Merge remote-tracking branch 'ovl/rename2' into for-linus

68 files changed, 482 insertions, 270 deletions

diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
index 7d170010beb9..ee08540ce503 100644
--- a/net/batman-adv/bat_v_elp.c
+++ b/net/batman-adv/bat_v_elp.c
@@ -335,7 +335,7 @@ int batadv_v_elp_iface_enable(struct batadv_hard_iface *hard_iface)
                 goto out;
 
         skb_reserve(hard_iface->bat_v.elp_skb, ETH_HLEN + NET_IP_ALIGN);
-        elp_buff = skb_push(hard_iface->bat_v.elp_skb, BATADV_ELP_HLEN);
+        elp_buff = skb_put(hard_iface->bat_v.elp_skb, BATADV_ELP_HLEN);
         elp_packet = (struct batadv_elp_packet *)elp_buff;
         memset(elp_packet, 0, BATADV_ELP_HLEN);
 
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 7602c001e92b..3d199478c405 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -470,6 +470,29 @@ static int batadv_check_unicast_packet(struct batadv_priv *bat_priv,
 }
 
 /**
+ * batadv_last_bonding_get - Get last_bonding_candidate of orig_node
+ * @orig_node: originator node whose last bonding candidate should be retrieved
+ *
+ * Return: last bonding candidate of router or NULL if not found
+ *
+ * The object is returned with refcounter increased by 1.
+ */
+static struct batadv_orig_ifinfo *
+batadv_last_bonding_get(struct batadv_orig_node *orig_node)
+{
+        struct batadv_orig_ifinfo *last_bonding_candidate;
+
+        spin_lock_bh(&orig_node->neigh_list_lock);
+        last_bonding_candidate = orig_node->last_bonding_candidate;
+
+        if (last_bonding_candidate)
+                kref_get(&last_bonding_candidate->refcount);
+        spin_unlock_bh(&orig_node->neigh_list_lock);
+
+        return last_bonding_candidate;
+}
+
+/**
  * batadv_last_bonding_replace - Replace last_bonding_candidate of orig_node
  * @orig_node: originator node whose bonding candidates should be replaced
  * @new_candidate: new bonding candidate or NULL
@@ -539,7 +562,7 @@ batadv_find_router(struct batadv_priv *bat_priv,
          * router - obviously there are no other candidates.
          */
         rcu_read_lock();
-        last_candidate = orig_node->last_bonding_candidate;
+        last_candidate = batadv_last_bonding_get(orig_node);
         if (last_candidate)
                 last_cand_router = rcu_dereference(last_candidate->router);
 
@@ -631,6 +654,9 @@ next:
                 batadv_orig_ifinfo_put(next_candidate);
         }
 
+        if (last_candidate)
+                batadv_orig_ifinfo_put(last_candidate);
+
         return router;
 }
 
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 8e486203d133..abe11f085479 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -80,13 +80,10 @@ static void br_do_proxy_arp(struct sk_buff *skb, struct net_bridge *br,
 
         BR_INPUT_SKB_CB(skb)->proxyarp_replied = false;
 
-        if (dev->flags & IFF_NOARP)
+        if ((dev->flags & IFF_NOARP) ||
+            !pskb_may_pull(skb, arp_hdr_len(dev)))
                 return;
 
-        if (!pskb_may_pull(skb, arp_hdr_len(dev))) {
-                dev->stats.tx_dropped++;
-                return;
-        }
         parp = arp_hdr(skb);
 
         if (parp->ar_pro != htons(ETH_P_IP) ||
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index a5423a1eec05..c5fea9393946 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1138,7 +1138,7 @@ static int br_ip6_multicast_mld2_report(struct net_bridge *br,
                 } else {
                         err = br_ip6_multicast_add_group(br, port,
                                                          &grec->grec_mca, vid);
-                        if (!err)
+                        if (err)
                                 break;
                 }
         }
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index cceac5bb658f..0833c251aef7 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -368,6 +368,8 @@ ebt_check_match(struct ebt_entry_match *m, struct xt_mtchk_param *par,
 
         match = xt_find_match(NFPROTO_BRIDGE, m->u.name, 0);
         if (IS_ERR(match) || match->family != NFPROTO_BRIDGE) {
+                if (!IS_ERR(match))
+                        module_put(match->me);
                 request_module("ebt_%s", m->u.name);
                 match = xt_find_match(NFPROTO_BRIDGE, m->u.name, 0);
         }
diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
index 4b901d9f2e7c..ad47a921b701 100644
--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -86,6 +86,7 @@ static const struct nft_expr_ops nft_meta_bridge_set_ops = {
         .init           = nft_meta_set_init,
         .destroy        = nft_meta_set_destroy,
         .dump           = nft_meta_set_dump,
+        .validate       = nft_meta_set_validate,
 };
 
 static const struct nft_expr_ops *
diff --git a/net/core/dev.c b/net/core/dev.c
index dd6ce598de89..ea6312057a71 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3975,6 +3975,22 @@ sch_handle_ingress(struct sk_buff *skb, struct packet_type **pt_prev, int *ret,
 }
 
 /**
+ *      netdev_is_rx_handler_busy - check if receive handler is registered
+ *      @dev: device to check
+ *
+ *      Check if a receive handler is already registered for a given device.
+ *      Return true if there one.
+ *
+ *      The caller must hold the rtnl_mutex.
+ */
+bool netdev_is_rx_handler_busy(struct net_device *dev)
+{
+        ASSERT_RTNL();
+        return dev && rtnl_dereference(dev->rx_handler);
+}
+EXPORT_SYMBOL_GPL(netdev_is_rx_handler_busy);
+
+/**
  *      netdev_rx_handler_register - register receive handler
  *      @dev: device to register a handler for
  *      @rx_handler: receive handler to register
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 61ad43f61c5e..52742a02814f 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -680,11 +680,13 @@ EXPORT_SYMBOL_GPL(__skb_get_hash_symmetric);
 void __skb_get_hash(struct sk_buff *skb)
 {
         struct flow_keys keys;
+        u32 hash;
 
         __flow_hash_secret_init();
 
-        __skb_set_sw_hash(skb, ___skb_get_hash(skb, &keys, hashrnd),
-                          flow_keys_have_l4(&keys));
+        hash = ___skb_get_hash(skb, &keys, hashrnd);
+
+        __skb_set_sw_hash(skb, hash, flow_keys_have_l4(&keys));
 }
 EXPORT_SYMBOL(__skb_get_hash);
 
diff --git a/net/core/sock.c b/net/core/sock.c
index 25dab8b60223..fd7b41edf1ce 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1362,7 +1362,6 @@ static struct sock *sk_prot_alloc(struct proto *prot, gfp_t priority,
                 if (!try_module_get(prot->owner))
                         goto out_free_sec;
                 sk_tx_queue_clear(sk);
-                cgroup_sk_alloc(&sk->sk_cgrp_data);
         }
 
         return sk;
@@ -1422,6 +1421,7 @@ struct sock *sk_alloc(struct net *net, int family, gfp_t priority,
                 sock_net_set(sk, net);
                 atomic_set(&sk->sk_wmem_alloc, 1);
 
+                cgroup_sk_alloc(&sk->sk_cgrp_data);
                 sock_update_classid(&sk->sk_cgrp_data);
                 sock_update_netprioidx(&sk->sk_cgrp_data);
         }
@@ -1566,6 +1566,9 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
                 newsk->sk_priority = 0;
                 newsk->sk_incoming_cpu = raw_smp_processor_id();
                 atomic64_set(&newsk->sk_cookie, 0);
+
+                cgroup_sk_alloc(&newsk->sk_cgrp_data);
+
                 /*
                  * Before updating sk_refcnt, we must commit prior changes to memory
                  * (Documentation/RCU/rculist_nulls.txt for details)
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 415e117967c7..062a67ca9a21 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -2232,7 +2232,7 @@ static struct devinet_sysctl_table {
 };
 
 static int __devinet_sysctl_register(struct net *net, char *dev_name,
-                                        struct ipv4_devconf *p)
+                                     int ifindex, struct ipv4_devconf *p)
 {
         int i;
         struct devinet_sysctl_table *t;
@@ -2255,6 +2255,8 @@ static int __devinet_sysctl_register(struct net *net, char *dev_name,
                 goto free;
 
         p->sysctl = t;
+
+        inet_netconf_notify_devconf(net, NETCONFA_ALL, ifindex, p);
         return 0;
 
 free:
@@ -2286,7 +2288,7 @@ static int devinet_sysctl_register(struct in_device *idev)
         if (err)
                 return err;
         err = __devinet_sysctl_register(dev_net(idev->dev), idev->dev->name,
-                                        &idev->cnf);
+                                        idev->dev->ifindex, &idev->cnf);
         if (err)
                 neigh_sysctl_unregister(idev->arp_parms);
         return err;
@@ -2347,11 +2349,12 @@ static __net_init int devinet_init_net(struct net *net)
         }
 
 #ifdef CONFIG_SYSCTL
-        err = __devinet_sysctl_register(net, "all", all);
+        err = __devinet_sysctl_register(net, "all", NETCONFA_IFINDEX_ALL, all);
         if (err < 0)
                 goto err_reg_all;
 
-        err = __devinet_sysctl_register(net, "default", dflt);
+        err = __devinet_sysctl_register(net, "default",
+                                        NETCONFA_IFINDEX_DEFAULT, dflt);
         if (err < 0)
                 goto err_reg_dflt;
 
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index ef2ebeb89d0f..1b25daf8c7f1 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -509,6 +509,7 @@ static int rtentry_to_fib_config(struct net *net, int cmd, struct rtentry *rt,
                 if (!dev)
                         return -ENODEV;
                 cfg->fc_oif = dev->ifindex;
+                cfg->fc_table = l3mdev_fib_table(dev);
                 if (colon) {
                         struct in_ifaddr *ifa;
                         struct in_device *in_dev = __in_dev_get_rtnl(dev);
@@ -1027,7 +1028,7 @@ no_promotions:
                          * First of all, we scan fib_info list searching
                          * for stray nexthop entries, then ignite fib_flush.
                          */
-                        if (fib_sync_down_addr(dev_net(dev), ifa->ifa_local))
+                        if (fib_sync_down_addr(dev, ifa->ifa_local))
                                 fib_flush(dev_net(dev));
                 }
         }
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 539fa264e67d..e9f56225e53f 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -1057,6 +1057,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
         fi->fib_priority = cfg->fc_priority;
         fi->fib_prefsrc = cfg->fc_prefsrc;
         fi->fib_type = cfg->fc_type;
+        fi->fib_tb_id = cfg->fc_table;
 
         fi->fib_nhs = nhs;
         change_nexthops(fi) {
@@ -1337,18 +1338,21 @@ nla_put_failure:
  *   referring to it.
  * - device went down -> we must shutdown all nexthops going via it.
  */
-int fib_sync_down_addr(struct net *net, __be32 local)
+int fib_sync_down_addr(struct net_device *dev, __be32 local)
 {
         int ret = 0;
         unsigned int hash = fib_laddr_hashfn(local);
         struct hlist_head *head = &fib_info_laddrhash[hash];
+        struct net *net = dev_net(dev);
+        int tb_id = l3mdev_fib_table(dev);
         struct fib_info *fi;
 
         if (!fib_info_laddrhash || local == 0)
                 return 0;
 
         hlist_for_each_entry(fi, head, fib_lhash) {
-                if (!net_eq(fi->fib_net, net))
+                if (!net_eq(fi->fib_net, net) ||
+                    fi->fib_tb_id != tb_id)
                         continue;
                 if (fi->fib_prefsrc == local) {
                         fi->fib_flags |= RTNH_F_DEAD;
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index 4b351af3e67b..d6feabb03516 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -312,6 +312,7 @@ static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
         const struct iphdr *iph = ip_hdr(skb);
         struct rtable *rt;
+        struct net_device *dev = skb->dev;
 
         /* if ingress device is enslaved to an L3 master device pass the
          * skb to its handler for processing
@@ -341,7 +342,7 @@ static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
          */
         if (!skb_valid_dst(skb)) {
                 int err = ip_route_input_noref(skb, iph->daddr, iph->saddr,
-                                               iph->tos, skb->dev);
+                                               iph->tos, dev);
                 if (unlikely(err)) {
                         if (err == -EXDEV)
                                 __NET_INC_STATS(net, LINUX_MIB_IPRPFILTER);
@@ -370,7 +371,7 @@ static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
                 __IP_UPD_PO_STATS(net, IPSTATS_MIB_INBCAST, skb->len);
         } else if (skb->pkt_type == PACKET_BROADCAST ||
                    skb->pkt_type == PACKET_MULTICAST) {
-                struct in_device *in_dev = __in_dev_get_rcu(skb->dev);
+                struct in_device *in_dev = __in_dev_get_rcu(dev);
 
                 /* RFC 1122 3.3.6:
                  *
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index cc701fa70b12..5d7944f394d9 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -88,6 +88,7 @@ static int vti_rcv_cb(struct sk_buff *skb, int err)
         struct net_device *dev;
         struct pcpu_sw_netstats *tstats;
         struct xfrm_state *x;
+        struct xfrm_mode *inner_mode;
         struct ip_tunnel *tunnel = XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4;
         u32 orig_mark = skb->mark;
         int ret;
@@ -105,7 +106,19 @@ static int vti_rcv_cb(struct sk_buff *skb, int err)
         }
 
         x = xfrm_input_state(skb);
-        family = x->inner_mode->afinfo->family;
+
+        inner_mode = x->inner_mode;
+
+        if (x->sel.family == AF_UNSPEC) {
+                inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
+                if (inner_mode == NULL) {
+                        XFRM_INC_STATS(dev_net(skb->dev),
+                                       LINUX_MIB_XFRMINSTATEMODEERROR);
+                        return -EINVAL;
+                }
+        }
+
+        family = inner_mode->afinfo->family;
 
         skb->mark = be32_to_cpu(tunnel->parms.i_key);
         ret = xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family);
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 26253328d227..a87bcd2d4a94 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -2076,6 +2076,7 @@ static int __ipmr_fill_mroute(struct mr_table *mrt, struct sk_buff *skb,
         struct rta_mfc_stats mfcs;
         struct nlattr *mp_attr;
         struct rtnexthop *nhp;
+        unsigned long lastuse;
         int ct;
 
         /* If cache is unresolved, don't try to parse IIF and OIF */
@@ -2105,12 +2106,14 @@ static int __ipmr_fill_mroute(struct mr_table *mrt, struct sk_buff *skb,
 
         nla_nest_end(skb, mp_attr);
 
+        lastuse = READ_ONCE(c->mfc_un.res.lastuse);
+        lastuse = time_after_eq(jiffies, lastuse) ? jiffies - lastuse : 0;
+
         mfcs.mfcs_packets = c->mfc_un.res.pkt;
         mfcs.mfcs_bytes = c->mfc_un.res.bytes;
         mfcs.mfcs_wrong_if = c->mfc_un.res.wrong_if;
         if (nla_put_64bit(skb, RTA_MFC_STATS, sizeof(mfcs), &mfcs, RTA_PAD) ||
-            nla_put_u64_64bit(skb, RTA_EXPIRES,
-                              jiffies_to_clock_t(c->mfc_un.res.lastuse),
+            nla_put_u64_64bit(skb, RTA_EXPIRES, jiffies_to_clock_t(lastuse),
                               RTA_PAD))
                 return -EMSGSIZE;
 
diff --git a/net/ipv4/netfilter/nft_chain_route_ipv4.c b/net/ipv4/netfilter/nft_chain_route_ipv4.c
index 2375b0a8be46..30493beb611a 100644
--- a/net/ipv4/netfilter/nft_chain_route_ipv4.c
+++ b/net/ipv4/netfilter/nft_chain_route_ipv4.c
@@ -31,6 +31,7 @@ static unsigned int nf_route_table_hook(void *priv,
         __be32 saddr, daddr;
         u_int8_t tos;
         const struct iphdr *iph;
+        int err;
 
         /* root is playing with raw sockets. */
         if (skb->len < sizeof(struct iphdr) ||
@@ -46,15 +47,17 @@ static unsigned int nf_route_table_hook(void *priv,
         tos = iph->tos;
 
         ret = nft_do_chain(&pkt, priv);
-        if (ret != NF_DROP && ret != NF_QUEUE) {
+        if (ret != NF_DROP && ret != NF_STOLEN) {
                 iph = ip_hdr(skb);
 
                 if (iph->saddr != saddr ||
                     iph->daddr != daddr ||
                     skb->mark != mark ||
-                    iph->tos != tos)
-                        if (ip_route_me_harder(state->net, skb, RTN_UNSPEC))
-                                ret = NF_DROP;
+                    iph->tos != tos) {
+                        err = ip_route_me_harder(state->net, skb, RTN_UNSPEC);
+                        if (err < 0)
+                                ret = NF_DROP_ERR(err);
+                }
         }
         return ret;
 }
diff --git a/net/ipv4/netfilter/nft_reject_ipv4.c b/net/ipv4/netfilter/nft_reject_ipv4.c
index c24f41c816b3..2c2553b9026c 100644
--- a/net/ipv4/netfilter/nft_reject_ipv4.c
+++ b/net/ipv4/netfilter/nft_reject_ipv4.c
@@ -46,6 +46,7 @@ static const struct nft_expr_ops nft_reject_ipv4_ops = {
         .eval           = nft_reject_ipv4_eval,
         .init           = nft_reject_init,
         .dump           = nft_reject_dump,
+        .validate       = nft_reject_validate,
 };
 
 static struct nft_expr_type nft_reject_ipv4_type __read_mostly = {
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index a1f2830d8110..b5b47a26d4ec 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -476,12 +476,18 @@ u32 ip_idents_reserve(u32 hash, int segs)
         atomic_t *p_id = ip_idents + hash % IP_IDENTS_SZ;
         u32 old = ACCESS_ONCE(*p_tstamp);
         u32 now = (u32)jiffies;
-        u32 delta = 0;
+        u32 new, delta = 0;
 
         if (old != now && cmpxchg(p_tstamp, old, now) == old)
                 delta = prandom_u32_max(now - old);
 
-        return atomic_add_return(segs + delta, p_id) - segs;
+        /* Do not use atomic_add_return() as it makes UBSAN unhappy */
+        do {
+                old = (u32)atomic_read(p_id);
+                new = old + delta + segs;
+        } while (atomic_cmpxchg(p_id, old, new) != old);
+
+        return new - segs;
 }
 EXPORT_SYMBOL(ip_idents_reserve);
 
diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
index 54d9f9b0120f..4e777a3243f9 100644
--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -150,6 +150,7 @@ void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb)
         tp->segs_in = 0;
         tcp_segs_in(tp, skb);
         __skb_pull(skb, tcp_hdrlen(skb));
+        sk_forced_mem_schedule(sk, skb->truesize);
         skb_set_owner_r(skb, sk);
 
         TCP_SKB_CB(skb)->seq++;
@@ -226,6 +227,7 @@ static struct sock *tcp_fastopen_create_child(struct sock *sk,
         tcp_fastopen_add_skb(child, skb);
 
         tcp_rsk(req)->rcv_nxt = tp->rcv_nxt;
+        tp->rcv_wup = tp->rcv_nxt;
         /* tcp_conn_request() is sending the SYNACK,
          * and queues the child into listener accept queue.
          */
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 3ebf45b38bc3..08323bd95f2a 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5885,7 +5885,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
                  * so release it.
                  */
                 if (req) {
-                        tp->total_retrans = req->num_retrans;
+                        inet_csk(sk)->icsk_retransmits = 0;
                         reqsk_fastopen_remove(sk, req, false);
                 } else {
                         /* Make sure socket is routed, for correct metrics. */
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index bdaef7fd6e47..5288cec4a2b2 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2605,7 +2605,8 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
          * copying overhead: fragmentation, tunneling, mangling etc.
          */
         if (atomic_read(&sk->sk_wmem_alloc) >
-            min(sk->sk_wmem_queued + (sk->sk_wmem_queued >> 2), sk->sk_sndbuf))
+            min_t(u32, sk->sk_wmem_queued + (sk->sk_wmem_queued >> 2),
+                  sk->sk_sndbuf))
                 return -EAGAIN;
 
         if (skb_still_in_host_queue(sk, skb))
@@ -2830,7 +2831,7 @@ begin_fwd:
                 if (tcp_retransmit_skb(sk, skb, segs))
                         return;
 
-                NET_INC_STATS(sock_net(sk), mib_idx);
+                NET_ADD_STATS(sock_net(sk), mib_idx, tcp_skb_pcount(skb));
 
                 if (tcp_in_cwnd_reduction(sk))
                         tp->prr_out += tcp_skb_pcount(skb);
@@ -3567,6 +3568,8 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req)
         if (!res) {
                 __TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS);
                 __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
+                if (unlikely(tcp_passive_fastopen(sk)))
+                        tcp_sk(sk)->total_retrans++;
         }
         return res;
 }
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index d84930b2dd95..f712b411f6ed 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -384,6 +384,7 @@ static void tcp_fastopen_synack_timer(struct sock *sk)
          */
         inet_rtx_syn_ack(sk, req);
         req->num_timeout++;
+        icsk->icsk_retransmits++;
         inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
                           TCP_TIMEOUT_INIT << req->num_timeout, TCP_RTO_MAX);
 }
diff --git a/net/ipv4/tcp_yeah.c b/net/ipv4/tcp_yeah.c
index 028eb046ea40..9c5fc973267f 100644
--- a/net/ipv4/tcp_yeah.c
+++ b/net/ipv4/tcp_yeah.c
@@ -76,7 +76,7 @@ static void tcp_yeah_cong_avoid(struct sock *sk, u32 ack, u32 acked)
         if (!tcp_is_cwnd_limited(sk))
                 return;
 
-        if (tp->snd_cwnd <= tp->snd_ssthresh)
+        if (tcp_in_slow_start(tp))
                 tcp_slow_start(tp, acked);
 
         else if (!yeah->doing_reno_now) {
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index b644a23c3db0..41f5b504a782 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -29,7 +29,7 @@ static struct dst_entry *__xfrm4_dst_lookup(struct net *net, struct flowi4 *fl4,
         memset(fl4, 0, sizeof(*fl4));
         fl4->daddr = daddr->a4;
         fl4->flowi4_tos = tos;
-        fl4->flowi4_oif = oif;
+        fl4->flowi4_oif = l3mdev_master_ifindex_by_index(net, oif);
         if (saddr)
                 fl4->saddr = saddr->a4;
 
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index f418d2eaeddd..2f1f5d439788 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -778,7 +778,14 @@ static int addrconf_fixup_forwarding(struct ctl_table *table, int *p, int newf)
         }
 
         if (p == &net->ipv6.devconf_all->forwarding) {
+                int old_dflt = net->ipv6.devconf_dflt->forwarding;
+
                 net->ipv6.devconf_dflt->forwarding = newf;
+                if ((!newf) ^ (!old_dflt))
+                        inet6_netconf_notify_devconf(net, NETCONFA_FORWARDING,
+                                                     NETCONFA_IFINDEX_DEFAULT,
+                                                     net->ipv6.devconf_dflt);
+
                 addrconf_forward_change(net, newf);
                 if ((!newf) ^ (!old))
                         inet6_netconf_notify_devconf(net, NETCONFA_FORWARDING,
@@ -1941,6 +1948,7 @@ errdad:
         spin_unlock_bh(&ifp->lock);
 
         addrconf_mod_dad_work(ifp, 0);
+        in6_ifa_put(ifp);
 }
 
 /* Join to solicited addr multicast group.
@@ -3850,6 +3858,7 @@ static void addrconf_dad_work(struct work_struct *w)
                 addrconf_dad_begin(ifp);
                 goto out;
         } else if (action == DAD_ABORT) {
+                in6_ifa_hold(ifp);
                 addrconf_dad_stop(ifp, 1);
                 if (disable_ipv6)
                         addrconf_ifdown(idev->dev, 0);
@@ -6025,7 +6034,7 @@ static const struct ctl_table addrconf_sysctl[] = {
 static int __addrconf_sysctl_register(struct net *net, char *dev_name,
                 struct inet6_dev *idev, struct ipv6_devconf *p)
 {
-        int i;
+        int i, ifindex;
         struct ctl_table *table;
         char path[sizeof("net/ipv6/conf/") + IFNAMSIZ];
 
@@ -6045,6 +6054,13 @@ static int __addrconf_sysctl_register(struct net *net, char *dev_name,
         if (!p->sysctl_header)
                 goto free;
 
+        if (!strcmp(dev_name, "all"))
+                ifindex = NETCONFA_IFINDEX_ALL;
+        else if (!strcmp(dev_name, "default"))
+                ifindex = NETCONFA_IFINDEX_DEFAULT;
+        else
+                ifindex = idev->dev->ifindex;
+        inet6_netconf_notify_devconf(net, NETCONFA_ALL, ifindex, p);
         return 0;
 
 free:
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 7b0481e3738f..888543debe4e 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1174,6 +1174,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
                 encap_limit = t->parms.encap_limit;
 
         memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6));
+        fl6.flowi6_proto = IPPROTO_IPIP;
 
         dsfield = ipv4_get_dsfield(iph);
 
@@ -1233,6 +1234,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
                 encap_limit = t->parms.encap_limit;
 
         memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6));
+        fl6.flowi6_proto = IPPROTO_IPV6;
 
         dsfield = ipv6_get_dsfield(ipv6h);
         if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS)
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index d90a11f14040..5bd3afdcc771 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -321,11 +321,9 @@ static int vti6_rcv(struct sk_buff *skb)
                         goto discard;
                 }
 
-                XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = t;
-
                 rcu_read_unlock();
 
-                return xfrm6_rcv(skb);
+                return xfrm6_rcv_tnl(skb, t);
         }
         rcu_read_unlock();
         return -EINVAL;
@@ -340,6 +338,7 @@ static int vti6_rcv_cb(struct sk_buff *skb, int err)
         struct net_device *dev;
         struct pcpu_sw_netstats *tstats;
         struct xfrm_state *x;
+        struct xfrm_mode *inner_mode;
         struct ip6_tnl *t = XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6;
         u32 orig_mark = skb->mark;
         int ret;
@@ -357,7 +356,19 @@ static int vti6_rcv_cb(struct sk_buff *skb, int err)
         }
 
         x = xfrm_input_state(skb);
-        family = x->inner_mode->afinfo->family;
+
+        inner_mode = x->inner_mode;
+
+        if (x->sel.family == AF_UNSPEC) {
+                inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol);
+                if (inner_mode == NULL) {
+                        XFRM_INC_STATS(dev_net(skb->dev),
+                                       LINUX_MIB_XFRMINSTATEMODEERROR);
+                        return -EINVAL;
+                }
+        }
+
+        family = inner_mode->afinfo->family;
 
         skb->mark = be32_to_cpu(t->parms.i_key);
         ret = xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family);
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 6122f9c5cc49..fccb5dd91902 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -2239,6 +2239,7 @@ static int __ip6mr_fill_mroute(struct mr6_table *mrt, struct sk_buff *skb,
         struct rta_mfc_stats mfcs;
         struct nlattr *mp_attr;
         struct rtnexthop *nhp;
+        unsigned long lastuse;
         int ct;
 
         /* If cache is unresolved, don't try to parse IIF and OIF */
@@ -2269,12 +2270,14 @@ static int __ip6mr_fill_mroute(struct mr6_table *mrt, struct sk_buff *skb,
 
         nla_nest_end(skb, mp_attr);
 
+        lastuse = READ_ONCE(c->mfc_un.res.lastuse);
+        lastuse = time_after_eq(jiffies, lastuse) ? jiffies - lastuse : 0;
+
         mfcs.mfcs_packets = c->mfc_un.res.pkt;
         mfcs.mfcs_bytes = c->mfc_un.res.bytes;
         mfcs.mfcs_wrong_if = c->mfc_un.res.wrong_if;
         if (nla_put_64bit(skb, RTA_MFC_STATS, sizeof(mfcs), &mfcs, RTA_PAD) ||
-            nla_put_u64_64bit(skb, RTA_EXPIRES,
-                              jiffies_to_clock_t(c->mfc_un.res.lastuse),
+            nla_put_u64_64bit(skb, RTA_EXPIRES, jiffies_to_clock_t(lastuse),
                               RTA_PAD))
                 return -EMSGSIZE;
 
diff --git a/net/ipv6/netfilter/nft_chain_route_ipv6.c b/net/ipv6/netfilter/nft_chain_route_ipv6.c
index 71d995ff3108..2535223ba956 100644
--- a/net/ipv6/netfilter/nft_chain_route_ipv6.c
+++ b/net/ipv6/netfilter/nft_chain_route_ipv6.c
@@ -31,6 +31,7 @@ static unsigned int nf_route_table_hook(void *priv,
         struct in6_addr saddr, daddr;
         u_int8_t hop_limit;
         u32 mark, flowlabel;
+        int err;
 
         /* malformed packet, drop it */
         if (nft_set_pktinfo_ipv6(&pkt, skb, state) < 0)
@@ -46,13 +47,16 @@ static unsigned int nf_route_table_hook(void *priv,
         flowlabel = *((u32 *)ipv6_hdr(skb));
 
         ret = nft_do_chain(&pkt, priv);
-        if (ret != NF_DROP && ret != NF_QUEUE &&
+        if (ret != NF_DROP && ret != NF_STOLEN &&
             (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) ||
              memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) ||
              skb->mark != mark ||
              ipv6_hdr(skb)->hop_limit != hop_limit ||
-             flowlabel != *((u_int32_t *)ipv6_hdr(skb))))
-                return ip6_route_me_harder(state->net, skb) == 0 ? ret : NF_DROP;
+             flowlabel != *((u_int32_t *)ipv6_hdr(skb)))) {
+                err = ip6_route_me_harder(state->net, skb);
+                if (err < 0)
+                        ret = NF_DROP_ERR(err);
+        }
 
         return ret;
 }
diff --git a/net/ipv6/netfilter/nft_reject_ipv6.c b/net/ipv6/netfilter/nft_reject_ipv6.c
index 533cd5719c59..92bda9908bb9 100644
--- a/net/ipv6/netfilter/nft_reject_ipv6.c
+++ b/net/ipv6/netfilter/nft_reject_ipv6.c
@@ -47,6 +47,7 @@ static const struct nft_expr_ops nft_reject_ipv6_ops = {
         .eval           = nft_reject_ipv6_eval,
         .init           = nft_reject_init,
         .dump           = nft_reject_dump,
+        .validate       = nft_reject_validate,
 };
 
 static struct nft_expr_type nft_reject_ipv6_type __read_mostly = {
diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
index 0900352c924c..0e983b694ee8 100644
--- a/net/ipv6/ping.c
+++ b/net/ipv6/ping.c
@@ -126,8 +126,10 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
         rt = (struct rt6_info *) dst;
 
         np = inet6_sk(sk);
-        if (!np)
-                return -EBADF;
+        if (!np) {
+                err = -EBADF;
+                goto dst_err_out;
+        }
 
         if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr))
                 fl6.flowi6_oif = np->mcast_oif;
@@ -163,6 +165,9 @@ static int ping_v6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
         }
         release_sock(sk);
 
+dst_err_out:
+        dst_release(dst);
+
         if (err)
                 return err;
 
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 49817555449e..e3a224b97905 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1986,9 +1986,18 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg)
                         if (!(gwa_type & IPV6_ADDR_UNICAST))
                                 goto out;
 
-                        if (cfg->fc_table)
+                        if (cfg->fc_table) {
                                 grt = ip6_nh_lookup_table(net, cfg, gw_addr);
 
+                                if (grt) {
+                                        if (grt->rt6i_flags & RTF_GATEWAY ||
+                                            (dev && dev != grt->dst.dev)) {
+                                                ip6_rt_put(grt);
+                                                grt = NULL;
+                                        }
+                                }
+                        }
+
                         if (!grt)
                                 grt = rt6_lookup(net, gw_addr, NULL,
                                                  cfg->fc_ifindex, 1);
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index 0eaab1fa6be5..b5789562aded 100644
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -21,8 +21,10 @@ int xfrm6_extract_input(struct xfrm_state *x, struct sk_buff *skb)
         return xfrm6_extract_header(skb);
 }
 
-int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi)
+int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
+                  struct ip6_tnl *t)
 {
+        XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = t;
         XFRM_SPI_SKB_CB(skb)->family = AF_INET6;
         XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
         return xfrm_input(skb, nexthdr, spi, 0);
@@ -48,13 +50,18 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
         return -1;
 }
 
-int xfrm6_rcv(struct sk_buff *skb)
+int xfrm6_rcv_tnl(struct sk_buff *skb, struct ip6_tnl *t)
 {
         return xfrm6_rcv_spi(skb, skb_network_header(skb)[IP6CB(skb)->nhoff],
-                             0);
+                             0, t);
 }
-EXPORT_SYMBOL(xfrm6_rcv);
+EXPORT_SYMBOL(xfrm6_rcv_tnl);
 
+int xfrm6_rcv(struct sk_buff *skb)
+{
+        return xfrm6_rcv_tnl(skb, NULL);
+}
+EXPORT_SYMBOL(xfrm6_rcv);
 int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
                      xfrm_address_t *saddr, u8 proto)
 {
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 6cc97003e4a9..70a86adad875 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -36,7 +36,7 @@ static struct dst_entry *xfrm6_dst_lookup(struct net *net, int tos, int oif,
         int err;
 
         memset(&fl6, 0, sizeof(fl6));
-        fl6.flowi6_oif = oif;
+        fl6.flowi6_oif = l3mdev_master_ifindex_by_index(net, oif);
         fl6.flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF;
         memcpy(&fl6.daddr, daddr, sizeof(fl6.daddr));
         if (saddr)
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 5743044cd660..e1c0bbe7996c 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -236,7 +236,7 @@ static int xfrm6_tunnel_rcv(struct sk_buff *skb)
         __be32 spi;
 
         spi = xfrm6_tunnel_spi_lookup(net, (const xfrm_address_t *)&iph->saddr);
-        return xfrm6_rcv_spi(skb, IPPROTO_IPV6, spi);
+        return xfrm6_rcv_spi(skb, IPPROTO_IPV6, spi, NULL);
 }
 
 static int xfrm6_tunnel_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index 8d2f7c9b491d..ccc244406fb9 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -832,7 +832,7 @@ static int irda_accept(struct socket *sock, struct socket *newsock, int flags)
         struct sock *sk = sock->sk;
         struct irda_sock *new, *self = irda_sk(sk);
         struct sock *newsk;
-        struct sk_buff *skb;
+        struct sk_buff *skb = NULL;
         int err;
 
         err = irda_create(sock_net(sk), newsock, sk->sk_protocol, 0);
@@ -900,7 +900,6 @@ static int irda_accept(struct socket *sock, struct socket *newsock, int flags)
         err = -EPERM; /* value does not seem to make sense. -arnd */
         if (!new->tsap) {
                 pr_debug("%s(), dup failed!\n", __func__);
-                kfree_skb(skb);
                 goto out;
         }
 
@@ -919,7 +918,6 @@ static int irda_accept(struct socket *sock, struct socket *newsock, int flags)
         /* Clean up the original one to keep it in listen state */
         irttp_listen(self->tsap);
 
-        kfree_skb(skb);
         sk->sk_ack_backlog--;
 
         newsock->state = SS_CONNECTED;
@@ -927,6 +925,7 @@ static int irda_accept(struct socket *sock, struct socket *newsock, int flags)
         irda_connect_response(new);
         err = 0;
 out:
+        kfree_skb(skb);
         release_sock(sk);
         return err;
 }
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index cb39e05b166c..411693288648 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -13,6 +13,7 @@
 #include <linux/socket.h>
 #include <linux/uaccess.h>
 #include <linux/workqueue.h>
+#include <linux/syscalls.h>
 #include <net/kcm.h>
 #include <net/netns/generic.h>
 #include <net/sock.h>
@@ -2029,7 +2030,7 @@ static int kcm_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
                         if (copy_to_user((void __user *)arg, &info,
                                          sizeof(info))) {
                                 err = -EFAULT;
-                                sock_release(newsock);
+                                sys_close(info.fd);
                         }
                 }
 
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 1e40dacaa137..a2ed3bda4ddc 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1855,6 +1855,9 @@ static __net_exit void l2tp_exit_net(struct net *net)
                 (void)l2tp_tunnel_delete(tunnel);
         }
         rcu_read_unlock_bh();
+
+        flush_workqueue(l2tp_wq);
+        rcu_barrier();
 }
 
 static struct pernet_operations l2tp_net_ops = {
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index a9aff6079c42..afa94687d5e1 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -261,10 +261,16 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
                 .timeout = timeout,
                 .ssn = start_seq_num,
         };
-
         int i, ret = -EOPNOTSUPP;
         u16 status = WLAN_STATUS_REQUEST_DECLINED;
 
+        if (tid >= IEEE80211_FIRST_TSPEC_TSID) {
+                ht_dbg(sta->sdata,
+                       "STA %pM requests BA session on unsupported tid %d\n",
+                       sta->sta.addr, tid);
+                goto end_no_lock;
+        }
+
         if (!sta->sta.ht_cap.ht_supported) {
                 ht_dbg(sta->sdata,
                        "STA %pM erroneously requests BA session on tid %d w/o QoS\n",
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index 5650c46bf91a..45319cc01121 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -584,6 +584,9 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid,
             ieee80211_hw_check(&local->hw, TX_AMPDU_SETUP_IN_HW))
                 return -EINVAL;
 
+        if (WARN_ON(tid >= IEEE80211_FIRST_TSPEC_TSID))
+                return -EINVAL;
+
         ht_dbg(sdata, "Open BA session requested for %pM tid %u\n",
                pubsta->addr, tid);
 
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 8f9c3bde835f..faccef977670 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -746,6 +746,7 @@ static void hwmp_perr_frame_process(struct ieee80211_sub_if_data *sdata,
                 sta = next_hop_deref_protected(mpath);
                 if (mpath->flags & MESH_PATH_ACTIVE &&
                     ether_addr_equal(ta, sta->sta.addr) &&
+                    !(mpath->flags & MESH_PATH_FIXED) &&
                     (!(mpath->flags & MESH_PATH_SN_VALID) ||
                     SN_GT(target_sn, mpath->sn)  || target_sn == 0)) {
                         mpath->flags &= ~MESH_PATH_ACTIVE;
@@ -1012,7 +1013,7 @@ void mesh_path_start_discovery(struct ieee80211_sub_if_data *sdata)
                 goto enddiscovery;
 
         spin_lock_bh(&mpath->state_lock);
-        if (mpath->flags & MESH_PATH_DELETED) {
+        if (mpath->flags & (MESH_PATH_DELETED | MESH_PATH_FIXED)) {
                 spin_unlock_bh(&mpath->state_lock);
                 goto enddiscovery;
         }
diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index 6db2ddfa0695..f0e6175a9821 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -826,7 +826,7 @@ void mesh_path_fix_nexthop(struct mesh_path *mpath, struct sta_info *next_hop)
         mpath->metric = 0;
         mpath->hop_count = 0;
         mpath->exp_time = 0;
-        mpath->flags |= MESH_PATH_FIXED;
+        mpath->flags = MESH_PATH_FIXED | MESH_PATH_SN_VALID;
         mesh_path_activate(mpath);
         spin_unlock_bh(&mpath->state_lock);
         mesh_path_tx_pending(mpath);
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 76b737dcc36f..aa58df80ede0 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -1616,7 +1616,6 @@ ieee80211_sta_ps_deliver_response(struct sta_info *sta,
 
                 sta_info_recalc_tim(sta);
         } else {
-                unsigned long tids = sta->txq_buffered_tids & driver_release_tids;
                 int tid;
 
                 /*
@@ -1648,7 +1647,8 @@ ieee80211_sta_ps_deliver_response(struct sta_info *sta,
                 for (tid = 0; tid < ARRAY_SIZE(sta->sta.txq); tid++) {
                         struct txq_info *txqi = to_txq_info(sta->sta.txq[tid]);
 
-                        if (!(tids & BIT(tid)) || txqi->tin.backlog_packets)
+                        if (!(driver_release_tids & BIT(tid)) ||
+                            txqi->tin.backlog_packets)
                                 continue;
 
                         sta_info_recalc_tim(sta);
diff --git a/net/mac80211/tdls.c b/net/mac80211/tdls.c
index b5d28f14b9cf..afca7d103684 100644
--- a/net/mac80211/tdls.c
+++ b/net/mac80211/tdls.c
@@ -333,10 +333,11 @@ ieee80211_tdls_chandef_vht_upgrade(struct ieee80211_sub_if_data *sdata,
         if (!uc.center_freq1)
                 return;
 
-        /* proceed to downgrade the chandef until usable or the same */
+        /* proceed to downgrade the chandef until usable or the same as AP BW */
         while (uc.width > max_width ||
-               !cfg80211_reg_can_beacon_relax(sdata->local->hw.wiphy, &uc,
-                                              sdata->wdev.iftype))
+               (uc.width > sta->tdls_chandef.width &&
+                !cfg80211_reg_can_beacon_relax(sdata->local->hw.wiphy, &uc,
+                                               sdata->wdev.iftype)))
                 ieee80211_chandef_downgrade(&uc);
 
         if (!cfg80211_chandef_identical(&uc, &sta->tdls_chandef)) {
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 502396694f47..18b285e06bc8 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -796,6 +796,36 @@ static __le16 ieee80211_tx_next_seq(struct sta_info *sta, int tid)
         return ret;
 }
 
+static struct txq_info *ieee80211_get_txq(struct ieee80211_local *local,
+                                          struct ieee80211_vif *vif,
+                                          struct ieee80211_sta *pubsta,
+                                          struct sk_buff *skb)
+{
+        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
+        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
+        struct ieee80211_txq *txq = NULL;
+
+        if ((info->flags & IEEE80211_TX_CTL_SEND_AFTER_DTIM) ||
+            (info->control.flags & IEEE80211_TX_CTRL_PS_RESPONSE))
+                return NULL;
+
+        if (!ieee80211_is_data(hdr->frame_control))
+                return NULL;
+
+        if (pubsta) {
+                u8 tid = skb->priority & IEEE80211_QOS_CTL_TID_MASK;
+
+                txq = pubsta->txq[tid];
+        } else if (vif) {
+                txq = vif->txq;
+        }
+
+        if (!txq)
+                return NULL;
+
+        return to_txq_info(txq);
+}
+
 static ieee80211_tx_result debug_noinline
 ieee80211_tx_h_sequence(struct ieee80211_tx_data *tx)
 {
@@ -853,7 +883,8 @@ ieee80211_tx_h_sequence(struct ieee80211_tx_data *tx)
         tid = *qc & IEEE80211_QOS_CTL_TID_MASK;
         tx->sta->tx_stats.msdu[tid]++;
 
-        if (!tx->sta->sta.txq[0])
+        if (!ieee80211_get_txq(tx->local, info->control.vif, &tx->sta->sta,
+                               tx->skb))
                 hdr->seq_ctrl = ieee80211_tx_next_seq(tx->sta, tid);
 
         return TX_CONTINUE;
@@ -1243,36 +1274,6 @@ ieee80211_tx_prepare(struct ieee80211_sub_if_data *sdata,
         return TX_CONTINUE;
 }
 
-static struct txq_info *ieee80211_get_txq(struct ieee80211_local *local,
-                                          struct ieee80211_vif *vif,
-                                          struct ieee80211_sta *pubsta,
-                                          struct sk_buff *skb)
-{
-        struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
-        struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
-        struct ieee80211_txq *txq = NULL;
-
-        if ((info->flags & IEEE80211_TX_CTL_SEND_AFTER_DTIM) ||
-            (info->control.flags & IEEE80211_TX_CTRL_PS_RESPONSE))
-                return NULL;
-
-        if (!ieee80211_is_data(hdr->frame_control))
-                return NULL;
-
-        if (pubsta) {
-                u8 tid = skb->priority & IEEE80211_QOS_CTL_TID_MASK;
-
-                txq = pubsta->txq[tid];
-        } else if (vif) {
-                txq = vif->txq;
-        }
-
-        if (!txq)
-                return NULL;
-
-        return to_txq_info(txq);
-}
-
 static void ieee80211_set_skb_enqueue_time(struct sk_buff *skb)
 {
         IEEE80211_SKB_CB(skb)->control.enqueue_time = codel_get_time();
@@ -1514,8 +1515,12 @@ out:
         spin_unlock_bh(&fq->lock);
 
         if (skb && skb_has_frag_list(skb) &&
-            !ieee80211_hw_check(&local->hw, TX_FRAG_LIST))
-                skb_linearize(skb);
+            !ieee80211_hw_check(&local->hw, TX_FRAG_LIST)) {
+                if (skb_linearize(skb)) {
+                        ieee80211_free_txskb(&local->hw, skb);
+                        return NULL;
+                }
+        }
 
         return skb;
 }
@@ -3264,7 +3269,7 @@ static bool ieee80211_xmit_fast(struct ieee80211_sub_if_data *sdata,
 
         if (hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_QOS_DATA)) {
                 *ieee80211_get_qos_ctl(hdr) = tid;
-                if (!sta->sta.txq[0])
+                if (!ieee80211_get_txq(local, &sdata->vif, &sta->sta, skb))
                         hdr->seq_ctrl = ieee80211_tx_next_seq(sta, tid);
         } else {
                 info->flags |= IEEE80211_TX_CTL_ASSIGN_SEQ;
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index dd2c43abf9e2..9934b0c93c1e 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1035,9 +1035,9 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
         if (IS_ERR(ct))
                 return (struct nf_conntrack_tuple_hash *)ct;
 
-        if (tmpl && nfct_synproxy(tmpl)) {
-                nfct_seqadj_ext_add(ct);
-                nfct_synproxy_ext_add(ct);
+        if (!nf_ct_add_synproxy(ct, tmpl)) {
+                nf_conntrack_free(ct);
+                return ERR_PTR(-ENOMEM);
         }
 
         timeout_ext = tmpl ? nf_ct_timeout_find(tmpl) : NULL;
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index de31818417b8..ecee105bbada 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -441,7 +441,8 @@ nf_nat_setup_info(struct nf_conn *ct,
                         ct->status |= IPS_DST_NAT;
 
                 if (nfct_help(ct))
-                        nfct_seqadj_ext_add(ct);
+                        if (!nfct_seqadj_ext_add(ct))
+                                return NF_DROP;
         }
 
         if (maniptype == NF_NAT_MANIP_SRC) {
@@ -807,7 +808,7 @@ nfnetlink_parse_nat_setup(struct nf_conn *ct,
         if (err < 0)
                 return err;
 
-        return nf_nat_setup_info(ct, &range, manip);
+        return nf_nat_setup_info(ct, &range, manip) == NF_DROP ? -ENOMEM : 0;
 }
 #else
 static int
diff --git a/net/netfilter/nf_tables_netdev.c b/net/netfilter/nf_tables_netdev.c
index 5eefe4a355c6..75d696f11045 100644
--- a/net/netfilter/nf_tables_netdev.c
+++ b/net/netfilter/nf_tables_netdev.c
@@ -30,7 +30,6 @@ nft_netdev_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
         if (!iph)
                 return;
 
-        iph = ip_hdr(skb);
         if (iph->ihl < 5 || iph->version != 4)
                 return;
 
diff --git a/net/netfilter/nf_tables_trace.c b/net/netfilter/nf_tables_trace.c
index 39eb1cc62e91..fa24a5b398b1 100644
--- a/net/netfilter/nf_tables_trace.c
+++ b/net/netfilter/nf_tables_trace.c
@@ -237,7 +237,7 @@ void nft_trace_notify(struct nft_traceinfo *info)
                 break;
         case NFT_TRACETYPE_POLICY:
                 if (nla_put_be32(skb, NFTA_TRACE_POLICY,
-                                 info->basechain->policy))
+                                 htonl(info->basechain->policy)))
                         goto nla_put_failure;
                 break;
         }
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index 70eb2f6a3b01..d44d89b56127 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -343,12 +343,12 @@ static int nfnl_acct_del(struct net *net, struct sock *nfnl,
                          struct sk_buff *skb, const struct nlmsghdr *nlh,
                          const struct nlattr * const tb[])
 {
-        char *acct_name;
-        struct nf_acct *cur;
+        struct nf_acct *cur, *tmp;
         int ret = -ENOENT;
+        char *acct_name;
 
         if (!tb[NFACCT_NAME]) {
-                list_for_each_entry(cur, &net->nfnl_acct_list, head)
+                list_for_each_entry_safe(cur, tmp, &net->nfnl_acct_list, head)
                         nfnl_acct_try_del(cur);
 
                 return 0;
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 68216cdc7083..139e0867e56e 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -98,31 +98,28 @@ static int cttimeout_new_timeout(struct net *net, struct sock *ctnl,
                 break;
         }
 
-        l4proto = nf_ct_l4proto_find_get(l3num, l4num);
-
-        /* This protocol is not supportted, skip. */
-        if (l4proto->l4proto != l4num) {
-                ret = -EOPNOTSUPP;
-                goto err_proto_put;
-        }
-
         if (matching) {
                 if (nlh->nlmsg_flags & NLM_F_REPLACE) {
                         /* You cannot replace one timeout policy by another of
                          * different kind, sorry.
                          */
                         if (matching->l3num != l3num ||
-                            matching->l4proto->l4proto != l4num) {
-                                ret = -EINVAL;
-                                goto err_proto_put;
-                        }
-
-                        ret = ctnl_timeout_parse_policy(&matching->data,
-                                                        l4proto, net,
-                                                        cda[CTA_TIMEOUT_DATA]);
-                        return ret;
+                            matching->l4proto->l4proto != l4num)
+                                return -EINVAL;
+
+                        return ctnl_timeout_parse_policy(&matching->data,
+                                                         matching->l4proto, net,
+                                                         cda[CTA_TIMEOUT_DATA]);
                 }
-                ret = -EBUSY;
+
+                return -EBUSY;
+        }
+
+        l4proto = nf_ct_l4proto_find_get(l3num, l4num);
+
+        /* This protocol is not supportted, skip. */
+        if (l4proto->l4proto != l4num) {
+                ret = -EOPNOTSUPP;
                 goto err_proto_put;
         }
 
@@ -305,7 +302,16 @@ static void ctnl_untimeout(struct net *net, struct ctnl_timeout *timeout)
         const struct hlist_nulls_node *nn;
         unsigned int last_hsize;
         spinlock_t *lock;
-        int i;
+        int i, cpu;
+
+        for_each_possible_cpu(cpu) {
+                struct ct_pcpu *pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu);
+
+                spin_lock_bh(&pcpu->lock);
+                hlist_nulls_for_each_entry(h, nn, &pcpu->unconfirmed, hnnode)
+                        untimeout(h, timeout);
+                spin_unlock_bh(&pcpu->lock);
+        }
 
         local_bh_disable();
 restart:
@@ -350,12 +356,13 @@ static int cttimeout_del_timeout(struct net *net, struct sock *ctnl,
                                  const struct nlmsghdr *nlh,
                                  const struct nlattr * const cda[])
 {
-        struct ctnl_timeout *cur;
+        struct ctnl_timeout *cur, *tmp;
         int ret = -ENOENT;
         char *name;
 
         if (!cda[CTA_TIMEOUT_NAME]) {
-                list_for_each_entry(cur, &net->nfct_timeout_list, head)
+                list_for_each_entry_safe(cur, tmp, &net->nfct_timeout_list,
+                                         head)
                         ctnl_timeout_try_del(net, cur);
 
                 return 0;
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 2863f3493038..8a6bc7630912 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -291,10 +291,16 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
 }
 EXPORT_SYMBOL_GPL(nft_meta_get_init);
 
-static int nft_meta_set_init_pkttype(const struct nft_ctx *ctx)
+int nft_meta_set_validate(const struct nft_ctx *ctx,
+                          const struct nft_expr *expr,
+                          const struct nft_data **data)
 {
+        struct nft_meta *priv = nft_expr_priv(expr);
         unsigned int hooks;
 
+        if (priv->key != NFT_META_PKTTYPE)
+                return 0;
+
         switch (ctx->afi->family) {
         case NFPROTO_BRIDGE:
                 hooks = 1 << NF_BR_PRE_ROUTING;
@@ -308,6 +314,7 @@ static int nft_meta_set_init_pkttype(const struct nft_ctx *ctx)
 
         return nft_chain_validate_hooks(ctx->chain, hooks);
 }
+EXPORT_SYMBOL_GPL(nft_meta_set_validate);
 
 int nft_meta_set_init(const struct nft_ctx *ctx,
                       const struct nft_expr *expr,
@@ -327,15 +334,16 @@ int nft_meta_set_init(const struct nft_ctx *ctx,
                 len = sizeof(u8);
                 break;
         case NFT_META_PKTTYPE:
-                err = nft_meta_set_init_pkttype(ctx);
-                if (err)
-                        return err;
                 len = sizeof(u8);
                 break;
         default:
                 return -EOPNOTSUPP;
         }
 
+        err = nft_meta_set_validate(ctx, expr, NULL);
+        if (err < 0)
+                return err;
+
         priv->sreg = nft_parse_register(tb[NFTA_META_SREG]);
         err = nft_validate_register_load(priv->sreg, len);
         if (err < 0)
@@ -407,6 +415,7 @@ static const struct nft_expr_ops nft_meta_set_ops = {
         .init           = nft_meta_set_init,
         .destroy        = nft_meta_set_destroy,
         .dump           = nft_meta_set_dump,
+        .validate       = nft_meta_set_validate,
 };
 
 static const struct nft_expr_ops *
diff --git a/net/netfilter/nft_reject.c b/net/netfilter/nft_reject.c
index 0522fc9bfb0a..c64de3f7379d 100644
--- a/net/netfilter/nft_reject.c
+++ b/net/netfilter/nft_reject.c
@@ -26,11 +26,27 @@ const struct nla_policy nft_reject_policy[NFTA_REJECT_MAX + 1] = {
 };
 EXPORT_SYMBOL_GPL(nft_reject_policy);
 
+int nft_reject_validate(const struct nft_ctx *ctx,
+                        const struct nft_expr *expr,
+                        const struct nft_data **data)
+{
+        return nft_chain_validate_hooks(ctx->chain,
+                                        (1 << NF_INET_LOCAL_IN) |
+                                        (1 << NF_INET_FORWARD) |
+                                        (1 << NF_INET_LOCAL_OUT));
+}
+EXPORT_SYMBOL_GPL(nft_reject_validate);
+
 int nft_reject_init(const struct nft_ctx *ctx,
                     const struct nft_expr *expr,
                     const struct nlattr * const tb[])
 {
         struct nft_reject *priv = nft_expr_priv(expr);
+        int err;
+
+        err = nft_reject_validate(ctx, expr, NULL);
+        if (err < 0)
+                return err;
 
         if (tb[NFTA_REJECT_TYPE] == NULL)
                 return -EINVAL;
diff --git a/net/netfilter/nft_reject_inet.c b/net/netfilter/nft_reject_inet.c
index 759ca5248a3d..e79d9ca2ffee 100644
--- a/net/netfilter/nft_reject_inet.c
+++ b/net/netfilter/nft_reject_inet.c
@@ -66,7 +66,11 @@ static int nft_reject_inet_init(const struct nft_ctx *ctx,
                                 const struct nlattr * const tb[])
 {
         struct nft_reject *priv = nft_expr_priv(expr);
-        int icmp_code;
+        int icmp_code, err;
+
+        err = nft_reject_validate(ctx, expr, NULL);
+        if (err < 0)
+                return err;
 
         if (tb[NFTA_REJECT_TYPE] == NULL)
                 return -EINVAL;
@@ -124,6 +128,7 @@ static const struct nft_expr_ops nft_reject_inet_ops = {
         .eval           = nft_reject_inet_eval,
         .init           = nft_reject_inet_init,
         .dump           = nft_reject_inet_dump,
+        .validate       = nft_reject_validate,
 };
 
 static struct nft_expr_type nft_reject_inet_type __read_mostly = {
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 69444d32ecda..1555fb8c68e0 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -796,27 +796,34 @@ struct sctp_hash_cmp_arg {
 static inline int sctp_hash_cmp(struct rhashtable_compare_arg *arg,
                                 const void *ptr)
 {
+        struct sctp_transport *t = (struct sctp_transport *)ptr;
         const struct sctp_hash_cmp_arg *x = arg->key;
-        const struct sctp_transport *t = ptr;
-        struct sctp_association *asoc = t->asoc;
-        const struct net *net = x->net;
+        struct sctp_association *asoc;
+        int err = 1;
 
         if (!sctp_cmp_addr_exact(&t->ipaddr, x->paddr))
-                return 1;
-        if (!net_eq(sock_net(asoc->base.sk), net))
-                return 1;
+                return err;
+        if (!sctp_transport_hold(t))
+                return err;
+
+        asoc = t->asoc;
+        if (!net_eq(sock_net(asoc->base.sk), x->net))
+                goto out;
         if (x->ep) {
                 if (x->ep != asoc->ep)
-                        return 1;
+                        goto out;
         } else {
                 if (x->laddr->v4.sin_port != htons(asoc->base.bind_addr.port))
-                        return 1;
+                        goto out;
                 if (!sctp_bind_addr_match(&asoc->base.bind_addr,
                                           x->laddr, sctp_sk(asoc->base.sk)))
-                        return 1;
+                        goto out;
         }
 
-        return 0;
+        err = 0;
+out:
+        sctp_transport_put(t);
+        return err;
 }
 
 static inline u32 sctp_hash_obj(const void *data, u32 len, u32 seed)
diff --git a/net/sctp/output.c b/net/sctp/output.c
index 1f1682b9a6a8..31b7bc35895d 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -878,7 +878,7 @@ static sctp_xmit_t sctp_packet_will_fit(struct sctp_packet *packet,
                                         struct sctp_chunk *chunk,
                                         u16 chunk_len)
 {
-        size_t psize, pmtu;
+        size_t psize, pmtu, maxsize;
         sctp_xmit_t retval = SCTP_XMIT_OK;
 
         psize = packet->size;
@@ -906,6 +906,17 @@ static sctp_xmit_t sctp_packet_will_fit(struct sctp_packet *packet,
                         goto out;
                 }
 
+                /* Similarly, if this chunk was built before a PMTU
+                 * reduction, we have to fragment it at IP level now. So
+                 * if the packet already contains something, we need to
+                 * flush.
+                 */
+                maxsize = pmtu - packet->overhead;
+                if (packet->auth)
+                        maxsize -= WORD_ROUND(packet->auth->skb->len);
+                if (chunk_len > maxsize)
+                        retval = SCTP_XMIT_PMTU_FULL;
+
                 /* It is also okay to fragment if the chunk we are
                  * adding is a control chunk, but only if current packet
                  * is not a GSO one otherwise it causes fragmentation of
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 1d281816f2bf..d8582028b346 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -569,9 +569,10 @@ gss_svc_searchbyctx(struct cache_detail *cd, struct xdr_netobj *handle)
         struct rsc *found;
 
         memset(&rsci, 0, sizeof(rsci));
-        rsci.handle.data = handle->data;
-        rsci.handle.len = handle->len;
+        if (dup_to_netobj(&rsci.handle, handle->data, handle->len))
+                return NULL;
         found = rsc_lookup(cd, &rsci);
+        rsc_free(&rsci);
         if (!found)
                 return NULL;
         if (cache_check(cd, &found->h, NULL))
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index 536d0be3f61b..799cce6cbe45 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -51,6 +51,7 @@
 #include <linux/slab.h>
 #include <linux/prefetch.h>
 #include <linux/sunrpc/addr.h>
+#include <linux/sunrpc/svc_rdma.h>
 #include <asm/bitops.h>
 #include <linux/module.h> /* try_module_get()/module_put() */
 
@@ -923,7 +924,7 @@ rpcrdma_buffer_create(struct rpcrdma_xprt *r_xprt)
         }
 
         INIT_LIST_HEAD(&buf->rb_recv_bufs);
-        for (i = 0; i < buf->rb_max_requests; i++) {
+        for (i = 0; i < buf->rb_max_requests + RPCRDMA_MAX_BC_REQUESTS; i++) {
                 struct rpcrdma_rep *rep;
 
                 rep = rpcrdma_create_rep(r_xprt);
@@ -1018,6 +1019,7 @@ rpcrdma_buffer_destroy(struct rpcrdma_buffer *buf)
                 rep = rpcrdma_buffer_get_rep_locked(buf);
                 rpcrdma_destroy_rep(ia, rep);
         }
+        buf->rb_send_count = 0;
 
         spin_lock(&buf->rb_reqslock);
         while (!list_empty(&buf->rb_allreqs)) {
@@ -1032,6 +1034,7 @@ rpcrdma_buffer_destroy(struct rpcrdma_buffer *buf)
                 spin_lock(&buf->rb_reqslock);
         }
         spin_unlock(&buf->rb_reqslock);
+        buf->rb_recv_count = 0;
 
         rpcrdma_destroy_mrs(buf);
 }
@@ -1074,8 +1077,27 @@ rpcrdma_put_mw(struct rpcrdma_xprt *r_xprt, struct rpcrdma_mw *mw)
         spin_unlock(&buf->rb_mwlock);
 }
 
+static struct rpcrdma_rep *
+rpcrdma_buffer_get_rep(struct rpcrdma_buffer *buffers)
+{
+        /* If an RPC previously completed without a reply (say, a
+         * credential problem or a soft timeout occurs) then hold off
+         * on supplying more Receive buffers until the number of new
+         * pending RPCs catches up to the number of posted Receives.
+         */
+        if (unlikely(buffers->rb_send_count < buffers->rb_recv_count))
+                return NULL;
+
+        if (unlikely(list_empty(&buffers->rb_recv_bufs)))
+                return NULL;
+        buffers->rb_recv_count++;
+        return rpcrdma_buffer_get_rep_locked(buffers);
+}
+
 /*
  * Get a set of request/reply buffers.
+ *
+ * Reply buffer (if available) is attached to send buffer upon return.
  */
 struct rpcrdma_req *
 rpcrdma_buffer_get(struct rpcrdma_buffer *buffers)
@@ -1085,21 +1107,15 @@ rpcrdma_buffer_get(struct rpcrdma_buffer *buffers)
         spin_lock(&buffers->rb_lock);
         if (list_empty(&buffers->rb_send_bufs))
                 goto out_reqbuf;
+        buffers->rb_send_count++;
         req = rpcrdma_buffer_get_req_locked(buffers);
-        if (list_empty(&buffers->rb_recv_bufs))
-                goto out_repbuf;
-        req->rl_reply = rpcrdma_buffer_get_rep_locked(buffers);
+        req->rl_reply = rpcrdma_buffer_get_rep(buffers);
         spin_unlock(&buffers->rb_lock);
         return req;
 
 out_reqbuf:
         spin_unlock(&buffers->rb_lock);
-        pr_warn("rpcrdma: out of request buffers (%p)\n", buffers);
-        return NULL;
-out_repbuf:
-        list_add(&req->rl_free, &buffers->rb_send_bufs);
-        spin_unlock(&buffers->rb_lock);
-        pr_warn("rpcrdma: out of reply buffers (%p)\n", buffers);
+        pr_warn("RPC:       %s: out of request buffers\n", __func__);
         return NULL;
 }
 
@@ -1117,9 +1133,12 @@ rpcrdma_buffer_put(struct rpcrdma_req *req)
         req->rl_reply = NULL;
 
         spin_lock(&buffers->rb_lock);
+        buffers->rb_send_count--;
         list_add_tail(&req->rl_free, &buffers->rb_send_bufs);
-        if (rep)
+        if (rep) {
+                buffers->rb_recv_count--;
                 list_add_tail(&rep->rr_list, &buffers->rb_recv_bufs);
+        }
         spin_unlock(&buffers->rb_lock);
 }
 
@@ -1133,8 +1152,7 @@ rpcrdma_recv_buffer_get(struct rpcrdma_req *req)
         struct rpcrdma_buffer *buffers = req->rl_buffer;
 
         spin_lock(&buffers->rb_lock);
-        if (!list_empty(&buffers->rb_recv_bufs))
-                req->rl_reply = rpcrdma_buffer_get_rep_locked(buffers);
+        req->rl_reply = rpcrdma_buffer_get_rep(buffers);
         spin_unlock(&buffers->rb_lock);
 }
 
@@ -1148,6 +1166,7 @@ rpcrdma_recv_buffer_put(struct rpcrdma_rep *rep)
         struct rpcrdma_buffer *buffers = &rep->rr_rxprt->rx_buf;
 
         spin_lock(&buffers->rb_lock);
+        buffers->rb_recv_count--;
         list_add_tail(&rep->rr_list, &buffers->rb_recv_bufs);
         spin_unlock(&buffers->rb_lock);
 }
diff --git a/net/sunrpc/xprtrdma/xprt_rdma.h b/net/sunrpc/xprtrdma/xprt_rdma.h
index 670fad57153a..a71b0f5897d8 100644
--- a/net/sunrpc/xprtrdma/xprt_rdma.h
+++ b/net/sunrpc/xprtrdma/xprt_rdma.h
@@ -321,6 +321,7 @@ struct rpcrdma_buffer {
         char                    *rb_pool;
 
         spinlock_t              rb_lock;        /* protect buf lists */
+        int                     rb_send_count, rb_recv_count;
         struct list_head        rb_send_bufs;
         struct list_head        rb_recv_bufs;
         u32                     rb_max_requests;
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 8ede3bc52481..bf168838a029 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -1074,7 +1074,7 @@ static void xs_udp_data_receive(struct sock_xprt *transport)
                 skb = skb_recv_datagram(sk, 0, 1, &err);
                 if (skb != NULL) {
                         xs_udp_data_read_skb(&transport->xprt, sk, skb);
-                        skb_free_datagram(sk, skb);
+                        skb_free_datagram_locked(sk, skb);
                         continue;
                 }
                 if (!test_and_clear_bit(XPRT_SOCK_DATA_READY, &transport->sock_state))
diff --git a/net/tipc/name_distr.c b/net/tipc/name_distr.c
index 6b626a64b517..a04fe9be1c60 100644
--- a/net/tipc/name_distr.c
+++ b/net/tipc/name_distr.c
@@ -62,6 +62,8 @@ static void publ_to_item(struct distr_item *i, struct publication *p)
 
 /**
  * named_prepare_buf - allocate & initialize a publication message
+ *
+ * The buffer returned is of size INT_H_SIZE + payload size
  */
 static struct sk_buff *named_prepare_buf(struct net *net, u32 type, u32 size,
                                          u32 dest)
@@ -141,9 +143,9 @@ static void named_distribute(struct net *net, struct sk_buff_head *list,
         struct publication *publ;
         struct sk_buff *skb = NULL;
         struct distr_item *item = NULL;
-        uint msg_dsz = (tipc_node_get_mtu(net, dnode, 0) / ITEM_SIZE) *
-                        ITEM_SIZE;
-        uint msg_rem = msg_dsz;
+        u32 msg_dsz = ((tipc_node_get_mtu(net, dnode, 0) - INT_H_SIZE) /
+                        ITEM_SIZE) * ITEM_SIZE;
+        u32 msg_rem = msg_dsz;
 
         list_for_each_entry(publ, pls, local_list) {
                 /* Prepare next buffer: */
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index f1dffe84f0d5..8309687a56b0 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -661,11 +661,11 @@ static int unix_set_peek_off(struct sock *sk, int val)
 {
         struct unix_sock *u = unix_sk(sk);
 
-        if (mutex_lock_interruptible(&u->readlock))
+        if (mutex_lock_interruptible(&u->iolock))
                 return -EINTR;
 
         sk->sk_peek_off = val;
-        mutex_unlock(&u->readlock);
+        mutex_unlock(&u->iolock);
 
         return 0;
 }
@@ -779,7 +779,8 @@ static struct sock *unix_create1(struct net *net, struct socket *sock, int kern)
         spin_lock_init(&u->lock);
         atomic_long_set(&u->inflight, 0);
         INIT_LIST_HEAD(&u->link);
-        mutex_init(&u->readlock); /* single task reading lock */
+        mutex_init(&u->iolock); /* single task reading lock */
+        mutex_init(&u->bindlock); /* single task binding lock */
         init_waitqueue_head(&u->peer_wait);
         init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay);
         unix_insert_socket(unix_sockets_unbound(sk), sk);
@@ -848,7 +849,7 @@ static int unix_autobind(struct socket *sock)
         int err;
         unsigned int retries = 0;
 
-        err = mutex_lock_interruptible(&u->readlock);
+        err = mutex_lock_interruptible(&u->bindlock);
         if (err)
                 return err;
 
@@ -895,7 +896,7 @@ retry:
         spin_unlock(&unix_table_lock);
         err = 0;
 
-out:    mutex_unlock(&u->readlock);
+out:    mutex_unlock(&u->bindlock);
         return err;
 }
 
@@ -954,20 +955,32 @@ fail:
         return NULL;
 }
 
-static int unix_mknod(struct dentry *dentry, const struct path *path, umode_t mode,
-                      struct path *res)
+static int unix_mknod(const char *sun_path, umode_t mode, struct path *res)
 {
-        int err;
+        struct dentry *dentry;
+        struct path path;
+        int err = 0;
+        /*
+         * Get the parent directory, calculate the hash for last
+         * component.
+         */
+        dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0);
+        err = PTR_ERR(dentry);
+        if (IS_ERR(dentry))
+                return err;
 
-        err = security_path_mknod(path, dentry, mode, 0);
+        /*
+         * All right, let's create it.
+         */
+        err = security_path_mknod(&path, dentry, mode, 0);
         if (!err) {
-                err = vfs_mknod(d_inode(path->dentry), dentry, mode, 0);
+                err = vfs_mknod(d_inode(path.dentry), dentry, mode, 0);
                 if (!err) {
-                        res->mnt = mntget(path->mnt);
+                        res->mnt = mntget(path.mnt);
                         res->dentry = dget(dentry);
                 }
         }
-
+        done_path_create(&path, dentry);
         return err;
 }
 
@@ -978,12 +991,10 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
         struct unix_sock *u = unix_sk(sk);
         struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr;
         char *sun_path = sunaddr->sun_path;
-        int err, name_err;
+        int err;
         unsigned int hash;
         struct unix_address *addr;
         struct hlist_head *list;
-        struct path path;
-        struct dentry *dentry;
 
         err = -EINVAL;
         if (sunaddr->sun_family != AF_UNIX)
@@ -999,34 +1010,14 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                 goto out;
         addr_len = err;
 
-        name_err = 0;
-        dentry = NULL;
-        if (sun_path[0]) {
-                /* Get the parent directory, calculate the hash for last
-                 * component.
-                 */
-                dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0);
-
-                if (IS_ERR(dentry)) {
-                        /* delay report until after 'already bound' check */
-                        name_err = PTR_ERR(dentry);
-                        dentry = NULL;
-                }
-        }
-
-        err = mutex_lock_interruptible(&u->readlock);
+        err = mutex_lock_interruptible(&u->bindlock);
         if (err)
-                goto out_path;
+                goto out;
 
         err = -EINVAL;
         if (u->addr)
                 goto out_up;
 
-        if (name_err) {
-                err = name_err == -EEXIST ? -EADDRINUSE : name_err;
-                goto out_up;
-        }
-
         err = -ENOMEM;
         addr = kmalloc(sizeof(*addr)+addr_len, GFP_KERNEL);
         if (!addr)
@@ -1037,11 +1028,11 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
         addr->hash = hash ^ sk->sk_type;
         atomic_set(&addr->refcnt, 1);
 
-        if (dentry) {
-                struct path u_path;
+        if (sun_path[0]) {
+                struct path path;
                 umode_t mode = S_IFSOCK |
                        (SOCK_INODE(sock)->i_mode & ~current_umask());
-                err = unix_mknod(dentry, &path, mode, &u_path);
+                err = unix_mknod(sun_path, mode, &path);
                 if (err) {
                         if (err == -EEXIST)
                                 err = -EADDRINUSE;
@@ -1049,9 +1040,9 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                         goto out_up;
                 }
                 addr->hash = UNIX_HASH_SIZE;
-                hash = d_real_inode(dentry)->i_ino & (UNIX_HASH_SIZE - 1);
+                hash = d_real_inode(path.dentry)->i_ino & (UNIX_HASH_SIZE - 1);
                 spin_lock(&unix_table_lock);
-                u->path = u_path;
+                u->path = path;
                 list = &unix_socket_table[hash];
         } else {
                 spin_lock(&unix_table_lock);
@@ -1073,11 +1064,7 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 out_unlock:
         spin_unlock(&unix_table_lock);
 out_up:
-        mutex_unlock(&u->readlock);
-out_path:
-        if (dentry)
-                done_path_create(&path, dentry);
-
+        mutex_unlock(&u->bindlock);
 out:
         return err;
 }
@@ -1969,17 +1956,17 @@ static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page,
         if (false) {
 alloc_skb:
                 unix_state_unlock(other);
-                mutex_unlock(&unix_sk(other)->readlock);
+                mutex_unlock(&unix_sk(other)->iolock);
                 newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT,
                                               &err, 0);
                 if (!newskb)
                         goto err;
         }
 
-        /* we must acquire readlock as we modify already present
+        /* we must acquire iolock as we modify already present
          * skbs in the sk_receive_queue and mess with skb->len
          */
-        err = mutex_lock_interruptible(&unix_sk(other)->readlock);
+        err = mutex_lock_interruptible(&unix_sk(other)->iolock);
         if (err) {
                 err = flags & MSG_DONTWAIT ? -EAGAIN : -ERESTARTSYS;
                 goto err;
@@ -2046,7 +2033,7 @@ alloc_skb:
         }
 
         unix_state_unlock(other);
-        mutex_unlock(&unix_sk(other)->readlock);
+        mutex_unlock(&unix_sk(other)->iolock);
 
         other->sk_data_ready(other);
         scm_destroy(&scm);
@@ -2055,7 +2042,7 @@ alloc_skb:
 err_state_unlock:
         unix_state_unlock(other);
 err_unlock:
-        mutex_unlock(&unix_sk(other)->readlock);
+        mutex_unlock(&unix_sk(other)->iolock);
 err:
         kfree_skb(newskb);
         if (send_sigpipe && !(flags & MSG_NOSIGNAL))
@@ -2123,7 +2110,7 @@ static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg,
         timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
 
         do {
-                mutex_lock(&u->readlock);
+                mutex_lock(&u->iolock);
 
                 skip = sk_peek_offset(sk, flags);
                 skb = __skb_try_recv_datagram(sk, flags, &peeked, &skip, &err,
@@ -2131,14 +2118,14 @@ static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg,
                 if (skb)
                         break;
 
-                mutex_unlock(&u->readlock);
+                mutex_unlock(&u->iolock);
 
                 if (err != -EAGAIN)
                         break;
         } while (timeo &&
                  !__skb_wait_for_more_packets(sk, &err, &timeo, last));
 
-        if (!skb) { /* implies readlock unlocked */
+        if (!skb) { /* implies iolock unlocked */
                 unix_state_lock(sk);
                 /* Signal EOF on disconnected non-blocking SEQPACKET socket. */
                 if (sk->sk_type == SOCK_SEQPACKET && err == -EAGAIN &&
@@ -2203,7 +2190,7 @@ static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg,
 
 out_free:
         skb_free_datagram(sk, skb);
-        mutex_unlock(&u->readlock);
+        mutex_unlock(&u->iolock);
 out:
         return err;
 }
@@ -2298,7 +2285,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
         /* Lock the socket to prevent queue disordering
          * while sleeps in memcpy_tomsg
          */
-        mutex_lock(&u->readlock);
+        mutex_lock(&u->iolock);
 
         if (flags & MSG_PEEK)
                 skip = sk_peek_offset(sk, flags);
@@ -2340,7 +2327,7 @@ again:
                                 break;
                         }
 
-                        mutex_unlock(&u->readlock);
+                        mutex_unlock(&u->iolock);
 
                         timeo = unix_stream_data_wait(sk, timeo, last,
                                                       last_len);
@@ -2351,7 +2338,7 @@ again:
                                 goto out;
                         }
 
-                        mutex_lock(&u->readlock);
+                        mutex_lock(&u->iolock);
                         goto redo;
 unlock:
                         unix_state_unlock(sk);
@@ -2454,7 +2441,7 @@ unlock:
                 }
         } while (size);
 
-        mutex_unlock(&u->readlock);
+        mutex_unlock(&u->iolock);
         if (state->msg)
                 scm_recv(sock, state->msg, &scm, flags);
         else
@@ -2495,9 +2482,9 @@ static ssize_t skb_unix_socket_splice(struct sock *sk,
         int ret;
         struct unix_sock *u = unix_sk(sk);
 
-        mutex_unlock(&u->readlock);
+        mutex_unlock(&u->iolock);
         ret = splice_to_pipe(pipe, spd);
-        mutex_lock(&u->readlock);
+        mutex_lock(&u->iolock);
 
         return ret;
 }
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index f02653a08993..4809f4d2cdcc 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -6978,7 +6978,7 @@ static int nl80211_channel_switch(struct sk_buff *skb, struct genl_info *info)
 
                 params.n_counter_offsets_presp = len / sizeof(u16);
                 if (rdev->wiphy.max_num_csa_counters &&
-                    (params.n_counter_offsets_beacon >
+                    (params.n_counter_offsets_presp >
                      rdev->wiphy.max_num_csa_counters))
                         return -EINVAL;
 
diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c
index dbb2738e356a..6250b1cfcde5 100644
--- a/net/wireless/wext-core.c
+++ b/net/wireless/wext-core.c
@@ -958,29 +958,8 @@ static int wireless_process_ioctl(struct net *net, struct ifreq *ifr,
                         return private(dev, iwr, cmd, info, handler);
         }
         /* Old driver API : call driver ioctl handler */
-        if (dev->netdev_ops->ndo_do_ioctl) {
-#ifdef CONFIG_COMPAT
-                if (info->flags & IW_REQUEST_FLAG_COMPAT) {
-                        int ret = 0;
-                        struct iwreq iwr_lcl;
-                        struct compat_iw_point *iwp_compat = (void *) &iwr->u.data;
-
-                        memcpy(&iwr_lcl, iwr, sizeof(struct iwreq));
-                        iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer);
-                        iwr_lcl.u.data.length = iwp_compat->length;
-                        iwr_lcl.u.data.flags = iwp_compat->flags;
-
-                        ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd);
-
-                        iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer);
-                        iwp_compat->length = iwr_lcl.u.data.length;
-                        iwp_compat->flags = iwr_lcl.u.data.flags;
-
-                        return ret;
-                } else
-#endif
-                        return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
-        }
+        if (dev->netdev_ops->ndo_do_ioctl)
+                return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd);
         return -EOPNOTSUPP;
 }
 
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 1c4ad477ce93..6e3f0254d8a1 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -207,15 +207,15 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
         family = XFRM_SPI_SKB_CB(skb)->family;
 
         /* if tunnel is present override skb->mark value with tunnel i_key */
-        if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4) {
-                switch (family) {
-                case AF_INET:
+        switch (family) {
+        case AF_INET:
+                if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
                         mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4->parms.i_key);
-                        break;
-                case AF_INET6:
+                break;
+        case AF_INET6:
+                if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
                         mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6->parms.i_key);
-                        break;
-                }
+                break;
         }
 
         /* Allocate new secpath or COW existing one. */
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index b5e665b3cfb0..45f9cf97ea25 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -626,6 +626,10 @@ static void xfrm_hash_rebuild(struct work_struct *work)
 
         /* re-insert all policies by order of creation */
         list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
+                if (xfrm_policy_id2dir(policy->index) >= XFRM_POLICY_MAX) {
+                        /* skip socket policies */
+                        continue;
+                }
                 newpos = NULL;
                 chain = policy_hash_bysel(net, &policy->selector,
                                           policy->family,
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 9895a8c56d8c..a30f898dc1c5 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -332,6 +332,7 @@ static void xfrm_state_gc_destroy(struct xfrm_state *x)
 {
         tasklet_hrtimer_cancel(&x->mtimer);
         del_timer_sync(&x->rtimer);
+        kfree(x->aead);
         kfree(x->aalg);
         kfree(x->ealg);
         kfree(x->calg);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index d516845e16e3..08892091cfe3 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -581,9 +581,12 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
         if (err)
                 goto error;
 
-        if (attrs[XFRMA_SEC_CTX] &&
-            security_xfrm_state_alloc(x, nla_data(attrs[XFRMA_SEC_CTX])))
-                goto error;
+        if (attrs[XFRMA_SEC_CTX]) {
+                err = security_xfrm_state_alloc(x,
+                                                nla_data(attrs[XFRMA_SEC_CTX]));
+                if (err)
+                        goto error;
+        }
 
         if ((err = xfrm_alloc_replay_state_esn(&x->replay_esn, &x->preplay_esn,
                                                attrs[XFRMA_REPLAY_ESN_VAL])))
@@ -896,7 +899,8 @@ static int xfrm_dump_sa_done(struct netlink_callback *cb)
         struct sock *sk = cb->skb->sk;
         struct net *net = sock_net(sk);
 
-        xfrm_state_walk_done(walk, net);
+        if (cb->args[0])
+                xfrm_state_walk_done(walk, net);
         return 0;
 }
 
@@ -921,8 +925,6 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
                 u8 proto = 0;
                 int err;
 
-                cb->args[0] = 1;
-
                 err = nlmsg_parse(cb->nlh, 0, attrs, XFRMA_MAX,
                                   xfrma_policy);
                 if (err < 0)
@@ -939,6 +941,7 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
                         proto = nla_get_u8(attrs[XFRMA_PROTO]);
 
                 xfrm_state_walk_init(walk, proto, filter);
+                cb->args[0] = 1;
         }
 
         (void) xfrm_state_walk(net, walk, dump_one_state, &info);
@@ -2051,9 +2054,6 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
         if (up->hard) {
                 xfrm_policy_delete(xp, p->dir);
                 xfrm_audit_policy_delete(xp, 1, true);
-        } else {
-                // reset the timers here?
-                WARN(1, "Don't know what to do with soft policy expire\n");
         }
         km_policy_expired(xp, p->dir, up->hard, nlh->nlmsg_pid);
 
@@ -2117,7 +2117,7 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
 
         err = verify_newpolicy_info(&ua->policy);
         if (err)
-                goto bad_policy;
+                goto free_state;
 
         /*   build an XP */
         xp = xfrm_policy_construct(net, &ua->policy, attrs, &err);
@@ -2149,8 +2149,6 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
 
         return 0;
 
-bad_policy:
-        WARN(1, "BAD policy passed\n");
 free_state:
         kfree(x);
 nomem: