54 files changed, 211 insertions, 164 deletions

diff --git a/Documentation/networking/bonding.txt b/Documentation/networking/bonding.txt
index 57f52cdce32e..9ba04c0bab8d 100644
--- a/Documentation/networking/bonding.txt
+++ b/Documentation/networking/bonding.txt
@@ -2387,7 +2387,7 @@ broadcast: Like active-backup, there is not much advantage to this
         and packet type ID), so in a "gatewayed" configuration, all
         outgoing traffic will generally use the same device.  Incoming
         traffic may also end up on a single device, but that is
-        dependent upon the balancing policy of the peer's 8023.ad
+        dependent upon the balancing policy of the peer's 802.3ad
         implementation.  In a "local" configuration, traffic will be
         distributed across the devices in the bond.
 
diff --git a/arch/Kconfig b/arch/Kconfig
index 1aafb4efbb51..d789a89cb32c 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -937,9 +937,6 @@ config STRICT_MODULE_RWX
           and non-text memory will be made non-executable. This provides
           protection against certain security exploits (e.g. writing to text)
 
-config ARCH_WANT_RELAX_ORDER
-        bool
-
 config ARCH_HAS_REFCOUNT
         bool
         help
diff --git a/arch/sparc/Kconfig b/arch/sparc/Kconfig
index 0be3828752e5..4e83f950713e 100644
--- a/arch/sparc/Kconfig
+++ b/arch/sparc/Kconfig
@@ -44,7 +44,6 @@ config SPARC
         select ARCH_HAS_SG_CHAIN
         select CPU_NO_EFFICIENT_FFS
         select LOCKDEP_SMALL if LOCKDEP
-        select ARCH_WANT_RELAX_ORDER
 
 config SPARC32
         def_bool !64BIT
diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
index 49b80da51ba7..805ab45e9b5a 100644
--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
@@ -565,8 +565,10 @@ static inline bool nicvf_xdp_rx(struct nicvf *nic, struct bpf_prog *prog,
                 return true;
         default:
                 bpf_warn_invalid_xdp_action(action);
+                /* fall through */
         case XDP_ABORTED:
                 trace_xdp_exception(nic->netdev, prog, action);
+                /* fall through */
         case XDP_DROP:
                 /* Check if it's a recycled page, if not
                  * unmap the DMA mapping.
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_82598.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_82598.c
index 523f9d05a810..8a32eb7d47b9 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_82598.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_82598.c
@@ -175,31 +175,9 @@ static s32 ixgbe_init_phy_ops_82598(struct ixgbe_hw *hw)
  **/
 static s32 ixgbe_start_hw_82598(struct ixgbe_hw *hw)
 {
-#ifndef CONFIG_SPARC
-        u32 regval;
-        u32 i;
-#endif
         s32 ret_val;
 
         ret_val = ixgbe_start_hw_generic(hw);
-
-#ifndef CONFIG_SPARC
-        /* Disable relaxed ordering */
-        for (i = 0; ((i < hw->mac.max_tx_queues) &&
-             (i < IXGBE_DCA_MAX_QUEUES_82598)); i++) {
-                regval = IXGBE_READ_REG(hw, IXGBE_DCA_TXCTRL(i));
-                regval &= ~IXGBE_DCA_TXCTRL_DESC_WRO_EN;
-                IXGBE_WRITE_REG(hw, IXGBE_DCA_TXCTRL(i), regval);
-        }
-
-        for (i = 0; ((i < hw->mac.max_rx_queues) &&
-             (i < IXGBE_DCA_MAX_QUEUES_82598)); i++) {
-                regval = IXGBE_READ_REG(hw, IXGBE_DCA_RXCTRL(i));
-                regval &= ~(IXGBE_DCA_RXCTRL_DATA_WRO_EN |
-                            IXGBE_DCA_RXCTRL_HEAD_WRO_EN);
-                IXGBE_WRITE_REG(hw, IXGBE_DCA_RXCTRL(i), regval);
-        }
-#endif
         if (ret_val)
                 return ret_val;
 
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
index 2c19070d2a0b..6e6ab6f6875e 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c
@@ -366,25 +366,6 @@ s32 ixgbe_start_hw_gen2(struct ixgbe_hw *hw)
         }
         IXGBE_WRITE_FLUSH(hw);
 
-#ifndef CONFIG_ARCH_WANT_RELAX_ORDER
-        /* Disable relaxed ordering */
-        for (i = 0; i < hw->mac.max_tx_queues; i++) {
-                u32 regval;
-
-                regval = IXGBE_READ_REG(hw, IXGBE_DCA_TXCTRL_82599(i));
-                regval &= ~IXGBE_DCA_TXCTRL_DESC_WRO_EN;
-                IXGBE_WRITE_REG(hw, IXGBE_DCA_TXCTRL_82599(i), regval);
-        }
-
-        for (i = 0; i < hw->mac.max_rx_queues; i++) {
-                u32 regval;
-
-                regval = IXGBE_READ_REG(hw, IXGBE_DCA_RXCTRL(i));
-                regval &= ~(IXGBE_DCA_RXCTRL_DATA_WRO_EN |
-                            IXGBE_DCA_RXCTRL_HEAD_WRO_EN);
-                IXGBE_WRITE_REG(hw, IXGBE_DCA_RXCTRL(i), regval);
-        }
-#endif
         return 0;
 }
 
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
index 72c565712a5f..c3e7a8191128 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c
@@ -1048,7 +1048,7 @@ static int ixgbe_set_ringparam(struct net_device *netdev,
 {
         struct ixgbe_adapter *adapter = netdev_priv(netdev);
         struct ixgbe_ring *temp_ring;
-        int i, err = 0;
+        int i, j, err = 0;
         u32 new_rx_count, new_tx_count;
 
         if ((ring->rx_mini_pending) || (ring->rx_jumbo_pending))
@@ -1085,8 +1085,8 @@ static int ixgbe_set_ringparam(struct net_device *netdev,
         }
 
         /* allocate temporary buffer to store rings in */
-        i = max_t(int, adapter->num_tx_queues, adapter->num_rx_queues);
-        i = max_t(int, i, adapter->num_xdp_queues);
+        i = max_t(int, adapter->num_tx_queues + adapter->num_xdp_queues,
+                  adapter->num_rx_queues);
         temp_ring = vmalloc(i * sizeof(struct ixgbe_ring));
 
         if (!temp_ring) {
@@ -1118,8 +1118,8 @@ static int ixgbe_set_ringparam(struct net_device *netdev,
                         }
                 }
 
-                for (i = 0; i < adapter->num_xdp_queues; i++) {
-                        memcpy(&temp_ring[i], adapter->xdp_ring[i],
+                for (j = 0; j < adapter->num_xdp_queues; j++, i++) {
+                        memcpy(&temp_ring[i], adapter->xdp_ring[j],
                                sizeof(struct ixgbe_ring));
 
                         temp_ring[i].count = new_tx_count;
@@ -1139,10 +1139,10 @@ static int ixgbe_set_ringparam(struct net_device *netdev,
                         memcpy(adapter->tx_ring[i], &temp_ring[i],
                                sizeof(struct ixgbe_ring));
                 }
-                for (i = 0; i < adapter->num_xdp_queues; i++) {
-                        ixgbe_free_tx_resources(adapter->xdp_ring[i]);
+                for (j = 0; j < adapter->num_xdp_queues; j++, i++) {
+                        ixgbe_free_tx_resources(adapter->xdp_ring[j]);
 
-                        memcpy(adapter->xdp_ring[i], &temp_ring[i],
+                        memcpy(adapter->xdp_ring[j], &temp_ring[i],
                                sizeof(struct ixgbe_ring));
                 }
 
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index d962368d08d0..4d76afd13868 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -4881,7 +4881,7 @@ static void ixgbe_clear_udp_tunnel_port(struct ixgbe_adapter *adapter, u32 mask)
                                 IXGBE_FLAG_GENEVE_OFFLOAD_CAPABLE)))
                 return;
 
-        vxlanctrl = IXGBE_READ_REG(hw, IXGBE_VXLANCTRL) && ~mask;
+        vxlanctrl = IXGBE_READ_REG(hw, IXGBE_VXLANCTRL) & ~mask;
         IXGBE_WRITE_REG(hw, IXGBE_VXLANCTRL, vxlanctrl);
 
         if (mask & IXGBE_VXLANCTRL_VXLAN_UDPPORT_MASK)
@@ -8529,6 +8529,10 @@ static int ixgbe_ioctl(struct net_device *netdev, struct ifreq *req, int cmd)
                 return ixgbe_ptp_set_ts_config(adapter, req);
         case SIOCGHWTSTAMP:
                 return ixgbe_ptp_get_ts_config(adapter, req);
+        case SIOCGMIIPHY:
+                if (!adapter->hw.phy.ops.read_reg)
+                        return -EOPNOTSUPP;
+                /* fall through */
         default:
                 return mdio_mii_ioctl(&adapter->hw.phy.mdio, if_mii(req), cmd);
         }
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
index 032089efc1a0..c16718d296d3 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -3505,20 +3505,6 @@ static int mlxsw_sp_fib_lpm_tree_link(struct mlxsw_sp *mlxsw_sp,
 static void mlxsw_sp_fib_lpm_tree_unlink(struct mlxsw_sp *mlxsw_sp,
                                          struct mlxsw_sp_fib *fib)
 {
-        struct mlxsw_sp_prefix_usage req_prefix_usage = {{ 0 } };
-        struct mlxsw_sp_lpm_tree *lpm_tree;
-
-        /* Aggregate prefix lengths across all virtual routers to make
-         * sure we only have used prefix lengths in the LPM tree.
-         */
-        mlxsw_sp_vrs_prefixes(mlxsw_sp, fib->proto, &req_prefix_usage);
-        lpm_tree = mlxsw_sp_lpm_tree_get(mlxsw_sp, &req_prefix_usage,
-                                         fib->proto);
-        if (IS_ERR(lpm_tree))
-                goto err_tree_get;
-        mlxsw_sp_vrs_lpm_tree_replace(mlxsw_sp, fib, lpm_tree);
-
-err_tree_get:
         if (!mlxsw_sp_prefix_usage_none(&fib->prefix_usage))
                 return;
         mlxsw_sp_vr_lpm_tree_unbind(mlxsw_sp, fib);
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index c3f77e3b7819..e365866600ba 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -1339,7 +1339,17 @@ ppp_get_stats64(struct net_device *dev, struct rtnl_link_stats64 *stats64)
 
 static int ppp_dev_init(struct net_device *dev)
 {
+        struct ppp *ppp;
+
         netdev_lockdep_set_classes(dev);
+
+        ppp = netdev_priv(dev);
+        /* Let the netdevice take a reference on the ppp file. This ensures
+         * that ppp_destroy_interface() won't run before the device gets
+         * unregistered.
+         */
+        atomic_inc(&ppp->file.refcnt);
+
         return 0;
 }
 
@@ -1362,6 +1372,15 @@ static void ppp_dev_uninit(struct net_device *dev)
         wake_up_interruptible(&ppp->file.rwait);
 }
 
+static void ppp_dev_priv_destructor(struct net_device *dev)
+{
+        struct ppp *ppp;
+
+        ppp = netdev_priv(dev);
+        if (atomic_dec_and_test(&ppp->file.refcnt))
+                ppp_destroy_interface(ppp);
+}
+
 static const struct net_device_ops ppp_netdev_ops = {
         .ndo_init        = ppp_dev_init,
         .ndo_uninit      = ppp_dev_uninit,
@@ -1387,6 +1406,7 @@ static void ppp_setup(struct net_device *dev)
         dev->tx_queue_len = 3;
         dev->type = ARPHRD_PPP;
         dev->flags = IFF_POINTOPOINT | IFF_NOARP | IFF_MULTICAST;
+        dev->priv_destructor = ppp_dev_priv_destructor;
         netif_keep_dst(dev);
 }
 
diff --git a/drivers/net/usb/cdc_ether.c b/drivers/net/usb/cdc_ether.c
index 29c7e2ec0dcb..52ea80bcd639 100644
--- a/drivers/net/usb/cdc_ether.c
+++ b/drivers/net/usb/cdc_ether.c
@@ -560,6 +560,7 @@ static const struct driver_info wwan_info = {
 #define NVIDIA_VENDOR_ID        0x0955
 #define HP_VENDOR_ID            0x03f0
 #define MICROSOFT_VENDOR_ID     0x045e
+#define UBLOX_VENDOR_ID         0x1546
 
 static const struct usb_device_id       products[] = {
 /* BLACKLIST !!
@@ -869,6 +870,18 @@ static const struct usb_device_id	products[] = {
                                       USB_CDC_PROTO_NONE),
         .driver_info = (unsigned long)&zte_cdc_info,
 }, {
+        /* U-blox TOBY-L2 */
+        USB_DEVICE_AND_INTERFACE_INFO(UBLOX_VENDOR_ID, 0x1143, USB_CLASS_COMM,
+                                      USB_CDC_SUBCLASS_ETHERNET,
+                                      USB_CDC_PROTO_NONE),
+        .driver_info = (unsigned long)&wwan_info,
+}, {
+        /* U-blox SARA-U2 */
+        USB_DEVICE_AND_INTERFACE_INFO(UBLOX_VENDOR_ID, 0x1104, USB_CLASS_COMM,
+                                      USB_CDC_SUBCLASS_ETHERNET,
+                                      USB_CDC_PROTO_NONE),
+        .driver_info = (unsigned long)&wwan_info,
+}, {
         USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ETHERNET,
                         USB_CDC_PROTO_NONE),
         .driver_info = (unsigned long) &cdc_info,
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 8390859e79e7..f1af7d63d678 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -368,6 +368,11 @@ static inline void __bpf_prog_uncharge(struct user_struct *user, u32 pages)
 {
 }
 
+static inline int bpf_obj_get_user(const char __user *pathname)
+{
+        return -EOPNOTSUPP;
+}
+
 static inline struct net_device  *__dev_map_lookup_elem(struct bpf_map *map,
                                                        u32 key)
 {
diff --git a/include/linux/netfilter_bridge/ebtables.h b/include/linux/netfilter_bridge/ebtables.h
index 2c2a5514b0df..528b24c78308 100644
--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -108,9 +108,10 @@ struct ebt_table {
 
 #define EBT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) & \
                      ~(__alignof__(struct _xt_align)-1))
-extern struct ebt_table *ebt_register_table(struct net *net,
-                                            const struct ebt_table *table,
-                                            const struct nf_hook_ops *);
+extern int ebt_register_table(struct net *net,
+                              const struct ebt_table *table,
+                              const struct nf_hook_ops *ops,
+                              struct ebt_table **res);
 extern void ebt_unregister_table(struct net *net, struct ebt_table *table,
                                  const struct nf_hook_ops *);
 extern unsigned int ebt_do_table(struct sk_buff *skb,
diff --git a/include/uapi/linux/netfilter/xt_bpf.h b/include/uapi/linux/netfilter/xt_bpf.h
index b97725af2ac0..da161b56c79e 100644
--- a/include/uapi/linux/netfilter/xt_bpf.h
+++ b/include/uapi/linux/netfilter/xt_bpf.h
@@ -23,6 +23,7 @@ enum xt_bpf_modes {
         XT_BPF_MODE_FD_PINNED,
         XT_BPF_MODE_FD_ELF,
 };
+#define XT_BPF_MODE_PATH_PINNED XT_BPF_MODE_FD_PINNED
 
 struct xt_bpf_info_v1 {
         __u16 mode;
diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
index e833ed914358..be1dde967208 100644
--- a/kernel/bpf/inode.c
+++ b/kernel/bpf/inode.c
@@ -363,6 +363,7 @@ out:
         putname(pname);
         return ret;
 }
+EXPORT_SYMBOL_GPL(bpf_obj_get_user);
 
 static void bpf_evict_inode(struct inode *inode)
 {
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b914fbe1383e..8b8d6ba39e23 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -653,6 +653,10 @@ static void mark_reg_read(const struct bpf_verifier_state *state, u32 regno)
 {
         struct bpf_verifier_state *parent = state->parent;
 
+        if (regno == BPF_REG_FP)
+                /* We don't need to worry about FP liveness because it's read-only */
+                return;
+
         while (parent) {
                 /* if read wasn't screened by an earlier write ... */
                 if (state->regs[regno].live & REG_LIVE_WRITTEN)
@@ -2345,6 +2349,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
                                  * copy register state to dest reg
                                  */
                                 regs[insn->dst_reg] = regs[insn->src_reg];
+                                regs[insn->dst_reg].live |= REG_LIVE_WRITTEN;
                         } else {
                                 /* R1 = (u32) R2 */
                                 if (is_pointer_value(env, insn->src_reg)) {
diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c
index 2585b100ebbb..276b60262981 100644
--- a/net/bridge/netfilter/ebtable_broute.c
+++ b/net/bridge/netfilter/ebtable_broute.c
@@ -65,8 +65,8 @@ static int ebt_broute(struct sk_buff *skb)
 
 static int __net_init broute_net_init(struct net *net)
 {
-        net->xt.broute_table = ebt_register_table(net, &broute_table, NULL);
-        return PTR_ERR_OR_ZERO(net->xt.broute_table);
+        return ebt_register_table(net, &broute_table, NULL,
+                                  &net->xt.broute_table);
 }
 
 static void __net_exit broute_net_exit(struct net *net)
diff --git a/net/bridge/netfilter/ebtable_filter.c b/net/bridge/netfilter/ebtable_filter.c
index 45a00dbdbcad..c41da5fac84f 100644
--- a/net/bridge/netfilter/ebtable_filter.c
+++ b/net/bridge/netfilter/ebtable_filter.c
@@ -93,8 +93,8 @@ static const struct nf_hook_ops ebt_ops_filter[] = {
 
 static int __net_init frame_filter_net_init(struct net *net)
 {
-        net->xt.frame_filter = ebt_register_table(net, &frame_filter, ebt_ops_filter);
-        return PTR_ERR_OR_ZERO(net->xt.frame_filter);
+        return ebt_register_table(net, &frame_filter, ebt_ops_filter,
+                                  &net->xt.frame_filter);
 }
 
 static void __net_exit frame_filter_net_exit(struct net *net)
diff --git a/net/bridge/netfilter/ebtable_nat.c b/net/bridge/netfilter/ebtable_nat.c
index 57cd5bb154e7..08df7406ecb3 100644
--- a/net/bridge/netfilter/ebtable_nat.c
+++ b/net/bridge/netfilter/ebtable_nat.c
@@ -93,8 +93,8 @@ static const struct nf_hook_ops ebt_ops_nat[] = {
 
 static int __net_init frame_nat_net_init(struct net *net)
 {
-        net->xt.frame_nat = ebt_register_table(net, &frame_nat, ebt_ops_nat);
-        return PTR_ERR_OR_ZERO(net->xt.frame_nat);
+        return ebt_register_table(net, &frame_nat, ebt_ops_nat,
+                                  &net->xt.frame_nat);
 }
 
 static void __net_exit frame_nat_net_exit(struct net *net)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 83951f978445..3b3dcf719e07 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1169,9 +1169,8 @@ static void __ebt_unregister_table(struct net *net, struct ebt_table *table)
         kfree(table);
 }
 
-struct ebt_table *
-ebt_register_table(struct net *net, const struct ebt_table *input_table,
-                   const struct nf_hook_ops *ops)
+int ebt_register_table(struct net *net, const struct ebt_table *input_table,
+                       const struct nf_hook_ops *ops, struct ebt_table **res)
 {
         struct ebt_table_info *newinfo;
         struct ebt_table *t, *table;
@@ -1183,7 +1182,7 @@ ebt_register_table(struct net *net, const struct ebt_table *input_table,
             repl->entries == NULL || repl->entries_size == 0 ||
             repl->counters != NULL || input_table->private != NULL) {
                 BUGPRINT("Bad table data for ebt_register_table!!!\n");
-                return ERR_PTR(-EINVAL);
+                return -EINVAL;
         }
 
         /* Don't add one table to multiple lists. */
@@ -1252,16 +1251,18 @@ ebt_register_table(struct net *net, const struct ebt_table *input_table,
         list_add(&table->list, &net->xt.tables[NFPROTO_BRIDGE]);
         mutex_unlock(&ebt_mutex);
 
+        WRITE_ONCE(*res, table);
+
         if (!ops)
-                return table;
+                return 0;
 
         ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
         if (ret) {
                 __ebt_unregister_table(net, table);
-                return ERR_PTR(ret);
+                *res = NULL;
         }
 
-        return table;
+        return ret;
 free_unlock:
         mutex_unlock(&ebt_mutex);
 free_chainstack:
@@ -1276,7 +1277,7 @@ free_newinfo:
 free_table:
         kfree(table);
 out:
-        return ERR_PTR(ret);
+        return ret;
 }
 
 void ebt_unregister_table(struct net *net, struct ebt_table *table,
diff --git a/net/ipv4/gre_offload.c b/net/ipv4/gre_offload.c
index 416bb304a281..1859c473b21a 100644
--- a/net/ipv4/gre_offload.c
+++ b/net/ipv4/gre_offload.c
@@ -86,7 +86,7 @@ static struct sk_buff *gre_gso_segment(struct sk_buff *skb,
                 greh = (struct gre_base_hdr *)skb_transport_header(skb);
                 pcsum = (__sum16 *)(greh + 1);
 
-                if (gso_partial) {
+                if (gso_partial && skb_is_gso(skb)) {
                         unsigned int partial_adj;
 
                         /* Adjust checksum to account for the fact that
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 811689e523c3..f75fc6b53115 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -330,7 +330,8 @@ static unsigned int ipv4_synproxy_hook(void *priv,
         if (synproxy == NULL)
                 return NF_ACCEPT;
 
-        if (nf_is_loopback_packet(skb))
+        if (nf_is_loopback_packet(skb) ||
+            ip_hdr(skb)->protocol != IPPROTO_TCP)
                 return NF_ACCEPT;
 
         thoff = ip_hdrlen(skb);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index ac6fde5d45f1..3d9f1c2f81c5 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2513,7 +2513,7 @@ struct dst_entry *ipv4_blackhole_route(struct net *net, struct dst_entry *dst_or
         struct rtable *ort = (struct rtable *) dst_orig;
         struct rtable *rt;
 
-        rt = dst_alloc(&ipv4_dst_blackhole_ops, NULL, 1, DST_OBSOLETE_NONE, 0);
+        rt = dst_alloc(&ipv4_dst_blackhole_ops, NULL, 1, DST_OBSOLETE_DEAD, 0);
         if (rt) {
                 struct dst_entry *new = &rt->dst;
 
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 5676237d2b0f..e45177ceb0ee 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2240,20 +2240,16 @@ int udp_v4_early_demux(struct sk_buff *skb)
         iph = ip_hdr(skb);
         uh = udp_hdr(skb);
 
-        if (skb->pkt_type == PACKET_BROADCAST ||
-            skb->pkt_type == PACKET_MULTICAST) {
+        if (skb->pkt_type == PACKET_MULTICAST) {
                 in_dev = __in_dev_get_rcu(skb->dev);
 
                 if (!in_dev)
                         return 0;
 
-                /* we are supposed to accept bcast packets */
-                if (skb->pkt_type == PACKET_MULTICAST) {
-                        ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
-                                               iph->protocol);
-                        if (!ours)
-                                return 0;
-                }
+                ours = ip_check_mc_rcu(in_dev, iph->daddr, iph->saddr,
+                                       iph->protocol);
+                if (!ours)
+                        return 0;
 
                 sk = __udp4_lib_mcast_demux_lookup(net, uh->dest, iph->daddr,
                                                    uh->source, iph->saddr,
diff --git a/net/ipv4/udp_offload.c b/net/ipv4/udp_offload.c
index 97658bfc1b58..e360d55be555 100644
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -120,7 +120,7 @@ static struct sk_buff *__skb_udp_tunnel_segment(struct sk_buff *skb,
                  * will be using a length value equal to only one MSS sized
                  * segment instead of the entire frame.
                  */
-                if (gso_partial) {
+                if (gso_partial && skb_is_gso(skb)) {
                         uh->len = htons(skb_shinfo(skb)->gso_size +
                                         SKB_GSO_CB(skb)->data_offset +
                                         skb->head - (unsigned char *)uh);
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 96861c702c06..4a96ebbf8eda 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3820,8 +3820,8 @@ static void addrconf_dad_begin(struct inet6_ifaddr *ifp)
                 goto out;
 
         if (dev->flags&(IFF_NOARP|IFF_LOOPBACK) ||
-            dev_net(dev)->ipv6.devconf_all->accept_dad < 1 ||
-            idev->cnf.accept_dad < 1 ||
+            (dev_net(dev)->ipv6.devconf_all->accept_dad < 1 &&
+             idev->cnf.accept_dad < 1) ||
             !(ifp->flags&IFA_F_TENTATIVE) ||
             ifp->flags & IFA_F_NODAD) {
                 bump_id = ifp->flags & IFA_F_TENTATIVE;
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index cdb3728faca7..4a87f9428ca5 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -105,7 +105,7 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
 
         for (skb = segs; skb; skb = skb->next) {
                 ipv6h = (struct ipv6hdr *)(skb_mac_header(skb) + nhoff);
-                if (gso_partial)
+                if (gso_partial && skb_is_gso(skb))
                         payload_len = skb_shinfo(skb)->gso_size +
                                       SKB_GSO_CB(skb)->data_offset +
                                       skb->head - (unsigned char *)(ipv6h + 1);
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index a5cd43d75393..437af8c95277 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -353,7 +353,7 @@ static unsigned int ipv6_synproxy_hook(void *priv,
         nexthdr = ipv6_hdr(skb)->nexthdr;
         thoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
                                  &frag_off);
-        if (thoff < 0)
+        if (thoff < 0 || nexthdr != IPPROTO_TCP)
                 return NF_ACCEPT;
 
         th = skb_header_pointer(skb, thoff, sizeof(_th), &_th);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 26cc9f483b6d..a96d5b385d8f 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1325,7 +1325,7 @@ struct dst_entry *ip6_blackhole_route(struct net *net, struct dst_entry *dst_ori
         struct dst_entry *new = NULL;
 
         rt = dst_alloc(&ip6_dst_blackhole_ops, loopback_dev, 1,
-                       DST_OBSOLETE_NONE, 0);
+                       DST_OBSOLETE_DEAD, 0);
         if (rt) {
                 rt6_info_init(rt);
 
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index e495b5e484b1..cf84f7b37cd9 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1191,14 +1191,17 @@ static int ip_set_swap(struct net *net, struct sock *ctnl, struct sk_buff *skb,
               from->family == to->family))
                 return -IPSET_ERR_TYPE_MISMATCH;
 
-        if (from->ref_netlink || to->ref_netlink)
+        write_lock_bh(&ip_set_ref_lock);
+
+        if (from->ref_netlink || to->ref_netlink) {
+                write_unlock_bh(&ip_set_ref_lock);
                 return -EBUSY;
+        }
 
         strncpy(from_name, from->name, IPSET_MAXNAMELEN);
         strncpy(from->name, to->name, IPSET_MAXNAMELEN);
         strncpy(to->name, from_name, IPSET_MAXNAMELEN);
 
-        write_lock_bh(&ip_set_ref_lock);
         swap(from->ref, to->ref);
         ip_set(inst, from_id) = to;
         ip_set(inst, to_id) = from;
@@ -2072,25 +2075,28 @@ static struct pernet_operations ip_set_net_ops = {
 static int __init
 ip_set_init(void)
 {
-        int ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
+        int ret = register_pernet_subsys(&ip_set_net_ops);
+
+        if (ret) {
+                pr_err("ip_set: cannot register pernet_subsys.\n");
+                return ret;
+        }
 
+        ret = nfnetlink_subsys_register(&ip_set_netlink_subsys);
         if (ret != 0) {
                 pr_err("ip_set: cannot register with nfnetlink.\n");
+                unregister_pernet_subsys(&ip_set_net_ops);
                 return ret;
         }
+
         ret = nf_register_sockopt(&so_set);
         if (ret != 0) {
                 pr_err("SO_SET registry failed: %d\n", ret);
                 nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
+                unregister_pernet_subsys(&ip_set_net_ops);
                 return ret;
         }
-        ret = register_pernet_subsys(&ip_set_net_ops);
-        if (ret) {
-                pr_err("ip_set: cannot register pernet_subsys.\n");
-                nf_unregister_sockopt(&so_set);
-                nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
-                return ret;
-        }
+
         pr_info("ip_set: protocol %u\n", IPSET_PROTOCOL);
         return 0;
 }
@@ -2098,9 +2104,10 @@ ip_set_init(void)
 static void __exit
 ip_set_fini(void)
 {
-        unregister_pernet_subsys(&ip_set_net_ops);
         nf_unregister_sockopt(&so_set);
         nfnetlink_subsys_unregister(&ip_set_netlink_subsys);
+
+        unregister_pernet_subsys(&ip_set_net_ops);
         pr_debug("these are the famous last words\n");
 }
 
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index 20bfbd315f61..613eb212cb48 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -123,13 +123,12 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
                 return ret;
 
         ip &= ip_set_hostmask(h->netmask);
+        e.ip = htonl(ip);
+        if (e.ip == 0)
+                return -IPSET_ERR_HASH_ELEM;
 
-        if (adt == IPSET_TEST) {
-                e.ip = htonl(ip);
-                if (e.ip == 0)
-                        return -IPSET_ERR_HASH_ELEM;
+        if (adt == IPSET_TEST)
                 return adtfn(set, &e, &ext, &ext, flags);
-        }
 
         ip_to = ip;
         if (tb[IPSET_ATTR_IP_TO]) {
@@ -148,17 +147,20 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
 
         hosts = h->netmask == 32 ? 1 : 2 << (32 - h->netmask - 1);
 
-        if (retried)
+        if (retried) {
                 ip = ntohl(h->next.ip);
-        for (; !before(ip_to, ip); ip += hosts) {
                 e.ip = htonl(ip);
-                if (e.ip == 0)
-                        return -IPSET_ERR_HASH_ELEM;
+        }
+        for (; ip <= ip_to;) {
                 ret = adtfn(set, &e, &ext, &ext, flags);
-
                 if (ret && !ip_set_eexist(ret, flags))
                         return ret;
 
+                ip += hosts;
+                e.ip = htonl(ip);
+                if (e.ip == 0)
+                        return 0;
+
                 ret = 0;
         }
         return ret;
diff --git a/net/netfilter/ipset/ip_set_hash_ipmark.c b/net/netfilter/ipset/ip_set_hash_ipmark.c
index b64cf14e8352..f3ba8348cf9d 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmark.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmark.c
@@ -149,7 +149,7 @@ hash_ipmark4_uadt(struct ip_set *set, struct nlattr *tb[],
 
         if (retried)
                 ip = ntohl(h->next.ip);
-        for (; !before(ip_to, ip); ip++) {
+        for (; ip <= ip_to; ip++) {
                 e.ip = htonl(ip);
                 ret = adtfn(set, &e, &ext, &ext, flags);
 
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index f438740e6c6a..ddb8039ec1d2 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -178,7 +178,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
 
         if (retried)
                 ip = ntohl(h->next.ip);
-        for (; !before(ip_to, ip); ip++) {
+        for (; ip <= ip_to; ip++) {
                 p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
                                                        : port;
                 for (; p <= port_to; p++) {
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index 6215fb898c50..a7f4d7a85420 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -185,7 +185,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
 
         if (retried)
                 ip = ntohl(h->next.ip);
-        for (; !before(ip_to, ip); ip++) {
+        for (; ip <= ip_to; ip++) {
                 p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
                                                        : port;
                 for (; p <= port_to; p++) {
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index 5ab1b99a53c2..a2f19b9906e9 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -271,7 +271,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
 
         if (retried)
                 ip = ntohl(h->next.ip);
-        for (; !before(ip_to, ip); ip++) {
+        for (; ip <= ip_to; ip++) {
                 e.ip = htonl(ip);
                 p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
                                                        : port;
@@ -281,7 +281,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
                               ip == ntohl(h->next.ip) &&
                               p == ntohs(h->next.port)
                                 ? ntohl(h->next.ip2) : ip2_from;
-                        while (!after(ip2, ip2_to)) {
+                        while (ip2 <= ip2_to) {
                                 e.ip2 = htonl(ip2);
                                 ip2_last = ip_set_range_to_cidr(ip2, ip2_to,
                                                                 &cidr);
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 5d9e895452e7..1c67a1761e45 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -193,7 +193,7 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
         }
         if (retried)
                 ip = ntohl(h->next.ip);
-        while (!after(ip, ip_to)) {
+        while (ip <= ip_to) {
                 e.ip = htonl(ip);
                 last = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
                 ret = adtfn(set, &e, &ext, &ext, flags);
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index 44cf11939c91..d417074f1c1a 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -255,7 +255,7 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
 
         if (retried)
                 ip = ntohl(h->next.ip);
-        while (!after(ip, ip_to)) {
+        while (ip <= ip_to) {
                 e.ip = htonl(ip);
                 last = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
                 ret = adtfn(set, &e, &ext, &ext, flags);
diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c
index db614e13b193..7f9ae2e9645b 100644
--- a/net/netfilter/ipset/ip_set_hash_netnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netnet.c
@@ -250,13 +250,13 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
         if (retried)
                 ip = ntohl(h->next.ip[0]);
 
-        while (!after(ip, ip_to)) {
+        while (ip <= ip_to) {
                 e.ip[0] = htonl(ip);
                 last = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
                 ip2 = (retried &&
                        ip == ntohl(h->next.ip[0])) ? ntohl(h->next.ip[1])
                                                    : ip2_from;
-                while (!after(ip2, ip2_to)) {
+                while (ip2 <= ip2_to) {
                         e.ip[1] = htonl(ip2);
                         last2 = ip_set_range_to_cidr(ip2, ip2_to, &e.cidr[1]);
                         ret = adtfn(set, &e, &ext, &ext, flags);
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index 54b64b6cd0cd..e6ef382febe4 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -241,7 +241,7 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
 
         if (retried)
                 ip = ntohl(h->next.ip);
-        while (!after(ip, ip_to)) {
+        while (ip <= ip_to) {
                 e.ip = htonl(ip);
                 last = ip_set_range_to_cidr(ip, ip_to, &cidr);
                 e.cidr = cidr - 1;
diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
index aff846960ac4..8602f2595a1a 100644
--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
@@ -291,7 +291,7 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
         if (retried)
                 ip = ntohl(h->next.ip[0]);
 
-        while (!after(ip, ip_to)) {
+        while (ip <= ip_to) {
                 e.ip[0] = htonl(ip);
                 ip_last = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
                 p = retried && ip == ntohl(h->next.ip[0]) ? ntohs(h->next.port)
@@ -301,7 +301,7 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
                         ip2 = (retried && ip == ntohl(h->next.ip[0]) &&
                                p == ntohs(h->next.port)) ? ntohl(h->next.ip[1])
                                                          : ip2_from;
-                        while (!after(ip2, ip2_to)) {
+                        while (ip2 <= ip2_to) {
                                 e.ip[1] = htonl(ip2);
                                 ip2_last = ip_set_range_to_cidr(ip2, ip2_to,
                                                                 &e.cidr[1]);
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 90d396814798..4527921b1c3a 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -921,6 +921,7 @@ ip_vs_prepare_tunneled_skb(struct sk_buff *skb, int skb_af,
 {
         struct sk_buff *new_skb = NULL;
         struct iphdr *old_iph = NULL;
+        __u8 old_dsfield;
 #ifdef CONFIG_IP_VS_IPV6
         struct ipv6hdr *old_ipv6h = NULL;
 #endif
@@ -945,7 +946,7 @@ ip_vs_prepare_tunneled_skb(struct sk_buff *skb, int skb_af,
                         *payload_len =
                                 ntohs(old_ipv6h->payload_len) +
                                 sizeof(*old_ipv6h);
-                *dsfield = ipv6_get_dsfield(old_ipv6h);
+                old_dsfield = ipv6_get_dsfield(old_ipv6h);
                 *ttl = old_ipv6h->hop_limit;
                 if (df)
                         *df = 0;
@@ -960,12 +961,15 @@ ip_vs_prepare_tunneled_skb(struct sk_buff *skb, int skb_af,
 
                 /* fix old IP header checksum */
                 ip_send_check(old_iph);
-                *dsfield = ipv4_get_dsfield(old_iph);
+                old_dsfield = ipv4_get_dsfield(old_iph);
                 *ttl = old_iph->ttl;
                 if (payload_len)
                         *payload_len = ntohs(old_iph->tot_len);
         }
 
+        /* Implement full-functionality option for ECN encapsulation */
+        *dsfield = INET_ECN_encapsulate(old_dsfield, old_dsfield);
+
         return skb;
 error:
         kfree_skb(skb);
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 929927171426..64e1ee091225 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1048,7 +1048,7 @@ static int nf_tables_fill_chain_info(struct sk_buff *skb, struct net *net,
                 if (nla_put_string(skb, NFTA_CHAIN_TYPE, basechain->type->name))
                         goto nla_put_failure;
 
-                if (nft_dump_stats(skb, nft_base_chain(chain)->stats))
+                if (basechain->stats && nft_dump_stats(skb, basechain->stats))
                         goto nla_put_failure;
         }
 
@@ -1487,8 +1487,8 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy,
 
                 chain2 = nf_tables_chain_lookup(table, nla[NFTA_CHAIN_NAME],
                                                 genmask);
-                if (IS_ERR(chain2))
-                        return PTR_ERR(chain2);
+                if (!IS_ERR(chain2))
+                        return -EEXIST;
         }
 
         if (nla[NFTA_CHAIN_COUNTERS]) {
@@ -2741,8 +2741,10 @@ cont:
         list_for_each_entry(i, &ctx->table->sets, list) {
                 if (!nft_is_active_next(ctx->net, i))
                         continue;
-                if (!strcmp(set->name, i->name))
+                if (!strcmp(set->name, i->name)) {
+                        kfree(set->name);
                         return -ENFILE;
+                }
         }
         return 0;
 }
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index c83a3b5e1c6c..d8571f414208 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -892,7 +892,7 @@ void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
                 if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
                         return ERR_PTR(-EFAULT);
 
-                strlcpy(info->name, compat_tmp.name, sizeof(info->name));
+                memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);
                 info->num_counters = compat_tmp.num_counters;
                 user += sizeof(compat_tmp);
         } else
@@ -905,9 +905,9 @@ void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
                 if (copy_from_user(info, user, sizeof(*info)) != 0)
                         return ERR_PTR(-EFAULT);
 
-                info->name[sizeof(info->name) - 1] = '\0';
                 user += sizeof(*info);
         }
+        info->name[sizeof(info->name) - 1] = '\0';
 
         size = sizeof(struct xt_counters);
         size *= info->num_counters;
diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
index 38986a95216c..29123934887b 100644
--- a/net/netfilter/xt_bpf.c
+++ b/net/netfilter/xt_bpf.c
@@ -8,6 +8,7 @@
  */
 
 #include <linux/module.h>
+#include <linux/syscalls.h>
 #include <linux/skbuff.h>
 #include <linux/filter.h>
 #include <linux/bpf.h>
@@ -49,6 +50,22 @@ static int __bpf_mt_check_fd(int fd, struct bpf_prog **ret)
         return 0;
 }
 
+static int __bpf_mt_check_path(const char *path, struct bpf_prog **ret)
+{
+        mm_segment_t oldfs = get_fs();
+        int retval, fd;
+
+        set_fs(KERNEL_DS);
+        fd = bpf_obj_get_user(path);
+        set_fs(oldfs);
+        if (fd < 0)
+                return fd;
+
+        retval = __bpf_mt_check_fd(fd, ret);
+        sys_close(fd);
+        return retval;
+}
+
 static int bpf_mt_check(const struct xt_mtchk_param *par)
 {
         struct xt_bpf_info *info = par->matchinfo;
@@ -66,9 +83,10 @@ static int bpf_mt_check_v1(const struct xt_mtchk_param *par)
                 return __bpf_mt_check_bytecode(info->bpf_program,
                                                info->bpf_program_num_elem,
                                                &info->filter);
-        else if (info->mode == XT_BPF_MODE_FD_PINNED ||
-                 info->mode == XT_BPF_MODE_FD_ELF)
+        else if (info->mode == XT_BPF_MODE_FD_ELF)
                 return __bpf_mt_check_fd(info->fd, &info->filter);
+        else if (info->mode == XT_BPF_MODE_PATH_PINNED)
+                return __bpf_mt_check_path(info->path, &info->filter);
         else
                 return -EINVAL;
 }
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index e75ef39669c5..575d2153e3b8 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -76,7 +76,7 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
                         transparent = nf_sk_is_transparent(sk);
 
                 if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard &&
-                    transparent)
+                    transparent && sk_fullsock(sk))
                         pskb->mark = sk->sk_mark;
 
                 if (sk != skb->sk)
@@ -133,7 +133,7 @@ socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)
                         transparent = nf_sk_is_transparent(sk);
 
                 if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard &&
-                    transparent)
+                    transparent && sk_fullsock(sk))
                         pskb->mark = sk->sk_mark;
 
                 if (sk != skb->sk)
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 94c11cf0459d..f34750691c5c 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2266,16 +2266,17 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
         cb->min_dump_alloc = control->min_dump_alloc;
         cb->skb = skb;
 
+        if (cb->start) {
+                ret = cb->start(cb);
+                if (ret)
+                        goto error_unlock;
+        }
+
         nlk->cb_running = true;
 
         mutex_unlock(nlk->cb_mutex);
 
-        ret = 0;
-        if (cb->start)
-                ret = cb->start(cb);
-
-        if (!ret)
-                ret = netlink_dump(sk);
+        ret = netlink_dump(sk);
 
         sock_put(sk);
 
diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
index 7d99029df342..a140dd4a84af 100644
--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -233,7 +233,7 @@ static int tipc_bcast_xmit(struct net *net, struct sk_buff_head *pkts,
         struct sk_buff_head xmitq;
         int rc = 0;
 
-        __skb_queue_head_init(&xmitq);
+        skb_queue_head_init(&xmitq);
         tipc_bcast_lock(net);
         if (tipc_link_bc_peers(l))
                 rc = tipc_link_xmit(l, pkts, &xmitq);
@@ -263,7 +263,7 @@ static int tipc_rcast_xmit(struct net *net, struct sk_buff_head *pkts,
         u32 dst, selector;
 
         selector = msg_link_selector(buf_msg(skb_peek(pkts)));
-        __skb_queue_head_init(&_pkts);
+        skb_queue_head_init(&_pkts);
 
         list_for_each_entry_safe(n, tmp, &dests->list, list) {
                 dst = n->value;
diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 121e59a1d0e7..17146c16ee2d 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -568,6 +568,14 @@ bool tipc_msg_lookup_dest(struct net *net, struct sk_buff *skb, int *err)
         msg_set_destnode(msg, dnode);
         msg_set_destport(msg, dport);
         *err = TIPC_OK;
+
+        if (!skb_cloned(skb))
+                return true;
+
+        /* Unclone buffer in case it was bundled */
+        if (pskb_expand_head(skb, BUF_HEADROOM, BUF_TAILROOM, GFP_ATOMIC))
+                return false;
+
         return true;
 }
 
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 690874293cfc..d396cb61a280 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -549,6 +549,14 @@ nl80211_nan_srf_policy[NL80211_NAN_SRF_ATTR_MAX + 1] = {
         [NL80211_NAN_SRF_MAC_ADDRS] = { .type = NLA_NESTED },
 };
 
+/* policy for packet pattern attributes */
+static const struct nla_policy
+nl80211_packet_pattern_policy[MAX_NL80211_PKTPAT + 1] = {
+        [NL80211_PKTPAT_MASK] = { .type = NLA_BINARY, },
+        [NL80211_PKTPAT_PATTERN] = { .type = NLA_BINARY, },
+        [NL80211_PKTPAT_OFFSET] = { .type = NLA_U32 },
+};
+
 static int nl80211_prepare_wdev_dump(struct sk_buff *skb,
                                      struct netlink_callback *cb,
                                      struct cfg80211_registered_device **rdev,
@@ -10532,7 +10540,8 @@ static int nl80211_set_wowlan(struct sk_buff *skb, struct genl_info *info)
                         u8 *mask_pat;
 
                         nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat,
-                                         NULL, info->extack);
+                                         nl80211_packet_pattern_policy,
+                                         info->extack);
                         err = -EINVAL;
                         if (!pat_tb[NL80211_PKTPAT_MASK] ||
                             !pat_tb[NL80211_PKTPAT_PATTERN])
@@ -10781,7 +10790,8 @@ static int nl80211_parse_coalesce_rule(struct cfg80211_registered_device *rdev,
                             rem) {
                 u8 *mask_pat;
 
-                nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat, NULL, NULL);
+                nla_parse_nested(pat_tb, MAX_NL80211_PKTPAT, pat,
+                                 nl80211_packet_pattern_policy, NULL);
                 if (!pat_tb[NL80211_PKTPAT_MASK] ||
                     !pat_tb[NL80211_PKTPAT_PATTERN])
                         return -EINVAL;
diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index acf00104ef31..30e5746085b8 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -91,6 +91,7 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
         }
 
         if (!dev->xfrmdev_ops || !dev->xfrmdev_ops->xdo_dev_state_add) {
+                xso->dev = NULL;
                 dev_put(dev);
                 return 0;
         }
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 2515cd2bc5db..8ac9d32fb79d 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -429,7 +429,8 @@ resume:
         nf_reset(skb);
 
         if (decaps) {
-                skb->sp->olen = 0;
+                if (skb->sp)
+                        skb->sp->olen = 0;
                 skb_dst_drop(skb);
                 gro_cells_receive(&gro_cells, skb);
                 return 0;
@@ -440,7 +441,8 @@ resume:
 
                 err = x->inner_mode->afinfo->transport_finish(skb, xfrm_gro || async);
                 if (xfrm_gro) {
-                        skb->sp->olen = 0;
+                        if (skb->sp)
+                                skb->sp->olen = 0;
                         skb_dst_drop(skb);
                         gro_cells_receive(&gro_cells, skb);
                         return err;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 0dab1cd79ce4..12213477cd3a 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -732,12 +732,12 @@ restart:
                         }
                 }
         }
+out:
+        spin_unlock_bh(&net->xfrm.xfrm_state_lock);
         if (cnt) {
                 err = 0;
                 xfrm_policy_cache_flush();
         }
-out:
-        spin_unlock_bh(&net->xfrm.xfrm_state_lock);
         return err;
 }
 EXPORT_SYMBOL(xfrm_state_flush);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 2bfbd9121e3b..b997f1395357 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -657,6 +657,7 @@ static int xfrm_add_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
 
         if (err < 0) {
                 x->km.state = XFRM_STATE_DEAD;
+                xfrm_dev_state_delete(x);
                 __xfrm_state_put(x);
                 goto out;
         }
diff --git a/tools/testing/selftests/networking/timestamping/rxtimestamp.c b/tools/testing/selftests/networking/timestamping/rxtimestamp.c
index 00f286661dcd..dd4162fc0419 100644
--- a/tools/testing/selftests/networking/timestamping/rxtimestamp.c
+++ b/tools/testing/selftests/networking/timestamping/rxtimestamp.c
@@ -341,7 +341,7 @@ int main(int argc, char **argv)
                         return 0;
                 case 'n':
                         t = atoi(optarg);
-                        if (t > ARRAY_SIZE(test_cases))
+                        if (t >= ARRAY_SIZE(test_cases))
                                 error(1, 0, "Invalid test case: %d", t);
                         all_tests = false;
                         test_cases[t].enabled = true;