpi      spi;
@@ -100,17 +97,19 @@ struct rsvp_filter
        struct rsvp_session     *sess;
 };
-static __inline__ unsigned hash_dst(__be32 *dst, u8 protocol, u8 tunnelid)
+static inline unsigned int hash_dst(__be32 *dst, u8 protocol, u8 tunnelid)
 {
-        unsigned h = (__force __u32)dst[RSVP_DST_LEN-1];
+        unsigned int h = (__force __u32)dst[RSVP_DST_LEN - 1];
        h ^= h>>16;
        h ^= h>>8;
        return (h ^ protocol ^ tunnelid) & 0xFF;
 }
-static __inline__ unsigned hash_src(__be32 *src)
+static inline unsigned int hash_src(__be32 *src)
 {
-        unsigned h = (__force __u32)src[RSVP_DST_LEN-1];
+        unsigned int h = (__force __u32)src[RSVP_DST_LEN-1];
        h ^= h>>16;
        h ^= h>>8;
        h ^= h>>4;
@@ -134,10 +133,10 @@ static struct tcf_ext_map rsvp_ext_map = {
 static int rsvp_classify(struct sk_buff *skb, struct tcf_proto *tp,
                         struct tcf_result *res)
 {
-        struct rsvp_session **sht = ((struct rsvp_head*)tp->root)->ht;
+        struct rsvp_session **sht = ((struct rsvp_head *)tp->root)->ht;
        struct rsvp_session *s;
        struct rsvp_filter *f;
-        unsigned h1, h2;
+        unsigned int h1, h2;
        __be32 *dst, *src;
        u8 protocol;
        u8 tunnelid = 0;
@@ -162,13 +161,13 @@ restart:
        src = &nhptr->saddr.s6_addr32[0];
        dst = &nhptr->daddr.s6_addr32[0];
        protocol = nhptr->nexthdr;
-        xprt = ((u8*)nhptr) + sizeof(struct ipv6hdr);
+        xprt = ((u8 *)nhptr) + sizeof(struct ipv6hdr);
 #else
        src = &nhptr->saddr;
        dst = &nhptr->daddr;
        protocol = nhptr->protocol;
-        xprt = ((u8*)nhptr) + (nhptr->ihl<<2);
+        xprt = ((u8 *)nhptr) + (nhptr->ihl<<2);
-        if (nhptr->frag_off & htons(IP_MF|IP_OFFSET))
+        if (nhptr->frag_off & htons(IP_MF | IP_OFFSET))
                return -1;
 #endif
@@ -176,10 +175,10 @@ restart:
        h2 = hash_src(src);
        for (s = sht[h1]; s; s = s->next) {
-                if (dst[RSVP_DST_LEN-1] == s->dst[RSVP_DST_LEN-1] &&
+                if (dst[RSVP_DST_LEN-1] == s->dst[RSVP_DST_LEN - 1] &&
                    protocol == s->protocol &&
                    !(s->dpi.mask &
-                      (*(u32*)(xprt+s->dpi.offset)^s->dpi.key)) &&
+                      (*(u32 *)(xprt + s->dpi.offset) ^ s->dpi.key)) &&
 #if RSVP_DST_LEN == 4
                    dst[0] == s->dst[0] &&
                    dst[1] == s->dst[1] &&
@@ -188,8 +187,8 @@ restart:
                    tunnelid == s->tunnelid) {
                        for (f = s->ht[h2]; f; f = f->next) {
-                                if (src[RSVP_DST_LEN-1] == f->src[RSVP_DST_LEN-1] &&
+                                if (src[RSVP_DST_LEN-1] == f->src[RSVP_DST_LEN - 1] &&
-                                    !(f->spi.mask & (*(u32*)(xprt+f->spi.offset)^f->spi.key))
+                                    !(f->spi.mask & (*(u32 *)(xprt + f->spi.offset) ^ f->spi.key))
 #if RSVP_DST_LEN == 4
                                    &&
                                    src[0] == f->src[0] &&
@@ -205,7 +204,7 @@ matched:
                                                return 0;
                                        tunnelid = f->res.classid;
-                                        nhptr = (void*)(xprt + f->tunnelhdr - sizeof(*nhptr));
+                                        nhptr = (void *)(xprt + f->tunnelhdr - sizeof(*nhptr));
                                        goto restart;
                                }
                        }
@@ -224,11 +223,11 @@ matched:
 static unsigned long rsvp_get(struct tcf_proto *tp, u32 handle)
 {
-        struct rsvp_session **sht = ((struct rsvp_head*)tp->root)->ht;
+        struct rsvp_session **sht = ((struct rsvp_head *)tp->root)->ht;
        struct rsvp_session *s;
        struct rsvp_filter *f;
-        unsigned h1 = handle&0xFF;
+        unsigned int h1 = handle & 0xFF;
-        unsigned h2 = (handle>>8)&0xFF;
+        unsigned int h2 = (handle >> 8) & 0xFF;
        if (h2 > 16)
                return 0;
@@ -258,7 +257,7 @@ static int rsvp_init(struct tcf_proto *tp)
        return -ENOBUFS;
 }
-static inline void
+static void
 rsvp_delete_filter(struct tcf_proto *tp, struct rsvp_filter *f)
 {
        tcf_unbind_filter(tp, &f->res);
@@ -277,13 +276,13 @@ static void rsvp_destroy(struct tcf_proto *tp)
        sht = data->ht;
-        for (h1=0; h1<256; h1++) {
+        for (h1 = 0; h1 < 256; h1++) {
                struct rsvp_session *s;
                while ((s = sht[h1]) != NULL) {
                        sht[h1] = s->next;
-                        for (h2=0; h2<=16; h2++) {
+                        for (h2 = 0; h2 <= 16; h2++) {
                                struct rsvp_filter *f;
                                while ((f = s->ht[h2]) != NULL) {
@@ -299,13 +298,13 @@ static void rsvp_destroy(struct tcf_proto *tp)
 static int rsvp_delete(struct tcf_proto *tp, unsigned long arg)
 {
-        struct rsvp_filter **fp, *f = (struct rsvp_filter*)arg;
+        struct rsvp_filter **fp, *f = (struct rsvp_filter *)arg;
-        unsigned h = f->handle;
+        unsigned int h = f->handle;
        struct rsvp_session **sp;
        struct rsvp_session *s = f->sess;
        int i;
-        for (fp = &s->ht[(h>>8)&0xFF]; *fp; fp = &(*fp)->next) {
+        for (fp = &s->ht[(h >> 8) & 0xFF]; *fp; fp = &(*fp)->next) {
                if (*fp == f) {
                        tcf_tree_lock(tp);
                        *fp = f->next;
@@ -314,12 +313,12 @@ static int rsvp_delete(struct tcf_proto *tp, unsigned long arg)
                        /* Strip tree */
-                        for (i=0; i<=16; i++)
+                        for (i = 0; i <= 16; i++)
                                if (s->ht[i])
                                        return 0;
                        /* OK, session has no flows */
-                        for (sp = &((struct rsvp_head*)tp->root)->ht[h&0xFF];
+                        for (sp = &((struct rsvp_head *)tp->root)->ht[h & 0xFF];
                             *sp; sp = &(*sp)->next) {
                                if (*sp == s) {
                                        tcf_tree_lock(tp);
@@ -337,13 +336,14 @@ static int rsvp_delete(struct tcf_proto *tp, unsigned long arg)
        return 0;
 }
-static unsigned gen_handle(struct tcf_proto *tp, unsigned salt)
+static unsigned int gen_handle(struct tcf_proto *tp, unsigned salt)
 {
        struct rsvp_head *data = tp->root;
        int i = 0xFFFF;
        while (i-- > 0) {
                u32 h;
                if ((data->hgenerator += 0x10000) == 0)
                        data->hgenerator = 0x10000;
                h = data->hgenerator|salt;
@@ -355,10 +355,10 @@ static unsigned gen_handle(struct tcf_proto *tp, unsigned salt)
 static int tunnel_bts(struct rsvp_head *data)
 {
-        int n = data->tgenerator>>5;
+        int n = data->tgenerator >> 5;
-        u32 b = 1<<(data->tgenerator&0x1F);
+        u32 b = 1 << (data->tgenerator & 0x1F);
-        if (data->tmap[n]&b)
+        if (data->tmap[n] & b)
                return 0;
        data->tmap[n] |= b;
        return 1;
@@ -372,10 +372,10 @@ static void tunnel_recycle(struct rsvp_head *data)
        memset(tmap, 0, sizeof(tmap));
-        for (h1=0; h1<256; h1++) {
+        for (h1 = 0; h1 < 256; h1++) {
                struct rsvp_session *s;
                for (s = sht[h1]; s; s = s->next) {
-                        for (h2=0; h2<=16; h2++) {
+                        for (h2 = 0; h2 <= 16; h2++) {
                                struct rsvp_filter *f;
                                for (f = s->ht[h2]; f; f = f->next) {
@@ -395,8 +395,8 @@ static u32 gen_tunnel(struct rsvp_head *data)
 {
        int i, k;
-        for (k=0; k<2; k++) {
+        for (k = 0; k < 2; k++) {
-                for (i=255; i>0; i--) {
+                for (i = 255; i > 0; i--) {
                        if (++data->tgenerator == 0)
                                data->tgenerator = 1;
                        if (tunnel_bts(data))
@@ -428,7 +428,7 @@ static int rsvp_change(struct tcf_proto *tp, unsigned long base,
        struct nlattr *opt = tca[TCA_OPTIONS-1];
        struct nlattr *tb[TCA_RSVP_MAX + 1];
        struct tcf_exts e;
-        unsigned h1, h2;
+        unsigned int h1, h2;
        __be32 *dst;
        int err;
@@ -443,7 +443,8 @@ static int rsvp_change(struct tcf_proto *tp, unsigned long base,
        if (err < 0)
                return err;
-        if ((f = (struct rsvp_filter*)*arg) != NULL) {
+        f = (struct rsvp_filter *)*arg;
+        if (f) {
                /* Node exists: adjust only classid */
                if (f->handle != handle && handle)
@@ -500,7 +501,7 @@ static int rsvp_change(struct tcf_proto *tp, unsigned long base,
                        goto errout;
        }
-        for (sp = &data->ht[h1]; (s=*sp) != NULL; sp = &s->next) {
+        for (sp = &data->ht[h1]; (s = *sp) != NULL; sp = &s->next) {
                if (dst[RSVP_DST_LEN-1] == s->dst[RSVP_DST_LEN-1] &&
                    pinfo && pinfo->protocol == s->protocol &&
                    memcmp(&pinfo->dpi, &s->dpi, sizeof(s->dpi)) == 0 &&
@@ -523,7 +524,7 @@ insert:
                        tcf_exts_change(tp, &f->exts, &e);
                        for (fp = &s->ht[h2]; *fp; fp = &(*fp)->next)
-                                if (((*fp)->spi.mask&f->spi.mask) != f->spi.mask)
+                                if (((*fp)->spi.mask & f->spi.mask) != f->spi.mask)
                                        break;
                        f->next = *fp;
                        wmb();
@@ -567,7 +568,7 @@ errout2:
 static void rsvp_walk(struct tcf_proto *tp, struct tcf_walker *arg)
 {
        struct rsvp_head *head = tp->root;
-        unsigned h, h1;
+        unsigned int h, h1;
        if (arg->stop)
                return;
@@ -598,7 +599,7 @@ static void rsvp_walk(struct tcf_proto *tp, struct tcf_walker *arg)
 static int rsvp_dump(struct tcf_proto *tp, unsigned long fh,
                     struct sk_buff *skb, struct tcmsg *t)
 {
-        struct rsvp_filter *f = (struct rsvp_filter*)fh;
+        struct rsvp_filter *f = (struct rsvp_filter *)fh;
        struct rsvp_session *s;
        unsigned char *b = skb_tail_pointer(skb);
        struct nlattr *nest;
@@ -624,7 +625,7 @@ static int rsvp_dump(struct tcf_proto *tp, unsigned long fh,
        NLA_PUT(skb, TCA_RSVP_PINFO, sizeof(pinfo), &pinfo);
        if (f->res.classid)
                NLA_PUT_U32(skb, TCA_RSVP_CLASSID, f->res.classid);
-        if (((f->handle>>8)&0xFF) != 16)
+        if (((f->handle >> 8) & 0xFF) != 16)
                NLA_PUT(skb, TCA_RSVP_SRC, sizeof(f->src), f->src);
        if (tcf_exts_dump(skb, &f->exts, &rsvp_ext_map) < 0)
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
index 20ef330bb918..36667fa64237 100644
--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -249,7 +249,7 @@ tcindex_set_parms(struct tcf_proto *tp, unsigned long base, u32 handle,
                 * of the hashing index is below the threshold.
                 */
                if ((cp.mask >> cp.shift) < PERFECT_HASH_THRESHOLD)
-                        cp.hash = (cp.mask >> cp.shift)+1;
+                        cp.hash = (cp.mask >> cp.shift) + 1;
                else
                        cp.hash = DEFAULT_HASH_SIZE;
        }
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index b0c2a82178af..3b93fc0c8955 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -42,8 +42,7 @@
 #include <net/act_api.h>
 #include <net/pkt_cls.h>
-struct tc_u_knode
+struct tc_u_knode {
-{
        struct tc_u_knode       *next;
        u32                     handle;
        struct tc_u_hnode       *ht_up;
@@ -63,19 +62,17 @@ struct tc_u_knode
        struct tc_u32_sel       sel;
 };
-struct tc_u_hnode
+struct tc_u_hnode {
-{
        struct tc_u_hnode       *next;
        u32                     handle;
        u32                     prio;
        struct tc_u_common      *tp_c;
        int                     refcnt;
-        unsigned                divisor;
+        unsigned int            divisor;
        struct tc_u_knode       *ht[1];
 };
-struct tc_u_common
+struct tc_u_common {
-{
        struct tc_u_hnode       *hlist;
        struct Qdisc            *q;
        int                     refcnt;
@@ -87,9 +84,11 @@ static const struct tcf_ext_map u32_ext_map = {
        .police = TCA_U32_POLICE
 };
-static __inline__ unsigned u32_hash_fold(__be32 key, struct tc_u32_sel *sel, u8 fshift)
+static inline unsigned int u32_hash_fold(__be32 key,
+                                         const struct tc_u32_sel *sel,
+                                         u8 fshift)
 {
-        unsigned h = ntohl(key & sel->hmask)>>fshift;
+        unsigned int h = ntohl(key & sel->hmask) >> fshift;
        return h;
 }
@@ -101,7 +100,7 @@ static int u32_classify(struct sk_buff *skb, struct tcf_proto *tp, struct tcf_re
                unsigned int      off;
        } stack[TC_U32_MAXDEPTH];
-        struct tc_u_hnode *ht = (struct tc_u_hnode*)tp->root;
+        struct tc_u_hnode *ht = (struct tc_u_hnode *)tp->root;
        unsigned int off = skb_network_offset(skb);
        struct tc_u_knode *n;
        int sdepth = 0;
@@ -120,7 +119,7 @@ next_knode:
                struct tc_u32_key *key = n->sel.keys;
 #ifdef CONFIG_CLS_U32_PERF
-                n->pf->rcnt +=1;
+                n->pf->rcnt += 1;
                j = 0;
 #endif
@@ -133,14 +132,14 @@ next_knode:
                }
 #endif
-                for (i = n->sel.nkeys; i>0; i--, key++) {
+                for (i = n->sel.nkeys; i > 0; i--, key++) {
                        int toff = off + key->off + (off2 & key->offmask);
-                        __be32 *data, _data;
+                        __be32 *data, hdata;
                        if (skb_headroom(skb) + toff > INT_MAX)
                                goto out;
-                        data = skb_header_pointer(skb, toff, 4, &_data);
+                        data = skb_header_pointer(skb, toff, 4, &hdata);
                        if (!data)
                                goto out;
                        if ((*data ^ key->val) & key->mask) {
@@ -148,13 +147,13 @@ next_knode:
                                goto next_knode;
                        }
 #ifdef CONFIG_CLS_U32_PERF
-                        n->pf->kcnts[j] +=1;
+                        n->pf->kcnts[j] += 1;
                        j++;
 #endif
                }
                if (n->ht_down == NULL) {
 check_terminal:
-                        if (n->sel.flags&TC_U32_TERMINAL) {
+                        if (n->sel.flags & TC_U32_TERMINAL) {
                                *res = n->res;
 #ifdef CONFIG_NET_CLS_IND
@@ -164,7 +163,7 @@ check_terminal:
                                }
 #endif
 #ifdef CONFIG_CLS_U32_PERF
-                                n->pf->rhit +=1;
+                                n->pf->rhit += 1;
 #endif
                                r = tcf_exts_exec(skb, &n->exts, res);
                                if (r < 0) {
@@ -188,26 +187,26 @@ check_terminal:
                ht = n->ht_down;
                sel = 0;
                if (ht->divisor) {
-                        __be32 *data, _data;
+                        __be32 *data, hdata;
                        data = skb_header_pointer(skb, off + n->sel.hoff, 4,
-                                                  &_data);
+                                                  &hdata);
                        if (!data)
                                goto out;
                        sel = ht->divisor & u32_hash_fold(*data, &n->sel,
                                                          n->fshift);
                }
-                if (!(n->sel.flags&(TC_U32_VAROFFSET|TC_U32_OFFSET|TC_U32_EAT)))
+                if (!(n->sel.flags & (TC_U32_VAROFFSET | TC_U32_OFFSET | TC_U32_EAT)))
                        goto next_ht;
-                if (n->sel.flags&(TC_U32_OFFSET|TC_U32_VAROFFSET)) {
+                if (n->sel.flags & (TC_U32_OFFSET | TC_U32_VAROFFSET)) {
                        off2 = n->sel.off + 3;
                        if (n->sel.flags & TC_U32_VAROFFSET) {
-                                __be16 *data, _data;
+                                __be16 *data, hdata;
                                data = skb_header_pointer(skb,
                                                          off + n->sel.offoff,
-                                                          2, &_data);
+                                                          2, &hdata);
                                if (!data)
                                        goto out;
                                off2 += ntohs(n->sel.offmask & *data) >>
@@ -215,7 +214,7 @@ check_terminal:
                        }
                        off2 &= ~3;
                }
-                if (n->sel.flags&TC_U32_EAT) {
+                if (n->sel.flags & TC_U32_EAT) {
                        off += off2;
                        off2 = 0;
                }
@@ -236,11 +235,11 @@ out:
 deadloop:
        if (net_ratelimit())
-                printk(KERN_WARNING "cls_u32: dead loop\n");
+                pr_warning("cls_u32: dead loop\n");
        return -1;
 }
-static __inline__ struct tc_u_hnode *
+static struct tc_u_hnode *
 u32_lookup_ht(struct tc_u_common *tp_c, u32 handle)
 {
        struct tc_u_hnode *ht;
@@ -252,10 +251,10 @@ u32_lookup_ht(struct tc_u_common *tp_c, u32 handle)
        return ht;
 }
-static __inline__ struct tc_u_knode *
+static struct tc_u_knode *
 u32_lookup_key(struct tc_u_hnode *ht, u32 handle)
 {
-        unsigned sel;
+        unsigned int sel;
        struct tc_u_knode *n = NULL;
        sel = TC_U32_HASH(handle);
@@ -300,7 +299,7 @@ static u32 gen_new_htid(struct tc_u_common *tp_c)
        do {
                if (++tp_c->hgenerator == 0x7FF)
                        tp_c->hgenerator = 1;
-        } while (--i>0 && u32_lookup_ht(tp_c, (tp_c->hgenerator|0x800)<<20));
+        } while (--i > 0 && u32_lookup_ht(tp_c, (tp_c->hgenerator|0x800)<<20));
        return i > 0 ? (tp_c->hgenerator|0x800)<<20 : 0;
 }
@@ -378,9 +377,9 @@ static int u32_delete_key(struct tcf_proto *tp, struct tc_u_knode* key)
 static void u32_clear_hnode(struct tcf_proto *tp, struct tc_u_hnode *ht)
 {
        struct tc_u_knode *n;
-        unsigned h;
+        unsigned int h;
-        for (h=0; h<=ht->divisor; h++) {
+        for (h = 0; h <= ht->divisor; h++) {
                while ((n = ht->ht[h]) != NULL) {
                        ht->ht[h] = n->next;
@@ -446,13 +445,13 @@ static void u32_destroy(struct tcf_proto *tp)
 static int u32_delete(struct tcf_proto *tp, unsigned long arg)
 {
-        struct tc_u_hnode *ht = (struct tc_u_hnode*)arg;
+        struct tc_u_hnode *ht = (struct tc_u_hnode *)arg;
        if (ht == NULL)
                return 0;
        if (TC_U32_KEY(ht->handle))
-                return u32_delete_key(tp, (struct tc_u_knode*)ht);
+                return u32_delete_key(tp, (struct tc_u_knode *)ht);
        if (tp->root == ht)
                return -EINVAL;
@@ -470,14 +469,14 @@ static int u32_delete(struct tcf_proto *tp, unsigned long arg)
 static u32 gen_new_kid(struct tc_u_hnode *ht, u32 handle)
 {
        struct tc_u_knode *n;
-        unsigned i = 0x7FF;
+        unsigned int i = 0x7FF;
-        for (n=ht->ht[TC_U32_HASH(handle)]; n; n = n->next)
+        for (n = ht->ht[TC_U32_HASH(handle)]; n; n = n->next)
                if (i < TC_U32_NODE(n->handle))
                        i = TC_U32_NODE(n->handle);
        i++;
-        return handle|(i>0xFFF ? 0xFFF : i);
+        return handle | (i > 0xFFF ? 0xFFF : i);
 }
 static const struct nla_policy u32_policy[TCA_U32_MAX + 1] = {
@@ -566,7 +565,8 @@ static int u32_change(struct tcf_proto *tp, unsigned long base, u32 handle,
        if (err < 0)
                return err;
-        if ((n = (struct tc_u_knode*)*arg) != NULL) {
+        n = (struct tc_u_knode *)*arg;
+        if (n) {
                if (TC_U32_KEY(n->handle) == 0)
                        return -EINVAL;
@@ -574,7 +574,7 @@ static int u32_change(struct tcf_proto *tp, unsigned long base, u32 handle,
        }
        if (tb[TCA_U32_DIVISOR]) {
-                unsigned divisor = nla_get_u32(tb[TCA_U32_DIVISOR]);
+                unsigned int divisor = nla_get_u32(tb[TCA_U32_DIVISOR]);
                if (--divisor > 0x100)
                        return -EINVAL;
@@ -585,7 +585,7 @@ static int u32_change(struct tcf_proto *tp, unsigned long base, u32 handle,
                        if (handle == 0)
                                return -ENOMEM;
                }
-                ht = kzalloc(sizeof(*ht) + divisor*sizeof(void*), GFP_KERNEL);
+                ht = kzalloc(sizeof(*ht) + divisor*sizeof(void *), GFP_KERNEL);
                if (ht == NULL)
                        return -ENOBUFS;
                ht->tp_c = tp_c;
@@ -683,7 +683,7 @@ static void u32_walk(struct tcf_proto *tp, struct tcf_walker *arg)
        struct tc_u_common *tp_c = tp->data;
        struct tc_u_hnode *ht;
        struct tc_u_knode *n;
-        unsigned h;
+        unsigned int h;
        if (arg->stop)
                return;
@@ -717,7 +717,7 @@ static void u32_walk(struct tcf_proto *tp, struct tcf_walker *arg)
 static int u32_dump(struct tcf_proto *tp, unsigned long fh,
                     struct sk_buff *skb, struct tcmsg *t)
 {
-        struct tc_u_knode *n = (struct tc_u_knode*)fh;
+        struct tc_u_knode *n = (struct tc_u_knode *)fh;
        struct nlattr *nest;
        if (n == NULL)
@@ -730,8 +730,9 @@ static int u32_dump(struct tcf_proto *tp, unsigned long fh,
                goto nla_put_failure;
        if (TC_U32_KEY(n->handle) == 0) {
-                struct tc_u_hnode *ht = (struct tc_u_hnode*)fh;
+                struct tc_u_hnode *ht = (struct tc_u_hnode *)fh;
-                u32 divisor = ht->divisor+1;
+                u32 divisor = ht->divisor + 1;
                NLA_PUT_U32(skb, TCA_U32_DIVISOR, divisor);
        } else {
                NLA_PUT(skb, TCA_U32_SEL,
@@ -755,7 +756,7 @@ static int u32_dump(struct tcf_proto *tp, unsigned long fh,
                        goto nla_put_failure;
 #ifdef CONFIG_NET_CLS_IND
-                if(strlen(n->indev))
+                if (strlen(n->indev))
                        NLA_PUT_STRING(skb, TCA_U32_INDEV, n->indev);
 #endif
 #ifdef CONFIG_CLS_U32_PERF
diff --git a/net/sched/em_cmp.c b/net/sched/em_cmp.c
index bc450397487a..1c8360a2752a 100644
--- a/net/sched/em_cmp.c
+++ b/net/sched/em_cmp.c
@@ -33,40 +33,41 @@ static int em_cmp_match(struct sk_buff *skb, struct tcf_ematch *em,
                return 0;
        switch (cmp->align) {
-                case TCF_EM_ALIGN_U8:
+        case TCF_EM_ALIGN_U8:
-                        val = *ptr;
+                val = *ptr;
-                        break;
+                break;
-                case TCF_EM_ALIGN_U16:
+        case TCF_EM_ALIGN_U16:
-                        val = get_unaligned_be16(ptr);
+                val = get_unaligned_be16(ptr);
-                        if (cmp_needs_transformation(cmp))
+                if (cmp_needs_transformation(cmp))
-                                val = be16_to_cpu(val);
+                        val = be16_to_cpu(val);
-                        break;
+                break;
-                case TCF_EM_ALIGN_U32:
+        case TCF_EM_ALIGN_U32:
-                        /* Worth checking boundries? The branching seems
+                /* Worth checking boundries? The branching seems
-                         * to get worse. Visit again. */
+                 * to get worse. Visit again.
-                        val = get_unaligned_be32(ptr);
+                 */
+                val = get_unaligned_be32(ptr);
-                        if (cmp_needs_transformation(cmp))
+                if (cmp_needs_transformation(cmp))
-                                val = be32_to_cpu(val);
+                        val = be32_to_cpu(val);
-                        break;
+                break;
-                default:
+        default:
-                        return 0;
+                return 0;
        }
        if (cmp->mask)
                val &= cmp->mask;
        switch (cmp->opnd) {
-                case TCF_EM_OPND_EQ:
+        case TCF_EM_OPND_EQ:
-                        return val == cmp->val;
+                return val == cmp->val;
-                case TCF_EM_OPND_LT:
+        case TCF_EM_OPND_LT:
-                        return val < cmp->val;
+                return val < cmp->val;
-                case TCF_EM_OPND_GT:
+        case TCF_EM_OPND_GT:
-                        return val > cmp->val;
+                return val > cmp->val;
        }
        return 0;
diff --git a/net/sched/em_meta.c b/net/sched/em_meta.c
index 34da5e29ea1a..49130e8abff0 100644
--- a/net/sched/em_meta.c
+++ b/net/sched/em_meta.c
@@ -47,7 +47,7 @@
 *      on the meta type. Obviously, the length of the data must also
 *      be provided for non-numeric types.
 *
- *      Additionaly, type dependant modifiers such as shift operators
+ *      Additionally, type dependent modifiers such as shift operators
 *      or mask may be applied to extend the functionaliy. As of now,
 *      the variable length type supports shifting the byte string to
 *      the right, eating up any number of octets and thus supporting
@@ -73,21 +73,18 @@
 #include <net/pkt_cls.h>
 #include <net/sock.h>
-struct meta_obj
+struct meta_obj {
-{
        unsigned long           value;
        unsigned int            len;
 };
-struct meta_value
+struct meta_value {
-{
        struct tcf_meta_val     hdr;
        unsigned long           val;
        unsigned int            len;
 };
-struct meta_match
+struct meta_match {
-{
        struct meta_value       lvalue;
        struct meta_value       rvalue;
 };
@@ -255,7 +252,7 @@ META_COLLECTOR(int_rtclassid)
        if (unlikely(skb_dst(skb) == NULL))
                *err = -1;
        else
-#ifdef CONFIG_NET_CLS_ROUTE
+#ifdef CONFIG_IP_ROUTE_CLASSID
                dst->value = skb_dst(skb)->tclassid;
 #else
                dst->value = 0;
@@ -267,7 +264,7 @@ META_COLLECTOR(int_rtiif)
        if (unlikely(skb_rtable(skb) == NULL))
                *err = -1;
        else
-                dst->value = skb_rtable(skb)->fl.iif;
+                dst->value = skb_rtable(skb)->rt_iif;
 }
 /**************************************************************************
@@ -404,7 +401,7 @@ META_COLLECTOR(int_sk_sndbuf)
 META_COLLECTOR(int_sk_alloc)
 {
        SKIP_NONLOCAL(skb);
-        dst->value = skb->sk->sk_allocation;
+        dst->value = (__force int) skb->sk->sk_allocation;
 }
 META_COLLECTOR(int_sk_route_caps)
@@ -483,8 +480,7 @@ META_COLLECTOR(int_sk_write_pend)
 * Meta value collectors assignment table
 **************************************************************************/
-struct meta_ops
+struct meta_ops {
-{
        void            (*get)(struct sk_buff *, struct tcf_pkt_info *,
                               struct meta_value *, struct meta_obj *, int *);
 };
@@ -494,7 +490,7 @@ struct meta_ops
 /* Meta value operations table listing all meta value collectors and
 * assigns them to a type and meta id. */
-static struct meta_ops __meta_ops[TCF_META_TYPE_MAX+1][TCF_META_ID_MAX+1] = {
+static struct meta_ops __meta_ops[TCF_META_TYPE_MAX + 1][TCF_META_ID_MAX + 1] = {
        [TCF_META_TYPE_VAR] = {
                [META_ID(DEV)]                  = META_FUNC(var_dev),
                [META_ID(SK_BOUND_IF)]          = META_FUNC(var_sk_bound_if),
@@ -550,7 +546,7 @@ static struct meta_ops __meta_ops[TCF_META_TYPE_MAX+1][TCF_META_ID_MAX+1] = {
        }
 };
-static inline struct meta_ops * meta_ops(struct meta_value *val)
+static inline struct meta_ops *meta_ops(struct meta_value *val)
 {
        return &__meta_ops[meta_type(val)][meta_id(val)];
 }
@@ -649,9 +645,8 @@ static int meta_int_dump(struct sk_buff *skb, struct meta_value *v, int tlv)
 {
        if (v->len == sizeof(unsigned long))
                NLA_PUT(skb, tlv, sizeof(unsigned long), &v->val);
-        else if (v->len == sizeof(u32)) {
+        else if (v->len == sizeof(u32))
                NLA_PUT_U32(skb, tlv, v->val);
-        }
        return 0;
@@ -663,8 +658,7 @@ nla_put_failure:
 * Type specific operations table
 **************************************************************************/
-struct meta_type_ops
+struct meta_type_ops {
-{
        void    (*destroy)(struct meta_value *);
        int     (*compare)(struct meta_obj *, struct meta_obj *);
        int     (*change)(struct meta_value *, struct nlattr *);
@@ -672,7 +666,7 @@ struct meta_type_ops
        int     (*dump)(struct sk_buff *, struct meta_value *, int);
 };
-static struct meta_type_ops __meta_type_ops[TCF_META_TYPE_MAX+1] = {
+static struct meta_type_ops __meta_type_ops[TCF_META_TYPE_MAX + 1] = {
        [TCF_META_TYPE_VAR] = {
                .destroy = meta_var_destroy,
                .compare = meta_var_compare,
@@ -688,7 +682,7 @@ static struct meta_type_ops __meta_type_ops[TCF_META_TYPE_MAX+1] = {
        }
 };
-static inline struct meta_type_ops * meta_type_ops(struct meta_value *v)
+static inline struct meta_type_ops *meta_type_ops(struct meta_value *v)
 {
        return &__meta_type_ops[meta_type(v)];
 }
@@ -713,7 +707,7 @@ static int meta_get(struct sk_buff *skb, struct tcf_pkt_info *info,
                return err;
        if (meta_type_ops(v)->apply_extras)
-            meta_type_ops(v)->apply_extras(v, dst);
+                meta_type_ops(v)->apply_extras(v, dst);
        return 0;
 }
@@ -732,12 +726,12 @@ static int em_meta_match(struct sk_buff *skb, struct tcf_ematch *m,
        r = meta_type_ops(&meta->lvalue)->compare(&l_value, &r_value);
        switch (meta->lvalue.hdr.op) {
-                case TCF_EM_OPND_EQ:
+        case TCF_EM_OPND_EQ:
-                        return !r;
+                return !r;
-                case TCF_EM_OPND_LT:
+        case TCF_EM_OPND_LT:
-                        return r < 0;
+                return r < 0;
-                case TCF_EM_OPND_GT:
+        case TCF_EM_OPND_GT:
-                        return r > 0;
+                return r > 0;
        }
        return 0;
@@ -771,7 +765,7 @@ static inline int meta_change_data(struct meta_value *dst, struct nlattr *nla)
 static inline int meta_is_supported(struct meta_value *val)
 {
-        return (!meta_id(val) || meta_ops(val)->get);
+        return !meta_id(val) || meta_ops(val)->get;
 }
 static const struct nla_policy meta_policy[TCA_EM_META_MAX + 1] = {
diff --git a/net/sched/em_nbyte.c b/net/sched/em_nbyte.c
index 1a4176aee6e5..a3bed07a008b 100644
--- a/net/sched/em_nbyte.c
+++ b/net/sched/em_nbyte.c
@@ -18,8 +18,7 @@
 #include <linux/tc_ematch/tc_em_nbyte.h>
 #include <net/pkt_cls.h>
-struct nbyte_data
+struct nbyte_data {
-{
        struct tcf_em_nbyte     hdr;
        char                    pattern[0];
 };
diff --git a/net/sched/em_text.c b/net/sched/em_text.c
index ea8f566e720c..15d353d2e4be 100644
--- a/net/sched/em_text.c
+++ b/net/sched/em_text.c
@@ -19,8 +19,7 @@
 #include <linux/tc_ematch/tc_em_text.h>
 #include <net/pkt_cls.h>
-struct text_match
+struct text_match {
-{
        u16                     from_offset;
        u16                     to_offset;
        u8                      from_layer;
diff --git a/net/sched/em_u32.c b/net/sched/em_u32.c
index 953f1479f7da..797bdb88c010 100644
--- a/net/sched/em_u32.c
+++ b/net/sched/em_u32.c
@@ -35,7 +35,7 @@ static int em_u32_match(struct sk_buff *skb, struct tcf_ematch *em,
        if (!tcf_valid_offset(skb, ptr, sizeof(u32)))
                return 0;
-        return !(((*(__be32*) ptr)  ^ key->val) & key->mask);
+        return !(((*(__be32 *) ptr)  ^ key->val) & key->mask);
 }
 static struct tcf_ematch_ops em_u32_ops = {
diff --git a/net/sched/ematch.c b/net/sched/ematch.c
index 5e37da961f80..88d93eb92507 100644
--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -93,7 +93,7 @@
 static LIST_HEAD(ematch_ops);
 static DEFINE_RWLOCK(ematch_mod_lock);
-static inline struct tcf_ematch_ops * tcf_em_lookup(u16 kind)
+static struct tcf_ematch_ops *tcf_em_lookup(u16 kind)
 {
        struct tcf_ematch_ops *e = NULL;
@@ -163,8 +163,8 @@ void tcf_em_unregister(struct tcf_ematch_ops *ops)
 }
 EXPORT_SYMBOL(tcf_em_unregister);
-static inline struct tcf_ematch * tcf_em_get_match(struct tcf_ematch_tree *tree,
+static inline struct tcf_ematch *tcf_em_get_match(struct tcf_ematch_tree *tree,
-                                                   int index)
+                                                  int index)
 {
        return &tree->matches[index];
 }
@@ -184,7 +184,8 @@ static int tcf_em_validate(struct tcf_proto *tp,
        if (em_hdr->kind == TCF_EM_CONTAINER) {
                /* Special ematch called "container", carries an index
-                 * referencing an external ematch sequence. */
+                 * referencing an external ematch sequence.
+                 */
                u32 ref;
                if (data_len < sizeof(ref))
@@ -195,7 +196,8 @@ static int tcf_em_validate(struct tcf_proto *tp,
                        goto errout;
                /* We do not allow backward jumps to avoid loops and jumps
-                 * to our own position are of course illegal. */
+                 * to our own position are of course illegal.
+                 */
                if (ref <= idx)
                        goto errout;
@@ -208,7 +210,8 @@ static int tcf_em_validate(struct tcf_proto *tp,
                 * which automatically releases the reference again, therefore
                 * the module MUST not be given back under any circumstances
                 * here. Be aware, the destroy function assumes that the
-                 * module is held if the ops field is non zero. */
+                 * module is held if the ops field is non zero.
+                 */
                em->ops = tcf_em_lookup(em_hdr->kind);
                if (em->ops == NULL) {
@@ -221,7 +224,8 @@ static int tcf_em_validate(struct tcf_proto *tp,
                        if (em->ops) {
                                /* We dropped the RTNL mutex in order to
                                 * perform the module load. Tell the caller
-                                 * to replay the request. */
+                                 * to replay the request.
+                                 */
                                module_put(em->ops->owner);
                                err = -EAGAIN;
                        }
@@ -230,7 +234,8 @@ static int tcf_em_validate(struct tcf_proto *tp,
                }
                /* ematch module provides expected length of data, so we
-                 * can do a basic sanity check. */
+                 * can do a basic sanity check.
+                 */
                if (em->ops->datalen && data_len < em->ops->datalen)
                        goto errout;
@@ -246,7 +251,8 @@ static int tcf_em_validate(struct tcf_proto *tp,
                         * TCF_EM_SIMPLE may be specified stating that the
                         * data only consists of a u32 integer and the module
                         * does not expected a memory reference but rather
-                         * the value carried. */
+                         * the value carried.
+                         */
                        if (em_hdr->flags & TCF_EM_SIMPLE) {
                                if (data_len < sizeof(u32))
                                        goto errout;
@@ -334,7 +340,8 @@ int tcf_em_tree_validate(struct tcf_proto *tp, struct nlattr *nla,
         * The array of rt attributes is parsed in the order as they are
         * provided, their type must be incremental from 1 to n. Even
         * if it does not serve any real purpose, a failure of sticking
-         * to this policy will result in parsing failure. */
+         * to this policy will result in parsing failure.
+         */
        for (idx = 0; nla_ok(rt_match, list_len); idx++) {
                err = -EINVAL;
@@ -359,7 +366,8 @@ int tcf_em_tree_validate(struct tcf_proto *tp, struct nlattr *nla,
        /* Check if the number of matches provided by userspace actually
         * complies with the array of matches. The number was used for
         * the validation of references and a mismatch could lead to
-         * undefined references during the matching process. */
+         * undefined references during the matching process.
+         */
        if (idx != tree_hdr->nmatches) {
                err = -EINVAL;
                goto errout_abort;
@@ -449,7 +457,7 @@ int tcf_em_tree_dump(struct sk_buff *skb, struct tcf_ematch_tree *tree, int tlv)
                        .flags = em->flags
                };
-                NLA_PUT(skb, i+1, sizeof(em_hdr), &em_hdr);
+                NLA_PUT(skb, i + 1, sizeof(em_hdr), &em_hdr);
                if (em->ops && em->ops->dump) {
                        if (em->ops->dump(skb, em) < 0)
@@ -478,6 +486,7 @@ static inline int tcf_em_match(struct sk_buff *skb, struct tcf_ematch *em,
                               struct tcf_pkt_info *info)
 {
        int r = em->ops->match(skb, em, info);
        return tcf_em_is_inverted(em) ? !r : r;
 }
@@ -527,8 +536,8 @@ pop_stack:
 stack_overflow:
        if (net_ratelimit())
-                printk(KERN_WARNING "tc ematch: local stack overflow,"
+                pr_warning("tc ematch: local stack overflow,"
-                        " increase NET_EMATCH_STACK\n");
+                           " increase NET_EMATCH_STACK\n");
        return -1;
 }
 EXPORT_SYMBOL(__tcf_em_tree_match);
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index b22ca2d1cebc..6b8627661c98 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -187,7 +187,7 @@ int unregister_qdisc(struct Qdisc_ops *qops)
        int err = -ENOENT;
        write_lock(&qdisc_mod_lock);
-        for (qp = &qdisc_base; (q=*qp)!=NULL; qp = &q->next)
+        for (qp = &qdisc_base; (q = *qp) != NULL; qp = &q->next)
                if (q == qops)
                        break;
        if (q) {
@@ -321,7 +321,9 @@ void qdisc_put_rtab(struct qdisc_rate_table *tab)
        if (!tab || --tab->refcnt)
                return;
-        for (rtabp = &qdisc_rtab_list; (rtab=*rtabp) != NULL; rtabp = &rtab->next) {
+        for (rtabp = &qdisc_rtab_list;
+             (rtab = *rtabp) != NULL;
+             rtabp = &rtab->next) {
                if (rtab == tab) {
                        *rtabp = rtab->next;
                        kfree(rtab);
@@ -396,6 +398,11 @@ static struct qdisc_size_table *qdisc_get_stab(struct nlattr *opt)
        return stab;
 }
+static void stab_kfree_rcu(struct rcu_head *head)
+{
+        kfree(container_of(head, struct qdisc_size_table, rcu));
+}
 void qdisc_put_stab(struct qdisc_size_table *tab)
 {
        if (!tab)
@@ -405,7 +412,7 @@ void qdisc_put_stab(struct qdisc_size_table *tab)
        if (--tab->refcnt == 0) {
                list_del(&tab->list);
-                kfree(tab);
+                call_rcu_bh(&tab->rcu, stab_kfree_rcu);
        }
        spin_unlock(&qdisc_stab_lock);
@@ -428,7 +435,7 @@ nla_put_failure:
        return -1;
 }
-void qdisc_calculate_pkt_len(struct sk_buff *skb, struct qdisc_size_table *stab)
+void __qdisc_calculate_pkt_len(struct sk_buff *skb, const struct qdisc_size_table *stab)
 {
        int pkt_len, slot;
@@ -454,14 +461,13 @@ out:
                pkt_len = 1;
        qdisc_skb_cb(skb)->pkt_len = pkt_len;
 }
-EXPORT_SYMBOL(qdisc_calculate_pkt_len);
+EXPORT_SYMBOL(__qdisc_calculate_pkt_len);
 void qdisc_warn_nonwc(char *txt, struct Qdisc *qdisc)
 {
        if (!(qdisc->flags & TCQ_F_WARN_NONWC)) {
-                printk(KERN_WARNING
+                pr_warn("%s: %s qdisc %X: is non-work-conserving?\n",
-                       "%s: %s qdisc %X: is non-work-conserving?\n",
+                        txt, qdisc->ops->id, qdisc->handle >> 16);
-                       txt, qdisc->ops->id, qdisc->handle >> 16);
                qdisc->flags |= TCQ_F_WARN_NONWC;
        }
 }
@@ -472,7 +478,7 @@ static enum hrtimer_restart qdisc_watchdog(struct hrtimer *timer)
        struct qdisc_watchdog *wd = container_of(timer, struct qdisc_watchdog,
                                                 timer);
-        wd->qdisc->flags &= ~TCQ_F_THROTTLED;
+        qdisc_unthrottled(wd->qdisc);
        __netif_schedule(qdisc_root(wd->qdisc));
        return HRTIMER_NORESTART;
@@ -494,7 +500,7 @@ void qdisc_watchdog_schedule(struct qdisc_watchdog *wd, psched_time_t expires)
                     &qdisc_root_sleeping(wd->qdisc)->state))
                return;
-        wd->qdisc->flags |= TCQ_F_THROTTLED;
+        qdisc_throttled(wd->qdisc);
        time = ktime_set(0, 0);
        time = ktime_add_ns(time, PSCHED_TICKS2NS(expires));
        hrtimer_start(&wd->timer, time, HRTIMER_MODE_ABS);
@@ -504,7 +510,7 @@ EXPORT_SYMBOL(qdisc_watchdog_schedule);
 void qdisc_watchdog_cancel(struct qdisc_watchdog *wd)
 {
        hrtimer_cancel(&wd->timer);
-        wd->qdisc->flags &= ~TCQ_F_THROTTLED;
+        qdisc_unthrottled(wd->qdisc);
 }
 EXPORT_SYMBOL(qdisc_watchdog_cancel);
@@ -625,7 +631,7 @@ static u32 qdisc_alloc_handle(struct net_device *dev)
                        autohandle = TC_H_MAKE(0x80000000U, 0);
        } while (qdisc_lookup(dev, autohandle) && --i > 0);
-        return i>0 ? autohandle : 0;
+        return i > 0 ? autohandle : 0;
 }
 void qdisc_tree_decrease_qlen(struct Qdisc *sch, unsigned int n)
@@ -834,7 +840,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue,
                                err = PTR_ERR(stab);
                                goto err_out4;
                        }
-                        sch->stab = stab;
+                        rcu_assign_pointer(sch->stab, stab);
                }
                if (tca[TCA_RATE]) {
                        spinlock_t *root_lock;
@@ -874,7 +880,7 @@ err_out4:
         * Any broken qdiscs that would require a ops->reset() here?
         * The qdisc was never in action so it shouldn't be necessary.
         */
-        qdisc_put_stab(sch->stab);
+        qdisc_put_stab(rtnl_dereference(sch->stab));
        if (ops->destroy)
                ops->destroy(sch);
        goto err_out3;
@@ -882,7 +888,7 @@ err_out4:
 static int qdisc_change(struct Qdisc *sch, struct nlattr **tca)
 {
-        struct qdisc_size_table *stab = NULL;
+        struct qdisc_size_table *ostab, *stab = NULL;
        int err = 0;
        if (tca[TCA_OPTIONS]) {
@@ -899,8 +905,9 @@ static int qdisc_change(struct Qdisc *sch, struct nlattr **tca)
                        return PTR_ERR(stab);
        }
-        qdisc_put_stab(sch->stab);
+        ostab = rtnl_dereference(sch->stab);
-        sch->stab = stab;
+        rcu_assign_pointer(sch->stab, stab);
+        qdisc_put_stab(ostab);
        if (tca[TCA_RATE]) {
                /* NB: ignores errors from replace_estimator
@@ -915,9 +922,8 @@ out:
        return 0;
 }
-struct check_loop_arg
+struct check_loop_arg {
-{
+        struct qdisc_walker     w;
-        struct qdisc_walker     w;
        struct Qdisc            *p;
        int                     depth;
 };
@@ -970,7 +976,8 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
        struct Qdisc *p = NULL;
        int err;
-        if ((dev = __dev_get_by_index(net, tcm->tcm_ifindex)) == NULL)
+        dev = __dev_get_by_index(net, tcm->tcm_ifindex);
+        if (!dev)
                return -ENODEV;
        err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);
@@ -980,12 +987,12 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
        if (clid) {
                if (clid != TC_H_ROOT) {
                        if (TC_H_MAJ(clid) != TC_H_MAJ(TC_H_INGRESS)) {
-                                if ((p = qdisc_lookup(dev, TC_H_MAJ(clid))) == NULL)
+                                p = qdisc_lookup(dev, TC_H_MAJ(clid));
+                                if (!p)
                                        return -ENOENT;
                                q = qdisc_leaf(p, clid);
-                        } else { /* ingress */
+                        } else if (dev_ingress_queue(dev)) {
-                                if (dev_ingress_queue(dev))
+                                q = dev_ingress_queue(dev)->qdisc_sleeping;
-                                        q = dev_ingress_queue(dev)->qdisc_sleeping;
                        }
                } else {
                        q = dev->qdisc;
@@ -996,7 +1003,8 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
                if (tcm->tcm_handle && q->handle != tcm->tcm_handle)
                        return -EINVAL;
        } else {
-                if ((q = qdisc_lookup(dev, tcm->tcm_handle)) == NULL)
+                q = qdisc_lookup(dev, tcm->tcm_handle);
+                if (!q)
                        return -ENOENT;
        }
@@ -1008,7 +1016,8 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
                        return -EINVAL;
                if (q->handle == 0)
                        return -ENOENT;
-                if ((err = qdisc_graft(dev, p, skb, n, clid, NULL, q)) != 0)
+                err = qdisc_graft(dev, p, skb, n, clid, NULL, q);
+                if (err != 0)
                        return err;
        } else {
                qdisc_notify(net, skb, n, clid, NULL, q);
@@ -1017,7 +1026,7 @@ static int tc_get_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
 }
 /*
-   Create/change qdisc.
+ * Create/change qdisc.
 */
 static int tc_modify_qdisc(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
@@ -1036,7 +1045,8 @@ replay:
        clid = tcm->tcm_parent;
        q = p = NULL;
-        if ((dev = __dev_get_by_index(net, tcm->tcm_ifindex)) == NULL)
+        dev = __dev_get_by_index(net, tcm->tcm_ifindex);
+        if (!dev)
                return -ENODEV;
        err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);
@@ -1046,12 +1056,12 @@ replay:
        if (clid) {
                if (clid != TC_H_ROOT) {
                        if (clid != TC_H_INGRESS) {
-                                if ((p = qdisc_lookup(dev, TC_H_MAJ(clid))) == NULL)
+                                p = qdisc_lookup(dev, TC_H_MAJ(clid));
+                                if (!p)
                                        return -ENOENT;
                                q = qdisc_leaf(p, clid);
-                        } else { /* ingress */
+                        } else if (dev_ingress_queue_create(dev)) {
-                                if (dev_ingress_queue_create(dev))
+                                q = dev_ingress_queue(dev)->qdisc_sleeping;
-                                        q = dev_ingress_queue(dev)->qdisc_sleeping;
                        }
                } else {
                        q = dev->qdisc;
@@ -1063,13 +1073,14 @@ replay:
                if (!q || !tcm->tcm_handle || q->handle != tcm->tcm_handle) {
                        if (tcm->tcm_handle) {
-                                if (q && !(n->nlmsg_flags&NLM_F_REPLACE))
+                                if (q && !(n->nlmsg_flags & NLM_F_REPLACE))
                                        return -EEXIST;
                                if (TC_H_MIN(tcm->tcm_handle))
                                        return -EINVAL;
-                                if ((q = qdisc_lookup(dev, tcm->tcm_handle)) == NULL)
+                                q = qdisc_lookup(dev, tcm->tcm_handle);
+                                if (!q)
                                        goto create_n_graft;
-                                if (n->nlmsg_flags&NLM_F_EXCL)
+                                if (n->nlmsg_flags & NLM_F_EXCL)
                                        return -EEXIST;
                                if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], q->ops->id))
                                        return -EINVAL;
@@ -1079,7 +1090,7 @@ replay:
                                atomic_inc(&q->refcnt);
                                goto graft;
                        } else {
-                                if (q == NULL)
+                                if (!q)
                                        goto create_n_graft;
                                /* This magic test requires explanation.
@@ -1101,9 +1112,9 @@ replay:
                                 *   For now we select create/graft, if
                                 *   user gave KIND, which does not match existing.
                                 */
-                                if ((n->nlmsg_flags&NLM_F_CREATE) &&
+                                if ((n->nlmsg_flags & NLM_F_CREATE) &&
-                                    (n->nlmsg_flags&NLM_F_REPLACE) &&
+                                    (n->nlmsg_flags & NLM_F_REPLACE) &&
-                                    ((n->nlmsg_flags&NLM_F_EXCL) ||
+                                    ((n->nlmsg_flags & NLM_F_EXCL) ||
                                     (tca[TCA_KIND] &&
                                      nla_strcmp(tca[TCA_KIND], q->ops->id))))
                                        goto create_n_graft;
@@ -1118,7 +1129,7 @@ replay:
        /* Change qdisc parameters */
        if (q == NULL)
                return -ENOENT;
-        if (n->nlmsg_flags&NLM_F_EXCL)
+        if (n->nlmsg_flags & NLM_F_EXCL)
                return -EEXIST;
        if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], q->ops->id))
                return -EINVAL;
@@ -1128,7 +1139,7 @@ replay:
        return err;
 create_n_graft:
-        if (!(n->nlmsg_flags&NLM_F_CREATE))
+        if (!(n->nlmsg_flags & NLM_F_CREATE))
                return -ENOENT;
        if (clid == TC_H_INGRESS) {
                if (dev_ingress_queue(dev))
@@ -1175,6 +1186,7 @@ static int tc_fill_qdisc(struct sk_buff *skb, struct Qdisc *q, u32 clid,
        struct nlmsghdr  *nlh;
        unsigned char *b = skb_tail_pointer(skb);
        struct gnet_dump d;
+        struct qdisc_size_table *stab;
        nlh = NLMSG_NEW(skb, pid, seq, event, sizeof(*tcm), flags);
        tcm = NLMSG_DATA(nlh);
@@ -1190,7 +1202,8 @@ static int tc_fill_qdisc(struct sk_buff *skb, struct Qdisc *q, u32 clid,
                goto nla_put_failure;
        q->qstats.qlen = q->q.qlen;
-        if (q->stab && qdisc_dump_stab(skb, q->stab) < 0)
+        stab = rtnl_dereference(q->stab);
+        if (stab && qdisc_dump_stab(skb, stab) < 0)
                goto nla_put_failure;
        if (gnet_stats_start_copy_compat(skb, TCA_STATS2, TCA_STATS, TCA_XSTATS,
@@ -1234,16 +1247,19 @@ static int qdisc_notify(struct net *net, struct sk_buff *oskb,
                return -ENOBUFS;
        if (old && !tc_qdisc_dump_ignore(old)) {
-                if (tc_fill_qdisc(skb, old, clid, pid, n->nlmsg_seq, 0, RTM_DELQDISC) < 0)
+                if (tc_fill_qdisc(skb, old, clid, pid, n->nlmsg_seq,
+                                  0, RTM_DELQDISC) < 0)
                        goto err_out;
        }
        if (new && !tc_qdisc_dump_ignore(new)) {
-                if (tc_fill_qdisc(skb, new, clid, pid, n->nlmsg_seq, old ? NLM_F_REPLACE : 0, RTM_NEWQDISC) < 0)
+                if (tc_fill_qdisc(skb, new, clid, pid, n->nlmsg_seq,
+                                  old ? NLM_F_REPLACE : 0, RTM_NEWQDISC) < 0)
                        goto err_out;
        }
        if (skb->len)
-                return rtnetlink_send(skb, net, pid, RTNLGRP_TC, n->nlmsg_flags&NLM_F_ECHO);
+                return rtnetlink_send(skb, net, pid, RTNLGRP_TC,
+                                      n->nlmsg_flags & NLM_F_ECHO);
 err_out:
        kfree_skb(skb);
@@ -1275,7 +1291,7 @@ static int tc_dump_qdisc_root(struct Qdisc *root, struct sk_buff *skb,
                        q_idx++;
                        continue;
                }
-                if (!tc_qdisc_dump_ignore(q) && 
+                if (!tc_qdisc_dump_ignore(q) &&
                    tc_fill_qdisc(skb, q, q->parent, NETLINK_CB(cb->skb).pid,
                                  cb->nlh->nlmsg_seq, NLM_F_MULTI, RTM_NEWQDISC) <= 0)
                        goto done;
@@ -1356,7 +1372,8 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
        u32 qid = TC_H_MAJ(clid);
        int err;
-        if ((dev = __dev_get_by_index(net, tcm->tcm_ifindex)) == NULL)
+        dev = __dev_get_by_index(net, tcm->tcm_ifindex);
+        if (!dev)
                return -ENODEV;
        err = nlmsg_parse(n, sizeof(*tcm), tca, TCA_MAX, NULL);
@@ -1391,9 +1408,9 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
                        qid = dev->qdisc->handle;
                /* Now qid is genuine qdisc handle consistent
-                   both with parent and child.
+                 * both with parent and child.
+                 *
-                   TC_H_MAJ(pid) still may be unspecified, complete it now.
+                 * TC_H_MAJ(pid) still may be unspecified, complete it now.
                 */
                if (pid)
                        pid = TC_H_MAKE(qid, pid);
@@ -1403,7 +1420,8 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
        }
        /* OK. Locate qdisc */
-        if ((q = qdisc_lookup(dev, qid)) == NULL)
+        q = qdisc_lookup(dev, qid);
+        if (!q)
                return -ENOENT;
        /* An check that it supports classes */
@@ -1423,13 +1441,14 @@ static int tc_ctl_tclass(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
        if (cl == 0) {
                err = -ENOENT;
-                if (n->nlmsg_type != RTM_NEWTCLASS || !(n->nlmsg_flags&NLM_F_CREATE))
+                if (n->nlmsg_type != RTM_NEWTCLASS ||
+                    !(n->nlmsg_flags & NLM_F_CREATE))
                        goto out;
        } else {
                switch (n->nlmsg_type) {
                case RTM_NEWTCLASS:
                        err = -EEXIST;
-                        if (n->nlmsg_flags&NLM_F_EXCL)
+                        if (n->nlmsg_flags & NLM_F_EXCL)
                                goto out;
                        break;
                case RTM_DELTCLASS:
@@ -1521,14 +1540,14 @@ static int tclass_notify(struct net *net, struct sk_buff *oskb,
                return -EINVAL;
        }
-        return rtnetlink_send(skb, net, pid, RTNLGRP_TC, n->nlmsg_flags&NLM_F_ECHO);
+        return rtnetlink_send(skb, net, pid, RTNLGRP_TC,
+                              n->nlmsg_flags & NLM_F_ECHO);
 }
-struct qdisc_dump_args
+struct qdisc_dump_args {
-{
+        struct qdisc_walker     w;
-        struct qdisc_walker w;
+        struct sk_buff          *skb;
-        struct sk_buff *skb;
+        struct netlink_callback *cb;
-        struct netlink_callback *cb;
 };
 static int qdisc_class_dump(struct Qdisc *q, unsigned long cl, struct qdisc_walker *arg)
@@ -1590,7 +1609,7 @@ static int tc_dump_tclass_root(struct Qdisc *root, struct sk_buff *skb,
 static int tc_dump_tclass(struct sk_buff *skb, struct netlink_callback *cb)
 {
-        struct tcmsg *tcm = (struct tcmsg*)NLMSG_DATA(cb->nlh);
+        struct tcmsg *tcm = (struct tcmsg *)NLMSG_DATA(cb->nlh);
        struct net *net = sock_net(skb->sk);
        struct netdev_queue *dev_queue;
        struct net_device *dev;
@@ -1598,7 +1617,8 @@ static int tc_dump_tclass(struct sk_buff *skb, struct netlink_callback *cb)
        if (cb->nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*tcm)))
                return 0;
-        if ((dev = dev_get_by_index(net, tcm->tcm_ifindex)) == NULL)
+        dev = dev_get_by_index(net, tcm->tcm_ifindex);
+        if (!dev)
                return 0;
        s_t = cb->args[0];
@@ -1621,19 +1641,22 @@ done:
 }
 /* Main classifier routine: scans classifier chain attached
-   to this qdisc, (optionally) tests for protocol and asks
+ * to this qdisc, (optionally) tests for protocol and asks
-   specific classifiers.
+ * specific classifiers.
 */
 int tc_classify_compat(struct sk_buff *skb, struct tcf_proto *tp,
                       struct tcf_result *res)
 {
        __be16 protocol = skb->protocol;
-        int err = 0;
+        int err;
        for (; tp; tp = tp->next) {
-                if ((tp->protocol == protocol ||
+                if (tp->protocol != protocol &&
-                     tp->protocol == htons(ETH_P_ALL)) &&
+                    tp->protocol != htons(ETH_P_ALL))
-                    (err = tp->classify(skb, tp, res)) >= 0) {
+                        continue;
+                err = tp->classify(skb, tp, res);
+                if (err >= 0) {
 #ifdef CONFIG_NET_CLS_ACT
                        if (err != TC_ACT_RECLASSIFY && skb->tc_verd)
                                skb->tc_verd = SET_TC_VERD(skb->tc_verd, 0);
@@ -1649,12 +1672,10 @@ int tc_classify(struct sk_buff *skb, struct tcf_proto *tp,
                struct tcf_result *res)
 {
        int err = 0;
-        __be16 protocol;
 #ifdef CONFIG_NET_CLS_ACT
        struct tcf_proto *otp = tp;
 reclassify:
 #endif
-        protocol = skb->protocol;
        err = tc_classify_compat(skb, tp, res);
 #ifdef CONFIG_NET_CLS_ACT
@@ -1664,11 +1685,11 @@ reclassify:
                if (verd++ >= MAX_REC_LOOP) {
                        if (net_ratelimit())
-                                printk(KERN_NOTICE
+                                pr_notice("%s: packet reclassify loop"
-                                       "%s: packet reclassify loop"
                                          " rule prio %u protocol %02x\n",
-                                       tp->q->ops->id,
+                                          tp->q->ops->id,
-                                       tp->prio & 0xffff, ntohs(tp->protocol));
+                                          tp->prio & 0xffff,
+                                          ntohs(tp->protocol));
                        return TC_ACT_SHOT;
                }
                skb->tc_verd = SET_TC_VERD(skb->tc_verd, verd);
@@ -1761,7 +1782,7 @@ static int __init pktsched_init(void)
        err = register_pernet_subsys(&psched_net_ops);
        if (err) {
-                printk(KERN_ERR "pktsched_init: "
+                pr_err("pktsched_init: "
                       "cannot initialize per netns operations\n");
                return err;
        }
diff --git a/net/sched/sch_atm.c b/net/sched/sch_atm.c
index 943d733409d0..3f08158b8688 100644
--- a/net/sched/sch_atm.c
+++ b/net/sched/sch_atm.c
@@ -319,7 +319,7 @@ static int atm_tc_delete(struct Qdisc *sch, unsigned long arg)
         * creation), and one for the reference held when calling delete.
         */
        if (flow->ref < 2) {
-                printk(KERN_ERR "atm_tc_delete: flow->ref == %d\n", flow->ref);
+                pr_err("atm_tc_delete: flow->ref == %d\n", flow->ref);
                return -EINVAL;
        }
        if (flow->ref > 2)
@@ -384,12 +384,12 @@ static int atm_tc_enqueue(struct sk_buff *skb, struct Qdisc *sch)
                        }
                }
                flow = NULL;
-        done:
+done:
-                ;               
+                ;
        }
-        if (!flow)
+        if (!flow) {
                flow = &p->link;
-        else {
+        } else {
                if (flow->vcc)
                        ATM_SKB(skb)->atm_options = flow->vcc->atm_options;
                /*@@@ looks good ... but it's not supposed to work :-) */
@@ -576,8 +576,7 @@ static void atm_tc_destroy(struct Qdisc *sch)
        list_for_each_entry_safe(flow, tmp, &p->flows, list) {
                if (flow->ref > 1)
-                        printk(KERN_ERR "atm_destroy: %p->ref = %d\n", flow,
+                        pr_err("atm_destroy: %p->ref = %d\n", flow, flow->ref);
-                               flow->ref);
                atm_tc_put(sch, (unsigned long)flow);
        }
        tasklet_kill(&p->task);
@@ -616,9 +615,8 @@ static int atm_tc_dump_class(struct Qdisc *sch, unsigned long cl,
        }
        if (flow->excess)
                NLA_PUT_U32(skb, TCA_ATM_EXCESS, flow->classid);
-        else {
+        else
                NLA_PUT_U32(skb, TCA_ATM_EXCESS, 0);
-        }
        nla_nest_end(skb, nest);
        return skb->len;
diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c
index 5f63ec58942c..24d94c097b35 100644
--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -72,8 +72,7 @@
 struct cbq_sched_data;
-struct cbq_class
+struct cbq_class {
-{
        struct Qdisc_class_common common;
        struct cbq_class        *next_alive;    /* next class with backlog in this priority band */
@@ -139,19 +138,18 @@ struct cbq_class
        int                     refcnt;
        int                     filters;
-        struct cbq_class        *defaults[TC_PRIO_MAX+1];
+        struct cbq_class        *defaults[TC_PRIO_MAX + 1];
 };
-struct cbq_sched_data
+struct cbq_sched_data {
-{
        struct Qdisc_class_hash clhash;                 /* Hash table of all classes */
-        int                     nclasses[TC_CBQ_MAXPRIO+1];
+        int                     nclasses[TC_CBQ_MAXPRIO + 1];
-        unsigned                quanta[TC_CBQ_MAXPRIO+1];
+        unsigned int            quanta[TC_CBQ_MAXPRIO + 1];
        struct cbq_class        link;
-        unsigned                activemask;
+        unsigned int            activemask;
-        struct cbq_class        *active[TC_CBQ_MAXPRIO+1];      /* List of all classes
+        struct cbq_class        *active[TC_CBQ_MAXPRIO + 1];    /* List of all classes
                                                                   with backlog */
 #ifdef CONFIG_NET_CLS_ACT
@@ -162,7 +160,7 @@ struct cbq_sched_data
        int                     tx_len;
        psched_time_t           now;            /* Cached timestamp */
        psched_time_t           now_rt;         /* Cached real time */
-        unsigned                pmask;
+        unsigned int            pmask;
        struct hrtimer          delay_timer;
        struct qdisc_watchdog   watchdog;       /* Watchdog timer,
@@ -175,9 +173,9 @@ struct cbq_sched_data
 };
-#define L2T(cl,len)     qdisc_l2t((cl)->R_tab,len)
+#define L2T(cl, len)    qdisc_l2t((cl)->R_tab, len)
-static __inline__ struct cbq_class *
+static inline struct cbq_class *
 cbq_class_lookup(struct cbq_sched_data *q, u32 classid)
 {
        struct Qdisc_class_common *clc;
@@ -193,25 +191,27 @@ cbq_class_lookup(struct cbq_sched_data *q, u32 classid)
 static struct cbq_class *
 cbq_reclassify(struct sk_buff *skb, struct cbq_class *this)
 {
-        struct cbq_class *cl, *new;
+        struct cbq_class *cl;
-        for (cl = this->tparent; cl; cl = cl->tparent)
+        for (cl = this->tparent; cl; cl = cl->tparent) {
-                if ((new = cl->defaults[TC_PRIO_BESTEFFORT]) != NULL && new != this)
+                struct cbq_class *new = cl->defaults[TC_PRIO_BESTEFFORT];
-                        return new;
+                if (new != NULL && new != this)
+                        return new;
+        }
        return NULL;
 }
 #endif
 /* Classify packet. The procedure is pretty complicated, but
-   it allows us to combine link sharing and priority scheduling
+ * it allows us to combine link sharing and priority scheduling
-   transparently.
+ * transparently.
+ *
-   Namely, you can put link sharing rules (f.e. route based) at root of CBQ,
+ * Namely, you can put link sharing rules (f.e. route based) at root of CBQ,
-   so that it resolves to split nodes. Then packets are classified
+ * so that it resolves to split nodes. Then packets are classified
-   by logical priority, or a more specific classifier may be attached
+ * by logical priority, or a more specific classifier may be attached
-   to the split node.
+ * to the split node.
 */
 static struct cbq_class *
@@ -227,7 +227,7 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
        /*
         *  Step 1. If skb->priority points to one of our classes, use it.
         */
-        if (TC_H_MAJ(prio^sch->handle) == 0 &&
+        if (TC_H_MAJ(prio ^ sch->handle) == 0 &&
            (cl = cbq_class_lookup(q, prio)) != NULL)
                return cl;
@@ -243,10 +243,11 @@ cbq_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
                    (result = tc_classify_compat(skb, head->filter_list, &res)) < 0)
                        goto fallback;
-                if ((cl = (void*)res.class) == NULL) {
+                cl = (void *)res.class;
+                if (!cl) {
                        if (TC_H_MAJ(res.classid))
                                cl = cbq_class_lookup(q, res.classid);
-                        else if ((cl = defmap[res.classid&TC_PRIO_MAX]) == NULL)
+                        else if ((cl = defmap[res.classid & TC_PRIO_MAX]) == NULL)
                                cl = defmap[TC_PRIO_BESTEFFORT];
                        if (cl == NULL || cl->level >= head->level)
@@ -282,7 +283,7 @@ fallback:
         * Step 4. No success...
         */
        if (TC_H_MAJ(prio) == 0 &&
-            !(cl = head->defaults[prio&TC_PRIO_MAX]) &&
+            !(cl = head->defaults[prio & TC_PRIO_MAX]) &&
            !(cl = head->defaults[TC_PRIO_BESTEFFORT]))
                return head;
@@ -290,12 +291,12 @@ fallback:
 }
 /*
-   A packet has just been enqueued on the empty class.
+ * A packet has just been enqueued on the empty class.
-   cbq_activate_class adds it to the tail of active class list
+ * cbq_activate_class adds it to the tail of active class list
-   of its priority band.
+ * of its priority band.
 */
-static __inline__ void cbq_activate_class(struct cbq_class *cl)
+static inline void cbq_activate_class(struct cbq_class *cl)
 {
        struct cbq_sched_data *q = qdisc_priv(cl->qdisc);
        int prio = cl->cpriority;
@@ -314,9 +315,9 @@ static __inline__ void cbq_activate_class(struct cbq_class *cl)
 }
 /*
-   Unlink class from active chain.
+ * Unlink class from active chain.
-   Note that this same procedure is done directly in cbq_dequeue*
+ * Note that this same procedure is done directly in cbq_dequeue*
-   during round-robin procedure.
+ * during round-robin procedure.
 */
 static void cbq_deactivate_class(struct cbq_class *this)
@@ -350,7 +351,7 @@ cbq_mark_toplevel(struct cbq_sched_data *q, struct cbq_class *cl)
 {
        int toplevel = q->toplevel;
-        if (toplevel > cl->level && !(cl->q->flags&TCQ_F_THROTTLED)) {
+        if (toplevel > cl->level && !(qdisc_is_throttled(cl->q))) {
                psched_time_t now;
                psched_tdiff_t incr;
@@ -363,7 +364,7 @@ cbq_mark_toplevel(struct cbq_sched_data *q, struct cbq_class *cl)
                                q->toplevel = cl->level;
                                return;
                        }
-                } while ((cl=cl->borrow) != NULL && toplevel > cl->level);
+                } while ((cl = cl->borrow) != NULL && toplevel > cl->level);
        }
 }
@@ -417,11 +418,11 @@ static void cbq_ovl_classic(struct cbq_class *cl)
                delay += cl->offtime;
                /*
-                   Class goes to sleep, so that it will have no
+                 * Class goes to sleep, so that it will have no
-                   chance to work avgidle. Let's forgive it 8)
+                 * chance to work avgidle. Let's forgive it 8)
+                 *
-                   BTW cbq-2.0 has a crap in this
+                 * BTW cbq-2.0 has a crap in this
-                   place, apparently they forgot to shift it by cl->ewma_log.
+                 * place, apparently they forgot to shift it by cl->ewma_log.
                 */
                if (cl->avgidle < 0)
                        delay -= (-cl->avgidle) - ((-cl->avgidle) >> cl->ewma_log);
@@ -438,8 +439,8 @@ static void cbq_ovl_classic(struct cbq_class *cl)
                q->wd_expires = delay;
        /* Dirty work! We must schedule wakeups based on
-           real available rate, rather than leaf rate,
+         * real available rate, rather than leaf rate,
-           which may be tiny (even zero).
+         * which may be tiny (even zero).
         */
        if (q->toplevel == TC_CBQ_MAXLEVEL) {
                struct cbq_class *b;
@@ -459,7 +460,7 @@ static void cbq_ovl_classic(struct cbq_class *cl)
 }
 /* TC_CBQ_OVL_RCLASSIC: penalize by offtime classes in hierarchy, when
-   they go overlimit
+ * they go overlimit
 */
 static void cbq_ovl_rclassic(struct cbq_class *cl)
@@ -594,7 +595,7 @@ static enum hrtimer_restart cbq_undelay(struct hrtimer *timer)
        struct Qdisc *sch = q->watchdog.qdisc;
        psched_time_t now;
        psched_tdiff_t delay = 0;
-        unsigned pmask;
+        unsigned int pmask;
        now = psched_get_time();
@@ -623,7 +624,7 @@ static enum hrtimer_restart cbq_undelay(struct hrtimer *timer)
                hrtimer_start(&q->delay_timer, time, HRTIMER_MODE_ABS);
        }
-        sch->flags &= ~TCQ_F_THROTTLED;
+        qdisc_unthrottled(sch);
        __netif_schedule(qdisc_root(sch));
        return HRTIMER_NORESTART;
 }
@@ -663,15 +664,15 @@ static int cbq_reshape_fail(struct sk_buff *skb, struct Qdisc *child)
 #endif
 /*
-   It is mission critical procedure.
+ * It is mission critical procedure.
+ *
-   We "regenerate" toplevel cutoff, if transmitting class
+ * We "regenerate" toplevel cutoff, if transmitting class
-   has backlog and it is not regulated. It is not part of
+ * has backlog and it is not regulated. It is not part of
-   original CBQ description, but looks more reasonable.
+ * original CBQ description, but looks more reasonable.
-   Probably, it is wrong. This question needs further investigation.
+ * Probably, it is wrong. This question needs further investigation.
-*/
+ */
-static __inline__ void
+static inline void
 cbq_update_toplevel(struct cbq_sched_data *q, struct cbq_class *cl,
                    struct cbq_class *borrowed)
 {
@@ -682,7 +683,7 @@ cbq_update_toplevel(struct cbq_sched_data *q, struct cbq_class *cl,
                                        q->toplevel = borrowed->level;
                                        return;
                                }
-                        } while ((borrowed=borrowed->borrow) != NULL);
+                        } while ((borrowed = borrowed->borrow) != NULL);
                }
 #if 0
        /* It is not necessary now. Uncommenting it
@@ -710,10 +711,10 @@ cbq_update(struct cbq_sched_data *q)
                cl->bstats.bytes += len;
                /*
-                   (now - last) is total time between packet right edges.
+                 * (now - last) is total time between packet right edges.
-                   (last_pktlen/rate) is "virtual" busy time, so that
+                 * (last_pktlen/rate) is "virtual" busy time, so that
+                 *
-                         idle = (now - last) - last_pktlen/rate
+                 *      idle = (now - last) - last_pktlen/rate
                 */
                idle = q->now - cl->last;
@@ -723,9 +724,9 @@ cbq_update(struct cbq_sched_data *q)
                        idle -= L2T(cl, len);
                /* true_avgidle := (1-W)*true_avgidle + W*idle,
-                   where W=2^{-ewma_log}. But cl->avgidle is scaled:
+                 * where W=2^{-ewma_log}. But cl->avgidle is scaled:
-                   cl->avgidle == true_avgidle/W,
+                 * cl->avgidle == true_avgidle/W,
-                   hence:
+                 * hence:
                 */
                        avgidle += idle - (avgidle>>cl->ewma_log);
                }
@@ -739,22 +740,22 @@ cbq_update(struct cbq_sched_data *q)
                        cl->avgidle = avgidle;
                        /* Calculate expected time, when this class
-                           will be allowed to send.
+                         * will be allowed to send.
-                           It will occur, when:
+                         * It will occur, when:
-                           (1-W)*true_avgidle + W*delay = 0, i.e.
+                         * (1-W)*true_avgidle + W*delay = 0, i.e.
-                           idle = (1/W - 1)*(-true_avgidle)
+                         * idle = (1/W - 1)*(-true_avgidle)
-                           or
+                         * or
-                           idle = (1 - W)*(-cl->avgidle);
+                         * idle = (1 - W)*(-cl->avgidle);
                         */
                        idle = (-avgidle) - ((-avgidle) >> cl->ewma_log);
                        /*
-                           That is not all.
+                         * That is not all.
-                           To maintain the rate allocated to the class,
+                         * To maintain the rate allocated to the class,
-                           we add to undertime virtual clock,
+                         * we add to undertime virtual clock,
-                           necessary to complete transmitted packet.
+                         * necessary to complete transmitted packet.
-                           (len/phys_bandwidth has been already passed
+                         * (len/phys_bandwidth has been already passed
-                           to the moment of cbq_update)
+                         * to the moment of cbq_update)
                         */
                        idle -= L2T(&q->link, len);
@@ -776,7 +777,7 @@ cbq_update(struct cbq_sched_data *q)
        cbq_update_toplevel(q, this, q->tx_borrowed);
 }
-static __inline__ struct cbq_class *
+static inline struct cbq_class *
 cbq_under_limit(struct cbq_class *cl)
 {
        struct cbq_sched_data *q = qdisc_priv(cl->qdisc);
@@ -792,16 +793,17 @@ cbq_under_limit(struct cbq_class *cl)
        do {
                /* It is very suspicious place. Now overlimit
-                   action is generated for not bounded classes
+                 * action is generated for not bounded classes
-                   only if link is completely congested.
+                 * only if link is completely congested.
-                   Though it is in agree with ancestor-only paradigm,
+                 * Though it is in agree with ancestor-only paradigm,
-                   it looks very stupid. Particularly,
+                 * it looks very stupid. Particularly,
-                   it means that this chunk of code will either
+                 * it means that this chunk of code will either
-                   never be called or result in strong amplification
+                 * never be called or result in strong amplification
-                   of burstiness. Dangerous, silly, and, however,
+                 * of burstiness. Dangerous, silly, and, however,
-                   no another solution exists.
+                 * no another solution exists.
                 */
-                if ((cl = cl->borrow) == NULL) {
+                cl = cl->borrow;
+                if (!cl) {
                        this_cl->qstats.overlimits++;
                        this_cl->overlimit(this_cl);
                        return NULL;
@@ -814,7 +816,7 @@ cbq_under_limit(struct cbq_class *cl)
        return cl;
 }
-static __inline__ struct sk_buff *
+static inline struct sk_buff *
 cbq_dequeue_prio(struct Qdisc *sch, int prio)
 {
        struct cbq_sched_data *q = qdisc_priv(sch);
@@ -838,7 +840,7 @@ cbq_dequeue_prio(struct Qdisc *sch, int prio)
                        if (cl->deficit <= 0) {
                                /* Class exhausted its allotment per
-                                   this round. Switch to the next one.
+                                 * this round. Switch to the next one.
                                 */
                                deficit = 1;
                                cl->deficit += cl->quantum;
@@ -848,8 +850,8 @@ cbq_dequeue_prio(struct Qdisc *sch, int prio)
                        skb = cl->q->dequeue(cl->q);
                        /* Class did not give us any skb :-(
-                           It could occur even if cl->q->q.qlen != 0
+                         * It could occur even if cl->q->q.qlen != 0
-                           f.e. if cl->q == "tbf"
+                         * f.e. if cl->q == "tbf"
                         */
                        if (skb == NULL)
                                goto skip_class;
@@ -878,7 +880,7 @@ cbq_dequeue_prio(struct Qdisc *sch, int prio)
 skip_class:
                        if (cl->q->q.qlen == 0 || prio != cl->cpriority) {
                                /* Class is empty or penalized.
-                                   Unlink it from active chain.
+                                 * Unlink it from active chain.
                                 */
                                cl_prev->next_alive = cl->next_alive;
                                cl->next_alive = NULL;
@@ -917,14 +919,14 @@ next_class:
        return NULL;
 }
-static __inline__ struct sk_buff *
+static inline struct sk_buff *
 cbq_dequeue_1(struct Qdisc *sch)
 {
        struct cbq_sched_data *q = qdisc_priv(sch);
        struct sk_buff *skb;
-        unsigned activemask;
+        unsigned int activemask;
-        activemask = q->activemask&0xFF;
+        activemask = q->activemask & 0xFF;
        while (activemask) {
                int prio = ffz(~activemask);
                activemask &= ~(1<<prio);
@@ -949,11 +951,11 @@ cbq_dequeue(struct Qdisc *sch)
        if (q->tx_class) {
                psched_tdiff_t incr2;
                /* Time integrator. We calculate EOS time
-                   by adding expected packet transmission time.
+                 * by adding expected packet transmission time.
-                   If real time is greater, we warp artificial clock,
+                 * If real time is greater, we warp artificial clock,
-                   so that:
+                 * so that:
+                 *
-                   cbq_time = max(real_time, work);
+                 * cbq_time = max(real_time, work);
                 */
                incr2 = L2T(&q->link, q->tx_len);
                q->now += incr2;
@@ -971,27 +973,27 @@ cbq_dequeue(struct Qdisc *sch)
                if (skb) {
                        qdisc_bstats_update(sch, skb);
                        sch->q.qlen--;
-                        sch->flags &= ~TCQ_F_THROTTLED;
+                        qdisc_unthrottled(sch);
                        return skb;
                }
                /* All the classes are overlimit.
+                 *
-                   It is possible, if:
+                 * It is possible, if:
+                 *
-                   1. Scheduler is empty.
+                 * 1. Scheduler is empty.
-                   2. Toplevel cutoff inhibited borrowing.
+                 * 2. Toplevel cutoff inhibited borrowing.
-                   3. Root class is overlimit.
+                 * 3. Root class is overlimit.
+                 *
-                   Reset 2d and 3d conditions and retry.
+                 * Reset 2d and 3d conditions and retry.
+                 *
-                   Note, that NS and cbq-2.0 are buggy, peeking
+                 * Note, that NS and cbq-2.0 are buggy, peeking
-                   an arbitrary class is appropriate for ancestor-only
+                 * an arbitrary class is appropriate for ancestor-only
-                   sharing, but not for toplevel algorithm.
+                 * sharing, but not for toplevel algorithm.
+                 *
-                   Our version is better, but slower, because it requires
+                 * Our version is better, but slower, because it requires
-                   two passes, but it is unavoidable with top-level sharing.
+                 * two passes, but it is unavoidable with top-level sharing.
-                */
+                 */
                if (q->toplevel == TC_CBQ_MAXLEVEL &&
                    q->link.undertime == PSCHED_PASTPERFECT)
@@ -1002,7 +1004,8 @@ cbq_dequeue(struct Qdisc *sch)
        }
        /* No packets in scheduler or nobody wants to give them to us :-(
-           Sigh... start watchdog timer in the last case. */
+         * Sigh... start watchdog timer in the last case.
+         */
        if (sch->q.qlen) {
                sch->qstats.overlimits++;
@@ -1024,13 +1027,14 @@ static void cbq_adjust_levels(struct cbq_class *this)
                int level = 0;
                struct cbq_class *cl;
-                if ((cl = this->children) != NULL) {
+                cl = this->children;
+                if (cl) {
                        do {
                                if (cl->level > level)
                                        level = cl->level;
                        } while ((cl = cl->sibling) != this->children);
                }
-                this->level = level+1;
+                this->level = level + 1;
        } while ((this = this->tparent) != NULL);
 }
@@ -1046,14 +1050,15 @@ static void cbq_normalize_quanta(struct cbq_sched_data *q, int prio)
        for (h = 0; h < q->clhash.hashsize; h++) {
                hlist_for_each_entry(cl, n, &q->clhash.hash[h], common.hnode) {
                        /* BUGGGG... Beware! This expression suffer of
-                           arithmetic overflows!
+                         * arithmetic overflows!
                         */
                        if (cl->priority == prio) {
                                cl->quantum = (cl->weight*cl->allot*q->nclasses[prio])/
                                        q->quanta[prio];
                        }
                        if (cl->quantum <= 0 || cl->quantum>32*qdisc_dev(cl->qdisc)->mtu) {
-                                printk(KERN_WARNING "CBQ: class %08x has bad quantum==%ld, repaired.\n", cl->common.classid, cl->quantum);
+                                pr_warning("CBQ: class %08x has bad quantum==%ld, repaired.\n",
+                                           cl->common.classid, cl->quantum);
                                cl->quantum = qdisc_dev(cl->qdisc)->mtu/2 + 1;
                        }
                }
@@ -1064,18 +1069,18 @@ static void cbq_sync_defmap(struct cbq_class *cl)
 {
        struct cbq_sched_data *q = qdisc_priv(cl->qdisc);
        struct cbq_class *split = cl->split;
-        unsigned h;
+        unsigned int h;
        int i;
        if (split == NULL)
                return;
-        for (i=0; i<=TC_PRIO_MAX; i++) {
+        for (i = 0; i <= TC_PRIO_MAX; i++) {
-                if (split->defaults[i] == cl && !(cl->defmap&(1<<i)))
+                if (split->defaults[i] == cl && !(cl->defmap & (1<<i)))
                        split->defaults[i] = NULL;
        }
-        for (i=0; i<=TC_PRIO_MAX; i++) {
+        for (i = 0; i <= TC_PRIO_MAX; i++) {
                int level = split->level;
                if (split->defaults[i])
@@ -1088,7 +1093,7 @@ static void cbq_sync_defmap(struct cbq_class *cl)
                        hlist_for_each_entry(c, n, &q->clhash.hash[h],
                                             common.hnode) {
                                if (c->split == split && c->level < level &&
-                                    c->defmap&(1<<i)) {
+                                    c->defmap & (1<<i)) {
                                        split->defaults[i] = c;
                                        level = c->level;
                                }
@@ -1102,7 +1107,8 @@ static void cbq_change_defmap(struct cbq_class *cl, u32 splitid, u32 def, u32 ma
        struct cbq_class *split = NULL;
        if (splitid == 0) {
-                if ((split = cl->split) == NULL)
+                split = cl->split;
+                if (!split)
                        return;
                splitid = split->common.classid;
        }
@@ -1120,9 +1126,9 @@ static void cbq_change_defmap(struct cbq_class *cl, u32 splitid, u32 def, u32 ma
                cl->defmap = 0;
                cbq_sync_defmap(cl);
                cl->split = split;
-                cl->defmap = def&mask;
+                cl->defmap = def & mask;
        } else
-                cl->defmap = (cl->defmap&~mask)|(def&mask);
+                cl->defmap = (cl->defmap & ~mask) | (def & mask);
        cbq_sync_defmap(cl);
 }
@@ -1135,7 +1141,7 @@ static void cbq_unlink_class(struct cbq_class *this)
        qdisc_class_hash_remove(&q->clhash, &this->common);
        if (this->tparent) {
-                clp=&this->sibling;
+                clp = &this->sibling;
                cl = *clp;
                do {
                        if (cl == this) {
@@ -1174,7 +1180,7 @@ static void cbq_link_class(struct cbq_class *this)
        }
 }
-static unsigned int cbq_drop(struct Qdisc* sch)
+static unsigned int cbq_drop(struct Qdisc *sch)
 {
        struct cbq_sched_data *q = qdisc_priv(sch);
        struct cbq_class *cl, *cl_head;
@@ -1182,7 +1188,8 @@ static unsigned int cbq_drop(struct Qdisc* sch)
        unsigned int len;
        for (prio = TC_CBQ_MAXPRIO; prio >= 0; prio--) {
-                if ((cl_head = q->active[prio]) == NULL)
+                cl_head = q->active[prio];
+                if (!cl_head)
                        continue;
                cl = cl_head;
@@ -1199,13 +1206,13 @@ static unsigned int cbq_drop(struct Qdisc* sch)
 }
 static void
-cbq_reset(struct Qdisc* sch)
+cbq_reset(struct Qdisc *sch)
 {
        struct cbq_sched_data *q = qdisc_priv(sch);
        struct cbq_class *cl;
        struct hlist_node *n;
        int prio;
-        unsigned h;
+        unsigned int h;
        q->activemask = 0;
        q->pmask = 0;
@@ -1237,21 +1244,21 @@ cbq_reset(struct Qdisc* sch)
 static int cbq_set_lss(struct cbq_class *cl, struct tc_cbq_lssopt *lss)
 {
-        if (lss->change&TCF_CBQ_LSS_FLAGS) {
+        if (lss->change & TCF_CBQ_LSS_FLAGS) {
-                cl->share = (lss->flags&TCF_CBQ_LSS_ISOLATED) ? NULL : cl->tparent;
+                cl->share = (lss->flags & TCF_CBQ_LSS_ISOLATED) ? NULL : cl->tparent;
-                cl->borrow = (lss->flags&TCF_CBQ_LSS_BOUNDED) ? NULL : cl->tparent;
+                cl->borrow = (lss->flags & TCF_CBQ_LSS_BOUNDED) ? NULL : cl->tparent;
        }
-        if (lss->change&TCF_CBQ_LSS_EWMA)
+        if (lss->change & TCF_CBQ_LSS_EWMA)
                cl->ewma_log = lss->ewma_log;
-        if (lss->change&TCF_CBQ_LSS_AVPKT)
+        if (lss->change & TCF_CBQ_LSS_AVPKT)
                cl->avpkt = lss->avpkt;
-        if (lss->change&TCF_CBQ_LSS_MINIDLE)
+        if (lss->change & TCF_CBQ_LSS_MINIDLE)
                cl->minidle = -(long)lss->minidle;
-        if (lss->change&TCF_CBQ_LSS_MAXIDLE) {
+        if (lss->change & TCF_CBQ_LSS_MAXIDLE) {
                cl->maxidle = lss->maxidle;
                cl->avgidle = lss->maxidle;
        }
-        if (lss->change&TCF_CBQ_LSS_OFFTIME)
+        if (lss->change & TCF_CBQ_LSS_OFFTIME)
                cl->offtime = lss->offtime;
        return 0;
 }
@@ -1279,10 +1286,10 @@ static int cbq_set_wrr(struct cbq_class *cl, struct tc_cbq_wrropt *wrr)
        if (wrr->weight)
                cl->weight = wrr->weight;
        if (wrr->priority) {
-                cl->priority = wrr->priority-1;
+                cl->priority = wrr->priority - 1;
                cl->cpriority = cl->priority;
                if (cl->priority >= cl->priority2)
-                        cl->priority2 = TC_CBQ_MAXPRIO-1;
+                        cl->priority2 = TC_CBQ_MAXPRIO - 1;
        }
        cbq_addprio(q, cl);
@@ -1299,10 +1306,10 @@ static int cbq_set_overlimit(struct cbq_class *cl, struct tc_cbq_ovl *ovl)
                cl->overlimit = cbq_ovl_delay;
                break;
        case TC_CBQ_OVL_LOWPRIO:
-                if (ovl->priority2-1 >= TC_CBQ_MAXPRIO ||
+                if (ovl->priority2 - 1 >= TC_CBQ_MAXPRIO ||
-                    ovl->priority2-1 <= cl->priority)
+                    ovl->priority2 - 1 <= cl->priority)
                        return -EINVAL;
-                cl->priority2 = ovl->priority2-1;
+                cl->priority2 = ovl->priority2 - 1;
                cl->overlimit = cbq_ovl_lowprio;
                break;
        case TC_CBQ_OVL_DROP:
@@ -1381,9 +1388,9 @@ static int cbq_init(struct Qdisc *sch, struct nlattr *opt)
        if (!q->link.q)
                q->link.q = &noop_qdisc;
-        q->link.priority = TC_CBQ_MAXPRIO-1;
+        q->link.priority = TC_CBQ_MAXPRIO - 1;
-        q->link.priority2 = TC_CBQ_MAXPRIO-1;
+        q->link.priority2 = TC_CBQ_MAXPRIO - 1;
-        q->link.cpriority = TC_CBQ_MAXPRIO-1;
+        q->link.cpriority = TC_CBQ_MAXPRIO - 1;
        q->link.ovl_strategy = TC_CBQ_OVL_CLASSIC;
        q->link.overlimit = cbq_ovl_classic;
        q->link.allot = psched_mtu(qdisc_dev(sch));
@@ -1414,7 +1421,7 @@ put_rtab:
        return err;
 }
-static __inline__ int cbq_dump_rate(struct sk_buff *skb, struct cbq_class *cl)
+static int cbq_dump_rate(struct sk_buff *skb, struct cbq_class *cl)
 {
        unsigned char *b = skb_tail_pointer(skb);
@@ -1426,7 +1433,7 @@ nla_put_failure:
        return -1;
 }
-static __inline__ int cbq_dump_lss(struct sk_buff *skb, struct cbq_class *cl)
+static int cbq_dump_lss(struct sk_buff *skb, struct cbq_class *cl)
 {
        unsigned char *b = skb_tail_pointer(skb);
        struct tc_cbq_lssopt opt;
@@ -1451,15 +1458,15 @@ nla_put_failure:
        return -1;
 }
-static __inline__ int cbq_dump_wrr(struct sk_buff *skb, struct cbq_class *cl)
+static int cbq_dump_wrr(struct sk_buff *skb, struct cbq_class *cl)
 {
        unsigned char *b = skb_tail_pointer(skb);
        struct tc_cbq_wrropt opt;
        opt.flags = 0;
        opt.allot = cl->allot;
-        opt.priority = cl->priority+1;
+        opt.priority = cl->priority + 1;
-        opt.cpriority = cl->cpriority+1;
+        opt.cpriority = cl->cpriority + 1;
        opt.weight = cl->weight;
        NLA_PUT(skb, TCA_CBQ_WRROPT, sizeof(opt), &opt);
        return skb->len;
@@ -1469,13 +1476,13 @@ nla_put_failure:
        return -1;
 }
-static __inline__ int cbq_dump_ovl(struct sk_buff *skb, struct cbq_class *cl)
+static int cbq_dump_ovl(struct sk_buff *skb, struct cbq_class *cl)
 {
        unsigned char *b = skb_tail_pointer(skb);
        struct tc_cbq_ovl opt;
        opt.strategy = cl->ovl_strategy;
-        opt.priority2 = cl->priority2+1;
+        opt.priority2 = cl->priority2 + 1;
        opt.pad = 0;
        opt.penalty = cl->penalty;
        NLA_PUT(skb, TCA_CBQ_OVL_STRATEGY, sizeof(opt), &opt);
@@ -1486,7 +1493,7 @@ nla_put_failure:
        return -1;
 }
-static __inline__ int cbq_dump_fopt(struct sk_buff *skb, struct cbq_class *cl)
+static int cbq_dump_fopt(struct sk_buff *skb, struct cbq_class *cl)
 {
        unsigned char *b = skb_tail_pointer(skb);
        struct tc_cbq_fopt opt;
@@ -1505,7 +1512,7 @@ nla_put_failure:
 }
 #ifdef CONFIG_NET_CLS_ACT
-static __inline__ int cbq_dump_police(struct sk_buff *skb, struct cbq_class *cl)
+static int cbq_dump_police(struct sk_buff *skb, struct cbq_class *cl)
 {
        unsigned char *b = skb_tail_pointer(skb);
        struct tc_cbq_police opt;
@@ -1569,7 +1576,7 @@ static int
 cbq_dump_class(struct Qdisc *sch, unsigned long arg,
               struct sk_buff *skb, struct tcmsg *tcm)
 {
-        struct cbq_class *cl = (struct cbq_class*)arg;
+        struct cbq_class *cl = (struct cbq_class *)arg;
        struct nlattr *nest;
        if (cl->tparent)
@@ -1597,7 +1604,7 @@ cbq_dump_class_stats(struct Qdisc *sch, unsigned long arg,
        struct gnet_dump *d)
 {
        struct cbq_sched_data *q = qdisc_priv(sch);
-        struct cbq_class *cl = (struct cbq_class*)arg;
+        struct cbq_class *cl = (struct cbq_class *)arg;
        cl->qstats.qlen = cl->q->q.qlen;
        cl->xstats.avgidle = cl->avgidle;
@@ -1617,7 +1624,7 @@ cbq_dump_class_stats(struct Qdisc *sch, unsigned long arg,
 static int cbq_graft(struct Qdisc *sch, unsigned long arg, struct Qdisc *new,
                     struct Qdisc **old)
 {
-        struct cbq_class *cl = (struct cbq_class*)arg;
+        struct cbq_class *cl = (struct cbq_class *)arg;
        if (new == NULL) {
                new = qdisc_create_dflt(sch->dev_queue,
@@ -1640,10 +1647,9 @@ static int cbq_graft(struct Qdisc *sch, unsigned long arg, struct Qdisc *new,
        return 0;
 }
-static struct Qdisc *
+static struct Qdisc *cbq_leaf(struct Qdisc *sch, unsigned long arg)
-cbq_leaf(struct Qdisc *sch, unsigned long arg)
 {
-        struct cbq_class *cl = (struct cbq_class*)arg;
+        struct cbq_class *cl = (struct cbq_class *)arg;
        return cl->q;
 }
@@ -1682,13 +1688,12 @@ static void cbq_destroy_class(struct Qdisc *sch, struct cbq_class *cl)
                kfree(cl);
 }
-static void
+static void cbq_destroy(struct Qdisc *sch)
-cbq_destroy(struct Qdisc* sch)
 {
        struct cbq_sched_data *q = qdisc_priv(sch);
        struct hlist_node *n, *next;
        struct cbq_class *cl;
-        unsigned h;
+        unsigned int h;
 #ifdef CONFIG_NET_CLS_ACT
        q->rx_class = NULL;
@@ -1712,7 +1717,7 @@ cbq_destroy(struct Qdisc* sch)
 static void cbq_put(struct Qdisc *sch, unsigned long arg)
 {
-        struct cbq_class *cl = (struct cbq_class*)arg;
+        struct cbq_class *cl = (struct cbq_class *)arg;
        if (--cl->refcnt == 0) {
 #ifdef CONFIG_NET_CLS_ACT
@@ -1735,7 +1740,7 @@ cbq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, struct nlattr **t
 {
        int err;
        struct cbq_sched_data *q = qdisc_priv(sch);
-        struct cbq_class *cl = (struct cbq_class*)*arg;
+        struct cbq_class *cl = (struct cbq_class *)*arg;
        struct nlattr *opt = tca[TCA_OPTIONS];
        struct nlattr *tb[TCA_CBQ_MAX + 1];
        struct cbq_class *parent;
@@ -1827,13 +1832,14 @@ cbq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, struct nlattr **t
        if (classid) {
                err = -EINVAL;
-                if (TC_H_MAJ(classid^sch->handle) || cbq_class_lookup(q, classid))
+                if (TC_H_MAJ(classid ^ sch->handle) ||
+                    cbq_class_lookup(q, classid))
                        goto failure;
        } else {
                int i;
-                classid = TC_H_MAKE(sch->handle,0x8000);
+                classid = TC_H_MAKE(sch->handle, 0x8000);
-                for (i=0; i<0x8000; i++) {
+                for (i = 0; i < 0x8000; i++) {
                        if (++q->hgenerator >= 0x8000)
                                q->hgenerator = 1;
                        if (cbq_class_lookup(q, classid|q->hgenerator) == NULL)
@@ -1890,11 +1896,11 @@ cbq_change_class(struct Qdisc *sch, u32 classid, u32 parentid, struct nlattr **t
        cl->minidle = -0x7FFFFFFF;
        cbq_set_lss(cl, nla_data(tb[TCA_CBQ_LSSOPT]));
        cbq_set_wrr(cl, nla_data(tb[TCA_CBQ_WRROPT]));
-        if (cl->ewma_log==0)
+        if (cl->ewma_log == 0)
                cl->ewma_log = q->link.ewma_log;
-        if (cl->maxidle==0)
+        if (cl->maxidle == 0)
                cl->maxidle = q->link.maxidle;
-        if (cl->avpkt==0)
+        if (cl->avpkt == 0)
                cl->avpkt = q->link.avpkt;
        cl->overlimit = cbq_ovl_classic;
        if (tb[TCA_CBQ_OVL_STRATEGY])
@@ -1920,7 +1926,7 @@ failure:
 static int cbq_delete(struct Qdisc *sch, unsigned long arg)
 {
        struct cbq_sched_data *q = qdisc_priv(sch);
-        struct cbq_class *cl = (struct cbq_class*)arg;
+        struct cbq_class *cl = (struct cbq_class *)arg;
        unsigned int qlen;
        if (cl->filters || cl->children || cl == &q->link)
@@ -1978,7 +1984,7 @@ static unsigned long cbq_bind_filter(struct Qdisc *sch, unsigned long parent,
                                     u32 classid)
 {
        struct cbq_sched_data *q = qdisc_priv(sch);
-        struct cbq_class *p = (struct cbq_class*)parent;
+        struct cbq_class *p = (struct cbq_class *)parent;
        struct cbq_class *cl = cbq_class_lookup(q, classid);
        if (cl) {
@@ -1992,7 +1998,7 @@ static unsigned long cbq_bind_filter(struct Qdisc *sch, unsigned long parent,
 static void cbq_unbind_filter(struct Qdisc *sch, unsigned long arg)
 {
-        struct cbq_class *cl = (struct cbq_class*)arg;
+        struct cbq_class *cl = (struct cbq_class *)arg;
        cl->filters--;
 }
@@ -2002,7 +2008,7 @@ static void cbq_walk(struct Qdisc *sch, struct qdisc_walker *arg)
        struct cbq_sched_data *q = qdisc_priv(sch);
        struct cbq_class *cl;
        struct hlist_node *n;
-        unsigned h;
+        unsigned int h;
        if (arg->stop)
                return;
diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c
new file mode 100644
index 000000000000..06afbaeb4c88
--- /dev/null
+++ b/net/sched/sch_choke.c
@@ -0,0 +1,688 @@
+/*
+ * net/sched/sch_choke.c        CHOKE scheduler
+ *
+ * Copyright (c) 2011 Stephen Hemminger <shemminger@vyatta.com>
+ * Copyright (c) 2011 Eric Dumazet <eric.dumazet@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ */
+#include <linux/module.h>
+#include <linux/types.h>
+#include <linux/kernel.h>
+#include <linux/skbuff.h>
+#include <linux/reciprocal_div.h>
+#include <linux/vmalloc.h>
+#include <net/pkt_sched.h>
+#include <net/inet_ecn.h>
+#include <net/red.h>
+#include <linux/ip.h>
+#include <net/ip.h>
+#include <linux/ipv6.h>
+#include <net/ipv6.h>
+/*
+   CHOKe stateless AQM for fair bandwidth allocation
+   =================================================
+   CHOKe (CHOose and Keep for responsive flows, CHOose and Kill for
+   unresponsive flows) is a variant of RED that penalizes misbehaving flows but
+   maintains no flow state. The difference from RED is an additional step
+   during the enqueuing process. If average queue size is over the
+   low threshold (qmin), a packet is chosen at random from the queue.
+   If both the new and chosen packet are from the same flow, both
+   are dropped. Unlike RED, CHOKe is not really a "classful" qdisc because it
+   needs to access packets in queue randomly. It has a minimal class
+   interface to allow overriding the builtin flow classifier with
+   filters.
+   Source:
+   R. Pan, B. Prabhakar, and K. Psounis, "CHOKe, A Stateless
+   Active Queue Management Scheme for Approximating Fair Bandwidth Allocation",
+   IEEE INFOCOM, 2000.
+   A. Tang, J. Wang, S. Low, "Understanding CHOKe: Throughput and Spatial
+   Characteristics", IEEE/ACM Transactions on Networking, 2004
+ */
+/* Upper bound on size of sk_buff table (packets) */
+#define CHOKE_MAX_QUEUE (128*1024 - 1)
+struct choke_sched_data {
+/* Parameters */
+        u32              limit;
+        unsigned char    flags;
+        struct red_parms parms;
+/* Variables */
+        struct tcf_proto *filter_list;
+        struct {
+                u32     prob_drop;      /* Early probability drops */
+                u32     prob_mark;      /* Early probability marks */
+                u32     forced_drop;    /* Forced drops, qavg > max_thresh */
+                u32     forced_mark;    /* Forced marks, qavg > max_thresh */
+                u32     pdrop;          /* Drops due to queue limits */
+                u32     other;          /* Drops due to drop() calls */
+                u32     matched;        /* Drops to flow match */
+        } stats;
+        unsigned int     head;
+        unsigned int     tail;
+        unsigned int     tab_mask; /* size - 1 */
+        struct sk_buff **tab;
+};
+/* deliver a random number between 0 and N - 1 */
+static u32 random_N(unsigned int N)
+{
+        return reciprocal_divide(random32(), N);
+}
+/* number of elements in queue including holes */
+static unsigned int choke_len(const struct choke_sched_data *q)
+{
+        return (q->tail - q->head) & q->tab_mask;
+}
+/* Is ECN parameter configured */
+static int use_ecn(const struct choke_sched_data *q)
+{
+        return q->flags & TC_RED_ECN;
+}
+/* Should packets over max just be dropped (versus marked) */
+static int use_harddrop(const struct choke_sched_data *q)
+{
+        return q->flags & TC_RED_HARDDROP;
+}
+/* Move head pointer forward to skip over holes */
+static void choke_zap_head_holes(struct choke_sched_data *q)
+{
+        do {
+                q->head = (q->head + 1) & q->tab_mask;
+                if (q->head == q->tail)
+                        break;
+        } while (q->tab[q->head] == NULL);
+}
+/* Move tail pointer backwards to reuse holes */
+static void choke_zap_tail_holes(struct choke_sched_data *q)
+{
+        do {
+                q->tail = (q->tail - 1) & q->tab_mask;
+                if (q->head == q->tail)
+                        break;
+        } while (q->tab[q->tail] == NULL);
+}
+/* Drop packet from queue array by creating a "hole" */
+static void choke_drop_by_idx(struct Qdisc *sch, unsigned int idx)
+{
+        struct choke_sched_data *q = qdisc_priv(sch);
+        struct sk_buff *skb = q->tab[idx];
+        q->tab[idx] = NULL;
+        if (idx == q->head)
+                choke_zap_head_holes(q);
+        if (idx == q->tail)
+                choke_zap_tail_holes(q);
+        sch->qstats.backlog -= qdisc_pkt_len(skb);
+        qdisc_drop(skb, sch);
+        qdisc_tree_decrease_qlen(sch, 1);
+        --sch->q.qlen;
+}
+/*
+ * Compare flow of two packets
+ *  Returns true only if source and destination address and port match.
+ *          false for special cases
+ */
+static bool choke_match_flow(struct sk_buff *skb1,
+                             struct sk_buff *skb2)
+{
+        int off1, off2, poff;
+        const u32 *ports1, *ports2;
+        u8 ip_proto;
+        __u32 hash1;
+        if (skb1->protocol != skb2->protocol)
+                return false;
+        /* Use hash value as quick check
+         * Assumes that __skb_get_rxhash makes IP header and ports linear
+         */
+        hash1 = skb_get_rxhash(skb1);
+        if (!hash1 || hash1 != skb_get_rxhash(skb2))
+                return false;
+        /* Probably match, but be sure to avoid hash collisions */
+        off1 = skb_network_offset(skb1);
+        off2 = skb_network_offset(skb2);
+        switch (skb1->protocol) {
+        case __constant_htons(ETH_P_IP): {
+                const struct iphdr *ip1, *ip2;
+                ip1 = (const struct iphdr *) (skb1->data + off1);
+                ip2 = (const struct iphdr *) (skb2->data + off2);
+                ip_proto = ip1->protocol;
+                if (ip_proto != ip2->protocol ||
+                    ip1->saddr != ip2->saddr || ip1->daddr != ip2->daddr)
+                        return false;
+                if ((ip1->frag_off | ip2->frag_off) & htons(IP_MF | IP_OFFSET))
+                        ip_proto = 0;
+                off1 += ip1->ihl * 4;
+                off2 += ip2->ihl * 4;
+                break;
+        }
+        case __constant_htons(ETH_P_IPV6): {
+                const struct ipv6hdr *ip1, *ip2;
+                ip1 = (const struct ipv6hdr *) (skb1->data + off1);
+                ip2 = (const struct ipv6hdr *) (skb2->data + off2);
+                ip_proto = ip1->nexthdr;
+                if (ip_proto != ip2->nexthdr ||
+                    ipv6_addr_cmp(&ip1->saddr, &ip2->saddr) ||
+                    ipv6_addr_cmp(&ip1->daddr, &ip2->daddr))
+                        return false;
+                off1 += 40;
+                off2 += 40;
+        }
+        default: /* Maybe compare MAC header here? */
+                return false;
+        }
+        poff = proto_ports_offset(ip_proto);
+        if (poff < 0)
+                return true;
+        off1 += poff;
+        off2 += poff;
+        ports1 = (__force u32 *)(skb1->data + off1);
+        ports2 = (__force u32 *)(skb2->data + off2);
+        return *ports1 == *ports2;
+}
+struct choke_skb_cb {
+        u16 classid;
+};
+static inline struct choke_skb_cb *choke_skb_cb(const struct sk_buff *skb)
+{
+        BUILD_BUG_ON(sizeof(skb->cb) <
+                sizeof(struct qdisc_skb_cb) + sizeof(struct choke_skb_cb));
+        return (struct choke_skb_cb *)qdisc_skb_cb(skb)->data;
+}
+static inline void choke_set_classid(struct sk_buff *skb, u16 classid)
+{
+        choke_skb_cb(skb)->classid = classid;
+}
+static u16 choke_get_classid(const struct sk_buff *skb)
+{
+        return choke_skb_cb(skb)->classid;
+}
+/*
+ * Classify flow using either:
+ *  1. pre-existing classification result in skb
+ *  2. fast internal classification
+ *  3. use TC filter based classification
+ */
+static bool choke_classify(struct sk_buff *skb,
+                           struct Qdisc *sch, int *qerr)
+{
+        struct choke_sched_data *q = qdisc_priv(sch);
+        struct tcf_result res;
+        int result;
+        result = tc_classify(skb, q->filter_list, &res);
+        if (result >= 0) {
+#ifdef CONFIG_NET_CLS_ACT
+                switch (result) {
+                case TC_ACT_STOLEN:
+                case TC_ACT_QUEUED:
+                        *qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN;
+                case TC_ACT_SHOT:
+                        return false;
+                }
+#endif
+                choke_set_classid(skb, TC_H_MIN(res.classid));
+                return true;
+        }
+        return false;
+}
+/*
+ * Select a packet at random from queue
+ * HACK: since queue can have holes from previous deletion; retry several
+ *   times to find a random skb but then just give up and return the head
+ * Will return NULL if queue is empty (q->head == q->tail)
+ */
+static struct sk_buff *choke_peek_random(const struct choke_sched_data *q,
+                                         unsigned int *pidx)
+{
+        struct sk_buff *skb;
+        int retrys = 3;
+        do {
+                *pidx = (q->head + random_N(choke_len(q))) & q->tab_mask;
+                skb = q->tab[*pidx];
+                if (skb)
+                        return skb;
+        } while (--retrys > 0);
+        return q->tab[*pidx = q->head];
+}
+/*
+ * Compare new packet with random packet in queue
+ * returns true if matched and sets *pidx
+ */
+static bool choke_match_random(const struct choke_sched_data *q,
+                               struct sk_buff *nskb,
+                               unsigned int *pidx)
+{
+        struct sk_buff *oskb;
+        if (q->head == q->tail)
+                return false;
+        oskb = choke_peek_random(q, pidx);
+        if (q->filter_list)
+                return choke_get_classid(nskb) == choke_get_classid(oskb);
+        return choke_match_flow(oskb, nskb);
+}
+static int choke_enqueue(struct sk_buff *skb, struct Qdisc *sch)
+{
+        struct choke_sched_data *q = qdisc_priv(sch);
+        struct red_parms *p = &q->parms;
+        int ret = NET_XMIT_SUCCESS | __NET_XMIT_BYPASS;
+        if (q->filter_list) {
+                /* If using external classifiers, get result and record it. */
+                if (!choke_classify(skb, sch, &ret))
+                        goto other_drop;        /* Packet was eaten by filter */
+        }
+        /* Compute average queue usage (see RED) */
+        p->qavg = red_calc_qavg(p, sch->q.qlen);
+        if (red_is_idling(p))
+                red_end_of_idle_period(p);
+        /* Is queue small? */
+        if (p->qavg <= p->qth_min)
+                p->qcount = -1;
+        else {
+                unsigned int idx;
+                /* Draw a packet at random from queue and compare flow */
+                if (choke_match_random(q, skb, &idx)) {
+                        q->stats.matched++;
+                        choke_drop_by_idx(sch, idx);
+                        goto congestion_drop;
+                }
+                /* Queue is large, always mark/drop */
+                if (p->qavg > p->qth_max) {
+                        p->qcount = -1;
+                        sch->qstats.overlimits++;
+                        if (use_harddrop(q) || !use_ecn(q) ||
+                            !INET_ECN_set_ce(skb)) {
+                                q->stats.forced_drop++;
+                                goto congestion_drop;
+                        }
+                        q->stats.forced_mark++;
+                } else if (++p->qcount) {
+                        if (red_mark_probability(p, p->qavg)) {
+                                p->qcount = 0;
+                                p->qR = red_random(p);
+                                sch->qstats.overlimits++;
+                                if (!use_ecn(q) || !INET_ECN_set_ce(skb)) {
+                                        q->stats.prob_drop++;
+                                        goto congestion_drop;
+                                }
+                                q->stats.prob_mark++;
+                        }
+                } else
+                        p->qR = red_random(p);
+        }
+        /* Admit new packet */
+        if (sch->q.qlen < q->limit) {
+                q->tab[q->tail] = skb;
+                q->tail = (q->tail + 1) & q->tab_mask;
+                ++sch->q.qlen;
+                sch->qstats.backlog += qdisc_pkt_len(skb);
+                return NET_XMIT_SUCCESS;
+        }
+        q->stats.pdrop++;
+        sch->qstats.drops++;
+        kfree_skb(skb);
+        return NET_XMIT_DROP;
+ congestion_drop:
+        qdisc_drop(skb, sch);
+        return NET_XMIT_CN;
+ other_drop:
+        if (ret & __NET_XMIT_BYPASS)
+                sch->qstats.drops++;
+        kfree_skb(skb);
+        return ret;
+}
+static struct sk_buff *choke_dequeue(struct Qdisc *sch)
+{
+        struct choke_sched_data *q = qdisc_priv(sch);
+        struct sk_buff *skb;
+        if (q->head == q->tail) {
+                if (!red_is_idling(&q->parms))
+                        red_start_of_idle_period(&q->parms);
+                return NULL;
+        }
+        skb = q->tab[q->head];
+        q->tab[q->head] = NULL;
+        choke_zap_head_holes(q);
+        --sch->q.qlen;
+        sch->qstats.backlog -= qdisc_pkt_len(skb);
+        qdisc_bstats_update(sch, skb);
+        return skb;
+}
+static unsigned int choke_drop(struct Qdisc *sch)
+{
+        struct choke_sched_data *q = qdisc_priv(sch);
+        unsigned int len;
+        len = qdisc_queue_drop(sch);
+        if (len > 0)
+                q->stats.other++;
+        else {
+                if (!red_is_idling(&q->parms))
+                        red_start_of_idle_period(&q->parms);
+        }
+        return len;
+}
+static void choke_reset(struct Qdisc *sch)
+{
+        struct choke_sched_data *q = qdisc_priv(sch);
+        red_restart(&q->parms);
+}
+static const struct nla_policy choke_policy[TCA_CHOKE_MAX + 1] = {
+        [TCA_CHOKE_PARMS]       = { .len = sizeof(struct tc_red_qopt) },
+        [TCA_CHOKE_STAB]        = { .len = RED_STAB_SIZE },
+};
+static void choke_free(void *addr)
+{
+        if (addr) {
+                if (is_vmalloc_addr(addr))
+                        vfree(addr);
+                else
+                        kfree(addr);
+        }
+}
+static int choke_change(struct Qdisc *sch, struct nlattr *opt)
+{
+        struct choke_sched_data *q = qdisc_priv(sch);
+        struct nlattr *tb[TCA_CHOKE_MAX + 1];
+        const struct tc_red_qopt *ctl;
+        int err;
+        struct sk_buff **old = NULL;
+        unsigned int mask;
+        if (opt == NULL)
+                return -EINVAL;
+        err = nla_parse_nested(tb, TCA_CHOKE_MAX, opt, choke_policy);
+        if (err < 0)
+                return err;
+        if (tb[TCA_CHOKE_PARMS] == NULL ||
+            tb[TCA_CHOKE_STAB] == NULL)
+                return -EINVAL;
+        ctl = nla_data(tb[TCA_CHOKE_PARMS]);
+        if (ctl->limit > CHOKE_MAX_QUEUE)
+                return -EINVAL;
+        mask = roundup_pow_of_two(ctl->limit + 1) - 1;
+        if (mask != q->tab_mask) {
+                struct sk_buff **ntab;
+                ntab = kcalloc(mask + 1, sizeof(struct sk_buff *), GFP_KERNEL);
+                if (!ntab)
+                        ntab = vzalloc((mask + 1) * sizeof(struct sk_buff *));
+                if (!ntab)
+                        return -ENOMEM;
+                sch_tree_lock(sch);
+                old = q->tab;
+                if (old) {
+                        unsigned int oqlen = sch->q.qlen, tail = 0;
+                        while (q->head != q->tail) {
+                                struct sk_buff *skb = q->tab[q->head];
+                                q->head = (q->head + 1) & q->tab_mask;
+                                if (!skb)
+                                        continue;
+                                if (tail < mask) {
+                                        ntab[tail++] = skb;
+                                        continue;
+                                }
+                                sch->qstats.backlog -= qdisc_pkt_len(skb);
+                                --sch->q.qlen;
+                                qdisc_drop(skb, sch);
+                        }
+                        qdisc_tree_decrease_qlen(sch, oqlen - sch->q.qlen);
+                        q->head = 0;
+                        q->tail = tail;
+                }
+                q->tab_mask = mask;
+                q->tab = ntab;
+        } else
+                sch_tree_lock(sch);
+        q->flags = ctl->flags;
+        q->limit = ctl->limit;
+        red_set_parms(&q->parms, ctl->qth_min, ctl->qth_max, ctl->Wlog,
+                      ctl->Plog, ctl->Scell_log,
+                      nla_data(tb[TCA_CHOKE_STAB]));
+        if (q->head == q->tail)
+                red_end_of_idle_period(&q->parms);
+        sch_tree_unlock(sch);
+        choke_free(old);
+        return 0;
+}
+static int choke_init(struct Qdisc *sch, struct nlattr *opt)
+{
+        return choke_change(sch, opt);
+}
+static int choke_dump(struct Qdisc *sch, struct sk_buff *skb)
+{
+        struct choke_sched_data *q = qdisc_priv(sch);
+        struct nlattr *opts = NULL;
+        struct tc_red_qopt opt = {
+                .limit          = q->limit,
+                .flags          = q->flags,
+                .qth_min        = q->parms.qth_min >> q->parms.Wlog,
+                .qth_max        = q->parms.qth_max >> q->parms.Wlog,
+                .Wlog           = q->parms.Wlog,
+                .Plog           = q->parms.Plog,
+                .Scell_log      = q->parms.Scell_log,
+        };
+        opts = nla_nest_start(skb, TCA_OPTIONS);
+        if (opts == NULL)
+                goto nla_put_failure;
+        NLA_PUT(skb, TCA_CHOKE_PARMS, sizeof(opt), &opt);
+        return nla_nest_end(skb, opts);
+nla_put_failure:
+        nla_nest_cancel(skb, opts);
+        return -EMSGSIZE;
+}
+static int choke_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
+{
+        struct choke_sched_data *q = qdisc_priv(sch);
+        struct tc_choke_xstats st = {
+                .early  = q->stats.prob_drop + q->stats.forced_drop,
+                .marked = q->stats.prob_mark + q->stats.forced_mark,
+                .pdrop  = q->stats.pdrop,
+                .other  = q->stats.other,
+                .matched = q->stats.matched,
+        };
+        return gnet_stats_copy_app(d, &st, sizeof(st));
+}
+static void choke_destroy(struct Qdisc *sch)
+{
+        struct choke_sched_data *q = qdisc_priv(sch);
+        tcf_destroy_chain(&q->filter_list);
+        choke_free(q->tab);
+}
+static struct Qdisc *choke_leaf(struct Qdisc *sch, unsigned long arg)
+{
+        return NULL;
+}
+static unsigned long choke_get(struct Qdisc *sch, u32 classid)
+{
+        return 0;
+}
+static void choke_put(struct Qdisc *q, unsigned long cl)
+{
+}
+static unsigned long choke_bind(struct Qdisc *sch, unsigned long parent,
+                                u32 classid)
+{
+        return 0;
+}
+static struct tcf_proto **choke_find_tcf(struct Qdisc *sch, unsigned long cl)
+{
+        struct choke_sched_data *q = qdisc_priv(sch);
+        if (cl)
+                return NULL;
+        return &q->filter_list;
+}
+static int choke_dump_class(struct Qdisc *sch, unsigned long cl,
+                          struct sk_buff *skb, struct tcmsg *tcm)
+{
+        tcm->tcm_handle |= TC_H_MIN(cl);
+        return 0;
+}
+static void choke_walk(struct Qdisc *sch, struct qdisc_walker *arg)
+{
+        if (!arg->stop) {
+                if (arg->fn(sch, 1, arg) < 0) {
+                        arg->stop = 1;
+                        return;
+                }
+                arg->count++;
+        }
+}
+static const struct Qdisc_class_ops choke_class_ops = {
+        .leaf           =       choke_leaf,
+        .get            =       choke_get,
+        .put            =       choke_put,
+        .tcf_chain      =       choke_find_tcf,
+        .bind_tcf       =       choke_bind,
+        .unbind_tcf     =       choke_put,
+        .dump           =       choke_dump_class,
+        .walk           =       choke_walk,
+};
+static struct sk_buff *choke_peek_head(struct Qdisc *sch)
+{
+        struct choke_sched_data *q = qdisc_priv(sch);
+        return (q->head != q->tail) ? q->tab[q->head] : NULL;
+}
+static struct Qdisc_ops choke_qdisc_ops __read_mostly = {
+        .id             =       "choke",
+        .priv_size      =       sizeof(struct choke_sched_data),
+        .enqueue        =       choke_enqueue,
+        .dequeue        =       choke_dequeue,
+        .peek           =       choke_peek_head,
+        .drop           =       choke_drop,
+        .init           =       choke_init,
+        .destroy        =       choke_destroy,
+        .reset          =       choke_reset,
+        .change         =       choke_change,
+        .dump           =       choke_dump,
+        .dump_stats     =       choke_dump_stats,
+        .owner          =       THIS_MODULE,
+};
+static int __init choke_module_init(void)
+{
+        return register_qdisc(&choke_qdisc_ops);
+}
+static void __exit choke_module_exit(void)
+{
+        unregister_qdisc(&choke_qdisc_ops);
+}
+module_init(choke_module_init)
+module_exit(choke_module_exit)
+MODULE_LICENSE("GPL");
diff --git a/net/sched/sch_dsmark.c b/net/sched/sch_dsmark.c
index 0f7bf3fdfea5..2c790204d042 100644
--- a/net/sched/sch_dsmark.c
+++ b/net/sched/sch_dsmark.c
@@ -137,10 +137,10 @@ static int dsmark_change(struct Qdisc *sch, u32 classid, u32 parent,
                mask = nla_get_u8(tb[TCA_DSMARK_MASK]);
        if (tb[TCA_DSMARK_VALUE])
-                p->value[*arg-1] = nla_get_u8(tb[TCA_DSMARK_VALUE]);
+                p->value[*arg - 1] = nla_get_u8(tb[TCA_DSMARK_VALUE]);
        if (tb[TCA_DSMARK_MASK])
-                p->mask[*arg-1] = mask;
+                p->mask[*arg - 1] = mask;
        err = 0;
@@ -155,8 +155,8 @@ static int dsmark_delete(struct Qdisc *sch, unsigned long arg)
        if (!dsmark_valid_index(p, arg))
                return -EINVAL;
-        p->mask[arg-1] = 0xff;
+        p->mask[arg - 1] = 0xff;
-        p->value[arg-1] = 0;
+        p->value[arg - 1] = 0;
        return 0;
 }
@@ -175,7 +175,7 @@ static void dsmark_walk(struct Qdisc *sch, struct qdisc_walker *walker)
                if (p->mask[i] == 0xff && !p->value[i])
                        goto ignore;
                if (walker->count >= walker->skip) {
-                        if (walker->fn(sch, i+1, walker) < 0) {
+                        if (walker->fn(sch, i + 1, walker) < 0) {
                                walker->stop = 1;
                                break;
                        }
@@ -304,9 +304,8 @@ static struct sk_buff *dsmark_dequeue(struct Qdisc *sch)
                 * and don't need yet another qdisc as a bypass.
                 */
                if (p->mask[index] != 0xff || p->value[index])
-                        printk(KERN_WARNING
+                        pr_warning("dsmark_dequeue: unsupported protocol %d\n",
-                               "dsmark_dequeue: unsupported protocol %d\n",
+                                   ntohs(skb->protocol));
-                               ntohs(skb->protocol));
                break;
        }
@@ -424,14 +423,14 @@ static int dsmark_dump_class(struct Qdisc *sch, unsigned long cl,
        if (!dsmark_valid_index(p, cl))
                return -EINVAL;
-        tcm->tcm_handle = TC_H_MAKE(TC_H_MAJ(sch->handle), cl-1);
+        tcm->tcm_handle = TC_H_MAKE(TC_H_MAJ(sch->handle), cl - 1);
        tcm->tcm_info = p->q->handle;
        opts = nla_nest_start(skb, TCA_OPTIONS);
        if (opts == NULL)
                goto nla_put_failure;
-        NLA_PUT_U8(skb, TCA_DSMARK_MASK, p->mask[cl-1]);
+        NLA_PUT_U8(skb, TCA_DSMARK_MASK, p->mask[cl - 1]);
-        NLA_PUT_U8(skb, TCA_DSMARK_VALUE, p->value[cl-1]);
+        NLA_PUT_U8(skb, TCA_DSMARK_VALUE, p->value[cl - 1]);
        return nla_nest_end(skb, opts);
diff --git a/net/sched/sch_fifo.c b/net/sched/sch_fifo.c
index d468b479aa93..66effe2da8e0 100644
--- a/net/sched/sch_fifo.c
+++ b/net/sched/sch_fifo.c
@@ -19,36 +19,25 @@
 /* 1 band FIFO pseudo-"scheduler" */
-struct fifo_sched_data
+static int bfifo_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
-        u32 limit;
+        if (likely(sch->qstats.backlog + qdisc_pkt_len(skb) <= sch->limit))
-};
-static int bfifo_enqueue(struct sk_buff *skb, struct Qdisc* sch)
-{
-        struct fifo_sched_data *q = qdisc_priv(sch);
-        if (likely(sch->qstats.backlog + qdisc_pkt_len(skb) <= q->limit))
                return qdisc_enqueue_tail(skb, sch);
        return qdisc_reshape_fail(skb, sch);
 }
-static int pfifo_enqueue(struct sk_buff *skb, struct Qdisc* sch)
+static int pfifo_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
-        struct fifo_sched_data *q = qdisc_priv(sch);
+        if (likely(skb_queue_len(&sch->q) < sch->limit))
-        if (likely(skb_queue_len(&sch->q) < q->limit))
                return qdisc_enqueue_tail(skb, sch);
        return qdisc_reshape_fail(skb, sch);
 }
-static int pfifo_tail_enqueue(struct sk_buff *skb, struct Qdisc* sch)
+static int pfifo_tail_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
-        struct fifo_sched_data *q = qdisc_priv(sch);
+        if (likely(skb_queue_len(&sch->q) < sch->limit))
-        if (likely(skb_queue_len(&sch->q) < q->limit))
                return qdisc_enqueue_tail(skb, sch);
        /* queue full, remove one skb to fulfill the limit */
@@ -61,31 +50,40 @@ static int pfifo_tail_enqueue(struct sk_buff *skb, struct Qdisc* sch)
 static int fifo_init(struct Qdisc *sch, struct nlattr *opt)
 {
-        struct fifo_sched_data *q = qdisc_priv(sch);
+        bool bypass;
+        bool is_bfifo = sch->ops == &bfifo_qdisc_ops;
        if (opt == NULL) {
                u32 limit = qdisc_dev(sch)->tx_queue_len ? : 1;
-                if (sch->ops == &bfifo_qdisc_ops)
+                if (is_bfifo)
                        limit *= psched_mtu(qdisc_dev(sch));
-                q->limit = limit;
+                sch->limit = limit;
        } else {
                struct tc_fifo_qopt *ctl = nla_data(opt);
                if (nla_len(opt) < sizeof(*ctl))
                        return -EINVAL;
-                q->limit = ctl->limit;
+                sch->limit = ctl->limit;
        }
+        if (is_bfifo)
+                bypass = sch->limit >= psched_mtu(qdisc_dev(sch));
+        else
+                bypass = sch->limit >= 1;
+        if (bypass)
+                sch->flags |= TCQ_F_CAN_BYPASS;
+        else
+                sch->flags &= ~TCQ_F_CAN_BYPASS;
        return 0;
 }
 static int fifo_dump(struct Qdisc *sch, struct sk_buff *skb)
 {
-        struct fifo_sched_data *q = qdisc_priv(sch);
+        struct tc_fifo_qopt opt = { .limit = sch->limit };
-        struct tc_fifo_qopt opt = { .limit = q->limit };
        NLA_PUT(skb, TCA_OPTIONS, sizeof(opt), &opt);
        return skb->len;
@@ -96,7 +94,7 @@ nla_put_failure:
 struct Qdisc_ops pfifo_qdisc_ops __read_mostly = {
        .id             =       "pfifo",
-        .priv_size      =       sizeof(struct fifo_sched_data),
+        .priv_size      =       0,
        .enqueue        =       pfifo_enqueue,
        .dequeue        =       qdisc_dequeue_head,
        .peek           =       qdisc_peek_head,
@@ -111,7 +109,7 @@ EXPORT_SYMBOL(pfifo_qdisc_ops);
 struct Qdisc_ops bfifo_qdisc_ops __read_mostly = {
        .id             =       "bfifo",
-        .priv_size      =       sizeof(struct fifo_sched_data),
+        .priv_size      =       0,
        .enqueue        =       bfifo_enqueue,
        .dequeue        =       qdisc_dequeue_head,
        .peek           =       qdisc_peek_head,
@@ -126,7 +124,7 @@ EXPORT_SYMBOL(bfifo_qdisc_ops);
 struct Qdisc_ops pfifo_head_drop_qdisc_ops __read_mostly = {
        .id             =       "pfifo_head_drop",
-        .priv_size      =       sizeof(struct fifo_sched_data),
+        .priv_size      =       0,
        .enqueue        =       pfifo_tail_enqueue,
        .dequeue        =       qdisc_dequeue_head,
        .peek           =       qdisc_peek_head,
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 1bc698039ae2..c84b65920d1b 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -87,8 +87,8 @@ static inline int handle_dev_cpu_collision(struct sk_buff *skb,
                 */
                kfree_skb(skb);
                if (net_ratelimit())
-                        printk(KERN_WARNING "Dead loop on netdevice %s, "
+                        pr_warning("Dead loop on netdevice %s, fix it urgently!\n",
-                               "fix it urgently!\n", dev_queue->dev->name);
+                                   dev_queue->dev->name);
                ret = qdisc_qlen(q);
        } else {
                /*
@@ -137,8 +137,8 @@ int sch_direct_xmit(struct sk_buff *skb, struct Qdisc *q,
        } else {
                /* Driver returned NETDEV_TX_BUSY - requeue skb */
                if (unlikely (ret != NETDEV_TX_BUSY && net_ratelimit()))
-                        printk(KERN_WARNING "BUG %s code %d qlen %d\n",
+                        pr_warning("BUG %s code %d qlen %d\n",
-                               dev->name, ret, q->q.qlen);
+                                   dev->name, ret, q->q.qlen);
                ret = dev_requeue_skb(skb, q);
        }
@@ -412,8 +412,9 @@ static struct Qdisc noqueue_qdisc = {
 };
-static const u8 prio2band[TC_PRIO_MAX+1] =
+static const u8 prio2band[TC_PRIO_MAX + 1] = {
-        { 1, 2, 2, 2, 1, 2, 0, 0 , 1, 1, 1, 1, 1, 1, 1, 1 };
+        1, 2, 2, 2, 1, 2, 0, 0 , 1, 1, 1, 1, 1, 1, 1, 1
+};
 /* 3-band FIFO queue: old style, but should be a bit faster than
   generic prio+fifo combination.
@@ -445,7 +446,7 @@ static inline struct sk_buff_head *band2list(struct pfifo_fast_priv *priv,
        return priv->q + band;
 }
-static int pfifo_fast_enqueue(struct sk_buff *skb, struct Qdisc* qdisc)
+static int pfifo_fast_enqueue(struct sk_buff *skb, struct Qdisc *qdisc)
 {
        if (skb_queue_len(&qdisc->q) < qdisc_dev(qdisc)->tx_queue_len) {
                int band = prio2band[skb->priority & TC_PRIO_MAX];
@@ -460,7 +461,7 @@ static int pfifo_fast_enqueue(struct sk_buff *skb, struct Qdisc* qdisc)
        return qdisc_drop(skb, qdisc);
 }
-static struct sk_buff *pfifo_fast_dequeue(struct Qdisc* qdisc)
+static struct sk_buff *pfifo_fast_dequeue(struct Qdisc *qdisc)
 {
        struct pfifo_fast_priv *priv = qdisc_priv(qdisc);
        int band = bitmap2band[priv->bitmap];
@@ -479,7 +480,7 @@ static struct sk_buff *pfifo_fast_dequeue(struct Qdisc* qdisc)
        return NULL;
 }
-static struct sk_buff *pfifo_fast_peek(struct Qdisc* qdisc)
+static struct sk_buff *pfifo_fast_peek(struct Qdisc *qdisc)
 {
        struct pfifo_fast_priv *priv = qdisc_priv(qdisc);
        int band = bitmap2band[priv->bitmap];
@@ -493,7 +494,7 @@ static struct sk_buff *pfifo_fast_peek(struct Qdisc* qdisc)
        return NULL;
 }
-static void pfifo_fast_reset(struct Qdisc* qdisc)
+static void pfifo_fast_reset(struct Qdisc *qdisc)
 {
        int prio;
        struct pfifo_fast_priv *priv = qdisc_priv(qdisc);
@@ -510,7 +511,7 @@ static int pfifo_fast_dump(struct Qdisc *qdisc, struct sk_buff *skb)
 {
        struct tc_prio_qopt opt = { .bands = PFIFO_FAST_BANDS };
-        memcpy(&opt.priomap, prio2band, TC_PRIO_MAX+1);
+        memcpy(&opt.priomap, prio2band, TC_PRIO_MAX + 1);
        NLA_PUT(skb, TCA_OPTIONS, sizeof(opt), &opt);
        return skb->len;
@@ -526,6 +527,8 @@ static int pfifo_fast_init(struct Qdisc *qdisc, struct nlattr *opt)
        for (prio = 0; prio < PFIFO_FAST_BANDS; prio++)
                skb_queue_head_init(band2list(priv, prio));
+        /* Can by-pass the queue discipline */
+        qdisc->flags |= TCQ_F_CAN_BYPASS;
        return 0;
 }
@@ -540,27 +543,32 @@ struct Qdisc_ops pfifo_fast_ops __read_mostly = {
        .dump           =       pfifo_fast_dump,
        .owner          =       THIS_MODULE,
 };
+EXPORT_SYMBOL(pfifo_fast_ops);
 struct Qdisc *qdisc_alloc(struct netdev_queue *dev_queue,
                          struct Qdisc_ops *ops)
 {
        void *p;
        struct Qdisc *sch;
-        unsigned int size;
+        unsigned int size = QDISC_ALIGN(sizeof(*sch)) + ops->priv_size;
        int err = -ENOBUFS;
-        /* ensure that the Qdisc and the private data are 64-byte aligned */
-        size = QDISC_ALIGN(sizeof(*sch));
-        size += ops->priv_size + (QDISC_ALIGNTO - 1);
        p = kzalloc_node(size, GFP_KERNEL,
                         netdev_queue_numa_node_read(dev_queue));
        if (!p)
                goto errout;
        sch = (struct Qdisc *) QDISC_ALIGN((unsigned long) p);
-        sch->padded = (char *) sch - (char *) p;
+        /* if we got non aligned memory, ask more and do alignment ourself */
+        if (sch != p) {
+                kfree(p);
+                p = kzalloc_node(size + QDISC_ALIGNTO - 1, GFP_KERNEL,
+                                 netdev_queue_numa_node_read(dev_queue));
+                if (!p)
+                        goto errout;
+                sch = (struct Qdisc *) QDISC_ALIGN((unsigned long) p);
+                sch->padded = (char *) sch - (char *) p;
+        }
        INIT_LIST_HEAD(&sch->list);
        skb_queue_head_init(&sch->q);
        spin_lock_init(&sch->busylock);
@@ -630,7 +638,7 @@ void qdisc_destroy(struct Qdisc *qdisc)
 #ifdef CONFIG_NET_SCHED
        qdisc_list_del(qdisc);
-        qdisc_put_stab(qdisc->stab);
+        qdisc_put_stab(rtnl_dereference(qdisc->stab));
 #endif
        gen_kill_estimator(&qdisc->bstats, &qdisc->rate_est);
        if (ops->reset)
@@ -674,25 +682,21 @@ struct Qdisc *dev_graft_qdisc(struct netdev_queue *dev_queue,
        return oqdisc;
 }
+EXPORT_SYMBOL(dev_graft_qdisc);
 static void attach_one_default_qdisc(struct net_device *dev,
                                     struct netdev_queue *dev_queue,
                                     void *_unused)
 {
-        struct Qdisc *qdisc;
+        struct Qdisc *qdisc = &noqueue_qdisc;
        if (dev->tx_queue_len) {
                qdisc = qdisc_create_dflt(dev_queue,
                                          &pfifo_fast_ops, TC_H_ROOT);
                if (!qdisc) {
-                        printk(KERN_INFO "%s: activation failed\n", dev->name);
+                        netdev_info(dev, "activation failed\n");
                        return;
                }
-                /* Can by-pass the queue discipline for default qdisc */
-                qdisc->flags |= TCQ_F_CAN_BYPASS;
-        } else {
-                qdisc =  &noqueue_qdisc;
        }
        dev_queue->qdisc_sleeping = qdisc;
 }
@@ -761,6 +765,7 @@ void dev_activate(struct net_device *dev)
                dev_watchdog_up(dev);
        }
 }
+EXPORT_SYMBOL(dev_activate);
 static void dev_deactivate_queue(struct net_device *dev,
                                 struct netdev_queue *dev_queue,
@@ -841,6 +846,7 @@ void dev_deactivate(struct net_device *dev)
        dev_deactivate_many(&single);
        list_del(&single);
 }
+EXPORT_SYMBOL(dev_deactivate);
 static void dev_init_scheduler_queue(struct net_device *dev,
                                     struct netdev_queue *dev_queue,
diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
index 51dcc2aa5c92..b9493a09a870 100644
--- a/net/sched/sch_gred.c
+++ b/net/sched/sch_gred.c
@@ -32,8 +32,7 @@
 struct gred_sched_data;
 struct gred_sched;
-struct gred_sched_data
+struct gred_sched_data {
-{
        u32             limit;          /* HARD maximal queue length    */
        u32             DP;             /* the drop pramaters */
        u32             bytesin;        /* bytes seen on virtualQ so far*/
@@ -50,8 +49,7 @@ enum {
        GRED_RIO_MODE,
 };
-struct gred_sched
+struct gred_sched {
-{
        struct gred_sched_data *tab[MAX_DPs];
        unsigned long   flags;
        u32             red_flags;
@@ -150,17 +148,18 @@ static inline int gred_use_harddrop(struct gred_sched *t)
        return t->red_flags & TC_RED_HARDDROP;
 }
-static int gred_enqueue(struct sk_buff *skb, struct Qdisc* sch)
+static int gred_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
-        struct gred_sched_data *q=NULL;
+        struct gred_sched_data *q = NULL;
-        struct gred_sched *t= qdisc_priv(sch);
+        struct gred_sched *t = qdisc_priv(sch);
        unsigned long qavg = 0;
        u16 dp = tc_index_to_dp(skb);
-        if (dp >= t->DPs  || (q = t->tab[dp]) == NULL) {
+        if (dp >= t->DPs || (q = t->tab[dp]) == NULL) {
                dp = t->def;
-                if ((q = t->tab[dp]) == NULL) {
+                q = t->tab[dp];
+                if (!q) {
                        /* Pass through packets not assigned to a DP
                         * if no default DP has been configured. This
                         * allows for DP flows to be left untouched.
@@ -183,7 +182,7 @@ static int gred_enqueue(struct sk_buff *skb, struct Qdisc* sch)
                for (i = 0; i < t->DPs; i++) {
                        if (t->tab[i] && t->tab[i]->prio < q->prio &&
                            !red_is_idling(&t->tab[i]->parms))
-                                qavg +=t->tab[i]->parms.qavg;
+                                qavg += t->tab[i]->parms.qavg;
                }
        }
@@ -203,28 +202,28 @@ static int gred_enqueue(struct sk_buff *skb, struct Qdisc* sch)
                gred_store_wred_set(t, q);
        switch (red_action(&q->parms, q->parms.qavg + qavg)) {
-                case RED_DONT_MARK:
+        case RED_DONT_MARK:
-                        break;
+                break;
-                case RED_PROB_MARK:
+        case RED_PROB_MARK:
-                        sch->qstats.overlimits++;
+                sch->qstats.overlimits++;
-                        if (!gred_use_ecn(t) || !INET_ECN_set_ce(skb)) {
+                if (!gred_use_ecn(t) || !INET_ECN_set_ce(skb)) {
-                                q->stats.prob_drop++;
+                        q->stats.prob_drop++;
-                                goto congestion_drop;
+                        goto congestion_drop;
-                        }
+                }
-                        q->stats.prob_mark++;
+                q->stats.prob_mark++;
-                        break;
+                break;
-                case RED_HARD_MARK:
+        case RED_HARD_MARK:
-                        sch->qstats.overlimits++;
+                sch->qstats.overlimits++;
-                        if (gred_use_harddrop(t) || !gred_use_ecn(t) ||
+                if (gred_use_harddrop(t) || !gred_use_ecn(t) ||
-                            !INET_ECN_set_ce(skb)) {
+                    !INET_ECN_set_ce(skb)) {
-                                q->stats.forced_drop++;
+                        q->stats.forced_drop++;
-                                goto congestion_drop;
+                        goto congestion_drop;
-                        }
+                }
-                        q->stats.forced_mark++;
+                q->stats.forced_mark++;
-                        break;
+                break;
        }
        if (q->backlog + qdisc_pkt_len(skb) <= q->limit) {
@@ -241,7 +240,7 @@ congestion_drop:
        return NET_XMIT_CN;
 }
-static struct sk_buff *gred_dequeue(struct Qdisc* sch)
+static struct sk_buff *gred_dequeue(struct Qdisc *sch)
 {
        struct sk_buff *skb;
        struct gred_sched *t = qdisc_priv(sch);
@@ -254,9 +253,9 @@ static struct sk_buff *gred_dequeue(struct Qdisc* sch)
                if (dp >= t->DPs || (q = t->tab[dp]) == NULL) {
                        if (net_ratelimit())
-                                printk(KERN_WARNING "GRED: Unable to relocate "
+                                pr_warning("GRED: Unable to relocate VQ 0x%x "
-                                       "VQ 0x%x after dequeue, screwing up "
+                                           "after dequeue, screwing up "
-                                       "backlog.\n", tc_index_to_dp(skb));
+                                           "backlog.\n", tc_index_to_dp(skb));
                } else {
                        q->backlog -= qdisc_pkt_len(skb);
@@ -273,7 +272,7 @@ static struct sk_buff *gred_dequeue(struct Qdisc* sch)
        return NULL;
 }
-static unsigned int gred_drop(struct Qdisc* sch)
+static unsigned int gred_drop(struct Qdisc *sch)
 {
        struct sk_buff *skb;
        struct gred_sched *t = qdisc_priv(sch);
@@ -286,9 +285,9 @@ static unsigned int gred_drop(struct Qdisc* sch)
                if (dp >= t->DPs || (q = t->tab[dp]) == NULL) {
                        if (net_ratelimit())
-                                printk(KERN_WARNING "GRED: Unable to relocate "
+                                pr_warning("GRED: Unable to relocate VQ 0x%x "
-                                       "VQ 0x%x while dropping, screwing up "
+                                           "while dropping, screwing up "
-                                       "backlog.\n", tc_index_to_dp(skb));
+                                           "backlog.\n", tc_index_to_dp(skb));
                } else {
                        q->backlog -= len;
                        q->stats.other++;
@@ -308,7 +307,7 @@ static unsigned int gred_drop(struct Qdisc* sch)
 }
-static void gred_reset(struct Qdisc* sch)
+static void gred_reset(struct Qdisc *sch)
 {
        int i;
        struct gred_sched *t = qdisc_priv(sch);
@@ -369,8 +368,8 @@ static inline int gred_change_table_def(struct Qdisc *sch, struct nlattr *dps)
        for (i = table->DPs; i < MAX_DPs; i++) {
                if (table->tab[i]) {
-                        printk(KERN_WARNING "GRED: Warning: Destroying "
+                        pr_warning("GRED: Warning: Destroying "
-                               "shadowed VQ 0x%x\n", i);
+                                   "shadowed VQ 0x%x\n", i);
                        gred_destroy_vq(table->tab[i]);
                        table->tab[i] = NULL;
                }
diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index 14a799de1c35..6488e6425652 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -81,8 +81,7 @@
 *   that are expensive on 32-bit architectures.
 */
-struct internal_sc
+struct internal_sc {
-{
        u64     sm1;    /* scaled slope of the 1st segment */
        u64     ism1;   /* scaled inverse-slope of the 1st segment */
        u64     dx;     /* the x-projection of the 1st segment */
@@ -92,8 +91,7 @@ struct internal_sc
 };
 /* runtime service curve */
-struct runtime_sc
+struct runtime_sc {
-{
        u64     x;      /* current starting position on x-axis */
        u64     y;      /* current starting position on y-axis */
        u64     sm1;    /* scaled slope of the 1st segment */
@@ -104,15 +102,13 @@ struct runtime_sc
        u64     ism2;   /* scaled inverse-slope of the 2nd segment */
 };
-enum hfsc_class_flags
+enum hfsc_class_flags {
-{
        HFSC_RSC = 0x1,
        HFSC_FSC = 0x2,
        HFSC_USC = 0x4
 };
-struct hfsc_class
+struct hfsc_class {
-{
        struct Qdisc_class_common cl_common;
        unsigned int    refcnt;         /* usage count */
@@ -140,8 +136,8 @@ struct hfsc_class
        u64     cl_cumul;               /* cumulative work in bytes done by
                                           real-time criteria */
-        u64     cl_d;                   /* deadline*/
+        u64     cl_d;                   /* deadline*/
-        u64     cl_e;                   /* eligible time */
+        u64     cl_e;                   /* eligible time */
        u64     cl_vt;                  /* virtual time */
        u64     cl_f;                   /* time when this class will fit for
                                           link-sharing, max(myf, cfmin) */
@@ -176,8 +172,7 @@ struct hfsc_class
        unsigned long   cl_nactive;     /* number of active children */
 };
-struct hfsc_sched
+struct hfsc_sched {
-{
        u16     defcls;                         /* default class id */
        struct hfsc_class root;                 /* root class */
        struct Qdisc_class_hash clhash;         /* class hash */
@@ -693,7 +688,7 @@ init_vf(struct hfsc_class *cl, unsigned int len)
                if (go_active) {
                        n = rb_last(&cl->cl_parent->vt_tree);
                        if (n != NULL) {
-                                max_cl = rb_entry(n, struct hfsc_class,vt_node);
+                                max_cl = rb_entry(n, struct hfsc_class, vt_node);
                                /*
                                 * set vt to the average of the min and max
                                 * classes.  if the parent's period didn't
@@ -1177,8 +1172,10 @@ hfsc_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
                        return NULL;
                }
 #endif
-                if ((cl = (struct hfsc_class *)res.class) == NULL) {
+                cl = (struct hfsc_class *)res.class;
-                        if ((cl = hfsc_find_class(res.classid, sch)) == NULL)
+                if (!cl) {
+                        cl = hfsc_find_class(res.classid, sch);
+                        if (!cl)
                                break; /* filter selected invalid classid */
                        if (cl->level >= head->level)
                                break; /* filter may only point downwards */
@@ -1316,7 +1313,7 @@ hfsc_dump_sc(struct sk_buff *skb, int attr, struct internal_sc *sc)
        return -1;
 }
-static inline int
+static int
 hfsc_dump_curves(struct sk_buff *skb, struct hfsc_class *cl)
 {
        if ((cl->cl_flags & HFSC_RSC) &&
@@ -1420,7 +1417,8 @@ hfsc_schedule_watchdog(struct Qdisc *sch)
        struct hfsc_class *cl;
        u64 next_time = 0;
-        if ((cl = eltree_get_minel(q)) != NULL)
+        cl = eltree_get_minel(q);
+        if (cl)
                next_time = cl->cl_e;
        if (q->root.cl_cfmin != 0) {
                if (next_time == 0 || next_time > q->root.cl_cfmin)
@@ -1625,7 +1623,8 @@ hfsc_dequeue(struct Qdisc *sch)
         * find the class with the minimum deadline among
         * the eligible classes.
         */
-        if ((cl = eltree_get_mindl(q, cur_time)) != NULL) {
+        cl = eltree_get_mindl(q, cur_time);
+        if (cl) {
                realtime = 1;
        } else {
                /*
@@ -1664,7 +1663,7 @@ hfsc_dequeue(struct Qdisc *sch)
                set_passive(cl);
        }
-        sch->flags &= ~TCQ_F_THROTTLED;
+        qdisc_unthrottled(sch);
        qdisc_bstats_update(sch, skb);
        sch->q.qlen--;
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index fc12fe6f5597..29b942ce9e82 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -99,9 +99,10 @@ struct htb_class {
                        struct rb_root feed[TC_HTB_NUMPRIO];    /* feed trees */
                        struct rb_node *ptr[TC_HTB_NUMPRIO];    /* current class ptr */
                        /* When class changes from state 1->2 and disconnects from
-                           parent's feed then we lost ptr value and start from the
+                         * parent's feed then we lost ptr value and start from the
-                           first child again. Here we store classid of the
+                         * first child again. Here we store classid of the
-                           last valid ptr (used when ptr is NULL). */
+                         * last valid ptr (used when ptr is NULL).
+                         */
                        u32 last_ptr_id[TC_HTB_NUMPRIO];
                } inner;
        } un;
@@ -182,10 +183,10 @@ static inline struct htb_class *htb_find(u32 handle, struct Qdisc *sch)
 * filters in qdisc and in inner nodes (if higher filter points to the inner
 * node). If we end up with classid MAJOR:0 we enqueue the skb into special
 * internal fifo (direct). These packets then go directly thru. If we still
- * have no valid leaf we try to use MAJOR:default leaf. It still unsuccessfull
+ * have no valid leaf we try to use MAJOR:default leaf. It still unsuccessful
 * then finish and return direct queue.
 */
-#define HTB_DIRECT (struct htb_class*)-1
+#define HTB_DIRECT ((struct htb_class *)-1L)
 static struct htb_class *htb_classify(struct sk_buff *skb, struct Qdisc *sch,
                                      int *qerr)
@@ -197,11 +198,13 @@ static struct htb_class *htb_classify(struct sk_buff *skb, struct Qdisc *sch,
        int result;
        /* allow to select class by setting skb->priority to valid classid;
-           note that nfmark can be used too by attaching filter fw with no
+         * note that nfmark can be used too by attaching filter fw with no
-           rules in it */
+         * rules in it
+         */
        if (skb->priority == sch->handle)
                return HTB_DIRECT;      /* X:0 (direct flow) selected */
-        if ((cl = htb_find(skb->priority, sch)) != NULL && cl->level == 0)
+        cl = htb_find(skb->priority, sch);
+        if (cl && cl->level == 0)
                return cl;
        *qerr = NET_XMIT_SUCCESS | __NET_XMIT_BYPASS;
@@ -216,10 +219,12 @@ static struct htb_class *htb_classify(struct sk_buff *skb, struct Qdisc *sch,
                        return NULL;
                }
 #endif
-                if ((cl = (void *)res.class) == NULL) {
+                cl = (void *)res.class;
+                if (!cl) {
                        if (res.classid == sch->handle)
                                return HTB_DIRECT;      /* X:0 (direct flow) */
-                        if ((cl = htb_find(res.classid, sch)) == NULL)
+                        cl = htb_find(res.classid, sch);
+                        if (!cl)
                                break;  /* filter selected invalid classid */
                }
                if (!cl->level)
@@ -378,7 +383,8 @@ static void htb_activate_prios(struct htb_sched *q, struct htb_class *cl)
                        if (p->un.inner.feed[prio].rb_node)
                                /* parent already has its feed in use so that
-                                   reset bit in mask as parent is already ok */
+                                 * reset bit in mask as parent is already ok
+                                 */
                                mask &= ~(1 << prio);
                        htb_add_to_id_tree(p->un.inner.feed + prio, cl, prio);
@@ -413,8 +419,9 @@ static void htb_deactivate_prios(struct htb_sched *q, struct htb_class *cl)
                        if (p->un.inner.ptr[prio] == cl->node + prio) {
                                /* we are removing child which is pointed to from
-                                   parent feed - forget the pointer but remember
+                                 * parent feed - forget the pointer but remember
-                                   classid */
+                                 * classid
+                                 */
                                p->un.inner.last_ptr_id[prio] = cl->common.classid;
                                p->un.inner.ptr[prio] = NULL;
                        }
@@ -663,8 +670,9 @@ static psched_time_t htb_do_events(struct htb_sched *q, int level,
                                   unsigned long start)
 {
        /* don't run for longer than 2 jiffies; 2 is used instead of
-           1 to simplify things when jiffy is going to be incremented
+         * 1 to simplify things when jiffy is going to be incremented
-           too soon */
+         * too soon
+         */
        unsigned long stop_at = start + 2;
        while (time_before(jiffies, stop_at)) {
                struct htb_class *cl;
@@ -687,7 +695,7 @@ static psched_time_t htb_do_events(struct htb_sched *q, int level,
        /* too much load - let's continue after a break for scheduling */
        if (!(q->warned & HTB_WARN_TOOMANYEVENTS)) {
-                printk(KERN_WARNING "htb: too many events!\n");
+                pr_warning("htb: too many events!\n");
                q->warned |= HTB_WARN_TOOMANYEVENTS;
        }
@@ -695,7 +703,8 @@ static psched_time_t htb_do_events(struct htb_sched *q, int level,
 }
 /* Returns class->node+prio from id-tree where classe's id is >= id. NULL
-   is no such one exists. */
+ * is no such one exists.
+ */
 static struct rb_node *htb_id_find_next_upper(int prio, struct rb_node *n,
                                              u32 id)
 {
@@ -739,12 +748,14 @@ static struct htb_class *htb_lookup_leaf(struct rb_root *tree, int prio,
        for (i = 0; i < 65535; i++) {
                if (!*sp->pptr && *sp->pid) {
                        /* ptr was invalidated but id is valid - try to recover
-                           the original or next ptr */
+                         * the original or next ptr
+                         */
                        *sp->pptr =
                            htb_id_find_next_upper(prio, sp->root, *sp->pid);
                }
                *sp->pid = 0;   /* ptr is valid now so that remove this hint as it
-                                   can become out of date quickly */
+                                 * can become out of date quickly
+                                 */
                if (!*sp->pptr) {       /* we are at right end; rewind & go up */
                        *sp->pptr = sp->root;
                        while ((*sp->pptr)->rb_left)
@@ -772,7 +783,8 @@ static struct htb_class *htb_lookup_leaf(struct rb_root *tree, int prio,
 }
 /* dequeues packet at given priority and level; call only if
-   you are sure that there is active class at prio/level */
+ * you are sure that there is active class at prio/level
+ */
 static struct sk_buff *htb_dequeue_tree(struct htb_sched *q, int prio,
                                        int level)
 {
@@ -789,9 +801,10 @@ next:
                        return NULL;
                /* class can be empty - it is unlikely but can be true if leaf
-                   qdisc drops packets in enqueue routine or if someone used
+                 * qdisc drops packets in enqueue routine or if someone used
-                   graft operation on the leaf since last dequeue;
+                 * graft operation on the leaf since last dequeue;
-                   simply deactivate and skip such class */
+                 * simply deactivate and skip such class
+                 */
                if (unlikely(cl->un.leaf.q->q.qlen == 0)) {
                        struct htb_class *next;
                        htb_deactivate(q, cl);
@@ -831,7 +844,8 @@ next:
                                          ptr[0]) + prio);
                }
                /* this used to be after charge_class but this constelation
-                   gives us slightly better performance */
+                 * gives us slightly better performance
+                 */
                if (!cl->un.leaf.q->q.qlen)
                        htb_deactivate(q, cl);
                htb_charge_class(q, cl, level, skb);
@@ -852,7 +866,7 @@ static struct sk_buff *htb_dequeue(struct Qdisc *sch)
        if (skb != NULL) {
 ok:
                qdisc_bstats_update(sch, skb);
-                sch->flags &= ~TCQ_F_THROTTLED;
+                qdisc_unthrottled(sch);
                sch->q.qlen--;
                return skb;
        }
@@ -883,6 +897,7 @@ ok:
                m = ~q->row_mask[level];
                while (m != (int)(-1)) {
                        int prio = ffz(m);
                        m |= 1 << prio;
                        skb = htb_dequeue_tree(q, prio, level);
                        if (likely(skb != NULL))
@@ -987,13 +1002,12 @@ static int htb_init(struct Qdisc *sch, struct nlattr *opt)
                return err;
        if (tb[TCA_HTB_INIT] == NULL) {
-                printk(KERN_ERR "HTB: hey probably you have bad tc tool ?\n");
+                pr_err("HTB: hey probably you have bad tc tool ?\n");
                return -EINVAL;
        }
        gopt = nla_data(tb[TCA_HTB_INIT]);
        if (gopt->version != HTB_VER >> 16) {
-                printk(KERN_ERR
+                pr_err("HTB: need tc/htb version %d (minor is %d), you have %d\n",
-                       "HTB: need tc/htb version %d (minor is %d), you have %d\n",
                       HTB_VER >> 16, HTB_VER & 0xffff, gopt->version);
                return -EINVAL;
        }
@@ -1206,9 +1220,10 @@ static void htb_destroy(struct Qdisc *sch)
        cancel_work_sync(&q->work);
        qdisc_watchdog_cancel(&q->watchdog);
        /* This line used to be after htb_destroy_class call below
-           and surprisingly it worked in 2.4. But it must precede it
+         * and surprisingly it worked in 2.4. But it must precede it
-           because filter need its target class alive to be able to call
+         * because filter need its target class alive to be able to call
-           unbind_filter on it (without Oops). */
+         * unbind_filter on it (without Oops).
+         */
        tcf_destroy_chain(&q->filter_list);
        for (i = 0; i < q->clhash.hashsize; i++) {
@@ -1342,11 +1357,12 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
                /* check maximal depth */
                if (parent && parent->parent && parent->parent->level < 2) {
-                        printk(KERN_ERR "htb: tree is too deep\n");
+                        pr_err("htb: tree is too deep\n");
                        goto failure;
                }
                err = -ENOBUFS;
-                if ((cl = kzalloc(sizeof(*cl), GFP_KERNEL)) == NULL)
+                cl = kzalloc(sizeof(*cl), GFP_KERNEL);
+                if (!cl)
                        goto failure;
                err = gen_new_estimator(&cl->bstats, &cl->rate_est,
@@ -1366,8 +1382,9 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
                        RB_CLEAR_NODE(&cl->node[prio]);
                /* create leaf qdisc early because it uses kmalloc(GFP_KERNEL)
-                   so that can't be used inside of sch_tree_lock
+                 * so that can't be used inside of sch_tree_lock
-                   -- thanks to Karlis Peisenieks */
+                 * -- thanks to Karlis Peisenieks
+                 */
                new_q = qdisc_create_dflt(sch->dev_queue,
                                          &pfifo_qdisc_ops, classid);
                sch_tree_lock(sch);
@@ -1419,17 +1436,18 @@ static int htb_change_class(struct Qdisc *sch, u32 classid,
        }
        /* it used to be a nasty bug here, we have to check that node
-           is really leaf before changing cl->un.leaf ! */
+         * is really leaf before changing cl->un.leaf !
+         */
        if (!cl->level) {
                cl->quantum = rtab->rate.rate / q->rate2quantum;
                if (!hopt->quantum && cl->quantum < 1000) {
-                        printk(KERN_WARNING
+                        pr_warning(
                               "HTB: quantum of class %X is small. Consider r2q change.\n",
                               cl->common.classid);
                        cl->quantum = 1000;
                }
                if (!hopt->quantum && cl->quantum > 200000) {
-                        printk(KERN_WARNING
+                        pr_warning(
                               "HTB: quantum of class %X is big. Consider r2q change.\n",
                               cl->common.classid);
                        cl->quantum = 200000;
@@ -1478,13 +1496,13 @@ static unsigned long htb_bind_filter(struct Qdisc *sch, unsigned long parent,
        struct htb_class *cl = htb_find(classid, sch);
        /*if (cl && !cl->level) return 0;
-           The line above used to be there to prevent attaching filters to
+         * The line above used to be there to prevent attaching filters to
-           leaves. But at least tc_index filter uses this just to get class
+         * leaves. But at least tc_index filter uses this just to get class
-           for other reasons so that we have to allow for it.
+         * for other reasons so that we have to allow for it.
-           ----
+         * ----
-           19.6.2002 As Werner explained it is ok - bind filter is just
+         * 19.6.2002 As Werner explained it is ok - bind filter is just
-           another way to "lock" the class - unlike "get" this lock can
+         * another way to "lock" the class - unlike "get" this lock can
-           be broken by class during destroy IIUC.
+         * be broken by class during destroy IIUC.
         */
        if (cl)
                cl->filter_cnt++;
diff --git a/net/sched/sch_mq.c b/net/sched/sch_mq.c
index ecc302f4d2a1..ec5cbc848963 100644
--- a/net/sched/sch_mq.c
+++ b/net/sched/sch_mq.c
@@ -61,7 +61,6 @@ static int mq_init(struct Qdisc *sch, struct nlattr *opt)
                                                    TC_H_MIN(ntx + 1)));
                if (qdisc == NULL)
                        goto err;
-                qdisc->flags |= TCQ_F_CAN_BYPASS;
                priv->qdiscs[ntx] = qdisc;
        }
diff --git a/net/sched/sch_mqprio.c b/net/sched/sch_mqprio.c
new file mode 100644
index 000000000000..ea17cbed29ef
--- /dev/null
+++ b/net/sched/sch_mqprio.c
@@ -0,0 +1,418 @@
+/*
+ * net/sched/sch_mqprio.c
+ *
+ * Copyright (c) 2010 John Fastabend <john.r.fastabend@intel.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ */
+#include <linux/types.h>
+#include <linux/slab.h>
+#include <linux/kernel.h>
+#include <linux/string.h>
+#include <linux/errno.h>
+#include <linux/skbuff.h>
+#include <net/netlink.h>
+#include <net/pkt_sched.h>
+#include <net/sch_generic.h>
+struct mqprio_sched {
+        struct Qdisc            **qdiscs;
+        int hw_owned;
+};
+static void mqprio_destroy(struct Qdisc *sch)
+{
+        struct net_device *dev = qdisc_dev(sch);
+        struct mqprio_sched *priv = qdisc_priv(sch);
+        unsigned int ntx;
+        if (priv->qdiscs) {
+                for (ntx = 0;
+                     ntx < dev->num_tx_queues && priv->qdiscs[ntx];
+                     ntx++)
+                        qdisc_destroy(priv->qdiscs[ntx]);
+                kfree(priv->qdiscs);
+        }
+        if (priv->hw_owned && dev->netdev_ops->ndo_setup_tc)
+                dev->netdev_ops->ndo_setup_tc(dev, 0);
+        else
+                netdev_set_num_tc(dev, 0);
+}
+static int mqprio_parse_opt(struct net_device *dev, struct tc_mqprio_qopt *qopt)
+{
+        int i, j;
+        /* Verify num_tc is not out of max range */
+        if (qopt->num_tc > TC_MAX_QUEUE)
+                return -EINVAL;
+        /* Verify priority mapping uses valid tcs */
+        for (i = 0; i < TC_BITMASK + 1; i++) {
+                if (qopt->prio_tc_map[i] >= qopt->num_tc)
+                        return -EINVAL;
+        }
+        /* net_device does not support requested operation */
+        if (qopt->hw && !dev->netdev_ops->ndo_setup_tc)
+                return -EINVAL;
+        /* if hw owned qcount and qoffset are taken from LLD so
+         * no reason to verify them here
+         */
+        if (qopt->hw)
+                return 0;
+        for (i = 0; i < qopt->num_tc; i++) {
+                unsigned int last = qopt->offset[i] + qopt->count[i];
+                /* Verify the queue count is in tx range being equal to the
+                 * real_num_tx_queues indicates the last queue is in use.
+                 */
+                if (qopt->offset[i] >= dev->real_num_tx_queues ||
+                    !qopt->count[i] ||
+                    last > dev->real_num_tx_queues)
+                        return -EINVAL;
+                /* Verify that the offset and counts do not overlap */
+                for (j = i + 1; j < qopt->num_tc; j++) {
+                        if (last > qopt->offset[j])
+                                return -EINVAL;
+                }
+        }
+        return 0;
+}
+static int mqprio_init(struct Qdisc *sch, struct nlattr *opt)
+{
+        struct net_device *dev = qdisc_dev(sch);
+        struct mqprio_sched *priv = qdisc_priv(sch);
+        struct netdev_queue *dev_queue;
+        struct Qdisc *qdisc;
+        int i, err = -EOPNOTSUPP;
+        struct tc_mqprio_qopt *qopt = NULL;
+        BUILD_BUG_ON(TC_MAX_QUEUE != TC_QOPT_MAX_QUEUE);
+        BUILD_BUG_ON(TC_BITMASK != TC_QOPT_BITMASK);
+        if (sch->parent != TC_H_ROOT)
+                return -EOPNOTSUPP;
+        if (!netif_is_multiqueue(dev))
+                return -EOPNOTSUPP;
+        if (nla_len(opt) < sizeof(*qopt))
+                return -EINVAL;
+        qopt = nla_data(opt);
+        if (mqprio_parse_opt(dev, qopt))
+                return -EINVAL;
+        /* pre-allocate qdisc, attachment can't fail */
+        priv->qdiscs = kcalloc(dev->num_tx_queues, sizeof(priv->qdiscs[0]),
+                               GFP_KERNEL);
+        if (priv->qdiscs == NULL) {
+                err = -ENOMEM;
+                goto err;
+        }
+        for (i = 0; i < dev->num_tx_queues; i++) {
+                dev_queue = netdev_get_tx_queue(dev, i);
+                qdisc = qdisc_create_dflt(dev_queue, &pfifo_fast_ops,
+                                          TC_H_MAKE(TC_H_MAJ(sch->handle),
+                                                    TC_H_MIN(i + 1)));
+                if (qdisc == NULL) {
+                        err = -ENOMEM;
+                        goto err;
+                }
+                priv->qdiscs[i] = qdisc;
+        }
+        /* If the mqprio options indicate that hardware should own
+         * the queue mapping then run ndo_setup_tc otherwise use the
+         * supplied and verified mapping
+         */
+        if (qopt->hw) {
+                priv->hw_owned = 1;
+                err = dev->netdev_ops->ndo_setup_tc(dev, qopt->num_tc);
+                if (err)
+                        goto err;
+        } else {
+                netdev_set_num_tc(dev, qopt->num_tc);
+                for (i = 0; i < qopt->num_tc; i++)
+                        netdev_set_tc_queue(dev, i,
+                                            qopt->count[i], qopt->offset[i]);
+        }
+        /* Always use supplied priority mappings */
+        for (i = 0; i < TC_BITMASK + 1; i++)
+                netdev_set_prio_tc_map(dev, i, qopt->prio_tc_map[i]);
+        sch->flags |= TCQ_F_MQROOT;
+        return 0;
+err:
+        mqprio_destroy(sch);
+        return err;
+}
+static void mqprio_attach(struct Qdisc *sch)
+{
+        struct net_device *dev = qdisc_dev(sch);
+        struct mqprio_sched *priv = qdisc_priv(sch);
+        struct Qdisc *qdisc;
+        unsigned int ntx;
+        /* Attach underlying qdisc */
+        for (ntx = 0; ntx < dev->num_tx_queues; ntx++) {
+                qdisc = priv->qdiscs[ntx];
+                qdisc = dev_graft_qdisc(qdisc->dev_queue, qdisc);
+                if (qdisc)
+                        qdisc_destroy(qdisc);
+        }
+        kfree(priv->qdiscs);
+        priv->qdiscs = NULL;
+}
+static struct netdev_queue *mqprio_queue_get(struct Qdisc *sch,
+                                             unsigned long cl)
+{
+        struct net_device *dev = qdisc_dev(sch);
+        unsigned long ntx = cl - 1 - netdev_get_num_tc(dev);
+        if (ntx >= dev->num_tx_queues)
+                return NULL;
+        return netdev_get_tx_queue(dev, ntx);
+}
+static int mqprio_graft(struct Qdisc *sch, unsigned long cl, struct Qdisc *new,
+                    struct Qdisc **old)
+{
+        struct net_device *dev = qdisc_dev(sch);
+        struct netdev_queue *dev_queue = mqprio_queue_get(sch, cl);
+        if (!dev_queue)
+                return -EINVAL;
+        if (dev->flags & IFF_UP)
+                dev_deactivate(dev);
+        *old = dev_graft_qdisc(dev_queue, new);
+        if (dev->flags & IFF_UP)
+                dev_activate(dev);
+        return 0;
+}
+static int mqprio_dump(struct Qdisc *sch, struct sk_buff *skb)
+{
+        struct net_device *dev = qdisc_dev(sch);
+        struct mqprio_sched *priv = qdisc_priv(sch);
+        unsigned char *b = skb_tail_pointer(skb);
+        struct tc_mqprio_qopt opt = { 0 };
+        struct Qdisc *qdisc;
+        unsigned int i;
+        sch->q.qlen = 0;
+        memset(&sch->bstats, 0, sizeof(sch->bstats));
+        memset(&sch->qstats, 0, sizeof(sch->qstats));
+        for (i = 0; i < dev->num_tx_queues; i++) {
+                qdisc = netdev_get_tx_queue(dev, i)->qdisc;
+                spin_lock_bh(qdisc_lock(qdisc));
+                sch->q.qlen             += qdisc->q.qlen;
+                sch->bstats.bytes       += qdisc->bstats.bytes;
+                sch->bstats.packets     += qdisc->bstats.packets;
+                sch->qstats.qlen        += qdisc->qstats.qlen;
+                sch->qstats.backlog     += qdisc->qstats.backlog;
+                sch->qstats.drops       += qdisc->qstats.drops;
+                sch->qstats.requeues    += qdisc->qstats.requeues;
+                sch->qstats.overlimits  += qdisc->qstats.overlimits;
+                spin_unlock_bh(qdisc_lock(qdisc));
+        }
+        opt.num_tc = netdev_get_num_tc(dev);
+        memcpy(opt.prio_tc_map, dev->prio_tc_map, sizeof(opt.prio_tc_map));
+        opt.hw = priv->hw_owned;
+        for (i = 0; i < netdev_get_num_tc(dev); i++) {
+                opt.count[i] = dev->tc_to_txq[i].count;
+                opt.offset[i] = dev->tc_to_txq[i].offset;
+        }
+        NLA_PUT(skb, TCA_OPTIONS, sizeof(opt), &opt);
+        return skb->len;
+nla_put_failure:
+        nlmsg_trim(skb, b);
+        return -1;
+}
+static struct Qdisc *mqprio_leaf(struct Qdisc *sch, unsigned long cl)
+{
+        struct netdev_queue *dev_queue = mqprio_queue_get(sch, cl);
+        if (!dev_queue)
+                return NULL;
+        return dev_queue->qdisc_sleeping;
+}
+static unsigned long mqprio_get(struct Qdisc *sch, u32 classid)
+{
+        struct net_device *dev = qdisc_dev(sch);
+        unsigned int ntx = TC_H_MIN(classid);
+        if (ntx > dev->num_tx_queues + netdev_get_num_tc(dev))
+                return 0;
+        return ntx;
+}
+static void mqprio_put(struct Qdisc *sch, unsigned long cl)
+{
+}
+static int mqprio_dump_class(struct Qdisc *sch, unsigned long cl,
+                         struct sk_buff *skb, struct tcmsg *tcm)
+{
+        struct net_device *dev = qdisc_dev(sch);
+        if (cl <= netdev_get_num_tc(dev)) {
+                tcm->tcm_parent = TC_H_ROOT;
+                tcm->tcm_info = 0;
+        } else {
+                int i;
+                struct netdev_queue *dev_queue;
+                dev_queue = mqprio_queue_get(sch, cl);
+                tcm->tcm_parent = 0;
+                for (i = 0; i < netdev_get_num_tc(dev); i++) {
+                        struct netdev_tc_txq tc = dev->tc_to_txq[i];
+                        int q_idx = cl - netdev_get_num_tc(dev);
+                        if (q_idx > tc.offset &&
+                            q_idx <= tc.offset + tc.count) {
+                                tcm->tcm_parent =
+                                        TC_H_MAKE(TC_H_MAJ(sch->handle),
+                                                  TC_H_MIN(i + 1));
+                                break;
+                        }
+                }
+                tcm->tcm_info = dev_queue->qdisc_sleeping->handle;
+        }
+        tcm->tcm_handle |= TC_H_MIN(cl);
+        return 0;
+}
+static int mqprio_dump_class_stats(struct Qdisc *sch, unsigned long cl,
+                                   struct gnet_dump *d)
+        __releases(d->lock)
+        __acquires(d->lock)
+{
+        struct net_device *dev = qdisc_dev(sch);
+        if (cl <= netdev_get_num_tc(dev)) {
+                int i;
+                struct Qdisc *qdisc;
+                struct gnet_stats_queue qstats = {0};
+                struct gnet_stats_basic_packed bstats = {0};
+                struct netdev_tc_txq tc = dev->tc_to_txq[cl - 1];
+                /* Drop lock here it will be reclaimed before touching
+                 * statistics this is required because the d->lock we
+                 * hold here is the look on dev_queue->qdisc_sleeping
+                 * also acquired below.
+                 */
+                spin_unlock_bh(d->lock);
+                for (i = tc.offset; i < tc.offset + tc.count; i++) {
+                        qdisc = netdev_get_tx_queue(dev, i)->qdisc;
+                        spin_lock_bh(qdisc_lock(qdisc));
+                        bstats.bytes      += qdisc->bstats.bytes;
+                        bstats.packets    += qdisc->bstats.packets;
+                        qstats.qlen       += qdisc->qstats.qlen;
+                        qstats.backlog    += qdisc->qstats.backlog;
+                        qstats.drops      += qdisc->qstats.drops;
+                        qstats.requeues   += qdisc->qstats.requeues;
+                        qstats.overlimits += qdisc->qstats.overlimits;
+                        spin_unlock_bh(qdisc_lock(qdisc));
+                }
+                /* Reclaim root sleeping lock before completing stats */
+                spin_lock_bh(d->lock);
+                if (gnet_stats_copy_basic(d, &bstats) < 0 ||
+                    gnet_stats_copy_queue(d, &qstats) < 0)
+                        return -1;
+        } else {
+                struct netdev_queue *dev_queue = mqprio_queue_get(sch, cl);
+                sch = dev_queue->qdisc_sleeping;
+                sch->qstats.qlen = sch->q.qlen;
+                if (gnet_stats_copy_basic(d, &sch->bstats) < 0 ||
+                    gnet_stats_copy_queue(d, &sch->qstats) < 0)
+                        return -1;
+        }
+        return 0;
+}
+static void mqprio_walk(struct Qdisc *sch, struct qdisc_walker *arg)
+{
+        struct net_device *dev = qdisc_dev(sch);
+        unsigned long ntx;
+        if (arg->stop)
+                return;
+        /* Walk hierarchy with a virtual class per tc */
+        arg->count = arg->skip;
+        for (ntx = arg->skip;
+             ntx < dev->num_tx_queues + netdev_get_num_tc(dev);
+             ntx++) {
+                if (arg->fn(sch, ntx + 1, arg) < 0) {
+                        arg->stop = 1;
+                        break;
+                }
+                arg->count++;
+        }
+}
+static const struct Qdisc_class_ops mqprio_class_ops = {
+        .graft          = mqprio_graft,
+        .leaf           = mqprio_leaf,
+        .get            = mqprio_get,
+        .put            = mqprio_put,
+        .walk           = mqprio_walk,
+        .dump           = mqprio_dump_class,
+        .dump_stats     = mqprio_dump_class_stats,
+};
+static struct Qdisc_ops mqprio_qdisc_ops __read_mostly = {
+        .cl_ops         = &mqprio_class_ops,
+        .id             = "mqprio",
+        .priv_size      = sizeof(struct mqprio_sched),
+        .init           = mqprio_init,
+        .destroy        = mqprio_destroy,
+        .attach         = mqprio_attach,
+        .dump           = mqprio_dump,
+        .owner          = THIS_MODULE,
+};
+static int __init mqprio_module_init(void)
+{
+        return register_qdisc(&mqprio_qdisc_ops);
+}
+static void __exit mqprio_module_exit(void)
+{
+        unregister_qdisc(&mqprio_qdisc_ops);
+}
+module_init(mqprio_module_init);
+module_exit(mqprio_module_exit);
+MODULE_LICENSE("GPL");
diff --git a/net/sched/sch_multiq.c b/net/sched/sch_multiq.c
index 436a2e75b322..edc1950e0e77 100644
--- a/net/sched/sch_multiq.c
+++ b/net/sched/sch_multiq.c
@@ -156,7 +156,7 @@ static unsigned int multiq_drop(struct Qdisc *sch)
        unsigned int len;
        struct Qdisc *qdisc;
-        for (band = q->bands-1; band >= 0; band--) {
+        for (band = q->bands - 1; band >= 0; band--) {
                qdisc = q->queues[band];
                if (qdisc->ops->drop) {
                        len = qdisc->ops->drop(qdisc);
@@ -265,7 +265,7 @@ static int multiq_init(struct Qdisc *sch, struct nlattr *opt)
        for (i = 0; i < q->max_bands; i++)
                q->queues[i] = &noop_qdisc;
-        err = multiq_tune(sch,opt);
+        err = multiq_tune(sch, opt);
        if (err)
                kfree(q->queues);
@@ -346,7 +346,7 @@ static int multiq_dump_class(struct Qdisc *sch, unsigned long cl,
        struct multiq_sched_data *q = qdisc_priv(sch);
        tcm->tcm_handle |= TC_H_MIN(cl);
-        tcm->tcm_info = q->queues[cl-1]->handle;
+        tcm->tcm_info = q->queues[cl - 1]->handle;
        return 0;
 }
@@ -378,7 +378,7 @@ static void multiq_walk(struct Qdisc *sch, struct qdisc_walker *arg)
                        arg->count++;
                        continue;
                }
-                if (arg->fn(sch, band+1, arg) < 0) {
+                if (arg->fn(sch, band + 1, arg) < 0) {
                        arg->stop = 1;
                        break;
                }
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 6a3006b38dc5..69c35f6cd13f 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -19,12 +19,13 @@
 #include <linux/kernel.h>
 #include <linux/errno.h>
 #include <linux/skbuff.h>
+#include <linux/vmalloc.h>
 #include <linux/rtnetlink.h>
 #include <net/netlink.h>
 #include <net/pkt_sched.h>
-#define VERSION "1.2"
+#define VERSION "1.3"
 /*      Network Emulation Queuing algorithm.
        ====================================
@@ -47,6 +48,20 @@
         layering other disciplines.  It does not need to do bandwidth
         control either since that can be handled by using token
         bucket or other rate control.
+     Correlated Loss Generator models
+        Added generation of correlated loss according to the
+        "Gilbert-Elliot" model, a 4-state markov model.
+        References:
+        [1] NetemCLG Home http://netgroup.uniroma2.it/NetemCLG
+        [2] S. Salsano, F. Ludovici, A. Ordine, "Definition of a general
+        and intuitive loss model for packet networks and its implementation
+        in the Netem module in the Linux kernel", available in [1]
+        Authors: Stefano Salsano <stefano.salsano at uniroma2.it
+                 Fabio Ludovici <fabio.ludovici at yahoo.it>
 */
 struct netem_sched_data {
@@ -73,6 +88,26 @@ struct netem_sched_data {
                u32  size;
                s16 table[0];
        } *delay_dist;
+        enum  {
+                CLG_RANDOM,
+                CLG_4_STATES,
+                CLG_GILB_ELL,
+        } loss_model;
+        /* Correlated Loss Generation models */
+        struct clgstate {
+                /* state of the Markov chain */
+                u8 state;
+                /* 4-states and Gilbert-Elliot models */
+                u32 a1; /* p13 for 4-states or p for GE */
+                u32 a2; /* p31 for 4-states or r for GE */
+                u32 a3; /* p32 for 4-states or h for GE */
+                u32 a4; /* p14 for 4-states or 1-k for GE */
+                u32 a5; /* p23 used only in 4-states */
+        } clg;
 };
 /* Time stamp put into socket buffer control block */
@@ -115,6 +150,122 @@ static u32 get_crandom(struct crndstate *state)
        return answer;
 }
+/* loss_4state - 4-state model loss generator
+ * Generates losses according to the 4-state Markov chain adopted in
+ * the GI (General and Intuitive) loss model.
+ */
+static bool loss_4state(struct netem_sched_data *q)
+{
+        struct clgstate *clg = &q->clg;
+        u32 rnd = net_random();
+        /*
+         * Makes a comparison between rnd and the transition
+         * probabilities outgoing from the current state, then decides the
+         * next state and if the next packet has to be transmitted or lost.
+         * The four states correspond to:
+         *   1 => successfully transmitted packets within a gap period
+         *   4 => isolated losses within a gap period
+         *   3 => lost packets within a burst period
+         *   2 => successfully transmitted packets within a burst period
+         */
+        switch (clg->state) {
+        case 1:
+                if (rnd < clg->a4) {
+                        clg->state = 4;
+                        return true;
+                } else if (clg->a4 < rnd && rnd < clg->a1) {
+                        clg->state = 3;
+                        return true;
+                } else if (clg->a1 < rnd)
+                        clg->state = 1;
+                break;
+        case 2:
+                if (rnd < clg->a5) {
+                        clg->state = 3;
+                        return true;
+                } else
+                        clg->state = 2;
+                break;
+        case 3:
+                if (rnd < clg->a3)
+                        clg->state = 2;
+                else if (clg->a3 < rnd && rnd < clg->a2 + clg->a3) {
+                        clg->state = 1;
+                        return true;
+                } else if (clg->a2 + clg->a3 < rnd) {
+                        clg->state = 3;
+                        return true;
+                }
+                break;
+        case 4:
+                clg->state = 1;
+                break;
+        }
+        return false;
+}
+/* loss_gilb_ell - Gilbert-Elliot model loss generator
+ * Generates losses according to the Gilbert-Elliot loss model or
+ * its special cases  (Gilbert or Simple Gilbert)
+ *
+ * Makes a comparison between random number and the transition
+ * probabilities outgoing from the current state, then decides the
+ * next state. A second random number is extracted and the comparison
+ * with the loss probability of the current state decides if the next
+ * packet will be transmitted or lost.
+ */
+static bool loss_gilb_ell(struct netem_sched_data *q)
+{
+        struct clgstate *clg = &q->clg;
+        switch (clg->state) {
+        case 1:
+                if (net_random() < clg->a1)
+                        clg->state = 2;
+                if (net_random() < clg->a4)
+                        return true;
+        case 2:
+                if (net_random() < clg->a2)
+                        clg->state = 1;
+                if (clg->a3 > net_random())
+                        return true;
+        }
+        return false;
+}
+static bool loss_event(struct netem_sched_data *q)
+{
+        switch (q->loss_model) {
+        case CLG_RANDOM:
+                /* Random packet drop 0 => none, ~0 => all */
+                return q->loss && q->loss >= get_crandom(&q->loss_cor);
+        case CLG_4_STATES:
+                /* 4state loss model algorithm (used also for GI model)
+                * Extracts a value from the markov 4 state loss generator,
+                * if it is 1 drops a packet and if needed writes the event in
+                * the kernel logs
+                */
+                return loss_4state(q);
+        case CLG_GILB_ELL:
+                /* Gilbert-Elliot loss model algorithm
+                * Extracts a value from the Gilbert-Elliot loss generator,
+                * if it is 1 drops a packet and if needed writes the event in
+                * the kernel logs
+                */
+                return loss_gilb_ell(q);
+        }
+        return false;   /* not reached */
+}
 /* tabledist - return a pseudo-randomly distributed value with mean mu and
 * std deviation sigma.  Uses table lookup to approximate the desired
 * distribution, and a uniformly-distributed pseudo-random source.
@@ -161,14 +312,12 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
        int ret;
        int count = 1;
-        pr_debug("netem_enqueue skb=%p\n", skb);
        /* Random duplication */
        if (q->duplicate && q->duplicate >= get_crandom(&q->dup_cor))
                ++count;
-        /* Random packet drop 0 => none, ~0 => all */
+        /* Drop packet? */
-        if (q->loss && q->loss >= get_crandom(&q->loss_cor))
+        if (loss_event(q))
                --count;
        if (count == 0) {
@@ -211,8 +360,8 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
        }
        cb = netem_skb_cb(skb);
-        if (q->gap == 0 ||              /* not doing reordering */
+        if (q->gap == 0 ||              /* not doing reordering */
-            q->counter < q->gap ||      /* inside last reordering gap */
+            q->counter < q->gap ||      /* inside last reordering gap */
            q->reorder < get_crandom(&q->reorder_cor)) {
                psched_time_t now;
                psched_tdiff_t delay;
@@ -238,17 +387,18 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
                ret = NET_XMIT_SUCCESS;
        }
-        if (likely(ret == NET_XMIT_SUCCESS)) {
+        if (ret != NET_XMIT_SUCCESS) {
-                sch->q.qlen++;
+                if (net_xmit_drop_count(ret)) {
-        } else if (net_xmit_drop_count(ret)) {
+                        sch->qstats.drops++;
-                sch->qstats.drops++;
+                        return ret;
+                }
        }
-        pr_debug("netem: enqueue ret %d\n", ret);
+        sch->q.qlen++;
-        return ret;
+        return NET_XMIT_SUCCESS;
 }
-static unsigned int netem_drop(struct Qdisc* sch)
+static unsigned int netem_drop(struct Qdisc *sch)
 {
        struct netem_sched_data *q = qdisc_priv(sch);
        unsigned int len = 0;
@@ -265,7 +415,7 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
        struct netem_sched_data *q = qdisc_priv(sch);
        struct sk_buff *skb;
-        if (sch->flags & TCQ_F_THROTTLED)
+        if (qdisc_is_throttled(sch))
                return NULL;
        skb = q->qdisc->ops->peek(q->qdisc);
@@ -287,9 +437,10 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
                        if (G_TC_FROM(skb->tc_verd) & AT_INGRESS)
                                skb->tstamp.tv64 = 0;
 #endif
-                        pr_debug("netem_dequeue: return skb=%p\n", skb);
-                        qdisc_bstats_update(sch, skb);
                        sch->q.qlen--;
+                        qdisc_unthrottled(sch);
+                        qdisc_bstats_update(sch, skb);
                        return skb;
                }
@@ -308,6 +459,16 @@ static void netem_reset(struct Qdisc *sch)
        qdisc_watchdog_cancel(&q->watchdog);
 }
+static void dist_free(struct disttable *d)
+{
+        if (d) {
+                if (is_vmalloc_addr(d))
+                        vfree(d);
+                else
+                        kfree(d);
+        }
+}
 /*
 * Distribution data is a variable size payload containing
 * signed 16 bit values.
@@ -315,16 +476,20 @@ static void netem_reset(struct Qdisc *sch)
 static int get_dist_table(struct Qdisc *sch, const struct nlattr *attr)
 {
        struct netem_sched_data *q = qdisc_priv(sch);
-        unsigned long n = nla_len(attr)/sizeof(__s16);
+        size_t n = nla_len(attr)/sizeof(__s16);
        const __s16 *data = nla_data(attr);
        spinlock_t *root_lock;
        struct disttable *d;
        int i;
+        size_t s;
-        if (n > 65536)
+        if (n > NETEM_DIST_MAX)
                return -EINVAL;
-        d = kmalloc(sizeof(*d) + n*sizeof(d->table[0]), GFP_KERNEL);
+        s = sizeof(struct disttable) + n * sizeof(s16);
+        d = kmalloc(s, GFP_KERNEL);
+        if (!d)
+                d = vmalloc(s);
        if (!d)
                return -ENOMEM;
@@ -335,7 +500,7 @@ static int get_dist_table(struct Qdisc *sch, const struct nlattr *attr)
        root_lock = qdisc_root_sleeping_lock(sch);
        spin_lock_bh(root_lock);
-        kfree(q->delay_dist);
+        dist_free(q->delay_dist);
        q->delay_dist = d;
        spin_unlock_bh(root_lock);
        return 0;
@@ -369,10 +534,66 @@ static void get_corrupt(struct Qdisc *sch, const struct nlattr *attr)
        init_crandom(&q->corrupt_cor, r->correlation);
 }
+static int get_loss_clg(struct Qdisc *sch, const struct nlattr *attr)
+{
+        struct netem_sched_data *q = qdisc_priv(sch);
+        const struct nlattr *la;
+        int rem;
+        nla_for_each_nested(la, attr, rem) {
+                u16 type = nla_type(la);
+                switch(type) {
+                case NETEM_LOSS_GI: {
+                        const struct tc_netem_gimodel *gi = nla_data(la);
+                        if (nla_len(la) != sizeof(struct tc_netem_gimodel)) {
+                                pr_info("netem: incorrect gi model size\n");
+                                return -EINVAL;
+                        }
+                        q->loss_model = CLG_4_STATES;
+                        q->clg.state = 1;
+                        q->clg.a1 = gi->p13;
+                        q->clg.a2 = gi->p31;
+                        q->clg.a3 = gi->p32;
+                        q->clg.a4 = gi->p14;
+                        q->clg.a5 = gi->p23;
+                        break;
+                }
+                case NETEM_LOSS_GE: {
+                        const struct tc_netem_gemodel *ge = nla_data(la);
+                        if (nla_len(la) != sizeof(struct tc_netem_gemodel)) {
+                                pr_info("netem: incorrect gi model size\n");
+                                return -EINVAL;
+                        }
+                        q->loss_model = CLG_GILB_ELL;
+                        q->clg.state = 1;
+                        q->clg.a1 = ge->p;
+                        q->clg.a2 = ge->r;
+                        q->clg.a3 = ge->h;
+                        q->clg.a4 = ge->k1;
+                        break;
+                }
+                default:
+                        pr_info("netem: unknown loss type %u\n", type);
+                        return -EINVAL;
+                }
+        }
+        return 0;
+}
 static const struct nla_policy netem_policy[TCA_NETEM_MAX + 1] = {
        [TCA_NETEM_CORR]        = { .len = sizeof(struct tc_netem_corr) },
        [TCA_NETEM_REORDER]     = { .len = sizeof(struct tc_netem_reorder) },
        [TCA_NETEM_CORRUPT]     = { .len = sizeof(struct tc_netem_corrupt) },
+        [TCA_NETEM_LOSS]        = { .type = NLA_NESTED },
 };
 static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla,
@@ -380,11 +601,15 @@ static int parse_attr(struct nlattr *tb[], int maxtype, struct nlattr *nla,
 {
        int nested_len = nla_len(nla) - NLA_ALIGN(len);
-        if (nested_len < 0)
+        if (nested_len < 0) {
+                pr_info("netem: invalid attributes len %d\n", nested_len);
                return -EINVAL;
+        }
        if (nested_len >= nla_attr_size(0))
                return nla_parse(tb, maxtype, nla_data(nla) + NLA_ALIGN(len),
                                 nested_len, policy);
        memset(tb, 0, sizeof(struct nlattr *) * (maxtype + 1));
        return 0;
 }
@@ -407,7 +632,7 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt)
        ret = fifo_set_limit(q->qdisc, qopt->limit);
        if (ret) {
-                pr_debug("netem: can't set fifo limit\n");
+                pr_info("netem: can't set fifo limit\n");
                return ret;
        }
@@ -440,7 +665,11 @@ static int netem_change(struct Qdisc *sch, struct nlattr *opt)
        if (tb[TCA_NETEM_CORRUPT])
                get_corrupt(sch, tb[TCA_NETEM_CORRUPT]);
-        return 0;
+        q->loss_model = CLG_RANDOM;
+        if (tb[TCA_NETEM_LOSS])
+                ret = get_loss_clg(sch, tb[TCA_NETEM_LOSS]);
+        return ret;
 }
 /*
@@ -535,16 +764,17 @@ static int netem_init(struct Qdisc *sch, struct nlattr *opt)
        qdisc_watchdog_init(&q->watchdog, sch);
+        q->loss_model = CLG_RANDOM;
        q->qdisc = qdisc_create_dflt(sch->dev_queue, &tfifo_qdisc_ops,
                                     TC_H_MAKE(sch->handle, 1));
        if (!q->qdisc) {
-                pr_debug("netem: qdisc create failed\n");
+                pr_notice("netem: qdisc create tfifo qdisc failed\n");
                return -ENOMEM;
        }
        ret = netem_change(sch, opt);
        if (ret) {
-                pr_debug("netem: change failed\n");
+                pr_info("netem: change failed\n");
                qdisc_destroy(q->qdisc);
        }
        return ret;
@@ -556,14 +786,61 @@ static void netem_destroy(struct Qdisc *sch)
        qdisc_watchdog_cancel(&q->watchdog);
        qdisc_destroy(q->qdisc);
-        kfree(q->delay_dist);
+        dist_free(q->delay_dist);
+}
+static int dump_loss_model(const struct netem_sched_data *q,
+                           struct sk_buff *skb)
+{
+        struct nlattr *nest;
+        nest = nla_nest_start(skb, TCA_NETEM_LOSS);
+        if (nest == NULL)
+                goto nla_put_failure;
+        switch (q->loss_model) {
+        case CLG_RANDOM:
+                /* legacy loss model */
+                nla_nest_cancel(skb, nest);
+                return 0;       /* no data */
+        case CLG_4_STATES: {
+                struct tc_netem_gimodel gi = {
+                        .p13 = q->clg.a1,
+                        .p31 = q->clg.a2,
+                        .p32 = q->clg.a3,
+                        .p14 = q->clg.a4,
+                        .p23 = q->clg.a5,
+                };
+                NLA_PUT(skb, NETEM_LOSS_GI, sizeof(gi), &gi);
+                break;
+        }
+        case CLG_GILB_ELL: {
+                struct tc_netem_gemodel ge = {
+                        .p = q->clg.a1,
+                        .r = q->clg.a2,
+                        .h = q->clg.a3,
+                        .k1 = q->clg.a4,
+                };
+                NLA_PUT(skb, NETEM_LOSS_GE, sizeof(ge), &ge);
+                break;
+        }
+        }
+        nla_nest_end(skb, nest);
+        return 0;
+nla_put_failure:
+        nla_nest_cancel(skb, nest);
+        return -1;
 }
 static int netem_dump(struct Qdisc *sch, struct sk_buff *skb)
 {
        const struct netem_sched_data *q = qdisc_priv(sch);
-        unsigned char *b = skb_tail_pointer(skb);
+        struct nlattr *nla = (struct nlattr *) skb_tail_pointer(skb);
-        struct nlattr *nla = (struct nlattr *) b;
        struct tc_netem_qopt qopt;
        struct tc_netem_corr cor;
        struct tc_netem_reorder reorder;
@@ -590,17 +867,87 @@ static int netem_dump(struct Qdisc *sch, struct sk_buff *skb)
        corrupt.correlation = q->corrupt_cor.rho;
        NLA_PUT(skb, TCA_NETEM_CORRUPT, sizeof(corrupt), &corrupt);
-        nla->nla_len = skb_tail_pointer(skb) - b;
+        if (dump_loss_model(q, skb) != 0)
+                goto nla_put_failure;
-        return skb->len;
+        return nla_nest_end(skb, nla);
 nla_put_failure:
-        nlmsg_trim(skb, b);
+        nlmsg_trim(skb, nla);
        return -1;
 }
+static int netem_dump_class(struct Qdisc *sch, unsigned long cl,
+                          struct sk_buff *skb, struct tcmsg *tcm)
+{
+        struct netem_sched_data *q = qdisc_priv(sch);
+        if (cl != 1)    /* only one class */
+                return -ENOENT;
+        tcm->tcm_handle |= TC_H_MIN(1);
+        tcm->tcm_info = q->qdisc->handle;
+        return 0;
+}
+static int netem_graft(struct Qdisc *sch, unsigned long arg, struct Qdisc *new,
+                     struct Qdisc **old)
+{
+        struct netem_sched_data *q = qdisc_priv(sch);
+        if (new == NULL)
+                new = &noop_qdisc;
+        sch_tree_lock(sch);
+        *old = q->qdisc;
+        q->qdisc = new;
+        qdisc_tree_decrease_qlen(*old, (*old)->q.qlen);
+        qdisc_reset(*old);
+        sch_tree_unlock(sch);
+        return 0;
+}
+static struct Qdisc *netem_leaf(struct Qdisc *sch, unsigned long arg)
+{
+        struct netem_sched_data *q = qdisc_priv(sch);
+        return q->qdisc;
+}
+static unsigned long netem_get(struct Qdisc *sch, u32 classid)
+{
+        return 1;
+}
+static void netem_put(struct Qdisc *sch, unsigned long arg)
+{
+}
+static void netem_walk(struct Qdisc *sch, struct qdisc_walker *walker)
+{
+        if (!walker->stop) {
+                if (walker->count >= walker->skip)
+                        if (walker->fn(sch, 1, walker) < 0) {
+                                walker->stop = 1;
+                                return;
+                        }
+                walker->count++;
+        }
+}
+static const struct Qdisc_class_ops netem_class_ops = {
+        .graft          =       netem_graft,
+        .leaf           =       netem_leaf,
+        .get            =       netem_get,
+        .put            =       netem_put,
+        .walk           =       netem_walk,
+        .dump           =       netem_dump_class,
+};
 static struct Qdisc_ops netem_qdisc_ops __read_mostly = {
        .id             =       "netem",
+        .cl_ops         =       &netem_class_ops,
        .priv_size      =       sizeof(struct netem_sched_data),
        .enqueue        =       netem_enqueue,
        .dequeue        =       netem_dequeue,
diff --git a/net/sched/sch_prio.c b/net/sched/sch_prio.c
index fbd710d619bf..2a318f2dc3e5 100644
--- a/net/sched/sch_prio.c
+++ b/net/sched/sch_prio.c
@@ -22,8 +22,7 @@
 #include <net/pkt_sched.h>
-struct prio_sched_data
+struct prio_sched_data {
-{
        int bands;
        struct tcf_proto *filter_list;
        u8  prio2band[TC_PRIO_MAX+1];
@@ -54,7 +53,7 @@ prio_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
                if (!q->filter_list || err < 0) {
                        if (TC_H_MAJ(band))
                                band = 0;
-                        return q->queues[q->prio2band[band&TC_PRIO_MAX]];
+                        return q->queues[q->prio2band[band & TC_PRIO_MAX]];
                }
                band = res.classid;
        }
@@ -106,7 +105,7 @@ static struct sk_buff *prio_peek(struct Qdisc *sch)
        return NULL;
 }
-static struct sk_buff *prio_dequeue(struct Qdisc* sch)
+static struct sk_buff *prio_dequeue(struct Qdisc *sch)
 {
        struct prio_sched_data *q = qdisc_priv(sch);
        int prio;
@@ -124,7 +123,7 @@ static struct sk_buff *prio_dequeue(struct Qdisc* sch)
 }
-static unsigned int prio_drop(struct Qdisc* sch)
+static unsigned int prio_drop(struct Qdisc *sch)
 {
        struct prio_sched_data *q = qdisc_priv(sch);
        int prio;
@@ -143,24 +142,24 @@ static unsigned int prio_drop(struct Qdisc* sch)
 static void
-prio_reset(struct Qdisc* sch)
+prio_reset(struct Qdisc *sch)
 {
        int prio;
        struct prio_sched_data *q = qdisc_priv(sch);
-        for (prio=0; prio<q->bands; prio++)
+        for (prio = 0; prio < q->bands; prio++)
                qdisc_reset(q->queues[prio]);
        sch->q.qlen = 0;
 }
 static void
-prio_destroy(struct Qdisc* sch)
+prio_destroy(struct Qdisc *sch)
 {
        int prio;
        struct prio_sched_data *q = qdisc_priv(sch);
        tcf_destroy_chain(&q->filter_list);
-        for (prio=0; prio<q->bands; prio++)
+        for (prio = 0; prio < q->bands; prio++)
                qdisc_destroy(q->queues[prio]);
 }
@@ -177,7 +176,7 @@ static int prio_tune(struct Qdisc *sch, struct nlattr *opt)
        if (qopt->bands > TCQ_PRIO_BANDS || qopt->bands < 2)
                return -EINVAL;
-        for (i=0; i<=TC_PRIO_MAX; i++) {
+        for (i = 0; i <= TC_PRIO_MAX; i++) {
                if (qopt->priomap[i] >= qopt->bands)
                        return -EINVAL;
        }
@@ -186,7 +185,7 @@ static int prio_tune(struct Qdisc *sch, struct nlattr *opt)
        q->bands = qopt->bands;
        memcpy(q->prio2band, qopt->priomap, TC_PRIO_MAX+1);
-        for (i=q->bands; i<TCQ_PRIO_BANDS; i++) {
+        for (i = q->bands; i < TCQ_PRIO_BANDS; i++) {
                struct Qdisc *child = q->queues[i];
                q->queues[i] = &noop_qdisc;
                if (child != &noop_qdisc) {
@@ -196,9 +195,10 @@ static int prio_tune(struct Qdisc *sch, struct nlattr *opt)
        }
        sch_tree_unlock(sch);
-        for (i=0; i<q->bands; i++) {
+        for (i = 0; i < q->bands; i++) {
                if (q->queues[i] == &noop_qdisc) {
                        struct Qdisc *child, *old;
                        child = qdisc_create_dflt(sch->dev_queue,
                                                  &pfifo_qdisc_ops,
                                                  TC_H_MAKE(sch->handle, i + 1));
@@ -224,7 +224,7 @@ static int prio_init(struct Qdisc *sch, struct nlattr *opt)
        struct prio_sched_data *q = qdisc_priv(sch);
        int i;
-        for (i=0; i<TCQ_PRIO_BANDS; i++)
+        for (i = 0; i < TCQ_PRIO_BANDS; i++)
                q->queues[i] = &noop_qdisc;
        if (opt == NULL) {
@@ -232,7 +232,7 @@ static int prio_init(struct Qdisc *sch, struct nlattr *opt)
        } else {
                int err;
-                if ((err= prio_tune(sch, opt)) != 0)
+                if ((err = prio_tune(sch, opt)) != 0)
                        return err;
        }
        return 0;
@@ -245,7 +245,7 @@ static int prio_dump(struct Qdisc *sch, struct sk_buff *skb)
        struct tc_prio_qopt opt;
        opt.bands = q->bands;
-        memcpy(&opt.priomap, q->prio2band, TC_PRIO_MAX+1);
+        memcpy(&opt.priomap, q->prio2band, TC_PRIO_MAX + 1);
        NLA_PUT(skb, TCA_OPTIONS, sizeof(opt), &opt);
@@ -342,7 +342,7 @@ static void prio_walk(struct Qdisc *sch, struct qdisc_walker *arg)
                        arg->count++;
                        continue;
                }
-                if (arg->fn(sch, prio+1, arg) < 0) {
+                if (arg->fn(sch, prio + 1, arg) < 0) {
                        arg->stop = 1;
                        break;
                }
@@ -350,7 +350,7 @@ static void prio_walk(struct Qdisc *sch, struct qdisc_walker *arg)
        }
 }
-static struct tcf_proto ** prio_find_tcf(struct Qdisc *sch, unsigned long cl)
+static struct tcf_proto **prio_find_tcf(struct Qdisc *sch, unsigned long cl)
 {
        struct prio_sched_data *q = qdisc_priv(sch);
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
new file mode 100644
index 000000000000..103343408593
--- /dev/null
+++ b/net/sched/sch_qfq.c
@@ -0,0 +1,1137 @@
+/*
+ * net/sched/sch_qfq.c         Quick Fair Queueing Scheduler.
+ *
+ * Copyright (c) 2009 Fabio Checconi, Luigi Rizzo, and Paolo Valente.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/bitops.h>
+#include <linux/errno.h>
+#include <linux/netdevice.h>
+#include <linux/pkt_sched.h>
+#include <net/sch_generic.h>
+#include <net/pkt_sched.h>
+#include <net/pkt_cls.h>
+/*  Quick Fair Queueing
+    ===================
+    Sources:
+    Fabio Checconi, Luigi Rizzo, and Paolo Valente: "QFQ: Efficient
+    Packet Scheduling with Tight Bandwidth Distribution Guarantees."
+    See also:
+    http://retis.sssup.it/~fabio/linux/qfq/
+ */
+/*
+  Virtual time computations.
+  S, F and V are all computed in fixed point arithmetic with
+  FRAC_BITS decimal bits.
+  QFQ_MAX_INDEX is the maximum index allowed for a group. We need
+        one bit per index.
+  QFQ_MAX_WSHIFT is the maximum power of two supported as a weight.
+  The layout of the bits is as below:
+                   [ MTU_SHIFT ][      FRAC_BITS    ]
+                   [ MAX_INDEX    ][ MIN_SLOT_SHIFT ]
+                                 ^.__grp->index = 0
+                                 *.__grp->slot_shift
+  where MIN_SLOT_SHIFT is derived by difference from the others.
+  The max group index corresponds to Lmax/w_min, where
+  Lmax=1<<MTU_SHIFT, w_min = 1 .
+  From this, and knowing how many groups (MAX_INDEX) we want,
+  we can derive the shift corresponding to each group.
+  Because we often need to compute
+        F = S + len/w_i  and V = V + len/wsum
+  instead of storing w_i store the value
+        inv_w = (1<<FRAC_BITS)/w_i
+  so we can do F = S + len * inv_w * wsum.
+  We use W_TOT in the formulas so we can easily move between
+  static and adaptive weight sum.
+  The per-scheduler-instance data contain all the data structures
+  for the scheduler: bitmaps and bucket lists.
+ */
+/*
+ * Maximum number of consecutive slots occupied by backlogged classes
+ * inside a group.
+ */
+#define QFQ_MAX_SLOTS   32
+/*
+ * Shifts used for class<->group mapping.  We allow class weights that are
+ * in the range [1, 2^MAX_WSHIFT], and we try to map each class i to the
+ * group with the smallest index that can support the L_i / r_i configured
+ * for the class.
+ *
+ * grp->index is the index of the group; and grp->slot_shift
+ * is the shift for the corresponding (scaled) sigma_i.
+ */
+#define QFQ_MAX_INDEX           19
+#define QFQ_MAX_WSHIFT          16
+#define QFQ_MAX_WEIGHT          (1<<QFQ_MAX_WSHIFT)
+#define QFQ_MAX_WSUM            (2*QFQ_MAX_WEIGHT)
+#define FRAC_BITS               30      /* fixed point arithmetic */
+#define ONE_FP                  (1UL << FRAC_BITS)
+#define IWSUM                   (ONE_FP/QFQ_MAX_WSUM)
+#define QFQ_MTU_SHIFT           11
+#define QFQ_MIN_SLOT_SHIFT      (FRAC_BITS + QFQ_MTU_SHIFT - QFQ_MAX_INDEX)
+/*
+ * Possible group states.  These values are used as indexes for the bitmaps
+ * array of struct qfq_queue.
+ */
+enum qfq_state { ER, IR, EB, IB, QFQ_MAX_STATE };
+struct qfq_group;
+struct qfq_class {
+        struct Qdisc_class_common common;
+        unsigned int refcnt;
+        unsigned int filter_cnt;
+        struct gnet_stats_basic_packed bstats;
+        struct gnet_stats_queue qstats;
+        struct gnet_stats_rate_est rate_est;
+        struct Qdisc *qdisc;
+        struct hlist_node next; /* Link for the slot list. */
+        u64 S, F;               /* flow timestamps (exact) */
+        /* group we belong to. In principle we would need the index,
+         * which is log_2(lmax/weight), but we never reference it
+         * directly, only the group.
+         */
+        struct qfq_group *grp;
+        /* these are copied from the flowset. */
+        u32     inv_w;          /* ONE_FP/weight */
+        u32     lmax;           /* Max packet size for this flow. */
+};
+struct qfq_group {
+        u64 S, F;                       /* group timestamps (approx). */
+        unsigned int slot_shift;        /* Slot shift. */
+        unsigned int index;             /* Group index. */
+        unsigned int front;             /* Index of the front slot. */
+        unsigned long full_slots;       /* non-empty slots */
+        /* Array of RR lists of active classes. */
+        struct hlist_head slots[QFQ_MAX_SLOTS];
+};
+struct qfq_sched {
+        struct tcf_proto *filter_list;
+        struct Qdisc_class_hash clhash;
+        u64             V;              /* Precise virtual time. */
+        u32             wsum;           /* weight sum */
+        unsigned long bitmaps[QFQ_MAX_STATE];       /* Group bitmaps. */
+        struct qfq_group groups[QFQ_MAX_INDEX + 1]; /* The groups. */
+};
+static struct qfq_class *qfq_find_class(struct Qdisc *sch, u32 classid)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct Qdisc_class_common *clc;
+        clc = qdisc_class_find(&q->clhash, classid);
+        if (clc == NULL)
+                return NULL;
+        return container_of(clc, struct qfq_class, common);
+}
+static void qfq_purge_queue(struct qfq_class *cl)
+{
+        unsigned int len = cl->qdisc->q.qlen;
+        qdisc_reset(cl->qdisc);
+        qdisc_tree_decrease_qlen(cl->qdisc, len);
+}
+static const struct nla_policy qfq_policy[TCA_QFQ_MAX + 1] = {
+        [TCA_QFQ_WEIGHT] = { .type = NLA_U32 },
+        [TCA_QFQ_LMAX] = { .type = NLA_U32 },
+};
+/*
+ * Calculate a flow index, given its weight and maximum packet length.
+ * index = log_2(maxlen/weight) but we need to apply the scaling.
+ * This is used only once at flow creation.
+ */
+static int qfq_calc_index(u32 inv_w, unsigned int maxlen)
+{
+        u64 slot_size = (u64)maxlen * inv_w;
+        unsigned long size_map;
+        int index = 0;
+        size_map = slot_size >> QFQ_MIN_SLOT_SHIFT;
+        if (!size_map)
+                goto out;
+        index = __fls(size_map) + 1;    /* basically a log_2 */
+        index -= !(slot_size - (1ULL << (index + QFQ_MIN_SLOT_SHIFT - 1)));
+        if (index < 0)
+                index = 0;
+out:
+        pr_debug("qfq calc_index: W = %lu, L = %u, I = %d\n",
+                 (unsigned long) ONE_FP/inv_w, maxlen, index);
+        return index;
+}
+static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+                            struct nlattr **tca, unsigned long *arg)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_class *cl = (struct qfq_class *)*arg;
+        struct nlattr *tb[TCA_QFQ_MAX + 1];
+        u32 weight, lmax, inv_w;
+        int i, err;
+        if (tca[TCA_OPTIONS] == NULL) {
+                pr_notice("qfq: no options\n");
+                return -EINVAL;
+        }
+        err = nla_parse_nested(tb, TCA_QFQ_MAX, tca[TCA_OPTIONS], qfq_policy);
+        if (err < 0)
+                return err;
+        if (tb[TCA_QFQ_WEIGHT]) {
+                weight = nla_get_u32(tb[TCA_QFQ_WEIGHT]);
+                if (!weight || weight > (1UL << QFQ_MAX_WSHIFT)) {
+                        pr_notice("qfq: invalid weight %u\n", weight);
+                        return -EINVAL;
+                }
+        } else
+                weight = 1;
+        inv_w = ONE_FP / weight;
+        weight = ONE_FP / inv_w;
+        if (q->wsum + weight > QFQ_MAX_WSUM) {
+                pr_notice("qfq: total weight out of range (%u + %u)\n",
+                          weight, q->wsum);
+                return -EINVAL;
+        }
+        if (tb[TCA_QFQ_LMAX]) {
+                lmax = nla_get_u32(tb[TCA_QFQ_LMAX]);
+                if (!lmax || lmax > (1UL << QFQ_MTU_SHIFT)) {
+                        pr_notice("qfq: invalid max length %u\n", lmax);
+                        return -EINVAL;
+                }
+        } else
+                lmax = 1UL << QFQ_MTU_SHIFT;
+        if (cl != NULL) {
+                if (tca[TCA_RATE]) {
+                        err = gen_replace_estimator(&cl->bstats, &cl->rate_est,
+                                                    qdisc_root_sleeping_lock(sch),
+                                                    tca[TCA_RATE]);
+                        if (err)
+                                return err;
+                }
+                sch_tree_lock(sch);
+                if (tb[TCA_QFQ_WEIGHT]) {
+                        q->wsum = weight - ONE_FP / cl->inv_w;
+                        cl->inv_w = inv_w;
+                }
+                sch_tree_unlock(sch);
+                return 0;
+        }
+        cl = kzalloc(sizeof(struct qfq_class), GFP_KERNEL);
+        if (cl == NULL)
+                return -ENOBUFS;
+        cl->refcnt = 1;
+        cl->common.classid = classid;
+        cl->lmax = lmax;
+        cl->inv_w = inv_w;
+        i = qfq_calc_index(cl->inv_w, cl->lmax);
+        cl->grp = &q->groups[i];
+        q->wsum += weight;
+        cl->qdisc = qdisc_create_dflt(sch->dev_queue,
+                                      &pfifo_qdisc_ops, classid);
+        if (cl->qdisc == NULL)
+                cl->qdisc = &noop_qdisc;
+        if (tca[TCA_RATE]) {
+                err = gen_new_estimator(&cl->bstats, &cl->rate_est,
+                                        qdisc_root_sleeping_lock(sch),
+                                        tca[TCA_RATE]);
+                if (err) {
+                        qdisc_destroy(cl->qdisc);
+                        kfree(cl);
+                        return err;
+                }
+        }
+        sch_tree_lock(sch);
+        qdisc_class_hash_insert(&q->clhash, &cl->common);
+        sch_tree_unlock(sch);
+        qdisc_class_hash_grow(sch, &q->clhash);
+        *arg = (unsigned long)cl;
+        return 0;
+}
+static void qfq_destroy_class(struct Qdisc *sch, struct qfq_class *cl)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        if (cl->inv_w) {
+                q->wsum -= ONE_FP / cl->inv_w;
+                cl->inv_w = 0;
+        }
+        gen_kill_estimator(&cl->bstats, &cl->rate_est);
+        qdisc_destroy(cl->qdisc);
+        kfree(cl);
+}
+static int qfq_delete_class(struct Qdisc *sch, unsigned long arg)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        if (cl->filter_cnt > 0)
+                return -EBUSY;
+        sch_tree_lock(sch);
+        qfq_purge_queue(cl);
+        qdisc_class_hash_remove(&q->clhash, &cl->common);
+        BUG_ON(--cl->refcnt == 0);
+        /*
+         * This shouldn't happen: we "hold" one cops->get() when called
+         * from tc_ctl_tclass; the destroy method is done from cops->put().
+         */
+        sch_tree_unlock(sch);
+        return 0;
+}
+static unsigned long qfq_get_class(struct Qdisc *sch, u32 classid)
+{
+        struct qfq_class *cl = qfq_find_class(sch, classid);
+        if (cl != NULL)
+                cl->refcnt++;
+        return (unsigned long)cl;
+}
+static void qfq_put_class(struct Qdisc *sch, unsigned long arg)
+{
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        if (--cl->refcnt == 0)
+                qfq_destroy_class(sch, cl);
+}
+static struct tcf_proto **qfq_tcf_chain(struct Qdisc *sch, unsigned long cl)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        if (cl)
+                return NULL;
+        return &q->filter_list;
+}
+static unsigned long qfq_bind_tcf(struct Qdisc *sch, unsigned long parent,
+                                  u32 classid)
+{
+        struct qfq_class *cl = qfq_find_class(sch, classid);
+        if (cl != NULL)
+                cl->filter_cnt++;
+        return (unsigned long)cl;
+}
+static void qfq_unbind_tcf(struct Qdisc *sch, unsigned long arg)
+{
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        cl->filter_cnt--;
+}
+static int qfq_graft_class(struct Qdisc *sch, unsigned long arg,
+                           struct Qdisc *new, struct Qdisc **old)
+{
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        if (new == NULL) {
+                new = qdisc_create_dflt(sch->dev_queue,
+                                        &pfifo_qdisc_ops, cl->common.classid);
+                if (new == NULL)
+                        new = &noop_qdisc;
+        }
+        sch_tree_lock(sch);
+        qfq_purge_queue(cl);
+        *old = cl->qdisc;
+        cl->qdisc = new;
+        sch_tree_unlock(sch);
+        return 0;
+}
+static struct Qdisc *qfq_class_leaf(struct Qdisc *sch, unsigned long arg)
+{
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        return cl->qdisc;
+}
+static int qfq_dump_class(struct Qdisc *sch, unsigned long arg,
+                          struct sk_buff *skb, struct tcmsg *tcm)
+{
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        struct nlattr *nest;
+        tcm->tcm_parent = TC_H_ROOT;
+        tcm->tcm_handle = cl->common.classid;
+        tcm->tcm_info   = cl->qdisc->handle;
+        nest = nla_nest_start(skb, TCA_OPTIONS);
+        if (nest == NULL)
+                goto nla_put_failure;
+        NLA_PUT_U32(skb, TCA_QFQ_WEIGHT, ONE_FP/cl->inv_w);
+        NLA_PUT_U32(skb, TCA_QFQ_LMAX, cl->lmax);
+        return nla_nest_end(skb, nest);
+nla_put_failure:
+        nla_nest_cancel(skb, nest);
+        return -EMSGSIZE;
+}
+static int qfq_dump_class_stats(struct Qdisc *sch, unsigned long arg,
+                                struct gnet_dump *d)
+{
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        struct tc_qfq_stats xstats;
+        memset(&xstats, 0, sizeof(xstats));
+        cl->qdisc->qstats.qlen = cl->qdisc->q.qlen;
+        xstats.weight = ONE_FP/cl->inv_w;
+        xstats.lmax = cl->lmax;
+        if (gnet_stats_copy_basic(d, &cl->bstats) < 0 ||
+            gnet_stats_copy_rate_est(d, &cl->bstats, &cl->rate_est) < 0 ||
+            gnet_stats_copy_queue(d, &cl->qdisc->qstats) < 0)
+                return -1;
+        return gnet_stats_copy_app(d, &xstats, sizeof(xstats));
+}
+static void qfq_walk(struct Qdisc *sch, struct qdisc_walker *arg)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_class *cl;
+        struct hlist_node *n;
+        unsigned int i;
+        if (arg->stop)
+                return;
+        for (i = 0; i < q->clhash.hashsize; i++) {
+                hlist_for_each_entry(cl, n, &q->clhash.hash[i], common.hnode) {
+                        if (arg->count < arg->skip) {
+                                arg->count++;
+                                continue;
+                        }
+                        if (arg->fn(sch, (unsigned long)cl, arg) < 0) {
+                                arg->stop = 1;
+                                return;
+                        }
+                        arg->count++;
+                }
+        }
+}
+static struct qfq_class *qfq_classify(struct sk_buff *skb, struct Qdisc *sch,
+                                      int *qerr)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_class *cl;
+        struct tcf_result res;
+        int result;
+        if (TC_H_MAJ(skb->priority ^ sch->handle) == 0) {
+                pr_debug("qfq_classify: found %d\n", skb->priority);
+                cl = qfq_find_class(sch, skb->priority);
+                if (cl != NULL)
+                        return cl;
+        }
+        *qerr = NET_XMIT_SUCCESS | __NET_XMIT_BYPASS;
+        result = tc_classify(skb, q->filter_list, &res);
+        if (result >= 0) {
+#ifdef CONFIG_NET_CLS_ACT
+                switch (result) {
+                case TC_ACT_QUEUED:
+                case TC_ACT_STOLEN:
+                        *qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN;
+                case TC_ACT_SHOT:
+                        return NULL;
+                }
+#endif
+                cl = (struct qfq_class *)res.class;
+                if (cl == NULL)
+                        cl = qfq_find_class(sch, res.classid);
+                return cl;
+        }
+        return NULL;
+}
+/* Generic comparison function, handling wraparound. */
+static inline int qfq_gt(u64 a, u64 b)
+{
+        return (s64)(a - b) > 0;
+}
+/* Round a precise timestamp to its slotted value. */
+static inline u64 qfq_round_down(u64 ts, unsigned int shift)
+{
+        return ts & ~((1ULL << shift) - 1);
+}
+/* return the pointer to the group with lowest index in the bitmap */
+static inline struct qfq_group *qfq_ffs(struct qfq_sched *q,
+                                        unsigned long bitmap)
+{
+        int index = __ffs(bitmap);
+        return &q->groups[index];
+}
+/* Calculate a mask to mimic what would be ffs_from(). */
+static inline unsigned long mask_from(unsigned long bitmap, int from)
+{
+        return bitmap & ~((1UL << from) - 1);
+}
+/*
+ * The state computation relies on ER=0, IR=1, EB=2, IB=3
+ * First compute eligibility comparing grp->S, q->V,
+ * then check if someone is blocking us and possibly add EB
+ */
+static int qfq_calc_state(struct qfq_sched *q, const struct qfq_group *grp)
+{
+        /* if S > V we are not eligible */
+        unsigned int state = qfq_gt(grp->S, q->V);
+        unsigned long mask = mask_from(q->bitmaps[ER], grp->index);
+        struct qfq_group *next;
+        if (mask) {
+                next = qfq_ffs(q, mask);
+                if (qfq_gt(grp->F, next->F))
+                        state |= EB;
+        }
+        return state;
+}
+/*
+ * In principle
+ *      q->bitmaps[dst] |= q->bitmaps[src] & mask;
+ *      q->bitmaps[src] &= ~mask;
+ * but we should make sure that src != dst
+ */
+static inline void qfq_move_groups(struct qfq_sched *q, unsigned long mask,
+                                   int src, int dst)
+{
+        q->bitmaps[dst] |= q->bitmaps[src] & mask;
+        q->bitmaps[src] &= ~mask;
+}
+static void qfq_unblock_groups(struct qfq_sched *q, int index, u64 old_F)
+{
+        unsigned long mask = mask_from(q->bitmaps[ER], index + 1);
+        struct qfq_group *next;
+        if (mask) {
+                next = qfq_ffs(q, mask);
+                if (!qfq_gt(next->F, old_F))
+                        return;
+        }
+        mask = (1UL << index) - 1;
+        qfq_move_groups(q, mask, EB, ER);
+        qfq_move_groups(q, mask, IB, IR);
+}
+/*
+ * perhaps
+ *
+        old_V ^= q->V;
+        old_V >>= QFQ_MIN_SLOT_SHIFT;
+        if (old_V) {
+                ...
+        }
+ *
+ */
+static void qfq_make_eligible(struct qfq_sched *q, u64 old_V)
+{
+        unsigned long vslot = q->V >> QFQ_MIN_SLOT_SHIFT;
+        unsigned long old_vslot = old_V >> QFQ_MIN_SLOT_SHIFT;
+        if (vslot != old_vslot) {
+                unsigned long mask = (1UL << fls(vslot ^ old_vslot)) - 1;
+                qfq_move_groups(q, mask, IR, ER);
+                qfq_move_groups(q, mask, IB, EB);
+        }
+}
+/*
+ * XXX we should make sure that slot becomes less than 32.
+ * This is guaranteed by the input values.
+ * roundedS is always cl->S rounded on grp->slot_shift bits.
+ */
+static void qfq_slot_insert(struct qfq_group *grp, struct qfq_class *cl,
+                            u64 roundedS)
+{
+        u64 slot = (roundedS - grp->S) >> grp->slot_shift;
+        unsigned int i = (grp->front + slot) % QFQ_MAX_SLOTS;
+        hlist_add_head(&cl->next, &grp->slots[i]);
+        __set_bit(slot, &grp->full_slots);
+}
+/* Maybe introduce hlist_first_entry?? */
+static struct qfq_class *qfq_slot_head(struct qfq_group *grp)
+{
+        return hlist_entry(grp->slots[grp->front].first,
+                           struct qfq_class, next);
+}
+/*
+ * remove the entry from the slot
+ */
+static void qfq_front_slot_remove(struct qfq_group *grp)
+{
+        struct qfq_class *cl = qfq_slot_head(grp);
+        BUG_ON(!cl);
+        hlist_del(&cl->next);
+        if (hlist_empty(&grp->slots[grp->front]))
+                __clear_bit(0, &grp->full_slots);
+}
+/*
+ * Returns the first full queue in a group. As a side effect,
+ * adjust the bucket list so the first non-empty bucket is at
+ * position 0 in full_slots.
+ */
+static struct qfq_class *qfq_slot_scan(struct qfq_group *grp)
+{
+        unsigned int i;
+        pr_debug("qfq slot_scan: grp %u full %#lx\n",
+                 grp->index, grp->full_slots);
+        if (grp->full_slots == 0)
+                return NULL;
+        i = __ffs(grp->full_slots);  /* zero based */
+        if (i > 0) {
+                grp->front = (grp->front + i) % QFQ_MAX_SLOTS;
+                grp->full_slots >>= i;
+        }
+        return qfq_slot_head(grp);
+}
+/*
+ * adjust the bucket list. When the start time of a group decreases,
+ * we move the index down (modulo QFQ_MAX_SLOTS) so we don't need to
+ * move the objects. The mask of occupied slots must be shifted
+ * because we use ffs() to find the first non-empty slot.
+ * This covers decreases in the group's start time, but what about
+ * increases of the start time ?
+ * Here too we should make sure that i is less than 32
+ */
+static void qfq_slot_rotate(struct qfq_group *grp, u64 roundedS)
+{
+        unsigned int i = (grp->S - roundedS) >> grp->slot_shift;
+        grp->full_slots <<= i;
+        grp->front = (grp->front - i) % QFQ_MAX_SLOTS;
+}
+static void qfq_update_eligible(struct qfq_sched *q, u64 old_V)
+{
+        struct qfq_group *grp;
+        unsigned long ineligible;
+        ineligible = q->bitmaps[IR] | q->bitmaps[IB];
+        if (ineligible) {
+                if (!q->bitmaps[ER]) {
+                        grp = qfq_ffs(q, ineligible);
+                        if (qfq_gt(grp->S, q->V))
+                                q->V = grp->S;
+                }
+                qfq_make_eligible(q, old_V);
+        }
+}
+/* What is length of next packet in queue (0 if queue is empty) */
+static unsigned int qdisc_peek_len(struct Qdisc *sch)
+{
+        struct sk_buff *skb;
+        skb = sch->ops->peek(sch);
+        return skb ? qdisc_pkt_len(skb) : 0;
+}
+/*
+ * Updates the class, returns true if also the group needs to be updated.
+ */
+static bool qfq_update_class(struct qfq_group *grp, struct qfq_class *cl)
+{
+        unsigned int len = qdisc_peek_len(cl->qdisc);
+        cl->S = cl->F;
+        if (!len)
+                qfq_front_slot_remove(grp);     /* queue is empty */
+        else {
+                u64 roundedS;
+                cl->F = cl->S + (u64)len * cl->inv_w;
+                roundedS = qfq_round_down(cl->S, grp->slot_shift);
+                if (roundedS == grp->S)
+                        return false;
+                qfq_front_slot_remove(grp);
+                qfq_slot_insert(grp, cl, roundedS);
+        }
+        return true;
+}
+static struct sk_buff *qfq_dequeue(struct Qdisc *sch)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_group *grp;
+        struct qfq_class *cl;
+        struct sk_buff *skb;
+        unsigned int len;
+        u64 old_V;
+        if (!q->bitmaps[ER])
+                return NULL;
+        grp = qfq_ffs(q, q->bitmaps[ER]);
+        cl = qfq_slot_head(grp);
+        skb = qdisc_dequeue_peeked(cl->qdisc);
+        if (!skb) {
+                WARN_ONCE(1, "qfq_dequeue: non-workconserving leaf\n");
+                return NULL;
+        }
+        sch->q.qlen--;
+        qdisc_bstats_update(sch, skb);
+        old_V = q->V;
+        len = qdisc_pkt_len(skb);
+        q->V += (u64)len * IWSUM;
+        pr_debug("qfq dequeue: len %u F %lld now %lld\n",
+                 len, (unsigned long long) cl->F, (unsigned long long) q->V);
+        if (qfq_update_class(grp, cl)) {
+                u64 old_F = grp->F;
+                cl = qfq_slot_scan(grp);
+                if (!cl)
+                        __clear_bit(grp->index, &q->bitmaps[ER]);
+                else {
+                        u64 roundedS = qfq_round_down(cl->S, grp->slot_shift);
+                        unsigned int s;
+                        if (grp->S == roundedS)
+                                goto skip_unblock;
+                        grp->S = roundedS;
+                        grp->F = roundedS + (2ULL << grp->slot_shift);
+                        __clear_bit(grp->index, &q->bitmaps[ER]);
+                        s = qfq_calc_state(q, grp);
+                        __set_bit(grp->index, &q->bitmaps[s]);
+                }
+                qfq_unblock_groups(q, grp->index, old_F);
+        }
+skip_unblock:
+        qfq_update_eligible(q, old_V);
+        return skb;
+}
+/*
+ * Assign a reasonable start time for a new flow k in group i.
+ * Admissible values for \hat(F) are multiples of \sigma_i
+ * no greater than V+\sigma_i . Larger values mean that
+ * we had a wraparound so we consider the timestamp to be stale.
+ *
+ * If F is not stale and F >= V then we set S = F.
+ * Otherwise we should assign S = V, but this may violate
+ * the ordering in ER. So, if we have groups in ER, set S to
+ * the F_j of the first group j which would be blocking us.
+ * We are guaranteed not to move S backward because
+ * otherwise our group i would still be blocked.
+ */
+static void qfq_update_start(struct qfq_sched *q, struct qfq_class *cl)
+{
+        unsigned long mask;
+        uint32_t limit, roundedF;
+        int slot_shift = cl->grp->slot_shift;
+        roundedF = qfq_round_down(cl->F, slot_shift);
+        limit = qfq_round_down(q->V, slot_shift) + (1UL << slot_shift);
+        if (!qfq_gt(cl->F, q->V) || qfq_gt(roundedF, limit)) {
+                /* timestamp was stale */
+                mask = mask_from(q->bitmaps[ER], cl->grp->index);
+                if (mask) {
+                        struct qfq_group *next = qfq_ffs(q, mask);
+                        if (qfq_gt(roundedF, next->F)) {
+                                cl->S = next->F;
+                                return;
+                        }
+                }
+                cl->S = q->V;
+        } else  /* timestamp is not stale */
+                cl->S = cl->F;
+}
+static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_group *grp;
+        struct qfq_class *cl;
+        int err;
+        u64 roundedS;
+        int s;
+        cl = qfq_classify(skb, sch, &err);
+        if (cl == NULL) {
+                if (err & __NET_XMIT_BYPASS)
+                        sch->qstats.drops++;
+                kfree_skb(skb);
+                return err;
+        }
+        pr_debug("qfq_enqueue: cl = %x\n", cl->common.classid);
+        err = qdisc_enqueue(skb, cl->qdisc);
+        if (unlikely(err != NET_XMIT_SUCCESS)) {
+                pr_debug("qfq_enqueue: enqueue failed %d\n", err);
+                if (net_xmit_drop_count(err)) {
+                        cl->qstats.drops++;
+                        sch->qstats.drops++;
+                }
+                return err;
+        }
+        bstats_update(&cl->bstats, skb);
+        ++sch->q.qlen;
+        /* If the new skb is not the head of queue, then done here. */
+        if (cl->qdisc->q.qlen != 1)
+                return err;
+        /* If reach this point, queue q was idle */
+        grp = cl->grp;
+        qfq_update_start(q, cl);
+        /* compute new finish time and rounded start. */
+        cl->F = cl->S + (u64)qdisc_pkt_len(skb) * cl->inv_w;
+        roundedS = qfq_round_down(cl->S, grp->slot_shift);
+        /*
+         * insert cl in the correct bucket.
+         * If cl->S >= grp->S we don't need to adjust the
+         * bucket list and simply go to the insertion phase.
+         * Otherwise grp->S is decreasing, we must make room
+         * in the bucket list, and also recompute the group state.
+         * Finally, if there were no flows in this group and nobody
+         * was in ER make sure to adjust V.
+         */
+        if (grp->full_slots) {
+                if (!qfq_gt(grp->S, cl->S))
+                        goto skip_update;
+                /* create a slot for this cl->S */
+                qfq_slot_rotate(grp, roundedS);
+                /* group was surely ineligible, remove */
+                __clear_bit(grp->index, &q->bitmaps[IR]);
+                __clear_bit(grp->index, &q->bitmaps[IB]);
+        } else if (!q->bitmaps[ER] && qfq_gt(roundedS, q->V))
+                q->V = roundedS;
+        grp->S = roundedS;
+        grp->F = roundedS + (2ULL << grp->slot_shift);
+        s = qfq_calc_state(q, grp);
+        __set_bit(grp->index, &q->bitmaps[s]);
+        pr_debug("qfq enqueue: new state %d %#lx S %lld F %lld V %lld\n",
+                 s, q->bitmaps[s],
+                 (unsigned long long) cl->S,
+                 (unsigned long long) cl->F,
+                 (unsigned long long) q->V);
+skip_update:
+        qfq_slot_insert(grp, cl, roundedS);
+        return err;
+}
+static void qfq_slot_remove(struct qfq_sched *q, struct qfq_group *grp,
+                            struct qfq_class *cl)
+{
+        unsigned int i, offset;
+        u64 roundedS;
+        roundedS = qfq_round_down(cl->S, grp->slot_shift);
+        offset = (roundedS - grp->S) >> grp->slot_shift;
+        i = (grp->front + offset) % QFQ_MAX_SLOTS;
+        hlist_del(&cl->next);
+        if (hlist_empty(&grp->slots[i]))
+                __clear_bit(offset, &grp->full_slots);
+}
+/*
+ * called to forcibly destroy a queue.
+ * If the queue is not in the front bucket, or if it has
+ * other queues in the front bucket, we can simply remove
+ * the queue with no other side effects.
+ * Otherwise we must propagate the event up.
+ */
+static void qfq_deactivate_class(struct qfq_sched *q, struct qfq_class *cl)
+{
+        struct qfq_group *grp = cl->grp;
+        unsigned long mask;
+        u64 roundedS;
+        int s;
+        cl->F = cl->S;
+        qfq_slot_remove(q, grp, cl);
+        if (!grp->full_slots) {
+                __clear_bit(grp->index, &q->bitmaps[IR]);
+                __clear_bit(grp->index, &q->bitmaps[EB]);
+                __clear_bit(grp->index, &q->bitmaps[IB]);
+                if (test_bit(grp->index, &q->bitmaps[ER]) &&
+                    !(q->bitmaps[ER] & ~((1UL << grp->index) - 1))) {
+                        mask = q->bitmaps[ER] & ((1UL << grp->index) - 1);
+                        if (mask)
+                                mask = ~((1UL << __fls(mask)) - 1);
+                        else
+                                mask = ~0UL;
+                        qfq_move_groups(q, mask, EB, ER);
+                        qfq_move_groups(q, mask, IB, IR);
+                }
+                __clear_bit(grp->index, &q->bitmaps[ER]);
+        } else if (hlist_empty(&grp->slots[grp->front])) {
+                cl = qfq_slot_scan(grp);
+                roundedS = qfq_round_down(cl->S, grp->slot_shift);
+                if (grp->S != roundedS) {
+                        __clear_bit(grp->index, &q->bitmaps[ER]);
+                        __clear_bit(grp->index, &q->bitmaps[IR]);
+                        __clear_bit(grp->index, &q->bitmaps[EB]);
+                        __clear_bit(grp->index, &q->bitmaps[IB]);
+                        grp->S = roundedS;
+                        grp->F = roundedS + (2ULL << grp->slot_shift);
+                        s = qfq_calc_state(q, grp);
+                        __set_bit(grp->index, &q->bitmaps[s]);
+                }
+        }
+        qfq_update_eligible(q, q->V);
+}
+static void qfq_qlen_notify(struct Qdisc *sch, unsigned long arg)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_class *cl = (struct qfq_class *)arg;
+        if (cl->qdisc->q.qlen == 0)
+                qfq_deactivate_class(q, cl);
+}
+static unsigned int qfq_drop(struct Qdisc *sch)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_group *grp;
+        unsigned int i, j, len;
+        for (i = 0; i <= QFQ_MAX_INDEX; i++) {
+                grp = &q->groups[i];
+                for (j = 0; j < QFQ_MAX_SLOTS; j++) {
+                        struct qfq_class *cl;
+                        struct hlist_node *n;
+                        hlist_for_each_entry(cl, n, &grp->slots[j], next) {
+                                if (!cl->qdisc->ops->drop)
+                                        continue;
+                                len = cl->qdisc->ops->drop(cl->qdisc);
+                                if (len > 0) {
+                                        sch->q.qlen--;
+                                        if (!cl->qdisc->q.qlen)
+                                                qfq_deactivate_class(q, cl);
+                                        return len;
+                                }
+                        }
+                }
+        }
+        return 0;
+}
+static int qfq_init_qdisc(struct Qdisc *sch, struct nlattr *opt)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_group *grp;
+        int i, j, err;
+        err = qdisc_class_hash_init(&q->clhash);
+        if (err < 0)
+                return err;
+        for (i = 0; i <= QFQ_MAX_INDEX; i++) {
+                grp = &q->groups[i];
+                grp->index = i;
+                grp->slot_shift = QFQ_MTU_SHIFT + FRAC_BITS
+                                   - (QFQ_MAX_INDEX - i);
+                for (j = 0; j < QFQ_MAX_SLOTS; j++)
+                        INIT_HLIST_HEAD(&grp->slots[j]);
+        }
+        return 0;
+}
+static void qfq_reset_qdisc(struct Qdisc *sch)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_group *grp;
+        struct qfq_class *cl;
+        struct hlist_node *n, *tmp;
+        unsigned int i, j;
+        for (i = 0; i <= QFQ_MAX_INDEX; i++) {
+                grp = &q->groups[i];
+                for (j = 0; j < QFQ_MAX_SLOTS; j++) {
+                        hlist_for_each_entry_safe(cl, n, tmp,
+                                                  &grp->slots[j], next) {
+                                qfq_deactivate_class(q, cl);
+                        }
+                }
+        }
+        for (i = 0; i < q->clhash.hashsize; i++) {
+                hlist_for_each_entry(cl, n, &q->clhash.hash[i], common.hnode)
+                        qdisc_reset(cl->qdisc);
+        }
+        sch->q.qlen = 0;
+}
+static void qfq_destroy_qdisc(struct Qdisc *sch)
+{
+        struct qfq_sched *q = qdisc_priv(sch);
+        struct qfq_class *cl;
+        struct hlist_node *n, *next;
+        unsigned int i;
+        tcf_destroy_chain(&q->filter_list);
+        for (i = 0; i < q->clhash.hashsize; i++) {
+                hlist_for_each_entry_safe(cl, n, next, &q->clhash.hash[i],
+                                          common.hnode) {
+                        qfq_destroy_class(sch, cl);
+                }
+        }
+        qdisc_class_hash_destroy(&q->clhash);
+}
+static const struct Qdisc_class_ops qfq_class_ops = {
+        .change         = qfq_change_class,
+        .delete         = qfq_delete_class,
+        .get            = qfq_get_class,
+        .put            = qfq_put_class,
+        .tcf_chain      = qfq_tcf_chain,
+        .bind_tcf       = qfq_bind_tcf,
+        .unbind_tcf     = qfq_unbind_tcf,
+        .graft          = qfq_graft_class,
+        .leaf           = qfq_class_leaf,
+        .qlen_notify    = qfq_qlen_notify,
+        .dump           = qfq_dump_class,
+        .dump_stats     = qfq_dump_class_stats,
+        .walk           = qfq_walk,
+};
+static struct Qdisc_ops qfq_qdisc_ops __read_mostly = {
+        .cl_ops         = &qfq_class_ops,
+        .id             = "qfq",
+        .priv_size      = sizeof(struct qfq_sched),
+        .enqueue        = qfq_enqueue,
+        .dequeue        = qfq_dequeue,
+        .peek           = qdisc_peek_dequeued,
+        .drop           = qfq_drop,
+        .init           = qfq_init_qdisc,
+        .reset          = qfq_reset_qdisc,
+        .destroy        = qfq_destroy_qdisc,
+        .owner          = THIS_MODULE,
+};
+static int __init qfq_init(void)
+{
+        return register_qdisc(&qfq_qdisc_ops);
+}
+static void __exit qfq_exit(void)
+{
+        unregister_qdisc(&qfq_qdisc_ops);
+}
+module_init(qfq_init);
+module_exit(qfq_exit);
+MODULE_LICENSE("GPL");
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index 9f98dbd32d4c..6649463da1b6 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -36,8 +36,7 @@
        if RED works correctly.
 */
-struct red_sched_data
+struct red_sched_data {
-{
        u32                     limit;          /* HARD maximal queue length */
        unsigned char           flags;
        struct red_parms        parms;
@@ -55,7 +54,7 @@ static inline int red_use_harddrop(struct red_sched_data *q)
        return q->flags & TC_RED_HARDDROP;
 }
-static int red_enqueue(struct sk_buff *skb, struct Qdisc* sch)
+static int red_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
        struct red_sched_data *q = qdisc_priv(sch);
        struct Qdisc *child = q->qdisc;
@@ -67,29 +66,29 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc* sch)
                red_end_of_idle_period(&q->parms);
        switch (red_action(&q->parms, q->parms.qavg)) {
-                case RED_DONT_MARK:
+        case RED_DONT_MARK:
-                        break;
+                break;
-                case RED_PROB_MARK:
+        case RED_PROB_MARK:
-                        sch->qstats.overlimits++;
+                sch->qstats.overlimits++;
-                        if (!red_use_ecn(q) || !INET_ECN_set_ce(skb)) {
+                if (!red_use_ecn(q) || !INET_ECN_set_ce(skb)) {
-                                q->stats.prob_drop++;
+                        q->stats.prob_drop++;
-                                goto congestion_drop;
+                        goto congestion_drop;
-                        }
+                }
-                        q->stats.prob_mark++;
+                q->stats.prob_mark++;
-                        break;
+                break;
-                case RED_HARD_MARK:
+        case RED_HARD_MARK:
-                        sch->qstats.overlimits++;
+                sch->qstats.overlimits++;
-                        if (red_use_harddrop(q) || !red_use_ecn(q) ||
+                if (red_use_harddrop(q) || !red_use_ecn(q) ||
-                            !INET_ECN_set_ce(skb)) {
+                    !INET_ECN_set_ce(skb)) {
-                                q->stats.forced_drop++;
+                        q->stats.forced_drop++;
-                                goto congestion_drop;
+                        goto congestion_drop;
-                        }
+                }
-                        q->stats.forced_mark++;
+                q->stats.forced_mark++;
-                        break;
+                break;
        }
        ret = qdisc_enqueue(skb, child);
@@ -106,7 +105,7 @@ congestion_drop:
        return NET_XMIT_CN;
 }
-static struct sk_buff * red_dequeue(struct Qdisc* sch)
+static struct sk_buff *red_dequeue(struct Qdisc *sch)
 {
        struct sk_buff *skb;
        struct red_sched_data *q = qdisc_priv(sch);
@@ -123,7 +122,7 @@ static struct sk_buff * red_dequeue(struct Qdisc* sch)
        return skb;
 }
-static struct sk_buff * red_peek(struct Qdisc* sch)
+static struct sk_buff *red_peek(struct Qdisc *sch)
 {
        struct red_sched_data *q = qdisc_priv(sch);
        struct Qdisc *child = q->qdisc;
@@ -131,7 +130,7 @@ static struct sk_buff * red_peek(struct Qdisc* sch)
        return child->ops->peek(child);
 }
-static unsigned int red_drop(struct Qdisc* sch)
+static unsigned int red_drop(struct Qdisc *sch)
 {
        struct red_sched_data *q = qdisc_priv(sch);
        struct Qdisc *child = q->qdisc;
@@ -150,7 +149,7 @@ static unsigned int red_drop(struct Qdisc* sch)
        return 0;
 }
-static void red_reset(struct Qdisc* sch)
+static void red_reset(struct Qdisc *sch)
 {
        struct red_sched_data *q = qdisc_priv(sch);
@@ -217,7 +216,7 @@ static int red_change(struct Qdisc *sch, struct nlattr *opt)
        return 0;
 }
-static int red_init(struct Qdisc* sch, struct nlattr *opt)
+static int red_init(struct Qdisc *sch, struct nlattr *opt)
 {
        struct red_sched_data *q = qdisc_priv(sch);
diff --git a/net/sched/sch_sfb.c b/net/sched/sch_sfb.c
new file mode 100644
index 000000000000..0a833d0c1f61
--- /dev/null
+++ b/net/sched/sch_sfb.c
@@ -0,0 +1,709 @@
+/*
+ * net/sched/sch_sfb.c    Stochastic Fair Blue
+ *
+ * Copyright (c) 2008-2011 Juliusz Chroboczek <jch@pps.jussieu.fr>
+ * Copyright (c) 2011 Eric Dumazet <eric.dumazet@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * W. Feng, D. Kandlur, D. Saha, K. Shin. Blue:
+ * A New Class of Active Queue Management Algorithms.
+ * U. Michigan CSE-TR-387-99, April 1999.
+ *
+ * http://www.thefengs.com/wuchang/blue/CSE-TR-387-99.pdf
+ *
+ */
+#include <linux/module.h>
+#include <linux/types.h>
+#include <linux/kernel.h>
+#include <linux/errno.h>
+#include <linux/skbuff.h>
+#include <linux/random.h>
+#include <linux/jhash.h>
+#include <net/ip.h>
+#include <net/pkt_sched.h>
+#include <net/inet_ecn.h>
+/*
+ * SFB uses two B[l][n] : L x N arrays of bins (L levels, N bins per level)
+ * This implementation uses L = 8 and N = 16
+ * This permits us to split one 32bit hash (provided per packet by rxhash or
+ * external classifier) into 8 subhashes of 4 bits.
+ */
+#define SFB_BUCKET_SHIFT 4
+#define SFB_NUMBUCKETS  (1 << SFB_BUCKET_SHIFT) /* N bins per Level */
+#define SFB_BUCKET_MASK (SFB_NUMBUCKETS - 1)
+#define SFB_LEVELS      (32 / SFB_BUCKET_SHIFT) /* L */
+/* SFB algo uses a virtual queue, named "bin" */
+struct sfb_bucket {
+        u16             qlen; /* length of virtual queue */
+        u16             p_mark; /* marking probability */
+};
+/* We use a double buffering right before hash change
+ * (Section 4.4 of SFB reference : moving hash functions)
+ */
+struct sfb_bins {
+        u32               perturbation; /* jhash perturbation */
+        struct sfb_bucket bins[SFB_LEVELS][SFB_NUMBUCKETS];
+};
+struct sfb_sched_data {
+        struct Qdisc    *qdisc;
+        struct tcf_proto *filter_list;
+        unsigned long   rehash_interval;
+        unsigned long   warmup_time;    /* double buffering warmup time in jiffies */
+        u32             max;
+        u32             bin_size;       /* maximum queue length per bin */
+        u32             increment;      /* d1 */
+        u32             decrement;      /* d2 */
+        u32             limit;          /* HARD maximal queue length */
+        u32             penalty_rate;
+        u32             penalty_burst;
+        u32             tokens_avail;
+        unsigned long   rehash_time;
+        unsigned long   token_time;
+        u8              slot;           /* current active bins (0 or 1) */
+        bool            double_buffering;
+        struct sfb_bins bins[2];
+        struct {
+                u32     earlydrop;
+                u32     penaltydrop;
+                u32     bucketdrop;
+                u32     queuedrop;
+                u32     childdrop;      /* drops in child qdisc */
+                u32     marked;         /* ECN mark */
+        } stats;
+};
+/*
+ * Each queued skb might be hashed on one or two bins
+ * We store in skb_cb the two hash values.
+ * (A zero value means double buffering was not used)
+ */
+struct sfb_skb_cb {
+        u32 hashes[2];
+};
+static inline struct sfb_skb_cb *sfb_skb_cb(const struct sk_buff *skb)
+{
+        BUILD_BUG_ON(sizeof(skb->cb) <
+                sizeof(struct qdisc_skb_cb) + sizeof(struct sfb_skb_cb));
+        return (struct sfb_skb_cb *)qdisc_skb_cb(skb)->data;
+}
+/*
+ * If using 'internal' SFB flow classifier, hash comes from skb rxhash
+ * If using external classifier, hash comes from the classid.
+ */
+static u32 sfb_hash(const struct sk_buff *skb, u32 slot)
+{
+        return sfb_skb_cb(skb)->hashes[slot];
+}
+/* Probabilities are coded as Q0.16 fixed-point values,
+ * with 0xFFFF representing 65535/65536 (almost 1.0)
+ * Addition and subtraction are saturating in [0, 65535]
+ */
+static u32 prob_plus(u32 p1, u32 p2)
+{
+        u32 res = p1 + p2;
+        return min_t(u32, res, SFB_MAX_PROB);
+}
+static u32 prob_minus(u32 p1, u32 p2)
+{
+        return p1 > p2 ? p1 - p2 : 0;
+}
+static void increment_one_qlen(u32 sfbhash, u32 slot, struct sfb_sched_data *q)
+{
+        int i;
+        struct sfb_bucket *b = &q->bins[slot].bins[0][0];
+        for (i = 0; i < SFB_LEVELS; i++) {
+                u32 hash = sfbhash & SFB_BUCKET_MASK;
+                sfbhash >>= SFB_BUCKET_SHIFT;
+                if (b[hash].qlen < 0xFFFF)
+                        b[hash].qlen++;
+                b += SFB_NUMBUCKETS; /* next level */
+        }
+}
+static void increment_qlen(const struct sk_buff *skb, struct sfb_sched_data *q)
+{
+        u32 sfbhash;
+        sfbhash = sfb_hash(skb, 0);
+        if (sfbhash)
+                increment_one_qlen(sfbhash, 0, q);
+        sfbhash = sfb_hash(skb, 1);
+        if (sfbhash)
+                increment_one_qlen(sfbhash, 1, q);
+}
+static void decrement_one_qlen(u32 sfbhash, u32 slot,
+                               struct sfb_sched_data *q)
+{
+        int i;
+        struct sfb_bucket *b = &q->bins[slot].bins[0][0];
+        for (i = 0; i < SFB_LEVELS; i++) {
+                u32 hash = sfbhash & SFB_BUCKET_MASK;
+                sfbhash >>= SFB_BUCKET_SHIFT;
+                if (b[hash].qlen > 0)
+                        b[hash].qlen--;
+                b += SFB_NUMBUCKETS; /* next level */
+        }
+}
+static void decrement_qlen(const struct sk_buff *skb, struct sfb_sched_data *q)
+{
+        u32 sfbhash;
+        sfbhash = sfb_hash(skb, 0);
+        if (sfbhash)
+                decrement_one_qlen(sfbhash, 0, q);
+        sfbhash = sfb_hash(skb, 1);
+        if (sfbhash)
+                decrement_one_qlen(sfbhash, 1, q);
+}
+static void decrement_prob(struct sfb_bucket *b, struct sfb_sched_data *q)
+{
+        b->p_mark = prob_minus(b->p_mark, q->decrement);
+}
+static void increment_prob(struct sfb_bucket *b, struct sfb_sched_data *q)
+{
+        b->p_mark = prob_plus(b->p_mark, q->increment);
+}
+static void sfb_zero_all_buckets(struct sfb_sched_data *q)
+{
+        memset(&q->bins, 0, sizeof(q->bins));
+}
+/*
+ * compute max qlen, max p_mark, and avg p_mark
+ */
+static u32 sfb_compute_qlen(u32 *prob_r, u32 *avgpm_r, const struct sfb_sched_data *q)
+{
+        int i;
+        u32 qlen = 0, prob = 0, totalpm = 0;
+        const struct sfb_bucket *b = &q->bins[q->slot].bins[0][0];
+        for (i = 0; i < SFB_LEVELS * SFB_NUMBUCKETS; i++) {
+                if (qlen < b->qlen)
+                        qlen = b->qlen;
+                totalpm += b->p_mark;
+                if (prob < b->p_mark)
+                        prob = b->p_mark;
+                b++;
+        }
+        *prob_r = prob;
+        *avgpm_r = totalpm / (SFB_LEVELS * SFB_NUMBUCKETS);
+        return qlen;
+}
+static void sfb_init_perturbation(u32 slot, struct sfb_sched_data *q)
+{
+        q->bins[slot].perturbation = net_random();
+}
+static void sfb_swap_slot(struct sfb_sched_data *q)
+{
+        sfb_init_perturbation(q->slot, q);
+        q->slot ^= 1;
+        q->double_buffering = false;
+}
+/* Non elastic flows are allowed to use part of the bandwidth, expressed
+ * in "penalty_rate" packets per second, with "penalty_burst" burst
+ */
+static bool sfb_rate_limit(struct sk_buff *skb, struct sfb_sched_data *q)
+{
+        if (q->penalty_rate == 0 || q->penalty_burst == 0)
+                return true;
+        if (q->tokens_avail < 1) {
+                unsigned long age = min(10UL * HZ, jiffies - q->token_time);
+                q->tokens_avail = (age * q->penalty_rate) / HZ;
+                if (q->tokens_avail > q->penalty_burst)
+                        q->tokens_avail = q->penalty_burst;
+                q->token_time = jiffies;
+                if (q->tokens_avail < 1)
+                        return true;
+        }
+        q->tokens_avail--;
+        return false;
+}
+static bool sfb_classify(struct sk_buff *skb, struct sfb_sched_data *q,
+                         int *qerr, u32 *salt)
+{
+        struct tcf_result res;
+        int result;
+        result = tc_classify(skb, q->filter_list, &res);
+        if (result >= 0) {
+#ifdef CONFIG_NET_CLS_ACT
+                switch (result) {
+                case TC_ACT_STOLEN:
+                case TC_ACT_QUEUED:
+                        *qerr = NET_XMIT_SUCCESS | __NET_XMIT_STOLEN;
+                case TC_ACT_SHOT:
+                        return false;
+                }
+#endif
+                *salt = TC_H_MIN(res.classid);
+                return true;
+        }
+        return false;
+}
+static int sfb_enqueue(struct sk_buff *skb, struct Qdisc *sch)
+{
+        struct sfb_sched_data *q = qdisc_priv(sch);
+        struct Qdisc *child = q->qdisc;
+        int i;
+        u32 p_min = ~0;
+        u32 minqlen = ~0;
+        u32 r, slot, salt, sfbhash;
+        int ret = NET_XMIT_SUCCESS | __NET_XMIT_BYPASS;
+        if (q->rehash_interval > 0) {
+                unsigned long limit = q->rehash_time + q->rehash_interval;
+                if (unlikely(time_after(jiffies, limit))) {
+                        sfb_swap_slot(q);
+                        q->rehash_time = jiffies;
+                } else if (unlikely(!q->double_buffering && q->warmup_time > 0 &&
+                                    time_after(jiffies, limit - q->warmup_time))) {
+                        q->double_buffering = true;
+                }
+        }
+        if (q->filter_list) {
+                /* If using external classifiers, get result and record it. */
+                if (!sfb_classify(skb, q, &ret, &salt))
+                        goto other_drop;
+        } else {
+                salt = skb_get_rxhash(skb);
+        }
+        slot = q->slot;
+        sfbhash = jhash_1word(salt, q->bins[slot].perturbation);
+        if (!sfbhash)
+                sfbhash = 1;
+        sfb_skb_cb(skb)->hashes[slot] = sfbhash;
+        for (i = 0; i < SFB_LEVELS; i++) {
+                u32 hash = sfbhash & SFB_BUCKET_MASK;
+                struct sfb_bucket *b = &q->bins[slot].bins[i][hash];
+                sfbhash >>= SFB_BUCKET_SHIFT;
+                if (b->qlen == 0)
+                        decrement_prob(b, q);
+                else if (b->qlen >= q->bin_size)
+                        increment_prob(b, q);
+                if (minqlen > b->qlen)
+                        minqlen = b->qlen;
+                if (p_min > b->p_mark)
+                        p_min = b->p_mark;
+        }
+        slot ^= 1;
+        sfb_skb_cb(skb)->hashes[slot] = 0;
+        if (unlikely(minqlen >= q->max || sch->q.qlen >= q->limit)) {
+                sch->qstats.overlimits++;
+                if (minqlen >= q->max)
+                        q->stats.bucketdrop++;
+                else
+                        q->stats.queuedrop++;
+                goto drop;
+        }
+        if (unlikely(p_min >= SFB_MAX_PROB)) {
+                /* Inelastic flow */
+                if (q->double_buffering) {
+                        sfbhash = jhash_1word(salt, q->bins[slot].perturbation);
+                        if (!sfbhash)
+                                sfbhash = 1;
+                        sfb_skb_cb(skb)->hashes[slot] = sfbhash;
+                        for (i = 0; i < SFB_LEVELS; i++) {
+                                u32 hash = sfbhash & SFB_BUCKET_MASK;
+                                struct sfb_bucket *b = &q->bins[slot].bins[i][hash];
+                                sfbhash >>= SFB_BUCKET_SHIFT;
+                                if (b->qlen == 0)
+                                        decrement_prob(b, q);
+                                else if (b->qlen >= q->bin_size)
+                                        increment_prob(b, q);
+                        }
+                }
+                if (sfb_rate_limit(skb, q)) {
+                        sch->qstats.overlimits++;
+                        q->stats.penaltydrop++;
+                        goto drop;
+                }
+                goto enqueue;
+        }
+        r = net_random() & SFB_MAX_PROB;
+        if (unlikely(r < p_min)) {
+                if (unlikely(p_min > SFB_MAX_PROB / 2)) {
+                        /* If we're marking that many packets, then either
+                         * this flow is unresponsive, or we're badly congested.
+                         * In either case, we want to start dropping packets.
+                         */
+                        if (r < (p_min - SFB_MAX_PROB / 2) * 2) {
+                                q->stats.earlydrop++;
+                                goto drop;
+                        }
+                }
+                if (INET_ECN_set_ce(skb)) {
+                        q->stats.marked++;
+                } else {
+                        q->stats.earlydrop++;
+                        goto drop;
+                }
+        }
+enqueue:
+        ret = qdisc_enqueue(skb, child);
+        if (likely(ret == NET_XMIT_SUCCESS)) {
+                sch->q.qlen++;
+                increment_qlen(skb, q);
+        } else if (net_xmit_drop_count(ret)) {
+                q->stats.childdrop++;
+                sch->qstats.drops++;
+        }
+        return ret;
+drop:
+        qdisc_drop(skb, sch);
+        return NET_XMIT_CN;
+other_drop:
+        if (ret & __NET_XMIT_BYPASS)
+                sch->qstats.drops++;
+        kfree_skb(skb);
+        return ret;
+}
+static struct sk_buff *sfb_dequeue(struct Qdisc *sch)
+{
+        struct sfb_sched_data *q = qdisc_priv(sch);
+        struct Qdisc *child = q->qdisc;
+        struct sk_buff *skb;
+        skb = child->dequeue(q->qdisc);
+        if (skb) {
+                qdisc_bstats_update(sch, skb);
+                sch->q.qlen--;
+                decrement_qlen(skb, q);
+        }
+        return skb;
+}
+static struct sk_buff *sfb_peek(struct Qdisc *sch)
+{
+        struct sfb_sched_data *q = qdisc_priv(sch);
+        struct Qdisc *child = q->qdisc;
+        return child->ops->peek(child);
+}
+/* No sfb_drop -- impossible since the child doesn't return the dropped skb. */
+static void sfb_reset(struct Qdisc *sch)
+{
+        struct sfb_sched_data *q = qdisc_priv(sch);
+        qdisc_reset(q->qdisc);
+        sch->q.qlen = 0;
+        q->slot = 0;
+        q->double_buffering = false;
+        sfb_zero_all_buckets(q);
+        sfb_init_perturbation(0, q);
+}
+static void sfb_destroy(struct Qdisc *sch)
+{
+        struct sfb_sched_data *q = qdisc_priv(sch);
+        tcf_destroy_chain(&q->filter_list);
+        qdisc_destroy(q->qdisc);
+}
+static const struct nla_policy sfb_policy[TCA_SFB_MAX + 1] = {
+        [TCA_SFB_PARMS] = { .len = sizeof(struct tc_sfb_qopt) },
+};
+static const struct tc_sfb_qopt sfb_default_ops = {
+        .rehash_interval = 600 * MSEC_PER_SEC,
+        .warmup_time = 60 * MSEC_PER_SEC,
+        .limit = 0,
+        .max = 25,
+        .bin_size = 20,
+        .increment = (SFB_MAX_PROB + 500) / 1000, /* 0.1 % */
+        .decrement = (SFB_MAX_PROB + 3000) / 6000,
+        .penalty_rate = 10,
+        .penalty_burst = 20,
+};
+static int sfb_change(struct Qdisc *sch, struct nlattr *opt)
+{
+        struct sfb_sched_data *q = qdisc_priv(sch);
+        struct Qdisc *child;
+        struct nlattr *tb[TCA_SFB_MAX + 1];
+        const struct tc_sfb_qopt *ctl = &sfb_default_ops;
+        u32 limit;
+        int err;
+        if (opt) {
+                err = nla_parse_nested(tb, TCA_SFB_MAX, opt, sfb_policy);
+                if (err < 0)
+                        return -EINVAL;
+                if (tb[TCA_SFB_PARMS] == NULL)
+                        return -EINVAL;
+                ctl = nla_data(tb[TCA_SFB_PARMS]);
+        }
+        limit = ctl->limit;
+        if (limit == 0)
+                limit = max_t(u32, qdisc_dev(sch)->tx_queue_len, 1);
+        child = fifo_create_dflt(sch, &pfifo_qdisc_ops, limit);
+        if (IS_ERR(child))
+                return PTR_ERR(child);
+        sch_tree_lock(sch);
+        qdisc_tree_decrease_qlen(q->qdisc, q->qdisc->q.qlen);
+        qdisc_destroy(q->qdisc);
+        q->qdisc = child;
+        q->rehash_interval = msecs_to_jiffies(ctl->rehash_interval);
+        q->warmup_time = msecs_to_jiffies(ctl->warmup_time);
+        q->rehash_time = jiffies;
+        q->limit = limit;
+        q->increment = ctl->increment;
+        q->decrement = ctl->decrement;
+        q->max = ctl->max;
+        q->bin_size = ctl->bin_size;
+        q->penalty_rate = ctl->penalty_rate;
+        q->penalty_burst = ctl->penalty_burst;
+        q->tokens_avail = ctl->penalty_burst;
+        q->token_time = jiffies;
+        q->slot = 0;
+        q->double_buffering = false;
+        sfb_zero_all_buckets(q);
+        sfb_init_perturbation(0, q);
+        sfb_init_perturbation(1, q);
+        sch_tree_unlock(sch);
+        return 0;
+}
+static int sfb_init(struct Qdisc *sch, struct nlattr *opt)
+{
+        struct sfb_sched_data *q = qdisc_priv(sch);
+        q->qdisc = &noop_qdisc;
+        return sfb_change(sch, opt);
+}
+static int sfb_dump(struct Qdisc *sch, struct sk_buff *skb)
+{
+        struct sfb_sched_data *q = qdisc_priv(sch);
+        struct nlattr *opts;
+        struct tc_sfb_qopt opt = {
+                .rehash_interval = jiffies_to_msecs(q->rehash_interval),
+                .warmup_time = jiffies_to_msecs(q->warmup_time),
+                .limit = q->limit,
+                .max = q->max,
+                .bin_size = q->bin_size,
+                .increment = q->increment,
+                .decrement = q->decrement,
+                .penalty_rate = q->penalty_rate,
+                .penalty_burst = q->penalty_burst,
+        };
+        sch->qstats.backlog = q->qdisc->qstats.backlog;
+        opts = nla_nest_start(skb, TCA_OPTIONS);
+        NLA_PUT(skb, TCA_SFB_PARMS, sizeof(opt), &opt);
+        return nla_nest_end(skb, opts);
+nla_put_failure:
+        nla_nest_cancel(skb, opts);
+        return -EMSGSIZE;
+}
+static int sfb_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
+{
+        struct sfb_sched_data *q = qdisc_priv(sch);
+        struct tc_sfb_xstats st = {
+                .earlydrop = q->stats.earlydrop,
+                .penaltydrop = q->stats.penaltydrop,
+                .bucketdrop = q->stats.bucketdrop,
+                .queuedrop = q->stats.queuedrop,
+                .childdrop = q->stats.childdrop,
+                .marked = q->stats.marked,
+        };
+        st.maxqlen = sfb_compute_qlen(&st.maxprob, &st.avgprob, q);
+        return gnet_stats_copy_app(d, &st, sizeof(st));
+}
+static int sfb_dump_class(struct Qdisc *sch, unsigned long cl,
+                          struct sk_buff *skb, struct tcmsg *tcm)
+{
+        return -ENOSYS;
+}
+static int sfb_graft(struct Qdisc *sch, unsigned long arg, struct Qdisc *new,
+                     struct Qdisc **old)
+{
+        struct sfb_sched_data *q = qdisc_priv(sch);
+        if (new == NULL)
+                new = &noop_qdisc;
+        sch_tree_lock(sch);
+        *old = q->qdisc;
+        q->qdisc = new;
+        qdisc_tree_decrease_qlen(*old, (*old)->q.qlen);
+        qdisc_reset(*old);
+        sch_tree_unlock(sch);
+        return 0;
+}
+static struct Qdisc *sfb_leaf(struct Qdisc *sch, unsigned long arg)
+{
+        struct sfb_sched_data *q = qdisc_priv(sch);
+        return q->qdisc;
+}
+static unsigned long sfb_get(struct Qdisc *sch, u32 classid)
+{
+        return 1;
+}
+static void sfb_put(struct Qdisc *sch, unsigned long arg)
+{
+}
+static int sfb_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
+                            struct nlattr **tca, unsigned long *arg)
+{
+        return -ENOSYS;
+}
+static int sfb_delete(struct Qdisc *sch, unsigned long cl)
+{
+        return -ENOSYS;
+}
+static void sfb_walk(struct Qdisc *sch, struct qdisc_walker *walker)
+{
+        if (!walker->stop) {
+                if (walker->count >= walker->skip)
+                        if (walker->fn(sch, 1, walker) < 0) {
+                                walker->stop = 1;
+                                return;
+                        }
+                walker->count++;
+        }
+}
+static struct tcf_proto **sfb_find_tcf(struct Qdisc *sch, unsigned long cl)
+{
+        struct sfb_sched_data *q = qdisc_priv(sch);
+        if (cl)
+                return NULL;
+        return &q->filter_list;
+}
+static unsigned long sfb_bind(struct Qdisc *sch, unsigned long parent,
+                              u32 classid)
+{
+        return 0;
+}
+static const struct Qdisc_class_ops sfb_class_ops = {
+        .graft          =       sfb_graft,
+        .leaf           =       sfb_leaf,
+        .get            =       sfb_get,
+        .put            =       sfb_put,
+        .change         =       sfb_change_class,
+        .delete         =       sfb_delete,
+        .walk           =       sfb_walk,
+        .tcf_chain      =       sfb_find_tcf,
+        .bind_tcf       =       sfb_bind,
+        .unbind_tcf     =       sfb_put,
+        .dump           =       sfb_dump_class,
+};
+static struct Qdisc_ops sfb_qdisc_ops __read_mostly = {
+        .id             =       "sfb",
+        .priv_size      =       sizeof(struct sfb_sched_data),
+        .cl_ops         =       &sfb_class_ops,
+        .enqueue        =       sfb_enqueue,
+        .dequeue        =       sfb_dequeue,
+        .peek           =       sfb_peek,
+        .init           =       sfb_init,
+        .reset          =       sfb_reset,
+        .destroy        =       sfb_destroy,
+        .change         =       sfb_change,
+        .dump           =       sfb_dump,
+        .dump_stats     =       sfb_dump_stats,
+        .owner          =       THIS_MODULE,
+};
+static int __init sfb_module_init(void)
+{
+        return register_qdisc(&sfb_qdisc_ops);
+}
+static void __exit sfb_module_exit(void)
+{
+        unregister_qdisc(&sfb_qdisc_ops);
+}
+module_init(sfb_module_init)
+module_exit(sfb_module_exit)
+MODULE_DESCRIPTION("Stochastic Fair Blue queue discipline");
+MODULE_AUTHOR("Juliusz Chroboczek");
+MODULE_AUTHOR("Eric Dumazet");
+MODULE_LICENSE("GPL");
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index edea8cefec6c..7ef87f9eb675 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -21,6 +21,7 @@
 #include <linux/skbuff.h>
 #include <linux/jhash.h>
 #include <linux/slab.h>
+#include <linux/vmalloc.h>
 #include <net/ip.h>
 #include <net/netlink.h>
 #include <net/pkt_sched.h>
@@ -76,7 +77,8 @@
 #define SFQ_DEPTH               128 /* max number of packets per flow */
 #define SFQ_SLOTS               128 /* max number of flows */
 #define SFQ_EMPTY_SLOT          255
-#define SFQ_HASH_DIVISOR        1024
+#define SFQ_DEFAULT_HASH_DIVISOR 1024
 /* We use 16 bits to store allot, and want to handle packets up to 64K
 * Scale allot by 8 (1<<3) so that no overflow occurs.
 */
@@ -92,8 +94,7 @@ typedef unsigned char sfq_index;
 * while following values [SFQ_SLOTS ... SFQ_SLOTS + SFQ_DEPTH - 1]
 * are 'pointers' to dep[] array
 */
-struct sfq_head
+struct sfq_head {
-{
        sfq_index       next;
        sfq_index       prev;
 };
@@ -108,13 +109,12 @@ struct sfq_slot {
        short           allot; /* credit for this slot */
 };
-struct sfq_sched_data
+struct sfq_sched_data {
-{
 /* Parameters */
        int             perturb_period;
-        unsigned        quantum;        /* Allotment per round: MUST BE >= MTU */
+        unsigned int    quantum;        /* Allotment per round: MUST BE >= MTU */
        int             limit;
+        unsigned int    divisor;        /* number of slots in hash table */
 /* Variables */
        struct tcf_proto *filter_list;
        struct timer_list perturb_timer;
@@ -122,7 +122,7 @@ struct sfq_sched_data
        sfq_index       cur_depth;      /* depth of longest slot */
        unsigned short  scaled_quantum; /* SFQ_ALLOT_SIZE(quantum) */
        struct sfq_slot *tail;          /* current slot in round */
-        sfq_index       ht[SFQ_HASH_DIVISOR];   /* Hash table */
+        sfq_index       *ht;            /* Hash table (divisor slots) */
        struct sfq_slot slots[SFQ_SLOTS];
        struct sfq_head dep[SFQ_DEPTH]; /* Linked list of slots, indexed by depth */
 };
@@ -137,12 +137,12 @@ static inline struct sfq_head *sfq_dep_head(struct sfq_sched_data *q, sfq_index
        return &q->dep[val - SFQ_SLOTS];
 }
-static __inline__ unsigned sfq_fold_hash(struct sfq_sched_data *q, u32 h, u32 h1)
+static unsigned int sfq_fold_hash(struct sfq_sched_data *q, u32 h, u32 h1)
 {
-        return jhash_2words(h, h1, q->perturbation) & (SFQ_HASH_DIVISOR - 1);
+        return jhash_2words(h, h1, q->perturbation) & (q->divisor - 1);
 }
-static unsigned sfq_hash(struct sfq_sched_data *q, struct sk_buff *skb)
+static unsigned int sfq_hash(struct sfq_sched_data *q, struct sk_buff *skb)
 {
        u32 h, h2;
@@ -157,19 +157,19 @@ static unsigned sfq_hash(struct sfq_sched_data *q, struct sk_buff *skb)
                iph = ip_hdr(skb);
                h = (__force u32)iph->daddr;
                h2 = (__force u32)iph->saddr ^ iph->protocol;
-                if (iph->frag_off & htons(IP_MF|IP_OFFSET))
+                if (iph->frag_off & htons(IP_MF | IP_OFFSET))
                        break;
                poff = proto_ports_offset(iph->protocol);
                if (poff >= 0 &&
                    pskb_network_may_pull(skb, iph->ihl * 4 + 4 + poff)) {
                        iph = ip_hdr(skb);
-                        h2 ^= *(u32*)((void *)iph + iph->ihl * 4 + poff);
+                        h2 ^= *(u32 *)((void *)iph + iph->ihl * 4 + poff);
                }
                break;
        }
        case htons(ETH_P_IPV6):
        {
-                struct ipv6hdr *iph;
+                const struct ipv6hdr *iph;
                int poff;
                if (!pskb_network_may_pull(skb, sizeof(*iph)))
@@ -181,7 +181,7 @@ static unsigned sfq_hash(struct sfq_sched_data *q, struct sk_buff *skb)
                if (poff >= 0 &&
                    pskb_network_may_pull(skb, sizeof(*iph) + 4 + poff)) {
                        iph = ipv6_hdr(skb);
-                        h2 ^= *(u32*)((void *)iph + sizeof(*iph) + poff);
+                        h2 ^= *(u32 *)((void *)iph + sizeof(*iph) + poff);
                }
                break;
        }
@@ -203,7 +203,7 @@ static unsigned int sfq_classify(struct sk_buff *skb, struct Qdisc *sch,
        if (TC_H_MAJ(skb->priority) == sch->handle &&
            TC_H_MIN(skb->priority) > 0 &&
-            TC_H_MIN(skb->priority) <= SFQ_HASH_DIVISOR)
+            TC_H_MIN(skb->priority) <= q->divisor)
                return TC_H_MIN(skb->priority);
        if (!q->filter_list)
@@ -221,7 +221,7 @@ static unsigned int sfq_classify(struct sk_buff *skb, struct Qdisc *sch,
                        return 0;
                }
 #endif
-                if (TC_H_MIN(res.classid) <= SFQ_HASH_DIVISOR)
+                if (TC_H_MIN(res.classid) <= q->divisor)
                        return TC_H_MIN(res.classid);
        }
        return 0;
@@ -491,13 +491,18 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt)
        if (opt->nla_len < nla_attr_size(sizeof(*ctl)))
                return -EINVAL;
+        if (ctl->divisor &&
+            (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
+                return -EINVAL;
        sch_tree_lock(sch);
        q->quantum = ctl->quantum ? : psched_mtu(qdisc_dev(sch));
        q->scaled_quantum = SFQ_ALLOT_SIZE(q->quantum);
        q->perturb_period = ctl->perturb_period * HZ;
        if (ctl->limit)
                q->limit = min_t(u32, ctl->limit, SFQ_DEPTH - 1);
+        if (ctl->divisor)
+                q->divisor = ctl->divisor;
        qlen = sch->q.qlen;
        while (sch->q.qlen > q->limit)
                sfq_drop(sch);
@@ -515,15 +520,13 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt)
 static int sfq_init(struct Qdisc *sch, struct nlattr *opt)
 {
        struct sfq_sched_data *q = qdisc_priv(sch);
+        size_t sz;
        int i;
        q->perturb_timer.function = sfq_perturbation;
        q->perturb_timer.data = (unsigned long)sch;
        init_timer_deferrable(&q->perturb_timer);
-        for (i = 0; i < SFQ_HASH_DIVISOR; i++)
-                q->ht[i] = SFQ_EMPTY_SLOT;
        for (i = 0; i < SFQ_DEPTH; i++) {
                q->dep[i].next = i + SFQ_SLOTS;
                q->dep[i].prev = i + SFQ_SLOTS;
@@ -532,6 +535,7 @@ static int sfq_init(struct Qdisc *sch, struct nlattr *opt)
        q->limit = SFQ_DEPTH - 1;
        q->cur_depth = 0;
        q->tail = NULL;
+        q->divisor = SFQ_DEFAULT_HASH_DIVISOR;
        if (opt == NULL) {
                q->quantum = psched_mtu(qdisc_dev(sch));
                q->scaled_quantum = SFQ_ALLOT_SIZE(q->quantum);
@@ -543,10 +547,23 @@ static int sfq_init(struct Qdisc *sch, struct nlattr *opt)
                        return err;
        }
+        sz = sizeof(q->ht[0]) * q->divisor;
+        q->ht = kmalloc(sz, GFP_KERNEL);
+        if (!q->ht && sz > PAGE_SIZE)
+                q->ht = vmalloc(sz);
+        if (!q->ht)
+                return -ENOMEM;
+        for (i = 0; i < q->divisor; i++)
+                q->ht[i] = SFQ_EMPTY_SLOT;
        for (i = 0; i < SFQ_SLOTS; i++) {
                slot_queue_init(&q->slots[i]);
                sfq_link(q, i);
        }
+        if (q->limit >= 1)
+                sch->flags |= TCQ_F_CAN_BYPASS;
+        else
+                sch->flags &= ~TCQ_F_CAN_BYPASS;
        return 0;
 }
@@ -557,6 +574,10 @@ static void sfq_destroy(struct Qdisc *sch)
        tcf_destroy_chain(&q->filter_list);
        q->perturb_period = 0;
        del_timer_sync(&q->perturb_timer);
+        if (is_vmalloc_addr(q->ht))
+                vfree(q->ht);
+        else
+                kfree(q->ht);
 }
 static int sfq_dump(struct Qdisc *sch, struct sk_buff *skb)
@@ -569,7 +590,7 @@ static int sfq_dump(struct Qdisc *sch, struct sk_buff *skb)
        opt.perturb_period = q->perturb_period / HZ;
        opt.limit = q->limit;
-        opt.divisor = SFQ_HASH_DIVISOR;
+        opt.divisor = q->divisor;
        opt.flows = q->limit;
        NLA_PUT(skb, TCA_OPTIONS, sizeof(opt), &opt);
@@ -594,6 +615,8 @@ static unsigned long sfq_get(struct Qdisc *sch, u32 classid)
 static unsigned long sfq_bind(struct Qdisc *sch, unsigned long parent,
                              u32 classid)
 {
+        /* we cannot bypass queue discipline anymore */
+        sch->flags &= ~TCQ_F_CAN_BYPASS;
        return 0;
 }
@@ -647,7 +670,7 @@ static void sfq_walk(struct Qdisc *sch, struct qdisc_walker *arg)
        if (arg->stop)
                return;
-        for (i = 0; i < SFQ_HASH_DIVISOR; i++) {
+        for (i = 0; i < q->divisor; i++) {
                if (q->ht[i] == SFQ_EMPTY_SLOT ||
                    arg->count < arg->skip) {
                        arg->count++;
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
index e93165820c3f..1dcfb5223a86 100644
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -97,8 +97,7 @@
        changed the limit is not effective anymore.
 */
-struct tbf_sched_data
+struct tbf_sched_data {
-{
 /* Parameters */
        u32             limit;          /* Maximal length of backlog: bytes */
        u32             buffer;         /* Token bucket depth/rate: MUST BE >= MTU/B */
@@ -115,10 +114,10 @@ struct tbf_sched_data
        struct qdisc_watchdog watchdog; /* Watchdog timer */
 };
-#define L2T(q,L)   qdisc_l2t((q)->R_tab,L)
+#define L2T(q, L)   qdisc_l2t((q)->R_tab, L)
-#define L2T_P(q,L) qdisc_l2t((q)->P_tab,L)
+#define L2T_P(q, L) qdisc_l2t((q)->P_tab, L)
-static int tbf_enqueue(struct sk_buff *skb, struct Qdisc* sch)
+static int tbf_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
        struct tbf_sched_data *q = qdisc_priv(sch);
        int ret;
@@ -137,7 +136,7 @@ static int tbf_enqueue(struct sk_buff *skb, struct Qdisc* sch)
        return NET_XMIT_SUCCESS;
 }
-static unsigned int tbf_drop(struct Qdisc* sch)
+static unsigned int tbf_drop(struct Qdisc *sch)
 {
        struct tbf_sched_data *q = qdisc_priv(sch);
        unsigned int len = 0;
@@ -149,7 +148,7 @@ static unsigned int tbf_drop(struct Qdisc* sch)
        return len;
 }
-static struct sk_buff *tbf_dequeue(struct Qdisc* sch)
+static struct sk_buff *tbf_dequeue(struct Qdisc *sch)
 {
        struct tbf_sched_data *q = qdisc_priv(sch);
        struct sk_buff *skb;
@@ -185,7 +184,7 @@ static struct sk_buff *tbf_dequeue(struct Qdisc* sch)
                        q->tokens = toks;
                        q->ptokens = ptoks;
                        sch->q.qlen--;
-                        sch->flags &= ~TCQ_F_THROTTLED;
+                        qdisc_unthrottled(sch);
                        qdisc_bstats_update(sch, skb);
                        return skb;
                }
@@ -209,7 +208,7 @@ static struct sk_buff *tbf_dequeue(struct Qdisc* sch)
        return NULL;
 }
-static void tbf_reset(struct Qdisc* sch)
+static void tbf_reset(struct Qdisc *sch)
 {
        struct tbf_sched_data *q = qdisc_priv(sch);
@@ -227,7 +226,7 @@ static const struct nla_policy tbf_policy[TCA_TBF_MAX + 1] = {
        [TCA_TBF_PTAB]  = { .type = NLA_BINARY, .len = TC_RTAB_SIZE },
 };
-static int tbf_change(struct Qdisc* sch, struct nlattr *opt)
+static int tbf_change(struct Qdisc *sch, struct nlattr *opt)
 {
        int err;
        struct tbf_sched_data *q = qdisc_priv(sch);
@@ -236,7 +235,7 @@ static int tbf_change(struct Qdisc* sch, struct nlattr *opt)
        struct qdisc_rate_table *rtab = NULL;
        struct qdisc_rate_table *ptab = NULL;
        struct Qdisc *child = NULL;
-        int max_size,n;
+        int max_size, n;
        err = nla_parse_nested(tb, TCA_TBF_PTAB, opt, tbf_policy);
        if (err < 0)
@@ -259,15 +258,18 @@ static int tbf_change(struct Qdisc* sch, struct nlattr *opt)
        }
        for (n = 0; n < 256; n++)
-                if (rtab->data[n] > qopt->buffer) break;
+                if (rtab->data[n] > qopt->buffer)
-        max_size = (n << qopt->rate.cell_log)-1;
+                        break;
+        max_size = (n << qopt->rate.cell_log) - 1;
        if (ptab) {
                int size;
                for (n = 0; n < 256; n++)
-                        if (ptab->data[n] > qopt->mtu) break;
+                        if (ptab->data[n] > qopt->mtu)
-                size = (n << qopt->peakrate.cell_log)-1;
+                                break;
-                if (size < max_size) max_size = size;
+                size = (n << qopt->peakrate.cell_log) - 1;
+                if (size < max_size)
+                        max_size = size;
        }
        if (max_size < 0)
                goto done;
@@ -310,7 +312,7 @@ done:
        return err;
 }
-static int tbf_init(struct Qdisc* sch, struct nlattr *opt)
+static int tbf_init(struct Qdisc *sch, struct nlattr *opt)
 {
        struct tbf_sched_data *q = qdisc_priv(sch);
@@ -422,8 +424,7 @@ static void tbf_walk(struct Qdisc *sch, struct qdisc_walker *walker)
        }
 }
-static const struct Qdisc_class_ops tbf_class_ops =
+static const struct Qdisc_class_ops tbf_class_ops = {
-{
        .graft          =       tbf_graft,
        .leaf           =       tbf_leaf,
        .get            =       tbf_get,
diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
index d84e7329660f..45cd30098e34 100644
--- a/net/sched/sch_teql.c
+++ b/net/sched/sch_teql.c
@@ -53,8 +53,7 @@
      which will not break load balancing, though native slave
      traffic will have the highest priority.  */
-struct teql_master
+struct teql_master {
-{
        struct Qdisc_ops qops;
        struct net_device *dev;
        struct Qdisc *slaves;
@@ -65,22 +64,21 @@ struct teql_master
        unsigned long   tx_dropped;
 };
-struct teql_sched_data
+struct teql_sched_data {
-{
        struct Qdisc *next;
        struct teql_master *m;
        struct neighbour *ncache;
        struct sk_buff_head q;
 };
-#define NEXT_SLAVE(q) (((struct teql_sched_data*)qdisc_priv(q))->next)
+#define NEXT_SLAVE(q) (((struct teql_sched_data *)qdisc_priv(q))->next)
-#define FMASK (IFF_BROADCAST|IFF_POINTOPOINT)
+#define FMASK (IFF_BROADCAST | IFF_POINTOPOINT)
 /* "teql*" qdisc routines */
 static int
-teql_enqueue(struct sk_buff *skb, struct Qdisc* sch)
+teql_enqueue(struct sk_buff *skb, struct Qdisc *sch)
 {
        struct net_device *dev = qdisc_dev(sch);
        struct teql_sched_data *q = qdisc_priv(sch);
@@ -96,7 +94,7 @@ teql_enqueue(struct sk_buff *skb, struct Qdisc* sch)
 }
 static struct sk_buff *
-teql_dequeue(struct Qdisc* sch)
+teql_dequeue(struct Qdisc *sch)
 {
        struct teql_sched_data *dat = qdisc_priv(sch);
        struct netdev_queue *dat_queue;
@@ -118,13 +116,13 @@ teql_dequeue(struct Qdisc* sch)
 }
 static struct sk_buff *
-teql_peek(struct Qdisc* sch)
+teql_peek(struct Qdisc *sch)
 {
        /* teql is meant to be used as root qdisc */
        return NULL;
 }
-static __inline__ void
+static inline void
 teql_neigh_release(struct neighbour *n)
 {
        if (n)
@@ -132,7 +130,7 @@ teql_neigh_release(struct neighbour *n)
 }
 static void
-teql_reset(struct Qdisc* sch)
+teql_reset(struct Qdisc *sch)
 {
        struct teql_sched_data *dat = qdisc_priv(sch);
@@ -142,13 +140,14 @@ teql_reset(struct Qdisc* sch)
 }
 static void
-teql_destroy(struct Qdisc* sch)
+teql_destroy(struct Qdisc *sch)
 {
        struct Qdisc *q, *prev;
        struct teql_sched_data *dat = qdisc_priv(sch);
        struct teql_master *master = dat->m;
-        if ((prev = master->slaves) != NULL) {
+        prev = master->slaves;
+        if (prev) {
                do {
                        q = NEXT_SLAVE(prev);
                        if (q == sch) {
@@ -180,7 +179,7 @@ teql_destroy(struct Qdisc* sch)
 static int teql_qdisc_init(struct Qdisc *sch, struct nlattr *opt)
 {
        struct net_device *dev = qdisc_dev(sch);
-        struct teql_master *m = (struct teql_master*)sch->ops;
+        struct teql_master *m = (struct teql_master *)sch->ops;
        struct teql_sched_data *q = qdisc_priv(sch);
        if (dev->hard_header_len > m->dev->hard_header_len)
@@ -291,7 +290,8 @@ restart:
        nores = 0;
        busy = 0;
-        if ((q = start) == NULL)
+        q = start;
+        if (!q)
                goto drop;
        do {
@@ -356,10 +356,10 @@ drop:
 static int teql_master_open(struct net_device *dev)
 {
-        struct Qdisc * q;
+        struct Qdisc *q;
        struct teql_master *m = netdev_priv(dev);
        int mtu = 0xFFFE;
-        unsigned flags = IFF_NOARP|IFF_MULTICAST;
+        unsigned int flags = IFF_NOARP | IFF_MULTICAST;
        if (m->slaves == NULL)
                return -EUNATCH;
@@ -427,7 +427,7 @@ static int teql_master_mtu(struct net_device *dev, int new_mtu)
                do {
                        if (new_mtu > qdisc_dev(q)->mtu)
                                return -EINVAL;
-                } while ((q=NEXT_SLAVE(q)) != m->slaves);
+                } while ((q = NEXT_SLAVE(q)) != m->slaves);
        }
        dev->mtu = new_mtu;
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 5f1fb8bd862d..1a21c571aa03 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -569,6 +569,8 @@ void sctp_assoc_rm_peer(struct sctp_association *asoc,
                sctp_assoc_set_primary(asoc, transport);
        if (asoc->peer.active_path == peer)
                asoc->peer.active_path = transport;
+        if (asoc->peer.retran_path == peer)
+                asoc->peer.retran_path = transport;
        if (asoc->peer.last_data_from == peer)
                asoc->peer.last_data_from = transport;
@@ -1089,7 +1091,6 @@ static void sctp_assoc_bh_rcv(struct work_struct *work)
                             base.inqueue.immediate);
        struct sctp_endpoint *ep;
        struct sctp_chunk *chunk;
-        struct sock *sk;
        struct sctp_inq *inqueue;
        int state;
        sctp_subtype_t subtype;
@@ -1097,7 +1098,6 @@ static void sctp_assoc_bh_rcv(struct work_struct *work)
        /* The association should be held so we should be safe. */
        ep = asoc->ep;
-        sk = asoc->base.sk;
        inqueue = &asoc->base.inqueue;
        sctp_association_hold(asoc);
@@ -1325,6 +1325,8 @@ void sctp_assoc_update_retran_path(struct sctp_association *asoc)
        if (t)
                asoc->peer.retran_path = t;
+        else
+                t = asoc->peer.retran_path;
        SCTP_DEBUG_PRINTK_IPADDR("sctp_assoc_update_retran_path:association"
                                 " %p addr: ",
@@ -1595,7 +1597,7 @@ void sctp_assoc_clean_asconf_ack_cache(const struct sctp_association *asoc)
        struct sctp_chunk *ack;
        struct sctp_chunk *tmp;
-        /* We can remove all the entries from the queue upto
+        /* We can remove all the entries from the queue up to
         * the "Peer-Sequence-Number".
         */
        list_for_each_entry_safe(ack, tmp, &asoc->asconf_ack_list,
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index ddbbf7c81fa1..865e68fef21c 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -113,7 +113,7 @@ struct sctp_shared_key *sctp_auth_shkey_create(__u16 key_id, gfp_t gfp)
        return new;
 }
-/* Free the shared key stucture */
+/* Free the shared key structure */
 static void sctp_auth_shkey_free(struct sctp_shared_key *sh_key)
 {
        BUG_ON(!list_empty(&sh_key->key_list));
@@ -122,7 +122,7 @@ static void sctp_auth_shkey_free(struct sctp_shared_key *sh_key)
        kfree(sh_key);
 }
-/* Destory the entire key list.  This is done during the
+/* Destroy the entire key list.  This is done during the
 * associon and endpoint free process.
 */
 void sctp_auth_destroy_keys(struct list_head *keys)
@@ -324,7 +324,7 @@ static struct sctp_auth_bytes *sctp_auth_asoc_create_secret(
        if (!peer_key_vector || !local_key_vector)
                goto out;
-        /* Figure out the order in wich the key_vectors will be
+        /* Figure out the order in which the key_vectors will be
         * added to the endpoint shared key.
         * SCTP-AUTH, Section 6.1:
         *   This is performed by selecting the numerically smaller key
diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c
index faf71d179e46..83e3011c19ca 100644
--- a/net/sctp/bind_addr.c
+++ b/net/sctp/bind_addr.c
@@ -140,14 +140,12 @@ void sctp_bind_addr_init(struct sctp_bind_addr *bp, __u16 port)
 /* Dispose of the address list. */
 static void sctp_bind_addr_clean(struct sctp_bind_addr *bp)
 {
-        struct sctp_sockaddr_entry *addr;
+        struct sctp_sockaddr_entry *addr, *temp;
-        struct list_head *pos, *temp;
        /* Empty the bind address list. */
-        list_for_each_safe(pos, temp, &bp->address_list) {
+        list_for_each_entry_safe(addr, temp, &bp->address_list, list) {
-                addr = list_entry(pos, struct sctp_sockaddr_entry, list);
+                list_del_rcu(&addr->list);
-                list_del(pos);
+                kfree_rcu(addr, rcu);
-                kfree(addr);
                SCTP_DBG_OBJCNT_DEC(addr);
        }
 }
@@ -219,7 +217,7 @@ int sctp_del_bind_addr(struct sctp_bind_addr *bp, union sctp_addr *del_addr)
        }
        if (found) {
-                call_rcu(&addr->rcu, sctp_local_addr_free);
+                kfree_rcu(addr, rcu);
                SCTP_DBG_OBJCNT_DEC(addr);
                return 0;
        }
diff --git a/net/sctp/debug.c b/net/sctp/debug.c
index bf24fa697de2..ec997cfe0a7e 100644
--- a/net/sctp/debug.c
+++ b/net/sctp/debug.c
@@ -98,7 +98,6 @@ const char *sctp_cname(const sctp_subtype_t cid)
 /* These are printable forms of the states.  */
 const char *const sctp_state_tbl[SCTP_STATE_NUM_STATES] = {
-        "STATE_EMPTY",
        "STATE_CLOSED",
        "STATE_COOKIE_WAIT",
        "STATE_COOKIE_ECHOED",
diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
index e10acc01c75f..c8cc24e282c3 100644
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -325,6 +325,7 @@ static struct sctp_association *__sctp_endpoint_lookup_assoc(
        struct sctp_transport **transport)
 {
        struct sctp_association *asoc = NULL;
+        struct sctp_association *tmp;
        struct sctp_transport *t = NULL;
        struct sctp_hashbucket *head;
        struct sctp_ep_common *epb;
@@ -333,25 +334,32 @@ static struct sctp_association *__sctp_endpoint_lookup_assoc(
        int rport;
        *transport = NULL;
+        /* If the local port is not set, there can't be any associations
+         * on this endpoint.
+         */
+        if (!ep->base.bind_addr.port)
+                goto out;
        rport = ntohs(paddr->v4.sin_port);
        hash = sctp_assoc_hashfn(ep->base.bind_addr.port, rport);
        head = &sctp_assoc_hashtable[hash];
        read_lock(&head->lock);
        sctp_for_each_hentry(epb, node, &head->chain) {
-                asoc = sctp_assoc(epb);
+                tmp = sctp_assoc(epb);
-                if (asoc->ep != ep || rport != asoc->peer.port)
+                if (tmp->ep != ep || rport != tmp->peer.port)
-                        goto next;
+                        continue;
-                t = sctp_assoc_lookup_paddr(asoc, paddr);
+                t = sctp_assoc_lookup_paddr(tmp, paddr);
                if (t) {
+                        asoc = tmp;
                        *transport = t;
                        break;
                }
-next:
-                asoc = NULL;
        }
        read_unlock(&head->lock);
+out:
        return asoc;
 }
diff --git a/net/sctp/input.c b/net/sctp/input.c
index ea2192444ce6..741ed1648838 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -565,7 +565,7 @@ void sctp_err_finish(struct sock *sk, struct sctp_association *asoc)
 */
 void sctp_v4_err(struct sk_buff *skb, __u32 info)
 {
-        struct iphdr *iph = (struct iphdr *)skb->data;
+        const struct iphdr *iph = (const struct iphdr *)skb->data;
        const int ihlen = iph->ihl * 4;
        const int type = icmp_hdr(skb)->type;
        const int code = icmp_hdr(skb)->code;
@@ -661,7 +661,6 @@ static int sctp_rcv_ootb(struct sk_buff *skb)
 {
        sctp_chunkhdr_t *ch;
        __u8 *ch_end;
-        sctp_errhdr_t *err;
        ch = (sctp_chunkhdr_t *) skb->data;
@@ -697,20 +696,6 @@ static int sctp_rcv_ootb(struct sk_buff *skb)
                if (SCTP_CID_INIT == ch->type && (void *)ch != skb->data)
                        goto discard;
-                /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
-                 * or a COOKIE ACK the SCTP Packet should be silently
-                 * discarded.
-                 */
-                if (SCTP_CID_COOKIE_ACK == ch->type)
-                        goto discard;
-                if (SCTP_CID_ERROR == ch->type) {
-                        sctp_walk_errors(err, ch) {
-                                if (SCTP_ERROR_STALE_COOKIE == err->cause)
-                                        goto discard;
-                        }
-                }
                ch = (sctp_chunkhdr_t *) ch_end;
        } while (ch_end < skb_tail_pointer(skb));
@@ -948,14 +933,11 @@ static struct sctp_association *__sctp_rcv_init_lookup(struct sk_buff *skb,
        union sctp_addr addr;
        union sctp_addr *paddr = &addr;
        struct sctphdr *sh = sctp_hdr(skb);
-        sctp_chunkhdr_t *ch;
        union sctp_params params;
        sctp_init_chunk_t *init;
        struct sctp_transport *transport;
        struct sctp_af *af;
-        ch = (sctp_chunkhdr_t *) skb->data;
        /*
         * This code will NOT touch anything inside the chunk--it is
         * strictly READ-ONLY.
@@ -1020,7 +1002,7 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
        /* Skip over the ADDIP header and find the Address parameter */
        param = (union sctp_addr_param *)(asconf + 1);
-        af = sctp_get_af_specific(param_type2af(param->v4.param_hdr.type));
+        af = sctp_get_af_specific(param_type2af(param->p.type));
        if (unlikely(!af))
                return NULL;
@@ -1037,7 +1019,7 @@ static struct sctp_association *__sctp_rcv_asconf_lookup(
 *    association.
 *
 * This means that any chunks that can help us identify the association need
-* to be looked at to find this assocation.
+* to be looked at to find this association.
 */
 static struct sctp_association *__sctp_rcv_walk_lookup(struct sk_buff *skb,
                                      const union sctp_addr *laddr,
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 95e0c8eda1a0..0bb0d7cb9f10 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -80,6 +80,13 @@
 #include <asm/uaccess.h>
+static inline int sctp_v6_addr_match_len(union sctp_addr *s1,
+                                         union sctp_addr *s2);
+static void sctp_v6_to_addr(union sctp_addr *addr, struct in6_addr *saddr,
+                              __be16 port);
+static int sctp_v6_cmp_addr(const union sctp_addr *addr1,
+                            const union sctp_addr *addr2);
 /* Event handler for inet6 address addition/deletion events.
 * The sctp_local_addr_list needs to be protocted by a spin lock since
 * multiple notifiers (say IPv4 and IPv6) may be running at the same
@@ -123,7 +130,7 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
                }
                spin_unlock_bh(&sctp_local_addr_lock);
                if (found)
-                        call_rcu(&addr->rcu, sctp_local_addr_free);
+                        kfree_rcu(addr, rcu);
                break;
        }
@@ -201,76 +208,146 @@ static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport)
 {
        struct sock *sk = skb->sk;
        struct ipv6_pinfo *np = inet6_sk(sk);
-        struct flowi fl;
+        struct flowi6 fl6;
-        memset(&fl, 0, sizeof(fl));
+        memset(&fl6, 0, sizeof(fl6));
-        fl.proto = sk->sk_protocol;
+        fl6.flowi6_proto = sk->sk_protocol;
        /* Fill in the dest address from the route entry passed with the skb
         * and the source address from the transport.
         */
-        ipv6_addr_copy(&fl.fl6_dst, &transport->ipaddr.v6.sin6_addr);
+        ipv6_addr_copy(&fl6.daddr, &transport->ipaddr.v6.sin6_addr);
-        ipv6_addr_copy(&fl.fl6_src, &transport->saddr.v6.sin6_addr);
+        ipv6_addr_copy(&fl6.saddr, &transport->saddr.v6.sin6_addr);
-        fl.fl6_flowlabel = np->flow_label;
+        fl6.flowlabel = np->flow_label;
-        IP6_ECN_flow_xmit(sk, fl.fl6_flowlabel);
+        IP6_ECN_flow_xmit(sk, fl6.flowlabel);
-        if (ipv6_addr_type(&fl.fl6_src) & IPV6_ADDR_LINKLOCAL)
+        if (ipv6_addr_type(&fl6.saddr) & IPV6_ADDR_LINKLOCAL)
-                fl.oif = transport->saddr.v6.sin6_scope_id;
+                fl6.flowi6_oif = transport->saddr.v6.sin6_scope_id;
        else
-                fl.oif = sk->sk_bound_dev_if;
+                fl6.flowi6_oif = sk->sk_bound_dev_if;
        if (np->opt && np->opt->srcrt) {
                struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt;
-                ipv6_addr_copy(&fl.fl6_dst, rt0->addr);
+                ipv6_addr_copy(&fl6.daddr, rt0->addr);
        }
        SCTP_DEBUG_PRINTK("%s: skb:%p, len:%d, src:%pI6 dst:%pI6\n",
                          __func__, skb, skb->len,
-                          &fl.fl6_src, &fl.fl6_dst);
+                          &fl6.saddr, &fl6.daddr);
        SCTP_INC_STATS(SCTP_MIB_OUTSCTPPACKS);
        if (!(transport->param_flags & SPP_PMTUD_ENABLE))
                skb->local_df = 1;
-        return ip6_xmit(sk, skb, &fl, np->opt);
+        return ip6_xmit(sk, skb, &fl6, np->opt);
 }
 /* Returns the dst cache entry for the given source and destination ip
 * addresses.
 */
-static struct dst_entry *sctp_v6_get_dst(struct sctp_association *asoc,
+static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
-                                         union sctp_addr *daddr,
+                            struct flowi *fl, struct sock *sk)
-                                         union sctp_addr *saddr)
 {
-        struct dst_entry *dst;
+        struct sctp_association *asoc = t->asoc;
-        struct flowi fl;
+        struct dst_entry *dst = NULL;
+        struct flowi6 *fl6 = &fl->u.ip6;
+        struct sctp_bind_addr *bp;
+        struct sctp_sockaddr_entry *laddr;
+        union sctp_addr *baddr = NULL;
+        union sctp_addr *daddr = &t->ipaddr;
+        union sctp_addr dst_saddr;
+        __u8 matchlen = 0;
+        __u8 bmatchlen;
+        sctp_scope_t scope;
-        memset(&fl, 0, sizeof(fl));
+        memset(fl6, 0, sizeof(struct flowi6));
-        ipv6_addr_copy(&fl.fl6_dst, &daddr->v6.sin6_addr);
+        ipv6_addr_copy(&fl6->daddr, &daddr->v6.sin6_addr);
+        fl6->fl6_dport = daddr->v6.sin6_port;
+        fl6->flowi6_proto = IPPROTO_SCTP;
        if (ipv6_addr_type(&daddr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL)
-                fl.oif = daddr->v6.sin6_scope_id;
+                fl6->flowi6_oif = daddr->v6.sin6_scope_id;
+        SCTP_DEBUG_PRINTK("%s: DST=%pI6 ", __func__, &fl6->daddr);
-        SCTP_DEBUG_PRINTK("%s: DST=%pI6 ", __func__, &fl.fl6_dst);
+        if (asoc)
+                fl6->fl6_sport = htons(asoc->base.bind_addr.port);
        if (saddr) {
-                ipv6_addr_copy(&fl.fl6_src, &saddr->v6.sin6_addr);
+                ipv6_addr_copy(&fl6->saddr, &saddr->v6.sin6_addr);
-                SCTP_DEBUG_PRINTK("SRC=%pI6 - ", &fl.fl6_src);
+                fl6->fl6_sport = saddr->v6.sin6_port;
+                SCTP_DEBUG_PRINTK("SRC=%pI6 - ", &fl6->saddr);
        }
-        dst = ip6_route_output(&init_net, NULL, &fl);
+        dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
-        if (!dst->error) {
+        if (!asoc || saddr)
+                goto out;
+        bp = &asoc->base.bind_addr;
+        scope = sctp_scope(daddr);
+        /* ip6_dst_lookup has filled in the fl6->saddr for us.  Check
+         * to see if we can use it.
+         */
+        if (!IS_ERR(dst)) {
+                /* Walk through the bind address list and look for a bind
+                 * address that matches the source address of the returned dst.
+                 */
+                sctp_v6_to_addr(&dst_saddr, &fl6->saddr, htons(bp->port));
+                rcu_read_lock();
+                list_for_each_entry_rcu(laddr, &bp->address_list, list) {
+                        if (!laddr->valid || (laddr->state != SCTP_ADDR_SRC))
+                                continue;
+                        /* Do not compare against v4 addrs */
+                        if ((laddr->a.sa.sa_family == AF_INET6) &&
+                            (sctp_v6_cmp_addr(&dst_saddr, &laddr->a))) {
+                                rcu_read_unlock();
+                                goto out;
+                        }
+                }
+                rcu_read_unlock();
+                /* None of the bound addresses match the source address of the
+                 * dst. So release it.
+                 */
+                dst_release(dst);
+                dst = NULL;
+        }
+        /* Walk through the bind address list and try to get the
+         * best source address for a given destination.
+         */
+        rcu_read_lock();
+        list_for_each_entry_rcu(laddr, &bp->address_list, list) {
+                if (!laddr->valid && laddr->state != SCTP_ADDR_SRC)
+                        continue;
+                if ((laddr->a.sa.sa_family == AF_INET6) &&
+                    (scope <= sctp_scope(&laddr->a))) {
+                        bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a);
+                        if (!baddr || (matchlen < bmatchlen)) {
+                                baddr = &laddr->a;
+                                matchlen = bmatchlen;
+                        }
+                }
+        }
+        rcu_read_unlock();
+        if (baddr) {
+                ipv6_addr_copy(&fl6->saddr, &baddr->v6.sin6_addr);
+                fl6->fl6_sport = baddr->v6.sin6_port;
+                dst = ip6_dst_lookup_flow(sk, fl6, NULL, false);
+        }
+out:
+        if (!IS_ERR(dst)) {
                struct rt6_info *rt;
                rt = (struct rt6_info *)dst;
+                t->dst = dst;
                SCTP_DEBUG_PRINTK("rt6_dst:%pI6 rt6_src:%pI6\n",
-                        &rt->rt6i_dst.addr, &rt->rt6i_src.addr);
+                        &rt->rt6i_dst.addr, &fl6->saddr);
-                return dst;
+        } else {
+                t->dst = NULL;
+                SCTP_DEBUG_PRINTK("NO ROUTE\n");
        }
-        SCTP_DEBUG_PRINTK("NO ROUTE\n");
-        dst_release(dst);
-        return NULL;
 }
 /* Returns the number of consecutive initial bits that match in the 2 ipv6
@@ -286,64 +363,18 @@ static inline int sctp_v6_addr_match_len(union sctp_addr *s1,
 * and asoc's bind address list.
 */
 static void sctp_v6_get_saddr(struct sctp_sock *sk,
-                              struct sctp_association *asoc,
+                              struct sctp_transport *t,
-                              struct dst_entry *dst,
+                              struct flowi *fl)
-                              union sctp_addr *daddr,
-                              union sctp_addr *saddr)
 {
-        struct sctp_bind_addr *bp;
+        struct flowi6 *fl6 = &fl->u.ip6;
-        struct sctp_sockaddr_entry *laddr;
+        union sctp_addr *saddr = &t->saddr;
-        sctp_scope_t scope;
-        union sctp_addr *baddr = NULL;
-        __u8 matchlen = 0;
-        __u8 bmatchlen;
-        SCTP_DEBUG_PRINTK("%s: asoc:%p dst:%p daddr:%pI6 ",
-                          __func__, asoc, dst, &daddr->v6.sin6_addr);
-        if (!asoc) {
-                ipv6_dev_get_saddr(sock_net(sctp_opt2sk(sk)),
-                                   dst ? ip6_dst_idev(dst)->dev : NULL,
-                                   &daddr->v6.sin6_addr,
-                                   inet6_sk(&sk->inet.sk)->srcprefs,
-                                   &saddr->v6.sin6_addr);
-                SCTP_DEBUG_PRINTK("saddr from ipv6_get_saddr: %pI6\n",
-                                  &saddr->v6.sin6_addr);
-                return;
-        }
-        scope = sctp_scope(daddr);
-        bp = &asoc->base.bind_addr;
-        /* Go through the bind address list and find the best source address
+        SCTP_DEBUG_PRINTK("%s: asoc:%p dst:%p\n", __func__, t->asoc, t->dst);
-         * that matches the scope of the destination address.
-         */
-        rcu_read_lock();
-        list_for_each_entry_rcu(laddr, &bp->address_list, list) {
-                if (!laddr->valid)
-                        continue;
-                if ((laddr->state == SCTP_ADDR_SRC) &&
-                    (laddr->a.sa.sa_family == AF_INET6) &&
-                    (scope <= sctp_scope(&laddr->a))) {
-                        bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a);
-                        if (!baddr || (matchlen < bmatchlen)) {
-                                baddr = &laddr->a;
-                                matchlen = bmatchlen;
-                        }
-                }
-        }
-        if (baddr) {
+        if (t->dst) {
-                memcpy(saddr, baddr, sizeof(union sctp_addr));
+                saddr->v6.sin6_family = AF_INET6;
-                SCTP_DEBUG_PRINTK("saddr: %pI6\n", &saddr->v6.sin6_addr);
+                ipv6_addr_copy(&saddr->v6.sin6_addr, &fl6->saddr);
-        } else {
-                pr_err("%s: asoc:%p Could not find a valid source "
-                       "address for the dest:%pI6\n",
-                       __func__, asoc, &daddr->v6.sin6_addr);
        }
-        rcu_read_unlock();
 }
 /* Make a copy of all potential local addresses. */
@@ -465,14 +496,13 @@ static int sctp_v6_to_addr_param(const union sctp_addr *addr,
        return length;
 }
-/* Initialize a sctp_addr from a dst_entry. */
+/* Initialize a sctp_addr from struct in6_addr. */
-static void sctp_v6_dst_saddr(union sctp_addr *addr, struct dst_entry *dst,
+static void sctp_v6_to_addr(union sctp_addr *addr, struct in6_addr *saddr,
                              __be16 port)
 {
-        struct rt6_info *rt = (struct rt6_info *)dst;
        addr->sa.sa_family = AF_INET6;
        addr->v6.sin6_port = port;
-        ipv6_addr_copy(&addr->v6.sin6_addr, &rt->rt6i_src.addr);
+        ipv6_addr_copy(&addr->v6.sin6_addr, saddr);
 }
 /* Compare addresses exactly.
@@ -531,7 +561,7 @@ static int sctp_v6_is_any(const union sctp_addr *addr)
 static int sctp_v6_available(union sctp_addr *addr, struct sctp_sock *sp)
 {
        int type;
-        struct in6_addr *in6 = (struct in6_addr *)&addr->v6.sin6_addr;
+        const struct in6_addr *in6 = (const struct in6_addr *)&addr->v6.sin6_addr;
        type = ipv6_addr_type(in6);
        if (IPV6_ADDR_ANY == type)
@@ -959,7 +989,6 @@ static struct sctp_af sctp_af_inet6 = {
        .to_sk_daddr       = sctp_v6_to_sk_daddr,
        .from_addr_param   = sctp_v6_from_addr_param,
        .to_addr_param     = sctp_v6_to_addr_param,
-        .dst_saddr         = sctp_v6_dst_saddr,
        .cmp_addr          = sctp_v6_cmp_addr,
        .scope             = sctp_v6_scope,
        .addr_valid        = sctp_v6_addr_valid,
diff --git a/net/sctp/output.c b/net/sctp/output.c
index 60600d337a3a..b4f3cf06d8da 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -510,7 +510,7 @@ int sctp_packet_transmit(struct sctp_packet *packet)
                sh->checksum = sctp_end_cksum(crc32);
        } else {
                if (dst->dev->features & NETIF_F_SCTP_CSUM) {
-                        /* no need to seed psuedo checksum for SCTP */
+                        /* no need to seed pseudo checksum for SCTP */
                        nskb->ip_summed = CHECKSUM_PARTIAL;
                        nskb->csum_start = (skb_transport_header(nskb) -
                                            nskb->head);
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 8c6d379b4bb6..1c88c8911dc5 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -131,7 +131,8 @@ static inline int sctp_cacc_skip_3_1_d(struct sctp_transport *primary,
 static inline int sctp_cacc_skip_3_1_f(struct sctp_transport *transport,
                                       int count_of_newacks)
 {
-        if (count_of_newacks < 2 && !transport->cacc.cacc_saw_newack)
+        if (count_of_newacks < 2 &&
+                        (transport && !transport->cacc.cacc_saw_newack))
                return 1;
        return 0;
 }
@@ -177,13 +178,13 @@ static inline int sctp_cacc_skip_3_2(struct sctp_transport *primary, __u32 tsn)
 * 3) If the missing report count for TSN t is to be
 * incremented according to [RFC2960] and
 * [SCTP_STEWART-2002], and CHANGEOVER_ACTIVE is set,
- * then the sender MUST futher execute steps 3.1 and
+ * then the sender MUST further execute steps 3.1 and
 * 3.2 to determine if the missing report count for
 * TSN t SHOULD NOT be incremented.
 *
 * 3.3) If 3.1 and 3.2 do not dictate that the missing
 * report count for t should not be incremented, then
- * the sender SOULD increment missing report count for
+ * the sender SHOULD increment missing report count for
 * t (according to [RFC2960] and [SCTP_STEWART_2002]).
 */
 static inline int sctp_cacc_skip(struct sctp_transport *primary,
@@ -319,7 +320,6 @@ int sctp_outq_tail(struct sctp_outq *q, struct sctp_chunk *chunk)
                 * chunk.
                 */
                switch (q->asoc->state) {
-                case SCTP_STATE_EMPTY:
                case SCTP_STATE_CLOSED:
                case SCTP_STATE_SHUTDOWN_PENDING:
                case SCTP_STATE_SHUTDOWN_SENT:
@@ -545,13 +545,11 @@ static int sctp_outq_flush_rtx(struct sctp_outq *q, struct sctp_packet *pkt,
        struct sctp_transport *transport = pkt->transport;
        sctp_xmit_t status;
        struct sctp_chunk *chunk, *chunk1;
-        struct sctp_association *asoc;
        int fast_rtx;
        int error = 0;
        int timer = 0;
        int done = 0;
-        asoc = q->asoc;
        lqueue = &q->retransmit;
        fast_rtx = q->fast_rtx;
@@ -579,6 +577,13 @@ static int sctp_outq_flush_rtx(struct sctp_outq *q, struct sctp_packet *pkt,
         * try to send as much as possible.
         */
        list_for_each_entry_safe(chunk, chunk1, lqueue, transmitted_list) {
+                /* If the chunk is abandoned, move it to abandoned list. */
+                if (sctp_chunk_abandoned(chunk)) {
+                        list_del_init(&chunk->transmitted_list);
+                        sctp_insert_list(&q->abandoned,
+                                         &chunk->transmitted_list);
+                        continue;
+                }
                /* Make sure that Gap Acked TSNs are not retransmitted.  A
                 * simple approach is just to move such TSNs out of the
@@ -620,9 +625,12 @@ redo:
                        /* If we are retransmitting, we should only
                         * send a single packet.
+                         * Otherwise, try appending this chunk again.
                         */
                        if (rtx_timeout || fast_rtx)
                                done = 1;
+                        else
+                                goto redo;
                        /* Bundle next chunk in the next round.  */
                        break;
@@ -845,7 +853,7 @@ static int sctp_outq_flush(struct sctp_outq *q, int rtx_timeout)
                case SCTP_CID_ECN_CWR:
                case SCTP_CID_ASCONF_ACK:
                        one_packet = 1;
-                        /* Fall throught */
+                        /* Fall through */
                case SCTP_CID_SACK:
                case SCTP_CID_HEARTBEAT:
@@ -1685,8 +1693,9 @@ static void sctp_mark_missing(struct sctp_outq *q,
                        /* SFR-CACC may require us to skip marking
                         * this chunk as missing.
                         */
-                        if (!transport || !sctp_cacc_skip(primary, transport,
+                        if (!transport || !sctp_cacc_skip(primary,
-                                            count_of_newacks, tsn)) {
+                                                chunk->transport,
+                                                count_of_newacks, tsn)) {
                                chunk->tsn_missing_report++;
                                SCTP_DEBUG_PRINTK(
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index e58f9476f29c..67380a29e2e9 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -230,13 +230,6 @@ static void sctp_free_local_addr_list(void)
        }
 }
-void sctp_local_addr_free(struct rcu_head *head)
-{
-        struct sctp_sockaddr_entry *e = container_of(head,
-                                struct sctp_sockaddr_entry, rcu);
-        kfree(e);
-}
 /* Copy the local addresses which are valid for 'scope' into 'bp'.  */
 int sctp_copy_local_addr_list(struct sctp_bind_addr *bp, sctp_scope_t scope,
                              gfp_t gfp, int copy_flags)
@@ -339,13 +332,12 @@ static int sctp_v4_to_addr_param(const union sctp_addr *addr,
 }
 /* Initialize a sctp_addr from a dst_entry. */
-static void sctp_v4_dst_saddr(union sctp_addr *saddr, struct dst_entry *dst,
+static void sctp_v4_dst_saddr(union sctp_addr *saddr, struct flowi4 *fl4,
                              __be16 port)
 {
-        struct rtable *rt = (struct rtable *)dst;
        saddr->v4.sin_family = AF_INET;
        saddr->v4.sin_port = port;
-        saddr->v4.sin_addr.s_addr = rt->rt_src;
+        saddr->v4.sin_addr.s_addr = fl4->saddr;
 }
 /* Compare two addresses exactly. */
@@ -463,37 +455,38 @@ static sctp_scope_t sctp_v4_scope(union sctp_addr *addr)
 * addresses. If an association is passed, trys to get a dst entry with a
 * source address that matches an address in the bind address list.
 */
-static struct dst_entry *sctp_v4_get_dst(struct sctp_association *asoc,
+static void sctp_v4_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
-                                         union sctp_addr *daddr,
+                                struct flowi *fl, struct sock *sk)
-                                         union sctp_addr *saddr)
 {
+        struct sctp_association *asoc = t->asoc;
        struct rtable *rt;
-        struct flowi fl;
+        struct flowi4 *fl4 = &fl->u.ip4;
        struct sctp_bind_addr *bp;
        struct sctp_sockaddr_entry *laddr;
        struct dst_entry *dst = NULL;
+        union sctp_addr *daddr = &t->ipaddr;
        union sctp_addr dst_saddr;
-        memset(&fl, 0x0, sizeof(struct flowi));
+        memset(fl4, 0x0, sizeof(struct flowi4));
-        fl.fl4_dst  = daddr->v4.sin_addr.s_addr;
+        fl4->daddr  = daddr->v4.sin_addr.s_addr;
-        fl.fl_ip_dport = daddr->v4.sin_port;
+        fl4->fl4_dport = daddr->v4.sin_port;
-        fl.proto = IPPROTO_SCTP;
+        fl4->flowi4_proto = IPPROTO_SCTP;
        if (asoc) {
-                fl.fl4_tos = RT_CONN_FLAGS(asoc->base.sk);
+                fl4->flowi4_tos = RT_CONN_FLAGS(asoc->base.sk);
-                fl.oif = asoc->base.sk->sk_bound_dev_if;
+                fl4->flowi4_oif = asoc->base.sk->sk_bound_dev_if;
-                fl.fl_ip_sport = htons(asoc->base.bind_addr.port);
+                fl4->fl4_sport = htons(asoc->base.bind_addr.port);
        }
        if (saddr) {
-                fl.fl4_src = saddr->v4.sin_addr.s_addr;
+                fl4->saddr = saddr->v4.sin_addr.s_addr;
-                fl.fl_ip_sport = saddr->v4.sin_port;
+                fl4->fl4_sport = saddr->v4.sin_port;
        }
        SCTP_DEBUG_PRINTK("%s: DST:%pI4, SRC:%pI4 - ",
-                          __func__, &fl.fl4_dst, &fl.fl4_src);
+                          __func__, &fl4->daddr, &fl4->saddr);
-        if (!ip_route_output_key(&init_net, &rt, &fl)) {
+        rt = ip_route_output_key(&init_net, fl4);
+        if (!IS_ERR(rt))
                dst = &rt->dst;
-        }
        /* If there is no association or if a source address is passed, no
         * more validation is required.
@@ -507,7 +500,7 @@ static struct dst_entry *sctp_v4_get_dst(struct sctp_association *asoc,
                /* Walk through the bind address list and look for a bind
                 * address that matches the source address of the returned dst.
                 */
-                sctp_v4_dst_saddr(&dst_saddr, dst, htons(bp->port));
+                sctp_v4_dst_saddr(&dst_saddr, fl4, htons(bp->port));
                rcu_read_lock();
                list_for_each_entry_rcu(laddr, &bp->address_list, list) {
                        if (!laddr->valid || (laddr->state != SCTP_ADDR_SRC))
@@ -533,9 +526,10 @@ static struct dst_entry *sctp_v4_get_dst(struct sctp_association *asoc,
                        continue;
                if ((laddr->state == SCTP_ADDR_SRC) &&
                    (AF_INET == laddr->a.sa.sa_family)) {
-                        fl.fl4_src = laddr->a.v4.sin_addr.s_addr;
+                        fl4->saddr = laddr->a.v4.sin_addr.s_addr;
-                        fl.fl_ip_sport = laddr->a.v4.sin_port;
+                        fl4->fl4_sport = laddr->a.v4.sin_port;
-                        if (!ip_route_output_key(&init_net, &rt, &fl)) {
+                        rt = ip_route_output_key(&init_net, fl4);
+                        if (!IS_ERR(rt)) {
                                dst = &rt->dst;
                                goto out_unlock;
                        }
@@ -545,33 +539,27 @@ static struct dst_entry *sctp_v4_get_dst(struct sctp_association *asoc,
 out_unlock:
        rcu_read_unlock();
 out:
+        t->dst = dst;
        if (dst)
                SCTP_DEBUG_PRINTK("rt_dst:%pI4, rt_src:%pI4\n",
-                                  &rt->rt_dst, &rt->rt_src);
+                                  &fl4->daddr, &fl4->saddr);
        else
                SCTP_DEBUG_PRINTK("NO ROUTE\n");
-        return dst;
 }
 /* For v4, the source address is cached in the route entry(dst). So no need
 * to cache it separately and hence this is an empty routine.
 */
 static void sctp_v4_get_saddr(struct sctp_sock *sk,
-                              struct sctp_association *asoc,
+                              struct sctp_transport *t,
-                              struct dst_entry *dst,
+                              struct flowi *fl)
-                              union sctp_addr *daddr,
-                              union sctp_addr *saddr)
 {
-        struct rtable *rt = (struct rtable *)dst;
+        union sctp_addr *saddr = &t->saddr;
+        struct rtable *rt = (struct rtable *)t->dst;
-        if (!asoc)
-                return;
        if (rt) {
                saddr->v4.sin_family = AF_INET;
-                saddr->v4.sin_port = htons(asoc->base.bind_addr.port);
+                saddr->v4.sin_addr.s_addr = fl->u.ip4.saddr;
-                saddr->v4.sin_addr.s_addr = rt->rt_src;
        }
 }
@@ -680,7 +668,7 @@ static int sctp_inetaddr_event(struct notifier_block *this, unsigned long ev,
                }
                spin_unlock_bh(&sctp_local_addr_lock);
                if (found)
-                        call_rcu(&addr->rcu, sctp_local_addr_free);
+                        kfree_rcu(addr, rcu);
                break;
        }
@@ -853,14 +841,14 @@ static inline int sctp_v4_xmit(struct sk_buff *skb,
        SCTP_DEBUG_PRINTK("%s: skb:%p, len:%d, src:%pI4, dst:%pI4\n",
                          __func__, skb, skb->len,
-                          &skb_rtable(skb)->rt_src,
+                          &transport->fl.u.ip4.saddr,
-                          &skb_rtable(skb)->rt_dst);
+                          &transport->fl.u.ip4.daddr);
        inet->pmtudisc = transport->param_flags & SPP_PMTUD_ENABLE ?
                         IP_PMTUDISC_DO : IP_PMTUDISC_DONT;
        SCTP_INC_STATS(SCTP_MIB_OUTSCTPPACKS);
-        return ip_queue_xmit(skb);
+        return ip_queue_xmit(skb, &transport->fl);
 }
 static struct sctp_af sctp_af_inet;
@@ -949,7 +937,6 @@ static struct sctp_af sctp_af_inet = {
        .to_sk_daddr       = sctp_v4_to_sk_daddr,
        .from_addr_param   = sctp_v4_from_addr_param,
        .to_addr_param     = sctp_v4_to_addr_param,
-        .dst_saddr         = sctp_v4_dst_saddr,
        .cmp_addr          = sctp_v4_cmp_addr,
        .addr_valid        = sctp_v4_addr_valid,
        .inaddr_any        = sctp_v4_inaddr_any,
@@ -1204,7 +1191,7 @@ SCTP_STATIC __init int sctp_init(void)
                if ((sctp_assoc_hashsize > (64 * 1024)) && order > 0)
                        continue;
                sctp_assoc_hashtable = (struct sctp_hashbucket *)
-                                        __get_free_pages(GFP_ATOMIC, order);
+                        __get_free_pages(GFP_ATOMIC|__GFP_NOWARN, order);
        } while (!sctp_assoc_hashtable && --order > 0);
        if (!sctp_assoc_hashtable) {
                pr_err("Failed association hash alloc\n");
@@ -1237,7 +1224,7 @@ SCTP_STATIC __init int sctp_init(void)
                if ((sctp_port_hashsize > (64 * 1024)) && order > 0)
                        continue;
                sctp_port_hashtable = (struct sctp_bind_hashbucket *)
-                                        __get_free_pages(GFP_ATOMIC, order);
+                        __get_free_pages(GFP_ATOMIC|__GFP_NOWARN, order);
        } while (!sctp_port_hashtable && --order > 0);
        if (!sctp_port_hashtable) {
                pr_err("Failed bind hash alloc\n");
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index b23428f3c0dd..58eb27fed4b4 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1075,20 +1075,28 @@ nodata:
 /* Make a HEARTBEAT chunk.  */
 struct sctp_chunk *sctp_make_heartbeat(const struct sctp_association *asoc,
-                                  const struct sctp_transport *transport,
+                                  const struct sctp_transport *transport)
-                                  const void *payload, const size_t paylen)
 {
-        struct sctp_chunk *retval = sctp_make_chunk(asoc, SCTP_CID_HEARTBEAT,
+        struct sctp_chunk *retval;
-                                                    0, paylen);
+        sctp_sender_hb_info_t hbinfo;
+        retval = sctp_make_chunk(asoc, SCTP_CID_HEARTBEAT, 0, sizeof(hbinfo));
        if (!retval)
                goto nodata;
+        hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO;
+        hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t));
+        hbinfo.daddr = transport->ipaddr;
+        hbinfo.sent_at = jiffies;
+        hbinfo.hb_nonce = transport->hb_nonce;
        /* Cast away the 'const', as this is just telling the chunk
         * what transport it belongs to.
         */
        retval->transport = (struct sctp_transport *) transport;
-        retval->subh.hbs_hdr = sctp_addto_chunk(retval, paylen, payload);
+        retval->subh.hbs_hdr = sctp_addto_chunk(retval, sizeof(hbinfo),
+                                                &hbinfo);
 nodata:
        return retval;
@@ -2242,14 +2250,17 @@ int sctp_verify_init(const struct sctp_association *asoc,
 * Returns 0 on failure, else success.
 * FIXME:  This is an association method.
 */
-int sctp_process_init(struct sctp_association *asoc, sctp_cid_t cid,
+int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
                      const union sctp_addr *peer_addr,
                      sctp_init_chunk_t *peer_init, gfp_t gfp)
 {
        union sctp_params param;
        struct sctp_transport *transport;
        struct list_head *pos, *temp;
+        struct sctp_af *af;
+        union sctp_addr addr;
        char *cookie;
+        int src_match = 0;
        /* We must include the address that the INIT packet came from.
         * This is the only address that matters for an INIT packet.
@@ -2261,18 +2272,31 @@ int sctp_process_init(struct sctp_association *asoc, sctp_cid_t cid,
         * added as the primary transport.  The source address seems to
         * be a a better choice than any of the embedded addresses.
         */
-        if (peer_addr) {
+        if(!sctp_assoc_add_peer(asoc, peer_addr, gfp, SCTP_ACTIVE))
-                if(!sctp_assoc_add_peer(asoc, peer_addr, gfp, SCTP_ACTIVE))
+                goto nomem;
-                        goto nomem;
-        }
+        if (sctp_cmp_addr_exact(sctp_source(chunk), peer_addr))
+                src_match = 1;
        /* Process the initialization parameters.  */
        sctp_walk_params(param, peer_init, init_hdr.params) {
+                if (!src_match && (param.p->type == SCTP_PARAM_IPV4_ADDRESS ||
+                    param.p->type == SCTP_PARAM_IPV6_ADDRESS)) {
+                        af = sctp_get_af_specific(param_type2af(param.p->type));
+                        af->from_addr_param(&addr, param.addr,
+                                            chunk->sctp_hdr->source, 0);
+                        if (sctp_cmp_addr_exact(sctp_source(chunk), &addr))
+                                src_match = 1;
+                }
                if (!sctp_process_param(asoc, param, peer_addr, gfp))
                        goto clean_up;
        }
+        /* source address of chunk may not match any valid address */
+        if (!src_match)
+                goto clean_up;
        /* AUTH: After processing the parameters, make sure that we
         * have all the required info to potentially do authentications.
         */
@@ -2923,7 +2947,7 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
            asconf_param->param_hdr.type != SCTP_PARAM_SET_PRIMARY)
                return SCTP_ERROR_UNKNOWN_PARAM;
-        switch (addr_param->v4.param_hdr.type) {
+        switch (addr_param->p.type) {
        case SCTP_PARAM_IPV6_ADDRESS:
                if (!asoc->peer.ipv6_address)
                        return SCTP_ERROR_DNS_FAILED;
@@ -2936,7 +2960,7 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
                return SCTP_ERROR_DNS_FAILED;
        }
-        af = sctp_get_af_specific(param_type2af(addr_param->v4.param_hdr.type));
+        af = sctp_get_af_specific(param_type2af(addr_param->p.type));
        if (unlikely(!af))
                return SCTP_ERROR_DNS_FAILED;
@@ -3100,16 +3124,16 @@ struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc,
        /* Skip the address parameter and store a pointer to the first
         * asconf parameter.
         */
-        length = ntohs(addr_param->v4.param_hdr.length);
+        length = ntohs(addr_param->p.length);
        asconf_param = (sctp_addip_param_t *)((void *)addr_param + length);
        chunk_len -= length;
        /* create an ASCONF_ACK chunk.
         * Based on the definitions of parameters, we know that the size of
-         * ASCONF_ACK parameters are less than or equal to the twice of ASCONF
+         * ASCONF_ACK parameters are less than or equal to the fourfold of ASCONF
         * parameters.
         */
-        asconf_ack = sctp_make_asconf_ack(asoc, serial, chunk_len * 2);
+        asconf_ack = sctp_make_asconf_ack(asoc, serial, chunk_len * 4);
        if (!asconf_ack)
                goto done;
@@ -3177,7 +3201,7 @@ static void sctp_asconf_param_success(struct sctp_association *asoc,
                        ((void *)asconf_param + sizeof(sctp_addip_param_t));
        /* We have checked the packet before, so we do not check again. */
-        af = sctp_get_af_specific(param_type2af(addr_param->v4.param_hdr.type));
+        af = sctp_get_af_specific(param_type2af(addr_param->p.type));
        af->from_addr_param(&addr, addr_param, htons(bp->port), 0);
        switch (asconf_param->param_hdr.type) {
@@ -3193,11 +3217,8 @@ static void sctp_asconf_param_success(struct sctp_association *asoc,
                local_bh_enable();
                list_for_each_entry(transport, &asoc->peer.transport_addr_list,
                                transports) {
-                        if (transport->state == SCTP_ACTIVE)
-                                continue;
                        dst_release(transport->dst);
-                        sctp_transport_route(transport, NULL,
+                        transport->dst = NULL;
-                                             sctp_sk(asoc->base.sk));
                }
                break;
        case SCTP_PARAM_DEL_IP:
@@ -3207,8 +3228,7 @@ static void sctp_asconf_param_success(struct sctp_association *asoc,
                list_for_each_entry(transport, &asoc->peer.transport_addr_list,
                                transports) {
                        dst_release(transport->dst);
-                        sctp_transport_route(transport, NULL,
+                        transport->dst = NULL;
-                                             sctp_sk(asoc->base.sk));
                }
                break;
        default:
@@ -3304,7 +3324,7 @@ int sctp_process_asconf_ack(struct sctp_association *asoc,
        /* Skip the address parameter in the last asconf sent and store a
         * pointer to the first asconf parameter.
         */
-        length = ntohs(addr_param->v4.param_hdr.length);
+        length = ntohs(addr_param->p.length);
        asconf_param = (sctp_addip_param_t *)((void *)addr_param + length);
        asconf_len -= length;
@@ -3375,7 +3395,6 @@ struct sctp_chunk *sctp_make_fwdtsn(const struct sctp_association *asoc,
                                    struct sctp_fwdtsn_skip *skiplist)
 {
        struct sctp_chunk *retval = NULL;
-        struct sctp_fwdtsn_chunk *ftsn_chunk;
        struct sctp_fwdtsn_hdr ftsn_hdr;
        struct sctp_fwdtsn_skip skip;
        size_t hint;
@@ -3388,8 +3407,6 @@ struct sctp_chunk *sctp_make_fwdtsn(const struct sctp_association *asoc,
        if (!retval)
                return NULL;
-        ftsn_chunk = (struct sctp_fwdtsn_chunk *)retval->subh.fwdtsn_hdr;
        ftsn_hdr.new_cum_tsn = htonl(new_cum_tsn);
        retval->subh.fwdtsn_hdr =
                sctp_addto_chunk(retval, sizeof(ftsn_hdr), &ftsn_hdr);
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index b21b218d564f..d612ca1ca6c0 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -482,7 +482,7 @@ static void sctp_do_8_2_transport_strike(struct sctp_association *asoc,
         * If the timer was a heartbeat, we only increment error counts
         * when we already have an outstanding HEARTBEAT that has not
         * been acknowledged.
-         * Additionaly, some tranport states inhibit error increments.
+         * Additionally, some tranport states inhibit error increments.
         */
        if (!is_hb) {
                asoc->overall_error_count++;
@@ -595,8 +595,7 @@ static int sctp_cmd_process_init(sctp_cmd_seq_t *commands,
         * fail during INIT processing (due to malloc problems),
         * just return the error and stop processing the stack.
         */
-        if (!sctp_process_init(asoc, chunk->chunk_hdr->type,
+        if (!sctp_process_init(asoc, chunk, sctp_source(chunk), peer_init, gfp))
-                               sctp_source(chunk), peer_init, gfp))
                error = -ENOMEM;
        else
                error = 0;
@@ -1415,12 +1414,6 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
                                        SCTP_RTXR_T3_RTX);
                        break;
-                case SCTP_CMD_TRANSMIT:
-                        /* Kick start transmission. */
-                        error = sctp_outq_uncork(&asoc->outqueue);
-                        local_cork = 0;
-                        break;
                case SCTP_CMD_ECN_CE:
                        /* Do delayed CE processing.   */
                        sctp_do_ecn_ce_work(asoc, cmd->obj.u32);
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 4b4eb7c96bbd..7f4a4f8368ee 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -393,8 +393,7 @@ sctp_disposition_t sctp_sf_do_5_1B_init(const struct sctp_endpoint *ep,
                goto nomem_init;
        /* The call, sctp_process_init(), can fail on memory allocation.  */
-        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
+        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
-                               sctp_source(chunk),
                               (sctp_init_chunk_t *)chunk->chunk_hdr,
                               GFP_ATOMIC))
                goto nomem_init;
@@ -551,7 +550,7 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(const struct sctp_endpoint *ep,
                 *
                 * This means that if we only want to abort associations
                 * in an authenticated way (i.e AUTH+ABORT), then we
-                 * can't destroy this association just becuase the packet
+                 * can't destroy this association just because the packet
                 * was malformed.
                 */
                if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
@@ -725,7 +724,7 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(const struct sctp_endpoint *ep,
         */
        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
-        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
+        if (!sctp_process_init(new_asoc, chunk,
                               &chunk->subh.cookie_hdr->c.peer_addr,
                               peer_init, GFP_ATOMIC))
                goto nomem_init;
@@ -942,18 +941,9 @@ static sctp_disposition_t sctp_sf_heartbeat(const struct sctp_endpoint *ep,
 {
        struct sctp_transport *transport = (struct sctp_transport *) arg;
        struct sctp_chunk *reply;
-        sctp_sender_hb_info_t hbinfo;
-        size_t paylen = 0;
-        hbinfo.param_hdr.type = SCTP_PARAM_HEARTBEAT_INFO;
-        hbinfo.param_hdr.length = htons(sizeof(sctp_sender_hb_info_t));
-        hbinfo.daddr = transport->ipaddr;
-        hbinfo.sent_at = jiffies;
-        hbinfo.hb_nonce = transport->hb_nonce;
        /* Send a heartbeat to our peer.  */
-        paylen = sizeof(sctp_sender_hb_info_t);
+        reply = sctp_make_heartbeat(asoc, transport);
-        reply = sctp_make_heartbeat(asoc, transport, &hbinfo, paylen);
        if (!reply)
                return SCTP_DISPOSITION_NOMEM;
@@ -1464,8 +1454,7 @@ static sctp_disposition_t sctp_sf_do_unexpected_init(
         * Verification Tag and Peers Verification tag into a reserved
         * place (local tie-tag and per tie-tag) within the state cookie.
         */
-        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
+        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk),
-                               sctp_source(chunk),
                               (sctp_init_chunk_t *)chunk->chunk_hdr,
                               GFP_ATOMIC))
                goto nomem;
@@ -1546,7 +1535,7 @@ cleanup:
 }
 /*
- * Handle simultanous INIT.
+ * Handle simultaneous INIT.
 * This means we started an INIT and then we got an INIT request from
 * our peer.
 *
@@ -1694,8 +1683,7 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(const struct sctp_endpoint *ep,
         */
        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
-        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
+        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
-                               sctp_source(chunk), peer_init,
                               GFP_ATOMIC))
                goto nomem;
@@ -1780,8 +1768,7 @@ static sctp_disposition_t sctp_sf_do_dupcook_b(const struct sctp_endpoint *ep,
         * side effects--it is safe to run them here.
         */
        peer_init = &chunk->subh.cookie_hdr->c.peer_init[0];
-        if (!sctp_process_init(new_asoc, chunk->chunk_hdr->type,
+        if (!sctp_process_init(new_asoc, chunk, sctp_source(chunk), peer_init,
-                               sctp_source(chunk), peer_init,
                               GFP_ATOMIC))
                goto nomem;
@@ -2079,7 +2066,7 @@ sctp_disposition_t sctp_sf_shutdown_pending_abort(
         * RFC 2960, Section 3.3.7
         *    If an endpoint receives an ABORT with a format error or for an
         *    association that doesn't exist, it MUST silently discard it.
-         * Becasue the length is "invalid", we can't really discard just
+         * Because the length is "invalid", we can't really discard just
         * as we do not know its true length.  So, to be safe, discard the
         * packet.
         */
@@ -2120,7 +2107,7 @@ sctp_disposition_t sctp_sf_shutdown_sent_abort(const struct sctp_endpoint *ep,
         * RFC 2960, Section 3.3.7
         *    If an endpoint receives an ABORT with a format error or for an
         *    association that doesn't exist, it MUST silently discard it.
-         * Becasue the length is "invalid", we can't really discard just
+         * Because the length is "invalid", we can't really discard just
         * as we do not know its true length.  So, to be safe, discard the
         * packet.
         */
@@ -2381,7 +2368,7 @@ sctp_disposition_t sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
         * RFC 2960, Section 3.3.7
         *    If an endpoint receives an ABORT with a format error or for an
         *    association that doesn't exist, it MUST silently discard it.
-         * Becasue the length is "invalid", we can't really discard just
+         * Because the length is "invalid", we can't really discard just
         * as we do not know its true length.  So, to be safe, discard the
         * packet.
         */
@@ -2412,8 +2399,15 @@ static sctp_disposition_t __sctp_sf_do_9_1_abort(const struct sctp_endpoint *ep,
        /* See if we have an error cause code in the chunk.  */
        len = ntohs(chunk->chunk_hdr->length);
-        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr))
+        if (len >= sizeof(struct sctp_chunkhdr) + sizeof(struct sctp_errhdr)) {
+                sctp_errhdr_t *err;
+                sctp_walk_errors(err, chunk->chunk_hdr);
+                if ((void *)err != (void *)chunk->chunk_end)
+                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
                error = ((sctp_errhdr_t *)chunk->skb->data)->cause;
+        }
        sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNRESET));
        /* ASSOC_FAILED will DELETE_TCB. */
@@ -2448,7 +2442,7 @@ sctp_disposition_t sctp_sf_cookie_wait_abort(const struct sctp_endpoint *ep,
         * RFC 2960, Section 3.3.7
         *    If an endpoint receives an ABORT with a format error or for an
         *    association that doesn't exist, it MUST silently discard it.
-         * Becasue the length is "invalid", we can't really discard just
+         * Because the length is "invalid", we can't really discard just
         * as we do not know its true length.  So, to be safe, discard the
         * packet.
         */
@@ -3204,6 +3198,7 @@ sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep,
                                        sctp_cmd_seq_t *commands)
 {
        struct sctp_chunk *chunk = arg;
+        sctp_errhdr_t *err;
        if (!sctp_vtag_verify(chunk, asoc))
                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
@@ -3212,6 +3207,10 @@ sctp_disposition_t sctp_sf_operr_notify(const struct sctp_endpoint *ep,
        if (!sctp_chunk_length_valid(chunk, sizeof(sctp_operr_chunk_t)))
                return sctp_sf_violation_chunklen(ep, asoc, type, arg,
                                                  commands);
+        sctp_walk_errors(err, chunk->chunk_hdr);
+        if ((void *)err != (void *)chunk->chunk_end)
+                return sctp_sf_violation_paramlen(ep, asoc, type, arg,
+                                                  (void *)err, commands);
        sctp_add_cmd_sf(commands, SCTP_CMD_PROCESS_OPERR,
                        SCTP_CHUNK(chunk));
@@ -3320,8 +3319,10 @@ sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
        struct sctp_chunk *chunk = arg;
        struct sk_buff *skb = chunk->skb;
        sctp_chunkhdr_t *ch;
+        sctp_errhdr_t *err;
        __u8 *ch_end;
        int ootb_shut_ack = 0;
+        int ootb_cookie_ack = 0;
        SCTP_INC_STATS(SCTP_MIB_OUTOFBLUES);
@@ -3346,6 +3347,23 @@ sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
                if (SCTP_CID_ABORT == ch->type)
                        return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
+                /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR
+                 * or a COOKIE ACK the SCTP Packet should be silently
+                 * discarded.
+                 */
+                if (SCTP_CID_COOKIE_ACK == ch->type)
+                        ootb_cookie_ack = 1;
+                if (SCTP_CID_ERROR == ch->type) {
+                        sctp_walk_errors(err, ch) {
+                                if (SCTP_ERROR_STALE_COOKIE == err->cause) {
+                                        ootb_cookie_ack = 1;
+                                        break;
+                                }
+                        }
+                }
                /* Report violation if chunk len overflows */
                ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
                if (ch_end > skb_tail_pointer(skb))
@@ -3357,6 +3375,8 @@ sctp_disposition_t sctp_sf_ootb(const struct sctp_endpoint *ep,
        if (ootb_shut_ack)
                return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands);
+        else if (ootb_cookie_ack)
+                return sctp_sf_pdiscard(ep, asoc, type, arg, commands);
        else
                return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands);
 }
@@ -3855,7 +3875,7 @@ gen_shutdown:
 }
 /*
- * SCTP-AUTH Section 6.3 Receving authenticated chukns
+ * SCTP-AUTH Section 6.3 Receiving authenticated chukns
 *
 *    The receiver MUST use the HMAC algorithm indicated in the HMAC
 *    Identifier field.  If this algorithm was not specified by the
@@ -4231,7 +4251,7 @@ static sctp_disposition_t sctp_sf_abort_violation(
         *
         * This means that if we only want to abort associations
         * in an authenticated way (i.e AUTH+ABORT), then we
-         * can't destroy this association just becuase the packet
+         * can't destroy this association just because the packet
         * was malformed.
         */
        if (sctp_auth_recv_cid(SCTP_CID_ABORT, asoc))
@@ -4343,8 +4363,9 @@ static sctp_disposition_t sctp_sf_violation_chunklen(
 /*
 * Handle a protocol violation when the parameter length is invalid.
- * "Invalid" length is identified as smaller than the minimal length a
+ * If the length is smaller than the minimum length of a given parameter,
- * given parameter can be.
+ * or accumulated length in multi parameters exceeds the end of the chunk,
+ * the length is considered as invalid.
 */
 static sctp_disposition_t sctp_sf_violation_paramlen(
                                     const struct sctp_endpoint *ep,
@@ -4402,9 +4423,9 @@ static sctp_disposition_t sctp_sf_violation_ctsn(
 }
 /* Handle protocol violation of an invalid chunk bundling.  For example,
- * when we have an association and we recieve bundled INIT-ACK, or
+ * when we have an association and we receive bundled INIT-ACK, or
 * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle"
- * statement from the specs.  Additinally, there might be an attacker
+ * statement from the specs.  Additionally, there might be an attacker
 * on the path and we may not want to continue this communication.
 */
 static sctp_disposition_t sctp_sf_violation_chunk(
@@ -5056,6 +5077,30 @@ sctp_disposition_t sctp_sf_ignore_primitive(
 ***************************************************************************/
 /*
+ * When the SCTP stack has no more user data to send or retransmit, this
+ * notification is given to the user. Also, at the time when a user app
+ * subscribes to this event, if there is no data to be sent or
+ * retransmit, the stack will immediately send up this notification.
+ */
+sctp_disposition_t sctp_sf_do_no_pending_tsn(
+        const struct sctp_endpoint *ep,
+        const struct sctp_association *asoc,
+        const sctp_subtype_t type,
+        void *arg,
+        sctp_cmd_seq_t *commands)
+{
+        struct sctp_ulpevent *event;
+        event = sctp_ulpevent_make_sender_dry_event(asoc, GFP_ATOMIC);
+        if (!event)
+                return SCTP_DISPOSITION_NOMEM;
+        sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(event));
+        return SCTP_DISPOSITION_CONSUME;
+}
+/*
 * Start the shutdown negotiation.
 *
 * From Section 9.2:
diff --git a/net/sctp/sm_statetable.c b/net/sctp/sm_statetable.c
index 546d4387fb3c..0338dc6fdc9d 100644
--- a/net/sctp/sm_statetable.c
+++ b/net/sctp/sm_statetable.c
@@ -107,8 +107,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 #define TYPE_SCTP_FUNC(func) {.fn = func, .name = #func}
 #define TYPE_SCTP_DATA { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -128,8 +126,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_DATA */
 #define TYPE_SCTP_INIT { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_do_5_1B_init), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -149,8 +145,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_INIT */
 #define TYPE_SCTP_INIT_ACK { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_do_5_2_3_initack), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -170,8 +164,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_INIT_ACK */
 #define TYPE_SCTP_SACK { \
-        /*  SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -191,8 +183,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_SACK */
 #define TYPE_SCTP_HEARTBEAT { \
-        /*  SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -213,8 +203,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_HEARTBEAT */
 #define TYPE_SCTP_HEARTBEAT_ACK { \
-        /*  SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -234,8 +222,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_HEARTBEAT_ACK */
 #define TYPE_SCTP_ABORT { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_pdiscard), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -255,8 +241,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_ABORT */
 #define TYPE_SCTP_SHUTDOWN { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -276,8 +260,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_SHUTDOWN */
 #define TYPE_SCTP_SHUTDOWN_ACK { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -297,8 +279,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_SHUTDOWN_ACK */
 #define TYPE_SCTP_ERROR { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -318,8 +298,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_ERROR */
 #define TYPE_SCTP_COOKIE_ECHO { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_do_5_1D_ce), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -339,8 +317,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_COOKIE_ECHO */
 #define TYPE_SCTP_COOKIE_ACK { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -360,8 +336,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_COOKIE_ACK */
 #define TYPE_SCTP_ECN_ECNE { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -381,8 +355,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_ECN_ECNE */
 #define TYPE_SCTP_ECN_CWR { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -402,8 +374,6 @@ const sctp_sm_table_entry_t *sctp_sm_lookup_event(sctp_event_t event_type,
 } /* TYPE_SCTP_ECN_CWR */
 #define TYPE_SCTP_SHUTDOWN_COMPLETE { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -446,8 +416,6 @@ static const sctp_sm_table_entry_t chunk_event_table[SCTP_NUM_BASE_CHUNK_TYPES][
 }; /* state_fn_t chunk_event_table[][] */
 #define TYPE_SCTP_ASCONF { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -467,8 +435,6 @@ static const sctp_sm_table_entry_t chunk_event_table[SCTP_NUM_BASE_CHUNK_TYPES][
 } /* TYPE_SCTP_ASCONF */
 #define TYPE_SCTP_ASCONF_ACK { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -496,8 +462,6 @@ static const sctp_sm_table_entry_t addip_chunk_event_table[SCTP_NUM_ADDIP_CHUNK_
 }; /*state_fn_t addip_chunk_event_table[][] */
 #define TYPE_SCTP_FWD_TSN { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -524,8 +488,6 @@ static const sctp_sm_table_entry_t prsctp_chunk_event_table[SCTP_NUM_PRSCTP_CHUN
 }; /*state_fn_t prsctp_chunk_event_table[][] */
 #define TYPE_SCTP_AUTH { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ootb), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -553,8 +515,6 @@ static const sctp_sm_table_entry_t auth_chunk_event_table[SCTP_NUM_AUTH_CHUNK_TY
 static const sctp_sm_table_entry_t
 chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
-        /* SCTP_STATE_EMPTY */
-        TYPE_SCTP_FUNC(sctp_sf_ootb),
        /* SCTP_STATE_CLOSED */
        TYPE_SCTP_FUNC(sctp_sf_ootb),
        /* SCTP_STATE_COOKIE_WAIT */
@@ -575,8 +535,6 @@ chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
 #define TYPE_SCTP_PRIMITIVE_ASSOCIATE  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_do_prm_asoc), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -596,8 +554,6 @@ chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
 } /* TYPE_SCTP_PRIMITIVE_ASSOCIATE */
 #define TYPE_SCTP_PRIMITIVE_SHUTDOWN  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_error_closed), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -617,8 +573,6 @@ chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
 } /* TYPE_SCTP_PRIMITIVE_SHUTDOWN */
 #define TYPE_SCTP_PRIMITIVE_ABORT  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_error_closed), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -638,8 +592,6 @@ chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
 } /* TYPE_SCTP_PRIMITIVE_ABORT */
 #define TYPE_SCTP_PRIMITIVE_SEND  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_error_closed), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -659,8 +611,6 @@ chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
 } /* TYPE_SCTP_PRIMITIVE_SEND */
 #define TYPE_SCTP_PRIMITIVE_REQUESTHEARTBEAT  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_error_closed), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -680,8 +630,6 @@ chunk_event_table_unknown[SCTP_STATE_NUM_STATES] = {
 } /* TYPE_SCTP_PRIMITIVE_REQUESTHEARTBEAT */
 #define TYPE_SCTP_PRIMITIVE_ASCONF { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_error_closed), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -713,8 +661,6 @@ static const sctp_sm_table_entry_t primitive_event_table[SCTP_NUM_PRIMITIVE_TYPE
 };
 #define TYPE_SCTP_OTHER_NO_PENDING_TSN  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ignore_other), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -722,7 +668,7 @@ static const sctp_sm_table_entry_t primitive_event_table[SCTP_NUM_PRIMITIVE_TYPE
        /* SCTP_STATE_COOKIE_ECHOED */ \
        TYPE_SCTP_FUNC(sctp_sf_ignore_other), \
        /* SCTP_STATE_ESTABLISHED */ \
-        TYPE_SCTP_FUNC(sctp_sf_ignore_other), \
+        TYPE_SCTP_FUNC(sctp_sf_do_no_pending_tsn), \
        /* SCTP_STATE_SHUTDOWN_PENDING */ \
        TYPE_SCTP_FUNC(sctp_sf_do_9_2_start_shutdown), \
        /* SCTP_STATE_SHUTDOWN_SENT */ \
@@ -734,8 +680,6 @@ static const sctp_sm_table_entry_t primitive_event_table[SCTP_NUM_PRIMITIVE_TYPE
 }
 #define TYPE_SCTP_OTHER_ICMP_PROTO_UNREACH  { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_ignore_other), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -760,8 +704,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 };
 #define TYPE_SCTP_EVENT_TIMEOUT_NONE { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -781,8 +723,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_T1_COOKIE { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -802,8 +742,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_T1_INIT { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -823,8 +761,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_T2_SHUTDOWN { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -844,8 +780,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_T3_RTX { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -865,8 +799,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_T4_RTO { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -886,8 +818,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_T5_SHUTDOWN_GUARD { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -907,8 +837,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_HEARTBEAT { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -928,8 +856,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_SACK { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_bug), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
@@ -949,8 +875,6 @@ static const sctp_sm_table_entry_t other_event_table[SCTP_NUM_OTHER_TYPES][SCTP_
 }
 #define TYPE_SCTP_EVENT_TIMEOUT_AUTOCLOSE { \
-        /* SCTP_STATE_EMPTY */ \
-        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_CLOSED */ \
        TYPE_SCTP_FUNC(sctp_sf_timer_ignore), \
        /* SCTP_STATE_COOKIE_WAIT */ \
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 8e02550ff3e8..6766913a53e6 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -658,11 +658,15 @@ static int sctp_bindx_rem(struct sock *sk, struct sockaddr *addrs, int addrcnt)
                        goto err_bindx_rem;
                }
-                if (sa_addr->v4.sin_port != htons(bp->port)) {
+                if (sa_addr->v4.sin_port &&
+                    sa_addr->v4.sin_port != htons(bp->port)) {
                        retval = -EINVAL;
                        goto err_bindx_rem;
                }
+                if (!sa_addr->v4.sin_port)
+                        sa_addr->v4.sin_port = htons(bp->port);
                /* FIXME - There is probably a need to check if sk->sk_saddr and
                 * sk->sk_rcv_addr are currently set to one of the addresses to
                 * be removed. This is something which needs to be looked into
@@ -1193,7 +1197,7 @@ out_free:
 * an endpoint that is multi-homed.  Much like sctp_bindx() this call
 * allows a caller to specify multiple addresses at which a peer can be
 * reached.  The way the SCTP stack uses the list of addresses to set up
- * the association is implementation dependant.  This function only
+ * the association is implementation dependent.  This function only
 * specifies that the stack will try to make use of all the addresses in
 * the list when needed.
 *
@@ -1492,7 +1496,7 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
        struct sctp_chunk *chunk;
        union sctp_addr to;
        struct sockaddr *msg_name = NULL;
-        struct sctp_sndrcvinfo default_sinfo = { 0 };
+        struct sctp_sndrcvinfo default_sinfo;
        struct sctp_sndrcvinfo *sinfo;
        struct sctp_initmsg *sinit;
        sctp_assoc_t associd = 0;
@@ -1756,6 +1760,7 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
                /* If the user didn't specify SNDRCVINFO, make up one with
                 * some defaults.
                 */
+                memset(&default_sinfo, 0, sizeof(default_sinfo));
                default_sinfo.sinfo_stream = asoc->default_stream;
                default_sinfo.sinfo_flags = asoc->default_flags;
                default_sinfo.sinfo_ppid = asoc->default_ppid;
@@ -1786,12 +1791,10 @@ SCTP_STATIC int sctp_sendmsg(struct kiocb *iocb, struct sock *sk,
                goto out_free;
        }
-        if (sinfo) {
+        /* Check for invalid stream. */
-                /* Check for invalid stream. */
+        if (sinfo->sinfo_stream >= asoc->c.sinit_num_ostreams) {
-                if (sinfo->sinfo_stream >= asoc->c.sinit_num_ostreams) {
+                err = -EINVAL;
-                        err = -EINVAL;
+                goto out_free;
-                        goto out_free;
-                }
        }
        timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
@@ -2283,7 +2286,7 @@ static int sctp_apply_peer_addr_params(struct sctp_paddrparams *params,
                        trans->param_flags =
                                (trans->param_flags & ~SPP_PMTUD) | pmtud_change;
                        if (update) {
-                                sctp_transport_pmtu(trans);
+                                sctp_transport_pmtu(trans, sctp_opt2sk(sp));
                                sctp_assoc_sync_pmtu(asoc);
                        }
                } else if (asoc) {
@@ -2928,7 +2931,6 @@ static int sctp_setsockopt_peer_primary_addr(struct sock *sk, char __user *optva
                                             unsigned int optlen)
 {
        struct sctp_sock        *sp;
-        struct sctp_endpoint    *ep;
        struct sctp_association *asoc = NULL;
        struct sctp_setpeerprim prim;
        struct sctp_chunk       *chunk;
@@ -2936,7 +2938,6 @@ static int sctp_setsockopt_peer_primary_addr(struct sock *sk, char __user *optva
        int                     err;
        sp = sctp_sk(sk);
-        ep = sp->ep;
        if (!sctp_addip_enable)
                return -EPERM;
@@ -3217,14 +3218,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
        if (optlen < sizeof(struct sctp_hmacalgo))
                return -EINVAL;
-        hmacs = kmalloc(optlen, GFP_KERNEL);
+        hmacs= memdup_user(optval, optlen);
-        if (!hmacs)
+        if (IS_ERR(hmacs))
-                return -ENOMEM;
+                return PTR_ERR(hmacs);
-        if (copy_from_user(hmacs, optval, optlen)) {
-                err = -EFAULT;
-                goto out;
-        }
        idents = hmacs->shmac_num_idents;
        if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
@@ -3259,14 +3255,9 @@ static int sctp_setsockopt_auth_key(struct sock *sk,
        if (optlen <= sizeof(struct sctp_authkey))
                return -EINVAL;
-        authkey = kmalloc(optlen, GFP_KERNEL);
+        authkey= memdup_user(optval, optlen);
-        if (!authkey)
+        if (IS_ERR(authkey))
-                return -ENOMEM;
+                return PTR_ERR(authkey);
-        if (copy_from_user(authkey, optval, optlen)) {
-                ret = -EFAULT;
-                goto out;
-        }
        if (authkey->sca_keylength > optlen - sizeof(struct sctp_authkey)) {
                ret = -EINVAL;
@@ -5285,6 +5276,55 @@ static int sctp_getsockopt_assoc_number(struct sock *sk, int len,
        return 0;
 }
+/*
+ * 8.2.6. Get the Current Identifiers of Associations
+ *        (SCTP_GET_ASSOC_ID_LIST)
+ *
+ * This option gets the current list of SCTP association identifiers of
+ * the SCTP associations handled by a one-to-many style socket.
+ */
+static int sctp_getsockopt_assoc_ids(struct sock *sk, int len,
+                                    char __user *optval, int __user *optlen)
+{
+        struct sctp_sock *sp = sctp_sk(sk);
+        struct sctp_association *asoc;
+        struct sctp_assoc_ids *ids;
+        u32 num = 0;
+        if (sctp_style(sk, TCP))
+                return -EOPNOTSUPP;
+        if (len < sizeof(struct sctp_assoc_ids))
+                return -EINVAL;
+        list_for_each_entry(asoc, &(sp->ep->asocs), asocs) {
+                num++;
+        }
+        if (len < sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num)
+                return -EINVAL;
+        len = sizeof(struct sctp_assoc_ids) + sizeof(sctp_assoc_t) * num;
+        ids = kmalloc(len, GFP_KERNEL);
+        if (unlikely(!ids))
+                return -ENOMEM;
+        ids->gaids_number_of_ids = num;
+        num = 0;
+        list_for_each_entry(asoc, &(sp->ep->asocs), asocs) {
+                ids->gaids_assoc_id[num++] = asoc->assoc_id;
+        }
+        if (put_user(len, optlen) || copy_to_user(optval, ids, len)) {
+                kfree(ids);
+                return -EFAULT;
+        }
+        kfree(ids);
+        return 0;
+}
 SCTP_STATIC int sctp_getsockopt(struct sock *sk, int level, int optname,
                                char __user *optval, int __user *optlen)
 {
@@ -5417,6 +5457,9 @@ SCTP_STATIC int sctp_getsockopt(struct sock *sk, int level, int optname,
        case SCTP_GET_ASSOC_NUMBER:
                retval = sctp_getsockopt_assoc_number(sk, len, optval, optlen);
                break;
+        case SCTP_GET_ASSOC_ID_LIST:
+                retval = sctp_getsockopt_assoc_ids(sk, len, optval, optlen);
+                break;
        default:
                retval = -ENOPROTOOPT;
                break;
@@ -6102,15 +6145,16 @@ static void __sctp_write_space(struct sctp_association *asoc)
                        wake_up_interruptible(&asoc->wait);
                if (sctp_writeable(sk)) {
-                        if (sk_sleep(sk) && waitqueue_active(sk_sleep(sk)))
+                        wait_queue_head_t *wq = sk_sleep(sk);
-                                wake_up_interruptible(sk_sleep(sk));
+                        if (wq && waitqueue_active(wq))
+                                wake_up_interruptible(wq);
                        /* Note that we try to include the Async I/O support
                         * here by modeling from the current TCP/UDP code.
                         * We have not tested with it yet.
                         */
-                        if (sock->wq->fasync_list &&
+                        if (!(sk->sk_shutdown & SEND_SHUTDOWN))
-                            !(sk->sk_shutdown & SEND_SHUTDOWN))
                                sock_wake_async(sock,
                                                SOCK_WAKE_SPACE, POLL_OUT);
                }
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index d3ae493d234a..394c57ca2f54 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -211,15 +211,17 @@ void sctp_transport_set_owner(struct sctp_transport *transport,
 }
 /* Initialize the pmtu of a transport. */
-void sctp_transport_pmtu(struct sctp_transport *transport)
+void sctp_transport_pmtu(struct sctp_transport *transport, struct sock *sk)
 {
-        struct dst_entry *dst;
+        /* If we don't have a fresh route, look one up */
+        if (!transport->dst || transport->dst->obsolete > 1) {
-        dst = transport->af_specific->get_dst(NULL, &transport->ipaddr, NULL);
+                dst_release(transport->dst);
+                transport->af_specific->get_dst(transport, &transport->saddr,
+                                                &transport->fl, sk);
+        }
-        if (dst) {
+        if (transport->dst) {
-                transport->pathmtu = dst_mtu(dst);
+                transport->pathmtu = dst_mtu(transport->dst);
-                dst_release(dst);
        } else
                transport->pathmtu = SCTP_DEFAULT_MAXSEGMENT;
 }
@@ -270,22 +272,19 @@ void sctp_transport_route(struct sctp_transport *transport,
 {
        struct sctp_association *asoc = transport->asoc;
        struct sctp_af *af = transport->af_specific;
-        union sctp_addr *daddr = &transport->ipaddr;
-        struct dst_entry *dst;
-        dst = af->get_dst(asoc, daddr, saddr);
+        af->get_dst(transport, saddr, &transport->fl, sctp_opt2sk(opt));
        if (saddr)
                memcpy(&transport->saddr, saddr, sizeof(union sctp_addr));
        else
-                af->get_saddr(opt, asoc, dst, daddr, &transport->saddr);
+                af->get_saddr(opt, transport, &transport->fl);
-        transport->dst = dst;
        if ((transport->param_flags & SPP_PMTUD_DISABLE) && transport->pathmtu) {
                return;
        }
-        if (dst) {
+        if (transport->dst) {
-                transport->pathmtu = dst_mtu(dst);
+                transport->pathmtu = dst_mtu(transport->dst);
                /* Initialize sk->sk_rcv_saddr, if the transport is the
                 * association's active path for getsockname().
diff --git a/net/sctp/tsnmap.c b/net/sctp/tsnmap.c
index 747d5412c463..f1e40cebc981 100644
--- a/net/sctp/tsnmap.c
+++ b/net/sctp/tsnmap.c
@@ -344,7 +344,7 @@ __u16 sctp_tsnmap_num_gabs(struct sctp_tsnmap *map,
        /* Refresh the gap ack information. */
        if (sctp_tsnmap_has_gap(map)) {
-                __u16 start, end;
+                __u16 start = 0, end = 0;
                sctp_tsnmap_iter_init(map, &iter);
                while (sctp_tsnmap_next_gap_ack(map, &iter,
                                                &start,
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
index aa72e89c3ee1..e70e5fc87890 100644
--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -554,7 +554,7 @@ struct sctp_ulpevent *sctp_ulpevent_make_send_failed(
        memcpy(&ssf->ssf_info, &chunk->sinfo, sizeof(struct sctp_sndrcvinfo));
        /* Per TSVWG discussion with Randy. Allow the application to
-         * ressemble a fragmented message.
+         * reassemble a fragmented message.
         */
        ssf->ssf_info.sinfo_flags = chunk->chunk_hdr->flags;
@@ -843,7 +843,7 @@ struct sctp_ulpevent *sctp_ulpevent_make_authkey(
        ak = (struct sctp_authkey_event *)
                skb_put(skb, sizeof(struct sctp_authkey_event));
-        ak->auth_type = SCTP_AUTHENTICATION_INDICATION;
+        ak->auth_type = SCTP_AUTHENTICATION_EVENT;
        ak->auth_flags = 0;
        ak->auth_length = sizeof(struct sctp_authkey_event);
@@ -862,6 +862,34 @@ fail:
        return NULL;
 }
+/*
+ * Socket Extensions for SCTP
+ * 6.3.10. SCTP_SENDER_DRY_EVENT
+ */
+struct sctp_ulpevent *sctp_ulpevent_make_sender_dry_event(
+        const struct sctp_association *asoc, gfp_t gfp)
+{
+        struct sctp_ulpevent *event;
+        struct sctp_sender_dry_event *sdry;
+        struct sk_buff *skb;
+        event = sctp_ulpevent_new(sizeof(struct sctp_sender_dry_event),
+                                  MSG_NOTIFICATION, gfp);
+        if (!event)
+                return NULL;
+        skb = sctp_event2skb(event);
+        sdry = (struct sctp_sender_dry_event *)
+                skb_put(skb, sizeof(struct sctp_sender_dry_event));
+        sdry->sender_dry_type = SCTP_SENDER_DRY_EVENT;
+        sdry->sender_dry_flags = 0;
+        sdry->sender_dry_length = sizeof(struct sctp_sender_dry_event);
+        sctp_ulpevent_set_owner(event, asoc);
+        sdry->sender_dry_assoc_id = sctp_assoc2id(asoc);
+        return event;
+}
 /* Return the notification type, assuming this is a notification
 * event.
diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
index c7f7e49609cb..f2d1de7f2ffb 100644
--- a/net/sctp/ulpqueue.c
+++ b/net/sctp/ulpqueue.c
@@ -105,11 +105,8 @@ int sctp_ulpq_tail_data(struct sctp_ulpq *ulpq, struct sctp_chunk *chunk,
                        gfp_t gfp)
 {
        struct sk_buff_head temp;
-        sctp_data_chunk_t *hdr;
        struct sctp_ulpevent *event;
-        hdr = (sctp_data_chunk_t *) chunk->chunk_hdr;
        /* Create an event from the incoming chunk. */
        event = sctp_ulpevent_make_rcvmsg(chunk->asoc, chunk, gfp);
        if (!event)
@@ -243,7 +240,7 @@ int sctp_ulpq_tail_event(struct sctp_ulpq *ulpq, struct sctp_ulpevent *event)
                } else {
                        /*
                         * If fragment interleave is enabled, we
-                         * can queue this to the recieve queue instead
+                         * can queue this to the receive queue instead
                         * of the lobby.
                         */
                        if (sctp_sk(sk)->frag_interleave)
@@ -743,11 +740,9 @@ static void sctp_ulpq_retrieve_ordered(struct sctp_ulpq *ulpq,
        struct sk_buff *pos, *tmp;
        struct sctp_ulpevent *cevent;
        struct sctp_stream *in;
-        __u16 sid, csid;
+        __u16 sid, csid, cssn;
-        __u16 ssn, cssn;
        sid = event->stream;
-        ssn = event->ssn;
        in  = &ulpq->asoc->ssnmap->in;
        event_list = (struct sk_buff_head *) sctp_event2skb(event)->prev;
diff --git a/net/socket.c b/net/socket.c
index ac2219f90d5d..02dc82db3d23 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -240,17 +240,19 @@ static struct kmem_cache *sock_inode_cachep __read_mostly;
 static struct inode *sock_alloc_inode(struct super_block *sb)
 {
        struct socket_alloc *ei;
+        struct socket_wq *wq;
        ei = kmem_cache_alloc(sock_inode_cachep, GFP_KERNEL);
        if (!ei)
                return NULL;
-        ei->socket.wq = kmalloc(sizeof(struct socket_wq), GFP_KERNEL);
+        wq = kmalloc(sizeof(*wq), GFP_KERNEL);
-        if (!ei->socket.wq) {
+        if (!wq) {
                kmem_cache_free(sock_inode_cachep, ei);
                return NULL;
        }
-        init_waitqueue_head(&ei->socket.wq->wait);
+        init_waitqueue_head(&wq->wait);
-        ei->socket.wq->fasync_list = NULL;
+        wq->fasync_list = NULL;
+        RCU_INIT_POINTER(ei->socket.wq, wq);
        ei->socket.state = SS_UNCONNECTED;
        ei->socket.flags = 0;
@@ -261,21 +263,14 @@ static struct inode *sock_alloc_inode(struct super_block *sb)
        return &ei->vfs_inode;
 }
-static void wq_free_rcu(struct rcu_head *head)
-{
-        struct socket_wq *wq = container_of(head, struct socket_wq, rcu);
-        kfree(wq);
-}
 static void sock_destroy_inode(struct inode *inode)
 {
        struct socket_alloc *ei;
+        struct socket_wq *wq;
        ei = container_of(inode, struct socket_alloc, vfs_inode);
-        call_rcu(&ei->socket.wq->rcu, wq_free_rcu);
+        wq = rcu_dereference_protected(ei->socket.wq, 1);
+        kfree_rcu(wq, rcu);
        kmem_cache_free(sock_inode_cachep, ei);
 }
@@ -524,7 +519,7 @@ void sock_release(struct socket *sock)
                module_put(owner);
        }
-        if (sock->wq->fasync_list)
+        if (rcu_dereference_protected(sock->wq, 1)->fasync_list)
                printk(KERN_ERR "sock_release: fasync list not empty!\n");
        percpu_sub(sockets_in_use, 1);
@@ -547,11 +542,10 @@ int sock_tx_timestamp(struct sock *sk, __u8 *tx_flags)
 }
 EXPORT_SYMBOL(sock_tx_timestamp);
-static inline int __sock_sendmsg(struct kiocb *iocb, struct socket *sock,
+static inline int __sock_sendmsg_nosec(struct kiocb *iocb, struct socket *sock,
-                                 struct msghdr *msg, size_t size)
+                                       struct msghdr *msg, size_t size)
 {
        struct sock_iocb *si = kiocb_to_siocb(iocb);
-        int err;
        sock_update_classid(sock->sk);
@@ -560,13 +554,17 @@ static inline int __sock_sendmsg(struct kiocb *iocb, struct socket *sock,
        si->msg = msg;
        si->size = size;
-        err = security_socket_sendmsg(sock, msg, size);
-        if (err)
-                return err;
        return sock->ops->sendmsg(iocb, sock, msg, size);
 }
+static inline int __sock_sendmsg(struct kiocb *iocb, struct socket *sock,
+                                 struct msghdr *msg, size_t size)
+{
+        int err = security_socket_sendmsg(sock, msg, size);
+        return err ?: __sock_sendmsg_nosec(iocb, sock, msg, size);
+}
 int sock_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
 {
        struct kiocb iocb;
@@ -582,6 +580,20 @@ int sock_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
 }
 EXPORT_SYMBOL(sock_sendmsg);
+int sock_sendmsg_nosec(struct socket *sock, struct msghdr *msg, size_t size)
+{
+        struct kiocb iocb;
+        struct sock_iocb siocb;
+        int ret;
+        init_sync_kiocb(&iocb, NULL);
+        iocb.private = &siocb;
+        ret = __sock_sendmsg_nosec(&iocb, sock, msg, size);
+        if (-EIOCBQUEUED == ret)
+                ret = wait_on_sync_kiocb(&iocb);
+        return ret;
+}
 int kernel_sendmsg(struct socket *sock, struct msghdr *msg,
                   struct kvec *vec, size_t num, size_t size)
 {
@@ -1108,15 +1120,16 @@ static int sock_fasync(int fd, struct file *filp, int on)
 {
        struct socket *sock = filp->private_data;
        struct sock *sk = sock->sk;
+        struct socket_wq *wq;
        if (sk == NULL)
                return -EINVAL;
        lock_sock(sk);
+        wq = rcu_dereference_protected(sock->wq, sock_owned_by_user(sk));
+        fasync_helper(fd, filp, on, &wq->fasync_list);
-        fasync_helper(fd, filp, on, &sock->wq->fasync_list);
+        if (!wq->fasync_list)
-        if (!sock->wq->fasync_list)
                sock_reset_flag(sk, SOCK_FASYNC);
        else
                sock_set_flag(sk, SOCK_FASYNC);
@@ -1858,57 +1871,47 @@ SYSCALL_DEFINE2(shutdown, int, fd, int, how)
 #define COMPAT_NAMELEN(msg)     COMPAT_MSG(msg, msg_namelen)
 #define COMPAT_FLAGS(msg)       COMPAT_MSG(msg, msg_flags)
-/*
+static int __sys_sendmsg(struct socket *sock, struct msghdr __user *msg,
- *      BSD sendmsg interface
+                         struct msghdr *msg_sys, unsigned flags, int nosec)
- */
-SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
 {
        struct compat_msghdr __user *msg_compat =
            (struct compat_msghdr __user *)msg;
-        struct socket *sock;
        struct sockaddr_storage address;
        struct iovec iovstack[UIO_FASTIOV], *iov = iovstack;
        unsigned char ctl[sizeof(struct cmsghdr) + 20]
            __attribute__ ((aligned(sizeof(__kernel_size_t))));
        /* 20 is size of ipv6_pktinfo */
        unsigned char *ctl_buf = ctl;
-        struct msghdr msg_sys;
        int err, ctl_len, iov_size, total_len;
-        int fput_needed;
        err = -EFAULT;
        if (MSG_CMSG_COMPAT & flags) {
-                if (get_compat_msghdr(&msg_sys, msg_compat))
+                if (get_compat_msghdr(msg_sys, msg_compat))
                        return -EFAULT;
-        } else if (copy_from_user(&msg_sys, msg, sizeof(struct msghdr)))
+        } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr)))
                return -EFAULT;
-        sock = sockfd_lookup_light(fd, &err, &fput_needed);
-        if (!sock)
-                goto out;
        /* do not move before msg_sys is valid */
        err = -EMSGSIZE;
-        if (msg_sys.msg_iovlen > UIO_MAXIOV)
+        if (msg_sys->msg_iovlen > UIO_MAXIOV)
-                goto out_put;
+                goto out;
        /* Check whether to allocate the iovec area */
        err = -ENOMEM;
-        iov_size = msg_sys.msg_iovlen * sizeof(struct iovec);
+        iov_size = msg_sys->msg_iovlen * sizeof(struct iovec);
-        if (msg_sys.msg_iovlen > UIO_FASTIOV) {
+        if (msg_sys->msg_iovlen > UIO_FASTIOV) {
                iov = sock_kmalloc(sock->sk, iov_size, GFP_KERNEL);
                if (!iov)
-                        goto out_put;
+                        goto out;
        }
        /* This will also move the address data into kernel space */
        if (MSG_CMSG_COMPAT & flags) {
-                err = verify_compat_iovec(&msg_sys, iov,
+                err = verify_compat_iovec(msg_sys, iov,
                                          (struct sockaddr *)&address,
                                          VERIFY_READ);
        } else
-                err = verify_iovec(&msg_sys, iov,
+                err = verify_iovec(msg_sys, iov,
                                   (struct sockaddr *)&address,
                                   VERIFY_READ);
        if (err < 0)
@@ -1917,17 +1920,17 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
        err = -ENOBUFS;
-        if (msg_sys.msg_controllen > INT_MAX)
+        if (msg_sys->msg_controllen > INT_MAX)
                goto out_freeiov;
-        ctl_len = msg_sys.msg_controllen;
+        ctl_len = msg_sys->msg_controllen;
        if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
                err =
-                    cmsghdr_from_user_compat_to_kern(&msg_sys, sock->sk, ctl,
+                    cmsghdr_from_user_compat_to_kern(msg_sys, sock->sk, ctl,
                                                     sizeof(ctl));
                if (err)
                        goto out_freeiov;
-                ctl_buf = msg_sys.msg_control;
+                ctl_buf = msg_sys->msg_control;
-                ctl_len = msg_sys.msg_controllen;
+                ctl_len = msg_sys->msg_controllen;
        } else if (ctl_len) {
                if (ctl_len > sizeof(ctl)) {
                        ctl_buf = sock_kmalloc(sock->sk, ctl_len, GFP_KERNEL);
@@ -1936,21 +1939,22 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
                }
                err = -EFAULT;
                /*
-                 * Careful! Before this, msg_sys.msg_control contains a user pointer.
+                 * Careful! Before this, msg_sys->msg_control contains a user pointer.
                 * Afterwards, it will be a kernel pointer. Thus the compiler-assisted
                 * checking falls down on this.
                 */
                if (copy_from_user(ctl_buf,
-                                   (void __user __force *)msg_sys.msg_control,
+                                   (void __user __force *)msg_sys->msg_control,
                                   ctl_len))
                        goto out_freectl;
-                msg_sys.msg_control = ctl_buf;
+                msg_sys->msg_control = ctl_buf;
        }
-        msg_sys.msg_flags = flags;
+        msg_sys->msg_flags = flags;
        if (sock->file->f_flags & O_NONBLOCK)
-                msg_sys.msg_flags |= MSG_DONTWAIT;
+                msg_sys->msg_flags |= MSG_DONTWAIT;
-        err = sock_sendmsg(sock, &msg_sys, total_len);
+        err = (nosec ? sock_sendmsg_nosec : sock_sendmsg)(sock, msg_sys,
+                                                          total_len);
 out_freectl:
        if (ctl_buf != ctl)
@@ -1958,12 +1962,114 @@ out_freectl:
 out_freeiov:
        if (iov != iovstack)
                sock_kfree_s(sock->sk, iov, iov_size);
-out_put:
+out:
+        return err;
+}
+/*
+ *      BSD sendmsg interface
+ */
+SYSCALL_DEFINE3(sendmsg, int, fd, struct msghdr __user *, msg, unsigned, flags)
+{
+        int fput_needed, err;
+        struct msghdr msg_sys;
+        struct socket *sock = sockfd_lookup_light(fd, &err, &fput_needed);
+        if (!sock)
+                goto out;
+        err = __sys_sendmsg(sock, msg, &msg_sys, flags, 0);
        fput_light(sock->file, fput_needed);
 out:
        return err;
 }
+/*
+ *      Linux sendmmsg interface
+ */
+int __sys_sendmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
+                   unsigned int flags)
+{
+        int fput_needed, err, datagrams;
+        struct socket *sock;
+        struct mmsghdr __user *entry;
+        struct compat_mmsghdr __user *compat_entry;
+        struct msghdr msg_sys;
+        datagrams = 0;
+        sock = sockfd_lookup_light(fd, &err, &fput_needed);
+        if (!sock)
+                return err;
+        err = sock_error(sock->sk);
+        if (err)
+                goto out_put;
+        entry = mmsg;
+        compat_entry = (struct compat_mmsghdr __user *)mmsg;
+        while (datagrams < vlen) {
+                /*
+                 * No need to ask LSM for more than the first datagram.
+                 */
+                if (MSG_CMSG_COMPAT & flags) {
+                        err = __sys_sendmsg(sock, (struct msghdr __user *)compat_entry,
+                                            &msg_sys, flags, datagrams);
+                        if (err < 0)
+                                break;
+                        err = __put_user(err, &compat_entry->msg_len);
+                        ++compat_entry;
+                } else {
+                        err = __sys_sendmsg(sock, (struct msghdr __user *)entry,
+                                            &msg_sys, flags, datagrams);
+                        if (err < 0)
+                                break;
+                        err = put_user(err, &entry->msg_len);
+                        ++entry;
+                }
+                if (err)
+                        break;
+                ++datagrams;
+        }
+out_put:
+        fput_light(sock->file, fput_needed);
+        if (err == 0)
+                return datagrams;
+        if (datagrams != 0) {
+                /*
+                 * We may send less entries than requested (vlen) if the
+                 * sock is non blocking...
+                 */
+                if (err != -EAGAIN) {
+                        /*
+                         * ... or if sendmsg returns an error after we
+                         * send some datagrams, where we record the
+                         * error to return on the next call or if the
+                         * app asks about it using getsockopt(SO_ERROR).
+                         */
+                        sock->sk->sk_err = -err;
+                }
+                return datagrams;
+        }
+        return err;
+}
+SYSCALL_DEFINE4(sendmmsg, int, fd, struct mmsghdr __user *, mmsg,
+                unsigned int, vlen, unsigned int, flags)
+{
+        return __sys_sendmmsg(fd, mmsg, vlen, flags);
+}
 static int __sys_recvmsg(struct socket *sock, struct msghdr __user *msg,
                         struct msghdr *msg_sys, unsigned flags, int nosec)
 {
@@ -2117,14 +2223,16 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen,
                 */
                if (MSG_CMSG_COMPAT & flags) {
                        err = __sys_recvmsg(sock, (struct msghdr __user *)compat_entry,
-                                            &msg_sys, flags, datagrams);
+                                            &msg_sys, flags & ~MSG_WAITFORONE,
+                                            datagrams);
                        if (err < 0)
                                break;
                        err = __put_user(err, &compat_entry->msg_len);
                        ++compat_entry;
                } else {
                        err = __sys_recvmsg(sock, (struct msghdr __user *)entry,
-                                            &msg_sys, flags, datagrams);
+                                            &msg_sys, flags & ~MSG_WAITFORONE,
+                                            datagrams);
                        if (err < 0)
                                break;
                        err = put_user(err, &entry->msg_len);
@@ -2209,11 +2317,11 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg,
 #ifdef __ARCH_WANT_SYS_SOCKETCALL
 /* Argument list sizes for sys_socketcall */
 #define AL(x) ((x) * sizeof(unsigned long))
-static const unsigned char nargs[20] = {
+static const unsigned char nargs[21] = {
        AL(0), AL(3), AL(3), AL(3), AL(2), AL(3),
        AL(3), AL(3), AL(4), AL(4), AL(4), AL(6),
        AL(6), AL(2), AL(5), AL(5), AL(3), AL(3),
-        AL(4), AL(5)
+        AL(4), AL(5), AL(4)
 };
 #undef AL
@@ -2233,7 +2341,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
        int err;
        unsigned int len;
-        if (call < 1 || call > SYS_RECVMMSG)
+        if (call < 1 || call > SYS_SENDMMSG)
                return -EINVAL;
        len = nargs[call];
@@ -2308,6 +2416,9 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args)
        case SYS_SENDMSG:
                err = sys_sendmsg(a0, (struct msghdr __user *)a1, a[2]);
                break;
+        case SYS_SENDMMSG:
+                err = sys_sendmmsg(a0, (struct mmsghdr __user *)a1, a[2], a[3]);
+                break;
        case SYS_RECVMSG:
                err = sys_recvmsg(a0, (struct msghdr __user *)a1, a[2]);
                break;
@@ -2583,23 +2694,123 @@ static int dev_ifconf(struct net *net, struct compat_ifconf __user *uifc32)
 static int ethtool_ioctl(struct net *net, struct compat_ifreq __user *ifr32)
 {
+        struct compat_ethtool_rxnfc __user *compat_rxnfc;
+        bool convert_in = false, convert_out = false;
+        size_t buf_size = ALIGN(sizeof(struct ifreq), 8);
+        struct ethtool_rxnfc __user *rxnfc;
        struct ifreq __user *ifr;
+        u32 rule_cnt = 0, actual_rule_cnt;
+        u32 ethcmd;
        u32 data;
-        void __user *datap;
+        int ret;
-        ifr = compat_alloc_user_space(sizeof(*ifr));
+        if (get_user(data, &ifr32->ifr_ifru.ifru_data))
+                return -EFAULT;
-        if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ))
+        compat_rxnfc = compat_ptr(data);
+        if (get_user(ethcmd, &compat_rxnfc->cmd))
                return -EFAULT;
-        if (get_user(data, &ifr32->ifr_ifru.ifru_data))
+        /* Most ethtool structures are defined without padding.
+         * Unfortunately struct ethtool_rxnfc is an exception.
+         */
+        switch (ethcmd) {
+        default:
+                break;
+        case ETHTOOL_GRXCLSRLALL:
+                /* Buffer size is variable */
+                if (get_user(rule_cnt, &compat_rxnfc->rule_cnt))
+                        return -EFAULT;
+                if (rule_cnt > KMALLOC_MAX_SIZE / sizeof(u32))
+                        return -ENOMEM;
+                buf_size += rule_cnt * sizeof(u32);
+                /* fall through */
+        case ETHTOOL_GRXRINGS:
+        case ETHTOOL_GRXCLSRLCNT:
+        case ETHTOOL_GRXCLSRULE:
+                convert_out = true;
+                /* fall through */
+        case ETHTOOL_SRXCLSRLDEL:
+        case ETHTOOL_SRXCLSRLINS:
+                buf_size += sizeof(struct ethtool_rxnfc);
+                convert_in = true;
+                break;
+        }
+        ifr = compat_alloc_user_space(buf_size);
+        rxnfc = (void *)ifr + ALIGN(sizeof(struct ifreq), 8);
+        if (copy_in_user(&ifr->ifr_name, &ifr32->ifr_name, IFNAMSIZ))
                return -EFAULT;
-        datap = compat_ptr(data);
+        if (put_user(convert_in ? rxnfc : compat_ptr(data),
-        if (put_user(datap, &ifr->ifr_ifru.ifru_data))
+                     &ifr->ifr_ifru.ifru_data))
                return -EFAULT;
-        return dev_ioctl(net, SIOCETHTOOL, ifr);
+        if (convert_in) {
+                /* We expect there to be holes between fs.m_ext and
+                 * fs.ring_cookie and at the end of fs, but nowhere else.
+                 */
+                BUILD_BUG_ON(offsetof(struct compat_ethtool_rxnfc, fs.m_ext) +
+                             sizeof(compat_rxnfc->fs.m_ext) !=
+                             offsetof(struct ethtool_rxnfc, fs.m_ext) +
+                             sizeof(rxnfc->fs.m_ext));
+                BUILD_BUG_ON(
+                        offsetof(struct compat_ethtool_rxnfc, fs.location) -
+                        offsetof(struct compat_ethtool_rxnfc, fs.ring_cookie) !=
+                        offsetof(struct ethtool_rxnfc, fs.location) -
+                        offsetof(struct ethtool_rxnfc, fs.ring_cookie));
+                if (copy_in_user(rxnfc, compat_rxnfc,
+                                 (void *)(&rxnfc->fs.m_ext + 1) -
+                                 (void *)rxnfc) ||
+                    copy_in_user(&rxnfc->fs.ring_cookie,
+                                 &compat_rxnfc->fs.ring_cookie,
+                                 (void *)(&rxnfc->fs.location + 1) -
+                                 (void *)&rxnfc->fs.ring_cookie) ||
+                    copy_in_user(&rxnfc->rule_cnt, &compat_rxnfc->rule_cnt,
+                                 sizeof(rxnfc->rule_cnt)))
+                        return -EFAULT;
+        }
+        ret = dev_ioctl(net, SIOCETHTOOL, ifr);
+        if (ret)
+                return ret;
+        if (convert_out) {
+                if (copy_in_user(compat_rxnfc, rxnfc,
+                                 (const void *)(&rxnfc->fs.m_ext + 1) -
+                                 (const void *)rxnfc) ||
+                    copy_in_user(&compat_rxnfc->fs.ring_cookie,
+                                 &rxnfc->fs.ring_cookie,
+                                 (const void *)(&rxnfc->fs.location + 1) -
+                                 (const void *)&rxnfc->fs.ring_cookie) ||
+                    copy_in_user(&compat_rxnfc->rule_cnt, &rxnfc->rule_cnt,
+                                 sizeof(rxnfc->rule_cnt)))
+                        return -EFAULT;
+                if (ethcmd == ETHTOOL_GRXCLSRLALL) {
+                        /* As an optimisation, we only copy the actual
+                         * number of rules that the underlying
+                         * function returned.  Since Mallory might
+                         * change the rule count in user memory, we
+                         * check that it is less than the rule count
+                         * originally given (as the user buffer size),
+                         * which has been range-checked.
+                         */
+                        if (get_user(actual_rule_cnt, &rxnfc->rule_cnt))
+                                return -EFAULT;
+                        if (actual_rule_cnt < rule_cnt)
+                                rule_cnt = actual_rule_cnt;
+                        if (copy_in_user(&compat_rxnfc->rule_locs[0],
+                                         &rxnfc->rule_locs[0],
+                                         rule_cnt * sizeof(u32)))
+                                return -EFAULT;
+                }
+        }
+        return 0;
 }
 static int compat_siocwandev(struct net *net, struct compat_ifreq __user *uifr32)
@@ -2643,7 +2854,8 @@ static int bond_ioctl(struct net *net, unsigned int cmd,
                old_fs = get_fs();
                set_fs(KERNEL_DS);
-                err = dev_ioctl(net, cmd, &kifr);
+                err = dev_ioctl(net, cmd,
+                                (struct ifreq __user __force *) &kifr);
                set_fs(old_fs);
                return err;
@@ -2752,7 +2964,7 @@ static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
        old_fs = get_fs();
        set_fs(KERNEL_DS);
-        err = dev_ioctl(net, cmd, (void __user *)&ifr);
+        err = dev_ioctl(net, cmd, (void  __user __force *)&ifr);
        set_fs(old_fs);
        if (cmd == SIOCGIFMAP && !err) {
@@ -2857,7 +3069,8 @@ static int routing_ioctl(struct net *net, struct socket *sock,
                ret |= __get_user(rtdev, &(ur4->rt_dev));
                if (rtdev) {
                        ret |= copy_from_user(devname, compat_ptr(rtdev), 15);
-                        r4.rt_dev = devname; devname[15] = 0;
+                        r4.rt_dev = (char __user __force *)devname;
+                        devname[15] = 0;
                } else
                        r4.rt_dev = NULL;
@@ -2879,7 +3092,7 @@ out:
 /* Since old style bridge ioctl's endup using SIOCDEVPRIVATE
 * for some operations; this forces use of the newer bridge-utils that
- * use compatiable ioctls
+ * use compatible ioctls
 */
 static int old_bridge_ioctl(compat_ulong_t __user *argp)
 {
diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig
index 8873fd8ddacd..b2198e65d8bb 100644
--- a/net/sunrpc/Kconfig
+++ b/net/sunrpc/Kconfig
@@ -18,14 +18,13 @@ config SUNRPC_XPRT_RDMA
          If unsure, say N.
 config RPCSEC_GSS_KRB5
-        tristate
+        tristate "Secure RPC: Kerberos V mechanism"
        depends on SUNRPC && CRYPTO
-        prompt "Secure RPC: Kerberos V mechanism" if !(NFS_V4 || NFSD_V4)
+        depends on CRYPTO_MD5 && CRYPTO_DES && CRYPTO_CBC && CRYPTO_CTS
+        depends on CRYPTO_ECB && CRYPTO_HMAC && CRYPTO_SHA1 && CRYPTO_AES
+        depends on CRYPTO_ARC4
        default y
        select SUNRPC_GSS
-        select CRYPTO_MD5
-        select CRYPTO_DES
-        select CRYPTO_CBC
        help
          Choose Y here to enable Secure RPC using the Kerberos version 5
          GSS-API mechanism (RFC 1964).
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 45dbf1521b9a..339ba64cce1e 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -417,7 +417,7 @@ static void gss_encode_v1_msg(struct gss_upcall_msg *gss_msg,
                gss_msg->msg.len += len;
        }
        if (mech->gm_upcall_enctypes) {
-                len = sprintf(p, mech->gm_upcall_enctypes);
+                len = sprintf(p, "enctypes=%s ", mech->gm_upcall_enctypes);
                p += len;
                gss_msg->msg.len += len;
        }
@@ -520,7 +520,7 @@ gss_refresh_upcall(struct rpc_task *task)
                warn_gssd();
                task->tk_timeout = 15*HZ;
                rpc_sleep_on(&pipe_version_rpc_waitqueue, task, NULL);
-                return 0;
+                return -EAGAIN;
        }
        if (IS_ERR(gss_msg)) {
                err = PTR_ERR(gss_msg);
@@ -563,10 +563,12 @@ retry:
        if (PTR_ERR(gss_msg) == -EAGAIN) {
                err = wait_event_interruptible_timeout(pipe_version_waitqueue,
                                pipe_version >= 0, 15*HZ);
+                if (pipe_version < 0) {
+                        warn_gssd();
+                        err = -EACCES;
+                }
                if (err)
                        goto out;
-                if (pipe_version < 0)
-                        warn_gssd();
                goto retry;
        }
        if (IS_ERR(gss_msg)) {
diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
index f375decc024b..0a9a2ec2e469 100644
--- a/net/sunrpc/auth_gss/gss_krb5_mech.c
+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
@@ -427,7 +427,7 @@ static int
 context_derive_keys_rc4(struct krb5_ctx *ctx)
 {
        struct crypto_hash *hmac;
-        static const char sigkeyconstant[] = "signaturekey";
+        char sigkeyconstant[] = "signaturekey";
        int slen = strlen(sigkeyconstant) + 1;  /* include null terminator */
        struct hash_desc desc;
        struct scatterlist sg[1];
@@ -750,7 +750,7 @@ static struct gss_api_mech gss_kerberos_mech = {
        .gm_ops         = &gss_kerberos_ops,
        .gm_pf_num      = ARRAY_SIZE(gss_kerberos_pfs),
        .gm_pfs         = gss_kerberos_pfs,
-        .gm_upcall_enctypes = "enctypes=18,17,16,23,3,1,2 ",
+        .gm_upcall_enctypes = "18,17,16,23,3,1,2",
 };
 static int __init init_kerberos_module(void)
diff --git a/net/sunrpc/auth_gss/gss_mech_switch.c b/net/sunrpc/auth_gss/gss_mech_switch.c
index 8b4061049d76..e3c36a274412 100644
--- a/net/sunrpc/auth_gss/gss_mech_switch.c
+++ b/net/sunrpc/auth_gss/gss_mech_switch.c
@@ -160,6 +160,28 @@ gss_mech_get_by_name(const char *name)
 EXPORT_SYMBOL_GPL(gss_mech_get_by_name);
+struct gss_api_mech *
+gss_mech_get_by_OID(struct xdr_netobj *obj)
+{
+        struct gss_api_mech     *pos, *gm = NULL;
+        spin_lock(&registered_mechs_lock);
+        list_for_each_entry(pos, &registered_mechs, gm_list) {
+                if (obj->len == pos->gm_oid.len) {
+                        if (0 == memcmp(obj->data, pos->gm_oid.data, obj->len)) {
+                                if (try_module_get(pos->gm_owner))
+                                        gm = pos;
+                                break;
+                        }
+                }
+        }
+        spin_unlock(&registered_mechs_lock);
+        return gm;
+}
+EXPORT_SYMBOL_GPL(gss_mech_get_by_OID);
 static inline int
 mech_supports_pseudoflavor(struct gss_api_mech *gm, u32 pseudoflavor)
 {
@@ -193,6 +215,22 @@ gss_mech_get_by_pseudoflavor(u32 pseudoflavor)
 EXPORT_SYMBOL_GPL(gss_mech_get_by_pseudoflavor);
+int gss_mech_list_pseudoflavors(rpc_authflavor_t *array_ptr)
+{
+        struct gss_api_mech *pos = NULL;
+        int i = 0;
+        spin_lock(&registered_mechs_lock);
+        list_for_each_entry(pos, &registered_mechs, gm_list) {
+                array_ptr[i] = pos->gm_pfs->pseudoflavor;
+                i++;
+        }
+        spin_unlock(&registered_mechs_lock);
+        return i;
+}
+EXPORT_SYMBOL_GPL(gss_mech_list_pseudoflavors);
 u32
 gss_svc_to_pseudoflavor(struct gss_api_mech *gm, u32 service)
 {
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index bcdae78fdfc6..8d0f7d3c71c8 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1101,7 +1101,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
        /* credential is:
         *   version(==1), proc(0,1,2,3), seq, service (1,2,3), handle
-         * at least 5 u32s, and is preceeded by length, so that makes 6.
+         * at least 5 u32s, and is preceded by length, so that makes 6.
         */
        if (argv->iov_len < 5 * 4)
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index 57d344cf2256..8d83f9d48713 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -436,7 +436,9 @@ void rpc_killall_tasks(struct rpc_clnt *clnt)
                if (!(rovr->tk_flags & RPC_TASK_KILLED)) {
                        rovr->tk_flags |= RPC_TASK_KILLED;
                        rpc_exit(rovr, -EIO);
-                        rpc_wake_up_queued_task(rovr->tk_waitqueue, rovr);
+                        if (RPC_IS_QUEUED(rovr))
+                                rpc_wake_up_queued_task(rovr->tk_waitqueue,
+                                                        rovr);
                }
        }
        spin_unlock(&clnt->cl_lock);
@@ -597,6 +599,14 @@ void rpc_task_set_client(struct rpc_task *task, struct rpc_clnt *clnt)
        }
 }
+void rpc_task_reset_client(struct rpc_task *task, struct rpc_clnt *clnt)
+{
+        rpc_task_release_client(task);
+        rpc_task_set_client(task, clnt);
+}
+EXPORT_SYMBOL_GPL(rpc_task_reset_client);
 static void
 rpc_task_set_rpc_message(struct rpc_task *task, const struct rpc_message *msg)
 {
@@ -636,12 +646,6 @@ struct rpc_task *rpc_run_task(const struct rpc_task_setup *task_setup_data)
        rpc_task_set_client(task, task_setup_data->rpc_client);
        rpc_task_set_rpc_message(task, task_setup_data->rpc_message);
-        if (task->tk_status != 0) {
-                int ret = task->tk_status;
-                rpc_put_task(task);
-                return ERR_PTR(ret);
-        }
        if (task->tk_action == NULL)
                rpc_call_start(task);
@@ -1504,7 +1508,10 @@ call_timeout(struct rpc_task *task)
                if (clnt->cl_chatty)
                        printk(KERN_NOTICE "%s: server %s not responding, timed out\n",
                                clnt->cl_protname, clnt->cl_server);
-                rpc_exit(task, -EIO);
+                if (task->tk_flags & RPC_TASK_TIMEOUT)
+                        rpc_exit(task, -ETIMEDOUT);
+                else
+                        rpc_exit(task, -EIO);
                return;
        }
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index 243fc09b164e..6b43ee7221d5 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -252,23 +252,37 @@ static void rpc_set_active(struct rpc_task *task)
 /*
 * Mark an RPC call as having completed by clearing the 'active' bit
+ * and then waking up all tasks that were sleeping.
 */
-static void rpc_mark_complete_task(struct rpc_task *task)
+static int rpc_complete_task(struct rpc_task *task)
 {
-        smp_mb__before_clear_bit();
+        void *m = &task->tk_runstate;
+        wait_queue_head_t *wq = bit_waitqueue(m, RPC_TASK_ACTIVE);
+        struct wait_bit_key k = __WAIT_BIT_KEY_INITIALIZER(m, RPC_TASK_ACTIVE);
+        unsigned long flags;
+        int ret;
+        spin_lock_irqsave(&wq->lock, flags);
        clear_bit(RPC_TASK_ACTIVE, &task->tk_runstate);
-        smp_mb__after_clear_bit();
+        ret = atomic_dec_and_test(&task->tk_count);
-        wake_up_bit(&task->tk_runstate, RPC_TASK_ACTIVE);
+        if (waitqueue_active(wq))
+                __wake_up_locked_key(wq, TASK_NORMAL, &k);
+        spin_unlock_irqrestore(&wq->lock, flags);
+        return ret;
 }
 /*
 * Allow callers to wait for completion of an RPC call
+ *
+ * Note the use of out_of_line_wait_on_bit() rather than wait_on_bit()
+ * to enforce taking of the wq->lock and hence avoid races with
+ * rpc_complete_task().
 */
 int __rpc_wait_for_completion_task(struct rpc_task *task, int (*action)(void *))
 {
        if (action == NULL)
                action = rpc_wait_bit_killable;
-        return wait_on_bit(&task->tk_runstate, RPC_TASK_ACTIVE,
+        return out_of_line_wait_on_bit(&task->tk_runstate, RPC_TASK_ACTIVE,
                        action, TASK_KILLABLE);
 }
 EXPORT_SYMBOL_GPL(__rpc_wait_for_completion_task);
@@ -285,15 +299,8 @@ static void rpc_make_runnable(struct rpc_task *task)
        if (rpc_test_and_set_running(task))
                return;
        if (RPC_IS_ASYNC(task)) {
-                int status;
                INIT_WORK(&task->u.tk_work, rpc_async_schedule);
-                status = queue_work(rpciod_workqueue, &task->u.tk_work);
+                queue_work(rpciod_workqueue, &task->u.tk_work);
-                if (status < 0) {
-                        printk(KERN_WARNING "RPC: failed to add task to queue: error: %d!\n", status);
-                        task->tk_status = status;
-                        return;
-                }
        } else
                wake_up_bit(&task->tk_runstate, RPC_TASK_QUEUED);
 }
@@ -623,14 +630,12 @@ static void __rpc_execute(struct rpc_task *task)
                        save_callback = task->tk_callback;
                        task->tk_callback = NULL;
                        save_callback(task);
-                }
+                } else {
+                        /*
-                /*
+                         * Perform the next FSM step.
-                 * Perform the next FSM step.
+                         * tk_action may be NULL when the task has been killed
-                 * tk_action may be NULL when the task has been killed
+                         * by someone else.
-                 * by someone else.
+                         */
-                 */
-                if (!RPC_IS_QUEUED(task)) {
                        if (task->tk_action == NULL)
                                break;
                        task->tk_action(task);
@@ -829,12 +834,6 @@ struct rpc_task *rpc_new_task(const struct rpc_task_setup *setup_data)
        }
        rpc_init_task(task, setup_data);
-        if (task->tk_status < 0) {
-                int err = task->tk_status;
-                rpc_put_task(task);
-                return ERR_PTR(err);
-        }
        task->tk_flags |= flags;
        dprintk("RPC:       allocated task %p\n", task);
        return task;
@@ -857,34 +856,69 @@ static void rpc_async_release(struct work_struct *work)
        rpc_free_task(container_of(work, struct rpc_task, u.tk_work));
 }
-void rpc_put_task(struct rpc_task *task)
+static void rpc_release_resources_task(struct rpc_task *task)
 {
-        if (!atomic_dec_and_test(&task->tk_count))
-                return;
-        /* Release resources */
        if (task->tk_rqstp)
                xprt_release(task);
-        if (task->tk_msg.rpc_cred)
+        if (task->tk_msg.rpc_cred) {
                put_rpccred(task->tk_msg.rpc_cred);
+                task->tk_msg.rpc_cred = NULL;
+        }
        rpc_task_release_client(task);
-        if (task->tk_workqueue != NULL) {
+}
+static void rpc_final_put_task(struct rpc_task *task,
+                struct workqueue_struct *q)
+{
+        if (q != NULL) {
                INIT_WORK(&task->u.tk_work, rpc_async_release);
-                queue_work(task->tk_workqueue, &task->u.tk_work);
+                queue_work(q, &task->u.tk_work);
        } else
                rpc_free_task(task);
 }
+static void rpc_do_put_task(struct rpc_task *task, struct workqueue_struct *q)
+{
+        if (atomic_dec_and_test(&task->tk_count)) {
+                rpc_release_resources_task(task);
+                rpc_final_put_task(task, q);
+        }
+}
+void rpc_put_task(struct rpc_task *task)
+{
+        rpc_do_put_task(task, NULL);
+}
 EXPORT_SYMBOL_GPL(rpc_put_task);
+void rpc_put_task_async(struct rpc_task *task)
+{
+        rpc_do_put_task(task, task->tk_workqueue);
+}
+EXPORT_SYMBOL_GPL(rpc_put_task_async);
 static void rpc_release_task(struct rpc_task *task)
 {
        dprintk("RPC: %5u release task\n", task->tk_pid);
        BUG_ON (RPC_IS_QUEUED(task));
-        /* Wake up anyone who is waiting for task completion */
+        rpc_release_resources_task(task);
-        rpc_mark_complete_task(task);
-        rpc_put_task(task);
+        /*
+         * Note: at this point we have been removed from rpc_clnt->cl_tasks,
+         * so it should be safe to use task->tk_count as a test for whether
+         * or not any other processes still hold references to our rpc_task.
+         */
+        if (atomic_read(&task->tk_count) != 1 + !RPC_IS_ASYNC(task)) {
+                /* Wake up anyone who may be waiting for task completion */
+                if (!rpc_complete_task(task))
+                        return;
+        } else {
+                if (!atomic_dec_and_test(&task->tk_count))
+                        return;
+        }
+        rpc_final_put_task(task, task->tk_workqueue);
 }
 int rpciod_up(void)
@@ -908,7 +942,7 @@ static int rpciod_start(void)
         * Create the rpciod thread and wait for it to start.
         */
        dprintk("RPC:       creating workqueue rpciod\n");
-        wq = alloc_workqueue("rpciod", WQ_RESCUER, 0);
+        wq = alloc_workqueue("rpciod", WQ_MEM_RECLAIM, 0);
        rpciod_workqueue = wq;
        return rpciod_workqueue != NULL;
 }
diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c
index 30916b06c12b..c8e10216c113 100644
--- a/net/sunrpc/svcauth_unix.c
+++ b/net/sunrpc/svcauth_unix.c
@@ -38,6 +38,14 @@ struct unix_domain {
 extern struct auth_ops svcauth_unix;
+static void svcauth_unix_domain_release(struct auth_domain *dom)
+{
+        struct unix_domain *ud = container_of(dom, struct unix_domain, h);
+        kfree(dom->name);
+        kfree(ud);
+}
 struct auth_domain *unix_domain_find(char *name)
 {
        struct auth_domain *rv;
@@ -47,7 +55,7 @@ struct auth_domain *unix_domain_find(char *name)
        while(1) {
                if (rv) {
                        if (new && rv != &new->h)
-                                auth_domain_put(&new->h);
+                                svcauth_unix_domain_release(&new->h);
                        if (rv->flavour != &svcauth_unix) {
                                auth_domain_put(rv);
@@ -74,14 +82,6 @@ struct auth_domain *unix_domain_find(char *name)
 }
 EXPORT_SYMBOL_GPL(unix_domain_find);
-static void svcauth_unix_domain_release(struct auth_domain *dom)
-{
-        struct unix_domain *ud = container_of(dom, struct unix_domain, h);
-        kfree(dom->name);
-        kfree(ud);
-}
 /**************************************************
 * cache for IP address to unix_domain
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index d802e941d365..b7d435c3f19e 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -420,6 +420,7 @@ static void svc_sock_setbufsize(struct socket *sock, unsigned int snd,
 static void svc_udp_data_ready(struct sock *sk, int count)
 {
        struct svc_sock *svsk = (struct svc_sock *)sk->sk_user_data;
+        wait_queue_head_t *wq = sk_sleep(sk);
        if (svsk) {
                dprintk("svc: socket %p(inet %p), count=%d, busy=%d\n",
@@ -428,8 +429,8 @@ static void svc_udp_data_ready(struct sock *sk, int count)
                set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags);
                svc_xprt_enqueue(&svsk->sk_xprt);
        }
-        if (sk_sleep(sk) && waitqueue_active(sk_sleep(sk)))
+        if (wq && waitqueue_active(wq))
-                wake_up_interruptible(sk_sleep(sk));
+                wake_up_interruptible(wq);
 }
 /*
@@ -438,6 +439,7 @@ static void svc_udp_data_ready(struct sock *sk, int count)
 static void svc_write_space(struct sock *sk)
 {
        struct svc_sock *svsk = (struct svc_sock *)(sk->sk_user_data);
+        wait_queue_head_t *wq = sk_sleep(sk);
        if (svsk) {
                dprintk("svc: socket %p(inet %p), write_space busy=%d\n",
@@ -445,10 +447,10 @@ static void svc_write_space(struct sock *sk)
                svc_xprt_enqueue(&svsk->sk_xprt);
        }
-        if (sk_sleep(sk) && waitqueue_active(sk_sleep(sk))) {
+        if (wq && waitqueue_active(wq)) {
                dprintk("RPC svc_write_space: someone sleeping on %p\n",
                       svsk);
-                wake_up_interruptible(sk_sleep(sk));
+                wake_up_interruptible(wq);
        }
 }
@@ -739,6 +741,7 @@ static void svc_udp_init(struct svc_sock *svsk, struct svc_serv *serv)
 static void svc_tcp_listen_data_ready(struct sock *sk, int count_unused)
 {
        struct svc_sock *svsk = (struct svc_sock *)sk->sk_user_data;
+        wait_queue_head_t *wq;
        dprintk("svc: socket %p TCP (listen) state change %d\n",
                sk, sk->sk_state);
@@ -761,8 +764,9 @@ static void svc_tcp_listen_data_ready(struct sock *sk, int count_unused)
                        printk("svc: socket %p: no user data\n", sk);
        }
-        if (sk_sleep(sk) && waitqueue_active(sk_sleep(sk)))
+        wq = sk_sleep(sk);
-                wake_up_interruptible_all(sk_sleep(sk));
+        if (wq && waitqueue_active(wq))
+                wake_up_interruptible_all(wq);
 }
 /*
@@ -771,6 +775,7 @@ static void svc_tcp_listen_data_ready(struct sock *sk, int count_unused)
 static void svc_tcp_state_change(struct sock *sk)
 {
        struct svc_sock *svsk = (struct svc_sock *)sk->sk_user_data;
+        wait_queue_head_t *wq = sk_sleep(sk);
        dprintk("svc: socket %p TCP (connected) state change %d (svsk %p)\n",
                sk, sk->sk_state, sk->sk_user_data);
@@ -781,13 +786,14 @@ static void svc_tcp_state_change(struct sock *sk)
                set_bit(XPT_CLOSE, &svsk->sk_xprt.xpt_flags);
                svc_xprt_enqueue(&svsk->sk_xprt);
        }
-        if (sk_sleep(sk) && waitqueue_active(sk_sleep(sk)))
+        if (wq && waitqueue_active(wq))
-                wake_up_interruptible_all(sk_sleep(sk));
+                wake_up_interruptible_all(wq);
 }
 static void svc_tcp_data_ready(struct sock *sk, int count)
 {
        struct svc_sock *svsk = (struct svc_sock *)sk->sk_user_data;
+        wait_queue_head_t *wq = sk_sleep(sk);
        dprintk("svc: socket %p TCP data ready (svsk %p)\n",
                sk, sk->sk_user_data);
@@ -795,8 +801,8 @@ static void svc_tcp_data_ready(struct sock *sk, int count)
                set_bit(XPT_DATA, &svsk->sk_xprt.xpt_flags);
                svc_xprt_enqueue(&svsk->sk_xprt);
        }
-        if (sk_sleep(sk) && waitqueue_active(sk_sleep(sk)))
+        if (wq && waitqueue_active(wq))
-                wake_up_interruptible(sk_sleep(sk));
+                wake_up_interruptible(wq);
 }
 /*
@@ -1531,6 +1537,7 @@ static void svc_sock_detach(struct svc_xprt *xprt)
 {
        struct svc_sock *svsk = container_of(xprt, struct svc_sock, sk_xprt);
        struct sock *sk = svsk->sk_sk;
+        wait_queue_head_t *wq;
        dprintk("svc: svc_sock_detach(%p)\n", svsk);
@@ -1539,8 +1546,9 @@ static void svc_sock_detach(struct svc_xprt *xprt)
        sk->sk_data_ready = svsk->sk_odata;
        sk->sk_write_space = svsk->sk_owspace;
-        if (sk_sleep(sk) && waitqueue_active(sk_sleep(sk)))
+        wq = sk_sleep(sk);
-                wake_up_interruptible(sk_sleep(sk));
+        if (wq && waitqueue_active(wq))
+                wake_up_interruptible(wq);
 }
 /*
diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
index 856274d7e85c..ce5eb68a9664 100644
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -202,10 +202,9 @@ int xprt_reserve_xprt(struct rpc_task *task)
                goto out_sleep;
        }
        xprt->snd_task = task;
-        if (req) {
+        req->rq_bytes_sent = 0;
-                req->rq_bytes_sent = 0;
+        req->rq_ntrans++;
-                req->rq_ntrans++;
-        }
        return 1;
 out_sleep:
@@ -213,7 +212,7 @@ out_sleep:
                        task->tk_pid, xprt);
        task->tk_timeout = 0;
        task->tk_status = -EAGAIN;
-        if (req && req->rq_ntrans)
+        if (req->rq_ntrans)
                rpc_sleep_on(&xprt->resend, task, NULL);
        else
                rpc_sleep_on(&xprt->sending, task, NULL);
@@ -907,6 +906,7 @@ void xprt_transmit(struct rpc_task *task)
        }
        dprintk("RPC: %5u xmit complete\n", task->tk_pid);
+        task->tk_flags |= RPC_TASK_SENT;
        spin_lock_bh(&xprt->transport_lock);
        xprt->ops->set_retrans_timeout(task);
@@ -965,7 +965,7 @@ struct rpc_xprt *xprt_alloc(struct net *net, int size, int max_req)
        xprt = kzalloc(size, GFP_KERNEL);
        if (xprt == NULL)
                goto out;
-        kref_init(&xprt->kref);
+        atomic_set(&xprt->count, 1);
        xprt->max_reqs = max_req;
        xprt->slot = kcalloc(max_req, sizeof(struct rpc_rqst), GFP_KERNEL);
@@ -1145,13 +1145,11 @@ found:
 /**
 * xprt_destroy - destroy an RPC transport, killing off all requests.
- * @kref: kref for the transport to destroy
+ * @xprt: transport to destroy
 *
 */
-static void xprt_destroy(struct kref *kref)
+static void xprt_destroy(struct rpc_xprt *xprt)
 {
-        struct rpc_xprt *xprt = container_of(kref, struct rpc_xprt, kref);
        dprintk("RPC:       destroying transport %p\n", xprt);
        xprt->shutdown = 1;
        del_timer_sync(&xprt->timer);
@@ -1175,7 +1173,8 @@ static void xprt_destroy(struct kref *kref)
 */
 void xprt_put(struct rpc_xprt *xprt)
 {
-        kref_put(&xprt->kref, xprt_destroy);
+        if (atomic_dec_and_test(&xprt->count))
+                xprt_destroy(xprt);
 }
 /**
@@ -1185,6 +1184,7 @@ void xprt_put(struct rpc_xprt *xprt)
 */
 struct rpc_xprt *xprt_get(struct rpc_xprt *xprt)
 {
-        kref_get(&xprt->kref);
+        if (atomic_inc_not_zero(&xprt->count))
-        return xprt;
+                return xprt;
+        return NULL;
 }
diff --git a/net/sunrpc/xprtrdma/rpc_rdma.c b/net/sunrpc/xprtrdma/rpc_rdma.c
index 2ac3f6e8adff..554d0814c875 100644
--- a/net/sunrpc/xprtrdma/rpc_rdma.c
+++ b/net/sunrpc/xprtrdma/rpc_rdma.c
@@ -87,6 +87,8 @@ rpcrdma_convert_iovs(struct xdr_buf *xdrbuf, unsigned int pos,
        enum rpcrdma_chunktype type, struct rpcrdma_mr_seg *seg, int nsegs)
 {
        int len, n = 0, p;
+        int page_base;
+        struct page **ppages;
        if (pos == 0 && xdrbuf->head[0].iov_len) {
                seg[n].mr_page = NULL;
@@ -95,34 +97,32 @@ rpcrdma_convert_iovs(struct xdr_buf *xdrbuf, unsigned int pos,
                ++n;
        }
-        if (xdrbuf->page_len && (xdrbuf->pages[0] != NULL)) {
+        len = xdrbuf->page_len;
-                if (n == nsegs)
+        ppages = xdrbuf->pages + (xdrbuf->page_base >> PAGE_SHIFT);
-                        return 0;
+        page_base = xdrbuf->page_base & ~PAGE_MASK;
-                seg[n].mr_page = xdrbuf->pages[0];
+        p = 0;
-                seg[n].mr_offset = (void *)(unsigned long) xdrbuf->page_base;
+        while (len && n < nsegs) {
-                seg[n].mr_len = min_t(u32,
+                seg[n].mr_page = ppages[p];
-                        PAGE_SIZE - xdrbuf->page_base, xdrbuf->page_len);
+                seg[n].mr_offset = (void *)(unsigned long) page_base;
-                len = xdrbuf->page_len - seg[n].mr_len;
+                seg[n].mr_len = min_t(u32, PAGE_SIZE - page_base, len);
+                BUG_ON(seg[n].mr_len > PAGE_SIZE);
+                len -= seg[n].mr_len;
                ++n;
-                p = 1;
+                ++p;
-                while (len > 0) {
+                page_base = 0;  /* page offset only applies to first page */
-                        if (n == nsegs)
-                                return 0;
-                        seg[n].mr_page = xdrbuf->pages[p];
-                        seg[n].mr_offset = NULL;
-                        seg[n].mr_len = min_t(u32, PAGE_SIZE, len);
-                        len -= seg[n].mr_len;
-                        ++n;
-                        ++p;
-                }
        }
+        /* Message overflows the seg array */
+        if (len && n == nsegs)
+                return 0;
        if (xdrbuf->tail[0].iov_len) {
                /* the rpcrdma protocol allows us to omit any trailing
                 * xdr pad bytes, saving the server an RDMA operation. */
                if (xdrbuf->tail[0].iov_len < 4 && xprt_rdma_pad_optimize)
                        return n;
                if (n == nsegs)
+                        /* Tail remains, but we're out of segments */
                        return 0;
                seg[n].mr_page = NULL;
                seg[n].mr_offset = xdrbuf->tail[0].iov_base;
@@ -296,6 +296,8 @@ rpcrdma_inline_pullup(struct rpc_rqst *rqst, int pad)
        int copy_len;
        unsigned char *srcp, *destp;
        struct rpcrdma_xprt *r_xprt = rpcx_to_rdmax(rqst->rq_xprt);
+        int page_base;
+        struct page **ppages;
        destp = rqst->rq_svec[0].iov_base;
        curlen = rqst->rq_svec[0].iov_len;
@@ -324,28 +326,25 @@ rpcrdma_inline_pullup(struct rpc_rqst *rqst, int pad)
                        __func__, destp + copy_len, curlen);
                rqst->rq_svec[0].iov_len += curlen;
        }
        r_xprt->rx_stats.pullup_copy_count += copy_len;
-        npages = PAGE_ALIGN(rqst->rq_snd_buf.page_base+copy_len) >> PAGE_SHIFT;
+        page_base = rqst->rq_snd_buf.page_base;
+        ppages = rqst->rq_snd_buf.pages + (page_base >> PAGE_SHIFT);
+        page_base &= ~PAGE_MASK;
+        npages = PAGE_ALIGN(page_base+copy_len) >> PAGE_SHIFT;
        for (i = 0; copy_len && i < npages; i++) {
-                if (i == 0)
+                curlen = PAGE_SIZE - page_base;
-                        curlen = PAGE_SIZE - rqst->rq_snd_buf.page_base;
-                else
-                        curlen = PAGE_SIZE;
                if (curlen > copy_len)
                        curlen = copy_len;
                dprintk("RPC:       %s: page %d destp 0x%p len %d curlen %d\n",
                        __func__, i, destp, copy_len, curlen);
-                srcp = kmap_atomic(rqst->rq_snd_buf.pages[i],
+                srcp = kmap_atomic(ppages[i], KM_SKB_SUNRPC_DATA);
-                                        KM_SKB_SUNRPC_DATA);
+                memcpy(destp, srcp+page_base, curlen);
-                if (i == 0)
-                        memcpy(destp, srcp+rqst->rq_snd_buf.page_base, curlen);
-                else
-                        memcpy(destp, srcp, curlen);
                kunmap_atomic(srcp, KM_SKB_SUNRPC_DATA);
                rqst->rq_svec[0].iov_len += curlen;
                destp += curlen;
                copy_len -= curlen;
+                page_base = 0;
        }
        /* header now contains entire send message */
        return pad;
@@ -606,6 +605,8 @@ rpcrdma_inline_fixup(struct rpc_rqst *rqst, char *srcp, int copy_len, int pad)
 {
        int i, npages, curlen, olen;
        char *destp;
+        struct page **ppages;
+        int page_base;
        curlen = rqst->rq_rcv_buf.head[0].iov_len;
        if (curlen > copy_len) {        /* write chunk header fixup */
@@ -624,32 +625,29 @@ rpcrdma_inline_fixup(struct rpc_rqst *rqst, char *srcp, int copy_len, int pad)
        olen = copy_len;
        i = 0;
        rpcx_to_rdmax(rqst->rq_xprt)->rx_stats.fixup_copy_count += olen;
+        page_base = rqst->rq_rcv_buf.page_base;
+        ppages = rqst->rq_rcv_buf.pages + (page_base >> PAGE_SHIFT);
+        page_base &= ~PAGE_MASK;
        if (copy_len && rqst->rq_rcv_buf.page_len) {
-                npages = PAGE_ALIGN(rqst->rq_rcv_buf.page_base +
+                npages = PAGE_ALIGN(page_base +
                        rqst->rq_rcv_buf.page_len) >> PAGE_SHIFT;
                for (; i < npages; i++) {
-                        if (i == 0)
+                        curlen = PAGE_SIZE - page_base;
-                                curlen = PAGE_SIZE - rqst->rq_rcv_buf.page_base;
-                        else
-                                curlen = PAGE_SIZE;
                        if (curlen > copy_len)
                                curlen = copy_len;
                        dprintk("RPC:       %s: page %d"
                                " srcp 0x%p len %d curlen %d\n",
                                __func__, i, srcp, copy_len, curlen);
-                        destp = kmap_atomic(rqst->rq_rcv_buf.pages[i],
+                        destp = kmap_atomic(ppages[i], KM_SKB_SUNRPC_DATA);
-                                                KM_SKB_SUNRPC_DATA);
+                        memcpy(destp + page_base, srcp, curlen);
-                        if (i == 0)
+                        flush_dcache_page(ppages[i]);
-                                memcpy(destp + rqst->rq_rcv_buf.page_base,
-                                                srcp, curlen);
-                        else
-                                memcpy(destp, srcp, curlen);
-                        flush_dcache_page(rqst->rq_rcv_buf.pages[i]);
                        kunmap_atomic(destp, KM_SKB_SUNRPC_DATA);
                        srcp += curlen;
                        copy_len -= curlen;
                        if (copy_len == 0)
                                break;
+                        page_base = 0;
                }
                rqst->rq_rcv_buf.page_len = olen - copy_len;
        } else
diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c
index 9df1eadc912a..1a10dcd999ea 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
@@ -1335,6 +1335,7 @@ void svc_rdma_send_error(struct svcxprt_rdma *xprt, struct rpcrdma_msg *rmsgp,
                                            p, 0, length, DMA_FROM_DEVICE);
        if (ib_dma_mapping_error(xprt->sc_cm_id->device, ctxt->sge[0].addr)) {
                put_page(p);
+                svc_rdma_put_context(ctxt, 1);
                return;
        }
        atomic_inc(&xprt->sc_dma_used);
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index 5f4c7b3bc711..d4297dc43dc4 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -144,6 +144,7 @@ rpcrdma_cq_async_error_upcall(struct ib_event *event, void *context)
 static inline
 void rpcrdma_event_process(struct ib_wc *wc)
 {
+        struct rpcrdma_mw *frmr;
        struct rpcrdma_rep *rep =
                        (struct rpcrdma_rep *)(unsigned long) wc->wr_id;
@@ -154,15 +155,23 @@ void rpcrdma_event_process(struct ib_wc *wc)
                return;
        if (IB_WC_SUCCESS != wc->status) {
-                dprintk("RPC:       %s: %s WC status %X, connection lost\n",
+                dprintk("RPC:       %s: WC opcode %d status %X, connection lost\n",
-                        __func__, (wc->opcode & IB_WC_RECV) ? "recv" : "send",
+                        __func__, wc->opcode, wc->status);
-                         wc->status);
                rep->rr_len = ~0U;
-                rpcrdma_schedule_tasklet(rep);
+                if (wc->opcode != IB_WC_FAST_REG_MR && wc->opcode != IB_WC_LOCAL_INV)
+                        rpcrdma_schedule_tasklet(rep);
                return;
        }
        switch (wc->opcode) {
+        case IB_WC_FAST_REG_MR:
+                frmr = (struct rpcrdma_mw *)(unsigned long)wc->wr_id;
+                frmr->r.frmr.state = FRMR_IS_VALID;
+                break;
+        case IB_WC_LOCAL_INV:
+                frmr = (struct rpcrdma_mw *)(unsigned long)wc->wr_id;
+                frmr->r.frmr.state = FRMR_IS_INVALID;
+                break;
        case IB_WC_RECV:
                rep->rr_len = wc->byte_len;
                ib_dma_sync_single_for_cpu(
@@ -1450,6 +1459,12 @@ rpcrdma_map_one(struct rpcrdma_ia *ia, struct rpcrdma_mr_seg *seg, int writing)
                seg->mr_dma = ib_dma_map_single(ia->ri_id->device,
                                seg->mr_offset,
                                seg->mr_dmalen, seg->mr_dir);
+        if (ib_dma_mapping_error(ia->ri_id->device, seg->mr_dma)) {
+                dprintk("RPC:       %s: mr_dma %llx mr_offset %p mr_dma_len %zu\n",
+                        __func__,
+                        (unsigned long long)seg->mr_dma,
+                        seg->mr_offset, seg->mr_dmalen);
+        }
 }
 static void
@@ -1469,7 +1484,8 @@ rpcrdma_register_frmr_external(struct rpcrdma_mr_seg *seg,
                        struct rpcrdma_xprt *r_xprt)
 {
        struct rpcrdma_mr_seg *seg1 = seg;
-        struct ib_send_wr frmr_wr, *bad_wr;
+        struct ib_send_wr invalidate_wr, frmr_wr, *bad_wr, *post_wr;
        u8 key;
        int len, pageoff;
        int i, rc;
@@ -1484,6 +1500,7 @@ rpcrdma_register_frmr_external(struct rpcrdma_mr_seg *seg,
                rpcrdma_map_one(ia, seg, writing);
                seg1->mr_chunk.rl_mw->r.frmr.fr_pgl->page_list[i] = seg->mr_dma;
                len += seg->mr_len;
+                BUG_ON(seg->mr_len > PAGE_SIZE);
                ++seg;
                ++i;
                /* Check for holes */
@@ -1494,26 +1511,45 @@ rpcrdma_register_frmr_external(struct rpcrdma_mr_seg *seg,
        dprintk("RPC:       %s: Using frmr %p to map %d segments\n",
                __func__, seg1->mr_chunk.rl_mw, i);
+        if (unlikely(seg1->mr_chunk.rl_mw->r.frmr.state == FRMR_IS_VALID)) {
+                dprintk("RPC:       %s: frmr %x left valid, posting invalidate.\n",
+                        __func__,
+                        seg1->mr_chunk.rl_mw->r.frmr.fr_mr->rkey);
+                /* Invalidate before using. */
+                memset(&invalidate_wr, 0, sizeof invalidate_wr);
+                invalidate_wr.wr_id = (unsigned long)(void *)seg1->mr_chunk.rl_mw;
+                invalidate_wr.next = &frmr_wr;
+                invalidate_wr.opcode = IB_WR_LOCAL_INV;
+                invalidate_wr.send_flags = IB_SEND_SIGNALED;
+                invalidate_wr.ex.invalidate_rkey =
+                        seg1->mr_chunk.rl_mw->r.frmr.fr_mr->rkey;
+                DECR_CQCOUNT(&r_xprt->rx_ep);
+                post_wr = &invalidate_wr;
+        } else
+                post_wr = &frmr_wr;
        /* Bump the key */
        key = (u8)(seg1->mr_chunk.rl_mw->r.frmr.fr_mr->rkey & 0x000000FF);
        ib_update_fast_reg_key(seg1->mr_chunk.rl_mw->r.frmr.fr_mr, ++key);
        /* Prepare FRMR WR */
        memset(&frmr_wr, 0, sizeof frmr_wr);
+        frmr_wr.wr_id = (unsigned long)(void *)seg1->mr_chunk.rl_mw;
        frmr_wr.opcode = IB_WR_FAST_REG_MR;
-        frmr_wr.send_flags = 0;                 /* unsignaled */
+        frmr_wr.send_flags = IB_SEND_SIGNALED;
        frmr_wr.wr.fast_reg.iova_start = seg1->mr_dma;
        frmr_wr.wr.fast_reg.page_list = seg1->mr_chunk.rl_mw->r.frmr.fr_pgl;
        frmr_wr.wr.fast_reg.page_list_len = i;
        frmr_wr.wr.fast_reg.page_shift = PAGE_SHIFT;
        frmr_wr.wr.fast_reg.length = i << PAGE_SHIFT;
+        BUG_ON(frmr_wr.wr.fast_reg.length < len);
        frmr_wr.wr.fast_reg.access_flags = (writing ?
                                IB_ACCESS_REMOTE_WRITE | IB_ACCESS_LOCAL_WRITE :
                                IB_ACCESS_REMOTE_READ);
        frmr_wr.wr.fast_reg.rkey = seg1->mr_chunk.rl_mw->r.frmr.fr_mr->rkey;
        DECR_CQCOUNT(&r_xprt->rx_ep);
-        rc = ib_post_send(ia->ri_id->qp, &frmr_wr, &bad_wr);
+        rc = ib_post_send(ia->ri_id->qp, post_wr, &bad_wr);
        if (rc) {
                dprintk("RPC:       %s: failed ib_post_send for register,"
@@ -1542,8 +1578,9 @@ rpcrdma_deregister_frmr_external(struct rpcrdma_mr_seg *seg,
                rpcrdma_unmap_one(ia, seg++);
        memset(&invalidate_wr, 0, sizeof invalidate_wr);
+        invalidate_wr.wr_id = (unsigned long)(void *)seg1->mr_chunk.rl_mw;
        invalidate_wr.opcode = IB_WR_LOCAL_INV;
-        invalidate_wr.send_flags = 0;                   /* unsignaled */
+        invalidate_wr.send_flags = IB_SEND_SIGNALED;
        invalidate_wr.ex.invalidate_rkey = seg1->mr_chunk.rl_mw->r.frmr.fr_mr->rkey;
        DECR_CQCOUNT(&r_xprt->rx_ep);
diff --git a/net/sunrpc/xprtrdma/xprt_rdma.h b/net/sunrpc/xprtrdma/xprt_rdma.h
index c7a7eba991bc..cae761a8536c 100644
--- a/net/sunrpc/xprtrdma/xprt_rdma.h
+++ b/net/sunrpc/xprtrdma/xprt_rdma.h
@@ -164,6 +164,7 @@ struct rpcrdma_mr_seg {		/* chunk descriptors */
                                struct {
                                        struct ib_fast_reg_page_list *fr_pgl;
                                        struct ib_mr *fr_mr;
+                                        enum { FRMR_IS_INVALID, FRMR_IS_VALID  } state;
                                } frmr;
                        } r;
                        struct list_head mw_list;
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index c431f5a57960..bf005d3c65ef 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -504,7 +504,7 @@ static int xs_nospace(struct rpc_task *task)
 *   EAGAIN:    The socket was blocked, please call again later to
 *              complete the request
 * ENOTCONN:    Caller needs to invoke connect logic then call again
- *    other:    Some other error occured, the request was not sent
+ *    other:    Some other error occurred, the request was not sent
 */
 static int xs_udp_send_request(struct rpc_task *task)
 {
@@ -590,7 +590,7 @@ static inline void xs_encode_tcp_record_marker(struct xdr_buf *buf)
 *   EAGAIN:    The socket was blocked, please call again later to
 *              complete the request
 * ENOTCONN:    Caller needs to invoke connect logic then call again
- *    other:    Some other error occured, the request was not sent
+ *    other:    Some other error occurred, the request was not sent
 *
 * XXX: In the case of soft timeouts, should we eventually give up
 *      if sendmsg is not able to make progress?
@@ -710,6 +710,8 @@ static void xs_reset_transport(struct sock_xprt *transport)
        if (sk == NULL)
                return;
+        transport->srcport = 0;
        write_lock_bh(&sk->sk_callback_lock);
        transport->inet = NULL;
        transport->sock = NULL;
@@ -1631,7 +1633,8 @@ static struct socket *xs_create_sock(struct rpc_xprt *xprt,
        }
        xs_reclassify_socket(family, sock);
-        if (xs_bind(transport, sock)) {
+        err = xs_bind(transport, sock);
+        if (err) {
                sock_release(sock);
                goto out;
        }
diff --git a/net/tipc/Kconfig b/net/tipc/Kconfig
index 0436927369f3..2c5954b85933 100644
--- a/net/tipc/Kconfig
+++ b/net/tipc/Kconfig
@@ -29,18 +29,6 @@ config TIPC_ADVANCED
          Saying Y here will open some advanced configuration for TIPC.
          Most users do not need to bother; if unsure, just say N.
-config TIPC_NODES
-        int "Maximum number of nodes in a cluster"
-        depends on TIPC_ADVANCED
-        range 8 2047
-        default "255"
-        help
-          Specifies how many nodes can be supported in a TIPC cluster.
-          Can range from 8 to 2047 nodes; default is 255.
-          Setting this to a smaller value saves some memory;
-          setting it to higher allows for more nodes.
 config TIPC_PORTS
        int "Maximum number of ports in a node"
        depends on TIPC_ADVANCED
diff --git a/net/tipc/addr.c b/net/tipc/addr.c
index 88463d9a6f12..a6fdab33877e 100644
--- a/net/tipc/addr.c
+++ b/net/tipc/addr.c
@@ -2,7 +2,7 @@
 * net/tipc/addr.c: TIPC address utility routines
 *
 * Copyright (c) 2000-2006, Ericsson AB
- * Copyright (c) 2004-2005, Wind River Systems
+ * Copyright (c) 2004-2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -41,7 +41,7 @@
 * tipc_addr_domain_valid - validates a network domain address
 *
 * Accepts <Z.C.N>, <Z.C.0>, <Z.0.0>, and <0.0.0>,
- * where Z, C, and N are non-zero and do not exceed the configured limits.
+ * where Z, C, and N are non-zero.
 *
 * Returns 1 if domain address is valid, otherwise 0
 */
@@ -51,10 +51,6 @@ int tipc_addr_domain_valid(u32 addr)
        u32 n = tipc_node(addr);
        u32 c = tipc_cluster(addr);
        u32 z = tipc_zone(addr);
-        u32 max_nodes = tipc_max_nodes;
-        if (n > max_nodes)
-                return 0;
        if (n && (!z || !c))
                return 0;
@@ -66,8 +62,7 @@ int tipc_addr_domain_valid(u32 addr)
 /**
 * tipc_addr_node_valid - validates a proposed network address for this node
 *
- * Accepts <Z.C.N>, where Z, C, and N are non-zero and do not exceed
+ * Accepts <Z.C.N>, where Z, C, and N are non-zero.
- * the configured limits.
 *
 * Returns 1 if address can be used, otherwise 0
 */
@@ -81,9 +76,9 @@ int tipc_in_scope(u32 domain, u32 addr)
 {
        if (!domain || (domain == addr))
                return 1;
-        if (domain == (addr & 0xfffff000u)) /* domain <Z.C.0> */
+        if (domain == tipc_cluster_mask(addr)) /* domain <Z.C.0> */
                return 1;
-        if (domain == (addr & 0xff000000u)) /* domain <Z.0.0> */
+        if (domain == tipc_zone_mask(addr)) /* domain <Z.0.0> */
                return 1;
        return 0;
 }
diff --git a/net/tipc/addr.h b/net/tipc/addr.h
index 2490fadd0caf..e4f35afe3207 100644
--- a/net/tipc/addr.h
+++ b/net/tipc/addr.h
@@ -37,6 +37,19 @@
 #ifndef _TIPC_ADDR_H
 #define _TIPC_ADDR_H
+#define TIPC_ZONE_MASK          0xff000000u
+#define TIPC_CLUSTER_MASK       0xfffff000u
+static inline u32 tipc_zone_mask(u32 addr)
+{
+        return addr & TIPC_ZONE_MASK;
+}
+static inline u32 tipc_cluster_mask(u32 addr)
+{
+        return addr & TIPC_CLUSTER_MASK;
+}
 static inline int in_own_cluster(u32 addr)
 {
        return !((addr ^ tipc_own_addr) >> 12);
@@ -49,14 +62,13 @@ static inline int in_own_cluster(u32 addr)
 * after a network hop.
 */
-static inline int addr_domain(int sc)
+static inline u32 addr_domain(u32 sc)
 {
        if (likely(sc == TIPC_NODE_SCOPE))
                return tipc_own_addr;
        if (sc == TIPC_CLUSTER_SCOPE)
-                return tipc_addr(tipc_zone(tipc_own_addr),
+                return tipc_cluster_mask(tipc_own_addr);
-                                 tipc_cluster(tipc_own_addr), 0);
+        return tipc_zone_mask(tipc_own_addr);
-        return tipc_addr(tipc_zone(tipc_own_addr), 0, 0);
 }
 int tipc_addr_domain_valid(u32);
diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
index 70ab5ef48766..fa68d1e9ff4b 100644
--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -3,7 +3,7 @@
 *
 * Copyright (c) 2004-2006, Ericsson AB
 * Copyright (c) 2004, Intel Corporation.
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -44,13 +44,6 @@
 #define BCLINK_WIN_DEFAULT 20           /* bcast link window size (default) */
-/*
- * Loss rate for incoming broadcast frames; used to test retransmission code.
- * Set to N to cause every N'th frame to be discarded; 0 => don't discard any.
- */
-#define TIPC_BCAST_LOSS_RATE 0
 /**
 * struct bcbearer_pair - a pair of bearers used by broadcast link
 * @primary: pointer to primary bearer
@@ -61,8 +54,8 @@
 */
 struct bcbearer_pair {
-        struct bearer *primary;
+        struct tipc_bearer *primary;
-        struct bearer *secondary;
+        struct tipc_bearer *secondary;
 };
 /**
@@ -81,7 +74,7 @@ struct bcbearer_pair {
 */
 struct bcbearer {
-        struct bearer bearer;
+        struct tipc_bearer bearer;
        struct media media;
        struct bcbearer_pair bpairs[MAX_BEARERS];
        struct bcbearer_pair bpairs_temp[TIPC_MAX_LINK_PRI + 1];
@@ -93,6 +86,7 @@ struct bcbearer {
 * struct bclink - link used for broadcast messages
 * @link: (non-standard) broadcast link structure
 * @node: (non-standard) node structure representing b'cast link's peer node
+ * @retransmit_to: node that most recently requested a retransmit
 *
 * Handles sequence numbering, fragmentation, bundling, etc.
 */
@@ -100,6 +94,7 @@ struct bcbearer {
 struct bclink {
        struct link link;
        struct tipc_node node;
+        struct tipc_node *retransmit_to;
 };
@@ -184,6 +179,17 @@ static int bclink_ack_allowed(u32 n)
 /**
+ * tipc_bclink_retransmit_to - get most recent node to request retransmission
+ *
+ * Called with bc_lock locked
+ */
+struct tipc_node *tipc_bclink_retransmit_to(void)
+{
+        return bclink->retransmit_to;
+}
+/**
 * bclink_retransmit_pkt - retransmit broadcast packets
 * @after: sequence number of last packet to *not* retransmit
 * @to: sequence number of last packet to retransmit
@@ -285,6 +291,7 @@ static void bclink_send_nack(struct tipc_node *n_ptr)
                msg = buf_msg(buf);
                tipc_msg_init(msg, BCAST_PROTOCOL, STATE_MSG,
                         INT_H_SIZE, n_ptr->addr);
+                msg_set_non_seq(msg, 1);
                msg_set_mc_netid(msg, tipc_net_id);
                msg_set_bcast_ack(msg, mod(n_ptr->bclink.last_in));
                msg_set_bcgap_after(msg, n_ptr->bclink.gap_after);
@@ -400,13 +407,9 @@ int tipc_bclink_send_msg(struct sk_buff *buf)
        spin_lock_bh(&bc_lock);
        res = tipc_link_send_buf(bcl, buf);
-        if (unlikely(res == -ELINKCONG))
+        if (likely(res > 0))
-                buf_discard(buf);
-        else
                bclink_set_last_sent();
-        if (bcl->out_queue_size > bcl->stats.max_queue_sz)
-                bcl->stats.max_queue_sz = bcl->out_queue_size;
        bcl->stats.queue_sz_counts++;
        bcl->stats.accu_queue_sz += bcl->out_queue_size;
@@ -422,9 +425,6 @@ int tipc_bclink_send_msg(struct sk_buff *buf)
 void tipc_bclink_recv_pkt(struct sk_buff *buf)
 {
-#if (TIPC_BCAST_LOSS_RATE)
-        static int rx_count;
-#endif
        struct tipc_msg *msg = buf_msg(buf);
        struct tipc_node *node = tipc_node_find(msg_prevnode(msg));
        u32 next_in;
@@ -444,10 +444,9 @@ void tipc_bclink_recv_pkt(struct sk_buff *buf)
                        tipc_node_unlock(node);
                        spin_lock_bh(&bc_lock);
                        bcl->stats.recv_nacks++;
-                        bcl->owner->next = node;   /* remember requestor */
+                        bclink->retransmit_to = node;
                        bclink_retransmit_pkt(msg_bcgap_after(msg),
                                              msg_bcgap_to(msg));
-                        bcl->owner->next = NULL;
                        spin_unlock_bh(&bc_lock);
                } else {
                        tipc_bclink_peek_nack(msg_destnode(msg),
@@ -459,14 +458,6 @@ void tipc_bclink_recv_pkt(struct sk_buff *buf)
                return;
        }
-#if (TIPC_BCAST_LOSS_RATE)
-        if (++rx_count == TIPC_BCAST_LOSS_RATE) {
-                rx_count = 0;
-                buf_discard(buf);
-                return;
-        }
-#endif
        tipc_node_lock(node);
 receive:
        deferred = node->bclink.deferred_head;
@@ -574,8 +565,8 @@ static int tipc_bcbearer_send(struct sk_buff *buf,
        bcbearer->remains = tipc_bcast_nmap;
        for (bp_index = 0; bp_index < MAX_BEARERS; bp_index++) {
-                struct bearer *p = bcbearer->bpairs[bp_index].primary;
+                struct tipc_bearer *p = bcbearer->bpairs[bp_index].primary;
-                struct bearer *s = bcbearer->bpairs[bp_index].secondary;
+                struct tipc_bearer *s = bcbearer->bpairs[bp_index].secondary;
                if (!p)
                        break;  /* no more bearers to try */
@@ -584,11 +575,11 @@ static int tipc_bcbearer_send(struct sk_buff *buf,
                if (bcbearer->remains_new.count == bcbearer->remains.count)
                        continue;       /* bearer pair doesn't add anything */
-                if (p->publ.blocked ||
+                if (p->blocked ||
-                    p->media->send_msg(buf, &p->publ, &p->media->bcast_addr)) {
+                    p->media->send_msg(buf, p, &p->media->bcast_addr)) {
                        /* unable to send on primary bearer */
-                        if (!s || s->publ.blocked ||
+                        if (!s || s->blocked ||
-                            s->media->send_msg(buf, &s->publ,
+                            s->media->send_msg(buf, s,
                                               &s->media->bcast_addr)) {
                                /* unable to send on either bearer */
                                continue;
@@ -633,7 +624,7 @@ void tipc_bcbearer_sort(void)
        memset(bp_temp, 0, sizeof(bcbearer->bpairs_temp));
        for (b_index = 0; b_index < MAX_BEARERS; b_index++) {
-                struct bearer *b = &tipc_bearers[b_index];
+                struct tipc_bearer *b = &tipc_bearers[b_index];
                if (!b->active || !b->nodes.count)
                        continue;
@@ -682,12 +673,12 @@ void tipc_bcbearer_sort(void)
 void tipc_bcbearer_push(void)
 {
-        struct bearer *b_ptr;
+        struct tipc_bearer *b_ptr;
        spin_lock_bh(&bc_lock);
        b_ptr = &bcbearer->bearer;
-        if (b_ptr->publ.blocked) {
+        if (b_ptr->blocked) {
-                b_ptr->publ.blocked = 0;
+                b_ptr->blocked = 0;
                tipc_bearer_lock_push(b_ptr);
        }
        spin_unlock_bh(&bc_lock);
diff --git a/net/tipc/bcast.h b/net/tipc/bcast.h
index 51f8c5326ce6..500c97f1c859 100644
--- a/net/tipc/bcast.h
+++ b/net/tipc/bcast.h
@@ -2,7 +2,7 @@
 * net/tipc/bcast.h: Include file for TIPC broadcast code
 *
 * Copyright (c) 2003-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -90,6 +90,7 @@ void tipc_port_list_free(struct port_list *pl_ptr);
 int  tipc_bclink_init(void);
 void tipc_bclink_stop(void);
+struct tipc_node *tipc_bclink_retransmit_to(void);
 void tipc_bclink_acknowledge(struct tipc_node *n_ptr, u32 acked);
 int  tipc_bclink_send_msg(struct sk_buff *buf);
 void tipc_bclink_recv_pkt(struct sk_buff *buf);
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 837b7a467885..85209eadfae6 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -2,7 +2,7 @@
 * net/tipc/bearer.c: TIPC bearer code
 *
 * Copyright (c) 1996-2006, Ericsson AB
- * Copyright (c) 2004-2006, Wind River Systems
+ * Copyright (c) 2004-2006, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -44,7 +44,9 @@
 static struct media media_list[MAX_MEDIA];
 static u32 media_count;
-struct bearer tipc_bearers[MAX_BEARERS];
+struct tipc_bearer tipc_bearers[MAX_BEARERS];
+static void bearer_disable(struct tipc_bearer *b_ptr);
 /**
 * media_name_valid - validate media name
@@ -158,7 +160,6 @@ int  tipc_register_media(u32 media_type,
        m_ptr->disable_bearer = disable;
        m_ptr->addr2str = addr2str;
        memcpy(&m_ptr->bcast_addr, bcast_addr, sizeof(*bcast_addr));
-        m_ptr->bcast = 1;
        strcpy(m_ptr->name, name);
        m_ptr->priority = bearer_priority;
        m_ptr->tolerance = link_tolerance;
@@ -278,13 +279,13 @@ static int bearer_name_validate(const char *name,
 * bearer_find - locates bearer object with matching bearer name
 */
-static struct bearer *bearer_find(const char *name)
+static struct tipc_bearer *bearer_find(const char *name)
 {
-        struct bearer *b_ptr;
+        struct tipc_bearer *b_ptr;
        u32 i;
        for (i = 0, b_ptr = tipc_bearers; i < MAX_BEARERS; i++, b_ptr++) {
-                if (b_ptr->active && (!strcmp(b_ptr->publ.name, name)))
+                if (b_ptr->active && (!strcmp(b_ptr->name, name)))
                        return b_ptr;
        }
        return NULL;
@@ -294,16 +295,16 @@ static struct bearer *bearer_find(const char *name)
 * tipc_bearer_find_interface - locates bearer object with matching interface name
 */
-struct bearer *tipc_bearer_find_interface(const char *if_name)
+struct tipc_bearer *tipc_bearer_find_interface(const char *if_name)
 {
-        struct bearer *b_ptr;
+        struct tipc_bearer *b_ptr;
        char *b_if_name;
        u32 i;
        for (i = 0, b_ptr = tipc_bearers; i < MAX_BEARERS; i++, b_ptr++) {
                if (!b_ptr->active)
                        continue;
-                b_if_name = strchr(b_ptr->publ.name, ':') + 1;
+                b_if_name = strchr(b_ptr->name, ':') + 1;
                if (!strcmp(b_if_name, if_name))
                        return b_ptr;
        }
@@ -318,7 +319,7 @@ struct sk_buff *tipc_bearer_get_names(void)
 {
        struct sk_buff *buf;
        struct media *m_ptr;
-        struct bearer *b_ptr;
+        struct tipc_bearer *b_ptr;
        int i, j;
        buf = tipc_cfg_reply_alloc(MAX_BEARERS * TLV_SPACE(TIPC_MAX_BEARER_NAME));
@@ -331,8 +332,8 @@ struct sk_buff *tipc_bearer_get_names(void)
                        b_ptr = &tipc_bearers[j];
                        if (b_ptr->active && (b_ptr->media == m_ptr)) {
                                tipc_cfg_append_tlv(buf, TIPC_TLV_BEARER_NAME,
-                                                    b_ptr->publ.name,
+                                                    b_ptr->name,
-                                                    strlen(b_ptr->publ.name) + 1);
+                                                    strlen(b_ptr->name) + 1);
                        }
                }
        }
@@ -340,18 +341,18 @@ struct sk_buff *tipc_bearer_get_names(void)
        return buf;
 }
-void tipc_bearer_add_dest(struct bearer *b_ptr, u32 dest)
+void tipc_bearer_add_dest(struct tipc_bearer *b_ptr, u32 dest)
 {
        tipc_nmap_add(&b_ptr->nodes, dest);
-        tipc_disc_update_link_req(b_ptr->link_req);
        tipc_bcbearer_sort();
+        tipc_disc_add_dest(b_ptr->link_req);
 }
-void tipc_bearer_remove_dest(struct bearer *b_ptr, u32 dest)
+void tipc_bearer_remove_dest(struct tipc_bearer *b_ptr, u32 dest)
 {
        tipc_nmap_remove(&b_ptr->nodes, dest);
-        tipc_disc_update_link_req(b_ptr->link_req);
        tipc_bcbearer_sort();
+        tipc_disc_remove_dest(b_ptr->link_req);
 }
 /*
@@ -362,12 +363,12 @@ void tipc_bearer_remove_dest(struct bearer *b_ptr, u32 dest)
 * bearer.lock must be taken before calling
 * Returns binary true(1) ore false(0)
 */
-static int bearer_push(struct bearer *b_ptr)
+static int bearer_push(struct tipc_bearer *b_ptr)
 {
        u32 res = 0;
        struct link *ln, *tln;
-        if (b_ptr->publ.blocked)
+        if (b_ptr->blocked)
                return 0;
        while (!list_empty(&b_ptr->cong_links) && (res != PUSH_FAILED)) {
@@ -382,13 +383,13 @@ static int bearer_push(struct bearer *b_ptr)
        return list_empty(&b_ptr->cong_links);
 }
-void tipc_bearer_lock_push(struct bearer *b_ptr)
+void tipc_bearer_lock_push(struct tipc_bearer *b_ptr)
 {
        int res;
-        spin_lock_bh(&b_ptr->publ.lock);
+        spin_lock_bh(&b_ptr->lock);
        res = bearer_push(b_ptr);
-        spin_unlock_bh(&b_ptr->publ.lock);
+        spin_unlock_bh(&b_ptr->lock);
        if (res)
                tipc_bcbearer_push();
 }
@@ -398,16 +399,14 @@ void tipc_bearer_lock_push(struct bearer *b_ptr)
 * Interrupt enabling new requests after bearer congestion or blocking:
 * See bearer_send().
 */
-void tipc_continue(struct tipc_bearer *tb_ptr)
+void tipc_continue(struct tipc_bearer *b_ptr)
 {
-        struct bearer *b_ptr = (struct bearer *)tb_ptr;
+        spin_lock_bh(&b_ptr->lock);
-        spin_lock_bh(&b_ptr->publ.lock);
        b_ptr->continue_count++;
        if (!list_empty(&b_ptr->cong_links))
                tipc_k_signal((Handler)tipc_bearer_lock_push, (unsigned long)b_ptr);
-        b_ptr->publ.blocked = 0;
+        b_ptr->blocked = 0;
-        spin_unlock_bh(&b_ptr->publ.lock);
+        spin_unlock_bh(&b_ptr->lock);
 }
 /*
@@ -418,7 +417,7 @@ void tipc_continue(struct tipc_bearer *tb_ptr)
 * bearer.lock is busy
 */
-static void tipc_bearer_schedule_unlocked(struct bearer *b_ptr, struct link *l_ptr)
+static void tipc_bearer_schedule_unlocked(struct tipc_bearer *b_ptr, struct link *l_ptr)
 {
        list_move_tail(&l_ptr->link_list, &b_ptr->cong_links);
 }
@@ -431,11 +430,11 @@ static void tipc_bearer_schedule_unlocked(struct bearer *b_ptr, struct link *l_p
 * bearer.lock is free
 */
-void tipc_bearer_schedule(struct bearer *b_ptr, struct link *l_ptr)
+void tipc_bearer_schedule(struct tipc_bearer *b_ptr, struct link *l_ptr)
 {
-        spin_lock_bh(&b_ptr->publ.lock);
+        spin_lock_bh(&b_ptr->lock);
        tipc_bearer_schedule_unlocked(b_ptr, l_ptr);
-        spin_unlock_bh(&b_ptr->publ.lock);
+        spin_unlock_bh(&b_ptr->lock);
 }
@@ -444,18 +443,18 @@ void tipc_bearer_schedule(struct bearer *b_ptr, struct link *l_ptr)
 * and if there is, try to resolve it before returning.
 * 'tipc_net_lock' is read_locked when this function is called
 */
-int tipc_bearer_resolve_congestion(struct bearer *b_ptr, struct link *l_ptr)
+int tipc_bearer_resolve_congestion(struct tipc_bearer *b_ptr, struct link *l_ptr)
 {
        int res = 1;
        if (list_empty(&b_ptr->cong_links))
                return 1;
-        spin_lock_bh(&b_ptr->publ.lock);
+        spin_lock_bh(&b_ptr->lock);
        if (!bearer_push(b_ptr)) {
                tipc_bearer_schedule_unlocked(b_ptr, l_ptr);
                res = 0;
        }
-        spin_unlock_bh(&b_ptr->publ.lock);
+        spin_unlock_bh(&b_ptr->lock);
        return res;
 }
@@ -463,9 +462,9 @@ int tipc_bearer_resolve_congestion(struct bearer *b_ptr, struct link *l_ptr)
 * tipc_bearer_congested - determines if bearer is currently congested
 */
-int tipc_bearer_congested(struct bearer *b_ptr, struct link *l_ptr)
+int tipc_bearer_congested(struct tipc_bearer *b_ptr, struct link *l_ptr)
 {
-        if (unlikely(b_ptr->publ.blocked))
+        if (unlikely(b_ptr->blocked))
                return 1;
        if (likely(list_empty(&b_ptr->cong_links)))
                return 0;
@@ -476,9 +475,9 @@ int tipc_bearer_congested(struct bearer *b_ptr, struct link *l_ptr)
 * tipc_enable_bearer - enable bearer with the given name
 */
-int tipc_enable_bearer(const char *name, u32 bcast_scope, u32 priority)
+int tipc_enable_bearer(const char *name, u32 disc_domain, u32 priority)
 {
-        struct bearer *b_ptr;
+        struct tipc_bearer *b_ptr;
        struct media *m_ptr;
        struct bearer_name b_name;
        char addr_string[16];
@@ -496,9 +495,16 @@ int tipc_enable_bearer(const char *name, u32 bcast_scope, u32 priority)
                warn("Bearer <%s> rejected, illegal name\n", name);
                return -EINVAL;
        }
-        if (!tipc_addr_domain_valid(bcast_scope) ||
+        if (tipc_addr_domain_valid(disc_domain) &&
-            !tipc_in_scope(bcast_scope, tipc_own_addr)) {
+            (disc_domain != tipc_own_addr)) {
-                warn("Bearer <%s> rejected, illegal broadcast scope\n", name);
+                if (tipc_in_scope(disc_domain, tipc_own_addr)) {
+                        disc_domain = tipc_own_addr & TIPC_CLUSTER_MASK;
+                        res = 0;   /* accept any node in own cluster */
+                } else if (in_own_cluster(disc_domain))
+                        res = 0;   /* accept specified node in own cluster */
+        }
+        if (res) {
+                warn("Bearer <%s> rejected, illegal discovery domain\n", name);
                return -EINVAL;
        }
        if ((priority < TIPC_MIN_LINK_PRI ||
@@ -514,7 +520,7 @@ int tipc_enable_bearer(const char *name, u32 bcast_scope, u32 priority)
        if (!m_ptr) {
                warn("Bearer <%s> rejected, media <%s> not registered\n", name,
                     b_name.media_name);
-                goto failed;
+                goto exit;
        }
        if (priority == TIPC_MEDIA_LINK_PRI)
@@ -528,16 +534,16 @@ restart:
                        bearer_id = i;
                        continue;
                }
-                if (!strcmp(name, tipc_bearers[i].publ.name)) {
+                if (!strcmp(name, tipc_bearers[i].name)) {
                        warn("Bearer <%s> rejected, already enabled\n", name);
-                        goto failed;
+                        goto exit;
                }
                if ((tipc_bearers[i].priority == priority) &&
                    (++with_this_prio > 2)) {
                        if (priority-- == 0) {
                                warn("Bearer <%s> rejected, duplicate priority\n",
                                     name);
-                                goto failed;
+                                goto exit;
                        }
                        warn("Bearer <%s> priority adjustment required %u->%u\n",
                             name, priority + 1, priority);
@@ -547,35 +553,36 @@ restart:
        if (bearer_id >= MAX_BEARERS) {
                warn("Bearer <%s> rejected, bearer limit reached (%u)\n",
                     name, MAX_BEARERS);
-                goto failed;
+                goto exit;
        }
        b_ptr = &tipc_bearers[bearer_id];
-        strcpy(b_ptr->publ.name, name);
+        strcpy(b_ptr->name, name);
-        res = m_ptr->enable_bearer(&b_ptr->publ);
+        res = m_ptr->enable_bearer(b_ptr);
        if (res) {
                warn("Bearer <%s> rejected, enable failure (%d)\n", name, -res);
-                goto failed;
+                goto exit;
        }
        b_ptr->identity = bearer_id;
        b_ptr->media = m_ptr;
        b_ptr->net_plane = bearer_id + 'A';
        b_ptr->active = 1;
-        b_ptr->detect_scope = bcast_scope;
        b_ptr->priority = priority;
        INIT_LIST_HEAD(&b_ptr->cong_links);
        INIT_LIST_HEAD(&b_ptr->links);
-        if (m_ptr->bcast) {
+        spin_lock_init(&b_ptr->lock);
-                b_ptr->link_req = tipc_disc_init_link_req(b_ptr, &m_ptr->bcast_addr,
-                                                          bcast_scope, 2);
+        res = tipc_disc_create(b_ptr, &m_ptr->bcast_addr, disc_domain);
+        if (res) {
+                bearer_disable(b_ptr);
+                warn("Bearer <%s> rejected, discovery object creation failed\n",
+                     name);
+                goto exit;
        }
-        spin_lock_init(&b_ptr->publ.lock);
-        write_unlock_bh(&tipc_net_lock);
        info("Enabled bearer <%s>, discovery domain %s, priority %u\n",
-             name, tipc_addr_string_fill(addr_string, bcast_scope), priority);
+             name, tipc_addr_string_fill(addr_string, disc_domain), priority);
-        return 0;
+exit:
-failed:
        write_unlock_bh(&tipc_net_lock);
        return res;
 }
@@ -587,7 +594,7 @@ failed:
 int tipc_block_bearer(const char *name)
 {
-        struct bearer *b_ptr = NULL;
+        struct tipc_bearer *b_ptr = NULL;
        struct link *l_ptr;
        struct link *temp_l_ptr;
@@ -600,8 +607,8 @@ int tipc_block_bearer(const char *name)
        }
        info("Blocking bearer <%s>\n", name);
-        spin_lock_bh(&b_ptr->publ.lock);
+        spin_lock_bh(&b_ptr->lock);
-        b_ptr->publ.blocked = 1;
+        b_ptr->blocked = 1;
        list_for_each_entry_safe(l_ptr, temp_l_ptr, &b_ptr->links, link_list) {
                struct tipc_node *n_ptr = l_ptr->owner;
@@ -609,7 +616,7 @@ int tipc_block_bearer(const char *name)
                tipc_link_reset(l_ptr);
                spin_unlock_bh(&n_ptr->lock);
        }
-        spin_unlock_bh(&b_ptr->publ.lock);
+        spin_unlock_bh(&b_ptr->lock);
        read_unlock_bh(&tipc_net_lock);
        return 0;
 }
@@ -620,27 +627,27 @@ int tipc_block_bearer(const char *name)
 * Note: This routine assumes caller holds tipc_net_lock.
 */
-static void bearer_disable(struct bearer *b_ptr)
+static void bearer_disable(struct tipc_bearer *b_ptr)
 {
        struct link *l_ptr;
        struct link *temp_l_ptr;
-        info("Disabling bearer <%s>\n", b_ptr->publ.name);
+        info("Disabling bearer <%s>\n", b_ptr->name);
-        tipc_disc_stop_link_req(b_ptr->link_req);
+        spin_lock_bh(&b_ptr->lock);
-        spin_lock_bh(&b_ptr->publ.lock);
+        b_ptr->blocked = 1;
-        b_ptr->link_req = NULL;
+        b_ptr->media->disable_bearer(b_ptr);
-        b_ptr->publ.blocked = 1;
-        b_ptr->media->disable_bearer(&b_ptr->publ);
        list_for_each_entry_safe(l_ptr, temp_l_ptr, &b_ptr->links, link_list) {
                tipc_link_delete(l_ptr);
        }
-        spin_unlock_bh(&b_ptr->publ.lock);
+        if (b_ptr->link_req)
-        memset(b_ptr, 0, sizeof(struct bearer));
+                tipc_disc_delete(b_ptr->link_req);
+        spin_unlock_bh(&b_ptr->lock);
+        memset(b_ptr, 0, sizeof(struct tipc_bearer));
 }
 int tipc_disable_bearer(const char *name)
 {
-        struct bearer *b_ptr;
+        struct tipc_bearer *b_ptr;
        int res;
        write_lock_bh(&tipc_net_lock);
diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
index 85f451d5aacf..31d6172b20fd 100644
--- a/net/tipc/bearer.h
+++ b/net/tipc/bearer.h
@@ -2,7 +2,7 @@
 * net/tipc/bearer.h: Include file for TIPC bearer code
 *
 * Copyright (c) 1996-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -61,26 +61,7 @@ struct tipc_media_addr {
        } dev_addr;
 };
-/**
+struct tipc_bearer;
- * struct tipc_bearer - TIPC bearer info available to media code
- * @usr_handle: pointer to additional media-specific information about bearer
- * @mtu: max packet size bearer can support
- * @blocked: non-zero if bearer is blocked
- * @lock: spinlock for controlling access to bearer
- * @addr: media-specific address associated with bearer
- * @name: bearer name (format = media:interface)
- *
- * Note: TIPC initializes "name" and "lock" fields; media code is responsible
- * for initialization all other fields when a bearer is enabled.
- */
-struct tipc_bearer {
-        void *usr_handle;
-        u32 mtu;
-        int blocked;
-        spinlock_t lock;
-        struct tipc_media_addr addr;
-        char name[TIPC_MAX_BEARER_NAME];
-};
 /**
 * struct media - TIPC media information available to internal users
@@ -89,7 +70,6 @@ struct tipc_bearer {
 * @disable_bearer: routine which disables a bearer
 * @addr2str: routine which converts bearer's address to string form
 * @bcast_addr: media address used in broadcasting
- * @bcast: non-zero if media supports broadcasting [currently mandatory]
 * @priority: default link (and bearer) priority
 * @tolerance: default time (in ms) before declaring link failure
 * @window: default window (in packets) before declaring link congestion
@@ -106,7 +86,6 @@ struct media {
        char *(*addr2str)(struct tipc_media_addr *a,
                          char *str_buf, int str_size);
        struct tipc_media_addr bcast_addr;
-        int bcast;
        u32 priority;
        u32 tolerance;
        u32 window;
@@ -115,11 +94,15 @@ struct media {
 };
 /**
- * struct bearer - TIPC bearer information available to internal users
+ * struct tipc_bearer - TIPC bearer structure
- * @publ: bearer information available to privileged users
+ * @usr_handle: pointer to additional media-specific information about bearer
+ * @mtu: max packet size bearer can support
+ * @blocked: non-zero if bearer is blocked
+ * @lock: spinlock for controlling access to bearer
+ * @addr: media-specific address associated with bearer
+ * @name: bearer name (format = media:interface)
 * @media: ptr to media structure associated with bearer
 * @priority: default link priority for bearer
- * @detect_scope: network address mask used during automatic link creation
 * @identity: array index of this bearer within TIPC bearer array
 * @link_req: ptr to (optional) structure making periodic link setup requests
 * @links: list of non-congested links associated with bearer
@@ -128,13 +111,20 @@ struct media {
 * @active: non-zero if bearer structure is represents a bearer
 * @net_plane: network plane ('A' through 'H') currently associated with bearer
 * @nodes: indicates which nodes in cluster can be reached through bearer
+ *
+ * Note: media-specific code is responsible for initialization of the fields
+ * indicated below when a bearer is enabled; TIPC's generic bearer code takes
+ * care of initializing all other fields.
 */
+struct tipc_bearer {
-struct bearer {
+        void *usr_handle;                       /* initalized by media */
-        struct tipc_bearer publ;
+        u32 mtu;                                /* initalized by media */
+        int blocked;                            /* initalized by media */
+        struct tipc_media_addr addr;            /* initalized by media */
+        char name[TIPC_MAX_BEARER_NAME];
+        spinlock_t lock;
        struct media *media;
        u32 priority;
-        u32 detect_scope;
        u32 identity;
        struct link_req *link_req;
        struct list_head links;
@@ -152,7 +142,7 @@ struct bearer_name {
 struct link;
-extern struct bearer tipc_bearers[];
+extern struct tipc_bearer tipc_bearers[];
 /*
 * TIPC routines available to supported media types
@@ -173,7 +163,7 @@ void tipc_recv_msg(struct sk_buff *buf, struct tipc_bearer *tb_ptr);
 int  tipc_block_bearer(const char *name);
 void tipc_continue(struct tipc_bearer *tb_ptr);
-int tipc_enable_bearer(const char *bearer_name, u32 bcast_scope, u32 priority);
+int tipc_enable_bearer(const char *bearer_name, u32 disc_domain, u32 priority);
 int tipc_disable_bearer(const char *name);
 /*
@@ -186,14 +176,14 @@ void tipc_media_addr_printf(struct print_buf *pb, struct tipc_media_addr *a);
 struct sk_buff *tipc_media_get_names(void);
 struct sk_buff *tipc_bearer_get_names(void);
-void tipc_bearer_add_dest(struct bearer *b_ptr, u32 dest);
+void tipc_bearer_add_dest(struct tipc_bearer *b_ptr, u32 dest);
-void tipc_bearer_remove_dest(struct bearer *b_ptr, u32 dest);
+void tipc_bearer_remove_dest(struct tipc_bearer *b_ptr, u32 dest);
-void tipc_bearer_schedule(struct bearer *b_ptr, struct link *l_ptr);
+void tipc_bearer_schedule(struct tipc_bearer *b_ptr, struct link *l_ptr);
-struct bearer *tipc_bearer_find_interface(const char *if_name);
+struct tipc_bearer *tipc_bearer_find_interface(const char *if_name);
-int tipc_bearer_resolve_congestion(struct bearer *b_ptr, struct link *l_ptr);
+int tipc_bearer_resolve_congestion(struct tipc_bearer *b_ptr, struct link *l_ptr);
-int tipc_bearer_congested(struct bearer *b_ptr, struct link *l_ptr);
+int tipc_bearer_congested(struct tipc_bearer *b_ptr, struct link *l_ptr);
 void tipc_bearer_stop(void);
-void tipc_bearer_lock_push(struct bearer *b_ptr);
+void tipc_bearer_lock_push(struct tipc_bearer *b_ptr);
 /**
@@ -214,10 +204,11 @@ void tipc_bearer_lock_push(struct bearer *b_ptr);
 * and let TIPC's link code deal with the undelivered message.
 */
-static inline int tipc_bearer_send(struct bearer *b_ptr, struct sk_buff *buf,
+static inline int tipc_bearer_send(struct tipc_bearer *b_ptr,
+                                   struct sk_buff *buf,
                                   struct tipc_media_addr *dest)
 {
-        return !b_ptr->media->send_msg(buf, &b_ptr->publ, dest);
+        return !b_ptr->media->send_msg(buf, b_ptr, dest);
 }
 #endif  /* _TIPC_BEARER_H */
diff --git a/net/tipc/config.c b/net/tipc/config.c
index e16750dcf3c1..b25a396b7e1e 100644
--- a/net/tipc/config.c
+++ b/net/tipc/config.c
@@ -2,7 +2,7 @@
 * net/tipc/config.c: TIPC configuration management code
 *
 * Copyright (c) 2002-2006, Ericsson AB
- * Copyright (c) 2004-2007, Wind River Systems
+ * Copyright (c) 2004-2007, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -148,7 +148,7 @@ static struct sk_buff *cfg_enable_bearer(void)
        args = (struct tipc_bearer_config *)TLV_DATA(req_tlv_area);
        if (tipc_enable_bearer(args->name,
-                               ntohl(args->detect_scope),
+                               ntohl(args->disc_domain),
                               ntohl(args->priority)))
                return tipc_cfg_reply_error_string("unable to enable bearer");
@@ -260,25 +260,6 @@ static struct sk_buff *cfg_set_max_ports(void)
        return tipc_cfg_reply_none();
 }
-static struct sk_buff *cfg_set_max_nodes(void)
-{
-        u32 value;
-        if (!TLV_CHECK(req_tlv_area, req_tlv_space, TIPC_TLV_UNSIGNED))
-                return tipc_cfg_reply_error_string(TIPC_CFG_TLV_ERROR);
-        value = ntohl(*(__be32 *)TLV_DATA(req_tlv_area));
-        if (value == tipc_max_nodes)
-                return tipc_cfg_reply_none();
-        if (value != delimit(value, 8, 2047))
-                return tipc_cfg_reply_error_string(TIPC_CFG_INVALID_VALUE
-                                                   " (max nodes must be 8-2047)");
-        if (tipc_mode == TIPC_NET_MODE)
-                return tipc_cfg_reply_error_string(TIPC_CFG_NOT_SUPPORTED
-                        " (cannot change max nodes once TIPC has joined a network)");
-        tipc_max_nodes = value;
-        return tipc_cfg_reply_none();
-}
 static struct sk_buff *cfg_set_netid(void)
 {
        u32 value;
@@ -397,9 +378,6 @@ struct sk_buff *tipc_cfg_do_cmd(u32 orig_node, u16 cmd, const void *request_area
        case TIPC_CMD_SET_MAX_SUBSCR:
                rep_tlv_buf = cfg_set_max_subscriptions();
                break;
-        case TIPC_CMD_SET_MAX_NODES:
-                rep_tlv_buf = cfg_set_max_nodes();
-                break;
        case TIPC_CMD_SET_NETID:
                rep_tlv_buf = cfg_set_netid();
                break;
@@ -415,9 +393,6 @@ struct sk_buff *tipc_cfg_do_cmd(u32 orig_node, u16 cmd, const void *request_area
        case TIPC_CMD_GET_MAX_SUBSCR:
                rep_tlv_buf = tipc_cfg_reply_unsigned(tipc_max_subscriptions);
                break;
-        case TIPC_CMD_GET_MAX_NODES:
-                rep_tlv_buf = tipc_cfg_reply_unsigned(tipc_max_nodes);
-                break;
        case TIPC_CMD_GET_NETID:
                rep_tlv_buf = tipc_cfg_reply_unsigned(tipc_net_id);
                break;
@@ -431,6 +406,8 @@ struct sk_buff *tipc_cfg_do_cmd(u32 orig_node, u16 cmd, const void *request_area
        case TIPC_CMD_GET_MAX_SLAVES:
        case TIPC_CMD_SET_MAX_CLUSTERS:
        case TIPC_CMD_GET_MAX_CLUSTERS:
+        case TIPC_CMD_SET_MAX_NODES:
+        case TIPC_CMD_GET_MAX_NODES:
                rep_tlv_buf = tipc_cfg_reply_error_string(TIPC_CFG_NOT_SUPPORTED
                                                          " (obsolete command)");
                break;
diff --git a/net/tipc/core.c b/net/tipc/core.c
index e071579e0850..943b6af84265 100644
--- a/net/tipc/core.c
+++ b/net/tipc/core.c
@@ -2,7 +2,7 @@
 * net/tipc/core.c: TIPC module code
 *
 * Copyright (c) 2003-2006, Ericsson AB
- * Copyright (c) 2005-2006, Wind River Systems
+ * Copyright (c) 2005-2006, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -41,10 +41,6 @@
 #include "config.h"
-#ifndef CONFIG_TIPC_NODES
-#define CONFIG_TIPC_NODES 255
-#endif
 #ifndef CONFIG_TIPC_PORTS
 #define CONFIG_TIPC_PORTS 8191
 #endif
@@ -57,7 +53,6 @@
 int tipc_mode = TIPC_NOT_RUNNING;
 int tipc_random;
-atomic_t tipc_user_count = ATOMIC_INIT(0);
 const char tipc_alphabet[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.";
@@ -65,7 +60,6 @@ const char tipc_alphabet[] =
 /* configurable TIPC parameters */
 u32 tipc_own_addr;
-int tipc_max_nodes;
 int tipc_max_ports;
 int tipc_max_subscriptions;
 int tipc_max_publications;
@@ -185,15 +179,13 @@ static int __init tipc_init(void)
        if (tipc_log_resize(CONFIG_TIPC_LOG) != 0)
                warn("Unable to create log buffer\n");
-        info("Activated (version " TIPC_MOD_VER
+        info("Activated (version " TIPC_MOD_VER ")\n");
-             " compiled " __DATE__ " " __TIME__ ")\n");
        tipc_own_addr = 0;
        tipc_remote_management = 1;
        tipc_max_publications = 10000;
        tipc_max_subscriptions = 2000;
        tipc_max_ports = CONFIG_TIPC_PORTS;
-        tipc_max_nodes = CONFIG_TIPC_NODES;
        tipc_net_id = 4711;
        res = tipc_core_start();
diff --git a/net/tipc/core.h b/net/tipc/core.h
index 997158546e25..436dda1159d2 100644
--- a/net/tipc/core.h
+++ b/net/tipc/core.h
@@ -2,7 +2,7 @@
 * net/tipc/core.h: Include file for TIPC global declarations
 *
 * Copyright (c) 2005-2006, Ericsson AB
- * Copyright (c) 2005-2007, Wind River Systems
+ * Copyright (c) 2005-2007, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -147,7 +147,6 @@ void tipc_msg_dbg(struct print_buf *, struct tipc_msg *, const char *);
 */
 extern u32 tipc_own_addr;
-extern int tipc_max_nodes;
 extern int tipc_max_ports;
 extern int tipc_max_subscriptions;
 extern int tipc_max_publications;
@@ -161,7 +160,6 @@ extern int tipc_remote_management;
 extern int tipc_mode;
 extern int tipc_random;
 extern const char tipc_alphabet[];
-extern atomic_t tipc_user_count;
 /*
diff --git a/net/tipc/discover.c b/net/tipc/discover.c
index fa026bd91a68..0987933155b9 100644
--- a/net/tipc/discover.c
+++ b/net/tipc/discover.c
@@ -2,7 +2,7 @@
 * net/tipc/discover.c
 *
 * Copyright (c) 2003-2006, Ericsson AB
- * Copyright (c) 2005-2006, Wind River Systems
+ * Copyright (c) 2005-2006, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -39,26 +39,26 @@
 #include "discover.h"
 #define TIPC_LINK_REQ_INIT      125     /* min delay during bearer start up */
-#define TIPC_LINK_REQ_FAST      2000    /* normal delay if bearer has no links */
+#define TIPC_LINK_REQ_FAST      1000    /* max delay if bearer has no links */
-#define TIPC_LINK_REQ_SLOW      600000  /* normal delay if bearer has links */
+#define TIPC_LINK_REQ_SLOW      60000   /* max delay if bearer has links */
+#define TIPC_LINK_REQ_INACTIVE  0xffffffff /* indicates no timer in use */
-/*
- * TODO: Most of the inter-cluster setup stuff should be
- * rewritten, and be made conformant with specification.
- */
 /**
 * struct link_req - information about an ongoing link setup request
 * @bearer: bearer issuing requests
 * @dest: destination address for request messages
+ * @domain: network domain to which links can be established
+ * @num_nodes: number of nodes currently discovered (i.e. with an active link)
 * @buf: request message to be (repeatedly) sent
 * @timer: timer governing period between requests
 * @timer_intv: current interval between requests (in ms)
 */
 struct link_req {
-        struct bearer *bearer;
+        struct tipc_bearer *bearer;
        struct tipc_media_addr dest;
+        u32 domain;
+        int num_nodes;
        struct sk_buff *buf;
        struct timer_list timer;
        unsigned int timer_intv;
@@ -67,27 +67,24 @@ struct link_req {
 /**
 * tipc_disc_init_msg - initialize a link setup message
 * @type: message type (request or response)
- * @req_links: number of links associated with message
 * @dest_domain: network domain of node(s) which should respond to message
 * @b_ptr: ptr to bearer issuing message
 */
 static struct sk_buff *tipc_disc_init_msg(u32 type,
-                                          u32 req_links,
                                          u32 dest_domain,
-                                          struct bearer *b_ptr)
+                                          struct tipc_bearer *b_ptr)
 {
-        struct sk_buff *buf = tipc_buf_acquire(DSC_H_SIZE);
+        struct sk_buff *buf = tipc_buf_acquire(INT_H_SIZE);
        struct tipc_msg *msg;
        if (buf) {
                msg = buf_msg(buf);
-                tipc_msg_init(msg, LINK_CONFIG, type, DSC_H_SIZE, dest_domain);
+                tipc_msg_init(msg, LINK_CONFIG, type, INT_H_SIZE, dest_domain);
                msg_set_non_seq(msg, 1);
-                msg_set_req_links(msg, req_links);
                msg_set_dest_domain(msg, dest_domain);
                msg_set_bc_netid(msg, tipc_net_id);
-                msg_set_media_addr(msg, &b_ptr->publ.addr);
+                msg_set_media_addr(msg, &b_ptr->addr);
        }
        return buf;
 }
@@ -99,7 +96,7 @@ static struct sk_buff *tipc_disc_init_msg(u32 type,
 * @media_addr: media address advertised by duplicated node
 */
-static void disc_dupl_alert(struct bearer *b_ptr, u32 node_addr,
+static void disc_dupl_alert(struct tipc_bearer *b_ptr, u32 node_addr,
                            struct tipc_media_addr *media_addr)
 {
        char node_addr_str[16];
@@ -111,7 +108,7 @@ static void disc_dupl_alert(struct bearer *b_ptr, u32 node_addr,
        tipc_media_addr_printf(&pb, media_addr);
        tipc_printbuf_validate(&pb);
        warn("Duplicate %s using %s seen on <%s>\n",
-             node_addr_str, media_addr_str, b_ptr->publ.name);
+             node_addr_str, media_addr_str, b_ptr->name);
 }
 /**
@@ -120,19 +117,23 @@ static void disc_dupl_alert(struct bearer *b_ptr, u32 node_addr,
 * @b_ptr: bearer that message arrived on
 */
-void tipc_disc_recv_msg(struct sk_buff *buf, struct bearer *b_ptr)
+void tipc_disc_recv_msg(struct sk_buff *buf, struct tipc_bearer *b_ptr)
 {
+        struct tipc_node *n_ptr;
        struct link *link;
-        struct tipc_media_addr media_addr;
+        struct tipc_media_addr media_addr, *addr;
+        struct sk_buff *rbuf;
        struct tipc_msg *msg = buf_msg(buf);
        u32 dest = msg_dest_domain(msg);
        u32 orig = msg_prevnode(msg);
        u32 net_id = msg_bc_netid(msg);
        u32 type = msg_type(msg);
+        int link_fully_up;
        msg_get_media_addr(msg, &media_addr);
        buf_discard(buf);
+        /* Validate discovery message from requesting node */
        if (net_id != tipc_net_id)
                return;
        if (!tipc_addr_domain_valid(dest))
@@ -140,104 +141,127 @@ void tipc_disc_recv_msg(struct sk_buff *buf, struct bearer *b_ptr)
        if (!tipc_addr_node_valid(orig))
                return;
        if (orig == tipc_own_addr) {
-                if (memcmp(&media_addr, &b_ptr->publ.addr, sizeof(media_addr)))
+                if (memcmp(&media_addr, &b_ptr->addr, sizeof(media_addr)))
                        disc_dupl_alert(b_ptr, tipc_own_addr, &media_addr);
                return;
        }
        if (!tipc_in_scope(dest, tipc_own_addr))
                return;
-        if (in_own_cluster(orig)) {
+        if (!tipc_in_scope(b_ptr->link_req->domain, orig))
-                /* Always accept link here */
+                return;
-                struct sk_buff *rbuf;
-                struct tipc_media_addr *addr;
-                struct tipc_node *n_ptr = tipc_node_find(orig);
-                int link_fully_up;
-                if (n_ptr == NULL) {
-                        n_ptr = tipc_node_create(orig);
-                        if (!n_ptr)
-                                return;
-                }
-                spin_lock_bh(&n_ptr->lock);
-                /* Don't talk to neighbor during cleanup after last session */
-                if (n_ptr->cleanup_required) {
+        /* Locate structure corresponding to requesting node */
-                        spin_unlock_bh(&n_ptr->lock);
+        n_ptr = tipc_node_find(orig);
+        if (!n_ptr) {
+                n_ptr = tipc_node_create(orig);
+                if (!n_ptr)
                        return;
-                }
+        }
+        tipc_node_lock(n_ptr);
+        /* Don't talk to neighbor during cleanup after last session */
+        if (n_ptr->cleanup_required) {
+                tipc_node_unlock(n_ptr);
+                return;
+        }
+        link = n_ptr->links[b_ptr->identity];
-                link = n_ptr->links[b_ptr->identity];
+        /* Create a link endpoint for this bearer, if necessary */
+        if (!link) {
+                link = tipc_link_create(n_ptr, b_ptr, &media_addr);
                if (!link) {
-                        link = tipc_link_create(b_ptr, orig, &media_addr);
+                        tipc_node_unlock(n_ptr);
-                        if (!link) {
+                        return;
-                                spin_unlock_bh(&n_ptr->lock);
-                                return;
-                        }
-                }
-                addr = &link->media_addr;
-                if (memcmp(addr, &media_addr, sizeof(*addr))) {
-                        if (tipc_link_is_up(link) || (!link->started)) {
-                                disc_dupl_alert(b_ptr, orig, &media_addr);
-                                spin_unlock_bh(&n_ptr->lock);
-                                return;
-                        }
-                        warn("Resetting link <%s>, peer interface address changed\n",
-                             link->name);
-                        memcpy(addr, &media_addr, sizeof(*addr));
-                        tipc_link_reset(link);
                }
-                link_fully_up = link_working_working(link);
+        }
-                spin_unlock_bh(&n_ptr->lock);
-                if ((type == DSC_RESP_MSG) || link_fully_up)
+        /*
+         * Ensure requesting node's media address is correct
+         *
+         * If media address doesn't match and the link is working, reject the
+         * request (must be from a duplicate node).
+         *
+         * If media address doesn't match and the link is not working, accept
+         * the new media address and reset the link to ensure it starts up
+         * cleanly.
+         */
+        addr = &link->media_addr;
+        if (memcmp(addr, &media_addr, sizeof(*addr))) {
+                if (tipc_link_is_up(link) || (!link->started)) {
+                        disc_dupl_alert(b_ptr, orig, &media_addr);
+                        tipc_node_unlock(n_ptr);
                        return;
-                rbuf = tipc_disc_init_msg(DSC_RESP_MSG, 1, orig, b_ptr);
+                }
-                if (rbuf != NULL) {
+                warn("Resetting link <%s>, peer interface address changed\n",
-                        b_ptr->media->send_msg(rbuf, &b_ptr->publ, &media_addr);
+                     link->name);
+                memcpy(addr, &media_addr, sizeof(*addr));
+                tipc_link_reset(link);
+        }
+        /* Accept discovery message & send response, if necessary */
+        link_fully_up = link_working_working(link);
+        if ((type == DSC_REQ_MSG) && !link_fully_up && !b_ptr->blocked) {
+                rbuf = tipc_disc_init_msg(DSC_RESP_MSG, orig, b_ptr);
+                if (rbuf) {
+                        b_ptr->media->send_msg(rbuf, b_ptr, &media_addr);
                        buf_discard(rbuf);
                }
        }
+        tipc_node_unlock(n_ptr);
 }
 /**
- * tipc_disc_stop_link_req - stop sending periodic link setup requests
+ * disc_update - update frequency of periodic link setup requests
 * @req: ptr to link request structure
+ *
+ * Reinitiates discovery process if discovery object has no associated nodes
+ * and is either not currently searching or is searching at a slow rate
 */
-void tipc_disc_stop_link_req(struct link_req *req)
+static void disc_update(struct link_req *req)
 {
-        if (!req)
+        if (!req->num_nodes) {
-                return;
+                if ((req->timer_intv == TIPC_LINK_REQ_INACTIVE) ||
+                    (req->timer_intv > TIPC_LINK_REQ_FAST)) {
+                        req->timer_intv = TIPC_LINK_REQ_INIT;
+                        k_start_timer(&req->timer, req->timer_intv);
+                }
+        }
+}
-        k_cancel_timer(&req->timer);
+/**
-        k_term_timer(&req->timer);
+ * tipc_disc_add_dest - increment set of discovered nodes
-        buf_discard(req->buf);
+ * @req: ptr to link request structure
-        kfree(req);
+ */
+void tipc_disc_add_dest(struct link_req *req)
+{
+        req->num_nodes++;
 }
 /**
- * tipc_disc_update_link_req - update frequency of periodic link setup requests
+ * tipc_disc_remove_dest - decrement set of discovered nodes
 * @req: ptr to link request structure
 */
-void tipc_disc_update_link_req(struct link_req *req)
+void tipc_disc_remove_dest(struct link_req *req)
 {
-        if (!req)
+        req->num_nodes--;
-                return;
+        disc_update(req);
+}
-        if (req->timer_intv == TIPC_LINK_REQ_SLOW) {
+/**
-                if (!req->bearer->nodes.count) {
+ * disc_send_msg - send link setup request message
-                        req->timer_intv = TIPC_LINK_REQ_FAST;
+ * @req: ptr to link request structure
-                        k_start_timer(&req->timer, req->timer_intv);
+ */
-                }
-        } else if (req->timer_intv == TIPC_LINK_REQ_FAST) {
+static void disc_send_msg(struct link_req *req)
-                if (req->bearer->nodes.count) {
+{
-                        req->timer_intv = TIPC_LINK_REQ_SLOW;
+        if (!req->bearer->blocked)
-                        k_start_timer(&req->timer, req->timer_intv);
+                tipc_bearer_send(req->bearer, req->buf, &req->dest);
-                }
-        } else {
-                /* leave timer "as is" if haven't yet reached a "normal" rate */
-        }
 }
 /**
@@ -249,58 +273,86 @@ void tipc_disc_update_link_req(struct link_req *req)
 static void disc_timeout(struct link_req *req)
 {
-        spin_lock_bh(&req->bearer->publ.lock);
+        int max_delay;
-        req->bearer->media->send_msg(req->buf, &req->bearer->publ, &req->dest);
+        spin_lock_bh(&req->bearer->lock);
-        if ((req->timer_intv == TIPC_LINK_REQ_SLOW) ||
+        /* Stop searching if only desired node has been found */
-            (req->timer_intv == TIPC_LINK_REQ_FAST)) {
-                /* leave timer interval "as is" if already at a "normal" rate */
+        if (tipc_node(req->domain) && req->num_nodes) {
-        } else {
+                req->timer_intv = TIPC_LINK_REQ_INACTIVE;
-                req->timer_intv *= 2;
+                goto exit;
-                if (req->timer_intv > TIPC_LINK_REQ_FAST)
-                        req->timer_intv = TIPC_LINK_REQ_FAST;
-                if ((req->timer_intv == TIPC_LINK_REQ_FAST) &&
-                    (req->bearer->nodes.count))
-                        req->timer_intv = TIPC_LINK_REQ_SLOW;
        }
-        k_start_timer(&req->timer, req->timer_intv);
-        spin_unlock_bh(&req->bearer->publ.lock);
+        /*
+         * Send discovery message, then update discovery timer
+         *
+         * Keep doubling time between requests until limit is reached;
+         * hold at fast polling rate if don't have any associated nodes,
+         * otherwise hold at slow polling rate
+         */
+        disc_send_msg(req);
+        req->timer_intv *= 2;
+        if (req->num_nodes)
+                max_delay = TIPC_LINK_REQ_SLOW;
+        else
+                max_delay = TIPC_LINK_REQ_FAST;
+        if (req->timer_intv > max_delay)
+                req->timer_intv = max_delay;
+        k_start_timer(&req->timer, req->timer_intv);
+exit:
+        spin_unlock_bh(&req->bearer->lock);
 }
 /**
- * tipc_disc_init_link_req - start sending periodic link setup requests
+ * tipc_disc_create - create object to send periodic link setup requests
 * @b_ptr: ptr to bearer issuing requests
 * @dest: destination address for request messages
- * @dest_domain: network domain of node(s) which should respond to message
+ * @dest_domain: network domain to which links can be established
- * @req_links: max number of desired links
 *
- * Returns pointer to link request structure, or NULL if unable to create.
+ * Returns 0 if successful, otherwise -errno.
 */
-struct link_req *tipc_disc_init_link_req(struct bearer *b_ptr,
+int tipc_disc_create(struct tipc_bearer *b_ptr,
-                                         const struct tipc_media_addr *dest,
+                     struct tipc_media_addr *dest, u32 dest_domain)
-                                         u32 dest_domain,
-                                         u32 req_links)
 {
        struct link_req *req;
        req = kmalloc(sizeof(*req), GFP_ATOMIC);
        if (!req)
-                return NULL;
+                return -ENOMEM;
-        req->buf = tipc_disc_init_msg(DSC_REQ_MSG, req_links, dest_domain, b_ptr);
+        req->buf = tipc_disc_init_msg(DSC_REQ_MSG, dest_domain, b_ptr);
        if (!req->buf) {
                kfree(req);
-                return NULL;
+                return -ENOMSG;
        }
        memcpy(&req->dest, dest, sizeof(*dest));
        req->bearer = b_ptr;
+        req->domain = dest_domain;
+        req->num_nodes = 0;
        req->timer_intv = TIPC_LINK_REQ_INIT;
        k_init_timer(&req->timer, (Handler)disc_timeout, (unsigned long)req);
        k_start_timer(&req->timer, req->timer_intv);
-        return req;
+        b_ptr->link_req = req;
+        disc_send_msg(req);
+        return 0;
+}
+/**
+ * tipc_disc_delete - destroy object sending periodic link setup requests
+ * @req: ptr to link request structure
+ */
+void tipc_disc_delete(struct link_req *req)
+{
+        k_cancel_timer(&req->timer);
+        k_term_timer(&req->timer);
+        buf_discard(req->buf);
+        kfree(req);
 }
diff --git a/net/tipc/discover.h b/net/tipc/discover.h
index d2c3cffb79fc..a3af595b86cb 100644
--- a/net/tipc/discover.h
+++ b/net/tipc/discover.h
@@ -2,7 +2,7 @@
 * net/tipc/discover.h
 *
 * Copyright (c) 2003-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -39,13 +39,11 @@
 struct link_req;
-struct link_req *tipc_disc_init_link_req(struct bearer *b_ptr,
+int tipc_disc_create(struct tipc_bearer *b_ptr, struct tipc_media_addr *dest,
-                                         const struct tipc_media_addr *dest,
+                     u32 dest_domain);
-                                         u32 dest_domain,
+void tipc_disc_delete(struct link_req *req);
-                                         u32 req_links);
+void tipc_disc_add_dest(struct link_req *req);
-void tipc_disc_update_link_req(struct link_req *req);
+void tipc_disc_remove_dest(struct link_req *req);
-void tipc_disc_stop_link_req(struct link_req *req);
+void tipc_disc_recv_msg(struct sk_buff *buf, struct tipc_bearer *b_ptr);
-void tipc_disc_recv_msg(struct sk_buff *buf, struct bearer *b_ptr);
 #endif
diff --git a/net/tipc/link.c b/net/tipc/link.c
index 18702f58d111..5ed4b4f7452d 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2,7 +2,7 @@
 * net/tipc/link.c: TIPC link code
 *
 * Copyright (c) 1996-2007, Ericsson AB
- * Copyright (c) 2004-2007, Wind River Systems
+ * Copyright (c) 2004-2007, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -90,9 +90,10 @@ static void link_handle_out_of_seq_msg(struct link *l_ptr,
 static void link_recv_proto_msg(struct link *l_ptr, struct sk_buff *buf);
 static int  link_recv_changeover_msg(struct link **l_ptr, struct sk_buff **buf);
 static void link_set_supervision_props(struct link *l_ptr, u32 tolerance);
-static int  link_send_sections_long(struct port *sender,
+static int  link_send_sections_long(struct tipc_port *sender,
                                    struct iovec const *msg_sect,
-                                    u32 num_sect, u32 destnode);
+                                    u32 num_sect, unsigned int total_len,
+                                    u32 destnode);
 static void link_check_defragm_bufs(struct link *l_ptr);
 static void link_state_event(struct link *l_ptr, u32 event);
 static void link_reset_statistics(struct link *l_ptr);
@@ -113,7 +114,7 @@ static void link_init_max_pkt(struct link *l_ptr)
 {
        u32 max_pkt;
-        max_pkt = (l_ptr->b_ptr->publ.mtu & ~3);
+        max_pkt = (l_ptr->b_ptr->mtu & ~3);
        if (max_pkt > MAX_MSG_SIZE)
                max_pkt = MAX_MSG_SIZE;
@@ -246,9 +247,6 @@ static void link_timeout(struct link *l_ptr)
        l_ptr->stats.accu_queue_sz += l_ptr->out_queue_size;
        l_ptr->stats.queue_sz_counts++;
-        if (l_ptr->out_queue_size > l_ptr->stats.max_queue_sz)
-                l_ptr->stats.max_queue_sz = l_ptr->out_queue_size;
        if (l_ptr->first_out) {
                struct tipc_msg *msg = buf_msg(l_ptr->first_out);
                u32 length = msg_size(msg);
@@ -296,19 +294,35 @@ static void link_set_timer(struct link *l_ptr, u32 time)
 /**
 * tipc_link_create - create a new link
+ * @n_ptr: pointer to associated node
 * @b_ptr: pointer to associated bearer
- * @peer: network address of node at other end of link
 * @media_addr: media address to use when sending messages over link
 *
 * Returns pointer to link.
 */
-struct link *tipc_link_create(struct bearer *b_ptr, const u32 peer,
+struct link *tipc_link_create(struct tipc_node *n_ptr,
+                              struct tipc_bearer *b_ptr,
                              const struct tipc_media_addr *media_addr)
 {
        struct link *l_ptr;
        struct tipc_msg *msg;
        char *if_name;
+        char addr_string[16];
+        u32 peer = n_ptr->addr;
+        if (n_ptr->link_cnt >= 2) {
+                tipc_addr_string_fill(addr_string, n_ptr->addr);
+                err("Attempt to establish third link to %s\n", addr_string);
+                return NULL;
+        }
+        if (n_ptr->links[b_ptr->identity]) {
+                tipc_addr_string_fill(addr_string, n_ptr->addr);
+                err("Attempt to establish second link on <%s> to %s\n",
+                    b_ptr->name, addr_string);
+                return NULL;
+        }
        l_ptr = kzalloc(sizeof(*l_ptr), GFP_ATOMIC);
        if (!l_ptr) {
@@ -317,7 +331,7 @@ struct link *tipc_link_create(struct bearer *b_ptr, const u32 peer,
        }
        l_ptr->addr = peer;
-        if_name = strchr(b_ptr->publ.name, ':') + 1;
+        if_name = strchr(b_ptr->name, ':') + 1;
        sprintf(l_ptr->name, "%u.%u.%u:%s-%u.%u.%u:",
                tipc_zone(tipc_own_addr), tipc_cluster(tipc_own_addr),
                tipc_node(tipc_own_addr),
@@ -325,6 +339,7 @@ struct link *tipc_link_create(struct bearer *b_ptr, const u32 peer,
                tipc_zone(peer), tipc_cluster(peer), tipc_node(peer));
                /* note: peer i/f is appended to link name by reset/activate */
        memcpy(&l_ptr->media_addr, media_addr, sizeof(*media_addr));
+        l_ptr->owner = n_ptr;
        l_ptr->checkpoint = 1;
        l_ptr->b_ptr = b_ptr;
        link_set_supervision_props(l_ptr, b_ptr->media->tolerance);
@@ -348,11 +363,7 @@ struct link *tipc_link_create(struct bearer *b_ptr, const u32 peer,
        link_reset_statistics(l_ptr);
-        l_ptr->owner = tipc_node_attach_link(l_ptr);
+        tipc_node_attach_link(n_ptr, l_ptr);
-        if (!l_ptr->owner) {
-                kfree(l_ptr);
-                return NULL;
-        }
        k_init_timer(&l_ptr->timer, (Handler)link_timeout, (unsigned long)l_ptr);
        list_add_tail(&l_ptr->link_list, &b_ptr->links);
@@ -391,7 +402,9 @@ void tipc_link_delete(struct link *l_ptr)
 static void link_start(struct link *l_ptr)
 {
+        tipc_node_lock(l_ptr->owner);
        link_state_event(l_ptr, STARTING_EVT);
+        tipc_node_unlock(l_ptr->owner);
 }
 /**
@@ -406,7 +419,7 @@ static void link_start(struct link *l_ptr)
 static int link_schedule_port(struct link *l_ptr, u32 origport, u32 sz)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        spin_lock_bh(&tipc_port_list_lock);
        p_ptr = tipc_port_lock(origport);
@@ -415,7 +428,7 @@ static int link_schedule_port(struct link *l_ptr, u32 origport, u32 sz)
                        goto exit;
                if (!list_empty(&p_ptr->wait_list))
                        goto exit;
-                p_ptr->publ.congested = 1;
+                p_ptr->congested = 1;
                p_ptr->waiting_pkts = 1 + ((sz - 1) / l_ptr->max_pkt);
                list_add_tail(&p_ptr->wait_list, &l_ptr->waiting_ports);
                l_ptr->stats.link_congs++;
@@ -428,8 +441,8 @@ exit:
 void tipc_link_wakeup_ports(struct link *l_ptr, int all)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
-        struct port *temp_p_ptr;
+        struct tipc_port *temp_p_ptr;
        int win = l_ptr->queue_limit[0] - l_ptr->out_queue_size;
        if (all)
@@ -445,11 +458,11 @@ void tipc_link_wakeup_ports(struct link *l_ptr, int all)
                if (win <= 0)
                        break;
                list_del_init(&p_ptr->wait_list);
-                spin_lock_bh(p_ptr->publ.lock);
+                spin_lock_bh(p_ptr->lock);
-                p_ptr->publ.congested = 0;
+                p_ptr->congested = 0;
-                p_ptr->wakeup(&p_ptr->publ);
+                p_ptr->wakeup(p_ptr);
                win -= p_ptr->waiting_pkts;
-                spin_unlock_bh(p_ptr->publ.lock);
+                spin_unlock_bh(p_ptr->lock);
        }
 exit:
@@ -549,7 +562,7 @@ void tipc_link_reset(struct link *l_ptr)
        tipc_node_link_down(l_ptr->owner, l_ptr);
        tipc_bearer_remove_dest(l_ptr->b_ptr, l_ptr->addr);
-        if (was_active_link && tipc_node_has_active_links(l_ptr->owner) &&
+        if (was_active_link && tipc_node_active_links(l_ptr->owner) &&
            l_ptr->owner->permit_changeover) {
                l_ptr->reset_checkpoint = checkpoint;
                l_ptr->exp_msg_count = START_CHANGEOVER;
@@ -824,7 +837,29 @@ static void link_add_to_outqueue(struct link *l_ptr,
                l_ptr->last_out = buf;
        } else
                l_ptr->first_out = l_ptr->last_out = buf;
        l_ptr->out_queue_size++;
+        if (l_ptr->out_queue_size > l_ptr->stats.max_queue_sz)
+                l_ptr->stats.max_queue_sz = l_ptr->out_queue_size;
+}
+static void link_add_chain_to_outqueue(struct link *l_ptr,
+                                       struct sk_buff *buf_chain,
+                                       u32 long_msgno)
+{
+        struct sk_buff *buf;
+        struct tipc_msg *msg;
+        if (!l_ptr->next_out)
+                l_ptr->next_out = buf_chain;
+        while (buf_chain) {
+                buf = buf_chain;
+                buf_chain = buf_chain->next;
+                msg = buf_msg(buf);
+                msg_set_long_msgno(msg, long_msgno);
+                link_add_to_outqueue(l_ptr, buf, msg);
+        }
 }
 /*
@@ -849,8 +884,9 @@ int tipc_link_send_buf(struct link *l_ptr, struct sk_buff *buf)
        if (unlikely(queue_size >= queue_limit)) {
                if (imp <= TIPC_CRITICAL_IMPORTANCE) {
-                        return link_schedule_port(l_ptr, msg_origport(msg),
+                        link_schedule_port(l_ptr, msg_origport(msg), size);
-                                                  size);
+                        buf_discard(buf);
+                        return -ELINKCONG;
                }
                buf_discard(buf);
                if (imp > CONN_MANAGER) {
@@ -867,9 +903,6 @@ int tipc_link_send_buf(struct link *l_ptr, struct sk_buff *buf)
        /* Packet can be queued or sent: */
-        if (queue_size > l_ptr->stats.max_queue_sz)
-                l_ptr->stats.max_queue_sz = queue_size;
        if (likely(!tipc_bearer_congested(l_ptr->b_ptr, l_ptr) &&
                   !link_congested(l_ptr))) {
                link_add_to_outqueue(l_ptr, buf, msg);
@@ -1027,12 +1060,13 @@ int tipc_send_buf_fast(struct sk_buff *buf, u32 destnode)
 * except for total message length.
 * Returns user data length or errno.
 */
-int tipc_link_send_sections_fast(struct port *sender,
+int tipc_link_send_sections_fast(struct tipc_port *sender,
                                 struct iovec const *msg_sect,
                                 const u32 num_sect,
+                                 unsigned int total_len,
                                 u32 destaddr)
 {
-        struct tipc_msg *hdr = &sender->publ.phdr;
+        struct tipc_msg *hdr = &sender->phdr;
        struct link *l_ptr;
        struct sk_buff *buf;
        struct tipc_node *node;
@@ -1045,8 +1079,8 @@ again:
         * (Must not hold any locks while building message.)
         */
-        res = tipc_msg_build(hdr, msg_sect, num_sect, sender->publ.max_pkt,
+        res = tipc_msg_build(hdr, msg_sect, num_sect, total_len,
-                        !sender->user_port, &buf);
+                             sender->max_pkt, !sender->user_port, &buf);
        read_lock_bh(&tipc_net_lock);
        node = tipc_node_find(destaddr);
@@ -1056,9 +1090,7 @@ again:
                if (likely(l_ptr)) {
                        if (likely(buf)) {
                                res = link_send_buf_fast(l_ptr, buf,
-                                                         &sender->publ.max_pkt);
+                                                         &sender->max_pkt);
-                                if (unlikely(res < 0))
-                                        buf_discard(buf);
 exit:
                                tipc_node_unlock(node);
                                read_unlock_bh(&tipc_net_lock);
@@ -1075,7 +1107,7 @@ exit:
                        if (link_congested(l_ptr) ||
                            !list_empty(&l_ptr->b_ptr->cong_links)) {
                                res = link_schedule_port(l_ptr,
-                                                         sender->publ.ref, res);
+                                                         sender->ref, res);
                                goto exit;
                        }
@@ -1084,16 +1116,17 @@ exit:
                         * then re-try fast path or fragment the message
                         */
-                        sender->publ.max_pkt = l_ptr->max_pkt;
+                        sender->max_pkt = l_ptr->max_pkt;
                        tipc_node_unlock(node);
                        read_unlock_bh(&tipc_net_lock);
-                        if ((msg_hdr_sz(hdr) + res) <= sender->publ.max_pkt)
+                        if ((msg_hdr_sz(hdr) + res) <= sender->max_pkt)
                                goto again;
                        return link_send_sections_long(sender, msg_sect,
-                                                       num_sect, destaddr);
+                                                       num_sect, total_len,
+                                                       destaddr);
                }
                tipc_node_unlock(node);
        }
@@ -1105,7 +1138,7 @@ exit:
                return tipc_reject_msg(buf, TIPC_ERR_NO_NODE);
        if (res >= 0)
                return tipc_port_reject_sections(sender, hdr, msg_sect, num_sect,
-                                                 TIPC_ERR_NO_NODE);
+                                                 total_len, TIPC_ERR_NO_NODE);
        return res;
 }
@@ -1123,15 +1156,16 @@ exit:
 *
 * Returns user data length or errno.
 */
-static int link_send_sections_long(struct port *sender,
+static int link_send_sections_long(struct tipc_port *sender,
                                   struct iovec const *msg_sect,
                                   u32 num_sect,
+                                   unsigned int total_len,
                                   u32 destaddr)
 {
        struct link *l_ptr;
        struct tipc_node *node;
-        struct tipc_msg *hdr = &sender->publ.phdr;
+        struct tipc_msg *hdr = &sender->phdr;
-        u32 dsz = msg_data_sz(hdr);
+        u32 dsz = total_len;
        u32 max_pkt, fragm_sz, rest;
        struct tipc_msg fragm_hdr;
        struct sk_buff *buf, *buf_chain, *prev;
@@ -1142,7 +1176,7 @@ static int link_send_sections_long(struct port *sender,
 again:
        fragm_no = 1;
-        max_pkt = sender->publ.max_pkt - INT_H_SIZE;
+        max_pkt = sender->max_pkt - INT_H_SIZE;
                /* leave room for tunnel header in case of link changeover */
        fragm_sz = max_pkt - INT_H_SIZE;
                /* leave room for fragmentation header in each fragment */
@@ -1157,7 +1191,6 @@ again:
        tipc_msg_init(&fragm_hdr, MSG_FRAGMENTER, FIRST_FRAGMENT,
                 INT_H_SIZE, msg_destnode(hdr));
-        msg_set_link_selector(&fragm_hdr, sender->publ.ref);
        msg_set_size(&fragm_hdr, max_pkt);
        msg_set_fragm_no(&fragm_hdr, 1);
@@ -1238,13 +1271,13 @@ error:
        node = tipc_node_find(destaddr);
        if (likely(node)) {
                tipc_node_lock(node);
-                l_ptr = node->active_links[sender->publ.ref & 1];
+                l_ptr = node->active_links[sender->ref & 1];
                if (!l_ptr) {
                        tipc_node_unlock(node);
                        goto reject;
                }
                if (l_ptr->max_pkt < max_pkt) {
-                        sender->publ.max_pkt = l_ptr->max_pkt;
+                        sender->max_pkt = l_ptr->max_pkt;
                        tipc_node_unlock(node);
                        for (; buf_chain; buf_chain = buf) {
                                buf = buf_chain->next;
@@ -1259,28 +1292,15 @@ reject:
                        buf_discard(buf_chain);
                }
                return tipc_port_reject_sections(sender, hdr, msg_sect, num_sect,
-                                                 TIPC_ERR_NO_NODE);
+                                                 total_len, TIPC_ERR_NO_NODE);
        }
-        /* Append whole chain to send queue: */
+        /* Append chain of fragments to send queue & send them */
-        buf = buf_chain;
+        l_ptr->long_msg_seq_no++;
-        l_ptr->long_msg_seq_no = mod(l_ptr->long_msg_seq_no + 1);
+        link_add_chain_to_outqueue(l_ptr, buf_chain, l_ptr->long_msg_seq_no);
-        if (!l_ptr->next_out)
+        l_ptr->stats.sent_fragments += fragm_no;
-                l_ptr->next_out = buf_chain;
        l_ptr->stats.sent_fragmented++;
-        while (buf) {
-                struct sk_buff *next = buf->next;
-                struct tipc_msg *msg = buf_msg(buf);
-                l_ptr->stats.sent_fragments++;
-                msg_set_long_msgno(msg, l_ptr->long_msg_seq_no);
-                link_add_to_outqueue(l_ptr, buf, msg);
-                buf = next;
-        }
-        /* Send it, if possible: */
        tipc_link_push_queue(l_ptr);
        tipc_node_unlock(node);
        return dsz;
@@ -1441,7 +1461,7 @@ static void link_retransmit_failure(struct link *l_ptr, struct sk_buff *buf)
                info("Outstanding acks: %lu\n",
                     (unsigned long) TIPC_SKB_CB(buf)->handle);
-                n_ptr = l_ptr->owner->next;
+                n_ptr = tipc_bclink_retransmit_to();
                tipc_node_lock(n_ptr);
                tipc_addr_string_fill(addr_string, n_ptr->addr);
@@ -1595,11 +1615,10 @@ static int link_recv_buf_validate(struct sk_buff *buf)
 * structure (i.e. cannot be NULL), but bearer can be inactive.
 */
-void tipc_recv_msg(struct sk_buff *head, struct tipc_bearer *tb_ptr)
+void tipc_recv_msg(struct sk_buff *head, struct tipc_bearer *b_ptr)
 {
        read_lock_bh(&tipc_net_lock);
        while (head) {
-                struct bearer *b_ptr = (struct bearer *)tb_ptr;
                struct tipc_node *n_ptr;
                struct link *l_ptr;
                struct sk_buff *crs;
@@ -1735,10 +1754,6 @@ deliver:
                                                tipc_node_unlock(n_ptr);
                                                tipc_link_recv_bundle(buf);
                                                continue;
-                                        case ROUTE_DISTRIBUTOR:
-                                                tipc_node_unlock(n_ptr);
-                                                buf_discard(buf);
-                                                continue;
                                        case NAME_DISTRIBUTOR:
                                                tipc_node_unlock(n_ptr);
                                                tipc_named_recv(buf);
@@ -1765,6 +1780,10 @@ deliver:
                                                        goto protocol_check;
                                                }
                                                break;
+                                        default:
+                                                buf_discard(buf);
+                                                buf = NULL;
+                                                break;
                                        }
                                }
                                tipc_node_unlock(n_ptr);
@@ -1900,6 +1919,7 @@ void tipc_link_send_proto_msg(struct link *l_ptr, u32 msg_typ, int probe_msg,
        struct sk_buff *buf = NULL;
        struct tipc_msg *msg = l_ptr->pmsg;
        u32 msg_size = sizeof(l_ptr->proto_msg);
+        int r_flag;
        if (link_blocked(l_ptr))
                return;
@@ -1950,15 +1970,14 @@ void tipc_link_send_proto_msg(struct link *l_ptr, u32 msg_typ, int probe_msg,
                msg_set_ack(msg, mod(l_ptr->reset_checkpoint - 1));
                msg_set_seq_gap(msg, 0);
                msg_set_next_sent(msg, 1);
+                msg_set_probe(msg, 0);
                msg_set_link_tolerance(msg, l_ptr->tolerance);
                msg_set_linkprio(msg, l_ptr->priority);
                msg_set_max_pkt(msg, l_ptr->max_pkt_target);
        }
-        if (tipc_node_has_redundant_links(l_ptr->owner))
+        r_flag = (l_ptr->owner->working_links > tipc_link_is_up(l_ptr));
-                msg_set_redundant_link(msg);
+        msg_set_redundant_link(msg, r_flag);
-        else
-                msg_clear_redundant_link(msg);
        msg_set_linkprio(msg, l_ptr->priority);
        /* Ensure sequence number will not fit : */
@@ -1978,7 +1997,6 @@ void tipc_link_send_proto_msg(struct link *l_ptr, u32 msg_typ, int probe_msg,
                skb_copy_to_linear_data(buf, msg, sizeof(l_ptr->proto_msg));
                return;
        }
-        msg_set_timestamp(msg, jiffies_to_msecs(jiffies));
        /* Message can be sent */
@@ -2066,7 +2084,7 @@ static void link_recv_proto_msg(struct link *l_ptr, struct sk_buff *buf)
                l_ptr->peer_bearer_id = msg_bearer_id(msg);
                /* Synchronize broadcast sequence numbers */
-                if (!tipc_node_has_redundant_links(l_ptr->owner))
+                if (!tipc_node_redundant_links(l_ptr->owner))
                        l_ptr->owner->bclink.last_in = mod(msg_last_bcast(msg));
                break;
        case STATE_MSG:
@@ -2397,6 +2415,8 @@ void tipc_link_recv_bundle(struct sk_buff *buf)
 */
 static int link_send_long_buf(struct link *l_ptr, struct sk_buff *buf)
 {
+        struct sk_buff *buf_chain = NULL;
+        struct sk_buff *buf_chain_tail = (struct sk_buff *)&buf_chain;
        struct tipc_msg *inmsg = buf_msg(buf);
        struct tipc_msg fragm_hdr;
        u32 insize = msg_size(inmsg);
@@ -2405,7 +2425,7 @@ static int link_send_long_buf(struct link *l_ptr, struct sk_buff *buf)
        u32 rest = insize;
        u32 pack_sz = l_ptr->max_pkt;
        u32 fragm_sz = pack_sz - INT_H_SIZE;
-        u32 fragm_no = 1;
+        u32 fragm_no = 0;
        u32 destaddr;
        if (msg_short(inmsg))
@@ -2413,17 +2433,10 @@ static int link_send_long_buf(struct link *l_ptr, struct sk_buff *buf)
        else
                destaddr = msg_destnode(inmsg);
-        if (msg_routed(inmsg))
-                msg_set_prevnode(inmsg, tipc_own_addr);
        /* Prepare reusable fragment header: */
        tipc_msg_init(&fragm_hdr, MSG_FRAGMENTER, FIRST_FRAGMENT,
                 INT_H_SIZE, destaddr);
-        msg_set_link_selector(&fragm_hdr, msg_link_selector(inmsg));
-        msg_set_long_msgno(&fragm_hdr, mod(l_ptr->long_msg_seq_no++));
-        msg_set_fragm_no(&fragm_hdr, fragm_no);
-        l_ptr->stats.sent_fragmented++;
        /* Chop up message: */
@@ -2436,27 +2449,37 @@ static int link_send_long_buf(struct link *l_ptr, struct sk_buff *buf)
                }
                fragm = tipc_buf_acquire(fragm_sz + INT_H_SIZE);
                if (fragm == NULL) {
-                        warn("Link unable to fragment message\n");
+                        buf_discard(buf);
-                        dsz = -ENOMEM;
+                        while (buf_chain) {
-                        goto exit;
+                                buf = buf_chain;
+                                buf_chain = buf_chain->next;
+                                buf_discard(buf);
+                        }
+                        return -ENOMEM;
                }
                msg_set_size(&fragm_hdr, fragm_sz + INT_H_SIZE);
+                fragm_no++;
+                msg_set_fragm_no(&fragm_hdr, fragm_no);
                skb_copy_to_linear_data(fragm, &fragm_hdr, INT_H_SIZE);
                skb_copy_to_linear_data_offset(fragm, INT_H_SIZE, crs,
                                               fragm_sz);
-                /*  Send queued messages first, if any: */
+                buf_chain_tail->next = fragm;
+                buf_chain_tail = fragm;
-                l_ptr->stats.sent_fragments++;
-                tipc_link_send_buf(l_ptr, fragm);
-                if (!tipc_link_is_up(l_ptr))
-                        return dsz;
-                msg_set_fragm_no(&fragm_hdr, ++fragm_no);
                rest -= fragm_sz;
                crs += fragm_sz;
                msg_set_type(&fragm_hdr, FRAGMENT);
        }
-exit:
        buf_discard(buf);
+        /* Append chain of fragments to send queue & send them */
+        l_ptr->long_msg_seq_no++;
+        link_add_chain_to_outqueue(l_ptr, buf_chain, l_ptr->long_msg_seq_no);
+        l_ptr->stats.sent_fragments += fragm_no;
+        l_ptr->stats.sent_fragmented++;
+        tipc_link_push_queue(l_ptr);
        return dsz;
 }
@@ -2464,7 +2487,7 @@ exit:
 * A pending message being re-assembled must store certain values
 * to handle subsequent fragments correctly. The following functions
 * help storing these values in unused, available fields in the
- * pending message. This makes dynamic memory allocation unecessary.
+ * pending message. This makes dynamic memory allocation unnecessary.
 */
 static void set_long_msg_seqno(struct sk_buff *buf, u32 seqno)
@@ -2618,6 +2641,9 @@ static void link_check_defragm_bufs(struct link *l_ptr)
 static void link_set_supervision_props(struct link *l_ptr, u32 tolerance)
 {
+        if ((tolerance < TIPC_MIN_LINK_TOL) || (tolerance > TIPC_MAX_LINK_TOL))
+                return;
        l_ptr->tolerance = tolerance;
        l_ptr->continuity_interval =
                ((tolerance / 4) > 500) ? 500 : tolerance / 4;
@@ -2658,7 +2684,7 @@ void tipc_link_set_queue_limits(struct link *l_ptr, u32 window)
 static struct link *link_find_link(const char *name, struct tipc_node **node)
 {
        struct link_name link_name_parts;
-        struct bearer *b_ptr;
+        struct tipc_bearer *b_ptr;
        struct link *l_ptr;
        if (!link_name_validate(name, &link_name_parts))
@@ -2961,7 +2987,7 @@ static void link_print(struct link *l_ptr, const char *str)
        tipc_printf(buf, str);
        tipc_printf(buf, "Link %x<%s>:",
-                    l_ptr->addr, l_ptr->b_ptr->publ.name);
+                    l_ptr->addr, l_ptr->b_ptr->name);
 #ifdef CONFIG_TIPC_DEBUG
        if (link_reset_reset(l_ptr) || link_reset_unknown(l_ptr))
@@ -2981,9 +3007,9 @@ static void link_print(struct link *l_ptr, const char *str)
                     != (l_ptr->out_queue_size - 1)) ||
                    (l_ptr->last_out->next != NULL)) {
                        tipc_printf(buf, "\nSend queue inconsistency\n");
-                        tipc_printf(buf, "first_out= %x ", l_ptr->first_out);
+                        tipc_printf(buf, "first_out= %p ", l_ptr->first_out);
-                        tipc_printf(buf, "next_out= %x ", l_ptr->next_out);
+                        tipc_printf(buf, "next_out= %p ", l_ptr->next_out);
-                        tipc_printf(buf, "last_out= %x ", l_ptr->last_out);
+                        tipc_printf(buf, "last_out= %p ", l_ptr->last_out);
                }
        } else
                tipc_printf(buf, "[]");
diff --git a/net/tipc/link.h b/net/tipc/link.h
index 70967e637027..74fbecab1ea0 100644
--- a/net/tipc/link.h
+++ b/net/tipc/link.h
@@ -2,7 +2,7 @@
 * net/tipc/link.h: Include file for TIPC link code
 *
 * Copyright (c) 1995-2006, Ericsson AB
- * Copyright (c) 2004-2005, Wind River Systems
+ * Copyright (c) 2004-2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -122,7 +122,7 @@ struct link {
        u32 checkpoint;
        u32 peer_session;
        u32 peer_bearer_id;
-        struct bearer *b_ptr;
+        struct tipc_bearer *b_ptr;
        u32 tolerance;
        u32 continuity_interval;
        u32 abort_limit;
@@ -196,24 +196,19 @@ struct link {
                u32 bearer_congs;
                u32 deferred_recv;
                u32 duplicates;
+                u32 max_queue_sz;       /* send queue size high water mark */
-                /* for statistical profiling of send queue size */
+                u32 accu_queue_sz;      /* used for send queue size profiling */
+                u32 queue_sz_counts;    /* used for send queue size profiling */
-                u32 max_queue_sz;
+                u32 msg_length_counts;  /* used for message length profiling */
-                u32 accu_queue_sz;
+                u32 msg_lengths_total;  /* used for message length profiling */
-                u32 queue_sz_counts;
+                u32 msg_length_profile[7]; /* used for msg. length profiling */
-                /* for statistical profiling of message lengths */
-                u32 msg_length_counts;
-                u32 msg_lengths_total;
-                u32 msg_length_profile[7];
        } stats;
 };
-struct port;
+struct tipc_port;
-struct link *tipc_link_create(struct bearer *b_ptr, const u32 peer,
+struct link *tipc_link_create(struct tipc_node *n_ptr,
+                              struct tipc_bearer *b_ptr,
                              const struct tipc_media_addr *media_addr);
 void tipc_link_delete(struct link *l_ptr);
 void tipc_link_changeover(struct link *l_ptr);
@@ -230,9 +225,10 @@ void tipc_link_reset(struct link *l_ptr);
 int tipc_link_send(struct sk_buff *buf, u32 dest, u32 selector);
 int tipc_link_send_buf(struct link *l_ptr, struct sk_buff *buf);
 u32 tipc_link_get_max_pkt(u32 dest, u32 selector);
-int tipc_link_send_sections_fast(struct port *sender,
+int tipc_link_send_sections_fast(struct tipc_port *sender,
                                 struct iovec const *msg_sect,
                                 const u32 num_sect,
+                                 unsigned int total_len,
                                 u32 destnode);
 void tipc_link_recv_bundle(struct sk_buff *buf);
 int  tipc_link_recv_fragment(struct sk_buff **pending,
diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index bb6180c4fcbb..03e57bf92c73 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -2,7 +2,7 @@
 * net/tipc/msg.c: TIPC message header routines
 *
 * Copyright (c) 2000-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -68,20 +68,6 @@ void tipc_msg_init(struct tipc_msg *m, u32 user, u32 type,
 }
 /**
- * tipc_msg_calc_data_size - determine total data size for message
- */
-int tipc_msg_calc_data_size(struct iovec const *msg_sect, u32 num_sect)
-{
-        int dsz = 0;
-        int i;
-        for (i = 0; i < num_sect; i++)
-                dsz += msg_sect[i].iov_len;
-        return dsz;
-}
-/**
 * tipc_msg_build - create message using specified header and data
 *
 * Note: Caller must not hold any locks in case copy_from_user() is interrupted!
@@ -89,18 +75,13 @@ int tipc_msg_calc_data_size(struct iovec const *msg_sect, u32 num_sect)
 * Returns message data size or errno
 */
-int tipc_msg_build(struct tipc_msg *hdr,
+int tipc_msg_build(struct tipc_msg *hdr, struct iovec const *msg_sect,
-                            struct iovec const *msg_sect, u32 num_sect,
+                   u32 num_sect, unsigned int total_len,
                            int max_size, int usrmem, struct sk_buff **buf)
 {
        int dsz, sz, hsz, pos, res, cnt;
-        dsz = tipc_msg_calc_data_size(msg_sect, num_sect);
+        dsz = total_len;
-        if (unlikely(dsz > TIPC_MAX_USER_MSG_SIZE)) {
-                *buf = NULL;
-                return -EINVAL;
-        }
        pos = hsz = msg_hdr_sz(hdr);
        sz = hsz + dsz;
        msg_set_size(hdr, sz);
@@ -192,8 +173,6 @@ void tipc_msg_dbg(struct print_buf *buf, struct tipc_msg *msg, const char *str)
                default:
                        tipc_printf(buf, "UNKNOWN TYPE %u", msg_type(msg));
                }
-                if (msg_routed(msg) && !msg_non_seq(msg))
-                        tipc_printf(buf, "ROUT:");
                if (msg_reroute_cnt(msg))
                        tipc_printf(buf, "REROUTED(%u):",
                                    msg_reroute_cnt(msg));
@@ -210,8 +189,6 @@ void tipc_msg_dbg(struct print_buf *buf, struct tipc_msg *msg, const char *str)
                default:
                        tipc_printf(buf, "UNKNOWN:%x", msg_type(msg));
                }
-                if (msg_routed(msg))
-                        tipc_printf(buf, "ROUT:");
                if (msg_reroute_cnt(msg))
                        tipc_printf(buf, "REROUTED(%u):",
                                    msg_reroute_cnt(msg));
@@ -232,13 +209,10 @@ void tipc_msg_dbg(struct print_buf *buf, struct tipc_msg *msg, const char *str)
                default:
                        tipc_printf(buf, "UNKNOWN TYPE:%x", msg_type(msg));
                }
-                if (msg_routed(msg))
-                        tipc_printf(buf, "ROUT:");
                if (msg_reroute_cnt(msg))
                        tipc_printf(buf, "REROUTED(%u):", msg_reroute_cnt(msg));
                break;
        case LINK_PROTOCOL:
-                tipc_printf(buf, "PROT:TIM(%u):", msg_timestamp(msg));
                switch (msg_type(msg)) {
                case STATE_MSG:
                        tipc_printf(buf, "STATE:");
@@ -275,33 +249,6 @@ void tipc_msg_dbg(struct print_buf *buf, struct tipc_msg *msg, const char *str)
                        tipc_printf(buf, "UNKNOWN TYPE:%x", msg_type(msg));
                }
                break;
-        case ROUTE_DISTRIBUTOR:
-                tipc_printf(buf, "ROUTING_MNG:");
-                switch (msg_type(msg)) {
-                case EXT_ROUTING_TABLE:
-                        tipc_printf(buf, "EXT_TBL:");
-                        tipc_printf(buf, "TO:%x:", msg_remote_node(msg));
-                        break;
-                case LOCAL_ROUTING_TABLE:
-                        tipc_printf(buf, "LOCAL_TBL:");
-                        tipc_printf(buf, "TO:%x:", msg_remote_node(msg));
-                        break;
-                case SLAVE_ROUTING_TABLE:
-                        tipc_printf(buf, "DP_TBL:");
-                        tipc_printf(buf, "TO:%x:", msg_remote_node(msg));
-                        break;
-                case ROUTE_ADDITION:
-                        tipc_printf(buf, "ADD:");
-                        tipc_printf(buf, "TO:%x:", msg_remote_node(msg));
-                        break;
-                case ROUTE_REMOVAL:
-                        tipc_printf(buf, "REMOVE:");
-                        tipc_printf(buf, "TO:%x:", msg_remote_node(msg));
-                        break;
-                default:
-                        tipc_printf(buf, "UNKNOWN TYPE:%x", msg_type(msg));
-                }
-                break;
        case LINK_CONFIG:
                tipc_printf(buf, "CFG:");
                switch (msg_type(msg)) {
@@ -381,20 +328,15 @@ void tipc_msg_dbg(struct print_buf *buf, struct tipc_msg *msg, const char *str)
                        tipc_printf(buf, ":OPRT(%u):", msg_origport(msg));
                        tipc_printf(buf, ":DPRT(%u):", msg_destport(msg));
                }
-                if (msg_routed(msg) && !msg_non_seq(msg))
-                        tipc_printf(buf, ":TSEQN(%u)", msg_transp_seqno(msg));
        }
        if (msg_user(msg) == NAME_DISTRIBUTOR) {
                tipc_printf(buf, ":ONOD(%x):", msg_orignode(msg));
                tipc_printf(buf, ":DNOD(%x):", msg_destnode(msg));
-                if (msg_routed(msg))
-                        tipc_printf(buf, ":CSEQN(%u)", msg_transp_seqno(msg));
        }
        if (msg_user(msg) ==  LINK_CONFIG) {
                u32 *raw = (u32 *)msg;
                struct tipc_media_addr *orig = (struct tipc_media_addr *)&raw[5];
-                tipc_printf(buf, ":REQL(%u):", msg_req_links(msg));
                tipc_printf(buf, ":DDOM(%x):", msg_dest_domain(msg));
                tipc_printf(buf, ":NETID(%u):", msg_bc_netid(msg));
                tipc_media_addr_printf(buf, orig);
diff --git a/net/tipc/msg.h b/net/tipc/msg.h
index 92c4c4fd7b3f..8452454731fa 100644
--- a/net/tipc/msg.h
+++ b/net/tipc/msg.h
@@ -2,7 +2,7 @@
 * net/tipc/msg.h: Include file for TIPC message header routines
 *
 * Copyright (c) 2000-2007, Ericsson AB
- * Copyright (c) 2005-2008, Wind River Systems
+ * Copyright (c) 2005-2008, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -39,41 +39,24 @@
 #include "bearer.h"
+/*
+ * Constants and routines used to read and write TIPC payload message headers
+ *
+ * Note: Some items are also used with TIPC internal message headers
+ */
 #define TIPC_VERSION              2
 /*
- *              TIPC user data message header format, version 2:
+ * Payload message users are defined in TIPC's public API:
- *
+ * - TIPC_LOW_IMPORTANCE
- *
+ * - TIPC_MEDIUM_IMPORTANCE
- *     1 0 9 8 7 6 5 4|3 2 1 0 9 8 7 6|5 4 3 2 1 0 9 8|7 6 5 4 3 2 1 0
+ * - TIPC_HIGH_IMPORTANCE
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * - TIPC_CRITICAL_IMPORTANCE
- * w0:|vers | user  |hdr sz |n|d|s|-|          message size           |
+ */
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w1:|mstyp| error |rer cnt|lsc|opt p|      broadcast ack no         |
+/*
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * Payload message types
- * w2:|        link level ack no      |   broadcast/link level seq no |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w3:|                       previous node                           |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w4:|                      originating port                         |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w5:|                      destination port                         |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w6:|                      originating node                         |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w7:|                      destination node                         |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w8:|            name type / transport sequence number              |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * w9:|              name instance/multicast lower bound              |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- * wA:|                    multicast upper bound                      |
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *    /                                                               /
- *    \                           options                             \
- *    /                                                               /
- *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- *
 */
 #define TIPC_CONN_MSG           0
@@ -81,6 +64,9 @@
 #define TIPC_NAMED_MSG          2
 #define TIPC_DIRECT_MSG         3
+/*
+ * Message header sizes
+ */
 #define SHORT_H_SIZE              24    /* Connected, in-cluster messages */
 #define DIR_MSG_H_SIZE            32    /* Directly addressed messages */
@@ -421,13 +407,6 @@ static inline int msg_is_dest(struct tipc_msg *m, u32 d)
        return msg_short(m) || (msg_destnode(m) == d);
 }
-static inline u32 msg_routed(struct tipc_msg *m)
-{
-        if (likely(msg_short(m)))
-                return 0;
-        return (msg_destnode(m) ^ msg_orignode(m)) >> 11;
-}
 static inline u32 msg_nametype(struct tipc_msg *m)
 {
        return msg_word(m, 8);
@@ -438,26 +417,6 @@ static inline void msg_set_nametype(struct tipc_msg *m, u32 n)
        msg_set_word(m, 8, n);
 }
-static inline u32 msg_transp_seqno(struct tipc_msg *m)
-{
-        return msg_word(m, 8);
-}
-static inline void msg_set_timestamp(struct tipc_msg *m, u32 n)
-{
-        msg_set_word(m, 8, n);
-}
-static inline u32 msg_timestamp(struct tipc_msg *m)
-{
-        return msg_word(m, 8);
-}
-static inline void msg_set_transp_seqno(struct tipc_msg *m, u32 n)
-{
-        msg_set_word(m, 8, n);
-}
 static inline u32 msg_nameinst(struct tipc_msg *m)
 {
        return msg_word(m, 9);
@@ -500,40 +459,11 @@ static inline struct tipc_msg *msg_get_wrapped(struct tipc_msg *m)
 /*
-                TIPC internal message header format, version 2
+ * Constants and routines used to read and write TIPC internal message headers
+ */
-       1 0 9 8 7 6 5 4|3 2 1 0 9 8 7 6|5 4 3 2 1 0 9 8|7 6 5 4 3 2 1 0
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w0:|vers |msg usr|hdr sz |n|resrv|            packet size          |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w1:|m typ|      sequence gap       |       broadcast ack no        |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w2:| link level ack no/bc_gap_from |     seq no / bcast_gap_to     |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w3:|                       previous node                           |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w4:|  next sent broadcast/fragm no | next sent pkt/ fragm msg no   |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w5:|          session no           |rsv=0|r|berid|link prio|netpl|p|
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w6:|                      originating node                         |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w7:|                      destination node                         |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w8:|                   transport sequence number                   |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-   w9:|   msg count / bcast tag       |       link tolerance          |
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      \                                                               \
-      /                     User Specific Data                        /
-      \                                                               \
-      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-      NB: CONN_MANAGER use data message format. LINK_CONFIG has own format.
-*/
 /*
- * Internal users
+ * Internal message users
 */
 #define  BCAST_PROTOCOL       5
@@ -545,10 +475,9 @@ static inline struct tipc_msg *msg_get_wrapped(struct tipc_msg *m)
 #define  NAME_DISTRIBUTOR     11
 #define  MSG_FRAGMENTER       12
 #define  LINK_CONFIG          13
-#define  DSC_H_SIZE           40
 /*
- *  Connection management protocol messages
+ *  Connection management protocol message types
 */
 #define CONN_PROBE        0
@@ -556,12 +485,41 @@ static inline struct tipc_msg *msg_get_wrapped(struct tipc_msg *m)
 #define CONN_ACK          2
 /*
- * Name distributor messages
+ * Name distributor message types
 */
 #define PUBLICATION       0
 #define WITHDRAWAL        1
+/*
+ * Segmentation message types
+ */
+#define FIRST_FRAGMENT          0
+#define FRAGMENT                1
+#define LAST_FRAGMENT           2
+/*
+ * Link management protocol message types
+ */
+#define STATE_MSG               0
+#define RESET_MSG               1
+#define ACTIVATE_MSG            2
+/*
+ * Changeover tunnel message types
+ */
+#define DUPLICATE_MSG           0
+#define ORIGINAL_MSG            1
+/*
+ * Config protocol message types
+ */
+#define DSC_REQ_MSG             0
+#define DSC_RESP_MSG            1
 /*
 * Word 1
@@ -577,16 +535,6 @@ static inline void msg_set_seq_gap(struct tipc_msg *m, u32 n)
        msg_set_bits(m, 1, 16, 0x1fff, n);
 }
-static inline u32 msg_req_links(struct tipc_msg *m)
-{
-        return msg_bits(m, 1, 16, 0xfff);
-}
-static inline void msg_set_req_links(struct tipc_msg *m, u32 n)
-{
-        msg_set_bits(m, 1, 16, 0xfff, n);
-}
 /*
 * Word 2
@@ -749,14 +697,9 @@ static inline u32 msg_redundant_link(struct tipc_msg *m)
        return msg_bits(m, 5, 12, 0x1);
 }
-static inline void msg_set_redundant_link(struct tipc_msg *m)
+static inline void msg_set_redundant_link(struct tipc_msg *m, u32 r)
 {
-        msg_set_bits(m, 5, 12, 0x1, 1);
+        msg_set_bits(m, 5, 12, 0x1, r);
-}
-static inline void msg_clear_redundant_link(struct tipc_msg *m)
-{
-        msg_set_bits(m, 5, 12, 0x1, 0);
 }
@@ -804,65 +747,11 @@ static inline void msg_set_link_tolerance(struct tipc_msg *m, u32 n)
        msg_set_bits(m, 9, 0, 0xffff, n);
 }
-/*
- * Routing table message data
- */
-static inline u32 msg_remote_node(struct tipc_msg *m)
-{
-        return msg_word(m, msg_hdr_sz(m)/4);
-}
-static inline void msg_set_remote_node(struct tipc_msg *m, u32 a)
-{
-        msg_set_word(m, msg_hdr_sz(m)/4, a);
-}
-/*
- * Segmentation message types
- */
-#define FIRST_FRAGMENT     0
-#define FRAGMENT           1
-#define LAST_FRAGMENT      2
-/*
- * Link management protocol message types
- */
-#define STATE_MSG       0
-#define RESET_MSG       1
-#define ACTIVATE_MSG    2
-/*
- * Changeover tunnel message types
- */
-#define DUPLICATE_MSG    0
-#define ORIGINAL_MSG     1
-/*
- * Routing table message types
- */
-#define EXT_ROUTING_TABLE    0
-#define LOCAL_ROUTING_TABLE  1          /* obsoleted */
-#define SLAVE_ROUTING_TABLE  2
-#define ROUTE_ADDITION       3
-#define ROUTE_REMOVAL        4
-/*
- * Config protocol message types
- */
-#define DSC_REQ_MSG          0
-#define DSC_RESP_MSG         1
 u32 tipc_msg_tot_importance(struct tipc_msg *m);
 void tipc_msg_init(struct tipc_msg *m, u32 user, u32 type,
                            u32 hsize, u32 destnode);
-int tipc_msg_calc_data_size(struct iovec const *msg_sect, u32 num_sect);
+int tipc_msg_build(struct tipc_msg *hdr, struct iovec const *msg_sect,
-int tipc_msg_build(struct tipc_msg *hdr,
+                   u32 num_sect, unsigned int total_len,
-                            struct iovec const *msg_sect, u32 num_sect,
                            int max_size, int usrmem, struct sk_buff **buf);
 static inline void msg_set_media_addr(struct tipc_msg *m, struct tipc_media_addr *a)
diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index 483c226c9581..80025a1b3bfd 100644
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -2,7 +2,7 @@
 * net/tipc/name_distr.c: TIPC name distribution code
 *
 * Copyright (c) 2000-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -109,11 +109,9 @@ static void named_cluster_distribute(struct sk_buff *buf)
 {
        struct sk_buff *buf_copy;
        struct tipc_node *n_ptr;
-        u32 n_num;
-        for (n_num = 1; n_num <= tipc_net.highest_node; n_num++) {
+        list_for_each_entry(n_ptr, &tipc_node_list, list) {
-                n_ptr = tipc_net.nodes[n_num];
+                if (tipc_node_active_links(n_ptr)) {
-                if (n_ptr && tipc_node_has_active_links(n_ptr)) {
                        buf_copy = skb_copy(buf, GFP_ATOMIC);
                        if (!buf_copy)
                                break;
@@ -162,7 +160,7 @@ void tipc_named_withdraw(struct publication *publ)
        buf = named_prepare_buf(WITHDRAWAL, ITEM_SIZE, 0);
        if (!buf) {
-                warn("Withdrawl distribution failure\n");
+                warn("Withdrawal distribution failure\n");
                return;
        }
@@ -214,17 +212,16 @@ exit:
 }
 /**
- * node_is_down - remove publication associated with a failed node
+ * named_purge_publ - remove publication associated with a failed node
 *
 * Invoked for each publication issued by a newly failed node.
 * Removes publication structure from name table & deletes it.
 * In rare cases the link may have come back up again when this
 * function is called, and we have two items representing the same
 * publication. Nudge this item's key to distinguish it from the other.
- * (Note: Publication's node subscription is already unsubscribed.)
 */
-static void node_is_down(struct publication *publ)
+static void named_purge_publ(struct publication *publ)
 {
        struct publication *p;
@@ -232,6 +229,8 @@ static void node_is_down(struct publication *publ)
        publ->key += 1222345;
        p = tipc_nametbl_remove_publ(publ->type, publ->lower,
                                     publ->node, publ->ref, publ->key);
+        if (p)
+                tipc_nodesub_unsubscribe(&p->subscr);
        write_unlock_bh(&tipc_nametbl_lock);
        if (p != publ) {
@@ -268,7 +267,8 @@ void tipc_named_recv(struct sk_buff *buf)
                                tipc_nodesub_subscribe(&publ->subscr,
                                                       msg_orignode(msg),
                                                       publ,
-                                                       (net_ev_handler)node_is_down);
+                                                       (net_ev_handler)
+                                                       named_purge_publ);
                        }
                } else if (msg_type(msg) == WITHDRAWAL) {
                        publ = tipc_nametbl_remove_publ(ntohl(item->type),
diff --git a/net/tipc/net.c b/net/tipc/net.c
index 9bacfd00b91e..68b3dd637291 100644
--- a/net/tipc/net.c
+++ b/net/tipc/net.c
@@ -2,7 +2,7 @@
 * net/tipc/net.c: TIPC network routing code
 *
 * Copyright (c) 1995-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -39,6 +39,7 @@
 #include "name_distr.h"
 #include "subscr.h"
 #include "port.h"
+#include "node.h"
 #include "config.h"
 /*
@@ -108,26 +109,6 @@
 */
 DEFINE_RWLOCK(tipc_net_lock);
-struct network tipc_net;
-static int net_start(void)
-{
-        tipc_net.nodes = kcalloc(tipc_max_nodes + 1,
-                                 sizeof(*tipc_net.nodes), GFP_ATOMIC);
-        tipc_net.highest_node = 0;
-        return tipc_net.nodes ? 0 : -ENOMEM;
-}
-static void net_stop(void)
-{
-        u32 n_num;
-        for (n_num = 1; n_num <= tipc_net.highest_node; n_num++)
-                tipc_node_delete(tipc_net.nodes[n_num]);
-        kfree(tipc_net.nodes);
-        tipc_net.nodes = NULL;
-}
 static void net_route_named_msg(struct sk_buff *buf)
 {
@@ -217,9 +198,6 @@ int tipc_net_start(u32 addr)
        tipc_named_reinit();
        tipc_port_reinit();
-        res = net_start();
-        if (res)
-                return res;
        res = tipc_bclink_init();
        if (res)
                return res;
@@ -235,14 +213,16 @@ int tipc_net_start(u32 addr)
 void tipc_net_stop(void)
 {
+        struct tipc_node *node, *t_node;
        if (tipc_mode != TIPC_NET_MODE)
                return;
        write_lock_bh(&tipc_net_lock);
        tipc_bearer_stop();
        tipc_mode = TIPC_NODE_MODE;
        tipc_bclink_stop();
-        net_stop();
+        list_for_each_entry_safe(node, t_node, &tipc_node_list, list)
+                tipc_node_delete(node);
        write_unlock_bh(&tipc_net_lock);
        info("Left network mode\n");
 }
diff --git a/net/tipc/net.h b/net/tipc/net.h
index 4ae59ad04893..9eb4b9e220eb 100644
--- a/net/tipc/net.h
+++ b/net/tipc/net.h
@@ -2,7 +2,7 @@
 * net/tipc/net.h: Include file for TIPC network routing code
 *
 * Copyright (c) 1995-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -37,23 +37,6 @@
 #ifndef _TIPC_NET_H
 #define _TIPC_NET_H
-struct tipc_node;
-/**
- * struct network - TIPC network structure
- * @nodes: array of pointers to all nodes within cluster
- * @highest_node: id of highest numbered node within cluster
- * @links: number of (unicast) links to cluster
- */
-struct network {
-        struct tipc_node **nodes;
-        u32 highest_node;
-        u32 links;
-};
-extern struct network tipc_net;
 extern rwlock_t tipc_net_lock;
 void tipc_net_route_msg(struct sk_buff *buf);
diff --git a/net/tipc/node.c b/net/tipc/node.c
index 3af53e327f49..2d106ef4fa4c 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -2,7 +2,7 @@
 * net/tipc/node.c: TIPC node management routines
 *
 * Copyright (c) 2000-2006, Ericsson AB
- * Copyright (c) 2005-2006, Wind River Systems
+ * Copyright (c) 2005-2006, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -44,9 +44,33 @@ static void node_established_contact(struct tipc_node *n_ptr);
 static DEFINE_SPINLOCK(node_create_lock);
+static struct hlist_head node_htable[NODE_HTABLE_SIZE];
+LIST_HEAD(tipc_node_list);
+static u32 tipc_num_nodes;
+static atomic_t tipc_num_links = ATOMIC_INIT(0);
 u32 tipc_own_tag;
 /**
+ * tipc_node_find - locate specified node object, if it exists
+ */
+struct tipc_node *tipc_node_find(u32 addr)
+{
+        struct tipc_node *node;
+        struct hlist_node *pos;
+        if (unlikely(!in_own_cluster(addr)))
+                return NULL;
+        hlist_for_each_entry(node, pos, &node_htable[tipc_hashfn(addr)], hash) {
+                if (node->addr == addr)
+                        return node;
+        }
+        return NULL;
+}
+/**
 * tipc_node_create - create neighboring node
 *
 * Currently, this routine is called by neighbor discovery code, which holds
@@ -58,8 +82,7 @@ u32 tipc_own_tag;
 struct tipc_node *tipc_node_create(u32 addr)
 {
-        struct tipc_node *n_ptr;
+        struct tipc_node *n_ptr, *temp_node;
-        u32 n_num;
        spin_lock_bh(&node_create_lock);
@@ -78,12 +101,19 @@ struct tipc_node *tipc_node_create(u32 addr)
        n_ptr->addr = addr;
        spin_lock_init(&n_ptr->lock);
+        INIT_HLIST_NODE(&n_ptr->hash);
+        INIT_LIST_HEAD(&n_ptr->list);
        INIT_LIST_HEAD(&n_ptr->nsub);
-        n_num = tipc_node(addr);
+        hlist_add_head(&n_ptr->hash, &node_htable[tipc_hashfn(addr)]);
-        tipc_net.nodes[n_num] = n_ptr;
-        if (n_num > tipc_net.highest_node)
+        list_for_each_entry(temp_node, &tipc_node_list, list) {
-                tipc_net.highest_node = n_num;
+                if (n_ptr->addr < temp_node->addr)
+                        break;
+        }
+        list_add_tail(&n_ptr->list, &temp_node->list);
+        tipc_num_nodes++;
        spin_unlock_bh(&node_create_lock);
        return n_ptr;
@@ -91,18 +121,11 @@ struct tipc_node *tipc_node_create(u32 addr)
 void tipc_node_delete(struct tipc_node *n_ptr)
 {
-        u32 n_num;
+        list_del(&n_ptr->list);
+        hlist_del(&n_ptr->hash);
-        if (!n_ptr)
-                return;
-        n_num = tipc_node(n_ptr->addr);
-        tipc_net.nodes[n_num] = NULL;
        kfree(n_ptr);
-        while (!tipc_net.nodes[tipc_net.highest_node])
+        tipc_num_nodes--;
-                if (--tipc_net.highest_node == 0)
-                        break;
 }
@@ -200,54 +223,32 @@ void tipc_node_link_down(struct tipc_node *n_ptr, struct link *l_ptr)
                node_lost_contact(n_ptr);
 }
-int tipc_node_has_active_links(struct tipc_node *n_ptr)
+int tipc_node_active_links(struct tipc_node *n_ptr)
 {
        return n_ptr->active_links[0] != NULL;
 }
-int tipc_node_has_redundant_links(struct tipc_node *n_ptr)
+int tipc_node_redundant_links(struct tipc_node *n_ptr)
 {
        return n_ptr->working_links > 1;
 }
 int tipc_node_is_up(struct tipc_node *n_ptr)
 {
-        return tipc_node_has_active_links(n_ptr);
+        return tipc_node_active_links(n_ptr);
 }
-struct tipc_node *tipc_node_attach_link(struct link *l_ptr)
+void tipc_node_attach_link(struct tipc_node *n_ptr, struct link *l_ptr)
 {
-        struct tipc_node *n_ptr = tipc_node_find(l_ptr->addr);
+        n_ptr->links[l_ptr->b_ptr->identity] = l_ptr;
+        atomic_inc(&tipc_num_links);
-        if (!n_ptr)
+        n_ptr->link_cnt++;
-                n_ptr = tipc_node_create(l_ptr->addr);
-        if (n_ptr) {
-                u32 bearer_id = l_ptr->b_ptr->identity;
-                char addr_string[16];
-                if (n_ptr->link_cnt >= 2) {
-                        err("Attempt to create third link to %s\n",
-                            tipc_addr_string_fill(addr_string, n_ptr->addr));
-                        return NULL;
-                }
-                if (!n_ptr->links[bearer_id]) {
-                        n_ptr->links[bearer_id] = l_ptr;
-                        tipc_net.links++;
-                        n_ptr->link_cnt++;
-                        return n_ptr;
-                }
-                err("Attempt to establish second link on <%s> to %s\n",
-                    l_ptr->b_ptr->publ.name,
-                    tipc_addr_string_fill(addr_string, l_ptr->addr));
-        }
-        return NULL;
 }
 void tipc_node_detach_link(struct tipc_node *n_ptr, struct link *l_ptr)
 {
        n_ptr->links[l_ptr->b_ptr->identity] = NULL;
-        tipc_net.links--;
+        atomic_dec(&tipc_num_links);
        n_ptr->link_cnt--;
 }
@@ -327,7 +328,6 @@ static void node_cleanup_finished(unsigned long node_addr)
 static void node_lost_contact(struct tipc_node *n_ptr)
 {
-        struct tipc_node_subscr *ns, *tns;
        char addr_string[16];
        u32 i;
@@ -365,12 +365,7 @@ static void node_lost_contact(struct tipc_node *n_ptr)
        }
        /* Notify subscribers */
-        list_for_each_entry_safe(ns, tns, &n_ptr->nsub, nodesub_list) {
+        tipc_nodesub_notify(n_ptr);
-                ns->node = NULL;
-                list_del_init(&ns->nodesub_list);
-                tipc_k_signal((Handler)ns->handle_node_down,
-                              (unsigned long)ns->usr_handle);
-        }
        /* Prevent re-contact with node until all cleanup is done */
@@ -385,7 +380,6 @@ struct sk_buff *tipc_node_get_nodes(const void *req_tlv_area, int req_tlv_space)
        struct tipc_node *n_ptr;
        struct tipc_node_info node_info;
        u32 payload_size;
-        u32 n_num;
        if (!TLV_CHECK(req_tlv_area, req_tlv_space, TIPC_TLV_NET_ADDR))
                return tipc_cfg_reply_error_string(TIPC_CFG_TLV_ERROR);
@@ -396,15 +390,14 @@ struct sk_buff *tipc_node_get_nodes(const void *req_tlv_area, int req_tlv_space)
                                                   " (network address)");
        read_lock_bh(&tipc_net_lock);
-        if (!tipc_net.nodes) {
+        if (!tipc_num_nodes) {
                read_unlock_bh(&tipc_net_lock);
                return tipc_cfg_reply_none();
        }
        /* For now, get space for all other nodes */
-        payload_size = TLV_SPACE(sizeof(node_info)) *
+        payload_size = TLV_SPACE(sizeof(node_info)) * tipc_num_nodes;
-                (tipc_net.highest_node - 1);
        if (payload_size > 32768u) {
                read_unlock_bh(&tipc_net_lock);
                return tipc_cfg_reply_error_string(TIPC_CFG_NOT_SUPPORTED
@@ -418,9 +411,8 @@ struct sk_buff *tipc_node_get_nodes(const void *req_tlv_area, int req_tlv_space)
        /* Add TLVs for all nodes in scope */
-        for (n_num = 1; n_num <= tipc_net.highest_node; n_num++) {
+        list_for_each_entry(n_ptr, &tipc_node_list, list) {
-                n_ptr = tipc_net.nodes[n_num];
+                if (!tipc_in_scope(domain, n_ptr->addr))
-                if (!n_ptr || !tipc_in_scope(domain, n_ptr->addr))
                        continue;
                node_info.addr = htonl(n_ptr->addr);
                node_info.up = htonl(tipc_node_is_up(n_ptr));
@@ -439,7 +431,6 @@ struct sk_buff *tipc_node_get_links(const void *req_tlv_area, int req_tlv_space)
        struct tipc_node *n_ptr;
        struct tipc_link_info link_info;
        u32 payload_size;
-        u32 n_num;
        if (!TLV_CHECK(req_tlv_area, req_tlv_space, TIPC_TLV_NET_ADDR))
                return tipc_cfg_reply_error_string(TIPC_CFG_TLV_ERROR);
@@ -456,7 +447,8 @@ struct sk_buff *tipc_node_get_links(const void *req_tlv_area, int req_tlv_space)
        /* Get space for all unicast links + multicast link */
-        payload_size = TLV_SPACE(sizeof(link_info)) * (tipc_net.links + 1);
+        payload_size = TLV_SPACE(sizeof(link_info)) *
+                (atomic_read(&tipc_num_links) + 1);
        if (payload_size > 32768u) {
                read_unlock_bh(&tipc_net_lock);
                return tipc_cfg_reply_error_string(TIPC_CFG_NOT_SUPPORTED
@@ -470,18 +462,17 @@ struct sk_buff *tipc_node_get_links(const void *req_tlv_area, int req_tlv_space)
        /* Add TLV for broadcast link */
-        link_info.dest = htonl(tipc_own_addr & 0xfffff00);
+        link_info.dest = htonl(tipc_cluster_mask(tipc_own_addr));
        link_info.up = htonl(1);
        strlcpy(link_info.str, tipc_bclink_name, TIPC_MAX_LINK_NAME);
        tipc_cfg_append_tlv(buf, TIPC_TLV_LINK_INFO, &link_info, sizeof(link_info));
        /* Add TLVs for any other links in scope */
-        for (n_num = 1; n_num <= tipc_net.highest_node; n_num++) {
+        list_for_each_entry(n_ptr, &tipc_node_list, list) {
                u32 i;
-                n_ptr = tipc_net.nodes[n_num];
+                if (!tipc_in_scope(domain, n_ptr->addr))
-                if (!n_ptr || !tipc_in_scope(domain, n_ptr->addr))
                        continue;
                tipc_node_lock(n_ptr);
                for (i = 0; i < MAX_BEARERS; i++) {
diff --git a/net/tipc/node.h b/net/tipc/node.h
index 206a8efa410e..5c61afc7a0b9 100644
--- a/net/tipc/node.h
+++ b/net/tipc/node.h
@@ -2,7 +2,7 @@
 * net/tipc/node.h: Include file for TIPC node management routines
 *
 * Copyright (c) 2000-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -46,7 +46,8 @@
 * struct tipc_node - TIPC node structure
 * @addr: network address of node
 * @lock: spinlock governing access to structure
- * @next: pointer to next node in sorted list of cluster's nodes
+ * @hash: links to adjacent nodes in unsorted hash chain
+ * @list: links to adjacent nodes in sorted list of cluster's nodes
 * @nsub: list of "node down" subscriptions monitoring node
 * @active_links: pointers to active links to node
 * @links: pointers to all links to node
@@ -69,7 +70,8 @@
 struct tipc_node {
        u32 addr;
        spinlock_t lock;
-        struct tipc_node *next;
+        struct hlist_node hash;
+        struct list_head list;
        struct list_head nsub;
        struct link *active_links[2];
        struct link *links[MAX_BEARERS];
@@ -90,27 +92,35 @@ struct tipc_node {
        } bclink;
 };
+#define NODE_HTABLE_SIZE 512
+extern struct list_head tipc_node_list;
+/*
+ * A trivial power-of-two bitmask technique is used for speed, since this
+ * operation is done for every incoming TIPC packet. The number of hash table
+ * entries has been chosen so that no hash chain exceeds 8 nodes and will
+ * usually be much smaller (typically only a single node).
+ */
+static inline unsigned int tipc_hashfn(u32 addr)
+{
+        return addr & (NODE_HTABLE_SIZE - 1);
+}
 extern u32 tipc_own_tag;
+struct tipc_node *tipc_node_find(u32 addr);
 struct tipc_node *tipc_node_create(u32 addr);
 void tipc_node_delete(struct tipc_node *n_ptr);
-struct tipc_node *tipc_node_attach_link(struct link *l_ptr);
+void tipc_node_attach_link(struct tipc_node *n_ptr, struct link *l_ptr);
 void tipc_node_detach_link(struct tipc_node *n_ptr, struct link *l_ptr);
 void tipc_node_link_down(struct tipc_node *n_ptr, struct link *l_ptr);
 void tipc_node_link_up(struct tipc_node *n_ptr, struct link *l_ptr);
-int tipc_node_has_active_links(struct tipc_node *n_ptr);
+int tipc_node_active_links(struct tipc_node *n_ptr);
-int tipc_node_has_redundant_links(struct tipc_node *n_ptr);
+int tipc_node_redundant_links(struct tipc_node *n_ptr);
 int tipc_node_is_up(struct tipc_node *n_ptr);
 struct sk_buff *tipc_node_get_links(const void *req_tlv_area, int req_tlv_space);
 struct sk_buff *tipc_node_get_nodes(const void *req_tlv_area, int req_tlv_space);
-static inline struct tipc_node *tipc_node_find(u32 addr)
-{
-        if (likely(in_own_cluster(addr)))
-                return tipc_net.nodes[tipc_node(addr)];
-        return NULL;
-}
 static inline void tipc_node_lock(struct tipc_node *n_ptr)
 {
        spin_lock_bh(&n_ptr->lock);
diff --git a/net/tipc/node_subscr.c b/net/tipc/node_subscr.c
index 018a55332d91..c3c2815ae630 100644
--- a/net/tipc/node_subscr.c
+++ b/net/tipc/node_subscr.c
@@ -2,7 +2,7 @@
 * net/tipc/node_subscr.c: TIPC "node down" subscription handling
 *
 * Copyright (c) 1995-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -76,3 +76,22 @@ void tipc_nodesub_unsubscribe(struct tipc_node_subscr *node_sub)
        list_del_init(&node_sub->nodesub_list);
        tipc_node_unlock(node_sub->node);
 }
+/**
+ * tipc_nodesub_notify - notify subscribers that a node is unreachable
+ *
+ * Note: node is locked by caller
+ */
+void tipc_nodesub_notify(struct tipc_node *node)
+{
+        struct tipc_node_subscr *ns;
+        list_for_each_entry(ns, &node->nsub, nodesub_list) {
+                if (ns->handle_node_down) {
+                        tipc_k_signal((Handler)ns->handle_node_down,
+                                      (unsigned long)ns->usr_handle);
+                        ns->handle_node_down = NULL;
+                }
+        }
+}
diff --git a/net/tipc/node_subscr.h b/net/tipc/node_subscr.h
index 006ed739f515..4bc2ca0867a1 100644
--- a/net/tipc/node_subscr.h
+++ b/net/tipc/node_subscr.h
@@ -2,7 +2,7 @@
 * net/tipc/node_subscr.h: Include file for TIPC "node down" subscription handling
 *
 * Copyright (c) 1995-2006, Ericsson AB
- * Copyright (c) 2005, Wind River Systems
+ * Copyright (c) 2005, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -59,5 +59,6 @@ struct tipc_node_subscr {
 void tipc_nodesub_subscribe(struct tipc_node_subscr *node_sub, u32 addr,
                            void *usr_handle, net_ev_handler handle_down);
 void tipc_nodesub_unsubscribe(struct tipc_node_subscr *node_sub);
+void tipc_nodesub_notify(struct tipc_node *node);
 #endif
diff --git a/net/tipc/port.c b/net/tipc/port.c
index 067bab2a0b98..c68dc956a423 100644
--- a/net/tipc/port.c
+++ b/net/tipc/port.c
@@ -2,7 +2,7 @@
 * net/tipc/port.c: TIPC port code
 *
 * Copyright (c) 1992-2007, Ericsson AB
- * Copyright (c) 2004-2008, Wind River Systems
+ * Copyright (c) 2004-2008, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -54,33 +54,19 @@ static DEFINE_SPINLOCK(queue_lock);
 static LIST_HEAD(ports);
 static void port_handle_node_down(unsigned long ref);
-static struct sk_buff *port_build_self_abort_msg(struct port *, u32 err);
+static struct sk_buff *port_build_self_abort_msg(struct tipc_port *, u32 err);
-static struct sk_buff *port_build_peer_abort_msg(struct port *, u32 err);
+static struct sk_buff *port_build_peer_abort_msg(struct tipc_port *, u32 err);
 static void port_timeout(unsigned long ref);
-static u32 port_peernode(struct port *p_ptr)
+static u32 port_peernode(struct tipc_port *p_ptr)
 {
-        return msg_destnode(&p_ptr->publ.phdr);
+        return msg_destnode(&p_ptr->phdr);
 }
-static u32 port_peerport(struct port *p_ptr)
+static u32 port_peerport(struct tipc_port *p_ptr)
 {
-        return msg_destport(&p_ptr->publ.phdr);
+        return msg_destport(&p_ptr->phdr);
-}
-static u32 port_out_seqno(struct port *p_ptr)
-{
-        return msg_transp_seqno(&p_ptr->publ.phdr);
-}
-static void port_incr_out_seqno(struct port *p_ptr)
-{
-        struct tipc_msg *m = &p_ptr->publ.phdr;
-        if (likely(!msg_routed(m)))
-                return;
-        msg_set_transp_seqno(m, (msg_transp_seqno(m) + 1));
 }
 /**
@@ -88,13 +74,14 @@ static void port_incr_out_seqno(struct port *p_ptr)
 */
 int tipc_multicast(u32 ref, struct tipc_name_seq const *seq,
-                   u32 num_sect, struct iovec const *msg_sect)
+                   u32 num_sect, struct iovec const *msg_sect,
+                   unsigned int total_len)
 {
        struct tipc_msg *hdr;
        struct sk_buff *buf;
        struct sk_buff *ibuf = NULL;
        struct port_list dports = {0, NULL, };
-        struct port *oport = tipc_port_deref(ref);
+        struct tipc_port *oport = tipc_port_deref(ref);
        int ext_targets;
        int res;
@@ -103,13 +90,16 @@ int tipc_multicast(u32 ref, struct tipc_name_seq const *seq,
        /* Create multicast message */
-        hdr = &oport->publ.phdr;
+        hdr = &oport->phdr;
        msg_set_type(hdr, TIPC_MCAST_MSG);
+        msg_set_lookup_scope(hdr, TIPC_CLUSTER_SCOPE);
+        msg_set_destport(hdr, 0);
+        msg_set_destnode(hdr, 0);
        msg_set_nametype(hdr, seq->type);
        msg_set_namelower(hdr, seq->lower);
        msg_set_nameupper(hdr, seq->upper);
        msg_set_hdr_sz(hdr, MCAST_H_SIZE);
-        res = tipc_msg_build(hdr, msg_sect, num_sect, MAX_MSG_SIZE,
+        res = tipc_msg_build(hdr, msg_sect, num_sect, total_len, MAX_MSG_SIZE,
                        !oport->user_port, &buf);
        if (unlikely(!buf))
                return res;
@@ -175,6 +165,7 @@ void tipc_port_recv_mcast(struct sk_buff *buf, struct port_list *dp)
        /* Deliver a copy of message to each destination port */
        if (dp->count != 0) {
+                msg_set_destnode(msg, tipc_own_addr);
                if (dp->count == 1) {
                        msg_set_destport(msg, dp->ports[0]);
                        tipc_port_recv_msg(buf);
@@ -211,7 +202,7 @@ struct tipc_port *tipc_createport_raw(void *usr_handle,
                        void (*wakeup)(struct tipc_port *),
                        const u32 importance)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        struct tipc_msg *msg;
        u32 ref;
@@ -220,21 +211,19 @@ struct tipc_port *tipc_createport_raw(void *usr_handle,
                warn("Port creation failed, no memory\n");
                return NULL;
        }
-        ref = tipc_ref_acquire(p_ptr, &p_ptr->publ.lock);
+        ref = tipc_ref_acquire(p_ptr, &p_ptr->lock);
        if (!ref) {
                warn("Port creation failed, reference table exhausted\n");
                kfree(p_ptr);
                return NULL;
        }
-        p_ptr->publ.usr_handle = usr_handle;
+        p_ptr->usr_handle = usr_handle;
-        p_ptr->publ.max_pkt = MAX_PKT_DEFAULT;
+        p_ptr->max_pkt = MAX_PKT_DEFAULT;
-        p_ptr->publ.ref = ref;
+        p_ptr->ref = ref;
-        msg = &p_ptr->publ.phdr;
+        msg = &p_ptr->phdr;
        tipc_msg_init(msg, importance, TIPC_NAMED_MSG, LONG_H_SIZE, 0);
        msg_set_origport(msg, ref);
-        p_ptr->last_in_seqno = 41;
-        p_ptr->sent = 1;
        INIT_LIST_HEAD(&p_ptr->wait_list);
        INIT_LIST_HEAD(&p_ptr->subscription.nodesub_list);
        p_ptr->dispatcher = dispatcher;
@@ -246,12 +235,12 @@ struct tipc_port *tipc_createport_raw(void *usr_handle,
        INIT_LIST_HEAD(&p_ptr->port_list);
        list_add_tail(&p_ptr->port_list, &ports);
        spin_unlock_bh(&tipc_port_list_lock);
-        return &(p_ptr->publ);
+        return p_ptr;
 }
 int tipc_deleteport(u32 ref)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        struct sk_buff *buf = NULL;
        tipc_withdraw(ref, 0, NULL);
@@ -263,7 +252,7 @@ int tipc_deleteport(u32 ref)
        tipc_port_unlock(p_ptr);
        k_cancel_timer(&p_ptr->timer);
-        if (p_ptr->publ.connected) {
+        if (p_ptr->connected) {
                buf = port_build_peer_abort_msg(p_ptr, TIPC_ERR_NO_PORT);
                tipc_nodesub_unsubscribe(&p_ptr->subscription);
        }
@@ -279,14 +268,14 @@ int tipc_deleteport(u32 ref)
        return 0;
 }
-static int port_unreliable(struct port *p_ptr)
+static int port_unreliable(struct tipc_port *p_ptr)
 {
-        return msg_src_droppable(&p_ptr->publ.phdr);
+        return msg_src_droppable(&p_ptr->phdr);
 }
 int tipc_portunreliable(u32 ref, unsigned int *isunreliable)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        p_ptr = tipc_port_lock(ref);
        if (!p_ptr)
@@ -298,24 +287,24 @@ int tipc_portunreliable(u32 ref, unsigned int *isunreliable)
 int tipc_set_portunreliable(u32 ref, unsigned int isunreliable)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        p_ptr = tipc_port_lock(ref);
        if (!p_ptr)
                return -EINVAL;
-        msg_set_src_droppable(&p_ptr->publ.phdr, (isunreliable != 0));
+        msg_set_src_droppable(&p_ptr->phdr, (isunreliable != 0));
        tipc_port_unlock(p_ptr);
        return 0;
 }
-static int port_unreturnable(struct port *p_ptr)
+static int port_unreturnable(struct tipc_port *p_ptr)
 {
-        return msg_dest_droppable(&p_ptr->publ.phdr);
+        return msg_dest_droppable(&p_ptr->phdr);
 }
 int tipc_portunreturnable(u32 ref, unsigned int *isunrejectable)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        p_ptr = tipc_port_lock(ref);
        if (!p_ptr)
@@ -327,12 +316,12 @@ int tipc_portunreturnable(u32 ref, unsigned int *isunrejectable)
 int tipc_set_portunreturnable(u32 ref, unsigned int isunrejectable)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        p_ptr = tipc_port_lock(ref);
        if (!p_ptr)
                return -EINVAL;
-        msg_set_dest_droppable(&p_ptr->publ.phdr, (isunrejectable != 0));
+        msg_set_dest_droppable(&p_ptr->phdr, (isunrejectable != 0));
        tipc_port_unlock(p_ptr);
        return 0;
 }
@@ -345,7 +334,7 @@ int tipc_set_portunreturnable(u32 ref, unsigned int isunrejectable)
 static struct sk_buff *port_build_proto_msg(u32 destport, u32 destnode,
                                            u32 origport, u32 orignode,
                                            u32 usr, u32 type, u32 err,
-                                            u32 seqno, u32 ack)
+                                            u32 ack)
 {
        struct sk_buff *buf;
        struct tipc_msg *msg;
@@ -358,7 +347,6 @@ static struct sk_buff *port_build_proto_msg(u32 destport, u32 destnode,
                msg_set_destport(msg, destport);
                msg_set_origport(msg, origport);
                msg_set_orignode(msg, orignode);
-                msg_set_transp_seqno(msg, seqno);
                msg_set_msgcnt(msg, ack);
        }
        return buf;
@@ -413,10 +401,10 @@ int tipc_reject_msg(struct sk_buff *buf, u32 err)
        /* send self-abort message when rejecting on a connected port */
        if (msg_connected(msg)) {
                struct sk_buff *abuf = NULL;
-                struct port *p_ptr = tipc_port_lock(msg_destport(msg));
+                struct tipc_port *p_ptr = tipc_port_lock(msg_destport(msg));
                if (p_ptr) {
-                        if (p_ptr->publ.connected)
+                        if (p_ptr->connected)
                                abuf = port_build_self_abort_msg(p_ptr, err);
                        tipc_port_unlock(p_ptr);
                }
@@ -429,14 +417,14 @@ int tipc_reject_msg(struct sk_buff *buf, u32 err)
        return data_sz;
 }
-int tipc_port_reject_sections(struct port *p_ptr, struct tipc_msg *hdr,
+int tipc_port_reject_sections(struct tipc_port *p_ptr, struct tipc_msg *hdr,
                              struct iovec const *msg_sect, u32 num_sect,
-                              int err)
+                              unsigned int total_len, int err)
 {
        struct sk_buff *buf;
        int res;
-        res = tipc_msg_build(hdr, msg_sect, num_sect, MAX_MSG_SIZE,
+        res = tipc_msg_build(hdr, msg_sect, num_sect, total_len, MAX_MSG_SIZE,
                        !p_ptr->user_port, &buf);
        if (!buf)
                return res;
@@ -446,13 +434,13 @@ int tipc_port_reject_sections(struct port *p_ptr, struct tipc_msg *hdr,
 static void port_timeout(unsigned long ref)
 {
-        struct port *p_ptr = tipc_port_lock(ref);
+        struct tipc_port *p_ptr = tipc_port_lock(ref);
        struct sk_buff *buf = NULL;
        if (!p_ptr)
                return;
-        if (!p_ptr->publ.connected) {
+        if (!p_ptr->connected) {
                tipc_port_unlock(p_ptr);
                return;
        }
@@ -463,14 +451,12 @@ static void port_timeout(unsigned long ref)
        } else {
                buf = port_build_proto_msg(port_peerport(p_ptr),
                                           port_peernode(p_ptr),
-                                           p_ptr->publ.ref,
+                                           p_ptr->ref,
                                           tipc_own_addr,
                                           CONN_MANAGER,
                                           CONN_PROBE,
                                           TIPC_OK,
-                                           port_out_seqno(p_ptr),
                                           0);
-                port_incr_out_seqno(p_ptr);
                p_ptr->probing_state = PROBING;
                k_start_timer(&p_ptr->timer, p_ptr->probing_interval);
        }
@@ -481,7 +467,7 @@ static void port_timeout(unsigned long ref)
 static void port_handle_node_down(unsigned long ref)
 {
-        struct port *p_ptr = tipc_port_lock(ref);
+        struct tipc_port *p_ptr = tipc_port_lock(ref);
        struct sk_buff *buf = NULL;
        if (!p_ptr)
@@ -492,73 +478,71 @@ static void port_handle_node_down(unsigned long ref)
 }
-static struct sk_buff *port_build_self_abort_msg(struct port *p_ptr, u32 err)
+static struct sk_buff *port_build_self_abort_msg(struct tipc_port *p_ptr, u32 err)
 {
-        u32 imp = msg_importance(&p_ptr->publ.phdr);
+        u32 imp = msg_importance(&p_ptr->phdr);
-        if (!p_ptr->publ.connected)
+        if (!p_ptr->connected)
                return NULL;
        if (imp < TIPC_CRITICAL_IMPORTANCE)
                imp++;
-        return port_build_proto_msg(p_ptr->publ.ref,
+        return port_build_proto_msg(p_ptr->ref,
                                    tipc_own_addr,
                                    port_peerport(p_ptr),
                                    port_peernode(p_ptr),
                                    imp,
                                    TIPC_CONN_MSG,
                                    err,
-                                    p_ptr->last_in_seqno + 1,
                                    0);
 }
-static struct sk_buff *port_build_peer_abort_msg(struct port *p_ptr, u32 err)
+static struct sk_buff *port_build_peer_abort_msg(struct tipc_port *p_ptr, u32 err)
 {
-        u32 imp = msg_importance(&p_ptr->publ.phdr);
+        u32 imp = msg_importance(&p_ptr->phdr);
-        if (!p_ptr->publ.connected)
+        if (!p_ptr->connected)
                return NULL;
        if (imp < TIPC_CRITICAL_IMPORTANCE)
                imp++;
        return port_build_proto_msg(port_peerport(p_ptr),
                                    port_peernode(p_ptr),
-                                    p_ptr->publ.ref,
+                                    p_ptr->ref,
                                    tipc_own_addr,
                                    imp,
                                    TIPC_CONN_MSG,
                                    err,
-                                    port_out_seqno(p_ptr),
                                    0);
 }
 void tipc_port_recv_proto_msg(struct sk_buff *buf)
 {
        struct tipc_msg *msg = buf_msg(buf);
-        struct port *p_ptr = tipc_port_lock(msg_destport(msg));
+        struct tipc_port *p_ptr = tipc_port_lock(msg_destport(msg));
        u32 err = TIPC_OK;
        struct sk_buff *r_buf = NULL;
        struct sk_buff *abort_buf = NULL;
        if (!p_ptr) {
                err = TIPC_ERR_NO_PORT;
-        } else if (p_ptr->publ.connected) {
+        } else if (p_ptr->connected) {
                if ((port_peernode(p_ptr) != msg_orignode(msg)) ||
                    (port_peerport(p_ptr) != msg_origport(msg))) {
                        err = TIPC_ERR_NO_PORT;
                } else if (msg_type(msg) == CONN_ACK) {
                        int wakeup = tipc_port_congested(p_ptr) &&
-                                     p_ptr->publ.congested &&
+                                     p_ptr->congested &&
                                     p_ptr->wakeup;
                        p_ptr->acked += msg_msgcnt(msg);
                        if (tipc_port_congested(p_ptr))
                                goto exit;
-                        p_ptr->publ.congested = 0;
+                        p_ptr->congested = 0;
                        if (!wakeup)
                                goto exit;
-                        p_ptr->wakeup(&p_ptr->publ);
+                        p_ptr->wakeup(p_ptr);
                        goto exit;
                }
-        } else if (p_ptr->publ.published) {
+        } else if (p_ptr->published) {
                err = TIPC_ERR_NO_PORT;
        }
        if (err) {
@@ -569,7 +553,6 @@ void tipc_port_recv_proto_msg(struct sk_buff *buf)
                                             TIPC_HIGH_IMPORTANCE,
                                             TIPC_CONN_MSG,
                                             err,
-                                             0,
                                             0);
                goto exit;
        }
@@ -583,11 +566,9 @@ void tipc_port_recv_proto_msg(struct sk_buff *buf)
                                             CONN_MANAGER,
                                             CONN_PROBE_REPLY,
                                             TIPC_OK,
-                                             port_out_seqno(p_ptr),
                                             0);
        }
        p_ptr->probing_state = CONFIRMED;
-        port_incr_out_seqno(p_ptr);
 exit:
        if (p_ptr)
                tipc_port_unlock(p_ptr);
@@ -596,29 +577,29 @@ exit:
        buf_discard(buf);
 }
-static void port_print(struct port *p_ptr, struct print_buf *buf, int full_id)
+static void port_print(struct tipc_port *p_ptr, struct print_buf *buf, int full_id)
 {
        struct publication *publ;
        if (full_id)
                tipc_printf(buf, "<%u.%u.%u:%u>:",
                            tipc_zone(tipc_own_addr), tipc_cluster(tipc_own_addr),
-                            tipc_node(tipc_own_addr), p_ptr->publ.ref);
+                            tipc_node(tipc_own_addr), p_ptr->ref);
        else
-                tipc_printf(buf, "%-10u:", p_ptr->publ.ref);
+                tipc_printf(buf, "%-10u:", p_ptr->ref);
-        if (p_ptr->publ.connected) {
+        if (p_ptr->connected) {
                u32 dport = port_peerport(p_ptr);
                u32 destnode = port_peernode(p_ptr);
                tipc_printf(buf, " connected to <%u.%u.%u:%u>",
                            tipc_zone(destnode), tipc_cluster(destnode),
                            tipc_node(destnode), dport);
-                if (p_ptr->publ.conn_type != 0)
+                if (p_ptr->conn_type != 0)
                        tipc_printf(buf, " via {%u,%u}",
-                                    p_ptr->publ.conn_type,
+                                    p_ptr->conn_type,
-                                    p_ptr->publ.conn_instance);
+                                    p_ptr->conn_instance);
-        } else if (p_ptr->publ.published) {
+        } else if (p_ptr->published) {
                tipc_printf(buf, " bound to");
                list_for_each_entry(publ, &p_ptr->publications, pport_list) {
                        if (publ->lower == publ->upper)
@@ -639,7 +620,7 @@ struct sk_buff *tipc_port_get_ports(void)
        struct sk_buff *buf;
        struct tlv_desc *rep_tlv;
        struct print_buf pb;
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        int str_len;
        buf = tipc_cfg_reply_alloc(TLV_SPACE(MAX_PORT_QUERY));
@@ -650,9 +631,9 @@ struct sk_buff *tipc_port_get_ports(void)
        tipc_printbuf_init(&pb, TLV_DATA(rep_tlv), MAX_PORT_QUERY);
        spin_lock_bh(&tipc_port_list_lock);
        list_for_each_entry(p_ptr, &ports, port_list) {
-                spin_lock_bh(p_ptr->publ.lock);
+                spin_lock_bh(p_ptr->lock);
                port_print(p_ptr, &pb, 0);
-                spin_unlock_bh(p_ptr->publ.lock);
+                spin_unlock_bh(p_ptr->lock);
        }
        spin_unlock_bh(&tipc_port_list_lock);
        str_len = tipc_printbuf_validate(&pb);
@@ -665,12 +646,12 @@ struct sk_buff *tipc_port_get_ports(void)
 void tipc_port_reinit(void)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        struct tipc_msg *msg;
        spin_lock_bh(&tipc_port_list_lock);
        list_for_each_entry(p_ptr, &ports, port_list) {
-                msg = &p_ptr->publ.phdr;
+                msg = &p_ptr->phdr;
                if (msg_orignode(msg) == tipc_own_addr)
                        break;
                msg_set_prevnode(msg, tipc_own_addr);
@@ -695,7 +676,7 @@ static void port_dispatcher_sigh(void *dummy)
        spin_unlock_bh(&queue_lock);
        while (buf) {
-                struct port *p_ptr;
+                struct tipc_port *p_ptr;
                struct user_port *up_ptr;
                struct tipc_portid orig;
                struct tipc_name_seq dseq;
@@ -720,8 +701,8 @@ static void port_dispatcher_sigh(void *dummy)
                orig.node = msg_orignode(msg);
                up_ptr = p_ptr->user_port;
                usr_handle = up_ptr->usr_handle;
-                connected = p_ptr->publ.connected;
+                connected = p_ptr->connected;
-                published = p_ptr->publ.published;
+                published = p_ptr->published;
                if (unlikely(msg_errcode(msg)))
                        goto err;
@@ -732,6 +713,7 @@ static void port_dispatcher_sigh(void *dummy)
                                tipc_conn_msg_event cb = up_ptr->conn_msg_cb;
                                u32 peer_port = port_peerport(p_ptr);
                                u32 peer_node = port_peernode(p_ptr);
+                                u32 dsz;
                                tipc_port_unlock(p_ptr);
                                if (unlikely(!cb))
@@ -742,13 +724,14 @@ static void port_dispatcher_sigh(void *dummy)
                                } else if ((msg_origport(msg) != peer_port) ||
                                           (msg_orignode(msg) != peer_node))
                                        goto reject;
-                                if (unlikely(++p_ptr->publ.conn_unacked >=
+                                dsz = msg_data_sz(msg);
-                                             TIPC_FLOW_CONTROL_WIN))
+                                if (unlikely(dsz &&
+                                             (++p_ptr->conn_unacked >=
+                                              TIPC_FLOW_CONTROL_WIN)))
                                        tipc_acknowledge(dref,
-                                                         p_ptr->publ.conn_unacked);
+                                                         p_ptr->conn_unacked);
                                skb_pull(buf, msg_hdr_sz(msg));
-                                cb(usr_handle, dref, &buf, msg_data(msg),
+                                cb(usr_handle, dref, &buf, msg_data(msg), dsz);
-                                   msg_data_sz(msg));
                                break;
                        }
                case TIPC_DIRECT_MSG:{
@@ -872,7 +855,7 @@ static u32 port_dispatcher(struct tipc_port *dummy, struct sk_buff *buf)
 static void port_wakeup_sh(unsigned long ref)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        struct user_port *up_ptr;
        tipc_continue_event cb = NULL;
        void *uh = NULL;
@@ -898,14 +881,14 @@ static void port_wakeup(struct tipc_port *p_ptr)
 void tipc_acknowledge(u32 ref, u32 ack)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        struct sk_buff *buf = NULL;
        p_ptr = tipc_port_lock(ref);
        if (!p_ptr)
                return;
-        if (p_ptr->publ.connected) {
+        if (p_ptr->connected) {
-                p_ptr->publ.conn_unacked -= ack;
+                p_ptr->conn_unacked -= ack;
                buf = port_build_proto_msg(port_peerport(p_ptr),
                                           port_peernode(p_ptr),
                                           ref,
@@ -913,7 +896,6 @@ void tipc_acknowledge(u32 ref, u32 ack)
                                           CONN_MANAGER,
                                           CONN_ACK,
                                           TIPC_OK,
-                                           port_out_seqno(p_ptr),
                                           ack);
        }
        tipc_port_unlock(p_ptr);
@@ -936,14 +918,14 @@ int tipc_createport(void *usr_handle,
                    u32 *portref)
 {
        struct user_port *up_ptr;
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        up_ptr = kmalloc(sizeof(*up_ptr), GFP_ATOMIC);
        if (!up_ptr) {
                warn("Port creation failed, no memory\n");
                return -ENOMEM;
        }
-        p_ptr = (struct port *)tipc_createport_raw(NULL, port_dispatcher,
+        p_ptr = (struct tipc_port *)tipc_createport_raw(NULL, port_dispatcher,
                                                   port_wakeup, importance);
        if (!p_ptr) {
                kfree(up_ptr);
@@ -952,7 +934,7 @@ int tipc_createport(void *usr_handle,
        p_ptr->user_port = up_ptr;
        up_ptr->usr_handle = usr_handle;
-        up_ptr->ref = p_ptr->publ.ref;
+        up_ptr->ref = p_ptr->ref;
        up_ptr->err_cb = error_cb;
        up_ptr->named_err_cb = named_error_cb;
        up_ptr->conn_err_cb = conn_error_cb;
@@ -960,26 +942,26 @@ int tipc_createport(void *usr_handle,
        up_ptr->named_msg_cb = named_msg_cb;
        up_ptr->conn_msg_cb = conn_msg_cb;
        up_ptr->continue_event_cb = continue_event_cb;
-        *portref = p_ptr->publ.ref;
+        *portref = p_ptr->ref;
        tipc_port_unlock(p_ptr);
        return 0;
 }
 int tipc_portimportance(u32 ref, unsigned int *importance)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        p_ptr = tipc_port_lock(ref);
        if (!p_ptr)
                return -EINVAL;
-        *importance = (unsigned int)msg_importance(&p_ptr->publ.phdr);
+        *importance = (unsigned int)msg_importance(&p_ptr->phdr);
        tipc_port_unlock(p_ptr);
        return 0;
 }
 int tipc_set_portimportance(u32 ref, unsigned int imp)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        if (imp > TIPC_CRITICAL_IMPORTANCE)
                return -EINVAL;
@@ -987,7 +969,7 @@ int tipc_set_portimportance(u32 ref, unsigned int imp)
        p_ptr = tipc_port_lock(ref);
        if (!p_ptr)
                return -EINVAL;
-        msg_set_importance(&p_ptr->publ.phdr, (u32)imp);
+        msg_set_importance(&p_ptr->phdr, (u32)imp);
        tipc_port_unlock(p_ptr);
        return 0;
 }
@@ -995,7 +977,7 @@ int tipc_set_portimportance(u32 ref, unsigned int imp)
 int tipc_publish(u32 ref, unsigned int scope, struct tipc_name_seq const *seq)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        struct publication *publ;
        u32 key;
        int res = -EINVAL;
@@ -1004,7 +986,7 @@ int tipc_publish(u32 ref, unsigned int scope, struct tipc_name_seq const *seq)
        if (!p_ptr)
                return -EINVAL;
-        if (p_ptr->publ.connected)
+        if (p_ptr->connected)
                goto exit;
        if (seq->lower > seq->upper)
                goto exit;
@@ -1016,11 +998,11 @@ int tipc_publish(u32 ref, unsigned int scope, struct tipc_name_seq const *seq)
                goto exit;
        }
        publ = tipc_nametbl_publish(seq->type, seq->lower, seq->upper,
-                                    scope, p_ptr->publ.ref, key);
+                                    scope, p_ptr->ref, key);
        if (publ) {
                list_add(&publ->pport_list, &p_ptr->publications);
                p_ptr->pub_count++;
-                p_ptr->publ.published = 1;
+                p_ptr->published = 1;
                res = 0;
        }
 exit:
@@ -1030,7 +1012,7 @@ exit:
 int tipc_withdraw(u32 ref, unsigned int scope, struct tipc_name_seq const *seq)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        struct publication *publ;
        struct publication *tpubl;
        int res = -EINVAL;
@@ -1063,37 +1045,37 @@ int tipc_withdraw(u32 ref, unsigned int scope, struct tipc_name_seq const *seq)
                }
        }
        if (list_empty(&p_ptr->publications))
-                p_ptr->publ.published = 0;
+                p_ptr->published = 0;
        tipc_port_unlock(p_ptr);
        return res;
 }
 int tipc_connect2port(u32 ref, struct tipc_portid const *peer)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        struct tipc_msg *msg;
        int res = -EINVAL;
        p_ptr = tipc_port_lock(ref);
        if (!p_ptr)
                return -EINVAL;
-        if (p_ptr->publ.published || p_ptr->publ.connected)
+        if (p_ptr->published || p_ptr->connected)
                goto exit;
        if (!peer->ref)
                goto exit;
-        msg = &p_ptr->publ.phdr;
+        msg = &p_ptr->phdr;
        msg_set_destnode(msg, peer->node);
        msg_set_destport(msg, peer->ref);
        msg_set_orignode(msg, tipc_own_addr);
-        msg_set_origport(msg, p_ptr->publ.ref);
+        msg_set_origport(msg, p_ptr->ref);
-        msg_set_transp_seqno(msg, 42);
        msg_set_type(msg, TIPC_CONN_MSG);
+        msg_set_lookup_scope(msg, 0);
        msg_set_hdr_sz(msg, SHORT_H_SIZE);
        p_ptr->probing_interval = PROBING_INTERVAL;
        p_ptr->probing_state = CONFIRMED;
-        p_ptr->publ.connected = 1;
+        p_ptr->connected = 1;
        k_start_timer(&p_ptr->timer, p_ptr->probing_interval);
        tipc_nodesub_subscribe(&p_ptr->subscription, peer->node,
@@ -1102,7 +1084,7 @@ int tipc_connect2port(u32 ref, struct tipc_portid const *peer)
        res = 0;
 exit:
        tipc_port_unlock(p_ptr);
-        p_ptr->publ.max_pkt = tipc_link_get_max_pkt(peer->node, ref);
+        p_ptr->max_pkt = tipc_link_get_max_pkt(peer->node, ref);
        return res;
 }
@@ -1120,7 +1102,7 @@ int tipc_disconnect_port(struct tipc_port *tp_ptr)
                tp_ptr->connected = 0;
                /* let timer expire on it's own to avoid deadlock! */
                tipc_nodesub_unsubscribe(
-                        &((struct port *)tp_ptr)->subscription);
+                        &((struct tipc_port *)tp_ptr)->subscription);
                res = 0;
        } else {
                res = -ENOTCONN;
@@ -1135,7 +1117,7 @@ int tipc_disconnect_port(struct tipc_port *tp_ptr)
 int tipc_disconnect(u32 ref)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        int res;
        p_ptr = tipc_port_lock(ref);
@@ -1151,15 +1133,15 @@ int tipc_disconnect(u32 ref)
 */
 int tipc_shutdown(u32 ref)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        struct sk_buff *buf = NULL;
        p_ptr = tipc_port_lock(ref);
        if (!p_ptr)
                return -EINVAL;
-        if (p_ptr->publ.connected) {
+        if (p_ptr->connected) {
-                u32 imp = msg_importance(&p_ptr->publ.phdr);
+                u32 imp = msg_importance(&p_ptr->phdr);
                if (imp < TIPC_CRITICAL_IMPORTANCE)
                        imp++;
                buf = port_build_proto_msg(port_peerport(p_ptr),
@@ -1169,7 +1151,6 @@ int tipc_shutdown(u32 ref)
                                           imp,
                                           TIPC_CONN_MSG,
                                           TIPC_CONN_SHUTDOWN,
-                                           port_out_seqno(p_ptr),
                                           0);
        }
        tipc_port_unlock(p_ptr);
@@ -1182,13 +1163,14 @@ int tipc_shutdown(u32 ref)
 *                        message for this node.
 */
-static int tipc_port_recv_sections(struct port *sender, unsigned int num_sect,
+static int tipc_port_recv_sections(struct tipc_port *sender, unsigned int num_sect,
-                                   struct iovec const *msg_sect)
+                                   struct iovec const *msg_sect,
+                                   unsigned int total_len)
 {
        struct sk_buff *buf;
        int res;
-        res = tipc_msg_build(&sender->publ.phdr, msg_sect, num_sect,
+        res = tipc_msg_build(&sender->phdr, msg_sect, num_sect, total_len,
                        MAX_MSG_SIZE, !sender->user_port, &buf);
        if (likely(buf))
                tipc_port_recv_msg(buf);
@@ -1199,36 +1181,37 @@ static int tipc_port_recv_sections(struct port *sender, unsigned int num_sect,
 * tipc_send - send message sections on connection
 */
-int tipc_send(u32 ref, unsigned int num_sect, struct iovec const *msg_sect)
+int tipc_send(u32 ref, unsigned int num_sect, struct iovec const *msg_sect,
+              unsigned int total_len)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        u32 destnode;
        int res;
        p_ptr = tipc_port_deref(ref);
-        if (!p_ptr || !p_ptr->publ.connected)
+        if (!p_ptr || !p_ptr->connected)
                return -EINVAL;
-        p_ptr->publ.congested = 1;
+        p_ptr->congested = 1;
        if (!tipc_port_congested(p_ptr)) {
                destnode = port_peernode(p_ptr);
                if (likely(destnode != tipc_own_addr))
                        res = tipc_link_send_sections_fast(p_ptr, msg_sect, num_sect,
-                                                           destnode);
+                                                           total_len, destnode);
                else
-                        res = tipc_port_recv_sections(p_ptr, num_sect, msg_sect);
+                        res = tipc_port_recv_sections(p_ptr, num_sect, msg_sect,
+                                                      total_len);
                if (likely(res != -ELINKCONG)) {
-                        port_incr_out_seqno(p_ptr);
+                        p_ptr->congested = 0;
-                        p_ptr->publ.congested = 0;
+                        if (res > 0)
-                        p_ptr->sent++;
+                                p_ptr->sent++;
                        return res;
                }
        }
        if (port_unreliable(p_ptr)) {
-                p_ptr->publ.congested = 0;
+                p_ptr->congested = 0;
-                /* Just calculate msg length and return */
+                return total_len;
-                return tipc_msg_calc_data_size(msg_sect, num_sect);
        }
        return -ELINKCONG;
 }
@@ -1238,19 +1221,20 @@ int tipc_send(u32 ref, unsigned int num_sect, struct iovec const *msg_sect)
 */
 int tipc_send2name(u32 ref, struct tipc_name const *name, unsigned int domain,
-           unsigned int num_sect, struct iovec const *msg_sect)
+                   unsigned int num_sect, struct iovec const *msg_sect,
+                   unsigned int total_len)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        struct tipc_msg *msg;
        u32 destnode = domain;
        u32 destport;
        int res;
        p_ptr = tipc_port_deref(ref);
-        if (!p_ptr || p_ptr->publ.connected)
+        if (!p_ptr || p_ptr->connected)
                return -EINVAL;
-        msg = &p_ptr->publ.phdr;
+        msg = &p_ptr->phdr;
        msg_set_type(msg, TIPC_NAMED_MSG);
        msg_set_orignode(msg, tipc_own_addr);
        msg_set_origport(msg, ref);
@@ -1263,21 +1247,25 @@ int tipc_send2name(u32 ref, struct tipc_name const *name, unsigned int domain,
        msg_set_destport(msg, destport);
        if (likely(destport)) {
-                p_ptr->sent++;
                if (likely(destnode == tipc_own_addr))
-                        return tipc_port_recv_sections(p_ptr, num_sect, msg_sect);
+                        res = tipc_port_recv_sections(p_ptr, num_sect,
-                res = tipc_link_send_sections_fast(p_ptr, msg_sect, num_sect,
+                                                      msg_sect, total_len);
-                                                   destnode);
+                else
-                if (likely(res != -ELINKCONG))
+                        res = tipc_link_send_sections_fast(p_ptr, msg_sect,
+                                                           num_sect, total_len,
+                                                           destnode);
+                if (likely(res != -ELINKCONG)) {
+                        if (res > 0)
+                                p_ptr->sent++;
                        return res;
+                }
                if (port_unreliable(p_ptr)) {
-                        /* Just calculate msg length and return */
+                        return total_len;
-                        return tipc_msg_calc_data_size(msg_sect, num_sect);
                }
                return -ELINKCONG;
        }
        return tipc_port_reject_sections(p_ptr, msg, msg_sect, num_sect,
-                                         TIPC_ERR_NO_NAME);
+                                         total_len, TIPC_ERR_NO_NAME);
 }
 /**
@@ -1285,32 +1273,39 @@ int tipc_send2name(u32 ref, struct tipc_name const *name, unsigned int domain,
 */
 int tipc_send2port(u32 ref, struct tipc_portid const *dest,
-           unsigned int num_sect, struct iovec const *msg_sect)
+                   unsigned int num_sect, struct iovec const *msg_sect,
+                   unsigned int total_len)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        struct tipc_msg *msg;
        int res;
        p_ptr = tipc_port_deref(ref);
-        if (!p_ptr || p_ptr->publ.connected)
+        if (!p_ptr || p_ptr->connected)
                return -EINVAL;
-        msg = &p_ptr->publ.phdr;
+        msg = &p_ptr->phdr;
        msg_set_type(msg, TIPC_DIRECT_MSG);
+        msg_set_lookup_scope(msg, 0);
        msg_set_orignode(msg, tipc_own_addr);
        msg_set_origport(msg, ref);
        msg_set_destnode(msg, dest->node);
        msg_set_destport(msg, dest->ref);
        msg_set_hdr_sz(msg, DIR_MSG_H_SIZE);
-        p_ptr->sent++;
        if (dest->node == tipc_own_addr)
-                return tipc_port_recv_sections(p_ptr, num_sect, msg_sect);
+                res =  tipc_port_recv_sections(p_ptr, num_sect, msg_sect,
-        res = tipc_link_send_sections_fast(p_ptr, msg_sect, num_sect, dest->node);
+                                               total_len);
-        if (likely(res != -ELINKCONG))
+        else
+                res = tipc_link_send_sections_fast(p_ptr, msg_sect, num_sect,
+                                                   total_len, dest->node);
+        if (likely(res != -ELINKCONG)) {
+                if (res > 0)
+                        p_ptr->sent++;
                return res;
+        }
        if (port_unreliable(p_ptr)) {
-                /* Just calculate msg length and return */
+                return total_len;
-                return tipc_msg_calc_data_size(msg_sect, num_sect);
        }
        return -ELINKCONG;
 }
@@ -1322,15 +1317,15 @@ int tipc_send2port(u32 ref, struct tipc_portid const *dest,
 int tipc_send_buf2port(u32 ref, struct tipc_portid const *dest,
               struct sk_buff *buf, unsigned int dsz)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        struct tipc_msg *msg;
        int res;
-        p_ptr = (struct port *)tipc_ref_deref(ref);
+        p_ptr = (struct tipc_port *)tipc_ref_deref(ref);
-        if (!p_ptr || p_ptr->publ.connected)
+        if (!p_ptr || p_ptr->connected)
                return -EINVAL;
-        msg = &p_ptr->publ.phdr;
+        msg = &p_ptr->phdr;
        msg_set_type(msg, TIPC_DIRECT_MSG);
        msg_set_orignode(msg, tipc_own_addr);
        msg_set_origport(msg, ref);
@@ -1343,12 +1338,16 @@ int tipc_send_buf2port(u32 ref, struct tipc_portid const *dest,
        skb_push(buf, DIR_MSG_H_SIZE);
        skb_copy_to_linear_data(buf, msg, DIR_MSG_H_SIZE);
-        p_ptr->sent++;
        if (dest->node == tipc_own_addr)
-                return tipc_port_recv_msg(buf);
+                res = tipc_port_recv_msg(buf);
-        res = tipc_send_buf_fast(buf, dest->node);
+        else
-        if (likely(res != -ELINKCONG))
+                res = tipc_send_buf_fast(buf, dest->node);
+        if (likely(res != -ELINKCONG)) {
+                if (res > 0)
+                        p_ptr->sent++;
                return res;
+        }
        if (port_unreliable(p_ptr))
                return dsz;
        return -ELINKCONG;
diff --git a/net/tipc/port.h b/net/tipc/port.h
index 8e84b989949c..b9aa34195aec 100644
--- a/net/tipc/port.h
+++ b/net/tipc/port.h
@@ -2,7 +2,7 @@
 * net/tipc/port.h: Include file for TIPC port code
 *
 * Copyright (c) 1994-2007, Ericsson AB
- * Copyright (c) 2004-2007, Wind River Systems
+ * Copyright (c) 2004-2007, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -95,7 +95,7 @@ struct user_port {
 };
 /**
- * struct tipc_port - TIPC port info available to socket API
+ * struct tipc_port - TIPC port structure
 * @usr_handle: pointer to additional user-defined information about port
 * @lock: pointer to spinlock for controlling access to port
 * @connected: non-zero if port is currently connected to a peer port
@@ -107,43 +107,33 @@ struct user_port {
 * @max_pkt: maximum packet size "hint" used when building messages sent by port
 * @ref: unique reference to port in TIPC object registry
 * @phdr: preformatted message header used when sending messages
- */
-struct tipc_port {
-        void *usr_handle;
-        spinlock_t *lock;
-        int connected;
-        u32 conn_type;
-        u32 conn_instance;
-        u32 conn_unacked;
-        int published;
-        u32 congested;
-        u32 max_pkt;
-        u32 ref;
-        struct tipc_msg phdr;
-};
-/**
- * struct port - TIPC port structure
- * @publ: TIPC port info available to privileged users
 * @port_list: adjacent ports in TIPC's global list of ports
 * @dispatcher: ptr to routine which handles received messages
 * @wakeup: ptr to routine to call when port is no longer congested
 * @user_port: ptr to user port associated with port (if any)
 * @wait_list: adjacent ports in list of ports waiting on link congestion
 * @waiting_pkts:
- * @sent:
+ * @sent: # of non-empty messages sent by port
- * @acked:
+ * @acked: # of non-empty message acknowledgements from connected port's peer
 * @publications: list of publications for port
 * @pub_count: total # of publications port has made during its lifetime
 * @probing_state:
 * @probing_interval:
- * @last_in_seqno:
 * @timer_ref:
 * @subscription: "node down" subscription used to terminate failed connections
 */
+struct tipc_port {
-struct port {
+        void *usr_handle;
-        struct tipc_port publ;
+        spinlock_t *lock;
+        int connected;
+        u32 conn_type;
+        u32 conn_instance;
+        u32 conn_unacked;
+        int published;
+        u32 congested;
+        u32 max_pkt;
+        u32 ref;
+        struct tipc_msg phdr;
        struct list_head port_list;
        u32 (*dispatcher)(struct tipc_port *, struct sk_buff *);
        void (*wakeup)(struct tipc_port *);
@@ -156,7 +146,6 @@ struct port {
        u32 pub_count;
        u32 probing_state;
        u32 probing_interval;
-        u32 last_in_seqno;
        struct timer_list timer;
        struct tipc_node_subscr subscription;
 };
@@ -216,23 +205,27 @@ int tipc_disconnect_port(struct tipc_port *tp_ptr);
 /*
 * TIPC messaging routines
 */
-int tipc_send(u32 portref, unsigned int num_sect, struct iovec const *msg_sect);
+int tipc_send(u32 portref, unsigned int num_sect, struct iovec const *msg_sect,
+              unsigned int total_len);
 int tipc_send2name(u32 portref, struct tipc_name const *name, u32 domain,
-                unsigned int num_sect, struct iovec const *msg_sect);
+                   unsigned int num_sect, struct iovec const *msg_sect,
+                   unsigned int total_len);
 int tipc_send2port(u32 portref, struct tipc_portid const *dest,
-                unsigned int num_sect, struct iovec const *msg_sect);
+                   unsigned int num_sect, struct iovec const *msg_sect,
+                   unsigned int total_len);
 int tipc_send_buf2port(u32 portref, struct tipc_portid const *dest,
                struct sk_buff *buf, unsigned int dsz);
 int tipc_multicast(u32 portref, struct tipc_name_seq const *seq,
-                unsigned int section_count, struct iovec const *msg);
+                   unsigned int section_count, struct iovec const *msg,
+                   unsigned int total_len);
-int tipc_port_reject_sections(struct port *p_ptr, struct tipc_msg *hdr,
+int tipc_port_reject_sections(struct tipc_port *p_ptr, struct tipc_msg *hdr,
                              struct iovec const *msg_sect, u32 num_sect,
-                              int err);
+                              unsigned int total_len, int err);
 struct sk_buff *tipc_port_get_ports(void);
 void tipc_port_recv_proto_msg(struct sk_buff *buf);
 void tipc_port_recv_mcast(struct sk_buff *buf, struct port_list *dp);
@@ -242,9 +235,9 @@ void tipc_port_reinit(void);
 * tipc_port_lock - lock port instance referred to and return its pointer
 */
-static inline struct port *tipc_port_lock(u32 ref)
+static inline struct tipc_port *tipc_port_lock(u32 ref)
 {
-        return (struct port *)tipc_ref_lock(ref);
+        return (struct tipc_port *)tipc_ref_lock(ref);
 }
 /**
@@ -253,27 +246,27 @@ static inline struct port *tipc_port_lock(u32 ref)
 * Can use pointer instead of tipc_ref_unlock() since port is already locked.
 */
-static inline void tipc_port_unlock(struct port *p_ptr)
+static inline void tipc_port_unlock(struct tipc_port *p_ptr)
 {
-        spin_unlock_bh(p_ptr->publ.lock);
+        spin_unlock_bh(p_ptr->lock);
 }
-static inline struct port *tipc_port_deref(u32 ref)
+static inline struct tipc_port *tipc_port_deref(u32 ref)
 {
-        return (struct port *)tipc_ref_deref(ref);
+        return (struct tipc_port *)tipc_ref_deref(ref);
 }
-static inline u32 tipc_peer_port(struct port *p_ptr)
+static inline u32 tipc_peer_port(struct tipc_port *p_ptr)
 {
-        return msg_destport(&p_ptr->publ.phdr);
+        return msg_destport(&p_ptr->phdr);
 }
-static inline u32 tipc_peer_node(struct port *p_ptr)
+static inline u32 tipc_peer_node(struct tipc_port *p_ptr)
 {
-        return msg_destnode(&p_ptr->publ.phdr);
+        return msg_destnode(&p_ptr->phdr);
 }
-static inline int tipc_port_congested(struct port *p_ptr)
+static inline int tipc_port_congested(struct tipc_port *p_ptr)
 {
        return (p_ptr->sent - p_ptr->acked) >= (TIPC_FLOW_CONTROL_WIN * 2);
 }
@@ -284,7 +277,7 @@ static inline int tipc_port_congested(struct port *p_ptr)
 static inline int tipc_port_recv_msg(struct sk_buff *buf)
 {
-        struct port *p_ptr;
+        struct tipc_port *p_ptr;
        struct tipc_msg *msg = buf_msg(buf);
        u32 destport = msg_destport(msg);
        u32 dsz = msg_data_sz(msg);
@@ -299,7 +292,7 @@ static inline int tipc_port_recv_msg(struct sk_buff *buf)
        /* validate destination & pass to port, otherwise reject message */
        p_ptr = tipc_port_lock(destport);
        if (likely(p_ptr)) {
-                if (likely(p_ptr->publ.connected)) {
+                if (likely(p_ptr->connected)) {
                        if ((unlikely(msg_origport(msg) != tipc_peer_port(p_ptr))) ||
                            (unlikely(msg_orignode(msg) != tipc_peer_node(p_ptr))) ||
                            (unlikely(!msg_connected(msg)))) {
@@ -308,7 +301,7 @@ static inline int tipc_port_recv_msg(struct sk_buff *buf)
                                goto reject;
                        }
                }
-                err = p_ptr->dispatcher(&p_ptr->publ, buf);
+                err = p_ptr->dispatcher(p_ptr, buf);
                tipc_port_unlock(p_ptr);
                if (likely(!err))
                        return dsz;
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 2b02a3a80313..338837396642 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2,7 +2,7 @@
 * net/tipc/socket.c: TIPC socket API
 *
 * Copyright (c) 2001-2007, Ericsson AB
- * Copyright (c) 2004-2008, Wind River Systems
+ * Copyright (c) 2004-2008, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -58,6 +58,9 @@ struct tipc_sock {
 #define tipc_sk(sk) ((struct tipc_sock *)(sk))
 #define tipc_sk_port(sk) ((struct tipc_port *)(tipc_sk(sk)->p))
+#define tipc_rx_ready(sock) (!skb_queue_empty(&sock->sk->sk_receive_queue) || \
+                        (sock->state == SS_DISCONNECTING))
 static int backlog_rcv(struct sock *sk, struct sk_buff *skb);
 static u32 dispatch(struct tipc_port *tport, struct sk_buff *buf);
 static void wakeupdispatch(struct tipc_port *tport);
@@ -241,7 +244,6 @@ static int tipc_create(struct net *net, struct socket *sock, int protocol,
                        tipc_set_portunreliable(tp_ptr->ref, 1);
        }
-        atomic_inc(&tipc_user_count);
        return 0;
 }
@@ -290,7 +292,7 @@ static int release(struct socket *sock)
                if (buf == NULL)
                        break;
                atomic_dec(&tipc_queue_size);
-                if (TIPC_SKB_CB(buf)->handle != msg_data(buf_msg(buf)))
+                if (TIPC_SKB_CB(buf)->handle != 0)
                        buf_discard(buf);
                else {
                        if ((sock->state == SS_CONNECTING) ||
@@ -321,7 +323,6 @@ static int release(struct socket *sock)
        sock_put(sk);
        sock->sk = NULL;
-        atomic_dec(&tipc_user_count);
        return res;
 }
@@ -495,6 +496,8 @@ static int dest_name_check(struct sockaddr_tipc *dest, struct msghdr *m)
        if (likely(dest->addr.name.name.type != TIPC_CFG_SRV))
                return -EACCES;
+        if (!m->msg_iovlen || (m->msg_iov[0].iov_len < sizeof(hdr)))
+                return -EMSGSIZE;
        if (copy_from_user(&hdr, m->msg_iov[0].iov_base, sizeof(hdr)))
                return -EFAULT;
        if ((ntohs(hdr.tcm_type) & 0xC000) && (!capable(CAP_NET_ADMIN)))
@@ -532,6 +535,9 @@ static int send_msg(struct kiocb *iocb, struct socket *sock,
        if (unlikely((m->msg_namelen < sizeof(*dest)) ||
                     (dest->family != AF_TIPC)))
                return -EINVAL;
+        if ((total_len > TIPC_MAX_USER_MSG_SIZE) ||
+            (m->msg_iovlen > (unsigned)INT_MAX))
+                return -EMSGSIZE;
        if (iocb)
                lock_sock(sk);
@@ -570,12 +576,14 @@ static int send_msg(struct kiocb *iocb, struct socket *sock,
                                             &dest->addr.name.name,
                                             dest->addr.name.domain,
                                             m->msg_iovlen,
-                                             m->msg_iov);
+                                             m->msg_iov,
+                                             total_len);
                } else if (dest->addrtype == TIPC_ADDR_ID) {
                        res = tipc_send2port(tport->ref,
                                             &dest->addr.id,
                                             m->msg_iovlen,
-                                             m->msg_iov);
+                                             m->msg_iov,
+                                             total_len);
                } else if (dest->addrtype == TIPC_ADDR_MCAST) {
                        if (needs_conn) {
                                res = -EOPNOTSUPP;
@@ -587,7 +595,8 @@ static int send_msg(struct kiocb *iocb, struct socket *sock,
                        res = tipc_multicast(tport->ref,
                                             &dest->addr.nameseq,
                                             m->msg_iovlen,
-                                             m->msg_iov);
+                                             m->msg_iov,
+                                             total_len);
                }
                if (likely(res != -ELINKCONG)) {
                        if (needs_conn && (res >= 0))
@@ -637,6 +646,10 @@ static int send_packet(struct kiocb *iocb, struct socket *sock,
        if (unlikely(dest))
                return send_msg(iocb, sock, m, total_len);
+        if ((total_len > TIPC_MAX_USER_MSG_SIZE) ||
+            (m->msg_iovlen > (unsigned)INT_MAX))
+                return -EMSGSIZE;
        if (iocb)
                lock_sock(sk);
@@ -649,7 +662,8 @@ static int send_packet(struct kiocb *iocb, struct socket *sock,
                        break;
                }
-                res = tipc_send(tport->ref, m->msg_iovlen, m->msg_iov);
+                res = tipc_send(tport->ref, m->msg_iovlen, m->msg_iov,
+                                total_len);
                if (likely(res != -ELINKCONG))
                        break;
                if (m->msg_flags & MSG_DONTWAIT) {
@@ -720,6 +734,12 @@ static int send_stream(struct kiocb *iocb, struct socket *sock,
                goto exit;
        }
+        if ((total_len > (unsigned)INT_MAX) ||
+            (m->msg_iovlen > (unsigned)INT_MAX)) {
+                res = -EMSGSIZE;
+                goto exit;
+        }
        /*
         * Send each iovec entry using one or more messages
         *
@@ -750,7 +770,7 @@ static int send_stream(struct kiocb *iocb, struct socket *sock,
                                bytes_to_send = curr_left;
                        my_iov.iov_base = curr_start;
                        my_iov.iov_len = bytes_to_send;
-                        res = send_packet(NULL, sock, &my_msg, 0);
+                        res = send_packet(NULL, sock, &my_msg, bytes_to_send);
                        if (res < 0) {
                                if (bytes_sent)
                                        res = bytes_sent;
@@ -911,15 +931,13 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock,
        struct tipc_port *tport = tipc_sk_port(sk);
        struct sk_buff *buf;
        struct tipc_msg *msg;
+        long timeout;
        unsigned int sz;
        u32 err;
        int res;
        /* Catch invalid receive requests */
-        if (m->msg_iovlen != 1)
-                return -EOPNOTSUPP;   /* Don't do multiple iovec entries yet */
        if (unlikely(!buf_len))
                return -EINVAL;
@@ -930,6 +948,7 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock,
                goto exit;
        }
+        timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
 restart:
        /* Look for a message in receive queue; wait if necessary */
@@ -939,17 +958,15 @@ restart:
                        res = -ENOTCONN;
                        goto exit;
                }
-                if (flags & MSG_DONTWAIT) {
+                if (timeout <= 0L) {
-                        res = -EWOULDBLOCK;
+                        res = timeout ? timeout : -EWOULDBLOCK;
                        goto exit;
                }
                release_sock(sk);
-                res = wait_event_interruptible(*sk_sleep(sk),
+                timeout = wait_event_interruptible_timeout(*sk_sleep(sk),
-                        (!skb_queue_empty(&sk->sk_receive_queue) ||
+                                                           tipc_rx_ready(sock),
-                         (sock->state == SS_DISCONNECTING)));
+                                                           timeout);
                lock_sock(sk);
-                if (res)
-                        goto exit;
        }
        /* Look at first message in receive queue */
@@ -991,11 +1008,10 @@ restart:
                        sz = buf_len;
                        m->msg_flags |= MSG_TRUNC;
                }
-                if (unlikely(copy_to_user(m->msg_iov->iov_base, msg_data(msg),
+                res = skb_copy_datagram_iovec(buf, msg_hdr_sz(msg),
-                                          sz))) {
+                                              m->msg_iov, sz);
-                        res = -EFAULT;
+                if (res)
                        goto exit;
-                }
                res = sz;
        } else {
                if ((sock->state == SS_READY) ||
@@ -1038,19 +1054,15 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock,
        struct tipc_port *tport = tipc_sk_port(sk);
        struct sk_buff *buf;
        struct tipc_msg *msg;
+        long timeout;
        unsigned int sz;
        int sz_to_copy, target, needed;
        int sz_copied = 0;
-        char __user *crs = m->msg_iov->iov_base;
-        unsigned char *buf_crs;
        u32 err;
        int res = 0;
        /* Catch invalid receive attempts */
-        if (m->msg_iovlen != 1)
-                return -EOPNOTSUPP;   /* Don't do multiple iovec entries yet */
        if (unlikely(!buf_len))
                return -EINVAL;
@@ -1063,7 +1075,7 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock,
        }
        target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len);
+        timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
 restart:
        /* Look for a message in receive queue; wait if necessary */
@@ -1073,17 +1085,15 @@ restart:
                        res = -ENOTCONN;
                        goto exit;
                }
-                if (flags & MSG_DONTWAIT) {
+                if (timeout <= 0L) {
-                        res = -EWOULDBLOCK;
+                        res = timeout ? timeout : -EWOULDBLOCK;
                        goto exit;
                }
                release_sock(sk);
-                res = wait_event_interruptible(*sk_sleep(sk),
+                timeout = wait_event_interruptible_timeout(*sk_sleep(sk),
-                        (!skb_queue_empty(&sk->sk_receive_queue) ||
+                                                           tipc_rx_ready(sock),
-                         (sock->state == SS_DISCONNECTING)));
+                                                           timeout);
                lock_sock(sk);
-                if (res)
-                        goto exit;
        }
        /* Look at first message in receive queue */
@@ -1112,24 +1122,25 @@ restart:
        /* Capture message data (if valid) & compute return value (always) */
        if (!err) {
-                buf_crs = (unsigned char *)(TIPC_SKB_CB(buf)->handle);
+                u32 offset = (u32)(unsigned long)(TIPC_SKB_CB(buf)->handle);
-                sz = (unsigned char *)msg + msg_size(msg) - buf_crs;
+                sz -= offset;
                needed = (buf_len - sz_copied);
                sz_to_copy = (sz <= needed) ? sz : needed;
-                if (unlikely(copy_to_user(crs, buf_crs, sz_to_copy))) {
-                        res = -EFAULT;
+                res = skb_copy_datagram_iovec(buf, msg_hdr_sz(msg) + offset,
+                                              m->msg_iov, sz_to_copy);
+                if (res)
                        goto exit;
-                }
                sz_copied += sz_to_copy;
                if (sz_to_copy < sz) {
                        if (!(flags & MSG_PEEK))
-                                TIPC_SKB_CB(buf)->handle = buf_crs + sz_to_copy;
+                                TIPC_SKB_CB(buf)->handle =
+                                (void *)(unsigned long)(offset + sz_to_copy);
                        goto exit;
                }
-                crs += sz_to_copy;
        } else {
                if (sz_copied != 0)
                        goto exit; /* can't add error msg to valid data */
@@ -1256,7 +1267,7 @@ static u32 filter_rcv(struct sock *sk, struct sk_buff *buf)
        /* Enqueue message (finally!) */
-        TIPC_SKB_CB(buf)->handle = msg_data(msg);
+        TIPC_SKB_CB(buf)->handle = 0;
        atomic_inc(&tipc_queue_size);
        __skb_queue_tail(&sk->sk_receive_queue, buf);
@@ -1608,7 +1619,7 @@ restart:
                buf = __skb_dequeue(&sk->sk_receive_queue);
                if (buf) {
                        atomic_dec(&tipc_queue_size);
-                        if (TIPC_SKB_CB(buf)->handle != msg_data(buf_msg(buf))) {
+                        if (TIPC_SKB_CB(buf)->handle != 0) {
                                buf_discard(buf);
                                goto restart;
                        }
diff --git a/net/tipc/subscr.c b/net/tipc/subscr.c
index ca04479c3d42..6cf726863485 100644
--- a/net/tipc/subscr.c
+++ b/net/tipc/subscr.c
@@ -2,7 +2,7 @@
 * net/tipc/subscr.c: TIPC network topology service
 *
 * Copyright (c) 2000-2006, Ericsson AB
- * Copyright (c) 2005-2007, Wind River Systems
+ * Copyright (c) 2005-2007, 2010-2011, Wind River Systems
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -109,7 +109,7 @@ static void subscr_send_event(struct subscription *sub,
        sub->evt.found_upper = htohl(found_upper, sub->swap);
        sub->evt.port.ref = htohl(port_ref, sub->swap);
        sub->evt.port.node = htohl(node, sub->swap);
-        tipc_send(sub->server_ref, 1, &msg_sect);
+        tipc_send(sub->server_ref, 1, &msg_sect, msg_sect.iov_len);
 }
 /**
@@ -160,7 +160,7 @@ void tipc_subscr_report_overlap(struct subscription *sub,
 static void subscr_timeout(struct subscription *sub)
 {
-        struct port *server_port;
+        struct tipc_port *server_port;
        /* Validate server port reference (in case subscriber is terminating) */
@@ -472,8 +472,6 @@ static void subscr_named_msg_event(void *usr_handle,
                                   struct tipc_portid const *orig,
                                   struct tipc_name_seq const *dest)
 {
-        static struct iovec msg_sect = {NULL, 0};
        struct subscriber *subscriber;
        u32 server_port_ref;
@@ -508,7 +506,7 @@ static void subscr_named_msg_event(void *usr_handle,
        /* Lock server port (& save lock address for future use) */
-        subscriber->lock = tipc_port_lock(subscriber->port_ref)->publ.lock;
+        subscriber->lock = tipc_port_lock(subscriber->port_ref)->lock;
        /* Add subscriber to topology server's subscriber list */
@@ -523,7 +521,7 @@ static void subscr_named_msg_event(void *usr_handle,
        /* Send an ACK- to complete connection handshaking */
-        tipc_send(server_port_ref, 1, &msg_sect);
+        tipc_send(server_port_ref, 0, NULL, 0);
        /* Handle optional subscription request */
@@ -542,7 +540,6 @@ int tipc_subscr_start(void)
        spin_lock_init(&topsrv.lock);
        INIT_LIST_HEAD(&topsrv.subscriber_list);
-        spin_lock_bh(&topsrv.lock);
        res = tipc_createport(NULL,
                              TIPC_CRITICAL_IMPORTANCE,
                              NULL,
@@ -563,12 +560,10 @@ int tipc_subscr_start(void)
                goto failed;
        }
-        spin_unlock_bh(&topsrv.lock);
        return 0;
 failed:
        err("Failed to create subscription service\n");
-        spin_unlock_bh(&topsrv.lock);
        return res;
 }
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index dd419d286204..b1d75beb7e20 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -207,7 +207,7 @@ static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned *hashp)
                /*
                 * This may look like an off by one error but it is a bit more
                 * subtle. 108 is the longest valid AF_UNIX path for a binding.
-                 * sun_path[108] doesnt as such exist.  However in kernel space
+                 * sun_path[108] doesn't as such exist.  However in kernel space
                 * we are guaranteed that it is a valid memory location in our
                 * kernel address buffer.
                 */
@@ -524,6 +524,8 @@ static int unix_dgram_connect(struct socket *, struct sockaddr *,
                              int, int);
 static int unix_seqpacket_sendmsg(struct kiocb *, struct socket *,
                                  struct msghdr *, size_t);
+static int unix_seqpacket_recvmsg(struct kiocb *, struct socket *,
+                                  struct msghdr *, size_t, int);
 static const struct proto_ops unix_stream_ops = {
        .family =       PF_UNIX,
@@ -583,7 +585,7 @@ static const struct proto_ops unix_seqpacket_ops = {
        .setsockopt =   sock_no_setsockopt,
        .getsockopt =   sock_no_getsockopt,
        .sendmsg =      unix_seqpacket_sendmsg,
-        .recvmsg =      unix_dgram_recvmsg,
+        .recvmsg =      unix_seqpacket_recvmsg,
        .mmap =         sock_no_mmap,
        .sendpage =     sock_no_sendpage,
 };
@@ -850,7 +852,7 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                 * Get the parent directory, calculate the hash for last
                 * component.
                 */
-                err = path_lookup(sunaddr->sun_path, LOOKUP_PARENT, &nd);
+                err = kern_path_parent(sunaddr->sun_path, &nd);
                if (err)
                        goto out_mknod_parent;
@@ -1124,7 +1126,7 @@ restart:
        /* Latch our state.
-           It is tricky place. We need to grab write lock and cannot
+           It is tricky place. We need to grab our state lock and cannot
           drop lock on peer. It is dangerous because deadlock is
           possible. Connect to self case and simultaneous
           attempt to connect are eliminated by checking socket
@@ -1171,7 +1173,7 @@ restart:
        newsk->sk_type          = sk->sk_type;
        init_peercred(newsk);
        newu = unix_sk(newsk);
-        newsk->sk_wq            = &newu->peer_wq;
+        RCU_INIT_POINTER(newsk->sk_wq, &newu->peer_wq);
        otheru = unix_sk(other);
        /* copy address information from listening to new sock*/
@@ -1475,6 +1477,12 @@ restart:
                        goto out_free;
        }
+        if (sk_filter(other, skb) < 0) {
+                /* Toss the packet but do not return any error to the sender */
+                err = len;
+                goto out_free;
+        }
        unix_state_lock(other);
        err = -EPERM;
        if (!unix_may_send(sk, other))
@@ -1561,7 +1569,6 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
        struct sock_iocb *siocb = kiocb_to_siocb(kiocb);
        struct sock *sk = sock->sk;
        struct sock *other = NULL;
-        struct sockaddr_un *sunaddr = msg->msg_name;
        int err, size;
        struct sk_buff *skb;
        int sent = 0;
@@ -1584,7 +1591,6 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
                err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
                goto out_err;
        } else {
-                sunaddr = NULL;
                err = -ENOTCONN;
                other = unix_peer(sk);
                if (!other)
@@ -1695,6 +1701,18 @@ static int unix_seqpacket_sendmsg(struct kiocb *kiocb, struct socket *sock,
        return unix_dgram_sendmsg(kiocb, sock, msg, len);
 }
+static int unix_seqpacket_recvmsg(struct kiocb *iocb, struct socket *sock,
+                              struct msghdr *msg, size_t size,
+                              int flags)
+{
+        struct sock *sk = sock->sk;
+        if (sk->sk_state != TCP_ESTABLISHED)
+                return -ENOTCONN;
+        return unix_dgram_recvmsg(iocb, sock, msg, size, flags);
+}
 static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
 {
        struct unix_sock *u = unix_sk(sk);
@@ -1724,7 +1742,11 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock,
        msg->msg_namelen = 0;
-        mutex_lock(&u->readlock);
+        err = mutex_lock_interruptible(&u->readlock);
+        if (err) {
+                err = sock_intr_errno(sock_rcvtimeo(sk, noblock));
+                goto out;
+        }
        skb = skb_recv_datagram(sk, flags, noblock, &err);
        if (!skb) {
@@ -1864,7 +1886,11 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
                memset(&tmp_scm, 0, sizeof(tmp_scm));
        }
-        mutex_lock(&u->readlock);
+        err = mutex_lock_interruptible(&u->readlock);
+        if (err) {
+                err = sock_intr_errno(timeo);
+                goto out;
+        }
        do {
                int chunk;
@@ -1895,11 +1921,12 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
                        timeo = unix_stream_data_wait(sk, timeo);
-                        if (signal_pending(current)) {
+                        if (signal_pending(current)
+                            ||  mutex_lock_interruptible(&u->readlock)) {
                                err = sock_intr_errno(timeo);
                                goto out;
                        }
-                        mutex_lock(&u->readlock);
                        continue;
 unlock:
                        unix_state_unlock(sk);
@@ -1978,36 +2005,38 @@ static int unix_shutdown(struct socket *sock, int mode)
        mode = (mode+1)&(RCV_SHUTDOWN|SEND_SHUTDOWN);
-        if (mode) {
+        if (!mode)
-                unix_state_lock(sk);
+                return 0;
-                sk->sk_shutdown |= mode;
-                other = unix_peer(sk);
+        unix_state_lock(sk);
-                if (other)
+        sk->sk_shutdown |= mode;
-                        sock_hold(other);
+        other = unix_peer(sk);
-                unix_state_unlock(sk);
+        if (other)
-                sk->sk_state_change(sk);
+                sock_hold(other);
+        unix_state_unlock(sk);
-                if (other &&
+        sk->sk_state_change(sk);
-                        (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET)) {
+        if (other &&
-                        int peer_mode = 0;
+                (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET)) {
-                        if (mode&RCV_SHUTDOWN)
+                int peer_mode = 0;
-                                peer_mode |= SEND_SHUTDOWN;
-                        if (mode&SEND_SHUTDOWN)
+                if (mode&RCV_SHUTDOWN)
-                                peer_mode |= RCV_SHUTDOWN;
+                        peer_mode |= SEND_SHUTDOWN;
-                        unix_state_lock(other);
+                if (mode&SEND_SHUTDOWN)
-                        other->sk_shutdown |= peer_mode;
+                        peer_mode |= RCV_SHUTDOWN;
-                        unix_state_unlock(other);
+                unix_state_lock(other);
-                        other->sk_state_change(other);
+                other->sk_shutdown |= peer_mode;
-                        if (peer_mode == SHUTDOWN_MASK)
+                unix_state_unlock(other);
-                                sk_wake_async(other, SOCK_WAKE_WAITD, POLL_HUP);
+                other->sk_state_change(other);
-                        else if (peer_mode & RCV_SHUTDOWN)
+                if (peer_mode == SHUTDOWN_MASK)
-                                sk_wake_async(other, SOCK_WAKE_WAITD, POLL_IN);
+                        sk_wake_async(other, SOCK_WAKE_WAITD, POLL_HUP);
-                }
+                else if (peer_mode & RCV_SHUTDOWN)
-                if (other)
+                        sk_wake_async(other, SOCK_WAKE_WAITD, POLL_IN);
-                        sock_put(other);
        }
+        if (other)
+                sock_put(other);
        return 0;
 }
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index f89f83bf828e..b6f4b994eb35 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -104,7 +104,7 @@ struct sock *unix_get_socket(struct file *filp)
        /*
         *      Socket ?
         */
-        if (S_ISSOCK(inode->i_mode)) {
+        if (S_ISSOCK(inode->i_mode) && !(filp->f_mode & FMODE_PATH)) {
                struct socket *sock = SOCKET_I(inode);
                struct sock *s = sock->sk;
diff --git a/net/wanrouter/wanmain.c b/net/wanrouter/wanmain.c
index 74944a2dd436..788a12c1eb5d 100644
--- a/net/wanrouter/wanmain.c
+++ b/net/wanrouter/wanmain.c
@@ -59,8 +59,6 @@
 #include <asm/uaccess.h>        /* copy_to/from_user */
 #include <linux/init.h>         /* __initfunc et al. */
-#define KMEM_SAFETYZONE 8
 #define DEV_TO_SLAVE(dev)       (*((struct net_device **)netdev_priv(dev)))
 /*
diff --git a/net/wanrouter/wanproc.c b/net/wanrouter/wanproc.c
index 11f25c7a7a05..f346395314ba 100644
--- a/net/wanrouter/wanproc.c
+++ b/net/wanrouter/wanproc.c
@@ -51,7 +51,7 @@
 /*
 *      Structures for interfacing with the /proc filesystem.
- *      Router creates its own directory /proc/net/router with the folowing
+ *      Router creates its own directory /proc/net/router with the following
 *      entries:
 *      config          device configuration
 *      status          global device statistics
diff --git a/net/wireless/core.c b/net/wireless/core.c
index e9a5f8ca4c27..c22ef3492ee6 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -46,6 +46,11 @@ static struct dentry *ieee80211_debugfs_dir;
 /* for the cleanup, scan and event works */
 struct workqueue_struct *cfg80211_wq;
+static bool cfg80211_disable_40mhz_24ghz;
+module_param(cfg80211_disable_40mhz_24ghz, bool, 0644);
+MODULE_PARM_DESC(cfg80211_disable_40mhz_24ghz,
+                 "Disable 40MHz support in the 2.4GHz band");
 /* requires cfg80211_mutex to be held! */
 struct cfg80211_registered_device *cfg80211_rdev_by_wiphy_idx(int wiphy_idx)
 {
@@ -365,7 +370,7 @@ struct wiphy *wiphy_new(const struct cfg80211_ops *ops, int sizeof_priv)
        spin_lock_init(&rdev->bss_lock);
        INIT_LIST_HEAD(&rdev->bss_list);
        INIT_WORK(&rdev->scan_done_wk, __cfg80211_scan_done);
+        INIT_WORK(&rdev->sched_scan_results_wk, __cfg80211_sched_scan_results);
 #ifdef CONFIG_CFG80211_WEXT
        rdev->wiphy.wext = &cfg80211_wext_handler;
 #endif
@@ -411,6 +416,67 @@ struct wiphy *wiphy_new(const struct cfg80211_ops *ops, int sizeof_priv)
 }
 EXPORT_SYMBOL(wiphy_new);
+static int wiphy_verify_combinations(struct wiphy *wiphy)
+{
+        const struct ieee80211_iface_combination *c;
+        int i, j;
+        /* If we have combinations enforce them */
+        if (wiphy->n_iface_combinations)
+                wiphy->flags |= WIPHY_FLAG_ENFORCE_COMBINATIONS;
+        for (i = 0; i < wiphy->n_iface_combinations; i++) {
+                u32 cnt = 0;
+                u16 all_iftypes = 0;
+                c = &wiphy->iface_combinations[i];
+                /* Combinations with just one interface aren't real */
+                if (WARN_ON(c->max_interfaces < 2))
+                        return -EINVAL;
+                /* Need at least one channel */
+                if (WARN_ON(!c->num_different_channels))
+                        return -EINVAL;
+                if (WARN_ON(!c->n_limits))
+                        return -EINVAL;
+                for (j = 0; j < c->n_limits; j++) {
+                        u16 types = c->limits[j].types;
+                        /*
+                         * interface types shouldn't overlap, this is
+                         * used in cfg80211_can_change_interface()
+                         */
+                        if (WARN_ON(types & all_iftypes))
+                                return -EINVAL;
+                        all_iftypes |= types;
+                        if (WARN_ON(!c->limits[j].max))
+                                return -EINVAL;
+                        /* Shouldn't list software iftypes in combinations! */
+                        if (WARN_ON(wiphy->software_iftypes & types))
+                                return -EINVAL;
+                        cnt += c->limits[j].max;
+                        /*
+                         * Don't advertise an unsupported type
+                         * in a combination.
+                         */
+                        if (WARN_ON((wiphy->interface_modes & types) != types))
+                                return -EINVAL;
+                }
+                /* You can't even choose that many! */
+                if (WARN_ON(cnt < c->max_interfaces))
+                        return -EINVAL;
+        }
+        return 0;
+}
 int wiphy_register(struct wiphy *wiphy)
 {
        struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
@@ -439,6 +505,10 @@ int wiphy_register(struct wiphy *wiphy)
        if (WARN_ON(ifmodes != wiphy->interface_modes))
                wiphy->interface_modes = ifmodes;
+        res = wiphy_verify_combinations(wiphy);
+        if (res)
+                return res;
        /* sanity check supported bands/channels */
        for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
                sband = wiphy->bands[band];
@@ -451,6 +521,18 @@ int wiphy_register(struct wiphy *wiphy)
                        return -EINVAL;
                /*
+                 * Since cfg80211_disable_40mhz_24ghz is global, we can
+                 * modify the sband's ht data even if the driver uses a
+                 * global structure for that.
+                 */
+                if (cfg80211_disable_40mhz_24ghz &&
+                    band == IEEE80211_BAND_2GHZ &&
+                    sband->ht_cap.ht_supported) {
+                        sband->ht_cap.cap &= ~IEEE80211_HT_CAP_SUP_WIDTH_20_40;
+                        sband->ht_cap.cap &= ~IEEE80211_HT_CAP_SGI_40;
+                }
+                /*
                 * Since we use a u32 for rate bitmaps in
                 * ieee80211_get_response_rate, we cannot
                 * have more than 32 legacy rates.
@@ -476,6 +558,13 @@ int wiphy_register(struct wiphy *wiphy)
                return -EINVAL;
        }
+        if (rdev->wiphy.wowlan.n_patterns) {
+                if (WARN_ON(!rdev->wiphy.wowlan.pattern_min_len ||
+                            rdev->wiphy.wowlan.pattern_min_len >
+                            rdev->wiphy.wowlan.pattern_max_len))
+                        return -EINVAL;
+        }
        /* check and set up bitrates */
        ieee80211_set_bitrate_flags(wiphy);
@@ -614,6 +703,7 @@ void cfg80211_dev_free(struct cfg80211_registered_device *rdev)
        mutex_destroy(&rdev->devlist_mtx);
        list_for_each_entry_safe(scan, tmp, &rdev->bss_list, list)
                cfg80211_put_bss(&scan->pub);
+        cfg80211_rdev_free_wowlan(rdev);
        kfree(rdev);
 }
@@ -647,6 +737,11 @@ static void wdev_cleanup_work(struct work_struct *work)
                ___cfg80211_scan_done(rdev, true);
        }
+        if (WARN_ON(rdev->sched_scan_req &&
+                    rdev->sched_scan_req->dev == wdev->netdev)) {
+                __cfg80211_stop_sched_scan(rdev, false);
+        }
        cfg80211_unlock_rdev(rdev);
        mutex_lock(&rdev->devlist_mtx);
@@ -668,6 +763,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
        struct net_device *dev = ndev;
        struct wireless_dev *wdev = dev->ieee80211_ptr;
        struct cfg80211_registered_device *rdev;
+        int ret;
        if (!wdev)
                return NOTIFY_DONE;
@@ -718,13 +814,6 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                        wdev->ps = false;
                /* allow mac80211 to determine the timeout */
                wdev->ps_timeout = -1;
-                if (rdev->ops->set_power_mgmt)
-                        if (rdev->ops->set_power_mgmt(wdev->wiphy, dev,
-                                                      wdev->ps,
-                                                      wdev->ps_timeout)) {
-                                /* assume this means it's off */
-                                wdev->ps = false;
-                        }
                if (!dev->ethtool_ops)
                        dev->ethtool_ops = &cfg80211_ethtool_ops;
@@ -741,6 +830,10 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                        break;
                case NL80211_IFTYPE_P2P_CLIENT:
                case NL80211_IFTYPE_STATION:
+                        cfg80211_lock_rdev(rdev);
+                        __cfg80211_stop_sched_scan(rdev, false);
+                        cfg80211_unlock_rdev(rdev);
                        wdev_lock(wdev);
 #ifdef CONFIG_CFG80211_WEXT
                        kfree(wdev->wext.ie);
@@ -759,6 +852,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                default:
                        break;
                }
+                wdev->beacon_interval = 0;
                break;
        case NETDEV_DOWN:
                dev_hold(dev);
@@ -813,6 +907,19 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                rdev->opencount++;
                mutex_unlock(&rdev->devlist_mtx);
                cfg80211_unlock_rdev(rdev);
+                /*
+                 * Configure power management to the driver here so that its
+                 * correctly set also after interface type changes etc.
+                 */
+                if (wdev->iftype == NL80211_IFTYPE_STATION &&
+                    rdev->ops->set_power_mgmt)
+                        if (rdev->ops->set_power_mgmt(wdev->wiphy, dev,
+                                                      wdev->ps,
+                                                      wdev->ps_timeout)) {
+                                /* assume this means it's off */
+                                wdev->ps = false;
+                        }
                break;
        case NETDEV_UNREGISTER:
                /*
@@ -852,6 +959,9 @@ static int cfg80211_netdev_notifier_call(struct notifier_block * nb,
                        return notifier_from_errno(-EOPNOTSUPP);
                if (rfkill_blocked(rdev->rfkill))
                        return notifier_from_errno(-ERFKILL);
+                ret = cfg80211_can_add_interface(rdev, wdev->iftype);
+                if (ret)
+                        return notifier_from_errno(ret);
                break;
        }
diff --git a/net/wireless/core.h b/net/wireless/core.h
index 26a0a084e16b..bf0fb40e3c8b 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -60,8 +60,10 @@ struct cfg80211_registered_device {
        struct rb_root bss_tree;
        u32 bss_generation;
        struct cfg80211_scan_request *scan_req; /* protected by RTNL */
+        struct cfg80211_sched_scan_request *sched_scan_req;
        unsigned long suspend_at;
        struct work_struct scan_done_wk;
+        struct work_struct sched_scan_results_wk;
 #ifdef CONFIG_NL80211_TESTMODE
        struct genl_info *testmode_info;
@@ -70,6 +72,8 @@ struct cfg80211_registered_device {
        struct work_struct conn_work;
        struct work_struct event_work;
+        struct cfg80211_wowlan *wowlan;
        /* must be last because of the way we do wiphy_priv(),
         * and it should at least be aligned to NETDEV_ALIGN */
        struct wiphy wiphy __attribute__((__aligned__(NETDEV_ALIGN)));
@@ -89,6 +93,18 @@ bool wiphy_idx_valid(int wiphy_idx)
        return wiphy_idx >= 0;
 }
+static inline void
+cfg80211_rdev_free_wowlan(struct cfg80211_registered_device *rdev)
+{
+        int i;
+        if (!rdev->wowlan)
+                return;
+        for (i = 0; i < rdev->wowlan->n_patterns; i++)
+                kfree(rdev->wowlan->patterns[i].mask);
+        kfree(rdev->wowlan->patterns);
+        kfree(rdev->wowlan);
+}
 extern struct workqueue_struct *cfg80211_wq;
 extern struct mutex cfg80211_mutex;
@@ -397,12 +413,26 @@ void cfg80211_sme_rx_auth(struct net_device *dev, const u8 *buf, size_t len);
 void cfg80211_sme_disassoc(struct net_device *dev, int idx);
 void __cfg80211_scan_done(struct work_struct *wk);
 void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, bool leak);
+void __cfg80211_sched_scan_results(struct work_struct *wk);
+int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
+                               bool driver_initiated);
 void cfg80211_upload_connect_keys(struct wireless_dev *wdev);
 int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
                          struct net_device *dev, enum nl80211_iftype ntype,
                          u32 *flags, struct vif_params *params);
 void cfg80211_process_rdev_events(struct cfg80211_registered_device *rdev);
+int cfg80211_can_change_interface(struct cfg80211_registered_device *rdev,
+                                  struct wireless_dev *wdev,
+                                  enum nl80211_iftype iftype);
+static inline int
+cfg80211_can_add_interface(struct cfg80211_registered_device *rdev,
+                           enum nl80211_iftype iftype)
+{
+        return cfg80211_can_change_interface(rdev, NULL, iftype);
+}
 struct ieee80211_channel *
 rdev_freq_to_chan(struct cfg80211_registered_device *rdev,
                  int freq, enum nl80211_channel_type channel_type);
@@ -412,6 +442,9 @@ int cfg80211_set_freq(struct cfg80211_registered_device *rdev,
 u16 cfg80211_calculate_bitrate(struct rate_info *rate);
+int cfg80211_validate_beacon_int(struct cfg80211_registered_device *rdev,
+                                 u32 beacon_int);
 #ifdef CONFIG_CFG80211_DEVELOPER_WARNINGS
 #define CFG80211_DEV_WARN_ON(cond)      WARN_ON(cond)
 #else
diff --git a/net/wireless/ethtool.c b/net/wireless/ethtool.c
index ca4c825be93d..9bde4d1d3e9b 100644
--- a/net/wireless/ethtool.c
+++ b/net/wireless/ethtool.c
@@ -1,5 +1,6 @@
 #include <linux/utsname.h>
 #include <net/cfg80211.h>
+#include "core.h"
 #include "ethtool.h"
 static void cfg80211_get_drvinfo(struct net_device *dev,
@@ -37,9 +38,41 @@ static void cfg80211_get_regs(struct net_device *dev, struct ethtool_regs *regs,
        regs->len = 0;
 }
+static void cfg80211_get_ringparam(struct net_device *dev,
+                                   struct ethtool_ringparam *rp)
+{
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
+        struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
+        memset(rp, 0, sizeof(*rp));
+        if (rdev->ops->get_ringparam)
+                rdev->ops->get_ringparam(wdev->wiphy,
+                                         &rp->tx_pending, &rp->tx_max_pending,
+                                         &rp->rx_pending, &rp->rx_max_pending);
+}
+static int cfg80211_set_ringparam(struct net_device *dev,
+                                  struct ethtool_ringparam *rp)
+{
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
+        struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
+        if (rp->rx_mini_pending != 0 || rp->rx_jumbo_pending != 0)
+                return -EINVAL;
+        if (rdev->ops->set_ringparam)
+                return rdev->ops->set_ringparam(wdev->wiphy,
+                                                rp->tx_pending, rp->rx_pending);
+        return -ENOTSUPP;
+}
 const struct ethtool_ops cfg80211_ethtool_ops = {
        .get_drvinfo = cfg80211_get_drvinfo,
        .get_regs_len = cfg80211_get_regs_len,
        .get_regs = cfg80211_get_regs,
        .get_link = ethtool_op_get_link,
+        .get_ringparam = cfg80211_get_ringparam,
+        .set_ringparam = cfg80211_set_ringparam,
 };
diff --git a/net/wireless/lib80211_crypt_wep.c b/net/wireless/lib80211_crypt_wep.c
index e2e88878ba35..2f265e033ae2 100644
--- a/net/wireless/lib80211_crypt_wep.c
+++ b/net/wireless/lib80211_crypt_wep.c
@@ -96,13 +96,12 @@ static int lib80211_wep_build_iv(struct sk_buff *skb, int hdr_len,
                               u8 *key, int keylen, void *priv)
 {
        struct lib80211_wep_data *wep = priv;
-        u32 klen, len;
+        u32 klen;
        u8 *pos;
        if (skb_headroom(skb) < 4 || skb->len < hdr_len)
                return -1;
-        len = skb->len - hdr_len;
        pos = skb_push(skb, 4);
        memmove(pos, pos + 4, hdr_len);
        pos += hdr_len;
diff --git a/net/wireless/mesh.c b/net/wireless/mesh.c
index 73e39c171ffb..5c116083eeca 100644
--- a/net/wireless/mesh.c
+++ b/net/wireless/mesh.c
@@ -1,5 +1,6 @@
 #include <linux/ieee80211.h>
 #include <net/cfg80211.h>
+#include "nl80211.h"
 #include "core.h"
 /* Default values, timeouts in ms */
@@ -53,8 +54,9 @@ const struct mesh_config default_mesh_config = {
 const struct mesh_setup default_mesh_setup = {
        .path_sel_proto = IEEE80211_PATH_PROTOCOL_HWMP,
        .path_metric = IEEE80211_PATH_METRIC_AIRTIME,
-        .vendor_ie = NULL,
+        .ie = NULL,
-        .vendor_ie_len = 0,
+        .ie_len = 0,
+        .is_secure = false,
 };
 int __cfg80211_join_mesh(struct cfg80211_registered_device *rdev,
@@ -72,6 +74,10 @@ int __cfg80211_join_mesh(struct cfg80211_registered_device *rdev,
        if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT)
                return -EOPNOTSUPP;
+        if (!(rdev->wiphy.flags & WIPHY_FLAG_MESH_AUTH) &&
+              setup->is_secure)
+                return -EOPNOTSUPP;
        if (wdev->mesh_id_len)
                return -EALREADY;
@@ -105,6 +111,19 @@ int cfg80211_join_mesh(struct cfg80211_registered_device *rdev,
        return err;
 }
+void cfg80211_notify_new_peer_candidate(struct net_device *dev,
+                const u8 *macaddr, const u8* ie, u8 ie_len, gfp_t gfp)
+{
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
+        if (WARN_ON(wdev->iftype != NL80211_IFTYPE_MESH_POINT))
+                return;
+        nl80211_send_new_peer_candidate(wiphy_to_dev(wdev->wiphy), dev,
+                        macaddr, ie, ie_len, gfp);
+}
+EXPORT_SYMBOL(cfg80211_notify_new_peer_candidate);
 static int __cfg80211_leave_mesh(struct cfg80211_registered_device *rdev,
                                 struct net_device *dev)
 {
diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c
index aa5df8865ff7..493b939970cd 100644
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -770,6 +770,15 @@ void cfg80211_new_sta(struct net_device *dev, const u8 *mac_addr,
 }
 EXPORT_SYMBOL(cfg80211_new_sta);
+void cfg80211_del_sta(struct net_device *dev, const u8 *mac_addr, gfp_t gfp)
+{
+        struct wiphy *wiphy = dev->ieee80211_ptr->wiphy;
+        struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
+        nl80211_send_sta_del_event(rdev, dev, mac_addr, gfp);
+}
+EXPORT_SYMBOL(cfg80211_del_sta);
 struct cfg80211_mgmt_registration {
        struct list_head list;
@@ -954,6 +963,16 @@ int cfg80211_mlme_mgmt_tx(struct cfg80211_registered_device *rdev,
                        if (memcmp(mgmt->bssid, dev->dev_addr, ETH_ALEN))
                                err = -EINVAL;
                        break;
+                case NL80211_IFTYPE_MESH_POINT:
+                        if (memcmp(mgmt->sa, mgmt->bssid, ETH_ALEN)) {
+                                err = -EINVAL;
+                                break;
+                        }
+                        /*
+                         * check for mesh DA must be done by driver as
+                         * cfg80211 doesn't track the stations
+                         */
+                        break;
                default:
                        err = -EOPNOTSUPP;
                        break;
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 9b62710891a2..2222ce08ee91 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -124,6 +124,7 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
        [NL80211_ATTR_BSS_HT_OPMODE] = { .type = NLA_U16 },
        [NL80211_ATTR_MESH_CONFIG] = { .type = NLA_NESTED },
+        [NL80211_ATTR_SUPPORT_MESH_AUTH] = { .type = NLA_FLAG },
        [NL80211_ATTR_HT_CAPABILITY] = { .type = NLA_BINARY,
                                         .len = NL80211_HT_CAPABILITY_LEN },
@@ -172,6 +173,9 @@ static const struct nla_policy nl80211_policy[NL80211_ATTR_MAX+1] = {
        [NL80211_ATTR_MCAST_RATE] = { .type = NLA_U32 },
        [NL80211_ATTR_OFFCHANNEL_TX_OK] = { .type = NLA_FLAG },
        [NL80211_ATTR_KEY_DEFAULT_TYPES] = { .type = NLA_NESTED },
+        [NL80211_ATTR_WOWLAN_TRIGGERS] = { .type = NLA_NESTED },
+        [NL80211_ATTR_STA_PLINK_STATE] = { .type = NLA_U8 },
+        [NL80211_ATTR_SCHED_SCAN_INTERVAL] = { .type = NLA_U32 },
 };
 /* policy for the key attributes */
@@ -193,6 +197,15 @@ nl80211_key_default_policy[NUM_NL80211_KEY_DEFAULT_TYPES] = {
        [NL80211_KEY_DEFAULT_TYPE_MULTICAST] = { .type = NLA_FLAG },
 };
+/* policy for WoWLAN attributes */
+static const struct nla_policy
+nl80211_wowlan_policy[NUM_NL80211_WOWLAN_TRIG] = {
+        [NL80211_WOWLAN_TRIG_ANY] = { .type = NLA_FLAG },
+        [NL80211_WOWLAN_TRIG_DISCONNECT] = { .type = NLA_FLAG },
+        [NL80211_WOWLAN_TRIG_MAGIC_PKT] = { .type = NLA_FLAG },
+        [NL80211_WOWLAN_TRIG_PKT_PATTERN] = { .type = NLA_NESTED },
+};
 /* ifidx get helper */
 static int nl80211_get_ifidx(struct netlink_callback *cb)
 {
@@ -533,6 +546,7 @@ static int nl80211_key_allowed(struct wireless_dev *wdev)
        case NL80211_IFTYPE_AP:
        case NL80211_IFTYPE_AP_VLAN:
        case NL80211_IFTYPE_P2P_GO:
+        case NL80211_IFTYPE_MESH_POINT:
                break;
        case NL80211_IFTYPE_ADHOC:
                if (!wdev->current_bss)
@@ -550,6 +564,88 @@ static int nl80211_key_allowed(struct wireless_dev *wdev)
        return 0;
 }
+static int nl80211_put_iftypes(struct sk_buff *msg, u32 attr, u16 ifmodes)
+{
+        struct nlattr *nl_modes = nla_nest_start(msg, attr);
+        int i;
+        if (!nl_modes)
+                goto nla_put_failure;
+        i = 0;
+        while (ifmodes) {
+                if (ifmodes & 1)
+                        NLA_PUT_FLAG(msg, i);
+                ifmodes >>= 1;
+                i++;
+        }
+        nla_nest_end(msg, nl_modes);
+        return 0;
+nla_put_failure:
+        return -ENOBUFS;
+}
+static int nl80211_put_iface_combinations(struct wiphy *wiphy,
+                                          struct sk_buff *msg)
+{
+        struct nlattr *nl_combis;
+        int i, j;
+        nl_combis = nla_nest_start(msg,
+                                NL80211_ATTR_INTERFACE_COMBINATIONS);
+        if (!nl_combis)
+                goto nla_put_failure;
+        for (i = 0; i < wiphy->n_iface_combinations; i++) {
+                const struct ieee80211_iface_combination *c;
+                struct nlattr *nl_combi, *nl_limits;
+                c = &wiphy->iface_combinations[i];
+                nl_combi = nla_nest_start(msg, i + 1);
+                if (!nl_combi)
+                        goto nla_put_failure;
+                nl_limits = nla_nest_start(msg, NL80211_IFACE_COMB_LIMITS);
+                if (!nl_limits)
+                        goto nla_put_failure;
+                for (j = 0; j < c->n_limits; j++) {
+                        struct nlattr *nl_limit;
+                        nl_limit = nla_nest_start(msg, j + 1);
+                        if (!nl_limit)
+                                goto nla_put_failure;
+                        NLA_PUT_U32(msg, NL80211_IFACE_LIMIT_MAX,
+                                    c->limits[j].max);
+                        if (nl80211_put_iftypes(msg, NL80211_IFACE_LIMIT_TYPES,
+                                                c->limits[j].types))
+                                goto nla_put_failure;
+                        nla_nest_end(msg, nl_limit);
+                }
+                nla_nest_end(msg, nl_limits);
+                if (c->beacon_int_infra_match)
+                        NLA_PUT_FLAG(msg,
+                                NL80211_IFACE_COMB_STA_AP_BI_MATCH);
+                NLA_PUT_U32(msg, NL80211_IFACE_COMB_NUM_CHANNELS,
+                            c->num_different_channels);
+                NLA_PUT_U32(msg, NL80211_IFACE_COMB_MAXNUM,
+                            c->max_interfaces);
+                nla_nest_end(msg, nl_combi);
+        }
+        nla_nest_end(msg, nl_combis);
+        return 0;
+nla_put_failure:
+        return -ENOBUFS;
+}
 static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
                              struct cfg80211_registered_device *dev)
 {
@@ -557,13 +653,11 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
        struct nlattr *nl_bands, *nl_band;
        struct nlattr *nl_freqs, *nl_freq;
        struct nlattr *nl_rates, *nl_rate;
-        struct nlattr *nl_modes;
        struct nlattr *nl_cmds;
        enum ieee80211_band band;
        struct ieee80211_channel *chan;
        struct ieee80211_rate *rate;
        int i;
-        u16 ifmodes = dev->wiphy.interface_modes;
        const struct ieee80211_txrx_stypes *mgmt_stypes =
                                dev->wiphy.mgmt_stypes;
@@ -594,6 +688,8 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
        if (dev->wiphy.flags & WIPHY_FLAG_IBSS_RSN)
                NLA_PUT_FLAG(msg, NL80211_ATTR_SUPPORT_IBSS_RSN);
+        if (dev->wiphy.flags & WIPHY_FLAG_MESH_AUTH)
+                NLA_PUT_FLAG(msg, NL80211_ATTR_SUPPORT_MESH_AUTH);
        NLA_PUT(msg, NL80211_ATTR_CIPHER_SUITES,
                sizeof(u32) * dev->wiphy.n_cipher_suites,
@@ -621,20 +717,10 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
                }
        }
-        nl_modes = nla_nest_start(msg, NL80211_ATTR_SUPPORTED_IFTYPES);
+        if (nl80211_put_iftypes(msg, NL80211_ATTR_SUPPORTED_IFTYPES,
-        if (!nl_modes)
+                                dev->wiphy.interface_modes))
                goto nla_put_failure;
-        i = 0;
-        while (ifmodes) {
-                if (ifmodes & 1)
-                        NLA_PUT_FLAG(msg, i);
-                ifmodes >>= 1;
-                i++;
-        }
-        nla_nest_end(msg, nl_modes);
        nl_bands = nla_nest_start(msg, NL80211_ATTR_WIPHY_BANDS);
        if (!nl_bands)
                goto nla_put_failure;
@@ -746,6 +832,8 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
        }
        CMD(set_channel, SET_CHANNEL);
        CMD(set_wds_peer, SET_WDS_PEER);
+        if (dev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN)
+                CMD(sched_scan_start, START_SCHED_SCAN);
 #undef CMD
@@ -818,6 +906,42 @@ static int nl80211_send_wiphy(struct sk_buff *msg, u32 pid, u32 seq, int flags,
                nla_nest_end(msg, nl_ifs);
        }
+        if (dev->wiphy.wowlan.flags || dev->wiphy.wowlan.n_patterns) {
+                struct nlattr *nl_wowlan;
+                nl_wowlan = nla_nest_start(msg,
+                                NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED);
+                if (!nl_wowlan)
+                        goto nla_put_failure;
+                if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_ANY)
+                        NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_ANY);
+                if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_DISCONNECT)
+                        NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_DISCONNECT);
+                if (dev->wiphy.wowlan.flags & WIPHY_WOWLAN_MAGIC_PKT)
+                        NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT);
+                if (dev->wiphy.wowlan.n_patterns) {
+                        struct nl80211_wowlan_pattern_support pat = {
+                                .max_patterns = dev->wiphy.wowlan.n_patterns,
+                                .min_pattern_len =
+                                        dev->wiphy.wowlan.pattern_min_len,
+                                .max_pattern_len =
+                                        dev->wiphy.wowlan.pattern_max_len,
+                        };
+                        NLA_PUT(msg, NL80211_WOWLAN_TRIG_PKT_PATTERN,
+                                sizeof(pat), &pat);
+                }
+                nla_nest_end(msg, nl_wowlan);
+        }
+        if (nl80211_put_iftypes(msg, NL80211_ATTR_SOFTWARE_IFTYPES,
+                                dev->wiphy.software_iftypes))
+                goto nla_put_failure;
+        if (nl80211_put_iface_combinations(&dev->wiphy, msg))
+                goto nla_put_failure;
        return genlmsg_end(msg, hdr);
 nla_put_failure:
@@ -1679,14 +1803,6 @@ static int nl80211_set_key(struct sk_buff *skb, struct genl_info *info)
                if (err)
                        goto out;
-                if (!(rdev->wiphy.flags &
-                                WIPHY_FLAG_SUPPORTS_SEPARATE_DEFAULT_KEYS)) {
-                        if (!key.def_uni || !key.def_multi) {
-                                err = -EOPNOTSUPP;
-                                goto out;
-                        }
-                }
                err = rdev->ops->set_default_key(&rdev->wiphy, dev, key.idx,
                                                 key.def_uni, key.def_multi);
@@ -1837,8 +1953,9 @@ static int nl80211_addset_beacon(struct sk_buff *skb, struct genl_info *info)
                    struct beacon_parameters *info);
        struct cfg80211_registered_device *rdev = info->user_ptr[0];
        struct net_device *dev = info->user_ptr[1];
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
        struct beacon_parameters params;
-        int haveinfo = 0;
+        int haveinfo = 0, err;
        if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_BEACON_TAIL]))
                return -EINVAL;
@@ -1847,6 +1964,8 @@ static int nl80211_addset_beacon(struct sk_buff *skb, struct genl_info *info)
            dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
                return -EOPNOTSUPP;
+        memset(&params, 0, sizeof(params));
        switch (info->genlhdr->cmd) {
        case NL80211_CMD_NEW_BEACON:
                /* these are required for NEW_BEACON */
@@ -1855,6 +1974,15 @@ static int nl80211_addset_beacon(struct sk_buff *skb, struct genl_info *info)
                    !info->attrs[NL80211_ATTR_BEACON_HEAD])
                        return -EINVAL;
+                params.interval =
+                        nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
+                params.dtim_period =
+                        nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
+                err = cfg80211_validate_beacon_int(rdev, params.interval);
+                if (err)
+                        return err;
                call = rdev->ops->add_beacon;
                break;
        case NL80211_CMD_SET_BEACON:
@@ -1868,20 +1996,6 @@ static int nl80211_addset_beacon(struct sk_buff *skb, struct genl_info *info)
        if (!call)
                return -EOPNOTSUPP;
-        memset(&params, 0, sizeof(params));
-        if (info->attrs[NL80211_ATTR_BEACON_INTERVAL]) {
-                params.interval =
-                    nla_get_u32(info->attrs[NL80211_ATTR_BEACON_INTERVAL]);
-                haveinfo = 1;
-        }
-        if (info->attrs[NL80211_ATTR_DTIM_PERIOD]) {
-                params.dtim_period =
-                    nla_get_u32(info->attrs[NL80211_ATTR_DTIM_PERIOD]);
-                haveinfo = 1;
-        }
        if (info->attrs[NL80211_ATTR_BEACON_HEAD]) {
                params.head = nla_data(info->attrs[NL80211_ATTR_BEACON_HEAD]);
                params.head_len =
@@ -1899,13 +2013,18 @@ static int nl80211_addset_beacon(struct sk_buff *skb, struct genl_info *info)
        if (!haveinfo)
                return -EINVAL;
-        return call(&rdev->wiphy, dev, &params);
+        err = call(&rdev->wiphy, dev, &params);
+        if (!err && params.interval)
+                wdev->beacon_interval = params.interval;
+        return err;
 }
 static int nl80211_del_beacon(struct sk_buff *skb, struct genl_info *info)
 {
        struct cfg80211_registered_device *rdev = info->user_ptr[0];
        struct net_device *dev = info->user_ptr[1];
+        struct wireless_dev *wdev = dev->ieee80211_ptr;
+        int err;
        if (!rdev->ops->del_beacon)
                return -EOPNOTSUPP;
@@ -1914,7 +2033,10 @@ static int nl80211_del_beacon(struct sk_buff *skb, struct genl_info *info)
            dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
                return -EOPNOTSUPP;
-        return rdev->ops->del_beacon(&rdev->wiphy, dev);
+        err = rdev->ops->del_beacon(&rdev->wiphy, dev);
+        if (!err)
+                wdev->beacon_interval = 0;
+        return err;
 }
 static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
@@ -1922,6 +2044,7 @@ static const struct nla_policy sta_flags_policy[NL80211_STA_FLAG_MAX + 1] = {
        [NL80211_STA_FLAG_SHORT_PREAMBLE] = { .type = NLA_FLAG },
        [NL80211_STA_FLAG_WME] = { .type = NLA_FLAG },
        [NL80211_STA_FLAG_MFP] = { .type = NLA_FLAG },
+        [NL80211_STA_FLAG_AUTHENTICATED] = { .type = NLA_FLAG },
 };
 static int parse_station_flags(struct genl_info *info,
@@ -1968,13 +2091,41 @@ static int parse_station_flags(struct genl_info *info,
        return 0;
 }
+static bool nl80211_put_sta_rate(struct sk_buff *msg, struct rate_info *info,
+                                 int attr)
+{
+        struct nlattr *rate;
+        u16 bitrate;
+        rate = nla_nest_start(msg, attr);
+        if (!rate)
+                goto nla_put_failure;
+        /* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
+        bitrate = cfg80211_calculate_bitrate(info);
+        if (bitrate > 0)
+                NLA_PUT_U16(msg, NL80211_RATE_INFO_BITRATE, bitrate);
+        if (info->flags & RATE_INFO_FLAGS_MCS)
+                NLA_PUT_U8(msg, NL80211_RATE_INFO_MCS, info->mcs);
+        if (info->flags & RATE_INFO_FLAGS_40_MHZ_WIDTH)
+                NLA_PUT_FLAG(msg, NL80211_RATE_INFO_40_MHZ_WIDTH);
+        if (info->flags & RATE_INFO_FLAGS_SHORT_GI)
+                NLA_PUT_FLAG(msg, NL80211_RATE_INFO_SHORT_GI);
+        nla_nest_end(msg, rate);
+        return true;
+nla_put_failure:
+        return false;
+}
 static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
                                int flags, struct net_device *dev,
                                const u8 *mac_addr, struct station_info *sinfo)
 {
        void *hdr;
-        struct nlattr *sinfoattr, *txrate;
+        struct nlattr *sinfoattr, *bss_param;
-        u16 bitrate;
        hdr = nl80211hdr_put(msg, pid, seq, flags, NL80211_CMD_NEW_STATION);
        if (!hdr)
@@ -1988,6 +2139,9 @@ static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
        sinfoattr = nla_nest_start(msg, NL80211_ATTR_STA_INFO);
        if (!sinfoattr)
                goto nla_put_failure;
+        if (sinfo->filled & STATION_INFO_CONNECTED_TIME)
+                NLA_PUT_U32(msg, NL80211_STA_INFO_CONNECTED_TIME,
+                            sinfo->connected_time);
        if (sinfo->filled & STATION_INFO_INACTIVE_TIME)
                NLA_PUT_U32(msg, NL80211_STA_INFO_INACTIVE_TIME,
                            sinfo->inactive_time);
@@ -2013,24 +2167,14 @@ static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
                NLA_PUT_U8(msg, NL80211_STA_INFO_SIGNAL_AVG,
                           sinfo->signal_avg);
        if (sinfo->filled & STATION_INFO_TX_BITRATE) {
-                txrate = nla_nest_start(msg, NL80211_STA_INFO_TX_BITRATE);
+                if (!nl80211_put_sta_rate(msg, &sinfo->txrate,
-                if (!txrate)
+                                          NL80211_STA_INFO_TX_BITRATE))
+                        goto nla_put_failure;
+        }
+        if (sinfo->filled & STATION_INFO_RX_BITRATE) {
+                if (!nl80211_put_sta_rate(msg, &sinfo->rxrate,
+                                          NL80211_STA_INFO_RX_BITRATE))
                        goto nla_put_failure;
-                /* cfg80211_calculate_bitrate will return 0 for mcs >= 32 */
-                bitrate = cfg80211_calculate_bitrate(&sinfo->txrate);
-                if (bitrate > 0)
-                        NLA_PUT_U16(msg, NL80211_RATE_INFO_BITRATE, bitrate);
-                if (sinfo->txrate.flags & RATE_INFO_FLAGS_MCS)
-                        NLA_PUT_U8(msg, NL80211_RATE_INFO_MCS,
-                                    sinfo->txrate.mcs);
-                if (sinfo->txrate.flags & RATE_INFO_FLAGS_40_MHZ_WIDTH)
-                        NLA_PUT_FLAG(msg, NL80211_RATE_INFO_40_MHZ_WIDTH);
-                if (sinfo->txrate.flags & RATE_INFO_FLAGS_SHORT_GI)
-                        NLA_PUT_FLAG(msg, NL80211_RATE_INFO_SHORT_GI);
-                nla_nest_end(msg, txrate);
        }
        if (sinfo->filled & STATION_INFO_RX_PACKETS)
                NLA_PUT_U32(msg, NL80211_STA_INFO_RX_PACKETS,
@@ -2044,6 +2188,25 @@ static int nl80211_send_station(struct sk_buff *msg, u32 pid, u32 seq,
        if (sinfo->filled & STATION_INFO_TX_FAILED)
                NLA_PUT_U32(msg, NL80211_STA_INFO_TX_FAILED,
                            sinfo->tx_failed);
+        if (sinfo->filled & STATION_INFO_BSS_PARAM) {
+                bss_param = nla_nest_start(msg, NL80211_STA_INFO_BSS_PARAM);
+                if (!bss_param)
+                        goto nla_put_failure;
+                if (sinfo->bss_param.flags & BSS_PARAM_FLAGS_CTS_PROT)
+                        NLA_PUT_FLAG(msg, NL80211_STA_BSS_PARAM_CTS_PROT);
+                if (sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_PREAMBLE)
+                        NLA_PUT_FLAG(msg, NL80211_STA_BSS_PARAM_SHORT_PREAMBLE);
+                if (sinfo->bss_param.flags & BSS_PARAM_FLAGS_SHORT_SLOT_TIME)
+                        NLA_PUT_FLAG(msg,
+                                     NL80211_STA_BSS_PARAM_SHORT_SLOT_TIME);
+                NLA_PUT_U8(msg, NL80211_STA_BSS_PARAM_DTIM_PERIOD,
+                           sinfo->bss_param.dtim_period);
+                NLA_PUT_U16(msg, NL80211_STA_BSS_PARAM_BEACON_INTERVAL,
+                            sinfo->bss_param.beacon_interval);
+                nla_nest_end(msg, bss_param);
+        }
        nla_nest_end(msg, sinfoattr);
        return genlmsg_end(msg, hdr);
@@ -2172,6 +2335,7 @@ static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
        memset(&params, 0, sizeof(params));
        params.listen_interval = -1;
+        params.plink_state = -1;
        if (info->attrs[NL80211_ATTR_STA_AID])
                return -EINVAL;
@@ -2203,6 +2367,10 @@ static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
                params.plink_action =
                    nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
+        if (info->attrs[NL80211_ATTR_STA_PLINK_STATE])
+                params.plink_state =
+                    nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_STATE]);
        err = get_vlan(info, rdev, &params.vlan);
        if (err)
                goto out;
@@ -2242,9 +2410,10 @@ static int nl80211_set_station(struct sk_buff *skb, struct genl_info *info)
                        err = -EINVAL;
                if (params.listen_interval >= 0)
                        err = -EINVAL;
-                if (params.supported_rates)
+                if (params.sta_flags_mask &
-                        err = -EINVAL;
+                                ~(BIT(NL80211_STA_FLAG_AUTHENTICATED) |
-                if (params.sta_flags_mask)
+                                  BIT(NL80211_STA_FLAG_MFP) |
+                                  BIT(NL80211_STA_FLAG_AUTHORIZED)))
                        err = -EINVAL;
                break;
        default:
@@ -2306,11 +2475,16 @@ static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
                params.ht_capa =
                        nla_data(info->attrs[NL80211_ATTR_HT_CAPABILITY]);
+        if (info->attrs[NL80211_ATTR_STA_PLINK_ACTION])
+                params.plink_action =
+                    nla_get_u8(info->attrs[NL80211_ATTR_STA_PLINK_ACTION]);
        if (parse_station_flags(info, &params))
                return -EINVAL;
        if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP &&
            dev->ieee80211_ptr->iftype != NL80211_IFTYPE_AP_VLAN &&
+            dev->ieee80211_ptr->iftype != NL80211_IFTYPE_MESH_POINT &&
            dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_GO)
                return -EINVAL;
@@ -2718,7 +2892,7 @@ static int nl80211_get_mesh_config(struct sk_buff *skb,
        hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
                             NL80211_CMD_GET_MESH_CONFIG);
        if (!hdr)
-                goto nla_put_failure;
+                goto out;
        pinfoattr = nla_nest_start(msg, NL80211_ATTR_MESH_CONFIG);
        if (!pinfoattr)
                goto nla_put_failure;
@@ -2759,6 +2933,7 @@ static int nl80211_get_mesh_config(struct sk_buff *skb,
 nla_put_failure:
        genlmsg_cancel(msg, hdr);
+ out:
        nlmsg_free(msg);
        return -ENOBUFS;
 }
@@ -2785,8 +2960,10 @@ static const struct nla_policy
        nl80211_mesh_setup_params_policy[NL80211_MESH_SETUP_ATTR_MAX+1] = {
        [NL80211_MESH_SETUP_ENABLE_VENDOR_PATH_SEL] = { .type = NLA_U8 },
        [NL80211_MESH_SETUP_ENABLE_VENDOR_METRIC] = { .type = NLA_U8 },
-        [NL80211_MESH_SETUP_VENDOR_PATH_SEL_IE] = { .type = NLA_BINARY,
+        [NL80211_MESH_SETUP_USERSPACE_AUTH] = { .type = NLA_FLAG },
+        [NL80211_MESH_SETUP_IE] = { .type = NLA_BINARY,
                .len = IEEE80211_MAX_DATA_LEN },
+        [NL80211_MESH_SETUP_USERSPACE_AMPE] = { .type = NLA_FLAG },
 };
 static int nl80211_parse_mesh_config(struct genl_info *info,
@@ -2887,14 +3064,17 @@ static int nl80211_parse_mesh_setup(struct genl_info *info,
                 IEEE80211_PATH_METRIC_VENDOR :
                 IEEE80211_PATH_METRIC_AIRTIME;
-        if (tb[NL80211_MESH_SETUP_VENDOR_PATH_SEL_IE]) {
+        if (tb[NL80211_MESH_SETUP_IE]) {
                struct nlattr *ieattr =
-                        tb[NL80211_MESH_SETUP_VENDOR_PATH_SEL_IE];
+                        tb[NL80211_MESH_SETUP_IE];
                if (!is_valid_ie_attr(ieattr))
                        return -EINVAL;
-                setup->vendor_ie = nla_data(ieattr);
+                setup->ie = nla_data(ieattr);
-                setup->vendor_ie_len = nla_len(ieattr);
+                setup->ie_len = nla_len(ieattr);
        }
+        setup->is_authenticated = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AUTH]);
+        setup->is_secure = nla_get_flag(tb[NL80211_MESH_SETUP_USERSPACE_AMPE]);
        return 0;
 }
@@ -2954,7 +3134,7 @@ static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
        hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
                             NL80211_CMD_GET_REG);
        if (!hdr)
-                goto nla_put_failure;
+                goto put_failure;
        NLA_PUT_STRING(msg, NL80211_ATTR_REG_ALPHA2,
                cfg80211_regdomain->alpha2);
@@ -3001,6 +3181,7 @@ static int nl80211_get_reg(struct sk_buff *skb, struct genl_info *info)
 nla_put_failure:
        genlmsg_cancel(msg, hdr);
+put_failure:
        nlmsg_free(msg);
        err = -EMSGSIZE;
 out:
@@ -3262,6 +3443,188 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info)
        return err;
 }
+static int nl80211_start_sched_scan(struct sk_buff *skb,
+                                    struct genl_info *info)
+{
+        struct cfg80211_sched_scan_request *request;
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        struct net_device *dev = info->user_ptr[1];
+        struct cfg80211_ssid *ssid;
+        struct ieee80211_channel *channel;
+        struct nlattr *attr;
+        struct wiphy *wiphy;
+        int err, tmp, n_ssids = 0, n_channels, i;
+        u32 interval;
+        enum ieee80211_band band;
+        size_t ie_len;
+        if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
+            !rdev->ops->sched_scan_start)
+                return -EOPNOTSUPP;
+        if (!is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
+                return -EINVAL;
+        if (rdev->sched_scan_req)
+                return -EINPROGRESS;
+        if (!info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL])
+                return -EINVAL;
+        interval = nla_get_u32(info->attrs[NL80211_ATTR_SCHED_SCAN_INTERVAL]);
+        if (interval == 0)
+                return -EINVAL;
+        wiphy = &rdev->wiphy;
+        if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
+                n_channels = validate_scan_freqs(
+                                info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]);
+                if (!n_channels)
+                        return -EINVAL;
+        } else {
+                n_channels = 0;
+                for (band = 0; band < IEEE80211_NUM_BANDS; band++)
+                        if (wiphy->bands[band])
+                                n_channels += wiphy->bands[band]->n_channels;
+        }
+        if (info->attrs[NL80211_ATTR_SCAN_SSIDS])
+                nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
+                                    tmp)
+                        n_ssids++;
+        if (n_ssids > wiphy->max_scan_ssids)
+                return -EINVAL;
+        if (info->attrs[NL80211_ATTR_IE])
+                ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
+        else
+                ie_len = 0;
+        if (ie_len > wiphy->max_scan_ie_len)
+                return -EINVAL;
+        request = kzalloc(sizeof(*request)
+                        + sizeof(*ssid) * n_ssids
+                        + sizeof(channel) * n_channels
+                        + ie_len, GFP_KERNEL);
+        if (!request)
+                return -ENOMEM;
+        if (n_ssids)
+                request->ssids = (void *)&request->channels[n_channels];
+        request->n_ssids = n_ssids;
+        if (ie_len) {
+                if (request->ssids)
+                        request->ie = (void *)(request->ssids + n_ssids);
+                else
+                        request->ie = (void *)(request->channels + n_channels);
+        }
+        i = 0;
+        if (info->attrs[NL80211_ATTR_SCAN_FREQUENCIES]) {
+                /* user specified, bail out if channel not found */
+                nla_for_each_nested(attr,
+                                    info->attrs[NL80211_ATTR_SCAN_FREQUENCIES],
+                                    tmp) {
+                        struct ieee80211_channel *chan;
+                        chan = ieee80211_get_channel(wiphy, nla_get_u32(attr));
+                        if (!chan) {
+                                err = -EINVAL;
+                                goto out_free;
+                        }
+                        /* ignore disabled channels */
+                        if (chan->flags & IEEE80211_CHAN_DISABLED)
+                                continue;
+                        request->channels[i] = chan;
+                        i++;
+                }
+        } else {
+                /* all channels */
+                for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
+                        int j;
+                        if (!wiphy->bands[band])
+                                continue;
+                        for (j = 0; j < wiphy->bands[band]->n_channels; j++) {
+                                struct ieee80211_channel *chan;
+                                chan = &wiphy->bands[band]->channels[j];
+                                if (chan->flags & IEEE80211_CHAN_DISABLED)
+                                        continue;
+                                request->channels[i] = chan;
+                                i++;
+                        }
+                }
+        }
+        if (!i) {
+                err = -EINVAL;
+                goto out_free;
+        }
+        request->n_channels = i;
+        i = 0;
+        if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) {
+                nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS],
+                                    tmp) {
+                        if (request->ssids[i].ssid_len >
+                            IEEE80211_MAX_SSID_LEN) {
+                                err = -EINVAL;
+                                goto out_free;
+                        }
+                        memcpy(request->ssids[i].ssid, nla_data(attr),
+                               nla_len(attr));
+                        request->ssids[i].ssid_len = nla_len(attr);
+                        i++;
+                }
+        }
+        if (info->attrs[NL80211_ATTR_IE]) {
+                request->ie_len = nla_len(info->attrs[NL80211_ATTR_IE]);
+                memcpy((void *)request->ie,
+                       nla_data(info->attrs[NL80211_ATTR_IE]),
+                       request->ie_len);
+        }
+        request->dev = dev;
+        request->wiphy = &rdev->wiphy;
+        request->interval = interval;
+        err = rdev->ops->sched_scan_start(&rdev->wiphy, dev, request);
+        if (!err) {
+                rdev->sched_scan_req = request;
+                nl80211_send_sched_scan(rdev, dev,
+                                        NL80211_CMD_START_SCHED_SCAN);
+                goto out;
+        }
+out_free:
+        kfree(request);
+out:
+        return err;
+}
+static int nl80211_stop_sched_scan(struct sk_buff *skb,
+                                   struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
+            !rdev->ops->sched_scan_stop)
+                return -EOPNOTSUPP;
+        return __cfg80211_stop_sched_scan(rdev, false);
+}
 static int nl80211_send_bss(struct sk_buff *msg, u32 pid, u32 seq, int flags,
                            struct cfg80211_registered_device *rdev,
                            struct wireless_dev *wdev,
@@ -4760,6 +5123,194 @@ static int nl80211_leave_mesh(struct sk_buff *skb, struct genl_info *info)
        return cfg80211_leave_mesh(rdev, dev);
 }
+static int nl80211_get_wowlan(struct sk_buff *skb, struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        struct sk_buff *msg;
+        void *hdr;
+        if (!rdev->wiphy.wowlan.flags && !rdev->wiphy.wowlan.n_patterns)
+                return -EOPNOTSUPP;
+        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (!msg)
+                return -ENOMEM;
+        hdr = nl80211hdr_put(msg, info->snd_pid, info->snd_seq, 0,
+                             NL80211_CMD_GET_WOWLAN);
+        if (!hdr)
+                goto nla_put_failure;
+        if (rdev->wowlan) {
+                struct nlattr *nl_wowlan;
+                nl_wowlan = nla_nest_start(msg, NL80211_ATTR_WOWLAN_TRIGGERS);
+                if (!nl_wowlan)
+                        goto nla_put_failure;
+                if (rdev->wowlan->any)
+                        NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_ANY);
+                if (rdev->wowlan->disconnect)
+                        NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_DISCONNECT);
+                if (rdev->wowlan->magic_pkt)
+                        NLA_PUT_FLAG(msg, NL80211_WOWLAN_TRIG_MAGIC_PKT);
+                if (rdev->wowlan->n_patterns) {
+                        struct nlattr *nl_pats, *nl_pat;
+                        int i, pat_len;
+                        nl_pats = nla_nest_start(msg,
+                                        NL80211_WOWLAN_TRIG_PKT_PATTERN);
+                        if (!nl_pats)
+                                goto nla_put_failure;
+                        for (i = 0; i < rdev->wowlan->n_patterns; i++) {
+                                nl_pat = nla_nest_start(msg, i + 1);
+                                if (!nl_pat)
+                                        goto nla_put_failure;
+                                pat_len = rdev->wowlan->patterns[i].pattern_len;
+                                NLA_PUT(msg, NL80211_WOWLAN_PKTPAT_MASK,
+                                        DIV_ROUND_UP(pat_len, 8),
+                                        rdev->wowlan->patterns[i].mask);
+                                NLA_PUT(msg, NL80211_WOWLAN_PKTPAT_PATTERN,
+                                        pat_len,
+                                        rdev->wowlan->patterns[i].pattern);
+                                nla_nest_end(msg, nl_pat);
+                        }
+                        nla_nest_end(msg, nl_pats);
+                }
+                nla_nest_end(msg, nl_wowlan);
+        }
+        genlmsg_end(msg, hdr);
+        return genlmsg_reply(msg, info);
+nla_put_failure:
+        nlmsg_free(msg);
+        return -ENOBUFS;
+}
+static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
+{
+        struct cfg80211_registered_device *rdev = info->user_ptr[0];
+        struct nlattr *tb[NUM_NL80211_WOWLAN_TRIG];
+        struct cfg80211_wowlan no_triggers = {};
+        struct cfg80211_wowlan new_triggers = {};
+        struct wiphy_wowlan_support *wowlan = &rdev->wiphy.wowlan;
+        int err, i;
+        if (!rdev->wiphy.wowlan.flags && !rdev->wiphy.wowlan.n_patterns)
+                return -EOPNOTSUPP;
+        if (!info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS])
+                goto no_triggers;
+        err = nla_parse(tb, MAX_NL80211_WOWLAN_TRIG,
+                        nla_data(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
+                        nla_len(info->attrs[NL80211_ATTR_WOWLAN_TRIGGERS]),
+                        nl80211_wowlan_policy);
+        if (err)
+                return err;
+        if (tb[NL80211_WOWLAN_TRIG_ANY]) {
+                if (!(wowlan->flags & WIPHY_WOWLAN_ANY))
+                        return -EINVAL;
+                new_triggers.any = true;
+        }
+        if (tb[NL80211_WOWLAN_TRIG_DISCONNECT]) {
+                if (!(wowlan->flags & WIPHY_WOWLAN_DISCONNECT))
+                        return -EINVAL;
+                new_triggers.disconnect = true;
+        }
+        if (tb[NL80211_WOWLAN_TRIG_MAGIC_PKT]) {
+                if (!(wowlan->flags & WIPHY_WOWLAN_MAGIC_PKT))
+                        return -EINVAL;
+                new_triggers.magic_pkt = true;
+        }
+        if (tb[NL80211_WOWLAN_TRIG_PKT_PATTERN]) {
+                struct nlattr *pat;
+                int n_patterns = 0;
+                int rem, pat_len, mask_len;
+                struct nlattr *pat_tb[NUM_NL80211_WOWLAN_PKTPAT];
+                nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
+                                    rem)
+                        n_patterns++;
+                if (n_patterns > wowlan->n_patterns)
+                        return -EINVAL;
+                new_triggers.patterns = kcalloc(n_patterns,
+                                                sizeof(new_triggers.patterns[0]),
+                                                GFP_KERNEL);
+                if (!new_triggers.patterns)
+                        return -ENOMEM;
+                new_triggers.n_patterns = n_patterns;
+                i = 0;
+                nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN],
+                                    rem) {
+                        nla_parse(pat_tb, MAX_NL80211_WOWLAN_PKTPAT,
+                                  nla_data(pat), nla_len(pat), NULL);
+                        err = -EINVAL;
+                        if (!pat_tb[NL80211_WOWLAN_PKTPAT_MASK] ||
+                            !pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN])
+                                goto error;
+                        pat_len = nla_len(pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN]);
+                        mask_len = DIV_ROUND_UP(pat_len, 8);
+                        if (nla_len(pat_tb[NL80211_WOWLAN_PKTPAT_MASK]) !=
+                            mask_len)
+                                goto error;
+                        if (pat_len > wowlan->pattern_max_len ||
+                            pat_len < wowlan->pattern_min_len)
+                                goto error;
+                        new_triggers.patterns[i].mask =
+                                kmalloc(mask_len + pat_len, GFP_KERNEL);
+                        if (!new_triggers.patterns[i].mask) {
+                                err = -ENOMEM;
+                                goto error;
+                        }
+                        new_triggers.patterns[i].pattern =
+                                new_triggers.patterns[i].mask + mask_len;
+                        memcpy(new_triggers.patterns[i].mask,
+                               nla_data(pat_tb[NL80211_WOWLAN_PKTPAT_MASK]),
+                               mask_len);
+                        new_triggers.patterns[i].pattern_len = pat_len;
+                        memcpy(new_triggers.patterns[i].pattern,
+                               nla_data(pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN]),
+                               pat_len);
+                        i++;
+                }
+        }
+        if (memcmp(&new_triggers, &no_triggers, sizeof(new_triggers))) {
+                struct cfg80211_wowlan *ntrig;
+                ntrig = kmemdup(&new_triggers, sizeof(new_triggers),
+                                GFP_KERNEL);
+                if (!ntrig) {
+                        err = -ENOMEM;
+                        goto error;
+                }
+                cfg80211_rdev_free_wowlan(rdev);
+                rdev->wowlan = ntrig;
+        } else {
+ no_triggers:
+                cfg80211_rdev_free_wowlan(rdev);
+                rdev->wowlan = NULL;
+        }
+        return 0;
+ error:
+        for (i = 0; i < new_triggers.n_patterns; i++)
+                kfree(new_triggers.patterns[i].mask);
+        kfree(new_triggers.patterns);
+        return err;
+}
 #define NL80211_FLAG_NEED_WIPHY         0x01
 #define NL80211_FLAG_NEED_NETDEV        0x02
 #define NL80211_FLAG_NEED_RTNL          0x04
@@ -5044,6 +5595,22 @@ static struct genl_ops nl80211_ops[] = {
                .dumpit = nl80211_dump_scan,
        },
        {
+                .cmd = NL80211_CMD_START_SCHED_SCAN,
+                .doit = nl80211_start_sched_scan,
+                .policy = nl80211_policy,
+                .flags = GENL_ADMIN_PERM,
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
+        {
+                .cmd = NL80211_CMD_STOP_SCHED_SCAN,
+                .doit = nl80211_stop_sched_scan,
+                .policy = nl80211_policy,
+                .flags = GENL_ADMIN_PERM,
+                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
+        {
                .cmd = NL80211_CMD_AUTHENTICATE,
                .doit = nl80211_authenticate,
                .policy = nl80211_policy,
@@ -5258,6 +5825,22 @@ static struct genl_ops nl80211_ops[] = {
                .internal_flags = NL80211_FLAG_NEED_NETDEV_UP |
                                  NL80211_FLAG_NEED_RTNL,
        },
+        {
+                .cmd = NL80211_CMD_GET_WOWLAN,
+                .doit = nl80211_get_wowlan,
+                .policy = nl80211_policy,
+                /* can be retrieved by unprivileged users */
+                .internal_flags = NL80211_FLAG_NEED_WIPHY |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
+        {
+                .cmd = NL80211_CMD_SET_WOWLAN,
+                .doit = nl80211_set_wowlan,
+                .policy = nl80211_policy,
+                .flags = GENL_ADMIN_PERM,
+                .internal_flags = NL80211_FLAG_NEED_WIPHY |
+                                  NL80211_FLAG_NEED_RTNL,
+        },
 };
 static struct genl_multicast_group nl80211_mlme_mcgrp = {
@@ -5353,6 +5936,28 @@ static int nl80211_send_scan_msg(struct sk_buff *msg,
        return -EMSGSIZE;
 }
+static int
+nl80211_send_sched_scan_msg(struct sk_buff *msg,
+                            struct cfg80211_registered_device *rdev,
+                            struct net_device *netdev,
+                            u32 pid, u32 seq, int flags, u32 cmd)
+{
+        void *hdr;
+        hdr = nl80211hdr_put(msg, pid, seq, flags, cmd);
+        if (!hdr)
+                return -1;
+        NLA_PUT_U32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx);
+        NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex);
+        return genlmsg_end(msg, hdr);
+ nla_put_failure:
+        genlmsg_cancel(msg, hdr);
+        return -EMSGSIZE;
+}
 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
                             struct net_device *netdev)
 {
@@ -5410,6 +6015,43 @@ void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
                                nl80211_scan_mcgrp.id, GFP_KERNEL);
 }
+void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
+                                     struct net_device *netdev)
+{
+        struct sk_buff *msg;
+        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+        if (!msg)
+                return;
+        if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0,
+                                        NL80211_CMD_SCHED_SCAN_RESULTS) < 0) {
+                nlmsg_free(msg);
+                return;
+        }
+        genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
+                                nl80211_scan_mcgrp.id, GFP_KERNEL);
+}
+void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
+                             struct net_device *netdev, u32 cmd)
+{
+        struct sk_buff *msg;
+        msg = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
+        if (!msg)
+                return;
+        if (nl80211_send_sched_scan_msg(msg, rdev, netdev, 0, 0, 0, cmd) < 0) {
+                nlmsg_free(msg);
+                return;
+        }
+        genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
+                                nl80211_scan_mcgrp.id, GFP_KERNEL);
+}
 /*
 * This can happen on global regulatory changes or device specific settings
 * based on custom world regulatory domains.
@@ -5765,6 +6407,44 @@ void nl80211_send_ibss_bssid(struct cfg80211_registered_device *rdev,
        nlmsg_free(msg);
 }
+void nl80211_send_new_peer_candidate(struct cfg80211_registered_device *rdev,
+                struct net_device *netdev,
+                const u8 *macaddr, const u8* ie, u8 ie_len,
+                gfp_t gfp)
+{
+        struct sk_buff *msg;
+        void *hdr;
+        msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
+        if (!msg)
+                return;
+        hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_NEW_PEER_CANDIDATE);
+        if (!hdr) {
+                nlmsg_free(msg);
+                return;
+        }
+        NLA_PUT_U32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx);
+        NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, netdev->ifindex);
+        NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, macaddr);
+        if (ie_len && ie)
+                NLA_PUT(msg, NL80211_ATTR_IE, ie_len , ie);
+        if (genlmsg_end(msg, hdr) < 0) {
+                nlmsg_free(msg);
+                return;
+        }
+        genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
+                                nl80211_mlme_mcgrp.id, gfp);
+        return;
+ nla_put_failure:
+        genlmsg_cancel(msg, hdr);
+        nlmsg_free(msg);
+}
 void nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
                                 struct net_device *netdev, const u8 *addr,
                                 enum nl80211_key_type key_type, int key_id,
@@ -5946,6 +6626,40 @@ void nl80211_send_sta_event(struct cfg80211_registered_device *rdev,
                                nl80211_mlme_mcgrp.id, gfp);
 }
+void nl80211_send_sta_del_event(struct cfg80211_registered_device *rdev,
+                                struct net_device *dev, const u8 *mac_addr,
+                                gfp_t gfp)
+{
+        struct sk_buff *msg;
+        void *hdr;
+        msg = nlmsg_new(NLMSG_GOODSIZE, gfp);
+        if (!msg)
+                return;
+        hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_DEL_STATION);
+        if (!hdr) {
+                nlmsg_free(msg);
+                return;
+        }
+        NLA_PUT_U32(msg, NL80211_ATTR_IFINDEX, dev->ifindex);
+        NLA_PUT(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr);
+        if (genlmsg_end(msg, hdr) < 0) {
+                nlmsg_free(msg);
+                return;
+        }
+        genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0,
+                                nl80211_mlme_mcgrp.id, gfp);
+        return;
+ nla_put_failure:
+        genlmsg_cancel(msg, hdr);
+        nlmsg_free(msg);
+}
 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
                      struct net_device *netdev, u32 nlpid,
                      int freq, const u8 *buf, size_t len, gfp_t gfp)
diff --git a/net/wireless/nl80211.h b/net/wireless/nl80211.h
index e3f7fa886966..2f1bfb87a651 100644
--- a/net/wireless/nl80211.h
+++ b/net/wireless/nl80211.h
@@ -12,6 +12,10 @@ void nl80211_send_scan_done(struct cfg80211_registered_device *rdev,
                            struct net_device *netdev);
 void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
                               struct net_device *netdev);
+void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
+                             struct net_device *netdev, u32 cmd);
+void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
+                                     struct net_device *netdev);
 void nl80211_send_reg_change_event(struct regulatory_request *request);
 void nl80211_send_rx_auth(struct cfg80211_registered_device *rdev,
                          struct net_device *netdev,
@@ -50,6 +54,10 @@ void nl80211_send_disconnected(struct cfg80211_registered_device *rdev,
                               struct net_device *netdev, u16 reason,
                               const u8 *ie, size_t ie_len, bool from_ap);
+void nl80211_send_new_peer_candidate(struct cfg80211_registered_device *rdev,
+                                     struct net_device *netdev,
+                                     const u8 *macaddr, const u8* ie, u8 ie_len,
+                                     gfp_t gfp);
 void
 nl80211_michael_mic_failure(struct cfg80211_registered_device *rdev,
                            struct net_device *netdev, const u8 *addr,
@@ -79,6 +87,9 @@ void nl80211_send_remain_on_channel_cancel(
 void nl80211_send_sta_event(struct cfg80211_registered_device *rdev,
                            struct net_device *dev, const u8 *mac_addr,
                            struct station_info *sinfo, gfp_t gfp);
+void nl80211_send_sta_del_event(struct cfg80211_registered_device *rdev,
+                                struct net_device *dev, const u8 *mac_addr,
+                                gfp_t gfp);
 int nl80211_send_mgmt(struct cfg80211_registered_device *rdev,
                      struct net_device *netdev, u32 nlpid, int freq,
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 37693b6ef23a..1ad0f39fe091 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -63,6 +63,10 @@ static struct regulatory_request *last_request;
 /* To trigger userspace events */
 static struct platform_device *reg_pdev;
+static struct device_type reg_device_type = {
+        .uevent = reg_device_uevent,
+};
 /*
 * Central wireless core regulatory domains, we only need two,
 * the current one and a world regulatory domain in case we have no
@@ -102,6 +106,9 @@ struct reg_beacon {
 static void reg_todo(struct work_struct *work);
 static DECLARE_WORK(reg_work, reg_todo);
+static void reg_timeout_work(struct work_struct *work);
+static DECLARE_DELAYED_WORK(reg_timeout, reg_timeout_work);
 /* We keep a static world regulatory domain in case of the absence of CRDA */
 static const struct ieee80211_regdomain world_regdom = {
        .n_reg_rules = 5,
@@ -362,16 +369,11 @@ static inline void reg_regdb_query(const char *alpha2) {}
 /*
 * This lets us keep regulatory code which is updated on a regulatory
- * basis in userspace.
+ * basis in userspace. Country information is filled in by
+ * reg_device_uevent
 */
 static int call_crda(const char *alpha2)
 {
-        char country_env[9 + 2] = "COUNTRY=";
-        char *envp[] = {
-                country_env,
-                NULL
-        };
        if (!is_world_regdom((char *) alpha2))
                pr_info("Calling CRDA for country: %c%c\n",
                        alpha2[0], alpha2[1]);
@@ -381,10 +383,7 @@ static int call_crda(const char *alpha2)
        /* query internal regulatory database (if it exists) */
        reg_regdb_query(alpha2);
-        country_env[8] = alpha2[0];
+        return kobject_uevent(&reg_pdev->dev.kobj, KOBJ_CHANGE);
-        country_env[9] = alpha2[1];
-        return kobject_uevent_env(&reg_pdev->dev.kobj, KOBJ_CHANGE, envp);
 }
 /* Used by nl80211 before kmalloc'ing our regulatory domain */
@@ -673,11 +672,9 @@ static int freq_reg_info_regd(struct wiphy *wiphy,
        for (i = 0; i < regd->n_reg_rules; i++) {
                const struct ieee80211_reg_rule *rr;
                const struct ieee80211_freq_range *fr = NULL;
-                const struct ieee80211_power_rule *pr = NULL;
                rr = &regd->reg_rules[i];
                fr = &rr->freq_range;
-                pr = &rr->power_rule;
                /*
                 * We only need to know if one frequency rule was
@@ -813,7 +810,7 @@ static void handle_channel(struct wiphy *wiphy,
        if (r) {
                /*
                 * We will disable all channels that do not match our
-                 * recieved regulatory rule unless the hint is coming
+                 * received regulatory rule unless the hint is coming
                 * from a Country IE and the Country IE had no information
                 * about a band. The IEEE 802.11 spec allows for an AP
                 * to send only a subset of the regulatory rules allowed,
@@ -842,7 +839,7 @@ static void handle_channel(struct wiphy *wiphy,
            request_wiphy && request_wiphy == wiphy &&
            request_wiphy->flags & WIPHY_FLAG_STRICT_REGULATORY) {
                /*
-                 * This gaurantees the driver's requested regulatory domain
+                 * This guarantees the driver's requested regulatory domain
                 * will always be used as a base for further regulatory
                 * settings
                 */
@@ -1334,6 +1331,9 @@ static void reg_set_request_processed(void)
                need_more_processing = true;
        spin_unlock(&reg_requests_lock);
+        if (last_request->initiator == NL80211_REGDOM_SET_BY_USER)
+                cancel_delayed_work_sync(&reg_timeout);
        if (need_more_processing)
                schedule_work(&reg_work);
 }
@@ -1444,8 +1444,18 @@ static void reg_process_hint(struct regulatory_request *reg_request)
        r = __regulatory_hint(wiphy, reg_request);
        /* This is required so that the orig_* parameters are saved */
        if (r == -EALREADY && wiphy &&
-            wiphy->flags & WIPHY_FLAG_STRICT_REGULATORY)
+            wiphy->flags & WIPHY_FLAG_STRICT_REGULATORY) {
                wiphy_update_regulatory(wiphy, initiator);
+                return;
+        }
+        /*
+         * We only time out user hints, given that they should be the only
+         * source of bogus requests.
+         */
+        if (r != -EALREADY &&
+            reg_request->initiator == NL80211_REGDOM_SET_BY_USER)
+                schedule_delayed_work(&reg_timeout, msecs_to_jiffies(3142));
 }
 /*
@@ -1748,6 +1758,8 @@ static void restore_regulatory_settings(bool reset_user)
 {
        char alpha2[2];
        struct reg_beacon *reg_beacon, *btmp;
+        struct regulatory_request *reg_request, *tmp;
+        LIST_HEAD(tmp_reg_req_list);
        mutex_lock(&cfg80211_mutex);
        mutex_lock(&reg_mutex);
@@ -1755,6 +1767,25 @@ static void restore_regulatory_settings(bool reset_user)
        reset_regdomains();
        restore_alpha2(alpha2, reset_user);
+        /*
+         * If there's any pending requests we simply
+         * stash them to a temporary pending queue and
+         * add then after we've restored regulatory
+         * settings.
+         */
+        spin_lock(&reg_requests_lock);
+        if (!list_empty(&reg_requests_list)) {
+                list_for_each_entry_safe(reg_request, tmp,
+                                         &reg_requests_list, list) {
+                        if (reg_request->initiator !=
+                            NL80211_REGDOM_SET_BY_USER)
+                                continue;
+                        list_del(&reg_request->list);
+                        list_add_tail(&reg_request->list, &tmp_reg_req_list);
+                }
+        }
+        spin_unlock(&reg_requests_lock);
        /* Clear beacon hints */
        spin_lock_bh(&reg_pending_beacons_lock);
        if (!list_empty(&reg_pending_beacons)) {
@@ -1789,8 +1820,31 @@ static void restore_regulatory_settings(bool reset_user)
         */
        if (is_an_alpha2(alpha2))
                regulatory_hint_user(user_alpha2);
-}
+        if (list_empty(&tmp_reg_req_list))
+                return;
+        mutex_lock(&cfg80211_mutex);
+        mutex_lock(&reg_mutex);
+        spin_lock(&reg_requests_lock);
+        list_for_each_entry_safe(reg_request, tmp, &tmp_reg_req_list, list) {
+                REG_DBG_PRINT("Adding request for country %c%c back "
+                              "into the queue\n",
+                              reg_request->alpha2[0],
+                              reg_request->alpha2[1]);
+                list_del(&reg_request->list);
+                list_add_tail(&reg_request->list, &reg_requests_list);
+        }
+        spin_unlock(&reg_requests_lock);
+        mutex_unlock(&reg_mutex);
+        mutex_unlock(&cfg80211_mutex);
+        REG_DBG_PRINT("Kicking the queue\n");
+        schedule_work(&reg_work);
+}
 void regulatory_hint_disconnect(void)
 {
@@ -1801,9 +1855,9 @@ void regulatory_hint_disconnect(void)
 static bool freq_is_chan_12_13_14(u16 freq)
 {
-        if (freq == ieee80211_channel_to_frequency(12) ||
+        if (freq == ieee80211_channel_to_frequency(12, IEEE80211_BAND_2GHZ) ||
-            freq == ieee80211_channel_to_frequency(13) ||
+            freq == ieee80211_channel_to_frequency(13, IEEE80211_BAND_2GHZ) ||
-            freq == ieee80211_channel_to_frequency(14))
+            freq == ieee80211_channel_to_frequency(14, IEEE80211_BAND_2GHZ))
                return true;
        return false;
 }
@@ -2087,6 +2141,25 @@ int set_regdom(const struct ieee80211_regdomain *rd)
        return r;
 }
+#ifdef CONFIG_HOTPLUG
+int reg_device_uevent(struct device *dev, struct kobj_uevent_env *env)
+{
+        if (last_request && !last_request->processed) {
+                if (add_uevent_var(env, "COUNTRY=%c%c",
+                                   last_request->alpha2[0],
+                                   last_request->alpha2[1]))
+                        return -ENOMEM;
+        }
+        return 0;
+}
+#else
+int reg_device_uevent(struct device *dev, struct kobj_uevent_env *env)
+{
+        return -ENODEV;
+}
+#endif /* CONFIG_HOTPLUG */
 /* Caller must hold cfg80211_mutex */
 void reg_device_remove(struct wiphy *wiphy)
 {
@@ -2110,6 +2183,13 @@ out:
        mutex_unlock(&reg_mutex);
 }
+static void reg_timeout_work(struct work_struct *work)
+{
+        REG_DBG_PRINT("Timeout while waiting for CRDA to reply, "
+                      "restoring regulatory settings");
+        restore_regulatory_settings(true);
+}
 int __init regulatory_init(void)
 {
        int err = 0;
@@ -2118,6 +2198,8 @@ int __init regulatory_init(void)
        if (IS_ERR(reg_pdev))
                return PTR_ERR(reg_pdev);
+        reg_pdev->dev.type = &reg_device_type;
        spin_lock_init(&reg_requests_lock);
        spin_lock_init(&reg_pending_beacons_lock);
@@ -2161,6 +2243,7 @@ void /* __init_or_exit */ regulatory_exit(void)
        struct reg_beacon *reg_beacon, *btmp;
        cancel_work_sync(&reg_work);
+        cancel_delayed_work_sync(&reg_timeout);
        mutex_lock(&cfg80211_mutex);
        mutex_lock(&reg_mutex);
diff --git a/net/wireless/reg.h b/net/wireless/reg.h
index c4695d07af23..b67d1c3a2fb9 100644
--- a/net/wireless/reg.h
+++ b/net/wireless/reg.h
@@ -8,6 +8,7 @@ bool reg_is_valid_request(const char *alpha2);
 int regulatory_hint_user(const char *alpha2);
+int reg_device_uevent(struct device *dev, struct kobj_uevent_env *env);
 void reg_device_remove(struct wiphy *wiphy);
 int __init regulatory_init(void);
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index ea427f418f64..73a441d237b5 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -93,6 +93,69 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted)
 }
 EXPORT_SYMBOL(cfg80211_scan_done);
+void __cfg80211_sched_scan_results(struct work_struct *wk)
+{
+        struct cfg80211_registered_device *rdev;
+        rdev = container_of(wk, struct cfg80211_registered_device,
+                            sched_scan_results_wk);
+        cfg80211_lock_rdev(rdev);
+        /* we don't have sched_scan_req anymore if the scan is stopping */
+        if (rdev->sched_scan_req)
+                nl80211_send_sched_scan_results(rdev,
+                                                rdev->sched_scan_req->dev);
+        cfg80211_unlock_rdev(rdev);
+}
+void cfg80211_sched_scan_results(struct wiphy *wiphy)
+{
+        /* ignore if we're not scanning */
+        if (wiphy_to_dev(wiphy)->sched_scan_req)
+                queue_work(cfg80211_wq,
+                           &wiphy_to_dev(wiphy)->sched_scan_results_wk);
+}
+EXPORT_SYMBOL(cfg80211_sched_scan_results);
+void cfg80211_sched_scan_stopped(struct wiphy *wiphy)
+{
+        struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
+        cfg80211_lock_rdev(rdev);
+        __cfg80211_stop_sched_scan(rdev, true);
+        cfg80211_unlock_rdev(rdev);
+}
+EXPORT_SYMBOL(cfg80211_sched_scan_stopped);
+int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
+                               bool driver_initiated)
+{
+        int err;
+        struct net_device *dev;
+        ASSERT_RDEV_LOCK(rdev);
+        if (!rdev->sched_scan_req)
+                return 0;
+        dev = rdev->sched_scan_req->dev;
+        if (!driver_initiated) {
+                err = rdev->ops->sched_scan_stop(&rdev->wiphy, dev);
+                if (err)
+                        return err;
+        }
+        nl80211_send_sched_scan(rdev, dev, NL80211_CMD_SCHED_SCAN_STOPPED);
+        kfree(rdev->sched_scan_req);
+        rdev->sched_scan_req = NULL;
+        return err;
+}
 static void bss_release(struct kref *ref)
 {
        struct cfg80211_internal_bss *bss;
@@ -124,6 +187,15 @@ void cfg80211_bss_age(struct cfg80211_registered_device *dev,
 }
 /* must hold dev->bss_lock! */
+static void __cfg80211_unlink_bss(struct cfg80211_registered_device *dev,
+                                  struct cfg80211_internal_bss *bss)
+{
+        list_del_init(&bss->list);
+        rb_erase(&bss->rbn, &dev->bss_tree);
+        kref_put(&bss->ref, bss_release);
+}
+/* must hold dev->bss_lock! */
 void cfg80211_bss_expire(struct cfg80211_registered_device *dev)
 {
        struct cfg80211_internal_bss *bss, *tmp;
@@ -134,9 +206,7 @@ void cfg80211_bss_expire(struct cfg80211_registered_device *dev)
                        continue;
                if (!time_after(jiffies, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE))
                        continue;
-                list_del(&bss->list);
+                __cfg80211_unlink_bss(dev, bss);
-                rb_erase(&bss->rbn, &dev->bss_tree);
-                kref_put(&bss->ref, bss_release);
                expired = true;
        }
@@ -203,7 +273,7 @@ static bool is_mesh(struct cfg80211_bss *a,
 {
        const u8 *ie;
-        if (!is_zero_ether_addr(a->bssid))
+        if (!WLAN_CAPABILITY_IS_MBSS(a->capability))
                return false;
        ie = cfg80211_find_ie(WLAN_EID_MESH_ID,
@@ -241,11 +311,7 @@ static int cmp_bss(struct cfg80211_bss *a,
        if (a->channel != b->channel)
                return b->channel->center_freq - a->channel->center_freq;
-        r = memcmp(a->bssid, b->bssid, ETH_ALEN);
+        if (WLAN_CAPABILITY_IS_MBSS(a->capability | b->capability)) {
-        if (r)
-                return r;
-        if (is_zero_ether_addr(a->bssid)) {
                r = cmp_ies(WLAN_EID_MESH_ID,
                            a->information_elements,
                            a->len_information_elements,
@@ -260,6 +326,10 @@ static int cmp_bss(struct cfg80211_bss *a,
                               b->len_information_elements);
        }
+        r = memcmp(a->bssid, b->bssid, ETH_ALEN);
+        if (r)
+                return r;
        return cmp_ies(WLAN_EID_SSID,
                       a->information_elements,
                       a->len_information_elements,
@@ -400,7 +470,7 @@ cfg80211_bss_update(struct cfg80211_registered_device *dev,
        res->ts = jiffies;
-        if (is_zero_ether_addr(res->pub.bssid)) {
+        if (WLAN_CAPABILITY_IS_MBSS(res->pub.capability)) {
                /* must be mesh, verify */
                meshid = cfg80211_find_ie(WLAN_EID_MESH_ID,
                                          res->pub.information_elements,
@@ -585,16 +655,23 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy,
        struct cfg80211_internal_bss *res;
        size_t ielen = len - offsetof(struct ieee80211_mgmt,
                                      u.probe_resp.variable);
-        size_t privsz = wiphy->bss_priv_size;
+        size_t privsz;
+        if (WARN_ON(!mgmt))
+                return NULL;
+        if (WARN_ON(!wiphy))
+                return NULL;
        if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC &&
                    (signal < 0 || signal > 100)))
                return NULL;
-        if (WARN_ON(!mgmt || !wiphy ||
+        if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
-                    len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable)))
                return NULL;
+        privsz = wiphy->bss_priv_size;
        res = kzalloc(sizeof(*res) + privsz + ielen, gfp);
        if (!res)
                return NULL;
@@ -662,11 +739,8 @@ void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
        spin_lock_bh(&dev->bss_lock);
        if (!list_empty(&bss->list)) {
-                list_del_init(&bss->list);
+                __cfg80211_unlink_bss(dev, bss);
                dev->bss_generation++;
-                rb_erase(&bss->rbn, &dev->bss_tree);
-                kref_put(&bss->ref, bss_release);
        }
        spin_unlock_bh(&dev->bss_lock);
 }
diff --git a/net/wireless/sysfs.c b/net/wireless/sysfs.c
index 4294fa22bb2d..c6e4ca6a7d2e 100644
--- a/net/wireless/sysfs.c
+++ b/net/wireless/sysfs.c
@@ -93,7 +93,7 @@ static int wiphy_suspend(struct device *dev, pm_message_t state)
        if (rdev->ops->suspend) {
                rtnl_lock();
-                ret = rdev->ops->suspend(&rdev->wiphy);
+                ret = rdev->ops->suspend(&rdev->wiphy, rdev->wowlan);
                rtnl_unlock();
        }
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 7620ae2fcf18..f0536d44d43c 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -29,29 +29,37 @@ ieee80211_get_response_rate(struct ieee80211_supported_band *sband,
 }
 EXPORT_SYMBOL(ieee80211_get_response_rate);
-int ieee80211_channel_to_frequency(int chan)
+int ieee80211_channel_to_frequency(int chan, enum ieee80211_band band)
 {
-        if (chan < 14)
+        /* see 802.11 17.3.8.3.2 and Annex J
-                return 2407 + chan * 5;
+         * there are overlapping channel numbers in 5GHz and 2GHz bands */
+        if (band == IEEE80211_BAND_5GHZ) {
-        if (chan == 14)
+                if (chan >= 182 && chan <= 196)
-                return 2484;
+                        return 4000 + chan * 5;
+                else
-        /* FIXME: 802.11j 17.3.8.3.2 */
+                        return 5000 + chan * 5;
-        return (chan + 1000) * 5;
+        } else { /* IEEE80211_BAND_2GHZ */
+                if (chan == 14)
+                        return 2484;
+                else if (chan < 14)
+                        return 2407 + chan * 5;
+                else
+                        return 0; /* not supported */
+        }
 }
 EXPORT_SYMBOL(ieee80211_channel_to_frequency);
 int ieee80211_frequency_to_channel(int freq)
 {
+        /* see 802.11 17.3.8.3.2 and Annex J */
        if (freq == 2484)
                return 14;
+        else if (freq < 2484)
-        if (freq < 2484)
                return (freq - 2407) / 5;
+        else if (freq >= 4910 && freq <= 4980)
-        /* FIXME: 802.11j 17.3.8.3.2 */
+                return (freq - 4000) / 5;
-        return freq/5 - 1000;
+        else
+                return (freq - 5000) / 5;
 }
 EXPORT_SYMBOL(ieee80211_frequency_to_channel);
@@ -159,12 +167,15 @@ int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
        /*
         * Disallow pairwise keys with non-zero index unless it's WEP
-         * (because current deployments use pairwise WEP keys with
+         * or a vendor specific cipher (because current deployments use
-         * non-zero indizes but 802.11i clearly specifies to use zero)
+         * pairwise WEP keys with non-zero indices and for vendor specific
+         * ciphers this should be validated in the driver or hardware level
+         * - but 802.11i clearly specifies to use zero)
         */
        if (pairwise && key_idx &&
-            params->cipher != WLAN_CIPHER_SUITE_WEP40 &&
+            ((params->cipher == WLAN_CIPHER_SUITE_TKIP) ||
-            params->cipher != WLAN_CIPHER_SUITE_WEP104)
+             (params->cipher == WLAN_CIPHER_SUITE_CCMP) ||
+             (params->cipher == WLAN_CIPHER_SUITE_AES_CMAC)))
                return -EINVAL;
        switch (params->cipher) {
@@ -533,7 +544,8 @@ EXPORT_SYMBOL(ieee80211_data_from_8023);
 void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list,
                              const u8 *addr, enum nl80211_iftype iftype,
-                              const unsigned int extra_headroom)
+                              const unsigned int extra_headroom,
+                              bool has_80211_header)
 {
        struct sk_buff *frame = NULL;
        u16 ethertype;
@@ -542,14 +554,18 @@ void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list,
        int remaining, err;
        u8 dst[ETH_ALEN], src[ETH_ALEN];
-        err = ieee80211_data_to_8023(skb, addr, iftype);
+        if (has_80211_header) {
-        if (err)
+                err = ieee80211_data_to_8023(skb, addr, iftype);
-                goto out;
+                if (err)
+                        goto out;
-        /* skip the wrapping header */
+                /* skip the wrapping header */
-        eth = (struct ethhdr *) skb_pull(skb, sizeof(struct ethhdr));
+                eth = (struct ethhdr *) skb_pull(skb, sizeof(struct ethhdr));
-        if (!eth)
+                if (!eth)
-                goto out;
+                        goto out;
+        } else {
+                eth = (struct ethhdr *) skb->data;
+        }
        while (skb != frame) {
                u8 padding;
@@ -792,6 +808,11 @@ int cfg80211_change_iface(struct cfg80211_registered_device *rdev,
                return -EBUSY;
        if (ntype != otype) {
+                err = cfg80211_can_change_interface(rdev, dev->ieee80211_ptr,
+                                                    ntype);
+                if (err)
+                        return err;
                dev->ieee80211_ptr->use_4addr = false;
                dev->ieee80211_ptr->mesh_id_up_len = 0;
@@ -885,3 +906,103 @@ u16 cfg80211_calculate_bitrate(struct rate_info *rate)
        /* do NOT round down here */
        return (bitrate + 50000) / 100000;
 }
+int cfg80211_validate_beacon_int(struct cfg80211_registered_device *rdev,
+                                 u32 beacon_int)
+{
+        struct wireless_dev *wdev;
+        int res = 0;
+        if (!beacon_int)
+                return -EINVAL;
+        mutex_lock(&rdev->devlist_mtx);
+        list_for_each_entry(wdev, &rdev->netdev_list, list) {
+                if (!wdev->beacon_interval)
+                        continue;
+                if (wdev->beacon_interval != beacon_int) {
+                        res = -EINVAL;
+                        break;
+                }
+        }
+        mutex_unlock(&rdev->devlist_mtx);
+        return res;
+}
+int cfg80211_can_change_interface(struct cfg80211_registered_device *rdev,
+                                  struct wireless_dev *wdev,
+                                  enum nl80211_iftype iftype)
+{
+        struct wireless_dev *wdev_iter;
+        int num[NUM_NL80211_IFTYPES];
+        int total = 1;
+        int i, j;
+        ASSERT_RTNL();
+        /* Always allow software iftypes */
+        if (rdev->wiphy.software_iftypes & BIT(iftype))
+                return 0;
+        /*
+         * Drivers will gradually all set this flag, until all
+         * have it we only enforce for those that set it.
+         */
+        if (!(rdev->wiphy.flags & WIPHY_FLAG_ENFORCE_COMBINATIONS))
+                return 0;
+        memset(num, 0, sizeof(num));
+        num[iftype] = 1;
+        mutex_lock(&rdev->devlist_mtx);
+        list_for_each_entry(wdev_iter, &rdev->netdev_list, list) {
+                if (wdev_iter == wdev)
+                        continue;
+                if (!netif_running(wdev_iter->netdev))
+                        continue;
+                if (rdev->wiphy.software_iftypes & BIT(wdev_iter->iftype))
+                        continue;
+                num[wdev_iter->iftype]++;
+                total++;
+        }
+        mutex_unlock(&rdev->devlist_mtx);
+        for (i = 0; i < rdev->wiphy.n_iface_combinations; i++) {
+                const struct ieee80211_iface_combination *c;
+                struct ieee80211_iface_limit *limits;
+                c = &rdev->wiphy.iface_combinations[i];
+                limits = kmemdup(c->limits, sizeof(limits[0]) * c->n_limits,
+                                 GFP_KERNEL);
+                if (!limits)
+                        return -ENOMEM;
+                if (total > c->max_interfaces)
+                        goto cont;
+                for (iftype = 0; iftype < NUM_NL80211_IFTYPES; iftype++) {
+                        if (rdev->wiphy.software_iftypes & BIT(iftype))
+                                continue;
+                        for (j = 0; j < c->n_limits; j++) {
+                                if (!(limits[j].types & iftype))
+                                        continue;
+                                if (limits[j].max < num[iftype])
+                                        goto cont;
+                                limits[j].max -= num[iftype];
+                        }
+                }
+                /* yay, it fits */
+                kfree(limits);
+                return 0;
+ cont:
+                kfree(limits);
+        }
+        return -EBUSY;
+}
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index d112f038edf0..0bf169bb770e 100644
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -267,9 +267,12 @@ int cfg80211_wext_freq(struct wiphy *wiphy, struct iw_freq *freq)
         * -EINVAL for impossible things.
         */
        if (freq->e == 0) {
+                enum ieee80211_band band = IEEE80211_BAND_2GHZ;
                if (freq->m < 0)
                        return 0;
-                return ieee80211_channel_to_frequency(freq->m);
+                if (freq->m > 14)
+                        band = IEEE80211_BAND_5GHZ;
+                return ieee80211_channel_to_frequency(freq->m, band);
        } else {
                int i, div = 1000000;
                for (i = 0; i < freq->e; i++)
diff --git a/net/x25/Kconfig b/net/x25/Kconfig
index 2196e55e4f61..e6759c9660bb 100644
--- a/net/x25/Kconfig
+++ b/net/x25/Kconfig
@@ -5,7 +5,6 @@
 config X25
        tristate "CCITT X.25 Packet Layer (EXPERIMENTAL)"
        depends on EXPERIMENTAL
-        depends on BKL # should be fixable
        ---help---
          X.25 is a set of standardized network protocols, similar in scope to
          frame relay; the one physical line from your box to the X.25 network
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index ad96ee90fe27..4680b1e4c79c 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -40,7 +40,6 @@
 #include <linux/errno.h>
 #include <linux/kernel.h>
 #include <linux/sched.h>
-#include <linux/smp_lock.h>
 #include <linux/timer.h>
 #include <linux/string.h>
 #include <linux/net.h>
@@ -432,15 +431,6 @@ void x25_destroy_socket_from_timer(struct sock *sk)
        sock_put(sk);
 }
-static void x25_destroy_socket(struct sock *sk)
-{
-        sock_hold(sk);
-        lock_sock(sk);
-        __x25_destroy_socket(sk);
-        release_sock(sk);
-        sock_put(sk);
-}
 /*
 *      Handling for system calls applied via the various interfaces to a
 *      X.25 socket object.
@@ -647,18 +637,19 @@ static int x25_release(struct socket *sock)
        struct sock *sk = sock->sk;
        struct x25_sock *x25;
-        lock_kernel();
        if (!sk)
-                goto out;
+                return 0;
        x25 = x25_sk(sk);
+        sock_hold(sk);
+        lock_sock(sk);
        switch (x25->state) {
                case X25_STATE_0:
                case X25_STATE_2:
                        x25_disconnect(sk, 0, 0, 0);
-                        x25_destroy_socket(sk);
+                        __x25_destroy_socket(sk);
                        goto out;
                case X25_STATE_1:
@@ -678,7 +669,8 @@ static int x25_release(struct socket *sock)
        sock_orphan(sk);
 out:
-        unlock_kernel();
+        release_sock(sk);
+        sock_put(sk);
        return 0;
 }
@@ -1085,7 +1077,7 @@ static int x25_sendmsg(struct kiocb *iocb, struct socket *sock,
        size_t size;
        int qbit = 0, rc = -EINVAL;
-        lock_kernel();
+        lock_sock(sk);
        if (msg->msg_flags & ~(MSG_DONTWAIT|MSG_OOB|MSG_EOR|MSG_CMSG_COMPAT))
                goto out;
@@ -1148,7 +1140,9 @@ static int x25_sendmsg(struct kiocb *iocb, struct socket *sock,
        size = len + X25_MAX_L2_LEN + X25_EXT_MIN_LEN;
+        release_sock(sk);
        skb = sock_alloc_send_skb(sk, size, noblock, &rc);
+        lock_sock(sk);
        if (!skb)
                goto out;
        X25_SKB_CB(skb)->flags = msg->msg_flags;
@@ -1231,26 +1225,10 @@ static int x25_sendmsg(struct kiocb *iocb, struct socket *sock,
                        len++;
        }
-        /*
-         * lock_sock() is currently only used to serialize this x25_kick()
-         * against input-driven x25_kick() calls. It currently only blocks
-         * incoming packets for this socket and does not protect against
-         * any other socket state changes and is not called from anywhere
-         * else. As x25_kick() cannot block and as long as all socket
-         * operations are BKL-wrapped, we don't need take to care about
-         * purging the backlog queue in x25_release().
-         *
-         * Using lock_sock() to protect all socket operations entirely
-         * (and making the whole x25 stack SMP aware) unfortunately would
-         * require major changes to {send,recv}msg and skb allocation methods.
-         * -> 2.5 ;)
-         */
-        lock_sock(sk);
        x25_kick(sk);
-        release_sock(sk);
        rc = len;
 out:
-        unlock_kernel();
+        release_sock(sk);
        return rc;
 out_kfree_skb:
        kfree_skb(skb);
@@ -1271,7 +1249,7 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock,
        unsigned char *asmptr;
        int rc = -ENOTCONN;
-        lock_kernel();
+        lock_sock(sk);
        /*
         * This works for seqpacket too. The receiver has ordered the queue for
         * us! We do one quick check first though
@@ -1300,8 +1278,10 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock,
                msg->msg_flags |= MSG_OOB;
        } else {
                /* Now we can treat all alike */
+                release_sock(sk);
                skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
                                        flags & MSG_DONTWAIT, &rc);
+                lock_sock(sk);
                if (!skb)
                        goto out;
@@ -1338,14 +1318,12 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock,
        msg->msg_namelen = sizeof(struct sockaddr_x25);
-        lock_sock(sk);
        x25_check_rbuf(sk);
-        release_sock(sk);
        rc = copied;
 out_free_dgram:
        skb_free_datagram(sk, skb);
 out:
-        unlock_kernel();
+        release_sock(sk);
        return rc;
 }
@@ -1581,18 +1559,18 @@ out_cud_release:
                case SIOCX25CALLACCPTAPPRV: {
                        rc = -EINVAL;
-                        lock_kernel();
+                        lock_sock(sk);
                        if (sk->sk_state != TCP_CLOSE)
                                break;
                        clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags);
-                        unlock_kernel();
+                        release_sock(sk);
                        rc = 0;
                        break;
                }
                case SIOCX25SENDCALLACCPT:  {
                        rc = -EINVAL;
-                        lock_kernel();
+                        lock_sock(sk);
                        if (sk->sk_state != TCP_ESTABLISHED)
                                break;
                        /* must call accptapprv above */
@@ -1600,7 +1578,7 @@ out_cud_release:
                                break;
                        x25_write_internal(sk, X25_CALL_ACCEPTED);
                        x25->state = X25_STATE_3;
-                        unlock_kernel();
+                        release_sock(sk);
                        rc = 0;
                        break;
                }
diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index 406207515b5e..f77e4e75f914 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -31,7 +31,7 @@
 * x25_parse_facilities - Parse facilities from skb into the facilities structs
 *
 * @skb: sk_buff to parse
- * @facilities: Regular facilites, updated as facilities are found
+ * @facilities: Regular facilities, updated as facilities are found
 * @dte_facs: ITU DTE facilities, updated as DTE facilities are found
 * @vc_fac_mask: mask is updated with all facilities found
 *
diff --git a/net/x25/x25_forward.c b/net/x25/x25_forward.c
index 25a810793968..c541b622ae16 100644
--- a/net/x25/x25_forward.c
+++ b/net/x25/x25_forward.c
@@ -31,7 +31,7 @@ int x25_forward_call(struct x25_address *dest_addr, struct x25_neigh *from,
                goto out_no_route;
        if ((neigh_new = x25_get_neigh(rt->dev)) == NULL) {
-                /* This shouldnt happen, if it occurs somehow
+                /* This shouldn't happen, if it occurs somehow
                 * do something sensible
                 */
                goto out_put_route;
@@ -45,7 +45,7 @@ int x25_forward_call(struct x25_address *dest_addr, struct x25_neigh *from,
        }
        /* Remote end sending a call request on an already
-         * established LCI? It shouldnt happen, just in case..
+         * established LCI? It shouldn't happen, just in case..
         */
        read_lock_bh(&x25_forward_list_lock);
        list_for_each(entry, &x25_forward_list) {
diff --git a/net/x25/x25_out.c b/net/x25/x25_out.c
index d00649fb251d..0144271d2184 100644
--- a/net/x25/x25_out.c
+++ b/net/x25/x25_out.c
@@ -68,8 +68,11 @@ int x25_output(struct sock *sk, struct sk_buff *skb)
                frontlen = skb_headroom(skb);
                while (skb->len > 0) {
-                        if ((skbn = sock_alloc_send_skb(sk, frontlen + max_len,
+                        release_sock(sk);
-                                                        noblock, &err)) == NULL){
+                        skbn = sock_alloc_send_skb(sk, frontlen + max_len,
+                                                   noblock, &err);
+                        lock_sock(sk);
+                        if (!skbn) {
                                if (err == -EWOULDBLOCK && noblock){
                                        kfree_skb(skb);
                                        return sent;
diff --git a/net/xfrm/Makefile b/net/xfrm/Makefile
index c631047e1b27..aa429eefe919 100644
--- a/net/xfrm/Makefile
+++ b/net/xfrm/Makefile
@@ -4,7 +4,7 @@
 obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \
                      xfrm_input.o xfrm_output.o xfrm_algo.o \
-                      xfrm_sysctl.o
+                      xfrm_sysctl.o xfrm_replay.o
 obj-$(CONFIG_XFRM_STATISTICS) += xfrm_proc.o
 obj-$(CONFIG_XFRM_USER) += xfrm_user.o
 obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o
diff --git a/net/xfrm/xfrm_algo.c b/net/xfrm/xfrm_algo.c
index 8b4d6e3246e5..58064d9e565d 100644
--- a/net/xfrm/xfrm_algo.c
+++ b/net/xfrm/xfrm_algo.c
@@ -618,21 +618,21 @@ static int xfrm_alg_name_match(const struct xfrm_algo_desc *entry,
                        (entry->compat && !strcmp(name, entry->compat)));
 }
-struct xfrm_algo_desc *xfrm_aalg_get_byname(char *name, int probe)
+struct xfrm_algo_desc *xfrm_aalg_get_byname(const char *name, int probe)
 {
        return xfrm_find_algo(&xfrm_aalg_list, xfrm_alg_name_match, name,
                              probe);
 }
 EXPORT_SYMBOL_GPL(xfrm_aalg_get_byname);
-struct xfrm_algo_desc *xfrm_ealg_get_byname(char *name, int probe)
+struct xfrm_algo_desc *xfrm_ealg_get_byname(const char *name, int probe)
 {
        return xfrm_find_algo(&xfrm_ealg_list, xfrm_alg_name_match, name,
                              probe);
 }
 EXPORT_SYMBOL_GPL(xfrm_ealg_get_byname);
-struct xfrm_algo_desc *xfrm_calg_get_byname(char *name, int probe)
+struct xfrm_algo_desc *xfrm_calg_get_byname(const char *name, int probe)
 {
        return xfrm_find_algo(&xfrm_calg_list, xfrm_alg_name_match, name,
                              probe);
@@ -654,7 +654,7 @@ static int xfrm_aead_name_match(const struct xfrm_algo_desc *entry,
               !strcmp(name, entry->name);
 }
-struct xfrm_algo_desc *xfrm_aead_get_byname(char *name, int icv_len, int probe)
+struct xfrm_algo_desc *xfrm_aead_get_byname(const char *name, int icv_len, int probe)
 {
        struct xfrm_aead_name data = {
                .name = name,
diff --git a/net/xfrm/xfrm_hash.h b/net/xfrm/xfrm_hash.h
index 8e69533d2313..7199d78b2aa1 100644
--- a/net/xfrm/xfrm_hash.h
+++ b/net/xfrm/xfrm_hash.h
@@ -4,29 +4,32 @@
 #include <linux/xfrm.h>
 #include <linux/socket.h>
-static inline unsigned int __xfrm4_addr_hash(xfrm_address_t *addr)
+static inline unsigned int __xfrm4_addr_hash(const xfrm_address_t *addr)
 {
        return ntohl(addr->a4);
 }
-static inline unsigned int __xfrm6_addr_hash(xfrm_address_t *addr)
+static inline unsigned int __xfrm6_addr_hash(const xfrm_address_t *addr)
 {
        return ntohl(addr->a6[2] ^ addr->a6[3]);
 }
-static inline unsigned int __xfrm4_daddr_saddr_hash(xfrm_address_t *daddr, xfrm_address_t *saddr)
+static inline unsigned int __xfrm4_daddr_saddr_hash(const xfrm_address_t *daddr,
+                                                    const xfrm_address_t *saddr)
 {
        u32 sum = (__force u32)daddr->a4 + (__force u32)saddr->a4;
        return ntohl((__force __be32)sum);
 }
-static inline unsigned int __xfrm6_daddr_saddr_hash(xfrm_address_t *daddr, xfrm_address_t *saddr)
+static inline unsigned int __xfrm6_daddr_saddr_hash(const xfrm_address_t *daddr,
+                                                    const xfrm_address_t *saddr)
 {
        return ntohl(daddr->a6[2] ^ daddr->a6[3] ^
                     saddr->a6[2] ^ saddr->a6[3]);
 }
-static inline unsigned int __xfrm_dst_hash(xfrm_address_t *daddr, xfrm_address_t *saddr,
+static inline unsigned int __xfrm_dst_hash(const xfrm_address_t *daddr,
+                                           const xfrm_address_t *saddr,
                                           u32 reqid, unsigned short family,
                                           unsigned int hmask)
 {
@@ -42,8 +45,8 @@ static inline unsigned int __xfrm_dst_hash(xfrm_address_t *daddr, xfrm_address_t
        return (h ^ (h >> 16)) & hmask;
 }
-static inline unsigned __xfrm_src_hash(xfrm_address_t *daddr,
+static inline unsigned __xfrm_src_hash(const xfrm_address_t *daddr,
-                                       xfrm_address_t *saddr,
+                                       const xfrm_address_t *saddr,
                                       unsigned short family,
                                       unsigned int hmask)
 {
@@ -60,8 +63,8 @@ static inline unsigned __xfrm_src_hash(xfrm_address_t *daddr,
 }
 static inline unsigned int
-__xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family,
+__xfrm_spi_hash(const xfrm_address_t *daddr, __be32 spi, u8 proto,
-                unsigned int hmask)
+                unsigned short family, unsigned int hmask)
 {
        unsigned int h = (__force u32)spi ^ proto;
        switch (family) {
@@ -80,10 +83,11 @@ static inline unsigned int __idx_hash(u32 index, unsigned int hmask)
        return (index ^ (index >> 8)) & hmask;
 }
-static inline unsigned int __sel_hash(struct xfrm_selector *sel, unsigned short family, unsigned int hmask)
+static inline unsigned int __sel_hash(const struct xfrm_selector *sel,
+                                      unsigned short family, unsigned int hmask)
 {
-        xfrm_address_t *daddr = &sel->daddr;
+        const xfrm_address_t *daddr = &sel->daddr;
-        xfrm_address_t *saddr = &sel->saddr;
+        const xfrm_address_t *saddr = &sel->saddr;
        unsigned int h = 0;
        switch (family) {
@@ -107,7 +111,9 @@ static inline unsigned int __sel_hash(struct xfrm_selector *sel, unsigned short
        return h & hmask;
 }
-static inline unsigned int __addr_hash(xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, unsigned int hmask)
+static inline unsigned int __addr_hash(const xfrm_address_t *daddr,
+                                       const xfrm_address_t *saddr,
+                                       unsigned short family, unsigned int hmask)
 {
        unsigned int h = 0;
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 45f1c98d4fce..a026b0ef2443 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -107,6 +107,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
        struct net *net = dev_net(skb->dev);
        int err;
        __be32 seq;
+        __be32 seq_hi;
        struct xfrm_state *x;
        xfrm_address_t *daddr;
        struct xfrm_mode *inner_mode;
@@ -118,7 +119,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
        if (encap_type < 0) {
                async = 1;
                x = xfrm_input_state(skb);
-                seq = XFRM_SKB_CB(skb)->seq.input;
+                seq = XFRM_SKB_CB(skb)->seq.input.low;
                goto resume;
        }
@@ -172,7 +173,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
                        goto drop_unlock;
                }
-                if (x->props.replay_window && xfrm_replay_check(x, skb, seq)) {
+                if (x->repl->check(x, skb, seq)) {
                        XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
                        goto drop_unlock;
                }
@@ -184,7 +185,12 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
                spin_unlock(&x->lock);
-                XFRM_SKB_CB(skb)->seq.input = seq;
+                seq_hi = htonl(xfrm_replay_seqhi(x, seq));
+                XFRM_SKB_CB(skb)->seq.input.low = seq;
+                XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;
+                skb_dst_force(skb);
                nexthdr = x->type->input(x, skb);
@@ -206,8 +212,7 @@ resume:
                /* only the first xfrm gets the encap type */
                encap_type = 0;
-                if (x->props.replay_window)
+                x->repl->advance(x, seq);
-                        xfrm_replay_advance(x, seq);
                x->curlft.bytes += skb->len;
                x->curlft.packets++;
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 64f2ae1fdc15..47bacd8c0250 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -67,17 +67,10 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
                        goto error;
                }
-                if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
+                err = x->repl->overflow(x, skb);
-                        XFRM_SKB_CB(skb)->seq.output = ++x->replay.oseq;
+                if (err) {
-                        if (unlikely(x->replay.oseq == 0)) {
+                        XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATESEQERROR);
-                                XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTSTATESEQERROR);
+                        goto error;
-                                x->replay.oseq--;
-                                xfrm_audit_state_replay_overflow(x, skb);
-                                err = -EOVERFLOW;
-                                goto error;
-                        }
-                        if (xfrm_aevent_is_on(net))
-                                xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
                }
                x->curlft.bytes += skb->len;
@@ -85,6 +78,8 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
                spin_unlock_bh(&x->lock);
+                skb_dst_force(skb);
                err = x->type->output(x, skb);
                if (err == -EINPROGRESS)
                        goto out_exit;
@@ -101,7 +96,7 @@ resume:
                        err = -EHOSTUNREACH;
                        goto error_nolock;
                }
-                skb_dst_set(skb, dst_clone(dst));
+                skb_dst_set(skb, dst);
                x = dst->xfrm;
        } while (x && !(x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL));
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 6459588befc3..9bec2e8a838c 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -50,37 +50,40 @@ static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
 static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
 static void xfrm_init_pmtu(struct dst_entry *dst);
 static int stale_bundle(struct dst_entry *dst);
-static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *xdst,
+static int xfrm_bundle_ok(struct xfrm_dst *xdst, int family);
-                          struct flowi *fl, int family, int strict);
 static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
                                                int dir);
 static inline int
-__xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl)
+__xfrm4_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
 {
-        return  addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) &&
+        const struct flowi4 *fl4 = &fl->u.ip4;
-                addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) &&
-                !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
+        return  addr_match(&fl4->daddr, &sel->daddr, sel->prefixlen_d) &&
-                !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
+                addr_match(&fl4->saddr, &sel->saddr, sel->prefixlen_s) &&
-                (fl->proto == sel->proto || !sel->proto) &&
+                !((xfrm_flowi_dport(fl, &fl4->uli) ^ sel->dport) & sel->dport_mask) &&
-                (fl->oif == sel->ifindex || !sel->ifindex);
+                !((xfrm_flowi_sport(fl, &fl4->uli) ^ sel->sport) & sel->sport_mask) &&
+                (fl4->flowi4_proto == sel->proto || !sel->proto) &&
+                (fl4->flowi4_oif == sel->ifindex || !sel->ifindex);
 }
 static inline int
-__xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl)
+__xfrm6_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)
 {
-        return  addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) &&
+        const struct flowi6 *fl6 = &fl->u.ip6;
-                addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) &&
-                !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
+        return  addr_match(&fl6->daddr, &sel->daddr, sel->prefixlen_d) &&
-                !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
+                addr_match(&fl6->saddr, &sel->saddr, sel->prefixlen_s) &&
-                (fl->proto == sel->proto || !sel->proto) &&
+                !((xfrm_flowi_dport(fl, &fl6->uli) ^ sel->dport) & sel->dport_mask) &&
-                (fl->oif == sel->ifindex || !sel->ifindex);
+                !((xfrm_flowi_sport(fl, &fl6->uli) ^ sel->sport) & sel->sport_mask) &&
+                (fl6->flowi6_proto == sel->proto || !sel->proto) &&
+                (fl6->flowi6_oif == sel->ifindex || !sel->ifindex);
 }
-int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
+int xfrm_selector_match(const struct xfrm_selector *sel, const struct flowi *fl,
-                    unsigned short family)
+                        unsigned short family)
 {
        switch (family) {
        case AF_INET:
@@ -92,8 +95,8 @@ int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
 }
 static inline struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos,
-                                                  xfrm_address_t *saddr,
+                                                  const xfrm_address_t *saddr,
-                                                  xfrm_address_t *daddr,
+                                                  const xfrm_address_t *daddr,
                                                  int family)
 {
        struct xfrm_policy_afinfo *afinfo;
@@ -311,7 +314,9 @@ static inline unsigned int idx_hash(struct net *net, u32 index)
        return __idx_hash(index, net->xfrm.policy_idx_hmask);
 }
-static struct hlist_head *policy_hash_bysel(struct net *net, struct xfrm_selector *sel, unsigned short family, int dir)
+static struct hlist_head *policy_hash_bysel(struct net *net,
+                                            const struct xfrm_selector *sel,
+                                            unsigned short family, int dir)
 {
        unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
        unsigned int hash = __sel_hash(sel, family, hmask);
@@ -321,7 +326,10 @@ static struct hlist_head *policy_hash_bysel(struct net *net, struct xfrm_selecto
                net->xfrm.policy_bydst[dir].table + hash);
 }
-static struct hlist_head *policy_hash_direct(struct net *net, xfrm_address_t *daddr, xfrm_address_t *saddr, unsigned short family, int dir)
+static struct hlist_head *policy_hash_direct(struct net *net,
+                                             const xfrm_address_t *daddr,
+                                             const xfrm_address_t *saddr,
+                                             unsigned short family, int dir)
 {
        unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;
        unsigned int hash = __addr_hash(daddr, saddr, family, hmask);
@@ -864,32 +872,33 @@ EXPORT_SYMBOL(xfrm_policy_walk_done);
 *
 * Returns 0 if policy found, else an -errno.
 */
-static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl,
+static int xfrm_policy_match(const struct xfrm_policy *pol,
+                             const struct flowi *fl,
                             u8 type, u16 family, int dir)
 {
-        struct xfrm_selector *sel = &pol->selector;
+        const struct xfrm_selector *sel = &pol->selector;
        int match, ret = -ESRCH;
        if (pol->family != family ||
-            (fl->mark & pol->mark.m) != pol->mark.v ||
+            (fl->flowi_mark & pol->mark.m) != pol->mark.v ||
            pol->type != type)
                return ret;
        match = xfrm_selector_match(sel, fl, family);
        if (match)
-                ret = security_xfrm_policy_lookup(pol->security, fl->secid,
+                ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid,
                                                  dir);
        return ret;
 }
 static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
-                                                     struct flowi *fl,
+                                                     const struct flowi *fl,
                                                     u16 family, u8 dir)
 {
        int err;
        struct xfrm_policy *pol, *ret;
-        xfrm_address_t *daddr, *saddr;
+        const xfrm_address_t *daddr, *saddr;
        struct hlist_node *entry;
        struct hlist_head *chain;
        u32 priority = ~0U;
@@ -941,7 +950,7 @@ fail:
 }
 static struct xfrm_policy *
-__xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir)
+__xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir)
 {
 #ifdef CONFIG_XFRM_SUB_POLICY
        struct xfrm_policy *pol;
@@ -954,7 +963,7 @@ __xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir)
 }
 static struct flow_cache_object *
-xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family,
+xfrm_policy_lookup(struct net *net, const struct flowi *fl, u16 family,
                   u8 dir, struct flow_cache_object *old_obj, void *ctx)
 {
        struct xfrm_policy *pol;
@@ -990,7 +999,8 @@ static inline int policy_to_flow_dir(int dir)
        }
 }
-static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struct flowi *fl)
+static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir,
+                                                 const struct flowi *fl)
 {
        struct xfrm_policy *pol;
@@ -1006,7 +1016,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struc
                                goto out;
                        }
                        err = security_xfrm_policy_lookup(pol->security,
-                                                      fl->secid,
+                                                      fl->flowi_secid,
                                                      policy_to_flow_dir(dir));
                        if (!err)
                                xfrm_pol_hold(pol);
@@ -1098,7 +1108,7 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
        return 0;
 }
-static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir)
+static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
 {
        struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC);
@@ -1157,9 +1167,8 @@ xfrm_get_saddr(struct net *net, xfrm_address_t *local, xfrm_address_t *remote,
 /* Resolve list of templates for the flow, given policy. */
 static int
-xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl,
+xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
-                      struct xfrm_state **xfrm,
+                      struct xfrm_state **xfrm, unsigned short family)
-                      unsigned short family)
 {
        struct net *net = xp_net(policy);
        int nx;
@@ -1214,9 +1223,8 @@ fail:
 }
 static int
-xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
+xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
-                  struct xfrm_state **xfrm,
+                  struct xfrm_state **xfrm, unsigned short family)
-                  unsigned short family)
 {
        struct xfrm_state *tp[XFRM_MAX_DEPTH];
        struct xfrm_state **tpp = (npols > 1) ? tp : xfrm;
@@ -1256,7 +1264,7 @@ xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
 * still valid.
 */
-static inline int xfrm_get_tos(struct flowi *fl, int family)
+static inline int xfrm_get_tos(const struct flowi *fl, int family)
 {
        struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
        int tos;
@@ -1340,7 +1348,8 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
        default:
                BUG();
        }
-        xdst = dst_alloc(dst_ops);
+        xdst = dst_alloc(dst_ops, NULL, 0, 0, 0);
+        memset(&xdst->u.rt6.rt6i_table, 0, sizeof(*xdst) - sizeof(struct dst_entry));
        xfrm_policy_put_afinfo(afinfo);
        if (likely(xdst))
@@ -1369,7 +1378,7 @@ static inline int xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
 }
 static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
-                                struct flowi *fl)
+                                const struct flowi *fl)
 {
        struct xfrm_policy_afinfo *afinfo =
                xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
@@ -1392,12 +1401,13 @@ static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
 static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                                            struct xfrm_state **xfrm, int nx,
-                                            struct flowi *fl,
+                                            const struct flowi *fl,
                                            struct dst_entry *dst)
 {
        struct net *net = xp_net(policy);
        unsigned long now = jiffies;
        struct net_device *dev;
+        struct xfrm_mode *inner_mode;
        struct dst_entry *dst_prev = NULL;
        struct dst_entry *dst0 = NULL;
        int i = 0;
@@ -1428,6 +1438,17 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                        goto put_states;
                }
+                if (xfrm[i]->sel.family == AF_UNSPEC) {
+                        inner_mode = xfrm_ip2inner_mode(xfrm[i],
+                                                        xfrm_af2proto(family));
+                        if (!inner_mode) {
+                                err = -EAFNOSUPPORT;
+                                dst_release(dst);
+                                goto put_states;
+                        }
+                } else
+                        inner_mode = xfrm[i]->inner_mode;
                if (!dst_prev)
                        dst0 = dst1;
                else {
@@ -1456,7 +1477,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                dst1->lastuse = now;
                dst1->input = dst_discard;
-                dst1->output = xfrm[i]->outer_mode->afinfo->output;
+                dst1->output = inner_mode->afinfo->output;
                dst1->next = dst_prev;
                dst_prev = dst1;
@@ -1508,7 +1529,7 @@ free_dst:
 }
 static int inline
-xfrm_dst_alloc_copy(void **target, void *src, int size)
+xfrm_dst_alloc_copy(void **target, const void *src, int size)
 {
        if (!*target) {
                *target = kmalloc(size, GFP_ATOMIC);
@@ -1520,7 +1541,7 @@ xfrm_dst_alloc_copy(void **target, void *src, int size)
 }
 static int inline
-xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
+xfrm_dst_update_parent(struct dst_entry *dst, const struct xfrm_selector *sel)
 {
 #ifdef CONFIG_XFRM_SUB_POLICY
        struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
@@ -1532,7 +1553,7 @@ xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
 }
 static int inline
-xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
+xfrm_dst_update_origin(struct dst_entry *dst, const struct flowi *fl)
 {
 #ifdef CONFIG_XFRM_SUB_POLICY
        struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
@@ -1542,7 +1563,7 @@ xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
 #endif
 }
-static int xfrm_expand_policies(struct flowi *fl, u16 family,
+static int xfrm_expand_policies(const struct flowi *fl, u16 family,
                                struct xfrm_policy **pols,
                                int *num_pols, int *num_xfrms)
 {
@@ -1588,7 +1609,7 @@ static int xfrm_expand_policies(struct flowi *fl, u16 family,
 static struct xfrm_dst *
 xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
-                               struct flowi *fl, u16 family,
+                               const struct flowi *fl, u16 family,
                               struct dst_entry *dst_orig)
 {
        struct net *net = xp_net(pols[0]);
@@ -1631,7 +1652,7 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
 }
 static struct flow_cache_object *
-xfrm_bundle_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir,
+xfrm_bundle_lookup(struct net *net, const struct flowi *fl, u16 family, u8 dir,
                   struct flow_cache_object *oldflo, void *ctx)
 {
        struct dst_entry *dst_orig = (struct dst_entry *)ctx;
@@ -1730,18 +1751,36 @@ error:
        return ERR_PTR(err);
 }
+static struct dst_entry *make_blackhole(struct net *net, u16 family,
+                                        struct dst_entry *dst_orig)
+{
+        struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
+        struct dst_entry *ret;
+        if (!afinfo) {
+                dst_release(dst_orig);
+                ret = ERR_PTR(-EINVAL);
+        } else {
+                ret = afinfo->blackhole_route(net, dst_orig);
+        }
+        xfrm_policy_put_afinfo(afinfo);
+        return ret;
+}
 /* Main function: finds/creates a bundle for given flow.
 *
 * At the moment we eat a raw IP route. Mostly to speed up lookups
 * on interfaces with disabled IPsec.
 */
-int __xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl,
+struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
-                  struct sock *sk, int flags)
+                              const struct flowi *fl,
+                              struct sock *sk, int flags)
 {
        struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
        struct flow_cache_object *flo;
        struct xfrm_dst *xdst;
-        struct dst_entry *dst, *dst_orig = *dst_p, *route;
+        struct dst_entry *dst, *route;
        u16 family = dst_orig->ops->family;
        u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
        int i, err, num_pols, num_xfrms = 0, drop_pols = 0;
@@ -1778,6 +1817,8 @@ restart:
                                goto no_transform;
                        }
+                        dst_hold(&xdst->u.dst);
                        spin_lock_bh(&xfrm_policy_sk_bundle_lock);
                        xdst->u.dst.next = xfrm_policy_sk_bundles;
                        xfrm_policy_sk_bundles = &xdst->u.dst;
@@ -1823,9 +1864,10 @@ restart:
                        dst_release(dst);
                        xfrm_pols_put(pols, drop_pols);
                        XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
-                        return -EREMOTE;
+                        return make_blackhole(net, family, dst_orig);
                }
-                if (flags & XFRM_LOOKUP_WAIT) {
+                if (fl->flowi_flags & FLOWI_FLAG_CAN_SLEEP) {
                        DECLARE_WAITQUEUE(wait, current);
                        add_wait_queue(&net->xfrm.km_waitq, &wait);
@@ -1867,47 +1909,33 @@ no_transform:
                goto error;
        } else if (num_xfrms > 0) {
                /* Flow transformed */
-                *dst_p = dst;
                dst_release(dst_orig);
        } else {
                /* Flow passes untransformed */
                dst_release(dst);
+                dst = dst_orig;
        }
 ok:
        xfrm_pols_put(pols, drop_pols);
-        return 0;
+        return dst;
 nopol:
-        if (!(flags & XFRM_LOOKUP_ICMP))
+        if (!(flags & XFRM_LOOKUP_ICMP)) {
+                dst = dst_orig;
                goto ok;
+        }
        err = -ENOENT;
 error:
        dst_release(dst);
 dropdst:
        dst_release(dst_orig);
-        *dst_p = NULL;
        xfrm_pols_put(pols, drop_pols);
-        return err;
+        return ERR_PTR(err);
-}
-EXPORT_SYMBOL(__xfrm_lookup);
-int xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl,
-                struct sock *sk, int flags)
-{
-        int err = __xfrm_lookup(net, dst_p, fl, sk, flags);
-        if (err == -EREMOTE) {
-                dst_release(*dst_p);
-                *dst_p = NULL;
-                err = -EAGAIN;
-        }
-        return err;
 }
 EXPORT_SYMBOL(xfrm_lookup);
 static inline int
-xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl)
+xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
 {
        struct xfrm_state *x;
@@ -1926,7 +1954,7 @@ xfrm_secpath_reject(int idx, struct sk_buff *skb, struct flowi *fl)
 */
 static inline int
-xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
+xfrm_state_ok(const struct xfrm_tmpl *tmpl, const struct xfrm_state *x,
              unsigned short family)
 {
        if (xfrm_state_kern(x))
@@ -1949,7 +1977,7 @@ xfrm_state_ok(struct xfrm_tmpl *tmpl, struct xfrm_state *x,
 * Otherwise "-2 - errored_index" is returned.
 */
 static inline int
-xfrm_policy_ok(struct xfrm_tmpl *tmpl, struct sec_path *sp, int start,
+xfrm_policy_ok(const struct xfrm_tmpl *tmpl, const struct sec_path *sp, int start,
               unsigned short family)
 {
        int idx = start;
@@ -1981,13 +2009,13 @@ int __xfrm_decode_session(struct sk_buff *skb, struct flowi *fl,
                return -EAFNOSUPPORT;
        afinfo->decode_session(skb, fl, reverse);
-        err = security_xfrm_decode_session(skb, &fl->secid);
+        err = security_xfrm_decode_session(skb, &fl->flowi_secid);
        xfrm_policy_put_afinfo(afinfo);
        return err;
 }
 EXPORT_SYMBOL(__xfrm_decode_session);
-static inline int secpath_has_nontransport(struct sec_path *sp, int k, int *idxp)
+static inline int secpath_has_nontransport(const struct sec_path *sp, int k, int *idxp)
 {
        for (; k < sp->len; k++) {
                if (sp->xvec[k]->props.mode != XFRM_MODE_TRANSPORT) {
@@ -2162,7 +2190,7 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
        struct net *net = dev_net(skb->dev);
        struct flowi fl;
        struct dst_entry *dst;
-        int res;
+        int res = 1;
        if (xfrm_decode_session(skb, &fl, family) < 0) {
                XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
@@ -2170,9 +2198,12 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
        }
        skb_dst_force(skb);
-        dst = skb_dst(skb);
-        res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0;
+        dst = xfrm_lookup(net, skb_dst(skb), &fl, NULL, 0);
+        if (IS_ERR(dst)) {
+                res = 0;
+                dst = NULL;
+        }
        skb_dst_set(skb, dst);
        return res;
 }
@@ -2210,7 +2241,7 @@ static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
 static int stale_bundle(struct dst_entry *dst)
 {
-        return !xfrm_bundle_ok(NULL, (struct xfrm_dst *)dst, NULL, AF_UNSPEC, 0);
+        return !xfrm_bundle_ok((struct xfrm_dst *)dst, AF_UNSPEC);
 }
 void xfrm_dst_ifdown(struct dst_entry *dst, struct net_device *dev)
@@ -2282,8 +2313,7 @@ static void xfrm_init_pmtu(struct dst_entry *dst)
 * still valid.
 */
-static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
+static int xfrm_bundle_ok(struct xfrm_dst *first, int family)
-                struct flowi *fl, int family, int strict)
 {
        struct dst_entry *dst = &first->u.dst;
        struct xfrm_dst *last;
@@ -2292,26 +2322,12 @@ static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
        if (!dst_check(dst->path, ((struct xfrm_dst *)dst)->path_cookie) ||
            (dst->dev && !netif_running(dst->dev)))
                return 0;
-#ifdef CONFIG_XFRM_SUB_POLICY
-        if (fl) {
-                if (first->origin && !flow_cache_uli_match(first->origin, fl))
-                        return 0;
-                if (first->partner &&
-                    !xfrm_selector_match(first->partner, fl, family))
-                        return 0;
-        }
-#endif
        last = NULL;
        do {
                struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
-                if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
-                        return 0;
-                if (fl && pol &&
-                    !security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl))
-                        return 0;
                if (dst->xfrm->km.state != XFRM_STATE_VALID)
                        return 0;
                if (xdst->xfrm_genid != dst->xfrm->genid)
@@ -2320,11 +2336,6 @@ static int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
                    xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
                        return 0;
-                if (strict && fl &&
-                    !(dst->xfrm->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
-                    !xfrm_state_addr_flow_check(dst->xfrm, fl, family))
-                        return 0;
                mtu = dst_mtu(dst->child);
                if (xdst->child_mtu_cached != mtu) {
                        last = xdst;
@@ -2735,8 +2746,8 @@ EXPORT_SYMBOL_GPL(xfrm_audit_policy_delete);
 #endif
 #ifdef CONFIG_XFRM_MIGRATE
-static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp,
+static int xfrm_migrate_selector_match(const struct xfrm_selector *sel_cmp,
-                                       struct xfrm_selector *sel_tgt)
+                                       const struct xfrm_selector *sel_tgt)
 {
        if (sel_cmp->proto == IPSEC_ULPROTO_ANY) {
                if (sel_tgt->family == sel_cmp->family &&
@@ -2756,7 +2767,7 @@ static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp,
        return 0;
 }
-static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel,
+static struct xfrm_policy * xfrm_migrate_policy_find(const struct xfrm_selector *sel,
                                                     u8 dir, u8 type)
 {
        struct xfrm_policy *pol, *ret = NULL;
@@ -2792,7 +2803,7 @@ static struct xfrm_policy * xfrm_migrate_policy_find(struct xfrm_selector *sel,
        return ret;
 }
-static int migrate_tmpl_match(struct xfrm_migrate *m, struct xfrm_tmpl *t)
+static int migrate_tmpl_match(const struct xfrm_migrate *m, const struct xfrm_tmpl *t)
 {
        int match = 0;
@@ -2862,7 +2873,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
        return 0;
 }
-static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate)
+static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate)
 {
        int i, j;
@@ -2896,7 +2907,7 @@ static int xfrm_migrate_check(struct xfrm_migrate *m, int num_migrate)
        return 0;
 }
-int xfrm_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
+int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
                 struct xfrm_migrate *m, int num_migrate,
                 struct xfrm_kmaddress *k)
 {
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
new file mode 100644
index 000000000000..47f1b8638df9
--- /dev/null
+++ b/net/xfrm/xfrm_replay.c
@@ -0,0 +1,550 @@
+/*
+ * xfrm_replay.c - xfrm replay detection, derived from xfrm_state.c.
+ *
+ * Copyright (C) 2010 secunet Security Networks AG
+ * Copyright (C) 2010 Steffen Klassert <steffen.klassert@secunet.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms and conditions of the GNU General Public License,
+ * version 2, as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include <net/xfrm.h>
+u32 xfrm_replay_seqhi(struct xfrm_state *x, __be32 net_seq)
+{
+        u32 seq, seq_hi, bottom;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        if (!(x->props.flags & XFRM_STATE_ESN))
+                return 0;
+        seq = ntohl(net_seq);
+        seq_hi = replay_esn->seq_hi;
+        bottom = replay_esn->seq - replay_esn->replay_window + 1;
+        if (likely(replay_esn->seq >= replay_esn->replay_window - 1)) {
+                /* A. same subspace */
+                if (unlikely(seq < bottom))
+                        seq_hi++;
+        } else {
+                /* B. window spans two subspaces */
+                if (unlikely(seq >= bottom))
+                        seq_hi--;
+        }
+        return seq_hi;
+}
+static void xfrm_replay_notify(struct xfrm_state *x, int event)
+{
+        struct km_event c;
+        /* we send notify messages in case
+         *  1. we updated on of the sequence numbers, and the seqno difference
+         *     is at least x->replay_maxdiff, in this case we also update the
+         *     timeout of our timer function
+         *  2. if x->replay_maxage has elapsed since last update,
+         *     and there were changes
+         *
+         *  The state structure must be locked!
+         */
+        switch (event) {
+        case XFRM_REPLAY_UPDATE:
+                if (x->replay_maxdiff &&
+                    (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
+                    (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
+                        if (x->xflags & XFRM_TIME_DEFER)
+                                event = XFRM_REPLAY_TIMEOUT;
+                        else
+                                return;
+                }
+                break;
+        case XFRM_REPLAY_TIMEOUT:
+                if (memcmp(&x->replay, &x->preplay,
+                           sizeof(struct xfrm_replay_state)) == 0) {
+                        x->xflags |= XFRM_TIME_DEFER;
+                        return;
+                }
+                break;
+        }
+        memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
+        c.event = XFRM_MSG_NEWAE;
+        c.data.aevent = event;
+        km_state_notify(x, &c);
+        if (x->replay_maxage &&
+            !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
+                x->xflags &= ~XFRM_TIME_DEFER;
+}
+static int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb)
+{
+        int err = 0;
+        struct net *net = xs_net(x);
+        if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
+                XFRM_SKB_CB(skb)->seq.output.low = ++x->replay.oseq;
+                if (unlikely(x->replay.oseq == 0)) {
+                        x->replay.oseq--;
+                        xfrm_audit_state_replay_overflow(x, skb);
+                        err = -EOVERFLOW;
+                        return err;
+                }
+                if (xfrm_aevent_is_on(net))
+                        x->repl->notify(x, XFRM_REPLAY_UPDATE);
+        }
+        return err;
+}
+static int xfrm_replay_check(struct xfrm_state *x,
+                      struct sk_buff *skb, __be32 net_seq)
+{
+        u32 diff;
+        u32 seq = ntohl(net_seq);
+        if (!x->props.replay_window)
+                return 0;
+        if (unlikely(seq == 0))
+                goto err;
+        if (likely(seq > x->replay.seq))
+                return 0;
+        diff = x->replay.seq - seq;
+        if (diff >= min_t(unsigned int, x->props.replay_window,
+                          sizeof(x->replay.bitmap) * 8)) {
+                x->stats.replay_window++;
+                goto err;
+        }
+        if (x->replay.bitmap & (1U << diff)) {
+                x->stats.replay++;
+                goto err;
+        }
+        return 0;
+err:
+        xfrm_audit_state_replay(x, skb, net_seq);
+        return -EINVAL;
+}
+static void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
+{
+        u32 diff;
+        u32 seq = ntohl(net_seq);
+        if (!x->props.replay_window)
+                return;
+        if (seq > x->replay.seq) {
+                diff = seq - x->replay.seq;
+                if (diff < x->props.replay_window)
+                        x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
+                else
+                        x->replay.bitmap = 1;
+                x->replay.seq = seq;
+        } else {
+                diff = x->replay.seq - seq;
+                x->replay.bitmap |= (1U << diff);
+        }
+        if (xfrm_aevent_is_on(xs_net(x)))
+                xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
+}
+static int xfrm_replay_overflow_bmp(struct xfrm_state *x, struct sk_buff *skb)
+{
+        int err = 0;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        struct net *net = xs_net(x);
+        if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
+                XFRM_SKB_CB(skb)->seq.output.low = ++replay_esn->oseq;
+                if (unlikely(replay_esn->oseq == 0)) {
+                        replay_esn->oseq--;
+                        xfrm_audit_state_replay_overflow(x, skb);
+                        err = -EOVERFLOW;
+                        return err;
+                }
+                if (xfrm_aevent_is_on(net))
+                        x->repl->notify(x, XFRM_REPLAY_UPDATE);
+        }
+        return err;
+}
+static int xfrm_replay_check_bmp(struct xfrm_state *x,
+                                 struct sk_buff *skb, __be32 net_seq)
+{
+        unsigned int bitnr, nr;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        u32 pos;
+        u32 seq = ntohl(net_seq);
+        u32 diff =  replay_esn->seq - seq;
+        if (!replay_esn->replay_window)
+                return 0;
+        pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+        if (unlikely(seq == 0))
+                goto err;
+        if (likely(seq > replay_esn->seq))
+                return 0;
+        if (diff >= replay_esn->replay_window) {
+                x->stats.replay_window++;
+                goto err;
+        }
+        if (pos >= diff) {
+                bitnr = (pos - diff) % replay_esn->replay_window;
+                nr = bitnr >> 5;
+                bitnr = bitnr & 0x1F;
+                if (replay_esn->bmp[nr] & (1U << bitnr))
+                        goto err_replay;
+        } else {
+                bitnr = replay_esn->replay_window - (diff - pos);
+                nr = bitnr >> 5;
+                bitnr = bitnr & 0x1F;
+                if (replay_esn->bmp[nr] & (1U << bitnr))
+                        goto err_replay;
+        }
+        return 0;
+err_replay:
+        x->stats.replay++;
+err:
+        xfrm_audit_state_replay(x, skb, net_seq);
+        return -EINVAL;
+}
+static void xfrm_replay_advance_bmp(struct xfrm_state *x, __be32 net_seq)
+{
+        unsigned int bitnr, nr, i;
+        u32 diff;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        u32 seq = ntohl(net_seq);
+        u32 pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+        if (!replay_esn->replay_window)
+                return;
+        if (seq > replay_esn->seq) {
+                diff = seq - replay_esn->seq;
+                if (diff < replay_esn->replay_window) {
+                        for (i = 1; i < diff; i++) {
+                                bitnr = (pos + i) % replay_esn->replay_window;
+                                nr = bitnr >> 5;
+                                bitnr = bitnr & 0x1F;
+                                replay_esn->bmp[nr] &=  ~(1U << bitnr);
+                        }
+                        bitnr = (pos + diff) % replay_esn->replay_window;
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                } else {
+                        nr = replay_esn->replay_window >> 5;
+                        for (i = 0; i <= nr; i++)
+                                replay_esn->bmp[i] = 0;
+                        bitnr = (pos + diff) % replay_esn->replay_window;
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                }
+                replay_esn->seq = seq;
+        } else {
+                diff = replay_esn->seq - seq;
+                if (pos >= diff) {
+                        bitnr = (pos - diff) % replay_esn->replay_window;
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                } else {
+                        bitnr = replay_esn->replay_window - (diff - pos);
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                }
+        }
+        if (xfrm_aevent_is_on(xs_net(x)))
+                xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
+}
+static void xfrm_replay_notify_bmp(struct xfrm_state *x, int event)
+{
+        struct km_event c;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        struct xfrm_replay_state_esn *preplay_esn = x->preplay_esn;
+        /* we send notify messages in case
+         *  1. we updated on of the sequence numbers, and the seqno difference
+         *     is at least x->replay_maxdiff, in this case we also update the
+         *     timeout of our timer function
+         *  2. if x->replay_maxage has elapsed since last update,
+         *     and there were changes
+         *
+         *  The state structure must be locked!
+         */
+        switch (event) {
+        case XFRM_REPLAY_UPDATE:
+                if (x->replay_maxdiff &&
+                    (replay_esn->seq - preplay_esn->seq < x->replay_maxdiff) &&
+                    (replay_esn->oseq - preplay_esn->oseq < x->replay_maxdiff)) {
+                        if (x->xflags & XFRM_TIME_DEFER)
+                                event = XFRM_REPLAY_TIMEOUT;
+                        else
+                                return;
+                }
+                break;
+        case XFRM_REPLAY_TIMEOUT:
+                if (memcmp(x->replay_esn, x->preplay_esn,
+                           xfrm_replay_state_esn_len(replay_esn)) == 0) {
+                        x->xflags |= XFRM_TIME_DEFER;
+                        return;
+                }
+                break;
+        }
+        memcpy(x->preplay_esn, x->replay_esn,
+               xfrm_replay_state_esn_len(replay_esn));
+        c.event = XFRM_MSG_NEWAE;
+        c.data.aevent = event;
+        km_state_notify(x, &c);
+        if (x->replay_maxage &&
+            !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
+                x->xflags &= ~XFRM_TIME_DEFER;
+}
+static int xfrm_replay_overflow_esn(struct xfrm_state *x, struct sk_buff *skb)
+{
+        int err = 0;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        struct net *net = xs_net(x);
+        if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
+                XFRM_SKB_CB(skb)->seq.output.low = ++replay_esn->oseq;
+                XFRM_SKB_CB(skb)->seq.output.hi = replay_esn->oseq_hi;
+                if (unlikely(replay_esn->oseq == 0)) {
+                        XFRM_SKB_CB(skb)->seq.output.hi = ++replay_esn->oseq_hi;
+                        if (replay_esn->oseq_hi == 0) {
+                                replay_esn->oseq--;
+                                replay_esn->oseq_hi--;
+                                xfrm_audit_state_replay_overflow(x, skb);
+                                err = -EOVERFLOW;
+                                return err;
+                        }
+                }
+                if (xfrm_aevent_is_on(net))
+                        x->repl->notify(x, XFRM_REPLAY_UPDATE);
+        }
+        return err;
+}
+static int xfrm_replay_check_esn(struct xfrm_state *x,
+                                 struct sk_buff *skb, __be32 net_seq)
+{
+        unsigned int bitnr, nr;
+        u32 diff;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        u32 pos;
+        u32 seq = ntohl(net_seq);
+        u32 wsize = replay_esn->replay_window;
+        u32 top = replay_esn->seq;
+        u32 bottom = top - wsize + 1;
+        if (!wsize)
+                return 0;
+        pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+        if (unlikely(seq == 0 && replay_esn->seq_hi == 0 &&
+                     (replay_esn->seq < replay_esn->replay_window - 1)))
+                goto err;
+        diff = top - seq;
+        if (likely(top >= wsize - 1)) {
+                /* A. same subspace */
+                if (likely(seq > top) || seq < bottom)
+                        return 0;
+        } else {
+                /* B. window spans two subspaces */
+                if (likely(seq > top && seq < bottom))
+                        return 0;
+                if (seq >= bottom)
+                        diff = ~seq + top + 1;
+        }
+        if (diff >= replay_esn->replay_window) {
+                x->stats.replay_window++;
+                goto err;
+        }
+        if (pos >= diff) {
+                bitnr = (pos - diff) % replay_esn->replay_window;
+                nr = bitnr >> 5;
+                bitnr = bitnr & 0x1F;
+                if (replay_esn->bmp[nr] & (1U << bitnr))
+                        goto err_replay;
+        } else {
+                bitnr = replay_esn->replay_window - (diff - pos);
+                nr = bitnr >> 5;
+                bitnr = bitnr & 0x1F;
+                if (replay_esn->bmp[nr] & (1U << bitnr))
+                        goto err_replay;
+        }
+        return 0;
+err_replay:
+        x->stats.replay++;
+err:
+        xfrm_audit_state_replay(x, skb, net_seq);
+        return -EINVAL;
+}
+static void xfrm_replay_advance_esn(struct xfrm_state *x, __be32 net_seq)
+{
+        unsigned int bitnr, nr, i;
+        int wrap;
+        u32 diff, pos, seq, seq_hi;
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        if (!replay_esn->replay_window)
+                return;
+        seq = ntohl(net_seq);
+        pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+        seq_hi = xfrm_replay_seqhi(x, net_seq);
+        wrap = seq_hi - replay_esn->seq_hi;
+        if ((!wrap && seq > replay_esn->seq) || wrap > 0) {
+                if (likely(!wrap))
+                        diff = seq - replay_esn->seq;
+                else
+                        diff = ~replay_esn->seq + seq + 1;
+                if (diff < replay_esn->replay_window) {
+                        for (i = 1; i < diff; i++) {
+                                bitnr = (pos + i) % replay_esn->replay_window;
+                                nr = bitnr >> 5;
+                                bitnr = bitnr & 0x1F;
+                                replay_esn->bmp[nr] &=  ~(1U << bitnr);
+                        }
+                        bitnr = (pos + diff) % replay_esn->replay_window;
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                } else {
+                        nr = replay_esn->replay_window >> 5;
+                        for (i = 0; i <= nr; i++)
+                                replay_esn->bmp[i] = 0;
+                        bitnr = (pos + diff) % replay_esn->replay_window;
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                }
+                replay_esn->seq = seq;
+                if (unlikely(wrap > 0))
+                        replay_esn->seq_hi++;
+        } else {
+                diff = replay_esn->seq - seq;
+                if (pos >= diff) {
+                        bitnr = (pos - diff) % replay_esn->replay_window;
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                } else {
+                        bitnr = replay_esn->replay_window - (diff - pos);
+                        nr = bitnr >> 5;
+                        bitnr = bitnr & 0x1F;
+                        replay_esn->bmp[nr] |= (1U << bitnr);
+                }
+        }
+        if (xfrm_aevent_is_on(xs_net(x)))
+                xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
+}
+static struct xfrm_replay xfrm_replay_legacy = {
+        .advance        = xfrm_replay_advance,
+        .check          = xfrm_replay_check,
+        .notify         = xfrm_replay_notify,
+        .overflow       = xfrm_replay_overflow,
+};
+static struct xfrm_replay xfrm_replay_bmp = {
+        .advance        = xfrm_replay_advance_bmp,
+        .check          = xfrm_replay_check_bmp,
+        .notify         = xfrm_replay_notify_bmp,
+        .overflow       = xfrm_replay_overflow_bmp,
+};
+static struct xfrm_replay xfrm_replay_esn = {
+        .advance        = xfrm_replay_advance_esn,
+        .check          = xfrm_replay_check_esn,
+        .notify         = xfrm_replay_notify_bmp,
+        .overflow       = xfrm_replay_overflow_esn,
+};
+int xfrm_init_replay(struct xfrm_state *x)
+{
+        struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
+        if (replay_esn) {
+                if (replay_esn->replay_window >
+                    replay_esn->bmp_len * sizeof(__u32) * 8)
+                        return -EINVAL;
+        if ((x->props.flags & XFRM_STATE_ESN) && replay_esn->replay_window == 0)
+                return -EINVAL;
+        if ((x->props.flags & XFRM_STATE_ESN) && x->replay_esn)
+                x->repl = &xfrm_replay_esn;
+        else
+                x->repl = &xfrm_replay_bmp;
+        } else
+                x->repl = &xfrm_replay_legacy;
+        return 0;
+}
+EXPORT_SYMBOL(xfrm_init_replay);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 220ebc05c7af..d70f85eb7864 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -42,16 +42,9 @@ static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
-#ifdef CONFIG_AUDITSYSCALL
-static void xfrm_audit_state_replay(struct xfrm_state *x,
-                                    struct sk_buff *skb, __be32 net_seq);
-#else
-#define xfrm_audit_state_replay(x, s, sq)       do { ; } while (0)
-#endif /* CONFIG_AUDITSYSCALL */
 static inline unsigned int xfrm_dst_hash(struct net *net,
-                                         xfrm_address_t *daddr,
+                                         const xfrm_address_t *daddr,
-                                         xfrm_address_t *saddr,
+                                         const xfrm_address_t *saddr,
                                         u32 reqid,
                                         unsigned short family)
 {
@@ -59,15 +52,16 @@ static inline unsigned int xfrm_dst_hash(struct net *net,
 }
 static inline unsigned int xfrm_src_hash(struct net *net,
-                                         xfrm_address_t *daddr,
+                                         const xfrm_address_t *daddr,
-                                         xfrm_address_t *saddr,
+                                         const xfrm_address_t *saddr,
                                         unsigned short family)
 {
        return __xfrm_src_hash(daddr, saddr, family, net->xfrm.state_hmask);
 }
 static inline unsigned int
-xfrm_spi_hash(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
+xfrm_spi_hash(struct net *net, const xfrm_address_t *daddr,
+              __be32 spi, u8 proto, unsigned short family)
 {
        return __xfrm_spi_hash(daddr, spi, proto, family, net->xfrm.state_hmask);
 }
@@ -362,6 +356,8 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
        kfree(x->calg);
        kfree(x->encap);
        kfree(x->coaddr);
+        kfree(x->replay_esn);
+        kfree(x->preplay_esn);
        if (x->inner_mode)
                xfrm_put_mode(x->inner_mode);
        if (x->inner_mode_iaf)
@@ -656,9 +652,9 @@ void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si)
 EXPORT_SYMBOL(xfrm_sad_getinfo);
 static int
-xfrm_init_tempstate(struct xfrm_state *x, struct flowi *fl,
+xfrm_init_tempstate(struct xfrm_state *x, const struct flowi *fl,
-                    struct xfrm_tmpl *tmpl,
+                    const struct xfrm_tmpl *tmpl,
-                    xfrm_address_t *daddr, xfrm_address_t *saddr,
+                    const xfrm_address_t *daddr, const xfrm_address_t *saddr,
                    unsigned short family)
 {
        struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
@@ -677,7 +673,10 @@ xfrm_init_tempstate(struct xfrm_state *x, struct flowi *fl,
        return 0;
 }
-static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
+static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark,
+                                              const xfrm_address_t *daddr,
+                                              __be32 spi, u8 proto,
+                                              unsigned short family)
 {
        unsigned int h = xfrm_spi_hash(net, daddr, spi, proto, family);
        struct xfrm_state *x;
@@ -699,7 +698,10 @@ static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark, xfrm_ad
        return NULL;
 }
-static struct xfrm_state *__xfrm_state_lookup_byaddr(struct net *net, u32 mark, xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
+static struct xfrm_state *__xfrm_state_lookup_byaddr(struct net *net, u32 mark,
+                                                     const xfrm_address_t *daddr,
+                                                     const xfrm_address_t *saddr,
+                                                     u8 proto, unsigned short family)
 {
        unsigned int h = xfrm_src_hash(net, daddr, saddr, family);
        struct xfrm_state *x;
@@ -746,8 +748,7 @@ static void xfrm_hash_grow_check(struct net *net, int have_hash_collision)
 }
 static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
-                               struct flowi *fl, unsigned short family,
+                               const struct flowi *fl, unsigned short family,
-                               xfrm_address_t *daddr, xfrm_address_t *saddr,
                               struct xfrm_state **best, int *acq_in_progress,
                               int *error)
 {
@@ -784,8 +785,8 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
 }
 struct xfrm_state *
-xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
+xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
-                struct flowi *fl, struct xfrm_tmpl *tmpl,
+                const struct flowi *fl, struct xfrm_tmpl *tmpl,
                struct xfrm_policy *pol, int *err,
                unsigned short family)
 {
@@ -813,7 +814,7 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
                    tmpl->mode == x->props.mode &&
                    tmpl->id.proto == x->id.proto &&
                    (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
-                        xfrm_state_look_at(pol, x, fl, encap_family, daddr, saddr,
+                        xfrm_state_look_at(pol, x, fl, encap_family,
                                           &best, &acquire_in_progress, &error);
        }
        if (best)
@@ -829,7 +830,7 @@ xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
                    tmpl->mode == x->props.mode &&
                    tmpl->id.proto == x->id.proto &&
                    (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
-                        xfrm_state_look_at(pol, x, fl, encap_family, daddr, saddr,
+                        xfrm_state_look_at(pol, x, fl, encap_family,
                                           &best, &acquire_in_progress, &error);
        }
@@ -853,7 +854,7 @@ found:
                xfrm_init_tempstate(x, fl, tmpl, daddr, saddr, family);
                memcpy(&x->mark, &pol->mark, sizeof(x->mark));
-                error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
+                error = security_xfrm_state_alloc_acquire(x, pol->security, fl->flowi_secid);
                if (error) {
                        x->km.state = XFRM_STATE_DEAD;
                        to_put = x;
@@ -991,7 +992,11 @@ void xfrm_state_insert(struct xfrm_state *x)
 EXPORT_SYMBOL(xfrm_state_insert);
 /* xfrm_state_lock is held */
-static struct xfrm_state *__find_acq_core(struct net *net, struct xfrm_mark *m, unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
+static struct xfrm_state *__find_acq_core(struct net *net, struct xfrm_mark *m,
+                                          unsigned short family, u8 mode,
+                                          u32 reqid, u8 proto,
+                                          const xfrm_address_t *daddr,
+                                          const xfrm_address_t *saddr, int create)
 {
        unsigned int h = xfrm_dst_hash(net, daddr, saddr, reqid, family);
        struct hlist_node *entry;
@@ -1031,15 +1036,15 @@ static struct xfrm_state *__find_acq_core(struct net *net, struct xfrm_mark *m,
                case AF_INET6:
                        ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
-                                       (struct in6_addr *)daddr);
+                                       (const struct in6_addr *)daddr);
                        ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
-                                       (struct in6_addr *)saddr);
+                                       (const struct in6_addr *)saddr);
                        x->sel.prefixlen_d = 128;
                        x->sel.prefixlen_s = 128;
                        ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
-                                       (struct in6_addr *)saddr);
+                                       (const struct in6_addr *)saddr);
                        ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
-                                       (struct in6_addr *)daddr);
+                                       (const struct in6_addr *)daddr);
                        break;
                }
@@ -1176,6 +1181,12 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
                        goto error;
        }
+        if (orig->replay_esn) {
+                err = xfrm_replay_clone(x, orig);
+                if (err)
+                        goto error;
+        }
        memcpy(&x->mark, &orig->mark, sizeof(x->mark));
        err = xfrm_init_state(x);
@@ -1369,7 +1380,7 @@ int xfrm_state_check_expire(struct xfrm_state *x)
 EXPORT_SYMBOL(xfrm_state_check_expire);
 struct xfrm_state *
-xfrm_state_lookup(struct net *net, u32 mark, xfrm_address_t *daddr, __be32 spi,
+xfrm_state_lookup(struct net *net, u32 mark, const xfrm_address_t *daddr, __be32 spi,
                  u8 proto, unsigned short family)
 {
        struct xfrm_state *x;
@@ -1383,7 +1394,7 @@ EXPORT_SYMBOL(xfrm_state_lookup);
 struct xfrm_state *
 xfrm_state_lookup_byaddr(struct net *net, u32 mark,
-                         xfrm_address_t *daddr, xfrm_address_t *saddr,
+                         const xfrm_address_t *daddr, const xfrm_address_t *saddr,
                         u8 proto, unsigned short family)
 {
        struct xfrm_state *x;
@@ -1397,7 +1408,7 @@ EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
 struct xfrm_state *
 xfrm_find_acq(struct net *net, struct xfrm_mark *mark, u8 mode, u32 reqid, u8 proto,
-              xfrm_address_t *daddr, xfrm_address_t *saddr,
+              const xfrm_address_t *daddr, const xfrm_address_t *saddr,
              int create, unsigned short family)
 {
        struct xfrm_state *x;
@@ -1609,54 +1620,6 @@ void xfrm_state_walk_done(struct xfrm_state_walk *walk)
 }
 EXPORT_SYMBOL(xfrm_state_walk_done);
-void xfrm_replay_notify(struct xfrm_state *x, int event)
-{
-        struct km_event c;
-        /* we send notify messages in case
-         *  1. we updated on of the sequence numbers, and the seqno difference
-         *     is at least x->replay_maxdiff, in this case we also update the
-         *     timeout of our timer function
-         *  2. if x->replay_maxage has elapsed since last update,
-         *     and there were changes
-         *
-         *  The state structure must be locked!
-         */
-        switch (event) {
-        case XFRM_REPLAY_UPDATE:
-                if (x->replay_maxdiff &&
-                    (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
-                    (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
-                        if (x->xflags & XFRM_TIME_DEFER)
-                                event = XFRM_REPLAY_TIMEOUT;
-                        else
-                                return;
-                }
-                break;
-        case XFRM_REPLAY_TIMEOUT:
-                if ((x->replay.seq == x->preplay.seq) &&
-                    (x->replay.bitmap == x->preplay.bitmap) &&
-                    (x->replay.oseq == x->preplay.oseq)) {
-                        x->xflags |= XFRM_TIME_DEFER;
-                        return;
-                }
-                break;
-        }
-        memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
-        c.event = XFRM_MSG_NEWAE;
-        c.data.aevent = event;
-        km_state_notify(x, &c);
-        if (x->replay_maxage &&
-            !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
-                x->xflags &= ~XFRM_TIME_DEFER;
-}
 static void xfrm_replay_timer_handler(unsigned long data)
 {
        struct xfrm_state *x = (struct xfrm_state*)data;
@@ -1665,7 +1628,7 @@ static void xfrm_replay_timer_handler(unsigned long data)
        if (x->km.state == XFRM_STATE_VALID) {
                if (xfrm_aevent_is_on(xs_net(x)))
-                        xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
+                        x->repl->notify(x, XFRM_REPLAY_TIMEOUT);
                else
                        x->xflags |= XFRM_TIME_DEFER;
        }
@@ -1673,61 +1636,10 @@ static void xfrm_replay_timer_handler(unsigned long data)
        spin_unlock(&x->lock);
 }
-int xfrm_replay_check(struct xfrm_state *x,
-                      struct sk_buff *skb, __be32 net_seq)
-{
-        u32 diff;
-        u32 seq = ntohl(net_seq);
-        if (unlikely(seq == 0))
-                goto err;
-        if (likely(seq > x->replay.seq))
-                return 0;
-        diff = x->replay.seq - seq;
-        if (diff >= min_t(unsigned int, x->props.replay_window,
-                          sizeof(x->replay.bitmap) * 8)) {
-                x->stats.replay_window++;
-                goto err;
-        }
-        if (x->replay.bitmap & (1U << diff)) {
-                x->stats.replay++;
-                goto err;
-        }
-        return 0;
-err:
-        xfrm_audit_state_replay(x, skb, net_seq);
-        return -EINVAL;
-}
-void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
-{
-        u32 diff;
-        u32 seq = ntohl(net_seq);
-        if (seq > x->replay.seq) {
-                diff = seq - x->replay.seq;
-                if (diff < x->props.replay_window)
-                        x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
-                else
-                        x->replay.bitmap = 1;
-                x->replay.seq = seq;
-        } else {
-                diff = x->replay.seq - seq;
-                x->replay.bitmap |= (1U << diff);
-        }
-        if (xfrm_aevent_is_on(xs_net(x)))
-                xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
-}
 static LIST_HEAD(xfrm_km_list);
 static DEFINE_RWLOCK(xfrm_km_lock);
-void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
+void km_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
        struct xfrm_mgr *km;
@@ -1738,7 +1650,7 @@ void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
        read_unlock(&xfrm_km_lock);
 }
-void km_state_notify(struct xfrm_state *x, struct km_event *c)
+void km_state_notify(struct xfrm_state *x, const struct km_event *c)
 {
        struct xfrm_mgr *km;
        read_lock(&xfrm_km_lock);
@@ -1819,9 +1731,9 @@ void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
 EXPORT_SYMBOL(km_policy_expired);
 #ifdef CONFIG_XFRM_MIGRATE
-int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
+int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
-               struct xfrm_migrate *m, int num_migrate,
+               const struct xfrm_migrate *m, int num_migrate,
-               struct xfrm_kmaddress *k)
+               const struct xfrm_kmaddress *k)
 {
        int err = -EINVAL;
        int ret;
@@ -2001,7 +1913,7 @@ int xfrm_state_mtu(struct xfrm_state *x, int mtu)
        return res;
 }
-int xfrm_init_state(struct xfrm_state *x)
+int __xfrm_init_state(struct xfrm_state *x, bool init_replay)
 {
        struct xfrm_state_afinfo *afinfo;
        struct xfrm_mode *inner_mode;
@@ -2074,12 +1986,25 @@ int xfrm_init_state(struct xfrm_state *x)
        if (x->outer_mode == NULL)
                goto error;
+        if (init_replay) {
+                err = xfrm_init_replay(x);
+                if (err)
+                        goto error;
+        }
        x->km.state = XFRM_STATE_VALID;
 error:
        return err;
 }
+EXPORT_SYMBOL(__xfrm_init_state);
+int xfrm_init_state(struct xfrm_state *x)
+{
+        return __xfrm_init_state(x, true);
+}
 EXPORT_SYMBOL(xfrm_init_state);
 int __net_init xfrm_state_init(struct net *net)
@@ -2167,8 +2092,8 @@ static void xfrm_audit_helper_sainfo(struct xfrm_state *x,
 static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
                                      struct audit_buffer *audit_buf)
 {
-        struct iphdr *iph4;
+        const struct iphdr *iph4;
-        struct ipv6hdr *iph6;
+        const struct ipv6hdr *iph6;
        switch (family) {
        case AF_INET:
@@ -2236,7 +2161,7 @@ void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
 }
 EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
-static void xfrm_audit_state_replay(struct xfrm_state *x,
+void xfrm_audit_state_replay(struct xfrm_state *x,
                             struct sk_buff *skb, __be32 net_seq)
 {
        struct audit_buffer *audit_buf;
@@ -2251,6 +2176,7 @@ static void xfrm_audit_state_replay(struct xfrm_state *x,
                         spi, spi, ntohl(net_seq));
        audit_log_end(audit_buf);
 }
+EXPORT_SYMBOL_GPL(xfrm_audit_state_replay);
 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
 {
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 61291965c5f6..c658cb3bc7c3 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -119,6 +119,25 @@ static inline int verify_sec_ctx_len(struct nlattr **attrs)
        return 0;
 }
+static inline int verify_replay(struct xfrm_usersa_info *p,
+                                struct nlattr **attrs)
+{
+        struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
+        if ((p->flags & XFRM_STATE_ESN) && !rt)
+                return -EINVAL;
+        if (!rt)
+                return 0;
+        if (p->id.proto != IPPROTO_ESP)
+                return -EINVAL;
+        if (p->replay_window != 0)
+                return -EINVAL;
+        return 0;
+}
 static int verify_newsa_info(struct xfrm_usersa_info *p,
                             struct nlattr **attrs)
@@ -214,6 +233,8 @@ static int verify_newsa_info(struct xfrm_usersa_info *p,
                goto out;
        if ((err = verify_sec_ctx_len(attrs)))
                goto out;
+        if ((err = verify_replay(p, attrs)))
+                goto out;
        err = -EINVAL;
        switch (p->mode) {
@@ -234,7 +255,7 @@ out:
 }
 static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
-                           struct xfrm_algo_desc *(*get_byname)(char *, int),
+                           struct xfrm_algo_desc *(*get_byname)(const char *, int),
                           struct nlattr *rta)
 {
        struct xfrm_algo *p, *ualg;
@@ -345,6 +366,50 @@ static int attach_aead(struct xfrm_algo_aead **algpp, u8 *props,
        return 0;
 }
+static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn,
+                                         struct nlattr *rp)
+{
+        struct xfrm_replay_state_esn *up;
+        if (!replay_esn || !rp)
+                return 0;
+        up = nla_data(rp);
+        if (xfrm_replay_state_esn_len(replay_esn) !=
+                        xfrm_replay_state_esn_len(up))
+                return -EINVAL;
+        return 0;
+}
+static int xfrm_alloc_replay_state_esn(struct xfrm_replay_state_esn **replay_esn,
+                                       struct xfrm_replay_state_esn **preplay_esn,
+                                       struct nlattr *rta)
+{
+        struct xfrm_replay_state_esn *p, *pp, *up;
+        if (!rta)
+                return 0;
+        up = nla_data(rta);
+        p = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL);
+        if (!p)
+                return -ENOMEM;
+        pp = kmemdup(up, xfrm_replay_state_esn_len(up), GFP_KERNEL);
+        if (!pp) {
+                kfree(p);
+                return -ENOMEM;
+        }
+        *replay_esn = p;
+        *preplay_esn = pp;
+        return 0;
+}
 static inline int xfrm_user_sec_ctx_size(struct xfrm_sec_ctx *xfrm_ctx)
 {
        int len = 0;
@@ -380,10 +445,20 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
 static void xfrm_update_ae_params(struct xfrm_state *x, struct nlattr **attrs)
 {
        struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
+        struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL];
        struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
        struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
        struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
+        if (re) {
+                struct xfrm_replay_state_esn *replay_esn;
+                replay_esn = nla_data(re);
+                memcpy(x->replay_esn, replay_esn,
+                       xfrm_replay_state_esn_len(replay_esn));
+                memcpy(x->preplay_esn, replay_esn,
+                       xfrm_replay_state_esn_len(replay_esn));
+        }
        if (rp) {
                struct xfrm_replay_state *replay;
                replay = nla_data(rp);
@@ -459,7 +534,7 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
        xfrm_mark_get(attrs, &x->mark);
-        err = xfrm_init_state(x);
+        err = __xfrm_init_state(x, false);
        if (err)
                goto error;
@@ -467,16 +542,19 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
            security_xfrm_state_alloc(x, nla_data(attrs[XFRMA_SEC_CTX])))
                goto error;
+        if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,
+                                               attrs[XFRMA_REPLAY_ESN_VAL])))
+                goto error;
        x->km.seq = p->seq;
        x->replay_maxdiff = net->xfrm.sysctl_aevent_rseqth;
        /* sysctl_xfrm_aevent_etime is in 100ms units */
        x->replay_maxage = (net->xfrm.sysctl_aevent_etime*HZ)/XFRM_AE_ETH_M;
-        x->preplay.bitmap = 0;
-        x->preplay.seq = x->replay.seq+x->replay_maxdiff;
-        x->preplay.oseq = x->replay.oseq +x->replay_maxdiff;
-        /* override default values from above */
+        if ((err = xfrm_init_replay(x)))
+                goto error;
+        /* override default values from above */
        xfrm_update_ae_params(x, attrs);
        return x;
@@ -497,9 +575,9 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct xfrm_state *x;
        int err;
        struct km_event c;
-        uid_t loginuid = NETLINK_CB(skb).loginuid;
+        uid_t loginuid = audit_get_loginuid(current);
-        u32 sessionid = NETLINK_CB(skb).sessionid;
+        u32 sessionid = audit_get_sessionid(current);
-        u32 sid = NETLINK_CB(skb).sid;
+        u32 sid;
        err = verify_newsa_info(p, attrs);
        if (err)
@@ -515,6 +593,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        else
                err = xfrm_state_update(x);
+        security_task_getsecid(current, &sid);
        xfrm_audit_state_add(x, err ? 0 : 1, loginuid, sessionid, sid);
        if (err < 0) {
@@ -575,9 +654,9 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        int err = -ESRCH;
        struct km_event c;
        struct xfrm_usersa_id *p = nlmsg_data(nlh);
-        uid_t loginuid = NETLINK_CB(skb).loginuid;
+        uid_t loginuid = audit_get_loginuid(current);
-        u32 sessionid = NETLINK_CB(skb).sessionid;
+        u32 sessionid = audit_get_sessionid(current);
-        u32 sid = NETLINK_CB(skb).sid;
+        u32 sid;
        x = xfrm_user_state_lookup(net, p, attrs, &err);
        if (x == NULL)
@@ -602,6 +681,7 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        km_state_notify(x, &c);
 out:
+        security_task_getsecid(current, &sid);
        xfrm_audit_state_delete(x, err ? 0 : 1, loginuid, sessionid, sid);
        xfrm_state_put(x);
        return err;
@@ -705,6 +785,10 @@ static int copy_to_user_state_extra(struct xfrm_state *x,
        if (xfrm_mark_put(skb, &x->mark))
                goto nla_put_failure;
+        if (x->replay_esn)
+                NLA_PUT(skb, XFRMA_REPLAY_ESN_VAL,
+                        xfrm_replay_state_esn_len(x->replay_esn), x->replay_esn);
        if (x->security && copy_sec_ctx(x->security, skb) < 0)
                goto nla_put_failure;
@@ -813,7 +897,7 @@ static int build_spdinfo(struct sk_buff *skb, struct net *net,
        u32 *f;
        nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSPDINFO, sizeof(u32), 0);
-        if (nlh == NULL) /* shouldnt really happen ... */
+        if (nlh == NULL) /* shouldn't really happen ... */
                return -EMSGSIZE;
        f = nlmsg_data(nlh);
@@ -873,7 +957,7 @@ static int build_sadinfo(struct sk_buff *skb, struct net *net,
        u32 *f;
        nlh = nlmsg_put(skb, pid, seq, XFRM_MSG_NEWSADINFO, sizeof(u32), 0);
-        if (nlh == NULL) /* shouldnt really happen ... */
+        if (nlh == NULL) /* shouldn't really happen ... */
                return -EMSGSIZE;
        f = nlmsg_data(nlh);
@@ -1265,9 +1349,9 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct km_event c;
        int err;
        int excl;
-        uid_t loginuid = NETLINK_CB(skb).loginuid;
+        uid_t loginuid = audit_get_loginuid(current);
-        u32 sessionid = NETLINK_CB(skb).sessionid;
+        u32 sessionid = audit_get_sessionid(current);
-        u32 sid = NETLINK_CB(skb).sid;
+        u32 sid;
        err = verify_newpolicy_info(p);
        if (err)
@@ -1280,12 +1364,13 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (!xp)
                return err;
-        /* shouldnt excl be based on nlh flags??
+        /* shouldn't excl be based on nlh flags??
         * Aha! this is anti-netlink really i.e  more pfkey derived
         * in netlink excl is a flag and you wouldnt need
         * a type XFRM_MSG_UPDPOLICY - JHS */
        excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
        err = xfrm_policy_insert(p->dir, xp, excl);
+        security_task_getsecid(current, &sid);
        xfrm_audit_policy_add(xp, err ? 0 : 1, loginuid, sessionid, sid);
        if (err) {
@@ -1522,10 +1607,11 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
                                            NETLINK_CB(skb).pid);
                }
        } else {
-                uid_t loginuid = NETLINK_CB(skb).loginuid;
+                uid_t loginuid = audit_get_loginuid(current);
-                u32 sessionid = NETLINK_CB(skb).sessionid;
+                u32 sessionid = audit_get_sessionid(current);
-                u32 sid = NETLINK_CB(skb).sid;
+                u32 sid;
+                security_task_getsecid(current, &sid);
                xfrm_audit_policy_delete(xp, err ? 0 : 1, loginuid, sessionid,
                                         sid);
@@ -1553,9 +1639,9 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct xfrm_audit audit_info;
        int err;
-        audit_info.loginuid = NETLINK_CB(skb).loginuid;
+        audit_info.loginuid = audit_get_loginuid(current);
-        audit_info.sessionid = NETLINK_CB(skb).sessionid;
+        audit_info.sessionid = audit_get_sessionid(current);
-        audit_info.secid = NETLINK_CB(skb).sid;
+        security_task_getsecid(current, &audit_info.secid);
        err = xfrm_state_flush(net, p->proto, &audit_info);
        if (err) {
                if (err == -ESRCH) /* empty table */
@@ -1572,17 +1658,21 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        return 0;
 }
-static inline size_t xfrm_aevent_msgsize(void)
+static inline size_t xfrm_aevent_msgsize(struct xfrm_state *x)
 {
+        size_t replay_size = x->replay_esn ?
+                              xfrm_replay_state_esn_len(x->replay_esn) :
+                              sizeof(struct xfrm_replay_state);
        return NLMSG_ALIGN(sizeof(struct xfrm_aevent_id))
-               + nla_total_size(sizeof(struct xfrm_replay_state))
+               + nla_total_size(replay_size)
               + nla_total_size(sizeof(struct xfrm_lifetime_cur))
               + nla_total_size(sizeof(struct xfrm_mark))
               + nla_total_size(4) /* XFRM_AE_RTHR */
               + nla_total_size(4); /* XFRM_AE_ETHR */
 }
-static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, struct km_event *c)
+static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c)
 {
        struct xfrm_aevent_id *id;
        struct nlmsghdr *nlh;
@@ -1600,7 +1690,13 @@ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, struct km_eve
        id->reqid = x->props.reqid;
        id->flags = c->data.aevent;
-        NLA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay);
+        if (x->replay_esn)
+                NLA_PUT(skb, XFRMA_REPLAY_ESN_VAL,
+                        xfrm_replay_state_esn_len(x->replay_esn),
+                        x->replay_esn);
+        else
+                NLA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay);
        NLA_PUT(skb, XFRMA_LTIME_VAL, sizeof(x->curlft), &x->curlft);
        if (id->flags & XFRM_AE_RTHR)
@@ -1633,16 +1729,16 @@ static int xfrm_get_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct xfrm_aevent_id *p = nlmsg_data(nlh);
        struct xfrm_usersa_id *id = &p->sa_id;
-        r_skb = nlmsg_new(xfrm_aevent_msgsize(), GFP_ATOMIC);
-        if (r_skb == NULL)
-                return -ENOMEM;
        mark = xfrm_mark_get(attrs, &m);
        x = xfrm_state_lookup(net, mark, &id->daddr, id->spi, id->proto, id->family);
-        if (x == NULL) {
+        if (x == NULL)
-                kfree_skb(r_skb);
                return -ESRCH;
+        r_skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC);
+        if (r_skb == NULL) {
+                xfrm_state_put(x);
+                return -ENOMEM;
        }
        /*
@@ -1674,9 +1770,10 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct xfrm_mark m;
        struct xfrm_aevent_id *p = nlmsg_data(nlh);
        struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
+        struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL];
        struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
-        if (!lt && !rp)
+        if (!lt && !rp && !re)
                return err;
        /* pedantic mode - thou shalt sayeth replaceth */
@@ -1692,6 +1789,10 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (x->km.state != XFRM_STATE_VALID)
                goto out;
+        err = xfrm_replay_verify_len(x->replay_esn, rp);
+        if (err)
+                goto out;
        spin_lock_bh(&x->lock);
        xfrm_update_ae_params(x, attrs);
        spin_unlock_bh(&x->lock);
@@ -1720,9 +1821,9 @@ static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (err)
                return err;
-        audit_info.loginuid = NETLINK_CB(skb).loginuid;
+        audit_info.loginuid = audit_get_loginuid(current);
-        audit_info.sessionid = NETLINK_CB(skb).sessionid;
+        audit_info.sessionid = audit_get_sessionid(current);
-        audit_info.secid = NETLINK_CB(skb).sid;
+        security_task_getsecid(current, &audit_info.secid);
        err = xfrm_policy_flush(net, type, &audit_info);
        if (err) {
                if (err == -ESRCH) /* empty table */
@@ -1789,9 +1890,11 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
        err = 0;
        if (up->hard) {
-                uid_t loginuid = NETLINK_CB(skb).loginuid;
+                uid_t loginuid = audit_get_loginuid(current);
-                uid_t sessionid = NETLINK_CB(skb).sessionid;
+                u32 sessionid = audit_get_sessionid(current);
-                u32 sid = NETLINK_CB(skb).sid;
+                u32 sid;
+                security_task_getsecid(current, &sid);
                xfrm_policy_delete(xp, p->dir);
                xfrm_audit_policy_delete(xp, 1, loginuid, sessionid, sid);
@@ -1830,9 +1933,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
        km_state_expired(x, ue->hard, current->pid);
        if (ue->hard) {
-                uid_t loginuid = NETLINK_CB(skb).loginuid;
+                uid_t loginuid = audit_get_loginuid(current);
-                uid_t sessionid = NETLINK_CB(skb).sessionid;
+                u32 sessionid = audit_get_sessionid(current);
-                u32 sid = NETLINK_CB(skb).sid;
+                u32 sid;
+                security_task_getsecid(current, &sid);
                __xfrm_state_delete(x);
                xfrm_audit_state_delete(x, 1, loginuid, sessionid, sid);
        }
@@ -1986,7 +2091,7 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
 #endif
 #ifdef CONFIG_XFRM_MIGRATE
-static int copy_to_user_migrate(struct xfrm_migrate *m, struct sk_buff *skb)
+static int copy_to_user_migrate(const struct xfrm_migrate *m, struct sk_buff *skb)
 {
        struct xfrm_user_migrate um;
@@ -2004,7 +2109,7 @@ static int copy_to_user_migrate(struct xfrm_migrate *m, struct sk_buff *skb)
        return nla_put(skb, XFRMA_MIGRATE, sizeof(um), &um);
 }
-static int copy_to_user_kmaddress(struct xfrm_kmaddress *k, struct sk_buff *skb)
+static int copy_to_user_kmaddress(const struct xfrm_kmaddress *k, struct sk_buff *skb)
 {
        struct xfrm_user_kmaddress uk;
@@ -2025,11 +2130,11 @@ static inline size_t xfrm_migrate_msgsize(int num_migrate, int with_kma)
              + userpolicy_type_attrsize();
 }
-static int build_migrate(struct sk_buff *skb, struct xfrm_migrate *m,
+static int build_migrate(struct sk_buff *skb, const struct xfrm_migrate *m,
-                         int num_migrate, struct xfrm_kmaddress *k,
+                         int num_migrate, const struct xfrm_kmaddress *k,
-                         struct xfrm_selector *sel, u8 dir, u8 type)
+                         const struct xfrm_selector *sel, u8 dir, u8 type)
 {
-        struct xfrm_migrate *mp;
+        const struct xfrm_migrate *mp;
        struct xfrm_userpolicy_id *pol_id;
        struct nlmsghdr *nlh;
        int i;
@@ -2061,9 +2166,9 @@ nlmsg_failure:
        return -EMSGSIZE;
 }
-static int xfrm_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
+static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
-                             struct xfrm_migrate *m, int num_migrate,
+                             const struct xfrm_migrate *m, int num_migrate,
-                             struct xfrm_kmaddress *k)
+                             const struct xfrm_kmaddress *k)
 {
        struct net *net = &init_net;
        struct sk_buff *skb;
@@ -2079,9 +2184,9 @@ static int xfrm_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_MIGRATE, GFP_ATOMIC);
 }
 #else
-static int xfrm_send_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
+static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
-                             struct xfrm_migrate *m, int num_migrate,
+                             const struct xfrm_migrate *m, int num_migrate,
-                             struct xfrm_kmaddress *k)
+                             const struct xfrm_kmaddress *k)
 {
        return -ENOPROTOOPT;
 }
@@ -2137,6 +2242,7 @@ static const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
        [XFRMA_KMADDRESS]       = { .len = sizeof(struct xfrm_user_kmaddress) },
        [XFRMA_MARK]            = { .len = sizeof(struct xfrm_mark) },
        [XFRMA_TFCPAD]          = { .type = NLA_U32 },
+        [XFRMA_REPLAY_ESN_VAL]  = { .len = sizeof(struct xfrm_replay_state_esn) },
 };
 static struct xfrm_link {
@@ -2220,7 +2326,7 @@ static inline size_t xfrm_expire_msgsize(void)
               + nla_total_size(sizeof(struct xfrm_mark));
 }
-static int build_expire(struct sk_buff *skb, struct xfrm_state *x, struct km_event *c)
+static int build_expire(struct sk_buff *skb, struct xfrm_state *x, const struct km_event *c)
 {
        struct xfrm_user_expire *ue;
        struct nlmsghdr *nlh;
@@ -2242,7 +2348,7 @@ nla_put_failure:
        return -EMSGSIZE;
 }
-static int xfrm_exp_state_notify(struct xfrm_state *x, struct km_event *c)
+static int xfrm_exp_state_notify(struct xfrm_state *x, const struct km_event *c)
 {
        struct net *net = xs_net(x);
        struct sk_buff *skb;
@@ -2259,12 +2365,12 @@ static int xfrm_exp_state_notify(struct xfrm_state *x, struct km_event *c)
        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC);
 }
-static int xfrm_aevent_state_notify(struct xfrm_state *x, struct km_event *c)
+static int xfrm_aevent_state_notify(struct xfrm_state *x, const struct km_event *c)
 {
        struct net *net = xs_net(x);
        struct sk_buff *skb;
-        skb = nlmsg_new(xfrm_aevent_msgsize(), GFP_ATOMIC);
+        skb = nlmsg_new(xfrm_aevent_msgsize(x), GFP_ATOMIC);
        if (skb == NULL)
                return -ENOMEM;
@@ -2274,7 +2380,7 @@ static int xfrm_aevent_state_notify(struct xfrm_state *x, struct km_event *c)
        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_AEVENTS, GFP_ATOMIC);
 }
-static int xfrm_notify_sa_flush(struct km_event *c)
+static int xfrm_notify_sa_flush(const struct km_event *c)
 {
        struct net *net = c->net;
        struct xfrm_usersa_flush *p;
@@ -2318,6 +2424,8 @@ static inline size_t xfrm_sa_len(struct xfrm_state *x)
                l += nla_total_size(sizeof(*x->encap));
        if (x->tfcpad)
                l += nla_total_size(sizeof(x->tfcpad));
+        if (x->replay_esn)
+                l += nla_total_size(xfrm_replay_state_esn_len(x->replay_esn));
        if (x->security)
                l += nla_total_size(sizeof(struct xfrm_user_sec_ctx) +
                                    x->security->ctx_len);
@@ -2330,7 +2438,7 @@ static inline size_t xfrm_sa_len(struct xfrm_state *x)
        return l;
 }
-static int xfrm_notify_sa(struct xfrm_state *x, struct km_event *c)
+static int xfrm_notify_sa(struct xfrm_state *x, const struct km_event *c)
 {
        struct net *net = xs_net(x);
        struct xfrm_usersa_info *p;
@@ -2387,7 +2495,7 @@ nla_put_failure:
        return -1;
 }
-static int xfrm_send_state_notify(struct xfrm_state *x, struct km_event *c)
+static int xfrm_send_state_notify(struct xfrm_state *x, const struct km_event *c)
 {
        switch (c->event) {
@@ -2546,7 +2654,7 @@ static inline size_t xfrm_polexpire_msgsize(struct xfrm_policy *xp)
 }
 static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp,
-                           int dir, struct km_event *c)
+                           int dir, const struct km_event *c)
 {
        struct xfrm_user_polexpire *upe;
        struct nlmsghdr *nlh;
@@ -2576,7 +2684,7 @@ nlmsg_failure:
        return -EMSGSIZE;
 }
-static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
+static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
        struct net *net = xp_net(xp);
        struct sk_buff *skb;
@@ -2591,7 +2699,7 @@ static int xfrm_exp_policy_notify(struct xfrm_policy *xp, int dir, struct km_eve
        return nlmsg_multicast(net->xfrm.nlsk, skb, 0, XFRMNLGRP_EXPIRE, GFP_ATOMIC);
 }
-static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, struct km_event *c)
+static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
        struct net *net = xp_net(xp);
        struct xfrm_userpolicy_info *p;
@@ -2656,7 +2764,7 @@ nlmsg_failure:
        return -1;
 }
-static int xfrm_notify_policy_flush(struct km_event *c)
+static int xfrm_notify_policy_flush(const struct km_event *c)
 {
        struct net *net = c->net;
        struct nlmsghdr *nlh;
@@ -2681,7 +2789,7 @@ nlmsg_failure:
        return -1;
 }
-static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
+static int xfrm_send_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
 {
        switch (c->event) {