100 files changed, 893 insertions, 419 deletions
diff --git a/net/Makefile b/net/Makefile
index a3330ebe2c53..a51d9465e628 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -19,9 +19,7 @@ obj-$(CONFIG_NETFILTER)		+= netfilter/
 obj-$(CONFIG_INET)              += ipv4/
 obj-$(CONFIG_XFRM)              += xfrm/
 obj-$(CONFIG_UNIX)              += unix/
-ifneq ($(CONFIG_IPV6),)
+obj-$(CONFIG_NET)               += ipv6/
-obj-y                           += ipv6/
-endif
 obj-$(CONFIG_PACKET)            += packet/
 obj-$(CONFIG_NET_KEY)           += key/
 obj-$(CONFIG_BRIDGE)            += bridge/
diff --git a/net/batman-adv/unicast.c b/net/batman-adv/unicast.c
index ee41fef04b21..d1a611322549 100644
--- a/net/batman-adv/unicast.c
+++ b/net/batman-adv/unicast.c
@@ -50,12 +50,12 @@ static struct sk_buff *frag_merge_packet(struct list_head *head,
                skb = tfp->skb;
        }
+        if (skb_linearize(skb) < 0 || skb_linearize(tmp_skb) < 0)
+                goto err;
        skb_pull(tmp_skb, sizeof(struct unicast_frag_packet));
-        if (pskb_expand_head(skb, 0, tmp_skb->len, GFP_ATOMIC) < 0) {
+        if (pskb_expand_head(skb, 0, tmp_skb->len, GFP_ATOMIC) < 0)
-                /* free buffered skb, skb will be freed later */
+                goto err;
-                kfree_skb(tfp->skb);
-                return NULL;
-        }
        /* move free entry to end */
        tfp->skb = NULL;
@@ -70,6 +70,11 @@ static struct sk_buff *frag_merge_packet(struct list_head *head,
        unicast_packet->packet_type = BAT_UNICAST;
        return skb;
+err:
+        /* free buffered skb, skb will be freed later */
+        kfree_skb(tfp->skb);
+        return NULL;
 }
 static void frag_create_entry(struct list_head *head, struct sk_buff *skb)
diff --git a/net/batman-adv/vis.c b/net/batman-adv/vis.c
index cd4c4231fa48..de1022cacaf7 100644
--- a/net/batman-adv/vis.c
+++ b/net/batman-adv/vis.c
@@ -64,6 +64,7 @@ static void free_info(struct kref *ref)
        spin_unlock_bh(&bat_priv->vis_list_lock);
        kfree_skb(info->skb_packet);
+        kfree(info);
 }
 /* Compare two vis packets, used by the hashing algorithm */
@@ -268,10 +269,10 @@ int vis_seq_print_text(struct seq_file *seq, void *offset)
                                buff_pos += sprintf(buff + buff_pos, "%pM,",
                                                entry->addr);
-                                for (i = 0; i < packet->entries; i++)
+                                for (j = 0; j < packet->entries; j++)
                                        buff_pos += vis_data_read_entry(
                                                        buff + buff_pos,
-                                                        &entries[i],
+                                                        &entries[j],
                                                        entry->addr,
                                                        entry->primary);
@@ -444,7 +445,7 @@ static struct vis_info *add_packet(struct bat_priv *bat_priv,
                              info);
        if (hash_added < 0) {
                /* did not work (for some reason) */
-                kref_put(&old_info->refcount, free_info);
+                kref_put(&info->refcount, free_info);
                info = NULL;
        }
@@ -815,7 +816,7 @@ static void send_vis_packets(struct work_struct *work)
                container_of(work, struct delayed_work, work);
        struct bat_priv *bat_priv =
                container_of(delayed_work, struct bat_priv, vis_work);
-        struct vis_info *info, *temp;
+        struct vis_info *info;
        spin_lock_bh(&bat_priv->vis_hash_lock);
        purge_vis_packets(bat_priv);
@@ -825,8 +826,9 @@ static void send_vis_packets(struct work_struct *work)
                send_list_add(bat_priv, bat_priv->my_vis_info);
        }
-        list_for_each_entry_safe(info, temp, &bat_priv->vis_send_list,
+        while (!list_empty(&bat_priv->vis_send_list)) {
-                                 send_list) {
+                info = list_first_entry(&bat_priv->vis_send_list,
+                                        typeof(*info), send_list);
                kref_get(&info->refcount);
                spin_unlock_bh(&bat_priv->vis_hash_lock);
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 6b90a4191734..99cd8d9d891b 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -379,14 +379,10 @@ struct hci_conn *hci_connect(struct hci_dev *hdev, int type, bdaddr_t *dst, __u8
        hci_conn_hold(acl);
        if (acl->state == BT_OPEN || acl->state == BT_CLOSED) {
-                acl->sec_level = sec_level;
+                acl->sec_level = BT_SECURITY_LOW;
+                acl->pending_sec_level = sec_level;
                acl->auth_type = auth_type;
                hci_acl_connect(acl);
-        } else {
-                if (acl->sec_level < sec_level)
-                        acl->sec_level = sec_level;
-                if (acl->auth_type < auth_type)
-                        acl->auth_type = auth_type;
        }
        if (type == ACL_LINK)
@@ -442,11 +438,17 @@ static int hci_conn_auth(struct hci_conn *conn, __u8 sec_level, __u8 auth_type)
 {
        BT_DBG("conn %p", conn);
+        if (conn->pending_sec_level > sec_level)
+                sec_level = conn->pending_sec_level;
        if (sec_level > conn->sec_level)
-                conn->sec_level = sec_level;
+                conn->pending_sec_level = sec_level;
        else if (conn->link_mode & HCI_LM_AUTH)
                return 1;
+        /* Make sure we preserve an existing MITM requirement*/
+        auth_type |= (conn->auth_type & 0x01);
        conn->auth_type = auth_type;
        if (!test_and_set_bit(HCI_CONN_AUTH_PEND, &conn->pend)) {
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 8b602d881fd7..9c4541bc488a 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1011,6 +1011,10 @@ int hci_unregister_dev(struct hci_dev *hdev)
        destroy_workqueue(hdev->workqueue);
+        hci_dev_lock_bh(hdev);
+        hci_blacklist_clear(hdev);
+        hci_dev_unlock_bh(hdev);
        __hci_dev_put(hdev);
        return 0;
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 38100170d380..a290854fdaa6 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -692,13 +692,13 @@ static int hci_outgoing_auth_needed(struct hci_dev *hdev,
        if (conn->state != BT_CONFIG || !conn->out)
                return 0;
-        if (conn->sec_level == BT_SECURITY_SDP)
+        if (conn->pending_sec_level == BT_SECURITY_SDP)
                return 0;
        /* Only request authentication for SSP connections or non-SSP
         * devices with sec_level HIGH */
        if (!(hdev->ssp_mode > 0 && conn->ssp_mode > 0) &&
-                                        conn->sec_level != BT_SECURITY_HIGH)
+                                conn->pending_sec_level != BT_SECURITY_HIGH)
                return 0;
        return 1;
@@ -1095,9 +1095,10 @@ static inline void hci_auth_complete_evt(struct hci_dev *hdev, struct sk_buff *s
        conn = hci_conn_hash_lookup_handle(hdev, __le16_to_cpu(ev->handle));
        if (conn) {
-                if (!ev->status)
+                if (!ev->status) {
                        conn->link_mode |= HCI_LM_AUTH;
-                else
+                        conn->sec_level = conn->pending_sec_level;
+                } else
                        conn->sec_level = BT_SECURITY_LOW;
                clear_bit(HCI_CONN_AUTH_PEND, &conn->pend);
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index c791fcda7b2d..675614e38e14 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -305,33 +305,44 @@ static void l2cap_chan_del(struct sock *sk, int err)
        }
 }
-/* Service level security */
+static inline u8 l2cap_get_auth_type(struct sock *sk)
-static inline int l2cap_check_security(struct sock *sk)
 {
-        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
+        if (sk->sk_type == SOCK_RAW) {
-        __u8 auth_type;
+                switch (l2cap_pi(sk)->sec_level) {
+                case BT_SECURITY_HIGH:
+                        return HCI_AT_DEDICATED_BONDING_MITM;
+                case BT_SECURITY_MEDIUM:
+                        return HCI_AT_DEDICATED_BONDING;
+                default:
+                        return HCI_AT_NO_BONDING;
+                }
+        } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
+                if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
+                        l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
-        if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
                if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
-                        auth_type = HCI_AT_NO_BONDING_MITM;
+                        return HCI_AT_NO_BONDING_MITM;
                else
-                        auth_type = HCI_AT_NO_BONDING;
+                        return HCI_AT_NO_BONDING;
-                if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
-                        l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
        } else {
                switch (l2cap_pi(sk)->sec_level) {
                case BT_SECURITY_HIGH:
-                        auth_type = HCI_AT_GENERAL_BONDING_MITM;
+                        return HCI_AT_GENERAL_BONDING_MITM;
-                        break;
                case BT_SECURITY_MEDIUM:
-                        auth_type = HCI_AT_GENERAL_BONDING;
+                        return HCI_AT_GENERAL_BONDING;
-                        break;
                default:
-                        auth_type = HCI_AT_NO_BONDING;
+                        return HCI_AT_NO_BONDING;
-                        break;
                }
        }
+}
+/* Service level security */
+static inline int l2cap_check_security(struct sock *sk)
+{
+        struct l2cap_conn *conn = l2cap_pi(sk)->conn;
+        __u8 auth_type;
+        auth_type = l2cap_get_auth_type(sk);
        return hci_conn_security(conn->hcon, l2cap_pi(sk)->sec_level,
                                                                auth_type);
@@ -848,6 +859,7 @@ static void __l2cap_sock_close(struct sock *sk, int reason)
                                result = L2CAP_CR_SEC_BLOCK;
                        else
                                result = L2CAP_CR_BAD_PSM;
+                        sk->sk_state = BT_DISCONN;
                        rsp.scid   = cpu_to_le16(l2cap_pi(sk)->dcid);
                        rsp.dcid   = cpu_to_le16(l2cap_pi(sk)->scid);
@@ -1068,39 +1080,7 @@ static int l2cap_do_connect(struct sock *sk)
        err = -ENOMEM;
-        if (sk->sk_type == SOCK_RAW) {
+        auth_type = l2cap_get_auth_type(sk);
-                switch (l2cap_pi(sk)->sec_level) {
-                case BT_SECURITY_HIGH:
-                        auth_type = HCI_AT_DEDICATED_BONDING_MITM;
-                        break;
-                case BT_SECURITY_MEDIUM:
-                        auth_type = HCI_AT_DEDICATED_BONDING;
-                        break;
-                default:
-                        auth_type = HCI_AT_NO_BONDING;
-                        break;
-                }
-        } else if (l2cap_pi(sk)->psm == cpu_to_le16(0x0001)) {
-                if (l2cap_pi(sk)->sec_level == BT_SECURITY_HIGH)
-                        auth_type = HCI_AT_NO_BONDING_MITM;
-                else
-                        auth_type = HCI_AT_NO_BONDING;
-                if (l2cap_pi(sk)->sec_level == BT_SECURITY_LOW)
-                        l2cap_pi(sk)->sec_level = BT_SECURITY_SDP;
-        } else {
-                switch (l2cap_pi(sk)->sec_level) {
-                case BT_SECURITY_HIGH:
-                        auth_type = HCI_AT_GENERAL_BONDING_MITM;
-                        break;
-                case BT_SECURITY_MEDIUM:
-                        auth_type = HCI_AT_GENERAL_BONDING;
-                        break;
-                default:
-                        auth_type = HCI_AT_NO_BONDING;
-                        break;
-                }
-        }
        hcon = hci_connect(hdev, ACL_LINK, dst,
                                        l2cap_pi(sk)->sec_level, auth_type);
@@ -1127,7 +1107,8 @@ static int l2cap_do_connect(struct sock *sk)
                if (sk->sk_type != SOCK_SEQPACKET &&
                                sk->sk_type != SOCK_STREAM) {
                        l2cap_sock_clear_timer(sk);
-                        sk->sk_state = BT_CONNECTED;
+                        if (l2cap_check_security(sk))
+                                sk->sk_state = BT_CONNECTED;
                } else
                        l2cap_do_start(sk);
        }
@@ -1893,8 +1874,8 @@ static int l2cap_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct ms
                if (pi->mode == L2CAP_MODE_STREAMING) {
                        l2cap_streaming_send(sk);
                } else {
-                        if (pi->conn_state & L2CAP_CONN_REMOTE_BUSY &&
+                        if ((pi->conn_state & L2CAP_CONN_REMOTE_BUSY) &&
-                                        pi->conn_state && L2CAP_CONN_WAIT_F) {
+                                        (pi->conn_state & L2CAP_CONN_WAIT_F)) {
                                err = len;
                                break;
                        }
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index ff8aaa736650..6b83776534fb 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1164,7 +1164,8 @@ static int rfcomm_recv_ua(struct rfcomm_session *s, u8 dlci)
                         * initiator rfcomm_process_rx already calls
                         * rfcomm_session_put() */
                        if (s->sock->sk->sk_state != BT_CLOSED)
-                                rfcomm_session_put(s);
+                                if (list_empty(&s->dlcs))
+                                        rfcomm_session_put(s);
                        break;
                }
        }
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 2575c2db6404..d7b9af4703d0 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -727,7 +727,9 @@ static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
                        break;
                }
+                tty_unlock();
                schedule();
+                tty_lock();
        }
        set_current_state(TASK_RUNNING);
        remove_wait_queue(&dev->wait, &wait);
diff --git a/net/bridge/Kconfig b/net/bridge/Kconfig
index 9190ae462cb4..6dee7bf648a9 100644
--- a/net/bridge/Kconfig
+++ b/net/bridge/Kconfig
@@ -6,6 +6,7 @@ config BRIDGE
        tristate "802.1d Ethernet Bridging"
        select LLC
        select STP
+        depends on IPV6 || IPV6=n
        ---help---
          If you say Y here, then your Linux box will be able to act as an
          Ethernet bridge, which means that the different Ethernet segments it
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index 2872393b2939..88485cc74dc3 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -328,12 +328,12 @@ static struct net_bridge_fdb_entry *fdb_create(struct hlist_head *head,
        fdb = kmem_cache_alloc(br_fdb_cache, GFP_ATOMIC);
        if (fdb) {
                memcpy(fdb->addr.addr, addr, ETH_ALEN);
-                hlist_add_head_rcu(&fdb->hlist, head);
                fdb->dst = source;
                fdb->is_local = is_local;
                fdb->is_static = is_local;
                fdb->ageing_timer = jiffies;
+                hlist_add_head_rcu(&fdb->hlist, head);
        }
        return fdb;
 }
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 6f6d8e1b776f..88e4aa9cb1f9 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -80,7 +80,7 @@ int br_handle_frame_finish(struct sk_buff *skb)
        if (is_multicast_ether_addr(dest)) {
                mdst = br_mdb_get(br, skb);
                if (mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb)) {
-                        if ((mdst && !hlist_unhashed(&mdst->mglist)) ||
+                        if ((mdst && mdst->mglist) ||
                            br_multicast_is_router(br))
                                skb2 = skb;
                        br_multicast_forward(mdst, skb, skb2);
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index f701a21acb34..030a002ff8ee 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -37,10 +37,9 @@
        rcu_dereference_protected(X, lockdep_is_held(&br->multicast_lock))
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-static inline int ipv6_is_local_multicast(const struct in6_addr *addr)
+static inline int ipv6_is_transient_multicast(const struct in6_addr *addr)
 {
-        if (ipv6_addr_is_multicast(addr) &&
+        if (ipv6_addr_is_multicast(addr) && IPV6_ADDR_MC_FLAG_TRANSIENT(addr))
-            IPV6_ADDR_MC_SCOPE(addr) <= IPV6_ADDR_SCOPE_LINKLOCAL)
                return 1;
        return 0;
 }
@@ -232,8 +231,7 @@ static void br_multicast_group_expired(unsigned long data)
        if (!netif_running(br->dev) || timer_pending(&mp->timer))
                goto out;
-        if (!hlist_unhashed(&mp->mglist))
+        mp->mglist = false;
-                hlist_del_init(&mp->mglist);
        if (mp->ports)
                goto out;
@@ -276,7 +274,7 @@ static void br_multicast_del_pg(struct net_bridge *br,
                del_timer(&p->query_timer);
                call_rcu_bh(&p->rcu, br_multicast_free_pg);
-                if (!mp->ports && hlist_unhashed(&mp->mglist) &&
+                if (!mp->ports && !mp->mglist &&
                    netif_running(br->dev))
                        mod_timer(&mp->timer, jiffies);
@@ -436,7 +434,6 @@ static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br,
        eth = eth_hdr(skb);
        memcpy(eth->h_source, br->dev->dev_addr, 6);
-        ipv6_eth_mc_map(group, eth->h_dest);
        eth->h_proto = htons(ETH_P_IPV6);
        skb_put(skb, sizeof(*eth));
@@ -448,8 +445,10 @@ static struct sk_buff *br_ip6_multicast_alloc_query(struct net_bridge *br,
        ip6h->payload_len = htons(8 + sizeof(*mldq));
        ip6h->nexthdr = IPPROTO_HOPOPTS;
        ip6h->hop_limit = 1;
-        ipv6_addr_set(&ip6h->saddr, 0, 0, 0, 0);
+        ipv6_dev_get_saddr(dev_net(br->dev), br->dev, &ip6h->daddr, 0,
+                           &ip6h->saddr);
        ipv6_addr_set(&ip6h->daddr, htonl(0xff020000), 0, 0, htonl(1));
+        ipv6_eth_mc_map(&ip6h->daddr, eth->h_dest);
        hopopt = (u8 *)(ip6h + 1);
        hopopt[0] = IPPROTO_ICMPV6;             /* next hdr */
@@ -528,7 +527,7 @@ static void br_multicast_group_query_expired(unsigned long data)
        struct net_bridge *br = mp->br;
        spin_lock(&br->multicast_lock);
-        if (!netif_running(br->dev) || hlist_unhashed(&mp->mglist) ||
+        if (!netif_running(br->dev) || !mp->mglist ||
            mp->queries_sent >= br->multicast_last_member_count)
                goto out;
@@ -719,7 +718,7 @@ static int br_multicast_add_group(struct net_bridge *br,
                goto err;
        if (!port) {
-                hlist_add_head(&mp->mglist, &br->mglist);
+                mp->mglist = true;
                mod_timer(&mp->timer, now + br->multicast_membership_interval);
                goto out;
        }
@@ -781,11 +780,11 @@ static int br_ip6_multicast_add_group(struct net_bridge *br,
 {
        struct br_ip br_group;
-        if (ipv6_is_local_multicast(group))
+        if (!ipv6_is_transient_multicast(group))
                return 0;
        ipv6_addr_copy(&br_group.u.ip6, group);
-        br_group.proto = htons(ETH_P_IP);
+        br_group.proto = htons(ETH_P_IPV6);
        return br_multicast_add_group(br, port, &br_group);
 }
@@ -1014,18 +1013,19 @@ static int br_ip6_multicast_mld2_report(struct net_bridge *br,
                nsrcs = skb_header_pointer(skb,
                                           len + offsetof(struct mld2_grec,
-                                                          grec_mca),
+                                                          grec_nsrcs),
                                           sizeof(_nsrcs), &_nsrcs);
                if (!nsrcs)
                        return -EINVAL;
                if (!pskb_may_pull(skb,
                                   len + sizeof(*grec) +
-                                   sizeof(struct in6_addr) * (*nsrcs)))
+                                   sizeof(struct in6_addr) * ntohs(*nsrcs)))
                        return -EINVAL;
                grec = (struct mld2_grec *)(skb->data + len);
-                len += sizeof(*grec) + sizeof(struct in6_addr) * (*nsrcs);
+                len += sizeof(*grec) +
+                       sizeof(struct in6_addr) * ntohs(*nsrcs);
                /* We treat these as MLDv1 reports for now. */
                switch (grec->grec_type) {
@@ -1165,7 +1165,7 @@ static int br_ip4_multicast_query(struct net_bridge *br,
        max_delay *= br->multicast_last_member_count;
-        if (!hlist_unhashed(&mp->mglist) &&
+        if (mp->mglist &&
            (timer_pending(&mp->timer) ?
             time_after(mp->timer.expires, now + max_delay) :
             try_to_del_timer_sync(&mp->timer) >= 0))
@@ -1177,7 +1177,7 @@ static int br_ip4_multicast_query(struct net_bridge *br,
                if (timer_pending(&p->timer) ?
                    time_after(p->timer.expires, now + max_delay) :
                    try_to_del_timer_sync(&p->timer) >= 0)
-                        mod_timer(&mp->timer, now + max_delay);
+                        mod_timer(&p->timer, now + max_delay);
        }
 out:
@@ -1236,7 +1236,7 @@ static int br_ip6_multicast_query(struct net_bridge *br,
                goto out;
        max_delay *= br->multicast_last_member_count;
-        if (!hlist_unhashed(&mp->mglist) &&
+        if (mp->mglist &&
            (timer_pending(&mp->timer) ?
             time_after(mp->timer.expires, now + max_delay) :
             try_to_del_timer_sync(&mp->timer) >= 0))
@@ -1248,7 +1248,7 @@ static int br_ip6_multicast_query(struct net_bridge *br,
                if (timer_pending(&p->timer) ?
                    time_after(p->timer.expires, now + max_delay) :
                    try_to_del_timer_sync(&p->timer) >= 0)
-                        mod_timer(&mp->timer, now + max_delay);
+                        mod_timer(&p->timer, now + max_delay);
        }
 out:
@@ -1283,7 +1283,7 @@ static void br_multicast_leave_group(struct net_bridge *br,
                     br->multicast_last_member_interval;
        if (!port) {
-                if (!hlist_unhashed(&mp->mglist) &&
+                if (mp->mglist &&
                    (timer_pending(&mp->timer) ?
                     time_after(mp->timer.expires, time) :
                     try_to_del_timer_sync(&mp->timer) >= 0)) {
@@ -1341,7 +1341,7 @@ static void br_ip6_multicast_leave_group(struct net_bridge *br,
 {
        struct br_ip br_group;
-        if (ipv6_is_local_multicast(group))
+        if (!ipv6_is_transient_multicast(group))
                return;
        ipv6_addr_copy(&br_group.u.ip6, group);
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 84aac7734bfc..4e1b620b6be6 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -84,13 +84,13 @@ struct net_bridge_port_group {
 struct net_bridge_mdb_entry
 {
        struct hlist_node               hlist[2];
-        struct hlist_node               mglist;
        struct net_bridge               *br;
        struct net_bridge_port_group __rcu *ports;
        struct rcu_head                 rcu;
        struct timer_list               timer;
        struct timer_list               query_timer;
        struct br_ip                    addr;
+        bool                            mglist;
        u32                             queries_sent;
 };
@@ -238,7 +238,6 @@ struct net_bridge
        spinlock_t                      multicast_lock;
        struct net_bridge_mdb_htable __rcu *mdb;
        struct hlist_head               router_list;
-        struct hlist_head               mglist;
        struct timer_list               multicast_router_timer;
        struct timer_list               multicast_querier_timer;
diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
index fa9dab372b68..6008d6dc18a0 100644
--- a/net/caif/chnl_net.c
+++ b/net/caif/chnl_net.c
@@ -394,9 +394,7 @@ static void ipcaif_net_setup(struct net_device *dev)
        priv->conn_req.sockaddr.u.dgm.connection_id = -1;
        priv->flowenabled = false;
-        ASSERT_RTNL();
        init_waitqueue_head(&priv->netmgmt_wq);
-        list_add(&priv->list_field, &chnl_net_list);
 }
@@ -453,6 +451,8 @@ static int ipcaif_newlink(struct net *src_net, struct net_device *dev,
        ret = register_netdevice(dev);
        if (ret)
                pr_warn("device rtml registration failed\n");
+        else
+                list_add(&caifdev->list_field, &chnl_net_list);
        return ret;
 }
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index dff633d62e5b..05f357828a2f 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -252,8 +252,12 @@ static int ceph_tcp_recvmsg(struct socket *sock, void *buf, size_t len)
 {
        struct kvec iov = {buf, len};
        struct msghdr msg = { .msg_flags = MSG_DONTWAIT | MSG_NOSIGNAL };
+        int r;
-        return kernel_recvmsg(sock, &msg, &iov, 1, len, msg.msg_flags);
+        r = kernel_recvmsg(sock, &msg, &iov, 1, len, msg.msg_flags);
+        if (r == -EAGAIN)
+                r = 0;
+        return r;
 }
 /*
@@ -264,13 +268,17 @@ static int ceph_tcp_sendmsg(struct socket *sock, struct kvec *iov,
                     size_t kvlen, size_t len, int more)
 {
        struct msghdr msg = { .msg_flags = MSG_DONTWAIT | MSG_NOSIGNAL };
+        int r;
        if (more)
                msg.msg_flags |= MSG_MORE;
        else
                msg.msg_flags |= MSG_EOR;  /* superfluous, but what the hell */
-        return kernel_sendmsg(sock, &msg, iov, kvlen, len);
+        r = kernel_sendmsg(sock, &msg, iov, kvlen, len);
+        if (r == -EAGAIN)
+                r = 0;
+        return r;
 }
@@ -328,7 +336,6 @@ static void reset_connection(struct ceph_connection *con)
                ceph_msg_put(con->out_msg);
                con->out_msg = NULL;
        }
-        con->out_keepalive_pending = false;
        con->in_seq = 0;
        con->in_seq_acked = 0;
 }
@@ -847,6 +854,8 @@ static int write_partial_msg_pages(struct ceph_connection *con)
                    (msg->pages || msg->pagelist || msg->bio || in_trail))
                        kunmap(page);
+                if (ret == -EAGAIN)
+                        ret = 0;
                if (ret <= 0)
                        goto out;
@@ -1238,8 +1247,6 @@ static int process_connect(struct ceph_connection *con)
                     con->auth_retry);
                if (con->auth_retry == 2) {
                        con->error_msg = "connect authorization failure";
-                        reset_connection(con);
-                        set_bit(CLOSED, &con->state);
                        return -1;
                }
                con->auth_retry = 1;
@@ -1705,14 +1712,6 @@ more:
        /* open the socket first? */
        if (con->sock == NULL) {
-                /*
-                 * if we were STANDBY and are reconnecting _this_
-                 * connection, bump connect_seq now.  Always bump
-                 * global_seq.
-                 */
-                if (test_and_clear_bit(STANDBY, &con->state))
-                        con->connect_seq++;
                prepare_write_banner(msgr, con);
                prepare_write_connect(msgr, con, 1);
                prepare_read_banner(con);
@@ -1737,16 +1736,12 @@ more_kvec:
        if (con->out_skip) {
                ret = write_partial_skip(con);
                if (ret <= 0)
-                        goto done;
+                        goto out;
-                if (ret < 0) {
-                        dout("try_write write_partial_skip err %d\n", ret);
-                        goto done;
-                }
        }
        if (con->out_kvec_left) {
                ret = write_partial_kvec(con);
                if (ret <= 0)
-                        goto done;
+                        goto out;
        }
        /* msg pages? */
@@ -1761,11 +1756,11 @@ more_kvec:
                if (ret == 1)
                        goto more_kvec;  /* we need to send the footer, too! */
                if (ret == 0)
-                        goto done;
+                        goto out;
                if (ret < 0) {
                        dout("try_write write_partial_msg_pages err %d\n",
                             ret);
-                        goto done;
+                        goto out;
                }
        }
@@ -1789,10 +1784,9 @@ do_next:
        /* Nothing to do! */
        clear_bit(WRITE_PENDING, &con->state);
        dout("try_write nothing else to write.\n");
-done:
        ret = 0;
 out:
-        dout("try_write done on %p\n", con);
+        dout("try_write done on %p ret %d\n", con, ret);
        return ret;
 }
@@ -1821,19 +1815,17 @@ more:
                        dout("try_read connecting\n");
                        ret = read_partial_banner(con);
                        if (ret <= 0)
-                                goto done;
-                        if (process_banner(con) < 0) {
-                                ret = -1;
                                goto out;
-                        }
+                        ret = process_banner(con);
+                        if (ret < 0)
+                                goto out;
                }
                ret = read_partial_connect(con);
                if (ret <= 0)
-                        goto done;
-                if (process_connect(con) < 0) {
-                        ret = -1;
                        goto out;
-                }
+                ret = process_connect(con);
+                if (ret < 0)
+                        goto out;
                goto more;
        }
@@ -1848,7 +1840,7 @@ more:
                dout("skipping %d / %d bytes\n", skip, -con->in_base_pos);
                ret = ceph_tcp_recvmsg(con->sock, buf, skip);
                if (ret <= 0)
-                        goto done;
+                        goto out;
                con->in_base_pos += ret;
                if (con->in_base_pos)
                        goto more;
@@ -1859,7 +1851,7 @@ more:
                 */
                ret = ceph_tcp_recvmsg(con->sock, &con->in_tag, 1);
                if (ret <= 0)
-                        goto done;
+                        goto out;
                dout("try_read got tag %d\n", (int)con->in_tag);
                switch (con->in_tag) {
                case CEPH_MSGR_TAG_MSG:
@@ -1870,7 +1862,7 @@ more:
                        break;
                case CEPH_MSGR_TAG_CLOSE:
                        set_bit(CLOSED, &con->state);   /* fixme */
-                        goto done;
+                        goto out;
                default:
                        goto bad_tag;
                }
@@ -1882,13 +1874,12 @@ more:
                        case -EBADMSG:
                                con->error_msg = "bad crc";
                                ret = -EIO;
-                                goto out;
+                                break;
                        case -EIO:
                                con->error_msg = "io error";
-                                goto out;
+                                break;
-                        default:
-                                goto done;
                        }
+                        goto out;
                }
                if (con->in_tag == CEPH_MSGR_TAG_READY)
                        goto more;
@@ -1898,15 +1889,13 @@ more:
        if (con->in_tag == CEPH_MSGR_TAG_ACK) {
                ret = read_partial_ack(con);
                if (ret <= 0)
-                        goto done;
+                        goto out;
                process_ack(con);
                goto more;
        }
-done:
-        ret = 0;
 out:
-        dout("try_read done on %p\n", con);
+        dout("try_read done on %p ret %d\n", con, ret);
        return ret;
 bad_tag:
@@ -1951,7 +1940,24 @@ static void con_work(struct work_struct *work)
                                                   work.work);
        mutex_lock(&con->mutex);
+        if (test_and_clear_bit(BACKOFF, &con->state)) {
+                dout("con_work %p backing off\n", con);
+                if (queue_delayed_work(ceph_msgr_wq, &con->work,
+                                       round_jiffies_relative(con->delay))) {
+                        dout("con_work %p backoff %lu\n", con, con->delay);
+                        mutex_unlock(&con->mutex);
+                        return;
+                } else {
+                        con->ops->put(con);
+                        dout("con_work %p FAILED to back off %lu\n", con,
+                             con->delay);
+                }
+        }
+        if (test_bit(STANDBY, &con->state)) {
+                dout("con_work %p STANDBY\n", con);
+                goto done;
+        }
        if (test_bit(CLOSED, &con->state)) { /* e.g. if we are replaced */
                dout("con_work CLOSED\n");
                con_close_socket(con);
@@ -2008,10 +2014,12 @@ static void ceph_fault(struct ceph_connection *con)
        /* Requeue anything that hasn't been acked */
        list_splice_init(&con->out_sent, &con->out_queue);
-        /* If there are no messages in the queue, place the connection
+        /* If there are no messages queued or keepalive pending, place
-         * in a STANDBY state (i.e., don't try to reconnect just yet). */
+         * the connection in a STANDBY state */
-        if (list_empty(&con->out_queue) && !con->out_keepalive_pending) {
+        if (list_empty(&con->out_queue) &&
-                dout("fault setting STANDBY\n");
+            !test_bit(KEEPALIVE_PENDING, &con->state)) {
+                dout("fault %p setting STANDBY clearing WRITE_PENDING\n", con);
+                clear_bit(WRITE_PENDING, &con->state);
                set_bit(STANDBY, &con->state);
        } else {
                /* retry after a delay. */
@@ -2019,11 +2027,24 @@ static void ceph_fault(struct ceph_connection *con)
                        con->delay = BASE_DELAY_INTERVAL;
                else if (con->delay < MAX_DELAY_INTERVAL)
                        con->delay *= 2;
-                dout("fault queueing %p delay %lu\n", con, con->delay);
                con->ops->get(con);
                if (queue_delayed_work(ceph_msgr_wq, &con->work,
-                                       round_jiffies_relative(con->delay)) == 0)
+                                       round_jiffies_relative(con->delay))) {
+                        dout("fault queued %p delay %lu\n", con, con->delay);
+                } else {
                        con->ops->put(con);
+                        dout("fault failed to queue %p delay %lu, backoff\n",
+                             con, con->delay);
+                        /*
+                         * In many cases we see a socket state change
+                         * while con_work is running and end up
+                         * queuing (non-delayed) work, such that we
+                         * can't backoff with a delay.  Set a flag so
+                         * that when con_work restarts we schedule the
+                         * delay then.
+                         */
+                        set_bit(BACKOFF, &con->state);
+                }
        }
 out_unlock:
@@ -2094,6 +2115,19 @@ void ceph_messenger_destroy(struct ceph_messenger *msgr)
 }
 EXPORT_SYMBOL(ceph_messenger_destroy);
+static void clear_standby(struct ceph_connection *con)
+{
+        /* come back from STANDBY? */
+        if (test_and_clear_bit(STANDBY, &con->state)) {
+                mutex_lock(&con->mutex);
+                dout("clear_standby %p and ++connect_seq\n", con);
+                con->connect_seq++;
+                WARN_ON(test_bit(WRITE_PENDING, &con->state));
+                WARN_ON(test_bit(KEEPALIVE_PENDING, &con->state));
+                mutex_unlock(&con->mutex);
+        }
+}
 /*
 * Queue up an outgoing message on the given connection.
 */
@@ -2126,6 +2160,7 @@ void ceph_con_send(struct ceph_connection *con, struct ceph_msg *msg)
        /* if there wasn't anything waiting to send before, queue
         * new work */
+        clear_standby(con);
        if (test_and_set_bit(WRITE_PENDING, &con->state) == 0)
                queue_con(con);
 }
@@ -2191,6 +2226,8 @@ void ceph_con_revoke_message(struct ceph_connection *con, struct ceph_msg *msg)
 */
 void ceph_con_keepalive(struct ceph_connection *con)
 {
+        dout("con_keepalive %p\n", con);
+        clear_standby(con);
        if (test_and_set_bit(KEEPALIVE_PENDING, &con->state) == 0 &&
            test_and_set_bit(WRITE_PENDING, &con->state) == 0)
                queue_con(con);
diff --git a/net/ceph/pagevec.c b/net/ceph/pagevec.c
index 1a040e64c69f..cd9c21df87d1 100644
--- a/net/ceph/pagevec.c
+++ b/net/ceph/pagevec.c
@@ -16,22 +16,30 @@ struct page **ceph_get_direct_page_vector(const char __user *data,
                                          int num_pages, bool write_page)
 {
        struct page **pages;
-        int rc;
+        int got = 0;
+        int rc = 0;
        pages = kmalloc(sizeof(*pages) * num_pages, GFP_NOFS);
        if (!pages)
                return ERR_PTR(-ENOMEM);
        down_read(&current->mm->mmap_sem);
-        rc = get_user_pages(current, current->mm, (unsigned long)data,
+        while (got < num_pages) {
-                            num_pages, write_page, 0, pages, NULL);
+                rc = get_user_pages(current, current->mm,
+                    (unsigned long)data + ((unsigned long)got * PAGE_SIZE),
+                    num_pages - got, write_page, 0, pages + got, NULL);
+                if (rc < 0)
+                        break;
+                BUG_ON(rc == 0);
+                got += rc;
+        }
        up_read(&current->mm->mmap_sem);
-        if (rc < num_pages)
+        if (rc < 0)
                goto fail;
        return pages;
 fail:
-        ceph_put_page_vector(pages, rc > 0 ? rc : 0, false);
+        ceph_put_page_vector(pages, got, false);
        return ERR_PTR(rc);
 }
 EXPORT_SYMBOL(ceph_get_direct_page_vector);
diff --git a/net/core/dev.c b/net/core/dev.c
index 7c6a46f80372..6561021d22d1 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -749,7 +749,8 @@ EXPORT_SYMBOL(dev_get_by_index);
 *      @ha: hardware address
 *
 *      Search for an interface by MAC address. Returns NULL if the device
- *      is not found or a pointer to the device. The caller must hold RCU
+ *      is not found or a pointer to the device.
+ *      The caller must hold RCU or RTNL.
 *      The returned device has not had its ref count increased
 *      and the caller must therefore be careful about locking
 *
@@ -1113,13 +1114,21 @@ EXPORT_SYMBOL(netdev_bonding_change);
 void dev_load(struct net *net, const char *name)
 {
        struct net_device *dev;
+        int no_module;
        rcu_read_lock();
        dev = dev_get_by_name_rcu(net, name);
        rcu_read_unlock();
-        if (!dev && capable(CAP_NET_ADMIN))
+        no_module = !dev;
-                request_module("%s", name);
+        if (no_module && capable(CAP_NET_ADMIN))
+                no_module = request_module("netdev-%s", name);
+        if (no_module && capable(CAP_SYS_MODULE)) {
+                if (!request_module("%s", name))
+                        pr_err("Loading kernel module for a network device "
+"with CAP_SYS_MODULE (deprecated).  Use CAP_NET_ADMIN and alias netdev-%s "
+"instead\n", name);
+        }
 }
 EXPORT_SYMBOL(dev_load);
@@ -1279,10 +1288,13 @@ static int __dev_close_many(struct list_head *head)
 static int __dev_close(struct net_device *dev)
 {
+        int retval;
        LIST_HEAD(single);
        list_add(&dev->unreg_list, &single);
-        return __dev_close_many(&single);
+        retval = __dev_close_many(&single);
+        list_del(&single);
+        return retval;
 }
 int dev_close_many(struct list_head *head)
@@ -1324,7 +1336,7 @@ int dev_close(struct net_device *dev)
        list_add(&dev->unreg_list, &single);
        dev_close_many(&single);
+        list_del(&single);
        return 0;
 }
 EXPORT_SYMBOL(dev_close);
@@ -2562,7 +2574,8 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
        map = rcu_dereference(rxqueue->rps_map);
        if (map) {
-                if (map->len == 1) {
+                if (map->len == 1 &&
+                    !rcu_dereference_raw(rxqueue->rps_flow_table)) {
                        tcpu = map->cpus[0];
                        if (cpu_online(tcpu))
                                cpu = tcpu;
@@ -3423,6 +3436,8 @@ static void napi_reuse_skb(struct napi_struct *napi, struct sk_buff *skb)
        __skb_pull(skb, skb_headlen(skb));
        skb_reserve(skb, NET_IP_ALIGN - skb_headroom(skb));
        skb->vlan_tci = 0;
+        skb->dev = napi->dev;
+        skb->skb_iif = 0;
        napi->skb = skb;
 }
@@ -5059,6 +5074,7 @@ static void rollback_registered(struct net_device *dev)
        list_add(&dev->unreg_list, &single);
        rollback_registered_many(&single);
+        list_del(&single);
 }
 unsigned long netdev_fix_features(unsigned long features, const char *name)
@@ -5656,30 +5672,35 @@ struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name,
        dev_net_set(dev, &init_net);
+        dev->gso_max_size = GSO_MAX_SIZE;
+        INIT_LIST_HEAD(&dev->ethtool_ntuple_list.list);
+        dev->ethtool_ntuple_list.count = 0;
+        INIT_LIST_HEAD(&dev->napi_list);
+        INIT_LIST_HEAD(&dev->unreg_list);
+        INIT_LIST_HEAD(&dev->link_watch_list);
+        dev->priv_flags = IFF_XMIT_DST_RELEASE;
+        setup(dev);
        dev->num_tx_queues = txqs;
        dev->real_num_tx_queues = txqs;
        if (netif_alloc_netdev_queues(dev))
-                goto free_pcpu;
+                goto free_all;
 #ifdef CONFIG_RPS
        dev->num_rx_queues = rxqs;
        dev->real_num_rx_queues = rxqs;
        if (netif_alloc_rx_queues(dev))
-                goto free_pcpu;
+                goto free_all;
 #endif
-        dev->gso_max_size = GSO_MAX_SIZE;
-        INIT_LIST_HEAD(&dev->ethtool_ntuple_list.list);
-        dev->ethtool_ntuple_list.count = 0;
-        INIT_LIST_HEAD(&dev->napi_list);
-        INIT_LIST_HEAD(&dev->unreg_list);
-        INIT_LIST_HEAD(&dev->link_watch_list);
-        dev->priv_flags = IFF_XMIT_DST_RELEASE;
-        setup(dev);
        strcpy(dev->name, name);
        return dev;
+free_all:
+        free_netdev(dev);
+        return NULL;
 free_pcpu:
        free_percpu(dev->pcpu_refcnt);
        kfree(dev->_tx);
@@ -6207,6 +6228,7 @@ static void __net_exit default_device_exit_batch(struct list_head *net_list)
                }
        }
        unregister_netdevice_many(&dev_kill_list);
+        list_del(&dev_kill_list);
        rtnl_unlock();
 }
diff --git a/net/core/dev_addr_lists.c b/net/core/dev_addr_lists.c
index 508f9c18992f..133fd22ea287 100644
--- a/net/core/dev_addr_lists.c
+++ b/net/core/dev_addr_lists.c
@@ -144,7 +144,7 @@ void __hw_addr_del_multiple(struct netdev_hw_addr_list *to_list,
        list_for_each_entry(ha, &from_list->list, list) {
                type = addr_type ? addr_type : ha->type;
-                __hw_addr_del(to_list, ha->addr, addr_len, addr_type);
+                __hw_addr_del(to_list, ha->addr, addr_len, type);
        }
 }
 EXPORT_SYMBOL(__hw_addr_del_multiple);
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 17741782a345..ff2302910b5e 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -817,7 +817,7 @@ static int ethtool_get_regs(struct net_device *dev, char __user *useraddr)
        if (regs.len > reglen)
                regs.len = reglen;
-        regbuf = vmalloc(reglen);
+        regbuf = vzalloc(reglen);
        if (!regbuf)
                return -ENOMEM;
diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index a9e7fc4c461f..b5bada92f637 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -3321,7 +3321,7 @@ static void show_results(struct pktgen_dev *pkt_dev, int nr_frags)
                                    pkt_dev->started_at);
        ktime_t idle = ns_to_ktime(pkt_dev->idle_acc);
-        p += sprintf(p, "OK: %llu(c%llu+d%llu) nsec, %llu (%dbyte,%dfrags)\n",
+        p += sprintf(p, "OK: %llu(c%llu+d%llu) usec, %llu (%dbyte,%dfrags)\n",
                     (unsigned long long)ktime_to_us(elapsed),
                     (unsigned long long)ktime_to_us(ktime_sub(elapsed, idle)),
                     (unsigned long long)ktime_to_us(idle),
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 750db57f3bb3..2d65c6bb24c1 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1121,8 +1121,7 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[])
                                return -EOPNOTSUPP;
                        if (af_ops->validate_link_af) {
-                                err = af_ops->validate_link_af(dev,
+                                err = af_ops->validate_link_af(dev, af);
-                                                        tb[IFLA_AF_SPEC]);
                                if (err < 0)
                                        return err;
                        }
@@ -1672,6 +1671,9 @@ replay:
                        snprintf(ifname, IFNAMSIZ, "%s%%d", ops->kind);
                dest_net = rtnl_link_get_net(net, tb);
+                if (IS_ERR(dest_net))
+                        return PTR_ERR(dest_net);
                dev = rtnl_create_link(net, dest_net, ifname, ops, tb);
                if (IS_ERR(dev))
diff --git a/net/core/scm.c b/net/core/scm.c
index bbe454450801..4c1ef026d695 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -95,7 +95,7 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp)
                int fd = fdp[i];
                struct file *file;
-                if (fd < 0 || !(file = fget(fd)))
+                if (fd < 0 || !(file = fget_raw(fd)))
                        return -EBADF;
                *fpp++ = file;
                fpl->count++;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index d31bb36ae0dc..d883dcc78b6b 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -210,6 +210,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask,
        shinfo = skb_shinfo(skb);
        memset(shinfo, 0, offsetof(struct skb_shared_info, dataref));
        atomic_set(&shinfo->dataref, 1);
+        kmemcheck_annotate_variable(shinfo->destructor_arg);
        if (fclone) {
                struct sk_buff *child = skb + 1;
@@ -2744,8 +2745,12 @@ int skb_gro_receive(struct sk_buff **head, struct sk_buff *skb)
 merge:
        if (offset > headlen) {
-                skbinfo->frags[0].page_offset += offset - headlen;
+                unsigned int eat = offset - headlen;
-                skbinfo->frags[0].size -= offset - headlen;
+                skbinfo->frags[0].page_offset += eat;
+                skbinfo->frags[0].size -= eat;
+                skb->data_len -= eat;
+                skb->len -= eat;
                offset = headlen;
        }
diff --git a/net/dcb/dcbnl.c b/net/dcb/dcbnl.c
index d900ab99814a..c44348adba3b 100644
--- a/net/dcb/dcbnl.c
+++ b/net/dcb/dcbnl.c
@@ -583,7 +583,7 @@ static int dcbnl_getapp(struct net_device *netdev, struct nlattr **tb,
        u8 up, idtype;
        int ret = -EINVAL;
-        if (!tb[DCB_ATTR_APP] || !netdev->dcbnl_ops->getapp)
+        if (!tb[DCB_ATTR_APP])
                goto out;
        ret = nla_parse_nested(app_tb, DCB_APP_ATTR_MAX, tb[DCB_ATTR_APP],
@@ -604,7 +604,16 @@ static int dcbnl_getapp(struct net_device *netdev, struct nlattr **tb,
                goto out;
        id = nla_get_u16(app_tb[DCB_APP_ATTR_ID]);
-        up = netdev->dcbnl_ops->getapp(netdev, idtype, id);
+        if (netdev->dcbnl_ops->getapp) {
+                up = netdev->dcbnl_ops->getapp(netdev, idtype, id);
+        } else {
+                struct dcb_app app = {
+                                        .selector = idtype,
+                                        .protocol = id,
+                                     };
+                up = dcb_getapp(netdev, &app);
+        }
        /* send this back */
        dcbnl_skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
@@ -617,6 +626,9 @@ static int dcbnl_getapp(struct net_device *netdev, struct nlattr **tb,
        dcb->cmd = DCB_CMD_GAPP;
        app_nest = nla_nest_start(dcbnl_skb, DCB_ATTR_APP);
+        if (!app_nest)
+                goto out_cancel;
        ret = nla_put_u8(dcbnl_skb, DCB_APP_ATTR_IDTYPE, idtype);
        if (ret)
                goto out_cancel;
@@ -1181,7 +1193,7 @@ static int dcbnl_ieee_set(struct net_device *netdev, struct nlattr **tb,
                        goto err;
        }
-        if (ieee[DCB_ATTR_IEEE_PFC] && ops->ieee_setets) {
+        if (ieee[DCB_ATTR_IEEE_PFC] && ops->ieee_setpfc) {
                struct ieee_pfc *pfc = nla_data(ieee[DCB_ATTR_IEEE_PFC]);
                err = ops->ieee_setpfc(netdev, pfc);
                if (err)
@@ -1604,6 +1616,10 @@ EXPORT_SYMBOL(dcb_getapp);
 u8 dcb_setapp(struct net_device *dev, struct dcb_app *new)
 {
        struct dcb_app_type *itr;
+        struct dcb_app_type event;
+        memcpy(&event.name, dev->name, sizeof(event.name));
+        memcpy(&event.app, new, sizeof(event.app));
        spin_lock(&dcb_lock);
        /* Search for existing match and replace */
@@ -1635,7 +1651,7 @@ u8 dcb_setapp(struct net_device *dev, struct dcb_app *new)
        }
 out:
        spin_unlock(&dcb_lock);
-        call_dcbevent_notifiers(DCB_APP_EVENT, new);
+        call_dcbevent_notifiers(DCB_APP_EVENT, &event);
        return 0;
 }
 EXPORT_SYMBOL(dcb_setapp);
diff --git a/net/dccp/input.c b/net/dccp/input.c
index 8cde009e8b85..4222e7a654b0 100644
--- a/net/dccp/input.c
+++ b/net/dccp/input.c
@@ -614,6 +614,9 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
                /* Caller (dccp_v4_do_rcv) will send Reset */
                dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
                return 1;
+        } else if (sk->sk_state == DCCP_CLOSED) {
+                dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
+                return 1;
        }
        if (sk->sk_state != DCCP_REQUESTING && sk->sk_state != DCCP_RESPOND) {
@@ -668,10 +671,6 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
        }
        switch (sk->sk_state) {
-        case DCCP_CLOSED:
-                dcb->dccpd_reset_code = DCCP_RESET_CODE_NO_CONNECTION;
-                return 1;
        case DCCP_REQUESTING:
                queued = dccp_rcv_request_sent_state_process(sk, skb, dh, len);
                if (queued >= 0)
diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
index 739435a6af39..cfa7a5e1c5c9 100644
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -67,8 +67,9 @@ dns_resolver_instantiate(struct key *key, const void *_data, size_t datalen)
        size_t result_len = 0;
        const char *data = _data, *end, *opt;
-        kenter("%%%d,%s,'%s',%zu",
+        kenter("%%%d,%s,'%*.*s',%zu",
-               key->serial, key->description, data, datalen);
+               key->serial, key->description,
+               (int)datalen, (int)datalen, data, datalen);
        if (datalen <= 1 || !data || data[datalen - 1] != '\0')
                return -EINVAL;
@@ -217,6 +218,19 @@ static void dns_resolver_describe(const struct key *key, struct seq_file *m)
                seq_printf(m, ": %u", key->datalen);
 }
+/*
+ * read the DNS data
+ * - the key's semaphore is read-locked
+ */
+static long dns_resolver_read(const struct key *key,
+                              char __user *buffer, size_t buflen)
+{
+        if (key->type_data.x[0])
+                return key->type_data.x[0];
+        return user_read(key, buffer, buflen);
+}
 struct key_type key_type_dns_resolver = {
        .name           = "dns_resolver",
        .instantiate    = dns_resolver_instantiate,
@@ -224,7 +238,7 @@ struct key_type key_type_dns_resolver = {
        .revoke         = user_revoke,
        .destroy        = user_destroy,
        .describe       = dns_resolver_describe,
-        .read           = user_read,
+        .read           = dns_resolver_read,
 };
 static int __init init_dns_resolver(void)
diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
index 0c877a74e1f4..3fb14b7c13cf 100644
--- a/net/dsa/dsa.c
+++ b/net/dsa/dsa.c
@@ -428,7 +428,7 @@ static void __exit dsa_cleanup_module(void)
 }
 module_exit(dsa_cleanup_module);
-MODULE_AUTHOR("Lennert Buytenhek <buytenh@wantstofly.org>")
+MODULE_AUTHOR("Lennert Buytenhek <buytenh@wantstofly.org>");
 MODULE_DESCRIPTION("Driver for Distributed Switch Architecture switch chips");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("platform:dsa");
diff --git a/net/econet/af_econet.c b/net/econet/af_econet.c
index 15dcc1a586b4..0c2826337919 100644
--- a/net/econet/af_econet.c
+++ b/net/econet/af_econet.c
@@ -265,13 +265,13 @@ static void ec_tx_done(struct sk_buff *skb, int result)
 static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
                          struct msghdr *msg, size_t len)
 {
-        struct sock *sk = sock->sk;
        struct sockaddr_ec *saddr=(struct sockaddr_ec *)msg->msg_name;
        struct net_device *dev;
        struct ec_addr addr;
        int err;
        unsigned char port, cb;
 #if defined(CONFIG_ECONET_AUNUDP) || defined(CONFIG_ECONET_NATIVE)
+        struct sock *sk = sock->sk;
        struct sk_buff *skb;
        struct ec_cb *eb;
 #endif
@@ -488,10 +488,10 @@ static int econet_sendmsg(struct kiocb *iocb, struct socket *sock,
 error_free_buf:
        vfree(userbuf);
+error:
 #else
        err = -EPROTOTYPE;
 #endif
-        error:
        mutex_unlock(&econet_mutex);
        return err;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index f2b61107df6c..45b89d7bda5a 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -880,6 +880,19 @@ int inet_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
 }
 EXPORT_SYMBOL(inet_ioctl);
+#ifdef CONFIG_COMPAT
+int inet_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+{
+        struct sock *sk = sock->sk;
+        int err = -ENOIOCTLCMD;
+        if (sk->sk_prot->compat_ioctl)
+                err = sk->sk_prot->compat_ioctl(sk, cmd, arg);
+        return err;
+}
+#endif
 const struct proto_ops inet_stream_ops = {
        .family            = PF_INET,
        .owner             = THIS_MODULE,
@@ -903,6 +916,7 @@ const struct proto_ops inet_stream_ops = {
 #ifdef CONFIG_COMPAT
        .compat_setsockopt = compat_sock_common_setsockopt,
        .compat_getsockopt = compat_sock_common_getsockopt,
+        .compat_ioctl      = inet_compat_ioctl,
 #endif
 };
 EXPORT_SYMBOL(inet_stream_ops);
@@ -929,6 +943,7 @@ const struct proto_ops inet_dgram_ops = {
 #ifdef CONFIG_COMPAT
        .compat_setsockopt = compat_sock_common_setsockopt,
        .compat_getsockopt = compat_sock_common_getsockopt,
+        .compat_ioctl      = inet_compat_ioctl,
 #endif
 };
 EXPORT_SYMBOL(inet_dgram_ops);
@@ -959,6 +974,7 @@ static const struct proto_ops inet_sockraw_ops = {
 #ifdef CONFIG_COMPAT
        .compat_setsockopt = compat_sock_common_setsockopt,
        .compat_getsockopt = compat_sock_common_getsockopt,
+        .compat_ioctl      = inet_compat_ioctl,
 #endif
 };
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 04c8b69fd426..7927589813b5 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1017,14 +1017,13 @@ static int arp_req_set_proxy(struct net *net, struct net_device *dev, int on)
                IPV4_DEVCONF_ALL(net, PROXY_ARP) = on;
                return 0;
        }
-        if (__in_dev_get_rcu(dev)) {
+        if (__in_dev_get_rtnl(dev)) {
-                IN_DEV_CONF_SET(__in_dev_get_rcu(dev), PROXY_ARP, on);
+                IN_DEV_CONF_SET(__in_dev_get_rtnl(dev), PROXY_ARP, on);
                return 0;
        }
        return -ENXIO;
 }
-/* must be called with rcu_read_lock() */
 static int arp_req_set_public(struct net *net, struct arpreq *r,
                struct net_device *dev)
 {
@@ -1233,10 +1232,10 @@ int arp_ioctl(struct net *net, unsigned int cmd, void __user *arg)
        if (!(r.arp_flags & ATF_NETMASK))
                ((struct sockaddr_in *)&r.arp_netmask)->sin_addr.s_addr =
                                                           htonl(0xFFFFFFFFUL);
-        rcu_read_lock();
+        rtnl_lock();
        if (r.arp_dev[0]) {
                err = -ENODEV;
-                dev = dev_get_by_name_rcu(net, r.arp_dev);
+                dev = __dev_get_by_name(net, r.arp_dev);
                if (dev == NULL)
                        goto out;
@@ -1263,7 +1262,7 @@ int arp_ioctl(struct net *net, unsigned int cmd, void __user *arg)
                break;
        }
 out:
-        rcu_read_unlock();
+        rtnl_unlock();
        if (cmd == SIOCGARP && !err && copy_to_user(arg, &r, sizeof(r)))
                err = -EFAULT;
        return err;
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 748cb5b337bd..036652c8166d 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -670,7 +670,7 @@ int devinet_ioctl(struct net *net, unsigned int cmd, void __user *arg)
                             ifap = &ifa->ifa_next) {
                                if (!strcmp(ifr.ifr_name, ifa->ifa_label) &&
                                    sin_orig.sin_addr.s_addr ==
-                                                        ifa->ifa_address) {
+                                                        ifa->ifa_local) {
                                        break; /* found */
                                }
                        }
@@ -1030,6 +1030,21 @@ static inline bool inetdev_valid_mtu(unsigned mtu)
        return mtu >= 68;
 }
+static void inetdev_send_gratuitous_arp(struct net_device *dev,
+                                        struct in_device *in_dev)
+{
+        struct in_ifaddr *ifa = in_dev->ifa_list;
+        if (!ifa)
+                return;
+        arp_send(ARPOP_REQUEST, ETH_P_ARP,
+                 ifa->ifa_local, dev,
+                 ifa->ifa_local, NULL,
+                 dev->dev_addr, NULL);
+}
 /* Called only under RTNL semaphore */
 static int inetdev_event(struct notifier_block *this, unsigned long event,
@@ -1082,18 +1097,13 @@ static int inetdev_event(struct notifier_block *this, unsigned long event,
                }
                ip_mc_up(in_dev);
                /* fall through */
-        case NETDEV_NOTIFY_PEERS:
        case NETDEV_CHANGEADDR:
+                if (!IN_DEV_ARP_NOTIFY(in_dev))
+                        break;
+                /* fall through */
+        case NETDEV_NOTIFY_PEERS:
                /* Send gratuitous ARP to notify of link change */
-                if (IN_DEV_ARP_NOTIFY(in_dev)) {
+                inetdev_send_gratuitous_arp(dev, in_dev);
-                        struct in_ifaddr *ifa = in_dev->ifa_list;
-                        if (ifa)
-                                arp_send(ARPOP_REQUEST, ETH_P_ARP,
-                                         ifa->ifa_address, dev,
-                                         ifa->ifa_address, NULL,
-                                         dev->dev_addr, NULL);
-                }
                break;
        case NETDEV_DOWN:
                ip_mc_down(in_dev);
diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index c5af909cf701..3c8dfa16614d 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -505,7 +505,9 @@ restart:
                        }
                        rcu_read_unlock();
+                        local_bh_disable();
                        inet_twsk_deschedule(tw, twdr);
+                        local_bh_enable();
                        inet_twsk_put(tw);
                        goto restart_rcu;
                }
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
index d9bc85751c74..a96e65674ac3 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -475,7 +475,7 @@ static int cleanup_once(unsigned long ttl)
 struct inet_peer *inet_getpeer(struct inetpeer_addr *daddr, int create)
 {
        struct inet_peer __rcu **stack[PEER_MAXDEPTH], ***stackptr;
-        struct inet_peer_base *base = family_to_base(AF_INET);
+        struct inet_peer_base *base = family_to_base(daddr->family);
        struct inet_peer *p;
        /* Look up for the address quickly, lockless.
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index eb68a0e34e49..d1d0e2c256fc 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -775,6 +775,7 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
                        .fl4_dst = dst,
                        .fl4_src = tiph->saddr,
                        .fl4_tos = RT_TOS(tos),
+                        .proto = IPPROTO_GRE,
                        .fl_gre_key = tunnel->parms.o_key
                };
                if (ip_route_output_key(dev_net(dev), &rt, &fl)) {
@@ -1764,4 +1765,4 @@ module_exit(ipgre_fini);
 MODULE_LICENSE("GPL");
 MODULE_ALIAS_RTNL_LINK("gre");
 MODULE_ALIAS_RTNL_LINK("gretap");
-MODULE_ALIAS("gre0");
+MODULE_ALIAS_NETDEV("gre0");
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index 988f52fba54a..a5f58e7cbb26 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -913,4 +913,4 @@ static void __exit ipip_fini(void)
 module_init(ipip_init);
 module_exit(ipip_fini);
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("tunl0");
+MODULE_ALIAS_NETDEV("tunl0");
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 3f3a9afd73e0..8b65a12654e7 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -60,6 +60,7 @@
 #include <linux/notifier.h>
 #include <linux/if_arp.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/compat.h>
 #include <net/ipip.h>
 #include <net/checksum.h>
 #include <net/netlink.h>
@@ -1434,6 +1435,81 @@ int ipmr_ioctl(struct sock *sk, int cmd, void __user *arg)
        }
 }
+#ifdef CONFIG_COMPAT
+struct compat_sioc_sg_req {
+        struct in_addr src;
+        struct in_addr grp;
+        compat_ulong_t pktcnt;
+        compat_ulong_t bytecnt;
+        compat_ulong_t wrong_if;
+};
+struct compat_sioc_vif_req {
+        vifi_t  vifi;           /* Which iface */
+        compat_ulong_t icount;
+        compat_ulong_t ocount;
+        compat_ulong_t ibytes;
+        compat_ulong_t obytes;
+};
+int ipmr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
+{
+        struct compat_sioc_sg_req sr;
+        struct compat_sioc_vif_req vr;
+        struct vif_device *vif;
+        struct mfc_cache *c;
+        struct net *net = sock_net(sk);
+        struct mr_table *mrt;
+        mrt = ipmr_get_table(net, raw_sk(sk)->ipmr_table ? : RT_TABLE_DEFAULT);
+        if (mrt == NULL)
+                return -ENOENT;
+        switch (cmd) {
+        case SIOCGETVIFCNT:
+                if (copy_from_user(&vr, arg, sizeof(vr)))
+                        return -EFAULT;
+                if (vr.vifi >= mrt->maxvif)
+                        return -EINVAL;
+                read_lock(&mrt_lock);
+                vif = &mrt->vif_table[vr.vifi];
+                if (VIF_EXISTS(mrt, vr.vifi)) {
+                        vr.icount = vif->pkt_in;
+                        vr.ocount = vif->pkt_out;
+                        vr.ibytes = vif->bytes_in;
+                        vr.obytes = vif->bytes_out;
+                        read_unlock(&mrt_lock);
+                        if (copy_to_user(arg, &vr, sizeof(vr)))
+                                return -EFAULT;
+                        return 0;
+                }
+                read_unlock(&mrt_lock);
+                return -EADDRNOTAVAIL;
+        case SIOCGETSGCNT:
+                if (copy_from_user(&sr, arg, sizeof(sr)))
+                        return -EFAULT;
+                rcu_read_lock();
+                c = ipmr_cache_find(mrt, sr.src.s_addr, sr.grp.s_addr);
+                if (c) {
+                        sr.pktcnt = c->mfc_un.res.pkt;
+                        sr.bytecnt = c->mfc_un.res.bytes;
+                        sr.wrong_if = c->mfc_un.res.wrong_if;
+                        rcu_read_unlock();
+                        if (copy_to_user(arg, &sr, sizeof(sr)))
+                                return -EFAULT;
+                        return 0;
+                }
+                rcu_read_unlock();
+                return -EADDRNOTAVAIL;
+        default:
+                return -ENOIOCTLCMD;
+        }
+}
+#endif
 static int ipmr_device_event(struct notifier_block *this, unsigned long event, void *ptr)
 {
diff --git a/net/ipv4/netfilter/arpt_mangle.c b/net/ipv4/netfilter/arpt_mangle.c
index b8ddcc480ed9..a5e52a9f0a12 100644
--- a/net/ipv4/netfilter/arpt_mangle.c
+++ b/net/ipv4/netfilter/arpt_mangle.c
@@ -60,12 +60,12 @@ static int checkentry(const struct xt_tgchk_param *par)
        if (mangle->flags & ~ARPT_MANGLE_MASK ||
            !(mangle->flags & ARPT_MANGLE_MASK))
-                return false;
+                return -EINVAL;
        if (mangle->target != NF_DROP && mangle->target != NF_ACCEPT &&
           mangle->target != XT_CONTINUE)
-                return false;
+                return -EINVAL;
-        return true;
+        return 0;
 }
 static struct xt_target arpt_mangle_reg __read_mostly = {
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index a3d5ab786e81..6390ba299b3d 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -76,6 +76,7 @@
 #include <linux/seq_file.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/compat.h>
 static struct raw_hashinfo raw_v4_hashinfo = {
        .lock = __RW_LOCK_UNLOCKED(raw_v4_hashinfo.lock),
@@ -838,6 +839,23 @@ static int raw_ioctl(struct sock *sk, int cmd, unsigned long arg)
        }
 }
+#ifdef CONFIG_COMPAT
+static int compat_raw_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg)
+{
+        switch (cmd) {
+        case SIOCOUTQ:
+        case SIOCINQ:
+                return -ENOIOCTLCMD;
+        default:
+#ifdef CONFIG_IP_MROUTE
+                return ipmr_compat_ioctl(sk, cmd, compat_ptr(arg));
+#else
+                return -ENOIOCTLCMD;
+#endif
+        }
+}
+#endif
 struct proto raw_prot = {
        .name              = "RAW",
        .owner             = THIS_MODULE,
@@ -860,6 +878,7 @@ struct proto raw_prot = {
 #ifdef CONFIG_COMPAT
        .compat_setsockopt = compat_raw_setsockopt,
        .compat_getsockopt = compat_raw_getsockopt,
+        .compat_ioctl      = compat_raw_ioctl,
 #endif
 };
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 351dc4e85242..6ed6603c2f6d 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2707,6 +2707,11 @@ static struct dst_entry *ipv4_blackhole_dst_check(struct dst_entry *dst, u32 coo
        return NULL;
 }
+static unsigned int ipv4_blackhole_default_mtu(const struct dst_entry *dst)
+{
+        return 0;
+}
 static void ipv4_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
 {
 }
@@ -2716,6 +2721,8 @@ static struct dst_ops ipv4_dst_blackhole_ops = {
        .protocol               =       cpu_to_be16(ETH_P_IP),
        .destroy                =       ipv4_dst_destroy,
        .check                  =       ipv4_blackhole_dst_check,
+        .default_mtu            =       ipv4_blackhole_default_mtu,
+        .default_advmss         =       ipv4_default_advmss,
        .update_pmtu            =       ipv4_rt_blackhole_update_pmtu,
 };
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 2549b29b062d..65f6c0406245 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1222,7 +1222,7 @@ static int tcp_check_dsack(struct sock *sk, struct sk_buff *ack_skb,
        }
        /* D-SACK for already forgotten data... Do dumb counting. */
-        if (dup_sack &&
+        if (dup_sack && tp->undo_marker && tp->undo_retrans &&
            !after(end_seq_0, prior_snd_una) &&
            after(end_seq_0, tp->undo_marker))
                tp->undo_retrans--;
@@ -1299,7 +1299,8 @@ static u8 tcp_sacktag_one(struct sk_buff *skb, struct sock *sk,
        /* Account D-SACK for retransmitted packet. */
        if (dup_sack && (sacked & TCPCB_RETRANS)) {
-                if (after(TCP_SKB_CB(skb)->end_seq, tp->undo_marker))
+                if (tp->undo_marker && tp->undo_retrans &&
+                    after(TCP_SKB_CB(skb)->end_seq, tp->undo_marker))
                        tp->undo_retrans--;
                if (sacked & TCPCB_SACKED_ACKED)
                        state->reord = min(fack_count, state->reord);
@@ -4399,7 +4400,7 @@ static void tcp_data_queue(struct sock *sk, struct sk_buff *skb)
                        if (!skb_copy_datagram_iovec(skb, 0, tp->ucopy.iov, chunk)) {
                                tp->ucopy.len -= chunk;
                                tp->copied_seq += chunk;
-                                eaten = (chunk == skb->len && !th->fin);
+                                eaten = (chunk == skb->len);
                                tcp_rcv_space_adjust(sk);
                        }
                        local_bh_disable();
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 856f68466d49..02f583b3744a 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1994,7 +1994,6 @@ static void *listening_get_next(struct seq_file *seq, void *cur)
                                }
                                req = req->dl_next;
                        }
-                        st->offset = 0;
                        if (++st->sbucket >= icsk->icsk_accept_queue.listen_opt->nr_table_entries)
                                break;
 get_req:
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 406f320336e6..dfa5beb0c1c8 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2162,7 +2162,7 @@ int tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb)
                if (!tp->retrans_stamp)
                        tp->retrans_stamp = TCP_SKB_CB(skb)->when;
-                tp->undo_retrans++;
+                tp->undo_retrans += tcp_skb_pcount(skb);
                /* snd_nxt is stored to detect loss of retransmitted segment,
                 * see tcp_input.c tcp_sacktag_write_queue().
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 24a1cf110d80..fd6782e3a038 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -2661,14 +2661,12 @@ static int addrconf_ifdown(struct net_device *dev, int how)
        struct net *net = dev_net(dev);
        struct inet6_dev *idev;
        struct inet6_ifaddr *ifa;
-        LIST_HEAD(keep_list);
+        int state, i;
-        int state;
        ASSERT_RTNL();
-        /* Flush routes if device is being removed or it is not loopback */
+        rt6_ifdown(net, dev);
-        if (how || !(dev->flags & IFF_LOOPBACK))
+        neigh_ifdown(&nd_tbl, dev);
-                rt6_ifdown(net, dev);
        idev = __in6_dev_get(dev);
        if (idev == NULL)
@@ -2689,6 +2687,23 @@ static int addrconf_ifdown(struct net_device *dev, int how)
        }
+        /* Step 2: clear hash table */
+        for (i = 0; i < IN6_ADDR_HSIZE; i++) {
+                struct hlist_head *h = &inet6_addr_lst[i];
+                struct hlist_node *n;
+                spin_lock_bh(&addrconf_hash_lock);
+        restart:
+                hlist_for_each_entry_rcu(ifa, n, h, addr_lst) {
+                        if (ifa->idev == idev) {
+                                hlist_del_init_rcu(&ifa->addr_lst);
+                                addrconf_del_timer(ifa);
+                                goto restart;
+                        }
+                }
+                spin_unlock_bh(&addrconf_hash_lock);
+        }
        write_lock_bh(&idev->lock);
        /* Step 2: clear flags for stateless addrconf */
@@ -2722,52 +2737,23 @@ static int addrconf_ifdown(struct net_device *dev, int how)
                                       struct inet6_ifaddr, if_list);
                addrconf_del_timer(ifa);
-                /* If just doing link down, and address is permanent
+                list_del(&ifa->if_list);
-                   and not link-local, then retain it. */
-                if (!how &&
-                    (ifa->flags&IFA_F_PERMANENT) &&
-                    !(ipv6_addr_type(&ifa->addr) & IPV6_ADDR_LINKLOCAL)) {
-                        list_move_tail(&ifa->if_list, &keep_list);
-                        /* If not doing DAD on this address, just keep it. */
-                        if ((dev->flags&(IFF_NOARP|IFF_LOOPBACK)) ||
-                            idev->cnf.accept_dad <= 0 ||
-                            (ifa->flags & IFA_F_NODAD))
-                                continue;
-                        /* If it was tentative already, no need to notify */
+                write_unlock_bh(&idev->lock);
-                        if (ifa->flags & IFA_F_TENTATIVE)
-                                continue;
-                        /* Flag it for later restoration when link comes up */
+                spin_lock_bh(&ifa->state_lock);
-                        ifa->flags |= IFA_F_TENTATIVE;
+                state = ifa->state;
-                        ifa->state = INET6_IFADDR_STATE_DAD;
+                ifa->state = INET6_IFADDR_STATE_DEAD;
-                } else {
+                spin_unlock_bh(&ifa->state_lock);
-                        list_del(&ifa->if_list);
-                        /* clear hash table */
-                        spin_lock_bh(&addrconf_hash_lock);
-                        hlist_del_init_rcu(&ifa->addr_lst);
-                        spin_unlock_bh(&addrconf_hash_lock);
-                        write_unlock_bh(&idev->lock);
-                        spin_lock_bh(&ifa->state_lock);
-                        state = ifa->state;
-                        ifa->state = INET6_IFADDR_STATE_DEAD;
-                        spin_unlock_bh(&ifa->state_lock);
-                        if (state != INET6_IFADDR_STATE_DEAD) {
-                                __ipv6_ifa_notify(RTM_DELADDR, ifa);
-                                atomic_notifier_call_chain(&inet6addr_chain,
-                                                           NETDEV_DOWN, ifa);
-                        }
-                        in6_ifa_put(ifa);
+                if (state != INET6_IFADDR_STATE_DEAD) {
-                        write_lock_bh(&idev->lock);
+                        __ipv6_ifa_notify(RTM_DELADDR, ifa);
+                        atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifa);
                }
-        }
+                in6_ifa_put(ifa);
-        list_splice(&keep_list, &idev->addr_list);
+                write_lock_bh(&idev->lock);
+        }
        write_unlock_bh(&idev->lock);
@@ -4156,8 +4142,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
                addrconf_leave_solict(ifp->idev, &ifp->addr);
                dst_hold(&ifp->rt->dst);
-                if (ifp->state == INET6_IFADDR_STATE_DEAD &&
+                if (ip6_del_rt(ifp->rt))
-                    ip6_del_rt(ifp->rt))
                        dst_free(&ifp->rt->dst);
                break;
        }
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 4f4483e697bd..e528a42a52be 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -57,6 +57,7 @@
 MODULE_AUTHOR("Ville Nuorvala");
 MODULE_DESCRIPTION("IPv6 tunneling device");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS_NETDEV("ip6tnl0");
 #ifdef IP6_TNL_DEBUG
 #define IP6_TNL_TRACE(x...) printk(KERN_DEBUG "%s:" x "\n", __func__)
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 9fab274019c0..0e1d53bcf1e0 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -34,6 +34,7 @@
 #include <linux/seq_file.h>
 #include <linux/init.h>
 #include <linux/slab.h>
+#include <linux/compat.h>
 #include <net/protocol.h>
 #include <linux/skbuff.h>
 #include <net/sock.h>
@@ -1804,6 +1805,80 @@ int ip6mr_ioctl(struct sock *sk, int cmd, void __user *arg)
        }
 }
+#ifdef CONFIG_COMPAT
+struct compat_sioc_sg_req6 {
+        struct sockaddr_in6 src;
+        struct sockaddr_in6 grp;
+        compat_ulong_t pktcnt;
+        compat_ulong_t bytecnt;
+        compat_ulong_t wrong_if;
+};
+struct compat_sioc_mif_req6 {
+        mifi_t  mifi;
+        compat_ulong_t icount;
+        compat_ulong_t ocount;
+        compat_ulong_t ibytes;
+        compat_ulong_t obytes;
+};
+int ip6mr_compat_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
+{
+        struct compat_sioc_sg_req6 sr;
+        struct compat_sioc_mif_req6 vr;
+        struct mif_device *vif;
+        struct mfc6_cache *c;
+        struct net *net = sock_net(sk);
+        struct mr6_table *mrt;
+        mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT);
+        if (mrt == NULL)
+                return -ENOENT;
+        switch (cmd) {
+        case SIOCGETMIFCNT_IN6:
+                if (copy_from_user(&vr, arg, sizeof(vr)))
+                        return -EFAULT;
+                if (vr.mifi >= mrt->maxvif)
+                        return -EINVAL;
+                read_lock(&mrt_lock);
+                vif = &mrt->vif6_table[vr.mifi];
+                if (MIF_EXISTS(mrt, vr.mifi)) {
+                        vr.icount = vif->pkt_in;
+                        vr.ocount = vif->pkt_out;
+                        vr.ibytes = vif->bytes_in;
+                        vr.obytes = vif->bytes_out;
+                        read_unlock(&mrt_lock);
+                        if (copy_to_user(arg, &vr, sizeof(vr)))
+                                return -EFAULT;
+                        return 0;
+                }
+                read_unlock(&mrt_lock);
+                return -EADDRNOTAVAIL;
+        case SIOCGETSGCNT_IN6:
+                if (copy_from_user(&sr, arg, sizeof(sr)))
+                        return -EFAULT;
+                read_lock(&mrt_lock);
+                c = ip6mr_cache_find(mrt, &sr.src.sin6_addr, &sr.grp.sin6_addr);
+                if (c) {
+                        sr.pktcnt = c->mfc_un.res.pkt;
+                        sr.bytecnt = c->mfc_un.res.bytes;
+                        sr.wrong_if = c->mfc_un.res.wrong_if;
+                        read_unlock(&mrt_lock);
+                        if (copy_to_user(arg, &sr, sizeof(sr)))
+                                return -EFAULT;
+                        return 0;
+                }
+                read_unlock(&mrt_lock);
+                return -EADDRNOTAVAIL;
+        default:
+                return -ENOIOCTLCMD;
+        }
+}
+#endif
 static inline int ip6mr_forward2_finish(struct sk_buff *skb)
 {
diff --git a/net/ipv6/netfilter/ip6t_LOG.c b/net/ipv6/netfilter/ip6t_LOG.c
index 09c88891a753..de338037a736 100644
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -410,7 +410,7 @@ fallback:
                if (p != NULL) {
                        sb_add(m, "%02x", *p++);
                        for (i = 1; i < len; i++)
-                                sb_add(m, ":%02x", p[i]);
+                                sb_add(m, ":%02x", *p++);
                }
                sb_add(m, " ");
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 86c39526ba5e..c5b0915d106b 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -31,6 +31,7 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter_ipv6.h>
 #include <linux/skbuff.h>
+#include <linux/compat.h>
 #include <asm/uaccess.h>
 #include <asm/ioctls.h>
@@ -1157,6 +1158,23 @@ static int rawv6_ioctl(struct sock *sk, int cmd, unsigned long arg)
        }
 }
+#ifdef CONFIG_COMPAT
+static int compat_rawv6_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg)
+{
+        switch (cmd) {
+        case SIOCOUTQ:
+        case SIOCINQ:
+                return -ENOIOCTLCMD;
+        default:
+#ifdef CONFIG_IPV6_MROUTE
+                return ip6mr_compat_ioctl(sk, cmd, compat_ptr(arg));
+#else
+                return -ENOIOCTLCMD;
+#endif
+        }
+}
+#endif
 static void rawv6_close(struct sock *sk, long timeout)
 {
        if (inet_sk(sk)->inet_num == IPPROTO_RAW)
@@ -1215,6 +1233,7 @@ struct proto rawv6_prot = {
 #ifdef CONFIG_COMPAT
        .compat_setsockopt = compat_rawv6_setsockopt,
        .compat_getsockopt = compat_rawv6_getsockopt,
+        .compat_ioctl      = compat_rawv6_ioctl,
 #endif
 };
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 373bd0416f69..e7db7014e89f 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -72,8 +72,6 @@
 #define RT6_TRACE(x...) do { ; } while (0)
 #endif
-#define CLONE_OFFLINK_ROUTE 0
 static struct rt6_info * ip6_rt_copy(struct rt6_info *ort);
 static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie);
 static unsigned int      ip6_default_advmss(const struct dst_entry *dst);
@@ -115,6 +113,11 @@ static struct dst_ops ip6_dst_ops_template = {
        .local_out              =       __ip6_local_out,
 };
+static unsigned int ip6_blackhole_default_mtu(const struct dst_entry *dst)
+{
+        return 0;
+}
 static void ip6_rt_blackhole_update_pmtu(struct dst_entry *dst, u32 mtu)
 {
 }
@@ -124,6 +127,8 @@ static struct dst_ops ip6_dst_blackhole_ops = {
        .protocol               =       cpu_to_be16(ETH_P_IPV6),
        .destroy                =       ip6_dst_destroy,
        .check                  =       ip6_dst_check,
+        .default_mtu            =       ip6_blackhole_default_mtu,
+        .default_advmss         =       ip6_default_advmss,
        .update_pmtu            =       ip6_rt_blackhole_update_pmtu,
 };
@@ -196,7 +201,6 @@ static void ip6_dst_destroy(struct dst_entry *dst)
                in6_dev_put(idev);
        }
        if (peer) {
-                BUG_ON(!(rt->rt6i_flags & RTF_CACHE));
                rt->rt6i_peer = NULL;
                inet_putpeer(peer);
        }
@@ -206,9 +210,6 @@ void rt6_bind_peer(struct rt6_info *rt, int create)
 {
        struct inet_peer *peer;
-        if (WARN_ON(!(rt->rt6i_flags & RTF_CACHE)))
-                return;
        peer = inet_getpeer_v6(&rt->rt6i_dst.addr, create);
        if (peer && cmpxchg(&rt->rt6i_peer, NULL, peer) != NULL)
                inet_putpeer(peer);
@@ -738,13 +739,10 @@ restart:
        if (!rt->rt6i_nexthop && !(rt->rt6i_flags & RTF_NONEXTHOP))
                nrt = rt6_alloc_cow(rt, &fl->fl6_dst, &fl->fl6_src);
-        else {
+        else if (!(rt->dst.flags & DST_HOST))
-#if CLONE_OFFLINK_ROUTE
                nrt = rt6_alloc_clone(rt, &fl->fl6_dst);
-#else
+        else
                goto out2;
-#endif
-        }
        dst_release(&rt->dst);
        rt = nrt ? : net->ipv6.ip6_null_entry;
@@ -2561,14 +2559,16 @@ static
 int ipv6_sysctl_rtcache_flush(ctl_table *ctl, int write,
                              void __user *buffer, size_t *lenp, loff_t *ppos)
 {
-        struct net *net = current->nsproxy->net_ns;
+        struct net *net;
-        int delay = net->ipv6.sysctl.flush_delay;
+        int delay;
-        if (write) {
+        if (!write)
-                proc_dointvec(ctl, write, buffer, lenp, ppos);
-                fib6_run_gc(delay <= 0 ? ~0UL : (unsigned long)delay, net);
-                return 0;
-        } else
                return -EINVAL;
+        net = (struct net *)ctl->extra1;
+        delay = net->ipv6.sysctl.flush_delay;
+        proc_dointvec(ctl, write, buffer, lenp, ppos);
+        fib6_run_gc(delay <= 0 ? ~0UL : (unsigned long)delay, net);
+        return 0;
 }
 ctl_table ipv6_route_table_template[] = {
@@ -2655,6 +2655,7 @@ struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
        if (table) {
                table[0].data = &net->ipv6.sysctl.flush_delay;
+                table[0].extra1 = net;
                table[1].data = &net->ipv6.ip6_dst_ops.gc_thresh;
                table[2].data = &net->ipv6.sysctl.ip6_rt_max_size;
                table[3].data = &net->ipv6.sysctl.ip6_rt_gc_min_interval;
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 8ce38f10a547..d2c16e10f650 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1290,4 +1290,4 @@ static int __init sit_init(void)
 module_init(sit_init);
 module_exit(sit_cleanup);
 MODULE_LICENSE("GPL");
-MODULE_ALIAS("sit0");
+MODULE_ALIAS_NETDEV("sit0");
diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
index fa1d8f4e0051..7cb65ef79f9c 100644
--- a/net/ipv6/sysctl_net_ipv6.c
+++ b/net/ipv6/sysctl_net_ipv6.c
@@ -15,6 +15,8 @@
 #include <net/addrconf.h>
 #include <net/inet_frag.h>
+static struct ctl_table empty[1];
 static ctl_table ipv6_table_template[] = {
        {
                .procname       = "route",
@@ -35,6 +37,12 @@ static ctl_table ipv6_table_template[] = {
                .mode           = 0644,
                .proc_handler   = proc_dointvec
        },
+        {
+                .procname       = "neigh",
+                .maxlen         = 0,
+                .mode           = 0555,
+                .child          = empty,
+        },
        { }
 };
@@ -152,7 +160,6 @@ static struct ctl_table_header *ip6_base;
 int ipv6_static_sysctl_register(void)
 {
-        static struct ctl_table empty[1];
        ip6_base = register_sysctl_paths(net_ipv6_ctl_path, empty);
        if (ip6_base == NULL)
                return -ENOMEM;
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 7e74023ea6e4..da87428681cc 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -98,6 +98,10 @@ static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
        if (!xdst->u.rt6.rt6i_idev)
                return -ENODEV;
+        xdst->u.rt6.rt6i_peer = rt->rt6i_peer;
+        if (rt->rt6i_peer)
+                atomic_inc(&rt->rt6i_peer->refcnt);
        /* Sheit... I remember I did this right. Apparently,
         * it was magically lost, so this code needs audit */
        xdst->u.rt6.rt6i_flags = rt->rt6i_flags & (RTF_ANYCAST |
@@ -216,6 +220,8 @@ static void xfrm6_dst_destroy(struct dst_entry *dst)
        if (likely(xdst->u.rt6.rt6i_idev))
                in6_dev_put(xdst->u.rt6.rt6i_idev);
+        if (likely(xdst->u.rt6.rt6i_peer))
+                inet_putpeer(xdst->u.rt6.rt6i_peer);
        xfrm_dst_destroy(xdst);
 }
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 4bc8a9250cfd..9cd73b11506e 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1822,6 +1822,7 @@ static int ieee80211_mgmt_tx(struct wiphy *wiphy, struct net_device *dev,
                *cookie ^= 2;
                IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_TX_OFFCHAN;
                local->hw_roc_skb = skb;
+                local->hw_roc_skb_for_status = skb;
                mutex_unlock(&local->mtx);
                return 0;
@@ -1875,6 +1876,7 @@ static int ieee80211_mgmt_tx_cancel_wait(struct wiphy *wiphy,
                if (ret == 0) {
                        kfree_skb(local->hw_roc_skb);
                        local->hw_roc_skb = NULL;
+                        local->hw_roc_skb_for_status = NULL;
                }
                mutex_unlock(&local->mtx);
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index c47d7c0e48a4..533fd32f49ff 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -953,7 +953,7 @@ struct ieee80211_local {
        struct ieee80211_channel *hw_roc_channel;
        struct net_device *hw_roc_dev;
-        struct sk_buff *hw_roc_skb;
+        struct sk_buff *hw_roc_skb, *hw_roc_skb_for_status;
        struct work_struct hw_roc_start, hw_roc_done;
        enum nl80211_channel_type hw_roc_channel_type;
        unsigned int hw_roc_duration;
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 8acba456744e..7a10a8d1b2d0 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -1229,6 +1229,7 @@ void ieee80211_remove_interfaces(struct ieee80211_local *local)
        }
        mutex_unlock(&local->iflist_mtx);
        unregister_netdevice_many(&unreg_list);
+        list_del(&unreg_list);
 }
 static u32 ieee80211_idle_off(struct ieee80211_local *local,
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 45fbb9e33746..c9ceb4d57ab0 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1033,6 +1033,12 @@ void ieee80211_sta_rx_notify(struct ieee80211_sub_if_data *sdata,
        if (is_multicast_ether_addr(hdr->addr1))
                return;
+        /*
+         * In case we receive frames after disassociation.
+         */
+        if (!sdata->u.mgd.associated)
+                return;
        ieee80211_sta_reset_conn_monitor(sdata);
 }
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 38a797217a91..071ac95c4aa0 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -323,6 +323,7 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
        if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) {
                struct ieee80211_work *wk;
+                u64 cookie = (unsigned long)skb;
                rcu_read_lock();
                list_for_each_entry_rcu(wk, &local->work_list, list) {
@@ -334,8 +335,12 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
                        break;
                }
                rcu_read_unlock();
+                if (local->hw_roc_skb_for_status == skb) {
+                        cookie = local->hw_roc_cookie ^ 2;
+                        local->hw_roc_skb_for_status = NULL;
+                }
                cfg80211_mgmt_tx_status(
-                        skb->dev, (unsigned long) skb, skb->data, skb->len,
+                        skb->dev, cookie, skb->data, skb->len,
                        !!(info->flags & IEEE80211_TX_STAT_ACK), GFP_ATOMIC);
        }
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 5950e3abead9..b0beaa58246b 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1547,7 +1547,7 @@ static int ieee80211_skb_resize(struct ieee80211_local *local,
                skb_orphan(skb);
        }
-        if (skb_header_cloned(skb))
+        if (skb_cloned(skb))
                I802_DEBUG_INC(local->tx_expand_skb_head_cloned);
        else if (head_need || tail_need)
                I802_DEBUG_INC(local->tx_expand_skb_head);
@@ -2230,6 +2230,9 @@ struct sk_buff *ieee80211_beacon_get_tim(struct ieee80211_hw *hw,
        sdata = vif_to_sdata(vif);
+        if (!ieee80211_sdata_running(sdata))
+                goto out;
        if (tim_offset)
                *tim_offset = 0;
        if (tim_length)
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index cf68700abffa..d036597aabbe 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1210,7 +1210,9 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                switch (sdata->vif.type) {
                case NL80211_IFTYPE_STATION:
                        changed |= BSS_CHANGED_ASSOC;
+                        mutex_lock(&sdata->u.mgd.mtx);
                        ieee80211_bss_info_change_notify(sdata, changed);
+                        mutex_unlock(&sdata->u.mgd.mtx);
                        break;
                case NL80211_IFTYPE_ADHOC:
                        changed |= BSS_CHANGED_IBSS;
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 32fcbe290c04..4aa614b8a96a 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -133,6 +133,7 @@ unsigned int nf_iterate(struct list_head *head,
                /* Optimization: we don't need to hold module
                   reference here, since function can't sleep. --RR */
+repeat:
                verdict = elem->hook(hook, skb, indev, outdev, okfn);
                if (verdict != NF_ACCEPT) {
 #ifdef CONFIG_NETFILTER_DEBUG
@@ -145,7 +146,7 @@ unsigned int nf_iterate(struct list_head *head,
 #endif
                        if (verdict != NF_REPEAT)
                                return verdict;
-                        *i = (*i)->prev;
+                        goto repeat;
                }
        }
        return NF_ACCEPT;
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 22f7ad5101ab..ba98e1308f3c 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -808,9 +808,9 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
        dest->u_threshold = udest->u_threshold;
        dest->l_threshold = udest->l_threshold;
-        spin_lock(&dest->dst_lock);
+        spin_lock_bh(&dest->dst_lock);
        ip_vs_dst_reset(dest);
-        spin_unlock(&dest->dst_lock);
+        spin_unlock_bh(&dest->dst_lock);
        if (add)
                ip_vs_new_estimator(&dest->stats);
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index e61511929c66..84f4fcc5884b 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -942,8 +942,15 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
        if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
                nf_conntrack_event_cache(IPCT_REPLY, ct);
 out:
-        if (tmpl)
+        if (tmpl) {
-                nf_ct_put(tmpl);
+                /* Special case: we have to repeat this hook, assign the
+                 * template again to this packet. We assume that this packet
+                 * has no conntrack assigned. This is used by nf_ct_tcp. */
+                if (ret == NF_REPEAT)
+                        skb->nfct = (struct nf_conntrack *)tmpl;
+                else
+                        nf_ct_put(tmpl);
+        }
        return ret;
 }
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
index 5702de35e2bb..63a1b915a7e4 100644
--- a/net/netfilter/nf_conntrack_ecache.c
+++ b/net/netfilter/nf_conntrack_ecache.c
@@ -63,6 +63,9 @@ void nf_ct_deliver_cached_events(struct nf_conn *ct)
                 * this does not harm and it happens very rarely. */
                unsigned long missed = e->missed;
+                if (!((events | missed) & e->ctmask))
+                        goto out_unlock;
                ret = notify->fcn(events | missed, &item);
                if (unlikely(ret < 0 || missed)) {
                        spin_lock_bh(&ct->lock);
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 93297aaceb2b..eead9db6f899 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -667,6 +667,7 @@ restart:
                        if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
                                                cb->nlh->nlmsg_seq,
                                                IPCTNL_MSG_CT_NEW, ct) < 0) {
+                                nf_conntrack_get(&ct->ct_general);
                                cb->args[1] = (unsigned long)ct;
                                goto out;
                        }
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index b07393eab88e..91816998ed86 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -85,6 +85,8 @@ EXPORT_SYMBOL(nf_log_unregister);
 int nf_log_bind_pf(u_int8_t pf, const struct nf_logger *logger)
 {
+        if (pf >= ARRAY_SIZE(nf_loggers))
+                return -EINVAL;
        mutex_lock(&nf_log_mutex);
        if (__find_logger(pf, logger->name) == NULL) {
                mutex_unlock(&nf_log_mutex);
@@ -98,6 +100,8 @@ EXPORT_SYMBOL(nf_log_bind_pf);
 void nf_log_unbind_pf(u_int8_t pf)
 {
+        if (pf >= ARRAY_SIZE(nf_loggers))
+                return;
        mutex_lock(&nf_log_mutex);
        rcu_assign_pointer(nf_loggers[pf], NULL);
        mutex_unlock(&nf_log_mutex);
diff --git a/net/netfilter/nf_tproxy_core.c b/net/netfilter/nf_tproxy_core.c
index 4d87befb04c0..474d621cbc2e 100644
--- a/net/netfilter/nf_tproxy_core.c
+++ b/net/netfilter/nf_tproxy_core.c
@@ -28,26 +28,23 @@ nf_tproxy_destructor(struct sk_buff *skb)
        skb->destructor = NULL;
        if (sk)
-                nf_tproxy_put_sock(sk);
+                sock_put(sk);
 }
 /* consumes sk */
-int
+void
 nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
 {
-        bool transparent = (sk->sk_state == TCP_TIME_WAIT) ?
+        /* assigning tw sockets complicates things; most
-                                inet_twsk(sk)->tw_transparent :
+         * skb->sk->X checks would have to test sk->sk_state first */
-                                inet_sk(sk)->transparent;
+        if (sk->sk_state == TCP_TIME_WAIT) {
+                inet_twsk_put(inet_twsk(sk));
-        if (transparent) {
+                return;
-                skb_orphan(skb);
+        }
-                skb->sk = sk;
-                skb->destructor = nf_tproxy_destructor;
+        skb_orphan(skb);
-                return 1;
+        skb->sk = sk;
-        } else
+        skb->destructor = nf_tproxy_destructor;
-                nf_tproxy_put_sock(sk);
-        return 0;
 }
 EXPORT_SYMBOL_GPL(nf_tproxy_assign_sock);
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 640678f47a2a..dcfd57eb9d02 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -33,6 +33,20 @@
 #include <net/netfilter/nf_tproxy_core.h>
 #include <linux/netfilter/xt_TPROXY.h>
+static bool tproxy_sk_is_transparent(struct sock *sk)
+{
+        if (sk->sk_state != TCP_TIME_WAIT) {
+                if (inet_sk(sk)->transparent)
+                        return true;
+                sock_put(sk);
+        } else {
+                if (inet_twsk(sk)->tw_transparent)
+                        return true;
+                inet_twsk_put(inet_twsk(sk));
+        }
+        return false;
+}
 static inline __be32
 tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr)
 {
@@ -141,7 +155,7 @@ tproxy_tg4(struct sk_buff *skb, __be32 laddr, __be16 lport,
                                           skb->dev, NFT_LOOKUP_LISTENER);
        /* NOTE: assign_sock consumes our sk reference */
-        if (sk && nf_tproxy_assign_sock(skb, sk)) {
+        if (sk && tproxy_sk_is_transparent(sk)) {
                /* This should be in a separate target, but we don't do multiple
                   targets on the same rule yet */
                skb->mark = (skb->mark & ~mark_mask) ^ mark_value;
@@ -149,6 +163,8 @@ tproxy_tg4(struct sk_buff *skb, __be32 laddr, __be16 lport,
                pr_debug("redirecting: proto %hhu %pI4:%hu -> %pI4:%hu, mark: %x\n",
                         iph->protocol, &iph->daddr, ntohs(hp->dest),
                         &laddr, ntohs(lport), skb->mark);
+                nf_tproxy_assign_sock(skb, sk);
                return NF_ACCEPT;
        }
@@ -306,7 +322,7 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)
                                           par->in, NFT_LOOKUP_LISTENER);
        /* NOTE: assign_sock consumes our sk reference */
-        if (sk && nf_tproxy_assign_sock(skb, sk)) {
+        if (sk && tproxy_sk_is_transparent(sk)) {
                /* This should be in a separate target, but we don't do multiple
                   targets on the same rule yet */
                skb->mark = (skb->mark & ~tgi->mark_mask) ^ tgi->mark_value;
@@ -314,6 +330,8 @@ tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)
                pr_debug("redirecting: proto %hhu %pI6:%hu -> %pI6:%hu, mark: %x\n",
                         tproto, &iph->saddr, ntohs(hp->source),
                         laddr, ntohs(lport), skb->mark);
+                nf_tproxy_assign_sock(skb, sk);
                return NF_ACCEPT;
        }
diff --git a/net/netfilter/xt_iprange.c b/net/netfilter/xt_iprange.c
index 88f7c3511c72..73c33a42f87f 100644
--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -53,15 +53,13 @@ iprange_mt4(const struct sk_buff *skb, struct xt_action_param *par)
 }
 static inline int
-iprange_ipv6_sub(const struct in6_addr *a, const struct in6_addr *b)
+iprange_ipv6_lt(const struct in6_addr *a, const struct in6_addr *b)
 {
        unsigned int i;
-        int r;
        for (i = 0; i < 4; ++i) {
-                r = ntohl(a->s6_addr32[i]) - ntohl(b->s6_addr32[i]);
+                if (a->s6_addr32[i] != b->s6_addr32[i])
-                if (r != 0)
+                        return ntohl(a->s6_addr32[i]) < ntohl(b->s6_addr32[i]);
-                        return r;
        }
        return 0;
@@ -75,15 +73,15 @@ iprange_mt6(const struct sk_buff *skb, struct xt_action_param *par)
        bool m;
        if (info->flags & IPRANGE_SRC) {
-                m  = iprange_ipv6_sub(&iph->saddr, &info->src_min.in6) < 0;
+                m  = iprange_ipv6_lt(&iph->saddr, &info->src_min.in6);
-                m |= iprange_ipv6_sub(&iph->saddr, &info->src_max.in6) > 0;
+                m |= iprange_ipv6_lt(&info->src_max.in6, &iph->saddr);
                m ^= !!(info->flags & IPRANGE_SRC_INV);
                if (m)
                        return false;
        }
        if (info->flags & IPRANGE_DST) {
-                m  = iprange_ipv6_sub(&iph->daddr, &info->dst_min.in6) < 0;
+                m  = iprange_ipv6_lt(&iph->daddr, &info->dst_min.in6);
-                m |= iprange_ipv6_sub(&iph->daddr, &info->dst_max.in6) > 0;
+                m |= iprange_ipv6_lt(&info->dst_max.in6, &iph->daddr);
                m ^= !!(info->flags & IPRANGE_DST_INV);
                if (m)
                        return false;
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 00d6ae838303..9cc46356b577 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -35,6 +35,15 @@
 #include <net/netfilter/nf_conntrack.h>
 #endif
+static void
+xt_socket_put_sk(struct sock *sk)
+{
+        if (sk->sk_state == TCP_TIME_WAIT)
+                inet_twsk_put(inet_twsk(sk));
+        else
+                sock_put(sk);
+}
 static int
 extract_icmp4_fields(const struct sk_buff *skb,
                    u8 *protocol,
@@ -164,7 +173,7 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
                                       (sk->sk_state == TCP_TIME_WAIT &&
                                        inet_twsk(sk)->tw_transparent));
-                nf_tproxy_put_sock(sk);
+                xt_socket_put_sk(sk);
                if (wildcard || !transparent)
                        sk = NULL;
@@ -298,7 +307,7 @@ socket_mt6_v1(const struct sk_buff *skb, struct xt_action_param *par)
                                       (sk->sk_state == TCP_TIME_WAIT &&
                                        inet_twsk(sk)->tw_transparent));
-                nf_tproxy_put_sock(sk);
+                xt_socket_put_sk(sk);
                if (wildcard || !transparent)
                        sk = NULL;
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 478181d53c55..1f924595bdef 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1407,7 +1407,7 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
        int noblock = flags&MSG_DONTWAIT;
        size_t copied;
        struct sk_buff *skb, *data_skb;
-        int err;
+        int err, ret;
        if (flags&MSG_OOB)
                return -EOPNOTSUPP;
@@ -1470,8 +1470,13 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock,
        skb_free_datagram(sk, skb);
-        if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2)
+        if (nlk->cb && atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) {
-                netlink_dump(sk);
+                ret = netlink_dump(sk);
+                if (ret) {
+                        sk->sk_err = ret;
+                        sk->sk_error_report(sk);
+                }
+        }
        scm_recv(sock, msg, siocb->scm, flags);
 out:
@@ -1736,6 +1741,7 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
        struct netlink_callback *cb;
        struct sock *sk;
        struct netlink_sock *nlk;
+        int ret;
        cb = kzalloc(sizeof(*cb), GFP_KERNEL);
        if (cb == NULL)
@@ -1764,9 +1770,13 @@ int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
        nlk->cb = cb;
        mutex_unlock(nlk->cb_mutex);
-        netlink_dump(sk);
+        ret = netlink_dump(sk);
        sock_put(sk);
+        if (ret)
+                return ret;
        /* We successfully started a dump, by returning -EINTR we
         * signal not to send ACK even if it was requested.
         */
diff --git a/net/rds/ib_send.c b/net/rds/ib_send.c
index 71f373c421bc..c47a511f203d 100644
--- a/net/rds/ib_send.c
+++ b/net/rds/ib_send.c
@@ -551,7 +551,10 @@ int rds_ib_xmit(struct rds_connection *conn, struct rds_message *rm,
        if (conn->c_loopback
            && rm->m_inc.i_hdr.h_flags & RDS_FLAG_CONG_BITMAP) {
                rds_cong_map_updated(conn->c_fcong, ~(u64) 0);
-                return sizeof(struct rds_header) + RDS_CONG_MAP_BYTES;
+                scat = &rm->data.op_sg[sg];
+                ret = sizeof(struct rds_header) + RDS_CONG_MAP_BYTES;
+                ret = min_t(int, ret, scat->length - conn->c_xmit_data_off);
+                return ret;
        }
        /* FIXME we may overallocate here */
diff --git a/net/rds/loop.c b/net/rds/loop.c
index aeec1d483b17..bca6761a3ca2 100644
--- a/net/rds/loop.c
+++ b/net/rds/loop.c
@@ -61,10 +61,15 @@ static int rds_loop_xmit(struct rds_connection *conn, struct rds_message *rm,
                         unsigned int hdr_off, unsigned int sg,
                         unsigned int off)
 {
+        struct scatterlist *sgp = &rm->data.op_sg[sg];
+        int ret = sizeof(struct rds_header) +
+                        be32_to_cpu(rm->m_inc.i_hdr.h_len);
        /* Do not send cong updates to loopback */
        if (rm->m_inc.i_hdr.h_flags & RDS_FLAG_CONG_BITMAP) {
                rds_cong_map_updated(conn->c_fcong, ~(u64) 0);
-                return sizeof(struct rds_header) + RDS_CONG_MAP_BYTES;
+                ret = min_t(int, ret, sgp->length - conn->c_xmit_data_off);
+                goto out;
        }
        BUG_ON(hdr_off || sg || off);
@@ -80,8 +85,8 @@ static int rds_loop_xmit(struct rds_connection *conn, struct rds_message *rm,
                            NULL);
        rds_inc_put(&rm->m_inc);
+out:
-        return sizeof(struct rds_header) + be32_to_cpu(rm->m_inc.i_hdr.h_len);
+        return ret;
 }
 /*
diff --git a/net/rxrpc/ar-input.c b/net/rxrpc/ar-input.c
index 89315009bab1..1a2b0633fece 100644
--- a/net/rxrpc/ar-input.c
+++ b/net/rxrpc/ar-input.c
@@ -423,6 +423,7 @@ void rxrpc_fast_process_packet(struct rxrpc_call *call, struct sk_buff *skb)
                        goto protocol_error;
                }
+        case RXRPC_PACKET_TYPE_ACKALL:
        case RXRPC_PACKET_TYPE_ACK:
                /* ACK processing is done in process context */
                read_lock_bh(&call->state_lock);
diff --git a/net/rxrpc/ar-key.c b/net/rxrpc/ar-key.c
index 5ee16f0353fe..d763793d39de 100644
--- a/net/rxrpc/ar-key.c
+++ b/net/rxrpc/ar-key.c
@@ -89,11 +89,11 @@ static int rxrpc_instantiate_xdr_rxkad(struct key *key, const __be32 *xdr,
                return ret;
        plen -= sizeof(*token);
-        token = kmalloc(sizeof(*token), GFP_KERNEL);
+        token = kzalloc(sizeof(*token), GFP_KERNEL);
        if (!token)
                return -ENOMEM;
-        token->kad = kmalloc(plen, GFP_KERNEL);
+        token->kad = kzalloc(plen, GFP_KERNEL);
        if (!token->kad) {
                kfree(token);
                return -ENOMEM;
@@ -731,10 +731,10 @@ static int rxrpc_instantiate(struct key *key, const void *data, size_t datalen)
                goto error;
        ret = -ENOMEM;
-        token = kmalloc(sizeof(*token), GFP_KERNEL);
+        token = kzalloc(sizeof(*token), GFP_KERNEL);
        if (!token)
                goto error;
-        token->kad = kmalloc(plen, GFP_KERNEL);
+        token->kad = kzalloc(plen, GFP_KERNEL);
        if (!token->kad)
                goto error_free;
diff --git a/net/sched/sch_cbq.c b/net/sched/sch_cbq.c
index c80d1c210c5d..5f63ec58942c 100644
--- a/net/sched/sch_cbq.c
+++ b/net/sched/sch_cbq.c
@@ -390,7 +390,6 @@ cbq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
        ret = qdisc_enqueue(skb, cl->q);
        if (ret == NET_XMIT_SUCCESS) {
                sch->q.qlen++;
-                qdisc_bstats_update(sch, skb);
                cbq_mark_toplevel(q, cl);
                if (!cl->next_alive)
                        cbq_activate_class(cl);
@@ -649,7 +648,6 @@ static int cbq_reshape_fail(struct sk_buff *skb, struct Qdisc *child)
                ret = qdisc_enqueue(skb, cl->q);
                if (ret == NET_XMIT_SUCCESS) {
                        sch->q.qlen++;
-                        qdisc_bstats_update(sch, skb);
                        if (!cl->next_alive)
                                cbq_activate_class(cl);
                        return 0;
@@ -971,6 +969,7 @@ cbq_dequeue(struct Qdisc *sch)
                skb = cbq_dequeue_1(sch);
                if (skb) {
+                        qdisc_bstats_update(sch, skb);
                        sch->q.qlen--;
                        sch->flags &= ~TCQ_F_THROTTLED;
                        return skb;
diff --git a/net/sched/sch_drr.c b/net/sched/sch_drr.c
index de55e642eafc..6b7fe4a84f13 100644
--- a/net/sched/sch_drr.c
+++ b/net/sched/sch_drr.c
@@ -376,7 +376,6 @@ static int drr_enqueue(struct sk_buff *skb, struct Qdisc *sch)
        }
        bstats_update(&cl->bstats, skb);
-        qdisc_bstats_update(sch, skb);
        sch->q.qlen++;
        return err;
@@ -403,6 +402,7 @@ static struct sk_buff *drr_dequeue(struct Qdisc *sch)
                        skb = qdisc_dequeue_peeked(cl->qdisc);
                        if (cl->qdisc->q.qlen == 0)
                                list_del(&cl->alist);
+                        qdisc_bstats_update(sch, skb);
                        sch->q.qlen--;
                        return skb;
                }
diff --git a/net/sched/sch_dsmark.c b/net/sched/sch_dsmark.c
index 60f4bdd4408e..0f7bf3fdfea5 100644
--- a/net/sched/sch_dsmark.c
+++ b/net/sched/sch_dsmark.c
@@ -260,7 +260,6 @@ static int dsmark_enqueue(struct sk_buff *skb, struct Qdisc *sch)
                return err;
        }
-        qdisc_bstats_update(sch, skb);
        sch->q.qlen++;
        return NET_XMIT_SUCCESS;
@@ -283,6 +282,7 @@ static struct sk_buff *dsmark_dequeue(struct Qdisc *sch)
        if (skb == NULL)
                return NULL;
+        qdisc_bstats_update(sch, skb);
        sch->q.qlen--;
        index = skb->tc_index & (p->indices - 1);
diff --git a/net/sched/sch_fifo.c b/net/sched/sch_fifo.c
index aa4d6337e43c..d468b479aa93 100644
--- a/net/sched/sch_fifo.c
+++ b/net/sched/sch_fifo.c
@@ -46,17 +46,14 @@ static int pfifo_enqueue(struct sk_buff *skb, struct Qdisc* sch)
 static int pfifo_tail_enqueue(struct sk_buff *skb, struct Qdisc* sch)
 {
-        struct sk_buff *skb_head;
        struct fifo_sched_data *q = qdisc_priv(sch);
        if (likely(skb_queue_len(&sch->q) < q->limit))
                return qdisc_enqueue_tail(skb, sch);
        /* queue full, remove one skb to fulfill the limit */
-        skb_head = qdisc_dequeue_head(sch);
+        __qdisc_queue_drop_head(sch, &sch->q);
        sch->qstats.drops++;
-        kfree_skb(skb_head);
        qdisc_enqueue_tail(skb, sch);
        return NET_XMIT_CN;
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 34dc598440a2..1bc698039ae2 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -839,6 +839,7 @@ void dev_deactivate(struct net_device *dev)
        list_add(&dev->unreg_list, &single);
        dev_deactivate_many(&single);
+        list_del(&single);
 }
 static void dev_init_scheduler_queue(struct net_device *dev,
diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index 2e45791d4f6c..14a799de1c35 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -1600,7 +1600,6 @@ hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch)
                set_active(cl, qdisc_pkt_len(skb));
        bstats_update(&cl->bstats, skb);
-        qdisc_bstats_update(sch, skb);
        sch->q.qlen++;
        return NET_XMIT_SUCCESS;
@@ -1666,6 +1665,7 @@ hfsc_dequeue(struct Qdisc *sch)
        }
        sch->flags &= ~TCQ_F_THROTTLED;
+        qdisc_bstats_update(sch, skb);
        sch->q.qlen--;
        return skb;
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index 984c1b0c6836..fc12fe6f5597 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -574,7 +574,6 @@ static int htb_enqueue(struct sk_buff *skb, struct Qdisc *sch)
        }
        sch->q.qlen++;
-        qdisc_bstats_update(sch, skb);
        return NET_XMIT_SUCCESS;
 }
@@ -842,7 +841,7 @@ next:
 static struct sk_buff *htb_dequeue(struct Qdisc *sch)
 {
-        struct sk_buff *skb = NULL;
+        struct sk_buff *skb;
        struct htb_sched *q = qdisc_priv(sch);
        int level;
        psched_time_t next_event;
@@ -851,6 +850,8 @@ static struct sk_buff *htb_dequeue(struct Qdisc *sch)
        /* try to dequeue direct packets as high prio (!) to minimize cpu work */
        skb = __skb_dequeue(&q->direct_queue);
        if (skb != NULL) {
+ok:
+                qdisc_bstats_update(sch, skb);
                sch->flags &= ~TCQ_F_THROTTLED;
                sch->q.qlen--;
                return skb;
@@ -884,11 +885,8 @@ static struct sk_buff *htb_dequeue(struct Qdisc *sch)
                        int prio = ffz(m);
                        m |= 1 << prio;
                        skb = htb_dequeue_tree(q, prio, level);
-                        if (likely(skb != NULL)) {
+                        if (likely(skb != NULL))
-                                sch->q.qlen--;
+                                goto ok;
-                                sch->flags &= ~TCQ_F_THROTTLED;
-                                goto fin;
-                        }
                }
        }
        sch->qstats.overlimits++;
diff --git a/net/sched/sch_multiq.c b/net/sched/sch_multiq.c
index 21f13da24763..436a2e75b322 100644
--- a/net/sched/sch_multiq.c
+++ b/net/sched/sch_multiq.c
@@ -83,7 +83,6 @@ multiq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
        ret = qdisc_enqueue(skb, qdisc);
        if (ret == NET_XMIT_SUCCESS) {
-                qdisc_bstats_update(sch, skb);
                sch->q.qlen++;
                return NET_XMIT_SUCCESS;
        }
@@ -112,6 +111,7 @@ static struct sk_buff *multiq_dequeue(struct Qdisc *sch)
                        qdisc = q->queues[q->curband];
                        skb = qdisc->dequeue(qdisc);
                        if (skb) {
+                                qdisc_bstats_update(sch, skb);
                                sch->q.qlen--;
                                return skb;
                        }
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 1c4bce863479..6a3006b38dc5 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -240,7 +240,6 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch)
        if (likely(ret == NET_XMIT_SUCCESS)) {
                sch->q.qlen++;
-                qdisc_bstats_update(sch, skb);
        } else if (net_xmit_drop_count(ret)) {
                sch->qstats.drops++;
        }
@@ -289,6 +288,7 @@ static struct sk_buff *netem_dequeue(struct Qdisc *sch)
                                skb->tstamp.tv64 = 0;
 #endif
                        pr_debug("netem_dequeue: return skb=%p\n", skb);
+                        qdisc_bstats_update(sch, skb);
                        sch->q.qlen--;
                        return skb;
                }
@@ -476,7 +476,6 @@ static int tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch)
                __skb_queue_after(list, skb, nskb);
                sch->qstats.backlog += qdisc_pkt_len(nskb);
-                qdisc_bstats_update(sch, nskb);
                return NET_XMIT_SUCCESS;
        }
diff --git a/net/sched/sch_prio.c b/net/sched/sch_prio.c
index 966158d49dd1..fbd710d619bf 100644
--- a/net/sched/sch_prio.c
+++ b/net/sched/sch_prio.c
@@ -84,7 +84,6 @@ prio_enqueue(struct sk_buff *skb, struct Qdisc *sch)
        ret = qdisc_enqueue(skb, qdisc);
        if (ret == NET_XMIT_SUCCESS) {
-                qdisc_bstats_update(sch, skb);
                sch->q.qlen++;
                return NET_XMIT_SUCCESS;
        }
@@ -116,6 +115,7 @@ static struct sk_buff *prio_dequeue(struct Qdisc* sch)
                struct Qdisc *qdisc = q->queues[prio];
                struct sk_buff *skb = qdisc->dequeue(qdisc);
                if (skb) {
+                        qdisc_bstats_update(sch, skb);
                        sch->q.qlen--;
                        return skb;
                }
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index a6009c5a2c97..9f98dbd32d4c 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -94,7 +94,6 @@ static int red_enqueue(struct sk_buff *skb, struct Qdisc* sch)
        ret = qdisc_enqueue(skb, child);
        if (likely(ret == NET_XMIT_SUCCESS)) {
-                qdisc_bstats_update(sch, skb);
                sch->q.qlen++;
        } else if (net_xmit_drop_count(ret)) {
                q->stats.pdrop++;
@@ -114,11 +113,13 @@ static struct sk_buff * red_dequeue(struct Qdisc* sch)
        struct Qdisc *child = q->qdisc;
        skb = child->dequeue(child);
-        if (skb)
+        if (skb) {
+                qdisc_bstats_update(sch, skb);
                sch->q.qlen--;
-        else if (!red_is_idling(&q->parms))
+        } else {
-                red_start_of_idle_period(&q->parms);
+                if (!red_is_idling(&q->parms))
+                        red_start_of_idle_period(&q->parms);
+        }
        return skb;
 }
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index 239ec53a634d..edea8cefec6c 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -402,10 +402,8 @@ sfq_enqueue(struct sk_buff *skb, struct Qdisc *sch)
                q->tail = slot;
                slot->allot = q->scaled_quantum;
        }
-        if (++sch->q.qlen <= q->limit) {
+        if (++sch->q.qlen <= q->limit)
-                qdisc_bstats_update(sch, skb);
                return NET_XMIT_SUCCESS;
-        }
        sfq_drop(sch);
        return NET_XMIT_CN;
@@ -445,6 +443,7 @@ next_slot:
        }
        skb = slot_dequeue_head(slot);
        sfq_dec(q, a);
+        qdisc_bstats_update(sch, skb);
        sch->q.qlen--;
        sch->qstats.backlog -= qdisc_pkt_len(skb);
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
index 77565e721811..e93165820c3f 100644
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -134,7 +134,6 @@ static int tbf_enqueue(struct sk_buff *skb, struct Qdisc* sch)
        }
        sch->q.qlen++;
-        qdisc_bstats_update(sch, skb);
        return NET_XMIT_SUCCESS;
 }
@@ -187,6 +186,7 @@ static struct sk_buff *tbf_dequeue(struct Qdisc* sch)
                        q->ptokens = ptoks;
                        sch->q.qlen--;
                        sch->flags &= ~TCQ_F_THROTTLED;
+                        qdisc_bstats_update(sch, skb);
                        return skb;
                }
diff --git a/net/sched/sch_teql.c b/net/sched/sch_teql.c
index 84ce48eadff4..d84e7329660f 100644
--- a/net/sched/sch_teql.c
+++ b/net/sched/sch_teql.c
@@ -87,7 +87,6 @@ teql_enqueue(struct sk_buff *skb, struct Qdisc* sch)
        if (q->q.qlen < dev->tx_queue_len) {
                __skb_queue_tail(&q->q, skb);
-                qdisc_bstats_update(sch, skb);
                return NET_XMIT_SUCCESS;
        }
@@ -111,6 +110,8 @@ teql_dequeue(struct Qdisc* sch)
                        dat->m->slaves = sch;
                        netif_wake_queue(m);
                }
+        } else {
+                qdisc_bstats_update(sch, skb);
        }
        sch->q.qlen = dat->q.qlen + dat_queue->qdisc->q.qlen;
        return skb;
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 2cc46f0962ca..b23428f3c0dd 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2029,11 +2029,11 @@ static sctp_ierror_t sctp_process_unk_param(const struct sctp_association *asoc,
                        *errp = sctp_make_op_error_fixed(asoc, chunk);
                if (*errp) {
-                        sctp_init_cause_fixed(*errp, SCTP_ERROR_UNKNOWN_PARAM,
+                        if (!sctp_init_cause_fixed(*errp, SCTP_ERROR_UNKNOWN_PARAM,
-                                        WORD_ROUND(ntohs(param.p->length)));
+                                        WORD_ROUND(ntohs(param.p->length))))
-                        sctp_addto_chunk_fixed(*errp,
+                                sctp_addto_chunk_fixed(*errp,
-                                        WORD_ROUND(ntohs(param.p->length)),
+                                                WORD_ROUND(ntohs(param.p->length)),
-                                        param.v);
+                                                param.v);
                } else {
                        /* If there is no memory for generating the ERROR
                         * report as specified, an ABORT will be triggered
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index 243fc09b164e..59e599498e37 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -252,23 +252,37 @@ static void rpc_set_active(struct rpc_task *task)
 /*
 * Mark an RPC call as having completed by clearing the 'active' bit
+ * and then waking up all tasks that were sleeping.
 */
-static void rpc_mark_complete_task(struct rpc_task *task)
+static int rpc_complete_task(struct rpc_task *task)
 {
-        smp_mb__before_clear_bit();
+        void *m = &task->tk_runstate;
+        wait_queue_head_t *wq = bit_waitqueue(m, RPC_TASK_ACTIVE);
+        struct wait_bit_key k = __WAIT_BIT_KEY_INITIALIZER(m, RPC_TASK_ACTIVE);
+        unsigned long flags;
+        int ret;
+        spin_lock_irqsave(&wq->lock, flags);
        clear_bit(RPC_TASK_ACTIVE, &task->tk_runstate);
-        smp_mb__after_clear_bit();
+        ret = atomic_dec_and_test(&task->tk_count);
-        wake_up_bit(&task->tk_runstate, RPC_TASK_ACTIVE);
+        if (waitqueue_active(wq))
+                __wake_up_locked_key(wq, TASK_NORMAL, &k);
+        spin_unlock_irqrestore(&wq->lock, flags);
+        return ret;
 }
 /*
 * Allow callers to wait for completion of an RPC call
+ *
+ * Note the use of out_of_line_wait_on_bit() rather than wait_on_bit()
+ * to enforce taking of the wq->lock and hence avoid races with
+ * rpc_complete_task().
 */
 int __rpc_wait_for_completion_task(struct rpc_task *task, int (*action)(void *))
 {
        if (action == NULL)
                action = rpc_wait_bit_killable;
-        return wait_on_bit(&task->tk_runstate, RPC_TASK_ACTIVE,
+        return out_of_line_wait_on_bit(&task->tk_runstate, RPC_TASK_ACTIVE,
                        action, TASK_KILLABLE);
 }
 EXPORT_SYMBOL_GPL(__rpc_wait_for_completion_task);
@@ -857,34 +871,67 @@ static void rpc_async_release(struct work_struct *work)
        rpc_free_task(container_of(work, struct rpc_task, u.tk_work));
 }
-void rpc_put_task(struct rpc_task *task)
+static void rpc_release_resources_task(struct rpc_task *task)
 {
-        if (!atomic_dec_and_test(&task->tk_count))
-                return;
-        /* Release resources */
        if (task->tk_rqstp)
                xprt_release(task);
        if (task->tk_msg.rpc_cred)
                put_rpccred(task->tk_msg.rpc_cred);
        rpc_task_release_client(task);
-        if (task->tk_workqueue != NULL) {
+}
+static void rpc_final_put_task(struct rpc_task *task,
+                struct workqueue_struct *q)
+{
+        if (q != NULL) {
                INIT_WORK(&task->u.tk_work, rpc_async_release);
-                queue_work(task->tk_workqueue, &task->u.tk_work);
+                queue_work(q, &task->u.tk_work);
        } else
                rpc_free_task(task);
 }
+static void rpc_do_put_task(struct rpc_task *task, struct workqueue_struct *q)
+{
+        if (atomic_dec_and_test(&task->tk_count)) {
+                rpc_release_resources_task(task);
+                rpc_final_put_task(task, q);
+        }
+}
+void rpc_put_task(struct rpc_task *task)
+{
+        rpc_do_put_task(task, NULL);
+}
 EXPORT_SYMBOL_GPL(rpc_put_task);
+void rpc_put_task_async(struct rpc_task *task)
+{
+        rpc_do_put_task(task, task->tk_workqueue);
+}
+EXPORT_SYMBOL_GPL(rpc_put_task_async);
 static void rpc_release_task(struct rpc_task *task)
 {
        dprintk("RPC: %5u release task\n", task->tk_pid);
        BUG_ON (RPC_IS_QUEUED(task));
-        /* Wake up anyone who is waiting for task completion */
+        rpc_release_resources_task(task);
-        rpc_mark_complete_task(task);
-        rpc_put_task(task);
+        /*
+         * Note: at this point we have been removed from rpc_clnt->cl_tasks,
+         * so it should be safe to use task->tk_count as a test for whether
+         * or not any other processes still hold references to our rpc_task.
+         */
+        if (atomic_read(&task->tk_count) != 1 + !RPC_IS_ASYNC(task)) {
+                /* Wake up anyone who may be waiting for task completion */
+                if (!rpc_complete_task(task))
+                        return;
+        } else {
+                if (!atomic_dec_and_test(&task->tk_count))
+                        return;
+        }
+        rpc_final_put_task(task, task->tk_workqueue);
 }
 int rpciod_up(void)
diff --git a/net/sunrpc/svcsock.c b/net/sunrpc/svcsock.c
index 7bd3bbba4710..d802e941d365 100644
--- a/net/sunrpc/svcsock.c
+++ b/net/sunrpc/svcsock.c
@@ -1609,9 +1609,7 @@ static struct svc_xprt *svc_bc_create_socket(struct svc_serv *serv,
 */
 static void svc_bc_sock_free(struct svc_xprt *xprt)
 {
-        if (xprt) {
+        if (xprt)
-                kfree(xprt->xpt_bc_sid);
                kfree(container_of(xprt, struct svc_sock, sk_xprt));
-        }
 }
 #endif /* CONFIG_NFS_V4_1 */
diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c
index 9df1eadc912a..1a10dcd999ea 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
@@ -1335,6 +1335,7 @@ void svc_rdma_send_error(struct svcxprt_rdma *xprt, struct rpcrdma_msg *rmsgp,
                                            p, 0, length, DMA_FROM_DEVICE);
        if (ib_dma_mapping_error(xprt->sc_cm_id->device, ctxt->sge[0].addr)) {
                put_page(p);
+                svc_rdma_put_context(ctxt, 1);
                return;
        }
        atomic_inc(&xprt->sc_dma_used);
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index c431f5a57960..be96d429b475 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -1631,7 +1631,8 @@ static struct socket *xs_create_sock(struct rpc_xprt *xprt,
        }
        xs_reclassify_socket(family, sock);
-        if (xs_bind(transport, sock)) {
+        err = xs_bind(transport, sock);
+        if (err) {
                sock_release(sock);
                goto out;
        }
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index dd419d286204..ba5b8c208498 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -850,7 +850,7 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                 * Get the parent directory, calculate the hash for last
                 * component.
                 */
-                err = path_lookup(sunaddr->sun_path, LOOKUP_PARENT, &nd);
+                err = kern_path_parent(sunaddr->sun_path, &nd);
                if (err)
                        goto out_mknod_parent;
@@ -1724,7 +1724,11 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock,
        msg->msg_namelen = 0;
-        mutex_lock(&u->readlock);
+        err = mutex_lock_interruptible(&u->readlock);
+        if (err) {
+                err = sock_intr_errno(sock_rcvtimeo(sk, noblock));
+                goto out;
+        }
        skb = skb_recv_datagram(sk, flags, noblock, &err);
        if (!skb) {
@@ -1864,7 +1868,11 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
                memset(&tmp_scm, 0, sizeof(tmp_scm));
        }
-        mutex_lock(&u->readlock);
+        err = mutex_lock_interruptible(&u->readlock);
+        if (err) {
+                err = sock_intr_errno(timeo);
+                goto out;
+        }
        do {
                int chunk;
@@ -1895,11 +1903,12 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
                        timeo = unix_stream_data_wait(sk, timeo);
-                        if (signal_pending(current)) {
+                        if (signal_pending(current)
+                            ||  mutex_lock_interruptible(&u->readlock)) {
                                err = sock_intr_errno(timeo);
                                goto out;
                        }
-                        mutex_lock(&u->readlock);
                        continue;
 unlock:
                        unix_state_unlock(sk);
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index f89f83bf828e..b6f4b994eb35 100644
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -104,7 +104,7 @@ struct sock *unix_get_socket(struct file *filp)
        /*
         *      Socket ?
         */
-        if (S_ISSOCK(inode->i_mode)) {
+        if (S_ISSOCK(inode->i_mode) && !(filp->f_mode & FMODE_PATH)) {
                struct socket *sock = SOCKET_I(inode);
                struct sock *s = sock->sk;
diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c
index 3e5dbd4e4cd5..d112f038edf0 100644
--- a/net/wireless/wext-compat.c
+++ b/net/wireless/wext-compat.c
@@ -802,11 +802,11 @@ int cfg80211_wext_siwfreq(struct net_device *dev,
                        return freq;
                if (freq == 0)
                        return -EINVAL;
-                wdev_lock(wdev);
                mutex_lock(&rdev->devlist_mtx);
+                wdev_lock(wdev);
                err = cfg80211_set_freq(rdev, wdev, freq, NL80211_CHAN_NO_HT);
-                mutex_unlock(&rdev->devlist_mtx);
                wdev_unlock(wdev);
+                mutex_unlock(&rdev->devlist_mtx);
                return err;
        default:
                return -EOPNOTSUPP;
diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c
index 55187c8f6420..406207515b5e 100644
--- a/net/x25/x25_facilities.c
+++ b/net/x25/x25_facilities.c
@@ -27,9 +27,19 @@
 #include <net/sock.h>
 #include <net/x25.h>
-/*
+/**
- * Parse a set of facilities into the facilities structures. Unrecognised
+ * x25_parse_facilities - Parse facilities from skb into the facilities structs
- *      facilities are written to the debug log file.
+ *
+ * @skb: sk_buff to parse
+ * @facilities: Regular facilites, updated as facilities are found
+ * @dte_facs: ITU DTE facilities, updated as DTE facilities are found
+ * @vc_fac_mask: mask is updated with all facilities found
+ *
+ * Return codes:
+ *  -1 - Parsing error, caller should drop call and clean up
+ *   0 - Parse OK, this skb has no facilities
+ *  >0 - Parse OK, returns the length of the facilities header
+ *
 */
 int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                struct x25_dte_facilities *dte_facs, unsigned long *vc_fac_mask)
@@ -62,7 +72,7 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                switch (*p & X25_FAC_CLASS_MASK) {
                case X25_FAC_CLASS_A:
                        if (len < 2)
-                                return 0;
+                                return -1;
                        switch (*p) {
                        case X25_FAC_REVERSE:
                                if((p[1] & 0x81) == 0x81) {
@@ -107,7 +117,7 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                        break;
                case X25_FAC_CLASS_B:
                        if (len < 3)
-                                return 0;
+                                return -1;
                        switch (*p) {
                        case X25_FAC_PACKET_SIZE:
                                facilities->pacsize_in  = p[1];
@@ -130,7 +140,7 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                        break;
                case X25_FAC_CLASS_C:
                        if (len < 4)
-                                return 0;
+                                return -1;
                        printk(KERN_DEBUG "X.25: unknown facility %02X, "
                               "values %02X, %02X, %02X\n",
                               p[0], p[1], p[2], p[3]);
@@ -139,18 +149,18 @@ int x25_parse_facilities(struct sk_buff *skb, struct x25_facilities *facilities,
                        break;
                case X25_FAC_CLASS_D:
                        if (len < p[1] + 2)
-                                return 0;
+                                return -1;
                        switch (*p) {
                        case X25_FAC_CALLING_AE:
                                if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
-                                        return 0;
+                                        return -1;
                                dte_facs->calling_len = p[2];
                                memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
                                *vc_fac_mask |= X25_MASK_CALLING_AE;
                                break;
                        case X25_FAC_CALLED_AE:
                                if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
-                                        return 0;
+                                        return -1;
                                dte_facs->called_len = p[2];
                                memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
                                *vc_fac_mask |= X25_MASK_CALLED_AE;
diff --git a/net/x25/x25_in.c b/net/x25/x25_in.c
index f729f022be69..15de65f04719 100644
--- a/net/x25/x25_in.c
+++ b/net/x25/x25_in.c
@@ -91,10 +91,10 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
 {
        struct x25_address source_addr, dest_addr;
        int len;
+        struct x25_sock *x25 = x25_sk(sk);
        switch (frametype) {
                case X25_CALL_ACCEPTED: {
-                        struct x25_sock *x25 = x25_sk(sk);
                        x25_stop_timer(sk);
                        x25->condition = 0x00;
@@ -113,14 +113,16 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
                                                &dest_addr);
                        if (len > 0)
                                skb_pull(skb, len);
+                        else if (len < 0)
+                                goto out_clear;
                        len = x25_parse_facilities(skb, &x25->facilities,
                                                &x25->dte_facilities,
                                                &x25->vc_facil_mask);
                        if (len > 0)
                                skb_pull(skb, len);
-                        else
+                        else if (len < 0)
-                                return -1;
+                                goto out_clear;
                        /*
                         *      Copy any Call User Data.
                         */
@@ -144,6 +146,12 @@ static int x25_state1_machine(struct sock *sk, struct sk_buff *skb, int frametyp
        }
        return 0;
+out_clear:
+        x25_write_internal(sk, X25_CLEAR_REQUEST);
+        x25->state = X25_STATE_2;
+        x25_start_t23timer(sk);
+        return 0;
 }
 /*
diff --git a/net/x25/x25_link.c b/net/x25/x25_link.c
index 4cbc942f762a..21306928d47f 100644
--- a/net/x25/x25_link.c
+++ b/net/x25/x25_link.c
@@ -396,9 +396,12 @@ void __exit x25_link_free(void)
        write_lock_bh(&x25_neigh_list_lock);
        list_for_each_safe(entry, tmp, &x25_neigh_list) {
+                struct net_device *dev;
                nb = list_entry(entry, struct x25_neigh, node);
+                dev = nb->dev;
                __x25_remove_neigh(nb);
-                dev_put(nb->dev);
+                dev_put(dev);
        }
        write_unlock_bh(&x25_neigh_list_lock);
 }
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 8b3ef404c794..6459588befc3 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1340,10 +1340,13 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
        default:
                BUG();
        }
-        xdst = dst_alloc(dst_ops) ?: ERR_PTR(-ENOBUFS);
+        xdst = dst_alloc(dst_ops);
        xfrm_policy_put_afinfo(afinfo);
-        xdst->flo.ops = &xfrm_bundle_fc_ops;
+        if (likely(xdst))
+                xdst->flo.ops = &xfrm_bundle_fc_ops;
+        else
+                xdst = ERR_PTR(-ENOBUFS);
        return xdst;
 }