70 files changed, 665 insertions, 420 deletions
diff --git a/net/core/filter.c b/net/core/filter.c
index c25eb36f1320..aecdeba052d3 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2282,14 +2282,21 @@ static const struct bpf_func_proto bpf_msg_cork_bytes_proto = {
        .arg2_type      = ARG_ANYTHING,
 };
+#define sk_msg_iter_var(var)                    \
+        do {                                    \
+                var++;                          \
+                if (var == MAX_SKB_FRAGS)       \
+                        var = 0;                \
+        } while (0)
 BPF_CALL_4(bpf_msg_pull_data,
           struct sk_msg_buff *, msg, u32, start, u32, end, u64, flags)
 {
-        unsigned int len = 0, offset = 0, copy = 0;
+        unsigned int len = 0, offset = 0, copy = 0, poffset = 0;
+        int bytes = end - start, bytes_sg_total;
        struct scatterlist *sg = msg->sg_data;
        int first_sg, last_sg, i, shift;
        unsigned char *p, *to, *from;
-        int bytes = end - start;
        struct page *page;
        if (unlikely(flags || end <= start))
@@ -2299,21 +2306,22 @@ BPF_CALL_4(bpf_msg_pull_data,
        i = msg->sg_start;
        do {
                len = sg[i].length;
-                offset += len;
                if (start < offset + len)
                        break;
-                i++;
+                offset += len;
-                if (i == MAX_SKB_FRAGS)
+                sk_msg_iter_var(i);
-                        i = 0;
        } while (i != msg->sg_end);
        if (unlikely(start >= offset + len))
                return -EINVAL;
-        if (!msg->sg_copy[i] && bytes <= len)
-                goto out;
        first_sg = i;
+        /* The start may point into the sg element so we need to also
+         * account for the headroom.
+         */
+        bytes_sg_total = start - offset + bytes;
+        if (!msg->sg_copy[i] && bytes_sg_total <= len)
+                goto out;
        /* At this point we need to linearize multiple scatterlist
         * elements or a single shared page. Either way we need to
@@ -2327,37 +2335,32 @@ BPF_CALL_4(bpf_msg_pull_data,
         */
        do {
                copy += sg[i].length;
-                i++;
+                sk_msg_iter_var(i);
-                if (i == MAX_SKB_FRAGS)
+                if (bytes_sg_total <= copy)
-                        i = 0;
-                if (bytes < copy)
                        break;
        } while (i != msg->sg_end);
        last_sg = i;
-        if (unlikely(copy < end - start))
+        if (unlikely(bytes_sg_total > copy))
                return -EINVAL;
        page = alloc_pages(__GFP_NOWARN | GFP_ATOMIC, get_order(copy));
        if (unlikely(!page))
                return -ENOMEM;
        p = page_address(page);
-        offset = 0;
        i = first_sg;
        do {
                from = sg_virt(&sg[i]);
                len = sg[i].length;
-                to = p + offset;
+                to = p + poffset;
                memcpy(to, from, len);
-                offset += len;
+                poffset += len;
                sg[i].length = 0;
                put_page(sg_page(&sg[i]));
-                i++;
+                sk_msg_iter_var(i);
-                if (i == MAX_SKB_FRAGS)
-                        i = 0;
        } while (i != last_sg);
        sg[first_sg].length = copy;
@@ -2367,11 +2370,15 @@ BPF_CALL_4(bpf_msg_pull_data,
         * had a single entry though we can just replace it and
         * be done. Otherwise walk the ring and shift the entries.
         */
-        shift = last_sg - first_sg - 1;
+        WARN_ON_ONCE(last_sg == first_sg);
+        shift = last_sg > first_sg ?
+                last_sg - first_sg - 1 :
+                MAX_SKB_FRAGS - first_sg + last_sg - 1;
        if (!shift)
                goto out;
-        i = first_sg + 1;
+        i = first_sg;
+        sk_msg_iter_var(i);
        do {
                int move_from;
@@ -2388,15 +2395,13 @@ BPF_CALL_4(bpf_msg_pull_data,
                sg[move_from].page_link = 0;
                sg[move_from].offset = 0;
-                i++;
+                sk_msg_iter_var(i);
-                if (i == MAX_SKB_FRAGS)
-                        i = 0;
        } while (1);
        msg->sg_end -= shift;
        if (msg->sg_end < 0)
                msg->sg_end += MAX_SKB_FRAGS;
 out:
-        msg->data = sg_virt(&sg[i]) + start - offset;
+        msg->data = sg_virt(&sg[first_sg]) + start - offset;
        msg->data_end = msg->data + bytes;
        return 0;
@@ -7281,7 +7286,7 @@ static u32 sk_reuseport_convert_ctx_access(enum bpf_access_type type,
                break;
        case offsetof(struct sk_reuseport_md, ip_protocol):
-                BUILD_BUG_ON(hweight_long(SK_FL_PROTO_MASK) != BITS_PER_BYTE);
+                BUILD_BUG_ON(HWEIGHT32(SK_FL_PROTO_MASK) != BITS_PER_BYTE);
                SK_REUSEPORT_LOAD_SK_FIELD_SIZE_OFF(__sk_flags_offset,
                                                    BPF_W, 0);
                *insn++ = BPF_ALU32_IMM(BPF_AND, si->dst_reg, SK_FL_PROTO_MASK);
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 24431e578310..60c928894a78 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -324,6 +324,10 @@ void rtnl_unregister_all(int protocol)
        rtnl_lock();
        tab = rtnl_msg_handlers[protocol];
+        if (!tab) {
+                rtnl_unlock();
+                return;
+        }
        RCU_INIT_POINTER(rtnl_msg_handlers[protocol], NULL);
        for (msgindex = 0; msgindex < RTM_NR_MSGTYPES; msgindex++) {
                link = tab[msgindex];
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index c996c09d095f..b2c807f67aba 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -939,9 +939,6 @@ struct ubuf_info *sock_zerocopy_alloc(struct sock *sk, size_t size)
        WARN_ON_ONCE(!in_task());
-        if (!sock_flag(sk, SOCK_ZEROCOPY))
-                return NULL;
        skb = sock_omalloc(sk, 0, GFP_KERNEL);
        if (!skb)
                return NULL;
diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
index e63c554e0623..9f3209ff7ffd 100644
--- a/net/dsa/dsa.c
+++ b/net/dsa/dsa.c
@@ -19,12 +19,10 @@
 #include <linux/of_mdio.h>
 #include <linux/of_platform.h>
 #include <linux/of_net.h>
-#include <linux/of_gpio.h>
 #include <linux/netdevice.h>
 #include <linux/sysfs.h>
 #include <linux/phy_fixed.h>
 #include <linux/ptp_classify.h>
-#include <linux/gpio/consumer.h>
 #include <linux/etherdevice.h>
 #include "dsa_priv.h"
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index cf75f8944b05..4da39446da2d 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -820,10 +820,9 @@ static void igmp_timer_expire(struct timer_list *t)
        spin_lock(&im->lock);
        im->tm_running = 0;
-        if (im->unsolicit_count) {
+        if (im->unsolicit_count && --im->unsolicit_count)
-                im->unsolicit_count--;
                igmp_start_timer(im, unsolicited_report_interval(in_dev));
-        }
        im->reporter = 1;
        spin_unlock(&im->lock);
@@ -1308,6 +1307,8 @@ static void igmp_group_added(struct ip_mc_list *im)
        if (in_dev->dead)
                return;
+        im->unsolicit_count = net->ipv4.sysctl_igmp_qrv;
        if (IGMP_V1_SEEN(in_dev) || IGMP_V2_SEEN(in_dev)) {
                spin_lock_bh(&im->lock);
                igmp_start_timer(im, IGMP_INITIAL_REPORT_DELAY);
@@ -1391,9 +1392,6 @@ static void __ip_mc_inc_group(struct in_device *in_dev, __be32 addr,
                              unsigned int mode)
 {
        struct ip_mc_list *im;
-#ifdef CONFIG_IP_MULTICAST
-        struct net *net = dev_net(in_dev->dev);
-#endif
        ASSERT_RTNL();
@@ -1420,7 +1418,6 @@ static void __ip_mc_inc_group(struct in_device *in_dev, __be32 addr,
        spin_lock_init(&im->lock);
 #ifdef CONFIG_IP_MULTICAST
        timer_setup(&im->timer, igmp_timer_expire, 0);
-        im->unsolicit_count = net->ipv4.sysctl_igmp_qrv;
 #endif
        im->next_rcu = in_dev->mc_list;
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 88281fbce88c..e7227128df2c 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -599,6 +599,7 @@ static int ip_frag_reasm(struct ipq *qp, struct sk_buff *skb,
                        nextp = &fp->next;
                        fp->prev = NULL;
                        memset(&fp->rbnode, 0, sizeof(fp->rbnode));
+                        fp->sk = NULL;
                        head->data_len += fp->len;
                        head->len += fp->len;
                        if (head->ip_summed != fp->ip_summed)
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 51a5d06085ac..8cce0e9ea08c 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -178,6 +178,9 @@ static void ipgre_err(struct sk_buff *skb, u32 info,
        if (tpi->proto == htons(ETH_P_TEB))
                itn = net_generic(net, gre_tap_net_id);
+        else if (tpi->proto == htons(ETH_P_ERSPAN) ||
+                 tpi->proto == htons(ETH_P_ERSPAN2))
+                itn = net_generic(net, erspan_net_id);
        else
                itn = net_generic(net, ipgre_net_id);
@@ -328,6 +331,8 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
                ip_tunnel_rcv(tunnel, skb, tpi, tun_dst, log_ecn_error);
                return PACKET_RCVD;
        }
+        return PACKET_REJECT;
 drop:
        kfree_skb(skb);
        return PACKET_RCVD;
@@ -1508,11 +1513,14 @@ nla_put_failure:
 static void erspan_setup(struct net_device *dev)
 {
+        struct ip_tunnel *t = netdev_priv(dev);
        ether_setup(dev);
        dev->netdev_ops = &erspan_netdev_ops;
        dev->priv_flags &= ~IFF_TX_SKB_SHARING;
        dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
        ip_tunnel_setup(dev, erspan_net_id);
+        t->erspan_ver = 1;
 }
 static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index d9504adc47b3..184bf2e0a1ed 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -106,6 +106,10 @@ config NF_NAT_IPV4
 if NF_NAT_IPV4
+config NF_NAT_MASQUERADE_IPV4
+        bool
+if NF_TABLES
 config NFT_CHAIN_NAT_IPV4
        depends on NF_TABLES_IPV4
        tristate "IPv4 nf_tables nat chain support"
@@ -115,9 +119,6 @@ config NFT_CHAIN_NAT_IPV4
          packet transformations such as the source, destination address and
          source and destination ports.
-config NF_NAT_MASQUERADE_IPV4
-        bool
 config NFT_MASQ_IPV4
        tristate "IPv4 masquerading support for nf_tables"
        depends on NF_TABLES_IPV4
@@ -135,6 +136,7 @@ config NFT_REDIR_IPV4
        help
          This is the expression that provides IPv4 redirect support for
          nf_tables.
+endif # NF_TABLES
 config NF_NAT_SNMP_BASIC
        tristate "Basic SNMP-ALG support"
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index b8af2fec5ad5..10c6246396cc 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1185,7 +1185,7 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
        flags = msg->msg_flags;
-        if (flags & MSG_ZEROCOPY && size) {
+        if (flags & MSG_ZEROCOPY && size && sock_flag(sk, SOCK_ZEROCOPY)) {
                if (sk->sk_state != TCP_ESTABLISHED) {
                        err = -EINVAL;
                        goto out_err;
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 4c2dd9f863f7..4cf2f7bb2802 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -6367,8 +6367,8 @@ static bool tcp_syn_flood_action(const struct sock *sk,
        if (!queue->synflood_warned &&
            net->ipv4.sysctl_tcp_syncookies != 2 &&
            xchg(&queue->synflood_warned, 1) == 0)
-                pr_info("%s: Possible SYN flooding on port %d. %s.  Check SNMP counters.\n",
+                net_info_ratelimited("%s: Possible SYN flooding on port %d. %s.  Check SNMP counters.\n",
-                        proto, ntohs(tcp_hdr(skb)->dest), msg);
+                                     proto, ntohs(tcp_hdr(skb)->dest), msg);
        return want_cookie;
 }
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 75ef332a7caf..12affb7864d9 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -184,8 +184,9 @@ kill:
                                inet_twsk_deschedule_put(tw);
                                return TCP_TW_SUCCESS;
                        }
+                } else {
+                        inet_twsk_reschedule(tw, TCP_TIMEWAIT_LEN);
                }
-                inet_twsk_reschedule(tw, TCP_TIMEWAIT_LEN);
                if (tmp_opt.saw_tstamp) {
                        tcptw->tw_ts_recent       = tmp_opt.rcv_tsval;
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 673bba31eb18..9a4261e50272 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -938,14 +938,14 @@ static int __init inet6_init(void)
        err = proto_register(&pingv6_prot, 1);
        if (err)
-                goto out_unregister_ping_proto;
+                goto out_unregister_raw_proto;
        /* We MUST register RAW sockets before we create the ICMP6,
         * IGMP6, or NDISC control sockets.
         */
        err = rawv6_init();
        if (err)
-                goto out_unregister_raw_proto;
+                goto out_unregister_ping_proto;
        /* Register the family here so that the init calls below will
         * be able to create sockets. (?? is this dangerous ??)
@@ -1113,11 +1113,11 @@ netfilter_fail:
 igmp_fail:
        ndisc_cleanup();
 ndisc_fail:
-        ip6_mr_cleanup();
+        icmpv6_cleanup();
 icmp_fail:
-        unregister_pernet_subsys(&inet6_net_ops);
+        ip6_mr_cleanup();
 ipmr_fail:
-        icmpv6_cleanup();
+        unregister_pernet_subsys(&inet6_net_ops);
 register_pernet_fail:
        sock_unregister(PF_INET6);
        rtnl_unregister_all(PF_INET6);
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index c861a6d4671d..5516f55e214b 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -989,7 +989,10 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct fib6_info *rt,
                                        fib6_clean_expires(iter);
                                else
                                        fib6_set_expires(iter, rt->expires);
-                                fib6_metric_set(iter, RTAX_MTU, rt->fib6_pmtu);
+                                if (rt->fib6_pmtu)
+                                        fib6_metric_set(iter, RTAX_MTU,
+                                                        rt->fib6_pmtu);
                                return -EEXIST;
                        }
                        /* If we have the same destination and the same metric,
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 18a3794b0f52..e493b041d4ac 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1778,6 +1778,7 @@ static void ip6gre_netlink_parms(struct nlattr *data[],
        if (data[IFLA_GRE_COLLECT_METADATA])
                parms->collect_md = true;
+        parms->erspan_ver = 1;
        if (data[IFLA_GRE_ERSPAN_VER])
                parms->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]);
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 5df2a58d945c..419960b0ba16 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1188,7 +1188,15 @@ route_lookup:
                init_tel_txopt(&opt, encap_limit);
                ipv6_push_frag_opts(skb, &opt.ops, &proto);
        }
-        hop_limit = hop_limit ? : ip6_dst_hoplimit(dst);
+        if (hop_limit == 0) {
+                if (skb->protocol == htons(ETH_P_IP))
+                        hop_limit = ip_hdr(skb)->ttl;
+                else if (skb->protocol == htons(ETH_P_IPV6))
+                        hop_limit = ipv6_hdr(skb)->hop_limit;
+                else
+                        hop_limit = ip6_dst_hoplimit(dst);
+        }
        /* Calculate max headroom for all the headers and adjust
         * needed_headroom if necessary.
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index 5095367c7204..eeaf7455d51e 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -481,7 +481,7 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
        }
        mtu = dst_mtu(dst);
-        if (!skb->ignore_df && skb->len > mtu) {
+        if (skb->len > mtu) {
                skb_dst_update_pmtu(skb, mtu);
                if (skb->protocol == htons(ETH_P_IPV6)) {
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 2a14d8b65924..8f68a518d9db 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -445,6 +445,7 @@ nf_ct_frag6_reasm(struct frag_queue *fq, struct sk_buff *prev,  struct net_devic
                else if (head->ip_summed == CHECKSUM_COMPLETE)
                        head->csum = csum_add(head->csum, fp->csum);
                head->truesize += fp->truesize;
+                fp->sk = NULL;
        }
        sub_frag_mem_limit(fq->q.net, head->truesize);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index c4ea13e8360b..18e00ce1719a 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -996,7 +996,6 @@ static void ip6_rt_copy_init(struct rt6_info *rt, struct fib6_info *ort)
        rt->rt6i_src = ort->fib6_src;
 #endif
        rt->rt6i_prefsrc = ort->fib6_prefsrc;
-        rt->dst.lwtstate = lwtstate_get(ort->fib6_nh.nh_lwtstate);
 }
 static struct fib6_node* fib6_backtrack(struct fib6_node *fn,
diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
index a21d8ed0a325..e2f16a0173a9 100644
--- a/net/iucv/af_iucv.c
+++ b/net/iucv/af_iucv.c
@@ -351,20 +351,28 @@ static int afiucv_hs_send(struct iucv_message *imsg, struct sock *sock,
                memcpy(&phs_hdr->iucv_hdr, imsg, sizeof(struct iucv_message));
        skb->dev = iucv->hs_dev;
-        if (!skb->dev)
+        if (!skb->dev) {
-                return -ENODEV;
+                err = -ENODEV;
-        if (!(skb->dev->flags & IFF_UP) || !netif_carrier_ok(skb->dev))
+                goto err_free;
-                return -ENETDOWN;
+        }
+        if (!(skb->dev->flags & IFF_UP) || !netif_carrier_ok(skb->dev)) {
+                err = -ENETDOWN;
+                goto err_free;
+        }
        if (skb->len > skb->dev->mtu) {
-                if (sock->sk_type == SOCK_SEQPACKET)
+                if (sock->sk_type == SOCK_SEQPACKET) {
-                        return -EMSGSIZE;
+                        err = -EMSGSIZE;
-                else
+                        goto err_free;
-                        skb_trim(skb, skb->dev->mtu);
+                }
+                skb_trim(skb, skb->dev->mtu);
        }
        skb->protocol = cpu_to_be16(ETH_P_AF_IUCV);
        nskb = skb_clone(skb, GFP_ATOMIC);
-        if (!nskb)
+        if (!nskb) {
-                return -ENOMEM;
+                err = -ENOMEM;
+                goto err_free;
+        }
        skb_queue_tail(&iucv->send_skb_q, nskb);
        err = dev_queue_xmit(skb);
        if (net_xmit_eval(err)) {
@@ -375,6 +383,10 @@ static int afiucv_hs_send(struct iucv_message *imsg, struct sock *sock,
                WARN_ON(atomic_read(&iucv->msg_recv) < 0);
        }
        return net_xmit_eval(err);
+err_free:
+        kfree_skb(skb);
+        return err;
 }
 static struct sock *__iucv_get_sock_by_name(char *nm)
@@ -1167,7 +1179,7 @@ static int iucv_sock_sendmsg(struct socket *sock, struct msghdr *msg,
                err = afiucv_hs_send(&txmsg, sk, skb, 0);
                if (err) {
                        atomic_dec(&iucv->msg_sent);
-                        goto fail;
+                        goto out;
                }
        } else { /* Classic VM IUCV transport */
                skb_queue_tail(&iucv->send_skb_q, skb);
@@ -2155,8 +2167,8 @@ static int afiucv_hs_rcv(struct sk_buff *skb, struct net_device *dev,
        struct sock *sk;
        struct iucv_sock *iucv;
        struct af_iucv_trans_hdr *trans_hdr;
+        int err = NET_RX_SUCCESS;
        char nullstring[8];
-        int err = 0;
        if (skb->len < (ETH_HLEN + sizeof(struct af_iucv_trans_hdr))) {
                WARN_ONCE(1, "AF_IUCV too short skb, len=%d, min=%d",
@@ -2254,7 +2266,7 @@ static int afiucv_hs_rcv(struct sk_buff *skb, struct net_device *dev,
                err = afiucv_hs_callback_rx(sk, skb);
                break;
        default:
-                ;
+                kfree_skb(skb);
        }
        return err;
diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
index 8f7ef167c45a..eb502c6290c2 100644
--- a/net/iucv/iucv.c
+++ b/net/iucv/iucv.c
@@ -1874,7 +1874,7 @@ static void iucv_pm_complete(struct device *dev)
 * Returns 0 if there are still iucv pathes defined
 *         1 if there are no iucv pathes defined
 */
-int iucv_path_table_empty(void)
+static int iucv_path_table_empty(void)
 {
        int i;
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 6449a1c2283b..f0f5fedb8caa 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -947,8 +947,8 @@ static void ieee80211_rx_mgmt_deauth_ibss(struct ieee80211_sub_if_data *sdata,
        if (len < IEEE80211_DEAUTH_FRAME_LEN)
                return;
-        ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM BSSID=%pM (reason: %d)\n",
+        ibss_dbg(sdata, "RX DeAuth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
-                 mgmt->sa, mgmt->da, mgmt->bssid, reason);
+        ibss_dbg(sdata, "\tBSSID=%pM (reason: %d)\n", mgmt->bssid, reason);
        sta_info_destroy_addr(sdata, mgmt->sa);
 }
@@ -966,9 +966,9 @@ static void ieee80211_rx_mgmt_auth_ibss(struct ieee80211_sub_if_data *sdata,
        auth_alg = le16_to_cpu(mgmt->u.auth.auth_alg);
        auth_transaction = le16_to_cpu(mgmt->u.auth.auth_transaction);
-        ibss_dbg(sdata,
+        ibss_dbg(sdata, "RX Auth SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
-                 "RX Auth SA=%pM DA=%pM BSSID=%pM (auth_transaction=%d)\n",
+        ibss_dbg(sdata, "\tBSSID=%pM (auth_transaction=%d)\n",
-                 mgmt->sa, mgmt->da, mgmt->bssid, auth_transaction);
+                 mgmt->bssid, auth_transaction);
        if (auth_alg != WLAN_AUTH_OPEN || auth_transaction != 1)
                return;
@@ -1175,10 +1175,10 @@ static void ieee80211_rx_bss_info(struct ieee80211_sub_if_data *sdata,
                rx_timestamp = drv_get_tsf(local, sdata);
        }
-        ibss_dbg(sdata,
+        ibss_dbg(sdata, "RX beacon SA=%pM BSSID=%pM TSF=0x%llx\n",
-                 "RX beacon SA=%pM BSSID=%pM TSF=0x%llx BCN=0x%llx diff=%lld @%lu\n",
                 mgmt->sa, mgmt->bssid,
-                 (unsigned long long)rx_timestamp,
+                 (unsigned long long)rx_timestamp);
+        ibss_dbg(sdata, "\tBCN=0x%llx diff=%lld @%lu\n",
                 (unsigned long long)beacon_timestamp,
                 (unsigned long long)(rx_timestamp - beacon_timestamp),
                 jiffies);
@@ -1537,9 +1537,9 @@ static void ieee80211_rx_mgmt_probe_req(struct ieee80211_sub_if_data *sdata,
        tx_last_beacon = drv_tx_last_beacon(local);
-        ibss_dbg(sdata,
+        ibss_dbg(sdata, "RX ProbeReq SA=%pM DA=%pM\n", mgmt->sa, mgmt->da);
-                 "RX ProbeReq SA=%pM DA=%pM BSSID=%pM (tx_last_beacon=%d)\n",
+        ibss_dbg(sdata, "\tBSSID=%pM (tx_last_beacon=%d)\n",
-                 mgmt->sa, mgmt->da, mgmt->bssid, tx_last_beacon);
+                 mgmt->bssid, tx_last_beacon);
        if (!tx_last_beacon && is_multicast_ether_addr(mgmt->da))
                return;
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 4fb2709cb527..513627896204 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -256,8 +256,27 @@ static void ieee80211_restart_work(struct work_struct *work)
        flush_work(&local->radar_detected_work);
        rtnl_lock();
-        list_for_each_entry(sdata, &local->interfaces, list)
+        list_for_each_entry(sdata, &local->interfaces, list) {
+                /*
+                 * XXX: there may be more work for other vif types and even
+                 * for station mode: a good thing would be to run most of
+                 * the iface type's dependent _stop (ieee80211_mg_stop,
+                 * ieee80211_ibss_stop) etc...
+                 * For now, fix only the specific bug that was seen: race
+                 * between csa_connection_drop_work and us.
+                 */
+                if (sdata->vif.type == NL80211_IFTYPE_STATION) {
+                        /*
+                         * This worker is scheduled from the iface worker that
+                         * runs on mac80211's workqueue, so we can't be
+                         * scheduling this worker after the cancel right here.
+                         * The exception is ieee80211_chswitch_done.
+                         * Then we can have a race...
+                         */
+                        cancel_work_sync(&sdata->u.mgd.csa_connection_drop_work);
+                }
                flush_delayed_work(&sdata->dec_tailroom_needed_wk);
+        }
        ieee80211_scan_cancel(local);
        /* make sure any new ROC will consider local->in_reconfig */
@@ -471,10 +490,7 @@ static const struct ieee80211_vht_cap mac80211_vht_capa_mod_mask = {
                cpu_to_le32(IEEE80211_VHT_CAP_RXLDPC |
                            IEEE80211_VHT_CAP_SHORT_GI_80 |
                            IEEE80211_VHT_CAP_SHORT_GI_160 |
-                            IEEE80211_VHT_CAP_RXSTBC_1 |
+                            IEEE80211_VHT_CAP_RXSTBC_MASK |
-                            IEEE80211_VHT_CAP_RXSTBC_2 |
-                            IEEE80211_VHT_CAP_RXSTBC_3 |
-                            IEEE80211_VHT_CAP_RXSTBC_4 |
                            IEEE80211_VHT_CAP_TXSTBC |
                            IEEE80211_VHT_CAP_SU_BEAMFORMER_CAPABLE |
                            IEEE80211_VHT_CAP_SU_BEAMFORMEE_CAPABLE |
@@ -1208,6 +1224,7 @@ void ieee80211_unregister_hw(struct ieee80211_hw *hw)
 #if IS_ENABLED(CONFIG_IPV6)
        unregister_inet6addr_notifier(&local->ifa6_notifier);
 #endif
+        ieee80211_txq_teardown_flows(local);
        rtnl_lock();
@@ -1236,7 +1253,6 @@ void ieee80211_unregister_hw(struct ieee80211_hw *hw)
        skb_queue_purge(&local->skb_queue);
        skb_queue_purge(&local->skb_queue_unreliable);
        skb_queue_purge(&local->skb_queue_tdls_chsw);
-        ieee80211_txq_teardown_flows(local);
        destroy_workqueue(local->workqueue);
        wiphy_unregister(local->hw.wiphy);
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 35ad3983ae4b..daf9db3c8f24 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -572,6 +572,10 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata,
                forward = false;
                reply = true;
                target_metric = 0;
+                if (SN_GT(target_sn, ifmsh->sn))
+                        ifmsh->sn = target_sn;
                if (time_after(jiffies, ifmsh->last_sn_update +
                                        net_traversal_jiffies(sdata)) ||
                    time_before(jiffies, ifmsh->last_sn_update)) {
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 7fb9957359a3..3dbecae4be73 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1073,6 +1073,10 @@ static void ieee80211_chswitch_work(struct work_struct *work)
         */
        if (sdata->reserved_chanctx) {
+                struct ieee80211_supported_band *sband = NULL;
+                struct sta_info *mgd_sta = NULL;
+                enum ieee80211_sta_rx_bandwidth bw = IEEE80211_STA_RX_BW_20;
                /*
                 * with multi-vif csa driver may call ieee80211_csa_finish()
                 * many times while waiting for other interfaces to use their
@@ -1081,6 +1085,48 @@ static void ieee80211_chswitch_work(struct work_struct *work)
                if (sdata->reserved_ready)
                        goto out;
+                if (sdata->vif.bss_conf.chandef.width !=
+                    sdata->csa_chandef.width) {
+                        /*
+                         * For managed interface, we need to also update the AP
+                         * station bandwidth and align the rate scale algorithm
+                         * on the bandwidth change. Here we only consider the
+                         * bandwidth of the new channel definition (as channel
+                         * switch flow does not have the full HT/VHT/HE
+                         * information), assuming that if additional changes are
+                         * required they would be done as part of the processing
+                         * of the next beacon from the AP.
+                         */
+                        switch (sdata->csa_chandef.width) {
+                        case NL80211_CHAN_WIDTH_20_NOHT:
+                        case NL80211_CHAN_WIDTH_20:
+                        default:
+                                bw = IEEE80211_STA_RX_BW_20;
+                                break;
+                        case NL80211_CHAN_WIDTH_40:
+                                bw = IEEE80211_STA_RX_BW_40;
+                                break;
+                        case NL80211_CHAN_WIDTH_80:
+                                bw = IEEE80211_STA_RX_BW_80;
+                                break;
+                        case NL80211_CHAN_WIDTH_80P80:
+                        case NL80211_CHAN_WIDTH_160:
+                                bw = IEEE80211_STA_RX_BW_160;
+                                break;
+                        }
+                        mgd_sta = sta_info_get(sdata, ifmgd->bssid);
+                        sband =
+                                local->hw.wiphy->bands[sdata->csa_chandef.chan->band];
+                }
+                if (sdata->vif.bss_conf.chandef.width >
+                    sdata->csa_chandef.width) {
+                        mgd_sta->sta.bandwidth = bw;
+                        rate_control_rate_update(local, sband, mgd_sta,
+                                                 IEEE80211_RC_BW_CHANGED);
+                }
                ret = ieee80211_vif_use_reserved_context(sdata);
                if (ret) {
                        sdata_info(sdata,
@@ -1091,6 +1137,13 @@ static void ieee80211_chswitch_work(struct work_struct *work)
                        goto out;
                }
+                if (sdata->vif.bss_conf.chandef.width <
+                    sdata->csa_chandef.width) {
+                        mgd_sta->sta.bandwidth = bw;
+                        rate_control_rate_update(local, sband, mgd_sta,
+                                                 IEEE80211_RC_BW_CHANGED);
+                }
                goto out;
        }
@@ -1312,6 +1365,16 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
                                         cbss->beacon_interval));
        return;
 drop_connection:
+        /*
+         * This is just so that the disconnect flow will know that
+         * we were trying to switch channel and failed. In case the
+         * mode is 1 (we are not allowed to Tx), we will know not to
+         * send a deauthentication frame. Those two fields will be
+         * reset when the disconnection worker runs.
+         */
+        sdata->vif.csa_active = true;
+        sdata->csa_block_tx = csa_ie.mode;
        ieee80211_queue_work(&local->hw, &ifmgd->csa_connection_drop_work);
        mutex_unlock(&local->chanctx_mtx);
        mutex_unlock(&local->mtx);
@@ -2522,6 +2585,7 @@ static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
        struct ieee80211_local *local = sdata->local;
        struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
        u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
+        bool tx;
        sdata_lock(sdata);
        if (!ifmgd->associated) {
@@ -2529,6 +2593,8 @@ static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
                return;
        }
+        tx = !sdata->csa_block_tx;
        /* AP is probably out of range (or not reachable for another reason) so
         * remove the bss struct for that AP.
         */
@@ -2536,7 +2602,7 @@ static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
        ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
                               WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY,
-                               true, frame_buf);
+                               tx, frame_buf);
        mutex_lock(&local->mtx);
        sdata->vif.csa_active = false;
        ifmgd->csa_waiting_bcn = false;
@@ -2547,7 +2613,7 @@ static void __ieee80211_disconnect(struct ieee80211_sub_if_data *sdata)
        }
        mutex_unlock(&local->mtx);
-        ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), true,
+        ieee80211_report_disconnect(sdata, frame_buf, sizeof(frame_buf), tx,
                                    WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY);
        sdata_unlock(sdata);
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 64742f2765c4..96611d5dfadb 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1728,6 +1728,7 @@ ieee80211_rx_h_sta_process(struct ieee80211_rx_data *rx)
         */
        if (!ieee80211_hw_check(&sta->local->hw, AP_LINK_PS) &&
            !ieee80211_has_morefrags(hdr->frame_control) &&
+            !is_multicast_ether_addr(hdr->addr1) &&
            (ieee80211_is_mgmt(hdr->frame_control) ||
             ieee80211_is_data(hdr->frame_control)) &&
            !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index cd332e3e1134..f353d9db54bc 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3078,27 +3078,18 @@ void ieee80211_clear_fast_xmit(struct sta_info *sta)
 }
 static bool ieee80211_amsdu_realloc_pad(struct ieee80211_local *local,
-                                        struct sk_buff *skb, int headroom,
+                                        struct sk_buff *skb, int headroom)
-                                        int *subframe_len)
 {
-        int amsdu_len = *subframe_len + sizeof(struct ethhdr);
+        if (skb_headroom(skb) < headroom) {
-        int padding = (4 - amsdu_len) & 3;
-        if (skb_headroom(skb) < headroom || skb_tailroom(skb) < padding) {
                I802_DEBUG_INC(local->tx_expand_skb_head);
-                if (pskb_expand_head(skb, headroom, padding, GFP_ATOMIC)) {
+                if (pskb_expand_head(skb, headroom, 0, GFP_ATOMIC)) {
                        wiphy_debug(local->hw.wiphy,
                                    "failed to reallocate TX buffer\n");
                        return false;
                }
        }
-        if (padding) {
-                *subframe_len += padding;
-                skb_put_zero(skb, padding);
-        }
        return true;
 }
@@ -3122,8 +3113,7 @@ static bool ieee80211_amsdu_prepare_head(struct ieee80211_sub_if_data *sdata,
        if (info->control.flags & IEEE80211_TX_CTRL_AMSDU)
                return true;
-        if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr),
+        if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(*amsdu_hdr)))
-                                         &subframe_len))
                return false;
        data = skb_push(skb, sizeof(*amsdu_hdr));
@@ -3189,7 +3179,8 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
        void *data;
        bool ret = false;
        unsigned int orig_len;
-        int n = 1, nfrags;
+        int n = 2, nfrags, pad = 0;
+        u16 hdrlen;
        if (!ieee80211_hw_check(&local->hw, TX_AMSDU))
                return false;
@@ -3222,9 +3213,6 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
        if (skb->len + head->len > max_amsdu_len)
                goto out;
-        if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head))
-                goto out;
        nfrags = 1 + skb_shinfo(skb)->nr_frags;
        nfrags += 1 + skb_shinfo(head)->nr_frags;
        frag_tail = &skb_shinfo(head)->frag_list;
@@ -3240,10 +3228,24 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
        if (max_frags && nfrags > max_frags)
                goto out;
-        if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) + 2,
+        if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head))
-                                         &subframe_len))
                goto out;
+        /*
+         * Pad out the previous subframe to a multiple of 4 by adding the
+         * padding to the next one, that's being added. Note that head->len
+         * is the length of the full A-MSDU, but that works since each time
+         * we add a new subframe we pad out the previous one to a multiple
+         * of 4 and thus it no longer matters in the next round.
+         */
+        hdrlen = fast_tx->hdr_len - sizeof(rfc1042_header);
+        if ((head->len - hdrlen) & 3)
+                pad = 4 - ((head->len - hdrlen) & 3);
+        if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) +
+                                                     2 + pad))
+                goto out_recalc;
        ret = true;
        data = skb_push(skb, ETH_ALEN + 2);
        memmove(data, data + ETH_ALEN + 2, 2 * ETH_ALEN);
@@ -3253,15 +3255,19 @@ static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
        memcpy(data, &len, 2);
        memcpy(data + 2, rfc1042_header, sizeof(rfc1042_header));
+        memset(skb_push(skb, pad), 0, pad);
        head->len += skb->len;
        head->data_len += skb->len;
        *frag_tail = skb;
-        flow->backlog += head->len - orig_len;
+out_recalc:
-        tin->backlog_bytes += head->len - orig_len;
+        if (head->len != orig_len) {
+                flow->backlog += head->len - orig_len;
-        fq_recalc_backlog(fq, tin, flow);
+                tin->backlog_bytes += head->len - orig_len;
+                fq_recalc_backlog(fq, tin, flow);
+        }
 out:
        spin_unlock_bh(&fq->lock);
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 88efda7c9f8a..716cd6442d86 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -1135,7 +1135,7 @@ void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data *sdata,
 {
        struct ieee80211_chanctx_conf *chanctx_conf;
        const struct ieee80211_reg_rule *rrule;
-        struct ieee80211_wmm_ac *wmm_ac;
+        const struct ieee80211_wmm_ac *wmm_ac;
        u16 center_freq = 0;
        if (sdata->vif.type != NL80211_IFTYPE_AP &&
@@ -1154,20 +1154,19 @@ void ieee80211_regulatory_limit_wmm_params(struct ieee80211_sub_if_data *sdata,
        rrule = freq_reg_info(sdata->wdev.wiphy, MHZ_TO_KHZ(center_freq));
-        if (IS_ERR_OR_NULL(rrule) || !rrule->wmm_rule) {
+        if (IS_ERR_OR_NULL(rrule) || !rrule->has_wmm) {
                rcu_read_unlock();
                return;
        }
        if (sdata->vif.type == NL80211_IFTYPE_AP)
-                wmm_ac = &rrule->wmm_rule->ap[ac];
+                wmm_ac = &rrule->wmm_rule.ap[ac];
        else
-                wmm_ac = &rrule->wmm_rule->client[ac];
+                wmm_ac = &rrule->wmm_rule.client[ac];
        qparam->cw_min = max_t(u16, qparam->cw_min, wmm_ac->cw_min);
        qparam->cw_max = max_t(u16, qparam->cw_max, wmm_ac->cw_max);
        qparam->aifs = max_t(u8, qparam->aifs, wmm_ac->aifsn);
-        qparam->txop = !qparam->txop ? wmm_ac->cot / 32 :
+        qparam->txop = min_t(u16, qparam->txop, wmm_ac->cot / 32);
-                min_t(u16, qparam->txop, wmm_ac->cot / 32);
        rcu_read_unlock();
 }
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 71709c104081..f61c306de1d0 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -771,13 +771,13 @@ config NETFILTER_XT_TARGET_CHECKSUM
        depends on NETFILTER_ADVANCED
        ---help---
          This option adds a `CHECKSUM' target, which can be used in the iptables mangle
-          table.
+          table to work around buggy DHCP clients in virtualized environments.
-          You can use this target to compute and fill in the checksum in
+          Some old DHCP clients drop packets because they are not aware
-          a packet that lacks a checksum.  This is particularly useful,
+          that the checksum would normally be offloaded to hardware and
-          if you need to work around old applications such as dhcp clients,
+          thus should be considered valid.
-          that do not work well with checksum offloads, but don't want to disable
+          This target can be used to fill in the checksum using iptables
-          checksum offload in your device.
+          when such packets are sent via a virtual network device.
          To compile it as a module, choose M here.  If unsure, say N.
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index 9f14b0df6960..51c5d7eec0a3 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -776,9 +776,26 @@ static const struct nf_hook_ops ipv6_conntrack_ops[] = {
 };
 #endif
+static int nf_ct_tcp_fixup(struct nf_conn *ct, void *_nfproto)
+{
+        u8 nfproto = (unsigned long)_nfproto;
+        if (nf_ct_l3num(ct) != nfproto)
+                return 0;
+        if (nf_ct_protonum(ct) == IPPROTO_TCP &&
+            ct->proto.tcp.state == TCP_CONNTRACK_ESTABLISHED) {
+                ct->proto.tcp.seen[0].td_maxwin = 0;
+                ct->proto.tcp.seen[1].td_maxwin = 0;
+        }
+        return 0;
+}
 static int nf_ct_netns_do_get(struct net *net, u8 nfproto)
 {
        struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id);
+        bool fixup_needed = false;
        int err = 0;
        mutex_lock(&nf_ct_proto_mutex);
@@ -798,6 +815,8 @@ static int nf_ct_netns_do_get(struct net *net, u8 nfproto)
                                            ARRAY_SIZE(ipv4_conntrack_ops));
                if (err)
                        cnet->users4 = 0;
+                else
+                        fixup_needed = true;
                break;
 #if IS_ENABLED(CONFIG_IPV6)
        case NFPROTO_IPV6:
@@ -814,6 +833,8 @@ static int nf_ct_netns_do_get(struct net *net, u8 nfproto)
                                            ARRAY_SIZE(ipv6_conntrack_ops));
                if (err)
                        cnet->users6 = 0;
+                else
+                        fixup_needed = true;
                break;
 #endif
        default:
@@ -822,6 +843,11 @@ static int nf_ct_netns_do_get(struct net *net, u8 nfproto)
        }
 out_unlock:
        mutex_unlock(&nf_ct_proto_mutex);
+        if (fixup_needed)
+                nf_ct_iterate_cleanup_net(net, nf_ct_tcp_fixup,
+                                          (void *)(unsigned long)nfproto, 0, 0);
        return err;
 }
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 8c58f96b59e7..f3f91ed2c21a 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -675,7 +675,7 @@ static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
 }
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -697,6 +697,8 @@ static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[],
                        timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
                }
        }
+        timeouts[CTA_TIMEOUT_DCCP_UNSPEC] = timeouts[CTA_TIMEOUT_DCCP_REQUEST];
        return 0;
 }
@@ -726,7 +728,7 @@ dccp_timeout_nla_policy[CTA_TIMEOUT_DCCP_MAX+1] = {
        [CTA_TIMEOUT_DCCP_CLOSING]      = { .type = NLA_U32 },
        [CTA_TIMEOUT_DCCP_TIMEWAIT]     = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 #ifdef CONFIG_SYSCTL
 /* template, data assigned later */
@@ -827,6 +829,11 @@ static int dccp_init_net(struct net *net, u_int16_t proto)
                dn->dccp_timeout[CT_DCCP_CLOSEREQ]      = 64 * HZ;
                dn->dccp_timeout[CT_DCCP_CLOSING]       = 64 * HZ;
                dn->dccp_timeout[CT_DCCP_TIMEWAIT]      = 2 * DCCP_MSL;
+                /* timeouts[0] is unused, make it same as SYN_SENT so
+                 * ->timeouts[0] contains 'new' timeout, like udp or icmp.
+                 */
+                dn->dccp_timeout[CT_DCCP_NONE] = dn->dccp_timeout[CT_DCCP_REQUEST];
        }
        return dccp_kmemdup_sysctl_table(net, pn, dn);
@@ -856,7 +863,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4 = {
        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
        .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout           = {
                .nlattr_to_obj  = dccp_timeout_nlattr_to_obj,
                .obj_to_nlattr  = dccp_timeout_obj_to_nlattr,
@@ -864,7 +871,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4 = {
                .obj_size       = sizeof(unsigned int) * CT_DCCP_MAX,
                .nla_policy     = dccp_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
        .init_net               = dccp_init_net,
        .get_net_proto          = dccp_get_net_proto,
 };
@@ -889,7 +896,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6 = {
        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
        .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout           = {
                .nlattr_to_obj  = dccp_timeout_nlattr_to_obj,
                .obj_to_nlattr  = dccp_timeout_obj_to_nlattr,
@@ -897,7 +904,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6 = {
                .obj_size       = sizeof(unsigned int) * CT_DCCP_MAX,
                .nla_policy     = dccp_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
        .init_net               = dccp_init_net,
        .get_net_proto          = dccp_get_net_proto,
 };
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index ac4a0b296dcd..1df3244ecd07 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -70,7 +70,7 @@ static bool generic_new(struct nf_conn *ct, const struct sk_buff *skb,
        return ret;
 }
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -113,7 +113,7 @@ static const struct nla_policy
 generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = {
        [CTA_TIMEOUT_GENERIC_TIMEOUT]   = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 #ifdef CONFIG_SYSCTL
 static struct ctl_table generic_sysctl_table[] = {
@@ -164,7 +164,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_generic =
        .pkt_to_tuple           = generic_pkt_to_tuple,
        .packet                 = generic_packet,
        .new                    = generic_new,
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout           = {
                .nlattr_to_obj  = generic_timeout_nlattr_to_obj,
                .obj_to_nlattr  = generic_timeout_obj_to_nlattr,
@@ -172,7 +172,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_generic =
                .obj_size       = sizeof(unsigned int),
                .nla_policy     = generic_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
        .init_net               = generic_init_net,
        .get_net_proto          = generic_get_net_proto,
 };
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index d1632252bf5b..650eb4fba2c5 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -285,7 +285,7 @@ static void gre_destroy(struct nf_conn *ct)
                nf_ct_gre_keymap_destroy(master);
 }
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -334,7 +334,7 @@ gre_timeout_nla_policy[CTA_TIMEOUT_GRE_MAX+1] = {
        [CTA_TIMEOUT_GRE_UNREPLIED]     = { .type = NLA_U32 },
        [CTA_TIMEOUT_GRE_REPLIED]       = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 static int gre_init_net(struct net *net, u_int16_t proto)
 {
@@ -367,7 +367,7 @@ static const struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 = {
        .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
        .nla_policy      = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout    = {
                .nlattr_to_obj  = gre_timeout_nlattr_to_obj,
                .obj_to_nlattr  = gre_timeout_obj_to_nlattr,
@@ -375,7 +375,7 @@ static const struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 = {
                .obj_size       = sizeof(unsigned int) * GRE_CT_MAX,
                .nla_policy     = gre_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
        .net_id         = &proto_gre_net_id,
        .init_net       = gre_init_net,
 };
diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c
index 036670b38282..43c7e1a217b9 100644
--- a/net/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/netfilter/nf_conntrack_proto_icmp.c
@@ -273,7 +273,7 @@ static unsigned int icmp_nlattr_tuple_size(void)
 }
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -313,7 +313,7 @@ static const struct nla_policy
 icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = {
        [CTA_TIMEOUT_ICMP_TIMEOUT]      = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 #ifdef CONFIG_SYSCTL
 static struct ctl_table icmp_sysctl_table[] = {
@@ -374,7 +374,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
        .nlattr_to_tuple        = icmp_nlattr_to_tuple,
        .nla_policy             = icmp_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout           = {
                .nlattr_to_obj  = icmp_timeout_nlattr_to_obj,
                .obj_to_nlattr  = icmp_timeout_obj_to_nlattr,
@@ -382,7 +382,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
                .obj_size       = sizeof(unsigned int),
                .nla_policy     = icmp_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
        .init_net               = icmp_init_net,
        .get_net_proto          = icmp_get_net_proto,
 };
diff --git a/net/netfilter/nf_conntrack_proto_icmpv6.c b/net/netfilter/nf_conntrack_proto_icmpv6.c
index bed07b998a10..97e40f77d678 100644
--- a/net/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/netfilter/nf_conntrack_proto_icmpv6.c
@@ -274,7 +274,7 @@ static unsigned int icmpv6_nlattr_tuple_size(void)
 }
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -314,7 +314,7 @@ static const struct nla_policy
 icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = {
        [CTA_TIMEOUT_ICMPV6_TIMEOUT]    = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 #ifdef CONFIG_SYSCTL
 static struct ctl_table icmpv6_sysctl_table[] = {
@@ -373,7 +373,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 =
        .nlattr_to_tuple        = icmpv6_nlattr_to_tuple,
        .nla_policy             = icmpv6_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout           = {
                .nlattr_to_obj  = icmpv6_timeout_nlattr_to_obj,
                .obj_to_nlattr  = icmpv6_timeout_obj_to_nlattr,
@@ -381,7 +381,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 =
                .obj_size       = sizeof(unsigned int),
                .nla_policy     = icmpv6_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
        .init_net               = icmpv6_init_net,
        .get_net_proto          = icmpv6_get_net_proto,
 };
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 8d1e085fc14a..e4d738d34cd0 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -591,7 +591,7 @@ static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
 }
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -613,6 +613,8 @@ static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[],
                        timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ;
                }
        }
+        timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED];
        return 0;
 }
@@ -644,7 +646,7 @@ sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = {
        [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT]       = { .type = NLA_U32 },
        [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED]      = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 #ifdef CONFIG_SYSCTL
@@ -743,6 +745,11 @@ static int sctp_init_net(struct net *net, u_int16_t proto)
                for (i = 0; i < SCTP_CONNTRACK_MAX; i++)
                        sn->timeouts[i] = sctp_timeouts[i];
+                /* timeouts[0] is unused, init it so ->timeouts[0] contains
+                 * 'new' timeout, like udp or icmp.
+                 */
+                sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED];
        }
        return sctp_kmemdup_sysctl_table(pn, sn);
@@ -773,7 +780,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = {
        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
        .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout           = {
                .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
                .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
@@ -781,7 +788,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = {
                .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
                .nla_policy     = sctp_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
        .init_net               = sctp_init_net,
        .get_net_proto          = sctp_get_net_proto,
 };
@@ -806,7 +813,8 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 = {
        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
        .nlattr_to_tuple        = nf_ct_port_nlattr_to_tuple,
        .nla_policy             = nf_ct_port_nla_policy,
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#endif
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout           = {
                .nlattr_to_obj  = sctp_timeout_nlattr_to_obj,
                .obj_to_nlattr  = sctp_timeout_obj_to_nlattr,
@@ -814,8 +822,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 = {
                .obj_size       = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
                .nla_policy     = sctp_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
-#endif
        .init_net               = sctp_init_net,
        .get_net_proto          = sctp_get_net_proto,
 };
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index d80d322b9d8b..b4bdf9eda7b7 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1279,7 +1279,7 @@ static unsigned int tcp_nlattr_tuple_size(void)
 }
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -1301,6 +1301,7 @@ static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[],
                timeouts[TCP_CONNTRACK_SYN_SENT] =
                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_SENT]))*HZ;
        }
        if (tb[CTA_TIMEOUT_TCP_SYN_RECV]) {
                timeouts[TCP_CONNTRACK_SYN_RECV] =
                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_RECV]))*HZ;
@@ -1341,6 +1342,8 @@ static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[],
                timeouts[TCP_CONNTRACK_UNACK] =
                        ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_UNACK]))*HZ;
        }
+        timeouts[CTA_TIMEOUT_TCP_UNSPEC] = timeouts[CTA_TIMEOUT_TCP_SYN_SENT];
        return 0;
 }
@@ -1391,7 +1394,7 @@ static const struct nla_policy tcp_timeout_nla_policy[CTA_TIMEOUT_TCP_MAX+1] = {
        [CTA_TIMEOUT_TCP_RETRANS]       = { .type = NLA_U32 },
        [CTA_TIMEOUT_TCP_UNACK]         = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 #ifdef CONFIG_SYSCTL
 static struct ctl_table tcp_sysctl_table[] = {
@@ -1518,6 +1521,10 @@ static int tcp_init_net(struct net *net, u_int16_t proto)
                for (i = 0; i < TCP_CONNTRACK_TIMEOUT_MAX; i++)
                        tn->timeouts[i] = tcp_timeouts[i];
+                /* timeouts[0] is unused, make it same as SYN_SENT so
+                 * ->timeouts[0] contains 'new' timeout, like udp or icmp.
+                 */
+                tn->timeouts[0] = tcp_timeouts[TCP_CONNTRACK_SYN_SENT];
                tn->tcp_loose = nf_ct_tcp_loose;
                tn->tcp_be_liberal = nf_ct_tcp_be_liberal;
                tn->tcp_max_retrans = nf_ct_tcp_max_retrans;
@@ -1551,7 +1558,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 =
        .nlattr_size            = TCP_NLATTR_SIZE,
        .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout           = {
                .nlattr_to_obj  = tcp_timeout_nlattr_to_obj,
                .obj_to_nlattr  = tcp_timeout_obj_to_nlattr,
@@ -1560,7 +1567,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 =
                                        TCP_CONNTRACK_TIMEOUT_MAX,
                .nla_policy     = tcp_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
        .init_net               = tcp_init_net,
        .get_net_proto          = tcp_get_net_proto,
 };
@@ -1586,7 +1593,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 =
        .nlattr_tuple_size      = tcp_nlattr_tuple_size,
        .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout           = {
                .nlattr_to_obj  = tcp_timeout_nlattr_to_obj,
                .obj_to_nlattr  = tcp_timeout_obj_to_nlattr,
@@ -1595,7 +1602,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 =
                                        TCP_CONNTRACK_TIMEOUT_MAX,
                .nla_policy     = tcp_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
        .init_net               = tcp_init_net,
        .get_net_proto          = tcp_get_net_proto,
 };
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 7a1b8988a931..3065fb8ef91b 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -171,7 +171,7 @@ static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
        return NF_ACCEPT;
 }
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_cttimeout.h>
@@ -221,7 +221,7 @@ udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = {
       [CTA_TIMEOUT_UDP_UNREPLIED]      = { .type = NLA_U32 },
       [CTA_TIMEOUT_UDP_REPLIED]        = { .type = NLA_U32 },
 };
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
 #ifdef CONFIG_SYSCTL
 static struct ctl_table udp_sysctl_table[] = {
@@ -292,7 +292,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 =
        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
        .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout           = {
                .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
                .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
@@ -300,7 +300,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 =
                .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
                .nla_policy     = udp_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
        .init_net               = udp_init_net,
        .get_net_proto          = udp_get_net_proto,
 };
@@ -321,7 +321,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 =
        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
        .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout           = {
                .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
                .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
@@ -329,7 +329,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 =
                .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
                .nla_policy     = udp_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
        .init_net               = udp_init_net,
        .get_net_proto          = udp_get_net_proto,
 };
@@ -350,7 +350,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 =
        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
        .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout           = {
                .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
                .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
@@ -358,7 +358,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 =
                .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
                .nla_policy     = udp_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
        .init_net               = udp_init_net,
        .get_net_proto          = udp_get_net_proto,
 };
@@ -379,7 +379,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 =
        .nlattr_tuple_size      = nf_ct_port_nlattr_tuple_size,
        .nla_policy             = nf_ct_port_nla_policy,
 #endif
-#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
+#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        .ctnl_timeout           = {
                .nlattr_to_obj  = udp_timeout_nlattr_to_obj,
                .obj_to_nlattr  = udp_timeout_obj_to_nlattr,
@@ -387,10 +387,9 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 =
                .obj_size       = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
                .nla_policy     = udp_timeout_nla_policy,
        },
-#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
+#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
        .init_net               = udp_init_net,
        .get_net_proto          = udp_get_net_proto,
 };
 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite6);
 #endif
-#include <net/netfilter/nf_conntrack_timeout.h>
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 1dca5683f59f..2cfb173cd0b2 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4637,6 +4637,7 @@ static int nft_flush_set(const struct nft_ctx *ctx,
        }
        set->ndeact++;
+        nft_set_elem_deactivate(ctx->net, set, elem);
        nft_trans_elem_set(trans) = set;
        nft_trans_elem(trans) = *elem;
        list_add_tail(&trans->list, &ctx->net->nft.commit_list);
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index d46a236cdf31..a30f8ba4b89a 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -489,8 +489,8 @@ err:
        return err;
 }
-static struct ctnl_timeout *
+static struct nf_ct_timeout *ctnl_timeout_find_get(struct net *net,
-ctnl_timeout_find_get(struct net *net, const char *name)
+                                                   const char *name)
 {
        struct ctnl_timeout *timeout, *matching = NULL;
@@ -509,7 +509,7 @@ ctnl_timeout_find_get(struct net *net, const char *name)
                break;
        }
 err:
-        return matching;
+        return matching ? &matching->timeout : NULL;
 }
 static void ctnl_timeout_put(struct nf_ct_timeout *t)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index ea4ba551abb2..d33094f4ec41 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -233,6 +233,7 @@ static void nfqnl_reinject(struct nf_queue_entry *entry, unsigned int verdict)
        int err;
        if (verdict == NF_ACCEPT ||
+            verdict == NF_REPEAT ||
            verdict == NF_STOP) {
                rcu_read_lock();
                ct_hook = rcu_dereference(nf_ct_hook);
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 26a8baebd072..5dd87748afa8 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -799,7 +799,7 @@ err:
 }
 struct nft_ct_timeout_obj {
-        struct nf_conn          *tmpl;
+        struct nf_ct_timeout    *timeout;
        u8                      l4proto;
 };
@@ -809,26 +809,42 @@ static void nft_ct_timeout_obj_eval(struct nft_object *obj,
 {
        const struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
        struct nf_conn *ct = (struct nf_conn *)skb_nfct(pkt->skb);
-        struct sk_buff *skb = pkt->skb;
+        struct nf_conn_timeout *timeout;
+        const unsigned int *values;
+        if (priv->l4proto != pkt->tprot)
+                return;
-        if (ct ||
+        if (!ct || nf_ct_is_template(ct) || nf_ct_is_confirmed(ct))
-            priv->l4proto != pkt->tprot)
                return;
-        nf_ct_set(skb, priv->tmpl, IP_CT_NEW);
+        timeout = nf_ct_timeout_find(ct);
+        if (!timeout) {
+                timeout = nf_ct_timeout_ext_add(ct, priv->timeout, GFP_ATOMIC);
+                if (!timeout) {
+                        regs->verdict.code = NF_DROP;
+                        return;
+                }
+        }
+        rcu_assign_pointer(timeout->timeout, priv->timeout);
+        /* adjust the timeout as per 'new' state. ct is unconfirmed,
+         * so the current timestamp must not be added.
+         */
+        values = nf_ct_timeout_data(timeout);
+        if (values)
+                nf_ct_refresh(ct, pkt->skb, values[0]);
 }
 static int nft_ct_timeout_obj_init(const struct nft_ctx *ctx,
                                   const struct nlattr * const tb[],
                                   struct nft_object *obj)
 {
-        const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
        struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
        const struct nf_conntrack_l4proto *l4proto;
-        struct nf_conn_timeout *timeout_ext;
        struct nf_ct_timeout *timeout;
        int l3num = ctx->family;
-        struct nf_conn *tmpl;
        __u8 l4num;
        int ret;
@@ -863,28 +879,14 @@ static int nft_ct_timeout_obj_init(const struct nft_ctx *ctx,
        timeout->l3num = l3num;
        timeout->l4proto = l4proto;
-        tmpl = nf_ct_tmpl_alloc(ctx->net, zone, GFP_ATOMIC);
-        if (!tmpl) {
-                ret = -ENOMEM;
-                goto err_free_timeout;
-        }
-        timeout_ext = nf_ct_timeout_ext_add(tmpl, timeout, GFP_ATOMIC);
-        if (!timeout_ext) {
-                ret = -ENOMEM;
-                goto err_free_tmpl;
-        }
        ret = nf_ct_netns_get(ctx->net, ctx->family);
        if (ret < 0)
-                goto err_free_tmpl;
+                goto err_free_timeout;
-        priv->tmpl = tmpl;
+        priv->timeout = timeout;
        return 0;
-err_free_tmpl:
-        nf_ct_tmpl_free(tmpl);
 err_free_timeout:
        kfree(timeout);
 err_proto_put:
@@ -896,22 +898,19 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
                                       struct nft_object *obj)
 {
        struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
-        struct nf_conn_timeout *t = nf_ct_timeout_find(priv->tmpl);
+        struct nf_ct_timeout *timeout = priv->timeout;
-        struct nf_ct_timeout *timeout;
-        timeout = rcu_dereference_raw(t->timeout);
        nf_ct_untimeout(ctx->net, timeout);
        nf_ct_l4proto_put(timeout->l4proto);
        nf_ct_netns_put(ctx->net, ctx->family);
-        nf_ct_tmpl_free(priv->tmpl);
+        kfree(priv->timeout);
 }
 static int nft_ct_timeout_obj_dump(struct sk_buff *skb,
                                   struct nft_object *obj, bool reset)
 {
        const struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
-        const struct nf_conn_timeout *t = nf_ct_timeout_find(priv->tmpl);
+        const struct nf_ct_timeout *timeout = priv->timeout;
-        const struct nf_ct_timeout *timeout = rcu_dereference_raw(t->timeout);
        struct nlattr *nest_params;
        int ret;
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c
index 9f4151ec3e06..6c7aa6a0a0d2 100644
--- a/net/netfilter/xt_CHECKSUM.c
+++ b/net/netfilter/xt_CHECKSUM.c
@@ -16,6 +16,9 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_CHECKSUM.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv6/ip6_tables.h>
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>");
 MODULE_DESCRIPTION("Xtables: checksum modification");
@@ -25,7 +28,7 @@ MODULE_ALIAS("ip6t_CHECKSUM");
 static unsigned int
 checksum_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-        if (skb->ip_summed == CHECKSUM_PARTIAL)
+        if (skb->ip_summed == CHECKSUM_PARTIAL && !skb_is_gso(skb))
                skb_checksum_help(skb);
        return XT_CONTINUE;
@@ -34,6 +37,8 @@ checksum_tg(struct sk_buff *skb, const struct xt_action_param *par)
 static int checksum_tg_check(const struct xt_tgchk_param *par)
 {
        const struct xt_CHECKSUM_info *einfo = par->targinfo;
+        const struct ip6t_ip6 *i6 = par->entryinfo;
+        const struct ipt_ip *i4 = par->entryinfo;
        if (einfo->operation & ~XT_CHECKSUM_OP_FILL) {
                pr_info_ratelimited("unsupported CHECKSUM operation %x\n",
@@ -43,6 +48,21 @@ static int checksum_tg_check(const struct xt_tgchk_param *par)
        if (!einfo->operation)
                return -EINVAL;
+        switch (par->family) {
+        case NFPROTO_IPV4:
+                if (i4->proto == IPPROTO_UDP &&
+                    (i4->invflags & XT_INV_PROTO) == 0)
+                        return 0;
+                break;
+        case NFPROTO_IPV6:
+                if ((i6->flags & IP6T_F_PROTO) &&
+                    i6->proto == IPPROTO_UDP &&
+                    (i6->invflags & XT_INV_PROTO) == 0)
+                        return 0;
+                break;
+        }
+        pr_warn_once("CHECKSUM should be avoided.  If really needed, restrict with \"-p udp\" and only use in OUTPUT\n");
        return 0;
 }
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c
index dfbdbb2fc0ed..51d0c257e7a5 100644
--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -125,6 +125,7 @@ xt_cluster_mt(const struct sk_buff *skb, struct xt_action_param *par)
 static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
 {
        struct xt_cluster_match_info *info = par->matchinfo;
+        int ret;
        if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
                pr_info_ratelimited("you have exceeded the maximum number of cluster nodes (%u > %u)\n",
@@ -135,7 +136,17 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
                pr_info_ratelimited("node mask cannot exceed total number of nodes\n");
                return -EDOM;
        }
-        return 0;
+        ret = nf_ct_netns_get(par->net, par->family);
+        if (ret < 0)
+                pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
+                                    par->family);
+        return ret;
+}
+static void xt_cluster_mt_destroy(const struct xt_mtdtor_param *par)
+{
+        nf_ct_netns_put(par->net, par->family);
 }
 static struct xt_match xt_cluster_match __read_mostly = {
@@ -144,6 +155,7 @@ static struct xt_match xt_cluster_match __read_mostly = {
        .match          = xt_cluster_mt,
        .checkentry     = xt_cluster_mt_checkentry,
        .matchsize      = sizeof(struct xt_cluster_match_info),
+        .destroy        = xt_cluster_mt_destroy,
        .me             = THIS_MODULE,
 };
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 9b16402f29af..3e7d259e5d8d 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -1057,7 +1057,7 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = {
 static void *dl_seq_start(struct seq_file *s, loff_t *pos)
        __acquires(htable->lock)
 {
-        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
        unsigned int *bucket;
        spin_lock_bh(&htable->lock);
@@ -1074,7 +1074,7 @@ static void *dl_seq_start(struct seq_file *s, loff_t *pos)
 static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos)
 {
-        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
        unsigned int *bucket = v;
        *pos = ++(*bucket);
@@ -1088,7 +1088,7 @@ static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos)
 static void dl_seq_stop(struct seq_file *s, void *v)
        __releases(htable->lock)
 {
-        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
        unsigned int *bucket = v;
        if (!IS_ERR(bucket))
@@ -1130,7 +1130,7 @@ static void dl_seq_print(struct dsthash_ent *ent, u_int8_t family,
 static int dl_seq_real_show_v2(struct dsthash_ent *ent, u_int8_t family,
                               struct seq_file *s)
 {
-        struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
        spin_lock(&ent->lock);
        /* recalculate to show accurate numbers */
@@ -1145,7 +1145,7 @@ static int dl_seq_real_show_v2(struct dsthash_ent *ent, u_int8_t family,
 static int dl_seq_real_show_v1(struct dsthash_ent *ent, u_int8_t family,
                               struct seq_file *s)
 {
-        struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
        spin_lock(&ent->lock);
        /* recalculate to show accurate numbers */
@@ -1160,7 +1160,7 @@ static int dl_seq_real_show_v1(struct dsthash_ent *ent, u_int8_t family,
 static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
                            struct seq_file *s)
 {
-        struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file));
        spin_lock(&ent->lock);
        /* recalculate to show accurate numbers */
@@ -1174,7 +1174,7 @@ static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
 static int dl_seq_show_v2(struct seq_file *s, void *v)
 {
-        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
        unsigned int *bucket = (unsigned int *)v;
        struct dsthash_ent *ent;
@@ -1188,7 +1188,7 @@ static int dl_seq_show_v2(struct seq_file *s, void *v)
 static int dl_seq_show_v1(struct seq_file *s, void *v)
 {
-        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
        unsigned int *bucket = v;
        struct dsthash_ent *ent;
@@ -1202,7 +1202,7 @@ static int dl_seq_show_v1(struct seq_file *s, void *v)
 static int dl_seq_show(struct seq_file *s, void *v)
 {
-        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private));
+        struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file));
        unsigned int *bucket = v;
        struct dsthash_ent *ent;
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 5610061e7f2e..75c92a87e7b2 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4137,36 +4137,52 @@ static const struct vm_operations_struct packet_mmap_ops = {
        .close  =       packet_mm_close,
 };
-static void free_pg_vec(struct pgv *pg_vec, unsigned int len)
+static void free_pg_vec(struct pgv *pg_vec, unsigned int order,
+                        unsigned int len)
 {
        int i;
        for (i = 0; i < len; i++) {
                if (likely(pg_vec[i].buffer)) {
-                        kvfree(pg_vec[i].buffer);
+                        if (is_vmalloc_addr(pg_vec[i].buffer))
+                                vfree(pg_vec[i].buffer);
+                        else
+                                free_pages((unsigned long)pg_vec[i].buffer,
+                                           order);
                        pg_vec[i].buffer = NULL;
                }
        }
        kfree(pg_vec);
 }
-static char *alloc_one_pg_vec_page(unsigned long size)
+static char *alloc_one_pg_vec_page(unsigned long order)
 {
        char *buffer;
+        gfp_t gfp_flags = GFP_KERNEL | __GFP_COMP |
+                          __GFP_ZERO | __GFP_NOWARN | __GFP_NORETRY;
-        buffer = kvzalloc(size, GFP_KERNEL);
+        buffer = (char *) __get_free_pages(gfp_flags, order);
        if (buffer)
                return buffer;
-        buffer = kvzalloc(size, GFP_KERNEL | __GFP_RETRY_MAYFAIL);
+        /* __get_free_pages failed, fall back to vmalloc */
+        buffer = vzalloc(array_size((1 << order), PAGE_SIZE));
+        if (buffer)
+                return buffer;
-        return buffer;
+        /* vmalloc failed, lets dig into swap here */
+        gfp_flags &= ~__GFP_NORETRY;
+        buffer = (char *) __get_free_pages(gfp_flags, order);
+        if (buffer)
+                return buffer;
+        /* complete and utter failure */
+        return NULL;
 }
-static struct pgv *alloc_pg_vec(struct tpacket_req *req)
+static struct pgv *alloc_pg_vec(struct tpacket_req *req, int order)
 {
        unsigned int block_nr = req->tp_block_nr;
-        unsigned long size = req->tp_block_size;
        struct pgv *pg_vec;
        int i;
@@ -4175,7 +4191,7 @@ static struct pgv *alloc_pg_vec(struct tpacket_req *req)
                goto out;
        for (i = 0; i < block_nr; i++) {
-                pg_vec[i].buffer = alloc_one_pg_vec_page(size);
+                pg_vec[i].buffer = alloc_one_pg_vec_page(order);
                if (unlikely(!pg_vec[i].buffer))
                        goto out_free_pgvec;
        }
@@ -4184,7 +4200,7 @@ out:
        return pg_vec;
 out_free_pgvec:
-        free_pg_vec(pg_vec, block_nr);
+        free_pg_vec(pg_vec, order, block_nr);
        pg_vec = NULL;
        goto out;
 }
@@ -4194,9 +4210,9 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 {
        struct pgv *pg_vec = NULL;
        struct packet_sock *po = pkt_sk(sk);
+        int was_running, order = 0;
        struct packet_ring_buffer *rb;
        struct sk_buff_head *rb_queue;
-        int was_running;
        __be16 num;
        int err = -EINVAL;
        /* Added to avoid minimal code churn */
@@ -4258,7 +4274,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
                        goto out;
                err = -ENOMEM;
-                pg_vec = alloc_pg_vec(req);
+                order = get_order(req->tp_block_size);
+                pg_vec = alloc_pg_vec(req, order);
                if (unlikely(!pg_vec))
                        goto out;
                switch (po->tp_version) {
@@ -4312,6 +4329,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
                rb->frame_size = req->tp_frame_size;
                spin_unlock_bh(&rb_queue->lock);
+                swap(rb->pg_vec_order, order);
                swap(rb->pg_vec_len, req->tp_block_nr);
                rb->pg_vec_pages = req->tp_block_size/PAGE_SIZE;
@@ -4337,7 +4355,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
        }
        if (pg_vec)
-                free_pg_vec(pg_vec, req->tp_block_nr);
+                free_pg_vec(pg_vec, order, req->tp_block_nr);
 out:
        return err;
 }
diff --git a/net/packet/internal.h b/net/packet/internal.h
index 8f50036f62f0..3bb7c5fb3bff 100644
--- a/net/packet/internal.h
+++ b/net/packet/internal.h
@@ -64,6 +64,7 @@ struct packet_ring_buffer {
        unsigned int            frame_size;
        unsigned int            frame_max;
+        unsigned int            pg_vec_order;
        unsigned int            pg_vec_pages;
        unsigned int            pg_vec_len;
diff --git a/net/rds/Kconfig b/net/rds/Kconfig
index 01b3bd6a3708..b9092111bc45 100644
--- a/net/rds/Kconfig
+++ b/net/rds/Kconfig
@@ -1,6 +1,6 @@
 config RDS
-        tristate "The RDS Protocol"
+        tristate "The Reliable Datagram Sockets Protocol"
        depends on INET
        ---help---
          The RDS (Reliable Datagram Sockets) protocol provides reliable,
diff --git a/net/rds/bind.c b/net/rds/bind.c
index 3ab55784b637..762d2c6788a3 100644
--- a/net/rds/bind.c
+++ b/net/rds/bind.c
@@ -76,11 +76,13 @@ struct rds_sock *rds_find_bound(const struct in6_addr *addr, __be16 port,
        struct rds_sock *rs;
        __rds_create_bind_key(key, addr, port, scope_id);
-        rs = rhashtable_lookup_fast(&bind_hash_table, key, ht_parms);
+        rcu_read_lock();
+        rs = rhashtable_lookup(&bind_hash_table, key, ht_parms);
        if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))
                rds_sock_addref(rs);
        else
                rs = NULL;
+        rcu_read_unlock();
        rdsdebug("returning rs %p for %pI6c:%u\n", rs, addr,
                 ntohs(port));
@@ -235,6 +237,7 @@ int rds_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
                goto out;
        }
+        sock_set_flag(sk, SOCK_RCU_FREE);
        ret = rds_add_bound(rs, binding_addr, &port, scope_id);
        if (ret)
                goto out;
diff --git a/net/rds/ib.c b/net/rds/ib.c
index c1d97640c0be..eba75c1ba359 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -341,15 +341,10 @@ static int rds6_ib_conn_info_visitor(struct rds_connection *conn,
        if (rds_conn_state(conn) == RDS_CONN_UP) {
                struct rds_ib_device *rds_ibdev;
-                struct rdma_dev_addr *dev_addr;
                ic = conn->c_transport_data;
-                dev_addr = &ic->i_cm_id->route.addr.dev_addr;
+                rdma_read_gids(ic->i_cm_id, (union ib_gid *)&iinfo6->src_gid,
-                rdma_addr_get_sgid(dev_addr,
+                               (union ib_gid *)&iinfo6->dst_gid);
-                                   (union ib_gid *)&iinfo6->src_gid);
-                rdma_addr_get_dgid(dev_addr,
-                                   (union ib_gid *)&iinfo6->dst_gid);
                rds_ibdev = ic->rds_ibdev;
                iinfo6->max_send_wr = ic->i_send_ring.w_nr;
                iinfo6->max_recv_wr = ic->i_recv_ring.w_nr;
diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c
index 00192a996be0..0f8465852254 100644
--- a/net/rfkill/rfkill-gpio.c
+++ b/net/rfkill/rfkill-gpio.c
@@ -20,6 +20,7 @@
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
+#include <linux/mod_devicetable.h>
 #include <linux/rfkill.h>
 #include <linux/platform_device.h>
 #include <linux/clk.h>
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index db83dac1e7f4..e12f8ef7baa4 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -662,6 +662,13 @@ int tcf_action_destroy(struct tc_action *actions[], int bind)
        return ret;
 }
+static int tcf_action_destroy_1(struct tc_action *a, int bind)
+{
+        struct tc_action *actions[] = { a, NULL };
+        return tcf_action_destroy(actions, bind);
+}
 static int tcf_action_put(struct tc_action *p)
 {
        return __tcf_action_put(p, false);
@@ -881,17 +888,16 @@ struct tc_action *tcf_action_init_1(struct net *net, struct tcf_proto *tp,
        if (TC_ACT_EXT_CMP(a->tcfa_action, TC_ACT_GOTO_CHAIN)) {
                err = tcf_action_goto_chain_init(a, tp);
                if (err) {
-                        struct tc_action *actions[] = { a, NULL };
+                        tcf_action_destroy_1(a, bind);
-                        tcf_action_destroy(actions, bind);
                        NL_SET_ERR_MSG(extack, "Failed to init TC action chain");
                        return ERR_PTR(err);
                }
        }
        if (!tcf_action_valid(a->tcfa_action)) {
-                NL_SET_ERR_MSG(extack, "invalid action value, using TC_ACT_UNSPEC instead");
+                tcf_action_destroy_1(a, bind);
-                a->tcfa_action = TC_ACT_UNSPEC;
+                NL_SET_ERR_MSG(extack, "Invalid control action value");
+                return ERR_PTR(-EINVAL);
        }
        return a;
@@ -1173,6 +1179,7 @@ static int tcf_action_delete(struct net *net, struct tc_action *actions[])
                struct tcf_idrinfo *idrinfo = a->idrinfo;
                u32 act_index = a->tcfa_index;
+                actions[i] = NULL;
                if (tcf_action_put(a)) {
                        /* last reference, action was deleted concurrently */
                        module_put(ops->owner);
@@ -1184,7 +1191,6 @@ static int tcf_action_delete(struct net *net, struct tc_action *actions[])
                        if (ret < 0)
                                return ret;
                }
-                actions[i] = NULL;
        }
        return 0;
 }
diff --git a/net/sched/act_ife.c b/net/sched/act_ife.c
index 196430aefe87..06a3d4801878 100644
--- a/net/sched/act_ife.c
+++ b/net/sched/act_ife.c
@@ -326,6 +326,20 @@ static int __add_metainfo(const struct tcf_meta_ops *ops,
        return ret;
 }
+static int add_metainfo_and_get_ops(const struct tcf_meta_ops *ops,
+                                    struct tcf_ife_info *ife, u32 metaid,
+                                    bool exists)
+{
+        int ret;
+        if (!try_module_get(ops->owner))
+                return -ENOENT;
+        ret = __add_metainfo(ops, ife, metaid, NULL, 0, true, exists);
+        if (ret)
+                module_put(ops->owner);
+        return ret;
+}
 static int add_metainfo(struct tcf_ife_info *ife, u32 metaid, void *metaval,
                        int len, bool exists)
 {
@@ -349,7 +363,7 @@ static int use_all_metadata(struct tcf_ife_info *ife, bool exists)
        read_lock(&ife_mod_lock);
        list_for_each_entry(o, &ifeoplist, list) {
-                rc = __add_metainfo(o, ife, o->metaid, NULL, 0, true, exists);
+                rc = add_metainfo_and_get_ops(o, ife, o->metaid, exists);
                if (rc == 0)
                        installed += 1;
        }
@@ -400,7 +414,6 @@ static void _tcf_ife_cleanup(struct tc_action *a)
        struct tcf_meta_info *e, *n;
        list_for_each_entry_safe(e, n, &ife->metalist, metalist) {
-                module_put(e->ops->owner);
                list_del(&e->metalist);
                if (e->metaval) {
                        if (e->ops->release)
@@ -408,6 +421,7 @@ static void _tcf_ife_cleanup(struct tc_action *a)
                        else
                                kfree(e->metaval);
                }
+                module_put(e->ops->owner);
                kfree(e);
        }
 }
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index 107034070019..ad99a99f11f6 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -109,16 +109,18 @@ static int tcf_pedit_key_ex_dump(struct sk_buff *skb,
 {
        struct nlattr *keys_start = nla_nest_start(skb, TCA_PEDIT_KEYS_EX);
+        if (!keys_start)
+                goto nla_failure;
        for (; n > 0; n--) {
                struct nlattr *key_start;
                key_start = nla_nest_start(skb, TCA_PEDIT_KEY_EX);
+                if (!key_start)
+                        goto nla_failure;
                if (nla_put_u16(skb, TCA_PEDIT_KEY_EX_HTYPE, keys_ex->htype) ||
-                    nla_put_u16(skb, TCA_PEDIT_KEY_EX_CMD, keys_ex->cmd)) {
+                    nla_put_u16(skb, TCA_PEDIT_KEY_EX_CMD, keys_ex->cmd))
-                        nlmsg_trim(skb, keys_start);
+                        goto nla_failure;
-                        return -EINVAL;
-                }
                nla_nest_end(skb, key_start);
@@ -128,6 +130,9 @@ static int tcf_pedit_key_ex_dump(struct sk_buff *skb,
        nla_nest_end(skb, keys_start);
        return 0;
+nla_failure:
+        nla_nest_cancel(skb, keys_start);
+        return -EINVAL;
 }
 static int tcf_pedit_init(struct net *net, struct nlattr *nla,
@@ -418,7 +423,10 @@ static int tcf_pedit_dump(struct sk_buff *skb, struct tc_action *a,
        opt->bindcnt = atomic_read(&p->tcf_bindcnt) - bind;
        if (p->tcfp_keys_ex) {
-                tcf_pedit_key_ex_dump(skb, p->tcfp_keys_ex, p->tcfp_nkeys);
+                if (tcf_pedit_key_ex_dump(skb,
+                                          p->tcfp_keys_ex,
+                                          p->tcfp_nkeys))
+                        goto nla_put_failure;
                if (nla_put(skb, TCA_PEDIT_PARMS_EX, s, opt))
                        goto nla_put_failure;
diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c
index 420759153d5f..681f6f04e7da 100644
--- a/net/sched/act_tunnel_key.c
+++ b/net/sched/act_tunnel_key.c
@@ -317,7 +317,7 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
                                                  &metadata->u.tun_info,
                                                  opts_len, extack);
                        if (ret < 0)
-                                goto err_out;
+                                goto release_tun_meta;
                }
                metadata->u.tun_info.mode |= IP_TUNNEL_INFO_TX;
@@ -333,23 +333,24 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
                                     &act_tunnel_key_ops, bind, true);
                if (ret) {
                        NL_SET_ERR_MSG(extack, "Cannot create TC IDR");
-                        goto err_out;
+                        goto release_tun_meta;
                }
                ret = ACT_P_CREATED;
        } else if (!ovr) {
-                tcf_idr_release(*a, bind);
                NL_SET_ERR_MSG(extack, "TC IDR already exists");
-                return -EEXIST;
+                ret = -EEXIST;
+                goto release_tun_meta;
        }
        t = to_tunnel_key(*a);
        params_new = kzalloc(sizeof(*params_new), GFP_KERNEL);
        if (unlikely(!params_new)) {
-                tcf_idr_release(*a, bind);
                NL_SET_ERR_MSG(extack, "Cannot allocate tunnel key parameters");
-                return -ENOMEM;
+                ret = -ENOMEM;
+                exists = true;
+                goto release_tun_meta;
        }
        params_new->tcft_action = parm->t_action;
        params_new->tcft_enc_metadata = metadata;
@@ -367,6 +368,9 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
        return ret;
+release_tun_meta:
+        dst_release(&metadata->dst);
 err_out:
        if (exists)
                tcf_idr_release(*a, bind);
@@ -408,8 +412,10 @@ static int tunnel_key_geneve_opts_dump(struct sk_buff *skb,
                    nla_put_u8(skb, TCA_TUNNEL_KEY_ENC_OPT_GENEVE_TYPE,
                               opt->type) ||
                    nla_put(skb, TCA_TUNNEL_KEY_ENC_OPT_GENEVE_DATA,
-                            opt->length * 4, opt + 1))
+                            opt->length * 4, opt + 1)) {
+                        nla_nest_cancel(skb, start);
                        return -EMSGSIZE;
+                }
                len -= sizeof(struct geneve_opt) + opt->length * 4;
                src += sizeof(struct geneve_opt) + opt->length * 4;
@@ -423,7 +429,7 @@ static int tunnel_key_opts_dump(struct sk_buff *skb,
                                const struct ip_tunnel_info *info)
 {
        struct nlattr *start;
-        int err;
+        int err = -EINVAL;
        if (!info->options_len)
                return 0;
@@ -435,9 +441,11 @@ static int tunnel_key_opts_dump(struct sk_buff *skb,
        if (info->key.tun_flags & TUNNEL_GENEVE_OPT) {
                err = tunnel_key_geneve_opts_dump(skb, info);
                if (err)
-                        return err;
+                        goto err_out;
        } else {
-                return -EINVAL;
+err_out:
+                nla_nest_cancel(skb, start);
+                return err;
        }
        nla_nest_end(skb, start);
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 31bd1439cf60..1a67af8a6e8c 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -1252,7 +1252,7 @@ replay:
        }
        chain = tcf_chain_get(block, chain_index, true);
        if (!chain) {
-                NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
+                NL_SET_ERR_MSG(extack, "Cannot create specified filter chain");
                err = -ENOMEM;
                goto errout;
        }
@@ -1399,7 +1399,7 @@ static int tc_del_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
                        goto errout;
                }
                NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
-                err = -EINVAL;
+                err = -ENOENT;
                goto errout;
        }
diff --git a/net/sctp/proc.c b/net/sctp/proc.c
index ef5c9a82d4e8..a644292f9faf 100644
--- a/net/sctp/proc.c
+++ b/net/sctp/proc.c
@@ -215,7 +215,6 @@ static const struct seq_operations sctp_eps_ops = {
 struct sctp_ht_iter {
        struct seq_net_private p;
        struct rhashtable_iter hti;
-        int start_fail;
 };
 static void *sctp_transport_seq_start(struct seq_file *seq, loff_t *pos)
@@ -224,7 +223,6 @@ static void *sctp_transport_seq_start(struct seq_file *seq, loff_t *pos)
        sctp_transport_walk_start(&iter->hti);
-        iter->start_fail = 0;
        return sctp_transport_get_idx(seq_file_net(seq), &iter->hti, *pos);
 }
@@ -232,8 +230,6 @@ static void sctp_transport_seq_stop(struct seq_file *seq, void *v)
 {
        struct sctp_ht_iter *iter = seq->private;
-        if (iter->start_fail)
-                return;
        sctp_transport_walk_stop(&iter->hti);
 }
@@ -264,8 +260,6 @@ static int sctp_assocs_seq_show(struct seq_file *seq, void *v)
        }
        transport = (struct sctp_transport *)v;
-        if (!sctp_transport_hold(transport))
-                return 0;
        assoc = transport->asoc;
        epb = &assoc->base;
        sk = epb->sk;
@@ -322,8 +316,6 @@ static int sctp_remaddr_seq_show(struct seq_file *seq, void *v)
        }
        transport = (struct sctp_transport *)v;
-        if (!sctp_transport_hold(transport))
-                return 0;
        assoc = transport->asoc;
        list_for_each_entry_rcu(tsp, &assoc->peer.transport_addr_list,
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index e96b15a66aba..f73e9d38d5ba 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2658,20 +2658,23 @@ static int sctp_apply_peer_addr_params(struct sctp_paddrparams *params,
        }
        if (params->spp_flags & SPP_IPV6_FLOWLABEL) {
-                if (trans && trans->ipaddr.sa.sa_family == AF_INET6) {
+                if (trans) {
-                        trans->flowlabel = params->spp_ipv6_flowlabel &
+                        if (trans->ipaddr.sa.sa_family == AF_INET6) {
-                                           SCTP_FLOWLABEL_VAL_MASK;
-                        trans->flowlabel |= SCTP_FLOWLABEL_SET_MASK;
-                } else if (asoc) {
-                        list_for_each_entry(trans,
-                                            &asoc->peer.transport_addr_list,
-                                            transports) {
-                                if (trans->ipaddr.sa.sa_family != AF_INET6)
-                                        continue;
                                trans->flowlabel = params->spp_ipv6_flowlabel &
                                                   SCTP_FLOWLABEL_VAL_MASK;
                                trans->flowlabel |= SCTP_FLOWLABEL_SET_MASK;
                        }
+                } else if (asoc) {
+                        struct sctp_transport *t;
+                        list_for_each_entry(t, &asoc->peer.transport_addr_list,
+                                            transports) {
+                                if (t->ipaddr.sa.sa_family != AF_INET6)
+                                        continue;
+                                t->flowlabel = params->spp_ipv6_flowlabel &
+                                               SCTP_FLOWLABEL_VAL_MASK;
+                                t->flowlabel |= SCTP_FLOWLABEL_SET_MASK;
+                        }
                        asoc->flowlabel = params->spp_ipv6_flowlabel &
                                          SCTP_FLOWLABEL_VAL_MASK;
                        asoc->flowlabel |= SCTP_FLOWLABEL_SET_MASK;
@@ -2687,12 +2690,13 @@ static int sctp_apply_peer_addr_params(struct sctp_paddrparams *params,
                        trans->dscp = params->spp_dscp & SCTP_DSCP_VAL_MASK;
                        trans->dscp |= SCTP_DSCP_SET_MASK;
                } else if (asoc) {
-                        list_for_each_entry(trans,
+                        struct sctp_transport *t;
-                                            &asoc->peer.transport_addr_list,
+                        list_for_each_entry(t, &asoc->peer.transport_addr_list,
                                            transports) {
-                                trans->dscp = params->spp_dscp &
+                                t->dscp = params->spp_dscp &
-                                              SCTP_DSCP_VAL_MASK;
+                                          SCTP_DSCP_VAL_MASK;
-                                trans->dscp |= SCTP_DSCP_SET_MASK;
+                                t->dscp |= SCTP_DSCP_SET_MASK;
                        }
                        asoc->dscp = params->spp_dscp & SCTP_DSCP_VAL_MASK;
                        asoc->dscp |= SCTP_DSCP_SET_MASK;
@@ -5005,9 +5009,14 @@ struct sctp_transport *sctp_transport_get_next(struct net *net,
                        break;
                }
+                if (!sctp_transport_hold(t))
+                        continue;
                if (net_eq(sock_net(t->asoc->base.sk), net) &&
                    t->asoc->peer.primary_path == t)
                        break;
+                sctp_transport_put(t);
        }
        return t;
@@ -5017,13 +5026,18 @@ struct sctp_transport *sctp_transport_get_idx(struct net *net,
                                              struct rhashtable_iter *iter,
                                              int pos)
 {
-        void *obj = SEQ_START_TOKEN;
+        struct sctp_transport *t;
-        while (pos && (obj = sctp_transport_get_next(net, iter)) &&
+        if (!pos)
-               !IS_ERR(obj))
+                return SEQ_START_TOKEN;
-                pos--;
-        return obj;
+        while ((t = sctp_transport_get_next(net, iter)) && !IS_ERR(t)) {
+                if (!--pos)
+                        break;
+                sctp_transport_put(t);
+        }
+        return t;
 }
 int sctp_for_each_endpoint(int (*cb)(struct sctp_endpoint *, void *),
@@ -5082,8 +5096,6 @@ again:
        tsp = sctp_transport_get_idx(net, &hti, *pos + 1);
        for (; !IS_ERR_OR_NULL(tsp); tsp = sctp_transport_get_next(net, &hti)) {
-                if (!sctp_transport_hold(tsp))
-                        continue;
                ret = cb(tsp, p);
                if (ret)
                        break;
diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
index 9ee6cfea56dd..d8026543bf4c 100644
--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -51,12 +51,12 @@ const char tipc_bclink_name[] = "broadcast-link";
 * struct tipc_bc_base - base structure for keeping broadcast send state
 * @link: broadcast send link structure
 * @inputq: data input queue; will only carry SOCK_WAKEUP messages
- * @dest: array keeping number of reachable destinations per bearer
+ * @dests: array keeping number of reachable destinations per bearer
 * @primary_bearer: a bearer having links to all broadcast destinations, if any
 * @bcast_support: indicates if primary bearer, if any, supports broadcast
 * @rcast_support: indicates if all peer nodes support replicast
 * @rc_ratio: dest count as percentage of cluster size where send method changes
- * @bc_threshold: calculated drom rc_ratio; if dests > threshold use broadcast
+ * @bc_threshold: calculated from rc_ratio; if dests > threshold use broadcast
 */
 struct tipc_bc_base {
        struct tipc_link *link;
diff --git a/net/tipc/diag.c b/net/tipc/diag.c
index aaabb0b776dd..73137f4aeb68 100644
--- a/net/tipc/diag.c
+++ b/net/tipc/diag.c
@@ -84,7 +84,9 @@ static int tipc_sock_diag_handler_dump(struct sk_buff *skb,
        if (h->nlmsg_flags & NLM_F_DUMP) {
                struct netlink_dump_control c = {
+                        .start = tipc_dump_start,
                        .dump = tipc_diag_dump,
+                        .done = tipc_dump_done,
                };
                netlink_dump_start(net->diag_nlsk, skb, h, &c);
                return 0;
diff --git a/net/tipc/name_table.c b/net/tipc/name_table.c
index 88f027b502f6..66d5b2c5987a 100644
--- a/net/tipc/name_table.c
+++ b/net/tipc/name_table.c
@@ -980,20 +980,17 @@ int tipc_nl_name_table_dump(struct sk_buff *skb, struct netlink_callback *cb)
 struct tipc_dest *tipc_dest_find(struct list_head *l, u32 node, u32 port)
 {
-        u64 value = (u64)node << 32 | port;
        struct tipc_dest *dst;
        list_for_each_entry(dst, l, list) {
-                if (dst->value != value)
+                if (dst->node == node && dst->port == port)
-                        continue;
+                        return dst;
-                return dst;
        }
        return NULL;
 }
 bool tipc_dest_push(struct list_head *l, u32 node, u32 port)
 {
-        u64 value = (u64)node << 32 | port;
        struct tipc_dest *dst;
        if (tipc_dest_find(l, node, port))
@@ -1002,7 +999,8 @@ bool tipc_dest_push(struct list_head *l, u32 node, u32 port)
        dst = kmalloc(sizeof(*dst), GFP_ATOMIC);
        if (unlikely(!dst))
                return false;
-        dst->value = value;
+        dst->node = node;
+        dst->port = port;
        list_add(&dst->list, l);
        return true;
 }
diff --git a/net/tipc/name_table.h b/net/tipc/name_table.h
index 0febba41da86..892bd750b85f 100644
--- a/net/tipc/name_table.h
+++ b/net/tipc/name_table.h
@@ -133,13 +133,8 @@ void tipc_nametbl_stop(struct net *net);
 struct tipc_dest {
        struct list_head list;
-        union {
+        u32 port;
-                struct {
+        u32 node;
-                        u32 port;
-                        u32 node;
-                };
-                u64 value;
-        };
 };
 struct tipc_dest *tipc_dest_find(struct list_head *l, u32 node, u32 port);
diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
index 6ff2254088f6..99ee419210ba 100644
--- a/net/tipc/netlink.c
+++ b/net/tipc/netlink.c
@@ -167,7 +167,9 @@ static const struct genl_ops tipc_genl_v2_ops[] = {
        },
        {
                .cmd    = TIPC_NL_SOCK_GET,
+                .start = tipc_dump_start,
                .dumpit = tipc_nl_sk_dump,
+                .done   = tipc_dump_done,
                .policy = tipc_nl_policy,
        },
        {
diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index a2f76743c73a..6376467e78f8 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -185,6 +185,10 @@ static int __tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
                return -ENOMEM;
        buf->sk = msg->dst_sk;
+        if (__tipc_dump_start(&cb, msg->net)) {
+                kfree_skb(buf);
+                return -ENOMEM;
+        }
        do {
                int rem;
@@ -216,6 +220,7 @@ static int __tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
        err = 0;
 err_out:
+        tipc_dump_done(&cb);
        kfree_skb(buf);
        if (err == -EMSGSIZE) {
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index c1e93c9515bc..3f03ddd0e35b 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -576,6 +576,7 @@ static int tipc_release(struct socket *sock)
        sk_stop_timer(sk, &sk->sk_timer);
        tipc_sk_remove(tsk);
+        sock_orphan(sk);
        /* Reject any messages that accumulated in backlog queue */
        release_sock(sk);
        tipc_dest_list_purge(&tsk->cong_links);
@@ -2672,6 +2673,8 @@ void tipc_sk_reinit(struct net *net)
                rhashtable_walk_stop(&iter);
        } while (tsk == ERR_PTR(-EAGAIN));
+        rhashtable_walk_exit(&iter);
 }
 static struct tipc_sock *tipc_sk_lookup(struct net *net, u32 portid)
@@ -3227,45 +3230,74 @@ int tipc_nl_sk_walk(struct sk_buff *skb, struct netlink_callback *cb,
                                       struct netlink_callback *cb,
                                       struct tipc_sock *tsk))
 {
-        struct net *net = sock_net(skb->sk);
+        struct rhashtable_iter *iter = (void *)cb->args[4];
-        struct tipc_net *tn = tipc_net(net);
-        const struct bucket_table *tbl;
-        u32 prev_portid = cb->args[1];
-        u32 tbl_id = cb->args[0];
-        struct rhash_head *pos;
        struct tipc_sock *tsk;
        int err;
-        rcu_read_lock();
+        rhashtable_walk_start(iter);
-        tbl = rht_dereference_rcu((&tn->sk_rht)->tbl, &tn->sk_rht);
+        while ((tsk = rhashtable_walk_next(iter)) != NULL) {
-        for (; tbl_id < tbl->size; tbl_id++) {
+                if (IS_ERR(tsk)) {
-                rht_for_each_entry_rcu(tsk, pos, tbl, tbl_id, node) {
+                        err = PTR_ERR(tsk);
-                        spin_lock_bh(&tsk->sk.sk_lock.slock);
+                        if (err == -EAGAIN) {
-                        if (prev_portid && prev_portid != tsk->portid) {
+                                err = 0;
-                                spin_unlock_bh(&tsk->sk.sk_lock.slock);
                                continue;
                        }
+                        break;
+                }
-                        err = skb_handler(skb, cb, tsk);
+                sock_hold(&tsk->sk);
-                        if (err) {
+                rhashtable_walk_stop(iter);
-                                prev_portid = tsk->portid;
+                lock_sock(&tsk->sk);
-                                spin_unlock_bh(&tsk->sk.sk_lock.slock);
+                err = skb_handler(skb, cb, tsk);
-                                goto out;
+                if (err) {
-                        }
+                        release_sock(&tsk->sk);
+                        sock_put(&tsk->sk);
-                        prev_portid = 0;
+                        goto out;
-                        spin_unlock_bh(&tsk->sk.sk_lock.slock);
                }
+                release_sock(&tsk->sk);
+                rhashtable_walk_start(iter);
+                sock_put(&tsk->sk);
        }
+        rhashtable_walk_stop(iter);
 out:
-        rcu_read_unlock();
-        cb->args[0] = tbl_id;
-        cb->args[1] = prev_portid;
        return skb->len;
 }
 EXPORT_SYMBOL(tipc_nl_sk_walk);
+int tipc_dump_start(struct netlink_callback *cb)
+{
+        return __tipc_dump_start(cb, sock_net(cb->skb->sk));
+}
+EXPORT_SYMBOL(tipc_dump_start);
+int __tipc_dump_start(struct netlink_callback *cb, struct net *net)
+{
+        /* tipc_nl_name_table_dump() uses cb->args[0...3]. */
+        struct rhashtable_iter *iter = (void *)cb->args[4];
+        struct tipc_net *tn = tipc_net(net);
+        if (!iter) {
+                iter = kmalloc(sizeof(*iter), GFP_KERNEL);
+                if (!iter)
+                        return -ENOMEM;
+                cb->args[4] = (long)iter;
+        }
+        rhashtable_walk_enter(&tn->sk_rht, iter);
+        return 0;
+}
+int tipc_dump_done(struct netlink_callback *cb)
+{
+        struct rhashtable_iter *hti = (void *)cb->args[4];
+        rhashtable_walk_exit(hti);
+        kfree(hti);
+        return 0;
+}
+EXPORT_SYMBOL(tipc_dump_done);
 int tipc_sk_fill_sock_diag(struct sk_buff *skb, struct netlink_callback *cb,
                           struct tipc_sock *tsk, u32 sk_filter_state,
                           u64 (*tipc_diag_gen_cookie)(struct sock *sk))
diff --git a/net/tipc/socket.h b/net/tipc/socket.h
index aff9b2ae5a1f..5e575f205afe 100644
--- a/net/tipc/socket.h
+++ b/net/tipc/socket.h
@@ -68,4 +68,7 @@ int tipc_nl_sk_walk(struct sk_buff *skb, struct netlink_callback *cb,
                    int (*skb_handler)(struct sk_buff *skb,
                                       struct netlink_callback *cb,
                                       struct tipc_sock *tsk));
+int tipc_dump_start(struct netlink_callback *cb);
+int __tipc_dump_start(struct netlink_callback *cb, struct net *net);
+int tipc_dump_done(struct netlink_callback *cb);
 #endif
diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
index c8e34ef22c30..2627b5d812e9 100644
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -313,8 +313,8 @@ static void tipc_conn_send_work(struct work_struct *work)
        conn_put(con);
 }
-/* tipc_conn_queue_evt() - interrupt level call from a subscription instance
+/* tipc_topsrv_queue_evt() - interrupt level call from a subscription instance
- * The queued work is launched into tipc_send_work()->tipc_send_to_sock()
+ * The queued work is launched into tipc_conn_send_work()->tipc_conn_send_to_sock()
 */
 void tipc_topsrv_queue_evt(struct net *net, int conid,
                           u32 event, struct tipc_event *evt)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 52fbe727d7c1..e28a6ff25d96 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -125,6 +125,9 @@ static int alloc_encrypted_sg(struct sock *sk, int len)
                         &ctx->sg_encrypted_num_elem,
                         &ctx->sg_encrypted_size, 0);
+        if (rc == -ENOSPC)
+                ctx->sg_encrypted_num_elem = ARRAY_SIZE(ctx->sg_encrypted_data);
        return rc;
 }
@@ -138,6 +141,9 @@ static int alloc_plaintext_sg(struct sock *sk, int len)
                         &ctx->sg_plaintext_num_elem, &ctx->sg_plaintext_size,
                         tls_ctx->pending_open_record_frags);
+        if (rc == -ENOSPC)
+                ctx->sg_plaintext_num_elem = ARRAY_SIZE(ctx->sg_plaintext_data);
        return rc;
 }
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 5fb9b7dd9831..4b8ec659e797 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -669,13 +669,13 @@ static int nl80211_msg_put_wmm_rules(struct sk_buff *msg,
                        goto nla_put_failure;
                if (nla_put_u16(msg, NL80211_WMMR_CW_MIN,
-                                rule->wmm_rule->client[j].cw_min) ||
+                                rule->wmm_rule.client[j].cw_min) ||
                    nla_put_u16(msg, NL80211_WMMR_CW_MAX,
-                                rule->wmm_rule->client[j].cw_max) ||
+                                rule->wmm_rule.client[j].cw_max) ||
                    nla_put_u8(msg, NL80211_WMMR_AIFSN,
-                               rule->wmm_rule->client[j].aifsn) ||
+                               rule->wmm_rule.client[j].aifsn) ||
-                    nla_put_u8(msg, NL80211_WMMR_TXOP,
+                    nla_put_u16(msg, NL80211_WMMR_TXOP,
-                               rule->wmm_rule->client[j].cot))
+                                rule->wmm_rule.client[j].cot))
                        goto nla_put_failure;
                nla_nest_end(msg, nl_wmm_rule);
@@ -766,9 +766,9 @@ static int nl80211_msg_put_channel(struct sk_buff *msg, struct wiphy *wiphy,
        if (large) {
                const struct ieee80211_reg_rule *rule =
-                        freq_reg_info(wiphy, chan->center_freq);
+                        freq_reg_info(wiphy, MHZ_TO_KHZ(chan->center_freq));
-                if (!IS_ERR(rule) && rule->wmm_rule) {
+                if (!IS_ERR_OR_NULL(rule) && rule->has_wmm) {
                        if (nl80211_msg_put_wmm_rules(msg, rule))
                                goto nla_put_failure;
                }
@@ -12205,6 +12205,7 @@ static int nl80211_update_ft_ies(struct sk_buff *skb, struct genl_info *info)
                return -EOPNOTSUPP;
        if (!info->attrs[NL80211_ATTR_MDID] ||
+            !info->attrs[NL80211_ATTR_IE] ||
            !is_valid_ie_attr(info->attrs[NL80211_ATTR_IE]))
                return -EINVAL;
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 4fc66a117b7d..2f702adf2912 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -425,36 +425,23 @@ static const struct ieee80211_regdomain *
 reg_copy_regd(const struct ieee80211_regdomain *src_regd)
 {
        struct ieee80211_regdomain *regd;
-        int size_of_regd, size_of_wmms;
+        int size_of_regd;
        unsigned int i;
-        struct ieee80211_wmm_rule *d_wmm, *s_wmm;
        size_of_regd =
                sizeof(struct ieee80211_regdomain) +
                src_regd->n_reg_rules * sizeof(struct ieee80211_reg_rule);
-        size_of_wmms = src_regd->n_wmm_rules *
-                sizeof(struct ieee80211_wmm_rule);
-        regd = kzalloc(size_of_regd + size_of_wmms, GFP_KERNEL);
+        regd = kzalloc(size_of_regd, GFP_KERNEL);
        if (!regd)
                return ERR_PTR(-ENOMEM);
        memcpy(regd, src_regd, sizeof(struct ieee80211_regdomain));
-        d_wmm = (struct ieee80211_wmm_rule *)((u8 *)regd + size_of_regd);
+        for (i = 0; i < src_regd->n_reg_rules; i++)
-        s_wmm = (struct ieee80211_wmm_rule *)((u8 *)src_regd + size_of_regd);
-        memcpy(d_wmm, s_wmm, size_of_wmms);
-        for (i = 0; i < src_regd->n_reg_rules; i++) {
                memcpy(&regd->reg_rules[i], &src_regd->reg_rules[i],
                       sizeof(struct ieee80211_reg_rule));
-                if (!src_regd->reg_rules[i].wmm_rule)
-                        continue;
-                regd->reg_rules[i].wmm_rule = d_wmm +
-                        (src_regd->reg_rules[i].wmm_rule - s_wmm) /
-                        sizeof(struct ieee80211_wmm_rule);
-        }
        return regd;
 }
@@ -860,9 +847,10 @@ static bool valid_regdb(const u8 *data, unsigned int size)
        return true;
 }
-static void set_wmm_rule(struct ieee80211_wmm_rule *rule,
+static void set_wmm_rule(struct ieee80211_reg_rule *rrule,
                         struct fwdb_wmm_rule *wmm)
 {
+        struct ieee80211_wmm_rule *rule = &rrule->wmm_rule;
        unsigned int i;
        for (i = 0; i < IEEE80211_NUM_ACS; i++) {
@@ -876,11 +864,13 @@ static void set_wmm_rule(struct ieee80211_wmm_rule *rule,
                rule->ap[i].aifsn = wmm->ap[i].aifsn;
                rule->ap[i].cot = 1000 * be16_to_cpu(wmm->ap[i].cot);
        }
+        rrule->has_wmm = true;
 }
 static int __regdb_query_wmm(const struct fwdb_header *db,
                             const struct fwdb_country *country, int freq,
-                             u32 *dbptr, struct ieee80211_wmm_rule *rule)
+                             struct ieee80211_reg_rule *rule)
 {
        unsigned int ptr = be16_to_cpu(country->coll_ptr) << 2;
        struct fwdb_collection *coll = (void *)((u8 *)db + ptr);
@@ -901,8 +891,6 @@ static int __regdb_query_wmm(const struct fwdb_header *db,
                        wmm_ptr = be16_to_cpu(rrule->wmm_ptr) << 2;
                        wmm = (void *)((u8 *)db + wmm_ptr);
                        set_wmm_rule(rule, wmm);
-                        if (dbptr)
-                                *dbptr = wmm_ptr;
                        return 0;
                }
        }
@@ -910,8 +898,7 @@ static int __regdb_query_wmm(const struct fwdb_header *db,
        return -ENODATA;
 }
-int reg_query_regdb_wmm(char *alpha2, int freq, u32 *dbptr,
+int reg_query_regdb_wmm(char *alpha2, int freq, struct ieee80211_reg_rule *rule)
-                        struct ieee80211_wmm_rule *rule)
 {
        const struct fwdb_header *hdr = regdb;
        const struct fwdb_country *country;
@@ -925,8 +912,7 @@ int reg_query_regdb_wmm(char *alpha2, int freq, u32 *dbptr,
        country = &hdr->country[0];
        while (country->coll_ptr) {
                if (alpha2_equal(alpha2, country->alpha2))
-                        return __regdb_query_wmm(regdb, country, freq, dbptr,
+                        return __regdb_query_wmm(regdb, country, freq, rule);
-                                                 rule);
                country++;
        }
@@ -935,32 +921,13 @@ int reg_query_regdb_wmm(char *alpha2, int freq, u32 *dbptr,
 }
 EXPORT_SYMBOL(reg_query_regdb_wmm);
-struct wmm_ptrs {
-        struct ieee80211_wmm_rule *rule;
-        u32 ptr;
-};
-static struct ieee80211_wmm_rule *find_wmm_ptr(struct wmm_ptrs *wmm_ptrs,
-                                               u32 wmm_ptr, int n_wmms)
-{
-        int i;
-        for (i = 0; i < n_wmms; i++) {
-                if (wmm_ptrs[i].ptr == wmm_ptr)
-                        return wmm_ptrs[i].rule;
-        }
-        return NULL;
-}
 static int regdb_query_country(const struct fwdb_header *db,
                               const struct fwdb_country *country)
 {
        unsigned int ptr = be16_to_cpu(country->coll_ptr) << 2;
        struct fwdb_collection *coll = (void *)((u8 *)db + ptr);
        struct ieee80211_regdomain *regdom;
-        struct ieee80211_regdomain *tmp_rd;
+        unsigned int size_of_regd, i;
-        unsigned int size_of_regd, i, n_wmms = 0;
-        struct wmm_ptrs *wmm_ptrs;
        size_of_regd = sizeof(struct ieee80211_regdomain) +
                coll->n_rules * sizeof(struct ieee80211_reg_rule);
@@ -969,12 +936,6 @@ static int regdb_query_country(const struct fwdb_header *db,
        if (!regdom)
                return -ENOMEM;
-        wmm_ptrs = kcalloc(coll->n_rules, sizeof(*wmm_ptrs), GFP_KERNEL);
-        if (!wmm_ptrs) {
-                kfree(regdom);
-                return -ENOMEM;
-        }
        regdom->n_reg_rules = coll->n_rules;
        regdom->alpha2[0] = country->alpha2[0];
        regdom->alpha2[1] = country->alpha2[1];
@@ -1013,37 +974,11 @@ static int regdb_query_country(const struct fwdb_header *db,
                                1000 * be16_to_cpu(rule->cac_timeout);
                if (rule->len >= offsetofend(struct fwdb_rule, wmm_ptr)) {
                        u32 wmm_ptr = be16_to_cpu(rule->wmm_ptr) << 2;
-                        struct ieee80211_wmm_rule *wmm_pos =
+                        struct fwdb_wmm_rule *wmm = (void *)((u8 *)db + wmm_ptr);
-                                find_wmm_ptr(wmm_ptrs, wmm_ptr, n_wmms);
-                        struct fwdb_wmm_rule *wmm;
-                        struct ieee80211_wmm_rule *wmm_rule;
-                        if (wmm_pos) {
-                                rrule->wmm_rule = wmm_pos;
-                                continue;
-                        }
-                        wmm = (void *)((u8 *)db + wmm_ptr);
-                        tmp_rd = krealloc(regdom, size_of_regd + (n_wmms + 1) *
-                                          sizeof(struct ieee80211_wmm_rule),
-                                          GFP_KERNEL);
-                        if (!tmp_rd) {
-                                kfree(regdom);
-                                kfree(wmm_ptrs);
-                                return -ENOMEM;
-                        }
-                        regdom = tmp_rd;
-                        wmm_rule = (struct ieee80211_wmm_rule *)
-                                ((u8 *)regdom + size_of_regd + n_wmms *
-                                sizeof(struct ieee80211_wmm_rule));
-                        set_wmm_rule(wmm_rule, wmm);
+                        set_wmm_rule(rrule, wmm);
-                        wmm_ptrs[n_wmms].ptr = wmm_ptr;
-                        wmm_ptrs[n_wmms++].rule = wmm_rule;
                }
        }
-        kfree(wmm_ptrs);
        return reg_schedule_apply(regdom);
 }
diff --git a/net/wireless/util.c b/net/wireless/util.c
index e0825a019e9f..959ed3acd240 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -1456,7 +1456,7 @@ bool ieee80211_chandef_to_operating_class(struct cfg80211_chan_def *chandef,
                                          u8 *op_class)
 {
        u8 vht_opclass;
-        u16 freq = chandef->center_freq1;
+        u32 freq = chandef->center_freq1;
        if (freq >= 2412 && freq <= 2472) {
                if (chandef->width > NL80211_CHAN_WIDTH_40)