51 files changed, 408 insertions, 179 deletions
diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 98a30a5b8664..59555f0f8fc8 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -443,7 +443,7 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event,
        case NETDEV_UP:
                /* Put all VLANs for this dev in the up state too.  */
                vlan_group_for_each_dev(grp, i, vlandev) {
-                        flgs = vlandev->flags;
+                        flgs = dev_get_flags(vlandev);
                        if (flgs & IFF_UP)
                                continue;
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 4663c3dad3f5..c4802f3bd4c5 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2854,9 +2854,11 @@ static void le_scan_disable_work_complete(struct hci_dev *hdev, u8 status,
                         * state. If we were running both LE and BR/EDR inquiry
                         * simultaneously, and BR/EDR inquiry is already
                         * finished, stop discovery, otherwise BR/EDR inquiry
-                         * will stop discovery when finished.
+                         * will stop discovery when finished. If we will resolve
+                         * remote device name, do not change discovery state.
                         */
-                        if (!test_bit(HCI_INQUIRY, &hdev->flags))
+                        if (!test_bit(HCI_INQUIRY, &hdev->flags) &&
+                            hdev->discovery.state != DISCOVERY_RESOLVING)
                                hci_discovery_set_state(hdev,
                                                        DISCOVERY_STOPPED);
                } else {
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 4b6722f8f179..22fd0419b314 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1072,7 +1072,7 @@ static int br_ip6_multicast_mld2_report(struct net_bridge *br,
                err = br_ip6_multicast_add_group(br, port, &grec->grec_mca,
                                                 vid);
-                if (!err)
+                if (err)
                        break;
        }
@@ -1822,7 +1822,7 @@ static void br_multicast_query_expired(struct net_bridge *br,
        if (query->startup_sent < br->multicast_startup_query_count)
                query->startup_sent++;
-        RCU_INIT_POINTER(querier, NULL);
+        RCU_INIT_POINTER(querier->port, NULL);
        br_multicast_send_query(br, NULL, query);
        spin_unlock(&br->multicast_lock);
 }
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index ab55e2472beb..60ddfbeb47f5 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -37,10 +37,6 @@
 #include <net/route.h>
 #include <net/netfilter/br_netfilter.h>
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
-#include <net/netfilter/nf_conntrack.h>
-#endif
 #include <asm/uaccess.h>
 #include "br_private.h"
 #ifdef CONFIG_SYSCTL
@@ -350,24 +346,15 @@ free_skb:
        return 0;
 }
-static bool dnat_took_place(const struct sk_buff *skb)
+static bool daddr_was_changed(const struct sk_buff *skb,
+                              const struct nf_bridge_info *nf_bridge)
 {
-#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+        return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr;
-        enum ip_conntrack_info ctinfo;
-        struct nf_conn *ct;
-        ct = nf_ct_get(skb, &ctinfo);
-        if (!ct || nf_ct_is_untracked(ct))
-                return false;
-        return test_bit(IPS_DST_NAT_BIT, &ct->status);
-#else
-        return false;
-#endif
 }
 /* This requires some explaining. If DNAT has taken place,
 * we will need to fix up the destination Ethernet address.
+ * This is also true when SNAT takes place (for the reply direction).
 *
 * There are two cases to consider:
 * 1. The packet was DNAT'ed to a device in the same bridge
@@ -421,7 +408,7 @@ static int br_nf_pre_routing_finish(struct sock *sk, struct sk_buff *skb)
                nf_bridge->pkt_otherhost = false;
        }
        nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
-        if (dnat_took_place(skb)) {
+        if (daddr_was_changed(skb, nf_bridge)) {
                if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) {
                        struct in_device *in_dev = __in_dev_get_rcu(dev);
@@ -632,6 +619,7 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
                                      struct sk_buff *skb,
                                      const struct nf_hook_state *state)
 {
+        struct nf_bridge_info *nf_bridge;
        struct net_bridge_port *p;
        struct net_bridge *br;
        __u32 len = nf_bridge_encap_header_len(skb);
@@ -669,6 +657,9 @@ static unsigned int br_nf_pre_routing(const struct nf_hook_ops *ops,
        if (!setup_pre_routing(skb))
                return NF_DROP;
+        nf_bridge = nf_bridge_info_get(skb);
+        nf_bridge->ipv4_daddr = ip_hdr(skb)->daddr;
        skb->protocol = htons(ETH_P_IP);
        NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, state->sk, skb,
diff --git a/net/bridge/br_stp_timer.c b/net/bridge/br_stp_timer.c
index 4fcaa67750fd..7caf7fae2d5b 100644
--- a/net/bridge/br_stp_timer.c
+++ b/net/bridge/br_stp_timer.c
@@ -97,7 +97,9 @@ static void br_forward_delay_timer_expired(unsigned long arg)
                netif_carrier_on(br->dev);
        }
        br_log_state(p);
+        rcu_read_lock();
        br_ifinfo_notify(RTM_NEWLINK, p);
+        rcu_read_unlock();
        spin_unlock(&br->lock);
 }
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 4ec0c803aef1..112ad784838a 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -330,6 +330,10 @@ static long caif_stream_data_wait(struct sock *sk, long timeo)
                release_sock(sk);
                timeo = schedule_timeout(timeo);
                lock_sock(sk);
+                if (sock_flag(sk, SOCK_DEAD))
+                        break;
                clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags);
        }
@@ -373,6 +377,10 @@ static int caif_stream_recvmsg(struct socket *sock, struct msghdr *msg,
                struct sk_buff *skb;
                lock_sock(sk);
+                if (sock_flag(sk, SOCK_DEAD)) {
+                        err = -ECONNRESET;
+                        goto unlock;
+                }
                skb = skb_dequeue(&sk->sk_receive_queue);
                caif_check_flow_release(sk);
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index 41a4abc7e98e..c4ec9239249a 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -1306,8 +1306,6 @@ static void __unregister_linger_request(struct ceph_osd_client *osdc,
                if (list_empty(&req->r_osd_item))
                        req->r_osd = NULL;
        }
-        list_del_init(&req->r_req_lru_item); /* can be on notarget */
        ceph_osdc_put_request(req);
 }
@@ -2017,20 +2015,29 @@ static void kick_requests(struct ceph_osd_client *osdc, bool force_resend,
                err = __map_request(osdc, req,
                                    force_resend || force_resend_writes);
                dout("__map_request returned %d\n", err);
-                if (err == 0)
-                        continue;  /* no change and no osd was specified */
                if (err < 0)
                        continue;  /* hrm! */
-                if (req->r_osd == NULL) {
+                if (req->r_osd == NULL || err > 0) {
-                        dout("tid %llu maps to no valid osd\n", req->r_tid);
+                        if (req->r_osd == NULL) {
-                        needmap++;  /* request a newer map */
+                                dout("lingering %p tid %llu maps to no osd\n",
-                        continue;
+                                     req, req->r_tid);
-                }
+                                /*
+                                 * A homeless lingering request makes
+                                 * no sense, as it's job is to keep
+                                 * a particular OSD connection open.
+                                 * Request a newer map and kick the
+                                 * request, knowing that it won't be
+                                 * resent until we actually get a map
+                                 * that can tell us where to send it.
+                                 */
+                                needmap++;
+                        }
-                dout("kicking lingering %p tid %llu osd%d\n", req, req->r_tid,
+                        dout("kicking lingering %p tid %llu osd%d\n", req,
-                     req->r_osd ? req->r_osd->o_osd : -1);
+                             req->r_tid, req->r_osd ? req->r_osd->o_osd : -1);
-                __register_request(osdc, req);
+                        __register_request(osdc, req);
-                __unregister_linger_request(osdc, req);
+                        __unregister_linger_request(osdc, req);
+                }
        }
        reset_changed_osds(osdc);
        mutex_unlock(&osdc->request_mutex);
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 666e0928ba40..8de36824018d 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2416,6 +2416,9 @@ void rtmsg_ifinfo(int type, struct net_device *dev, unsigned int change,
 {
        struct sk_buff *skb;
+        if (dev->reg_state != NETREG_REGISTERED)
+                return;
        skb = rtmsg_ifinfo_build_skb(type, dev, change, flags);
        if (skb)
                rtmsg_ifinfo_send(skb, dev, flags);
diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
index e6f6cc3a1bcf..392e29a0227d 100644
--- a/net/dsa/dsa.c
+++ b/net/dsa/dsa.c
@@ -359,7 +359,7 @@ dsa_switch_setup(struct dsa_switch_tree *dst, int index,
         */
        ds = kzalloc(sizeof(*ds) + drv->priv_size, GFP_KERNEL);
        if (ds == NULL)
-                return NULL;
+                return ERR_PTR(-ENOMEM);
        ds->dst = dst;
        ds->index = index;
@@ -370,7 +370,7 @@ dsa_switch_setup(struct dsa_switch_tree *dst, int index,
        ret = dsa_switch_setup_one(ds, parent);
        if (ret)
-                return NULL;
+                return ERR_PTR(ret);
        return ds;
 }
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 421a80b09b62..30b544f025ac 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -256,7 +256,8 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
        aead_givcrypt_set_crypt(req, sg, sg, clen, iv);
        aead_givcrypt_set_assoc(req, asg, assoclen);
        aead_givcrypt_set_giv(req, esph->enc_data,
-                              XFRM_SKB_CB(skb)->seq.output.low);
+                              XFRM_SKB_CB(skb)->seq.output.low +
+                              ((u64)XFRM_SKB_CB(skb)->seq.output.hi << 32));
        ESP_SKB_CB(skb)->tmp = tmp;
        err = crypto_aead_givencrypt(req);
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index e13fcc602da2..09b62e17dd8c 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1164,6 +1164,7 @@ int fib_table_insert(struct fib_table *tb, struct fib_config *cfg)
                        state = fa->fa_state;
                        new_fa->fa_state = state & ~FA_S_ACCESSED;
                        new_fa->fa_slen = fa->fa_slen;
+                        new_fa->tb_id = tb->tb_id;
                        err = netdev_switch_fib_ipv4_add(key, plen, fi,
                                                         new_fa->fa_tos,
@@ -1764,7 +1765,7 @@ void fib_table_flush_external(struct fib_table *tb)
                        /* record local slen */
                        slen = fa->fa_slen;
-                        if (!fi || !(fi->fib_flags & RTNH_F_EXTERNAL))
+                        if (!fi || !(fi->fib_flags & RTNH_F_OFFLOAD))
                                continue;
                        netdev_switch_fib_ipv4_del(n->key,
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 9f7269f3c54a..0c152087ca15 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -65,7 +65,6 @@ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi,
                        goto drop;
                XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
-                skb->mark = be32_to_cpu(tunnel->parms.i_key);
                return xfrm_input(skb, nexthdr, spi, encap_type);
        }
@@ -91,6 +90,8 @@ static int vti_rcv_cb(struct sk_buff *skb, int err)
        struct pcpu_sw_netstats *tstats;
        struct xfrm_state *x;
        struct ip_tunnel *tunnel = XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4;
+        u32 orig_mark = skb->mark;
+        int ret;
        if (!tunnel)
                return 1;
@@ -107,7 +108,11 @@ static int vti_rcv_cb(struct sk_buff *skb, int err)
        x = xfrm_input_state(skb);
        family = x->inner_mode->afinfo->family;
-        if (!xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family))
+        skb->mark = be32_to_cpu(tunnel->parms.i_key);
+        ret = xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family);
+        skb->mark = orig_mark;
+        if (!ret)
                return -EPERM;
        skb_scrub_packet(skb, !net_eq(tunnel->net, dev_net(skb->dev)));
@@ -216,8 +221,6 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
        memset(&fl, 0, sizeof(fl));
-        skb->mark = be32_to_cpu(tunnel->parms.o_key);
        switch (skb->protocol) {
        case htons(ETH_P_IP):
                xfrm_decode_session(skb, &fl, AF_INET);
@@ -233,6 +236,9 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
                return NETDEV_TX_OK;
        }
+        /* override mark with tunnel output key */
+        fl.flowi_mark = be32_to_cpu(tunnel->parms.o_key);
        return vti_xmit(skb, dev, &fl);
 }
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 13bfe84bf3ca..a61200754f4b 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -1075,6 +1075,9 @@ static int do_replace(struct net *net, const void __user *user,
        /* overflow check */
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        if (tmp.num_counters == 0)
+                return -EINVAL;
        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
@@ -1499,6 +1502,9 @@ static int compat_do_replace(struct net *net, void __user *user,
                return -ENOMEM;
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        if (tmp.num_counters == 0)
+                return -EINVAL;
        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index c69db7fa25ee..2d0e265fef6e 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -1262,6 +1262,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
        /* overflow check */
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        if (tmp.num_counters == 0)
+                return -EINVAL;
        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
@@ -1809,6 +1812,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
                return -ENOMEM;
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        if (tmp.num_counters == 0)
+                return -EINVAL;
        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index bff62fc87b8e..f45f2a12f37b 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -902,6 +902,10 @@ static int ip_error(struct sk_buff *skb)
        bool send;
        int code;
+        /* IP on this device is disabled. */
+        if (!in_dev)
+                goto out;
        net = dev_net(rt->dst.dev);
        if (!IN_DEV_FORWARD(in_dev)) {
                switch (rt->dst.error) {
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 46efa03d2b11..f1377f2a0472 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -402,6 +402,7 @@ void tcp_init_sock(struct sock *sk)
        tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
        tp->snd_cwnd_clamp = ~0;
        tp->mss_cache = TCP_MSS_DEFAULT;
+        u64_stats_init(&tp->syncp);
        tp->reordering = sysctl_tcp_reordering;
        tcp_enable_early_retrans(tp);
@@ -2598,6 +2599,7 @@ void tcp_get_info(struct sock *sk, struct tcp_info *info)
        const struct tcp_sock *tp = tcp_sk(sk);
        const struct inet_connection_sock *icsk = inet_csk(sk);
        u32 now = tcp_time_stamp;
+        unsigned int start;
        u32 rate;
        memset(info, 0, sizeof(*info));
@@ -2665,10 +2667,11 @@ void tcp_get_info(struct sock *sk, struct tcp_info *info)
        rate = READ_ONCE(sk->sk_max_pacing_rate);
        info->tcpi_max_pacing_rate = rate != ~0U ? rate : ~0ULL;
-        spin_lock_bh(&sk->sk_lock.slock);
+        do {
-        info->tcpi_bytes_acked = tp->bytes_acked;
+                start = u64_stats_fetch_begin_irq(&tp->syncp);
-        info->tcpi_bytes_received = tp->bytes_received;
+                info->tcpi_bytes_acked = tp->bytes_acked;
-        spin_unlock_bh(&sk->sk_lock.slock);
+                info->tcpi_bytes_received = tp->bytes_received;
+        } while (u64_stats_fetch_retry_irq(&tp->syncp, start));
 }
 EXPORT_SYMBOL_GPL(tcp_get_info);
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index 7a5ae50c80c8..84be008c945c 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -187,6 +187,7 @@ static void tcp_reinit_congestion_control(struct sock *sk,
        tcp_cleanup_congestion_control(sk);
        icsk->icsk_ca_ops = ca;
+        icsk->icsk_ca_setsockopt = 1;
        if (sk->sk_state != TCP_CLOSE && icsk->icsk_ca_ops->init)
                icsk->icsk_ca_ops->init(sk);
@@ -335,8 +336,10 @@ int tcp_set_congestion_control(struct sock *sk, const char *name)
        rcu_read_lock();
        ca = __tcp_ca_find_autoload(name);
        /* No change asking for existing value */
-        if (ca == icsk->icsk_ca_ops)
+        if (ca == icsk->icsk_ca_ops) {
+                icsk->icsk_ca_setsockopt = 1;
                goto out;
+        }
        if (!ca)
                err = -ENOENT;
        else if (!((ca->flags & TCP_CONG_NON_RESTRICTED) ||
diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
index 3c673d5e6cff..46b087a27503 100644
--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -206,6 +206,10 @@ static bool tcp_fastopen_create_child(struct sock *sk,
                        skb_set_owner_r(skb2, child);
                        __skb_queue_tail(&child->sk_receive_queue, skb2);
                        tp->syn_data_acked = 1;
+                        /* u64_stats_update_begin(&tp->syncp) not needed here,
+                         * as we certainly are not changing upper 32bit value (0)
+                         */
                        tp->bytes_received = end_seq - TCP_SKB_CB(skb)->seq - 1;
                } else {
                        end_seq = TCP_SKB_CB(skb)->seq + 1;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index bc790ea9960f..c9ab964189a0 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2698,16 +2698,21 @@ static void tcp_process_loss(struct sock *sk, int flag, bool is_dupack)
        struct tcp_sock *tp = tcp_sk(sk);
        bool recovered = !before(tp->snd_una, tp->high_seq);
+        if ((flag & FLAG_SND_UNA_ADVANCED) &&
+            tcp_try_undo_loss(sk, false))
+                return;
        if (tp->frto) { /* F-RTO RFC5682 sec 3.1 (sack enhanced version). */
                /* Step 3.b. A timeout is spurious if not all data are
                 * lost, i.e., never-retransmitted data are (s)acked.
                 */
-                if (tcp_try_undo_loss(sk, flag & FLAG_ORIG_SACK_ACKED))
+                if ((flag & FLAG_ORIG_SACK_ACKED) &&
+                    tcp_try_undo_loss(sk, true))
                        return;
-                if (after(tp->snd_nxt, tp->high_seq) &&
+                if (after(tp->snd_nxt, tp->high_seq)) {
-                    (flag & FLAG_DATA_SACKED || is_dupack)) {
+                        if (flag & FLAG_DATA_SACKED || is_dupack)
-                        tp->frto = 0; /* Loss was real: 2nd part of step 3.a */
+                                tp->frto = 0; /* Step 3.a. loss was real */
                } else if (flag & FLAG_SND_UNA_ADVANCED && !recovered) {
                        tp->high_seq = tp->snd_nxt;
                        __tcp_push_pending_frames(sk, tcp_current_mss(sk),
@@ -2732,8 +2737,6 @@ static void tcp_process_loss(struct sock *sk, int flag, bool is_dupack)
                else if (flag & FLAG_SND_UNA_ADVANCED)
                        tcp_reset_reno_sack(tp);
        }
-        if (tcp_try_undo_loss(sk, false))
-                return;
        tcp_xmit_retransmit_queue(sk);
 }
@@ -3283,7 +3286,9 @@ static void tcp_snd_una_update(struct tcp_sock *tp, u32 ack)
 {
        u32 delta = ack - tp->snd_una;
+        u64_stats_update_begin(&tp->syncp);
        tp->bytes_acked += delta;
+        u64_stats_update_end(&tp->syncp);
        tp->snd_una = ack;
 }
@@ -3292,7 +3297,9 @@ static void tcp_rcv_nxt_update(struct tcp_sock *tp, u32 seq)
 {
        u32 delta = seq - tp->rcv_nxt;
+        u64_stats_update_begin(&tp->syncp);
        tp->bytes_received += delta;
+        u64_stats_update_end(&tp->syncp);
        tp->rcv_nxt = seq;
 }
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index e5d7649136fc..17e7339ee5ca 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -300,7 +300,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo)
                        tw->tw_v6_daddr = sk->sk_v6_daddr;
                        tw->tw_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
                        tw->tw_tclass = np->tclass;
-                        tw->tw_flowlabel = np->flow_label >> 12;
+                        tw->tw_flowlabel = be32_to_cpu(np->flow_label & IPV6_FLOWLABEL_MASK);
                        tw->tw_ipv6only = sk->sk_ipv6only;
                }
 #endif
@@ -420,7 +420,10 @@ void tcp_ca_openreq_child(struct sock *sk, const struct dst_entry *dst)
                rcu_read_unlock();
        }
-        if (!ca_got_dst && !try_module_get(icsk->icsk_ca_ops->owner))
+        /* If no valid choice made yet, assign current system default ca. */
+        if (!ca_got_dst &&
+            (!icsk->icsk_ca_setsockopt ||
+             !try_module_get(icsk->icsk_ca_ops->owner)))
                tcp_assign_congestion_control(sk);
        tcp_set_ca_state(sk, TCP_CA_Open);
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index d10b7e0112eb..1c92ea67baef 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1345,10 +1345,8 @@ csum_copy_err:
        }
        unlock_sock_fast(sk, slow);
-        if (noblock)
+        /* starting over for a new packet, but check if we need to yield */
-                return -EAGAIN;
+        cond_resched();
-        /* starting over for a new packet */
        msg->msg_flags &= ~MSG_TRUNC;
        goto try_again;
 }
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 31f1b5d5e2ef..7c07ce36aae2 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -248,7 +248,8 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
        aead_givcrypt_set_crypt(req, sg, sg, clen, iv);
        aead_givcrypt_set_assoc(req, asg, assoclen);
        aead_givcrypt_set_giv(req, esph->enc_data,
-                              XFRM_SKB_CB(skb)->seq.output.low);
+                              XFRM_SKB_CB(skb)->seq.output.low +
+                              ((u64)XFRM_SKB_CB(skb)->seq.output.hi << 32));
        ESP_SKB_CB(skb)->tmp = tmp;
        err = crypto_aead_givencrypt(req);
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 96dbffff5a24..bde57b113009 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -693,6 +693,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
 {
        struct rt6_info *iter = NULL;
        struct rt6_info **ins;
+        struct rt6_info **fallback_ins = NULL;
        int replace = (info->nlh &&
                       (info->nlh->nlmsg_flags & NLM_F_REPLACE));
        int add = (!info->nlh ||
@@ -716,8 +717,13 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
                            (info->nlh->nlmsg_flags & NLM_F_EXCL))
                                return -EEXIST;
                        if (replace) {
-                                found++;
+                                if (rt_can_ecmp == rt6_qualify_for_ecmp(iter)) {
-                                break;
+                                        found++;
+                                        break;
+                                }
+                                if (rt_can_ecmp)
+                                        fallback_ins = fallback_ins ?: ins;
+                                goto next_iter;
                        }
                        if (iter->dst.dev == rt->dst.dev &&
@@ -753,9 +759,17 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt,
                if (iter->rt6i_metric > rt->rt6i_metric)
                        break;
+next_iter:
                ins = &iter->dst.rt6_next;
        }
+        if (fallback_ins && !found) {
+                /* No ECMP-able route found, replace first non-ECMP one */
+                ins = fallback_ins;
+                iter = *ins;
+                found++;
+        }
        /* Reset round-robin state, if necessary */
        if (ins == &fn->leaf)
                fn->rr_ptr = NULL;
@@ -815,6 +829,8 @@ add:
                }
        } else {
+                int nsiblings;
                if (!found) {
                        if (add)
                                goto add;
@@ -835,8 +851,27 @@ add:
                        info->nl_net->ipv6.rt6_stats->fib_route_nodes++;
                        fn->fn_flags |= RTN_RTINFO;
                }
+                nsiblings = iter->rt6i_nsiblings;
                fib6_purge_rt(iter, fn, info->nl_net);
                rt6_release(iter);
+                if (nsiblings) {
+                        /* Replacing an ECMP route, remove all siblings */
+                        ins = &rt->dst.rt6_next;
+                        iter = *ins;
+                        while (iter) {
+                                if (rt6_qualify_for_ecmp(iter)) {
+                                        *ins = iter->dst.rt6_next;
+                                        fib6_purge_rt(iter, fn, info->nl_net);
+                                        rt6_release(iter);
+                                        nsiblings--;
+                                } else {
+                                        ins = &iter->dst.rt6_next;
+                                }
+                                iter = *ins;
+                        }
+                        WARN_ON(nsiblings != 0);
+                }
        }
        return 0;
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index c21777565c58..bc09cb97b840 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1300,8 +1300,10 @@ emsgsize:
        /* If this is the first and only packet and device
         * supports checksum offloading, let's use it.
+         * Use transhdrlen, same as IPv4, because partial
+         * sums only work when transhdrlen is set.
         */
-        if (!skb && sk->sk_protocol == IPPROTO_UDP &&
+        if (transhdrlen && sk->sk_protocol == IPPROTO_UDP &&
            length + fragheaderlen < mtu &&
            rt->dst.dev->features & NETIF_F_V6_CSUM &&
            !exthdrlen)
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index ed9d681207fa..0224c032dca5 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -322,7 +322,6 @@ static int vti6_rcv(struct sk_buff *skb)
                }
                XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = t;
-                skb->mark = be32_to_cpu(t->parms.i_key);
                rcu_read_unlock();
@@ -342,6 +341,8 @@ static int vti6_rcv_cb(struct sk_buff *skb, int err)
        struct pcpu_sw_netstats *tstats;
        struct xfrm_state *x;
        struct ip6_tnl *t = XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6;
+        u32 orig_mark = skb->mark;
+        int ret;
        if (!t)
                return 1;
@@ -358,7 +359,11 @@ static int vti6_rcv_cb(struct sk_buff *skb, int err)
        x = xfrm_input_state(skb);
        family = x->inner_mode->afinfo->family;
-        if (!xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family))
+        skb->mark = be32_to_cpu(t->parms.i_key);
+        ret = xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family);
+        skb->mark = orig_mark;
+        if (!ret)
                return -EPERM;
        skb_scrub_packet(skb, !net_eq(t->net, dev_net(skb->dev)));
@@ -430,6 +435,7 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
        struct net_device *tdev;
        struct xfrm_state *x;
        int err = -1;
+        int mtu;
        if (!dst)
                goto tx_err_link_failure;
@@ -463,6 +469,19 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
        skb_dst_set(skb, dst);
        skb->dev = skb_dst(skb)->dev;
+        mtu = dst_mtu(dst);
+        if (!skb->ignore_df && skb->len > mtu) {
+                skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu);
+                if (skb->protocol == htons(ETH_P_IPV6))
+                        icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
+                else
+                        icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
+                                  htonl(mtu));
+                return -EMSGSIZE;
+        }
        err = dst_output(skb);
        if (net_xmit_eval(err) == 0) {
                struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
@@ -495,7 +514,6 @@ vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
        int ret;
        memset(&fl, 0, sizeof(fl));
-        skb->mark = be32_to_cpu(t->parms.o_key);
        switch (skb->protocol) {
        case htons(ETH_P_IPV6):
@@ -516,6 +534,9 @@ vti6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
                goto tx_err;
        }
+        /* override mark with tunnel output key */
+        fl.flowi_mark = be32_to_cpu(t->parms.o_key);
        ret = vti6_xmit(skb, dev, &fl);
        if (ret < 0)
                goto tx_err;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 1a732a1d3c8e..62f5b0d0bc9b 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -1275,6 +1275,9 @@ do_replace(struct net *net, const void __user *user, unsigned int len)
        /* overflow check */
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        if (tmp.num_counters == 0)
+                return -EINVAL;
        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
@@ -1822,6 +1825,9 @@ compat_do_replace(struct net *net, void __user *user, unsigned int len)
                return -ENOMEM;
        if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
                return -ENOMEM;
+        if (tmp.num_counters == 0)
+                return -EINVAL;
        tmp.name[sizeof(tmp.name)-1] = 0;
        newinfo = xt_alloc_table_info(tmp.size);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index d3588885f097..c73ae5039e46 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2504,9 +2504,9 @@ static int ip6_route_multipath(struct fib6_config *cfg, int add)
        int attrlen;
        int err = 0, last_err = 0;
+        remaining = cfg->fc_mp_len;
 beginning:
        rtnh = (struct rtnexthop *)cfg->fc_mp;
-        remaining = cfg->fc_mp_len;
        /* Parse a Multipath Entry */
        while (rtnh_ok(rtnh, remaining)) {
@@ -2536,15 +2536,19 @@ beginning:
                                 * next hops that have been already added.
                                 */
                                add = 0;
+                                remaining = cfg->fc_mp_len - remaining;
                                goto beginning;
                        }
                }
                /* Because each route is added like a single route we remove
-                 * this flag after the first nexthop (if there is a collision,
+                 * these flags after the first nexthop: if there is a collision,
-                 * we have already fail to add the first nexthop:
+                 * we have already failed to add the first nexthop:
-                 * fib6_add_rt2node() has reject it).
+                 * fib6_add_rt2node() has rejected it; when replacing, old
+                 * nexthops have been replaced by first new, the rest should
+                 * be added to it.
                 */
-                cfg->fc_nlinfo.nlh->nlmsg_flags &= ~NLM_F_EXCL;
+                cfg->fc_nlinfo.nlh->nlmsg_flags &= ~(NLM_F_EXCL |
+                                                     NLM_F_REPLACE);
                rtnh = rtnh_next(rtnh, &remaining);
        }
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index b6575d665568..3adffb300238 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -914,7 +914,7 @@ static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb)
                        tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
                        tcp_time_stamp + tcptw->tw_ts_offset,
                        tcptw->tw_ts_recent, tw->tw_bound_dev_if, tcp_twsk_md5_key(tcptw),
-                        tw->tw_tclass, (tw->tw_flowlabel << 12));
+                        tw->tw_tclass, cpu_to_be32(tw->tw_flowlabel));
        inet_twsk_put(tw);
 }
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 3477c919fcc8..e51fc3eee6db 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -525,10 +525,8 @@ csum_copy_err:
        }
        unlock_sock_fast(sk, slow);
-        if (noblock)
+        /* starting over for a new packet, but check if we need to yield */
-                return -EAGAIN;
+        cond_resched();
-        /* starting over for a new packet */
        msg->msg_flags &= ~MSG_TRUNC;
        goto try_again;
 }
@@ -731,7 +729,9 @@ static bool __udp_v6_is_mcast_sock(struct net *net, struct sock *sk,
            (inet->inet_dport && inet->inet_dport != rmt_port) ||
            (!ipv6_addr_any(&sk->sk_v6_daddr) &&
                    !ipv6_addr_equal(&sk->sk_v6_daddr, rmt_addr)) ||
-            (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif))
+            (sk->sk_bound_dev_if && sk->sk_bound_dev_if != dif) ||
+            (!ipv6_addr_any(&sk->sk_v6_rcv_saddr) &&
+                    !ipv6_addr_equal(&sk->sk_v6_rcv_saddr, loc_addr)))
                return false;
        if (!inet6_mc_check(sk, loc_addr, rmt_addr))
                return false;
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 265e42721a66..ff347a0eebd4 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2495,51 +2495,22 @@ static bool ieee80211_coalesce_started_roc(struct ieee80211_local *local,
                                           struct ieee80211_roc_work *new_roc,
                                           struct ieee80211_roc_work *cur_roc)
 {
-        unsigned long j = jiffies;
+        unsigned long now = jiffies;
-        unsigned long cur_roc_end = cur_roc->hw_start_time +
+        unsigned long remaining = cur_roc->hw_start_time +
-                                    msecs_to_jiffies(cur_roc->duration);
+                                  msecs_to_jiffies(cur_roc->duration) -
-        struct ieee80211_roc_work *next_roc;
+                                  now;
-        int new_dur;
        if (WARN_ON(!cur_roc->started || !cur_roc->hw_begun))
                return false;
-        if (time_after(j + IEEE80211_ROC_MIN_LEFT, cur_roc_end))
+        /* if it doesn't fit entirely, schedule a new one */
+        if (new_roc->duration > jiffies_to_msecs(remaining))
                return false;
        ieee80211_handle_roc_started(new_roc);
-        new_dur = new_roc->duration - jiffies_to_msecs(cur_roc_end - j);
+        /* add to dependents so we send the expired event properly */
+        list_add_tail(&new_roc->list, &cur_roc->dependents);
-        /* cur_roc is long enough - add new_roc to the dependents list. */
-        if (new_dur <= 0) {
-                list_add_tail(&new_roc->list, &cur_roc->dependents);
-                return true;
-        }
-        new_roc->duration = new_dur;
-        /*
-         * if cur_roc was already coalesced before, we might
-         * want to extend the next roc instead of adding
-         * a new one.
-         */
-        next_roc = list_entry(cur_roc->list.next,
-                              struct ieee80211_roc_work, list);
-        if (&next_roc->list != &local->roc_list &&
-            next_roc->chan == new_roc->chan &&
-            next_roc->sdata == new_roc->sdata &&
-            !WARN_ON(next_roc->started)) {
-                list_add_tail(&new_roc->list, &next_roc->dependents);
-                next_roc->duration = max(next_roc->duration,
-                                         new_roc->duration);
-                next_roc->type = max(next_roc->type, new_roc->type);
-                return true;
-        }
-        /* add right after cur_roc */
-        list_add(&new_roc->list, &cur_roc->list);
        return true;
 }
@@ -2652,17 +2623,9 @@ static int ieee80211_start_roc_work(struct ieee80211_local *local,
                         * In the offloaded ROC case, if it hasn't begun, add
                         * this new one to the dependent list to be handled
                         * when the master one begins. If it has begun,
-                         * check that there's still a minimum time left and
+                         * check if it fits entirely within the existing one,
-                         * if so, start this one, transmitting the frame, but
+                         * in which case it will just be dependent as well.
-                         * add it to the list directly after this one with
+                         * Otherwise, schedule it by itself.
-                         * a reduced time so we'll ask the driver to execute
-                         * it right after finishing the previous one, in the
-                         * hope that it'll also be executed right afterwards,
-                         * effectively extending the old one.
-                         * If there's no minimum time left, just add it to the
-                         * normal list.
-                         * TODO: the ROC type is ignored here, assuming that it
-                         * is better to immediately use the current ROC.
                         */
                        if (!tmp->hw_begun) {
                                list_add_tail(&roc->list, &tmp->dependents);
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index ab46ab4a7249..c0a9187bc3a9 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -205,6 +205,8 @@ enum ieee80211_packet_rx_flags {
 * @IEEE80211_RX_CMNTR: received on cooked monitor already
 * @IEEE80211_RX_BEACON_REPORTED: This frame was already reported
 *      to cfg80211_report_obss_beacon().
+ * @IEEE80211_RX_REORDER_TIMER: this frame is released by the
+ *      reorder buffer timeout timer, not the normal RX path
 *
 * These flags are used across handling multiple interfaces
 * for a single frame.
@@ -212,6 +214,7 @@ enum ieee80211_packet_rx_flags {
 enum ieee80211_rx_flags {
        IEEE80211_RX_CMNTR              = BIT(0),
        IEEE80211_RX_BEACON_REPORTED    = BIT(1),
+        IEEE80211_RX_REORDER_TIMER      = BIT(2),
 };
 struct ieee80211_rx_data {
@@ -325,12 +328,6 @@ struct mesh_preq_queue {
        u8 flags;
 };
-#if HZ/100 == 0
-#define IEEE80211_ROC_MIN_LEFT  1
-#else
-#define IEEE80211_ROC_MIN_LEFT  (HZ/100)
-#endif
 struct ieee80211_roc_work {
        struct list_head list;
        struct list_head dependents;
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index bab5c63c0bad..84cef600c573 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -522,6 +522,12 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
                memcpy(sdata->vif.hw_queue, master->vif.hw_queue,
                       sizeof(sdata->vif.hw_queue));
                sdata->vif.bss_conf.chandef = master->vif.bss_conf.chandef;
+                mutex_lock(&local->key_mtx);
+                sdata->crypto_tx_tailroom_needed_cnt +=
+                        master->crypto_tx_tailroom_needed_cnt;
+                mutex_unlock(&local->key_mtx);
                break;
                }
        case NL80211_IFTYPE_AP:
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index 2291cd730091..a907f2d5c12d 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -58,6 +58,22 @@ static void assert_key_lock(struct ieee80211_local *local)
        lockdep_assert_held(&local->key_mtx);
 }
+static void
+update_vlan_tailroom_need_count(struct ieee80211_sub_if_data *sdata, int delta)
+{
+        struct ieee80211_sub_if_data *vlan;
+        if (sdata->vif.type != NL80211_IFTYPE_AP)
+                return;
+        mutex_lock(&sdata->local->mtx);
+        list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
+                vlan->crypto_tx_tailroom_needed_cnt += delta;
+        mutex_unlock(&sdata->local->mtx);
+}
 static void increment_tailroom_need_count(struct ieee80211_sub_if_data *sdata)
 {
        /*
@@ -79,6 +95,8 @@ static void increment_tailroom_need_count(struct ieee80211_sub_if_data *sdata)
         * http://mid.gmane.org/1308590980.4322.19.camel@jlt3.sipsolutions.net
         */
+        update_vlan_tailroom_need_count(sdata, 1);
        if (!sdata->crypto_tx_tailroom_needed_cnt++) {
                /*
                 * Flush all XMIT packets currently using HW encryption or no
@@ -88,6 +106,15 @@ static void increment_tailroom_need_count(struct ieee80211_sub_if_data *sdata)
        }
 }
+static void decrease_tailroom_need_count(struct ieee80211_sub_if_data *sdata,
+                                         int delta)
+{
+        WARN_ON_ONCE(sdata->crypto_tx_tailroom_needed_cnt < delta);
+        update_vlan_tailroom_need_count(sdata, -delta);
+        sdata->crypto_tx_tailroom_needed_cnt -= delta;
+}
 static int ieee80211_key_enable_hw_accel(struct ieee80211_key *key)
 {
        struct ieee80211_sub_if_data *sdata;
@@ -144,7 +171,7 @@ static int ieee80211_key_enable_hw_accel(struct ieee80211_key *key)
                if (!((key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_MMIC) ||
                      (key->conf.flags & IEEE80211_KEY_FLAG_RESERVE_TAILROOM)))
-                        sdata->crypto_tx_tailroom_needed_cnt--;
+                        decrease_tailroom_need_count(sdata, 1);
                WARN_ON((key->conf.flags & IEEE80211_KEY_FLAG_PUT_IV_SPACE) &&
                        (key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_IV));
@@ -541,7 +568,7 @@ static void __ieee80211_key_destroy(struct ieee80211_key *key,
                        schedule_delayed_work(&sdata->dec_tailroom_needed_wk,
                                              HZ/2);
                } else {
-                        sdata->crypto_tx_tailroom_needed_cnt--;
+                        decrease_tailroom_need_count(sdata, 1);
                }
        }
@@ -631,6 +658,7 @@ void ieee80211_key_free(struct ieee80211_key *key, bool delay_tailroom)
 void ieee80211_enable_keys(struct ieee80211_sub_if_data *sdata)
 {
        struct ieee80211_key *key;
+        struct ieee80211_sub_if_data *vlan;
        ASSERT_RTNL();
@@ -639,7 +667,14 @@ void ieee80211_enable_keys(struct ieee80211_sub_if_data *sdata)
        mutex_lock(&sdata->local->key_mtx);
-        sdata->crypto_tx_tailroom_needed_cnt = 0;
+        WARN_ON_ONCE(sdata->crypto_tx_tailroom_needed_cnt ||
+                     sdata->crypto_tx_tailroom_pending_dec);
+        if (sdata->vif.type == NL80211_IFTYPE_AP) {
+                list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
+                        WARN_ON_ONCE(vlan->crypto_tx_tailroom_needed_cnt ||
+                                     vlan->crypto_tx_tailroom_pending_dec);
+        }
        list_for_each_entry(key, &sdata->key_list, list) {
                increment_tailroom_need_count(sdata);
@@ -649,6 +684,22 @@ void ieee80211_enable_keys(struct ieee80211_sub_if_data *sdata)
        mutex_unlock(&sdata->local->key_mtx);
 }
+void ieee80211_reset_crypto_tx_tailroom(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_sub_if_data *vlan;
+        mutex_lock(&sdata->local->key_mtx);
+        sdata->crypto_tx_tailroom_needed_cnt = 0;
+        if (sdata->vif.type == NL80211_IFTYPE_AP) {
+                list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
+                        vlan->crypto_tx_tailroom_needed_cnt = 0;
+        }
+        mutex_unlock(&sdata->local->key_mtx);
+}
 void ieee80211_iter_keys(struct ieee80211_hw *hw,
                         struct ieee80211_vif *vif,
                         void (*iter)(struct ieee80211_hw *hw,
@@ -688,8 +739,8 @@ static void ieee80211_free_keys_iface(struct ieee80211_sub_if_data *sdata,
 {
        struct ieee80211_key *key, *tmp;
-        sdata->crypto_tx_tailroom_needed_cnt -=
+        decrease_tailroom_need_count(sdata,
-                sdata->crypto_tx_tailroom_pending_dec;
+                                     sdata->crypto_tx_tailroom_pending_dec);
        sdata->crypto_tx_tailroom_pending_dec = 0;
        ieee80211_debugfs_key_remove_mgmt_default(sdata);
@@ -709,6 +760,7 @@ void ieee80211_free_keys(struct ieee80211_sub_if_data *sdata,
 {
        struct ieee80211_local *local = sdata->local;
        struct ieee80211_sub_if_data *vlan;
+        struct ieee80211_sub_if_data *master;
        struct ieee80211_key *key, *tmp;
        LIST_HEAD(keys);
@@ -728,8 +780,20 @@ void ieee80211_free_keys(struct ieee80211_sub_if_data *sdata,
        list_for_each_entry_safe(key, tmp, &keys, list)
                __ieee80211_key_destroy(key, false);
-        WARN_ON_ONCE(sdata->crypto_tx_tailroom_needed_cnt ||
+        if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN) {
-                     sdata->crypto_tx_tailroom_pending_dec);
+                if (sdata->bss) {
+                        master = container_of(sdata->bss,
+                                              struct ieee80211_sub_if_data,
+                                              u.ap);
+                        WARN_ON_ONCE(sdata->crypto_tx_tailroom_needed_cnt !=
+                                     master->crypto_tx_tailroom_needed_cnt);
+                }
+        } else {
+                WARN_ON_ONCE(sdata->crypto_tx_tailroom_needed_cnt ||
+                             sdata->crypto_tx_tailroom_pending_dec);
+        }
        if (sdata->vif.type == NL80211_IFTYPE_AP) {
                list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
                        WARN_ON_ONCE(vlan->crypto_tx_tailroom_needed_cnt ||
@@ -793,8 +857,8 @@ void ieee80211_delayed_tailroom_dec(struct work_struct *wk)
         */
        mutex_lock(&sdata->local->key_mtx);
-        sdata->crypto_tx_tailroom_needed_cnt -=
+        decrease_tailroom_need_count(sdata,
-                sdata->crypto_tx_tailroom_pending_dec;
+                                     sdata->crypto_tx_tailroom_pending_dec);
        sdata->crypto_tx_tailroom_pending_dec = 0;
        mutex_unlock(&sdata->local->key_mtx);
 }
diff --git a/net/mac80211/key.h b/net/mac80211/key.h
index c5a31835be0e..96557dd1e77d 100644
--- a/net/mac80211/key.h
+++ b/net/mac80211/key.h
@@ -161,6 +161,7 @@ void ieee80211_free_keys(struct ieee80211_sub_if_data *sdata,
 void ieee80211_free_sta_keys(struct ieee80211_local *local,
                             struct sta_info *sta);
 void ieee80211_enable_keys(struct ieee80211_sub_if_data *sdata);
+void ieee80211_reset_crypto_tx_tailroom(struct ieee80211_sub_if_data *sdata);
 #define key_mtx_dereference(local, ref) \
        rcu_dereference_protected(ref, lockdep_is_held(&((local)->key_mtx)))
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 260eed45b6d2..5793f75c5ffd 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2121,7 +2121,8 @@ ieee80211_deliver_skb(struct ieee80211_rx_data *rx)
                /* deliver to local stack */
                skb->protocol = eth_type_trans(skb, dev);
                memset(skb->cb, 0, sizeof(skb->cb));
-                if (rx->local->napi)
+                if (!(rx->flags & IEEE80211_RX_REORDER_TIMER) &&
+                    rx->local->napi)
                        napi_gro_receive(rx->local->napi, skb);
                else
                        netif_receive_skb(skb);
@@ -3231,7 +3232,7 @@ void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid)
                /* This is OK -- must be QoS data frame */
                .security_idx = tid,
                .seqno_idx = tid,
-                .flags = 0,
+                .flags = IEEE80211_RX_REORDER_TIMER,
        };
        struct tid_ampdu_rx *tid_agg_rx;
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 79412f16b61d..b864ebc6ab8f 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -2023,6 +2023,9 @@ int ieee80211_reconfig(struct ieee80211_local *local)
        /* add back keys */
        list_for_each_entry(sdata, &local->interfaces, list)
+                ieee80211_reset_crypto_tx_tailroom(sdata);
+        list_for_each_entry(sdata, &local->interfaces, list)
                if (ieee80211_sdata_running(sdata))
                        ieee80211_enable_keys(sdata);
diff --git a/net/mac80211/wep.c b/net/mac80211/wep.c
index a4220e92f0cc..efa3f48f1ec5 100644
--- a/net/mac80211/wep.c
+++ b/net/mac80211/wep.c
@@ -98,8 +98,7 @@ static u8 *ieee80211_wep_add_iv(struct ieee80211_local *local,
        hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PROTECTED);
-        if (WARN_ON(skb_tailroom(skb) < IEEE80211_WEP_ICV_LEN ||
+        if (WARN_ON(skb_headroom(skb) < IEEE80211_WEP_IV_LEN))
-                    skb_headroom(skb) < IEEE80211_WEP_IV_LEN))
                return NULL;
        hdrlen = ieee80211_hdrlen(hdr->frame_control);
@@ -167,6 +166,9 @@ int ieee80211_wep_encrypt(struct ieee80211_local *local,
        size_t len;
        u8 rc4key[3 + WLAN_KEY_LEN_WEP104];
+        if (WARN_ON(skb_tailroom(skb) < IEEE80211_WEP_ICV_LEN))
+                return -1;
        iv = ieee80211_wep_add_iv(local, skb, keylen, keyidx);
        if (!iv)
                return -1;
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index f70e34a68f70..a0f3e6a3c7d1 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -863,6 +863,7 @@ config NETFILTER_XT_TARGET_TPROXY
        depends on NETFILTER_XTABLES
        depends on NETFILTER_ADVANCED
        depends on (IPV6 || IPV6=n)
+        depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
        depends on IP_NF_MANGLE
        select NF_DEFRAG_IPV4
        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
@@ -1356,6 +1357,7 @@ config NETFILTER_XT_MATCH_SOCKET
        depends on NETFILTER_ADVANCED
        depends on !NF_CONNTRACK || NF_CONNTRACK
        depends on (IPV6 || IPV6=n)
+        depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
        select NF_DEFRAG_IPV4
        select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
        help
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 49532672f66d..285eae3a1454 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3823,6 +3823,9 @@ static void __net_exit ip_vs_control_net_cleanup_sysctl(struct net *net)
        cancel_work_sync(&ipvs->defense_work.work);
        unregister_net_sysctl_table(ipvs->sysctl_hdr);
        ip_vs_stop_estimator(net, &ipvs->tot_stats);
+        if (!net_eq(net, &init_net))
+                kfree(ipvs->sysctl_tbl);
 }
 #else
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 5caa0c41bf26..70383de72054 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -202,7 +202,7 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
 *      sES -> sES      :-)
 *      sFW -> sCW      Normal close request answered by ACK.
 *      sCW -> sCW
- *      sLA -> sTW      Last ACK detected.
+ *      sLA -> sTW      Last ACK detected (RFC5961 challenged)
 *      sTW -> sTW      Retransmitted last ACK. Remain in the same state.
 *      sCL -> sCL
 */
@@ -261,7 +261,7 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
 *      sES -> sES      :-)
 *      sFW -> sCW      Normal close request answered by ACK.
 *      sCW -> sCW
- *      sLA -> sTW      Last ACK detected.
+ *      sLA -> sTW      Last ACK detected (RFC5961 challenged)
 *      sTW -> sTW      Retransmitted last ACK.
 *      sCL -> sCL
 */
@@ -906,6 +906,7 @@ static int tcp_packet(struct nf_conn *ct,
                                        1 : ct->proto.tcp.last_win;
                        ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale =
                                ct->proto.tcp.last_wscale;
+                        ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
                        ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
                                ct->proto.tcp.last_flags;
                        memset(&ct->proto.tcp.seen[dir], 0,
@@ -923,7 +924,9 @@ static int tcp_packet(struct nf_conn *ct,
                 * may be in sync but we are not. In that case, we annotate
                 * the TCP options and let the packet go through. If it is a
                 * valid SYN packet, the server will reply with a SYN/ACK, and
-                 * then we'll get in sync. Otherwise, the server ignores it. */
+                 * then we'll get in sync. Otherwise, the server potentially
+                 * responds with a challenge ACK if implementing RFC5961.
+                 */
                if (index == TCP_SYN_SET && dir == IP_CT_DIR_ORIGINAL) {
                        struct ip_ct_tcp_state seen = {};
@@ -939,6 +942,13 @@ static int tcp_packet(struct nf_conn *ct,
                                ct->proto.tcp.last_flags |=
                                        IP_CT_TCP_FLAG_SACK_PERM;
                        }
+                        /* Mark the potential for RFC5961 challenge ACK,
+                         * this pose a special problem for LAST_ACK state
+                         * as ACK is intrepretated as ACKing last FIN.
+                         */
+                        if (old_state == TCP_CONNTRACK_LAST_ACK)
+                                ct->proto.tcp.last_flags |=
+                                        IP_CT_EXP_CHALLENGE_ACK;
                }
                spin_unlock_bh(&ct->lock);
                if (LOG_INVALID(net, IPPROTO_TCP))
@@ -970,6 +980,25 @@ static int tcp_packet(struct nf_conn *ct,
                        nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
                                  "nf_ct_tcp: invalid state ");
                return -NF_ACCEPT;
+        case TCP_CONNTRACK_TIME_WAIT:
+                /* RFC5961 compliance cause stack to send "challenge-ACK"
+                 * e.g. in response to spurious SYNs.  Conntrack MUST
+                 * not believe this ACK is acking last FIN.
+                 */
+                if (old_state == TCP_CONNTRACK_LAST_ACK &&
+                    index == TCP_ACK_SET &&
+                    ct->proto.tcp.last_dir != dir &&
+                    ct->proto.tcp.last_index == TCP_SYN_SET &&
+                    (ct->proto.tcp.last_flags & IP_CT_EXP_CHALLENGE_ACK)) {
+                        /* Detected RFC5961 challenge ACK */
+                        ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
+                        spin_unlock_bh(&ct->lock);
+                        if (LOG_INVALID(net, IPPROTO_TCP))
+                                nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
+                                      "nf_ct_tcp: challenge-ACK ignored ");
+                        return NF_ACCEPT; /* Don't change state */
+                }
+                break;
        case TCP_CONNTRACK_CLOSE:
                if (index == TCP_RST_SET
                    && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index ad9d11fb29fd..34ded09317e7 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4472,9 +4472,9 @@ EXPORT_SYMBOL_GPL(nft_data_init);
 */
 void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
 {
-        switch (type) {
+        if (type < NFT_DATA_VERDICT)
-        case NFT_DATA_VALUE:
                return;
+        switch (type) {
        case NFT_DATA_VERDICT:
                return nft_verdict_uninit(data);
        default:
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 3ad91266c821..4ef1fae8445e 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -1073,7 +1073,13 @@ static struct pernet_operations nfnl_log_net_ops = {
 static int __init nfnetlink_log_init(void)
 {
-        int status = -ENOMEM;
+        int status;
+        status = register_pernet_subsys(&nfnl_log_net_ops);
+        if (status < 0) {
+                pr_err("failed to register pernet ops\n");
+                goto out;
+        }
        netlink_register_notifier(&nfulnl_rtnl_notifier);
        status = nfnetlink_subsys_register(&nfulnl_subsys);
@@ -1088,28 +1094,23 @@ static int __init nfnetlink_log_init(void)
                goto cleanup_subsys;
        }
-        status = register_pernet_subsys(&nfnl_log_net_ops);
-        if (status < 0) {
-                pr_err("failed to register pernet ops\n");
-                goto cleanup_logger;
-        }
        return status;
-cleanup_logger:
-        nf_log_unregister(&nfulnl_logger);
 cleanup_subsys:
        nfnetlink_subsys_unregister(&nfulnl_subsys);
 cleanup_netlink_notifier:
        netlink_unregister_notifier(&nfulnl_rtnl_notifier);
+        unregister_pernet_subsys(&nfnl_log_net_ops);
+out:
        return status;
 }
 static void __exit nfnetlink_log_fini(void)
 {
-        unregister_pernet_subsys(&nfnl_log_net_ops);
        nf_log_unregister(&nfulnl_logger);
        nfnetlink_subsys_unregister(&nfulnl_subsys);
        netlink_unregister_notifier(&nfulnl_rtnl_notifier);
+        unregister_pernet_subsys(&nfnl_log_net_ops);
 }
 MODULE_DESCRIPTION("netfilter userspace logging");
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 0b98c7420239..11c7682fa0ea 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -1317,7 +1317,13 @@ static struct pernet_operations nfnl_queue_net_ops = {
 static int __init nfnetlink_queue_init(void)
 {
-        int status = -ENOMEM;
+        int status;
+        status = register_pernet_subsys(&nfnl_queue_net_ops);
+        if (status < 0) {
+                pr_err("nf_queue: failed to register pernet ops\n");
+                goto out;
+        }
        netlink_register_notifier(&nfqnl_rtnl_notifier);
        status = nfnetlink_subsys_register(&nfqnl_subsys);
@@ -1326,19 +1332,13 @@ static int __init nfnetlink_queue_init(void)
                goto cleanup_netlink_notifier;
        }
-        status = register_pernet_subsys(&nfnl_queue_net_ops);
-        if (status < 0) {
-                pr_err("nf_queue: failed to register pernet ops\n");
-                goto cleanup_subsys;
-        }
        register_netdevice_notifier(&nfqnl_dev_notifier);
        nf_register_queue_handler(&nfqh);
        return status;
-cleanup_subsys:
-        nfnetlink_subsys_unregister(&nfqnl_subsys);
 cleanup_netlink_notifier:
        netlink_unregister_notifier(&nfqnl_rtnl_notifier);
+out:
        return status;
 }
@@ -1346,9 +1346,9 @@ static void __exit nfnetlink_queue_fini(void)
 {
        nf_unregister_queue_handler();
        unregister_netdevice_notifier(&nfqnl_dev_notifier);
-        unregister_pernet_subsys(&nfnl_queue_net_ops);
        nfnetlink_subsys_unregister(&nfqnl_subsys);
        netlink_unregister_notifier(&nfqnl_rtnl_notifier);
+        unregister_pernet_subsys(&nfnl_queue_net_ops);
        rcu_barrier(); /* Wait for completion of call_rcu()'s */
 }
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index daa0b818174b..bf6e76643f78 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -89,7 +89,7 @@ static inline int netlink_is_kernel(struct sock *sk)
        return nlk_sk(sk)->flags & NETLINK_KERNEL_SOCKET;
 }
-struct netlink_table *nl_table;
+struct netlink_table *nl_table __read_mostly;
 EXPORT_SYMBOL_GPL(nl_table);
 static DECLARE_WAIT_QUEUE_HEAD(nl_table_wait);
@@ -1081,6 +1081,7 @@ static int netlink_insert(struct sock *sk, u32 portid)
        if (err) {
                if (err == -EEXIST)
                        err = -EADDRINUSE;
+                nlk_sk(sk)->portid = 0;
                sock_put(sk);
        }
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index b6ef9a04de06..a75864d93142 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -81,6 +81,11 @@ int unregister_tcf_proto_ops(struct tcf_proto_ops *ops)
        struct tcf_proto_ops *t;
        int rc = -ENOENT;
+        /* Wait for outstanding call_rcu()s, if any, from a
+         * tcf_proto_ops's destroy() handler.
+         */
+        rcu_barrier();
        write_lock(&cls_mod_lock);
        list_for_each_entry(t, &tcf_proto_base, head) {
                if (t == ops) {
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index ad9eed70bc8f..1e1c89e51a11 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -815,10 +815,8 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent,
                if (dev->flags & IFF_UP)
                        dev_deactivate(dev);
-                if (new && new->ops->attach) {
+                if (new && new->ops->attach)
-                        new->ops->attach(new);
+                        goto skip;
-                        num_q = 0;
-                }
                for (i = 0; i < num_q; i++) {
                        struct netdev_queue *dev_queue = dev_ingress_queue(dev);
@@ -834,12 +832,16 @@ static int qdisc_graft(struct net_device *dev, struct Qdisc *parent,
                                qdisc_destroy(old);
                }
+skip:
                if (!ingress) {
                        notify_and_destroy(net, skb, n, classid,
                                           dev->qdisc, new);
                        if (new && !new->ops->attach)
                                atomic_inc(&new->refcnt);
                        dev->qdisc = new ? : &noop_qdisc;
+                        if (new && new->ops->attach)
+                                new->ops->attach(new);
                } else {
                        notify_and_destroy(net, skb, n, classid, old, new);
                }
diff --git a/net/switchdev/switchdev.c b/net/switchdev/switchdev.c
index 46568b85c333..055453d48668 100644
--- a/net/switchdev/switchdev.c
+++ b/net/switchdev/switchdev.c
@@ -338,7 +338,7 @@ int netdev_switch_fib_ipv4_add(u32 dst, int dst_len, struct fib_info *fi,
                                              fi, tos, type, nlflags,
                                              tb_id);
                if (!err)
-                        fi->fib_flags |= RTNH_F_EXTERNAL;
+                        fi->fib_flags |= RTNH_F_OFFLOAD;
        }
        return err;
@@ -364,7 +364,7 @@ int netdev_switch_fib_ipv4_del(u32 dst, int dst_len, struct fib_info *fi,
        const struct swdev_ops *ops;
        int err = 0;
-        if (!(fi->fib_flags & RTNH_F_EXTERNAL))
+        if (!(fi->fib_flags & RTNH_F_OFFLOAD))
                return 0;
        dev = netdev_switch_get_dev_by_nhs(fi);
@@ -376,7 +376,7 @@ int netdev_switch_fib_ipv4_del(u32 dst, int dst_len, struct fib_info *fi,
                err = ops->swdev_fib_ipv4_del(dev, htonl(dst), dst_len,
                                              fi, tos, type, tb_id);
                if (!err)
-                        fi->fib_flags &= ~RTNH_F_EXTERNAL;
+                        fi->fib_flags &= ~RTNH_F_OFFLOAD;
        }
        return err;
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 5266ea7b922b..06430598cf51 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1880,6 +1880,10 @@ static long unix_stream_data_wait(struct sock *sk, long timeo,
                unix_state_unlock(sk);
                timeo = freezable_schedule_timeout(timeo);
                unix_state_lock(sk);
+                if (sock_flag(sk, SOCK_DEAD))
+                        break;
                clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags);
        }
@@ -1939,6 +1943,10 @@ static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg,
                struct sk_buff *skb, *last;
                unix_state_lock(sk);
+                if (sock_flag(sk, SOCK_DEAD)) {
+                        err = -ECONNRESET;
+                        goto unlock;
+                }
                last = skb = skb_peek(&sk->sk_receive_queue);
 again:
                if (skb == NULL) {
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 526c4feb3b50..b58286ecd156 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -13,6 +13,8 @@
 #include <net/dst.h>
 #include <net/ip.h>
 #include <net/xfrm.h>
+#include <net/ip_tunnels.h>
+#include <net/ip6_tunnel.h>
 static struct kmem_cache *secpath_cachep __read_mostly;
@@ -186,6 +188,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
        struct xfrm_state *x = NULL;
        xfrm_address_t *daddr;
        struct xfrm_mode *inner_mode;
+        u32 mark = skb->mark;
        unsigned int family;
        int decaps = 0;
        int async = 0;
@@ -203,6 +206,18 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
                                   XFRM_SPI_SKB_CB(skb)->daddroff);
        family = XFRM_SPI_SKB_CB(skb)->family;
+        /* if tunnel is present override skb->mark value with tunnel i_key */
+        if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4) {
+                switch (family) {
+                case AF_INET:
+                        mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4->parms.i_key);
+                        break;
+                case AF_INET6:
+                        mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6->parms.i_key);
+                        break;
+                }
+        }
        /* Allocate new secpath or COW existing one. */
        if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
                struct sec_path *sp;
@@ -229,7 +244,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
                        goto drop;
                }
-                x = xfrm_state_lookup(net, skb->mark, daddr, spi, nexthdr, family);
+                x = xfrm_state_lookup(net, mark, daddr, spi, nexthdr, family);
                if (x == NULL) {
                        XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
                        xfrm_audit_state_notfound(skb, family, spi, seq);
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index dab57daae408..4fd725a0c500 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -99,6 +99,7 @@ static int xfrm_replay_overflow(struct xfrm_state *x, struct sk_buff *skb)
        if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
                XFRM_SKB_CB(skb)->seq.output.low = ++x->replay.oseq;
+                XFRM_SKB_CB(skb)->seq.output.hi = 0;
                if (unlikely(x->replay.oseq == 0)) {
                        x->replay.oseq--;
                        xfrm_audit_state_replay_overflow(x, skb);
@@ -177,6 +178,7 @@ static int xfrm_replay_overflow_bmp(struct xfrm_state *x, struct sk_buff *skb)
        if (x->type->flags & XFRM_TYPE_REPLAY_PROT) {
                XFRM_SKB_CB(skb)->seq.output.low = ++replay_esn->oseq;
+                XFRM_SKB_CB(skb)->seq.output.hi = 0;
                if (unlikely(replay_esn->oseq == 0)) {
                        replay_esn->oseq--;
                        xfrm_audit_state_replay_overflow(x, skb);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index f5e39e35d73a..96688cd0f6f1 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -927,8 +927,8 @@ struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
                        x->id.spi != spi)
                        continue;
-                spin_unlock_bh(&net->xfrm.xfrm_state_lock);
                xfrm_state_hold(x);
+                spin_unlock_bh(&net->xfrm.xfrm_state_lock);
                return x;
        }
        spin_unlock_bh(&net->xfrm.xfrm_state_lock);