118 files changed, 673 insertions, 409 deletions

diff --git a/net/bridge/br.c b/net/bridge/br.c
index d164f63a4345..8a8f9e5f264f 100644
--- a/net/bridge/br.c
+++ b/net/bridge/br.c
@@ -37,12 +37,15 @@ static int br_device_event(struct notifier_block *unused, unsigned long event, v
         int err;
 
         if (dev->priv_flags & IFF_EBRIDGE) {
+                err = br_vlan_bridge_event(dev, event, ptr);
+                if (err)
+                        return notifier_from_errno(err);
+
                 if (event == NETDEV_REGISTER) {
                         /* register of bridge completed, add sysfs entries */
                         br_sysfs_addbr(dev);
                         return NOTIFY_DONE;
                 }
-                br_vlan_bridge_event(dev, event, ptr);
         }
 
         /* not a port of a bridge */
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 3d8deac2353d..f8cac3702712 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1388,6 +1388,9 @@ br_multicast_leave_group(struct net_bridge *br,
                         if (!br_port_group_equal(p, port, src))
                                 continue;
 
+                        if (p->flags & MDB_PG_FLAGS_PERMANENT)
+                                break;
+
                         rcu_assign_pointer(*pp, p->next);
                         hlist_del_init(&p->mglist);
                         del_timer(&p->timer);
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index e8cf03b43b7d..646504db0220 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -894,8 +894,8 @@ int nbp_get_num_vlan_infos(struct net_bridge_port *p, u32 filter_mask);
 void br_vlan_get_stats(const struct net_bridge_vlan *v,
                        struct br_vlan_stats *stats);
 void br_vlan_port_event(struct net_bridge_port *p, unsigned long event);
-void br_vlan_bridge_event(struct net_device *dev, unsigned long event,
-                          void *ptr);
+int br_vlan_bridge_event(struct net_device *dev, unsigned long event,
+                         void *ptr);
 
 static inline struct net_bridge_vlan_group *br_vlan_group(
                                         const struct net_bridge *br)
@@ -1085,9 +1085,10 @@ static inline void br_vlan_port_event(struct net_bridge_port *p,
 {
 }
 
-static inline void br_vlan_bridge_event(struct net_device *dev,
-                                        unsigned long event, void *ptr)
+static inline int br_vlan_bridge_event(struct net_device *dev,
+                                       unsigned long event, void *ptr)
 {
+        return 0;
 }
 #endif
 
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index 021cc9f66804..f5b2aeebbfe9 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -1053,7 +1053,6 @@ int br_vlan_init(struct net_bridge *br)
 {
         struct net_bridge_vlan_group *vg;
         int ret = -ENOMEM;
-        bool changed;
 
         vg = kzalloc(sizeof(*vg), GFP_KERNEL);
         if (!vg)
@@ -1068,17 +1067,10 @@ int br_vlan_init(struct net_bridge *br)
         br->vlan_proto = htons(ETH_P_8021Q);
         br->default_pvid = 1;
         rcu_assign_pointer(br->vlgrp, vg);
-        ret = br_vlan_add(br, 1,
-                          BRIDGE_VLAN_INFO_PVID | BRIDGE_VLAN_INFO_UNTAGGED |
-                          BRIDGE_VLAN_INFO_BRENTRY, &changed, NULL);
-        if (ret)
-                goto err_vlan_add;
 
 out:
         return ret;
 
-err_vlan_add:
-        vlan_tunnel_deinit(vg);
 err_tunnel_init:
         rhashtable_destroy(&vg->vlan_hash);
 err_rhtbl:
@@ -1464,13 +1456,23 @@ static void nbp_vlan_set_vlan_dev_state(struct net_bridge_port *p, u16 vid)
 }
 
 /* Must be protected by RTNL. */
-void br_vlan_bridge_event(struct net_device *dev, unsigned long event,
-                          void *ptr)
+int br_vlan_bridge_event(struct net_device *dev, unsigned long event, void *ptr)
 {
         struct netdev_notifier_changeupper_info *info;
-        struct net_bridge *br;
+        struct net_bridge *br = netdev_priv(dev);
+        bool changed;
+        int ret = 0;
 
         switch (event) {
+        case NETDEV_REGISTER:
+                ret = br_vlan_add(br, br->default_pvid,
+                                  BRIDGE_VLAN_INFO_PVID |
+                                  BRIDGE_VLAN_INFO_UNTAGGED |
+                                  BRIDGE_VLAN_INFO_BRENTRY, &changed, NULL);
+                break;
+        case NETDEV_UNREGISTER:
+                br_vlan_delete(br, br->default_pvid);
+                break;
         case NETDEV_CHANGEUPPER:
                 info = ptr;
                 br_vlan_upper_change(dev, info->upper_dev, info->linking);
@@ -1478,12 +1480,13 @@ void br_vlan_bridge_event(struct net_device *dev, unsigned long event,
 
         case NETDEV_CHANGE:
         case NETDEV_UP:
-                br = netdev_priv(dev);
                 if (!br_opt_get(br, BROPT_VLAN_BRIDGE_BINDING))
-                        return;
+                        break;
                 br_vlan_link_state_change(dev, br);
                 break;
         }
+
+        return ret;
 }
 
 /* Must be protected by RTNL. */
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 154fa558bb90..5040fe43f4b4 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -6,7 +6,7 @@
 menuconfig NF_TABLES_BRIDGE
         depends on BRIDGE && NETFILTER && NF_TABLES
         select NETFILTER_FAMILY_BRIDGE
-        bool "Ethernet Bridge nf_tables support"
+        tristate "Ethernet Bridge nf_tables support"
 
 if NF_TABLES_BRIDGE
 
@@ -25,6 +25,8 @@ config NF_LOG_BRIDGE
         tristate "Bridge packet logging"
         select NF_LOG_COMMON
 
+endif # NF_TABLES_BRIDGE
+
 config NF_CONNTRACK_BRIDGE
         tristate "IPv4/IPV6 bridge connection tracking support"
         depends on NF_CONNTRACK
@@ -39,8 +41,6 @@ config NF_CONNTRACK_BRIDGE
 
           To compile it as a module, choose M here.  If unsure, say N.
 
-endif # NF_TABLES_BRIDGE
-
 menuconfig BRIDGE_NF_EBTABLES
         tristate "Ethernet Bridge tables (ebtables) support"
         depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 963dfdc14827..c8177a89f52c 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1770,20 +1770,28 @@ static int compat_calc_entry(const struct ebt_entry *e,
         return 0;
 }
 
+static int ebt_compat_init_offsets(unsigned int number)
+{
+        if (number > INT_MAX)
+                return -EINVAL;
+
+        /* also count the base chain policies */
+        number += NF_BR_NUMHOOKS;
+
+        return xt_compat_init_offsets(NFPROTO_BRIDGE, number);
+}
 
 static int compat_table_info(const struct ebt_table_info *info,
                              struct compat_ebt_replace *newinfo)
 {
         unsigned int size = info->entries_size;
         const void *entries = info->entries;
+        int ret;
 
         newinfo->entries_size = size;
-        if (info->nentries) {
-                int ret = xt_compat_init_offsets(NFPROTO_BRIDGE,
-                                                 info->nentries);
-                if (ret)
-                        return ret;
-        }
+        ret = ebt_compat_init_offsets(info->nentries);
+        if (ret)
+                return ret;
 
         return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info,
                                                         entries, newinfo);
@@ -2234,11 +2242,9 @@ static int compat_do_replace(struct net *net, void __user *user,
 
         xt_compat_lock(NFPROTO_BRIDGE);
 
-        if (tmp.nentries) {
-                ret = xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
-                if (ret < 0)
-                        goto out_unlock;
-        }
+        ret = ebt_compat_init_offsets(tmp.nentries);
+        if (ret < 0)
+                goto out_unlock;
 
         ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
         if (ret < 0)
@@ -2261,8 +2267,10 @@ static int compat_do_replace(struct net *net, void __user *user,
         state.buf_kern_len = size64;
 
         ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
-        if (WARN_ON(ret < 0))
+        if (WARN_ON(ret < 0)) {
+                vfree(entries_tmp);
                 goto out_unlock;
+        }
 
         vfree(entries_tmp);
         tmp.entries_size = size64;
diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
index bed66f536b34..1804e867f715 100644
--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -30,13 +30,9 @@ static void nft_meta_bridge_get_eval(const struct nft_expr *expr,
         switch (priv->key) {
         case NFT_META_BRI_IIFNAME:
                 br_dev = nft_meta_get_bridge(in);
-                if (!br_dev)
-                        goto err;
                 break;
         case NFT_META_BRI_OIFNAME:
                 br_dev = nft_meta_get_bridge(out);
-                if (!br_dev)
-                        goto err;
                 break;
         case NFT_META_BRI_IIFPVID: {
                 u16 p_pvid;
@@ -61,13 +57,11 @@ static void nft_meta_bridge_get_eval(const struct nft_expr *expr,
                 return;
         }
         default:
-                goto out;
+                return nft_meta_get_eval(expr, regs, pkt);
         }
 
-        strncpy((char *)dest, br_dev->name, IFNAMSIZ);
+        strncpy((char *)dest, br_dev ? br_dev->name : "", IFNAMSIZ);
         return;
-out:
-        return nft_meta_get_eval(expr, regs, pkt);
 err:
         regs->verdict.code = NFT_BREAK;
 }
diff --git a/net/can/gw.c b/net/can/gw.c
index 5275ddf580bc..72711053ebe6 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -1046,32 +1046,50 @@ static __init int cgw_module_init(void)
         pr_info("can: netlink gateway (rev " CAN_GW_VERSION ") max_hops=%d\n",
                 max_hops);
 
-        register_pernet_subsys(&cangw_pernet_ops);
+        ret = register_pernet_subsys(&cangw_pernet_ops);
+        if (ret)
+                return ret;
+
+        ret = -ENOMEM;
         cgw_cache = kmem_cache_create("can_gw", sizeof(struct cgw_job),
                                       0, 0, NULL);
-
         if (!cgw_cache)
-                return -ENOMEM;
+                goto out_cache_create;
 
         /* set notifier */
         notifier.notifier_call = cgw_notifier;
-        register_netdevice_notifier(&notifier);
+        ret = register_netdevice_notifier(&notifier);
+        if (ret)
+                goto out_register_notifier;
 
         ret = rtnl_register_module(THIS_MODULE, PF_CAN, RTM_GETROUTE,
                                    NULL, cgw_dump_jobs, 0);
-        if (ret) {
-                unregister_netdevice_notifier(&notifier);
-                kmem_cache_destroy(cgw_cache);
-                return -ENOBUFS;
-        }
-
-        /* Only the first call to rtnl_register_module can fail */
-        rtnl_register_module(THIS_MODULE, PF_CAN, RTM_NEWROUTE,
-                             cgw_create_job, NULL, 0);
-        rtnl_register_module(THIS_MODULE, PF_CAN, RTM_DELROUTE,
-                             cgw_remove_job, NULL, 0);
+        if (ret)
+                goto out_rtnl_register1;
+
+        ret = rtnl_register_module(THIS_MODULE, PF_CAN, RTM_NEWROUTE,
+                                   cgw_create_job, NULL, 0);
+        if (ret)
+                goto out_rtnl_register2;
+        ret = rtnl_register_module(THIS_MODULE, PF_CAN, RTM_DELROUTE,
+                                   cgw_remove_job, NULL, 0);
+        if (ret)
+                goto out_rtnl_register3;
 
         return 0;
+
+out_rtnl_register3:
+        rtnl_unregister(PF_CAN, RTM_NEWROUTE);
+out_rtnl_register2:
+        rtnl_unregister(PF_CAN, RTM_GETROUTE);
+out_rtnl_register1:
+        unregister_netdevice_notifier(&notifier);
+out_register_notifier:
+        kmem_cache_destroy(cgw_cache);
+out_cache_create:
+        unregister_pernet_subsys(&cangw_pernet_ops);
+
+        return ret;
 }
 
 static __exit void cgw_module_exit(void)
diff --git a/net/core/dev.c b/net/core/dev.c
index fc676b2610e3..0891f499c1bb 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4374,12 +4374,17 @@ static u32 netif_receive_generic_xdp(struct sk_buff *skb,
 
         act = bpf_prog_run_xdp(xdp_prog, xdp);
 
+        /* check if bpf_xdp_adjust_head was used */
         off = xdp->data - orig_data;
-        if (off > 0)
-                __skb_pull(skb, off);
-        else if (off < 0)
-                __skb_push(skb, -off);
-        skb->mac_header += off;
+        if (off) {
+                if (off > 0)
+                        __skb_pull(skb, off);
+                else if (off < 0)
+                        __skb_push(skb, -off);
+
+                skb->mac_header += off;
+                skb_reset_network_header(skb);
+        }
 
         /* check if bpf_xdp_adjust_tail was used. it can only "shrink"
          * pckt.
@@ -9701,6 +9706,8 @@ static void __net_exit default_device_exit(struct net *net)
 
                 /* Push remaining network devices to init_net */
                 snprintf(fb_name, IFNAMSIZ, "dev%d", dev->ifindex);
+                if (__dev_get_by_name(&init_net, fb_name))
+                        snprintf(fb_name, IFNAMSIZ, "dev%%d");
                 err = dev_change_net_namespace(dev, &init_net, fb_name);
                 if (err) {
                         pr_emerg("%s: failed to move %s to init_net: %d\n",
diff --git a/net/core/filter.c b/net/core/filter.c
index 4e2a79b2fd77..7878f918b8c0 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -7455,12 +7455,12 @@ static u32 bpf_convert_ctx_access(enum bpf_access_type type,
         case offsetof(struct __sk_buff, gso_segs):
                 /* si->dst_reg = skb_shinfo(SKB); */
 #ifdef NET_SKBUFF_DATA_USES_OFFSET
-                *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, head),
-                                      si->dst_reg, si->src_reg,
-                                      offsetof(struct sk_buff, head));
                 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, end),
                                       BPF_REG_AX, si->src_reg,
                                       offsetof(struct sk_buff, end));
+                *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, head),
+                                      si->dst_reg, si->src_reg,
+                                      offsetof(struct sk_buff, head));
                 *insn++ = BPF_ALU64_REG(BPF_ADD, si->dst_reg, BPF_REG_AX);
 #else
                 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, end),
diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c
index 76f8db3841d7..d63b970784dc 100644
--- a/net/core/flow_offload.c
+++ b/net/core/flow_offload.c
@@ -165,7 +165,7 @@ void flow_rule_match_enc_opts(const struct flow_rule *rule,
 }
 EXPORT_SYMBOL(flow_rule_match_enc_opts);
 
-struct flow_block_cb *flow_block_cb_alloc(struct net *net, tc_setup_cb_t *cb,
+struct flow_block_cb *flow_block_cb_alloc(flow_setup_cb_t *cb,
                                           void *cb_ident, void *cb_priv,
                                           void (*release)(void *cb_priv))
 {
@@ -175,7 +175,6 @@ struct flow_block_cb *flow_block_cb_alloc(struct net *net, tc_setup_cb_t *cb,
         if (!block_cb)
                 return ERR_PTR(-ENOMEM);
 
-        block_cb->net = net;
         block_cb->cb = cb;
         block_cb->cb_ident = cb_ident;
         block_cb->cb_priv = cb_priv;
@@ -194,14 +193,13 @@ void flow_block_cb_free(struct flow_block_cb *block_cb)
 }
 EXPORT_SYMBOL(flow_block_cb_free);
 
-struct flow_block_cb *flow_block_cb_lookup(struct flow_block_offload *f,
-                                           tc_setup_cb_t *cb, void *cb_ident)
+struct flow_block_cb *flow_block_cb_lookup(struct flow_block *block,
+                                           flow_setup_cb_t *cb, void *cb_ident)
 {
         struct flow_block_cb *block_cb;
 
-        list_for_each_entry(block_cb, f->driver_block_list, driver_list) {
-                if (block_cb->net == f->net &&
-                    block_cb->cb == cb &&
+        list_for_each_entry(block_cb, &block->cb_list, list) {
+                if (block_cb->cb == cb &&
                     block_cb->cb_ident == cb_ident)
                         return block_cb;
         }
@@ -228,7 +226,7 @@ unsigned int flow_block_cb_decref(struct flow_block_cb *block_cb)
 }
 EXPORT_SYMBOL(flow_block_cb_decref);
 
-bool flow_block_cb_is_busy(tc_setup_cb_t *cb, void *cb_ident,
+bool flow_block_cb_is_busy(flow_setup_cb_t *cb, void *cb_ident,
                            struct list_head *driver_block_list)
 {
         struct flow_block_cb *block_cb;
@@ -245,7 +243,8 @@ EXPORT_SYMBOL(flow_block_cb_is_busy);
 
 int flow_block_cb_setup_simple(struct flow_block_offload *f,
                                struct list_head *driver_block_list,
-                               tc_setup_cb_t *cb, void *cb_ident, void *cb_priv,
+                               flow_setup_cb_t *cb,
+                               void *cb_ident, void *cb_priv,
                                bool ingress_only)
 {
         struct flow_block_cb *block_cb;
@@ -261,8 +260,7 @@ int flow_block_cb_setup_simple(struct flow_block_offload *f,
                 if (flow_block_cb_is_busy(cb, cb_ident, driver_block_list))
                         return -EBUSY;
 
-                block_cb = flow_block_cb_alloc(f->net, cb, cb_ident,
-                                               cb_priv, NULL);
+                block_cb = flow_block_cb_alloc(cb, cb_ident, cb_priv, NULL);
                 if (IS_ERR(block_cb))
                         return PTR_ERR(block_cb);
 
@@ -270,7 +268,7 @@ int flow_block_cb_setup_simple(struct flow_block_offload *f,
                 list_add_tail(&block_cb->driver_list, driver_block_list);
                 return 0;
         case FLOW_BLOCK_UNBIND:
-                block_cb = flow_block_cb_lookup(f, cb, cb_ident);
+                block_cb = flow_block_cb_lookup(f->block, cb, cb_ident);
                 if (!block_cb)
                         return -ENOENT;
 
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index 93bffaad2135..6832eeb4b785 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -585,12 +585,12 @@ EXPORT_SYMBOL_GPL(sk_psock_destroy);
 
 void sk_psock_drop(struct sock *sk, struct sk_psock *psock)
 {
-        rcu_assign_sk_user_data(sk, NULL);
         sk_psock_cork_free(psock);
         sk_psock_zap_ingress(psock);
-        sk_psock_restore_proto(sk, psock);
 
         write_lock_bh(&sk->sk_callback_lock);
+        sk_psock_restore_proto(sk, psock);
+        rcu_assign_sk_user_data(sk, NULL);
         if (psock->progs.skb_parser)
                 sk_psock_stop_strp(sk, psock);
         write_unlock_bh(&sk->sk_callback_lock);
diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index 52d4faeee18b..1330a7442e5b 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -247,6 +247,8 @@ static void sock_map_free(struct bpf_map *map)
         raw_spin_unlock_bh(&stab->lock);
         rcu_read_unlock();
 
+        synchronize_rcu();
+
         bpf_map_area_free(stab->sks);
         kfree(stab);
 }
@@ -276,16 +278,20 @@ static int __sock_map_delete(struct bpf_stab *stab, struct sock *sk_test,
                              struct sock **psk)
 {
         struct sock *sk;
+        int err = 0;
 
         raw_spin_lock_bh(&stab->lock);
         sk = *psk;
         if (!sk_test || sk_test == sk)
-                *psk = NULL;
+                sk = xchg(psk, NULL);
+
+        if (likely(sk))
+                sock_map_unref(sk, psk);
+        else
+                err = -EINVAL;
+
         raw_spin_unlock_bh(&stab->lock);
-        if (unlikely(!sk))
-                return -EINVAL;
-        sock_map_unref(sk, psk);
-        return 0;
+        return err;
 }
 
 static void sock_map_delete_from_link(struct bpf_map *map, struct sock *sk,
@@ -328,6 +334,7 @@ static int sock_map_update_common(struct bpf_map *map, u32 idx,
                                   struct sock *sk, u64 flags)
 {
         struct bpf_stab *stab = container_of(map, struct bpf_stab, map);
+        struct inet_connection_sock *icsk = inet_csk(sk);
         struct sk_psock_link *link;
         struct sk_psock *psock;
         struct sock *osk;
@@ -338,6 +345,8 @@ static int sock_map_update_common(struct bpf_map *map, u32 idx,
                 return -EINVAL;
         if (unlikely(idx >= map->max_entries))
                 return -E2BIG;
+        if (unlikely(icsk->icsk_ulp_data))
+                return -EINVAL;
 
         link = sk_psock_init_link();
         if (!link)
diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index 614c38ece104..33f41178afcc 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -951,7 +951,7 @@ static int dsa_slave_setup_tc_block(struct net_device *dev,
                                     struct flow_block_offload *f)
 {
         struct flow_block_cb *block_cb;
-        tc_setup_cb_t *cb;
+        flow_setup_cb_t *cb;
 
         if (f->binder_type == FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS)
                 cb = dsa_slave_setup_tc_block_cb_ig;
@@ -967,7 +967,7 @@ static int dsa_slave_setup_tc_block(struct net_device *dev,
                 if (flow_block_cb_is_busy(cb, dev, &dsa_slave_block_cb_list))
                         return -EBUSY;
 
-                block_cb = flow_block_cb_alloc(f->net, cb, dev, dev, NULL);
+                block_cb = flow_block_cb_alloc(cb, dev, dev, NULL);
                 if (IS_ERR(block_cb))
                         return PTR_ERR(block_cb);
 
@@ -975,7 +975,7 @@ static int dsa_slave_setup_tc_block(struct net_device *dev,
                 list_add_tail(&block_cb->driver_list, &dsa_slave_block_cb_list);
                 return 0;
         case FLOW_BLOCK_UNBIND:
-                block_cb = flow_block_cb_lookup(f, cb, dev);
+                block_cb = flow_block_cb_lookup(f->block, cb, dev);
                 if (!block_cb)
                         return -ENOENT;
 
diff --git a/net/dsa/tag_sja1105.c b/net/dsa/tag_sja1105.c
index 26363d72d25b..47ee88163a9d 100644
--- a/net/dsa/tag_sja1105.c
+++ b/net/dsa/tag_sja1105.c
@@ -165,6 +165,7 @@ static struct sk_buff
                                             "Expected meta frame, is %12llx "
                                             "in the DSA master multicast filter?\n",
                                             SJA1105_META_DMAC);
+                        kfree_skb(sp->data->stampable_skb);
                 }
 
                 /* Hold a reference to avoid dsa_switch_rcv
@@ -211,17 +212,8 @@ static struct sk_buff
                  * for further processing up the network stack.
                  */
                 kfree_skb(skb);
-
-                skb = skb_copy(stampable_skb, GFP_ATOMIC);
-                if (!skb) {
-                        dev_err_ratelimited(dp->ds->dev,
-                                            "Failed to copy stampable skb\n");
-                        spin_unlock(&sp->data->meta_lock);
-                        return NULL;
-                }
+                skb = stampable_skb;
                 sja1105_transfer_meta(skb, meta);
-                /* The cached copy will be freed now */
-                skb_unref(stampable_skb);
 
                 spin_unlock(&sp->data->meta_lock);
         }
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index d666756be5f1..a999451345f9 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -331,7 +331,7 @@ struct inet_frag_queue *inet_frag_find(struct fqdir *fqdir, void *key)
         prev = rhashtable_lookup(&fqdir->rhashtable, key, fqdir->f->rhash_params);
         if (!prev)
                 fq = inet_frag_create(fqdir, key, &prev);
-        if (prev && !IS_ERR(prev)) {
+        if (!IS_ERR_OR_NULL(prev)) {
                 fq = prev;
                 if (!refcount_inc_not_zero(&fq->refcnt))
                         fq = NULL;
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
index 43adfc1641ba..2f01cf6fa0de 100644
--- a/net/ipv4/ipip.c
+++ b/net/ipv4/ipip.c
@@ -275,6 +275,9 @@ static netdev_tx_t ipip_tunnel_xmit(struct sk_buff *skb,
         const struct iphdr  *tiph = &tunnel->parms.iph;
         u8 ipproto;
 
+        if (!pskb_inet_may_pull(skb))
+                goto tx_error;
+
         switch (skb->protocol) {
         case htons(ETH_P_IP):
                 ipproto = IPPROTO_IPIP;
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 4d6bf7ac0792..6bdb1ab8af61 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -416,8 +416,8 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
              ctinfo == IP_CT_RELATED_REPLY))
                 return XT_CONTINUE;
 
-        /* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
-         * TIMESTAMP, INFO_REQUEST or ADDRESS type icmp packets from here
+        /* nf_conntrack_proto_icmp guarantees us that we only have ICMP_ECHO,
+         * TIMESTAMP, INFO_REQUEST or ICMP_ADDRESS type icmp packets from here
          * on, which all have an ID field [relevant for hashing]. */
 
         hash = clusterip_hashfn(skb, cipinfo->config);
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 8e7f84ec783d..0e70f3f65f6f 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -36,6 +36,8 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
                         opts.options |= XT_SYNPROXY_OPT_ECN;
 
                 opts.options &= info->options;
+                opts.mss_encode = opts.mss;
+                opts.mss = info->mss;
                 if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
                         synproxy_init_timestamp_cookie(info, &opts);
                 else
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index 59031670b16a..cc23f1ce239c 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -78,6 +78,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
         flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
         flow.flowi4_tos = RT_TOS(iph->tos);
         flow.flowi4_scope = RT_SCOPE_UNIVERSE;
+        flow.flowi4_oif = l3mdev_master_ifindex_rcu(xt_in(par));
 
         return rpfilter_lookup_reverse(xt_net(par), &flow, xt_in(par), info->flags) ^ invert;
 }
diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
index 87b711fd5a44..3e2685c120c7 100644
--- a/net/ipv4/netfilter/nf_nat_h323.c
+++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -221,11 +221,11 @@ static int nat_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
                 int ret;
 
                 rtp_exp->tuple.dst.u.udp.port = htons(nated_port);
-                ret = nf_ct_expect_related(rtp_exp);
+                ret = nf_ct_expect_related(rtp_exp, 0);
                 if (ret == 0) {
                         rtcp_exp->tuple.dst.u.udp.port =
                             htons(nated_port + 1);
-                        ret = nf_ct_expect_related(rtcp_exp);
+                        ret = nf_ct_expect_related(rtcp_exp, 0);
                         if (ret == 0)
                                 break;
                         else if (ret == -EBUSY) {
@@ -296,7 +296,7 @@ static int nat_t120(struct sk_buff *skb, struct nf_conn *ct,
                 int ret;
 
                 exp->tuple.dst.u.tcp.port = htons(nated_port);
-                ret = nf_ct_expect_related(exp);
+                ret = nf_ct_expect_related(exp, 0);
                 if (ret == 0)
                         break;
                 else if (ret != -EBUSY) {
@@ -352,7 +352,7 @@ static int nat_h245(struct sk_buff *skb, struct nf_conn *ct,
                 int ret;
 
                 exp->tuple.dst.u.tcp.port = htons(nated_port);
-                ret = nf_ct_expect_related(exp);
+                ret = nf_ct_expect_related(exp, 0);
                 if (ret == 0)
                         break;
                 else if (ret != -EBUSY) {
@@ -444,7 +444,7 @@ static int nat_q931(struct sk_buff *skb, struct nf_conn *ct,
                 int ret;
 
                 exp->tuple.dst.u.tcp.port = htons(nated_port);
-                ret = nf_ct_expect_related(exp);
+                ret = nf_ct_expect_related(exp, 0);
                 if (ret == 0)
                         break;
                 else if (ret != -EBUSY) {
@@ -537,7 +537,7 @@ static int nat_callforwarding(struct sk_buff *skb, struct nf_conn *ct,
                 int ret;
 
                 exp->tuple.dst.u.tcp.port = htons(nated_port);
-                ret = nf_ct_expect_related(exp);
+                ret = nf_ct_expect_related(exp, 0);
                 if (ret == 0)
                         break;
                 else if (ret != -EBUSY) {
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 4af1f5dae9d3..6e4afc48d7bb 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1288,6 +1288,7 @@ int tcp_fragment(struct sock *sk, enum tcp_queue tcp_queue,
         struct tcp_sock *tp = tcp_sk(sk);
         struct sk_buff *buff;
         int nsize, old_factor;
+        long limit;
         int nlen;
         u8 flags;
 
@@ -1298,8 +1299,16 @@ int tcp_fragment(struct sock *sk, enum tcp_queue tcp_queue,
         if (nsize < 0)
                 nsize = 0;
 
-        if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf &&
-                     tcp_queue != TCP_FRAG_IN_WRITE_QUEUE)) {
+        /* tcp_sendmsg() can overshoot sk_wmem_queued by one full size skb.
+         * We need some allowance to not penalize applications setting small
+         * SO_SNDBUF values.
+         * Also allow first and last skb in retransmit queue to be split.
+         */
+        limit = sk->sk_sndbuf + 2 * SKB_TRUESIZE(GSO_MAX_SIZE);
+        if (unlikely((sk->sk_wmem_queued >> 1) > limit &&
+                     tcp_queue != TCP_FRAG_IN_WRITE_QUEUE &&
+                     skb != tcp_rtx_queue_head(sk) &&
+                     skb != tcp_rtx_queue_tail(sk))) {
                 NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
                 return -ENOMEM;
         }
diff --git a/net/ipv4/tcp_ulp.c b/net/ipv4/tcp_ulp.c
index 3d8a1d835471..4849edb62d52 100644
--- a/net/ipv4/tcp_ulp.c
+++ b/net/ipv4/tcp_ulp.c
@@ -96,6 +96,19 @@ void tcp_get_available_ulp(char *buf, size_t maxlen)
         rcu_read_unlock();
 }
 
+void tcp_update_ulp(struct sock *sk, struct proto *proto)
+{
+        struct inet_connection_sock *icsk = inet_csk(sk);
+
+        if (!icsk->icsk_ulp_ops) {
+                sk->sk_prot = proto;
+                return;
+        }
+
+        if (icsk->icsk_ulp_ops->update)
+                icsk->icsk_ulp_ops->update(sk, proto);
+}
+
 void tcp_cleanup_ulp(struct sock *sk)
 {
         struct inet_connection_sock *icsk = inet_csk(sk);
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index c2049c72f3e5..dd2d0b963260 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -660,12 +660,13 @@ static int prepare_ip6gre_xmit_ipv6(struct sk_buff *skb,
                                     struct flowi6 *fl6, __u8 *dsfield,
                                     int *encap_limit)
 {
-        struct ipv6hdr *ipv6h = ipv6_hdr(skb);
+        struct ipv6hdr *ipv6h;
         struct ip6_tnl *t = netdev_priv(dev);
         __u16 offset;
 
         offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb));
         /* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */
+        ipv6h = ipv6_hdr(skb);
 
         if (offset > 0) {
                 struct ipv6_tlv_tnl_enc_lim *tel;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 3134fbb65d7f..754a484d35df 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1278,12 +1278,11 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
         }
 
         fl6.flowi6_uid = sock_net_uid(dev_net(dev), NULL);
+        dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph));
 
         if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6))
                 return -1;
 
-        dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph));
-
         skb_set_inner_ipproto(skb, IPPROTO_IPIP);
 
         err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
@@ -1367,12 +1366,11 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
         }
 
         fl6.flowi6_uid = sock_net_uid(dev_net(dev), NULL);
+        dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h));
 
         if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6))
                 return -1;
 
-        dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h));
-
         skb_set_inner_ipproto(skb, IPPROTO_IPV6);
 
         err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index e77ea1ed5edd..5cdb4a69d277 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -36,6 +36,8 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
                         opts.options |= XT_SYNPROXY_OPT_ECN;
 
                 opts.options &= info->options;
+                opts.mss_encode = opts.mss;
+                opts.mss = info->mss;
                 if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
                         synproxy_init_timestamp_cookie(info, &opts);
                 else
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index 6bcaf7357183..d800801a5dd2 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -55,7 +55,9 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb,
         if (rpfilter_addr_linklocal(&iph->saddr)) {
                 lookup_flags |= RT6_LOOKUP_F_IFACE;
                 fl6.flowi6_oif = dev->ifindex;
-        } else if ((flags & XT_RPFILTER_LOOSE) == 0)
+        /* Set flowi6_oif for vrf devices to lookup route in l3mdev domain. */
+        } else if (netif_is_l3_master(dev) || netif_is_l3_slave(dev) ||
+                  (flags & XT_RPFILTER_LOOSE) == 0)
                 fl6.flowi6_oif = dev->ifindex;
 
         rt = (void *)ip6_route_lookup(net, &fl6, skb, lookup_flags);
@@ -70,7 +72,9 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb,
                 goto out;
         }
 
-        if (rt->rt6i_idev->dev == dev || (flags & XT_RPFILTER_LOOSE))
+        if (rt->rt6i_idev->dev == dev ||
+            l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == dev->ifindex ||
+            (flags & XT_RPFILTER_LOOSE))
                 ret = true;
  out:
         ip6_rt_put(rt);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index e49fec767a10..fd059e08785a 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1951,7 +1951,7 @@ static void rt6_update_exception_stamp_rt(struct rt6_info *rt)
                 nexthop_for_each_fib6_nh(from->nh, fib6_nh_find_match, &arg);
 
                 if (!arg.match)
-                        return;
+                        goto unlock;
                 fib6_nh = arg.match;
         } else {
                 fib6_nh = from->fib6_nh;
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 09e1694b6d34..ebb62a4ebe30 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -512,7 +512,9 @@ static void iucv_sock_close(struct sock *sk)
                         sk->sk_state = IUCV_DISCONN;
                         sk->sk_state_change(sk);
                 }
-        case IUCV_DISCONN:   /* fall through */
+                /* fall through */
+
+        case IUCV_DISCONN:
                 sk->sk_state = IUCV_CLOSING;
                 sk->sk_state_change(sk);
 
@@ -525,8 +527,9 @@ static void iucv_sock_close(struct sock *sk)
                                         iucv_sock_in_state(sk, IUCV_CLOSED, 0),
                                         timeo);
                 }
+                /* fall through */
 
-        case IUCV_CLOSING:   /* fall through */
+        case IUCV_CLOSING:
                 sk->sk_state = IUCV_CLOSED;
                 sk->sk_state_change(sk);
 
@@ -535,8 +538,9 @@ static void iucv_sock_close(struct sock *sk)
 
                 skb_queue_purge(&iucv->send_skb_q);
                 skb_queue_purge(&iucv->backlog_skb_q);
+                /* fall through */
 
-        default:   /* fall through */
+        default:
                 iucv_sever_path(sk, 1);
         }
 
@@ -2247,10 +2251,10 @@ static int afiucv_hs_rcv(struct sk_buff *skb, struct net_device *dev,
                         kfree_skb(skb);
                         break;
                 }
-                /* fall through and receive non-zero length data */
+                /* fall through - and receive non-zero length data */
         case (AF_IUCV_FLAG_SHT):
                 /* shutdown request */
-                /* fall through and receive zero length data */
+                /* fall through - and receive zero length data */
         case 0:
                 /* plain data frame */
                 IUCV_SKB_CB(skb)->class = trans_hdr->iucv_hdr.class;
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 1d0e5904dedf..c54cb59593ef 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1681,6 +1681,9 @@ static const struct proto_ops pppol2tp_ops = {
         .recvmsg        = pppol2tp_recvmsg,
         .mmap           = sock_no_mmap,
         .ioctl          = pppox_ioctl,
+#ifdef CONFIG_COMPAT
+        .compat_ioctl = pppox_compat_ioctl,
+#endif
 };
 
 static const struct pppox_proto pppol2tp_proto = {
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 76cc9e967fa6..4d458067d80d 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -936,8 +936,10 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
 
         err = ieee80211_set_probe_resp(sdata, params->probe_resp,
                                        params->probe_resp_len, csa);
-        if (err < 0)
+        if (err < 0) {
+                kfree(new);
                 return err;
+        }
         if (err == 0)
                 changed |= BSS_CHANGED_AP_PROBE_RESP;
 
@@ -949,8 +951,10 @@ static int ieee80211_assign_beacon(struct ieee80211_sub_if_data *sdata,
                                                          params->civicloc,
                                                          params->civicloc_len);
 
-                if (err < 0)
+                if (err < 0) {
+                        kfree(new);
                         return err;
+                }
 
                 changed |= BSS_CHANGED_FTM_RESPONDER;
         }
diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c
index acd4afb4944b..c9a8a2433e8a 100644
--- a/net/mac80211/driver-ops.c
+++ b/net/mac80211/driver-ops.c
@@ -187,11 +187,16 @@ int drv_conf_tx(struct ieee80211_local *local,
         if (!check_sdata_in_driver(sdata))
                 return -EIO;
 
-        if (WARN_ONCE(params->cw_min == 0 ||
-                      params->cw_min > params->cw_max,
-                      "%s: invalid CW_min/CW_max: %d/%d\n",
-                      sdata->name, params->cw_min, params->cw_max))
+        if (params->cw_min == 0 || params->cw_min > params->cw_max) {
+                /*
+                 * If we can't configure hardware anyway, don't warn. We may
+                 * never have initialized the CW parameters.
+                 */
+                WARN_ONCE(local->ops->conf_tx,
+                          "%s: invalid CW_min/CW_max: %d/%d\n",
+                          sdata->name, params->cw_min, params->cw_max);
                 return -EINVAL;
+        }
 
         trace_drv_conf_tx(local, sdata, ac, params);
         if (local->ops->conf_tx)
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 06aac0aaae64..8dc6580e1787 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -1222,7 +1222,6 @@ static void ieee80211_if_setup(struct net_device *dev)
 static void ieee80211_if_setup_no_queue(struct net_device *dev)
 {
         ieee80211_if_setup(dev);
-        dev->features |= NETIF_F_LLTX;
         dev->priv_flags |= IFF_NO_QUEUE;
 }
 
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index a99ad0325309..4c888dc9bd81 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2042,6 +2042,16 @@ ieee80211_sta_wmm_params(struct ieee80211_local *local,
                 ieee80211_regulatory_limit_wmm_params(sdata, &params[ac], ac);
         }
 
+        /* WMM specification requires all 4 ACIs. */
+        for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+                if (params[ac].cw_min == 0) {
+                        sdata_info(sdata,
+                                   "AP has invalid WMM params (missing AC %d), using defaults\n",
+                                   ac);
+                        return false;
+                }
+        }
+
         for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
                 mlme_dbg(sdata,
                          "WMM AC=%d acm=%d aifs=%d cWmin=%d cWmax=%d txop=%d uapsd=%d, downgraded=%d\n",
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 1b224fa27367..ad1e58184c4e 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -3796,9 +3796,7 @@ int ieee80211_check_combinations(struct ieee80211_sub_if_data *sdata,
         }
 
         /* Always allow software iftypes */
-        if (local->hw.wiphy->software_iftypes & BIT(iftype) ||
-            (iftype == NL80211_IFTYPE_AP_VLAN &&
-             local->hw.wiphy->flags & WIPHY_FLAG_4ADDR_AP)) {
+        if (cfg80211_iftype_allowed(local->hw.wiphy, iftype, 0, 1)) {
                 if (radar_detect)
                         return -EINVAL;
                 return 0;
@@ -3833,7 +3831,8 @@ int ieee80211_check_combinations(struct ieee80211_sub_if_data *sdata,
 
                 if (sdata_iter == sdata ||
                     !ieee80211_sdata_running(sdata_iter) ||
-                    local->hw.wiphy->software_iftypes & BIT(wdev_iter->iftype))
+                    cfg80211_iftype_allowed(local->hw.wiphy,
+                                            wdev_iter->iftype, 0, 1))
                         continue;
 
                 params.iftype_num[wdev_iter->iftype]++;
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 32a45c03786e..0d65f4d39494 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -223,8 +223,6 @@ config NF_CONNTRACK_FTP
           of Network Address Translation on them.
 
           This is FTP support on Layer 3 independent connection tracking.
-          Layer 3 independent connection tracking is experimental scheme
-          which generalize ip_conntrack to support other layer 3 protocols.
 
           To compile it as a module, choose M here.  If unsure, say N.
 
@@ -338,7 +336,7 @@ config NF_CONNTRACK_SIP
         help
           SIP is an application-layer control protocol that can establish,
           modify, and terminate multimedia sessions (conferences) such as
-          Internet telephony calls. With the ip_conntrack_sip and
+          Internet telephony calls. With the nf_conntrack_sip and
           the nf_nat_sip modules you can support the protocol on a connection
           tracking/NATing firewall.
 
@@ -1313,7 +1311,7 @@ config NETFILTER_XT_MATCH_HELPER
         depends on NETFILTER_ADVANCED
         help
           Helper matching allows you to match packets in dynamic connections
-          tracked by a conntrack-helper, ie. ip_conntrack_ftp
+          tracked by a conntrack-helper, ie. nf_conntrack_ftp
 
           To compile it as a module, choose M here.  If unsure, say Y.
 
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index ca7ac4a25ada..1d4e63326e68 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -226,7 +226,7 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb,
 
         e.id = ip_to_id(map, ip);
 
-        if (opt->flags & IPSET_DIM_ONE_SRC)
+        if (opt->flags & IPSET_DIM_TWO_SRC)
                 ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
         else
                 ether_addr_copy(e.ether, eth_hdr(skb)->h_dest);
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 2e151856ad99..e64d5f9a89dd 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1161,7 +1161,7 @@ static int ip_set_rename(struct net *net, struct sock *ctnl,
                 return -ENOENT;
 
         write_lock_bh(&ip_set_ref_lock);
-        if (set->ref != 0) {
+        if (set->ref != 0 || set->ref_netlink != 0) {
                 ret = -IPSET_ERR_REFERENCED;
                 goto out;
         }
diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c
index faf59b6a998f..24d8f4df4230 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmac.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmac.c
@@ -89,15 +89,11 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb,
         struct hash_ipmac4_elem e = { .ip = 0, { .foo[0] = 0, .foo[1] = 0 } };
         struct ip_set_ext ext = IP_SET_INIT_KEXT(skb, opt, set);
 
-         /* MAC can be src only */
-        if (!(opt->flags & IPSET_DIM_TWO_SRC))
-                return 0;
-
         if (skb_mac_header(skb) < skb->head ||
             (skb_mac_header(skb) + ETH_HLEN) > skb->data)
                 return -EINVAL;
 
-        if (opt->flags & IPSET_DIM_ONE_SRC)
+        if (opt->flags & IPSET_DIM_TWO_SRC)
                 ether_addr_copy(e.ether, eth_hdr(skb)->h_source);
         else
                 ether_addr_copy(e.ether, eth_hdr(skb)->h_dest);
diff --git a/net/netfilter/ipvs/ip_vs_nfct.c b/net/netfilter/ipvs/ip_vs_nfct.c
index 403541996952..08adcb222986 100644
--- a/net/netfilter/ipvs/ip_vs_nfct.c
+++ b/net/netfilter/ipvs/ip_vs_nfct.c
@@ -231,7 +231,7 @@ void ip_vs_nfct_expect_related(struct sk_buff *skb, struct nf_conn *ct,
 
         IP_VS_DBG_BUF(7, "%s: ct=%p, expect tuple=" FMT_TUPLE "\n",
                       __func__, ct, ARG_TUPLE(&exp->tuple));
-        nf_ct_expect_related(exp);
+        nf_ct_expect_related(exp, 0);
         nf_ct_expect_put(exp);
 }
 EXPORT_SYMBOL(ip_vs_nfct_expect_related);
diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c
index 42ee659d0d1e..d011d2eb0848 100644
--- a/net/netfilter/nf_conntrack_amanda.c
+++ b/net/netfilter/nf_conntrack_amanda.c
@@ -159,7 +159,7 @@ static int amanda_help(struct sk_buff *skb,
                 if (nf_nat_amanda && ct->status & IPS_NAT_MASK)
                         ret = nf_nat_amanda(skb, ctinfo, protoff,
                                             off - dataoff, len, exp);
-                else if (nf_ct_expect_related(exp) != 0) {
+                else if (nf_ct_expect_related(exp, 0) != 0) {
                         nf_ct_helper_log(skb, ct, "cannot add expectation");
                         ret = NF_DROP;
                 }
diff --git a/net/netfilter/nf_conntrack_broadcast.c b/net/netfilter/nf_conntrack_broadcast.c
index 921a7b95be68..1ba6becc3079 100644
--- a/net/netfilter/nf_conntrack_broadcast.c
+++ b/net/netfilter/nf_conntrack_broadcast.c
@@ -68,7 +68,7 @@ int nf_conntrack_broadcast_help(struct sk_buff *skb,
         exp->class                = NF_CT_EXPECT_CLASS_DEFAULT;
         exp->helper               = NULL;
 
-        nf_ct_expect_related(exp);
+        nf_ct_expect_related(exp, 0);
         nf_ct_expect_put(exp);
 
         nf_ct_refresh(ct, skb, timeout * HZ);
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index bdfeacee0817..a542761e90d1 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1817,9 +1817,7 @@ EXPORT_SYMBOL_GPL(nf_ct_kill_acct);
 #include <linux/netfilter/nfnetlink_conntrack.h>
 #include <linux/mutex.h>
 
-/* Generic function for tcp/udp/sctp/dccp and alike. This needs to be
- * in ip_conntrack_core, since we don't want the protocols to autoload
- * or depend on ctnetlink */
+/* Generic function for tcp/udp/sctp/dccp and alike. */
 int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
                                const struct nf_conntrack_tuple *tuple)
 {
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index ffd1f4906c4f..65364de915d1 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -249,13 +249,22 @@ static inline int expect_clash(const struct nf_conntrack_expect *a,
 static inline int expect_matches(const struct nf_conntrack_expect *a,
                                  const struct nf_conntrack_expect *b)
 {
-        return a->master == b->master &&
-               nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
+        return nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
                nf_ct_tuple_mask_equal(&a->mask, &b->mask) &&
                net_eq(nf_ct_net(a->master), nf_ct_net(b->master)) &&
                nf_ct_zone_equal_any(a->master, nf_ct_zone(b->master));
 }
 
+static bool master_matches(const struct nf_conntrack_expect *a,
+                           const struct nf_conntrack_expect *b,
+                           unsigned int flags)
+{
+        if (flags & NF_CT_EXP_F_SKIP_MASTER)
+                return true;
+
+        return a->master == b->master;
+}
+
 /* Generally a bad idea to call this: could have matched already. */
 void nf_ct_unexpect_related(struct nf_conntrack_expect *exp)
 {
@@ -399,7 +408,8 @@ static void evict_oldest_expect(struct nf_conn *master,
                 nf_ct_remove_expect(last);
 }
 
-static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
+static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect,
+                                       unsigned int flags)
 {
         const struct nf_conntrack_expect_policy *p;
         struct nf_conntrack_expect *i;
@@ -417,8 +427,10 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
         }
         h = nf_ct_expect_dst_hash(net, &expect->tuple);
         hlist_for_each_entry_safe(i, next, &nf_ct_expect_hash[h], hnode) {
-                if (expect_matches(i, expect)) {
-                        if (i->class != expect->class)
+                if (master_matches(i, expect, flags) &&
+                    expect_matches(i, expect)) {
+                        if (i->class != expect->class ||
+                            i->master != expect->master)
                                 return -EALREADY;
 
                         if (nf_ct_remove_expect(i))
@@ -453,12 +465,12 @@ out:
 }
 
 int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
-                                u32 portid, int report)
+                                u32 portid, int report, unsigned int flags)
 {
         int ret;
 
         spin_lock_bh(&nf_conntrack_expect_lock);
-        ret = __nf_ct_expect_check(expect);
+        ret = __nf_ct_expect_check(expect, flags);
         if (ret < 0)
                 goto out;
 
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 8c6c11bab5b6..0ecb3e289ef2 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -525,7 +525,7 @@ skip_nl_seq:
                                  protoff, matchoff, matchlen, exp);
         else {
                 /* Can't expect this?  Best to drop packet now. */
-                if (nf_ct_expect_related(exp) != 0) {
+                if (nf_ct_expect_related(exp, 0) != 0) {
                         nf_ct_helper_log(skb, ct, "cannot add expectation");
                         ret = NF_DROP;
                 } else
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index 8f6ba8162f0b..573cb4481481 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -1,11 +1,10 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
- * ip_conntrack_helper_h323_asn1.c - BER and PER decoding library for H.323
- *                                   conntrack/NAT module.
+ * BER and PER decoding library for H.323 conntrack/NAT module.
  *
  * Copyright (c) 2006 by Jing Min Zhao <zhaojingmin@users.sourceforge.net>
  *
- * See ip_conntrack_helper_h323_asn1.h for details.
+ * See nf_conntrack_helper_h323_asn1.h for details.
  */
 
 #ifdef __KERNEL__
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index 6497e5fc0871..8ba037b76ad3 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -305,8 +305,8 @@ static int expect_rtp_rtcp(struct sk_buff *skb, struct nf_conn *ct,
                 ret = nat_rtp_rtcp(skb, ct, ctinfo, protoff, data, dataoff,
                                    taddr, port, rtp_port, rtp_exp, rtcp_exp);
         } else {                /* Conntrack only */
-                if (nf_ct_expect_related(rtp_exp) == 0) {
-                        if (nf_ct_expect_related(rtcp_exp) == 0) {
+                if (nf_ct_expect_related(rtp_exp, 0) == 0) {
+                        if (nf_ct_expect_related(rtcp_exp, 0) == 0) {
                                 pr_debug("nf_ct_h323: expect RTP ");
                                 nf_ct_dump_tuple(&rtp_exp->tuple);
                                 pr_debug("nf_ct_h323: expect RTCP ");
@@ -364,7 +364,7 @@ static int expect_t120(struct sk_buff *skb,
                 ret = nat_t120(skb, ct, ctinfo, protoff, data, dataoff, taddr,
                                port, exp);
         } else {                /* Conntrack only */
-                if (nf_ct_expect_related(exp) == 0) {
+                if (nf_ct_expect_related(exp, 0) == 0) {
                         pr_debug("nf_ct_h323: expect T.120 ");
                         nf_ct_dump_tuple(&exp->tuple);
                 } else
@@ -701,7 +701,7 @@ static int expect_h245(struct sk_buff *skb, struct nf_conn *ct,
                 ret = nat_h245(skb, ct, ctinfo, protoff, data, dataoff, taddr,
                                port, exp);
         } else {                /* Conntrack only */
-                if (nf_ct_expect_related(exp) == 0) {
+                if (nf_ct_expect_related(exp, 0) == 0) {
                         pr_debug("nf_ct_q931: expect H.245 ");
                         nf_ct_dump_tuple(&exp->tuple);
                 } else
@@ -825,7 +825,7 @@ static int expect_callforwarding(struct sk_buff *skb,
                                          protoff, data, dataoff,
                                          taddr, port, exp);
         } else {                /* Conntrack only */
-                if (nf_ct_expect_related(exp) == 0) {
+                if (nf_ct_expect_related(exp, 0) == 0) {
                         pr_debug("nf_ct_q931: expect Call Forwarding ");
                         nf_ct_dump_tuple(&exp->tuple);
                 } else
@@ -1284,7 +1284,7 @@ static int expect_q931(struct sk_buff *skb, struct nf_conn *ct,
                 ret = nat_q931(skb, ct, ctinfo, protoff, data,
                                taddr, i, port, exp);
         } else {                /* Conntrack only */
-                if (nf_ct_expect_related(exp) == 0) {
+                if (nf_ct_expect_related(exp, 0) == 0) {
                         pr_debug("nf_ct_ras: expect Q.931 ");
                         nf_ct_dump_tuple(&exp->tuple);
 
@@ -1349,7 +1349,7 @@ static int process_gcf(struct sk_buff *skb, struct nf_conn *ct,
                           IPPROTO_UDP, NULL, &port);
         exp->helper = nf_conntrack_helper_ras;
 
-        if (nf_ct_expect_related(exp) == 0) {
+        if (nf_ct_expect_related(exp, 0) == 0) {
                 pr_debug("nf_ct_ras: expect RAS ");
                 nf_ct_dump_tuple(&exp->tuple);
         } else
@@ -1561,7 +1561,7 @@ static int process_acf(struct sk_buff *skb, struct nf_conn *ct,
         exp->flags = NF_CT_EXPECT_PERMANENT;
         exp->helper = nf_conntrack_helper_q931;
 
-        if (nf_ct_expect_related(exp) == 0) {
+        if (nf_ct_expect_related(exp, 0) == 0) {
                 pr_debug("nf_ct_ras: expect Q.931 ");
                 nf_ct_dump_tuple(&exp->tuple);
         } else
@@ -1615,7 +1615,7 @@ static int process_lcf(struct sk_buff *skb, struct nf_conn *ct,
         exp->flags = NF_CT_EXPECT_PERMANENT;
         exp->helper = nf_conntrack_helper_q931;
 
-        if (nf_ct_expect_related(exp) == 0) {
+        if (nf_ct_expect_related(exp, 0) == 0) {
                 pr_debug("nf_ct_ras: expect Q.931 ");
                 nf_ct_dump_tuple(&exp->tuple);
         } else
diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 7ac156f1f3bc..e40988a2f22f 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -213,7 +213,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
                                                  addr_beg_p - ib_ptr,
                                                  addr_end_p - addr_beg_p,
                                                  exp);
-                        else if (nf_ct_expect_related(exp) != 0) {
+                        else if (nf_ct_expect_related(exp, 0) != 0) {
                                 nf_ct_helper_log(skb, ct,
                                                  "cannot add expectation");
                                 ret = NF_DROP;
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 1b77444d5b52..6aa01eb6fe99 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2616,7 +2616,7 @@ ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
         if (IS_ERR(exp))
                 return PTR_ERR(exp);
 
-        err = nf_ct_expect_related_report(exp, portid, report);
+        err = nf_ct_expect_related_report(exp, portid, report, 0);
         nf_ct_expect_put(exp);
         return err;
 }
@@ -3367,7 +3367,7 @@ ctnetlink_create_expect(struct net *net,
                 goto err_rcu;
         }
 
-        err = nf_ct_expect_related_report(exp, portid, report);
+        err = nf_ct_expect_related_report(exp, portid, report, 0);
         nf_ct_expect_put(exp);
 err_rcu:
         rcu_read_unlock();
diff --git a/net/netfilter/nf_conntrack_pptp.c b/net/netfilter/nf_conntrack_pptp.c
index b22042ad0fca..a971183f11af 100644
--- a/net/netfilter/nf_conntrack_pptp.c
+++ b/net/netfilter/nf_conntrack_pptp.c
@@ -234,9 +234,9 @@ static int exp_gre(struct nf_conn *ct, __be16 callid, __be16 peer_callid)
         nf_nat_pptp_exp_gre = rcu_dereference(nf_nat_pptp_hook_exp_gre);
         if (nf_nat_pptp_exp_gre && ct->status & IPS_NAT_MASK)
                 nf_nat_pptp_exp_gre(exp_orig, exp_reply);
-        if (nf_ct_expect_related(exp_orig) != 0)
+        if (nf_ct_expect_related(exp_orig, 0) != 0)
                 goto out_put_both;
-        if (nf_ct_expect_related(exp_reply) != 0)
+        if (nf_ct_expect_related(exp_reply, 0) != 0)
                 goto out_unexpect_orig;
 
         /* Add GRE keymap entries */
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index c2eb365f1723..5b05487a60d2 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -1,7 +1,5 @@
 // SPDX-License-Identifier: GPL-2.0-only
 /*
- * ip_conntrack_proto_gre.c - Version 3.0
- *
  * Connection tracking protocol helper module for GRE.
  *
  * GRE is a generic encapsulation protocol, which is generally not very
diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
index dd53e2b20f6b..097deba7441a 100644
--- a/net/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/netfilter/nf_conntrack_proto_icmp.c
@@ -215,7 +215,7 @@ int nf_conntrack_icmpv4_error(struct nf_conn *tmpl,
                 return -NF_ACCEPT;
         }
 
-        /* See ip_conntrack_proto_tcp.c */
+        /* See nf_conntrack_proto_tcp.c */
         if (state->net->ct.sysctl_checksum &&
             state->hook == NF_INET_PRE_ROUTING &&
             nf_ip_checksum(skb, state->hook, dataoff, IPPROTO_ICMP)) {
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index d5fdfa00d683..85c1f8c213b0 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -472,6 +472,7 @@ static bool tcp_in_window(const struct nf_conn *ct,
         struct ip_ct_tcp_state *receiver = &state->seen[!dir];
         const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
         __u32 seq, ack, sack, end, win, swin;
+        u16 win_raw;
         s32 receiver_offset;
         bool res, in_recv_win;
 
@@ -480,7 +481,8 @@ static bool tcp_in_window(const struct nf_conn *ct,
          */
         seq = ntohl(tcph->seq);
         ack = sack = ntohl(tcph->ack_seq);
-        win = ntohs(tcph->window);
+        win_raw = ntohs(tcph->window);
+        win = win_raw;
         end = segment_seq_plus_len(seq, skb->len, dataoff, tcph);
 
         if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM)
@@ -655,14 +657,14 @@ static bool tcp_in_window(const struct nf_conn *ct,
                             && state->last_seq == seq
                             && state->last_ack == ack
                             && state->last_end == end
-                            && state->last_win == win)
+                            && state->last_win == win_raw)
                                 state->retrans++;
                         else {
                                 state->last_dir = dir;
                                 state->last_seq = seq;
                                 state->last_ack = ack;
                                 state->last_end = end;
-                                state->last_win = win;
+                                state->last_win = win_raw;
                                 state->retrans = 0;
                         }
                 }
diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c
index 81448c3db661..1aebd6569d4e 100644
--- a/net/netfilter/nf_conntrack_sane.c
+++ b/net/netfilter/nf_conntrack_sane.c
@@ -153,7 +153,7 @@ static int help(struct sk_buff *skb,
         nf_ct_dump_tuple(&exp->tuple);
 
         /* Can't expect this?  Best to drop packet now. */
-        if (nf_ct_expect_related(exp) != 0) {
+        if (nf_ct_expect_related(exp, 0) != 0) {
                 nf_ct_helper_log(skb, ct, "cannot add expectation");
                 ret = NF_DROP;
         }
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 107251731809..b83dc9bf0a5d 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -977,11 +977,15 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,
                 /* -EALREADY handling works around end-points that send
                  * SDP messages with identical port but different media type,
                  * we pretend expectation was set up.
+                 * It also works in the case that SDP messages are sent with
+                 * identical expect tuples but for different master conntracks.
                  */
-                int errp = nf_ct_expect_related(rtp_exp);
+                int errp = nf_ct_expect_related(rtp_exp,
+                                                NF_CT_EXP_F_SKIP_MASTER);
 
                 if (errp == 0 || errp == -EALREADY) {
-                        int errcp = nf_ct_expect_related(rtcp_exp);
+                        int errcp = nf_ct_expect_related(rtcp_exp,
+                                                NF_CT_EXP_F_SKIP_MASTER);
 
                         if (errcp == 0 || errcp == -EALREADY)
                                 ret = NF_ACCEPT;
@@ -1296,7 +1300,7 @@ static int process_register_request(struct sk_buff *skb, unsigned int protoff,
                 ret = hooks->expect(skb, protoff, dataoff, dptr, datalen,
                                     exp, matchoff, matchlen);
         else {
-                if (nf_ct_expect_related(exp) != 0) {
+                if (nf_ct_expect_related(exp, 0) != 0) {
                         nf_ct_helper_log(skb, ct, "cannot add expectation");
                         ret = NF_DROP;
                 } else
diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c
index df6d6d61bd58..80ee53f29f68 100644
--- a/net/netfilter/nf_conntrack_tftp.c
+++ b/net/netfilter/nf_conntrack_tftp.c
@@ -78,7 +78,7 @@ static int tftp_help(struct sk_buff *skb,
                 nf_nat_tftp = rcu_dereference(nf_nat_tftp_hook);
                 if (nf_nat_tftp && ct->status & IPS_NAT_MASK)
                         ret = nf_nat_tftp(skb, ctinfo, exp);
-                else if (nf_ct_expect_related(exp) != 0) {
+                else if (nf_ct_expect_related(exp, 0) != 0) {
                         nf_ct_helper_log(skb, ct, "cannot add expectation");
                         ret = NF_DROP;
                 }
diff --git a/net/netfilter/nf_nat_amanda.c b/net/netfilter/nf_nat_amanda.c
index a352604d6186..3bc7e0854efe 100644
--- a/net/netfilter/nf_nat_amanda.c
+++ b/net/netfilter/nf_nat_amanda.c
@@ -48,7 +48,7 @@ static unsigned int help(struct sk_buff *skb,
                 int res;
 
                 exp->tuple.dst.u.tcp.port = htons(port);
-                res = nf_ct_expect_related(exp);
+                res = nf_ct_expect_related(exp, 0);
                 if (res == 0)
                         break;
                 else if (res != -EBUSY) {
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 9ab410455992..3f6023ed4966 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -519,7 +519,7 @@ another_round:
  * and NF_INET_LOCAL_OUT, we change the destination to map into the
  * range. It might not be possible to get a unique tuple, but we try.
  * At worst (or if we race), we will end up with a final duplicate in
- * __ip_conntrack_confirm and drop the packet. */
+ * __nf_conntrack_confirm and drop the packet. */
 static void
 get_unique_tuple(struct nf_conntrack_tuple *tuple,
                  const struct nf_conntrack_tuple *orig_tuple,
diff --git a/net/netfilter/nf_nat_ftp.c b/net/netfilter/nf_nat_ftp.c
index d48484a9d52d..aace6768a64e 100644
--- a/net/netfilter/nf_nat_ftp.c
+++ b/net/netfilter/nf_nat_ftp.c
@@ -91,7 +91,7 @@ static unsigned int nf_nat_ftp(struct sk_buff *skb,
                 int ret;
 
                 exp->tuple.dst.u.tcp.port = htons(port);
-                ret = nf_ct_expect_related(exp);
+                ret = nf_ct_expect_related(exp, 0);
                 if (ret == 0)
                         break;
                 else if (ret != -EBUSY) {
diff --git a/net/netfilter/nf_nat_irc.c b/net/netfilter/nf_nat_irc.c
index dfb7ef8845bd..c691ab8d234c 100644
--- a/net/netfilter/nf_nat_irc.c
+++ b/net/netfilter/nf_nat_irc.c
@@ -53,7 +53,7 @@ static unsigned int help(struct sk_buff *skb,
                 int ret;
 
                 exp->tuple.dst.u.tcp.port = htons(port);
-                ret = nf_ct_expect_related(exp);
+                ret = nf_ct_expect_related(exp, 0);
                 if (ret == 0)
                         break;
                 else if (ret != -EBUSY) {
diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c
index e338d91980d8..f0a735e86851 100644
--- a/net/netfilter/nf_nat_sip.c
+++ b/net/netfilter/nf_nat_sip.c
@@ -414,7 +414,7 @@ static unsigned int nf_nat_sip_expect(struct sk_buff *skb, unsigned int protoff,
                 int ret;
 
                 exp->tuple.dst.u.udp.port = htons(port);
-                ret = nf_ct_expect_related(exp);
+                ret = nf_ct_expect_related(exp, NF_CT_EXP_F_SKIP_MASTER);
                 if (ret == 0)
                         break;
                 else if (ret != -EBUSY) {
@@ -607,7 +607,8 @@ static unsigned int nf_nat_sdp_media(struct sk_buff *skb, unsigned int protoff,
                 int ret;
 
                 rtp_exp->tuple.dst.u.udp.port = htons(port);
-                ret = nf_ct_expect_related(rtp_exp);
+                ret = nf_ct_expect_related(rtp_exp,
+                                           NF_CT_EXP_F_SKIP_MASTER);
                 if (ret == -EBUSY)
                         continue;
                 else if (ret < 0) {
@@ -615,7 +616,8 @@ static unsigned int nf_nat_sdp_media(struct sk_buff *skb, unsigned int protoff,
                         break;
                 }
                 rtcp_exp->tuple.dst.u.udp.port = htons(port + 1);
-                ret = nf_ct_expect_related(rtcp_exp);
+                ret = nf_ct_expect_related(rtcp_exp,
+                                           NF_CT_EXP_F_SKIP_MASTER);
                 if (ret == 0)
                         break;
                 else if (ret == -EBUSY) {
diff --git a/net/netfilter/nf_nat_tftp.c b/net/netfilter/nf_nat_tftp.c
index 833a11f68031..1a591132d6eb 100644
--- a/net/netfilter/nf_nat_tftp.c
+++ b/net/netfilter/nf_nat_tftp.c
@@ -30,7 +30,7 @@ static unsigned int help(struct sk_buff *skb,
                 = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u.udp.port;
         exp->dir = IP_CT_DIR_REPLY;
         exp->expectfn = nf_nat_follow_master;
-        if (nf_ct_expect_related(exp) != 0) {
+        if (nf_ct_expect_related(exp, 0) != 0) {
                 nf_ct_helper_log(skb, exp->master, "cannot add expectation");
                 return NF_DROP;
         }
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index b101f187eda8..c769462a839e 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -470,7 +470,7 @@ synproxy_send_client_synack(struct net *net,
         struct iphdr *iph, *niph;
         struct tcphdr *nth;
         unsigned int tcp_hdr_size;
-        u16 mss = opts->mss;
+        u16 mss = opts->mss_encode;
 
         iph = ip_hdr(skb);
 
@@ -687,7 +687,7 @@ ipv4_synproxy_hook(void *priv, struct sk_buff *skb,
         state = &ct->proto.tcp;
         switch (state->state) {
         case TCP_CONNTRACK_CLOSE:
-                if (th->rst && !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
+                if (th->rst && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) {
                         nf_ct_seqadj_init(ct, ctinfo, synproxy->isn -
                                                       ntohl(th->seq) + 1);
                         break;
@@ -884,7 +884,7 @@ synproxy_send_client_synack_ipv6(struct net *net,
         struct ipv6hdr *iph, *niph;
         struct tcphdr *nth;
         unsigned int tcp_hdr_size;
-        u16 mss = opts->mss;
+        u16 mss = opts->mss_encode;
 
         iph = ipv6_hdr(skb);
 
@@ -1111,7 +1111,7 @@ ipv6_synproxy_hook(void *priv, struct sk_buff *skb,
         state = &ct->proto.tcp;
         switch (state->state) {
         case TCP_CONNTRACK_CLOSE:
-                if (th->rst && !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
+                if (th->rst && CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) {
                         nf_ct_seqadj_init(ct, ctinfo, synproxy->isn -
                                                       ntohl(th->seq) + 1);
                         break;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index ed17a7c29b86..605a7cfe7ca7 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1662,7 +1662,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
 
                 chain->flags |= NFT_BASE_CHAIN | flags;
                 basechain->policy = NF_ACCEPT;
-                INIT_LIST_HEAD(&basechain->cb_list);
+                flow_block_init(&basechain->flow_block);
         } else {
                 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
                 if (chain == NULL)
@@ -1900,6 +1900,8 @@ static int nf_tables_newchain(struct net *net, struct sock *nlsk,
 
         if (nla[NFTA_CHAIN_FLAGS])
                 flags = ntohl(nla_get_be32(nla[NFTA_CHAIN_FLAGS]));
+        else if (chain)
+                flags = chain->flags;
 
         nft_ctx_init(&ctx, net, skb, nlh, family, table, chain, nla);
 
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index 2c3302845f67..64f5fd5f240e 100644
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -116,7 +116,7 @@ static int nft_setup_cb_call(struct nft_base_chain *basechain,
         struct flow_block_cb *block_cb;
         int err;
 
-        list_for_each_entry(block_cb, &basechain->cb_list, list) {
+        list_for_each_entry(block_cb, &basechain->flow_block.cb_list, list) {
                 err = block_cb->cb(type, type_data, block_cb->cb_priv);
                 if (err < 0)
                         return err;
@@ -154,7 +154,7 @@ static int nft_flow_offload_rule(struct nft_trans *trans,
 static int nft_flow_offload_bind(struct flow_block_offload *bo,
                                  struct nft_base_chain *basechain)
 {
-        list_splice(&bo->cb_list, &basechain->cb_list);
+        list_splice(&bo->cb_list, &basechain->flow_block.cb_list);
         return 0;
 }
 
@@ -198,6 +198,7 @@ static int nft_flow_offload_chain(struct nft_trans *trans,
                 return -EOPNOTSUPP;
 
         bo.command = cmd;
+        bo.block = &basechain->flow_block;
         bo.binder_type = FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
         bo.extack = &extack;
         INIT_LIST_HEAD(&bo.cb_list);
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 92077d459109..4abbb452cf6c 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -578,7 +578,7 @@ static int nfnetlink_bind(struct net *net, int group)
         ss = nfnetlink_get_subsys(type << 8);
         rcu_read_unlock();
         if (!ss)
-                request_module("nfnetlink-subsys-%d", type);
+                request_module_nowait("nfnetlink-subsys-%d", type);
         return 0;
 }
 #endif
diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c
index 3fd540b2c6ba..b5d5d071d765 100644
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
@@ -193,7 +193,7 @@ static inline void nft_chain_filter_inet_init(void) {}
 static inline void nft_chain_filter_inet_fini(void) {}
 #endif /* CONFIG_NF_TABLES_IPV6 */
 
-#ifdef CONFIG_NF_TABLES_BRIDGE
+#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
 static unsigned int
 nft_do_chain_bridge(void *priv,
                     struct sk_buff *skb,
diff --git a/net/netfilter/nft_chain_nat.c b/net/netfilter/nft_chain_nat.c
index 2f89bde3c61c..ff9ac8ae0031 100644
--- a/net/netfilter/nft_chain_nat.c
+++ b/net/netfilter/nft_chain_nat.c
@@ -142,3 +142,6 @@ MODULE_ALIAS_NFT_CHAIN(AF_INET, "nat");
 #ifdef CONFIG_NF_TABLES_IPV6
 MODULE_ALIAS_NFT_CHAIN(AF_INET6, "nat");
 #endif
+#ifdef CONFIG_NF_TABLES_INET
+MODULE_ALIAS_NFT_CHAIN(1, "nat");       /* NFPROTO_INET */
+#endif
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 827ab6196df9..46ca8bcca1bd 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1252,7 +1252,7 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj,
                           priv->l4proto, NULL, &priv->dport);
         exp->timeout.expires = jiffies + priv->timeout * HZ;
 
-        if (nf_ct_expect_related(exp) != 0)
+        if (nf_ct_expect_related(exp, 0) != 0)
                 regs->verdict.code = NF_DROP;
 }
 
diff --git a/net/netfilter/nft_hash.c b/net/netfilter/nft_hash.c
index fe93e731dc7f..b836d550b919 100644
--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -129,7 +129,7 @@ static int nft_symhash_init(const struct nft_ctx *ctx,
         priv->dreg = nft_parse_register(tb[NFTA_HASH_DREG]);
 
         priv->modulus = ntohl(nla_get_be32(tb[NFTA_HASH_MODULUS]));
-        if (priv->modulus <= 1)
+        if (priv->modulus < 1)
                 return -ERANGE;
 
         if (priv->offset + priv->modulus - 1 < priv->offset)
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 76866f77e343..f69afb9ff3cb 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -60,24 +60,16 @@ void nft_meta_get_eval(const struct nft_expr *expr,
                 *dest = skb->mark;
                 break;
         case NFT_META_IIF:
-                if (in == NULL)
-                        goto err;
-                *dest = in->ifindex;
+                *dest = in ? in->ifindex : 0;
                 break;
         case NFT_META_OIF:
-                if (out == NULL)
-                        goto err;
-                *dest = out->ifindex;
+                *dest = out ? out->ifindex : 0;
                 break;
         case NFT_META_IIFNAME:
-                if (in == NULL)
-                        goto err;
-                strncpy((char *)dest, in->name, IFNAMSIZ);
+                strncpy((char *)dest, in ? in->name : "", IFNAMSIZ);
                 break;
         case NFT_META_OIFNAME:
-                if (out == NULL)
-                        goto err;
-                strncpy((char *)dest, out->name, IFNAMSIZ);
+                strncpy((char *)dest, out ? out->name : "", IFNAMSIZ);
                 break;
         case NFT_META_IIFTYPE:
                 if (in == NULL)
@@ -546,7 +538,7 @@ nft_meta_select_ops(const struct nft_ctx *ctx,
         if (tb[NFTA_META_DREG] && tb[NFTA_META_SREG])
                 return ERR_PTR(-EINVAL);
 
-#ifdef CONFIG_NF_TABLES_BRIDGE
+#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) && IS_MODULE(CONFIG_NFT_BRIDGE_META)
         if (ctx->family == NFPROTO_BRIDGE)
                 return ERR_PTR(-EAGAIN);
 #endif
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
index 8487eeff5c0e..43eeb1f609f1 100644
--- a/net/netfilter/nft_redir.c
+++ b/net/netfilter/nft_redir.c
@@ -291,4 +291,4 @@ module_exit(nft_redir_module_exit);
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo@debian.org>");
-MODULE_ALIAS_NFT_EXPR("nat");
+MODULE_ALIAS_NFT_EXPR("redir");
diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c
index 80060ade8a5b..928e661d1517 100644
--- a/net/netfilter/nft_synproxy.c
+++ b/net/netfilter/nft_synproxy.c
@@ -31,6 +31,8 @@ static void nft_synproxy_tcp_options(struct synproxy_options *opts,
                 opts->options |= NF_SYNPROXY_OPT_ECN;
 
         opts->options &= priv->info.options;
+        opts->mss_encode = opts->mss;
+        opts->mss = info->mss;
         if (opts->options & NF_SYNPROXY_OPT_TIMESTAMP)
                 synproxy_init_timestamp_cookie(info, opts);
         else
diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 96740d389377..c4f54ad2b98a 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -967,6 +967,7 @@ int nr_rx_frame(struct sk_buff *skb, struct net_device *dev)
 
         window = skb->data[20];
 
+        sock_hold(make);
         skb->sk             = make;
         skb->destructor     = sock_efree;
         make->sk_state      = TCP_ESTABLISHED;
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 892287d06c17..d01410e52097 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -1047,7 +1047,7 @@ error:
 }
 
 /* Factor out action copy to avoid "Wframe-larger-than=1024" warning. */
-static struct sw_flow_actions *get_flow_actions(struct net *net,
+static noinline_for_stack struct sw_flow_actions *get_flow_actions(struct net *net,
                                                 const struct nlattr *a,
                                                 const struct sw_flow_key *key,
                                                 const struct sw_flow_mask *mask,
@@ -1081,12 +1081,13 @@ static struct sw_flow_actions *get_flow_actions(struct net *net,
  * we should not to return match object with dangling reference
  * to mask.
  * */
-static int ovs_nla_init_match_and_action(struct net *net,
-                                         struct sw_flow_match *match,
-                                         struct sw_flow_key *key,
-                                         struct nlattr **a,
-                                         struct sw_flow_actions **acts,
-                                         bool log)
+static noinline_for_stack int
+ovs_nla_init_match_and_action(struct net *net,
+                              struct sw_flow_match *match,
+                              struct sw_flow_key *key,
+                              struct nlattr **a,
+                              struct sw_flow_actions **acts,
+                              bool log)
 {
         struct sw_flow_mask mask;
         int error = 0;
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index dca3b1e2acf0..bc89e16e0505 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -59,7 +59,7 @@ u64 ovs_flow_used_time(unsigned long flow_jiffies)
 void ovs_flow_stats_update(struct sw_flow *flow, __be16 tcp_flags,
                            const struct sk_buff *skb)
 {
-        struct flow_stats *stats;
+        struct sw_flow_stats *stats;
         unsigned int cpu = smp_processor_id();
         int len = skb->len + (skb_vlan_tag_present(skb) ? VLAN_HLEN : 0);
 
@@ -87,7 +87,7 @@ void ovs_flow_stats_update(struct sw_flow *flow, __be16 tcp_flags,
                         if (likely(flow->stats_last_writer != -1) &&
                             likely(!rcu_access_pointer(flow->stats[cpu]))) {
                                 /* Try to allocate CPU-specific stats. */
-                                struct flow_stats *new_stats;
+                                struct sw_flow_stats *new_stats;
 
                                 new_stats =
                                         kmem_cache_alloc_node(flow_stats_cache,
@@ -134,7 +134,7 @@ void ovs_flow_stats_get(const struct sw_flow *flow,
 
         /* We open code this to make sure cpu 0 is always considered */
         for (cpu = 0; cpu < nr_cpu_ids; cpu = cpumask_next(cpu, &flow->cpu_used_mask)) {
-                struct flow_stats *stats = rcu_dereference_ovsl(flow->stats[cpu]);
+                struct sw_flow_stats *stats = rcu_dereference_ovsl(flow->stats[cpu]);
 
                 if (stats) {
                         /* Local CPU may write on non-local stats, so we must
@@ -158,7 +158,7 @@ void ovs_flow_stats_clear(struct sw_flow *flow)
 
         /* We open code this to make sure cpu 0 is always considered */
         for (cpu = 0; cpu < nr_cpu_ids; cpu = cpumask_next(cpu, &flow->cpu_used_mask)) {
-                struct flow_stats *stats = ovsl_dereference(flow->stats[cpu]);
+                struct sw_flow_stats *stats = ovsl_dereference(flow->stats[cpu]);
 
                 if (stats) {
                         spin_lock_bh(&stats->lock);
diff --git a/net/openvswitch/flow.h b/net/openvswitch/flow.h
index 3e2cc2202d66..a5506e2d4b7a 100644
--- a/net/openvswitch/flow.h
+++ b/net/openvswitch/flow.h
@@ -194,7 +194,7 @@ struct sw_flow_actions {
         struct nlattr actions[];
 };
 
-struct flow_stats {
+struct sw_flow_stats {
         u64 packet_count;               /* Number of packets matched. */
         u64 byte_count;                 /* Number of bytes matched. */
         unsigned long used;             /* Last used time (in jiffies). */
@@ -216,7 +216,7 @@ struct sw_flow {
         struct cpumask cpu_used_mask;
         struct sw_flow_mask *mask;
         struct sw_flow_actions __rcu *sf_acts;
-        struct flow_stats __rcu *stats[]; /* One for each CPU.  First one
+        struct sw_flow_stats __rcu *stats[]; /* One for each CPU.  First one
                                            * is allocated at flow creation time,
                                            * the rest are allocated on demand
                                            * while holding the 'stats[0].lock'.
diff --git a/net/openvswitch/flow_table.c b/net/openvswitch/flow_table.c
index 988fd8a94e43..cf3582c5ed70 100644
--- a/net/openvswitch/flow_table.c
+++ b/net/openvswitch/flow_table.c
@@ -66,7 +66,7 @@ void ovs_flow_mask_key(struct sw_flow_key *dst, const struct sw_flow_key *src,
 struct sw_flow *ovs_flow_alloc(void)
 {
         struct sw_flow *flow;
-        struct flow_stats *stats;
+        struct sw_flow_stats *stats;
 
         flow = kmem_cache_zalloc(flow_cache, GFP_KERNEL);
         if (!flow)
@@ -110,7 +110,7 @@ static void flow_free(struct sw_flow *flow)
         for (cpu = 0; cpu < nr_cpu_ids; cpu = cpumask_next(cpu, &flow->cpu_used_mask))
                 if (flow->stats[cpu])
                         kmem_cache_free(flow_stats_cache,
-                                        (struct flow_stats __force *)flow->stats[cpu]);
+                                        (struct sw_flow_stats __force *)flow->stats[cpu]);
         kmem_cache_free(flow_cache, flow);
 }
 
@@ -712,13 +712,13 @@ int ovs_flow_init(void)
 
         flow_cache = kmem_cache_create("sw_flow", sizeof(struct sw_flow)
                                        + (nr_cpu_ids
-                                          * sizeof(struct flow_stats *)),
+                                          * sizeof(struct sw_flow_stats *)),
                                        0, 0, NULL);
         if (flow_cache == NULL)
                 return -ENOMEM;
 
         flow_stats_cache
-                = kmem_cache_create("sw_flow_stats", sizeof(struct flow_stats),
+                = kmem_cache_create("sw_flow_stats", sizeof(struct sw_flow_stats),
                                     0, SLAB_HWCACHE_ALIGN, NULL);
         if (flow_stats_cache == NULL) {
                 kmem_cache_destroy(flow_cache);
diff --git a/net/rds/rdma_transport.c b/net/rds/rdma_transport.c
index ff74c4bbb9fc..9986d6065c4d 100644
--- a/net/rds/rdma_transport.c
+++ b/net/rds/rdma_transport.c
@@ -105,7 +105,8 @@ static int rds_rdma_cm_event_handler_cmn(struct rdma_cm_id *cm_id,
                 break;
 
         case RDMA_CM_EVENT_ESTABLISHED:
-                trans->cm_connect_complete(conn, event);
+                if (conn)
+                        trans->cm_connect_complete(conn, event);
                 break;
 
         case RDMA_CM_EVENT_REJECTED:
@@ -137,6 +138,8 @@ static int rds_rdma_cm_event_handler_cmn(struct rdma_cm_id *cm_id,
                 break;
 
         case RDMA_CM_EVENT_DISCONNECTED:
+                if (!conn)
+                        break;
                 rdsdebug("DISCONNECT event - dropping connection "
                          "%pI6c->%pI6c\n", &conn->c_laddr,
                          &conn->c_faddr);
diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index 80335b4ee4fd..822f45386e31 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -1061,6 +1061,7 @@ void rxrpc_destroy_all_peers(struct rxrpc_net *);
 struct rxrpc_peer *rxrpc_get_peer(struct rxrpc_peer *);
 struct rxrpc_peer *rxrpc_get_peer_maybe(struct rxrpc_peer *);
 void rxrpc_put_peer(struct rxrpc_peer *);
+void rxrpc_put_peer_locked(struct rxrpc_peer *);
 
 /*
  * proc.c
diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
index 9f2f45c09e58..7666ec72d37e 100644
--- a/net/rxrpc/peer_event.c
+++ b/net/rxrpc/peer_event.c
@@ -378,7 +378,7 @@ static void rxrpc_peer_keepalive_dispatch(struct rxrpc_net *rxnet,
                 spin_lock_bh(&rxnet->peer_hash_lock);
                 list_add_tail(&peer->keepalive_link,
                               &rxnet->peer_keepalive[slot & mask]);
-                rxrpc_put_peer(peer);
+                rxrpc_put_peer_locked(peer);
         }
 
         spin_unlock_bh(&rxnet->peer_hash_lock);
diff --git a/net/rxrpc/peer_object.c b/net/rxrpc/peer_object.c
index 9d3ce81cf8ae..9c3ac96f71cb 100644
--- a/net/rxrpc/peer_object.c
+++ b/net/rxrpc/peer_object.c
@@ -437,6 +437,24 @@ void rxrpc_put_peer(struct rxrpc_peer *peer)
 }
 
 /*
+ * Drop a ref on a peer record where the caller already holds the
+ * peer_hash_lock.
+ */
+void rxrpc_put_peer_locked(struct rxrpc_peer *peer)
+{
+        const void *here = __builtin_return_address(0);
+        int n;
+
+        n = atomic_dec_return(&peer->usage);
+        trace_rxrpc_peer(peer, rxrpc_peer_put, n, here);
+        if (n == 0) {
+                hash_del_rcu(&peer->hash_link);
+                list_del_init(&peer->keepalive_link);
+                kfree_rcu(peer, rcu);
+        }
+}
+
+/*
  * Make sure all peer records have been discarded.
  */
 void rxrpc_destroy_all_peers(struct rxrpc_net *rxnet)
diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index 5d3f33ce6d41..bae14438f869 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -226,6 +226,7 @@ static int rxrpc_queue_packet(struct rxrpc_sock *rx, struct rxrpc_call *call,
                         rxrpc_set_call_completion(call,
                                                   RXRPC_CALL_LOCAL_ERROR,
                                                   0, ret);
+                        rxrpc_notify_socket(call);
                         goto out;
                 }
                 _debug("need instant resend %d", ret);
diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
index 8126b26f125e..fd1f7e799e23 100644
--- a/net/sched/act_bpf.c
+++ b/net/sched/act_bpf.c
@@ -285,6 +285,7 @@ static int tcf_bpf_init(struct net *net, struct nlattr *nla,
         struct tcf_bpf *prog;
         bool is_bpf, is_ebpf;
         int ret, res = 0;
+        u32 index;
 
         if (!nla)
                 return -EINVAL;
@@ -298,13 +299,13 @@ static int tcf_bpf_init(struct net *net, struct nlattr *nla,
                 return -EINVAL;
 
         parm = nla_data(tb[TCA_ACT_BPF_PARMS]);
-
-        ret = tcf_idr_check_alloc(tn, &parm->index, act, bind);
+        index = parm->index;
+        ret = tcf_idr_check_alloc(tn, &index, act, bind);
         if (!ret) {
-                ret = tcf_idr_create(tn, parm->index, est, act,
+                ret = tcf_idr_create(tn, index, est, act,
                                      &act_bpf_ops, bind, true);
                 if (ret < 0) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
 
diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c
index ce36b0f7e1dc..32ac04d77a45 100644
--- a/net/sched/act_connmark.c
+++ b/net/sched/act_connmark.c
@@ -103,6 +103,7 @@ static int tcf_connmark_init(struct net *net, struct nlattr *nla,
         struct tcf_connmark_info *ci;
         struct tc_connmark *parm;
         int ret = 0, err;
+        u32 index;
 
         if (!nla)
                 return -EINVAL;
@@ -116,13 +117,13 @@ static int tcf_connmark_init(struct net *net, struct nlattr *nla,
                 return -EINVAL;
 
         parm = nla_data(tb[TCA_CONNMARK_PARMS]);
-
-        ret = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        index = parm->index;
+        ret = tcf_idr_check_alloc(tn, &index, a, bind);
         if (!ret) {
-                ret = tcf_idr_create(tn, parm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_connmark_ops, bind, false);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
 
diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
index 621fb22ce2a9..9b9288267a54 100644
--- a/net/sched/act_csum.c
+++ b/net/sched/act_csum.c
@@ -52,6 +52,7 @@ static int tcf_csum_init(struct net *net, struct nlattr *nla,
         struct tc_csum *parm;
         struct tcf_csum *p;
         int ret = 0, err;
+        u32 index;
 
         if (nla == NULL)
                 return -EINVAL;
@@ -64,13 +65,13 @@ static int tcf_csum_init(struct net *net, struct nlattr *nla,
         if (tb[TCA_CSUM_PARMS] == NULL)
                 return -EINVAL;
         parm = nla_data(tb[TCA_CSUM_PARMS]);
-
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        index = parm->index;
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (!err) {
-                ret = tcf_idr_create(tn, parm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_csum_ops, bind, true);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
                 ret = ACT_P_CREATED;
diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index b501ce0cf116..33a1a7406e87 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -666,6 +666,7 @@ static int tcf_ct_init(struct net *net, struct nlattr *nla,
         struct tc_ct *parm;
         struct tcf_ct *c;
         int err, res = 0;
+        u32 index;
 
         if (!nla) {
                 NL_SET_ERR_MSG_MOD(extack, "Ct requires attributes to be passed");
@@ -681,16 +682,16 @@ static int tcf_ct_init(struct net *net, struct nlattr *nla,
                 return -EINVAL;
         }
         parm = nla_data(tb[TCA_CT_PARMS]);
-
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        index = parm->index;
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (err < 0)
                 return err;
 
         if (!err) {
-                err = tcf_idr_create(tn, parm->index, est, a,
+                err = tcf_idr_create(tn, index, est, a,
                                      &act_ct_ops, bind, true);
                 if (err) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return err;
                 }
                 res = ACT_P_CREATED;
diff --git a/net/sched/act_ctinfo.c b/net/sched/act_ctinfo.c
index 10eb2bb99861..06ef74b74911 100644
--- a/net/sched/act_ctinfo.c
+++ b/net/sched/act_ctinfo.c
@@ -157,10 +157,10 @@ static int tcf_ctinfo_init(struct net *net, struct nlattr *nla,
                            struct netlink_ext_ack *extack)
 {
         struct tc_action_net *tn = net_generic(net, ctinfo_net_id);
+        u32 dscpmask = 0, dscpstatemask, index;
         struct nlattr *tb[TCA_CTINFO_MAX + 1];
         struct tcf_ctinfo_params *cp_new;
         struct tcf_chain *goto_ch = NULL;
-        u32 dscpmask = 0, dscpstatemask;
         struct tc_ctinfo *actparm;
         struct tcf_ctinfo *ci;
         u8 dscpmaskshift;
@@ -206,12 +206,13 @@ static int tcf_ctinfo_init(struct net *net, struct nlattr *nla,
         }
 
         /* done the validation:now to the actual action allocation */
-        err = tcf_idr_check_alloc(tn, &actparm->index, a, bind);
+        index = actparm->index;
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (!err) {
-                ret = tcf_idr_create(tn, actparm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_ctinfo_ops, bind, false);
                 if (ret) {
-                        tcf_idr_cleanup(tn, actparm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
                 ret = ACT_P_CREATED;
diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
index b2380c5284e6..8f0140c6ca58 100644
--- a/net/sched/act_gact.c
+++ b/net/sched/act_gact.c
@@ -61,6 +61,7 @@ static int tcf_gact_init(struct net *net, struct nlattr *nla,
         struct tc_gact *parm;
         struct tcf_gact *gact;
         int ret = 0;
+        u32 index;
         int err;
 #ifdef CONFIG_GACT_PROB
         struct tc_gact_p *p_parm = NULL;
@@ -77,6 +78,7 @@ static int tcf_gact_init(struct net *net, struct nlattr *nla,
         if (tb[TCA_GACT_PARMS] == NULL)
                 return -EINVAL;
         parm = nla_data(tb[TCA_GACT_PARMS]);
+        index = parm->index;
 
 #ifndef CONFIG_GACT_PROB
         if (tb[TCA_GACT_PROB] != NULL)
@@ -94,12 +96,12 @@ static int tcf_gact_init(struct net *net, struct nlattr *nla,
         }
 #endif
 
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (!err) {
-                ret = tcf_idr_create(tn, parm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_gact_ops, bind, true);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
                 ret = ACT_P_CREATED;
diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
index 41d5398dd2f2..92ee853d43e6 100644
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -479,8 +479,14 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
         u8 *saddr = NULL;
         bool exists = false;
         int ret = 0;
+        u32 index;
         int err;
 
+        if (!nla) {
+                NL_SET_ERR_MSG_MOD(extack, "IFE requires attributes to be passed");
+                return -EINVAL;
+        }
+
         err = nla_parse_nested_deprecated(tb, TCA_IFE_MAX, nla, ife_policy,
                                           NULL);
         if (err < 0)
@@ -502,7 +508,8 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
         if (!p)
                 return -ENOMEM;
 
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        index = parm->index;
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (err < 0) {
                 kfree(p);
                 return err;
@@ -514,10 +521,10 @@ static int tcf_ife_init(struct net *net, struct nlattr *nla,
         }
 
         if (!exists) {
-                ret = tcf_idr_create(tn, parm->index, est, a, &act_ife_ops,
+                ret = tcf_idr_create(tn, index, est, a, &act_ife_ops,
                                      bind, true);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         kfree(p);
                         return ret;
                 }
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index 055faa298c8e..be3f88dfc37e 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -104,6 +104,7 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla,
         struct net_device *dev;
         bool exists = false;
         int ret, err;
+        u32 index;
 
         if (!nla) {
                 NL_SET_ERR_MSG_MOD(extack, "Mirred requires attributes to be passed");
@@ -118,8 +119,8 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla,
                 return -EINVAL;
         }
         parm = nla_data(tb[TCA_MIRRED_PARMS]);
-
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        index = parm->index;
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (err < 0)
                 return err;
         exists = err;
@@ -136,21 +137,21 @@ static int tcf_mirred_init(struct net *net, struct nlattr *nla,
                 if (exists)
                         tcf_idr_release(*a, bind);
                 else
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                 NL_SET_ERR_MSG_MOD(extack, "Unknown mirred option");
                 return -EINVAL;
         }
 
         if (!exists) {
                 if (!parm->ifindex) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         NL_SET_ERR_MSG_MOD(extack, "Specified device does not exist");
                         return -EINVAL;
                 }
-                ret = tcf_idr_create(tn, parm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_mirred_ops, bind, true);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
                 ret = ACT_P_CREATED;
diff --git a/net/sched/act_mpls.c b/net/sched/act_mpls.c
index ca2597ce4ac9..0f299e3b618c 100644
--- a/net/sched/act_mpls.c
+++ b/net/sched/act_mpls.c
@@ -138,6 +138,7 @@ static int tcf_mpls_init(struct net *net, struct nlattr *nla,
         struct tcf_mpls *m;
         int ret = 0, err;
         u8 mpls_ttl = 0;
+        u32 index;
 
         if (!nla) {
                 NL_SET_ERR_MSG_MOD(extack, "Missing netlink attributes");
@@ -153,6 +154,7 @@ static int tcf_mpls_init(struct net *net, struct nlattr *nla,
                 return -EINVAL;
         }
         parm = nla_data(tb[TCA_MPLS_PARMS]);
+        index = parm->index;
 
         /* Verify parameters against action type. */
         switch (parm->m_action) {
@@ -209,7 +211,7 @@ static int tcf_mpls_init(struct net *net, struct nlattr *nla,
                 return -EINVAL;
         }
 
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (err < 0)
                 return err;
         exists = err;
@@ -217,10 +219,10 @@ static int tcf_mpls_init(struct net *net, struct nlattr *nla,
                 return 0;
 
         if (!exists) {
-                ret = tcf_idr_create(tn, parm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_mpls_ops, bind, true);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
 
diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c
index 45923ebb7a4f..7b858c11b1b5 100644
--- a/net/sched/act_nat.c
+++ b/net/sched/act_nat.c
@@ -44,6 +44,7 @@ static int tcf_nat_init(struct net *net, struct nlattr *nla, struct nlattr *est,
         struct tc_nat *parm;
         int ret = 0, err;
         struct tcf_nat *p;
+        u32 index;
 
         if (nla == NULL)
                 return -EINVAL;
@@ -56,13 +57,13 @@ static int tcf_nat_init(struct net *net, struct nlattr *nla, struct nlattr *est,
         if (tb[TCA_NAT_PARMS] == NULL)
                 return -EINVAL;
         parm = nla_data(tb[TCA_NAT_PARMS]);
-
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        index = parm->index;
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (!err) {
-                ret = tcf_idr_create(tn, parm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_nat_ops, bind, false);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
                 ret = ACT_P_CREATED;
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 45e9d6bfddb3..17360c6faeaa 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -149,6 +149,7 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
         struct tcf_pedit *p;
         int ret = 0, err;
         int ksize;
+        u32 index;
 
         if (!nla) {
                 NL_SET_ERR_MSG_MOD(extack, "Pedit requires attributes to be passed");
@@ -179,18 +180,19 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
         if (IS_ERR(keys_ex))
                 return PTR_ERR(keys_ex);
 
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        index = parm->index;
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (!err) {
                 if (!parm->nkeys) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         NL_SET_ERR_MSG_MOD(extack, "Pedit requires keys to be passed");
                         ret = -EINVAL;
                         goto out_free;
                 }
-                ret = tcf_idr_create(tn, parm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_pedit_ops, bind, false);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         goto out_free;
                 }
                 ret = ACT_P_CREATED;
diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index a065f62fa79c..49cec3e64a4d 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -57,6 +57,7 @@ static int tcf_police_init(struct net *net, struct nlattr *nla,
         struct tc_action_net *tn = net_generic(net, police_net_id);
         struct tcf_police_params *new;
         bool exists = false;
+        u32 index;
 
         if (nla == NULL)
                 return -EINVAL;
@@ -73,7 +74,8 @@ static int tcf_police_init(struct net *net, struct nlattr *nla,
                 return -EINVAL;
 
         parm = nla_data(tb[TCA_POLICE_TBF]);
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        index = parm->index;
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (err < 0)
                 return err;
         exists = err;
@@ -81,10 +83,10 @@ static int tcf_police_init(struct net *net, struct nlattr *nla,
                 return 0;
 
         if (!exists) {
-                ret = tcf_idr_create(tn, parm->index, NULL, a,
+                ret = tcf_idr_create(tn, index, NULL, a,
                                      &act_police_ops, bind, true);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
                 ret = ACT_P_CREATED;
diff --git a/net/sched/act_sample.c b/net/sched/act_sample.c
index 274d7a0c0e25..595308d60133 100644
--- a/net/sched/act_sample.c
+++ b/net/sched/act_sample.c
@@ -41,8 +41,8 @@ static int tcf_sample_init(struct net *net, struct nlattr *nla,
         struct tc_action_net *tn = net_generic(net, sample_net_id);
         struct nlattr *tb[TCA_SAMPLE_MAX + 1];
         struct psample_group *psample_group;
+        u32 psample_group_num, rate, index;
         struct tcf_chain *goto_ch = NULL;
-        u32 psample_group_num, rate;
         struct tc_sample *parm;
         struct tcf_sample *s;
         bool exists = false;
@@ -59,8 +59,8 @@ static int tcf_sample_init(struct net *net, struct nlattr *nla,
                 return -EINVAL;
 
         parm = nla_data(tb[TCA_SAMPLE_PARMS]);
-
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        index = parm->index;
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (err < 0)
                 return err;
         exists = err;
@@ -68,10 +68,10 @@ static int tcf_sample_init(struct net *net, struct nlattr *nla,
                 return 0;
 
         if (!exists) {
-                ret = tcf_idr_create(tn, parm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_sample_ops, bind, true);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
                 ret = ACT_P_CREATED;
diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
index f28ddbabff76..33aefa25b545 100644
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -95,6 +95,7 @@ static int tcf_simp_init(struct net *net, struct nlattr *nla,
         struct tcf_defact *d;
         bool exists = false;
         int ret = 0, err;
+        u32 index;
 
         if (nla == NULL)
                 return -EINVAL;
@@ -108,7 +109,8 @@ static int tcf_simp_init(struct net *net, struct nlattr *nla,
                 return -EINVAL;
 
         parm = nla_data(tb[TCA_DEF_PARMS]);
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        index = parm->index;
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (err < 0)
                 return err;
         exists = err;
@@ -119,15 +121,15 @@ static int tcf_simp_init(struct net *net, struct nlattr *nla,
                 if (exists)
                         tcf_idr_release(*a, bind);
                 else
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                 return -EINVAL;
         }
 
         if (!exists) {
-                ret = tcf_idr_create(tn, parm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_simp_ops, bind, false);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
 
diff --git a/net/sched/act_skbedit.c b/net/sched/act_skbedit.c
index 215a06705cef..b100870f02a6 100644
--- a/net/sched/act_skbedit.c
+++ b/net/sched/act_skbedit.c
@@ -99,6 +99,7 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
         u16 *queue_mapping = NULL, *ptype = NULL;
         bool exists = false;
         int ret = 0, err;
+        u32 index;
 
         if (nla == NULL)
                 return -EINVAL;
@@ -146,8 +147,8 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
         }
 
         parm = nla_data(tb[TCA_SKBEDIT_PARMS]);
-
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        index = parm->index;
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (err < 0)
                 return err;
         exists = err;
@@ -158,15 +159,15 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
                 if (exists)
                         tcf_idr_release(*a, bind);
                 else
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                 return -EINVAL;
         }
 
         if (!exists) {
-                ret = tcf_idr_create(tn, parm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_skbedit_ops, bind, true);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
 
diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c
index 4f07706eff07..7da3518e18ef 100644
--- a/net/sched/act_skbmod.c
+++ b/net/sched/act_skbmod.c
@@ -87,12 +87,12 @@ static int tcf_skbmod_init(struct net *net, struct nlattr *nla,
         struct tcf_skbmod_params *p, *p_old;
         struct tcf_chain *goto_ch = NULL;
         struct tc_skbmod *parm;
+        u32 lflags = 0, index;
         struct tcf_skbmod *d;
         bool exists = false;
         u8 *daddr = NULL;
         u8 *saddr = NULL;
         u16 eth_type = 0;
-        u32 lflags = 0;
         int ret = 0, err;
 
         if (!nla)
@@ -122,10 +122,11 @@ static int tcf_skbmod_init(struct net *net, struct nlattr *nla,
         }
 
         parm = nla_data(tb[TCA_SKBMOD_PARMS]);
+        index = parm->index;
         if (parm->flags & SKBMOD_F_SWAPMAC)
                 lflags = SKBMOD_F_SWAPMAC;
 
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (err < 0)
                 return err;
         exists = err;
@@ -136,15 +137,15 @@ static int tcf_skbmod_init(struct net *net, struct nlattr *nla,
                 if (exists)
                         tcf_idr_release(*a, bind);
                 else
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                 return -EINVAL;
         }
 
         if (!exists) {
-                ret = tcf_idr_create(tn, parm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_skbmod_ops, bind, true);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
 
diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c
index 10dffda1d5cc..6d0debdc9b97 100644
--- a/net/sched/act_tunnel_key.c
+++ b/net/sched/act_tunnel_key.c
@@ -225,6 +225,7 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
         __be16 flags = 0;
         u8 tos, ttl;
         int ret = 0;
+        u32 index;
         int err;
 
         if (!nla) {
@@ -245,7 +246,8 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
         }
 
         parm = nla_data(tb[TCA_TUNNEL_KEY_PARMS]);
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        index = parm->index;
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (err < 0)
                 return err;
         exists = err;
@@ -345,7 +347,7 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
         }
 
         if (!exists) {
-                ret = tcf_idr_create(tn, parm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_tunnel_key_ops, bind, true);
                 if (ret) {
                         NL_SET_ERR_MSG(extack, "Cannot create TC IDR");
@@ -403,7 +405,7 @@ err_out:
         if (exists)
                 tcf_idr_release(*a, bind);
         else
-                tcf_idr_cleanup(tn, parm->index);
+                tcf_idr_cleanup(tn, index);
         return ret;
 }
 
diff --git a/net/sched/act_vlan.c b/net/sched/act_vlan.c
index 9269d350fb8a..a3c9eea1ee8a 100644
--- a/net/sched/act_vlan.c
+++ b/net/sched/act_vlan.c
@@ -116,6 +116,7 @@ static int tcf_vlan_init(struct net *net, struct nlattr *nla,
         u8 push_prio = 0;
         bool exists = false;
         int ret = 0, err;
+        u32 index;
 
         if (!nla)
                 return -EINVAL;
@@ -128,7 +129,8 @@ static int tcf_vlan_init(struct net *net, struct nlattr *nla,
         if (!tb[TCA_VLAN_PARMS])
                 return -EINVAL;
         parm = nla_data(tb[TCA_VLAN_PARMS]);
-        err = tcf_idr_check_alloc(tn, &parm->index, a, bind);
+        index = parm->index;
+        err = tcf_idr_check_alloc(tn, &index, a, bind);
         if (err < 0)
                 return err;
         exists = err;
@@ -144,7 +146,7 @@ static int tcf_vlan_init(struct net *net, struct nlattr *nla,
                         if (exists)
                                 tcf_idr_release(*a, bind);
                         else
-                                tcf_idr_cleanup(tn, parm->index);
+                                tcf_idr_cleanup(tn, index);
                         return -EINVAL;
                 }
                 push_vid = nla_get_u16(tb[TCA_VLAN_PUSH_VLAN_ID]);
@@ -152,7 +154,7 @@ static int tcf_vlan_init(struct net *net, struct nlattr *nla,
                         if (exists)
                                 tcf_idr_release(*a, bind);
                         else
-                                tcf_idr_cleanup(tn, parm->index);
+                                tcf_idr_cleanup(tn, index);
                         return -ERANGE;
                 }
 
@@ -166,7 +168,7 @@ static int tcf_vlan_init(struct net *net, struct nlattr *nla,
                                 if (exists)
                                         tcf_idr_release(*a, bind);
                                 else
-                                        tcf_idr_cleanup(tn, parm->index);
+                                        tcf_idr_cleanup(tn, index);
                                 return -EPROTONOSUPPORT;
                         }
                 } else {
@@ -180,16 +182,16 @@ static int tcf_vlan_init(struct net *net, struct nlattr *nla,
                 if (exists)
                         tcf_idr_release(*a, bind);
                 else
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                 return -EINVAL;
         }
         action = parm->v_action;
 
         if (!exists) {
-                ret = tcf_idr_create(tn, parm->index, est, a,
+                ret = tcf_idr_create(tn, index, est, a,
                                      &act_vlan_ops, bind, true);
                 if (ret) {
-                        tcf_idr_cleanup(tn, parm->index);
+                        tcf_idr_cleanup(tn, index);
                         return ret;
                 }
 
@@ -306,6 +308,14 @@ static int tcf_vlan_search(struct net *net, struct tc_action **a, u32 index)
         return tcf_idr_search(tn, a, index);
 }
 
+static size_t tcf_vlan_get_fill_size(const struct tc_action *act)
+{
+        return nla_total_size(sizeof(struct tc_vlan))
+                + nla_total_size(sizeof(u16)) /* TCA_VLAN_PUSH_VLAN_ID */
+                + nla_total_size(sizeof(u16)) /* TCA_VLAN_PUSH_VLAN_PROTOCOL */
+                + nla_total_size(sizeof(u8)); /* TCA_VLAN_PUSH_VLAN_PRIORITY */
+}
+
 static struct tc_action_ops act_vlan_ops = {
         .kind           =       "vlan",
         .id             =       TCA_ID_VLAN,
@@ -315,6 +325,7 @@ static struct tc_action_ops act_vlan_ops = {
         .init           =       tcf_vlan_init,
         .cleanup        =       tcf_vlan_cleanup,
         .walk           =       tcf_vlan_walker,
+        .get_fill_size  =       tcf_vlan_get_fill_size,
         .lookup         =       tcf_vlan_search,
         .size           =       sizeof(struct tcf_vlan),
 };
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index d144233423c5..efd3cfb80a2a 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -691,6 +691,8 @@ static void tc_indr_block_ing_cmd(struct tc_indr_block_dev *indr_dev,
         if (!indr_dev->block)
                 return;
 
+        bo.block = &indr_dev->block->flow_block;
+
         indr_block_cb->cb(indr_dev->dev, indr_block_cb->cb_priv, TC_SETUP_BLOCK,
                           &bo);
         tcf_block_setup(indr_dev->block, &bo);
@@ -775,6 +777,7 @@ static void tc_indr_block_call(struct tcf_block *block, struct net_device *dev,
                 .command        = command,
                 .binder_type    = ei->binder_type,
                 .net            = dev_net(dev),
+                .block          = &block->flow_block,
                 .block_shared   = tcf_block_shared(block),
                 .extack         = extack,
         };
@@ -810,6 +813,7 @@ static int tcf_block_offload_cmd(struct tcf_block *block,
         bo.net = dev_net(dev);
         bo.command = command;
         bo.binder_type = ei->binder_type;
+        bo.block = &block->flow_block;
         bo.block_shared = tcf_block_shared(block);
         bo.extack = extack;
         INIT_LIST_HEAD(&bo.cb_list);
@@ -987,8 +991,8 @@ static struct tcf_block *tcf_block_create(struct net *net, struct Qdisc *q,
                 return ERR_PTR(-ENOMEM);
         }
         mutex_init(&block->lock);
+        flow_block_init(&block->flow_block);
         INIT_LIST_HEAD(&block->chain_list);
-        INIT_LIST_HEAD(&block->cb_list);
         INIT_LIST_HEAD(&block->owner_list);
         INIT_LIST_HEAD(&block->chain0.filter_chain_list);
 
@@ -1514,7 +1518,7 @@ void tcf_block_put(struct tcf_block *block)
 EXPORT_SYMBOL(tcf_block_put);
 
 static int
-tcf_block_playback_offloads(struct tcf_block *block, tc_setup_cb_t *cb,
+tcf_block_playback_offloads(struct tcf_block *block, flow_setup_cb_t *cb,
                             void *cb_priv, bool add, bool offload_in_use,
                             struct netlink_ext_ack *extack)
 {
@@ -1570,7 +1574,7 @@ static int tcf_block_bind(struct tcf_block *block,
 
                 i++;
         }
-        list_splice(&bo->cb_list, &block->cb_list);
+        list_splice(&bo->cb_list, &block->flow_block.cb_list);
 
         return 0;
 
@@ -2152,7 +2156,9 @@ replay:
                 tfilter_notify(net, skb, n, tp, block, q, parent, fh,
                                RTM_NEWTFILTER, false, rtnl_held);
                 tfilter_put(tp, fh);
-                q->flags &= ~TCQ_F_CAN_BYPASS;
+                /* q pointer is NULL for shared blocks */
+                if (q)
+                        q->flags &= ~TCQ_F_CAN_BYPASS;
         }
 
 errout:
@@ -3156,7 +3162,7 @@ int tc_setup_cb_call(struct tcf_block *block, enum tc_setup_type type,
         if (block->nooffloaddevcnt && err_stop)
                 return -EOPNOTSUPP;
 
-        list_for_each_entry(block_cb, &block->cb_list, list) {
+        list_for_each_entry(block_cb, &block->flow_block.cb_list, list) {
                 err = block_cb->cb(type, type_data, block_cb->cb_priv);
                 if (err) {
                         if (err_stop)
diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 691f71830134..3f7a9c02b70c 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -651,7 +651,7 @@ skip:
         }
 }
 
-static int cls_bpf_reoffload(struct tcf_proto *tp, bool add, tc_setup_cb_t *cb,
+static int cls_bpf_reoffload(struct tcf_proto *tp, bool add, flow_setup_cb_t *cb,
                              void *cb_priv, struct netlink_ext_ack *extack)
 {
         struct cls_bpf_head *head = rtnl_dereference(tp->root);
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index 38d6e85693fc..054123742e32 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -1800,7 +1800,7 @@ fl_get_next_hw_filter(struct tcf_proto *tp, struct cls_fl_filter *f, bool add)
         return NULL;
 }
 
-static int fl_reoffload(struct tcf_proto *tp, bool add, tc_setup_cb_t *cb,
+static int fl_reoffload(struct tcf_proto *tp, bool add, flow_setup_cb_t *cb,
                         void *cb_priv, struct netlink_ext_ack *extack)
 {
         struct tcf_block *block = tp->chain->block;
diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c
index a30d2f8feb32..455ea2793f9b 100644
--- a/net/sched/cls_matchall.c
+++ b/net/sched/cls_matchall.c
@@ -282,7 +282,7 @@ skip:
         arg->count++;
 }
 
-static int mall_reoffload(struct tcf_proto *tp, bool add, tc_setup_cb_t *cb,
+static int mall_reoffload(struct tcf_proto *tp, bool add, flow_setup_cb_t *cb,
                           void *cb_priv, struct netlink_ext_ack *extack)
 {
         struct cls_mall_head *head = rtnl_dereference(tp->root);
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index be9e46c77e8b..8614088edd1b 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -1152,7 +1152,7 @@ static void u32_walk(struct tcf_proto *tp, struct tcf_walker *arg,
 }
 
 static int u32_reoffload_hnode(struct tcf_proto *tp, struct tc_u_hnode *ht,
-                               bool add, tc_setup_cb_t *cb, void *cb_priv,
+                               bool add, flow_setup_cb_t *cb, void *cb_priv,
                                struct netlink_ext_ack *extack)
 {
         struct tc_cls_u32_offload cls_u32 = {};
@@ -1172,7 +1172,7 @@ static int u32_reoffload_hnode(struct tcf_proto *tp, struct tc_u_hnode *ht,
 }
 
 static int u32_reoffload_knode(struct tcf_proto *tp, struct tc_u_knode *n,
-                               bool add, tc_setup_cb_t *cb, void *cb_priv,
+                               bool add, flow_setup_cb_t *cb, void *cb_priv,
                                struct netlink_ext_ack *extack)
 {
         struct tc_u_hnode *ht = rtnl_dereference(n->ht_down);
@@ -1213,7 +1213,7 @@ static int u32_reoffload_knode(struct tcf_proto *tp, struct tc_u_knode *n,
         return 0;
 }
 
-static int u32_reoffload(struct tcf_proto *tp, bool add, tc_setup_cb_t *cb,
+static int u32_reoffload(struct tcf_proto *tp, bool add, flow_setup_cb_t *cb,
                          void *cb_priv, struct netlink_ext_ack *extack)
 {
         struct tc_u_common *tp_c = tp->data;
diff --git a/net/sched/sch_codel.c b/net/sched/sch_codel.c
index 25ef172c23df..30169b3adbbb 100644
--- a/net/sched/sch_codel.c
+++ b/net/sched/sch_codel.c
@@ -71,10 +71,10 @@ static struct sk_buff *dequeue_func(struct codel_vars *vars, void *ctx)
         struct Qdisc *sch = ctx;
         struct sk_buff *skb = __qdisc_dequeue_head(&sch->q);
 
-        if (skb)
+        if (skb) {
                 sch->qstats.backlog -= qdisc_pkt_len(skb);
-
-        prefetch(&skb->end); /* we'll need skb_shinfo() */
+                prefetch(&skb->end); /* we'll need skb_shinfo() */
+        }
         return skb;
 }
 
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index aa80cda36581..9d1f83b10c0a 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -985,7 +985,7 @@ static int sctp_setsockopt_bindx(struct sock *sk,
                 return -EINVAL;
 
         kaddrs = memdup_user(addrs, addrs_size);
-        if (unlikely(IS_ERR(kaddrs)))
+        if (IS_ERR(kaddrs))
                 return PTR_ERR(kaddrs);
 
         /* Walk through the addrs buffer and count the number of addresses. */
@@ -1315,7 +1315,7 @@ static int __sctp_setsockopt_connectx(struct sock *sk,
                 return -EINVAL;
 
         kaddrs = memdup_user(addrs, addrs_size);
-        if (unlikely(IS_ERR(kaddrs)))
+        if (IS_ERR(kaddrs))
                 return PTR_ERR(kaddrs);
 
         /* Allow security module to validate connectx addresses. */
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 302e355f2ebc..5b932583e407 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -263,7 +263,7 @@ static int smc_bind(struct socket *sock, struct sockaddr *uaddr,
 
         /* Check if socket is already active */
         rc = -EINVAL;
-        if (sk->sk_state != SMC_INIT)
+        if (sk->sk_state != SMC_INIT || smc->connect_nonblock)
                 goto out_rel;
 
         smc->clcsock->sk->sk_reuse = sk->sk_reuse;
@@ -1390,7 +1390,8 @@ static int smc_listen(struct socket *sock, int backlog)
         lock_sock(sk);
 
         rc = -EINVAL;
-        if ((sk->sk_state != SMC_INIT) && (sk->sk_state != SMC_LISTEN))
+        if ((sk->sk_state != SMC_INIT && sk->sk_state != SMC_LISTEN) ||
+            smc->connect_nonblock)
                 goto out;
 
         rc = 0;
@@ -1518,7 +1519,7 @@ static int smc_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
                 goto out;
 
         if (msg->msg_flags & MSG_FASTOPEN) {
-                if (sk->sk_state == SMC_INIT) {
+                if (sk->sk_state == SMC_INIT && !smc->connect_nonblock) {
                         smc_switch_to_fallback(smc);
                         smc->fallback_rsn = SMC_CLC_DECL_OPTUNSUPP;
                 } else {
@@ -1732,14 +1733,18 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
                 }
                 break;
         case TCP_NODELAY:
-                if (sk->sk_state != SMC_INIT && sk->sk_state != SMC_LISTEN) {
+                if (sk->sk_state != SMC_INIT &&
+                    sk->sk_state != SMC_LISTEN &&
+                    sk->sk_state != SMC_CLOSED) {
                         if (val && !smc->use_fallback)
                                 mod_delayed_work(system_wq, &smc->conn.tx_work,
                                                  0);
                 }
                 break;
         case TCP_CORK:
-                if (sk->sk_state != SMC_INIT && sk->sk_state != SMC_LISTEN) {
+                if (sk->sk_state != SMC_INIT &&
+                    sk->sk_state != SMC_LISTEN &&
+                    sk->sk_state != SMC_CLOSED) {
                         if (!val && !smc->use_fallback)
                                 mod_delayed_work(system_wq, &smc->conn.tx_work,
                                                  0);
diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index d86030ef1232..e135d4e11231 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -55,6 +55,7 @@ struct tipc_nl_compat_msg {
         int rep_type;
         int rep_size;
         int req_type;
+        int req_size;
         struct net *net;
         struct sk_buff *rep;
         struct tlv_desc *req;
@@ -257,7 +258,8 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
         int err;
         struct sk_buff *arg;
 
-        if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type))
+        if (msg->req_type && (!msg->req_size ||
+                              !TLV_CHECK_TYPE(msg->req, msg->req_type)))
                 return -EINVAL;
 
         msg->rep = tipc_tlv_alloc(msg->rep_size);
@@ -354,7 +356,8 @@ static int tipc_nl_compat_doit(struct tipc_nl_compat_cmd_doit *cmd,
 {
         int err;
 
-        if (msg->req_type && !TLV_CHECK_TYPE(msg->req, msg->req_type))
+        if (msg->req_type && (!msg->req_size ||
+                              !TLV_CHECK_TYPE(msg->req, msg->req_type)))
                 return -EINVAL;
 
         err = __tipc_nl_compat_doit(cmd, msg);
@@ -1278,8 +1281,8 @@ static int tipc_nl_compat_recv(struct sk_buff *skb, struct genl_info *info)
                 goto send;
         }
 
-        len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
-        if (!len || !TLV_OK(msg.req, len)) {
+        msg.req_size = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
+        if (msg.req_size && !TLV_OK(msg.req, msg.req_size)) {
                 msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED);
                 err = -EOPNOTSUPP;
                 goto send;
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index dd8537f988c4..83ae41d7e554 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -485,9 +485,8 @@ static int tipc_sk_create(struct net *net, struct socket *sock,
                 tsk_set_unreturnable(tsk, true);
                 if (sock->type == SOCK_DGRAM)
                         tsk_set_unreliable(tsk, true);
-                __skb_queue_head_init(&tsk->mc_method.deferredq);
         }
-
+        __skb_queue_head_init(&tsk->mc_method.deferredq);
         trace_tipc_sk_create(sk, NULL, TIPC_DUMP_NONE, " ");
         return 0;
 }
diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
index f345662890a6..ca8ac96d22a9 100644
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -476,7 +476,7 @@ static void tipc_topsrv_accept(struct work_struct *work)
         }
 }
 
-/* tipc_toprsv_listener_data_ready - interrupt callback with connection request
+/* tipc_topsrv_listener_data_ready - interrupt callback with connection request
  * The queued job is launched into tipc_topsrv_accept()
  */
 static void tipc_topsrv_listener_data_ready(struct sock *sk)
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 4674e57e66b0..9cbbae606ced 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -261,24 +261,9 @@ void tls_ctx_free(struct tls_context *ctx)
         kfree(ctx);
 }
 
-static void tls_sk_proto_close(struct sock *sk, long timeout)
+static void tls_sk_proto_cleanup(struct sock *sk,
+                                 struct tls_context *ctx, long timeo)
 {
-        struct tls_context *ctx = tls_get_ctx(sk);
-        long timeo = sock_sndtimeo(sk, 0);
-        void (*sk_proto_close)(struct sock *sk, long timeout);
-        bool free_ctx = false;
-
-        lock_sock(sk);
-        sk_proto_close = ctx->sk_proto_close;
-
-        if (ctx->tx_conf == TLS_HW_RECORD && ctx->rx_conf == TLS_HW_RECORD)
-                goto skip_tx_cleanup;
-
-        if (ctx->tx_conf == TLS_BASE && ctx->rx_conf == TLS_BASE) {
-                free_ctx = true;
-                goto skip_tx_cleanup;
-        }
-
         if (unlikely(sk->sk_write_pending) &&
             !wait_on_pending_writer(sk, &timeo))
                 tls_handle_open_record(sk, 0);
@@ -287,7 +272,7 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
         if (ctx->tx_conf == TLS_SW) {
                 kfree(ctx->tx.rec_seq);
                 kfree(ctx->tx.iv);
-                tls_sw_free_resources_tx(sk);
+                tls_sw_release_resources_tx(sk);
 #ifdef CONFIG_TLS_DEVICE
         } else if (ctx->tx_conf == TLS_HW) {
                 tls_device_free_resources_tx(sk);
@@ -295,26 +280,44 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
         }
 
         if (ctx->rx_conf == TLS_SW)
-                tls_sw_free_resources_rx(sk);
+                tls_sw_release_resources_rx(sk);
 
 #ifdef CONFIG_TLS_DEVICE
         if (ctx->rx_conf == TLS_HW)
                 tls_device_offload_cleanup_rx(sk);
-
-        if (ctx->tx_conf != TLS_HW && ctx->rx_conf != TLS_HW) {
-#else
-        {
 #endif
-                tls_ctx_free(ctx);
-                ctx = NULL;
-        }
+}
 
-skip_tx_cleanup:
+static void tls_sk_proto_close(struct sock *sk, long timeout)
+{
+        struct inet_connection_sock *icsk = inet_csk(sk);
+        struct tls_context *ctx = tls_get_ctx(sk);
+        long timeo = sock_sndtimeo(sk, 0);
+        bool free_ctx;
+
+        if (ctx->tx_conf == TLS_SW)
+                tls_sw_cancel_work_tx(ctx);
+
+        lock_sock(sk);
+        free_ctx = ctx->tx_conf != TLS_HW && ctx->rx_conf != TLS_HW;
+
+        if (ctx->tx_conf != TLS_BASE || ctx->rx_conf != TLS_BASE)
+                tls_sk_proto_cleanup(sk, ctx, timeo);
+
+        write_lock_bh(&sk->sk_callback_lock);
+        if (free_ctx)
+                icsk->icsk_ulp_data = NULL;
+        sk->sk_prot = ctx->sk_proto;
+        write_unlock_bh(&sk->sk_callback_lock);
         release_sock(sk);
-        sk_proto_close(sk, timeout);
-        /* free ctx for TLS_HW_RECORD, used by tcp_set_state
-         * for sk->sk_prot->unhash [tls_hw_unhash]
-         */
+        if (ctx->tx_conf == TLS_SW)
+                tls_sw_free_ctx_tx(ctx);
+        if (ctx->rx_conf == TLS_SW || ctx->rx_conf == TLS_HW)
+                tls_sw_strparser_done(ctx);
+        if (ctx->rx_conf == TLS_SW)
+                tls_sw_free_ctx_rx(ctx);
+        ctx->sk_proto_close(sk, timeout);
+
         if (free_ctx)
                 tls_ctx_free(ctx);
 }
@@ -526,6 +529,8 @@ static int do_tls_setsockopt_conf(struct sock *sk, char __user *optval,
                 {
 #endif
                         rc = tls_set_sw_offload(sk, ctx, 1);
+                        if (rc)
+                                goto err_crypto_info;
                         conf = TLS_SW;
                 }
         } else {
@@ -537,13 +542,13 @@ static int do_tls_setsockopt_conf(struct sock *sk, char __user *optval,
                 {
 #endif
                         rc = tls_set_sw_offload(sk, ctx, 0);
+                        if (rc)
+                                goto err_crypto_info;
                         conf = TLS_SW;
                 }
+                tls_sw_strparser_arm(sk, ctx);
         }
 
-        if (rc)
-                goto err_crypto_info;
-
         if (tx)
                 ctx->tx_conf = conf;
         else
@@ -607,6 +612,7 @@ static struct tls_context *create_ctx(struct sock *sk)
         ctx->setsockopt = sk->sk_prot->setsockopt;
         ctx->getsockopt = sk->sk_prot->getsockopt;
         ctx->sk_proto_close = sk->sk_prot->close;
+        ctx->unhash = sk->sk_prot->unhash;
         return ctx;
 }
 
@@ -764,7 +770,6 @@ static void build_protos(struct proto prot[TLS_NUM_CONFIG][TLS_NUM_CONFIG],
         prot[TLS_HW_RECORD][TLS_HW_RECORD] = *base;
         prot[TLS_HW_RECORD][TLS_HW_RECORD].hash         = tls_hw_hash;
         prot[TLS_HW_RECORD][TLS_HW_RECORD].unhash       = tls_hw_unhash;
-        prot[TLS_HW_RECORD][TLS_HW_RECORD].close        = tls_sk_proto_close;
 }
 
 static int tls_init(struct sock *sk)
@@ -773,7 +778,7 @@ static int tls_init(struct sock *sk)
         int rc = 0;
 
         if (tls_hw_prot(sk))
-                goto out;
+                return 0;
 
         /* The TLS ulp is currently supported only for TCP sockets
          * in ESTABLISHED state.
@@ -784,21 +789,38 @@ static int tls_init(struct sock *sk)
         if (sk->sk_state != TCP_ESTABLISHED)
                 return -ENOTSUPP;
 
+        tls_build_proto(sk);
+
         /* allocate tls context */
+        write_lock_bh(&sk->sk_callback_lock);
         ctx = create_ctx(sk);
         if (!ctx) {
                 rc = -ENOMEM;
                 goto out;
         }
 
-        tls_build_proto(sk);
         ctx->tx_conf = TLS_BASE;
         ctx->rx_conf = TLS_BASE;
+        ctx->sk_proto = sk->sk_prot;
         update_sk_prot(sk, ctx);
 out:
+        write_unlock_bh(&sk->sk_callback_lock);
         return rc;
 }
 
+static void tls_update(struct sock *sk, struct proto *p)
+{
+        struct tls_context *ctx;
+
+        ctx = tls_get_ctx(sk);
+        if (likely(ctx)) {
+                ctx->sk_proto_close = p->close;
+                ctx->sk_proto = p;
+        } else {
+                sk->sk_prot = p;
+        }
+}
+
 void tls_register_device(struct tls_device *device)
 {
         spin_lock_bh(&device_spinlock);
@@ -819,6 +841,7 @@ static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
         .name                   = "tls",
         .owner                  = THIS_MODULE,
         .init                   = tls_init,
+        .update                 = tls_update,
 };
 
 static int __init tls_register(void)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 53b4ad94e74a..91d21b048a9b 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -2054,7 +2054,16 @@ static void tls_data_ready(struct sock *sk)
         }
 }
 
-void tls_sw_free_resources_tx(struct sock *sk)
+void tls_sw_cancel_work_tx(struct tls_context *tls_ctx)
+{
+        struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
+
+        set_bit(BIT_TX_CLOSING, &ctx->tx_bitmask);
+        set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask);
+        cancel_delayed_work_sync(&ctx->tx_work.work);
+}
+
+void tls_sw_release_resources_tx(struct sock *sk)
 {
         struct tls_context *tls_ctx = tls_get_ctx(sk);
         struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
@@ -2065,11 +2074,6 @@ void tls_sw_free_resources_tx(struct sock *sk)
         if (atomic_read(&ctx->encrypt_pending))
                 crypto_wait_req(-EINPROGRESS, &ctx->async_wait);
 
-        release_sock(sk);
-        cancel_delayed_work_sync(&ctx->tx_work.work);
-        lock_sock(sk);
-
-        /* Tx whatever records we can transmit and abandon the rest */
         tls_tx_records(sk, -1);
 
         /* Free up un-sent records in tx_list. First, free
@@ -2092,6 +2096,11 @@ void tls_sw_free_resources_tx(struct sock *sk)
 
         crypto_free_aead(ctx->aead_send);
         tls_free_open_rec(sk);
+}
+
+void tls_sw_free_ctx_tx(struct tls_context *tls_ctx)
+{
+        struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
 
         kfree(ctx);
 }
@@ -2110,25 +2119,40 @@ void tls_sw_release_resources_rx(struct sock *sk)
                 skb_queue_purge(&ctx->rx_list);
                 crypto_free_aead(ctx->aead_recv);
                 strp_stop(&ctx->strp);
-                write_lock_bh(&sk->sk_callback_lock);
-                sk->sk_data_ready = ctx->saved_data_ready;
-                write_unlock_bh(&sk->sk_callback_lock);
-                release_sock(sk);
-                strp_done(&ctx->strp);
-                lock_sock(sk);
+                /* If tls_sw_strparser_arm() was not called (cleanup paths)
+                 * we still want to strp_stop(), but sk->sk_data_ready was
+                 * never swapped.
+                 */
+                if (ctx->saved_data_ready) {
+                        write_lock_bh(&sk->sk_callback_lock);
+                        sk->sk_data_ready = ctx->saved_data_ready;
+                        write_unlock_bh(&sk->sk_callback_lock);
+                }
         }
 }
 
-void tls_sw_free_resources_rx(struct sock *sk)
+void tls_sw_strparser_done(struct tls_context *tls_ctx)
 {
-        struct tls_context *tls_ctx = tls_get_ctx(sk);
         struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
 
-        tls_sw_release_resources_rx(sk);
+        strp_done(&ctx->strp);
+}
+
+void tls_sw_free_ctx_rx(struct tls_context *tls_ctx)
+{
+        struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
 
         kfree(ctx);
 }
 
+void tls_sw_free_resources_rx(struct sock *sk)
+{
+        struct tls_context *tls_ctx = tls_get_ctx(sk);
+
+        tls_sw_release_resources_rx(sk);
+        tls_sw_free_ctx_rx(tls_ctx);
+}
+
 /* The work handler to transmitt the encrypted records in tx_list */
 static void tx_work_handler(struct work_struct *work)
 {
@@ -2137,11 +2161,17 @@ static void tx_work_handler(struct work_struct *work)
                                                struct tx_work, work);
         struct sock *sk = tx_work->sk;
         struct tls_context *tls_ctx = tls_get_ctx(sk);
-        struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx);
+        struct tls_sw_context_tx *ctx;
 
-        if (!test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask))
+        if (unlikely(!tls_ctx))
                 return;
 
+        ctx = tls_sw_ctx_tx(tls_ctx);
+        if (test_bit(BIT_TX_CLOSING, &ctx->tx_bitmask))
+                return;
+
+        if (!test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask))
+                return;
         lock_sock(sk);
         tls_tx_records(sk, -1);
         release_sock(sk);
@@ -2160,6 +2190,18 @@ void tls_sw_write_space(struct sock *sk, struct tls_context *ctx)
         }
 }
 
+void tls_sw_strparser_arm(struct sock *sk, struct tls_context *tls_ctx)
+{
+        struct tls_sw_context_rx *rx_ctx = tls_sw_ctx_rx(tls_ctx);
+
+        write_lock_bh(&sk->sk_callback_lock);
+        rx_ctx->saved_data_ready = sk->sk_data_ready;
+        sk->sk_data_ready = tls_data_ready;
+        write_unlock_bh(&sk->sk_callback_lock);
+
+        strp_check_rcv(&rx_ctx->strp);
+}
+
 int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx)
 {
         struct tls_context *tls_ctx = tls_get_ctx(sk);
@@ -2357,13 +2399,6 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx)
                 cb.parse_msg = tls_read_size;
 
                 strp_init(&sw_ctx_rx->strp, sk, &cb);
-
-                write_lock_bh(&sk->sk_callback_lock);
-                sw_ctx_rx->saved_data_ready = sk->sk_data_ready;
-                sk->sk_data_ready = tls_data_ready;
-                write_unlock_bh(&sk->sk_callback_lock);
-
-                strp_check_rcv(&sw_ctx_rx->strp);
         }
 
         goto out;
diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
index f2084e3f7aa4..9d864ebeb7b3 100644
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -312,6 +312,11 @@ static void hvs_close_connection(struct vmbus_channel *chan)
         lock_sock(sk);
         hvs_do_close_lock_held(vsock_sk(sk), true);
         release_sock(sk);
+
+        /* Release the refcnt for the channel that's opened in
+         * hvs_open_connection().
+         */
+        sock_put(sk);
 }
 
 static void hvs_open_connection(struct vmbus_channel *chan)
@@ -407,6 +412,9 @@ static void hvs_open_connection(struct vmbus_channel *chan)
         }
 
         set_per_channel_state(chan, conn_from_host ? new : sk);
+
+        /* This reference will be dropped by hvs_close_connection(). */
+        sock_hold(conn_from_host ? new : sk);
         vmbus_set_chn_rescind_callback(chan, hvs_close_connection);
 
         /* Set the pending send size to max packet size to always get
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 45d9afcff6d5..32b3c719fdfc 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1410,10 +1410,8 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
                 }
                 break;
         case NETDEV_PRE_UP:
-                if (!(wdev->wiphy->interface_modes & BIT(wdev->iftype)) &&
-                    !(wdev->iftype == NL80211_IFTYPE_AP_VLAN &&
-                      rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP &&
-                      wdev->use_4addr))
+                if (!cfg80211_iftype_allowed(wdev->wiphy, wdev->iftype,
+                                             wdev->use_4addr, 0))
                         return notifier_from_errno(-EOPNOTSUPP);
 
                 if (rfkill_blocked(rdev->rfkill))
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index fc83dd179c1a..fd05ae1437a9 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3484,9 +3484,7 @@ static int nl80211_new_interface(struct sk_buff *skb, struct genl_info *info)
                         return err;
         }
 
-        if (!(rdev->wiphy.interface_modes & (1 << type)) &&
-            !(type == NL80211_IFTYPE_AP_VLAN && params.use_4addr &&
-              rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP))
+        if (!cfg80211_iftype_allowed(&rdev->wiphy, type, params.use_4addr, 0))
                 return -EOPNOTSUPP;
 
         err = nl80211_parse_mon_options(rdev, type, info, &params);
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 1c39d6a2e850..d0e35b7b9e35 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -1697,7 +1697,7 @@ int cfg80211_iter_combinations(struct wiphy *wiphy,
         for (iftype = 0; iftype < NUM_NL80211_IFTYPES; iftype++) {
                 num_interfaces += params->iftype_num[iftype];
                 if (params->iftype_num[iftype] > 0 &&
-                    !(wiphy->software_iftypes & BIT(iftype)))
+                    !cfg80211_iftype_allowed(wiphy, iftype, 0, 1))
                         used_iftypes |= BIT(iftype);
         }
 
@@ -1719,7 +1719,7 @@ int cfg80211_iter_combinations(struct wiphy *wiphy,
                         return -ENOMEM;
 
                 for (iftype = 0; iftype < NUM_NL80211_IFTYPES; iftype++) {
-                        if (wiphy->software_iftypes & BIT(iftype))
+                        if (cfg80211_iftype_allowed(wiphy, iftype, 0, 1))
                                 continue;
                         for (j = 0; j < c->n_limits; j++) {
                                 all_iftypes |= limits[j].types;
@@ -2072,3 +2072,26 @@ int ieee80211_get_vht_max_nss(struct ieee80211_vht_cap *cap,
         return max_vht_nss;
 }
 EXPORT_SYMBOL(ieee80211_get_vht_max_nss);
+
+bool cfg80211_iftype_allowed(struct wiphy *wiphy, enum nl80211_iftype iftype,
+                             bool is_4addr, u8 check_swif)
+
+{
+        bool is_vlan = iftype == NL80211_IFTYPE_AP_VLAN;
+
+        switch (check_swif) {
+        case 0:
+                if (is_vlan && is_4addr)
+                        return wiphy->flags & WIPHY_FLAG_4ADDR_AP;
+                return wiphy->interface_modes & BIT(iftype);
+        case 1:
+                if (!(wiphy->software_iftypes & BIT(iftype)) && is_vlan)
+                        return wiphy->flags & WIPHY_FLAG_4ADDR_AP;
+                return wiphy->software_iftypes & BIT(iftype);
+        default:
+                break;
+        }
+
+        return false;
+}
+EXPORT_SYMBOL(cfg80211_iftype_allowed);