Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Reject invalid updates to netfilter expectation policies, from Pablo
    Neira Ayuso.

 2) Fix memory leak in nfnl_cthelper, from Jeffy Chen.

 3) Don't do stupid things if we get a neigh_probe() on a neigh entry
    whose ops lack a solicit method. From Eric Dumazet.

 4) Don't transmit packets in r8152 driver when the carrier is off, from
    Hayes Wang.

 5) Fix ipv6 packet type detection in aquantia driver, from Pavel
    Belous.

 6) Don't write uninitialized data into hw registers in bna driver, from
    Arnd Bergmann.

 7) Fix locking in ping_unhash(), from Eric Dumazet.

 8) Make BPF verifier range checks able to understand certain sequences
    emitted by LLVM, from Alexei Starovoitov.

 9) Fix use after free in ipconfig, from Mark Rutland.

10) Fix refcount leak on force commit in openvswitch, from Jarno
    Rajahalme.

11) Fix various overflow checks in AF_PACKET, from Andrey Konovalov.

12) Fix endianness bug in be2net driver, from Suresh Reddy.

13) Don't forget to wake TX queues when processing a timeout, from
    Grygorii Strashko.

14) ARP header on-stack storage is wrong in flow dissector, from Simon
    Horman.

15) Lost retransmit and reordering SNMP stats in TCP can be
    underreported. From Yuchung Cheng.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (82 commits)
  nfp: fix potential use after free on xdp prog
  tcp: fix reordering SNMP under-counting
  tcp: fix lost retransmit SNMP under-counting
  sctp: get sock from transport in sctp_transport_update_pmtu
  net: ethernet: ti: cpsw: fix race condition during open()
  l2tp: fix PPP pseudo-wire auto-loading
  bnx2x: fix spelling mistake in macros HW_INTERRUT_ASSERT_SET_*
  l2tp: take reference on sessions being dumped
  tcp: minimize false-positives on TCP/GRO check
  sctp: check for dst and pathmtu update in sctp_packet_config
  flow dissector: correct size of storage for ARP
  net: ethernet: ti: cpsw: wake tx queues on ndo_tx_timeout
  l2tp: take a reference on sessions used in genetlink handlers
  l2tp: hold session while sending creation notifications
  l2tp: fix duplicate session creation
  l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
  l2tp: fix race in l2tp_recv_common()
  sctp: use right in and out stream cnt
  bpf: add various verifier test cases for self-tests
  bpf, verifier: fix rejection of unaligned access checks for map_value_adj
  ...

88 files changed, 1285 insertions, 518 deletions

diff --git a/MAINTAINERS b/MAINTAINERS
index 664060179807..882ea01b4efe 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -4928,6 +4928,7 @@ F:	include/linux/netfilter_bridge/
 F:      net/bridge/
 
 ETHERNET PHY LIBRARY
+M:      Andrew Lunn <andrew@lunn.ch>
 M:      Florian Fainelli <f.fainelli@gmail.com>
 L:      netdev@vger.kernel.org
 S:      Maintained
@@ -10814,6 +10815,7 @@ F:	drivers/s390/block/dasd*
 F:      block/partitions/ibm.c
 
 S390 NETWORK DRIVERS
+M:      Julian Wiedmann <jwi@linux.vnet.ibm.com>
 M:      Ursula Braun <ubraun@linux.vnet.ibm.com>
 L:      linux-s390@vger.kernel.org
 W:      http://www.ibm.com/developerworks/linux/linux390/
@@ -10844,6 +10846,7 @@ S:	Supported
 F:      drivers/s390/scsi/zfcp_*
 
 S390 IUCV NETWORK LAYER
+M:      Julian Wiedmann <jwi@linux.vnet.ibm.com>
 M:      Ursula Braun <ubraun@linux.vnet.ibm.com>
 L:      linux-s390@vger.kernel.org
 W:      http://www.ibm.com/developerworks/linux/linux390/
diff --git a/drivers/isdn/capi/kcapi.c b/drivers/isdn/capi/kcapi.c
index 1dfd1085a04f..9ca691d6c13b 100644
--- a/drivers/isdn/capi/kcapi.c
+++ b/drivers/isdn/capi/kcapi.c
@@ -1032,6 +1032,7 @@ static int old_capi_manufacturer(unsigned int cmd, void __user *data)
                                                      sizeof(avmb1_carddef))))
                                 return -EFAULT;
                         cdef.cardtype = AVM_CARDTYPE_B1;
+                        cdef.cardnr = 0;
                 } else {
                         if ((retval = copy_from_user(&cdef, data,
                                                      sizeof(avmb1_extcarddef))))
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_main.c b/drivers/net/ethernet/aquantia/atlantic/aq_main.c
index d05fbfdce5e5..5d6c40d86775 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_main.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_main.c
@@ -100,11 +100,6 @@ static int aq_ndev_change_mtu(struct net_device *ndev, int new_mtu)
                 goto err_exit;
         ndev->mtu = new_mtu;
 
-        if (netif_running(ndev)) {
-                aq_ndev_close(ndev);
-                aq_ndev_open(ndev);
-        }
-
 err_exit:
         return err;
 }
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
index ee78444bfb88..cdb02991f249 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c
@@ -487,6 +487,9 @@ static unsigned int aq_nic_map_skb(struct aq_nic_s *self,
                 dx_buff->mss = skb_shinfo(skb)->gso_size;
                 dx_buff->is_txc = 1U;
 
+                dx_buff->is_ipv6 =
+                        (ip_hdr(skb)->version == 6) ? 1U : 0U;
+
                 dx = aq_ring_next_dx(ring, dx);
                 dx_buff = &ring->buff_ring[dx];
                 ++ret;
@@ -510,10 +513,22 @@ static unsigned int aq_nic_map_skb(struct aq_nic_s *self,
         if (skb->ip_summed == CHECKSUM_PARTIAL) {
                 dx_buff->is_ip_cso = (htons(ETH_P_IP) == skb->protocol) ?
                         1U : 0U;
-                dx_buff->is_tcp_cso =
-                        (ip_hdr(skb)->protocol == IPPROTO_TCP) ? 1U : 0U;
-                dx_buff->is_udp_cso =
-                        (ip_hdr(skb)->protocol == IPPROTO_UDP) ? 1U : 0U;
+
+                if (ip_hdr(skb)->version == 4) {
+                        dx_buff->is_tcp_cso =
+                                (ip_hdr(skb)->protocol == IPPROTO_TCP) ?
+                                        1U : 0U;
+                        dx_buff->is_udp_cso =
+                                (ip_hdr(skb)->protocol == IPPROTO_UDP) ?
+                                        1U : 0U;
+                } else if (ip_hdr(skb)->version == 6) {
+                        dx_buff->is_tcp_cso =
+                                (ipv6_hdr(skb)->nexthdr == NEXTHDR_TCP) ?
+                                        1U : 0U;
+                        dx_buff->is_udp_cso =
+                                (ipv6_hdr(skb)->nexthdr == NEXTHDR_UDP) ?
+                                        1U : 0U;
+                }
         }
 
         for (; nr_frags--; ++frag_count) {
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
index 0358e6072d45..3a8a4aa13687 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
@@ -101,6 +101,7 @@ int aq_ring_init(struct aq_ring_s *self)
         self->hw_head = 0;
         self->sw_head = 0;
         self->sw_tail = 0;
+        spin_lock_init(&self->header.lock);
         return 0;
 }
 
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.h b/drivers/net/ethernet/aquantia/atlantic/aq_ring.h
index 257254645068..eecd6d1c4d73 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.h
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.h
@@ -58,7 +58,8 @@ struct __packed aq_ring_buff_s {
                         u8 len_l2;
                         u8 len_l3;
                         u8 len_l4;
-                        u8 rsvd2;
+                        u8 is_ipv6:1;
+                        u8 rsvd2:7;
                         u32 len_pkt;
                 };
         };
diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c
index a2b746a2dd50..4ee15ff06a44 100644
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_a0.c
@@ -433,6 +433,9 @@ static int hw_atl_a0_hw_ring_tx_xmit(struct aq_hw_s *self,
                                     buff->len_l3 +
                                     buff->len_l2);
                         is_gso = true;
+
+                        if (buff->is_ipv6)
+                                txd->ctl |= HW_ATL_A0_TXD_CTL_CMD_IPV6;
                 } else {
                         buff_pa_len = buff->len;
 
@@ -458,6 +461,7 @@ static int hw_atl_a0_hw_ring_tx_xmit(struct aq_hw_s *self,
                         if (unlikely(buff->is_eop)) {
                                 txd->ctl |= HW_ATL_A0_TXD_CTL_EOP;
                                 txd->ctl |= HW_ATL_A0_TXD_CTL_CMD_WB;
+                                is_gso = false;
                         }
                 }
 
diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
index cab2931dab9a..42150708191d 100644
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_b0.c
@@ -471,6 +471,9 @@ static int hw_atl_b0_hw_ring_tx_xmit(struct aq_hw_s *self,
                                     buff->len_l3 +
                                     buff->len_l2);
                         is_gso = true;
+
+                        if (buff->is_ipv6)
+                                txd->ctl |= HW_ATL_B0_TXD_CTL_CMD_IPV6;
                 } else {
                         buff_pa_len = buff->len;
 
@@ -496,6 +499,7 @@ static int hw_atl_b0_hw_ring_tx_xmit(struct aq_hw_s *self,
                         if (unlikely(buff->is_eop)) {
                                 txd->ctl |= HW_ATL_B0_TXD_CTL_EOP;
                                 txd->ctl |= HW_ATL_B0_TXD_CTL_CMD_WB;
+                                is_gso = false;
                         }
                 }
 
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
index 0a23034bbe3f..352beff796ae 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h
@@ -2277,7 +2277,7 @@ void bnx2x_igu_clear_sb_gen(struct bnx2x *bp, u8 func, u8 idu_sb_id,
                                  GENERAL_ATTEN_OFFSET(LATCHED_ATTN_RBCP) | \
                                  GENERAL_ATTEN_OFFSET(LATCHED_ATTN_RSVD_GRC))
 
-#define HW_INTERRUT_ASSERT_SET_0 \
+#define HW_INTERRUPT_ASSERT_SET_0 \
                                 (AEU_INPUTS_ATTN_BITS_TSDM_HW_INTERRUPT | \
                                  AEU_INPUTS_ATTN_BITS_TCM_HW_INTERRUPT | \
                                  AEU_INPUTS_ATTN_BITS_TSEMI_HW_INTERRUPT | \
@@ -2290,7 +2290,7 @@ void bnx2x_igu_clear_sb_gen(struct bnx2x *bp, u8 func, u8 idu_sb_id,
                                  AEU_INPUTS_ATTN_BITS_TSEMI_PARITY_ERROR |\
                                  AEU_INPUTS_ATTN_BITS_TCM_PARITY_ERROR |\
                                  AEU_INPUTS_ATTN_BITS_PBCLIENT_PARITY_ERROR)
-#define HW_INTERRUT_ASSERT_SET_1 \
+#define HW_INTERRUPT_ASSERT_SET_1 \
                                 (AEU_INPUTS_ATTN_BITS_QM_HW_INTERRUPT | \
                                  AEU_INPUTS_ATTN_BITS_TIMERS_HW_INTERRUPT | \
                                  AEU_INPUTS_ATTN_BITS_XSDM_HW_INTERRUPT | \
@@ -2318,7 +2318,7 @@ void bnx2x_igu_clear_sb_gen(struct bnx2x *bp, u8 func, u8 idu_sb_id,
                                  AEU_INPUTS_ATTN_BITS_UPB_PARITY_ERROR | \
                                  AEU_INPUTS_ATTN_BITS_CSDM_PARITY_ERROR |\
                                  AEU_INPUTS_ATTN_BITS_CCM_PARITY_ERROR)
-#define HW_INTERRUT_ASSERT_SET_2 \
+#define HW_INTERRUPT_ASSERT_SET_2 \
                                 (AEU_INPUTS_ATTN_BITS_CSEMI_HW_INTERRUPT | \
                                  AEU_INPUTS_ATTN_BITS_CDU_HW_INTERRUPT | \
                                  AEU_INPUTS_ATTN_BITS_DMAE_HW_INTERRUPT | \
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
index ac76fc251d26..a851f95c307a 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
@@ -4166,14 +4166,14 @@ static void bnx2x_attn_int_deasserted0(struct bnx2x *bp, u32 attn)
                 bnx2x_release_phy_lock(bp);
         }
 
-        if (attn & HW_INTERRUT_ASSERT_SET_0) {
+        if (attn & HW_INTERRUPT_ASSERT_SET_0) {
 
                 val = REG_RD(bp, reg_offset);
-                val &= ~(attn & HW_INTERRUT_ASSERT_SET_0);
+                val &= ~(attn & HW_INTERRUPT_ASSERT_SET_0);
                 REG_WR(bp, reg_offset, val);
 
                 BNX2X_ERR("FATAL HW block attention set0 0x%x\n",
-                          (u32)(attn & HW_INTERRUT_ASSERT_SET_0));
+                          (u32)(attn & HW_INTERRUPT_ASSERT_SET_0));
                 bnx2x_panic();
         }
 }
@@ -4191,7 +4191,7 @@ static void bnx2x_attn_int_deasserted1(struct bnx2x *bp, u32 attn)
                         BNX2X_ERR("FATAL error from DORQ\n");
         }
 
-        if (attn & HW_INTERRUT_ASSERT_SET_1) {
+        if (attn & HW_INTERRUPT_ASSERT_SET_1) {
 
                 int port = BP_PORT(bp);
                 int reg_offset;
@@ -4200,11 +4200,11 @@ static void bnx2x_attn_int_deasserted1(struct bnx2x *bp, u32 attn)
                                      MISC_REG_AEU_ENABLE1_FUNC_0_OUT_1);
 
                 val = REG_RD(bp, reg_offset);
-                val &= ~(attn & HW_INTERRUT_ASSERT_SET_1);
+                val &= ~(attn & HW_INTERRUPT_ASSERT_SET_1);
                 REG_WR(bp, reg_offset, val);
 
                 BNX2X_ERR("FATAL HW block attention set1 0x%x\n",
-                          (u32)(attn & HW_INTERRUT_ASSERT_SET_1));
+                          (u32)(attn & HW_INTERRUPT_ASSERT_SET_1));
                 bnx2x_panic();
         }
 }
@@ -4235,7 +4235,7 @@ static void bnx2x_attn_int_deasserted2(struct bnx2x *bp, u32 attn)
                 }
         }
 
-        if (attn & HW_INTERRUT_ASSERT_SET_2) {
+        if (attn & HW_INTERRUPT_ASSERT_SET_2) {
 
                 int port = BP_PORT(bp);
                 int reg_offset;
@@ -4244,11 +4244,11 @@ static void bnx2x_attn_int_deasserted2(struct bnx2x *bp, u32 attn)
                                      MISC_REG_AEU_ENABLE1_FUNC_0_OUT_2);
 
                 val = REG_RD(bp, reg_offset);
-                val &= ~(attn & HW_INTERRUT_ASSERT_SET_2);
+                val &= ~(attn & HW_INTERRUPT_ASSERT_SET_2);
                 REG_WR(bp, reg_offset, val);
 
                 BNX2X_ERR("FATAL HW block attention set2 0x%x\n",
-                          (u32)(attn & HW_INTERRUT_ASSERT_SET_2));
+                          (u32)(attn & HW_INTERRUPT_ASSERT_SET_2));
                 bnx2x_panic();
         }
 }
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 32de4589d16a..1f1e54ba0ecb 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -1983,20 +1983,25 @@ static void bnxt_free_rx_skbs(struct bnxt *bp)
 
                 for (j = 0; j < max_idx; j++) {
                         struct bnxt_sw_rx_bd *rx_buf = &rxr->rx_buf_ring[j];
+                        dma_addr_t mapping = rx_buf->mapping;
                         void *data = rx_buf->data;
 
                         if (!data)
                                 continue;
 
-                        dma_unmap_single(&pdev->dev, rx_buf->mapping,
-                                         bp->rx_buf_use_size, bp->rx_dir);
-
                         rx_buf->data = NULL;
 
-                        if (BNXT_RX_PAGE_MODE(bp))
+                        if (BNXT_RX_PAGE_MODE(bp)) {
+                                mapping -= bp->rx_dma_offset;
+                                dma_unmap_page(&pdev->dev, mapping,
+                                               PAGE_SIZE, bp->rx_dir);
                                 __free_page(data);
-                        else
+                        } else {
+                                dma_unmap_single(&pdev->dev, mapping,
+                                                 bp->rx_buf_use_size,
+                                                 bp->rx_dir);
                                 kfree(data);
+                        }
                 }
 
                 for (j = 0; j < max_agg_idx; j++) {
@@ -2455,6 +2460,18 @@ static int bnxt_init_one_rx_ring(struct bnxt *bp, int ring_nr)
         return 0;
 }
 
+static void bnxt_init_cp_rings(struct bnxt *bp)
+{
+        int i;
+
+        for (i = 0; i < bp->cp_nr_rings; i++) {
+                struct bnxt_cp_ring_info *cpr = &bp->bnapi[i]->cp_ring;
+                struct bnxt_ring_struct *ring = &cpr->cp_ring_struct;
+
+                ring->fw_ring_id = INVALID_HW_RING_ID;
+        }
+}
+
 static int bnxt_init_rx_rings(struct bnxt *bp)
 {
         int i, rc = 0;
@@ -4732,7 +4749,7 @@ static int bnxt_set_tpa(struct bnxt *bp, bool set_tpa)
                 rc = bnxt_hwrm_vnic_set_tpa(bp, i, tpa_flags);
                 if (rc) {
                         netdev_err(bp->dev, "hwrm vnic set tpa failure rc for vnic %d: %x\n",
-                                   rc, i);
+                                   i, rc);
                         return rc;
                 }
         }
@@ -5006,6 +5023,7 @@ static int bnxt_shutdown_nic(struct bnxt *bp, bool irq_re_init)
 
 static int bnxt_init_nic(struct bnxt *bp, bool irq_re_init)
 {
+        bnxt_init_cp_rings(bp);
         bnxt_init_rx_rings(bp);
         bnxt_init_tx_rings(bp);
         bnxt_init_ring_grps(bp, irq_re_init);
diff --git a/drivers/net/ethernet/brocade/bna/bfa_ioc.c b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
index 9e59663a6ead..0f6811860ad5 100644
--- a/drivers/net/ethernet/brocade/bna/bfa_ioc.c
+++ b/drivers/net/ethernet/brocade/bna/bfa_ioc.c
@@ -1930,13 +1930,13 @@ static void
 bfa_ioc_send_enable(struct bfa_ioc *ioc)
 {
         struct bfi_ioc_ctrl_req enable_req;
-        struct timeval tv;
 
         bfi_h2i_set(enable_req.mh, BFI_MC_IOC, BFI_IOC_H2I_ENABLE_REQ,
                     bfa_ioc_portid(ioc));
         enable_req.clscode = htons(ioc->clscode);
-        do_gettimeofday(&tv);
-        enable_req.tv_sec = ntohl(tv.tv_sec);
+        enable_req.rsvd = htons(0);
+        /* overflow in 2106 */
+        enable_req.tv_sec = ntohl(ktime_get_real_seconds());
         bfa_ioc_mbox_send(ioc, &enable_req, sizeof(struct bfi_ioc_ctrl_req));
 }
 
@@ -1947,6 +1947,10 @@ bfa_ioc_send_disable(struct bfa_ioc *ioc)
 
         bfi_h2i_set(disable_req.mh, BFI_MC_IOC, BFI_IOC_H2I_DISABLE_REQ,
                     bfa_ioc_portid(ioc));
+        disable_req.clscode = htons(ioc->clscode);
+        disable_req.rsvd = htons(0);
+        /* overflow in 2106 */
+        disable_req.tv_sec = ntohl(ktime_get_real_seconds());
         bfa_ioc_mbox_send(ioc, &disable_req, sizeof(struct bfi_ioc_ctrl_req));
 }
 
diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c
index 30e855004c57..02dd5246dfae 100644
--- a/drivers/net/ethernet/emulex/benet/be_cmds.c
+++ b/drivers/net/ethernet/emulex/benet/be_cmds.c
@@ -4939,8 +4939,9 @@ static int
 __be_cmd_set_logical_link_config(struct be_adapter *adapter,
                                  int link_state, int version, u8 domain)
 {
-        struct be_mcc_wrb *wrb;
         struct be_cmd_req_set_ll_link *req;
+        struct be_mcc_wrb *wrb;
+        u32 link_config = 0;
         int status;
 
         mutex_lock(&adapter->mcc_lock);
@@ -4962,10 +4963,12 @@ __be_cmd_set_logical_link_config(struct be_adapter *adapter,
 
         if (link_state == IFLA_VF_LINK_STATE_ENABLE ||
             link_state == IFLA_VF_LINK_STATE_AUTO)
-                req->link_config |= PLINK_ENABLE;
+                link_config |= PLINK_ENABLE;
 
         if (link_state == IFLA_VF_LINK_STATE_AUTO)
-                req->link_config |= PLINK_TRACK;
+                link_config |= PLINK_TRACK;
+
+        req->link_config = cpu_to_le32(link_config);
 
         status = be_mcc_notify_wait(adapter);
 err:
diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c
index 992ebe973d25..f819843e2bae 100644
--- a/drivers/net/ethernet/ezchip/nps_enet.c
+++ b/drivers/net/ethernet/ezchip/nps_enet.c
@@ -189,11 +189,9 @@ static int nps_enet_poll(struct napi_struct *napi, int budget)
 
         nps_enet_tx_handler(ndev);
         work_done = nps_enet_rx_handler(ndev);
-        if (work_done < budget) {
+        if ((work_done < budget) && napi_complete_done(napi, work_done)) {
                 u32 buf_int_enable_value = 0;
 
-                napi_complete_done(napi, work_done);
-
                 /* set tx_done and rx_rdy bits */
                 buf_int_enable_value |= NPS_ENET_ENABLE << RX_RDY_SHIFT;
                 buf_int_enable_value |= NPS_ENET_ENABLE << TX_DONE_SHIFT;
diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c
index 928b0df2b8e0..ade6b3e4ed13 100644
--- a/drivers/net/ethernet/faraday/ftgmac100.c
+++ b/drivers/net/ethernet/faraday/ftgmac100.c
@@ -28,8 +28,10 @@
 #include <linux/io.h>
 #include <linux/module.h>
 #include <linux/netdevice.h>
+#include <linux/of.h>
 #include <linux/phy.h>
 #include <linux/platform_device.h>
+#include <linux/property.h>
 #include <net/ip.h>
 #include <net/ncsi.h>
 
diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c
index 3239d27143b9..bdd8cdd732fb 100644
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c
@@ -82,9 +82,12 @@ void hns_mac_get_link_status(struct hns_mac_cb *mac_cb, u32 *link_status)
         else
                 *link_status = 0;
 
-        ret = mac_cb->dsaf_dev->misc_op->get_sfp_prsnt(mac_cb, &sfp_prsnt);
-        if (!ret)
-                *link_status = *link_status && sfp_prsnt;
+        if (mac_cb->media_type == HNAE_MEDIA_TYPE_FIBER) {
+                ret = mac_cb->dsaf_dev->misc_op->get_sfp_prsnt(mac_cb,
+                                                               &sfp_prsnt);
+                if (!ret)
+                        *link_status = *link_status && sfp_prsnt;
+        }
 
         mac_cb->link = *link_status;
 }
@@ -855,7 +858,7 @@ static int  hns_mac_get_info(struct hns_mac_cb *mac_cb)
                 of_node_put(np);
 
                 np = of_parse_phandle(to_of_node(mac_cb->fw_port),
-                                        "serdes-syscon", 0);
+                                      "serdes-syscon", 0);
                 syscon = syscon_node_to_regmap(np);
                 of_node_put(np);
                 if (IS_ERR_OR_NULL(syscon)) {
diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
index 90dbda792614..403ea9db6dbd 100644
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
@@ -1519,6 +1519,7 @@ static void hns_dsaf_set_mac_key(
         mac_key->high.bits.mac_3 = addr[3];
         mac_key->low.bits.mac_4 = addr[4];
         mac_key->low.bits.mac_5 = addr[5];
+        mac_key->low.bits.port_vlan = 0;
         dsaf_set_field(mac_key->low.bits.port_vlan, DSAF_TBL_TCAM_KEY_VLAN_M,
                        DSAF_TBL_TCAM_KEY_VLAN_S, vlan_id);
         dsaf_set_field(mac_key->low.bits.port_vlan, DSAF_TBL_TCAM_KEY_PORT_M,
@@ -2924,10 +2925,11 @@ void hns_dsaf_set_promisc_tcam(struct dsaf_device *dsaf_dev,
         /* find the tcam entry index for promisc */
         entry_index = dsaf_promisc_tcam_entry(port);
 
+        memset(&tbl_tcam_data, 0, sizeof(tbl_tcam_data));
+        memset(&tbl_tcam_mask, 0, sizeof(tbl_tcam_mask));
+
         /* config key mask */
         if (enable) {
-                memset(&tbl_tcam_data, 0, sizeof(tbl_tcam_data));
-                memset(&tbl_tcam_mask, 0, sizeof(tbl_tcam_mask));
                 dsaf_set_field(tbl_tcam_data.low.bits.port_vlan,
                                DSAF_TBL_TCAM_KEY_PORT_M,
                                DSAF_TBL_TCAM_KEY_PORT_S, port);
diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
index a2c22d084ce9..e13aa064a8e9 100644
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c
@@ -461,6 +461,32 @@ int hns_mac_get_sfp_prsnt(struct hns_mac_cb *mac_cb, int *sfp_prsnt)
         return 0;
 }
 
+int hns_mac_get_sfp_prsnt_acpi(struct hns_mac_cb *mac_cb, int *sfp_prsnt)
+{
+        union acpi_object *obj;
+        union acpi_object obj_args, argv4;
+
+        obj_args.integer.type = ACPI_TYPE_INTEGER;
+        obj_args.integer.value = mac_cb->mac_id;
+
+        argv4.type = ACPI_TYPE_PACKAGE,
+        argv4.package.count = 1,
+        argv4.package.elements = &obj_args,
+
+        obj = acpi_evaluate_dsm(ACPI_HANDLE(mac_cb->dev),
+                                hns_dsaf_acpi_dsm_uuid, 0,
+                                HNS_OP_GET_SFP_STAT_FUNC, &argv4);
+
+        if (!obj || obj->type != ACPI_TYPE_INTEGER)
+                return -ENODEV;
+
+        *sfp_prsnt = obj->integer.value;
+
+        ACPI_FREE(obj);
+
+        return 0;
+}
+
 /**
  * hns_mac_config_sds_loopback - set loop back for serdes
  * @mac_cb: mac control block
@@ -592,7 +618,7 @@ struct dsaf_misc_op *hns_misc_op_get(struct dsaf_device *dsaf_dev)
                 misc_op->hns_dsaf_roce_srst = hns_dsaf_roce_srst_acpi;
 
                 misc_op->get_phy_if = hns_mac_get_phy_if_acpi;
-                misc_op->get_sfp_prsnt = hns_mac_get_sfp_prsnt;
+                misc_op->get_sfp_prsnt = hns_mac_get_sfp_prsnt_acpi;
 
                 misc_op->cfg_serdes_loopback = hns_mac_config_sds_loopback_acpi;
         } else {
diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
index 2175cced402f..e9af89ad039c 100644
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -6274,8 +6274,8 @@ static int e1000e_pm_freeze(struct device *dev)
                 /* Quiesce the device without resetting the hardware */
                 e1000e_down(adapter, false);
                 e1000_free_irq(adapter);
-                e1000e_reset_interrupt_capability(adapter);
         }
+        e1000e_reset_interrupt_capability(adapter);
 
         /* Allow time for pending master requests to run */
         e1000e_disable_pcie_master(&adapter->hw);
diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index e8a8351c8ea9..82a95cc2c8ee 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -4438,8 +4438,12 @@ static void i40e_napi_enable_all(struct i40e_vsi *vsi)
         if (!vsi->netdev)
                 return;
 
-        for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++)
-                napi_enable(&vsi->q_vectors[q_idx]->napi);
+        for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++) {
+                struct i40e_q_vector *q_vector = vsi->q_vectors[q_idx];
+
+                if (q_vector->rx.ring || q_vector->tx.ring)
+                        napi_enable(&q_vector->napi);
+        }
 }
 
 /**
@@ -4453,8 +4457,12 @@ static void i40e_napi_disable_all(struct i40e_vsi *vsi)
         if (!vsi->netdev)
                 return;
 
-        for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++)
-                napi_disable(&vsi->q_vectors[q_idx]->napi);
+        for (q_idx = 0; q_idx < vsi->num_q_vectors; q_idx++) {
+                struct i40e_q_vector *q_vector = vsi->q_vectors[q_idx];
+
+                if (q_vector->rx.ring || q_vector->tx.ring)
+                        napi_disable(&q_vector->napi);
+        }
 }
 
 /**
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lag.c b/drivers/net/ethernet/mellanox/mlx5/core/lag.c
index 55957246c0e8..b5d5519542e8 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lag.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lag.c
@@ -294,7 +294,7 @@ static int mlx5_handle_changeupper_event(struct mlx5_lag *ldev,
                                          struct netdev_notifier_changeupper_info *info)
 {
         struct net_device *upper = info->upper_dev, *ndev_tmp;
-        struct netdev_lag_upper_info *lag_upper_info;
+        struct netdev_lag_upper_info *lag_upper_info = NULL;
         bool is_bonded;
         int bond_status = 0;
         int num_slaves = 0;
@@ -303,7 +303,8 @@ static int mlx5_handle_changeupper_event(struct mlx5_lag *ldev,
         if (!netif_is_lag_master(upper))
                 return 0;
 
-        lag_upper_info = info->upper_info;
+        if (info->linking)
+                lag_upper_info = info->upper_info;
 
         /* The event may still be of interest if the slave does not belong to
          * us, but is enslaved to a master which has one or more of our netdevs
diff --git a/drivers/net/ethernet/moxa/moxart_ether.c b/drivers/net/ethernet/moxa/moxart_ether.c
index 06c9f4100cb9..6ad44be08b33 100644
--- a/drivers/net/ethernet/moxa/moxart_ether.c
+++ b/drivers/net/ethernet/moxa/moxart_ether.c
@@ -25,6 +25,7 @@
 #include <linux/of_irq.h>
 #include <linux/crc32.h>
 #include <linux/crc32c.h>
+#include <linux/circ_buf.h>
 
 #include "moxart_ether.h"
 
@@ -278,6 +279,13 @@ rx_next:
         return rx;
 }
 
+static int moxart_tx_queue_space(struct net_device *ndev)
+{
+        struct moxart_mac_priv_t *priv = netdev_priv(ndev);
+
+        return CIRC_SPACE(priv->tx_head, priv->tx_tail, TX_DESC_NUM);
+}
+
 static void moxart_tx_finished(struct net_device *ndev)
 {
         struct moxart_mac_priv_t *priv = netdev_priv(ndev);
@@ -297,6 +305,9 @@ static void moxart_tx_finished(struct net_device *ndev)
                 tx_tail = TX_NEXT(tx_tail);
         }
         priv->tx_tail = tx_tail;
+        if (netif_queue_stopped(ndev) &&
+            moxart_tx_queue_space(ndev) >= TX_WAKE_THRESHOLD)
+                netif_wake_queue(ndev);
 }
 
 static irqreturn_t moxart_mac_interrupt(int irq, void *dev_id)
@@ -324,13 +335,18 @@ static int moxart_mac_start_xmit(struct sk_buff *skb, struct net_device *ndev)
         struct moxart_mac_priv_t *priv = netdev_priv(ndev);
         void *desc;
         unsigned int len;
-        unsigned int tx_head = priv->tx_head;
+        unsigned int tx_head;
         u32 txdes1;
         int ret = NETDEV_TX_BUSY;
 
+        spin_lock_irq(&priv->txlock);
+
+        tx_head = priv->tx_head;
         desc = priv->tx_desc_base + (TX_REG_DESC_SIZE * tx_head);
 
-        spin_lock_irq(&priv->txlock);
+        if (moxart_tx_queue_space(ndev) == 1)
+                netif_stop_queue(ndev);
+
         if (moxart_desc_read(desc + TX_REG_OFFSET_DESC0) & TX_DESC0_DMA_OWN) {
                 net_dbg_ratelimited("no TX space for packet\n");
                 priv->stats.tx_dropped++;
diff --git a/drivers/net/ethernet/moxa/moxart_ether.h b/drivers/net/ethernet/moxa/moxart_ether.h
index 93a9563ac7c6..afc32ec998c0 100644
--- a/drivers/net/ethernet/moxa/moxart_ether.h
+++ b/drivers/net/ethernet/moxa/moxart_ether.h
@@ -59,6 +59,7 @@
 #define TX_NEXT(N)              (((N) + 1) & (TX_DESC_NUM_MASK))
 #define TX_BUF_SIZE             1600
 #define TX_BUF_SIZE_MAX         (TX_DESC1_BUF_SIZE_MASK+1)
+#define TX_WAKE_THRESHOLD       16
 
 #define RX_DESC_NUM             64
 #define RX_DESC_NUM_MASK        (RX_DESC_NUM-1)
diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
index 9179a99563af..a41377e26c07 100644
--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
+++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
@@ -3275,9 +3275,10 @@ void nfp_net_netdev_clean(struct net_device *netdev)
 {
         struct nfp_net *nn = netdev_priv(netdev);
 
+        unregister_netdev(nn->netdev);
+
         if (nn->xdp_prog)
                 bpf_prog_put(nn->xdp_prog);
         if (nn->bpf_offload_xdp)
                 nfp_net_xdp_offload(nn, NULL);
-        unregister_netdev(nn->netdev);
 }
diff --git a/drivers/net/ethernet/rocker/rocker_ofdpa.c b/drivers/net/ethernet/rocker/rocker_ofdpa.c
index 7cd76b6b5cb9..2ae852454780 100644
--- a/drivers/net/ethernet/rocker/rocker_ofdpa.c
+++ b/drivers/net/ethernet/rocker/rocker_ofdpa.c
@@ -2216,18 +2216,15 @@ static int ofdpa_port_stp_update(struct ofdpa_port *ofdpa_port,
 {
         bool want[OFDPA_CTRL_MAX] = { 0, };
         bool prev_ctrls[OFDPA_CTRL_MAX];
-        u8 uninitialized_var(prev_state);
+        u8 prev_state;
         int err;
         int i;
 
-        if (switchdev_trans_ph_prepare(trans)) {
-                memcpy(prev_ctrls, ofdpa_port->ctrls, sizeof(prev_ctrls));
-                prev_state = ofdpa_port->stp_state;
-        }
-
-        if (ofdpa_port->stp_state == state)
+        prev_state = ofdpa_port->stp_state;
+        if (prev_state == state)
                 return 0;
 
+        memcpy(prev_ctrls, ofdpa_port->ctrls, sizeof(prev_ctrls));
         ofdpa_port->stp_state = state;
 
         switch (state) {
diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c
index 9f3d9c67e3fe..fa674a8bda0c 100644
--- a/drivers/net/ethernet/ti/cpsw.c
+++ b/drivers/net/ethernet/ti/cpsw.c
@@ -1267,6 +1267,7 @@ static void soft_reset_slave(struct cpsw_slave *slave)
 static void cpsw_slave_open(struct cpsw_slave *slave, struct cpsw_priv *priv)
 {
         u32 slave_port;
+        struct phy_device *phy;
         struct cpsw_common *cpsw = priv->cpsw;
 
         soft_reset_slave(slave);
@@ -1300,27 +1301,28 @@ static void cpsw_slave_open(struct cpsw_slave *slave, struct cpsw_priv *priv)
                                    1 << slave_port, 0, 0, ALE_MCAST_FWD_2);
 
         if (slave->data->phy_node) {
-                slave->phy = of_phy_connect(priv->ndev, slave->data->phy_node,
+                phy = of_phy_connect(priv->ndev, slave->data->phy_node,
                                  &cpsw_adjust_link, 0, slave->data->phy_if);
-                if (!slave->phy) {
+                if (!phy) {
                         dev_err(priv->dev, "phy \"%s\" not found on slave %d\n",
                                 slave->data->phy_node->full_name,
                                 slave->slave_num);
                         return;
                 }
         } else {
-                slave->phy = phy_connect(priv->ndev, slave->data->phy_id,
+                phy = phy_connect(priv->ndev, slave->data->phy_id,
                                  &cpsw_adjust_link, slave->data->phy_if);
-                if (IS_ERR(slave->phy)) {
+                if (IS_ERR(phy)) {
                         dev_err(priv->dev,
                                 "phy \"%s\" not found on slave %d, err %ld\n",
                                 slave->data->phy_id, slave->slave_num,
-                                PTR_ERR(slave->phy));
-                        slave->phy = NULL;
+                                PTR_ERR(phy));
                         return;
                 }
         }
 
+        slave->phy = phy;
+
         phy_attached_info(slave->phy);
 
         phy_start(slave->phy);
@@ -1817,6 +1819,8 @@ static void cpsw_ndo_tx_timeout(struct net_device *ndev)
         }
 
         cpsw_intr_enable(cpsw);
+        netif_trans_update(ndev);
+        netif_tx_wake_all_queues(ndev);
 }
 
 static int cpsw_ndo_set_mac_address(struct net_device *ndev, void *p)
diff --git a/drivers/net/irda/vlsi_ir.c b/drivers/net/irda/vlsi_ir.c
index ffedad2a360a..15b920086251 100644
--- a/drivers/net/irda/vlsi_ir.c
+++ b/drivers/net/irda/vlsi_ir.c
@@ -418,8 +418,9 @@ static struct vlsi_ring *vlsi_alloc_ring(struct pci_dev *pdev, struct ring_descr
                 memset(rd, 0, sizeof(*rd));
                 rd->hw = hwmap + i;
                 rd->buf = kmalloc(len, GFP_KERNEL|GFP_DMA);
-                if (rd->buf == NULL ||
-                    !(busaddr = pci_map_single(pdev, rd->buf, len, dir))) {
+                if (rd->buf)
+                        busaddr = pci_map_single(pdev, rd->buf, len, dir);
+                if (rd->buf == NULL || pci_dma_mapping_error(pdev, busaddr)) {
                         if (rd->buf) {
                                 net_err_ratelimited("%s: failed to create PCI-MAP for %p\n",
                                                     __func__, rd->buf);
@@ -430,8 +431,7 @@ static struct vlsi_ring *vlsi_alloc_ring(struct pci_dev *pdev, struct ring_descr
                                 rd = r->rd + j;
                                 busaddr = rd_get_addr(rd);
                                 rd_set_addr_status(rd, 0, 0);
-                                if (busaddr)
-                                        pci_unmap_single(pdev, busaddr, len, dir);
+                                pci_unmap_single(pdev, busaddr, len, dir);
                                 kfree(rd->buf);
                                 rd->buf = NULL;
                         }
diff --git a/drivers/net/phy/mdio-boardinfo.c b/drivers/net/phy/mdio-boardinfo.c
index 6b988f77da08..61941e29daae 100644
--- a/drivers/net/phy/mdio-boardinfo.c
+++ b/drivers/net/phy/mdio-boardinfo.c
@@ -84,3 +84,4 @@ int mdiobus_register_board_info(const struct mdio_board_info *info,
 
         return 0;
 }
+EXPORT_SYMBOL(mdiobus_register_board_info);
diff --git a/drivers/net/phy/phy.c b/drivers/net/phy/phy.c
index 1be69d8bc909..a2bfc82e95d7 100644
--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -681,7 +681,7 @@ void phy_stop_machine(struct phy_device *phydev)
         cancel_delayed_work_sync(&phydev->state_queue);
 
         mutex_lock(&phydev->lock);
-        if (phydev->state > PHY_UP)
+        if (phydev->state > PHY_UP && phydev->state != PHY_HALTED)
                 phydev->state = PHY_UP;
         mutex_unlock(&phydev->lock);
 }
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index f5552aaaa77a..f3ae88fdf332 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -532,6 +532,7 @@ static const struct driver_info wwan_info = {
 #define LENOVO_VENDOR_ID        0x17ef
 #define NVIDIA_VENDOR_ID        0x0955
 #define HP_VENDOR_ID            0x03f0
+#define MICROSOFT_VENDOR_ID     0x045e
 
 static const struct usb_device_id       products[] = {
 /* BLACKLIST !!
@@ -761,6 +762,20 @@ static const struct usb_device_id	products[] = {
         .driver_info = 0,
 },
 
+/* Microsoft Surface 2 dock (based on Realtek RTL8152) */
+{
+        USB_DEVICE_AND_INTERFACE_INFO(MICROSOFT_VENDOR_ID, 0x07ab, USB_CLASS_COMM,
+                        USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
+        .driver_info = 0,
+},
+
+/* Microsoft Surface 3 dock (based on Realtek RTL8153) */
+{
+        USB_DEVICE_AND_INTERFACE_INFO(MICROSOFT_VENDOR_ID, 0x07c6, USB_CLASS_COMM,
+                        USB_CDC_SUBCLASS_ETHERNET, USB_CDC_PROTO_NONE),
+        .driver_info = 0,
+},
+
 /* WHITELIST!!!
  *
  * CDC Ether uses two interfaces, not necessarily consecutive.
diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index 0b1b9188625d..07f788c49d57 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -517,6 +517,7 @@ enum rtl8152_flags {
 
 /* Define these values to match your device */
 #define VENDOR_ID_REALTEK               0x0bda
+#define VENDOR_ID_MICROSOFT             0x045e
 #define VENDOR_ID_SAMSUNG               0x04e8
 #define VENDOR_ID_LENOVO                0x17ef
 #define VENDOR_ID_NVIDIA                0x0955
@@ -1294,6 +1295,7 @@ static void intr_callback(struct urb *urb)
                 }
         } else {
                 if (netif_carrier_ok(tp->netdev)) {
+                        netif_stop_queue(tp->netdev);
                         set_bit(RTL8152_LINK_CHG, &tp->flags);
                         schedule_delayed_work(&tp->schedule, 0);
                 }
@@ -3169,6 +3171,9 @@ static void set_carrier(struct r8152 *tp)
                         napi_enable(&tp->napi);
                         netif_wake_queue(netdev);
                         netif_info(tp, link, netdev, "carrier on\n");
+                } else if (netif_queue_stopped(netdev) &&
+                           skb_queue_len(&tp->tx_queue) < tp->tx_qlen) {
+                        netif_wake_queue(netdev);
                 }
         } else {
                 if (netif_carrier_ok(netdev)) {
@@ -3702,8 +3707,18 @@ static int rtl8152_resume(struct usb_interface *intf)
                         tp->rtl_ops.autosuspend_en(tp, false);
                         napi_disable(&tp->napi);
                         set_bit(WORK_ENABLE, &tp->flags);
-                        if (netif_carrier_ok(tp->netdev))
-                                rtl_start_rx(tp);
+
+                        if (netif_carrier_ok(tp->netdev)) {
+                                if (rtl8152_get_speed(tp) & LINK_STATUS) {
+                                        rtl_start_rx(tp);
+                                } else {
+                                        netif_carrier_off(tp->netdev);
+                                        tp->rtl_ops.disable(tp);
+                                        netif_info(tp, link, tp->netdev,
+                                                   "linking down\n");
+                                }
+                        }
+
                         napi_enable(&tp->napi);
                         clear_bit(SELECTIVE_SUSPEND, &tp->flags);
                         smp_mb__after_atomic();
@@ -4507,6 +4522,8 @@ static void rtl8152_disconnect(struct usb_interface *intf)
 static struct usb_device_id rtl8152_table[] = {
         {REALTEK_USB_DEVICE(VENDOR_ID_REALTEK, 0x8152)},
         {REALTEK_USB_DEVICE(VENDOR_ID_REALTEK, 0x8153)},
+        {REALTEK_USB_DEVICE(VENDOR_ID_MICROSOFT, 0x07ab)},
+        {REALTEK_USB_DEVICE(VENDOR_ID_MICROSOFT, 0x07c6)},
         {REALTEK_USB_DEVICE(VENDOR_ID_SAMSUNG, 0xa101)},
         {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO,  0x304f)},
         {REALTEK_USB_DEVICE(VENDOR_ID_LENOVO,  0x3062)},
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
index de19c7c92bc6..85d949e03f79 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
@@ -2238,14 +2238,16 @@ int brcmf_p2p_del_vif(struct wiphy *wiphy, struct wireless_dev *wdev)
         struct brcmf_cfg80211_info *cfg = wiphy_priv(wiphy);
         struct brcmf_p2p_info *p2p = &cfg->p2p;
         struct brcmf_cfg80211_vif *vif;
+        enum nl80211_iftype iftype;
         bool wait_for_disable = false;
         int err;
 
         brcmf_dbg(TRACE, "delete P2P vif\n");
         vif = container_of(wdev, struct brcmf_cfg80211_vif, wdev);
 
+        iftype = vif->wdev.iftype;
         brcmf_cfg80211_arm_vif_event(cfg, vif);
-        switch (vif->wdev.iftype) {
+        switch (iftype) {
         case NL80211_IFTYPE_P2P_CLIENT:
                 if (test_bit(BRCMF_VIF_STATUS_DISCONNECTING, &vif->sme_state))
                         wait_for_disable = true;
@@ -2275,7 +2277,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiphy, struct wireless_dev *wdev)
                                             BRCMF_P2P_DISABLE_TIMEOUT);
 
         err = 0;
-        if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE) {
+        if (iftype != NL80211_IFTYPE_P2P_DEVICE) {
                 brcmf_vif_clear_mgmt_ies(vif);
                 err = brcmf_p2p_release_p2p_if(vif);
         }
@@ -2291,7 +2293,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiphy, struct wireless_dev *wdev)
         brcmf_remove_interface(vif->ifp, true);
 
         brcmf_cfg80211_arm_vif_event(cfg, NULL);
-        if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE)
+        if (iftype != NL80211_IFTYPE_P2P_DEVICE)
                 p2p->bss_idx[P2PAPI_BSSCFG_CONNECTION].vif = NULL;
 
         return err;
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
index a260cd503200..077bfd8f4c0c 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c
@@ -1056,6 +1056,8 @@ static ssize_t iwl_dbgfs_fw_dbg_collect_write(struct iwl_mvm *mvm,
 
         if (ret)
                 return ret;
+        if (count == 0)
+                return 0;
 
         iwl_mvm_fw_dbg_collect(mvm, FW_DBG_TRIGGER_USER, buf,
                                (count - 1), NULL);
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
index 99132ea16ede..c5734e1a02d2 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
@@ -216,7 +216,8 @@ u32 iwl_mvm_mac_get_queues_mask(struct ieee80211_vif *vif)
                         qmask |= BIT(vif->hw_queue[ac]);
         }
 
-        if (vif->type == NL80211_IFTYPE_AP)
+        if (vif->type == NL80211_IFTYPE_AP ||
+            vif->type == NL80211_IFTYPE_ADHOC)
                 qmask |= BIT(vif->cab_queue);
 
         return qmask;
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
index 6927caecd48e..486dcceed17a 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
@@ -2401,7 +2401,7 @@ void iwl_mvm_sta_pm_notif(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb)
                 return;
 
         rcu_read_lock();
-        sta = mvm->fw_id_to_mac_id[notif->sta_id];
+        sta = rcu_dereference(mvm->fw_id_to_mac_id[notif->sta_id]);
         if (WARN_ON(IS_ERR_OR_NULL(sta))) {
                 rcu_read_unlock();
                 return;
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
index b51a2853cc80..9d28db7f56aa 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
@@ -1806,7 +1806,8 @@ int iwl_mvm_send_add_bcast_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
                         iwl_mvm_get_wd_timeout(mvm, vif, false, false);
                 int queue;
 
-                if (vif->type == NL80211_IFTYPE_AP)
+                if (vif->type == NL80211_IFTYPE_AP ||
+                    vif->type == NL80211_IFTYPE_ADHOC)
                         queue = IWL_MVM_DQA_AP_PROBE_RESP_QUEUE;
                 else if (vif->type == NL80211_IFTYPE_P2P_DEVICE)
                         queue = IWL_MVM_DQA_P2P_DEVICE_QUEUE;
@@ -1837,7 +1838,8 @@ int iwl_mvm_send_add_bcast_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
          * enabled-cab_queue to the mask)
          */
         if (iwl_mvm_is_dqa_supported(mvm) &&
-            vif->type == NL80211_IFTYPE_AP) {
+            (vif->type == NL80211_IFTYPE_AP ||
+             vif->type == NL80211_IFTYPE_ADHOC)) {
                 struct iwl_trans_txq_scd_cfg cfg = {
                         .fifo = IWL_MVM_TX_FIFO_MCAST,
                         .sta_id = mvmvif->bcast_sta.sta_id,
@@ -1862,7 +1864,8 @@ static void iwl_mvm_free_bcast_sta_queues(struct iwl_mvm *mvm,
 
         lockdep_assert_held(&mvm->mutex);
 
-        if (vif->type == NL80211_IFTYPE_AP)
+        if (vif->type == NL80211_IFTYPE_AP ||
+            vif->type == NL80211_IFTYPE_ADHOC)
                 iwl_mvm_disable_txq(mvm, vif->cab_queue, vif->cab_queue,
                                     IWL_MAX_TID_COUNT, 0);
 
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
index 3f37075f4cde..1ba0a6f55503 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -506,6 +506,7 @@ static int iwl_mvm_get_ctrl_vif_queue(struct iwl_mvm *mvm,
 
         switch (info->control.vif->type) {
         case NL80211_IFTYPE_AP:
+        case NL80211_IFTYPE_ADHOC:
                 /*
                  * Handle legacy hostapd as well, where station may be added
                  * only after assoc. Take care of the case where we send a
@@ -517,7 +518,8 @@ static int iwl_mvm_get_ctrl_vif_queue(struct iwl_mvm *mvm,
                 if (info->hw_queue == info->control.vif->cab_queue)
                         return info->hw_queue;
 
-                WARN_ONCE(1, "fc=0x%02x", le16_to_cpu(fc));
+                WARN_ONCE(info->control.vif->type != NL80211_IFTYPE_ADHOC,
+                          "fc=0x%02x", le16_to_cpu(fc));
                 return IWL_MVM_DQA_AP_PROBE_RESP_QUEUE;
         case NL80211_IFTYPE_P2P_DEVICE:
                 if (ieee80211_is_mgmt(fc))
@@ -584,7 +586,8 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mvm *mvm, struct sk_buff *skb)
                         iwl_mvm_vif_from_mac80211(info.control.vif);
 
                 if (info.control.vif->type == NL80211_IFTYPE_P2P_DEVICE ||
-                    info.control.vif->type == NL80211_IFTYPE_AP) {
+                    info.control.vif->type == NL80211_IFTYPE_AP ||
+                    info.control.vif->type == NL80211_IFTYPE_ADHOC) {
                         sta_id = mvmvif->bcast_sta.sta_id;
                         queue = iwl_mvm_get_ctrl_vif_queue(mvm, &info,
                                                            hdr->frame_control);
diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
index caea350f05aa..bdc379178e87 100644
--- a/drivers/net/wireless/realtek/rtlwifi/base.c
+++ b/drivers/net/wireless/realtek/rtlwifi/base.c
@@ -1742,12 +1742,14 @@ void rtl_c2hcmd_enqueue(struct ieee80211_hw *hw, u8 tag, u8 len, u8 *val)
         unsigned long flags;
         struct rtl_c2hcmd *c2hcmd;
 
-        c2hcmd = kmalloc(sizeof(*c2hcmd), GFP_KERNEL);
+        c2hcmd = kmalloc(sizeof(*c2hcmd),
+                         in_interrupt() ? GFP_ATOMIC : GFP_KERNEL);
 
         if (!c2hcmd)
                 goto label_err;
 
-        c2hcmd->val = kmalloc(len, GFP_KERNEL);
+        c2hcmd->val = kmalloc(len,
+                              in_interrupt() ? GFP_ATOMIC : GFP_KERNEL);
 
         if (!c2hcmd->val)
                 goto label_err2;
diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h
index e7addea8741b..d9561e39c3b2 100644
--- a/drivers/s390/net/qeth_core.h
+++ b/drivers/s390/net/qeth_core.h
@@ -961,7 +961,8 @@ int qeth_bridgeport_query_ports(struct qeth_card *card,
 int qeth_bridgeport_setrole(struct qeth_card *card, enum qeth_sbp_roles role);
 int qeth_bridgeport_an_set(struct qeth_card *card, int enable);
 int qeth_get_priority_queue(struct qeth_card *, struct sk_buff *, int, int);
-int qeth_get_elements_no(struct qeth_card *, struct sk_buff *, int);
+int qeth_get_elements_no(struct qeth_card *card, struct sk_buff *skb,
+                         int extra_elems, int data_offset);
 int qeth_get_elements_for_frags(struct sk_buff *);
 int qeth_do_send_packet_fast(struct qeth_card *, struct qeth_qdio_out_q *,
                         struct sk_buff *, struct qeth_hdr *, int, int, int);
diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
index 315d8a2db7c0..9a5f99ccb122 100644
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -3837,6 +3837,7 @@ EXPORT_SYMBOL_GPL(qeth_get_elements_for_frags);
  * @card:                       qeth card structure, to check max. elems.
  * @skb:                        SKB address
  * @extra_elems:                extra elems needed, to check against max.
+ * @data_offset:                range starts at skb->data + data_offset
  *
  * Returns the number of pages, and thus QDIO buffer elements, needed to cover
  * skb data, including linear part and fragments. Checks if the result plus
@@ -3844,10 +3845,10 @@ EXPORT_SYMBOL_GPL(qeth_get_elements_for_frags);
  * Note: extra_elems is not included in the returned result.
  */
 int qeth_get_elements_no(struct qeth_card *card,
-                     struct sk_buff *skb, int extra_elems)
+                     struct sk_buff *skb, int extra_elems, int data_offset)
 {
         int elements = qeth_get_elements_for_range(
-                                (addr_t)skb->data,
+                                (addr_t)skb->data + data_offset,
                                 (addr_t)skb->data + skb_headlen(skb)) +
                         qeth_get_elements_for_frags(skb);
 
diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
index bea483307618..af4e6a639fec 100644
--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -849,7 +849,7 @@ static int qeth_l2_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
          * chaining we can not send long frag lists
          */
         if ((card->info.type != QETH_CARD_TYPE_IQD) &&
-            !qeth_get_elements_no(card, new_skb, 0)) {
+            !qeth_get_elements_no(card, new_skb, 0, 0)) {
                 int lin_rc = skb_linearize(new_skb);
 
                 if (card->options.performance_stats) {
@@ -894,7 +894,8 @@ static int qeth_l2_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
                 }
         }
 
-        elements = qeth_get_elements_no(card, new_skb, elements_needed);
+        elements = qeth_get_elements_no(card, new_skb, elements_needed,
+                                        (data_offset > 0) ? data_offset : 0);
         if (!elements) {
                 if (data_offset >= 0)
                         kmem_cache_free(qeth_core_header_cache, hdr);
diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
index 06d0addcc058..653f0fb76573 100644
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -2609,17 +2609,13 @@ static void qeth_l3_fill_af_iucv_hdr(struct qeth_card *card,
         char daddr[16];
         struct af_iucv_trans_hdr *iucv_hdr;
 
-        skb_pull(skb, 14);
-        card->dev->header_ops->create(skb, card->dev, 0,
-                                      card->dev->dev_addr, card->dev->dev_addr,
-                                      card->dev->addr_len);
-        skb_pull(skb, 14);
-        iucv_hdr = (struct af_iucv_trans_hdr *)skb->data;
         memset(hdr, 0, sizeof(struct qeth_hdr));
         hdr->hdr.l3.id = QETH_HEADER_TYPE_LAYER3;
         hdr->hdr.l3.ext_flags = 0;
-        hdr->hdr.l3.length = skb->len;
+        hdr->hdr.l3.length = skb->len - ETH_HLEN;
         hdr->hdr.l3.flags = QETH_HDR_IPV6 | QETH_CAST_UNICAST;
+
+        iucv_hdr = (struct af_iucv_trans_hdr *) (skb->data + ETH_HLEN);
         memset(daddr, 0, sizeof(daddr));
         daddr[0] = 0xfe;
         daddr[1] = 0x80;
@@ -2823,10 +2819,7 @@ static int qeth_l3_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
         if ((card->info.type == QETH_CARD_TYPE_IQD) &&
             !skb_is_nonlinear(skb)) {
                 new_skb = skb;
-                if (new_skb->protocol == ETH_P_AF_IUCV)
-                        data_offset = 0;
-                else
-                        data_offset = ETH_HLEN;
+                data_offset = ETH_HLEN;
                 hdr = kmem_cache_alloc(qeth_core_header_cache, GFP_ATOMIC);
                 if (!hdr)
                         goto tx_drop;
@@ -2867,7 +2860,7 @@ static int qeth_l3_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
          */
         if ((card->info.type != QETH_CARD_TYPE_IQD) &&
             ((use_tso && !qeth_l3_get_elements_no_tso(card, new_skb, 1)) ||
-             (!use_tso && !qeth_get_elements_no(card, new_skb, 0)))) {
+             (!use_tso && !qeth_get_elements_no(card, new_skb, 0, 0)))) {
                 int lin_rc = skb_linearize(new_skb);
 
                 if (card->options.performance_stats) {
@@ -2909,7 +2902,8 @@ static int qeth_l3_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
 
         elements = use_tso ?
                    qeth_l3_get_elements_no_tso(card, new_skb, hdr_elements) :
-                   qeth_get_elements_no(card, new_skb, hdr_elements);
+                   qeth_get_elements_no(card, new_skb, hdr_elements,
+                                        (data_offset > 0) ? data_offset : 0);
         if (!elements) {
                 if (data_offset >= 0)
                         kmem_cache_free(qeth_core_header_cache, hdr);
diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
index 1f71ee5ab518..069582ee5d7f 100644
--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -448,10 +448,9 @@ static inline int sctp_frag_point(const struct sctp_association *asoc, int pmtu)
         return frag;
 }
 
-static inline void sctp_assoc_pending_pmtu(struct sock *sk, struct sctp_association *asoc)
+static inline void sctp_assoc_pending_pmtu(struct sctp_association *asoc)
 {
-
-        sctp_assoc_sync_pmtu(sk, asoc);
+        sctp_assoc_sync_pmtu(asoc);
         asoc->pmtu_pending = 0;
 }
 
@@ -596,12 +595,23 @@ static inline void sctp_v4_map_v6(union sctp_addr *addr)
  */
 static inline struct dst_entry *sctp_transport_dst_check(struct sctp_transport *t)
 {
-        if (t->dst && (!dst_check(t->dst, t->dst_cookie) ||
-                       t->pathmtu != max_t(size_t, SCTP_TRUNC4(dst_mtu(t->dst)),
-                                           SCTP_DEFAULT_MINSEGMENT)))
+        if (t->dst && !dst_check(t->dst, t->dst_cookie))
                 sctp_transport_dst_release(t);
 
         return t->dst;
 }
 
+static inline bool sctp_transport_pmtu_check(struct sctp_transport *t)
+{
+        __u32 pmtu = max_t(size_t, SCTP_TRUNC4(dst_mtu(t->dst)),
+                           SCTP_DEFAULT_MINSEGMENT);
+
+        if (t->pathmtu == pmtu)
+                return true;
+
+        t->pathmtu = pmtu;
+
+        return false;
+}
+
 #endif /* __net_sctp_h__ */
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 592decebac75..138f8615acf0 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -377,7 +377,8 @@ typedef struct sctp_sender_hb_info {
         __u64 hb_nonce;
 } sctp_sender_hb_info_t;
 
-struct sctp_stream *sctp_stream_new(__u16 incnt, __u16 outcnt, gfp_t gfp);
+int sctp_stream_new(struct sctp_association *asoc, gfp_t gfp);
+int sctp_stream_init(struct sctp_association *asoc, gfp_t gfp);
 void sctp_stream_free(struct sctp_stream *stream);
 void sctp_stream_clear(struct sctp_stream *stream);
 
@@ -499,7 +500,6 @@ struct sctp_datamsg {
         /* Did the messenge fail to send? */
         int send_error;
         u8 send_failed:1,
-           force_delay:1,
            can_delay;       /* should this message be Nagle delayed */
 };
 
@@ -952,8 +952,8 @@ void sctp_transport_lower_cwnd(struct sctp_transport *, sctp_lower_cwnd_t);
 void sctp_transport_burst_limited(struct sctp_transport *);
 void sctp_transport_burst_reset(struct sctp_transport *);
 unsigned long sctp_transport_timeout(struct sctp_transport *);
-void sctp_transport_reset(struct sctp_transport *);
-void sctp_transport_update_pmtu(struct sock *, struct sctp_transport *, u32);
+void sctp_transport_reset(struct sctp_transport *t);
+void sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu);
 void sctp_transport_immediate_rtx(struct sctp_transport *);
 void sctp_transport_dst_release(struct sctp_transport *t);
 void sctp_transport_dst_confirm(struct sctp_transport *t);
@@ -1878,6 +1878,7 @@ struct sctp_association {
 
         __u8 need_ecne:1,       /* Need to send an ECNE Chunk? */
              temp:1,            /* Is it a temporary association? */
+             force_delay:1,
              prsctp_enable:1,
              reconf_enable:1;
 
@@ -1953,7 +1954,7 @@ void sctp_assoc_update(struct sctp_association *old,
 
 __u32 sctp_association_get_next_tsn(struct sctp_association *);
 
-void sctp_assoc_sync_pmtu(struct sock *, struct sctp_association *);
+void sctp_assoc_sync_pmtu(struct sctp_association *asoc);
 void sctp_assoc_rwnd_increase(struct sctp_association *, unsigned int);
 void sctp_assoc_rwnd_decrease(struct sctp_association *, unsigned int);
 void sctp_assoc_set_primary(struct sctp_association *,
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 796b68d00119..a834068a400e 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -765,38 +765,56 @@ static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
         }
 }
 
-static int check_ptr_alignment(struct bpf_verifier_env *env,
-                               struct bpf_reg_state *reg, int off, int size)
+static int check_pkt_ptr_alignment(const struct bpf_reg_state *reg,
+                                   int off, int size)
 {
-        if (reg->type != PTR_TO_PACKET && reg->type != PTR_TO_MAP_VALUE_ADJ) {
-                if (off % size != 0) {
-                        verbose("misaligned access off %d size %d\n",
-                                off, size);
-                        return -EACCES;
-                } else {
-                        return 0;
-                }
-        }
-
-        if (IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
-                /* misaligned access to packet is ok on x86,arm,arm64 */
-                return 0;
-
         if (reg->id && size != 1) {
-                verbose("Unknown packet alignment. Only byte-sized access allowed\n");
+                verbose("Unknown alignment. Only byte-sized access allowed in packet access.\n");
                 return -EACCES;
         }
 
         /* skb->data is NET_IP_ALIGN-ed */
-        if (reg->type == PTR_TO_PACKET &&
-            (NET_IP_ALIGN + reg->off + off) % size != 0) {
+        if ((NET_IP_ALIGN + reg->off + off) % size != 0) {
                 verbose("misaligned packet access off %d+%d+%d size %d\n",
                         NET_IP_ALIGN, reg->off, off, size);
                 return -EACCES;
         }
+
         return 0;
 }
 
+static int check_val_ptr_alignment(const struct bpf_reg_state *reg,
+                                   int size)
+{
+        if (size != 1) {
+                verbose("Unknown alignment. Only byte-sized access allowed in value access.\n");
+                return -EACCES;
+        }
+
+        return 0;
+}
+
+static int check_ptr_alignment(const struct bpf_reg_state *reg,
+                               int off, int size)
+{
+        switch (reg->type) {
+        case PTR_TO_PACKET:
+                return IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) ? 0 :
+                       check_pkt_ptr_alignment(reg, off, size);
+        case PTR_TO_MAP_VALUE_ADJ:
+                return IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) ? 0 :
+                       check_val_ptr_alignment(reg, size);
+        default:
+                if (off % size != 0) {
+                        verbose("misaligned access off %d size %d\n",
+                                off, size);
+                        return -EACCES;
+                }
+
+                return 0;
+        }
+}
+
 /* check whether memory at (regno + off) is accessible for t = (read | write)
  * if t==write, value_regno is a register which value is stored into memory
  * if t==read, value_regno is a register which will receive the value from memory
@@ -818,7 +836,7 @@ static int check_mem_access(struct bpf_verifier_env *env, u32 regno, int off,
         if (size < 0)
                 return size;
 
-        err = check_ptr_alignment(env, reg, off, size);
+        err = check_ptr_alignment(reg, off, size);
         if (err)
                 return err;
 
@@ -1925,6 +1943,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
                  * register as unknown.
                  */
                 if (env->allow_ptr_leaks &&
+                    BPF_CLASS(insn->code) == BPF_ALU64 && opcode == BPF_ADD &&
                     (dst_reg->type == PTR_TO_MAP_VALUE ||
                      dst_reg->type == PTR_TO_MAP_VALUE_ADJ))
                         dst_reg->type = PTR_TO_MAP_VALUE_ADJ;
@@ -1973,14 +1992,15 @@ static void find_good_pkt_pointers(struct bpf_verifier_state *state,
 
         for (i = 0; i < MAX_BPF_REG; i++)
                 if (regs[i].type == PTR_TO_PACKET && regs[i].id == dst_reg->id)
-                        regs[i].range = dst_reg->off;
+                        /* keep the maximum range already checked */
+                        regs[i].range = max(regs[i].range, dst_reg->off);
 
         for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
                 if (state->stack_slot_type[i] != STACK_SPILL)
                         continue;
                 reg = &state->spilled_regs[i / BPF_REG_SIZE];
                 if (reg->type == PTR_TO_PACKET && reg->id == dst_reg->id)
-                        reg->range = dst_reg->off;
+                        reg->range = max(reg->range, dst_reg->off);
         }
 }
 
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index c35aae13c8d2..d98d4998213d 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -390,7 +390,7 @@ mpls:
                         unsigned char ar_tip[4];
                 } *arp_eth, _arp_eth;
                 const struct arphdr *arp;
-                struct arphdr *_arp;
+                struct arphdr _arp;
 
                 arp = __skb_header_pointer(skb, nhoff, sizeof(_arp), data,
                                            hlen, &_arp);
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index e7c12caa20c8..4526cbd7e28a 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -860,7 +860,8 @@ static void neigh_probe(struct neighbour *neigh)
         if (skb)
                 skb = skb_clone(skb, GFP_ATOMIC);
         write_unlock(&neigh->lock);
-        neigh->ops->solicit(neigh, skb);
+        if (neigh->ops->solicit)
+                neigh->ops->solicit(neigh, skb);
         atomic_inc(&neigh->probes);
         kfree_skb(skb);
 }
diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
index 758f140b6bed..d28da7d363f1 100644
--- a/net/core/secure_seq.c
+++ b/net/core/secure_seq.c
@@ -20,9 +20,11 @@
 #include <net/tcp.h>
 
 static siphash_key_t net_secret __read_mostly;
+static siphash_key_t ts_secret __read_mostly;
 
 static __always_inline void net_secret_init(void)
 {
+        net_get_random_once(&ts_secret, sizeof(ts_secret));
         net_get_random_once(&net_secret, sizeof(net_secret));
 }
 #endif
@@ -45,6 +47,23 @@ static u32 seq_scale(u32 seq)
 #endif
 
 #if IS_ENABLED(CONFIG_IPV6)
+static u32 secure_tcpv6_ts_off(const __be32 *saddr, const __be32 *daddr)
+{
+        const struct {
+                struct in6_addr saddr;
+                struct in6_addr daddr;
+        } __aligned(SIPHASH_ALIGNMENT) combined = {
+                .saddr = *(struct in6_addr *)saddr,
+                .daddr = *(struct in6_addr *)daddr,
+        };
+
+        if (sysctl_tcp_timestamps != 1)
+                return 0;
+
+        return siphash(&combined, offsetofend(typeof(combined), daddr),
+                       &ts_secret);
+}
+
 u32 secure_tcpv6_sequence_number(const __be32 *saddr, const __be32 *daddr,
                                  __be16 sport, __be16 dport, u32 *tsoff)
 {
@@ -63,7 +82,7 @@ u32 secure_tcpv6_sequence_number(const __be32 *saddr, const __be32 *daddr,
         net_secret_init();
         hash = siphash(&combined, offsetofend(typeof(combined), dport),
                        &net_secret);
-        *tsoff = sysctl_tcp_timestamps == 1 ? (hash >> 32) : 0;
+        *tsoff = secure_tcpv6_ts_off(saddr, daddr);
         return seq_scale(hash);
 }
 EXPORT_SYMBOL(secure_tcpv6_sequence_number);
@@ -88,6 +107,14 @@ EXPORT_SYMBOL(secure_ipv6_port_ephemeral);
 #endif
 
 #ifdef CONFIG_INET
+static u32 secure_tcp_ts_off(__be32 saddr, __be32 daddr)
+{
+        if (sysctl_tcp_timestamps != 1)
+                return 0;
+
+        return siphash_2u32((__force u32)saddr, (__force u32)daddr,
+                            &ts_secret);
+}
 
 /* secure_tcp_sequence_number(a, b, 0, d) == secure_ipv4_port_ephemeral(a, b, d),
  * but fortunately, `sport' cannot be 0 in any circumstances. If this changes,
@@ -103,7 +130,7 @@ u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
         hash = siphash_3u32((__force u32)saddr, (__force u32)daddr,
                             (__force u32)sport << 16 | (__force u32)dport,
                             &net_secret);
-        *tsoff = sysctl_tcp_timestamps == 1 ? (hash >> 32) : 0;
+        *tsoff = secure_tcp_ts_off(saddr, daddr);
         return seq_scale(hash);
 }
 
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index 4ead336e14ea..7f9cc400eca0 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -408,14 +408,16 @@ static struct ctl_table net_core_table[] = {
                 .data           = &sysctl_net_busy_poll,
                 .maxlen         = sizeof(unsigned int),
                 .mode           = 0644,
-                .proc_handler   = proc_dointvec
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &zero,
         },
         {
                 .procname       = "busy_read",
                 .data           = &sysctl_net_busy_read,
                 .maxlen         = sizeof(unsigned int),
                 .mode           = 0644,
-                .proc_handler   = proc_dointvec
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &zero,
         },
 #endif
 #ifdef CONFIG_NET_SCHED
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index fd9f34bbd740..dfb2ab2dd3c8 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -306,7 +306,7 @@ static void __init ic_close_devs(void)
         while ((d = next)) {
                 next = d->next;
                 dev = d->dev;
-                if ((!ic_dev || dev != ic_dev->dev) && !netdev_uses_dsa(dev)) {
+                if (d != ic_dev && !netdev_uses_dsa(dev)) {
                         pr_debug("IP-Config: Downing %s\n", dev->name);
                         dev_change_flags(dev, d->flags);
                 }
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
index c9b52c361da2..53e49f5011d3 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -1260,16 +1260,6 @@ static const struct nf_conntrack_expect_policy snmp_exp_policy = {
         .timeout        = 180,
 };
 
-static struct nf_conntrack_helper snmp_helper __read_mostly = {
-        .me                     = THIS_MODULE,
-        .help                   = help,
-        .expect_policy          = &snmp_exp_policy,
-        .name                   = "snmp",
-        .tuple.src.l3num        = AF_INET,
-        .tuple.src.u.udp.port   = cpu_to_be16(SNMP_PORT),
-        .tuple.dst.protonum     = IPPROTO_UDP,
-};
-
 static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
         .me                     = THIS_MODULE,
         .help                   = help,
@@ -1288,22 +1278,16 @@ static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {
 
 static int __init nf_nat_snmp_basic_init(void)
 {
-        int ret = 0;
-
         BUG_ON(nf_nat_snmp_hook != NULL);
         RCU_INIT_POINTER(nf_nat_snmp_hook, help);
 
-        ret = nf_conntrack_helper_register(&snmp_trap_helper);
-        if (ret < 0) {
-                nf_conntrack_helper_unregister(&snmp_helper);
-                return ret;
-        }
-        return ret;
+        return nf_conntrack_helper_register(&snmp_trap_helper);
 }
 
 static void __exit nf_nat_snmp_basic_fini(void)
 {
         RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
+        synchronize_rcu();
         nf_conntrack_helper_unregister(&snmp_trap_helper);
 }
 
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 2af6244b83e2..ccfbce13a633 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
 void ping_unhash(struct sock *sk)
 {
         struct inet_sock *isk = inet_sk(sk);
+
         pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
+        write_lock_bh(&ping_table.lock);
         if (sk_hashed(sk)) {
-                write_lock_bh(&ping_table.lock);
                 hlist_nulls_del(&sk->sk_nulls_node);
                 sk_nulls_node_init(&sk->sk_nulls_node);
                 sock_put(sk);
                 isk->inet_num = 0;
                 isk->inet_sport = 0;
                 sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
-                write_unlock_bh(&ping_table.lock);
         }
+        write_unlock_bh(&ping_table.lock);
 }
 EXPORT_SYMBOL_GPL(ping_unhash);
 
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index c43119726a62..2c1f59386a7b 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -126,7 +126,8 @@ int sysctl_tcp_invalid_ratelimit __read_mostly = HZ/2;
 #define REXMIT_LOST     1 /* retransmit packets marked lost */
 #define REXMIT_NEW      2 /* FRTO-style transmit of unsent/new packets */
 
-static void tcp_gro_dev_warn(struct sock *sk, const struct sk_buff *skb)
+static void tcp_gro_dev_warn(struct sock *sk, const struct sk_buff *skb,
+                             unsigned int len)
 {
         static bool __once __read_mostly;
 
@@ -137,8 +138,9 @@ static void tcp_gro_dev_warn(struct sock *sk, const struct sk_buff *skb)
 
                 rcu_read_lock();
                 dev = dev_get_by_index_rcu(sock_net(sk), skb->skb_iif);
-                pr_warn("%s: Driver has suspect GRO implementation, TCP performance may be compromised.\n",
-                        dev ? dev->name : "Unknown driver");
+                if (!dev || len >= dev->mtu)
+                        pr_warn("%s: Driver has suspect GRO implementation, TCP performance may be compromised.\n",
+                                dev ? dev->name : "Unknown driver");
                 rcu_read_unlock();
         }
 }
@@ -161,8 +163,10 @@ static void tcp_measure_rcv_mss(struct sock *sk, const struct sk_buff *skb)
         if (len >= icsk->icsk_ack.rcv_mss) {
                 icsk->icsk_ack.rcv_mss = min_t(unsigned int, len,
                                                tcp_sk(sk)->advmss);
-                if (unlikely(icsk->icsk_ack.rcv_mss != len))
-                        tcp_gro_dev_warn(sk, skb);
+                /* Account for possibly-removed options */
+                if (unlikely(len > icsk->icsk_ack.rcv_mss +
+                                   MAX_TCP_OPTION_SPACE))
+                        tcp_gro_dev_warn(sk, skb, len);
         } else {
                 /* Otherwise, we make more careful check taking into account,
                  * that SACKs block is variable.
@@ -874,22 +878,11 @@ static void tcp_update_reordering(struct sock *sk, const int metric,
                                   const int ts)
 {
         struct tcp_sock *tp = tcp_sk(sk);
-        if (metric > tp->reordering) {
-                int mib_idx;
+        int mib_idx;
 
+        if (metric > tp->reordering) {
                 tp->reordering = min(sysctl_tcp_max_reordering, metric);
 
-                /* This exciting event is worth to be remembered. 8) */
-                if (ts)
-                        mib_idx = LINUX_MIB_TCPTSREORDER;
-                else if (tcp_is_reno(tp))
-                        mib_idx = LINUX_MIB_TCPRENOREORDER;
-                else if (tcp_is_fack(tp))
-                        mib_idx = LINUX_MIB_TCPFACKREORDER;
-                else
-                        mib_idx = LINUX_MIB_TCPSACKREORDER;
-
-                NET_INC_STATS(sock_net(sk), mib_idx);
 #if FASTRETRANS_DEBUG > 1
                 pr_debug("Disorder%d %d %u f%u s%u rr%d\n",
                          tp->rx_opt.sack_ok, inet_csk(sk)->icsk_ca_state,
@@ -902,6 +895,18 @@ static void tcp_update_reordering(struct sock *sk, const int metric,
         }
 
         tp->rack.reord = 1;
+
+        /* This exciting event is worth to be remembered. 8) */
+        if (ts)
+                mib_idx = LINUX_MIB_TCPTSREORDER;
+        else if (tcp_is_reno(tp))
+                mib_idx = LINUX_MIB_TCPRENOREORDER;
+        else if (tcp_is_fack(tp))
+                mib_idx = LINUX_MIB_TCPFACKREORDER;
+        else
+                mib_idx = LINUX_MIB_TCPSACKREORDER;
+
+        NET_INC_STATS(sock_net(sk), mib_idx);
 }
 
 /* This must be called before lost_out is incremented */
diff --git a/net/ipv4/tcp_recovery.c b/net/ipv4/tcp_recovery.c
index 4ecb38ae8504..d8acbd9f477a 100644
--- a/net/ipv4/tcp_recovery.c
+++ b/net/ipv4/tcp_recovery.c
@@ -12,7 +12,8 @@ static void tcp_rack_mark_skb_lost(struct sock *sk, struct sk_buff *skb)
                 /* Account for retransmits that are lost again */
                 TCP_SKB_CB(skb)->sacked &= ~TCPCB_SACKED_RETRANS;
                 tp->retrans_out -= tcp_skb_pcount(skb);
-                NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPLOSTRETRANSMIT);
+                NET_ADD_STATS(sock_net(sk), LINUX_MIB_TCPLOSTRETRANSMIT,
+                              tcp_skb_pcount(skb));
         }
 }
 
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index 309062f3debe..31762f76cdb5 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -1687,7 +1687,7 @@ static int kcm_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
                 struct kcm_attach info;
 
                 if (copy_from_user(&info, (void __user *)arg, sizeof(info)))
-                        err = -EFAULT;
+                        return -EFAULT;
 
                 err = kcm_attach_ioctl(sock, &info);
 
@@ -1697,7 +1697,7 @@ static int kcm_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
                 struct kcm_unattach info;
 
                 if (copy_from_user(&info, (void __user *)arg, sizeof(info)))
-                        err = -EFAULT;
+                        return -EFAULT;
 
                 err = kcm_unattach_ioctl(sock, &info);
 
@@ -1708,7 +1708,7 @@ static int kcm_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
                 struct socket *newsock = NULL;
 
                 if (copy_from_user(&info, (void __user *)arg, sizeof(info)))
-                        err = -EFAULT;
+                        return -EFAULT;
 
                 err = kcm_clone(sock, &info, &newsock);
 
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 8adab6335ced..e37d9554da7b 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -278,7 +278,57 @@ struct l2tp_session *l2tp_session_find(struct net *net, struct l2tp_tunnel *tunn
 }
 EXPORT_SYMBOL_GPL(l2tp_session_find);
 
-struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
+/* Like l2tp_session_find() but takes a reference on the returned session.
+ * Optionally calls session->ref() too if do_ref is true.
+ */
+struct l2tp_session *l2tp_session_get(struct net *net,
+                                      struct l2tp_tunnel *tunnel,
+                                      u32 session_id, bool do_ref)
+{
+        struct hlist_head *session_list;
+        struct l2tp_session *session;
+
+        if (!tunnel) {
+                struct l2tp_net *pn = l2tp_pernet(net);
+
+                session_list = l2tp_session_id_hash_2(pn, session_id);
+
+                rcu_read_lock_bh();
+                hlist_for_each_entry_rcu(session, session_list, global_hlist) {
+                        if (session->session_id == session_id) {
+                                l2tp_session_inc_refcount(session);
+                                if (do_ref && session->ref)
+                                        session->ref(session);
+                                rcu_read_unlock_bh();
+
+                                return session;
+                        }
+                }
+                rcu_read_unlock_bh();
+
+                return NULL;
+        }
+
+        session_list = l2tp_session_id_hash(tunnel, session_id);
+        read_lock_bh(&tunnel->hlist_lock);
+        hlist_for_each_entry(session, session_list, hlist) {
+                if (session->session_id == session_id) {
+                        l2tp_session_inc_refcount(session);
+                        if (do_ref && session->ref)
+                                session->ref(session);
+                        read_unlock_bh(&tunnel->hlist_lock);
+
+                        return session;
+                }
+        }
+        read_unlock_bh(&tunnel->hlist_lock);
+
+        return NULL;
+}
+EXPORT_SYMBOL_GPL(l2tp_session_get);
+
+struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
+                                          bool do_ref)
 {
         int hash;
         struct l2tp_session *session;
@@ -288,6 +338,9 @@ struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
         for (hash = 0; hash < L2TP_HASH_SIZE; hash++) {
                 hlist_for_each_entry(session, &tunnel->session_hlist[hash], hlist) {
                         if (++count > nth) {
+                                l2tp_session_inc_refcount(session);
+                                if (do_ref && session->ref)
+                                        session->ref(session);
                                 read_unlock_bh(&tunnel->hlist_lock);
                                 return session;
                         }
@@ -298,12 +351,13 @@ struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth)
 
         return NULL;
 }
-EXPORT_SYMBOL_GPL(l2tp_session_find_nth);
+EXPORT_SYMBOL_GPL(l2tp_session_get_nth);
 
 /* Lookup a session by interface name.
  * This is very inefficient but is only used by management interfaces.
  */
-struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname)
+struct l2tp_session *l2tp_session_get_by_ifname(struct net *net, char *ifname,
+                                                bool do_ref)
 {
         struct l2tp_net *pn = l2tp_pernet(net);
         int hash;
@@ -313,7 +367,11 @@ struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname)
         for (hash = 0; hash < L2TP_HASH_SIZE_2; hash++) {
                 hlist_for_each_entry_rcu(session, &pn->l2tp_session_hlist[hash], global_hlist) {
                         if (!strcmp(session->ifname, ifname)) {
+                                l2tp_session_inc_refcount(session);
+                                if (do_ref && session->ref)
+                                        session->ref(session);
                                 rcu_read_unlock_bh();
+
                                 return session;
                         }
                 }
@@ -323,7 +381,49 @@ struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname)
 
         return NULL;
 }
-EXPORT_SYMBOL_GPL(l2tp_session_find_by_ifname);
+EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname);
+
+static int l2tp_session_add_to_tunnel(struct l2tp_tunnel *tunnel,
+                                      struct l2tp_session *session)
+{
+        struct l2tp_session *session_walk;
+        struct hlist_head *g_head;
+        struct hlist_head *head;
+        struct l2tp_net *pn;
+
+        head = l2tp_session_id_hash(tunnel, session->session_id);
+
+        write_lock_bh(&tunnel->hlist_lock);
+        hlist_for_each_entry(session_walk, head, hlist)
+                if (session_walk->session_id == session->session_id)
+                        goto exist;
+
+        if (tunnel->version == L2TP_HDR_VER_3) {
+                pn = l2tp_pernet(tunnel->l2tp_net);
+                g_head = l2tp_session_id_hash_2(l2tp_pernet(tunnel->l2tp_net),
+                                                session->session_id);
+
+                spin_lock_bh(&pn->l2tp_session_hlist_lock);
+                hlist_for_each_entry(session_walk, g_head, global_hlist)
+                        if (session_walk->session_id == session->session_id)
+                                goto exist_glob;
+
+                hlist_add_head_rcu(&session->global_hlist, g_head);
+                spin_unlock_bh(&pn->l2tp_session_hlist_lock);
+        }
+
+        hlist_add_head(&session->hlist, head);
+        write_unlock_bh(&tunnel->hlist_lock);
+
+        return 0;
+
+exist_glob:
+        spin_unlock_bh(&pn->l2tp_session_hlist_lock);
+exist:
+        write_unlock_bh(&tunnel->hlist_lock);
+
+        return -EEXIST;
+}
 
 /* Lookup a tunnel by id
  */
@@ -633,6 +733,9 @@ discard:
  * a data (not control) frame before coming here. Fields up to the
  * session-id have already been parsed and ptr points to the data
  * after the session-id.
+ *
+ * session->ref() must have been called prior to l2tp_recv_common().
+ * session->deref() will be called automatically after skb is processed.
  */
 void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
                       unsigned char *ptr, unsigned char *optr, u16 hdrflags,
@@ -642,14 +745,6 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
         int offset;
         u32 ns, nr;
 
-        /* The ref count is increased since we now hold a pointer to
-         * the session. Take care to decrement the refcnt when exiting
-         * this function from now on...
-         */
-        l2tp_session_inc_refcount(session);
-        if (session->ref)
-                (*session->ref)(session);
-
         /* Parse and check optional cookie */
         if (session->peer_cookie_len > 0) {
                 if (memcmp(ptr, &session->peer_cookie[0], session->peer_cookie_len)) {
@@ -802,8 +897,6 @@ void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb,
         /* Try to dequeue as many skbs from reorder_q as we can. */
         l2tp_recv_dequeue(session);
 
-        l2tp_session_dec_refcount(session);
-
         return;
 
 discard:
@@ -812,8 +905,6 @@ discard:
 
         if (session->deref)
                 (*session->deref)(session);
-
-        l2tp_session_dec_refcount(session);
 }
 EXPORT_SYMBOL(l2tp_recv_common);
 
@@ -920,8 +1011,14 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
         }
 
         /* Find the session context */
-        session = l2tp_session_find(tunnel->l2tp_net, tunnel, session_id);
+        session = l2tp_session_get(tunnel->l2tp_net, tunnel, session_id, true);
         if (!session || !session->recv_skb) {
+                if (session) {
+                        if (session->deref)
+                                session->deref(session);
+                        l2tp_session_dec_refcount(session);
+                }
+
                 /* Not found? Pass to userspace to deal with */
                 l2tp_info(tunnel, L2TP_MSG_DATA,
                           "%s: no session found (%u/%u). Passing up.\n",
@@ -930,6 +1027,7 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb,
         }
 
         l2tp_recv_common(session, skb, ptr, optr, hdrflags, length, payload_hook);
+        l2tp_session_dec_refcount(session);
 
         return 0;
 
@@ -1738,6 +1836,7 @@ EXPORT_SYMBOL_GPL(l2tp_session_set_header_len);
 struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg)
 {
         struct l2tp_session *session;
+        int err;
 
         session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL);
         if (session != NULL) {
@@ -1793,6 +1892,13 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
 
                 l2tp_session_set_header_len(session, tunnel->version);
 
+                err = l2tp_session_add_to_tunnel(tunnel, session);
+                if (err) {
+                        kfree(session);
+
+                        return ERR_PTR(err);
+                }
+
                 /* Bump the reference count. The session context is deleted
                  * only when this drops to zero.
                  */
@@ -1802,28 +1908,14 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
                 /* Ensure tunnel socket isn't deleted */
                 sock_hold(tunnel->sock);
 
-                /* Add session to the tunnel's hash list */
-                write_lock_bh(&tunnel->hlist_lock);
-                hlist_add_head(&session->hlist,
-                               l2tp_session_id_hash(tunnel, session_id));
-                write_unlock_bh(&tunnel->hlist_lock);
-
-                /* And to the global session list if L2TPv3 */
-                if (tunnel->version != L2TP_HDR_VER_2) {
-                        struct l2tp_net *pn = l2tp_pernet(tunnel->l2tp_net);
-
-                        spin_lock_bh(&pn->l2tp_session_hlist_lock);
-                        hlist_add_head_rcu(&session->global_hlist,
-                                           l2tp_session_id_hash_2(pn, session_id));
-                        spin_unlock_bh(&pn->l2tp_session_hlist_lock);
-                }
-
                 /* Ignore management session in session count value */
                 if (session->session_id != 0)
                         atomic_inc(&l2tp_session_count);
+
+                return session;
         }
 
-        return session;
+        return ERR_PTR(-ENOMEM);
 }
 EXPORT_SYMBOL_GPL(l2tp_session_create);
 
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index aebf281d09ee..8ce7818c7a9d 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -230,11 +230,16 @@ out:
         return tunnel;
 }
 
+struct l2tp_session *l2tp_session_get(struct net *net,
+                                      struct l2tp_tunnel *tunnel,
+                                      u32 session_id, bool do_ref);
 struct l2tp_session *l2tp_session_find(struct net *net,
                                        struct l2tp_tunnel *tunnel,
                                        u32 session_id);
-struct l2tp_session *l2tp_session_find_nth(struct l2tp_tunnel *tunnel, int nth);
-struct l2tp_session *l2tp_session_find_by_ifname(struct net *net, char *ifname);
+struct l2tp_session *l2tp_session_get_nth(struct l2tp_tunnel *tunnel, int nth,
+                                          bool do_ref);
+struct l2tp_session *l2tp_session_get_by_ifname(struct net *net, char *ifname,
+                                                bool do_ref);
 struct l2tp_tunnel *l2tp_tunnel_find(struct net *net, u32 tunnel_id);
 struct l2tp_tunnel *l2tp_tunnel_find_nth(struct net *net, int nth);
 
diff --git a/net/l2tp/l2tp_debugfs.c b/net/l2tp/l2tp_debugfs.c
index 2d6760a2ae34..d100aed3d06f 100644
--- a/net/l2tp/l2tp_debugfs.c
+++ b/net/l2tp/l2tp_debugfs.c
@@ -53,7 +53,7 @@ static void l2tp_dfs_next_tunnel(struct l2tp_dfs_seq_data *pd)
 
 static void l2tp_dfs_next_session(struct l2tp_dfs_seq_data *pd)
 {
-        pd->session = l2tp_session_find_nth(pd->tunnel, pd->session_idx);
+        pd->session = l2tp_session_get_nth(pd->tunnel, pd->session_idx, true);
         pd->session_idx++;
 
         if (pd->session == NULL) {
@@ -238,10 +238,14 @@ static int l2tp_dfs_seq_show(struct seq_file *m, void *v)
         }
 
         /* Show the tunnel or session context */
-        if (pd->session == NULL)
+        if (!pd->session) {
                 l2tp_dfs_seq_tunnel_show(m, pd->tunnel);
-        else
+        } else {
                 l2tp_dfs_seq_session_show(m, pd->session);
+                if (pd->session->deref)
+                        pd->session->deref(pd->session);
+                l2tp_session_dec_refcount(pd->session);
+        }
 
 out:
         return 0;
diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
index 8bf18a5f66e0..6fd41d7afe1e 100644
--- a/net/l2tp/l2tp_eth.c
+++ b/net/l2tp/l2tp_eth.c
@@ -221,12 +221,6 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p
                 goto out;
         }
 
-        session = l2tp_session_find(net, tunnel, session_id);
-        if (session) {
-                rc = -EEXIST;
-                goto out;
-        }
-
         if (cfg->ifname) {
                 dev = dev_get_by_name(net, cfg->ifname);
                 if (dev) {
@@ -240,8 +234,8 @@ static int l2tp_eth_create(struct net *net, u32 tunnel_id, u32 session_id, u32 p
 
         session = l2tp_session_create(sizeof(*spriv), tunnel, session_id,
                                       peer_session_id, cfg);
-        if (!session) {
-                rc = -ENOMEM;
+        if (IS_ERR(session)) {
+                rc = PTR_ERR(session);
                 goto out;
         }
 
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index d25038cfd64e..4d322c1b7233 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -143,19 +143,19 @@ static int l2tp_ip_recv(struct sk_buff *skb)
         }
 
         /* Ok, this is a data packet. Lookup the session. */
-        session = l2tp_session_find(net, NULL, session_id);
-        if (session == NULL)
+        session = l2tp_session_get(net, NULL, session_id, true);
+        if (!session)
                 goto discard;
 
         tunnel = session->tunnel;
-        if (tunnel == NULL)
-                goto discard;
+        if (!tunnel)
+                goto discard_sess;
 
         /* Trace packet contents, if enabled */
         if (tunnel->debug & L2TP_MSG_DATA) {
                 length = min(32u, skb->len);
                 if (!pskb_may_pull(skb, length))
-                        goto discard;
+                        goto discard_sess;
 
                 /* Point to L2TP header */
                 optr = ptr = skb->data;
@@ -165,6 +165,7 @@ static int l2tp_ip_recv(struct sk_buff *skb)
         }
 
         l2tp_recv_common(session, skb, ptr, optr, 0, skb->len, tunnel->recv_payload_hook);
+        l2tp_session_dec_refcount(session);
 
         return 0;
 
@@ -178,9 +179,10 @@ pass_up:
 
         tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
         tunnel = l2tp_tunnel_find(net, tunnel_id);
-        if (tunnel != NULL)
+        if (tunnel) {
                 sk = tunnel->sock;
-        else {
+                sock_hold(sk);
+        } else {
                 struct iphdr *iph = (struct iphdr *) skb_network_header(skb);
 
                 read_lock_bh(&l2tp_ip_lock);
@@ -202,6 +204,12 @@ pass_up:
 
         return sk_receive_skb(sk, skb, 1);
 
+discard_sess:
+        if (session->deref)
+                session->deref(session);
+        l2tp_session_dec_refcount(session);
+        goto discard;
+
 discard_put:
         sock_put(sk);
 
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index a4abcbc4c09a..88b397c30d86 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -156,19 +156,19 @@ static int l2tp_ip6_recv(struct sk_buff *skb)
         }
 
         /* Ok, this is a data packet. Lookup the session. */
-        session = l2tp_session_find(net, NULL, session_id);
-        if (session == NULL)
+        session = l2tp_session_get(net, NULL, session_id, true);
+        if (!session)
                 goto discard;
 
         tunnel = session->tunnel;
-        if (tunnel == NULL)
-                goto discard;
+        if (!tunnel)
+                goto discard_sess;
 
         /* Trace packet contents, if enabled */
         if (tunnel->debug & L2TP_MSG_DATA) {
                 length = min(32u, skb->len);
                 if (!pskb_may_pull(skb, length))
-                        goto discard;
+                        goto discard_sess;
 
                 /* Point to L2TP header */
                 optr = ptr = skb->data;
@@ -179,6 +179,8 @@ static int l2tp_ip6_recv(struct sk_buff *skb)
 
         l2tp_recv_common(session, skb, ptr, optr, 0, skb->len,
                          tunnel->recv_payload_hook);
+        l2tp_session_dec_refcount(session);
+
         return 0;
 
 pass_up:
@@ -191,9 +193,10 @@ pass_up:
 
         tunnel_id = ntohl(*(__be32 *) &skb->data[4]);
         tunnel = l2tp_tunnel_find(net, tunnel_id);
-        if (tunnel != NULL)
+        if (tunnel) {
                 sk = tunnel->sock;
-        else {
+                sock_hold(sk);
+        } else {
                 struct ipv6hdr *iph = ipv6_hdr(skb);
 
                 read_lock_bh(&l2tp_ip6_lock);
@@ -215,6 +218,12 @@ pass_up:
 
         return sk_receive_skb(sk, skb, 1);
 
+discard_sess:
+        if (session->deref)
+                session->deref(session);
+        l2tp_session_dec_refcount(session);
+        goto discard;
+
 discard_put:
         sock_put(sk);
 
diff --git a/net/l2tp/l2tp_netlink.c b/net/l2tp/l2tp_netlink.c
index 3620fba31786..7e3e669baac4 100644
--- a/net/l2tp/l2tp_netlink.c
+++ b/net/l2tp/l2tp_netlink.c
@@ -48,7 +48,8 @@ static int l2tp_nl_session_send(struct sk_buff *skb, u32 portid, u32 seq,
 /* Accessed under genl lock */
 static const struct l2tp_nl_cmd_ops *l2tp_nl_cmd_ops[__L2TP_PWTYPE_MAX];
 
-static struct l2tp_session *l2tp_nl_session_find(struct genl_info *info)
+static struct l2tp_session *l2tp_nl_session_get(struct genl_info *info,
+                                                bool do_ref)
 {
         u32 tunnel_id;
         u32 session_id;
@@ -59,14 +60,15 @@ static struct l2tp_session *l2tp_nl_session_find(struct genl_info *info)
 
         if (info->attrs[L2TP_ATTR_IFNAME]) {
                 ifname = nla_data(info->attrs[L2TP_ATTR_IFNAME]);
-                session = l2tp_session_find_by_ifname(net, ifname);
+                session = l2tp_session_get_by_ifname(net, ifname, do_ref);
         } else if ((info->attrs[L2TP_ATTR_SESSION_ID]) &&
                    (info->attrs[L2TP_ATTR_CONN_ID])) {
                 tunnel_id = nla_get_u32(info->attrs[L2TP_ATTR_CONN_ID]);
                 session_id = nla_get_u32(info->attrs[L2TP_ATTR_SESSION_ID]);
                 tunnel = l2tp_tunnel_find(net, tunnel_id);
                 if (tunnel)
-                        session = l2tp_session_find(net, tunnel, session_id);
+                        session = l2tp_session_get(net, tunnel, session_id,
+                                                   do_ref);
         }
 
         return session;
@@ -642,10 +644,12 @@ static int l2tp_nl_cmd_session_create(struct sk_buff *skb, struct genl_info *inf
                         session_id, peer_session_id, &cfg);
 
         if (ret >= 0) {
-                session = l2tp_session_find(net, tunnel, session_id);
-                if (session)
+                session = l2tp_session_get(net, tunnel, session_id, false);
+                if (session) {
                         ret = l2tp_session_notify(&l2tp_nl_family, info, session,
                                                   L2TP_CMD_SESSION_CREATE);
+                        l2tp_session_dec_refcount(session);
+                }
         }
 
 out:
@@ -658,7 +662,7 @@ static int l2tp_nl_cmd_session_delete(struct sk_buff *skb, struct genl_info *inf
         struct l2tp_session *session;
         u16 pw_type;
 
-        session = l2tp_nl_session_find(info);
+        session = l2tp_nl_session_get(info, true);
         if (session == NULL) {
                 ret = -ENODEV;
                 goto out;
@@ -672,6 +676,10 @@ static int l2tp_nl_cmd_session_delete(struct sk_buff *skb, struct genl_info *inf
                 if (l2tp_nl_cmd_ops[pw_type] && l2tp_nl_cmd_ops[pw_type]->session_delete)
                         ret = (*l2tp_nl_cmd_ops[pw_type]->session_delete)(session);
 
+        if (session->deref)
+                session->deref(session);
+        l2tp_session_dec_refcount(session);
+
 out:
         return ret;
 }
@@ -681,7 +689,7 @@ static int l2tp_nl_cmd_session_modify(struct sk_buff *skb, struct genl_info *inf
         int ret = 0;
         struct l2tp_session *session;
 
-        session = l2tp_nl_session_find(info);
+        session = l2tp_nl_session_get(info, false);
         if (session == NULL) {
                 ret = -ENODEV;
                 goto out;
@@ -716,6 +724,8 @@ static int l2tp_nl_cmd_session_modify(struct sk_buff *skb, struct genl_info *inf
         ret = l2tp_session_notify(&l2tp_nl_family, info,
                                   session, L2TP_CMD_SESSION_MODIFY);
 
+        l2tp_session_dec_refcount(session);
+
 out:
         return ret;
 }
@@ -811,29 +821,34 @@ static int l2tp_nl_cmd_session_get(struct sk_buff *skb, struct genl_info *info)
         struct sk_buff *msg;
         int ret;
 
-        session = l2tp_nl_session_find(info);
+        session = l2tp_nl_session_get(info, false);
         if (session == NULL) {
                 ret = -ENODEV;
-                goto out;
+                goto err;
         }
 
         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
         if (!msg) {
                 ret = -ENOMEM;
-                goto out;
+                goto err_ref;
         }
 
         ret = l2tp_nl_session_send(msg, info->snd_portid, info->snd_seq,
                                    0, session, L2TP_CMD_SESSION_GET);
         if (ret < 0)
-                goto err_out;
+                goto err_ref_msg;
 
-        return genlmsg_unicast(genl_info_net(info), msg, info->snd_portid);
+        ret = genlmsg_unicast(genl_info_net(info), msg, info->snd_portid);
 
-err_out:
-        nlmsg_free(msg);
+        l2tp_session_dec_refcount(session);
 
-out:
+        return ret;
+
+err_ref_msg:
+        nlmsg_free(msg);
+err_ref:
+        l2tp_session_dec_refcount(session);
+err:
         return ret;
 }
 
@@ -852,7 +867,7 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback
                                 goto out;
                 }
 
-                session = l2tp_session_find_nth(tunnel, si);
+                session = l2tp_session_get_nth(tunnel, si, false);
                 if (session == NULL) {
                         ti++;
                         tunnel = NULL;
@@ -862,8 +877,11 @@ static int l2tp_nl_cmd_session_dump(struct sk_buff *skb, struct netlink_callback
 
                 if (l2tp_nl_session_send(skb, NETLINK_CB(cb->skb).portid,
                                          cb->nlh->nlmsg_seq, NLM_F_MULTI,
-                                         session, L2TP_CMD_SESSION_GET) < 0)
+                                         session, L2TP_CMD_SESSION_GET) < 0) {
+                        l2tp_session_dec_refcount(session);
                         break;
+                }
+                l2tp_session_dec_refcount(session);
 
                 si++;
         }
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 36cc56fd0418..861b255a2d51 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -450,6 +450,10 @@ static void pppol2tp_session_close(struct l2tp_session *session)
 static void pppol2tp_session_destruct(struct sock *sk)
 {
         struct l2tp_session *session = sk->sk_user_data;
+
+        skb_queue_purge(&sk->sk_receive_queue);
+        skb_queue_purge(&sk->sk_write_queue);
+
         if (session) {
                 sk->sk_user_data = NULL;
                 BUG_ON(session->magic != L2TP_SESSION_MAGIC);
@@ -488,9 +492,6 @@ static int pppol2tp_release(struct socket *sock)
                 l2tp_session_queue_purge(session);
                 sock_put(sk);
         }
-        skb_queue_purge(&sk->sk_receive_queue);
-        skb_queue_purge(&sk->sk_write_queue);
-
         release_sock(sk);
 
         /* This will delete the session context via
@@ -582,6 +583,7 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
         int error = 0;
         u32 tunnel_id, peer_tunnel_id;
         u32 session_id, peer_session_id;
+        bool drop_refcnt = false;
         int ver = 2;
         int fd;
 
@@ -683,36 +685,36 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
         if (tunnel->peer_tunnel_id == 0)
                 tunnel->peer_tunnel_id = peer_tunnel_id;
 
-        /* Create session if it doesn't already exist. We handle the
-         * case where a session was previously created by the netlink
-         * interface by checking that the session doesn't already have
-         * a socket and its tunnel socket are what we expect. If any
-         * of those checks fail, return EEXIST to the caller.
-         */
-        session = l2tp_session_find(sock_net(sk), tunnel, session_id);
-        if (session == NULL) {
-                /* Default MTU must allow space for UDP/L2TP/PPP
-                 * headers.
+        session = l2tp_session_get(sock_net(sk), tunnel, session_id, false);
+        if (session) {
+                drop_refcnt = true;
+                ps = l2tp_session_priv(session);
+
+                /* Using a pre-existing session is fine as long as it hasn't
+                 * been connected yet.
                  */
-                cfg.mtu = cfg.mru = 1500 - PPPOL2TP_HEADER_OVERHEAD;
+                if (ps->sock) {
+                        error = -EEXIST;
+                        goto end;
+                }
 
-                /* Allocate and initialize a new session context. */
-                session = l2tp_session_create(sizeof(struct pppol2tp_session),
-                                              tunnel, session_id,
-                                              peer_session_id, &cfg);
-                if (session == NULL) {
-                        error = -ENOMEM;
+                /* consistency checks */
+                if (ps->tunnel_sock != tunnel->sock) {
+                        error = -EEXIST;
                         goto end;
                 }
         } else {
-                ps = l2tp_session_priv(session);
-                error = -EEXIST;
-                if (ps->sock != NULL)
-                        goto end;
+                /* Default MTU must allow space for UDP/L2TP/PPP headers */
+                cfg.mtu = 1500 - PPPOL2TP_HEADER_OVERHEAD;
+                cfg.mru = cfg.mtu;
 
-                /* consistency checks */
-                if (ps->tunnel_sock != tunnel->sock)
+                session = l2tp_session_create(sizeof(struct pppol2tp_session),
+                                              tunnel, session_id,
+                                              peer_session_id, &cfg);
+                if (IS_ERR(session)) {
+                        error = PTR_ERR(session);
                         goto end;
+                }
         }
 
         /* Associate session with its PPPoL2TP socket */
@@ -777,6 +779,8 @@ out_no_ppp:
                   session->name);
 
 end:
+        if (drop_refcnt)
+                l2tp_session_dec_refcount(session);
         release_sock(sk);
 
         return error;
@@ -804,12 +808,6 @@ static int pppol2tp_session_create(struct net *net, u32 tunnel_id, u32 session_i
         if (tunnel->sock == NULL)
                 goto out;
 
-        /* Check that this session doesn't already exist */
-        error = -EEXIST;
-        session = l2tp_session_find(net, tunnel, session_id);
-        if (session != NULL)
-                goto out;
-
         /* Default MTU values. */
         if (cfg->mtu == 0)
                 cfg->mtu = 1500 - PPPOL2TP_HEADER_OVERHEAD;
@@ -817,12 +815,13 @@ static int pppol2tp_session_create(struct net *net, u32 tunnel_id, u32 session_i
                 cfg->mru = cfg->mtu;
 
         /* Allocate and initialize a new session context. */
-        error = -ENOMEM;
         session = l2tp_session_create(sizeof(struct pppol2tp_session),
                                       tunnel, session_id,
                                       peer_session_id, cfg);
-        if (session == NULL)
+        if (IS_ERR(session)) {
+                error = PTR_ERR(session);
                 goto out;
+        }
 
         ps = l2tp_session_priv(session);
         ps->tunnel_sock = tunnel->sock;
@@ -1140,11 +1139,18 @@ static int pppol2tp_tunnel_ioctl(struct l2tp_tunnel *tunnel,
                 if (stats.session_id != 0) {
                         /* resend to session ioctl handler */
                         struct l2tp_session *session =
-                                l2tp_session_find(sock_net(sk), tunnel, stats.session_id);
-                        if (session != NULL)
-                                err = pppol2tp_session_ioctl(session, cmd, arg);
-                        else
+                                l2tp_session_get(sock_net(sk), tunnel,
+                                                 stats.session_id, true);
+
+                        if (session) {
+                                err = pppol2tp_session_ioctl(session, cmd,
+                                                             arg);
+                                if (session->deref)
+                                        session->deref(session);
+                                l2tp_session_dec_refcount(session);
+                        } else {
                                 err = -EBADR;
+                        }
                         break;
                 }
 #ifdef CONFIG_XFRM
@@ -1554,7 +1560,7 @@ static void pppol2tp_next_tunnel(struct net *net, struct pppol2tp_seq_data *pd)
 
 static void pppol2tp_next_session(struct net *net, struct pppol2tp_seq_data *pd)
 {
-        pd->session = l2tp_session_find_nth(pd->tunnel, pd->session_idx);
+        pd->session = l2tp_session_get_nth(pd->tunnel, pd->session_idx, true);
         pd->session_idx++;
 
         if (pd->session == NULL) {
@@ -1681,10 +1687,14 @@ static int pppol2tp_seq_show(struct seq_file *m, void *v)
 
         /* Show the tunnel or session context.
          */
-        if (pd->session == NULL)
+        if (!pd->session) {
                 pppol2tp_seq_tunnel_show(m, pd->tunnel);
-        else
+        } else {
                 pppol2tp_seq_session_show(m, pd->session);
+                if (pd->session->deref)
+                        pd->session->deref(pd->session);
+                l2tp_session_dec_refcount(pd->session);
+        }
 
 out:
         return 0;
@@ -1843,4 +1853,4 @@ MODULE_DESCRIPTION("PPP over L2TP over UDP");
 MODULE_LICENSE("GPL");
 MODULE_VERSION(PPPOL2TP_DRV_VERSION);
 MODULE_ALIAS_NET_PF_PROTO(PF_PPPOX, PX_PROTO_OL2TP);
-MODULE_ALIAS_L2TP_PWTYPE(11);
+MODULE_ALIAS_L2TP_PWTYPE(7);
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 40813dd3301c..5bb0c5012819 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -718,7 +718,8 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
         ieee80211_recalc_ps(local);
 
         if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
-            sdata->vif.type == NL80211_IFTYPE_AP_VLAN) {
+            sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
+            local->ops->wake_tx_queue) {
                 /* XXX: for AP_VLAN, actually track AP queues */
                 netif_tx_start_all_queues(dev);
         } else if (dev) {
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
index da9df2d56e66..22fc32143e9c 100644
--- a/net/netfilter/nf_conntrack_ecache.c
+++ b/net/netfilter/nf_conntrack_ecache.c
@@ -290,6 +290,7 @@ void nf_conntrack_unregister_notifier(struct net *net,
         BUG_ON(notify != new);
         RCU_INIT_POINTER(net->ct.nf_conntrack_event_cb, NULL);
         mutex_unlock(&nf_ct_ecache_mutex);
+        /* synchronize_rcu() is called from ctnetlink_exit. */
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier);
 
@@ -326,6 +327,7 @@ void nf_ct_expect_unregister_notifier(struct net *net,
         BUG_ON(notify != new);
         RCU_INIT_POINTER(net->ct.nf_expect_event_cb, NULL);
         mutex_unlock(&nf_ct_ecache_mutex);
+        /* synchronize_rcu() is called from ctnetlink_exit. */
 }
 EXPORT_SYMBOL_GPL(nf_ct_expect_unregister_notifier);
 
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 02bcf00c2492..008299b7f78f 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -53,7 +53,11 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id,
 
         rcu_read_lock();
         t = rcu_dereference(nf_ct_ext_types[id]);
-        BUG_ON(t == NULL);
+        if (!t) {
+                rcu_read_unlock();
+                return NULL;
+        }
+
         off = ALIGN(sizeof(struct nf_ct_ext), t->align);
         len = off + t->len + var_alloc_len;
         alloc_size = t->alloc_size + var_alloc_len;
@@ -88,7 +92,10 @@ void *__nf_ct_ext_add_length(struct nf_conn *ct, enum nf_ct_ext_id id,
 
         rcu_read_lock();
         t = rcu_dereference(nf_ct_ext_types[id]);
-        BUG_ON(t == NULL);
+        if (!t) {
+                rcu_read_unlock();
+                return NULL;
+        }
 
         newoff = ALIGN(old->len, t->align);
         newlen = newoff + t->len + var_alloc_len;
@@ -175,6 +182,6 @@ void nf_ct_extend_unregister(struct nf_ct_ext_type *type)
         RCU_INIT_POINTER(nf_ct_ext_types[type->id], NULL);
         update_alloc_size(type);
         mutex_unlock(&nf_ct_ext_type_mutex);
-        rcu_barrier(); /* Wait for completion of call_rcu()'s */
+        synchronize_rcu();
 }
 EXPORT_SYMBOL_GPL(nf_ct_extend_unregister);
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 6806b5e73567..908d858034e4 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -3442,6 +3442,7 @@ static void __exit ctnetlink_exit(void)
 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
         RCU_INIT_POINTER(nfnl_ct_hook, NULL);
 #endif
+        synchronize_rcu();
 }
 
 module_init(ctnetlink_init);
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 94b14c5a8b17..82802e4a6640 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -903,6 +903,8 @@ static void __exit nf_nat_cleanup(void)
 #ifdef CONFIG_XFRM
         RCU_INIT_POINTER(nf_nat_decode_session_hook, NULL);
 #endif
+        synchronize_rcu();
+
         for (i = 0; i < NFPROTO_NUMPROTO; i++)
                 kfree(nf_nat_l4protos[i]);
 
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index de8782345c86..d45558178da5 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -32,6 +32,13 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
 MODULE_DESCRIPTION("nfnl_cthelper: User-space connection tracking helpers");
 
+struct nfnl_cthelper {
+        struct list_head                list;
+        struct nf_conntrack_helper      helper;
+};
+
+static LIST_HEAD(nfnl_cthelper_list);
+
 static int
 nfnl_userspace_cthelper(struct sk_buff *skb, unsigned int protoff,
                         struct nf_conn *ct, enum ip_conntrack_info ctinfo)
@@ -161,6 +168,7 @@ nfnl_cthelper_parse_expect_policy(struct nf_conntrack_helper *helper,
         int i, ret;
         struct nf_conntrack_expect_policy *expect_policy;
         struct nlattr *tb[NFCTH_POLICY_SET_MAX+1];
+        unsigned int class_max;
 
         ret = nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr,
                                nfnl_cthelper_expect_policy_set);
@@ -170,19 +178,18 @@ nfnl_cthelper_parse_expect_policy(struct nf_conntrack_helper *helper,
         if (!tb[NFCTH_POLICY_SET_NUM])
                 return -EINVAL;
 
-        helper->expect_class_max =
-                ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
-
-        if (helper->expect_class_max != 0 &&
-            helper->expect_class_max > NF_CT_MAX_EXPECT_CLASSES)
+        class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
+        if (class_max == 0)
+                return -EINVAL;
+        if (class_max > NF_CT_MAX_EXPECT_CLASSES)
                 return -EOVERFLOW;
 
         expect_policy = kzalloc(sizeof(struct nf_conntrack_expect_policy) *
-                                helper->expect_class_max, GFP_KERNEL);
+                                class_max, GFP_KERNEL);
         if (expect_policy == NULL)
                 return -ENOMEM;
 
-        for (i=0; i<helper->expect_class_max; i++) {
+        for (i = 0; i < class_max; i++) {
                 if (!tb[NFCTH_POLICY_SET+i])
                         goto err;
 
@@ -191,6 +198,8 @@ nfnl_cthelper_parse_expect_policy(struct nf_conntrack_helper *helper,
                 if (ret < 0)
                         goto err;
         }
+
+        helper->expect_class_max = class_max - 1;
         helper->expect_policy = expect_policy;
         return 0;
 err:
@@ -203,18 +212,20 @@ nfnl_cthelper_create(const struct nlattr * const tb[],
                      struct nf_conntrack_tuple *tuple)
 {
         struct nf_conntrack_helper *helper;
+        struct nfnl_cthelper *nfcth;
         int ret;
 
         if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY] || !tb[NFCTH_PRIV_DATA_LEN])
                 return -EINVAL;
 
-        helper = kzalloc(sizeof(struct nf_conntrack_helper), GFP_KERNEL);
-        if (helper == NULL)
+        nfcth = kzalloc(sizeof(*nfcth), GFP_KERNEL);
+        if (nfcth == NULL)
                 return -ENOMEM;
+        helper = &nfcth->helper;
 
         ret = nfnl_cthelper_parse_expect_policy(helper, tb[NFCTH_POLICY]);
         if (ret < 0)
-                goto err;
+                goto err1;
 
         strncpy(helper->name, nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN);
         helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
@@ -245,15 +256,101 @@ nfnl_cthelper_create(const struct nlattr * const tb[],
 
         ret = nf_conntrack_helper_register(helper);
         if (ret < 0)
-                goto err;
+                goto err2;
 
+        list_add_tail(&nfcth->list, &nfnl_cthelper_list);
         return 0;
-err:
-        kfree(helper);
+err2:
+        kfree(helper->expect_policy);
+err1:
+        kfree(nfcth);
         return ret;
 }
 
 static int
+nfnl_cthelper_update_policy_one(const struct nf_conntrack_expect_policy *policy,
+                                struct nf_conntrack_expect_policy *new_policy,
+                                const struct nlattr *attr)
+{
+        struct nlattr *tb[NFCTH_POLICY_MAX + 1];
+        int err;
+
+        err = nla_parse_nested(tb, NFCTH_POLICY_MAX, attr,
+                               nfnl_cthelper_expect_pol);
+        if (err < 0)
+                return err;
+
+        if (!tb[NFCTH_POLICY_NAME] ||
+            !tb[NFCTH_POLICY_EXPECT_MAX] ||
+            !tb[NFCTH_POLICY_EXPECT_TIMEOUT])
+                return -EINVAL;
+
+        if (nla_strcmp(tb[NFCTH_POLICY_NAME], policy->name))
+                return -EBUSY;
+
+        new_policy->max_expected =
+                ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
+        new_policy->timeout =
+                ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT]));
+
+        return 0;
+}
+
+static int nfnl_cthelper_update_policy_all(struct nlattr *tb[],
+                                           struct nf_conntrack_helper *helper)
+{
+        struct nf_conntrack_expect_policy new_policy[helper->expect_class_max + 1];
+        struct nf_conntrack_expect_policy *policy;
+        int i, err;
+
+        /* Check first that all policy attributes are well-formed, so we don't
+         * leave things in inconsistent state on errors.
+         */
+        for (i = 0; i < helper->expect_class_max + 1; i++) {
+
+                if (!tb[NFCTH_POLICY_SET + i])
+                        return -EINVAL;
+
+                err = nfnl_cthelper_update_policy_one(&helper->expect_policy[i],
+                                                      &new_policy[i],
+                                                      tb[NFCTH_POLICY_SET + i]);
+                if (err < 0)
+                        return err;
+        }
+        /* Now we can safely update them. */
+        for (i = 0; i < helper->expect_class_max + 1; i++) {
+                policy = (struct nf_conntrack_expect_policy *)
+                                &helper->expect_policy[i];
+                policy->max_expected = new_policy->max_expected;
+                policy->timeout = new_policy->timeout;
+        }
+
+        return 0;
+}
+
+static int nfnl_cthelper_update_policy(struct nf_conntrack_helper *helper,
+                                       const struct nlattr *attr)
+{
+        struct nlattr *tb[NFCTH_POLICY_SET_MAX + 1];
+        unsigned int class_max;
+        int err;
+
+        err = nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr,
+                               nfnl_cthelper_expect_policy_set);
+        if (err < 0)
+                return err;
+
+        if (!tb[NFCTH_POLICY_SET_NUM])
+                return -EINVAL;
+
+        class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
+        if (helper->expect_class_max + 1 != class_max)
+                return -EBUSY;
+
+        return nfnl_cthelper_update_policy_all(tb, helper);
+}
+
+static int
 nfnl_cthelper_update(const struct nlattr * const tb[],
                      struct nf_conntrack_helper *helper)
 {
@@ -263,8 +360,7 @@ nfnl_cthelper_update(const struct nlattr * const tb[],
                 return -EBUSY;
 
         if (tb[NFCTH_POLICY]) {
-                ret = nfnl_cthelper_parse_expect_policy(helper,
-                                                        tb[NFCTH_POLICY]);
+                ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]);
                 if (ret < 0)
                         return ret;
         }
@@ -293,7 +389,8 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
         const char *helper_name;
         struct nf_conntrack_helper *cur, *helper = NULL;
         struct nf_conntrack_tuple tuple;
-        int ret = 0, i;
+        struct nfnl_cthelper *nlcth;
+        int ret = 0;
 
         if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
                 return -EINVAL;
@@ -304,31 +401,22 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
         if (ret < 0)
                 return ret;
 
-        rcu_read_lock();
-        for (i = 0; i < nf_ct_helper_hsize && !helper; i++) {
-                hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) {
+        list_for_each_entry(nlcth, &nfnl_cthelper_list, list) {
+                cur = &nlcth->helper;
 
-                        /* skip non-userspace conntrack helpers. */
-                        if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
-                                continue;
+                if (strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN))
+                        continue;
 
-                        if (strncmp(cur->name, helper_name,
-                                        NF_CT_HELPER_NAME_LEN) != 0)
-                                continue;
+                if ((tuple.src.l3num != cur->tuple.src.l3num ||
+                     tuple.dst.protonum != cur->tuple.dst.protonum))
+                        continue;
 
-                        if ((tuple.src.l3num != cur->tuple.src.l3num ||
-                             tuple.dst.protonum != cur->tuple.dst.protonum))
-                                continue;
+                if (nlh->nlmsg_flags & NLM_F_EXCL)
+                        return -EEXIST;
 
-                        if (nlh->nlmsg_flags & NLM_F_EXCL) {
-                                ret = -EEXIST;
-                                goto err;
-                        }
-                        helper = cur;
-                        break;
-                }
+                helper = cur;
+                break;
         }
-        rcu_read_unlock();
 
         if (helper == NULL)
                 ret = nfnl_cthelper_create(tb, &tuple);
@@ -336,9 +424,6 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
                 ret = nfnl_cthelper_update(tb, helper);
 
         return ret;
-err:
-        rcu_read_unlock();
-        return ret;
 }
 
 static int
@@ -377,10 +462,10 @@ nfnl_cthelper_dump_policy(struct sk_buff *skb,
                 goto nla_put_failure;
 
         if (nla_put_be32(skb, NFCTH_POLICY_SET_NUM,
-                         htonl(helper->expect_class_max)))
+                         htonl(helper->expect_class_max + 1)))
                 goto nla_put_failure;
 
-        for (i=0; i<helper->expect_class_max; i++) {
+        for (i = 0; i < helper->expect_class_max + 1; i++) {
                 nest_parms2 = nla_nest_start(skb,
                                 (NFCTH_POLICY_SET+i) | NLA_F_NESTED);
                 if (nest_parms2 == NULL)
@@ -502,11 +587,12 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
                              struct sk_buff *skb, const struct nlmsghdr *nlh,
                              const struct nlattr * const tb[])
 {
-        int ret = -ENOENT, i;
+        int ret = -ENOENT;
         struct nf_conntrack_helper *cur;
         struct sk_buff *skb2;
         char *helper_name = NULL;
         struct nf_conntrack_tuple tuple;
+        struct nfnl_cthelper *nlcth;
         bool tuple_set = false;
 
         if (nlh->nlmsg_flags & NLM_F_DUMP) {
@@ -527,45 +613,39 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
                 tuple_set = true;
         }
 
-        for (i = 0; i < nf_ct_helper_hsize; i++) {
-                hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) {
+        list_for_each_entry(nlcth, &nfnl_cthelper_list, list) {
+                cur = &nlcth->helper;
+                if (helper_name &&
+                    strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN))
+                        continue;
 
-                        /* skip non-userspace conntrack helpers. */
-                        if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
-                                continue;
+                if (tuple_set &&
+                    (tuple.src.l3num != cur->tuple.src.l3num ||
+                     tuple.dst.protonum != cur->tuple.dst.protonum))
+                        continue;
 
-                        if (helper_name && strncmp(cur->name, helper_name,
-                                                NF_CT_HELPER_NAME_LEN) != 0) {
-                                continue;
-                        }
-                        if (tuple_set &&
-                            (tuple.src.l3num != cur->tuple.src.l3num ||
-                             tuple.dst.protonum != cur->tuple.dst.protonum))
-                                continue;
-
-                        skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
-                        if (skb2 == NULL) {
-                                ret = -ENOMEM;
-                                break;
-                        }
+                skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+                if (skb2 == NULL) {
+                        ret = -ENOMEM;
+                        break;
+                }
 
-                        ret = nfnl_cthelper_fill_info(skb2, NETLINK_CB(skb).portid,
-                                                nlh->nlmsg_seq,
-                                                NFNL_MSG_TYPE(nlh->nlmsg_type),
-                                                NFNL_MSG_CTHELPER_NEW, cur);
-                        if (ret <= 0) {
-                                kfree_skb(skb2);
-                                break;
-                        }
+                ret = nfnl_cthelper_fill_info(skb2, NETLINK_CB(skb).portid,
+                                              nlh->nlmsg_seq,
+                                              NFNL_MSG_TYPE(nlh->nlmsg_type),
+                                              NFNL_MSG_CTHELPER_NEW, cur);
+                if (ret <= 0) {
+                        kfree_skb(skb2);
+                        break;
+                }
 
-                        ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
-                                                MSG_DONTWAIT);
-                        if (ret > 0)
-                                ret = 0;
+                ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
+                                      MSG_DONTWAIT);
+                if (ret > 0)
+                        ret = 0;
 
-                        /* this avoids a loop in nfnetlink. */
-                        return ret == -EAGAIN ? -ENOBUFS : ret;
-                }
+                /* this avoids a loop in nfnetlink. */
+                return ret == -EAGAIN ? -ENOBUFS : ret;
         }
         return ret;
 }
@@ -576,10 +656,10 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
 {
         char *helper_name = NULL;
         struct nf_conntrack_helper *cur;
-        struct hlist_node *tmp;
         struct nf_conntrack_tuple tuple;
         bool tuple_set = false, found = false;
-        int i, j = 0, ret;
+        struct nfnl_cthelper *nlcth, *n;
+        int j = 0, ret;
 
         if (tb[NFCTH_NAME])
                 helper_name = nla_data(tb[NFCTH_NAME]);
@@ -592,28 +672,27 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
                 tuple_set = true;
         }
 
-        for (i = 0; i < nf_ct_helper_hsize; i++) {
-                hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i],
-                                                                hnode) {
-                        /* skip non-userspace conntrack helpers. */
-                        if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
-                                continue;
+        list_for_each_entry_safe(nlcth, n, &nfnl_cthelper_list, list) {
+                cur = &nlcth->helper;
+                j++;
 
-                        j++;
+                if (helper_name &&
+                    strncmp(cur->name, helper_name, NF_CT_HELPER_NAME_LEN))
+                        continue;
 
-                        if (helper_name && strncmp(cur->name, helper_name,
-                                                NF_CT_HELPER_NAME_LEN) != 0) {
-                                continue;
-                        }
-                        if (tuple_set &&
-                            (tuple.src.l3num != cur->tuple.src.l3num ||
-                             tuple.dst.protonum != cur->tuple.dst.protonum))
-                                continue;
+                if (tuple_set &&
+                    (tuple.src.l3num != cur->tuple.src.l3num ||
+                     tuple.dst.protonum != cur->tuple.dst.protonum))
+                        continue;
 
-                        found = true;
-                        nf_conntrack_helper_unregister(cur);
-                }
+                found = true;
+                nf_conntrack_helper_unregister(cur);
+                kfree(cur->expect_policy);
+
+                list_del(&nlcth->list);
+                kfree(nlcth);
         }
+
         /* Make sure we return success if we flush and there is no helpers */
         return (found || j == 0) ? 0 : -ENOENT;
 }
@@ -662,20 +741,16 @@ err_out:
 static void __exit nfnl_cthelper_exit(void)
 {
         struct nf_conntrack_helper *cur;
-        struct hlist_node *tmp;
-        int i;
+        struct nfnl_cthelper *nlcth, *n;
 
         nfnetlink_subsys_unregister(&nfnl_cthelper_subsys);
 
-        for (i=0; i<nf_ct_helper_hsize; i++) {
-                hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i],
-                                                                        hnode) {
-                        /* skip non-userspace conntrack helpers. */
-                        if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
-                                continue;
+        list_for_each_entry_safe(nlcth, n, &nfnl_cthelper_list, list) {
+                cur = &nlcth->helper;
 
-                        nf_conntrack_helper_unregister(cur);
-                }
+                nf_conntrack_helper_unregister(cur);
+                kfree(cur->expect_policy);
+                kfree(nlcth);
         }
 }
 
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 139e0867e56e..47d6656c9119 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -646,8 +646,8 @@ static void __exit cttimeout_exit(void)
 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, NULL);
         RCU_INIT_POINTER(nf_ct_timeout_put_hook, NULL);
+        synchronize_rcu();
 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
-        rcu_barrier();
 }
 
 module_init(cttimeout_init);
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 3ee0b8a000a4..933509ebf3d3 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -443,7 +443,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
         skb = alloc_skb(size, GFP_ATOMIC);
         if (!skb) {
                 skb_tx_error(entskb);
-                return NULL;
+                goto nlmsg_failure;
         }
 
         nlh = nlmsg_put(skb, 0, 0,
@@ -452,7 +452,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
         if (!nlh) {
                 skb_tx_error(entskb);
                 kfree_skb(skb);
-                return NULL;
+                goto nlmsg_failure;
         }
         nfmsg = nlmsg_data(nlh);
         nfmsg->nfgen_family = entry->state.pf;
@@ -598,12 +598,17 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
         }
 
         nlh->nlmsg_len = skb->len;
+        if (seclen)
+                security_release_secctx(secdata, seclen);
         return skb;
 
 nla_put_failure:
         skb_tx_error(entskb);
         kfree_skb(skb);
         net_err_ratelimited("nf_queue: error creating packet message\n");
+nlmsg_failure:
+        if (seclen)
+                security_release_secctx(secdata, seclen);
         return NULL;
 }
 
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index e0a87776a010..7b2c2fce408a 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -643,8 +643,8 @@ static bool skb_nfct_cached(struct net *net,
                  */
                 if (nf_ct_is_confirmed(ct))
                         nf_ct_delete(ct, 0, 0);
-                else
-                        nf_conntrack_put(&ct->ct_general);
+
+                nf_conntrack_put(&ct->ct_general);
                 nf_ct_set(skb, NULL, 0);
                 return false;
         }
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 9d4bb8eb63f2..3f76cb765e5b 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -527,7 +527,7 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
 
         /* Link layer. */
         clear_vlan(key);
-        if (key->mac_proto == MAC_PROTO_NONE) {
+        if (ovs_key_mac_proto(key) == MAC_PROTO_NONE) {
                 if (unlikely(eth_type_vlan(skb->protocol)))
                         return -EINVAL;
 
@@ -745,7 +745,13 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
 
 int ovs_flow_key_update(struct sk_buff *skb, struct sw_flow_key *key)
 {
-        return key_extract(skb, key);
+        int res;
+
+        res = key_extract(skb, key);
+        if (!res)
+                key->mac_proto &= ~SW_FLOW_KEY_INVALID;
+
+        return res;
 }
 
 static int key_extract_mac_proto(struct sk_buff *skb)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index a0dbe7ca8f72..8489beff5c25 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3665,6 +3665,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
                         return -EBUSY;
                 if (copy_from_user(&val, optval, sizeof(val)))
                         return -EFAULT;
+                if (val > INT_MAX)
+                        return -EINVAL;
                 po->tp_reserve = val;
                 return 0;
         }
@@ -4193,8 +4195,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
                 if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
                         goto out;
                 if (po->tp_version >= TPACKET_V3 &&
-                    (int)(req->tp_block_size -
-                          BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
+                    req->tp_block_size <=
+                          BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
                         goto out;
                 if (unlikely(req->tp_frame_size < po->tp_hdrlen +
                                         po->tp_reserve))
@@ -4205,6 +4207,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
                 rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
                 if (unlikely(rb->frames_per_block == 0))
                         goto out;
+                if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
+                        goto out;
                 if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
                                         req->tp_frame_nr))
                         goto out;
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 0439a1a68367..a9708da28eb5 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -246,6 +246,9 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
         if (!sctp_ulpq_init(&asoc->ulpq, asoc))
                 goto fail_init;
 
+        if (sctp_stream_new(asoc, gfp))
+                goto fail_init;
+
         /* Assume that peer would support both address types unless we are
          * told otherwise.
          */
@@ -264,7 +267,7 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
         /* AUTH related initializations */
         INIT_LIST_HEAD(&asoc->endpoint_shared_keys);
         if (sctp_auth_asoc_copy_shkeys(ep, asoc, gfp))
-                goto fail_init;
+                goto stream_free;
 
         asoc->active_key_id = ep->active_key_id;
         asoc->prsctp_enable = ep->prsctp_enable;
@@ -287,6 +290,8 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
 
         return asoc;
 
+stream_free:
+        sctp_stream_free(asoc->stream);
 fail_init:
         sock_put(asoc->base.sk);
         sctp_endpoint_put(asoc->ep);
@@ -1407,7 +1412,7 @@ sctp_assoc_choose_alter_transport(struct sctp_association *asoc,
 /* Update the association's pmtu and frag_point by going through all the
  * transports. This routine is called when a transport's PMTU has changed.
  */
-void sctp_assoc_sync_pmtu(struct sock *sk, struct sctp_association *asoc)
+void sctp_assoc_sync_pmtu(struct sctp_association *asoc)
 {
         struct sctp_transport *t;
         __u32 pmtu = 0;
@@ -1419,8 +1424,8 @@ void sctp_assoc_sync_pmtu(struct sock *sk, struct sctp_association *asoc)
         list_for_each_entry(t, &asoc->peer.transport_addr_list,
                                 transports) {
                 if (t->pmtu_pending && t->dst) {
-                        sctp_transport_update_pmtu(sk, t,
-                                                   SCTP_TRUNC4(dst_mtu(t->dst)));
+                        sctp_transport_update_pmtu(
+                                        t, SCTP_TRUNC4(dst_mtu(t->dst)));
                         t->pmtu_pending = 0;
                 }
                 if (!pmtu || (t->pathmtu < pmtu))
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 2a28ab20487f..0e06a278d2a9 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -401,10 +401,10 @@ void sctp_icmp_frag_needed(struct sock *sk, struct sctp_association *asoc,
 
         if (t->param_flags & SPP_PMTUD_ENABLE) {
                 /* Update transports view of the MTU */
-                sctp_transport_update_pmtu(sk, t, pmtu);
+                sctp_transport_update_pmtu(t, pmtu);
 
                 /* Update association pmtu. */
-                sctp_assoc_sync_pmtu(sk, asoc);
+                sctp_assoc_sync_pmtu(asoc);
         }
 
         /* Retransmit with the new pmtu setting.
diff --git a/net/sctp/output.c b/net/sctp/output.c
index 1224421036b3..1409a875ad8e 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -86,43 +86,53 @@ void sctp_packet_config(struct sctp_packet *packet, __u32 vtag,
 {
         struct sctp_transport *tp = packet->transport;
         struct sctp_association *asoc = tp->asoc;
+        struct sock *sk;
 
         pr_debug("%s: packet:%p vtag:0x%x\n", __func__, packet, vtag);
-
         packet->vtag = vtag;
 
-        if (asoc && tp->dst) {
-                struct sock *sk = asoc->base.sk;
-
-                rcu_read_lock();
-                if (__sk_dst_get(sk) != tp->dst) {
-                        dst_hold(tp->dst);
-                        sk_setup_caps(sk, tp->dst);
-                }
-
-                if (sk_can_gso(sk)) {
-                        struct net_device *dev = tp->dst->dev;
+        /* do the following jobs only once for a flush schedule */
+        if (!sctp_packet_empty(packet))
+                return;
 
-                        packet->max_size = dev->gso_max_size;
-                } else {
-                        packet->max_size = asoc->pathmtu;
-                }
-                rcu_read_unlock();
+        /* set packet max_size with pathmtu */
+        packet->max_size = tp->pathmtu;
+        if (!asoc)
+                return;
 
-        } else {
-                packet->max_size = tp->pathmtu;
+        /* update dst or transport pathmtu if in need */
+        sk = asoc->base.sk;
+        if (!sctp_transport_dst_check(tp)) {
+                sctp_transport_route(tp, NULL, sctp_sk(sk));
+                if (asoc->param_flags & SPP_PMTUD_ENABLE)
+                        sctp_assoc_sync_pmtu(asoc);
+        } else if (!sctp_transport_pmtu_check(tp)) {
+                if (asoc->param_flags & SPP_PMTUD_ENABLE)
+                        sctp_assoc_sync_pmtu(asoc);
         }
 
-        if (ecn_capable && sctp_packet_empty(packet)) {
-                struct sctp_chunk *chunk;
+        /* If there a is a prepend chunk stick it on the list before
+         * any other chunks get appended.
+         */
+        if (ecn_capable) {
+                struct sctp_chunk *chunk = sctp_get_ecne_prepend(asoc);
 
-                /* If there a is a prepend chunk stick it on the list before
-                 * any other chunks get appended.
-                 */
-                chunk = sctp_get_ecne_prepend(asoc);
                 if (chunk)
                         sctp_packet_append_chunk(packet, chunk);
         }
+
+        if (!tp->dst)
+                return;
+
+        /* set packet max_size with gso_max_size if gso is enabled*/
+        rcu_read_lock();
+        if (__sk_dst_get(sk) != tp->dst) {
+                dst_hold(tp->dst);
+                sk_setup_caps(sk, tp->dst);
+        }
+        packet->max_size = sk_can_gso(sk) ? tp->dst->dev->gso_max_size
+                                          : asoc->pathmtu;
+        rcu_read_unlock();
 }
 
 /* Initialize the packet structure. */
@@ -582,12 +592,7 @@ int sctp_packet_transmit(struct sctp_packet *packet, gfp_t gfp)
         sh->vtag = htonl(packet->vtag);
         sh->checksum = 0;
 
-        /* update dst if in need */
-        if (!sctp_transport_dst_check(tp)) {
-                sctp_transport_route(tp, NULL, sctp_sk(sk));
-                if (asoc && asoc->param_flags & SPP_PMTUD_ENABLE)
-                        sctp_assoc_sync_pmtu(sk, asoc);
-        }
+        /* drop packet if no dst */
         dst = dst_clone(tp->dst);
         if (!dst) {
                 IP_INC_STATS(sock_net(sk), IPSTATS_MIB_OUTNOROUTES);
@@ -704,7 +709,7 @@ static sctp_xmit_t sctp_packet_can_append_data(struct sctp_packet *packet,
          */
 
         if ((sctp_sk(asoc->base.sk)->nodelay || inflight == 0) &&
-            !chunk->msg->force_delay)
+            !asoc->force_delay)
                 /* Nothing unacked */
                 return SCTP_XMIT_OK;
 
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 025ccff67072..8081476ed313 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -1026,8 +1026,7 @@ static void sctp_outq_flush(struct sctp_outq *q, int rtx_timeout, gfp_t gfp)
                         /* RFC 2960 6.5 Every DATA chunk MUST carry a valid
                          * stream identifier.
                          */
-                        if (chunk->sinfo.sinfo_stream >=
-                            asoc->c.sinit_num_ostreams) {
+                        if (chunk->sinfo.sinfo_stream >= asoc->stream->outcnt) {
 
                                 /* Mark as failed send. */
                                 sctp_chunk_fail(chunk, SCTP_ERROR_INV_STRM);
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index 206377fe91ec..a0b29d43627f 100644
--- a/net/sctp/proc.c
+++ b/net/sctp/proc.c
@@ -361,8 +361,8 @@ static int sctp_assocs_seq_show(struct seq_file *seq, void *v)
         sctp_seq_dump_remote_addrs(seq, assoc);
         seq_printf(seq, "\t%8lu %5d %5d %4d %4d %4d %8d "
                    "%8d %8d %8d %8d",
-                assoc->hbinterval, assoc->c.sinit_max_instreams,
-                assoc->c.sinit_num_ostreams, assoc->max_retrans,
+                assoc->hbinterval, assoc->stream->incnt,
+                assoc->stream->outcnt, assoc->max_retrans,
                 assoc->init_retries, assoc->shutdown_retries,
                 assoc->rtx_data_chunks,
                 atomic_read(&sk->sk_wmem_alloc),
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 969a30c7bb54..118faff6a332 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2460,15 +2460,10 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
          * association.
          */
         if (!asoc->temp) {
-                int error;
-
-                asoc->stream = sctp_stream_new(asoc->c.sinit_max_instreams,
-                                               asoc->c.sinit_num_ostreams, gfp);
-                if (!asoc->stream)
+                if (sctp_stream_init(asoc, gfp))
                         goto clean_up;
 
-                error = sctp_assoc_set_id(asoc, gfp);
-                if (error)
+                if (sctp_assoc_set_id(asoc, gfp))
                         goto clean_up;
         }
 
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index e03bb1aab4d0..24c6ccce7539 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -3946,7 +3946,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn(struct net *net,
 
         /* Silently discard the chunk if stream-id is not valid */
         sctp_walk_fwdtsn(skip, chunk) {
-                if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
+                if (ntohs(skip->stream) >= asoc->stream->incnt)
                         goto discard_noforce;
         }
 
@@ -4017,7 +4017,7 @@ sctp_disposition_t sctp_sf_eat_fwd_tsn_fast(
 
         /* Silently discard the chunk if stream-id is not valid */
         sctp_walk_fwdtsn(skip, chunk) {
-                if (ntohs(skip->stream) >= asoc->c.sinit_max_instreams)
+                if (ntohs(skip->stream) >= asoc->stream->incnt)
                         goto gen_shutdown;
         }
 
@@ -6353,7 +6353,7 @@ static int sctp_eat_data(const struct sctp_association *asoc,
          * and discard the DATA chunk.
          */
         sid = ntohs(data_hdr->stream);
-        if (sid >= asoc->c.sinit_max_instreams) {
+        if (sid >= asoc->stream->incnt) {
                 /* Mark tsn as received even though we drop it */
                 sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_TSN, SCTP_U32(tsn));
 
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 0f378ea2ae38..c1401f43d40f 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1907,7 +1907,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
         }
 
         if (asoc->pmtu_pending)
-                sctp_assoc_pending_pmtu(sk, asoc);
+                sctp_assoc_pending_pmtu(asoc);
 
         /* If fragmentation is disabled and the message length exceeds the
          * association fragmentation point, return EMSGSIZE.  The I-D
@@ -1920,7 +1920,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
         }
 
         /* Check for invalid stream. */
-        if (sinfo->sinfo_stream >= asoc->c.sinit_num_ostreams) {
+        if (sinfo->sinfo_stream >= asoc->stream->outcnt) {
                 err = -EINVAL;
                 goto out_free;
         }
@@ -1965,7 +1965,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
                 err = PTR_ERR(datamsg);
                 goto out_free;
         }
-        datamsg->force_delay = !!(msg->msg_flags & MSG_MORE);
+        asoc->force_delay = !!(msg->msg_flags & MSG_MORE);
 
         /* Now send the (possibly) fragmented message. */
         list_for_each_entry(chunk, &datamsg->chunks, frag_list) {
@@ -2435,7 +2435,7 @@ static int sctp_apply_peer_addr_params(struct sctp_paddrparams *params,
         if ((params->spp_flags & SPP_PMTUD_DISABLE) && params->spp_pathmtu) {
                 if (trans) {
                         trans->pathmtu = params->spp_pathmtu;
-                        sctp_assoc_sync_pmtu(sctp_opt2sk(sp), asoc);
+                        sctp_assoc_sync_pmtu(asoc);
                 } else if (asoc) {
                         asoc->pathmtu = params->spp_pathmtu;
                 } else {
@@ -2451,7 +2451,7 @@ static int sctp_apply_peer_addr_params(struct sctp_paddrparams *params,
                                 (trans->param_flags & ~SPP_PMTUD) | pmtud_change;
                         if (update) {
                                 sctp_transport_pmtu(trans, sctp_opt2sk(sp));
-                                sctp_assoc_sync_pmtu(sctp_opt2sk(sp), asoc);
+                                sctp_assoc_sync_pmtu(asoc);
                         }
                 } else if (asoc) {
                         asoc->param_flags =
@@ -4461,8 +4461,8 @@ int sctp_get_sctp_info(struct sock *sk, struct sctp_association *asoc,
         info->sctpi_rwnd = asoc->a_rwnd;
         info->sctpi_unackdata = asoc->unack_data;
         info->sctpi_penddata = sctp_tsnmap_pending(&asoc->peer.tsn_map);
-        info->sctpi_instrms = asoc->c.sinit_max_instreams;
-        info->sctpi_outstrms = asoc->c.sinit_num_ostreams;
+        info->sctpi_instrms = asoc->stream->incnt;
+        info->sctpi_outstrms = asoc->stream->outcnt;
         list_for_each(pos, &asoc->base.inqueue.in_chunk_list)
                 info->sctpi_inqueue++;
         list_for_each(pos, &asoc->outqueue.out_chunk_list)
@@ -4691,8 +4691,8 @@ static int sctp_getsockopt_sctp_status(struct sock *sk, int len,
         status.sstat_unackdata = asoc->unack_data;
 
         status.sstat_penddata = sctp_tsnmap_pending(&asoc->peer.tsn_map);
-        status.sstat_instrms = asoc->c.sinit_max_instreams;
-        status.sstat_outstrms = asoc->c.sinit_num_ostreams;
+        status.sstat_instrms = asoc->stream->incnt;
+        status.sstat_outstrms = asoc->stream->outcnt;
         status.sstat_fragmentation_point = asoc->frag_point;
         status.sstat_primary.spinfo_assoc_id = sctp_assoc2id(transport->asoc);
         memcpy(&status.sstat_primary.spinfo_address, &transport->ipaddr,
diff --git a/net/sctp/stream.c b/net/sctp/stream.c
index 1c6cc04fa3a4..bbed997e1c5f 100644
--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -35,33 +35,60 @@
 #include <net/sctp/sctp.h>
 #include <net/sctp/sm.h>
 
-struct sctp_stream *sctp_stream_new(__u16 incnt, __u16 outcnt, gfp_t gfp)
+int sctp_stream_new(struct sctp_association *asoc, gfp_t gfp)
 {
         struct sctp_stream *stream;
         int i;
 
         stream = kzalloc(sizeof(*stream), gfp);
         if (!stream)
-                return NULL;
+                return -ENOMEM;
 
-        stream->outcnt = outcnt;
+        stream->outcnt = asoc->c.sinit_num_ostreams;
         stream->out = kcalloc(stream->outcnt, sizeof(*stream->out), gfp);
         if (!stream->out) {
                 kfree(stream);
-                return NULL;
+                return -ENOMEM;
         }
         for (i = 0; i < stream->outcnt; i++)
                 stream->out[i].state = SCTP_STREAM_OPEN;
 
-        stream->incnt = incnt;
+        asoc->stream = stream;
+
+        return 0;
+}
+
+int sctp_stream_init(struct sctp_association *asoc, gfp_t gfp)
+{
+        struct sctp_stream *stream = asoc->stream;
+        int i;
+
+        /* Initial stream->out size may be very big, so free it and alloc
+         * a new one with new outcnt to save memory.
+         */
+        kfree(stream->out);
+        stream->outcnt = asoc->c.sinit_num_ostreams;
+        stream->out = kcalloc(stream->outcnt, sizeof(*stream->out), gfp);
+        if (!stream->out)
+                goto nomem;
+
+        for (i = 0; i < stream->outcnt; i++)
+                stream->out[i].state = SCTP_STREAM_OPEN;
+
+        stream->incnt = asoc->c.sinit_max_instreams;
         stream->in = kcalloc(stream->incnt, sizeof(*stream->in), gfp);
         if (!stream->in) {
                 kfree(stream->out);
-                kfree(stream);
-                return NULL;
+                goto nomem;
         }
 
-        return stream;
+        return 0;
+
+nomem:
+        asoc->stream = NULL;
+        kfree(stream);
+
+        return -ENOMEM;
 }
 
 void sctp_stream_free(struct sctp_stream *stream)
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index 3379668af368..721eeebfcd8a 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -251,14 +251,13 @@ void sctp_transport_pmtu(struct sctp_transport *transport, struct sock *sk)
                 transport->pathmtu = SCTP_DEFAULT_MAXSEGMENT;
 }
 
-void sctp_transport_update_pmtu(struct sock *sk, struct sctp_transport *t, u32 pmtu)
+void sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu)
 {
-        struct dst_entry *dst;
+        struct dst_entry *dst = sctp_transport_dst_check(t);
 
         if (unlikely(pmtu < SCTP_DEFAULT_MINSEGMENT)) {
                 pr_warn("%s: Reported pmtu %d too low, using default minimum of %d\n",
-                        __func__, pmtu,
-                        SCTP_DEFAULT_MINSEGMENT);
+                        __func__, pmtu, SCTP_DEFAULT_MINSEGMENT);
                 /* Use default minimum segment size and disable
                  * pmtu discovery on this transport.
                  */
@@ -267,17 +266,13 @@ void sctp_transport_update_pmtu(struct sock *sk, struct sctp_transport *t, u32 p
                 t->pathmtu = pmtu;
         }
 
-        dst = sctp_transport_dst_check(t);
-        if (!dst)
-                t->af_specific->get_dst(t, &t->saddr, &t->fl, sk);
-
         if (dst) {
-                dst->ops->update_pmtu(dst, sk, NULL, pmtu);
-
+                dst->ops->update_pmtu(dst, t->asoc->base.sk, NULL, pmtu);
                 dst = sctp_transport_dst_check(t);
-                if (!dst)
-                        t->af_specific->get_dst(t, &t->saddr, &t->fl, sk);
         }
+
+        if (!dst)
+                t->af_specific->get_dst(t, &t->saddr, &t->fl, t->asoc->base.sk);
 }
 
 /* Caches the dst entry and source address for a transport's destination
diff --git a/net/wireless/sysfs.c b/net/wireless/sysfs.c
index 16b6b5988be9..570a2b67ca10 100644
--- a/net/wireless/sysfs.c
+++ b/net/wireless/sysfs.c
@@ -132,12 +132,10 @@ static int wiphy_resume(struct device *dev)
         /* Age scan results with time spent in suspend */
         cfg80211_bss_age(rdev, get_seconds() - rdev->suspend_at);
 
-        if (rdev->ops->resume) {
-                rtnl_lock();
-                if (rdev->wiphy.registered)
-                        ret = rdev_resume(rdev);
-                rtnl_unlock();
-        }
+        rtnl_lock();
+        if (rdev->wiphy.registered && rdev->ops->resume)
+                ret = rdev_resume(rdev);
+        rtnl_unlock();
 
         return ret;
 }
diff --git a/tools/include/linux/filter.h b/tools/include/linux/filter.h
index 122153b16ea4..390d7c9685fd 100644
--- a/tools/include/linux/filter.h
+++ b/tools/include/linux/filter.h
@@ -168,6 +168,16 @@
                 .off   = OFF,                                   \
                 .imm   = 0 })
 
+/* Atomic memory add, *(uint *)(dst_reg + off16) += src_reg */
+
+#define BPF_STX_XADD(SIZE, DST, SRC, OFF)                       \
+        ((struct bpf_insn) {                                    \
+                .code  = BPF_STX | BPF_SIZE(SIZE) | BPF_XADD,   \
+                .dst_reg = DST,                                 \
+                .src_reg = SRC,                                 \
+                .off   = OFF,                                   \
+                .imm   = 0 })
+
 /* Memory store, *(uint *) (dst_reg + off16) = imm32 */
 
 #define BPF_ST_MEM(SIZE, DST, OFF, IMM)                         \
diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
index 6a1ad58cb66f..9af09e8099c0 100644
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -1,7 +1,14 @@
 LIBDIR := ../../../lib
 BPFDIR := $(LIBDIR)/bpf
+APIDIR := ../../../include/uapi
+GENDIR := ../../../../include/generated
+GENHDR := $(GENDIR)/autoconf.h
 
-CFLAGS += -Wall -O2 -I../../../include/uapi -I$(LIBDIR)
+ifneq ($(wildcard $(GENHDR)),)
+  GENFLAGS := -DHAVE_GENHDR
+endif
+
+CFLAGS += -Wall -O2 -I$(APIDIR) -I$(LIBDIR) -I$(GENDIR) $(GENFLAGS)
 LDLIBS += -lcap
 
 TEST_GEN_PROGS = test_verifier test_tag test_maps test_lru_map test_lpm_map
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index d1555e4240c0..c848e90b6421 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -30,6 +30,14 @@
 
 #include <bpf/bpf.h>
 
+#ifdef HAVE_GENHDR
+# include "autoconf.h"
+#else
+# if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
+#  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
+# endif
+#endif
+
 #include "../../../include/linux/filter.h"
 
 #ifndef ARRAY_SIZE
@@ -39,6 +47,8 @@
 #define MAX_INSNS       512
 #define MAX_FIXUPS      8
 
+#define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS      (1 << 0)
+
 struct bpf_test {
         const char *descr;
         struct bpf_insn insns[MAX_INSNS];
@@ -53,6 +63,7 @@ struct bpf_test {
                 REJECT
         } result, result_unpriv;
         enum bpf_prog_type prog_type;
+        uint8_t flags;
 };
 
 /* Note we want this to be 64 bit aligned so that the end of our array is
@@ -2432,6 +2443,30 @@ static struct bpf_test tests[] = {
                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
         },
         {
+                "direct packet access: test15 (spill with xadd)",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
+                        BPF_MOV64_IMM(BPF_REG_5, 4096),
+                        BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
+                        BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
+                        BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
+                        BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R2 invalid mem access 'inv'",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
                 "helper access to packet: test1, valid packet_ptr range",
                 .insns = {
                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
@@ -2934,6 +2969,7 @@ static struct bpf_test tests[] = {
                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
                 .result_unpriv = REJECT,
                 .result = ACCEPT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
         },
         {
                 "valid map access into an array with a variable",
@@ -2957,6 +2993,7 @@ static struct bpf_test tests[] = {
                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
                 .result_unpriv = REJECT,
                 .result = ACCEPT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
         },
         {
                 "valid map access into an array with a signed variable",
@@ -2984,6 +3021,7 @@ static struct bpf_test tests[] = {
                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
                 .result_unpriv = REJECT,
                 .result = ACCEPT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
         },
         {
                 "invalid map access into an array with a constant",
@@ -3025,6 +3063,7 @@ static struct bpf_test tests[] = {
                 .errstr = "R0 min value is outside of the array range",
                 .result_unpriv = REJECT,
                 .result = REJECT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
         },
         {
                 "invalid map access into an array with a variable",
@@ -3048,6 +3087,7 @@ static struct bpf_test tests[] = {
                 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
                 .result_unpriv = REJECT,
                 .result = REJECT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
         },
         {
                 "invalid map access into an array with no floor check",
@@ -3074,6 +3114,7 @@ static struct bpf_test tests[] = {
                 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
                 .result_unpriv = REJECT,
                 .result = REJECT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
         },
         {
                 "invalid map access into an array with a invalid max check",
@@ -3100,6 +3141,7 @@ static struct bpf_test tests[] = {
                 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
                 .result_unpriv = REJECT,
                 .result = REJECT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
         },
         {
                 "invalid map access into an array with a invalid max check",
@@ -3129,6 +3171,7 @@ static struct bpf_test tests[] = {
                 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
                 .result_unpriv = REJECT,
                 .result = REJECT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
         },
         {
                 "multiple registers share map_lookup_elem result",
@@ -3252,6 +3295,7 @@ static struct bpf_test tests[] = {
                 .result = REJECT,
                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
                 .result_unpriv = REJECT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
         },
         {
                 "constant register |= constant should keep constant type",
@@ -3418,6 +3462,26 @@ static struct bpf_test tests[] = {
                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
         },
         {
+                "overlapping checks for direct packet access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_LWT_XMIT,
+        },
+        {
                 "invalid access of tc_classid for LWT_IN",
                 .insns = {
                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
@@ -3961,7 +4025,208 @@ static struct bpf_test tests[] = {
                 .result_unpriv = REJECT,
         },
         {
-                "map element value (adjusted) is preserved across register spilling",
+                "map element value or null is marked on register spilling",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
+                        BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map2 = { 3 },
+                .errstr_unpriv = "R0 leaks addr",
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+        },
+        {
+                "map element value store of cleared call register",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
+                        BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map2 = { 3 },
+                .errstr_unpriv = "R1 !read_ok",
+                .errstr = "R1 !read_ok",
+                .result = REJECT,
+                .result_unpriv = REJECT,
+        },
+        {
+                "map element value with unaligned store",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
+                        BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
+                        BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map2 = { 3 },
+                .errstr_unpriv = "R0 pointer arithmetic prohibited",
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "map element value with unaligned load",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
+                        BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
+                        BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map2 = { 3 },
+                .errstr_unpriv = "R0 pointer arithmetic prohibited",
+                .result = ACCEPT,
+                .result_unpriv = REJECT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "map element value illegal alu op, 1",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
+                        BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map2 = { 3 },
+                .errstr_unpriv = "R0 pointer arithmetic prohibited",
+                .errstr = "invalid mem access 'inv'",
+                .result = REJECT,
+                .result_unpriv = REJECT,
+        },
+        {
+                "map element value illegal alu op, 2",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
+                        BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map2 = { 3 },
+                .errstr_unpriv = "R0 pointer arithmetic prohibited",
+                .errstr = "invalid mem access 'inv'",
+                .result = REJECT,
+                .result_unpriv = REJECT,
+        },
+        {
+                "map element value illegal alu op, 3",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
+                        BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map2 = { 3 },
+                .errstr_unpriv = "R0 pointer arithmetic prohibited",
+                .errstr = "invalid mem access 'inv'",
+                .result = REJECT,
+                .result_unpriv = REJECT,
+        },
+        {
+                "map element value illegal alu op, 4",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
+                        BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map2 = { 3 },
+                .errstr_unpriv = "R0 pointer arithmetic prohibited",
+                .errstr = "invalid mem access 'inv'",
+                .result = REJECT,
+                .result_unpriv = REJECT,
+        },
+        {
+                "map element value illegal alu op, 5",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
+                        BPF_MOV64_IMM(BPF_REG_3, 4096),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
+                        BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup_map2 = { 3 },
+                .errstr_unpriv = "R0 invalid mem access 'inv'",
+                .errstr = "R0 invalid mem access 'inv'",
+                .result = REJECT,
+                .result_unpriv = REJECT,
+        },
+        {
+                "map element value is preserved across register spilling",
                 .insns = {
                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
@@ -3983,6 +4248,7 @@ static struct bpf_test tests[] = {
                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
                 .result = ACCEPT,
                 .result_unpriv = REJECT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
         },
         {
                 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
@@ -4421,6 +4687,7 @@ static struct bpf_test tests[] = {
                 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
                 .result = REJECT,
                 .result_unpriv = REJECT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
         },
         {
                 "invalid range check",
@@ -4452,6 +4719,7 @@ static struct bpf_test tests[] = {
                 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
                 .result = REJECT,
                 .result_unpriv = REJECT,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
         }
 };
 
@@ -4530,11 +4798,11 @@ static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
 static void do_test_single(struct bpf_test *test, bool unpriv,
                            int *passes, int *errors)
 {
+        int fd_prog, expected_ret, reject_from_alignment;
         struct bpf_insn *prog = test->insns;
         int prog_len = probe_filter_length(prog);
         int prog_type = test->prog_type;
         int fd_f1 = -1, fd_f2 = -1, fd_f3 = -1;
-        int fd_prog, expected_ret;
         const char *expected_err;
 
         do_test_fixup(test, prog, &fd_f1, &fd_f2, &fd_f3);
@@ -4547,8 +4815,19 @@ static void do_test_single(struct bpf_test *test, bool unpriv,
                        test->result_unpriv : test->result;
         expected_err = unpriv && test->errstr_unpriv ?
                        test->errstr_unpriv : test->errstr;
+
+        reject_from_alignment = fd_prog < 0 &&
+                                (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
+                                strstr(bpf_vlog, "Unknown alignment.");
+#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+        if (reject_from_alignment) {
+                printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
+                       strerror(errno));
+                goto fail_log;
+        }
+#endif
         if (expected_ret == ACCEPT) {
-                if (fd_prog < 0) {
+                if (fd_prog < 0 && !reject_from_alignment) {
                         printf("FAIL\nFailed to load prog '%s'!\n",
                                strerror(errno));
                         goto fail_log;
@@ -4558,14 +4837,15 @@ static void do_test_single(struct bpf_test *test, bool unpriv,
                         printf("FAIL\nUnexpected success to load!\n");
                         goto fail_log;
                 }
-                if (!strstr(bpf_vlog, expected_err)) {
+                if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
                         printf("FAIL\nUnexpected error message!\n");
                         goto fail_log;
                 }
         }
 
         (*passes)++;
-        printf("OK\n");
+        printf("OK%s\n", reject_from_alignment ?
+               " (NOTE: reject due to unknown alignment)" : "");
 close_fds:
         close(fd_prog);
         close(fd_f1);