Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix refcounting bug for connections in on-packet scheduling mode of
    IPVS, from Julian Anastasov.

 2) Set network header properly in AF_PACKET's packet_snd, from Willem
    de Bruijn.

 3) Fix regressions in 3c59x by converting to generic DMA API. It was
    relying upon the hack that the PCI DMA interfaces would accept NULL
    for EISA devices. From Christoph Hellwig.

 4) Remove RDMA devices before unregistering netdev in QEDE driver, from
    Michal Kalderon.

 5) Use after free in TUN driver ptr_ring usage, from Jason Wang.

 6) Properly check for missing netlink attributes in SMC_PNETID
    requests, from Eric Biggers.

 7) Set DMA mask before performaing any DMA operations in vmxnet3
    driver, from Regis Duchesne.

 8) Fix mlx5 build with SMP=n, from Saeed Mahameed.

 9) Classifier fixes in bcm_sf2 driver from Florian Fainelli.

10) Tuntap use after free during release, from Jason Wang.

11) Don't use stack memory in scatterlists in tls code, from Matt
    Mullins.

12) Not fully initialized flow key object in ipv4 routing code, from
    David Ahern.

13) Various packet headroom bug fixes in ip6_gre driver, from Petr
    Machata.

14) Remove queues from XPS maps using correct index, from Amritha
    Nambiar.

15) Fix use after free in sock_diag, from Eric Dumazet.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (64 commits)
  net: ip6_gre: fix tunnel metadata device sharing.
  cxgb4: fix offset in collecting TX rate limit info
  net: sched: red: avoid hashing NULL child
  sock_diag: fix use-after-free read in __sk_free
  sh_eth: Change platform check to CONFIG_ARCH_RENESAS
  net: dsa: Do not register devlink for unused ports
  net: Fix a bug in removing queues from XPS map
  bpf: fix truncated jump targets on heavy expansions
  bpf: parse and verdict prog attach may race with bpf map update
  bpf: sockmap update rollback on error can incorrectly dec prog refcnt
  net: test tailroom before appending to linear skb
  net: ip6_gre: Fix ip6erspan hlen calculation
  net: ip6_gre: Split up ip6gre_changelink()
  net: ip6_gre: Split up ip6gre_newlink()
  net: ip6_gre: Split up ip6gre_tnl_change()
  net: ip6_gre: Split up ip6gre_tnl_link_config()
  net: ip6_gre: Fix headroom request in ip6erspan_tunnel_xmit()
  net: ip6_gre: Request headroom in __gre6_xmit()
  selftests/bpf: check return value of fopen in test_verifier.c
  erspan: fix invalid erspan version.
  ...

32 files changed, 615 insertions, 203 deletions

diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 47ba98db145d..46c1fe7637ea 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -161,8 +161,8 @@ static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
         /* Make sure the match only receives stp frames */
         if (!par->nft_compat &&
             (!ether_addr_equal(e->destmac, eth_stp_addr) ||
-             !is_broadcast_ether_addr(e->destmsk) ||
-             !(e->bitmask & EBT_DESTMAC)))
+             !(e->bitmask & EBT_DESTMAC) ||
+             !is_broadcast_ether_addr(e->destmsk)))
                 return -EINVAL;
 
         return 0;
diff --git a/net/core/dev.c b/net/core/dev.c
index af0558b00c6c..2af787e8b130 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2124,7 +2124,7 @@ static bool remove_xps_queue_cpu(struct net_device *dev,
                 int i, j;
 
                 for (i = count, j = offset; i--; j++) {
-                        if (!remove_xps_queue(dev_maps, cpu, j))
+                        if (!remove_xps_queue(dev_maps, tci, j))
                                 break;
                 }
 
diff --git a/net/core/filter.c b/net/core/filter.c
index e77c30ca491d..201ff36b17a8 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -481,11 +481,18 @@ do_pass:
 
 #define BPF_EMIT_JMP                                                    \
         do {                                                            \
+                const s32 off_min = S16_MIN, off_max = S16_MAX;         \
+                s32 off;                                                \
+                                                                        \
                 if (target >= len || target < 0)                        \
                         goto err;                                       \
-                insn->off = addrs ? addrs[target] - addrs[i] - 1 : 0;   \
+                off = addrs ? addrs[target] - addrs[i] - 1 : 0;         \
                 /* Adjust pc relative offset for 2nd or 3rd insn. */    \
-                insn->off -= insn - tmp_insns;                          \
+                off -= insn - tmp_insns;                                \
+                /* Reject anything not fitting into insn->off. */       \
+                if (off < off_min || off > off_max)                     \
+                        goto err;                                       \
+                insn->off = off;                                        \
         } while (0)
 
                 case BPF_JMP | BPF_JA:
diff --git a/net/core/sock.c b/net/core/sock.c
index 6444525f610c..3b6d02854e57 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1606,7 +1606,7 @@ static void __sk_free(struct sock *sk)
         if (likely(sk->sk_net_refcnt))
                 sock_inuse_add(sock_net(sk), -1);
 
-        if (unlikely(sock_diag_has_destroy_listeners(sk) && sk->sk_net_refcnt))
+        if (unlikely(sk->sk_net_refcnt && sock_diag_has_destroy_listeners(sk)))
                 sock_diag_broadcast_destroy(sk);
         else
                 sk_destruct(sk);
diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c
index adf50fbc4c13..47725250b4ca 100644
--- a/net/dsa/dsa2.c
+++ b/net/dsa/dsa2.c
@@ -258,11 +258,13 @@ static void dsa_tree_teardown_default_cpu(struct dsa_switch_tree *dst)
 static int dsa_port_setup(struct dsa_port *dp)
 {
         struct dsa_switch *ds = dp->ds;
-        int err;
+        int err = 0;
 
         memset(&dp->devlink_port, 0, sizeof(dp->devlink_port));
 
-        err = devlink_port_register(ds->devlink, &dp->devlink_port, dp->index);
+        if (dp->type != DSA_PORT_TYPE_UNUSED)
+                err = devlink_port_register(ds->devlink, &dp->devlink_port,
+                                            dp->index);
         if (err)
                 return err;
 
@@ -293,7 +295,8 @@ static int dsa_port_setup(struct dsa_port *dp)
 
 static void dsa_port_teardown(struct dsa_port *dp)
 {
-        devlink_port_unregister(&dp->devlink_port);
+        if (dp->type != DSA_PORT_TYPE_UNUSED)
+                devlink_port_unregister(&dp->devlink_port);
 
         switch (dp->type) {
         case DSA_PORT_TYPE_UNUSED:
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index f05afaf3235c..4d622112bf95 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -326,10 +326,11 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
                                  u8 tos, int oif, struct net_device *dev,
                                  int rpf, struct in_device *idev, u32 *itag)
 {
+        struct net *net = dev_net(dev);
+        struct flow_keys flkeys;
         int ret, no_addr;
         struct fib_result res;
         struct flowi4 fl4;
-        struct net *net = dev_net(dev);
         bool dev_match;
 
         fl4.flowi4_oif = 0;
@@ -347,6 +348,11 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
         no_addr = idev->ifa_list == NULL;
 
         fl4.flowi4_mark = IN_DEV_SRC_VMARK(idev) ? skb->mark : 0;
+        if (!fib4_rules_early_flow_dissect(net, skb, &fl4, &flkeys)) {
+                fl4.flowi4_proto = 0;
+                fl4.fl4_sport = 0;
+                fl4.fl4_dport = 0;
+        }
 
         trace_fib_validate_source(dev, &fl4);
 
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 9c169bb2444d..f200b304f76c 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -722,10 +722,12 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
                 erspan_build_header(skb, ntohl(tunnel->parms.o_key),
                                     tunnel->index,
                                     truncate, true);
-        else
+        else if (tunnel->erspan_ver == 2)
                 erspan_build_header_v2(skb, ntohl(tunnel->parms.o_key),
                                        tunnel->dir, tunnel->hwid,
                                        truncate, true);
+        else
+                goto free_skb;
 
         tunnel->parms.o_flags &= ~TUNNEL_KEY;
         __gre_xmit(skb, dev, &tunnel->parms.iph, htons(ETH_P_ERSPAN));
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 83c73bab2c3d..d54abc097800 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1045,7 +1045,8 @@ alloc_new_skb:
                 if (copy > length)
                         copy = length;
 
-                if (!(rt->dst.dev->features&NETIF_F_SG)) {
+                if (!(rt->dst.dev->features&NETIF_F_SG) &&
+                    skb_tailroom(skb) >= copy) {
                         unsigned int off;
 
                         off = skb->len;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 44b308d93ec2..e85f35b89c49 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -34,6 +34,7 @@
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
 MODULE_DESCRIPTION("IPv4 packet filter");
+MODULE_ALIAS("ipt_icmp");
 
 void *ipt_alloc_initial_table(const struct xt_table *info)
 {
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index fd01f13c896a..12843c9ef142 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -89,10 +89,10 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
                         return true ^ invert;
         }
 
+        memset(&flow, 0, sizeof(flow));
         flow.flowi4_iif = LOOPBACK_IFINDEX;
         flow.daddr = iph->saddr;
         flow.saddr = rpfilter_get_saddr(iph->daddr);
-        flow.flowi4_oif = 0;
         flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
         flow.flowi4_tos = RT_TOS(iph->tos);
         flow.flowi4_scope = RT_SCOPE_UNIVERSE;
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 29268efad247..2cfa1b518f8d 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1961,8 +1961,13 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
         fl4.saddr = saddr;
         fl4.flowi4_uid = sock_net_uid(net, NULL);
 
-        if (fib4_rules_early_flow_dissect(net, skb, &fl4, &_flkeys))
+        if (fib4_rules_early_flow_dissect(net, skb, &fl4, &_flkeys)) {
                 flkeys = &_flkeys;
+        } else {
+                fl4.flowi4_proto = 0;
+                fl4.fl4_sport = 0;
+                fl4.fl4_dport = 0;
+        }
 
         err = fib_lookup(net, &fl4, res, 0);
         if (err != 0) {
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 383cac0ff0ec..d07e34f8e309 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2833,8 +2833,10 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs)
                 return -EBUSY;
 
         if (before(TCP_SKB_CB(skb)->seq, tp->snd_una)) {
-                if (before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))
-                        BUG();
+                if (unlikely(before(TCP_SKB_CB(skb)->end_seq, tp->snd_una))) {
+                        WARN_ON_ONCE(1);
+                        return -EINVAL;
+                }
                 if (tcp_trim_head(sk, skb, tp->snd_una - TCP_SKB_CB(skb)->seq))
                         return -ENOMEM;
         }
@@ -3342,6 +3344,7 @@ static void tcp_connect_init(struct sock *sk)
         sock_reset_flag(sk, SOCK_DONE);
         tp->snd_wnd = 0;
         tcp_init_wl(tp, 0);
+        tcp_write_queue_purge(sk);
         tp->snd_una = tp->write_seq;
         tp->snd_sml = tp->write_seq;
         tp->snd_up = tp->write_seq;
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 69727bc168cb..458de353f5d9 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -71,6 +71,7 @@ struct ip6gre_net {
         struct ip6_tnl __rcu *tunnels[4][IP6_GRE_HASH_SIZE];
 
         struct ip6_tnl __rcu *collect_md_tun;
+        struct ip6_tnl __rcu *collect_md_tun_erspan;
         struct net_device *fb_tunnel_dev;
 };
 
@@ -81,6 +82,7 @@ static int ip6gre_tunnel_init(struct net_device *dev);
 static void ip6gre_tunnel_setup(struct net_device *dev);
 static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t);
 static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu);
+static void ip6erspan_tnl_link_config(struct ip6_tnl *t, int set_mtu);
 
 /* Tunnel hash table */
 
@@ -232,7 +234,12 @@ static struct ip6_tnl *ip6gre_tunnel_lookup(struct net_device *dev,
         if (cand)
                 return cand;
 
-        t = rcu_dereference(ign->collect_md_tun);
+        if (gre_proto == htons(ETH_P_ERSPAN) ||
+            gre_proto == htons(ETH_P_ERSPAN2))
+                t = rcu_dereference(ign->collect_md_tun_erspan);
+        else
+                t = rcu_dereference(ign->collect_md_tun);
+
         if (t && t->dev->flags & IFF_UP)
                 return t;
 
@@ -261,6 +268,31 @@ static struct ip6_tnl __rcu **__ip6gre_bucket(struct ip6gre_net *ign,
         return &ign->tunnels[prio][h];
 }
 
+static void ip6gre_tunnel_link_md(struct ip6gre_net *ign, struct ip6_tnl *t)
+{
+        if (t->parms.collect_md)
+                rcu_assign_pointer(ign->collect_md_tun, t);
+}
+
+static void ip6erspan_tunnel_link_md(struct ip6gre_net *ign, struct ip6_tnl *t)
+{
+        if (t->parms.collect_md)
+                rcu_assign_pointer(ign->collect_md_tun_erspan, t);
+}
+
+static void ip6gre_tunnel_unlink_md(struct ip6gre_net *ign, struct ip6_tnl *t)
+{
+        if (t->parms.collect_md)
+                rcu_assign_pointer(ign->collect_md_tun, NULL);
+}
+
+static void ip6erspan_tunnel_unlink_md(struct ip6gre_net *ign,
+                                       struct ip6_tnl *t)
+{
+        if (t->parms.collect_md)
+                rcu_assign_pointer(ign->collect_md_tun_erspan, NULL);
+}
+
 static inline struct ip6_tnl __rcu **ip6gre_bucket(struct ip6gre_net *ign,
                 const struct ip6_tnl *t)
 {
@@ -271,9 +303,6 @@ static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t)
 {
         struct ip6_tnl __rcu **tp = ip6gre_bucket(ign, t);
 
-        if (t->parms.collect_md)
-                rcu_assign_pointer(ign->collect_md_tun, t);
-
         rcu_assign_pointer(t->next, rtnl_dereference(*tp));
         rcu_assign_pointer(*tp, t);
 }
@@ -283,9 +312,6 @@ static void ip6gre_tunnel_unlink(struct ip6gre_net *ign, struct ip6_tnl *t)
         struct ip6_tnl __rcu **tp;
         struct ip6_tnl *iter;
 
-        if (t->parms.collect_md)
-                rcu_assign_pointer(ign->collect_md_tun, NULL);
-
         for (tp = ip6gre_bucket(ign, t);
              (iter = rtnl_dereference(*tp)) != NULL;
              tp = &iter->next) {
@@ -374,11 +400,23 @@ failed_free:
         return NULL;
 }
 
+static void ip6erspan_tunnel_uninit(struct net_device *dev)
+{
+        struct ip6_tnl *t = netdev_priv(dev);
+        struct ip6gre_net *ign = net_generic(t->net, ip6gre_net_id);
+
+        ip6erspan_tunnel_unlink_md(ign, t);
+        ip6gre_tunnel_unlink(ign, t);
+        dst_cache_reset(&t->dst_cache);
+        dev_put(dev);
+}
+
 static void ip6gre_tunnel_uninit(struct net_device *dev)
 {
         struct ip6_tnl *t = netdev_priv(dev);
         struct ip6gre_net *ign = net_generic(t->net, ip6gre_net_id);
 
+        ip6gre_tunnel_unlink_md(ign, t);
         ip6gre_tunnel_unlink(ign, t);
         dst_cache_reset(&t->dst_cache);
         dev_put(dev);
@@ -698,6 +736,9 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
         else
                 fl6->daddr = tunnel->parms.raddr;
 
+        if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen))
+                return -ENOMEM;
+
         /* Push GRE header. */
         protocol = (dev->type == ARPHRD_ETHER) ? htons(ETH_P_TEB) : proto;
 
@@ -908,7 +949,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
                 truncate = true;
         }
 
-        if (skb_cow_head(skb, dev->needed_headroom))
+        if (skb_cow_head(skb, dev->needed_headroom ?: t->hlen))
                 goto tx_err;
 
         t->parms.o_flags &= ~TUNNEL_KEY;
@@ -979,11 +1020,14 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
                         erspan_build_header(skb, ntohl(t->parms.o_key),
                                             t->parms.index,
                                             truncate, false);
-                else
+                else if (t->parms.erspan_ver == 2)
                         erspan_build_header_v2(skb, ntohl(t->parms.o_key),
                                                t->parms.dir,
                                                t->parms.hwid,
                                                truncate, false);
+                else
+                        goto tx_err;
+
                 fl6.daddr = t->parms.raddr;
         }
 
@@ -1019,12 +1063,11 @@ tx_err:
         return NETDEV_TX_OK;
 }
 
-static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu)
+static void ip6gre_tnl_link_config_common(struct ip6_tnl *t)
 {
         struct net_device *dev = t->dev;
         struct __ip6_tnl_parm *p = &t->parms;
         struct flowi6 *fl6 = &t->fl.u.ip6;
-        int t_hlen;
 
         if (dev->type != ARPHRD_ETHER) {
                 memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr));
@@ -1051,12 +1094,13 @@ static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu)
                 dev->flags |= IFF_POINTOPOINT;
         else
                 dev->flags &= ~IFF_POINTOPOINT;
+}
 
-        t->tun_hlen = gre_calc_hlen(t->parms.o_flags);
-
-        t->hlen = t->encap_hlen + t->tun_hlen;
-
-        t_hlen = t->hlen + sizeof(struct ipv6hdr);
+static void ip6gre_tnl_link_config_route(struct ip6_tnl *t, int set_mtu,
+                                         int t_hlen)
+{
+        const struct __ip6_tnl_parm *p = &t->parms;
+        struct net_device *dev = t->dev;
 
         if (p->flags & IP6_TNL_F_CAP_XMIT) {
                 int strict = (ipv6_addr_type(&p->raddr) &
@@ -1088,8 +1132,26 @@ static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu)
         }
 }
 
-static int ip6gre_tnl_change(struct ip6_tnl *t,
-        const struct __ip6_tnl_parm *p, int set_mtu)
+static int ip6gre_calc_hlen(struct ip6_tnl *tunnel)
+{
+        int t_hlen;
+
+        tunnel->tun_hlen = gre_calc_hlen(tunnel->parms.o_flags);
+        tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen;
+
+        t_hlen = tunnel->hlen + sizeof(struct ipv6hdr);
+        tunnel->dev->hard_header_len = LL_MAX_HEADER + t_hlen;
+        return t_hlen;
+}
+
+static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu)
+{
+        ip6gre_tnl_link_config_common(t);
+        ip6gre_tnl_link_config_route(t, set_mtu, ip6gre_calc_hlen(t));
+}
+
+static void ip6gre_tnl_copy_tnl_parm(struct ip6_tnl *t,
+                                     const struct __ip6_tnl_parm *p)
 {
         t->parms.laddr = p->laddr;
         t->parms.raddr = p->raddr;
@@ -1105,6 +1167,12 @@ static int ip6gre_tnl_change(struct ip6_tnl *t,
         t->parms.o_flags = p->o_flags;
         t->parms.fwmark = p->fwmark;
         dst_cache_reset(&t->dst_cache);
+}
+
+static int ip6gre_tnl_change(struct ip6_tnl *t, const struct __ip6_tnl_parm *p,
+                             int set_mtu)
+{
+        ip6gre_tnl_copy_tnl_parm(t, p);
         ip6gre_tnl_link_config(t, set_mtu);
         return 0;
 }
@@ -1381,11 +1449,7 @@ static int ip6gre_tunnel_init_common(struct net_device *dev)
                 return ret;
         }
 
-        tunnel->tun_hlen = gre_calc_hlen(tunnel->parms.o_flags);
-        tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen;
-        t_hlen = tunnel->hlen + sizeof(struct ipv6hdr);
-
-        dev->hard_header_len = LL_MAX_HEADER + t_hlen;
+        t_hlen = ip6gre_calc_hlen(tunnel);
         dev->mtu = ETH_DATA_LEN - t_hlen;
         if (dev->type == ARPHRD_ETHER)
                 dev->mtu -= ETH_HLEN;
@@ -1728,6 +1792,19 @@ static const struct net_device_ops ip6gre_tap_netdev_ops = {
         .ndo_get_iflink = ip6_tnl_get_iflink,
 };
 
+static int ip6erspan_calc_hlen(struct ip6_tnl *tunnel)
+{
+        int t_hlen;
+
+        tunnel->tun_hlen = 8;
+        tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen +
+                       erspan_hdr_len(tunnel->parms.erspan_ver);
+
+        t_hlen = tunnel->hlen + sizeof(struct ipv6hdr);
+        tunnel->dev->hard_header_len = LL_MAX_HEADER + t_hlen;
+        return t_hlen;
+}
+
 static int ip6erspan_tap_init(struct net_device *dev)
 {
         struct ip6_tnl *tunnel;
@@ -1751,12 +1828,7 @@ static int ip6erspan_tap_init(struct net_device *dev)
                 return ret;
         }
 
-        tunnel->tun_hlen = 8;
-        tunnel->hlen = tunnel->tun_hlen + tunnel->encap_hlen +
-                       erspan_hdr_len(tunnel->parms.erspan_ver);
-        t_hlen = tunnel->hlen + sizeof(struct ipv6hdr);
-
-        dev->hard_header_len = LL_MAX_HEADER + t_hlen;
+        t_hlen = ip6erspan_calc_hlen(tunnel);
         dev->mtu = ETH_DATA_LEN - t_hlen;
         if (dev->type == ARPHRD_ETHER)
                 dev->mtu -= ETH_HLEN;
@@ -1764,14 +1836,14 @@ static int ip6erspan_tap_init(struct net_device *dev)
                 dev->mtu -= 8;
 
         dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
-        ip6gre_tnl_link_config(tunnel, 1);
+        ip6erspan_tnl_link_config(tunnel, 1);
 
         return 0;
 }
 
 static const struct net_device_ops ip6erspan_netdev_ops = {
         .ndo_init =             ip6erspan_tap_init,
-        .ndo_uninit =           ip6gre_tunnel_uninit,
+        .ndo_uninit =           ip6erspan_tunnel_uninit,
         .ndo_start_xmit =       ip6erspan_tunnel_xmit,
         .ndo_set_mac_address =  eth_mac_addr,
         .ndo_validate_addr =    eth_validate_addr,
@@ -1835,13 +1907,11 @@ static bool ip6gre_netlink_encap_parms(struct nlattr *data[],
         return ret;
 }
 
-static int ip6gre_newlink(struct net *src_net, struct net_device *dev,
-                          struct nlattr *tb[], struct nlattr *data[],
-                          struct netlink_ext_ack *extack)
+static int ip6gre_newlink_common(struct net *src_net, struct net_device *dev,
+                                 struct nlattr *tb[], struct nlattr *data[],
+                                 struct netlink_ext_ack *extack)
 {
         struct ip6_tnl *nt;
-        struct net *net = dev_net(dev);
-        struct ip6gre_net *ign = net_generic(net, ip6gre_net_id);
         struct ip_tunnel_encap ipencap;
         int err;
 
@@ -1854,16 +1924,6 @@ static int ip6gre_newlink(struct net *src_net, struct net_device *dev,
                         return err;
         }
 
-        ip6gre_netlink_parms(data, &nt->parms);
-
-        if (nt->parms.collect_md) {
-                if (rtnl_dereference(ign->collect_md_tun))
-                        return -EEXIST;
-        } else {
-                if (ip6gre_tunnel_find(net, &nt->parms, dev->type))
-                        return -EEXIST;
-        }
-
         if (dev->type == ARPHRD_ETHER && !tb[IFLA_ADDRESS])
                 eth_hw_addr_random(dev);
 
@@ -1874,51 +1934,94 @@ static int ip6gre_newlink(struct net *src_net, struct net_device *dev,
         if (err)
                 goto out;
 
-        ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]);
-
         if (tb[IFLA_MTU])
                 ip6_tnl_change_mtu(dev, nla_get_u32(tb[IFLA_MTU]));
 
         dev_hold(dev);
-        ip6gre_tunnel_link(ign, nt);
 
 out:
         return err;
 }
 
-static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[],
-                             struct nlattr *data[],
-                             struct netlink_ext_ack *extack)
+static int ip6gre_newlink(struct net *src_net, struct net_device *dev,
+                          struct nlattr *tb[], struct nlattr *data[],
+                          struct netlink_ext_ack *extack)
+{
+        struct ip6_tnl *nt = netdev_priv(dev);
+        struct net *net = dev_net(dev);
+        struct ip6gre_net *ign;
+        int err;
+
+        ip6gre_netlink_parms(data, &nt->parms);
+        ign = net_generic(net, ip6gre_net_id);
+
+        if (nt->parms.collect_md) {
+                if (rtnl_dereference(ign->collect_md_tun))
+                        return -EEXIST;
+        } else {
+                if (ip6gre_tunnel_find(net, &nt->parms, dev->type))
+                        return -EEXIST;
+        }
+
+        err = ip6gre_newlink_common(src_net, dev, tb, data, extack);
+        if (!err) {
+                ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]);
+                ip6gre_tunnel_link_md(ign, nt);
+                ip6gre_tunnel_link(net_generic(net, ip6gre_net_id), nt);
+        }
+        return err;
+}
+
+static struct ip6_tnl *
+ip6gre_changelink_common(struct net_device *dev, struct nlattr *tb[],
+                         struct nlattr *data[], struct __ip6_tnl_parm *p_p,
+                         struct netlink_ext_ack *extack)
 {
         struct ip6_tnl *t, *nt = netdev_priv(dev);
         struct net *net = nt->net;
         struct ip6gre_net *ign = net_generic(net, ip6gre_net_id);
-        struct __ip6_tnl_parm p;
         struct ip_tunnel_encap ipencap;
 
         if (dev == ign->fb_tunnel_dev)
-                return -EINVAL;
+                return ERR_PTR(-EINVAL);
 
         if (ip6gre_netlink_encap_parms(data, &ipencap)) {
                 int err = ip6_tnl_encap_setup(nt, &ipencap);
 
                 if (err < 0)
-                        return err;
+                        return ERR_PTR(err);
         }
 
-        ip6gre_netlink_parms(data, &p);
+        ip6gre_netlink_parms(data, p_p);
 
-        t = ip6gre_tunnel_locate(net, &p, 0);
+        t = ip6gre_tunnel_locate(net, p_p, 0);
 
         if (t) {
                 if (t->dev != dev)
-                        return -EEXIST;
+                        return ERR_PTR(-EEXIST);
         } else {
                 t = nt;
         }
 
+        return t;
+}
+
+static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[],
+                             struct nlattr *data[],
+                             struct netlink_ext_ack *extack)
+{
+        struct ip6gre_net *ign = net_generic(dev_net(dev), ip6gre_net_id);
+        struct __ip6_tnl_parm p;
+        struct ip6_tnl *t;
+
+        t = ip6gre_changelink_common(dev, tb, data, &p, extack);
+        if (IS_ERR(t))
+                return PTR_ERR(t);
+
+        ip6gre_tunnel_unlink_md(ign, t);
         ip6gre_tunnel_unlink(ign, t);
         ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
+        ip6gre_tunnel_link_md(ign, t);
         ip6gre_tunnel_link(ign, t);
         return 0;
 }
@@ -2068,6 +2171,69 @@ static void ip6erspan_tap_setup(struct net_device *dev)
         netif_keep_dst(dev);
 }
 
+static int ip6erspan_newlink(struct net *src_net, struct net_device *dev,
+                             struct nlattr *tb[], struct nlattr *data[],
+                             struct netlink_ext_ack *extack)
+{
+        struct ip6_tnl *nt = netdev_priv(dev);
+        struct net *net = dev_net(dev);
+        struct ip6gre_net *ign;
+        int err;
+
+        ip6gre_netlink_parms(data, &nt->parms);
+        ign = net_generic(net, ip6gre_net_id);
+
+        if (nt->parms.collect_md) {
+                if (rtnl_dereference(ign->collect_md_tun_erspan))
+                        return -EEXIST;
+        } else {
+                if (ip6gre_tunnel_find(net, &nt->parms, dev->type))
+                        return -EEXIST;
+        }
+
+        err = ip6gre_newlink_common(src_net, dev, tb, data, extack);
+        if (!err) {
+                ip6erspan_tnl_link_config(nt, !tb[IFLA_MTU]);
+                ip6erspan_tunnel_link_md(ign, nt);
+                ip6gre_tunnel_link(net_generic(net, ip6gre_net_id), nt);
+        }
+        return err;
+}
+
+static void ip6erspan_tnl_link_config(struct ip6_tnl *t, int set_mtu)
+{
+        ip6gre_tnl_link_config_common(t);
+        ip6gre_tnl_link_config_route(t, set_mtu, ip6erspan_calc_hlen(t));
+}
+
+static int ip6erspan_tnl_change(struct ip6_tnl *t,
+                                const struct __ip6_tnl_parm *p, int set_mtu)
+{
+        ip6gre_tnl_copy_tnl_parm(t, p);
+        ip6erspan_tnl_link_config(t, set_mtu);
+        return 0;
+}
+
+static int ip6erspan_changelink(struct net_device *dev, struct nlattr *tb[],
+                                struct nlattr *data[],
+                                struct netlink_ext_ack *extack)
+{
+        struct ip6gre_net *ign = net_generic(dev_net(dev), ip6gre_net_id);
+        struct __ip6_tnl_parm p;
+        struct ip6_tnl *t;
+
+        t = ip6gre_changelink_common(dev, tb, data, &p, extack);
+        if (IS_ERR(t))
+                return PTR_ERR(t);
+
+        ip6gre_tunnel_unlink_md(ign, t);
+        ip6gre_tunnel_unlink(ign, t);
+        ip6erspan_tnl_change(t, &p, !tb[IFLA_MTU]);
+        ip6erspan_tunnel_link_md(ign, t);
+        ip6gre_tunnel_link(ign, t);
+        return 0;
+}
+
 static struct rtnl_link_ops ip6gre_link_ops __read_mostly = {
         .kind           = "ip6gre",
         .maxtype        = IFLA_GRE_MAX,
@@ -2104,8 +2270,8 @@ static struct rtnl_link_ops ip6erspan_tap_ops __read_mostly = {
         .priv_size      = sizeof(struct ip6_tnl),
         .setup          = ip6erspan_tap_setup,
         .validate       = ip6erspan_tap_validate,
-        .newlink        = ip6gre_newlink,
-        .changelink     = ip6gre_changelink,
+        .newlink        = ip6erspan_newlink,
+        .changelink     = ip6erspan_changelink,
         .get_size       = ip6gre_get_size,
         .fill_info      = ip6gre_fill_info,
         .get_link_net   = ip6_tnl_get_link_net,
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 2e891d2c30ef..7b6d1689087b 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1503,7 +1503,8 @@ alloc_new_skb:
                 if (copy > length)
                         copy = length;
 
-                if (!(rt->dst.dev->features&NETIF_F_SG)) {
+                if (!(rt->dst.dev->features&NETIF_F_SG) &&
+                    skb_tailroom(skb) >= copy) {
                         unsigned int off;
 
                         off = skb->len;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 65c9e1a58305..97f79dc943d7 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -38,6 +38,7 @@
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
 MODULE_DESCRIPTION("IPv6 packet filter");
+MODULE_ALIAS("ip6t_icmp6");
 
 void *ip6t_alloc_initial_table(const struct xt_table *info)
 {
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 0f6b8172fb9a..206fb2c4c319 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -585,7 +585,8 @@ void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
 EXPORT_SYMBOL(nf_nat_decode_session_hook);
 #endif
 
-static void __net_init __netfilter_net_init(struct nf_hook_entries **e, int max)
+static void __net_init
+__netfilter_net_init(struct nf_hook_entries __rcu **e, int max)
 {
         int h;
 
diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
index 370abbf6f421..75de46576f51 100644
--- a/net/netfilter/ipvs/ip_vs_conn.c
+++ b/net/netfilter/ipvs/ip_vs_conn.c
@@ -232,7 +232,10 @@ static inline int ip_vs_conn_unhash(struct ip_vs_conn *cp)
 static inline bool ip_vs_conn_unlink(struct ip_vs_conn *cp)
 {
         unsigned int hash;
-        bool ret;
+        bool ret = false;
+
+        if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
+                return refcount_dec_if_one(&cp->refcnt);
 
         hash = ip_vs_conn_hashkey_conn(cp);
 
@@ -240,15 +243,13 @@ static inline bool ip_vs_conn_unlink(struct ip_vs_conn *cp)
         spin_lock(&cp->lock);
 
         if (cp->flags & IP_VS_CONN_F_HASHED) {
-                ret = false;
                 /* Decrease refcnt and unlink conn only if we are last user */
                 if (refcount_dec_if_one(&cp->refcnt)) {
                         hlist_del_rcu(&cp->c_list);
                         cp->flags &= ~IP_VS_CONN_F_HASHED;
                         ret = true;
                 }
-        } else
-                ret = refcount_read(&cp->refcnt) ? false : true;
+        }
 
         spin_unlock(&cp->lock);
         ct_write_unlock_bh(hash);
@@ -454,12 +455,6 @@ ip_vs_conn_out_get_proto(struct netns_ipvs *ipvs, int af,
 }
 EXPORT_SYMBOL_GPL(ip_vs_conn_out_get_proto);
 
-static void __ip_vs_conn_put_notimer(struct ip_vs_conn *cp)
-{
-        __ip_vs_conn_put(cp);
-        ip_vs_conn_expire(&cp->timer);
-}
-
 /*
  *      Put back the conn and restart its timer with its timeout
  */
@@ -478,7 +473,7 @@ void ip_vs_conn_put(struct ip_vs_conn *cp)
             (refcount_read(&cp->refcnt) == 1) &&
             !timer_pending(&cp->timer))
                 /* expire connection immediately */
-                __ip_vs_conn_put_notimer(cp);
+                ip_vs_conn_expire(&cp->timer);
         else
                 __ip_vs_conn_put_timer(cp);
 }
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 5f6f73cf2174..0679dd101e72 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -119,6 +119,8 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
                 struct ip_vs_cpu_stats *s;
                 struct ip_vs_service *svc;
 
+                local_bh_disable();
+
                 s = this_cpu_ptr(dest->stats.cpustats);
                 u64_stats_update_begin(&s->syncp);
                 s->cnt.inpkts++;
@@ -137,6 +139,8 @@ ip_vs_in_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
                 s->cnt.inpkts++;
                 s->cnt.inbytes += skb->len;
                 u64_stats_update_end(&s->syncp);
+
+                local_bh_enable();
         }
 }
 
@@ -151,6 +155,8 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
                 struct ip_vs_cpu_stats *s;
                 struct ip_vs_service *svc;
 
+                local_bh_disable();
+
                 s = this_cpu_ptr(dest->stats.cpustats);
                 u64_stats_update_begin(&s->syncp);
                 s->cnt.outpkts++;
@@ -169,6 +175,8 @@ ip_vs_out_stats(struct ip_vs_conn *cp, struct sk_buff *skb)
                 s->cnt.outpkts++;
                 s->cnt.outbytes += skb->len;
                 u64_stats_update_end(&s->syncp);
+
+                local_bh_enable();
         }
 }
 
@@ -179,6 +187,8 @@ ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
         struct netns_ipvs *ipvs = svc->ipvs;
         struct ip_vs_cpu_stats *s;
 
+        local_bh_disable();
+
         s = this_cpu_ptr(cp->dest->stats.cpustats);
         u64_stats_update_begin(&s->syncp);
         s->cnt.conns++;
@@ -193,6 +203,8 @@ ip_vs_conn_stats(struct ip_vs_conn *cp, struct ip_vs_service *svc)
         u64_stats_update_begin(&s->syncp);
         s->cnt.conns++;
         u64_stats_update_end(&s->syncp);
+
+        local_bh_enable();
 }
 
 
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index e97cdc1cf98c..8e67910185a0 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -981,6 +981,17 @@ static int tcp_packet(struct nf_conn *ct,
                         return NF_ACCEPT; /* Don't change state */
                 }
                 break;
+        case TCP_CONNTRACK_SYN_SENT2:
+                /* tcp_conntracks table is not smart enough to handle
+                 * simultaneous open.
+                 */
+                ct->proto.tcp.last_flags |= IP_CT_TCP_SIMULTANEOUS_OPEN;
+                break;
+        case TCP_CONNTRACK_SYN_RECV:
+                if (dir == IP_CT_DIR_REPLY && index == TCP_ACK_SET &&
+                    ct->proto.tcp.last_flags & IP_CT_TCP_SIMULTANEOUS_OPEN)
+                        new_state = TCP_CONNTRACK_ESTABLISHED;
+                break;
         case TCP_CONNTRACK_CLOSE:
                 if (index == TCP_RST_SET
                     && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 04d4e3772584..91e80aa852d6 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -214,6 +214,34 @@ static int nft_delchain(struct nft_ctx *ctx)
         return err;
 }
 
+static void nft_rule_expr_activate(const struct nft_ctx *ctx,
+                                   struct nft_rule *rule)
+{
+        struct nft_expr *expr;
+
+        expr = nft_expr_first(rule);
+        while (expr != nft_expr_last(rule) && expr->ops) {
+                if (expr->ops->activate)
+                        expr->ops->activate(ctx, expr);
+
+                expr = nft_expr_next(expr);
+        }
+}
+
+static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
+                                     struct nft_rule *rule)
+{
+        struct nft_expr *expr;
+
+        expr = nft_expr_first(rule);
+        while (expr != nft_expr_last(rule) && expr->ops) {
+                if (expr->ops->deactivate)
+                        expr->ops->deactivate(ctx, expr);
+
+                expr = nft_expr_next(expr);
+        }
+}
+
 static int
 nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule)
 {
@@ -259,6 +287,7 @@ static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
                 nft_trans_destroy(trans);
                 return err;
         }
+        nft_rule_expr_deactivate(ctx, rule);
 
         return 0;
 }
@@ -2238,6 +2267,13 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
         kfree(rule);
 }
 
+static void nf_tables_rule_release(const struct nft_ctx *ctx,
+                                   struct nft_rule *rule)
+{
+        nft_rule_expr_deactivate(ctx, rule);
+        nf_tables_rule_destroy(ctx, rule);
+}
+
 #define NFT_RULE_MAXEXPRS       128
 
 static struct nft_expr_info *info;
@@ -2402,7 +2438,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
         return 0;
 
 err2:
-        nf_tables_rule_destroy(&ctx, rule);
+        nf_tables_rule_release(&ctx, rule);
 err1:
         for (i = 0; i < n; i++) {
                 if (info[i].ops != NULL)
@@ -4044,8 +4080,10 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
                         if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
                             nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
                             nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
-                            nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
-                                return -EBUSY;
+                            nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF)) {
+                                err = -EBUSY;
+                                goto err5;
+                        }
                         if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
                              nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
                              memcmp(nft_set_ext_data(ext),
@@ -4130,7 +4168,7 @@ static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
  *      NFT_GOTO verdicts. This function must be called on active data objects
  *      from the second phase of the commit protocol.
  */
-static void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
+void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
 {
         if (type == NFT_DATA_VERDICT) {
                 switch (data->verdict.code) {
@@ -5761,7 +5799,7 @@ static void nft_chain_commit_update(struct nft_trans *trans)
         }
 }
 
-static void nf_tables_commit_release(struct nft_trans *trans)
+static void nft_commit_release(struct nft_trans *trans)
 {
         switch (trans->msg_type) {
         case NFT_MSG_DELTABLE:
@@ -5790,6 +5828,21 @@ static void nf_tables_commit_release(struct nft_trans *trans)
         kfree(trans);
 }
 
+static void nf_tables_commit_release(struct net *net)
+{
+        struct nft_trans *trans, *next;
+
+        if (list_empty(&net->nft.commit_list))
+                return;
+
+        synchronize_rcu();
+
+        list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
+                list_del(&trans->list);
+                nft_commit_release(trans);
+        }
+}
+
 static int nf_tables_commit(struct net *net, struct sk_buff *skb)
 {
         struct nft_trans *trans, *next;
@@ -5920,13 +5973,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
                 }
         }
 
-        synchronize_rcu();
-
-        list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
-                list_del(&trans->list);
-                nf_tables_commit_release(trans);
-        }
-
+        nf_tables_commit_release(net);
         nf_tables_gen_notify(net, skb, NFT_MSG_NEWGEN);
 
         return 0;
@@ -6006,10 +6053,12 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb)
                 case NFT_MSG_NEWRULE:
                         trans->ctx.chain->use--;
                         list_del_rcu(&nft_trans_rule(trans)->list);
+                        nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
                         break;
                 case NFT_MSG_DELRULE:
                         trans->ctx.chain->use++;
                         nft_clear(trans->ctx.net, nft_trans_rule(trans));
+                        nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans));
                         nft_trans_destroy(trans);
                         break;
                 case NFT_MSG_NEWSET:
@@ -6585,7 +6634,7 @@ int __nft_release_basechain(struct nft_ctx *ctx)
         list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
                 list_del(&rule->list);
                 ctx->chain->use--;
-                nf_tables_rule_destroy(ctx, rule);
+                nf_tables_rule_release(ctx, rule);
         }
         list_del(&ctx->chain->list);
         ctx->table->use--;
@@ -6623,7 +6672,7 @@ static void __nft_release_tables(struct net *net)
                         list_for_each_entry_safe(rule, nr, &chain->rules, list) {
                                 list_del(&rule->list);
                                 chain->use--;
-                                nf_tables_rule_destroy(&ctx, rule);
+                                nf_tables_rule_release(&ctx, rule);
                         }
                 }
                 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index dfd0bf3810d2..942702a2776f 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -119,15 +119,22 @@ DEFINE_STATIC_KEY_FALSE(nft_counters_enabled);
 static noinline void nft_update_chain_stats(const struct nft_chain *chain,
                                             const struct nft_pktinfo *pkt)
 {
+        struct nft_base_chain *base_chain;
         struct nft_stats *stats;
 
-        local_bh_disable();
-        stats = this_cpu_ptr(rcu_dereference(nft_base_chain(chain)->stats));
-        u64_stats_update_begin(&stats->syncp);
-        stats->pkts++;
-        stats->bytes += pkt->skb->len;
-        u64_stats_update_end(&stats->syncp);
-        local_bh_enable();
+        base_chain = nft_base_chain(chain);
+        if (!base_chain->stats)
+                return;
+
+        stats = this_cpu_ptr(rcu_dereference(base_chain->stats));
+        if (stats) {
+                local_bh_disable();
+                u64_stats_update_begin(&stats->syncp);
+                stats->pkts++;
+                stats->bytes += pkt->skb->len;
+                u64_stats_update_end(&stats->syncp);
+                local_bh_enable();
+        }
 }
 
 struct nft_jumpstack {
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index b9505bcd3827..6ddf89183e7b 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -115,7 +115,7 @@ static int nfnl_acct_new(struct net *net, struct sock *nfnl,
                 nfacct->flags = flags;
         }
 
-        strncpy(nfacct->name, nla_data(tb[NFACCT_NAME]), NFACCT_NAME_MAX);
+        nla_strlcpy(nfacct->name, nla_data(tb[NFACCT_NAME]), NFACCT_NAME_MAX);
 
         if (tb[NFACCT_BYTES]) {
                 atomic64_set(&nfacct->bytes,
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 4a4b293fb2e5..fa026b269b36 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -149,8 +149,8 @@ nfnl_cthelper_expect_policy(struct nf_conntrack_expect_policy *expect_policy,
             !tb[NFCTH_POLICY_EXPECT_TIMEOUT])
                 return -EINVAL;
 
-        strncpy(expect_policy->name,
-                nla_data(tb[NFCTH_POLICY_NAME]), NF_CT_HELPER_NAME_LEN);
+        nla_strlcpy(expect_policy->name,
+                    nla_data(tb[NFCTH_POLICY_NAME]), NF_CT_HELPER_NAME_LEN);
         expect_policy->max_expected =
                 ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
         if (expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT)
@@ -234,7 +234,8 @@ nfnl_cthelper_create(const struct nlattr * const tb[],
         if (ret < 0)
                 goto err1;
 
-        strncpy(helper->name, nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN);
+        nla_strlcpy(helper->name,
+                    nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN);
         size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
         if (size > FIELD_SIZEOF(struct nf_conn_help, data)) {
                 ret = -ENOMEM;
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 8e23726b9081..1d99a1efdafc 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -27,14 +27,31 @@ struct nft_xt {
         struct list_head        head;
         struct nft_expr_ops     ops;
         unsigned int            refcnt;
+
+        /* Unlike other expressions, ops doesn't have static storage duration.
+         * nft core assumes they do.  We use kfree_rcu so that nft core can
+         * can check expr->ops->size even after nft_compat->destroy() frees
+         * the nft_xt struct that holds the ops structure.
+         */
+        struct rcu_head         rcu_head;
+};
+
+/* Used for matches where *info is larger than X byte */
+#define NFT_MATCH_LARGE_THRESH  192
+
+struct nft_xt_match_priv {
+        void *info;
 };
 
-static void nft_xt_put(struct nft_xt *xt)
+static bool nft_xt_put(struct nft_xt *xt)
 {
         if (--xt->refcnt == 0) {
                 list_del(&xt->head);
-                kfree(xt);
+                kfree_rcu(xt, rcu_head);
+                return true;
         }
+
+        return false;
 }
 
 static int nft_compat_chain_validate_dependency(const char *tablename,
@@ -226,6 +243,7 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
         struct xt_target *target = expr->ops->data;
         struct xt_tgchk_param par;
         size_t size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO]));
+        struct nft_xt *nft_xt;
         u16 proto = 0;
         bool inv = false;
         union nft_entry e = {};
@@ -236,25 +254,22 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
         if (ctx->nla[NFTA_RULE_COMPAT]) {
                 ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
                 if (ret < 0)
-                        goto err;
+                        return ret;
         }
 
         nft_target_set_tgchk_param(&par, ctx, target, info, &e, proto, inv);
 
         ret = xt_check_target(&par, size, proto, inv);
         if (ret < 0)
-                goto err;
+                return ret;
 
         /* The standard target cannot be used */
-        if (target->target == NULL) {
-                ret = -EINVAL;
-                goto err;
-        }
+        if (!target->target)
+                return -EINVAL;
 
+        nft_xt = container_of(expr->ops, struct nft_xt, ops);
+        nft_xt->refcnt++;
         return 0;
-err:
-        module_put(target->me);
-        return ret;
 }
 
 static void
@@ -271,8 +286,8 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
         if (par.target->destroy != NULL)
                 par.target->destroy(&par);
 
-        nft_xt_put(container_of(expr->ops, struct nft_xt, ops));
-        module_put(target->me);
+        if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
+                module_put(target->me);
 }
 
 static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
@@ -316,11 +331,11 @@ static int nft_target_validate(const struct nft_ctx *ctx,
         return 0;
 }
 
-static void nft_match_eval(const struct nft_expr *expr,
-                           struct nft_regs *regs,
-                           const struct nft_pktinfo *pkt)
+static void __nft_match_eval(const struct nft_expr *expr,
+                             struct nft_regs *regs,
+                             const struct nft_pktinfo *pkt,
+                             void *info)
 {
-        void *info = nft_expr_priv(expr);
         struct xt_match *match = expr->ops->data;
         struct sk_buff *skb = pkt->skb;
         bool ret;
@@ -344,6 +359,22 @@ static void nft_match_eval(const struct nft_expr *expr,
         }
 }
 
+static void nft_match_large_eval(const struct nft_expr *expr,
+                                 struct nft_regs *regs,
+                                 const struct nft_pktinfo *pkt)
+{
+        struct nft_xt_match_priv *priv = nft_expr_priv(expr);
+
+        __nft_match_eval(expr, regs, pkt, priv->info);
+}
+
+static void nft_match_eval(const struct nft_expr *expr,
+                           struct nft_regs *regs,
+                           const struct nft_pktinfo *pkt)
+{
+        __nft_match_eval(expr, regs, pkt, nft_expr_priv(expr));
+}
+
 static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
         [NFTA_MATCH_NAME]       = { .type = NLA_NUL_STRING },
         [NFTA_MATCH_REV]        = { .type = NLA_U32 },
@@ -404,13 +435,14 @@ static void match_compat_from_user(struct xt_match *m, void *in, void *out)
 }
 
 static int
-nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
-                const struct nlattr * const tb[])
+__nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+                 const struct nlattr * const tb[],
+                 void *info)
 {
-        void *info = nft_expr_priv(expr);
         struct xt_match *match = expr->ops->data;
         struct xt_mtchk_param par;
         size_t size = XT_ALIGN(nla_len(tb[NFTA_MATCH_INFO]));
+        struct nft_xt *nft_xt;
         u16 proto = 0;
         bool inv = false;
         union nft_entry e = {};
@@ -421,26 +453,50 @@ nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
         if (ctx->nla[NFTA_RULE_COMPAT]) {
                 ret = nft_parse_compat(ctx->nla[NFTA_RULE_COMPAT], &proto, &inv);
                 if (ret < 0)
-                        goto err;
+                        return ret;
         }
 
         nft_match_set_mtchk_param(&par, ctx, match, info, &e, proto, inv);
 
         ret = xt_check_match(&par, size, proto, inv);
         if (ret < 0)
-                goto err;
+                return ret;
 
+        nft_xt = container_of(expr->ops, struct nft_xt, ops);
+        nft_xt->refcnt++;
         return 0;
-err:
-        module_put(match->me);
+}
+
+static int
+nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+               const struct nlattr * const tb[])
+{
+        return __nft_match_init(ctx, expr, tb, nft_expr_priv(expr));
+}
+
+static int
+nft_match_large_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+                     const struct nlattr * const tb[])
+{
+        struct nft_xt_match_priv *priv = nft_expr_priv(expr);
+        struct xt_match *m = expr->ops->data;
+        int ret;
+
+        priv->info = kmalloc(XT_ALIGN(m->matchsize), GFP_KERNEL);
+        if (!priv->info)
+                return -ENOMEM;
+
+        ret = __nft_match_init(ctx, expr, tb, priv->info);
+        if (ret)
+                kfree(priv->info);
         return ret;
 }
 
 static void
-nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
+__nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr,
+                    void *info)
 {
         struct xt_match *match = expr->ops->data;
-        void *info = nft_expr_priv(expr);
         struct xt_mtdtor_param par;
 
         par.net = ctx->net;
@@ -450,13 +506,28 @@ nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
         if (par.match->destroy != NULL)
                 par.match->destroy(&par);
 
-        nft_xt_put(container_of(expr->ops, struct nft_xt, ops));
-        module_put(match->me);
+        if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
+                module_put(match->me);
 }
 
-static int nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr)
+static void
+nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
+{
+        __nft_match_destroy(ctx, expr, nft_expr_priv(expr));
+}
+
+static void
+nft_match_large_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
+{
+        struct nft_xt_match_priv *priv = nft_expr_priv(expr);
+
+        __nft_match_destroy(ctx, expr, priv->info);
+        kfree(priv->info);
+}
+
+static int __nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr,
+                            void *info)
 {
-        void *info = nft_expr_priv(expr);
         struct xt_match *match = expr->ops->data;
 
         if (nla_put_string(skb, NFTA_MATCH_NAME, match->name) ||
@@ -470,6 +541,18 @@ nla_put_failure:
         return -1;
 }
 
+static int nft_match_dump(struct sk_buff *skb, const struct nft_expr *expr)
+{
+        return __nft_match_dump(skb, expr, nft_expr_priv(expr));
+}
+
+static int nft_match_large_dump(struct sk_buff *skb, const struct nft_expr *e)
+{
+        struct nft_xt_match_priv *priv = nft_expr_priv(e);
+
+        return __nft_match_dump(skb, e, priv->info);
+}
+
 static int nft_match_validate(const struct nft_ctx *ctx,
                               const struct nft_expr *expr,
                               const struct nft_data **data)
@@ -637,6 +720,7 @@ nft_match_select_ops(const struct nft_ctx *ctx,
 {
         struct nft_xt *nft_match;
         struct xt_match *match;
+        unsigned int matchsize;
         char *mt_name;
         u32 rev, family;
         int err;
@@ -654,13 +738,8 @@ nft_match_select_ops(const struct nft_ctx *ctx,
         list_for_each_entry(nft_match, &nft_match_list, head) {
                 struct xt_match *match = nft_match->ops.data;
 
-                if (nft_match_cmp(match, mt_name, rev, family)) {
-                        if (!try_module_get(match->me))
-                                return ERR_PTR(-ENOENT);
-
-                        nft_match->refcnt++;
+                if (nft_match_cmp(match, mt_name, rev, family))
                         return &nft_match->ops;
-                }
         }
 
         match = xt_request_find_match(family, mt_name, rev);
@@ -679,9 +758,8 @@ nft_match_select_ops(const struct nft_ctx *ctx,
                 goto err;
         }
 
-        nft_match->refcnt = 1;
+        nft_match->refcnt = 0;
         nft_match->ops.type = &nft_match_type;
-        nft_match->ops.size = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize));
         nft_match->ops.eval = nft_match_eval;
         nft_match->ops.init = nft_match_init;
         nft_match->ops.destroy = nft_match_destroy;
@@ -689,6 +767,18 @@ nft_match_select_ops(const struct nft_ctx *ctx,
         nft_match->ops.validate = nft_match_validate;
         nft_match->ops.data = match;
 
+        matchsize = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize));
+        if (matchsize > NFT_MATCH_LARGE_THRESH) {
+                matchsize = NFT_EXPR_SIZE(sizeof(struct nft_xt_match_priv));
+
+                nft_match->ops.eval = nft_match_large_eval;
+                nft_match->ops.init = nft_match_large_init;
+                nft_match->ops.destroy = nft_match_large_destroy;
+                nft_match->ops.dump = nft_match_large_dump;
+        }
+
+        nft_match->ops.size = matchsize;
+
         list_add(&nft_match->head, &nft_match_list);
 
         return &nft_match->ops;
@@ -739,13 +829,8 @@ nft_target_select_ops(const struct nft_ctx *ctx,
         list_for_each_entry(nft_target, &nft_target_list, head) {
                 struct xt_target *target = nft_target->ops.data;
 
-                if (nft_target_cmp(target, tg_name, rev, family)) {
-                        if (!try_module_get(target->me))
-                                return ERR_PTR(-ENOENT);
-
-                        nft_target->refcnt++;
+                if (nft_target_cmp(target, tg_name, rev, family))
                         return &nft_target->ops;
-                }
         }
 
         target = xt_request_find_target(family, tg_name, rev);
@@ -764,7 +849,7 @@ nft_target_select_ops(const struct nft_ctx *ctx,
                 goto err;
         }
 
-        nft_target->refcnt = 1;
+        nft_target->refcnt = 0;
         nft_target->ops.type = &nft_target_type;
         nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
         nft_target->ops.init = nft_target_init;
@@ -823,6 +908,32 @@ err_match:
 
 static void __exit nft_compat_module_exit(void)
 {
+        struct nft_xt *xt, *next;
+
+        /* list should be empty here, it can be non-empty only in case there
+         * was an error that caused nft_xt expr to not be initialized fully
+         * and noone else requested the same expression later.
+         *
+         * In this case, the lists contain 0-refcount entries that still
+         * hold module reference.
+         */
+        list_for_each_entry_safe(xt, next, &nft_target_list, head) {
+                struct xt_target *target = xt->ops.data;
+
+                if (WARN_ON_ONCE(xt->refcnt))
+                        continue;
+                module_put(target->me);
+                kfree(xt);
+        }
+
+        list_for_each_entry_safe(xt, next, &nft_match_list, head) {
+                struct xt_match *match = xt->ops.data;
+
+                if (WARN_ON_ONCE(xt->refcnt))
+                        continue;
+                module_put(match->me);
+                kfree(xt);
+        }
         nfnetlink_subsys_unregister(&nfnl_compat_subsys);
         nft_unregister_expr(&nft_target_type);
         nft_unregister_expr(&nft_match_type);
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index 4717d7796927..aa87ff8beae8 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -69,8 +69,16 @@ err1:
         return err;
 }
 
-static void nft_immediate_destroy(const struct nft_ctx *ctx,
-                                  const struct nft_expr *expr)
+static void nft_immediate_activate(const struct nft_ctx *ctx,
+                                   const struct nft_expr *expr)
+{
+        const struct nft_immediate_expr *priv = nft_expr_priv(expr);
+
+        return nft_data_hold(&priv->data, nft_dreg_to_type(priv->dreg));
+}
+
+static void nft_immediate_deactivate(const struct nft_ctx *ctx,
+                                     const struct nft_expr *expr)
 {
         const struct nft_immediate_expr *priv = nft_expr_priv(expr);
 
@@ -108,7 +116,8 @@ static const struct nft_expr_ops nft_imm_ops = {
         .size           = NFT_EXPR_SIZE(sizeof(struct nft_immediate_expr)),
         .eval           = nft_immediate_eval,
         .init           = nft_immediate_init,
-        .destroy        = nft_immediate_destroy,
+        .activate       = nft_immediate_activate,
+        .deactivate     = nft_immediate_deactivate,
         .dump           = nft_immediate_dump,
         .validate       = nft_immediate_validate,
 };
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 71325fef647d..cb7cb300c3bc 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -183,6 +183,9 @@ struct xt_match *xt_find_match(u8 af, const char *name, u8 revision)
         struct xt_match *m;
         int err = -ENOENT;
 
+        if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
+                return ERR_PTR(-EINVAL);
+
         mutex_lock(&xt[af].mutex);
         list_for_each_entry(m, &xt[af].match, list) {
                 if (strcmp(m->name, name) == 0) {
@@ -229,6 +232,9 @@ struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
         struct xt_target *t;
         int err = -ENOENT;
 
+        if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
+                return ERR_PTR(-EINVAL);
+
         mutex_lock(&xt[af].mutex);
         list_for_each_entry(t, &xt[af].target, list) {
                 if (strcmp(t->name, name) == 0) {
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 01f3515cada0..e9422fe45179 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2903,13 +2903,15 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
         if (skb == NULL)
                 goto out_unlock;
 
-        skb_set_network_header(skb, reserve);
+        skb_reset_network_header(skb);
 
         err = -EINVAL;
         if (sock->type == SOCK_DGRAM) {
                 offset = dev_hard_header(skb, dev, ntohs(proto), addr, NULL, len);
                 if (unlikely(offset < 0))
                         goto out_free;
+        } else if (reserve) {
+                skb_push(skb, reserve);
         }
 
         /* Returns -EFAULT on error */
diff --git a/net/sched/act_vlan.c b/net/sched/act_vlan.c
index 853604685965..1fb39e1f9d07 100644
--- a/net/sched/act_vlan.c
+++ b/net/sched/act_vlan.c
@@ -161,6 +161,8 @@ static int tcf_vlan_init(struct net *net, struct nlattr *nla,
                         case htons(ETH_P_8021AD):
                                 break;
                         default:
+                                if (exists)
+                                        tcf_idr_release(*a, bind);
                                 return -EPROTONOSUPPORT;
                         }
                 } else {
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index 16644b3d2362..56c181c3feeb 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -222,10 +222,11 @@ static int red_change(struct Qdisc *sch, struct nlattr *opt,
                                          extack);
                 if (IS_ERR(child))
                         return PTR_ERR(child);
-        }
 
-        if (child != &noop_qdisc)
+                /* child is fifo, no need to check for noop_qdisc */
                 qdisc_hash_add(child, true);
+        }
+
         sch_tree_lock(sch);
         q->flags = ctl->flags;
         q->limit = ctl->limit;
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
index 03225a8df973..6f74a426f159 100644
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -383,6 +383,9 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt,
                         err = PTR_ERR(child);
                         goto done;
                 }
+
+                /* child is fifo, no need to check for noop_qdisc */
+                qdisc_hash_add(child, true);
         }
 
         sch_tree_lock(sch);
@@ -391,8 +394,6 @@ static int tbf_change(struct Qdisc *sch, struct nlattr *opt,
                                           q->qdisc->qstats.backlog);
                 qdisc_destroy(q->qdisc);
                 q->qdisc = child;
-                if (child != &noop_qdisc)
-                        qdisc_hash_add(child, true);
         }
         q->limit = qopt->limit;
         if (tb[TCA_TBF_PBURST])
diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c
index 74568cdbca70..d7b88b2d1b22 100644
--- a/net/smc/smc_pnet.c
+++ b/net/smc/smc_pnet.c
@@ -245,40 +245,45 @@ out:
 static int smc_pnet_fill_entry(struct net *net, struct smc_pnetentry *pnetelem,
                                struct nlattr *tb[])
 {
-        char *string, *ibname = NULL;
-        int rc = 0;
+        char *string, *ibname;
+        int rc;
 
         memset(pnetelem, 0, sizeof(*pnetelem));
         INIT_LIST_HEAD(&pnetelem->list);
-        if (tb[SMC_PNETID_NAME]) {
-                string = (char *)nla_data(tb[SMC_PNETID_NAME]);
-                if (!smc_pnetid_valid(string, pnetelem->pnet_name)) {
-                        rc = -EINVAL;
-                        goto error;
-                }
-        }
-        if (tb[SMC_PNETID_ETHNAME]) {
-                string = (char *)nla_data(tb[SMC_PNETID_ETHNAME]);
-                pnetelem->ndev = dev_get_by_name(net, string);
-                if (!pnetelem->ndev)
-                        return -ENOENT;
-        }
-        if (tb[SMC_PNETID_IBNAME]) {
-                ibname = (char *)nla_data(tb[SMC_PNETID_IBNAME]);
-                ibname = strim(ibname);
-                pnetelem->smcibdev = smc_pnet_find_ib(ibname);
-                if (!pnetelem->smcibdev) {
-                        rc = -ENOENT;
-                        goto error;
-                }
-        }
-        if (tb[SMC_PNETID_IBPORT]) {
-                pnetelem->ib_port = nla_get_u8(tb[SMC_PNETID_IBPORT]);
-                if (pnetelem->ib_port > SMC_MAX_PORTS) {
-                        rc = -EINVAL;
-                        goto error;
-                }
-        }
+
+        rc = -EINVAL;
+        if (!tb[SMC_PNETID_NAME])
+                goto error;
+        string = (char *)nla_data(tb[SMC_PNETID_NAME]);
+        if (!smc_pnetid_valid(string, pnetelem->pnet_name))
+                goto error;
+
+        rc = -EINVAL;
+        if (!tb[SMC_PNETID_ETHNAME])
+                goto error;
+        rc = -ENOENT;
+        string = (char *)nla_data(tb[SMC_PNETID_ETHNAME]);
+        pnetelem->ndev = dev_get_by_name(net, string);
+        if (!pnetelem->ndev)
+                goto error;
+
+        rc = -EINVAL;
+        if (!tb[SMC_PNETID_IBNAME])
+                goto error;
+        rc = -ENOENT;
+        ibname = (char *)nla_data(tb[SMC_PNETID_IBNAME]);
+        ibname = strim(ibname);
+        pnetelem->smcibdev = smc_pnet_find_ib(ibname);
+        if (!pnetelem->smcibdev)
+                goto error;
+
+        rc = -EINVAL;
+        if (!tb[SMC_PNETID_IBPORT])
+                goto error;
+        pnetelem->ib_port = nla_get_u8(tb[SMC_PNETID_IBPORT]);
+        if (pnetelem->ib_port < 1 || pnetelem->ib_port > SMC_MAX_PORTS)
+                goto error;
+
         return 0;
 
 error:
@@ -307,6 +312,8 @@ static int smc_pnet_get(struct sk_buff *skb, struct genl_info *info)
         void *hdr;
         int rc;
 
+        if (!info->attrs[SMC_PNETID_NAME])
+                return -EINVAL;
         pnetelem = smc_pnet_find_pnetid(
                                 (char *)nla_data(info->attrs[SMC_PNETID_NAME]));
         if (!pnetelem)
@@ -359,6 +366,8 @@ static int smc_pnet_add(struct sk_buff *skb, struct genl_info *info)
 
 static int smc_pnet_del(struct sk_buff *skb, struct genl_info *info)
 {
+        if (!info->attrs[SMC_PNETID_NAME])
+                return -EINVAL;
         return smc_pnet_remove_by_pnetid(
                                 (char *)nla_data(info->attrs[SMC_PNETID_NAME]));
 }
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 71e79597f940..e1c93ce74e0f 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -680,7 +680,6 @@ static int decrypt_skb(struct sock *sk, struct sk_buff *skb,
         struct scatterlist *sgin = &sgin_arr[0];
         struct strp_msg *rxm = strp_msg(skb);
         int ret, nsg = ARRAY_SIZE(sgin_arr);
-        char aad_recv[TLS_AAD_SPACE_SIZE];
         struct sk_buff *unused;
 
         ret = skb_copy_bits(skb, rxm->offset + TLS_HEADER_SIZE,
@@ -698,13 +697,13 @@ static int decrypt_skb(struct sock *sk, struct sk_buff *skb,
         }
 
         sg_init_table(sgin, nsg);
-        sg_set_buf(&sgin[0], aad_recv, sizeof(aad_recv));
+        sg_set_buf(&sgin[0], ctx->rx_aad_ciphertext, TLS_AAD_SPACE_SIZE);
 
         nsg = skb_to_sgvec(skb, &sgin[1],
                            rxm->offset + tls_ctx->rx.prepend_size,
                            rxm->full_len - tls_ctx->rx.prepend_size);
 
-        tls_make_aad(aad_recv,
+        tls_make_aad(ctx->rx_aad_ciphertext,
                      rxm->full_len - tls_ctx->rx.overhead_size,
                      tls_ctx->rx.rec_seq,
                      tls_ctx->rx.rec_seq_size,
@@ -803,12 +802,12 @@ int tls_sw_recvmsg(struct sock *sk,
                         if (to_copy <= len && page_count < MAX_SKB_FRAGS &&
                             likely(!(flags & MSG_PEEK)))  {
                                 struct scatterlist sgin[MAX_SKB_FRAGS + 1];
-                                char unused[21];
                                 int pages = 0;
 
                                 zc = true;
                                 sg_init_table(sgin, MAX_SKB_FRAGS + 1);
-                                sg_set_buf(&sgin[0], unused, 13);
+                                sg_set_buf(&sgin[0], ctx->rx_aad_plaintext,
+                                           TLS_AAD_SPACE_SIZE);
 
                                 err = zerocopy_from_iter(sk, &msg->msg_iter,
                                                          to_copy, &pages,