Merge branch 'for-4.16/nfit' into libnvdimm-for-next

30 files changed, 235 insertions, 151 deletions

diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
index 8dfdd94e430f..bad01b14a4ad 100644
--- a/net/8021q/vlan.c
+++ b/net/8021q/vlan.c
@@ -111,12 +111,7 @@ void unregister_vlan_dev(struct net_device *dev, struct list_head *head)
                 vlan_gvrp_uninit_applicant(real_dev);
         }
 
-        /* Take it out of our own structures, but be sure to interlock with
-         * HW accelerating devices or SW vlan input packet processing if
-         * VLAN is not 0 (leave it there for 802.1p).
-         */
-        if (vlan_id)
-                vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id);
+        vlan_vid_del(real_dev, vlan->vlan_proto, vlan_id);
 
         /* Get rid of the vlan's reference to real_dev */
         dev_put(real_dev);
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 43ba91c440bc..fc6615d59165 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3363,9 +3363,10 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
                         break;
 
                 case L2CAP_CONF_EFS:
-                        remote_efs = 1;
-                        if (olen == sizeof(efs))
+                        if (olen == sizeof(efs)) {
+                                remote_efs = 1;
                                 memcpy(&efs, (void *) val, olen);
+                        }
                         break;
 
                 case L2CAP_CONF_EWS:
@@ -3584,16 +3585,17 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
                         break;
 
                 case L2CAP_CONF_EFS:
-                        if (olen == sizeof(efs))
+                        if (olen == sizeof(efs)) {
                                 memcpy(&efs, (void *)val, olen);
 
-                        if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
-                            efs.stype != L2CAP_SERV_NOTRAFIC &&
-                            efs.stype != chan->local_stype)
-                                return -ECONNREFUSED;
+                                if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+                                    efs.stype != L2CAP_SERV_NOTRAFIC &&
+                                    efs.stype != chan->local_stype)
+                                        return -ECONNREFUSED;
 
-                        l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
-                                           (unsigned long) &efs, endptr - ptr);
+                                l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
+                                                   (unsigned long) &efs, endptr - ptr);
+                        }
                         break;
 
                 case L2CAP_CONF_FCS:
diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c
index 2d38b6e34203..e0adcd123f48 100644
--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -334,9 +334,8 @@ void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
         mutex_lock(&caifdevs->lock);
         list_add_rcu(&caifd->list, &caifdevs->list);
 
-        strncpy(caifd->layer.name, dev->name,
-                sizeof(caifd->layer.name) - 1);
-        caifd->layer.name[sizeof(caifd->layer.name) - 1] = 0;
+        strlcpy(caifd->layer.name, dev->name,
+                sizeof(caifd->layer.name));
         caifd->layer.transmit = transmit;
         cfcnfg_add_phy_layer(cfg,
                                 dev,
diff --git a/net/caif/caif_usb.c b/net/caif/caif_usb.c
index 5cd44f001f64..1a082a946045 100644
--- a/net/caif/caif_usb.c
+++ b/net/caif/caif_usb.c
@@ -176,9 +176,7 @@ static int cfusbl_device_notify(struct notifier_block *me, unsigned long what,
                 dev_add_pack(&caif_usb_type);
         pack_added = true;
 
-        strncpy(layer->name, dev->name,
-                        sizeof(layer->name) - 1);
-        layer->name[sizeof(layer->name) - 1] = 0;
+        strlcpy(layer->name, dev->name, sizeof(layer->name));
 
         return 0;
 }
diff --git a/net/caif/cfcnfg.c b/net/caif/cfcnfg.c
index 273cb07f57d8..8f00bea093b9 100644
--- a/net/caif/cfcnfg.c
+++ b/net/caif/cfcnfg.c
@@ -268,17 +268,15 @@ static int caif_connect_req_to_link_param(struct cfcnfg *cnfg,
         case CAIFPROTO_RFM:
                 l->linktype = CFCTRL_SRV_RFM;
                 l->u.datagram.connid = s->sockaddr.u.rfm.connection_id;
-                strncpy(l->u.rfm.volume, s->sockaddr.u.rfm.volume,
-                        sizeof(l->u.rfm.volume)-1);
-                l->u.rfm.volume[sizeof(l->u.rfm.volume)-1] = 0;
+                strlcpy(l->u.rfm.volume, s->sockaddr.u.rfm.volume,
+                        sizeof(l->u.rfm.volume));
                 break;
         case CAIFPROTO_UTIL:
                 l->linktype = CFCTRL_SRV_UTIL;
                 l->endpoint = 0x00;
                 l->chtype = 0x00;
-                strncpy(l->u.utility.name, s->sockaddr.u.util.service,
-                        sizeof(l->u.utility.name)-1);
-                l->u.utility.name[sizeof(l->u.utility.name)-1] = 0;
+                strlcpy(l->u.utility.name, s->sockaddr.u.util.service,
+                        sizeof(l->u.utility.name));
                 caif_assert(sizeof(l->u.utility.name) > 10);
                 l->u.utility.paramlen = s->param.size;
                 if (l->u.utility.paramlen > sizeof(l->u.utility.params))
diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
index f5afda1abc76..655ed7032150 100644
--- a/net/caif/cfctrl.c
+++ b/net/caif/cfctrl.c
@@ -258,8 +258,8 @@ int cfctrl_linkup_request(struct cflayer *layer,
                 tmp16 = cpu_to_le16(param->u.utility.fifosize_bufs);
                 cfpkt_add_body(pkt, &tmp16, 2);
                 memset(utility_name, 0, sizeof(utility_name));
-                strncpy(utility_name, param->u.utility.name,
-                        UTILITY_NAME_LENGTH - 1);
+                strlcpy(utility_name, param->u.utility.name,
+                        UTILITY_NAME_LENGTH);
                 cfpkt_add_body(pkt, utility_name, UTILITY_NAME_LENGTH);
                 tmp8 = param->u.utility.paramlen;
                 cfpkt_add_body(pkt, &tmp8, 1);
diff --git a/net/core/dev.c b/net/core/dev.c
index 01ee854454a8..0e0ba36eeac9 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1146,7 +1146,19 @@ EXPORT_SYMBOL(dev_alloc_name);
 int dev_get_valid_name(struct net *net, struct net_device *dev,
                        const char *name)
 {
-        return dev_alloc_name_ns(net, dev, name);
+        BUG_ON(!net);
+
+        if (!dev_valid_name(name))
+                return -EINVAL;
+
+        if (strchr(name, '%'))
+                return dev_alloc_name_ns(net, dev, name);
+        else if (__dev_get_by_name(net, name))
+                return -EEXIST;
+        else if (dev->name != name)
+                strlcpy(dev->name, name, IFNAMSIZ);
+
+        return 0;
 }
 EXPORT_SYMBOL(dev_get_valid_name);
 
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index f8fcf450a36e..8225416911ae 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -770,15 +770,6 @@ static int ethtool_set_link_ksettings(struct net_device *dev,
         return dev->ethtool_ops->set_link_ksettings(dev, &link_ksettings);
 }
 
-static void
-warn_incomplete_ethtool_legacy_settings_conversion(const char *details)
-{
-        char name[sizeof(current->comm)];
-
-        pr_info_once("warning: `%s' uses legacy ethtool link settings API, %s\n",
-                     get_task_comm(name, current), details);
-}
-
 /* Query device for its ethtool_cmd settings.
  *
  * Backward compatibility note: for compatibility with legacy ethtool,
@@ -805,10 +796,8 @@ static int ethtool_get_settings(struct net_device *dev, void __user *useraddr)
                                                            &link_ksettings);
                 if (err < 0)
                         return err;
-                if (!convert_link_ksettings_to_legacy_settings(&cmd,
-                                                               &link_ksettings))
-                        warn_incomplete_ethtool_legacy_settings_conversion(
-                                "link modes are only partially reported");
+                convert_link_ksettings_to_legacy_settings(&cmd,
+                                                          &link_ksettings);
 
                 /* send a sensible cmd tag back to user */
                 cmd.cmd = ETHTOOL_GSET;
diff --git a/net/core/filter.c b/net/core/filter.c
index 6a85e67fafce..d339ef170df6 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1054,11 +1054,9 @@ static struct bpf_prog *bpf_migrate_filter(struct bpf_prog *fp)
                  */
                 goto out_err_free;
 
-        /* We are guaranteed to never error here with cBPF to eBPF
-         * transitions, since there's no issue with type compatibility
-         * checks on program arrays.
-         */
         fp = bpf_prog_select_runtime(fp, &err);
+        if (err)
+                goto out_err_free;
 
         kfree(old_prog);
         return fp;
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index dabba2a91fc8..778d7f03404a 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1681,18 +1681,18 @@ static bool link_dump_filtered(struct net_device *dev,
         return false;
 }
 
-static struct net *get_target_net(struct sk_buff *skb, int netnsid)
+static struct net *get_target_net(struct sock *sk, int netnsid)
 {
         struct net *net;
 
-        net = get_net_ns_by_id(sock_net(skb->sk), netnsid);
+        net = get_net_ns_by_id(sock_net(sk), netnsid);
         if (!net)
                 return ERR_PTR(-EINVAL);
 
         /* For now, the caller is required to have CAP_NET_ADMIN in
          * the user namespace owning the target net ns.
          */
-        if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN)) {
+        if (!sk_ns_capable(sk, net->user_ns, CAP_NET_ADMIN)) {
                 put_net(net);
                 return ERR_PTR(-EACCES);
         }
@@ -1733,7 +1733,7 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
                         ifla_policy, NULL) >= 0) {
                 if (tb[IFLA_IF_NETNSID]) {
                         netnsid = nla_get_s32(tb[IFLA_IF_NETNSID]);
-                        tgt_net = get_target_net(skb, netnsid);
+                        tgt_net = get_target_net(skb->sk, netnsid);
                         if (IS_ERR(tgt_net)) {
                                 tgt_net = net;
                                 netnsid = -1;
@@ -2883,7 +2883,7 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh,
 
         if (tb[IFLA_IF_NETNSID]) {
                 netnsid = nla_get_s32(tb[IFLA_IF_NETNSID]);
-                tgt_net = get_target_net(skb, netnsid);
+                tgt_net = get_target_net(NETLINK_CB(skb).sk, netnsid);
                 if (IS_ERR(tgt_net))
                         return PTR_ERR(tgt_net);
         }
diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
index 217f4e3b82f6..146b50e30659 100644
--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -288,7 +288,7 @@ static int sock_diag_bind(struct net *net, int group)
         case SKNLGRP_INET6_UDP_DESTROY:
                 if (!sock_diag_handlers[AF_INET6])
                         request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
-                                       NETLINK_SOCK_DIAG, AF_INET);
+                                       NETLINK_SOCK_DIAG, AF_INET6);
                 break;
         }
         return 0;
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index cbc3dde4cfcc..a47ad6cd41c0 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -325,7 +325,13 @@ static struct ctl_table net_core_table[] = {
                 .data           = &bpf_jit_enable,
                 .maxlen         = sizeof(int),
                 .mode           = 0644,
+#ifndef CONFIG_BPF_JIT_ALWAYS_ON
                 .proc_handler   = proc_dointvec
+#else
+                .proc_handler   = proc_dointvec_minmax,
+                .extra1         = &one,
+                .extra2         = &one,
+#endif
         },
 # ifdef CONFIG_HAVE_EBPF_JIT
         {
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 125c1eab3eaa..5e570aa9e43b 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -520,9 +520,11 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
                 goto out;
 
         /* hdrincl should be READ_ONCE(inet->hdrincl)
-         * but READ_ONCE() doesn't work with bit fields
+         * but READ_ONCE() doesn't work with bit fields.
+         * Doing this indirectly yields the same result.
          */
         hdrincl = inet->hdrincl;
+        hdrincl = READ_ONCE(hdrincl);
         /*
          *      Check the flags.
          */
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 83bd75713535..bc68eb661970 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -925,6 +925,15 @@ static void ipv6_push_rthdr4(struct sk_buff *skb, u8 *proto,
         sr_phdr->segments[0] = **addr_p;
         *addr_p = &sr_ihdr->segments[sr_ihdr->segments_left];
 
+        if (sr_ihdr->hdrlen > hops * 2) {
+                int tlvs_offset, tlvs_length;
+
+                tlvs_offset = (1 + hops * 2) << 3;
+                tlvs_length = (sr_ihdr->hdrlen - hops * 2) << 3;
+                memcpy((char *)sr_phdr + tlvs_offset,
+                       (char *)sr_ihdr + tlvs_offset, tlvs_length);
+        }
+
 #ifdef CONFIG_IPV6_SEG6_HMAC
         if (sr_has_hmac(sr_phdr)) {
                 struct net *net = NULL;
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index f5285f4e1d08..9dcc3924a975 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -640,6 +640,11 @@ static struct fib6_node *fib6_add_1(struct net *net,
                         if (!(fn->fn_flags & RTN_RTINFO)) {
                                 RCU_INIT_POINTER(fn->leaf, NULL);
                                 rt6_release(leaf);
+                        /* remove null_entry in the root node */
+                        } else if (fn->fn_flags & RTN_TL_ROOT &&
+                                   rcu_access_pointer(fn->leaf) ==
+                                   net->ipv6.ip6_null_entry) {
+                                RCU_INIT_POINTER(fn->leaf, NULL);
                         }
 
                         return fn;
@@ -1241,23 +1246,28 @@ out:
                  * If fib6_add_1 has cleared the old leaf pointer in the
                  * super-tree leaf node we have to find a new one for it.
                  */
-                struct rt6_info *pn_leaf = rcu_dereference_protected(pn->leaf,
-                                            lockdep_is_held(&table->tb6_lock));
-                if (pn != fn && pn_leaf == rt) {
-                        pn_leaf = NULL;
-                        RCU_INIT_POINTER(pn->leaf, NULL);
-                        atomic_dec(&rt->rt6i_ref);
-                }
-                if (pn != fn && !pn_leaf && !(pn->fn_flags & RTN_RTINFO)) {
-                        pn_leaf = fib6_find_prefix(info->nl_net, table, pn);
-#if RT6_DEBUG >= 2
-                        if (!pn_leaf) {
-                                WARN_ON(!pn_leaf);
-                                pn_leaf = info->nl_net->ipv6.ip6_null_entry;
+                if (pn != fn) {
+                        struct rt6_info *pn_leaf =
+                                rcu_dereference_protected(pn->leaf,
+                                    lockdep_is_held(&table->tb6_lock));
+                        if (pn_leaf == rt) {
+                                pn_leaf = NULL;
+                                RCU_INIT_POINTER(pn->leaf, NULL);
+                                atomic_dec(&rt->rt6i_ref);
                         }
+                        if (!pn_leaf && !(pn->fn_flags & RTN_RTINFO)) {
+                                pn_leaf = fib6_find_prefix(info->nl_net, table,
+                                                           pn);
+#if RT6_DEBUG >= 2
+                                if (!pn_leaf) {
+                                        WARN_ON(!pn_leaf);
+                                        pn_leaf =
+                                            info->nl_net->ipv6.ip6_null_entry;
+                                }
 #endif
-                        atomic_inc(&pn_leaf->rt6i_ref);
-                        rcu_assign_pointer(pn->leaf, pn_leaf);
+                                atomic_inc(&pn_leaf->rt6i_ref);
+                                rcu_assign_pointer(pn->leaf, pn_leaf);
+                        }
                 }
 #endif
                 goto failure;
@@ -1265,13 +1275,17 @@ out:
         return err;
 
 failure:
-        /* fn->leaf could be NULL if fn is an intermediate node and we
-         * failed to add the new route to it in both subtree creation
-         * failure and fib6_add_rt2node() failure case.
-         * In both cases, fib6_repair_tree() should be called to fix
-         * fn->leaf.
+        /* fn->leaf could be NULL and fib6_repair_tree() needs to be called if:
+         * 1. fn is an intermediate node and we failed to add the new
+         * route to it in both subtree creation failure and fib6_add_rt2node()
+         * failure case.
+         * 2. fn is the root node in the table and we fail to add the first
+         * default route to it.
          */
-        if (fn && !(fn->fn_flags & (RTN_RTINFO|RTN_ROOT)))
+        if (fn &&
+            (!(fn->fn_flags & (RTN_RTINFO|RTN_ROOT)) ||
+             (fn->fn_flags & RTN_TL_ROOT &&
+              !rcu_access_pointer(fn->leaf))))
                 fib6_repair_tree(info->nl_net, table, fn);
         /* Always release dst as dst->__refcnt is guaranteed
          * to be taken before entering this function
@@ -1526,6 +1540,12 @@ static struct fib6_node *fib6_repair_tree(struct net *net,
         struct fib6_walker *w;
         int iter = 0;
 
+        /* Set fn->leaf to null_entry for root node. */
+        if (fn->fn_flags & RTN_TL_ROOT) {
+                rcu_assign_pointer(fn->leaf, net->ipv6.ip6_null_entry);
+                return fn;
+        }
+
         for (;;) {
                 struct fib6_node *fn_r = rcu_dereference_protected(fn->right,
                                             lockdep_is_held(&table->tb6_lock));
@@ -1680,10 +1700,15 @@ static void fib6_del_route(struct fib6_table *table, struct fib6_node *fn,
         }
         read_unlock(&net->ipv6.fib6_walker_lock);
 
-        /* If it was last route, expunge its radix tree node */
+        /* If it was last route, call fib6_repair_tree() to:
+         * 1. For root node, put back null_entry as how the table was created.
+         * 2. For other nodes, expunge its radix tree node.
+         */
         if (!rcu_access_pointer(fn->leaf)) {
-                fn->fn_flags &= ~RTN_RTINFO;
-                net->ipv6.rt6_stats->fib_route_nodes--;
+                if (!(fn->fn_flags & RTN_TL_ROOT)) {
+                        fn->fn_flags &= ~RTN_RTINFO;
+                        net->ipv6.rt6_stats->fib_route_nodes--;
+                }
                 fn = fib6_repair_tree(net, table, fn);
         }
 
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index f7dd51c42314..688ba5f7516b 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1735,9 +1735,10 @@ struct sk_buff *ip6_make_skb(struct sock *sk,
         cork.base.opt = NULL;
         v6_cork.opt = NULL;
         err = ip6_setup_cork(sk, &cork, &v6_cork, ipc6, rt, fl6);
-        if (err)
+        if (err) {
+                ip6_cork_release(&cork, &v6_cork);
                 return ERR_PTR(err);
-
+        }
         if (ipc6->dontfrag < 0)
                 ipc6->dontfrag = inet6_sk(sk)->dontfrag;
 
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 931c38f6ff4a..9a7cf355bc8c 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1074,10 +1074,11 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
                         memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
                         neigh_release(neigh);
                 }
-        } else if (!(t->parms.flags &
-                     (IP6_TNL_F_USE_ORIG_TCLASS | IP6_TNL_F_USE_ORIG_FWMARK))) {
-                /* enable the cache only only if the routing decision does
-                 * not depend on the current inner header value
+        } else if (t->parms.proto != 0 && !(t->parms.flags &
+                                            (IP6_TNL_F_USE_ORIG_TCLASS |
+                                             IP6_TNL_F_USE_ORIG_FWMARK))) {
+                /* enable the cache only if neither the outer protocol nor the
+                 * routing decision depends on the current inner header value
                  */
                 use_cache = true;
         }
@@ -1676,11 +1677,11 @@ int ip6_tnl_change_mtu(struct net_device *dev, int new_mtu)
 {
         struct ip6_tnl *tnl = netdev_priv(dev);
 
-        if (tnl->parms.proto == IPPROTO_IPIP) {
-                if (new_mtu < ETH_MIN_MTU)
+        if (tnl->parms.proto == IPPROTO_IPV6) {
+                if (new_mtu < IPV6_MIN_MTU)
                         return -EINVAL;
         } else {
-                if (new_mtu < IPV6_MIN_MTU)
+                if (new_mtu < ETH_MIN_MTU)
                         return -EINVAL;
         }
         if (new_mtu > 0xFFF8 - dev->hard_header_len)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 70e9d2ca8bbe..4daafb07602f 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -3632,6 +3632,8 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
                 }
                 return true;
         case NL80211_IFTYPE_MESH_POINT:
+                if (ether_addr_equal(sdata->vif.addr, hdr->addr2))
+                        return false;
                 if (multicast)
                         return true;
                 return ether_addr_equal(sdata->vif.addr, hdr->addr1);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 10798b357481..07bd4138c84e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2072,7 +2072,7 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
                                 continue;
 
                         list_for_each_entry_rcu(chain, &table->chains, list) {
-                                if (ctx && ctx->chain[0] &&
+                                if (ctx && ctx->chain &&
                                     strcmp(ctx->chain, chain->name) != 0)
                                         continue;
 
@@ -4665,8 +4665,10 @@ static int nf_tables_dump_obj_done(struct netlink_callback *cb)
 {
         struct nft_obj_filter *filter = cb->data;
 
-        kfree(filter->table);
-        kfree(filter);
+        if (filter) {
+                kfree(filter->table);
+                kfree(filter);
+        }
 
         return 0;
 }
diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
index 1f7fbd3c7e5a..06b090d8e901 100644
--- a/net/netfilter/xt_bpf.c
+++ b/net/netfilter/xt_bpf.c
@@ -55,21 +55,11 @@ static int __bpf_mt_check_fd(int fd, struct bpf_prog **ret)
 
 static int __bpf_mt_check_path(const char *path, struct bpf_prog **ret)
 {
-        mm_segment_t oldfs = get_fs();
-        int retval, fd;
-
         if (strnlen(path, XT_BPF_PATH_MAX) == XT_BPF_PATH_MAX)
                 return -EINVAL;
 
-        set_fs(KERNEL_DS);
-        fd = bpf_obj_get_user(path, 0);
-        set_fs(oldfs);
-        if (fd < 0)
-                return fd;
-
-        retval = __bpf_mt_check_fd(fd, ret);
-        sys_close(fd);
-        return retval;
+        *ret = bpf_prog_get_type_path(path, BPF_PROG_TYPE_SOCKET_FILTER);
+        return PTR_ERR_OR_ZERO(*ret);
 }
 
 static int bpf_mt_check(const struct xt_mtchk_param *par)
diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index bc2f1e0977d6..634cfcb7bba6 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -525,6 +525,9 @@ int rds_rdma_extra_size(struct rds_rdma_args *args)
 
         local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr;
 
+        if (args->nr_local == 0)
+                return -EINVAL;
+
         /* figure out the number of pages in the vector */
         for (i = 0; i < args->nr_local; i++) {
                 if (copy_from_user(&vec, &local_vec[i],
@@ -874,6 +877,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm,
 err:
         if (page)
                 put_page(page);
+        rm->atomic.op_active = 0;
         kfree(rm->atomic.op_notifier);
 
         return ret;
diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c
index e29a48ef7fc3..a0ac42b3ed06 100644
--- a/net/sched/act_gact.c
+++ b/net/sched/act_gact.c
@@ -159,7 +159,7 @@ static void tcf_gact_stats_update(struct tc_action *a, u64 bytes, u32 packets,
         if (action == TC_ACT_SHOT)
                 this_cpu_ptr(gact->common.cpu_qstats)->drops += packets;
 
-        tm->lastuse = lastuse;
+        tm->lastuse = max_t(u64, tm->lastuse, lastuse);
 }
 
 static int tcf_gact_dump(struct sk_buff *skb, struct tc_action *a,
diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index 8b3e59388480..08b61849c2a2 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -239,7 +239,7 @@ static void tcf_stats_update(struct tc_action *a, u64 bytes, u32 packets,
         struct tcf_t *tm = &m->tcf_tm;
 
         _bstats_cpu_update(this_cpu_ptr(a->cpu_bstats), bytes, packets);
-        tm->lastuse = lastuse;
+        tm->lastuse = max_t(u64, tm->lastuse, lastuse);
 }
 
 static int tcf_mirred_dump(struct sk_buff *skb, struct tc_action *a, int bind,
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 621b5ca3fd1c..141c9c466ec1 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -399,20 +399,24 @@ void sctp_icmp_frag_needed(struct sock *sk, struct sctp_association *asoc,
                 return;
         }
 
-        if (t->param_flags & SPP_PMTUD_ENABLE) {
-                /* Update transports view of the MTU */
-                sctp_transport_update_pmtu(t, pmtu);
-
-                /* Update association pmtu. */
-                sctp_assoc_sync_pmtu(asoc);
-        }
+        if (!(t->param_flags & SPP_PMTUD_ENABLE))
+                /* We can't allow retransmitting in such case, as the
+                 * retransmission would be sized just as before, and thus we
+                 * would get another icmp, and retransmit again.
+                 */
+                return;
 
-        /* Retransmit with the new pmtu setting.
-         * Normally, if PMTU discovery is disabled, an ICMP Fragmentation
-         * Needed will never be sent, but if a message was sent before
-         * PMTU discovery was disabled that was larger than the PMTU, it
-         * would not be fragmented, so it must be re-transmitted fragmented.
+        /* Update transports view of the MTU. Return if no update was needed.
+         * If an update wasn't needed/possible, it also doesn't make sense to
+         * try to retransmit now.
          */
+        if (!sctp_transport_update_pmtu(t, pmtu))
+                return;
+
+        /* Update association pmtu. */
+        sctp_assoc_sync_pmtu(asoc);
+
+        /* Retransmit with the new pmtu setting. */
         sctp_retransmit(&asoc->outqueue, t, SCTP_RTXR_PMTUD);
 }
 
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index b4fb6e4886d2..9b01e994f661 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2277,7 +2277,7 @@ static int sctp_setsockopt_events(struct sock *sk, char __user *optval,
 
                 if (asoc && sctp_outq_is_empty(&asoc->outqueue)) {
                         event = sctp_ulpevent_make_sender_dry_event(asoc,
-                                        GFP_ATOMIC);
+                                        GFP_USER | __GFP_NOWARN);
                         if (!event)
                                 return -ENOMEM;
 
@@ -3498,6 +3498,8 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
 
         if (optlen < sizeof(struct sctp_hmacalgo))
                 return -EINVAL;
+        optlen = min_t(unsigned int, optlen, sizeof(struct sctp_hmacalgo) +
+                                             SCTP_AUTH_NUM_HMACS * sizeof(u16));
 
         hmacs = memdup_user(optval, optlen);
         if (IS_ERR(hmacs))
@@ -3536,6 +3538,11 @@ static int sctp_setsockopt_auth_key(struct sock *sk,
 
         if (optlen <= sizeof(struct sctp_authkey))
                 return -EINVAL;
+        /* authkey->sca_keylength is u16, so optlen can't be bigger than
+         * this.
+         */
+        optlen = min_t(unsigned int, optlen, USHRT_MAX +
+                                             sizeof(struct sctp_authkey));
 
         authkey = memdup_user(optval, optlen);
         if (IS_ERR(authkey))
@@ -3893,6 +3900,9 @@ static int sctp_setsockopt_reset_streams(struct sock *sk,
 
         if (optlen < sizeof(*params))
                 return -EINVAL;
+        /* srs_number_streams is u16, so optlen can't be bigger than this. */
+        optlen = min_t(unsigned int, optlen, USHRT_MAX +
+                                             sizeof(__u16) * sizeof(*params));
 
         params = memdup_user(optval, optlen);
         if (IS_ERR(params))
@@ -5015,7 +5025,7 @@ static int sctp_getsockopt_autoclose(struct sock *sk, int len, char __user *optv
         len = sizeof(int);
         if (put_user(len, optlen))
                 return -EFAULT;
-        if (copy_to_user(optval, &sctp_sk(sk)->autoclose, sizeof(int)))
+        if (copy_to_user(optval, &sctp_sk(sk)->autoclose, len))
                 return -EFAULT;
         return 0;
 }
@@ -5645,6 +5655,9 @@ copy_getaddrs:
                 err = -EFAULT;
                 goto out;
         }
+        /* XXX: We should have accounted for sizeof(struct sctp_getaddrs) too,
+         * but we can't change it anymore.
+         */
         if (put_user(bytes_copied, optlen))
                 err = -EFAULT;
 out:
@@ -6081,7 +6094,7 @@ static int sctp_getsockopt_maxseg(struct sock *sk, int len,
                 params.assoc_id = 0;
         } else if (len >= sizeof(struct sctp_assoc_value)) {
                 len = sizeof(struct sctp_assoc_value);
-                if (copy_from_user(&params, optval, sizeof(params)))
+                if (copy_from_user(&params, optval, len))
                         return -EFAULT;
         } else
                 return -EINVAL;
@@ -6251,7 +6264,9 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
 
         if (len < sizeof(struct sctp_authkeyid))
                 return -EINVAL;
-        if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid)))
+
+        len = sizeof(struct sctp_authkeyid);
+        if (copy_from_user(&val, optval, len))
                 return -EFAULT;
 
         asoc = sctp_id2assoc(sk, val.scact_assoc_id);
@@ -6263,7 +6278,6 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
         else
                 val.scact_keynumber = ep->active_key_id;
 
-        len = sizeof(struct sctp_authkeyid);
         if (put_user(len, optlen))
                 return -EFAULT;
         if (copy_to_user(optval, &val, len))
@@ -6289,7 +6303,7 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
         if (len < sizeof(struct sctp_authchunks))
                 return -EINVAL;
 
-        if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
+        if (copy_from_user(&val, optval, sizeof(val)))
                 return -EFAULT;
 
         to = p->gauth_chunks;
@@ -6334,7 +6348,7 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
         if (len < sizeof(struct sctp_authchunks))
                 return -EINVAL;
 
-        if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
+        if (copy_from_user(&val, optval, sizeof(val)))
                 return -EFAULT;
 
         to = p->gauth_chunks;
diff --git a/net/sctp/stream.c b/net/sctp/stream.c
index 76ea66be0bbe..524dfeb94c41 100644
--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -156,9 +156,9 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt,
         sctp_stream_outq_migrate(stream, NULL, outcnt);
         sched->sched_all(stream);
 
-        i = sctp_stream_alloc_out(stream, outcnt, gfp);
-        if (i)
-                return i;
+        ret = sctp_stream_alloc_out(stream, outcnt, gfp);
+        if (ret)
+                goto out;
 
         stream->outcnt = outcnt;
         for (i = 0; i < stream->outcnt; i++)
@@ -170,19 +170,17 @@ in:
         if (!incnt)
                 goto out;
 
-        i = sctp_stream_alloc_in(stream, incnt, gfp);
-        if (i) {
-                ret = -ENOMEM;
-                goto free;
+        ret = sctp_stream_alloc_in(stream, incnt, gfp);
+        if (ret) {
+                sched->free(stream);
+                kfree(stream->out);
+                stream->out = NULL;
+                stream->outcnt = 0;
+                goto out;
         }
 
         stream->incnt = incnt;
-        goto out;
 
-free:
-        sched->free(stream);
-        kfree(stream->out);
-        stream->out = NULL;
 out:
         return ret;
 }
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index 1e5a22430cf5..47f82bd794d9 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -248,28 +248,37 @@ void sctp_transport_pmtu(struct sctp_transport *transport, struct sock *sk)
                 transport->pathmtu = SCTP_DEFAULT_MAXSEGMENT;
 }
 
-void sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu)
+bool sctp_transport_update_pmtu(struct sctp_transport *t, u32 pmtu)
 {
         struct dst_entry *dst = sctp_transport_dst_check(t);
+        bool change = true;
 
         if (unlikely(pmtu < SCTP_DEFAULT_MINSEGMENT)) {
-                pr_warn("%s: Reported pmtu %d too low, using default minimum of %d\n",
-                        __func__, pmtu, SCTP_DEFAULT_MINSEGMENT);
-                /* Use default minimum segment size and disable
-                 * pmtu discovery on this transport.
-                 */
-                t->pathmtu = SCTP_DEFAULT_MINSEGMENT;
-        } else {
-                t->pathmtu = pmtu;
+                pr_warn_ratelimited("%s: Reported pmtu %d too low, using default minimum of %d\n",
+                                    __func__, pmtu, SCTP_DEFAULT_MINSEGMENT);
+                /* Use default minimum segment instead */
+                pmtu = SCTP_DEFAULT_MINSEGMENT;
         }
+        pmtu = SCTP_TRUNC4(pmtu);
 
         if (dst) {
                 dst->ops->update_pmtu(dst, t->asoc->base.sk, NULL, pmtu);
                 dst = sctp_transport_dst_check(t);
         }
 
-        if (!dst)
+        if (!dst) {
                 t->af_specific->get_dst(t, &t->saddr, &t->fl, t->asoc->base.sk);
+                dst = t->dst;
+        }
+
+        if (dst) {
+                /* Re-fetch, as under layers may have a higher minimum size */
+                pmtu = SCTP_TRUNC4(dst_mtu(dst));
+                change = t->pathmtu != pmtu;
+        }
+        t->pathmtu = pmtu;
+
+        return change;
 }
 
 /* Caches the dst entry and source address for a transport's destination
diff --git a/net/socket.c b/net/socket.c
index 05f361faec45..6f05d5c4bf30 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -436,8 +436,10 @@ static int sock_map_fd(struct socket *sock, int flags)
 {
         struct file *newfile;
         int fd = get_unused_fd_flags(flags);
-        if (unlikely(fd < 0))
+        if (unlikely(fd < 0)) {
+                sock_release(sock);
                 return fd;
+        }
 
         newfile = sock_alloc_file(sock, flags, NULL);
         if (likely(!IS_ERR(newfile))) {
@@ -2619,6 +2621,15 @@ out_fs:
 
 core_initcall(sock_init);       /* early initcall */
 
+static int __init jit_init(void)
+{
+#ifdef CONFIG_BPF_JIT_ALWAYS_ON
+        bpf_jit_enable = 1;
+#endif
+        return 0;
+}
+pure_initcall(jit_init);
+
 #ifdef CONFIG_PROC_FS
 void socket_seq_show(struct seq_file *seq)
 {
diff --git a/net/tipc/group.c b/net/tipc/group.c
index 8e12ab55346b..5f4ffae807ee 100644
--- a/net/tipc/group.c
+++ b/net/tipc/group.c
@@ -109,7 +109,8 @@ static void tipc_group_proto_xmit(struct tipc_group *grp, struct tipc_member *m,
 static void tipc_group_decr_active(struct tipc_group *grp,
                                    struct tipc_member *m)
 {
-        if (m->state == MBR_ACTIVE || m->state == MBR_RECLAIMING)
+        if (m->state == MBR_ACTIVE || m->state == MBR_RECLAIMING ||
+            m->state == MBR_REMITTED)
                 grp->active_cnt--;
 }
 
@@ -562,7 +563,7 @@ void tipc_group_update_rcv_win(struct tipc_group *grp, int blks, u32 node,
         int max_active = grp->max_active;
         int reclaim_limit = max_active * 3 / 4;
         int active_cnt = grp->active_cnt;
-        struct tipc_member *m, *rm;
+        struct tipc_member *m, *rm, *pm;
 
         m = tipc_group_find_member(grp, node, port);
         if (!m)
@@ -605,6 +606,17 @@ void tipc_group_update_rcv_win(struct tipc_group *grp, int blks, u32 node,
                         pr_warn_ratelimited("Rcv unexpected msg after REMIT\n");
                         tipc_group_proto_xmit(grp, m, GRP_ADV_MSG, xmitq);
                 }
+                grp->active_cnt--;
+                list_del_init(&m->list);
+                if (list_empty(&grp->pending))
+                        return;
+
+                /* Set oldest pending member to active and advertise */
+                pm = list_first_entry(&grp->pending, struct tipc_member, list);
+                pm->state = MBR_ACTIVE;
+                list_move_tail(&pm->list, &grp->active);
+                grp->active_cnt++;
+                tipc_group_proto_xmit(grp, pm, GRP_ADV_MSG, xmitq);
                 break;
         case MBR_RECLAIMING:
         case MBR_DISCOVERED:
@@ -742,14 +754,14 @@ void tipc_group_proto_rcv(struct tipc_group *grp, bool *usr_wakeup,
                 if (!m || m->state != MBR_RECLAIMING)
                         return;
 
-                list_del_init(&m->list);
-                grp->active_cnt--;
                 remitted = msg_grp_remitted(hdr);
 
                 /* Messages preceding the REMIT still in receive queue */
                 if (m->advertised > remitted) {
                         m->state = MBR_REMITTED;
                         in_flight = m->advertised - remitted;
+                        m->advertised = ADV_IDLE + in_flight;
+                        return;
                 }
                 /* All messages preceding the REMIT have been read */
                 if (m->advertised <= remitted) {
@@ -761,6 +773,8 @@ void tipc_group_proto_rcv(struct tipc_group *grp, bool *usr_wakeup,
                         tipc_group_proto_xmit(grp, m, GRP_ADV_MSG, xmitq);
 
                 m->advertised = ADV_IDLE + in_flight;
+                grp->active_cnt--;
+                list_del_init(&m->list);
 
                 /* Set oldest pending member to active and advertise */
                 if (list_empty(&grp->pending))
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 213d0c498c97..2b3dbcd40e46 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -11361,7 +11361,8 @@ static int nl80211_nan_add_func(struct sk_buff *skb,
                 break;
         case NL80211_NAN_FUNC_FOLLOW_UP:
                 if (!tb[NL80211_NAN_FUNC_FOLLOW_UP_ID] ||
-                    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID]) {
+                    !tb[NL80211_NAN_FUNC_FOLLOW_UP_REQ_ID] ||
+                    !tb[NL80211_NAN_FUNC_FOLLOW_UP_DEST]) {
                         err = -EINVAL;
                         goto out;
                 }