56 files changed, 527 insertions, 240 deletions

diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c
index 8e1d89d2b1c1..183f97a86bb2 100644
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -738,6 +738,7 @@ static uint16_t batadv_arp_get_type(struct batadv_priv *bat_priv,
         struct arphdr *arphdr;
         struct ethhdr *ethhdr;
         __be32 ip_src, ip_dst;
+        uint8_t *hw_src, *hw_dst;
         uint16_t type = 0;
 
         /* pull the ethernet header */
@@ -777,9 +778,23 @@ static uint16_t batadv_arp_get_type(struct batadv_priv *bat_priv,
         ip_src = batadv_arp_ip_src(skb, hdr_size);
         ip_dst = batadv_arp_ip_dst(skb, hdr_size);
         if (ipv4_is_loopback(ip_src) || ipv4_is_multicast(ip_src) ||
-            ipv4_is_loopback(ip_dst) || ipv4_is_multicast(ip_dst))
+            ipv4_is_loopback(ip_dst) || ipv4_is_multicast(ip_dst) ||
+            ipv4_is_zeronet(ip_src) || ipv4_is_lbcast(ip_src) ||
+            ipv4_is_zeronet(ip_dst) || ipv4_is_lbcast(ip_dst))
                 goto out;
 
+        hw_src = batadv_arp_hw_src(skb, hdr_size);
+        if (is_zero_ether_addr(hw_src) || is_multicast_ether_addr(hw_src))
+                goto out;
+
+        /* we don't care about the destination MAC address in ARP requests */
+        if (arphdr->ar_op != htons(ARPOP_REQUEST)) {
+                hw_dst = batadv_arp_hw_dst(skb, hdr_size);
+                if (is_zero_ether_addr(hw_dst) ||
+                    is_multicast_ether_addr(hw_dst))
+                        goto out;
+        }
+
         type = ntohs(arphdr->ar_op);
 out:
         return type;
@@ -1012,6 +1027,8 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
          */
         ret = !batadv_is_my_client(bat_priv, hw_dst);
 out:
+        if (ret)
+                kfree_skb(skb);
         /* if ret == false -> packet has to be delivered to the interface */
         return ret;
 }
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 596660d37c5e..0f78e34220c9 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2810,14 +2810,6 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
         if (conn) {
                 hci_conn_enter_active_mode(conn, BT_POWER_FORCE_ACTIVE_OFF);
 
-                hci_dev_lock(hdev);
-                if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
-                    !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags))
-                        mgmt_device_connected(hdev, &conn->dst, conn->type,
-                                              conn->dst_type, 0, NULL, 0,
-                                              conn->dev_class);
-                hci_dev_unlock(hdev);
-
                 /* Send to upper protocol */
                 l2cap_recv_acldata(conn, skb, flags);
                 return;
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 705078a0cc39..81b44481d0d9 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2688,7 +2688,7 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
         if (ev->opcode != HCI_OP_NOP)
                 del_timer(&hdev->cmd_timer);
 
-        if (ev->ncmd) {
+        if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) {
                 atomic_set(&hdev->cmd_cnt, 1);
                 if (!skb_queue_empty(&hdev->cmd_q))
                         queue_work(hdev->workqueue, &hdev->cmd_work);
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index b2bcbe2dc328..a7352ff3fd1e 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -931,7 +931,7 @@ static int hidp_setup_hid(struct hidp_session *session,
         hid->version = req->version;
         hid->country = req->country;
 
-        strncpy(hid->name, req->name, 128);
+        strncpy(hid->name, req->name, sizeof(req->name) - 1);
 
         snprintf(hid->phys, sizeof(hid->phys), "%pMR",
                  &bt_sk(session->ctrl_sock->sk)->src);
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 2c78208d793e..22e658322845 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3727,6 +3727,17 @@ sendresp:
 static int l2cap_connect_req(struct l2cap_conn *conn,
                              struct l2cap_cmd_hdr *cmd, u8 *data)
 {
+        struct hci_dev *hdev = conn->hcon->hdev;
+        struct hci_conn *hcon = conn->hcon;
+
+        hci_dev_lock(hdev);
+        if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
+            !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
+                mgmt_device_connected(hdev, &hcon->dst, hcon->type,
+                                      hcon->dst_type, 0, NULL, 0,
+                                      hcon->dev_class);
+        hci_dev_unlock(hdev);
+
         l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP, 0);
         return 0;
 }
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 531a93d613d4..57f250c20e39 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -352,7 +352,7 @@ static void __sco_sock_close(struct sock *sk)
 
         case BT_CONNECTED:
         case BT_CONFIG:
-                if (sco_pi(sk)->conn) {
+                if (sco_pi(sk)->conn->hcon) {
                         sk->sk_state = BT_DISCONN;
                         sco_sock_set_timer(sk, SCO_DISCONN_TIMEOUT);
                         hci_conn_put(sco_pi(sk)->conn->hcon);
diff --git a/net/core/dev.c b/net/core/dev.c
index 515473ee52cb..f64e439b4a00 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -6121,6 +6121,14 @@ struct netdev_queue *dev_ingress_queue_create(struct net_device *dev)
 
 static const struct ethtool_ops default_ethtool_ops;
 
+void netdev_set_default_ethtool_ops(struct net_device *dev,
+                                    const struct ethtool_ops *ops)
+{
+        if (dev->ethtool_ops == &default_ethtool_ops)
+                dev->ethtool_ops = ops;
+}
+EXPORT_SYMBOL_GPL(netdev_set_default_ethtool_ops);
+
 /**
  *      alloc_netdev_mqs - allocate network device
  *      @sizeof_priv:   size of private data to allocate space for
diff --git a/net/core/request_sock.c b/net/core/request_sock.c
index c31d9e8668c3..4425148d2b51 100644
--- a/net/core/request_sock.c
+++ b/net/core/request_sock.c
@@ -186,8 +186,6 @@ void reqsk_fastopen_remove(struct sock *sk, struct request_sock *req,
         struct fastopen_queue *fastopenq =
             inet_csk(lsk)->icsk_accept_queue.fastopenq;
 
-        BUG_ON(!spin_is_locked(&sk->sk_lock.slock) && !sock_owned_by_user(sk));
-
         tcp_sk(sk)->fastopen_rsk = NULL;
         spin_lock_bh(&fastopenq->lock);
         fastopenq->qlen--;
diff --git a/net/core/scm.c b/net/core/scm.c
index 57fb1ee6649f..905dcc6ad1e3 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -35,6 +35,7 @@
 #include <net/sock.h>
 #include <net/compat.h>
 #include <net/scm.h>
+#include <net/cls_cgroup.h>
 
 
 /*
@@ -302,8 +303,10 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
                 }
                 /* Bump the usage count and install the file. */
                 sock = sock_from_file(fp[i], &err);
-                if (sock)
+                if (sock) {
                         sock_update_netprioidx(sock->sk, current);
+                        sock_update_classid(sock->sk, current);
+                }
                 fd_install(new_fd, get_file(fp[i]));
         }
 
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 3ab989b0de42..a9a2ae3e2213 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1649,7 +1649,7 @@ static void sock_spd_release(struct splice_pipe_desc *spd, unsigned int i)
 
 static struct page *linear_to_page(struct page *page, unsigned int *len,
                                    unsigned int *offset,
-                                   struct sk_buff *skb, struct sock *sk)
+                                   struct sock *sk)
 {
         struct page_frag *pfrag = sk_page_frag(sk);
 
@@ -1682,14 +1682,14 @@ static bool spd_can_coalesce(const struct splice_pipe_desc *spd,
 static bool spd_fill_page(struct splice_pipe_desc *spd,
                           struct pipe_inode_info *pipe, struct page *page,
                           unsigned int *len, unsigned int offset,
-                          struct sk_buff *skb, bool linear,
+                          bool linear,
                           struct sock *sk)
 {
         if (unlikely(spd->nr_pages == MAX_SKB_FRAGS))
                 return true;
 
         if (linear) {
-                page = linear_to_page(page, len, &offset, skb, sk);
+                page = linear_to_page(page, len, &offset, sk);
                 if (!page)
                         return true;
         }
@@ -1706,23 +1706,9 @@ static bool spd_fill_page(struct splice_pipe_desc *spd,
         return false;
 }
 
-static inline void __segment_seek(struct page **page, unsigned int *poff,
-                                  unsigned int *plen, unsigned int off)
-{
-        unsigned long n;
-
-        *poff += off;
-        n = *poff / PAGE_SIZE;
-        if (n)
-                *page = nth_page(*page, n);
-
-        *poff = *poff % PAGE_SIZE;
-        *plen -= off;
-}
-
 static bool __splice_segment(struct page *page, unsigned int poff,
                              unsigned int plen, unsigned int *off,
-                             unsigned int *len, struct sk_buff *skb,
+                             unsigned int *len,
                              struct splice_pipe_desc *spd, bool linear,
                              struct sock *sk,
                              struct pipe_inode_info *pipe)
@@ -1737,23 +1723,19 @@ static bool __splice_segment(struct page *page, unsigned int poff,
         }
 
         /* ignore any bits we already processed */
-        if (*off) {
-                __segment_seek(&page, &poff, &plen, *off);
-                *off = 0;
-        }
+        poff += *off;
+        plen -= *off;
+        *off = 0;
 
         do {
                 unsigned int flen = min(*len, plen);
 
-                /* the linear region may spread across several pages  */
-                flen = min_t(unsigned int, flen, PAGE_SIZE - poff);
-
-                if (spd_fill_page(spd, pipe, page, &flen, poff, skb, linear, sk))
+                if (spd_fill_page(spd, pipe, page, &flen, poff,
+                                  linear, sk))
                         return true;
-
-                __segment_seek(&page, &poff, &plen, flen);
+                poff += flen;
+                plen -= flen;
                 *len -= flen;
-
         } while (*len && plen);
 
         return false;
@@ -1777,7 +1759,7 @@ static bool __skb_splice_bits(struct sk_buff *skb, struct pipe_inode_info *pipe,
         if (__splice_segment(virt_to_page(skb->data),
                              (unsigned long) skb->data & (PAGE_SIZE - 1),
                              skb_headlen(skb),
-                             offset, len, skb, spd,
+                             offset, len, spd,
                              skb_head_is_locked(skb),
                              sk, pipe))
                 return true;
@@ -1790,7 +1772,7 @@ static bool __skb_splice_bits(struct sk_buff *skb, struct pipe_inode_info *pipe,
 
                 if (__splice_segment(skb_frag_page(f),
                                      f->page_offset, skb_frag_size(f),
-                                     offset, len, skb, spd, false, sk, pipe))
+                                     offset, len, spd, false, sk, pipe))
                         return true;
         }
 
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c
index a0d8392491c3..a69b4e4a02b5 100644
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@@ -269,7 +269,11 @@ static void ah_input_done(struct crypto_async_request *base, int err)
         skb->network_header += ah_hlen;
         memcpy(skb_network_header(skb), work_iph, ihl);
         __skb_pull(skb, ah_hlen + ihl);
-        skb_set_transport_header(skb, -ihl);
+
+        if (x->props.mode == XFRM_MODE_TUNNEL)
+                skb_reset_transport_header(skb);
+        else
+                skb_set_transport_header(skb, -ihl);
 out:
         kfree(AH_SKB_CB(skb)->tmp);
         xfrm_input_resume(skb, err);
@@ -381,7 +385,10 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
         skb->network_header += ah_hlen;
         memcpy(skb_network_header(skb), work_iph, ihl);
         __skb_pull(skb, ah_hlen + ihl);
-        skb_set_transport_header(skb, -ihl);
+        if (x->props.mode == XFRM_MODE_TUNNEL)
+                skb_reset_transport_header(skb);
+        else
+                skb_set_transport_header(skb, -ihl);
 
         err = nexthdr;
 
@@ -413,9 +420,12 @@ static void ah4_err(struct sk_buff *skb, u32 info)
         if (!x)
                 return;
 
-        if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
+        if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH) {
+                atomic_inc(&flow_cache_genid);
+                rt_genid_bump(net);
+
                 ipv4_update_pmtu(skb, net, info, 0, 0, IPPROTO_AH, 0);
-        else
+        } else
                 ipv4_redirect(skb, net, 0, 0, IPPROTO_AH, 0);
         xfrm_state_put(x);
 }
diff --git a/net/ipv4/datagram.c b/net/ipv4/datagram.c
index 424fafbc8cb0..b28e863fe0a7 100644
--- a/net/ipv4/datagram.c
+++ b/net/ipv4/datagram.c
@@ -85,3 +85,28 @@ out:
         return err;
 }
 EXPORT_SYMBOL(ip4_datagram_connect);
+
+void ip4_datagram_release_cb(struct sock *sk)
+{
+        const struct inet_sock *inet = inet_sk(sk);
+        const struct ip_options_rcu *inet_opt;
+        __be32 daddr = inet->inet_daddr;
+        struct flowi4 fl4;
+        struct rtable *rt;
+
+        if (! __sk_dst_get(sk) || __sk_dst_check(sk, 0))
+                return;
+
+        rcu_read_lock();
+        inet_opt = rcu_dereference(inet->inet_opt);
+        if (inet_opt && inet_opt->opt.srr)
+                daddr = inet_opt->opt.faddr;
+        rt = ip_route_output_ports(sock_net(sk), &fl4, sk, daddr,
+                                   inet->inet_saddr, inet->inet_dport,
+                                   inet->inet_sport, sk->sk_protocol,
+                                   RT_CONN_FLAGS(sk), sk->sk_bound_dev_if);
+        if (!IS_ERR(rt))
+                __sk_dst_set(sk, &rt->dst);
+        rcu_read_unlock();
+}
+EXPORT_SYMBOL_GPL(ip4_datagram_release_cb);
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index b61e9deb7c7e..3b4f0cd2e63e 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -346,7 +346,10 @@ static int esp_input_done2(struct sk_buff *skb, int err)
 
         pskb_trim(skb, skb->len - alen - padlen - 2);
         __skb_pull(skb, hlen);
-        skb_set_transport_header(skb, -ihl);
+        if (x->props.mode == XFRM_MODE_TUNNEL)
+                skb_reset_transport_header(skb);
+        else
+                skb_set_transport_header(skb, -ihl);
 
         err = nexthdr[1];
 
@@ -499,9 +502,12 @@ static void esp4_err(struct sk_buff *skb, u32 info)
         if (!x)
                 return;
 
-        if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
+        if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH) {
+                atomic_inc(&flow_cache_genid);
+                rt_genid_bump(net);
+
                 ipv4_update_pmtu(skb, net, info, 0, 0, IPPROTO_ESP, 0);
-        else
+        } else
                 ipv4_redirect(skb, net, 0, 0, IPPROTO_ESP, 0);
         xfrm_state_put(x);
 }
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 303012adf9e6..e81b1caf2ea2 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -963,8 +963,12 @@ static netdev_tx_t ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev
                         ptr--;
                 }
                 if (tunnel->parms.o_flags&GRE_CSUM) {
+                        int offset = skb_transport_offset(skb);
+
                         *ptr = 0;
-                        *(__sum16 *)ptr = ip_compute_csum((void *)(iph+1), skb->len - sizeof(struct iphdr));
+                        *(__sum16 *)ptr = csum_fold(skb_checksum(skb, offset,
+                                                                 skb->len - offset,
+                                                                 0));
                 }
         }
 
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 3c9d20880283..d9c4f113d709 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -590,7 +590,7 @@ static int do_ip_setsockopt(struct sock *sk, int level,
         case IP_TTL:
                 if (optlen < 1)
                         goto e_inval;
-                if (val != -1 && (val < 0 || val > 255))
+                if (val != -1 && (val < 1 || val > 255))
                         goto e_inval;
                 inet->uc_ttl = val;
                 break;
diff --git a/net/ipv4/ipcomp.c b/net/ipv4/ipcomp.c
index d3ab47e19a89..9a46daed2f3c 100644
--- a/net/ipv4/ipcomp.c
+++ b/net/ipv4/ipcomp.c
@@ -47,9 +47,12 @@ static void ipcomp4_err(struct sk_buff *skb, u32 info)
         if (!x)
                 return;
 
-        if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)
+        if (icmp_hdr(skb)->type == ICMP_DEST_UNREACH) {
+                atomic_inc(&flow_cache_genid);
+                rt_genid_bump(net);
+
                 ipv4_update_pmtu(skb, net, info, 0, 0, IPPROTO_COMP, 0);
-        else
+        } else
                 ipv4_redirect(skb, net, 0, 0, IPPROTO_COMP, 0);
         xfrm_state_put(x);
 }
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 8f3d05424a3e..6f9c07268cf6 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -738,6 +738,7 @@ struct proto ping_prot = {
         .recvmsg =      ping_recvmsg,
         .bind =         ping_bind,
         .backlog_rcv =  ping_queue_rcv_skb,
+        .release_cb =   ip4_datagram_release_cb,
         .hash =         ping_v4_hash,
         .unhash =       ping_v4_unhash,
         .get_port =     ping_v4_get_port,
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 73d1e4df4bf6..6f08991409c3 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -894,6 +894,7 @@ struct proto raw_prot = {
         .recvmsg           = raw_recvmsg,
         .bind              = raw_bind,
         .backlog_rcv       = raw_rcv_skb,
+        .release_cb        = ip4_datagram_release_cb,
         .hash              = raw_hash_sk,
         .unhash            = raw_unhash_sk,
         .obj_size          = sizeof(struct raw_sock),
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 844a9ef60dbd..a0fcc47fee73 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -912,6 +912,9 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
         struct dst_entry *dst = &rt->dst;
         struct fib_result res;
 
+        if (dst_metric_locked(dst, RTAX_MTU))
+                return;
+
         if (dst->dev->mtu < mtu)
                 return;
 
@@ -962,7 +965,7 @@ void ipv4_update_pmtu(struct sk_buff *skb, struct net *net, u32 mtu,
 }
 EXPORT_SYMBOL_GPL(ipv4_update_pmtu);
 
-void ipv4_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, u32 mtu)
+static void __ipv4_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, u32 mtu)
 {
         const struct iphdr *iph = (const struct iphdr *) skb->data;
         struct flowi4 fl4;
@@ -975,6 +978,53 @@ void ipv4_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, u32 mtu)
                 ip_rt_put(rt);
         }
 }
+
+void ipv4_sk_update_pmtu(struct sk_buff *skb, struct sock *sk, u32 mtu)
+{
+        const struct iphdr *iph = (const struct iphdr *) skb->data;
+        struct flowi4 fl4;
+        struct rtable *rt;
+        struct dst_entry *dst;
+        bool new = false;
+
+        bh_lock_sock(sk);
+        rt = (struct rtable *) __sk_dst_get(sk);
+
+        if (sock_owned_by_user(sk) || !rt) {
+                __ipv4_sk_update_pmtu(skb, sk, mtu);
+                goto out;
+        }
+
+        __build_flow_key(&fl4, sk, iph, 0, 0, 0, 0, 0);
+
+        if (!__sk_dst_check(sk, 0)) {
+                rt = ip_route_output_flow(sock_net(sk), &fl4, sk);
+                if (IS_ERR(rt))
+                        goto out;
+
+                new = true;
+        }
+
+        __ip_rt_update_pmtu((struct rtable *) rt->dst.path, &fl4, mtu);
+
+        dst = dst_check(&rt->dst, 0);
+        if (!dst) {
+                if (new)
+                        dst_release(&rt->dst);
+
+                rt = ip_route_output_flow(sock_net(sk), &fl4, sk);
+                if (IS_ERR(rt))
+                        goto out;
+
+                new = true;
+        }
+
+        if (new)
+                __sk_dst_set(sk, &rt->dst);
+
+out:
+        bh_unlock_sock(sk);
+}
 EXPORT_SYMBOL_GPL(ipv4_sk_update_pmtu);
 
 void ipv4_redirect(struct sk_buff *skb, struct net *net,
@@ -1120,7 +1170,7 @@ static unsigned int ipv4_mtu(const struct dst_entry *dst)
         if (!mtu || time_after_eq(jiffies, rt->dst.expires))
                 mtu = dst_metric_raw(dst, RTAX_MTU);
 
-        if (mtu && rt_is_output_route(rt))
+        if (mtu)
                 return mtu;
 
         mtu = dst->dev->mtu;
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 1ca253635f7a..2aa69c8ae60c 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1428,12 +1428,12 @@ static void tcp_service_net_dma(struct sock *sk, bool wait)
 }
 #endif
 
-static inline struct sk_buff *tcp_recv_skb(struct sock *sk, u32 seq, u32 *off)
+static struct sk_buff *tcp_recv_skb(struct sock *sk, u32 seq, u32 *off)
 {
         struct sk_buff *skb;
         u32 offset;
 
-        skb_queue_walk(&sk->sk_receive_queue, skb) {
+        while ((skb = skb_peek(&sk->sk_receive_queue)) != NULL) {
                 offset = seq - TCP_SKB_CB(skb)->seq;
                 if (tcp_hdr(skb)->syn)
                         offset--;
@@ -1441,6 +1441,11 @@ static inline struct sk_buff *tcp_recv_skb(struct sock *sk, u32 seq, u32 *off)
                         *off = offset;
                         return skb;
                 }
+                /* This looks weird, but this can happen if TCP collapsing
+                 * splitted a fat GRO packet, while we released socket lock
+                 * in skb_splice_bits()
+                 */
+                sk_eat_skb(sk, skb, false);
         }
         return NULL;
 }
@@ -1482,7 +1487,7 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc,
                                         break;
                         }
                         used = recv_actor(desc, skb, offset, len);
-                        if (used < 0) {
+                        if (used <= 0) {
                                 if (!copied)
                                         copied = used;
                                 break;
@@ -1520,8 +1525,10 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc,
         tcp_rcv_space_adjust(sk);
 
         /* Clean up data we have read: This will do ACK frames. */
-        if (copied > 0)
+        if (copied > 0) {
+                tcp_recv_skb(sk, seq, &offset);
                 tcp_cleanup_rbuf(sk, copied);
+        }
         return copied;
 }
 EXPORT_SYMBOL(tcp_read_sock);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index a28e4db8a952..18f97ca76b00 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5543,7 +5543,7 @@ slow_path:
         if (len < (th->doff << 2) || tcp_checksum_complete_user(sk, skb))
                 goto csum_error;
 
-        if (!th->ack)
+        if (!th->ack && !th->rst)
                 goto discard;
 
         /*
@@ -5988,7 +5988,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
                         goto discard;
         }
 
-        if (!th->ack)
+        if (!th->ack && !th->rst)
                 goto discard;
 
         if (!tcp_validate_incoming(sk, skb, th, 0))
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 54139fa514e6..70b09ef2463b 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -369,11 +369,10 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
          * We do take care of PMTU discovery (RFC1191) special case :
          * we can receive locally generated ICMP messages while socket is held.
          */
-        if (sock_owned_by_user(sk) &&
-            type != ICMP_DEST_UNREACH &&
-            code != ICMP_FRAG_NEEDED)
-                NET_INC_STATS_BH(net, LINUX_MIB_LOCKDROPPEDICMPS);
-
+        if (sock_owned_by_user(sk)) {
+                if (!(type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED))
+                        NET_INC_STATS_BH(net, LINUX_MIB_LOCKDROPPEDICMPS);
+        }
         if (sk->sk_state == TCP_CLOSE)
                 goto out;
 
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 79c8dbe59b54..1f4d405eafba 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1952,6 +1952,7 @@ struct proto udp_prot = {
         .recvmsg           = udp_recvmsg,
         .sendpage          = udp_sendpage,
         .backlog_rcv       = __udp_queue_rcv_skb,
+        .release_cb        = ip4_datagram_release_cb,
         .hash              = udp_lib_hash,
         .unhash            = udp_lib_unhash,
         .rehash            = udp_v4_rehash,
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 408cac4ae00a..420e56326384 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -154,6 +154,11 @@ static void addrconf_type_change(struct net_device *dev,
                                  unsigned long event);
 static int addrconf_ifdown(struct net_device *dev, int how);
 
+static struct rt6_info *addrconf_get_prefix_route(const struct in6_addr *pfx,
+                                                  int plen,
+                                                  const struct net_device *dev,
+                                                  u32 flags, u32 noflags);
+
 static void addrconf_dad_start(struct inet6_ifaddr *ifp);
 static void addrconf_dad_timer(unsigned long data);
 static void addrconf_dad_completed(struct inet6_ifaddr *ifp);
@@ -250,12 +255,6 @@ static inline bool addrconf_qdisc_ok(const struct net_device *dev)
         return !qdisc_tx_is_noop(dev);
 }
 
-/* Check if a route is valid prefix route */
-static inline int addrconf_is_prefix_route(const struct rt6_info *rt)
-{
-        return (rt->rt6i_flags & (RTF_GATEWAY | RTF_DEFAULT)) == 0;
-}
-
 static void addrconf_del_timer(struct inet6_ifaddr *ifp)
 {
         if (del_timer(&ifp->timer))
@@ -941,17 +940,15 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
         if ((ifp->flags & IFA_F_PERMANENT) && onlink < 1) {
                 struct in6_addr prefix;
                 struct rt6_info *rt;
-                struct net *net = dev_net(ifp->idev->dev);
-                struct flowi6 fl6 = {};
 
                 ipv6_addr_prefix(&prefix, &ifp->addr, ifp->prefix_len);
-                fl6.flowi6_oif = ifp->idev->dev->ifindex;
-                fl6.daddr = prefix;
-                rt = (struct rt6_info *)ip6_route_lookup(net, &fl6,
-                                                         RT6_LOOKUP_F_IFACE);
 
-                if (rt != net->ipv6.ip6_null_entry &&
-                    addrconf_is_prefix_route(rt)) {
+                rt = addrconf_get_prefix_route(&prefix,
+                                               ifp->prefix_len,
+                                               ifp->idev->dev,
+                                               0, RTF_GATEWAY | RTF_DEFAULT);
+
+                if (rt) {
                         if (onlink == 0) {
                                 ip6_del_rt(rt);
                                 rt = NULL;
@@ -1877,7 +1874,7 @@ static struct rt6_info *addrconf_get_prefix_route(const struct in6_addr *pfx,
                         continue;
                 if ((rt->rt6i_flags & flags) != flags)
                         continue;
-                if ((noflags != 0) && ((rt->rt6i_flags & flags) != 0))
+                if ((rt->rt6i_flags & noflags) != 0)
                         continue;
                 dst_hold(&rt->dst);
                 break;
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index ecc35b93314b..384233188ac1 100644
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -472,7 +472,10 @@ static void ah6_input_done(struct crypto_async_request *base, int err)
         skb->network_header += ah_hlen;
         memcpy(skb_network_header(skb), work_iph, hdr_len);
         __skb_pull(skb, ah_hlen + hdr_len);
-        skb_set_transport_header(skb, -hdr_len);
+        if (x->props.mode == XFRM_MODE_TUNNEL)
+                skb_reset_transport_header(skb);
+        else
+                skb_set_transport_header(skb, -hdr_len);
 out:
         kfree(AH_SKB_CB(skb)->tmp);
         xfrm_input_resume(skb, err);
@@ -593,9 +596,13 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
 
         skb->network_header += ah_hlen;
         memcpy(skb_network_header(skb), work_iph, hdr_len);
-        skb->transport_header = skb->network_header;
         __skb_pull(skb, ah_hlen + hdr_len);
 
+        if (x->props.mode == XFRM_MODE_TUNNEL)
+                skb_reset_transport_header(skb);
+        else
+                skb_set_transport_header(skb, -hdr_len);
+
         err = nexthdr;
 
 out_free:
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 282f3723ee19..40ffd72243a4 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -300,7 +300,10 @@ static int esp_input_done2(struct sk_buff *skb, int err)
 
         pskb_trim(skb, skb->len - alen - padlen - 2);
         __skb_pull(skb, hlen);
-        skb_set_transport_header(skb, -hdr_len);
+        if (x->props.mode == XFRM_MODE_TUNNEL)
+                skb_reset_transport_header(skb);
+        else
+                skb_set_transport_header(skb, -hdr_len);
 
         err = nexthdr[1];
 
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index b4a9fd51dae7..fff5bdd8b680 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -81,10 +81,22 @@ static inline struct sock *icmpv6_sk(struct net *net)
         return net->ipv6.icmp_sk[smp_processor_id()];
 }
 
+static void icmpv6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
+                       u8 type, u8 code, int offset, __be32 info)
+{
+        struct net *net = dev_net(skb->dev);
+
+        if (type == ICMPV6_PKT_TOOBIG)
+                ip6_update_pmtu(skb, net, info, 0, 0);
+        else if (type == NDISC_REDIRECT)
+                ip6_redirect(skb, net, 0, 0);
+}
+
 static int icmpv6_rcv(struct sk_buff *skb);
 
 static const struct inet6_protocol icmpv6_protocol = {
         .handler        =       icmpv6_rcv,
+        .err_handler    =       icmpv6_err,
         .flags          =       INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
 };
 
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 5552d13ae92f..0c7c03d50dc0 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1213,10 +1213,10 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to,
                 if (dst_allfrag(rt->dst.path))
                         cork->flags |= IPCORK_ALLFRAG;
                 cork->length = 0;
-                exthdrlen = (opt ? opt->opt_flen : 0) - rt->rt6i_nfheader_len;
+                exthdrlen = (opt ? opt->opt_flen : 0);
                 length += exthdrlen;
                 transhdrlen += exthdrlen;
-                dst_exthdrlen = rt->dst.header_len;
+                dst_exthdrlen = rt->dst.header_len - rt->rt6i_nfheader_len;
         } else {
                 rt = (struct rt6_info *)cork->dst;
                 fl6 = &inet->cork.fl.u.ip6;
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 26dcdec9e3a5..8fd154e5f079 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1710,6 +1710,9 @@ int ip6_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, uns
                         return -EINVAL;
                 if (get_user(v, (u32 __user *)optval))
                         return -EFAULT;
+                /* "pim6reg%u" should not exceed 16 bytes (IFNAMSIZ) */
+                if (v != RT_TABLE_DEFAULT && v >= 100000000)
+                        return -EINVAL;
                 if (sk == mrt->mroute6_sk)
                         return -EBUSY;
 
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 5c61677487cf..516fbc96feff 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -164,7 +164,17 @@ static int ieee80211_add_key(struct wiphy *wiphy, struct net_device *dev,
                         sta = sta_info_get(sdata, mac_addr);
                 else
                         sta = sta_info_get_bss(sdata, mac_addr);
-                if (!sta) {
+                /*
+                 * The ASSOC test makes sure the driver is ready to
+                 * receive the key. When wpa_supplicant has roamed
+                 * using FT, it attempts to set the key before
+                 * association has completed, this rejects that attempt
+                 * so it will set the key again after assocation.
+                 *
+                 * TODO: accept the key if we have a station entry and
+                 *       add it to the device after the station.
+                 */
+                if (!sta || !test_sta_flag(sta, WLAN_STA_ASSOC)) {
                         ieee80211_key_free(sdata->local, key);
                         err = -ENOENT;
                         goto out_unlock;
@@ -1009,6 +1019,8 @@ static int ieee80211_stop_ap(struct wiphy *wiphy, struct net_device *dev)
         if (old_probe_resp)
                 kfree_rcu(old_probe_resp, rcu_head);
 
+        list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
+                sta_info_flush(local, vlan);
         sta_info_flush(local, sdata);
         ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON_ENABLED);
 
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index 53f03120db55..80e55527504b 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -4,6 +4,7 @@
 
 #include <linux/nl80211.h>
 #include <linux/export.h>
+#include <linux/rtnetlink.h>
 #include <net/cfg80211.h>
 #include "ieee80211_i.h"
 #include "driver-ops.h"
@@ -197,6 +198,15 @@ static void __ieee80211_vif_release_channel(struct ieee80211_sub_if_data *sdata)
 
         ctx = container_of(conf, struct ieee80211_chanctx, conf);
 
+        if (sdata->vif.type == NL80211_IFTYPE_AP) {
+                struct ieee80211_sub_if_data *vlan;
+
+                /* for the VLAN list */
+                ASSERT_RTNL();
+                list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
+                        rcu_assign_pointer(vlan->vif.chanctx_conf, NULL);
+        }
+
         ieee80211_unassign_vif_chanctx(sdata, ctx);
         if (ctx->refcount == 0)
                 ieee80211_free_chanctx(local, ctx);
@@ -316,6 +326,15 @@ int ieee80211_vif_use_channel(struct ieee80211_sub_if_data *sdata,
                 goto out;
         }
 
+        if (sdata->vif.type == NL80211_IFTYPE_AP) {
+                struct ieee80211_sub_if_data *vlan;
+
+                /* for the VLAN list */
+                ASSERT_RTNL();
+                list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
+                        rcu_assign_pointer(vlan->vif.chanctx_conf, &ctx->conf);
+        }
+
         ieee80211_recalc_smps_chanctx(local, ctx);
  out:
         mutex_unlock(&local->chanctx_mtx);
@@ -331,6 +350,25 @@ void ieee80211_vif_release_channel(struct ieee80211_sub_if_data *sdata)
         mutex_unlock(&sdata->local->chanctx_mtx);
 }
 
+void ieee80211_vif_vlan_copy_chanctx(struct ieee80211_sub_if_data *sdata)
+{
+        struct ieee80211_local *local = sdata->local;
+        struct ieee80211_sub_if_data *ap;
+        struct ieee80211_chanctx_conf *conf;
+
+        if (WARN_ON(sdata->vif.type != NL80211_IFTYPE_AP_VLAN || !sdata->bss))
+                return;
+
+        ap = container_of(sdata->bss, struct ieee80211_sub_if_data, u.ap);
+
+        mutex_lock(&local->chanctx_mtx);
+
+        conf = rcu_dereference_protected(ap->vif.chanctx_conf,
+                                         lockdep_is_held(&local->chanctx_mtx));
+        rcu_assign_pointer(sdata->vif.chanctx_conf, conf);
+        mutex_unlock(&local->chanctx_mtx);
+}
+
 void ieee80211_iter_chan_contexts_atomic(
         struct ieee80211_hw *hw,
         void (*iter)(struct ieee80211_hw *hw,
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 8881fc77fb13..6b7644e818d8 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -703,8 +703,8 @@ static void ieee80211_sta_merge_ibss(struct ieee80211_sub_if_data *sdata)
         sdata_info(sdata,
                    "No active IBSS STAs - trying to scan for other IBSS networks with same SSID (merge)\n");
 
-        ieee80211_request_internal_scan(sdata,
-                        ifibss->ssid, ifibss->ssid_len, NULL);
+        ieee80211_request_ibss_scan(sdata, ifibss->ssid, ifibss->ssid_len,
+                                    NULL);
 }
 
 static void ieee80211_sta_create_ibss(struct ieee80211_sub_if_data *sdata)
@@ -802,9 +802,8 @@ static void ieee80211_sta_find_ibss(struct ieee80211_sub_if_data *sdata)
                                         IEEE80211_SCAN_INTERVAL)) {
                 sdata_info(sdata, "Trigger new scan to find an IBSS to join\n");
 
-                ieee80211_request_internal_scan(sdata,
-                                ifibss->ssid, ifibss->ssid_len,
-                                ifibss->fixed_channel ? ifibss->channel : NULL);
+                ieee80211_request_ibss_scan(sdata, ifibss->ssid,
+                                            ifibss->ssid_len, chan);
         } else {
                 int interval = IEEE80211_SCAN_INTERVAL;
 
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 42d0d0267730..2ed065c09562 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -92,8 +92,6 @@ struct ieee80211_bss {
 
         u32 device_ts;
 
-        u8 dtim_period;
-
         bool wmm_used;
         bool uapsd_supported;
 
@@ -140,7 +138,6 @@ enum ieee80211_bss_corrupt_data_flags {
 
 /**
  * enum ieee80211_valid_data_flags - BSS valid data flags
- * @IEEE80211_BSS_VALID_DTIM: DTIM data was gathered from non-corrupt IE
  * @IEEE80211_BSS_VALID_WMM: WMM/UAPSD data was gathered from non-corrupt IE
  * @IEEE80211_BSS_VALID_RATES: Supported rates were gathered from non-corrupt IE
  * @IEEE80211_BSS_VALID_ERP: ERP flag was gathered from non-corrupt IE
@@ -151,7 +148,6 @@ enum ieee80211_bss_corrupt_data_flags {
  * beacon/probe response.
  */
 enum ieee80211_bss_valid_data_flags {
-        IEEE80211_BSS_VALID_DTIM                = BIT(0),
         IEEE80211_BSS_VALID_WMM                 = BIT(1),
         IEEE80211_BSS_VALID_RATES               = BIT(2),
         IEEE80211_BSS_VALID_ERP                 = BIT(3)
@@ -440,6 +436,7 @@ struct ieee80211_if_managed {
         unsigned long timers_running; /* used for quiesce/restart */
         bool powersave; /* powersave requested for this iface */
         bool broken_ap; /* AP is broken -- turn off powersave */
+        u8 dtim_period;
         enum ieee80211_smps_mode req_smps, /* requested smps mode */
                                  driver_smps_mode; /* smps mode request */
 
@@ -773,6 +770,10 @@ struct ieee80211_sub_if_data {
                 u32 mntr_flags;
         } u;
 
+        spinlock_t cleanup_stations_lock;
+        struct list_head cleanup_stations;
+        struct work_struct cleanup_stations_wk;
+
 #ifdef CONFIG_MAC80211_DEBUGFS
         struct {
                 struct dentry *dir;
@@ -1329,9 +1330,9 @@ void ieee80211_mesh_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
 
 /* scan/BSS handling */
 void ieee80211_scan_work(struct work_struct *work);
-int ieee80211_request_internal_scan(struct ieee80211_sub_if_data *sdata,
-                                    const u8 *ssid, u8 ssid_len,
-                                    struct ieee80211_channel *chan);
+int ieee80211_request_ibss_scan(struct ieee80211_sub_if_data *sdata,
+                                const u8 *ssid, u8 ssid_len,
+                                struct ieee80211_channel *chan);
 int ieee80211_request_scan(struct ieee80211_sub_if_data *sdata,
                            struct cfg80211_scan_request *req);
 void ieee80211_scan_cancel(struct ieee80211_local *local);
@@ -1357,10 +1358,8 @@ int ieee80211_request_sched_scan_stop(struct ieee80211_sub_if_data *sdata);
 void ieee80211_sched_scan_stopped_work(struct work_struct *work);
 
 /* off-channel helpers */
-void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
-                                    bool offchannel_ps_enable);
-void ieee80211_offchannel_return(struct ieee80211_local *local,
-                                 bool offchannel_ps_disable);
+void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local);
+void ieee80211_offchannel_return(struct ieee80211_local *local);
 void ieee80211_roc_setup(struct ieee80211_local *local);
 void ieee80211_start_next_roc(struct ieee80211_local *local);
 void ieee80211_roc_purge(struct ieee80211_sub_if_data *sdata);
@@ -1628,6 +1627,7 @@ ieee80211_vif_use_channel(struct ieee80211_sub_if_data *sdata,
                           const struct cfg80211_chan_def *chandef,
                           enum ieee80211_chanctx_mode mode);
 void ieee80211_vif_release_channel(struct ieee80211_sub_if_data *sdata);
+void ieee80211_vif_vlan_copy_chanctx(struct ieee80211_sub_if_data *sdata);
 
 void ieee80211_recalc_smps_chanctx(struct ieee80211_local *local,
                                    struct ieee80211_chanctx *chanctx);
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 09a80b55cf5a..8be854e86cd9 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -207,17 +207,8 @@ void ieee80211_recalc_idle(struct ieee80211_local *local)
 
 static int ieee80211_change_mtu(struct net_device *dev, int new_mtu)
 {
-        int meshhdrlen;
-        struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
-
-        meshhdrlen = (sdata->vif.type == NL80211_IFTYPE_MESH_POINT) ? 5 : 0;
-
-        /* FIX: what would be proper limits for MTU?
-         * This interface uses 802.3 frames. */
-        if (new_mtu < 256 ||
-            new_mtu > IEEE80211_MAX_DATA_LEN - 24 - 6 - meshhdrlen) {
+        if (new_mtu < 256 || new_mtu > IEEE80211_MAX_DATA_LEN)
                 return -EINVAL;
-        }
 
         dev->mtu = new_mtu;
         return 0;
@@ -586,11 +577,13 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
 
         switch (sdata->vif.type) {
         case NL80211_IFTYPE_AP_VLAN:
-                /* no need to tell driver, but set carrier */
-                if (rtnl_dereference(sdata->bss->beacon))
+                /* no need to tell driver, but set carrier and chanctx */
+                if (rtnl_dereference(sdata->bss->beacon)) {
+                        ieee80211_vif_vlan_copy_chanctx(sdata);
                         netif_carrier_on(dev);
-                else
+                } else {
                         netif_carrier_off(dev);
+                }
                 break;
         case NL80211_IFTYPE_MONITOR:
                 if (sdata->u.mntr_flags & MONITOR_FLAG_COOK_FRAMES) {
@@ -839,6 +832,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
         switch (sdata->vif.type) {
         case NL80211_IFTYPE_AP_VLAN:
                 list_del(&sdata->u.vlan.list);
+                rcu_assign_pointer(sdata->vif.chanctx_conf, NULL);
                 /* no need to tell driver */
                 break;
         case NL80211_IFTYPE_MONITOR:
@@ -865,20 +859,11 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
                 cancel_work_sync(&sdata->work);
                 /*
                  * When we get here, the interface is marked down.
-                 * Call rcu_barrier() to wait both for the RX path
+                 * Call synchronize_rcu() to wait for the RX path
                  * should it be using the interface and enqueuing
-                 * frames at this very time on another CPU, and
-                 * for the sta free call_rcu callbacks.
-                 */
-                rcu_barrier();
-
-                /*
-                 * free_sta_rcu() enqueues a work for the actual
-                 * sta cleanup, so we need to flush it while
-                 * sdata is still valid.
+                 * frames at this very time on another CPU.
                  */
-                flush_workqueue(local->workqueue);
-
+                synchronize_rcu();
                 skb_queue_purge(&sdata->skb_queue);
 
                 /*
@@ -1498,6 +1483,15 @@ static void ieee80211_assign_perm_addr(struct ieee80211_local *local,
         mutex_unlock(&local->iflist_mtx);
 }
 
+static void ieee80211_cleanup_sdata_stas_wk(struct work_struct *wk)
+{
+        struct ieee80211_sub_if_data *sdata;
+
+        sdata = container_of(wk, struct ieee80211_sub_if_data, cleanup_stations_wk);
+
+        ieee80211_cleanup_sdata_stas(sdata);
+}
+
 int ieee80211_if_add(struct ieee80211_local *local, const char *name,
                      struct wireless_dev **new_wdev, enum nl80211_iftype type,
                      struct vif_params *params)
@@ -1573,6 +1567,10 @@ int ieee80211_if_add(struct ieee80211_local *local, const char *name,
 
         INIT_LIST_HEAD(&sdata->key_list);
 
+        spin_lock_init(&sdata->cleanup_stations_lock);
+        INIT_LIST_HEAD(&sdata->cleanup_stations);
+        INIT_WORK(&sdata->cleanup_stations_wk, ieee80211_cleanup_sdata_stas_wk);
+
         for (i = 0; i < IEEE80211_NUM_BANDS; i++) {
                 struct ieee80211_supported_band *sband;
                 sband = local->hw.wiphy->bands[i];
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index 1bf03f9ff3ba..649ad513547f 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -163,7 +163,7 @@ int mesh_rmc_init(struct ieee80211_sub_if_data *sdata)
                 return -ENOMEM;
         sdata->u.mesh.rmc->idx_mask = RMC_BUCKETS - 1;
         for (i = 0; i < RMC_BUCKETS; i++)
-                INIT_LIST_HEAD(&sdata->u.mesh.rmc->bucket[i].list);
+                INIT_LIST_HEAD(&sdata->u.mesh.rmc->bucket[i]);
         return 0;
 }
 
@@ -177,7 +177,7 @@ void mesh_rmc_free(struct ieee80211_sub_if_data *sdata)
                 return;
 
         for (i = 0; i < RMC_BUCKETS; i++)
-                list_for_each_entry_safe(p, n, &rmc->bucket[i].list, list) {
+                list_for_each_entry_safe(p, n, &rmc->bucket[i], list) {
                         list_del(&p->list);
                         kmem_cache_free(rm_cache, p);
                 }
@@ -210,7 +210,7 @@ int mesh_rmc_check(u8 *sa, struct ieee80211s_hdr *mesh_hdr,
         /* Don't care about endianness since only match matters */
         memcpy(&seqnum, &mesh_hdr->seqnum, sizeof(mesh_hdr->seqnum));
         idx = le32_to_cpu(mesh_hdr->seqnum) & rmc->idx_mask;
-        list_for_each_entry_safe(p, n, &rmc->bucket[idx].list, list) {
+        list_for_each_entry_safe(p, n, &rmc->bucket[idx], list) {
                 ++entries;
                 if (time_after(jiffies, p->exp_time) ||
                                 (entries == RMC_QUEUE_MAX_LEN)) {
@@ -229,7 +229,7 @@ int mesh_rmc_check(u8 *sa, struct ieee80211s_hdr *mesh_hdr,
         p->seqnum = seqnum;
         p->exp_time = jiffies + RMC_TIMEOUT;
         memcpy(p->sa, sa, ETH_ALEN);
-        list_add(&p->list, &rmc->bucket[idx].list);
+        list_add(&p->list, &rmc->bucket[idx]);
         return 0;
 }
 
diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h
index 7c9215fb2ac8..84c28c6101cd 100644
--- a/net/mac80211/mesh.h
+++ b/net/mac80211/mesh.h
@@ -184,7 +184,7 @@ struct rmc_entry {
 };
 
 struct mesh_rmc {
-        struct rmc_entry bucket[RMC_BUCKETS];
+        struct list_head bucket[RMC_BUCKETS];
         u32 idx_mask;
 };
 
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 47aeee2d8db1..2659e428b80c 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -215,6 +215,7 @@ static void prepare_frame_for_deferred_tx(struct ieee80211_sub_if_data *sdata,
         skb->priority = 7;
 
         info->control.vif = &sdata->vif;
+        info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
         ieee80211_set_qos_hdr(sdata, skb);
 }
 
@@ -246,11 +247,13 @@ int mesh_path_error_tx(u8 ttl, u8 *target, __le32 target_sn,
                 return -EAGAIN;
 
         skb = dev_alloc_skb(local->tx_headroom +
+                            IEEE80211_ENCRYPT_HEADROOM +
+                            IEEE80211_ENCRYPT_TAILROOM +
                             hdr_len +
                             2 + 15 /* PERR IE */);
         if (!skb)
                 return -1;
-        skb_reserve(skb, local->tx_headroom);
+        skb_reserve(skb, local->tx_headroom + IEEE80211_ENCRYPT_HEADROOM);
         mgmt = (struct ieee80211_mgmt *) skb_put(skb, hdr_len);
         memset(mgmt, 0, hdr_len);
         mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT |
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 7753a9ca98a6..a3552929a21d 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1074,12 +1074,8 @@ void ieee80211_recalc_ps(struct ieee80211_local *local, s32 latency)
                 if (beaconint_us > latency) {
                         local->ps_sdata = NULL;
                 } else {
-                        struct ieee80211_bss *bss;
                         int maxslp = 1;
-                        u8 dtimper;
-
-                        bss = (void *)found->u.mgd.associated->priv;
-                        dtimper = bss->dtim_period;
+                        u8 dtimper = found->u.mgd.dtim_period;
 
                         /* If the TIM IE is invalid, pretend the value is 1 */
                         if (!dtimper)
@@ -1410,10 +1406,17 @@ static void ieee80211_set_associated(struct ieee80211_sub_if_data *sdata,
 
         ieee80211_led_assoc(local, 1);
 
-        if (local->hw.flags & IEEE80211_HW_NEED_DTIM_PERIOD)
-                bss_conf->dtim_period = bss->dtim_period;
-        else
+        if (local->hw.flags & IEEE80211_HW_NEED_DTIM_PERIOD) {
+                /*
+                 * If the AP is buggy we may get here with no DTIM period
+                 * known, so assume it's 1 which is the only safe assumption
+                 * in that case, although if the TIM IE is broken powersave
+                 * probably just won't work at all.
+                 */
+                bss_conf->dtim_period = sdata->u.mgd.dtim_period ?: 1;
+        } else {
                 bss_conf->dtim_period = 0;
+        }
 
         bss_conf->assoc = 1;
 
@@ -1562,6 +1565,8 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
 
         sdata->u.mgd.timers_running = 0;
 
+        sdata->vif.bss_conf.dtim_period = 0;
+
         ifmgd->flags = 0;
         ieee80211_vif_release_channel(sdata);
 }
@@ -2373,11 +2378,18 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
         struct ieee80211_channel *channel;
         bool need_ps = false;
 
-        if (sdata->u.mgd.associated &&
-            ether_addr_equal(mgmt->bssid, sdata->u.mgd.associated->bssid)) {
-                bss = (void *)sdata->u.mgd.associated->priv;
+        if ((sdata->u.mgd.associated &&
+             ether_addr_equal(mgmt->bssid, sdata->u.mgd.associated->bssid)) ||
+            (sdata->u.mgd.assoc_data &&
+             ether_addr_equal(mgmt->bssid,
+                              sdata->u.mgd.assoc_data->bss->bssid))) {
                 /* not previously set so we may need to recalc */
-                need_ps = !bss->dtim_period;
+                need_ps = sdata->u.mgd.associated && !sdata->u.mgd.dtim_period;
+
+                if (elems->tim && !elems->parse_error) {
+                        struct ieee80211_tim_ie *tim_ie = elems->tim;
+                        sdata->u.mgd.dtim_period = tim_ie->dtim_period;
+                }
         }
 
         if (elems->ds_params && elems->ds_params_len == 1)
@@ -3896,20 +3908,41 @@ int ieee80211_mgd_assoc(struct ieee80211_sub_if_data *sdata,
         /* kick off associate process */
 
         ifmgd->assoc_data = assoc_data;
+        ifmgd->dtim_period = 0;
 
         err = ieee80211_prep_connection(sdata, req->bss, true);
         if (err)
                 goto err_clear;
 
-        if (!bss->dtim_period &&
-            sdata->local->hw.flags & IEEE80211_HW_NEED_DTIM_PERIOD) {
-                /*
-                 * Wait up to one beacon interval ...
-                 * should this be more if we miss one?
-                 */
-                sdata_info(sdata, "waiting for beacon from %pM\n",
-                           ifmgd->bssid);
-                assoc_data->timeout = TU_TO_EXP_TIME(req->bss->beacon_interval);
+        if (sdata->local->hw.flags & IEEE80211_HW_NEED_DTIM_PERIOD) {
+                const struct cfg80211_bss_ies *beacon_ies;
+
+                rcu_read_lock();
+                beacon_ies = rcu_dereference(req->bss->beacon_ies);
+                if (!beacon_ies) {
+                        /*
+                         * Wait up to one beacon interval ...
+                         * should this be more if we miss one?
+                         */
+                        sdata_info(sdata, "waiting for beacon from %pM\n",
+                                   ifmgd->bssid);
+                        assoc_data->timeout =
+                                TU_TO_EXP_TIME(req->bss->beacon_interval);
+                } else {
+                        const u8 *tim_ie = cfg80211_find_ie(WLAN_EID_TIM,
+                                                            beacon_ies->data,
+                                                            beacon_ies->len);
+                        if (tim_ie && tim_ie[1] >=
+                                        sizeof(struct ieee80211_tim_ie)) {
+                                const struct ieee80211_tim_ie *tim;
+                                tim = (void *)(tim_ie + 2);
+                                ifmgd->dtim_period = tim->dtim_period;
+                        }
+                        assoc_data->have_beacon = true;
+                        assoc_data->sent_assoc = false;
+                        assoc_data->timeout = jiffies;
+                }
+                rcu_read_unlock();
         } else {
                 assoc_data->have_beacon = true;
                 assoc_data->sent_assoc = false;
diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index a5379aea7d09..a3ad4c3c80a3 100644
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -102,8 +102,7 @@ static void ieee80211_offchannel_ps_disable(struct ieee80211_sub_if_data *sdata)
         ieee80211_sta_reset_conn_monitor(sdata);
 }
 
-void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
-                                    bool offchannel_ps_enable)
+void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local)
 {
         struct ieee80211_sub_if_data *sdata;
 
@@ -134,8 +133,7 @@ void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
 
                 if (sdata->vif.type != NL80211_IFTYPE_MONITOR) {
                         netif_tx_stop_all_queues(sdata->dev);
-                        if (offchannel_ps_enable &&
-                            (sdata->vif.type == NL80211_IFTYPE_STATION) &&
+                        if (sdata->vif.type == NL80211_IFTYPE_STATION &&
                             sdata->u.mgd.associated)
                                 ieee80211_offchannel_ps_enable(sdata);
                 }
@@ -143,8 +141,7 @@ void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local,
         mutex_unlock(&local->iflist_mtx);
 }
 
-void ieee80211_offchannel_return(struct ieee80211_local *local,
-                                 bool offchannel_ps_disable)
+void ieee80211_offchannel_return(struct ieee80211_local *local)
 {
         struct ieee80211_sub_if_data *sdata;
 
@@ -163,11 +160,9 @@ void ieee80211_offchannel_return(struct ieee80211_local *local,
                         continue;
 
                 /* Tell AP we're back */
-                if (offchannel_ps_disable &&
-                    sdata->vif.type == NL80211_IFTYPE_STATION) {
-                        if (sdata->u.mgd.associated)
-                                ieee80211_offchannel_ps_disable(sdata);
-                }
+                if (sdata->vif.type == NL80211_IFTYPE_STATION &&
+                    sdata->u.mgd.associated)
+                        ieee80211_offchannel_ps_disable(sdata);
 
                 if (sdata->vif.type != NL80211_IFTYPE_MONITOR) {
                         /*
@@ -385,7 +380,7 @@ void ieee80211_sw_roc_work(struct work_struct *work)
                         local->tmp_channel = NULL;
                         ieee80211_hw_config(local, 0);
 
-                        ieee80211_offchannel_return(local, true);
+                        ieee80211_offchannel_return(local);
                 }
 
                 ieee80211_recalc_idle(local);
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index 8ed83dcc149f..bf82e69d0601 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -113,18 +113,6 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
                         bss->valid_data |= IEEE80211_BSS_VALID_ERP;
         }
 
-        if (elems->tim && (!elems->parse_error ||
-                           !(bss->valid_data & IEEE80211_BSS_VALID_DTIM))) {
-                struct ieee80211_tim_ie *tim_ie = elems->tim;
-                bss->dtim_period = tim_ie->dtim_period;
-                if (!elems->parse_error)
-                        bss->valid_data |= IEEE80211_BSS_VALID_DTIM;
-        }
-
-        /* If the beacon had no TIM IE, or it was invalid, use 1 */
-        if (beacon && !bss->dtim_period)
-                bss->dtim_period = 1;
-
         /* replace old supported rates if we get new values */
         if (!elems->parse_error ||
             !(bss->valid_data & IEEE80211_BSS_VALID_RATES)) {
@@ -304,7 +292,7 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted,
         if (!was_hw_scan) {
                 ieee80211_configure_filter(local);
                 drv_sw_scan_complete(local);
-                ieee80211_offchannel_return(local, true);
+                ieee80211_offchannel_return(local);
         }
 
         ieee80211_recalc_idle(local);
@@ -353,7 +341,7 @@ static int ieee80211_start_sw_scan(struct ieee80211_local *local)
         local->next_scan_state = SCAN_DECISION;
         local->scan_channel_idx = 0;
 
-        ieee80211_offchannel_stop_vifs(local, true);
+        ieee80211_offchannel_stop_vifs(local);
 
         ieee80211_configure_filter(local);
 
@@ -690,12 +678,8 @@ static void ieee80211_scan_state_suspend(struct ieee80211_local *local,
         local->scan_channel = NULL;
         ieee80211_hw_config(local, IEEE80211_CONF_CHANGE_CHANNEL);
 
-        /*
-         * Re-enable vifs and beaconing.  Leave PS
-         * in off-channel state..will put that back
-         * on-channel at the end of scanning.
-         */
-        ieee80211_offchannel_return(local, false);
+        /* disable PS */
+        ieee80211_offchannel_return(local);
 
         *next_delay = HZ / 5;
         /* afterwards, resume scan & go to next channel */
@@ -705,8 +689,7 @@ static void ieee80211_scan_state_suspend(struct ieee80211_local *local,
 static void ieee80211_scan_state_resume(struct ieee80211_local *local,
                                         unsigned long *next_delay)
 {
-        /* PS already is in off-channel mode */
-        ieee80211_offchannel_stop_vifs(local, false);
+        ieee80211_offchannel_stop_vifs(local);
 
         if (local->ops->flush) {
                 drv_flush(local, false);
@@ -832,9 +815,9 @@ int ieee80211_request_scan(struct ieee80211_sub_if_data *sdata,
         return res;
 }
 
-int ieee80211_request_internal_scan(struct ieee80211_sub_if_data *sdata,
-                                    const u8 *ssid, u8 ssid_len,
-                                    struct ieee80211_channel *chan)
+int ieee80211_request_ibss_scan(struct ieee80211_sub_if_data *sdata,
+                                const u8 *ssid, u8 ssid_len,
+                                struct ieee80211_channel *chan)
 {
         struct ieee80211_local *local = sdata->local;
         int ret = -EBUSY;
@@ -848,22 +831,36 @@ int ieee80211_request_internal_scan(struct ieee80211_sub_if_data *sdata,
 
         /* fill internal scan request */
         if (!chan) {
-                int i, nchan = 0;
+                int i, max_n;
+                int n_ch = 0;
 
                 for (band = 0; band < IEEE80211_NUM_BANDS; band++) {
                         if (!local->hw.wiphy->bands[band])
                                 continue;
-                        for (i = 0;
-                             i < local->hw.wiphy->bands[band]->n_channels;
-                             i++) {
-                                local->int_scan_req->channels[nchan] =
+
+                        max_n = local->hw.wiphy->bands[band]->n_channels;
+                        for (i = 0; i < max_n; i++) {
+                                struct ieee80211_channel *tmp_ch =
                                     &local->hw.wiphy->bands[band]->channels[i];
-                                nchan++;
+
+                                if (tmp_ch->flags & (IEEE80211_CHAN_NO_IBSS |
+                                                     IEEE80211_CHAN_DISABLED))
+                                        continue;
+
+                                local->int_scan_req->channels[n_ch] = tmp_ch;
+                                n_ch++;
                         }
                 }
 
-                local->int_scan_req->n_channels = nchan;
+                if (WARN_ON_ONCE(n_ch == 0))
+                        goto unlock;
+
+                local->int_scan_req->n_channels = n_ch;
         } else {
+                if (WARN_ON_ONCE(chan->flags & (IEEE80211_CHAN_NO_IBSS |
+                                                IEEE80211_CHAN_DISABLED)))
+                        goto unlock;
+
                 local->int_scan_req->channels[0] = chan;
                 local->int_scan_req->n_channels = 1;
         }
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index f3e502502fee..ca9fde198188 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -91,9 +91,8 @@ static int sta_info_hash_del(struct ieee80211_local *local,
         return -ENOENT;
 }
 
-static void free_sta_work(struct work_struct *wk)
+static void cleanup_single_sta(struct sta_info *sta)
 {
-        struct sta_info *sta = container_of(wk, struct sta_info, free_sta_wk);
         int ac, i;
         struct tid_ampdu_tx *tid_tx;
         struct ieee80211_sub_if_data *sdata = sta->sdata;
@@ -153,11 +152,35 @@ static void free_sta_work(struct work_struct *wk)
         sta_info_free(local, sta);
 }
 
+void ieee80211_cleanup_sdata_stas(struct ieee80211_sub_if_data *sdata)
+{
+        struct sta_info *sta;
+
+        spin_lock_bh(&sdata->cleanup_stations_lock);
+        while (!list_empty(&sdata->cleanup_stations)) {
+                sta = list_first_entry(&sdata->cleanup_stations,
+                                       struct sta_info, list);
+                list_del(&sta->list);
+                spin_unlock_bh(&sdata->cleanup_stations_lock);
+
+                cleanup_single_sta(sta);
+
+                spin_lock_bh(&sdata->cleanup_stations_lock);
+        }
+
+        spin_unlock_bh(&sdata->cleanup_stations_lock);
+}
+
 static void free_sta_rcu(struct rcu_head *h)
 {
         struct sta_info *sta = container_of(h, struct sta_info, rcu_head);
+        struct ieee80211_sub_if_data *sdata = sta->sdata;
 
-        ieee80211_queue_work(&sta->local->hw, &sta->free_sta_wk);
+        spin_lock(&sdata->cleanup_stations_lock);
+        list_add_tail(&sta->list, &sdata->cleanup_stations);
+        spin_unlock(&sdata->cleanup_stations_lock);
+
+        ieee80211_queue_work(&sdata->local->hw, &sdata->cleanup_stations_wk);
 }
 
 /* protected by RCU */
@@ -310,7 +333,6 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
 
         spin_lock_init(&sta->lock);
         INIT_WORK(&sta->drv_unblock_wk, sta_unblock);
-        INIT_WORK(&sta->free_sta_wk, free_sta_work);
         INIT_WORK(&sta->ampdu_mlme.work, ieee80211_ba_session_work);
         mutex_init(&sta->ampdu_mlme.mtx);
 
@@ -862,7 +884,7 @@ void sta_info_init(struct ieee80211_local *local)
 
 void sta_info_stop(struct ieee80211_local *local)
 {
-        del_timer(&local->sta_cleanup);
+        del_timer_sync(&local->sta_cleanup);
         sta_info_flush(local, NULL);
 }
 
@@ -891,6 +913,20 @@ int sta_info_flush(struct ieee80211_local *local,
         }
         mutex_unlock(&local->sta_mtx);
 
+        rcu_barrier();
+
+        if (sdata) {
+                ieee80211_cleanup_sdata_stas(sdata);
+                cancel_work_sync(&sdata->cleanup_stations_wk);
+        } else {
+                mutex_lock(&local->iflist_mtx);
+                list_for_each_entry(sdata, &local->interfaces, list) {
+                        ieee80211_cleanup_sdata_stas(sdata);
+                        cancel_work_sync(&sdata->cleanup_stations_wk);
+                }
+                mutex_unlock(&local->iflist_mtx);
+        }
+
         return ret;
 }
 
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index 1489bca9ea97..37c1889afd3a 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -299,7 +299,6 @@ struct sta_info {
         spinlock_t lock;
 
         struct work_struct drv_unblock_wk;
-        struct work_struct free_sta_wk;
 
         u16 listen_interval;
 
@@ -563,4 +562,6 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta);
 void ieee80211_sta_ps_deliver_poll_response(struct sta_info *sta);
 void ieee80211_sta_ps_deliver_uapsd(struct sta_info *sta);
 
+void ieee80211_cleanup_sdata_stas(struct ieee80211_sub_if_data *sdata);
+
 #endif /* STA_INFO_H */
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index e9eadc40c09c..467c1d1b66f2 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1673,10 +1673,13 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
                         chanctx_conf =
                                 rcu_dereference(tmp_sdata->vif.chanctx_conf);
         }
-        if (!chanctx_conf)
-                goto fail_rcu;
 
-        chan = chanctx_conf->def.chan;
+        if (chanctx_conf)
+                chan = chanctx_conf->def.chan;
+        else if (!local->use_chanctx)
+                chan = local->_oper_channel;
+        else
+                goto fail_rcu;
 
         /*
          * Frame injection is not allowed if beaconing is not allowed
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 016d95ead930..e4a0c4fb3a7c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1376,11 +1376,12 @@ void nf_conntrack_cleanup(struct net *net)
         synchronize_net();
         nf_conntrack_proto_fini(net);
         nf_conntrack_cleanup_net(net);
+}
 
-        if (net_eq(net, &init_net)) {
-                RCU_INIT_POINTER(nf_ct_destroy, NULL);
-                nf_conntrack_cleanup_init_net();
-        }
+void nf_conntrack_cleanup_end(void)
+{
+        RCU_INIT_POINTER(nf_ct_destroy, NULL);
+        nf_conntrack_cleanup_init_net();
 }
 
 void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 363285d544a1..e7185c684816 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -575,6 +575,7 @@ static int __init nf_conntrack_standalone_init(void)
 static void __exit nf_conntrack_standalone_fini(void)
 {
         unregister_pernet_subsys(&nf_conntrack_net_ops);
+        nf_conntrack_cleanup_end();
 }
 
 module_init(nf_conntrack_standalone_init);
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 8d987c3573fd..7b3a9e5999c0 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -345,19 +345,27 @@ int xt_find_revision(u8 af, const char *name, u8 revision, int target,
 }
 EXPORT_SYMBOL_GPL(xt_find_revision);
 
-static char *textify_hooks(char *buf, size_t size, unsigned int mask)
+static char *
+textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto)
 {
-        static const char *const names[] = {
+        static const char *const inetbr_names[] = {
                 "PREROUTING", "INPUT", "FORWARD",
                 "OUTPUT", "POSTROUTING", "BROUTING",
         };
-        unsigned int i;
+        static const char *const arp_names[] = {
+                "INPUT", "FORWARD", "OUTPUT",
+        };
+        const char *const *names;
+        unsigned int i, max;
         char *p = buf;
         bool np = false;
         int res;
 
+        names = (nfproto == NFPROTO_ARP) ? arp_names : inetbr_names;
+        max   = (nfproto == NFPROTO_ARP) ? ARRAY_SIZE(arp_names) :
+                                           ARRAY_SIZE(inetbr_names);
         *p = '\0';
-        for (i = 0; i < ARRAY_SIZE(names); ++i) {
+        for (i = 0; i < max; ++i) {
                 if (!(mask & (1 << i)))
                         continue;
                 res = snprintf(p, size, "%s%s", np ? "/" : "", names[i]);
@@ -402,8 +410,10 @@ int xt_check_match(struct xt_mtchk_param *par,
                 pr_err("%s_tables: %s match: used from hooks %s, but only "
                        "valid from %s\n",
                        xt_prefix[par->family], par->match->name,
-                       textify_hooks(used, sizeof(used), par->hook_mask),
-                       textify_hooks(allow, sizeof(allow), par->match->hooks));
+                       textify_hooks(used, sizeof(used), par->hook_mask,
+                                     par->family),
+                       textify_hooks(allow, sizeof(allow), par->match->hooks,
+                                     par->family));
                 return -EINVAL;
         }
         if (par->match->proto && (par->match->proto != proto || inv_proto)) {
@@ -575,8 +585,10 @@ int xt_check_target(struct xt_tgchk_param *par,
                 pr_err("%s_tables: %s target: used from hooks %s, but only "
                        "usable from %s\n",
                        xt_prefix[par->family], par->target->name,
-                       textify_hooks(used, sizeof(used), par->hook_mask),
-                       textify_hooks(allow, sizeof(allow), par->target->hooks));
+                       textify_hooks(used, sizeof(used), par->hook_mask,
+                                     par->family),
+                       textify_hooks(allow, sizeof(allow), par->target->hooks,
+                                     par->family));
                 return -EINVAL;
         }
         if (par->target->proto && (par->target->proto != proto || inv_proto)) {
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 2a0843081840..bde009ed8d3b 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -109,7 +109,7 @@ static int xt_ct_tg_check_v0(const struct xt_tgchk_param *par)
         struct xt_ct_target_info *info = par->targinfo;
         struct nf_conntrack_tuple t;
         struct nf_conn *ct;
-        int ret;
+        int ret = -EOPNOTSUPP;
 
         if (info->flags & ~XT_CT_NOTRACK)
                 return -EINVAL;
@@ -247,7 +247,7 @@ static int xt_ct_tg_check_v1(const struct xt_tgchk_param *par)
         struct xt_ct_target_info_v1 *info = par->targinfo;
         struct nf_conntrack_tuple t;
         struct nf_conn *ct;
-        int ret;
+        int ret = -EOPNOTSUPP;
 
         if (info->flags & ~XT_CT_NOTRACK)
                 return -EINVAL;
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 379c81dee9d1..9bcdbd02d777 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -224,7 +224,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)
 
 /* Free the outqueue structure and any related pending chunks.
  */
-void sctp_outq_teardown(struct sctp_outq *q)
+static void __sctp_outq_teardown(struct sctp_outq *q)
 {
         struct sctp_transport *transport;
         struct list_head *lchunk, *temp;
@@ -277,8 +277,6 @@ void sctp_outq_teardown(struct sctp_outq *q)
                 sctp_chunk_free(chunk);
         }
 
-        q->error = 0;
-
         /* Throw away any leftover control chunks. */
         list_for_each_entry_safe(chunk, tmp, &q->control_chunk_list, list) {
                 list_del_init(&chunk->list);
@@ -286,11 +284,17 @@ void sctp_outq_teardown(struct sctp_outq *q)
         }
 }
 
+void sctp_outq_teardown(struct sctp_outq *q)
+{
+        __sctp_outq_teardown(q);
+        sctp_outq_init(q->asoc, q);
+}
+
 /* Free the outqueue structure and any related pending chunks.  */
 void sctp_outq_free(struct sctp_outq *q)
 {
         /* Throw away leftover chunks. */
-        sctp_outq_teardown(q);
+        __sctp_outq_teardown(q);
 
         /* If we were kmalloc()'d, free the memory.  */
         if (q->malloced)
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 618ec7e216ca..5131fcfedb03 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1779,8 +1779,10 @@ static sctp_disposition_t sctp_sf_do_dupcook_a(struct net *net,
 
         /* Update the content of current association. */
         sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
-        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
         sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
+        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
+                        SCTP_STATE(SCTP_STATE_ESTABLISHED));
+        sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
         return SCTP_DISPOSITION_CONSUME;
 
 nomem_ev:
diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
index 043889ac86c0..bf3c6e8fc401 100644
--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -366,7 +366,11 @@ int sctp_sysctl_net_register(struct net *net)
 
 void sctp_sysctl_net_unregister(struct net *net)
 {
+        struct ctl_table *table;
+
+        table = net->sctp.sysctl_header->ctl_table_arg;
         unregister_net_sysctl_table(net->sctp.sysctl_header);
+        kfree(table);
 }
 
 static struct ctl_table_header * sctp_sysctl_header;
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index 1915ffe598e3..507b5e84fbdb 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -555,7 +555,7 @@ EXPORT_SYMBOL_GPL(rpc_clone_client);
  * rpc_clone_client_set_auth - Clone an RPC client structure and set its auth
  *
  * @clnt: RPC client whose parameters are copied
- * @auth: security flavor for new client
+ * @flavor: security flavor for new client
  *
  * Returns a fresh RPC client or an ERR_PTR.
  */
diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c
index b4133bd13915..bfa31714581f 100644
--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -972,8 +972,7 @@ static void rpc_async_release(struct work_struct *work)
 
 static void rpc_release_resources_task(struct rpc_task *task)
 {
-        if (task->tk_rqstp)
-                xprt_release(task);
+        xprt_release(task);
         if (task->tk_msg.rpc_cred) {
                 put_rpccred(task->tk_msg.rpc_cred);
                 task->tk_msg.rpc_cred = NULL;
diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
index bd462a532acf..33811db8788a 100644
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -1136,10 +1136,18 @@ static void xprt_request_init(struct rpc_task *task, struct rpc_xprt *xprt)
 void xprt_release(struct rpc_task *task)
 {
         struct rpc_xprt *xprt;
-        struct rpc_rqst *req;
+        struct rpc_rqst *req = task->tk_rqstp;
 
-        if (!(req = task->tk_rqstp))
+        if (req == NULL) {
+                if (task->tk_client) {
+                        rcu_read_lock();
+                        xprt = rcu_dereference(task->tk_client->cl_xprt);
+                        if (xprt->snd_task == task)
+                                xprt_release_write(xprt, task);
+                        rcu_read_unlock();
+                }
                 return;
+        }
 
         xprt = req->rq_xprt;
         if (task->tk_ops->rpc_count_stats != NULL)
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 14d990400354..b677eab55b68 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -866,8 +866,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
                 /* allow mac80211 to determine the timeout */
                 wdev->ps_timeout = -1;
 
-                if (!dev->ethtool_ops)
-                        dev->ethtool_ops = &cfg80211_ethtool_ops;
+                netdev_set_default_ethtool_ops(dev, &cfg80211_ethtool_ops);
 
                 if ((wdev->iftype == NL80211_IFTYPE_STATION ||
                      wdev->iftype == NL80211_IFTYPE_P2P_CLIENT ||
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 41eabc46f110..07c585756d2a 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2656,7 +2656,7 @@ static void xfrm_policy_fini(struct net *net)
                 WARN_ON(!hlist_empty(&net->xfrm.policy_inexact[dir]));
 
                 htab = &net->xfrm.policy_bydst[dir];
-                sz = (htab->hmask + 1);
+                sz = (htab->hmask + 1) * sizeof(struct hlist_head);
                 WARN_ON(!hlist_empty(htab->table));
                 xfrm_hash_free(htab->table, sz);
         }
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 765f6fe951eb..35754cc8a9e5 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -242,11 +242,13 @@ static void xfrm_replay_advance_bmp(struct xfrm_state *x, __be32 net_seq)
         u32 diff;
         struct xfrm_replay_state_esn *replay_esn = x->replay_esn;
         u32 seq = ntohl(net_seq);
-        u32 pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+        u32 pos;
 
         if (!replay_esn->replay_window)
                 return;
 
+        pos = (replay_esn->seq - 1) % replay_esn->replay_window;
+
         if (seq > replay_esn->seq) {
                 diff = seq - replay_esn->seq;