Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Buffers powersave frame test is reversed in cfg80211, fix from Felix
    Fietkau.

 2) Remove bogus WARN_ON in openvswitch, from Jarno Rajahalme.

 3) Fix some tg3 ethtool logic bugs, and one that would cause no
    interrupts to be generated when rx-coalescing is set to 0.  From
    Satish Baddipadige and Siva Reddy Kallam.

 4) QLCNIC mailbox corruption and napi budget handling fix from Manish
    Chopra.

 5) Fix fib_trie logic when walking the trie during /proc/net/route
    output than can access a stale node pointer.  From David Forster.

 6) Several sctp_diag fixes from Phil Sutter.

 7) PAUSE frame handling fixes in mlxsw driver from Ido Schimmel.

 8) Checksum fixup fixes in bpf from Daniel Borkmann.

 9) Memork leaks in nfnetlink, from Liping Zhang.

10) Use after free in rxrpc, from David Howells.

11) Use after free in new skb_array code of macvtap driver, from Jason
    Wang.

12) Calipso resource leak, from Colin Ian King.

13) mediatek bug fixes (missing stats sync init, etc.) from Sean Wang.

14) Fix bpf non-linear packet write helpers, from Daniel Borkmann.

15) Fix lockdep splats in macsec, from Sabrina Dubroca.

16) hv_netvsc bug fixes from Vitaly Kuznetsov, mostly to do with VF
    handling.

17) Various tc-action bug fixes, from CONG Wang.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (116 commits)
  net_sched: allow flushing tc police actions
  net_sched: unify the init logic for act_police
  net_sched: convert tcf_exts from list to pointer array
  net_sched: move tc offload macros to pkt_cls.h
  net_sched: fix a typo in tc_for_each_action()
  net_sched: remove an unnecessary list_del()
  net_sched: remove the leftover cleanup_a()
  mlxsw: spectrum: Allow packets to be trapped from any PG
  mlxsw: spectrum: Unmap 802.1Q FID before destroying it
  mlxsw: spectrum: Add missing rollbacks in error path
  mlxsw: reg: Fix missing op field fill-up
  mlxsw: spectrum: Trap loop-backed packets
  mlxsw: spectrum: Add missing packet traps
  mlxsw: spectrum: Mark port as active before registering it
  mlxsw: spectrum: Create PVID vPort before registering netdevice
  mlxsw: spectrum: Remove redundant errors from the code
  mlxsw: spectrum: Don't return upon error in removal path
  i40e: check for and deal with non-contiguous TCs
  ixgbe: Re-enable ability to toggle VLAN filtering
  ixgbe: Force VLNCTRL.VFE to be set in all VMDq paths
  ...

47 files changed, 386 insertions, 335 deletions

diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 82a116ba590e..8de138d3306b 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -169,7 +169,7 @@ int register_vlan_dev(struct net_device *dev)
         if (err < 0)
                 goto out_uninit_mvrp;
 
-        vlan->nest_level = dev_get_nest_level(real_dev, is_vlan_dev) + 1;
+        vlan->nest_level = dev_get_nest_level(real_dev) + 1;
         err = register_netdevice(dev);
         if (err < 0)
                 goto out_uninit_mvrp;
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index c18080ad4085..cd620fab41b0 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -267,7 +267,7 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr)
 
         /* If old entry was unassociated with any port, then delete it. */
         f = __br_fdb_get(br, br->dev->dev_addr, 0);
-        if (f && f->is_local && !f->dst)
+        if (f && f->is_local && !f->dst && !f->added_by_user)
                 fdb_delete_local(br, NULL, f);
 
         fdb_insert(br, NULL, newaddr, 0);
@@ -282,7 +282,7 @@ void br_fdb_change_mac_address(struct net_bridge *br, const u8 *newaddr)
                 if (!br_vlan_should_use(v))
                         continue;
                 f = __br_fdb_get(br, br->dev->dev_addr, v->vid);
-                if (f && f->is_local && !f->dst)
+                if (f && f->is_local && !f->dst && !f->added_by_user)
                         fdb_delete_local(br, NULL, f);
                 fdb_insert(br, NULL, newaddr, v->vid);
         }
@@ -764,20 +764,25 @@ out:
 }
 
 /* Update (create or replace) forwarding database entry */
-static int fdb_add_entry(struct net_bridge_port *source, const __u8 *addr,
-                         __u16 state, __u16 flags, __u16 vid)
+static int fdb_add_entry(struct net_bridge *br, struct net_bridge_port *source,
+                         const __u8 *addr, __u16 state, __u16 flags, __u16 vid)
 {
-        struct net_bridge *br = source->br;
         struct hlist_head *head = &br->hash[br_mac_hash(addr, vid)];
         struct net_bridge_fdb_entry *fdb;
         bool modified = false;
 
         /* If the port cannot learn allow only local and static entries */
-        if (!(state & NUD_PERMANENT) && !(state & NUD_NOARP) &&
+        if (source && !(state & NUD_PERMANENT) && !(state & NUD_NOARP) &&
             !(source->state == BR_STATE_LEARNING ||
               source->state == BR_STATE_FORWARDING))
                 return -EPERM;
 
+        if (!source && !(state & NUD_PERMANENT)) {
+                pr_info("bridge: RTM_NEWNEIGH %s without NUD_PERMANENT\n",
+                        br->dev->name);
+                return -EINVAL;
+        }
+
         fdb = fdb_find(head, addr, vid);
         if (fdb == NULL) {
                 if (!(flags & NLM_F_CREATE))
@@ -832,22 +837,28 @@ static int fdb_add_entry(struct net_bridge_port *source, const __u8 *addr,
         return 0;
 }
 
-static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge_port *p,
-               const unsigned char *addr, u16 nlh_flags, u16 vid)
+static int __br_fdb_add(struct ndmsg *ndm, struct net_bridge *br,
+                        struct net_bridge_port *p, const unsigned char *addr,
+                        u16 nlh_flags, u16 vid)
 {
         int err = 0;
 
         if (ndm->ndm_flags & NTF_USE) {
+                if (!p) {
+                        pr_info("bridge: RTM_NEWNEIGH %s with NTF_USE is not supported\n",
+                                br->dev->name);
+                        return -EINVAL;
+                }
                 local_bh_disable();
                 rcu_read_lock();
-                br_fdb_update(p->br, p, addr, vid, true);
+                br_fdb_update(br, p, addr, vid, true);
                 rcu_read_unlock();
                 local_bh_enable();
         } else {
-                spin_lock_bh(&p->br->hash_lock);
-                err = fdb_add_entry(p, addr, ndm->ndm_state,
+                spin_lock_bh(&br->hash_lock);
+                err = fdb_add_entry(br, p, addr, ndm->ndm_state,
                                     nlh_flags, vid);
-                spin_unlock_bh(&p->br->hash_lock);
+                spin_unlock_bh(&br->hash_lock);
         }
 
         return err;
@@ -884,6 +895,7 @@ int br_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
                                 dev->name);
                         return -EINVAL;
                 }
+                br = p->br;
                 vg = nbp_vlan_group(p);
         }
 
@@ -895,15 +907,9 @@ int br_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
                 }
 
                 /* VID was specified, so use it. */
-                if (dev->priv_flags & IFF_EBRIDGE)
-                        err = br_fdb_insert(br, NULL, addr, vid);
-                else
-                        err = __br_fdb_add(ndm, p, addr, nlh_flags, vid);
+                err = __br_fdb_add(ndm, br, p, addr, nlh_flags, vid);
         } else {
-                if (dev->priv_flags & IFF_EBRIDGE)
-                        err = br_fdb_insert(br, NULL, addr, 0);
-                else
-                        err = __br_fdb_add(ndm, p, addr, nlh_flags, 0);
+                err = __br_fdb_add(ndm, br, p, addr, nlh_flags, 0);
                 if (err || !vg || !vg->num_vlans)
                         goto out;
 
@@ -914,11 +920,7 @@ int br_fdb_add(struct ndmsg *ndm, struct nlattr *tb[],
                 list_for_each_entry(v, &vg->vlan_list, vlist) {
                         if (!br_vlan_should_use(v))
                                 continue;
-                        if (dev->priv_flags & IFF_EBRIDGE)
-                                err = br_fdb_insert(br, NULL, addr, v->vid);
-                        else
-                                err = __br_fdb_add(ndm, p, addr, nlh_flags,
-                                                   v->vid);
+                        err = __br_fdb_add(ndm, br, p, addr, nlh_flags, v->vid);
                         if (err)
                                 goto out;
                 }
diff --git a/net/core/dev.c b/net/core/dev.c
index 4ce07dc25573..dd6ce598de89 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -6045,8 +6045,7 @@ void *netdev_lower_dev_get_private(struct net_device *dev,
 EXPORT_SYMBOL(netdev_lower_dev_get_private);
 
 
-int dev_get_nest_level(struct net_device *dev,
-                       bool (*type_check)(const struct net_device *dev))
+int dev_get_nest_level(struct net_device *dev)
 {
         struct net_device *lower = NULL;
         struct list_head *iter;
@@ -6056,15 +6055,12 @@ int dev_get_nest_level(struct net_device *dev,
         ASSERT_RTNL();
 
         netdev_for_each_lower_dev(dev, lower, iter) {
-                nest = dev_get_nest_level(lower, type_check);
+                nest = dev_get_nest_level(lower);
                 if (max_nest < nest)
                         max_nest = nest;
         }
 
-        if (type_check(dev))
-                max_nest++;
-
-        return max_nest;
+        return max_nest + 1;
 }
 EXPORT_SYMBOL(dev_get_nest_level);
 
diff --git a/net/core/filter.c b/net/core/filter.c
index 5708999f8a79..cb06aceb512a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1355,56 +1355,47 @@ static inline int bpf_try_make_writable(struct sk_buff *skb,
 {
         int err;
 
-        if (!skb_cloned(skb))
-                return 0;
-        if (skb_clone_writable(skb, write_len))
-                return 0;
-        err = pskb_expand_head(skb, 0, 0, GFP_ATOMIC);
-        if (!err)
-                bpf_compute_data_end(skb);
+        err = skb_ensure_writable(skb, write_len);
+        bpf_compute_data_end(skb);
+
         return err;
 }
 
+static inline void bpf_push_mac_rcsum(struct sk_buff *skb)
+{
+        if (skb_at_tc_ingress(skb))
+                skb_postpush_rcsum(skb, skb_mac_header(skb), skb->mac_len);
+}
+
+static inline void bpf_pull_mac_rcsum(struct sk_buff *skb)
+{
+        if (skb_at_tc_ingress(skb))
+                skb_postpull_rcsum(skb, skb_mac_header(skb), skb->mac_len);
+}
+
 static u64 bpf_skb_store_bytes(u64 r1, u64 r2, u64 r3, u64 r4, u64 flags)
 {
-        struct bpf_scratchpad *sp = this_cpu_ptr(&bpf_sp);
         struct sk_buff *skb = (struct sk_buff *) (long) r1;
-        int offset = (int) r2;
+        unsigned int offset = (unsigned int) r2;
         void *from = (void *) (long) r3;
         unsigned int len = (unsigned int) r4;
         void *ptr;
 
         if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM | BPF_F_INVALIDATE_HASH)))
                 return -EINVAL;
-
-        /* bpf verifier guarantees that:
-         * 'from' pointer points to bpf program stack
-         * 'len' bytes of it were initialized
-         * 'len' > 0
-         * 'skb' is a valid pointer to 'struct sk_buff'
-         *
-         * so check for invalid 'offset' and too large 'len'
-         */
-        if (unlikely((u32) offset > 0xffff || len > sizeof(sp->buff)))
+        if (unlikely(offset > 0xffff))
                 return -EFAULT;
         if (unlikely(bpf_try_make_writable(skb, offset + len)))
                 return -EFAULT;
 
-        ptr = skb_header_pointer(skb, offset, len, sp->buff);
-        if (unlikely(!ptr))
-                return -EFAULT;
-
+        ptr = skb->data + offset;
         if (flags & BPF_F_RECOMPUTE_CSUM)
-                skb_postpull_rcsum(skb, ptr, len);
+                __skb_postpull_rcsum(skb, ptr, len, offset);
 
         memcpy(ptr, from, len);
 
-        if (ptr == sp->buff)
-                /* skb_store_bits cannot return -EFAULT here */
-                skb_store_bits(skb, offset, ptr, len);
-
         if (flags & BPF_F_RECOMPUTE_CSUM)
-                skb_postpush_rcsum(skb, ptr, len);
+                __skb_postpush_rcsum(skb, ptr, len, offset);
         if (flags & BPF_F_INVALIDATE_HASH)
                 skb_clear_hash(skb);
 
@@ -1425,12 +1416,12 @@ static const struct bpf_func_proto bpf_skb_store_bytes_proto = {
 static u64 bpf_skb_load_bytes(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
 {
         const struct sk_buff *skb = (const struct sk_buff *)(unsigned long) r1;
-        int offset = (int) r2;
+        unsigned int offset = (unsigned int) r2;
         void *to = (void *)(unsigned long) r3;
         unsigned int len = (unsigned int) r4;
         void *ptr;
 
-        if (unlikely((u32) offset > 0xffff))
+        if (unlikely(offset > 0xffff))
                 goto err_clear;
 
         ptr = skb_header_pointer(skb, offset, len, to);
@@ -1458,20 +1449,17 @@ static const struct bpf_func_proto bpf_skb_load_bytes_proto = {
 static u64 bpf_l3_csum_replace(u64 r1, u64 r2, u64 from, u64 to, u64 flags)
 {
         struct sk_buff *skb = (struct sk_buff *) (long) r1;
-        int offset = (int) r2;
-        __sum16 sum, *ptr;
+        unsigned int offset = (unsigned int) r2;
+        __sum16 *ptr;
 
         if (unlikely(flags & ~(BPF_F_HDR_FIELD_MASK)))
                 return -EINVAL;
-        if (unlikely((u32) offset > 0xffff))
+        if (unlikely(offset > 0xffff || offset & 1))
                 return -EFAULT;
-        if (unlikely(bpf_try_make_writable(skb, offset + sizeof(sum))))
-                return -EFAULT;
-
-        ptr = skb_header_pointer(skb, offset, sizeof(sum), &sum);
-        if (unlikely(!ptr))
+        if (unlikely(bpf_try_make_writable(skb, offset + sizeof(*ptr))))
                 return -EFAULT;
 
+        ptr = (__sum16 *)(skb->data + offset);
         switch (flags & BPF_F_HDR_FIELD_MASK) {
         case 0:
                 if (unlikely(from != 0))
@@ -1489,10 +1477,6 @@ static u64 bpf_l3_csum_replace(u64 r1, u64 r2, u64 from, u64 to, u64 flags)
                 return -EINVAL;
         }
 
-        if (ptr == &sum)
-                /* skb_store_bits guaranteed to not return -EFAULT here */
-                skb_store_bits(skb, offset, ptr, sizeof(sum));
-
         return 0;
 }
 
@@ -1512,20 +1496,18 @@ static u64 bpf_l4_csum_replace(u64 r1, u64 r2, u64 from, u64 to, u64 flags)
         struct sk_buff *skb = (struct sk_buff *) (long) r1;
         bool is_pseudo = flags & BPF_F_PSEUDO_HDR;
         bool is_mmzero = flags & BPF_F_MARK_MANGLED_0;
-        int offset = (int) r2;
-        __sum16 sum, *ptr;
+        unsigned int offset = (unsigned int) r2;
+        __sum16 *ptr;
 
         if (unlikely(flags & ~(BPF_F_MARK_MANGLED_0 | BPF_F_PSEUDO_HDR |
                                BPF_F_HDR_FIELD_MASK)))
                 return -EINVAL;
-        if (unlikely((u32) offset > 0xffff))
+        if (unlikely(offset > 0xffff || offset & 1))
                 return -EFAULT;
-        if (unlikely(bpf_try_make_writable(skb, offset + sizeof(sum))))
+        if (unlikely(bpf_try_make_writable(skb, offset + sizeof(*ptr))))
                 return -EFAULT;
 
-        ptr = skb_header_pointer(skb, offset, sizeof(sum), &sum);
-        if (unlikely(!ptr))
-                return -EFAULT;
+        ptr = (__sum16 *)(skb->data + offset);
         if (is_mmzero && !*ptr)
                 return 0;
 
@@ -1548,10 +1530,6 @@ static u64 bpf_l4_csum_replace(u64 r1, u64 r2, u64 from, u64 to, u64 flags)
 
         if (is_mmzero && !*ptr)
                 *ptr = CSUM_MANGLED_0;
-        if (ptr == &sum)
-                /* skb_store_bits guaranteed to not return -EFAULT here */
-                skb_store_bits(skb, offset, ptr, sizeof(sum));
-
         return 0;
 }
 
@@ -1607,9 +1585,6 @@ static const struct bpf_func_proto bpf_csum_diff_proto = {
 
 static inline int __bpf_rx_skb(struct net_device *dev, struct sk_buff *skb)
 {
-        if (skb_at_tc_ingress(skb))
-                skb_postpush_rcsum(skb, skb_mac_header(skb), skb->mac_len);
-
         return dev_forward_skb(dev, skb);
 }
 
@@ -1648,6 +1623,8 @@ static u64 bpf_clone_redirect(u64 r1, u64 ifindex, u64 flags, u64 r4, u64 r5)
         if (unlikely(!skb))
                 return -ENOMEM;
 
+        bpf_push_mac_rcsum(skb);
+
         return flags & BPF_F_INGRESS ?
                __bpf_rx_skb(dev, skb) : __bpf_tx_skb(dev, skb);
 }
@@ -1693,6 +1670,8 @@ int skb_do_redirect(struct sk_buff *skb)
                 return -EINVAL;
         }
 
+        bpf_push_mac_rcsum(skb);
+
         return ri->flags & BPF_F_INGRESS ?
                __bpf_rx_skb(dev, skb) : __bpf_tx_skb(dev, skb);
 }
@@ -1756,7 +1735,10 @@ static u64 bpf_skb_vlan_push(u64 r1, u64 r2, u64 vlan_tci, u64 r4, u64 r5)
                      vlan_proto != htons(ETH_P_8021AD)))
                 vlan_proto = htons(ETH_P_8021Q);
 
+        bpf_push_mac_rcsum(skb);
         ret = skb_vlan_push(skb, vlan_proto, vlan_tci);
+        bpf_pull_mac_rcsum(skb);
+
         bpf_compute_data_end(skb);
         return ret;
 }
@@ -1776,7 +1758,10 @@ static u64 bpf_skb_vlan_pop(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
         struct sk_buff *skb = (struct sk_buff *) (long) r1;
         int ret;
 
+        bpf_push_mac_rcsum(skb);
         ret = skb_vlan_pop(skb);
+        bpf_pull_mac_rcsum(skb);
+
         bpf_compute_data_end(skb);
         return ret;
 }
@@ -2298,7 +2283,7 @@ bpf_get_skb_set_tunnel_proto(enum bpf_func_id which)
 }
 
 #ifdef CONFIG_SOCK_CGROUP_DATA
-static u64 bpf_skb_in_cgroup(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
+static u64 bpf_skb_under_cgroup(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
 {
         struct sk_buff *skb = (struct sk_buff *)(long)r1;
         struct bpf_map *map = (struct bpf_map *)(long)r2;
@@ -2321,8 +2306,8 @@ static u64 bpf_skb_in_cgroup(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
         return cgroup_is_descendant(sock_cgroup_ptr(&sk->sk_cgrp_data), cgrp);
 }
 
-static const struct bpf_func_proto bpf_skb_in_cgroup_proto = {
-        .func           = bpf_skb_in_cgroup,
+static const struct bpf_func_proto bpf_skb_under_cgroup_proto = {
+        .func           = bpf_skb_under_cgroup,
         .gpl_only       = false,
         .ret_type       = RET_INTEGER,
         .arg1_type      = ARG_PTR_TO_CTX,
@@ -2402,8 +2387,8 @@ tc_cls_act_func_proto(enum bpf_func_id func_id)
         case BPF_FUNC_get_smp_processor_id:
                 return &bpf_get_smp_processor_id_proto;
 #ifdef CONFIG_SOCK_CGROUP_DATA
-        case BPF_FUNC_skb_in_cgroup:
-                return &bpf_skb_in_cgroup_proto;
+        case BPF_FUNC_skb_under_cgroup:
+                return &bpf_skb_under_cgroup_proto;
 #endif
         default:
                 return sk_filter_func_proto(func_id);
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index d07fc076bea0..febca0f1008c 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -2452,9 +2452,7 @@ struct fib_route_iter {
 static struct key_vector *fib_route_get_idx(struct fib_route_iter *iter,
                                             loff_t pos)
 {
-        struct fib_table *tb = iter->main_tb;
         struct key_vector *l, **tp = &iter->tnode;
-        struct trie *t;
         t_key key;
 
         /* use cache location of next-to-find key */
@@ -2462,8 +2460,6 @@ static struct key_vector *fib_route_get_idx(struct fib_route_iter *iter,
                 pos -= iter->pos;
                 key = iter->key;
         } else {
-                t = (struct trie *)tb->tb_data;
-                iter->tnode = t->kv;
                 iter->pos = 0;
                 key = 0;
         }
@@ -2504,12 +2500,12 @@ static void *fib_route_seq_start(struct seq_file *seq, loff_t *pos)
                 return NULL;
 
         iter->main_tb = tb;
+        t = (struct trie *)tb->tb_data;
+        iter->tnode = t->kv;
 
         if (*pos != 0)
                 return fib_route_get_idx(iter, *pos);
 
-        t = (struct trie *)tb->tb_data;
-        iter->tnode = t->kv;
         iter->pos = 0;
         iter->key = 0;
 
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 5b1481be0282..113cc43df789 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -370,7 +370,6 @@ static void __gre_xmit(struct sk_buff *skb, struct net_device *dev,
                          tunnel->parms.o_flags, proto, tunnel->parms.o_key,
                          htonl(tunnel->o_seqno));
 
-        skb_set_inner_protocol(skb, proto);
         ip_tunnel_xmit(skb, dev, tnl_params, tnl_params->protocol);
 }
 
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index a917903d5e97..cc701fa70b12 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -557,6 +557,33 @@ static struct rtnl_link_ops vti_link_ops __read_mostly = {
         .get_link_net   = ip_tunnel_get_link_net,
 };
 
+static bool is_vti_tunnel(const struct net_device *dev)
+{
+        return dev->netdev_ops == &vti_netdev_ops;
+}
+
+static int vti_device_event(struct notifier_block *unused,
+                            unsigned long event, void *ptr)
+{
+        struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+        struct ip_tunnel *tunnel = netdev_priv(dev);
+
+        if (!is_vti_tunnel(dev))
+                return NOTIFY_DONE;
+
+        switch (event) {
+        case NETDEV_DOWN:
+                if (!net_eq(tunnel->net, dev_net(dev)))
+                        xfrm_garbage_collect(tunnel->net);
+                break;
+        }
+        return NOTIFY_DONE;
+}
+
+static struct notifier_block vti_notifier_block __read_mostly = {
+        .notifier_call = vti_device_event,
+};
+
 static int __init vti_init(void)
 {
         const char *msg;
@@ -564,6 +591,8 @@ static int __init vti_init(void)
 
         pr_info("IPv4 over IPsec tunneling driver\n");
 
+        register_netdevice_notifier(&vti_notifier_block);
+
         msg = "tunnel device";
         err = register_pernet_device(&vti_net_ops);
         if (err < 0)
@@ -596,6 +625,7 @@ xfrm_proto_ah_failed:
 xfrm_proto_esp_failed:
         unregister_pernet_device(&vti_net_ops);
 pernet_dev_failed:
+        unregister_netdevice_notifier(&vti_notifier_block);
         pr_err("vti init: failed to register %s\n", msg);
         return err;
 }
@@ -607,6 +637,7 @@ static void __exit vti_fini(void)
         xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH);
         xfrm4_protocol_deregister(&vti_esp4_protocol, IPPROTO_ESP);
         unregister_pernet_device(&vti_net_ops);
+        unregister_netdevice_notifier(&vti_notifier_block);
 }
 
 module_init(vti_init);
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index ab3e796596b1..df8425fcbc2c 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3543,7 +3543,7 @@ static int addrconf_ifdown(struct net_device *dev, int how)
         /* combine the user config with event to determine if permanent
          * addresses are to be removed from address hash table
          */
-        keep_addr = !(how || _keep_addr <= 0);
+        keep_addr = !(how || _keep_addr <= 0 || idev->cnf.disable_ipv6);
 
         /* Step 2: clear hash table */
         for (i = 0; i < IN6_ADDR_HSIZE; i++) {
@@ -3599,7 +3599,7 @@ restart:
         /* re-combine the user config with event to determine if permanent
          * addresses are to be removed from the interface list
          */
-        keep_addr = (!how && _keep_addr > 0);
+        keep_addr = (!how && _keep_addr > 0 && !idev->cnf.disable_ipv6);
 
         INIT_LIST_HEAD(&del_list);
         list_for_each_entry_safe(ifa, tmp, &idev->addr_list, if_list) {
diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
index c53b92c617c5..37ac9de713c6 100644
--- a/net/ipv6/calipso.c
+++ b/net/ipv6/calipso.c
@@ -952,8 +952,10 @@ calipso_opt_insert(struct ipv6_opt_hdr *hop,
                 memcpy(new, hop, start);
         ret_val = calipso_genopt((unsigned char *)new, start, buf_len, doi_def,
                                  secattr);
-        if (ret_val < 0)
+        if (ret_val < 0) {
+                kfree(new);
                 return ERR_PTR(ret_val);
+        }
 
         buf_len = start + ret_val;
         /* At this point buf_len aligns to 4n, so (buf_len & 4) pads to 8n */
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 776d145113e1..704274cbd495 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -519,8 +519,6 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
         gre_build_header(skb, tunnel->tun_hlen, tunnel->parms.o_flags,
                          protocol, tunnel->parms.o_key, htonl(tunnel->o_seqno));
 
-        skb_set_inner_protocol(skb, protocol);
-
         return ip6_tnl_xmit(skb, dev, dsfield, fl6, encap_limit, pmtu,
                             NEXTHDR_GRE);
 }
diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
index fed40d1ec29b..0900352c924c 100644
--- a/net/ipv6/ping.c
+++ b/net/ipv6/ping.c
@@ -55,7 +55,7 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
         struct icmp6hdr user_icmph;
         int addr_type;
         struct in6_addr *daddr;
-        int iif = 0;
+        int oif = 0;
         struct flowi6 fl6;
         int err;
         struct dst_entry *dst;
@@ -78,25 +78,30 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
                 if (u->sin6_family != AF_INET6) {
                         return -EAFNOSUPPORT;
                 }
-                if (sk->sk_bound_dev_if &&
-                    sk->sk_bound_dev_if != u->sin6_scope_id) {
-                        return -EINVAL;
-                }
                 daddr = &(u->sin6_addr);
-                iif = u->sin6_scope_id;
+                if (__ipv6_addr_needs_scope_id(ipv6_addr_type(daddr)))
+                        oif = u->sin6_scope_id;
         } else {
                 if (sk->sk_state != TCP_ESTABLISHED)
                         return -EDESTADDRREQ;
                 daddr = &sk->sk_v6_daddr;
         }
 
-        if (!iif)
-                iif = sk->sk_bound_dev_if;
+        if (!oif)
+                oif = sk->sk_bound_dev_if;
+
+        if (!oif)
+                oif = np->sticky_pktinfo.ipi6_ifindex;
+
+        if (!oif && ipv6_addr_is_multicast(daddr))
+                oif = np->mcast_oif;
+        else if (!oif)
+                oif = np->ucast_oif;
 
         addr_type = ipv6_addr_type(daddr);
-        if (__ipv6_addr_needs_scope_id(addr_type) && !iif)
-                return -EINVAL;
-        if (addr_type & IPV6_ADDR_MAPPED)
+        if ((__ipv6_addr_needs_scope_id(addr_type) && !oif) ||
+            (addr_type & IPV6_ADDR_MAPPED) ||
+            (oif && sk->sk_bound_dev_if && oif != sk->sk_bound_dev_if))
                 return -EINVAL;
 
         /* TODO: use ip6_datagram_send_ctl to get options from cmsg */
@@ -106,16 +111,12 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
         fl6.flowi6_proto = IPPROTO_ICMPV6;
         fl6.saddr = np->saddr;
         fl6.daddr = *daddr;
+        fl6.flowi6_oif = oif;
         fl6.flowi6_mark = sk->sk_mark;
         fl6.fl6_icmp_type = user_icmph.icmp6_type;
         fl6.fl6_icmp_code = user_icmph.icmp6_code;
         security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
 
-        if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
-                fl6.flowi6_oif = np->mcast_oif;
-        else if (!fl6.flowi6_oif)
-                fl6.flowi6_oif = np->ucast_oif;
-
         ipc6.tclass = np->tclass;
         fl6.flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6.flowlabel);
 
diff --git a/net/irda/iriap.c b/net/irda/iriap.c
index 4a7ae32afa09..1138eaf5c682 100644
--- a/net/irda/iriap.c
+++ b/net/irda/iriap.c
@@ -185,8 +185,12 @@ struct iriap_cb *iriap_open(__u8 slsap_sel, int mode, void *priv,
 
         self->magic = IAS_MAGIC;
         self->mode = mode;
-        if (mode == IAS_CLIENT)
-                iriap_register_lsap(self, slsap_sel, mode);
+        if (mode == IAS_CLIENT) {
+                if (iriap_register_lsap(self, slsap_sel, mode)) {
+                        kfree(self);
+                        return NULL;
+                }
+        }
 
         self->confirm = callback;
         self->priv = priv;
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 47e99ab8d97a..543b1d4fc33d 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -869,7 +869,7 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev)
 
         /* free all potentially still buffered bcast frames */
         local->total_ps_buffered -= skb_queue_len(&sdata->u.ap.ps.bc_buf);
-        skb_queue_purge(&sdata->u.ap.ps.bc_buf);
+        ieee80211_purge_tx_queue(&local->hw, &sdata->u.ap.ps.bc_buf);
 
         mutex_lock(&local->mtx);
         ieee80211_vif_copy_chanctx_to_vlans(sdata, true);
diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h
index 184473c257eb..ba5fc1f01e53 100644
--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -1094,7 +1094,7 @@ static inline u32 drv_get_expected_throughput(struct ieee80211_local *local,
 
         trace_drv_get_expected_throughput(sta);
         if (local->ops->get_expected_throughput)
-                ret = local->ops->get_expected_throughput(sta);
+                ret = local->ops->get_expected_throughput(&local->hw, sta);
         trace_drv_return_u32(local, ret);
 
         return ret;
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index c66411df9863..42120d965263 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -881,20 +881,22 @@ void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata)
 
         netif_carrier_off(sdata->dev);
 
+        /* flush STAs and mpaths on this iface */
+        sta_info_flush(sdata);
+        mesh_path_flush_by_iface(sdata);
+
         /* stop the beacon */
         ifmsh->mesh_id_len = 0;
         sdata->vif.bss_conf.enable_beacon = false;
         clear_bit(SDATA_STATE_OFFCHANNEL_BEACON_STOPPED, &sdata->state);
         ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON_ENABLED);
+
+        /* remove beacon */
         bcn = rcu_dereference_protected(ifmsh->beacon,
                                         lockdep_is_held(&sdata->wdev.mtx));
         RCU_INIT_POINTER(ifmsh->beacon, NULL);
         kfree_rcu(bcn, rcu_head);
 
-        /* flush STAs and mpaths on this iface */
-        sta_info_flush(sdata);
-        mesh_path_flush_by_iface(sdata);
-
         /* free all potentially still buffered group-addressed frames */
         local->total_ps_buffered -= skb_queue_len(&ifmsh->ps.bc_buf);
         skb_queue_purge(&ifmsh->ps.bc_buf);
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 2e8a9024625a..9dce3b157908 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1268,7 +1268,7 @@ static void sta_ps_start(struct sta_info *sta)
         for (tid = 0; tid < ARRAY_SIZE(sta->sta.txq); tid++) {
                 struct txq_info *txqi = to_txq_info(sta->sta.txq[tid]);
 
-                if (!txqi->tin.backlog_packets)
+                if (txqi->tin.backlog_packets)
                         set_bit(tid, &sta->txq_buffered_tids);
                 else
                         clear_bit(tid, &sta->txq_buffered_tids);
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index c6d5c724e032..a2a68269675d 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -771,6 +771,13 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
                         clear_sta_flag(sta, WLAN_STA_SP);
 
                 acked = !!(info->flags & IEEE80211_TX_STAT_ACK);
+
+                /* mesh Peer Service Period support */
+                if (ieee80211_vif_is_mesh(&sta->sdata->vif) &&
+                    ieee80211_is_data_qos(fc))
+                        ieee80211_mpsp_trigger_process(
+                                ieee80211_get_qos_ctl(hdr), sta, true, acked);
+
                 if (!acked && test_sta_flag(sta, WLAN_STA_PS_STA)) {
                         /*
                          * The STA is in power save mode, so assume
@@ -781,13 +788,6 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb)
                         return;
                 }
 
-                /* mesh Peer Service Period support */
-                if (ieee80211_vif_is_mesh(&sta->sdata->vif) &&
-                    ieee80211_is_data_qos(fc))
-                        ieee80211_mpsp_trigger_process(
-                                        ieee80211_get_qos_ctl(hdr),
-                                        sta, true, acked);
-
                 if (ieee80211_hw_check(&local->hw, HAS_RATE_CONTROL) &&
                     (ieee80211_is_data(hdr->frame_control)) &&
                     (rates_idx != -1))
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 91461c415525..502396694f47 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -368,7 +368,7 @@ static void purge_old_ps_buffers(struct ieee80211_local *local)
                 skb = skb_dequeue(&ps->bc_buf);
                 if (skb) {
                         purged++;
-                        dev_kfree_skb(skb);
+                        ieee80211_free_txskb(&local->hw, skb);
                 }
                 total += skb_queue_len(&ps->bc_buf);
         }
@@ -451,7 +451,7 @@ ieee80211_tx_h_multicast_ps_buf(struct ieee80211_tx_data *tx)
         if (skb_queue_len(&ps->bc_buf) >= AP_MAX_BC_BUFFER) {
                 ps_dbg(tx->sdata,
                        "BC TX buffer full - dropping the oldest frame\n");
-                dev_kfree_skb(skb_dequeue(&ps->bc_buf));
+                ieee80211_free_txskb(&tx->local->hw, skb_dequeue(&ps->bc_buf));
         } else
                 tx->local->total_ps_buffered++;
 
@@ -4275,7 +4275,7 @@ ieee80211_get_buffered_bc(struct ieee80211_hw *hw,
                         sdata = IEEE80211_DEV_TO_SUB_IF(skb->dev);
                 if (!ieee80211_tx_prepare(sdata, &tx, NULL, skb))
                         break;
-                dev_kfree_skb_any(skb);
+                ieee80211_free_txskb(hw, skb);
         }
 
         info = IEEE80211_SKB_CB(skb);
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 9e3693128313..f8dbacf66795 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -574,7 +574,7 @@ static int exp_seq_show(struct seq_file *s, void *v)
         helper = rcu_dereference(nfct_help(expect->master)->helper);
         if (helper) {
                 seq_printf(s, "%s%s", expect->flags ? " " : "", helper->name);
-                if (helper->expect_policy[expect->class].name)
+                if (helper->expect_policy[expect->class].name[0])
                         seq_printf(s, "/%s",
                                    helper->expect_policy[expect->class].name);
         }
diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
index bb77a97961bf..5c0db5c64734 100644
--- a/net/netfilter/nf_conntrack_h323_main.c
+++ b/net/netfilter/nf_conntrack_h323_main.c
@@ -1473,7 +1473,8 @@ static int process_rcf(struct sk_buff *skb, struct nf_conn *ct,
                                  "timeout to %u seconds for",
                                  info->timeout);
                         nf_ct_dump_tuple(&exp->tuple);
-                        mod_timer(&exp->timeout, jiffies + info->timeout * HZ);
+                        mod_timer_pending(&exp->timeout,
+                                          jiffies + info->timeout * HZ);
                 }
                 spin_unlock_bh(&nf_conntrack_expect_lock);
         }
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 050bb3420a6b..fdfc71f416b7 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1894,6 +1894,8 @@ static int ctnetlink_new_conntrack(struct net *net, struct sock *ctnl,
 
                         if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
                                 return -EINVAL;
+                        if (otuple.dst.protonum != rtuple.dst.protonum)
+                                return -EINVAL;
 
                         ct = ctnetlink_create_conntrack(net, &zone, cda, &otuple,
                                                         &rtuple, u3);
@@ -2362,12 +2364,8 @@ ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
                 return PTR_ERR(exp);
 
         err = nf_ct_expect_related_report(exp, portid, report);
-        if (err < 0) {
-                nf_ct_expect_put(exp);
-                return err;
-        }
-
-        return 0;
+        nf_ct_expect_put(exp);
+        return err;
 }
 
 static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c
index 8d9db9d4702b..7d77217de6a3 100644
--- a/net/netfilter/nf_conntrack_sip.c
+++ b/net/netfilter/nf_conntrack_sip.c
@@ -1383,7 +1383,7 @@ static int process_sip_response(struct sk_buff *skb, unsigned int protoff,
                 return NF_DROP;
         }
         cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
-        if (!cseq) {
+        if (!cseq && *(*dptr + matchoff) != '0') {
                 nf_ct_helper_log(skb, ct, "cannot get cseq");
                 return NF_DROP;
         }
@@ -1446,7 +1446,7 @@ static int process_sip_request(struct sk_buff *skb, unsigned int protoff,
                         return NF_DROP;
                 }
                 cseq = simple_strtoul(*dptr + matchoff, NULL, 10);
-                if (!cseq) {
+                if (!cseq && *(*dptr + matchoff) != '0') {
                         nf_ct_helper_log(skb, ct, "cannot get cseq");
                         return NF_DROP;
                 }
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 5d36a0926b4a..f49f45081acb 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -1145,10 +1145,8 @@ static int nfqnl_recv_verdict(struct net *net, struct sock *ctnl,
         struct nfnl_queue_net *q = nfnl_queue_pernet(net);
         int err;
 
-        queue = instance_lookup(q, queue_num);
-        if (!queue)
-                queue = verdict_instance_lookup(q, queue_num,
-                                                NETLINK_CB(skb).portid);
+        queue = verdict_instance_lookup(q, queue_num,
+                                        NETLINK_CB(skb).portid);
         if (IS_ERR(queue))
                 return PTR_ERR(queue);
 
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index ba7aed13e174..82c264e40278 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -59,6 +59,7 @@ static int nft_exthdr_init(const struct nft_ctx *ctx,
                            const struct nlattr * const tb[])
 {
         struct nft_exthdr *priv = nft_expr_priv(expr);
+        u32 offset, len;
 
         if (tb[NFTA_EXTHDR_DREG] == NULL ||
             tb[NFTA_EXTHDR_TYPE] == NULL ||
@@ -66,9 +67,15 @@ static int nft_exthdr_init(const struct nft_ctx *ctx,
             tb[NFTA_EXTHDR_LEN] == NULL)
                 return -EINVAL;
 
+        offset = ntohl(nla_get_be32(tb[NFTA_EXTHDR_OFFSET]));
+        len = ntohl(nla_get_be32(tb[NFTA_EXTHDR_LEN]));
+
+        if (offset > U8_MAX || len > U8_MAX)
+                return -ERANGE;
+
         priv->type   = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
-        priv->offset = ntohl(nla_get_be32(tb[NFTA_EXTHDR_OFFSET]));
-        priv->len    = ntohl(nla_get_be32(tb[NFTA_EXTHDR_LEN]));
+        priv->offset = offset;
+        priv->len    = len;
         priv->dreg   = nft_parse_register(tb[NFTA_EXTHDR_DREG]);
 
         return nft_validate_register_store(ctx, priv->dreg, NULL,
diff --git a/net/netfilter/nft_rbtree.c b/net/netfilter/nft_rbtree.c
index 6473936d05c6..ffe9ae062d23 100644
--- a/net/netfilter/nft_rbtree.c
+++ b/net/netfilter/nft_rbtree.c
@@ -70,7 +70,6 @@ static bool nft_rbtree_lookup(const struct net *net, const struct nft_set *set,
                 } else if (d > 0)
                         parent = parent->rb_right;
                 else {
-found:
                         if (!nft_set_elem_active(&rbe->ext, genmask)) {
                                 parent = parent->rb_left;
                                 continue;
@@ -84,9 +83,12 @@ found:
                 }
         }
 
-        if (set->flags & NFT_SET_INTERVAL && interval != NULL) {
-                rbe = interval;
-                goto found;
+        if (set->flags & NFT_SET_INTERVAL && interval != NULL &&
+            nft_set_elem_active(&interval->ext, genmask) &&
+            !nft_rbtree_interval_end(interval)) {
+                spin_unlock_bh(&nft_rbtree_lock);
+                *ext = &interval->ext;
+                return true;
         }
 out:
         spin_unlock_bh(&nft_rbtree_lock);
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index c644c78ed485..e054a748ff25 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -433,7 +433,6 @@ ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone,
         struct nf_conntrack_l4proto *l4proto;
         struct nf_conntrack_tuple tuple;
         struct nf_conntrack_tuple_hash *h;
-        enum ip_conntrack_info ctinfo;
         struct nf_conn *ct;
         unsigned int dataoff;
         u8 protonum;
@@ -458,13 +457,8 @@ ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone,
 
         ct = nf_ct_tuplehash_to_ctrack(h);
 
-        ctinfo = ovs_ct_get_info(h);
-        if (ctinfo == IP_CT_NEW) {
-                /* This should not happen. */
-                WARN_ONCE(1, "ovs_ct_find_existing: new packet for %p\n", ct);
-        }
         skb->nfct = &ct->ct_general;
-        skb->nfctinfo = ctinfo;
+        skb->nfctinfo = ovs_ct_get_info(h);
         return ct;
 }
 
diff --git a/net/openvswitch/vport-geneve.c b/net/openvswitch/vport-geneve.c
index 1a1fcec88695..5aaf3babfc3f 100644
--- a/net/openvswitch/vport-geneve.c
+++ b/net/openvswitch/vport-geneve.c
@@ -93,7 +93,14 @@ static struct vport *geneve_tnl_create(const struct vport_parms *parms)
                 return ERR_CAST(dev);
         }
 
-        dev_change_flags(dev, dev->flags | IFF_UP);
+        err = dev_change_flags(dev, dev->flags | IFF_UP);
+        if (err < 0) {
+                rtnl_delete_link(dev);
+                rtnl_unlock();
+                ovs_vport_free(vport);
+                goto error;
+        }
+
         rtnl_unlock();
         return vport;
 error:
diff --git a/net/openvswitch/vport-gre.c b/net/openvswitch/vport-gre.c
index 7f8897f33a67..0e72d95b0e8f 100644
--- a/net/openvswitch/vport-gre.c
+++ b/net/openvswitch/vport-gre.c
@@ -54,6 +54,7 @@ static struct vport *gre_tnl_create(const struct vport_parms *parms)
         struct net *net = ovs_dp_get_net(parms->dp);
         struct net_device *dev;
         struct vport *vport;
+        int err;
 
         vport = ovs_vport_alloc(0, &ovs_gre_vport_ops, parms);
         if (IS_ERR(vport))
@@ -67,9 +68,15 @@ static struct vport *gre_tnl_create(const struct vport_parms *parms)
                 return ERR_CAST(dev);
         }
 
-        dev_change_flags(dev, dev->flags | IFF_UP);
-        rtnl_unlock();
+        err = dev_change_flags(dev, dev->flags | IFF_UP);
+        if (err < 0) {
+                rtnl_delete_link(dev);
+                rtnl_unlock();
+                ovs_vport_free(vport);
+                return ERR_PTR(err);
+        }
 
+        rtnl_unlock();
         return vport;
 }
 
diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c
index 434e04c3a189..95c36147a6e1 100644
--- a/net/openvswitch/vport-internal_dev.c
+++ b/net/openvswitch/vport-internal_dev.c
@@ -140,7 +140,7 @@ internal_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
 
 static void internal_set_rx_headroom(struct net_device *dev, int new_hr)
 {
-        dev->needed_headroom = new_hr;
+        dev->needed_headroom = new_hr < 0 ? 0 : new_hr;
 }
 
 static const struct net_device_ops internal_dev_netdev_ops = {
diff --git a/net/openvswitch/vport-vxlan.c b/net/openvswitch/vport-vxlan.c
index 5eb7694348b5..7eb955e453e6 100644
--- a/net/openvswitch/vport-vxlan.c
+++ b/net/openvswitch/vport-vxlan.c
@@ -130,7 +130,14 @@ static struct vport *vxlan_tnl_create(const struct vport_parms *parms)
                 return ERR_CAST(dev);
         }
 
-        dev_change_flags(dev, dev->flags | IFF_UP);
+        err = dev_change_flags(dev, dev->flags | IFF_UP);
+        if (err < 0) {
+                rtnl_delete_link(dev);
+                rtnl_unlock();
+                ovs_vport_free(vport);
+                goto error;
+        }
+
         rtnl_unlock();
         return vport;
 error:
diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index 1bb9e7ac9e14..ff83fb1ddd47 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -425,6 +425,7 @@ struct rxrpc_call {
         spinlock_t              lock;
         rwlock_t                state_lock;     /* lock for state transition */
         atomic_t                usage;
+        atomic_t                skb_count;      /* Outstanding packets on this call */
         atomic_t                sequence;       /* Tx data packet sequence counter */
         u32                     local_abort;    /* local abort code */
         u32                     remote_abort;   /* remote abort code */
diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c
index 0b2832141bd0..9bae21e66d65 100644
--- a/net/rxrpc/call_accept.c
+++ b/net/rxrpc/call_accept.c
@@ -130,6 +130,7 @@ static int rxrpc_accept_incoming_call(struct rxrpc_local *local,
                         call->state = RXRPC_CALL_SERVER_ACCEPTING;
                         list_add_tail(&call->accept_link, &rx->acceptq);
                         rxrpc_get_call(call);
+                        atomic_inc(&call->skb_count);
                         nsp = rxrpc_skb(notification);
                         nsp->call = call;
 
diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index fc32aa5764a2..e60cf65c2232 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -460,6 +460,7 @@ static void rxrpc_insert_oos_packet(struct rxrpc_call *call,
         ASSERTCMP(sp->call, ==, NULL);
         sp->call = call;
         rxrpc_get_call(call);
+        atomic_inc(&call->skb_count);
 
         /* insert into the buffer in sequence order */
         spin_lock_bh(&call->lock);
@@ -734,6 +735,7 @@ all_acked:
                 skb->mark = RXRPC_SKB_MARK_FINAL_ACK;
                 sp->call = call;
                 rxrpc_get_call(call);
+                atomic_inc(&call->skb_count);
                 spin_lock_bh(&call->lock);
                 if (rxrpc_queue_rcv_skb(call, skb, true, true) < 0)
                         BUG();
@@ -793,6 +795,7 @@ static int rxrpc_post_message(struct rxrpc_call *call, u32 mark, u32 error,
                 sp->error = error;
                 sp->call = call;
                 rxrpc_get_call(call);
+                atomic_inc(&call->skb_count);
 
                 spin_lock_bh(&call->lock);
                 ret = rxrpc_queue_rcv_skb(call, skb, true, fatal);
@@ -834,6 +837,9 @@ void rxrpc_process_call(struct work_struct *work)
                 return;
         }
 
+        if (!call->conn)
+                goto skip_msg_init;
+
         /* there's a good chance we're going to have to send a message, so set
          * one up in advance */
         msg.msg_name    = &call->conn->params.peer->srx.transport;
@@ -856,6 +862,7 @@ void rxrpc_process_call(struct work_struct *work)
         memset(iov, 0, sizeof(iov));
         iov[0].iov_base = &whdr;
         iov[0].iov_len  = sizeof(whdr);
+skip_msg_init:
 
         /* deal with events of a final nature */
         if (test_bit(RXRPC_CALL_EV_RCVD_ERROR, &call->events)) {
diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c
index 91287c9d01bb..ae057e0740f3 100644
--- a/net/rxrpc/call_object.c
+++ b/net/rxrpc/call_object.c
@@ -275,6 +275,7 @@ error:
         list_del_init(&call->link);
         write_unlock_bh(&rxrpc_call_lock);
 
+        set_bit(RXRPC_CALL_RELEASED, &call->flags);
         call->state = RXRPC_CALL_DEAD;
         rxrpc_put_call(call);
         _leave(" = %d", ret);
@@ -287,6 +288,7 @@ error:
          */
 found_user_ID_now_present:
         write_unlock(&rx->call_lock);
+        set_bit(RXRPC_CALL_RELEASED, &call->flags);
         call->state = RXRPC_CALL_DEAD;
         rxrpc_put_call(call);
         _leave(" = -EEXIST [%p]", call);
@@ -491,15 +493,9 @@ void rxrpc_release_call(struct rxrpc_call *call)
                 spin_lock_bh(&call->lock);
                 while ((skb = skb_dequeue(&call->rx_queue)) ||
                        (skb = skb_dequeue(&call->rx_oos_queue))) {
-                        sp = rxrpc_skb(skb);
-                        if (sp->call) {
-                                ASSERTCMP(sp->call, ==, call);
-                                rxrpc_put_call(call);
-                                sp->call = NULL;
-                        }
-                        skb->destructor = NULL;
                         spin_unlock_bh(&call->lock);
 
+                        sp = rxrpc_skb(skb);
                         _debug("- zap %s %%%u #%u",
                                rxrpc_pkts[sp->hdr.type],
                                sp->hdr.serial, sp->hdr.seq);
@@ -605,6 +601,7 @@ void __rxrpc_put_call(struct rxrpc_call *call)
 
         if (atomic_dec_and_test(&call->usage)) {
                 _debug("call %d dead", call->debug_id);
+                WARN_ON(atomic_read(&call->skb_count) != 0);
                 ASSERTCMP(call->state, ==, RXRPC_CALL_DEAD);
                 rxrpc_queue_work(&call->destroyer);
         }
diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
index 991a20d25093..70bb77818dea 100644
--- a/net/rxrpc/input.c
+++ b/net/rxrpc/input.c
@@ -55,9 +55,6 @@ int rxrpc_queue_rcv_skb(struct rxrpc_call *call, struct sk_buff *skb,
         if (test_bit(RXRPC_CALL_TERMINAL_MSG, &call->flags)) {
                 _debug("already terminated");
                 ASSERTCMP(call->state, >=, RXRPC_CALL_COMPLETE);
-                skb->destructor = NULL;
-                sp->call = NULL;
-                rxrpc_put_call(call);
                 rxrpc_free_skb(skb);
                 return 0;
         }
@@ -111,13 +108,7 @@ int rxrpc_queue_rcv_skb(struct rxrpc_call *call, struct sk_buff *skb,
         ret = 0;
 
 out:
-        /* release the socket buffer */
-        if (skb) {
-                skb->destructor = NULL;
-                sp->call = NULL;
-                rxrpc_put_call(call);
-                rxrpc_free_skb(skb);
-        }
+        rxrpc_free_skb(skb);
 
         _leave(" = %d", ret);
         return ret;
@@ -133,11 +124,15 @@ static int rxrpc_fast_process_data(struct rxrpc_call *call,
         struct rxrpc_skb_priv *sp;
         bool terminal;
         int ret, ackbit, ack;
+        u32 serial;
+        u8 flags;
 
         _enter("{%u,%u},,{%u}", call->rx_data_post, call->rx_first_oos, seq);
 
         sp = rxrpc_skb(skb);
         ASSERTCMP(sp->call, ==, NULL);
+        flags = sp->hdr.flags;
+        serial = sp->hdr.serial;
 
         spin_lock(&call->lock);
 
@@ -200,8 +195,9 @@ static int rxrpc_fast_process_data(struct rxrpc_call *call,
 
         sp->call = call;
         rxrpc_get_call(call);
-        terminal = ((sp->hdr.flags & RXRPC_LAST_PACKET) &&
-                    !(sp->hdr.flags & RXRPC_CLIENT_INITIATED));
+        atomic_inc(&call->skb_count);
+        terminal = ((flags & RXRPC_LAST_PACKET) &&
+                    !(flags & RXRPC_CLIENT_INITIATED));
         ret = rxrpc_queue_rcv_skb(call, skb, false, terminal);
         if (ret < 0) {
                 if (ret == -ENOMEM || ret == -ENOBUFS) {
@@ -213,12 +209,13 @@ static int rxrpc_fast_process_data(struct rxrpc_call *call,
         }
 
         skb = NULL;
+        sp = NULL;
 
         _debug("post #%u", seq);
         ASSERTCMP(call->rx_data_post, ==, seq);
         call->rx_data_post++;
 
-        if (sp->hdr.flags & RXRPC_LAST_PACKET)
+        if (flags & RXRPC_LAST_PACKET)
                 set_bit(RXRPC_CALL_RCVD_LAST, &call->flags);
 
         /* if we've reached an out of sequence packet then we need to drain
@@ -234,7 +231,7 @@ static int rxrpc_fast_process_data(struct rxrpc_call *call,
 
         spin_unlock(&call->lock);
         atomic_inc(&call->ackr_not_idle);
-        rxrpc_propose_ACK(call, RXRPC_ACK_DELAY, sp->hdr.serial, false);
+        rxrpc_propose_ACK(call, RXRPC_ACK_DELAY, serial, false);
         _leave(" = 0 [posted]");
         return 0;
 
@@ -247,7 +244,7 @@ out:
 
 discard_and_ack:
         _debug("discard and ACK packet %p", skb);
-        __rxrpc_propose_ACK(call, ack, sp->hdr.serial, true);
+        __rxrpc_propose_ACK(call, ack, serial, true);
 discard:
         spin_unlock(&call->lock);
         rxrpc_free_skb(skb);
@@ -255,7 +252,7 @@ discard:
         return 0;
 
 enqueue_and_ack:
-        __rxrpc_propose_ACK(call, ack, sp->hdr.serial, true);
+        __rxrpc_propose_ACK(call, ack, serial, true);
 enqueue_packet:
         _net("defer skb %p", skb);
         spin_unlock(&call->lock);
@@ -575,13 +572,13 @@ done:
  * post connection-level events to the connection
  * - this includes challenges, responses and some aborts
  */
-static bool rxrpc_post_packet_to_conn(struct rxrpc_connection *conn,
+static void rxrpc_post_packet_to_conn(struct rxrpc_connection *conn,
                                       struct sk_buff *skb)
 {
         _enter("%p,%p", conn, skb);
 
         skb_queue_tail(&conn->rx_queue, skb);
-        return rxrpc_queue_conn(conn);
+        rxrpc_queue_conn(conn);
 }
 
 /*
@@ -702,7 +699,6 @@ void rxrpc_data_ready(struct sock *sk)
 
         rcu_read_lock();
 
-retry_find_conn:
         conn = rxrpc_find_connection_rcu(local, skb);
         if (!conn)
                 goto cant_route_call;
@@ -710,8 +706,7 @@ retry_find_conn:
         if (sp->hdr.callNumber == 0) {
                 /* Connection-level packet */
                 _debug("CONN %p {%d}", conn, conn->debug_id);
-                if (!rxrpc_post_packet_to_conn(conn, skb))
-                        goto retry_find_conn;
+                rxrpc_post_packet_to_conn(conn, skb);
         } else {
                 /* Call-bound packets are routed by connection channel. */
                 unsigned int channel = sp->hdr.cid & RXRPC_CHANNELMASK;
@@ -749,6 +744,8 @@ cant_route_call:
         if (sp->hdr.type != RXRPC_PACKET_TYPE_ABORT) {
                 _debug("reject type %d",sp->hdr.type);
                 rxrpc_reject_packet(local, skb);
+        } else {
+                rxrpc_free_skb(skb);
         }
         _leave(" [no call]");
         return;
diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
index a3fa2ed85d63..9ed66d533002 100644
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -203,6 +203,9 @@ int rxrpc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
                 }
 
                 /* we transferred the whole data packet */
+                if (!(flags & MSG_PEEK))
+                        rxrpc_kernel_data_consumed(call, skb);
+
                 if (sp->hdr.flags & RXRPC_LAST_PACKET) {
                         _debug("last");
                         if (rxrpc_conn_is_client(call->conn)) {
@@ -360,28 +363,6 @@ wait_error:
 }
 
 /**
- * rxrpc_kernel_data_delivered - Record delivery of data message
- * @skb: Message holding data
- *
- * Record the delivery of a data message.  This permits RxRPC to keep its
- * tracking correct.  The socket buffer will be deleted.
- */
-void rxrpc_kernel_data_delivered(struct sk_buff *skb)
-{
-        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
-        struct rxrpc_call *call = sp->call;
-
-        ASSERTCMP(sp->hdr.seq, >=, call->rx_data_recv);
-        ASSERTCMP(sp->hdr.seq, <=, call->rx_data_recv + 1);
-        call->rx_data_recv = sp->hdr.seq;
-
-        ASSERTCMP(sp->hdr.seq, >, call->rx_data_eaten);
-        rxrpc_free_skb(skb);
-}
-
-EXPORT_SYMBOL(rxrpc_kernel_data_delivered);
-
-/**
  * rxrpc_kernel_is_data_last - Determine if data message is last one
  * @skb: Message holding data
  *
diff --git a/net/rxrpc/skbuff.c b/net/rxrpc/skbuff.c
index eee0cfd9ac8c..06c51d4b622d 100644
--- a/net/rxrpc/skbuff.c
+++ b/net/rxrpc/skbuff.c
@@ -98,11 +98,39 @@ static void rxrpc_hard_ACK_data(struct rxrpc_call *call,
         spin_unlock_bh(&call->lock);
 }
 
+/**
+ * rxrpc_kernel_data_consumed - Record consumption of data message
+ * @call: The call to which the message pertains.
+ * @skb: Message holding data
+ *
+ * Record the consumption of a data message and generate an ACK if appropriate.
+ * The call state is shifted if this was the final packet.  The caller must be
+ * in process context with no spinlocks held.
+ *
+ * TODO: Actually generate the ACK here rather than punting this to the
+ * workqueue.
+ */
+void rxrpc_kernel_data_consumed(struct rxrpc_call *call, struct sk_buff *skb)
+{
+        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
+
+        _enter("%d,%p{%u}", call->debug_id, skb, sp->hdr.seq);
+
+        ASSERTCMP(sp->call, ==, call);
+        ASSERTCMP(sp->hdr.type, ==, RXRPC_PACKET_TYPE_DATA);
+
+        /* TODO: Fix the sequence number tracking */
+        ASSERTCMP(sp->hdr.seq, >=, call->rx_data_recv);
+        ASSERTCMP(sp->hdr.seq, <=, call->rx_data_recv + 1);
+        ASSERTCMP(sp->hdr.seq, >, call->rx_data_eaten);
+
+        call->rx_data_recv = sp->hdr.seq;
+        rxrpc_hard_ACK_data(call, sp);
+}
+EXPORT_SYMBOL(rxrpc_kernel_data_consumed);
+
 /*
- * destroy a packet that has an RxRPC control buffer
- * - advance the hard-ACK state of the parent call (done here in case something
- *   in the kernel bypasses recvmsg() and steals the packet directly off of the
- *   socket receive queue)
+ * Destroy a packet that has an RxRPC control buffer
  */
 void rxrpc_packet_destructor(struct sk_buff *skb)
 {
@@ -112,9 +140,8 @@ void rxrpc_packet_destructor(struct sk_buff *skb)
         _enter("%p{%p}", skb, call);
 
         if (call) {
-                /* send the final ACK on a client call */
-                if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA)
-                        rxrpc_hard_ACK_data(call, sp);
+                if (atomic_dec_return(&call->skb_count) < 0)
+                        BUG();
                 rxrpc_put_call(call);
                 sp->call = NULL;
         }
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index e4a5f2607ffa..d09d0687594b 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -64,7 +64,6 @@ int __tcf_hash_release(struct tc_action *p, bool bind, bool strict)
                 if (p->tcfa_bindcnt <= 0 && p->tcfa_refcnt <= 0) {
                         if (p->ops->cleanup)
                                 p->ops->cleanup(p, bind);
-                        list_del(&p->list);
                         tcf_hash_destroy(p->hinfo, p);
                         ret = ACT_P_DELETED;
                 }
@@ -421,18 +420,19 @@ static struct tc_action_ops *tc_lookup_action(struct nlattr *kind)
         return res;
 }
 
-int tcf_action_exec(struct sk_buff *skb, const struct list_head *actions,
-                    struct tcf_result *res)
+int tcf_action_exec(struct sk_buff *skb, struct tc_action **actions,
+                    int nr_actions, struct tcf_result *res)
 {
-        const struct tc_action *a;
-        int ret = -1;
+        int ret = -1, i;
 
         if (skb->tc_verd & TC_NCLS) {
                 skb->tc_verd = CLR_TC_NCLS(skb->tc_verd);
                 ret = TC_ACT_OK;
                 goto exec_done;
         }
-        list_for_each_entry(a, actions, list) {
+        for (i = 0; i < nr_actions; i++) {
+                const struct tc_action *a = actions[i];
+
 repeat:
                 ret = a->ops->act(skb, a, res);
                 if (ret == TC_ACT_REPEAT)
@@ -754,16 +754,6 @@ err_out:
         return ERR_PTR(err);
 }
 
-static void cleanup_a(struct list_head *actions)
-{
-        struct tc_action *a, *tmp;
-
-        list_for_each_entry_safe(a, tmp, actions, list) {
-                list_del(&a->list);
-                kfree(a);
-        }
-}
-
 static int tca_action_flush(struct net *net, struct nlattr *nla,
                             struct nlmsghdr *n, u32 portid)
 {
@@ -905,7 +895,7 @@ tca_action_gd(struct net *net, struct nlattr *nla, struct nlmsghdr *n,
                 return ret;
         }
 err:
-        cleanup_a(&actions);
+        tcf_action_destroy(&actions, 0);
         return ret;
 }
 
@@ -942,15 +932,9 @@ tcf_action_add(struct net *net, struct nlattr *nla, struct nlmsghdr *n,
 
         ret = tcf_action_init(net, nla, NULL, NULL, ovr, 0, &actions);
         if (ret)
-                goto done;
+                return ret;
 
-        /* dump then free all the actions after update; inserted policy
-         * stays intact
-         */
-        ret = tcf_add_notify(net, n, &actions, portid);
-        cleanup_a(&actions);
-done:
-        return ret;
+        return tcf_add_notify(net, n, &actions, portid);
 }
 
 static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n)
diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index b3c7e975fc9e..8a3be1d99775 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -63,49 +63,8 @@ static int tcf_act_police_walker(struct net *net, struct sk_buff *skb,
                                  const struct tc_action_ops *ops)
 {
         struct tc_action_net *tn = net_generic(net, police_net_id);
-        struct tcf_hashinfo *hinfo = tn->hinfo;
-        int err = 0, index = -1, i = 0, s_i = 0, n_i = 0;
-        struct nlattr *nest;
-
-        spin_lock_bh(&hinfo->lock);
-
-        s_i = cb->args[0];
-
-        for (i = 0; i < (POL_TAB_MASK + 1); i++) {
-                struct hlist_head *head;
-                struct tc_action *p;
-
-                head = &hinfo->htab[tcf_hash(i, POL_TAB_MASK)];
-
-                hlist_for_each_entry_rcu(p, head, tcfa_head) {
-                        index++;
-                        if (index < s_i)
-                                continue;
-                        nest = nla_nest_start(skb, index);
-                        if (nest == NULL)
-                                goto nla_put_failure;
-                        if (type == RTM_DELACTION)
-                                err = tcf_action_dump_1(skb, p, 0, 1);
-                        else
-                                err = tcf_action_dump_1(skb, p, 0, 0);
-                        if (err < 0) {
-                                index--;
-                                nla_nest_cancel(skb, nest);
-                                goto done;
-                        }
-                        nla_nest_end(skb, nest);
-                        n_i++;
-                }
-        }
-done:
-        spin_unlock_bh(&hinfo->lock);
-        if (n_i)
-                cb->args[0] += n_i;
-        return n_i;
 
-nla_put_failure:
-        nla_nest_cancel(skb, nest);
-        goto done;
+        return tcf_generic_walker(tn, skb, cb, type, ops);
 }
 
 static const struct nla_policy police_policy[TCA_POLICE_MAX + 1] = {
@@ -125,6 +84,7 @@ static int tcf_act_police_init(struct net *net, struct nlattr *nla,
         struct tcf_police *police;
         struct qdisc_rate_table *R_tab = NULL, *P_tab = NULL;
         struct tc_action_net *tn = net_generic(net, police_net_id);
+        bool exists = false;
         int size;
 
         if (nla == NULL)
@@ -139,24 +99,24 @@ static int tcf_act_police_init(struct net *net, struct nlattr *nla,
         size = nla_len(tb[TCA_POLICE_TBF]);
         if (size != sizeof(*parm) && size != sizeof(struct tc_police_compat))
                 return -EINVAL;
+
         parm = nla_data(tb[TCA_POLICE_TBF]);
+        exists = tcf_hash_check(tn, parm->index, a, bind);
+        if (exists && bind)
+                return 0;
 
-        if (parm->index) {
-                if (tcf_hash_check(tn, parm->index, a, bind)) {
-                        if (ovr)
-                                goto override;
-                        /* not replacing */
-                        return -EEXIST;
-                }
-        } else {
+        if (!exists) {
                 ret = tcf_hash_create(tn, parm->index, NULL, a,
                                       &act_police_ops, bind, false);
                 if (ret)
                         return ret;
                 ret = ACT_P_CREATED;
+        } else {
+                tcf_hash_release(*a, bind);
+                if (!ovr)
+                        return -EEXIST;
         }
 
-override:
         police = to_police(*a);
         if (parm->rate.rate) {
                 err = -ENOMEM;
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 843a716a4303..a7c5645373af 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -541,8 +541,12 @@ out:
 void tcf_exts_destroy(struct tcf_exts *exts)
 {
 #ifdef CONFIG_NET_CLS_ACT
-        tcf_action_destroy(&exts->actions, TCA_ACT_UNBIND);
-        INIT_LIST_HEAD(&exts->actions);
+        LIST_HEAD(actions);
+
+        tcf_exts_to_list(exts, &actions);
+        tcf_action_destroy(&actions, TCA_ACT_UNBIND);
+        kfree(exts->actions);
+        exts->nr_actions = 0;
 #endif
 }
 EXPORT_SYMBOL(tcf_exts_destroy);
@@ -554,7 +558,6 @@ int tcf_exts_validate(struct net *net, struct tcf_proto *tp, struct nlattr **tb,
         {
                 struct tc_action *act;
 
-                INIT_LIST_HEAD(&exts->actions);
                 if (exts->police && tb[exts->police]) {
                         act = tcf_action_init_1(net, tb[exts->police], rate_tlv,
                                                 "police", ovr,
@@ -563,14 +566,20 @@ int tcf_exts_validate(struct net *net, struct tcf_proto *tp, struct nlattr **tb,
                                 return PTR_ERR(act);
 
                         act->type = exts->type = TCA_OLD_COMPAT;
-                        list_add(&act->list, &exts->actions);
+                        exts->actions[0] = act;
+                        exts->nr_actions = 1;
                 } else if (exts->action && tb[exts->action]) {
-                        int err;
+                        LIST_HEAD(actions);
+                        int err, i = 0;
+
                         err = tcf_action_init(net, tb[exts->action], rate_tlv,
                                               NULL, ovr,
-                                              TCA_ACT_BIND, &exts->actions);
+                                              TCA_ACT_BIND, &actions);
                         if (err)
                                 return err;
+                        list_for_each_entry(act, &actions, list)
+                                exts->actions[i++] = act;
+                        exts->nr_actions = i;
                 }
         }
 #else
@@ -587,37 +596,49 @@ void tcf_exts_change(struct tcf_proto *tp, struct tcf_exts *dst,
                      struct tcf_exts *src)
 {
 #ifdef CONFIG_NET_CLS_ACT
-        LIST_HEAD(tmp);
+        struct tcf_exts old = *dst;
+
         tcf_tree_lock(tp);
-        list_splice_init(&dst->actions, &tmp);
-        list_splice(&src->actions, &dst->actions);
+        dst->nr_actions = src->nr_actions;
+        dst->actions = src->actions;
         dst->type = src->type;
         tcf_tree_unlock(tp);
-        tcf_action_destroy(&tmp, TCA_ACT_UNBIND);
+
+        tcf_exts_destroy(&old);
 #endif
 }
 EXPORT_SYMBOL(tcf_exts_change);
 
-#define tcf_exts_first_act(ext)                                 \
-        list_first_entry_or_null(&(exts)->actions,              \
-                                 struct tc_action, list)
+#ifdef CONFIG_NET_CLS_ACT
+static struct tc_action *tcf_exts_first_act(struct tcf_exts *exts)
+{
+        if (exts->nr_actions == 0)
+                return NULL;
+        else
+                return exts->actions[0];
+}
+#endif
 
 int tcf_exts_dump(struct sk_buff *skb, struct tcf_exts *exts)
 {
 #ifdef CONFIG_NET_CLS_ACT
         struct nlattr *nest;
 
-        if (exts->action && !list_empty(&exts->actions)) {
+        if (exts->action && exts->nr_actions) {
                 /*
                  * again for backward compatible mode - we want
                  * to work with both old and new modes of entering
                  * tc data even if iproute2  was newer - jhs
                  */
                 if (exts->type != TCA_OLD_COMPAT) {
+                        LIST_HEAD(actions);
+
                         nest = nla_nest_start(skb, exts->action);
                         if (nest == NULL)
                                 goto nla_put_failure;
-                        if (tcf_action_dump(skb, &exts->actions, 0, 0) < 0)
+
+                        tcf_exts_to_list(exts, &actions);
+                        if (tcf_action_dump(skb, &actions, 0, 0) < 0)
                                 goto nla_put_failure;
                         nla_nest_end(skb, nest);
                 } else if (exts->police) {
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index 4cb5aedfe3ee..ef8ba77a5bea 100644
--- a/net/sctp/proc.c
+++ b/net/sctp/proc.c
@@ -293,6 +293,7 @@ static void *sctp_transport_seq_start(struct seq_file *seq, loff_t *pos)
                 return ERR_PTR(err);
         }
 
+        iter->start_fail = 0;
         return sctp_transport_get_idx(seq_file_net(seq), &iter->hti, *pos);
 }
 
diff --git a/net/sctp/sctp_diag.c b/net/sctp/sctp_diag.c
index f69edcf219e5..bb691538adc8 100644
--- a/net/sctp/sctp_diag.c
+++ b/net/sctp/sctp_diag.c
@@ -13,6 +13,7 @@ static void inet_diag_msg_sctpasoc_fill(struct inet_diag_msg *r,
 {
         union sctp_addr laddr, paddr;
         struct dst_entry *dst;
+        struct timer_list *t3_rtx = &asoc->peer.primary_path->T3_rtx_timer;
 
         laddr = list_entry(asoc->base.bind_addr.address_list.next,
                            struct sctp_sockaddr_entry, list)->a;
@@ -40,10 +41,15 @@ static void inet_diag_msg_sctpasoc_fill(struct inet_diag_msg *r,
         }
 
         r->idiag_state = asoc->state;
-        r->idiag_timer = SCTP_EVENT_TIMEOUT_T3_RTX;
-        r->idiag_retrans = asoc->rtx_data_chunks;
-        r->idiag_expires = jiffies_to_msecs(
-                asoc->timeouts[SCTP_EVENT_TIMEOUT_T3_RTX] - jiffies);
+        if (timer_pending(t3_rtx)) {
+                r->idiag_timer = SCTP_EVENT_TIMEOUT_T3_RTX;
+                r->idiag_retrans = asoc->rtx_data_chunks;
+                r->idiag_expires = jiffies_to_msecs(t3_rtx->expires - jiffies);
+        } else {
+                r->idiag_timer = 0;
+                r->idiag_retrans = 0;
+                r->idiag_expires = 0;
+        }
 }
 
 static int inet_diag_msg_sctpladdrs_fill(struct sk_buff *skb,
@@ -350,7 +356,7 @@ static int sctp_ep_dump(struct sctp_endpoint *ep, void *p)
         if (cb->args[4] < cb->args[1])
                 goto next;
 
-        if ((r->idiag_states & ~TCPF_LISTEN) && !list_empty(&ep->asocs))
+        if (!(r->idiag_states & TCPF_LISTEN) && !list_empty(&ep->asocs))
                 goto next;
 
         if (r->sdiag_family != AF_UNSPEC &&
@@ -465,7 +471,7 @@ skip:
          * 3 : to mark if we have dumped the ep info of the current asoc
          * 4 : to work as a temporary variable to traversal list
          */
-        if (!(idiag_states & ~TCPF_LISTEN))
+        if (!(idiag_states & ~(TCPF_LISTEN | TCPF_CLOSE)))
                 goto done;
         sctp_for_each_transport(sctp_tsp_dump, net, cb->args[2], &commp);
 done:
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
index 1bc4f71aaba8..d85b803da11d 100644
--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -702,14 +702,14 @@ struct sctp_ulpevent *sctp_ulpevent_make_rcvmsg(struct sctp_association *asoc,
          */
         sctp_ulpevent_init(event, 0, skb->len + sizeof(struct sk_buff));
 
-        sctp_ulpevent_receive_data(event, asoc);
-
         /* And hold the chunk as we need it for getting the IP headers
          * later in recvmsg
          */
         sctp_chunk_hold(chunk);
         event->chunk = chunk;
 
+        sctp_ulpevent_receive_data(event, asoc);
+
         event->stream = ntohs(chunk->subh.data_hdr->stream);
         event->ssn = ntohs(chunk->subh.data_hdr->ssn);
         event->ppid = chunk->subh.data_hdr->ppid;
diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
index b62caa1c770c..ed97a5876ebe 100644
--- a/net/tipc/monitor.c
+++ b/net/tipc/monitor.c
@@ -728,12 +728,13 @@ int tipc_nl_add_monitor_peer(struct net *net, struct tipc_nl_msg *msg,
                              u32 bearer_id, u32 *prev_node)
 {
         struct tipc_monitor *mon = tipc_monitor(net, bearer_id);
-        struct tipc_peer *peer = mon->self;
+        struct tipc_peer *peer;
 
         if (!mon)
                 return -EINVAL;
 
         read_lock_bh(&mon->lock);
+        peer = mon->self;
         do {
                 if (*prev_node) {
                         if (peer->addr == *prev_node)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index c49b8df438cb..f9f5f3c3dab5 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2180,7 +2180,8 @@ restart:
                                               TIPC_CONN_MSG, SHORT_H_SIZE,
                                               0, dnode, onode, dport, oport,
                                               TIPC_CONN_SHUTDOWN);
-                        tipc_node_xmit_skb(net, skb, dnode, tsk->portid);
+                        if (skb)
+                                tipc_node_xmit_skb(net, skb, dnode, tsk->portid);
                 }
                 tsk->connected = 0;
                 sock->state = SS_DISCONNECTING;
diff --git a/net/wireless/chan.c b/net/wireless/chan.c
index b0e11b6dc994..0f506220a3bd 100644
--- a/net/wireless/chan.c
+++ b/net/wireless/chan.c
@@ -513,6 +513,7 @@ static bool cfg80211_chandef_dfs_available(struct wiphy *wiphy,
                 r = cfg80211_get_chans_dfs_available(wiphy,
                                                      chandef->center_freq2,
                                                      width);
+                break;
         default:
                 WARN_ON(chandef->center_freq2);
                 break;
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 46417f9cce68..f02653a08993 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5380,6 +5380,7 @@ static int nl80211_parse_mesh_config(struct genl_info *info,
 {
         struct nlattr *tb[NL80211_MESHCONF_ATTR_MAX + 1];
         u32 mask = 0;
+        u16 ht_opmode;
 
 #define FILL_IN_MESH_PARAM_IF_SET(tb, cfg, param, min, max, mask, attr, fn) \
 do {                                                                        \
@@ -5471,9 +5472,36 @@ do {									    \
         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, rssi_threshold, -255, 0,
                                   mask, NL80211_MESHCONF_RSSI_THRESHOLD,
                                   nl80211_check_s32);
-        FILL_IN_MESH_PARAM_IF_SET(tb, cfg, ht_opmode, 0, 16,
-                                  mask, NL80211_MESHCONF_HT_OPMODE,
-                                  nl80211_check_u16);
+        /*
+         * Check HT operation mode based on
+         * IEEE 802.11 2012 8.4.2.59 HT Operation element.
+         */
+        if (tb[NL80211_MESHCONF_HT_OPMODE]) {
+                ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]);
+
+                if (ht_opmode & ~(IEEE80211_HT_OP_MODE_PROTECTION |
+                                  IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT |
+                                  IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
+                        return -EINVAL;
+
+                if ((ht_opmode & IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT) &&
+                    (ht_opmode & IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
+                        return -EINVAL;
+
+                switch (ht_opmode & IEEE80211_HT_OP_MODE_PROTECTION) {
+                case IEEE80211_HT_OP_MODE_PROTECTION_NONE:
+                case IEEE80211_HT_OP_MODE_PROTECTION_20MHZ:
+                        if (ht_opmode & IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT)
+                                return -EINVAL;
+                        break;
+                case IEEE80211_HT_OP_MODE_PROTECTION_NONMEMBER:
+                case IEEE80211_HT_OP_MODE_PROTECTION_NONHT_MIXED:
+                        if (!(ht_opmode & IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT))
+                                return -EINVAL;
+                        break;
+                }
+                cfg->ht_opmode = ht_opmode;
+        }
         FILL_IN_MESH_PARAM_IF_SET(tb, cfg, dot11MeshHWMPactivePathToRootTimeout,
                                   1, 65535, mask,
                                   NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT,