Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:
 "The iwlwifi firmware compat fix is in here as well as some other
  stuff:

  1) Fix request socket leak introduced by BPF deadlock fix, from Eric
     Dumazet.

  2) Fix VLAN handling with TXQs in mac80211, from Johannes Berg.

  3) Missing __qdisc_drop conversions in prio and qfq schedulers, from
     Gao Feng.

  4) Use after free in netlink nlk groups handling, from Xin Long.

  5) Handle MTU update properly in ipv6 gre tunnels, from Xin Long.

  6) Fix leak of ipv6 fib tables on netns teardown, from Sabrina Dubroca
     with follow-on fix from Eric Dumazet.

  7) Need RCU and preemption disabled during generic XDP data patch,
     from John Fastabend"

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (54 commits)
  bpf: make error reporting in bpf_warn_invalid_xdp_action more clear
  Revert "mdio_bus: Remove unneeded gpiod NULL check"
  bpf: devmap, use cond_resched instead of cpu_relax
  bpf: add support for sockmap detach programs
  net: rcu lock and preempt disable missing around generic xdp
  bpf: don't select potentially stale ri->map from buggy xdp progs
  net: tulip: Constify tulip_tbl
  net: ethernet: ti: netcp_core: no need in netif_napi_del
  davicom: Display proper debug level up to 6
  net: phy: sfp: rename dt properties to match the binding
  dt-binding: net: sfp binding documentation
  dt-bindings: add SFF vendor prefix
  dt-bindings: net: don't confuse with generic PHY property
  ip6_tunnel: fix setting hop_limit value for ipv6 tunnel
  ip_tunnel: fix setting ttl and tos value in collect_md mode
  ipv6: fix typo in fib6_net_exit()
  tcp: fix a request socket leak
  sctp: fix missing wake ups in some situations
  netfilter: xt_hashlimit: fix build error caused by 64bit division
  netfilter: xt_hashlimit: alloc hashtable with right size
  ...

35 files changed, 323 insertions, 177 deletions

diff --git a/net/core/dev.c b/net/core/dev.c
index 6f845e4fec17..fb766d906148 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3981,8 +3981,13 @@ static int netif_rx_internal(struct sk_buff *skb)
         trace_netif_rx(skb);
 
         if (static_key_false(&generic_xdp_needed)) {
-                int ret = do_xdp_generic(rcu_dereference(skb->dev->xdp_prog),
-                                         skb);
+                int ret;
+
+                preempt_disable();
+                rcu_read_lock();
+                ret = do_xdp_generic(rcu_dereference(skb->dev->xdp_prog), skb);
+                rcu_read_unlock();
+                preempt_enable();
 
                 /* Consider XDP consuming the packet a success from
                  * the netdev point of view we do not want to count
@@ -4500,18 +4505,20 @@ static int netif_receive_skb_internal(struct sk_buff *skb)
         if (skb_defer_rx_timestamp(skb))
                 return NET_RX_SUCCESS;
 
-        rcu_read_lock();
-
         if (static_key_false(&generic_xdp_needed)) {
-                int ret = do_xdp_generic(rcu_dereference(skb->dev->xdp_prog),
-                                         skb);
+                int ret;
 
-                if (ret != XDP_PASS) {
-                        rcu_read_unlock();
+                preempt_disable();
+                rcu_read_lock();
+                ret = do_xdp_generic(rcu_dereference(skb->dev->xdp_prog), skb);
+                rcu_read_unlock();
+                preempt_enable();
+
+                if (ret != XDP_PASS)
                         return NET_RX_DROP;
-                }
         }
 
+        rcu_read_lock();
 #ifdef CONFIG_RPS
         if (static_key_false(&rps_needed)) {
                 struct rps_dev_flow voidflow, *rflow = &voidflow;
diff --git a/net/core/filter.c b/net/core/filter.c
index 5912c738a7b2..3a50a9b021e2 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1794,6 +1794,7 @@ struct redirect_info {
         u32 flags;
         struct bpf_map *map;
         struct bpf_map *map_to_flush;
+        const struct bpf_prog *map_owner;
 };
 
 static DEFINE_PER_CPU(struct redirect_info, redirect_info);
@@ -1807,7 +1808,6 @@ BPF_CALL_2(bpf_redirect, u32, ifindex, u64, flags)
 
         ri->ifindex = ifindex;
         ri->flags = flags;
-        ri->map = NULL;
 
         return TC_ACT_REDIRECT;
 }
@@ -2504,6 +2504,7 @@ static int xdp_do_redirect_map(struct net_device *dev, struct xdp_buff *xdp,
                                struct bpf_prog *xdp_prog)
 {
         struct redirect_info *ri = this_cpu_ptr(&redirect_info);
+        const struct bpf_prog *map_owner = ri->map_owner;
         struct bpf_map *map = ri->map;
         u32 index = ri->ifindex;
         struct net_device *fwd;
@@ -2511,6 +2512,15 @@ static int xdp_do_redirect_map(struct net_device *dev, struct xdp_buff *xdp,
 
         ri->ifindex = 0;
         ri->map = NULL;
+        ri->map_owner = NULL;
+
+        /* This is really only caused by a deliberately crappy
+         * BPF program, normally we would never hit that case,
+         * so no need to inform someone via tracepoints either,
+         * just bail out.
+         */
+        if (unlikely(map_owner != xdp_prog))
+                return -EINVAL;
 
         fwd = __dev_map_lookup_elem(map, index);
         if (!fwd) {
@@ -2607,6 +2617,8 @@ BPF_CALL_2(bpf_xdp_redirect, u32, ifindex, u64, flags)
 
         ri->ifindex = ifindex;
         ri->flags = flags;
+        ri->map = NULL;
+        ri->map_owner = NULL;
 
         return XDP_REDIRECT;
 }
@@ -2619,7 +2631,8 @@ static const struct bpf_func_proto bpf_xdp_redirect_proto = {
         .arg2_type      = ARG_ANYTHING,
 };
 
-BPF_CALL_3(bpf_xdp_redirect_map, struct bpf_map *, map, u32, ifindex, u64, flags)
+BPF_CALL_4(bpf_xdp_redirect_map, struct bpf_map *, map, u32, ifindex, u64, flags,
+           const struct bpf_prog *, map_owner)
 {
         struct redirect_info *ri = this_cpu_ptr(&redirect_info);
 
@@ -2629,10 +2642,14 @@ BPF_CALL_3(bpf_xdp_redirect_map, struct bpf_map *, map, u32, ifindex, u64, flags
         ri->ifindex = ifindex;
         ri->flags = flags;
         ri->map = map;
+        ri->map_owner = map_owner;
 
         return XDP_REDIRECT;
 }
 
+/* Note, arg4 is hidden from users and populated by the verifier
+ * with the right pointer.
+ */
 static const struct bpf_func_proto bpf_xdp_redirect_map_proto = {
         .func           = bpf_xdp_redirect_map,
         .gpl_only       = false,
@@ -3592,7 +3609,11 @@ static bool xdp_is_valid_access(int off, int size,
 
 void bpf_warn_invalid_xdp_action(u32 act)
 {
-        WARN_ONCE(1, "Illegal XDP return value %u, expect packet loss\n", act);
+        const u32 act_max = XDP_REDIRECT;
+
+        WARN_ONCE(1, "%s XDP return value %u, expect packet loss!\n",
+                  act > act_max ? "Illegal" : "Driver unsupported",
+                  act);
 }
 EXPORT_SYMBOL_GPL(bpf_warn_invalid_xdp_action);
 
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 68065d7d383f..16982de649b9 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -710,14 +710,11 @@ EXPORT_SYMBOL(consume_skb);
  *      consume_stateless_skb - free an skbuff, assuming it is stateless
  *      @skb: buffer to free
  *
- *      Works like consume_skb(), but this variant assumes that all the head
- *      states have been already dropped.
+ *      Alike consume_skb(), but this variant assumes that this is the last
+ *      skb reference and all the head states have been already dropped
  */
-void consume_stateless_skb(struct sk_buff *skb)
+void __consume_stateless_skb(struct sk_buff *skb)
 {
-        if (!skb_unref(skb))
-                return;
-
         trace_consume_skb(skb);
         skb_release_data(skb);
         kfree_skbmem(skb);
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 129d1a3616f8..e1856bfa753d 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -618,8 +618,8 @@ void ip_md_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, u8 proto)
                 ip_rt_put(rt);
                 goto tx_dropped;
         }
-        iptunnel_xmit(NULL, rt, skb, fl4.saddr, fl4.daddr, proto, key->tos,
-                      key->ttl, df, !net_eq(tunnel->net, dev_net(dev)));
+        iptunnel_xmit(NULL, rt, skb, fl4.saddr, fl4.daddr, proto, tos, ttl,
+                      df, !net_eq(tunnel->net, dev_net(dev)));
         return;
 tx_error:
         dev->stats.tx_errors++;
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index e04457198f93..9e2770fd00be 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -629,6 +629,7 @@ static void get_counters(const struct xt_table_info *t,
 
                         ADD_COUNTER(counters[i], bcnt, pcnt);
                         ++i;
+                        cond_resched();
                 }
         }
 }
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 576cba2b57e9..39286e543ee6 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -776,6 +776,7 @@ get_counters(const struct xt_table_info *t,
 
                         ADD_COUNTER(counters[i], bcnt, pcnt);
                         ++i; /* macro does multi eval of i */
+                        cond_resched();
                 }
         }
 }
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index a63486afa7a7..d9416b5162bc 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1669,9 +1669,9 @@ process:
                  */
                 sock_hold(sk);
                 refcounted = true;
-                if (tcp_filter(sk, skb))
-                        goto discard_and_relse;
-                nsk = tcp_check_req(sk, skb, req, false);
+                nsk = NULL;
+                if (!tcp_filter(sk, skb))
+                        nsk = tcp_check_req(sk, skb, req, false);
                 if (!nsk) {
                         reqsk_put(req);
                         goto discard_and_relse;
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index db1c9e78c83c..ef29df8648e4 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1397,12 +1397,15 @@ void skb_consume_udp(struct sock *sk, struct sk_buff *skb, int len)
                 unlock_sock_fast(sk, slow);
         }
 
+        if (!skb_unref(skb))
+                return;
+
         /* In the more common cases we cleared the head states previously,
          * see __udp_queue_rcv_skb().
          */
         if (unlikely(udp_skb_has_head_state(skb)))
                 skb_release_head_state(skb);
-        consume_stateless_skb(skb);
+        __consume_stateless_skb(skb);
 }
 EXPORT_SYMBOL_GPL(skb_consume_udp);
 
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index a3b5c163325f..e5308d7cbd75 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -191,6 +191,12 @@ void rt6_free_pcpu(struct rt6_info *non_pcpu_rt)
 }
 EXPORT_SYMBOL_GPL(rt6_free_pcpu);
 
+static void fib6_free_table(struct fib6_table *table)
+{
+        inetpeer_invalidate_tree(&table->tb6_peers);
+        kfree(table);
+}
+
 static void fib6_link_table(struct net *net, struct fib6_table *tb)
 {
         unsigned int h;
@@ -2022,15 +2028,22 @@ out_timer:
 
 static void fib6_net_exit(struct net *net)
 {
+        unsigned int i;
+
         rt6_ifdown(net, NULL);
         del_timer_sync(&net->ipv6.ip6_fib_timer);
 
-#ifdef CONFIG_IPV6_MULTIPLE_TABLES
-        inetpeer_invalidate_tree(&net->ipv6.fib6_local_tbl->tb6_peers);
-        kfree(net->ipv6.fib6_local_tbl);
-#endif
-        inetpeer_invalidate_tree(&net->ipv6.fib6_main_tbl->tb6_peers);
-        kfree(net->ipv6.fib6_main_tbl);
+        for (i = 0; i < FIB6_TABLE_HASHSZ; i++) {
+                struct hlist_head *head = &net->ipv6.fib_table_hash[i];
+                struct hlist_node *tmp;
+                struct fib6_table *tb;
+
+                hlist_for_each_entry_safe(tb, tmp, head, tb6_hlist) {
+                        hlist_del(&tb->tb6_hlist);
+                        fib6_free_table(tb);
+                }
+        }
+
         kfree(net->ipv6.fib_table_hash);
         kfree(net->ipv6.rt6_stats);
         fib6_notifier_exit(net);
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 67ff2aaf5dcb..b7a72d409334 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -432,7 +432,9 @@ static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                 }
                 break;
         case ICMPV6_PKT_TOOBIG:
-                mtu = be32_to_cpu(info) - offset;
+                mtu = be32_to_cpu(info) - offset - t->tun_hlen;
+                if (t->dev->type == ARPHRD_ETHER)
+                        mtu -= ETH_HLEN;
                 if (mtu < IPV6_MIN_MTU)
                         mtu = IPV6_MIN_MTU;
                 t->dev->mtu = mtu;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 3a0ba2ae4b0f..10a693a19323 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1184,6 +1184,7 @@ route_lookup:
                 init_tel_txopt(&opt, encap_limit);
                 ipv6_push_frag_opts(skb, &opt.ops, &proto);
         }
+        hop_limit = hop_limit ? : ip6_dst_hoplimit(dst);
 
         /* Calculate max headroom for all the headers and adjust
          * needed_headroom if necessary.
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 54b1e75eded1..01bd3ee5ebc6 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -795,6 +795,7 @@ get_counters(const struct xt_table_info *t,
 
                         ADD_COUNTER(counters[i], bcnt, pcnt);
                         ++i;
+                        cond_resched();
                 }
         }
 }
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 38f76d8b231e..64d94afa427f 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1460,9 +1460,9 @@ process:
                 }
                 sock_hold(sk);
                 refcounted = true;
-                if (tcp_filter(sk, skb))
-                        goto discard_and_relse;
-                nsk = tcp_check_req(sk, skb, req, false);
+                nsk = NULL;
+                if (!tcp_filter(sk, skb))
+                        nsk = tcp_check_req(sk, skb, req, false);
                 if (!nsk) {
                         reqsk_put(req);
                         goto discard_and_relse;
diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index 2b36eff5d97e..2849a1fc41c5 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -245,10 +245,10 @@ static void ieee80211_send_addba_resp(struct ieee80211_sub_if_data *sdata, u8 *d
         ieee80211_tx_skb(sdata, skb);
 }
 
-void __ieee80211_start_rx_ba_session(struct sta_info *sta,
-                                     u8 dialog_token, u16 timeout,
-                                     u16 start_seq_num, u16 ba_policy, u16 tid,
-                                     u16 buf_size, bool tx, bool auto_seq)
+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
+                                      u8 dialog_token, u16 timeout,
+                                      u16 start_seq_num, u16 ba_policy, u16 tid,
+                                      u16 buf_size, bool tx, bool auto_seq)
 {
         struct ieee80211_local *local = sta->sdata->local;
         struct tid_ampdu_rx *tid_agg_rx;
@@ -267,7 +267,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
                 ht_dbg(sta->sdata,
                        "STA %pM requests BA session on unsupported tid %d\n",
                        sta->sta.addr, tid);
-                goto end_no_lock;
+                goto end;
         }
 
         if (!sta->sta.ht_cap.ht_supported) {
@@ -275,14 +275,14 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
                        "STA %pM erroneously requests BA session on tid %d w/o QoS\n",
                        sta->sta.addr, tid);
                 /* send a response anyway, it's an error case if we get here */
-                goto end_no_lock;
+                goto end;
         }
 
         if (test_sta_flag(sta, WLAN_STA_BLOCK_BA)) {
                 ht_dbg(sta->sdata,
                        "Suspend in progress - Denying ADDBA request (%pM tid %d)\n",
                        sta->sta.addr, tid);
-                goto end_no_lock;
+                goto end;
         }
 
         /* sanity check for incoming parameters:
@@ -296,7 +296,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
                 ht_dbg_ratelimited(sta->sdata,
                                    "AddBA Req with bad params from %pM on tid %u. policy %d, buffer size %d\n",
                                    sta->sta.addr, tid, ba_policy, buf_size);
-                goto end_no_lock;
+                goto end;
         }
         /* determine default buffer size */
         if (buf_size == 0)
@@ -311,7 +311,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
                buf_size, sta->sta.addr);
 
         /* examine state machine */
-        mutex_lock(&sta->ampdu_mlme.mtx);
+        lockdep_assert_held(&sta->ampdu_mlme.mtx);
 
         if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) {
                 if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) {
@@ -415,15 +415,25 @@ end:
                 __clear_bit(tid, sta->ampdu_mlme.unexpected_agg);
                 sta->ampdu_mlme.tid_rx_token[tid] = dialog_token;
         }
-        mutex_unlock(&sta->ampdu_mlme.mtx);
 
-end_no_lock:
         if (tx)
                 ieee80211_send_addba_resp(sta->sdata, sta->sta.addr, tid,
                                           dialog_token, status, 1, buf_size,
                                           timeout);
 }
 
+void __ieee80211_start_rx_ba_session(struct sta_info *sta,
+                                     u8 dialog_token, u16 timeout,
+                                     u16 start_seq_num, u16 ba_policy, u16 tid,
+                                     u16 buf_size, bool tx, bool auto_seq)
+{
+        mutex_lock(&sta->ampdu_mlme.mtx);
+        ___ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
+                                         start_seq_num, ba_policy, tid,
+                                         buf_size, tx, auto_seq);
+        mutex_unlock(&sta->ampdu_mlme.mtx);
+}
+
 void ieee80211_process_addba_request(struct ieee80211_local *local,
                                      struct sta_info *sta,
                                      struct ieee80211_mgmt *mgmt,
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index cbd48762256c..bef516ec47f9 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -226,7 +226,11 @@ ieee80211_agg_start_txq(struct sta_info *sta, int tid, bool enable)
                 clear_bit(IEEE80211_TXQ_AMPDU, &txqi->flags);
 
         clear_bit(IEEE80211_TXQ_STOP, &txqi->flags);
+        local_bh_disable();
+        rcu_read_lock();
         drv_wake_tx_queue(sta->sdata->local, txqi);
+        rcu_read_unlock();
+        local_bh_enable();
 }
 
 /*
@@ -436,7 +440,7 @@ static void sta_addba_resp_timer_expired(unsigned long data)
             test_bit(HT_AGG_STATE_RESPONSE_RECEIVED, &tid_tx->state)) {
                 rcu_read_unlock();
                 ht_dbg(sta->sdata,
-                       "timer expired on %pM tid %d but we are not (or no longer) expecting addBA response there\n",
+                       "timer expired on %pM tid %d not expecting addBA response\n",
                        sta->sta.addr, tid);
                 return;
         }
@@ -639,7 +643,7 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid,
             time_before(jiffies, sta->ampdu_mlme.last_addba_req_time[tid] +
                         HT_AGG_RETRIES_PERIOD)) {
                 ht_dbg(sdata,
-                       "BA request denied - waiting a grace period after %d failed requests on %pM tid %u\n",
+                       "BA request denied - %d failed requests on %pM tid %u\n",
                        sta->ampdu_mlme.addba_req_num[tid], sta->sta.addr, tid);
                 ret = -EBUSY;
                 goto err_unlock_sta;
diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
index c92df492e898..d6d0b4201e40 100644
--- a/net/mac80211/ht.c
+++ b/net/mac80211/ht.c
@@ -300,6 +300,24 @@ void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
 
         /* stopping might queue the work again - so cancel only afterwards */
         cancel_work_sync(&sta->ampdu_mlme.work);
+
+        /*
+         * In case the tear down is part of a reconfigure due to HW restart
+         * request, it is possible that the low level driver requested to stop
+         * the BA session, so handle it to properly clean tid_tx data.
+         */
+        mutex_lock(&sta->ampdu_mlme.mtx);
+        for (i = 0; i < IEEE80211_NUM_TIDS; i++) {
+                struct tid_ampdu_tx *tid_tx =
+                        rcu_dereference_protected_tid_tx(sta, i);
+
+                if (!tid_tx)
+                        continue;
+
+                if (test_and_clear_bit(HT_AGG_STATE_STOP_CB, &tid_tx->state))
+                        ieee80211_stop_tx_ba_cb(sta, i, tid_tx);
+        }
+        mutex_unlock(&sta->ampdu_mlme.mtx);
 }
 
 void ieee80211_ba_session_work(struct work_struct *work)
@@ -333,9 +351,9 @@ void ieee80211_ba_session_work(struct work_struct *work)
 
                 if (test_and_clear_bit(tid,
                                        sta->ampdu_mlme.tid_rx_manage_offl))
-                        __ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
-                                                        IEEE80211_MAX_AMPDU_BUF,
-                                                        false, true);
+                        ___ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
+                                                         IEEE80211_MAX_AMPDU_BUF,
+                                                         false, true);
 
                 if (test_and_clear_bit(tid + IEEE80211_NUM_TIDS,
                                        sta->ampdu_mlme.tid_rx_manage_offl))
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 2197c62a0a6e..9675814f64db 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1760,6 +1760,10 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
                                      u8 dialog_token, u16 timeout,
                                      u16 start_seq_num, u16 ba_policy, u16 tid,
                                      u16 buf_size, bool tx, bool auto_seq);
+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
+                                      u8 dialog_token, u16 timeout,
+                                      u16 start_seq_num, u16 ba_policy, u16 tid,
+                                      u16 buf_size, bool tx, bool auto_seq);
 void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
                                          enum ieee80211_agg_stop_reason reason);
 void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 9228ac73c429..f75029abf728 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -731,7 +731,8 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
             sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
             local->ops->wake_tx_queue) {
                 /* XXX: for AP_VLAN, actually track AP queues */
-                netif_tx_start_all_queues(dev);
+                if (dev)
+                        netif_tx_start_all_queues(dev);
         } else if (dev) {
                 unsigned long flags;
                 int n_acs = IEEE80211_NUM_ACS;
@@ -792,6 +793,7 @@ static int ieee80211_open(struct net_device *dev)
 static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
                               bool going_down)
 {
+        struct ieee80211_sub_if_data *txq_sdata = sdata;
         struct ieee80211_local *local = sdata->local;
         struct fq *fq = &local->fq;
         unsigned long flags;
@@ -937,6 +939,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
 
         switch (sdata->vif.type) {
         case NL80211_IFTYPE_AP_VLAN:
+                txq_sdata = container_of(sdata->bss,
+                                         struct ieee80211_sub_if_data, u.ap);
+
                 mutex_lock(&local->mtx);
                 list_del(&sdata->u.vlan.list);
                 mutex_unlock(&local->mtx);
@@ -1007,8 +1012,17 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
         }
         spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
 
-        if (sdata->vif.txq) {
-                struct txq_info *txqi = to_txq_info(sdata->vif.txq);
+        if (txq_sdata->vif.txq) {
+                struct txq_info *txqi = to_txq_info(txq_sdata->vif.txq);
+
+                /*
+                 * FIXME FIXME
+                 *
+                 * We really shouldn't purge the *entire* txqi since that
+                 * contains frames for the other AP_VLANs (and possibly
+                 * the AP itself) as well, but there's no API in FQ now
+                 * to be able to filter.
+                 */
 
                 spin_lock_bh(&fq->lock);
                 ieee80211_txq_purge(local, txqi);
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index b588e593b0ec..3b8e2709d8de 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3155,7 +3155,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
         if (len < 24 + 6)
                 return;
 
-        reassoc = ieee80211_is_reassoc_req(mgmt->frame_control);
+        reassoc = ieee80211_is_reassoc_resp(mgmt->frame_control);
         capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
         status_code = le16_to_cpu(mgmt->u.assoc_resp.status_code);
         aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index f8e7a8bbc618..faf4f6055000 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -707,6 +707,8 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local,
         if (!cookie)
                 return -ENOENT;
 
+        flush_work(&local->hw_roc_start);
+
         mutex_lock(&local->mtx);
         list_for_each_entry_safe(roc, tmp, &local->roc_list, list) {
                 if (!mgmt_tx && roc->cookie != cookie)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 8858f4f185e9..94826680cf2b 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1276,11 +1276,6 @@ static void ieee80211_set_skb_enqueue_time(struct sk_buff *skb)
         IEEE80211_SKB_CB(skb)->control.enqueue_time = codel_get_time();
 }
 
-static void ieee80211_set_skb_vif(struct sk_buff *skb, struct txq_info *txqi)
-{
-        IEEE80211_SKB_CB(skb)->control.vif = txqi->txq.vif;
-}
-
 static u32 codel_skb_len_func(const struct sk_buff *skb)
 {
         return skb->len;
@@ -3414,6 +3409,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
         struct ieee80211_tx_info *info;
         struct ieee80211_tx_data tx;
         ieee80211_tx_result r;
+        struct ieee80211_vif *vif;
 
         spin_lock_bh(&fq->lock);
 
@@ -3430,8 +3426,6 @@ begin:
         if (!skb)
                 goto out;
 
-        ieee80211_set_skb_vif(skb, txqi);
-
         hdr = (struct ieee80211_hdr *)skb->data;
         info = IEEE80211_SKB_CB(skb);
 
@@ -3488,6 +3482,34 @@ begin:
                 }
         }
 
+        switch (tx.sdata->vif.type) {
+        case NL80211_IFTYPE_MONITOR:
+                if (tx.sdata->u.mntr.flags & MONITOR_FLAG_ACTIVE) {
+                        vif = &tx.sdata->vif;
+                        break;
+                }
+                tx.sdata = rcu_dereference(local->monitor_sdata);
+                if (tx.sdata) {
+                        vif = &tx.sdata->vif;
+                        info->hw_queue =
+                                vif->hw_queue[skb_get_queue_mapping(skb)];
+                } else if (ieee80211_hw_check(&local->hw, QUEUE_CONTROL)) {
+                        ieee80211_free_txskb(&local->hw, skb);
+                        goto begin;
+                } else {
+                        vif = NULL;
+                }
+                break;
+        case NL80211_IFTYPE_AP_VLAN:
+                tx.sdata = container_of(tx.sdata->bss,
+                                        struct ieee80211_sub_if_data, u.ap);
+                /* fall through */
+        default:
+                vif = &tx.sdata->vif;
+                break;
+        }
+
+        IEEE80211_SKB_CB(skb)->control.vif = vif;
 out:
         spin_unlock_bh(&fq->lock);
 
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 259698de569f..6aef6793d052 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1436,7 +1436,7 @@ static int ieee80211_build_preq_ies_band(struct ieee80211_local *local,
                         WLAN_EID_SSID_LIST,
                         WLAN_EID_CHANNEL_USAGE,
                         WLAN_EID_INTERWORKING,
-                        /* mesh ID can't happen here */
+                        WLAN_EID_MESH_ID,
                         /* 60 GHz can't happen here right now */
                 };
                 noffset = ieee80211_ie_split(ie, ie_len,
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 04fe25abc5f6..52cd2901a097 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -215,7 +215,7 @@ static void *__nf_hook_entries_try_shrink(struct nf_hook_entries __rcu **pp)
         if (skip == hook_entries)
                 goto out_assign;
 
-        if (WARN_ON(skip == 0))
+        if (skip == 0)
                 return NULL;
 
         hook_entries -= skip;
diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c
index e1efa446b305..57c8ee66491e 100644
--- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
@@ -24,9 +24,13 @@ sctp_conn_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
                 if (sh) {
                         sch = skb_header_pointer(skb, iph->len + sizeof(_sctph),
                                                  sizeof(_schunkh), &_schunkh);
-                        if (sch && (sch->type == SCTP_CID_INIT ||
-                                    sysctl_sloppy_sctp(ipvs)))
+                        if (sch) {
+                                if (sch->type == SCTP_CID_ABORT ||
+                                    !(sysctl_sloppy_sctp(ipvs) ||
+                                      sch->type == SCTP_CID_INIT))
+                                        return 1;
                                 ports = &sh->source;
+                        }
                 }
         } else {
                 ports = skb_header_pointer(
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 40573aa6c133..f393a7086025 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -30,19 +30,17 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 #include <linux/netfilter/nf_nat.h>
 
+static spinlock_t nf_nat_locks[CONNTRACK_LOCKS];
+
 static DEFINE_MUTEX(nf_nat_proto_mutex);
 static const struct nf_nat_l3proto __rcu *nf_nat_l3protos[NFPROTO_NUMPROTO]
                                                 __read_mostly;
 static const struct nf_nat_l4proto __rcu **nf_nat_l4protos[NFPROTO_NUMPROTO]
                                                 __read_mostly;
 
-struct nf_nat_conn_key {
-        const struct net *net;
-        const struct nf_conntrack_tuple *tuple;
-        const struct nf_conntrack_zone *zone;
-};
-
-static struct rhltable nf_nat_bysource_table;
+static struct hlist_head *nf_nat_bysource __read_mostly;
+static unsigned int nf_nat_htable_size __read_mostly;
+static unsigned int nf_nat_hash_rnd __read_mostly;
 
 inline const struct nf_nat_l3proto *
 __nf_nat_l3proto_find(u8 family)
@@ -118,17 +116,19 @@ int nf_xfrm_me_harder(struct net *net, struct sk_buff *skb, unsigned int family)
 EXPORT_SYMBOL(nf_xfrm_me_harder);
 #endif /* CONFIG_XFRM */
 
-static u32 nf_nat_bysource_hash(const void *data, u32 len, u32 seed)
+/* We keep an extra hash for each conntrack, for fast searching. */
+static unsigned int
+hash_by_src(const struct net *n, const struct nf_conntrack_tuple *tuple)
 {
-        const struct nf_conntrack_tuple *t;
-        const struct nf_conn *ct = data;
+        unsigned int hash;
+
+        get_random_once(&nf_nat_hash_rnd, sizeof(nf_nat_hash_rnd));
 
-        t = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
         /* Original src, to ensure we map it consistently if poss. */
+        hash = jhash2((u32 *)&tuple->src, sizeof(tuple->src) / sizeof(u32),
+                      tuple->dst.protonum ^ nf_nat_hash_rnd ^ net_hash_mix(n));
 
-        seed ^= net_hash_mix(nf_ct_net(ct));
-        return jhash2((const u32 *)&t->src, sizeof(t->src) / sizeof(u32),
-                      t->dst.protonum ^ seed);
+        return reciprocal_scale(hash, nf_nat_htable_size);
 }
 
 /* Is this tuple already taken? (not by us) */
@@ -184,28 +184,6 @@ same_src(const struct nf_conn *ct,
                 t->src.u.all == tuple->src.u.all);
 }
 
-static int nf_nat_bysource_cmp(struct rhashtable_compare_arg *arg,
-                               const void *obj)
-{
-        const struct nf_nat_conn_key *key = arg->key;
-        const struct nf_conn *ct = obj;
-
-        if (!same_src(ct, key->tuple) ||
-            !net_eq(nf_ct_net(ct), key->net) ||
-            !nf_ct_zone_equal(ct, key->zone, IP_CT_DIR_ORIGINAL))
-                return 1;
-
-        return 0;
-}
-
-static struct rhashtable_params nf_nat_bysource_params = {
-        .head_offset = offsetof(struct nf_conn, nat_bysource),
-        .obj_hashfn = nf_nat_bysource_hash,
-        .obj_cmpfn = nf_nat_bysource_cmp,
-        .nelem_hint = 256,
-        .min_size = 1024,
-};
-
 /* Only called for SRC manip */
 static int
 find_appropriate_src(struct net *net,
@@ -216,26 +194,22 @@ find_appropriate_src(struct net *net,
                      struct nf_conntrack_tuple *result,
                      const struct nf_nat_range *range)
 {
+        unsigned int h = hash_by_src(net, tuple);
         const struct nf_conn *ct;
-        struct nf_nat_conn_key key = {
-                .net = net,
-                .tuple = tuple,
-                .zone = zone
-        };
-        struct rhlist_head *hl, *h;
-
-        hl = rhltable_lookup(&nf_nat_bysource_table, &key,
-                             nf_nat_bysource_params);
-
-        rhl_for_each_entry_rcu(ct, h, hl, nat_bysource) {
-                nf_ct_invert_tuplepr(result,
-                                     &ct->tuplehash[IP_CT_DIR_REPLY].tuple);
-                result->dst = tuple->dst;
 
-                if (in_range(l3proto, l4proto, result, range))
-                        return 1;
+        hlist_for_each_entry_rcu(ct, &nf_nat_bysource[h], nat_bysource) {
+                if (same_src(ct, tuple) &&
+                    net_eq(net, nf_ct_net(ct)) &&
+                    nf_ct_zone_equal(ct, zone, IP_CT_DIR_ORIGINAL)) {
+                        /* Copy source part from reply tuple. */
+                        nf_ct_invert_tuplepr(result,
+                                       &ct->tuplehash[IP_CT_DIR_REPLY].tuple);
+                        result->dst = tuple->dst;
+
+                        if (in_range(l3proto, l4proto, result, range))
+                                return 1;
+                }
         }
-
         return 0;
 }
 
@@ -408,6 +382,7 @@ nf_nat_setup_info(struct nf_conn *ct,
                   const struct nf_nat_range *range,
                   enum nf_nat_manip_type maniptype)
 {
+        struct net *net = nf_ct_net(ct);
         struct nf_conntrack_tuple curr_tuple, new_tuple;
 
         /* Can't setup nat info for confirmed ct. */
@@ -416,7 +391,9 @@ nf_nat_setup_info(struct nf_conn *ct,
 
         WARN_ON(maniptype != NF_NAT_MANIP_SRC &&
                 maniptype != NF_NAT_MANIP_DST);
-        BUG_ON(nf_nat_initialized(ct, maniptype));
+
+        if (WARN_ON(nf_nat_initialized(ct, maniptype)))
+                return NF_DROP;
 
         /* What we've got will look like inverse of reply. Normally
          * this is what is in the conntrack, except for prior
@@ -447,19 +424,16 @@ nf_nat_setup_info(struct nf_conn *ct,
         }
 
         if (maniptype == NF_NAT_MANIP_SRC) {
-                struct nf_nat_conn_key key = {
-                        .net = nf_ct_net(ct),
-                        .tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
-                        .zone = nf_ct_zone(ct),
-                };
-                int err;
-
-                err = rhltable_insert_key(&nf_nat_bysource_table,
-                                          &key,
-                                          &ct->nat_bysource,
-                                          nf_nat_bysource_params);
-                if (err)
-                        return NF_DROP;
+                unsigned int srchash;
+                spinlock_t *lock;
+
+                srchash = hash_by_src(net,
+                                      &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
+                lock = &nf_nat_locks[srchash % ARRAY_SIZE(nf_nat_locks)];
+                spin_lock_bh(lock);
+                hlist_add_head_rcu(&ct->nat_bysource,
+                                   &nf_nat_bysource[srchash]);
+                spin_unlock_bh(lock);
         }
 
         /* It's done. */
@@ -553,6 +527,16 @@ static int nf_nat_proto_remove(struct nf_conn *i, void *data)
         return i->status & IPS_NAT_MASK ? 1 : 0;
 }
 
+static void __nf_nat_cleanup_conntrack(struct nf_conn *ct)
+{
+        unsigned int h;
+
+        h = hash_by_src(nf_ct_net(ct), &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
+        spin_lock_bh(&nf_nat_locks[h % ARRAY_SIZE(nf_nat_locks)]);
+        hlist_del_rcu(&ct->nat_bysource);
+        spin_unlock_bh(&nf_nat_locks[h % ARRAY_SIZE(nf_nat_locks)]);
+}
+
 static int nf_nat_proto_clean(struct nf_conn *ct, void *data)
 {
         if (nf_nat_proto_remove(ct, data))
@@ -568,8 +552,7 @@ static int nf_nat_proto_clean(struct nf_conn *ct, void *data)
          * will delete entry from already-freed table.
          */
         clear_bit(IPS_SRC_NAT_DONE_BIT, &ct->status);
-        rhltable_remove(&nf_nat_bysource_table, &ct->nat_bysource,
-                        nf_nat_bysource_params);
+        __nf_nat_cleanup_conntrack(ct);
 
         /* don't delete conntrack.  Although that would make things a lot
          * simpler, we'd end up flushing all conntracks on nat rmmod.
@@ -698,8 +681,7 @@ EXPORT_SYMBOL_GPL(nf_nat_l3proto_unregister);
 static void nf_nat_cleanup_conntrack(struct nf_conn *ct)
 {
         if (ct->status & IPS_SRC_NAT_DONE)
-                rhltable_remove(&nf_nat_bysource_table, &ct->nat_bysource,
-                                nf_nat_bysource_params);
+                __nf_nat_cleanup_conntrack(ct);
 }
 
 static struct nf_ct_ext_type nat_extend __read_mostly = {
@@ -821,19 +803,27 @@ static struct nf_ct_helper_expectfn follow_master_nat = {
 
 static int __init nf_nat_init(void)
 {
-        int ret;
+        int ret, i;
 
-        ret = rhltable_init(&nf_nat_bysource_table, &nf_nat_bysource_params);
-        if (ret)
-                return ret;
+        /* Leave them the same for the moment. */
+        nf_nat_htable_size = nf_conntrack_htable_size;
+        if (nf_nat_htable_size < ARRAY_SIZE(nf_nat_locks))
+                nf_nat_htable_size = ARRAY_SIZE(nf_nat_locks);
+
+        nf_nat_bysource = nf_ct_alloc_hashtable(&nf_nat_htable_size, 0);
+        if (!nf_nat_bysource)
+                return -ENOMEM;
 
         ret = nf_ct_extend_register(&nat_extend);
         if (ret < 0) {
-                rhltable_destroy(&nf_nat_bysource_table);
+                nf_ct_free_hashtable(nf_nat_bysource, nf_nat_htable_size);
                 printk(KERN_ERR "nf_nat_core: Unable to register extension\n");
                 return ret;
         }
 
+        for (i = 0; i < ARRAY_SIZE(nf_nat_locks); i++)
+                spin_lock_init(&nf_nat_locks[i]);
+
         nf_ct_helper_expectfn_register(&follow_master_nat);
 
         BUG_ON(nfnetlink_parse_nat_setup_hook != NULL);
@@ -863,8 +853,8 @@ static void __exit nf_nat_cleanup(void)
 
         for (i = 0; i < NFPROTO_NUMPROTO; i++)
                 kfree(nf_nat_l4protos[i]);
-
-        rhltable_destroy(&nf_nat_bysource_table);
+        synchronize_net();
+        nf_ct_free_hashtable(nf_nat_bysource, nf_nat_htable_size);
 }
 
 MODULE_LICENSE("GPL");
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 10d48234f5f4..5da8746f7b88 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -35,6 +35,7 @@
 #include <linux/netfilter_ipv6/ip6_tables.h>
 #include <linux/netfilter/xt_hashlimit.h>
 #include <linux/mutex.h>
+#include <linux/kernel.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
@@ -279,7 +280,7 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg,
                 size = cfg->size;
         } else {
                 size = (totalram_pages << PAGE_SHIFT) / 16384 /
-                       sizeof(struct list_head);
+                       sizeof(struct hlist_head);
                 if (totalram_pages > 1024 * 1024 * 1024 / PAGE_SIZE)
                         size = 8192;
                 if (size < 16)
@@ -287,7 +288,7 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg,
         }
         /* FIXME: don't use vmalloc() here or anywhere else -HW */
         hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
-                        sizeof(struct list_head) * size);
+                        sizeof(struct hlist_head) * size);
         if (hinfo == NULL)
                 return -ENOMEM;
         *out_hinfo = hinfo;
@@ -527,12 +528,12 @@ static u64 user2rate(u64 user)
         }
 }
 
-static u64 user2rate_bytes(u64 user)
+static u64 user2rate_bytes(u32 user)
 {
         u64 r;
 
-        r = user ? 0xFFFFFFFFULL / user : 0xFFFFFFFFULL;
-        r = (r - 1) << 4;
+        r = user ? U32_MAX / user : U32_MAX;
+        r = (r - 1) << XT_HASHLIMIT_BYTE_SHIFT;
         return r;
 }
 
@@ -588,7 +589,8 @@ static void rateinfo_init(struct dsthash_ent *dh,
                 dh->rateinfo.prev_window = 0;
                 dh->rateinfo.current_rate = 0;
                 if (hinfo->cfg.mode & XT_HASHLIMIT_BYTES) {
-                        dh->rateinfo.rate = user2rate_bytes(hinfo->cfg.avg);
+                        dh->rateinfo.rate =
+                                user2rate_bytes((u32)hinfo->cfg.avg);
                         if (hinfo->cfg.burst)
                                 dh->rateinfo.burst =
                                         hinfo->cfg.burst * dh->rateinfo.rate;
@@ -870,7 +872,7 @@ static int hashlimit_mt_check_common(const struct xt_mtchk_param *par,
 
         /* Check for overflow. */
         if (revision >= 3 && cfg->mode & XT_HASHLIMIT_RATE_MATCH) {
-                if (cfg->avg == 0) {
+                if (cfg->avg == 0 || cfg->avg > U32_MAX) {
                         pr_info("hashlimit invalid rate\n");
                         return -ERANGE;
                 }
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 5acee49db90b..327807731b44 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -691,6 +691,9 @@ static void deferred_put_nlk_sk(struct rcu_head *head)
         struct netlink_sock *nlk = container_of(head, struct netlink_sock, rcu);
         struct sock *sk = &nlk->sk;
 
+        kfree(nlk->groups);
+        nlk->groups = NULL;
+
         if (!refcount_dec_and_test(&sk->sk_refcnt))
                 return;
 
@@ -769,9 +772,6 @@ static int netlink_release(struct socket *sock)
                 netlink_table_ungrab();
         }
 
-        kfree(nlk->groups);
-        nlk->groups = NULL;
-
         local_bh_disable();
         sock_prot_inuse_add(sock_net(sk), &netlink_proto, -1);
         local_bh_enable();
@@ -955,7 +955,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
         struct net *net = sock_net(sk);
         struct netlink_sock *nlk = nlk_sk(sk);
         struct sockaddr_nl *nladdr = (struct sockaddr_nl *)addr;
-        int err;
+        int err = 0;
         long unsigned int groups = nladdr->nl_groups;
         bool bound;
 
@@ -983,6 +983,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
                         return -EINVAL;
         }
 
+        netlink_lock_table();
         if (nlk->netlink_bind && groups) {
                 int group;
 
@@ -993,7 +994,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
                         if (!err)
                                 continue;
                         netlink_undo_bind(group, groups, sk);
-                        return err;
+                        goto unlock;
                 }
         }
 
@@ -1006,12 +1007,13 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
                         netlink_autobind(sock);
                 if (err) {
                         netlink_undo_bind(nlk->ngroups, groups, sk);
-                        return err;
+                        goto unlock;
                 }
         }
 
         if (!groups && (nlk->groups == NULL || !(u32)nlk->groups[0]))
-                return 0;
+                goto unlock;
+        netlink_unlock_table();
 
         netlink_table_grab();
         netlink_update_subscriptions(sk, nlk->subscriptions +
@@ -1022,6 +1024,10 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
         netlink_table_ungrab();
 
         return 0;
+
+unlock:
+        netlink_unlock_table();
+        return err;
 }
 
 static int netlink_connect(struct socket *sock, struct sockaddr *addr,
@@ -1079,7 +1085,9 @@ static int netlink_getname(struct socket *sock, struct sockaddr *addr,
                 nladdr->nl_groups = netlink_group_mask(nlk->dst_group);
         } else {
                 nladdr->nl_pid = nlk->portid;
+                netlink_lock_table();
                 nladdr->nl_groups = nlk->groups ? nlk->groups[0] : 0;
+                netlink_unlock_table();
         }
         return 0;
 }
diff --git a/net/rds/send.c b/net/rds/send.c
index 058a40743041..b52cdc8ae428 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -428,14 +428,18 @@ over_batch:
          * some work and we will skip our goto
          */
         if (ret == 0) {
+                bool raced;
+
                 smp_mb();
+                raced = send_gen != READ_ONCE(cp->cp_send_gen);
+
                 if ((test_bit(0, &conn->c_map_queued) ||
-                     !list_empty(&cp->cp_send_queue)) &&
-                        send_gen == READ_ONCE(cp->cp_send_gen)) {
-                        rds_stats_inc(s_send_lock_queue_raced);
+                    !list_empty(&cp->cp_send_queue)) && !raced) {
                         if (batch_count < send_batch_count)
                                 goto restart;
                         queue_delayed_work(rds_wq, &cp->cp_send_w, 1);
+                } else if (raced) {
+                        rds_stats_inc(s_send_lock_queue_raced);
                 }
         }
 out:
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index ea6c65fd5fc5..c743f03cfebd 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -182,7 +182,7 @@ static struct tcf_chain *tcf_chain_create(struct tcf_block *block,
         list_add_tail(&chain->list, &block->chain_list);
         chain->block = block;
         chain->index = chain_index;
-        chain->refcnt = 1;
+        chain->refcnt = 0;
         return chain;
 }
 
@@ -217,15 +217,15 @@ struct tcf_chain *tcf_chain_get(struct tcf_block *block, u32 chain_index,
         struct tcf_chain *chain;
 
         list_for_each_entry(chain, &block->chain_list, list) {
-                if (chain->index == chain_index) {
-                        chain->refcnt++;
-                        return chain;
-                }
+                if (chain->index == chain_index)
+                        goto incref;
         }
-        if (create)
-                return tcf_chain_create(block, chain_index);
-        else
-                return NULL;
+        chain = create ? tcf_chain_create(block, chain_index) : NULL;
+
+incref:
+        if (chain)
+                chain->refcnt++;
+        return chain;
 }
 EXPORT_SYMBOL(tcf_chain_get);
 
diff --git a/net/sched/sch_prio.c b/net/sched/sch_prio.c
index f31b28f788c0..2dd6c68ae91e 100644
--- a/net/sched/sch_prio.c
+++ b/net/sched/sch_prio.c
@@ -80,7 +80,7 @@ prio_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
 
                 if (ret & __NET_XMIT_BYPASS)
                         qdisc_qstats_drop(sch);
-                kfree_skb(skb);
+                __qdisc_drop(skb, to_free);
                 return ret;
         }
 #endif
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index cd661a7f81e6..6ddfd4991108 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -1215,7 +1215,7 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
         if (cl == NULL) {
                 if (err & __NET_XMIT_BYPASS)
                         qdisc_qstats_drop(sch);
-                kfree_skb(skb);
+                __qdisc_drop(skb, to_free);
                 return err;
         }
         pr_debug("qfq_enqueue: cl = %x\n", cl->common.classid);
diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
index 0225d62a869f..a71be33f3afe 100644
--- a/net/sctp/ulpqueue.c
+++ b/net/sctp/ulpqueue.c
@@ -265,7 +265,8 @@ int sctp_ulpq_tail_event(struct sctp_ulpq *ulpq, struct sctp_ulpevent *event)
                 sctp_ulpq_clear_pd(ulpq);
 
         if (queue == &sk->sk_receive_queue && !sp->data_ready_signalled) {
-                sp->data_ready_signalled = 1;
+                if (!sock_owned_by_user(sk))
+                        sp->data_ready_signalled = 1;
                 sk->sk_data_ready(sk);
         }
         return 1;
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index ac1d66d7e1fd..47ec121574ce 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -637,7 +637,7 @@ static int tipc_l2_device_event(struct notifier_block *nb, unsigned long evt,
                 break;
         case NETDEV_UNREGISTER:
         case NETDEV_CHANGENAME:
-                bearer_disable(dev_net(dev), b);
+                bearer_disable(net, b);
                 break;
         }
         return NOTIFY_OK;
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 8ce85420ecb0..0df8023f480b 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3791,8 +3791,8 @@ static void nl80211_check_ap_rate_selectors(struct cfg80211_ap_settings *params,
 static void nl80211_calculate_ap_params(struct cfg80211_ap_settings *params)
 {
         const struct cfg80211_beacon_data *bcn = &params->beacon;
-        size_t ies_len = bcn->beacon_ies_len;
-        const u8 *ies = bcn->beacon_ies;
+        size_t ies_len = bcn->tail_len;
+        const u8 *ies = bcn->tail;
         const u8 *rates;
         const u8 *cap;
 
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 5fae296a6a58..6e94f6934a0e 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -4,6 +4,7 @@
  * Copyright 2007       Johannes Berg <johannes@sipsolutions.net>
  * Copyright 2008-2011  Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
  * Copyright 2013-2014  Intel Mobile Communications GmbH
+ * Copyright      2017  Intel Deutschland GmbH
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1483,7 +1484,9 @@ static void reg_process_ht_flags_channel(struct wiphy *wiphy,
 {
         struct ieee80211_supported_band *sband = wiphy->bands[channel->band];
         struct ieee80211_channel *channel_before = NULL, *channel_after = NULL;
+        const struct ieee80211_regdomain *regd;
         unsigned int i;
+        u32 flags;
 
         if (!is_ht40_allowed(channel)) {
                 channel->flags |= IEEE80211_CHAN_NO_HT40;
@@ -1503,17 +1506,30 @@ static void reg_process_ht_flags_channel(struct wiphy *wiphy,
                         channel_after = c;
         }
 
+        flags = 0;
+        regd = get_wiphy_regdom(wiphy);
+        if (regd) {
+                const struct ieee80211_reg_rule *reg_rule =
+                        freq_reg_info_regd(MHZ_TO_KHZ(channel->center_freq),
+                                           regd, MHZ_TO_KHZ(20));
+
+                if (!IS_ERR(reg_rule))
+                        flags = reg_rule->flags;
+        }
+
         /*
          * Please note that this assumes target bandwidth is 20 MHz,
          * if that ever changes we also need to change the below logic
          * to include that as well.
          */
-        if (!is_ht40_allowed(channel_before))
+        if (!is_ht40_allowed(channel_before) ||
+            flags & NL80211_RRF_NO_HT40MINUS)
                 channel->flags |= IEEE80211_CHAN_NO_HT40MINUS;
         else
                 channel->flags &= ~IEEE80211_CHAN_NO_HT40MINUS;
 
-        if (!is_ht40_allowed(channel_after))
+        if (!is_ht40_allowed(channel_after) ||
+            flags & NL80211_RRF_NO_HT40PLUS)
                 channel->flags |= IEEE80211_CHAN_NO_HT40PLUS;
         else
                 channel->flags &= ~IEEE80211_CHAN_NO_HT40PLUS;