Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix use-after-free in IPSEC input parsing, desintation address
    pointer was loaded before pskb_may_pull() which can change the SKB
    data pointers. From Florian Westphal.

 2) Stack out-of-bounds read in xfrm_state_find(), from Steffen
    Klassert.

 3) IPVS state of SKB is not properly reset when moving between
    namespaces, from Ye Yin.

 4) Fix crash in asix driver suspend and resume, from Andrey Konovalov.

 5) Don't deliver ipv6 l2tp tunnel packets to ipv4 l2tp tunnels, and
    vice versa, from Guillaume Nault.

 6) Fix DSACK undo on non-dup ACKs, from Priyaranjan Jha.

 7) Fix regression in bond_xmit_hash()'s behavior after the TCP port
    selection changes back in 4.2, from Hangbin Liu.

 8) Two divide by zero bugs in USB networking drivers when parsing
    descriptors, from Bjorn Mork.

 9) Fix bonding slaves being stuck in BOND_LINK_FAIL state, from Jay
    Vosburgh.

10) Missing skb_reset_mac_header() in qmi_wwan, from Kristian Evensen.

11) Fix the destruction of tc action object races properly, from Cong
    Wang.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (31 commits)
  cls_u32: use tcf_exts_get_net() before call_rcu()
  cls_tcindex: use tcf_exts_get_net() before call_rcu()
  cls_rsvp: use tcf_exts_get_net() before call_rcu()
  cls_route: use tcf_exts_get_net() before call_rcu()
  cls_matchall: use tcf_exts_get_net() before call_rcu()
  cls_fw: use tcf_exts_get_net() before call_rcu()
  cls_flower: use tcf_exts_get_net() before call_rcu()
  cls_flow: use tcf_exts_get_net() before call_rcu()
  cls_cgroup: use tcf_exts_get_net() before call_rcu()
  cls_bpf: use tcf_exts_get_net() before call_rcu()
  cls_basic: use tcf_exts_get_net() before call_rcu()
  net_sched: introduce tcf_exts_get_net() and tcf_exts_put_net()
  Revert "net_sched: hold netns refcnt for each action"
  net: usb: asix: fill null-ptr-deref in asix_suspend
  Revert "net: usb: asix: fill null-ptr-deref in asix_suspend"
  qmi_wwan: Add missing skb_reset_mac_header-call
  bonding: fix slave stuck in BOND_LINK_FAIL state
  qrtr: Move to postcore_initcall
  net: qmi_wwan: fix divide by 0 on bad descriptors
  net: cdc_ether: fix divide by 0 on bad descriptors
  ...

46 files changed, 285 insertions, 146 deletions

diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index c99dc59d729b..b2db581131b2 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -2042,6 +2042,7 @@ static int bond_miimon_inspect(struct bonding *bond)
 
         bond_for_each_slave_rcu(bond, slave, iter) {
                 slave->new_link = BOND_LINK_NOCHANGE;
+                slave->link_new_state = slave->link;
 
                 link_state = bond_check_dev_link(bond, slave->dev, 0);
 
@@ -3253,7 +3254,7 @@ u32 bond_xmit_hash(struct bonding *bond, struct sk_buff *skb)
         hash ^= (hash >> 16);
         hash ^= (hash >> 8);
 
-        return hash;
+        return hash >> 1;
 }
 
 /*-------------------------- Device entry points ----------------------------*/
diff --git a/drivers/net/ethernet/chelsio/cxgb4/t4fw_version.h b/drivers/net/ethernet/chelsio/cxgb4/t4fw_version.h
index f2d623a7aee0..123e2c1b65f5 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/t4fw_version.h
+++ b/drivers/net/ethernet/chelsio/cxgb4/t4fw_version.h
@@ -37,7 +37,7 @@
 
 #define T4FW_VERSION_MAJOR 0x01
 #define T4FW_VERSION_MINOR 0x10
-#define T4FW_VERSION_MICRO 0x2D
+#define T4FW_VERSION_MICRO 0x3F
 #define T4FW_VERSION_BUILD 0x00
 
 #define T4FW_MIN_VERSION_MAJOR 0x01
@@ -46,7 +46,7 @@
 
 #define T5FW_VERSION_MAJOR 0x01
 #define T5FW_VERSION_MINOR 0x10
-#define T5FW_VERSION_MICRO 0x2D
+#define T5FW_VERSION_MICRO 0x3F
 #define T5FW_VERSION_BUILD 0x00
 
 #define T5FW_MIN_VERSION_MAJOR 0x00
@@ -55,7 +55,7 @@
 
 #define T6FW_VERSION_MAJOR 0x01
 #define T6FW_VERSION_MINOR 0x10
-#define T6FW_VERSION_MICRO 0x2D
+#define T6FW_VERSION_MICRO 0x3F
 #define T6FW_VERSION_BUILD 0x00
 
 #define T6FW_MIN_VERSION_MAJOR 0x00
diff --git a/drivers/net/ethernet/marvell/mvpp2.c b/drivers/net/ethernet/marvell/mvpp2.c
index a37af5813f33..fcf9ba5eb8d1 100644
--- a/drivers/net/ethernet/marvell/mvpp2.c
+++ b/drivers/net/ethernet/marvell/mvpp2.c
@@ -6747,6 +6747,9 @@ static int mvpp2_irqs_init(struct mvpp2_port *port)
         for (i = 0; i < port->nqvecs; i++) {
                 struct mvpp2_queue_vector *qv = port->qvecs + i;
 
+                if (qv->type == MVPP2_QUEUE_VECTOR_PRIVATE)
+                        irq_set_status_flags(qv->irq, IRQ_NO_BALANCING);
+
                 err = request_irq(qv->irq, mvpp2_isr, 0, port->dev->name, qv);
                 if (err)
                         goto err;
@@ -6776,6 +6779,7 @@ static void mvpp2_irqs_deinit(struct mvpp2_port *port)
                 struct mvpp2_queue_vector *qv = port->qvecs + i;
 
                 irq_set_affinity_hint(qv->irq, NULL);
+                irq_clear_status_flags(qv->irq, IRQ_NO_BALANCING);
                 free_irq(qv->irq, qv);
         }
 }
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
index 850cdc980ab5..4837045ffba3 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
@@ -365,21 +365,24 @@ static void mlx5e_execute_l2_action(struct mlx5e_priv *priv,
                                     struct mlx5e_l2_hash_node *hn)
 {
         u8 action = hn->action;
+        u8 mac_addr[ETH_ALEN];
         int l2_err = 0;
 
+        ether_addr_copy(mac_addr, hn->ai.addr);
+
         switch (action) {
         case MLX5E_ACTION_ADD:
                 mlx5e_add_l2_flow_rule(priv, &hn->ai, MLX5E_FULLMATCH);
-                if (!is_multicast_ether_addr(hn->ai.addr)) {
-                        l2_err = mlx5_mpfs_add_mac(priv->mdev, hn->ai.addr);
+                if (!is_multicast_ether_addr(mac_addr)) {
+                        l2_err = mlx5_mpfs_add_mac(priv->mdev, mac_addr);
                         hn->mpfs = !l2_err;
                 }
                 hn->action = MLX5E_ACTION_NONE;
                 break;
 
         case MLX5E_ACTION_DEL:
-                if (!is_multicast_ether_addr(hn->ai.addr) && hn->mpfs)
-                        l2_err = mlx5_mpfs_del_mac(priv->mdev, hn->ai.addr);
+                if (!is_multicast_ether_addr(mac_addr) && hn->mpfs)
+                        l2_err = mlx5_mpfs_del_mac(priv->mdev, mac_addr);
                 mlx5e_del_l2_flow_rule(priv, &hn->ai);
                 mlx5e_del_l2_from_hash(hn);
                 break;
@@ -387,7 +390,7 @@ static void mlx5e_execute_l2_action(struct mlx5e_priv *priv,
 
         if (l2_err)
                 netdev_warn(priv->netdev, "MPFS, failed to %s mac %pM, err(%d)\n",
-                            action == MLX5E_ACTION_ADD ? "add" : "del", hn->ai.addr, l2_err);
+                            action == MLX5E_ACTION_ADD ? "add" : "del", mac_addr, l2_err);
 }
 
 static void mlx5e_sync_netdev_addr(struct mlx5e_priv *priv)
diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
index b2ff88e69a81..3d4f7959dabb 100644
--- a/drivers/net/usb/asix_devices.c
+++ b/drivers/net/usb/asix_devices.c
@@ -626,7 +626,7 @@ static int asix_suspend(struct usb_interface *intf, pm_message_t message)
         struct usbnet *dev = usb_get_intfdata(intf);
         struct asix_common_private *priv = dev->driver_priv;
 
-        if (priv->suspend)
+        if (priv && priv->suspend)
                 priv->suspend(dev);
 
         return usbnet_suspend(intf, message);
@@ -678,7 +678,7 @@ static int asix_resume(struct usb_interface *intf)
         struct usbnet *dev = usb_get_intfdata(intf);
         struct asix_common_private *priv = dev->driver_priv;
 
-        if (priv->resume)
+        if (priv && priv->resume)
                 priv->resume(dev);
 
         return usbnet_resume(intf);
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index 3e7a3ac3a362..05dca3e5c93d 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -230,7 +230,7 @@ skip:
                         goto bad_desc;
         }
 
-        if (header.usb_cdc_ether_desc) {
+        if (header.usb_cdc_ether_desc && info->ether->wMaxSegmentSize) {
                 dev->hard_mtu = le16_to_cpu(info->ether->wMaxSegmentSize);
                 /* because of Zaurus, we may be ignoring the host
                  * side link address we were given.
diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 8c3733608271..8d4a6f7cba61 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -499,6 +499,7 @@ static int qmi_wwan_rx_fixup(struct usbnet *dev, struct sk_buff *skb)
                 return 1;
         }
         if (rawip) {
+                skb_reset_mac_header(skb);
                 skb->dev = dev->net; /* normally set by eth_type_trans */
                 skb->protocol = proto;
                 return 1;
@@ -681,7 +682,7 @@ static int qmi_wwan_bind(struct usbnet *dev, struct usb_interface *intf)
         }
 
         /* errors aren't fatal - we can live with the dynamic address */
-        if (cdc_ether) {
+        if (cdc_ether && cdc_ether->wMaxSegmentSize) {
                 dev->hard_mtu = le16_to_cpu(cdc_ether->wMaxSegmentSize);
                 usbnet_get_ethernet_addr(dev, cdc_ether->iMACAddress);
         }
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 72299ef00061..d448a4804aea 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -3770,6 +3770,13 @@ static inline void nf_reset_trace(struct sk_buff *skb)
 #endif
 }
 
+static inline void ipvs_reset(struct sk_buff *skb)
+{
+#if IS_ENABLED(CONFIG_IP_VS)
+        skb->ipvs_property = 0;
+#endif
+}
+
 /* Note: This doesn't put any conntrack and bridge info in dst. */
 static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src,
                              bool copy)
diff --git a/include/net/act_api.h b/include/net/act_api.h
index 1e6df0eb058f..a10a3b1813f3 100644
--- a/include/net/act_api.h
+++ b/include/net/act_api.h
@@ -14,7 +14,6 @@
 struct tcf_idrinfo {
         spinlock_t      lock;
         struct idr      action_idr;
-        struct net      *net;
 };
 
 struct tc_action_ops;
@@ -106,7 +105,7 @@ struct tc_action_net {
 
 static inline
 int tc_action_net_init(struct tc_action_net *tn,
-                       const struct tc_action_ops *ops, struct net *net)
+                       const struct tc_action_ops *ops)
 {
         int err = 0;
 
@@ -114,7 +113,6 @@ int tc_action_net_init(struct tc_action_net *tn,
         if (!tn->idrinfo)
                 return -ENOMEM;
         tn->ops = ops;
-        tn->idrinfo->net = net;
         spin_lock_init(&tn->idrinfo->lock);
         idr_init(&tn->idrinfo->action_idr);
         return err;
diff --git a/include/net/pkt_cls.h b/include/net/pkt_cls.h
index 70ca2437740e..8826747ef83e 100644
--- a/include/net/pkt_cls.h
+++ b/include/net/pkt_cls.h
@@ -94,6 +94,7 @@ struct tcf_exts {
         __u32   type; /* for backward compat(TCA_OLD_COMPAT) */
         int nr_actions;
         struct tc_action **actions;
+        struct net *net;
 #endif
         /* Map to export classifier specific extension TLV types to the
          * generic extensions API. Unsupported extensions must be set to 0.
@@ -107,6 +108,7 @@ static inline int tcf_exts_init(struct tcf_exts *exts, int action, int police)
 #ifdef CONFIG_NET_CLS_ACT
         exts->type = 0;
         exts->nr_actions = 0;
+        exts->net = NULL;
         exts->actions = kcalloc(TCA_ACT_MAX_PRIO, sizeof(struct tc_action *),
                                 GFP_KERNEL);
         if (!exts->actions)
@@ -117,6 +119,28 @@ static inline int tcf_exts_init(struct tcf_exts *exts, int action, int police)
         return 0;
 }
 
+/* Return false if the netns is being destroyed in cleanup_net(). Callers
+ * need to do cleanup synchronously in this case, otherwise may race with
+ * tc_action_net_exit(). Return true for other cases.
+ */
+static inline bool tcf_exts_get_net(struct tcf_exts *exts)
+{
+#ifdef CONFIG_NET_CLS_ACT
+        exts->net = maybe_get_net(exts->net);
+        return exts->net != NULL;
+#else
+        return true;
+#endif
+}
+
+static inline void tcf_exts_put_net(struct tcf_exts *exts)
+{
+#ifdef CONFIG_NET_CLS_ACT
+        if (exts->net)
+                put_net(exts->net);
+#endif
+}
+
 static inline void tcf_exts_to_list(const struct tcf_exts *exts,
                                     struct list_head *actions)
 {
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 24656076906d..e140ba49b30a 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4864,6 +4864,7 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet)
         if (!xnet)
                 return;
 
+        ipvs_reset(skb);
         skb_orphan(skb);
         skb->mark = 0;
 }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 5a87a00641d3..b2fc7163bd40 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -115,7 +115,7 @@ int sysctl_tcp_invalid_ratelimit __read_mostly = HZ/2;
 
 #define FLAG_ACKED              (FLAG_DATA_ACKED|FLAG_SYN_ACKED)
 #define FLAG_NOT_DUP            (FLAG_DATA|FLAG_WIN_UPDATE|FLAG_ACKED)
-#define FLAG_CA_ALERT           (FLAG_DATA_SACKED|FLAG_ECE)
+#define FLAG_CA_ALERT           (FLAG_DATA_SACKED|FLAG_ECE|FLAG_DSACKING_ACK)
 #define FLAG_FORWARD_PROGRESS   (FLAG_ACKED|FLAG_DATA_SACKED)
 
 #define TCP_REMNANT (TCP_FLAG_FIN|TCP_FLAG_URG|TCP_FLAG_SYN|TCP_FLAG_PSH)
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 4d322c1b7233..e4280b6568b4 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -123,6 +123,7 @@ static int l2tp_ip_recv(struct sk_buff *skb)
         unsigned char *ptr, *optr;
         struct l2tp_session *session;
         struct l2tp_tunnel *tunnel = NULL;
+        struct iphdr *iph;
         int length;
 
         if (!pskb_may_pull(skb, 4))
@@ -178,24 +179,17 @@ pass_up:
                 goto discard;
 
         tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
-        tunnel = l2tp_tunnel_find(net, tunnel_id);
-        if (tunnel) {
-                sk = tunnel->sock;
-                sock_hold(sk);
-        } else {
-                struct iphdr *iph = (struct iphdr *) skb_network_header(skb);
-
-                read_lock_bh(&l2tp_ip_lock);
-                sk = __l2tp_ip_bind_lookup(net, iph->daddr, iph->saddr,
-                                           inet_iif(skb), tunnel_id);
-                if (!sk) {
-                        read_unlock_bh(&l2tp_ip_lock);
-                        goto discard;
-                }
+        iph = (struct iphdr *)skb_network_header(skb);
 
-                sock_hold(sk);
+        read_lock_bh(&l2tp_ip_lock);
+        sk = __l2tp_ip_bind_lookup(net, iph->daddr, iph->saddr, inet_iif(skb),
+                                   tunnel_id);
+        if (!sk) {
                 read_unlock_bh(&l2tp_ip_lock);
+                goto discard;
         }
+        sock_hold(sk);
+        read_unlock_bh(&l2tp_ip_lock);
 
         if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
                 goto discard_put;
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 88b397c30d86..8bcaa975b432 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -136,6 +136,7 @@ static int l2tp_ip6_recv(struct sk_buff *skb)
         unsigned char *ptr, *optr;
         struct l2tp_session *session;
         struct l2tp_tunnel *tunnel = NULL;
+        struct ipv6hdr *iph;
         int length;
 
         if (!pskb_may_pull(skb, 4))
@@ -192,24 +193,17 @@ pass_up:
                 goto discard;
 
         tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
-        tunnel = l2tp_tunnel_find(net, tunnel_id);
-        if (tunnel) {
-                sk = tunnel->sock;
-                sock_hold(sk);
-        } else {
-                struct ipv6hdr *iph = ipv6_hdr(skb);
-
-                read_lock_bh(&l2tp_ip6_lock);
-                sk = __l2tp_ip6_bind_lookup(net, &iph->daddr, &iph->saddr,
-                                            inet6_iif(skb), tunnel_id);
-                if (!sk) {
-                        read_unlock_bh(&l2tp_ip6_lock);
-                        goto discard;
-                }
+        iph = ipv6_hdr(skb);
 
-                sock_hold(sk);
+        read_lock_bh(&l2tp_ip6_lock);
+        sk = __l2tp_ip6_bind_lookup(net, &iph->daddr, &iph->saddr,
+                                    inet6_iif(skb), tunnel_id);
+        if (!sk) {
                 read_unlock_bh(&l2tp_ip6_lock);
+                goto discard;
         }
+        sock_hold(sk);
+        read_unlock_bh(&l2tp_ip6_lock);
 
         if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
                 goto discard_put;
diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
index c2f5c13550c0..78418f38464a 100644
--- a/net/qrtr/qrtr.c
+++ b/net/qrtr/qrtr.c
@@ -1085,7 +1085,7 @@ static int __init qrtr_proto_init(void)
 
         return 0;
 }
-module_init(qrtr_proto_init);
+postcore_initcall(qrtr_proto_init);
 
 static void __exit qrtr_proto_fini(void)
 {
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index ca2ff0b3123f..8f2c63514956 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -78,7 +78,6 @@ static void tcf_idr_remove(struct tcf_idrinfo *idrinfo, struct tc_action *p)
         spin_lock_bh(&idrinfo->lock);
         idr_remove_ext(&idrinfo->action_idr, p->tcfa_index);
         spin_unlock_bh(&idrinfo->lock);
-        put_net(idrinfo->net);
         gen_kill_estimator(&p->tcfa_rate_est);
         free_tcf(p);
 }
@@ -337,7 +336,6 @@ err3:
         p->idrinfo = idrinfo;
         p->ops = ops;
         INIT_LIST_HEAD(&p->list);
-        get_net(idrinfo->net);
         *a = p;
         return 0;
 }
diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
index 9bce8cc84cbb..c0c707eb2c96 100644
--- a/net/sched/act_bpf.c
+++ b/net/sched/act_bpf.c
@@ -398,7 +398,7 @@ static __net_init int bpf_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, bpf_net_id);
 
-        return tc_action_net_init(tn, &act_bpf_ops, net);
+        return tc_action_net_init(tn, &act_bpf_ops);
 }
 
 static void __net_exit bpf_exit_net(struct net *net)
diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c
index 34e52d01a5dd..10b7a8855a6c 100644
--- a/net/sched/act_connmark.c
+++ b/net/sched/act_connmark.c
@@ -206,7 +206,7 @@ static __net_init int connmark_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, connmark_net_id);
 
-        return tc_action_net_init(tn, &act_connmark_ops, net);
+        return tc_action_net_init(tn, &act_connmark_ops);
 }
 
 static void __net_exit connmark_exit_net(struct net *net)
diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
index 35171df2ebef..1c40caadcff9 100644
--- a/net/sched/act_csum.c
+++ b/net/sched/act_csum.c
@@ -626,7 +626,7 @@ static __net_init int csum_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, csum_net_id);
 
-        return tc_action_net_init(tn, &act_csum_ops, net);
+        return tc_action_net_init(tn, &act_csum_ops);
 }
 
 static void __net_exit csum_exit_net(struct net *net)
diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
index ef7f7f39d26d..e29a48ef7fc3 100644
--- a/net/sched/act_gact.c
+++ b/net/sched/act_gact.c
@@ -232,7 +232,7 @@ static __net_init int gact_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, gact_net_id);
 
-        return tc_action_net_init(tn, &act_gact_ops, net);
+        return tc_action_net_init(tn, &act_gact_ops);
 }
 
 static void __net_exit gact_exit_net(struct net *net)
diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
index f65e4b5058e0..8ccd35825b6b 100644
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -818,7 +818,7 @@ static __net_init int ife_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, ife_net_id);
 
-        return tc_action_net_init(tn, &act_ife_ops, net);
+        return tc_action_net_init(tn, &act_ife_ops);
 }
 
 static void __net_exit ife_exit_net(struct net *net)
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index dbdf3b2470d5..d9e399a7e3d5 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -334,7 +334,7 @@ static __net_init int ipt_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, ipt_net_id);
 
-        return tc_action_net_init(tn, &act_ipt_ops, net);
+        return tc_action_net_init(tn, &act_ipt_ops);
 }
 
 static void __net_exit ipt_exit_net(struct net *net)
@@ -384,7 +384,7 @@ static __net_init int xt_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, xt_net_id);
 
-        return tc_action_net_init(tn, &act_xt_ops, net);
+        return tc_action_net_init(tn, &act_xt_ops);
 }
 
 static void __net_exit xt_exit_net(struct net *net)
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index 84759cfd5a33..416627c66f08 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -343,7 +343,7 @@ static __net_init int mirred_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, mirred_net_id);
 
-        return tc_action_net_init(tn, &act_mirred_ops, net);
+        return tc_action_net_init(tn, &act_mirred_ops);
 }
 
 static void __net_exit mirred_exit_net(struct net *net)
diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c
index 7eeaaf9217b6..c365d01b99c8 100644
--- a/net/sched/act_nat.c
+++ b/net/sched/act_nat.c
@@ -307,7 +307,7 @@ static __net_init int nat_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, nat_net_id);
 
-        return tc_action_net_init(tn, &act_nat_ops, net);
+        return tc_action_net_init(tn, &act_nat_ops);
 }
 
 static void __net_exit nat_exit_net(struct net *net)
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index b3d82c334a5f..491fe5deb09e 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -450,7 +450,7 @@ static __net_init int pedit_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, pedit_net_id);
 
-        return tc_action_net_init(tn, &act_pedit_ops, net);
+        return tc_action_net_init(tn, &act_pedit_ops);
 }
 
 static void __net_exit pedit_exit_net(struct net *net)
diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index 9ec42b26e4b9..3bb2ebf9e9ae 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -331,7 +331,7 @@ static __net_init int police_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, police_net_id);
 
-        return tc_action_net_init(tn, &act_police_ops, net);
+        return tc_action_net_init(tn, &act_police_ops);
 }
 
 static void __net_exit police_exit_net(struct net *net)
diff --git a/net/sched/act_sample.c b/net/sched/act_sample.c
index e69a1e3a39bf..8b5abcd2f32f 100644
--- a/net/sched/act_sample.c
+++ b/net/sched/act_sample.c
@@ -240,7 +240,7 @@ static __net_init int sample_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, sample_net_id);
 
-        return tc_action_net_init(tn, &act_sample_ops, net);
+        return tc_action_net_init(tn, &act_sample_ops);
 }
 
 static void __net_exit sample_exit_net(struct net *net)
diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
index a8d0ea95f894..e7b57e5071a3 100644
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -201,7 +201,7 @@ static __net_init int simp_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, simp_net_id);
 
-        return tc_action_net_init(tn, &act_simp_ops, net);
+        return tc_action_net_init(tn, &act_simp_ops);
 }
 
 static void __net_exit simp_exit_net(struct net *net)
diff --git a/net/sched/act_skbedit.c b/net/sched/act_skbedit.c
index fbac62472e09..59949d61f20d 100644
--- a/net/sched/act_skbedit.c
+++ b/net/sched/act_skbedit.c
@@ -238,7 +238,7 @@ static __net_init int skbedit_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, skbedit_net_id);
 
-        return tc_action_net_init(tn, &act_skbedit_ops, net);
+        return tc_action_net_init(tn, &act_skbedit_ops);
 }
 
 static void __net_exit skbedit_exit_net(struct net *net)
diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c
index 8e12d8897d2f..b642ad3d39dd 100644
--- a/net/sched/act_skbmod.c
+++ b/net/sched/act_skbmod.c
@@ -263,7 +263,7 @@ static __net_init int skbmod_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, skbmod_net_id);
 
-        return tc_action_net_init(tn, &act_skbmod_ops, net);
+        return tc_action_net_init(tn, &act_skbmod_ops);
 }
 
 static void __net_exit skbmod_exit_net(struct net *net)
diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c
index c33faa373cf2..30c96274c638 100644
--- a/net/sched/act_tunnel_key.c
+++ b/net/sched/act_tunnel_key.c
@@ -322,7 +322,7 @@ static __net_init int tunnel_key_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, tunnel_key_net_id);
 
-        return tc_action_net_init(tn, &act_tunnel_key_ops, net);
+        return tc_action_net_init(tn, &act_tunnel_key_ops);
 }
 
 static void __net_exit tunnel_key_exit_net(struct net *net)
diff --git a/net/sched/act_vlan.c b/net/sched/act_vlan.c
index 115fc33cc6d8..16eb067a8d8f 100644
--- a/net/sched/act_vlan.c
+++ b/net/sched/act_vlan.c
@@ -269,7 +269,7 @@ static __net_init int vlan_init_net(struct net *net)
 {
         struct tc_action_net *tn = net_generic(net, vlan_net_id);
 
-        return tc_action_net_init(tn, &act_vlan_ops, net);
+        return tc_action_net_init(tn, &act_vlan_ops);
 }
 
 static void __net_exit vlan_exit_net(struct net *net)
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index b2d310745487..ecbb019efcbd 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -927,6 +927,7 @@ int tcf_exts_validate(struct net *net, struct tcf_proto *tp, struct nlattr **tb,
                                 exts->actions[i++] = act;
                         exts->nr_actions = i;
                 }
+                exts->net = net;
         }
 #else
         if ((exts->action && tb[exts->action]) ||
diff --git a/net/sched/cls_basic.c b/net/sched/cls_basic.c
index f177649a2419..e43c56d5b96a 100644
--- a/net/sched/cls_basic.c
+++ b/net/sched/cls_basic.c
@@ -85,16 +85,21 @@ static int basic_init(struct tcf_proto *tp)
         return 0;
 }
 
+static void __basic_delete_filter(struct basic_filter *f)
+{
+        tcf_exts_destroy(&f->exts);
+        tcf_em_tree_destroy(&f->ematches);
+        tcf_exts_put_net(&f->exts);
+        kfree(f);
+}
+
 static void basic_delete_filter_work(struct work_struct *work)
 {
         struct basic_filter *f = container_of(work, struct basic_filter, work);
 
         rtnl_lock();
-        tcf_exts_destroy(&f->exts);
-        tcf_em_tree_destroy(&f->ematches);
+        __basic_delete_filter(f);
         rtnl_unlock();
-
-        kfree(f);
 }
 
 static void basic_delete_filter(struct rcu_head *head)
@@ -113,7 +118,10 @@ static void basic_destroy(struct tcf_proto *tp)
         list_for_each_entry_safe(f, n, &head->flist, link) {
                 list_del_rcu(&f->link);
                 tcf_unbind_filter(tp, &f->res);
-                call_rcu(&f->rcu, basic_delete_filter);
+                if (tcf_exts_get_net(&f->exts))
+                        call_rcu(&f->rcu, basic_delete_filter);
+                else
+                        __basic_delete_filter(f);
         }
         kfree_rcu(head, rcu);
 }
@@ -125,6 +133,7 @@ static int basic_delete(struct tcf_proto *tp, void *arg, bool *last)
 
         list_del_rcu(&f->link);
         tcf_unbind_filter(tp, &f->res);
+        tcf_exts_get_net(&f->exts);
         call_rcu(&f->rcu, basic_delete_filter);
         *last = list_empty(&head->flist);
         return 0;
@@ -219,6 +228,7 @@ static int basic_change(struct net *net, struct sk_buff *in_skb,
         if (fold) {
                 list_replace_rcu(&fold->link, &fnew->link);
                 tcf_unbind_filter(tp, &fold->res);
+                tcf_exts_get_net(&fold->exts);
                 call_rcu(&fold->rcu, basic_delete_filter);
         } else {
                 list_add_rcu(&fnew->link, &head->flist);
diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 037a3ae86829..990eb4d91d54 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -249,6 +249,7 @@ static int cls_bpf_init(struct tcf_proto *tp)
 static void __cls_bpf_delete_prog(struct cls_bpf_prog *prog)
 {
         tcf_exts_destroy(&prog->exts);
+        tcf_exts_put_net(&prog->exts);
 
         if (cls_bpf_is_ebpf(prog))
                 bpf_prog_put(prog->filter);
@@ -282,7 +283,10 @@ static void __cls_bpf_delete(struct tcf_proto *tp, struct cls_bpf_prog *prog)
         cls_bpf_stop_offload(tp, prog);
         list_del_rcu(&prog->link);
         tcf_unbind_filter(tp, &prog->res);
-        call_rcu(&prog->rcu, cls_bpf_delete_prog_rcu);
+        if (tcf_exts_get_net(&prog->exts))
+                call_rcu(&prog->rcu, cls_bpf_delete_prog_rcu);
+        else
+                __cls_bpf_delete_prog(prog);
 }
 
 static int cls_bpf_delete(struct tcf_proto *tp, void *arg, bool *last)
@@ -516,6 +520,7 @@ static int cls_bpf_change(struct net *net, struct sk_buff *in_skb,
         if (oldprog) {
                 list_replace_rcu(&oldprog->link, &prog->link);
                 tcf_unbind_filter(tp, &oldprog->res);
+                tcf_exts_get_net(&oldprog->exts);
                 call_rcu(&oldprog->rcu, cls_bpf_delete_prog_rcu);
         } else {
                 list_add_rcu(&prog->link, &head->plist);
diff --git a/net/sched/cls_cgroup.c b/net/sched/cls_cgroup.c
index a97e069bee89..309d5899265f 100644
--- a/net/sched/cls_cgroup.c
+++ b/net/sched/cls_cgroup.c
@@ -60,15 +60,21 @@ static const struct nla_policy cgroup_policy[TCA_CGROUP_MAX + 1] = {
         [TCA_CGROUP_EMATCHES]   = { .type = NLA_NESTED },
 };
 
+static void __cls_cgroup_destroy(struct cls_cgroup_head *head)
+{
+        tcf_exts_destroy(&head->exts);
+        tcf_em_tree_destroy(&head->ematches);
+        tcf_exts_put_net(&head->exts);
+        kfree(head);
+}
+
 static void cls_cgroup_destroy_work(struct work_struct *work)
 {
         struct cls_cgroup_head *head = container_of(work,
                                                     struct cls_cgroup_head,
                                                     work);
         rtnl_lock();
-        tcf_exts_destroy(&head->exts);
-        tcf_em_tree_destroy(&head->ematches);
-        kfree(head);
+        __cls_cgroup_destroy(head);
         rtnl_unlock();
 }
 
@@ -124,8 +130,10 @@ static int cls_cgroup_change(struct net *net, struct sk_buff *in_skb,
                 goto errout;
 
         rcu_assign_pointer(tp->root, new);
-        if (head)
+        if (head) {
+                tcf_exts_get_net(&head->exts);
                 call_rcu(&head->rcu, cls_cgroup_destroy_rcu);
+        }
         return 0;
 errout:
         tcf_exts_destroy(&new->exts);
@@ -138,8 +146,12 @@ static void cls_cgroup_destroy(struct tcf_proto *tp)
         struct cls_cgroup_head *head = rtnl_dereference(tp->root);
 
         /* Head can still be NULL due to cls_cgroup_init(). */
-        if (head)
-                call_rcu(&head->rcu, cls_cgroup_destroy_rcu);
+        if (head) {
+                if (tcf_exts_get_net(&head->exts))
+                        call_rcu(&head->rcu, cls_cgroup_destroy_rcu);
+                else
+                        __cls_cgroup_destroy(head);
+        }
 }
 
 static int cls_cgroup_delete(struct tcf_proto *tp, void *arg, bool *last)
diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c
index 67f3a2af6aab..85f765cff697 100644
--- a/net/sched/cls_flow.c
+++ b/net/sched/cls_flow.c
@@ -372,15 +372,21 @@ static const struct nla_policy flow_policy[TCA_FLOW_MAX + 1] = {
         [TCA_FLOW_PERTURB]      = { .type = NLA_U32 },
 };
 
-static void flow_destroy_filter_work(struct work_struct *work)
+static void __flow_destroy_filter(struct flow_filter *f)
 {
-        struct flow_filter *f = container_of(work, struct flow_filter, work);
-
-        rtnl_lock();
         del_timer_sync(&f->perturb_timer);
         tcf_exts_destroy(&f->exts);
         tcf_em_tree_destroy(&f->ematches);
+        tcf_exts_put_net(&f->exts);
         kfree(f);
+}
+
+static void flow_destroy_filter_work(struct work_struct *work)
+{
+        struct flow_filter *f = container_of(work, struct flow_filter, work);
+
+        rtnl_lock();
+        __flow_destroy_filter(f);
         rtnl_unlock();
 }
 
@@ -552,8 +558,10 @@ static int flow_change(struct net *net, struct sk_buff *in_skb,
 
         *arg = fnew;
 
-        if (fold)
+        if (fold) {
+                tcf_exts_get_net(&fold->exts);
                 call_rcu(&fold->rcu, flow_destroy_filter);
+        }
         return 0;
 
 err2:
@@ -570,6 +578,7 @@ static int flow_delete(struct tcf_proto *tp, void *arg, bool *last)
         struct flow_filter *f = arg;
 
         list_del_rcu(&f->list);
+        tcf_exts_get_net(&f->exts);
         call_rcu(&f->rcu, flow_destroy_filter);
         *last = list_empty(&head->filters);
         return 0;
@@ -594,7 +603,10 @@ static void flow_destroy(struct tcf_proto *tp)
 
         list_for_each_entry_safe(f, next, &head->filters, list) {
                 list_del_rcu(&f->list);
-                call_rcu(&f->rcu, flow_destroy_filter);
+                if (tcf_exts_get_net(&f->exts))
+                        call_rcu(&f->rcu, flow_destroy_filter);
+                else
+                        __flow_destroy_filter(f);
         }
         kfree_rcu(head, rcu);
 }
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index 5b5722c8b32c..7a838d1c1c00 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -218,13 +218,19 @@ static int fl_init(struct tcf_proto *tp)
         return 0;
 }
 
+static void __fl_destroy_filter(struct cls_fl_filter *f)
+{
+        tcf_exts_destroy(&f->exts);
+        tcf_exts_put_net(&f->exts);
+        kfree(f);
+}
+
 static void fl_destroy_filter_work(struct work_struct *work)
 {
         struct cls_fl_filter *f = container_of(work, struct cls_fl_filter, work);
 
         rtnl_lock();
-        tcf_exts_destroy(&f->exts);
-        kfree(f);
+        __fl_destroy_filter(f);
         rtnl_unlock();
 }
 
@@ -318,7 +324,10 @@ static void __fl_delete(struct tcf_proto *tp, struct cls_fl_filter *f)
         if (!tc_skip_hw(f->flags))
                 fl_hw_destroy_filter(tp, f);
         tcf_unbind_filter(tp, &f->res);
-        call_rcu(&f->rcu, fl_destroy_filter);
+        if (tcf_exts_get_net(&f->exts))
+                call_rcu(&f->rcu, fl_destroy_filter);
+        else
+                __fl_destroy_filter(f);
 }
 
 static void fl_destroy_sleepable(struct work_struct *work)
@@ -988,6 +997,7 @@ static int fl_change(struct net *net, struct sk_buff *in_skb,
                 idr_replace_ext(&head->handle_idr, fnew, fnew->handle);
                 list_replace_rcu(&fold->list, &fnew->list);
                 tcf_unbind_filter(tp, &fold->res);
+                tcf_exts_get_net(&fold->exts);
                 call_rcu(&fold->rcu, fl_destroy_filter);
         } else {
                 list_add_tail_rcu(&fnew->list, &head->filters);
diff --git a/net/sched/cls_fw.c b/net/sched/cls_fw.c
index 99183b8621ec..7f45e5ab8afc 100644
--- a/net/sched/cls_fw.c
+++ b/net/sched/cls_fw.c
@@ -122,13 +122,19 @@ static int fw_init(struct tcf_proto *tp)
         return 0;
 }
 
+static void __fw_delete_filter(struct fw_filter *f)
+{
+        tcf_exts_destroy(&f->exts);
+        tcf_exts_put_net(&f->exts);
+        kfree(f);
+}
+
 static void fw_delete_filter_work(struct work_struct *work)
 {
         struct fw_filter *f = container_of(work, struct fw_filter, work);
 
         rtnl_lock();
-        tcf_exts_destroy(&f->exts);
-        kfree(f);
+        __fw_delete_filter(f);
         rtnl_unlock();
 }
 
@@ -154,7 +160,10 @@ static void fw_destroy(struct tcf_proto *tp)
                         RCU_INIT_POINTER(head->ht[h],
                                          rtnl_dereference(f->next));
                         tcf_unbind_filter(tp, &f->res);
-                        call_rcu(&f->rcu, fw_delete_filter);
+                        if (tcf_exts_get_net(&f->exts))
+                                call_rcu(&f->rcu, fw_delete_filter);
+                        else
+                                __fw_delete_filter(f);
                 }
         }
         kfree_rcu(head, rcu);
@@ -179,6 +188,7 @@ static int fw_delete(struct tcf_proto *tp, void *arg, bool *last)
                 if (pfp == f) {
                         RCU_INIT_POINTER(*fp, rtnl_dereference(f->next));
                         tcf_unbind_filter(tp, &f->res);
+                        tcf_exts_get_net(&f->exts);
                         call_rcu(&f->rcu, fw_delete_filter);
                         ret = 0;
                         break;
@@ -299,6 +309,7 @@ static int fw_change(struct net *net, struct sk_buff *in_skb,
                 RCU_INIT_POINTER(fnew->next, rtnl_dereference(pfp->next));
                 rcu_assign_pointer(*fp, fnew);
                 tcf_unbind_filter(tp, &f->res);
+                tcf_exts_get_net(&f->exts);
                 call_rcu(&f->rcu, fw_delete_filter);
 
                 *arg = fnew;
diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c
index c33f711b9019..3684153cd8a9 100644
--- a/net/sched/cls_matchall.c
+++ b/net/sched/cls_matchall.c
@@ -44,13 +44,19 @@ static int mall_init(struct tcf_proto *tp)
         return 0;
 }
 
+static void __mall_destroy(struct cls_mall_head *head)
+{
+        tcf_exts_destroy(&head->exts);
+        tcf_exts_put_net(&head->exts);
+        kfree(head);
+}
+
 static void mall_destroy_work(struct work_struct *work)
 {
         struct cls_mall_head *head = container_of(work, struct cls_mall_head,
                                                   work);
         rtnl_lock();
-        tcf_exts_destroy(&head->exts);
-        kfree(head);
+        __mall_destroy(head);
         rtnl_unlock();
 }
 
@@ -109,7 +115,10 @@ static void mall_destroy(struct tcf_proto *tp)
         if (tc_should_offload(dev, head->flags))
                 mall_destroy_hw_filter(tp, head, (unsigned long) head);
 
-        call_rcu(&head->rcu, mall_destroy_rcu);
+        if (tcf_exts_get_net(&head->exts))
+                call_rcu(&head->rcu, mall_destroy_rcu);
+        else
+                __mall_destroy(head);
 }
 
 static void *mall_get(struct tcf_proto *tp, u32 handle)
diff --git a/net/sched/cls_route.c b/net/sched/cls_route.c
index 4b14ccd8b8f2..ac9a5b8825b9 100644
--- a/net/sched/cls_route.c
+++ b/net/sched/cls_route.c
@@ -257,13 +257,19 @@ static int route4_init(struct tcf_proto *tp)
         return 0;
 }
 
+static void __route4_delete_filter(struct route4_filter *f)
+{
+        tcf_exts_destroy(&f->exts);
+        tcf_exts_put_net(&f->exts);
+        kfree(f);
+}
+
 static void route4_delete_filter_work(struct work_struct *work)
 {
         struct route4_filter *f = container_of(work, struct route4_filter, work);
 
         rtnl_lock();
-        tcf_exts_destroy(&f->exts);
-        kfree(f);
+        __route4_delete_filter(f);
         rtnl_unlock();
 }
 
@@ -297,7 +303,10 @@ static void route4_destroy(struct tcf_proto *tp)
                                         next = rtnl_dereference(f->next);
                                         RCU_INIT_POINTER(b->ht[h2], next);
                                         tcf_unbind_filter(tp, &f->res);
-                                        call_rcu(&f->rcu, route4_delete_filter);
+                                        if (tcf_exts_get_net(&f->exts))
+                                                call_rcu(&f->rcu, route4_delete_filter);
+                                        else
+                                                __route4_delete_filter(f);
                                 }
                         }
                         RCU_INIT_POINTER(head->table[h1], NULL);
@@ -338,6 +347,7 @@ static int route4_delete(struct tcf_proto *tp, void *arg, bool *last)
 
                         /* Delete it */
                         tcf_unbind_filter(tp, &f->res);
+                        tcf_exts_get_net(&f->exts);
                         call_rcu(&f->rcu, route4_delete_filter);
 
                         /* Strip RTNL protected tree */
@@ -541,6 +551,7 @@ static int route4_change(struct net *net, struct sk_buff *in_skb,
         *arg = f;
         if (fold) {
                 tcf_unbind_filter(tp, &fold->res);
+                tcf_exts_get_net(&fold->exts);
                 call_rcu(&fold->rcu, route4_delete_filter);
         }
         return 0;
diff --git a/net/sched/cls_rsvp.h b/net/sched/cls_rsvp.h
index bdbc541787f8..cf325625c99d 100644
--- a/net/sched/cls_rsvp.h
+++ b/net/sched/cls_rsvp.h
@@ -285,13 +285,19 @@ static int rsvp_init(struct tcf_proto *tp)
         return -ENOBUFS;
 }
 
+static void __rsvp_delete_filter(struct rsvp_filter *f)
+{
+        tcf_exts_destroy(&f->exts);
+        tcf_exts_put_net(&f->exts);
+        kfree(f);
+}
+
 static void rsvp_delete_filter_work(struct work_struct *work)
 {
         struct rsvp_filter *f = container_of(work, struct rsvp_filter, work);
 
         rtnl_lock();
-        tcf_exts_destroy(&f->exts);
-        kfree(f);
+        __rsvp_delete_filter(f);
         rtnl_unlock();
 }
 
@@ -310,7 +316,10 @@ static void rsvp_delete_filter(struct tcf_proto *tp, struct rsvp_filter *f)
          * grace period, since converted-to-rcu actions are relying on that
          * in cleanup() callback
          */
-        call_rcu(&f->rcu, rsvp_delete_filter_rcu);
+        if (tcf_exts_get_net(&f->exts))
+                call_rcu(&f->rcu, rsvp_delete_filter_rcu);
+        else
+                __rsvp_delete_filter(f);
 }
 
 static void rsvp_destroy(struct tcf_proto *tp)
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
index beaa95e09c25..a76937ee0b2d 100644
--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -139,13 +139,19 @@ static int tcindex_init(struct tcf_proto *tp)
         return 0;
 }
 
+static void __tcindex_destroy_rexts(struct tcindex_filter_result *r)
+{
+        tcf_exts_destroy(&r->exts);
+        tcf_exts_put_net(&r->exts);
+}
+
 static void tcindex_destroy_rexts_work(struct work_struct *work)
 {
         struct tcindex_filter_result *r;
 
         r = container_of(work, struct tcindex_filter_result, work);
         rtnl_lock();
-        tcf_exts_destroy(&r->exts);
+        __tcindex_destroy_rexts(r);
         rtnl_unlock();
 }
 
@@ -158,14 +164,20 @@ static void tcindex_destroy_rexts(struct rcu_head *head)
         tcf_queue_work(&r->work);
 }
 
+static void __tcindex_destroy_fexts(struct tcindex_filter *f)
+{
+        tcf_exts_destroy(&f->result.exts);
+        tcf_exts_put_net(&f->result.exts);
+        kfree(f);
+}
+
 static void tcindex_destroy_fexts_work(struct work_struct *work)
 {
         struct tcindex_filter *f = container_of(work, struct tcindex_filter,
                                                 work);
 
         rtnl_lock();
-        tcf_exts_destroy(&f->result.exts);
-        kfree(f);
+        __tcindex_destroy_fexts(f);
         rtnl_unlock();
 }
 
@@ -210,10 +222,17 @@ found:
          * grace period, since converted-to-rcu actions are relying on that
          * in cleanup() callback
          */
-        if (f)
-                call_rcu(&f->rcu, tcindex_destroy_fexts);
-        else
-                call_rcu(&r->rcu, tcindex_destroy_rexts);
+        if (f) {
+                if (tcf_exts_get_net(&f->result.exts))
+                        call_rcu(&f->rcu, tcindex_destroy_fexts);
+                else
+                        __tcindex_destroy_fexts(f);
+        } else {
+                if (tcf_exts_get_net(&r->exts))
+                        call_rcu(&r->rcu, tcindex_destroy_rexts);
+                else
+                        __tcindex_destroy_rexts(r);
+        }
 
         *last = false;
         return 0;
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index dadd1b344497..b58eccb21f03 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -399,6 +399,7 @@ static int u32_destroy_key(struct tcf_proto *tp, struct tc_u_knode *n,
                            bool free_pf)
 {
         tcf_exts_destroy(&n->exts);
+        tcf_exts_put_net(&n->exts);
         if (n->ht_down)
                 n->ht_down->refcnt--;
 #ifdef CONFIG_CLS_U32_PERF
@@ -476,6 +477,7 @@ static int u32_delete_key(struct tcf_proto *tp, struct tc_u_knode *key)
                                 RCU_INIT_POINTER(*kp, key->next);
 
                                 tcf_unbind_filter(tp, &key->res);
+                                tcf_exts_get_net(&key->exts);
                                 call_rcu(&key->rcu, u32_delete_key_freepf_rcu);
                                 return 0;
                         }
@@ -588,7 +590,10 @@ static void u32_clear_hnode(struct tcf_proto *tp, struct tc_u_hnode *ht)
                                          rtnl_dereference(n->next));
                         tcf_unbind_filter(tp, &n->res);
                         u32_remove_hw_knode(tp, n->handle);
-                        call_rcu(&n->rcu, u32_delete_key_freepf_rcu);
+                        if (tcf_exts_get_net(&n->exts))
+                                call_rcu(&n->rcu, u32_delete_key_freepf_rcu);
+                        else
+                                u32_destroy_key(n->tp, n, true);
                 }
         }
 }
@@ -949,6 +954,7 @@ static int u32_change(struct net *net, struct sk_buff *in_skb,
 
                 u32_replace_knode(tp, tp_c, new);
                 tcf_unbind_filter(tp, &n->res);
+                tcf_exts_get_net(&n->exts);
                 call_rcu(&n->rcu, u32_delete_key_rcu);
                 return 0;
         }
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 82d20ee34581..347ab31574d5 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -266,8 +266,6 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
                 goto lock;
         }
 
-        daddr = (xfrm_address_t *)(skb_network_header(skb) +
-                                   XFRM_SPI_SKB_CB(skb)->daddroff);
         family = XFRM_SPI_SKB_CB(skb)->family;
 
         /* if tunnel is present override skb->mark value with tunnel i_key */
@@ -294,6 +292,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
                 goto drop;
         }
 
+        daddr = (xfrm_address_t *)(skb_network_header(skb) +
+                                   XFRM_SPI_SKB_CB(skb)->daddroff);
         do {
                 if (skb->sp->len == XFRM_MAX_DEPTH) {
                         XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 8cafb3c0a4ac..6eb228a70131 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1361,36 +1361,29 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, const struct flowi *fl,
         struct net *net = xp_net(policy);
         int nx;
         int i, error;
-        xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
-        xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
         xfrm_address_t tmp;
 
         for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
                 struct xfrm_state *x;
-                xfrm_address_t *remote = daddr;
-                xfrm_address_t *local  = saddr;
+                xfrm_address_t *local;
+                xfrm_address_t *remote;
                 struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
 
-                if (tmpl->mode == XFRM_MODE_TUNNEL ||
-                    tmpl->mode == XFRM_MODE_BEET) {
-                        remote = &tmpl->id.daddr;
-                        local = &tmpl->saddr;
-                        if (xfrm_addr_any(local, tmpl->encap_family)) {
-                                error = xfrm_get_saddr(net, fl->flowi_oif,
-                                                       &tmp, remote,
-                                                       tmpl->encap_family, 0);
-                                if (error)
-                                        goto fail;
-                                local = &tmp;
-                        }
+                remote = &tmpl->id.daddr;
+                local = &tmpl->saddr;
+                if (xfrm_addr_any(local, tmpl->encap_family)) {
+                        error = xfrm_get_saddr(net, fl->flowi_oif,
+                                               &tmp, remote,
+                                               tmpl->encap_family, 0);
+                        if (error)
+                                goto fail;
+                        local = &tmp;
                 }
 
                 x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
 
                 if (x && x->km.state == XFRM_STATE_VALID) {
                         xfrm[nx++] = x;
-                        daddr = remote;
-                        saddr = local;
                         continue;
                 }
                 if (x) {
@@ -1787,19 +1780,23 @@ void xfrm_policy_cache_flush(void)
         put_online_cpus();
 }
 
-static bool xfrm_pol_dead(struct xfrm_dst *xdst)
+static bool xfrm_xdst_can_reuse(struct xfrm_dst *xdst,
+                                struct xfrm_state * const xfrm[],
+                                int num)
 {
-        unsigned int num_pols = xdst->num_pols;
-        unsigned int pol_dead = 0, i;
+        const struct dst_entry *dst = &xdst->u.dst;
+        int i;
 
-        for (i = 0; i < num_pols; i++)
-                pol_dead |= xdst->pols[i]->walk.dead;
+        if (xdst->num_xfrms != num)
+                return false;
 
-        /* Mark DST_OBSOLETE_DEAD to fail the next xfrm_dst_check() */
-        if (pol_dead)
-                xdst->u.dst.obsolete = DST_OBSOLETE_DEAD;
+        for (i = 0; i < num; i++) {
+                if (!dst || dst->xfrm != xfrm[i])
+                        return false;
+                dst = dst->child;
+        }
 
-        return pol_dead;
+        return xfrm_bundle_ok(xdst);
 }
 
 static struct xfrm_dst *
@@ -1813,26 +1810,28 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
         struct dst_entry *dst;
         int err;
 
+        /* Try to instantiate a bundle */
+        err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);
+        if (err <= 0) {
+                if (err != 0 && err != -EAGAIN)
+                        XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
+                return ERR_PTR(err);
+        }
+
         xdst = this_cpu_read(xfrm_last_dst);
         if (xdst &&
             xdst->u.dst.dev == dst_orig->dev &&
             xdst->num_pols == num_pols &&
-            !xfrm_pol_dead(xdst) &&
             memcmp(xdst->pols, pols,
                    sizeof(struct xfrm_policy *) * num_pols) == 0 &&
-            xfrm_bundle_ok(xdst)) {
+            xfrm_xdst_can_reuse(xdst, xfrm, err)) {
                 dst_hold(&xdst->u.dst);
+                while (err > 0)
+                        xfrm_state_put(xfrm[--err]);
                 return xdst;
         }
 
         old = xdst;
-        /* Try to instantiate a bundle */
-        err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);
-        if (err <= 0) {
-                if (err != 0 && err != -EAGAIN)
-                        XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
-                return ERR_PTR(err);
-        }
 
         dst = xfrm_bundle_create(pols[0], xfrm, err, fl, dst_orig);
         if (IS_ERR(dst)) {