BackMerge v4.19-rc5 into drm-next

Sean Paul requested an -rc5 backmerge from some sun4i fixes.

Signed-off-by: Dave Airlie <airlied@redhat.com>

82 files changed, 836 insertions, 526 deletions

diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index ae91e2d40056..3a7b0773536b 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -83,6 +83,7 @@ enum {
 
 struct smp_dev {
         /* Secure Connections OOB data */
+        bool                    local_oob;
         u8                      local_pk[64];
         u8                      local_rand[16];
         bool                    debug_key;
@@ -599,6 +600,8 @@ int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
 
         memcpy(rand, smp->local_rand, 16);
 
+        smp->local_oob = true;
+
         return 0;
 }
 
@@ -1785,7 +1788,7 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
          * successfully received our local OOB data - therefore set the
          * flag to indicate that local OOB is in use.
          */
-        if (req->oob_flag == SMP_OOB_PRESENT)
+        if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
                 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
 
         /* SMP over BR/EDR requires special treatment */
@@ -1967,7 +1970,7 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
          * successfully received our local OOB data - therefore set the
          * flag to indicate that local OOB is in use.
          */
-        if (rsp->oob_flag == SMP_OOB_PRESENT)
+        if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
                 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
 
         smp->prsp[0] = SMP_CMD_PAIRING_RSP;
@@ -2697,7 +2700,13 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
          * key was set/generated.
          */
         if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
-                struct smp_dev *smp_dev = chan->data;
+                struct l2cap_chan *hchan = hdev->smp_data;
+                struct smp_dev *smp_dev;
+
+                if (!hchan || !hchan->data)
+                        return SMP_UNSPECIFIED;
+
+                smp_dev = hchan->data;
 
                 tfm_ecdh = smp_dev->tfm_ecdh;
         } else {
@@ -3230,6 +3239,7 @@ static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
                 return ERR_CAST(tfm_ecdh);
         }
 
+        smp->local_oob = false;
         smp->tfm_aes = tfm_aes;
         smp->tfm_cmac = tfm_cmac;
         smp->tfm_ecdh = tfm_ecdh;
diff --git a/net/core/filter.c b/net/core/filter.c
index c25eb36f1320..5e00f2b85a56 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2282,14 +2282,21 @@ static const struct bpf_func_proto bpf_msg_cork_bytes_proto = {
         .arg2_type      = ARG_ANYTHING,
 };
 
+#define sk_msg_iter_var(var)                    \
+        do {                                    \
+                var++;                          \
+                if (var == MAX_SKB_FRAGS)       \
+                        var = 0;                \
+        } while (0)
+
 BPF_CALL_4(bpf_msg_pull_data,
            struct sk_msg_buff *, msg, u32, start, u32, end, u64, flags)
 {
-        unsigned int len = 0, offset = 0, copy = 0;
+        unsigned int len = 0, offset = 0, copy = 0, poffset = 0;
+        int bytes = end - start, bytes_sg_total;
         struct scatterlist *sg = msg->sg_data;
         int first_sg, last_sg, i, shift;
         unsigned char *p, *to, *from;
-        int bytes = end - start;
         struct page *page;
 
         if (unlikely(flags || end <= start))
@@ -2299,21 +2306,22 @@ BPF_CALL_4(bpf_msg_pull_data,
         i = msg->sg_start;
         do {
                 len = sg[i].length;
-                offset += len;
                 if (start < offset + len)
                         break;
-                i++;
-                if (i == MAX_SKB_FRAGS)
-                        i = 0;
+                offset += len;
+                sk_msg_iter_var(i);
         } while (i != msg->sg_end);
 
         if (unlikely(start >= offset + len))
                 return -EINVAL;
 
-        if (!msg->sg_copy[i] && bytes <= len)
-                goto out;
-
         first_sg = i;
+        /* The start may point into the sg element so we need to also
+         * account for the headroom.
+         */
+        bytes_sg_total = start - offset + bytes;
+        if (!msg->sg_copy[i] && bytes_sg_total <= len)
+                goto out;
 
         /* At this point we need to linearize multiple scatterlist
          * elements or a single shared page. Either way we need to
@@ -2327,37 +2335,33 @@ BPF_CALL_4(bpf_msg_pull_data,
          */
         do {
                 copy += sg[i].length;
-                i++;
-                if (i == MAX_SKB_FRAGS)
-                        i = 0;
-                if (bytes < copy)
+                sk_msg_iter_var(i);
+                if (bytes_sg_total <= copy)
                         break;
         } while (i != msg->sg_end);
         last_sg = i;
 
-        if (unlikely(copy < end - start))
+        if (unlikely(bytes_sg_total > copy))
                 return -EINVAL;
 
-        page = alloc_pages(__GFP_NOWARN | GFP_ATOMIC, get_order(copy));
+        page = alloc_pages(__GFP_NOWARN | GFP_ATOMIC | __GFP_COMP,
+                           get_order(copy));
         if (unlikely(!page))
                 return -ENOMEM;
         p = page_address(page);
-        offset = 0;
 
         i = first_sg;
         do {
                 from = sg_virt(&sg[i]);
                 len = sg[i].length;
-                to = p + offset;
+                to = p + poffset;
 
                 memcpy(to, from, len);
-                offset += len;
+                poffset += len;
                 sg[i].length = 0;
                 put_page(sg_page(&sg[i]));
 
-                i++;
-                if (i == MAX_SKB_FRAGS)
-                        i = 0;
+                sk_msg_iter_var(i);
         } while (i != last_sg);
 
         sg[first_sg].length = copy;
@@ -2367,11 +2371,15 @@ BPF_CALL_4(bpf_msg_pull_data,
          * had a single entry though we can just replace it and
          * be done. Otherwise walk the ring and shift the entries.
          */
-        shift = last_sg - first_sg - 1;
+        WARN_ON_ONCE(last_sg == first_sg);
+        shift = last_sg > first_sg ?
+                last_sg - first_sg - 1 :
+                MAX_SKB_FRAGS - first_sg + last_sg - 1;
         if (!shift)
                 goto out;
 
-        i = first_sg + 1;
+        i = first_sg;
+        sk_msg_iter_var(i);
         do {
                 int move_from;
 
@@ -2388,15 +2396,13 @@ BPF_CALL_4(bpf_msg_pull_data,
                 sg[move_from].page_link = 0;
                 sg[move_from].offset = 0;
 
-                i++;
-                if (i == MAX_SKB_FRAGS)
-                        i = 0;
+                sk_msg_iter_var(i);
         } while (1);
         msg->sg_end -= shift;
         if (msg->sg_end < 0)
                 msg->sg_end += MAX_SKB_FRAGS;
 out:
-        msg->data = sg_virt(&sg[i]) + start - offset;
+        msg->data = sg_virt(&sg[first_sg]) + start - offset;
         msg->data_end = msg->data + bytes;
 
         return 0;
@@ -7281,7 +7287,7 @@ static u32 sk_reuseport_convert_ctx_access(enum bpf_access_type type,
                 break;
 
         case offsetof(struct sk_reuseport_md, ip_protocol):
-                BUILD_BUG_ON(hweight_long(SK_FL_PROTO_MASK) != BITS_PER_BYTE);
+                BUILD_BUG_ON(HWEIGHT32(SK_FL_PROTO_MASK) != BITS_PER_BYTE);
                 SK_REUSEPORT_LOAD_SK_FIELD_SIZE_OFF(__sk_flags_offset,
                                                     BPF_W, 0);
                 *insn++ = BPF_ALU32_IMM(BPF_AND, si->dst_reg, SK_FL_PROTO_MASK);
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index aa19d86937af..91592fceeaad 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1180,6 +1180,12 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
                 lladdr = neigh->ha;
         }
 
+        /* Update confirmed timestamp for neighbour entry after we
+         * received ARP packet even if it doesn't change IP to MAC binding.
+         */
+        if (new & NUD_CONNECTED)
+                neigh->confirmed = jiffies;
+
         /* If entry was valid and address is not changed,
            do not change entry state, if new one is STALE.
          */
@@ -1201,15 +1207,12 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
                 }
         }
 
-        /* Update timestamps only once we know we will make a change to the
+        /* Update timestamp only once we know we will make a change to the
          * neighbour entry. Otherwise we risk to move the locktime window with
          * noop updates and ignore relevant ARP updates.
          */
-        if (new != old || lladdr != neigh->ha) {
-                if (new & NUD_CONNECTED)
-                        neigh->confirmed = jiffies;
+        if (new != old || lladdr != neigh->ha)
                 neigh->updated = jiffies;
-        }
 
         if (new != old) {
                 neigh_del_timer(neigh);
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 24431e578310..63ce2283a456 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -324,6 +324,10 @@ void rtnl_unregister_all(int protocol)
 
         rtnl_lock();
         tab = rtnl_msg_handlers[protocol];
+        if (!tab) {
+                rtnl_unlock();
+                return;
+        }
         RCU_INIT_POINTER(rtnl_msg_handlers[protocol], NULL);
         for (msgindex = 0; msgindex < RTM_NR_MSGTYPES; msgindex++) {
                 link = tab[msgindex];
@@ -2806,7 +2810,7 @@ int rtnl_configure_link(struct net_device *dev, const struct ifinfomsg *ifm)
         }
 
         if (dev->rtnl_link_state == RTNL_LINK_INITIALIZED) {
-                __dev_notify_flags(dev, old_flags, 0U);
+                __dev_notify_flags(dev, old_flags, (old_flags ^ dev->flags));
         } else {
                 dev->rtnl_link_state = RTNL_LINK_INITIALIZED;
                 __dev_notify_flags(dev, old_flags, ~0U);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index c996c09d095f..b2c807f67aba 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -939,9 +939,6 @@ struct ubuf_info *sock_zerocopy_alloc(struct sock *sk, size_t size)
 
         WARN_ON_ONCE(!in_task());
 
-        if (!sock_flag(sk, SOCK_ZEROCOPY))
-                return NULL;
-
         skb = sock_omalloc(sk, 0, GFP_KERNEL);
         if (!skb)
                 return NULL;
diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
index e63c554e0623..9f3209ff7ffd 100644
--- a/net/dsa/dsa.c
+++ b/net/dsa/dsa.c
@@ -19,12 +19,10 @@
 #include <linux/of_mdio.h>
 #include <linux/of_platform.h>
 #include <linux/of_net.h>
-#include <linux/of_gpio.h>
 #include <linux/netdevice.h>
 #include <linux/sysfs.h>
 #include <linux/phy_fixed.h>
 #include <linux/ptp_classify.h>
-#include <linux/gpio/consumer.h>
 #include <linux/etherdevice.h>
 
 #include "dsa_priv.h"
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 20fda8fb8ffd..1fbe2f815474 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1377,6 +1377,7 @@ struct sk_buff *inet_gso_segment(struct sk_buff *skb,
                 if (encap)
                         skb_reset_inner_headers(skb);
                 skb->network_header = (u8 *)iph - skb->head;
+                skb_reset_mac_len(skb);
         } while ((skb = skb->next));
 
 out:
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index cf75f8944b05..4da39446da2d 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -820,10 +820,9 @@ static void igmp_timer_expire(struct timer_list *t)
         spin_lock(&im->lock);
         im->tm_running = 0;
 
-        if (im->unsolicit_count) {
-                im->unsolicit_count--;
+        if (im->unsolicit_count && --im->unsolicit_count)
                 igmp_start_timer(im, unsolicited_report_interval(in_dev));
-        }
+
         im->reporter = 1;
         spin_unlock(&im->lock);
 
@@ -1308,6 +1307,8 @@ static void igmp_group_added(struct ip_mc_list *im)
 
         if (in_dev->dead)
                 return;
+
+        im->unsolicit_count = net->ipv4.sysctl_igmp_qrv;
         if (IGMP_V1_SEEN(in_dev) || IGMP_V2_SEEN(in_dev)) {
                 spin_lock_bh(&im->lock);
                 igmp_start_timer(im, IGMP_INITIAL_REPORT_DELAY);
@@ -1391,9 +1392,6 @@ static void __ip_mc_inc_group(struct in_device *in_dev, __be32 addr,
                               unsigned int mode)
 {
         struct ip_mc_list *im;
-#ifdef CONFIG_IP_MULTICAST
-        struct net *net = dev_net(in_dev->dev);
-#endif
 
         ASSERT_RTNL();
 
@@ -1420,7 +1418,6 @@ static void __ip_mc_inc_group(struct in_device *in_dev, __be32 addr,
         spin_lock_init(&im->lock);
 #ifdef CONFIG_IP_MULTICAST
         timer_setup(&im->timer, igmp_timer_expire, 0);
-        im->unsolicit_count = net->ipv4.sysctl_igmp_qrv;
 #endif
 
         im->next_rcu = in_dev->mc_list;
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 88281fbce88c..e7227128df2c 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -599,6 +599,7 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb,
                         nextp = &fp->next;
                         fp->prev = NULL;
                         memset(&fp->rbnode, 0, sizeof(fp->rbnode));
+                        fp->sk = NULL;
                         head->data_len += fp->len;
                         head->len += fp->len;
                         if (head->ip_summed != fp->ip_summed)
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 51a5d06085ac..8cce0e9ea08c 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -178,6 +178,9 @@ static void ipgre_err(struct sk_buff *skb, u32 info,
 
         if (tpi->proto == htons(ETH_P_TEB))
                 itn = net_generic(net, gre_tap_net_id);
+        else if (tpi->proto == htons(ETH_P_ERSPAN) ||
+                 tpi->proto == htons(ETH_P_ERSPAN2))
+                itn = net_generic(net, erspan_net_id);
         else
                 itn = net_generic(net, ipgre_net_id);
 
@@ -328,6 +331,8 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
                 ip_tunnel_rcv(tunnel, skb, tpi, tun_dst, log_ecn_error);
                 return PACKET_RCVD;
         }
+        return PACKET_REJECT;
+
 drop:
         kfree_skb(skb);
         return PACKET_RCVD;
@@ -1508,11 +1513,14 @@ nla_put_failure:
 
 static void erspan_setup(struct net_device *dev)
 {
+        struct ip_tunnel *t = netdev_priv(dev);
+
         ether_setup(dev);
         dev->netdev_ops = &erspan_netdev_ops;
         dev->priv_flags &= ~IFF_TX_SKB_SHARING;
         dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
         ip_tunnel_setup(dev, erspan_net_id);
+        t->erspan_ver = 1;
 }
 
 static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index d9504adc47b3..184bf2e0a1ed 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -106,6 +106,10 @@ config NF_NAT_IPV4
 
 if NF_NAT_IPV4
 
+config NF_NAT_MASQUERADE_IPV4
+        bool
+
+if NF_TABLES
 config NFT_CHAIN_NAT_IPV4
         depends on NF_TABLES_IPV4
         tristate "IPv4 nf_tables nat chain support"
@@ -115,9 +119,6 @@ config NFT_CHAIN_NAT_IPV4
           packet transformations such as the source, destination address and
           source and destination ports.
 
-config NF_NAT_MASQUERADE_IPV4
-        bool
-
 config NFT_MASQ_IPV4
         tristate "IPv4 masquerading support for nf_tables"
         depends on NF_TABLES_IPV4
@@ -135,6 +136,7 @@ config NFT_REDIR_IPV4
         help
           This is the expression that provides IPv4 redirect support for
           nf_tables.
+endif # NF_TABLES
 
 config NF_NAT_SNMP_BASIC
         tristate "Basic SNMP-ALG support"
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index b8af2fec5ad5..10c6246396cc 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1185,7 +1185,7 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
 
         flags = msg->msg_flags;
 
-        if (flags & MSG_ZEROCOPY && size) {
+        if (flags & MSG_ZEROCOPY && size && sock_flag(sk, SOCK_ZEROCOPY)) {
                 if (sk->sk_state != TCP_ESTABLISHED) {
                         err = -EINVAL;
                         goto out_err;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 4c2dd9f863f7..4cf2f7bb2802 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -6367,8 +6367,8 @@ static bool tcp_syn_flood_action(const struct sock *sk,
         if (!queue->synflood_warned &&
             net->ipv4.sysctl_tcp_syncookies != 2 &&
             xchg(&queue->synflood_warned, 1) == 0)
-                pr_info("%s: Possible SYN flooding on port %d. %s.  Check SNMP counters.\n",
-                        proto, ntohs(tcp_hdr(skb)->dest), msg);
+                net_info_ratelimited("%s: Possible SYN flooding on port %d. %s.  Check SNMP counters.\n",
+                                     proto, ntohs(tcp_hdr(skb)->dest), msg);
 
         return want_cookie;
 }
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 75ef332a7caf..12affb7864d9 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -184,8 +184,9 @@ kill:
                                 inet_twsk_deschedule_put(tw);
                                 return TCP_TW_SUCCESS;
                         }
+                } else {
+                        inet_twsk_reschedule(tw, TCP_TIMEWAIT_LEN);
                 }
-                inet_twsk_reschedule(tw, TCP_TIMEWAIT_LEN);
 
                 if (tmp_opt.saw_tstamp) {
                         tcptw->tw_ts_recent       = tmp_opt.rcv_tsval;
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index f4e35b2ff8b8..7d69dd6fa7e8 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2124,6 +2124,28 @@ static inline int udp4_csum_init(struct sk_buff *skb, struct udphdr *uh,
                                                          inet_compute_pseudo);
 }
 
+/* wrapper for udp_queue_rcv_skb tacking care of csum conversion and
+ * return code conversion for ip layer consumption
+ */
+static int udp_unicast_rcv_skb(struct sock *sk, struct sk_buff *skb,
+                               struct udphdr *uh)
+{
+        int ret;
+
+        if (inet_get_convert_csum(sk) && uh->check && !IS_UDPLITE(sk))
+                skb_checksum_try_convert(skb, IPPROTO_UDP, uh->check,
+                                         inet_compute_pseudo);
+
+        ret = udp_queue_rcv_skb(sk, skb);
+
+        /* a return value > 0 means to resubmit the input, but
+         * it wants the return to be -protocol, or 0
+         */
+        if (ret > 0)
+                return -ret;
+        return 0;
+}
+
 /*
  *      All we need to do is get the socket, and then do a checksum.
  */
@@ -2170,14 +2192,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
                 if (unlikely(sk->sk_rx_dst != dst))
                         udp_sk_rx_dst_set(sk, dst);
 
-                ret = udp_queue_rcv_skb(sk, skb);
+                ret = udp_unicast_rcv_skb(sk, skb, uh);
                 sock_put(sk);
-                /* a return value > 0 means to resubmit the input, but
-                 * it wants the return to be -protocol, or 0
-                 */
-                if (ret > 0)
-                        return -ret;
-                return 0;
+                return ret;
         }
 
         if (rt->rt_flags & (RTCF_BROADCAST|RTCF_MULTICAST))
@@ -2185,22 +2202,8 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
                                                 saddr, daddr, udptable, proto);
 
         sk = __udp4_lib_lookup_skb(skb, uh->source, uh->dest, udptable);
-        if (sk) {
-                int ret;
-
-                if (inet_get_convert_csum(sk) && uh->check && !IS_UDPLITE(sk))
-                        skb_checksum_try_convert(skb, IPPROTO_UDP, uh->check,
-                                                 inet_compute_pseudo);
-
-                ret = udp_queue_rcv_skb(sk, skb);
-
-                /* a return value > 0 means to resubmit the input, but
-                 * it wants the return to be -protocol, or 0
-                 */
-                if (ret > 0)
-                        return -ret;
-                return 0;
-        }
+        if (sk)
+                return udp_unicast_rcv_skb(sk, skb, uh);
 
         if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
                 goto drop;
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 673bba31eb18..9a4261e50272 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -938,14 +938,14 @@ static int __init inet6_init(void)
 
         err = proto_register(&pingv6_prot, 1);
         if (err)
-                goto out_unregister_ping_proto;
+                goto out_unregister_raw_proto;
 
         /* We MUST register RAW sockets before we create the ICMP6,
          * IGMP6, or NDISC control sockets.
          */
         err = rawv6_init();
         if (err)
-                goto out_unregister_raw_proto;
+                goto out_unregister_ping_proto;
 
         /* Register the family here so that the init calls below will
          * be able to create sockets. (?? is this dangerous ??)
@@ -1113,11 +1113,11 @@ netfilter_fail:
 igmp_fail:
         ndisc_cleanup();
 ndisc_fail:
-        ip6_mr_cleanup();
+        icmpv6_cleanup();
 icmp_fail:
-        unregister_pernet_subsys(&inet6_net_ops);
+        ip6_mr_cleanup();
 ipmr_fail:
-        icmpv6_cleanup();
+        unregister_pernet_subsys(&inet6_net_ops);
 register_pernet_fail:
         sock_unregister(PF_INET6);
         rtnl_unregister_all(PF_INET6);
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index c861a6d4671d..5516f55e214b 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -989,7 +989,10 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
                                         fib6_clean_expires(iter);
                                 else
                                         fib6_set_expires(iter, rt->expires);
-                                fib6_metric_set(iter, RTAX_MTU, rt->fib6_pmtu);
+
+                                if (rt->fib6_pmtu)
+                                        fib6_metric_set(iter, RTAX_MTU,
+                                                        rt->fib6_pmtu);
                                 return -EEXIST;
                         }
                         /* If we have the same destination and the same metric,
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 18a3794b0f52..e493b041d4ac 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1778,6 +1778,7 @@ static void ip6gre_netlink_parms(struct nlattr *data[],
         if (data[IFLA_GRE_COLLECT_METADATA])
                 parms->collect_md = true;
 
+        parms->erspan_ver = 1;
         if (data[IFLA_GRE_ERSPAN_VER])
                 parms->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]);
 
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index 37ff4805b20c..c7e495f12011 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -115,6 +115,7 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
                         payload_len = skb->len - nhoff - sizeof(*ipv6h);
                 ipv6h->payload_len = htons(payload_len);
                 skb->network_header = (u8 *)ipv6h - skb->head;
+                skb_reset_mac_len(skb);
 
                 if (udpfrag) {
                         int err = ip6_find_1stfragopt(skb, &prevhdr);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 16f200f06500..f9f8f554d141 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -219,12 +219,10 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
                                 kfree_skb(skb);
                                 return -ENOBUFS;
                         }
+                        if (skb->sk)
+                                skb_set_owner_w(skb2, skb->sk);
                         consume_skb(skb);
                         skb = skb2;
-                        /* skb_set_owner_w() changes sk->sk_wmem_alloc atomically,
-                         * it is safe to call in our context (socket lock not held)
-                         */
-                        skb_set_owner_w(skb, (struct sock *)sk);
                 }
                 if (opt->opt_flen)
                         ipv6_push_frag_opts(skb, opt, &proto);
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 5df2a58d945c..419960b0ba16 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1188,7 +1188,15 @@ route_lookup:
                 init_tel_txopt(&opt, encap_limit);
                 ipv6_push_frag_opts(skb, &opt.ops, &proto);
         }
-        hop_limit = hop_limit ? : ip6_dst_hoplimit(dst);
+
+        if (hop_limit == 0) {
+                if (skb->protocol == htons(ETH_P_IP))
+                        hop_limit = ip_hdr(skb)->ttl;
+                else if (skb->protocol == htons(ETH_P_IPV6))
+                        hop_limit = ipv6_hdr(skb)->hop_limit;
+                else
+                        hop_limit = ip6_dst_hoplimit(dst);
+        }
 
         /* Calculate max headroom for all the headers and adjust
          * needed_headroom if necessary.
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index 5095367c7204..eeaf7455d51e 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -481,7 +481,7 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
         }
 
         mtu = dst_mtu(dst);
-        if (!skb->ignore_df && skb->len > mtu) {
+        if (skb->len > mtu) {
                 skb_dst_update_pmtu(skb, mtu);
 
                 if (skb->protocol == htons(ETH_P_IPV6)) {
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 2a14d8b65924..8f68a518d9db 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -445,6 +445,7 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *prev,  struct net_devic
                 else if (head->ip_summed == CHECKSUM_COMPLETE)
                         head->csum = csum_add(head->csum, fp->csum);
                 head->truesize += fp->truesize;
+                fp->sk = NULL;
         }
         sub_frag_mem_limit(fq->q.net, head->truesize);
 
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index c4ea13e8360b..480a79f47c52 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -946,8 +946,6 @@ static void ip6_rt_init_dst_reject(struct rt6_info *rt, struct fib6_info *ort)
 
 static void ip6_rt_init_dst(struct rt6_info *rt, struct fib6_info *ort)
 {
-        rt->dst.flags |= fib6_info_dst_flags(ort);
-
         if (ort->fib6_flags & RTF_REJECT) {
                 ip6_rt_init_dst_reject(rt, ort);
                 return;
@@ -996,7 +994,6 @@ static void ip6_rt_copy_init(struct rt6_info *rt, struct fib6_info *ort)
         rt->rt6i_src = ort->fib6_src;
 #endif
         rt->rt6i_prefsrc = ort->fib6_prefsrc;
-        rt->dst.lwtstate = lwtstate_get(ort->fib6_nh.nh_lwtstate);
 }
 
 static struct fib6_node* fib6_backtrack(struct fib6_node *fn,
@@ -4671,20 +4668,31 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb,
                          int iif, int type, u32 portid, u32 seq,
                          unsigned int flags)
 {
-        struct rtmsg *rtm;
+        struct rt6_info *rt6 = (struct rt6_info *)dst;
+        struct rt6key *rt6_dst, *rt6_src;
+        u32 *pmetrics, table, rt6_flags;
         struct nlmsghdr *nlh;
+        struct rtmsg *rtm;
         long expires = 0;
-        u32 *pmetrics;
-        u32 table;
 
         nlh = nlmsg_put(skb, portid, seq, type, sizeof(*rtm), flags);
         if (!nlh)
                 return -EMSGSIZE;
 
+        if (rt6) {
+                rt6_dst = &rt6->rt6i_dst;
+                rt6_src = &rt6->rt6i_src;
+                rt6_flags = rt6->rt6i_flags;
+        } else {
+                rt6_dst = &rt->fib6_dst;
+                rt6_src = &rt->fib6_src;
+                rt6_flags = rt->fib6_flags;
+        }
+
         rtm = nlmsg_data(nlh);
         rtm->rtm_family = AF_INET6;
-        rtm->rtm_dst_len = rt->fib6_dst.plen;
-        rtm->rtm_src_len = rt->fib6_src.plen;
+        rtm->rtm_dst_len = rt6_dst->plen;
+        rtm->rtm_src_len = rt6_src->plen;
         rtm->rtm_tos = 0;
         if (rt->fib6_table)
                 table = rt->fib6_table->tb6_id;
@@ -4699,7 +4707,7 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb,
         rtm->rtm_scope = RT_SCOPE_UNIVERSE;
         rtm->rtm_protocol = rt->fib6_protocol;
 
-        if (rt->fib6_flags & RTF_CACHE)
+        if (rt6_flags & RTF_CACHE)
                 rtm->rtm_flags |= RTM_F_CLONED;
 
         if (dest) {
@@ -4707,7 +4715,7 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb,
                         goto nla_put_failure;
                 rtm->rtm_dst_len = 128;
         } else if (rtm->rtm_dst_len)
-                if (nla_put_in6_addr(skb, RTA_DST, &rt->fib6_dst.addr))
+                if (nla_put_in6_addr(skb, RTA_DST, &rt6_dst->addr))
                         goto nla_put_failure;
 #ifdef CONFIG_IPV6_SUBTREES
         if (src) {
@@ -4715,12 +4723,12 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb,
                         goto nla_put_failure;
                 rtm->rtm_src_len = 128;
         } else if (rtm->rtm_src_len &&
-                   nla_put_in6_addr(skb, RTA_SRC, &rt->fib6_src.addr))
+                   nla_put_in6_addr(skb, RTA_SRC, &rt6_src->addr))
                 goto nla_put_failure;
 #endif
         if (iif) {
 #ifdef CONFIG_IPV6_MROUTE
-                if (ipv6_addr_is_multicast(&rt->fib6_dst.addr)) {
+                if (ipv6_addr_is_multicast(&rt6_dst->addr)) {
                         int err = ip6mr_get_route(net, skb, rtm, portid);
 
                         if (err == 0)
@@ -4755,7 +4763,14 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb,
         /* For multipath routes, walk the siblings list and add
          * each as a nexthop within RTA_MULTIPATH.
          */
-        if (rt->fib6_nsiblings) {
+        if (rt6) {
+                if (rt6_flags & RTF_GATEWAY &&
+                    nla_put_in6_addr(skb, RTA_GATEWAY, &rt6->rt6i_gateway))
+                        goto nla_put_failure;
+
+                if (dst->dev && nla_put_u32(skb, RTA_OIF, dst->dev->ifindex))
+                        goto nla_put_failure;
+        } else if (rt->fib6_nsiblings) {
                 struct fib6_info *sibling, *next_sibling;
                 struct nlattr *mp;
 
@@ -4778,7 +4793,7 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb,
                         goto nla_put_failure;
         }
 
-        if (rt->fib6_flags & RTF_EXPIRES) {
+        if (rt6_flags & RTF_EXPIRES) {
                 expires = dst ? dst->expires : rt->expires;
                 expires -= jiffies;
         }
@@ -4786,7 +4801,7 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb,
         if (rtnl_put_cacheinfo(skb, dst, 0, expires, dst ? dst->error : 0) < 0)
                 goto nla_put_failure;
 
-        if (nla_put_u8(skb, RTA_PREF, IPV6_EXTRACT_PREF(rt->fib6_flags)))
+        if (nla_put_u8(skb, RTA_PREF, IPV6_EXTRACT_PREF(rt6_flags)))
                 goto nla_put_failure;
 
 
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 83f4c77c79d8..28c4aa5078fc 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -752,6 +752,28 @@ static void udp6_sk_rx_dst_set(struct sock *sk, struct dst_entry *dst)
         }
 }
 
+/* wrapper for udp_queue_rcv_skb tacking care of csum conversion and
+ * return code conversion for ip layer consumption
+ */
+static int udp6_unicast_rcv_skb(struct sock *sk, struct sk_buff *skb,
+                                struct udphdr *uh)
+{
+        int ret;
+
+        if (inet_get_convert_csum(sk) && uh->check && !IS_UDPLITE(sk))
+                skb_checksum_try_convert(skb, IPPROTO_UDP, uh->check,
+                                         ip6_compute_pseudo);
+
+        ret = udpv6_queue_rcv_skb(sk, skb);
+
+        /* a return value > 0 means to resubmit the input, but
+         * it wants the return to be -protocol, or 0
+         */
+        if (ret > 0)
+                return -ret;
+        return 0;
+}
+
 int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
                    int proto)
 {
@@ -803,13 +825,14 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
                 if (unlikely(sk->sk_rx_dst != dst))
                         udp6_sk_rx_dst_set(sk, dst);
 
-                ret = udpv6_queue_rcv_skb(sk, skb);
-                sock_put(sk);
+                if (!uh->check && !udp_sk(sk)->no_check6_rx) {
+                        sock_put(sk);
+                        goto report_csum_error;
+                }
 
-                /* a return value > 0 means to resubmit the input */
-                if (ret > 0)
-                        return ret;
-                return 0;
+                ret = udp6_unicast_rcv_skb(sk, skb, uh);
+                sock_put(sk);
+                return ret;
         }
 
         /*
@@ -822,30 +845,13 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
         /* Unicast */
         sk = __udp6_lib_lookup_skb(skb, uh->source, uh->dest, udptable);
         if (sk) {
-                int ret;
-
-                if (!uh->check && !udp_sk(sk)->no_check6_rx) {
-                        udp6_csum_zero_error(skb);
-                        goto csum_error;
-                }
-
-                if (inet_get_convert_csum(sk) && uh->check && !IS_UDPLITE(sk))
-                        skb_checksum_try_convert(skb, IPPROTO_UDP, uh->check,
-                                                 ip6_compute_pseudo);
-
-                ret = udpv6_queue_rcv_skb(sk, skb);
-
-                /* a return value > 0 means to resubmit the input */
-                if (ret > 0)
-                        return ret;
-
-                return 0;
+                if (!uh->check && !udp_sk(sk)->no_check6_rx)
+                        goto report_csum_error;
+                return udp6_unicast_rcv_skb(sk, skb, uh);
         }
 
-        if (!uh->check) {
-                udp6_csum_zero_error(skb);
-                goto csum_error;
-        }
+        if (!uh->check)
+                goto report_csum_error;
 
         if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
                 goto discard;
@@ -866,6 +872,9 @@ short_packet:
                             ulen, skb->len,
                             daddr, ntohs(uh->dest));
         goto discard;
+
+report_csum_error:
+        udp6_csum_zero_error(skb);
 csum_error:
         __UDP6_INC_STATS(net, UDP_MIB_CSUMERRORS, proto == IPPROTO_UDPLITE);
 discard:
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index a21d8ed0a325..e2f16a0173a9 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -351,20 +351,28 @@ static int afiucv_hs_send(struct iucv_message *imsg, struct sock *sock,
                 memcpy(&phs_hdr->iucv_hdr, imsg, sizeof(struct iucv_message));
 
         skb->dev = iucv->hs_dev;
-        if (!skb->dev)
-                return -ENODEV;
-        if (!(skb->dev->flags & IFF_UP) || !netif_carrier_ok(skb->dev))
-                return -ENETDOWN;
+        if (!skb->dev) {
+                err = -ENODEV;
+                goto err_free;
+        }
+        if (!(skb->dev->flags & IFF_UP) || !netif_carrier_ok(skb->dev)) {
+                err = -ENETDOWN;
+                goto err_free;
+        }
         if (skb->len > skb->dev->mtu) {
-                if (sock->sk_type == SOCK_SEQPACKET)
-                        return -EMSGSIZE;
-                else
-                        skb_trim(skb, skb->dev->mtu);
+                if (sock->sk_type == SOCK_SEQPACKET) {
+                        err = -EMSGSIZE;
+                        goto err_free;
+                }
+                skb_trim(skb, skb->dev->mtu);
         }
         skb->protocol = cpu_to_be16(ETH_P_AF_IUCV);
         nskb = skb_clone(skb, GFP_ATOMIC);
-        if (!nskb)
-                return -ENOMEM;
+        if (!nskb) {
+                err = -ENOMEM;
+                goto err_free;
+        }
+
         skb_queue_tail(&iucv->send_skb_q, nskb);
         err = dev_queue_xmit(skb);
         if (net_xmit_eval(err)) {
@@ -375,6 +383,10 @@ static int afiucv_hs_send(struct iucv_message *imsg, struct sock *sock,
                 WARN_ON(atomic_read(&iucv->msg_recv) < 0);
         }
         return net_xmit_eval(err);
+
+err_free:
+        kfree_skb(skb);
+        return err;
 }
 
 static struct sock *__iucv_get_sock_by_name(char *nm)
@@ -1167,7 +1179,7 @@ static int iucv_sock_sendmsg(struct socket *sock, struct msghdr *msg,
                 err = afiucv_hs_send(&txmsg, sk, skb, 0);
                 if (err) {
                         atomic_dec(&iucv->msg_sent);
-                        goto fail;
+                        goto out;
                 }
         } else { /* Classic VM IUCV transport */
                 skb_queue_tail(&iucv->send_skb_q, skb);
@@ -2155,8 +2167,8 @@ static int afiucv_hs_rcv(struct sk_buff *skb, struct net_device *dev,
         struct sock *sk;
         struct iucv_sock *iucv;
         struct af_iucv_trans_hdr *trans_hdr;
+        int err = NET_RX_SUCCESS;
         char nullstring[8];
-        int err = 0;
 
         if (skb->len < (ETH_HLEN + sizeof(struct af_iucv_trans_hdr))) {
                 WARN_ONCE(1, "AF_IUCV too short skb, len=%d, min=%d",
@@ -2254,7 +2266,7 @@ static int afiucv_hs_rcv(struct sk_buff *skb, struct net_device *dev,
                 err = afiucv_hs_callback_rx(sk, skb);
                 break;
         default:
-                ;
+                kfree_skb(skb);
         }
 
         return err;
diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
index 8f7ef167c45a..eb502c6290c2 100644
--- a/net/iucv/iucv.c
+++ b/net/iucv/iucv.c
@@ -1874,7 +1874,7 @@ static void iucv_pm_complete(struct device *dev)
  * Returns 0 if there are still iucv pathes defined
  *         1 if there are no iucv pathes defined
  */
-int iucv_path_table_empty(void)
+static int iucv_path_table_empty(void)
 {
         int i;
 
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 6449a1c2283b..f0f5fedb8caa 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -947,8 +947,8 @@ static void ieee80211_rx_mgmt_deauth_ibss(struct ieee80211_sub_if_data *sdata,
         if (len < IEEE80211_DEAUTH_FRAME_LEN)
                 return;
 
-        ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM BSSID=%pM (reason: %d)\n",
-                 mgmt->sa, mgmt->da, mgmt->bssid, reason);
+        ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
+        ibss_dbg(sdata, "\tBSSID=%pM (reason: %d)\n", mgmt->bssid, reason);
         sta_info_destroy_addr(sdata, mgmt->sa);
 }
 
@@ -966,9 +966,9 @@ static void ieee80211_rx_mgmt_auth_ibss(struct ieee80211_sub_if_data *sdata,
         auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg);
         auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction);
 
-        ibss_dbg(sdata,
-                 "RX Auth SA=%pM DA=%pM BSSID=%pM (auth_transaction=%d)\n",
-                 mgmt->sa, mgmt->da, mgmt->bssid, auth_transaction);
+        ibss_dbg(sdata, "RX Auth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
+        ibss_dbg(sdata, "\tBSSID=%pM (auth_transaction=%d)\n",
+                 mgmt->bssid, auth_transaction);
 
         if (auth_alg != WLAN_AUTH_OPEN || auth_transaction != 1)
                 return;
@@ -1175,10 +1175,10 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
                 rx_timestamp = drv_get_tsf(local, sdata);
         }
 
-        ibss_dbg(sdata,
-                 "RX beacon SA=%pM BSSID=%pM TSF=0x%llx BCN=0x%llx diff=%lld @%lu\n",
+        ibss_dbg(sdata, "RX beacon SA=%pM BSSID=%pM TSF=0x%llx\n",
                  mgmt->sa, mgmt->bssid,
-                 (unsigned long long)rx_timestamp,
+                 (unsigned long long)rx_timestamp);
+        ibss_dbg(sdata, "\tBCN=0x%llx diff=%lld @%lu\n",
                  (unsigned long long)beacon_timestamp,
                  (unsigned long long)(rx_timestamp - beacon_timestamp),
                  jiffies);
@@ -1537,9 +1537,9 @@ static void ieee80211_rx_mgmt_probe_req(struct ieee80211_sub_if_data *sdata,
 
         tx_last_beacon = drv_tx_last_beacon(local);
 
-        ibss_dbg(sdata,
-                 "RX ProbeReq SA=%pM DA=%pM BSSID=%pM (tx_last_beacon=%d)\n",
-                 mgmt->sa, mgmt->da, mgmt->bssid, tx_last_beacon);
+        ibss_dbg(sdata, "RX ProbeReq SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
+        ibss_dbg(sdata, "\tBSSID=%pM (tx_last_beacon=%d)\n",
+                 mgmt->bssid, tx_last_beacon);
 
         if (!tx_last_beacon && is_multicast_ether_addr(mgmt->da))
                 return;
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 4fb2709cb527..513627896204 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -256,8 +256,27 @@ static void ieee80211_restart_work(struct work_struct *work)
 
         flush_work(&local->radar_detected_work);
         rtnl_lock();
-        list_for_each_entry(sdata, &local->interfaces, list)
+        list_for_each_entry(sdata, &local->interfaces, list) {
+                /*
+                 * XXX: there may be more work for other vif types and even
+                 * for station mode: a good thing would be to run most of
+                 * the iface type's dependent _stop (ieee80211_mg_stop,
+                 * ieee80211_ibss_stop) etc...
+                 * For now, fix only the specific bug that was seen: race
+                 * between csa_connection_drop_work and us.
+                 */
+                if (sdata->vif.type == NL80211_IFTYPE_STATION) {
+                        /*
+                         * This worker is scheduled from the iface worker that
+                         * runs on mac80211's workqueue, so we can't be
+                         * scheduling this worker after the cancel right here.
+                         * The exception is ieee80211_chswitch_done.
+                         * Then we can have a race...
+                         */
+                        cancel_work_sync(&sdata->u.mgd.csa_connection_drop_work);
+                }
                 flush_delayed_work(&sdata->dec_tailroom_needed_wk);
+        }
         ieee80211_scan_cancel(local);
 
         /* make sure any new ROC will consider local->in_reconfig */
@@ -471,10 +490,7 @@ static const struct ieee80211_vht_cap mac80211_vht_capa_mod_mask = {
                 cpu_to_le32(IEEE80211_VHT_CAP_RXLDPC |
                             IEEE80211_VHT_CAP_SHORT_GI_80 |
                             IEEE80211_VHT_CAP_SHORT_GI_160 |
-                            IEEE80211_VHT_CAP_RXSTBC_1 |
-                            IEEE80211_VHT_CAP_RXSTBC_2 |
-                            IEEE80211_VHT_CAP_RXSTBC_3 |
-                            IEEE80211_VHT_CAP_RXSTBC_4 |
+                            IEEE80211_VHT_CAP_RXSTBC_MASK |
                             IEEE80211_VHT_CAP_TXSTBC |
                             IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE |
                             IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE |
@@ -1208,6 +1224,7 @@ void ieee80211_unregister_hw(struct ieee80211_hw *hw)
 #if IS_ENABLED(CONFIG_IPV6)
         unregister_inet6addr_notifier(&local->ifa6_notifier);
 #endif
+        ieee80211_txq_teardown_flows(local);
 
         rtnl_lock();
 
@@ -1236,7 +1253,6 @@ void ieee80211_unregister_hw(struct ieee80211_hw *hw)
         skb_queue_purge(&local->skb_queue);
         skb_queue_purge(&local->skb_queue_unreliable);
         skb_queue_purge(&local->skb_queue_tdls_chsw);
-        ieee80211_txq_teardown_flows(local);
 
         destroy_workqueue(local->workqueue);
         wiphy_unregister(local->hw.wiphy);
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 35ad3983ae4b..daf9db3c8f24 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -572,6 +572,10 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata,
                 forward = false;
                 reply = true;
                 target_metric = 0;
+
+                if (SN_GT(target_sn, ifmsh->sn))
+                        ifmsh->sn = target_sn;
+
                 if (time_after(jiffies, ifmsh->last_sn_update +
                                         net_traversal_jiffies(sdata)) ||
                     time_before(jiffies, ifmsh->last_sn_update)) {
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 7fb9957359a3..3dbecae4be73 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1073,6 +1073,10 @@ static void ieee80211_chswitch_work(struct work_struct *work)
          */
 
         if (sdata->reserved_chanctx) {
+                struct ieee80211_supported_band *sband = NULL;
+                struct sta_info *mgd_sta = NULL;
+                enum ieee80211_sta_rx_bandwidth bw = IEEE80211_STA_RX_BW_20;
+
                 /*
                  * with multi-vif csa driver may call ieee80211_csa_finish()
                  * many times while waiting for other interfaces to use their
@@ -1081,6 +1085,48 @@ static void ieee80211_chswitch_work(struct work_struct *work)
                 if (sdata->reserved_ready)
                         goto out;
 
+                if (sdata->vif.bss_conf.chandef.width !=
+                    sdata->csa_chandef.width) {
+                        /*
+                         * For managed interface, we need to also update the AP
+                         * station bandwidth and align the rate scale algorithm
+                         * on the bandwidth change. Here we only consider the
+                         * bandwidth of the new channel definition (as channel
+                         * switch flow does not have the full HT/VHT/HE
+                         * information), assuming that if additional changes are
+                         * required they would be done as part of the processing
+                         * of the next beacon from the AP.
+                         */
+                        switch (sdata->csa_chandef.width) {
+                        case NL80211_CHAN_WIDTH_20_NOHT:
+                        case NL80211_CHAN_WIDTH_20:
+                        default:
+                                bw = IEEE80211_STA_RX_BW_20;
+                                break;
+                        case NL80211_CHAN_WIDTH_40:
+                                bw = IEEE80211_STA_RX_BW_40;
+                                break;
+                        case NL80211_CHAN_WIDTH_80:
+                                bw = IEEE80211_STA_RX_BW_80;
+                                break;
+                        case NL80211_CHAN_WIDTH_80P80:
+                        case NL80211_CHAN_WIDTH_160:
+                                bw = IEEE80211_STA_RX_BW_160;
+                                break;
+                        }
+
+                        mgd_sta = sta_info_get(sdata, ifmgd->bssid);
+                        sband =
+                                local->hw.wiphy->bands[sdata->csa_chandef.chan->band];
+                }
+
+                if (sdata->vif.bss_conf.chandef.width >
+                    sdata->csa_chandef.width) {
+                        mgd_sta->sta.bandwidth = bw;
+                        rate_control_rate_update(local, sband, mgd_sta,
+                                                 IEEE80211_RC_BW_CHANGED);
+                }
+
                 ret = ieee80211_vif_use_reserved_context(sdata);
                 if (ret) {
                         sdata_info(sdata,
@@ -1091,6 +1137,13 @@ static void ieee80211_chswitch_work(struct work_struct *work)
                         goto out;
                 }
 
+                if (sdata->vif.bss_conf.chandef.width <
+                    sdata->csa_chandef.width) {
+                        mgd_sta->sta.bandwidth = bw;
+                        rate_control_rate_update(local, sband, mgd_sta,
+                                                 IEEE80211_RC_BW_CHANGED);
+                }
+
                 goto out;
         }
 
@@ -1312,6 +1365,16 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
                                          cbss->beacon_interval));
         return;
  drop_connection:
+        /*
+         * This is just so that the disconnect flow will know that
+         * we were trying to switch channel and failed. In case the
+         * mode is 1 (we are not allowed to Tx), we will know not to
+         * send a deauthentication frame. Those two fields will be
+         * reset when the disconnection worker runs.
+         */
+        sdata->vif.csa_active = true;
+        sdata->csa_block_tx = csa_ie.mode;
+
         ieee80211_queue_work(&local->hw, &ifmgd->csa_connection_drop_work);
         mutex_unlock(&local->chanctx_mtx);
         mutex_unlock(&local->mtx);
@@ -2522,6 +2585,7 @@ static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
         struct ieee80211_local *local = sdata->local;
         struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
         u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
+        bool tx;
 
         sdata_lock(sdata);
         if (!ifmgd->associated) {
@@ -2529,6 +2593,8 @@ static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
                 return;
         }
 
+        tx = !sdata->csa_block_tx;
+
         /* AP is probably out of range (or not reachable for another reason) so
          * remove the bss struct for that AP.
          */
@@ -2536,7 +2602,7 @@ static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
 
         ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
                                WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
-                               true, frame_buf);
+                               tx, frame_buf);
         mutex_lock(&local->mtx);
         sdata->vif.csa_active = false;
         ifmgd->csa_waiting_bcn = false;
@@ -2547,7 +2613,7 @@ static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
         }
         mutex_unlock(&local->mtx);
 
-        ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
+        ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), tx,
                                     WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY);
 
         sdata_unlock(sdata);
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 64742f2765c4..96611d5dfadb 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1728,6 +1728,7 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
          */
         if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
             !ieee80211_has_morefrags(hdr->frame_control) &&
+            !is_multicast_ether_addr(hdr->addr1) &&
             (ieee80211_is_mgmt(hdr->frame_control) ||
              ieee80211_is_data(hdr->frame_control)) &&
             !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index cd332e3e1134..f353d9db54bc 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3078,27 +3078,18 @@ void ieee80211_clear_fast_xmit(struct sta_info *sta)
 }
 
 static bool ieee80211_amsdu_realloc_pad(struct ieee80211_local *local,
-                                        struct sk_buff *skb, int headroom,
-                                        int *subframe_len)
+                                        struct sk_buff *skb, int headroom)
 {
-        int amsdu_len = *subframe_len + sizeof(struct ethhdr);
-        int padding = (4 - amsdu_len) & 3;
-
-        if (skb_headroom(skb) < headroom || skb_tailroom(skb) < padding) {
+        if (skb_headroom(skb) < headroom) {
                 I802_DEBUG_INC(local->tx_expand_skb_head);
 
-                if (pskb_expand_head(skb, headroom, padding, GFP_ATOMIC)) {
+                if (pskb_expand_head(skb, headroom, 0, GFP_ATOMIC)) {
                         wiphy_debug(local->hw.wiphy,
                                     "failed to reallocate TX buffer\n");
                         return false;
                 }
         }
 
-        if (padding) {
-                *subframe_len += padding;
-                skb_put_zero(skb, padding);
-        }
-
         return true;
 }
 
@@ -3122,8 +3113,7 @@ static bool ieee80211_amsdu_prepare_head(struct ieee80211_sub_if_data *sdata,
         if (info->control.flags & IEEE80211_TX_CTRL_AMSDU)
                 return true;
 
-        if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr),
-                                         &subframe_len))
+        if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr)))
                 return false;
 
         data = skb_push(skb, sizeof(*amsdu_hdr));
@@ -3189,7 +3179,8 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
         void *data;
         bool ret = false;
         unsigned int orig_len;
-        int n = 1, nfrags;
+        int n = 2, nfrags, pad = 0;
+        u16 hdrlen;
 
         if (!ieee80211_hw_check(&local->hw, TX_AMSDU))
                 return false;
@@ -3222,9 +3213,6 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
         if (skb->len + head->len > max_amsdu_len)
                 goto out;
 
-        if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head))
-                goto out;
-
         nfrags = 1 + skb_shinfo(skb)->nr_frags;
         nfrags += 1 + skb_shinfo(head)->nr_frags;
         frag_tail = &skb_shinfo(head)->frag_list;
@@ -3240,10 +3228,24 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
         if (max_frags && nfrags > max_frags)
                 goto out;
 
-        if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) + 2,
-                                         &subframe_len))
+        if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head))
                 goto out;
 
+        /*
+         * Pad out the previous subframe to a multiple of 4 by adding the
+         * padding to the next one, that's being added. Note that head->len
+         * is the length of the full A-MSDU, but that works since each time
+         * we add a new subframe we pad out the previous one to a multiple
+         * of 4 and thus it no longer matters in the next round.
+         */
+        hdrlen = fast_tx->hdr_len - sizeof(rfc1042_header);
+        if ((head->len - hdrlen) & 3)
+                pad = 4 - ((head->len - hdrlen) & 3);
+
+        if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) +
+                                                     2 + pad))
+                goto out_recalc;
+
         ret = true;
         data = skb_push(skb, ETH_ALEN + 2);
         memmove(data, data + ETH_ALEN + 2, 2 * ETH_ALEN);
@@ -3253,15 +3255,19 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
         memcpy(data, &len, 2);
         memcpy(data + 2, rfc1042_header, sizeof(rfc1042_header));
 
+        memset(skb_push(skb, pad), 0, pad);
+
         head->len += skb->len;
         head->data_len += skb->len;
         *frag_tail = skb;
 
-        flow->backlog += head->len - orig_len;
-        tin->backlog_bytes += head->len - orig_len;
-
-        fq_recalc_backlog(fq, tin, flow);
+out_recalc:
+        if (head->len != orig_len) {
+                flow->backlog += head->len - orig_len;
+                tin->backlog_bytes += head->len - orig_len;
 
+                fq_recalc_backlog(fq, tin, flow);
+        }
 out:
         spin_unlock_bh(&fq->lock);
 
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 88efda7c9f8a..716cd6442d86 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1135,7 +1135,7 @@ void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data *sdata,
 {
         struct ieee80211_chanctx_conf *chanctx_conf;
         const struct ieee80211_reg_rule *rrule;
-        struct ieee80211_wmm_ac *wmm_ac;
+        const struct ieee80211_wmm_ac *wmm_ac;
         u16 center_freq = 0;
 
         if (sdata->vif.type != NL80211_IFTYPE_AP &&
@@ -1154,20 +1154,19 @@ void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data *sdata,
 
         rrule = freq_reg_info(sdata->wdev.wiphy, MHZ_TO_KHZ(center_freq));
 
-        if (IS_ERR_OR_NULL(rrule) || !rrule->wmm_rule) {
+        if (IS_ERR_OR_NULL(rrule) || !rrule->has_wmm) {
                 rcu_read_unlock();
                 return;
         }
 
         if (sdata->vif.type == NL80211_IFTYPE_AP)
-                wmm_ac = &rrule->wmm_rule->ap[ac];
+                wmm_ac = &rrule->wmm_rule.ap[ac];
         else
-                wmm_ac = &rrule->wmm_rule->client[ac];
+                wmm_ac = &rrule->wmm_rule.client[ac];
         qparam->cw_min = max_t(u16, qparam->cw_min, wmm_ac->cw_min);
         qparam->cw_max = max_t(u16, qparam->cw_max, wmm_ac->cw_max);
         qparam->aifs = max_t(u8, qparam->aifs, wmm_ac->aifsn);
-        qparam->txop = !qparam->txop ? wmm_ac->cot / 32 :
-                min_t(u16, qparam->txop, wmm_ac->cot / 32);
+        qparam->txop = min_t(u16, qparam->txop, wmm_ac->cot / 32);
         rcu_read_unlock();
 }
 
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 71709c104081..f61c306de1d0 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -771,13 +771,13 @@ config NETFILTER_XT_TARGET_CHECKSUM
         depends on NETFILTER_ADVANCED
         ---help---
           This option adds a `CHECKSUM' target, which can be used in the iptables mangle
-          table.
+          table to work around buggy DHCP clients in virtualized environments.
 
-          You can use this target to compute and fill in the checksum in
-          a packet that lacks a checksum.  This is particularly useful,
-          if you need to work around old applications such as dhcp clients,
-          that do not work well with checksum offloads, but don't want to disable
-          checksum offload in your device.
+          Some old DHCP clients drop packets because they are not aware
+          that the checksum would normally be offloaded to hardware and
+          thus should be considered valid.
+          This target can be used to fill in the checksum using iptables
+          when such packets are sent via a virtual network device.
 
           To compile it as a module, choose M here.  If unsure, say N.
 
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 9f14b0df6960..51c5d7eec0a3 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -776,9 +776,26 @@ static const struct nf_hook_ops ipv6_conntrack_ops[] = {
 };
 #endif
 
+static int nf_ct_tcp_fixup(struct nf_conn *ct, void *_nfproto)
+{
+        u8 nfproto = (unsigned long)_nfproto;
+
+        if (nf_ct_l3num(ct) != nfproto)
+                return 0;
+
+        if (nf_ct_protonum(ct) == IPPROTO_TCP &&
+            ct->proto.tcp.state == TCP_CONNTRACK_ESTABLISHED) {
+                ct->proto.tcp.seen[0].td_maxwin = 0;
+                ct->proto.tcp.seen[1].td_maxwin = 0;
+        }
+
+        return 0;
+}
+
 static int nf_ct_netns_do_get(struct net *net, u8 nfproto)
 {
         struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id);
+        bool fixup_needed = false;
         int err = 0;
 
         mutex_lock(&nf_ct_proto_mutex);
@@ -798,6 +815,8 @@ static int nf_ct_netns_do_get(struct net *net, u8 nfproto)
                                             ARRAY_SIZE(ipv4_conntrack_ops));
                 if (err)
                         cnet->users4 = 0;
+                else
+                        fixup_needed = true;
                 break;
 #if IS_ENABLED(CONFIG_IPV6)
         case NFPROTO_IPV6:
@@ -814,6 +833,8 @@ static int nf_ct_netns_do_get(struct net *net, u8 nfproto)
                                             ARRAY_SIZE(ipv6_conntrack_ops));
                 if (err)
                         cnet->users6 = 0;
+                else
+                        fixup_needed = true;
                 break;
 #endif
         default:
@@ -822,6 +843,11 @@ static int nf_ct_netns_do_get(struct net *net, u8 nfproto)
         }
  out_unlock:
         mutex_unlock(&nf_ct_proto_mutex);
+
+        if (fixup_needed)
+                nf_ct_iterate_cleanup_net(net, nf_ct_tcp_fixup,
+                                          (void *)(unsigned long)nfproto, 0, 0);
+
         return err;
 }
 
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 8c58f96b59e7..f3f91ed2c21a 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -675,7 +675,7 @@ static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
 }
 #endif
 
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -697,6 +697,8 @@ static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
                         timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
                 }
         }
+
+        timeouts[CTA_TIMEOUT_DCCP_UNSPEC] = timeouts[CTA_TIMEOUT_DCCP_REQUEST];
         return 0;
 }
 
@@ -726,7 +728,7 @@ dccp_timeout_nla_policy[CTA_TIMEOUT_DCCP_MAX+1] = {
         [CTA_TIMEOUT_DCCP_CLOSING]      = { .type = NLA_U32 },
         [CTA_TIMEOUT_DCCP_TIMEWAIT]     = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
 /* template, data assigned later */
@@ -827,6 +829,11 @@ static int dccp_init_net(struct net *net, u_int16_t proto)
                 dn->dccp_timeout[CT_DCCP_CLOSEREQ]      = 64 * HZ;
                 dn->dccp_timeout[CT_DCCP_CLOSING]       = 64 * HZ;
                 dn->dccp_timeout[CT_DCCP_TIMEWAIT]      = 2 * DCCP_MSL;
+
+                /* timeouts[0] is unused, make it same as SYN_SENT so
+                 * ->timeouts[0] contains 'new' timeout, like udp or icmp.
+                 */
+                dn->dccp_timeout[CT_DCCP_NONE] = dn->dccp_timeout[CT_DCCP_REQUEST];
         }
 
         return dccp_kmemdup_sysctl_table(net, pn, dn);
@@ -856,7 +863,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4 = {
         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
         .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout           = {
                 .nlattr_to_obj  = dccp_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = dccp_timeout_obj_to_nlattr,
@@ -864,7 +871,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4 = {
                 .obj_size       = sizeof(unsigned int) * CT_DCCP_MAX,
                 .nla_policy     = dccp_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .init_net               = dccp_init_net,
         .get_net_proto          = dccp_get_net_proto,
 };
@@ -889,7 +896,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6 = {
         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
         .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout           = {
                 .nlattr_to_obj  = dccp_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = dccp_timeout_obj_to_nlattr,
@@ -897,7 +904,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6 = {
                 .obj_size       = sizeof(unsigned int) * CT_DCCP_MAX,
                 .nla_policy     = dccp_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .init_net               = dccp_init_net,
         .get_net_proto          = dccp_get_net_proto,
 };
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index ac4a0b296dcd..1df3244ecd07 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -70,7 +70,7 @@ static bool generic_new(struct nf_conn *ct, const struct sk_buff *skb,
         return ret;
 }
 
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -113,7 +113,7 @@ static const struct nla_policy
 generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = {
         [CTA_TIMEOUT_GENERIC_TIMEOUT]   = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
 static struct ctl_table generic_sysctl_table[] = {
@@ -164,7 +164,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_generic =
         .pkt_to_tuple           = generic_pkt_to_tuple,
         .packet                 = generic_packet,
         .new                    = generic_new,
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout           = {
                 .nlattr_to_obj  = generic_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = generic_timeout_obj_to_nlattr,
@@ -172,7 +172,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_generic =
                 .obj_size       = sizeof(unsigned int),
                 .nla_policy     = generic_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .init_net               = generic_init_net,
         .get_net_proto          = generic_get_net_proto,
 };
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index d1632252bf5b..650eb4fba2c5 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -285,7 +285,7 @@ static void gre_destroy(struct nf_conn *ct)
                 nf_ct_gre_keymap_destroy(master);
 }
 
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -334,7 +334,7 @@ gre_timeout_nla_policy[CTA_TIMEOUT_GRE_MAX+1] = {
         [CTA_TIMEOUT_GRE_UNREPLIED]     = { .type = NLA_U32 },
         [CTA_TIMEOUT_GRE_REPLIED]       = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 
 static int gre_init_net(struct net *net, u_int16_t proto)
 {
@@ -367,7 +367,7 @@ static const struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 = {
         .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
         .nla_policy      = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout    = {
                 .nlattr_to_obj  = gre_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = gre_timeout_obj_to_nlattr,
@@ -375,7 +375,7 @@ static const struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 = {
                 .obj_size       = sizeof(unsigned int) * GRE_CT_MAX,
                 .nla_policy     = gre_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .net_id         = &proto_gre_net_id,
         .init_net       = gre_init_net,
 };
diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
index 036670b38282..43c7e1a217b9 100644
--- a/net/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/netfilter/nf_conntrack_proto_icmp.c
@@ -273,7 +273,7 @@ static unsigned int icmp_nlattr_tuple_size(void)
 }
 #endif
 
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -313,7 +313,7 @@ static const struct nla_policy
 icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = {
         [CTA_TIMEOUT_ICMP_TIMEOUT]      = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
 static struct ctl_table icmp_sysctl_table[] = {
@@ -374,7 +374,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
         .nlattr_to_tuple        = icmp_nlattr_to_tuple,
         .nla_policy             = icmp_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout           = {
                 .nlattr_to_obj  = icmp_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = icmp_timeout_obj_to_nlattr,
@@ -382,7 +382,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
                 .obj_size       = sizeof(unsigned int),
                 .nla_policy     = icmp_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .init_net               = icmp_init_net,
         .get_net_proto          = icmp_get_net_proto,
 };
diff --git a/net/netfilter/nf_conntrack_proto_icmpv6.c b/net/netfilter/nf_conntrack_proto_icmpv6.c
index bed07b998a10..97e40f77d678 100644
--- a/net/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/netfilter/nf_conntrack_proto_icmpv6.c
@@ -274,7 +274,7 @@ static unsigned int icmpv6_nlattr_tuple_size(void)
 }
 #endif
 
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -314,7 +314,7 @@ static const struct nla_policy
 icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = {
         [CTA_TIMEOUT_ICMPV6_TIMEOUT]    = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
 static struct ctl_table icmpv6_sysctl_table[] = {
@@ -373,7 +373,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 =
         .nlattr_to_tuple        = icmpv6_nlattr_to_tuple,
         .nla_policy             = icmpv6_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout           = {
                 .nlattr_to_obj  = icmpv6_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = icmpv6_timeout_obj_to_nlattr,
@@ -381,7 +381,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 =
                 .obj_size       = sizeof(unsigned int),
                 .nla_policy     = icmpv6_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .init_net               = icmpv6_init_net,
         .get_net_proto          = icmpv6_get_net_proto,
 };
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 8d1e085fc14a..e4d738d34cd0 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -591,7 +591,7 @@ static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
 }
 #endif
 
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -613,6 +613,8 @@ static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
                         timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
                 }
         }
+
+        timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED];
         return 0;
 }
 
@@ -644,7 +646,7 @@ sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
         [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT]       = { .type = NLA_U32 },
         [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED]      = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 
 
 #ifdef CONFIG_SYSCTL
@@ -743,6 +745,11 @@ static int sctp_init_net(struct net *net, u_int16_t proto)
 
                 for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
                         sn->timeouts[i] = sctp_timeouts[i];
+
+                /* timeouts[0] is unused, init it so ->timeouts[0] contains
+                 * 'new' timeout, like udp or icmp.
+                 */
+                sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
         }
 
         return sctp_kmemdup_sysctl_table(pn, sn);
@@ -773,7 +780,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = {
         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
         .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout           = {
                 .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
@@ -781,7 +788,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = {
                 .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
                 .nla_policy     = sctp_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .init_net               = sctp_init_net,
         .get_net_proto          = sctp_get_net_proto,
 };
@@ -806,7 +813,8 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 = {
         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
         .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
         .nla_policy             = nf_ct_port_nla_policy,
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#endif
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout           = {
                 .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
@@ -814,8 +822,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 = {
                 .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
                 .nla_policy     = sctp_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
-#endif
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .init_net               = sctp_init_net,
         .get_net_proto          = sctp_get_net_proto,
 };
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index d80d322b9d8b..b4bdf9eda7b7 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1279,7 +1279,7 @@ static unsigned int tcp_nlattr_tuple_size(void)
 }
 #endif
 
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -1301,6 +1301,7 @@ static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[],
                 timeouts[TCP_CONNTRACK_SYN_SENT] =
                         ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_SENT]))*HZ;
         }
+
         if (tb[CTA_TIMEOUT_TCP_SYN_RECV]) {
                 timeouts[TCP_CONNTRACK_SYN_RECV] =
                         ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_RECV]))*HZ;
@@ -1341,6 +1342,8 @@ static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[],
                 timeouts[TCP_CONNTRACK_UNACK] =
                         ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_UNACK]))*HZ;
         }
+
+        timeouts[CTA_TIMEOUT_TCP_UNSPEC] = timeouts[CTA_TIMEOUT_TCP_SYN_SENT];
         return 0;
 }
 
@@ -1391,7 +1394,7 @@ static const struct nla_policy tcp_timeout_nla_policy[CTA_TIMEOUT_TCP_MAX+1] = {
         [CTA_TIMEOUT_TCP_RETRANS]       = { .type = NLA_U32 },
         [CTA_TIMEOUT_TCP_UNACK]         = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
 static struct ctl_table tcp_sysctl_table[] = {
@@ -1518,6 +1521,10 @@ static int tcp_init_net(struct net *net, u_int16_t proto)
                 for (i = 0; i < TCP_CONNTRACK_TIMEOUT_MAX; i++)
                         tn->timeouts[i] = tcp_timeouts[i];
 
+                /* timeouts[0] is unused, make it same as SYN_SENT so
+                 * ->timeouts[0] contains 'new' timeout, like udp or icmp.
+                 */
+                tn->timeouts[0] = tcp_timeouts[TCP_CONNTRACK_SYN_SENT];
                 tn->tcp_loose = nf_ct_tcp_loose;
                 tn->tcp_be_liberal = nf_ct_tcp_be_liberal;
                 tn->tcp_max_retrans = nf_ct_tcp_max_retrans;
@@ -1551,7 +1558,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 =
         .nlattr_size            = TCP_NLATTR_SIZE,
         .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout           = {
                 .nlattr_to_obj  = tcp_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = tcp_timeout_obj_to_nlattr,
@@ -1560,7 +1567,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 =
                                         TCP_CONNTRACK_TIMEOUT_MAX,
                 .nla_policy     = tcp_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .init_net               = tcp_init_net,
         .get_net_proto          = tcp_get_net_proto,
 };
@@ -1586,7 +1593,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 =
         .nlattr_tuple_size      = tcp_nlattr_tuple_size,
         .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout           = {
                 .nlattr_to_obj  = tcp_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = tcp_timeout_obj_to_nlattr,
@@ -1595,7 +1602,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 =
                                         TCP_CONNTRACK_TIMEOUT_MAX,
                 .nla_policy     = tcp_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .init_net               = tcp_init_net,
         .get_net_proto          = tcp_get_net_proto,
 };
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 7a1b8988a931..3065fb8ef91b 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -171,7 +171,7 @@ static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
         return NF_ACCEPT;
 }
 
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -221,7 +221,7 @@ udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = {
        [CTA_TIMEOUT_UDP_UNREPLIED]      = { .type = NLA_U32 },
        [CTA_TIMEOUT_UDP_REPLIED]        = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 
 #ifdef CONFIG_SYSCTL
 static struct ctl_table udp_sysctl_table[] = {
@@ -292,7 +292,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 =
         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
         .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout           = {
                 .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
@@ -300,7 +300,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 =
                 .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
                 .nla_policy     = udp_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .init_net               = udp_init_net,
         .get_net_proto          = udp_get_net_proto,
 };
@@ -321,7 +321,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 =
         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
         .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout           = {
                 .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
@@ -329,7 +329,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 =
                 .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
                 .nla_policy     = udp_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .init_net               = udp_init_net,
         .get_net_proto          = udp_get_net_proto,
 };
@@ -350,7 +350,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 =
         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
         .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout           = {
                 .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
@@ -358,7 +358,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 =
                 .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
                 .nla_policy     = udp_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .init_net               = udp_init_net,
         .get_net_proto          = udp_get_net_proto,
 };
@@ -379,7 +379,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 =
         .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
         .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
         .ctnl_timeout           = {
                 .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
                 .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
@@ -387,10 +387,9 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 =
                 .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
                 .nla_policy     = udp_timeout_nla_policy,
         },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
         .init_net               = udp_init_net,
         .get_net_proto          = udp_get_net_proto,
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite6);
 #endif
-#include <net/netfilter/nf_conntrack_timeout.h>
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 1dca5683f59f..2cfb173cd0b2 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4637,6 +4637,7 @@ static int nft_flush_set(const struct nft_ctx *ctx,
         }
         set->ndeact++;
 
+        nft_set_elem_deactivate(ctx->net, set, elem);
         nft_trans_elem_set(trans) = set;
         nft_trans_elem(trans) = *elem;
         list_add_tail(&trans->list, &ctx->net->nft.commit_list);
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index d46a236cdf31..a30f8ba4b89a 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -489,8 +489,8 @@ err:
         return err;
 }
 
-static struct ctnl_timeout *
-ctnl_timeout_find_get(struct net *net, const char *name)
+static struct nf_ct_timeout *ctnl_timeout_find_get(struct net *net,
+                                                   const char *name)
 {
         struct ctnl_timeout *timeout, *matching = NULL;
 
@@ -509,7 +509,7 @@ ctnl_timeout_find_get(struct net *net, const char *name)
                 break;
         }
 err:
-        return matching;
+        return matching ? &matching->timeout : NULL;
 }
 
 static void ctnl_timeout_put(struct nf_ct_timeout *t)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index ea4ba551abb2..d33094f4ec41 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -233,6 +233,7 @@ static void nfqnl_reinject(struct nf_queue_entry *entry, unsigned int verdict)
         int err;
 
         if (verdict == NF_ACCEPT ||
+            verdict == NF_REPEAT ||
             verdict == NF_STOP) {
                 rcu_read_lock();
                 ct_hook = rcu_dereference(nf_ct_hook);
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 26a8baebd072..5dd87748afa8 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -799,7 +799,7 @@ err:
 }
 
 struct nft_ct_timeout_obj {
-        struct nf_conn          *tmpl;
+        struct nf_ct_timeout    *timeout;
         u8                      l4proto;
 };
 
@@ -809,26 +809,42 @@ static void nft_ct_timeout_obj_eval(struct nft_object *obj,
 {
         const struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
         struct nf_conn *ct = (struct nf_conn *)skb_nfct(pkt->skb);
-        struct sk_buff *skb = pkt->skb;
+        struct nf_conn_timeout *timeout;
+        const unsigned int *values;
+
+        if (priv->l4proto != pkt->tprot)
+                return;
 
-        if (ct ||
-            priv->l4proto != pkt->tprot)
+        if (!ct || nf_ct_is_template(ct) || nf_ct_is_confirmed(ct))
                 return;
 
-        nf_ct_set(skb, priv->tmpl, IP_CT_NEW);
+        timeout = nf_ct_timeout_find(ct);
+        if (!timeout) {
+                timeout = nf_ct_timeout_ext_add(ct, priv->timeout, GFP_ATOMIC);
+                if (!timeout) {
+                        regs->verdict.code = NF_DROP;
+                        return;
+                }
+        }
+
+        rcu_assign_pointer(timeout->timeout, priv->timeout);
+
+        /* adjust the timeout as per 'new' state. ct is unconfirmed,
+         * so the current timestamp must not be added.
+         */
+        values = nf_ct_timeout_data(timeout);
+        if (values)
+                nf_ct_refresh(ct, pkt->skb, values[0]);
 }
 
 static int nft_ct_timeout_obj_init(const struct nft_ctx *ctx,
                                    const struct nlattr * const tb[],
                                    struct nft_object *obj)
 {
-        const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
         struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
         const struct nf_conntrack_l4proto *l4proto;
-        struct nf_conn_timeout *timeout_ext;
         struct nf_ct_timeout *timeout;
         int l3num = ctx->family;
-        struct nf_conn *tmpl;
         __u8 l4num;
         int ret;
 
@@ -863,28 +879,14 @@ static int nft_ct_timeout_obj_init(const struct nft_ctx *ctx,
 
         timeout->l3num = l3num;
         timeout->l4proto = l4proto;
-        tmpl = nf_ct_tmpl_alloc(ctx->net, zone, GFP_ATOMIC);
-        if (!tmpl) {
-                ret = -ENOMEM;
-                goto err_free_timeout;
-        }
-
-        timeout_ext = nf_ct_timeout_ext_add(tmpl, timeout, GFP_ATOMIC);
-        if (!timeout_ext) {
-                ret = -ENOMEM;
-                goto err_free_tmpl;
-        }
 
         ret = nf_ct_netns_get(ctx->net, ctx->family);
         if (ret < 0)
-                goto err_free_tmpl;
-
-        priv->tmpl = tmpl;
+                goto err_free_timeout;
 
+        priv->timeout = timeout;
         return 0;
 
-err_free_tmpl:
-        nf_ct_tmpl_free(tmpl);
 err_free_timeout:
         kfree(timeout);
 err_proto_put:
@@ -896,22 +898,19 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
                                        struct nft_object *obj)
 {
         struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
-        struct nf_conn_timeout *t = nf_ct_timeout_find(priv->tmpl);
-        struct nf_ct_timeout *timeout;
+        struct nf_ct_timeout *timeout = priv->timeout;
 
-        timeout = rcu_dereference_raw(t->timeout);
         nf_ct_untimeout(ctx->net, timeout);
         nf_ct_l4proto_put(timeout->l4proto);
         nf_ct_netns_put(ctx->net, ctx->family);
-        nf_ct_tmpl_free(priv->tmpl);
+        kfree(priv->timeout);
 }
 
 static int nft_ct_timeout_obj_dump(struct sk_buff *skb,
                                    struct nft_object *obj, bool reset)
 {
         const struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
-        const struct nf_conn_timeout *t = nf_ct_timeout_find(priv->tmpl);
-        const struct nf_ct_timeout *timeout = rcu_dereference_raw(t->timeout);
+        const struct nf_ct_timeout *timeout = priv->timeout;
         struct nlattr *nest_params;
         int ret;
 
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
index 9f4151ec3e06..6c7aa6a0a0d2 100644
--- a/net/netfilter/xt_CHECKSUM.c
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -16,6 +16,9 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_CHECKSUM.h>
 
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
+
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
 MODULE_DESCRIPTION("Xtables: checksum modification");
@@ -25,7 +28,7 @@ MODULE_ALIAS("ip6t_CHECKSUM");
 static unsigned int
 checksum_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-        if (skb->ip_summed == CHECKSUM_PARTIAL)
+        if (skb->ip_summed == CHECKSUM_PARTIAL && !skb_is_gso(skb))
                 skb_checksum_help(skb);
 
         return XT_CONTINUE;
@@ -34,6 +37,8 @@ checksum_tg(struct sk_buff *skb, const struct xt_action_param *par)
 static int checksum_tg_check(const struct xt_tgchk_param *par)
 {
         const struct xt_CHECKSUM_info *einfo = par->targinfo;
+        const struct ip6t_ip6 *i6 = par->entryinfo;
+        const struct ipt_ip *i4 = par->entryinfo;
 
         if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
                 pr_info_ratelimited("unsupported CHECKSUM operation %x\n",
@@ -43,6 +48,21 @@ static int checksum_tg_check(const struct xt_tgchk_param *par)
         if (!einfo->operation)
                 return -EINVAL;
 
+        switch (par->family) {
+        case NFPROTO_IPV4:
+                if (i4->proto == IPPROTO_UDP &&
+                    (i4->invflags & XT_INV_PROTO) == 0)
+                        return 0;
+                break;
+        case NFPROTO_IPV6:
+                if ((i6->flags & IP6T_F_PROTO) &&
+                    i6->proto == IPPROTO_UDP &&
+                    (i6->invflags & XT_INV_PROTO) == 0)
+                        return 0;
+                break;
+        }
+
+        pr_warn_once("CHECKSUM should be avoided.  If really needed, restrict with \"-p udp\" and only use in OUTPUT\n");
         return 0;
 }
 
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index dfbdbb2fc0ed..51d0c257e7a5 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -125,6 +125,7 @@ xt_cluster_mt(const struct sk_buff *skb, struct xt_action_param *par)
 static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
 {
         struct xt_cluster_match_info *info = par->matchinfo;
+        int ret;
 
         if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
                 pr_info_ratelimited("you have exceeded the maximum number of cluster nodes (%u > %u)\n",
@@ -135,7 +136,17 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
                 pr_info_ratelimited("node mask cannot exceed total number of nodes\n");
                 return -EDOM;
         }
-        return 0;
+
+        ret = nf_ct_netns_get(par->net, par->family);
+        if (ret < 0)
+                pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
+                                    par->family);
+        return ret;
+}
+
+static void xt_cluster_mt_destroy(const struct xt_mtdtor_param *par)
+{
+        nf_ct_netns_put(par->net, par->family);
 }
 
 static struct xt_match xt_cluster_match __read_mostly = {
@@ -144,6 +155,7 @@ static struct xt_match xt_cluster_match __read_mostly = {
         .match          = xt_cluster_mt,
         .checkentry     = xt_cluster_mt_checkentry,
         .matchsize      = sizeof(struct xt_cluster_match_info),
+        .destroy        = xt_cluster_mt_destroy,
         .me             = THIS_MODULE,
 };
 
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 9b16402f29af..3e7d259e5d8d 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -1057,7 +1057,7 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {
 static void *dl_seq_start(struct seq_file *s, loff_t *pos)
         __acquires(htable->lock)
 {
-        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
         unsigned int *bucket;
 
         spin_lock_bh(&htable->lock);
@@ -1074,7 +1074,7 @@ static void *dl_seq_start(struct seq_file *s, loff_t *pos)
 
 static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos)
 {
-        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
         unsigned int *bucket = v;
 
         *pos = ++(*bucket);
@@ -1088,7 +1088,7 @@ static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos)
 static void dl_seq_stop(struct seq_file *s, void *v)
         __releases(htable->lock)
 {
-        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
         unsigned int *bucket = v;
 
         if (!IS_ERR(bucket))
@@ -1130,7 +1130,7 @@ static void dl_seq_print(struct dsthash_ent *ent, u_int8_t family,
 static int dl_seq_real_show_v2(struct dsthash_ent *ent, u_int8_t family,
                                struct seq_file *s)
 {
-        struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
 
         spin_lock(&ent->lock);
         /* recalculate to show accurate numbers */
@@ -1145,7 +1145,7 @@ static int dl_seq_real_show_v2(struct dsthash_ent *ent, u_int8_t family,
 static int dl_seq_real_show_v1(struct dsthash_ent *ent, u_int8_t family,
                                struct seq_file *s)
 {
-        struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
 
         spin_lock(&ent->lock);
         /* recalculate to show accurate numbers */
@@ -1160,7 +1160,7 @@ static int dl_seq_real_show_v1(struct dsthash_ent *ent, u_int8_t family,
 static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
                             struct seq_file *s)
 {
-        struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
 
         spin_lock(&ent->lock);
         /* recalculate to show accurate numbers */
@@ -1174,7 +1174,7 @@ static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
 
 static int dl_seq_show_v2(struct seq_file *s, void *v)
 {
-        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
         unsigned int *bucket = (unsigned int *)v;
         struct dsthash_ent *ent;
 
@@ -1188,7 +1188,7 @@ static int dl_seq_show_v2(struct seq_file *s, void *v)
 
 static int dl_seq_show_v1(struct seq_file *s, void *v)
 {
-        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
         unsigned int *bucket = v;
         struct dsthash_ent *ent;
 
@@ -1202,7 +1202,7 @@ static int dl_seq_show_v1(struct seq_file *s, void *v)
 
 static int dl_seq_show(struct seq_file *s, void *v)
 {
-        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
         unsigned int *bucket = v;
         struct dsthash_ent *ent;
 
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 5610061e7f2e..75c92a87e7b2 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4137,36 +4137,52 @@ static const struct vm_operations_struct packet_mmap_ops = {
         .close  =       packet_mm_close,
 };
 
-static void free_pg_vec(struct pgv *pg_vec, unsigned int len)
+static void free_pg_vec(struct pgv *pg_vec, unsigned int order,
+                        unsigned int len)
 {
         int i;
 
         for (i = 0; i < len; i++) {
                 if (likely(pg_vec[i].buffer)) {
-                        kvfree(pg_vec[i].buffer);
+                        if (is_vmalloc_addr(pg_vec[i].buffer))
+                                vfree(pg_vec[i].buffer);
+                        else
+                                free_pages((unsigned long)pg_vec[i].buffer,
+                                           order);
                         pg_vec[i].buffer = NULL;
                 }
         }
         kfree(pg_vec);
 }
 
-static char *alloc_one_pg_vec_page(unsigned long size)
+static char *alloc_one_pg_vec_page(unsigned long order)
 {
         char *buffer;
+        gfp_t gfp_flags = GFP_KERNEL | __GFP_COMP |
+                          __GFP_ZERO | __GFP_NOWARN | __GFP_NORETRY;
 
-        buffer = kvzalloc(size, GFP_KERNEL);
+        buffer = (char *) __get_free_pages(gfp_flags, order);
         if (buffer)
                 return buffer;
 
-        buffer = kvzalloc(size, GFP_KERNEL | __GFP_RETRY_MAYFAIL);
+        /* __get_free_pages failed, fall back to vmalloc */
+        buffer = vzalloc(array_size((1 << order), PAGE_SIZE));
+        if (buffer)
+                return buffer;
 
-        return buffer;
+        /* vmalloc failed, lets dig into swap here */
+        gfp_flags &= ~__GFP_NORETRY;
+        buffer = (char *) __get_free_pages(gfp_flags, order);
+        if (buffer)
+                return buffer;
+
+        /* complete and utter failure */
+        return NULL;
 }
 
-static struct pgv *alloc_pg_vec(struct tpacket_req *req)
+static struct pgv *alloc_pg_vec(struct tpacket_req *req, int order)
 {
         unsigned int block_nr = req->tp_block_nr;
-        unsigned long size = req->tp_block_size;
         struct pgv *pg_vec;
         int i;
 
@@ -4175,7 +4191,7 @@ static struct pgv *alloc_pg_vec(struct tpacket_req *req)
                 goto out;
 
         for (i = 0; i < block_nr; i++) {
-                pg_vec[i].buffer = alloc_one_pg_vec_page(size);
+                pg_vec[i].buffer = alloc_one_pg_vec_page(order);
                 if (unlikely(!pg_vec[i].buffer))
                         goto out_free_pgvec;
         }
@@ -4184,7 +4200,7 @@ out:
         return pg_vec;
 
 out_free_pgvec:
-        free_pg_vec(pg_vec, block_nr);
+        free_pg_vec(pg_vec, order, block_nr);
         pg_vec = NULL;
         goto out;
 }
@@ -4194,9 +4210,9 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 {
         struct pgv *pg_vec = NULL;
         struct packet_sock *po = pkt_sk(sk);
+        int was_running, order = 0;
         struct packet_ring_buffer *rb;
         struct sk_buff_head *rb_queue;
-        int was_running;
         __be16 num;
         int err = -EINVAL;
         /* Added to avoid minimal code churn */
@@ -4258,7 +4274,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
                         goto out;
 
                 err = -ENOMEM;
-                pg_vec = alloc_pg_vec(req);
+                order = get_order(req->tp_block_size);
+                pg_vec = alloc_pg_vec(req, order);
                 if (unlikely(!pg_vec))
                         goto out;
                 switch (po->tp_version) {
@@ -4312,6 +4329,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
                 rb->frame_size = req->tp_frame_size;
                 spin_unlock_bh(&rb_queue->lock);
 
+                swap(rb->pg_vec_order, order);
                 swap(rb->pg_vec_len, req->tp_block_nr);
 
                 rb->pg_vec_pages = req->tp_block_size/PAGE_SIZE;
@@ -4337,7 +4355,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
         }
 
         if (pg_vec)
-                free_pg_vec(pg_vec, req->tp_block_nr);
+                free_pg_vec(pg_vec, order, req->tp_block_nr);
 out:
         return err;
 }
diff --git a/net/packet/internal.h b/net/packet/internal.h
index 8f50036f62f0..3bb7c5fb3bff 100644
--- a/net/packet/internal.h
+++ b/net/packet/internal.h
@@ -64,6 +64,7 @@ struct packet_ring_buffer {
         unsigned int            frame_size;
         unsigned int            frame_max;
 
+        unsigned int            pg_vec_order;
         unsigned int            pg_vec_pages;
         unsigned int            pg_vec_len;
 
diff --git a/net/rds/Kconfig b/net/rds/Kconfig
index 01b3bd6a3708..b9092111bc45 100644
--- a/net/rds/Kconfig
+++ b/net/rds/Kconfig
@@ -1,6 +1,6 @@
 
 config RDS
-        tristate "The RDS Protocol"
+        tristate "The Reliable Datagram Sockets Protocol"
         depends on INET
         ---help---
           The RDS (Reliable Datagram Sockets) protocol provides reliable,
diff --git a/net/rds/bind.c b/net/rds/bind.c
index 3ab55784b637..762d2c6788a3 100644
--- a/net/rds/bind.c
+++ b/net/rds/bind.c
@@ -76,11 +76,13 @@ struct rds_sock *rds_find_bound(const struct in6_addr *addr, __be16 port,
         struct rds_sock *rs;
 
         __rds_create_bind_key(key, addr, port, scope_id);
-        rs = rhashtable_lookup_fast(&bind_hash_table, key, ht_parms);
+        rcu_read_lock();
+        rs = rhashtable_lookup(&bind_hash_table, key, ht_parms);
         if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))
                 rds_sock_addref(rs);
         else
                 rs = NULL;
+        rcu_read_unlock();
 
         rdsdebug("returning rs %p for %pI6c:%u\n", rs, addr,
                  ntohs(port));
@@ -235,6 +237,7 @@ int rds_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                 goto out;
         }
 
+        sock_set_flag(sk, SOCK_RCU_FREE);
         ret = rds_add_bound(rs, binding_addr, &port, scope_id);
         if (ret)
                 goto out;
diff --git a/net/rds/ib.c b/net/rds/ib.c
index c1d97640c0be..eba75c1ba359 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -341,15 +341,10 @@ static int rds6_ib_conn_info_visitor(struct rds_connection *conn,
 
         if (rds_conn_state(conn) == RDS_CONN_UP) {
                 struct rds_ib_device *rds_ibdev;
-                struct rdma_dev_addr *dev_addr;
 
                 ic = conn->c_transport_data;
-                dev_addr = &ic->i_cm_id->route.addr.dev_addr;
-                rdma_addr_get_sgid(dev_addr,
-                                   (union ib_gid *)&iinfo6->src_gid);
-                rdma_addr_get_dgid(dev_addr,
-                                   (union ib_gid *)&iinfo6->dst_gid);
-
+                rdma_read_gids(ic->i_cm_id, (union ib_gid *)&iinfo6->src_gid,
+                               (union ib_gid *)&iinfo6->dst_gid);
                 rds_ibdev = ic->rds_ibdev;
                 iinfo6->max_send_wr = ic->i_send_ring.w_nr;
                 iinfo6->max_recv_wr = ic->i_recv_ring.w_nr;
diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c
index 00192a996be0..0f8465852254 100644
--- a/net/rfkill/rfkill-gpio.c
+++ b/net/rfkill/rfkill-gpio.c
@@ -20,6 +20,7 @@
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
+#include <linux/mod_devicetable.h>
 #include <linux/rfkill.h>
 #include <linux/platform_device.h>
 #include <linux/clk.h>
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index db83dac1e7f4..e12f8ef7baa4 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -662,6 +662,13 @@ int tcf_action_destroy(struct tc_action *actions[], int bind)
         return ret;
 }
 
+static int tcf_action_destroy_1(struct tc_action *a, int bind)
+{
+        struct tc_action *actions[] = { a, NULL };
+
+        return tcf_action_destroy(actions, bind);
+}
+
 static int tcf_action_put(struct tc_action *p)
 {
         return __tcf_action_put(p, false);
@@ -881,17 +888,16 @@ struct tc_action *tcf_action_init_1(struct net *net, struct tcf_proto *tp,
         if (TC_ACT_EXT_CMP(a->tcfa_action, TC_ACT_GOTO_CHAIN)) {
                 err = tcf_action_goto_chain_init(a, tp);
                 if (err) {
-                        struct tc_action *actions[] = { a, NULL };
-
-                        tcf_action_destroy(actions, bind);
+                        tcf_action_destroy_1(a, bind);
                         NL_SET_ERR_MSG(extack, "Failed to init TC action chain");
                         return ERR_PTR(err);
                 }
         }
 
         if (!tcf_action_valid(a->tcfa_action)) {
-                NL_SET_ERR_MSG(extack, "invalid action value, using TC_ACT_UNSPEC instead");
-                a->tcfa_action = TC_ACT_UNSPEC;
+                tcf_action_destroy_1(a, bind);
+                NL_SET_ERR_MSG(extack, "Invalid control action value");
+                return ERR_PTR(-EINVAL);
         }
 
         return a;
@@ -1173,6 +1179,7 @@ static int tcf_action_delete(struct net *net, struct tc_action *actions[])
                 struct tcf_idrinfo *idrinfo = a->idrinfo;
                 u32 act_index = a->tcfa_index;
 
+                actions[i] = NULL;
                 if (tcf_action_put(a)) {
                         /* last reference, action was deleted concurrently */
                         module_put(ops->owner);
@@ -1184,7 +1191,6 @@ static int tcf_action_delete(struct net *net, struct tc_action *actions[])
                         if (ret < 0)
                                 return ret;
                 }
-                actions[i] = NULL;
         }
         return 0;
 }
diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
index 196430aefe87..06a3d4801878 100644
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -326,6 +326,20 @@ static int __add_metainfo(const struct tcf_meta_ops *ops,
         return ret;
 }
 
+static int add_metainfo_and_get_ops(const struct tcf_meta_ops *ops,
+                                    struct tcf_ife_info *ife, u32 metaid,
+                                    bool exists)
+{
+        int ret;
+
+        if (!try_module_get(ops->owner))
+                return -ENOENT;
+        ret = __add_metainfo(ops, ife, metaid, NULL, 0, true, exists);
+        if (ret)
+                module_put(ops->owner);
+        return ret;
+}
+
 static int add_metainfo(struct tcf_ife_info *ife, u32 metaid, void *metaval,
                         int len, bool exists)
 {
@@ -349,7 +363,7 @@ static int use_all_metadata(struct tcf_ife_info *ife, bool exists)
 
         read_lock(&ife_mod_lock);
         list_for_each_entry(o, &ifeoplist, list) {
-                rc = __add_metainfo(o, ife, o->metaid, NULL, 0, true, exists);
+                rc = add_metainfo_and_get_ops(o, ife, o->metaid, exists);
                 if (rc == 0)
                         installed += 1;
         }
@@ -400,7 +414,6 @@ static void _tcf_ife_cleanup(struct tc_action *a)
         struct tcf_meta_info *e, *n;
 
         list_for_each_entry_safe(e, n, &ife->metalist, metalist) {
-                module_put(e->ops->owner);
                 list_del(&e->metalist);
                 if (e->metaval) {
                         if (e->ops->release)
@@ -408,6 +421,7 @@ static void _tcf_ife_cleanup(struct tc_action *a)
                         else
                                 kfree(e->metaval);
                 }
+                module_put(e->ops->owner);
                 kfree(e);
         }
 }
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 107034070019..ad99a99f11f6 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -109,16 +109,18 @@ static int tcf_pedit_key_ex_dump(struct sk_buff *skb,
 {
         struct nlattr *keys_start = nla_nest_start(skb, TCA_PEDIT_KEYS_EX);
 
+        if (!keys_start)
+                goto nla_failure;
         for (; n > 0; n--) {
                 struct nlattr *key_start;
 
                 key_start = nla_nest_start(skb, TCA_PEDIT_KEY_EX);
+                if (!key_start)
+                        goto nla_failure;
 
                 if (nla_put_u16(skb, TCA_PEDIT_KEY_EX_HTYPE, keys_ex->htype) ||
-                    nla_put_u16(skb, TCA_PEDIT_KEY_EX_CMD, keys_ex->cmd)) {
-                        nlmsg_trim(skb, keys_start);
-                        return -EINVAL;
-                }
+                    nla_put_u16(skb, TCA_PEDIT_KEY_EX_CMD, keys_ex->cmd))
+                        goto nla_failure;
 
                 nla_nest_end(skb, key_start);
 
@@ -128,6 +130,9 @@ static int tcf_pedit_key_ex_dump(struct sk_buff *skb,
         nla_nest_end(skb, keys_start);
 
         return 0;
+nla_failure:
+        nla_nest_cancel(skb, keys_start);
+        return -EINVAL;
 }
 
 static int tcf_pedit_init(struct net *net, struct nlattr *nla,
@@ -418,7 +423,10 @@ static int tcf_pedit_dump(struct sk_buff *skb, struct tc_action *a,
         opt->bindcnt = atomic_read(&p->tcf_bindcnt) - bind;
 
         if (p->tcfp_keys_ex) {
-                tcf_pedit_key_ex_dump(skb, p->tcfp_keys_ex, p->tcfp_nkeys);
+                if (tcf_pedit_key_ex_dump(skb,
+                                          p->tcfp_keys_ex,
+                                          p->tcfp_nkeys))
+                        goto nla_put_failure;
 
                 if (nla_put(skb, TCA_PEDIT_PARMS_EX, s, opt))
                         goto nla_put_failure;
diff --git a/net/sched/act_sample.c b/net/sched/act_sample.c
index 44e9c00657bc..6b67aa13d2dd 100644
--- a/net/sched/act_sample.c
+++ b/net/sched/act_sample.c
@@ -69,7 +69,7 @@ static int tcf_sample_init(struct net *net, struct nlattr *nla,
 
         if (!exists) {
                 ret = tcf_idr_create(tn, parm->index, est, a,
-                                     &act_sample_ops, bind, false);
+                                     &act_sample_ops, bind, true);
                 if (ret) {
                         tcf_idr_cleanup(tn, parm->index);
                         return ret;
diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c
index 420759153d5f..681f6f04e7da 100644
--- a/net/sched/act_tunnel_key.c
+++ b/net/sched/act_tunnel_key.c
@@ -317,7 +317,7 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
                                                   &metadata->u.tun_info,
                                                   opts_len, extack);
                         if (ret < 0)
-                                goto err_out;
+                                goto release_tun_meta;
                 }
 
                 metadata->u.tun_info.mode |= IP_TUNNEL_INFO_TX;
@@ -333,23 +333,24 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
                                      &act_tunnel_key_ops, bind, true);
                 if (ret) {
                         NL_SET_ERR_MSG(extack, "Cannot create TC IDR");
-                        goto err_out;
+                        goto release_tun_meta;
                 }
 
                 ret = ACT_P_CREATED;
         } else if (!ovr) {
-                tcf_idr_release(*a, bind);
                 NL_SET_ERR_MSG(extack, "TC IDR already exists");
-                return -EEXIST;
+                ret = -EEXIST;
+                goto release_tun_meta;
         }
 
         t = to_tunnel_key(*a);
 
         params_new = kzalloc(sizeof(*params_new), GFP_KERNEL);
         if (unlikely(!params_new)) {
-                tcf_idr_release(*a, bind);
                 NL_SET_ERR_MSG(extack, "Cannot allocate tunnel key parameters");
-                return -ENOMEM;
+                ret = -ENOMEM;
+                exists = true;
+                goto release_tun_meta;
         }
         params_new->tcft_action = parm->t_action;
         params_new->tcft_enc_metadata = metadata;
@@ -367,6 +368,9 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
 
         return ret;
 
+release_tun_meta:
+        dst_release(&metadata->dst);
+
 err_out:
         if (exists)
                 tcf_idr_release(*a, bind);
@@ -408,8 +412,10 @@ static int tunnel_key_geneve_opts_dump(struct sk_buff *skb,
                     nla_put_u8(skb, TCA_TUNNEL_KEY_ENC_OPT_GENEVE_TYPE,
                                opt->type) ||
                     nla_put(skb, TCA_TUNNEL_KEY_ENC_OPT_GENEVE_DATA,
-                            opt->length * 4, opt + 1))
+                            opt->length * 4, opt + 1)) {
+                        nla_nest_cancel(skb, start);
                         return -EMSGSIZE;
+                }
 
                 len -= sizeof(struct geneve_opt) + opt->length * 4;
                 src += sizeof(struct geneve_opt) + opt->length * 4;
@@ -423,7 +429,7 @@ static int tunnel_key_opts_dump(struct sk_buff *skb,
                                 const struct ip_tunnel_info *info)
 {
         struct nlattr *start;
-        int err;
+        int err = -EINVAL;
 
         if (!info->options_len)
                 return 0;
@@ -435,9 +441,11 @@ static int tunnel_key_opts_dump(struct sk_buff *skb,
         if (info->key.tun_flags & TUNNEL_GENEVE_OPT) {
                 err = tunnel_key_geneve_opts_dump(skb, info);
                 if (err)
-                        return err;
+                        goto err_out;
         } else {
-                return -EINVAL;
+err_out:
+                nla_nest_cancel(skb, start);
+                return err;
         }
 
         nla_nest_end(skb, start);
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 31bd1439cf60..0a75cb2e5e7b 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -1252,7 +1252,7 @@ replay:
         }
         chain = tcf_chain_get(block, chain_index, true);
         if (!chain) {
-                NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
+                NL_SET_ERR_MSG(extack, "Cannot create specified filter chain");
                 err = -ENOMEM;
                 goto errout;
         }
@@ -1399,7 +1399,7 @@ static int tc_del_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
                         goto errout;
                 }
                 NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
-                err = -EINVAL;
+                err = -ENOENT;
                 goto errout;
         }
 
@@ -1902,6 +1902,8 @@ replay:
                                 RTM_NEWCHAIN, false);
                 break;
         case RTM_DELCHAIN:
+                tfilter_notify_chain(net, skb, block, q, parent, n,
+                                     chain, RTM_DELTFILTER);
                 /* Flush the chain first as the user requested chain removal. */
                 tcf_chain_flush(chain);
                 /* In case the chain was successfully deleted, put a reference
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index ef5c9a82d4e8..a644292f9faf 100644
--- a/net/sctp/proc.c
+++ b/net/sctp/proc.c
@@ -215,7 +215,6 @@ static const struct seq_operations sctp_eps_ops = {
 struct sctp_ht_iter {
         struct seq_net_private p;
         struct rhashtable_iter hti;
-        int start_fail;
 };
 
 static void *sctp_transport_seq_start(struct seq_file *seq, loff_t *pos)
@@ -224,7 +223,6 @@ static void *sctp_transport_seq_start(struct seq_file *seq, loff_t *pos)
 
         sctp_transport_walk_start(&iter->hti);
 
-        iter->start_fail = 0;
         return sctp_transport_get_idx(seq_file_net(seq), &iter->hti, *pos);
 }
 
@@ -232,8 +230,6 @@ static void sctp_transport_seq_stop(struct seq_file *seq, void *v)
 {
         struct sctp_ht_iter *iter = seq->private;
 
-        if (iter->start_fail)
-                return;
         sctp_transport_walk_stop(&iter->hti);
 }
 
@@ -264,8 +260,6 @@ static int sctp_assocs_seq_show(struct seq_file *seq, void *v)
         }
 
         transport = (struct sctp_transport *)v;
-        if (!sctp_transport_hold(transport))
-                return 0;
         assoc = transport->asoc;
         epb = &assoc->base;
         sk = epb->sk;
@@ -322,8 +316,6 @@ static int sctp_remaddr_seq_show(struct seq_file *seq, void *v)
         }
 
         transport = (struct sctp_transport *)v;
-        if (!sctp_transport_hold(transport))
-                return 0;
         assoc = transport->asoc;
 
         list_for_each_entry_rcu(tsp, &assoc->peer.transport_addr_list,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index e96b15a66aba..f73e9d38d5ba 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2658,20 +2658,23 @@ static int sctp_apply_peer_addr_params(struct sctp_paddrparams *params,
         }
 
         if (params->spp_flags & SPP_IPV6_FLOWLABEL) {
-                if (trans && trans->ipaddr.sa.sa_family == AF_INET6) {
-                        trans->flowlabel = params->spp_ipv6_flowlabel &
-                                           SCTP_FLOWLABEL_VAL_MASK;
-                        trans->flowlabel |= SCTP_FLOWLABEL_SET_MASK;
-                } else if (asoc) {
-                        list_for_each_entry(trans,
-                                            &asoc->peer.transport_addr_list,
-                                            transports) {
-                                if (trans->ipaddr.sa.sa_family != AF_INET6)
-                                        continue;
+                if (trans) {
+                        if (trans->ipaddr.sa.sa_family == AF_INET6) {
                                 trans->flowlabel = params->spp_ipv6_flowlabel &
                                                    SCTP_FLOWLABEL_VAL_MASK;
                                 trans->flowlabel |= SCTP_FLOWLABEL_SET_MASK;
                         }
+                } else if (asoc) {
+                        struct sctp_transport *t;
+
+                        list_for_each_entry(t, &asoc->peer.transport_addr_list,
+                                            transports) {
+                                if (t->ipaddr.sa.sa_family != AF_INET6)
+                                        continue;
+                                t->flowlabel = params->spp_ipv6_flowlabel &
+                                               SCTP_FLOWLABEL_VAL_MASK;
+                                t->flowlabel |= SCTP_FLOWLABEL_SET_MASK;
+                        }
                         asoc->flowlabel = params->spp_ipv6_flowlabel &
                                           SCTP_FLOWLABEL_VAL_MASK;
                         asoc->flowlabel |= SCTP_FLOWLABEL_SET_MASK;
@@ -2687,12 +2690,13 @@ static int sctp_apply_peer_addr_params(struct sctp_paddrparams *params,
                         trans->dscp = params->spp_dscp & SCTP_DSCP_VAL_MASK;
                         trans->dscp |= SCTP_DSCP_SET_MASK;
                 } else if (asoc) {
-                        list_for_each_entry(trans,
-                                            &asoc->peer.transport_addr_list,
+                        struct sctp_transport *t;
+
+                        list_for_each_entry(t, &asoc->peer.transport_addr_list,
                                             transports) {
-                                trans->dscp = params->spp_dscp &
-                                              SCTP_DSCP_VAL_MASK;
-                                trans->dscp |= SCTP_DSCP_SET_MASK;
+                                t->dscp = params->spp_dscp &
+                                          SCTP_DSCP_VAL_MASK;
+                                t->dscp |= SCTP_DSCP_SET_MASK;
                         }
                         asoc->dscp = params->spp_dscp & SCTP_DSCP_VAL_MASK;
                         asoc->dscp |= SCTP_DSCP_SET_MASK;
@@ -5005,9 +5009,14 @@ struct sctp_transport *sctp_transport_get_next(struct net *net,
                         break;
                 }
 
+                if (!sctp_transport_hold(t))
+                        continue;
+
                 if (net_eq(sock_net(t->asoc->base.sk), net) &&
                     t->asoc->peer.primary_path == t)
                         break;
+
+                sctp_transport_put(t);
         }
 
         return t;
@@ -5017,13 +5026,18 @@ struct sctp_transport *sctp_transport_get_idx(struct net *net,
                                               struct rhashtable_iter *iter,
                                               int pos)
 {
-        void *obj = SEQ_START_TOKEN;
+        struct sctp_transport *t;
 
-        while (pos && (obj = sctp_transport_get_next(net, iter)) &&
-               !IS_ERR(obj))
-                pos--;
+        if (!pos)
+                return SEQ_START_TOKEN;
 
-        return obj;
+        while ((t = sctp_transport_get_next(net, iter)) && !IS_ERR(t)) {
+                if (!--pos)
+                        break;
+                sctp_transport_put(t);
+        }
+
+        return t;
 }
 
 int sctp_for_each_endpoint(int (*cb)(struct sctp_endpoint *, void *),
@@ -5082,8 +5096,6 @@ again:
 
         tsp = sctp_transport_get_idx(net, &hti, *pos + 1);
         for (; !IS_ERR_OR_NULL(tsp); tsp = sctp_transport_get_next(net, &hti)) {
-                if (!sctp_transport_hold(tsp))
-                        continue;
                 ret = cb(tsp, p);
                 if (ret)
                         break;
diff --git a/net/socket.c b/net/socket.c
index e6945e318f02..01f3f8f32d6f 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -941,7 +941,8 @@ void dlci_ioctl_set(int (*hook) (unsigned int, void __user *))
 EXPORT_SYMBOL(dlci_ioctl_set);
 
 static long sock_do_ioctl(struct net *net, struct socket *sock,
-                                 unsigned int cmd, unsigned long arg)
+                          unsigned int cmd, unsigned long arg,
+                          unsigned int ifreq_size)
 {
         int err;
         void __user *argp = (void __user *)arg;
@@ -967,11 +968,11 @@ static long sock_do_ioctl(struct net *net, struct socket *sock,
         } else {
                 struct ifreq ifr;
                 bool need_copyout;
-                if (copy_from_user(&ifr, argp, sizeof(struct ifreq)))
+                if (copy_from_user(&ifr, argp, ifreq_size))
                         return -EFAULT;
                 err = dev_ioctl(net, cmd, &ifr, &need_copyout);
                 if (!err && need_copyout)
-                        if (copy_to_user(argp, &ifr, sizeof(struct ifreq)))
+                        if (copy_to_user(argp, &ifr, ifreq_size))
                                 return -EFAULT;
         }
         return err;
@@ -1070,7 +1071,8 @@ static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg)
                         err = open_related_ns(&net->ns, get_net_ns);
                         break;
                 default:
-                        err = sock_do_ioctl(net, sock, cmd, arg);
+                        err = sock_do_ioctl(net, sock, cmd, arg,
+                                            sizeof(struct ifreq));
                         break;
                 }
         return err;
@@ -2750,7 +2752,8 @@ static int do_siocgstamp(struct net *net, struct socket *sock,
         int err;
 
         set_fs(KERNEL_DS);
-        err = sock_do_ioctl(net, sock, cmd, (unsigned long)&ktv);
+        err = sock_do_ioctl(net, sock, cmd, (unsigned long)&ktv,
+                            sizeof(struct compat_ifreq));
         set_fs(old_fs);
         if (!err)
                 err = compat_put_timeval(&ktv, up);
@@ -2766,7 +2769,8 @@ static int do_siocgstampns(struct net *net, struct socket *sock,
         int err;
 
         set_fs(KERNEL_DS);
-        err = sock_do_ioctl(net, sock, cmd, (unsigned long)&kts);
+        err = sock_do_ioctl(net, sock, cmd, (unsigned long)&kts,
+                            sizeof(struct compat_ifreq));
         set_fs(old_fs);
         if (!err)
                 err = compat_put_timespec(&kts, up);
@@ -3072,7 +3076,8 @@ static int routing_ioctl(struct net *net, struct socket *sock,
         }
 
         set_fs(KERNEL_DS);
-        ret = sock_do_ioctl(net, sock, cmd, (unsigned long) r);
+        ret = sock_do_ioctl(net, sock, cmd, (unsigned long) r,
+                            sizeof(struct compat_ifreq));
         set_fs(old_fs);
 
 out:
@@ -3185,7 +3190,8 @@ static int compat_sock_ioctl_trans(struct file *file, struct socket *sock,
         case SIOCBONDSETHWADDR:
         case SIOCBONDCHANGEACTIVE:
         case SIOCGIFNAME:
-                return sock_do_ioctl(net, sock, cmd, arg);
+                return sock_do_ioctl(net, sock, cmd, arg,
+                                     sizeof(struct compat_ifreq));
         }
 
         return -ENOIOCTLCMD;
diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
index 9ee6cfea56dd..d8026543bf4c 100644
--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -51,12 +51,12 @@ const char tipc_bclink_name[] = "broadcast-link";
  * struct tipc_bc_base - base structure for keeping broadcast send state
  * @link: broadcast send link structure
  * @inputq: data input queue; will only carry SOCK_WAKEUP messages
- * @dest: array keeping number of reachable destinations per bearer
+ * @dests: array keeping number of reachable destinations per bearer
  * @primary_bearer: a bearer having links to all broadcast destinations, if any
  * @bcast_support: indicates if primary bearer, if any, supports broadcast
  * @rcast_support: indicates if all peer nodes support replicast
  * @rc_ratio: dest count as percentage of cluster size where send method changes
- * @bc_threshold: calculated drom rc_ratio; if dests > threshold use broadcast
+ * @bc_threshold: calculated from rc_ratio; if dests > threshold use broadcast
  */
 struct tipc_bc_base {
         struct tipc_link *link;
diff --git a/net/tipc/diag.c b/net/tipc/diag.c
index aaabb0b776dd..73137f4aeb68 100644
--- a/net/tipc/diag.c
+++ b/net/tipc/diag.c
@@ -84,7 +84,9 @@ static int tipc_sock_diag_handler_dump(struct sk_buff *skb,
 
         if (h->nlmsg_flags & NLM_F_DUMP) {
                 struct netlink_dump_control c = {
+                        .start = tipc_dump_start,
                         .dump = tipc_diag_dump,
+                        .done = tipc_dump_done,
                 };
                 netlink_dump_start(net->diag_nlsk, skb, h, &c);
                 return 0;
diff --git a/net/tipc/name_table.c b/net/tipc/name_table.c
index 88f027b502f6..66d5b2c5987a 100644
--- a/net/tipc/name_table.c
+++ b/net/tipc/name_table.c
@@ -980,20 +980,17 @@ int tipc_nl_name_table_dump(struct sk_buff *skb, struct netlink_callback *cb)
 
 struct tipc_dest *tipc_dest_find(struct list_head *l, u32 node, u32 port)
 {
-        u64 value = (u64)node << 32 | port;
         struct tipc_dest *dst;
 
         list_for_each_entry(dst, l, list) {
-                if (dst->value != value)
-                        continue;
-                return dst;
+                if (dst->node == node && dst->port == port)
+                        return dst;
         }
         return NULL;
 }
 
 bool tipc_dest_push(struct list_head *l, u32 node, u32 port)
 {
-        u64 value = (u64)node << 32 | port;
         struct tipc_dest *dst;
 
         if (tipc_dest_find(l, node, port))
@@ -1002,7 +999,8 @@ bool tipc_dest_push(struct list_head *l, u32 node, u32 port)
         dst = kmalloc(sizeof(*dst), GFP_ATOMIC);
         if (unlikely(!dst))
                 return false;
-        dst->value = value;
+        dst->node = node;
+        dst->port = port;
         list_add(&dst->list, l);
         return true;
 }
diff --git a/net/tipc/name_table.h b/net/tipc/name_table.h
index 0febba41da86..892bd750b85f 100644
--- a/net/tipc/name_table.h
+++ b/net/tipc/name_table.h
@@ -133,13 +133,8 @@ void tipc_nametbl_stop(struct net *net);
 
 struct tipc_dest {
         struct list_head list;
-        union {
-                struct {
-                        u32 port;
-                        u32 node;
-                };
-                u64 value;
-        };
+        u32 port;
+        u32 node;
 };
 
 struct tipc_dest *tipc_dest_find(struct list_head *l, u32 node, u32 port);
diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
index 6ff2254088f6..99ee419210ba 100644
--- a/net/tipc/netlink.c
+++ b/net/tipc/netlink.c
@@ -167,7 +167,9 @@ static const struct genl_ops tipc_genl_v2_ops[] = {
         },
         {
                 .cmd    = TIPC_NL_SOCK_GET,
+                .start = tipc_dump_start,
                 .dumpit = tipc_nl_sk_dump,
+                .done   = tipc_dump_done,
                 .policy = tipc_nl_policy,
         },
         {
diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index a2f76743c73a..6376467e78f8 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -185,6 +185,10 @@ static int __tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
                 return -ENOMEM;
 
         buf->sk = msg->dst_sk;
+        if (__tipc_dump_start(&cb, msg->net)) {
+                kfree_skb(buf);
+                return -ENOMEM;
+        }
 
         do {
                 int rem;
@@ -216,6 +220,7 @@ static int __tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
         err = 0;
 
 err_out:
+        tipc_dump_done(&cb);
         kfree_skb(buf);
 
         if (err == -EMSGSIZE) {
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index c1e93c9515bc..3f03ddd0e35b 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -576,6 +576,7 @@ static int tipc_release(struct socket *sock)
         sk_stop_timer(sk, &sk->sk_timer);
         tipc_sk_remove(tsk);
 
+        sock_orphan(sk);
         /* Reject any messages that accumulated in backlog queue */
         release_sock(sk);
         tipc_dest_list_purge(&tsk->cong_links);
@@ -2672,6 +2673,8 @@ void tipc_sk_reinit(struct net *net)
 
                 rhashtable_walk_stop(&iter);
         } while (tsk == ERR_PTR(-EAGAIN));
+
+        rhashtable_walk_exit(&iter);
 }
 
 static struct tipc_sock *tipc_sk_lookup(struct net *net, u32 portid)
@@ -3227,45 +3230,74 @@ int tipc_nl_sk_walk(struct sk_buff *skb, struct netlink_callback *cb,
                                        struct netlink_callback *cb,
                                        struct tipc_sock *tsk))
 {
-        struct net *net = sock_net(skb->sk);
-        struct tipc_net *tn = tipc_net(net);
-        const struct bucket_table *tbl;
-        u32 prev_portid = cb->args[1];
-        u32 tbl_id = cb->args[0];
-        struct rhash_head *pos;
+        struct rhashtable_iter *iter = (void *)cb->args[4];
         struct tipc_sock *tsk;
         int err;
 
-        rcu_read_lock();
-        tbl = rht_dereference_rcu((&tn->sk_rht)->tbl, &tn->sk_rht);
-        for (; tbl_id < tbl->size; tbl_id++) {
-                rht_for_each_entry_rcu(tsk, pos, tbl, tbl_id, node) {
-                        spin_lock_bh(&tsk->sk.sk_lock.slock);
-                        if (prev_portid && prev_portid != tsk->portid) {
-                                spin_unlock_bh(&tsk->sk.sk_lock.slock);
+        rhashtable_walk_start(iter);
+        while ((tsk = rhashtable_walk_next(iter)) != NULL) {
+                if (IS_ERR(tsk)) {
+                        err = PTR_ERR(tsk);
+                        if (err == -EAGAIN) {
+                                err = 0;
                                 continue;
                         }
+                        break;
+                }
 
-                        err = skb_handler(skb, cb, tsk);
-                        if (err) {
-                                prev_portid = tsk->portid;
-                                spin_unlock_bh(&tsk->sk.sk_lock.slock);
-                                goto out;
-                        }
-
-                        prev_portid = 0;
-                        spin_unlock_bh(&tsk->sk.sk_lock.slock);
+                sock_hold(&tsk->sk);
+                rhashtable_walk_stop(iter);
+                lock_sock(&tsk->sk);
+                err = skb_handler(skb, cb, tsk);
+                if (err) {
+                        release_sock(&tsk->sk);
+                        sock_put(&tsk->sk);
+                        goto out;
                 }
+                release_sock(&tsk->sk);
+                rhashtable_walk_start(iter);
+                sock_put(&tsk->sk);
         }
+        rhashtable_walk_stop(iter);
 out:
-        rcu_read_unlock();
-        cb->args[0] = tbl_id;
-        cb->args[1] = prev_portid;
-
         return skb->len;
 }
 EXPORT_SYMBOL(tipc_nl_sk_walk);
 
+int tipc_dump_start(struct netlink_callback *cb)
+{
+        return __tipc_dump_start(cb, sock_net(cb->skb->sk));
+}
+EXPORT_SYMBOL(tipc_dump_start);
+
+int __tipc_dump_start(struct netlink_callback *cb, struct net *net)
+{
+        /* tipc_nl_name_table_dump() uses cb->args[0...3]. */
+        struct rhashtable_iter *iter = (void *)cb->args[4];
+        struct tipc_net *tn = tipc_net(net);
+
+        if (!iter) {
+                iter = kmalloc(sizeof(*iter), GFP_KERNEL);
+                if (!iter)
+                        return -ENOMEM;
+
+                cb->args[4] = (long)iter;
+        }
+
+        rhashtable_walk_enter(&tn->sk_rht, iter);
+        return 0;
+}
+
+int tipc_dump_done(struct netlink_callback *cb)
+{
+        struct rhashtable_iter *hti = (void *)cb->args[4];
+
+        rhashtable_walk_exit(hti);
+        kfree(hti);
+        return 0;
+}
+EXPORT_SYMBOL(tipc_dump_done);
+
 int tipc_sk_fill_sock_diag(struct sk_buff *skb, struct netlink_callback *cb,
                            struct tipc_sock *tsk, u32 sk_filter_state,
                            u64 (*tipc_diag_gen_cookie)(struct sock *sk))
diff --git a/net/tipc/socket.h b/net/tipc/socket.h
index aff9b2ae5a1f..5e575f205afe 100644
--- a/net/tipc/socket.h
+++ b/net/tipc/socket.h
@@ -68,4 +68,7 @@ int tipc_nl_sk_walk(struct sk_buff *skb, struct netlink_callback *cb,
                     int (*skb_handler)(struct sk_buff *skb,
                                        struct netlink_callback *cb,
                                        struct tipc_sock *tsk));
+int tipc_dump_start(struct netlink_callback *cb);
+int __tipc_dump_start(struct netlink_callback *cb, struct net *net);
+int tipc_dump_done(struct netlink_callback *cb);
 #endif
diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
index c8e34ef22c30..2627b5d812e9 100644
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -313,8 +313,8 @@ static void tipc_conn_send_work(struct work_struct *work)
         conn_put(con);
 }
 
-/* tipc_conn_queue_evt() - interrupt level call from a subscription instance
- * The queued work is launched into tipc_send_work()->tipc_send_to_sock()
+/* tipc_topsrv_queue_evt() - interrupt level call from a subscription instance
+ * The queued work is launched into tipc_conn_send_work()->tipc_conn_send_to_sock()
  */
 void tipc_topsrv_queue_evt(struct net *net, int conid,
                            u32 event, struct tipc_event *evt)
diff --git a/net/tls/tls_device.c b/net/tls/tls_device.c
index 292742e50bfa..961b07d4d41c 100644
--- a/net/tls/tls_device.c
+++ b/net/tls/tls_device.c
@@ -686,7 +686,7 @@ int tls_set_device_offload(struct sock *sk, struct tls_context *ctx)
                 goto free_marker_record;
         }
 
-        crypto_info = &ctx->crypto_send;
+        crypto_info = &ctx->crypto_send.info;
         switch (crypto_info->cipher_type) {
         case TLS_CIPHER_AES_GCM_128:
                 nonce_size = TLS_CIPHER_AES_GCM_128_IV_SIZE;
@@ -780,7 +780,7 @@ int tls_set_device_offload(struct sock *sk, struct tls_context *ctx)
 
         ctx->priv_ctx_tx = offload_ctx;
         rc = netdev->tlsdev_ops->tls_dev_add(netdev, sk, TLS_OFFLOAD_CTX_DIR_TX,
-                                             &ctx->crypto_send,
+                                             &ctx->crypto_send.info,
                                              tcp_sk(sk)->write_seq);
         if (rc)
                 goto release_netdev;
@@ -862,7 +862,7 @@ int tls_set_device_offload_rx(struct sock *sk, struct tls_context *ctx)
                 goto release_ctx;
 
         rc = netdev->tlsdev_ops->tls_dev_add(netdev, sk, TLS_OFFLOAD_CTX_DIR_RX,
-                                             &ctx->crypto_recv,
+                                             &ctx->crypto_recv.info,
                                              tcp_sk(sk)->copied_seq);
         if (rc) {
                 pr_err_ratelimited("%s: The netdev has refused to offload this socket\n",
diff --git a/net/tls/tls_device_fallback.c b/net/tls/tls_device_fallback.c
index 6102169239d1..450a6dbc5a88 100644
--- a/net/tls/tls_device_fallback.c
+++ b/net/tls/tls_device_fallback.c
@@ -320,7 +320,7 @@ static struct sk_buff *tls_enc_skb(struct tls_context *tls_ctx,
                 goto free_req;
 
         iv = buf;
-        memcpy(iv, tls_ctx->crypto_send_aes_gcm_128.salt,
+        memcpy(iv, tls_ctx->crypto_send.aes_gcm_128.salt,
                TLS_CIPHER_AES_GCM_128_SALT_SIZE);
         aad = buf + TLS_CIPHER_AES_GCM_128_SALT_SIZE +
               TLS_CIPHER_AES_GCM_128_IV_SIZE;
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 180b6640e531..523622dc74f8 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -241,6 +241,16 @@ static void tls_write_space(struct sock *sk)
         ctx->sk_write_space(sk);
 }
 
+static void tls_ctx_free(struct tls_context *ctx)
+{
+        if (!ctx)
+                return;
+
+        memzero_explicit(&ctx->crypto_send, sizeof(ctx->crypto_send));
+        memzero_explicit(&ctx->crypto_recv, sizeof(ctx->crypto_recv));
+        kfree(ctx);
+}
+
 static void tls_sk_proto_close(struct sock *sk, long timeout)
 {
         struct tls_context *ctx = tls_get_ctx(sk);
@@ -294,7 +304,7 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
 #else
         {
 #endif
-                kfree(ctx);
+                tls_ctx_free(ctx);
                 ctx = NULL;
         }
 
@@ -305,7 +315,7 @@ skip_tx_cleanup:
          * for sk->sk_prot->unhash [tls_hw_unhash]
          */
         if (free_ctx)
-                kfree(ctx);
+                tls_ctx_free(ctx);
 }
 
 static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
@@ -330,7 +340,7 @@ static int do_tls_getsockopt_tx(struct sock *sk, char __user *optval,
         }
 
         /* get user crypto info */
-        crypto_info = &ctx->crypto_send;
+        crypto_info = &ctx->crypto_send.info;
 
         if (!TLS_CRYPTO_INFO_READY(crypto_info)) {
                 rc = -EBUSY;
@@ -417,9 +427,9 @@ static int do_tls_setsockopt_conf(struct sock *sk, char __user *optval,
         }
 
         if (tx)
-                crypto_info = &ctx->crypto_send;
+                crypto_info = &ctx->crypto_send.info;
         else
-                crypto_info = &ctx->crypto_recv;
+                crypto_info = &ctx->crypto_recv.info;
 
         /* Currently we don't support set crypto info more than one time */
         if (TLS_CRYPTO_INFO_READY(crypto_info)) {
@@ -499,7 +509,7 @@ static int do_tls_setsockopt_conf(struct sock *sk, char __user *optval,
         goto out;
 
 err_crypto_info:
-        memset(crypto_info, 0, sizeof(*crypto_info));
+        memzero_explicit(crypto_info, sizeof(union tls_crypto_context));
 out:
         return rc;
 }
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 52fbe727d7c1..b9c6ecfbcfea 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -125,6 +125,9 @@ static int alloc_encrypted_sg(struct sock *sk, int len)
                          &ctx->sg_encrypted_num_elem,
                          &ctx->sg_encrypted_size, 0);
 
+        if (rc == -ENOSPC)
+                ctx->sg_encrypted_num_elem = ARRAY_SIZE(ctx->sg_encrypted_data);
+
         return rc;
 }
 
@@ -138,6 +141,9 @@ static int alloc_plaintext_sg(struct sock *sk, int len)
                          &ctx->sg_plaintext_num_elem, &ctx->sg_plaintext_size,
                          tls_ctx->pending_open_record_frags);
 
+        if (rc == -ENOSPC)
+                ctx->sg_plaintext_num_elem = ARRAY_SIZE(ctx->sg_plaintext_data);
+
         return rc;
 }
 
@@ -925,7 +931,15 @@ int tls_sw_recvmsg(struct sock *sk,
                                 if (control != TLS_RECORD_TYPE_DATA)
                                         goto recv_end;
                         }
+                } else {
+                        /* MSG_PEEK right now cannot look beyond current skb
+                         * from strparser, meaning we cannot advance skb here
+                         * and thus unpause strparser since we'd loose original
+                         * one.
+                         */
+                        break;
                 }
+
                 /* If we have a new message from strparser, continue now. */
                 if (copied >= target && !ctx->recv_pkt)
                         break;
@@ -1049,8 +1063,8 @@ static int tls_read_size(struct strparser *strp, struct sk_buff *skb)
                 goto read_failure;
         }
 
-        if (header[1] != TLS_VERSION_MINOR(tls_ctx->crypto_recv.version) ||
-            header[2] != TLS_VERSION_MAJOR(tls_ctx->crypto_recv.version)) {
+        if (header[1] != TLS_VERSION_MINOR(tls_ctx->crypto_recv.info.version) ||
+            header[2] != TLS_VERSION_MAJOR(tls_ctx->crypto_recv.info.version)) {
                 ret = -EINVAL;
                 goto read_failure;
         }
@@ -1130,7 +1144,6 @@ void tls_sw_free_resources_rx(struct sock *sk)
 
 int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx)
 {
-        char keyval[TLS_CIPHER_AES_GCM_128_KEY_SIZE];
         struct tls_crypto_info *crypto_info;
         struct tls12_crypto_info_aes_gcm_128 *gcm_128_info;
         struct tls_sw_context_tx *sw_ctx_tx = NULL;
@@ -1175,12 +1188,12 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx)
 
         if (tx) {
                 crypto_init_wait(&sw_ctx_tx->async_wait);
-                crypto_info = &ctx->crypto_send;
+                crypto_info = &ctx->crypto_send.info;
                 cctx = &ctx->tx;
                 aead = &sw_ctx_tx->aead_send;
         } else {
                 crypto_init_wait(&sw_ctx_rx->async_wait);
-                crypto_info = &ctx->crypto_recv;
+                crypto_info = &ctx->crypto_recv.info;
                 cctx = &ctx->rx;
                 aead = &sw_ctx_rx->aead_recv;
         }
@@ -1259,9 +1272,7 @@ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx)
 
         ctx->push_pending_record = tls_sw_push_pending_record;
 
-        memcpy(keyval, gcm_128_info->key, TLS_CIPHER_AES_GCM_128_KEY_SIZE);
-
-        rc = crypto_aead_setkey(*aead, keyval,
+        rc = crypto_aead_setkey(*aead, gcm_128_info->key,
                                 TLS_CIPHER_AES_GCM_128_KEY_SIZE);
         if (rc)
                 goto free_aead;
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 5fb9b7dd9831..4b8ec659e797 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -669,13 +669,13 @@ static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
                         goto nla_put_failure;
 
                 if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
-                                rule->wmm_rule->client[j].cw_min) ||
+                                rule->wmm_rule.client[j].cw_min) ||
                     nla_put_u16(msg, NL80211_WMMR_CW_MAX,
-                                rule->wmm_rule->client[j].cw_max) ||
+                                rule->wmm_rule.client[j].cw_max) ||
                     nla_put_u8(msg, NL80211_WMMR_AIFSN,
-                               rule->wmm_rule->client[j].aifsn) ||
-                    nla_put_u8(msg, NL80211_WMMR_TXOP,
-                               rule->wmm_rule->client[j].cot))
+                               rule->wmm_rule.client[j].aifsn) ||
+                    nla_put_u16(msg, NL80211_WMMR_TXOP,
+                                rule->wmm_rule.client[j].cot))
                         goto nla_put_failure;
 
                 nla_nest_end(msg, nl_wmm_rule);
@@ -766,9 +766,9 @@ static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
 
         if (large) {
                 const struct ieee80211_reg_rule *rule =
-                        freq_reg_info(wiphy, chan->center_freq);
+                        freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
 
-                if (!IS_ERR(rule) && rule->wmm_rule) {
+                if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
                         if (nl80211_msg_put_wmm_rules(msg, rule))
                                 goto nla_put_failure;
                 }
@@ -12205,6 +12205,7 @@ static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
                 return -EOPNOTSUPP;
 
         if (!info->attrs[NL80211_ATTR_MDID] ||
+            !info->attrs[NL80211_ATTR_IE] ||
             !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
                 return -EINVAL;
 
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 4fc66a117b7d..2f702adf2912 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -425,36 +425,23 @@ static const struct ieee80211_regdomain *
 reg_copy_regd(const struct ieee80211_regdomain *src_regd)
 {
         struct ieee80211_regdomain *regd;
-        int size_of_regd, size_of_wmms;
+        int size_of_regd;
         unsigned int i;
-        struct ieee80211_wmm_rule *d_wmm, *s_wmm;
 
         size_of_regd =
                 sizeof(struct ieee80211_regdomain) +
                 src_regd->n_reg_rules * sizeof(struct ieee80211_reg_rule);
-        size_of_wmms = src_regd->n_wmm_rules *
-                sizeof(struct ieee80211_wmm_rule);
 
-        regd = kzalloc(size_of_regd + size_of_wmms, GFP_KERNEL);
+        regd = kzalloc(size_of_regd, GFP_KERNEL);
         if (!regd)
                 return ERR_PTR(-ENOMEM);
 
         memcpy(regd, src_regd, sizeof(struct ieee80211_regdomain));
 
-        d_wmm = (struct ieee80211_wmm_rule *)((u8 *)regd + size_of_regd);
-        s_wmm = (struct ieee80211_wmm_rule *)((u8 *)src_regd + size_of_regd);
-        memcpy(d_wmm, s_wmm, size_of_wmms);
-
-        for (i = 0; i < src_regd->n_reg_rules; i++) {
+        for (i = 0; i < src_regd->n_reg_rules; i++)
                 memcpy(&regd->reg_rules[i], &src_regd->reg_rules[i],
                        sizeof(struct ieee80211_reg_rule));
-                if (!src_regd->reg_rules[i].wmm_rule)
-                        continue;
 
-                regd->reg_rules[i].wmm_rule = d_wmm +
-                        (src_regd->reg_rules[i].wmm_rule - s_wmm) /
-                        sizeof(struct ieee80211_wmm_rule);
-        }
         return regd;
 }
 
@@ -860,9 +847,10 @@ static bool valid_regdb(const u8 *data, unsigned int size)
         return true;
 }
 
-static void set_wmm_rule(struct ieee80211_wmm_rule *rule,
+static void set_wmm_rule(struct ieee80211_reg_rule *rrule,
                          struct fwdb_wmm_rule *wmm)
 {
+        struct ieee80211_wmm_rule *rule = &rrule->wmm_rule;
         unsigned int i;
 
         for (i = 0; i < IEEE80211_NUM_ACS; i++) {
@@ -876,11 +864,13 @@ static void set_wmm_rule(struct ieee80211_wmm_rule *rule,
                 rule->ap[i].aifsn = wmm->ap[i].aifsn;
                 rule->ap[i].cot = 1000 * be16_to_cpu(wmm->ap[i].cot);
         }
+
+        rrule->has_wmm = true;
 }
 
 static int __regdb_query_wmm(const struct fwdb_header *db,
                              const struct fwdb_country *country, int freq,
-                             u32 *dbptr, struct ieee80211_wmm_rule *rule)
+                             struct ieee80211_reg_rule *rule)
 {
         unsigned int ptr = be16_to_cpu(country->coll_ptr) << 2;
         struct fwdb_collection *coll = (void *)((u8 *)db + ptr);
@@ -901,8 +891,6 @@ static int __regdb_query_wmm(const struct fwdb_header *db,
                         wmm_ptr = be16_to_cpu(rrule->wmm_ptr) << 2;
                         wmm = (void *)((u8 *)db + wmm_ptr);
                         set_wmm_rule(rule, wmm);
-                        if (dbptr)
-                                *dbptr = wmm_ptr;
                         return 0;
                 }
         }
@@ -910,8 +898,7 @@ static int __regdb_query_wmm(const struct fwdb_header *db,
         return -ENODATA;
 }
 
-int reg_query_regdb_wmm(char *alpha2, int freq, u32 *dbptr,
-                        struct ieee80211_wmm_rule *rule)
+int reg_query_regdb_wmm(char *alpha2, int freq, struct ieee80211_reg_rule *rule)
 {
         const struct fwdb_header *hdr = regdb;
         const struct fwdb_country *country;
@@ -925,8 +912,7 @@ int reg_query_regdb_wmm(char *alpha2, int freq, u32 *dbptr,
         country = &hdr->country[0];
         while (country->coll_ptr) {
                 if (alpha2_equal(alpha2, country->alpha2))
-                        return __regdb_query_wmm(regdb, country, freq, dbptr,
-                                                 rule);
+                        return __regdb_query_wmm(regdb, country, freq, rule);
 
                 country++;
         }
@@ -935,32 +921,13 @@ int reg_query_regdb_wmm(char *alpha2, int freq, u32 *dbptr,
 }
 EXPORT_SYMBOL(reg_query_regdb_wmm);
 
-struct wmm_ptrs {
-        struct ieee80211_wmm_rule *rule;
-        u32 ptr;
-};
-
-static struct ieee80211_wmm_rule *find_wmm_ptr(struct wmm_ptrs *wmm_ptrs,
-                                               u32 wmm_ptr, int n_wmms)
-{
-        int i;
-
-        for (i = 0; i < n_wmms; i++) {
-                if (wmm_ptrs[i].ptr == wmm_ptr)
-                        return wmm_ptrs[i].rule;
-        }
-        return NULL;
-}
-
 static int regdb_query_country(const struct fwdb_header *db,
                                const struct fwdb_country *country)
 {
         unsigned int ptr = be16_to_cpu(country->coll_ptr) << 2;
         struct fwdb_collection *coll = (void *)((u8 *)db + ptr);
         struct ieee80211_regdomain *regdom;
-        struct ieee80211_regdomain *tmp_rd;
-        unsigned int size_of_regd, i, n_wmms = 0;
-        struct wmm_ptrs *wmm_ptrs;
+        unsigned int size_of_regd, i;
 
         size_of_regd = sizeof(struct ieee80211_regdomain) +
                 coll->n_rules * sizeof(struct ieee80211_reg_rule);
@@ -969,12 +936,6 @@ static int regdb_query_country(const struct fwdb_header *db,
         if (!regdom)
                 return -ENOMEM;
 
-        wmm_ptrs = kcalloc(coll->n_rules, sizeof(*wmm_ptrs), GFP_KERNEL);
-        if (!wmm_ptrs) {
-                kfree(regdom);
-                return -ENOMEM;
-        }
-
         regdom->n_reg_rules = coll->n_rules;
         regdom->alpha2[0] = country->alpha2[0];
         regdom->alpha2[1] = country->alpha2[1];
@@ -1013,37 +974,11 @@ static int regdb_query_country(const struct fwdb_header *db,
                                 1000 * be16_to_cpu(rule->cac_timeout);
                 if (rule->len >= offsetofend(struct fwdb_rule, wmm_ptr)) {
                         u32 wmm_ptr = be16_to_cpu(rule->wmm_ptr) << 2;
-                        struct ieee80211_wmm_rule *wmm_pos =
-                                find_wmm_ptr(wmm_ptrs, wmm_ptr, n_wmms);
-                        struct fwdb_wmm_rule *wmm;
-                        struct ieee80211_wmm_rule *wmm_rule;
-
-                        if (wmm_pos) {
-                                rrule->wmm_rule = wmm_pos;
-                                continue;
-                        }
-                        wmm = (void *)((u8 *)db + wmm_ptr);
-                        tmp_rd = krealloc(regdom, size_of_regd + (n_wmms + 1) *
-                                          sizeof(struct ieee80211_wmm_rule),
-                                          GFP_KERNEL);
-
-                        if (!tmp_rd) {
-                                kfree(regdom);
-                                kfree(wmm_ptrs);
-                                return -ENOMEM;
-                        }
-                        regdom = tmp_rd;
-
-                        wmm_rule = (struct ieee80211_wmm_rule *)
-                                ((u8 *)regdom + size_of_regd + n_wmms *
-                                sizeof(struct ieee80211_wmm_rule));
+                        struct fwdb_wmm_rule *wmm = (void *)((u8 *)db + wmm_ptr);
 
-                        set_wmm_rule(wmm_rule, wmm);
-                        wmm_ptrs[n_wmms].ptr = wmm_ptr;
-                        wmm_ptrs[n_wmms++].rule = wmm_rule;
+                        set_wmm_rule(rrule, wmm);
                 }
         }
-        kfree(wmm_ptrs);
 
         return reg_schedule_apply(regdom);
 }
diff --git a/net/wireless/util.c b/net/wireless/util.c
index e0825a019e9f..959ed3acd240 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -1456,7 +1456,7 @@ bool ieee80211_chandef_to_operating_class(struct cfg80211_chan_def *chandef,
                                           u8 *op_class)
 {
         u8 vht_opclass;
-        u16 freq = chandef->center_freq1;
+        u32 freq = chandef->center_freq1;
 
         if (freq >= 2412 && freq <= 2472) {
                 if (chandef->width > NL80211_CHAN_WIDTH_40)