Merge branch 'for-4.16/dax' into libnvdimm-for-next

author: Ross Zwisler <ross.zwisler@linux.intel.com> 2018-02-03 02:26:10 -0500
committer: Ross Zwisler <ross.zwisler@linux.intel.com> 2018-02-03 02:26:10 -0500
commit: d121f07691415df824e6b60520f782f6d13b3c81 (patch)
tree: 422ad3cc6fd631604fef4e469e49bacba8202e52 /net
parent: 59858d3d54cfad1f8db67c2c07e4dd33bb6ed955 (diff)
parent: 569d0365f571fa6421a5c80bc30d1b2cdab857fe (diff)
111 files changed, 1019 insertions, 519 deletions
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index 985046ae4231..80f5c79053a4 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -839,7 +839,6 @@ static int p9_socket_open(struct p9_client *client, struct socket *csocket)
        if (IS_ERR(file)) {
                pr_err("%s (%d): failed to map fd\n",
                       __func__, task_pid_nr(current));
-                sock_release(csocket);
                kfree(p);
                return PTR_ERR(file);
        }
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index 1b659ab652fb..bbe8414b6ee7 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -1214,7 +1214,7 @@ static bool batadv_iv_ogm_calc_tq(struct batadv_orig_node *orig_node,
        orig_node->last_seen = jiffies;
        /* find packet count of corresponding one hop neighbor */
-        spin_lock_bh(&orig_node->bat_iv.ogm_cnt_lock);
+        spin_lock_bh(&orig_neigh_node->bat_iv.ogm_cnt_lock);
        if_num = if_incoming->if_num;
        orig_eq_count = orig_neigh_node->bat_iv.bcast_own_sum[if_num];
        neigh_ifinfo = batadv_neigh_ifinfo_new(neigh_node, if_outgoing);
@@ -1224,7 +1224,7 @@ static bool batadv_iv_ogm_calc_tq(struct batadv_orig_node *orig_node,
        } else {
                neigh_rq_count = 0;
        }
-        spin_unlock_bh(&orig_node->bat_iv.ogm_cnt_lock);
+        spin_unlock_bh(&orig_neigh_node->bat_iv.ogm_cnt_lock);
        /* pay attention to not get a value bigger than 100 % */
        if (orig_eq_count > neigh_rq_count)
diff --git a/net/batman-adv/bat_v.c b/net/batman-adv/bat_v.c
index 341ceab8338d..e0e2bfcd6b3e 100644
--- a/net/batman-adv/bat_v.c
+++ b/net/batman-adv/bat_v.c
@@ -814,7 +814,7 @@ static bool batadv_v_gw_is_eligible(struct batadv_priv *bat_priv,
        }
        orig_gw = batadv_gw_node_get(bat_priv, orig_node);
-        if (!orig_node)
+        if (!orig_gw)
                goto out;
        if (batadv_v_gw_throughput_get(orig_gw, &orig_throughput) < 0)
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
index a98cf1104a30..ebe6e38934e4 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -499,6 +499,8 @@ int batadv_frag_send_packet(struct sk_buff *skb,
         */
        if (skb->priority >= 256 && skb->priority <= 263)
                frag_header.priority = skb->priority - 256;
+        else
+                frag_header.priority = 0;
        ether_addr_copy(frag_header.orig, primary_if->net_dev->dev_addr);
        ether_addr_copy(frag_header.dest, orig_node->orig);
diff --git a/net/batman-adv/tp_meter.c b/net/batman-adv/tp_meter.c
index 15cd2139381e..ebc4e2241c77 100644
--- a/net/batman-adv/tp_meter.c
+++ b/net/batman-adv/tp_meter.c
@@ -482,7 +482,7 @@ static void batadv_tp_reset_sender_timer(struct batadv_tp_vars *tp_vars)
 /**
 * batadv_tp_sender_timeout - timer that fires in case of packet loss
- * @arg: address of the related tp_vars
+ * @t: address to timer_list inside tp_vars
 *
 * If fired it means that there was packet loss.
 * Switch to Slow Start, set the ss_threshold to half of the current cwnd and
@@ -1106,7 +1106,7 @@ static void batadv_tp_reset_receiver_timer(struct batadv_tp_vars *tp_vars)
 /**
 * batadv_tp_receiver_shutdown - stop a tp meter receiver when timeout is
 *  reached without received ack
- * @arg: address of the related tp_vars
+ * @t: address to timer_list inside tp_vars
 */
 static void batadv_tp_receiver_shutdown(struct timer_list *t)
 {
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index d0ef0a8e8831..015f465c514b 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -1262,19 +1262,20 @@ static int br_dev_newlink(struct net *src_net, struct net_device *dev,
        struct net_bridge *br = netdev_priv(dev);
        int err;
+        err = register_netdevice(dev);
+        if (err)
+                return err;
        if (tb[IFLA_ADDRESS]) {
                spin_lock_bh(&br->lock);
                br_stp_change_bridge_id(br, nla_data(tb[IFLA_ADDRESS]));
                spin_unlock_bh(&br->lock);
        }
-        err = register_netdevice(dev);
-        if (err)
-                return err;
        err = br_changelink(dev, tb, data, extack);
        if (err)
-                unregister_netdevice(dev);
+                br_dev_delete(dev, NULL);
        return err;
 }
diff --git a/net/core/dev.c b/net/core/dev.c
index 07ed21d64f92..01ee854454a8 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1106,7 +1106,7 @@ static int __dev_alloc_name(struct net *net, const char *name, char *buf)
         * when the name is long and there isn't enough space left
         * for the digits, or if all bits are used.
         */
-        return p ? -ENFILE : -EEXIST;
+        return -ENFILE;
 }
 static int dev_alloc_name_ns(struct net *net,
@@ -3904,7 +3904,7 @@ static u32 netif_receive_generic_xdp(struct sk_buff *skb,
                                     hroom > 0 ? ALIGN(hroom, NET_SKB_PAD) : 0,
                                     troom > 0 ? troom + 128 : 0, GFP_ATOMIC))
                        goto do_drop;
-                if (troom > 0 && __skb_linearize(skb))
+                if (skb_linearize(skb))
                        goto do_drop;
        }
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index b797832565d3..60a71be75aea 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -267,7 +267,7 @@ struct net *get_net_ns_by_id(struct net *net, int id)
        spin_lock_bh(&net->nsid_lock);
        peer = idr_find(&net->netns_ids, id);
        if (peer)
-                get_net(peer);
+                peer = maybe_get_net(peer);
        spin_unlock_bh(&net->nsid_lock);
        rcu_read_unlock();
diff --git a/net/core/netprio_cgroup.c b/net/core/netprio_cgroup.c
index 1c4810919a0a..b9057478d69c 100644
--- a/net/core/netprio_cgroup.c
+++ b/net/core/netprio_cgroup.c
@@ -14,7 +14,6 @@
 #include <linux/module.h>
 #include <linux/slab.h>
 #include <linux/types.h>
-#include <linux/module.h>
 #include <linux/string.h>
 #include <linux/errno.h>
 #include <linux/skbuff.h>
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 6b0ff396fa9d..08f574081315 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1177,12 +1177,12 @@ int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask)
        int i, new_frags;
        u32 d_off;
-        if (!num_frags)
-                return 0;
        if (skb_shared(skb) || skb_unclone(skb, gfp_mask))
                return -EINVAL;
+        if (!num_frags)
+                goto release;
        new_frags = (__skb_pagelen(skb) + PAGE_SIZE - 1) >> PAGE_SHIFT;
        for (i = 0; i < new_frags; i++) {
                page = alloc_page(gfp_mask);
@@ -1238,6 +1238,7 @@ int skb_copy_ubufs(struct sk_buff *skb, gfp_t gfp_mask)
        __skb_fill_page_desc(skb, new_frags - 1, head, 0, d_off);
        skb_shinfo(skb)->nr_frags = new_frags;
+release:
        skb_zcopy_clear(skb, false);
        return 0;
 }
@@ -3654,8 +3655,6 @@ normal:
                skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags &
                                              SKBTX_SHARED_FRAG;
-                if (skb_zerocopy_clone(nskb, head_skb, GFP_ATOMIC))
-                        goto err;
                while (pos < offset + len) {
                        if (i >= nfrags) {
@@ -3681,6 +3680,8 @@ normal:
                        if (unlikely(skb_orphan_frags(frag_skb, GFP_ATOMIC)))
                                goto err;
+                        if (skb_zerocopy_clone(nskb, frag_skb, GFP_ATOMIC))
+                                goto err;
                        *nskb_frag = *frag;
                        __skb_frag_ref(nskb_frag);
@@ -4293,7 +4294,7 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
        struct sock *sk = skb->sk;
        if (!skb_may_tx_timestamp(sk, false))
-                return;
+                goto err;
        /* Take a reference to prevent skb_orphan() from freeing the socket,
         * but only if the socket refcount is not zero.
@@ -4302,7 +4303,11 @@ void skb_complete_tx_timestamp(struct sk_buff *skb,
                *skb_hwtstamps(skb) = *hwtstamps;
                __skb_complete_tx_timestamp(skb, sk, SCM_TSTAMP_SND, false);
                sock_put(sk);
+                return;
        }
+err:
+        kfree_skb(skb);
 }
 EXPORT_SYMBOL_GPL(skb_complete_tx_timestamp);
diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
index abd07a443219..178bb9833311 100644
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -57,10 +57,16 @@ void dccp_time_wait(struct sock *sk, int state, int timeo)
                if (state == DCCP_TIME_WAIT)
                        timeo = DCCP_TIMEWAIT_LEN;
+                /* tw_timer is pinned, so we need to make sure BH are disabled
+                 * in following section, otherwise timer handler could run before
+                 * we complete the initialization.
+                 */
+                local_bh_disable();
                inet_twsk_schedule(tw, timeo);
                /* Linkage updates. */
                __inet_twsk_hashdance(tw, sk, &dccp_hashinfo);
                inet_twsk_put(tw);
+                local_bh_enable();
        } else {
                /* Sorry, if we're out of memory, just CLOSE this
                 * socket up.  We've got bigger problems than
diff --git a/net/dccp/proto.c b/net/dccp/proto.c
index b68168fcc06a..9d43c1f40274 100644
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int flags)
 {
        struct inet_connection_sock *icsk = inet_csk(sk);
        struct inet_sock *inet = inet_sk(sk);
+        struct dccp_sock *dp = dccp_sk(sk);
        int err = 0;
        const int old_state = sk->sk_state;
@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int flags)
                sk->sk_err = ECONNRESET;
        dccp_clear_xmit_timers(sk);
+        ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
+        ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
+        dp->dccps_hc_rx_ccid = NULL;
+        dp->dccps_hc_tx_ccid = NULL;
        __skb_queue_purge(&sk->sk_receive_queue);
        __skb_queue_purge(&sk->sk_write_queue);
diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index d6e7a642493b..a95a55f79137 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -16,7 +16,6 @@
 #include <linux/of_net.h>
 #include <linux/of_mdio.h>
 #include <linux/mdio.h>
-#include <linux/list.h>
 #include <net/rtnetlink.h>
 #include <net/pkt_cls.h>
 #include <net/tc_act/tc_mirred.h>
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index a4573bccd6da..7a93359fbc72 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1428,7 +1428,7 @@ skip:
 static bool inetdev_valid_mtu(unsigned int mtu)
 {
-        return mtu >= 68;
+        return mtu >= IPV4_MIN_MTU;
 }
 static void inetdev_send_gratuitous_arp(struct net_device *dev,
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index f52d27a422c3..08259d078b1c 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -1298,14 +1298,19 @@ err_table_hash_alloc:
 static void ip_fib_net_exit(struct net *net)
 {
-        unsigned int i;
+        int i;
        rtnl_lock();
 #ifdef CONFIG_IP_MULTIPLE_TABLES
        RCU_INIT_POINTER(net->ipv4.fib_main, NULL);
        RCU_INIT_POINTER(net->ipv4.fib_default, NULL);
 #endif
-        for (i = 0; i < FIB_TABLE_HASHSZ; i++) {
+        /* Destroy the tables in reverse order to guarantee that the
+         * local table, ID 255, is destroyed before the main table, ID
+         * 254. This is necessary as the local table may contain
+         * references to data contained in the main table.
+         */
+        for (i = FIB_TABLE_HASHSZ - 1; i >= 0; i--) {
                struct hlist_head *head = &net->ipv4.fib_table_hash[i];
                struct hlist_node *tmp;
                struct fib_table *tb;
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index f04d944f8abe..c586597da20d 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -698,7 +698,7 @@ bool fib_metrics_match(struct fib_config *cfg, struct fib_info *fi)
        nla_for_each_attr(nla, cfg->fc_mx, cfg->fc_mx_len, remaining) {
                int type = nla_type(nla);
-                u32 val;
+                u32 fi_val, val;
                if (!type)
                        continue;
@@ -715,7 +715,11 @@ bool fib_metrics_match(struct fib_config *cfg, struct fib_info *fi)
                        val = nla_get_u32(nla);
                }
-                if (fi->fib_metrics->metrics[type - 1] != val)
+                fi_val = fi->fib_metrics->metrics[type - 1];
+                if (type == RTAX_FEATURES)
+                        fi_val &= ~DST_FEATURE_ECN_CA;
+                if (fi_val != val)
                        return false;
        }
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index d1f8f302dbf3..726f6b608274 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -89,6 +89,7 @@
 #include <linux/rtnetlink.h>
 #include <linux/times.h>
 #include <linux/pkt_sched.h>
+#include <linux/byteorder/generic.h>
 #include <net/net_namespace.h>
 #include <net/arp.h>
@@ -321,6 +322,23 @@ igmp_scount(struct ip_mc_list *pmc, int type, int gdeleted, int sdeleted)
        return scount;
 }
+/* source address selection per RFC 3376 section 4.2.13 */
+static __be32 igmpv3_get_srcaddr(struct net_device *dev,
+                                 const struct flowi4 *fl4)
+{
+        struct in_device *in_dev = __in_dev_get_rcu(dev);
+        if (!in_dev)
+                return htonl(INADDR_ANY);
+        for_ifa(in_dev) {
+                if (inet_ifa_match(fl4->saddr, ifa))
+                        return fl4->saddr;
+        } endfor_ifa(in_dev);
+        return htonl(INADDR_ANY);
+}
 static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
 {
        struct sk_buff *skb;
@@ -368,7 +386,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, unsigned int mtu)
        pip->frag_off = htons(IP_DF);
        pip->ttl      = 1;
        pip->daddr    = fl4.daddr;
-        pip->saddr    = fl4.saddr;
+        pip->saddr    = igmpv3_get_srcaddr(dev, &fl4);
        pip->protocol = IPPROTO_IGMP;
        pip->tot_len  = 0;      /* filled in later */
        ip_select_ident(net, skb, NULL);
@@ -404,16 +422,17 @@ static int grec_size(struct ip_mc_list *pmc, int type, int gdel, int sdel)
 }
 static struct sk_buff *add_grhead(struct sk_buff *skb, struct ip_mc_list *pmc,
-        int type, struct igmpv3_grec **ppgr)
+        int type, struct igmpv3_grec **ppgr, unsigned int mtu)
 {
        struct net_device *dev = pmc->interface->dev;
        struct igmpv3_report *pih;
        struct igmpv3_grec *pgr;
-        if (!skb)
+        if (!skb) {
-                skb = igmpv3_newpack(dev, dev->mtu);
+                skb = igmpv3_newpack(dev, mtu);
-        if (!skb)
+                if (!skb)
-                return NULL;
+                        return NULL;
+        }
        pgr = skb_put(skb, sizeof(struct igmpv3_grec));
        pgr->grec_type = type;
        pgr->grec_auxwords = 0;
@@ -436,12 +455,17 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
        struct igmpv3_grec *pgr = NULL;
        struct ip_sf_list *psf, *psf_next, *psf_prev, **psf_list;
        int scount, stotal, first, isquery, truncate;
+        unsigned int mtu;
        if (pmc->multiaddr == IGMP_ALL_HOSTS)
                return skb;
        if (ipv4_is_local_multicast(pmc->multiaddr) && !net->ipv4.sysctl_igmp_llm_reports)
                return skb;
+        mtu = READ_ONCE(dev->mtu);
+        if (mtu < IPV4_MIN_MTU)
+                return skb;
        isquery = type == IGMPV3_MODE_IS_INCLUDE ||
                  type == IGMPV3_MODE_IS_EXCLUDE;
        truncate = type == IGMPV3_MODE_IS_EXCLUDE ||
@@ -462,7 +486,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
                    AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) {
                        if (skb)
                                igmpv3_sendpack(skb);
-                        skb = igmpv3_newpack(dev, dev->mtu);
+                        skb = igmpv3_newpack(dev, mtu);
                }
        }
        first = 1;
@@ -498,12 +522,12 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ip_mc_list *pmc,
                                pgr->grec_nsrcs = htons(scount);
                        if (skb)
                                igmpv3_sendpack(skb);
-                        skb = igmpv3_newpack(dev, dev->mtu);
+                        skb = igmpv3_newpack(dev, mtu);
                        first = 1;
                        scount = 0;
                }
                if (first) {
-                        skb = add_grhead(skb, pmc, type, &pgr);
+                        skb = add_grhead(skb, pmc, type, &pgr, mtu);
                        first = 0;
                }
                if (!skb)
@@ -538,7 +562,7 @@ empty_source:
                                igmpv3_sendpack(skb);
                                skb = NULL; /* add_grhead will get a new one */
                        }
-                        skb = add_grhead(skb, pmc, type, &pgr);
+                        skb = add_grhead(skb, pmc, type, &pgr, mtu);
                }
        }
        if (pgr)
diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index c690cd0d9b3f..b563e0c46bac 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -93,7 +93,7 @@ static void inet_twsk_add_bind_node(struct inet_timewait_sock *tw,
 }
 /*
- * Enter the time wait state.
+ * Enter the time wait state. This is called with locally disabled BH.
 * Essentially we whip up a timewait bucket, copy the relevant info into it
 * from the SK, and mess with hash chains and list linkage.
 */
@@ -111,7 +111,7 @@ void __inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk,
         */
        bhead = &hashinfo->bhash[inet_bhashfn(twsk_net(tw), inet->inet_num,
                        hashinfo->bhash_size)];
-        spin_lock_bh(&bhead->lock);
+        spin_lock(&bhead->lock);
        tw->tw_tb = icsk->icsk_bind_hash;
        WARN_ON(!icsk->icsk_bind_hash);
        inet_twsk_add_bind_node(tw, &tw->tw_tb->owners);
@@ -137,7 +137,7 @@ void __inet_twsk_hashdance(struct inet_timewait_sock *tw, struct sock *sk,
        if (__sk_nulls_del_node_init_rcu(sk))
                sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
-        spin_unlock_bh(lock);
+        spin_unlock(lock);
 }
 EXPORT_SYMBOL_GPL(__inet_twsk_hashdance);
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index bb6239169b1a..45ffd3d045d2 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -266,7 +266,7 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
        len = gre_hdr_len + sizeof(*ershdr);
        if (unlikely(!pskb_may_pull(skb, len)))
-                return -ENOMEM;
+                return PACKET_REJECT;
        iph = ip_hdr(skb);
        ershdr = (struct erspanhdr *)(skb->data + gre_hdr_len);
@@ -1310,6 +1310,7 @@ static const struct net_device_ops erspan_netdev_ops = {
 static void ipgre_tap_setup(struct net_device *dev)
 {
        ether_setup(dev);
+        dev->max_mtu = 0;
        dev->netdev_ops = &gre_tap_netdev_ops;
        dev->priv_flags &= ~IFF_TX_SKB_SHARING;
        dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index fe6fee728ce4..5ddb1cb52bd4 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -349,8 +349,8 @@ static int ip_tunnel_bind_dev(struct net_device *dev)
        dev->needed_headroom = t_hlen + hlen;
        mtu -= (dev->hard_header_len + t_hlen);
-        if (mtu < 68)
+        if (mtu < IPV4_MIN_MTU)
-                mtu = 68;
+                mtu = IPV4_MIN_MTU;
        return mtu;
 }
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index f88221aebc9d..0c3c944a7b72 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -373,7 +373,6 @@ static int mark_source_chains(const struct xt_table_info *newinfo,
                                        if (!xt_find_jump_offset(offsets, newpos,
                                                                 newinfo->number))
                                                return 0;
-                                        e = entry0 + newpos;
                                } else {
                                        /* ... this is a fallthru */
                                        newpos = pos + e->next_offset;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 4cbe5e80f3bf..2e0d339028bb 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -439,7 +439,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
                                        if (!xt_find_jump_offset(offsets, newpos,
                                                                 newinfo->number))
                                                return 0;
-                                        e = entry0 + newpos;
                                } else {
                                        /* ... this is a fallthru */
                                        newpos = pos + e->next_offset;
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 17b4ca562944..69060e3abe85 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -813,12 +813,13 @@ static int clusterip_net_init(struct net *net)
 static void clusterip_net_exit(struct net *net)
 {
-#ifdef CONFIG_PROC_FS
        struct clusterip_net *cn = net_generic(net, clusterip_net_id);
+#ifdef CONFIG_PROC_FS
        proc_remove(cn->procdir);
        cn->procdir = NULL;
 #endif
        nf_unregister_net_hook(net, &cip_arp_ops);
+        WARN_ON_ONCE(!list_empty(&cn->configs));
 }
 static struct pernet_operations clusterip_net_ops = {
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 33b70bfd1122..125c1eab3eaa 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
        int err;
        struct ip_options_data opt_copy;
        struct raw_frag_vec rfv;
+        int hdrincl;
        err = -EMSGSIZE;
        if (len > 0xFFFF)
                goto out;
+        /* hdrincl should be READ_ONCE(inet->hdrincl)
+         * but READ_ONCE() doesn't work with bit fields
+         */
+        hdrincl = inet->hdrincl;
        /*
         *      Check the flags.
         */
@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
                /* Linux does not mangle headers on raw sockets,
                 * so that IP options + IP_HDRINCL is non-sense.
                 */
-                if (inet->hdrincl)
+                if (hdrincl)
                        goto done;
                if (ipc.opt->opt.srr) {
                        if (!daddr)
@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
        flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
                           RT_SCOPE_UNIVERSE,
-                           inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+                           hdrincl ? IPPROTO_RAW : sk->sk_protocol,
                           inet_sk_flowi_flags(sk) |
-                            (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+                            (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
                           daddr, saddr, 0, 0, sk->sk_uid);
-        if (!inet->hdrincl) {
+        if (!hdrincl) {
                rfv.msg = msg;
                rfv.hlen = 0;
@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
                goto do_confirm;
 back_from_confirm:
-        if (inet->hdrincl)
+        if (hdrincl)
                err = raw_send_hdrinc(sk, &fl4, msg, len,
                                      &rt, msg->msg_flags, &ipc.sockc);
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index bf97317e6c97..f08eebe60446 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2412,6 +2412,7 @@ int tcp_disconnect(struct sock *sk, int flags)
        tp->snd_cwnd_cnt = 0;
        tp->window_clamp = 0;
        tcp_set_ca_state(sk, TCP_CA_Open);
+        tp->is_sack_reneg = 0;
        tcp_clear_retrans(tp);
        inet_csk_delack_init(sk);
        /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
diff --git a/net/ipv4/tcp_bbr.c b/net/ipv4/tcp_bbr.c
index 69ee877574d0..8322f26e770e 100644
--- a/net/ipv4/tcp_bbr.c
+++ b/net/ipv4/tcp_bbr.c
@@ -110,7 +110,8 @@ struct bbr {
        u32     lt_last_lost;        /* LT intvl start: tp->lost */
        u32     pacing_gain:10, /* current gain for setting pacing rate */
                cwnd_gain:10,   /* current gain for setting cwnd */
-                full_bw_cnt:3,  /* number of rounds without large bw gains */
+                full_bw_reached:1,   /* reached full bw in Startup? */
+                full_bw_cnt:2,  /* number of rounds without large bw gains */
                cycle_idx:3,    /* current index in pacing_gain cycle array */
                has_seen_rtt:1, /* have we seen an RTT sample yet? */
                unused_b:5;
@@ -180,7 +181,7 @@ static bool bbr_full_bw_reached(const struct sock *sk)
 {
        const struct bbr *bbr = inet_csk_ca(sk);
-        return bbr->full_bw_cnt >= bbr_full_bw_cnt;
+        return bbr->full_bw_reached;
 }
 /* Return the windowed max recent bandwidth sample, in pkts/uS << BW_SCALE. */
@@ -717,6 +718,7 @@ static void bbr_check_full_bw_reached(struct sock *sk,
                return;
        }
        ++bbr->full_bw_cnt;
+        bbr->full_bw_reached = bbr->full_bw_cnt >= bbr_full_bw_cnt;
 }
 /* If pipe is probably full, drain the queue and then enter steady-state. */
@@ -850,6 +852,7 @@ static void bbr_init(struct sock *sk)
        bbr->restore_cwnd = 0;
        bbr->round_start = 0;
        bbr->idle_restart = 0;
+        bbr->full_bw_reached = 0;
        bbr->full_bw = 0;
        bbr->full_bw_cnt = 0;
        bbr->cycle_mstamp = 0;
@@ -871,6 +874,11 @@ static u32 bbr_sndbuf_expand(struct sock *sk)
 */
 static u32 bbr_undo_cwnd(struct sock *sk)
 {
+        struct bbr *bbr = inet_csk_ca(sk);
+        bbr->full_bw = 0;   /* spurious slow-down; reset full pipe detection */
+        bbr->full_bw_cnt = 0;
+        bbr_reset_lt_bw_sampling(sk);
        return tcp_sk(sk)->snd_cwnd;
 }
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 734cfc8ff76e..45f750e85714 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -508,9 +508,6 @@ static void tcp_rcv_rtt_update(struct tcp_sock *tp, u32 sample, int win_dep)
        u32 new_sample = tp->rcv_rtt_est.rtt_us;
        long m = sample;
-        if (m == 0)
-                m = 1;
        if (new_sample != 0) {
                /* If we sample in larger samples in the non-timestamp
                 * case, we could grossly overestimate the RTT especially
@@ -547,6 +544,8 @@ static inline void tcp_rcv_rtt_measure(struct tcp_sock *tp)
        if (before(tp->rcv_nxt, tp->rcv_rtt_est.seq))
                return;
        delta_us = tcp_stamp_us_delta(tp->tcp_mstamp, tp->rcv_rtt_est.time);
+        if (!delta_us)
+                delta_us = 1;
        tcp_rcv_rtt_update(tp, delta_us, 1);
 new_measure:
@@ -563,8 +562,11 @@ static inline void tcp_rcv_rtt_measure_ts(struct sock *sk,
            (TCP_SKB_CB(skb)->end_seq -
             TCP_SKB_CB(skb)->seq >= inet_csk(sk)->icsk_ack.rcv_mss)) {
                u32 delta = tcp_time_stamp(tp) - tp->rx_opt.rcv_tsecr;
-                u32 delta_us = delta * (USEC_PER_SEC / TCP_TS_HZ);
+                u32 delta_us;
+                if (!delta)
+                        delta = 1;
+                delta_us = delta * (USEC_PER_SEC / TCP_TS_HZ);
                tcp_rcv_rtt_update(tp, delta_us, 0);
        }
 }
@@ -579,6 +581,7 @@ void tcp_rcv_space_adjust(struct sock *sk)
        int time;
        int copied;
+        tcp_mstamp_refresh(tp);
        time = tcp_stamp_us_delta(tp->tcp_mstamp, tp->rcvq_space.time);
        if (time < (tp->rcv_rtt_est.rtt_us >> 3) || tp->rcv_rtt_est.rtt_us == 0)
                return;
@@ -1941,6 +1944,8 @@ void tcp_enter_loss(struct sock *sk)
        if (is_reneg) {
                NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSACKRENEGING);
                tp->sacked_out = 0;
+                /* Mark SACK reneging until we recover from this loss event. */
+                tp->is_sack_reneg = 1;
        }
        tcp_clear_all_retrans_hints(tp);
@@ -2326,6 +2331,7 @@ static void tcp_undo_cwnd_reduction(struct sock *sk, bool unmark_loss)
        }
        tp->snd_cwnd_stamp = tcp_jiffies32;
        tp->undo_marker = 0;
+        tp->rack.advanced = 1; /* Force RACK to re-exam losses */
 }
 static inline bool tcp_may_undo(const struct tcp_sock *tp)
@@ -2364,6 +2370,7 @@ static bool tcp_try_undo_recovery(struct sock *sk)
                return true;
        }
        tcp_set_ca_state(sk, TCP_CA_Open);
+        tp->is_sack_reneg = 0;
        return false;
 }
@@ -2397,8 +2404,10 @@ static bool tcp_try_undo_loss(struct sock *sk, bool frto_undo)
                        NET_INC_STATS(sock_net(sk),
                                        LINUX_MIB_TCPSPURIOUSRTOS);
                inet_csk(sk)->icsk_retransmits = 0;
-                if (frto_undo || tcp_is_sack(tp))
+                if (frto_undo || tcp_is_sack(tp)) {
                        tcp_set_ca_state(sk, TCP_CA_Open);
+                        tp->is_sack_reneg = 0;
+                }
                return true;
        }
        return false;
@@ -3495,6 +3504,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
        struct tcp_sacktag_state sack_state;
        struct rate_sample rs = { .prior_delivered = 0 };
        u32 prior_snd_una = tp->snd_una;
+        bool is_sack_reneg = tp->is_sack_reneg;
        u32 ack_seq = TCP_SKB_CB(skb)->seq;
        u32 ack = TCP_SKB_CB(skb)->ack_seq;
        bool is_dupack = false;
@@ -3611,7 +3621,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag)
        delivered = tp->delivered - delivered;  /* freshly ACKed or SACKed */
        lost = tp->lost - lost;                 /* freshly marked lost */
-        tcp_rate_gen(sk, delivered, lost, sack_state.rate);
+        tcp_rate_gen(sk, delivered, lost, is_sack_reneg, sack_state.rate);
        tcp_cong_control(sk, ack, delivered, flag, sack_state.rate);
        tcp_xmit_recovery(sk, rexmit);
        return 1;
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index c6bc0c4d19c6..94e28350f420 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -848,7 +848,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
                        tcp_time_stamp_raw() + tcp_rsk(req)->ts_off,
                        req->ts_recent,
                        0,
-                        tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->daddr,
+                        tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->saddr,
                                          AF_INET),
                        inet_rsk(req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0,
                        ip_hdr(skb)->tos);
@@ -1591,6 +1591,34 @@ int tcp_filter(struct sock *sk, struct sk_buff *skb)
 }
 EXPORT_SYMBOL(tcp_filter);
+static void tcp_v4_restore_cb(struct sk_buff *skb)
+{
+        memmove(IPCB(skb), &TCP_SKB_CB(skb)->header.h4,
+                sizeof(struct inet_skb_parm));
+}
+static void tcp_v4_fill_cb(struct sk_buff *skb, const struct iphdr *iph,
+                           const struct tcphdr *th)
+{
+        /* This is tricky : We move IPCB at its correct location into TCP_SKB_CB()
+         * barrier() makes sure compiler wont play fool^Waliasing games.
+         */
+        memmove(&TCP_SKB_CB(skb)->header.h4, IPCB(skb),
+                sizeof(struct inet_skb_parm));
+        barrier();
+        TCP_SKB_CB(skb)->seq = ntohl(th->seq);
+        TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
+                                    skb->len - th->doff * 4);
+        TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
+        TCP_SKB_CB(skb)->tcp_flags = tcp_flag_byte(th);
+        TCP_SKB_CB(skb)->tcp_tw_isn = 0;
+        TCP_SKB_CB(skb)->ip_dsfield = ipv4_get_dsfield(iph);
+        TCP_SKB_CB(skb)->sacked  = 0;
+        TCP_SKB_CB(skb)->has_rxtstamp =
+                        skb->tstamp || skb_hwtstamps(skb)->hwtstamp;
+}
 /*
 *      From tcp_input.c
 */
@@ -1631,24 +1659,6 @@ int tcp_v4_rcv(struct sk_buff *skb)
        th = (const struct tcphdr *)skb->data;
        iph = ip_hdr(skb);
-        /* This is tricky : We move IPCB at its correct location into TCP_SKB_CB()
-         * barrier() makes sure compiler wont play fool^Waliasing games.
-         */
-        memmove(&TCP_SKB_CB(skb)->header.h4, IPCB(skb),
-                sizeof(struct inet_skb_parm));
-        barrier();
-        TCP_SKB_CB(skb)->seq = ntohl(th->seq);
-        TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
-                                    skb->len - th->doff * 4);
-        TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
-        TCP_SKB_CB(skb)->tcp_flags = tcp_flag_byte(th);
-        TCP_SKB_CB(skb)->tcp_tw_isn = 0;
-        TCP_SKB_CB(skb)->ip_dsfield = ipv4_get_dsfield(iph);
-        TCP_SKB_CB(skb)->sacked  = 0;
-        TCP_SKB_CB(skb)->has_rxtstamp =
-                        skb->tstamp || skb_hwtstamps(skb)->hwtstamp;
 lookup:
        sk = __inet_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th), th->source,
                               th->dest, sdif, &refcounted);
@@ -1679,14 +1689,19 @@ process:
                sock_hold(sk);
                refcounted = true;
                nsk = NULL;
-                if (!tcp_filter(sk, skb))
+                if (!tcp_filter(sk, skb)) {
+                        th = (const struct tcphdr *)skb->data;
+                        iph = ip_hdr(skb);
+                        tcp_v4_fill_cb(skb, iph, th);
                        nsk = tcp_check_req(sk, skb, req, false);
+                }
                if (!nsk) {
                        reqsk_put(req);
                        goto discard_and_relse;
                }
                if (nsk == sk) {
                        reqsk_put(req);
+                        tcp_v4_restore_cb(skb);
                } else if (tcp_child_process(sk, nsk, skb)) {
                        tcp_v4_send_reset(nsk, skb);
                        goto discard_and_relse;
@@ -1712,6 +1727,7 @@ process:
                goto discard_and_relse;
        th = (const struct tcphdr *)skb->data;
        iph = ip_hdr(skb);
+        tcp_v4_fill_cb(skb, iph, th);
        skb->dev = NULL;
@@ -1742,6 +1758,8 @@ no_tcp_socket:
        if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
                goto discard_it;
+        tcp_v4_fill_cb(skb, iph, th);
        if (tcp_checksum_complete(skb)) {
 csum_error:
                __TCP_INC_STATS(net, TCP_MIB_CSUMERRORS);
@@ -1768,6 +1786,8 @@ do_time_wait:
                goto discard_it;
        }
+        tcp_v4_fill_cb(skb, iph, th);
        if (tcp_checksum_complete(skb)) {
                inet_twsk_put(inet_twsk(sk));
                goto csum_error;
@@ -1784,6 +1804,7 @@ do_time_wait:
                if (sk2) {
                        inet_twsk_deschedule_put(inet_twsk(sk));
                        sk = sk2;
+                        tcp_v4_restore_cb(skb);
                        refcounted = false;
                        goto process;
                }
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index e36eff0403f4..b079b619b60c 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -310,10 +310,16 @@ void tcp_time_wait(struct sock *sk, int state, int timeo)
                if (state == TCP_TIME_WAIT)
                        timeo = TCP_TIMEWAIT_LEN;
+                /* tw_timer is pinned, so we need to make sure BH are disabled
+                 * in following section, otherwise timer handler could run before
+                 * we complete the initialization.
+                 */
+                local_bh_disable();
                inet_twsk_schedule(tw, timeo);
                /* Linkage updates. */
                __inet_twsk_hashdance(tw, sk, &tcp_hashinfo);
                inet_twsk_put(tw);
+                local_bh_enable();
        } else {
                /* Sorry, if we're out of memory, just CLOSE this
                 * socket up.  We've got bigger problems than
diff --git a/net/ipv4/tcp_rate.c b/net/ipv4/tcp_rate.c
index 3330a370d306..c61240e43923 100644
--- a/net/ipv4/tcp_rate.c
+++ b/net/ipv4/tcp_rate.c
@@ -106,7 +106,7 @@ void tcp_rate_skb_delivered(struct sock *sk, struct sk_buff *skb,
 /* Update the connection delivery information and generate a rate sample. */
 void tcp_rate_gen(struct sock *sk, u32 delivered, u32 lost,
-                  struct rate_sample *rs)
+                  bool is_sack_reneg, struct rate_sample *rs)
 {
        struct tcp_sock *tp = tcp_sk(sk);
        u32 snd_us, ack_us;
@@ -124,8 +124,12 @@ void tcp_rate_gen(struct sock *sk, u32 delivered, u32 lost,
        rs->acked_sacked = delivered;   /* freshly ACKed or SACKed */
        rs->losses = lost;              /* freshly marked lost */
-        /* Return an invalid sample if no timing information is available. */
+        /* Return an invalid sample if no timing information is available or
-        if (!rs->prior_mstamp) {
+         * in recovery from loss with SACK reneging. Rate samples taken during
+         * a SACK reneging event may overestimate bw by including packets that
+         * were SACKed before the reneg.
+         */
+        if (!rs->prior_mstamp || is_sack_reneg) {
                rs->delivered = -1;
                rs->interval_us = -1;
                return;
diff --git a/net/ipv4/tcp_recovery.c b/net/ipv4/tcp_recovery.c
index d3ea89020c69..3a81720ac0c4 100644
--- a/net/ipv4/tcp_recovery.c
+++ b/net/ipv4/tcp_recovery.c
@@ -55,7 +55,8 @@ static void tcp_rack_detect_loss(struct sock *sk, u32 *reo_timeout)
         * to queuing or delayed ACKs.
         */
        reo_wnd = 1000;
-        if ((tp->rack.reord || !tp->lost_out) && min_rtt != ~0U) {
+        if ((tp->rack.reord || inet_csk(sk)->icsk_ca_state < TCP_CA_Recovery) &&
+            min_rtt != ~0U) {
                reo_wnd = max((min_rtt >> 2) * tp->rack.reo_wnd_steps, reo_wnd);
                reo_wnd = min(reo_wnd, tp->srtt_us >> 3);
        }
@@ -79,12 +80,12 @@ static void tcp_rack_detect_loss(struct sock *sk, u32 *reo_timeout)
                 */
                remaining = tp->rack.rtt_us + reo_wnd -
                            tcp_stamp_us_delta(tp->tcp_mstamp, skb->skb_mstamp);
-                if (remaining < 0) {
+                if (remaining <= 0) {
                        tcp_rack_mark_skb_lost(sk, skb);
                        list_del_init(&skb->tcp_tsorted_anchor);
                } else {
-                        /* Record maximum wait time (+1 to avoid 0) */
+                        /* Record maximum wait time */
-                        *reo_timeout = max_t(u32, *reo_timeout, 1 + remaining);
+                        *reo_timeout = max_t(u32, *reo_timeout, remaining);
                }
        }
 }
@@ -116,13 +117,8 @@ void tcp_rack_advance(struct tcp_sock *tp, u8 sacked, u32 end_seq,
 {
        u32 rtt_us;
-        if (tp->rack.mstamp &&
-            !tcp_rack_sent_after(xmit_time, tp->rack.mstamp,
-                                 end_seq, tp->rack.end_seq))
-                return;
        rtt_us = tcp_stamp_us_delta(tp->tcp_mstamp, xmit_time);
-        if (sacked & TCPCB_RETRANS) {
+        if (rtt_us < tcp_min_rtt(tp) && (sacked & TCPCB_RETRANS)) {
                /* If the sacked packet was retransmitted, it's ambiguous
                 * whether the retransmission or the original (or the prior
                 * retransmission) was sacked.
@@ -133,13 +129,15 @@ void tcp_rack_advance(struct tcp_sock *tp, u8 sacked, u32 end_seq,
                 * so it's at least one RTT (i.e., retransmission is at least
                 * an RTT later).
                 */
-                if (rtt_us < tcp_min_rtt(tp))
+                return;
-                        return;
        }
-        tp->rack.rtt_us = rtt_us;
-        tp->rack.mstamp = xmit_time;
-        tp->rack.end_seq = end_seq;
        tp->rack.advanced = 1;
+        tp->rack.rtt_us = rtt_us;
+        if (tcp_rack_sent_after(xmit_time, tp->rack.mstamp,
+                                end_seq, tp->rack.end_seq)) {
+                tp->rack.mstamp = xmit_time;
+                tp->rack.end_seq = end_seq;
+        }
 }
 /* We have waited long enough to accommodate reordering. Mark the expired
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index 16df6dd44b98..968fda198376 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -264,6 +264,7 @@ void tcp_delack_timer_handler(struct sock *sk)
                        icsk->icsk_ack.pingpong = 0;
                        icsk->icsk_ack.ato      = TCP_ATO_MIN;
                }
+                tcp_mstamp_refresh(tcp_sk(sk));
                tcp_send_ack(sk);
                __NET_INC_STATS(sock_net(sk), LINUX_MIB_DELAYEDACKS);
        }
@@ -632,6 +633,7 @@ static void tcp_keepalive_timer (struct timer_list *t)
                goto out;
        }
+        tcp_mstamp_refresh(tp);
        if (sk->sk_state == TCP_FIN_WAIT2 && sock_flag(sk, SOCK_DEAD)) {
                if (tp->linger2 >= 0) {
                        const int tmo = tcp_fin_time(sk) - TCP_TIMEWAIT_LEN;
diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
index e50b7fea57ee..bcfc00e88756 100644
--- a/net/ipv4/xfrm4_input.c
+++ b/net/ipv4/xfrm4_input.c
@@ -23,6 +23,12 @@ int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb)
        return xfrm4_extract_header(skb);
 }
+static int xfrm4_rcv_encap_finish2(struct net *net, struct sock *sk,
+                                   struct sk_buff *skb)
+{
+        return dst_input(skb);
+}
 static inline int xfrm4_rcv_encap_finish(struct net *net, struct sock *sk,
                                         struct sk_buff *skb)
 {
@@ -33,7 +39,11 @@ static inline int xfrm4_rcv_encap_finish(struct net *net, struct sock *sk,
                                         iph->tos, skb->dev))
                        goto drop;
        }
-        return dst_input(skb);
+        if (xfrm_trans_queue(skb, xfrm4_rcv_encap_finish2))
+                goto drop;
+        return 0;
 drop:
        kfree_skb(skb);
        return NET_RX_DROP;
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index c26f71234b9c..c9441ca45399 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -210,7 +210,6 @@ lookup_protocol:
        np->mcast_hops  = IPV6_DEFAULT_MCASTHOPS;
        np->mc_loop     = 1;
        np->pmtudisc    = IPV6_PMTUDISC_WANT;
-        np->autoflowlabel = ip6_default_np_autolabel(net);
        np->repflow     = net->ipv6.sysctl.flowlabel_reflect;
        sk->sk_ipv6only = net->ipv6.sysctl.bindv6only;
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 4cfd8e0696fe..772695960890 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1014,6 +1014,36 @@ static void ip6gre_tunnel_setup(struct net_device *dev)
        eth_random_addr(dev->perm_addr);
 }
+#define GRE6_FEATURES (NETIF_F_SG |             \
+                       NETIF_F_FRAGLIST |       \
+                       NETIF_F_HIGHDMA |        \
+                       NETIF_F_HW_CSUM)
+static void ip6gre_tnl_init_features(struct net_device *dev)
+{
+        struct ip6_tnl *nt = netdev_priv(dev);
+        dev->features           |= GRE6_FEATURES;
+        dev->hw_features        |= GRE6_FEATURES;
+        if (!(nt->parms.o_flags & TUNNEL_SEQ)) {
+                /* TCP offload with GRE SEQ is not supported, nor
+                 * can we support 2 levels of outer headers requiring
+                 * an update.
+                 */
+                if (!(nt->parms.o_flags & TUNNEL_CSUM) ||
+                    nt->encap.type == TUNNEL_ENCAP_NONE) {
+                        dev->features    |= NETIF_F_GSO_SOFTWARE;
+                        dev->hw_features |= NETIF_F_GSO_SOFTWARE;
+                }
+                /* Can use a lockless transmit, unless we generate
+                 * output sequences
+                 */
+                dev->features |= NETIF_F_LLTX;
+        }
+}
 static int ip6gre_tunnel_init_common(struct net_device *dev)
 {
        struct ip6_tnl *tunnel;
@@ -1048,6 +1078,8 @@ static int ip6gre_tunnel_init_common(struct net_device *dev)
        if (!(tunnel->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT))
                dev->mtu -= 8;
+        ip6gre_tnl_init_features(dev);
        return 0;
 }
@@ -1298,16 +1330,12 @@ static const struct net_device_ops ip6gre_tap_netdev_ops = {
        .ndo_get_iflink = ip6_tnl_get_iflink,
 };
-#define GRE6_FEATURES (NETIF_F_SG |             \
-                       NETIF_F_FRAGLIST |       \
-                       NETIF_F_HIGHDMA |                \
-                       NETIF_F_HW_CSUM)
 static void ip6gre_tap_setup(struct net_device *dev)
 {
        ether_setup(dev);
+        dev->max_mtu = 0;
        dev->netdev_ops = &ip6gre_tap_netdev_ops;
        dev->needs_free_netdev = true;
        dev->priv_destructor = ip6gre_dev_free;
@@ -1382,26 +1410,6 @@ static int ip6gre_newlink(struct net *src_net, struct net_device *dev,
        nt->net = dev_net(dev);
        ip6gre_tnl_link_config(nt, !tb[IFLA_MTU]);
-        dev->features           |= GRE6_FEATURES;
-        dev->hw_features        |= GRE6_FEATURES;
-        if (!(nt->parms.o_flags & TUNNEL_SEQ)) {
-                /* TCP offload with GRE SEQ is not supported, nor
-                 * can we support 2 levels of outer headers requiring
-                 * an update.
-                 */
-                if (!(nt->parms.o_flags & TUNNEL_CSUM) ||
-                    (nt->encap.type == TUNNEL_ENCAP_NONE)) {
-                        dev->features    |= NETIF_F_GSO_SOFTWARE;
-                        dev->hw_features |= NETIF_F_GSO_SOFTWARE;
-                }
-                /* Can use a lockless transmit, unless we generate
-                 * output sequences
-                 */
-                dev->features |= NETIF_F_LLTX;
-        }
        err = register_netdevice(dev);
        if (err)
                goto out;
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 5110a418cc4d..f7dd51c42314 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -166,6 +166,14 @@ int ip6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
                            !(IP6CB(skb)->flags & IP6SKB_REROUTED));
 }
+static bool ip6_autoflowlabel(struct net *net, const struct ipv6_pinfo *np)
+{
+        if (!np->autoflowlabel_set)
+                return ip6_default_np_autolabel(net);
+        else
+                return np->autoflowlabel;
+}
 /*
 * xmit an sk_buff (used by TCP, SCTP and DCCP)
 * Note : socket lock is not held for SYNACK packets, but might be modified
@@ -230,7 +238,7 @@ int ip6_xmit(const struct sock *sk, struct sk_buff *skb, struct flowi6 *fl6,
                hlimit = ip6_dst_hoplimit(dst);
        ip6_flow_hdr(hdr, tclass, ip6_make_flowlabel(net, skb, fl6->flowlabel,
-                                                     np->autoflowlabel, fl6));
+                                ip6_autoflowlabel(net, np), fl6));
        hdr->payload_len = htons(seg_len);
        hdr->nexthdr = proto;
@@ -1626,7 +1634,7 @@ struct sk_buff *__ip6_make_skb(struct sock *sk,
        ip6_flow_hdr(hdr, v6_cork->tclass,
                     ip6_make_flowlabel(net, skb, fl6->flowlabel,
-                                        np->autoflowlabel, fl6));
+                                        ip6_autoflowlabel(net, np), fl6));
        hdr->hop_limit = v6_cork->hop_limit;
        hdr->nexthdr = proto;
        hdr->saddr = fl6->saddr;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 3d3092adf1d2..931c38f6ff4a 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -904,7 +904,7 @@ static int ipxip6_rcv(struct sk_buff *skb, u8 ipproto,
                if (t->parms.collect_md) {
                        tun_dst = ipv6_tun_rx_dst(skb, 0, 0, 0);
                        if (!tun_dst)
-                                return 0;
+                                goto drop;
                }
                ret = __ip6_tnl_rcv(t, skb, tpi, tun_dst, dscp_ecn_decapsulate,
                                    log_ecn_error);
@@ -1123,8 +1123,13 @@ route_lookup:
                max_headroom += 8;
                mtu -= 8;
        }
-        if (mtu < IPV6_MIN_MTU)
+        if (skb->protocol == htons(ETH_P_IPV6)) {
-                mtu = IPV6_MIN_MTU;
+                if (mtu < IPV6_MIN_MTU)
+                        mtu = IPV6_MIN_MTU;
+        } else if (mtu < 576) {
+                mtu = 576;
+        }
        if (skb_dst(skb) && !t->parms.collect_md)
                skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu);
        if (skb->len - t->tun_hlen - eth_hlen > mtu && !skb_is_gso(skb)) {
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index b9404feabd78..2d4680e0376f 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -886,6 +886,7 @@ pref_skip_coa:
                break;
        case IPV6_AUTOFLOWLABEL:
                np->autoflowlabel = valbool;
+                np->autoflowlabel_set = 1;
                retv = 0;
                break;
        case IPV6_RECVFRAGSIZE:
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index fc6d7d143f2c..844642682b83 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -1682,16 +1682,16 @@ static int grec_size(struct ifmcaddr6 *pmc, int type, int gdel, int sdel)
 }
 static struct sk_buff *add_grhead(struct sk_buff *skb, struct ifmcaddr6 *pmc,
-        int type, struct mld2_grec **ppgr)
+        int type, struct mld2_grec **ppgr, unsigned int mtu)
 {
-        struct net_device *dev = pmc->idev->dev;
        struct mld2_report *pmr;
        struct mld2_grec *pgr;
-        if (!skb)
+        if (!skb) {
-                skb = mld_newpack(pmc->idev, dev->mtu);
+                skb = mld_newpack(pmc->idev, mtu);
-        if (!skb)
+                if (!skb)
-                return NULL;
+                        return NULL;
+        }
        pgr = skb_put(skb, sizeof(struct mld2_grec));
        pgr->grec_type = type;
        pgr->grec_auxwords = 0;
@@ -1714,10 +1714,15 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
        struct mld2_grec *pgr = NULL;
        struct ip6_sf_list *psf, *psf_next, *psf_prev, **psf_list;
        int scount, stotal, first, isquery, truncate;
+        unsigned int mtu;
        if (pmc->mca_flags & MAF_NOREPORT)
                return skb;
+        mtu = READ_ONCE(dev->mtu);
+        if (mtu < IPV6_MIN_MTU)
+                return skb;
        isquery = type == MLD2_MODE_IS_INCLUDE ||
                  type == MLD2_MODE_IS_EXCLUDE;
        truncate = type == MLD2_MODE_IS_EXCLUDE ||
@@ -1738,7 +1743,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
                    AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) {
                        if (skb)
                                mld_sendpack(skb);
-                        skb = mld_newpack(idev, dev->mtu);
+                        skb = mld_newpack(idev, mtu);
                }
        }
        first = 1;
@@ -1774,12 +1779,12 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc,
                                pgr->grec_nsrcs = htons(scount);
                        if (skb)
                                mld_sendpack(skb);
-                        skb = mld_newpack(idev, dev->mtu);
+                        skb = mld_newpack(idev, mtu);
                        first = 1;
                        scount = 0;
                }
                if (first) {
-                        skb = add_grhead(skb, pmc, type, &pgr);
+                        skb = add_grhead(skb, pmc, type, &pgr, mtu);
                        first = 0;
                }
                if (!skb)
@@ -1814,7 +1819,7 @@ empty_source:
                                mld_sendpack(skb);
                                skb = NULL; /* add_grhead will get a new one */
                        }
-                        skb = add_grhead(skb, pmc, type, &pgr);
+                        skb = add_grhead(skb, pmc, type, &pgr, mtu);
                }
        }
        if (pgr)
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index f06e25065a34..1d7ae9366335 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -458,7 +458,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
                                        if (!xt_find_jump_offset(offsets, newpos,
                                                                 newinfo->number))
                                                return 0;
-                                        e = entry0 + newpos;
                                } else {
                                        /* ... this is a fallthru */
                                        newpos = pos + e->next_offset;
diff --git a/net/ipv6/netfilter/ip6t_MASQUERADE.c b/net/ipv6/netfilter/ip6t_MASQUERADE.c
index 2b1a15846f9a..92c0047e7e33 100644
--- a/net/ipv6/netfilter/ip6t_MASQUERADE.c
+++ b/net/ipv6/netfilter/ip6t_MASQUERADE.c
@@ -33,13 +33,19 @@ static int masquerade_tg6_checkentry(const struct xt_tgchk_param *par)
        if (range->flags & NF_NAT_RANGE_MAP_IPS)
                return -EINVAL;
-        return 0;
+        return nf_ct_netns_get(par->net, par->family);
+}
+static void masquerade_tg6_destroy(const struct xt_tgdtor_param *par)
+{
+        nf_ct_netns_put(par->net, par->family);
 }
 static struct xt_target masquerade_tg6_reg __read_mostly = {
        .name           = "MASQUERADE",
        .family         = NFPROTO_IPV6,
        .checkentry     = masquerade_tg6_checkentry,
+        .destroy        = masquerade_tg6_destroy,
        .target         = masquerade_tg6,
        .targetsize     = sizeof(struct nf_nat_range),
        .table          = "nat",
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 7a8d1500d374..0458b761f3c5 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2336,6 +2336,7 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
        }
        rt->dst.flags |= DST_HOST;
+        rt->dst.input = ip6_input;
        rt->dst.output  = ip6_output;
        rt->rt6i_gateway  = fl6->daddr;
        rt->rt6i_dst.addr = fl6->daddr;
@@ -4297,19 +4298,13 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
                if (!ipv6_addr_any(&fl6.saddr))
                        flags |= RT6_LOOKUP_F_HAS_SADDR;
-                if (!fibmatch)
+                dst = ip6_route_input_lookup(net, dev, &fl6, flags);
-                        dst = ip6_route_input_lookup(net, dev, &fl6, flags);
-                else
-                        dst = ip6_route_lookup(net, &fl6, 0);
                rcu_read_unlock();
        } else {
                fl6.flowi6_oif = oif;
-                if (!fibmatch)
+                dst = ip6_route_output(net, NULL, &fl6);
-                        dst = ip6_route_output(net, NULL, &fl6);
-                else
-                        dst = ip6_route_lookup(net, &fl6, 0);
        }
@@ -4326,6 +4321,15 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
                goto errout;
        }
+        if (fibmatch && rt->dst.from) {
+                struct rt6_info *ort = container_of(rt->dst.from,
+                                                    struct rt6_info, dst);
+                dst_hold(&ort->dst);
+                ip6_rt_put(rt);
+                rt = ort;
+        }
        skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
        if (!skb) {
                ip6_rt_put(rt);
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index d60ddcb0bfe2..d7dc23c1b2ca 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1098,6 +1098,7 @@ static void ipip6_tunnel_update(struct ip_tunnel *t, struct ip_tunnel_parm *p,
        ipip6_tunnel_link(sitn, t);
        t->parms.iph.ttl = p->iph.ttl;
        t->parms.iph.tos = p->iph.tos;
+        t->parms.iph.frag_off = p->iph.frag_off;
        if (t->parms.link != p->link || t->fwmark != fwmark) {
                t->parms.link = p->link;
                t->fwmark = fwmark;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 6bb98c93edfe..7178476b3d2f 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -994,7 +994,7 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
                        req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale,
                        tcp_time_stamp_raw() + tcp_rsk(req)->ts_off,
                        req->ts_recent, sk->sk_bound_dev_if,
-                        tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr),
+                        tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr),
                        0, 0);
 }
@@ -1454,7 +1454,6 @@ process:
                struct sock *nsk;
                sk = req->rsk_listener;
-                tcp_v6_fill_cb(skb, hdr, th);
                if (tcp_v6_inbound_md5_hash(sk, skb)) {
                        sk_drops_add(sk, skb);
                        reqsk_put(req);
@@ -1467,8 +1466,12 @@ process:
                sock_hold(sk);
                refcounted = true;
                nsk = NULL;
-                if (!tcp_filter(sk, skb))
+                if (!tcp_filter(sk, skb)) {
+                        th = (const struct tcphdr *)skb->data;
+                        hdr = ipv6_hdr(skb);
+                        tcp_v6_fill_cb(skb, hdr, th);
                        nsk = tcp_check_req(sk, skb, req, false);
+                }
                if (!nsk) {
                        reqsk_put(req);
                        goto discard_and_relse;
@@ -1492,8 +1495,6 @@ process:
        if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
                goto discard_and_relse;
-        tcp_v6_fill_cb(skb, hdr, th);
        if (tcp_v6_inbound_md5_hash(sk, skb))
                goto discard_and_relse;
@@ -1501,6 +1502,7 @@ process:
                goto discard_and_relse;
        th = (const struct tcphdr *)skb->data;
        hdr = ipv6_hdr(skb);
+        tcp_v6_fill_cb(skb, hdr, th);
        skb->dev = NULL;
@@ -1590,7 +1592,6 @@ do_time_wait:
                tcp_v6_timewait_ack(sk, skb);
                break;
        case TCP_TW_RST:
-                tcp_v6_restore_cb(skb);
                tcp_v6_send_reset(sk, skb);
                inet_twsk_deschedule_put(inet_twsk(sk));
                goto discard_it;
diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index fe04e23af986..841f4a07438e 100644
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -32,6 +32,14 @@ int xfrm6_rcv_spi(struct sk_buff *skb, int nexthdr, __be32 spi,
 }
 EXPORT_SYMBOL(xfrm6_rcv_spi);
+static int xfrm6_transport_finish2(struct net *net, struct sock *sk,
+                                   struct sk_buff *skb)
+{
+        if (xfrm_trans_queue(skb, ip6_rcv_finish))
+                __kfree_skb(skb);
+        return -1;
+}
 int xfrm6_transport_finish(struct sk_buff *skb, int async)
 {
        struct xfrm_offload *xo = xfrm_offload(skb);
@@ -56,7 +64,7 @@ int xfrm6_transport_finish(struct sk_buff *skb, int async)
        NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING,
                dev_net(skb->dev), NULL, skb, skb->dev, NULL,
-                ip6_rcv_finish);
+                xfrm6_transport_finish2);
        return -1;
 }
diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index 0b750a22c4b9..d4e98f20fc2a 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -1625,60 +1625,30 @@ static struct proto kcm_proto = {
 };
 /* Clone a kcm socket. */
-static int kcm_clone(struct socket *osock, struct kcm_clone *info,
+static struct file *kcm_clone(struct socket *osock)
-                     struct socket **newsockp)
 {
        struct socket *newsock;
        struct sock *newsk;
-        struct file *newfile;
-        int err, newfd;
-        err = -ENFILE;
        newsock = sock_alloc();
        if (!newsock)
-                goto out;
+                return ERR_PTR(-ENFILE);
        newsock->type = osock->type;
        newsock->ops = osock->ops;
        __module_get(newsock->ops->owner);
-        newfd = get_unused_fd_flags(0);
-        if (unlikely(newfd < 0)) {
-                err = newfd;
-                goto out_fd_fail;
-        }
-        newfile = sock_alloc_file(newsock, 0, osock->sk->sk_prot_creator->name);
-        if (IS_ERR(newfile)) {
-                err = PTR_ERR(newfile);
-                goto out_sock_alloc_fail;
-        }
        newsk = sk_alloc(sock_net(osock->sk), PF_KCM, GFP_KERNEL,
                         &kcm_proto, true);
        if (!newsk) {
-                err = -ENOMEM;
+                sock_release(newsock);
-                goto out_sk_alloc_fail;
+                return ERR_PTR(-ENOMEM);
        }
        sock_init_data(newsock, newsk);
        init_kcm_sock(kcm_sk(newsk), kcm_sk(osock->sk)->mux);
-        fd_install(newfd, newfile);
+        return sock_alloc_file(newsock, 0, osock->sk->sk_prot_creator->name);
-        *newsockp = newsock;
-        info->fd = newfd;
-        return 0;
-out_sk_alloc_fail:
-        fput(newfile);
-out_sock_alloc_fail:
-        put_unused_fd(newfd);
-out_fd_fail:
-        sock_release(newsock);
-out:
-        return err;
 }
 static int kcm_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
@@ -1708,17 +1678,25 @@ static int kcm_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
        }
        case SIOCKCMCLONE: {
                struct kcm_clone info;
-                struct socket *newsock = NULL;
+                struct file *file;
-                err = kcm_clone(sock, &info, &newsock);
+                info.fd = get_unused_fd_flags(0);
-                if (!err) {
+                if (unlikely(info.fd < 0))
-                        if (copy_to_user((void __user *)arg, &info,
+                        return info.fd;
-                                         sizeof(info))) {
-                                err = -EFAULT;
-                                sys_close(info.fd);
-                        }
-                }
+                file = kcm_clone(sock);
+                if (IS_ERR(file)) {
+                        put_unused_fd(info.fd);
+                        return PTR_ERR(file);
+                }
+                if (copy_to_user((void __user *)arg, &info,
+                                 sizeof(info))) {
+                        put_unused_fd(info.fd);
+                        fput(file);
+                        return -EFAULT;
+                }
+                fd_install(info.fd, file);
+                err = 0;
                break;
        }
        default:
diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
index 167f83b853e6..1621b6ab17ba 100644
--- a/net/mac80211/ht.c
+++ b/net/mac80211/ht.c
@@ -291,16 +291,15 @@ void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
        int i;
        mutex_lock(&sta->ampdu_mlme.mtx);
-        for (i = 0; i <  IEEE80211_NUM_TIDS; i++) {
+        for (i = 0; i <  IEEE80211_NUM_TIDS; i++)
                ___ieee80211_stop_rx_ba_session(sta, i, WLAN_BACK_RECIPIENT,
                                                WLAN_REASON_QSTA_LEAVE_QBSS,
                                                reason != AGG_STOP_DESTROY_STA &&
                                                reason != AGG_STOP_PEER_REQUEST);
-        }
-        mutex_unlock(&sta->ampdu_mlme.mtx);
        for (i = 0; i <  IEEE80211_NUM_TIDS; i++)
                ___ieee80211_stop_tx_ba_session(sta, i, reason);
+        mutex_unlock(&sta->ampdu_mlme.mtx);
        /* stopping might queue the work again - so cancel only afterwards */
        cancel_work_sync(&sta->ampdu_mlme.work);
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index cf1bf2605c10..dc6347342e34 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -103,7 +103,6 @@ struct bitstr {
 #define INC_BIT(bs) if((++(bs)->bit)>7){(bs)->cur++;(bs)->bit=0;}
 #define INC_BITS(bs,b) if(((bs)->bit+=(b))>7){(bs)->cur+=(bs)->bit>>3;(bs)->bit&=7;}
 #define BYTE_ALIGN(bs) if((bs)->bit){(bs)->cur++;(bs)->bit=0;}
-#define CHECK_BOUND(bs,n) if((bs)->cur+(n)>(bs)->end)return(H323_ERROR_BOUND)
 static unsigned int get_len(struct bitstr *bs);
 static unsigned int get_bit(struct bitstr *bs);
 static unsigned int get_bits(struct bitstr *bs, unsigned int b);
@@ -165,6 +164,19 @@ static unsigned int get_len(struct bitstr *bs)
        return v;
 }
+static int nf_h323_error_boundary(struct bitstr *bs, size_t bytes, size_t bits)
+{
+        bits += bs->bit;
+        bytes += bits / BITS_PER_BYTE;
+        if (bits % BITS_PER_BYTE > 0)
+                bytes++;
+        if (*bs->cur + bytes > *bs->end)
+                return 1;
+        return 0;
+}
 /****************************************************************************/
 static unsigned int get_bit(struct bitstr *bs)
 {
@@ -279,8 +291,8 @@ static int decode_bool(struct bitstr *bs, const struct field_t *f,
        PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);
        INC_BIT(bs);
+        if (nf_h323_error_boundary(bs, 0, 0))
-        CHECK_BOUND(bs, 0);
+                return H323_ERROR_BOUND;
        return H323_ERROR_NONE;
 }
@@ -293,11 +305,14 @@ static int decode_oid(struct bitstr *bs, const struct field_t *f,
        PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);
        BYTE_ALIGN(bs);
-        CHECK_BOUND(bs, 1);
+        if (nf_h323_error_boundary(bs, 1, 0))
+                return H323_ERROR_BOUND;
        len = *bs->cur++;
        bs->cur += len;
+        if (nf_h323_error_boundary(bs, 0, 0))
+                return H323_ERROR_BOUND;
-        CHECK_BOUND(bs, 0);
        return H323_ERROR_NONE;
 }
@@ -319,6 +334,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f,
                bs->cur += 2;
                break;
        case CONS:              /* 64K < Range < 4G */
+                if (nf_h323_error_boundary(bs, 0, 2))
+                        return H323_ERROR_BOUND;
                len = get_bits(bs, 2) + 1;
                BYTE_ALIGN(bs);
                if (base && (f->attr & DECODE)) {       /* timeToLive */
@@ -330,7 +347,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f,
                break;
        case UNCO:
                BYTE_ALIGN(bs);
-                CHECK_BOUND(bs, 2);
+                if (nf_h323_error_boundary(bs, 2, 0))
+                        return H323_ERROR_BOUND;
                len = get_len(bs);
                bs->cur += len;
                break;
@@ -341,7 +359,8 @@ static int decode_int(struct bitstr *bs, const struct field_t *f,
        PRINT("\n");
-        CHECK_BOUND(bs, 0);
+        if (nf_h323_error_boundary(bs, 0, 0))
+                return H323_ERROR_BOUND;
        return H323_ERROR_NONE;
 }
@@ -357,7 +376,8 @@ static int decode_enum(struct bitstr *bs, const struct field_t *f,
                INC_BITS(bs, f->sz);
        }
-        CHECK_BOUND(bs, 0);
+        if (nf_h323_error_boundary(bs, 0, 0))
+                return H323_ERROR_BOUND;
        return H323_ERROR_NONE;
 }
@@ -375,12 +395,14 @@ static int decode_bitstr(struct bitstr *bs, const struct field_t *f,
                len = f->lb;
                break;
        case WORD:              /* 2-byte length */
-                CHECK_BOUND(bs, 2);
+                if (nf_h323_error_boundary(bs, 2, 0))
+                        return H323_ERROR_BOUND;
                len = (*bs->cur++) << 8;
                len += (*bs->cur++) + f->lb;
                break;
        case SEMI:
-                CHECK_BOUND(bs, 2);
+                if (nf_h323_error_boundary(bs, 2, 0))
+                        return H323_ERROR_BOUND;
                len = get_len(bs);
                break;
        default:
@@ -391,7 +413,8 @@ static int decode_bitstr(struct bitstr *bs, const struct field_t *f,
        bs->cur += len >> 3;
        bs->bit = len & 7;
-        CHECK_BOUND(bs, 0);
+        if (nf_h323_error_boundary(bs, 0, 0))
+                return H323_ERROR_BOUND;
        return H323_ERROR_NONE;
 }
@@ -404,12 +427,15 @@ static int decode_numstr(struct bitstr *bs, const struct field_t *f,
        PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);
        /* 2 <= Range <= 255 */
+        if (nf_h323_error_boundary(bs, 0, f->sz))
+                return H323_ERROR_BOUND;
        len = get_bits(bs, f->sz) + f->lb;
        BYTE_ALIGN(bs);
        INC_BITS(bs, (len << 2));
-        CHECK_BOUND(bs, 0);
+        if (nf_h323_error_boundary(bs, 0, 0))
+                return H323_ERROR_BOUND;
        return H323_ERROR_NONE;
 }
@@ -440,15 +466,19 @@ static int decode_octstr(struct bitstr *bs, const struct field_t *f,
                break;
        case BYTE:              /* Range == 256 */
                BYTE_ALIGN(bs);
-                CHECK_BOUND(bs, 1);
+                if (nf_h323_error_boundary(bs, 1, 0))
+                        return H323_ERROR_BOUND;
                len = (*bs->cur++) + f->lb;
                break;
        case SEMI:
                BYTE_ALIGN(bs);
-                CHECK_BOUND(bs, 2);
+                if (nf_h323_error_boundary(bs, 2, 0))
+                        return H323_ERROR_BOUND;
                len = get_len(bs) + f->lb;
                break;
        default:                /* 2 <= Range <= 255 */
+                if (nf_h323_error_boundary(bs, 0, f->sz))
+                        return H323_ERROR_BOUND;
                len = get_bits(bs, f->sz) + f->lb;
                BYTE_ALIGN(bs);
                break;
@@ -458,7 +488,8 @@ static int decode_octstr(struct bitstr *bs, const struct field_t *f,
        PRINT("\n");
-        CHECK_BOUND(bs, 0);
+        if (nf_h323_error_boundary(bs, 0, 0))
+                return H323_ERROR_BOUND;
        return H323_ERROR_NONE;
 }
@@ -473,10 +504,13 @@ static int decode_bmpstr(struct bitstr *bs, const struct field_t *f,
        switch (f->sz) {
        case BYTE:              /* Range == 256 */
                BYTE_ALIGN(bs);
-                CHECK_BOUND(bs, 1);
+                if (nf_h323_error_boundary(bs, 1, 0))
+                        return H323_ERROR_BOUND;
                len = (*bs->cur++) + f->lb;
                break;
        default:                /* 2 <= Range <= 255 */
+                if (nf_h323_error_boundary(bs, 0, f->sz))
+                        return H323_ERROR_BOUND;
                len = get_bits(bs, f->sz) + f->lb;
                BYTE_ALIGN(bs);
                break;
@@ -484,7 +518,8 @@ static int decode_bmpstr(struct bitstr *bs, const struct field_t *f,
        bs->cur += len << 1;
-        CHECK_BOUND(bs, 0);
+        if (nf_h323_error_boundary(bs, 0, 0))
+                return H323_ERROR_BOUND;
        return H323_ERROR_NONE;
 }
@@ -503,9 +538,13 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
        base = (base && (f->attr & DECODE)) ? base + f->offset : NULL;
        /* Extensible? */
+        if (nf_h323_error_boundary(bs, 0, 1))
+                return H323_ERROR_BOUND;
        ext = (f->attr & EXT) ? get_bit(bs) : 0;
        /* Get fields bitmap */
+        if (nf_h323_error_boundary(bs, 0, f->sz))
+                return H323_ERROR_BOUND;
        bmp = get_bitmap(bs, f->sz);
        if (base)
                *(unsigned int *)base = bmp;
@@ -525,9 +564,11 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
                /* Decode */
                if (son->attr & OPEN) { /* Open field */
-                        CHECK_BOUND(bs, 2);
+                        if (nf_h323_error_boundary(bs, 2, 0))
+                                return H323_ERROR_BOUND;
                        len = get_len(bs);
-                        CHECK_BOUND(bs, len);
+                        if (nf_h323_error_boundary(bs, len, 0))
+                                return H323_ERROR_BOUND;
                        if (!base || !(son->attr & DECODE)) {
                                PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
                                      " ", son->name);
@@ -555,8 +596,11 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
                return H323_ERROR_NONE;
        /* Get the extension bitmap */
+        if (nf_h323_error_boundary(bs, 0, 7))
+                return H323_ERROR_BOUND;
        bmp2_len = get_bits(bs, 7) + 1;
-        CHECK_BOUND(bs, (bmp2_len + 7) >> 3);
+        if (nf_h323_error_boundary(bs, 0, bmp2_len))
+                return H323_ERROR_BOUND;
        bmp2 = get_bitmap(bs, bmp2_len);
        bmp |= bmp2 >> f->sz;
        if (base)
@@ -567,9 +611,11 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
        for (opt = 0; opt < bmp2_len; opt++, i++, son++) {
                /* Check Range */
                if (i >= f->ub) {       /* Newer Version? */
-                        CHECK_BOUND(bs, 2);
+                        if (nf_h323_error_boundary(bs, 2, 0))
+                                return H323_ERROR_BOUND;
                        len = get_len(bs);
-                        CHECK_BOUND(bs, len);
+                        if (nf_h323_error_boundary(bs, len, 0))
+                                return H323_ERROR_BOUND;
                        bs->cur += len;
                        continue;
                }
@@ -583,9 +629,11 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
                if (!((0x80000000 >> opt) & bmp2))      /* Not present */
                        continue;
-                CHECK_BOUND(bs, 2);
+                if (nf_h323_error_boundary(bs, 2, 0))
+                        return H323_ERROR_BOUND;
                len = get_len(bs);
-                CHECK_BOUND(bs, len);
+                if (nf_h323_error_boundary(bs, len, 0))
+                        return H323_ERROR_BOUND;
                if (!base || !(son->attr & DECODE)) {
                        PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ",
                              son->name);
@@ -623,22 +671,27 @@ static int decode_seqof(struct bitstr *bs, const struct field_t *f,
        switch (f->sz) {
        case BYTE:
                BYTE_ALIGN(bs);
-                CHECK_BOUND(bs, 1);
+                if (nf_h323_error_boundary(bs, 1, 0))
+                        return H323_ERROR_BOUND;
                count = *bs->cur++;
                break;
        case WORD:
                BYTE_ALIGN(bs);
-                CHECK_BOUND(bs, 2);
+                if (nf_h323_error_boundary(bs, 2, 0))
+                        return H323_ERROR_BOUND;
                count = *bs->cur++;
                count <<= 8;
                count += *bs->cur++;
                break;
        case SEMI:
                BYTE_ALIGN(bs);
-                CHECK_BOUND(bs, 2);
+                if (nf_h323_error_boundary(bs, 2, 0))
+                        return H323_ERROR_BOUND;
                count = get_len(bs);
                break;
        default:
+                if (nf_h323_error_boundary(bs, 0, f->sz))
+                        return H323_ERROR_BOUND;
                count = get_bits(bs, f->sz);
                break;
        }
@@ -658,8 +711,11 @@ static int decode_seqof(struct bitstr *bs, const struct field_t *f,
        for (i = 0; i < count; i++) {
                if (son->attr & OPEN) {
                        BYTE_ALIGN(bs);
+                        if (nf_h323_error_boundary(bs, 2, 0))
+                                return H323_ERROR_BOUND;
                        len = get_len(bs);
-                        CHECK_BOUND(bs, len);
+                        if (nf_h323_error_boundary(bs, len, 0))
+                                return H323_ERROR_BOUND;
                        if (!base || !(son->attr & DECODE)) {
                                PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
                                      " ", son->name);
@@ -710,11 +766,17 @@ static int decode_choice(struct bitstr *bs, const struct field_t *f,
        base = (base && (f->attr & DECODE)) ? base + f->offset : NULL;
        /* Decode the choice index number */
+        if (nf_h323_error_boundary(bs, 0, 1))
+                return H323_ERROR_BOUND;
        if ((f->attr & EXT) && get_bit(bs)) {
                ext = 1;
+                if (nf_h323_error_boundary(bs, 0, 7))
+                        return H323_ERROR_BOUND;
                type = get_bits(bs, 7) + f->lb;
        } else {
                ext = 0;
+                if (nf_h323_error_boundary(bs, 0, f->sz))
+                        return H323_ERROR_BOUND;
                type = get_bits(bs, f->sz);
                if (type >= f->lb)
                        return H323_ERROR_RANGE;
@@ -727,8 +789,11 @@ static int decode_choice(struct bitstr *bs, const struct field_t *f,
        /* Check Range */
        if (type >= f->ub) {    /* Newer version? */
                BYTE_ALIGN(bs);
+                if (nf_h323_error_boundary(bs, 2, 0))
+                        return H323_ERROR_BOUND;
                len = get_len(bs);
-                CHECK_BOUND(bs, len);
+                if (nf_h323_error_boundary(bs, len, 0))
+                        return H323_ERROR_BOUND;
                bs->cur += len;
                return H323_ERROR_NONE;
        }
@@ -742,8 +807,11 @@ static int decode_choice(struct bitstr *bs, const struct field_t *f,
        if (ext || (son->attr & OPEN)) {
                BYTE_ALIGN(bs);
+                if (nf_h323_error_boundary(bs, len, 0))
+                        return H323_ERROR_BOUND;
                len = get_len(bs);
-                CHECK_BOUND(bs, len);
+                if (nf_h323_error_boundary(bs, len, 0))
+                        return H323_ERROR_BOUND;
                if (!base || !(son->attr & DECODE)) {
                        PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ",
                              son->name);
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 59c08997bfdf..382d49792f42 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -45,7 +45,6 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/nf_conntrack_timestamp.h>
 #include <net/netfilter/nf_conntrack_labels.h>
-#include <net/netfilter/nf_conntrack_seqadj.h>
 #include <net/netfilter/nf_conntrack_synproxy.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_core.h>
@@ -1566,9 +1565,11 @@ static int ctnetlink_change_helper(struct nf_conn *ct,
 static int ctnetlink_change_timeout(struct nf_conn *ct,
                                    const struct nlattr * const cda[])
 {
-        u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
+        u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
-        ct->timeout = nfct_time_stamp + timeout * HZ;
+        if (timeout > INT_MAX)
+                timeout = INT_MAX;
+        ct->timeout = nfct_time_stamp + (u32)timeout;
        if (test_bit(IPS_DYING_BIT, &ct->status))
                return -ETIME;
@@ -1768,6 +1769,7 @@ ctnetlink_create_conntrack(struct net *net,
        int err = -EINVAL;
        struct nf_conntrack_helper *helper;
        struct nf_conn_tstamp *tstamp;
+        u64 timeout;
        ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
        if (IS_ERR(ct))
@@ -1776,7 +1778,10 @@ ctnetlink_create_conntrack(struct net *net,
        if (!cda[CTA_TIMEOUT])
                goto err1;
-        ct->timeout = nfct_time_stamp + ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
+        timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
+        if (timeout > INT_MAX)
+                timeout = INT_MAX;
+        ct->timeout = (u32)timeout + nfct_time_stamp;
        rcu_read_lock();
        if (cda[CTA_HELP]) {
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index b12fc07111d0..37ef35b861f2 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1039,6 +1039,9 @@ static int tcp_packet(struct nf_conn *ct,
                 IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&
                 timeouts[new_state] > timeouts[TCP_CONNTRACK_UNACK])
                timeout = timeouts[TCP_CONNTRACK_UNACK];
+        else if (ct->proto.tcp.last_win == 0 &&
+                 timeouts[new_state] > timeouts[TCP_CONNTRACK_RETRANS])
+                timeout = timeouts[TCP_CONNTRACK_RETRANS];
        else
                timeout = timeouts[new_state];
        spin_unlock_bh(&ct->lock);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index d8327b43e4dc..10798b357481 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5847,6 +5847,12 @@ static int __net_init nf_tables_init_net(struct net *net)
        return 0;
 }
+static void __net_exit nf_tables_exit_net(struct net *net)
+{
+        WARN_ON_ONCE(!list_empty(&net->nft.af_info));
+        WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
+}
 int __nft_release_basechain(struct nft_ctx *ctx)
 {
        struct nft_rule *rule, *nr;
@@ -5917,6 +5923,7 @@ static void __nft_release_afinfo(struct net *net, struct nft_af_info *afi)
 static struct pernet_operations nf_tables_net_ops = {
        .init   = nf_tables_init_net,
+        .exit   = nf_tables_exit_net,
 };
 static int __init nf_tables_module_init(void)
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 41628b393673..d33ce6d5ebce 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -17,6 +17,7 @@
 #include <linux/types.h>
 #include <linux/list.h>
 #include <linux/errno.h>
+#include <linux/capability.h>
 #include <net/netlink.h>
 #include <net/sock.h>
@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
        struct nfnl_cthelper *nlcth;
        int ret = 0;
+        if (!capable(CAP_NET_ADMIN))
+                return -EPERM;
        if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
                return -EINVAL;
@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
        struct nfnl_cthelper *nlcth;
        bool tuple_set = false;
+        if (!capable(CAP_NET_ADMIN))
+                return -EPERM;
        if (nlh->nlmsg_flags & NLM_F_DUMP) {
                struct netlink_dump_control c = {
                        .dump = nfnl_cthelper_dump_table,
@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
        struct nfnl_cthelper *nlcth, *n;
        int j = 0, ret;
+        if (!capable(CAP_NET_ADMIN))
+                return -EPERM;
        if (tb[NFCTH_NAME])
                helper_name = nla_data(tb[NFCTH_NAME]);
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index e5afab86381c..e955bec0acc6 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -1093,10 +1093,15 @@ static int __net_init nfnl_log_net_init(struct net *net)
 static void __net_exit nfnl_log_net_exit(struct net *net)
 {
+        struct nfnl_log_net *log = nfnl_log_pernet(net);
+        unsigned int i;
 #ifdef CONFIG_PROC_FS
        remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter);
 #endif
        nf_log_unset(net, &nfulnl_logger);
+        for (i = 0; i < INSTANCE_BUCKETS; i++)
+                WARN_ON_ONCE(!hlist_empty(&log->instance_table[i]));
 }
 static struct pernet_operations nfnl_log_net_ops = {
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index a16356cacec3..c09b36755ed7 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -1512,10 +1512,15 @@ static int __net_init nfnl_queue_net_init(struct net *net)
 static void __net_exit nfnl_queue_net_exit(struct net *net)
 {
+        struct nfnl_queue_net *q = nfnl_queue_pernet(net);
+        unsigned int i;
        nf_unregister_queue_handler(net);
 #ifdef CONFIG_PROC_FS
        remove_proc_entry("nfnetlink_queue", net->nf.proc_netfilter);
 #endif
+        for (i = 0; i < INSTANCE_BUCKETS; i++)
+                WARN_ON_ONCE(!hlist_empty(&q->instance_table[i]));
 }
 static void nfnl_queue_net_exit_batch(struct list_head *net_exit_list)
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index a0a93d987a3b..47ec1046ad11 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -214,6 +214,8 @@ static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
        [NFTA_EXTHDR_OFFSET]            = { .type = NLA_U32 },
        [NFTA_EXTHDR_LEN]               = { .type = NLA_U32 },
        [NFTA_EXTHDR_FLAGS]             = { .type = NLA_U32 },
+        [NFTA_EXTHDR_OP]                = { .type = NLA_U32 },
+        [NFTA_EXTHDR_SREG]              = { .type = NLA_U32 },
 };
 static int nft_exthdr_init(const struct nft_ctx *ctx,
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index a77dd514297c..55802e97f906 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1729,8 +1729,17 @@ static int __net_init xt_net_init(struct net *net)
        return 0;
 }
+static void __net_exit xt_net_exit(struct net *net)
+{
+        int i;
+        for (i = 0; i < NFPROTO_NUMPROTO; i++)
+                WARN_ON_ONCE(!list_empty(&net->xt.tables[i]));
+}
 static struct pernet_operations xt_net_ops = {
        .init = xt_net_init,
+        .exit = xt_net_exit,
 };
 static int __init xt_init(void)
diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
index 041da0d9c06f..1f7fbd3c7e5a 100644
--- a/net/netfilter/xt_bpf.c
+++ b/net/netfilter/xt_bpf.c
@@ -27,6 +27,9 @@ static int __bpf_mt_check_bytecode(struct sock_filter *insns, __u16 len,
 {
        struct sock_fprog_kern program;
+        if (len > XT_BPF_MAX_NUM_INSTR)
+                return -EINVAL;
        program.len = len;
        program.filter = insns;
@@ -55,6 +58,9 @@ static int __bpf_mt_check_path(const char *path, struct bpf_prog **ret)
        mm_segment_t oldfs = get_fs();
        int retval, fd;
+        if (strnlen(path, XT_BPF_PATH_MAX) == XT_BPF_PATH_MAX)
+                return -EINVAL;
        set_fs(KERNEL_DS);
        fd = bpf_obj_get_user(path, 0);
        set_fs(oldfs);
diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
index 36e14b1f061d..a34f314a8c23 100644
--- a/net/netfilter/xt_osf.c
+++ b/net/netfilter/xt_osf.c
@@ -19,6 +19,7 @@
 #include <linux/module.h>
 #include <linux/kernel.h>
+#include <linux/capability.h>
 #include <linux/if.h>
 #include <linux/inetdevice.h>
 #include <linux/ip.h>
@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct net *net, struct sock *ctnl,
        struct xt_osf_finger *kf = NULL, *sf;
        int err = 0;
+        if (!capable(CAP_NET_ADMIN))
+                return -EPERM;
        if (!osf_attrs[OSF_ATTR_FINGER])
                return -EINVAL;
@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct net *net, struct sock *ctnl,
        struct xt_osf_finger *sf;
        int err = -ENOENT;
+        if (!capable(CAP_NET_ADMIN))
+                return -EPERM;
        if (!osf_attrs[OSF_ATTR_FINGER])
                return -EINVAL;
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index b9e0ee4e22f5..79cc1bf36e4a 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -253,6 +253,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
        struct sock *sk = skb->sk;
        int ret = -ENOMEM;
+        if (!net_eq(dev_net(dev), sock_net(sk)))
+                return 0;
        dev_hold(dev);
        if (is_vmalloc_addr(skb->head))
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index dbe2379329c5..f039064ce922 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -579,6 +579,7 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
                        return -EINVAL;
                skb_reset_network_header(skb);
+                key->eth.type = skb->protocol;
        } else {
                eth = eth_hdr(skb);
                ether_addr_copy(key->eth.src, eth->h_source);
@@ -592,15 +593,23 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
                if (unlikely(parse_vlan(skb, key)))
                        return -ENOMEM;
-                skb->protocol = parse_ethertype(skb);
+                key->eth.type = parse_ethertype(skb);
-                if (unlikely(skb->protocol == htons(0)))
+                if (unlikely(key->eth.type == htons(0)))
                        return -ENOMEM;
+                /* Multiple tagged packets need to retain TPID to satisfy
+                 * skb_vlan_pop(), which will later shift the ethertype into
+                 * skb->protocol.
+                 */
+                if (key->eth.cvlan.tci & htons(VLAN_TAG_PRESENT))
+                        skb->protocol = key->eth.cvlan.tpid;
+                else
+                        skb->protocol = key->eth.type;
                skb_reset_network_header(skb);
                __skb_push(skb, skb->data - skb_mac_header(skb));
        }
        skb_reset_mac_len(skb);
-        key->eth.type = skb->protocol;
        /* Network layer. */
        if (key->eth.type == htons(ETH_P_IP)) {
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index 8886f15abe90..bc2f1e0977d6 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -183,7 +183,7 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args,
        long i;
        int ret;
-        if (rs->rs_bound_addr == 0) {
+        if (rs->rs_bound_addr == 0 || !rs->rs_transport) {
                ret = -ENOTCONN; /* XXX not a great errno */
                goto out;
        }
diff --git a/net/rds/send.c b/net/rds/send.c
index b52cdc8ae428..f72466c63f0c 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -1009,6 +1009,9 @@ static int rds_rdma_bytes(struct msghdr *msg, size_t *rdma_bytes)
                        continue;
                if (cmsg->cmsg_type == RDS_CMSG_RDMA_ARGS) {
+                        if (cmsg->cmsg_len <
+                            CMSG_LEN(sizeof(struct rds_rdma_args)))
+                                return -EINVAL;
                        args = CMSG_DATA(cmsg);
                        *rdma_bytes += args->remote_vec.bytes;
                }
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index 8f7cf4c042be..dcd818fa837e 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -860,6 +860,7 @@ static void rxrpc_sock_destructor(struct sock *sk)
 static int rxrpc_release_sock(struct sock *sk)
 {
        struct rxrpc_sock *rx = rxrpc_sk(sk);
+        struct rxrpc_net *rxnet = rxrpc_net(sock_net(&rx->sk));
        _enter("%p{%d,%d}", sk, sk->sk_state, refcount_read(&sk->sk_refcnt));
@@ -895,8 +896,8 @@ static int rxrpc_release_sock(struct sock *sk)
        rxrpc_release_calls_on_socket(rx);
        flush_workqueue(rxrpc_workqueue);
        rxrpc_purge_queue(&sk->sk_receive_queue);
-        rxrpc_queue_work(&rx->local->rxnet->service_conn_reaper);
+        rxrpc_queue_work(&rxnet->service_conn_reaper);
-        rxrpc_queue_work(&rx->local->rxnet->client_conn_reaper);
+        rxrpc_queue_work(&rxnet->client_conn_reaper);
        rxrpc_put_local(rx->local);
        rx->local = NULL;
diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c
index bda952ffe6a6..ad2ab1103189 100644
--- a/net/rxrpc/call_event.c
+++ b/net/rxrpc/call_event.c
@@ -123,7 +123,7 @@ static void __rxrpc_propose_ACK(struct rxrpc_call *call, u8 ack_reason,
                else
                        ack_at = expiry;
-                ack_at = jiffies + expiry;
+                ack_at += now;
                if (time_before(ack_at, call->ack_at)) {
                        WRITE_ONCE(call->ack_at, ack_at);
                        rxrpc_reduce_call_timer(call, ack_at, now,
@@ -426,7 +426,7 @@ recheck_state:
        next = call->expect_rx_by;
 #define set(T) { t = READ_ONCE(T); if (time_before(t, next)) next = t; }
-        
        set(call->expect_req_by);
        set(call->expect_term_by);
        set(call->ack_at);
diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index 9e9a8db1bc9c..4ca11be6be3c 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -30,22 +30,18 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
        struct rxrpc_skb_priv *sp = skb ? rxrpc_skb(skb) : NULL;
        struct rxrpc_channel *chan;
        struct msghdr msg;
-        struct kvec iov;
+        struct kvec iov[3];
        struct {
                struct rxrpc_wire_header whdr;
                union {
-                        struct {
+                        __be32 abort_code;
-                                __be32 code;
+                        struct rxrpc_ackpacket ack;
-                        } abort;
-                        struct {
-                                struct rxrpc_ackpacket ack;
-                                u8 padding[3];
-                                struct rxrpc_ackinfo info;
-                        };
                };
        } __attribute__((packed)) pkt;
+        struct rxrpc_ackinfo ack_info;
        size_t len;
-        u32 serial, mtu, call_id;
+        int ioc;
+        u32 serial, mtu, call_id, padding;
        _enter("%d", conn->debug_id);
@@ -66,6 +62,13 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
        msg.msg_controllen = 0;
        msg.msg_flags   = 0;
+        iov[0].iov_base = &pkt;
+        iov[0].iov_len  = sizeof(pkt.whdr);
+        iov[1].iov_base = &padding;
+        iov[1].iov_len  = 3;
+        iov[2].iov_base = &ack_info;
+        iov[2].iov_len  = sizeof(ack_info);
        pkt.whdr.epoch          = htonl(conn->proto.epoch);
        pkt.whdr.cid            = htonl(conn->proto.cid);
        pkt.whdr.callNumber     = htonl(call_id);
@@ -80,8 +83,10 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
        len = sizeof(pkt.whdr);
        switch (chan->last_type) {
        case RXRPC_PACKET_TYPE_ABORT:
-                pkt.abort.code  = htonl(chan->last_abort);
+                pkt.abort_code  = htonl(chan->last_abort);
-                len += sizeof(pkt.abort);
+                iov[0].iov_len += sizeof(pkt.abort_code);
+                len += sizeof(pkt.abort_code);
+                ioc = 1;
                break;
        case RXRPC_PACKET_TYPE_ACK:
@@ -94,13 +99,19 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
                pkt.ack.serial          = htonl(skb ? sp->hdr.serial : 0);
                pkt.ack.reason          = skb ? RXRPC_ACK_DUPLICATE : RXRPC_ACK_IDLE;
                pkt.ack.nAcks           = 0;
-                pkt.info.rxMTU          = htonl(rxrpc_rx_mtu);
+                ack_info.rxMTU          = htonl(rxrpc_rx_mtu);
-                pkt.info.maxMTU         = htonl(mtu);
+                ack_info.maxMTU         = htonl(mtu);
-                pkt.info.rwind          = htonl(rxrpc_rx_window_size);
+                ack_info.rwind          = htonl(rxrpc_rx_window_size);
-                pkt.info.jumbo_max      = htonl(rxrpc_rx_jumbo_max);
+                ack_info.jumbo_max      = htonl(rxrpc_rx_jumbo_max);
                pkt.whdr.flags          |= RXRPC_SLOW_START_OK;
-                len += sizeof(pkt.ack) + sizeof(pkt.info);
+                padding                 = 0;
+                iov[0].iov_len += sizeof(pkt.ack);
+                len += sizeof(pkt.ack) + 3 + sizeof(ack_info);
+                ioc = 3;
                break;
+        default:
+                return;
        }
        /* Resync with __rxrpc_disconnect_call() and check that the last call
@@ -110,9 +121,6 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
        if (READ_ONCE(chan->last_call) != call_id)
                return;
-        iov.iov_base    = &pkt;
-        iov.iov_len     = len;
        serial = atomic_inc_return(&conn->serial);
        pkt.whdr.serial = htonl(serial);
@@ -127,7 +135,7 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
                break;
        }
-        kernel_sendmsg(conn->params.local->socket, &msg, &iov, 1, len);
+        kernel_sendmsg(conn->params.local->socket, &msg, iov, ioc, len);
        _leave("");
        return;
 }
diff --git a/net/rxrpc/conn_object.c b/net/rxrpc/conn_object.c
index 1aad04a32d5e..c628351eb900 100644
--- a/net/rxrpc/conn_object.c
+++ b/net/rxrpc/conn_object.c
@@ -424,7 +424,7 @@ void rxrpc_service_connection_reaper(struct work_struct *work)
        if (earliest != now + MAX_JIFFY_OFFSET) {
                _debug("reschedule reaper %ld", (long)earliest - (long)now);
                ASSERT(time_after(earliest, now));
-                rxrpc_set_service_reap_timer(rxnet, earliest);          
+                rxrpc_set_service_reap_timer(rxnet, earliest);
        }
        while (!list_empty(&graveyard)) {
diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
index 23a5e61d8f79..6fc61400337f 100644
--- a/net/rxrpc/input.c
+++ b/net/rxrpc/input.c
@@ -976,7 +976,7 @@ static void rxrpc_input_call_packet(struct rxrpc_call *call,
                rxrpc_reduce_call_timer(call, expect_rx_by, now,
                                        rxrpc_timer_set_for_normal);
        }
-        
        switch (sp->hdr.type) {
        case RXRPC_PACKET_TYPE_DATA:
                rxrpc_input_data(call, skb, skew);
@@ -1213,7 +1213,7 @@ void rxrpc_data_ready(struct sock *udp_sk)
                                goto reupgrade;
                        conn->service_id = sp->hdr.serviceId;
                }
-                
                if (sp->hdr.callNumber == 0) {
                        /* Connection-level packet */
                        _debug("CONN %p {%d}", conn, conn->debug_id);
diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index a1c53ac066a1..09f2a3e05221 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -233,7 +233,7 @@ static void rxrpc_queue_packet(struct rxrpc_sock *rx, struct rxrpc_call *call,
                if (resend_at < 1)
                        resend_at = 1;
-                resend_at = now + rxrpc_resend_timeout;
+                resend_at += now;
                WRITE_ONCE(call->resend_at, resend_at);
                rxrpc_reduce_call_timer(call, resend_at, now,
                                        rxrpc_timer_set_for_send);
diff --git a/net/sched/act_meta_mark.c b/net/sched/act_meta_mark.c
index 1e3f10e5da99..6445184b2759 100644
--- a/net/sched/act_meta_mark.c
+++ b/net/sched/act_meta_mark.c
@@ -22,7 +22,6 @@
 #include <net/pkt_sched.h>
 #include <uapi/linux/tc_act/tc_ife.h>
 #include <net/tc_act/tc_ife.h>
-#include <linux/rtnetlink.h>
 static int skbmark_encode(struct sk_buff *skb, void *skbdata,
                          struct tcf_meta_info *e)
diff --git a/net/sched/act_meta_skbtcindex.c b/net/sched/act_meta_skbtcindex.c
index 2ea1f26c9e96..7221437ca3a6 100644
--- a/net/sched/act_meta_skbtcindex.c
+++ b/net/sched/act_meta_skbtcindex.c
@@ -22,7 +22,6 @@
 #include <net/pkt_sched.h>
 #include <uapi/linux/tc_act/tc_ife.h>
 #include <net/tc_act/tc_ife.h>
-#include <linux/rtnetlink.h>
 static int skbtcindex_encode(struct sk_buff *skb, void *skbdata,
                             struct tcf_meta_info *e)
diff --git a/net/sched/act_sample.c b/net/sched/act_sample.c
index 8b5abcd2f32f..9438969290a6 100644
--- a/net/sched/act_sample.c
+++ b/net/sched/act_sample.c
@@ -96,23 +96,16 @@ static int tcf_sample_init(struct net *net, struct nlattr *nla,
        return ret;
 }
-static void tcf_sample_cleanup_rcu(struct rcu_head *rcu)
+static void tcf_sample_cleanup(struct tc_action *a, int bind)
 {
-        struct tcf_sample *s = container_of(rcu, struct tcf_sample, rcu);
+        struct tcf_sample *s = to_sample(a);
        struct psample_group *psample_group;
-        psample_group = rcu_dereference_protected(s->psample_group, 1);
+        psample_group = rtnl_dereference(s->psample_group);
        RCU_INIT_POINTER(s->psample_group, NULL);
        psample_group_put(psample_group);
 }
-static void tcf_sample_cleanup(struct tc_action *a, int bind)
-{
-        struct tcf_sample *s = to_sample(a);
-        call_rcu(&s->rcu, tcf_sample_cleanup_rcu);
-}
 static bool tcf_sample_dev_ok_push(struct net_device *dev)
 {
        switch (dev->type) {
@@ -264,7 +257,6 @@ static int __init sample_init_module(void)
 static void __exit sample_cleanup_module(void)
 {
-        rcu_barrier();
        tcf_unregister_action(&act_sample_ops, &sample_net_ops);
 }
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index ddcf04b4ab43..b9d63d2246e6 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -23,7 +23,6 @@
 #include <linux/skbuff.h>
 #include <linux/init.h>
 #include <linux/kmod.h>
-#include <linux/err.h>
 #include <linux/slab.h>
 #include <net/net_namespace.h>
 #include <net/sock.h>
@@ -352,6 +351,8 @@ void tcf_block_put_ext(struct tcf_block *block, struct Qdisc *q,
 {
        struct tcf_chain *chain;
+        if (!block)
+                return;
        /* Hold a refcnt for all chains, except 0, so that they don't disappear
         * while we are iterating.
         */
diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 6fe798c2df1a..8d78e7f4ecc3 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -42,7 +42,6 @@ struct cls_bpf_prog {
        struct list_head link;
        struct tcf_result res;
        bool exts_integrated;
-        bool offloaded;
        u32 gen_flags;
        struct tcf_exts exts;
        u32 handle;
@@ -148,33 +147,37 @@ static bool cls_bpf_is_ebpf(const struct cls_bpf_prog *prog)
 }
 static int cls_bpf_offload_cmd(struct tcf_proto *tp, struct cls_bpf_prog *prog,
-                               enum tc_clsbpf_command cmd)
+                               struct cls_bpf_prog *oldprog)
 {
-        bool addorrep = cmd == TC_CLSBPF_ADD || cmd == TC_CLSBPF_REPLACE;
        struct tcf_block *block = tp->chain->block;
-        bool skip_sw = tc_skip_sw(prog->gen_flags);
        struct tc_cls_bpf_offload cls_bpf = {};
+        struct cls_bpf_prog *obj;
+        bool skip_sw;
        int err;
+        skip_sw = prog && tc_skip_sw(prog->gen_flags);
+        obj = prog ?: oldprog;
        tc_cls_common_offload_init(&cls_bpf.common, tp);
-        cls_bpf.command = cmd;
+        cls_bpf.command = TC_CLSBPF_OFFLOAD;
-        cls_bpf.exts = &prog->exts;
+        cls_bpf.exts = &obj->exts;
-        cls_bpf.prog = prog->filter;
+        cls_bpf.prog = prog ? prog->filter : NULL;
-        cls_bpf.name = prog->bpf_name;
+        cls_bpf.oldprog = oldprog ? oldprog->filter : NULL;
-        cls_bpf.exts_integrated = prog->exts_integrated;
+        cls_bpf.name = obj->bpf_name;
-        cls_bpf.gen_flags = prog->gen_flags;
+        cls_bpf.exts_integrated = obj->exts_integrated;
+        cls_bpf.gen_flags = obj->gen_flags;
        err = tc_setup_cb_call(block, NULL, TC_SETUP_CLSBPF, &cls_bpf, skip_sw);
-        if (addorrep) {
+        if (prog) {
                if (err < 0) {
-                        cls_bpf_offload_cmd(tp, prog, TC_CLSBPF_DESTROY);
+                        cls_bpf_offload_cmd(tp, oldprog, prog);
                        return err;
                } else if (err > 0) {
                        prog->gen_flags |= TCA_CLS_FLAGS_IN_HW;
                }
        }
-        if (addorrep && skip_sw && !(prog->gen_flags & TCA_CLS_FLAGS_IN_HW))
+        if (prog && skip_sw && !(prog->gen_flags & TCA_CLS_FLAGS_IN_HW))
                return -EINVAL;
        return 0;
@@ -183,38 +186,17 @@ static int cls_bpf_offload_cmd(struct tcf_proto *tp, struct cls_bpf_prog *prog,
 static int cls_bpf_offload(struct tcf_proto *tp, struct cls_bpf_prog *prog,
                           struct cls_bpf_prog *oldprog)
 {
-        struct cls_bpf_prog *obj = prog;
+        if (prog && oldprog && prog->gen_flags != oldprog->gen_flags)
-        enum tc_clsbpf_command cmd;
+                return -EINVAL;
-        bool skip_sw;
-        int ret;
-        skip_sw = tc_skip_sw(prog->gen_flags) ||
-                (oldprog && tc_skip_sw(oldprog->gen_flags));
-        if (oldprog && oldprog->offloaded) {
-                if (!tc_skip_hw(prog->gen_flags)) {
-                        cmd = TC_CLSBPF_REPLACE;
-                } else if (!tc_skip_sw(prog->gen_flags)) {
-                        obj = oldprog;
-                        cmd = TC_CLSBPF_DESTROY;
-                } else {
-                        return -EINVAL;
-                }
-        } else {
-                if (tc_skip_hw(prog->gen_flags))
-                        return skip_sw ? -EINVAL : 0;
-                cmd = TC_CLSBPF_ADD;
-        }
-        ret = cls_bpf_offload_cmd(tp, obj, cmd);
-        if (ret)
-                return ret;
-        obj->offloaded = true;
+        if (prog && tc_skip_hw(prog->gen_flags))
-        if (oldprog)
+                prog = NULL;
-                oldprog->offloaded = false;
+        if (oldprog && tc_skip_hw(oldprog->gen_flags))
+                oldprog = NULL;
+        if (!prog && !oldprog)
+                return 0;
-        return 0;
+        return cls_bpf_offload_cmd(tp, prog, oldprog);
 }
 static void cls_bpf_stop_offload(struct tcf_proto *tp,
@@ -222,25 +204,26 @@ static void cls_bpf_stop_offload(struct tcf_proto *tp,
 {
        int err;
-        if (!prog->offloaded)
+        err = cls_bpf_offload_cmd(tp, NULL, prog);
-                return;
+        if (err)
-        err = cls_bpf_offload_cmd(tp, prog, TC_CLSBPF_DESTROY);
-        if (err) {
                pr_err("Stopping hardware offload failed: %d\n", err);
-                return;
-        }
-        prog->offloaded = false;
 }
 static void cls_bpf_offload_update_stats(struct tcf_proto *tp,
                                         struct cls_bpf_prog *prog)
 {
-        if (!prog->offloaded)
+        struct tcf_block *block = tp->chain->block;
-                return;
+        struct tc_cls_bpf_offload cls_bpf = {};
+        tc_cls_common_offload_init(&cls_bpf.common, tp);
+        cls_bpf.command = TC_CLSBPF_STATS;
+        cls_bpf.exts = &prog->exts;
+        cls_bpf.prog = prog->filter;
+        cls_bpf.name = prog->bpf_name;
+        cls_bpf.exts_integrated = prog->exts_integrated;
+        cls_bpf.gen_flags = prog->gen_flags;
-        cls_bpf_offload_cmd(tp, prog, TC_CLSBPF_STATS);
+        tc_setup_cb_call(block, NULL, TC_SETUP_CLSBPF, &cls_bpf, false);
 }
 static int cls_bpf_init(struct tcf_proto *tp)
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index ac152b4f4247..507859cdd1cb 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -45,7 +45,6 @@
 #include <net/netlink.h>
 #include <net/act_api.h>
 #include <net/pkt_cls.h>
-#include <linux/netdevice.h>
 #include <linux/idr.h>
 struct tc_u_knode {
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index b6c4f536876b..0f1eab99ff4e 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -795,6 +795,8 @@ static int tc_fill_qdisc(struct sk_buff *skb, struct Qdisc *q, u32 clid,
        tcm->tcm_info = refcount_read(&q->refcnt);
        if (nla_put_string(skb, TCA_KIND, q->ops->id))
                goto nla_put_failure;
+        if (nla_put_u8(skb, TCA_HW_OFFLOAD, !!(q->flags & TCQ_F_OFFLOADED)))
+                goto nla_put_failure;
        if (q->ops->dump && q->ops->dump(q, skb) < 0)
                goto nla_put_failure;
        qlen = q->q.qlen;
diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c
index b30a2c70bd48..531250fceb9e 100644
--- a/net/sched/sch_choke.c
+++ b/net/sched/sch_choke.c
@@ -369,6 +369,9 @@ static int choke_change(struct Qdisc *sch, struct nlattr *opt)
        ctl = nla_data(tb[TCA_CHOKE_PARMS]);
+        if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
+                return -EINVAL;
        if (ctl->limit > CHOKE_MAX_QUEUE)
                return -EINVAL;
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 3839cbbdc32b..661c7144b53a 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -26,6 +26,7 @@
 #include <linux/list.h>
 #include <linux/slab.h>
 #include <linux/if_vlan.h>
+#include <linux/if_macvlan.h>
 #include <net/sch_generic.h>
 #include <net/pkt_sched.h>
 #include <net/dst.h>
@@ -277,6 +278,8 @@ unsigned long dev_trans_start(struct net_device *dev)
        if (is_vlan_dev(dev))
                dev = vlan_dev_real_dev(dev);
+        else if (netif_is_macvlan(dev))
+                dev = macvlan_dev_real_dev(dev);
        res = netdev_get_tx_queue(dev, 0)->trans_start;
        for (i = 1; i < dev->num_tx_queues; i++) {
                val = netdev_get_tx_queue(dev, i)->trans_start;
@@ -1037,6 +1040,8 @@ void mini_qdisc_pair_swap(struct mini_Qdisc_pair *miniqp,
        if (!tp_head) {
                RCU_INIT_POINTER(*miniqp->p_miniq, NULL);
+                /* Wait for flying RCU callback before it is freed. */
+                rcu_barrier_bh();
                return;
        }
@@ -1052,7 +1057,7 @@ void mini_qdisc_pair_swap(struct mini_Qdisc_pair *miniqp,
        rcu_assign_pointer(*miniqp->p_miniq, miniq);
        if (miniq_old)
-                /* This is counterpart of the rcu barrier above. We need to
+                /* This is counterpart of the rcu barriers above. We need to
                 * block potential new user of miniq_old until all readers
                 * are not seeing it.
                 */
diff --git a/net/sched/sch_gred.c b/net/sched/sch_gred.c
index 17c7130454bd..bc30f9186ac6 100644
--- a/net/sched/sch_gred.c
+++ b/net/sched/sch_gred.c
@@ -356,6 +356,9 @@ static inline int gred_change_vq(struct Qdisc *sch, int dp,
        struct gred_sched *table = qdisc_priv(sch);
        struct gred_sched_data *q = table->tab[dp];
+        if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
+                return -EINVAL;
        if (!q) {
                table->tab[dp] = q = *prealloc;
                *prealloc = NULL;
diff --git a/net/sched/sch_ingress.c b/net/sched/sch_ingress.c
index 5ecc38f35d47..fc1286f499c1 100644
--- a/net/sched/sch_ingress.c
+++ b/net/sched/sch_ingress.c
@@ -68,6 +68,8 @@ static int ingress_init(struct Qdisc *sch, struct nlattr *opt)
        struct net_device *dev = qdisc_dev(sch);
        int err;
+        net_inc_ingress_queue();
        mini_qdisc_pair_init(&q->miniqp, sch, &dev->miniq_ingress);
        q->block_info.binder_type = TCF_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
@@ -78,7 +80,6 @@ static int ingress_init(struct Qdisc *sch, struct nlattr *opt)
        if (err)
                return err;
-        net_inc_ingress_queue();
        sch->flags |= TCQ_F_CPUSTATS;
        return 0;
@@ -172,6 +173,9 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt)
        struct net_device *dev = qdisc_dev(sch);
        int err;
+        net_inc_ingress_queue();
+        net_inc_egress_queue();
        mini_qdisc_pair_init(&q->miniqp_ingress, sch, &dev->miniq_ingress);
        q->ingress_block_info.binder_type = TCF_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
@@ -190,18 +194,11 @@ static int clsact_init(struct Qdisc *sch, struct nlattr *opt)
        err = tcf_block_get_ext(&q->egress_block, sch, &q->egress_block_info);
        if (err)
-                goto err_egress_block_get;
+                return err;
-        net_inc_ingress_queue();
-        net_inc_egress_queue();
        sch->flags |= TCQ_F_CPUSTATS;
        return 0;
-err_egress_block_get:
-        tcf_block_put_ext(q->ingress_block, sch, &q->ingress_block_info);
-        return err;
 }
 static void clsact_destroy(struct Qdisc *sch)
diff --git a/net/sched/sch_red.c b/net/sched/sch_red.c
index 7f8ea9e297c3..f0747eb87dc4 100644
--- a/net/sched/sch_red.c
+++ b/net/sched/sch_red.c
@@ -157,6 +157,7 @@ static int red_offload(struct Qdisc *sch, bool enable)
                .handle = sch->handle,
                .parent = sch->parent,
        };
+        int err;
        if (!tc_can_offload(dev) || !dev->netdev_ops->ndo_setup_tc)
                return -EOPNOTSUPP;
@@ -171,7 +172,14 @@ static int red_offload(struct Qdisc *sch, bool enable)
                opt.command = TC_RED_DESTROY;
        }
-        return dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_QDISC_RED, &opt);
+        err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_QDISC_RED, &opt);
+        if (!err && enable)
+                sch->flags |= TCQ_F_OFFLOADED;
+        else
+                sch->flags &= ~TCQ_F_OFFLOADED;
+        return err;
 }
 static void red_destroy(struct Qdisc *sch)
@@ -212,6 +220,8 @@ static int red_change(struct Qdisc *sch, struct nlattr *opt)
        max_P = tb[TCA_RED_MAX_P] ? nla_get_u32(tb[TCA_RED_MAX_P]) : 0;
        ctl = nla_data(tb[TCA_RED_PARMS]);
+        if (!red_check_params(ctl->qth_min, ctl->qth_max, ctl->Wlog))
+                return -EINVAL;
        if (ctl->limit > 0) {
                child = fifo_create_dflt(sch, &bfifo_qdisc_ops, ctl->limit);
@@ -272,7 +282,7 @@ static int red_init(struct Qdisc *sch, struct nlattr *opt)
        return red_change(sch, opt);
 }
-static int red_dump_offload(struct Qdisc *sch, struct tc_red_qopt *opt)
+static int red_dump_offload_stats(struct Qdisc *sch, struct tc_red_qopt *opt)
 {
        struct net_device *dev = qdisc_dev(sch);
        struct tc_red_qopt_offload hw_stats = {
@@ -284,21 +294,12 @@ static int red_dump_offload(struct Qdisc *sch, struct tc_red_qopt *opt)
                        .stats.qstats = &sch->qstats,
                },
        };
-        int err;
-        opt->flags &= ~TC_RED_OFFLOADED;
+        if (!(sch->flags & TCQ_F_OFFLOADED))
-        if (!tc_can_offload(dev) || !dev->netdev_ops->ndo_setup_tc)
-                return 0;
-        err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_QDISC_RED,
-                                            &hw_stats);
-        if (err == -EOPNOTSUPP)
                return 0;
-        if (!err)
+        return dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_QDISC_RED,
-                opt->flags |= TC_RED_OFFLOADED;
+                                             &hw_stats);
-        return err;
 }
 static int red_dump(struct Qdisc *sch, struct sk_buff *skb)
@@ -317,7 +318,7 @@ static int red_dump(struct Qdisc *sch, struct sk_buff *skb)
        int err;
        sch->qstats.backlog = q->qdisc->qstats.backlog;
-        err = red_dump_offload(sch, &opt);
+        err = red_dump_offload_stats(sch, &opt);
        if (err)
                goto nla_put_failure;
@@ -345,7 +346,7 @@ static int red_dump_stats(struct Qdisc *sch, struct gnet_dump *d)
                .marked = q->stats.prob_mark + q->stats.forced_mark,
        };
-        if (tc_can_offload(dev) &&  dev->netdev_ops->ndo_setup_tc) {
+        if (sch->flags & TCQ_F_OFFLOADED) {
                struct red_stats hw_stats = {0};
                struct tc_red_qopt_offload hw_stats_request = {
                        .command = TC_RED_XSTATS,
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index 09c1203c1711..930e5bd26d3d 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -639,6 +639,9 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt)
        if (ctl->divisor &&
            (!is_power_of_2(ctl->divisor) || ctl->divisor > 65536))
                return -EINVAL;
+        if (ctl_v1 && !red_check_params(ctl_v1->qth_min, ctl_v1->qth_max,
+                                        ctl_v1->Wlog))
+                return -EINVAL;
        if (ctl_v1 && ctl_v1->qth_min) {
                p = kmalloc(sizeof(*p), GFP_KERNEL);
                if (!p)
diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index 7b261afc47b9..7f8baa48e7c2 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -53,6 +53,7 @@ static void sctp_datamsg_init(struct sctp_datamsg *msg)
        msg->send_failed = 0;
        msg->send_error = 0;
        msg->can_delay = 1;
+        msg->abandoned = 0;
        msg->expires_at = 0;
        INIT_LIST_HEAD(&msg->chunks);
 }
@@ -304,6 +305,13 @@ int sctp_chunk_abandoned(struct sctp_chunk *chunk)
        if (!chunk->asoc->peer.prsctp_capable)
                return 0;
+        if (chunk->msg->abandoned)
+                return 1;
+        if (!chunk->has_tsn &&
+            !(chunk->chunk_hdr->flags & SCTP_DATA_FIRST_FRAG))
+                return 0;
        if (SCTP_PR_TTL_ENABLED(chunk->sinfo.sinfo_flags) &&
            time_after(jiffies, chunk->msg->expires_at)) {
                struct sctp_stream_out *streamout =
@@ -316,6 +324,7 @@ int sctp_chunk_abandoned(struct sctp_chunk *chunk)
                        chunk->asoc->abandoned_unsent[SCTP_PR_INDEX(TTL)]++;
                        streamout->ext->abandoned_unsent[SCTP_PR_INDEX(TTL)]++;
                }
+                chunk->msg->abandoned = 1;
                return 1;
        } else if (SCTP_PR_RTX_ENABLED(chunk->sinfo.sinfo_flags) &&
                   chunk->sent_count > chunk->sinfo.sinfo_timetolive) {
@@ -324,10 +333,12 @@ int sctp_chunk_abandoned(struct sctp_chunk *chunk)
                chunk->asoc->abandoned_sent[SCTP_PR_INDEX(RTX)]++;
                streamout->ext->abandoned_sent[SCTP_PR_INDEX(RTX)]++;
+                chunk->msg->abandoned = 1;
                return 1;
        } else if (!SCTP_PR_POLICY(chunk->sinfo.sinfo_flags) &&
                   chunk->msg->expires_at &&
                   time_after(jiffies, chunk->msg->expires_at)) {
+                chunk->msg->abandoned = 1;
                return 1;
        }
        /* PRIO policy is processed by sendmsg, not here */
diff --git a/net/sctp/debug.c b/net/sctp/debug.c
index 3f619fdcbf0a..291c97b07058 100644
--- a/net/sctp/debug.c
+++ b/net/sctp/debug.c
@@ -78,6 +78,9 @@ const char *sctp_cname(const union sctp_subtype cid)
        case SCTP_CID_AUTH:
                return "AUTH";
+        case SCTP_CID_RECONF:
+                return "RECONF";
        default:
                break;
        }
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 4db012aa25f7..7d67feeeffc1 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -364,10 +364,12 @@ static int sctp_prsctp_prune_sent(struct sctp_association *asoc,
        list_for_each_entry_safe(chk, temp, queue, transmitted_list) {
                struct sctp_stream_out *streamout;
-                if (!SCTP_PR_PRIO_ENABLED(chk->sinfo.sinfo_flags) ||
+                if (!chk->msg->abandoned &&
-                    chk->sinfo.sinfo_timetolive <= sinfo->sinfo_timetolive)
+                    (!SCTP_PR_PRIO_ENABLED(chk->sinfo.sinfo_flags) ||
+                     chk->sinfo.sinfo_timetolive <= sinfo->sinfo_timetolive))
                        continue;
+                chk->msg->abandoned = 1;
                list_del_init(&chk->transmitted_list);
                sctp_insert_list(&asoc->outqueue.abandoned,
                                 &chk->transmitted_list);
@@ -377,7 +379,8 @@ static int sctp_prsctp_prune_sent(struct sctp_association *asoc,
                asoc->abandoned_sent[SCTP_PR_INDEX(PRIO)]++;
                streamout->ext->abandoned_sent[SCTP_PR_INDEX(PRIO)]++;
-                if (!chk->tsn_gap_acked) {
+                if (queue != &asoc->outqueue.retransmit &&
+                    !chk->tsn_gap_acked) {
                        if (chk->transport)
                                chk->transport->flight_size -=
                                                sctp_data_size(chk);
@@ -403,10 +406,13 @@ static int sctp_prsctp_prune_unsent(struct sctp_association *asoc,
        q->sched->unsched_all(&asoc->stream);
        list_for_each_entry_safe(chk, temp, &q->out_chunk_list, list) {
-                if (!SCTP_PR_PRIO_ENABLED(chk->sinfo.sinfo_flags) ||
+                if (!chk->msg->abandoned &&
-                    chk->sinfo.sinfo_timetolive <= sinfo->sinfo_timetolive)
+                    (!(chk->chunk_hdr->flags & SCTP_DATA_FIRST_FRAG) ||
+                     !SCTP_PR_PRIO_ENABLED(chk->sinfo.sinfo_flags) ||
+                     chk->sinfo.sinfo_timetolive <= sinfo->sinfo_timetolive))
                        continue;
+                chk->msg->abandoned = 1;
                sctp_sched_dequeue_common(q, chk);
                asoc->sent_cnt_removable--;
                asoc->abandoned_unsent[SCTP_PR_INDEX(PRIO)]++;
@@ -1434,7 +1440,8 @@ static void sctp_check_transmitted(struct sctp_outq *q,
                        /* If this chunk has not been acked, stop
                         * considering it as 'outstanding'.
                         */
-                        if (!tchunk->tsn_gap_acked) {
+                        if (transmitted_queue != &q->retransmit &&
+                            !tchunk->tsn_gap_acked) {
                                if (tchunk->transport)
                                        tchunk->transport->flight_size -=
                                                        sctp_data_size(tchunk);
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 014847e25648..b4fb6e4886d2 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3891,13 +3891,17 @@ static int sctp_setsockopt_reset_streams(struct sock *sk,
        struct sctp_association *asoc;
        int retval = -EINVAL;
-        if (optlen < sizeof(struct sctp_reset_streams))
+        if (optlen < sizeof(*params))
                return -EINVAL;
        params = memdup_user(optval, optlen);
        if (IS_ERR(params))
                return PTR_ERR(params);
+        if (params->srs_number_streams * sizeof(__u16) >
+            optlen - sizeof(*params))
+                goto out;
        asoc = sctp_id2assoc(sk, params->srs_assoc_id);
        if (!asoc)
                goto out;
@@ -4494,7 +4498,7 @@ static int sctp_init_sock(struct sock *sk)
        SCTP_DBG_OBJCNT_INC(sock);
        local_bh_disable();
-        percpu_counter_inc(&sctp_sockets_allocated);
+        sk_sockets_allocated_inc(sk);
        sock_prot_inuse_add(net, sk->sk_prot, 1);
        /* Nothing can fail after this block, otherwise
@@ -4538,7 +4542,7 @@ static void sctp_destroy_sock(struct sock *sk)
        }
        sctp_endpoint_free(sp->ep);
        local_bh_disable();
-        percpu_counter_dec(&sctp_sockets_allocated);
+        sk_sockets_allocated_dec(sk);
        sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
        local_bh_enable();
 }
@@ -5080,7 +5084,6 @@ static int sctp_getsockopt_peeloff_common(struct sock *sk, sctp_peeloff_arg_t *p
        *newfile = sock_alloc_file(newsock, 0, NULL);
        if (IS_ERR(*newfile)) {
                put_unused_fd(retval);
-                sock_release(newsock);
                retval = PTR_ERR(*newfile);
                *newfile = NULL;
                return retval;
diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
index a71be33f3afe..e36ec5dd64c6 100644
--- a/net/sctp/ulpqueue.c
+++ b/net/sctp/ulpqueue.c
@@ -1084,29 +1084,21 @@ void sctp_ulpq_partial_delivery(struct sctp_ulpq *ulpq,
 void sctp_ulpq_renege(struct sctp_ulpq *ulpq, struct sctp_chunk *chunk,
                      gfp_t gfp)
 {
-        struct sctp_association *asoc;
+        struct sctp_association *asoc = ulpq->asoc;
-        __u16 needed, freed;
+        __u32 freed = 0;
+        __u16 needed;
-        asoc = ulpq->asoc;
-        if (chunk) {
+        needed = ntohs(chunk->chunk_hdr->length) -
-                needed = ntohs(chunk->chunk_hdr->length);
+                 sizeof(struct sctp_data_chunk);
-                needed -= sizeof(struct sctp_data_chunk);
-        } else
-                needed = SCTP_DEFAULT_MAXWINDOW;
-        freed = 0;
        if (skb_queue_empty(&asoc->base.sk->sk_receive_queue)) {
                freed = sctp_ulpq_renege_order(ulpq, needed);
-                if (freed < needed) {
+                if (freed < needed)
                        freed += sctp_ulpq_renege_frags(ulpq, needed - freed);
-                }
        }
        /* If able to free enough room, accept this chunk. */
-        if (chunk && (freed >= needed)) {
+        if (freed >= needed) {
-                int retval;
+                int retval = sctp_ulpq_tail_data(ulpq, chunk, gfp);
-                retval = sctp_ulpq_tail_data(ulpq, chunk, gfp);
                /*
                 * Enter partial delivery if chunk has not been
                 * delivered; otherwise, drain the reassembly queue.
diff --git a/net/socket.c b/net/socket.c
index 42d8e9c9ccd5..05f361faec45 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -406,8 +406,10 @@ struct file *sock_alloc_file(struct socket *sock, int flags, const char *dname)
                name.len = strlen(name.name);
        }
        path.dentry = d_alloc_pseudo(sock_mnt->mnt_sb, &name);
-        if (unlikely(!path.dentry))
+        if (unlikely(!path.dentry)) {
+                sock_release(sock);
                return ERR_PTR(-ENOMEM);
+        }
        path.mnt = mntget(sock_mnt);
        d_instantiate(path.dentry, SOCK_INODE(sock));
@@ -415,9 +417,11 @@ struct file *sock_alloc_file(struct socket *sock, int flags, const char *dname)
        file = alloc_file(&path, FMODE_READ | FMODE_WRITE,
                  &socket_file_ops);
        if (IS_ERR(file)) {
-                /* drop dentry, keep inode */
+                /* drop dentry, keep inode for a bit */
                ihold(d_inode(path.dentry));
                path_put(&path);
+                /* ... and now kill it properly */
+                sock_release(sock);
                return file;
        }
@@ -1330,19 +1334,9 @@ SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol)
        retval = sock_create(family, type, protocol, &sock);
        if (retval < 0)
-                goto out;
+                return retval;
-        retval = sock_map_fd(sock, flags & (O_CLOEXEC | O_NONBLOCK));
-        if (retval < 0)
-                goto out_release;
-out:
-        /* It may be already another descriptor 8) Not kernel problem. */
-        return retval;
-out_release:
+        return sock_map_fd(sock, flags & (O_CLOEXEC | O_NONBLOCK));
-        sock_release(sock);
-        return retval;
 }
 /*
@@ -1366,87 +1360,72 @@ SYSCALL_DEFINE4(socketpair, int, family, int, type, int, protocol,
                flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
        /*
+         * reserve descriptors and make sure we won't fail
+         * to return them to userland.
+         */
+        fd1 = get_unused_fd_flags(flags);
+        if (unlikely(fd1 < 0))
+                return fd1;
+        fd2 = get_unused_fd_flags(flags);
+        if (unlikely(fd2 < 0)) {
+                put_unused_fd(fd1);
+                return fd2;
+        }
+        err = put_user(fd1, &usockvec[0]);
+        if (err)
+                goto out;
+        err = put_user(fd2, &usockvec[1]);
+        if (err)
+                goto out;
+        /*
         * Obtain the first socket and check if the underlying protocol
         * supports the socketpair call.
         */
        err = sock_create(family, type, protocol, &sock1);
-        if (err < 0)
+        if (unlikely(err < 0))
                goto out;
        err = sock_create(family, type, protocol, &sock2);
-        if (err < 0)
+        if (unlikely(err < 0)) {
-                goto out_release_1;
+                sock_release(sock1);
+                goto out;
-        err = sock1->ops->socketpair(sock1, sock2);
-        if (err < 0)
-                goto out_release_both;
-        fd1 = get_unused_fd_flags(flags);
-        if (unlikely(fd1 < 0)) {
-                err = fd1;
-                goto out_release_both;
        }
-        fd2 = get_unused_fd_flags(flags);
+        err = sock1->ops->socketpair(sock1, sock2);
-        if (unlikely(fd2 < 0)) {
+        if (unlikely(err < 0)) {
-                err = fd2;
+                sock_release(sock2);
-                goto out_put_unused_1;
+                sock_release(sock1);
+                goto out;
        }
        newfile1 = sock_alloc_file(sock1, flags, NULL);
        if (IS_ERR(newfile1)) {
                err = PTR_ERR(newfile1);
-                goto out_put_unused_both;
+                sock_release(sock2);
+                goto out;
        }
        newfile2 = sock_alloc_file(sock2, flags, NULL);
        if (IS_ERR(newfile2)) {
                err = PTR_ERR(newfile2);
-                goto out_fput_1;
+                fput(newfile1);
+                goto out;
        }
-        err = put_user(fd1, &usockvec[0]);
-        if (err)
-                goto out_fput_both;
-        err = put_user(fd2, &usockvec[1]);
-        if (err)
-                goto out_fput_both;
        audit_fd_pair(fd1, fd2);
        fd_install(fd1, newfile1);
        fd_install(fd2, newfile2);
-        /* fd1 and fd2 may be already another descriptors.
-         * Not kernel problem.
-         */
        return 0;
-out_fput_both:
+out:
-        fput(newfile2);
-        fput(newfile1);
-        put_unused_fd(fd2);
-        put_unused_fd(fd1);
-        goto out;
-out_fput_1:
-        fput(newfile1);
-        put_unused_fd(fd2);
-        put_unused_fd(fd1);
-        sock_release(sock2);
-        goto out;
-out_put_unused_both:
        put_unused_fd(fd2);
-out_put_unused_1:
        put_unused_fd(fd1);
-out_release_both:
-        sock_release(sock2);
-out_release_1:
-        sock_release(sock1);
-out:
        return err;
 }
@@ -1562,7 +1541,6 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
        if (IS_ERR(newfile)) {
                err = PTR_ERR(newfile);
                put_unused_fd(newfd);
-                sock_release(newsock);
                goto out_put;
        }
diff --git a/net/strparser/strparser.c b/net/strparser/strparser.c
index c5fda15ba319..1fdab5c4eda8 100644
--- a/net/strparser/strparser.c
+++ b/net/strparser/strparser.c
@@ -401,7 +401,7 @@ void strp_data_ready(struct strparser *strp)
         * allows a thread in BH context to safely check if the process
         * lock is held. In this case, if the lock is held, queue work.
         */
-        if (sock_owned_by_user(strp->sk)) {
+        if (sock_owned_by_user_nocheck(strp->sk)) {
                queue_work(strp_wq, &strp->work);
                return;
        }
diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c
index c4778cae58ef..444380f968f1 100644
--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c
+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c
@@ -231,6 +231,7 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr,
                        goto out_free_groups;
                creds->cr_group_info->gid[i] = kgid;
        }
+        groups_sort(creds->cr_group_info);
        return 0;
 out_free_groups:
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 5dd4e6c9fef2..26531193fce4 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -481,6 +481,7 @@ static int rsc_parse(struct cache_detail *cd,
                                goto out;
                        rsci.cred.cr_group_info->gid[i] = kgid;
                }
+                groups_sort(rsci.cred.cr_group_info);
                /* mech name */
                len = qword_get(&mesg, buf, mlen);
diff --git a/net/sunrpc/svcauth_unix.c b/net/sunrpc/svcauth_unix.c
index 740b67d5a733..af7f28fb8102 100644
--- a/net/sunrpc/svcauth_unix.c
+++ b/net/sunrpc/svcauth_unix.c
@@ -520,6 +520,7 @@ static int unix_gid_parse(struct cache_detail *cd,
                ug.gi->gid[i] = kgid;
        }
+        groups_sort(ug.gi);
        ugp = unix_gid_lookup(cd, uid);
        if (ugp) {
                struct cache_head *ch;
@@ -819,6 +820,7 @@ svcauth_unix_accept(struct svc_rqst *rqstp, __be32 *authp)
                kgid_t kgid = make_kgid(&init_user_ns, svc_getnl(argv));
                cred->cr_group_info->gid[i] = kgid;
        }
+        groups_sort(cred->cr_group_info);
        if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) {
                *authp = rpc_autherr_badverf;
                return SVC_DENIED;
diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
index 333b9d697ae5..33b74fd84051 100644
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -1001,6 +1001,7 @@ void xprt_transmit(struct rpc_task *task)
 {
        struct rpc_rqst *req = task->tk_rqstp;
        struct rpc_xprt *xprt = req->rq_xprt;
+        unsigned int connect_cookie;
        int status, numreqs;
        dprintk("RPC: %5u xprt_transmit(%u)\n", task->tk_pid, req->rq_slen);
@@ -1024,6 +1025,7 @@ void xprt_transmit(struct rpc_task *task)
        } else if (!req->rq_bytes_sent)
                return;
+        connect_cookie = xprt->connect_cookie;
        req->rq_xtime = ktime_get();
        status = xprt->ops->send_request(task);
        trace_xprt_transmit(xprt, req->rq_xid, status);
@@ -1047,20 +1049,28 @@ void xprt_transmit(struct rpc_task *task)
        xprt->stat.bklog_u += xprt->backlog.qlen;
        xprt->stat.sending_u += xprt->sending.qlen;
        xprt->stat.pending_u += xprt->pending.qlen;
+        spin_unlock_bh(&xprt->transport_lock);
-        /* Don't race with disconnect */
+        req->rq_connect_cookie = connect_cookie;
-        if (!xprt_connected(xprt))
+        if (rpc_reply_expected(task) && !READ_ONCE(req->rq_reply_bytes_recvd)) {
-                task->tk_status = -ENOTCONN;
-        else {
                /*
-                 * Sleep on the pending queue since
+                 * Sleep on the pending queue if we're expecting a reply.
-                 * we're expecting a reply.
+                 * The spinlock ensures atomicity between the test of
+                 * req->rq_reply_bytes_recvd, and the call to rpc_sleep_on().
                 */
-                if (!req->rq_reply_bytes_recvd && rpc_reply_expected(task))
+                spin_lock(&xprt->recv_lock);
+                if (!req->rq_reply_bytes_recvd) {
                        rpc_sleep_on(&xprt->pending, task, xprt_timer);
-                req->rq_connect_cookie = xprt->connect_cookie;
+                        /*
+                         * Send an extra queue wakeup call if the
+                         * connection was dropped in case the call to
+                         * rpc_sleep_on() raced.
+                         */
+                        if (!xprt_connected(xprt))
+                                xprt_wake_pending_tasks(xprt, -ENOTCONN);
+                }
+                spin_unlock(&xprt->recv_lock);
        }
-        spin_unlock_bh(&xprt->transport_lock);
 }
 static void xprt_add_backlog(struct rpc_xprt *xprt, struct rpc_task *task)
diff --git a/net/sunrpc/xprtrdma/rpc_rdma.c b/net/sunrpc/xprtrdma/rpc_rdma.c
index ed34dc0f144c..a3f2ab283aeb 100644
--- a/net/sunrpc/xprtrdma/rpc_rdma.c
+++ b/net/sunrpc/xprtrdma/rpc_rdma.c
@@ -1408,11 +1408,7 @@ void rpcrdma_reply_handler(struct rpcrdma_rep *rep)
        dprintk("RPC:       %s: reply %p completes request %p (xid 0x%08x)\n",
                __func__, rep, req, be32_to_cpu(rep->rr_xid));
-        if (list_empty(&req->rl_registered) &&
+        queue_work_on(req->rl_cpu, rpcrdma_receive_wq, &rep->rr_work);
-            !test_bit(RPCRDMA_REQ_F_TX_RESOURCES, &req->rl_flags))
-                rpcrdma_complete_rqst(rep);
-        else
-                queue_work(rpcrdma_receive_wq, &rep->rr_work);
        return;
 out_badstatus:
diff --git a/net/sunrpc/xprtrdma/transport.c b/net/sunrpc/xprtrdma/transport.c
index 646c24494ea7..6ee1ad8978f3 100644
--- a/net/sunrpc/xprtrdma/transport.c
+++ b/net/sunrpc/xprtrdma/transport.c
@@ -52,6 +52,7 @@
 #include <linux/slab.h>
 #include <linux/seq_file.h>
 #include <linux/sunrpc/addr.h>
+#include <linux/smp.h>
 #include "xprt_rdma.h"
@@ -656,6 +657,7 @@ xprt_rdma_allocate(struct rpc_task *task)
                task->tk_pid, __func__, rqst->rq_callsize,
                rqst->rq_rcvsize, req);
+        req->rl_cpu = smp_processor_id();
        req->rl_connect_cookie = 0;     /* our reserved value */
        rpcrdma_set_xprtdata(rqst, req);
        rqst->rq_buffer = req->rl_sendbuf->rg_base;
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index 710b3f77db82..8607c029c0dd 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -83,7 +83,7 @@ rpcrdma_alloc_wq(void)
        struct workqueue_struct *recv_wq;
        recv_wq = alloc_workqueue("xprtrdma_receive",
-                                  WQ_MEM_RECLAIM | WQ_UNBOUND | WQ_HIGHPRI,
+                                  WQ_MEM_RECLAIM | WQ_HIGHPRI,
                                  0);
        if (!recv_wq)
                return -ENOMEM;
diff --git a/net/sunrpc/xprtrdma/xprt_rdma.h b/net/sunrpc/xprtrdma/xprt_rdma.h
index 51686d9eac5f..1342f743f1c4 100644
--- a/net/sunrpc/xprtrdma/xprt_rdma.h
+++ b/net/sunrpc/xprtrdma/xprt_rdma.h
@@ -342,6 +342,7 @@ enum {
 struct rpcrdma_buffer;
 struct rpcrdma_req {
        struct list_head        rl_list;
+        int                     rl_cpu;
        unsigned int            rl_connect_cookie;
        struct rpcrdma_buffer   *rl_buffer;
        struct rpcrdma_rep      *rl_reply;
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 47ec121574ce..c8001471da6c 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -324,6 +324,7 @@ restart:
        if (res) {
                pr_warn("Bearer <%s> rejected, enable failure (%d)\n",
                        name, -res);
+                kfree(b);
                return -EINVAL;
        }
@@ -347,8 +348,10 @@ restart:
        if (skb)
                tipc_bearer_xmit_skb(net, bearer_id, skb, &b->bcast_addr);
-        if (tipc_mon_create(net, bearer_id))
+        if (tipc_mon_create(net, bearer_id)) {
+                bearer_disable(net, b);
                return -ENOMEM;
+        }
        pr_info("Enabled bearer <%s>, discovery domain %s, priority %u\n",
                name,
diff --git a/net/tipc/group.c b/net/tipc/group.c
index 95fec2c057d6..8e12ab55346b 100644
--- a/net/tipc/group.c
+++ b/net/tipc/group.c
@@ -351,8 +351,7 @@ void tipc_group_update_member(struct tipc_member *m, int len)
        if (m->window >= ADV_IDLE)
                return;
-        if (!list_empty(&m->congested))
+        list_del_init(&m->congested);
-                return;
        /* Sort member into congested members' list */
        list_for_each_entry_safe(_m, tmp, &grp->congested, congested) {
@@ -369,18 +368,20 @@ void tipc_group_update_bc_members(struct tipc_group *grp, int len, bool ack)
        u16 prev = grp->bc_snd_nxt - 1;
        struct tipc_member *m;
        struct rb_node *n;
+        u16 ackers = 0;
        for (n = rb_first(&grp->members); n; n = rb_next(n)) {
                m = container_of(n, struct tipc_member, tree_node);
                if (tipc_group_is_enabled(m)) {
                        tipc_group_update_member(m, len);
                        m->bc_acked = prev;
+                        ackers++;
                }
        }
        /* Mark number of acknowledges to expect, if any */
        if (ack)
-                grp->bc_ackers = grp->member_cnt;
+                grp->bc_ackers = ackers;
        grp->bc_snd_nxt++;
 }
@@ -648,6 +649,7 @@ static void tipc_group_proto_xmit(struct tipc_group *grp, struct tipc_member *m,
        } else if (mtyp == GRP_REMIT_MSG) {
                msg_set_grp_remitted(hdr, m->window);
        }
+        msg_set_dest_droppable(hdr, true);
        __skb_queue_tail(xmitq, skb);
 }
@@ -689,15 +691,16 @@ void tipc_group_proto_rcv(struct tipc_group *grp, bool *usr_wakeup,
                        msg_set_grp_bc_seqno(ehdr, m->bc_syncpt);
                        __skb_queue_tail(inputq, m->event_msg);
                }
-                if (m->window < ADV_IDLE)
+                list_del_init(&m->congested);
-                        tipc_group_update_member(m, 0);
+                tipc_group_update_member(m, 0);
-                else
-                        list_del_init(&m->congested);
                return;
        case GRP_LEAVE_MSG:
                if (!m)
                        return;
                m->bc_syncpt = msg_grp_bc_syncpt(hdr);
+                list_del_init(&m->list);
+                list_del_init(&m->congested);
+                *usr_wakeup = true;
                /* Wait until WITHDRAW event is received */
                if (m->state != MBR_LEAVING) {
@@ -709,8 +712,6 @@ void tipc_group_proto_rcv(struct tipc_group *grp, bool *usr_wakeup,
                ehdr = buf_msg(m->event_msg);
                msg_set_grp_bc_seqno(ehdr, m->bc_syncpt);
                __skb_queue_tail(inputq, m->event_msg);
-                *usr_wakeup = true;
-                list_del_init(&m->congested);
                return;
        case GRP_ADV_MSG:
                if (!m)
@@ -849,19 +850,29 @@ void tipc_group_member_evt(struct tipc_group *grp,
                *usr_wakeup = true;
                m->usr_pending = false;
                node_up = tipc_node_is_up(net, node);
+                m->event_msg = NULL;
-                /* Hold back event if more messages might be expected */
-                if (m->state != MBR_LEAVING && node_up) {
+                if (node_up) {
-                        m->event_msg = skb;
+                        /* Hold back event if a LEAVE msg should be expected */
-                        tipc_group_decr_active(grp, m);
+                        if (m->state != MBR_LEAVING) {
-                        m->state = MBR_LEAVING;
+                                m->event_msg = skb;
-                } else {
+                                tipc_group_decr_active(grp, m);
-                        if (node_up)
+                                m->state = MBR_LEAVING;
+                        } else {
                                msg_set_grp_bc_seqno(hdr, m->bc_syncpt);
-                        else
+                                __skb_queue_tail(inputq, skb);
+                        }
+                } else {
+                        if (m->state != MBR_LEAVING) {
+                                tipc_group_decr_active(grp, m);
+                                m->state = MBR_LEAVING;
                                msg_set_grp_bc_seqno(hdr, m->bc_rcv_nxt);
+                        } else {
+                                msg_set_grp_bc_seqno(hdr, m->bc_syncpt);
+                        }
                        __skb_queue_tail(inputq, skb);
                }
+                list_del_init(&m->list);
                list_del_init(&m->congested);
        }
        *sk_rcvbuf = tipc_group_rcvbuf_limit(grp);
diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c
index 8e884ed06d4b..32dc33a94bc7 100644
--- a/net/tipc/monitor.c
+++ b/net/tipc/monitor.c
@@ -642,9 +642,13 @@ void tipc_mon_delete(struct net *net, int bearer_id)
 {
        struct tipc_net *tn = tipc_net(net);
        struct tipc_monitor *mon = tipc_monitor(net, bearer_id);
-        struct tipc_peer *self = get_self(net, bearer_id);
+        struct tipc_peer *self;
        struct tipc_peer *peer, *tmp;
+        if (!mon)
+                return;
+        self = get_self(net, bearer_id);
        write_lock_bh(&mon->lock);
        tn->monitors[bearer_id] = NULL;
        list_for_each_entry_safe(peer, tmp, &self->list, list) {
diff --git a/net/tipc/server.c b/net/tipc/server.c
index acaef80fb88c..d60c30342327 100644
--- a/net/tipc/server.c
+++ b/net/tipc/server.c
@@ -314,6 +314,7 @@ static int tipc_accept_from_sock(struct tipc_conn *con)
        newcon->usr_data = s->tipc_conn_new(newcon->conid);
        if (!newcon->usr_data) {
                sock_release(newsock);
+                conn_put(newcon);
                return -ENOMEM;
        }
@@ -511,7 +512,7 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type,
        s = con->server;
        scbr = s->tipc_conn_new(*conid);
        if (!scbr) {
-                tipc_close_conn(con);
+                conn_put(con);
                return false;
        }
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 5d18c0caa92b..3b4084480377 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -727,11 +727,11 @@ static unsigned int tipc_poll(struct file *file, struct socket *sock,
        switch (sk->sk_state) {
        case TIPC_ESTABLISHED:
+        case TIPC_CONNECTING:
                if (!tsk->cong_link_cnt && !tsk_conn_cong(tsk))
                        revents |= POLLOUT;
                /* fall thru' */
        case TIPC_LISTEN:
-        case TIPC_CONNECTING:
                if (!skb_queue_empty(&sk->sk_receive_queue))
                        revents |= POLLIN | POLLRDNORM;
                break;
@@ -1140,7 +1140,7 @@ void tipc_sk_mcast_rcv(struct net *net, struct sk_buff_head *arrvq,
                                __skb_dequeue(arrvq);
                                __skb_queue_tail(inputq, skb);
                        }
-                        refcount_dec(&skb->users);
+                        kfree_skb(skb);
                        spin_unlock_bh(&inputq->lock);
                        continue;
                }
diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index ecca64fc6a6f..3deabcab4882 100644
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -371,10 +371,6 @@ static int tipc_udp_recv(struct sock *sk, struct sk_buff *skb)
                        goto rcu_out;
        }
-        tipc_rcv(sock_net(sk), skb, b);
-        rcu_read_unlock();
-        return 0;
 rcu_out:
        rcu_read_unlock();
 out:
diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
index 5583df708b8c..a827547aa102 100644
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -487,7 +487,7 @@ static void hvs_release(struct vsock_sock *vsk)
        lock_sock(sk);
-        sk->sk_state = SS_DISCONNECTING;
+        sk->sk_state = TCP_CLOSING;
        vsock_remove_sock(vsk);
        release_sock(sk);
diff --git a/net/wireless/Makefile b/net/wireless/Makefile
index 278d979c211a..1d84f91bbfb0 100644
--- a/net/wireless/Makefile
+++ b/net/wireless/Makefile
@@ -23,19 +23,36 @@ ifneq ($(CONFIG_CFG80211_EXTRA_REGDB_KEYDIR),)
 cfg80211-y += extra-certs.o
 endif
-$(obj)/shipped-certs.c: $(wildcard $(srctree)/$(src)/certs/*.x509)
+$(obj)/shipped-certs.c: $(wildcard $(srctree)/$(src)/certs/*.hex)
        @$(kecho) "  GEN     $@"
-        @echo '#include "reg.h"' > $@
+        @(echo '#include "reg.h"'; \
-        @echo 'const u8 shipped_regdb_certs[] = {' >> $@
+          echo 'const u8 shipped_regdb_certs[] = {'; \
-        @for f in $^ ; do hexdump -v -e '1/1 "0x%.2x," "\n"' < $$f >> $@ ; done
+          cat $^ ; \
-        @echo '};' >> $@
+          echo '};'; \
-        @echo 'unsigned int shipped_regdb_certs_len = sizeof(shipped_regdb_certs);' >> $@
+          echo 'unsigned int shipped_regdb_certs_len = sizeof(shipped_regdb_certs);'; \
+         ) > $@
 $(obj)/extra-certs.c: $(CONFIG_CFG80211_EXTRA_REGDB_KEYDIR:"%"=%) \
                      $(wildcard $(CONFIG_CFG80211_EXTRA_REGDB_KEYDIR:"%"=%)/*.x509)
        @$(kecho) "  GEN     $@"
-        @echo '#include "reg.h"' > $@
+        @(set -e; \
-        @echo 'const u8 extra_regdb_certs[] = {' >> $@
+          allf=""; \
-        @for f in $^ ; do test -f $$f && hexdump -v -e '1/1 "0x%.2x," "\n"' < $$f >> $@ || true ; done
+          for f in $^ ; do \
-        @echo '};' >> $@
+              # similar to hexdump -v -e '1/1 "0x%.2x," "\n"' \
-        @echo 'unsigned int extra_regdb_certs_len = sizeof(extra_regdb_certs);' >> $@
+              thisf=$$(od -An -v -tx1 < $$f | \
+                           sed -e 's/ /\n/g' | \
+                           sed -e 's/^[0-9a-f]\+$$/\0/;t;d' | \
+                           sed -e 's/^/0x/;s/$$/,/'); \
+              # file should not be empty - maybe command substitution failed? \
+              test ! -z "$$thisf";\
+              allf=$$allf$$thisf;\
+          done; \
+          ( \
+              echo '#include "reg.h"'; \
+              echo 'const u8 extra_regdb_certs[] = {'; \
+              echo "$$allf"; \
+              echo '};'; \
+              echo 'unsigned int extra_regdb_certs_len = sizeof(extra_regdb_certs);'; \
+          ) > $@)
+clean-files += shipped-certs.c extra-certs.c
diff --git a/net/wireless/certs/sforshee.hex b/net/wireless/certs/sforshee.hex
new file mode 100644
index 000000000000..14ea66643ffa
--- /dev/null
+++ b/net/wireless/certs/sforshee.hex
@@ -0,0 +1,86 @@
+/* Seth Forshee's regdb certificate */
+0x30, 0x82, 0x02, 0xa4, 0x30, 0x82, 0x01, 0x8c,
+0x02, 0x09, 0x00, 0xb2, 0x8d, 0xdf, 0x47, 0xae,
+0xf9, 0xce, 0xa7, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
+0x05, 0x00, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f,
+0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x73,
+0x66, 0x6f, 0x72, 0x73, 0x68, 0x65, 0x65, 0x30,
+0x20, 0x17, 0x0d, 0x31, 0x37, 0x31, 0x30, 0x30,
+0x36, 0x31, 0x39, 0x34, 0x30, 0x33, 0x35, 0x5a,
+0x18, 0x0f, 0x32, 0x31, 0x31, 0x37, 0x30, 0x39,
+0x31, 0x32, 0x31, 0x39, 0x34, 0x30, 0x33, 0x35,
+0x5a, 0x30, 0x13, 0x31, 0x11, 0x30, 0x0f, 0x06,
+0x03, 0x55, 0x04, 0x03, 0x0c, 0x08, 0x73, 0x66,
+0x6f, 0x72, 0x73, 0x68, 0x65, 0x65, 0x30, 0x82,
+0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
+0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
+0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82,
+0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb5,
+0x40, 0xe3, 0x9c, 0x28, 0x84, 0x39, 0x03, 0xf2,
+0x39, 0xd7, 0x66, 0x2c, 0x41, 0x38, 0x15, 0xac,
+0x7e, 0xa5, 0x83, 0x71, 0x25, 0x7e, 0x90, 0x7c,
+0x68, 0xdd, 0x6f, 0x3f, 0xd9, 0xd7, 0x59, 0x38,
+0x9f, 0x7c, 0x6a, 0x52, 0xc2, 0x03, 0x2a, 0x2d,
+0x7e, 0x66, 0xf4, 0x1e, 0xb3, 0x12, 0x70, 0x20,
+0x5b, 0xd4, 0x97, 0x32, 0x3d, 0x71, 0x8b, 0x3b,
+0x1b, 0x08, 0x17, 0x14, 0x6b, 0x61, 0xc4, 0x57,
+0x8b, 0x96, 0x16, 0x1c, 0xfd, 0x24, 0xd5, 0x0b,
+0x09, 0xf9, 0x68, 0x11, 0x84, 0xfb, 0xca, 0x51,
+0x0c, 0xd1, 0x45, 0x19, 0xda, 0x10, 0x44, 0x8a,
+0xd9, 0xfe, 0x76, 0xa9, 0xfd, 0x60, 0x2d, 0x18,
+0x0b, 0x28, 0x95, 0xb2, 0x2d, 0xea, 0x88, 0x98,
+0xb8, 0xd1, 0x56, 0x21, 0xf0, 0x53, 0x1f, 0xf1,
+0x02, 0x6f, 0xe9, 0x46, 0x9b, 0x93, 0x5f, 0x28,
+0x90, 0x0f, 0xac, 0x36, 0xfa, 0x68, 0x23, 0x71,
+0x57, 0x56, 0xf6, 0xcc, 0xd3, 0xdf, 0x7d, 0x2a,
+0xd9, 0x1b, 0x73, 0x45, 0xeb, 0xba, 0x27, 0x85,
+0xef, 0x7a, 0x7f, 0xa5, 0xcb, 0x80, 0xc7, 0x30,
+0x36, 0xd2, 0x53, 0xee, 0xec, 0xac, 0x1e, 0xe7,
+0x31, 0xf1, 0x36, 0xa2, 0x9c, 0x63, 0xc6, 0x65,
+0x5b, 0x7f, 0x25, 0x75, 0x68, 0xa1, 0xea, 0xd3,
+0x7e, 0x00, 0x5c, 0x9a, 0x5e, 0xd8, 0x20, 0x18,
+0x32, 0x77, 0x07, 0x29, 0x12, 0x66, 0x1e, 0x36,
+0x73, 0xe7, 0x97, 0x04, 0x41, 0x37, 0xb1, 0xb1,
+0x72, 0x2b, 0xf4, 0xa1, 0x29, 0x20, 0x7c, 0x96,
+0x79, 0x0b, 0x2b, 0xd0, 0xd8, 0xde, 0xc8, 0x6c,
+0x3f, 0x93, 0xfb, 0xc5, 0xee, 0x78, 0x52, 0x11,
+0x15, 0x1b, 0x7a, 0xf6, 0xe2, 0x68, 0x99, 0xe7,
+0xfb, 0x46, 0x16, 0x84, 0xe3, 0xc7, 0xa1, 0xe6,
+0xe0, 0xd2, 0x46, 0xd5, 0xe1, 0xc4, 0x5f, 0xa0,
+0x66, 0xf4, 0xda, 0xc4, 0xff, 0x95, 0x1d, 0x02,
+0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09,
+0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
+0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
+0x87, 0x03, 0xda, 0xf2, 0x82, 0xc2, 0xdd, 0xaf,
+0x7c, 0x44, 0x2f, 0x86, 0xd3, 0x5f, 0x4c, 0x93,
+0x48, 0xb9, 0xfe, 0x07, 0x17, 0xbb, 0x21, 0xf7,
+0x25, 0x23, 0x4e, 0xaa, 0x22, 0x0c, 0x16, 0xb9,
+0x73, 0xae, 0x9d, 0x46, 0x7c, 0x75, 0xd9, 0xc3,
+0x49, 0x57, 0x47, 0xbf, 0x33, 0xb7, 0x97, 0xec,
+0xf5, 0x40, 0x75, 0xc0, 0x46, 0x22, 0xf0, 0xa0,
+0x5d, 0x9c, 0x79, 0x13, 0xa1, 0xff, 0xb8, 0xa3,
+0x2f, 0x7b, 0x8e, 0x06, 0x3f, 0xc8, 0xb6, 0xe4,
+0x6a, 0x28, 0xf2, 0x34, 0x5c, 0x23, 0x3f, 0x32,
+0xc0, 0xe6, 0xad, 0x0f, 0xac, 0xcf, 0x55, 0x74,
+0x47, 0x73, 0xd3, 0x01, 0x85, 0xb7, 0x0b, 0x22,
+0x56, 0x24, 0x7d, 0x9f, 0x09, 0xa9, 0x0e, 0x86,
+0x9e, 0x37, 0x5b, 0x9c, 0x6d, 0x02, 0xd9, 0x8c,
+0xc8, 0x50, 0x6a, 0xe2, 0x59, 0xf3, 0x16, 0x06,
+0xea, 0xb2, 0x42, 0xb5, 0x58, 0xfe, 0xba, 0xd1,
+0x81, 0x57, 0x1a, 0xef, 0xb2, 0x38, 0x88, 0x58,
+0xf6, 0xaa, 0xc4, 0x2e, 0x8b, 0x5a, 0x27, 0xe4,
+0xa5, 0xe8, 0xa4, 0xca, 0x67, 0x5c, 0xac, 0x72,
+0x67, 0xc3, 0x6f, 0x13, 0xc3, 0x2d, 0x35, 0x79,
+0xd7, 0x8a, 0xe7, 0xf5, 0xd4, 0x21, 0x30, 0x4a,
+0xd5, 0xf6, 0xa3, 0xd9, 0x79, 0x56, 0xf2, 0x0f,
+0x10, 0xf7, 0x7d, 0xd0, 0x51, 0x93, 0x2f, 0x47,
+0xf8, 0x7d, 0x4b, 0x0a, 0x84, 0x55, 0x12, 0x0a,
+0x7d, 0x4e, 0x3b, 0x1f, 0x2b, 0x2f, 0xfc, 0x28,
+0xb3, 0x69, 0x34, 0xe1, 0x80, 0x80, 0xbb, 0xe2,
+0xaf, 0xb9, 0xd6, 0x30, 0xf1, 0x1d, 0x54, 0x87,
+0x23, 0x99, 0x9f, 0x51, 0x03, 0x4c, 0x45, 0x7d,
+0x02, 0x65, 0x73, 0xab, 0xfd, 0xcf, 0x94, 0xcc,
+0x0d, 0x3a, 0x60, 0xfd, 0x3c, 0x14, 0x2f, 0x16,
+0x33, 0xa9, 0x21, 0x1f, 0xcb, 0x50, 0xb1, 0x8f,
+0x03, 0xee, 0xa0, 0x66, 0xa9, 0x16, 0x79, 0x14,
diff --git a/net/wireless/certs/sforshee.x509 b/net/wireless/certs/sforshee.x509
deleted file mode 100644
index c6f8f9d6b988..000000000000
--- a/net/wireless/certs/sforshee.x509
+++ /dev/null
Binary files differ
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index b1ac23ca20c8..213d0c498c97 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2610,7 +2610,7 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
        case NL80211_IFTYPE_AP:
                if (wdev->ssid_len &&
                    nla_put(msg, NL80211_ATTR_SSID, wdev->ssid_len, wdev->ssid))
-                        goto nla_put_failure;
+                        goto nla_put_failure_locked;
                break;
        case NL80211_IFTYPE_STATION:
        case NL80211_IFTYPE_P2P_CLIENT:
@@ -2623,7 +2623,7 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
                if (!ssid_ie)
                        break;
                if (nla_put(msg, NL80211_ATTR_SSID, ssid_ie[1], ssid_ie + 2))
-                        goto nla_put_failure;
+                        goto nla_put_failure_locked;
                break;
                }
        default:
@@ -2635,6 +2635,8 @@ static int nl80211_send_iface(struct sk_buff *msg, u32 portid, u32 seq, int flag
        genlmsg_end(msg, hdr);
        return 0;
+ nla_put_failure_locked:
+        wdev_unlock(wdev);
 nla_put_failure:
        genlmsg_cancel(msg, hdr);
        return -EMSGSIZE;
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 347ab31574d5..3f6f6f8c9fa5 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -8,15 +8,29 @@
 *
 */
+#include <linux/bottom_half.h>
+#include <linux/interrupt.h>
 #include <linux/slab.h>
 #include <linux/module.h>
 #include <linux/netdevice.h>
+#include <linux/percpu.h>
 #include <net/dst.h>
 #include <net/ip.h>
 #include <net/xfrm.h>
 #include <net/ip_tunnels.h>
 #include <net/ip6_tunnel.h>
+struct xfrm_trans_tasklet {
+        struct tasklet_struct tasklet;
+        struct sk_buff_head queue;
+};
+struct xfrm_trans_cb {
+        int (*finish)(struct net *net, struct sock *sk, struct sk_buff *skb);
+};
+#define XFRM_TRANS_SKB_CB(__skb) ((struct xfrm_trans_cb *)&((__skb)->cb[0]))
 static struct kmem_cache *secpath_cachep __read_mostly;
 static DEFINE_SPINLOCK(xfrm_input_afinfo_lock);
@@ -25,6 +39,8 @@ static struct xfrm_input_afinfo const __rcu *xfrm_input_afinfo[AF_INET6 + 1];
 static struct gro_cells gro_cells;
 static struct net_device xfrm_napi_dev;
+static DEFINE_PER_CPU(struct xfrm_trans_tasklet, xfrm_trans_tasklet);
 int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo)
 {
        int err = 0;
@@ -207,7 +223,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
        xfrm_address_t *daddr;
        struct xfrm_mode *inner_mode;
        u32 mark = skb->mark;
-        unsigned int family;
+        unsigned int family = AF_UNSPEC;
        int decaps = 0;
        int async = 0;
        bool xfrm_gro = false;
@@ -216,6 +232,16 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
        if (encap_type < 0) {
                x = xfrm_input_state(skb);
+                if (unlikely(x->km.state != XFRM_STATE_VALID)) {
+                        if (x->km.state == XFRM_STATE_ACQ)
+                                XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR);
+                        else
+                                XFRM_INC_STATS(net,
+                                               LINUX_MIB_XFRMINSTATEINVALID);
+                        goto drop;
+                }
                family = x->outer_mode->afinfo->family;
                /* An encap_type of -1 indicates async resumption. */
@@ -467,9 +493,41 @@ int xfrm_input_resume(struct sk_buff *skb, int nexthdr)
 }
 EXPORT_SYMBOL(xfrm_input_resume);
+static void xfrm_trans_reinject(unsigned long data)
+{
+        struct xfrm_trans_tasklet *trans = (void *)data;
+        struct sk_buff_head queue;
+        struct sk_buff *skb;
+        __skb_queue_head_init(&queue);
+        skb_queue_splice_init(&trans->queue, &queue);
+        while ((skb = __skb_dequeue(&queue)))
+                XFRM_TRANS_SKB_CB(skb)->finish(dev_net(skb->dev), NULL, skb);
+}
+int xfrm_trans_queue(struct sk_buff *skb,
+                     int (*finish)(struct net *, struct sock *,
+                                   struct sk_buff *))
+{
+        struct xfrm_trans_tasklet *trans;
+        trans = this_cpu_ptr(&xfrm_trans_tasklet);
+        if (skb_queue_len(&trans->queue) >= netdev_max_backlog)
+                return -ENOBUFS;
+        XFRM_TRANS_SKB_CB(skb)->finish = finish;
+        skb_queue_tail(&trans->queue, skb);
+        tasklet_schedule(&trans->tasklet);
+        return 0;
+}
+EXPORT_SYMBOL(xfrm_trans_queue);
 void __init xfrm_input_init(void)
 {
        int err;
+        int i;
        init_dummy_netdev(&xfrm_napi_dev);
        err = gro_cells_init(&gro_cells, &xfrm_napi_dev);
@@ -480,4 +538,13 @@ void __init xfrm_input_init(void)
                                           sizeof(struct sec_path),
                                           0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
                                           NULL);
+        for_each_possible_cpu(i) {
+                struct xfrm_trans_tasklet *trans;
+                trans = &per_cpu(xfrm_trans_tasklet, i);
+                __skb_queue_head_init(&trans->queue);
+                tasklet_init(&trans->tasklet, xfrm_trans_reinject,
+                             (unsigned long)trans);
+        }
 }
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 9542975eb2f9..70aa5cb0c659 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1168,9 +1168,15 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(const struct sock *sk, int dir,
 again:
        pol = rcu_dereference(sk->sk_policy[dir]);
        if (pol != NULL) {
-                bool match = xfrm_selector_match(&pol->selector, fl, family);
+                bool match;
                int err = 0;
+                if (pol->family != family) {
+                        pol = NULL;
+                        goto out;
+                }
+                match = xfrm_selector_match(&pol->selector, fl, family);
                if (match) {
                        if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
                                pol = NULL;
@@ -1833,6 +1839,7 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
                   sizeof(struct xfrm_policy *) * num_pols) == 0 &&
            xfrm_xdst_can_reuse(xdst, xfrm, err)) {
                dst_hold(&xdst->u.dst);
+                xfrm_pols_put(pols, num_pols);
                while (err > 0)
                        xfrm_state_put(xfrm[--err]);
                return xdst;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 065d89606888..500b3391f474 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1343,6 +1343,7 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
        if (orig->aead) {
                x->aead = xfrm_algo_aead_clone(orig->aead);
+                x->geniv = orig->geniv;
                if (!x->aead)
                        goto error;
        }
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 983b0233767b..bdb48e5dba04 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1419,11 +1419,14 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
 static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
 {
+        u16 prev_family;
        int i;
        if (nr > XFRM_MAX_DEPTH)
                return -EINVAL;
+        prev_family = family;
        for (i = 0; i < nr; i++) {
                /* We never validated the ut->family value, so many
                 * applications simply leave it at zero.  The check was
@@ -1435,6 +1438,12 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
                if (!ut[i].family)
                        ut[i].family = family;
+                if ((ut[i].mode == XFRM_MODE_TRANSPORT) &&
+                    (ut[i].family != prev_family))
+                        return -EINVAL;
+                prev_family = ut[i].family;
                switch (ut[i].family) {
                case AF_INET:
                        break;
@@ -1445,6 +1454,21 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
                default:
                        return -EINVAL;
                }
+                switch (ut[i].id.proto) {
+                case IPPROTO_AH:
+                case IPPROTO_ESP:
+                case IPPROTO_COMP:
+#if IS_ENABLED(CONFIG_IPV6)
+                case IPPROTO_ROUTING:
+                case IPPROTO_DSTOPTS:
+#endif
+                case IPSEC_PROTO_ANY:
+                        break;
+                default:
+                        return -EINVAL;
+                }
        }
        return 0;
@@ -2470,7 +2494,7 @@ static const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
        [XFRMA_PROTO]           = { .type = NLA_U8 },
        [XFRMA_ADDRESS_FILTER]  = { .len = sizeof(struct xfrm_address_filter) },
        [XFRMA_OFFLOAD_DEV]     = { .len = sizeof(struct xfrm_user_offload) },
-        [XFRMA_OUTPUT_MARK]     = { .len = NLA_U32 },
+        [XFRMA_OUTPUT_MARK]     = { .type = NLA_U32 },
 };
 static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = {
author	Ross Zwisler <ross.zwisler@linux.intel.com>	2018-02-03 02:26:10 -0500
committer	Ross Zwisler <ross.zwisler@linux.intel.com>	2018-02-03 02:26:10 -0500
commit	d121f07691415df824e6b60520f782f6d13b3c81 (patch)
tree	422ad3cc6fd631604fef4e469e49bacba8202e52 /net
parent	59858d3d54cfad1f8db67c2c07e4dd33bb6ed955 (diff)
parent	569d0365f571fa6421a5c80bc30d1b2cdab857fe (diff)