Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Conflicts: drivers/net/geneve.c Here we had an overlapping change, where in 'net' the extraneous stats bump was being removed whilst in 'net-next' the final argument to udp_tunnel6_xmit_skb() was being changed. Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2015-12-17 22:08:28 -0500
committer: David S. Miller <davem@davemloft.net> 2015-12-17 22:08:28 -0500
commit: b3e0d3d7bab14f2544a3314bec53a23dc7dd2206 (patch)
tree: 2bd3c1c1d128e0c362655fa70a6eea02fc856f62 /net
parent: 3268e5cb494d8778a5a67a9fa2b1bdb0243b77ad (diff)
parent: 73796d8bf27372e26c2b79881947304c14c2d353 (diff)
49 files changed, 371 insertions, 240 deletions
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index ae3a47f9d1d5..fbd0acf80b13 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -805,6 +805,9 @@ static int ax25_create(struct net *net, struct socket *sock, int protocol,
        struct sock *sk;
        ax25_cb *ax25;
+        if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+                return -EINVAL;
        if (!net_eq(net, &init_net))
                return -EAFNOSUPPORT;
diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
index 83bc1aaf5800..a49c705fb86b 100644
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -566,6 +566,7 @@ batadv_dat_select_candidates(struct batadv_priv *bat_priv, __be32 ip_dst)
        int select;
        batadv_dat_addr_t last_max = BATADV_DAT_ADDR_MAX, ip_key;
        struct batadv_dat_candidate *res;
+        struct batadv_dat_entry dat;
        if (!bat_priv->orig_hash)
                return NULL;
@@ -575,7 +576,9 @@ batadv_dat_select_candidates(struct batadv_priv *bat_priv, __be32 ip_dst)
        if (!res)
                return NULL;
-        ip_key = (batadv_dat_addr_t)batadv_hash_dat(&ip_dst,
+        dat.ip = ip_dst;
+        dat.vid = 0;
+        ip_key = (batadv_dat_addr_t)batadv_hash_dat(&dat,
                                                    BATADV_DAT_ADDR_MAX);
        batadv_dbg(BATADV_DBG_DAT, bat_priv,
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index a43f02e2d423..e4f2646d9246 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -836,6 +836,7 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
        u8 *orig_addr;
        struct batadv_orig_node *orig_node = NULL;
        int check, hdr_size = sizeof(*unicast_packet);
+        enum batadv_subtype subtype;
        bool is4addr;
        unicast_packet = (struct batadv_unicast_packet *)skb->data;
@@ -863,10 +864,20 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
        /* packet for me */
        if (batadv_is_my_mac(bat_priv, unicast_packet->dest)) {
                if (is4addr) {
-                        batadv_dat_inc_counter(bat_priv,
+                        subtype = unicast_4addr_packet->subtype;
-                                               unicast_4addr_packet->subtype);
+                        batadv_dat_inc_counter(bat_priv, subtype);
-                        orig_addr = unicast_4addr_packet->src;
-                        orig_node = batadv_orig_hash_find(bat_priv, orig_addr);
+                        /* Only payload data should be considered for speedy
+                         * join. For example, DAT also uses unicast 4addr
+                         * types, but those packets should not be considered
+                         * for speedy join, since the clients do not actually
+                         * reside at the sending originator.
+                         */
+                        if (subtype == BATADV_P_DATA) {
+                                orig_addr = unicast_4addr_packet->src;
+                                orig_node = batadv_orig_hash_find(bat_priv,
+                                                                  orig_addr);
+                        }
                }
                if (batadv_dat_snoop_incoming_arp_request(bat_priv, skb,
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 5cf431177f34..ec67deff1621 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -68,13 +68,15 @@ static void batadv_tt_global_del(struct batadv_priv *bat_priv,
                                 unsigned short vid, const char *message,
                                 bool roaming);
-/* returns 1 if they are the same mac addr */
+/* returns 1 if they are the same mac addr and vid */
 static int batadv_compare_tt(const struct hlist_node *node, const void *data2)
 {
        const void *data1 = container_of(node, struct batadv_tt_common_entry,
                                         hash_entry);
+        const struct batadv_tt_common_entry *tt1 = data1;
+        const struct batadv_tt_common_entry *tt2 = data2;
-        return batadv_compare_eth(data1, data2);
+        return (tt1->vid == tt2->vid) && batadv_compare_eth(data1, data2);
 }
 /**
@@ -1427,9 +1429,15 @@ static bool batadv_tt_global_add(struct batadv_priv *bat_priv,
                }
                /* if the client was temporary added before receiving the first
-                 * OGM announcing it, we have to clear the TEMP flag
+                 * OGM announcing it, we have to clear the TEMP flag. Also,
+                 * remove the previous temporary orig node and re-add it
+                 * if required. If the orig entry changed, the new one which
+                 * is a non-temporary entry is preferred.
                 */
-                common->flags &= ~BATADV_TT_CLIENT_TEMP;
+                if (common->flags & BATADV_TT_CLIENT_TEMP) {
+                        batadv_tt_global_del_orig_list(tt_global_entry);
+                        common->flags &= ~BATADV_TT_CLIENT_TEMP;
+                }
                /* the change can carry possible "attribute" flags like the
                 * TT_CLIENT_WIFI, therefore they have to be copied in the
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index fe129663bd3f..f52bcbf2e58c 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -526,6 +526,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr,
        if (!addr || addr->sa_family != AF_BLUETOOTH)
                return -EINVAL;
+        if (addr_len < sizeof(struct sockaddr_sco))
+                return -EINVAL;
        lock_sock(sk);
        if (sk->sk_state != BT_OPEN) {
diff --git a/net/core/netclassid_cgroup.c b/net/core/netclassid_cgroup.c
index 04257a0e3534..0260c84ed83c 100644
--- a/net/core/netclassid_cgroup.c
+++ b/net/core/netclassid_cgroup.c
@@ -84,9 +84,11 @@ static void update_classid(struct cgroup_subsys_state *css, void *v)
        css_task_iter_end(&it);
 }
-static void cgrp_attach(struct cgroup_subsys_state *css,
+static void cgrp_attach(struct cgroup_taskset *tset)
-                        struct cgroup_taskset *tset)
 {
+        struct cgroup_subsys_state *css;
+        cgroup_taskset_first(tset, &css);
        update_classid(css,
                       (void *)(unsigned long)css_cls_state(css)->classid);
 }
diff --git a/net/core/netprio_cgroup.c b/net/core/netprio_cgroup.c
index 053d60c33395..f1efbc39ef6b 100644
--- a/net/core/netprio_cgroup.c
+++ b/net/core/netprio_cgroup.c
@@ -233,13 +233,14 @@ static int update_netprio(const void *v, struct file *file, unsigned n)
        return 0;
 }
-static void net_prio_attach(struct cgroup_subsys_state *css,
+static void net_prio_attach(struct cgroup_taskset *tset)
-                            struct cgroup_taskset *tset)
 {
        struct task_struct *p;
-        void *v = (void *)(unsigned long)css->cgroup->id;
+        struct cgroup_subsys_state *css;
+        cgroup_taskset_for_each(p, css, tset) {
+                void *v = (void *)(unsigned long)css->cgroup->id;
-        cgroup_taskset_for_each(p, tset) {
                task_lock(p);
                iterate_fd(p->files, 0, update_netprio, v);
                task_unlock(p);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 152b9c70e252..b2df375ec9c2 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3643,7 +3643,8 @@ static void __skb_complete_tx_timestamp(struct sk_buff *skb,
        serr->ee.ee_info = tstype;
        if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
                serr->ee.ee_data = skb_shinfo(skb)->tskey;
-                if (sk->sk_protocol == IPPROTO_TCP)
+                if (sk->sk_protocol == IPPROTO_TCP &&
+                    sk->sk_type == SOCK_STREAM)
                        serr->ee.ee_data -= sk->sk_tskey;
        }
@@ -4268,7 +4269,7 @@ static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
                return NULL;
        }
-        memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len,
+        memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN,
                2 * ETH_ALEN);
        skb->mac_header += VLAN_HLEN;
        return skb;
diff --git a/net/core/sock.c b/net/core/sock.c
index 1278d7b7bd9a..565bab7baca9 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -433,8 +433,6 @@ static bool sock_needs_netstamp(const struct sock *sk)
        }
 }
-#define SK_FLAGS_TIMESTAMP ((1UL << SOCK_TIMESTAMP) | (1UL << SOCK_TIMESTAMPING_RX_SOFTWARE))
 static void sock_disable_timestamp(struct sock *sk, unsigned long flags)
 {
        if (sk->sk_flags & flags) {
@@ -874,7 +872,8 @@ set_rcvbuf:
                if (val & SOF_TIMESTAMPING_OPT_ID &&
                    !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) {
-                        if (sk->sk_protocol == IPPROTO_TCP) {
+                        if (sk->sk_protocol == IPPROTO_TCP &&
+                            sk->sk_type == SOCK_STREAM) {
                                if (sk->sk_state != TCP_ESTABLISHED) {
                                        ret = -EINVAL;
                                        break;
@@ -1543,7 +1542,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
                         */
                        is_charged = sk_filter_charge(newsk, filter);
-                if (unlikely(!is_charged || xfrm_sk_clone_policy(newsk))) {
+                if (unlikely(!is_charged || xfrm_sk_clone_policy(newsk, sk))) {
                        /* It is still raw copy of parent, so invalidate
                         * destructor and make plain sk_free() */
                        newsk->sk_destruct = NULL;
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index eebf5ac8ce18..13d6b1a6e0fc 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -678,6 +678,9 @@ static int dn_create(struct net *net, struct socket *sock, int protocol,
 {
        struct sock *sk;
+        if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+                return -EINVAL;
        if (!net_eq(net, &init_net))
                return -EAFNOSUPPORT;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 11c4ca13ec3b..5c5db6636704 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -257,6 +257,9 @@ static int inet_create(struct net *net, struct socket *sock, int protocol,
        int try_loading_module = 0;
        int err;
+        if (protocol < 0 || protocol >= IPPROTO_MAX)
+                return -EINVAL;
        sock->state = SS_UNCONNECTED;
        /* Look for the requested type/protocol pair. */
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index cc8f3e506cde..473447593060 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -1155,6 +1155,7 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
 static int fib_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
 {
        struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+        struct netdev_notifier_changeupper_info *info;
        struct in_device *in_dev;
        struct net *net = dev_net(dev);
        unsigned int flags;
@@ -1193,6 +1194,14 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
        case NETDEV_CHANGEMTU:
                rt_cache_flush(net);
                break;
+        case NETDEV_CHANGEUPPER:
+                info = ptr;
+                /* flush all routes if dev is linked to or unlinked from
+                 * an L3 master device (e.g., VRF)
+                 */
+                if (info->upper_dev && netif_is_l3_master(info->upper_dev))
+                        fib_disable_ip(dev, NETDEV_DOWN, true);
+                break;
        }
        return NOTIFY_DONE;
 }
diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
index e0fcbbbcfe54..bd903fe0f750 100644
--- a/net/ipv4/fou.c
+++ b/net/ipv4/fou.c
@@ -24,6 +24,7 @@ struct fou {
        u16 type;
        struct udp_offload udp_offloads;
        struct list_head list;
+        struct rcu_head rcu;
 };
 #define FOU_F_REMCSUM_NOPARTIAL BIT(0)
@@ -417,7 +418,7 @@ static void fou_release(struct fou *fou)
        list_del(&fou->list);
        udp_tunnel_sock_release(sock);
-        kfree(fou);
+        kfree_rcu(fou, rcu);
 }
 static int fou_encap_init(struct sock *sk, struct fou *fou, struct fou_cfg *cfg)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index a35584176535..c187c60e3e0c 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -60,6 +60,7 @@ config NFT_REJECT_IPV4
 config NFT_DUP_IPV4
        tristate "IPv4 nf_tables packet duplication support"
+        depends on !NF_CONNTRACK || NF_CONNTRACK
        select NF_DUP_IPV4
        help
          This module enables IPv4 packet duplication support for nf_tables.
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 7aa13bd3de29..205e6745393f 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1493,7 +1493,7 @@ bool tcp_prequeue(struct sock *sk, struct sk_buff *skb)
        if (likely(sk->sk_rx_dst))
                skb_dst_drop(skb);
        else
-                skb_dst_force(skb);
+                skb_dst_force_safe(skb);
        __skb_queue_tail(&tp->ucopy.prequeue, skb);
        tp->ucopy.memory += skb->truesize;
@@ -1721,8 +1721,7 @@ void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
 {
        struct dst_entry *dst = skb_dst(skb);
-        if (dst) {
+        if (dst && dst_hold_safe(dst)) {
-                dst_hold(dst);
                sk->sk_rx_dst = dst;
                inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
        }
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index a800cee88035..412a920fe0ec 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3150,7 +3150,7 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
 {
        struct tcp_sock *tp = tcp_sk(sk);
        struct tcp_fastopen_request *fo = tp->fastopen_req;
-        int syn_loss = 0, space, err = 0, copied;
+        int syn_loss = 0, space, err = 0;
        unsigned long last_syn_loss = 0;
        struct sk_buff *syn_data;
@@ -3188,17 +3188,18 @@ static int tcp_send_syn_data(struct sock *sk, struct sk_buff *syn)
                goto fallback;
        syn_data->ip_summed = CHECKSUM_PARTIAL;
        memcpy(syn_data->cb, syn->cb, sizeof(syn->cb));
-        copied = copy_from_iter(skb_put(syn_data, space), space,
+        if (space) {
-                                &fo->data->msg_iter);
+                int copied = copy_from_iter(skb_put(syn_data, space), space,
-        if (unlikely(!copied)) {
+                                            &fo->data->msg_iter);
-                kfree_skb(syn_data);
+                if (unlikely(!copied)) {
-                goto fallback;
+                        kfree_skb(syn_data);
-        }
+                        goto fallback;
-        if (copied != space) {
+                }
-                skb_trim(syn_data, copied);
+                if (copied != space) {
-                space = copied;
+                        skb_trim(syn_data, copied);
+                        space = copied;
+                }
        }
        /* No more data pending in inet_wait_for_connect() */
        if (space == fo->size)
                fo->data = NULL;
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 7082fb79d876..233efa67dc3d 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -350,6 +350,12 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev)
        setup_timer(&ndev->rs_timer, addrconf_rs_timer,
                    (unsigned long)ndev);
        memcpy(&ndev->cnf, dev_net(dev)->ipv6.devconf_dflt, sizeof(ndev->cnf));
+        if (ndev->cnf.stable_secret.initialized)
+                ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
+        else
+                ndev->addr_gen_mode = IN6_ADDR_GEN_MODE_EUI64;
        ndev->cnf.mtu6 = dev->mtu;
        ndev->cnf.sysctl = NULL;
        ndev->nd_parms = neigh_parms_alloc(dev, &nd_tbl);
@@ -2454,7 +2460,7 @@ ok:
 #ifdef CONFIG_IPV6_OPTIMISTIC_DAD
                        if (in6_dev->cnf.optimistic_dad &&
                            !net->ipv6.devconf_all->forwarding && sllao)
-                                addr_flags = IFA_F_OPTIMISTIC;
+                                addr_flags |= IFA_F_OPTIMISTIC;
 #endif
                        /* Do not allow to create too much of autoconfigured
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 8ec0df75f1c4..9f5137cd604e 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, struct socket *sock, int protocol,
        int try_loading_module = 0;
        int err;
+        if (protocol < 0 || protocol >= IPPROTO_MAX)
+                return -EINVAL;
        /* Look for the requested type/protocol pair. */
 lookup_protocol:
        err = -ESOCKTNOSUPPORT;
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 938d03ce5e4b..f37f18b6b40c 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1570,13 +1570,11 @@ static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[],
                        return -EEXIST;
        } else {
                t = nt;
-                ip6gre_tunnel_unlink(ign, t);
-                ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
-                ip6gre_tunnel_link(ign, t);
-                netdev_state_change(dev);
        }
+        ip6gre_tunnel_unlink(ign, t);
+        ip6gre_tnl_change(t, &p, !tb[IFLA_MTU]);
+        ip6gre_tunnel_link(ign, t);
        return 0;
 }
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index f6a024e141e5..e10a04c9cdc7 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -49,6 +49,7 @@ config NFT_REJECT_IPV6
 config NFT_DUP_IPV6
        tristate "IPv6 nf_tables packet duplication support"
+        depends on !NF_CONNTRACK || NF_CONNTRACK
        select NF_DUP_IPV6
        help
          This module enables IPv6 packet duplication support for nf_tables.
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 5382c2662fa2..f03d2b0445fd 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -93,10 +93,9 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
 {
        struct dst_entry *dst = skb_dst(skb);
-        if (dst) {
+        if (dst && dst_hold_safe(dst)) {
                const struct rt6_info *rt = (const struct rt6_info *)dst;
-                dst_hold(dst);
                sk->sk_rx_dst = dst;
                inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
                inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt);
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index e6aa48b5395c..923abd6b3064 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1086,6 +1086,9 @@ static int irda_create(struct net *net, struct socket *sock, int protocol,
        struct sock *sk;
        struct irda_sock *self;
+        if (protocol < 0 || protocol > SK_PROTOCOL_MAX)
+                return -EINVAL;
        if (net != &init_net)
                return -EAFNOSUPPORT;
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 2d1c4c35186d..166a29fe6c35 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1169,8 +1169,7 @@ static int sta_apply_parameters(struct ieee80211_local *local,
                 * rc isn't initialized here yet, so ignore it
                 */
                __ieee80211_vht_handle_opmode(sdata, sta,
-                                              params->opmode_notif,
+                                              params->opmode_notif, band);
-                                              band, false);
        }
        if (ieee80211_vif_is_mesh(&sdata->vif))
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index c30b6842ed9f..b84f6aa32c08 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1716,10 +1716,10 @@ enum ieee80211_sta_rx_bandwidth ieee80211_sta_cur_vht_bw(struct sta_info *sta);
 void ieee80211_sta_set_rx_nss(struct sta_info *sta);
 u32 __ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
                                  struct sta_info *sta, u8 opmode,
-                                  enum ieee80211_band band, bool nss_only);
+                                  enum ieee80211_band band);
 void ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
                                 struct sta_info *sta, u8 opmode,
-                                 enum ieee80211_band band, bool nss_only);
+                                 enum ieee80211_band band);
 void ieee80211_apply_vhtcap_overrides(struct ieee80211_sub_if_data *sdata,
                                      struct ieee80211_sta_vht_cap *vht_cap);
 void ieee80211_get_vht_mask_from_cap(__le16 vht_cap,
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 123b26d177e8..1c342e2592c4 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1379,21 +1379,26 @@ static u32 ieee80211_handle_pwr_constr(struct ieee80211_sub_if_data *sdata,
         */
        if (has_80211h_pwr &&
            (!has_cisco_pwr || pwr_level_80211h <= pwr_level_cisco)) {
+                new_ap_level = pwr_level_80211h;
+                if (sdata->ap_power_level == new_ap_level)
+                        return 0;
                sdata_dbg(sdata,
                          "Limiting TX power to %d (%d - %d) dBm as advertised by %pM\n",
                          pwr_level_80211h, chan_pwr, pwr_reduction_80211h,
                          sdata->u.mgd.bssid);
-                new_ap_level = pwr_level_80211h;
        } else {  /* has_cisco_pwr is always true here. */
+                new_ap_level = pwr_level_cisco;
+                if (sdata->ap_power_level == new_ap_level)
+                        return 0;
                sdata_dbg(sdata,
                          "Limiting TX power to %d dBm as advertised by %pM\n",
                          pwr_level_cisco, sdata->u.mgd.bssid);
-                new_ap_level = pwr_level_cisco;
        }
-        if (sdata->ap_power_level == new_ap_level)
-                return 0;
        sdata->ap_power_level = new_ap_level;
        if (__ieee80211_recalc_txpower(sdata))
                return BSS_CHANGED_TXPOWER;
@@ -3577,7 +3582,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
        if (sta && elems.opmode_notif)
                ieee80211_vht_handle_opmode(sdata, sta, *elems.opmode_notif,
-                                            rx_status->band, true);
+                                            rx_status->band);
        mutex_unlock(&local->sta_mtx);
        changed |= ieee80211_handle_pwr_constr(sdata, chan, mgmt,
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 1f827539d828..bc081850ac0e 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2735,8 +2735,7 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                        opmode = mgmt->u.action.u.vht_opmode_notif.operating_mode;
                        ieee80211_vht_handle_opmode(rx->sdata, rx->sta,
-                                                    opmode, status->band,
+                                                    opmode, status->band);
-                                                    false);
                        goto handled;
                }
                default:
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 08af2b307945..3943d4bf289c 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1644,6 +1644,29 @@ void ieee80211_stop_device(struct ieee80211_local *local)
        drv_stop(local);
 }
+static void ieee80211_flush_completed_scan(struct ieee80211_local *local,
+                                           bool aborted)
+{
+        /* It's possible that we don't handle the scan completion in
+         * time during suspend, so if it's still marked as completed
+         * here, queue the work and flush it to clean things up.
+         * Instead of calling the worker function directly here, we
+         * really queue it to avoid potential races with other flows
+         * scheduling the same work.
+         */
+        if (test_bit(SCAN_COMPLETED, &local->scanning)) {
+                /* If coming from reconfiguration failure, abort the scan so
+                 * we don't attempt to continue a partial HW scan - which is
+                 * possible otherwise if (e.g.) the 2.4 GHz portion was the
+                 * completed scan, and a 5 GHz portion is still pending.
+                 */
+                if (aborted)
+                        set_bit(SCAN_ABORTED, &local->scanning);
+                ieee80211_queue_delayed_work(&local->hw, &local->scan_work, 0);
+                flush_delayed_work(&local->scan_work);
+        }
+}
 static void ieee80211_handle_reconfig_failure(struct ieee80211_local *local)
 {
        struct ieee80211_sub_if_data *sdata;
@@ -1663,6 +1686,8 @@ static void ieee80211_handle_reconfig_failure(struct ieee80211_local *local)
        local->suspended = false;
        local->in_reconfig = false;
+        ieee80211_flush_completed_scan(local, true);
        /* scheduled scan clearly can't be running any more, but tell
         * cfg80211 and clear local state
         */
@@ -1701,6 +1726,27 @@ static void ieee80211_assign_chanctx(struct ieee80211_local *local,
        mutex_unlock(&local->chanctx_mtx);
 }
+static void ieee80211_reconfig_stations(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_local *local = sdata->local;
+        struct sta_info *sta;
+        /* add STAs back */
+        mutex_lock(&local->sta_mtx);
+        list_for_each_entry(sta, &local->sta_list, list) {
+                enum ieee80211_sta_state state;
+                if (!sta->uploaded || sta->sdata != sdata)
+                        continue;
+                for (state = IEEE80211_STA_NOTEXIST;
+                     state < sta->sta_state; state++)
+                        WARN_ON(drv_sta_state(local, sta->sdata, sta, state,
+                                              state + 1));
+        }
+        mutex_unlock(&local->sta_mtx);
+}
 int ieee80211_reconfig(struct ieee80211_local *local)
 {
        struct ieee80211_hw *hw = &local->hw;
@@ -1836,50 +1882,11 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                                WARN_ON(drv_add_chanctx(local, ctx));
                mutex_unlock(&local->chanctx_mtx);
-                list_for_each_entry(sdata, &local->interfaces, list) {
-                        if (!ieee80211_sdata_running(sdata))
-                                continue;
-                        ieee80211_assign_chanctx(local, sdata);
-                }
                sdata = rtnl_dereference(local->monitor_sdata);
                if (sdata && ieee80211_sdata_running(sdata))
                        ieee80211_assign_chanctx(local, sdata);
        }
-        /* add STAs back */
-        mutex_lock(&local->sta_mtx);
-        list_for_each_entry(sta, &local->sta_list, list) {
-                enum ieee80211_sta_state state;
-                if (!sta->uploaded)
-                        continue;
-                /* AP-mode stations will be added later */
-                if (sta->sdata->vif.type == NL80211_IFTYPE_AP)
-                        continue;
-                for (state = IEEE80211_STA_NOTEXIST;
-                     state < sta->sta_state; state++)
-                        WARN_ON(drv_sta_state(local, sta->sdata, sta, state,
-                                              state + 1));
-        }
-        mutex_unlock(&local->sta_mtx);
-        /* reconfigure tx conf */
-        if (hw->queues >= IEEE80211_NUM_ACS) {
-                list_for_each_entry(sdata, &local->interfaces, list) {
-                        if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
-                            sdata->vif.type == NL80211_IFTYPE_MONITOR ||
-                            !ieee80211_sdata_running(sdata))
-                                continue;
-                        for (i = 0; i < IEEE80211_NUM_ACS; i++)
-                                drv_conf_tx(local, sdata, i,
-                                            &sdata->tx_conf[i]);
-                }
-        }
        /* reconfigure hardware */
        ieee80211_hw_config(local, ~0);
@@ -1892,6 +1899,22 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                if (!ieee80211_sdata_running(sdata))
                        continue;
+                ieee80211_assign_chanctx(local, sdata);
+                switch (sdata->vif.type) {
+                case NL80211_IFTYPE_AP_VLAN:
+                case NL80211_IFTYPE_MONITOR:
+                        break;
+                default:
+                        ieee80211_reconfig_stations(sdata);
+                        /* fall through */
+                case NL80211_IFTYPE_AP: /* AP stations are handled later */
+                        for (i = 0; i < IEEE80211_NUM_ACS; i++)
+                                drv_conf_tx(local, sdata, i,
+                                            &sdata->tx_conf[i]);
+                        break;
+                }
                /* common change flags for all interface types */
                changed = BSS_CHANGED_ERP_CTS_PROT |
                          BSS_CHANGED_ERP_PREAMBLE |
@@ -2077,17 +2100,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
        mb();
        local->resuming = false;
-        /* It's possible that we don't handle the scan completion in
+        ieee80211_flush_completed_scan(local, false);
-         * time during suspend, so if it's still marked as completed
-         * here, queue the work and flush it to clean things up.
-         * Instead of calling the worker function directly here, we
-         * really queue it to avoid potential races with other flows
-         * scheduling the same work.
-         */
-        if (test_bit(SCAN_COMPLETED, &local->scanning)) {
-                ieee80211_queue_delayed_work(&local->hw, &local->scan_work, 0);
-                flush_delayed_work(&local->scan_work);
-        }
        if (local->open_count && !reconfig_due_to_wowlan)
                drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_SUSPEND);
diff --git a/net/mac80211/vht.c b/net/mac80211/vht.c
index ff1c798921a6..c38b2f07a919 100644
--- a/net/mac80211/vht.c
+++ b/net/mac80211/vht.c
@@ -378,7 +378,7 @@ void ieee80211_sta_set_rx_nss(struct sta_info *sta)
 u32 __ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
                                  struct sta_info *sta, u8 opmode,
-                                  enum ieee80211_band band, bool nss_only)
+                                  enum ieee80211_band band)
 {
        struct ieee80211_local *local = sdata->local;
        struct ieee80211_supported_band *sband;
@@ -401,9 +401,6 @@ u32 __ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
                changed |= IEEE80211_RC_NSS_CHANGED;
        }
-        if (nss_only)
-                return changed;
        switch (opmode & IEEE80211_OPMODE_NOTIF_CHANWIDTH_MASK) {
        case IEEE80211_OPMODE_NOTIF_CHANWIDTH_20MHZ:
                sta->cur_max_bandwidth = IEEE80211_STA_RX_BW_20;
@@ -430,13 +427,12 @@ u32 __ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
 void ieee80211_vht_handle_opmode(struct ieee80211_sub_if_data *sdata,
                                 struct sta_info *sta, u8 opmode,
-                                 enum ieee80211_band band, bool nss_only)
+                                 enum ieee80211_band band)
 {
        struct ieee80211_local *local = sdata->local;
        struct ieee80211_supported_band *sband = local->hw.wiphy->bands[band];
-        u32 changed = __ieee80211_vht_handle_opmode(sdata, sta, opmode,
+        u32 changed = __ieee80211_vht_handle_opmode(sdata, sta, opmode, band);
-                                                    band, nss_only);
        if (changed > 0)
                rate_control_rate_update(local, sband, sta, changed);
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index 4b3b9b310c3a..b18c5ed42d95 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -27,6 +27,8 @@
 */
 #define MAX_MP_SELECT_LABELS 4
+#define MPLS_NEIGH_TABLE_UNSPEC (NEIGH_LINK_TABLE + 1)
 static int zero = 0;
 static int label_limit = (1 << 20) - 1;
@@ -341,7 +343,13 @@ static int mpls_forward(struct sk_buff *skb, struct net_device *dev,
                }
        }
-        err = neigh_xmit(nh->nh_via_table, out_dev, mpls_nh_via(rt, nh), skb);
+        /* If via wasn't specified then send out using device address */
+        if (nh->nh_via_table == MPLS_NEIGH_TABLE_UNSPEC)
+                err = neigh_xmit(NEIGH_LINK_TABLE, out_dev,
+                                 out_dev->dev_addr, skb);
+        else
+                err = neigh_xmit(nh->nh_via_table, out_dev,
+                                 mpls_nh_via(rt, nh), skb);
        if (err)
                net_dbg_ratelimited("%s: packet transmission failed: %d\n",
                                    __func__, err);
@@ -559,6 +567,10 @@ static int mpls_nh_assign_dev(struct net *net, struct mpls_route *rt,
        if (!mpls_dev_get(dev))
                goto errout;
+        if ((nh->nh_via_table == NEIGH_LINK_TABLE) &&
+            (dev->addr_len != nh->nh_via_alen))
+                goto errout;
        RCU_INIT_POINTER(nh->nh_dev, dev);
        if (!(dev->flags & IFF_UP)) {
@@ -630,10 +642,14 @@ static int mpls_nh_build(struct net *net, struct mpls_route *rt,
                        goto errout;
        }
-        err = nla_get_via(via, &nh->nh_via_alen, &nh->nh_via_table,
+        if (via) {
-                          __mpls_nh_via(rt, nh));
+                err = nla_get_via(via, &nh->nh_via_alen, &nh->nh_via_table,
-        if (err)
+                                  __mpls_nh_via(rt, nh));
-                goto errout;
+                if (err)
+                        goto errout;
+        } else {
+                nh->nh_via_table = MPLS_NEIGH_TABLE_UNSPEC;
+        }
        err = mpls_nh_assign_dev(net, rt, nh, oif);
        if (err)
@@ -715,9 +731,6 @@ static int mpls_nh_build_multi(struct mpls_route_config *cfg,
                        nla_newdst = nla_find(attrs, attrlen, RTA_NEWDST);
                }
-                if (!nla_via)
-                        goto errout;
                err = mpls_nh_build(cfg->rc_nlinfo.nl_net, rt, nh,
                                    rtnh->rtnh_ifindex, nla_via, nla_newdst);
                if (err)
@@ -1227,6 +1240,7 @@ static int rtm_to_route_config(struct sk_buff *skb,  struct nlmsghdr *nlh,
        cfg->rc_label           = LABEL_NOT_SPECIFIED;
        cfg->rc_protocol        = rtm->rtm_protocol;
+        cfg->rc_via_table       = MPLS_NEIGH_TABLE_UNSPEC;
        cfg->rc_nlflags         = nlh->nlmsg_flags;
        cfg->rc_nlinfo.portid   = NETLINK_CB(skb).portid;
        cfg->rc_nlinfo.nlh      = nlh;
@@ -1340,7 +1354,8 @@ static int mpls_dump_route(struct sk_buff *skb, u32 portid, u32 seq, int event,
                    nla_put_labels(skb, RTA_NEWDST, nh->nh_labels,
                                   nh->nh_label))
                        goto nla_put_failure;
-                if (nla_put_via(skb, nh->nh_via_table, mpls_nh_via(rt, nh),
+                if (nh->nh_via_table != MPLS_NEIGH_TABLE_UNSPEC &&
+                    nla_put_via(skb, nh->nh_via_table, mpls_nh_via(rt, nh),
                                nh->nh_via_alen))
                        goto nla_put_failure;
                dev = rtnl_dereference(nh->nh_dev);
@@ -1381,7 +1396,8 @@ static int mpls_dump_route(struct sk_buff *skb, u32 portid, u32 seq, int event,
                                                            nh->nh_labels,
                                                            nh->nh_label))
                                goto nla_put_failure;
-                        if (nla_put_via(skb, nh->nh_via_table,
+                        if (nh->nh_via_table != MPLS_NEIGH_TABLE_UNSPEC &&
+                            nla_put_via(skb, nh->nh_via_table,
                                        mpls_nh_via(rt, nh),
                                        nh->nh_via_alen))
                                goto nla_put_failure;
@@ -1448,7 +1464,8 @@ static inline size_t lfib_nlmsg_size(struct mpls_route *rt)
                if (nh->nh_dev)
                        payload += nla_total_size(4); /* RTA_OIF */
-                payload += nla_total_size(2 + nh->nh_via_alen); /* RTA_VIA */
+                if (nh->nh_via_table != MPLS_NEIGH_TABLE_UNSPEC) /* RTA_VIA */
+                        payload += nla_total_size(2 + nh->nh_via_alen);
                if (nh->nh_labels) /* RTA_NEWDST */
                        payload += nla_total_size(nh->nh_labels * 4);
        } else {
@@ -1457,7 +1474,9 @@ static inline size_t lfib_nlmsg_size(struct mpls_route *rt)
                for_nexthops(rt) {
                        nhsize += nla_total_size(sizeof(struct rtnexthop));
-                        nhsize += nla_total_size(2 + nh->nh_via_alen);
+                        /* RTA_VIA */
+                        if (nh->nh_via_table != MPLS_NEIGH_TABLE_UNSPEC)
+                                nhsize += nla_total_size(2 + nh->nh_via_alen);
                        if (nh->nh_labels)
                                nhsize += nla_total_size(nh->nh_labels * 4);
                } endfor_nexthops(rt);
diff --git a/net/mpls/mpls_iptunnel.c b/net/mpls/mpls_iptunnel.c
index cdd01e6416db..fb31aa87de81 100644
--- a/net/mpls/mpls_iptunnel.c
+++ b/net/mpls/mpls_iptunnel.c
@@ -54,10 +54,10 @@ static int mpls_output(struct net *net, struct sock *sk, struct sk_buff *skb)
        unsigned int ttl;
        /* Obtain the ttl */
-        if (skb->protocol == htons(ETH_P_IP)) {
+        if (dst->ops->family == AF_INET) {
                ttl = ip_hdr(skb)->ttl;
                rt = (struct rtable *)dst;
-        } else if (skb->protocol == htons(ETH_P_IPV6)) {
+        } else if (dst->ops->family == AF_INET6) {
                ttl = ipv6_hdr(skb)->hop_limit;
                rt6 = (struct rt6_info *)dst;
        } else {
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 93cc4737018f..2cb429d34c03 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -89,6 +89,7 @@ nf_tables_afinfo_lookup(struct net *net, int family, bool autoload)
 }
 static void nft_ctx_init(struct nft_ctx *ctx,
+                         struct net *net,
                         const struct sk_buff *skb,
                         const struct nlmsghdr *nlh,
                         struct nft_af_info *afi,
@@ -96,7 +97,7 @@ static void nft_ctx_init(struct nft_ctx *ctx,
                         struct nft_chain *chain,
                         const struct nlattr * const *nla)
 {
-        ctx->net        = sock_net(skb->sk);
+        ctx->net        = net;
        ctx->afi        = afi;
        ctx->table      = table;
        ctx->chain      = chain;
@@ -672,15 +673,14 @@ err:
        return ret;
 }
-static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_newtable(struct net *net, struct sock *nlsk,
-                              const struct nlmsghdr *nlh,
+                              struct sk_buff *skb, const struct nlmsghdr *nlh,
                              const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        const struct nlattr *name;
        struct nft_af_info *afi;
        struct nft_table *table;
-        struct net *net = sock_net(skb->sk);
        int family = nfmsg->nfgen_family;
        u32 flags = 0;
        struct nft_ctx ctx;
@@ -706,7 +706,7 @@ static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
                if (nlh->nlmsg_flags & NLM_F_REPLACE)
                        return -EOPNOTSUPP;
-                nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
+                nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
                return nf_tables_updtable(&ctx);
        }
@@ -730,7 +730,7 @@ static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
        INIT_LIST_HEAD(&table->sets);
        table->flags = flags;
-        nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
        err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
        if (err < 0)
                goto err3;
@@ -810,18 +810,17 @@ out:
        return err;
 }
-static int nf_tables_deltable(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_deltable(struct net *net, struct sock *nlsk,
-                              const struct nlmsghdr *nlh,
+                              struct sk_buff *skb, const struct nlmsghdr *nlh,
                              const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        struct nft_af_info *afi;
        struct nft_table *table;
-        struct net *net = sock_net(skb->sk);
        int family = nfmsg->nfgen_family;
        struct nft_ctx ctx;
-        nft_ctx_init(&ctx, skb, nlh, NULL, NULL, NULL, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, NULL, NULL, NULL, nla);
        if (family == AF_UNSPEC || nla[NFTA_TABLE_NAME] == NULL)
                return nft_flush(&ctx, family);
@@ -1221,8 +1220,8 @@ static void nf_tables_chain_destroy(struct nft_chain *chain)
        }
 }
-static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_newchain(struct net *net, struct sock *nlsk,
-                              const struct nlmsghdr *nlh,
+                              struct sk_buff *skb, const struct nlmsghdr *nlh,
                              const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
@@ -1232,7 +1231,6 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
        struct nft_chain *chain;
        struct nft_base_chain *basechain = NULL;
        struct nlattr *ha[NFTA_HOOK_MAX + 1];
-        struct net *net = sock_net(skb->sk);
        int family = nfmsg->nfgen_family;
        struct net_device *dev = NULL;
        u8 policy = NF_ACCEPT;
@@ -1313,7 +1311,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
                                return PTR_ERR(stats);
                }
-                nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+                nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
                trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
                                        sizeof(struct nft_trans_chain));
                if (trans == NULL) {
@@ -1461,7 +1459,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
        if (err < 0)
                goto err1;
-        nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
        err = nft_trans_chain_add(&ctx, NFT_MSG_NEWCHAIN);
        if (err < 0)
                goto err2;
@@ -1476,15 +1474,14 @@ err1:
        return err;
 }
-static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_delchain(struct net *net, struct sock *nlsk,
-                              const struct nlmsghdr *nlh,
+                              struct sk_buff *skb, const struct nlmsghdr *nlh,
                              const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        struct nft_af_info *afi;
        struct nft_table *table;
        struct nft_chain *chain;
-        struct net *net = sock_net(skb->sk);
        int family = nfmsg->nfgen_family;
        struct nft_ctx ctx;
@@ -1506,7 +1503,7 @@ static int nf_tables_delchain(struct sock *nlsk, struct sk_buff *skb,
        if (chain->use > 0)
                return -EBUSY;
-        nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
        return nft_delchain(&ctx);
 }
@@ -2010,13 +2007,12 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
 static struct nft_expr_info *info;
-static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_newrule(struct net *net, struct sock *nlsk,
-                             const struct nlmsghdr *nlh,
+                             struct sk_buff *skb, const struct nlmsghdr *nlh,
                             const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        struct nft_af_info *afi;
-        struct net *net = sock_net(skb->sk);
        struct nft_table *table;
        struct nft_chain *chain;
        struct nft_rule *rule, *old_rule = NULL;
@@ -2075,7 +2071,7 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
                        return PTR_ERR(old_rule);
        }
-        nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
        n = 0;
        size = 0;
@@ -2176,13 +2172,12 @@ err1:
        return err;
 }
-static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_delrule(struct net *net, struct sock *nlsk,
-                             const struct nlmsghdr *nlh,
+                             struct sk_buff *skb, const struct nlmsghdr *nlh,
                             const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        struct nft_af_info *afi;
-        struct net *net = sock_net(skb->sk);
        struct nft_table *table;
        struct nft_chain *chain = NULL;
        struct nft_rule *rule;
@@ -2205,7 +2200,7 @@ static int nf_tables_delrule(struct sock *nlsk, struct sk_buff *skb,
                        return PTR_ERR(chain);
        }
-        nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, afi, table, chain, nla);
        if (chain) {
                if (nla[NFTA_RULE_HANDLE]) {
@@ -2344,12 +2339,11 @@ static const struct nla_policy nft_set_desc_policy[NFTA_SET_DESC_MAX + 1] = {
        [NFTA_SET_DESC_SIZE]            = { .type = NLA_U32 },
 };
-static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
+static int nft_ctx_init_from_setattr(struct nft_ctx *ctx, struct net *net,
                                     const struct sk_buff *skb,
                                     const struct nlmsghdr *nlh,
                                     const struct nlattr * const nla[])
 {
-        struct net *net = sock_net(skb->sk);
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        struct nft_af_info *afi = NULL;
        struct nft_table *table = NULL;
@@ -2371,7 +2365,7 @@ static int nft_ctx_init_from_setattr(struct nft_ctx *ctx,
                        return -ENOENT;
        }
-        nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
+        nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
        return 0;
 }
@@ -2623,6 +2617,7 @@ static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
                            const struct nlmsghdr *nlh,
                            const struct nlattr * const nla[])
 {
+        struct net *net = sock_net(skb->sk);
        const struct nft_set *set;
        struct nft_ctx ctx;
        struct sk_buff *skb2;
@@ -2630,7 +2625,7 @@ static int nf_tables_getset(struct sock *nlsk, struct sk_buff *skb,
        int err;
        /* Verify existence before starting dump */
-        err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
+        err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla);
        if (err < 0)
                return err;
@@ -2693,14 +2688,13 @@ static int nf_tables_set_desc_parse(const struct nft_ctx *ctx,
        return 0;
 }
-static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_newset(struct net *net, struct sock *nlsk,
-                            const struct nlmsghdr *nlh,
+                            struct sk_buff *skb, const struct nlmsghdr *nlh,
                            const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        const struct nft_set_ops *ops;
        struct nft_af_info *afi;
-        struct net *net = sock_net(skb->sk);
        struct nft_table *table;
        struct nft_set *set;
        struct nft_ctx ctx;
@@ -2798,7 +2792,7 @@ static int nf_tables_newset(struct sock *nlsk, struct sk_buff *skb,
        if (IS_ERR(table))
                return PTR_ERR(table);
-        nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
+        nft_ctx_init(&ctx, net, skb, nlh, afi, table, NULL, nla);
        set = nf_tables_set_lookup(table, nla[NFTA_SET_NAME]);
        if (IS_ERR(set)) {
@@ -2882,8 +2876,8 @@ static void nf_tables_set_destroy(const struct nft_ctx *ctx, struct nft_set *set
        nft_set_destroy(set);
 }
-static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_delset(struct net *net, struct sock *nlsk,
-                            const struct nlmsghdr *nlh,
+                            struct sk_buff *skb, const struct nlmsghdr *nlh,
                            const struct nlattr * const nla[])
 {
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
@@ -2896,7 +2890,7 @@ static int nf_tables_delset(struct sock *nlsk, struct sk_buff *skb,
        if (nla[NFTA_SET_TABLE] == NULL)
                return -EINVAL;
-        err = nft_ctx_init_from_setattr(&ctx, skb, nlh, nla);
+        err = nft_ctx_init_from_setattr(&ctx, net, skb, nlh, nla);
        if (err < 0)
                return err;
@@ -3024,7 +3018,7 @@ static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX +
        [NFTA_SET_ELEM_LIST_SET_ID]     = { .type = NLA_U32 },
 };
-static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
+static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx, struct net *net,
                                      const struct sk_buff *skb,
                                      const struct nlmsghdr *nlh,
                                      const struct nlattr * const nla[],
@@ -3033,7 +3027,6 @@ static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
        const struct nfgenmsg *nfmsg = nlmsg_data(nlh);
        struct nft_af_info *afi;
        struct nft_table *table;
-        struct net *net = sock_net(skb->sk);
        afi = nf_tables_afinfo_lookup(net, nfmsg->nfgen_family, false);
        if (IS_ERR(afi))
@@ -3045,7 +3038,7 @@ static int nft_ctx_init_from_elemattr(struct nft_ctx *ctx,
        if (!trans && (table->flags & NFT_TABLE_INACTIVE))
                return -ENOENT;
-        nft_ctx_init(ctx, skb, nlh, afi, table, NULL, nla);
+        nft_ctx_init(ctx, net, skb, nlh, afi, table, NULL, nla);
        return 0;
 }
@@ -3135,6 +3128,7 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
 {
+        struct net *net = sock_net(skb->sk);
        const struct nft_set *set;
        struct nft_set_dump_args args;
        struct nft_ctx ctx;
@@ -3150,8 +3144,8 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
        if (err < 0)
                return err;
-        err = nft_ctx_init_from_elemattr(&ctx, cb->skb, cb->nlh, (void *)nla,
+        err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
-                                         false);
+                                         (void *)nla, false);
        if (err < 0)
                return err;
@@ -3212,11 +3206,12 @@ static int nf_tables_getsetelem(struct sock *nlsk, struct sk_buff *skb,
                                const struct nlmsghdr *nlh,
                                const struct nlattr * const nla[])
 {
+        struct net *net = sock_net(skb->sk);
        const struct nft_set *set;
        struct nft_ctx ctx;
        int err;
-        err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
+        err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, false);
        if (err < 0)
                return err;
@@ -3528,11 +3523,10 @@ err1:
        return err;
 }
-static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
-                                const struct nlmsghdr *nlh,
+                                struct sk_buff *skb, const struct nlmsghdr *nlh,
                                const struct nlattr * const nla[])
 {
-        struct net *net = sock_net(skb->sk);
        const struct nlattr *attr;
        struct nft_set *set;
        struct nft_ctx ctx;
@@ -3541,7 +3535,7 @@ static int nf_tables_newsetelem(struct sock *nlsk, struct sk_buff *skb,
        if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
                return -EINVAL;
-        err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, true);
+        err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, true);
        if (err < 0)
                return err;
@@ -3623,8 +3617,8 @@ err1:
        return err;
 }
-static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
+static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
-                                const struct nlmsghdr *nlh,
+                                struct sk_buff *skb, const struct nlmsghdr *nlh,
                                const struct nlattr * const nla[])
 {
        const struct nlattr *attr;
@@ -3635,7 +3629,7 @@ static int nf_tables_delsetelem(struct sock *nlsk, struct sk_buff *skb,
        if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL)
                return -EINVAL;
-        err = nft_ctx_init_from_elemattr(&ctx, skb, nlh, nla, false);
+        err = nft_ctx_init_from_elemattr(&ctx, net, skb, nlh, nla, false);
        if (err < 0)
                return err;
@@ -4030,7 +4024,8 @@ static int nf_tables_abort(struct sk_buff *skb)
        struct nft_trans *trans, *next;
        struct nft_trans_elem *te;
-        list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
+        list_for_each_entry_safe_reverse(trans, next, &net->nft.commit_list,
+                                         list) {
                switch (trans->msg_type) {
                case NFT_MSG_NEWTABLE:
                        if (nft_trans_table_update(trans)) {
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 46453ab318db..77afe913d03d 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -295,8 +295,6 @@ replay:
        if (!skb)
                return netlink_ack(oskb, nlh, -ENOMEM);
-        skb->sk = oskb->sk;
        nfnl_lock(subsys_id);
        ss = rcu_dereference_protected(table[subsys_id].subsys,
                                       lockdep_is_held(&table[subsys_id].mutex));
@@ -381,7 +379,7 @@ replay:
                                goto ack;
                        if (nc->call_batch) {
-                                err = nc->call_batch(net->nfnl, skb, nlh,
+                                err = nc->call_batch(net, net->nfnl, skb, nlh,
                                                     (const struct nlattr **)cda);
                        }
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 7d81d280cb4f..861c6615253b 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -365,8 +365,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
                break;
        }
+        nfnl_ct = rcu_dereference(nfnl_ct_hook);
        if (queue->flags & NFQA_CFG_F_CONNTRACK) {
-                nfnl_ct = rcu_dereference(nfnl_ct_hook);
                if (nfnl_ct != NULL) {
                        ct = nfnl_ct->get_ct(entskb, &ctinfo);
                        if (ct != NULL)
@@ -1064,9 +1065,10 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
        if (entry == NULL)
                return -ENOENT;
+        /* rcu lock already held from nfnl->call_rcu. */
+        nfnl_ct = rcu_dereference(nfnl_ct_hook);
        if (nfqa[NFQA_CT]) {
-                /* rcu lock already held from nfnl->call_rcu. */
-                nfnl_ct = rcu_dereference(nfnl_ct_hook);
                if (nfnl_ct != NULL)
                        ct = nfqnl_ct_parse(nfnl_ct, nlh, nfqa, entry, &ctinfo);
        }
@@ -1417,6 +1419,7 @@ static int __init nfnetlink_queue_init(void)
 cleanup_netlink_notifier:
        netlink_unregister_notifier(&nfqnl_rtnl_notifier);
+        unregister_pernet_subsys(&nfnl_queue_net_ops);
 out:
        return status;
 }
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index c2cc11168fd5..3e8892216f94 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -53,6 +53,8 @@ struct ovs_conntrack_info {
        struct md_labels labels;
 };
+static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info);
 static u16 key_to_nfproto(const struct sw_flow_key *key)
 {
        switch (ntohs(key->eth.type)) {
@@ -141,6 +143,7 @@ static void __ovs_ct_update_key(struct sw_flow_key *key, u8 state,
 * previously sent the packet to conntrack via the ct action.
 */
 static void ovs_ct_update_key(const struct sk_buff *skb,
+                              const struct ovs_conntrack_info *info,
                              struct sw_flow_key *key, bool post_ct)
 {
        const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
@@ -158,13 +161,15 @@ static void ovs_ct_update_key(const struct sk_buff *skb,
                zone = nf_ct_zone(ct);
        } else if (post_ct) {
                state = OVS_CS_F_TRACKED | OVS_CS_F_INVALID;
+                if (info)
+                        zone = &info->zone;
        }
        __ovs_ct_update_key(key, state, zone, ct);
 }
 void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key)
 {
-        ovs_ct_update_key(skb, key, false);
+        ovs_ct_update_key(skb, NULL, key, false);
 }
 int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb)
@@ -418,7 +423,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
                }
        }
-        ovs_ct_update_key(skb, key, true);
+        ovs_ct_update_key(skb, info, key, true);
        return 0;
 }
@@ -708,7 +713,7 @@ int ovs_ct_copy_action(struct net *net, const struct nlattr *attr,
        nf_conntrack_get(&ct_info.ct->ct_general);
        return 0;
 err_free_ct:
-        nf_conntrack_free(ct_info.ct);
+        __ovs_ct_free_action(&ct_info);
        return err;
 }
@@ -750,6 +755,11 @@ void ovs_ct_free_action(const struct nlattr *a)
 {
        struct ovs_conntrack_info *ct_info = nla_data(a);
+        __ovs_ct_free_action(ct_info);
+}
+static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
+{
        if (ct_info->helper)
                module_put(ct_info->helper->me);
        if (ct_info->ct)
diff --git a/net/rfkill/core.c b/net/rfkill/core.c
index b41e9ea2ffff..f53bf3b6558b 100644
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -49,7 +49,6 @@
 struct rfkill {
        spinlock_t              lock;
-        const char              *name;
        enum rfkill_type        type;
        unsigned long           state;
@@ -73,6 +72,7 @@ struct rfkill {
        struct delayed_work     poll_work;
        struct work_struct      uevent_work;
        struct work_struct      sync_work;
+        char                    name[];
 };
 #define to_rfkill(d)    container_of(d, struct rfkill, dev)
@@ -876,14 +876,14 @@ struct rfkill * __must_check rfkill_alloc(const char *name,
        if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES))
                return NULL;
-        rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL);
+        rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL);
        if (!rfkill)
                return NULL;
        spin_lock_init(&rfkill->lock);
        INIT_LIST_HEAD(&rfkill->node);
        rfkill->type = type;
-        rfkill->name = name;
+        strcpy(rfkill->name, name);
        rfkill->ops = ops;
        rfkill->data = ops_data;
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 7ec667dd4ce1..b5c2cf2aa6d4 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -950,7 +950,7 @@ qdisc_create(struct net_device *dev, struct netdev_queue *dev_queue,
                }
                lockdep_set_class(qdisc_lock(sch), &qdisc_tx_lock);
                if (!netif_is_multiqueue(dev))
-                        sch->flags |= TCQ_F_ONETXQUEUE | TCQ_F_NOPARENT;
+                        sch->flags |= TCQ_F_ONETXQUEUE;
        }
        sch->handle = handle;
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index acb45b8c2a9d..ec529121f38a 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -323,14 +323,13 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
                        }
                }
        }
-        rcu_read_unlock();
        if (baddr) {
                fl6->saddr = baddr->v6.sin6_addr;
                fl6->fl6_sport = baddr->v6.sin6_port;
                final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
                dst = ip6_dst_lookup_flow(sk, fl6, final_p);
        }
+        rcu_read_unlock();
 out:
        if (!IS_ERR_OR_NULL(dst)) {
@@ -642,6 +641,7 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
        struct sock *newsk;
        struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
        struct sctp6_sock *newsctp6sk;
+        struct ipv6_txoptions *opt;
        newsk = sk_alloc(sock_net(sk), PF_INET6, GFP_KERNEL, sk->sk_prot, 0);
        if (!newsk)
@@ -661,6 +661,13 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
        memcpy(newnp, np, sizeof(struct ipv6_pinfo));
+        rcu_read_lock();
+        opt = rcu_dereference(np->opt);
+        if (opt)
+                opt = ipv6_dup_options(newsk, opt);
+        RCU_INIT_POINTER(newnp->opt, opt);
+        rcu_read_unlock();
        /* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname()
         * and getpeername().
         */
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 7e8f0a117106..c0380cfb16ae 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -324,6 +324,7 @@ int sctp_outq_tail(struct sctp_outq *q, struct sctp_chunk *chunk)
                                 sctp_cname(SCTP_ST_CHUNK(chunk->chunk_hdr->type)) :
                                 "illegal chunk");
+                        sctp_chunk_hold(chunk);
                        sctp_outq_tail_data(q, chunk);
                        if (chunk->chunk_hdr->flags & SCTP_DATA_UNORDERED)
                                SCTP_INC_STATS(net, SCTP_MIB_OUTUNORDERCHUNKS);
@@ -1251,6 +1252,7 @@ int sctp_outq_sack(struct sctp_outq *q, struct sctp_chunk *chunk)
         */
        sack_a_rwnd = ntohl(sack->a_rwnd);
+        asoc->peer.zero_window_announced = !sack_a_rwnd;
        outstanding = q->outstanding_bytes;
        if (outstanding < sack_a_rwnd)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 763e06a55155..5d6a03fad378 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1652,7 +1652,7 @@ static sctp_cookie_param_t *sctp_pack_cookie(const struct sctp_endpoint *ep,
        /* Set an expiration time for the cookie.  */
        cookie->c.expiration = ktime_add(asoc->cookie_life,
-                                         ktime_get());
+                                         ktime_get_real());
        /* Copy the peer's init packet.  */
        memcpy(&cookie->c.peer_init[0], init_chunk->chunk_hdr,
@@ -1780,7 +1780,7 @@ no_hmac:
        if (sock_flag(ep->base.sk, SOCK_TIMESTAMP))
                kt = skb_get_ktime(skb);
        else
-                kt = ktime_get();
+                kt = ktime_get_real();
        if (!asoc && ktime_before(bear_cookie->expiration, kt)) {
                /*
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 6f46aa16cb76..cd34a4a34065 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -5412,7 +5412,8 @@ sctp_disposition_t sctp_sf_do_6_3_3_rtx(struct net *net,
        SCTP_INC_STATS(net, SCTP_MIB_T3_RTX_EXPIREDS);
        if (asoc->overall_error_count >= asoc->max_retrans) {
-                if (asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
+                if (asoc->peer.zero_window_announced &&
+                    asoc->state == SCTP_STATE_SHUTDOWN_PENDING) {
                        /*
                         * We are here likely because the receiver had its rwnd
                         * closed for a while and we have not been able to
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 106bb09636f1..2a1e8ba2808c 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1952,8 +1952,6 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
        /* Now send the (possibly) fragmented message. */
        list_for_each_entry(chunk, &datamsg->chunks, frag_list) {
-                sctp_chunk_hold(chunk);
                /* Do accounting for the write space.  */
                sctp_set_owner_w(chunk);
@@ -1966,15 +1964,13 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
         * breaks.
         */
        err = sctp_primitive_SEND(net, asoc, datamsg);
+        sctp_datamsg_put(datamsg);
        /* Did the lower layer accept the chunk? */
-        if (err) {
+        if (err)
-                sctp_datamsg_free(datamsg);
                goto out_free;
-        }
        pr_debug("%s: we sent primitively\n", __func__);
-        sctp_datamsg_put(datamsg);
        err = msg_len;
        if (unlikely(wait_connect)) {
@@ -7167,6 +7163,7 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
        newsk->sk_type = sk->sk_type;
        newsk->sk_bound_dev_if = sk->sk_bound_dev_if;
        newsk->sk_flags = sk->sk_flags;
+        newsk->sk_tsflags = sk->sk_tsflags;
        newsk->sk_no_check_tx = sk->sk_no_check_tx;
        newsk->sk_no_check_rx = sk->sk_no_check_rx;
        newsk->sk_reuse = sk->sk_reuse;
@@ -7199,6 +7196,9 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
        newinet->mc_ttl = 1;
        newinet->mc_index = 0;
        newinet->mc_list = NULL;
+        if (newsk->sk_flags & SK_FLAGS_TIMESTAMP)
+                net_enable_timestamp();
 }
 static inline void sctp_copy_descendant(struct sock *sk_to,
diff --git a/net/socket.c b/net/socket.c
index 456fadb3d819..29822d6dd91e 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1695,6 +1695,7 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size,
        msg.msg_name = addr ? (struct sockaddr *)&address : NULL;
        /* We assume all kernel code knows the size of sockaddr_storage */
        msg.msg_namelen = 0;
+        msg.msg_iocb = NULL;
        if (sock->file->f_flags & O_NONBLOCK)
                flags |= MSG_DONTWAIT;
        err = sock_recvmsg(sock, &msg, iov_iter_count(&msg.msg_iter), flags);
diff --git a/net/sunrpc/backchannel_rqst.c b/net/sunrpc/backchannel_rqst.c
index 95f82d8d4888..229956bf8457 100644
--- a/net/sunrpc/backchannel_rqst.c
+++ b/net/sunrpc/backchannel_rqst.c
@@ -353,20 +353,12 @@ void xprt_complete_bc_request(struct rpc_rqst *req, uint32_t copied)
 {
        struct rpc_xprt *xprt = req->rq_xprt;
        struct svc_serv *bc_serv = xprt->bc_serv;
-        struct xdr_buf *rq_rcv_buf = &req->rq_rcv_buf;
        spin_lock(&xprt->bc_pa_lock);
        list_del(&req->rq_bc_pa_list);
        xprt_dec_alloc_count(xprt, 1);
        spin_unlock(&xprt->bc_pa_lock);
-        if (copied <= rq_rcv_buf->head[0].iov_len) {
-                rq_rcv_buf->head[0].iov_len = copied;
-                rq_rcv_buf->page_len = 0;
-        } else {
-                rq_rcv_buf->page_len = copied - rq_rcv_buf->head[0].iov_len;
-        }
        req->rq_private_buf.len = copied;
        set_bit(RPC_BC_PA_IN_USE, &req->rq_bc_pa_state);
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index f14f24ee9983..73ad57a59989 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -250,11 +250,11 @@ void rpc_destroy_wait_queue(struct rpc_wait_queue *queue)
 }
 EXPORT_SYMBOL_GPL(rpc_destroy_wait_queue);
-static int rpc_wait_bit_killable(struct wait_bit_key *key)
+static int rpc_wait_bit_killable(struct wait_bit_key *key, int mode)
 {
-        if (fatal_signal_pending(current))
-                return -ERESTARTSYS;
        freezable_schedule_unsafe();
+        if (signal_pending_state(mode, current))
+                return -ERESTARTSYS;
        return 0;
 }
diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index 7fccf9675df8..cc9852897395 100644
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -1363,7 +1363,19 @@ bc_svc_process(struct svc_serv *serv, struct rpc_rqst *req,
        memcpy(&rqstp->rq_addr, &req->rq_xprt->addr, rqstp->rq_addrlen);
        memcpy(&rqstp->rq_arg, &req->rq_rcv_buf, sizeof(rqstp->rq_arg));
        memcpy(&rqstp->rq_res, &req->rq_snd_buf, sizeof(rqstp->rq_res));
+        /* Adjust the argument buffer length */
        rqstp->rq_arg.len = req->rq_private_buf.len;
+        if (rqstp->rq_arg.len <= rqstp->rq_arg.head[0].iov_len) {
+                rqstp->rq_arg.head[0].iov_len = rqstp->rq_arg.len;
+                rqstp->rq_arg.page_len = 0;
+        } else if (rqstp->rq_arg.len <= rqstp->rq_arg.head[0].iov_len +
+                        rqstp->rq_arg.page_len)
+                rqstp->rq_arg.page_len = rqstp->rq_arg.len -
+                        rqstp->rq_arg.head[0].iov_len;
+        else
+                rqstp->rq_arg.len = rqstp->rq_arg.head[0].iov_len +
+                        rqstp->rq_arg.page_len;
        /* reset result send buffer "put" position */
        resv->iov_len = 0;
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 1c3c1f3a3ec4..b1314c099417 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -2263,14 +2263,7 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
        /* Lock the socket to prevent queue disordering
         * while sleeps in memcpy_tomsg
         */
-        err = mutex_lock_interruptible(&u->readlock);
+        mutex_lock(&u->readlock);
-        if (unlikely(err)) {
-                /* recvmsg() in non blocking mode is supposed to return -EAGAIN
-                 * sk_rcvtimeo is not honored by mutex_lock_interruptible()
-                 */
-                err = noblock ? -EAGAIN : -ERESTARTSYS;
-                goto out;
-        }
        if (flags & MSG_PEEK)
                skip = sk_peek_offset(sk, flags);
@@ -2314,12 +2307,12 @@ again:
                        timeo = unix_stream_data_wait(sk, timeo, last,
                                                      last_len);
-                        if (signal_pending(current) ||
+                        if (signal_pending(current)) {
-                            mutex_lock_interruptible(&u->readlock)) {
                                err = sock_intr_errno(timeo);
                                goto out;
                        }
+                        mutex_lock(&u->readlock);
                        continue;
 unlock:
                        unix_state_unlock(sk);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 72de6989dd12..d4786f2802aa 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -7973,8 +7973,10 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
        if (nla_get_flag(info->attrs[NL80211_ATTR_USE_RRM])) {
                if (!(rdev->wiphy.features &
                      NL80211_FEATURE_DS_PARAM_SET_IE_IN_PROBES) ||
-                    !(rdev->wiphy.features & NL80211_FEATURE_QUIET))
+                    !(rdev->wiphy.features & NL80211_FEATURE_QUIET)) {
+                        kzfree(connkeys);
                        return -EINVAL;
+                }
                connect.flags |= ASSOC_REQ_USE_RRM;
        }
@@ -9535,6 +9537,7 @@ static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
        if (new_triggers.tcp && new_triggers.tcp->sock)
                sock_release(new_triggers.tcp->sock);
        kfree(new_triggers.tcp);
+        kfree(new_triggers.nd_config);
        return err;
 }
 #endif
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 0a4f5481ab83..3b0ce1c484a3 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -3011,6 +3011,7 @@ int set_regdom(const struct ieee80211_regdomain *rd,
                break;
        default:
                WARN(1, "invalid initiator %d\n", lr->initiator);
+                kfree(rd);
                return -EINVAL;
        }
@@ -3203,8 +3204,10 @@ int __init regulatory_init(void)
        /* We always try to get an update for the static regdomain */
        err = regulatory_hint_core(cfg80211_world_regdom->alpha2);
        if (err) {
-                if (err == -ENOMEM)
+                if (err == -ENOMEM) {
+                        platform_device_unregister(reg_pdev);
                        return err;
+                }
                /*
                 * N.B. kobject_uevent_env() can fail mainly for when we're out
                 * memory which is handled and propagated appropriately above
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 09bfcbac63bb..948fa5560de5 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -303,6 +303,14 @@ struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
 }
 EXPORT_SYMBOL(xfrm_policy_alloc);
+static void xfrm_policy_destroy_rcu(struct rcu_head *head)
+{
+        struct xfrm_policy *policy = container_of(head, struct xfrm_policy, rcu);
+        security_xfrm_policy_free(policy->security);
+        kfree(policy);
+}
 /* Destroy xfrm_policy: descendant resources must be released to this moment. */
 void xfrm_policy_destroy(struct xfrm_policy *policy)
@@ -312,8 +320,7 @@ void xfrm_policy_destroy(struct xfrm_policy *policy)
        if (del_timer(&policy->timer) || del_timer(&policy->polq.hold_timer))
                BUG();
-        security_xfrm_policy_free(policy->security);
+        call_rcu(&policy->rcu, xfrm_policy_destroy_rcu);
-        kfree(policy);
 }
 EXPORT_SYMBOL(xfrm_policy_destroy);
@@ -1214,8 +1221,10 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
        struct xfrm_policy *pol;
        struct net *net = sock_net(sk);
+        rcu_read_lock();
        read_lock_bh(&net->xfrm.xfrm_policy_lock);
-        if ((pol = sk->sk_policy[dir]) != NULL) {
+        pol = rcu_dereference(sk->sk_policy[dir]);
+        if (pol != NULL) {
                bool match = xfrm_selector_match(&pol->selector, fl,
                                                 sk->sk_family);
                int err = 0;
@@ -1239,6 +1248,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
        }
 out:
        read_unlock_bh(&net->xfrm.xfrm_policy_lock);
+        rcu_read_unlock();
        return pol;
 }
@@ -1307,13 +1317,14 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
 #endif
        write_lock_bh(&net->xfrm.xfrm_policy_lock);
-        old_pol = sk->sk_policy[dir];
+        old_pol = rcu_dereference_protected(sk->sk_policy[dir],
-        sk->sk_policy[dir] = pol;
+                                lockdep_is_held(&net->xfrm.xfrm_policy_lock));
        if (pol) {
                pol->curlft.add_time = get_seconds();
                pol->index = xfrm_gen_index(net, XFRM_POLICY_MAX+dir, 0);
                xfrm_sk_policy_link(pol, dir);
        }
+        rcu_assign_pointer(sk->sk_policy[dir], pol);
        if (old_pol) {
                if (pol)
                        xfrm_policy_requeue(old_pol, pol);
@@ -1361,17 +1372,26 @@ static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
        return newp;
 }
-int __xfrm_sk_clone_policy(struct sock *sk)
+int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
 {
-        struct xfrm_policy *p0 = sk->sk_policy[0],
+        const struct xfrm_policy *p;
-                           *p1 = sk->sk_policy[1];
+        struct xfrm_policy *np;
+        int i, ret = 0;
-        sk->sk_policy[0] = sk->sk_policy[1] = NULL;
+        rcu_read_lock();
-        if (p0 && (sk->sk_policy[0] = clone_policy(p0, 0)) == NULL)
+        for (i = 0; i < 2; i++) {
-                return -ENOMEM;
+                p = rcu_dereference(osk->sk_policy[i]);
-        if (p1 && (sk->sk_policy[1] = clone_policy(p1, 1)) == NULL)
+                if (p) {
-                return -ENOMEM;
+                        np = clone_policy(p, i);
-        return 0;
+                        if (unlikely(!np)) {
+                                ret = -ENOMEM;
+                                break;
+                        }
+                        rcu_assign_pointer(sk->sk_policy[i], np);
+                }
+        }
+        rcu_read_unlock();
+        return ret;
 }
 static int
@@ -2198,6 +2218,7 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
        xdst = NULL;
        route = NULL;
+        sk = sk_const_to_full_sk(sk);
        if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
                num_pols = 1;
                pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
@@ -2477,6 +2498,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
        }
        pol = NULL;
+        sk = sk_to_full_sk(sk);
        if (sk && sk->sk_policy[dir]) {
                pol = xfrm_sk_policy_lookup(sk, dir, &fl);
                if (IS_ERR(pol)) {
author	David S. Miller <davem@davemloft.net>	2015-12-17 22:08:28 -0500
committer	David S. Miller <davem@davemloft.net>	2015-12-17 22:08:28 -0500
commit	b3e0d3d7bab14f2544a3314bec53a23dc7dd2206 (patch)
tree	2bd3c1c1d128e0c362655fa70a6eea02fc856f62 /net
parent	3268e5cb494d8778a5a67a9fa2b1bdb0243b77ad (diff)
parent	73796d8bf27372e26c2b79881947304c14c2d353 (diff)