106 files changed, 938 insertions, 638 deletions

diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 71e85643b3f9..6ad3e043c617 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -454,8 +454,8 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev,
                         goto error_xenbus;
         }
         priv->tag = xenbus_read(xbt, dev->nodename, "tag", NULL);
-        if (!priv->tag) {
-                ret = -EINVAL;
+        if (IS_ERR(priv->tag)) {
+                ret = PTR_ERR(priv->tag);
                 goto error_xenbus;
         }
         ret = xenbus_transaction_end(xbt, 0);
@@ -525,7 +525,7 @@ static struct xenbus_driver xen_9pfs_front_driver = {
         .otherend_changed = xen_9pfs_front_changed,
 };
 
-int p9_trans_xen_init(void)
+static int p9_trans_xen_init(void)
 {
         if (!xen_domain())
                 return -ENODEV;
@@ -537,7 +537,7 @@ int p9_trans_xen_init(void)
 }
 module_init(p9_trans_xen_init);
 
-void p9_trans_xen_exit(void)
+static void p9_trans_xen_exit(void)
 {
         v9fs_unregister_trans(&p9_xen_trans);
         return xenbus_unregister_driver(&xen_9pfs_front_driver);
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index c5ce7745b230..32bd3ead9ba1 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -595,7 +595,7 @@ static int br_afspec(struct net_bridge *br,
                 err = 0;
                 switch (nla_type(attr)) {
                 case IFLA_BRIDGE_VLAN_TUNNEL_INFO:
-                        if (!(p->flags & BR_VLAN_TUNNEL))
+                        if (!p || !(p->flags & BR_VLAN_TUNNEL))
                                 return -EINVAL;
                         err = br_parse_vlan_tunnel_info(attr, &tinfo_curr);
                         if (err)
@@ -835,6 +835,13 @@ static int br_validate(struct nlattr *tb[], struct nlattr *data[])
                         return -EPROTONOSUPPORT;
                 }
         }
+
+        if (data[IFLA_BR_VLAN_DEFAULT_PVID]) {
+                __u16 defpvid = nla_get_u16(data[IFLA_BR_VLAN_DEFAULT_PVID]);
+
+                if (defpvid >= VLAN_VID_MASK)
+                        return -EINVAL;
+        }
 #endif
 
         return 0;
diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c
index 08341d2aa9c9..6f12a5271219 100644
--- a/net/bridge/br_stp_if.c
+++ b/net/bridge/br_stp_if.c
@@ -179,6 +179,8 @@ static void br_stp_start(struct net_bridge *br)
                 br_debug(br, "using kernel STP\n");
 
                 /* To start timers on any ports left in blocking */
+                if (br->dev->flags & IFF_UP)
+                        mod_timer(&br->hello_timer, jiffies + br->hello_time);
                 br_port_state_selection(br);
         }
 
diff --git a/net/bridge/br_stp_timer.c b/net/bridge/br_stp_timer.c
index c98b3e5c140a..60b6fe277a8b 100644
--- a/net/bridge/br_stp_timer.c
+++ b/net/bridge/br_stp_timer.c
@@ -40,7 +40,7 @@ static void br_hello_timer_expired(unsigned long arg)
         if (br->dev->flags & IFF_UP) {
                 br_config_bpdu_generation(br);
 
-                if (br->stp_enabled != BR_USER_STP)
+                if (br->stp_enabled == BR_KERNEL_STP)
                         mod_timer(&br->hello_timer,
                                   round_jiffies(jiffies + br->hello_time));
         }
diff --git a/net/bridge/netfilter/ebt_arpreply.c b/net/bridge/netfilter/ebt_arpreply.c
index 5929309beaa1..db85230e49c3 100644
--- a/net/bridge/netfilter/ebt_arpreply.c
+++ b/net/bridge/netfilter/ebt_arpreply.c
@@ -68,6 +68,9 @@ static int ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
         if (e->ethproto != htons(ETH_P_ARP) ||
             e->invflags & EBT_IPROTO)
                 return -EINVAL;
+        if (ebt_invalid_target(info->target))
+                return -EINVAL;
+
         return 0;
 }
 
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 9ec0c9f908fa..9c6e619f452b 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1373,7 +1373,8 @@ static inline int ebt_obj_to_user(char __user *um, const char *_name,
         strlcpy(name, _name, sizeof(name));
         if (copy_to_user(um, name, EBT_FUNCTION_MAXNAMELEN) ||
             put_user(datasize, (int __user *)(um + EBT_FUNCTION_MAXNAMELEN)) ||
-            xt_data_to_user(um + entrysize, data, usersize, datasize))
+            xt_data_to_user(um + entrysize, data, usersize, datasize,
+                            XT_ALIGN(datasize)))
                 return -EFAULT;
 
         return 0;
@@ -1658,7 +1659,8 @@ static int compat_match_to_user(struct ebt_entry_match *m, void __user **dstptr,
                 if (match->compat_to_user(cm->data, m->data))
                         return -EFAULT;
         } else {
-                if (xt_data_to_user(cm->data, m->data, match->usersize, msize))
+                if (xt_data_to_user(cm->data, m->data, match->usersize, msize,
+                                    COMPAT_XT_ALIGN(msize)))
                         return -EFAULT;
         }
 
@@ -1687,7 +1689,8 @@ static int compat_target_to_user(struct ebt_entry_target *t,
                 if (target->compat_to_user(cm->data, t->data))
                         return -EFAULT;
         } else {
-                if (xt_data_to_user(cm->data, t->data, target->usersize, tsize))
+                if (xt_data_to_user(cm->data, t->data, target->usersize, tsize,
+                                    COMPAT_XT_ALIGN(tsize)))
                         return -EFAULT;
         }
 
diff --git a/net/ceph/auth_x.c b/net/ceph/auth_x.c
index 2034fb926670..8757fb87dab8 100644
--- a/net/ceph/auth_x.c
+++ b/net/ceph/auth_x.c
@@ -151,7 +151,7 @@ static int process_one_ticket(struct ceph_auth_client *ac,
         struct timespec validity;
         void *tp, *tpend;
         void **ptp;
-        struct ceph_crypto_key new_session_key;
+        struct ceph_crypto_key new_session_key = { 0 };
         struct ceph_buffer *new_ticket_blob;
         unsigned long new_expires, new_renew_after;
         u64 new_secret_id;
@@ -215,6 +215,9 @@ static int process_one_ticket(struct ceph_auth_client *ac,
         dout(" ticket blob is %d bytes\n", dlen);
         ceph_decode_need(ptp, tpend, 1 + sizeof(u64), bad);
         blob_struct_v = ceph_decode_8(ptp);
+        if (blob_struct_v != 1)
+                goto bad;
+
         new_secret_id = ceph_decode_64(ptp);
         ret = ceph_decode_buffer(&new_ticket_blob, ptp, tpend);
         if (ret)
@@ -234,13 +237,13 @@ static int process_one_ticket(struct ceph_auth_client *ac,
              type, ceph_entity_type_name(type), th->secret_id,
              (int)th->ticket_blob->vec.iov_len);
         xi->have_keys |= th->service;
-
-out:
-        return ret;
+        return 0;
 
 bad:
         ret = -EINVAL;
-        goto out;
+out:
+        ceph_crypto_key_destroy(&new_session_key);
+        return ret;
 }
 
 static int ceph_x_proc_ticket_reply(struct ceph_auth_client *ac,
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index 4fd02831beed..47e94b560ba0 100644
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -56,19 +56,6 @@ static const struct kernel_param_ops param_ops_supported_features = {
 module_param_cb(supported_features, &param_ops_supported_features, NULL,
                 S_IRUGO);
 
-/*
- * find filename portion of a path (/foo/bar/baz -> baz)
- */
-const char *ceph_file_part(const char *s, int len)
-{
-        const char *e = s + len;
-
-        while (e != s && *(e-1) != '/')
-                e--;
-        return e;
-}
-EXPORT_SYMBOL(ceph_file_part);
-
 const char *ceph_msg_type_name(int type)
 {
         switch (type) {
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index 5766a6c896c4..588a91930051 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1174,8 +1174,8 @@ static struct page *ceph_msg_data_next(struct ceph_msg_data_cursor *cursor,
  * Returns true if the result moves the cursor on to the next piece
  * of the data item.
  */
-static bool ceph_msg_data_advance(struct ceph_msg_data_cursor *cursor,
-                                size_t bytes)
+static void ceph_msg_data_advance(struct ceph_msg_data_cursor *cursor,
+                                  size_t bytes)
 {
         bool new_piece;
 
@@ -1207,8 +1207,6 @@ static bool ceph_msg_data_advance(struct ceph_msg_data_cursor *cursor,
                 new_piece = true;
         }
         cursor->need_crc = new_piece;
-
-        return new_piece;
 }
 
 static size_t sizeof_footer(struct ceph_connection *con)
@@ -1577,7 +1575,6 @@ static int write_partial_message_data(struct ceph_connection *con)
                 size_t page_offset;
                 size_t length;
                 bool last_piece;
-                bool need_crc;
                 int ret;
 
                 page = ceph_msg_data_next(cursor, &page_offset, &length,
@@ -1592,7 +1589,7 @@ static int write_partial_message_data(struct ceph_connection *con)
                 }
                 if (do_datacrc && cursor->need_crc)
                         crc = ceph_crc32c_page(crc, page, page_offset, length);
-                need_crc = ceph_msg_data_advance(cursor, (size_t)ret);
+                ceph_msg_data_advance(cursor, (size_t)ret);
         }
 
         dout("%s %p msg %p done\n", __func__, con, msg);
@@ -2231,10 +2228,18 @@ static void process_ack(struct ceph_connection *con)
         struct ceph_msg *m;
         u64 ack = le64_to_cpu(con->in_temp_ack);
         u64 seq;
+        bool reconnect = (con->in_tag == CEPH_MSGR_TAG_SEQ);
+        struct list_head *list = reconnect ? &con->out_queue : &con->out_sent;
 
-        while (!list_empty(&con->out_sent)) {
-                m = list_first_entry(&con->out_sent, struct ceph_msg,
-                                     list_head);
+        /*
+         * In the reconnect case, con_fault() has requeued messages
+         * in out_sent. We should cleanup old messages according to
+         * the reconnect seq.
+         */
+        while (!list_empty(list)) {
+                m = list_first_entry(list, struct ceph_msg, list_head);
+                if (reconnect && m->needs_out_seq)
+                        break;
                 seq = le64_to_cpu(m->hdr.seq);
                 if (seq > ack)
                         break;
@@ -2243,6 +2248,7 @@ static void process_ack(struct ceph_connection *con)
                 m->ack_stamp = jiffies;
                 ceph_msg_remove(m);
         }
+
         prepare_read_tag(con);
 }
 
@@ -2299,7 +2305,7 @@ static int read_partial_msg_data(struct ceph_connection *con)
 
                 if (do_datacrc)
                         crc = ceph_crc32c_page(crc, page, page_offset, ret);
-                (void) ceph_msg_data_advance(cursor, (size_t)ret);
+                ceph_msg_data_advance(cursor, (size_t)ret);
         }
         if (do_datacrc)
                 con->in_data_crc = crc;
diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
index 29a0ef351c5e..250f11f78609 100644
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -43,15 +43,13 @@ struct ceph_monmap *ceph_monmap_decode(void *p, void *end)
         int i, err = -EINVAL;
         struct ceph_fsid fsid;
         u32 epoch, num_mon;
-        u16 version;
         u32 len;
 
         ceph_decode_32_safe(&p, end, len, bad);
         ceph_decode_need(&p, end, len, bad);
 
         dout("monmap_decode %p %p len %d\n", p, end, (int)(end-p));
-
-        ceph_decode_16_safe(&p, end, version, bad);
+        p += sizeof(u16);  /* skip version */
 
         ceph_decode_need(&p, end, sizeof(fsid) + 2*sizeof(u32), bad);
         ceph_decode_copy(&p, &fsid, sizeof(fsid));
diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
index ffe9e904d4d1..55e3a477f92d 100644
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -317,6 +317,7 @@ static struct crush_map *crush_decode(void *pbyval, void *end)
                 u32 yes;
                 struct crush_rule *r;
 
+                err = -EINVAL;
                 ceph_decode_32_safe(p, end, yes, bad);
                 if (!yes) {
                         dout("crush_decode NO rule %d off %x %p to %p\n",
diff --git a/net/core/dev.c b/net/core/dev.c
index 96cf83da0d66..fca407b4a6ea 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -6852,6 +6852,32 @@ int dev_change_proto_down(struct net_device *dev, bool proto_down)
 }
 EXPORT_SYMBOL(dev_change_proto_down);
 
+bool __dev_xdp_attached(struct net_device *dev, xdp_op_t xdp_op)
+{
+        struct netdev_xdp xdp;
+
+        memset(&xdp, 0, sizeof(xdp));
+        xdp.command = XDP_QUERY_PROG;
+
+        /* Query must always succeed. */
+        WARN_ON(xdp_op(dev, &xdp) < 0);
+        return xdp.prog_attached;
+}
+
+static int dev_xdp_install(struct net_device *dev, xdp_op_t xdp_op,
+                           struct netlink_ext_ack *extack,
+                           struct bpf_prog *prog)
+{
+        struct netdev_xdp xdp;
+
+        memset(&xdp, 0, sizeof(xdp));
+        xdp.command = XDP_SETUP_PROG;
+        xdp.extack = extack;
+        xdp.prog = prog;
+
+        return xdp_op(dev, &xdp);
+}
+
 /**
  *      dev_change_xdp_fd - set or clear a bpf program for a device rx path
  *      @dev: device
@@ -6864,41 +6890,34 @@ EXPORT_SYMBOL(dev_change_proto_down);
 int dev_change_xdp_fd(struct net_device *dev, struct netlink_ext_ack *extack,
                       int fd, u32 flags)
 {
-        int (*xdp_op)(struct net_device *dev, struct netdev_xdp *xdp);
         const struct net_device_ops *ops = dev->netdev_ops;
         struct bpf_prog *prog = NULL;
-        struct netdev_xdp xdp;
+        xdp_op_t xdp_op, xdp_chk;
         int err;
 
         ASSERT_RTNL();
 
-        xdp_op = ops->ndo_xdp;
+        xdp_op = xdp_chk = ops->ndo_xdp;
+        if (!xdp_op && (flags & XDP_FLAGS_DRV_MODE))
+                return -EOPNOTSUPP;
         if (!xdp_op || (flags & XDP_FLAGS_SKB_MODE))
                 xdp_op = generic_xdp_install;
+        if (xdp_op == xdp_chk)
+                xdp_chk = generic_xdp_install;
 
         if (fd >= 0) {
-                if (flags & XDP_FLAGS_UPDATE_IF_NOEXIST) {
-                        memset(&xdp, 0, sizeof(xdp));
-                        xdp.command = XDP_QUERY_PROG;
-
-                        err = xdp_op(dev, &xdp);
-                        if (err < 0)
-                                return err;
-                        if (xdp.prog_attached)
-                                return -EBUSY;
-                }
+                if (xdp_chk && __dev_xdp_attached(dev, xdp_chk))
+                        return -EEXIST;
+                if ((flags & XDP_FLAGS_UPDATE_IF_NOEXIST) &&
+                    __dev_xdp_attached(dev, xdp_op))
+                        return -EBUSY;
 
                 prog = bpf_prog_get_type(fd, BPF_PROG_TYPE_XDP);
                 if (IS_ERR(prog))
                         return PTR_ERR(prog);
         }
 
-        memset(&xdp, 0, sizeof(xdp));
-        xdp.command = XDP_SETUP_PROG;
-        xdp.extack = extack;
-        xdp.prog = prog;
-
-        err = xdp_op(dev, &xdp);
+        err = dev_xdp_install(dev, xdp_op, extack, prog);
         if (err < 0 && prog)
                 bpf_prog_put(prog);
 
diff --git a/net/core/devlink.c b/net/core/devlink.c
index b0b87a292e7c..a0adfc31a3fe 100644
--- a/net/core/devlink.c
+++ b/net/core/devlink.c
@@ -1680,8 +1680,10 @@ start_again:
 
         hdr = genlmsg_put(skb, info->snd_portid, info->snd_seq,
                           &devlink_nl_family, NLM_F_MULTI, cmd);
-        if (!hdr)
+        if (!hdr) {
+                nlmsg_free(skb);
                 return -EMSGSIZE;
+        }
 
         if (devlink_nl_put_handle(skb, devlink))
                 goto nla_put_failure;
@@ -2098,8 +2100,10 @@ start_again:
 
         hdr = genlmsg_put(skb, info->snd_portid, info->snd_seq,
                           &devlink_nl_family, NLM_F_MULTI, cmd);
-        if (!hdr)
+        if (!hdr) {
+                nlmsg_free(skb);
                 return -EMSGSIZE;
+        }
 
         if (devlink_nl_put_handle(skb, devlink))
                 goto nla_put_failure;
diff --git a/net/core/dst.c b/net/core/dst.c
index 960e503b5a52..6192f11beec9 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -151,13 +151,13 @@ int dst_discard_out(struct net *net, struct sock *sk, struct sk_buff *skb)
 }
 EXPORT_SYMBOL(dst_discard_out);
 
-const u32 dst_default_metrics[RTAX_MAX + 1] = {
+const struct dst_metrics dst_default_metrics = {
         /* This initializer is needed to force linker to place this variable
          * into const section. Otherwise it might end into bss section.
          * We really want to avoid false sharing on this variable, and catch
          * any writes on it.
          */
-        [RTAX_MAX] = 0xdeadbeef,
+        .refcnt = ATOMIC_INIT(1),
 };
 
 void dst_init(struct dst_entry *dst, struct dst_ops *ops,
@@ -169,7 +169,7 @@ void dst_init(struct dst_entry *dst, struct dst_ops *ops,
         if (dev)
                 dev_hold(dev);
         dst->ops = ops;
-        dst_init_metrics(dst, dst_default_metrics, true);
+        dst_init_metrics(dst, dst_default_metrics.metrics, true);
         dst->expires = 0UL;
         dst->path = dst;
         dst->from = NULL;
@@ -314,25 +314,30 @@ EXPORT_SYMBOL(dst_release);
 
 u32 *dst_cow_metrics_generic(struct dst_entry *dst, unsigned long old)
 {
-        u32 *p = kmalloc(sizeof(u32) * RTAX_MAX, GFP_ATOMIC);
+        struct dst_metrics *p = kmalloc(sizeof(*p), GFP_ATOMIC);
 
         if (p) {
-                u32 *old_p = __DST_METRICS_PTR(old);
+                struct dst_metrics *old_p = (struct dst_metrics *)__DST_METRICS_PTR(old);
                 unsigned long prev, new;
 
-                memcpy(p, old_p, sizeof(u32) * RTAX_MAX);
+                atomic_set(&p->refcnt, 1);
+                memcpy(p->metrics, old_p->metrics, sizeof(p->metrics));
 
                 new = (unsigned long) p;
                 prev = cmpxchg(&dst->_metrics, old, new);
 
                 if (prev != old) {
                         kfree(p);
-                        p = __DST_METRICS_PTR(prev);
+                        p = (struct dst_metrics *)__DST_METRICS_PTR(prev);
                         if (prev & DST_METRICS_READ_ONLY)
                                 p = NULL;
+                } else if (prev & DST_METRICS_REFCOUNTED) {
+                        if (atomic_dec_and_test(&old_p->refcnt))
+                                kfree(old_p);
                 }
         }
-        return p;
+        BUILD_BUG_ON(offsetof(struct dst_metrics, metrics) != 0);
+        return (u32 *)p;
 }
 EXPORT_SYMBOL(dst_cow_metrics_generic);
 
@@ -341,7 +346,7 @@ void __dst_destroy_metrics_generic(struct dst_entry *dst, unsigned long old)
 {
         unsigned long prev, new;
 
-        new = ((unsigned long) dst_default_metrics) | DST_METRICS_READ_ONLY;
+        new = ((unsigned long) &dst_default_metrics) | DST_METRICS_READ_ONLY;
         prev = cmpxchg(&dst->_metrics, old, new);
         if (prev == old)
                 kfree(__DST_METRICS_PTR(old));
diff --git a/net/core/filter.c b/net/core/filter.c
index a253a6197e6b..a6bb95fa87b2 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2281,6 +2281,7 @@ bool bpf_helper_changes_pkt_data(void *func)
             func == bpf_skb_change_head ||
             func == bpf_skb_change_tail ||
             func == bpf_skb_pull_data ||
+            func == bpf_clone_redirect ||
             func == bpf_l3_csum_replace ||
             func == bpf_l4_csum_replace ||
             func == bpf_xdp_adjust_head)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 58b0bcc125b5..d274f81fcc2c 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1132,10 +1132,6 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
                 lladdr = neigh->ha;
         }
 
-        if (new & NUD_CONNECTED)
-                neigh->confirmed = jiffies;
-        neigh->updated = jiffies;
-
         /* If entry was valid and address is not changed,
            do not change entry state, if new one is STALE.
          */
@@ -1157,6 +1153,16 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
                 }
         }
 
+        /* Update timestamps only once we know we will make a change to the
+         * neighbour entry. Otherwise we risk to move the locktime window with
+         * noop updates and ignore relevant ARP updates.
+         */
+        if (new != old || lladdr != neigh->ha) {
+                if (new & NUD_CONNECTED)
+                        neigh->confirmed = jiffies;
+                neigh->updated = jiffies;
+        }
+
         if (new != old) {
                 neigh_del_timer(neigh);
                 if (new & NUD_PROBE)
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 1934efd4a9d4..26bbfababff2 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -315,6 +315,25 @@ out_undo:
         goto out;
 }
 
+static int __net_init net_defaults_init_net(struct net *net)
+{
+        net->core.sysctl_somaxconn = SOMAXCONN;
+        return 0;
+}
+
+static struct pernet_operations net_defaults_ops = {
+        .init = net_defaults_init_net,
+};
+
+static __init int net_defaults_init(void)
+{
+        if (register_pernet_subsys(&net_defaults_ops))
+                panic("Cannot initialize net default settings");
+
+        return 0;
+}
+
+core_initcall(net_defaults_init);
 
 #ifdef CONFIG_NET_NS
 static struct ucounts *inc_net_namespaces(struct user_namespace *ns)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index bcb0f610ee42..9e2c0a7cb325 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -899,8 +899,7 @@ static size_t rtnl_port_size(const struct net_device *dev,
 static size_t rtnl_xdp_size(void)
 {
         size_t xdp_size = nla_total_size(0) +   /* nest IFLA_XDP */
-                          nla_total_size(1) +   /* XDP_ATTACHED */
-                          nla_total_size(4);    /* XDP_FLAGS */
+                          nla_total_size(1);    /* XDP_ATTACHED */
 
         return xdp_size;
 }
@@ -1247,37 +1246,34 @@ static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
         return 0;
 }
 
+static u8 rtnl_xdp_attached_mode(struct net_device *dev)
+{
+        const struct net_device_ops *ops = dev->netdev_ops;
+
+        ASSERT_RTNL();
+
+        if (rcu_access_pointer(dev->xdp_prog))
+                return XDP_ATTACHED_SKB;
+        if (ops->ndo_xdp && __dev_xdp_attached(dev, ops->ndo_xdp))
+                return XDP_ATTACHED_DRV;
+
+        return XDP_ATTACHED_NONE;
+}
+
 static int rtnl_xdp_fill(struct sk_buff *skb, struct net_device *dev)
 {
         struct nlattr *xdp;
-        u32 xdp_flags = 0;
-        u8 val = 0;
         int err;
 
         xdp = nla_nest_start(skb, IFLA_XDP);
         if (!xdp)
                 return -EMSGSIZE;
-        if (rcu_access_pointer(dev->xdp_prog)) {
-                xdp_flags = XDP_FLAGS_SKB_MODE;
-                val = 1;
-        } else if (dev->netdev_ops->ndo_xdp) {
-                struct netdev_xdp xdp_op = {};
-
-                xdp_op.command = XDP_QUERY_PROG;
-                err = dev->netdev_ops->ndo_xdp(dev, &xdp_op);
-                if (err)
-                        goto err_cancel;
-                val = xdp_op.prog_attached;
-        }
-        err = nla_put_u8(skb, IFLA_XDP_ATTACHED, val);
+
+        err = nla_put_u8(skb, IFLA_XDP_ATTACHED,
+                         rtnl_xdp_attached_mode(dev));
         if (err)
                 goto err_cancel;
 
-        if (xdp_flags) {
-                err = nla_put_u32(skb, IFLA_XDP_FLAGS, xdp_flags);
-                if (err)
-                        goto err_cancel;
-        }
         nla_nest_end(skb, xdp);
         return 0;
 
@@ -1631,13 +1627,13 @@ static int rtnl_dump_ifinfo(struct sk_buff *skb, struct netlink_callback *cb)
                                                cb->nlh->nlmsg_seq, 0,
                                                flags,
                                                ext_filter_mask);
-                        /* If we ran out of room on the first message,
-                         * we're in trouble
-                         */
-                        WARN_ON((err == -EMSGSIZE) && (skb->len == 0));
 
-                        if (err < 0)
-                                goto out;
+                        if (err < 0) {
+                                if (likely(skb->len))
+                                        goto out;
+
+                                goto out_err;
+                        }
 
                         nl_dump_check_consistent(cb, nlmsg_hdr(skb));
 cont:
@@ -1645,10 +1641,12 @@ cont:
                 }
         }
 out:
+        err = skb->len;
+out_err:
         cb->args[1] = idx;
         cb->args[0] = h;
 
-        return skb->len;
+        return err;
 }
 
 int rtnl_nla_parse_ifla(struct nlattr **tb, const struct nlattr *head, int len,
@@ -2199,6 +2197,11 @@ static int do_setlink(const struct sk_buff *skb,
                                 err = -EINVAL;
                                 goto errout;
                         }
+                        if ((xdp_flags & XDP_FLAGS_SKB_MODE) &&
+                            (xdp_flags & XDP_FLAGS_DRV_MODE)) {
+                                err = -EINVAL;
+                                goto errout;
+                        }
                 }
 
                 if (xdp[IFLA_XDP_FD]) {
@@ -3228,8 +3231,11 @@ static int rtnl_fdb_dump(struct sk_buff *skb, struct netlink_callback *cb)
         int err = 0;
         int fidx = 0;
 
-        if (nlmsg_parse(cb->nlh, sizeof(struct ifinfomsg), tb,
-                        IFLA_MAX, ifla_policy, NULL) == 0) {
+        err = nlmsg_parse(cb->nlh, sizeof(struct ifinfomsg), tb,
+                          IFLA_MAX, ifla_policy, NULL);
+        if (err < 0) {
+                return -EINVAL;
+        } else if (err == 0) {
                 if (tb[IFLA_MASTER])
                         br_idx = nla_get_u32(tb[IFLA_MASTER]);
         }
@@ -3452,8 +3458,12 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb)
                                 err = br_dev->netdev_ops->ndo_bridge_getlink(
                                                 skb, portid, seq, dev,
                                                 filter_mask, NLM_F_MULTI);
-                                if (err < 0 && err != -EOPNOTSUPP)
-                                        break;
+                                if (err < 0 && err != -EOPNOTSUPP) {
+                                        if (likely(skb->len))
+                                                break;
+
+                                        goto out_err;
+                                }
                         }
                         idx++;
                 }
@@ -3464,16 +3474,22 @@ static int rtnl_bridge_getlink(struct sk_buff *skb, struct netlink_callback *cb)
                                                               seq, dev,
                                                               filter_mask,
                                                               NLM_F_MULTI);
-                                if (err < 0 && err != -EOPNOTSUPP)
-                                        break;
+                                if (err < 0 && err != -EOPNOTSUPP) {
+                                        if (likely(skb->len))
+                                                break;
+
+                                        goto out_err;
+                                }
                         }
                         idx++;
                 }
         }
+        err = skb->len;
+out_err:
         rcu_read_unlock();
         cb->args[0] = idx;
 
-        return skb->len;
+        return err;
 }
 
 static inline size_t bridge_nlmsg_size(void)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 346d3e85dfbc..b1be7c01efe2 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3754,8 +3754,11 @@ struct sk_buff *sock_dequeue_err_skb(struct sock *sk)
 
         spin_lock_irqsave(&q->lock, flags);
         skb = __skb_dequeue(q);
-        if (skb && (skb_next = skb_peek(q)))
+        if (skb && (skb_next = skb_peek(q))) {
                 icmp_next = is_icmp_err_skb(skb_next);
+                if (icmp_next)
+                        sk->sk_err = SKB_EXT_ERR(skb_next)->ee.ee_origin;
+        }
         spin_unlock_irqrestore(&q->lock, flags);
 
         if (is_icmp_err_skb(skb) && !icmp_next)
diff --git a/net/core/sock.c b/net/core/sock.c
index 79c6aee6af9b..727f924b7f91 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -139,10 +139,7 @@
 
 #include <trace/events/sock.h>
 
-#ifdef CONFIG_INET
 #include <net/tcp.h>
-#endif
-
 #include <net/busy_poll.h>
 
 static DEFINE_MUTEX(proto_list_mutex);
@@ -1803,28 +1800,24 @@ EXPORT_SYMBOL(skb_set_owner_w);
  * delay queue. We want to allow the owner socket to send more
  * packets, as if they were already TX completed by a typical driver.
  * But we also want to keep skb->sk set because some packet schedulers
- * rely on it (sch_fq for example). So we set skb->truesize to a small
- * amount (1) and decrease sk_wmem_alloc accordingly.
+ * rely on it (sch_fq for example).
  */
 void skb_orphan_partial(struct sk_buff *skb)
 {
-        /* If this skb is a TCP pure ACK or already went here,
-         * we have nothing to do. 2 is already a very small truesize.
-         */
-        if (skb->truesize <= 2)
+        if (skb_is_tcp_pure_ack(skb))
                 return;
 
-        /* TCP stack sets skb->ooo_okay based on sk_wmem_alloc,
-         * so we do not completely orphan skb, but transfert all
-         * accounted bytes but one, to avoid unexpected reorders.
-         */
         if (skb->destructor == sock_wfree
 #ifdef CONFIG_INET
             || skb->destructor == tcp_wfree
 #endif
                 ) {
-                atomic_sub(skb->truesize - 1, &skb->sk->sk_wmem_alloc);
-                skb->truesize = 1;
+                struct sock *sk = skb->sk;
+
+                if (atomic_inc_not_zero(&sk->sk_refcnt)) {
+                        atomic_sub(skb->truesize, &sk->sk_wmem_alloc);
+                        skb->destructor = sock_efree;
+                }
         } else {
                 skb_orphan(skb);
         }
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index ea23254b2457..b7cd9aafe99e 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -479,8 +479,6 @@ static __net_init int sysctl_core_net_init(struct net *net)
 {
         struct ctl_table *tbl;
 
-        net->core.sysctl_somaxconn = SOMAXCONN;
-
         tbl = netns_core_table;
         if (!net_eq(net, &init_net)) {
                 tbl = kmemdup(tbl, sizeof(netns_core_table), GFP_KERNEL);
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 840f14aaa016..992621172220 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -426,6 +426,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
                 newsk->sk_backlog_rcv = dccp_v4_do_rcv;
                 newnp->pktoptions  = NULL;
                 newnp->opt         = NULL;
+                newnp->ipv6_mc_list = NULL;
+                newnp->ipv6_ac_list = NULL;
+                newnp->ipv6_fl_list = NULL;
                 newnp->mcast_oif   = inet6_iif(skb);
                 newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
 
@@ -490,6 +493,9 @@ static struct sock *dccp_v6_request_recv_sock(const struct sock *sk,
         /* Clone RX bits */
         newnp->rxopt.all = np->rxopt.all;
 
+        newnp->ipv6_mc_list = NULL;
+        newnp->ipv6_ac_list = NULL;
+        newnp->ipv6_fl_list = NULL;
         newnp->pktoptions = NULL;
         newnp->opt        = NULL;
         newnp->mcast_oif  = inet6_iif(skb);
diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
index 26130ae438da..90038d45a547 100644
--- a/net/dsa/dsa.c
+++ b/net/dsa/dsa.c
@@ -223,6 +223,53 @@ static int dsa_switch_rcv(struct sk_buff *skb, struct net_device *dev,
         return 0;
 }
 
+#ifdef CONFIG_PM_SLEEP
+int dsa_switch_suspend(struct dsa_switch *ds)
+{
+        int i, ret = 0;
+
+        /* Suspend slave network devices */
+        for (i = 0; i < ds->num_ports; i++) {
+                if (!dsa_is_port_initialized(ds, i))
+                        continue;
+
+                ret = dsa_slave_suspend(ds->ports[i].netdev);
+                if (ret)
+                        return ret;
+        }
+
+        if (ds->ops->suspend)
+                ret = ds->ops->suspend(ds);
+
+        return ret;
+}
+EXPORT_SYMBOL_GPL(dsa_switch_suspend);
+
+int dsa_switch_resume(struct dsa_switch *ds)
+{
+        int i, ret = 0;
+
+        if (ds->ops->resume)
+                ret = ds->ops->resume(ds);
+
+        if (ret)
+                return ret;
+
+        /* Resume slave network devices */
+        for (i = 0; i < ds->num_ports; i++) {
+                if (!dsa_is_port_initialized(ds, i))
+                        continue;
+
+                ret = dsa_slave_resume(ds->ports[i].netdev);
+                if (ret)
+                        return ret;
+        }
+
+        return 0;
+}
+EXPORT_SYMBOL_GPL(dsa_switch_resume);
+#endif
+
 static struct packet_type dsa_pack_type __read_mostly = {
         .type   = cpu_to_be16(ETH_P_XDSA),
         .func   = dsa_switch_rcv,
diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c
index 033b3bfb63dc..7796580e99ee 100644
--- a/net/dsa/dsa2.c
+++ b/net/dsa/dsa2.c
@@ -484,8 +484,10 @@ static void dsa_dst_unapply(struct dsa_switch_tree *dst)
                 dsa_ds_unapply(dst, ds);
         }
 
-        if (dst->cpu_switch)
+        if (dst->cpu_switch) {
                 dsa_cpu_port_ethtool_restore(dst->cpu_switch);
+                dst->cpu_switch = NULL;
+        }
 
         pr_info("DSA: tree %d unapplied\n", dst->tree);
         dst->applied = false;
diff --git a/net/dsa/legacy.c b/net/dsa/legacy.c
index ad345c8b0b06..7281098df04e 100644
--- a/net/dsa/legacy.c
+++ b/net/dsa/legacy.c
@@ -289,53 +289,6 @@ static void dsa_switch_destroy(struct dsa_switch *ds)
         dsa_switch_unregister_notifier(ds);
 }
 
-#ifdef CONFIG_PM_SLEEP
-int dsa_switch_suspend(struct dsa_switch *ds)
-{
-        int i, ret = 0;
-
-        /* Suspend slave network devices */
-        for (i = 0; i < ds->num_ports; i++) {
-                if (!dsa_is_port_initialized(ds, i))
-                        continue;
-
-                ret = dsa_slave_suspend(ds->ports[i].netdev);
-                if (ret)
-                        return ret;
-        }
-
-        if (ds->ops->suspend)
-                ret = ds->ops->suspend(ds);
-
-        return ret;
-}
-EXPORT_SYMBOL_GPL(dsa_switch_suspend);
-
-int dsa_switch_resume(struct dsa_switch *ds)
-{
-        int i, ret = 0;
-
-        if (ds->ops->resume)
-                ret = ds->ops->resume(ds);
-
-        if (ret)
-                return ret;
-
-        /* Resume slave network devices */
-        for (i = 0; i < ds->num_ports; i++) {
-                if (!dsa_is_port_initialized(ds, i))
-                        continue;
-
-                ret = dsa_slave_resume(ds->ports[i].netdev);
-                if (ret)
-                        return ret;
-        }
-
-        return 0;
-}
-EXPORT_SYMBOL_GPL(dsa_switch_resume);
-#endif
-
 /* platform driver init and cleanup *****************************************/
 static int dev_is_class(struct device *dev, void *class)
 {
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index f3dad1661343..58925b6597de 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -1043,7 +1043,7 @@ static struct inet_protosw inetsw_array[] =
                 .type =       SOCK_DGRAM,
                 .protocol =   IPPROTO_ICMP,
                 .prot =       &ping_prot,
-                .ops =        &inet_dgram_ops,
+                .ops =        &inet_sockraw_ops,
                 .flags =      INET_PROTOSW_REUSE,
        },
 
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 0937b34c27ca..e9f3386a528b 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -641,6 +641,32 @@ void arp_xmit(struct sk_buff *skb)
 }
 EXPORT_SYMBOL(arp_xmit);
 
+static bool arp_is_garp(struct net *net, struct net_device *dev,
+                        int *addr_type, __be16 ar_op,
+                        __be32 sip, __be32 tip,
+                        unsigned char *sha, unsigned char *tha)
+{
+        bool is_garp = tip == sip;
+
+        /* Gratuitous ARP _replies_ also require target hwaddr to be
+         * the same as source.
+         */
+        if (is_garp && ar_op == htons(ARPOP_REPLY))
+                is_garp =
+                        /* IPv4 over IEEE 1394 doesn't provide target
+                         * hardware address field in its ARP payload.
+                         */
+                        tha &&
+                        !memcmp(tha, sha, dev->addr_len);
+
+        if (is_garp) {
+                *addr_type = inet_addr_type_dev_table(net, dev, sip);
+                if (*addr_type != RTN_UNICAST)
+                        is_garp = false;
+        }
+        return is_garp;
+}
+
 /*
  *      Process an arp request.
  */
@@ -653,6 +679,7 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
         unsigned char *arp_ptr;
         struct rtable *rt;
         unsigned char *sha;
+        unsigned char *tha = NULL;
         __be32 sip, tip;
         u16 dev_type = dev->type;
         int addr_type;
@@ -724,6 +751,7 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
                 break;
 #endif
         default:
+                tha = arp_ptr;
                 arp_ptr += dev->addr_len;
         }
         memcpy(&tip, arp_ptr, 4);
@@ -835,19 +863,25 @@ static int arp_process(struct net *net, struct sock *sk, struct sk_buff *skb)
 
         n = __neigh_lookup(&arp_tbl, &sip, dev, 0);
 
-        if (IN_DEV_ARP_ACCEPT(in_dev)) {
-                unsigned int addr_type = inet_addr_type_dev_table(net, dev, sip);
+        addr_type = -1;
+        if (n || IN_DEV_ARP_ACCEPT(in_dev)) {
+                is_garp = arp_is_garp(net, dev, &addr_type, arp->ar_op,
+                                      sip, tip, sha, tha);
+        }
 
+        if (IN_DEV_ARP_ACCEPT(in_dev)) {
                 /* Unsolicited ARP is not accepted by default.
                    It is possible, that this option should be enabled for some
                    devices (strip is candidate)
                  */
-                is_garp = arp->ar_op == htons(ARPOP_REQUEST) && tip == sip &&
-                          addr_type == RTN_UNICAST;
-
                 if (!n &&
-                    ((arp->ar_op == htons(ARPOP_REPLY)  &&
-                                addr_type == RTN_UNICAST) || is_garp))
+                    (is_garp ||
+                     (arp->ar_op == htons(ARPOP_REPLY) &&
+                      (addr_type == RTN_UNICAST ||
+                       (addr_type < 0 &&
+                        /* postpone calculation to as late as possible */
+                        inet_addr_type_dev_table(net, dev, sip) ==
+                                RTN_UNICAST)))))
                         n = __neigh_lookup(&arp_tbl, &sip, dev, 1);
         }
 
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 65cc02bd82bc..93322f895eab 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -248,6 +248,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
         u8 *tail;
         u8 *vaddr;
         int nfrags;
+        int esph_offset;
         struct page *page;
         struct sk_buff *trailer;
         int tailen = esp->tailen;
@@ -313,11 +314,13 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
         }
 
 cow:
+        esph_offset = (unsigned char *)esp->esph - skb_transport_header(skb);
+
         nfrags = skb_cow_data(skb, tailen, &trailer);
         if (nfrags < 0)
                 goto out;
         tail = skb_tail_pointer(trailer);
-        esp->esph = ip_esp_hdr(skb);
+        esp->esph = (struct ip_esp_hdr *)(skb_transport_header(skb) + esph_offset);
 
 skip_cow:
         esp_output_fill_trailer(tail, esp->tfclen, esp->plen, esp->proto);
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 39bd1edee676..83e3ed258467 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -763,7 +763,7 @@ static int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb)
         unsigned int e = 0, s_e;
         struct fib_table *tb;
         struct hlist_head *head;
-        int dumped = 0;
+        int dumped = 0, err;
 
         if (nlmsg_len(cb->nlh) >= sizeof(struct rtmsg) &&
             ((struct rtmsg *) nlmsg_data(cb->nlh))->rtm_flags & RTM_F_CLONED)
@@ -783,20 +783,27 @@ static int inet_dump_fib(struct sk_buff *skb, struct netlink_callback *cb)
                         if (dumped)
                                 memset(&cb->args[2], 0, sizeof(cb->args) -
                                                  2 * sizeof(cb->args[0]));
-                        if (fib_table_dump(tb, skb, cb) < 0)
-                                goto out;
+                        err = fib_table_dump(tb, skb, cb);
+                        if (err < 0) {
+                                if (likely(skb->len))
+                                        goto out;
+
+                                goto out_err;
+                        }
                         dumped = 1;
 next:
                         e++;
                 }
         }
 out:
+        err = skb->len;
+out_err:
         rcu_read_unlock();
 
         cb->args[1] = e;
         cb->args[0] = h;
 
-        return skb->len;
+        return err;
 }
 
 /* Prepare and feed intra-kernel routing request.
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index da449ddb8cc1..ad9ad4aab5da 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -203,6 +203,7 @@ static void rt_fibinfo_free_cpus(struct rtable __rcu * __percpu *rtp)
 static void free_fib_info_rcu(struct rcu_head *head)
 {
         struct fib_info *fi = container_of(head, struct fib_info, rcu);
+        struct dst_metrics *m;
 
         change_nexthops(fi) {
                 if (nexthop_nh->nh_dev)
@@ -213,8 +214,9 @@ static void free_fib_info_rcu(struct rcu_head *head)
                 rt_fibinfo_free(&nexthop_nh->nh_rth_input);
         } endfor_nexthops(fi);
 
-        if (fi->fib_metrics != (u32 *) dst_default_metrics)
-                kfree(fi->fib_metrics);
+        m = fi->fib_metrics;
+        if (m != &dst_default_metrics && atomic_dec_and_test(&m->refcnt))
+                kfree(m);
         kfree(fi);
 }
 
@@ -971,11 +973,11 @@ fib_convert_metrics(struct fib_info *fi, const struct fib_config *cfg)
                         val = 255;
                 if (type == RTAX_FEATURES && (val & ~RTAX_FEATURE_MASK))
                         return -EINVAL;
-                fi->fib_metrics[type - 1] = val;
+                fi->fib_metrics->metrics[type - 1] = val;
         }
 
         if (ecn_ca)
-                fi->fib_metrics[RTAX_FEATURES - 1] |= DST_FEATURE_ECN_CA;
+                fi->fib_metrics->metrics[RTAX_FEATURES - 1] |= DST_FEATURE_ECN_CA;
 
         return 0;
 }
@@ -1033,11 +1035,12 @@ struct fib_info *fib_create_info(struct fib_config *cfg)
                 goto failure;
         fib_info_cnt++;
         if (cfg->fc_mx) {
-                fi->fib_metrics = kzalloc(sizeof(u32) * RTAX_MAX, GFP_KERNEL);
+                fi->fib_metrics = kzalloc(sizeof(*fi->fib_metrics), GFP_KERNEL);
                 if (!fi->fib_metrics)
                         goto failure;
+                atomic_set(&fi->fib_metrics->refcnt, 1);
         } else
-                fi->fib_metrics = (u32 *) dst_default_metrics;
+                fi->fib_metrics = (struct dst_metrics *)&dst_default_metrics;
 
         fi->fib_net = net;
         fi->fib_protocol = cfg->fc_protocol;
@@ -1238,7 +1241,7 @@ int fib_dump_info(struct sk_buff *skb, u32 portid, u32 seq, int event,
         if (fi->fib_priority &&
             nla_put_u32(skb, RTA_PRIORITY, fi->fib_priority))
                 goto nla_put_failure;
-        if (rtnetlink_put_metrics(skb, fi->fib_metrics) < 0)
+        if (rtnetlink_put_metrics(skb, fi->fib_metrics->metrics) < 0)
                 goto nla_put_failure;
 
         if (fi->fib_prefsrc &&
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 1201409ba1dc..51182ff2b441 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1983,6 +1983,8 @@ static int fn_trie_dump_leaf(struct key_vector *l, struct fib_table *tb,
 
         /* rcu_read_lock is hold by caller */
         hlist_for_each_entry_rcu(fa, &l->leaf, fa_list) {
+                int err;
+
                 if (i < s_i) {
                         i++;
                         continue;
@@ -1993,17 +1995,14 @@ static int fn_trie_dump_leaf(struct key_vector *l, struct fib_table *tb,
                         continue;
                 }
 
-                if (fib_dump_info(skb, NETLINK_CB(cb->skb).portid,
-                                  cb->nlh->nlmsg_seq,
-                                  RTM_NEWROUTE,
-                                  tb->tb_id,
-                                  fa->fa_type,
-                                  xkey,
-                                  KEYLENGTH - fa->fa_slen,
-                                  fa->fa_tos,
-                                  fa->fa_info, NLM_F_MULTI) < 0) {
+                err = fib_dump_info(skb, NETLINK_CB(cb->skb).portid,
+                                    cb->nlh->nlmsg_seq, RTM_NEWROUTE,
+                                    tb->tb_id, fa->fa_type,
+                                    xkey, KEYLENGTH - fa->fa_slen,
+                                    fa->fa_tos, fa->fa_info, NLM_F_MULTI);
+                if (err < 0) {
                         cb->args[4] = i;
-                        return -1;
+                        return err;
                 }
                 i++;
         }
@@ -2025,10 +2024,13 @@ int fib_table_dump(struct fib_table *tb, struct sk_buff *skb,
         t_key key = cb->args[3];
 
         while ((l = leaf_walk_rcu(&tp, key)) != NULL) {
-                if (fn_trie_dump_leaf(l, tb, skb, cb) < 0) {
+                int err;
+
+                err = fn_trie_dump_leaf(l, tb, skb, cb);
+                if (err < 0) {
                         cb->args[3] = key;
                         cb->args[2] = count;
-                        return -1;
+                        return err;
                 }
 
                 ++count;
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 3a02d52ed50e..551de4d023a8 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1980,6 +1980,20 @@ int ip_mr_input(struct sk_buff *skb)
         struct net *net = dev_net(skb->dev);
         int local = skb_rtable(skb)->rt_flags & RTCF_LOCAL;
         struct mr_table *mrt;
+        struct net_device *dev;
+
+        /* skb->dev passed in is the loX master dev for vrfs.
+         * As there are no vifs associated with loopback devices,
+         * get the proper interface that does have a vif associated with it.
+         */
+        dev = skb->dev;
+        if (netif_is_l3_master(skb->dev)) {
+                dev = dev_get_by_index_rcu(net, IPCB(skb)->iif);
+                if (!dev) {
+                        kfree_skb(skb);
+                        return -ENODEV;
+                }
+        }
 
         /* Packet is looped back after forward, it should not be
          * forwarded second time, but still can be delivered locally.
@@ -2017,7 +2031,7 @@ int ip_mr_input(struct sk_buff *skb)
         /* already under rcu_read_lock() */
         cache = ipmr_cache_find(mrt, ip_hdr(skb)->saddr, ip_hdr(skb)->daddr);
         if (!cache) {
-                int vif = ipmr_find_vif(mrt, skb->dev);
+                int vif = ipmr_find_vif(mrt, dev);
 
                 if (vif >= 0)
                         cache = ipmr_cache_find_any(mrt, ip_hdr(skb)->daddr,
@@ -2037,7 +2051,7 @@ int ip_mr_input(struct sk_buff *skb)
                 }
 
                 read_lock(&mrt_lock);
-                vif = ipmr_find_vif(mrt, skb->dev);
+                vif = ipmr_find_vif(mrt, dev);
                 if (vif >= 0) {
                         int err2 = ipmr_cache_unresolved(mrt, vif, skb);
                         read_unlock(&mrt_lock);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 655d9eebe43e..6883b3d4ba8f 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1385,8 +1385,12 @@ static void rt_add_uncached_list(struct rtable *rt)
 
 static void ipv4_dst_destroy(struct dst_entry *dst)
 {
+        struct dst_metrics *p = (struct dst_metrics *)DST_METRICS_PTR(dst);
         struct rtable *rt = (struct rtable *) dst;
 
+        if (p != &dst_default_metrics && atomic_dec_and_test(&p->refcnt))
+                kfree(p);
+
         if (!list_empty(&rt->rt_uncached)) {
                 struct uncached_list *ul = rt->rt_uncached_list;
 
@@ -1438,7 +1442,11 @@ static void rt_set_nexthop(struct rtable *rt, __be32 daddr,
                         rt->rt_gateway = nh->nh_gw;
                         rt->rt_uses_gateway = 1;
                 }
-                dst_init_metrics(&rt->dst, fi->fib_metrics, true);
+                dst_init_metrics(&rt->dst, fi->fib_metrics->metrics, true);
+                if (fi->fib_metrics != &dst_default_metrics) {
+                        rt->dst._metrics |= DST_METRICS_REFCOUNTED;
+                        atomic_inc(&fi->fib_metrics->refcnt);
+                }
 #ifdef CONFIG_IP_ROUTE_CLASSID
                 rt->dst.tclassid = nh->nh_tclassid;
 #endif
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 1e4c76d2b827..b5ea036ca781 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1084,9 +1084,12 @@ static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg,
 {
         struct tcp_sock *tp = tcp_sk(sk);
         struct inet_sock *inet = inet_sk(sk);
+        struct sockaddr *uaddr = msg->msg_name;
         int err, flags;
 
-        if (!(sysctl_tcp_fastopen & TFO_CLIENT_ENABLE))
+        if (!(sysctl_tcp_fastopen & TFO_CLIENT_ENABLE) ||
+            (uaddr && msg->msg_namelen >= sizeof(uaddr->sa_family) &&
+             uaddr->sa_family == AF_UNSPEC))
                 return -EOPNOTSUPP;
         if (tp->fastopen_req)
                 return -EALREADY; /* Another Fast Open is in progress */
@@ -1108,7 +1111,7 @@ static int tcp_sendmsg_fastopen(struct sock *sk, struct msghdr *msg,
                 }
         }
         flags = (msg->msg_flags & MSG_DONTWAIT) ? O_NONBLOCK : 0;
-        err = __inet_stream_connect(sk->sk_socket, msg->msg_name,
+        err = __inet_stream_connect(sk->sk_socket, uaddr,
                                     msg->msg_namelen, flags, 1);
         /* fastopen_req could already be freed in __inet_stream_connect
          * if the connection times out or gets rst
@@ -2320,6 +2323,10 @@ int tcp_disconnect(struct sock *sk, int flags)
         tcp_set_ca_state(sk, TCP_CA_Open);
         tcp_clear_retrans(tp);
         inet_csk_delack_init(sk);
+        /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
+         * issue in __tcp_select_window()
+         */
+        icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;
         tcp_init_send_head(sk);
         memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
         __sk_dst_reset(sk);
@@ -2374,9 +2381,10 @@ static int tcp_repair_set_window(struct tcp_sock *tp, char __user *optbuf, int l
         return 0;
 }
 
-static int tcp_repair_options_est(struct tcp_sock *tp,
+static int tcp_repair_options_est(struct sock *sk,
                 struct tcp_repair_opt __user *optbuf, unsigned int len)
 {
+        struct tcp_sock *tp = tcp_sk(sk);
         struct tcp_repair_opt opt;
 
         while (len >= sizeof(opt)) {
@@ -2389,6 +2397,7 @@ static int tcp_repair_options_est(struct tcp_sock *tp,
                 switch (opt.opt_code) {
                 case TCPOPT_MSS:
                         tp->rx_opt.mss_clamp = opt.opt_val;
+                        tcp_mtup_init(sk);
                         break;
                 case TCPOPT_WINDOW:
                         {
@@ -2548,7 +2557,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
                 if (!tp->repair)
                         err = -EINVAL;
                 else if (sk->sk_state == TCP_ESTABLISHED)
-                        err = tcp_repair_options_est(tp,
+                        err = tcp_repair_options_est(sk,
                                         (struct tcp_repair_opt __user *)optval,
                                         optlen);
                 else
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index 6e3c512054a6..324c9bcc5456 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -180,6 +180,7 @@ void tcp_init_congestion_control(struct sock *sk)
 {
         const struct inet_connection_sock *icsk = inet_csk(sk);
 
+        tcp_sk(sk)->prior_ssthresh = 0;
         if (icsk->icsk_ca_ops->init)
                 icsk->icsk_ca_ops->init(sk);
         if (tcp_ca_needs_ecn(sk))
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 5a3ad09e2786..174d4376baa5 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1179,13 +1179,14 @@ static int tcp_match_skb_to_sack(struct sock *sk, struct sk_buff *skb,
                  */
                 if (pkt_len > mss) {
                         unsigned int new_len = (pkt_len / mss) * mss;
-                        if (!in_sack && new_len < pkt_len) {
+                        if (!in_sack && new_len < pkt_len)
                                 new_len += mss;
-                                if (new_len >= skb->len)
-                                        return 0;
-                        }
                         pkt_len = new_len;
                 }
+
+                if (pkt_len >= skb->len && !in_sack)
+                        return 0;
+
                 err = tcp_fragment(sk, skb, pkt_len, mss, GFP_ATOMIC);
                 if (err < 0)
                         return err;
@@ -3189,7 +3190,7 @@ static int tcp_clean_rtx_queue(struct sock *sk, int prior_fackets,
                         int delta;
 
                         /* Non-retransmitted hole got filled? That's reordering */
-                        if (reord < prior_fackets)
+                        if (reord < prior_fackets && reord <= tp->fackets_out)
                                 tcp_update_reordering(sk, tp->fackets_out - reord, 0);
 
                         delta = tcp_is_fack(tp) ? pkts_acked :
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index ea6e4cff9faf..1d6219bf2d6b 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1612,7 +1612,7 @@ static void udp_v4_rehash(struct sock *sk)
         udp_lib_rehash(sk, new_hash);
 }
 
-int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+static int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
         int rc;
 
@@ -1657,7 +1657,7 @@ EXPORT_SYMBOL(udp_encap_enable);
  * Note that in the success and error cases, the skb is assumed to
  * have either been requeued or freed.
  */
-int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+static int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
         struct udp_sock *up = udp_sk(sk);
         int is_udplite = IS_UDPLITE(sk);
diff --git a/net/ipv4/udp_impl.h b/net/ipv4/udp_impl.h
index feb50a16398d..a8cf8c6fb60c 100644
--- a/net/ipv4/udp_impl.h
+++ b/net/ipv4/udp_impl.h
@@ -25,7 +25,6 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
                 int flags, int *addr_len);
 int udp_sendpage(struct sock *sk, struct page *page, int offset, size_t size,
                  int flags);
-int __udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
 void udp_destroy_sock(struct sock *sk);
 
 #ifdef CONFIG_PROC_FS
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 8d297a79b568..6a4fb1e629fb 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1022,7 +1022,10 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr,
         INIT_HLIST_NODE(&ifa->addr_lst);
         ifa->scope = scope;
         ifa->prefix_len = pfxlen;
-        ifa->flags = flags | IFA_F_TENTATIVE;
+        ifa->flags = flags;
+        /* No need to add the TENTATIVE flag for addresses with NODAD */
+        if (!(flags & IFA_F_NODAD))
+                ifa->flags |= IFA_F_TENTATIVE;
         ifa->valid_lft = valid_lft;
         ifa->prefered_lft = prefered_lft;
         ifa->cstamp = ifa->tstamp = jiffies;
diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
index 37ac9de713c6..8d772fea1dde 100644
--- a/net/ipv6/calipso.c
+++ b/net/ipv6/calipso.c
@@ -1319,7 +1319,7 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
         struct ipv6hdr *ip6_hdr;
         struct ipv6_opt_hdr *hop;
         unsigned char buf[CALIPSO_MAX_BUFFER];
-        int len_delta, new_end, pad;
+        int len_delta, new_end, pad, payload;
         unsigned int start, end;
 
         ip6_hdr = ipv6_hdr(skb);
@@ -1346,6 +1346,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
         if (ret_val < 0)
                 return ret_val;
 
+        ip6_hdr = ipv6_hdr(skb); /* Reset as skb_cow() may have moved it */
+
         if (len_delta) {
                 if (len_delta > 0)
                         skb_push(skb, len_delta);
@@ -1355,6 +1357,8 @@ static int calipso_skbuff_setattr(struct sk_buff *skb,
                         sizeof(*ip6_hdr) + start);
                 skb_reset_network_header(skb);
                 ip6_hdr = ipv6_hdr(skb);
+                payload = ntohs(ip6_hdr->payload_len);
+                ip6_hdr->payload_len = htons(payload + len_delta);
         }
 
         hop = (struct ipv6_opt_hdr *)(ip6_hdr + 1);
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 8d128ba79b66..0c5b4caa1949 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -537,11 +537,10 @@ static inline int ip6gre_xmit_ipv4(struct sk_buff *skb, struct net_device *dev)
 
         memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6));
 
-        dsfield = ipv4_get_dsfield(iph);
-
         if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS)
-                fl6.flowlabel |= htonl((__u32)iph->tos << IPV6_TCLASS_SHIFT)
-                                          & IPV6_TCLASS_MASK;
+                dsfield = ipv4_get_dsfield(iph);
+        else
+                dsfield = ip6_tclass(t->parms.flowinfo);
         if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK)
                 fl6.flowi6_mark = skb->mark;
         else
@@ -598,9 +597,11 @@ static inline int ip6gre_xmit_ipv6(struct sk_buff *skb, struct net_device *dev)
 
         memcpy(&fl6, &t->fl.u.ip6, sizeof(fl6));
 
-        dsfield = ipv6_get_dsfield(ipv6h);
         if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS)
-                fl6.flowlabel |= (*(__be32 *) ipv6h & IPV6_TCLASS_MASK);
+                dsfield = ipv6_get_dsfield(ipv6h);
+        else
+                dsfield = ip6_tclass(t->parms.flowinfo);
+
         if (t->parms.flags & IP6_TNL_F_USE_ORIG_FLOWLABEL)
                 fl6.flowlabel |= ip6_flowlabel(ipv6h);
         if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK)
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
index 93e58a5e1837..cdb3728faca7 100644
--- a/net/ipv6/ip6_offload.c
+++ b/net/ipv6/ip6_offload.c
@@ -63,7 +63,6 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
         const struct net_offload *ops;
         int proto;
         struct frag_hdr *fptr;
-        unsigned int unfrag_ip6hlen;
         unsigned int payload_len;
         u8 *prevhdr;
         int offset = 0;
@@ -116,8 +115,12 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
                 skb->network_header = (u8 *)ipv6h - skb->head;
 
                 if (udpfrag) {
-                        unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-                        fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
+                        int err = ip6_find_1stfragopt(skb, &prevhdr);
+                        if (err < 0) {
+                                kfree_skb_list(segs);
+                                return ERR_PTR(err);
+                        }
+                        fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
                         fptr->frag_off = htons(offset);
                         if (skb->next)
                                 fptr->frag_off |= htons(IP6_MF);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 58f6288e9ba5..bf8a58a1c32d 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -597,7 +597,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
         int ptr, offset = 0, err = 0;
         u8 *prevhdr, nexthdr = 0;
 
-        hlen = ip6_find_1stfragopt(skb, &prevhdr);
+        err = ip6_find_1stfragopt(skb, &prevhdr);
+        if (err < 0)
+                goto fail;
+        hlen = err;
         nexthdr = *prevhdr;
 
         mtu = ip6_skb_dst_mtu(skb);
@@ -1463,6 +1466,11 @@ alloc_new_skb:
                          */
                         alloclen += sizeof(struct frag_hdr);
 
+                        copy = datalen - transhdrlen - fraggap;
+                        if (copy < 0) {
+                                err = -EINVAL;
+                                goto error;
+                        }
                         if (transhdrlen) {
                                 skb = sock_alloc_send_skb(sk,
                                                 alloclen + hh_len,
@@ -1512,13 +1520,9 @@ alloc_new_skb:
                                 data += fraggap;
                                 pskb_trim_unique(skb_prev, maxfraglen);
                         }
-                        copy = datalen - transhdrlen - fraggap;
-
-                        if (copy < 0) {
-                                err = -EINVAL;
-                                kfree_skb(skb);
-                                goto error;
-                        } else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
+                        if (copy > 0 &&
+                            getfrag(from, data + transhdrlen, offset,
+                                    copy, fraggap, skb) < 0) {
                                 err = -EFAULT;
                                 kfree_skb(skb);
                                 goto error;
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 6eb2ae507500..9b37f9747fc6 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1095,6 +1095,9 @@ int ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev, __u8 dsfield,
 
         if (!dst) {
 route_lookup:
+                /* add dsfield to flowlabel for route lookup */
+                fl6->flowlabel = ip6_make_flowinfo(dsfield, fl6->flowlabel);
+
                 dst = ip6_route_output(net, NULL, fl6);
 
                 if (dst->error)
@@ -1196,7 +1199,7 @@ route_lookup:
         skb_push(skb, sizeof(struct ipv6hdr));
         skb_reset_network_header(skb);
         ipv6h = ipv6_hdr(skb);
-        ip6_flow_hdr(ipv6h, INET_ECN_encapsulate(0, dsfield),
+        ip6_flow_hdr(ipv6h, dsfield,
                      ip6_make_flowlabel(net, skb, fl6->flowlabel, true, fl6));
         ipv6h->hop_limit = hop_limit;
         ipv6h->nexthdr = proto;
@@ -1231,8 +1234,6 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
         if (tproto != IPPROTO_IPIP && tproto != 0)
                 return -1;
 
-        dsfield = ipv4_get_dsfield(iph);
-
         if (t->parms.collect_md) {
                 struct ip_tunnel_info *tun_info;
                 const struct ip_tunnel_key *key;
@@ -1246,6 +1247,7 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
                 fl6.flowi6_proto = IPPROTO_IPIP;
                 fl6.daddr = key->u.ipv6.dst;
                 fl6.flowlabel = key->label;
+                dsfield = ip6_tclass(key->label);
         } else {
                 if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT))
                         encap_limit = t->parms.encap_limit;
@@ -1254,8 +1256,9 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
                 fl6.flowi6_proto = IPPROTO_IPIP;
 
                 if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS)
-                        fl6.flowlabel |= htonl((__u32)iph->tos << IPV6_TCLASS_SHIFT)
-                                         & IPV6_TCLASS_MASK;
+                        dsfield = ipv4_get_dsfield(iph);
+                else
+                        dsfield = ip6_tclass(t->parms.flowinfo);
                 if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK)
                         fl6.flowi6_mark = skb->mark;
                 else
@@ -1267,6 +1270,8 @@ ip4ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
         if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6))
                 return -1;
 
+        dsfield = INET_ECN_encapsulate(dsfield, ipv4_get_dsfield(iph));
+
         skb_set_inner_ipproto(skb, IPPROTO_IPIP);
 
         err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
@@ -1300,8 +1305,6 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
             ip6_tnl_addr_conflict(t, ipv6h))
                 return -1;
 
-        dsfield = ipv6_get_dsfield(ipv6h);
-
         if (t->parms.collect_md) {
                 struct ip_tunnel_info *tun_info;
                 const struct ip_tunnel_key *key;
@@ -1315,6 +1318,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
                 fl6.flowi6_proto = IPPROTO_IPV6;
                 fl6.daddr = key->u.ipv6.dst;
                 fl6.flowlabel = key->label;
+                dsfield = ip6_tclass(key->label);
         } else {
                 offset = ip6_tnl_parse_tlv_enc_lim(skb, skb_network_header(skb));
                 /* ip6_tnl_parse_tlv_enc_lim() might have reallocated skb->head */
@@ -1337,7 +1341,9 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
                 fl6.flowi6_proto = IPPROTO_IPV6;
 
                 if (t->parms.flags & IP6_TNL_F_USE_ORIG_TCLASS)
-                        fl6.flowlabel |= (*(__be32 *)ipv6h & IPV6_TCLASS_MASK);
+                        dsfield = ipv6_get_dsfield(ipv6h);
+                else
+                        dsfield = ip6_tclass(t->parms.flowinfo);
                 if (t->parms.flags & IP6_TNL_F_USE_ORIG_FLOWLABEL)
                         fl6.flowlabel |= ip6_flowlabel(ipv6h);
                 if (t->parms.flags & IP6_TNL_F_USE_ORIG_FWMARK)
@@ -1351,6 +1357,8 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
         if (iptunnel_handle_offloads(skb, SKB_GSO_IPXIP6))
                 return -1;
 
+        dsfield = INET_ECN_encapsulate(dsfield, ipv6_get_dsfield(ipv6h));
+
         skb_set_inner_ipproto(skb, IPPROTO_IPV6);
 
         err = ip6_tnl_xmit(skb, dev, dsfield, &fl6, encap_limit, &mtu,
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index cd4252346a32..e9065b8d3af8 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -79,14 +79,13 @@ EXPORT_SYMBOL(ipv6_select_ident);
 int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
 {
         u16 offset = sizeof(struct ipv6hdr);
-        struct ipv6_opt_hdr *exthdr =
-                                (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
         unsigned int packet_len = skb_tail_pointer(skb) -
                 skb_network_header(skb);
         int found_rhdr = 0;
         *nexthdr = &ipv6_hdr(skb)->nexthdr;
 
-        while (offset + 1 <= packet_len) {
+        while (offset <= packet_len) {
+                struct ipv6_opt_hdr *exthdr;
 
                 switch (**nexthdr) {
 
@@ -107,13 +106,16 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
                         return offset;
                 }
 
-                offset += ipv6_optlen(exthdr);
-                *nexthdr = &exthdr->nexthdr;
+                if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
+                        return -EINVAL;
+
                 exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
                                                  offset);
+                offset += ipv6_optlen(exthdr);
+                *nexthdr = &exthdr->nexthdr;
         }
 
-        return offset;
+        return -EINVAL;
 }
 EXPORT_SYMBOL(ip6_find_1stfragopt);
 
diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
index 9b522fa90e6d..ac826dd338ff 100644
--- a/net/ipv6/ping.c
+++ b/net/ipv6/ping.c
@@ -192,7 +192,7 @@ static struct inet_protosw pingv6_protosw = {
         .type =      SOCK_DGRAM,
         .protocol =  IPPROTO_ICMPV6,
         .prot =      &pingv6_prot,
-        .ops =       &inet6_dgram_ops,
+        .ops =       &inet6_sockraw_ops,
         .flags =     INET_PROTOSW_REUSE,
 };
 
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 1f992d9e261d..60be012fe708 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -1338,7 +1338,7 @@ void raw6_proc_exit(void)
 #endif  /* CONFIG_PROC_FS */
 
 /* Same as inet6_dgram_ops, sans udp_poll.  */
-static const struct proto_ops inet6_sockraw_ops = {
+const struct proto_ops inet6_sockraw_ops = {
         .family            = PF_INET6,
         .owner             = THIS_MODULE,
         .release           = inet6_release,
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 7a8237acd210..4f4310a36a04 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1062,6 +1062,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
                 newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
 #endif
 
+                newnp->ipv6_mc_list = NULL;
                 newnp->ipv6_ac_list = NULL;
                 newnp->ipv6_fl_list = NULL;
                 newnp->pktoptions  = NULL;
@@ -1131,6 +1132,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
            First: no IPv4 options.
          */
         newinet->inet_opt = NULL;
+        newnp->ipv6_mc_list = NULL;
         newnp->ipv6_ac_list = NULL;
         newnp->ipv6_fl_list = NULL;
 
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 04862abfe4ec..06ec39b79609 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -526,7 +526,7 @@ out:
         return;
 }
 
-int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+static int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
         int rc;
 
@@ -569,7 +569,7 @@ void udpv6_encap_enable(void)
 }
 EXPORT_SYMBOL(udpv6_encap_enable);
 
-int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
+static int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 {
         struct udp_sock *up = udp_sk(sk);
         int is_udplite = IS_UDPLITE(sk);
diff --git a/net/ipv6/udp_impl.h b/net/ipv6/udp_impl.h
index e78bdc76dcc3..f180b3d85e31 100644
--- a/net/ipv6/udp_impl.h
+++ b/net/ipv6/udp_impl.h
@@ -26,7 +26,6 @@ int compat_udpv6_getsockopt(struct sock *sk, int level, int optname,
 int udpv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len);
 int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
                   int flags, int *addr_len);
-int __udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb);
 void udpv6_destroy_sock(struct sock *sk);
 
 #ifdef CONFIG_PROC_FS
diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c
index ac858c480f2f..a2267f80febb 100644
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
         u8 frag_hdr_sz = sizeof(struct frag_hdr);
         __wsum csum;
         int tnl_hlen;
+        int err;
 
         mss = skb_shinfo(skb)->gso_size;
         if (unlikely(skb->len <= mss))
@@ -90,7 +91,10 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb,
                 /* Find the unfragmentable header and shift it left by frag_hdr_sz
                  * bytes to insert fragment header.
                  */
-                unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+                err = ip6_find_1stfragopt(skb, &prevhdr);
+                if (err < 0)
+                        return ERR_PTR(err);
+                unfrag_ip6hlen = err;
                 nexthdr = *prevhdr;
                 *prevhdr = NEXTHDR_FRAGMENT;
                 unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
diff --git a/net/ipv6/xfrm6_mode_ro.c b/net/ipv6/xfrm6_mode_ro.c
index 0e015906f9ca..07d36573f50b 100644
--- a/net/ipv6/xfrm6_mode_ro.c
+++ b/net/ipv6/xfrm6_mode_ro.c
@@ -47,6 +47,8 @@ static int xfrm6_ro_output(struct xfrm_state *x, struct sk_buff *skb)
         iph = ipv6_hdr(skb);
 
         hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
+        if (hdr_len < 0)
+                return hdr_len;
         skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
         skb_set_network_header(skb, -x->props.header_len);
         skb->transport_header = skb->network_header + hdr_len;
diff --git a/net/ipv6/xfrm6_mode_transport.c b/net/ipv6/xfrm6_mode_transport.c
index 7a92c0f31912..9ad07a91708e 100644
--- a/net/ipv6/xfrm6_mode_transport.c
+++ b/net/ipv6/xfrm6_mode_transport.c
@@ -30,6 +30,8 @@ static int xfrm6_transport_output(struct xfrm_state *x, struct sk_buff *skb)
         skb_set_inner_transport_header(skb, skb_transport_offset(skb));
 
         hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
+        if (hdr_len < 0)
+                return hdr_len;
         skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
         skb_set_network_header(skb, -x->props.header_len);
         skb->transport_header = skb->network_header + hdr_len;
diff --git a/net/key/af_key.c b/net/key/af_key.c
index c1950bb14735..512dc43d0ce6 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -3285,7 +3285,7 @@ static struct xfrm_policy *pfkey_compile_policy(struct sock *sk, int opt,
                 p += pol->sadb_x_policy_len*8;
                 sec_ctx = (struct sadb_x_sec_ctx *)p;
                 if (len < pol->sadb_x_policy_len*8 +
-                    sec_ctx->sadb_x_sec_len) {
+                    sec_ctx->sadb_x_sec_len*8) {
                         *dir = -EINVAL;
                         goto out;
                 }
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 8364fe5b59e4..c38d16f22d2a 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -311,6 +311,8 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen)
         int rc = -EINVAL;
 
         dprintk("%s: binding %02X\n", __func__, addr->sllc_sap);
+
+        lock_sock(sk);
         if (unlikely(!sock_flag(sk, SOCK_ZAPPED) || addrlen != sizeof(*addr)))
                 goto out;
         rc = -EAFNOSUPPORT;
@@ -382,6 +384,7 @@ static int llc_ui_bind(struct socket *sock, struct sockaddr *uaddr, int addrlen)
 out_put:
         llc_sap_put(sap);
 out:
+        release_sock(sk);
         return rc;
 }
 
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index 60e2a62f7bef..cf2392b2ac71 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -7,7 +7,7 @@
  * Copyright 2006-2007  Jiri Benc <jbenc@suse.cz>
  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
  * Copyright 2007-2010, Intel Corporation
- * Copyright(c) 2015 Intel Deutschland GmbH
+ * Copyright(c) 2015-2017 Intel Deutschland GmbH
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -741,46 +741,43 @@ static void ieee80211_agg_tx_operational(struct ieee80211_local *local,
         ieee80211_agg_start_txq(sta, tid, true);
 }
 
-void ieee80211_start_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u16 tid)
+void ieee80211_start_tx_ba_cb(struct sta_info *sta, int tid,
+                              struct tid_ampdu_tx *tid_tx)
 {
-        struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
+        struct ieee80211_sub_if_data *sdata = sta->sdata;
         struct ieee80211_local *local = sdata->local;
-        struct sta_info *sta;
-        struct tid_ampdu_tx *tid_tx;
 
-        trace_api_start_tx_ba_cb(sdata, ra, tid);
+        if (WARN_ON(test_and_set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state)))
+                return;
+
+        if (test_bit(HT_AGG_STATE_RESPONSE_RECEIVED, &tid_tx->state))
+                ieee80211_agg_tx_operational(local, sta, tid);
+}
+
+static struct tid_ampdu_tx *
+ieee80211_lookup_tid_tx(struct ieee80211_sub_if_data *sdata,
+                        const u8 *ra, u16 tid, struct sta_info **sta)
+{
+        struct tid_ampdu_tx *tid_tx;
 
         if (tid >= IEEE80211_NUM_TIDS) {
                 ht_dbg(sdata, "Bad TID value: tid = %d (>= %d)\n",
                        tid, IEEE80211_NUM_TIDS);
-                return;
+                return NULL;
         }
 
-        mutex_lock(&local->sta_mtx);
-        sta = sta_info_get_bss(sdata, ra);
-        if (!sta) {
-                mutex_unlock(&local->sta_mtx);
+        *sta = sta_info_get_bss(sdata, ra);
+        if (!*sta) {
                 ht_dbg(sdata, "Could not find station: %pM\n", ra);
-                return;
+                return NULL;
         }
 
-        mutex_lock(&sta->ampdu_mlme.mtx);
-        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
+        tid_tx = rcu_dereference((*sta)->ampdu_mlme.tid_tx[tid]);
 
-        if (WARN_ON(!tid_tx)) {
+        if (WARN_ON(!tid_tx))
                 ht_dbg(sdata, "addBA was not requested!\n");
-                goto unlock;
-        }
 
-        if (WARN_ON(test_and_set_bit(HT_AGG_STATE_DRV_READY, &tid_tx->state)))
-                goto unlock;
-
-        if (test_bit(HT_AGG_STATE_RESPONSE_RECEIVED, &tid_tx->state))
-                ieee80211_agg_tx_operational(local, sta, tid);
-
- unlock:
-        mutex_unlock(&sta->ampdu_mlme.mtx);
-        mutex_unlock(&local->sta_mtx);
+        return tid_tx;
 }
 
 void ieee80211_start_tx_ba_cb_irqsafe(struct ieee80211_vif *vif,
@@ -788,19 +785,20 @@ void ieee80211_start_tx_ba_cb_irqsafe(struct ieee80211_vif *vif,
 {
         struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
         struct ieee80211_local *local = sdata->local;
-        struct ieee80211_ra_tid *ra_tid;
-        struct sk_buff *skb = dev_alloc_skb(0);
+        struct sta_info *sta;
+        struct tid_ampdu_tx *tid_tx;
 
-        if (unlikely(!skb))
-                return;
+        trace_api_start_tx_ba_cb(sdata, ra, tid);
 
-        ra_tid = (struct ieee80211_ra_tid *) &skb->cb;
-        memcpy(&ra_tid->ra, ra, ETH_ALEN);
-        ra_tid->tid = tid;
+        rcu_read_lock();
+        tid_tx = ieee80211_lookup_tid_tx(sdata, ra, tid, &sta);
+        if (!tid_tx)
+                goto out;
 
-        skb->pkt_type = IEEE80211_SDATA_QUEUE_AGG_START;
-        skb_queue_tail(&sdata->skb_queue, skb);
-        ieee80211_queue_work(&local->hw, &sdata->work);
+        set_bit(HT_AGG_STATE_START_CB, &tid_tx->state);
+        ieee80211_queue_work(&local->hw, &sta->ampdu_mlme.work);
+ out:
+        rcu_read_unlock();
 }
 EXPORT_SYMBOL(ieee80211_start_tx_ba_cb_irqsafe);
 
@@ -860,37 +858,18 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid)
 }
 EXPORT_SYMBOL(ieee80211_stop_tx_ba_session);
 
-void ieee80211_stop_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u8 tid)
+void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid,
+                             struct tid_ampdu_tx *tid_tx)
 {
-        struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
-        struct ieee80211_local *local = sdata->local;
-        struct sta_info *sta;
-        struct tid_ampdu_tx *tid_tx;
+        struct ieee80211_sub_if_data *sdata = sta->sdata;
         bool send_delba = false;
 
-        trace_api_stop_tx_ba_cb(sdata, ra, tid);
-
-        if (tid >= IEEE80211_NUM_TIDS) {
-                ht_dbg(sdata, "Bad TID value: tid = %d (>= %d)\n",
-                       tid, IEEE80211_NUM_TIDS);
-                return;
-        }
-
-        ht_dbg(sdata, "Stopping Tx BA session for %pM tid %d\n", ra, tid);
-
-        mutex_lock(&local->sta_mtx);
-
-        sta = sta_info_get_bss(sdata, ra);
-        if (!sta) {
-                ht_dbg(sdata, "Could not find station: %pM\n", ra);
-                goto unlock;
-        }
+        ht_dbg(sdata, "Stopping Tx BA session for %pM tid %d\n",
+               sta->sta.addr, tid);
 
-        mutex_lock(&sta->ampdu_mlme.mtx);
         spin_lock_bh(&sta->lock);
-        tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
 
-        if (!tid_tx || !test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
+        if (!test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) {
                 ht_dbg(sdata,
                        "unexpected callback to A-MPDU stop for %pM tid %d\n",
                        sta->sta.addr, tid);
@@ -906,12 +885,8 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u8 tid)
         spin_unlock_bh(&sta->lock);
 
         if (send_delba)
-                ieee80211_send_delba(sdata, ra, tid,
+                ieee80211_send_delba(sdata, sta->sta.addr, tid,
                         WLAN_BACK_INITIATOR, WLAN_REASON_QSTA_NOT_USE);
-
-        mutex_unlock(&sta->ampdu_mlme.mtx);
- unlock:
-        mutex_unlock(&local->sta_mtx);
 }
 
 void ieee80211_stop_tx_ba_cb_irqsafe(struct ieee80211_vif *vif,
@@ -919,19 +894,20 @@ void ieee80211_stop_tx_ba_cb_irqsafe(struct ieee80211_vif *vif,
 {
         struct ieee80211_sub_if_data *sdata = vif_to_sdata(vif);
         struct ieee80211_local *local = sdata->local;
-        struct ieee80211_ra_tid *ra_tid;
-        struct sk_buff *skb = dev_alloc_skb(0);
+        struct sta_info *sta;
+        struct tid_ampdu_tx *tid_tx;
 
-        if (unlikely(!skb))
-                return;
+        trace_api_stop_tx_ba_cb(sdata, ra, tid);
 
-        ra_tid = (struct ieee80211_ra_tid *) &skb->cb;
-        memcpy(&ra_tid->ra, ra, ETH_ALEN);
-        ra_tid->tid = tid;
+        rcu_read_lock();
+        tid_tx = ieee80211_lookup_tid_tx(sdata, ra, tid, &sta);
+        if (!tid_tx)
+                goto out;
 
-        skb->pkt_type = IEEE80211_SDATA_QUEUE_AGG_STOP;
-        skb_queue_tail(&sdata->skb_queue, skb);
-        ieee80211_queue_work(&local->hw, &sdata->work);
+        set_bit(HT_AGG_STATE_STOP_CB, &tid_tx->state);
+        ieee80211_queue_work(&local->hw, &sta->ampdu_mlme.work);
+ out:
+        rcu_read_unlock();
 }
 EXPORT_SYMBOL(ieee80211_stop_tx_ba_cb_irqsafe);
 
diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
index f4a528773563..6ca5442b1e03 100644
--- a/net/mac80211/ht.c
+++ b/net/mac80211/ht.c
@@ -7,6 +7,7 @@
  * Copyright 2006-2007  Jiri Benc <jbenc@suse.cz>
  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
  * Copyright 2007-2010, Intel Corporation
+ * Copyright 2017       Intel Deutschland GmbH
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -289,8 +290,6 @@ void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
 {
         int i;
 
-        cancel_work_sync(&sta->ampdu_mlme.work);
-
         for (i = 0; i <  IEEE80211_NUM_TIDS; i++) {
                 __ieee80211_stop_tx_ba_session(sta, i, reason);
                 __ieee80211_stop_rx_ba_session(sta, i, WLAN_BACK_RECIPIENT,
@@ -298,6 +297,9 @@ void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
                                                reason != AGG_STOP_DESTROY_STA &&
                                                reason != AGG_STOP_PEER_REQUEST);
         }
+
+        /* stopping might queue the work again - so cancel only afterwards */
+        cancel_work_sync(&sta->ampdu_mlme.work);
 }
 
 void ieee80211_ba_session_work(struct work_struct *work)
@@ -352,10 +354,16 @@ void ieee80211_ba_session_work(struct work_struct *work)
                 spin_unlock_bh(&sta->lock);
 
                 tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
-                if (tid_tx && test_and_clear_bit(HT_AGG_STATE_WANT_STOP,
-                                                 &tid_tx->state))
+                if (!tid_tx)
+                        continue;
+
+                if (test_and_clear_bit(HT_AGG_STATE_START_CB, &tid_tx->state))
+                        ieee80211_start_tx_ba_cb(sta, tid, tid_tx);
+                if (test_and_clear_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state))
                         ___ieee80211_stop_tx_ba_session(sta, tid,
                                                         AGG_STOP_LOCAL_REQUEST);
+                if (test_and_clear_bit(HT_AGG_STATE_STOP_CB, &tid_tx->state))
+                        ieee80211_stop_tx_ba_cb(sta, tid, tid_tx);
         }
         mutex_unlock(&sta->ampdu_mlme.mtx);
 }
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index f8f6c148f554..665501ac358f 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1036,8 +1036,6 @@ struct ieee80211_rx_agg {
 
 enum sdata_queue_type {
         IEEE80211_SDATA_QUEUE_TYPE_FRAME        = 0,
-        IEEE80211_SDATA_QUEUE_AGG_START         = 1,
-        IEEE80211_SDATA_QUEUE_AGG_STOP          = 2,
         IEEE80211_SDATA_QUEUE_RX_AGG_START      = 3,
         IEEE80211_SDATA_QUEUE_RX_AGG_STOP       = 4,
 };
@@ -1427,12 +1425,6 @@ ieee80211_get_sband(struct ieee80211_sub_if_data *sdata)
         return local->hw.wiphy->bands[band];
 }
 
-/* this struct represents 802.11n's RA/TID combination */
-struct ieee80211_ra_tid {
-        u8 ra[ETH_ALEN];
-        u16 tid;
-};
-
 /* this struct holds the value parsing from channel switch IE  */
 struct ieee80211_csa_ie {
         struct cfg80211_chan_def chandef;
@@ -1794,8 +1786,10 @@ int __ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
                                    enum ieee80211_agg_stop_reason reason);
 int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
                                     enum ieee80211_agg_stop_reason reason);
-void ieee80211_start_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u16 tid);
-void ieee80211_stop_tx_ba_cb(struct ieee80211_vif *vif, u8 *ra, u8 tid);
+void ieee80211_start_tx_ba_cb(struct sta_info *sta, int tid,
+                              struct tid_ampdu_tx *tid_tx);
+void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid,
+                             struct tid_ampdu_tx *tid_tx);
 void ieee80211_ba_session_work(struct work_struct *work);
 void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid);
 void ieee80211_release_reorder_timeout(struct sta_info *sta, int tid);
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 3bd5b81f5d81..8fae1a72e6a7 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -1237,7 +1237,6 @@ static void ieee80211_iface_work(struct work_struct *work)
         struct ieee80211_local *local = sdata->local;
         struct sk_buff *skb;
         struct sta_info *sta;
-        struct ieee80211_ra_tid *ra_tid;
         struct ieee80211_rx_agg *rx_agg;
 
         if (!ieee80211_sdata_running(sdata))
@@ -1253,15 +1252,7 @@ static void ieee80211_iface_work(struct work_struct *work)
         while ((skb = skb_dequeue(&sdata->skb_queue))) {
                 struct ieee80211_mgmt *mgmt = (void *)skb->data;
 
-                if (skb->pkt_type == IEEE80211_SDATA_QUEUE_AGG_START) {
-                        ra_tid = (void *)&skb->cb;
-                        ieee80211_start_tx_ba_cb(&sdata->vif, ra_tid->ra,
-                                                 ra_tid->tid);
-                } else if (skb->pkt_type == IEEE80211_SDATA_QUEUE_AGG_STOP) {
-                        ra_tid = (void *)&skb->cb;
-                        ieee80211_stop_tx_ba_cb(&sdata->vif, ra_tid->ra,
-                                                ra_tid->tid);
-                } else if (skb->pkt_type == IEEE80211_SDATA_QUEUE_RX_AGG_START) {
+                if (skb->pkt_type == IEEE80211_SDATA_QUEUE_RX_AGG_START) {
                         rx_agg = (void *)&skb->cb;
                         mutex_lock(&local->sta_mtx);
                         sta = sta_info_get_bss(sdata, rx_agg->addr);
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 35f4c7d7a500..1f75280ba26c 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2492,7 +2492,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
                 if (is_multicast_ether_addr(hdr->addr1)) {
                         mpp_addr = hdr->addr3;
                         proxied_addr = mesh_hdr->eaddr1;
-                } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
+                } else if ((mesh_hdr->flags & MESH_FLAGS_AE) ==
+                            MESH_FLAGS_AE_A5_A6) {
                         /* has_a4 already checked in ieee80211_rx_mesh_check */
                         mpp_addr = hdr->addr4;
                         proxied_addr = mesh_hdr->eaddr2;
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 7cdf7a835bb0..403e3cc58b57 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -2155,7 +2155,7 @@ void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo)
                         struct ieee80211_sta_rx_stats *cpurxs;
 
                         cpurxs = per_cpu_ptr(sta->pcpu_rx_stats, cpu);
-                        sinfo->rx_packets += cpurxs->dropped;
+                        sinfo->rx_dropped_misc += cpurxs->dropped;
                 }
         }
 
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index 5609cacb20d5..ea0747d6a6da 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -116,6 +116,8 @@ enum ieee80211_sta_info_flags {
 #define HT_AGG_STATE_STOPPING           3
 #define HT_AGG_STATE_WANT_START         4
 #define HT_AGG_STATE_WANT_STOP          5
+#define HT_AGG_STATE_START_CB           6
+#define HT_AGG_STATE_STOP_CB            7
 
 enum ieee80211_agg_stop_reason {
         AGG_STOP_DECLINED,
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index 257ec66009da..7b05fd1497ce 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -1418,7 +1418,7 @@ static void mpls_ifup(struct net_device *dev, unsigned int flags)
                                 continue;
                         alive++;
                         nh_flags &= ~flags;
-                        WRITE_ONCE(nh->nh_flags, flags);
+                        WRITE_ONCE(nh->nh_flags, nh_flags);
                 } endfor_nexthops(rt);
 
                 WRITE_ONCE(rt->rt_nhn_alive, alive);
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index d2d7bdf1d510..ad99c1ceea6f 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -849,10 +849,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
 {
         unsigned int verdict = NF_DROP;
 
-        if (IP_VS_FWD_METHOD(cp) != 0) {
-                pr_err("shouldn't reach here, because the box is on the "
-                       "half connection in the tun/dr module.\n");
-        }
+        if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
+                goto ignore_cp;
 
         /* Ensure the checksum is correct */
         if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
@@ -886,6 +884,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
                 ip_vs_notrack(skb);
         else
                 ip_vs_update_conntrack(skb, cp, 0);
+
+ignore_cp:
         verdict = NF_ACCEPT;
 
 out:
@@ -1385,8 +1385,11 @@ ip_vs_out(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, in
          */
         cp = pp->conn_out_get(ipvs, af, skb, &iph);
 
-        if (likely(cp))
+        if (likely(cp)) {
+                if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
+                        goto ignore_cp;
                 return handle_response(af, skb, pd, cp, &iph, hooknum);
+        }
 
         /* Check for real-server-started requests */
         if (atomic_read(&ipvs->conn_out_counter)) {
@@ -1444,9 +1447,15 @@ ip_vs_out(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, in
                         }
                 }
         }
+
+out:
         IP_VS_DBG_PKT(12, af, pp, skb, iph.off,
                       "ip_vs_out: packet continues traversal as normal");
         return NF_ACCEPT;
+
+ignore_cp:
+        __ip_vs_conn_put(cp);
+        goto out;
 }
 
 /*
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 3a60efa7799b..7f6100ca63be 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -174,6 +174,10 @@ nf_conntrack_helper_try_module_get(const char *name, u16 l3num, u8 protonum)
 #endif
         if (h != NULL && !try_module_get(h->me))
                 h = NULL;
+        if (h != NULL && !refcount_inc_not_zero(&h->refcnt)) {
+                module_put(h->me);
+                h = NULL;
+        }
 
         rcu_read_unlock();
 
@@ -181,6 +185,13 @@ nf_conntrack_helper_try_module_get(const char *name, u16 l3num, u8 protonum)
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_helper_try_module_get);
 
+void nf_conntrack_helper_put(struct nf_conntrack_helper *helper)
+{
+        refcount_dec(&helper->refcnt);
+        module_put(helper->me);
+}
+EXPORT_SYMBOL_GPL(nf_conntrack_helper_put);
+
 struct nf_conn_help *
 nf_ct_helper_ext_add(struct nf_conn *ct,
                      struct nf_conntrack_helper *helper, gfp_t gfp)
@@ -417,6 +428,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
                         }
                 }
         }
+        refcount_set(&me->refcnt, 1);
         hlist_add_head_rcu(&me->hnode, &nf_ct_helper_hash[h]);
         nf_ct_helper_count++;
 out:
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index dcf561b5c97a..a8be9b72e6cd 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -45,6 +45,8 @@
 #include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/nf_conntrack_timestamp.h>
 #include <net/netfilter/nf_conntrack_labels.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
+#include <net/netfilter/nf_conntrack_synproxy.h>
 #ifdef CONFIG_NF_NAT_NEEDED
 #include <net/netfilter/nf_nat_core.h>
 #include <net/netfilter/nf_nat_l4proto.h>
@@ -888,8 +890,13 @@ restart:
         }
 out:
         local_bh_enable();
-        if (last)
+        if (last) {
+                /* nf ct hash resize happened, now clear the leftover. */
+                if ((struct nf_conn *)cb->args[1] == last)
+                        cb->args[1] = 0;
+
                 nf_ct_put(last);
+        }
 
         while (i) {
                 i--;
@@ -1007,9 +1014,8 @@ static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
 
 static int
 ctnetlink_parse_tuple(const struct nlattr * const cda[],
-                      struct nf_conntrack_tuple *tuple,
-                      enum ctattr_type type, u_int8_t l3num,
-                      struct nf_conntrack_zone *zone)
+                      struct nf_conntrack_tuple *tuple, u32 type,
+                      u_int8_t l3num, struct nf_conntrack_zone *zone)
 {
         struct nlattr *tb[CTA_TUPLE_MAX+1];
         int err;
@@ -1828,6 +1834,8 @@ ctnetlink_create_conntrack(struct net *net,
         nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
         nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
         nf_ct_labels_ext_add(ct);
+        nfct_seqadj_ext_add(ct);
+        nfct_synproxy_ext_add(ct);
 
         /* we must add conntrack extensions before confirmation. */
         ct->status |= IPS_CONFIRMED;
@@ -2447,7 +2455,7 @@ static struct nfnl_ct_hook ctnetlink_glue_hook = {
 
 static int ctnetlink_exp_dump_tuple(struct sk_buff *skb,
                                     const struct nf_conntrack_tuple *tuple,
-                                    enum ctattr_expect type)
+                                    u32 type)
 {
         struct nlattr *nest_parms;
 
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 13875d599a85..1c5b14a6cab3 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -512,16 +512,19 @@ static int sctp_error(struct net *net, struct nf_conn *tpl, struct sk_buff *skb,
                       u8 pf, unsigned int hooknum)
 {
         const struct sctphdr *sh;
-        struct sctphdr _sctph;
         const char *logmsg;
 
-        sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
-        if (!sh) {
+        if (skb->len < dataoff + sizeof(struct sctphdr)) {
                 logmsg = "nf_ct_sctp: short packet ";
                 goto out_invalid;
         }
         if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
             skb->ip_summed == CHECKSUM_NONE) {
+                if (!skb_make_writable(skb, dataoff + sizeof(struct sctphdr))) {
+                        logmsg = "nf_ct_sctp: failed to read header ";
+                        goto out_invalid;
+                }
+                sh = (const struct sctphdr *)(skb->data + dataoff);
                 if (sh->checksum != sctp_compute_cksum(skb, dataoff)) {
                         logmsg = "nf_ct_sctp: bad CRC ";
                         goto out_invalid;
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index b48d6b5aae8a..6c72922d20ca 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -409,6 +409,10 @@ nf_nat_setup_info(struct nf_conn *ct,
 {
         struct nf_conntrack_tuple curr_tuple, new_tuple;
 
+        /* Can't setup nat info for confirmed ct. */
+        if (nf_ct_is_confirmed(ct))
+                return NF_ACCEPT;
+
         NF_CT_ASSERT(maniptype == NF_NAT_MANIP_SRC ||
                      maniptype == NF_NAT_MANIP_DST);
         BUG_ON(nf_nat_initialized(ct, maniptype));
@@ -562,7 +566,7 @@ static int nf_nat_proto_clean(struct nf_conn *ct, void *data)
          * Else, when the conntrack is destoyed, nf_nat_cleanup_conntrack()
          * will delete entry from already-freed table.
          */
-        ct->status &= ~IPS_NAT_DONE_MASK;
+        clear_bit(IPS_SRC_NAT_DONE_BIT, &ct->status);
         rhltable_remove(&nf_nat_bysource_table, &ct->nat_bysource,
                         nf_nat_bysource_params);
 
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 559225029740..da314be0c048 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3367,35 +3367,50 @@ static int nf_tables_dump_setelem(const struct nft_ctx *ctx,
         return nf_tables_fill_setelem(args->skb, set, elem);
 }
 
+struct nft_set_dump_ctx {
+        const struct nft_set    *set;
+        struct nft_ctx          ctx;
+};
+
 static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
 {
+        struct nft_set_dump_ctx *dump_ctx = cb->data;
         struct net *net = sock_net(skb->sk);
-        u8 genmask = nft_genmask_cur(net);
+        struct nft_af_info *afi;
+        struct nft_table *table;
         struct nft_set *set;
         struct nft_set_dump_args args;
-        struct nft_ctx ctx;
-        struct nlattr *nla[NFTA_SET_ELEM_LIST_MAX + 1];
+        bool set_found = false;
         struct nfgenmsg *nfmsg;
         struct nlmsghdr *nlh;
         struct nlattr *nest;
         u32 portid, seq;
-        int event, err;
+        int event;
 
-        err = nlmsg_parse(cb->nlh, sizeof(struct nfgenmsg), nla,
-                          NFTA_SET_ELEM_LIST_MAX, nft_set_elem_list_policy,
-                          NULL);
-        if (err < 0)
-                return err;
+        rcu_read_lock();
+        list_for_each_entry_rcu(afi, &net->nft.af_info, list) {
+                if (afi != dump_ctx->ctx.afi)
+                        continue;
 
-        err = nft_ctx_init_from_elemattr(&ctx, net, cb->skb, cb->nlh,
-                                         (void *)nla, genmask);
-        if (err < 0)
-                return err;
+                list_for_each_entry_rcu(table, &afi->tables, list) {
+                        if (table != dump_ctx->ctx.table)
+                                continue;
 
-        set = nf_tables_set_lookup(ctx.table, nla[NFTA_SET_ELEM_LIST_SET],
-                                   genmask);
-        if (IS_ERR(set))
-                return PTR_ERR(set);
+                        list_for_each_entry_rcu(set, &table->sets, list) {
+                                if (set == dump_ctx->set) {
+                                        set_found = true;
+                                        break;
+                                }
+                        }
+                        break;
+                }
+                break;
+        }
+
+        if (!set_found) {
+                rcu_read_unlock();
+                return -ENOENT;
+        }
 
         event  = nfnl_msg_type(NFNL_SUBSYS_NFTABLES, NFT_MSG_NEWSETELEM);
         portid = NETLINK_CB(cb->skb).portid;
@@ -3407,11 +3422,11 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
                 goto nla_put_failure;
 
         nfmsg = nlmsg_data(nlh);
-        nfmsg->nfgen_family = ctx.afi->family;
+        nfmsg->nfgen_family = afi->family;
         nfmsg->version      = NFNETLINK_V0;
-        nfmsg->res_id       = htons(ctx.net->nft.base_seq & 0xffff);
+        nfmsg->res_id       = htons(net->nft.base_seq & 0xffff);
 
-        if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, ctx.table->name))
+        if (nla_put_string(skb, NFTA_SET_ELEM_LIST_TABLE, table->name))
                 goto nla_put_failure;
         if (nla_put_string(skb, NFTA_SET_ELEM_LIST_SET, set->name))
                 goto nla_put_failure;
@@ -3422,12 +3437,13 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
 
         args.cb                 = cb;
         args.skb                = skb;
-        args.iter.genmask       = nft_genmask_cur(ctx.net);
+        args.iter.genmask       = nft_genmask_cur(net);
         args.iter.skip          = cb->args[0];
         args.iter.count         = 0;
         args.iter.err           = 0;
         args.iter.fn            = nf_tables_dump_setelem;
-        set->ops->walk(&ctx, set, &args.iter);
+        set->ops->walk(&dump_ctx->ctx, set, &args.iter);
+        rcu_read_unlock();
 
         nla_nest_end(skb, nest);
         nlmsg_end(skb, nlh);
@@ -3441,9 +3457,16 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
         return skb->len;
 
 nla_put_failure:
+        rcu_read_unlock();
         return -ENOSPC;
 }
 
+static int nf_tables_dump_set_done(struct netlink_callback *cb)
+{
+        kfree(cb->data);
+        return 0;
+}
+
 static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
                                 struct sk_buff *skb, const struct nlmsghdr *nlh,
                                 const struct nlattr * const nla[])
@@ -3465,7 +3488,18 @@ static int nf_tables_getsetelem(struct net *net, struct sock *nlsk,
         if (nlh->nlmsg_flags & NLM_F_DUMP) {
                 struct netlink_dump_control c = {
                         .dump = nf_tables_dump_set,
+                        .done = nf_tables_dump_set_done,
                 };
+                struct nft_set_dump_ctx *dump_ctx;
+
+                dump_ctx = kmalloc(sizeof(*dump_ctx), GFP_KERNEL);
+                if (!dump_ctx)
+                        return -ENOMEM;
+
+                dump_ctx->set = set;
+                dump_ctx->ctx = ctx;
+
+                c.data = dump_ctx;
                 return netlink_dump_start(nlsk, skb, nlh, &c);
         }
         return -EOPNOTSUPP;
@@ -3593,9 +3627,9 @@ void nft_set_elem_destroy(const struct nft_set *set, void *elem,
 {
         struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
 
-        nft_data_uninit(nft_set_ext_key(ext), NFT_DATA_VALUE);
+        nft_data_release(nft_set_ext_key(ext), NFT_DATA_VALUE);
         if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
-                nft_data_uninit(nft_set_ext_data(ext), set->dtype);
+                nft_data_release(nft_set_ext_data(ext), set->dtype);
         if (destroy_expr && nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
                 nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
         if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
@@ -3604,6 +3638,18 @@ void nft_set_elem_destroy(const struct nft_set *set, void *elem,
 }
 EXPORT_SYMBOL_GPL(nft_set_elem_destroy);
 
+/* Only called from commit path, nft_set_elem_deactivate() already deals with
+ * the refcounting from the preparation phase.
+ */
+static void nf_tables_set_elem_destroy(const struct nft_set *set, void *elem)
+{
+        struct nft_set_ext *ext = nft_set_elem_ext(set, elem);
+
+        if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPR))
+                nf_tables_expr_destroy(NULL, nft_set_ext_expr(ext));
+        kfree(elem);
+}
+
 static int nft_setelem_parse_flags(const struct nft_set *set,
                                    const struct nlattr *attr, u32 *flags)
 {
@@ -3815,9 +3861,9 @@ err4:
         kfree(elem.priv);
 err3:
         if (nla[NFTA_SET_ELEM_DATA] != NULL)
-                nft_data_uninit(&data, d2.type);
+                nft_data_release(&data, d2.type);
 err2:
-        nft_data_uninit(&elem.key.val, d1.type);
+        nft_data_release(&elem.key.val, d1.type);
 err1:
         return err;
 }
@@ -3862,6 +3908,53 @@ static int nf_tables_newsetelem(struct net *net, struct sock *nlsk,
         return err;
 }
 
+/**
+ *      nft_data_hold - hold a nft_data item
+ *
+ *      @data: struct nft_data to release
+ *      @type: type of data
+ *
+ *      Hold a nft_data item. NFT_DATA_VALUE types can be silently discarded,
+ *      NFT_DATA_VERDICT bumps the reference to chains in case of NFT_JUMP and
+ *      NFT_GOTO verdicts. This function must be called on active data objects
+ *      from the second phase of the commit protocol.
+ */
+static void nft_data_hold(const struct nft_data *data, enum nft_data_types type)
+{
+        if (type == NFT_DATA_VERDICT) {
+                switch (data->verdict.code) {
+                case NFT_JUMP:
+                case NFT_GOTO:
+                        data->verdict.chain->use++;
+                        break;
+                }
+        }
+}
+
+static void nft_set_elem_activate(const struct net *net,
+                                  const struct nft_set *set,
+                                  struct nft_set_elem *elem)
+{
+        const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+        if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
+                nft_data_hold(nft_set_ext_data(ext), set->dtype);
+        if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
+                (*nft_set_ext_obj(ext))->use++;
+}
+
+static void nft_set_elem_deactivate(const struct net *net,
+                                    const struct nft_set *set,
+                                    struct nft_set_elem *elem)
+{
+        const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+        if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
+                nft_data_release(nft_set_ext_data(ext), set->dtype);
+        if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF))
+                (*nft_set_ext_obj(ext))->use--;
+}
+
 static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
                            const struct nlattr *attr)
 {
@@ -3927,6 +4020,8 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
         kfree(elem.priv);
         elem.priv = priv;
 
+        nft_set_elem_deactivate(ctx->net, set, &elem);
+
         nft_trans_elem(trans) = elem;
         list_add_tail(&trans->list, &ctx->net->nft.commit_list);
         return 0;
@@ -3936,7 +4031,7 @@ err4:
 err3:
         kfree(elem.priv);
 err2:
-        nft_data_uninit(&elem.key.val, desc.type);
+        nft_data_release(&elem.key.val, desc.type);
 err1:
         return err;
 }
@@ -4743,8 +4838,8 @@ static void nf_tables_commit_release(struct nft_trans *trans)
                 nft_set_destroy(nft_trans_set(trans));
                 break;
         case NFT_MSG_DELSETELEM:
-                nft_set_elem_destroy(nft_trans_elem_set(trans),
-                                     nft_trans_elem(trans).priv, true);
+                nf_tables_set_elem_destroy(nft_trans_elem_set(trans),
+                                           nft_trans_elem(trans).priv);
                 break;
         case NFT_MSG_DELOBJ:
                 nft_obj_destroy(nft_trans_obj(trans));
@@ -4979,6 +5074,7 @@ static int nf_tables_abort(struct net *net, struct sk_buff *skb)
                 case NFT_MSG_DELSETELEM:
                         te = (struct nft_trans_elem *)trans->data;
 
+                        nft_set_elem_activate(net, te->set, &te->elem);
                         te->set->ops->activate(net, te->set, &te->elem);
                         te->set->ndeact--;
 
@@ -5464,7 +5560,7 @@ int nft_data_init(const struct nft_ctx *ctx,
 EXPORT_SYMBOL_GPL(nft_data_init);
 
 /**
- *      nft_data_uninit - release a nft_data item
+ *      nft_data_release - release a nft_data item
  *
  *      @data: struct nft_data to release
  *      @type: type of data
@@ -5472,7 +5568,7 @@ EXPORT_SYMBOL_GPL(nft_data_init);
  *      Release a nft_data item. NFT_DATA_VALUE types can be silently discarded,
  *      all others need to be released by calling this function.
  */
-void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
+void nft_data_release(const struct nft_data *data, enum nft_data_types type)
 {
         if (type < NFT_DATA_VERDICT)
                 return;
@@ -5483,7 +5579,7 @@ void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
                 WARN_ON(1);
         }
 }
-EXPORT_SYMBOL_GPL(nft_data_uninit);
+EXPORT_SYMBOL_GPL(nft_data_release);
 
 int nft_data_dump(struct sk_buff *skb, int attr, const struct nft_data *data,
                   enum nft_data_types type, unsigned int len)
diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 950bf6eadc65..be678a323598 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -686,6 +686,7 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
                 tuple_set = true;
         }
 
+        ret = -ENOENT;
         list_for_each_entry_safe(nlcth, n, &nfnl_cthelper_list, list) {
                 cur = &nlcth->helper;
                 j++;
@@ -699,16 +700,20 @@ static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
                      tuple.dst.protonum != cur->tuple.dst.protonum))
                         continue;
 
-                found = true;
-                nf_conntrack_helper_unregister(cur);
-                kfree(cur->expect_policy);
+                if (refcount_dec_if_one(&cur->refcnt)) {
+                        found = true;
+                        nf_conntrack_helper_unregister(cur);
+                        kfree(cur->expect_policy);
 
-                list_del(&nlcth->list);
-                kfree(nlcth);
+                        list_del(&nlcth->list);
+                        kfree(nlcth);
+                } else {
+                        ret = -EBUSY;
+                }
         }
 
         /* Make sure we return success if we flush and there is no helpers */
-        return (found || j == 0) ? 0 : -ENOENT;
+        return (found || j == 0) ? 0 : ret;
 }
 
 static const struct nla_policy nfnl_cthelper_policy[NFCTH_MAX+1] = {
diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c
index 877d9acd91ef..fff8073e2a56 100644
--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -83,17 +83,26 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,
                             tb[NFTA_BITWISE_MASK]);
         if (err < 0)
                 return err;
-        if (d1.len != priv->len)
-                return -EINVAL;
+        if (d1.len != priv->len) {
+                err = -EINVAL;
+                goto err1;
+        }
 
         err = nft_data_init(NULL, &priv->xor, sizeof(priv->xor), &d2,
                             tb[NFTA_BITWISE_XOR]);
         if (err < 0)
-                return err;
-        if (d2.len != priv->len)
-                return -EINVAL;
+                goto err1;
+        if (d2.len != priv->len) {
+                err = -EINVAL;
+                goto err2;
+        }
 
         return 0;
+err2:
+        nft_data_release(&priv->xor, d2.type);
+err1:
+        nft_data_release(&priv->mask, d1.type);
+        return err;
 }
 
 static int nft_bitwise_dump(struct sk_buff *skb, const struct nft_expr *expr)
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index 2b96effeadc1..c2945eb3397c 100644
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -201,10 +201,18 @@ nft_cmp_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[])
         if (err < 0)
                 return ERR_PTR(err);
 
+        if (desc.type != NFT_DATA_VALUE) {
+                err = -EINVAL;
+                goto err1;
+        }
+
         if (desc.len <= sizeof(u32) && op == NFT_CMP_EQ)
                 return &nft_cmp_fast_ops;
-        else
-                return &nft_cmp_ops;
+
+        return &nft_cmp_ops;
+err1:
+        nft_data_release(&data, desc.type);
+        return ERR_PTR(-EINVAL);
 }
 
 struct nft_expr_type nft_cmp_type __read_mostly = {
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index a34ceb38fc55..1678e9e75e8e 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -826,9 +826,9 @@ static void nft_ct_helper_obj_destroy(struct nft_object *obj)
         struct nft_ct_helper_obj *priv = nft_obj_data(obj);
 
         if (priv->helper4)
-                module_put(priv->helper4->me);
+                nf_conntrack_helper_put(priv->helper4);
         if (priv->helper6)
-                module_put(priv->helper6->me);
+                nf_conntrack_helper_put(priv->helper6);
 }
 
 static void nft_ct_helper_obj_eval(struct nft_object *obj,
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index 728baf88295a..4717d7796927 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -65,7 +65,7 @@ static int nft_immediate_init(const struct nft_ctx *ctx,
         return 0;
 
 err1:
-        nft_data_uninit(&priv->data, desc.type);
+        nft_data_release(&priv->data, desc.type);
         return err;
 }
 
@@ -73,7 +73,8 @@ static void nft_immediate_destroy(const struct nft_ctx *ctx,
                                   const struct nft_expr *expr)
 {
         const struct nft_immediate_expr *priv = nft_expr_priv(expr);
-        return nft_data_uninit(&priv->data, nft_dreg_to_type(priv->dreg));
+
+        return nft_data_release(&priv->data, nft_dreg_to_type(priv->dreg));
 }
 
 static int nft_immediate_dump(struct sk_buff *skb, const struct nft_expr *expr)
diff --git a/net/netfilter/nft_range.c b/net/netfilter/nft_range.c
index 9edc74eedc10..cedb96c3619f 100644
--- a/net/netfilter/nft_range.c
+++ b/net/netfilter/nft_range.c
@@ -102,9 +102,9 @@ static int nft_range_init(const struct nft_ctx *ctx, const struct nft_expr *expr
         priv->len = desc_from.len;
         return 0;
 err2:
-        nft_data_uninit(&priv->data_to, desc_to.type);
+        nft_data_release(&priv->data_to, desc_to.type);
 err1:
-        nft_data_uninit(&priv->data_from, desc_from.type);
+        nft_data_release(&priv->data_from, desc_from.type);
         return err;
 }
 
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index 8ec086b6b56b..3d3a6df4ce70 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -222,7 +222,7 @@ static void nft_hash_walk(const struct nft_ctx *ctx, struct nft_set *set,
         struct nft_set_elem elem;
         int err;
 
-        err = rhashtable_walk_init(&priv->ht, &hti, GFP_KERNEL);
+        err = rhashtable_walk_init(&priv->ht, &hti, GFP_ATOMIC);
         iter->err = err;
         if (err)
                 return;
diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
index e97e2fb53f0a..fbdbaa00dd5f 100644
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -116,17 +116,17 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
                 else if (d > 0)
                         p = &parent->rb_right;
                 else {
-                        if (nft_set_elem_active(&rbe->ext, genmask)) {
-                                if (nft_rbtree_interval_end(rbe) &&
-                                    !nft_rbtree_interval_end(new))
-                                        p = &parent->rb_left;
-                                else if (!nft_rbtree_interval_end(rbe) &&
-                                         nft_rbtree_interval_end(new))
-                                        p = &parent->rb_right;
-                                else {
-                                        *ext = &rbe->ext;
-                                        return -EEXIST;
-                                }
+                        if (nft_rbtree_interval_end(rbe) &&
+                            !nft_rbtree_interval_end(new)) {
+                                p = &parent->rb_left;
+                        } else if (!nft_rbtree_interval_end(rbe) &&
+                                   nft_rbtree_interval_end(new)) {
+                                p = &parent->rb_right;
+                        } else if (nft_set_elem_active(&rbe->ext, genmask)) {
+                                *ext = &rbe->ext;
+                                return -EEXIST;
+                        } else {
+                                p = &parent->rb_left;
                         }
                 }
         }
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 8876b7da6884..1770c1d9b37f 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -283,28 +283,30 @@ static int xt_obj_to_user(u16 __user *psize, u16 size,
                        &U->u.user.revision, K->u.kernel.TYPE->revision)
 
 int xt_data_to_user(void __user *dst, const void *src,
-                    int usersize, int size)
+                    int usersize, int size, int aligned_size)
 {
         usersize = usersize ? : size;
         if (copy_to_user(dst, src, usersize))
                 return -EFAULT;
-        if (usersize != size && clear_user(dst + usersize, size - usersize))
+        if (usersize != aligned_size &&
+            clear_user(dst + usersize, aligned_size - usersize))
                 return -EFAULT;
 
         return 0;
 }
 EXPORT_SYMBOL_GPL(xt_data_to_user);
 
-#define XT_DATA_TO_USER(U, K, TYPE, C_SIZE)                             \
+#define XT_DATA_TO_USER(U, K, TYPE)                                     \
         xt_data_to_user(U->data, K->data,                               \
                         K->u.kernel.TYPE->usersize,                     \
-                        C_SIZE ? : K->u.kernel.TYPE->TYPE##size)
+                        K->u.kernel.TYPE->TYPE##size,                   \
+                        XT_ALIGN(K->u.kernel.TYPE->TYPE##size))
 
 int xt_match_to_user(const struct xt_entry_match *m,
                      struct xt_entry_match __user *u)
 {
         return XT_OBJ_TO_USER(u, m, match, 0) ||
-               XT_DATA_TO_USER(u, m, match, 0);
+               XT_DATA_TO_USER(u, m, match);
 }
 EXPORT_SYMBOL_GPL(xt_match_to_user);
 
@@ -312,7 +314,7 @@ int xt_target_to_user(const struct xt_entry_target *t,
                       struct xt_entry_target __user *u)
 {
         return XT_OBJ_TO_USER(u, t, target, 0) ||
-               XT_DATA_TO_USER(u, t, target, 0);
+               XT_DATA_TO_USER(u, t, target);
 }
 EXPORT_SYMBOL_GPL(xt_target_to_user);
 
@@ -611,6 +613,12 @@ void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
 }
 EXPORT_SYMBOL_GPL(xt_compat_match_from_user);
 
+#define COMPAT_XT_DATA_TO_USER(U, K, TYPE, C_SIZE)                      \
+        xt_data_to_user(U->data, K->data,                               \
+                        K->u.kernel.TYPE->usersize,                     \
+                        C_SIZE,                                         \
+                        COMPAT_XT_ALIGN(C_SIZE))
+
 int xt_compat_match_to_user(const struct xt_entry_match *m,
                             void __user **dstptr, unsigned int *size)
 {
@@ -626,7 +634,7 @@ int xt_compat_match_to_user(const struct xt_entry_match *m,
                 if (match->compat_to_user((void __user *)cm->data, m->data))
                         return -EFAULT;
         } else {
-                if (XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
+                if (COMPAT_XT_DATA_TO_USER(cm, m, match, msize - sizeof(*cm)))
                         return -EFAULT;
         }
 
@@ -972,7 +980,7 @@ int xt_compat_target_to_user(const struct xt_entry_target *t,
                 if (target->compat_to_user((void __user *)ct->data, t->data))
                         return -EFAULT;
         } else {
-                if (XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
+                if (COMPAT_XT_DATA_TO_USER(ct, t, target, tsize - sizeof(*ct)))
                         return -EFAULT;
         }
 
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index bb7ad82dcd56..623ef37de886 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -96,7 +96,7 @@ xt_ct_set_helper(struct nf_conn *ct, const char *helper_name,
 
         help = nf_ct_helper_ext_add(ct, helper, GFP_KERNEL);
         if (help == NULL) {
-                module_put(helper->me);
+                nf_conntrack_helper_put(helper);
                 return -ENOMEM;
         }
 
@@ -263,7 +263,7 @@ out:
 err4:
         help = nfct_help(ct);
         if (help)
-                module_put(help->helper->me);
+                nf_conntrack_helper_put(help->helper);
 err3:
         nf_ct_tmpl_free(ct);
 err2:
@@ -346,7 +346,7 @@ static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
         if (ct) {
                 help = nfct_help(ct);
                 if (help)
-                        module_put(help->helper->me);
+                        nf_conntrack_helper_put(help->helper);
 
                 nf_ct_netns_put(par->net, par->family);
 
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index ee841f00a6ec..7586d446d7dc 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -62,6 +62,7 @@
 #include <asm/cacheflush.h>
 #include <linux/hash.h>
 #include <linux/genetlink.h>
+#include <linux/net_namespace.h>
 
 #include <net/net_namespace.h>
 #include <net/sock.h>
@@ -1415,7 +1416,8 @@ static void do_one_broadcast(struct sock *sk,
                 goto out;
         }
         NETLINK_CB(p->skb2).nsid = peernet2id(sock_net(sk), p->net);
-        NETLINK_CB(p->skb2).nsid_is_set = true;
+        if (NETLINK_CB(p->skb2).nsid != NETNSA_NSID_NOT_ASSIGNED)
+                NETLINK_CB(p->skb2).nsid_is_set = true;
         val = netlink_broadcast_deliver(sk, p->skb2);
         if (val < 0) {
                 netlink_overrun(sk);
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index bf602e33c40a..08679ebb3068 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -1123,7 +1123,7 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name,
 
         help = nf_ct_helper_ext_add(info->ct, helper, GFP_KERNEL);
         if (!help) {
-                module_put(helper->me);
+                nf_conntrack_helper_put(helper);
                 return -ENOMEM;
         }
 
@@ -1584,7 +1584,7 @@ void ovs_ct_free_action(const struct nlattr *a)
 static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info)
 {
         if (ct_info->helper)
-                module_put(ct_info->helper->me);
+                nf_conntrack_helper_put(ct_info->helper);
         if (ct_info->ct)
                 nf_ct_tmpl_free(ct_info->ct);
 }
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index f4001763134d..e3eeed19cc7a 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2658,13 +2658,6 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
                 dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
         }
 
-        sockc.tsflags = po->sk.sk_tsflags;
-        if (msg->msg_controllen) {
-                err = sock_cmsg_send(&po->sk, msg, &sockc);
-                if (unlikely(err))
-                        goto out;
-        }
-
         err = -ENXIO;
         if (unlikely(dev == NULL))
                 goto out;
@@ -2672,6 +2665,13 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
         if (unlikely(!(dev->flags & IFF_UP)))
                 goto out_put;
 
+        sockc.tsflags = po->sk.sk_tsflags;
+        if (msg->msg_controllen) {
+                err = sock_cmsg_send(&po->sk, msg, &sockc);
+                if (unlikely(err))
+                        goto out_put;
+        }
+
         if (po->sk.sk_socket->type == SOCK_RAW)
                 reserve = dev->hard_header_len;
         size_max = po->tx_ring.frame_size
diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c
index dee469fed967..51859b8edd7e 100644
--- a/net/sched/cls_matchall.c
+++ b/net/sched/cls_matchall.c
@@ -203,7 +203,6 @@ static int mall_change(struct net *net, struct sk_buff *in_skb,
 
         *arg = (unsigned long) head;
         rcu_assign_pointer(tp->root, new);
-        call_rcu(&head->rcu, mall_destroy_rcu);
         return 0;
 
 err_replace_hw_filter:
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index bbe57d57b67f..e88342fde1bc 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -1831,6 +1831,12 @@ static int tc_dump_tclass_root(struct Qdisc *root, struct sk_buff *skb,
         if (!qdisc_dev(root))
                 return 0;
 
+        if (tcm->tcm_parent) {
+                q = qdisc_match_from_root(root, TC_H_MAJ(tcm->tcm_parent));
+                if (q && tc_dump_tclass_qdisc(q, skb, tcm, cb, t_p, s_t) < 0)
+                        return -1;
+                return 0;
+        }
         hash_for_each(qdisc_dev(root)->qdisc_hash, b, q, hash) {
                 if (tc_dump_tclass_qdisc(q, skb, tcm, cb, t_p, s_t) < 0)
                         return -1;
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index a9708da28eb5..95238284c422 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -1176,7 +1176,9 @@ void sctp_assoc_update(struct sctp_association *asoc,
 
                 asoc->ctsn_ack_point = asoc->next_tsn - 1;
                 asoc->adv_peer_ack_point = asoc->ctsn_ack_point;
-                if (!asoc->stream) {
+
+                if (sctp_state(asoc, COOKIE_WAIT)) {
+                        sctp_stream_free(asoc->stream);
                         asoc->stream = new->stream;
                         new->stream = NULL;
                 }
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 0e06a278d2a9..ba9ad32fc447 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -473,15 +473,14 @@ struct sock *sctp_err_lookup(struct net *net, int family, struct sk_buff *skb,
                              struct sctp_association **app,
                              struct sctp_transport **tpp)
 {
+        struct sctp_init_chunk *chunkhdr, _chunkhdr;
         union sctp_addr saddr;
         union sctp_addr daddr;
         struct sctp_af *af;
         struct sock *sk = NULL;
         struct sctp_association *asoc;
         struct sctp_transport *transport = NULL;
-        struct sctp_init_chunk *chunkhdr;
         __u32 vtag = ntohl(sctphdr->vtag);
-        int len = skb->len - ((void *)sctphdr - (void *)skb->data);
 
         *app = NULL; *tpp = NULL;
 
@@ -516,13 +515,16 @@ struct sock *sctp_err_lookup(struct net *net, int family, struct sk_buff *skb,
          * discard the packet.
          */
         if (vtag == 0) {
-                chunkhdr = (void *)sctphdr + sizeof(struct sctphdr);
-                if (len < sizeof(struct sctphdr) + sizeof(sctp_chunkhdr_t)
-                          + sizeof(__be32) ||
+                /* chunk header + first 4 octects of init header */
+                chunkhdr = skb_header_pointer(skb, skb_transport_offset(skb) +
+                                              sizeof(struct sctphdr),
+                                              sizeof(struct sctp_chunkhdr) +
+                                              sizeof(__be32), &_chunkhdr);
+                if (!chunkhdr ||
                     chunkhdr->chunk_hdr.type != SCTP_CID_INIT ||
-                    ntohl(chunkhdr->init_hdr.init_tag) != asoc->c.my_vtag) {
+                    ntohl(chunkhdr->init_hdr.init_tag) != asoc->c.my_vtag)
                         goto out;
-                }
+
         } else if (vtag != asoc->c.peer_vtag) {
                 goto out;
         }
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 961ee59f696a..f5b45b8b8b16 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -240,12 +240,10 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
         struct sctp_bind_addr *bp;
         struct ipv6_pinfo *np = inet6_sk(sk);
         struct sctp_sockaddr_entry *laddr;
-        union sctp_addr *baddr = NULL;
         union sctp_addr *daddr = &t->ipaddr;
         union sctp_addr dst_saddr;
         struct in6_addr *final_p, final;
         __u8 matchlen = 0;
-        __u8 bmatchlen;
         sctp_scope_t scope;
 
         memset(fl6, 0, sizeof(struct flowi6));
@@ -312,23 +310,37 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
          */
         rcu_read_lock();
         list_for_each_entry_rcu(laddr, &bp->address_list, list) {
-                if (!laddr->valid)
+                struct dst_entry *bdst;
+                __u8 bmatchlen;
+
+                if (!laddr->valid ||
+                    laddr->state != SCTP_ADDR_SRC ||
+                    laddr->a.sa.sa_family != AF_INET6 ||
+                    scope > sctp_scope(&laddr->a))
                         continue;
-                if ((laddr->state == SCTP_ADDR_SRC) &&
-                    (laddr->a.sa.sa_family == AF_INET6) &&
-                    (scope <= sctp_scope(&laddr->a))) {
-                        bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a);
-                        if (!baddr || (matchlen < bmatchlen)) {
-                                baddr = &laddr->a;
-                                matchlen = bmatchlen;
-                        }
-                }
-        }
-        if (baddr) {
-                fl6->saddr = baddr->v6.sin6_addr;
-                fl6->fl6_sport = baddr->v6.sin6_port;
+
+                fl6->saddr = laddr->a.v6.sin6_addr;
+                fl6->fl6_sport = laddr->a.v6.sin6_port;
                 final_p = fl6_update_dst(fl6, rcu_dereference(np->opt), &final);
-                dst = ip6_dst_lookup_flow(sk, fl6, final_p);
+                bdst = ip6_dst_lookup_flow(sk, fl6, final_p);
+
+                if (!IS_ERR(bdst) &&
+                    ipv6_chk_addr(dev_net(bdst->dev),
+                                  &laddr->a.v6.sin6_addr, bdst->dev, 1)) {
+                        if (!IS_ERR_OR_NULL(dst))
+                                dst_release(dst);
+                        dst = bdst;
+                        break;
+                }
+
+                bmatchlen = sctp_v6_addr_match_len(daddr, &laddr->a);
+                if (matchlen > bmatchlen)
+                        continue;
+
+                if (!IS_ERR_OR_NULL(dst))
+                        dst_release(dst);
+                dst = bdst;
+                matchlen = bmatchlen;
         }
         rcu_read_unlock();
 
@@ -665,6 +677,9 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
         newnp = inet6_sk(newsk);
 
         memcpy(newnp, np, sizeof(struct ipv6_pinfo));
+        newnp->ipv6_mc_list = NULL;
+        newnp->ipv6_ac_list = NULL;
+        newnp->ipv6_fl_list = NULL;
 
         rcu_read_lock();
         opt = rcu_dereference(np->opt);
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 8a08f13469c4..92e332e17391 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2454,16 +2454,11 @@ int sctp_process_init(struct sctp_association *asoc, struct sctp_chunk *chunk,
          * stream sequence number shall be set to 0.
          */
 
-        /* Allocate storage for the negotiated streams if it is not a temporary
-         * association.
-         */
-        if (!asoc->temp) {
-                if (sctp_stream_init(asoc, gfp))
-                        goto clean_up;
+        if (sctp_stream_init(asoc, gfp))
+                goto clean_up;
 
-                if (sctp_assoc_set_id(asoc, gfp))
-                        goto clean_up;
-        }
+        if (!asoc->temp && sctp_assoc_set_id(asoc, gfp))
+                goto clean_up;
 
         /* ADDIP Section 4.1 ASCONF Chunk Procedures
          *
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 4f5e6cfc7f60..f863b5573e42 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2088,6 +2088,9 @@ sctp_disposition_t sctp_sf_do_5_2_4_dupcook(struct net *net,
                 }
         }
 
+        /* Set temp so that it won't be added into hashtable */
+        new_asoc->temp = 1;
+
         /* Compare the tie_tag in cookie with the verification tag of
          * current association.
          */
diff --git a/net/smc/Kconfig b/net/smc/Kconfig
index c717ef0896aa..33954852f3f8 100644
--- a/net/smc/Kconfig
+++ b/net/smc/Kconfig
@@ -8,6 +8,10 @@ config SMC
           The Linux implementation of the SMC-R solution is designed as
           a separate socket family SMC.
 
+          Warning: SMC will expose all memory for remote reads and writes
+          once a connection is established.  Don't enable this option except
+          for tightly controlled lab environment.
+
           Select this option if you want to run SMC socket applications
 
 config SMC_DIAG
diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
index e41f594a1e1d..03ec058d18df 100644
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -204,7 +204,7 @@ int smc_clc_send_confirm(struct smc_sock *smc)
         memcpy(&cclc.lcl.mac, &link->smcibdev->mac[link->ibport - 1], ETH_ALEN);
         hton24(cclc.qpn, link->roce_qp->qp_num);
         cclc.rmb_rkey =
-                htonl(conn->rmb_desc->mr_rx[SMC_SINGLE_LINK]->rkey);
+                htonl(conn->rmb_desc->rkey[SMC_SINGLE_LINK]);
         cclc.conn_idx = 1; /* for now: 1 RMB = 1 RMBE */
         cclc.rmbe_alert_token = htonl(conn->alert_token_local);
         cclc.qp_mtu = min(link->path_mtu, link->peer_mtu);
@@ -256,7 +256,7 @@ int smc_clc_send_accept(struct smc_sock *new_smc, int srv_first_contact)
         memcpy(&aclc.lcl.mac, link->smcibdev->mac[link->ibport - 1], ETH_ALEN);
         hton24(aclc.qpn, link->roce_qp->qp_num);
         aclc.rmb_rkey =
-                htonl(conn->rmb_desc->mr_rx[SMC_SINGLE_LINK]->rkey);
+                htonl(conn->rmb_desc->rkey[SMC_SINGLE_LINK]);
         aclc.conn_idx = 1;                      /* as long as 1 RMB = 1 RMBE */
         aclc.rmbe_alert_token = htonl(conn->alert_token_local);
         aclc.qp_mtu = link->path_mtu;
diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
index 65020e93ff21..3ac09a629ea1 100644
--- a/net/smc/smc_core.c
+++ b/net/smc/smc_core.c
@@ -613,19 +613,8 @@ int smc_rmb_create(struct smc_sock *smc)
                         rmb_desc = NULL;
                         continue; /* if mapping failed, try smaller one */
                 }
-                rc = smc_ib_get_memory_region(lgr->lnk[SMC_SINGLE_LINK].roce_pd,
-                                              IB_ACCESS_REMOTE_WRITE |
-                                              IB_ACCESS_LOCAL_WRITE,
-                                             &rmb_desc->mr_rx[SMC_SINGLE_LINK]);
-                if (rc) {
-                        smc_ib_buf_unmap(lgr->lnk[SMC_SINGLE_LINK].smcibdev,
-                                         tmp_bufsize, rmb_desc,
-                                         DMA_FROM_DEVICE);
-                        kfree(rmb_desc->cpu_addr);
-                        kfree(rmb_desc);
-                        rmb_desc = NULL;
-                        continue;
-                }
+                rmb_desc->rkey[SMC_SINGLE_LINK] =
+                        lgr->lnk[SMC_SINGLE_LINK].roce_pd->unsafe_global_rkey;
                 rmb_desc->used = 1;
                 write_lock_bh(&lgr->rmbs_lock);
                 list_add(&rmb_desc->list,
@@ -668,6 +657,7 @@ int smc_rmb_rtoken_handling(struct smc_connection *conn,
 
         for (i = 0; i < SMC_RMBS_PER_LGR_MAX; i++) {
                 if ((lgr->rtokens[i][SMC_SINGLE_LINK].rkey == rkey) &&
+                    (lgr->rtokens[i][SMC_SINGLE_LINK].dma_addr == dma_addr) &&
                     test_bit(i, lgr->rtokens_used_mask)) {
                         conn->rtoken_idx = i;
                         return 0;
diff --git a/net/smc/smc_core.h b/net/smc/smc_core.h
index 27eb38056a27..b013cb43a327 100644
--- a/net/smc/smc_core.h
+++ b/net/smc/smc_core.h
@@ -93,7 +93,7 @@ struct smc_buf_desc {
         u64                     dma_addr[SMC_LINKS_PER_LGR_MAX];
                                                 /* mapped address of buffer */
         void                    *cpu_addr;      /* virtual address of buffer */
-        struct ib_mr            *mr_rx[SMC_LINKS_PER_LGR_MAX];
+        u32                     rkey[SMC_LINKS_PER_LGR_MAX];
                                                 /* for rmb only:
                                                  * rkey provided to peer
                                                  */
diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
index cb69ab977cd7..b31715505a35 100644
--- a/net/smc/smc_ib.c
+++ b/net/smc/smc_ib.c
@@ -37,24 +37,6 @@ u8 local_systemid[SMC_SYSTEMID_LEN] = SMC_LOCAL_SYSTEMID_RESET;	/* unique system
                                                                  * identifier
                                                                  */
 
-int smc_ib_get_memory_region(struct ib_pd *pd, int access_flags,
-                             struct ib_mr **mr)
-{
-        int rc;
-
-        if (*mr)
-                return 0; /* already done */
-
-        /* obtain unique key -
-         * next invocation of get_dma_mr returns a different key!
-         */
-        *mr = pd->device->get_dma_mr(pd, access_flags);
-        rc = PTR_ERR_OR_ZERO(*mr);
-        if (IS_ERR(*mr))
-                *mr = NULL;
-        return rc;
-}
-
 static int smc_ib_modify_qp_init(struct smc_link *lnk)
 {
         struct ib_qp_attr qp_attr;
@@ -210,7 +192,8 @@ int smc_ib_create_protection_domain(struct smc_link *lnk)
 {
         int rc;
 
-        lnk->roce_pd = ib_alloc_pd(lnk->smcibdev->ibdev, 0);
+        lnk->roce_pd = ib_alloc_pd(lnk->smcibdev->ibdev,
+                                   IB_PD_UNSAFE_GLOBAL_RKEY);
         rc = PTR_ERR_OR_ZERO(lnk->roce_pd);
         if (IS_ERR(lnk->roce_pd))
                 lnk->roce_pd = NULL;
diff --git a/net/smc/smc_ib.h b/net/smc/smc_ib.h
index 7e1f0e24d177..b567152a526d 100644
--- a/net/smc/smc_ib.h
+++ b/net/smc/smc_ib.h
@@ -61,8 +61,6 @@ void smc_ib_dealloc_protection_domain(struct smc_link *lnk);
 int smc_ib_create_protection_domain(struct smc_link *lnk);
 void smc_ib_destroy_queue_pair(struct smc_link *lnk);
 int smc_ib_create_queue_pair(struct smc_link *lnk);
-int smc_ib_get_memory_region(struct ib_pd *pd, int access_flags,
-                             struct ib_mr **mr);
 int smc_ib_ready_link(struct smc_link *lnk);
 int smc_ib_modify_qp_rts(struct smc_link *lnk);
 int smc_ib_modify_qp_reset(struct smc_link *lnk);
diff --git a/net/sunrpc/xprtrdma/backchannel.c b/net/sunrpc/xprtrdma/backchannel.c
index 24fedd4b117e..03f6b5840764 100644
--- a/net/sunrpc/xprtrdma/backchannel.c
+++ b/net/sunrpc/xprtrdma/backchannel.c
@@ -119,11 +119,9 @@ int xprt_rdma_bc_setup(struct rpc_xprt *xprt, unsigned int reqs)
 
         for (i = 0; i < (reqs << 1); i++) {
                 rqst = kzalloc(sizeof(*rqst), GFP_KERNEL);
-                if (!rqst) {
-                        pr_err("RPC:       %s: Failed to create bc rpc_rqst\n",
-                               __func__);
+                if (!rqst)
                         goto out_free;
-                }
+
                 dprintk("RPC:       %s: new rqst %p\n", __func__, rqst);
 
                 rqst->rq_xprt = &r_xprt->rx_xprt;
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 16aff8ddc16f..d5b54c020dec 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -2432,7 +2432,12 @@ static void xs_tcp_setup_socket(struct work_struct *work)
         case -ENETUNREACH:
         case -EADDRINUSE:
         case -ENOBUFS:
-                /* retry with existing socket, after a delay */
+                /*
+                 * xs_tcp_force_close() wakes tasks with -EIO.
+                 * We need to wake them first to ensure the
+                 * correct error code.
+                 */
+                xprt_wake_pending_tasks(xprt, status);
                 xs_tcp_force_close(xprt);
                 goto out;
         }
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 0d4f2f455a7c..1b92b72e812f 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -362,25 +362,25 @@ static int tipc_sk_sock_err(struct socket *sock, long *timeout)
         return 0;
 }
 
-#define tipc_wait_for_cond(sock_, timeout_, condition_)                 \
-({                                                                      \
-        int rc_ = 0;                                                    \
-        int done_ = 0;                                                  \
-                                                                        \
-        while (!(condition_) && !done_) {                               \
-                struct sock *sk_ = sock->sk;                            \
-                DEFINE_WAIT_FUNC(wait_, woken_wake_function);           \
-                                                                        \
-                rc_ = tipc_sk_sock_err(sock_, timeout_);                \
-                if (rc_)                                                \
-                        break;                                          \
-                prepare_to_wait(sk_sleep(sk_), &wait_,                  \
-                                TASK_INTERRUPTIBLE);                    \
-                done_ = sk_wait_event(sk_, timeout_,                    \
-                                      (condition_), &wait_);            \
-                remove_wait_queue(sk_sleep(sk_), &wait_);               \
-        }                                                               \
-        rc_;                                                            \
+#define tipc_wait_for_cond(sock_, timeo_, condition_)                          \
+({                                                                             \
+        struct sock *sk_;                                                      \
+        int rc_;                                                               \
+                                                                               \
+        while ((rc_ = !(condition_))) {                                        \
+                DEFINE_WAIT_FUNC(wait_, woken_wake_function);                  \
+                sk_ = (sock_)->sk;                                             \
+                rc_ = tipc_sk_sock_err((sock_), timeo_);                       \
+                if (rc_)                                                       \
+                        break;                                                 \
+                prepare_to_wait(sk_sleep(sk_), &wait_, TASK_INTERRUPTIBLE);    \
+                release_sock(sk_);                                             \
+                *(timeo_) = wait_woken(&wait_, TASK_INTERRUPTIBLE, *(timeo_)); \
+                sched_annotate_sleep();                                        \
+                lock_sock(sk_);                                                \
+                remove_wait_queue(sk_sleep(sk_), &wait_);                      \
+        }                                                                      \
+        rc_;                                                                   \
 })
 
 /**
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 6f7f6757ceef..dfc8c51e4d74 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1540,8 +1540,7 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
         long timeout;
         int err;
         struct vsock_transport_send_notify_data send_data;
-
-        DEFINE_WAIT(wait);
+        DEFINE_WAIT_FUNC(wait, woken_wake_function);
 
         sk = sock->sk;
         vsk = vsock_sk(sk);
@@ -1584,11 +1583,10 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
         if (err < 0)
                 goto out;
 
-
         while (total_written < len) {
                 ssize_t written;
 
-                prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
+                add_wait_queue(sk_sleep(sk), &wait);
                 while (vsock_stream_has_space(vsk) == 0 &&
                        sk->sk_err == 0 &&
                        !(sk->sk_shutdown & SEND_SHUTDOWN) &&
@@ -1597,33 +1595,30 @@ static int vsock_stream_sendmsg(struct socket *sock, struct msghdr *msg,
                         /* Don't wait for non-blocking sockets. */
                         if (timeout == 0) {
                                 err = -EAGAIN;
-                                finish_wait(sk_sleep(sk), &wait);
+                                remove_wait_queue(sk_sleep(sk), &wait);
                                 goto out_err;
                         }
 
                         err = transport->notify_send_pre_block(vsk, &send_data);
                         if (err < 0) {
-                                finish_wait(sk_sleep(sk), &wait);
+                                remove_wait_queue(sk_sleep(sk), &wait);
                                 goto out_err;
                         }
 
                         release_sock(sk);
-                        timeout = schedule_timeout(timeout);
+                        timeout = wait_woken(&wait, TASK_INTERRUPTIBLE, timeout);
                         lock_sock(sk);
                         if (signal_pending(current)) {
                                 err = sock_intr_errno(timeout);
-                                finish_wait(sk_sleep(sk), &wait);
+                                remove_wait_queue(sk_sleep(sk), &wait);
                                 goto out_err;
                         } else if (timeout == 0) {
                                 err = -EAGAIN;
-                                finish_wait(sk_sleep(sk), &wait);
+                                remove_wait_queue(sk_sleep(sk), &wait);
                                 goto out_err;
                         }
-
-                        prepare_to_wait(sk_sleep(sk), &wait,
-                                        TASK_INTERRUPTIBLE);
                 }
-                finish_wait(sk_sleep(sk), &wait);
+                remove_wait_queue(sk_sleep(sk), &wait);
 
                 /* These checks occur both as part of and after the loop
                  * conditional since we need to check before and after
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 14d5f0c8c45f..9f0901f3e42b 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -322,9 +322,9 @@ cfg80211_find_sched_scan_req(struct cfg80211_registered_device *rdev, u64 reqid)
 {
         struct cfg80211_sched_scan_request *pos;
 
-        ASSERT_RTNL();
+        WARN_ON_ONCE(!rcu_read_lock_held() && !lockdep_rtnl_is_held());
 
-        list_for_each_entry(pos, &rdev->sched_scan_req_list, list) {
+        list_for_each_entry_rcu(pos, &rdev->sched_scan_req_list, list) {
                 if (pos->reqid == reqid)
                         return pos;
         }
@@ -398,13 +398,13 @@ void cfg80211_sched_scan_results(struct wiphy *wiphy, u64 reqid)
         trace_cfg80211_sched_scan_results(wiphy, reqid);
         /* ignore if we're not scanning */
 
-        rtnl_lock();
+        rcu_read_lock();
         request = cfg80211_find_sched_scan_req(rdev, reqid);
         if (request) {
                 request->report_results = true;
                 queue_work(cfg80211_wq, &rdev->sched_scan_res_wk);
         }
-        rtnl_unlock();
+        rcu_read_unlock();
 }
 EXPORT_SYMBOL(cfg80211_sched_scan_results);
 
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 7198373e2920..4992f1025c9d 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -454,6 +454,8 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr,
         if (iftype == NL80211_IFTYPE_MESH_POINT)
                 skb_copy_bits(skb, hdrlen, &mesh_flags, 1);
 
+        mesh_flags &= MESH_FLAGS_AE;
+
         switch (hdr->frame_control &
                 cpu_to_le16(IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) {
         case cpu_to_le16(IEEE80211_FCTL_TODS):
@@ -469,9 +471,9 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr,
                              iftype != NL80211_IFTYPE_STATION))
                         return -1;
                 if (iftype == NL80211_IFTYPE_MESH_POINT) {
-                        if (mesh_flags & MESH_FLAGS_AE_A4)
+                        if (mesh_flags == MESH_FLAGS_AE_A4)
                                 return -1;
-                        if (mesh_flags & MESH_FLAGS_AE_A5_A6) {
+                        if (mesh_flags == MESH_FLAGS_AE_A5_A6) {
                                 skb_copy_bits(skb, hdrlen +
                                         offsetof(struct ieee80211s_hdr, eaddr1),
                                         tmp.h_dest, 2 * ETH_ALEN);
@@ -487,9 +489,9 @@ int ieee80211_data_to_8023_exthdr(struct sk_buff *skb, struct ethhdr *ehdr,
                      ether_addr_equal(tmp.h_source, addr)))
                         return -1;
                 if (iftype == NL80211_IFTYPE_MESH_POINT) {
-                        if (mesh_flags & MESH_FLAGS_AE_A5_A6)
+                        if (mesh_flags == MESH_FLAGS_AE_A5_A6)
                                 return -1;
-                        if (mesh_flags & MESH_FLAGS_AE_A4)
+                        if (mesh_flags == MESH_FLAGS_AE_A4)
                                 skb_copy_bits(skb, hdrlen +
                                         offsetof(struct ieee80211s_hdr, eaddr1),
                                         tmp.h_source, ETH_ALEN);
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 8b911c29860e..5a1a98df3499 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -1791,32 +1791,40 @@ void x25_kill_by_neigh(struct x25_neigh *nb)
 
 static int __init x25_init(void)
 {
-        int rc = proto_register(&x25_proto, 0);
+        int rc;
 
-        if (rc != 0)
+        rc = proto_register(&x25_proto, 0);
+        if (rc)
                 goto out;
 
         rc = sock_register(&x25_family_ops);
-        if (rc != 0)
+        if (rc)
                 goto out_proto;
 
         dev_add_pack(&x25_packet_type);
 
         rc = register_netdevice_notifier(&x25_dev_notifier);
-        if (rc != 0)
+        if (rc)
                 goto out_sock;
 
-        pr_info("Linux Version 0.2\n");
+        rc = x25_register_sysctl();
+        if (rc)
+                goto out_dev;
 
-        x25_register_sysctl();
         rc = x25_proc_init();
-        if (rc != 0)
-                goto out_dev;
+        if (rc)
+                goto out_sysctl;
+
+        pr_info("Linux Version 0.2\n");
+
 out:
         return rc;
+out_sysctl:
+        x25_unregister_sysctl();
 out_dev:
         unregister_netdevice_notifier(&x25_dev_notifier);
 out_sock:
+        dev_remove_pack(&x25_packet_type);
         sock_unregister(AF_X25);
 out_proto:
         proto_unregister(&x25_proto);
diff --git a/net/x25/sysctl_net_x25.c b/net/x25/sysctl_net_x25.c
index a06dfe143c67..ba078c85f0a1 100644
--- a/net/x25/sysctl_net_x25.c
+++ b/net/x25/sysctl_net_x25.c
@@ -73,9 +73,12 @@ static struct ctl_table x25_table[] = {
         { },
 };
 
-void __init x25_register_sysctl(void)
+int __init x25_register_sysctl(void)
 {
         x25_table_header = register_net_sysctl(&init_net, "net/x25", x25_table);
+        if (!x25_table_header)
+                return -ENOMEM;
+        return 0;
 }
 
 void x25_unregister_sysctl(void)
diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index 8ec8a3fcf8d4..574e6f32f94f 100644
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -170,7 +170,7 @@ static int xfrm_dev_feat_change(struct net_device *dev)
 
 static int xfrm_dev_down(struct net_device *dev)
 {
-        if (dev->hw_features & NETIF_F_HW_ESP)
+        if (dev->features & NETIF_F_HW_ESP)
                 xfrm_dev_state_flush(dev_net(dev), dev, true);
 
         xfrm_garbage_collect(dev_net(dev));
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index b00a1d5a7f52..ed4e52d95172 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1797,43 +1797,6 @@ free_dst:
         goto out;
 }
 
-#ifdef CONFIG_XFRM_SUB_POLICY
-static int xfrm_dst_alloc_copy(void **target, const void *src, int size)
-{
-        if (!*target) {
-                *target = kmalloc(size, GFP_ATOMIC);
-                if (!*target)
-                        return -ENOMEM;
-        }
-
-        memcpy(*target, src, size);
-        return 0;
-}
-#endif
-
-static int xfrm_dst_update_parent(struct dst_entry *dst,
-                                  const struct xfrm_selector *sel)
-{
-#ifdef CONFIG_XFRM_SUB_POLICY
-        struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
-        return xfrm_dst_alloc_copy((void **)&(xdst->partner),
-                                   sel, sizeof(*sel));
-#else
-        return 0;
-#endif
-}
-
-static int xfrm_dst_update_origin(struct dst_entry *dst,
-                                  const struct flowi *fl)
-{
-#ifdef CONFIG_XFRM_SUB_POLICY
-        struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
-        return xfrm_dst_alloc_copy((void **)&(xdst->origin), fl, sizeof(*fl));
-#else
-        return 0;
-#endif
-}
-
 static int xfrm_expand_policies(const struct flowi *fl, u16 family,
                                 struct xfrm_policy **pols,
                                 int *num_pols, int *num_xfrms)
@@ -1905,16 +1868,6 @@ xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
 
         xdst = (struct xfrm_dst *)dst;
         xdst->num_xfrms = err;
-        if (num_pols > 1)
-                err = xfrm_dst_update_parent(dst, &pols[1]->selector);
-        else
-                err = xfrm_dst_update_origin(dst, fl);
-        if (unlikely(err)) {
-                dst_free(dst);
-                XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
-                return ERR_PTR(err);
-        }
-
         xdst->num_pols = num_pols;
         memcpy(xdst->pols, pols, sizeof(struct xfrm_policy *) * num_pols);
         xdst->policy_genid = atomic_read(&pols[0]->genid);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index fc3c5aa38754..2e291bc5f1fc 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1383,6 +1383,8 @@ static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig)
         x->curlft.add_time = orig->curlft.add_time;
         x->km.state = orig->km.state;
         x->km.seq = orig->km.seq;
+        x->replay = orig->replay;
+        x->preplay = orig->preplay;
 
         return x;