Merge tag 'asoc-fix-v4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v4.4 A collection of small driver specific fixes here, nothing that'll affect users who don't have the devices concerned. At least the wm8974 bug indicates that there's not too many users of some of these devices.
author: Takashi Iwai <tiwai@suse.de> 2015-12-23 02:30:28 -0500
committer: Takashi Iwai <tiwai@suse.de> 2015-12-23 02:30:28 -0500
commit: 0fb0b822d157325b66c503d23332f64899bfb828 (patch)
tree: 0699437223be8c87a9c4951c46a5fe27681d57e5 /net
parent: 9f660a1c43890c2cdd1f423fd73654e7ca08fe56 (diff)
parent: 3dd5fc0eeb5d7cc07b8e3e383037261799b38897 (diff)
44 files changed, 347 insertions, 223 deletions
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index ae3a47f9d1d5..fbd0acf80b13 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
        struct sock *sk;
        ax25_cb *ax25;
+        if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+                return -EINVAL;
        if (!net_eq(net, &init_net))
                return -EAFNOSUPPORT;
diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
index 83bc1aaf5800..a49c705fb86b 100644
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -566,6 +566,7 @@ batadv_dat_select_candidates(struct batadv_priv *bat_priv, __be32 ip_dst)
        int select;
        batadv_dat_addr_t last_max = BATADV_DAT_ADDR_MAX, ip_key;
        struct batadv_dat_candidate *res;
+        struct batadv_dat_entry dat;
        if (!bat_priv->orig_hash)
                return NULL;
@@ -575,7 +576,9 @@ batadv_dat_select_candidates(struct batadv_priv *bat_priv, __be32 ip_dst)
        if (!res)
                return NULL;
-        ip_key = (batadv_dat_addr_t)batadv_hash_dat(&ip_dst,
+        dat.ip = ip_dst;
+        dat.vid = 0;
+        ip_key = (batadv_dat_addr_t)batadv_hash_dat(&dat,
                                                    BATADV_DAT_ADDR_MAX);
        batadv_dbg(BATADV_DBG_DAT, bat_priv,
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 8d990b070a2e..3207667e69de 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -836,6 +836,7 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
        u8 *orig_addr;
        struct batadv_orig_node *orig_node = NULL;
        int check, hdr_size = sizeof(*unicast_packet);
+        enum batadv_subtype subtype;
        bool is4addr;
        unicast_packet = (struct batadv_unicast_packet *)skb->data;
@@ -863,10 +864,20 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
        /* packet for me */
        if (batadv_is_my_mac(bat_priv, unicast_packet->dest)) {
                if (is4addr) {
-                        batadv_dat_inc_counter(bat_priv,
+                        subtype = unicast_4addr_packet->subtype;
-                                               unicast_4addr_packet->subtype);
+                        batadv_dat_inc_counter(bat_priv, subtype);
-                        orig_addr = unicast_4addr_packet->src;
-                        orig_node = batadv_orig_hash_find(bat_priv, orig_addr);
+                        /* Only payload data should be considered for speedy
+                         * join. For example, DAT also uses unicast 4addr
+                         * types, but those packets should not be considered
+                         * for speedy join, since the clients do not actually
+                         * reside at the sending originator.
+                         */
+                        if (subtype == BATADV_P_DATA) {
+                                orig_addr = unicast_4addr_packet->src;
+                                orig_node = batadv_orig_hash_find(bat_priv,
+                                                                  orig_addr);
+                        }
                }
                if (batadv_dat_snoop_incoming_arp_request(bat_priv, skb,
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 4228b10c47ea..76f19ba62462 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -68,13 +68,15 @@ static void batadv_tt_global_del(struct batadv_priv *bat_priv,
                                 unsigned short vid, const char *message,
                                 bool roaming);
-/* returns 1 if they are the same mac addr */
+/* returns 1 if they are the same mac addr and vid */
 static int batadv_compare_tt(const struct hlist_node *node, const void *data2)
 {
        const void *data1 = container_of(node, struct batadv_tt_common_entry,
                                         hash_entry);
+        const struct batadv_tt_common_entry *tt1 = data1;
+        const struct batadv_tt_common_entry *tt2 = data2;
-        return batadv_compare_eth(data1, data2);
+        return (tt1->vid == tt2->vid) && batadv_compare_eth(data1, data2);
 }
 /**
@@ -1427,9 +1429,15 @@ static bool batadv_tt_global_add(struct batadv_priv *bat_priv,
                }
                /* if the client was temporary added before receiving the first
-                 * OGM announcing it, we have to clear the TEMP flag
+                 * OGM announcing it, we have to clear the TEMP flag. Also,
+                 * remove the previous temporary orig node and re-add it
+                 * if required. If the orig entry changed, the new one which
+                 * is a non-temporary entry is preferred.
                 */
-                common->flags &= ~BATADV_TT_CLIENT_TEMP;
+                if (common->flags & BATADV_TT_CLIENT_TEMP) {
+                        batadv_tt_global_del_orig_list(tt_global_entry);
+                        common->flags &= ~BATADV_TT_CLIENT_TEMP;
+                }
                /* the change can carry possible "attribute" flags like the
                 * TT_CLIENT_WIFI, therefore they have to be copied in the
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index fe129663bd3f..f52bcbf2e58c 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -526,6 +526,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr,
        if (!addr || addr->sa_family != AF_BLUETOOTH)
                return -EINVAL;
+        if (addr_len < sizeof(struct sockaddr_sco))
+                return -EINVAL;
        lock_sock(sk);
        if (sk->sk_state != BT_OPEN) {
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 152b9c70e252..b2df375ec9c2 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3643,7 +3643,8 @@ static void __skb_complete_tx_timestamp(struct sk_buff *skb,
        serr->ee.ee_info = tstype;
        if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
                serr->ee.ee_data = skb_shinfo(skb)->tskey;
-                if (sk->sk_protocol == IPPROTO_TCP)
+                if (sk->sk_protocol == IPPROTO_TCP &&
+                    sk->sk_type == SOCK_STREAM)
                        serr->ee.ee_data -= sk->sk_tskey;
        }
@@ -4268,7 +4269,7 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
                return NULL;
        }
-        memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len,
+        memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
                2 * ETH_ALEN);
        skb->mac_header += VLAN_HLEN;
        return skb;
diff --git a/net/core/sock.c b/net/core/sock.c
index e31dfcee1729..0d91f7dca751 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -433,8 +433,6 @@ static bool sock_needs_netstamp(const struct sock *sk)
        }
 }
-#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE))
 static void sock_disable_timestamp(struct sock *sk, unsigned long flags)
 {
        if (sk->sk_flags & flags) {
@@ -874,7 +872,8 @@ set_rcvbuf:
                if (val & SOF_TIMESTAMPING_OPT_ID &&
                    !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) {
-                        if (sk->sk_protocol == IPPROTO_TCP) {
+                        if (sk->sk_protocol == IPPROTO_TCP &&
+                            sk->sk_type == SOCK_STREAM) {
                                if (sk->sk_state != TCP_ESTABLISHED) {
                                        ret = -EINVAL;
                                        break;
@@ -1552,7 +1551,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
                         */
                        is_charged = sk_filter_charge(newsk, filter);
-                if (unlikely(!is_charged || xfrm_sk_clone_policy(newsk))) {
+                if (unlikely(!is_charged || xfrm_sk_clone_policy(newsk, sk))) {
                        /* It is still raw copy of parent, so invalidate
                         * destructor and make plain sk_free() */
                        newsk->sk_destruct = NULL;
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index eebf5ac8ce18..13d6b1a6e0fc 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
 {
        struct sock *sk;
+        if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+                return -EINVAL;
        if (!net_eq(net, &init_net))
                return -EAFNOSUPPORT;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 11c4ca13ec3b..5c5db6636704 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -257,6 +257,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
        int try_loading_module = 0;
        int err;
+        if (protocol < 0 || protocol >= IPPROTO_MAX)
+                return -EINVAL;
        sock->state = SS_UNCONNECTED;
        /* Look for the requested type/protocol pair. */
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index cc8f3e506cde..473447593060 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -1155,6 +1155,7 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
 static int fib_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
 {
        struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+        struct netdev_notifier_changeupper_info *info;
        struct in_device *in_dev;
        struct net *net = dev_net(dev);
        unsigned int flags;
@@ -1193,6 +1194,14 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
        case NETDEV_CHANGEMTU:
                rt_cache_flush(net);
                break;
+        case NETDEV_CHANGEUPPER:
+                info = ptr;
+                /* flush all routes if dev is linked to or unlinked from
+                 * an L3 master device (e.g., VRF)
+                 */
+                if (info->upper_dev && netif_is_l3_master(info->upper_dev))
+                        fib_disable_ip(dev, NETDEV_DOWN, true);
+                break;
        }
        return NOTIFY_DONE;
 }
diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
index e0fcbbbcfe54..bd903fe0f750 100644
--- a/net/ipv4/fou.c
+++ b/net/ipv4/fou.c
@@ -24,6 +24,7 @@ struct fou {
        u16 type;
        struct udp_offload udp_offloads;
        struct list_head list;
+        struct rcu_head rcu;
 };
 #define FOU_F_REMCSUM_NOPARTIAL BIT(0)
@@ -417,7 +418,7 @@ static void fou_release(struct fou *fou)
        list_del(&fou->list);
        udp_tunnel_sock_release(sock);
-        kfree(fou);
+        kfree_rcu(fou, rcu);
 }
 static int fou_encap_init(struct sock *sk, struct fou *fou, struct fou_cfg *cfg)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index a35584176535..c187c60e3e0c 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -60,6 +60,7 @@ config NFT_REJECT_IPV4
 config NFT_DUP_IPV4
        tristate "IPv4 nf_tables packet duplication support"
+        depends on !NF_CONNTRACK || NF_CONNTRACK
        select NF_DUP_IPV4
        help
          This module enables IPv4 packet duplication support for nf_tables.
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index db003438aaf5..d8841a2f1569 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1493,7 +1493,7 @@ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb)
        if (likely(sk->sk_rx_dst))
                skb_dst_drop(skb);
        else
-                skb_dst_force(skb);
+                skb_dst_force_safe(skb);
        __skb_queue_tail(&tp->ucopy.prequeue, skb);
        tp->ucopy.memory += skb->truesize;
@@ -1721,8 +1721,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
 {
        struct dst_entry *dst = skb_dst(skb);
-        if (dst) {
+        if (dst && dst_hold_safe(dst)) {
-                dst_hold(dst);
                sk->sk_rx_dst = dst;
                inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
        }
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index cb7ca569052c..9bfc39ff2285 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3150,7 +3150,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
 {
        struct tcp_sock *tp = tcp_sk(sk);
        struct tcp_fastopen_request *fo = tp->fastopen_req;
-        int syn_loss = 0, space, err = 0, copied;
+        int syn_loss = 0, space, err = 0;
        unsigned long last_syn_loss = 0;
        struct sk_buff *syn_data;
@@ -3188,17 +3188,18 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
                goto fallback;
        syn_data->ip_summed = CHECKSUM_PARTIAL;
        memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
-        copied = copy_from_iter(skb_put(syn_data, space), space,
+        if (space) {
-                                &fo->data->msg_iter);
+                int copied = copy_from_iter(skb_put(syn_data, space), space,
-        if (unlikely(!copied)) {
+                                            &fo->data->msg_iter);
-                kfree_skb(syn_data);
+                if (unlikely(!copied)) {
-                goto fallback;
+                        kfree_skb(syn_data);
-        }
+                        goto fallback;
-        if (copied != space) {
+                }
-                skb_trim(syn_data, copied);
+                if (copied != space) {
-                space = copied;
+                        skb_trim(syn_data, copied);
+                        space = copied;
+                }
        }
        /* No more data pending in inet_wait_for_connect() */
        if (space == fo->size)
                fo->data = NULL;
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 61f26851655c..17f8e7ea133b 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -350,6 +350,12 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev)
        setup_timer(&ndev->rs_timer, addrconf_rs_timer,
                    (unsigned long)ndev);
        memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf));
+        if (ndev->cnf.stable_secret.initialized)
+                ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
+        else
+                ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64;
        ndev->cnf.mtu6 = dev->mtu;
        ndev->cnf.sysctl = NULL;
        ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl);
@@ -2455,7 +2461,7 @@ ok:
 #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
                        if (in6_dev->cnf.optimistic_dad &&
                            !net->ipv6.devconf_all->forwarding && sllao)
-                                addr_flags = IFA_F_OPTIMISTIC;
+                                addr_flags |= IFA_F_OPTIMISTIC;
 #endif
                        /* Do not allow to create too much of autoconfigured
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 8ec0df75f1c4..9f5137cd604e 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
        int try_loading_module = 0;
        int err;
+        if (protocol < 0 || protocol >= IPPROTO_MAX)
+                return -EINVAL;
        /* Look for the requested type/protocol pair. */
 lookup_protocol:
        err = -ESOCKTNOSUPPORT;
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 3c7b9310b33f..e5ea177d34c6 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1571,13 +1571,11 @@ static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[],
                        return -EEXIST;
        } else {
                t = nt;
-                ip6gre_tunnel_unlink(ign, t);
-                ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
-                ip6gre_tunnel_link(ign, t);
-                netdev_state_change(dev);
        }
+        ip6gre_tunnel_unlink(ign, t);
+        ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
+        ip6gre_tunnel_link(ign, t);
        return 0;
 }
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index f6a024e141e5..e10a04c9cdc7 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -49,6 +49,7 @@ config NFT_REJECT_IPV6
 config NFT_DUP_IPV6
        tristate "IPv6 nf_tables packet duplication support"
+        depends on !NF_CONNTRACK || NF_CONNTRACK
        select NF_DUP_IPV6
        help
          This module enables IPv6 packet duplication support for nf_tables.
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index e7aab561b7b4..6b8a8a9091fa 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -93,10 +93,9 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
 {
        struct dst_entry *dst = skb_dst(skb);
-        if (dst) {
+        if (dst && dst_hold_safe(dst)) {
                const struct rt6_info *rt = (const struct rt6_info *)dst;
-                dst_hold(dst);
                sk->sk_rx_dst = dst;
                inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
                inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt);
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index e6aa48b5395c..923abd6b3064 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
        struct sock *sk;
        struct irda_sock *self;
+        if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+                return -EINVAL;
        if (net != &init_net)
                return -EAFNOSUPPORT;
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index da471eef07bb..c12f348138ac 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1169,8 +1169,7 @@ static int sta_apply_parameters(struct ieee80211_local *local,
                 * rc isn't initialized here yet, so ignore it
                 */
                __ieee80211_vht_handle_opmode(sdata, sta,
-                                              params->opmode_notif,
+                                              params->opmode_notif, band);
-                                              band, false);
        }
        if (ieee80211_vif_is_mesh(&sdata->vif))
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index d832bd59236b..5322b4c71630 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1709,10 +1709,10 @@ enum ieee80211_sta_rx_bandwidth ieee80211_sta_cur_vht_bw(struct sta_info *sta);
 void ieee80211_sta_set_rx_nss(struct sta_info *sta);
 u32 __ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
                                  struct sta_info *sta, u8 opmode,
-                                  enum ieee80211_band band, bool nss_only);
+                                  enum ieee80211_band band);
 void ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
                                 struct sta_info *sta, u8 opmode,
-                                 enum ieee80211_band band, bool nss_only);
+                                 enum ieee80211_band band);
 void ieee80211_apply_vhtcap_overrides(struct ieee80211_sub_if_data *sdata,
                                      struct ieee80211_sta_vht_cap *vht_cap);
 void ieee80211_get_vht_mask_from_cap(__le16 vht_cap,
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index b140cc6651f4..3aa04344942b 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1379,21 +1379,26 @@ static u32 ieee80211_handle_pwr_constr(struct ieee80211_sub_if_data *sdata,
         */
        if (has_80211h_pwr &&
            (!has_cisco_pwr || pwr_level_80211h <= pwr_level_cisco)) {
+                new_ap_level = pwr_level_80211h;
+                if (sdata->ap_power_level == new_ap_level)
+                        return 0;
                sdata_dbg(sdata,
                          "Limiting TX power to %d (%d - %d) dBm as advertised by %pM\n",
                          pwr_level_80211h, chan_pwr, pwr_reduction_80211h,
                          sdata->u.mgd.bssid);
-                new_ap_level = pwr_level_80211h;
        } else {  /* has_cisco_pwr is always true here. */
+                new_ap_level = pwr_level_cisco;
+                if (sdata->ap_power_level == new_ap_level)
+                        return 0;
                sdata_dbg(sdata,
                          "Limiting TX power to %d dBm as advertised by %pM\n",
                          pwr_level_cisco, sdata->u.mgd.bssid);
-                new_ap_level = pwr_level_cisco;
        }
-        if (sdata->ap_power_level == new_ap_level)
-                return 0;
        sdata->ap_power_level = new_ap_level;
        if (__ieee80211_recalc_txpower(sdata))
                return BSS_CHANGED_TXPOWER;
@@ -3575,7 +3580,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
        if (sta && elems.opmode_notif)
                ieee80211_vht_handle_opmode(sdata, sta, *elems.opmode_notif,
-                                            rx_status->band, true);
+                                            rx_status->band);
        mutex_unlock(&local->sta_mtx);
        changed |= ieee80211_handle_pwr_constr(sdata, chan, mgmt,
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 8bae5de0dc44..82af407fea7a 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2736,8 +2736,7 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                        opmode = mgmt->u.action.u.vht_opmode_notif.operating_mode;
                        ieee80211_vht_handle_opmode(rx->sdata, rx->sta,
-                                                    opmode, status->band,
+                                                    opmode, status->band);
-                                                    false);
                        goto handled;
                }
                default:
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 74058020b7d6..33344f5a66a8 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1641,6 +1641,29 @@ void ieee80211_stop_device(struct ieee80211_local *local)
        drv_stop(local);
 }
+static void ieee80211_flush_completed_scan(struct ieee80211_local *local,
+                                           bool aborted)
+{
+        /* It's possible that we don't handle the scan completion in
+         * time during suspend, so if it's still marked as completed
+         * here, queue the work and flush it to clean things up.
+         * Instead of calling the worker function directly here, we
+         * really queue it to avoid potential races with other flows
+         * scheduling the same work.
+         */
+        if (test_bit(SCAN_COMPLETED, &local->scanning)) {
+                /* If coming from reconfiguration failure, abort the scan so
+                 * we don't attempt to continue a partial HW scan - which is
+                 * possible otherwise if (e.g.) the 2.4 GHz portion was the
+                 * completed scan, and a 5 GHz portion is still pending.
+                 */
+                if (aborted)
+                        set_bit(SCAN_ABORTED, &local->scanning);
+                ieee80211_queue_delayed_work(&local->hw, &local->scan_work, 0);
+                flush_delayed_work(&local->scan_work);
+        }
+}
 static void ieee80211_handle_reconfig_failure(struct ieee80211_local *local)
 {
        struct ieee80211_sub_if_data *sdata;
@@ -1660,6 +1683,8 @@ static void ieee80211_handle_reconfig_failure(struct ieee80211_local *local)
        local->suspended = false;
        local->in_reconfig = false;
+        ieee80211_flush_completed_scan(local, true);
        /* scheduled scan clearly can't be running any more, but tell
         * cfg80211 and clear local state
         */
@@ -1698,6 +1723,27 @@ static void ieee80211_assign_chanctx(struct ieee80211_local *local,
        mutex_unlock(&local->chanctx_mtx);
 }
+static void ieee80211_reconfig_stations(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_local *local = sdata->local;
+        struct sta_info *sta;
+        /* add STAs back */
+        mutex_lock(&local->sta_mtx);
+        list_for_each_entry(sta, &local->sta_list, list) {
+                enum ieee80211_sta_state state;
+                if (!sta->uploaded || sta->sdata != sdata)
+                        continue;
+                for (state = IEEE80211_STA_NOTEXIST;
+                     state < sta->sta_state; state++)
+                        WARN_ON(drv_sta_state(local, sta->sdata, sta, state,
+                                              state + 1));
+        }
+        mutex_unlock(&local->sta_mtx);
+}
 int ieee80211_reconfig(struct ieee80211_local *local)
 {
        struct ieee80211_hw *hw = &local->hw;
@@ -1833,50 +1879,11 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                                WARN_ON(drv_add_chanctx(local, ctx));
                mutex_unlock(&local->chanctx_mtx);
-                list_for_each_entry(sdata, &local->interfaces, list) {
-                        if (!ieee80211_sdata_running(sdata))
-                                continue;
-                        ieee80211_assign_chanctx(local, sdata);
-                }
                sdata = rtnl_dereference(local->monitor_sdata);
                if (sdata && ieee80211_sdata_running(sdata))
                        ieee80211_assign_chanctx(local, sdata);
        }
-        /* add STAs back */
-        mutex_lock(&local->sta_mtx);
-        list_for_each_entry(sta, &local->sta_list, list) {
-                enum ieee80211_sta_state state;
-                if (!sta->uploaded)
-                        continue;
-                /* AP-mode stations will be added later */
-                if (sta->sdata->vif.type == NL80211_IFTYPE_AP)
-                        continue;
-                for (state = IEEE80211_STA_NOTEXIST;
-                     state < sta->sta_state; state++)
-                        WARN_ON(drv_sta_state(local, sta->sdata, sta, state,
-                                              state + 1));
-        }
-        mutex_unlock(&local->sta_mtx);
-        /* reconfigure tx conf */
-        if (hw->queues >= IEEE80211_NUM_ACS) {
-                list_for_each_entry(sdata, &local->interfaces, list) {
-                        if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
-                            sdata->vif.type == NL80211_IFTYPE_MONITOR ||
-                            !ieee80211_sdata_running(sdata))
-                                continue;
-                        for (i = 0; i < IEEE80211_NUM_ACS; i++)
-                                drv_conf_tx(local, sdata, i,
-                                            &sdata->tx_conf[i]);
-                }
-        }
        /* reconfigure hardware */
        ieee80211_hw_config(local, ~0);
@@ -1889,6 +1896,22 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                if (!ieee80211_sdata_running(sdata))
                        continue;
+                ieee80211_assign_chanctx(local, sdata);
+                switch (sdata->vif.type) {
+                case NL80211_IFTYPE_AP_VLAN:
+                case NL80211_IFTYPE_MONITOR:
+                        break;
+                default:
+                        ieee80211_reconfig_stations(sdata);
+                        /* fall through */
+                case NL80211_IFTYPE_AP: /* AP stations are handled later */
+                        for (i = 0; i < IEEE80211_NUM_ACS; i++)
+                                drv_conf_tx(local, sdata, i,
+                                            &sdata->tx_conf[i]);
+                        break;
+                }
                /* common change flags for all interface types */
                changed = BSS_CHANGED_ERP_CTS_PROT |
                          BSS_CHANGED_ERP_PREAMBLE |
@@ -2074,17 +2097,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
        mb();
        local->resuming = false;
-        /* It's possible that we don't handle the scan completion in
+        ieee80211_flush_completed_scan(local, false);
-         * time during suspend, so if it's still marked as completed
-         * here, queue the work and flush it to clean things up.
-         * Instead of calling the worker function directly here, we
-         * really queue it to avoid potential races with other flows
-         * scheduling the same work.
-         */
-        if (test_bit(SCAN_COMPLETED, &local->scanning)) {
-                ieee80211_queue_delayed_work(&local->hw, &local->scan_work, 0);
-                flush_delayed_work(&local->scan_work);
-        }
        if (local->open_count && !reconfig_due_to_wowlan)
                drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_SUSPEND);
diff --git a/net/mac80211/vht.c b/net/mac80211/vht.c
index ff1c798921a6..c38b2f07a919 100644
--- a/net/mac80211/vht.c
+++ b/net/mac80211/vht.c
@@ -378,7 +378,7 @@ void ieee80211_sta_set_rx_nss(struct sta_info *sta)
 u32 __ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
                                  struct sta_info *sta, u8 opmode,
-                                  enum ieee80211_band band, bool nss_only)
+                                  enum ieee80211_band band)
 {
        struct ieee80211_local *local = sdata->local;
        struct ieee80211_supported_band *sband;
@@ -401,9 +401,6 @@ u32 __ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
                changed |= IEEE80211_RC_NSS_CHANGED;
        }
-        if (nss_only)
-                return changed;
        switch (opmode & IEEE80211_OPMODE_NOTIF_CHANWIDTH_MASK) {
        case IEEE80211_OPMODE_NOTIF_CHANWIDTH_20MHZ:
                sta->cur_max_bandwidth = IEEE80211_STA_RX_BW_20;
@@ -430,13 +427,12 @@ u32 __ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
 void ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
                                 struct sta_info *sta, u8 opmode,
-                                 enum ieee80211_band band, bool nss_only)
+                                 enum ieee80211_band band)
 {
        struct ieee80211_local *local = sdata->local;
        struct ieee80211_supported_band *sband = local->hw.wiphy->bands[band];
-        u32 changed = __ieee80211_vht_handle_opmode(sdata, sta, opmode,
+        u32 changed = __ieee80211_vht_handle_opmode(sdata, sta, opmode, band);
-                                                    band, nss_only);
        if (changed > 0)
                rate_control_rate_update(local, sband, sta, changed);
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index c70d750148b6..c32fc411a911 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -27,6 +27,8 @@
 */
 #define MAX_MP_SELECT_LABELS 4
+#define MPLS_NEIGH_TABLE_UNSPEC (NEIGH_LINK_TABLE + 1)
 static int zero = 0;
 static int label_limit = (1 << 20) - 1;
@@ -317,7 +319,13 @@ static int mpls_forward(struct sk_buff *skb, struct net_device *dev,
                }
        }
-        err = neigh_xmit(nh->nh_via_table, out_dev, mpls_nh_via(rt, nh), skb);
+        /* If via wasn't specified then send out using device address */
+        if (nh->nh_via_table == MPLS_NEIGH_TABLE_UNSPEC)
+                err = neigh_xmit(NEIGH_LINK_TABLE, out_dev,
+                                 out_dev->dev_addr, skb);
+        else
+                err = neigh_xmit(nh->nh_via_table, out_dev,
+                                 mpls_nh_via(rt, nh), skb);
        if (err)
                net_dbg_ratelimited("%s: packet transmission failed: %d\n",
                                    __func__, err);
@@ -534,6 +542,10 @@ static int mpls_nh_assign_dev(struct net *net, struct mpls_route *rt,
        if (!mpls_dev_get(dev))
                goto errout;
+        if ((nh->nh_via_table == NEIGH_LINK_TABLE) &&
+            (dev->addr_len != nh->nh_via_alen))
+                goto errout;
        RCU_INIT_POINTER(nh->nh_dev, dev);
        return 0;
@@ -592,10 +604,14 @@ static int mpls_nh_build(struct net *net, struct mpls_route *rt,
                        goto errout;
        }
-        err = nla_get_via(via, &nh->nh_via_alen, &nh->nh_via_table,
+        if (via) {
-                          __mpls_nh_via(rt, nh));
+                err = nla_get_via(via, &nh->nh_via_alen, &nh->nh_via_table,
-        if (err)
+                                  __mpls_nh_via(rt, nh));
-                goto errout;
+                if (err)
+                        goto errout;
+        } else {
+                nh->nh_via_table = MPLS_NEIGH_TABLE_UNSPEC;
+        }
        err = mpls_nh_assign_dev(net, rt, nh, oif);
        if (err)
@@ -677,9 +693,6 @@ static int mpls_nh_build_multi(struct mpls_route_config *cfg,
                        nla_newdst = nla_find(attrs, attrlen, RTA_NEWDST);
                }
-                if (!nla_via)
-                        goto errout;
                err = mpls_nh_build(cfg->rc_nlinfo.nl_net, rt, nh,
                                    rtnh->rtnh_ifindex, nla_via,
                                    nla_newdst);
@@ -1118,6 +1131,7 @@ static int rtm_to_route_config(struct sk_buff *skb,  struct nlmsghdr *nlh,
        cfg->rc_label           = LABEL_NOT_SPECIFIED;
        cfg->rc_protocol        = rtm->rtm_protocol;
+        cfg->rc_via_table       = MPLS_NEIGH_TABLE_UNSPEC;
        cfg->rc_nlflags         = nlh->nlmsg_flags;
        cfg->rc_nlinfo.portid   = NETLINK_CB(skb).portid;
        cfg->rc_nlinfo.nlh      = nlh;
@@ -1231,7 +1245,8 @@ static int mpls_dump_route(struct sk_buff *skb, u32 portid, u32 seq, int event,
                    nla_put_labels(skb, RTA_NEWDST, nh->nh_labels,
                                   nh->nh_label))
                        goto nla_put_failure;
-                if (nla_put_via(skb, nh->nh_via_table, mpls_nh_via(rt, nh),
+                if (nh->nh_via_table != MPLS_NEIGH_TABLE_UNSPEC &&
+                    nla_put_via(skb, nh->nh_via_table, mpls_nh_via(rt, nh),
                                nh->nh_via_alen))
                        goto nla_put_failure;
                dev = rtnl_dereference(nh->nh_dev);
@@ -1257,7 +1272,8 @@ static int mpls_dump_route(struct sk_buff *skb, u32 portid, u32 seq, int event,
                                                            nh->nh_labels,
                                                            nh->nh_label))
                                goto nla_put_failure;
-                        if (nla_put_via(skb, nh->nh_via_table,
+                        if (nh->nh_via_table != MPLS_NEIGH_TABLE_UNSPEC &&
+                            nla_put_via(skb, nh->nh_via_table,
                                        mpls_nh_via(rt, nh),
                                        nh->nh_via_alen))
                                goto nla_put_failure;
@@ -1319,7 +1335,8 @@ static inline size_t lfib_nlmsg_size(struct mpls_route *rt)
                if (nh->nh_dev)
                        payload += nla_total_size(4); /* RTA_OIF */
-                payload += nla_total_size(2 + nh->nh_via_alen); /* RTA_VIA */
+                if (nh->nh_via_table != MPLS_NEIGH_TABLE_UNSPEC) /* RTA_VIA */
+                        payload += nla_total_size(2 + nh->nh_via_alen);
                if (nh->nh_labels) /* RTA_NEWDST */
                        payload += nla_total_size(nh->nh_labels * 4);
        } else {
@@ -1328,7 +1345,9 @@ static inline size_t lfib_nlmsg_size(struct mpls_route *rt)
                for_nexthops(rt) {
                        nhsize += nla_total_size(sizeof(struct rtnexthop));
-                        nhsize += nla_total_size(2 + nh->nh_via_alen);
+                        /* RTA_VIA */
+                        if (nh->nh_via_table != MPLS_NEIGH_TABLE_UNSPEC)
+                                nhsize += nla_total_size(2 + nh->nh_via_alen);
                        if (nh->nh_labels)
                                nhsize += nla_total_size(nh->nh_labels * 4);
                } endfor_nexthops(rt);
diff --git a/net/mpls/mpls_iptunnel.c b/net/mpls/mpls_iptunnel.c
index 67591aef9cae..64afd3d0b144 100644
--- a/net/mpls/mpls_iptunnel.c
+++ b/net/mpls/mpls_iptunnel.c
@@ -54,10 +54,10 @@ int mpls_output(struct net *net, struct sock *sk, struct sk_buff *skb)
        unsigned int ttl;
        /* Obtain the ttl */
-        if (skb->protocol == htons(ETH_P_IP)) {
+        if (dst->ops->family == AF_INET) {
                ttl = ip_hdr(skb)->ttl;
                rt = (struct rtable *)dst;
-        } else if (skb->protocol == htons(ETH_P_IPV6)) {
+        } else if (dst->ops->family == AF_INET6) {
                ttl = ipv6_hdr(skb)->hop_limit;
                rt6 = (struct rt6_info *)dst;
        } else {
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 93cc4737018f..2cb429d34c03 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -89,6 +89,7 @@ nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
 }
 static void nft_ctx_init(struct nft_ctx *ctx,
+                         struct net *net,
                         const struct sk_buff *skb,
                         const struct nlmsghdr *nlh,
                         struct nft_af_info *afi,
@@ -96,7 +97,7 @@ static void nft_ctx_init(struct nft_ctx *ctx,
                         struct nft_chain *chain,
                         const struct nlattr * const *nla)
 {
-        ctx->net        = sock_net(skb->sk);
+        ctx->net        = net;
        ctx->afi        = afi;
        ctx->table      = table;
        ctx->chain      = chain;
@@ -672,15 +673,14 @@ err:
        return ret;
 }
-static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_newtable(struct net *net, struct sock *nlsk,
-                              const struct nlmsghdr *nlh,
+                              struct sk_buff *skb, const struct nlmsghdr *nlh,
                              const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        const struct nlattr *name;
        struct nft_af_info *afi;
        struct nft_table *table;
-        struct net *net = sock_net(skb->sk);
        int family = nfmsg->nfgen_family;
        u32 flags = 0;
        struct nft_ctx ctx;
@@ -706,7 +706,7 @@ static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
                if (nlh->nlmsg_flags & NLM_F_REPLACE)
                        return -EOPNOTSUPP;
-                nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
+                nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
                return nf_tables_updtable(&ctx);
        }
@@ -730,7 +730,7 @@ static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
        INIT_LIST_HEAD(&table->sets);
        table->flags = flags;
-        nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
        err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
        if (err < 0)
                goto err3;
@@ -810,18 +810,17 @@ out:
        return err;
 }
-static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_deltable(struct net *net, struct sock *nlsk,
-                              const struct nlmsghdr *nlh,
+                              struct sk_buff *skb, const struct nlmsghdr *nlh,
                              const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        struct nft_af_info *afi;
        struct nft_table *table;
-        struct net *net = sock_net(skb->sk);
        int family = nfmsg->nfgen_family;
        struct nft_ctx ctx;
-        nft_ctx_init(&ctx, skb, nlh, NULL, NULL, NULL, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
        if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
                return nft_flush(&ctx, family);
@@ -1221,8 +1220,8 @@ static void nf_tables_chain_destroy(struct nft_chain *chain)
        }
 }
-static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_newchain(struct net *net, struct sock *nlsk,
-                              const struct nlmsghdr *nlh,
+                              struct sk_buff *skb, const struct nlmsghdr *nlh,
                              const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
@@ -1232,7 +1231,6 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
        struct nft_chain *chain;
        struct nft_base_chain *basechain = NULL;
        struct nlattr *ha[NFTA_HOOK_MAX + 1];
-        struct net *net = sock_net(skb->sk);
        int family = nfmsg->nfgen_family;
        struct net_device *dev = NULL;
        u8 policy = NF_ACCEPT;
@@ -1313,7 +1311,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
                                return PTR_ERR(stats);
                }
-                nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+                nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
                trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
                                        sizeof(struct nft_trans_chain));
                if (trans == NULL) {
@@ -1461,7 +1459,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
        if (err < 0)
                goto err1;
-        nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
        err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
        if (err < 0)
                goto err2;
@@ -1476,15 +1474,14 @@ err1:
        return err;
 }
-static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_delchain(struct net *net, struct sock *nlsk,
-                              const struct nlmsghdr *nlh,
+                              struct sk_buff *skb, const struct nlmsghdr *nlh,
                              const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        struct nft_af_info *afi;
        struct nft_table *table;
        struct nft_chain *chain;
-        struct net *net = sock_net(skb->sk);
        int family = nfmsg->nfgen_family;
        struct nft_ctx ctx;
@@ -1506,7 +1503,7 @@ static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
        if (chain->use > 0)
                return -EBUSY;
-        nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
        return nft_delchain(&ctx);
 }
@@ -2010,13 +2007,12 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
 static struct nft_expr_info *info;
-static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_newrule(struct net *net, struct sock *nlsk,
-                             const struct nlmsghdr *nlh,
+                             struct sk_buff *skb, const struct nlmsghdr *nlh,
                             const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        struct nft_af_info *afi;
-        struct net *net = sock_net(skb->sk);
        struct nft_table *table;
        struct nft_chain *chain;
        struct nft_rule *rule, *old_rule = NULL;
@@ -2075,7 +2071,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
                        return PTR_ERR(old_rule);
        }
-        nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
        n = 0;
        size = 0;
@@ -2176,13 +2172,12 @@ err1:
        return err;
 }
-static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_delrule(struct net *net, struct sock *nlsk,
-                             const struct nlmsghdr *nlh,
+                             struct sk_buff *skb, const struct nlmsghdr *nlh,
                             const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        struct nft_af_info *afi;
-        struct net *net = sock_net(skb->sk);
        struct nft_table *table;
        struct nft_chain *chain = NULL;
        struct nft_rule *rule;
@@ -2205,7 +2200,7 @@ static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
                        return PTR_ERR(chain);
        }
-        nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
        if (chain) {
                if (nla[NFTA_RULE_HANDLE]) {
@@ -2344,12 +2339,11 @@ static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
        [NFTA_SET_DESC_SIZE]            = { .type = NLA_U32 },
 };
-static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
+static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
                                     const struct sk_buff *skb,
                                     const struct nlmsghdr *nlh,
                                     const struct nlattr * const nla[])
 {
-        struct net *net = sock_net(skb->sk);
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        struct nft_af_info *afi = NULL;
        struct nft_table *table = NULL;
@@ -2371,7 +2365,7 @@ static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
                        return -ENOENT;
        }
-        nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
+        nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
        return 0;
 }
@@ -2623,6 +2617,7 @@ static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
                            const struct nlmsghdr *nlh,
                            const struct nlattr * const nla[])
 {
+        struct net *net = sock_net(skb->sk);
        const struct nft_set *set;
        struct nft_ctx ctx;
        struct sk_buff *skb2;
@@ -2630,7 +2625,7 @@ static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
        int err;
        /* Verify existence before starting dump */
-        err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
+        err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla);
        if (err < 0)
                return err;
@@ -2693,14 +2688,13 @@ static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
        return 0;
 }
-static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_newset(struct net *net, struct sock *nlsk,
-                            const struct nlmsghdr *nlh,
+                            struct sk_buff *skb, const struct nlmsghdr *nlh,
                            const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        const struct nft_set_ops *ops;
        struct nft_af_info *afi;
-        struct net *net = sock_net(skb->sk);
        struct nft_table *table;
        struct nft_set *set;
        struct nft_ctx ctx;
@@ -2798,7 +2792,7 @@ static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
        if (IS_ERR(table))
                return PTR_ERR(table);
-        nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
        set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
        if (IS_ERR(set)) {
@@ -2882,8 +2876,8 @@ static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set
        nft_set_destroy(set);
 }
-static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_delset(struct net *net, struct sock *nlsk,
-                            const struct nlmsghdr *nlh,
+                            struct sk_buff *skb, const struct nlmsghdr *nlh,
                            const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
@@ -2896,7 +2890,7 @@ static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
        if (nla[NFTA_SET_TABLE] == NULL)
                return -EINVAL;
-        err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
+        err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla);
        if (err < 0)
                return err;
@@ -3024,7 +3018,7 @@ static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX +
        [NFTA_SET_ELEM_LIST_SET_ID]     = { .type = NLA_U32 },
 };
-static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
+static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
                                      const struct sk_buff *skb,
                                      const struct nlmsghdr *nlh,
                                      const struct nlattr * const nla[],
@@ -3033,7 +3027,6 @@ static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        struct nft_af_info *afi;
        struct nft_table *table;
-        struct net *net = sock_net(skb->sk);
        afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
        if (IS_ERR(afi))
@@ -3045,7 +3038,7 @@ static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
        if (!trans && (table->flags & NFT_TABLE_INACTIVE))
                return -ENOENT;
-        nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
+        nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
        return 0;
 }
@@ -3135,6 +3128,7 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
 {
+        struct net *net = sock_net(skb->sk);
        const struct nft_set *set;
        struct nft_set_dump_args args;
        struct nft_ctx ctx;
@@ -3150,8 +3144,8 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
        if (err < 0)
                return err;
-        err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla,
+        err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
-                                         false);
+                                         (void *)nla, false);
        if (err < 0)
                return err;
@@ -3212,11 +3206,12 @@ static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
                                const struct nlmsghdr *nlh,
                                const struct nlattr * const nla[])
 {
+        struct net *net = sock_net(skb->sk);
        const struct nft_set *set;
        struct nft_ctx ctx;
        int err;
-        err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
+        err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, false);
        if (err < 0)
                return err;
@@ -3528,11 +3523,10 @@ err1:
        return err;
 }
-static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
-                                const struct nlmsghdr *nlh,
+                                struct sk_buff *skb, const struct nlmsghdr *nlh,
                                const struct nlattr * const nla[])
 {
-        struct net *net = sock_net(skb->sk);
        const struct nlattr *attr;
        struct nft_set *set;
        struct nft_ctx ctx;
@@ -3541,7 +3535,7 @@ static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
        if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
                return -EINVAL;
-        err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, true);
+        err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, true);
        if (err < 0)
                return err;
@@ -3623,8 +3617,8 @@ err1:
        return err;
 }
-static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
-                                const struct nlmsghdr *nlh,
+                                struct sk_buff *skb, const struct nlmsghdr *nlh,
                                const struct nlattr * const nla[])
 {
        const struct nlattr *attr;
@@ -3635,7 +3629,7 @@ static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
        if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
                return -EINVAL;
-        err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
+        err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, false);
        if (err < 0)
                return err;
@@ -4030,7 +4024,8 @@ static int nf_tables_abort(struct sk_buff *skb)
        struct nft_trans *trans, *next;
        struct nft_trans_elem *te;
-        list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
+        list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
+                                         list) {
                switch (trans->msg_type) {
                case NFT_MSG_NEWTABLE:
                        if (nft_trans_table_update(trans)) {
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 46453ab318db..77afe913d03d 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -295,8 +295,6 @@ replay:
        if (!skb)
                return netlink_ack(oskb, nlh, -ENOMEM);
-        skb->sk = oskb->sk;
        nfnl_lock(subsys_id);
        ss = rcu_dereference_protected(table[subsys_id].subsys,
                                       lockdep_is_held(&table[subsys_id].mutex));
@@ -381,7 +379,7 @@ replay:
                                goto ack;
                        if (nc->call_batch) {
-                                err = nc->call_batch(net->nfnl, skb, nlh,
+                                err = nc->call_batch(net, net->nfnl, skb, nlh,
                                                     (const struct nlattr **)cda);
                        }
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 7d81d280cb4f..861c6615253b 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -365,8 +365,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
                break;
        }
+        nfnl_ct = rcu_dereference(nfnl_ct_hook);
        if (queue->flags & NFQA_CFG_F_CONNTRACK) {
-                nfnl_ct = rcu_dereference(nfnl_ct_hook);
                if (nfnl_ct != NULL) {
                        ct = nfnl_ct->get_ct(entskb, &ctinfo);
                        if (ct != NULL)
@@ -1064,9 +1065,10 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
        if (entry == NULL)
                return -ENOENT;
+        /* rcu lock already held from nfnl->call_rcu. */
+        nfnl_ct = rcu_dereference(nfnl_ct_hook);
        if (nfqa[NFQA_CT]) {
-                /* rcu lock already held from nfnl->call_rcu. */
-                nfnl_ct = rcu_dereference(nfnl_ct_hook);
                if (nfnl_ct != NULL)
                        ct = nfqnl_ct_parse(nfnl_ct, nlh, nfqa, entry, &ctinfo);
        }
@@ -1417,6 +1419,7 @@ static int __init nfnetlink_queue_init(void)
 cleanup_netlink_notifier:
        netlink_unregister_notifier(&nfqnl_rtnl_notifier);
+        unregister_pernet_subsys(&nfnl_queue_net_ops);
 out:
        return status;
 }
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index c2cc11168fd5..3e8892216f94 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -53,6 +53,8 @@ struct ovs_conntrack_info {
        struct md_labels labels;
 };
+static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info);
 static u16 key_to_nfproto(const struct sw_flow_key *key)
 {
        switch (ntohs(key->eth.type)) {
@@ -141,6 +143,7 @@ static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state,
 * previously sent the packet to conntrack via the ct action.
 */
 static void ovs_ct_update_key(const struct sk_buff *skb,
+                              const struct ovs_conntrack_info *info,
                              struct sw_flow_key *key, bool post_ct)
 {
        const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
@@ -158,13 +161,15 @@ static void ovs_ct_update_key(const struct sk_buff *skb,
                zone = nf_ct_zone(ct);
        } else if (post_ct) {
                state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID;
+                if (info)
+                        zone = &info->zone;
        }
        __ovs_ct_update_key(key, state, zone, ct);
 }
 void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key)
 {
-        ovs_ct_update_key(skb, key, false);
+        ovs_ct_update_key(skb, NULL, key, false);
 }
 int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb)
@@ -418,7 +423,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
                }
        }
-        ovs_ct_update_key(skb, key, true);
+        ovs_ct_update_key(skb, info, key, true);
        return 0;
 }
@@ -708,7 +713,7 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr,
        nf_conntrack_get(&ct_info.ct->ct_general);
        return 0;
 err_free_ct:
-        nf_conntrack_free(ct_info.ct);
+        __ovs_ct_free_action(&ct_info);
        return err;
 }
@@ -750,6 +755,11 @@ void ovs_ct_free_action(const struct nlattr *a)
 {
        struct ovs_conntrack_info *ct_info = nla_data(a);
+        __ovs_ct_free_action(ct_info);
+}
+static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
+{
        if (ct_info->helper)
                module_put(ct_info->helper->me);
        if (ct_info->ct)
diff --git a/net/rfkill/core.c b/net/rfkill/core.c
index b41e9ea2ffff..f53bf3b6558b 100644
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -49,7 +49,6 @@
 struct rfkill {
        spinlock_t              lock;
-        const char              *name;
        enum rfkill_type        type;
        unsigned long           state;
@@ -73,6 +72,7 @@ struct rfkill {
        struct delayed_work     poll_work;
        struct work_struct      uevent_work;
        struct work_struct      sync_work;
+        char                    name[];
 };
 #define to_rfkill(d)    container_of(d, struct rfkill, dev)
@@ -876,14 +876,14 @@ struct rfkill * __must_check rfkill_alloc(const char *name,
        if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES))
                return NULL;
-        rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL);
+        rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL);
        if (!rfkill)
                return NULL;
        spin_lock_init(&rfkill->lock);
        INIT_LIST_HEAD(&rfkill->node);
        rfkill->type = type;
-        rfkill->name = name;
+        strcpy(rfkill->name, name);
        rfkill->ops = ops;
        rfkill->data = ops_data;
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 7ec667dd4ce1..b5c2cf2aa6d4 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue,
                }
                lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock);
                if (!netif_is_multiqueue(dev))
-                        sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
+                        sch->flags |= TCQ_F_ONETXQUEUE;
        }
        sch->handle = handle;
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index acb45b8c2a9d..ec529121f38a 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -323,14 +323,13 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
                        }
                }
        }
-        rcu_read_unlock();
        if (baddr) {
                fl6->saddr = baddr->v6.sin6_addr;
                fl6->fl6_sport = baddr->v6.sin6_port;
                final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
                dst = ip6_dst_lookup_flow(sk, fl6, final_p);
        }
+        rcu_read_unlock();
 out:
        if (!IS_ERR_OR_NULL(dst)) {
@@ -642,6 +641,7 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
        struct sock *newsk;
        struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
        struct sctp6_sock *newsctp6sk;
+        struct ipv6_txoptions *opt;
        newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot, 0);
        if (!newsk)
@@ -661,6 +661,13 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
        memcpy(newnp, np, sizeof(struct ipv6_pinfo));
+        rcu_read_lock();
+        opt = rcu_dereference(np->opt);
+        if (opt)
+                opt = ipv6_dup_options(newsk, opt);
+        RCU_INIT_POINTER(newnp->opt, opt);
+        rcu_read_unlock();
        /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname()
         * and getpeername().
         */
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 7e8f0a117106..c0380cfb16ae 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -324,6 +324,7 @@ int sctp_outq_tail(struct sctp_outq *q, struct sctp_chunk *chunk)
                                 sctp_cname(SCTP_ST_CHUNK(chunk->chunk_hdr->type)) :
                                 "illegal chunk");
+                        sctp_chunk_hold(chunk);
                        sctp_outq_tail_data(q, chunk);
                        if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED)
                                SCTP_INC_STATS(net, SCTP_MIB_OUTUNORDERCHUNKS);
@@ -1251,6 +1252,7 @@ int sctp_outq_sack(struct sctp_outq *q, struct sctp_chunk *chunk)
         */
        sack_a_rwnd = ntohl(sack->a_rwnd);
+        asoc->peer.zero_window_announced = !sack_a_rwnd;
        outstanding = q->outstanding_bytes;
        if (outstanding < sack_a_rwnd)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 763e06a55155..5d6a03fad378 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_cookie(const struct sctp_endpoint *ep,
        /* Set an expiration time for the cookie.  */
        cookie->c.expiration = ktime_add(asoc->cookie_life,
-                                         ktime_get());
+                                         ktime_get_real());
        /* Copy the peer's init packet.  */
        memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr,
@@ -1780,7 +1780,7 @@ no_hmac:
        if (sock_flag(ep->base.sk, SOCK_TIMESTAMP))
                kt = skb_get_ktime(skb);
        else
-                kt = ktime_get();
+                kt = ktime_get_real();
        if (!asoc && ktime_before(bear_cookie->expiration, kt)) {
                /*
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 6f46aa16cb76..cd34a4a34065 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -5412,7 +5412,8 @@ sctp_disposition_t sctp_sf_do_6_3_3_rtx(struct net *net,
        SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS);
        if (asoc->overall_error_count >= asoc->max_retrans) {
-                if (asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
+                if (asoc->peer.zero_window_announced &&
+                    asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
                        /*
                         * We are here likely because the receiver had its rwnd
                         * closed for a while and we have not been able to
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 03c8256063ec..9b6cc6de80d8 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1952,8 +1952,6 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
        /* Now send the (possibly) fragmented message. */
        list_for_each_entry(chunk, &datamsg->chunks, frag_list) {
-                sctp_chunk_hold(chunk);
                /* Do accounting for the write space.  */
                sctp_set_owner_w(chunk);
@@ -1966,15 +1964,13 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
         * breaks.
         */
        err = sctp_primitive_SEND(net, asoc, datamsg);
+        sctp_datamsg_put(datamsg);
        /* Did the lower layer accept the chunk? */
-        if (err) {
+        if (err)
-                sctp_datamsg_free(datamsg);
                goto out_free;
-        }
        pr_debug("%s: we sent primitively\n", __func__);
-        sctp_datamsg_put(datamsg);
        err = msg_len;
        if (unlikely(wait_connect)) {
@@ -7167,6 +7163,7 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
        newsk->sk_type = sk->sk_type;
        newsk->sk_bound_dev_if = sk->sk_bound_dev_if;
        newsk->sk_flags = sk->sk_flags;
+        newsk->sk_tsflags = sk->sk_tsflags;
        newsk->sk_no_check_tx = sk->sk_no_check_tx;
        newsk->sk_no_check_rx = sk->sk_no_check_rx;
        newsk->sk_reuse = sk->sk_reuse;
@@ -7199,6 +7196,9 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
        newinet->mc_ttl = 1;
        newinet->mc_index = 0;
        newinet->mc_list = NULL;
+        if (newsk->sk_flags & SK_FLAGS_TIMESTAMP)
+                net_enable_timestamp();
 }
 static inline void sctp_copy_descendant(struct sock *sk_to,
diff --git a/net/socket.c b/net/socket.c
index 456fadb3d819..29822d6dd91e 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1695,6 +1695,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
        msg.msg_name = addr ? (struct sockaddr *)&address : NULL;
        /* We assume all kernel code knows the size of sockaddr_storage */
        msg.msg_namelen = 0;
+        msg.msg_iocb = NULL;
        if (sock->file->f_flags & O_NONBLOCK)
                flags |= MSG_DONTWAIT;
        err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 45aebd966978..a4631477cedf 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2256,14 +2256,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
        /* Lock the socket to prevent queue disordering
         * while sleeps in memcpy_tomsg
         */
-        err = mutex_lock_interruptible(&u->readlock);
+        mutex_lock(&u->readlock);
-        if (unlikely(err)) {
-                /* recvmsg() in non blocking mode is supposed to return -EAGAIN
-                 * sk_rcvtimeo is not honored by mutex_lock_interruptible()
-                 */
-                err = noblock ? -EAGAIN : -ERESTARTSYS;
-                goto out;
-        }
        if (flags & MSG_PEEK)
                skip = sk_peek_offset(sk, flags);
@@ -2307,12 +2300,12 @@ again:
                        timeo = unix_stream_data_wait(sk, timeo, last,
                                                      last_len);
-                        if (signal_pending(current) ||
+                        if (signal_pending(current)) {
-                            mutex_lock_interruptible(&u->readlock)) {
                                err = sock_intr_errno(timeo);
                                goto out;
                        }
+                        mutex_lock(&u->readlock);
                        continue;
 unlock:
                        unix_state_unlock(sk);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index c71e274c810a..75b0d23ee882 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -7941,8 +7941,10 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
        if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
                if (!(rdev->wiphy.features &
                      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
-                    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
+                    !(rdev->wiphy.features & NL80211_FEATURE_QUIET)) {
+                        kzfree(connkeys);
                        return -EINVAL;
+                }
                connect.flags |= ASSOC_REQ_USE_RRM;
        }
@@ -9503,6 +9505,7 @@ static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
        if (new_triggers.tcp && new_triggers.tcp->sock)
                sock_release(new_triggers.tcp->sock);
        kfree(new_triggers.tcp);
+        kfree(new_triggers.nd_config);
        return err;
 }
 #endif
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 2e8d6f39ed56..06d050da0d94 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -3029,6 +3029,7 @@ int set_regdom(const struct ieee80211_regdomain *rd,
                break;
        default:
                WARN(1, "invalid initiator %d\n", lr->initiator);
+                kfree(rd);
                return -EINVAL;
        }
@@ -3221,8 +3222,10 @@ int __init regulatory_init(void)
        /* We always try to get an update for the static regdomain */
        err = regulatory_hint_core(cfg80211_world_regdom->alpha2);
        if (err) {
-                if (err == -ENOMEM)
+                if (err == -ENOMEM) {
+                        platform_device_unregister(reg_pdev);
                        return err;
+                }
                /*
                 * N.B. kobject_uevent_env() can fail mainly for when we're out
                 * memory which is handled and propagated appropriately above
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 09bfcbac63bb..948fa5560de5 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -303,6 +303,14 @@ struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
 }
 EXPORT_SYMBOL(xfrm_policy_alloc);
+static void xfrm_policy_destroy_rcu(struct rcu_head *head)
+{
+        struct xfrm_policy *policy = container_of(head, struct xfrm_policy, rcu);
+        security_xfrm_policy_free(policy->security);
+        kfree(policy);
+}
 /* Destroy xfrm_policy: descendant resources must be released to this moment. */
 void xfrm_policy_destroy(struct xfrm_policy *policy)
@@ -312,8 +320,7 @@ void xfrm_policy_destroy(struct xfrm_policy *policy)
        if (del_timer(&policy->timer) || del_timer(&policy->polq.hold_timer))
                BUG();
-        security_xfrm_policy_free(policy->security);
+        call_rcu(&policy->rcu, xfrm_policy_destroy_rcu);
-        kfree(policy);
 }
 EXPORT_SYMBOL(xfrm_policy_destroy);
@@ -1214,8 +1221,10 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
        struct xfrm_policy *pol;
        struct net *net = sock_net(sk);
+        rcu_read_lock();
        read_lock_bh(&net->xfrm.xfrm_policy_lock);
-        if ((pol = sk->sk_policy[dir]) != NULL) {
+        pol = rcu_dereference(sk->sk_policy[dir]);
+        if (pol != NULL) {
                bool match = xfrm_selector_match(&pol->selector, fl,
                                                 sk->sk_family);
                int err = 0;
@@ -1239,6 +1248,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
        }
 out:
        read_unlock_bh(&net->xfrm.xfrm_policy_lock);
+        rcu_read_unlock();
        return pol;
 }
@@ -1307,13 +1317,14 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
 #endif
        write_lock_bh(&net->xfrm.xfrm_policy_lock);
-        old_pol = sk->sk_policy[dir];
+        old_pol = rcu_dereference_protected(sk->sk_policy[dir],
-        sk->sk_policy[dir] = pol;
+                                lockdep_is_held(&net->xfrm.xfrm_policy_lock));
        if (pol) {
                pol->curlft.add_time = get_seconds();
                pol->index = xfrm_gen_index(net, XFRM_POLICY_MAX+dir, 0);
                xfrm_sk_policy_link(pol, dir);
        }
+        rcu_assign_pointer(sk->sk_policy[dir], pol);
        if (old_pol) {
                if (pol)
                        xfrm_policy_requeue(old_pol, pol);
@@ -1361,17 +1372,26 @@ static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
        return newp;
 }
-int __xfrm_sk_clone_policy(struct sock *sk)
+int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
 {
-        struct xfrm_policy *p0 = sk->sk_policy[0],
+        const struct xfrm_policy *p;
-                           *p1 = sk->sk_policy[1];
+        struct xfrm_policy *np;
+        int i, ret = 0;
-        sk->sk_policy[0] = sk->sk_policy[1] = NULL;
+        rcu_read_lock();
-        if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL)
+        for (i = 0; i < 2; i++) {
-                return -ENOMEM;
+                p = rcu_dereference(osk->sk_policy[i]);
-        if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL)
+                if (p) {
-                return -ENOMEM;
+                        np = clone_policy(p, i);
-        return 0;
+                        if (unlikely(!np)) {
+                                ret = -ENOMEM;
+                                break;
+                        }
+                        rcu_assign_pointer(sk->sk_policy[i], np);
+                }
+        }
+        rcu_read_unlock();
+        return ret;
 }
 static int
@@ -2198,6 +2218,7 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
        xdst = NULL;
        route = NULL;
+        sk = sk_const_to_full_sk(sk);
        if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
                num_pols = 1;
                pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
@@ -2477,6 +2498,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
        }
        pol = NULL;
+        sk = sk_to_full_sk(sk);
        if (sk && sk->sk_policy[dir]) {
                pol = xfrm_sk_policy_lookup(sk, dir, &fl);
                if (IS_ERR(pol)) {
author	Takashi Iwai <tiwai@suse.de>	2015-12-23 02:30:28 -0500
committer	Takashi Iwai <tiwai@suse.de>	2015-12-23 02:30:28 -0500
commit	0fb0b822d157325b66c503d23332f64899bfb828 (patch)
tree	0699437223be8c87a9c4951c46a5fe27681d57e5 /net
parent	9f660a1c43890c2cdd1f423fd73654e7ca08fe56 (diff)
parent	3dd5fc0eeb5d7cc07b8e3e383037261799b38897 (diff)