48 files changed, 364 insertions, 169 deletions

diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c
index 38aa6345bdfa..b718db2085b2 100644
--- a/net/9p/trans_common.c
+++ b/net/9p/trans_common.c
@@ -16,7 +16,7 @@
 #include <linux/module.h>
 
 /**
- *  p9_release_req_pages - Release pages after the transaction.
+ *  p9_release_pages - Release pages after the transaction.
  */
 void p9_release_pages(struct page **pages, int nr_pages)
 {
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index 0cfba919d167..848969fe7979 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -1092,8 +1092,8 @@ static struct p9_trans_module p9_fd_trans = {
 };
 
 /**
- * p9_poll_proc - poll worker thread
- * @a: thread state and arguments
+ * p9_poll_workfn - poll worker thread
+ * @work: work queue
  *
  * polls all v9fs transports for new events and queues the appropriate
  * work to the work queue
diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
index 6d8e3031978f..3d414acb7015 100644
--- a/net/9p/trans_rdma.c
+++ b/net/9p/trans_rdma.c
@@ -68,8 +68,6 @@
  * @pd: Protection Domain pointer
  * @qp: Queue Pair pointer
  * @cq: Completion Queue pointer
- * @dm_mr: DMA Memory Region pointer
- * @lkey: The local access only memory region key
  * @timeout: Number of uSecs to wait for connection management events
  * @privport: Whether a privileged port may be used
  * @port: The port to use
@@ -632,7 +630,7 @@ static int p9_rdma_bind_privport(struct p9_trans_rdma *rdma)
 }
 
 /**
- * trans_create_rdma - Transport method for creating atransport instance
+ * rdma_create_trans - Transport method for creating a transport instance
  * @client: client instance
  * @addr: IP address string
  * @args: Mount options string
diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index 3aa5a93ad107..4d0372263e5d 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -60,7 +60,6 @@ static atomic_t vp_pinned = ATOMIC_INIT(0);
 
 /**
  * struct virtio_chan - per-instance transport information
- * @initialized: whether the channel is initialized
  * @inuse: whether the channel is in use
  * @lock: protects multiple elements within this structure
  * @client: client instance
@@ -385,8 +384,8 @@ static int p9_get_mapped_pages(struct virtio_chan *chan,
  * @uidata: user bffer that should be ued for zero copy read
  * @uodata: user buffer that shoud be user for zero copy write
  * @inlen: read buffer size
- * @olen: write buffer size
- * @hdrlen: reader header size, This is the size of response protocol data
+ * @outlen: write buffer size
+ * @in_hdr_len: reader header size, This is the size of response protocol data
  *
  */
 static int
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 086a4abdfa7c..0f19960390a6 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -485,7 +485,7 @@ static int xen_9pfs_front_probe(struct xenbus_device *dev,
 
 static int xen_9pfs_front_resume(struct xenbus_device *dev)
 {
-        dev_warn(&dev->dev, "suspsend/resume unsupported\n");
+        dev_warn(&dev->dev, "suspend/resume unsupported\n");
         return 0;
 }
 
diff --git a/net/atm/lec.c b/net/atm/lec.c
index 01d5d20a6eb1..3138a869b5c0 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -41,6 +41,9 @@ static unsigned char bridge_ula_lec[] = { 0x01, 0x80, 0xc2, 0x00, 0x00 };
 #include <linux/module.h>
 #include <linux/init.h>
 
+/* Hardening for Spectre-v1 */
+#include <linux/nospec.h>
+
 #include "lec.h"
 #include "lec_arpc.h"
 #include "resources.h"
@@ -687,8 +690,10 @@ static int lec_vcc_attach(struct atm_vcc *vcc, void __user *arg)
         bytes_left = copy_from_user(&ioc_data, arg, sizeof(struct atmlec_ioc));
         if (bytes_left != 0)
                 pr_info("copy from user failed for %d bytes\n", bytes_left);
-        if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF ||
-            !dev_lec[ioc_data.dev_num])
+        if (ioc_data.dev_num < 0 || ioc_data.dev_num >= MAX_LEC_ITF)
+                return -EINVAL;
+        ioc_data.dev_num = array_index_nospec(ioc_data.dev_num, MAX_LEC_ITF);
+        if (!dev_lec[ioc_data.dev_num])
                 return -EINVAL;
         vpriv = kmalloc(sizeof(struct lec_vcc_priv), GFP_KERNEL);
         if (!vpriv)
diff --git a/net/ieee802154/6lowpan/6lowpan_i.h b/net/ieee802154/6lowpan/6lowpan_i.h
index b8d95cb71c25..44a7e16bf3b5 100644
--- a/net/ieee802154/6lowpan/6lowpan_i.h
+++ b/net/ieee802154/6lowpan/6lowpan_i.h
@@ -20,8 +20,8 @@ typedef unsigned __bitwise lowpan_rx_result;
 struct frag_lowpan_compare_key {
         u16 tag;
         u16 d_size;
-        const struct ieee802154_addr src;
-        const struct ieee802154_addr dst;
+        struct ieee802154_addr src;
+        struct ieee802154_addr dst;
 };
 
 /* Equivalent of ipv4 struct ipq
diff --git a/net/ieee802154/6lowpan/reassembly.c b/net/ieee802154/6lowpan/reassembly.c
index 1790b65944b3..2cc224106b69 100644
--- a/net/ieee802154/6lowpan/reassembly.c
+++ b/net/ieee802154/6lowpan/reassembly.c
@@ -75,14 +75,14 @@ fq_find(struct net *net, const struct lowpan_802154_cb *cb,
 {
         struct netns_ieee802154_lowpan *ieee802154_lowpan =
                 net_ieee802154_lowpan(net);
-        struct frag_lowpan_compare_key key = {
-                .tag = cb->d_tag,
-                .d_size = cb->d_size,
-                .src = *src,
-                .dst = *dst,
-        };
+        struct frag_lowpan_compare_key key = {};
         struct inet_frag_queue *q;
 
+        key.tag = cb->d_tag;
+        key.d_size = cb->d_size;
+        key.src = *src;
+        key.dst = *dst;
+
         q = inet_frag_find(&ieee802154_lowpan->frags, &key);
         if (!q)
                 return NULL;
@@ -372,7 +372,7 @@ int lowpan_frag_rcv(struct sk_buff *skb, u8 frag_type)
         struct lowpan_frag_queue *fq;
         struct net *net = dev_net(skb->dev);
         struct lowpan_802154_cb *cb = lowpan_802154_cb(skb);
-        struct ieee802154_hdr hdr;
+        struct ieee802154_hdr hdr = {};
         int err;
 
         if (ieee802154_hdr_peek_addrs(skb, &hdr) < 0)
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index 05e47d777009..56a010622f70 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -775,8 +775,10 @@ static int ping_v4_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
         ipc.addr = faddr = daddr;
 
         if (ipc.opt && ipc.opt->opt.srr) {
-                if (!daddr)
-                        return -EINVAL;
+                if (!daddr) {
+                        err = -EINVAL;
+                        goto out_free;
+                }
                 faddr = ipc.opt->opt.faddr;
         }
         tos = get_rttos(&ipc, inet);
@@ -842,6 +844,7 @@ back_from_confirm:
 
 out:
         ip_rt_put(rt);
+out_free:
         if (free)
                 kfree(ipc.opt);
         if (!err) {
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 1412a7baf0b9..29268efad247 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1375,6 +1375,7 @@ static bool rt_bind_exception(struct rtable *rt, struct fib_nh_exception *fnhe,
                         fnhe->fnhe_gw = 0;
                         fnhe->fnhe_pmtu = 0;
                         fnhe->fnhe_expires = 0;
+                        fnhe->fnhe_mtu_locked = false;
                         fnhe_flush_routes(fnhe);
                         orig = NULL;
                 }
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 24b5c59b1c53..b61a770884fa 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -401,9 +401,9 @@ static int compute_score(struct sock *sk, struct net *net,
                 bool dev_match = (sk->sk_bound_dev_if == dif ||
                                   sk->sk_bound_dev_if == sdif);
 
-                if (exact_dif && !dev_match)
+                if (!dev_match)
                         return -1;
-                if (sk->sk_bound_dev_if && dev_match)
+                if (sk->sk_bound_dev_if)
                         score += 4;
         }
 
@@ -952,8 +952,10 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
         sock_tx_timestamp(sk, ipc.sockc.tsflags, &ipc.tx_flags);
 
         if (ipc.opt && ipc.opt->opt.srr) {
-                if (!daddr)
-                        return -EINVAL;
+                if (!daddr) {
+                        err = -EINVAL;
+                        goto out_free;
+                }
                 faddr = ipc.opt->opt.faddr;
                 connected = 0;
         }
@@ -1074,6 +1076,7 @@ do_append_data:
 
 out:
         ip_rt_put(rt);
+out_free:
         if (free)
                 kfree(ipc.opt);
         if (!err)
diff --git a/net/ipv6/Kconfig b/net/ipv6/Kconfig
index 6794ddf0547c..11e4e80cf7e9 100644
--- a/net/ipv6/Kconfig
+++ b/net/ipv6/Kconfig
@@ -34,16 +34,15 @@ config IPV6_ROUTE_INFO
         bool "IPv6: Route Information (RFC 4191) support"
         depends on IPV6_ROUTER_PREF
         ---help---
-          This is experimental support of Route Information.
+          Support of Route Information.
 
           If unsure, say N.
 
 config IPV6_OPTIMISTIC_DAD
         bool "IPv6: Enable RFC 4429 Optimistic DAD"
         ---help---
-          This is experimental support for optimistic Duplicate
-          Address Detection.  It allows for autoconfigured addresses
-          to be used more quickly.
+          Support for optimistic Duplicate Address Detection. It allows for
+          autoconfigured addresses to be used more quickly.
 
           If unsure, say N.
 
@@ -280,7 +279,7 @@ config IPV6_MROUTE
         depends on IPV6
         select IP_MROUTE_COMMON
         ---help---
-          Experimental support for IPv6 multicast forwarding.
+          Support for IPv6 multicast forwarding.
           If unsure, say N.
 
 config IPV6_MROUTE_MULTIPLE_TABLES
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index c214ffec02f0..ca957dd93a29 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -669,7 +669,7 @@ static void vti6_link_config(struct ip6_tnl *t, bool keep_mtu)
         else
                 mtu = ETH_DATA_LEN - LL_MAX_HEADER - sizeof(struct ipv6hdr);
 
-        dev->mtu = max_t(int, mtu, IPV6_MIN_MTU);
+        dev->mtu = max_t(int, mtu, IPV4_MIN_MTU);
 }
 
 /**
@@ -881,7 +881,7 @@ static void vti6_dev_setup(struct net_device *dev)
         dev->priv_destructor = vti6_dev_free;
 
         dev->type = ARPHRD_TUNNEL6;
-        dev->min_mtu = IPV6_MIN_MTU;
+        dev->min_mtu = IPV4_MIN_MTU;
         dev->max_mtu = IP_MAX_MTU - sizeof(struct ipv6hdr);
         dev->flags |= IFF_NOARP;
         dev->addr_len = sizeof(struct in6_addr);
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 4ec76a87aeb8..ea0730028e5d 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -148,9 +148,9 @@ static int compute_score(struct sock *sk, struct net *net,
                 bool dev_match = (sk->sk_bound_dev_if == dif ||
                                   sk->sk_bound_dev_if == sdif);
 
-                if (exact_dif && !dev_match)
+                if (!dev_match)
                         return -1;
-                if (sk->sk_bound_dev_if && dev_match)
+                if (sk->sk_bound_dev_if)
                         score++;
         }
 
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index f85f0d7480ac..4a46df8441c9 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -341,6 +341,9 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
         struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
         unsigned int i;
 
+        xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
+        xfrm_flush_gc();
+
         for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
                 WARN_ON_ONCE(!hlist_empty(&xfrm6_tn->spi_byaddr[i]));
 
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 7e2e7188e7f4..e62e52e8f141 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -437,6 +437,24 @@ static int verify_address_len(const void *p)
         return 0;
 }
 
+static inline int sadb_key_len(const struct sadb_key *key)
+{
+        int key_bytes = DIV_ROUND_UP(key->sadb_key_bits, 8);
+
+        return DIV_ROUND_UP(sizeof(struct sadb_key) + key_bytes,
+                            sizeof(uint64_t));
+}
+
+static int verify_key_len(const void *p)
+{
+        const struct sadb_key *key = p;
+
+        if (sadb_key_len(key) > key->sadb_key_len)
+                return -EINVAL;
+
+        return 0;
+}
+
 static inline int pfkey_sec_ctx_len(const struct sadb_x_sec_ctx *sec_ctx)
 {
         return DIV_ROUND_UP(sizeof(struct sadb_x_sec_ctx) +
@@ -533,16 +551,25 @@ static int parse_exthdrs(struct sk_buff *skb, const struct sadb_msg *hdr, void *
                                 return -EINVAL;
                         if (ext_hdrs[ext_type-1] != NULL)
                                 return -EINVAL;
-                        if (ext_type == SADB_EXT_ADDRESS_SRC ||
-                            ext_type == SADB_EXT_ADDRESS_DST ||
-                            ext_type == SADB_EXT_ADDRESS_PROXY ||
-                            ext_type == SADB_X_EXT_NAT_T_OA) {
+                        switch (ext_type) {
+                        case SADB_EXT_ADDRESS_SRC:
+                        case SADB_EXT_ADDRESS_DST:
+                        case SADB_EXT_ADDRESS_PROXY:
+                        case SADB_X_EXT_NAT_T_OA:
                                 if (verify_address_len(p))
                                         return -EINVAL;
-                        }
-                        if (ext_type == SADB_X_EXT_SEC_CTX) {
+                                break;
+                        case SADB_X_EXT_SEC_CTX:
                                 if (verify_sec_ctx_len(p))
                                         return -EINVAL;
+                                break;
+                        case SADB_EXT_KEY_AUTH:
+                        case SADB_EXT_KEY_ENCRYPT:
+                                if (verify_key_len(p))
+                                        return -EINVAL;
+                                break;
+                        default:
+                                break;
                         }
                         ext_hdrs[ext_type-1] = (void *) p;
                 }
@@ -1104,14 +1131,12 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
         key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];
         if (key != NULL &&
             sa->sadb_sa_auth != SADB_X_AALG_NULL &&
-            ((key->sadb_key_bits+7) / 8 == 0 ||
-             (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t)))
+            key->sadb_key_bits == 0)
                 return ERR_PTR(-EINVAL);
         key = ext_hdrs[SADB_EXT_KEY_ENCRYPT-1];
         if (key != NULL &&
             sa->sadb_sa_encrypt != SADB_EALG_NULL &&
-            ((key->sadb_key_bits+7) / 8 == 0 ||
-             (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t)))
+            key->sadb_key_bits == 0)
                 return ERR_PTR(-EINVAL);
 
         x = xfrm_state_alloc(net);
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index cb80ebb38311..1beeea9549fa 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -930,6 +930,9 @@ static int llc_ui_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
         if (size > llc->dev->mtu)
                 size = llc->dev->mtu;
         copied = size - hdrlen;
+        rc = -EINVAL;
+        if (copied < 0)
+                goto release;
         release_sock(sk);
         skb = sock_alloc_send_skb(sk, size, noblock, &rc);
         lock_sock(sk);
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index 595c662a61e8..ac4295296514 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -8,6 +8,7 @@
  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
  * Copyright 2007-2010, Intel Corporation
  * Copyright(c) 2015-2017 Intel Deutschland GmbH
+ * Copyright (C) 2018 Intel Corporation
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -970,6 +971,9 @@ void ieee80211_process_addba_resp(struct ieee80211_local *local,
 
                 sta->ampdu_mlme.addba_req_num[tid] = 0;
 
+                tid_tx->timeout =
+                        le16_to_cpu(mgmt->u.action.u.addba_resp.timeout);
+
                 if (tid_tx->timeout) {
                         mod_timer(&tid_tx->session_timer,
                                   TU_TO_EXP_TIME(tid_tx->timeout));
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 69449db7e283..233068756502 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -36,6 +36,7 @@
 #define IEEE80211_AUTH_TIMEOUT          (HZ / 5)
 #define IEEE80211_AUTH_TIMEOUT_LONG     (HZ / 2)
 #define IEEE80211_AUTH_TIMEOUT_SHORT    (HZ / 10)
+#define IEEE80211_AUTH_TIMEOUT_SAE      (HZ * 2)
 #define IEEE80211_AUTH_MAX_TRIES        3
 #define IEEE80211_AUTH_WAIT_ASSOC       (HZ * 5)
 #define IEEE80211_ASSOC_TIMEOUT         (HZ / 5)
@@ -1787,7 +1788,7 @@ static bool ieee80211_sta_wmm_params(struct ieee80211_local *local,
                 params[ac].acm = acm;
                 params[ac].uapsd = uapsd;
 
-                if (params->cw_min == 0 ||
+                if (params[ac].cw_min == 0 ||
                     params[ac].cw_min > params[ac].cw_max) {
                         sdata_info(sdata,
                                    "AP has invalid WMM params (CWmin/max=%d/%d for ACI %d), using defaults\n",
@@ -3814,16 +3815,19 @@ static int ieee80211_auth(struct ieee80211_sub_if_data *sdata)
                             tx_flags);
 
         if (tx_flags == 0) {
-                auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
-                auth_data->timeout_started = true;
-                run_again(sdata, auth_data->timeout);
+                if (auth_data->algorithm == WLAN_AUTH_SAE)
+                        auth_data->timeout = jiffies +
+                                IEEE80211_AUTH_TIMEOUT_SAE;
+                else
+                        auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT;
         } else {
                 auth_data->timeout =
                         round_jiffies_up(jiffies + IEEE80211_AUTH_TIMEOUT_LONG);
-                auth_data->timeout_started = true;
-                run_again(sdata, auth_data->timeout);
         }
 
+        auth_data->timeout_started = true;
+        run_again(sdata, auth_data->timeout);
+
         return 0;
 }
 
@@ -3894,8 +3898,15 @@ void ieee80211_sta_work(struct ieee80211_sub_if_data *sdata)
                 ifmgd->status_received = false;
                 if (ifmgd->auth_data && ieee80211_is_auth(fc)) {
                         if (status_acked) {
-                                ifmgd->auth_data->timeout =
-                                        jiffies + IEEE80211_AUTH_TIMEOUT_SHORT;
+                                if (ifmgd->auth_data->algorithm ==
+                                    WLAN_AUTH_SAE)
+                                        ifmgd->auth_data->timeout =
+                                                jiffies +
+                                                IEEE80211_AUTH_TIMEOUT_SAE;
+                                else
+                                        ifmgd->auth_data->timeout =
+                                                jiffies +
+                                                IEEE80211_AUTH_TIMEOUT_SHORT;
                                 run_again(sdata, ifmgd->auth_data->timeout);
                         } else {
                                 ifmgd->auth_data->timeout = jiffies - 1;
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 535de3161a78..05a265cd573d 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -4,6 +4,7 @@
  * Copyright 2006-2007  Jiri Benc <jbenc@suse.cz>
  * Copyright 2007       Johannes Berg <johannes@sipsolutions.net>
  * Copyright 2013-2014  Intel Mobile Communications GmbH
+ * Copyright (C) 2018 Intel Corporation
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -1135,7 +1136,7 @@ static bool ieee80211_tx_prep_agg(struct ieee80211_tx_data *tx,
         }
 
         /* reset session timer */
-        if (reset_agg_timer && tid_tx->timeout)
+        if (reset_agg_timer)
                 tid_tx->last_tx = jiffies;
 
         return queued;
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 55342c4d5cec..2e2dd88fc79f 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2606,13 +2606,13 @@ static int netlink_seq_show(struct seq_file *seq, void *v)
 {
         if (v == SEQ_START_TOKEN) {
                 seq_puts(seq,
-                         "sk       Eth Pid    Groups   "
-                         "Rmem     Wmem     Dump     Locks     Drops     Inode\n");
+                         "sk               Eth Pid        Groups   "
+                         "Rmem     Wmem     Dump  Locks    Drops    Inode\n");
         } else {
                 struct sock *s = v;
                 struct netlink_sock *nlk = nlk_sk(s);
 
-                seq_printf(seq, "%pK %-3d %-6u %08x %-8d %-8d %d %-8d %-8d %-8lu\n",
+                seq_printf(seq, "%pK %-3d %-10u %08x %-8d %-8d %-5d %-8d %-8d %-8lu\n",
                            s,
                            s->sk_protocol,
                            nlk->portid,
diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
index d7da99a0b0b8..9696ef96b719 100644
--- a/net/nsh/nsh.c
+++ b/net/nsh/nsh.c
@@ -57,6 +57,8 @@ int nsh_pop(struct sk_buff *skb)
                 return -ENOMEM;
         nh = (struct nshhdr *)(skb->data);
         length = nsh_hdr_len(nh);
+        if (length < NSH_BASE_HDR_LEN)
+                return -EINVAL;
         inner_proto = tun_p_to_eth_p(nh->np);
         if (!pskb_may_pull(skb, length))
                 return -ENOMEM;
@@ -90,6 +92,8 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
         if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN)))
                 goto out;
         nsh_len = nsh_hdr_len(nsh_hdr(skb));
+        if (nsh_len < NSH_BASE_HDR_LEN)
+                goto out;
         if (unlikely(!pskb_may_pull(skb, nsh_len)))
                 goto out;
 
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 7322aa1e382e..492ab0c36f7c 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -1712,13 +1712,10 @@ static void nlattr_set(struct nlattr *attr, u8 val,
 
         /* The nlattr stream should already have been validated */
         nla_for_each_nested(nla, attr, rem) {
-                if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED) {
-                        if (tbl[nla_type(nla)].next)
-                                tbl = tbl[nla_type(nla)].next;
-                        nlattr_set(nla, val, tbl);
-                } else {
+                if (tbl[nla_type(nla)].len == OVS_ATTR_NESTED)
+                        nlattr_set(nla, val, tbl[nla_type(nla)].next ? : tbl);
+                else
                         memset(nla_data(nla), val, nla_len(nla));
-                }
 
                 if (nla_type(nla) == OVS_KEY_ATTR_CT_STATE)
                         *(u32 *)nla_data(nla) &= CT_SUPPORTED_MASK;
diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c
index 41bd496531d4..00192a996be0 100644
--- a/net/rfkill/rfkill-gpio.c
+++ b/net/rfkill/rfkill-gpio.c
@@ -137,13 +137,18 @@ static int rfkill_gpio_probe(struct platform_device *pdev)
 
         ret = rfkill_register(rfkill->rfkill_dev);
         if (ret < 0)
-                return ret;
+                goto err_destroy;
 
         platform_set_drvdata(pdev, rfkill);
 
         dev_info(&pdev->dev, "%s device registered.\n", rfkill->name);
 
         return 0;
+
+err_destroy:
+        rfkill_destroy(rfkill->rfkill_dev);
+
+        return ret;
 }
 
 static int rfkill_gpio_remove(struct platform_device *pdev)
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index 9a2c8e7c000e..2b463047dd7b 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -313,7 +313,7 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
         memset(&cp, 0, sizeof(cp));
         cp.local                = rx->local;
         cp.key                  = key;
-        cp.security_level       = 0;
+        cp.security_level       = rx->min_sec_level;
         cp.exclusive            = false;
         cp.upgrade              = upgrade;
         cp.service_id           = srx->srx_service;
diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index 90d7079e0aa9..19975d2ca9a2 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -476,6 +476,7 @@ enum rxrpc_call_flag {
         RXRPC_CALL_SEND_PING,           /* A ping will need to be sent */
         RXRPC_CALL_PINGING,             /* Ping in process */
         RXRPC_CALL_RETRANS_TIMEOUT,     /* Retransmission due to timeout occurred */
+        RXRPC_CALL_BEGAN_RX_TIMER,      /* We began the expect_rx_by timer */
 };
 
 /*
diff --git a/net/rxrpc/conn_event.c b/net/rxrpc/conn_event.c
index c717152070df..1350f1be8037 100644
--- a/net/rxrpc/conn_event.c
+++ b/net/rxrpc/conn_event.c
@@ -40,7 +40,7 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
         } __attribute__((packed)) pkt;
         struct rxrpc_ackinfo ack_info;
         size_t len;
-        int ioc;
+        int ret, ioc;
         u32 serial, mtu, call_id, padding;
 
         _enter("%d", conn->debug_id);
@@ -135,10 +135,13 @@ static void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
                 break;
         }
 
-        kernel_sendmsg(conn->params.local->socket, &msg, iov, ioc, len);
+        ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, ioc, len);
         conn->params.peer->last_tx_at = ktime_get_real();
+        if (ret < 0)
+                trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
+                                    rxrpc_tx_fail_call_final_resend);
+
         _leave("");
-        return;
 }
 
 /*
@@ -236,6 +239,8 @@ static int rxrpc_abort_connection(struct rxrpc_connection *conn,
 
         ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
         if (ret < 0) {
+                trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
+                                    rxrpc_tx_fail_conn_abort);
                 _debug("sendmsg failed: %d", ret);
                 return -EAGAIN;
         }
diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c
index 0410d2277ca2..b5fd6381313d 100644
--- a/net/rxrpc/input.c
+++ b/net/rxrpc/input.c
@@ -971,7 +971,7 @@ static void rxrpc_input_call_packet(struct rxrpc_call *call,
         if (timo) {
                 unsigned long now = jiffies, expect_rx_by;
 
-                expect_rx_by = jiffies + timo;
+                expect_rx_by = now + timo;
                 WRITE_ONCE(call->expect_rx_by, expect_rx_by);
                 rxrpc_reduce_call_timer(call, expect_rx_by, now,
                                         rxrpc_timer_set_for_normal);
diff --git a/net/rxrpc/local_event.c b/net/rxrpc/local_event.c
index 93b5d910b4a1..8325f1b86840 100644
--- a/net/rxrpc/local_event.c
+++ b/net/rxrpc/local_event.c
@@ -71,7 +71,8 @@ static void rxrpc_send_version_request(struct rxrpc_local *local,
 
         ret = kernel_sendmsg(local->socket, &msg, iov, 2, len);
         if (ret < 0)
-                _debug("sendmsg failed: %d", ret);
+                trace_rxrpc_tx_fail(local->debug_id, 0, ret,
+                                    rxrpc_tx_fail_version_reply);
 
         _leave("");
 }
diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c
index 8b54e9531d52..b493e6b62740 100644
--- a/net/rxrpc/local_object.c
+++ b/net/rxrpc/local_object.c
@@ -134,22 +134,49 @@ static int rxrpc_open_socket(struct rxrpc_local *local, struct net *net)
                 }
         }
 
-        /* we want to receive ICMP errors */
-        opt = 1;
-        ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
-                                (char *) &opt, sizeof(opt));
-        if (ret < 0) {
-                _debug("setsockopt failed");
-                goto error;
-        }
+        switch (local->srx.transport.family) {
+        case AF_INET:
+                /* we want to receive ICMP errors */
+                opt = 1;
+                ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
+                                        (char *) &opt, sizeof(opt));
+                if (ret < 0) {
+                        _debug("setsockopt failed");
+                        goto error;
+                }
 
-        /* we want to set the don't fragment bit */
-        opt = IP_PMTUDISC_DO;
-        ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
-                                (char *) &opt, sizeof(opt));
-        if (ret < 0) {
-                _debug("setsockopt failed");
-                goto error;
+                /* we want to set the don't fragment bit */
+                opt = IP_PMTUDISC_DO;
+                ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
+                                        (char *) &opt, sizeof(opt));
+                if (ret < 0) {
+                        _debug("setsockopt failed");
+                        goto error;
+                }
+                break;
+
+        case AF_INET6:
+                /* we want to receive ICMP errors */
+                opt = 1;
+                ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
+                                        (char *) &opt, sizeof(opt));
+                if (ret < 0) {
+                        _debug("setsockopt failed");
+                        goto error;
+                }
+
+                /* we want to set the don't fragment bit */
+                opt = IPV6_PMTUDISC_DO;
+                ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
+                                        (char *) &opt, sizeof(opt));
+                if (ret < 0) {
+                        _debug("setsockopt failed");
+                        goto error;
+                }
+                break;
+
+        default:
+                BUG();
         }
 
         /* set the socket up */
diff --git a/net/rxrpc/output.c b/net/rxrpc/output.c
index 7f1fc04775b3..f03de1c59ba3 100644
--- a/net/rxrpc/output.c
+++ b/net/rxrpc/output.c
@@ -210,6 +210,9 @@ int rxrpc_send_ack_packet(struct rxrpc_call *call, bool ping,
         if (ping)
                 call->ping_time = now;
         conn->params.peer->last_tx_at = ktime_get_real();
+        if (ret < 0)
+                trace_rxrpc_tx_fail(call->debug_id, serial, ret,
+                                    rxrpc_tx_fail_call_ack);
 
         if (call->state < RXRPC_CALL_COMPLETE) {
                 if (ret < 0) {
@@ -294,6 +297,10 @@ int rxrpc_send_abort_packet(struct rxrpc_call *call)
         ret = kernel_sendmsg(conn->params.local->socket,
                              &msg, iov, 1, sizeof(pkt));
         conn->params.peer->last_tx_at = ktime_get_real();
+        if (ret < 0)
+                trace_rxrpc_tx_fail(call->debug_id, serial, ret,
+                                    rxrpc_tx_fail_call_abort);
+
 
         rxrpc_put_connection(conn);
         return ret;
@@ -387,6 +394,9 @@ int rxrpc_send_data_packet(struct rxrpc_call *call, struct sk_buff *skb,
         conn->params.peer->last_tx_at = ktime_get_real();
 
         up_read(&conn->params.local->defrag_sem);
+        if (ret < 0)
+                trace_rxrpc_tx_fail(call->debug_id, serial, ret,
+                                    rxrpc_tx_fail_call_data_nofrag);
         if (ret == -EMSGSIZE)
                 goto send_fragmentable;
 
@@ -414,6 +424,17 @@ done:
                                                         rxrpc_timer_set_for_lost_ack);
                         }
                 }
+
+                if (sp->hdr.seq == 1 &&
+                    !test_and_set_bit(RXRPC_CALL_BEGAN_RX_TIMER,
+                                      &call->flags)) {
+                        unsigned long nowj = jiffies, expect_rx_by;
+
+                        expect_rx_by = nowj + call->next_rx_timo;
+                        WRITE_ONCE(call->expect_rx_by, expect_rx_by);
+                        rxrpc_reduce_call_timer(call, expect_rx_by, nowj,
+                                                rxrpc_timer_set_for_normal);
+                }
         }
 
         rxrpc_set_keepalive(call);
@@ -465,6 +486,10 @@ send_fragmentable:
 #endif
         }
 
+        if (ret < 0)
+                trace_rxrpc_tx_fail(call->debug_id, serial, ret,
+                                    rxrpc_tx_fail_call_data_frag);
+
         up_write(&conn->params.local->defrag_sem);
         goto done;
 }
@@ -482,6 +507,7 @@ void rxrpc_reject_packets(struct rxrpc_local *local)
         struct kvec iov[2];
         size_t size;
         __be32 code;
+        int ret;
 
         _enter("%d", local->debug_id);
 
@@ -516,7 +542,10 @@ void rxrpc_reject_packets(struct rxrpc_local *local)
                         whdr.flags      ^= RXRPC_CLIENT_INITIATED;
                         whdr.flags      &= RXRPC_CLIENT_INITIATED;
 
-                        kernel_sendmsg(local->socket, &msg, iov, 2, size);
+                        ret = kernel_sendmsg(local->socket, &msg, iov, 2, size);
+                        if (ret < 0)
+                                trace_rxrpc_tx_fail(local->debug_id, 0, ret,
+                                                    rxrpc_tx_fail_reject);
                 }
 
                 rxrpc_free_skb(skb, rxrpc_skb_rx_freed);
@@ -567,7 +596,8 @@ void rxrpc_send_keepalive(struct rxrpc_peer *peer)
 
         ret = kernel_sendmsg(peer->local->socket, &msg, iov, 2, len);
         if (ret < 0)
-                _debug("sendmsg failed: %d", ret);
+                trace_rxrpc_tx_fail(peer->debug_id, 0, ret,
+                                    rxrpc_tx_fail_version_keepalive);
 
         peer->last_tx_at = ktime_get_real();
         _leave("");
diff --git a/net/rxrpc/peer_event.c b/net/rxrpc/peer_event.c
index 78c2f95d1f22..0ed8b651cec2 100644
--- a/net/rxrpc/peer_event.c
+++ b/net/rxrpc/peer_event.c
@@ -28,39 +28,39 @@ static void rxrpc_store_error(struct rxrpc_peer *, struct sock_exterr_skb *);
  * Find the peer associated with an ICMP packet.
  */
 static struct rxrpc_peer *rxrpc_lookup_peer_icmp_rcu(struct rxrpc_local *local,
-                                                     const struct sk_buff *skb)
+                                                     const struct sk_buff *skb,
+                                                     struct sockaddr_rxrpc *srx)
 {
         struct sock_exterr_skb *serr = SKB_EXT_ERR(skb);
-        struct sockaddr_rxrpc srx;
 
         _enter("");
 
-        memset(&srx, 0, sizeof(srx));
-        srx.transport_type = local->srx.transport_type;
-        srx.transport_len = local->srx.transport_len;
-        srx.transport.family = local->srx.transport.family;
+        memset(srx, 0, sizeof(*srx));
+        srx->transport_type = local->srx.transport_type;
+        srx->transport_len = local->srx.transport_len;
+        srx->transport.family = local->srx.transport.family;
 
         /* Can we see an ICMP4 packet on an ICMP6 listening socket?  and vice
          * versa?
          */
-        switch (srx.transport.family) {
+        switch (srx->transport.family) {
         case AF_INET:
-                srx.transport.sin.sin_port = serr->port;
+                srx->transport.sin.sin_port = serr->port;
                 switch (serr->ee.ee_origin) {
                 case SO_EE_ORIGIN_ICMP:
                         _net("Rx ICMP");
-                        memcpy(&srx.transport.sin.sin_addr,
+                        memcpy(&srx->transport.sin.sin_addr,
                                skb_network_header(skb) + serr->addr_offset,
                                sizeof(struct in_addr));
                         break;
                 case SO_EE_ORIGIN_ICMP6:
                         _net("Rx ICMP6 on v4 sock");
-                        memcpy(&srx.transport.sin.sin_addr,
+                        memcpy(&srx->transport.sin.sin_addr,
                                skb_network_header(skb) + serr->addr_offset + 12,
                                sizeof(struct in_addr));
                         break;
                 default:
-                        memcpy(&srx.transport.sin.sin_addr, &ip_hdr(skb)->saddr,
+                        memcpy(&srx->transport.sin.sin_addr, &ip_hdr(skb)->saddr,
                                sizeof(struct in_addr));
                         break;
                 }
@@ -68,25 +68,25 @@ static struct rxrpc_peer *rxrpc_lookup_peer_icmp_rcu(struct rxrpc_local *local,
 
 #ifdef CONFIG_AF_RXRPC_IPV6
         case AF_INET6:
-                srx.transport.sin6.sin6_port = serr->port;
+                srx->transport.sin6.sin6_port = serr->port;
                 switch (serr->ee.ee_origin) {
                 case SO_EE_ORIGIN_ICMP6:
                         _net("Rx ICMP6");
-                        memcpy(&srx.transport.sin6.sin6_addr,
+                        memcpy(&srx->transport.sin6.sin6_addr,
                                skb_network_header(skb) + serr->addr_offset,
                                sizeof(struct in6_addr));
                         break;
                 case SO_EE_ORIGIN_ICMP:
                         _net("Rx ICMP on v6 sock");
-                        srx.transport.sin6.sin6_addr.s6_addr32[0] = 0;
-                        srx.transport.sin6.sin6_addr.s6_addr32[1] = 0;
-                        srx.transport.sin6.sin6_addr.s6_addr32[2] = htonl(0xffff);
-                        memcpy(srx.transport.sin6.sin6_addr.s6_addr + 12,
+                        srx->transport.sin6.sin6_addr.s6_addr32[0] = 0;
+                        srx->transport.sin6.sin6_addr.s6_addr32[1] = 0;
+                        srx->transport.sin6.sin6_addr.s6_addr32[2] = htonl(0xffff);
+                        memcpy(srx->transport.sin6.sin6_addr.s6_addr + 12,
                                skb_network_header(skb) + serr->addr_offset,
                                sizeof(struct in_addr));
                         break;
                 default:
-                        memcpy(&srx.transport.sin6.sin6_addr,
+                        memcpy(&srx->transport.sin6.sin6_addr,
                                &ipv6_hdr(skb)->saddr,
                                sizeof(struct in6_addr));
                         break;
@@ -98,7 +98,7 @@ static struct rxrpc_peer *rxrpc_lookup_peer_icmp_rcu(struct rxrpc_local *local,
                 BUG();
         }
 
-        return rxrpc_lookup_peer_rcu(local, &srx);
+        return rxrpc_lookup_peer_rcu(local, srx);
 }
 
 /*
@@ -146,6 +146,7 @@ static void rxrpc_adjust_mtu(struct rxrpc_peer *peer, struct sock_exterr_skb *se
 void rxrpc_error_report(struct sock *sk)
 {
         struct sock_exterr_skb *serr;
+        struct sockaddr_rxrpc srx;
         struct rxrpc_local *local = sk->sk_user_data;
         struct rxrpc_peer *peer;
         struct sk_buff *skb;
@@ -166,7 +167,7 @@ void rxrpc_error_report(struct sock *sk)
         }
 
         rcu_read_lock();
-        peer = rxrpc_lookup_peer_icmp_rcu(local, skb);
+        peer = rxrpc_lookup_peer_icmp_rcu(local, skb, &srx);
         if (peer && !rxrpc_get_peer_maybe(peer))
                 peer = NULL;
         if (!peer) {
@@ -176,6 +177,8 @@ void rxrpc_error_report(struct sock *sk)
                 return;
         }
 
+        trace_rxrpc_rx_icmp(peer, &serr->ee, &srx);
+
         if ((serr->ee.ee_origin == SO_EE_ORIGIN_ICMP &&
              serr->ee.ee_type == ICMP_DEST_UNREACH &&
              serr->ee.ee_code == ICMP_FRAG_NEEDED)) {
@@ -209,9 +212,6 @@ static void rxrpc_store_error(struct rxrpc_peer *peer,
 
         ee = &serr->ee;
 
-        _net("Rx Error o=%d t=%d c=%d e=%d",
-             ee->ee_origin, ee->ee_type, ee->ee_code, ee->ee_errno);
-
         err = ee->ee_errno;
 
         switch (ee->ee_origin) {
diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c
index 588fea0dd362..6c0ae27fff84 100644
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -664,7 +664,8 @@ static int rxkad_issue_challenge(struct rxrpc_connection *conn)
 
         ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 2, len);
         if (ret < 0) {
-                _debug("sendmsg failed: %d", ret);
+                trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
+                                    rxrpc_tx_fail_conn_challenge);
                 return -EAGAIN;
         }
 
@@ -719,7 +720,8 @@ static int rxkad_send_response(struct rxrpc_connection *conn,
 
         ret = kernel_sendmsg(conn->params.local->socket, &msg, iov, 3, len);
         if (ret < 0) {
-                _debug("sendmsg failed: %d", ret);
+                trace_rxrpc_tx_fail(conn->debug_id, serial, ret,
+                                    rxrpc_tx_fail_conn_response);
                 return -EAGAIN;
         }
 
diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index 206e802ccbdc..be01f9c5d963 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -223,6 +223,15 @@ static void rxrpc_queue_packet(struct rxrpc_sock *rx, struct rxrpc_call *call,
 
         ret = rxrpc_send_data_packet(call, skb, false);
         if (ret < 0) {
+                switch (ret) {
+                case -ENETUNREACH:
+                case -EHOSTUNREACH:
+                case -ECONNREFUSED:
+                        rxrpc_set_call_completion(call,
+                                                  RXRPC_CALL_LOCAL_ERROR,
+                                                  0, ret);
+                        goto out;
+                }
                 _debug("need instant resend %d", ret);
                 rxrpc_instant_resend(call, ix);
         } else {
@@ -241,6 +250,7 @@ static void rxrpc_queue_packet(struct rxrpc_sock *rx, struct rxrpc_call *call,
                                         rxrpc_timer_set_for_send);
         }
 
+out:
         rxrpc_free_skb(skb, rxrpc_skb_tx_freed);
         _leave("");
 }
diff --git a/net/sched/act_skbedit.c b/net/sched/act_skbedit.c
index ddf69fc01bdf..6138d1d71900 100644
--- a/net/sched/act_skbedit.c
+++ b/net/sched/act_skbedit.c
@@ -121,7 +121,8 @@ static int tcf_skbedit_init(struct net *net, struct nlattr *nla,
                 return 0;
 
         if (!flags) {
-                tcf_idr_release(*a, bind);
+                if (exists)
+                        tcf_idr_release(*a, bind);
                 return -EINVAL;
         }
 
diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c
index bbcbdce732cc..ad050d7d4b46 100644
--- a/net/sched/act_skbmod.c
+++ b/net/sched/act_skbmod.c
@@ -131,8 +131,11 @@ static int tcf_skbmod_init(struct net *net, struct nlattr *nla,
         if (exists && bind)
                 return 0;
 
-        if (!lflags)
+        if (!lflags) {
+                if (exists)
+                        tcf_idr_release(*a, bind);
                 return -EINVAL;
+        }
 
         if (!exists) {
                 ret = tcf_idr_create(tn, parm->index, est, a,
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index b66754f52a9f..963e4bf0aab8 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -152,8 +152,8 @@ static struct tcf_proto *tcf_proto_create(const char *kind, u32 protocol,
                         NL_SET_ERR_MSG(extack, "TC classifier not found");
                         err = -ENOENT;
                 }
-                goto errout;
 #endif
+                goto errout;
         }
         tp->classify = tp->ops->classify;
         tp->protocol = protocol;
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 837806dd5799..a47179da24e6 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -1024,8 +1024,9 @@ static void sctp_assoc_bh_rcv(struct work_struct *work)
         struct sctp_endpoint *ep;
         struct sctp_chunk *chunk;
         struct sctp_inq *inqueue;
-        int state;
+        int first_time = 1;     /* is this the first time through the loop */
         int error = 0;
+        int state;
 
         /* The association should be held so we should be safe. */
         ep = asoc->ep;
@@ -1036,6 +1037,30 @@ static void sctp_assoc_bh_rcv(struct work_struct *work)
                 state = asoc->state;
                 subtype = SCTP_ST_CHUNK(chunk->chunk_hdr->type);
 
+                /* If the first chunk in the packet is AUTH, do special
+                 * processing specified in Section 6.3 of SCTP-AUTH spec
+                 */
+                if (first_time && subtype.chunk == SCTP_CID_AUTH) {
+                        struct sctp_chunkhdr *next_hdr;
+
+                        next_hdr = sctp_inq_peek(inqueue);
+                        if (!next_hdr)
+                                goto normal;
+
+                        /* If the next chunk is COOKIE-ECHO, skip the AUTH
+                         * chunk while saving a pointer to it so we can do
+                         * Authentication later (during cookie-echo
+                         * processing).
+                         */
+                        if (next_hdr->type == SCTP_CID_COOKIE_ECHO) {
+                                chunk->auth_chunk = skb_clone(chunk->skb,
+                                                              GFP_ATOMIC);
+                                chunk->auth = 1;
+                                continue;
+                        }
+                }
+
+normal:
                 /* SCTP-AUTH, Section 6.3:
                  *    The receiver has a list of chunk types which it expects
                  *    to be received only after an AUTH-chunk.  This list has
@@ -1074,6 +1099,9 @@ static void sctp_assoc_bh_rcv(struct work_struct *work)
                 /* If there is an error on chunk, discard this packet. */
                 if (error && chunk)
                         chunk->pdiscard = 1;
+
+                if (first_time)
+                        first_time = 0;
         }
         sctp_association_put(asoc);
 }
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 5a4fb1dc8400..e62addb60434 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1152,7 +1152,7 @@ struct sctp_chunk *sctp_make_violation_max_retrans(
                                         const struct sctp_association *asoc,
                                         const struct sctp_chunk *chunk)
 {
-        static const char error[] = "Association exceeded its max_retans count";
+        static const char error[] = "Association exceeded its max_retrans count";
         size_t payload_len = sizeof(error) + sizeof(struct sctp_errhdr);
         struct sctp_chunk *retval;
 
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 28c070e187c2..c9ae3404b1bb 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -153,10 +153,7 @@ static enum sctp_disposition sctp_sf_violation_chunk(
                                         struct sctp_cmd_seq *commands);
 
 static enum sctp_ierror sctp_sf_authenticate(
-                                        struct net *net,
-                                        const struct sctp_endpoint *ep,
                                         const struct sctp_association *asoc,
-                                        const union sctp_subtype type,
                                         struct sctp_chunk *chunk);
 
 static enum sctp_disposition __sctp_sf_do_9_1_abort(
@@ -626,6 +623,38 @@ enum sctp_disposition sctp_sf_do_5_1C_ack(struct net *net,
         return SCTP_DISPOSITION_CONSUME;
 }
 
+static bool sctp_auth_chunk_verify(struct net *net, struct sctp_chunk *chunk,
+                                   const struct sctp_association *asoc)
+{
+        struct sctp_chunk auth;
+
+        if (!chunk->auth_chunk)
+                return true;
+
+        /* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
+         * is supposed to be authenticated and we have to do delayed
+         * authentication.  We've just recreated the association using
+         * the information in the cookie and now it's much easier to
+         * do the authentication.
+         */
+
+        /* Make sure that we and the peer are AUTH capable */
+        if (!net->sctp.auth_enable || !asoc->peer.auth_capable)
+                return false;
+
+        /* set-up our fake chunk so that we can process it */
+        auth.skb = chunk->auth_chunk;
+        auth.asoc = chunk->asoc;
+        auth.sctp_hdr = chunk->sctp_hdr;
+        auth.chunk_hdr = (struct sctp_chunkhdr *)
+                                skb_push(chunk->auth_chunk,
+                                         sizeof(struct sctp_chunkhdr));
+        skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr));
+        auth.transport = chunk->transport;
+
+        return sctp_sf_authenticate(asoc, &auth) == SCTP_IERROR_NO_ERROR;
+}
+
 /*
  * Respond to a normal COOKIE ECHO chunk.
  * We are the side that is being asked for an association.
@@ -763,37 +792,9 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
         if (error)
                 goto nomem_init;
 
-        /* SCTP-AUTH:  auth_chunk pointer is only set when the cookie-echo
-         * is supposed to be authenticated and we have to do delayed
-         * authentication.  We've just recreated the association using
-         * the information in the cookie and now it's much easier to
-         * do the authentication.
-         */
-        if (chunk->auth_chunk) {
-                struct sctp_chunk auth;
-                enum sctp_ierror ret;
-
-                /* Make sure that we and the peer are AUTH capable */
-                if (!net->sctp.auth_enable || !new_asoc->peer.auth_capable) {
-                        sctp_association_free(new_asoc);
-                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
-                }
-
-                /* set-up our fake chunk so that we can process it */
-                auth.skb = chunk->auth_chunk;
-                auth.asoc = chunk->asoc;
-                auth.sctp_hdr = chunk->sctp_hdr;
-                auth.chunk_hdr = (struct sctp_chunkhdr *)
-                                        skb_push(chunk->auth_chunk,
-                                                 sizeof(struct sctp_chunkhdr));
-                skb_pull(chunk->auth_chunk, sizeof(struct sctp_chunkhdr));
-                auth.transport = chunk->transport;
-
-                ret = sctp_sf_authenticate(net, ep, new_asoc, type, &auth);
-                if (ret != SCTP_IERROR_NO_ERROR) {
-                        sctp_association_free(new_asoc);
-                        return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
-                }
+        if (!sctp_auth_chunk_verify(net, chunk, new_asoc)) {
+                sctp_association_free(new_asoc);
+                return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
         }
 
         repl = sctp_make_cookie_ack(new_asoc, chunk);
@@ -1797,13 +1798,15 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
         if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
                 goto nomem;
 
+        if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
+                return SCTP_DISPOSITION_DISCARD;
+
         /* Make sure no new addresses are being added during the
          * restart.  Though this is a pretty complicated attack
          * since you'd have to get inside the cookie.
          */
-        if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands)) {
+        if (!sctp_sf_check_restart_addrs(new_asoc, asoc, chunk, commands))
                 return SCTP_DISPOSITION_CONSUME;
-        }
 
         /* If the endpoint is in the SHUTDOWN-ACK-SENT state and recognizes
          * the peer has restarted (Action A), it MUST NOT setup a new
@@ -1912,6 +1915,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
         if (sctp_auth_asoc_init_active_key(new_asoc, GFP_ATOMIC))
                 goto nomem;
 
+        if (!sctp_auth_chunk_verify(net, chunk, new_asoc))
+                return SCTP_DISPOSITION_DISCARD;
+
         /* Update the content of current association.  */
         sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
         sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
@@ -2009,6 +2015,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_d(
          * a COOKIE ACK.
          */
 
+        if (!sctp_auth_chunk_verify(net, chunk, asoc))
+                return SCTP_DISPOSITION_DISCARD;
+
         /* Don't accidentally move back into established state. */
         if (asoc->state < SCTP_STATE_ESTABLISHED) {
                 sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP,
@@ -4171,10 +4180,7 @@ gen_shutdown:
  * The return value is the disposition of the chunk.
  */
 static enum sctp_ierror sctp_sf_authenticate(
-                                        struct net *net,
-                                        const struct sctp_endpoint *ep,
                                         const struct sctp_association *asoc,
-                                        const union sctp_subtype type,
                                         struct sctp_chunk *chunk)
 {
         struct sctp_shared_key *sh_key = NULL;
@@ -4275,7 +4281,7 @@ enum sctp_disposition sctp_sf_eat_auth(struct net *net,
                                                   commands);
 
         auth_hdr = (struct sctp_authhdr *)chunk->skb->data;
-        error = sctp_sf_authenticate(net, ep, asoc, type, chunk);
+        error = sctp_sf_authenticate(asoc, chunk);
         switch (error) {
         case SCTP_IERROR_AUTH_BAD_HMAC:
                 /* Generate the ERROR chunk and discard the rest
diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c
index 84207ad33e8e..8cb7d9858270 100644
--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -715,7 +715,6 @@ struct sctp_ulpevent *sctp_ulpevent_make_rcvmsg(struct sctp_association *asoc,
         return event;
 
 fail_mark:
-        sctp_chunk_put(chunk);
         kfree_skb(skb);
 fail:
         return NULL;
diff --git a/net/tipc/node.c b/net/tipc/node.c
index baaf93f12cbd..f29549de9245 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -1950,6 +1950,7 @@ out:
 int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
 {
         struct net *net = genl_info_net(info);
+        struct nlattr *attrs[TIPC_NLA_LINK_MAX + 1];
         struct tipc_nl_msg msg;
         char *name;
         int err;
@@ -1957,9 +1958,19 @@ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
         msg.portid = info->snd_portid;
         msg.seq = info->snd_seq;
 
-        if (!info->attrs[TIPC_NLA_LINK_NAME])
+        if (!info->attrs[TIPC_NLA_LINK])
                 return -EINVAL;
-        name = nla_data(info->attrs[TIPC_NLA_LINK_NAME]);
+
+        err = nla_parse_nested(attrs, TIPC_NLA_LINK_MAX,
+                               info->attrs[TIPC_NLA_LINK],
+                               tipc_nl_link_policy, info->extack);
+        if (err)
+                return err;
+
+        if (!attrs[TIPC_NLA_LINK_NAME])
+                return -EINVAL;
+
+        name = nla_data(attrs[TIPC_NLA_LINK_NAME]);
 
         msg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
         if (!msg.skb)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 252a52ae0893..6be21575503a 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1516,10 +1516,10 @@ static void tipc_sk_set_orig_addr(struct msghdr *m, struct sk_buff *skb)
 
         srcaddr->sock.family = AF_TIPC;
         srcaddr->sock.addrtype = TIPC_ADDR_ID;
+        srcaddr->sock.scope = 0;
         srcaddr->sock.addr.id.ref = msg_origport(hdr);
         srcaddr->sock.addr.id.node = msg_orignode(hdr);
         srcaddr->sock.addr.name.domain = 0;
-        srcaddr->sock.scope = 0;
         m->msg_namelen = sizeof(struct sockaddr_tipc);
 
         if (!msg_in_group(hdr))
@@ -1528,6 +1528,7 @@ static void tipc_sk_set_orig_addr(struct msghdr *m, struct sk_buff *skb)
         /* Group message users may also want to know sending member's id */
         srcaddr->member.family = AF_TIPC;
         srcaddr->member.addrtype = TIPC_ADDR_NAME;
+        srcaddr->member.scope = 0;
         srcaddr->member.addr.name.name.type = msg_nametype(hdr);
         srcaddr->member.addr.name.name.instance = TIPC_SKB_CB(skb)->orig_member;
         srcaddr->member.addr.name.domain = 0;
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index cc03e00785c7..20cd93be6236 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -135,6 +135,7 @@ retry:
                         offset -= sg->offset;
                         ctx->partially_sent_offset = offset;
                         ctx->partially_sent_record = (void *)sg;
+                        ctx->in_tcp_sendpages = false;
                         return ret;
                 }
 
@@ -248,16 +249,13 @@ static void tls_sk_proto_close(struct sock *sk, long timeout)
         struct tls_context *ctx = tls_get_ctx(sk);
         long timeo = sock_sndtimeo(sk, 0);
         void (*sk_proto_close)(struct sock *sk, long timeout);
+        bool free_ctx = false;
 
         lock_sock(sk);
         sk_proto_close = ctx->sk_proto_close;
 
-        if (ctx->conf == TLS_HW_RECORD)
-                goto skip_tx_cleanup;
-
-        if (ctx->conf == TLS_BASE) {
-                kfree(ctx);
-                ctx = NULL;
+        if (ctx->conf == TLS_BASE || ctx->conf == TLS_HW_RECORD) {
+                free_ctx = true;
                 goto skip_tx_cleanup;
         }
 
@@ -294,7 +292,7 @@ skip_tx_cleanup:
         /* free ctx for TLS_HW_RECORD, used by tcp_set_state
          * for sk->sk_prot->unhash [tls_hw_unhash]
          */
-        if (ctx && ctx->conf == TLS_HW_RECORD)
+        if (free_ctx)
                 kfree(ctx);
 }
 
diff --git a/net/wireless/core.c b/net/wireless/core.c
index a6f3cac8c640..c0fd8a85e7f7 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -95,6 +95,9 @@ static int cfg80211_dev_check_name(struct cfg80211_registered_device *rdev,
 
         ASSERT_RTNL();
 
+        if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN)
+                return -EINVAL;
+
         /* prohibit calling the thing phy%d when %d is not its number */
         sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken);
         if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) {
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index ff28f8feeb09..a052693c2e85 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -9214,6 +9214,7 @@ static int nl80211_connect(struct sk_buff *skb, struct genl_info *info)
 
         if (nla_get_flag(info->attrs[NL80211_ATTR_EXTERNAL_AUTH_SUPPORT])) {
                 if (!info->attrs[NL80211_ATTR_SOCKET_OWNER]) {
+                        kzfree(connkeys);
                         GENL_SET_ERR_MSG(info,
                                          "external auth requires connection ownership");
                         return -EINVAL;
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index 16c7e4ef5820..ac3e12c32aa3 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1026,6 +1026,7 @@ static int regdb_query_country(const struct fwdb_header *db,
 
                         if (!tmp_rd) {
                                 kfree(regdom);
+                                kfree(wmm_ptrs);
                                 return -ENOMEM;
                         }
                         regdom = tmp_rd;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index f9d2f2233f09..6c177ae7a6d9 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2175,6 +2175,12 @@ struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
         return afinfo;
 }
 
+void xfrm_flush_gc(void)
+{
+        flush_work(&xfrm_state_gc_work);
+}
+EXPORT_SYMBOL(xfrm_flush_gc);
+
 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
 void xfrm_state_delete_tunnel(struct xfrm_state *x)
 {