Backmerge tag 'v4.16-rc7' into drm-next

Linux 4.16-rc7 This was requested by Daniel, and things were getting a bit hard to reconcile, most of the conflicts were trivial though.
author: Dave Airlie <airlied@redhat.com> 2018-03-28 00:30:41 -0400
committer: Dave Airlie <airlied@redhat.com> 2018-03-28 00:30:41 -0400
commit: 2b4f44eec2be2688511c2b617d0e1b4f94c45ba4 (patch)
tree: 533c03602f4ae6d6404db6fa56c88e6f83e1bebe /net
parent: 33d009cd889490838c5db9b9339856c9e3d3facc (diff)
parent: 3eb2ce825ea1ad89d20f7a3b5780df850e4be274 (diff)
199 files changed, 1540 insertions, 1088 deletions
diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c
index 64aa9f755e1d..45c9bf5ff3a0 100644
--- a/net/8021q/vlan_core.c
+++ b/net/8021q/vlan_core.c
@@ -48,8 +48,8 @@ bool vlan_do_receive(struct sk_buff **skbp)
                 * original position later
                 */
                skb_push(skb, offset);
-                skb = *skbp = vlan_insert_tag(skb, skb->vlan_proto,
+                skb = *skbp = vlan_insert_inner_tag(skb, skb->vlan_proto,
-                                              skb->vlan_tci);
+                                                    skb->vlan_tci, skb->mac_len);
                if (!skb)
                        return false;
                skb_pull(skb, offset + VLAN_HLEN);
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index f3a4efcf1456..3aa5a93ad107 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -160,7 +160,8 @@ static void req_done(struct virtqueue *vq)
                spin_unlock_irqrestore(&chan->lock, flags);
                /* Wakeup if anyone waiting for VirtIO ring space. */
                wake_up(chan->vc_wq);
-                p9_client_cb(chan->client, req, REQ_STATUS_RCVD);
+                if (len)
+                        p9_client_cb(chan->client, req, REQ_STATUS_RCVD);
        }
 }
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index 79e326383726..99abeadf416e 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -157,7 +157,7 @@ static void batadv_iv_ogm_orig_free(struct batadv_orig_node *orig_node)
 * Return: 0 on success, a negative error code otherwise.
 */
 static int batadv_iv_ogm_orig_add_if(struct batadv_orig_node *orig_node,
-                                     int max_if_num)
+                                     unsigned int max_if_num)
 {
        void *data_ptr;
        size_t old_size;
@@ -201,7 +201,8 @@ unlock:
 */
 static void
 batadv_iv_ogm_drop_bcast_own_entry(struct batadv_orig_node *orig_node,
-                                   int max_if_num, int del_if_num)
+                                   unsigned int max_if_num,
+                                   unsigned int del_if_num)
 {
        size_t chunk_size;
        size_t if_offset;
@@ -239,7 +240,8 @@ batadv_iv_ogm_drop_bcast_own_entry(struct batadv_orig_node *orig_node,
 */
 static void
 batadv_iv_ogm_drop_bcast_own_sum_entry(struct batadv_orig_node *orig_node,
-                                       int max_if_num, int del_if_num)
+                                       unsigned int max_if_num,
+                                       unsigned int del_if_num)
 {
        size_t if_offset;
        void *data_ptr;
@@ -276,7 +278,8 @@ batadv_iv_ogm_drop_bcast_own_sum_entry(struct batadv_orig_node *orig_node,
 * Return: 0 on success, a negative error code otherwise.
 */
 static int batadv_iv_ogm_orig_del_if(struct batadv_orig_node *orig_node,
-                                     int max_if_num, int del_if_num)
+                                     unsigned int max_if_num,
+                                     unsigned int del_if_num)
 {
        spin_lock_bh(&orig_node->bat_iv.ogm_cnt_lock);
@@ -311,7 +314,8 @@ static struct batadv_orig_node *
 batadv_iv_ogm_orig_get(struct batadv_priv *bat_priv, const u8 *addr)
 {
        struct batadv_orig_node *orig_node;
-        int size, hash_added;
+        int hash_added;
+        size_t size;
        orig_node = batadv_orig_hash_find(bat_priv, addr);
        if (orig_node)
@@ -893,7 +897,7 @@ batadv_iv_ogm_slide_own_bcast_window(struct batadv_hard_iface *hard_iface)
        u32 i;
        size_t word_index;
        u8 *w;
-        int if_num;
+        unsigned int if_num;
        for (i = 0; i < hash->size; i++) {
                head = &hash->table[i];
@@ -1023,7 +1027,7 @@ batadv_iv_ogm_orig_update(struct batadv_priv *bat_priv,
        struct batadv_neigh_node *tmp_neigh_node = NULL;
        struct batadv_neigh_node *router = NULL;
        struct batadv_orig_node *orig_node_tmp;
-        int if_num;
+        unsigned int if_num;
        u8 sum_orig, sum_neigh;
        u8 *neigh_addr;
        u8 tq_avg;
@@ -1182,7 +1186,7 @@ static bool batadv_iv_ogm_calc_tq(struct batadv_orig_node *orig_node,
        u8 total_count;
        u8 orig_eq_count, neigh_rq_count, neigh_rq_inv, tq_own;
        unsigned int neigh_rq_inv_cube, neigh_rq_max_cube;
-        int if_num;
+        unsigned int if_num;
        unsigned int tq_asym_penalty, inv_asym_penalty;
        unsigned int combined_tq;
        unsigned int tq_iface_penalty;
@@ -1702,9 +1706,9 @@ static void batadv_iv_ogm_process(const struct sk_buff *skb, int ogm_offset,
        if (is_my_orig) {
                unsigned long *word;
-                int offset;
+                size_t offset;
                s32 bit_pos;
-                s16 if_num;
+                unsigned int if_num;
                u8 *weight;
                orig_neigh_node = batadv_iv_ogm_orig_get(bat_priv,
@@ -2729,7 +2733,7 @@ static int batadv_iv_gw_dump_entry(struct sk_buff *msg, u32 portid, u32 seq,
        struct batadv_neigh_ifinfo *router_ifinfo = NULL;
        struct batadv_neigh_node *router;
        struct batadv_gw_node *curr_gw;
-        int ret = -EINVAL;
+        int ret = 0;
        void *hdr;
        router = batadv_orig_router_get(gw_node->orig_node, BATADV_IF_DEFAULT);
diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c
index 27e165ac9302..c74f81341dab 100644
--- a/net/batman-adv/bat_v.c
+++ b/net/batman-adv/bat_v.c
@@ -928,7 +928,7 @@ static int batadv_v_gw_dump_entry(struct sk_buff *msg, u32 portid, u32 seq,
        struct batadv_neigh_ifinfo *router_ifinfo = NULL;
        struct batadv_neigh_node *router;
        struct batadv_gw_node *curr_gw;
-        int ret = -EINVAL;
+        int ret = 0;
        void *hdr;
        router = batadv_orig_router_get(gw_node->orig_node, BATADV_IF_DEFAULT);
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index fad47853ad3c..b1a08374088b 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -2161,22 +2161,25 @@ batadv_bla_claim_dump_bucket(struct sk_buff *msg, u32 portid, u32 seq,
 {
        struct batadv_bla_claim *claim;
        int idx = 0;
+        int ret = 0;
        rcu_read_lock();
        hlist_for_each_entry_rcu(claim, head, hash_entry) {
                if (idx++ < *idx_skip)
                        continue;
-                if (batadv_bla_claim_dump_entry(msg, portid, seq,
-                                                primary_if, claim)) {
+                ret = batadv_bla_claim_dump_entry(msg, portid, seq,
+                                                  primary_if, claim);
+                if (ret) {
                        *idx_skip = idx - 1;
                        goto unlock;
                }
        }
-        *idx_skip = idx;
+        *idx_skip = 0;
 unlock:
        rcu_read_unlock();
-        return 0;
+        return ret;
 }
 /**
@@ -2391,22 +2394,25 @@ batadv_bla_backbone_dump_bucket(struct sk_buff *msg, u32 portid, u32 seq,
 {
        struct batadv_bla_backbone_gw *backbone_gw;
        int idx = 0;
+        int ret = 0;
        rcu_read_lock();
        hlist_for_each_entry_rcu(backbone_gw, head, hash_entry) {
                if (idx++ < *idx_skip)
                        continue;
-                if (batadv_bla_backbone_dump_entry(msg, portid, seq,
-                                                   primary_if, backbone_gw)) {
+                ret = batadv_bla_backbone_dump_entry(msg, portid, seq,
+                                                     primary_if, backbone_gw);
+                if (ret) {
                        *idx_skip = idx - 1;
                        goto unlock;
                }
        }
-        *idx_skip = idx;
+        *idx_skip = 0;
 unlock:
        rcu_read_unlock();
-        return 0;
+        return ret;
 }
 /**
diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
index 9703c791ffc5..87cd962d28d5 100644
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -393,7 +393,7 @@ static void batadv_dbg_arp(struct batadv_priv *bat_priv, struct sk_buff *skb,
                   batadv_arp_hw_src(skb, hdr_size), &ip_src,
                   batadv_arp_hw_dst(skb, hdr_size), &ip_dst);
-        if (hdr_size == 0)
+        if (hdr_size < sizeof(struct batadv_unicast_packet))
                return;
        unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
index 22dde42fd80e..5afe641ee4b0 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -288,7 +288,8 @@ batadv_frag_merge_packets(struct hlist_head *chain)
        /* Move the existing MAC header to just before the payload. (Override
         * the fragment header.)
         */
-        skb_pull_rcsum(skb_out, hdr_size);
+        skb_pull(skb_out, hdr_size);
+        skb_out->ip_summed = CHECKSUM_NONE;
        memmove(skb_out->data - ETH_HLEN, skb_mac_header(skb_out), ETH_HLEN);
        skb_set_mac_header(skb_out, -ETH_HLEN);
        skb_reset_network_header(skb_out);
diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
index 5f186bff284a..68b54a39c51d 100644
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -763,6 +763,11 @@ int batadv_hardif_enable_interface(struct batadv_hard_iface *hard_iface,
        hard_iface->soft_iface = soft_iface;
        bat_priv = netdev_priv(hard_iface->soft_iface);
+        if (bat_priv->num_ifaces >= UINT_MAX) {
+                ret = -ENOSPC;
+                goto err_dev;
+        }
        ret = netdev_master_upper_dev_link(hard_iface->net_dev,
                                           soft_iface, NULL, NULL, NULL);
        if (ret)
@@ -876,7 +881,7 @@ void batadv_hardif_disable_interface(struct batadv_hard_iface *hard_iface,
        batadv_hardif_recalc_extra_skbroom(hard_iface->soft_iface);
        /* nobody uses this interface anymore */
-        if (!bat_priv->num_ifaces) {
+        if (bat_priv->num_ifaces == 0) {
                batadv_gw_check_client_stop(bat_priv);
                if (autodel == BATADV_IF_CLEANUP_AUTO)
@@ -912,7 +917,7 @@ batadv_hardif_add_interface(struct net_device *net_dev)
        if (ret)
                goto free_if;
-        hard_iface->if_num = -1;
+        hard_iface->if_num = 0;
        hard_iface->net_dev = net_dev;
        hard_iface->soft_iface = NULL;
        hard_iface->if_status = BATADV_IF_NOT_IN_USE;
diff --git a/net/batman-adv/icmp_socket.c b/net/batman-adv/icmp_socket.c
index e91f29c7c638..5daa3d50da17 100644
--- a/net/batman-adv/icmp_socket.c
+++ b/net/batman-adv/icmp_socket.c
@@ -24,6 +24,7 @@
 #include <linux/debugfs.h>
 #include <linux/errno.h>
 #include <linux/etherdevice.h>
+#include <linux/eventpoll.h>
 #include <linux/export.h>
 #include <linux/fcntl.h>
 #include <linux/fs.h>
diff --git a/net/batman-adv/log.c b/net/batman-adv/log.c
index dc9fa37ddd14..cdbe0e5e208b 100644
--- a/net/batman-adv/log.c
+++ b/net/batman-adv/log.c
@@ -22,6 +22,7 @@
 #include <linux/compiler.h>
 #include <linux/debugfs.h>
 #include <linux/errno.h>
+#include <linux/eventpoll.h>
 #include <linux/export.h>
 #include <linux/fcntl.h>
 #include <linux/fs.h>
diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c
index cbdeb47ec3f6..d70640135e3a 100644
--- a/net/batman-adv/multicast.c
+++ b/net/batman-adv/multicast.c
@@ -543,8 +543,8 @@ update:
                bat_priv->mcast.enabled = true;
        }
-        return !(mcast_data.flags &
+        return !(mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV4 &&
-                 (BATADV_MCAST_WANT_ALL_IPV4 | BATADV_MCAST_WANT_ALL_IPV6));
+                 mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV6);
 }
 /**
diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c
index 58a7d9274435..74782426bb77 100644
--- a/net/batman-adv/originator.c
+++ b/net/batman-adv/originator.c
@@ -1569,7 +1569,7 @@ int batadv_orig_dump(struct sk_buff *msg, struct netlink_callback *cb)
 * Return: 0 on success or negative error number in case of failure
 */
 int batadv_orig_hash_add_if(struct batadv_hard_iface *hard_iface,
-                            int max_if_num)
+                            unsigned int max_if_num)
 {
        struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
        struct batadv_algo_ops *bao = bat_priv->algo_ops;
@@ -1611,7 +1611,7 @@ err:
 * Return: 0 on success or negative error number in case of failure
 */
 int batadv_orig_hash_del_if(struct batadv_hard_iface *hard_iface,
-                            int max_if_num)
+                            unsigned int max_if_num)
 {
        struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
        struct batadv_hashtable *hash = bat_priv->orig_hash;
diff --git a/net/batman-adv/originator.h b/net/batman-adv/originator.h
index 8e543a3cdc6c..15d896b2de6f 100644
--- a/net/batman-adv/originator.h
+++ b/net/batman-adv/originator.h
@@ -73,9 +73,9 @@ int batadv_orig_seq_print_text(struct seq_file *seq, void *offset);
 int batadv_orig_dump(struct sk_buff *msg, struct netlink_callback *cb);
 int batadv_orig_hardif_seq_print_text(struct seq_file *seq, void *offset);
 int batadv_orig_hash_add_if(struct batadv_hard_iface *hard_iface,
-                            int max_if_num);
+                            unsigned int max_if_num);
 int batadv_orig_hash_del_if(struct batadv_hard_iface *hard_iface,
-                            int max_if_num);
+                            unsigned int max_if_num);
 struct batadv_orig_node_vlan *
 batadv_orig_node_vlan_new(struct batadv_orig_node *orig_node,
                          unsigned short vid);
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index b6891e8b741c..e61dc1293bb5 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -759,6 +759,7 @@ free_skb:
 /**
 * batadv_reroute_unicast_packet() - update the unicast header for re-routing
 * @bat_priv: the bat priv with all the soft interface information
+ * @skb: unicast packet to process
 * @unicast_packet: the unicast header to be updated
 * @dst_addr: the payload destination
 * @vid: VLAN identifier
@@ -770,7 +771,7 @@ free_skb:
 * Return: true if the packet header has been updated, false otherwise
 */
 static bool
-batadv_reroute_unicast_packet(struct batadv_priv *bat_priv,
+batadv_reroute_unicast_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
                              struct batadv_unicast_packet *unicast_packet,
                              u8 *dst_addr, unsigned short vid)
 {
@@ -799,8 +800,10 @@ batadv_reroute_unicast_packet(struct batadv_priv *bat_priv,
        }
        /* update the packet header */
+        skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
        ether_addr_copy(unicast_packet->dest, orig_addr);
        unicast_packet->ttvn = orig_ttvn;
+        skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
        ret = true;
 out:
@@ -841,7 +844,7 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
         * the packet to
         */
        if (batadv_tt_local_client_is_roaming(bat_priv, ethhdr->h_dest, vid)) {
-                if (batadv_reroute_unicast_packet(bat_priv, unicast_packet,
+                if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet,
                                                  ethhdr->h_dest, vid))
                        batadv_dbg_ratelimited(BATADV_DBG_TT,
                                               bat_priv,
@@ -887,7 +890,7 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
         * destination can possibly be updated and forwarded towards the new
         * target host
         */
-        if (batadv_reroute_unicast_packet(bat_priv, unicast_packet,
+        if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet,
                                          ethhdr->h_dest, vid)) {
                batadv_dbg_ratelimited(BATADV_DBG_TT, bat_priv,
                                       "Rerouting unicast packet to %pM (dst=%pM): TTVN mismatch old_ttvn=%u new_ttvn=%u\n",
@@ -910,12 +913,14 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
        if (!primary_if)
                return false;
+        /* update the packet header */
+        skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
        ether_addr_copy(unicast_packet->dest, primary_if->net_dev->dev_addr);
+        unicast_packet->ttvn = curr_ttvn;
+        skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet));
        batadv_hardif_put(primary_if);
-        unicast_packet->ttvn = curr_ttvn;
        return true;
 }
@@ -968,14 +973,10 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
        struct batadv_orig_node *orig_node = NULL, *orig_node_gw = NULL;
        int check, hdr_size = sizeof(*unicast_packet);
        enum batadv_subtype subtype;
-        struct ethhdr *ethhdr;
        int ret = NET_RX_DROP;
        bool is4addr, is_gw;
        unicast_packet = (struct batadv_unicast_packet *)skb->data;
-        unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
-        ethhdr = eth_hdr(skb);
        is4addr = unicast_packet->packet_type == BATADV_UNICAST_4ADDR;
        /* the caller function should have already pulled 2 bytes */
        if (is4addr)
@@ -995,12 +996,14 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
        if (!batadv_check_unicast_ttvn(bat_priv, skb, hdr_size))
                goto free_skb;
+        unicast_packet = (struct batadv_unicast_packet *)skb->data;
        /* packet for me */
        if (batadv_is_my_mac(bat_priv, unicast_packet->dest)) {
                /* If this is a unicast packet from another backgone gw,
                 * drop it.
                 */
-                orig_addr_gw = ethhdr->h_source;
+                orig_addr_gw = eth_hdr(skb)->h_source;
                orig_node_gw = batadv_orig_hash_find(bat_priv, orig_addr_gw);
                if (orig_node_gw) {
                        is_gw = batadv_bla_is_backbone_gw(skb, orig_node_gw,
@@ -1015,6 +1018,8 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
                }
                if (is4addr) {
+                        unicast_4addr_packet =
+                                (struct batadv_unicast_4addr_packet *)skb->data;
                        subtype = unicast_4addr_packet->subtype;
                        batadv_dat_inc_counter(bat_priv, subtype);
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 900c5ce21cd4..367a81fb785f 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -459,13 +459,7 @@ void batadv_interface_rx(struct net_device *soft_iface,
        /* skb->dev & skb->pkt_type are set here */
        skb->protocol = eth_type_trans(skb, soft_iface);
+        skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
-        /* should not be necessary anymore as we use skb_pull_rcsum()
-         * TODO: please verify this and remove this TODO
-         * -- Dec 21st 2009, Simon Wunderlich
-         */
-        /* skb->ip_summed = CHECKSUM_UNNECESSARY; */
        batadv_inc_counter(bat_priv, BATADV_CNT_RX);
        batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES,
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index bb1578410e0c..a5aa6d61f4e2 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -167,7 +167,7 @@ struct batadv_hard_iface {
        struct list_head list;
        /** @if_num: identificator of the interface */
-        s16 if_num;
+        unsigned int if_num;
        /** @if_status: status of the interface for batman-adv */
        char if_status;
@@ -1596,7 +1596,7 @@ struct batadv_priv {
        atomic_t batman_queue_left;
        /** @num_ifaces: number of interfaces assigned to this mesh interface */
-        char num_ifaces;
+        unsigned int num_ifaces;
        /** @mesh_obj: kobject for sysfs mesh subdirectory */
        struct kobject *mesh_obj;
@@ -2186,15 +2186,16 @@ struct batadv_algo_orig_ops {
         *  orig_node due to a new hard-interface being added into the mesh
         *  (optional)
         */
-        int (*add_if)(struct batadv_orig_node *orig_node, int max_if_num);
+        int (*add_if)(struct batadv_orig_node *orig_node,
+                      unsigned int max_if_num);
        /**
         * @del_if: ask the routing algorithm to apply the needed changes to the
         *  orig_node due to an hard-interface being removed from the mesh
         *  (optional)
         */
-        int (*del_if)(struct batadv_orig_node *orig_node, int max_if_num,
+        int (*del_if)(struct batadv_orig_node *orig_node,
-                      int del_if_num);
+                      unsigned int max_if_num, unsigned int del_if_num);
 #ifdef CONFIG_BATMAN_ADV_DEBUGFS
        /** @print: print the originator table (optional) */
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 01117ae84f1d..a2ddae2f37d7 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2296,8 +2296,14 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
        else
                sec_level = authreq_to_seclevel(auth);
-        if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
+        if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
+                /* If link is already encrypted with sufficient security we
+                 * still need refresh encryption as per Core Spec 5.0 Vol 3,
+                 * Part H 2.4.6
+                 */
+                smp_ltk_encrypt(conn, hcon->sec_level);
                return 0;
+        }
        if (sec_level > hcon->pending_sec_level)
                hcon->pending_sec_level = sec_level;
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 27f1d4f2114a..9b16eaf33819 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -214,7 +214,7 @@ static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
        iph = ip_hdr(skb);
        if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
-                goto inhdr_error;
+                goto csum_error;
        len = ntohs(iph->tot_len);
        if (skb->len < len) {
@@ -236,6 +236,8 @@ static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
         */
        return 0;
+csum_error:
+        __IP_INC_STATS(net, IPSTATS_MIB_CSUMERRORS);
 inhdr_error:
        __IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS);
 drop:
diff --git a/net/bridge/br_sysfs_if.c b/net/bridge/br_sysfs_if.c
index 0254c35b2bf0..126a8ea73c96 100644
--- a/net/bridge/br_sysfs_if.c
+++ b/net/bridge/br_sysfs_if.c
@@ -255,6 +255,9 @@ static ssize_t brport_show(struct kobject *kobj,
        struct brport_attribute *brport_attr = to_brport_attr(attr);
        struct net_bridge_port *p = to_brport(kobj);
+        if (!brport_attr->show)
+                return -EINVAL;
        return brport_attr->show(p, buf);
 }
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index 51935270c651..9896f4975353 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -168,6 +168,8 @@ static struct net_bridge_vlan *br_vlan_get_master(struct net_bridge *br, u16 vid
                masterv = br_vlan_find(vg, vid);
                if (WARN_ON(!masterv))
                        return NULL;
+                refcount_set(&masterv->refcnt, 1);
+                return masterv;
        }
        refcount_inc(&masterv->refcnt);
diff --git a/net/bridge/netfilter/ebt_among.c b/net/bridge/netfilter/ebt_among.c
index 279527f8b1fe..620e54f08296 100644
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -172,32 +172,83 @@ ebt_among_mt(const struct sk_buff *skb, struct xt_action_param *par)
        return true;
 }
+static bool poolsize_invalid(const struct ebt_mac_wormhash *w)
+{
+        return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple));
+}
+static bool wormhash_offset_invalid(int off, unsigned int len)
+{
+        if (off == 0) /* not present */
+                return false;
+        if (off < (int)sizeof(struct ebt_among_info) ||
+            off % __alignof__(struct ebt_mac_wormhash))
+                return true;
+        off += sizeof(struct ebt_mac_wormhash);
+        return off > len;
+}
+static bool wormhash_sizes_valid(const struct ebt_mac_wormhash *wh, int a, int b)
+{
+        if (a == 0)
+                a = sizeof(struct ebt_among_info);
+        return ebt_mac_wormhash_size(wh) + a == b;
+}
 static int ebt_among_mt_check(const struct xt_mtchk_param *par)
 {
        const struct ebt_among_info *info = par->matchinfo;
        const struct ebt_entry_match *em =
                container_of(par->matchinfo, const struct ebt_entry_match, data);
-        int expected_length = sizeof(struct ebt_among_info);
+        unsigned int expected_length = sizeof(struct ebt_among_info);
        const struct ebt_mac_wormhash *wh_dst, *wh_src;
        int err;
+        if (expected_length > em->match_size)
+                return -EINVAL;
+        if (wormhash_offset_invalid(info->wh_dst_ofs, em->match_size) ||
+            wormhash_offset_invalid(info->wh_src_ofs, em->match_size))
+                return -EINVAL;
        wh_dst = ebt_among_wh_dst(info);
-        wh_src = ebt_among_wh_src(info);
+        if (poolsize_invalid(wh_dst))
+                return -EINVAL;
        expected_length += ebt_mac_wormhash_size(wh_dst);
+        if (expected_length > em->match_size)
+                return -EINVAL;
+        wh_src = ebt_among_wh_src(info);
+        if (poolsize_invalid(wh_src))
+                return -EINVAL;
+        if (info->wh_src_ofs < info->wh_dst_ofs) {
+                if (!wormhash_sizes_valid(wh_src, info->wh_src_ofs, info->wh_dst_ofs))
+                        return -EINVAL;
+        } else {
+                if (!wormhash_sizes_valid(wh_dst, info->wh_dst_ofs, info->wh_src_ofs))
+                        return -EINVAL;
+        }
        expected_length += ebt_mac_wormhash_size(wh_src);
        if (em->match_size != EBT_ALIGN(expected_length)) {
-                pr_info("wrong size: %d against expected %d, rounded to %zd\n",
+                pr_err_ratelimited("wrong size: %d against expected %d, rounded to %zd\n",
-                        em->match_size, expected_length,
+                                   em->match_size, expected_length,
-                        EBT_ALIGN(expected_length));
+                                   EBT_ALIGN(expected_length));
                return -EINVAL;
        }
        if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) {
-                pr_info("dst integrity fail: %x\n", -err);
+                pr_err_ratelimited("dst integrity fail: %x\n", -err);
                return -EINVAL;
        }
        if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) {
-                pr_info("src integrity fail: %x\n", -err);
+                pr_err_ratelimited("src integrity fail: %x\n", -err);
                return -EINVAL;
        }
        return 0;
diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
index 61a9f1be1263..165b9d678cf1 100644
--- a/net/bridge/netfilter/ebt_limit.c
+++ b/net/bridge/netfilter/ebt_limit.c
@@ -72,8 +72,8 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
        /* Check for overflow. */
        if (info->burst == 0 ||
            user2credits(info->avg * info->burst) < user2credits(info->avg)) {
-                pr_info("overflow, try lower: %u/%u\n",
+                pr_info_ratelimited("overflow, try lower: %u/%u\n",
-                        info->avg, info->burst);
+                                    info->avg, info->burst);
                return -EINVAL;
        }
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 02c4b409d317..a94d23b0a9af 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1641,7 +1641,8 @@ static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
        int off = ebt_compat_match_offset(match, m->match_size);
        compat_uint_t msize = m->match_size - off;
-        BUG_ON(off >= m->match_size);
+        if (WARN_ON(off >= m->match_size))
+                return -EINVAL;
        if (copy_to_user(cm->u.name, match->name,
            strlen(match->name) + 1) || put_user(msize, &cm->match_size))
@@ -1671,7 +1672,8 @@ static int compat_target_to_user(struct ebt_entry_target *t,
        int off = xt_compat_target_offset(target);
        compat_uint_t tsize = t->target_size - off;
-        BUG_ON(off >= t->target_size);
+        if (WARN_ON(off >= t->target_size))
+                return -EINVAL;
        if (copy_to_user(cm->u.name, target->name,
            strlen(target->name) + 1) || put_user(tsize, &cm->match_size))
@@ -1902,7 +1904,8 @@ static int ebt_buf_add(struct ebt_entries_buf_state *state,
        if (state->buf_kern_start == NULL)
                goto count_only;
-        BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len);
+        if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len))
+                return -EINVAL;
        memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz);
@@ -1915,7 +1918,8 @@ static int ebt_buf_add_pad(struct ebt_entries_buf_state *state, unsigned int sz)
 {
        char *b = state->buf_kern_start;
-        BUG_ON(b && state->buf_kern_offset > state->buf_kern_len);
+        if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len))
+                return -EINVAL;
        if (b != NULL && sz > 0)
                memset(b + state->buf_kern_offset, 0, sz);
@@ -1992,8 +1996,10 @@ static int compat_mtw_from_user(struct compat_ebt_entry_mwt *mwt,
        pad = XT_ALIGN(size_kern) - size_kern;
        if (pad > 0 && dst) {
-                BUG_ON(state->buf_kern_len <= pad);
+                if (WARN_ON(state->buf_kern_len <= pad))
-                BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad);
+                        return -EINVAL;
+                if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad))
+                        return -EINVAL;
                memset(dst + size_kern, 0, pad);
        }
        return off + match_size;
@@ -2043,7 +2049,8 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
                if (ret < 0)
                        return ret;
-                BUG_ON(ret < match32->match_size);
+                if (WARN_ON(ret < match32->match_size))
+                        return -EINVAL;
                growth += ret - match32->match_size;
                growth += ebt_compat_entry_padsize();
@@ -2053,7 +2060,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
                if (match_kern)
                        match_kern->match_size = ret;
-                WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+                if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+                        return -EINVAL;
                match32 = (struct compat_ebt_entry_mwt *) buf;
        }
@@ -2109,6 +2118,19 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
         *
         * offsets are relative to beginning of struct ebt_entry (i.e., 0).
         */
+        for (i = 0; i < 4 ; ++i) {
+                if (offsets[i] > *total)
+                        return -EINVAL;
+                if (i < 3 && offsets[i] == *total)
+                        return -EINVAL;
+                if (i == 0)
+                        continue;
+                if (offsets[i-1] > offsets[i])
+                        return -EINVAL;
+        }
        for (i = 0, j = 1 ; j < 4 ; j++, i++) {
                struct compat_ebt_entry_mwt *match32;
                unsigned int size;
@@ -2140,7 +2162,8 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
        startoff = state->buf_user_offset - startoff;
-        BUG_ON(*total < startoff);
+        if (WARN_ON(*total < startoff))
+                return -EINVAL;
        *total -= startoff;
        return 0;
 }
@@ -2267,7 +2290,8 @@ static int compat_do_replace(struct net *net, void __user *user,
        state.buf_kern_len = size64;
        ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
-        BUG_ON(ret < 0);        /* parses same data again */
+        if (WARN_ON(ret < 0))
+                goto out_unlock;
        vfree(entries_tmp);
        tmp.entries_size = size64;
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index 1e492ef2a33d..4d4c82229e9e 100644
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -418,6 +418,7 @@ ceph_parse_options(char *options, const char *dev_name,
                                opt->flags |= CEPH_OPT_FSID;
                        break;
                case Opt_name:
+                        kfree(opt->name);
                        opt->name = kstrndup(argstr[0].from,
                                              argstr[0].to-argstr[0].from,
                                              GFP_KERNEL);
@@ -427,6 +428,9 @@ ceph_parse_options(char *options, const char *dev_name,
                        }
                        break;
                case Opt_secret:
+                        ceph_crypto_key_destroy(opt->key);
+                        kfree(opt->key);
                        opt->key = kzalloc(sizeof(*opt->key), GFP_KERNEL);
                        if (!opt->key) {
                                err = -ENOMEM;
@@ -437,6 +441,9 @@ ceph_parse_options(char *options, const char *dev_name,
                                goto out;
                        break;
                case Opt_key:
+                        ceph_crypto_key_destroy(opt->key);
+                        kfree(opt->key);
                        opt->key = kzalloc(sizeof(*opt->key), GFP_KERNEL);
                        if (!opt->key) {
                                err = -ENOMEM;
diff --git a/net/core/dev.c b/net/core/dev.c
index dda9d7b9a840..12be20535714 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2382,8 +2382,11 @@ EXPORT_SYMBOL(netdev_set_num_tc);
 */
 int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq)
 {
+        bool disabling;
        int rc;
+        disabling = txq < dev->real_num_tx_queues;
        if (txq < 1 || txq > dev->num_tx_queues)
                return -EINVAL;
@@ -2399,15 +2402,19 @@ int netif_set_real_num_tx_queues(struct net_device *dev, unsigned int txq)
                if (dev->num_tc)
                        netif_setup_tc(dev, txq);
-                if (txq < dev->real_num_tx_queues) {
+                dev->real_num_tx_queues = txq;
+                if (disabling) {
+                        synchronize_net();
                        qdisc_reset_all_tx_gt(dev, txq);
 #ifdef CONFIG_XPS
                        netif_reset_xps_queues_gt(dev, txq);
 #endif
                }
+        } else {
+                dev->real_num_tx_queues = txq;
        }
-        dev->real_num_tx_queues = txq;
        return 0;
 }
 EXPORT_SYMBOL(netif_set_real_num_tx_queues);
@@ -3271,15 +3278,23 @@ static inline int __dev_xmit_skb(struct sk_buff *skb, struct Qdisc *q,
 #if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
 static void skb_update_prio(struct sk_buff *skb)
 {
-        struct netprio_map *map = rcu_dereference_bh(skb->dev->priomap);
+        const struct netprio_map *map;
+        const struct sock *sk;
+        unsigned int prioidx;
-        if (!skb->priority && skb->sk && map) {
+        if (skb->priority)
-                unsigned int prioidx =
+                return;
-                        sock_cgroup_prioidx(&skb->sk->sk_cgrp_data);
+        map = rcu_dereference_bh(skb->dev->priomap);
+        if (!map)
+                return;
+        sk = skb_to_full_sk(skb);
+        if (!sk)
+                return;
-                if (prioidx < map->priomap_len)
+        prioidx = sock_cgroup_prioidx(&sk->sk_cgrp_data);
-                        skb->priority = map->priomap[prioidx];
-        }
+        if (prioidx < map->priomap_len)
+                skb->priority = map->priomap[prioidx];
 }
 #else
 #define skb_update_prio(skb)
@@ -6389,6 +6404,7 @@ static int __netdev_upper_dev_link(struct net_device *dev,
                .linking = true,
                .upper_info = upper_info,
        };
+        struct net_device *master_dev;
        int ret = 0;
        ASSERT_RTNL();
@@ -6400,11 +6416,14 @@ static int __netdev_upper_dev_link(struct net_device *dev,
        if (netdev_has_upper_dev(upper_dev, dev))
                return -EBUSY;
-        if (netdev_has_upper_dev(dev, upper_dev))
+        if (!master) {
-                return -EEXIST;
+                if (netdev_has_upper_dev(dev, upper_dev))
+                        return -EEXIST;
-        if (master && netdev_master_upper_dev_get(dev))
+        } else {
-                return -EBUSY;
+                master_dev = netdev_master_upper_dev_get(dev);
+                if (master_dev)
+                        return master_dev == upper_dev ? -EEXIST : -EBUSY;
+        }
        ret = call_netdevice_notifiers_info(NETDEV_PRECHANGEUPPER,
                                            &changeupper_info.info);
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index 0ab1af04296c..a04e1e88bf3a 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -402,8 +402,6 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, bool *need_c
        if (colon)
                *colon = 0;
-        dev_load(net, ifr->ifr_name);
        /*
         *      See which interface the caller is talking about.
         */
@@ -423,6 +421,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, bool *need_c
        case SIOCGIFMAP:
        case SIOCGIFINDEX:
        case SIOCGIFTXQLEN:
+                dev_load(net, ifr->ifr_name);
                rcu_read_lock();
                ret = dev_ifsioc_locked(net, ifr, cmd);
                rcu_read_unlock();
@@ -431,6 +430,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, bool *need_c
                return ret;
        case SIOCETHTOOL:
+                dev_load(net, ifr->ifr_name);
                rtnl_lock();
                ret = dev_ethtool(net, ifr);
                rtnl_unlock();
@@ -447,6 +447,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, bool *need_c
        case SIOCGMIIPHY:
        case SIOCGMIIREG:
        case SIOCSIFNAME:
+                dev_load(net, ifr->ifr_name);
                if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
                        return -EPERM;
                rtnl_lock();
@@ -494,6 +495,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, bool *need_c
                /* fall through */
        case SIOCBONDSLAVEINFOQUERY:
        case SIOCBONDINFOQUERY:
+                dev_load(net, ifr->ifr_name);
                rtnl_lock();
                ret = dev_ifsioc(net, ifr, cmd);
                rtnl_unlock();
@@ -518,6 +520,7 @@ int dev_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr, bool *need_c
                    cmd == SIOCGHWTSTAMP ||
                    (cmd >= SIOCDEVPRIVATE &&
                     cmd <= SIOCDEVPRIVATE + 15)) {
+                        dev_load(net, ifr->ifr_name);
                        rtnl_lock();
                        ret = dev_ifsioc(net, ifr, cmd);
                        rtnl_unlock();
diff --git a/net/core/devlink.c b/net/core/devlink.c
index 18d385ed8237..effd4848c2b4 100644
--- a/net/core/devlink.c
+++ b/net/core/devlink.c
@@ -1695,10 +1695,11 @@ static int devlink_dpipe_table_put(struct sk_buff *skb,
                goto nla_put_failure;
        if (table->resource_valid) {
-                nla_put_u64_64bit(skb, DEVLINK_ATTR_DPIPE_TABLE_RESOURCE_ID,
+                if (nla_put_u64_64bit(skb, DEVLINK_ATTR_DPIPE_TABLE_RESOURCE_ID,
-                                  table->resource_id, DEVLINK_ATTR_PAD);
+                                      table->resource_id, DEVLINK_ATTR_PAD) ||
-                nla_put_u64_64bit(skb, DEVLINK_ATTR_DPIPE_TABLE_RESOURCE_UNITS,
+                    nla_put_u64_64bit(skb, DEVLINK_ATTR_DPIPE_TABLE_RESOURCE_UNITS,
-                                  table->resource_units, DEVLINK_ATTR_PAD);
+                                      table->resource_units, DEVLINK_ATTR_PAD))
+                        goto nla_put_failure;
        }
        if (devlink_dpipe_matches_put(table, skb))
                goto nla_put_failure;
@@ -1797,7 +1798,7 @@ send_done:
        if (!nlh) {
                err = devlink_dpipe_send_and_alloc_skb(&skb, info);
                if (err)
-                        goto err_skb_send_alloc;
+                        return err;
                goto send_done;
        }
@@ -1806,7 +1807,6 @@ send_done:
 nla_put_failure:
        err = -EMSGSIZE;
 err_table_put:
-err_skb_send_alloc:
        genlmsg_cancel(skb, hdr);
        nlmsg_free(skb);
        return err;
@@ -2072,7 +2072,7 @@ static int devlink_dpipe_entries_fill(struct genl_info *info,
                                             table->counters_enabled,
                                             &dump_ctx);
        if (err)
-                goto err_entries_dump;
+                return err;
 send_done:
        nlh = nlmsg_put(dump_ctx.skb, info->snd_portid, info->snd_seq,
@@ -2080,16 +2080,10 @@ send_done:
        if (!nlh) {
                err = devlink_dpipe_send_and_alloc_skb(&dump_ctx.skb, info);
                if (err)
-                        goto err_skb_send_alloc;
+                        return err;
                goto send_done;
        }
        return genlmsg_reply(dump_ctx.skb, info);
-err_entries_dump:
-err_skb_send_alloc:
-        genlmsg_cancel(dump_ctx.skb, dump_ctx.hdr);
-        nlmsg_free(dump_ctx.skb);
-        return err;
 }
 static int devlink_nl_cmd_dpipe_entries_get(struct sk_buff *skb,
@@ -2228,7 +2222,7 @@ send_done:
        if (!nlh) {
                err = devlink_dpipe_send_and_alloc_skb(&skb, info);
                if (err)
-                        goto err_skb_send_alloc;
+                        return err;
                goto send_done;
        }
        return genlmsg_reply(skb, info);
@@ -2236,7 +2230,6 @@ send_done:
 nla_put_failure:
        err = -EMSGSIZE;
 err_table_put:
-err_skb_send_alloc:
        genlmsg_cancel(skb, hdr);
        nlmsg_free(skb);
        return err;
@@ -2332,7 +2325,7 @@ devlink_resource_validate_children(struct devlink_resource *resource)
        list_for_each_entry(child_resource, &resource->resource_list, list)
                parts_size += child_resource->size_new;
-        if (parts_size > resource->size)
+        if (parts_size > resource->size_new)
                size_valid = false;
 out:
        resource->size_valid = size_valid;
@@ -2372,20 +2365,22 @@ static int devlink_nl_cmd_resource_set(struct sk_buff *skb,
        return 0;
 }
-static void
+static int
 devlink_resource_size_params_put(struct devlink_resource *resource,
                                 struct sk_buff *skb)
 {
        struct devlink_resource_size_params *size_params;
-        size_params = resource->size_params;
+        size_params = &resource->size_params;
-        nla_put_u64_64bit(skb, DEVLINK_ATTR_RESOURCE_SIZE_GRAN,
+        if (nla_put_u64_64bit(skb, DEVLINK_ATTR_RESOURCE_SIZE_GRAN,
-                          size_params->size_granularity, DEVLINK_ATTR_PAD);
+                              size_params->size_granularity, DEVLINK_ATTR_PAD) ||
-        nla_put_u64_64bit(skb, DEVLINK_ATTR_RESOURCE_SIZE_MAX,
+            nla_put_u64_64bit(skb, DEVLINK_ATTR_RESOURCE_SIZE_MAX,
-                          size_params->size_max, DEVLINK_ATTR_PAD);
+                              size_params->size_max, DEVLINK_ATTR_PAD) ||
-        nla_put_u64_64bit(skb, DEVLINK_ATTR_RESOURCE_SIZE_MIN,
+            nla_put_u64_64bit(skb, DEVLINK_ATTR_RESOURCE_SIZE_MIN,
-                          size_params->size_min, DEVLINK_ATTR_PAD);
+                              size_params->size_min, DEVLINK_ATTR_PAD) ||
-        nla_put_u8(skb, DEVLINK_ATTR_RESOURCE_UNIT, size_params->unit);
+            nla_put_u8(skb, DEVLINK_ATTR_RESOURCE_UNIT, size_params->unit))
+                return -EMSGSIZE;
+        return 0;
 }
 static int devlink_resource_put(struct devlink *devlink, struct sk_buff *skb,
@@ -2409,10 +2404,12 @@ static int devlink_resource_put(struct devlink *devlink, struct sk_buff *skb,
                nla_put_u64_64bit(skb, DEVLINK_ATTR_RESOURCE_SIZE_NEW,
                                  resource->size_new, DEVLINK_ATTR_PAD);
        if (resource->resource_ops && resource->resource_ops->occ_get)
-                nla_put_u64_64bit(skb, DEVLINK_ATTR_RESOURCE_OCC,
+                if (nla_put_u64_64bit(skb, DEVLINK_ATTR_RESOURCE_OCC,
-                                  resource->resource_ops->occ_get(devlink),
+                                      resource->resource_ops->occ_get(devlink),
-                                  DEVLINK_ATTR_PAD);
+                                      DEVLINK_ATTR_PAD))
-        devlink_resource_size_params_put(resource, skb);
+                        goto nla_put_failure;
+        if (devlink_resource_size_params_put(resource, skb))
+                goto nla_put_failure;
        if (list_empty(&resource->resource_list))
                goto out;
@@ -3151,7 +3148,7 @@ int devlink_resource_register(struct devlink *devlink,
                              u64 resource_size,
                              u64 resource_id,
                              u64 parent_resource_id,
-                              struct devlink_resource_size_params *size_params,
+                              const struct devlink_resource_size_params *size_params,
                              const struct devlink_resource_ops *resource_ops)
 {
        struct devlink_resource *resource;
@@ -3194,7 +3191,8 @@ int devlink_resource_register(struct devlink *devlink,
        resource->id = resource_id;
        resource->resource_ops = resource_ops;
        resource->size_valid = true;
-        resource->size_params = size_params;
+        memcpy(&resource->size_params, size_params,
+               sizeof(resource->size_params));
        INIT_LIST_HEAD(&resource->resource_list);
        list_add_tail(&resource->list, resource_list);
 out:
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 494e6a5d7306..3f89c76d5c24 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -2520,11 +2520,14 @@ static int set_phy_tunable(struct net_device *dev, void __user *useraddr)
 static int ethtool_get_fecparam(struct net_device *dev, void __user *useraddr)
 {
        struct ethtool_fecparam fecparam = { ETHTOOL_GFECPARAM };
+        int rc;
        if (!dev->ethtool_ops->get_fecparam)
                return -EOPNOTSUPP;
-        dev->ethtool_ops->get_fecparam(dev, &fecparam);
+        rc = dev->ethtool_ops->get_fecparam(dev, &fecparam);
+        if (rc)
+                return rc;
        if (copy_to_user(useraddr, &fecparam, sizeof(fecparam)))
                return -EFAULT;
diff --git a/net/core/filter.c b/net/core/filter.c
index 08ab4c65a998..48aa7c7320db 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2087,6 +2087,10 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb)
        u32 off = skb_mac_header_len(skb);
        int ret;
+        /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */
+        if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb)))
+                return -ENOTSUPP;
        ret = skb_cow(skb, len_diff);
        if (unlikely(ret < 0))
                return ret;
@@ -2096,19 +2100,21 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb)
                return ret;
        if (skb_is_gso(skb)) {
+                struct skb_shared_info *shinfo = skb_shinfo(skb);
                /* SKB_GSO_TCPV4 needs to be changed into
                 * SKB_GSO_TCPV6.
                 */
-                if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4) {
+                if (shinfo->gso_type & SKB_GSO_TCPV4) {
-                        skb_shinfo(skb)->gso_type &= ~SKB_GSO_TCPV4;
+                        shinfo->gso_type &= ~SKB_GSO_TCPV4;
-                        skb_shinfo(skb)->gso_type |=  SKB_GSO_TCPV6;
+                        shinfo->gso_type |=  SKB_GSO_TCPV6;
                }
                /* Due to IPv6 header, MSS needs to be downgraded. */
-                skb_shinfo(skb)->gso_size -= len_diff;
+                skb_decrease_gso_size(shinfo, len_diff);
                /* Header must be checked, and gso_segs recomputed. */
-                skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
+                shinfo->gso_type |= SKB_GSO_DODGY;
-                skb_shinfo(skb)->gso_segs = 0;
+                shinfo->gso_segs = 0;
        }
        skb->protocol = htons(ETH_P_IPV6);
@@ -2123,6 +2129,10 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb)
        u32 off = skb_mac_header_len(skb);
        int ret;
+        /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */
+        if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb)))
+                return -ENOTSUPP;
        ret = skb_unclone(skb, GFP_ATOMIC);
        if (unlikely(ret < 0))
                return ret;
@@ -2132,19 +2142,21 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb)
                return ret;
        if (skb_is_gso(skb)) {
+                struct skb_shared_info *shinfo = skb_shinfo(skb);
                /* SKB_GSO_TCPV6 needs to be changed into
                 * SKB_GSO_TCPV4.
                 */
-                if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6) {
+                if (shinfo->gso_type & SKB_GSO_TCPV6) {
-                        skb_shinfo(skb)->gso_type &= ~SKB_GSO_TCPV6;
+                        shinfo->gso_type &= ~SKB_GSO_TCPV6;
-                        skb_shinfo(skb)->gso_type |=  SKB_GSO_TCPV4;
+                        shinfo->gso_type |=  SKB_GSO_TCPV4;
                }
                /* Due to IPv4 header, MSS can be upgraded. */
-                skb_shinfo(skb)->gso_size += len_diff;
+                skb_increase_gso_size(shinfo, len_diff);
                /* Header must be checked, and gso_segs recomputed. */
-                skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
+                shinfo->gso_type |= SKB_GSO_DODGY;
-                skb_shinfo(skb)->gso_segs = 0;
+                shinfo->gso_segs = 0;
        }
        skb->protocol = htons(ETH_P_IP);
@@ -2243,6 +2255,10 @@ static int bpf_skb_net_grow(struct sk_buff *skb, u32 len_diff)
        u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb);
        int ret;
+        /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */
+        if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb)))
+                return -ENOTSUPP;
        ret = skb_cow(skb, len_diff);
        if (unlikely(ret < 0))
                return ret;
@@ -2252,11 +2268,13 @@ static int bpf_skb_net_grow(struct sk_buff *skb, u32 len_diff)
                return ret;
        if (skb_is_gso(skb)) {
+                struct skb_shared_info *shinfo = skb_shinfo(skb);
                /* Due to header grow, MSS needs to be downgraded. */
-                skb_shinfo(skb)->gso_size -= len_diff;
+                skb_decrease_gso_size(shinfo, len_diff);
                /* Header must be checked, and gso_segs recomputed. */
-                skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
+                shinfo->gso_type |= SKB_GSO_DODGY;
-                skb_shinfo(skb)->gso_segs = 0;
+                shinfo->gso_segs = 0;
        }
        return 0;
@@ -2267,6 +2285,10 @@ static int bpf_skb_net_shrink(struct sk_buff *skb, u32 len_diff)
        u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb);
        int ret;
+        /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */
+        if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb)))
+                return -ENOTSUPP;
        ret = skb_unclone(skb, GFP_ATOMIC);
        if (unlikely(ret < 0))
                return ret;
@@ -2276,11 +2298,13 @@ static int bpf_skb_net_shrink(struct sk_buff *skb, u32 len_diff)
                return ret;
        if (skb_is_gso(skb)) {
+                struct skb_shared_info *shinfo = skb_shinfo(skb);
                /* Due to header shrink, MSS can be upgraded. */
-                skb_shinfo(skb)->gso_size += len_diff;
+                skb_increase_gso_size(shinfo, len_diff);
                /* Header must be checked, and gso_segs recomputed. */
-                skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
+                shinfo->gso_type |= SKB_GSO_DODGY;
-                skb_shinfo(skb)->gso_segs = 0;
+                shinfo->gso_segs = 0;
        }
        return 0;
@@ -3381,17 +3405,13 @@ BPF_CALL_2(bpf_sock_ops_cb_flags_set, struct bpf_sock_ops_kern *, bpf_sock,
        struct sock *sk = bpf_sock->sk;
        int val = argval & BPF_SOCK_OPS_ALL_CB_FLAGS;
-        if (!sk_fullsock(sk))
+        if (!IS_ENABLED(CONFIG_INET) || !sk_fullsock(sk))
                return -EINVAL;
-#ifdef CONFIG_INET
        if (val)
                tcp_sk(sk)->bpf_sock_ops_cb_flags = val;
        return argval & (~BPF_SOCK_OPS_ALL_CB_FLAGS);
-#else
-        return -EINVAL;
-#endif
 }
 static const struct bpf_func_proto bpf_sock_ops_cb_flags_set_proto = {
diff --git a/net/core/gen_estimator.c b/net/core/gen_estimator.c
index 0a3f88f08727..98fd12721221 100644
--- a/net/core/gen_estimator.c
+++ b/net/core/gen_estimator.c
@@ -66,6 +66,7 @@ struct net_rate_estimator {
 static void est_fetch_counters(struct net_rate_estimator *e,
                               struct gnet_stats_basic_packed *b)
 {
+        memset(b, 0, sizeof(*b));
        if (e->stats_lock)
                spin_lock(e->stats_lock);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 09bd89c90a71..1e7acdc30732 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4179,7 +4179,7 @@ int sock_queue_err_skb(struct sock *sk, struct sk_buff *skb)
        skb_queue_tail(&sk->sk_error_queue, skb);
        if (!sock_flag(sk, SOCK_DEAD))
-                sk->sk_data_ready(sk);
+                sk->sk_error_report(sk);
        return 0;
 }
 EXPORT_SYMBOL(sock_queue_err_skb);
@@ -4891,7 +4891,7 @@ EXPORT_SYMBOL_GPL(skb_scrub_packet);
 *
 * The MAC/L2 or network (IP, IPv6) headers are not accounted for.
 */
-unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
+static unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
 {
        const struct skb_shared_info *shinfo = skb_shinfo(skb);
        unsigned int thlen = 0;
@@ -4904,7 +4904,7 @@ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
                        thlen += inner_tcp_hdrlen(skb);
        } else if (likely(shinfo->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6))) {
                thlen = tcp_hdrlen(skb);
-        } else if (unlikely(shinfo->gso_type & SKB_GSO_SCTP)) {
+        } else if (unlikely(skb_is_gso_sctp(skb))) {
                thlen = sizeof(struct sctphdr);
        }
        /* UFO sets gso_size to the size of the fragmentation
@@ -4913,7 +4913,40 @@ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
         */
        return thlen + shinfo->gso_size;
 }
-EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
+/**
+ * skb_gso_network_seglen - Return length of individual segments of a gso packet
+ *
+ * @skb: GSO skb
+ *
+ * skb_gso_network_seglen is used to determine the real size of the
+ * individual segments, including Layer3 (IP, IPv6) and L4 headers (TCP/UDP).
+ *
+ * The MAC/L2 header is not accounted for.
+ */
+static unsigned int skb_gso_network_seglen(const struct sk_buff *skb)
+{
+        unsigned int hdr_len = skb_transport_header(skb) -
+                               skb_network_header(skb);
+        return hdr_len + skb_gso_transport_seglen(skb);
+}
+/**
+ * skb_gso_mac_seglen - Return length of individual segments of a gso packet
+ *
+ * @skb: GSO skb
+ *
+ * skb_gso_mac_seglen is used to determine the real size of the
+ * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4
+ * headers (TCP/UDP).
+ */
+static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
+{
+        unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
+        return hdr_len + skb_gso_transport_seglen(skb);
+}
 /**
 * skb_gso_size_check - check the skb size, considering GSO_BY_FRAGS
@@ -4955,19 +4988,20 @@ static inline bool skb_gso_size_check(const struct sk_buff *skb,
 }
 /**
- * skb_gso_validate_mtu - Return in case such skb fits a given MTU
+ * skb_gso_validate_network_len - Will a split GSO skb fit into a given MTU?
 *
 * @skb: GSO skb
 * @mtu: MTU to validate against
 *
- * skb_gso_validate_mtu validates if a given skb will fit a wanted MTU
+ * skb_gso_validate_network_len validates if a given skb will fit a
- * once split.
+ * wanted MTU once split. It considers L3 headers, L4 headers, and the
+ * payload.
 */
-bool skb_gso_validate_mtu(const struct sk_buff *skb, unsigned int mtu)
+bool skb_gso_validate_network_len(const struct sk_buff *skb, unsigned int mtu)
 {
        return skb_gso_size_check(skb, skb_gso_network_seglen(skb), mtu);
 }
-EXPORT_SYMBOL_GPL(skb_gso_validate_mtu);
+EXPORT_SYMBOL_GPL(skb_gso_validate_network_len);
 /**
 * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length?
@@ -4986,13 +5020,16 @@ EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len);
 static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
 {
+        int mac_len;
        if (skb_cow(skb, skb_headroom(skb)) < 0) {
                kfree_skb(skb);
                return NULL;
        }
-        memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
+        mac_len = skb->data - skb_mac_header(skb);
-                2 * ETH_ALEN);
+        memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
+                mac_len - VLAN_HLEN - ETH_TLEN);
        skb->mac_header += VLAN_HLEN;
        return skb;
 }
diff --git a/net/core/sock.c b/net/core/sock.c
index c501499a04fe..85b0b64e7f9d 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3261,6 +3261,27 @@ void proto_unregister(struct proto *prot)
 }
 EXPORT_SYMBOL(proto_unregister);
+int sock_load_diag_module(int family, int protocol)
+{
+        if (!protocol) {
+                if (!sock_is_registered(family))
+                        return -ENOENT;
+                return request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
+                                      NETLINK_SOCK_DIAG, family);
+        }
+#ifdef CONFIG_INET
+        if (family == AF_INET &&
+            !rcu_access_pointer(inet_protos[protocol]))
+                return -ENOENT;
+#endif
+        return request_module("net-pf-%d-proto-%d-type-%d-%d", PF_NETLINK,
+                              NETLINK_SOCK_DIAG, family, protocol);
+}
+EXPORT_SYMBOL(sock_load_diag_module);
 #ifdef CONFIG_PROC_FS
 static void *proto_seq_start(struct seq_file *seq, loff_t *pos)
        __acquires(proto_list_mutex)
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index 146b50e30659..c37b5be7c5e4 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -220,8 +220,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh)
                return -EINVAL;
        if (sock_diag_handlers[req->sdiag_family] == NULL)
-                request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
+                sock_load_diag_module(req->sdiag_family, 0);
-                                NETLINK_SOCK_DIAG, req->sdiag_family);
        mutex_lock(&sock_diag_table_mutex);
        hndl = sock_diag_handlers[req->sdiag_family];
@@ -247,8 +246,7 @@ static int sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
        case TCPDIAG_GETSOCK:
        case DCCPDIAG_GETSOCK:
                if (inet_rcv_compat == NULL)
-                        request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
+                        sock_load_diag_module(AF_INET, 0);
-                                        NETLINK_SOCK_DIAG, AF_INET);
                mutex_lock(&sock_diag_table_mutex);
                if (inet_rcv_compat != NULL)
@@ -281,14 +279,12 @@ static int sock_diag_bind(struct net *net, int group)
        case SKNLGRP_INET_TCP_DESTROY:
        case SKNLGRP_INET_UDP_DESTROY:
                if (!sock_diag_handlers[AF_INET])
-                        request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
+                        sock_load_diag_module(AF_INET, 0);
-                                       NETLINK_SOCK_DIAG, AF_INET);
                break;
        case SKNLGRP_INET6_TCP_DESTROY:
        case SKNLGRP_INET6_UDP_DESTROY:
                if (!sock_diag_handlers[AF_INET6])
-                        request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
+                        sock_load_diag_module(AF_INET6, 0);
-                                       NETLINK_SOCK_DIAG, AF_INET6);
                break;
        }
        return 0;
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index 15bdc002d90c..84cd4e3fd01b 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -794,6 +794,11 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
        if (skb == NULL)
                goto out_release;
+        if (sk->sk_state == DCCP_CLOSED) {
+                rc = -ENOTCONN;
+                goto out_discard;
+        }
        skb_reserve(skb, sk->sk_prot->max_header);
        rc = memcpy_from_msg(skb_put(skb, len), msg, len);
        if (rc != 0)
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index 91dd09f79808..791aff68af88 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -1338,6 +1338,12 @@ static int dn_setsockopt(struct socket *sock, int level, int optname, char __use
        lock_sock(sk);
        err = __dn_setsockopt(sock, level, optname, optval, optlen, 0);
        release_sock(sk);
+#ifdef CONFIG_NETFILTER
+        /* we need to exclude all possible ENOPROTOOPTs except default case */
+        if (err == -ENOPROTOOPT && optname != DSO_LINKINFO &&
+            optname != DSO_STREAM && optname != DSO_SEQPACKET)
+                err = nf_setsockopt(sk, PF_DECnet, optname, optval, optlen);
+#endif
        return err;
 }
@@ -1445,15 +1451,6 @@ static int __dn_setsockopt(struct socket *sock, int level,int optname, char __us
                dn_nsp_send_disc(sk, 0x38, 0, sk->sk_allocation);
                break;
-        default:
-#ifdef CONFIG_NETFILTER
-                return nf_setsockopt(sk, PF_DECnet, optname, optval, optlen);
-#endif
-        case DSO_LINKINFO:
-        case DSO_STREAM:
-        case DSO_SEQPACKET:
-                return -ENOPROTOOPT;
        case DSO_MAXWINDOW:
                if (optlen != sizeof(unsigned long))
                        return -EINVAL;
@@ -1501,6 +1498,12 @@ static int __dn_setsockopt(struct socket *sock, int level,int optname, char __us
                        return -EINVAL;
                scp->info_loc = u.info;
                break;
+        case DSO_LINKINFO:
+        case DSO_STREAM:
+        case DSO_SEQPACKET:
+        default:
+                return -ENOPROTOOPT;
        }
        return 0;
@@ -1514,6 +1517,20 @@ static int dn_getsockopt(struct socket *sock, int level, int optname, char __use
        lock_sock(sk);
        err = __dn_getsockopt(sock, level, optname, optval, optlen, 0);
        release_sock(sk);
+#ifdef CONFIG_NETFILTER
+        if (err == -ENOPROTOOPT && optname != DSO_STREAM &&
+            optname != DSO_SEQPACKET && optname != DSO_CONACCEPT &&
+            optname != DSO_CONREJECT) {
+                int len;
+                if (get_user(len, optlen))
+                        return -EFAULT;
+                err = nf_getsockopt(sk, PF_DECnet, optname, optval, &len);
+                if (err >= 0)
+                        err = put_user(len, optlen);
+        }
+#endif
        return err;
 }
@@ -1579,26 +1596,6 @@ static int __dn_getsockopt(struct socket *sock, int level,int optname, char __us
                r_data = &link;
                break;
-        default:
-#ifdef CONFIG_NETFILTER
-        {
-                int ret, len;
-                if (get_user(len, optlen))
-                        return -EFAULT;
-                ret = nf_getsockopt(sk, PF_DECnet, optname, optval, &len);
-                if (ret >= 0)
-                        ret = put_user(len, optlen);
-                return ret;
-        }
-#endif
-        case DSO_STREAM:
-        case DSO_SEQPACKET:
-        case DSO_CONACCEPT:
-        case DSO_CONREJECT:
-                return -ENOPROTOOPT;
        case DSO_MAXWINDOW:
                if (r_len > sizeof(unsigned long))
                        r_len = sizeof(unsigned long);
@@ -1630,6 +1627,13 @@ static int __dn_getsockopt(struct socket *sock, int level,int optname, char __us
                        r_len = sizeof(unsigned char);
                r_data = &scp->info_rem;
                break;
+        case DSO_STREAM:
+        case DSO_SEQPACKET:
+        case DSO_CONACCEPT:
+        case DSO_CONREJECT:
+        default:
+                return -ENOPROTOOPT;
        }
        if (r_data) {
diff --git a/net/dsa/legacy.c b/net/dsa/legacy.c
index cb54b81d0bd9..42a7b85b84e1 100644
--- a/net/dsa/legacy.c
+++ b/net/dsa/legacy.c
@@ -194,7 +194,7 @@ static int dsa_switch_setup_one(struct dsa_switch *ds,
                ds->ports[i].dn = cd->port_dn[i];
                ds->ports[i].cpu_dp = dst->cpu_dp;
-                if (dsa_is_user_port(ds, i))
+                if (!dsa_is_user_port(ds, i))
                        continue;
                ret = dsa_slave_create(&ds->ports[i]);
diff --git a/net/ieee802154/6lowpan/core.c b/net/ieee802154/6lowpan/core.c
index 974765b7d92a..e9f0489e4229 100644
--- a/net/ieee802154/6lowpan/core.c
+++ b/net/ieee802154/6lowpan/core.c
@@ -206,9 +206,13 @@ static inline void lowpan_netlink_fini(void)
 static int lowpan_device_event(struct notifier_block *unused,
                               unsigned long event, void *ptr)
 {
-        struct net_device *wdev = netdev_notifier_info_to_dev(ptr);
+        struct net_device *ndev = netdev_notifier_info_to_dev(ptr);
+        struct wpan_dev *wpan_dev;
-        if (wdev->type != ARPHRD_IEEE802154)
+        if (ndev->type != ARPHRD_IEEE802154)
+                return NOTIFY_DONE;
+        wpan_dev = ndev->ieee802154_ptr;
+        if (!wpan_dev)
                return NOTIFY_DONE;
        switch (event) {
@@ -217,8 +221,8 @@ static int lowpan_device_event(struct notifier_block *unused,
                 * also delete possible lowpan interfaces which belongs
                 * to the wpan interface.
                 */
-                if (wdev->ieee802154_ptr->lowpan_dev)
+                if (wpan_dev->lowpan_dev)
-                        lowpan_dellink(wdev->ieee802154_ptr->lowpan_dev, NULL);
+                        lowpan_dellink(wpan_dev->lowpan_dev, NULL);
                break;
        default:
                return NOTIFY_DONE;
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index c586597da20d..7d36a950d961 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -646,6 +646,11 @@ int fib_nh_match(struct fib_config *cfg, struct fib_info *fi,
                                            fi->fib_nh, cfg, extack))
                                return 1;
                }
+#ifdef CONFIG_IP_ROUTE_CLASSID
+                if (cfg->fc_flow &&
+                    cfg->fc_flow != fi->fib_nh->nh_tclassid)
+                        return 1;
+#endif
                if ((!cfg->fc_oif || cfg->fc_oif == fi->fib_nh->nh_oif) &&
                    (!cfg->fc_gw  || cfg->fc_gw == fi->fib_nh->nh_gw))
                        return 0;
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index a383f299ce24..4e5bc4b2f14e 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -53,8 +53,7 @@ static DEFINE_MUTEX(inet_diag_table_mutex);
 static const struct inet_diag_handler *inet_diag_lock_handler(int proto)
 {
        if (!inet_diag_table[proto])
-                request_module("net-pf-%d-proto-%d-type-%d-%d", PF_NETLINK,
+                sock_load_diag_module(AF_INET, proto);
-                               NETLINK_SOCK_DIAG, AF_INET, proto);
        mutex_lock(&inet_diag_table_mutex);
        if (!inet_diag_table[proto])
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index 26a3d0315728..e8ec28999f5c 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -119,6 +119,9 @@ out:
 static bool inet_fragq_should_evict(const struct inet_frag_queue *q)
 {
+        if (!hlist_unhashed(&q->list_evictor))
+                return false;
        return q->net->low_thresh == 0 ||
               frag_mem_limit(q->net) >= q->net->low_thresh;
 }
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index 2dd21c3281a1..b54b948b0596 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -55,7 +55,7 @@ static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
        if (skb->ignore_df)
                return false;
-        if (skb_is_gso(skb) && skb_gso_validate_mtu(skb, mtu))
+        if (skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu))
                return false;
        return true;
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 45d97e9b2759..0901de42ed85 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -970,9 +970,6 @@ static void __gre_tunnel_init(struct net_device *dev)
        t_hlen = tunnel->hlen + sizeof(struct iphdr);
-        dev->needed_headroom    = LL_MAX_HEADER + t_hlen + 4;
-        dev->mtu                = ETH_DATA_LEN - t_hlen - 4;
        dev->features           |= GRE_FEATURES;
        dev->hw_features        |= GRE_FEATURES;
@@ -1290,8 +1287,6 @@ static int erspan_tunnel_init(struct net_device *dev)
                       erspan_hdr_len(tunnel->erspan_ver);
        t_hlen = tunnel->hlen + sizeof(struct iphdr);
-        dev->needed_headroom = LL_MAX_HEADER + t_hlen + 4;
-        dev->mtu = ETH_DATA_LEN - t_hlen - 4;
        dev->features           |= GRE_FEATURES;
        dev->hw_features        |= GRE_FEATURES;
        dev->priv_flags         |= IFF_LIVE_ADDR_CHANGE;
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index e8e675be60ec..66340ab750e6 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -248,7 +248,7 @@ static int ip_finish_output_gso(struct net *net, struct sock *sk,
        /* common case: seglen is <= mtu
         */
-        if (skb_gso_validate_mtu(skb, mtu))
+        if (skb_gso_validate_network_len(skb, mtu))
                return ip_finish_output2(net, sk, skb);
        /* Slowpath -  GSO segment length exceeds the egress MTU.
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 008be04ac1cc..74c962b9b09c 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -258,7 +258,8 @@ int ip_cmsg_send(struct sock *sk, struct msghdr *msg, struct ipcm_cookie *ipc,
                        src_info = (struct in6_pktinfo *)CMSG_DATA(cmsg);
                        if (!ipv6_addr_v4mapped(&src_info->ipi6_addr))
                                return -EINVAL;
-                        ipc->oif = src_info->ipi6_ifindex;
+                        if (src_info->ipi6_ifindex)
+                                ipc->oif = src_info->ipi6_ifindex;
                        ipc->addr = src_info->ipi6_addr.s6_addr32[3];
                        continue;
                }
@@ -288,7 +289,8 @@ int ip_cmsg_send(struct sock *sk, struct msghdr *msg, struct ipcm_cookie *ipc,
                        if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct in_pktinfo)))
                                return -EINVAL;
                        info = (struct in_pktinfo *)CMSG_DATA(cmsg);
-                        ipc->oif = info->ipi_ifindex;
+                        if (info->ipi_ifindex)
+                                ipc->oif = info->ipi_ifindex;
                        ipc->addr = info->ipi_spec_dst.s_addr;
                        break;
                }
@@ -1567,10 +1569,7 @@ int ip_getsockopt(struct sock *sk, int level,
                if (get_user(len, optlen))
                        return -EFAULT;
-                lock_sock(sk);
+                err = nf_getsockopt(sk, PF_INET, optname, optval, &len);
-                err = nf_getsockopt(sk, PF_INET, optname, optval,
-                                &len);
-                release_sock(sk);
                if (err >= 0)
                        err = put_user(len, optlen);
                return err;
@@ -1602,9 +1601,7 @@ int compat_ip_getsockopt(struct sock *sk, int level, int optname,
                if (get_user(len, optlen))
                        return -EFAULT;
-                lock_sock(sk);
                err = compat_nf_getsockopt(sk, PF_INET, optname, optval, &len);
-                release_sock(sk);
                if (err >= 0)
                        err = put_user(len, optlen);
                return err;
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index d786a8441bce..6d21068f9b55 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -710,16 +710,9 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
                }
        }
-        if (tunnel->fwmark) {
+        init_tunnel_flow(&fl4, protocol, dst, tnl_params->saddr,
-                init_tunnel_flow(&fl4, protocol, dst, tnl_params->saddr,
+                         tunnel->parms.o_key, RT_TOS(tos), tunnel->parms.link,
-                                 tunnel->parms.o_key, RT_TOS(tos), tunnel->parms.link,
+                         tunnel->fwmark);
-                                 tunnel->fwmark);
-        }
-        else {
-                init_tunnel_flow(&fl4, protocol, dst, tnl_params->saddr,
-                                 tunnel->parms.o_key, RT_TOS(tos), tunnel->parms.link,
-                                 skb->mark);
-        }
        if (ip_tunnel_encap(skb, tunnel, &protocol, &fl4) < 0)
                goto tx_error;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 4ffe302f9b82..e3e420f3ba7b 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -252,6 +252,10 @@ unsigned int arpt_do_table(struct sk_buff *skb,
                        }
                        if (table_base + v
                            != arpt_next_entry(e)) {
+                                if (unlikely(stackidx >= private->stacksize)) {
+                                        verdict = NF_DROP;
+                                        break;
+                                }
                                jumpstack[stackidx++] = e;
                        }
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 9a71f3149507..e38395a8dcf2 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -330,8 +330,13 @@ ipt_do_table(struct sk_buff *skb,
                                continue;
                        }
                        if (table_base + v != ipt_next_entry(e) &&
-                            !(e->ip.flags & IPT_F_GOTO))
+                            !(e->ip.flags & IPT_F_GOTO)) {
+                                if (unlikely(stackidx >= private->stacksize)) {
+                                        verdict = NF_DROP;
+                                        break;
+                                }
                                jumpstack[stackidx++] = e;
+                        }
                        e = get_entry(table_base, v);
                        continue;
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 3a84a60f6b39..8a8ae61cea71 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -107,12 +107,6 @@ clusterip_config_entry_put(struct net *net, struct clusterip_config *c)
        local_bh_disable();
        if (refcount_dec_and_lock(&c->entries, &cn->lock)) {
-                list_del_rcu(&c->list);
-                spin_unlock(&cn->lock);
-                local_bh_enable();
-                unregister_netdevice_notifier(&c->notifier);
                /* In case anyone still accesses the file, the open/close
                 * functions are also incrementing the refcount on their own,
                 * so it's safe to remove the entry even if it's in use. */
@@ -120,6 +114,12 @@ clusterip_config_entry_put(struct net *net, struct clusterip_config *c)
                if (cn->procdir)
                        proc_remove(c->pde);
 #endif
+                list_del_rcu(&c->list);
+                spin_unlock(&cn->lock);
+                local_bh_enable();
+                unregister_netdevice_notifier(&c->notifier);
                return;
        }
        local_bh_enable();
@@ -154,8 +154,12 @@ clusterip_config_find_get(struct net *net, __be32 clusterip, int entry)
 #endif
                if (unlikely(!refcount_inc_not_zero(&c->refcount)))
                        c = NULL;
-                else if (entry)
+                else if (entry) {
-                        refcount_inc(&c->entries);
+                        if (unlikely(!refcount_inc_not_zero(&c->entries))) {
+                                clusterip_config_put(c);
+                                c = NULL;
+                        }
+                }
        }
        rcu_read_unlock_bh();
@@ -228,7 +232,6 @@ clusterip_config_init(struct net *net, const struct ipt_clusterip_tgt_info *i,
        c->hash_mode = i->hash_mode;
        c->hash_initval = i->hash_initval;
        refcount_set(&c->refcount, 1);
-        refcount_set(&c->entries, 1);
        spin_lock_bh(&cn->lock);
        if (__clusterip_config_find(net, ip)) {
@@ -259,8 +262,10 @@ clusterip_config_init(struct net *net, const struct ipt_clusterip_tgt_info *i,
        c->notifier.notifier_call = clusterip_netdev_event;
        err = register_netdevice_notifier(&c->notifier);
-        if (!err)
+        if (!err) {
+                refcount_set(&c->entries, 1);
                return c;
+        }
 #ifdef CONFIG_PROC_FS
        proc_remove(c->pde);
@@ -269,7 +274,7 @@ err:
        spin_lock_bh(&cn->lock);
        list_del_rcu(&c->list);
        spin_unlock_bh(&cn->lock);
-        kfree(c);
+        clusterip_config_put(c);
        return ERR_PTR(err);
 }
@@ -492,12 +497,15 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
                                return PTR_ERR(config);
                }
        }
-        cipinfo->config = config;
        ret = nf_ct_netns_get(par->net, par->family);
-        if (ret < 0)
+        if (ret < 0) {
                pr_info("cannot load conntrack support for proto=%u\n",
                        par->family);
+                clusterip_config_entry_put(par->net, config);
+                clusterip_config_put(config);
+                return ret;
+        }
        if (!par->net->xt.clusterip_deprecated_warning) {
                pr_info("ipt_CLUSTERIP is deprecated and it will removed soon, "
@@ -505,6 +513,7 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
                par->net->xt.clusterip_deprecated_warning = true;
        }
+        cipinfo->config = config;
        return ret;
 }
diff --git a/net/ipv4/netfilter/ipt_ECN.c b/net/ipv4/netfilter/ipt_ECN.c
index 270765236f5e..aaaf9a81fbc9 100644
--- a/net/ipv4/netfilter/ipt_ECN.c
+++ b/net/ipv4/netfilter/ipt_ECN.c
@@ -98,17 +98,15 @@ static int ecn_tg_check(const struct xt_tgchk_param *par)
        const struct ipt_ECN_info *einfo = par->targinfo;
        const struct ipt_entry *e = par->entryinfo;
-        if (einfo->operation & IPT_ECN_OP_MASK) {
+        if (einfo->operation & IPT_ECN_OP_MASK)
-                pr_info("unsupported ECN operation %x\n", einfo->operation);
                return -EINVAL;
-        }
-        if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
+        if (einfo->ip_ect & ~IPT_ECN_IP_MASK)
-                pr_info("new ECT codepoint %x out of mask\n", einfo->ip_ect);
                return -EINVAL;
-        }
        if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
            (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
-                pr_info("cannot use TCP operations on a non-tcp rule\n");
+                pr_info_ratelimited("cannot use operation on non-tcp rule\n");
                return -EINVAL;
        }
        return 0;
diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c
index 8bd0d7b26632..e8bed3390e58 100644
--- a/net/ipv4/netfilter/ipt_REJECT.c
+++ b/net/ipv4/netfilter/ipt_REJECT.c
@@ -74,13 +74,13 @@ static int reject_tg_check(const struct xt_tgchk_param *par)
        const struct ipt_entry *e = par->entryinfo;
        if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
-                pr_info("ECHOREPLY no longer supported.\n");
+                pr_info_ratelimited("ECHOREPLY no longer supported.\n");
                return -EINVAL;
        } else if (rejinfo->with == IPT_TCP_RESET) {
                /* Must specify that it's a TCP packet */
                if (e->ip.proto != IPPROTO_TCP ||
                    (e->ip.invflags & XT_INV_PROTO)) {
-                        pr_info("TCP_RESET invalid for non-tcp\n");
+                        pr_info_ratelimited("TCP_RESET invalid for non-tcp\n");
                        return -EINVAL;
                }
        }
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index 37fb9552e858..fd01f13c896a 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -105,14 +105,14 @@ static int rpfilter_check(const struct xt_mtchk_param *par)
        const struct xt_rpfilter_info *info = par->matchinfo;
        unsigned int options = ~XT_RPFILTER_OPTION_MASK;
        if (info->flags & options) {
-                pr_info("unknown options encountered");
+                pr_info_ratelimited("unknown options\n");
                return -EINVAL;
        }
        if (strcmp(par->table, "mangle") != 0 &&
            strcmp(par->table, "raw") != 0) {
-                pr_info("match only valid in the \'raw\' "
+                pr_info_ratelimited("only valid in \'raw\' or \'mangle\' table, not \'%s\'\n",
-                        "or \'mangle\' tables, not \'%s\'.\n", par->table);
+                                    par->table);
                return -EINVAL;
        }
diff --git a/net/ipv4/netfilter/nf_flow_table_ipv4.c b/net/ipv4/netfilter/nf_flow_table_ipv4.c
index 25d2975da156..0cd46bffa469 100644
--- a/net/ipv4/netfilter/nf_flow_table_ipv4.c
+++ b/net/ipv4/netfilter/nf_flow_table_ipv4.c
@@ -111,6 +111,7 @@ static int nf_flow_dnat_ip(const struct flow_offload *flow, struct sk_buff *skb,
        default:
                return -1;
        }
+        csum_replace4(&iph->check, addr, new_addr);
        return nf_flow_nat_ip_l4proto(skb, iph, thoff, addr, new_addr);
 }
@@ -185,7 +186,7 @@ static bool __nf_flow_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
        if ((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0)
                return false;
-        if (skb_is_gso(skb) && skb_gso_validate_mtu(skb, mtu))
+        if (skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu))
                return false;
        return true;
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 49cc1c1df1ba..299e247b2032 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -128,10 +128,11 @@ static int ip_rt_redirect_silence __read_mostly	= ((HZ / 50) << (9 + 1));
 static int ip_rt_error_cost __read_mostly       = HZ;
 static int ip_rt_error_burst __read_mostly      = 5 * HZ;
 static int ip_rt_mtu_expires __read_mostly      = 10 * 60 * HZ;
-static int ip_rt_min_pmtu __read_mostly         = 512 + 20 + 20;
+static u32 ip_rt_min_pmtu __read_mostly         = 512 + 20 + 20;
 static int ip_rt_min_advmss __read_mostly       = 256;
 static int ip_rt_gc_timeout __read_mostly       = RT_GC_TIMEOUT;
 /*
 *      Interface to generic destination cache.
 */
@@ -633,6 +634,7 @@ static inline u32 fnhe_hashfun(__be32 daddr)
 static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe)
 {
        rt->rt_pmtu = fnhe->fnhe_pmtu;
+        rt->rt_mtu_locked = fnhe->fnhe_mtu_locked;
        rt->dst.expires = fnhe->fnhe_expires;
        if (fnhe->fnhe_gw) {
@@ -643,7 +645,7 @@ static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnh
 }
 static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
-                                  u32 pmtu, unsigned long expires)
+                                  u32 pmtu, bool lock, unsigned long expires)
 {
        struct fnhe_hash_bucket *hash;
        struct fib_nh_exception *fnhe;
@@ -680,8 +682,10 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
                        fnhe->fnhe_genid = genid;
                if (gw)
                        fnhe->fnhe_gw = gw;
-                if (pmtu)
+                if (pmtu) {
                        fnhe->fnhe_pmtu = pmtu;
+                        fnhe->fnhe_mtu_locked = lock;
+                }
                fnhe->fnhe_expires = max(1UL, expires);
                /* Update all cached dsts too */
                rt = rcu_dereference(fnhe->fnhe_rth_input);
@@ -705,6 +709,7 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
                fnhe->fnhe_daddr = daddr;
                fnhe->fnhe_gw = gw;
                fnhe->fnhe_pmtu = pmtu;
+                fnhe->fnhe_mtu_locked = lock;
                fnhe->fnhe_expires = expires;
                /* Exception created; mark the cached routes for the nexthop
@@ -786,7 +791,8 @@ static void __ip_do_redirect(struct rtable *rt, struct sk_buff *skb, struct flow
                                struct fib_nh *nh = &FIB_RES_NH(res);
                                update_or_create_fnhe(nh, fl4->daddr, new_gw,
-                                                0, jiffies + ip_rt_gc_timeout);
+                                                0, false,
+                                                jiffies + ip_rt_gc_timeout);
                        }
                        if (kill_route)
                                rt->dst.obsolete = DST_OBSOLETE_KILL;
@@ -930,14 +936,23 @@ out_put_peer:
 static int ip_error(struct sk_buff *skb)
 {
-        struct in_device *in_dev = __in_dev_get_rcu(skb->dev);
        struct rtable *rt = skb_rtable(skb);
+        struct net_device *dev = skb->dev;
+        struct in_device *in_dev;
        struct inet_peer *peer;
        unsigned long now;
        struct net *net;
        bool send;
        int code;
+        if (netif_is_l3_master(skb->dev)) {
+                dev = __dev_get_by_index(dev_net(skb->dev), IPCB(skb)->iif);
+                if (!dev)
+                        goto out;
+        }
+        in_dev = __in_dev_get_rcu(dev);
        /* IP on this device is disabled. */
        if (!in_dev)
                goto out;
@@ -999,15 +1014,18 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
 {
        struct dst_entry *dst = &rt->dst;
        struct fib_result res;
+        bool lock = false;
-        if (dst_metric_locked(dst, RTAX_MTU))
+        if (ip_mtu_locked(dst))
                return;
        if (ipv4_mtu(dst) < mtu)
                return;
-        if (mtu < ip_rt_min_pmtu)
+        if (mtu < ip_rt_min_pmtu) {
+                lock = true;
                mtu = ip_rt_min_pmtu;
+        }
        if (rt->rt_pmtu == mtu &&
            time_before(jiffies, dst->expires - ip_rt_mtu_expires / 2))
@@ -1017,7 +1035,7 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
        if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) {
                struct fib_nh *nh = &FIB_RES_NH(res);
-                update_or_create_fnhe(nh, fl4->daddr, 0, mtu,
+                update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock,
                                      jiffies + ip_rt_mtu_expires);
        }
        rcu_read_unlock();
@@ -1270,7 +1288,7 @@ static unsigned int ipv4_mtu(const struct dst_entry *dst)
        mtu = READ_ONCE(dst->dev->mtu);
-        if (unlikely(dst_metric_locked(dst, RTAX_MTU))) {
+        if (unlikely(ip_mtu_locked(dst))) {
                if (rt->rt_uses_gateway && mtu > 576)
                        mtu = 576;
        }
@@ -1383,7 +1401,7 @@ struct uncached_list {
 static DEFINE_PER_CPU_ALIGNED(struct uncached_list, rt_uncached_list);
-static void rt_add_uncached_list(struct rtable *rt)
+void rt_add_uncached_list(struct rtable *rt)
 {
        struct uncached_list *ul = raw_cpu_ptr(&rt_uncached_list);
@@ -1394,14 +1412,8 @@ static void rt_add_uncached_list(struct rtable *rt)
        spin_unlock_bh(&ul->lock);
 }
-static void ipv4_dst_destroy(struct dst_entry *dst)
+void rt_del_uncached_list(struct rtable *rt)
 {
-        struct dst_metrics *p = (struct dst_metrics *)DST_METRICS_PTR(dst);
-        struct rtable *rt = (struct rtable *) dst;
-        if (p != &dst_default_metrics && refcount_dec_and_test(&p->refcnt))
-                kfree(p);
        if (!list_empty(&rt->rt_uncached)) {
                struct uncached_list *ul = rt->rt_uncached_list;
@@ -1411,6 +1423,17 @@ static void ipv4_dst_destroy(struct dst_entry *dst)
        }
 }
+static void ipv4_dst_destroy(struct dst_entry *dst)
+{
+        struct dst_metrics *p = (struct dst_metrics *)DST_METRICS_PTR(dst);
+        struct rtable *rt = (struct rtable *)dst;
+        if (p != &dst_default_metrics && refcount_dec_and_test(&p->refcnt))
+                kfree(p);
+        rt_del_uncached_list(rt);
+}
 void rt_flush_dev(struct net_device *dev)
 {
        struct net *net = dev_net(dev);
@@ -1506,6 +1529,7 @@ struct rtable *rt_dst_alloc(struct net_device *dev,
                rt->rt_is_input = 0;
                rt->rt_iif = 0;
                rt->rt_pmtu = 0;
+                rt->rt_mtu_locked = 0;
                rt->rt_gateway = 0;
                rt->rt_uses_gateway = 0;
                rt->rt_table_id = 0;
@@ -1826,6 +1850,8 @@ int fib_multipath_hash(const struct fib_info *fi, const struct flowi4 *fl4,
                                return skb_get_hash_raw(skb) >> 1;
                        memset(&hash_keys, 0, sizeof(hash_keys));
                        skb_flow_dissect_flow_keys(skb, &keys, flag);
+                        hash_keys.control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
                        hash_keys.addrs.v4addrs.src = keys.addrs.v4addrs.src;
                        hash_keys.addrs.v4addrs.dst = keys.addrs.v4addrs.dst;
                        hash_keys.ports.src = keys.ports.src;
@@ -2529,6 +2555,7 @@ struct dst_entry *ipv4_blackhole_route(struct net *net, struct dst_entry *dst_or
                rt->rt_is_input = ort->rt_is_input;
                rt->rt_iif = ort->rt_iif;
                rt->rt_pmtu = ort->rt_pmtu;
+                rt->rt_mtu_locked = ort->rt_mtu_locked;
                rt->rt_genid = rt_genid_ipv4(net);
                rt->rt_flags = ort->rt_flags;
@@ -2631,6 +2658,8 @@ static int rt_fill_info(struct net *net,  __be32 dst, __be32 src, u32 table_id,
        memcpy(metrics, dst_metrics_ptr(&rt->dst), sizeof(metrics));
        if (rt->rt_pmtu && expires)
                metrics[RTAX_MTU - 1] = rt->rt_pmtu;
+        if (rt->rt_mtu_locked && expires)
+                metrics[RTAX_LOCK - 1] |= BIT(RTAX_MTU);
        if (rtnetlink_put_metrics(skb, metrics) < 0)
                goto nla_put_failure;
@@ -2816,6 +2845,7 @@ void ip_rt_multicast_event(struct in_device *in_dev)
 static int ip_rt_gc_interval __read_mostly  = 60 * HZ;
 static int ip_rt_gc_min_interval __read_mostly  = HZ / 2;
 static int ip_rt_gc_elasticity __read_mostly    = 8;
+static int ip_min_valid_pmtu __read_mostly      = IPV4_MIN_MTU;
 static int ipv4_sysctl_rtcache_flush(struct ctl_table *__ctl, int write,
                                        void __user *buffer,
@@ -2931,7 +2961,8 @@ static struct ctl_table ipv4_route_table[] = {
                .data           = &ip_rt_min_pmtu,
                .maxlen         = sizeof(int),
                .mode           = 0644,
-                .proc_handler   = proc_dointvec,
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &ip_min_valid_pmtu,
        },
        {
                .procname       = "min_adv_mss",
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 48636aee23c3..8b8059b7af4d 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3566,6 +3566,7 @@ int tcp_abort(struct sock *sk, int err)
        bh_unlock_sock(sk);
        local_bh_enable();
+        tcp_write_queue_purge(sk);
        release_sock(sk);
        return 0;
 }
diff --git a/net/ipv4/tcp_illinois.c b/net/ipv4/tcp_illinois.c
index 7c843578f233..faddf4f9a707 100644
--- a/net/ipv4/tcp_illinois.c
+++ b/net/ipv4/tcp_illinois.c
@@ -6,7 +6,7 @@
 * The algorithm is described in:
 * "TCP-Illinois: A Loss and Delay-Based Congestion Control Algorithm
 *  for High-Speed Networks"
- * http://www.ifp.illinois.edu/~srikant/Papers/liubassri06perf.pdf
+ * http://tamerbasar.csl.illinois.edu/LiuBasarSrikantPerfEvalArtJun2008.pdf
 *
 * Implemented from description in paper and ns-2 simulation.
 * Copyright (C) 2007 Stephen Hemminger <shemminger@linux-foundation.org>
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 575d3c1fb6e8..9a1b3c1c1c14 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1971,11 +1971,6 @@ void tcp_enter_loss(struct sock *sk)
        /* F-RTO RFC5682 sec 3.1 step 1: retransmit SND.UNA if no previous
         * loss recovery is underway except recurring timeout(s) on
         * the same SND.UNA (sec 3.2). Disable F-RTO on path MTU probing
-         *
-         * In theory F-RTO can be used repeatedly during loss recovery.
-         * In practice this interacts badly with broken middle-boxes that
-         * falsely raise the receive window, which results in repeated
-         * timeouts and stop-and-go behavior.
         */
        tp->frto = net->ipv4.sysctl_tcp_frto &&
                   (new_recovery || icsk->icsk_retransmits) &&
@@ -2631,18 +2626,14 @@ static void tcp_process_loss(struct sock *sk, int flag, bool is_dupack,
            tcp_try_undo_loss(sk, false))
                return;
-        /* The ACK (s)acks some never-retransmitted data meaning not all
-         * the data packets before the timeout were lost. Therefore we
-         * undo the congestion window and state. This is essentially
-         * the operation in F-RTO (RFC5682 section 3.1 step 3.b). Since
-         * a retransmitted skb is permantly marked, we can apply such an
-         * operation even if F-RTO was not used.
-         */
-        if ((flag & FLAG_ORIG_SACK_ACKED) &&
-            tcp_try_undo_loss(sk, tp->undo_marker))
-                return;
        if (tp->frto) { /* F-RTO RFC5682 sec 3.1 (sack enhanced version). */
+                /* Step 3.b. A timeout is spurious if not all data are
+                 * lost, i.e., never-retransmitted data are (s)acked.
+                 */
+                if ((flag & FLAG_ORIG_SACK_ACKED) &&
+                    tcp_try_undo_loss(sk, true))
+                        return;
                if (after(tp->snd_nxt, tp->high_seq)) {
                        if (flag & FLAG_DATA_SACKED || is_dupack)
                                tp->frto = 0; /* Step 3.a. loss was real */
@@ -4001,6 +3992,7 @@ void tcp_reset(struct sock *sk)
        /* This barrier is coupled with smp_rmb() in tcp_poll() */
        smp_wmb();
+        tcp_write_queue_purge(sk);
        tcp_done(sk);
        if (!sock_flag(sk, SOCK_DEAD))
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index e9f985e42405..6818042cd8a9 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1730,7 +1730,7 @@ u32 tcp_tso_autosize(const struct sock *sk, unsigned int mss_now,
         */
        segs = max_t(u32, bytes / mss_now, min_tso_segs);
-        return min_t(u32, segs, sk->sk_gso_max_segs);
+        return segs;
 }
 EXPORT_SYMBOL(tcp_tso_autosize);
@@ -1742,9 +1742,10 @@ static u32 tcp_tso_segs(struct sock *sk, unsigned int mss_now)
        const struct tcp_congestion_ops *ca_ops = inet_csk(sk)->icsk_ca_ops;
        u32 tso_segs = ca_ops->tso_segs_goal ? ca_ops->tso_segs_goal(sk) : 0;
-        return tso_segs ? :
+        if (!tso_segs)
-                tcp_tso_autosize(sk, mss_now,
+                tso_segs = tcp_tso_autosize(sk, mss_now,
-                                 sock_net(sk)->ipv4.sysctl_tcp_min_tso_segs);
+                                sock_net(sk)->ipv4.sysctl_tcp_min_tso_segs);
+        return min_t(u32, tso_segs, sk->sk_gso_max_segs);
 }
 /* Returns the portion of skb which can be sent right away */
@@ -2027,6 +2028,24 @@ static inline void tcp_mtu_check_reprobe(struct sock *sk)
        }
 }
+static bool tcp_can_coalesce_send_queue_head(struct sock *sk, int len)
+{
+        struct sk_buff *skb, *next;
+        skb = tcp_send_head(sk);
+        tcp_for_write_queue_from_safe(skb, next, sk) {
+                if (len <= skb->len)
+                        break;
+                if (unlikely(TCP_SKB_CB(skb)->eor))
+                        return false;
+                len -= skb->len;
+        }
+        return true;
+}
 /* Create a new MTU probe if we are ready.
 * MTU probe is regularly attempting to increase the path MTU by
 * deliberately sending larger packets.  This discovers routing
@@ -2099,6 +2118,9 @@ static int tcp_mtu_probe(struct sock *sk)
                        return 0;
        }
+        if (!tcp_can_coalesce_send_queue_head(sk, probe_size))
+                return -1;
        /* We're allowed to probe.  Build it now. */
        nskb = sk_stream_alloc_skb(sk, probe_size, GFP_ATOMIC, false);
        if (!nskb)
@@ -2134,6 +2156,10 @@ static int tcp_mtu_probe(struct sock *sk)
                        /* We've eaten all the data from this skb.
                         * Throw it away. */
                        TCP_SKB_CB(nskb)->tcp_flags |= TCP_SKB_CB(skb)->tcp_flags;
+                        /* If this is the last SKB we copy and eor is set
+                         * we need to propagate it to the new skb.
+                         */
+                        TCP_SKB_CB(nskb)->eor = TCP_SKB_CB(skb)->eor;
                        tcp_unlink_write_queue(skb, sk);
                        sk_wmem_free_skb(sk, skb);
                } else {
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 71fc60f1b326..f7d944855f8e 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -34,6 +34,7 @@ static void tcp_write_err(struct sock *sk)
        sk->sk_err = sk->sk_err_soft ? : ETIMEDOUT;
        sk->sk_error_report(sk);
+        tcp_write_queue_purge(sk);
        tcp_done(sk);
        __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPABORTONTIMEOUT);
 }
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index bfaefe560b5c..e5ef7c38c934 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2024,6 +2024,11 @@ static inline int udp4_csum_init(struct sk_buff *skb, struct udphdr *uh,
                err = udplite_checksum_init(skb, uh);
                if (err)
                        return err;
+                if (UDP_SKB_CB(skb)->partial_cov) {
+                        skb->csum = inet_compute_pseudo(skb, proto);
+                        return 0;
+                }
        }
        /* Note, we are only interested in != 0 or == 0, thus the
diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
index 63faeee989a9..2a9764bd1719 100644
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -92,7 +92,8 @@ static int xfrm4_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
        skb_reset_network_header(skb);
        skb_mac_header_rebuild(skb);
-        eth_hdr(skb)->h_proto = skb->protocol;
+        if (skb->mac_len)
+                eth_hdr(skb)->h_proto = skb->protocol;
        err = 0;
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 94b8702603bc..be980c195fc5 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -30,7 +30,8 @@ static int xfrm4_tunnel_check_size(struct sk_buff *skb)
        mtu = dst_mtu(skb_dst(skb));
        if ((!skb_is_gso(skb) && skb->len > mtu) ||
-            (skb_is_gso(skb) && skb_gso_network_seglen(skb) > ip_skb_dst_mtu(skb->sk, skb))) {
+            (skb_is_gso(skb) &&
+             !skb_gso_validate_network_len(skb, ip_skb_dst_mtu(skb->sk, skb)))) {
                skb->protocol = htons(ETH_P_IP);
                if (skb->sk)
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 05017e2c849c..fbebda67ac1b 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -100,8 +100,10 @@ static int xfrm4_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
        xdst->u.rt.rt_gateway = rt->rt_gateway;
        xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway;
        xdst->u.rt.rt_pmtu = rt->rt_pmtu;
+        xdst->u.rt.rt_mtu_locked = rt->rt_mtu_locked;
        xdst->u.rt.rt_table_id = rt->rt_table_id;
        INIT_LIST_HEAD(&xdst->u.rt.rt_uncached);
+        rt_add_uncached_list(&xdst->u.rt);
        return 0;
 }
@@ -241,7 +243,8 @@ static void xfrm4_dst_destroy(struct dst_entry *dst)
        struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
        dst_destroy_metrics_generic(dst);
+        if (xdst->u.rt.rt_uncached_list)
+                rt_del_uncached_list(&xdst->u.rt);
        xfrm_dst_destroy(xdst);
 }
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index fbf08ce3f5ab..a9f7eca0b6a3 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -146,10 +146,12 @@ int __ip6_datagram_connect(struct sock *sk, struct sockaddr *uaddr,
        struct sockaddr_in6     *usin = (struct sockaddr_in6 *) uaddr;
        struct inet_sock        *inet = inet_sk(sk);
        struct ipv6_pinfo       *np = inet6_sk(sk);
-        struct in6_addr         *daddr;
+        struct in6_addr         *daddr, old_daddr;
+        __be32                  fl6_flowlabel = 0;
+        __be32                  old_fl6_flowlabel;
+        __be16                  old_dport;
        int                     addr_type;
        int                     err;
-        __be32                  fl6_flowlabel = 0;
        if (usin->sin6_family == AF_INET) {
                if (__ipv6_only_sock(sk))
@@ -238,9 +240,13 @@ ipv4_connected:
                }
        }
+        /* save the current peer information before updating it */
+        old_daddr = sk->sk_v6_daddr;
+        old_fl6_flowlabel = np->flow_label;
+        old_dport = inet->inet_dport;
        sk->sk_v6_daddr = *daddr;
        np->flow_label = fl6_flowlabel;
        inet->inet_dport = usin->sin6_port;
        /*
@@ -250,11 +256,12 @@ ipv4_connected:
        err = ip6_datagram_dst_update(sk, true);
        if (err) {
-                /* Reset daddr and dport so that udp_v6_early_demux()
+                /* Restore the socket peer info, to keep it consistent with
-                 * fails to find this socket
+                 * the old socket state
                 */
-                memset(&sk->sk_v6_daddr, 0, sizeof(sk->sk_v6_daddr));
+                sk->sk_v6_daddr = old_daddr;
-                inet->inet_dport = 0;
+                np->flow_label = old_fl6_flowlabel;
+                inet->inet_dport = old_dport;
                goto out;
        }
diff --git a/net/ipv6/ip6_checksum.c b/net/ipv6/ip6_checksum.c
index ec43d18b5ff9..547515e8450a 100644
--- a/net/ipv6/ip6_checksum.c
+++ b/net/ipv6/ip6_checksum.c
@@ -73,6 +73,11 @@ int udp6_csum_init(struct sk_buff *skb, struct udphdr *uh, int proto)
                err = udplite_checksum_init(skb, uh);
                if (err)
                        return err;
+                if (UDP_SKB_CB(skb)->partial_cov) {
+                        skb->csum = ip6_compute_pseudo(skb, proto);
+                        return 0;
+                }
        }
        /* To support RFC 6936 (allow zero checksum in UDP/IPV6 for tunnels)
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 3c353125546d..1bbd0930063e 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -126,7 +126,8 @@ static struct ip6_tnl *ip6gre_tunnel_lookup(struct net_device *dev,
        struct ip6_tnl *t, *cand = NULL;
        struct ip6gre_net *ign = net_generic(net, ip6gre_net_id);
        int dev_type = (gre_proto == htons(ETH_P_TEB) ||
-                        gre_proto == htons(ETH_P_ERSPAN)) ?
+                        gre_proto == htons(ETH_P_ERSPAN) ||
+                        gre_proto == htons(ETH_P_ERSPAN2)) ?
                       ARPHRD_ETHER : ARPHRD_IP6GRE;
        int score, cand_score = 4;
@@ -902,6 +903,9 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
                truncate = true;
        }
+        if (skb_cow_head(skb, dev->needed_headroom))
+                goto tx_err;
        t->parms.o_flags &= ~TUNNEL_KEY;
        IPCB(skb)->flags = 0;
@@ -944,6 +948,8 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
                                               md->u.md2.dir,
                                               get_hwid(&md->u.md2),
                                               truncate, false);
+                } else {
+                        goto tx_err;
                }
        } else {
                switch (skb->protocol) {
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 997c7f19ad62..a8a919520090 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -412,7 +412,7 @@ static bool ip6_pkt_too_big(const struct sk_buff *skb, unsigned int mtu)
        if (skb->ignore_df)
                return false;
-        if (skb_is_gso(skb) && skb_gso_validate_mtu(skb, mtu))
+        if (skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu))
                return false;
        return true;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 4b15fe928278..6e0f21eed88a 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1982,14 +1982,14 @@ static int ip6_tnl_newlink(struct net *src_net, struct net_device *dev,
 {
        struct net *net = dev_net(dev);
        struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
-        struct ip6_tnl *nt, *t;
        struct ip_tunnel_encap ipencap;
+        struct ip6_tnl *nt, *t;
+        int err;
        nt = netdev_priv(dev);
        if (ip6_tnl_netlink_encap_parms(data, &ipencap)) {
-                int err = ip6_tnl_encap_setup(nt, &ipencap);
+                err = ip6_tnl_encap_setup(nt, &ipencap);
                if (err < 0)
                        return err;
        }
@@ -2005,7 +2005,11 @@ static int ip6_tnl_newlink(struct net *src_net, struct net_device *dev,
                        return -EEXIST;
        }
-        return ip6_tnl_create2(dev);
+        err = ip6_tnl_create2(dev);
+        if (!err && tb[IFLA_MTU])
+                ip6_tnl_change_mtu(dev, nla_get_u32(tb[IFLA_MTU]));
+        return err;
 }
 static int ip6_tnl_changelink(struct net_device *dev, struct nlattr *tb[],
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index d78d41fc4b1a..24535169663d 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -1367,10 +1367,7 @@ int ipv6_getsockopt(struct sock *sk, int level, int optname,
                if (get_user(len, optlen))
                        return -EFAULT;
-                lock_sock(sk);
+                err = nf_getsockopt(sk, PF_INET6, optname, optval, &len);
-                err = nf_getsockopt(sk, PF_INET6, optname, optval,
-                                &len);
-                release_sock(sk);
                if (err >= 0)
                        err = put_user(len, optlen);
        }
@@ -1409,10 +1406,7 @@ int compat_ipv6_getsockopt(struct sock *sk, int level, int optname,
                if (get_user(len, optlen))
                        return -EFAULT;
-                lock_sock(sk);
+                err = compat_nf_getsockopt(sk, PF_INET6, optname, optval, &len);
-                err = compat_nf_getsockopt(sk, PF_INET6,
-                                           optname, optval, &len);
-                release_sock(sk);
                if (err >= 0)
                        err = put_user(len, optlen);
        }
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index f61a5b613b52..ba5e04c6ae17 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1554,7 +1554,8 @@ static void ndisc_fill_redirect_hdr_option(struct sk_buff *skb,
        *(opt++) = (rd_len >> 3);
        opt += 6;
-        memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8);
+        skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt,
+                      rd_len - 8);
 }
 void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index d95ceca7ff8f..531d6957af36 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -21,18 +21,19 @@
 int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
 {
        const struct ipv6hdr *iph = ipv6_hdr(skb);
+        struct sock *sk = sk_to_full_sk(skb->sk);
        unsigned int hh_len;
        struct dst_entry *dst;
        struct flowi6 fl6 = {
-                .flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0,
+                .flowi6_oif = sk ? sk->sk_bound_dev_if : 0,
                .flowi6_mark = skb->mark,
-                .flowi6_uid = sock_net_uid(net, skb->sk),
+                .flowi6_uid = sock_net_uid(net, sk),
                .daddr = iph->daddr,
                .saddr = iph->saddr,
        };
        int err;
-        dst = ip6_route_output(net, skb->sk, &fl6);
+        dst = ip6_route_output(net, sk, &fl6);
        err = dst->error;
        if (err) {
                IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
@@ -50,7 +51,7 @@ int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
        if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
            xfrm_decode_session(skb, flowi6_to_flowi(&fl6), AF_INET6) == 0) {
                skb_dst_set(skb, NULL);
-                dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), skb->sk, 0);
+                dst = xfrm_lookup(net, dst, flowi6_to_flowi(&fl6), sk, 0);
                if (IS_ERR(dst))
                        return PTR_ERR(dst);
                skb_dst_set(skb, dst);
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index af4c917e0836..62358b93bbac 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -352,6 +352,10 @@ ip6t_do_table(struct sk_buff *skb,
                        }
                        if (table_base + v != ip6t_next_entry(e) &&
                            !(e->ipv6.flags & IP6T_F_GOTO)) {
+                                if (unlikely(stackidx >= private->stacksize)) {
+                                        verdict = NF_DROP;
+                                        break;
+                                }
                                jumpstack[stackidx++] = e;
                        }
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
index fa51a205918d..38dea8ff680f 100644
--- a/net/ipv6/netfilter/ip6t_REJECT.c
+++ b/net/ipv6/netfilter/ip6t_REJECT.c
@@ -85,14 +85,14 @@ static int reject_tg6_check(const struct xt_tgchk_param *par)
        const struct ip6t_entry *e = par->entryinfo;
        if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
-                pr_info("ECHOREPLY is not supported.\n");
+                pr_info_ratelimited("ECHOREPLY is not supported\n");
                return -EINVAL;
        } else if (rejinfo->with == IP6T_TCP_RESET) {
                /* Must specify that it's a TCP packet */
                if (!(e->ipv6.flags & IP6T_F_PROTO) ||
                    e->ipv6.proto != IPPROTO_TCP ||
                    (e->ipv6.invflags & XT_INV_PROTO)) {
-                        pr_info("TCP_RESET illegal for non-tcp\n");
+                        pr_info_ratelimited("TCP_RESET illegal for non-tcp\n");
                        return -EINVAL;
                }
        }
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index b12e61b7b16c..91ed25a24b79 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -48,10 +48,6 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb,
        }
        fl6.flowi6_mark = flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
-        if ((flags & XT_RPFILTER_LOOSE) == 0) {
-                fl6.flowi6_oif = dev->ifindex;
-                lookup_flags |= RT6_LOOKUP_F_IFACE;
-        }
        rt = (void *) ip6_route_lookup(net, &fl6, lookup_flags);
        if (rt->dst.error)
@@ -103,14 +99,14 @@ static int rpfilter_check(const struct xt_mtchk_param *par)
        unsigned int options = ~XT_RPFILTER_OPTION_MASK;
        if (info->flags & options) {
-                pr_info("unknown options encountered");
+                pr_info_ratelimited("unknown options\n");
                return -EINVAL;
        }
        if (strcmp(par->table, "mangle") != 0 &&
            strcmp(par->table, "raw") != 0) {
-                pr_info("match only valid in the \'raw\' "
+                pr_info_ratelimited("only valid in \'raw\' or \'mangle\' table, not \'%s\'\n",
-                        "or \'mangle\' tables, not \'%s\'.\n", par->table);
+                                    par->table);
                return -EINVAL;
        }
diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
index 9642164107ce..33719d5560c8 100644
--- a/net/ipv6/netfilter/ip6t_srh.c
+++ b/net/ipv6/netfilter/ip6t_srh.c
@@ -122,12 +122,14 @@ static int srh_mt6_check(const struct xt_mtchk_param *par)
        const struct ip6t_srh *srhinfo = par->matchinfo;
        if (srhinfo->mt_flags & ~IP6T_SRH_MASK) {
-                pr_err("unknown srh match flags  %X\n", srhinfo->mt_flags);
+                pr_info_ratelimited("unknown srh match flags  %X\n",
+                                    srhinfo->mt_flags);
                return -EINVAL;
        }
        if (srhinfo->mt_invflags & ~IP6T_SRH_INV_MASK) {
-                pr_err("unknown srh invflags %X\n", srhinfo->mt_invflags);
+                pr_info_ratelimited("unknown srh invflags %X\n",
+                                    srhinfo->mt_invflags);
                return -EINVAL;
        }
diff --git a/net/ipv6/netfilter/nf_flow_table_ipv6.c b/net/ipv6/netfilter/nf_flow_table_ipv6.c
index d346705d6ee6..207cb35569b1 100644
--- a/net/ipv6/netfilter/nf_flow_table_ipv6.c
+++ b/net/ipv6/netfilter/nf_flow_table_ipv6.c
@@ -178,7 +178,7 @@ static bool __nf_flow_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
        if (skb->len <= mtu)
                return false;
-        if (skb_is_gso(skb) && skb_gso_validate_mtu(skb, mtu))
+        if (skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu))
                return false;
        return true;
diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
index bed57ee65f7b..6b7f075f811f 100644
--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct sk_buff *skb,
            !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
                                target, maniptype))
                return false;
+        /* must reload, offset might have changed */
+        ipv6h = (void *)skb->data + iphdroff;
 manip_addr:
        if (maniptype == NF_NAT_MANIP_SRC)
                ipv6h->saddr = target->src.u3.in6;
diff --git a/net/ipv6/netfilter/nft_fib_ipv6.c b/net/ipv6/netfilter/nft_fib_ipv6.c
index cc5174c7254c..62fc84d7bdff 100644
--- a/net/ipv6/netfilter/nft_fib_ipv6.c
+++ b/net/ipv6/netfilter/nft_fib_ipv6.c
@@ -180,7 +180,6 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
        }
        *dest = 0;
- again:
        rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, lookup_flags);
        if (rt->dst.error)
                goto put_rt_err;
@@ -189,15 +188,8 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
        if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL))
                goto put_rt_err;
-        if (oif && oif != rt->rt6i_idev->dev) {
+        if (oif && oif != rt->rt6i_idev->dev)
-                /* multipath route? Try again with F_IFACE */
+                goto put_rt_err;
-                if ((lookup_flags & RT6_LOOKUP_F_IFACE) == 0) {
-                        lookup_flags |= RT6_LOOKUP_F_IFACE;
-                        fl6.flowi6_oif = oif->ifindex;
-                        ip6_rt_put(rt);
-                        goto again;
-                }
-        }
        switch (priv->result) {
        case NFT_FIB_RESULT_OIF:
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 9dcfadddd800..b0d5c64e1978 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -128,7 +128,7 @@ struct uncached_list {
 static DEFINE_PER_CPU_ALIGNED(struct uncached_list, rt6_uncached_list);
-static void rt6_uncached_list_add(struct rt6_info *rt)
+void rt6_uncached_list_add(struct rt6_info *rt)
 {
        struct uncached_list *ul = raw_cpu_ptr(&rt6_uncached_list);
@@ -139,7 +139,7 @@ static void rt6_uncached_list_add(struct rt6_info *rt)
        spin_unlock_bh(&ul->lock);
 }
-static void rt6_uncached_list_del(struct rt6_info *rt)
+void rt6_uncached_list_del(struct rt6_info *rt)
 {
        if (!list_empty(&rt->rt6i_uncached)) {
                struct uncached_list *ul = rt->rt6i_uncached_list;
@@ -1509,7 +1509,30 @@ static void rt6_exceptions_remove_prefsrc(struct rt6_info *rt)
        }
 }
-static void rt6_exceptions_update_pmtu(struct rt6_info *rt, int mtu)
+static bool rt6_mtu_change_route_allowed(struct inet6_dev *idev,
+                                         struct rt6_info *rt, int mtu)
+{
+        /* If the new MTU is lower than the route PMTU, this new MTU will be the
+         * lowest MTU in the path: always allow updating the route PMTU to
+         * reflect PMTU decreases.
+         *
+         * If the new MTU is higher, and the route PMTU is equal to the local
+         * MTU, this means the old MTU is the lowest in the path, so allow
+         * updating it: if other nodes now have lower MTUs, PMTU discovery will
+         * handle this.
+         */
+        if (dst_mtu(&rt->dst) >= mtu)
+                return true;
+        if (dst_mtu(&rt->dst) == idev->cnf.mtu6)
+                return true;
+        return false;
+}
+static void rt6_exceptions_update_pmtu(struct inet6_dev *idev,
+                                       struct rt6_info *rt, int mtu)
 {
        struct rt6_exception_bucket *bucket;
        struct rt6_exception *rt6_ex;
@@ -1518,20 +1541,22 @@ static void rt6_exceptions_update_pmtu(struct rt6_info *rt, int mtu)
        bucket = rcu_dereference_protected(rt->rt6i_exception_bucket,
                                        lockdep_is_held(&rt6_exception_lock));
-        if (bucket) {
+        if (!bucket)
-                for (i = 0; i < FIB6_EXCEPTION_BUCKET_SIZE; i++) {
+                return;
-                        hlist_for_each_entry(rt6_ex, &bucket->chain, hlist) {
-                                struct rt6_info *entry = rt6_ex->rt6i;
+        for (i = 0; i < FIB6_EXCEPTION_BUCKET_SIZE; i++) {
-                                /* For RTF_CACHE with rt6i_pmtu == 0
+                hlist_for_each_entry(rt6_ex, &bucket->chain, hlist) {
-                                 * (i.e. a redirected route),
+                        struct rt6_info *entry = rt6_ex->rt6i;
-                                 * the metrics of its rt->dst.from has already
-                                 * been updated.
+                        /* For RTF_CACHE with rt6i_pmtu == 0 (i.e. a redirected
-                                 */
+                         * route), the metrics of its rt->dst.from have already
-                                if (entry->rt6i_pmtu && entry->rt6i_pmtu > mtu)
+                         * been updated.
-                                        entry->rt6i_pmtu = mtu;
+                         */
-                        }
+                        if (entry->rt6i_pmtu &&
-                        bucket++;
+                            rt6_mtu_change_route_allowed(idev, entry, mtu))
+                                entry->rt6i_pmtu = mtu;
                }
+                bucket++;
        }
 }
@@ -3809,25 +3834,13 @@ static int rt6_mtu_change_route(struct rt6_info *rt, void *p_arg)
           Since RFC 1981 doesn't include administrative MTU increase
           update PMTU increase is a MUST. (i.e. jumbo frame)
         */
-        /*
-           If new MTU is less than route PMTU, this new MTU will be the
-           lowest MTU in the path, update the route PMTU to reflect PMTU
-           decreases; if new MTU is greater than route PMTU, and the
-           old MTU is the lowest MTU in the path, update the route PMTU
-           to reflect the increase. In this case if the other nodes' MTU
-           also have the lowest MTU, TOO BIG MESSAGE will be lead to
-           PMTU discovery.
-         */
        if (rt->dst.dev == arg->dev &&
-            dst_metric_raw(&rt->dst, RTAX_MTU) &&
            !dst_metric_locked(&rt->dst, RTAX_MTU)) {
                spin_lock_bh(&rt6_exception_lock);
-                if (dst_mtu(&rt->dst) >= arg->mtu ||
+                if (dst_metric_raw(&rt->dst, RTAX_MTU) &&
-                    (dst_mtu(&rt->dst) < arg->mtu &&
+                    rt6_mtu_change_route_allowed(idev, rt, arg->mtu))
-                     dst_mtu(&rt->dst) == idev->cnf.mtu6)) {
                        dst_metric_set(&rt->dst, RTAX_MTU, arg->mtu);
-                }
+                rt6_exceptions_update_pmtu(idev, rt, arg->mtu);
-                rt6_exceptions_update_pmtu(rt, arg->mtu);
                spin_unlock_bh(&rt6_exception_lock);
        }
        return 0;
@@ -4099,6 +4112,7 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
                                r_cfg.fc_encap_type = nla_get_u16(nla);
                }
+                r_cfg.fc_flags |= (rtnh->rtnh_flags & RTNH_F_ONLINK);
                rt = ip6_route_info_create(&r_cfg, extack);
                if (IS_ERR(rt)) {
                        err = PTR_ERR(rt);
diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
index bd6cc688bd19..7a78dcfda68a 100644
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -93,7 +93,8 @@ static void set_tun_src(struct net *net, struct net_device *dev,
 /* encapsulate an IPv6 packet within an outer IPv6 header with a given SRH */
 int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh, int proto)
 {
-        struct net *net = dev_net(skb_dst(skb)->dev);
+        struct dst_entry *dst = skb_dst(skb);
+        struct net *net = dev_net(dst->dev);
        struct ipv6hdr *hdr, *inner_hdr;
        struct ipv6_sr_hdr *isrh;
        int hdrlen, tot_len, err;
@@ -134,7 +135,7 @@ int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh, int proto)
        isrh->nexthdr = proto;
        hdr->daddr = isrh->segments[isrh->first_segment];
-        set_tun_src(net, skb->dev, &hdr->daddr, &hdr->saddr);
+        set_tun_src(net, ip6_dst_idev(dst)->dev, &hdr->daddr, &hdr->saddr);
 #ifdef CONFIG_IPV6_SEG6_HMAC
        if (sr_has_hmac(isrh)) {
@@ -418,7 +419,7 @@ static int seg6_build_state(struct nlattr *nla,
        slwt = seg6_lwt_lwtunnel(newts);
-        err = dst_cache_init(&slwt->cache, GFP_KERNEL);
+        err = dst_cache_init(&slwt->cache, GFP_ATOMIC);
        if (err) {
                kfree(newts);
                return err;
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 3873d3877135..0195598f7bb5 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -182,7 +182,7 @@ static void ipip6_tunnel_clone_6rd(struct net_device *dev, struct sit_net *sitn)
 #ifdef CONFIG_IPV6_SIT_6RD
        struct ip_tunnel *t = netdev_priv(dev);
-        if (t->dev == sitn->fb_tunnel_dev) {
+        if (dev == sitn->fb_tunnel_dev) {
                ipv6_addr_set(&t->ip6rd.prefix, htonl(0x20020000), 0, 0, 0);
                t->ip6rd.relay_prefix = 0;
                t->ip6rd.prefixlen = 16;
@@ -1578,6 +1578,13 @@ static int ipip6_newlink(struct net *src_net, struct net_device *dev,
        if (err < 0)
                return err;
+        if (tb[IFLA_MTU]) {
+                u32 mtu = nla_get_u32(tb[IFLA_MTU]);
+                if (mtu >= IPV6_MIN_MTU && mtu <= 0xFFF8 - dev->hard_header_len)
+                        dev->mtu = mtu;
+        }
 #ifdef CONFIG_IPV6_SIT_6RD
        if (ipip6_netlink_6rd_parms(data, &ip6rd))
                err = ipip6_tunnel_update_6rd(nt, &ip6rd);
diff --git a/net/ipv6/xfrm6_mode_tunnel.c b/net/ipv6/xfrm6_mode_tunnel.c
index bb935a3b7fea..de1b0b8c53b0 100644
--- a/net/ipv6/xfrm6_mode_tunnel.c
+++ b/net/ipv6/xfrm6_mode_tunnel.c
@@ -92,7 +92,8 @@ static int xfrm6_mode_tunnel_input(struct xfrm_state *x, struct sk_buff *skb)
        skb_reset_network_header(skb);
        skb_mac_header_rebuild(skb);
-        eth_hdr(skb)->h_proto = skb->protocol;
+        if (skb->mac_len)
+                eth_hdr(skb)->h_proto = skb->protocol;
        err = 0;
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 8ae87d4ec5ff..5959ce9620eb 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -82,7 +82,7 @@ static int xfrm6_tunnel_check_size(struct sk_buff *skb)
        if ((!skb_is_gso(skb) && skb->len > mtu) ||
            (skb_is_gso(skb) &&
-             skb_gso_network_seglen(skb) > ip6_skb_dst_mtu(skb))) {
+             !skb_gso_validate_network_len(skb, ip6_skb_dst_mtu(skb)))) {
                skb->dev = dst->dev;
                skb->protocol = htons(ETH_P_IPV6);
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 09fb44ee3b45..416fe67271a9 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -113,6 +113,9 @@ static int xfrm6_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
        xdst->u.rt6.rt6i_gateway = rt->rt6i_gateway;
        xdst->u.rt6.rt6i_dst = rt->rt6i_dst;
        xdst->u.rt6.rt6i_src = rt->rt6i_src;
+        INIT_LIST_HEAD(&xdst->u.rt6.rt6i_uncached);
+        rt6_uncached_list_add(&xdst->u.rt6);
+        atomic_inc(&dev_net(dev)->ipv6.rt6_stats->fib_rt_uncache);
        return 0;
 }
@@ -244,6 +247,8 @@ static void xfrm6_dst_destroy(struct dst_entry *dst)
        if (likely(xdst->u.rt6.rt6i_idev))
                in6_dev_put(xdst->u.rt6.rt6i_idev);
        dst_destroy_metrics_generic(dst);
+        if (xdst->u.rt6.rt6i_uncached_list)
+                rt6_uncached_list_del(&xdst->u.rt6);
        xfrm_dst_destroy(xdst);
 }
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index 1e8cc7bcbca3..9e2643ab4ccb 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -2433,9 +2433,11 @@ static int afiucv_iucv_init(void)
        af_iucv_dev->driver = &af_iucv_driver;
        err = device_register(af_iucv_dev);
        if (err)
-                goto out_driver;
+                goto out_iucv_dev;
        return 0;
+out_iucv_dev:
+        put_device(af_iucv_dev);
 out_driver:
        driver_unregister(&af_iucv_driver);
 out_iucv:
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index f297d53a11aa..34355fd19f27 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -1381,24 +1381,32 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
                .parse_msg = kcm_parse_func_strparser,
                .read_sock_done = kcm_read_sock_done,
        };
-        int err;
+        int err = 0;
        csk = csock->sk;
        if (!csk)
                return -EINVAL;
+        lock_sock(csk);
        /* Only allow TCP sockets to be attached for now */
        if ((csk->sk_family != AF_INET && csk->sk_family != AF_INET6) ||
-            csk->sk_protocol != IPPROTO_TCP)
+            csk->sk_protocol != IPPROTO_TCP) {
-                return -EOPNOTSUPP;
+                err = -EOPNOTSUPP;
+                goto out;
+        }
        /* Don't allow listeners or closed sockets */
-        if (csk->sk_state == TCP_LISTEN || csk->sk_state == TCP_CLOSE)
+        if (csk->sk_state == TCP_LISTEN || csk->sk_state == TCP_CLOSE) {
-                return -EOPNOTSUPP;
+                err = -EOPNOTSUPP;
+                goto out;
+        }
        psock = kmem_cache_zalloc(kcm_psockp, GFP_KERNEL);
-        if (!psock)
+        if (!psock) {
-                return -ENOMEM;
+                err = -ENOMEM;
+                goto out;
+        }
        psock->mux = mux;
        psock->sk = csk;
@@ -1407,7 +1415,7 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
        err = strp_init(&psock->strp, csk, &cb);
        if (err) {
                kmem_cache_free(kcm_psockp, psock);
-                return err;
+                goto out;
        }
        write_lock_bh(&csk->sk_callback_lock);
@@ -1419,7 +1427,8 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
                write_unlock_bh(&csk->sk_callback_lock);
                strp_done(&psock->strp);
                kmem_cache_free(kcm_psockp, psock);
-                return -EALREADY;
+                err = -EALREADY;
+                goto out;
        }
        psock->save_data_ready = csk->sk_data_ready;
@@ -1455,7 +1464,10 @@ static int kcm_attach(struct socket *sock, struct socket *csock,
        /* Schedule RX work in case there are already bytes queued */
        strp_check_rcv(&psock->strp);
-        return 0;
+out:
+        release_sock(csk);
+        return err;
 }
 static int kcm_attach_ioctl(struct socket *sock, struct kcm_attach *info)
@@ -1507,6 +1519,7 @@ static void kcm_unattach(struct kcm_psock *psock)
        if (WARN_ON(psock->rx_kcm)) {
                write_unlock_bh(&csk->sk_callback_lock);
+                release_sock(csk);
                return;
        }
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 194a7483bb93..14b67dfacc4b 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -111,6 +111,13 @@ struct l2tp_net {
        spinlock_t l2tp_session_hlist_lock;
 };
+#if IS_ENABLED(CONFIG_IPV6)
+static bool l2tp_sk_is_v6(struct sock *sk)
+{
+        return sk->sk_family == PF_INET6 &&
+               !ipv6_addr_v4mapped(&sk->sk_v6_daddr);
+}
+#endif
 static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
 {
@@ -136,51 +143,6 @@ l2tp_session_id_hash_2(struct l2tp_net *pn, u32 session_id)
 }
-/* Lookup the tunnel socket, possibly involving the fs code if the socket is
- * owned by userspace.  A struct sock returned from this function must be
- * released using l2tp_tunnel_sock_put once you're done with it.
- */
-static struct sock *l2tp_tunnel_sock_lookup(struct l2tp_tunnel *tunnel)
-{
-        int err = 0;
-        struct socket *sock = NULL;
-        struct sock *sk = NULL;
-        if (!tunnel)
-                goto out;
-        if (tunnel->fd >= 0) {
-                /* Socket is owned by userspace, who might be in the process
-                 * of closing it.  Look the socket up using the fd to ensure
-                 * consistency.
-                 */
-                sock = sockfd_lookup(tunnel->fd, &err);
-                if (sock)
-                        sk = sock->sk;
-        } else {
-                /* Socket is owned by kernelspace */
-                sk = tunnel->sock;
-                sock_hold(sk);
-        }
-out:
-        return sk;
-}
-/* Drop a reference to a tunnel socket obtained via. l2tp_tunnel_sock_put */
-static void l2tp_tunnel_sock_put(struct sock *sk)
-{
-        struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
-        if (tunnel) {
-                if (tunnel->fd >= 0) {
-                        /* Socket is owned by userspace */
-                        sockfd_put(sk->sk_socket);
-                }
-                sock_put(sk);
-        }
-        sock_put(sk);
-}
 /* Session hash list.
 * The session_id SHOULD be random according to RFC2661, but several
 * L2TP implementations (Cisco and Microsoft) use incrementing
@@ -193,6 +155,13 @@ l2tp_session_id_hash(struct l2tp_tunnel *tunnel, u32 session_id)
        return &tunnel->session_hlist[hash_32(session_id, L2TP_HASH_BITS)];
 }
+void l2tp_tunnel_free(struct l2tp_tunnel *tunnel)
+{
+        sock_put(tunnel->sock);
+        /* the tunnel is freed in the socket destructor */
+}
+EXPORT_SYMBOL(l2tp_tunnel_free);
 /* Lookup a tunnel. A new reference is held on the returned tunnel. */
 struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id)
 {
@@ -345,13 +314,11 @@ int l2tp_session_register(struct l2tp_session *session,
                        }
                l2tp_tunnel_inc_refcount(tunnel);
-                sock_hold(tunnel->sock);
                hlist_add_head_rcu(&session->global_hlist, g_head);
                spin_unlock_bh(&pn->l2tp_session_hlist_lock);
        } else {
                l2tp_tunnel_inc_refcount(tunnel);
-                sock_hold(tunnel->sock);
        }
        hlist_add_head(&session->hlist, head);
@@ -969,7 +936,7 @@ int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
 {
        struct l2tp_tunnel *tunnel;
-        tunnel = l2tp_sock_to_tunnel(sk);
+        tunnel = l2tp_tunnel(sk);
        if (tunnel == NULL)
                goto pass_up;
@@ -977,13 +944,10 @@ int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb)
                 tunnel->name, skb->len);
        if (l2tp_udp_recv_core(tunnel, skb, tunnel->recv_payload_hook))
-                goto pass_up_put;
+                goto pass_up;
-        sock_put(sk);
        return 0;
-pass_up_put:
-        sock_put(sk);
 pass_up:
        return 1;
 }
@@ -1092,7 +1056,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb,
        /* Queue the packet to IP for output */
        skb->ignore_df = 1;
 #if IS_ENABLED(CONFIG_IPV6)
-        if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
+        if (l2tp_sk_is_v6(tunnel->sock))
                error = inet6_csk_xmit(tunnel->sock, skb, NULL);
        else
 #endif
@@ -1155,6 +1119,15 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
                goto out_unlock;
        }
+        /* The user-space may change the connection status for the user-space
+         * provided socket at run time: we must check it under the socket lock
+         */
+        if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED) {
+                kfree_skb(skb);
+                ret = NET_XMIT_DROP;
+                goto out_unlock;
+        }
        /* Get routing info from the tunnel socket */
        skb_dst_drop(skb);
        skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
@@ -1174,7 +1147,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len
                /* Calculate UDP checksum if configured to do so */
 #if IS_ENABLED(CONFIG_IPV6)
-                if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+                if (l2tp_sk_is_v6(sk))
                        udp6_set_csum(udp_get_no_check6_tx(sk),
                                      skb, &inet6_sk(sk)->saddr,
                                      &sk->sk_v6_daddr, udp_len);
@@ -1207,14 +1180,12 @@ EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
 static void l2tp_tunnel_destruct(struct sock *sk)
 {
        struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
-        struct l2tp_net *pn;
        if (tunnel == NULL)
                goto end;
        l2tp_info(tunnel, L2TP_MSG_CONTROL, "%s: closing...\n", tunnel->name);
        /* Disable udp encapsulation */
        switch (tunnel->encap) {
        case L2TP_ENCAPTYPE_UDP:
@@ -1231,18 +1202,11 @@ static void l2tp_tunnel_destruct(struct sock *sk)
        sk->sk_destruct = tunnel->old_sk_destruct;
        sk->sk_user_data = NULL;
-        /* Remove the tunnel struct from the tunnel list */
-        pn = l2tp_pernet(tunnel->l2tp_net);
-        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
-        list_del_rcu(&tunnel->list);
-        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
-        tunnel->sock = NULL;
-        l2tp_tunnel_dec_refcount(tunnel);
        /* Call the original destructor */
        if (sk->sk_destruct)
                (*sk->sk_destruct)(sk);
+        kfree_rcu(tunnel, rcu);
 end:
        return;
 }
@@ -1303,49 +1267,43 @@ EXPORT_SYMBOL_GPL(l2tp_tunnel_closeall);
 /* Tunnel socket destroy hook for UDP encapsulation */
 static void l2tp_udp_encap_destroy(struct sock *sk)
 {
-        struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
+        struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
-        if (tunnel) {
-                l2tp_tunnel_closeall(tunnel);
+        if (tunnel)
-                sock_put(sk);
+                l2tp_tunnel_delete(tunnel);
-        }
 }
 /* Workqueue tunnel deletion function */
 static void l2tp_tunnel_del_work(struct work_struct *work)
 {
-        struct l2tp_tunnel *tunnel = NULL;
+        struct l2tp_tunnel *tunnel = container_of(work, struct l2tp_tunnel,
-        struct socket *sock = NULL;
+                                                  del_work);
-        struct sock *sk = NULL;
+        struct sock *sk = tunnel->sock;
+        struct socket *sock = sk->sk_socket;
-        tunnel = container_of(work, struct l2tp_tunnel, del_work);
+        struct l2tp_net *pn;
        l2tp_tunnel_closeall(tunnel);
-        sk = l2tp_tunnel_sock_lookup(tunnel);
+        /* If the tunnel socket was created within the kernel, use
-        if (!sk)
-                goto out;
-        sock = sk->sk_socket;
-        /* If the tunnel socket was created by userspace, then go through the
-         * inet layer to shut the socket down, and let userspace close it.
-         * Otherwise, if we created the socket directly within the kernel, use
         * the sk API to release it here.
-         * In either case the tunnel resources are freed in the socket
-         * destructor when the tunnel socket goes away.
         */
-        if (tunnel->fd >= 0) {
+        if (tunnel->fd < 0) {
-                if (sock)
-                        inet_shutdown(sock, 2);
-        } else {
                if (sock) {
                        kernel_sock_shutdown(sock, SHUT_RDWR);
                        sock_release(sock);
                }
        }
-        l2tp_tunnel_sock_put(sk);
+        /* Remove the tunnel struct from the tunnel list */
-out:
+        pn = l2tp_pernet(tunnel->l2tp_net);
+        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
+        list_del_rcu(&tunnel->list);
+        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
+        /* drop initial ref */
+        l2tp_tunnel_dec_refcount(tunnel);
+        /* drop workqueue ref */
        l2tp_tunnel_dec_refcount(tunnel);
 }
@@ -1515,9 +1473,14 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
                encap = cfg->encap;
        /* Quick sanity checks */
+        err = -EPROTONOSUPPORT;
+        if (sk->sk_type != SOCK_DGRAM) {
+                pr_debug("tunl %hu: fd %d wrong socket type\n",
+                         tunnel_id, fd);
+                goto err;
+        }
        switch (encap) {
        case L2TP_ENCAPTYPE_UDP:
-                err = -EPROTONOSUPPORT;
                if (sk->sk_protocol != IPPROTO_UDP) {
                        pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
                               tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
@@ -1525,7 +1488,6 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
                }
                break;
        case L2TP_ENCAPTYPE_IP:
-                err = -EPROTONOSUPPORT;
                if (sk->sk_protocol != IPPROTO_L2TP) {
                        pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
                               tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
@@ -1565,24 +1527,6 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
        if (cfg != NULL)
                tunnel->debug = cfg->debug;
-#if IS_ENABLED(CONFIG_IPV6)
-        if (sk->sk_family == PF_INET6) {
-                struct ipv6_pinfo *np = inet6_sk(sk);
-                if (ipv6_addr_v4mapped(&np->saddr) &&
-                    ipv6_addr_v4mapped(&sk->sk_v6_daddr)) {
-                        struct inet_sock *inet = inet_sk(sk);
-                        tunnel->v4mapped = true;
-                        inet->inet_saddr = np->saddr.s6_addr32[3];
-                        inet->inet_rcv_saddr = sk->sk_v6_rcv_saddr.s6_addr32[3];
-                        inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
-                } else {
-                        tunnel->v4mapped = false;
-                }
-        }
-#endif
        /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
        tunnel->encap = encap;
        if (encap == L2TP_ENCAPTYPE_UDP) {
@@ -1598,13 +1542,22 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
                sk->sk_user_data = tunnel;
        }
+        /* Bump the reference count. The tunnel context is deleted
+         * only when this drops to zero. A reference is also held on
+         * the tunnel socket to ensure that it is not released while
+         * the tunnel is extant. Must be done before sk_destruct is
+         * set.
+         */
+        refcount_set(&tunnel->ref_count, 1);
+        sock_hold(sk);
+        tunnel->sock = sk;
+        tunnel->fd = fd;
        /* Hook on the tunnel socket destructor so that we can cleanup
         * if the tunnel socket goes away.
         */
        tunnel->old_sk_destruct = sk->sk_destruct;
        sk->sk_destruct = &l2tp_tunnel_destruct;
-        tunnel->sock = sk;
-        tunnel->fd = fd;
        lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
        sk->sk_allocation = GFP_ATOMIC;
@@ -1614,11 +1567,6 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32
        /* Add tunnel to our list */
        INIT_LIST_HEAD(&tunnel->list);
-        /* Bump the reference count. The tunnel context is deleted
-         * only when this drops to zero. Must be done before list insertion
-         */
-        refcount_set(&tunnel->ref_count, 1);
        spin_lock_bh(&pn->l2tp_tunnel_list_lock);
        list_add_rcu(&tunnel->list, &pn->l2tp_tunnel_list);
        spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
@@ -1659,8 +1607,6 @@ void l2tp_session_free(struct l2tp_session *session)
        if (tunnel) {
                BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
-                sock_put(tunnel->sock);
-                session->tunnel = NULL;
                l2tp_tunnel_dec_refcount(tunnel);
        }
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index 9bbee90e9963..2718d0b284d0 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -188,9 +188,6 @@ struct l2tp_tunnel {
        struct sock             *sock;          /* Parent socket */
        int                     fd;             /* Parent fd, if tunnel socket
                                                 * was created by userspace */
-#if IS_ENABLED(CONFIG_IPV6)
-        bool                    v4mapped;
-#endif
        struct work_struct      del_work;
@@ -214,27 +211,8 @@ static inline void *l2tp_session_priv(struct l2tp_session *session)
        return &session->priv[0];
 }
-static inline struct l2tp_tunnel *l2tp_sock_to_tunnel(struct sock *sk)
-{
-        struct l2tp_tunnel *tunnel;
-        if (sk == NULL)
-                return NULL;
-        sock_hold(sk);
-        tunnel = (struct l2tp_tunnel *)(sk->sk_user_data);
-        if (tunnel == NULL) {
-                sock_put(sk);
-                goto out;
-        }
-        BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
-out:
-        return tunnel;
-}
 struct l2tp_tunnel *l2tp_tunnel_get(const struct net *net, u32 tunnel_id);
+void l2tp_tunnel_free(struct l2tp_tunnel *tunnel);
 struct l2tp_session *l2tp_session_get(const struct net *net,
                                      struct l2tp_tunnel *tunnel,
@@ -283,7 +261,7 @@ static inline void l2tp_tunnel_inc_refcount(struct l2tp_tunnel *tunnel)
 static inline void l2tp_tunnel_dec_refcount(struct l2tp_tunnel *tunnel)
 {
        if (refcount_dec_and_test(&tunnel->ref_count))
-                kfree_rcu(tunnel, rcu);
+                l2tp_tunnel_free(tunnel);
 }
 /* Session reference counts. Incremented when code obtains a reference
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index ff61124fdf59..3428fba6f2b7 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -234,17 +234,13 @@ static void l2tp_ip_close(struct sock *sk, long timeout)
 static void l2tp_ip_destroy_sock(struct sock *sk)
 {
        struct sk_buff *skb;
-        struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
+        struct l2tp_tunnel *tunnel = sk->sk_user_data;
        while ((skb = __skb_dequeue_tail(&sk->sk_write_queue)) != NULL)
                kfree_skb(skb);
-        if (tunnel) {
+        if (tunnel)
-                l2tp_tunnel_closeall(tunnel);
+                l2tp_tunnel_delete(tunnel);
-                sock_put(sk);
-        }
-        sk_refcnt_debug_dec(sk);
 }
 static int l2tp_ip_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len)
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 192344688c06..6f009eaa5fbe 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -248,16 +248,14 @@ static void l2tp_ip6_close(struct sock *sk, long timeout)
 static void l2tp_ip6_destroy_sock(struct sock *sk)
 {
-        struct l2tp_tunnel *tunnel = l2tp_sock_to_tunnel(sk);
+        struct l2tp_tunnel *tunnel = sk->sk_user_data;
        lock_sock(sk);
        ip6_flush_pending_frames(sk);
        release_sock(sk);
-        if (tunnel) {
+        if (tunnel)
-                l2tp_tunnel_closeall(tunnel);
+                l2tp_tunnel_delete(tunnel);
-                sock_put(sk);
-        }
        inet6_destroy_sock(sk);
 }
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index 59f246d7b290..3b02f24ea9ec 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -416,20 +416,28 @@ abort:
 * Session (and tunnel control) socket create/destroy.
 *****************************************************************************/
+static void pppol2tp_put_sk(struct rcu_head *head)
+{
+        struct pppol2tp_session *ps;
+        ps = container_of(head, typeof(*ps), rcu);
+        sock_put(ps->__sk);
+}
 /* Called by l2tp_core when a session socket is being closed.
 */
 static void pppol2tp_session_close(struct l2tp_session *session)
 {
-        struct sock *sk;
+        struct pppol2tp_session *ps;
-        BUG_ON(session->magic != L2TP_SESSION_MAGIC);
-        sk = pppol2tp_session_get_sock(session);
+        ps = l2tp_session_priv(session);
-        if (sk) {
+        mutex_lock(&ps->sk_lock);
-                if (sk->sk_socket)
+        ps->__sk = rcu_dereference_protected(ps->sk,
-                        inet_shutdown(sk->sk_socket, SEND_SHUTDOWN);
+                                             lockdep_is_held(&ps->sk_lock));
-                sock_put(sk);
+        RCU_INIT_POINTER(ps->sk, NULL);
-        }
+        if (ps->__sk)
+                call_rcu(&ps->rcu, pppol2tp_put_sk);
+        mutex_unlock(&ps->sk_lock);
 }
 /* Really kill the session socket. (Called from sock_put() if
@@ -449,14 +457,6 @@ static void pppol2tp_session_destruct(struct sock *sk)
        }
 }
-static void pppol2tp_put_sk(struct rcu_head *head)
-{
-        struct pppol2tp_session *ps;
-        ps = container_of(head, typeof(*ps), rcu);
-        sock_put(ps->__sk);
-}
 /* Called when the PPPoX socket (session) is closed.
 */
 static int pppol2tp_release(struct socket *sock)
@@ -480,26 +480,17 @@ static int pppol2tp_release(struct socket *sock)
        sock_orphan(sk);
        sock->sk = NULL;
+        /* If the socket is associated with a session,
+         * l2tp_session_delete will call pppol2tp_session_close which
+         * will drop the session's ref on the socket.
+         */
        session = pppol2tp_sock_to_session(sk);
+        if (session) {
-        if (session != NULL) {
-                struct pppol2tp_session *ps;
                l2tp_session_delete(session);
+                /* drop the ref obtained by pppol2tp_sock_to_session */
-                ps = l2tp_session_priv(session);
+                sock_put(sk);
-                mutex_lock(&ps->sk_lock);
-                ps->__sk = rcu_dereference_protected(ps->sk,
-                                                     lockdep_is_held(&ps->sk_lock));
-                RCU_INIT_POINTER(ps->sk, NULL);
-                mutex_unlock(&ps->sk_lock);
-                call_rcu(&ps->rcu, pppol2tp_put_sk);
-                /* Rely on the sock_put() call at the end of the function for
-                 * dropping the reference held by pppol2tp_sock_to_session().
-                 * The last reference will be dropped by pppol2tp_put_sk().
-                 */
        }
        release_sock(sk);
        /* This will delete the session context via
@@ -796,6 +787,7 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
 out_no_ppp:
        /* This is how we get the session context from the socket. */
+        sock_hold(sk);
        sk->sk_user_data = session;
        rcu_assign_pointer(ps->sk, sk);
        mutex_unlock(&ps->sk_lock);
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index a8b1616cec41..1f3188d03840 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -8,6 +8,7 @@
 * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
 * Copyright 2007-2010, Intel Corporation
 * Copyright(c) 2015-2017 Intel Deutschland GmbH
+ * Copyright (C) 2018        Intel Corporation
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -304,9 +305,6 @@ void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
                         * driver so reject the timeout update.
                         */
                        status = WLAN_STATUS_REQUEST_DECLINED;
-                        ieee80211_send_addba_resp(sta->sdata, sta->sta.addr,
-                                                  tid, dialog_token, status,
-                                                  1, buf_size, timeout);
                        goto end;
                }
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 46028e12e216..f4195a0f0279 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2892,7 +2892,7 @@ cfg80211_beacon_dup(struct cfg80211_beacon_data *beacon)
        }
        if (beacon->probe_resp_len) {
                new_beacon->probe_resp_len = beacon->probe_resp_len;
-                beacon->probe_resp = pos;
+                new_beacon->probe_resp = pos;
                memcpy(pos, beacon->probe_resp, beacon->probe_resp_len);
                pos += beacon->probe_resp_len;
        }
diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
index 1f466d12a6bc..94c7ee9df33b 100644
--- a/net/mac80211/debugfs.c
+++ b/net/mac80211/debugfs.c
@@ -212,6 +212,7 @@ static const char *hw_flag_names[] = {
        FLAG(REPORTS_LOW_ACK),
        FLAG(SUPPORTS_TX_FRAG),
        FLAG(SUPPORTS_TDLS_BUFFER_STA),
+        FLAG(DOESNT_SUPPORT_QOS_NDP),
 #undef FLAG
 };
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 26900025de2f..ae9c33cd8ada 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1467,7 +1467,7 @@ struct ieee802_11_elems {
        const struct ieee80211_timeout_interval_ie *timeout_int;
        const u8 *opmode_notif;
        const struct ieee80211_sec_chan_offs_ie *sec_chan_offs;
-        const struct ieee80211_mesh_chansw_params_ie *mesh_chansw_params_ie;
+        struct ieee80211_mesh_chansw_params_ie *mesh_chansw_params_ie;
        const struct ieee80211_bss_max_idle_period_ie *max_idle_period_ie;
        /* length of them, respectively */
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index 73ac607beb5d..6a381cbe1e33 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -1255,13 +1255,12 @@ int ieee80211_mesh_csa_beacon(struct ieee80211_sub_if_data *sdata,
 }
 static int mesh_fwd_csa_frame(struct ieee80211_sub_if_data *sdata,
-                               struct ieee80211_mgmt *mgmt, size_t len)
+                               struct ieee80211_mgmt *mgmt, size_t len,
+                               struct ieee802_11_elems *elems)
 {
        struct ieee80211_mgmt *mgmt_fwd;
        struct sk_buff *skb;
        struct ieee80211_local *local = sdata->local;
-        u8 *pos = mgmt->u.action.u.chan_switch.variable;
-        size_t offset_ttl;
        skb = dev_alloc_skb(local->tx_headroom + len);
        if (!skb)
@@ -1269,13 +1268,9 @@ static int mesh_fwd_csa_frame(struct ieee80211_sub_if_data *sdata,
        skb_reserve(skb, local->tx_headroom);
        mgmt_fwd = skb_put(skb, len);
-        /* offset_ttl is based on whether the secondary channel
+        elems->mesh_chansw_params_ie->mesh_ttl--;
-         * offset is available or not. Subtract 1 from the mesh TTL
+        elems->mesh_chansw_params_ie->mesh_flags &=
-         * and disable the initiator flag before forwarding.
+                ~WLAN_EID_CHAN_SWITCH_PARAM_INITIATOR;
-         */
-        offset_ttl = (len < 42) ? 7 : 10;
-        *(pos + offset_ttl) -= 1;
-        *(pos + offset_ttl + 1) &= ~WLAN_EID_CHAN_SWITCH_PARAM_INITIATOR;
        memcpy(mgmt_fwd, mgmt, len);
        eth_broadcast_addr(mgmt_fwd->da);
@@ -1323,7 +1318,7 @@ static void mesh_rx_csa_frame(struct ieee80211_sub_if_data *sdata,
        /* forward or re-broadcast the CSA frame */
        if (fwd_csa) {
-                if (mesh_fwd_csa_frame(sdata, mgmt, len) < 0)
+                if (mesh_fwd_csa_frame(sdata, mgmt, len, &elems) < 0)
                        mcsa_dbg(sdata, "Failed to forward the CSA frame");
        }
 }
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 39b660b9a908..5f303abac5ad 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -896,7 +896,8 @@ void ieee80211_send_nullfunc(struct ieee80211_local *local,
        struct ieee80211_hdr_3addr *nullfunc;
        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
-        skb = ieee80211_nullfunc_get(&local->hw, &sdata->vif, true);
+        skb = ieee80211_nullfunc_get(&local->hw, &sdata->vif,
+                !ieee80211_hw_check(&local->hw, DOESNT_SUPPORT_QOS_NDP));
        if (!skb)
                return;
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index fd580614085b..56fe16b07538 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3921,7 +3921,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx,
        if ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FROMDS |
                                              IEEE80211_FCTL_TODS)) !=
            fast_rx->expected_ds_bits)
-                goto drop;
+                return false;
        /* assign the key to drop unencrypted frames (later)
         * and strip the IV/MIC if necessary
diff --git a/net/mac80211/spectmgmt.c b/net/mac80211/spectmgmt.c
index ee0181778a42..029334835747 100644
--- a/net/mac80211/spectmgmt.c
+++ b/net/mac80211/spectmgmt.c
@@ -8,6 +8,7 @@
 * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
 * Copyright 2007-2008, Intel Corporation
 * Copyright 2008, Johannes Berg <johannes@sipsolutions.net>
+ * Copyright (C) 2018        Intel Corporation
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -27,7 +28,7 @@ int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
                                 u32 sta_flags, u8 *bssid,
                                 struct ieee80211_csa_ie *csa_ie)
 {
-        enum nl80211_band new_band;
+        enum nl80211_band new_band = current_band;
        int new_freq;
        u8 new_chan_no;
        struct ieee80211_channel *new_chan;
@@ -55,15 +56,13 @@ int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
                                elems->ext_chansw_ie->new_operating_class,
                                &new_band)) {
                        sdata_info(sdata,
-                                   "cannot understand ECSA IE operating class %d, disconnecting\n",
+                                   "cannot understand ECSA IE operating class, %d, ignoring\n",
                                   elems->ext_chansw_ie->new_operating_class);
-                        return -EINVAL;
                }
                new_chan_no = elems->ext_chansw_ie->new_ch_num;
                csa_ie->count = elems->ext_chansw_ie->count;
                csa_ie->mode = elems->ext_chansw_ie->mode;
        } else if (elems->ch_switch_ie) {
-                new_band = current_band;
                new_chan_no = elems->ch_switch_ie->new_ch_num;
                csa_ie->count = elems->ch_switch_ie->count;
                csa_ie->mode = elems->ch_switch_ie->mode;
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 0c5627f8a104..af0b608ee8ed 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -314,7 +314,7 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
        if (ieee80211_hw_check(hw, USES_RSS)) {
                sta->pcpu_rx_stats =
-                        alloc_percpu(struct ieee80211_sta_rx_stats);
+                        alloc_percpu_gfp(struct ieee80211_sta_rx_stats, gfp);
                if (!sta->pcpu_rx_stats)
                        goto free;
        }
@@ -433,6 +433,7 @@ free_txq:
        if (sta->sta.txq[0])
                kfree(to_txq_info(sta->sta.txq[0]));
 free:
+        free_percpu(sta->pcpu_rx_stats);
 #ifdef CONFIG_MAC80211_MESH
        kfree(sta->mesh);
 #endif
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 25904af38839..69722504e3e1 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3574,6 +3574,14 @@ void __ieee80211_subif_start_xmit(struct sk_buff *skb,
        if (!IS_ERR_OR_NULL(sta)) {
                struct ieee80211_fast_tx *fast_tx;
+                /* We need a bit of data queued to build aggregates properly, so
+                 * instruct the TCP stack to allow more than a single ms of data
+                 * to be queued in the stack. The value is a bit-shift of 1
+                 * second, so 8 is ~4ms of queued data. Only affects local TCP
+                 * sockets.
+                 */
+                sk_pacing_shift_update(skb->sk, 8);
                fast_tx = rcu_dereference(sta->fast_tx);
                if (fast_tx &&
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index e545a3c9365f..7a4de6d618b1 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -122,7 +122,7 @@ bool mpls_pkt_too_big(const struct sk_buff *skb, unsigned int mtu)
        if (skb->len <= mtu)
                return false;
-        if (skb_is_gso(skb) && skb_gso_validate_mtu(skb, mtu))
+        if (skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu))
                return false;
        return true;
diff --git a/net/netfilter/ipvs/ip_vs_ftp.c b/net/netfilter/ipvs/ip_vs_ftp.c
index 3e17d32b629d..58d5d05aec24 100644
--- a/net/netfilter/ipvs/ip_vs_ftp.c
+++ b/net/netfilter/ipvs/ip_vs_ftp.c
@@ -260,7 +260,7 @@ static int ip_vs_ftp_out(struct ip_vs_app *app, struct ip_vs_conn *cp,
                buf_len = strlen(buf);
                ct = nf_ct_get(skb, &ctinfo);
-                if (ct && (ct->status & IPS_NAT_MASK)) {
+                if (ct) {
                        bool mangled;
                        /* If mangling fails this function will return 0
diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c
index fbce552a796e..7d7466dbf663 100644
--- a/net/netfilter/nf_nat_proto_common.c
+++ b/net/netfilter/nf_nat_proto_common.c
@@ -41,7 +41,7 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
                                 const struct nf_conn *ct,
                                 u16 *rover)
 {
-        unsigned int range_size, min, i;
+        unsigned int range_size, min, max, i;
        __be16 *portptr;
        u_int16_t off;
@@ -71,7 +71,10 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
                }
        } else {
                min = ntohs(range->min_proto.all);
-                range_size = ntohs(range->max_proto.all) - min + 1;
+                max = ntohs(range->max_proto.all);
+                if (unlikely(max < min))
+                        swap(max, min);
+                range_size = max - min + 1;
        }
        if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 8b9fe30de0cd..c4acc7340eb1 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5037,9 +5037,9 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        const struct nf_flowtable_type *type;
+        struct nft_flowtable *flowtable, *ft;
        u8 genmask = nft_genmask_next(net);
        int family = nfmsg->nfgen_family;
-        struct nft_flowtable *flowtable;
        struct nft_table *table;
        struct nft_ctx ctx;
        int err, i, k;
@@ -5099,6 +5099,22 @@ static int nf_tables_newflowtable(struct net *net, struct sock *nlsk,
                goto err3;
        for (i = 0; i < flowtable->ops_len; i++) {
+                if (!flowtable->ops[i].dev)
+                        continue;
+                list_for_each_entry(ft, &table->flowtables, list) {
+                        for (k = 0; k < ft->ops_len; k++) {
+                                if (!ft->ops[k].dev)
+                                        continue;
+                                if (flowtable->ops[i].dev == ft->ops[k].dev &&
+                                    flowtable->ops[i].pf == ft->ops[k].pf) {
+                                        err = -EBUSY;
+                                        goto err4;
+                                }
+                        }
+                }
                err = nf_register_net_hook(net, &flowtable->ops[i]);
                if (err < 0)
                        goto err4;
@@ -5120,7 +5136,7 @@ err5:
        i = flowtable->ops_len;
 err4:
        for (k = i - 1; k >= 0; k--)
-                nf_unregister_net_hook(net, &flowtable->ops[i]);
+                nf_unregister_net_hook(net, &flowtable->ops[k]);
        kfree(flowtable->ops);
 err3:
@@ -5145,6 +5161,11 @@ static int nf_tables_delflowtable(struct net *net, struct sock *nlsk,
        struct nft_table *table;
        struct nft_ctx ctx;
+        if (!nla[NFTA_FLOWTABLE_TABLE] ||
+            (!nla[NFTA_FLOWTABLE_NAME] &&
+             !nla[NFTA_FLOWTABLE_HANDLE]))
+                return -EINVAL;
        table = nf_tables_table_lookup(net, nla[NFTA_FLOWTABLE_TABLE],
                                       family, genmask);
        if (IS_ERR(table))
@@ -5402,6 +5423,7 @@ err:
 static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
 {
        cancel_delayed_work_sync(&flowtable->data.gc_work);
+        kfree(flowtable->ops);
        kfree(flowtable->name);
        flowtable->data.type->free(&flowtable->data);
        rhashtable_destroy(&flowtable->data.rhashtable);
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index 3f1624ee056f..d40591fe1b2f 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -674,7 +674,7 @@ static const struct nft_set_ops *
 nft_hash_select_ops(const struct nft_ctx *ctx, const struct nft_set_desc *desc,
                    u32 flags)
 {
-        if (desc->size) {
+        if (desc->size && !(flags & NFT_SET_TIMEOUT)) {
                switch (desc->klen) {
                case 4:
                        return &nft_hash_fast_ops;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 2f685ee1f9c8..4aa01c90e9d1 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -423,6 +423,36 @@ textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto)
        return buf;
 }
+/**
+ * xt_check_proc_name - check that name is suitable for /proc file creation
+ *
+ * @name: file name candidate
+ * @size: length of buffer
+ *
+ * some x_tables modules wish to create a file in /proc.
+ * This function makes sure that the name is suitable for this
+ * purpose, it checks that name is NUL terminated and isn't a 'special'
+ * name, like "..".
+ *
+ * returns negative number on error or 0 if name is useable.
+ */
+int xt_check_proc_name(const char *name, unsigned int size)
+{
+        if (name[0] == '\0')
+                return -EINVAL;
+        if (strnlen(name, size) == size)
+                return -ENAMETOOLONG;
+        if (strcmp(name, ".") == 0 ||
+            strcmp(name, "..") == 0 ||
+            strchr(name, '/'))
+                return -EINVAL;
+        return 0;
+}
+EXPORT_SYMBOL(xt_check_proc_name);
 int xt_check_match(struct xt_mtchk_param *par,
                   unsigned int size, u_int8_t proto, bool inv_proto)
 {
@@ -434,36 +464,35 @@ int xt_check_match(struct xt_mtchk_param *par,
                 * ebt_among is exempt from centralized matchsize checking
                 * because it uses a dynamic-size data set.
                 */
-                pr_err("%s_tables: %s.%u match: invalid size "
+                pr_err_ratelimited("%s_tables: %s.%u match: invalid size %u (kernel) != (user) %u\n",
-                       "%u (kernel) != (user) %u\n",
+                                   xt_prefix[par->family], par->match->name,
-                       xt_prefix[par->family], par->match->name,
+                                   par->match->revision,
-                       par->match->revision,
+                                   XT_ALIGN(par->match->matchsize), size);
-                       XT_ALIGN(par->match->matchsize), size);
                return -EINVAL;
        }
        if (par->match->table != NULL &&
            strcmp(par->match->table, par->table) != 0) {
-                pr_err("%s_tables: %s match: only valid in %s table, not %s\n",
+                pr_info_ratelimited("%s_tables: %s match: only valid in %s table, not %s\n",
-                       xt_prefix[par->family], par->match->name,
+                                    xt_prefix[par->family], par->match->name,
-                       par->match->table, par->table);
+                                    par->match->table, par->table);
                return -EINVAL;
        }
        if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
                char used[64], allow[64];
-                pr_err("%s_tables: %s match: used from hooks %s, but only "
+                pr_info_ratelimited("%s_tables: %s match: used from hooks %s, but only valid from %s\n",
-                       "valid from %s\n",
+                                    xt_prefix[par->family], par->match->name,
-                       xt_prefix[par->family], par->match->name,
+                                    textify_hooks(used, sizeof(used),
-                       textify_hooks(used, sizeof(used), par->hook_mask,
+                                                  par->hook_mask, par->family),
-                                     par->family),
+                                    textify_hooks(allow, sizeof(allow),
-                       textify_hooks(allow, sizeof(allow), par->match->hooks,
+                                                  par->match->hooks,
-                                     par->family));
+                                                  par->family));
                return -EINVAL;
        }
        if (par->match->proto && (par->match->proto != proto || inv_proto)) {
-                pr_err("%s_tables: %s match: only valid for protocol %u\n",
+                pr_info_ratelimited("%s_tables: %s match: only valid for protocol %u\n",
-                       xt_prefix[par->family], par->match->name,
+                                    xt_prefix[par->family], par->match->name,
-                       par->match->proto);
+                                    par->match->proto);
                return -EINVAL;
        }
        if (par->match->checkentry != NULL) {
@@ -814,36 +843,35 @@ int xt_check_target(struct xt_tgchk_param *par,
        int ret;
        if (XT_ALIGN(par->target->targetsize) != size) {
-                pr_err("%s_tables: %s.%u target: invalid size "
+                pr_err_ratelimited("%s_tables: %s.%u target: invalid size %u (kernel) != (user) %u\n",
-                       "%u (kernel) != (user) %u\n",
+                                   xt_prefix[par->family], par->target->name,
-                       xt_prefix[par->family], par->target->name,
+                                   par->target->revision,
-                       par->target->revision,
+                                   XT_ALIGN(par->target->targetsize), size);
-                       XT_ALIGN(par->target->targetsize), size);
                return -EINVAL;
        }
        if (par->target->table != NULL &&
            strcmp(par->target->table, par->table) != 0) {
-                pr_err("%s_tables: %s target: only valid in %s table, not %s\n",
+                pr_info_ratelimited("%s_tables: %s target: only valid in %s table, not %s\n",
-                       xt_prefix[par->family], par->target->name,
+                                    xt_prefix[par->family], par->target->name,
-                       par->target->table, par->table);
+                                    par->target->table, par->table);
                return -EINVAL;
        }
        if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) {
                char used[64], allow[64];
-                pr_err("%s_tables: %s target: used from hooks %s, but only "
+                pr_info_ratelimited("%s_tables: %s target: used from hooks %s, but only usable from %s\n",
-                       "usable from %s\n",
+                                    xt_prefix[par->family], par->target->name,
-                       xt_prefix[par->family], par->target->name,
+                                    textify_hooks(used, sizeof(used),
-                       textify_hooks(used, sizeof(used), par->hook_mask,
+                                                  par->hook_mask, par->family),
-                                     par->family),
+                                    textify_hooks(allow, sizeof(allow),
-                       textify_hooks(allow, sizeof(allow), par->target->hooks,
+                                                  par->target->hooks,
-                                     par->family));
+                                                  par->family));
                return -EINVAL;
        }
        if (par->target->proto && (par->target->proto != proto || inv_proto)) {
-                pr_err("%s_tables: %s target: only valid for protocol %u\n",
+                pr_info_ratelimited("%s_tables: %s target: only valid for protocol %u\n",
-                       xt_prefix[par->family], par->target->name,
+                                    xt_prefix[par->family], par->target->name,
-                       par->target->proto);
+                                    par->target->proto);
                return -EINVAL;
        }
        if (par->target->checkentry != NULL) {
@@ -1004,10 +1032,6 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
        if (sz < sizeof(*info))
                return NULL;
-        /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
-        if ((size >> PAGE_SHIFT) + 2 > totalram_pages)
-                return NULL;
        /* __GFP_NORETRY is not fully supported by kvmalloc but it should
         * work reasonably well if sz is too large and bail out rather
         * than shoot all processes down before realizing there is nothing
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index c502419d6306..f368ee6741db 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -120,8 +120,8 @@ static int audit_tg_check(const struct xt_tgchk_param *par)
        const struct xt_audit_info *info = par->targinfo;
        if (info->type > XT_AUDIT_TYPE_MAX) {
-                pr_info("Audit type out of range (valid range: 0..%hhu)\n",
+                pr_info_ratelimited("Audit type out of range (valid range: 0..%hhu)\n",
-                        XT_AUDIT_TYPE_MAX);
+                                    XT_AUDIT_TYPE_MAX);
                return -ERANGE;
        }
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
index 0f642ef8cd26..9f4151ec3e06 100644
--- a/net/netfilter/xt_CHECKSUM.c
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -36,13 +36,13 @@ static int checksum_tg_check(const struct xt_tgchk_param *par)
        const struct xt_CHECKSUM_info *einfo = par->targinfo;
        if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
-                pr_info("unsupported CHECKSUM operation %x\n", einfo->operation);
+                pr_info_ratelimited("unsupported CHECKSUM operation %x\n",
+                                    einfo->operation);
                return -EINVAL;
        }
-        if (!einfo->operation) {
+        if (!einfo->operation)
-                pr_info("no CHECKSUM operation enabled\n");
                return -EINVAL;
-        }
        return 0;
 }
diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c
index da56c06a443c..f3f1caac949b 100644
--- a/net/netfilter/xt_CONNSECMARK.c
+++ b/net/netfilter/xt_CONNSECMARK.c
@@ -91,8 +91,8 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
        if (strcmp(par->table, "mangle") != 0 &&
            strcmp(par->table, "security") != 0) {
-                pr_info("target only valid in the \'mangle\' "
+                pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
-                        "or \'security\' tables, not \'%s\'.\n", par->table);
+                                    par->table);
                return -EINVAL;
        }
@@ -102,14 +102,14 @@ static int connsecmark_tg_check(const struct xt_tgchk_param *par)
                break;
        default:
-                pr_info("invalid mode: %hu\n", info->mode);
+                pr_info_ratelimited("invalid mode: %hu\n", info->mode);
                return -EINVAL;
        }
        ret = nf_ct_netns_get(par->net, par->family);
        if (ret < 0)
-                pr_info("cannot load conntrack support for proto=%u\n",
+                pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
-                        par->family);
+                                    par->family);
        return ret;
 }
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 5a152e2acfd5..8790190c6feb 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -82,15 +82,14 @@ xt_ct_set_helper(struct nf_conn *ct, const char *helper_name,
        proto = xt_ct_find_proto(par);
        if (!proto) {
-                pr_info("You must specify a L4 protocol, and not use "
+                pr_info_ratelimited("You must specify a L4 protocol and not use inversions on it\n");
-                        "inversions on it.\n");
                return -ENOENT;
        }
        helper = nf_conntrack_helper_try_module_get(helper_name, par->family,
                                                    proto);
        if (helper == NULL) {
-                pr_info("No such helper \"%s\"\n", helper_name);
+                pr_info_ratelimited("No such helper \"%s\"\n", helper_name);
                return -ENOENT;
        }
@@ -124,6 +123,7 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
        const struct nf_conntrack_l4proto *l4proto;
        struct ctnl_timeout *timeout;
        struct nf_conn_timeout *timeout_ext;
+        const char *errmsg = NULL;
        int ret = 0;
        u8 proto;
@@ -131,29 +131,29 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
        timeout_find_get = rcu_dereference(nf_ct_timeout_find_get_hook);
        if (timeout_find_get == NULL) {
                ret = -ENOENT;
-                pr_info("Timeout policy base is empty\n");
+                errmsg = "Timeout policy base is empty";
                goto out;
        }
        proto = xt_ct_find_proto(par);
        if (!proto) {
                ret = -EINVAL;
-                pr_info("You must specify a L4 protocol, and not use "
+                errmsg = "You must specify a L4 protocol and not use inversions on it";
-                        "inversions on it.\n");
                goto out;
        }
        timeout = timeout_find_get(par->net, timeout_name);
        if (timeout == NULL) {
                ret = -ENOENT;
-                pr_info("No such timeout policy \"%s\"\n", timeout_name);
+                pr_info_ratelimited("No such timeout policy \"%s\"\n",
+                                    timeout_name);
                goto out;
        }
        if (timeout->l3num != par->family) {
                ret = -EINVAL;
-                pr_info("Timeout policy `%s' can only be used by L3 protocol "
+                pr_info_ratelimited("Timeout policy `%s' can only be used by L%d protocol number %d\n",
-                        "number %d\n", timeout_name, timeout->l3num);
+                                    timeout_name, 3, timeout->l3num);
                goto err_put_timeout;
        }
        /* Make sure the timeout policy matches any existing protocol tracker,
@@ -162,9 +162,8 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
        l4proto = __nf_ct_l4proto_find(par->family, proto);
        if (timeout->l4proto->l4proto != l4proto->l4proto) {
                ret = -EINVAL;
-                pr_info("Timeout policy `%s' can only be used by L4 protocol "
+                pr_info_ratelimited("Timeout policy `%s' can only be used by L%d protocol number %d\n",
-                        "number %d\n",
+                                    timeout_name, 4, timeout->l4proto->l4proto);
-                        timeout_name, timeout->l4proto->l4proto);
                goto err_put_timeout;
        }
        timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC);
@@ -180,6 +179,8 @@ err_put_timeout:
        __xt_ct_tg_timeout_put(timeout);
 out:
        rcu_read_unlock();
+        if (errmsg)
+                pr_info_ratelimited("%s\n", errmsg);
        return ret;
 #else
        return -EOPNOTSUPP;
diff --git a/net/netfilter/xt_DSCP.c b/net/netfilter/xt_DSCP.c
index 3f83d38c4e5b..098ed851b7a7 100644
--- a/net/netfilter/xt_DSCP.c
+++ b/net/netfilter/xt_DSCP.c
@@ -66,10 +66,8 @@ static int dscp_tg_check(const struct xt_tgchk_param *par)
 {
        const struct xt_DSCP_info *info = par->targinfo;
-        if (info->dscp > XT_DSCP_MAX) {
+        if (info->dscp > XT_DSCP_MAX)
-                pr_info("dscp %x out of range\n", info->dscp);
                return -EDOM;
-        }
        return 0;
 }
diff --git a/net/netfilter/xt_HL.c b/net/netfilter/xt_HL.c
index 1535e87ed9bd..4653b071bed4 100644
--- a/net/netfilter/xt_HL.c
+++ b/net/netfilter/xt_HL.c
@@ -105,10 +105,8 @@ static int ttl_tg_check(const struct xt_tgchk_param *par)
 {
        const struct ipt_TTL_info *info = par->targinfo;
-        if (info->mode > IPT_TTL_MAXMODE) {
+        if (info->mode > IPT_TTL_MAXMODE)
-                pr_info("TTL: invalid or unknown mode %u\n", info->mode);
                return -EINVAL;
-        }
        if (info->mode != IPT_TTL_SET && info->ttl == 0)
                return -EINVAL;
        return 0;
@@ -118,15 +116,10 @@ static int hl_tg6_check(const struct xt_tgchk_param *par)
 {
        const struct ip6t_HL_info *info = par->targinfo;
-        if (info->mode > IP6T_HL_MAXMODE) {
+        if (info->mode > IP6T_HL_MAXMODE)
-                pr_info("invalid or unknown mode %u\n", info->mode);
                return -EINVAL;
-        }
+        if (info->mode != IP6T_HL_SET && info->hop_limit == 0)
-        if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
-                pr_info("increment/decrement does not "
-                        "make sense with value 0\n");
                return -EINVAL;
-        }
        return 0;
 }
diff --git a/net/netfilter/xt_HMARK.c b/net/netfilter/xt_HMARK.c
index 60e6dbe12460..9c75f419cd80 100644
--- a/net/netfilter/xt_HMARK.c
+++ b/net/netfilter/xt_HMARK.c
@@ -9,6 +9,8 @@
 * the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/icmp.h>
@@ -312,29 +314,30 @@ hmark_tg_v4(struct sk_buff *skb, const struct xt_action_param *par)
 static int hmark_tg_check(const struct xt_tgchk_param *par)
 {
        const struct xt_hmark_info *info = par->targinfo;
+        const char *errmsg = "proto mask must be zero with L3 mode";
-        if (!info->hmodulus) {
+        if (!info->hmodulus)
-                pr_info("xt_HMARK: hash modulus can't be zero\n");
                return -EINVAL;
-        }
        if (info->proto_mask &&
-            (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))) {
+            (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3)))
-                pr_info("xt_HMARK: proto mask must be zero with L3 mode\n");
+                goto err;
-                return -EINVAL;
-        }
        if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK) &&
            (info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT_MASK) |
-                             XT_HMARK_FLAG(XT_HMARK_DPORT_MASK)))) {
+                             XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))))
-                pr_info("xt_HMARK: spi-mask and port-mask can't be combined\n");
                return -EINVAL;
-        }
        if (info->flags & XT_HMARK_FLAG(XT_HMARK_SPI) &&
            (info->flags & (XT_HMARK_FLAG(XT_HMARK_SPORT) |
                             XT_HMARK_FLAG(XT_HMARK_DPORT)))) {
-                pr_info("xt_HMARK: spi-set and port-set can't be combined\n");
+                errmsg = "spi-set and port-set can't be combined";
-                return -EINVAL;
+                goto err;
        }
        return 0;
+err:
+        pr_info_ratelimited("%s\n", errmsg);
+        return -EINVAL;
 }
 static struct xt_target hmark_tg_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index 6c2482b709b1..1ac6600bfafd 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -146,11 +146,11 @@ static int idletimer_tg_create(struct idletimer_tg_info *info)
        timer_setup(&info->timer->timer, idletimer_tg_expired, 0);
        info->timer->refcnt = 1;
+        INIT_WORK(&info->timer->work, idletimer_tg_work);
        mod_timer(&info->timer->timer,
                  msecs_to_jiffies(info->timeout * 1000) + jiffies);
-        INIT_WORK(&info->timer->work, idletimer_tg_work);
        return 0;
 out_free_attr:
@@ -191,7 +191,10 @@ static int idletimer_tg_checkentry(const struct xt_tgchk_param *par)
                pr_debug("timeout value is zero\n");
                return -EINVAL;
        }
+        if (info->timeout >= INT_MAX / 1000) {
+                pr_debug("timeout value is too big\n");
+                return -EINVAL;
+        }
        if (info->label[0] == '\0' ||
            strnlen(info->label,
                    MAX_IDLETIMER_LABEL_SIZE) == MAX_IDLETIMER_LABEL_SIZE) {
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 1dcad893df78..19846445504d 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -111,10 +111,8 @@ static int led_tg_check(const struct xt_tgchk_param *par)
        struct xt_led_info_internal *ledinternal;
        int err;
-        if (ledinfo->id[0] == '\0') {
+        if (ledinfo->id[0] == '\0')
-                pr_info("No 'id' parameter given.\n");
                return -EINVAL;
-        }
        mutex_lock(&xt_led_mutex);
@@ -138,13 +136,14 @@ static int led_tg_check(const struct xt_tgchk_param *par)
        err = led_trigger_register(&ledinternal->netfilter_led_trigger);
        if (err) {
-                pr_err("Trigger name is already in use.\n");
+                pr_info_ratelimited("Trigger name is already in use.\n");
                goto exit_alloc;
        }
-        /* See if we need to set up a timer */
+        /* Since the letinternal timer can be shared between multiple targets,
-        if (ledinfo->delay > 0)
+         * always set it up, even if the current target does not need it
-                timer_setup(&ledinternal->timer, led_timeout_callback, 0);
+         */
+        timer_setup(&ledinternal->timer, led_timeout_callback, 0);
        list_add_tail(&ledinternal->list, &xt_led_triggers);
@@ -181,8 +180,7 @@ static void led_tg_destroy(const struct xt_tgdtor_param *par)
        list_del(&ledinternal->list);
-        if (ledinfo->delay > 0)
+        del_timer_sync(&ledinternal->timer);
-                del_timer_sync(&ledinternal->timer);
        led_trigger_unregister(&ledinternal->netfilter_led_trigger);
diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index a360b99a958a..a9aca80a32ae 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -8,6 +8,8 @@
 *
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
@@ -67,13 +69,13 @@ static int nfqueue_tg_check(const struct xt_tgchk_param *par)
        init_hashrandom(&jhash_initval);
        if (info->queues_total == 0) {
-                pr_err("NFQUEUE: number of total queues is 0\n");
+                pr_info_ratelimited("number of total queues is 0\n");
                return -EINVAL;
        }
        maxid = info->queues_total - 1 + info->queuenum;
        if (maxid > 0xffff) {
-                pr_err("NFQUEUE: number of queues (%u) out of range (got %u)\n",
+                pr_info_ratelimited("number of queues (%u) out of range (got %u)\n",
-                       info->queues_total, maxid);
+                                    info->queues_total, maxid);
                return -ERANGE;
        }
        if (par->target->revision == 2 && info->flags > 1)
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 9faf5e050b79..4ad5fe27e08b 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -60,18 +60,20 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
                                       &info->secid);
        if (err) {
                if (err == -EINVAL)
-                        pr_info("invalid security context \'%s\'\n", info->secctx);
+                        pr_info_ratelimited("invalid security context \'%s\'\n",
+                                            info->secctx);
                return err;
        }
        if (!info->secid) {
-                pr_info("unable to map security context \'%s\'\n", info->secctx);
+                pr_info_ratelimited("unable to map security context \'%s\'\n",
+                                    info->secctx);
                return -ENOENT;
        }
        err = security_secmark_relabel_packet(info->secid);
        if (err) {
-                pr_info("unable to obtain relabeling permission\n");
+                pr_info_ratelimited("unable to obtain relabeling permission\n");
                return err;
        }
@@ -86,14 +88,14 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
        if (strcmp(par->table, "mangle") != 0 &&
            strcmp(par->table, "security") != 0) {
-                pr_info("target only valid in the \'mangle\' "
+                pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
-                        "or \'security\' tables, not \'%s\'.\n", par->table);
+                                    par->table);
                return -EINVAL;
        }
        if (mode && mode != info->mode) {
-                pr_info("mode already set to %hu cannot mix with "
+                pr_info_ratelimited("mode already set to %hu cannot mix with rules for mode %hu\n",
-                        "rules for mode %hu\n", mode, info->mode);
+                                    mode, info->mode);
                return -EINVAL;
        }
@@ -101,7 +103,7 @@ static int secmark_tg_check(const struct xt_tgchk_param *par)
        case SECMARK_MODE_SEL:
                break;
        default:
-                pr_info("invalid mode: %hu\n", info->mode);
+                pr_info_ratelimited("invalid mode: %hu\n", info->mode);
                return -EINVAL;
        }
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 99bb8e410f22..98efb202f8b4 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -273,8 +273,7 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
            (par->hook_mask & ~((1 << NF_INET_FORWARD) |
                           (1 << NF_INET_LOCAL_OUT) |
                           (1 << NF_INET_POST_ROUTING))) != 0) {
-                pr_info("path-MTU clamping only supported in "
+                pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
-                        "FORWARD, OUTPUT and POSTROUTING hooks\n");
                return -EINVAL;
        }
        if (par->nft_compat)
@@ -283,7 +282,7 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
        xt_ematch_foreach(ematch, e)
                if (find_syn_match(ematch))
                        return 0;
-        pr_info("Only works on TCP SYN packets\n");
+        pr_info_ratelimited("Only works on TCP SYN packets\n");
        return -EINVAL;
 }
@@ -298,8 +297,7 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
            (par->hook_mask & ~((1 << NF_INET_FORWARD) |
                           (1 << NF_INET_LOCAL_OUT) |
                           (1 << NF_INET_POST_ROUTING))) != 0) {
-                pr_info("path-MTU clamping only supported in "
+                pr_info_ratelimited("path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks\n");
-                        "FORWARD, OUTPUT and POSTROUTING hooks\n");
                return -EINVAL;
        }
        if (par->nft_compat)
@@ -308,7 +306,7 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
        xt_ematch_foreach(ematch, e)
                if (find_syn_match(ematch))
                        return 0;
-        pr_info("Only works on TCP SYN packets\n");
+        pr_info_ratelimited("Only works on TCP SYN packets\n");
        return -EINVAL;
 }
 #endif
diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
index 17d7705e3bd4..8c89323c06af 100644
--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -540,8 +540,7 @@ static int tproxy_tg6_check(const struct xt_tgchk_param *par)
            !(i->invflags & IP6T_INV_PROTO))
                return 0;
-        pr_info("Can be used only in combination with "
+        pr_info_ratelimited("Can be used only with -p tcp or -p udp\n");
-                "either -p tcp or -p udp\n");
        return -EINVAL;
 }
 #endif
@@ -559,8 +558,7 @@ static int tproxy_tg4_check(const struct xt_tgchk_param *par)
            && !(i->invflags & IPT_INV_PROTO))
                return 0;
-        pr_info("Can be used only in combination with "
+        pr_info_ratelimited("Can be used only with -p tcp or -p udp\n");
-                "either -p tcp or -p udp\n");
        return -EINVAL;
 }
diff --git a/net/netfilter/xt_addrtype.c b/net/netfilter/xt_addrtype.c
index 911a7c0da504..89e281b3bfc2 100644
--- a/net/netfilter/xt_addrtype.c
+++ b/net/netfilter/xt_addrtype.c
@@ -164,48 +164,47 @@ addrtype_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
 static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
 {
+        const char *errmsg = "both incoming and outgoing interface limitation cannot be selected";
        struct xt_addrtype_info_v1 *info = par->matchinfo;
        if (info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN &&
-            info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
+            info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT)
-                pr_info("both incoming and outgoing "
+                goto err;
-                        "interface limitation cannot be selected\n");
-                return -EINVAL;
-        }
        if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
            (1 << NF_INET_LOCAL_IN)) &&
            info->flags & XT_ADDRTYPE_LIMIT_IFACE_OUT) {
-                pr_info("output interface limitation "
+                errmsg = "output interface limitation not valid in PREROUTING and INPUT";
-                        "not valid in PREROUTING and INPUT\n");
+                goto err;
-                return -EINVAL;
        }
        if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
            (1 << NF_INET_LOCAL_OUT)) &&
            info->flags & XT_ADDRTYPE_LIMIT_IFACE_IN) {
-                pr_info("input interface limitation "
+                errmsg = "input interface limitation not valid in POSTROUTING and OUTPUT";
-                        "not valid in POSTROUTING and OUTPUT\n");
+                goto err;
-                return -EINVAL;
        }
 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
        if (par->family == NFPROTO_IPV6) {
                if ((info->source | info->dest) & XT_ADDRTYPE_BLACKHOLE) {
-                        pr_err("ipv6 BLACKHOLE matching not supported\n");
+                        errmsg = "ipv6 BLACKHOLE matching not supported";
-                        return -EINVAL;
+                        goto err;
                }
                if ((info->source | info->dest) >= XT_ADDRTYPE_PROHIBIT) {
-                        pr_err("ipv6 PROHIBIT (THROW, NAT ..) matching not supported\n");
+                        errmsg = "ipv6 PROHIBIT (THROW, NAT ..) matching not supported";
-                        return -EINVAL;
+                        goto err;
                }
                if ((info->source | info->dest) & XT_ADDRTYPE_BROADCAST) {
-                        pr_err("ipv6 does not support BROADCAST matching\n");
+                        errmsg = "ipv6 does not support BROADCAST matching";
-                        return -EINVAL;
+                        goto err;
                }
        }
 #endif
        return 0;
+err:
+        pr_info_ratelimited("%s\n", errmsg);
+        return -EINVAL;
 }
 static struct xt_match addrtype_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
index 06b090d8e901..a2cf8a6236d6 100644
--- a/net/netfilter/xt_bpf.c
+++ b/net/netfilter/xt_bpf.c
@@ -7,6 +7,8 @@
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/syscalls.h>
 #include <linux/skbuff.h>
@@ -34,7 +36,7 @@ static int __bpf_mt_check_bytecode(struct sock_filter *insns, __u16 len,
        program.filter = insns;
        if (bpf_prog_create(ret, &program)) {
-                pr_info("bpf: check failed: parse error\n");
+                pr_info_ratelimited("check failed: parse error\n");
                return -EINVAL;
        }
diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index 891f4e7e8ea7..7df2dece57d3 100644
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -12,6 +12,8 @@
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/skbuff.h>
 #include <linux/module.h>
 #include <linux/netfilter/x_tables.h>
@@ -48,7 +50,7 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
        }
        if (info->has_path && info->has_classid) {
-                pr_info("xt_cgroup: both path and classid specified\n");
+                pr_info_ratelimited("path and classid specified\n");
                return -EINVAL;
        }
@@ -56,8 +58,8 @@ static int cgroup_mt_check_v1(const struct xt_mtchk_param *par)
        if (info->has_path) {
                cgrp = cgroup_get_from_path(info->path);
                if (IS_ERR(cgrp)) {
-                        pr_info("xt_cgroup: invalid path, errno=%ld\n",
+                        pr_info_ratelimited("invalid path, errno=%ld\n",
-                                PTR_ERR(cgrp));
+                                            PTR_ERR(cgrp));
                        return -EINVAL;
                }
                info->priv = cgrp;
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index 57ef175dfbfa..0068688995c8 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -135,14 +135,12 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
        struct xt_cluster_match_info *info = par->matchinfo;
        if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
-                pr_info("you have exceeded the maximum "
+                pr_info_ratelimited("you have exceeded the maximum number of cluster nodes (%u > %u)\n",
-                        "number of cluster nodes (%u > %u)\n",
+                                    info->total_nodes, XT_CLUSTER_NODES_MAX);
-                        info->total_nodes, XT_CLUSTER_NODES_MAX);
                return -EINVAL;
        }
        if (info->node_mask >= (1ULL << info->total_nodes)) {
-                pr_info("this node mask cannot be "
+                pr_info_ratelimited("node mask cannot exceed total number of nodes\n");
-                        "higher than the total number of nodes\n");
                return -EDOM;
        }
        return 0;
diff --git a/net/netfilter/xt_connbytes.c b/net/netfilter/xt_connbytes.c
index cad0b7b5eb35..93cb018c3055 100644
--- a/net/netfilter/xt_connbytes.c
+++ b/net/netfilter/xt_connbytes.c
@@ -112,8 +112,8 @@ static int connbytes_mt_check(const struct xt_mtchk_param *par)
        ret = nf_ct_netns_get(par->net, par->family);
        if (ret < 0)
-                pr_info("cannot load conntrack support for proto=%u\n",
+                pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
-                        par->family);
+                                    par->family);
        /*
         * This filter cannot function correctly unless connection tracking
diff --git a/net/netfilter/xt_connlabel.c b/net/netfilter/xt_connlabel.c
index 23372879e6e3..4fa4efd24353 100644
--- a/net/netfilter/xt_connlabel.c
+++ b/net/netfilter/xt_connlabel.c
@@ -57,14 +57,15 @@ static int connlabel_mt_check(const struct xt_mtchk_param *par)
        int ret;
        if (info->options & ~options) {
-                pr_err("Unknown options in mask %x\n", info->options);
+                pr_info_ratelimited("Unknown options in mask %x\n",
+                                    info->options);
                return -EINVAL;
        }
        ret = nf_ct_netns_get(par->net, par->family);
        if (ret < 0) {
-                pr_info("cannot load conntrack support for proto=%u\n",
+                pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
-                                                        par->family);
+                                    par->family);
                return ret;
        }
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index ec377cc6a369..809639ce6f5a 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -79,8 +79,8 @@ static int connmark_tg_check(const struct xt_tgchk_param *par)
        ret = nf_ct_netns_get(par->net, par->family);
        if (ret < 0)
-                pr_info("cannot load conntrack support for proto=%u\n",
+                pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
-                        par->family);
+                                    par->family);
        return ret;
 }
@@ -109,8 +109,8 @@ static int connmark_mt_check(const struct xt_mtchk_param *par)
        ret = nf_ct_netns_get(par->net, par->family);
        if (ret < 0)
-                pr_info("cannot load conntrack support for proto=%u\n",
+                pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
-                        par->family);
+                                    par->family);
        return ret;
 }
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 39cf1d019240..df80fe7d391c 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -272,8 +272,8 @@ static int conntrack_mt_check(const struct xt_mtchk_param *par)
        ret = nf_ct_netns_get(par->net, par->family);
        if (ret < 0)
-                pr_info("cannot load conntrack support for proto=%u\n",
+                pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
-                        par->family);
+                                    par->family);
        return ret;
 }
diff --git a/net/netfilter/xt_dscp.c b/net/netfilter/xt_dscp.c
index 236ac8008909..a4c2b862f820 100644
--- a/net/netfilter/xt_dscp.c
+++ b/net/netfilter/xt_dscp.c
@@ -46,10 +46,8 @@ static int dscp_mt_check(const struct xt_mtchk_param *par)
 {
        const struct xt_dscp_info *info = par->matchinfo;
-        if (info->dscp > XT_DSCP_MAX) {
+        if (info->dscp > XT_DSCP_MAX)
-                pr_info("dscp %x out of range\n", info->dscp);
                return -EDOM;
-        }
        return 0;
 }
diff --git a/net/netfilter/xt_ecn.c b/net/netfilter/xt_ecn.c
index 3c831a8efebc..c7ad4afa5fb8 100644
--- a/net/netfilter/xt_ecn.c
+++ b/net/netfilter/xt_ecn.c
@@ -97,7 +97,7 @@ static int ecn_mt_check4(const struct xt_mtchk_param *par)
        if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
            (ip->proto != IPPROTO_TCP || ip->invflags & IPT_INV_PROTO)) {
-                pr_info("cannot match TCP bits in rule for non-tcp packets\n");
+                pr_info_ratelimited("cannot match TCP bits for non-tcp packets\n");
                return -EINVAL;
        }
@@ -139,7 +139,7 @@ static int ecn_mt_check6(const struct xt_mtchk_param *par)
        if (info->operation & (XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR) &&
            (ip->proto != IPPROTO_TCP || ip->invflags & IP6T_INV_PROTO)) {
-                pr_info("cannot match TCP bits in rule for non-tcp packets\n");
+                pr_info_ratelimited("cannot match TCP bits for non-tcp packets\n");
                return -EINVAL;
        }
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index ca6847403ca2..3360f13dc208 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -523,7 +523,8 @@ static u64 user2rate(u64 user)
        if (user != 0) {
                return div64_u64(XT_HASHLIMIT_SCALE_v2, user);
        } else {
-                pr_warn("invalid rate from userspace: %llu\n", user);
+                pr_info_ratelimited("invalid rate from userspace: %llu\n",
+                                    user);
                return 0;
        }
 }
@@ -774,7 +775,7 @@ hashlimit_mt_common(const struct sk_buff *skb, struct xt_action_param *par,
                if (!dh->rateinfo.prev_window &&
                    (dh->rateinfo.current_rate <= dh->rateinfo.burst)) {
                        spin_unlock(&dh->lock);
-                        rcu_read_unlock_bh();
+                        local_bh_enable();
                        return !(cfg->mode & XT_HASHLIMIT_INVERT);
                } else {
                        goto overlimit;
@@ -865,33 +866,34 @@ static int hashlimit_mt_check_common(const struct xt_mtchk_param *par,
        }
        if (cfg->mode & ~XT_HASHLIMIT_ALL) {
-                pr_info("Unknown mode mask %X, kernel too old?\n",
+                pr_info_ratelimited("Unknown mode mask %X, kernel too old?\n",
-                                                cfg->mode);
+                                    cfg->mode);
                return -EINVAL;
        }
        /* Check for overflow. */
        if (revision >= 3 && cfg->mode & XT_HASHLIMIT_RATE_MATCH) {
                if (cfg->avg == 0 || cfg->avg > U32_MAX) {
-                        pr_info("hashlimit invalid rate\n");
+                        pr_info_ratelimited("invalid rate\n");
                        return -ERANGE;
                }
                if (cfg->interval == 0) {
-                        pr_info("hashlimit invalid interval\n");
+                        pr_info_ratelimited("invalid interval\n");
                        return -EINVAL;
                }
        } else if (cfg->mode & XT_HASHLIMIT_BYTES) {
                if (user2credits_byte(cfg->avg) == 0) {
-                        pr_info("overflow, rate too high: %llu\n", cfg->avg);
+                        pr_info_ratelimited("overflow, rate too high: %llu\n",
+                                            cfg->avg);
                        return -EINVAL;
                }
        } else if (cfg->burst == 0 ||
-                    user2credits(cfg->avg * cfg->burst, revision) <
+                   user2credits(cfg->avg * cfg->burst, revision) <
-                    user2credits(cfg->avg, revision)) {
+                   user2credits(cfg->avg, revision)) {
-                        pr_info("overflow, try lower: %llu/%llu\n",
+                pr_info_ratelimited("overflow, try lower: %llu/%llu\n",
-                                cfg->avg, cfg->burst);
+                                    cfg->avg, cfg->burst);
-                        return -ERANGE;
+                return -ERANGE;
        }
        mutex_lock(&hashlimit_mutex);
@@ -915,8 +917,9 @@ static int hashlimit_mt_check_v1(const struct xt_mtchk_param *par)
        struct hashlimit_cfg3 cfg = {};
        int ret;
-        if (info->name[sizeof(info->name) - 1] != '\0')
+        ret = xt_check_proc_name(info->name, sizeof(info->name));
-                return -EINVAL;
+        if (ret)
+                return ret;
        ret = cfg_copy(&cfg, (void *)&info->cfg, 1);
@@ -933,8 +936,9 @@ static int hashlimit_mt_check_v2(const struct xt_mtchk_param *par)
        struct hashlimit_cfg3 cfg = {};
        int ret;
-        if (info->name[sizeof(info->name) - 1] != '\0')
+        ret = xt_check_proc_name(info->name, sizeof(info->name));
-                return -EINVAL;
+        if (ret)
+                return ret;
        ret = cfg_copy(&cfg, (void *)&info->cfg, 2);
@@ -948,9 +952,11 @@ static int hashlimit_mt_check_v2(const struct xt_mtchk_param *par)
 static int hashlimit_mt_check(const struct xt_mtchk_param *par)
 {
        struct xt_hashlimit_mtinfo3 *info = par->matchinfo;
+        int ret;
-        if (info->name[sizeof(info->name) - 1] != '\0')
+        ret = xt_check_proc_name(info->name, sizeof(info->name));
-                return -EINVAL;
+        if (ret)
+                return ret;
        return hashlimit_mt_check_common(par, &info->hinfo, &info->cfg,
                                         info->name, 3);
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 38a78151c0e9..fd077aeaaed9 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -61,8 +61,8 @@ static int helper_mt_check(const struct xt_mtchk_param *par)
        ret = nf_ct_netns_get(par->net, par->family);
        if (ret < 0) {
-                pr_info("cannot load conntrack support for proto=%u\n",
+                pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
-                        par->family);
+                                    par->family);
                return ret;
        }
        info->name[sizeof(info->name) - 1] = '\0';
diff --git a/net/netfilter/xt_ipcomp.c b/net/netfilter/xt_ipcomp.c
index 7ca64a50db04..57f1df575701 100644
--- a/net/netfilter/xt_ipcomp.c
+++ b/net/netfilter/xt_ipcomp.c
@@ -72,7 +72,7 @@ static int comp_mt_check(const struct xt_mtchk_param *par)
        /* Must specify no unknown invflags */
        if (compinfo->invflags & ~XT_IPCOMP_INV_MASK) {
-                pr_err("unknown flags %X\n", compinfo->invflags);
+                pr_info_ratelimited("unknown flags %X\n", compinfo->invflags);
                return -EINVAL;
        }
        return 0;
diff --git a/net/netfilter/xt_ipvs.c b/net/netfilter/xt_ipvs.c
index 42540d26c2b8..1d950a6100af 100644
--- a/net/netfilter/xt_ipvs.c
+++ b/net/netfilter/xt_ipvs.c
@@ -158,7 +158,8 @@ static int ipvs_mt_check(const struct xt_mtchk_param *par)
            && par->family != NFPROTO_IPV6
 #endif
                ) {
-                pr_info("protocol family %u not supported\n", par->family);
+                pr_info_ratelimited("protocol family %u not supported\n",
+                                    par->family);
                return -EINVAL;
        }
diff --git a/net/netfilter/xt_l2tp.c b/net/netfilter/xt_l2tp.c
index 8aee572771f2..c43482bf48e6 100644
--- a/net/netfilter/xt_l2tp.c
+++ b/net/netfilter/xt_l2tp.c
@@ -216,7 +216,7 @@ static int l2tp_mt_check(const struct xt_mtchk_param *par)
        /* Check for invalid flags */
        if (info->flags & ~(XT_L2TP_TID | XT_L2TP_SID | XT_L2TP_VERSION |
                            XT_L2TP_TYPE)) {
-                pr_info("unknown flags: %x\n", info->flags);
+                pr_info_ratelimited("unknown flags: %x\n", info->flags);
                return -EINVAL;
        }
@@ -225,7 +225,8 @@ static int l2tp_mt_check(const struct xt_mtchk_param *par)
            (!(info->flags & XT_L2TP_SID)) &&
            ((!(info->flags & XT_L2TP_TYPE)) ||
             (info->type != XT_L2TP_TYPE_CONTROL))) {
-                pr_info("invalid flags combination: %x\n", info->flags);
+                pr_info_ratelimited("invalid flags combination: %x\n",
+                                    info->flags);
                return -EINVAL;
        }
@@ -234,19 +235,22 @@ static int l2tp_mt_check(const struct xt_mtchk_param *par)
         */
        if (info->flags & XT_L2TP_VERSION) {
                if ((info->version < 2) || (info->version > 3)) {
-                        pr_info("wrong L2TP version: %u\n", info->version);
+                        pr_info_ratelimited("wrong L2TP version: %u\n",
+                                            info->version);
                        return -EINVAL;
                }
                if (info->version == 2) {
                        if ((info->flags & XT_L2TP_TID) &&
                            (info->tid > 0xffff)) {
-                                pr_info("v2 tid > 0xffff: %u\n", info->tid);
+                                pr_info_ratelimited("v2 tid > 0xffff: %u\n",
+                                                    info->tid);
                                return -EINVAL;
                        }
                        if ((info->flags & XT_L2TP_SID) &&
                            (info->sid > 0xffff)) {
-                                pr_info("v2 sid > 0xffff: %u\n", info->sid);
+                                pr_info_ratelimited("v2 sid > 0xffff: %u\n",
+                                                    info->sid);
                                return -EINVAL;
                        }
                }
@@ -268,13 +272,13 @@ static int l2tp_mt_check4(const struct xt_mtchk_param *par)
        if ((ip->proto != IPPROTO_UDP) &&
            (ip->proto != IPPROTO_L2TP)) {
-                pr_info("missing protocol rule (udp|l2tpip)\n");
+                pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n");
                return -EINVAL;
        }
        if ((ip->proto == IPPROTO_L2TP) &&
            (info->version == 2)) {
-                pr_info("v2 doesn't support IP mode\n");
+                pr_info_ratelimited("v2 doesn't support IP mode\n");
                return -EINVAL;
        }
@@ -295,13 +299,13 @@ static int l2tp_mt_check6(const struct xt_mtchk_param *par)
        if ((ip->proto != IPPROTO_UDP) &&
            (ip->proto != IPPROTO_L2TP)) {
-                pr_info("missing protocol rule (udp|l2tpip)\n");
+                pr_info_ratelimited("missing protocol rule (udp|l2tpip)\n");
                return -EINVAL;
        }
        if ((ip->proto == IPPROTO_L2TP) &&
            (info->version == 2)) {
-                pr_info("v2 doesn't support IP mode\n");
+                pr_info_ratelimited("v2 doesn't support IP mode\n");
                return -EINVAL;
        }
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index 61403b77361c..55d18cd67635 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -106,8 +106,8 @@ static int limit_mt_check(const struct xt_mtchk_param *par)
        /* Check for overflow. */
        if (r->burst == 0
            || user2credits(r->avg * r->burst) < user2credits(r->avg)) {
-                pr_info("Overflow, try lower: %u/%u\n",
+                pr_info_ratelimited("Overflow, try lower: %u/%u\n",
-                        r->avg, r->burst);
+                                    r->avg, r->burst);
                return -ERANGE;
        }
diff --git a/net/netfilter/xt_nat.c b/net/netfilter/xt_nat.c
index 0fd14d1eb09d..bdb689cdc829 100644
--- a/net/netfilter/xt_nat.c
+++ b/net/netfilter/xt_nat.c
@@ -8,6 +8,8 @@
 * published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/netfilter.h>
@@ -19,8 +21,7 @@ static int xt_nat_checkentry_v0(const struct xt_tgchk_param *par)
        const struct nf_nat_ipv4_multi_range_compat *mr = par->targinfo;
        if (mr->rangesize != 1) {
-                pr_info("%s: multiple ranges no longer supported\n",
+                pr_info_ratelimited("multiple ranges no longer supported\n");
-                        par->target->name);
                return -EINVAL;
        }
        return nf_ct_netns_get(par->net, par->family);
diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c
index 6f92d25590a8..c8674deed4eb 100644
--- a/net/netfilter/xt_nfacct.c
+++ b/net/netfilter/xt_nfacct.c
@@ -6,6 +6,8 @@
 * it under the terms of the GNU General Public License version 2 (or any
 * later at your option) as published by the Free Software Foundation.
 */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
@@ -39,8 +41,8 @@ nfacct_mt_checkentry(const struct xt_mtchk_param *par)
        nfacct = nfnl_acct_find_get(par->net, info->name);
        if (nfacct == NULL) {
-                pr_info("xt_nfacct: accounting object with name `%s' "
+                pr_info_ratelimited("accounting object `%s' does not exists\n",
-                        "does not exists\n", info->name);
+                                    info->name);
                return -ENOENT;
        }
        info->nfacct = nfacct;
diff --git a/net/netfilter/xt_physdev.c b/net/netfilter/xt_physdev.c
index bb33598e4530..9d6d67b953ac 100644
--- a/net/netfilter/xt_physdev.c
+++ b/net/netfilter/xt_physdev.c
@@ -107,9 +107,7 @@ static int physdev_mt_check(const struct xt_mtchk_param *par)
             info->invert & XT_PHYSDEV_OP_BRIDGED) &&
            par->hook_mask & ((1 << NF_INET_LOCAL_OUT) |
            (1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) {
-                pr_info("using --physdev-out and --physdev-is-out are only "
+                pr_info_ratelimited("--physdev-out and --physdev-is-out only supported in the FORWARD and POSTROUTING chains with bridged traffic\n");
-                        "supported in the FORWARD and POSTROUTING chains with "
-                        "bridged traffic.\n");
                if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
                        return -EINVAL;
        }
diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 5639fb03bdd9..13f8ccf946d6 100644
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -132,26 +132,29 @@ policy_mt(const struct sk_buff *skb, struct xt_action_param *par)
 static int policy_mt_check(const struct xt_mtchk_param *par)
 {
        const struct xt_policy_info *info = par->matchinfo;
+        const char *errmsg = "neither incoming nor outgoing policy selected";
+        if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT)))
+                goto err;
-        if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
-                pr_info("neither incoming nor outgoing policy selected\n");
-                return -EINVAL;
-        }
        if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
            (1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) {
-                pr_info("output policy not valid in PREROUTING and INPUT\n");
+                errmsg = "output policy not valid in PREROUTING and INPUT";
-                return -EINVAL;
+                goto err;
        }
        if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
            (1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) {
-                pr_info("input policy not valid in POSTROUTING and OUTPUT\n");
+                errmsg = "input policy not valid in POSTROUTING and OUTPUT";
-                return -EINVAL;
+                goto err;
        }
        if (info->len > XT_POLICY_MAX_ELEM) {
-                pr_info("too many policy elements\n");
+                errmsg = "too many policy elements";
-                return -EINVAL;
+                goto err;
        }
        return 0;
+err:
+        pr_info_ratelimited("%s\n", errmsg);
+        return -EINVAL;
 }
 static struct xt_match policy_mt_reg[] __read_mostly = {
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 245fa350a7a8..81ee1d6543b2 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -342,8 +342,8 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
        net_get_random_once(&hash_rnd, sizeof(hash_rnd));
        if (info->check_set & ~XT_RECENT_VALID_FLAGS) {
-                pr_info("Unsupported user space flags (%08x)\n",
+                pr_info_ratelimited("Unsupported userspace flags (%08x)\n",
-                        info->check_set);
+                                    info->check_set);
                return -EINVAL;
        }
        if (hweight8(info->check_set &
@@ -357,13 +357,13 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
        if ((info->check_set & XT_RECENT_REAP) && !info->seconds)
                return -EINVAL;
        if (info->hit_count >= XT_RECENT_MAX_NSTAMPS) {
-                pr_info("hitcount (%u) is larger than allowed maximum (%u)\n",
+                pr_info_ratelimited("hitcount (%u) is larger than allowed maximum (%u)\n",
-                        info->hit_count, XT_RECENT_MAX_NSTAMPS - 1);
+                                    info->hit_count, XT_RECENT_MAX_NSTAMPS - 1);
                return -EINVAL;
        }
-        if (info->name[0] == '\0' ||
+        ret = xt_check_proc_name(info->name, sizeof(info->name));
-            strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
+        if (ret)
-                return -EINVAL;
+                return ret;
        if (ip_pkt_list_tot && info->hit_count < ip_pkt_list_tot)
                nstamp_mask = roundup_pow_of_two(ip_pkt_list_tot) - 1;
@@ -587,7 +587,7 @@ recent_mt_proc_write(struct file *file, const char __user *input,
                add = true;
                break;
        default:
-                pr_info("Need \"+ip\", \"-ip\" or \"/\"\n");
+                pr_info_ratelimited("Need \"+ip\", \"-ip\" or \"/\"\n");
                return -EINVAL;
        }
@@ -601,10 +601,8 @@ recent_mt_proc_write(struct file *file, const char __user *input,
                succ   = in4_pton(c, size, (void *)&addr, '\n', NULL);
        }
-        if (!succ) {
+        if (!succ)
-                pr_info("illegal address written to procfs\n");
                return -EINVAL;
-        }
        spin_lock_bh(&recent_lock);
        e = recent_entry_lookup(t, &addr, family, 0);
diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 16b6b11ee83f..6f4c5217d835 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -92,12 +92,12 @@ set_match_v0_checkentry(const struct xt_mtchk_param *par)
        index = ip_set_nfnl_get_byindex(par->net, info->match_set.index);
        if (index == IPSET_INVALID_ID) {
-                pr_warn("Cannot find set identified by id %u to match\n",
+                pr_info_ratelimited("Cannot find set identified by id %u to match\n",
-                        info->match_set.index);
+                                    info->match_set.index);
                return -ENOENT;
        }
        if (info->match_set.u.flags[IPSET_DIM_MAX - 1] != 0) {
-                pr_warn("Protocol error: set match dimension is over the limit!\n");
+                pr_info_ratelimited("set match dimension is over the limit!\n");
                ip_set_nfnl_put(par->net, info->match_set.index);
                return -ERANGE;
        }
@@ -143,12 +143,12 @@ set_match_v1_checkentry(const struct xt_mtchk_param *par)
        index = ip_set_nfnl_get_byindex(par->net, info->match_set.index);
        if (index == IPSET_INVALID_ID) {
-                pr_warn("Cannot find set identified by id %u to match\n",
+                pr_info_ratelimited("Cannot find set identified by id %u to match\n",
-                        info->match_set.index);
+                                    info->match_set.index);
                return -ENOENT;
        }
        if (info->match_set.dim > IPSET_DIM_MAX) {
-                pr_warn("Protocol error: set match dimension is over the limit!\n");
+                pr_info_ratelimited("set match dimension is over the limit!\n");
                ip_set_nfnl_put(par->net, info->match_set.index);
                return -ERANGE;
        }
@@ -241,8 +241,8 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
        if (info->add_set.index != IPSET_INVALID_ID) {
                index = ip_set_nfnl_get_byindex(par->net, info->add_set.index);
                if (index == IPSET_INVALID_ID) {
-                        pr_warn("Cannot find add_set index %u as target\n",
+                        pr_info_ratelimited("Cannot find add_set index %u as target\n",
-                                info->add_set.index);
+                                            info->add_set.index);
                        return -ENOENT;
                }
        }
@@ -250,8 +250,8 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
        if (info->del_set.index != IPSET_INVALID_ID) {
                index = ip_set_nfnl_get_byindex(par->net, info->del_set.index);
                if (index == IPSET_INVALID_ID) {
-                        pr_warn("Cannot find del_set index %u as target\n",
+                        pr_info_ratelimited("Cannot find del_set index %u as target\n",
-                                info->del_set.index);
+                                            info->del_set.index);
                        if (info->add_set.index != IPSET_INVALID_ID)
                                ip_set_nfnl_put(par->net, info->add_set.index);
                        return -ENOENT;
@@ -259,7 +259,7 @@ set_target_v0_checkentry(const struct xt_tgchk_param *par)
        }
        if (info->add_set.u.flags[IPSET_DIM_MAX - 1] != 0 ||
            info->del_set.u.flags[IPSET_DIM_MAX - 1] != 0) {
-                pr_warn("Protocol error: SET target dimension is over the limit!\n");
+                pr_info_ratelimited("SET target dimension over the limit!\n");
                if (info->add_set.index != IPSET_INVALID_ID)
                        ip_set_nfnl_put(par->net, info->add_set.index);
                if (info->del_set.index != IPSET_INVALID_ID)
@@ -316,8 +316,8 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par)
        if (info->add_set.index != IPSET_INVALID_ID) {
                index = ip_set_nfnl_get_byindex(par->net, info->add_set.index);
                if (index == IPSET_INVALID_ID) {
-                        pr_warn("Cannot find add_set index %u as target\n",
+                        pr_info_ratelimited("Cannot find add_set index %u as target\n",
-                                info->add_set.index);
+                                            info->add_set.index);
                        return -ENOENT;
                }
        }
@@ -325,8 +325,8 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par)
        if (info->del_set.index != IPSET_INVALID_ID) {
                index = ip_set_nfnl_get_byindex(par->net, info->del_set.index);
                if (index == IPSET_INVALID_ID) {
-                        pr_warn("Cannot find del_set index %u as target\n",
+                        pr_info_ratelimited("Cannot find del_set index %u as target\n",
-                                info->del_set.index);
+                                            info->del_set.index);
                        if (info->add_set.index != IPSET_INVALID_ID)
                                ip_set_nfnl_put(par->net, info->add_set.index);
                        return -ENOENT;
@@ -334,7 +334,7 @@ set_target_v1_checkentry(const struct xt_tgchk_param *par)
        }
        if (info->add_set.dim > IPSET_DIM_MAX ||
            info->del_set.dim > IPSET_DIM_MAX) {
-                pr_warn("Protocol error: SET target dimension is over the limit!\n");
+                pr_info_ratelimited("SET target dimension over the limit!\n");
                if (info->add_set.index != IPSET_INVALID_ID)
                        ip_set_nfnl_put(par->net, info->add_set.index);
                if (info->del_set.index != IPSET_INVALID_ID)
@@ -444,8 +444,8 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par)
                index = ip_set_nfnl_get_byindex(par->net,
                                                info->add_set.index);
                if (index == IPSET_INVALID_ID) {
-                        pr_warn("Cannot find add_set index %u as target\n",
+                        pr_info_ratelimited("Cannot find add_set index %u as target\n",
-                                info->add_set.index);
+                                            info->add_set.index);
                        return -ENOENT;
                }
        }
@@ -454,8 +454,8 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par)
                index = ip_set_nfnl_get_byindex(par->net,
                                                info->del_set.index);
                if (index == IPSET_INVALID_ID) {
-                        pr_warn("Cannot find del_set index %u as target\n",
+                        pr_info_ratelimited("Cannot find del_set index %u as target\n",
-                                info->del_set.index);
+                                            info->del_set.index);
                        if (info->add_set.index != IPSET_INVALID_ID)
                                ip_set_nfnl_put(par->net,
                                                info->add_set.index);
@@ -465,7 +465,7 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par)
        if (info->map_set.index != IPSET_INVALID_ID) {
                if (strncmp(par->table, "mangle", 7)) {
-                        pr_warn("--map-set only usable from mangle table\n");
+                        pr_info_ratelimited("--map-set only usable from mangle table\n");
                        return -EINVAL;
                }
                if (((info->flags & IPSET_FLAG_MAP_SKBPRIO) |
@@ -473,14 +473,14 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par)
                     !(par->hook_mask & (1 << NF_INET_FORWARD |
                                         1 << NF_INET_LOCAL_OUT |
                                         1 << NF_INET_POST_ROUTING))) {
-                        pr_warn("mapping of prio or/and queue is allowed only from OUTPUT/FORWARD/POSTROUTING chains\n");
+                        pr_info_ratelimited("mapping of prio or/and queue is allowed only from OUTPUT/FORWARD/POSTROUTING chains\n");
                        return -EINVAL;
                }
                index = ip_set_nfnl_get_byindex(par->net,
                                                info->map_set.index);
                if (index == IPSET_INVALID_ID) {
-                        pr_warn("Cannot find map_set index %u as target\n",
+                        pr_info_ratelimited("Cannot find map_set index %u as target\n",
-                                info->map_set.index);
+                                            info->map_set.index);
                        if (info->add_set.index != IPSET_INVALID_ID)
                                ip_set_nfnl_put(par->net,
                                                info->add_set.index);
@@ -494,7 +494,7 @@ set_target_v3_checkentry(const struct xt_tgchk_param *par)
        if (info->add_set.dim > IPSET_DIM_MAX ||
            info->del_set.dim > IPSET_DIM_MAX ||
            info->map_set.dim > IPSET_DIM_MAX) {
-                pr_warn("Protocol error: SET target dimension is over the limit!\n");
+                pr_info_ratelimited("SET target dimension over the limit!\n");
                if (info->add_set.index != IPSET_INVALID_ID)
                        ip_set_nfnl_put(par->net, info->add_set.index);
                if (info->del_set.index != IPSET_INVALID_ID)
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 575d2153e3b8..2ac7f674d19b 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -171,7 +171,8 @@ static int socket_mt_v1_check(const struct xt_mtchk_param *par)
                return err;
        if (info->flags & ~XT_SOCKET_FLAGS_V1) {
-                pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V1);
+                pr_info_ratelimited("unknown flags 0x%x\n",
+                                    info->flags & ~XT_SOCKET_FLAGS_V1);
                return -EINVAL;
        }
        return 0;
@@ -187,7 +188,8 @@ static int socket_mt_v2_check(const struct xt_mtchk_param *par)
                return err;
        if (info->flags & ~XT_SOCKET_FLAGS_V2) {
-                pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V2);
+                pr_info_ratelimited("unknown flags 0x%x\n",
+                                    info->flags & ~XT_SOCKET_FLAGS_V2);
                return -EINVAL;
        }
        return 0;
@@ -203,8 +205,8 @@ static int socket_mt_v3_check(const struct xt_mtchk_param *par)
        if (err)
                return err;
        if (info->flags & ~XT_SOCKET_FLAGS_V3) {
-                pr_info("unknown flags 0x%x\n",
+                pr_info_ratelimited("unknown flags 0x%x\n",
-                        info->flags & ~XT_SOCKET_FLAGS_V3);
+                                    info->flags & ~XT_SOCKET_FLAGS_V3);
                return -EINVAL;
        }
        return 0;
diff --git a/net/netfilter/xt_state.c b/net/netfilter/xt_state.c
index 5fbd79194d21..0b41c0befe3c 100644
--- a/net/netfilter/xt_state.c
+++ b/net/netfilter/xt_state.c
@@ -44,8 +44,8 @@ static int state_mt_check(const struct xt_mtchk_param *par)
        ret = nf_ct_netns_get(par->net, par->family);
        if (ret < 0)
-                pr_info("cannot load conntrack support for proto=%u\n",
+                pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
-                        par->family);
+                                    par->family);
        return ret;
 }
diff --git a/net/netfilter/xt_time.c b/net/netfilter/xt_time.c
index 1b01eec1fbda..0160f505e337 100644
--- a/net/netfilter/xt_time.c
+++ b/net/netfilter/xt_time.c
@@ -235,13 +235,13 @@ static int time_mt_check(const struct xt_mtchk_param *par)
        if (info->daytime_start > XT_TIME_MAX_DAYTIME ||
            info->daytime_stop > XT_TIME_MAX_DAYTIME) {
-                pr_info("invalid argument - start or "
+                pr_info_ratelimited("invalid argument - start or stop time greater than 23:59:59\n");
-                        "stop time greater than 23:59:59\n");
                return -EDOM;
        }
        if (info->flags & ~XT_TIME_ALL_FLAGS) {
-                pr_info("unknown flags 0x%x\n", info->flags & ~XT_TIME_ALL_FLAGS);
+                pr_info_ratelimited("unknown flags 0x%x\n",
+                                    info->flags & ~XT_TIME_ALL_FLAGS);
                return -EINVAL;
        }
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 2ad445c1d27c..07e8478068f0 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2308,7 +2308,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
        if (cb->start) {
                ret = cb->start(cb);
                if (ret)
-                        goto error_unlock;
+                        goto error_put;
        }
        nlk->cb_running = true;
@@ -2328,6 +2328,8 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
         */
        return -EINTR;
+error_put:
+        module_put(control->module);
 error_unlock:
        sock_put(sk);
        mutex_unlock(nlk->cb_mutex);
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 6f02499ef007..b9ce82c9440f 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -1106,7 +1106,7 @@ static int genlmsg_mcast(struct sk_buff *skb, u32 portid, unsigned long group,
        if (!err)
                delivered = true;
        else if (err != -ESRCH)
-                goto error;
+                return err;
        return delivered ? 0 : -ESRCH;
 error:
        kfree_skb(skb);
diff --git a/net/nfc/llcp_commands.c b/net/nfc/llcp_commands.c
index 367d8c027101..2ceefa183cee 100644
--- a/net/nfc/llcp_commands.c
+++ b/net/nfc/llcp_commands.c
@@ -149,6 +149,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_sdreq_tlv(u8 tid, char *uri,
        pr_debug("uri: %s, len: %zu\n", uri, uri_len);
+        /* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */
+        if (WARN_ON_ONCE(uri_len > U8_MAX - 4))
+                return NULL;
        sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL);
        if (sdreq == NULL)
                return NULL;
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
index c0b83dc9d993..f018eafc2a0d 100644
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -61,7 +61,8 @@ static const struct nla_policy nfc_genl_policy[NFC_ATTR_MAX + 1] = {
 };
 static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = {
-        [NFC_SDP_ATTR_URI] = { .type = NLA_STRING },
+        [NFC_SDP_ATTR_URI] = { .type = NLA_STRING,
+                               .len = U8_MAX - 4 },
        [NFC_SDP_ATTR_SAP] = { .type = NLA_U8 },
 };
diff --git a/net/openvswitch/meter.c b/net/openvswitch/meter.c
index 04b94281a30b..b891a91577f8 100644
--- a/net/openvswitch/meter.c
+++ b/net/openvswitch/meter.c
@@ -242,14 +242,20 @@ static struct dp_meter *dp_meter_create(struct nlattr **a)
                band->type = nla_get_u32(attr[OVS_BAND_ATTR_TYPE]);
                band->rate = nla_get_u32(attr[OVS_BAND_ATTR_RATE]);
+                if (band->rate == 0) {
+                        err = -EINVAL;
+                        goto exit_free_meter;
+                }
                band->burst_size = nla_get_u32(attr[OVS_BAND_ATTR_BURST]);
                /* Figure out max delta_t that is enough to fill any bucket.
                 * Keep max_delta_t size to the bucket units:
                 * pkts => 1/1000 packets, kilobits => bits.
+                 *
+                 * Start with a full bucket.
                 */
-                band_max_delta_t = (band->burst_size + band->rate) * 1000;
+                band->bucket = (band->burst_size + band->rate) * 1000;
-                /* Start with a full bucket. */
+                band_max_delta_t = band->bucket / band->rate;
-                band->bucket = band_max_delta_t;
                if (band_max_delta_t > meter->max_delta_t)
                        meter->max_delta_t = band_max_delta_t;
                band++;
diff --git a/net/qrtr/smd.c b/net/qrtr/smd.c
index 50615d5efac1..9cf089b9754e 100644
--- a/net/qrtr/smd.c
+++ b/net/qrtr/smd.c
@@ -114,5 +114,6 @@ static struct rpmsg_driver qcom_smd_qrtr_driver = {
 module_rpmsg_driver(qcom_smd_qrtr_driver);
+MODULE_ALIAS("rpmsg:IPCRTR");
 MODULE_DESCRIPTION("Qualcomm IPC-Router SMD interface driver");
 MODULE_LICENSE("GPL v2");
diff --git a/net/rds/connection.c b/net/rds/connection.c
index 94e190febfdd..2da3176bf792 100644
--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -224,7 +224,7 @@ static struct rds_connection *__rds_conn_create(struct net *net,
        if (rds_destroy_pending(conn))
                ret = -ENETDOWN;
        else
-                ret = trans->conn_alloc(conn, gfp);
+                ret = trans->conn_alloc(conn, GFP_ATOMIC);
        if (ret) {
                rcu_read_unlock();
                kfree(conn->c_path);
diff --git a/net/rds/tcp_listen.c b/net/rds/tcp_listen.c
index c061d6eb465d..22571189f21e 100644
--- a/net/rds/tcp_listen.c
+++ b/net/rds/tcp_listen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006 Oracle.  All rights reserved.
+ * Copyright (c) 2006, 2018 Oracle.  All rights reserved.
 *
 * This software is available to you under a choice of one of two
 * licenses.  You may choose to be licensed under the terms of the GNU
@@ -142,12 +142,20 @@ int rds_tcp_accept_one(struct socket *sock)
        if (ret)
                goto out;
-        new_sock->type = sock->type;
-        new_sock->ops = sock->ops;
        ret = sock->ops->accept(sock, new_sock, O_NONBLOCK, true);
        if (ret < 0)
                goto out;
+        /* sock_create_lite() does not get a hold on the owner module so we
+         * need to do it here.  Note that sock_release() uses sock->ops to
+         * determine if it needs to decrement the reference count.  So set
+         * sock->ops after calling accept() in case that fails.  And there's
+         * no need to do try_module_get() as the listener should have a hold
+         * already.
+         */
+        new_sock->ops = sock->ops;
+        __module_get(new_sock->ops->owner);
        ret = rds_tcp_keepalive(new_sock);
        if (ret < 0)
                goto out;
diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c
index 42410e910aff..cf73dc006c3b 100644
--- a/net/rxrpc/output.c
+++ b/net/rxrpc/output.c
@@ -445,7 +445,7 @@ send_fragmentable:
                                        (char *)&opt, sizeof(opt));
                if (ret == 0) {
                        ret = kernel_sendmsg(conn->params.local->socket, &msg,
-                                             iov, 1, iov[0].iov_len);
+                                             iov, 2, len);
                        opt = IPV6_PMTUDISC_DO;
                        kernel_setsockopt(conn->params.local->socket,
diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
index cc21e8db25b0..9d45d8b56744 100644
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -517,9 +517,10 @@ try_again:
                        ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID,
                                       sizeof(unsigned int), &id32);
                } else {
+                        unsigned long idl = call->user_call_ID;
                        ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID,
-                                       sizeof(unsigned long),
+                                       sizeof(unsigned long), &idl);
-                                       &call->user_call_ID);
                }
                if (ret < 0)
                        goto error_unlock_call;
diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
index b3f2c15affa7..9d2cabf1dc7e 100644
--- a/net/sched/act_bpf.c
+++ b/net/sched/act_bpf.c
@@ -352,7 +352,7 @@ static int tcf_bpf_init(struct net *net, struct nlattr *nla,
        return res;
 out:
        if (res == ACT_P_CREATED)
-                tcf_idr_cleanup(*act, est);
+                tcf_idr_release(*act, bind);
        return ret;
 }
diff --git a/net/sched/act_csum.c b/net/sched/act_csum.c
index b7ba9b06b147..2a5c8fd860cf 100644
--- a/net/sched/act_csum.c
+++ b/net/sched/act_csum.c
@@ -350,7 +350,7 @@ static int tcf_csum_sctp(struct sk_buff *skb, unsigned int ihl,
 {
        struct sctphdr *sctph;
-        if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_SCTP)
+        if (skb_is_gso(skb) && skb_is_gso_sctp(skb))
                return 1;
        sctph = tcf_csum_skb_nextlayer(skb, ihl, ipl, sizeof(*sctph));
@@ -626,7 +626,8 @@ static void tcf_csum_cleanup(struct tc_action *a)
        struct tcf_csum_params *params;
        params = rcu_dereference_protected(p->params, 1);
-        kfree_rcu(params, rcu);
+        if (params)
+                kfree_rcu(params, rcu);
 }
 static int tcf_csum_walker(struct net *net, struct sk_buff *skb,
diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c
index 06e380ae0928..7e06b9b62613 100644
--- a/net/sched/act_ipt.c
+++ b/net/sched/act_ipt.c
@@ -80,9 +80,12 @@ static void ipt_destroy_target(struct xt_entry_target *t)
 static void tcf_ipt_release(struct tc_action *a)
 {
        struct tcf_ipt *ipt = to_ipt(a);
-        ipt_destroy_target(ipt->tcfi_t);
+        if (ipt->tcfi_t) {
+                ipt_destroy_target(ipt->tcfi_t);
+                kfree(ipt->tcfi_t);
+        }
        kfree(ipt->tcfi_tname);
-        kfree(ipt->tcfi_t);
 }
 static const struct nla_policy ipt_policy[TCA_IPT_MAX + 1] = {
@@ -187,7 +190,7 @@ err2:
        kfree(tname);
 err1:
        if (ret == ACT_P_CREATED)
-                tcf_idr_cleanup(*a, est);
+                tcf_idr_release(*a, bind);
        return err;
 }
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 349beaffb29e..fef08835f26d 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -176,7 +176,7 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
                p = to_pedit(*a);
                keys = kmalloc(ksize, GFP_KERNEL);
                if (keys == NULL) {
-                        tcf_idr_cleanup(*a, est);
+                        tcf_idr_release(*a, bind);
                        kfree(keys_ex);
                        return -ENOMEM;
                }
diff --git a/net/sched/act_police.c b/net/sched/act_police.c
index 95d3c9097b25..faebf82b99f1 100644
--- a/net/sched/act_police.c
+++ b/net/sched/act_police.c
@@ -194,7 +194,7 @@ failure:
        qdisc_put_rtab(P_tab);
        qdisc_put_rtab(R_tab);
        if (ret == ACT_P_CREATED)
-                tcf_idr_cleanup(*a, est);
+                tcf_idr_release(*a, bind);
        return err;
 }
diff --git a/net/sched/act_sample.c b/net/sched/act_sample.c
index 1ba0df238756..74c5d7e6a0fa 100644
--- a/net/sched/act_sample.c
+++ b/net/sched/act_sample.c
@@ -103,7 +103,8 @@ static void tcf_sample_cleanup(struct tc_action *a)
        psample_group = rtnl_dereference(s->psample_group);
        RCU_INIT_POINTER(s->psample_group, NULL);
-        psample_group_put(psample_group);
+        if (psample_group)
+                psample_group_put(psample_group);
 }
 static bool tcf_sample_dev_ok_push(struct net_device *dev)
diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c
index 425eac11f6da..b1f38063ada0 100644
--- a/net/sched/act_simple.c
+++ b/net/sched/act_simple.c
@@ -121,7 +121,7 @@ static int tcf_simp_init(struct net *net, struct nlattr *nla,
                d = to_defact(*a);
                ret = alloc_defdata(d, defdata);
                if (ret < 0) {
-                        tcf_idr_cleanup(*a, est);
+                        tcf_idr_release(*a, bind);
                        return ret;
                }
                d->tcf_action = parm->action;
diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c
index fa975262dbac..7b0700f52b50 100644
--- a/net/sched/act_skbmod.c
+++ b/net/sched/act_skbmod.c
@@ -152,7 +152,7 @@ static int tcf_skbmod_init(struct net *net, struct nlattr *nla,
        ASSERT_RTNL();
        p = kzalloc(sizeof(struct tcf_skbmod_params), GFP_KERNEL);
        if (unlikely(!p)) {
-                if (ovr)
+                if (ret == ACT_P_CREATED)
                        tcf_idr_release(*a, bind);
                return -ENOMEM;
        }
@@ -190,7 +190,8 @@ static void tcf_skbmod_cleanup(struct tc_action *a)
        struct tcf_skbmod_params  *p;
        p = rcu_dereference_protected(d->skbmod_p, 1);
-        kfree_rcu(p, rcu);
+        if (p)
+                kfree_rcu(p, rcu);
 }
 static int tcf_skbmod_dump(struct sk_buff *skb, struct tc_action *a,
diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c
index 0e23aac09ad6..1281ca463727 100644
--- a/net/sched/act_tunnel_key.c
+++ b/net/sched/act_tunnel_key.c
@@ -153,6 +153,7 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
                metadata->u.tun_info.mode |= IP_TUNNEL_INFO_TX;
                break;
        default:
+                ret = -EINVAL;
                goto err_out;
        }
@@ -207,11 +208,12 @@ static void tunnel_key_release(struct tc_action *a)
        struct tcf_tunnel_key_params *params;
        params = rcu_dereference_protected(t->params, 1);
+        if (params) {
+                if (params->tcft_action == TCA_TUNNEL_KEY_ACT_SET)
+                        dst_release(&params->tcft_enc_metadata->dst);
-        if (params->tcft_action == TCA_TUNNEL_KEY_ACT_SET)
+                kfree_rcu(params, rcu);
-                dst_release(&params->tcft_enc_metadata->dst);
+        }
-        kfree_rcu(params, rcu);
 }
 static int tunnel_key_dump_addresses(struct sk_buff *skb,
diff --git a/net/sched/act_vlan.c b/net/sched/act_vlan.c
index e1a1b3f3983a..c49cb61adedf 100644
--- a/net/sched/act_vlan.c
+++ b/net/sched/act_vlan.c
@@ -195,7 +195,7 @@ static int tcf_vlan_init(struct net *net, struct nlattr *nla,
        ASSERT_RTNL();
        p = kzalloc(sizeof(*p), GFP_KERNEL);
        if (!p) {
-                if (ovr)
+                if (ret == ACT_P_CREATED)
                        tcf_idr_release(*a, bind);
                return -ENOMEM;
        }
@@ -225,7 +225,8 @@ static void tcf_vlan_cleanup(struct tc_action *a)
        struct tcf_vlan_params *p;
        p = rcu_dereference_protected(v->vlan_p, 1);
-        kfree_rcu(p, rcu);
+        if (p)
+                kfree_rcu(p, rcu);
 }
 static int tcf_vlan_dump(struct sk_buff *skb, struct tc_action *a,
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 2bc1bc23d42e..247b7cc20c13 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -376,17 +376,12 @@ struct tcf_net {
 static unsigned int tcf_net_id;
 static int tcf_block_insert(struct tcf_block *block, struct net *net,
-                            u32 block_index, struct netlink_ext_ack *extack)
+                            struct netlink_ext_ack *extack)
 {
        struct tcf_net *tn = net_generic(net, tcf_net_id);
-        int err;
-        err = idr_alloc_u32(&tn->idr, block, &block_index, block_index,
+        return idr_alloc_u32(&tn->idr, block, &block->index, block->index,
-                            GFP_KERNEL);
+                             GFP_KERNEL);
-        if (err)
-                return err;
-        block->index = block_index;
-        return 0;
 }
 static void tcf_block_remove(struct tcf_block *block, struct net *net)
@@ -397,6 +392,7 @@ static void tcf_block_remove(struct tcf_block *block, struct net *net)
 }
 static struct tcf_block *tcf_block_create(struct net *net, struct Qdisc *q,
+                                          u32 block_index,
                                          struct netlink_ext_ack *extack)
 {
        struct tcf_block *block;
@@ -419,10 +415,13 @@ static struct tcf_block *tcf_block_create(struct net *net, struct Qdisc *q,
                err = -ENOMEM;
                goto err_chain_create;
        }
-        block->net = qdisc_net(q);
        block->refcnt = 1;
        block->net = net;
-        block->q = q;
+        block->index = block_index;
+        /* Don't store q pointer for blocks which are shared */
+        if (!tcf_block_shared(block))
+                block->q = q;
        return block;
 err_chain_create:
@@ -518,13 +517,12 @@ int tcf_block_get_ext(struct tcf_block **p_block, struct Qdisc *q,
        }
        if (!block) {
-                block = tcf_block_create(net, q, extack);
+                block = tcf_block_create(net, q, ei->block_index, extack);
                if (IS_ERR(block))
                        return PTR_ERR(block);
                created = true;
-                if (ei->block_index) {
+                if (tcf_block_shared(block)) {
-                        err = tcf_block_insert(block, net,
+                        err = tcf_block_insert(block, net, extack);
-                                               ei->block_index, extack);
                        if (err)
                                goto err_block_insert;
                }
@@ -1399,13 +1397,18 @@ static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb)
                    nla_get_u32(tca[TCA_CHAIN]) != chain->index)
                        continue;
                if (!tcf_chain_dump(chain, q, parent, skb, cb,
-                                    index_start, &index))
+                                    index_start, &index)) {
+                        err = -EMSGSIZE;
                        break;
+                }
        }
        cb->args[0] = index;
 out:
+        /* If we did no progress, the error (EMSGSIZE) is real */
+        if (skb->len == 0 && err)
+                return err;
        return skb->len;
 }
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index 6c7601a530e3..ed8b6a24b9e9 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -96,7 +96,7 @@ struct tc_u_hnode {
 struct tc_u_common {
        struct tc_u_hnode __rcu *hlist;
-        struct tcf_block        *block;
+        void                    *ptr;
        int                     refcnt;
        struct idr              handle_idr;
        struct hlist_node       hnode;
@@ -330,9 +330,25 @@ static struct hlist_head *tc_u_common_hash;
 #define U32_HASH_SHIFT 10
 #define U32_HASH_SIZE (1 << U32_HASH_SHIFT)
+static void *tc_u_common_ptr(const struct tcf_proto *tp)
+{
+        struct tcf_block *block = tp->chain->block;
+        /* The block sharing is currently supported only
+         * for classless qdiscs. In that case we use block
+         * for tc_u_common identification. In case the
+         * block is not shared, block->q is a valid pointer
+         * and we can use that. That works for classful qdiscs.
+         */
+        if (tcf_block_shared(block))
+                return block;
+        else
+                return block->q;
+}
 static unsigned int tc_u_hash(const struct tcf_proto *tp)
 {
-        return hash_ptr(tp->chain->block, U32_HASH_SHIFT);
+        return hash_ptr(tc_u_common_ptr(tp), U32_HASH_SHIFT);
 }
 static struct tc_u_common *tc_u_common_find(const struct tcf_proto *tp)
@@ -342,7 +358,7 @@ static struct tc_u_common *tc_u_common_find(const struct tcf_proto *tp)
        h = tc_u_hash(tp);
        hlist_for_each_entry(tc, &tc_u_common_hash[h], hnode) {
-                if (tc->block == tp->chain->block)
+                if (tc->ptr == tc_u_common_ptr(tp))
                        return tc;
        }
        return NULL;
@@ -371,7 +387,7 @@ static int u32_init(struct tcf_proto *tp)
                        kfree(root_ht);
                        return -ENOBUFS;
                }
-                tp_c->block = tp->chain->block;
+                tp_c->ptr = tc_u_common_ptr(tp);
                INIT_HLIST_NODE(&tp_c->hnode);
                idr_init(&tp_c->handle_idr);
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 190570f21b20..7e3fbe9cc936 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -106,6 +106,14 @@ static inline void qdisc_enqueue_skb_bad_txq(struct Qdisc *q,
        __skb_queue_tail(&q->skb_bad_txq, skb);
+        if (qdisc_is_percpu_stats(q)) {
+                qdisc_qstats_cpu_backlog_inc(q, skb);
+                qdisc_qstats_cpu_qlen_inc(q);
+        } else {
+                qdisc_qstats_backlog_inc(q, skb);
+                q->q.qlen++;
+        }
        if (lock)
                spin_unlock(lock);
 }
@@ -196,14 +204,6 @@ static void try_bulk_dequeue_skb_slow(struct Qdisc *q,
                        break;
                if (unlikely(skb_get_queue_mapping(nskb) != mapping)) {
                        qdisc_enqueue_skb_bad_txq(q, nskb);
-                        if (qdisc_is_percpu_stats(q)) {
-                                qdisc_qstats_cpu_backlog_inc(q, nskb);
-                                qdisc_qstats_cpu_qlen_inc(q);
-                        } else {
-                                qdisc_qstats_backlog_inc(q, nskb);
-                                q->q.qlen++;
-                        }
                        break;
                }
                skb->next = nskb;
@@ -628,6 +628,7 @@ static int pfifo_fast_enqueue(struct sk_buff *skb, struct Qdisc *qdisc,
        int band = prio2band[skb->priority & TC_PRIO_MAX];
        struct pfifo_fast_priv *priv = qdisc_priv(qdisc);
        struct skb_array *q = band2list(priv, band);
+        unsigned int pkt_len = qdisc_pkt_len(skb);
        int err;
        err = skb_array_produce(q, skb);
@@ -636,7 +637,10 @@ static int pfifo_fast_enqueue(struct sk_buff *skb, struct Qdisc *qdisc,
                return qdisc_drop_cpu(skb, qdisc, to_free);
        qdisc_qstats_cpu_qlen_inc(qdisc);
-        qdisc_qstats_cpu_backlog_inc(qdisc, skb);
+        /* Note: skb can not be used after skb_array_produce(),
+         * so we better not use qdisc_qstats_cpu_backlog_inc()
+         */
+        this_cpu_add(qdisc->cpu_qstats->backlog, pkt_len);
        return NET_XMIT_SUCCESS;
 }
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index 7c179addebcd..7d6801fc5340 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -509,7 +509,7 @@ static int netem_enqueue(struct sk_buff *skb, struct Qdisc *sch,
        }
        if (unlikely(sch->q.qlen >= sch->limit))
-                return qdisc_drop(skb, sch, to_free);
+                return qdisc_drop_all(skb, sch, to_free);
        qdisc_qstats_backlog_inc(sch, skb);
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
index 229172d509cc..03225a8df973 100644
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -188,7 +188,8 @@ static int tbf_enqueue(struct sk_buff *skb, struct Qdisc *sch,
        int ret;
        if (qdisc_pkt_len(skb) > q->max_size) {
-                if (skb_is_gso(skb) && skb_gso_mac_seglen(skb) <= q->max_size)
+                if (skb_is_gso(skb) &&
+                    skb_gso_validate_mac_len(skb, q->max_size))
                        return tbf_segment(skb, sch, to_free);
                return qdisc_drop(skb, sch, to_free);
        }
diff --git a/net/sctp/debug.c b/net/sctp/debug.c
index 291c97b07058..8f6c2e8c0953 100644
--- a/net/sctp/debug.c
+++ b/net/sctp/debug.c
@@ -81,6 +81,12 @@ const char *sctp_cname(const union sctp_subtype cid)
        case SCTP_CID_RECONF:
                return "RECONF";
+        case SCTP_CID_I_DATA:
+                return "I_DATA";
+        case SCTP_CID_I_FWD_TSN:
+                return "I_FWD_TSN";
        default:
                break;
        }
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 141c9c466ec1..b381d78548ac 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -106,6 +106,7 @@ int sctp_rcv(struct sk_buff *skb)
        int family;
        struct sctp_af *af;
        struct net *net = dev_net(skb->dev);
+        bool is_gso = skb_is_gso(skb) && skb_is_gso_sctp(skb);
        if (skb->pkt_type != PACKET_HOST)
                goto discard_it;
@@ -123,8 +124,7 @@ int sctp_rcv(struct sk_buff *skb)
         * it's better to just linearize it otherwise crc computing
         * takes longer.
         */
-        if ((!(skb_shinfo(skb)->gso_type & SKB_GSO_SCTP) &&
+        if ((!is_gso && skb_linearize(skb)) ||
-             skb_linearize(skb)) ||
            !pskb_may_pull(skb, sizeof(struct sctphdr)))
                goto discard_it;
@@ -135,7 +135,7 @@ int sctp_rcv(struct sk_buff *skb)
        if (skb_csum_unnecessary(skb))
                __skb_decr_checksum_unnecessary(skb);
        else if (!sctp_checksum_disable &&
-                 !(skb_shinfo(skb)->gso_type & SKB_GSO_SCTP) &&
+                 !is_gso &&
                 sctp_rcv_checksum(net, skb) < 0)
                goto discard_it;
        skb->csum_valid = 1;
@@ -897,15 +897,12 @@ int sctp_hash_transport(struct sctp_transport *t)
        rhl_for_each_entry_rcu(transport, tmp, list, node)
                if (transport->asoc->ep == t->asoc->ep) {
                        rcu_read_unlock();
-                        err = -EEXIST;
+                        return -EEXIST;
-                        goto out;
                }
        rcu_read_unlock();
        err = rhltable_insert_key(&sctp_transport_hashtable, &arg,
                                  &t->node, sctp_hash_params);
-out:
        if (err)
                pr_err_once("insert transport fail, errno %d\n", err);
@@ -1221,7 +1218,7 @@ static struct sctp_association *__sctp_rcv_lookup_harder(struct net *net,
         * issue as packets hitting this are mostly INIT or INIT-ACK and
         * those cannot be on GSO-style anyway.
         */
-        if ((skb_shinfo(skb)->gso_type & SKB_GSO_SCTP) == SKB_GSO_SCTP)
+        if (skb_is_gso(skb) && skb_is_gso_sctp(skb))
                return NULL;
        ch = (struct sctp_chunkhdr *)skb->data;
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index 48392552ee7c..23ebc5318edc 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -170,7 +170,7 @@ next_chunk:
                chunk = list_entry(entry, struct sctp_chunk, list);
-                if ((skb_shinfo(chunk->skb)->gso_type & SKB_GSO_SCTP) == SKB_GSO_SCTP) {
+                if (skb_is_gso(chunk->skb) && skb_is_gso_sctp(chunk->skb)) {
                        /* GSO-marked skbs but without frags, handle
                         * them normally
                         */
diff --git a/net/sctp/offload.c b/net/sctp/offload.c
index 35bc7106d182..123e9f2dc226 100644
--- a/net/sctp/offload.c
+++ b/net/sctp/offload.c
@@ -45,7 +45,7 @@ static struct sk_buff *sctp_gso_segment(struct sk_buff *skb,
        struct sk_buff *segs = ERR_PTR(-EINVAL);
        struct sctphdr *sh;
-        if (!(skb_shinfo(skb)->gso_type & SKB_GSO_SCTP))
+        if (!skb_is_gso_sctp(skb))
                goto out;
        sh = sctp_hdr(skb);
diff --git a/net/sctp/stream.c b/net/sctp/stream.c
index cedf672487f9..f799043abec9 100644
--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -6,7 +6,7 @@
 *
 * This file is part of the SCTP kernel implementation
 *
- * These functions manipulate sctp tsn mapping array.
+ * This file contains sctp stream maniuplation primitives and helpers.
 *
 * This SCTP implementation is free software;
 * you can redistribute it and/or modify it under the terms of
diff --git a/net/sctp/stream_interleave.c b/net/sctp/stream_interleave.c
index 8c7cf8f08711..d3764c181299 100644
--- a/net/sctp/stream_interleave.c
+++ b/net/sctp/stream_interleave.c
@@ -3,7 +3,8 @@
 *
 * This file is part of the SCTP kernel implementation
 *
- * These functions manipulate sctp stream queue/scheduling.
+ * These functions implement sctp stream message interleaving, mostly
+ * including I-DATA and I-FORWARD-TSN chunks process.
 *
 * This SCTP implementation is free software;
 * you can redistribute it and/or modify it under the terms of
@@ -954,12 +955,8 @@ static void sctp_renege_events(struct sctp_ulpq *ulpq, struct sctp_chunk *chunk,
        __u32 freed = 0;
        __u16 needed;
-        if (chunk) {
+        needed = ntohs(chunk->chunk_hdr->length) -
-                needed = ntohs(chunk->chunk_hdr->length);
+                 sizeof(struct sctp_idata_chunk);
-                needed -= sizeof(struct sctp_idata_chunk);
-        } else {
-                needed = SCTP_DEFAULT_MAXWINDOW;
-        }
        if (skb_queue_empty(&asoc->base.sk->sk_receive_queue)) {
                freed = sctp_ulpq_renege_list(ulpq, &ulpq->lobby, needed);
@@ -971,9 +968,8 @@ static void sctp_renege_events(struct sctp_ulpq *ulpq, struct sctp_chunk *chunk,
                                                       needed);
        }
-        if (chunk && freed >= needed)
+        if (freed >= needed && sctp_ulpevent_idata(ulpq, chunk, gfp) <= 0)
-                if (sctp_ulpevent_idata(ulpq, chunk, gfp) <= 0)
+                sctp_intl_start_pd(ulpq, gfp);
-                        sctp_intl_start_pd(ulpq, gfp);
        sk_mem_reclaim(asoc->base.sk);
 }
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index da1a5cdefd13..1e0d780855c3 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -978,10 +978,6 @@ out:
                lsmc->clcsock = NULL;
        }
        release_sock(lsk);
-        /* no more listening, wake up smc_close_wait_listen_clcsock and
-         * accept
-         */
-        lsk->sk_state_change(lsk);
        sock_put(&lsmc->sk); /* sock_hold in smc_listen */
 }
@@ -1406,8 +1402,10 @@ static int smc_create(struct net *net, struct socket *sock, int protocol,
        smc->use_fallback = false; /* assume rdma capability first */
        rc = sock_create_kern(net, PF_INET, SOCK_STREAM,
                              IPPROTO_TCP, &smc->clcsock);
-        if (rc)
+        if (rc) {
                sk_common_release(sk);
+                goto out;
+        }
        smc->sk.sk_sndbuf = max(smc->clcsock->sk->sk_sndbuf, SMC_BUF_MIN_SIZE);
        smc->sk.sk_rcvbuf = max(smc->clcsock->sk->sk_rcvbuf, SMC_BUF_MIN_SIZE);
diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c
index 3cd086e5bd28..b42395d24cba 100644
--- a/net/smc/smc_cdc.c
+++ b/net/smc/smc_cdc.c
@@ -269,7 +269,7 @@ static void smc_cdc_rx_handler(struct ib_wc *wc, void *buf)
        if (wc->byte_len < offsetof(struct smc_cdc_msg, reserved))
                return; /* short message */
-        if (cdc->len != sizeof(*cdc))
+        if (cdc->len != SMC_WR_TX_SIZE)
                return; /* invalid message */
        smc_cdc_msg_recv(cdc, link, wc->wr_id);
 }
diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
index e339c0186dcf..fa41d9881741 100644
--- a/net/smc/smc_close.c
+++ b/net/smc/smc_close.c
@@ -30,27 +30,6 @@ static void smc_close_cleanup_listen(struct sock *parent)
                smc_close_non_accepted(sk);
 }
-static void smc_close_wait_listen_clcsock(struct smc_sock *smc)
-{
-        DEFINE_WAIT_FUNC(wait, woken_wake_function);
-        struct sock *sk = &smc->sk;
-        signed long timeout;
-        timeout = SMC_CLOSE_WAIT_LISTEN_CLCSOCK_TIME;
-        add_wait_queue(sk_sleep(sk), &wait);
-        do {
-                release_sock(sk);
-                if (smc->clcsock)
-                        timeout = wait_woken(&wait, TASK_UNINTERRUPTIBLE,
-                                             timeout);
-                sched_annotate_sleep();
-                lock_sock(sk);
-                if (!smc->clcsock)
-                        break;
-        } while (timeout);
-        remove_wait_queue(sk_sleep(sk), &wait);
-}
 /* wait for sndbuf data being transmitted */
 static void smc_close_stream_wait(struct smc_sock *smc, long timeout)
 {
@@ -204,9 +183,11 @@ again:
                        rc = kernel_sock_shutdown(smc->clcsock, SHUT_RDWR);
                        /* wake up kernel_accept of smc_tcp_listen_worker */
                        smc->clcsock->sk->sk_data_ready(smc->clcsock->sk);
-                        smc_close_wait_listen_clcsock(smc);
                }
                smc_close_cleanup_listen(sk);
+                release_sock(sk);
+                flush_work(&smc->tcp_listen_work);
+                lock_sock(sk);
                break;
        case SMC_ACTIVE:
                smc_close_stream_wait(smc, timeout);
diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
index 2424c7100aaf..645dd226177b 100644
--- a/net/smc/smc_core.c
+++ b/net/smc/smc_core.c
@@ -177,6 +177,7 @@ static int smc_lgr_create(struct smc_sock *smc, __be32 peer_in_addr,
        lnk = &lgr->lnk[SMC_SINGLE_LINK];
        /* initialize link */
+        lnk->link_id = SMC_SINGLE_LINK;
        lnk->smcibdev = smcibdev;
        lnk->ibport = ibport;
        lnk->path_mtu = smcibdev->pattr[ibport - 1].active_mtu;
@@ -465,7 +466,7 @@ create:
                rc = smc_link_determine_gid(conn->lgr);
        }
        conn->local_tx_ctrl.common.type = SMC_CDC_MSG_TYPE;
-        conn->local_tx_ctrl.len = sizeof(struct smc_cdc_msg);
+        conn->local_tx_ctrl.len = SMC_WR_TX_SIZE;
 #ifndef KERNEL_HAS_ATOMIC64
        spin_lock_init(&conn->acurs_lock);
 #endif
diff --git a/net/smc/smc_llc.c b/net/smc/smc_llc.c
index 92fe4cc8c82c..b4aa4fcedb96 100644
--- a/net/smc/smc_llc.c
+++ b/net/smc/smc_llc.c
@@ -92,7 +92,7 @@ int smc_llc_send_confirm_link(struct smc_link *link, u8 mac[],
        memcpy(confllc->sender_mac, mac, ETH_ALEN);
        memcpy(confllc->sender_gid, gid, SMC_GID_SIZE);
        hton24(confllc->sender_qp_num, link->roce_qp->qp_num);
-        /* confllc->link_num = SMC_SINGLE_LINK; already done by memset above */
+        confllc->link_num = link->link_id;
        memcpy(confllc->link_uid, lgr->id, SMC_LGR_ID_SIZE);
        confllc->max_links = SMC_LINKS_PER_LGR_MAX;
        /* send llc message */
diff --git a/net/socket.c b/net/socket.c
index a93c99b518ca..08847c3b8c39 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2587,6 +2587,11 @@ void sock_unregister(int family)
 }
 EXPORT_SYMBOL(sock_unregister);
+bool sock_is_registered(int family)
+{
+        return family < NPROTO && rcu_access_pointer(net_families[family]);
+}
 static int __init sock_init(void)
 {
        int err;
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index c8001471da6c..3e3dce3d4c63 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -813,7 +813,7 @@ err_out:
        return err;
 }
-int tipc_nl_bearer_disable(struct sk_buff *skb, struct genl_info *info)
+int __tipc_nl_bearer_disable(struct sk_buff *skb, struct genl_info *info)
 {
        int err;
        char *name;
@@ -835,20 +835,27 @@ int tipc_nl_bearer_disable(struct sk_buff *skb, struct genl_info *info)
        name = nla_data(attrs[TIPC_NLA_BEARER_NAME]);
-        rtnl_lock();
        bearer = tipc_bearer_find(net, name);
-        if (!bearer) {
+        if (!bearer)
-                rtnl_unlock();
                return -EINVAL;
-        }
        bearer_disable(net, bearer);
-        rtnl_unlock();
        return 0;
 }
-int tipc_nl_bearer_enable(struct sk_buff *skb, struct genl_info *info)
+int tipc_nl_bearer_disable(struct sk_buff *skb, struct genl_info *info)
+{
+        int err;
+        rtnl_lock();
+        err = __tipc_nl_bearer_disable(skb, info);
+        rtnl_unlock();
+        return err;
+}
+int __tipc_nl_bearer_enable(struct sk_buff *skb, struct genl_info *info)
 {
        int err;
        char *bearer;
@@ -890,15 +897,18 @@ int tipc_nl_bearer_enable(struct sk_buff *skb, struct genl_info *info)
                        prio = nla_get_u32(props[TIPC_NLA_PROP_PRIO]);
        }
+        return tipc_enable_bearer(net, bearer, domain, prio, attrs);
+}
+int tipc_nl_bearer_enable(struct sk_buff *skb, struct genl_info *info)
+{
+        int err;
        rtnl_lock();
-        err = tipc_enable_bearer(net, bearer, domain, prio, attrs);
+        err = __tipc_nl_bearer_enable(skb, info);
-        if (err) {
-                rtnl_unlock();
-                return err;
-        }
        rtnl_unlock();
-        return 0;
+        return err;
 }
 int tipc_nl_bearer_add(struct sk_buff *skb, struct genl_info *info)
@@ -944,7 +954,7 @@ int tipc_nl_bearer_add(struct sk_buff *skb, struct genl_info *info)
        return 0;
 }
-int tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info)
+int __tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info)
 {
        int err;
        char *name;
@@ -965,22 +975,17 @@ int tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info)
                return -EINVAL;
        name = nla_data(attrs[TIPC_NLA_BEARER_NAME]);
-        rtnl_lock();
        b = tipc_bearer_find(net, name);
-        if (!b) {
+        if (!b)
-                rtnl_unlock();
                return -EINVAL;
-        }
        if (attrs[TIPC_NLA_BEARER_PROP]) {
                struct nlattr *props[TIPC_NLA_PROP_MAX + 1];
                err = tipc_nl_parse_link_prop(attrs[TIPC_NLA_BEARER_PROP],
                                              props);
-                if (err) {
+                if (err)
-                        rtnl_unlock();
                        return err;
-                }
                if (props[TIPC_NLA_PROP_TOL])
                        b->tolerance = nla_get_u32(props[TIPC_NLA_PROP_TOL]);
@@ -989,11 +994,21 @@ int tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info)
                if (props[TIPC_NLA_PROP_WIN])
                        b->window = nla_get_u32(props[TIPC_NLA_PROP_WIN]);
        }
-        rtnl_unlock();
        return 0;
 }
+int tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info)
+{
+        int err;
+        rtnl_lock();
+        err = __tipc_nl_bearer_set(skb, info);
+        rtnl_unlock();
+        return err;
+}
 static int __tipc_nl_add_media(struct tipc_nl_msg *msg,
                               struct tipc_media *media, int nlflags)
 {
@@ -1115,7 +1130,7 @@ err_out:
        return err;
 }
-int tipc_nl_media_set(struct sk_buff *skb, struct genl_info *info)
+int __tipc_nl_media_set(struct sk_buff *skb, struct genl_info *info)
 {
        int err;
        char *name;
@@ -1133,22 +1148,17 @@ int tipc_nl_media_set(struct sk_buff *skb, struct genl_info *info)
                return -EINVAL;
        name = nla_data(attrs[TIPC_NLA_MEDIA_NAME]);
-        rtnl_lock();
        m = tipc_media_find(name);
-        if (!m) {
+        if (!m)
-                rtnl_unlock();
                return -EINVAL;
-        }
        if (attrs[TIPC_NLA_MEDIA_PROP]) {
                struct nlattr *props[TIPC_NLA_PROP_MAX + 1];
                err = tipc_nl_parse_link_prop(attrs[TIPC_NLA_MEDIA_PROP],
                                              props);
-                if (err) {
+                if (err)
-                        rtnl_unlock();
                        return err;
-                }
                if (props[TIPC_NLA_PROP_TOL])
                        m->tolerance = nla_get_u32(props[TIPC_NLA_PROP_TOL]);
@@ -1157,7 +1167,17 @@ int tipc_nl_media_set(struct sk_buff *skb, struct genl_info *info)
                if (props[TIPC_NLA_PROP_WIN])
                        m->window = nla_get_u32(props[TIPC_NLA_PROP_WIN]);
        }
-        rtnl_unlock();
        return 0;
 }
+int tipc_nl_media_set(struct sk_buff *skb, struct genl_info *info)
+{
+        int err;
+        rtnl_lock();
+        err = __tipc_nl_media_set(skb, info);
+        rtnl_unlock();
+        return err;
+}
diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
index 42d6eeeb646d..a53613d95bc9 100644
--- a/net/tipc/bearer.h
+++ b/net/tipc/bearer.h
@@ -188,15 +188,19 @@ extern struct tipc_media udp_media_info;
 #endif
 int tipc_nl_bearer_disable(struct sk_buff *skb, struct genl_info *info);
+int __tipc_nl_bearer_disable(struct sk_buff *skb, struct genl_info *info);
 int tipc_nl_bearer_enable(struct sk_buff *skb, struct genl_info *info);
+int __tipc_nl_bearer_enable(struct sk_buff *skb, struct genl_info *info);
 int tipc_nl_bearer_dump(struct sk_buff *skb, struct netlink_callback *cb);
 int tipc_nl_bearer_get(struct sk_buff *skb, struct genl_info *info);
 int tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info);
+int __tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info);
 int tipc_nl_bearer_add(struct sk_buff *skb, struct genl_info *info);
 int tipc_nl_media_dump(struct sk_buff *skb, struct netlink_callback *cb);
 int tipc_nl_media_get(struct sk_buff *skb, struct genl_info *info);
 int tipc_nl_media_set(struct sk_buff *skb, struct genl_info *info);
+int __tipc_nl_media_set(struct sk_buff *skb, struct genl_info *info);
 int tipc_media_set_priority(const char *name, u32 new_value);
 int tipc_media_set_window(const char *name, u32 new_value);
diff --git a/net/tipc/group.c b/net/tipc/group.c
index 122162a31816..04e516d18054 100644
--- a/net/tipc/group.c
+++ b/net/tipc/group.c
@@ -189,6 +189,7 @@ struct tipc_group *tipc_group_create(struct net *net, u32 portid,
        grp->loopback = mreq->flags & TIPC_GROUP_LOOPBACK;
        grp->events = mreq->flags & TIPC_GROUP_MEMBER_EVTS;
        grp->open = group_is_open;
+        *grp->open = false;
        filter |= global ? TIPC_SUB_CLUSTER_SCOPE : TIPC_SUB_NODE_SCOPE;
        if (tipc_topsrv_kern_subscr(net, portid, type, 0, ~0,
                                    filter, &grp->subid))
diff --git a/net/tipc/net.c b/net/tipc/net.c
index 719c5924b638..1a2fde0d6f61 100644
--- a/net/tipc/net.c
+++ b/net/tipc/net.c
@@ -200,7 +200,7 @@ out:
        return skb->len;
 }
-int tipc_nl_net_set(struct sk_buff *skb, struct genl_info *info)
+int __tipc_nl_net_set(struct sk_buff *skb, struct genl_info *info)
 {
        struct net *net = sock_net(skb->sk);
        struct tipc_net *tn = net_generic(net, tipc_net_id);
@@ -241,10 +241,19 @@ int tipc_nl_net_set(struct sk_buff *skb, struct genl_info *info)
                if (!tipc_addr_node_valid(addr))
                        return -EINVAL;
-                rtnl_lock();
                tipc_net_start(net, addr);
-                rtnl_unlock();
        }
        return 0;
 }
+int tipc_nl_net_set(struct sk_buff *skb, struct genl_info *info)
+{
+        int err;
+        rtnl_lock();
+        err = __tipc_nl_net_set(skb, info);
+        rtnl_unlock();
+        return err;
+}
diff --git a/net/tipc/net.h b/net/tipc/net.h
index c7c254902873..c0306aa2374b 100644
--- a/net/tipc/net.h
+++ b/net/tipc/net.h
@@ -47,5 +47,6 @@ void tipc_net_stop(struct net *net);
 int tipc_nl_net_dump(struct sk_buff *skb, struct netlink_callback *cb);
 int tipc_nl_net_set(struct sk_buff *skb, struct genl_info *info);
+int __tipc_nl_net_set(struct sk_buff *skb, struct genl_info *info);
 #endif
diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index e48f0b2c01b9..4492cda45566 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -285,10 +285,6 @@ static int __tipc_nl_compat_doit(struct tipc_nl_compat_cmd_doit *cmd,
        if (!trans_buf)
                return -ENOMEM;
-        err = (*cmd->transcode)(cmd, trans_buf, msg);
-        if (err)
-                goto trans_out;
        attrbuf = kmalloc((tipc_genl_family.maxattr + 1) *
                        sizeof(struct nlattr *), GFP_KERNEL);
        if (!attrbuf) {
@@ -296,27 +292,34 @@ static int __tipc_nl_compat_doit(struct tipc_nl_compat_cmd_doit *cmd,
                goto trans_out;
        }
-        err = nla_parse(attrbuf, tipc_genl_family.maxattr,
-                        (const struct nlattr *)trans_buf->data,
-                        trans_buf->len, NULL, NULL);
-        if (err)
-                goto parse_out;
        doit_buf = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
        if (!doit_buf) {
                err = -ENOMEM;
-                goto parse_out;
+                goto attrbuf_out;
        }
-        doit_buf->sk = msg->dst_sk;
        memset(&info, 0, sizeof(info));
        info.attrs = attrbuf;
+        rtnl_lock();
+        err = (*cmd->transcode)(cmd, trans_buf, msg);
+        if (err)
+                goto doit_out;
+        err = nla_parse(attrbuf, tipc_genl_family.maxattr,
+                        (const struct nlattr *)trans_buf->data,
+                        trans_buf->len, NULL, NULL);
+        if (err)
+                goto doit_out;
+        doit_buf->sk = msg->dst_sk;
        err = (*cmd->doit)(doit_buf, &info);
+doit_out:
+        rtnl_unlock();
        kfree_skb(doit_buf);
-parse_out:
+attrbuf_out:
        kfree(attrbuf);
 trans_out:
        kfree_skb(trans_buf);
@@ -722,13 +725,13 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd,
        media = tipc_media_find(lc->name);
        if (media) {
-                cmd->doit = &tipc_nl_media_set;
+                cmd->doit = &__tipc_nl_media_set;
                return tipc_nl_compat_media_set(skb, msg);
        }
        bearer = tipc_bearer_find(msg->net, lc->name);
        if (bearer) {
-                cmd->doit = &tipc_nl_bearer_set;
+                cmd->doit = &__tipc_nl_bearer_set;
                return tipc_nl_compat_bearer_set(skb, msg);
        }
@@ -1089,12 +1092,12 @@ static int tipc_nl_compat_handle(struct tipc_nl_compat_msg *msg)
                return tipc_nl_compat_dumpit(&dump, msg);
        case TIPC_CMD_ENABLE_BEARER:
                msg->req_type = TIPC_TLV_BEARER_CONFIG;
-                doit.doit = tipc_nl_bearer_enable;
+                doit.doit = __tipc_nl_bearer_enable;
                doit.transcode = tipc_nl_compat_bearer_enable;
                return tipc_nl_compat_doit(&doit, msg);
        case TIPC_CMD_DISABLE_BEARER:
                msg->req_type = TIPC_TLV_BEARER_NAME;
-                doit.doit = tipc_nl_bearer_disable;
+                doit.doit = __tipc_nl_bearer_disable;
                doit.transcode = tipc_nl_compat_bearer_disable;
                return tipc_nl_compat_doit(&doit, msg);
        case TIPC_CMD_SHOW_LINK_STATS:
@@ -1148,12 +1151,12 @@ static int tipc_nl_compat_handle(struct tipc_nl_compat_msg *msg)
                return tipc_nl_compat_dumpit(&dump, msg);
        case TIPC_CMD_SET_NODE_ADDR:
                msg->req_type = TIPC_TLV_NET_ADDR;
-                doit.doit = tipc_nl_net_set;
+                doit.doit = __tipc_nl_net_set;
                doit.transcode = tipc_nl_compat_net_set;
                return tipc_nl_compat_doit(&doit, msg);
        case TIPC_CMD_SET_NETID:
                msg->req_type = TIPC_TLV_UNSIGNED;
-                doit.doit = tipc_nl_net_set;
+                doit.doit = __tipc_nl_net_set;
                doit.transcode = tipc_nl_compat_net_set;
                return tipc_nl_compat_doit(&doit, msg);
        case TIPC_CMD_GET_NETID:
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index b0323ec7971e..7dfa9fc99ec3 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -473,6 +473,7 @@ static int tipc_sk_create(struct net *net, struct socket *sock,
        sk->sk_write_space = tipc_write_space;
        sk->sk_destruct = tipc_sock_destruct;
        tsk->conn_timeout = CONN_TIMEOUT_DEFAULT;
+        tsk->group_is_open = true;
        atomic_set(&tsk->dupl_rcvcnt, 0);
        /* Start out with safe limits until we receive an advertised window */
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index b0d5fcea47e7..d824d548447e 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -46,16 +46,26 @@ MODULE_DESCRIPTION("Transport Layer Security Support");
 MODULE_LICENSE("Dual BSD/GPL");
 enum {
+        TLSV4,
+        TLSV6,
+        TLS_NUM_PROTS,
+};
+enum {
        TLS_BASE_TX,
        TLS_SW_TX,
        TLS_NUM_CONFIG,
 };
-static struct proto tls_prots[TLS_NUM_CONFIG];
+static struct proto *saved_tcpv6_prot;
+static DEFINE_MUTEX(tcpv6_prot_mutex);
+static struct proto tls_prots[TLS_NUM_PROTS][TLS_NUM_CONFIG];
 static inline void update_sk_prot(struct sock *sk, struct tls_context *ctx)
 {
-        sk->sk_prot = &tls_prots[ctx->tx_conf];
+        int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
+        sk->sk_prot = &tls_prots[ip_ver][ctx->tx_conf];
 }
 int wait_on_pending_writer(struct sock *sk, long *timeo)
@@ -308,8 +318,11 @@ static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
                        goto out;
                }
                lock_sock(sk);
-                memcpy(crypto_info_aes_gcm_128->iv, ctx->iv,
+                memcpy(crypto_info_aes_gcm_128->iv,
+                       ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
                       TLS_CIPHER_AES_GCM_128_IV_SIZE);
+                memcpy(crypto_info_aes_gcm_128->rec_seq, ctx->rec_seq,
+                       TLS_CIPHER_AES_GCM_128_REC_SEQ_SIZE);
                release_sock(sk);
                if (copy_to_user(optval,
                                 crypto_info_aes_gcm_128,
@@ -375,7 +388,7 @@ static int do_tls_setsockopt_tx(struct sock *sk, char __user *optval,
        rc = copy_from_user(crypto_info, optval, sizeof(*crypto_info));
        if (rc) {
                rc = -EFAULT;
-                goto out;
+                goto err_crypto_info;
        }
        /* check version */
@@ -450,8 +463,21 @@ static int tls_setsockopt(struct sock *sk, int level, int optname,
        return do_tls_setsockopt(sk, optname, optval, optlen);
 }
+static void build_protos(struct proto *prot, struct proto *base)
+{
+        prot[TLS_BASE_TX] = *base;
+        prot[TLS_BASE_TX].setsockopt    = tls_setsockopt;
+        prot[TLS_BASE_TX].getsockopt    = tls_getsockopt;
+        prot[TLS_BASE_TX].close         = tls_sk_proto_close;
+        prot[TLS_SW_TX] = prot[TLS_BASE_TX];
+        prot[TLS_SW_TX].sendmsg         = tls_sw_sendmsg;
+        prot[TLS_SW_TX].sendpage        = tls_sw_sendpage;
+}
 static int tls_init(struct sock *sk)
 {
+        int ip_ver = sk->sk_family == AF_INET6 ? TLSV6 : TLSV4;
        struct inet_connection_sock *icsk = inet_csk(sk);
        struct tls_context *ctx;
        int rc = 0;
@@ -476,6 +502,17 @@ static int tls_init(struct sock *sk)
        ctx->getsockopt = sk->sk_prot->getsockopt;
        ctx->sk_proto_close = sk->sk_prot->close;
+        /* Build IPv6 TLS whenever the address of tcpv6_prot changes */
+        if (ip_ver == TLSV6 &&
+            unlikely(sk->sk_prot != smp_load_acquire(&saved_tcpv6_prot))) {
+                mutex_lock(&tcpv6_prot_mutex);
+                if (likely(sk->sk_prot != saved_tcpv6_prot)) {
+                        build_protos(tls_prots[TLSV6], sk->sk_prot);
+                        smp_store_release(&saved_tcpv6_prot, sk->sk_prot);
+                }
+                mutex_unlock(&tcpv6_prot_mutex);
+        }
        ctx->tx_conf = TLS_BASE_TX;
        update_sk_prot(sk, ctx);
 out:
@@ -490,21 +527,9 @@ static struct tcp_ulp_ops tcp_tls_ulp_ops __read_mostly = {
        .init                   = tls_init,
 };
-static void build_protos(struct proto *prot, struct proto *base)
-{
-        prot[TLS_BASE_TX] = *base;
-        prot[TLS_BASE_TX].setsockopt    = tls_setsockopt;
-        prot[TLS_BASE_TX].getsockopt    = tls_getsockopt;
-        prot[TLS_BASE_TX].close         = tls_sk_proto_close;
-        prot[TLS_SW_TX] = prot[TLS_BASE_TX];
-        prot[TLS_SW_TX].sendmsg         = tls_sw_sendmsg;
-        prot[TLS_SW_TX].sendpage        = tls_sw_sendpage;
-}
 static int __init tls_register(void)
 {
-        build_protos(tls_prots, &tcp_prot);
+        build_protos(tls_prots[TLSV4], &tcp_prot);
        tcp_register_ulp(&tcp_tls_ulp_ops);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index d545e1d0dea2..2d465bdeccbc 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1825,7 +1825,7 @@ out:
 }
 /* We use paged skbs for stream sockets, and limit occupancy to 32768
- * bytes, and a minimun of a full page.
+ * bytes, and a minimum of a full page.
 */
 #define UNIX_SKB_FRAGS_SZ (PAGE_SIZE << get_order(32768))
diff --git a/net/wireless/Kconfig b/net/wireless/Kconfig
index 1abcc4fc4df1..41722046b937 100644
--- a/net/wireless/Kconfig
+++ b/net/wireless/Kconfig
@@ -34,9 +34,10 @@ config CFG80211
          When built as a module it will be called cfg80211.
+if CFG80211
 config NL80211_TESTMODE
        bool "nl80211 testmode command"
-        depends on CFG80211
        help
          The nl80211 testmode command helps implementing things like
          factory calibration or validation tools for wireless chips.
@@ -51,7 +52,6 @@ config NL80211_TESTMODE
 config CFG80211_DEVELOPER_WARNINGS
        bool "enable developer warnings"
-        depends on CFG80211
        default n
        help
          This option enables some additional warnings that help
@@ -68,7 +68,7 @@ config CFG80211_DEVELOPER_WARNINGS
 config CFG80211_CERTIFICATION_ONUS
        bool "cfg80211 certification onus"
-        depends on CFG80211 && EXPERT
+        depends on EXPERT
        default n
        ---help---
          You should disable this option unless you are both capable
@@ -159,7 +159,6 @@ config CFG80211_REG_RELAX_NO_IR
 config CFG80211_DEFAULT_PS
        bool "enable powersave by default"
-        depends on CFG80211
        default y
        help
          This option enables powersave mode by default.
@@ -170,7 +169,6 @@ config CFG80211_DEFAULT_PS
 config CFG80211_DEBUGFS
        bool "cfg80211 DebugFS entries"
-        depends on CFG80211
        depends on DEBUG_FS
        ---help---
          You can enable this if you want debugfs entries for cfg80211.
@@ -180,7 +178,6 @@ config CFG80211_DEBUGFS
 config CFG80211_CRDA_SUPPORT
        bool "support CRDA" if EXPERT
        default y
-        depends on CFG80211
        help
          You should enable this option unless you know for sure you have no
          need for it, for example when using internal regdb (above) or the
@@ -190,7 +187,6 @@ config CFG80211_CRDA_SUPPORT
 config CFG80211_WEXT
        bool "cfg80211 wireless extensions compatibility" if !CFG80211_WEXT_EXPORT
-        depends on CFG80211
        select WEXT_CORE
        default y if CFG80211_WEXT_EXPORT
        help
@@ -199,11 +195,12 @@ config CFG80211_WEXT
 config CFG80211_WEXT_EXPORT
        bool
-        depends on CFG80211
        help
          Drivers should select this option if they require cfg80211's
          wext compatibility symbols to be exported.
+endif # CFG80211
 config LIB80211
        tristate
        default n
diff --git a/net/wireless/mesh.c b/net/wireless/mesh.c
index 51aa55618ef7..b12da6ef3c12 100644
--- a/net/wireless/mesh.c
+++ b/net/wireless/mesh.c
@@ -170,9 +170,28 @@ int __cfg80211_join_mesh(struct cfg80211_registered_device *rdev,
                enum nl80211_bss_scan_width scan_width;
                struct ieee80211_supported_band *sband =
                                rdev->wiphy.bands[setup->chandef.chan->band];
-                scan_width = cfg80211_chandef_to_scan_width(&setup->chandef);
-                setup->basic_rates = ieee80211_mandatory_rates(sband,
+                if (setup->chandef.chan->band == NL80211_BAND_2GHZ) {
-                                                               scan_width);
+                        int i;
+                        /*
+                         * Older versions selected the mandatory rates for
+                         * 2.4 GHz as well, but were broken in that only
+                         * 1 Mbps was regarded as a mandatory rate. Keep
+                         * using just 1 Mbps as the default basic rate for
+                         * mesh to be interoperable with older versions.
+                         */
+                        for (i = 0; i < sband->n_bitrates; i++) {
+                                if (sband->bitrates[i].bitrate == 10) {
+                                        setup->basic_rates = BIT(i);
+                                        break;
+                                }
+                        }
+                } else {
+                        scan_width = cfg80211_chandef_to_scan_width(&setup->chandef);
+                        setup->basic_rates = ieee80211_mandatory_rates(sband,
+                                                                       scan_width);
+                }
        }
        err = cfg80211_chandef_dfs_required(&rdev->wiphy,
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index fdb3646274a5..701cfd7acc1b 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -1032,6 +1032,8 @@ void __cfg80211_disconnected(struct net_device *dev, const u8 *ie,
        wdev->current_bss = NULL;
        wdev->ssid_len = 0;
        wdev->conn_owner_nlportid = 0;
+        kzfree(wdev->connect_keys);
+        wdev->connect_keys = NULL;
        nl80211_send_disconnected(rdev, dev, reason, ie, ie_len, from_ap);
diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index 8e70291e586a..e87d6c4dd5b6 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -217,7 +217,7 @@ bool xfrm_dev_offload_ok(struct sk_buff *skb, struct xfrm_state *x)
                if (skb->len <= mtu)
                        goto ok;
-                if (skb_is_gso(skb) && skb_gso_validate_mtu(skb, mtu))
+                if (skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu))
                        goto ok;
        }
diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
index ccfdc7115a83..a00ec715aa46 100644
--- a/net/xfrm/xfrm_ipcomp.c
+++ b/net/xfrm/xfrm_ipcomp.c
@@ -283,7 +283,7 @@ static struct crypto_comp * __percpu *ipcomp_alloc_tfms(const char *alg_name)
                struct crypto_comp *tfm;
                /* This can be any valid CPU ID so we don't need locking. */
-                tfm = __this_cpu_read(*pos->tfms);
+                tfm = this_cpu_read(*pos->tfms);
                if (!strcmp(crypto_comp_name(tfm), alg_name)) {
                        pos->users++;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 7a23078132cf..625b3fca5704 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1458,10 +1458,13 @@ xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, const struct flowi *fl,
 static int xfrm_get_tos(const struct flowi *fl, int family)
 {
        const struct xfrm_policy_afinfo *afinfo;
-        int tos = 0;
+        int tos;
        afinfo = xfrm_policy_get_afinfo(family);
-        tos = afinfo ? afinfo->get_tos(fl) : 0;
+        if (!afinfo)
+                return 0;
+        tos = afinfo->get_tos(fl);
        rcu_read_unlock();
@@ -1891,7 +1894,7 @@ static void xfrm_policy_queue_process(struct timer_list *t)
        spin_unlock(&pq->hold_queue.lock);
        dst_hold(xfrm_dst_path(dst));
-        dst = xfrm_lookup(net, xfrm_dst_path(dst), &fl, sk, 0);
+        dst = xfrm_lookup(net, xfrm_dst_path(dst), &fl, sk, XFRM_LOOKUP_QUEUE);
        if (IS_ERR(dst))
                goto purge_queue;
@@ -2729,14 +2732,14 @@ static const void *xfrm_get_dst_nexthop(const struct dst_entry *dst,
        while (dst->xfrm) {
                const struct xfrm_state *xfrm = dst->xfrm;
+                dst = xfrm_dst_child(dst);
                if (xfrm->props.mode == XFRM_MODE_TRANSPORT)
                        continue;
                if (xfrm->type->flags & XFRM_TYPE_REMOTE_COADDR)
                        daddr = xfrm->coaddr;
                else if (!(xfrm->type->flags & XFRM_TYPE_LOCAL_COADDR))
                        daddr = &xfrm->id.daddr;
-                dst = xfrm_dst_child(dst);
        }
        return daddr;
 }
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 1d38c6acf8af..9e3a5e85f828 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -660,7 +660,7 @@ static int xfrm_replay_overflow_offload_esn(struct xfrm_state *x, struct sk_buff
                } else {
                        XFRM_SKB_CB(skb)->seq.output.low = oseq + 1;
                        XFRM_SKB_CB(skb)->seq.output.hi = oseq_hi;
-                        xo->seq.low = oseq = oseq + 1;
+                        xo->seq.low = oseq + 1;
                        xo->seq.hi = oseq_hi;
                        oseq += skb_shinfo(skb)->gso_segs;
                }
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 54e21f19d722..f9d2f2233f09 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2056,6 +2056,11 @@ int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen
        struct xfrm_mgr *km;
        struct xfrm_policy *pol = NULL;
+#ifdef CONFIG_COMPAT
+        if (in_compat_syscall())
+                return -EOPNOTSUPP;
+#endif
        if (!optval && !optlen) {
                xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL);
                xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 7f52b8eb177d..080035f056d9 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -121,22 +121,17 @@ static inline int verify_replay(struct xfrm_usersa_info *p,
        struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
        struct xfrm_replay_state_esn *rs;
-        if (p->flags & XFRM_STATE_ESN) {
+        if (!rt)
-                if (!rt)
+                return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;
-                        return -EINVAL;
-                rs = nla_data(rt);
+        rs = nla_data(rt);
-                if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
+        if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
-                        return -EINVAL;
+                return -EINVAL;
-                if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) &&
-                    nla_len(rt) != sizeof(*rs))
-                        return -EINVAL;
-        }
-        if (!rt)
+        if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) &&
-                return 0;
+            nla_len(rt) != sizeof(*rs))
+                return -EINVAL;
        /* As only ESP and AH support ESN feature. */
        if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))
author	Dave Airlie <airlied@redhat.com>	2018-03-28 00:30:41 -0400
committer	Dave Airlie <airlied@redhat.com>	2018-03-28 00:30:41 -0400
commit	2b4f44eec2be2688511c2b617d0e1b4f94c45ba4 (patch)
tree	533c03602f4ae6d6404db6fa56c88e6f83e1bebe /net
parent	33d009cd889490838c5db9b9339856c9e3d3facc (diff)
parent	3eb2ce825ea1ad89d20f7a3b5780df850e4be274 (diff)