196 files changed, 2125 insertions, 1284 deletions

diff --git a/net/ax25/ax25_ip.c b/net/ax25/ax25_ip.c
index 70417e9b932d..314bbc8010fb 100644
--- a/net/ax25/ax25_ip.c
+++ b/net/ax25/ax25_ip.c
@@ -114,6 +114,7 @@ netdev_tx_t ax25_ip_xmit(struct sk_buff *skb)
         dst = (ax25_address *)(bp + 1);
         src = (ax25_address *)(bp + 8);
 
+        ax25_route_lock_use();
         route = ax25_get_route(dst, NULL);
         if (route) {
                 digipeat = route->digipeat;
@@ -206,9 +207,8 @@ netdev_tx_t ax25_ip_xmit(struct sk_buff *skb)
         ax25_queue_xmit(skb, dev);
 
 put:
-        if (route)
-                ax25_put_route(route);
 
+        ax25_route_lock_unuse();
         return NETDEV_TX_OK;
 }
 
diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c
index a0eff323af12..66f74c85cf6b 100644
--- a/net/ax25/ax25_route.c
+++ b/net/ax25/ax25_route.c
@@ -40,7 +40,7 @@
 #include <linux/export.h>
 
 static ax25_route *ax25_route_list;
-static DEFINE_RWLOCK(ax25_route_lock);
+DEFINE_RWLOCK(ax25_route_lock);
 
 void ax25_rt_device_down(struct net_device *dev)
 {
@@ -335,6 +335,7 @@ const struct seq_operations ax25_rt_seqops = {
  *      Find AX.25 route
  *
  *      Only routes with a reference count of zero can be destroyed.
+ *      Must be called with ax25_route_lock read locked.
  */
 ax25_route *ax25_get_route(ax25_address *addr, struct net_device *dev)
 {
@@ -342,7 +343,6 @@ ax25_route *ax25_get_route(ax25_address *addr, struct net_device *dev)
         ax25_route *ax25_def_rt = NULL;
         ax25_route *ax25_rt;
 
-        read_lock(&ax25_route_lock);
         /*
          *      Bind to the physical interface we heard them on, or the default
          *      route if none is found;
@@ -365,11 +365,6 @@ ax25_route *ax25_get_route(ax25_address *addr, struct net_device *dev)
         if (ax25_spe_rt != NULL)
                 ax25_rt = ax25_spe_rt;
 
-        if (ax25_rt != NULL)
-                ax25_hold_route(ax25_rt);
-
-        read_unlock(&ax25_route_lock);
-
         return ax25_rt;
 }
 
@@ -400,9 +395,12 @@ int ax25_rt_autobind(ax25_cb *ax25, ax25_address *addr)
         ax25_route *ax25_rt;
         int err = 0;
 
-        if ((ax25_rt = ax25_get_route(addr, NULL)) == NULL)
+        ax25_route_lock_use();
+        ax25_rt = ax25_get_route(addr, NULL);
+        if (!ax25_rt) {
+                ax25_route_lock_unuse();
                 return -EHOSTUNREACH;
-
+        }
         if ((ax25->ax25_dev = ax25_dev_ax25dev(ax25_rt->dev)) == NULL) {
                 err = -EHOSTUNREACH;
                 goto put;
@@ -437,8 +435,7 @@ int ax25_rt_autobind(ax25_cb *ax25, ax25_address *addr)
         }
 
 put:
-        ax25_put_route(ax25_rt);
-
+        ax25_route_lock_unuse();
         return err;
 }
 
diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
index e8090f099eb8..ef0dec20c7d8 100644
--- a/net/batman-adv/bat_v_elp.c
+++ b/net/batman-adv/bat_v_elp.c
@@ -104,6 +104,9 @@ static u32 batadv_v_elp_get_throughput(struct batadv_hardif_neigh_node *neigh)
 
                 ret = cfg80211_get_station(real_netdev, neigh->addr, &sinfo);
 
+                /* free the TID stats immediately */
+                cfg80211_sinfo_release_content(&sinfo);
+
                 dev_put(real_netdev);
                 if (ret == -ENOENT) {
                         /* Node is not associated anymore! It would be
diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
index 508f4416dfc9..415d494cbe22 100644
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -20,7 +20,6 @@
 #include "main.h"
 
 #include <linux/atomic.h>
-#include <linux/bug.h>
 #include <linux/byteorder/generic.h>
 #include <linux/errno.h>
 #include <linux/gfp.h>
@@ -179,8 +178,10 @@ static bool batadv_is_on_batman_iface(const struct net_device *net_dev)
         parent_dev = __dev_get_by_index((struct net *)parent_net,
                                         dev_get_iflink(net_dev));
         /* if we got a NULL parent_dev there is something broken.. */
-        if (WARN(!parent_dev, "Cannot find parent device"))
+        if (!parent_dev) {
+                pr_err("Cannot find parent device\n");
                 return false;
+        }
 
         if (batadv_mutual_parents(net_dev, net, parent_dev, parent_net))
                 return false;
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index 5db5a0a4c959..ffc83bebfe40 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -221,10 +221,14 @@ static netdev_tx_t batadv_interface_tx(struct sk_buff *skb,
 
         netif_trans_update(soft_iface);
         vid = batadv_get_vid(skb, 0);
+
+        skb_reset_mac_header(skb);
         ethhdr = eth_hdr(skb);
 
         switch (ntohs(ethhdr->h_proto)) {
         case ETH_P_8021Q:
+                if (!pskb_may_pull(skb, sizeof(*vhdr)))
+                        goto dropped;
                 vhdr = vlan_eth_hdr(skb);
 
                 /* drop batman-in-batman packets to prevent loops */
diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
index fa2644d276ef..e31e1b20f7f4 100644
--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -13,27 +13,13 @@
 #include <net/sock.h>
 #include <net/tcp.h>
 
-static __always_inline u32 bpf_test_run_one(struct bpf_prog *prog, void *ctx,
-                struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE])
-{
-        u32 ret;
-
-        preempt_disable();
-        rcu_read_lock();
-        bpf_cgroup_storage_set(storage);
-        ret = BPF_PROG_RUN(prog, ctx);
-        rcu_read_unlock();
-        preempt_enable();
-
-        return ret;
-}
-
-static int bpf_test_run(struct bpf_prog *prog, void *ctx, u32 repeat, u32 *ret,
-                        u32 *time)
+static int bpf_test_run(struct bpf_prog *prog, void *ctx, u32 repeat,
+                        u32 *retval, u32 *time)
 {
         struct bpf_cgroup_storage *storage[MAX_BPF_CGROUP_STORAGE_TYPE] = { 0 };
         enum bpf_cgroup_storage_type stype;
         u64 time_start, time_spent = 0;
+        int ret = 0;
         u32 i;
 
         for_each_cgroup_storage_type(stype) {
@@ -48,25 +34,42 @@ static int bpf_test_run(struct bpf_prog *prog, void *ctx, u32 repeat, u32 *ret,
 
         if (!repeat)
                 repeat = 1;
+
+        rcu_read_lock();
+        preempt_disable();
         time_start = ktime_get_ns();
         for (i = 0; i < repeat; i++) {
-                *ret = bpf_test_run_one(prog, ctx, storage);
+                bpf_cgroup_storage_set(storage);
+                *retval = BPF_PROG_RUN(prog, ctx);
+
+                if (signal_pending(current)) {
+                        ret = -EINTR;
+                        break;
+                }
+
                 if (need_resched()) {
-                        if (signal_pending(current))
-                                break;
                         time_spent += ktime_get_ns() - time_start;
+                        preempt_enable();
+                        rcu_read_unlock();
+
                         cond_resched();
+
+                        rcu_read_lock();
+                        preempt_disable();
                         time_start = ktime_get_ns();
                 }
         }
         time_spent += ktime_get_ns() - time_start;
+        preempt_enable();
+        rcu_read_unlock();
+
         do_div(time_spent, repeat);
         *time = time_spent > U32_MAX ? U32_MAX : (u32)time_spent;
 
         for_each_cgroup_storage_type(stype)
                 bpf_cgroup_storage_free(storage[stype]);
 
-        return 0;
+        return ret;
 }
 
 static int bpf_test_finish(const union bpf_attr *kattr,
diff --git a/net/bpfilter/bpfilter_kern.c b/net/bpfilter/bpfilter_kern.c
index 7acfc83087d5..7ee4fea93637 100644
--- a/net/bpfilter/bpfilter_kern.c
+++ b/net/bpfilter/bpfilter_kern.c
@@ -13,39 +13,24 @@
 extern char bpfilter_umh_start;
 extern char bpfilter_umh_end;
 
-static struct umh_info info;
-/* since ip_getsockopt() can run in parallel, serialize access to umh */
-static DEFINE_MUTEX(bpfilter_lock);
-
-static void shutdown_umh(struct umh_info *info)
+static void shutdown_umh(void)
 {
         struct task_struct *tsk;
 
-        if (!info->pid)
+        if (bpfilter_ops.stop)
                 return;
-        tsk = get_pid_task(find_vpid(info->pid), PIDTYPE_PID);
+
+        tsk = get_pid_task(find_vpid(bpfilter_ops.info.pid), PIDTYPE_PID);
         if (tsk) {
                 force_sig(SIGKILL, tsk);
                 put_task_struct(tsk);
         }
-        fput(info->pipe_to_umh);
-        fput(info->pipe_from_umh);
-        info->pid = 0;
 }
 
 static void __stop_umh(void)
 {
-        if (IS_ENABLED(CONFIG_INET)) {
-                bpfilter_process_sockopt = NULL;
-                shutdown_umh(&info);
-        }
-}
-
-static void stop_umh(void)
-{
-        mutex_lock(&bpfilter_lock);
-        __stop_umh();
-        mutex_unlock(&bpfilter_lock);
+        if (IS_ENABLED(CONFIG_INET))
+                shutdown_umh();
 }
 
 static int __bpfilter_process_sockopt(struct sock *sk, int optname,
@@ -63,10 +48,10 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname,
         req.cmd = optname;
         req.addr = (long __force __user)optval;
         req.len = optlen;
-        mutex_lock(&bpfilter_lock);
-        if (!info.pid)
+        if (!bpfilter_ops.info.pid)
                 goto out;
-        n = __kernel_write(info.pipe_to_umh, &req, sizeof(req), &pos);
+        n = __kernel_write(bpfilter_ops.info.pipe_to_umh, &req, sizeof(req),
+                           &pos);
         if (n != sizeof(req)) {
                 pr_err("write fail %zd\n", n);
                 __stop_umh();
@@ -74,7 +59,8 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname,
                 goto out;
         }
         pos = 0;
-        n = kernel_read(info.pipe_from_umh, &reply, sizeof(reply), &pos);
+        n = kernel_read(bpfilter_ops.info.pipe_from_umh, &reply, sizeof(reply),
+                        &pos);
         if (n != sizeof(reply)) {
                 pr_err("read fail %zd\n", n);
                 __stop_umh();
@@ -83,37 +69,59 @@ static int __bpfilter_process_sockopt(struct sock *sk, int optname,
         }
         ret = reply.status;
 out:
-        mutex_unlock(&bpfilter_lock);
         return ret;
 }
 
-static int __init load_umh(void)
+static int start_umh(void)
 {
         int err;
 
         /* fork usermode process */
-        info.cmdline = "bpfilter_umh";
         err = fork_usermode_blob(&bpfilter_umh_start,
                                  &bpfilter_umh_end - &bpfilter_umh_start,
-                                 &info);
+                                 &bpfilter_ops.info);
         if (err)
                 return err;
-        pr_info("Loaded bpfilter_umh pid %d\n", info.pid);
+        bpfilter_ops.stop = false;
+        pr_info("Loaded bpfilter_umh pid %d\n", bpfilter_ops.info.pid);
 
         /* health check that usermode process started correctly */
         if (__bpfilter_process_sockopt(NULL, 0, NULL, 0, 0) != 0) {
-                stop_umh();
+                shutdown_umh();
                 return -EFAULT;
         }
-        if (IS_ENABLED(CONFIG_INET))
-                bpfilter_process_sockopt = &__bpfilter_process_sockopt;
 
         return 0;
 }
 
+static int __init load_umh(void)
+{
+        int err;
+
+        mutex_lock(&bpfilter_ops.lock);
+        if (!bpfilter_ops.stop) {
+                err = -EFAULT;
+                goto out;
+        }
+        err = start_umh();
+        if (!err && IS_ENABLED(CONFIG_INET)) {
+                bpfilter_ops.sockopt = &__bpfilter_process_sockopt;
+                bpfilter_ops.start = &start_umh;
+        }
+out:
+        mutex_unlock(&bpfilter_ops.lock);
+        return err;
+}
+
 static void __exit fini_umh(void)
 {
-        stop_umh();
+        mutex_lock(&bpfilter_ops.lock);
+        if (IS_ENABLED(CONFIG_INET)) {
+                shutdown_umh();
+                bpfilter_ops.start = NULL;
+                bpfilter_ops.sockopt = NULL;
+        }
+        mutex_unlock(&bpfilter_ops.lock);
 }
 module_init(load_umh);
 module_exit(fini_umh);
diff --git a/net/bpfilter/bpfilter_umh_blob.S b/net/bpfilter/bpfilter_umh_blob.S
index 40311d10d2f2..9ea6100dca87 100644
--- a/net/bpfilter/bpfilter_umh_blob.S
+++ b/net/bpfilter/bpfilter_umh_blob.S
@@ -1,5 +1,5 @@
 /* SPDX-License-Identifier: GPL-2.0 */
-        .section .init.rodata, "a"
+        .section .rodata, "a"
         .global bpfilter_umh_start
 bpfilter_umh_start:
         .incbin "net/bpfilter/bpfilter_umh"
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index fe3c758791ca..9e14767500ea 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -1128,6 +1128,8 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
                         err = -ENOMEM;
                         goto err_unlock;
                 }
+                if (swdev_notify)
+                        fdb->added_by_user = 1;
                 fdb->added_by_external_learn = 1;
                 fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify);
         } else {
@@ -1147,6 +1149,9 @@ int br_fdb_external_learn_add(struct net_bridge *br, struct net_bridge_port *p,
                         modified = true;
                 }
 
+                if (swdev_notify)
+                        fdb->added_by_user = 1;
+
                 if (modified)
                         fdb_notify(br, fdb, RTM_NEWNEIGH, swdev_notify);
         }
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index 5372e2042adf..48ddc60b4fbd 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -36,10 +36,10 @@ static inline int should_deliver(const struct net_bridge_port *p,
 
 int br_dev_queue_push_xmit(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
+        skb_push(skb, ETH_HLEN);
         if (!is_skb_forwardable(skb->dev, skb))
                 goto drop;
 
-        skb_push(skb, ETH_HLEN);
         br_drop_fake_rtable(skb);
 
         if (skb->ip_summed == CHECKSUM_PARTIAL &&
@@ -65,6 +65,7 @@ EXPORT_SYMBOL_GPL(br_dev_queue_push_xmit);
 
 int br_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
+        skb->tstamp = 0;
         return NF_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING,
                        net, sk, skb, NULL, skb->dev,
                        br_dev_queue_push_xmit);
@@ -97,12 +98,11 @@ static void __br_forward(const struct net_bridge_port *to,
                 net = dev_net(indev);
         } else {
                 if (unlikely(netpoll_tx_running(to->br->dev))) {
-                        if (!is_skb_forwardable(skb->dev, skb)) {
+                        skb_push(skb, ETH_HLEN);
+                        if (!is_skb_forwardable(skb->dev, skb))
                                 kfree_skb(skb);
-                        } else {
-                                skb_push(skb, ETH_HLEN);
+                        else
                                 br_netpoll_send_skb(to, skb);
-                        }
                         return;
                 }
                 br_hook = NF_BR_LOCAL_OUT;
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 3aeff0895669..ac92b2eb32b1 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1204,14 +1204,7 @@ static void br_multicast_query_received(struct net_bridge *br,
                 return;
 
         br_multicast_update_query_timer(br, query, max_delay);
-
-        /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules,
-         * the arrival port for IGMP Queries where the source address
-         * is 0.0.0.0 should not be added to router port list.
-         */
-        if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) ||
-            saddr->proto == htons(ETH_P_IPV6))
-                br_multicast_mark_router(br, port);
+        br_multicast_mark_router(br, port);
 }
 
 static void br_ip4_multicast_query(struct net_bridge *br,
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index d21a23698410..c93c35bb73dd 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -265,7 +265,7 @@ int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_
                 struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
                 int ret;
 
-                if (neigh->hh.hh_len) {
+                if ((neigh->nud_state & NUD_CONNECTED) && neigh->hh.hh_len) {
                         neigh_hh_bridge(&neigh->hh, skb);
                         skb->dev = nf_bridge->physindev;
                         ret = br_handle_frame_finish(net, sk, skb);
diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index 94039f588f1d..564710f88f93 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -131,6 +131,7 @@ int br_validate_ipv6(struct net *net, struct sk_buff *skb)
                                         IPSTATS_MIB_INDISCARDS);
                         goto drop;
                 }
+                hdr = ipv6_hdr(skb);
         }
         if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb))
                 goto drop;
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index d240b3e7919f..eabf8bf28a3f 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -107,6 +107,7 @@ struct br_tunnel_info {
 /* private vlan flags */
 enum {
         BR_VLFLAG_PER_PORT_STATS = BIT(0),
+        BR_VLFLAG_ADDED_BY_SWITCHDEV = BIT(1),
 };
 
 /**
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index 4a2f31157ef5..96abf8feb9dc 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -80,16 +80,18 @@ static bool __vlan_add_flags(struct net_bridge_vlan *v, u16 flags)
 }
 
 static int __vlan_vid_add(struct net_device *dev, struct net_bridge *br,
-                          u16 vid, u16 flags, struct netlink_ext_ack *extack)
+                          struct net_bridge_vlan *v, u16 flags,
+                          struct netlink_ext_ack *extack)
 {
         int err;
 
         /* Try switchdev op first. In case it is not supported, fallback to
          * 8021q add.
          */
-        err = br_switchdev_port_vlan_add(dev, vid, flags, extack);
+        err = br_switchdev_port_vlan_add(dev, v->vid, flags, extack);
         if (err == -EOPNOTSUPP)
-                return vlan_vid_add(dev, br->vlan_proto, vid);
+                return vlan_vid_add(dev, br->vlan_proto, v->vid);
+        v->priv_flags |= BR_VLFLAG_ADDED_BY_SWITCHDEV;
         return err;
 }
 
@@ -121,19 +123,17 @@ static void __vlan_del_list(struct net_bridge_vlan *v)
 }
 
 static int __vlan_vid_del(struct net_device *dev, struct net_bridge *br,
-                          u16 vid)
+                          const struct net_bridge_vlan *v)
 {
         int err;
 
         /* Try switchdev op first. In case it is not supported, fallback to
          * 8021q del.
          */
-        err = br_switchdev_port_vlan_del(dev, vid);
-        if (err == -EOPNOTSUPP) {
-                vlan_vid_del(dev, br->vlan_proto, vid);
-                return 0;
-        }
-        return err;
+        err = br_switchdev_port_vlan_del(dev, v->vid);
+        if (!(v->priv_flags & BR_VLFLAG_ADDED_BY_SWITCHDEV))
+                vlan_vid_del(dev, br->vlan_proto, v->vid);
+        return err == -EOPNOTSUPP ? 0 : err;
 }
 
 /* Returns a master vlan, if it didn't exist it gets created. In all cases a
@@ -242,7 +242,7 @@ static int __vlan_add(struct net_bridge_vlan *v, u16 flags,
                  * This ensures tagged traffic enters the bridge when
                  * promiscuous mode is disabled by br_manage_promisc().
                  */
-                err = __vlan_vid_add(dev, br, v->vid, flags, extack);
+                err = __vlan_vid_add(dev, br, v, flags, extack);
                 if (err)
                         goto out;
 
@@ -305,7 +305,7 @@ out_fdb_insert:
 
 out_filt:
         if (p) {
-                __vlan_vid_del(dev, br, v->vid);
+                __vlan_vid_del(dev, br, v);
                 if (masterv) {
                         if (v->stats && masterv->stats != v->stats)
                                 free_percpu(v->stats);
@@ -338,7 +338,7 @@ static int __vlan_del(struct net_bridge_vlan *v)
 
         __vlan_delete_pvid(vg, v->vid);
         if (p) {
-                err = __vlan_vid_del(p->dev, p->br, v->vid);
+                err = __vlan_vid_del(p->dev, p->br, v);
                 if (err)
                         goto out;
         } else {
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 491828713e0b..6693e209efe8 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -1137,14 +1137,16 @@ static int do_replace(struct net *net, const void __user *user,
         tmp.name[sizeof(tmp.name) - 1] = 0;
 
         countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
-        newinfo = vmalloc(sizeof(*newinfo) + countersize);
+        newinfo = __vmalloc(sizeof(*newinfo) + countersize, GFP_KERNEL_ACCOUNT,
+                            PAGE_KERNEL);
         if (!newinfo)
                 return -ENOMEM;
 
         if (countersize)
                 memset(newinfo->counters, 0, countersize);
 
-        newinfo->entries = vmalloc(tmp.entries_size);
+        newinfo->entries = __vmalloc(tmp.entries_size, GFP_KERNEL_ACCOUNT,
+                                     PAGE_KERNEL);
         if (!newinfo->entries) {
                 ret = -ENOMEM;
                 goto free_newinfo;
@@ -2291,9 +2293,12 @@ static int compat_do_replace(struct net *net, void __user *user,
 
         xt_compat_lock(NFPROTO_BRIDGE);
 
-        ret = xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
-        if (ret < 0)
-                goto out_unlock;
+        if (tmp.nentries) {
+                ret = xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
+                if (ret < 0)
+                        goto out_unlock;
+        }
+
         ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state);
         if (ret < 0)
                 goto out_unlock;
diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
index 08cbed7d940e..419e8edf23ba 100644
--- a/net/bridge/netfilter/nft_reject_bridge.c
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -229,6 +229,7 @@ static bool reject6_br_csum_ok(struct sk_buff *skb, int hook)
             pskb_trim_rcsum(skb, ntohs(ip6h->payload_len) + sizeof(*ip6h)))
                 return false;
 
+        ip6h = ipv6_hdr(skb);
         thoff = ipv6_skip_exthdr(skb, ((u8*)(ip6h+1) - skb->data), &proto, &fo);
         if (thoff < 0 || thoff >= skb->len || (fo & htons(~0x7)) != 0)
                 return false;
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 0af8f0db892a..79bb8afa9c0c 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -67,6 +67,9 @@
  */
 #define MAX_NFRAMES 256
 
+/* limit timers to 400 days for sending/timeouts */
+#define BCM_TIMER_SEC_MAX (400 * 24 * 60 * 60)
+
 /* use of last_frames[index].flags */
 #define RX_RECV    0x40 /* received data for this element */
 #define RX_THR     0x80 /* element not been sent due to throttle feature */
@@ -140,6 +143,22 @@ static inline ktime_t bcm_timeval_to_ktime(struct bcm_timeval tv)
         return ktime_set(tv.tv_sec, tv.tv_usec * NSEC_PER_USEC);
 }
 
+/* check limitations for timeval provided by user */
+static bool bcm_is_invalid_tv(struct bcm_msg_head *msg_head)
+{
+        if ((msg_head->ival1.tv_sec < 0) ||
+            (msg_head->ival1.tv_sec > BCM_TIMER_SEC_MAX) ||
+            (msg_head->ival1.tv_usec < 0) ||
+            (msg_head->ival1.tv_usec >= USEC_PER_SEC) ||
+            (msg_head->ival2.tv_sec < 0) ||
+            (msg_head->ival2.tv_sec > BCM_TIMER_SEC_MAX) ||
+            (msg_head->ival2.tv_usec < 0) ||
+            (msg_head->ival2.tv_usec >= USEC_PER_SEC))
+                return true;
+
+        return false;
+}
+
 #define CFSIZ(flags) ((flags & CAN_FD_FRAME) ? CANFD_MTU : CAN_MTU)
 #define OPSIZ sizeof(struct bcm_op)
 #define MHSIZ sizeof(struct bcm_msg_head)
@@ -873,6 +892,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
         if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES)
                 return -EINVAL;
 
+        /* check timeval limitations */
+        if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
+                return -EINVAL;
+
         /* check the given can_id */
         op = bcm_find_op(&bo->tx_ops, msg_head, ifindex);
         if (op) {
@@ -1053,6 +1076,10 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg,
              (!(msg_head->can_id & CAN_RTR_FLAG))))
                 return -EINVAL;
 
+        /* check timeval limitations */
+        if ((msg_head->flags & SETTIMER) && bcm_is_invalid_tv(msg_head))
+                return -EINVAL;
+
         /* check the given can_id */
         op = bcm_find_op(&bo->rx_ops, msg_head, ifindex);
         if (op) {
diff --git a/net/can/gw.c b/net/can/gw.c
index faa3da88a127..53859346dc9a 100644
--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -416,13 +416,29 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
         while (modidx < MAX_MODFUNCTIONS && gwj->mod.modfunc[modidx])
                 (*gwj->mod.modfunc[modidx++])(cf, &gwj->mod);
 
-        /* check for checksum updates when the CAN frame has been modified */
+        /* Has the CAN frame been modified? */
         if (modidx) {
-                if (gwj->mod.csumfunc.crc8)
+                /* get available space for the processed CAN frame type */
+                int max_len = nskb->len - offsetof(struct can_frame, data);
+
+                /* dlc may have changed, make sure it fits to the CAN frame */
+                if (cf->can_dlc > max_len)
+                        goto out_delete;
+
+                /* check for checksum updates in classic CAN length only */
+                if (gwj->mod.csumfunc.crc8) {
+                        if (cf->can_dlc > 8)
+                                goto out_delete;
+
                         (*gwj->mod.csumfunc.crc8)(cf, &gwj->mod.csum.crc8);
+                }
+
+                if (gwj->mod.csumfunc.xor) {
+                        if (cf->can_dlc > 8)
+                                goto out_delete;
 
-                if (gwj->mod.csumfunc.xor)
                         (*gwj->mod.csumfunc.xor)(cf, &gwj->mod.csum.xor);
+                }
         }
 
         /* clear the skb timestamp if not configured the other way */
@@ -434,6 +450,14 @@ static void can_can_gw_rcv(struct sk_buff *skb, void *data)
                 gwj->dropped_frames++;
         else
                 gwj->handled_frames++;
+
+        return;
+
+ out_delete:
+        /* delete frame due to misconfiguration */
+        gwj->deleted_frames++;
+        kfree_skb(nskb);
+        return;
 }
 
 static inline int cgw_register_filter(struct net *net, struct cgw_job *gwj)
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index 87afb9ec4c68..9cab80207ced 100644
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -255,6 +255,7 @@ enum {
         Opt_nocephx_sign_messages,
         Opt_tcp_nodelay,
         Opt_notcp_nodelay,
+        Opt_abort_on_full,
 };
 
 static match_table_t opt_tokens = {
@@ -280,6 +281,7 @@ static match_table_t opt_tokens = {
         {Opt_nocephx_sign_messages, "nocephx_sign_messages"},
         {Opt_tcp_nodelay, "tcp_nodelay"},
         {Opt_notcp_nodelay, "notcp_nodelay"},
+        {Opt_abort_on_full, "abort_on_full"},
         {-1, NULL}
 };
 
@@ -535,6 +537,10 @@ ceph_parse_options(char *options, const char *dev_name,
                         opt->flags &= ~CEPH_OPT_TCP_NODELAY;
                         break;
 
+                case Opt_abort_on_full:
+                        opt->flags |= CEPH_OPT_ABORT_ON_FULL;
+                        break;
+
                 default:
                         BUG_ON(token);
                 }
@@ -549,7 +555,8 @@ out:
 }
 EXPORT_SYMBOL(ceph_parse_options);
 
-int ceph_print_client_options(struct seq_file *m, struct ceph_client *client)
+int ceph_print_client_options(struct seq_file *m, struct ceph_client *client,
+                              bool show_all)
 {
         struct ceph_options *opt = client->options;
         size_t pos = m->count;
@@ -574,6 +581,8 @@ int ceph_print_client_options(struct seq_file *m, struct ceph_client *client)
                 seq_puts(m, "nocephx_sign_messages,");
         if ((opt->flags & CEPH_OPT_TCP_NODELAY) == 0)
                 seq_puts(m, "notcp_nodelay,");
+        if (show_all && (opt->flags & CEPH_OPT_ABORT_ON_FULL))
+                seq_puts(m, "abort_on_full,");
 
         if (opt->mount_timeout != CEPH_MOUNT_TIMEOUT_DEFAULT)
                 seq_printf(m, "mount_timeout=%d,",
diff --git a/net/ceph/debugfs.c b/net/ceph/debugfs.c
index 02952605d121..46f65709a6ff 100644
--- a/net/ceph/debugfs.c
+++ b/net/ceph/debugfs.c
@@ -375,7 +375,7 @@ static int client_options_show(struct seq_file *s, void *p)
         struct ceph_client *client = s->private;
         int ret;
 
-        ret = ceph_print_client_options(s, client);
+        ret = ceph_print_client_options(s, client, true);
         if (ret)
                 return ret;
 
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index d5718284db57..7e71b0df1fbc 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -2058,6 +2058,8 @@ static int process_connect(struct ceph_connection *con)
         dout("process_connect on %p tag %d\n", con, (int)con->in_tag);
 
         if (con->auth) {
+                int len = le32_to_cpu(con->in_reply.authorizer_len);
+
                 /*
                  * Any connection that defines ->get_authorizer()
                  * should also define ->add_authorizer_challenge() and
@@ -2067,8 +2069,7 @@ static int process_connect(struct ceph_connection *con)
                  */
                 if (con->in_reply.tag == CEPH_MSGR_TAG_CHALLENGE_AUTHORIZER) {
                         ret = con->ops->add_authorizer_challenge(
-                                    con, con->auth->authorizer_reply_buf,
-                                    le32_to_cpu(con->in_reply.authorizer_len));
+                                    con, con->auth->authorizer_reply_buf, len);
                         if (ret < 0)
                                 return ret;
 
@@ -2078,10 +2079,12 @@ static int process_connect(struct ceph_connection *con)
                         return 0;
                 }
 
-                ret = con->ops->verify_authorizer_reply(con);
-                if (ret < 0) {
-                        con->error_msg = "bad authorize reply";
-                        return ret;
+                if (len) {
+                        ret = con->ops->verify_authorizer_reply(con);
+                        if (ret < 0) {
+                                con->error_msg = "bad authorize reply";
+                                return ret;
+                        }
                 }
         }
 
@@ -3206,9 +3209,10 @@ void ceph_con_keepalive(struct ceph_connection *con)
         dout("con_keepalive %p\n", con);
         mutex_lock(&con->mutex);
         clear_standby(con);
+        con_flag_set(con, CON_FLAG_KEEPALIVE_PENDING);
         mutex_unlock(&con->mutex);
-        if (con_flag_test_and_set(con, CON_FLAG_KEEPALIVE_PENDING) == 0 &&
-            con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0)
+
+        if (con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0)
                 queue_con(con);
 }
 EXPORT_SYMBOL(ceph_con_keepalive);
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index d23a9f81f3d7..fa9530dd876e 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -2315,7 +2315,7 @@ again:
                    (ceph_osdmap_flag(osdc, CEPH_OSDMAP_FULL) ||
                     pool_full(osdc, req->r_t.base_oloc.pool))) {
                 dout("req %p full/pool_full\n", req);
-                if (osdc->abort_on_full) {
+                if (ceph_test_opt(osdc->client, ABORT_ON_FULL)) {
                         err = -ENOSPC;
                 } else {
                         pr_warn_ratelimited("FULL or reached pool quota\n");
@@ -2545,7 +2545,7 @@ static void ceph_osdc_abort_on_full(struct ceph_osd_client *osdc)
 {
         bool victims = false;
 
-        if (osdc->abort_on_full &&
+        if (ceph_test_opt(osdc->client, ABORT_ON_FULL) &&
             (ceph_osdmap_flag(osdc, CEPH_OSDMAP_FULL) || have_pool_full(osdc)))
                 for_each_request(osdc, abort_on_full_fn, &victims);
 }
diff --git a/net/compat.c b/net/compat.c
index 959d1c51826d..3d348198004f 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -388,8 +388,12 @@ static int __compat_sys_setsockopt(int fd, int level, int optname,
                                    char __user *optval, unsigned int optlen)
 {
         int err;
-        struct socket *sock = sockfd_lookup(fd, &err);
+        struct socket *sock;
+
+        if (optlen > INT_MAX)
+                return -EINVAL;
 
+        sock = sockfd_lookup(fd, &err);
         if (sock) {
                 err = security_socket_setsockopt(sock, level, optname);
                 if (err) {
diff --git a/net/core/dev.c b/net/core/dev.c
index 82f20022259d..5d03889502eb 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -8152,7 +8152,7 @@ static netdev_features_t netdev_sync_upper_features(struct net_device *lower,
         netdev_features_t feature;
         int feature_bit;
 
-        for_each_netdev_feature(&upper_disables, feature_bit) {
+        for_each_netdev_feature(upper_disables, feature_bit) {
                 feature = __NETIF_F_BIT(feature_bit);
                 if (!(upper->wanted_features & feature)
                     && (features & feature)) {
@@ -8172,7 +8172,7 @@ static void netdev_sync_lower_features(struct net_device *upper,
         netdev_features_t feature;
         int feature_bit;
 
-        for_each_netdev_feature(&upper_disables, feature_bit) {
+        for_each_netdev_feature(upper_disables, feature_bit) {
                 feature = __NETIF_F_BIT(feature_bit);
                 if (!(features & feature) && (lower->features & feature)) {
                         netdev_dbg(upper, "Disabling feature %pNF on lower dev %s.\n",
@@ -8712,6 +8712,9 @@ int init_dummy_netdev(struct net_device *dev)
         set_bit(__LINK_STATE_PRESENT, &dev->state);
         set_bit(__LINK_STATE_START, &dev->state);
 
+        /* napi_busy_loop stats accounting wants this */
+        dev_net_set(dev, &init_net);
+
         /* Note : We dont allocate pcpu_refcnt for dummy devices,
          * because users of this 'device' dont need to change
          * its refcount.
diff --git a/net/core/filter.c b/net/core/filter.c
index 447dd1bad31f..f7d0004fc160 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2020,18 +2020,19 @@ static inline int __bpf_tx_skb(struct net_device *dev, struct sk_buff *skb)
 static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev,
                                  u32 flags)
 {
-        /* skb->mac_len is not set on normal egress */
-        unsigned int mlen = skb->network_header - skb->mac_header;
+        unsigned int mlen = skb_network_offset(skb);
 
-        __skb_pull(skb, mlen);
+        if (mlen) {
+                __skb_pull(skb, mlen);
 
-        /* At ingress, the mac header has already been pulled once.
-         * At egress, skb_pospull_rcsum has to be done in case that
-         * the skb is originated from ingress (i.e. a forwarded skb)
-         * to ensure that rcsum starts at net header.
-         */
-        if (!skb_at_tc_ingress(skb))
-                skb_postpull_rcsum(skb, skb_mac_header(skb), mlen);
+                /* At ingress, the mac header has already been pulled once.
+                 * At egress, skb_pospull_rcsum has to be done in case that
+                 * the skb is originated from ingress (i.e. a forwarded skb)
+                 * to ensure that rcsum starts at net header.
+                 */
+                if (!skb_at_tc_ingress(skb))
+                        skb_postpull_rcsum(skb, skb_mac_header(skb), mlen);
+        }
         skb_pop_mac_header(skb);
         skb_reset_mac_len(skb);
         return flags & BPF_F_INGRESS ?
@@ -2788,8 +2789,7 @@ static int bpf_skb_proto_4_to_6(struct sk_buff *skb)
         u32 off = skb_mac_header_len(skb);
         int ret;
 
-        /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */
-        if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb)))
+        if (!skb_is_gso_tcp(skb))
                 return -ENOTSUPP;
 
         ret = skb_cow(skb, len_diff);
@@ -2830,8 +2830,7 @@ static int bpf_skb_proto_6_to_4(struct sk_buff *skb)
         u32 off = skb_mac_header_len(skb);
         int ret;
 
-        /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */
-        if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb)))
+        if (!skb_is_gso_tcp(skb))
                 return -ENOTSUPP;
 
         ret = skb_unclone(skb, GFP_ATOMIC);
@@ -2956,8 +2955,7 @@ static int bpf_skb_net_grow(struct sk_buff *skb, u32 len_diff)
         u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb);
         int ret;
 
-        /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */
-        if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb)))
+        if (!skb_is_gso_tcp(skb))
                 return -ENOTSUPP;
 
         ret = skb_cow(skb, len_diff);
@@ -2986,8 +2984,7 @@ static int bpf_skb_net_shrink(struct sk_buff *skb, u32 len_diff)
         u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb);
         int ret;
 
-        /* SCTP uses GSO_BY_FRAGS, thus cannot adjust it. */
-        if (skb_is_gso(skb) && unlikely(skb_is_gso_sctp(skb)))
+        if (!skb_is_gso_tcp(skb))
                 return -ENOTSUPP;
 
         ret = skb_unclone(skb, GFP_ATOMIC);
@@ -4111,14 +4108,20 @@ BPF_CALL_5(bpf_setsockopt, struct bpf_sock_ops_kern *, bpf_sock,
                 /* Only some socketops are supported */
                 switch (optname) {
                 case SO_RCVBUF:
+                        val = min_t(u32, val, sysctl_rmem_max);
                         sk->sk_userlocks |= SOCK_RCVBUF_LOCK;
                         sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
                         break;
                 case SO_SNDBUF:
+                        val = min_t(u32, val, sysctl_wmem_max);
                         sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
                         sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
                         break;
                 case SO_MAX_PACING_RATE: /* 32bit version */
+                        if (val != ~0U)
+                                cmpxchg(&sk->sk_pacing_status,
+                                        SK_PACING_NONE,
+                                        SK_PACING_NEEDED);
                         sk->sk_max_pacing_rate = (val == ~0U) ? ~0UL : val;
                         sk->sk_pacing_rate = min(sk->sk_pacing_rate,
                                                  sk->sk_max_pacing_rate);
@@ -4132,7 +4135,10 @@ BPF_CALL_5(bpf_setsockopt, struct bpf_sock_ops_kern *, bpf_sock,
                         sk->sk_rcvlowat = val ? : 1;
                         break;
                 case SO_MARK:
-                        sk->sk_mark = val;
+                        if (sk->sk_mark != val) {
+                                sk->sk_mark = val;
+                                sk_dst_reset(sk);
+                        }
                         break;
                 default:
                         ret = -EINVAL;
@@ -4203,7 +4209,7 @@ BPF_CALL_5(bpf_setsockopt, struct bpf_sock_ops_kern *, bpf_sock,
                         /* Only some options are supported */
                         switch (optname) {
                         case TCP_BPF_IW:
-                                if (val <= 0 || tp->data_segs_out > 0)
+                                if (val <= 0 || tp->data_segs_out > tp->syn_data)
                                         ret = -EINVAL;
                                 else
                                         tp->snd_cwnd = val;
@@ -5309,7 +5315,7 @@ bpf_base_func_proto(enum bpf_func_id func_id)
         case BPF_FUNC_trace_printk:
                 if (capable(CAP_SYS_ADMIN))
                         return bpf_get_trace_printk_proto();
-                /* else: fall through */
+                /* else, fall through */
         default:
                 return NULL;
         }
diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c
index 3e85437f7106..a648568c5e8f 100644
--- a/net/core/lwt_bpf.c
+++ b/net/core/lwt_bpf.c
@@ -63,6 +63,7 @@ static int run_lwt_bpf(struct sk_buff *skb, struct bpf_lwt_prog *lwt,
                                      lwt->name ? : "<unknown>");
                         ret = BPF_OK;
                 } else {
+                        skb_reset_mac_header(skb);
                         ret = skb_do_redirect(skb);
                         if (ret == 0)
                                 ret = BPF_REDIRECT;
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 763a7b08df67..4230400b9a30 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -18,6 +18,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
 #include <linux/slab.h>
+#include <linux/kmemleak.h>
 #include <linux/types.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
@@ -443,12 +444,14 @@ static struct neigh_hash_table *neigh_hash_alloc(unsigned int shift)
         ret = kmalloc(sizeof(*ret), GFP_ATOMIC);
         if (!ret)
                 return NULL;
-        if (size <= PAGE_SIZE)
+        if (size <= PAGE_SIZE) {
                 buckets = kzalloc(size, GFP_ATOMIC);
-        else
+        } else {
                 buckets = (struct neighbour __rcu **)
                           __get_free_pages(GFP_ATOMIC | __GFP_ZERO,
                                            get_order(size));
+                kmemleak_alloc(buckets, size, 1, GFP_ATOMIC);
+        }
         if (!buckets) {
                 kfree(ret);
                 return NULL;
@@ -468,10 +471,12 @@ static void neigh_hash_free_rcu(struct rcu_head *head)
         size_t size = (1 << nht->hash_shift) * sizeof(struct neighbour *);
         struct neighbour __rcu **buckets = nht->hash_buckets;
 
-        if (size <= PAGE_SIZE)
+        if (size <= PAGE_SIZE) {
                 kfree(buckets);
-        else
+        } else {
+                kmemleak_free(buckets);
                 free_pages((unsigned long)buckets, get_order(size));
+        }
         kfree(nht);
 }
 
@@ -1002,7 +1007,7 @@ static void neigh_probe(struct neighbour *neigh)
         if (neigh->ops->solicit)
                 neigh->ops->solicit(neigh, skb);
         atomic_inc(&neigh->probes);
-        kfree_skb(skb);
+        consume_skb(skb);
 }
 
 /* Called when a timer expires for a neighbour entry. */
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 37317ffec146..2415d9cb9b89 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -356,6 +356,8 @@ static void *__netdev_alloc_frag(unsigned int fragsz, gfp_t gfp_mask)
  */
 void *netdev_alloc_frag(unsigned int fragsz)
 {
+        fragsz = SKB_DATA_ALIGN(fragsz);
+
         return __netdev_alloc_frag(fragsz, GFP_ATOMIC);
 }
 EXPORT_SYMBOL(netdev_alloc_frag);
@@ -369,6 +371,8 @@ static void *__napi_alloc_frag(unsigned int fragsz, gfp_t gfp_mask)
 
 void *napi_alloc_frag(unsigned int fragsz)
 {
+        fragsz = SKB_DATA_ALIGN(fragsz);
+
         return __napi_alloc_frag(fragsz, GFP_ATOMIC);
 }
 EXPORT_SYMBOL(napi_alloc_frag);
@@ -5270,7 +5274,6 @@ struct sk_buff *alloc_skb_with_frags(unsigned long header_len,
         unsigned long chunk;
         struct sk_buff *skb;
         struct page *page;
-        gfp_t gfp_head;
         int i;
 
         *errcode = -EMSGSIZE;
@@ -5280,12 +5283,8 @@ struct sk_buff *alloc_skb_with_frags(unsigned long header_len,
         if (npages > MAX_SKB_FRAGS)
                 return NULL;
 
-        gfp_head = gfp_mask;
-        if (gfp_head & __GFP_DIRECT_RECLAIM)
-                gfp_head |= __GFP_RETRY_MAYFAIL;
-
         *errcode = -ENOBUFS;
-        skb = alloc_skb(header_len, gfp_head);
+        skb = alloc_skb(header_len, gfp_mask);
         if (!skb)
                 return NULL;
 
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index d6d5c20d7044..8c826603bf36 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -545,8 +545,7 @@ static void sk_psock_destroy_deferred(struct work_struct *gc)
         struct sk_psock *psock = container_of(gc, struct sk_psock, gc);
 
         /* No sk_callback_lock since already detached. */
-        if (psock->parser.enabled)
-                strp_done(&psock->parser.strp);
+        strp_done(&psock->parser.strp);
 
         cancel_work_sync(&psock->work);
 
diff --git a/net/core/sock.c b/net/core/sock.c
index 6aa2e7e0b4fb..bc3512f230a3 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2380,7 +2380,7 @@ int __sk_mem_raise_allocated(struct sock *sk, int size, int amt, int kind)
         }
 
         if (sk_has_memory_pressure(sk)) {
-                int alloc;
+                u64 alloc;
 
                 if (!sk_under_memory_pressure(sk))
                         return 1;
diff --git a/net/dccp/ccid.h b/net/dccp/ccid.h
index 6eb837a47b5c..baaaeb2b2c42 100644
--- a/net/dccp/ccid.h
+++ b/net/dccp/ccid.h
@@ -202,7 +202,7 @@ static inline void ccid_hc_tx_packet_recv(struct ccid *ccid, struct sock *sk,
 static inline int ccid_hc_tx_parse_options(struct ccid *ccid, struct sock *sk,
                                            u8 pkt, u8 opt, u8 *val, u8 len)
 {
-        if (ccid->ccid_ops->ccid_hc_tx_parse_options == NULL)
+        if (!ccid || !ccid->ccid_ops->ccid_hc_tx_parse_options)
                 return 0;
         return ccid->ccid_ops->ccid_hc_tx_parse_options(sk, pkt, opt, val, len);
 }
@@ -214,7 +214,7 @@ static inline int ccid_hc_tx_parse_options(struct ccid *ccid, struct sock *sk,
 static inline int ccid_hc_rx_parse_options(struct ccid *ccid, struct sock *sk,
                                            u8 pkt, u8 opt, u8 *val, u8 len)
 {
-        if (ccid->ccid_ops->ccid_hc_rx_parse_options == NULL)
+        if (!ccid || !ccid->ccid_ops->ccid_hc_rx_parse_options)
                 return 0;
         return ccid->ccid_ops->ccid_hc_rx_parse_options(sk, pkt, opt, val, len);
 }
diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
index d0b3e69c6b39..0962f9201baa 100644
--- a/net/decnet/dn_dev.c
+++ b/net/decnet/dn_dev.c
@@ -56,7 +56,7 @@
 #include <net/dn_neigh.h>
 #include <net/dn_fib.h>
 
-#define DN_IFREQ_SIZE (sizeof(struct ifreq) - sizeof(struct sockaddr) + sizeof(struct sockaddr_dn))
+#define DN_IFREQ_SIZE (offsetof(struct ifreq, ifr_ifru) + sizeof(struct sockaddr_dn))
 
 static char dn_rt_all_end_mcast[ETH_ALEN] = {0xAB,0x00,0x00,0x04,0x00,0x00};
 static char dn_rt_all_rt_mcast[ETH_ALEN]  = {0xAB,0x00,0x00,0x03,0x00,0x00};
diff --git a/net/dsa/master.c b/net/dsa/master.c
index 71bb15f491c8..54f5551fb799 100644
--- a/net/dsa/master.c
+++ b/net/dsa/master.c
@@ -205,6 +205,8 @@ static void dsa_master_reset_mtu(struct net_device *dev)
         rtnl_unlock();
 }
 
+static struct lock_class_key dsa_master_addr_list_lock_key;
+
 int dsa_master_setup(struct net_device *dev, struct dsa_port *cpu_dp)
 {
         int ret;
@@ -218,6 +220,8 @@ int dsa_master_setup(struct net_device *dev, struct dsa_port *cpu_dp)
         wmb();
 
         dev->dsa_ptr = cpu_dp;
+        lockdep_set_class(&dev->addr_list_lock,
+                          &dsa_master_addr_list_lock_key);
 
         ret = dsa_master_ethtool_setup(dev);
         if (ret)
diff --git a/net/dsa/port.c b/net/dsa/port.c
index 2d7e01b23572..2a2a878b5ce3 100644
--- a/net/dsa/port.c
+++ b/net/dsa/port.c
@@ -69,7 +69,6 @@ static void dsa_port_set_state_now(struct dsa_port *dp, u8 state)
 
 int dsa_port_enable(struct dsa_port *dp, struct phy_device *phy)
 {
-        u8 stp_state = dp->bridge_dev ? BR_STATE_BLOCKING : BR_STATE_FORWARDING;
         struct dsa_switch *ds = dp->ds;
         int port = dp->index;
         int err;
@@ -80,7 +79,8 @@ int dsa_port_enable(struct dsa_port *dp, struct phy_device *phy)
                         return err;
         }
 
-        dsa_port_set_state_now(dp, stp_state);
+        if (!dp->bridge_dev)
+                dsa_port_set_state_now(dp, BR_STATE_FORWARDING);
 
         return 0;
 }
@@ -90,7 +90,8 @@ void dsa_port_disable(struct dsa_port *dp, struct phy_device *phy)
         struct dsa_switch *ds = dp->ds;
         int port = dp->index;
 
-        dsa_port_set_state_now(dp, BR_STATE_DISABLED);
+        if (!dp->bridge_dev)
+                dsa_port_set_state_now(dp, BR_STATE_DISABLED);
 
         if (ds->ops->port_disable)
                 ds->ops->port_disable(ds, port, phy);
diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index a3fcc1d01615..a1c9fe155057 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -140,11 +140,14 @@ static int dsa_slave_close(struct net_device *dev)
 static void dsa_slave_change_rx_flags(struct net_device *dev, int change)
 {
         struct net_device *master = dsa_slave_to_master(dev);
-
-        if (change & IFF_ALLMULTI)
-                dev_set_allmulti(master, dev->flags & IFF_ALLMULTI ? 1 : -1);
-        if (change & IFF_PROMISC)
-                dev_set_promiscuity(master, dev->flags & IFF_PROMISC ? 1 : -1);
+        if (dev->flags & IFF_UP) {
+                if (change & IFF_ALLMULTI)
+                        dev_set_allmulti(master,
+                                         dev->flags & IFF_ALLMULTI ? 1 : -1);
+                if (change & IFF_PROMISC)
+                        dev_set_promiscuity(master,
+                                            dev->flags & IFF_PROMISC ? 1 : -1);
+        }
 }
 
 static void dsa_slave_set_rx_mode(struct net_device *dev)
@@ -639,7 +642,7 @@ static int dsa_slave_set_eee(struct net_device *dev, struct ethtool_eee *e)
         int ret;
 
         /* Port's PHY and MAC both need to be EEE capable */
-        if (!dev->phydev && !dp->pl)
+        if (!dev->phydev || !dp->pl)
                 return -ENODEV;
 
         if (!ds->ops->set_mac_eee)
@@ -659,7 +662,7 @@ static int dsa_slave_get_eee(struct net_device *dev, struct ethtool_eee *e)
         int ret;
 
         /* Port's PHY and MAC both need to be EEE capable */
-        if (!dev->phydev && !dp->pl)
+        if (!dev->phydev || !dp->pl)
                 return -ENODEV;
 
         if (!ds->ops->get_mac_eee)
diff --git a/net/ipv4/bpfilter/sockopt.c b/net/ipv4/bpfilter/sockopt.c
index 5e04ed25bc0e..1e976bb93d99 100644
--- a/net/ipv4/bpfilter/sockopt.c
+++ b/net/ipv4/bpfilter/sockopt.c
@@ -1,28 +1,54 @@
 // SPDX-License-Identifier: GPL-2.0
+#include <linux/init.h>
+#include <linux/module.h>
 #include <linux/uaccess.h>
 #include <linux/bpfilter.h>
 #include <uapi/linux/bpf.h>
 #include <linux/wait.h>
 #include <linux/kmod.h>
+#include <linux/fs.h>
+#include <linux/file.h>
 
-int (*bpfilter_process_sockopt)(struct sock *sk, int optname,
-                                char __user *optval,
-                                unsigned int optlen, bool is_set);
-EXPORT_SYMBOL_GPL(bpfilter_process_sockopt);
+struct bpfilter_umh_ops bpfilter_ops;
+EXPORT_SYMBOL_GPL(bpfilter_ops);
+
+static void bpfilter_umh_cleanup(struct umh_info *info)
+{
+        mutex_lock(&bpfilter_ops.lock);
+        bpfilter_ops.stop = true;
+        fput(info->pipe_to_umh);
+        fput(info->pipe_from_umh);
+        info->pid = 0;
+        mutex_unlock(&bpfilter_ops.lock);
+}
 
 static int bpfilter_mbox_request(struct sock *sk, int optname,
                                  char __user *optval,
                                  unsigned int optlen, bool is_set)
 {
-        if (!bpfilter_process_sockopt) {
-                int err = request_module("bpfilter");
+        int err;
+        mutex_lock(&bpfilter_ops.lock);
+        if (!bpfilter_ops.sockopt) {
+                mutex_unlock(&bpfilter_ops.lock);
+                err = request_module("bpfilter");
+                mutex_lock(&bpfilter_ops.lock);
 
                 if (err)
-                        return err;
-                if (!bpfilter_process_sockopt)
-                        return -ECHILD;
+                        goto out;
+                if (!bpfilter_ops.sockopt) {
+                        err = -ECHILD;
+                        goto out;
+                }
+        }
+        if (bpfilter_ops.stop) {
+                err = bpfilter_ops.start();
+                if (err)
+                        goto out;
         }
-        return bpfilter_process_sockopt(sk, optname, optval, optlen, is_set);
+        err = bpfilter_ops.sockopt(sk, optname, optval, optlen, is_set);
+out:
+        mutex_unlock(&bpfilter_ops.lock);
+        return err;
 }
 
 int bpfilter_ip_set_sockopt(struct sock *sk, int optname, char __user *optval,
@@ -41,3 +67,15 @@ int bpfilter_ip_get_sockopt(struct sock *sk, int optname, char __user *optval,
 
         return bpfilter_mbox_request(sk, optname, optval, len, false);
 }
+
+static int __init bpfilter_sockopt_init(void)
+{
+        mutex_init(&bpfilter_ops.lock);
+        bpfilter_ops.stop = true;
+        bpfilter_ops.info.cmdline = "bpfilter_umh";
+        bpfilter_ops.info.cleanup = &bpfilter_umh_cleanup;
+
+        return 0;
+}
+
+module_init(bpfilter_sockopt_init);
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 04ba321ae5ce..e258a00b4a3d 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1826,7 +1826,7 @@ put_tgt_net:
         if (fillargs.netnsid >= 0)
                 put_net(tgt_net);
 
-        return err < 0 ? err : skb->len;
+        return skb->len ? : err;
 }
 
 static void rtmsg_ifa(int event, struct in_ifaddr *ifa, struct nlmsghdr *nlh,
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 5459f41fc26f..10e809b296ec 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -328,7 +328,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
                         skb->len += tailen;
                         skb->data_len += tailen;
                         skb->truesize += tailen;
-                        if (sk)
+                        if (sk && sk_fullsock(sk))
                                 refcount_add(tailen, &sk->sk_wmem_alloc);
 
                         goto out;
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 6df95be96311..fe4f6a624238 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -203,7 +203,7 @@ static void fib_flush(struct net *net)
                 struct fib_table *tb;
 
                 hlist_for_each_entry_safe(tb, tmp, head, tb_hlist)
-                        flushed += fib_table_flush(net, tb);
+                        flushed += fib_table_flush(net, tb, false);
         }
 
         if (flushed)
@@ -1463,7 +1463,7 @@ static void ip_fib_net_exit(struct net *net)
 
                 hlist_for_each_entry_safe(tb, tmp, head, tb_hlist) {
                         hlist_del(&tb->tb_hlist);
-                        fib_table_flush(net, tb);
+                        fib_table_flush(net, tb, true);
                         fib_free_table(tb);
                 }
         }
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 237c9f72b265..a573e37e0615 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1856,7 +1856,7 @@ void fib_table_flush_external(struct fib_table *tb)
 }
 
 /* Caller must hold RTNL. */
-int fib_table_flush(struct net *net, struct fib_table *tb)
+int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
 {
         struct trie *t = (struct trie *)tb->tb_data;
         struct key_vector *pn = t->kv;
@@ -1904,8 +1904,17 @@ int fib_table_flush(struct net *net, struct fib_table *tb)
                 hlist_for_each_entry_safe(fa, tmp, &n->leaf, fa_list) {
                         struct fib_info *fi = fa->fa_info;
 
-                        if (!fi || !(fi->fib_flags & RTNH_F_DEAD) ||
-                            tb->tb_id != fa->tb_id) {
+                        if (!fi || tb->tb_id != fa->tb_id ||
+                            (!(fi->fib_flags & RTNH_F_DEAD) &&
+                             !fib_props[fa->fa_type].error)) {
+                                slen = fa->fa_slen;
+                                continue;
+                        }
+
+                        /* Do not flush error routes if network namespace is
+                         * not being dismantled
+                         */
+                        if (!flush_all && fib_props[fa->fa_type].error) {
                                 slen = fa->fa_slen;
                                 continue;
                         }
diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
index 0c9f171fb085..437070d1ffb1 100644
--- a/net/ipv4/fou.c
+++ b/net/ipv4/fou.c
@@ -1020,10 +1020,11 @@ static int gue_err(struct sk_buff *skb, u32 info)
 {
         int transport_offset = skb_transport_offset(skb);
         struct guehdr *guehdr;
-        size_t optlen;
+        size_t len, optlen;
         int ret;
 
-        if (skb->len < sizeof(struct udphdr) + sizeof(struct guehdr))
+        len = sizeof(struct udphdr) + sizeof(struct guehdr);
+        if (!pskb_may_pull(skb, len))
                 return -EINVAL;
 
         guehdr = (struct guehdr *)&udp_hdr(skb)[1];
@@ -1058,6 +1059,10 @@ static int gue_err(struct sk_buff *skb, u32 info)
 
         optlen = guehdr->hlen << 2;
 
+        if (!pskb_may_pull(skb, len + optlen))
+                return -EINVAL;
+
+        guehdr = (struct guehdr *)&udp_hdr(skb)[1];
         if (validate_gue_flags(guehdr, optlen))
                 return -EINVAL;
 
@@ -1065,7 +1070,8 @@ static int gue_err(struct sk_buff *skb, u32 info)
          * recursion. Besides, this kind of encapsulation can't even be
          * configured currently. Discard this.
          */
-        if (guehdr->proto_ctype == IPPROTO_UDP)
+        if (guehdr->proto_ctype == IPPROTO_UDP ||
+            guehdr->proto_ctype == IPPROTO_UDPLITE)
                 return -EOPNOTSUPP;
 
         skb_set_transport_header(skb, -(int)sizeof(struct icmphdr));
diff --git a/net/ipv4/gre_demux.c b/net/ipv4/gre_demux.c
index a4bf22ee3aed..7c4a41dc04bb 100644
--- a/net/ipv4/gre_demux.c
+++ b/net/ipv4/gre_demux.c
@@ -25,6 +25,7 @@
 #include <linux/spinlock.h>
 #include <net/protocol.h>
 #include <net/gre.h>
+#include <net/erspan.h>
 
 #include <net/icmp.h>
 #include <net/route.h>
@@ -119,6 +120,22 @@ int gre_parse_header(struct sk_buff *skb, struct tnl_ptk_info *tpi,
                         hdr_len += 4;
         }
         tpi->hdr_len = hdr_len;
+
+        /* ERSPAN ver 1 and 2 protocol sets GRE key field
+         * to 0 and sets the configured key in the
+         * inner erspan header field
+         */
+        if (greh->protocol == htons(ETH_P_ERSPAN) ||
+            greh->protocol == htons(ETH_P_ERSPAN2)) {
+                struct erspan_base_hdr *ershdr;
+
+                if (!pskb_may_pull(skb, nhs + hdr_len + sizeof(*ershdr)))
+                        return -EINVAL;
+
+                ershdr = (struct erspan_base_hdr *)options;
+                tpi->key = cpu_to_be32(get_session_id(ershdr));
+        }
+
         return hdr_len;
 }
 EXPORT_SYMBOL(gre_parse_header);
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 1a4e9ff02762..5731670c560b 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -108,6 +108,7 @@ static size_t inet_sk_attr_size(struct sock *sk,
                 + nla_total_size(1) /* INET_DIAG_TOS */
                 + nla_total_size(1) /* INET_DIAG_TCLASS */
                 + nla_total_size(4) /* INET_DIAG_MARK */
+                + nla_total_size(4) /* INET_DIAG_CLASS_ID */
                 + nla_total_size(sizeof(struct inet_diag_meminfo))
                 + nla_total_size(sizeof(struct inet_diag_msg))
                 + nla_total_size(SK_MEMINFO_VARS * sizeof(u32))
@@ -287,12 +288,19 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
                         goto errout;
         }
 
-        if (ext & (1 << (INET_DIAG_CLASS_ID - 1))) {
+        if (ext & (1 << (INET_DIAG_CLASS_ID - 1)) ||
+            ext & (1 << (INET_DIAG_TCLASS - 1))) {
                 u32 classid = 0;
 
 #ifdef CONFIG_SOCK_CGROUP_DATA
                 classid = sock_cgroup_classid(&sk->sk_cgrp_data);
 #endif
+                /* Fallback to socket priority if class id isn't set.
+                 * Classful qdiscs use it as direct reference to class.
+                 * For cgroup2 classid is always zero.
+                 */
+                if (!classid)
+                        classid = sk->sk_priority;
 
                 if (nla_put_u32(skb, INET_DIAG_CLASS_ID, classid))
                         goto errout;
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
index d757b9642d0d..be778599bfed 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -216,6 +216,7 @@ struct inet_peer *inet_getpeer(struct inet_peer_base *base,
                         atomic_set(&p->rid, 0);
                         p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
                         p->rate_tokens = 0;
+                        p->n_redirects = 0;
                         /* 60*HZ is arbitrary, but chosen enough high so that the first
                          * calculation of tokens is at its maximum.
                          */
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index d1d09f3e5f9e..6ae89f2b541b 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -268,20 +268,11 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
         int len;
 
         itn = net_generic(net, erspan_net_id);
-        len = gre_hdr_len + sizeof(*ershdr);
-
-        /* Check based hdr len */
-        if (unlikely(!pskb_may_pull(skb, len)))
-                return PACKET_REJECT;
 
         iph = ip_hdr(skb);
         ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
         ver = ershdr->ver;
 
-        /* The original GRE header does not have key field,
-         * Use ERSPAN 10-bit session ID as key.
-         */
-        tpi->key = cpu_to_be32(get_session_id(ershdr));
         tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
                                   tpi->flags | TUNNEL_KEY,
                                   iph->saddr, iph->daddr, tpi->key);
@@ -569,8 +560,7 @@ err_free_skb:
         dev->stats.tx_dropped++;
 }
 
-static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev,
-                           __be16 proto)
+static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev)
 {
         struct ip_tunnel *tunnel = netdev_priv(dev);
         struct ip_tunnel_info *tun_info;
@@ -578,10 +568,10 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev,
         struct erspan_metadata *md;
         struct rtable *rt = NULL;
         bool truncate = false;
+        __be16 df, proto;
         struct flowi4 fl;
         int tunnel_hlen;
         int version;
-        __be16 df;
         int nhoff;
         int thoff;
 
@@ -626,18 +616,20 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev,
         if (version == 1) {
                 erspan_build_header(skb, ntohl(tunnel_id_to_key32(key->tun_id)),
                                     ntohl(md->u.index), truncate, true);
+                proto = htons(ETH_P_ERSPAN);
         } else if (version == 2) {
                 erspan_build_header_v2(skb,
                                        ntohl(tunnel_id_to_key32(key->tun_id)),
                                        md->u.md2.dir,
                                        get_hwid(&md->u.md2),
                                        truncate, true);
+                proto = htons(ETH_P_ERSPAN2);
         } else {
                 goto err_free_rt;
         }
 
         gre_build_header(skb, 8, TUNNEL_SEQ,
-                         htons(ETH_P_ERSPAN), 0, htonl(tunnel->o_seqno++));
+                         proto, 0, htonl(tunnel->o_seqno++));
 
         df = key->tun_flags & TUNNEL_DONT_FRAGMENT ?  htons(IP_DF) : 0;
 
@@ -721,12 +713,13 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
 {
         struct ip_tunnel *tunnel = netdev_priv(dev);
         bool truncate = false;
+        __be16 proto;
 
         if (!pskb_inet_may_pull(skb))
                 goto free_skb;
 
         if (tunnel->collect_md) {
-                erspan_fb_xmit(skb, dev, skb->protocol);
+                erspan_fb_xmit(skb, dev);
                 return NETDEV_TX_OK;
         }
 
@@ -742,19 +735,22 @@ static netdev_tx_t erspan_xmit(struct sk_buff *skb,
         }
 
         /* Push ERSPAN header */
-        if (tunnel->erspan_ver == 1)
+        if (tunnel->erspan_ver == 1) {
                 erspan_build_header(skb, ntohl(tunnel->parms.o_key),
                                     tunnel->index,
                                     truncate, true);
-        else if (tunnel->erspan_ver == 2)
+                proto = htons(ETH_P_ERSPAN);
+        } else if (tunnel->erspan_ver == 2) {
                 erspan_build_header_v2(skb, ntohl(tunnel->parms.o_key),
                                        tunnel->dir, tunnel->hwid,
                                        truncate, true);
-        else
+                proto = htons(ETH_P_ERSPAN2);
+        } else {
                 goto free_skb;
+        }
 
         tunnel->parms.o_flags &= ~TUNNEL_KEY;
-        __gre_xmit(skb, dev, &tunnel->parms.iph, htons(ETH_P_ERSPAN));
+        __gre_xmit(skb, dev, &tunnel->parms.iph, proto);
         return NETDEV_TX_OK;
 
 free_skb:
@@ -1459,12 +1455,31 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
 {
         struct ip_tunnel *t = netdev_priv(dev);
         struct ip_tunnel_parm *p = &t->parms;
+        __be16 o_flags = p->o_flags;
+
+        if (t->erspan_ver == 1 || t->erspan_ver == 2) {
+                if (!t->collect_md)
+                        o_flags |= TUNNEL_KEY;
+
+                if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver))
+                        goto nla_put_failure;
+
+                if (t->erspan_ver == 1) {
+                        if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index))
+                                goto nla_put_failure;
+                } else {
+                        if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir))
+                                goto nla_put_failure;
+                        if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid))
+                                goto nla_put_failure;
+                }
+        }
 
         if (nla_put_u32(skb, IFLA_GRE_LINK, p->link) ||
             nla_put_be16(skb, IFLA_GRE_IFLAGS,
                          gre_tnl_flags_to_gre_flags(p->i_flags)) ||
             nla_put_be16(skb, IFLA_GRE_OFLAGS,
-                         gre_tnl_flags_to_gre_flags(p->o_flags)) ||
+                         gre_tnl_flags_to_gre_flags(o_flags)) ||
             nla_put_be32(skb, IFLA_GRE_IKEY, p->i_key) ||
             nla_put_be32(skb, IFLA_GRE_OKEY, p->o_key) ||
             nla_put_in_addr(skb, IFLA_GRE_LOCAL, p->iph.saddr) ||
@@ -1494,19 +1509,6 @@ static int ipgre_fill_info(struct sk_buff *skb, const struct net_device *dev)
                         goto nla_put_failure;
         }
 
-        if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, t->erspan_ver))
-                goto nla_put_failure;
-
-        if (t->erspan_ver == 1) {
-                if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, t->index))
-                        goto nla_put_failure;
-        } else if (t->erspan_ver == 2) {
-                if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, t->dir))
-                        goto nla_put_failure;
-                if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, t->hwid))
-                        goto nla_put_failure;
-        }
-
         return 0;
 
 nla_put_failure:
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
index 26921f6b3b92..51d8efba6de2 100644
--- a/net/ipv4/ip_input.c
+++ b/net/ipv4/ip_input.c
@@ -488,6 +488,7 @@ static struct sk_buff *ip_rcv_core(struct sk_buff *skb, struct net *net)
                 goto drop;
         }
 
+        iph = ip_hdr(skb);
         skb->transport_header = skb->network_header + iph->ihl*4;
 
         /* Remove any debris in the socket control block */
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index fffcc130900e..82f341e84fae 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -148,19 +148,17 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
 
 static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
 {
+        __be16 _ports[2], *ports;
         struct sockaddr_in sin;
-        __be16 *ports;
-        int end;
-
-        end = skb_transport_offset(skb) + 4;
-        if (end > 0 && !pskb_may_pull(skb, end))
-                return;
 
         /* All current transport protocols have the port numbers in the
          * first four bytes of the transport header and this function is
          * written with this assumption in mind.
          */
-        ports = (__be16 *)skb_transport_header(skb);
+        ports = skb_header_pointer(skb, skb_transport_offset(skb),
+                                   sizeof(_ports), &_ports);
+        if (!ports)
+                return;
 
         sin.sin_family = AF_INET;
         sin.sin_addr.s_addr = ip_hdr(skb)->daddr;
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index c4f5602308ed..054d01c16dc6 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -644,13 +644,19 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
         dst = tnl_params->daddr;
         if (dst == 0) {
                 /* NBMA tunnel */
+                struct ip_tunnel_info *tun_info;
 
                 if (!skb_dst(skb)) {
                         dev->stats.tx_fifo_errors++;
                         goto tx_error;
                 }
 
-                if (skb->protocol == htons(ETH_P_IP)) {
+                tun_info = skb_tunnel_info(skb);
+                if (tun_info && (tun_info->mode & IP_TUNNEL_INFO_TX) &&
+                    ip_tunnel_info_af(tun_info) == AF_INET &&
+                    tun_info->key.u.ipv4.dst)
+                        dst = tun_info->key.u.ipv4.dst;
+                else if (skb->protocol == htons(ETH_P_IP)) {
                         rt = skb_rtable(skb);
                         dst = rt_nexthop(rt, inner_iph->daddr);
                 }
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index d7b43e700023..68a21bf75dd0 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -74,6 +74,33 @@ drop:
         return 0;
 }
 
+static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi,
+                     int encap_type)
+{
+        struct ip_tunnel *tunnel;
+        const struct iphdr *iph = ip_hdr(skb);
+        struct net *net = dev_net(skb->dev);
+        struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
+
+        tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
+                                  iph->saddr, iph->daddr, 0);
+        if (tunnel) {
+                if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+                        goto drop;
+
+                XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
+
+                skb->dev = tunnel->dev;
+
+                return xfrm_input(skb, nexthdr, spi, encap_type);
+        }
+
+        return -EINVAL;
+drop:
+        kfree_skb(skb);
+        return 0;
+}
+
 static int vti_rcv(struct sk_buff *skb)
 {
         XFRM_SPI_SKB_CB(skb)->family = AF_INET;
@@ -82,6 +109,14 @@ static int vti_rcv(struct sk_buff *skb)
         return vti_input(skb, ip_hdr(skb)->protocol, 0, 0);
 }
 
+static int vti_rcv_ipip(struct sk_buff *skb)
+{
+        XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+        XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+
+        return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 0);
+}
+
 static int vti_rcv_cb(struct sk_buff *skb, int err)
 {
         unsigned short family;
@@ -435,6 +470,12 @@ static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = {
         .priority       =       100,
 };
 
+static struct xfrm_tunnel ipip_handler __read_mostly = {
+        .handler        =       vti_rcv_ipip,
+        .err_handler    =       vti4_err,
+        .priority       =       0,
+};
+
 static int __net_init vti_init_net(struct net *net)
 {
         int err;
@@ -603,6 +644,13 @@ static int __init vti_init(void)
         if (err < 0)
                 goto xfrm_proto_comp_failed;
 
+        msg = "ipip tunnel";
+        err = xfrm4_tunnel_register(&ipip_handler, AF_INET);
+        if (err < 0) {
+                pr_info("%s: cant't register tunnel\n",__func__);
+                goto xfrm_tunnel_failed;
+        }
+
         msg = "netlink interface";
         err = rtnl_link_register(&vti_link_ops);
         if (err < 0)
@@ -612,6 +660,8 @@ static int __init vti_init(void)
 
 rtnl_link_failed:
         xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
+xfrm_tunnel_failed:
+        xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
 xfrm_proto_comp_failed:
         xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH);
 xfrm_proto_ah_failed:
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index b61977db9b7f..2a909e5f9ba0 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -846,9 +846,9 @@ static int clusterip_net_init(struct net *net)
 
 static void clusterip_net_exit(struct net *net)
 {
+#ifdef CONFIG_PROC_FS
         struct clusterip_net *cn = clusterip_pernet(net);
 
-#ifdef CONFIG_PROC_FS
         mutex_lock(&cn->mutex);
         proc_remove(cn->procdir);
         cn->procdir = NULL;
diff --git a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
index 2687db015b6f..fa2ba7c500e4 100644
--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
@@ -215,6 +215,7 @@ int nf_nat_icmp_reply_translation(struct sk_buff *skb,
 
         /* Change outer to look like the reply to an incoming packet */
         nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
+        target.dst.protonum = IPPROTO_ICMP;
         if (!nf_nat_ipv4_manip_pkt(skb, 0, &target, manip))
                 return 0;
 
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic_main.c b/net/ipv4/netfilter/nf_nat_snmp_basic_main.c
index a0aa13bcabda..0a8a60c1bf9a 100644
--- a/net/ipv4/netfilter/nf_nat_snmp_basic_main.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic_main.c
@@ -105,6 +105,8 @@ static void fast_csum(struct snmp_ctx *ctx, unsigned char offset)
 int snmp_version(void *context, size_t hdrlen, unsigned char tag,
                  const void *data, size_t datalen)
 {
+        if (datalen != 1)
+                return -EINVAL;
         if (*(unsigned char *)data > 1)
                 return -ENOTSUPP;
         return 1;
@@ -114,8 +116,11 @@ int snmp_helper(void *context, size_t hdrlen, unsigned char tag,
                 const void *data, size_t datalen)
 {
         struct snmp_ctx *ctx = (struct snmp_ctx *)context;
-        __be32 *pdata = (__be32 *)data;
+        __be32 *pdata;
 
+        if (datalen != 4)
+                return -EINVAL;
+        pdata = (__be32 *)data;
         if (*pdata == ctx->from) {
                 pr_debug("%s: %pI4 to %pI4\n", __func__,
                          (void *)&ctx->from, (void *)&ctx->to);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index ce92f73cf104..5163b64f8fb3 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -887,13 +887,15 @@ void ip_rt_send_redirect(struct sk_buff *skb)
         /* No redirected packets during ip_rt_redirect_silence;
          * reset the algorithm.
          */
-        if (time_after(jiffies, peer->rate_last + ip_rt_redirect_silence))
+        if (time_after(jiffies, peer->rate_last + ip_rt_redirect_silence)) {
                 peer->rate_tokens = 0;
+                peer->n_redirects = 0;
+        }
 
         /* Too many ignored redirects; do not send anything
          * set dst.rate_last to the last seen redirected packet.
          */
-        if (peer->rate_tokens >= ip_rt_redirect_number) {
+        if (peer->n_redirects >= ip_rt_redirect_number) {
                 peer->rate_last = jiffies;
                 goto out_put_peer;
         }
@@ -910,6 +912,7 @@ void ip_rt_send_redirect(struct sk_buff *skb)
                 icmp_send(skb, ICMP_REDIRECT, ICMP_REDIR_HOST, gw);
                 peer->rate_last = jiffies;
                 ++peer->rate_tokens;
+                ++peer->n_redirects;
 #ifdef CONFIG_IP_ROUTE_VERBOSE
                 if (log_martians &&
                     peer->rate_tokens == ip_rt_redirect_number)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 27e2f6837062..cf3c5095c10e 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -1186,7 +1186,7 @@ int tcp_sendmsg_locked(struct sock *sk, struct msghdr *msg, size_t size)
         flags = msg->msg_flags;
 
         if (flags & MSG_ZEROCOPY && size && sock_flag(sk, SOCK_ZEROCOPY)) {
-                if (sk->sk_state != TCP_ESTABLISHED) {
+                if ((1 << sk->sk_state) & ~(TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)) {
                         err = -EINVAL;
                         goto out_err;
                 }
@@ -2528,6 +2528,7 @@ void tcp_write_queue_purge(struct sock *sk)
         sk_mem_reclaim(sk);
         tcp_clear_all_retrans_hints(tcp_sk(sk));
         tcp_sk(sk)->packets_out = 0;
+        inet_csk(sk)->icsk_backoff = 0;
 }
 
 int tcp_disconnect(struct sock *sk, int flags)
@@ -2576,7 +2577,6 @@ int tcp_disconnect(struct sock *sk, int flags)
         tp->write_seq += tp->max_window + 2;
         if (tp->write_seq == 0)
                 tp->write_seq = 1;
-        icsk->icsk_backoff = 0;
         tp->snd_cwnd = 2;
         icsk->icsk_probes_out = 0;
         tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index efc6fef692ff..ec3cea9d6828 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -536,12 +536,15 @@ int tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
                 if (sock_owned_by_user(sk))
                         break;
 
+                skb = tcp_rtx_queue_head(sk);
+                if (WARN_ON_ONCE(!skb))
+                        break;
+
                 icsk->icsk_backoff--;
                 icsk->icsk_rto = tp->srtt_us ? __tcp_set_rto(tp) :
                                                TCP_TIMEOUT_INIT;
                 icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX);
 
-                skb = tcp_rtx_queue_head(sk);
 
                 tcp_mstamp_refresh(tp);
                 delta_us = (u32)(tp->tcp_mstamp - tcp_skb_timestamp_us(skb));
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 730bc44dbad9..ccc78f3a4b60 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2347,6 +2347,7 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle,
                         /* "skb_mstamp_ns" is used as a start point for the retransmit timer */
                         skb->skb_mstamp_ns = tp->tcp_wstamp_ns = tp->tcp_clock_cache;
                         list_move_tail(&skb->tcp_tsorted_anchor, &tp->tsorted_sent_queue);
+                        tcp_init_tso_segs(skb, mss_now);
                         goto repair; /* Skip network transmission */
                 }
 
diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
index f87dbc78b6bc..71a29e9c0620 100644
--- a/net/ipv4/tcp_timer.c
+++ b/net/ipv4/tcp_timer.c
@@ -226,7 +226,7 @@ static int tcp_write_timeout(struct sock *sk)
         if ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
                 if (icsk->icsk_retransmits) {
                         dst_negative_advice(sk);
-                } else if (!tp->syn_data && !tp->syn_fastopen) {
+                } else {
                         sk_rethink_txhash(sk);
                 }
                 retry_until = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_syn_retries;
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 3fb0ed5e4789..372fdc5381a9 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -562,10 +562,12 @@ static int __udp4_lib_err_encap_no_sk(struct sk_buff *skb, u32 info)
 
         for (i = 0; i < MAX_IPTUN_ENCAP_OPS; i++) {
                 int (*handler)(struct sk_buff *skb, u32 info);
+                const struct ip_tunnel_encap_ops *encap;
 
-                if (!iptun_encaps[i])
+                encap = rcu_dereference(iptun_encaps[i]);
+                if (!encap)
                         continue;
-                handler = rcu_dereference(iptun_encaps[i]->err_handler);
+                handler = encap->err_handler;
                 if (handler && !handler(skb, info))
                         return 0;
         }
@@ -847,15 +849,23 @@ static int udp_send_skb(struct sk_buff *skb, struct flowi4 *fl4,
                 const int hlen = skb_network_header_len(skb) +
                                  sizeof(struct udphdr);
 
-                if (hlen + cork->gso_size > cork->fragsize)
+                if (hlen + cork->gso_size > cork->fragsize) {
+                        kfree_skb(skb);
                         return -EINVAL;
-                if (skb->len > cork->gso_size * UDP_MAX_SEGMENTS)
+                }
+                if (skb->len > cork->gso_size * UDP_MAX_SEGMENTS) {
+                        kfree_skb(skb);
                         return -EINVAL;
-                if (sk->sk_no_check_tx)
+                }
+                if (sk->sk_no_check_tx) {
+                        kfree_skb(skb);
                         return -EINVAL;
+                }
                 if (skb->ip_summed != CHECKSUM_PARTIAL || is_udplite ||
-                    dst_xfrm(skb_dst(skb)))
+                    dst_xfrm(skb_dst(skb))) {
+                        kfree_skb(skb);
                         return -EIO;
+                }
 
                 skb_shinfo(skb)->gso_size = cork->gso_size;
                 skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4;
@@ -1918,7 +1928,7 @@ void udp_lib_rehash(struct sock *sk, u16 newhash)
 }
 EXPORT_SYMBOL(udp_lib_rehash);
 
-static void udp_v4_rehash(struct sock *sk)
+void udp_v4_rehash(struct sock *sk)
 {
         u16 new_hash = ipv4_portaddr_hash(sock_net(sk),
                                           inet_sk(sk)->inet_rcv_saddr,
diff --git a/net/ipv4/udp_impl.h b/net/ipv4/udp_impl.h
index 322672655419..6b2fa77eeb1c 100644
--- a/net/ipv4/udp_impl.h
+++ b/net/ipv4/udp_impl.h
@@ -10,6 +10,7 @@ int __udp4_lib_rcv(struct sk_buff *, struct udp_table *, int);
 int __udp4_lib_err(struct sk_buff *, u32, struct udp_table *);
 
 int udp_v4_get_port(struct sock *sk, unsigned short snum);
+void udp_v4_rehash(struct sock *sk);
 
 int udp_setsockopt(struct sock *sk, int level, int optname,
                    char __user *optval, unsigned int optlen);
diff --git a/net/ipv4/udplite.c b/net/ipv4/udplite.c
index 39c7f17d916f..3c94b8f0ff27 100644
--- a/net/ipv4/udplite.c
+++ b/net/ipv4/udplite.c
@@ -53,6 +53,7 @@ struct proto 	udplite_prot = {
         .sendpage          = udp_sendpage,
         .hash              = udp_lib_hash,
         .unhash            = udp_lib_unhash,
+        .rehash            = udp_v4_rehash,
         .get_port          = udp_v4_get_port,
         .memory_allocated  = &udp_memory_allocated,
         .sysctl_mem        = sysctl_udp_mem,
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 8eeec6eb2bd3..72ffd3d760ff 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1165,7 +1165,8 @@ check_cleanup_prefix_route(struct inet6_ifaddr *ifp, unsigned long *expires)
         list_for_each_entry(ifa, &idev->addr_list, if_list) {
                 if (ifa == ifp)
                         continue;
-                if (!ipv6_prefix_equal(&ifa->addr, &ifp->addr,
+                if (ifa->prefix_len != ifp->prefix_len ||
+                    !ipv6_prefix_equal(&ifa->addr, &ifp->addr,
                                        ifp->prefix_len))
                         continue;
                 if (ifa->flags & (IFA_F_PERMANENT | IFA_F_NOPREFIXROUTE))
@@ -3495,8 +3496,8 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event,
 
                         if (!addrconf_link_ready(dev)) {
                                 /* device is not ready yet. */
-                                pr_info("ADDRCONF(NETDEV_UP): %s: link is not ready\n",
-                                        dev->name);
+                                pr_debug("ADDRCONF(NETDEV_UP): %s: link is not ready\n",
+                                         dev->name);
                                 break;
                         }
 
@@ -5120,6 +5121,8 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
                         if (idev) {
                                 err = in6_dump_addrs(idev, skb, cb, s_ip_idx,
                                                      &fillargs);
+                                if (err > 0)
+                                        err = 0;
                         }
                         goto put_tgt_net;
                 }
@@ -5154,7 +5157,7 @@ put_tgt_net:
         if (fillargs.netnsid >= 0)
                 put_net(tgt_net);
 
-        return err < 0 ? err : skb->len;
+        return skb->len ? : err;
 }
 
 static int inet6_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 0bfb6cc0a30a..d99753b5e39b 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -310,6 +310,7 @@ static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len,
 
         /* Check if the address belongs to the host. */
         if (addr_type == IPV6_ADDR_MAPPED) {
+                struct net_device *dev = NULL;
                 int chk_addr_ret;
 
                 /* Binding to v4-mapped address on a v6-only socket
@@ -320,9 +321,20 @@ static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len,
                         goto out;
                 }
 
+                rcu_read_lock();
+                if (sk->sk_bound_dev_if) {
+                        dev = dev_get_by_index_rcu(net, sk->sk_bound_dev_if);
+                        if (!dev) {
+                                err = -ENODEV;
+                                goto out_unlock;
+                        }
+                }
+
                 /* Reproduce AF_INET checks to make the bindings consistent */
                 v4addr = addr->sin6_addr.s6_addr32[3];
-                chk_addr_ret = inet_addr_type(net, v4addr);
+                chk_addr_ret = inet_addr_type_dev_table(net, dev, v4addr);
+                rcu_read_unlock();
+
                 if (!inet_can_nonlocal_bind(net, inet) &&
                     v4addr != htonl(INADDR_ANY) &&
                     chk_addr_ret != RTN_LOCAL &&
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index bde08aa549f3..ee4a4e54d016 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -341,6 +341,7 @@ void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info)
         skb_reset_network_header(skb);
         iph = ipv6_hdr(skb);
         iph->daddr = fl6->daddr;
+        ip6_flow_hdr(iph, 0, 0);
 
         serr = SKB_EXT_ERR(skb);
         serr->ee.ee_errno = err;
@@ -700,17 +701,15 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
         }
         if (np->rxopt.bits.rxorigdstaddr) {
                 struct sockaddr_in6 sin6;
-                __be16 *ports;
-                int end;
+                __be16 _ports[2], *ports;
 
-                end = skb_transport_offset(skb) + 4;
-                if (end <= 0 || pskb_may_pull(skb, end)) {
+                ports = skb_header_pointer(skb, skb_transport_offset(skb),
+                                           sizeof(_ports), &_ports);
+                if (ports) {
                         /* All current transport protocols have the port numbers in the
                          * first four bytes of the transport header and this function is
                          * written with this assumption in mind.
                          */
-                        ports = (__be16 *)skb_transport_header(skb);
-
                         sin6.sin6_family = AF_INET6;
                         sin6.sin6_addr = ipv6_hdr(skb)->daddr;
                         sin6.sin6_port = ports[1];
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 5afe9f83374d..239d4a65ad6e 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -296,7 +296,7 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
                         skb->len += tailen;
                         skb->data_len += tailen;
                         skb->truesize += tailen;
-                        if (sk)
+                        if (sk && sk_fullsock(sk))
                                 refcount_add(tailen, &sk->sk_wmem_alloc);
 
                         goto out;
diff --git a/net/ipv6/fou6.c b/net/ipv6/fou6.c
index bd675c61deb1..867474abe269 100644
--- a/net/ipv6/fou6.c
+++ b/net/ipv6/fou6.c
@@ -72,7 +72,7 @@ static int gue6_build_header(struct sk_buff *skb, struct ip_tunnel_encap *e,
 
 static int gue6_err_proto_handler(int proto, struct sk_buff *skb,
                                   struct inet6_skb_parm *opt,
-                                  u8 type, u8 code, int offset, u32 info)
+                                  u8 type, u8 code, int offset, __be32 info)
 {
         const struct inet6_protocol *ipprot;
 
@@ -90,10 +90,11 @@ static int gue6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
 {
         int transport_offset = skb_transport_offset(skb);
         struct guehdr *guehdr;
-        size_t optlen;
+        size_t len, optlen;
         int ret;
 
-        if (skb->len < sizeof(struct udphdr) + sizeof(struct guehdr))
+        len = sizeof(struct udphdr) + sizeof(struct guehdr);
+        if (!pskb_may_pull(skb, len))
                 return -EINVAL;
 
         guehdr = (struct guehdr *)&udp_hdr(skb)[1];
@@ -128,9 +129,21 @@ static int gue6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
 
         optlen = guehdr->hlen << 2;
 
+        if (!pskb_may_pull(skb, len + optlen))
+                return -EINVAL;
+
+        guehdr = (struct guehdr *)&udp_hdr(skb)[1];
         if (validate_gue_flags(guehdr, optlen))
                 return -EINVAL;
 
+        /* Handling exceptions for direct UDP encapsulation in GUE would lead to
+         * recursion. Besides, this kind of encapsulation can't even be
+         * configured currently. Discard this.
+         */
+        if (guehdr->proto_ctype == IPPROTO_UDP ||
+            guehdr->proto_ctype == IPPROTO_UDPLITE)
+                return -EOPNOTSUPP;
+
         skb_set_transport_header(skb, -(int)sizeof(struct icmp6hdr));
         ret = gue6_err_proto_handler(guehdr->proto_ctype, skb,
                                      opt, type, code, offset, info);
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 5d7aa2c2770c..bbcdfd299692 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -423,10 +423,10 @@ static int icmp6_iif(const struct sk_buff *skb)
 static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
                        const struct in6_addr *force_saddr)
 {
-        struct net *net = dev_net(skb->dev);
         struct inet6_dev *idev = NULL;
         struct ipv6hdr *hdr = ipv6_hdr(skb);
         struct sock *sk;
+        struct net *net;
         struct ipv6_pinfo *np;
         const struct in6_addr *saddr = NULL;
         struct dst_entry *dst;
@@ -437,12 +437,16 @@ static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
         int iif = 0;
         int addr_type = 0;
         int len;
-        u32 mark = IP6_REPLY_MARK(net, skb->mark);
+        u32 mark;
 
         if ((u8 *)hdr < skb->head ||
             (skb_network_header(skb) + sizeof(*hdr)) > skb_tail_pointer(skb))
                 return;
 
+        if (!skb->dev)
+                return;
+        net = dev_net(skb->dev);
+        mark = IP6_REPLY_MARK(net, skb->mark);
         /*
          *      Make sure we respect the rules
          *      i.e. RFC 1885 2.4(e)
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 09d0826742f8..26f25b6e2833 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -534,13 +534,9 @@ static int ip6erspan_rcv(struct sk_buff *skb, int gre_hdr_len,
         struct ip6_tnl *tunnel;
         u8 ver;
 
-        if (unlikely(!pskb_may_pull(skb, sizeof(*ershdr))))
-                return PACKET_REJECT;
-
         ipv6h = ipv6_hdr(skb);
         ershdr = (struct erspan_base_hdr *)skb->data;
         ver = ershdr->ver;
-        tpi->key = cpu_to_be32(get_session_id(ershdr));
 
         tunnel = ip6gre_tunnel_lookup(skb->dev,
                                       &ipv6h->saddr, &ipv6h->daddr, tpi->key,
@@ -922,6 +918,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
         __u8 dsfield = false;
         struct flowi6 fl6;
         int err = -EINVAL;
+        __be16 proto;
         __u32 mtu;
         int nhoff;
         int thoff;
@@ -1035,8 +1032,9 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
         }
 
         /* Push GRE header. */
-        gre_build_header(skb, 8, TUNNEL_SEQ,
-                         htons(ETH_P_ERSPAN), 0, htonl(t->o_seqno++));
+        proto = (t->parms.erspan_ver == 1) ? htons(ETH_P_ERSPAN)
+                                           : htons(ETH_P_ERSPAN2);
+        gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(t->o_seqno++));
 
         /* TooBig packet may have updated dst->dev's mtu */
         if (!t->parms.collect_md && dst && dst_mtu(dst) > dst->dev->mtu)
@@ -1169,6 +1167,10 @@ static void ip6gre_tnl_copy_tnl_parm(struct ip6_tnl *t,
         t->parms.i_flags = p->i_flags;
         t->parms.o_flags = p->o_flags;
         t->parms.fwmark = p->fwmark;
+        t->parms.erspan_ver = p->erspan_ver;
+        t->parms.index = p->index;
+        t->parms.dir = p->dir;
+        t->parms.hwid = p->hwid;
         dst_cache_reset(&t->dst_cache);
 }
 
@@ -1717,6 +1719,27 @@ static int ip6erspan_tap_validate(struct nlattr *tb[], struct nlattr *data[],
         return 0;
 }
 
+static void ip6erspan_set_version(struct nlattr *data[],
+                                  struct __ip6_tnl_parm *parms)
+{
+        if (!data)
+                return;
+
+        parms->erspan_ver = 1;
+        if (data[IFLA_GRE_ERSPAN_VER])
+                parms->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]);
+
+        if (parms->erspan_ver == 1) {
+                if (data[IFLA_GRE_ERSPAN_INDEX])
+                        parms->index = nla_get_u32(data[IFLA_GRE_ERSPAN_INDEX]);
+        } else if (parms->erspan_ver == 2) {
+                if (data[IFLA_GRE_ERSPAN_DIR])
+                        parms->dir = nla_get_u8(data[IFLA_GRE_ERSPAN_DIR]);
+                if (data[IFLA_GRE_ERSPAN_HWID])
+                        parms->hwid = nla_get_u16(data[IFLA_GRE_ERSPAN_HWID]);
+        }
+}
+
 static void ip6gre_netlink_parms(struct nlattr *data[],
                                 struct __ip6_tnl_parm *parms)
 {
@@ -1765,20 +1788,6 @@ static void ip6gre_netlink_parms(struct nlattr *data[],
 
         if (data[IFLA_GRE_COLLECT_METADATA])
                 parms->collect_md = true;
-
-        parms->erspan_ver = 1;
-        if (data[IFLA_GRE_ERSPAN_VER])
-                parms->erspan_ver = nla_get_u8(data[IFLA_GRE_ERSPAN_VER]);
-
-        if (parms->erspan_ver == 1) {
-                if (data[IFLA_GRE_ERSPAN_INDEX])
-                        parms->index = nla_get_u32(data[IFLA_GRE_ERSPAN_INDEX]);
-        } else if (parms->erspan_ver == 2) {
-                if (data[IFLA_GRE_ERSPAN_DIR])
-                        parms->dir = nla_get_u8(data[IFLA_GRE_ERSPAN_DIR]);
-                if (data[IFLA_GRE_ERSPAN_HWID])
-                        parms->hwid = nla_get_u16(data[IFLA_GRE_ERSPAN_HWID]);
-        }
 }
 
 static int ip6gre_tap_init(struct net_device *dev)
@@ -2025,9 +2034,9 @@ static int ip6gre_changelink(struct net_device *dev, struct nlattr *tb[],
                              struct nlattr *data[],
                              struct netlink_ext_ack *extack)
 {
-        struct ip6gre_net *ign = net_generic(dev_net(dev), ip6gre_net_id);
+        struct ip6_tnl *t = netdev_priv(dev);
+        struct ip6gre_net *ign = net_generic(t->net, ip6gre_net_id);
         struct __ip6_tnl_parm p;
-        struct ip6_tnl *t;
 
         t = ip6gre_changelink_common(dev, tb, data, &p, extack);
         if (IS_ERR(t))
@@ -2096,12 +2105,31 @@ static int ip6gre_fill_info(struct sk_buff *skb, const struct net_device *dev)
 {
         struct ip6_tnl *t = netdev_priv(dev);
         struct __ip6_tnl_parm *p = &t->parms;
+        __be16 o_flags = p->o_flags;
+
+        if (p->erspan_ver == 1 || p->erspan_ver == 2) {
+                if (!p->collect_md)
+                        o_flags |= TUNNEL_KEY;
+
+                if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, p->erspan_ver))
+                        goto nla_put_failure;
+
+                if (p->erspan_ver == 1) {
+                        if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, p->index))
+                                goto nla_put_failure;
+                } else {
+                        if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, p->dir))
+                                goto nla_put_failure;
+                        if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, p->hwid))
+                                goto nla_put_failure;
+                }
+        }
 
         if (nla_put_u32(skb, IFLA_GRE_LINK, p->link) ||
             nla_put_be16(skb, IFLA_GRE_IFLAGS,
                          gre_tnl_flags_to_gre_flags(p->i_flags)) ||
             nla_put_be16(skb, IFLA_GRE_OFLAGS,
-                         gre_tnl_flags_to_gre_flags(p->o_flags)) ||
+                         gre_tnl_flags_to_gre_flags(o_flags)) ||
             nla_put_be32(skb, IFLA_GRE_IKEY, p->i_key) ||
             nla_put_be32(skb, IFLA_GRE_OKEY, p->o_key) ||
             nla_put_in6_addr(skb, IFLA_GRE_LOCAL, &p->laddr) ||
@@ -2110,8 +2138,7 @@ static int ip6gre_fill_info(struct sk_buff *skb, const struct net_device *dev)
             nla_put_u8(skb, IFLA_GRE_ENCAP_LIMIT, p->encap_limit) ||
             nla_put_be32(skb, IFLA_GRE_FLOWINFO, p->flowinfo) ||
             nla_put_u32(skb, IFLA_GRE_FLAGS, p->flags) ||
-            nla_put_u32(skb, IFLA_GRE_FWMARK, p->fwmark) ||
-            nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, p->index))
+            nla_put_u32(skb, IFLA_GRE_FWMARK, p->fwmark))
                 goto nla_put_failure;
 
         if (nla_put_u16(skb, IFLA_GRE_ENCAP_TYPE,
@@ -2129,19 +2156,6 @@ static int ip6gre_fill_info(struct sk_buff *skb, const struct net_device *dev)
                         goto nla_put_failure;
         }
 
-        if (nla_put_u8(skb, IFLA_GRE_ERSPAN_VER, p->erspan_ver))
-                goto nla_put_failure;
-
-        if (p->erspan_ver == 1) {
-                if (nla_put_u32(skb, IFLA_GRE_ERSPAN_INDEX, p->index))
-                        goto nla_put_failure;
-        } else if (p->erspan_ver == 2) {
-                if (nla_put_u8(skb, IFLA_GRE_ERSPAN_DIR, p->dir))
-                        goto nla_put_failure;
-                if (nla_put_u16(skb, IFLA_GRE_ERSPAN_HWID, p->hwid))
-                        goto nla_put_failure;
-        }
-
         return 0;
 
 nla_put_failure:
@@ -2196,6 +2210,7 @@ static int ip6erspan_newlink(struct net *src_net, struct net_device *dev,
         int err;
 
         ip6gre_netlink_parms(data, &nt->parms);
+        ip6erspan_set_version(data, &nt->parms);
         ign = net_generic(net, ip6gre_net_id);
 
         if (nt->parms.collect_md) {
@@ -2241,6 +2256,7 @@ static int ip6erspan_changelink(struct net_device *dev, struct nlattr *tb[],
         if (IS_ERR(t))
                 return PTR_ERR(t);
 
+        ip6erspan_set_version(data, &p);
         ip6gre_tunnel_unlink_md(ign, t);
         ip6gre_tunnel_unlink(ign, t);
         ip6erspan_tnl_change(t, &p, !tb[IFLA_MTU]);
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 30337b38274b..cc01aa3f2b5e 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1516,6 +1516,9 @@ static void mroute_clean_tables(struct mr_table *mrt, bool all)
                         continue;
                 rhltable_remove(&mrt->mfc_hash, &c->mnode, ip6mr_rht_params);
                 list_del_rcu(&c->list);
+                call_ip6mr_mfc_entry_notifiers(read_pnet(&mrt->net),
+                                               FIB_EVENT_ENTRY_DEL,
+                                               (struct mfc6_cache *)c, mrt->id);
                 mr6_netlink_event(mrt, (struct mfc6_cache *)c, RTM_DELROUTE);
                 mr_cache_put(c);
         }
@@ -1524,10 +1527,6 @@ static void mroute_clean_tables(struct mr_table *mrt, bool all)
                 spin_lock_bh(&mfc_unres_lock);
                 list_for_each_entry_safe(c, tmp, &mrt->mfc_unres_queue, list) {
                         list_del(&c->list);
-                        call_ip6mr_mfc_entry_notifiers(read_pnet(&mrt->net),
-                                                       FIB_EVENT_ENTRY_DEL,
-                                                       (struct mfc6_cache *)c,
-                                                       mrt->id);
                         mr6_netlink_event(mrt, (struct mfc6_cache *)c,
                                           RTM_DELROUTE);
                         ip6mr_destroy_unres(mrt, (struct mfc6_cache *)c);
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 8b075f0bc351..6d0b1f3e927b 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -23,9 +23,11 @@ int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
         struct sock *sk = sk_to_full_sk(skb->sk);
         unsigned int hh_len;
         struct dst_entry *dst;
+        int strict = (ipv6_addr_type(&iph->daddr) &
+                      (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
         struct flowi6 fl6 = {
                 .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
-                        rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
+                        strict ? skb_dst(skb)->dev->ifindex : 0,
                 .flowi6_mark = skb->mark,
                 .flowi6_uid = sock_net_uid(net, sk),
                 .daddr = iph->daddr,
diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
index 23022447eb49..7a41ee3c11b4 100644
--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -226,6 +226,7 @@ int nf_nat_icmpv6_reply_translation(struct sk_buff *skb,
         }
 
         nf_ct_invert_tuplepr(&target, &ct->tuplehash[!dir].tuple);
+        target.dst.protonum = IPPROTO_ICMPV6;
         if (!nf_nat_ipv6_manip_pkt(skb, 0, &target, manip))
                 return 0;
 
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 40b225f87d5e..ce15dc4ccbfa 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1274,18 +1274,29 @@ static DEFINE_SPINLOCK(rt6_exception_lock);
 static void rt6_remove_exception(struct rt6_exception_bucket *bucket,
                                  struct rt6_exception *rt6_ex)
 {
+        struct fib6_info *from;
         struct net *net;
 
         if (!bucket || !rt6_ex)
                 return;
 
         net = dev_net(rt6_ex->rt6i->dst.dev);
+        net->ipv6.rt6_stats->fib_rt_cache--;
+
+        /* purge completely the exception to allow releasing the held resources:
+         * some [sk] cache may keep the dst around for unlimited time
+         */
+        from = rcu_dereference_protected(rt6_ex->rt6i->from,
+                                         lockdep_is_held(&rt6_exception_lock));
+        rcu_assign_pointer(rt6_ex->rt6i->from, NULL);
+        fib6_info_release(from);
+        dst_dev_put(&rt6_ex->rt6i->dst);
+
         hlist_del_rcu(&rt6_ex->hlist);
         dst_release(&rt6_ex->rt6i->dst);
         kfree_rcu(rt6_ex, rcu);
         WARN_ON_ONCE(!bucket->depth);
         bucket->depth--;
-        net->ipv6.rt6_stats->fib_rt_cache--;
 }
 
 /* Remove oldest rt6_ex in bucket and free the memory
@@ -1599,15 +1610,15 @@ static int rt6_remove_exception_rt(struct rt6_info *rt)
 static void rt6_update_exception_stamp_rt(struct rt6_info *rt)
 {
         struct rt6_exception_bucket *bucket;
-        struct fib6_info *from = rt->from;
         struct in6_addr *src_key = NULL;
         struct rt6_exception *rt6_ex;
-
-        if (!from ||
-            !(rt->rt6i_flags & RTF_CACHE))
-                return;
+        struct fib6_info *from;
 
         rcu_read_lock();
+        from = rcu_dereference(rt->from);
+        if (!from || !(rt->rt6i_flags & RTF_CACHE))
+                goto unlock;
+
         bucket = rcu_dereference(from->rt6i_exception_bucket);
 
 #ifdef CONFIG_IPV6_SUBTREES
@@ -1626,6 +1637,7 @@ static void rt6_update_exception_stamp_rt(struct rt6_info *rt)
         if (rt6_ex)
                 rt6_ex->stamp = jiffies;
 
+unlock:
         rcu_read_unlock();
 }
 
@@ -2742,20 +2754,24 @@ static int ip6_route_check_nh_onlink(struct net *net,
         u32 tbid = l3mdev_fib_table(dev) ? : RT_TABLE_MAIN;
         const struct in6_addr *gw_addr = &cfg->fc_gateway;
         u32 flags = RTF_LOCAL | RTF_ANYCAST | RTF_REJECT;
+        struct fib6_info *from;
         struct rt6_info *grt;
         int err;
 
         err = 0;
         grt = ip6_nh_lookup_table(net, cfg, gw_addr, tbid, 0);
         if (grt) {
+                rcu_read_lock();
+                from = rcu_dereference(grt->from);
                 if (!grt->dst.error &&
                     /* ignore match if it is the default route */
-                    grt->from && !ipv6_addr_any(&grt->from->fib6_dst.addr) &&
+                    from && !ipv6_addr_any(&from->fib6_dst.addr) &&
                     (grt->rt6i_flags & flags || dev != grt->dst.dev)) {
                         NL_SET_ERR_MSG(extack,
                                        "Nexthop has invalid gateway or device mismatch");
                         err = -EINVAL;
                 }
+                rcu_read_unlock();
 
                 ip6_rt_put(grt);
         }
@@ -4251,17 +4267,6 @@ struct rt6_nh {
         struct list_head next;
 };
 
-static void ip6_print_replace_route_err(struct list_head *rt6_nh_list)
-{
-        struct rt6_nh *nh;
-
-        list_for_each_entry(nh, rt6_nh_list, next) {
-                pr_warn("IPV6: multipath route replace failed (check consistency of installed routes): %pI6c nexthop %pI6c ifi %d\n",
-                        &nh->r_cfg.fc_dst, &nh->r_cfg.fc_gateway,
-                        nh->r_cfg.fc_ifindex);
-        }
-}
-
 static int ip6_route_info_append(struct net *net,
                                  struct list_head *rt6_nh_list,
                                  struct fib6_info *rt,
@@ -4407,7 +4412,8 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
                 nh->fib6_info = NULL;
                 if (err) {
                         if (replace && nhn)
-                                ip6_print_replace_route_err(&rt6_nh_list);
+                                NL_SET_ERR_MSG_MOD(extack,
+                                                   "multipath route replace failed (check consistency of installed routes)");
                         err_nh = nh;
                         goto add_errout;
                 }
@@ -4659,7 +4665,7 @@ static int rt6_fill_node(struct net *net, struct sk_buff *skb,
                 table = rt->fib6_table->tb6_id;
         else
                 table = RT6_TABLE_UNSPEC;
-        rtm->rtm_table = table;
+        rtm->rtm_table = table < 256 ? table : RT_TABLE_COMPAT;
         if (nla_put_u32(skb, RTA_TABLE, table))
                 goto nla_put_failure;
 
diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
index 8d0ba757a46c..9b2f272ca164 100644
--- a/net/ipv6/seg6.c
+++ b/net/ipv6/seg6.c
@@ -221,9 +221,7 @@ static int seg6_genl_get_tunsrc(struct sk_buff *skb, struct genl_info *info)
         rcu_read_unlock();
 
         genlmsg_end(msg, hdr);
-        genlmsg_reply(msg, info);
-
-        return 0;
+        return genlmsg_reply(msg, info);
 
 nla_put_failure:
         rcu_read_unlock();
diff --git a/net/ipv6/seg6_iptunnel.c b/net/ipv6/seg6_iptunnel.c
index 8181ee7e1e27..ee5403cbe655 100644
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -146,6 +146,8 @@ int seg6_do_srh_encap(struct sk_buff *skb, struct ipv6_sr_hdr *osrh, int proto)
         } else {
                 ip6_flow_hdr(hdr, 0, flowlabel);
                 hdr->hop_limit = ip6_dst_hoplimit(skb_dst(skb));
+
+                memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
         }
 
         hdr->nexthdr = NEXTHDR_ROUTING;
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 1e03305c0549..e8a1dabef803 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -546,7 +546,8 @@ static int ipip6_err(struct sk_buff *skb, u32 info)
         }
 
         err = 0;
-        if (!ip6_err_gen_icmpv6_unreach(skb, iph->ihl * 4, type, data_len))
+        if (__in6_dev_get(skb->dev) &&
+            !ip6_err_gen_icmpv6_unreach(skb, iph->ihl * 4, type, data_len))
                 goto out;
 
         if (t->parms.iph.daddr == 0)
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 9cbf363172bd..b444483cdb2b 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -102,7 +102,7 @@ int udp_v6_get_port(struct sock *sk, unsigned short snum)
         return udp_lib_get_port(sk, snum, hash2_nulladdr);
 }
 
-static void udp_v6_rehash(struct sock *sk)
+void udp_v6_rehash(struct sock *sk)
 {
         u16 new_hash = ipv6_portaddr_hash(sock_net(sk),
                                           &sk->sk_v6_rcv_saddr,
@@ -288,8 +288,8 @@ int udpv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
         int peeked, peeking, off;
         int err;
         int is_udplite = IS_UDPLITE(sk);
+        struct udp_mib __percpu *mib;
         bool checksum_valid = false;
-        struct udp_mib *mib;
         int is_udp4;
 
         if (flags & MSG_ERRQUEUE)
@@ -420,17 +420,19 @@ EXPORT_SYMBOL(udpv6_encap_enable);
  */
 static int __udp6_lib_err_encap_no_sk(struct sk_buff *skb,
                                       struct inet6_skb_parm *opt,
-                                      u8 type, u8 code, int offset, u32 info)
+                                      u8 type, u8 code, int offset, __be32 info)
 {
         int i;
 
         for (i = 0; i < MAX_IPTUN_ENCAP_OPS; i++) {
                 int (*handler)(struct sk_buff *skb, struct inet6_skb_parm *opt,
-                               u8 type, u8 code, int offset, u32 info);
+                               u8 type, u8 code, int offset, __be32 info);
+                const struct ip6_tnl_encap_ops *encap;
 
-                if (!ip6tun_encaps[i])
+                encap = rcu_dereference(ip6tun_encaps[i]);
+                if (!encap)
                         continue;
-                handler = rcu_dereference(ip6tun_encaps[i]->err_handler);
+                handler = encap->err_handler;
                 if (handler && !handler(skb, opt, type, code, offset, info))
                         return 0;
         }
@@ -1132,15 +1134,23 @@ static int udp_v6_send_skb(struct sk_buff *skb, struct flowi6 *fl6,
                 const int hlen = skb_network_header_len(skb) +
                                  sizeof(struct udphdr);
 
-                if (hlen + cork->gso_size > cork->fragsize)
+                if (hlen + cork->gso_size > cork->fragsize) {
+                        kfree_skb(skb);
                         return -EINVAL;
-                if (skb->len > cork->gso_size * UDP_MAX_SEGMENTS)
+                }
+                if (skb->len > cork->gso_size * UDP_MAX_SEGMENTS) {
+                        kfree_skb(skb);
                         return -EINVAL;
-                if (udp_sk(sk)->no_check6_tx)
+                }
+                if (udp_sk(sk)->no_check6_tx) {
+                        kfree_skb(skb);
                         return -EINVAL;
+                }
                 if (skb->ip_summed != CHECKSUM_PARTIAL || is_udplite ||
-                    dst_xfrm(skb_dst(skb)))
+                    dst_xfrm(skb_dst(skb))) {
+                        kfree_skb(skb);
                         return -EIO;
+                }
 
                 skb_shinfo(skb)->gso_size = cork->gso_size;
                 skb_shinfo(skb)->gso_type = SKB_GSO_UDP_L4;
@@ -1390,10 +1400,7 @@ do_udp_sendmsg:
         ipc6.opt = opt;
 
         fl6.flowi6_proto = sk->sk_protocol;
-        if (!ipv6_addr_any(daddr))
-                fl6.daddr = *daddr;
-        else
-                fl6.daddr.s6_addr[15] = 0x1; /* :: means loopback (BSD'ism) */
+        fl6.daddr = *daddr;
         if (ipv6_addr_any(&fl6.saddr) && !ipv6_addr_any(&np->saddr))
                 fl6.saddr = np->saddr;
         fl6.fl6_sport = inet->inet_sport;
@@ -1421,6 +1428,9 @@ do_udp_sendmsg:
                 }
         }
 
+        if (ipv6_addr_any(&fl6.daddr))
+                fl6.daddr.s6_addr[15] = 0x1; /* :: means loopback (BSD'ism) */
+
         final_p = fl6_update_dst(&fl6, opt, &final);
         if (final_p)
                 connected = false;
diff --git a/net/ipv6/udp_impl.h b/net/ipv6/udp_impl.h
index 5730e6503cb4..20e324b6f358 100644
--- a/net/ipv6/udp_impl.h
+++ b/net/ipv6/udp_impl.h
@@ -13,6 +13,7 @@ int __udp6_lib_err(struct sk_buff *, struct inet6_skb_parm *, u8, u8, int,
                    __be32, struct udp_table *);
 
 int udp_v6_get_port(struct sock *sk, unsigned short snum);
+void udp_v6_rehash(struct sock *sk);
 
 int udpv6_getsockopt(struct sock *sk, int level, int optname,
                      char __user *optval, int __user *optlen);
diff --git a/net/ipv6/udplite.c b/net/ipv6/udplite.c
index a125aebc29e5..f35907836444 100644
--- a/net/ipv6/udplite.c
+++ b/net/ipv6/udplite.c
@@ -49,6 +49,7 @@ struct proto udplitev6_prot = {
         .recvmsg           = udpv6_recvmsg,
         .hash              = udp_lib_hash,
         .unhash            = udp_lib_unhash,
+        .rehash            = udp_v6_rehash,
         .get_port          = udp_v6_get_port,
         .memory_allocated  = &udp_memory_allocated,
         .sysctl_mem        = sysctl_udp_mem,
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index f5b4febeaa25..bc65db782bfb 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -344,8 +344,8 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
         struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
         unsigned int i;
 
-        xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
         xfrm_flush_gc();
+        xfrm_state_flush(net, IPSEC_PROTO_ANY, false, true);
 
         for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
                 WARN_ON_ONCE(!hlist_empty(&xfrm6_tn->spi_byaddr[i]));
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 655c787f9d54..5651c29cb5bd 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -196,30 +196,22 @@ static int pfkey_release(struct socket *sock)
         return 0;
 }
 
-static int pfkey_broadcast_one(struct sk_buff *skb, struct sk_buff **skb2,
-                               gfp_t allocation, struct sock *sk)
+static int pfkey_broadcast_one(struct sk_buff *skb, gfp_t allocation,
+                               struct sock *sk)
 {
         int err = -ENOBUFS;
 
-        sock_hold(sk);
-        if (*skb2 == NULL) {
-                if (refcount_read(&skb->users) != 1) {
-                        *skb2 = skb_clone(skb, allocation);
-                } else {
-                        *skb2 = skb;
-                        refcount_inc(&skb->users);
-                }
-        }
-        if (*skb2 != NULL) {
-                if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf) {
-                        skb_set_owner_r(*skb2, sk);
-                        skb_queue_tail(&sk->sk_receive_queue, *skb2);
-                        sk->sk_data_ready(sk);
-                        *skb2 = NULL;
-                        err = 0;
-                }
+        if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
+                return err;
+
+        skb = skb_clone(skb, allocation);
+
+        if (skb) {
+                skb_set_owner_r(skb, sk);
+                skb_queue_tail(&sk->sk_receive_queue, skb);
+                sk->sk_data_ready(sk);
+                err = 0;
         }
-        sock_put(sk);
         return err;
 }
 
@@ -234,7 +226,6 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
 {
         struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
         struct sock *sk;
-        struct sk_buff *skb2 = NULL;
         int err = -ESRCH;
 
         /* XXX Do we need something like netlink_overrun?  I think
@@ -253,7 +244,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
                  * socket.
                  */
                 if (pfk->promisc)
-                        pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk);
+                        pfkey_broadcast_one(skb, GFP_ATOMIC, sk);
 
                 /* the exact target will be processed later */
                 if (sk == one_sk)
@@ -268,7 +259,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
                                 continue;
                 }
 
-                err2 = pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk);
+                err2 = pfkey_broadcast_one(skb, GFP_ATOMIC, sk);
 
                 /* Error is cleared after successful sending to at least one
                  * registered KM */
@@ -278,9 +269,8 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
         rcu_read_unlock();
 
         if (one_sk != NULL)
-                err = pfkey_broadcast_one(skb, &skb2, allocation, one_sk);
+                err = pfkey_broadcast_one(skb, allocation, one_sk);
 
-        kfree_skb(skb2);
         kfree_skb(skb);
         return err;
 }
@@ -1783,7 +1773,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_m
         if (proto == 0)
                 return -EINVAL;
 
-        err = xfrm_state_flush(net, proto, true);
+        err = xfrm_state_flush(net, proto, true, false);
         err2 = unicast_flush_resp(sk, hdr);
         if (err || err2) {
                 if (err == -ESRCH) /* empty table - go quietly */
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 26f1d435696a..fed6becc5daf 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -83,8 +83,7 @@
 #define L2TP_SLFLAG_S      0x40000000
 #define L2TP_SL_SEQ_MASK   0x00ffffff
 
-#define L2TP_HDR_SIZE_SEQ               10
-#define L2TP_HDR_SIZE_NOSEQ             6
+#define L2TP_HDR_SIZE_MAX               14
 
 /* Default trace flags */
 #define L2TP_DEFAULT_DEBUG_FLAGS        0
@@ -808,7 +807,7 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb)
         __skb_pull(skb, sizeof(struct udphdr));
 
         /* Short packet? */
-        if (!pskb_may_pull(skb, L2TP_HDR_SIZE_SEQ)) {
+        if (!pskb_may_pull(skb, L2TP_HDR_SIZE_MAX)) {
                 l2tp_info(tunnel, L2TP_MSG_DATA,
                           "%s: recv short packet (len=%d)\n",
                           tunnel->name, skb->len);
@@ -884,6 +883,10 @@ static int l2tp_udp_recv_core(struct l2tp_tunnel *tunnel, struct sk_buff *skb)
                 goto error;
         }
 
+        if (tunnel->version == L2TP_HDR_VER_3 &&
+            l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
+                goto error;
+
         l2tp_recv_common(session, skb, ptr, optr, hdrflags, length);
         l2tp_session_dec_refcount(session);
 
diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h
index 9c9afe94d389..b2ce90260c35 100644
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -301,6 +301,26 @@ static inline bool l2tp_tunnel_uses_xfrm(const struct l2tp_tunnel *tunnel)
 }
 #endif
 
+static inline int l2tp_v3_ensure_opt_in_linear(struct l2tp_session *session, struct sk_buff *skb,
+                                               unsigned char **ptr, unsigned char **optr)
+{
+        int opt_len = session->peer_cookie_len + l2tp_get_l2specific_len(session);
+
+        if (opt_len > 0) {
+                int off = *ptr - *optr;
+
+                if (!pskb_may_pull(skb, off + opt_len))
+                        return -1;
+
+                if (skb->data != *optr) {
+                        *optr = skb->data;
+                        *ptr = skb->data + off;
+                }
+        }
+
+        return 0;
+}
+
 #define l2tp_printk(ptr, type, func, fmt, ...)                          \
 do {                                                                    \
         if (((ptr)->debug) & (type))                                    \
diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
index 35f6f86d4dcc..d4c60523c549 100644
--- a/net/l2tp/l2tp_ip.c
+++ b/net/l2tp/l2tp_ip.c
@@ -165,6 +165,9 @@ static int l2tp_ip_recv(struct sk_buff *skb)
                 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length);
         }
 
+        if (l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
+                goto discard_sess;
+
         l2tp_recv_common(session, skb, ptr, optr, 0, skb->len);
         l2tp_session_dec_refcount(session);
 
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index 237f1a4a0b0c..0ae6899edac0 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -178,6 +178,9 @@ static int l2tp_ip6_recv(struct sk_buff *skb)
                 print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length);
         }
 
+        if (l2tp_v3_ensure_opt_in_linear(session, skb, &ptr, &optr))
+                goto discard_sess;
+
         l2tp_recv_common(session, skb, ptr, optr, 0, skb->len);
         l2tp_session_dec_refcount(session);
 
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index 69e831bc317b..54821fb1a960 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -8,7 +8,7 @@
  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
  * Copyright 2007-2010, Intel Corporation
  * Copyright(c) 2015-2017 Intel Deutschland GmbH
- * Copyright (C) 2018 Intel Corporation
+ * Copyright (C) 2018 - 2019 Intel Corporation
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -366,6 +366,8 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
 
         set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state);
 
+        ieee80211_agg_stop_txq(sta, tid);
+
         spin_unlock_bh(&sta->lock);
 
         ht_dbg(sta->sdata, "Tx BA session stop requested for %pM tid %u\n",
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index de65fe3ed9cc..96496b2c1670 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -941,6 +941,7 @@ static int ieee80211_start_ap(struct wiphy *wiphy, struct net_device *dev,
                       BSS_CHANGED_P2P_PS |
                       BSS_CHANGED_TXPOWER;
         int err;
+        int prev_beacon_int;
 
         old = sdata_dereference(sdata->u.ap.beacon, sdata);
         if (old)
@@ -963,6 +964,7 @@ static int ieee80211_start_ap(struct wiphy *wiphy, struct net_device *dev,
 
         sdata->needed_rx_chains = sdata->local->rx_chains;
 
+        prev_beacon_int = sdata->vif.bss_conf.beacon_int;
         sdata->vif.bss_conf.beacon_int = params->beacon_interval;
 
         if (params->he_cap)
@@ -974,8 +976,10 @@ static int ieee80211_start_ap(struct wiphy *wiphy, struct net_device *dev,
         if (!err)
                 ieee80211_vif_copy_chanctx_to_vlans(sdata, false);
         mutex_unlock(&local->mtx);
-        if (err)
+        if (err) {
+                sdata->vif.bss_conf.beacon_int = prev_beacon_int;
                 return err;
+        }
 
         /*
          * Apply control port protocol, this allows us to
@@ -1490,6 +1494,10 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
         if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
                 sta->sta.tdls = true;
 
+        if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION &&
+            !sdata->u.mgd.associated)
+                return -EINVAL;
+
         err = sta_apply_parameters(local, sta, params);
         if (err) {
                 sta_info_free(local, sta);
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index 87a729926734..977dea436ee8 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -615,13 +615,13 @@ struct ieee80211_hw *ieee80211_alloc_hw_nm(size_t priv_data_len,
          * We need a bit of data queued to build aggregates properly, so
          * instruct the TCP stack to allow more than a single ms of data
          * to be queued in the stack. The value is a bit-shift of 1
-         * second, so 8 is ~4ms of queued data. Only affects local TCP
+         * second, so 7 is ~8ms of queued data. Only affects local TCP
          * sockets.
          * This is the default, anyhow - drivers may need to override it
          * for local reasons (longer buffers, longer completion time, or
          * similar).
          */
-        local->hw.tx_sk_pacing_shift = 8;
+        local->hw.tx_sk_pacing_shift = 7;
 
         /* set up some defaults */
         local->hw.queues = 1;
diff --git a/net/mac80211/mesh.h b/net/mac80211/mesh.h
index cad6592c52a1..2ec7011a4d07 100644
--- a/net/mac80211/mesh.h
+++ b/net/mac80211/mesh.h
@@ -70,6 +70,7 @@ enum mesh_deferred_task_flags {
  * @dst: mesh path destination mac address
  * @mpp: mesh proxy mac address
  * @rhash: rhashtable list pointer
+ * @walk_list: linked list containing all mesh_path objects.
  * @gate_list: list pointer for known gates list
  * @sdata: mesh subif
  * @next_hop: mesh neighbor to which frames for this destination will be
@@ -105,6 +106,7 @@ struct mesh_path {
         u8 dst[ETH_ALEN];
         u8 mpp[ETH_ALEN];       /* used for MPP or MAP */
         struct rhash_head rhash;
+        struct hlist_node walk_list;
         struct hlist_node gate_list;
         struct ieee80211_sub_if_data *sdata;
         struct sta_info __rcu *next_hop;
@@ -133,12 +135,16 @@ struct mesh_path {
  * gate's mpath may or may not be resolved and active.
  * @gates_lock: protects updates to known_gates
  * @rhead: the rhashtable containing struct mesh_paths, keyed by dest addr
+ * @walk_head: linked list containging all mesh_path objects
+ * @walk_lock: lock protecting walk_head
  * @entries: number of entries in the table
  */
 struct mesh_table {
         struct hlist_head known_gates;
         spinlock_t gates_lock;
         struct rhashtable rhead;
+        struct hlist_head walk_head;
+        spinlock_t walk_lock;
         atomic_t entries;               /* Up to MAX_MESH_NEIGHBOURS */
 };
 
diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
index a5125624a76d..88a6d5e18ccc 100644
--- a/net/mac80211/mesh_pathtbl.c
+++ b/net/mac80211/mesh_pathtbl.c
@@ -59,8 +59,10 @@ static struct mesh_table *mesh_table_alloc(void)
                 return NULL;
 
         INIT_HLIST_HEAD(&newtbl->known_gates);
+        INIT_HLIST_HEAD(&newtbl->walk_head);
         atomic_set(&newtbl->entries,  0);
         spin_lock_init(&newtbl->gates_lock);
+        spin_lock_init(&newtbl->walk_lock);
 
         return newtbl;
 }
@@ -249,28 +251,15 @@ mpp_path_lookup(struct ieee80211_sub_if_data *sdata, const u8 *dst)
 static struct mesh_path *
 __mesh_path_lookup_by_idx(struct mesh_table *tbl, int idx)
 {
-        int i = 0, ret;
-        struct mesh_path *mpath = NULL;
-        struct rhashtable_iter iter;
-
-        ret = rhashtable_walk_init(&tbl->rhead, &iter, GFP_ATOMIC);
-        if (ret)
-                return NULL;
-
-        rhashtable_walk_start(&iter);
+        int i = 0;
+        struct mesh_path *mpath;
 
-        while ((mpath = rhashtable_walk_next(&iter))) {
-                if (IS_ERR(mpath) && PTR_ERR(mpath) == -EAGAIN)
-                        continue;
-                if (IS_ERR(mpath))
-                        break;
+        hlist_for_each_entry_rcu(mpath, &tbl->walk_head, walk_list) {
                 if (i++ == idx)
                         break;
         }
-        rhashtable_walk_stop(&iter);
-        rhashtable_walk_exit(&iter);
 
-        if (IS_ERR(mpath) || !mpath)
+        if (!mpath)
                 return NULL;
 
         if (mpath_expired(mpath)) {
@@ -432,6 +421,7 @@ struct mesh_path *mesh_path_add(struct ieee80211_sub_if_data *sdata,
                 return ERR_PTR(-ENOMEM);
 
         tbl = sdata->u.mesh.mesh_paths;
+        spin_lock_bh(&tbl->walk_lock);
         do {
                 ret = rhashtable_lookup_insert_fast(&tbl->rhead,
                                                     &new_mpath->rhash,
@@ -441,20 +431,20 @@ struct mesh_path *mesh_path_add(struct ieee80211_sub_if_data *sdata,
                         mpath = rhashtable_lookup_fast(&tbl->rhead,
                                                        dst,
                                                        mesh_rht_params);
-
+                else if (!ret)
+                        hlist_add_head(&new_mpath->walk_list, &tbl->walk_head);
         } while (unlikely(ret == -EEXIST && !mpath));
+        spin_unlock_bh(&tbl->walk_lock);
 
-        if (ret && ret != -EEXIST)
-                return ERR_PTR(ret);
-
-        /* At this point either new_mpath was added, or we found a
-         * matching entry already in the table; in the latter case
-         * free the unnecessary new entry.
-         */
-        if (ret == -EEXIST) {
+        if (ret) {
                 kfree(new_mpath);
+
+                if (ret != -EEXIST)
+                        return ERR_PTR(ret);
+
                 new_mpath = mpath;
         }
+
         sdata->u.mesh.mesh_paths_generation++;
         return new_mpath;
 }
@@ -480,9 +470,17 @@ int mpp_path_add(struct ieee80211_sub_if_data *sdata,
 
         memcpy(new_mpath->mpp, mpp, ETH_ALEN);
         tbl = sdata->u.mesh.mpp_paths;
+
+        spin_lock_bh(&tbl->walk_lock);
         ret = rhashtable_lookup_insert_fast(&tbl->rhead,
                                             &new_mpath->rhash,
                                             mesh_rht_params);
+        if (!ret)
+                hlist_add_head_rcu(&new_mpath->walk_list, &tbl->walk_head);
+        spin_unlock_bh(&tbl->walk_lock);
+
+        if (ret)
+                kfree(new_mpath);
 
         sdata->u.mesh.mpp_paths_generation++;
         return ret;
@@ -503,20 +501,9 @@ void mesh_plink_broken(struct sta_info *sta)
         struct mesh_table *tbl = sdata->u.mesh.mesh_paths;
         static const u8 bcast[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
         struct mesh_path *mpath;
-        struct rhashtable_iter iter;
-        int ret;
-
-        ret = rhashtable_walk_init(&tbl->rhead, &iter, GFP_ATOMIC);
-        if (ret)
-                return;
 
-        rhashtable_walk_start(&iter);
-
-        while ((mpath = rhashtable_walk_next(&iter))) {
-                if (IS_ERR(mpath) && PTR_ERR(mpath) == -EAGAIN)
-                        continue;
-                if (IS_ERR(mpath))
-                        break;
+        rcu_read_lock();
+        hlist_for_each_entry_rcu(mpath, &tbl->walk_head, walk_list) {
                 if (rcu_access_pointer(mpath->next_hop) == sta &&
                     mpath->flags & MESH_PATH_ACTIVE &&
                     !(mpath->flags & MESH_PATH_FIXED)) {
@@ -530,8 +517,7 @@ void mesh_plink_broken(struct sta_info *sta)
                                 WLAN_REASON_MESH_PATH_DEST_UNREACHABLE, bcast);
                 }
         }
-        rhashtable_walk_stop(&iter);
-        rhashtable_walk_exit(&iter);
+        rcu_read_unlock();
 }
 
 static void mesh_path_free_rcu(struct mesh_table *tbl,
@@ -551,6 +537,7 @@ static void mesh_path_free_rcu(struct mesh_table *tbl,
 
 static void __mesh_path_del(struct mesh_table *tbl, struct mesh_path *mpath)
 {
+        hlist_del_rcu(&mpath->walk_list);
         rhashtable_remove_fast(&tbl->rhead, &mpath->rhash, mesh_rht_params);
         mesh_path_free_rcu(tbl, mpath);
 }
@@ -571,27 +558,14 @@ void mesh_path_flush_by_nexthop(struct sta_info *sta)
         struct ieee80211_sub_if_data *sdata = sta->sdata;
         struct mesh_table *tbl = sdata->u.mesh.mesh_paths;
         struct mesh_path *mpath;
-        struct rhashtable_iter iter;
-        int ret;
-
-        ret = rhashtable_walk_init(&tbl->rhead, &iter, GFP_ATOMIC);
-        if (ret)
-                return;
-
-        rhashtable_walk_start(&iter);
-
-        while ((mpath = rhashtable_walk_next(&iter))) {
-                if (IS_ERR(mpath) && PTR_ERR(mpath) == -EAGAIN)
-                        continue;
-                if (IS_ERR(mpath))
-                        break;
+        struct hlist_node *n;
 
+        spin_lock_bh(&tbl->walk_lock);
+        hlist_for_each_entry_safe(mpath, n, &tbl->walk_head, walk_list) {
                 if (rcu_access_pointer(mpath->next_hop) == sta)
                         __mesh_path_del(tbl, mpath);
         }
-
-        rhashtable_walk_stop(&iter);
-        rhashtable_walk_exit(&iter);
+        spin_unlock_bh(&tbl->walk_lock);
 }
 
 static void mpp_flush_by_proxy(struct ieee80211_sub_if_data *sdata,
@@ -599,51 +573,26 @@ static void mpp_flush_by_proxy(struct ieee80211_sub_if_data *sdata,
 {
         struct mesh_table *tbl = sdata->u.mesh.mpp_paths;
         struct mesh_path *mpath;
-        struct rhashtable_iter iter;
-        int ret;
-
-        ret = rhashtable_walk_init(&tbl->rhead, &iter, GFP_ATOMIC);
-        if (ret)
-                return;
-
-        rhashtable_walk_start(&iter);
-
-        while ((mpath = rhashtable_walk_next(&iter))) {
-                if (IS_ERR(mpath) && PTR_ERR(mpath) == -EAGAIN)
-                        continue;
-                if (IS_ERR(mpath))
-                        break;
+        struct hlist_node *n;
 
+        spin_lock_bh(&tbl->walk_lock);
+        hlist_for_each_entry_safe(mpath, n, &tbl->walk_head, walk_list) {
                 if (ether_addr_equal(mpath->mpp, proxy))
                         __mesh_path_del(tbl, mpath);
         }
-
-        rhashtable_walk_stop(&iter);
-        rhashtable_walk_exit(&iter);
+        spin_unlock_bh(&tbl->walk_lock);
 }
 
 static void table_flush_by_iface(struct mesh_table *tbl)
 {
         struct mesh_path *mpath;
-        struct rhashtable_iter iter;
-        int ret;
-
-        ret = rhashtable_walk_init(&tbl->rhead, &iter, GFP_ATOMIC);
-        if (ret)
-                return;
-
-        rhashtable_walk_start(&iter);
+        struct hlist_node *n;
 
-        while ((mpath = rhashtable_walk_next(&iter))) {
-                if (IS_ERR(mpath) && PTR_ERR(mpath) == -EAGAIN)
-                        continue;
-                if (IS_ERR(mpath))
-                        break;
+        spin_lock_bh(&tbl->walk_lock);
+        hlist_for_each_entry_safe(mpath, n, &tbl->walk_head, walk_list) {
                 __mesh_path_del(tbl, mpath);
         }
-
-        rhashtable_walk_stop(&iter);
-        rhashtable_walk_exit(&iter);
+        spin_unlock_bh(&tbl->walk_lock);
 }
 
 /**
@@ -675,15 +624,15 @@ static int table_path_del(struct mesh_table *tbl,
 {
         struct mesh_path *mpath;
 
-        rcu_read_lock();
+        spin_lock_bh(&tbl->walk_lock);
         mpath = rhashtable_lookup_fast(&tbl->rhead, addr, mesh_rht_params);
         if (!mpath) {
-                rcu_read_unlock();
+                spin_unlock_bh(&tbl->walk_lock);
                 return -ENXIO;
         }
 
         __mesh_path_del(tbl, mpath);
-        rcu_read_unlock();
+        spin_unlock_bh(&tbl->walk_lock);
         return 0;
 }
 
@@ -854,28 +803,16 @@ void mesh_path_tbl_expire(struct ieee80211_sub_if_data *sdata,
                           struct mesh_table *tbl)
 {
         struct mesh_path *mpath;
-        struct rhashtable_iter iter;
-        int ret;
+        struct hlist_node *n;
 
-        ret = rhashtable_walk_init(&tbl->rhead, &iter, GFP_KERNEL);
-        if (ret)
-                return;
-
-        rhashtable_walk_start(&iter);
-
-        while ((mpath = rhashtable_walk_next(&iter))) {
-                if (IS_ERR(mpath) && PTR_ERR(mpath) == -EAGAIN)
-                        continue;
-                if (IS_ERR(mpath))
-                        break;
+        spin_lock_bh(&tbl->walk_lock);
+        hlist_for_each_entry_safe(mpath, n, &tbl->walk_head, walk_list) {
                 if ((!(mpath->flags & MESH_PATH_RESOLVING)) &&
                     (!(mpath->flags & MESH_PATH_FIXED)) &&
                      time_after(jiffies, mpath->exp_time + MESH_PATH_EXPIRE))
                         __mesh_path_del(tbl, mpath);
         }
-
-        rhashtable_walk_stop(&iter);
-        rhashtable_walk_exit(&iter);
+        spin_unlock_bh(&tbl->walk_lock);
 }
 
 void mesh_path_expire(struct ieee80211_sub_if_data *sdata)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 45aad3d3108c..c2a6da5d80da 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -231,7 +231,7 @@ static void ieee80211_handle_mu_mimo_mon(struct ieee80211_sub_if_data *sdata,
                 struct ieee80211_hdr_3addr hdr;
                 u8 category;
                 u8 action_code;
-        } __packed action;
+        } __packed __aligned(2) action;
 
         if (!sdata)
                 return;
@@ -2644,6 +2644,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
         struct ieee80211_sub_if_data *sdata = rx->sdata;
         struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
         u16 ac, q, hdrlen;
+        int tailroom = 0;
 
         hdr = (struct ieee80211_hdr *) skb->data;
         hdrlen = ieee80211_hdrlen(hdr->frame_control);
@@ -2723,15 +2724,21 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
         skb_set_queue_mapping(skb, q);
 
         if (!--mesh_hdr->ttl) {
-                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
+                if (!is_multicast_ether_addr(hdr->addr1))
+                        IEEE80211_IFSTA_MESH_CTR_INC(ifmsh,
+                                                     dropped_frames_ttl);
                 goto out;
         }
 
         if (!ifmsh->mshcfg.dot11MeshForwarding)
                 goto out;
 
+        if (sdata->crypto_tx_tailroom_needed_cnt)
+                tailroom = IEEE80211_ENCRYPT_TAILROOM;
+
         fwd_skb = skb_copy_expand(skb, local->tx_headroom +
-                                       sdata->encrypt_headroom, 0, GFP_ATOMIC);
+                                       sdata->encrypt_headroom,
+                                  tailroom, GFP_ATOMIC);
         if (!fwd_skb)
                 goto out;
 
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index f170d6c6629a..928f13a208b0 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1938,9 +1938,16 @@ static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata,
                                 int head_need, bool may_encrypt)
 {
         struct ieee80211_local *local = sdata->local;
+        struct ieee80211_hdr *hdr;
+        bool enc_tailroom;
         int tail_need = 0;
 
-        if (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt) {
+        hdr = (struct ieee80211_hdr *) skb->data;
+        enc_tailroom = may_encrypt &&
+                       (sdata->crypto_tx_tailroom_needed_cnt ||
+                        ieee80211_is_mgmt(hdr->frame_control));
+
+        if (enc_tailroom) {
                 tail_need = IEEE80211_ENCRYPT_TAILROOM;
                 tail_need -= skb_tailroom(skb);
                 tail_need = max_t(int, tail_need, 0);
@@ -1948,8 +1955,7 @@ static int ieee80211_skb_resize(struct ieee80211_sub_if_data *sdata,
 
         if (skb_cloned(skb) &&
             (!ieee80211_hw_check(&local->hw, SUPPORTS_CLONED_SKBS) ||
-             !skb_clone_writable(skb, ETH_HLEN) ||
-             (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt)))
+             !skb_clone_writable(skb, ETH_HLEN) || enc_tailroom))
                 I802_DEBUG_INC(local->tx_expand_skb_head_cloned);
         else if (head_need || tail_need)
                 I802_DEBUG_INC(local->tx_expand_skb_head);
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index d0eb38b890aa..ba950ae974fc 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -5,7 +5,7 @@
  * Copyright 2007       Johannes Berg <johannes@sipsolutions.net>
  * Copyright 2013-2014  Intel Mobile Communications GmbH
  * Copyright (C) 2015-2017      Intel Deutschland GmbH
- * Copyright (C) 2018 Intel Corporation
+ * Copyright (C) 2018-2019 Intel Corporation
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -2146,6 +2146,10 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                 case NL80211_IFTYPE_AP_VLAN:
                 case NL80211_IFTYPE_MONITOR:
                         break;
+                case NL80211_IFTYPE_ADHOC:
+                        if (sdata->vif.bss_conf.ibss_joined)
+                                WARN_ON(drv_join_ibss(local, sdata));
+                        /* fall through */
                 default:
                         ieee80211_reconfig_stations(sdata);
                         /* fall through */
diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig
index cad48d07c818..8401cefd9f65 100644
--- a/net/netfilter/ipvs/Kconfig
+++ b/net/netfilter/ipvs/Kconfig
@@ -29,6 +29,7 @@ config	IP_VS_IPV6
         bool "IPv6 support for IPVS"
         depends on IPV6 = y || IP_VS = IPV6
         select IP6_NF_IPTABLES
+        select NF_DEFRAG_IPV6
         ---help---
           Add IPv6 support to IPVS.
 
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index fe9abf3cc10a..235205c93e14 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1536,14 +1536,12 @@ ip_vs_try_to_schedule(struct netns_ipvs *ipvs, int af, struct sk_buff *skb,
                 /* sorry, all this trouble for a no-hit :) */
                 IP_VS_DBG_PKT(12, af, pp, skb, iph->off,
                               "ip_vs_in: packet continues traversal as normal");
-                if (iph->fragoffs) {
-                        /* Fragment that couldn't be mapped to a conn entry
-                         * is missing module nf_defrag_ipv6
-                         */
-                        IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n");
+
+                /* Fragment couldn't be mapped to a conn entry */
+                if (iph->fragoffs)
                         IP_VS_DBG_PKT(7, af, pp, skb, iph->off,
                                       "unhandled fragment");
-                }
+
                 *verdict = NF_ACCEPT;
                 return 0;
         }
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 432141f04af3..ac8d848d7624 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -43,6 +43,7 @@
 #ifdef CONFIG_IP_VS_IPV6
 #include <net/ipv6.h>
 #include <net/ip6_route.h>
+#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
 #endif
 #include <net/route.h>
 #include <net/sock.h>
@@ -900,11 +901,17 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
 
 #ifdef CONFIG_IP_VS_IPV6
         if (udest->af == AF_INET6) {
+                int ret;
+
                 atype = ipv6_addr_type(&udest->addr.in6);
                 if ((!(atype & IPV6_ADDR_UNICAST) ||
                         atype & IPV6_ADDR_LINKLOCAL) &&
                         !__ip_vs_addr_is_local_v6(svc->ipvs->net, &udest->addr.in6))
                         return -EINVAL;
+
+                ret = nf_defrag_ipv6_enable(svc->ipvs->net);
+                if (ret)
+                        return ret;
         } else
 #endif
         {
@@ -1228,6 +1235,10 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
                         ret = -EINVAL;
                         goto out_err;
                 }
+
+                ret = nf_defrag_ipv6_enable(ipvs->net);
+                if (ret)
+                        goto out_err;
         }
 #endif
 
@@ -2221,6 +2232,18 @@ static int ip_vs_set_timeout(struct netns_ipvs *ipvs, struct ip_vs_timeout_user
                   u->udp_timeout);
 
 #ifdef CONFIG_IP_VS_PROTO_TCP
+        if (u->tcp_timeout < 0 || u->tcp_timeout > (INT_MAX / HZ) ||
+            u->tcp_fin_timeout < 0 || u->tcp_fin_timeout > (INT_MAX / HZ)) {
+                return -EINVAL;
+        }
+#endif
+
+#ifdef CONFIG_IP_VS_PROTO_UDP
+        if (u->udp_timeout < 0 || u->udp_timeout > (INT_MAX / HZ))
+                return -EINVAL;
+#endif
+
+#ifdef CONFIG_IP_VS_PROTO_TCP
         if (u->tcp_timeout) {
                 pd = ip_vs_proto_data_get(ipvs, IPPROTO_TCP);
                 pd->timeout_table[IP_VS_TCP_S_ESTABLISHED]
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 741b533148ba..db4d46332e86 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1007,6 +1007,22 @@ nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
                 }
 
                 if (nf_ct_key_equal(h, tuple, zone, net)) {
+                        /* Tuple is taken already, so caller will need to find
+                         * a new source port to use.
+                         *
+                         * Only exception:
+                         * If the *original tuples* are identical, then both
+                         * conntracks refer to the same flow.
+                         * This is a rare situation, it can occur e.g. when
+                         * more than one UDP packet is sent from same socket
+                         * in different threads.
+                         *
+                         * Let nf_ct_resolve_clash() deal with this later.
+                         */
+                        if (nf_ct_tuple_equal(&ignored_conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
+                                              &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple))
+                                continue;
+
                         NF_CT_STAT_INC_ATOMIC(net, found);
                         rcu_read_unlock();
                         return 1;
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index fa0844e2a68d..c0c72ae9df42 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -28,6 +28,7 @@ flow_offload_fill_dir(struct flow_offload *flow, struct nf_conn *ct,
 {
         struct flow_offload_tuple *ft = &flow->tuplehash[dir].tuple;
         struct nf_conntrack_tuple *ctt = &ct->tuplehash[dir].tuple;
+        struct dst_entry *other_dst = route->tuple[!dir].dst;
         struct dst_entry *dst = route->tuple[dir].dst;
 
         ft->dir = dir;
@@ -50,8 +51,8 @@ flow_offload_fill_dir(struct flow_offload *flow, struct nf_conn *ct,
         ft->src_port = ctt->src.u.tcp.port;
         ft->dst_port = ctt->dst.u.tcp.port;
 
-        ft->iifidx = route->tuple[dir].ifindex;
-        ft->oifidx = route->tuple[!dir].ifindex;
+        ft->iifidx = other_dst->dev->ifindex;
+        ft->oifidx = dst->dev->ifindex;
         ft->dst_cache = dst;
 }
 
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2b0a93300dd7..4893f248dfdc 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -116,6 +116,23 @@ static void nft_trans_destroy(struct nft_trans *trans)
         kfree(trans);
 }
 
+static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
+{
+        struct net *net = ctx->net;
+        struct nft_trans *trans;
+
+        if (!nft_set_is_anonymous(set))
+                return;
+
+        list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
+                if (trans->msg_type == NFT_MSG_NEWSET &&
+                    nft_trans_set(trans) == set) {
+                        nft_trans_set_bound(trans) = true;
+                        break;
+                }
+        }
+}
+
 static int nf_tables_register_hook(struct net *net,
                                    const struct nft_table *table,
                                    struct nft_chain *chain)
@@ -211,18 +228,6 @@ static int nft_delchain(struct nft_ctx *ctx)
         return err;
 }
 
-/* either expr ops provide both activate/deactivate, or neither */
-static bool nft_expr_check_ops(const struct nft_expr_ops *ops)
-{
-        if (!ops)
-                return true;
-
-        if (WARN_ON_ONCE((!ops->activate ^ !ops->deactivate)))
-                return false;
-
-        return true;
-}
-
 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
                                    struct nft_rule *rule)
 {
@@ -238,14 +243,15 @@ static void nft_rule_expr_activate(const struct nft_ctx *ctx,
 }
 
 static void nft_rule_expr_deactivate(const struct nft_ctx *ctx,
-                                     struct nft_rule *rule)
+                                     struct nft_rule *rule,
+                                     enum nft_trans_phase phase)
 {
         struct nft_expr *expr;
 
         expr = nft_expr_first(rule);
         while (expr != nft_expr_last(rule) && expr->ops) {
                 if (expr->ops->deactivate)
-                        expr->ops->deactivate(ctx, expr);
+                        expr->ops->deactivate(ctx, expr, phase);
 
                 expr = nft_expr_next(expr);
         }
@@ -296,7 +302,7 @@ static int nft_delrule(struct nft_ctx *ctx, struct nft_rule *rule)
                 nft_trans_destroy(trans);
                 return err;
         }
-        nft_rule_expr_deactivate(ctx, rule);
+        nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_PREPARE);
 
         return 0;
 }
@@ -307,6 +313,9 @@ static int nft_delrule_by_chain(struct nft_ctx *ctx)
         int err;
 
         list_for_each_entry(rule, &ctx->chain->rules, list) {
+                if (!nft_is_active_next(ctx->net, rule))
+                        continue;
+
                 err = nft_delrule(ctx, rule);
                 if (err < 0)
                         return err;
@@ -1929,9 +1938,6 @@ static int nf_tables_delchain(struct net *net, struct sock *nlsk,
  */
 int nft_register_expr(struct nft_expr_type *type)
 {
-        if (!nft_expr_check_ops(type->ops))
-                return -EINVAL;
-
         nfnl_lock(NFNL_SUBSYS_NFTABLES);
         if (type->family == NFPROTO_UNSPEC)
                 list_add_tail_rcu(&type->list, &nf_tables_expressions);
@@ -2079,10 +2085,6 @@ static int nf_tables_expr_parse(const struct nft_ctx *ctx,
                         err = PTR_ERR(ops);
                         goto err1;
                 }
-                if (!nft_expr_check_ops(ops)) {
-                        err = -EINVAL;
-                        goto err1;
-                }
         } else
                 ops = type->ops;
 
@@ -2304,7 +2306,6 @@ static int __nf_tables_dump_rules(struct sk_buff *skb,
         struct net *net = sock_net(skb->sk);
         unsigned int s_idx = cb->args[0];
         const struct nft_rule *rule;
-        int rc = 1;
 
         list_for_each_entry_rcu(rule, &chain->rules, list) {
                 if (!nft_is_active(net, rule))
@@ -2321,16 +2322,13 @@ static int __nf_tables_dump_rules(struct sk_buff *skb,
                                         NLM_F_MULTI | NLM_F_APPEND,
                                         table->family,
                                         table, chain, rule) < 0)
-                        goto out_unfinished;
+                        return 1;
 
                 nl_dump_check_consistent(cb, nlmsg_hdr(skb));
 cont:
                 (*idx)++;
         }
-        rc = 0;
-out_unfinished:
-        cb->args[0] = *idx;
-        return rc;
+        return 0;
 }
 
 static int nf_tables_dump_rules(struct sk_buff *skb,
@@ -2354,7 +2352,7 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
                 if (ctx && ctx->table && strcmp(ctx->table, table->name) != 0)
                         continue;
 
-                if (ctx && ctx->chain) {
+                if (ctx && ctx->table && ctx->chain) {
                         struct rhlist_head *list, *tmp;
 
                         list = rhltable_lookup(&table->chains_ht, ctx->chain,
@@ -2382,6 +2380,8 @@ static int nf_tables_dump_rules(struct sk_buff *skb,
         }
 done:
         rcu_read_unlock();
+
+        cb->args[0] = idx;
         return skb->len;
 }
 
@@ -2513,7 +2513,7 @@ static void nf_tables_rule_destroy(const struct nft_ctx *ctx,
 static void nf_tables_rule_release(const struct nft_ctx *ctx,
                                    struct nft_rule *rule)
 {
-        nft_rule_expr_deactivate(ctx, rule);
+        nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE);
         nf_tables_rule_destroy(ctx, rule);
 }
 
@@ -3710,39 +3710,30 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
 bind:
         binding->chain = ctx->chain;
         list_add_tail_rcu(&binding->list, &set->bindings);
+        nft_set_trans_bind(ctx, set);
+
         return 0;
 }
 EXPORT_SYMBOL_GPL(nf_tables_bind_set);
 
-void nf_tables_rebind_set(const struct nft_ctx *ctx, struct nft_set *set,
-                          struct nft_set_binding *binding)
-{
-        if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
-            nft_is_active(ctx->net, set))
-                list_add_tail_rcu(&set->list, &ctx->table->sets);
-
-        list_add_tail_rcu(&binding->list, &set->bindings);
-}
-EXPORT_SYMBOL_GPL(nf_tables_rebind_set);
-
 void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
-                          struct nft_set_binding *binding)
+                          struct nft_set_binding *binding, bool event)
 {
         list_del_rcu(&binding->list);
 
-        if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
-            nft_is_active(ctx->net, set))
+        if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) {
                 list_del_rcu(&set->list);
+                if (event)
+                        nf_tables_set_notify(ctx, set, NFT_MSG_DELSET,
+                                             GFP_KERNEL);
+        }
 }
 EXPORT_SYMBOL_GPL(nf_tables_unbind_set);
 
 void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set)
 {
-        if (list_empty(&set->bindings) && nft_set_is_anonymous(set) &&
-            nft_is_active(ctx->net, set)) {
-                nf_tables_set_notify(ctx, set, NFT_MSG_DELSET, GFP_ATOMIC);
+        if (list_empty(&set->bindings) && nft_set_is_anonymous(set))
                 nft_set_destroy(set);
-        }
 }
 EXPORT_SYMBOL_GPL(nf_tables_destroy_set);
 
@@ -4508,6 +4499,8 @@ err6:
 err5:
         kfree(trans);
 err4:
+        if (obj)
+                obj->use--;
         kfree(elem.priv);
 err3:
         if (nla[NFTA_SET_ELEM_DATA] != NULL)
@@ -6535,6 +6528,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
                         nf_tables_rule_notify(&trans->ctx,
                                               nft_trans_rule(trans),
                                               NFT_MSG_DELRULE);
+                        nft_rule_expr_deactivate(&trans->ctx,
+                                                 nft_trans_rule(trans),
+                                                 NFT_TRANS_COMMIT);
                         break;
                 case NFT_MSG_NEWSET:
                         nft_clear(net, nft_trans_set(trans));
@@ -6621,7 +6617,8 @@ static void nf_tables_abort_release(struct nft_trans *trans)
                 nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
                 break;
         case NFT_MSG_NEWSET:
-                nft_set_destroy(nft_trans_set(trans));
+                if (!nft_trans_set_bound(trans))
+                        nft_set_destroy(nft_trans_set(trans));
                 break;
         case NFT_MSG_NEWSETELEM:
                 nft_set_elem_destroy(nft_trans_elem_set(trans),
@@ -6682,7 +6679,9 @@ static int __nf_tables_abort(struct net *net)
                 case NFT_MSG_NEWRULE:
                         trans->ctx.chain->use--;
                         list_del_rcu(&nft_trans_rule(trans)->list);
-                        nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans));
+                        nft_rule_expr_deactivate(&trans->ctx,
+                                                 nft_trans_rule(trans),
+                                                 NFT_TRANS_ABORT);
                         break;
                 case NFT_MSG_DELRULE:
                         trans->ctx.chain->use++;
@@ -6692,7 +6691,8 @@ static int __nf_tables_abort(struct net *net)
                         break;
                 case NFT_MSG_NEWSET:
                         trans->ctx.table->use--;
-                        list_del_rcu(&nft_trans_set(trans)->list);
+                        if (!nft_trans_set_bound(trans))
+                                list_del_rcu(&nft_trans_set(trans)->list);
                         break;
                 case NFT_MSG_DELSET:
                         trans->ctx.table->use++;
diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 6f41dd74729d..1f1d90c1716b 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -66,6 +66,7 @@ static bool nf_osf_match_one(const struct sk_buff *skb,
                              int ttl_check,
                              struct nf_osf_hdr_ctx *ctx)
 {
+        const __u8 *optpinit = ctx->optp;
         unsigned int check_WSS = 0;
         int fmatch = FMATCH_WRONG;
         int foptsize, optnum;
@@ -155,6 +156,9 @@ static bool nf_osf_match_one(const struct sk_buff *skb,
                 }
         }
 
+        if (fmatch != FMATCH_OK)
+                ctx->optp = optpinit;
+
         return fmatch == FMATCH_OK;
 }
 
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 7334e0b80a5e..0a4bad55a8aa 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -22,11 +22,15 @@
 #include <linux/netfilter_bridge/ebtables.h>
 #include <linux/netfilter_arp/arp_tables.h>
 #include <net/netfilter/nf_tables.h>
+#include <net/netns/generic.h>
 
 struct nft_xt {
         struct list_head        head;
         struct nft_expr_ops     ops;
-        unsigned int            refcnt;
+        refcount_t              refcnt;
+
+        /* used only when transaction mutex is locked */
+        unsigned int            listcnt;
 
         /* Unlike other expressions, ops doesn't have static storage duration.
          * nft core assumes they do.  We use kfree_rcu so that nft core can
@@ -43,10 +47,39 @@ struct nft_xt_match_priv {
         void *info;
 };
 
+struct nft_compat_net {
+        struct list_head nft_target_list;
+        struct list_head nft_match_list;
+};
+
+static unsigned int nft_compat_net_id __read_mostly;
+static struct nft_expr_type nft_match_type;
+static struct nft_expr_type nft_target_type;
+
+static struct nft_compat_net *nft_compat_pernet(struct net *net)
+{
+        return net_generic(net, nft_compat_net_id);
+}
+
+static void nft_xt_get(struct nft_xt *xt)
+{
+        /* refcount_inc() warns on 0 -> 1 transition, but we can't
+         * init the reference count to 1 in .select_ops -- we can't
+         * undo such an increase when another expression inside the same
+         * rule fails afterwards.
+         */
+        if (xt->listcnt == 0)
+                refcount_set(&xt->refcnt, 1);
+        else
+                refcount_inc(&xt->refcnt);
+
+        xt->listcnt++;
+}
+
 static bool nft_xt_put(struct nft_xt *xt)
 {
-        if (--xt->refcnt == 0) {
-                list_del(&xt->head);
+        if (refcount_dec_and_test(&xt->refcnt)) {
+                WARN_ON_ONCE(!list_empty(&xt->head));
                 kfree_rcu(xt, rcu_head);
                 return true;
         }
@@ -273,7 +306,7 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
                 return -EINVAL;
 
         nft_xt = container_of(expr->ops, struct nft_xt, ops);
-        nft_xt->refcnt++;
+        nft_xt_get(nft_xt);
         return 0;
 }
 
@@ -282,6 +315,7 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
 {
         struct xt_target *target = expr->ops->data;
         void *info = nft_expr_priv(expr);
+        struct module *me = target->me;
         struct xt_tgdtor_param par;
 
         par.net = ctx->net;
@@ -292,7 +326,7 @@ nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
                 par.target->destroy(&par);
 
         if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
-                module_put(target->me);
+                module_put(me);
 }
 
 static int nft_extension_dump_info(struct sk_buff *skb, int attr,
@@ -486,7 +520,7 @@ __nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
                 return ret;
 
         nft_xt = container_of(expr->ops, struct nft_xt, ops);
-        nft_xt->refcnt++;
+        nft_xt_get(nft_xt);
         return 0;
 }
 
@@ -540,6 +574,18 @@ nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
         __nft_match_destroy(ctx, expr, nft_expr_priv(expr));
 }
 
+static void nft_compat_deactivate(const struct nft_ctx *ctx,
+                                  const struct nft_expr *expr,
+                                  enum nft_trans_phase phase)
+{
+        struct nft_xt *xt = container_of(expr->ops, struct nft_xt, ops);
+
+        if (phase == NFT_TRANS_ABORT || phase == NFT_TRANS_COMMIT) {
+                if (--xt->listcnt == 0)
+                        list_del_init(&xt->head);
+        }
+}
+
 static void
 nft_match_large_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
 {
@@ -734,10 +780,6 @@ static const struct nfnetlink_subsystem nfnl_compat_subsys = {
         .cb             = nfnl_nft_compat_cb,
 };
 
-static LIST_HEAD(nft_match_list);
-
-static struct nft_expr_type nft_match_type;
-
 static bool nft_match_cmp(const struct xt_match *match,
                           const char *name, u32 rev, u32 family)
 {
@@ -749,6 +791,7 @@ static const struct nft_expr_ops *
 nft_match_select_ops(const struct nft_ctx *ctx,
                      const struct nlattr * const tb[])
 {
+        struct nft_compat_net *cn;
         struct nft_xt *nft_match;
         struct xt_match *match;
         unsigned int matchsize;
@@ -765,8 +808,10 @@ nft_match_select_ops(const struct nft_ctx *ctx,
         rev = ntohl(nla_get_be32(tb[NFTA_MATCH_REV]));
         family = ctx->family;
 
+        cn = nft_compat_pernet(ctx->net);
+
         /* Re-use the existing match if it's already loaded. */
-        list_for_each_entry(nft_match, &nft_match_list, head) {
+        list_for_each_entry(nft_match, &cn->nft_match_list, head) {
                 struct xt_match *match = nft_match->ops.data;
 
                 if (nft_match_cmp(match, mt_name, rev, family))
@@ -789,11 +834,12 @@ nft_match_select_ops(const struct nft_ctx *ctx,
                 goto err;
         }
 
-        nft_match->refcnt = 0;
+        refcount_set(&nft_match->refcnt, 0);
         nft_match->ops.type = &nft_match_type;
         nft_match->ops.eval = nft_match_eval;
         nft_match->ops.init = nft_match_init;
         nft_match->ops.destroy = nft_match_destroy;
+        nft_match->ops.deactivate = nft_compat_deactivate;
         nft_match->ops.dump = nft_match_dump;
         nft_match->ops.validate = nft_match_validate;
         nft_match->ops.data = match;
@@ -810,7 +856,8 @@ nft_match_select_ops(const struct nft_ctx *ctx,
 
         nft_match->ops.size = matchsize;
 
-        list_add(&nft_match->head, &nft_match_list);
+        nft_match->listcnt = 0;
+        list_add(&nft_match->head, &cn->nft_match_list);
 
         return &nft_match->ops;
 err:
@@ -826,10 +873,6 @@ static struct nft_expr_type nft_match_type __read_mostly = {
         .owner          = THIS_MODULE,
 };
 
-static LIST_HEAD(nft_target_list);
-
-static struct nft_expr_type nft_target_type;
-
 static bool nft_target_cmp(const struct xt_target *tg,
                            const char *name, u32 rev, u32 family)
 {
@@ -841,6 +884,7 @@ static const struct nft_expr_ops *
 nft_target_select_ops(const struct nft_ctx *ctx,
                       const struct nlattr * const tb[])
 {
+        struct nft_compat_net *cn;
         struct nft_xt *nft_target;
         struct xt_target *target;
         char *tg_name;
@@ -861,8 +905,9 @@ nft_target_select_ops(const struct nft_ctx *ctx,
             strcmp(tg_name, "standard") == 0)
                 return ERR_PTR(-EINVAL);
 
+        cn = nft_compat_pernet(ctx->net);
         /* Re-use the existing target if it's already loaded. */
-        list_for_each_entry(nft_target, &nft_target_list, head) {
+        list_for_each_entry(nft_target, &cn->nft_target_list, head) {
                 struct xt_target *target = nft_target->ops.data;
 
                 if (!target->target)
@@ -893,11 +938,12 @@ nft_target_select_ops(const struct nft_ctx *ctx,
                 goto err;
         }
 
-        nft_target->refcnt = 0;
+        refcount_set(&nft_target->refcnt, 0);
         nft_target->ops.type = &nft_target_type;
         nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
         nft_target->ops.init = nft_target_init;
         nft_target->ops.destroy = nft_target_destroy;
+        nft_target->ops.deactivate = nft_compat_deactivate;
         nft_target->ops.dump = nft_target_dump;
         nft_target->ops.validate = nft_target_validate;
         nft_target->ops.data = target;
@@ -907,7 +953,8 @@ nft_target_select_ops(const struct nft_ctx *ctx,
         else
                 nft_target->ops.eval = nft_target_eval_xt;
 
-        list_add(&nft_target->head, &nft_target_list);
+        nft_target->listcnt = 0;
+        list_add(&nft_target->head, &cn->nft_target_list);
 
         return &nft_target->ops;
 err:
@@ -923,13 +970,74 @@ static struct nft_expr_type nft_target_type __read_mostly = {
         .owner          = THIS_MODULE,
 };
 
+static int __net_init nft_compat_init_net(struct net *net)
+{
+        struct nft_compat_net *cn = nft_compat_pernet(net);
+
+        INIT_LIST_HEAD(&cn->nft_target_list);
+        INIT_LIST_HEAD(&cn->nft_match_list);
+
+        return 0;
+}
+
+static void __net_exit nft_compat_exit_net(struct net *net)
+{
+        struct nft_compat_net *cn = nft_compat_pernet(net);
+        struct nft_xt *xt, *next;
+
+        if (list_empty(&cn->nft_match_list) &&
+            list_empty(&cn->nft_target_list))
+                return;
+
+        /* If there was an error that caused nft_xt expr to not be initialized
+         * fully and noone else requested the same expression later, the lists
+         * contain 0-refcount entries that still hold module reference.
+         *
+         * Clean them here.
+         */
+        mutex_lock(&net->nft.commit_mutex);
+        list_for_each_entry_safe(xt, next, &cn->nft_target_list, head) {
+                struct xt_target *target = xt->ops.data;
+
+                list_del_init(&xt->head);
+
+                if (refcount_read(&xt->refcnt))
+                        continue;
+                module_put(target->me);
+                kfree(xt);
+        }
+
+        list_for_each_entry_safe(xt, next, &cn->nft_match_list, head) {
+                struct xt_match *match = xt->ops.data;
+
+                list_del_init(&xt->head);
+
+                if (refcount_read(&xt->refcnt))
+                        continue;
+                module_put(match->me);
+                kfree(xt);
+        }
+        mutex_unlock(&net->nft.commit_mutex);
+}
+
+static struct pernet_operations nft_compat_net_ops = {
+        .init   = nft_compat_init_net,
+        .exit   = nft_compat_exit_net,
+        .id     = &nft_compat_net_id,
+        .size   = sizeof(struct nft_compat_net),
+};
+
 static int __init nft_compat_module_init(void)
 {
         int ret;
 
+        ret = register_pernet_subsys(&nft_compat_net_ops);
+        if (ret < 0)
+                goto err_target;
+
         ret = nft_register_expr(&nft_match_type);
         if (ret < 0)
-                return ret;
+                goto err_pernet;
 
         ret = nft_register_expr(&nft_target_type);
         if (ret < 0)
@@ -942,45 +1050,21 @@ static int __init nft_compat_module_init(void)
         }
 
         return ret;
-
 err_target:
         nft_unregister_expr(&nft_target_type);
 err_match:
         nft_unregister_expr(&nft_match_type);
+err_pernet:
+        unregister_pernet_subsys(&nft_compat_net_ops);
         return ret;
 }
 
 static void __exit nft_compat_module_exit(void)
 {
-        struct nft_xt *xt, *next;
-
-        /* list should be empty here, it can be non-empty only in case there
-         * was an error that caused nft_xt expr to not be initialized fully
-         * and noone else requested the same expression later.
-         *
-         * In this case, the lists contain 0-refcount entries that still
-         * hold module reference.
-         */
-        list_for_each_entry_safe(xt, next, &nft_target_list, head) {
-                struct xt_target *target = xt->ops.data;
-
-                if (WARN_ON_ONCE(xt->refcnt))
-                        continue;
-                module_put(target->me);
-                kfree(xt);
-        }
-
-        list_for_each_entry_safe(xt, next, &nft_match_list, head) {
-                struct xt_match *match = xt->ops.data;
-
-                if (WARN_ON_ONCE(xt->refcnt))
-                        continue;
-                module_put(match->me);
-                kfree(xt);
-        }
         nfnetlink_subsys_unregister(&nfnl_compat_subsys);
         nft_unregister_expr(&nft_target_type);
         nft_unregister_expr(&nft_match_type);
+        unregister_pernet_subsys(&nft_compat_net_ops);
 }
 
 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFT_COMPAT);
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 07d4efd3d851..f1172f99752b 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -235,20 +235,17 @@ err1:
         return err;
 }
 
-static void nft_dynset_activate(const struct nft_ctx *ctx,
-                                const struct nft_expr *expr)
-{
-        struct nft_dynset *priv = nft_expr_priv(expr);
-
-        nf_tables_rebind_set(ctx, priv->set, &priv->binding);
-}
-
 static void nft_dynset_deactivate(const struct nft_ctx *ctx,
-                                  const struct nft_expr *expr)
+                                  const struct nft_expr *expr,
+                                  enum nft_trans_phase phase)
 {
         struct nft_dynset *priv = nft_expr_priv(expr);
 
-        nf_tables_unbind_set(ctx, priv->set, &priv->binding);
+        if (phase == NFT_TRANS_PREPARE)
+                return;
+
+        nf_tables_unbind_set(ctx, priv->set, &priv->binding,
+                             phase == NFT_TRANS_COMMIT);
 }
 
 static void nft_dynset_destroy(const struct nft_ctx *ctx,
@@ -296,7 +293,6 @@ static const struct nft_expr_ops nft_dynset_ops = {
         .eval           = nft_dynset_eval,
         .init           = nft_dynset_init,
         .destroy        = nft_dynset_destroy,
-        .activate       = nft_dynset_activate,
         .deactivate     = nft_dynset_deactivate,
         .dump           = nft_dynset_dump,
 };
diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 974525eb92df..6e6b9adf7d38 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -12,6 +12,7 @@
 #include <net/netfilter/nf_conntrack_core.h>
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <net/netfilter/nf_flow_table.h>
+#include <net/netfilter/nf_conntrack_helper.h>
 
 struct nft_flow_offload {
         struct nft_flowtable    *flowtable;
@@ -29,10 +30,12 @@ static int nft_flow_route(const struct nft_pktinfo *pkt,
         memset(&fl, 0, sizeof(fl));
         switch (nft_pf(pkt)) {
         case NFPROTO_IPV4:
-                fl.u.ip4.daddr = ct->tuplehash[!dir].tuple.dst.u3.ip;
+                fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip;
+                fl.u.ip4.flowi4_oif = nft_in(pkt)->ifindex;
                 break;
         case NFPROTO_IPV6:
-                fl.u.ip6.daddr = ct->tuplehash[!dir].tuple.dst.u3.in6;
+                fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6;
+                fl.u.ip6.flowi6_oif = nft_in(pkt)->ifindex;
                 break;
         }
 
@@ -41,9 +44,7 @@ static int nft_flow_route(const struct nft_pktinfo *pkt,
                 return -ENOENT;
 
         route->tuple[dir].dst           = this_dst;
-        route->tuple[dir].ifindex       = nft_in(pkt)->ifindex;
         route->tuple[!dir].dst          = other_dst;
-        route->tuple[!dir].ifindex      = nft_out(pkt)->ifindex;
 
         return 0;
 }
@@ -66,6 +67,7 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
 {
         struct nft_flow_offload *priv = nft_expr_priv(expr);
         struct nf_flowtable *flowtable = &priv->flowtable->data;
+        const struct nf_conn_help *help;
         enum ip_conntrack_info ctinfo;
         struct nf_flow_route route;
         struct flow_offload *flow;
@@ -88,7 +90,8 @@ static void nft_flow_offload_eval(const struct nft_expr *expr,
                 goto out;
         }
 
-        if (test_bit(IPS_HELPER_BIT, &ct->status))
+        help = nfct_help(ct);
+        if (help)
                 goto out;
 
         if (ctinfo == IP_CT_NEW ||
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index 0777a93211e2..3f6d1d2a6281 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -72,10 +72,14 @@ static void nft_immediate_activate(const struct nft_ctx *ctx,
 }
 
 static void nft_immediate_deactivate(const struct nft_ctx *ctx,
-                                     const struct nft_expr *expr)
+                                     const struct nft_expr *expr,
+                                     enum nft_trans_phase phase)
 {
         const struct nft_immediate_expr *priv = nft_expr_priv(expr);
 
+        if (phase == NFT_TRANS_COMMIT)
+                return;
+
         return nft_data_release(&priv->data, nft_dreg_to_type(priv->dreg));
 }
 
diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
index 227b2b15a19c..14496da5141d 100644
--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -121,20 +121,17 @@ static int nft_lookup_init(const struct nft_ctx *ctx,
         return 0;
 }
 
-static void nft_lookup_activate(const struct nft_ctx *ctx,
-                                const struct nft_expr *expr)
-{
-        struct nft_lookup *priv = nft_expr_priv(expr);
-
-        nf_tables_rebind_set(ctx, priv->set, &priv->binding);
-}
-
 static void nft_lookup_deactivate(const struct nft_ctx *ctx,
-                                  const struct nft_expr *expr)
+                                  const struct nft_expr *expr,
+                                  enum nft_trans_phase phase)
 {
         struct nft_lookup *priv = nft_expr_priv(expr);
 
-        nf_tables_unbind_set(ctx, priv->set, &priv->binding);
+        if (phase == NFT_TRANS_PREPARE)
+                return;
+
+        nf_tables_unbind_set(ctx, priv->set, &priv->binding,
+                             phase == NFT_TRANS_COMMIT);
 }
 
 static void nft_lookup_destroy(const struct nft_ctx *ctx,
@@ -225,7 +222,6 @@ static const struct nft_expr_ops nft_lookup_ops = {
         .size           = NFT_EXPR_SIZE(sizeof(struct nft_lookup)),
         .eval           = nft_lookup_eval,
         .init           = nft_lookup_init,
-        .activate       = nft_lookup_activate,
         .deactivate     = nft_lookup_deactivate,
         .destroy        = nft_lookup_destroy,
         .dump           = nft_lookup_dump,
diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c
index a3185ca2a3a9..ae178e914486 100644
--- a/net/netfilter/nft_objref.c
+++ b/net/netfilter/nft_objref.c
@@ -155,20 +155,17 @@ nla_put_failure:
         return -1;
 }
 
-static void nft_objref_map_activate(const struct nft_ctx *ctx,
-                                    const struct nft_expr *expr)
-{
-        struct nft_objref_map *priv = nft_expr_priv(expr);
-
-        nf_tables_rebind_set(ctx, priv->set, &priv->binding);
-}
-
 static void nft_objref_map_deactivate(const struct nft_ctx *ctx,
-                                      const struct nft_expr *expr)
+                                      const struct nft_expr *expr,
+                                      enum nft_trans_phase phase)
 {
         struct nft_objref_map *priv = nft_expr_priv(expr);
 
-        nf_tables_unbind_set(ctx, priv->set, &priv->binding);
+        if (phase == NFT_TRANS_PREPARE)
+                return;
+
+        nf_tables_unbind_set(ctx, priv->set, &priv->binding,
+                             phase == NFT_TRANS_COMMIT);
 }
 
 static void nft_objref_map_destroy(const struct nft_ctx *ctx,
@@ -185,7 +182,6 @@ static const struct nft_expr_ops nft_objref_map_ops = {
         .size           = NFT_EXPR_SIZE(sizeof(struct nft_objref_map)),
         .eval           = nft_objref_map_eval,
         .init           = nft_objref_map_init,
-        .activate       = nft_objref_map_activate,
         .deactivate     = nft_objref_map_deactivate,
         .destroy        = nft_objref_map_destroy,
         .dump           = nft_objref_map_dump,
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index aecadd471e1d..13e1ac333fa4 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1899,7 +1899,7 @@ static int __init xt_init(void)
                 seqcount_init(&per_cpu(xt_recseq, i));
         }
 
-        xt = kmalloc_array(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL);
+        xt = kcalloc(NFPROTO_NUMPROTO, sizeof(struct xt_af), GFP_KERNEL);
         if (!xt)
                 return -ENOMEM;
 
diff --git a/net/netrom/nr_timer.c b/net/netrom/nr_timer.c
index cbd51ed5a2d7..908e53ab47a4 100644
--- a/net/netrom/nr_timer.c
+++ b/net/netrom/nr_timer.c
@@ -52,21 +52,21 @@ void nr_start_t1timer(struct sock *sk)
 {
         struct nr_sock *nr = nr_sk(sk);
 
-        mod_timer(&nr->t1timer, jiffies + nr->t1);
+        sk_reset_timer(sk, &nr->t1timer, jiffies + nr->t1);
 }
 
 void nr_start_t2timer(struct sock *sk)
 {
         struct nr_sock *nr = nr_sk(sk);
 
-        mod_timer(&nr->t2timer, jiffies + nr->t2);
+        sk_reset_timer(sk, &nr->t2timer, jiffies + nr->t2);
 }
 
 void nr_start_t4timer(struct sock *sk)
 {
         struct nr_sock *nr = nr_sk(sk);
 
-        mod_timer(&nr->t4timer, jiffies + nr->t4);
+        sk_reset_timer(sk, &nr->t4timer, jiffies + nr->t4);
 }
 
 void nr_start_idletimer(struct sock *sk)
@@ -74,37 +74,37 @@ void nr_start_idletimer(struct sock *sk)
         struct nr_sock *nr = nr_sk(sk);
 
         if (nr->idle > 0)
-                mod_timer(&nr->idletimer, jiffies + nr->idle);
+                sk_reset_timer(sk, &nr->idletimer, jiffies + nr->idle);
 }
 
 void nr_start_heartbeat(struct sock *sk)
 {
-        mod_timer(&sk->sk_timer, jiffies + 5 * HZ);
+        sk_reset_timer(sk, &sk->sk_timer, jiffies + 5 * HZ);
 }
 
 void nr_stop_t1timer(struct sock *sk)
 {
-        del_timer(&nr_sk(sk)->t1timer);
+        sk_stop_timer(sk, &nr_sk(sk)->t1timer);
 }
 
 void nr_stop_t2timer(struct sock *sk)
 {
-        del_timer(&nr_sk(sk)->t2timer);
+        sk_stop_timer(sk, &nr_sk(sk)->t2timer);
 }
 
 void nr_stop_t4timer(struct sock *sk)
 {
-        del_timer(&nr_sk(sk)->t4timer);
+        sk_stop_timer(sk, &nr_sk(sk)->t4timer);
 }
 
 void nr_stop_idletimer(struct sock *sk)
 {
-        del_timer(&nr_sk(sk)->idletimer);
+        sk_stop_timer(sk, &nr_sk(sk)->idletimer);
 }
 
 void nr_stop_heartbeat(struct sock *sk)
 {
-        del_timer(&sk->sk_timer);
+        sk_stop_timer(sk, &sk->sk_timer);
 }
 
 int nr_t1timer_running(struct sock *sk)
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 57e07768c9d1..f54cf17ef7a8 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -276,10 +276,12 @@ static int parse_ipv6hdr(struct sk_buff *skb, struct sw_flow_key *key)
 
         nexthdr = ipv6_find_hdr(skb, &payload_ofs, -1, &frag_off, &flags);
         if (flags & IP6_FH_F_FRAG) {
-                if (frag_off)
+                if (frag_off) {
                         key->ip.frag = OVS_FRAG_TYPE_LATER;
-                else
-                        key->ip.frag = OVS_FRAG_TYPE_FIRST;
+                        key->ip.proto = nexthdr;
+                        return 0;
+                }
+                key->ip.frag = OVS_FRAG_TYPE_FIRST;
         } else {
                 key->ip.frag = OVS_FRAG_TYPE_NONE;
         }
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 435a4bdf8f89..691da853bef5 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -500,7 +500,7 @@ static int __parse_flow_nlattrs(const struct nlattr *attr,
                         return -EINVAL;
                 }
 
-                if (!nz || !is_all_zero(nla_data(nla), expected_len)) {
+                if (!nz || !is_all_zero(nla_data(nla), nla_len(nla))) {
                         attrs |= 1 << type;
                         a[type] = nla;
                 }
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index eedacdebcd4c..1cd1d83a4be0 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2628,7 +2628,7 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
                 addr    = saddr->sll_halen ? saddr->sll_addr : NULL;
                 dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex);
                 if (addr && dev && saddr->sll_halen < dev->addr_len)
-                        goto out;
+                        goto out_put;
         }
 
         err = -ENXIO;
@@ -2828,7 +2828,7 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
                 addr    = saddr->sll_halen ? saddr->sll_addr : NULL;
                 dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex);
                 if (addr && dev && saddr->sll_halen < dev->addr_len)
-                        goto out;
+                        goto out_unlock;
         }
 
         err = -ENXIO;
@@ -2887,7 +2887,8 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
                         goto out_free;
         } else if (reserve) {
                 skb_reserve(skb, -reserve);
-                if (len < reserve)
+                if (len < reserve + sizeof(struct ipv6hdr) &&
+                    dev->min_header_len != dev->hard_header_len)
                         skb_reset_network_header(skb);
         }
 
@@ -4291,7 +4292,7 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
                 rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
                 if (unlikely(rb->frames_per_block == 0))
                         goto out;
-                if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
+                if (unlikely(rb->frames_per_block > UINT_MAX / req->tp_block_nr))
                         goto out;
                 if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
                                         req->tp_frame_nr))
diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index 9fc76b19cd3c..db3473540303 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -132,7 +132,7 @@ static int pep_indicate(struct sock *sk, u8 id, u8 code,
         ph->utid = 0;
         ph->message_id = id;
         ph->pipe_handle = pn->pipe_handle;
-        ph->data[0] = code;
+        ph->error_code = code;
         return pn_skb_send(sk, skb, NULL);
 }
 
@@ -153,7 +153,7 @@ static int pipe_handler_request(struct sock *sk, u8 id, u8 code,
         ph->utid = id; /* whatever */
         ph->message_id = id;
         ph->pipe_handle = pn->pipe_handle;
-        ph->data[0] = code;
+        ph->error_code = code;
         return pn_skb_send(sk, skb, NULL);
 }
 
@@ -208,7 +208,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code,
         struct pnpipehdr *ph;
         struct sockaddr_pn dst;
         u8 data[4] = {
-                oph->data[0], /* PEP type */
+                oph->pep_type, /* PEP type */
                 code, /* error code, at an unusual offset */
                 PAD, PAD,
         };
@@ -221,7 +221,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code,
         ph->utid = oph->utid;
         ph->message_id = PNS_PEP_CTRL_RESP;
         ph->pipe_handle = oph->pipe_handle;
-        ph->data[0] = oph->data[1]; /* CTRL id */
+        ph->data0 = oph->data[0]; /* CTRL id */
 
         pn_skb_get_src_sockaddr(oskb, &dst);
         return pn_skb_send(sk, skb, &dst);
@@ -272,17 +272,17 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
                 return -EINVAL;
 
         hdr = pnp_hdr(skb);
-        if (hdr->data[0] != PN_PEP_TYPE_COMMON) {
+        if (hdr->pep_type != PN_PEP_TYPE_COMMON) {
                 net_dbg_ratelimited("Phonet unknown PEP type: %u\n",
-                                    (unsigned int)hdr->data[0]);
+                                    (unsigned int)hdr->pep_type);
                 return -EOPNOTSUPP;
         }
 
-        switch (hdr->data[1]) {
+        switch (hdr->data[0]) {
         case PN_PEP_IND_FLOW_CONTROL:
                 switch (pn->tx_fc) {
                 case PN_LEGACY_FLOW_CONTROL:
-                        switch (hdr->data[4]) {
+                        switch (hdr->data[3]) {
                         case PEP_IND_BUSY:
                                 atomic_set(&pn->tx_credits, 0);
                                 break;
@@ -292,7 +292,7 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
                         }
                         break;
                 case PN_ONE_CREDIT_FLOW_CONTROL:
-                        if (hdr->data[4] == PEP_IND_READY)
+                        if (hdr->data[3] == PEP_IND_READY)
                                 atomic_set(&pn->tx_credits, wake = 1);
                         break;
                 }
@@ -301,12 +301,12 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
         case PN_PEP_IND_ID_MCFC_GRANT_CREDITS:
                 if (pn->tx_fc != PN_MULTI_CREDIT_FLOW_CONTROL)
                         break;
-                atomic_add(wake = hdr->data[4], &pn->tx_credits);
+                atomic_add(wake = hdr->data[3], &pn->tx_credits);
                 break;
 
         default:
                 net_dbg_ratelimited("Phonet unknown PEP indication: %u\n",
-                                    (unsigned int)hdr->data[1]);
+                                    (unsigned int)hdr->data[0]);
                 return -EOPNOTSUPP;
         }
         if (wake)
@@ -318,7 +318,7 @@ static int pipe_rcv_created(struct sock *sk, struct sk_buff *skb)
 {
         struct pep_sock *pn = pep_sk(sk);
         struct pnpipehdr *hdr = pnp_hdr(skb);
-        u8 n_sb = hdr->data[0];
+        u8 n_sb = hdr->data0;
 
         pn->rx_fc = pn->tx_fc = PN_LEGACY_FLOW_CONTROL;
         __skb_pull(skb, sizeof(*hdr));
@@ -506,7 +506,7 @@ static int pep_connresp_rcv(struct sock *sk, struct sk_buff *skb)
                 return -ECONNREFUSED;
 
         /* Parse sub-blocks */
-        n_sb = hdr->data[4];
+        n_sb = hdr->data[3];
         while (n_sb > 0) {
                 u8 type, buf[6], len = sizeof(buf);
                 const u8 *data = pep_get_sb(skb, &type, &len, buf);
@@ -739,7 +739,7 @@ static int pipe_do_remove(struct sock *sk)
         ph->utid = 0;
         ph->message_id = PNS_PIPE_REMOVE_REQ;
         ph->pipe_handle = pn->pipe_handle;
-        ph->data[0] = PAD;
+        ph->data0 = PAD;
         return pn_skb_send(sk, skb, NULL);
 }
 
@@ -817,7 +817,7 @@ static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp,
         peer_type = hdr->other_pep_type << 8;
 
         /* Parse sub-blocks (options) */
-        n_sb = hdr->data[4];
+        n_sb = hdr->data[3];
         while (n_sb > 0) {
                 u8 type, buf[1], len = sizeof(buf);
                 const u8 *data = pep_get_sb(skb, &type, &len, buf);
@@ -1109,7 +1109,7 @@ static int pipe_skb_send(struct sock *sk, struct sk_buff *skb)
         ph->utid = 0;
         if (pn->aligned) {
                 ph->message_id = PNS_PIPE_ALIGNED_DATA;
-                ph->data[0] = 0; /* padding */
+                ph->data0 = 0; /* padding */
         } else
                 ph->message_id = PNS_PIPE_DATA;
         ph->pipe_handle = pn->pipe_handle;
diff --git a/net/rds/bind.c b/net/rds/bind.c
index 762d2c6788a3..17c9d9f0c848 100644
--- a/net/rds/bind.c
+++ b/net/rds/bind.c
@@ -78,10 +78,10 @@ struct rds_sock *rds_find_bound(const struct in6_addr *addr, __be16 port,
         __rds_create_bind_key(key, addr, port, scope_id);
         rcu_read_lock();
         rs = rhashtable_lookup(&bind_hash_table, key, ht_parms);
-        if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))
-                rds_sock_addref(rs);
-        else
+        if (rs && (sock_flag(rds_rs_to_sk(rs), SOCK_DEAD) ||
+                   !refcount_inc_not_zero(&rds_rs_to_sk(rs)->sk_refcnt)))
                 rs = NULL;
+
         rcu_read_unlock();
 
         rdsdebug("returning rs %p for %pI6c:%u\n", rs, addr,
diff --git a/net/rds/ib_send.c b/net/rds/ib_send.c
index 2dcb555e6350..4e0c36acf866 100644
--- a/net/rds/ib_send.c
+++ b/net/rds/ib_send.c
@@ -522,7 +522,7 @@ int rds_ib_xmit(struct rds_connection *conn, struct rds_message *rm,
         if (be32_to_cpu(rm->m_inc.i_hdr.h_len) == 0)
                 i = 1;
         else
-                i = ceil(be32_to_cpu(rm->m_inc.i_hdr.h_len), RDS_FRAG_SIZE);
+                i = DIV_ROUND_UP(be32_to_cpu(rm->m_inc.i_hdr.h_len), RDS_FRAG_SIZE);
 
         work_alloc = rds_ib_ring_alloc(&ic->i_send_ring, i, &pos);
         if (work_alloc == 0) {
@@ -879,7 +879,7 @@ int rds_ib_xmit_rdma(struct rds_connection *conn, struct rm_rdma_op *op)
          * Instead of knowing how to return a partial rdma read/write we insist that there
          * be enough work requests to send the entire message.
          */
-        i = ceil(op->op_count, max_sge);
+        i = DIV_ROUND_UP(op->op_count, max_sge);
 
         work_alloc = rds_ib_ring_alloc(&ic->i_send_ring, i, &pos);
         if (work_alloc != i) {
diff --git a/net/rds/message.c b/net/rds/message.c
index f139420ba1f6..50f13f1d4ae0 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -341,7 +341,7 @@ struct rds_message *rds_message_map_pages(unsigned long *page_addrs, unsigned in
 {
         struct rds_message *rm;
         unsigned int i;
-        int num_sgs = ceil(total_len, PAGE_SIZE);
+        int num_sgs = DIV_ROUND_UP(total_len, PAGE_SIZE);
         int extra_bytes = num_sgs * sizeof(struct scatterlist);
         int ret;
 
@@ -351,7 +351,7 @@ struct rds_message *rds_message_map_pages(unsigned long *page_addrs, unsigned in
 
         set_bit(RDS_MSG_PAGEVEC, &rm->m_flags);
         rm->m_inc.i_hdr.h_len = cpu_to_be32(total_len);
-        rm->data.op_nents = ceil(total_len, PAGE_SIZE);
+        rm->data.op_nents = DIV_ROUND_UP(total_len, PAGE_SIZE);
         rm->data.op_sg = rds_message_alloc_sgs(rm, num_sgs, &ret);
         if (!rm->data.op_sg) {
                 rds_message_put(rm);
diff --git a/net/rds/rds.h b/net/rds/rds.h
index 02ec4a3b2799..4ffe100ff5e6 100644
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -48,10 +48,6 @@ void rdsdebug(char *fmt, ...)
 }
 #endif
 
-/* XXX is there one of these somewhere? */
-#define ceil(x, y) \
-        ({ unsigned long __x = (x), __y = (y); (__x + __y - 1) / __y; })
-
 #define RDS_FRAG_SHIFT  12
 #define RDS_FRAG_SIZE   ((unsigned int)(1 << RDS_FRAG_SHIFT))
 
diff --git a/net/rds/send.c b/net/rds/send.c
index 3d822bad7de9..fd8b687d5c05 100644
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -1107,7 +1107,7 @@ int rds_sendmsg(struct socket *sock, struct msghdr *msg, size_t payload_len)
         size_t total_payload_len = payload_len, rdma_payload_len = 0;
         bool zcopy = ((msg->msg_flags & MSG_ZEROCOPY) &&
                       sock_flag(rds_rs_to_sk(rs), SOCK_ZEROCOPY));
-        int num_sgs = ceil(payload_len, PAGE_SIZE);
+        int num_sgs = DIV_ROUND_UP(payload_len, PAGE_SIZE);
         int namelen;
         struct rds_iov_vector_arr vct;
         int ind;
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index 77e9f85a2c92..f2ff21d7df08 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -850,6 +850,7 @@ void rose_link_device_down(struct net_device *dev)
 
 /*
  *      Route a frame to an appropriate AX.25 connection.
+ *      A NULL ax25_cb indicates an internally generated frame.
  */
 int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
 {
@@ -867,6 +868,10 @@ int rose_route_frame(struct sk_buff *skb, ax25_cb *ax25)
 
         if (skb->len < ROSE_MIN_LEN)
                 return res;
+
+        if (!ax25)
+                return rose_loopback_queue(skb, NULL);
+
         frametype = skb->data[2];
         lci = ((skb->data[0] << 8) & 0xF00) + ((skb->data[1] << 0) & 0x0FF);
         if (frametype == ROSE_CALL_REQUEST &&
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index a2522f9d71e2..96f2952bbdfd 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -419,76 +419,6 @@ u32 rxrpc_kernel_get_epoch(struct socket *sock, struct rxrpc_call *call)
 EXPORT_SYMBOL(rxrpc_kernel_get_epoch);
 
 /**
- * rxrpc_kernel_check_call - Check a call's state
- * @sock: The socket the call is on
- * @call: The call to check
- * @_compl: Where to store the completion state
- * @_abort_code: Where to store any abort code
- *
- * Allow a kernel service to query the state of a call and find out the manner
- * of its termination if it has completed.  Returns -EINPROGRESS if the call is
- * still going, 0 if the call finished successfully, -ECONNABORTED if the call
- * was aborted and an appropriate error if the call failed in some other way.
- */
-int rxrpc_kernel_check_call(struct socket *sock, struct rxrpc_call *call,
-                            enum rxrpc_call_completion *_compl, u32 *_abort_code)
-{
-        if (call->state != RXRPC_CALL_COMPLETE)
-                return -EINPROGRESS;
-        smp_rmb();
-        *_compl = call->completion;
-        *_abort_code = call->abort_code;
-        return call->error;
-}
-EXPORT_SYMBOL(rxrpc_kernel_check_call);
-
-/**
- * rxrpc_kernel_retry_call - Allow a kernel service to retry a call
- * @sock: The socket the call is on
- * @call: The call to retry
- * @srx: The address of the peer to contact
- * @key: The security context to use (defaults to socket setting)
- *
- * Allow a kernel service to try resending a client call that failed due to a
- * network error to a new address.  The Tx queue is maintained intact, thereby
- * relieving the need to re-encrypt any request data that has already been
- * buffered.
- */
-int rxrpc_kernel_retry_call(struct socket *sock, struct rxrpc_call *call,
-                            struct sockaddr_rxrpc *srx, struct key *key)
-{
-        struct rxrpc_conn_parameters cp;
-        struct rxrpc_sock *rx = rxrpc_sk(sock->sk);
-        int ret;
-
-        _enter("%d{%d}", call->debug_id, atomic_read(&call->usage));
-
-        if (!key)
-                key = rx->key;
-        if (key && !key->payload.data[0])
-                key = NULL; /* a no-security key */
-
-        memset(&cp, 0, sizeof(cp));
-        cp.local                = rx->local;
-        cp.key                  = key;
-        cp.security_level       = 0;
-        cp.exclusive            = false;
-        cp.service_id           = srx->srx_service;
-
-        mutex_lock(&call->user_mutex);
-
-        ret = rxrpc_prepare_call_for_retry(rx, call);
-        if (ret == 0)
-                ret = rxrpc_retry_client_call(rx, call, &cp, srx, GFP_KERNEL);
-
-        mutex_unlock(&call->user_mutex);
-        rxrpc_put_peer(cp.peer);
-        _leave(" = %d", ret);
-        return ret;
-}
-EXPORT_SYMBOL(rxrpc_kernel_retry_call);
-
-/**
  * rxrpc_kernel_new_call_notification - Get notifications of new calls
  * @sock: The socket to intercept received messages on
  * @notify_new_call: Function to be called when new calls appear
diff --git a/net/rxrpc/ar-internal.h b/net/rxrpc/ar-internal.h
index bc628acf4f4f..4b1a534d290a 100644
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -476,7 +476,6 @@ enum rxrpc_call_flag {
         RXRPC_CALL_EXPOSED,             /* The call was exposed to the world */
         RXRPC_CALL_RX_LAST,             /* Received the last packet (at rxtx_top) */
         RXRPC_CALL_TX_LAST,             /* Last packet in Tx buffer (at rxtx_top) */
-        RXRPC_CALL_TX_LASTQ,            /* Last packet has been queued */
         RXRPC_CALL_SEND_PING,           /* A ping will need to be sent */
         RXRPC_CALL_PINGING,             /* Ping in process */
         RXRPC_CALL_RETRANS_TIMEOUT,     /* Retransmission due to timeout occurred */
@@ -518,6 +517,18 @@ enum rxrpc_call_state {
 };
 
 /*
+ * Call completion condition (state == RXRPC_CALL_COMPLETE).
+ */
+enum rxrpc_call_completion {
+        RXRPC_CALL_SUCCEEDED,           /* - Normal termination */
+        RXRPC_CALL_REMOTELY_ABORTED,    /* - call aborted by peer */
+        RXRPC_CALL_LOCALLY_ABORTED,     /* - call aborted locally on error or close */
+        RXRPC_CALL_LOCAL_ERROR,         /* - call failed due to local error */
+        RXRPC_CALL_NETWORK_ERROR,       /* - call terminated by network error */
+        NR__RXRPC_CALL_COMPLETIONS
+};
+
+/*
  * Call Tx congestion management modes.
  */
 enum rxrpc_congest_mode {
@@ -761,15 +772,9 @@ struct rxrpc_call *rxrpc_new_client_call(struct rxrpc_sock *,
                                          struct sockaddr_rxrpc *,
                                          struct rxrpc_call_params *, gfp_t,
                                          unsigned int);
-int rxrpc_retry_client_call(struct rxrpc_sock *,
-                            struct rxrpc_call *,
-                            struct rxrpc_conn_parameters *,
-                            struct sockaddr_rxrpc *,
-                            gfp_t);
 void rxrpc_incoming_call(struct rxrpc_sock *, struct rxrpc_call *,
                          struct sk_buff *);
 void rxrpc_release_call(struct rxrpc_sock *, struct rxrpc_call *);
-int rxrpc_prepare_call_for_retry(struct rxrpc_sock *, struct rxrpc_call *);
 void rxrpc_release_calls_on_socket(struct rxrpc_sock *);
 bool __rxrpc_queue_call(struct rxrpc_call *);
 bool rxrpc_queue_call(struct rxrpc_call *);
diff --git a/net/rxrpc/call_object.c b/net/rxrpc/call_object.c
index 8f1a8f85b1f9..8aa2937b069f 100644
--- a/net/rxrpc/call_object.c
+++ b/net/rxrpc/call_object.c
@@ -325,48 +325,6 @@ error:
 }
 
 /*
- * Retry a call to a new address.  It is expected that the Tx queue of the call
- * will contain data previously packaged for an old call.
- */
-int rxrpc_retry_client_call(struct rxrpc_sock *rx,
-                            struct rxrpc_call *call,
-                            struct rxrpc_conn_parameters *cp,
-                            struct sockaddr_rxrpc *srx,
-                            gfp_t gfp)
-{
-        const void *here = __builtin_return_address(0);
-        int ret;
-
-        /* Set up or get a connection record and set the protocol parameters,
-         * including channel number and call ID.
-         */
-        ret = rxrpc_connect_call(rx, call, cp, srx, gfp);
-        if (ret < 0)
-                goto error;
-
-        trace_rxrpc_call(call, rxrpc_call_connected, atomic_read(&call->usage),
-                         here, NULL);
-
-        rxrpc_start_call_timer(call);
-
-        _net("CALL new %d on CONN %d", call->debug_id, call->conn->debug_id);
-
-        if (!test_and_set_bit(RXRPC_CALL_EV_RESEND, &call->events))
-                rxrpc_queue_call(call);
-
-        _leave(" = 0");
-        return 0;
-
-error:
-        rxrpc_set_call_completion(call, RXRPC_CALL_LOCAL_ERROR,
-                                  RX_CALL_DEAD, ret);
-        trace_rxrpc_call(call, rxrpc_call_error, atomic_read(&call->usage),
-                         here, ERR_PTR(ret));
-        _leave(" = %d", ret);
-        return ret;
-}
-
-/*
  * Set up an incoming call.  call->conn points to the connection.
  * This is called in BH context and isn't allowed to fail.
  */
@@ -534,61 +492,6 @@ void rxrpc_release_call(struct rxrpc_sock *rx, struct rxrpc_call *call)
 }
 
 /*
- * Prepare a kernel service call for retry.
- */
-int rxrpc_prepare_call_for_retry(struct rxrpc_sock *rx, struct rxrpc_call *call)
-{
-        const void *here = __builtin_return_address(0);
-        int i;
-        u8 last = 0;
-
-        _enter("{%d,%d}", call->debug_id, atomic_read(&call->usage));
-
-        trace_rxrpc_call(call, rxrpc_call_release, atomic_read(&call->usage),
-                         here, (const void *)call->flags);
-
-        ASSERTCMP(call->state, ==, RXRPC_CALL_COMPLETE);
-        ASSERTCMP(call->completion, !=, RXRPC_CALL_REMOTELY_ABORTED);
-        ASSERTCMP(call->completion, !=, RXRPC_CALL_LOCALLY_ABORTED);
-        ASSERT(list_empty(&call->recvmsg_link));
-
-        del_timer_sync(&call->timer);
-
-        _debug("RELEASE CALL %p (%d CONN %p)", call, call->debug_id, call->conn);
-
-        if (call->conn)
-                rxrpc_disconnect_call(call);
-
-        if (rxrpc_is_service_call(call) ||
-            !call->tx_phase ||
-            call->tx_hard_ack != 0 ||
-            call->rx_hard_ack != 0 ||
-            call->rx_top != 0)
-                return -EINVAL;
-
-        call->state = RXRPC_CALL_UNINITIALISED;
-        call->completion = RXRPC_CALL_SUCCEEDED;
-        call->call_id = 0;
-        call->cid = 0;
-        call->cong_cwnd = 0;
-        call->cong_extra = 0;
-        call->cong_ssthresh = 0;
-        call->cong_mode = 0;
-        call->cong_dup_acks = 0;
-        call->cong_cumul_acks = 0;
-        call->acks_lowest_nak = 0;
-
-        for (i = 0; i < RXRPC_RXTX_BUFF_SIZE; i++) {
-                last |= call->rxtx_annotations[i];
-                call->rxtx_annotations[i] &= RXRPC_TX_ANNO_LAST;
-                call->rxtx_annotations[i] |= RXRPC_TX_ANNO_RETRANS;
-        }
-
-        _leave(" = 0");
-        return 0;
-}
-
-/*
  * release all the calls associated with a socket
  */
 void rxrpc_release_calls_on_socket(struct rxrpc_sock *rx)
diff --git a/net/rxrpc/conn_client.c b/net/rxrpc/conn_client.c
index 521189f4b666..b2adfa825363 100644
--- a/net/rxrpc/conn_client.c
+++ b/net/rxrpc/conn_client.c
@@ -562,10 +562,7 @@ static void rxrpc_activate_one_channel(struct rxrpc_connection *conn,
         clear_bit(RXRPC_CONN_FINAL_ACK_0 + channel, &conn->flags);
 
         write_lock_bh(&call->state_lock);
-        if (!test_bit(RXRPC_CALL_TX_LASTQ, &call->flags))
-                call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
-        else
-                call->state = RXRPC_CALL_CLIENT_AWAIT_REPLY;
+        call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
         write_unlock_bh(&call->state_lock);
 
         rxrpc_see_call(call);
diff --git a/net/rxrpc/recvmsg.c b/net/rxrpc/recvmsg.c
index eaf19ebaa964..3f7bb11f3290 100644
--- a/net/rxrpc/recvmsg.c
+++ b/net/rxrpc/recvmsg.c
@@ -596,6 +596,7 @@ error_requeue_call:
         }
 error_no_call:
         release_sock(&rx->sk);
+error_trace:
         trace_rxrpc_recvmsg(call, rxrpc_recvmsg_return, 0, 0, 0, ret);
         return ret;
 
@@ -604,7 +605,7 @@ wait_interrupted:
 wait_error:
         finish_wait(sk_sleep(&rx->sk), &wait);
         call = NULL;
-        goto error_no_call;
+        goto error_trace;
 }
 
 /**
diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index be01f9c5d963..46c9312085b1 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -169,10 +169,8 @@ static void rxrpc_queue_packet(struct rxrpc_sock *rx, struct rxrpc_call *call,
 
         ASSERTCMP(seq, ==, call->tx_top + 1);
 
-        if (last) {
+        if (last)
                 annotation |= RXRPC_TX_ANNO_LAST;
-                set_bit(RXRPC_CALL_TX_LASTQ, &call->flags);
-        }
 
         /* We have to set the timestamp before queueing as the retransmit
          * algorithm can see the packet as soon as we queue it.
@@ -386,6 +384,11 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
                                 call->tx_total_len -= copy;
                 }
 
+                /* check for the far side aborting the call or a network error
+                 * occurring */
+                if (call->state == RXRPC_CALL_COMPLETE)
+                        goto call_terminated;
+
                 /* add the packet to the send queue if it's now full */
                 if (sp->remain <= 0 ||
                     (msg_data_left(msg) == 0 && !more)) {
@@ -425,16 +428,6 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
                                            notify_end_tx);
                         skb = NULL;
                 }
-
-                /* Check for the far side aborting the call or a network error
-                 * occurring.  If this happens, save any packet that was under
-                 * construction so that in the case of a network error, the
-                 * call can be retried or redirected.
-                 */
-                if (call->state == RXRPC_CALL_COMPLETE) {
-                        ret = call->error;
-                        goto out;
-                }
         } while (msg_data_left(msg) > 0);
 
 success:
@@ -444,6 +437,11 @@ out:
         _leave(" = %d", ret);
         return ret;
 
+call_terminated:
+        rxrpc_free_skb(skb, rxrpc_skb_tx_freed);
+        _leave(" = %d", call->error);
+        return call->error;
+
 maybe_error:
         if (copied)
                 goto success;
diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c
index c3b90fadaff6..8b43fe0130f7 100644
--- a/net/sched/act_tunnel_key.c
+++ b/net/sched/act_tunnel_key.c
@@ -197,6 +197,15 @@ static const struct nla_policy tunnel_key_policy[TCA_TUNNEL_KEY_MAX + 1] = {
         [TCA_TUNNEL_KEY_ENC_TTL]      = { .type = NLA_U8 },
 };
 
+static void tunnel_key_release_params(struct tcf_tunnel_key_params *p)
+{
+        if (!p)
+                return;
+        if (p->tcft_action == TCA_TUNNEL_KEY_ACT_SET)
+                dst_release(&p->tcft_enc_metadata->dst);
+        kfree_rcu(p, rcu);
+}
+
 static int tunnel_key_init(struct net *net, struct nlattr *nla,
                            struct nlattr *est, struct tc_action **a,
                            int ovr, int bind, bool rtnl_held,
@@ -360,8 +369,7 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
         rcu_swap_protected(t->params, params_new,
                            lockdep_is_held(&t->tcf_lock));
         spin_unlock_bh(&t->tcf_lock);
-        if (params_new)
-                kfree_rcu(params_new, rcu);
+        tunnel_key_release_params(params_new);
 
         if (ret == ACT_P_CREATED)
                 tcf_idr_insert(tn, *a);
@@ -385,12 +393,7 @@ static void tunnel_key_release(struct tc_action *a)
         struct tcf_tunnel_key_params *params;
 
         params = rcu_dereference_protected(t->params, 1);
-        if (params) {
-                if (params->tcft_action == TCA_TUNNEL_KEY_ACT_SET)
-                        dst_release(&params->tcft_enc_metadata->dst);
-
-                kfree_rcu(params, rcu);
-        }
+        tunnel_key_release_params(params);
 }
 
 static int tunnel_key_geneve_opts_dump(struct sk_buff *skb,
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 8ce2a0507970..e2b5cb2eb34e 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -1277,7 +1277,6 @@ EXPORT_SYMBOL(tcf_block_cb_unregister);
 int tcf_classify(struct sk_buff *skb, const struct tcf_proto *tp,
                  struct tcf_result *res, bool compat_mode)
 {
-        __be16 protocol = tc_skb_protocol(skb);
 #ifdef CONFIG_NET_CLS_ACT
         const int max_reclassify_loop = 4;
         const struct tcf_proto *orig_tp = tp;
@@ -1287,6 +1286,7 @@ int tcf_classify(struct sk_buff *skb, const struct tcf_proto *tp,
 reclassify:
 #endif
         for (; tp; tp = rcu_dereference_bh(tp->next)) {
+                __be16 protocol = tc_skb_protocol(skb);
                 int err;
 
                 if (tp->protocol != protocol &&
@@ -1319,7 +1319,6 @@ reset:
         }
 
         tp = first_tp;
-        protocol = tc_skb_protocol(skb);
         goto reclassify;
 #endif
 }
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index dad04e710493..12ca9d13db83 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -1290,17 +1290,23 @@ static int fl_change(struct net *net, struct sk_buff *in_skb,
         struct cls_fl_head *head = rtnl_dereference(tp->root);
         struct cls_fl_filter *fold = *arg;
         struct cls_fl_filter *fnew;
+        struct fl_flow_mask *mask;
         struct nlattr **tb;
-        struct fl_flow_mask mask = {};
         int err;
 
         if (!tca[TCA_OPTIONS])
                 return -EINVAL;
 
-        tb = kcalloc(TCA_FLOWER_MAX + 1, sizeof(struct nlattr *), GFP_KERNEL);
-        if (!tb)
+        mask = kzalloc(sizeof(struct fl_flow_mask), GFP_KERNEL);
+        if (!mask)
                 return -ENOBUFS;
 
+        tb = kcalloc(TCA_FLOWER_MAX + 1, sizeof(struct nlattr *), GFP_KERNEL);
+        if (!tb) {
+                err = -ENOBUFS;
+                goto errout_mask_alloc;
+        }
+
         err = nla_parse_nested(tb, TCA_FLOWER_MAX, tca[TCA_OPTIONS],
                                fl_policy, NULL);
         if (err < 0)
@@ -1343,12 +1349,12 @@ static int fl_change(struct net *net, struct sk_buff *in_skb,
                 }
         }
 
-        err = fl_set_parms(net, tp, fnew, &mask, base, tb, tca[TCA_RATE], ovr,
+        err = fl_set_parms(net, tp, fnew, mask, base, tb, tca[TCA_RATE], ovr,
                            tp->chain->tmplt_priv, extack);
         if (err)
                 goto errout_idr;
 
-        err = fl_check_assign_mask(head, fnew, fold, &mask);
+        err = fl_check_assign_mask(head, fnew, fold, mask);
         if (err)
                 goto errout_idr;
 
@@ -1365,7 +1371,7 @@ static int fl_change(struct net *net, struct sk_buff *in_skb,
         if (!tc_skip_hw(fnew->flags)) {
                 err = fl_hw_replace_filter(tp, fnew, extack);
                 if (err)
-                        goto errout_mask;
+                        goto errout_mask_ht;
         }
 
         if (!tc_in_hw(fnew->flags))
@@ -1392,8 +1398,13 @@ static int fl_change(struct net *net, struct sk_buff *in_skb,
         }
 
         kfree(tb);
+        kfree(mask);
         return 0;
 
+errout_mask_ht:
+        rhashtable_remove_fast(&fnew->mask->ht, &fnew->ht_node,
+                               fnew->mask->filter_ht_params);
+
 errout_mask:
         fl_mask_put(head, fnew->mask, false);
 
@@ -1405,6 +1416,8 @@ errout:
         kfree(fnew);
 errout_tb:
         kfree(tb);
+errout_mask_alloc:
+        kfree(mask);
         return err;
 }
 
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c
index 9ccc93f257db..38bb882bb958 100644
--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -48,7 +48,7 @@ struct tcindex_data {
         u32 hash;               /* hash table size; 0 if undefined */
         u32 alloc_hash;         /* allocated size */
         u32 fall_through;       /* 0: only classify if explicit match */
-        struct rcu_head rcu;
+        struct rcu_work rwork;
 };
 
 static inline int tcindex_filter_is_set(struct tcindex_filter_result *r)
@@ -221,17 +221,11 @@ found:
         return 0;
 }
 
-static int tcindex_destroy_element(struct tcf_proto *tp,
-                                   void *arg, struct tcf_walker *walker)
-{
-        bool last;
-
-        return tcindex_delete(tp, arg, &last, NULL);
-}
-
-static void __tcindex_destroy(struct rcu_head *head)
+static void tcindex_destroy_work(struct work_struct *work)
 {
-        struct tcindex_data *p = container_of(head, struct tcindex_data, rcu);
+        struct tcindex_data *p = container_of(to_rcu_work(work),
+                                              struct tcindex_data,
+                                              rwork);
 
         kfree(p->perfect);
         kfree(p->h);
@@ -258,9 +252,11 @@ static int tcindex_filter_result_init(struct tcindex_filter_result *r)
         return tcf_exts_init(&r->exts, TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
 }
 
-static void __tcindex_partial_destroy(struct rcu_head *head)
+static void tcindex_partial_destroy_work(struct work_struct *work)
 {
-        struct tcindex_data *p = container_of(head, struct tcindex_data, rcu);
+        struct tcindex_data *p = container_of(to_rcu_work(work),
+                                              struct tcindex_data,
+                                              rwork);
 
         kfree(p->perfect);
         kfree(p);
@@ -275,7 +271,7 @@ static void tcindex_free_perfect_hash(struct tcindex_data *cp)
         kfree(cp->perfect);
 }
 
-static int tcindex_alloc_perfect_hash(struct tcindex_data *cp)
+static int tcindex_alloc_perfect_hash(struct net *net, struct tcindex_data *cp)
 {
         int i, err = 0;
 
@@ -289,6 +285,9 @@ static int tcindex_alloc_perfect_hash(struct tcindex_data *cp)
                                     TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
                 if (err < 0)
                         goto errout;
+#ifdef CONFIG_NET_CLS_ACT
+                cp->perfect[i].exts.net = net;
+#endif
         }
 
         return 0;
@@ -305,9 +304,9 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
                   struct nlattr *est, bool ovr, struct netlink_ext_ack *extack)
 {
         struct tcindex_filter_result new_filter_result, *old_r = r;
-        struct tcindex_filter_result cr;
         struct tcindex_data *cp = NULL, *oldp;
         struct tcindex_filter *f = NULL; /* make gcc behave */
+        struct tcf_result cr = {};
         int err, balloc = 0;
         struct tcf_exts e;
 
@@ -337,7 +336,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
         if (p->perfect) {
                 int i;
 
-                if (tcindex_alloc_perfect_hash(cp) < 0)
+                if (tcindex_alloc_perfect_hash(net, cp) < 0)
                         goto errout;
                 for (i = 0; i < cp->hash; i++)
                         cp->perfect[i].res = p->perfect[i].res;
@@ -348,11 +347,8 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
         err = tcindex_filter_result_init(&new_filter_result);
         if (err < 0)
                 goto errout1;
-        err = tcindex_filter_result_init(&cr);
-        if (err < 0)
-                goto errout1;
         if (old_r)
-                cr.res = r->res;
+                cr = r->res;
 
         if (tb[TCA_TCINDEX_HASH])
                 cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]);
@@ -406,7 +402,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
         err = -ENOMEM;
         if (!cp->perfect && !cp->h) {
                 if (valid_perfect_hash(cp)) {
-                        if (tcindex_alloc_perfect_hash(cp) < 0)
+                        if (tcindex_alloc_perfect_hash(net, cp) < 0)
                                 goto errout_alloc;
                         balloc = 1;
                 } else {
@@ -443,8 +439,8 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
         }
 
         if (tb[TCA_TCINDEX_CLASSID]) {
-                cr.res.classid = nla_get_u32(tb[TCA_TCINDEX_CLASSID]);
-                tcf_bind_filter(tp, &cr.res, base);
+                cr.classid = nla_get_u32(tb[TCA_TCINDEX_CLASSID]);
+                tcf_bind_filter(tp, &cr, base);
         }
 
         if (old_r && old_r != r) {
@@ -456,7 +452,7 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
         }
 
         oldp = p;
-        r->res = cr.res;
+        r->res = cr;
         tcf_exts_change(&r->exts, &e);
 
         rcu_assign_pointer(tp->root, cp);
@@ -475,10 +471,12 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base,
                                 ; /* nothing */
 
                 rcu_assign_pointer(*fp, f);
+        } else {
+                tcf_exts_destroy(&new_filter_result.exts);
         }
 
         if (oldp)
-                call_rcu(&oldp->rcu, __tcindex_partial_destroy);
+                tcf_queue_work(&oldp->rwork, tcindex_partial_destroy_work);
         return 0;
 
 errout_alloc:
@@ -487,7 +485,6 @@ errout_alloc:
         else if (balloc == 2)
                 kfree(cp->h);
 errout1:
-        tcf_exts_destroy(&cr.exts);
         tcf_exts_destroy(&new_filter_result.exts);
 errout:
         kfree(cp);
@@ -562,15 +559,34 @@ static void tcindex_destroy(struct tcf_proto *tp,
                             struct netlink_ext_ack *extack)
 {
         struct tcindex_data *p = rtnl_dereference(tp->root);
-        struct tcf_walker walker;
+        int i;
 
         pr_debug("tcindex_destroy(tp %p),p %p\n", tp, p);
-        walker.count = 0;
-        walker.skip = 0;
-        walker.fn = tcindex_destroy_element;
-        tcindex_walk(tp, &walker);
 
-        call_rcu(&p->rcu, __tcindex_destroy);
+        if (p->perfect) {
+                for (i = 0; i < p->hash; i++) {
+                        struct tcindex_filter_result *r = p->perfect + i;
+
+                        tcf_unbind_filter(tp, &r->res);
+                        if (tcf_exts_get_net(&r->exts))
+                                tcf_queue_work(&r->rwork,
+                                               tcindex_destroy_rexts_work);
+                        else
+                                __tcindex_destroy_rexts(r);
+                }
+        }
+
+        for (i = 0; p->h && i < p->hash; i++) {
+                struct tcindex_filter *f, *next;
+                bool last;
+
+                for (f = rtnl_dereference(p->h[i]); f; f = next) {
+                        next = rtnl_dereference(f->next);
+                        tcindex_delete(tp, &f->result, &last, NULL);
+                }
+        }
+
+        tcf_queue_work(&p->rwork, tcindex_destroy_work);
 }
 
 
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index b910cd5c56f7..73940293700d 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -1667,7 +1667,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
         if (skb_is_gso(skb) && q->rate_flags & CAKE_FLAG_SPLIT_GSO) {
                 struct sk_buff *segs, *nskb;
                 netdev_features_t features = netif_skb_features(skb);
-                unsigned int slen = 0;
+                unsigned int slen = 0, numsegs = 0;
 
                 segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
                 if (IS_ERR_OR_NULL(segs))
@@ -1683,6 +1683,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                         flow_queue_add(flow, segs);
 
                         sch->q.qlen++;
+                        numsegs++;
                         slen += segs->len;
                         q->buffer_used += segs->truesize;
                         b->packets++;
@@ -1696,7 +1697,7 @@ static s32 cake_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                 sch->qstats.backlog += slen;
                 q->avg_window_bytes += slen;
 
-                qdisc_tree_reduce_backlog(sch, 1, len);
+                qdisc_tree_reduce_backlog(sch, 1-numsegs, len-slen);
                 consume_skb(skb);
         } else {
                 /* not splitting */
diff --git a/net/sched/sch_cbs.c b/net/sched/sch_cbs.c
index e689e11b6d0f..c6a502933fe7 100644
--- a/net/sched/sch_cbs.c
+++ b/net/sched/sch_cbs.c
@@ -88,13 +88,14 @@ static int cbs_child_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                              struct Qdisc *child,
                              struct sk_buff **to_free)
 {
+        unsigned int len = qdisc_pkt_len(skb);
         int err;
 
         err = child->ops->enqueue(skb, child, to_free);
         if (err != NET_XMIT_SUCCESS)
                 return err;
 
-        qdisc_qstats_backlog_inc(sch, skb);
+        sch->qstats.backlog += len;
         sch->q.qlen++;
 
         return NET_XMIT_SUCCESS;
diff --git a/net/sched/sch_drr.c b/net/sched/sch_drr.c
index cdebaed0f8cf..09b800991065 100644
--- a/net/sched/sch_drr.c
+++ b/net/sched/sch_drr.c
@@ -350,9 +350,11 @@ static struct drr_class *drr_classify(struct sk_buff *skb, struct Qdisc *sch,
 static int drr_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                        struct sk_buff **to_free)
 {
+        unsigned int len = qdisc_pkt_len(skb);
         struct drr_sched *q = qdisc_priv(sch);
         struct drr_class *cl;
         int err = 0;
+        bool first;
 
         cl = drr_classify(skb, sch, &err);
         if (cl == NULL) {
@@ -362,6 +364,7 @@ static int drr_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                 return err;
         }
 
+        first = !cl->qdisc->q.qlen;
         err = qdisc_enqueue(skb, cl->qdisc, to_free);
         if (unlikely(err != NET_XMIT_SUCCESS)) {
                 if (net_xmit_drop_count(err)) {
@@ -371,12 +374,12 @@ static int drr_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                 return err;
         }
 
-        if (cl->qdisc->q.qlen == 1) {
+        if (first) {
                 list_add_tail(&cl->alist, &q->active);
                 cl->deficit = cl->quantum;
         }
 
-        qdisc_qstats_backlog_inc(sch, skb);
+        sch->qstats.backlog += len;
         sch->q.qlen++;
         return err;
 }
diff --git a/net/sched/sch_dsmark.c b/net/sched/sch_dsmark.c
index f6f480784bc6..42471464ded3 100644
--- a/net/sched/sch_dsmark.c
+++ b/net/sched/sch_dsmark.c
@@ -199,6 +199,7 @@ static struct tcf_block *dsmark_tcf_block(struct Qdisc *sch, unsigned long cl,
 static int dsmark_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                           struct sk_buff **to_free)
 {
+        unsigned int len = qdisc_pkt_len(skb);
         struct dsmark_qdisc_data *p = qdisc_priv(sch);
         int err;
 
@@ -271,7 +272,7 @@ static int dsmark_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                 return err;
         }
 
-        qdisc_qstats_backlog_inc(sch, skb);
+        sch->qstats.backlog += len;
         sch->q.qlen++;
 
         return NET_XMIT_SUCCESS;
diff --git a/net/sched/sch_generic.c b/net/sched/sch_generic.c
index 66ba2ce2320f..968a85fe4d4a 100644
--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -500,7 +500,7 @@ static void dev_watchdog_down(struct net_device *dev)
  *      netif_carrier_on - set carrier
  *      @dev: network device
  *
- * Device has detected that carrier.
+ * Device has detected acquisition of carrier.
  */
 void netif_carrier_on(struct net_device *dev)
 {
diff --git a/net/sched/sch_hfsc.c b/net/sched/sch_hfsc.c
index b18ec1f6de60..24cc220a3218 100644
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -1539,8 +1539,10 @@ hfsc_dump_qdisc(struct Qdisc *sch, struct sk_buff *skb)
 static int
 hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
 {
+        unsigned int len = qdisc_pkt_len(skb);
         struct hfsc_class *cl;
         int uninitialized_var(err);
+        bool first;
 
         cl = hfsc_classify(skb, sch, &err);
         if (cl == NULL) {
@@ -1550,6 +1552,7 @@ hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
                 return err;
         }
 
+        first = !cl->qdisc->q.qlen;
         err = qdisc_enqueue(skb, cl->qdisc, to_free);
         if (unlikely(err != NET_XMIT_SUCCESS)) {
                 if (net_xmit_drop_count(err)) {
@@ -1559,9 +1562,7 @@ hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
                 return err;
         }
 
-        if (cl->qdisc->q.qlen == 1) {
-                unsigned int len = qdisc_pkt_len(skb);
-
+        if (first) {
                 if (cl->cl_flags & HFSC_RSC)
                         init_ed(cl, len);
                 if (cl->cl_flags & HFSC_FSC)
@@ -1576,7 +1577,7 @@ hfsc_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
 
         }
 
-        qdisc_qstats_backlog_inc(sch, skb);
+        sch->qstats.backlog += len;
         sch->q.qlen++;
 
         return NET_XMIT_SUCCESS;
diff --git a/net/sched/sch_htb.c b/net/sched/sch_htb.c
index 58b449490757..30f9da7e1076 100644
--- a/net/sched/sch_htb.c
+++ b/net/sched/sch_htb.c
@@ -581,6 +581,7 @@ static int htb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                        struct sk_buff **to_free)
 {
         int uninitialized_var(ret);
+        unsigned int len = qdisc_pkt_len(skb);
         struct htb_sched *q = qdisc_priv(sch);
         struct htb_class *cl = htb_classify(skb, sch, &ret);
 
@@ -610,7 +611,7 @@ static int htb_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                 htb_activate(q, cl);
         }
 
-        qdisc_qstats_backlog_inc(sch, skb);
+        sch->qstats.backlog += len;
         sch->q.qlen++;
         return NET_XMIT_SUCCESS;
 }
diff --git a/net/sched/sch_prio.c b/net/sched/sch_prio.c
index cdf68706e40f..847141cd900f 100644
--- a/net/sched/sch_prio.c
+++ b/net/sched/sch_prio.c
@@ -72,6 +72,7 @@ prio_classify(struct sk_buff *skb, struct Qdisc *sch, int *qerr)
 static int
 prio_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
 {
+        unsigned int len = qdisc_pkt_len(skb);
         struct Qdisc *qdisc;
         int ret;
 
@@ -88,7 +89,7 @@ prio_enqueue(struct sk_buff *skb, struct Qdisc *sch, struct sk_buff **to_free)
 
         ret = qdisc_enqueue(skb, qdisc, to_free);
         if (ret == NET_XMIT_SUCCESS) {
-                qdisc_qstats_backlog_inc(sch, skb);
+                sch->qstats.backlog += len;
                 sch->q.qlen++;
                 return NET_XMIT_SUCCESS;
         }
diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index dc37c4ead439..29f5c4a24688 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -1210,10 +1210,12 @@ static struct qfq_aggregate *qfq_choose_next_agg(struct qfq_sched *q)
 static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                        struct sk_buff **to_free)
 {
+        unsigned int len = qdisc_pkt_len(skb), gso_segs;
         struct qfq_sched *q = qdisc_priv(sch);
         struct qfq_class *cl;
         struct qfq_aggregate *agg;
         int err = 0;
+        bool first;
 
         cl = qfq_classify(skb, sch, &err);
         if (cl == NULL) {
@@ -1224,17 +1226,18 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
         }
         pr_debug("qfq_enqueue: cl = %x\n", cl->common.classid);
 
-        if (unlikely(cl->agg->lmax < qdisc_pkt_len(skb))) {
+        if (unlikely(cl->agg->lmax < len)) {
                 pr_debug("qfq: increasing maxpkt from %u to %u for class %u",
-                         cl->agg->lmax, qdisc_pkt_len(skb), cl->common.classid);
-                err = qfq_change_agg(sch, cl, cl->agg->class_weight,
-                                     qdisc_pkt_len(skb));
+                         cl->agg->lmax, len, cl->common.classid);
+                err = qfq_change_agg(sch, cl, cl->agg->class_weight, len);
                 if (err) {
                         cl->qstats.drops++;
                         return qdisc_drop(skb, sch, to_free);
                 }
         }
 
+        gso_segs = skb_is_gso(skb) ? skb_shinfo(skb)->gso_segs : 1;
+        first = !cl->qdisc->q.qlen;
         err = qdisc_enqueue(skb, cl->qdisc, to_free);
         if (unlikely(err != NET_XMIT_SUCCESS)) {
                 pr_debug("qfq_enqueue: enqueue failed %d\n", err);
@@ -1245,16 +1248,17 @@ static int qfq_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                 return err;
         }
 
-        bstats_update(&cl->bstats, skb);
-        qdisc_qstats_backlog_inc(sch, skb);
+        cl->bstats.bytes += len;
+        cl->bstats.packets += gso_segs;
+        sch->qstats.backlog += len;
         ++sch->q.qlen;
 
         agg = cl->agg;
         /* if the queue was not empty, then done here */
-        if (cl->qdisc->q.qlen != 1) {
+        if (!first) {
                 if (unlikely(skb == cl->qdisc->ops->peek(cl->qdisc)) &&
                     list_first_entry(&agg->active, struct qfq_class, alist)
-                    == cl && cl->deficit < qdisc_pkt_len(skb))
+                    == cl && cl->deficit < len)
                         list_move_tail(&cl->alist, &agg->active);
 
                 return err;
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
index 942dcca09cf2..7f272a9070c5 100644
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -185,6 +185,7 @@ static int tbf_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                        struct sk_buff **to_free)
 {
         struct tbf_sched_data *q = qdisc_priv(sch);
+        unsigned int len = qdisc_pkt_len(skb);
         int ret;
 
         if (qdisc_pkt_len(skb) > q->max_size) {
@@ -200,7 +201,7 @@ static int tbf_enqueue(struct sk_buff *skb, struct Qdisc *sch,
                 return ret;
         }
 
-        qdisc_qstats_backlog_inc(sch, skb);
+        sch->qstats.backlog += len;
         sch->q.qlen++;
         return NET_XMIT_SUCCESS;
 }
diff --git a/net/sctp/diag.c b/net/sctp/diag.c
index 078f01a8d582..435847d98b51 100644
--- a/net/sctp/diag.c
+++ b/net/sctp/diag.c
@@ -256,6 +256,7 @@ static size_t inet_assoc_attr_size(struct sctp_association *asoc)
                 + nla_total_size(1) /* INET_DIAG_TOS */
                 + nla_total_size(1) /* INET_DIAG_TCLASS */
                 + nla_total_size(4) /* INET_DIAG_MARK */
+                + nla_total_size(4) /* INET_DIAG_CLASS_ID */
                 + nla_total_size(addrlen * asoc->peer.transport_count)
                 + nla_total_size(addrlen * addrcnt)
                 + nla_total_size(sizeof(struct inet_diag_meminfo))
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index b9ed271b7ef7..6200cd2b4b99 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -97,11 +97,9 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
 
         switch (ev) {
         case NETDEV_UP:
-                addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
+                addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
                 if (addr) {
                         addr->a.v6.sin6_family = AF_INET6;
-                        addr->a.v6.sin6_port = 0;
-                        addr->a.v6.sin6_flowinfo = 0;
                         addr->a.v6.sin6_addr = ifa->addr;
                         addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
                         addr->valid = 1;
@@ -282,7 +280,8 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
 
         if (saddr) {
                 fl6->saddr = saddr->v6.sin6_addr;
-                fl6->fl6_sport = saddr->v6.sin6_port;
+                if (!fl6->fl6_sport)
+                        fl6->fl6_sport = saddr->v6.sin6_port;
 
                 pr_debug("src=%pI6 - ", &fl6->saddr);
         }
@@ -434,7 +433,6 @@ static void sctp_v6_copy_addrlist(struct list_head *addrlist,
                 addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
                 if (addr) {
                         addr->a.v6.sin6_family = AF_INET6;
-                        addr->a.v6.sin6_port = 0;
                         addr->a.v6.sin6_addr = ifp->addr;
                         addr->a.v6.sin6_scope_id = dev->ifindex;
                         addr->valid = 1;
diff --git a/net/sctp/offload.c b/net/sctp/offload.c
index 123e9f2dc226..edfcf16e704c 100644
--- a/net/sctp/offload.c
+++ b/net/sctp/offload.c
@@ -36,6 +36,7 @@ static __le32 sctp_gso_make_checksum(struct sk_buff *skb)
 {
         skb->ip_summed = CHECKSUM_NONE;
         skb->csum_not_inet = 0;
+        gso_reset_checksum(skb, ~0);
         return sctp_compute_cksum(skb, skb_transport_offset(skb));
 }
 
diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index d5878ae55840..6abc8b274270 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -101,7 +101,6 @@ static void sctp_v4_copy_addrlist(struct list_head *addrlist,
                 addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
                 if (addr) {
                         addr->a.v4.sin_family = AF_INET;
-                        addr->a.v4.sin_port = 0;
                         addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
                         addr->valid = 1;
                         INIT_LIST_HEAD(&addr->list);
@@ -441,7 +440,8 @@ static void sctp_v4_get_dst(struct sctp_transport *t, union sctp_addr *saddr,
         }
         if (saddr) {
                 fl4->saddr = saddr->v4.sin_addr.s_addr;
-                fl4->fl4_sport = saddr->v4.sin_port;
+                if (!fl4->fl4_sport)
+                        fl4->fl4_sport = saddr->v4.sin_port;
         }
 
         pr_debug("%s: dst:%pI4, src:%pI4 - ", __func__, &fl4->daddr,
@@ -776,10 +776,9 @@ static int sctp_inetaddr_event(struct notifier_block *this, unsigned long ev,
 
         switch (ev) {
         case NETDEV_UP:
-                addr = kmalloc(sizeof(struct sctp_sockaddr_entry), GFP_ATOMIC);
+                addr = kzalloc(sizeof(*addr), GFP_ATOMIC);
                 if (addr) {
                         addr->a.v4.sin_family = AF_INET;
-                        addr->a.v4.sin_port = 0;
                         addr->a.v4.sin_addr.s_addr = ifa->ifa_local;
                         addr->valid = 1;
                         spin_lock_bh(&net->sctp.local_addr_lock);
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index f4ac6c592e13..d05c57664e36 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -495,7 +495,10 @@ struct sctp_chunk *sctp_make_init_ack(const struct sctp_association *asoc,
          *
          * [INIT ACK back to where the INIT came from.]
          */
-        retval->transport = chunk->transport;
+        if (chunk->transport)
+                retval->transport =
+                        sctp_assoc_lookup_paddr(asoc,
+                                                &chunk->transport->ipaddr);
 
         retval->subh.init_hdr =
                 sctp_addto_chunk(retval, sizeof(initack), &initack);
@@ -642,8 +645,10 @@ struct sctp_chunk *sctp_make_cookie_ack(const struct sctp_association *asoc,
          *
          * [COOKIE ACK back to where the COOKIE ECHO came from.]
          */
-        if (retval && chunk)
-                retval->transport = chunk->transport;
+        if (retval && chunk && chunk->transport)
+                retval->transport =
+                        sctp_assoc_lookup_paddr(asoc,
+                                                &chunk->transport->ipaddr);
 
         return retval;
 }
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index f93c3cf9e567..65d6d04546ae 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -2027,7 +2027,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
         struct sctp_endpoint *ep = sctp_sk(sk)->ep;
         struct sctp_transport *transport = NULL;
         struct sctp_sndrcvinfo _sinfo, *sinfo;
-        struct sctp_association *asoc;
+        struct sctp_association *asoc, *tmp;
         struct sctp_cmsgs cmsgs;
         union sctp_addr *daddr;
         bool new = false;
@@ -2053,7 +2053,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
 
         /* SCTP_SENDALL process */
         if ((sflags & SCTP_SENDALL) && sctp_style(sk, UDP)) {
-                list_for_each_entry(asoc, &ep->asocs, asocs) {
+                list_for_each_entry_safe(asoc, tmp, &ep->asocs, asocs) {
                         err = sctp_sendmsg_check_sflags(asoc, sflags, msg,
                                                         msg_len);
                         if (err == 0)
diff --git a/net/sctp/stream.c b/net/sctp/stream.c
index 3892e7630f3a..2936ed17bf9e 100644
--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -84,6 +84,19 @@ static void fa_zero(struct flex_array *fa, size_t index, size_t count)
         }
 }
 
+static size_t fa_index(struct flex_array *fa, void *elem, size_t count)
+{
+        size_t index = 0;
+
+        while (count--) {
+                if (elem == flex_array_get(fa, index))
+                        break;
+                index++;
+        }
+
+        return index;
+}
+
 /* Migrates chunks from stream queues to new stream queues if needed,
  * but not across associations. Also, removes those chunks to streams
  * higher than the new max.
@@ -131,8 +144,10 @@ static void sctp_stream_outq_migrate(struct sctp_stream *stream,
                 }
         }
 
-        for (i = outcnt; i < stream->outcnt; i++)
+        for (i = outcnt; i < stream->outcnt; i++) {
                 kfree(SCTP_SO(stream, i)->ext);
+                SCTP_SO(stream, i)->ext = NULL;
+        }
 }
 
 static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt,
@@ -147,6 +162,13 @@ static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt,
 
         if (stream->out) {
                 fa_copy(out, stream->out, 0, min(outcnt, stream->outcnt));
+                if (stream->out_curr) {
+                        size_t index = fa_index(stream->out, stream->out_curr,
+                                                stream->outcnt);
+
+                        BUG_ON(index == stream->outcnt);
+                        stream->out_curr = flex_array_get(out, index);
+                }
                 fa_free(stream->out);
         }
 
@@ -585,9 +607,9 @@ struct sctp_chunk *sctp_process_strreset_outreq(
         struct sctp_strreset_outreq *outreq = param.v;
         struct sctp_stream *stream = &asoc->stream;
         __u32 result = SCTP_STRRESET_DENIED;
-        __u16 i, nums, flags = 0;
         __be16 *str_p = NULL;
         __u32 request_seq;
+        __u16 i, nums;
 
         request_seq = ntohl(outreq->request_seq);
 
@@ -615,6 +637,15 @@ struct sctp_chunk *sctp_process_strreset_outreq(
         if (!(asoc->strreset_enable & SCTP_ENABLE_RESET_STREAM_REQ))
                 goto out;
 
+        nums = (ntohs(param.p->length) - sizeof(*outreq)) / sizeof(__u16);
+        str_p = outreq->list_of_streams;
+        for (i = 0; i < nums; i++) {
+                if (ntohs(str_p[i]) >= stream->incnt) {
+                        result = SCTP_STRRESET_ERR_WRONG_SSN;
+                        goto out;
+                }
+        }
+
         if (asoc->strreset_chunk) {
                 if (!sctp_chunk_lookup_strreset_param(
                                 asoc, outreq->response_seq,
@@ -637,32 +668,19 @@ struct sctp_chunk *sctp_process_strreset_outreq(
                         sctp_chunk_put(asoc->strreset_chunk);
                         asoc->strreset_chunk = NULL;
                 }
-
-                flags = SCTP_STREAM_RESET_INCOMING_SSN;
         }
 
-        nums = (ntohs(param.p->length) - sizeof(*outreq)) / sizeof(__u16);
-        if (nums) {
-                str_p = outreq->list_of_streams;
-                for (i = 0; i < nums; i++) {
-                        if (ntohs(str_p[i]) >= stream->incnt) {
-                                result = SCTP_STRRESET_ERR_WRONG_SSN;
-                                goto out;
-                        }
-                }
-
+        if (nums)
                 for (i = 0; i < nums; i++)
                         SCTP_SI(stream, ntohs(str_p[i]))->mid = 0;
-        } else {
+        else
                 for (i = 0; i < stream->incnt; i++)
                         SCTP_SI(stream, i)->mid = 0;
-        }
 
         result = SCTP_STRRESET_PERFORMED;
 
         *evp = sctp_ulpevent_make_stream_reset_event(asoc,
-                flags | SCTP_STREAM_RESET_OUTGOING_SSN, nums, str_p,
-                GFP_ATOMIC);
+                SCTP_STREAM_RESET_INCOMING_SSN, nums, str_p, GFP_ATOMIC);
 
 out:
         sctp_update_strreset_result(asoc, result);
@@ -738,9 +756,6 @@ struct sctp_chunk *sctp_process_strreset_inreq(
 
         result = SCTP_STRRESET_PERFORMED;
 
-        *evp = sctp_ulpevent_make_stream_reset_event(asoc,
-                SCTP_STREAM_RESET_INCOMING_SSN, nums, str_p, GFP_ATOMIC);
-
 out:
         sctp_update_strreset_result(asoc, result);
 err:
@@ -873,6 +888,14 @@ struct sctp_chunk *sctp_process_strreset_addstrm_out(
         if (!(asoc->strreset_enable & SCTP_ENABLE_CHANGE_ASSOC_REQ))
                 goto out;
 
+        in = ntohs(addstrm->number_of_streams);
+        incnt = stream->incnt + in;
+        if (!in || incnt > SCTP_MAX_STREAM)
+                goto out;
+
+        if (sctp_stream_alloc_in(stream, incnt, GFP_ATOMIC))
+                goto out;
+
         if (asoc->strreset_chunk) {
                 if (!sctp_chunk_lookup_strreset_param(
                         asoc, 0, SCTP_PARAM_RESET_ADD_IN_STREAMS)) {
@@ -896,14 +919,6 @@ struct sctp_chunk *sctp_process_strreset_addstrm_out(
                 }
         }
 
-        in = ntohs(addstrm->number_of_streams);
-        incnt = stream->incnt + in;
-        if (!in || incnt > SCTP_MAX_STREAM)
-                goto out;
-
-        if (sctp_stream_alloc_in(stream, incnt, GFP_ATOMIC))
-                goto out;
-
         stream->incnt = incnt;
 
         result = SCTP_STRRESET_PERFORMED;
@@ -973,9 +988,6 @@ struct sctp_chunk *sctp_process_strreset_addstrm_in(
 
         result = SCTP_STRRESET_PERFORMED;
 
-        *evp = sctp_ulpevent_make_stream_change_event(asoc,
-                0, 0, ntohs(addstrm->number_of_streams), GFP_ATOMIC);
-
 out:
         sctp_update_strreset_result(asoc, result);
 err:
@@ -1036,10 +1048,10 @@ struct sctp_chunk *sctp_process_strreset_resp(
                                         sout->mid_uo = 0;
                                 }
                         }
-
-                        flags = SCTP_STREAM_RESET_OUTGOING_SSN;
                 }
 
+                flags |= SCTP_STREAM_RESET_OUTGOING_SSN;
+
                 for (i = 0; i < stream->outcnt; i++)
                         SCTP_SO(stream, i)->state = SCTP_STREAM_OPEN;
 
@@ -1058,6 +1070,8 @@ struct sctp_chunk *sctp_process_strreset_resp(
                 nums = (ntohs(inreq->param_hdr.length) - sizeof(*inreq)) /
                        sizeof(__u16);
 
+                flags |= SCTP_STREAM_RESET_INCOMING_SSN;
+
                 *evp = sctp_ulpevent_make_stream_reset_event(asoc, flags,
                         nums, str_p, GFP_ATOMIC);
         } else if (req->type == SCTP_PARAM_RESET_TSN_REQUEST) {
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index 033696e6f74f..ad158d311ffa 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -207,7 +207,8 @@ void sctp_transport_reset_hb_timer(struct sctp_transport *transport)
 
         /* When a data chunk is sent, reset the heartbeat interval.  */
         expires = jiffies + sctp_transport_timeout(transport);
-        if (time_before(transport->hb_timer.expires, expires) &&
+        if ((time_before(transport->hb_timer.expires, expires) ||
+             !timer_pending(&transport->hb_timer)) &&
             !mod_timer(&transport->hb_timer,
                        expires + prandom_u32_max(transport->rto)))
                 sctp_transport_hold(transport);
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index c4da4a78d369..b04a813fc865 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -146,6 +146,9 @@ static int smc_release(struct socket *sock)
                 sock_set_flag(sk, SOCK_DEAD);
                 sk->sk_shutdown |= SHUTDOWN_MASK;
         }
+
+        sk->sk_prot->unhash(sk);
+
         if (smc->clcsock) {
                 if (smc->use_fallback && sk->sk_state == SMC_LISTEN) {
                         /* wake up clcsock accept */
@@ -170,7 +173,6 @@ static int smc_release(struct socket *sock)
                 smc_conn_free(&smc->conn);
         release_sock(sk);
 
-        sk->sk_prot->unhash(sk);
         sock_put(sk); /* final sock_put */
 out:
         return rc;
@@ -1503,6 +1505,11 @@ static int smc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
 
         smc = smc_sk(sk);
         lock_sock(sk);
+        if (sk->sk_state == SMC_CLOSED && (sk->sk_shutdown & RCV_SHUTDOWN)) {
+                /* socket was connected before, no more data to read */
+                rc = 0;
+                goto out;
+        }
         if ((sk->sk_state == SMC_INIT) ||
             (sk->sk_state == SMC_LISTEN) ||
             (sk->sk_state == SMC_CLOSED))
@@ -1838,7 +1845,11 @@ static ssize_t smc_splice_read(struct socket *sock, loff_t *ppos,
 
         smc = smc_sk(sk);
         lock_sock(sk);
-
+        if (sk->sk_state == SMC_CLOSED && (sk->sk_shutdown & RCV_SHUTDOWN)) {
+                /* socket was connected before, no more data to read */
+                rc = 0;
+                goto out;
+        }
         if (sk->sk_state == SMC_INIT ||
             sk->sk_state == SMC_LISTEN ||
             sk->sk_state == SMC_CLOSED)
diff --git a/net/smc/smc.h b/net/smc/smc.h
index 5721416d0605..adbdf195eb08 100644
--- a/net/smc/smc.h
+++ b/net/smc/smc.h
@@ -113,9 +113,9 @@ struct smc_host_cdc_msg {		/* Connection Data Control message */
 } __aligned(8);
 
 enum smc_urg_state {
-        SMC_URG_VALID,                  /* data present */
-        SMC_URG_NOTYET,                 /* data pending */
-        SMC_URG_READ                    /* data was already read */
+        SMC_URG_VALID   = 1,                    /* data present */
+        SMC_URG_NOTYET  = 2,                    /* data pending */
+        SMC_URG_READ    = 3,                    /* data was already read */
 };
 
 struct smc_connection {
diff --git a/net/smc/smc_cdc.c b/net/smc/smc_cdc.c
index db83332ac1c8..fb07ad8d69a6 100644
--- a/net/smc/smc_cdc.c
+++ b/net/smc/smc_cdc.c
@@ -21,13 +21,6 @@
 
 /********************************** send *************************************/
 
-struct smc_cdc_tx_pend {
-        struct smc_connection   *conn;          /* socket connection */
-        union smc_host_cursor   cursor; /* tx sndbuf cursor sent */
-        union smc_host_cursor   p_cursor;       /* rx RMBE cursor produced */
-        u16                     ctrl_seq;       /* conn. tx sequence # */
-};
-
 /* handler for send/transmission completion of a CDC msg */
 static void smc_cdc_tx_handler(struct smc_wr_tx_pend_priv *pnd_snd,
                                struct smc_link *link,
@@ -61,12 +54,14 @@ static void smc_cdc_tx_handler(struct smc_wr_tx_pend_priv *pnd_snd,
 
 int smc_cdc_get_free_slot(struct smc_connection *conn,
                           struct smc_wr_buf **wr_buf,
+                          struct smc_rdma_wr **wr_rdma_buf,
                           struct smc_cdc_tx_pend **pend)
 {
         struct smc_link *link = &conn->lgr->lnk[SMC_SINGLE_LINK];
         int rc;
 
         rc = smc_wr_tx_get_free_slot(link, smc_cdc_tx_handler, wr_buf,
+                                     wr_rdma_buf,
                                      (struct smc_wr_tx_pend_priv **)pend);
         if (!conn->alert_token_local)
                 /* abnormal termination */
@@ -96,6 +91,7 @@ int smc_cdc_msg_send(struct smc_connection *conn,
                      struct smc_wr_buf *wr_buf,
                      struct smc_cdc_tx_pend *pend)
 {
+        union smc_host_cursor cfed;
         struct smc_link *link;
         int rc;
 
@@ -105,12 +101,10 @@ int smc_cdc_msg_send(struct smc_connection *conn,
 
         conn->tx_cdc_seq++;
         conn->local_tx_ctrl.seqno = conn->tx_cdc_seq;
-        smc_host_msg_to_cdc((struct smc_cdc_msg *)wr_buf,
-                            &conn->local_tx_ctrl, conn);
+        smc_host_msg_to_cdc((struct smc_cdc_msg *)wr_buf, conn, &cfed);
         rc = smc_wr_tx_send(link, (struct smc_wr_tx_pend_priv *)pend);
         if (!rc)
-                smc_curs_copy(&conn->rx_curs_confirmed,
-                              &conn->local_tx_ctrl.cons, conn);
+                smc_curs_copy(&conn->rx_curs_confirmed, &cfed, conn);
 
         return rc;
 }
@@ -121,11 +115,14 @@ static int smcr_cdc_get_slot_and_msg_send(struct smc_connection *conn)
         struct smc_wr_buf *wr_buf;
         int rc;
 
-        rc = smc_cdc_get_free_slot(conn, &wr_buf, &pend);
+        rc = smc_cdc_get_free_slot(conn, &wr_buf, NULL, &pend);
         if (rc)
                 return rc;
 
-        return smc_cdc_msg_send(conn, wr_buf, pend);
+        spin_lock_bh(&conn->send_lock);
+        rc = smc_cdc_msg_send(conn, wr_buf, pend);
+        spin_unlock_bh(&conn->send_lock);
+        return rc;
 }
 
 int smc_cdc_get_slot_and_msg_send(struct smc_connection *conn)
diff --git a/net/smc/smc_cdc.h b/net/smc/smc_cdc.h
index b5bfe38c7f9b..f1cdde9d4b89 100644
--- a/net/smc/smc_cdc.h
+++ b/net/smc/smc_cdc.h
@@ -160,7 +160,9 @@ static inline void smcd_curs_copy(union smcd_cdc_cursor *tgt,
 #endif
 }
 
-/* calculate cursor difference between old and new, where old <= new */
+/* calculate cursor difference between old and new, where old <= new and
+ * difference cannot exceed size
+ */
 static inline int smc_curs_diff(unsigned int size,
                                 union smc_host_cursor *old,
                                 union smc_host_cursor *new)
@@ -185,28 +187,51 @@ static inline int smc_curs_comp(unsigned int size,
         return smc_curs_diff(size, old, new);
 }
 
+/* calculate cursor difference between old and new, where old <= new and
+ * difference may exceed size
+ */
+static inline int smc_curs_diff_large(unsigned int size,
+                                      union smc_host_cursor *old,
+                                      union smc_host_cursor *new)
+{
+        if (old->wrap < new->wrap)
+                return min_t(int,
+                             (size - old->count) + new->count +
+                             (new->wrap - old->wrap - 1) * size,
+                             size);
+
+        if (old->wrap > new->wrap) /* wrap has switched from 0xffff to 0x0000 */
+                return min_t(int,
+                             (size - old->count) + new->count +
+                             (new->wrap + 0xffff - old->wrap) * size,
+                             size);
+
+        return max_t(int, 0, (new->count - old->count));
+}
+
 static inline void smc_host_cursor_to_cdc(union smc_cdc_cursor *peer,
                                           union smc_host_cursor *local,
+                                          union smc_host_cursor *save,
                                           struct smc_connection *conn)
 {
-        union smc_host_cursor temp;
-
-        smc_curs_copy(&temp, local, conn);
-        peer->count = htonl(temp.count);
-        peer->wrap = htons(temp.wrap);
+        smc_curs_copy(save, local, conn);
+        peer->count = htonl(save->count);
+        peer->wrap = htons(save->wrap);
         /* peer->reserved = htons(0); must be ensured by caller */
 }
 
 static inline void smc_host_msg_to_cdc(struct smc_cdc_msg *peer,
-                                       struct smc_host_cdc_msg *local,
-                                       struct smc_connection *conn)
+                                       struct smc_connection *conn,
+                                       union smc_host_cursor *save)
 {
+        struct smc_host_cdc_msg *local = &conn->local_tx_ctrl;
+
         peer->common.type = local->common.type;
         peer->len = local->len;
         peer->seqno = htons(local->seqno);
         peer->token = htonl(local->token);
-        smc_host_cursor_to_cdc(&peer->prod, &local->prod, conn);
-        smc_host_cursor_to_cdc(&peer->cons, &local->cons, conn);
+        smc_host_cursor_to_cdc(&peer->prod, &local->prod, save, conn);
+        smc_host_cursor_to_cdc(&peer->cons, &local->cons, save, conn);
         peer->prod_flags = local->prod_flags;
         peer->conn_state_flags = local->conn_state_flags;
 }
@@ -270,10 +295,16 @@ static inline void smc_cdc_msg_to_host(struct smc_host_cdc_msg *local,
                 smcr_cdc_msg_to_host(local, peer, conn);
 }
 
-struct smc_cdc_tx_pend;
+struct smc_cdc_tx_pend {
+        struct smc_connection   *conn;          /* socket connection */
+        union smc_host_cursor   cursor;         /* tx sndbuf cursor sent */
+        union smc_host_cursor   p_cursor;       /* rx RMBE cursor produced */
+        u16                     ctrl_seq;       /* conn. tx sequence # */
+};
 
 int smc_cdc_get_free_slot(struct smc_connection *conn,
                           struct smc_wr_buf **wr_buf,
+                          struct smc_rdma_wr **wr_rdma_buf,
                           struct smc_cdc_tx_pend **pend);
 void smc_cdc_tx_dismiss_slots(struct smc_connection *conn);
 int smc_cdc_msg_send(struct smc_connection *conn, struct smc_wr_buf *wr_buf,
diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
index 776e9dfc915d..d53fd588d1f5 100644
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -378,7 +378,7 @@ int smc_clc_send_decline(struct smc_sock *smc, u32 peer_diag_info)
         vec.iov_len = sizeof(struct smc_clc_msg_decline);
         len = kernel_sendmsg(smc->clcsock, &msg, &vec, 1,
                              sizeof(struct smc_clc_msg_decline));
-        if (len < sizeof(struct smc_clc_msg_decline))
+        if (len < 0 || len < sizeof(struct smc_clc_msg_decline))
                 len = -EPROTO;
         return len > 0 ? 0 : len;
 }
diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
index ea2b87f29469..e39cadda1bf5 100644
--- a/net/smc/smc_close.c
+++ b/net/smc/smc_close.c
@@ -345,14 +345,7 @@ static void smc_close_passive_work(struct work_struct *work)
 
         switch (sk->sk_state) {
         case SMC_INIT:
-                if (atomic_read(&conn->bytes_to_rcv) ||
-                    (rxflags->peer_done_writing &&
-                     !smc_cdc_rxed_any_close(conn))) {
-                        sk->sk_state = SMC_APPCLOSEWAIT1;
-                } else {
-                        sk->sk_state = SMC_CLOSED;
-                        sock_put(sk); /* passive closing */
-                }
+                sk->sk_state = SMC_APPCLOSEWAIT1;
                 break;
         case SMC_ACTIVE:
                 sk->sk_state = SMC_APPCLOSEWAIT1;
diff --git a/net/smc/smc_core.c b/net/smc/smc_core.c
index 35c1cdc93e1c..aa1c551cee81 100644
--- a/net/smc/smc_core.c
+++ b/net/smc/smc_core.c
@@ -128,6 +128,8 @@ static void smc_lgr_unregister_conn(struct smc_connection *conn)
 {
         struct smc_link_group *lgr = conn->lgr;
 
+        if (!lgr)
+                return;
         write_lock_bh(&lgr->conns_lock);
         if (conn->alert_token_local) {
                 __smc_lgr_unregister_conn(conn);
@@ -300,13 +302,13 @@ static void smc_buf_unuse(struct smc_connection *conn,
                 conn->sndbuf_desc->used = 0;
         if (conn->rmb_desc) {
                 if (!conn->rmb_desc->regerr) {
-                        conn->rmb_desc->used = 0;
                         if (!lgr->is_smcd) {
                                 /* unregister rmb with peer */
                                 smc_llc_do_delete_rkey(
                                                 &lgr->lnk[SMC_SINGLE_LINK],
                                                 conn->rmb_desc);
                         }
+                        conn->rmb_desc->used = 0;
                 } else {
                         /* buf registration failed, reuse not possible */
                         write_lock_bh(&lgr->rmbs_lock);
@@ -628,6 +630,8 @@ int smc_conn_create(struct smc_sock *smc, bool is_smcd, int srv_first_contact,
                         local_contact = SMC_REUSE_CONTACT;
                         conn->lgr = lgr;
                         smc_lgr_register_conn(conn); /* add smc conn to lgr */
+                        if (delayed_work_pending(&lgr->free_work))
+                                cancel_delayed_work(&lgr->free_work);
                         write_unlock_bh(&lgr->conns_lock);
                         break;
                 }
diff --git a/net/smc/smc_core.h b/net/smc/smc_core.h
index b00287989a3d..8806d2afa6ed 100644
--- a/net/smc/smc_core.h
+++ b/net/smc/smc_core.h
@@ -52,6 +52,24 @@ enum smc_wr_reg_state {
         FAILED          /* ib_wr_reg_mr response: failure */
 };
 
+struct smc_rdma_sge {                           /* sges for RDMA writes */
+        struct ib_sge           wr_tx_rdma_sge[SMC_IB_MAX_SEND_SGE];
+};
+
+#define SMC_MAX_RDMA_WRITES     2               /* max. # of RDMA writes per
+                                                 * message send
+                                                 */
+
+struct smc_rdma_sges {                          /* sges per message send */
+        struct smc_rdma_sge     tx_rdma_sge[SMC_MAX_RDMA_WRITES];
+};
+
+struct smc_rdma_wr {                            /* work requests per message
+                                                 * send
+                                                 */
+        struct ib_rdma_wr       wr_tx_rdma[SMC_MAX_RDMA_WRITES];
+};
+
 struct smc_link {
         struct smc_ib_device    *smcibdev;      /* ib-device */
         u8                      ibport;         /* port - values 1 | 2 */
@@ -64,6 +82,8 @@ struct smc_link {
         struct smc_wr_buf       *wr_tx_bufs;    /* WR send payload buffers */
         struct ib_send_wr       *wr_tx_ibs;     /* WR send meta data */
         struct ib_sge           *wr_tx_sges;    /* WR send gather meta data */
+        struct smc_rdma_sges    *wr_tx_rdma_sges;/*RDMA WRITE gather meta data*/
+        struct smc_rdma_wr      *wr_tx_rdmas;   /* WR RDMA WRITE */
         struct smc_wr_tx_pend   *wr_tx_pends;   /* WR send waiting for CQE */
         /* above four vectors have wr_tx_cnt elements and use the same index */
         dma_addr_t              wr_tx_dma_addr; /* DMA address of wr_tx_bufs */
diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
index e519ef29c0ff..76487a16934e 100644
--- a/net/smc/smc_ib.c
+++ b/net/smc/smc_ib.c
@@ -289,8 +289,8 @@ int smc_ib_create_protection_domain(struct smc_link *lnk)
 
 static void smc_ib_qp_event_handler(struct ib_event *ibevent, void *priv)
 {
-        struct smc_ib_device *smcibdev =
-                (struct smc_ib_device *)ibevent->device;
+        struct smc_link *lnk = (struct smc_link *)priv;
+        struct smc_ib_device *smcibdev = lnk->smcibdev;
         u8 port_idx;
 
         switch (ibevent->event) {
@@ -298,7 +298,7 @@ static void smc_ib_qp_event_handler(struct ib_event *ibevent, void *priv)
         case IB_EVENT_GID_CHANGE:
         case IB_EVENT_PORT_ERR:
         case IB_EVENT_QP_ACCESS_ERR:
-                port_idx = ibevent->element.port_num - 1;
+                port_idx = ibevent->element.qp->port - 1;
                 set_bit(port_idx, &smcibdev->port_event_mask);
                 schedule_work(&smcibdev->port_event_work);
                 break;
diff --git a/net/smc/smc_llc.c b/net/smc/smc_llc.c
index a6d3623d06f4..4fd60c522802 100644
--- a/net/smc/smc_llc.c
+++ b/net/smc/smc_llc.c
@@ -166,7 +166,8 @@ static int smc_llc_add_pending_send(struct smc_link *link,
 {
         int rc;
 
-        rc = smc_wr_tx_get_free_slot(link, smc_llc_tx_handler, wr_buf, pend);
+        rc = smc_wr_tx_get_free_slot(link, smc_llc_tx_handler, wr_buf, NULL,
+                                     pend);
         if (rc < 0)
                 return rc;
         BUILD_BUG_ON_MSG(
diff --git a/net/smc/smc_pnet.c b/net/smc/smc_pnet.c
index 7cb3e4f07c10..632c3109dee5 100644
--- a/net/smc/smc_pnet.c
+++ b/net/smc/smc_pnet.c
@@ -27,7 +27,7 @@
 static struct nla_policy smc_pnet_policy[SMC_PNETID_MAX + 1] = {
         [SMC_PNETID_NAME] = {
                 .type = NLA_NUL_STRING,
-                .len = SMC_MAX_PNETID_LEN - 1
+                .len = SMC_MAX_PNETID_LEN
         },
         [SMC_PNETID_ETHNAME] = {
                 .type = NLA_NUL_STRING,
diff --git a/net/smc/smc_tx.c b/net/smc/smc_tx.c
index d8366ed51757..f93f3580c100 100644
--- a/net/smc/smc_tx.c
+++ b/net/smc/smc_tx.c
@@ -165,12 +165,11 @@ int smc_tx_sendmsg(struct smc_sock *smc, struct msghdr *msg, size_t len)
                         conn->local_tx_ctrl.prod_flags.urg_data_pending = 1;
 
                 if (!atomic_read(&conn->sndbuf_space) || conn->urg_tx_pend) {
+                        if (send_done)
+                                return send_done;
                         rc = smc_tx_wait(smc, msg->msg_flags);
-                        if (rc) {
-                                if (send_done)
-                                        return send_done;
+                        if (rc)
                                 goto out_err;
-                        }
                         continue;
                 }
 
@@ -267,27 +266,23 @@ int smcd_tx_ism_write(struct smc_connection *conn, void *data, size_t len,
 
 /* sndbuf consumer: actual data transfer of one target chunk with RDMA write */
 static int smc_tx_rdma_write(struct smc_connection *conn, int peer_rmbe_offset,
-                             int num_sges, struct ib_sge sges[])
+                             int num_sges, struct ib_rdma_wr *rdma_wr)
 {
         struct smc_link_group *lgr = conn->lgr;
-        struct ib_rdma_wr rdma_wr;
         struct smc_link *link;
         int rc;
 
-        memset(&rdma_wr, 0, sizeof(rdma_wr));
         link = &lgr->lnk[SMC_SINGLE_LINK];
-        rdma_wr.wr.wr_id = smc_wr_tx_get_next_wr_id(link);
-        rdma_wr.wr.sg_list = sges;
-        rdma_wr.wr.num_sge = num_sges;
-        rdma_wr.wr.opcode = IB_WR_RDMA_WRITE;
-        rdma_wr.remote_addr =
+        rdma_wr->wr.wr_id = smc_wr_tx_get_next_wr_id(link);
+        rdma_wr->wr.num_sge = num_sges;
+        rdma_wr->remote_addr =
                 lgr->rtokens[conn->rtoken_idx][SMC_SINGLE_LINK].dma_addr +
                 /* RMBE within RMB */
                 conn->tx_off +
                 /* offset within RMBE */
                 peer_rmbe_offset;
-        rdma_wr.rkey = lgr->rtokens[conn->rtoken_idx][SMC_SINGLE_LINK].rkey;
-        rc = ib_post_send(link->roce_qp, &rdma_wr.wr, NULL);
+        rdma_wr->rkey = lgr->rtokens[conn->rtoken_idx][SMC_SINGLE_LINK].rkey;
+        rc = ib_post_send(link->roce_qp, &rdma_wr->wr, NULL);
         if (rc) {
                 conn->local_tx_ctrl.conn_state_flags.peer_conn_abort = 1;
                 smc_lgr_terminate(lgr);
@@ -314,24 +309,25 @@ static inline void smc_tx_advance_cursors(struct smc_connection *conn,
 /* SMC-R helper for smc_tx_rdma_writes() */
 static int smcr_tx_rdma_writes(struct smc_connection *conn, size_t len,
                                size_t src_off, size_t src_len,
-                               size_t dst_off, size_t dst_len)
+                               size_t dst_off, size_t dst_len,
+                               struct smc_rdma_wr *wr_rdma_buf)
 {
         dma_addr_t dma_addr =
                 sg_dma_address(conn->sndbuf_desc->sgt[SMC_SINGLE_LINK].sgl);
-        struct smc_link *link = &conn->lgr->lnk[SMC_SINGLE_LINK];
         int src_len_sum = src_len, dst_len_sum = dst_len;
-        struct ib_sge sges[SMC_IB_MAX_SEND_SGE];
         int sent_count = src_off;
         int srcchunk, dstchunk;
         int num_sges;
         int rc;
 
         for (dstchunk = 0; dstchunk < 2; dstchunk++) {
+                struct ib_sge *sge =
+                        wr_rdma_buf->wr_tx_rdma[dstchunk].wr.sg_list;
+
                 num_sges = 0;
                 for (srcchunk = 0; srcchunk < 2; srcchunk++) {
-                        sges[srcchunk].addr = dma_addr + src_off;
-                        sges[srcchunk].length = src_len;
-                        sges[srcchunk].lkey = link->roce_pd->local_dma_lkey;
+                        sge[srcchunk].addr = dma_addr + src_off;
+                        sge[srcchunk].length = src_len;
                         num_sges++;
 
                         src_off += src_len;
@@ -344,7 +340,8 @@ static int smcr_tx_rdma_writes(struct smc_connection *conn, size_t len,
                         src_len = dst_len - src_len; /* remainder */
                         src_len_sum += src_len;
                 }
-                rc = smc_tx_rdma_write(conn, dst_off, num_sges, sges);
+                rc = smc_tx_rdma_write(conn, dst_off, num_sges,
+                                       &wr_rdma_buf->wr_tx_rdma[dstchunk]);
                 if (rc)
                         return rc;
                 if (dst_len_sum == len)
@@ -403,7 +400,8 @@ static int smcd_tx_rdma_writes(struct smc_connection *conn, size_t len,
 /* sndbuf consumer: prepare all necessary (src&dst) chunks of data transmit;
  * usable snd_wnd as max transmit
  */
-static int smc_tx_rdma_writes(struct smc_connection *conn)
+static int smc_tx_rdma_writes(struct smc_connection *conn,
+                              struct smc_rdma_wr *wr_rdma_buf)
 {
         size_t len, src_len, dst_off, dst_len; /* current chunk values */
         union smc_host_cursor sent, prep, prod, cons;
@@ -464,7 +462,7 @@ static int smc_tx_rdma_writes(struct smc_connection *conn)
                                          dst_off, dst_len);
         else
                 rc = smcr_tx_rdma_writes(conn, len, sent.count, src_len,
-                                         dst_off, dst_len);
+                                         dst_off, dst_len, wr_rdma_buf);
         if (rc)
                 return rc;
 
@@ -485,31 +483,30 @@ static int smc_tx_rdma_writes(struct smc_connection *conn)
 static int smcr_tx_sndbuf_nonempty(struct smc_connection *conn)
 {
         struct smc_cdc_producer_flags *pflags;
+        struct smc_rdma_wr *wr_rdma_buf;
         struct smc_cdc_tx_pend *pend;
         struct smc_wr_buf *wr_buf;
         int rc;
 
-        spin_lock_bh(&conn->send_lock);
-        rc = smc_cdc_get_free_slot(conn, &wr_buf, &pend);
+        rc = smc_cdc_get_free_slot(conn, &wr_buf, &wr_rdma_buf, &pend);
         if (rc < 0) {
                 if (rc == -EBUSY) {
                         struct smc_sock *smc =
                                 container_of(conn, struct smc_sock, conn);
 
-                        if (smc->sk.sk_err == ECONNABORTED) {
-                                rc = sock_error(&smc->sk);
-                                goto out_unlock;
-                        }
+                        if (smc->sk.sk_err == ECONNABORTED)
+                                return sock_error(&smc->sk);
                         rc = 0;
                         if (conn->alert_token_local) /* connection healthy */
                                 mod_delayed_work(system_wq, &conn->tx_work,
                                                  SMC_TX_WORK_DELAY);
                 }
-                goto out_unlock;
+                return rc;
         }
 
+        spin_lock_bh(&conn->send_lock);
         if (!conn->local_tx_ctrl.prod_flags.urg_data_present) {
-                rc = smc_tx_rdma_writes(conn);
+                rc = smc_tx_rdma_writes(conn, wr_rdma_buf);
                 if (rc) {
                         smc_wr_tx_put_slot(&conn->lgr->lnk[SMC_SINGLE_LINK],
                                            (struct smc_wr_tx_pend_priv *)pend);
@@ -536,7 +533,7 @@ static int smcd_tx_sndbuf_nonempty(struct smc_connection *conn)
 
         spin_lock_bh(&conn->send_lock);
         if (!pflags->urg_data_present)
-                rc = smc_tx_rdma_writes(conn);
+                rc = smc_tx_rdma_writes(conn, NULL);
         if (!rc)
                 rc = smcd_cdc_msg_send(conn);
 
@@ -598,7 +595,8 @@ void smc_tx_consumer_update(struct smc_connection *conn, bool force)
         if (to_confirm > conn->rmbe_update_limit) {
                 smc_curs_copy(&prod, &conn->local_rx_ctrl.prod, conn);
                 sender_free = conn->rmb_desc->len -
-                              smc_curs_diff(conn->rmb_desc->len, &prod, &cfed);
+                              smc_curs_diff_large(conn->rmb_desc->len,
+                                                  &cfed, &prod);
         }
 
         if (conn->local_rx_ctrl.prod_flags.cons_curs_upd_req ||
diff --git a/net/smc/smc_wr.c b/net/smc/smc_wr.c
index c2694750a6a8..253aa75dc2b6 100644
--- a/net/smc/smc_wr.c
+++ b/net/smc/smc_wr.c
@@ -160,6 +160,7 @@ static inline int smc_wr_tx_get_free_slot_index(struct smc_link *link, u32 *idx)
  * @link:               Pointer to smc_link used to later send the message.
  * @handler:            Send completion handler function pointer.
  * @wr_buf:             Out value returns pointer to message buffer.
+ * @wr_rdma_buf:        Out value returns pointer to rdma work request.
  * @wr_pend_priv:       Out value returns pointer serving as handler context.
  *
  * Return: 0 on success, or -errno on error.
@@ -167,6 +168,7 @@ static inline int smc_wr_tx_get_free_slot_index(struct smc_link *link, u32 *idx)
 int smc_wr_tx_get_free_slot(struct smc_link *link,
                             smc_wr_tx_handler handler,
                             struct smc_wr_buf **wr_buf,
+                            struct smc_rdma_wr **wr_rdma_buf,
                             struct smc_wr_tx_pend_priv **wr_pend_priv)
 {
         struct smc_wr_tx_pend *wr_pend;
@@ -204,6 +206,8 @@ int smc_wr_tx_get_free_slot(struct smc_link *link,
         wr_ib = &link->wr_tx_ibs[idx];
         wr_ib->wr_id = wr_id;
         *wr_buf = &link->wr_tx_bufs[idx];
+        if (wr_rdma_buf)
+                *wr_rdma_buf = &link->wr_tx_rdmas[idx];
         *wr_pend_priv = &wr_pend->priv;
         return 0;
 }
@@ -218,10 +222,10 @@ int smc_wr_tx_put_slot(struct smc_link *link,
                 u32 idx = pend->idx;
 
                 /* clear the full struct smc_wr_tx_pend including .priv */
-                memset(&link->wr_tx_pends[pend->idx], 0,
-                       sizeof(link->wr_tx_pends[pend->idx]));
-                memset(&link->wr_tx_bufs[pend->idx], 0,
-                       sizeof(link->wr_tx_bufs[pend->idx]));
+                memset(&link->wr_tx_pends[idx], 0,
+                       sizeof(link->wr_tx_pends[idx]));
+                memset(&link->wr_tx_bufs[idx], 0,
+                       sizeof(link->wr_tx_bufs[idx]));
                 test_and_clear_bit(idx, link->wr_tx_mask);
                 return 1;
         }
@@ -465,12 +469,26 @@ static void smc_wr_init_sge(struct smc_link *lnk)
                         lnk->wr_tx_dma_addr + i * SMC_WR_BUF_SIZE;
                 lnk->wr_tx_sges[i].length = SMC_WR_TX_SIZE;
                 lnk->wr_tx_sges[i].lkey = lnk->roce_pd->local_dma_lkey;
+                lnk->wr_tx_rdma_sges[i].tx_rdma_sge[0].wr_tx_rdma_sge[0].lkey =
+                        lnk->roce_pd->local_dma_lkey;
+                lnk->wr_tx_rdma_sges[i].tx_rdma_sge[0].wr_tx_rdma_sge[1].lkey =
+                        lnk->roce_pd->local_dma_lkey;
+                lnk->wr_tx_rdma_sges[i].tx_rdma_sge[1].wr_tx_rdma_sge[0].lkey =
+                        lnk->roce_pd->local_dma_lkey;
+                lnk->wr_tx_rdma_sges[i].tx_rdma_sge[1].wr_tx_rdma_sge[1].lkey =
+                        lnk->roce_pd->local_dma_lkey;
                 lnk->wr_tx_ibs[i].next = NULL;
                 lnk->wr_tx_ibs[i].sg_list = &lnk->wr_tx_sges[i];
                 lnk->wr_tx_ibs[i].num_sge = 1;
                 lnk->wr_tx_ibs[i].opcode = IB_WR_SEND;
                 lnk->wr_tx_ibs[i].send_flags =
                         IB_SEND_SIGNALED | IB_SEND_SOLICITED;
+                lnk->wr_tx_rdmas[i].wr_tx_rdma[0].wr.opcode = IB_WR_RDMA_WRITE;
+                lnk->wr_tx_rdmas[i].wr_tx_rdma[1].wr.opcode = IB_WR_RDMA_WRITE;
+                lnk->wr_tx_rdmas[i].wr_tx_rdma[0].wr.sg_list =
+                        lnk->wr_tx_rdma_sges[i].tx_rdma_sge[0].wr_tx_rdma_sge;
+                lnk->wr_tx_rdmas[i].wr_tx_rdma[1].wr.sg_list =
+                        lnk->wr_tx_rdma_sges[i].tx_rdma_sge[1].wr_tx_rdma_sge;
         }
         for (i = 0; i < lnk->wr_rx_cnt; i++) {
                 lnk->wr_rx_sges[i].addr =
@@ -521,8 +539,12 @@ void smc_wr_free_link_mem(struct smc_link *lnk)
         lnk->wr_tx_mask = NULL;
         kfree(lnk->wr_tx_sges);
         lnk->wr_tx_sges = NULL;
+        kfree(lnk->wr_tx_rdma_sges);
+        lnk->wr_tx_rdma_sges = NULL;
         kfree(lnk->wr_rx_sges);
         lnk->wr_rx_sges = NULL;
+        kfree(lnk->wr_tx_rdmas);
+        lnk->wr_tx_rdmas = NULL;
         kfree(lnk->wr_rx_ibs);
         lnk->wr_rx_ibs = NULL;
         kfree(lnk->wr_tx_ibs);
@@ -552,10 +574,20 @@ int smc_wr_alloc_link_mem(struct smc_link *link)
                                   GFP_KERNEL);
         if (!link->wr_rx_ibs)
                 goto no_mem_wr_tx_ibs;
+        link->wr_tx_rdmas = kcalloc(SMC_WR_BUF_CNT,
+                                    sizeof(link->wr_tx_rdmas[0]),
+                                    GFP_KERNEL);
+        if (!link->wr_tx_rdmas)
+                goto no_mem_wr_rx_ibs;
+        link->wr_tx_rdma_sges = kcalloc(SMC_WR_BUF_CNT,
+                                        sizeof(link->wr_tx_rdma_sges[0]),
+                                        GFP_KERNEL);
+        if (!link->wr_tx_rdma_sges)
+                goto no_mem_wr_tx_rdmas;
         link->wr_tx_sges = kcalloc(SMC_WR_BUF_CNT, sizeof(link->wr_tx_sges[0]),
                                    GFP_KERNEL);
         if (!link->wr_tx_sges)
-                goto no_mem_wr_rx_ibs;
+                goto no_mem_wr_tx_rdma_sges;
         link->wr_rx_sges = kcalloc(SMC_WR_BUF_CNT * 3,
                                    sizeof(link->wr_rx_sges[0]),
                                    GFP_KERNEL);
@@ -579,6 +611,10 @@ no_mem_wr_rx_sges:
         kfree(link->wr_rx_sges);
 no_mem_wr_tx_sges:
         kfree(link->wr_tx_sges);
+no_mem_wr_tx_rdma_sges:
+        kfree(link->wr_tx_rdma_sges);
+no_mem_wr_tx_rdmas:
+        kfree(link->wr_tx_rdmas);
 no_mem_wr_rx_ibs:
         kfree(link->wr_rx_ibs);
 no_mem_wr_tx_ibs:
diff --git a/net/smc/smc_wr.h b/net/smc/smc_wr.h
index 1d85bb14fd6f..09bf32fd3959 100644
--- a/net/smc/smc_wr.h
+++ b/net/smc/smc_wr.h
@@ -85,6 +85,7 @@ void smc_wr_add_dev(struct smc_ib_device *smcibdev);
 
 int smc_wr_tx_get_free_slot(struct smc_link *link, smc_wr_tx_handler handler,
                             struct smc_wr_buf **wr_buf,
+                            struct smc_rdma_wr **wrs,
                             struct smc_wr_tx_pend_priv **wr_pend_priv);
 int smc_wr_tx_put_slot(struct smc_link *link,
                        struct smc_wr_tx_pend_priv *wr_pend_priv);
diff --git a/net/socket.c b/net/socket.c
index e89884e2197b..d80d87a395ea 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -941,8 +941,7 @@ void dlci_ioctl_set(int (*hook) (unsigned int, void __user *))
 EXPORT_SYMBOL(dlci_ioctl_set);
 
 static long sock_do_ioctl(struct net *net, struct socket *sock,
-                          unsigned int cmd, unsigned long arg,
-                          unsigned int ifreq_size)
+                          unsigned int cmd, unsigned long arg)
 {
         int err;
         void __user *argp = (void __user *)arg;
@@ -968,11 +967,11 @@ static long sock_do_ioctl(struct net *net, struct socket *sock,
         } else {
                 struct ifreq ifr;
                 bool need_copyout;
-                if (copy_from_user(&ifr, argp, ifreq_size))
+                if (copy_from_user(&ifr, argp, sizeof(struct ifreq)))
                         return -EFAULT;
                 err = dev_ioctl(net, cmd, &ifr, &need_copyout);
                 if (!err && need_copyout)
-                        if (copy_to_user(argp, &ifr, ifreq_size))
+                        if (copy_to_user(argp, &ifr, sizeof(struct ifreq)))
                                 return -EFAULT;
         }
         return err;
@@ -1071,8 +1070,7 @@ static long sock_ioctl(struct file *file, unsigned cmd, unsigned long arg)
                         err = open_related_ns(&net->ns, get_net_ns);
                         break;
                 default:
-                        err = sock_do_ioctl(net, sock, cmd, arg,
-                                            sizeof(struct ifreq));
+                        err = sock_do_ioctl(net, sock, cmd, arg);
                         break;
                 }
         return err;
@@ -2780,8 +2778,7 @@ static int do_siocgstamp(struct net *net, struct socket *sock,
         int err;
 
         set_fs(KERNEL_DS);
-        err = sock_do_ioctl(net, sock, cmd, (unsigned long)&ktv,
-                            sizeof(struct compat_ifreq));
+        err = sock_do_ioctl(net, sock, cmd, (unsigned long)&ktv);
         set_fs(old_fs);
         if (!err)
                 err = compat_put_timeval(&ktv, up);
@@ -2797,8 +2794,7 @@ static int do_siocgstampns(struct net *net, struct socket *sock,
         int err;
 
         set_fs(KERNEL_DS);
-        err = sock_do_ioctl(net, sock, cmd, (unsigned long)&kts,
-                            sizeof(struct compat_ifreq));
+        err = sock_do_ioctl(net, sock, cmd, (unsigned long)&kts);
         set_fs(old_fs);
         if (!err)
                 err = compat_put_timespec(&kts, up);
@@ -2994,6 +2990,54 @@ static int compat_ifr_data_ioctl(struct net *net, unsigned int cmd,
         return dev_ioctl(net, cmd, &ifreq, NULL);
 }
 
+static int compat_ifreq_ioctl(struct net *net, struct socket *sock,
+                              unsigned int cmd,
+                              struct compat_ifreq __user *uifr32)
+{
+        struct ifreq __user *uifr;
+        int err;
+
+        /* Handle the fact that while struct ifreq has the same *layout* on
+         * 32/64 for everything but ifreq::ifru_ifmap and ifreq::ifru_data,
+         * which are handled elsewhere, it still has different *size* due to
+         * ifreq::ifru_ifmap (which is 16 bytes on 32 bit, 24 bytes on 64-bit,
+         * resulting in struct ifreq being 32 and 40 bytes respectively).
+         * As a result, if the struct happens to be at the end of a page and
+         * the next page isn't readable/writable, we get a fault. To prevent
+         * that, copy back and forth to the full size.
+         */
+
+        uifr = compat_alloc_user_space(sizeof(*uifr));
+        if (copy_in_user(uifr, uifr32, sizeof(*uifr32)))
+                return -EFAULT;
+
+        err = sock_do_ioctl(net, sock, cmd, (unsigned long)uifr);
+
+        if (!err) {
+                switch (cmd) {
+                case SIOCGIFFLAGS:
+                case SIOCGIFMETRIC:
+                case SIOCGIFMTU:
+                case SIOCGIFMEM:
+                case SIOCGIFHWADDR:
+                case SIOCGIFINDEX:
+                case SIOCGIFADDR:
+                case SIOCGIFBRDADDR:
+                case SIOCGIFDSTADDR:
+                case SIOCGIFNETMASK:
+                case SIOCGIFPFLAGS:
+                case SIOCGIFTXQLEN:
+                case SIOCGMIIPHY:
+                case SIOCGMIIREG:
+                case SIOCGIFNAME:
+                        if (copy_in_user(uifr32, uifr, sizeof(*uifr32)))
+                                err = -EFAULT;
+                        break;
+                }
+        }
+        return err;
+}
+
 static int compat_sioc_ifmap(struct net *net, unsigned int cmd,
                         struct compat_ifreq __user *uifr32)
 {
@@ -3109,8 +3153,7 @@ static int routing_ioctl(struct net *net, struct socket *sock,
         }
 
         set_fs(KERNEL_DS);
-        ret = sock_do_ioctl(net, sock, cmd, (unsigned long) r,
-                            sizeof(struct compat_ifreq));
+        ret = sock_do_ioctl(net, sock, cmd, (unsigned long) r);
         set_fs(old_fs);
 
 out:
@@ -3210,21 +3253,22 @@ static int compat_sock_ioctl_trans(struct file *file, struct socket *sock,
         case SIOCSIFTXQLEN:
         case SIOCBRADDIF:
         case SIOCBRDELIF:
+        case SIOCGIFNAME:
         case SIOCSIFNAME:
         case SIOCGMIIPHY:
         case SIOCGMIIREG:
         case SIOCSMIIREG:
-        case SIOCSARP:
-        case SIOCGARP:
-        case SIOCDARP:
-        case SIOCATMARK:
         case SIOCBONDENSLAVE:
         case SIOCBONDRELEASE:
         case SIOCBONDSETHWADDR:
         case SIOCBONDCHANGEACTIVE:
-        case SIOCGIFNAME:
-                return sock_do_ioctl(net, sock, cmd, arg,
-                                     sizeof(struct compat_ifreq));
+                return compat_ifreq_ioctl(net, sock, cmd, argp);
+
+        case SIOCSARP:
+        case SIOCGARP:
+        case SIOCDARP:
+        case SIOCATMARK:
+                return sock_do_ioctl(net, sock, cmd, arg);
         }
 
         return -ENOIOCTLCMD;
diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c
index 1ff9768f5456..f3023bbc0b7f 100644
--- a/net/sunrpc/auth.c
+++ b/net/sunrpc/auth.c
@@ -41,6 +41,9 @@ static unsigned long number_cred_unused;
 
 static struct cred machine_cred = {
         .usage = ATOMIC_INIT(1),
+#ifdef CONFIG_DEBUG_CREDENTIALS
+        .magic = CRED_MAGIC,
+#endif
 };
 
 /*
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index dc86713b32b6..1531b0219344 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -1549,8 +1549,10 @@ gss_marshal(struct rpc_task *task, __be32 *p)
         cred_len = p++;
 
         spin_lock(&ctx->gc_seq_lock);
-        req->rq_seqno = ctx->gc_seq++;
+        req->rq_seqno = (ctx->gc_seq < MAXSEQ) ? ctx->gc_seq++ : MAXSEQ;
         spin_unlock(&ctx->gc_seq_lock);
+        if (req->rq_seqno == MAXSEQ)
+                goto out_expired;
 
         *p++ = htonl((u32) RPC_GSS_VERSION);
         *p++ = htonl((u32) ctx->gc_proc);
@@ -1572,14 +1574,18 @@ gss_marshal(struct rpc_task *task, __be32 *p)
         mic.data = (u8 *)(p + 1);
         maj_stat = gss_get_mic(ctx->gc_gss_ctx, &verf_buf, &mic);
         if (maj_stat == GSS_S_CONTEXT_EXPIRED) {
-                clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
+                goto out_expired;
         } else if (maj_stat != 0) {
-                printk("gss_marshal: gss_get_mic FAILED (%d)\n", maj_stat);
+                pr_warn("gss_marshal: gss_get_mic FAILED (%d)\n", maj_stat);
+                task->tk_status = -EIO;
                 goto out_put_ctx;
         }
         p = xdr_encode_opaque(p, NULL, mic.len);
         gss_put_ctx(ctx);
         return p;
+out_expired:
+        clear_bit(RPCAUTH_CRED_UPTODATE, &cred->cr_flags);
+        task->tk_status = -EKEYEXPIRED;
 out_put_ctx:
         gss_put_ctx(ctx);
         return NULL;
diff --git a/net/sunrpc/auth_gss/gss_krb5_seqnum.c b/net/sunrpc/auth_gss/gss_krb5_seqnum.c
index fb6656295204..507105127095 100644
--- a/net/sunrpc/auth_gss/gss_krb5_seqnum.c
+++ b/net/sunrpc/auth_gss/gss_krb5_seqnum.c
@@ -44,7 +44,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *kctx, int direction, s32 seqnum,
                       unsigned char *cksum, unsigned char *buf)
 {
         struct crypto_sync_skcipher *cipher;
-        unsigned char plain[8];
+        unsigned char *plain;
         s32 code;
 
         dprintk("RPC:       %s:\n", __func__);
@@ -52,6 +52,10 @@ krb5_make_rc4_seq_num(struct krb5_ctx *kctx, int direction, s32 seqnum,
         if (IS_ERR(cipher))
                 return PTR_ERR(cipher);
 
+        plain = kmalloc(8, GFP_NOFS);
+        if (!plain)
+                return -ENOMEM;
+
         plain[0] = (unsigned char) ((seqnum >> 24) & 0xff);
         plain[1] = (unsigned char) ((seqnum >> 16) & 0xff);
         plain[2] = (unsigned char) ((seqnum >> 8) & 0xff);
@@ -67,6 +71,7 @@ krb5_make_rc4_seq_num(struct krb5_ctx *kctx, int direction, s32 seqnum,
 
         code = krb5_encrypt(cipher, cksum, plain, buf, 8);
 out:
+        kfree(plain);
         crypto_free_sync_skcipher(cipher);
         return code;
 }
@@ -77,12 +82,17 @@ krb5_make_seq_num(struct krb5_ctx *kctx,
                 u32 seqnum,
                 unsigned char *cksum, unsigned char *buf)
 {
-        unsigned char plain[8];
+        unsigned char *plain;
+        s32 code;
 
         if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
                 return krb5_make_rc4_seq_num(kctx, direction, seqnum,
                                              cksum, buf);
 
+        plain = kmalloc(8, GFP_NOFS);
+        if (!plain)
+                return -ENOMEM;
+
         plain[0] = (unsigned char) (seqnum & 0xff);
         plain[1] = (unsigned char) ((seqnum >> 8) & 0xff);
         plain[2] = (unsigned char) ((seqnum >> 16) & 0xff);
@@ -93,7 +103,9 @@ krb5_make_seq_num(struct krb5_ctx *kctx,
         plain[6] = direction;
         plain[7] = direction;
 
-        return krb5_encrypt(key, cksum, plain, buf, 8);
+        code = krb5_encrypt(key, cksum, plain, buf, 8);
+        kfree(plain);
+        return code;
 }
 
 static s32
@@ -101,7 +113,7 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kctx, unsigned char *cksum,
                      unsigned char *buf, int *direction, s32 *seqnum)
 {
         struct crypto_sync_skcipher *cipher;
-        unsigned char plain[8];
+        unsigned char *plain;
         s32 code;
 
         dprintk("RPC:       %s:\n", __func__);
@@ -113,20 +125,28 @@ krb5_get_rc4_seq_num(struct krb5_ctx *kctx, unsigned char *cksum,
         if (code)
                 goto out;
 
+        plain = kmalloc(8, GFP_NOFS);
+        if (!plain) {
+                code = -ENOMEM;
+                goto out;
+        }
+
         code = krb5_decrypt(cipher, cksum, buf, plain, 8);
         if (code)
-                goto out;
+                goto out_plain;
 
         if ((plain[4] != plain[5]) || (plain[4] != plain[6])
                                    || (plain[4] != plain[7])) {
                 code = (s32)KG_BAD_SEQ;
-                goto out;
+                goto out_plain;
         }
 
         *direction = plain[4];
 
         *seqnum = ((plain[0] << 24) | (plain[1] << 16) |
                                         (plain[2] << 8) | (plain[3]));
+out_plain:
+        kfree(plain);
 out:
         crypto_free_sync_skcipher(cipher);
         return code;
@@ -139,7 +159,7 @@ krb5_get_seq_num(struct krb5_ctx *kctx,
                int *direction, u32 *seqnum)
 {
         s32 code;
-        unsigned char plain[8];
+        unsigned char *plain;
         struct crypto_sync_skcipher *key = kctx->seq;
 
         dprintk("RPC:       krb5_get_seq_num:\n");
@@ -147,18 +167,25 @@ krb5_get_seq_num(struct krb5_ctx *kctx,
         if (kctx->enctype == ENCTYPE_ARCFOUR_HMAC)
                 return krb5_get_rc4_seq_num(kctx, cksum, buf,
                                             direction, seqnum);
+        plain = kmalloc(8, GFP_NOFS);
+        if (!plain)
+                return -ENOMEM;
 
         if ((code = krb5_decrypt(key, cksum, buf, plain, 8)))
-                return code;
+                goto out;
 
         if ((plain[4] != plain[5]) || (plain[4] != plain[6]) ||
-            (plain[4] != plain[7]))
-                return (s32)KG_BAD_SEQ;
+            (plain[4] != plain[7])) {
+                code = (s32)KG_BAD_SEQ;
+                goto out;
+        }
 
         *direction = plain[4];
 
         *seqnum = ((plain[0]) |
                    (plain[1] << 8) | (plain[2] << 16) | (plain[3] << 24));
 
-        return 0;
+out:
+        kfree(plain);
+        return code;
 }
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index 71d9599b5816..d7ec6132c046 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -1739,14 +1739,10 @@ rpc_xdr_encode(struct rpc_task *task)
         xdr_buf_init(&req->rq_rcv_buf,
                      req->rq_rbuffer,
                      req->rq_rcvsize);
-        req->rq_bytes_sent = 0;
 
         p = rpc_encode_header(task);
-        if (p == NULL) {
-                printk(KERN_INFO "RPC: couldn't encode RPC header, exit EIO\n");
-                rpc_exit(task, -EIO);
+        if (p == NULL)
                 return;
-        }
 
         encode = task->tk_msg.rpc_proc->p_encode;
         if (encode == NULL)
@@ -1771,10 +1767,17 @@ call_encode(struct rpc_task *task)
         /* Did the encode result in an error condition? */
         if (task->tk_status != 0) {
                 /* Was the error nonfatal? */
-                if (task->tk_status == -EAGAIN || task->tk_status == -ENOMEM)
+                switch (task->tk_status) {
+                case -EAGAIN:
+                case -ENOMEM:
                         rpc_delay(task, HZ >> 4);
-                else
+                        break;
+                case -EKEYEXPIRED:
+                        task->tk_action = call_refresh;
+                        break;
+                default:
                         rpc_exit(task, task->tk_status);
+                }
                 return;
         }
 
@@ -2336,7 +2339,8 @@ rpc_encode_header(struct rpc_task *task)
         *p++ = htonl(clnt->cl_vers);    /* program version */
         *p++ = htonl(task->tk_msg.rpc_proc->p_proc);    /* procedure */
         p = rpcauth_marshcred(task, p);
-        req->rq_slen = xdr_adjust_iovec(&req->rq_svec[0], p);
+        if (p)
+                req->rq_slen = xdr_adjust_iovec(&req->rq_svec[0], p);
         return p;
 }
 
diff --git a/net/sunrpc/debugfs.c b/net/sunrpc/debugfs.c
index 45a033329cd4..19bb356230ed 100644
--- a/net/sunrpc/debugfs.c
+++ b/net/sunrpc/debugfs.c
@@ -146,7 +146,7 @@ rpc_clnt_debugfs_register(struct rpc_clnt *clnt)
         rcu_read_lock();
         xprt = rcu_dereference(clnt->cl_xprt);
         /* no "debugfs" dentry? Don't bother with the symlink. */
-        if (!xprt->debugfs) {
+        if (IS_ERR_OR_NULL(xprt->debugfs)) {
                 rcu_read_unlock();
                 return;
         }
diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
index 73547d17d3c6..f1ec2110efeb 100644
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -1151,6 +1151,7 @@ xprt_request_enqueue_transmit(struct rpc_task *task)
         struct rpc_xprt *xprt = req->rq_xprt;
 
         if (xprt_request_need_enqueue_transmit(task, req)) {
+                req->rq_bytes_sent = 0;
                 spin_lock(&xprt->queue_lock);
                 /*
                  * Requests that carry congestion control credits are added
@@ -1177,7 +1178,7 @@ xprt_request_enqueue_transmit(struct rpc_task *task)
                                 INIT_LIST_HEAD(&req->rq_xmit2);
                                 goto out;
                         }
-                } else {
+                } else if (!req->rq_seqno) {
                         list_for_each_entry(pos, &xprt->xmit_queue, rq_xmit) {
                                 if (pos->rq_task->tk_owner != task->tk_owner)
                                         continue;
diff --git a/net/sunrpc/xprtrdma/svc_rdma_sendto.c b/net/sunrpc/xprtrdma/svc_rdma_sendto.c
index cf51b8f9b15f..1f200119268c 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_sendto.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_sendto.c
@@ -537,6 +537,99 @@ void svc_rdma_sync_reply_hdr(struct svcxprt_rdma *rdma,
                                       DMA_TO_DEVICE);
 }
 
+/* If the xdr_buf has more elements than the device can
+ * transmit in a single RDMA Send, then the reply will
+ * have to be copied into a bounce buffer.
+ */
+static bool svc_rdma_pull_up_needed(struct svcxprt_rdma *rdma,
+                                    struct xdr_buf *xdr,
+                                    __be32 *wr_lst)
+{
+        int elements;
+
+        /* xdr->head */
+        elements = 1;
+
+        /* xdr->pages */
+        if (!wr_lst) {
+                unsigned int remaining;
+                unsigned long pageoff;
+
+                pageoff = xdr->page_base & ~PAGE_MASK;
+                remaining = xdr->page_len;
+                while (remaining) {
+                        ++elements;
+                        remaining -= min_t(u32, PAGE_SIZE - pageoff,
+                                           remaining);
+                        pageoff = 0;
+                }
+        }
+
+        /* xdr->tail */
+        if (xdr->tail[0].iov_len)
+                ++elements;
+
+        /* assume 1 SGE is needed for the transport header */
+        return elements >= rdma->sc_max_send_sges;
+}
+
+/* The device is not capable of sending the reply directly.
+ * Assemble the elements of @xdr into the transport header
+ * buffer.
+ */
+static int svc_rdma_pull_up_reply_msg(struct svcxprt_rdma *rdma,
+                                      struct svc_rdma_send_ctxt *ctxt,
+                                      struct xdr_buf *xdr, __be32 *wr_lst)
+{
+        unsigned char *dst, *tailbase;
+        unsigned int taillen;
+
+        dst = ctxt->sc_xprt_buf;
+        dst += ctxt->sc_sges[0].length;
+
+        memcpy(dst, xdr->head[0].iov_base, xdr->head[0].iov_len);
+        dst += xdr->head[0].iov_len;
+
+        tailbase = xdr->tail[0].iov_base;
+        taillen = xdr->tail[0].iov_len;
+        if (wr_lst) {
+                u32 xdrpad;
+
+                xdrpad = xdr_padsize(xdr->page_len);
+                if (taillen && xdrpad) {
+                        tailbase += xdrpad;
+                        taillen -= xdrpad;
+                }
+        } else {
+                unsigned int len, remaining;
+                unsigned long pageoff;
+                struct page **ppages;
+
+                ppages = xdr->pages + (xdr->page_base >> PAGE_SHIFT);
+                pageoff = xdr->page_base & ~PAGE_MASK;
+                remaining = xdr->page_len;
+                while (remaining) {
+                        len = min_t(u32, PAGE_SIZE - pageoff, remaining);
+
+                        memcpy(dst, page_address(*ppages), len);
+                        remaining -= len;
+                        dst += len;
+                        pageoff = 0;
+                }
+        }
+
+        if (taillen)
+                memcpy(dst, tailbase, taillen);
+
+        ctxt->sc_sges[0].length += xdr->len;
+        ib_dma_sync_single_for_device(rdma->sc_pd->device,
+                                      ctxt->sc_sges[0].addr,
+                                      ctxt->sc_sges[0].length,
+                                      DMA_TO_DEVICE);
+
+        return 0;
+}
+
 /* svc_rdma_map_reply_msg - Map the buffer holding RPC message
  * @rdma: controlling transport
  * @ctxt: send_ctxt for the Send WR
@@ -559,8 +652,10 @@ int svc_rdma_map_reply_msg(struct svcxprt_rdma *rdma,
         u32 xdr_pad;
         int ret;
 
-        if (++ctxt->sc_cur_sge_no >= rdma->sc_max_send_sges)
-                return -EIO;
+        if (svc_rdma_pull_up_needed(rdma, xdr, wr_lst))
+                return svc_rdma_pull_up_reply_msg(rdma, ctxt, xdr, wr_lst);
+
+        ++ctxt->sc_cur_sge_no;
         ret = svc_rdma_dma_map_buf(rdma, ctxt,
                                    xdr->head[0].iov_base,
                                    xdr->head[0].iov_len);
@@ -591,8 +686,7 @@ int svc_rdma_map_reply_msg(struct svcxprt_rdma *rdma,
         while (remaining) {
                 len = min_t(u32, PAGE_SIZE - page_off, remaining);
 
-                if (++ctxt->sc_cur_sge_no >= rdma->sc_max_send_sges)
-                        return -EIO;
+                ++ctxt->sc_cur_sge_no;
                 ret = svc_rdma_dma_map_page(rdma, ctxt, *ppages++,
                                             page_off, len);
                 if (ret < 0)
@@ -606,8 +700,7 @@ int svc_rdma_map_reply_msg(struct svcxprt_rdma *rdma,
         len = xdr->tail[0].iov_len;
 tail:
         if (len) {
-                if (++ctxt->sc_cur_sge_no >= rdma->sc_max_send_sges)
-                        return -EIO;
+                ++ctxt->sc_cur_sge_no;
                 ret = svc_rdma_dma_map_buf(rdma, ctxt, base, len);
                 if (ret < 0)
                         return ret;
diff --git a/net/sunrpc/xprtrdma/svc_rdma_transport.c b/net/sunrpc/xprtrdma/svc_rdma_transport.c
index 924c17d46903..57f86c63a463 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_transport.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_transport.c
@@ -419,12 +419,9 @@ static struct svc_xprt *svc_rdma_accept(struct svc_xprt *xprt)
         /* Transport header, head iovec, tail iovec */
         newxprt->sc_max_send_sges = 3;
         /* Add one SGE per page list entry */
-        newxprt->sc_max_send_sges += svcrdma_max_req_size / PAGE_SIZE;
-        if (newxprt->sc_max_send_sges > dev->attrs.max_send_sge) {
-                pr_err("svcrdma: too few Send SGEs available (%d needed)\n",
-                       newxprt->sc_max_send_sges);
-                goto errout;
-        }
+        newxprt->sc_max_send_sges += (svcrdma_max_req_size / PAGE_SIZE) + 1;
+        if (newxprt->sc_max_send_sges > dev->attrs.max_send_sge)
+                newxprt->sc_max_send_sges = dev->attrs.max_send_sge;
         newxprt->sc_max_req_size = svcrdma_max_req_size;
         newxprt->sc_max_requests = svcrdma_max_requests;
         newxprt->sc_max_bc_requests = svcrdma_max_bc_requests;
diff --git a/net/sunrpc/xprtrdma/verbs.c b/net/sunrpc/xprtrdma/verbs.c
index 7749a2bf6887..21113bfd4eca 100644
--- a/net/sunrpc/xprtrdma/verbs.c
+++ b/net/sunrpc/xprtrdma/verbs.c
@@ -527,7 +527,8 @@ rpcrdma_ep_create(struct rpcrdma_ep *ep, struct rpcrdma_ia *ia,
 
         sendcq = ib_alloc_cq(ia->ri_device, NULL,
                              ep->rep_attr.cap.max_send_wr + 1,
-                             1, IB_POLL_WORKQUEUE);
+                             ia->ri_device->num_comp_vectors > 1 ? 1 : 0,
+                             IB_POLL_WORKQUEUE);
         if (IS_ERR(sendcq)) {
                 rc = PTR_ERR(sendcq);
                 goto out1;
@@ -845,17 +846,13 @@ static int rpcrdma_sendctxs_create(struct rpcrdma_xprt *r_xprt)
         for (i = 0; i <= buf->rb_sc_last; i++) {
                 sc = rpcrdma_sendctx_create(&r_xprt->rx_ia);
                 if (!sc)
-                        goto out_destroy;
+                        return -ENOMEM;
 
                 sc->sc_xprt = r_xprt;
                 buf->rb_sc_ctxs[i] = sc;
         }
 
         return 0;
-
-out_destroy:
-        rpcrdma_sendctxs_destroy(buf);
-        return -ENOMEM;
 }
 
 /* The sendctx queue is not guaranteed to have a size that is a
@@ -1113,8 +1110,10 @@ rpcrdma_buffer_create(struct rpcrdma_xprt *r_xprt)
                                                 WQ_MEM_RECLAIM | WQ_HIGHPRI,
                                                 0,
                         r_xprt->rx_xprt.address_strings[RPC_DISPLAY_ADDR]);
-        if (!buf->rb_completion_wq)
+        if (!buf->rb_completion_wq) {
+                rc = -ENOMEM;
                 goto out;
+        }
 
         return 0;
 out:
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 13559e6a460b..7754aa3e434f 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -48,6 +48,7 @@
 #include <net/udp.h>
 #include <net/tcp.h>
 #include <linux/bvec.h>
+#include <linux/highmem.h>
 #include <linux/uio.h>
 
 #include <trace/events/sunrpc.h>
@@ -376,6 +377,26 @@ xs_read_discard(struct socket *sock, struct msghdr *msg, int flags,
         return sock_recvmsg(sock, msg, flags);
 }
 
+#if ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE
+static void
+xs_flush_bvec(const struct bio_vec *bvec, size_t count, size_t seek)
+{
+        struct bvec_iter bi = {
+                .bi_size = count,
+        };
+        struct bio_vec bv;
+
+        bvec_iter_advance(bvec, &bi, seek & PAGE_MASK);
+        for_each_bvec(bv, bvec, bi, bi)
+                flush_dcache_page(bv.bv_page);
+}
+#else
+static inline void
+xs_flush_bvec(const struct bio_vec *bvec, size_t count, size_t seek)
+{
+}
+#endif
+
 static ssize_t
 xs_read_xdr_buf(struct socket *sock, struct msghdr *msg, int flags,
                 struct xdr_buf *buf, size_t count, size_t seek, size_t *read)
@@ -409,6 +430,7 @@ xs_read_xdr_buf(struct socket *sock, struct msghdr *msg, int flags,
                                 seek + buf->page_base);
                 if (ret <= 0)
                         goto sock_err;
+                xs_flush_bvec(buf->bvec, ret, seek + buf->page_base);
                 offset += ret - buf->page_base;
                 if (offset == count || msg->msg_flags & (MSG_EOR|MSG_TRUNC))
                         goto out;
diff --git a/net/tipc/link.c b/net/tipc/link.c
index 2792a3cae682..85ad5c0678d0 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -1145,7 +1145,7 @@ static bool tipc_data_input(struct tipc_link *l, struct sk_buff *skb,
         default:
                 pr_warn("Dropping received illegal msg type\n");
                 kfree_skb(skb);
-                return false;
+                return true;
         };
 }
 
@@ -1425,6 +1425,10 @@ static void tipc_link_build_proto_msg(struct tipc_link *l, int mtyp, bool probe,
                 l->rcv_unacked = 0;
         } else {
                 /* RESET_MSG or ACTIVATE_MSG */
+                if (mtyp == ACTIVATE_MSG) {
+                        msg_set_dest_session_valid(hdr, 1);
+                        msg_set_dest_session(hdr, l->peer_session);
+                }
                 msg_set_max_pkt(hdr, l->advertised_mtu);
                 strcpy(data, l->if_name);
                 msg_set_size(hdr, INT_H_SIZE + TIPC_MAX_IF_NAME);
@@ -1642,6 +1646,17 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
                         rc = tipc_link_fsm_evt(l, LINK_FAILURE_EVT);
                         break;
                 }
+
+                /* If this endpoint was re-created while peer was ESTABLISHING
+                 * it doesn't know current session number. Force re-synch.
+                 */
+                if (mtyp == ACTIVATE_MSG && msg_dest_session_valid(hdr) &&
+                    l->session != msg_dest_session(hdr)) {
+                        if (less(l->session, msg_dest_session(hdr)))
+                                l->session = msg_dest_session(hdr) + 1;
+                        break;
+                }
+
                 /* ACTIVATE_MSG serves as PEER_RESET if link is already down */
                 if (mtyp == RESET_MSG || !link_is_up(l))
                         rc = tipc_link_fsm_evt(l, LINK_PEER_RESET_EVT);
diff --git a/net/tipc/msg.h b/net/tipc/msg.h
index a0924956bb61..d7e4b8b93f9d 100644
--- a/net/tipc/msg.h
+++ b/net/tipc/msg.h
@@ -360,6 +360,28 @@ static inline void msg_set_bcast_ack(struct tipc_msg *m, u16 n)
         msg_set_bits(m, 1, 0, 0xffff, n);
 }
 
+/* Note: reusing bits in word 1 for ACTIVATE_MSG only, to re-synch
+ * link peer session number
+ */
+static inline bool msg_dest_session_valid(struct tipc_msg *m)
+{
+        return msg_bits(m, 1, 16, 0x1);
+}
+
+static inline void msg_set_dest_session_valid(struct tipc_msg *m, bool valid)
+{
+        msg_set_bits(m, 1, 16, 0x1, valid);
+}
+
+static inline u16 msg_dest_session(struct tipc_msg *m)
+{
+        return msg_bits(m, 1, 0, 0xffff);
+}
+
+static inline void msg_set_dest_session(struct tipc_msg *m, u16 n)
+{
+        msg_set_bits(m, 1, 0, 0xffff, n);
+}
 
 /*
  * Word 2
diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index 40f5cae623a7..4ad3586da8f0 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -87,6 +87,11 @@ static int tipc_skb_tailroom(struct sk_buff *skb)
         return limit;
 }
 
+static inline int TLV_GET_DATA_LEN(struct tlv_desc *tlv)
+{
+        return TLV_GET_LEN(tlv) - TLV_SPACE(0);
+}
+
 static int tipc_add_tlv(struct sk_buff *skb, u16 type, void *data, u16 len)
 {
         struct tlv_desc *tlv = (struct tlv_desc *)skb_tail_pointer(skb);
@@ -166,6 +171,11 @@ static struct sk_buff *tipc_get_err_tlv(char *str)
         return buf;
 }
 
+static inline bool string_is_valid(char *s, int len)
+{
+        return memchr(s, '\0', len) ? true : false;
+}
+
 static int __tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
                                    struct tipc_nl_compat_msg *msg,
                                    struct sk_buff *arg)
@@ -379,6 +389,7 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd,
         struct nlattr *prop;
         struct nlattr *bearer;
         struct tipc_bearer_config *b;
+        int len;
 
         b = (struct tipc_bearer_config *)TLV_DATA(msg->req);
 
@@ -386,6 +397,10 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd,
         if (!bearer)
                 return -EMSGSIZE;
 
+        len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
+        if (!string_is_valid(b->name, len))
+                return -EINVAL;
+
         if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, b->name))
                 return -EMSGSIZE;
 
@@ -411,6 +426,7 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd,
 {
         char *name;
         struct nlattr *bearer;
+        int len;
 
         name = (char *)TLV_DATA(msg->req);
 
@@ -418,6 +434,10 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd,
         if (!bearer)
                 return -EMSGSIZE;
 
+        len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
+        if (!string_is_valid(name, len))
+                return -EINVAL;
+
         if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, name))
                 return -EMSGSIZE;
 
@@ -478,6 +498,7 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
         struct nlattr *prop[TIPC_NLA_PROP_MAX + 1];
         struct nlattr *stats[TIPC_NLA_STATS_MAX + 1];
         int err;
+        int len;
 
         if (!attrs[TIPC_NLA_LINK])
                 return -EINVAL;
@@ -504,6 +525,11 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
                 return err;
 
         name = (char *)TLV_DATA(msg->req);
+
+        len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
+        if (!string_is_valid(name, len))
+                return -EINVAL;
+
         if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0)
                 return 0;
 
@@ -644,6 +670,7 @@ static int tipc_nl_compat_media_set(struct sk_buff *skb,
         struct nlattr *prop;
         struct nlattr *media;
         struct tipc_link_config *lc;
+        int len;
 
         lc = (struct tipc_link_config *)TLV_DATA(msg->req);
 
@@ -651,6 +678,10 @@ static int tipc_nl_compat_media_set(struct sk_buff *skb,
         if (!media)
                 return -EMSGSIZE;
 
+        len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME);
+        if (!string_is_valid(lc->name, len))
+                return -EINVAL;
+
         if (nla_put_string(skb, TIPC_NLA_MEDIA_NAME, lc->name))
                 return -EMSGSIZE;
 
@@ -671,6 +702,7 @@ static int tipc_nl_compat_bearer_set(struct sk_buff *skb,
         struct nlattr *prop;
         struct nlattr *bearer;
         struct tipc_link_config *lc;
+        int len;
 
         lc = (struct tipc_link_config *)TLV_DATA(msg->req);
 
@@ -678,6 +710,10 @@ static int tipc_nl_compat_bearer_set(struct sk_buff *skb,
         if (!bearer)
                 return -EMSGSIZE;
 
+        len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME);
+        if (!string_is_valid(lc->name, len))
+                return -EINVAL;
+
         if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, lc->name))
                 return -EMSGSIZE;
 
@@ -726,9 +762,14 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd,
         struct tipc_link_config *lc;
         struct tipc_bearer *bearer;
         struct tipc_media *media;
+        int len;
 
         lc = (struct tipc_link_config *)TLV_DATA(msg->req);
 
+        len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
+        if (!string_is_valid(lc->name, len))
+                return -EINVAL;
+
         media = tipc_media_find(lc->name);
         if (media) {
                 cmd->doit = &__tipc_nl_media_set;
@@ -750,6 +791,7 @@ static int tipc_nl_compat_link_reset_stats(struct tipc_nl_compat_cmd_doit *cmd,
 {
         char *name;
         struct nlattr *link;
+        int len;
 
         name = (char *)TLV_DATA(msg->req);
 
@@ -757,6 +799,10 @@ static int tipc_nl_compat_link_reset_stats(struct tipc_nl_compat_cmd_doit *cmd,
         if (!link)
                 return -EMSGSIZE;
 
+        len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
+        if (!string_is_valid(name, len))
+                return -EINVAL;
+
         if (nla_put_string(skb, TIPC_NLA_LINK_NAME, name))
                 return -EMSGSIZE;
 
@@ -778,6 +824,8 @@ static int tipc_nl_compat_name_table_dump_header(struct tipc_nl_compat_msg *msg)
         };
 
         ntq = (struct tipc_name_table_query *)TLV_DATA(msg->req);
+        if (TLV_GET_DATA_LEN(msg->req) < sizeof(struct tipc_name_table_query))
+                return -EINVAL;
 
         depth = ntohl(ntq->depth);
 
@@ -904,8 +952,10 @@ static int tipc_nl_compat_publ_dump(struct tipc_nl_compat_msg *msg, u32 sock)
 
         hdr = genlmsg_put(args, 0, 0, &tipc_genl_family, NLM_F_MULTI,
                           TIPC_NL_PUBL_GET);
-        if (!hdr)
+        if (!hdr) {
+                kfree_skb(args);
                 return -EMSGSIZE;
+        }
 
         nest = nla_nest_start(args, TIPC_NLA_SOCK);
         if (!nest) {
@@ -1206,7 +1256,7 @@ static int tipc_nl_compat_recv(struct sk_buff *skb, struct genl_info *info)
         }
 
         len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
-        if (len && !TLV_OK(msg.req, len)) {
+        if (!len || !TLV_OK(msg.req, len)) {
                 msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED);
                 err = -EOPNOTSUPP;
                 goto send;
diff --git a/net/tipc/node.c b/net/tipc/node.c
index db2a6c3e0be9..2dc4919ab23c 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -830,15 +830,16 @@ static void tipc_node_link_down(struct tipc_node *n, int bearer_id, bool delete)
         tipc_node_write_lock(n);
         if (!tipc_link_is_establishing(l)) {
                 __tipc_node_link_down(n, &bearer_id, &xmitq, &maddr);
-                if (delete) {
-                        kfree(l);
-                        le->link = NULL;
-                        n->link_cnt--;
-                }
         } else {
                 /* Defuse pending tipc_node_link_up() */
+                tipc_link_reset(l);
                 tipc_link_fsm_evt(l, LINK_RESET_EVT);
         }
+        if (delete) {
+                kfree(l);
+                le->link = NULL;
+                n->link_cnt--;
+        }
         trace_tipc_node_link_down(n, true, "node link down or deleted!");
         tipc_node_write_unlock(n);
         if (delete)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 1217c90a363b..684f2125fc6b 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -388,7 +388,7 @@ static int tipc_sk_sock_err(struct socket *sock, long *timeout)
                 rc_ = tipc_sk_sock_err((sock_), timeo_);                       \
                 if (rc_)                                                       \
                         break;                                                 \
-                prepare_to_wait(sk_sleep(sk_), &wait_, TASK_INTERRUPTIBLE);    \
+                add_wait_queue(sk_sleep(sk_), &wait_);                         \
                 release_sock(sk_);                                             \
                 *(timeo_) = wait_woken(&wait_, TASK_INTERRUPTIBLE, *(timeo_)); \
                 sched_annotate_sleep();                                        \
@@ -1677,7 +1677,7 @@ static void tipc_sk_send_ack(struct tipc_sock *tsk)
 static int tipc_wait_for_rcvmsg(struct socket *sock, long *timeop)
 {
         struct sock *sk = sock->sk;
-        DEFINE_WAIT(wait);
+        DEFINE_WAIT_FUNC(wait, woken_wake_function);
         long timeo = *timeop;
         int err = sock_error(sk);
 
@@ -1685,15 +1685,17 @@ static int tipc_wait_for_rcvmsg(struct socket *sock, long *timeop)
                 return err;
 
         for (;;) {
-                prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
                 if (timeo && skb_queue_empty(&sk->sk_receive_queue)) {
                         if (sk->sk_shutdown & RCV_SHUTDOWN) {
                                 err = -ENOTCONN;
                                 break;
                         }
+                        add_wait_queue(sk_sleep(sk), &wait);
                         release_sock(sk);
-                        timeo = schedule_timeout(timeo);
+                        timeo = wait_woken(&wait, TASK_INTERRUPTIBLE, timeo);
+                        sched_annotate_sleep();
                         lock_sock(sk);
+                        remove_wait_queue(sk_sleep(sk), &wait);
                 }
                 err = 0;
                 if (!skb_queue_empty(&sk->sk_receive_queue))
@@ -1709,7 +1711,6 @@ static int tipc_wait_for_rcvmsg(struct socket *sock, long *timeop)
                 if (err)
                         break;
         }
-        finish_wait(sk_sleep(sk), &wait);
         *timeop = timeo;
         return err;
 }
diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
index efb16f69bd2c..a457c0fbbef1 100644
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -398,7 +398,7 @@ static int tipc_conn_rcv_from_sock(struct tipc_conn *con)
         ret = sock_recvmsg(con->sock, &msg, MSG_DONTWAIT);
         if (ret == -EWOULDBLOCK)
                 return -EWOULDBLOCK;
-        if (ret > 0) {
+        if (ret == sizeof(s)) {
                 read_lock_bh(&sk->sk_callback_lock);
                 ret = tipc_conn_rcv_sub(srv, con, &s);
                 read_unlock_bh(&sk->sk_callback_lock);
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 11cdc8f7db63..bf5b54b513bc 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -439,6 +439,8 @@ static int tls_do_encryption(struct sock *sk,
         struct scatterlist *sge = sk_msg_elem(msg_en, start);
         int rc;
 
+        memcpy(rec->iv_data, tls_ctx->tx.iv, sizeof(rec->iv_data));
+
         sge->offset += tls_ctx->tx.prepend_size;
         sge->length -= tls_ctx->tx.prepend_size;
 
@@ -448,7 +450,7 @@ static int tls_do_encryption(struct sock *sk,
         aead_request_set_ad(aead_req, TLS_AAD_SPACE_SIZE);
         aead_request_set_crypt(aead_req, rec->sg_aead_in,
                                rec->sg_aead_out,
-                               data_len, tls_ctx->tx.iv);
+                               data_len, rec->iv_data);
 
         aead_request_set_callback(aead_req, CRYPTO_TFM_REQ_MAY_BACKLOG,
                                   tls_encrypt_done, sk);
@@ -1792,7 +1794,9 @@ void tls_sw_free_resources_tx(struct sock *sk)
         if (atomic_read(&ctx->encrypt_pending))
                 crypto_wait_req(-EINPROGRESS, &ctx->async_wait);
 
+        release_sock(sk);
         cancel_delayed_work_sync(&ctx->tx_work.work);
+        lock_sock(sk);
 
         /* Tx whatever records we can transmit and abandon the rest */
         tls_tx_records(sk, -1);
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 74d1eed7cbd4..a95d479caeea 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -890,7 +890,7 @@ retry:
         addr->hash ^= sk->sk_type;
 
         __unix_remove_socket(sk);
-        u->addr = addr;
+        smp_store_release(&u->addr, addr);
         __unix_insert_socket(&unix_socket_table[addr->hash], sk);
         spin_unlock(&unix_table_lock);
         err = 0;
@@ -1060,7 +1060,7 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 
         err = 0;
         __unix_remove_socket(sk);
-        u->addr = addr;
+        smp_store_release(&u->addr, addr);
         __unix_insert_socket(list, sk);
 
 out_unlock:
@@ -1331,15 +1331,29 @@ restart:
         RCU_INIT_POINTER(newsk->sk_wq, &newu->peer_wq);
         otheru = unix_sk(other);
 
-        /* copy address information from listening to new sock*/
-        if (otheru->addr) {
-                refcount_inc(&otheru->addr->refcnt);
-                newu->addr = otheru->addr;
-        }
+        /* copy address information from listening to new sock
+         *
+         * The contents of *(otheru->addr) and otheru->path
+         * are seen fully set up here, since we have found
+         * otheru in hash under unix_table_lock.  Insertion
+         * into the hash chain we'd found it in had been done
+         * in an earlier critical area protected by unix_table_lock,
+         * the same one where we'd set *(otheru->addr) contents,
+         * as well as otheru->path and otheru->addr itself.
+         *
+         * Using smp_store_release() here to set newu->addr
+         * is enough to make those stores, as well as stores
+         * to newu->path visible to anyone who gets newu->addr
+         * by smp_load_acquire().  IOW, the same warranties
+         * as for unix_sock instances bound in unix_bind() or
+         * in unix_autobind().
+         */
         if (otheru->path.dentry) {
                 path_get(&otheru->path);
                 newu->path = otheru->path;
         }
+        refcount_inc(&otheru->addr->refcnt);
+        smp_store_release(&newu->addr, otheru->addr);
 
         /* Set credentials */
         copy_peercred(sk, other);
@@ -1453,7 +1467,7 @@ out:
 static int unix_getname(struct socket *sock, struct sockaddr *uaddr, int peer)
 {
         struct sock *sk = sock->sk;
-        struct unix_sock *u;
+        struct unix_address *addr;
         DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, uaddr);
         int err = 0;
 
@@ -1468,19 +1482,15 @@ static int unix_getname(struct socket *sock, struct sockaddr *uaddr, int peer)
                 sock_hold(sk);
         }
 
-        u = unix_sk(sk);
-        unix_state_lock(sk);
-        if (!u->addr) {
+        addr = smp_load_acquire(&unix_sk(sk)->addr);
+        if (!addr) {
                 sunaddr->sun_family = AF_UNIX;
                 sunaddr->sun_path[0] = 0;
                 err = sizeof(short);
         } else {
-                struct unix_address *addr = u->addr;
-
                 err = addr->len;
                 memcpy(sunaddr, addr->name, addr->len);
         }
-        unix_state_unlock(sk);
         sock_put(sk);
 out:
         return err;
@@ -2073,11 +2083,11 @@ static int unix_seqpacket_recvmsg(struct socket *sock, struct msghdr *msg,
 
 static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
 {
-        struct unix_sock *u = unix_sk(sk);
+        struct unix_address *addr = smp_load_acquire(&unix_sk(sk)->addr);
 
-        if (u->addr) {
-                msg->msg_namelen = u->addr->len;
-                memcpy(msg->msg_name, u->addr->name, u->addr->len);
+        if (addr) {
+                msg->msg_namelen = addr->len;
+                memcpy(msg->msg_name, addr->name, addr->len);
         }
 }
 
@@ -2581,15 +2591,14 @@ static int unix_open_file(struct sock *sk)
         if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
                 return -EPERM;
 
-        unix_state_lock(sk);
+        if (!smp_load_acquire(&unix_sk(sk)->addr))
+                return -ENOENT;
+
         path = unix_sk(sk)->path;
-        if (!path.dentry) {
-                unix_state_unlock(sk);
+        if (!path.dentry)
                 return -ENOENT;
-        }
 
         path_get(&path);
-        unix_state_unlock(sk);
 
         fd = get_unused_fd_flags(O_CLOEXEC);
         if (fd < 0)
@@ -2830,7 +2839,7 @@ static int unix_seq_show(struct seq_file *seq, void *v)
                         (s->sk_state == TCP_ESTABLISHED ? SS_CONNECTING : SS_DISCONNECTING),
                         sock_i_ino(s));
 
-                if (u->addr) {
+                if (u->addr) {  // under unix_table_lock here
                         int i, len;
                         seq_putc(seq, ' ');
 
diff --git a/net/unix/diag.c b/net/unix/diag.c
index 384c84e83462..3183d9b8ab33 100644
--- a/net/unix/diag.c
+++ b/net/unix/diag.c
@@ -10,7 +10,8 @@
 
 static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb)
 {
-        struct unix_address *addr = unix_sk(sk)->addr;
+        /* might or might not have unix_table_lock */
+        struct unix_address *addr = smp_load_acquire(&unix_sk(sk)->addr);
 
         if (!addr)
                 return 0;
diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
index 5d3cce9e8744..15eb5d3d4750 100644
--- a/net/vmw_vsock/virtio_transport.c
+++ b/net/vmw_vsock/virtio_transport.c
@@ -75,6 +75,9 @@ static u32 virtio_transport_get_local_cid(void)
 {
         struct virtio_vsock *vsock = virtio_vsock_get();
 
+        if (!vsock)
+                return VMADDR_CID_ANY;
+
         return vsock->guest_cid;
 }
 
@@ -584,10 +587,6 @@ static int virtio_vsock_probe(struct virtio_device *vdev)
 
         virtio_vsock_update_guest_cid(vsock);
 
-        ret = vsock_core_init(&virtio_transport.transport);
-        if (ret < 0)
-                goto out_vqs;
-
         vsock->rx_buf_nr = 0;
         vsock->rx_buf_max_nr = 0;
         atomic_set(&vsock->queued_replies, 0);
@@ -618,8 +617,6 @@ static int virtio_vsock_probe(struct virtio_device *vdev)
         mutex_unlock(&the_virtio_vsock_mutex);
         return 0;
 
-out_vqs:
-        vsock->vdev->config->del_vqs(vsock->vdev);
 out:
         kfree(vsock);
         mutex_unlock(&the_virtio_vsock_mutex);
@@ -637,6 +634,9 @@ static void virtio_vsock_remove(struct virtio_device *vdev)
         flush_work(&vsock->event_work);
         flush_work(&vsock->send_pkt_work);
 
+        /* Reset all connected sockets when the device disappear */
+        vsock_for_each_connected_socket(virtio_vsock_reset_sock);
+
         vdev->config->reset(vdev);
 
         mutex_lock(&vsock->rx_lock);
@@ -669,7 +669,6 @@ static void virtio_vsock_remove(struct virtio_device *vdev)
 
         mutex_lock(&the_virtio_vsock_mutex);
         the_virtio_vsock = NULL;
-        vsock_core_exit();
         mutex_unlock(&the_virtio_vsock_mutex);
 
         vdev->config->del_vqs(vdev);
@@ -702,14 +701,28 @@ static int __init virtio_vsock_init(void)
         virtio_vsock_workqueue = alloc_workqueue("virtio_vsock", 0, 0);
         if (!virtio_vsock_workqueue)
                 return -ENOMEM;
+
         ret = register_virtio_driver(&virtio_vsock_driver);
         if (ret)
-                destroy_workqueue(virtio_vsock_workqueue);
+                goto out_wq;
+
+        ret = vsock_core_init(&virtio_transport.transport);
+        if (ret)
+                goto out_vdr;
+
+        return 0;
+
+out_vdr:
+        unregister_virtio_driver(&virtio_vsock_driver);
+out_wq:
+        destroy_workqueue(virtio_vsock_workqueue);
         return ret;
+
 }
 
 static void __exit virtio_vsock_exit(void)
 {
+        vsock_core_exit();
         unregister_virtio_driver(&virtio_vsock_driver);
         destroy_workqueue(virtio_vsock_workqueue);
 }
diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index c361ce782412..c3d5ab01fba7 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -1651,6 +1651,10 @@ static void vmci_transport_cleanup(struct work_struct *work)
 
 static void vmci_transport_destruct(struct vsock_sock *vsk)
 {
+        /* transport can be NULL if we hit a failure at init() time */
+        if (!vmci_trans(vsk))
+                return;
+
         /* Ensure that the detach callback doesn't use the sk/vsk
          * we are about to destruct.
          */
diff --git a/net/wireless/ap.c b/net/wireless/ap.c
index 882d97bdc6bf..550ac9d827fe 100644
--- a/net/wireless/ap.c
+++ b/net/wireless/ap.c
@@ -41,6 +41,8 @@ int __cfg80211_stop_ap(struct cfg80211_registered_device *rdev,
                 cfg80211_sched_dfs_chan_update(rdev);
         }
 
+        schedule_work(&cfg80211_disconnect_work);
+
         return err;
 }
 
diff --git a/net/wireless/core.c b/net/wireless/core.c
index 623dfe5e211c..b36ad8efb5e5 100644
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1068,6 +1068,8 @@ static void __cfg80211_unregister_wdev(struct wireless_dev *wdev, bool sync)
 
         ASSERT_RTNL();
 
+        flush_work(&wdev->pmsr_free_wk);
+
         nl80211_notify_iface(rdev, wdev, NL80211_CMD_DEL_INTERFACE);
 
         list_del_rcu(&wdev->list);
diff --git a/net/wireless/core.h b/net/wireless/core.h
index c5d6f3418601..f6b40563dc63 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -445,6 +445,8 @@ void cfg80211_process_wdev_events(struct wireless_dev *wdev);
 bool cfg80211_does_bw_fit_range(const struct ieee80211_freq_range *freq_range,
                                 u32 center_freq_khz, u32 bw_khz);
 
+extern struct work_struct cfg80211_disconnect_work;
+
 /**
  * cfg80211_chandef_dfs_usable - checks if chandef is DFS usable
  * @wiphy: the wiphy to validate against
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 5e49492d5911..d91a408db113 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -250,7 +250,7 @@ nl80211_pmsr_ftm_req_attr_policy[NL80211_PMSR_FTM_REQ_ATTR_MAX + 1] = {
         [NL80211_PMSR_FTM_REQ_ATTR_BURST_DURATION] =
                 NLA_POLICY_MAX(NLA_U8, 15),
         [NL80211_PMSR_FTM_REQ_ATTR_FTMS_PER_BURST] =
-                NLA_POLICY_MAX(NLA_U8, 15),
+                NLA_POLICY_MAX(NLA_U8, 31),
         [NL80211_PMSR_FTM_REQ_ATTR_NUM_FTMR_RETRIES] = { .type = NLA_U8 },
         [NL80211_PMSR_FTM_REQ_ATTR_REQUEST_LCI] = { .type = NLA_FLAG },
         [NL80211_PMSR_FTM_REQ_ATTR_REQUEST_CIVICLOC] = { .type = NLA_FLAG },
@@ -555,7 +555,7 @@ const struct nla_policy nl80211_policy[NUM_NL80211_ATTR] = {
         },
         [NL80211_ATTR_TIMEOUT] = NLA_POLICY_MIN(NLA_U32, 1),
         [NL80211_ATTR_PEER_MEASUREMENTS] =
-                NLA_POLICY_NESTED(NL80211_PMSR_FTM_REQ_ATTR_MAX,
+                NLA_POLICY_NESTED(NL80211_PMSR_ATTR_MAX,
                                   nl80211_pmsr_attr_policy),
 };
 
diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c
index de9286703280..0216ab555249 100644
--- a/net/wireless/pmsr.c
+++ b/net/wireless/pmsr.c
@@ -256,8 +256,7 @@ int nl80211_pmsr_start(struct sk_buff *skb, struct genl_info *info)
                 if (err)
                         goto out_err;
         } else {
-                memcpy(req->mac_addr, nla_data(info->attrs[NL80211_ATTR_MAC]),
-                       ETH_ALEN);
+                memcpy(req->mac_addr, wdev_address(wdev), ETH_ALEN);
                 memset(req->mac_addr_mask, 0xff, ETH_ALEN);
         }
 
@@ -272,6 +271,7 @@ int nl80211_pmsr_start(struct sk_buff *skb, struct genl_info *info)
 
         req->n_peers = count;
         req->cookie = cfg80211_assign_cookie(rdev);
+        req->nl_portid = info->snd_portid;
 
         err = rdev_start_pmsr(rdev, wdev, req);
         if (err)
@@ -530,14 +530,14 @@ free:
 }
 EXPORT_SYMBOL_GPL(cfg80211_pmsr_report);
 
-void cfg80211_pmsr_free_wk(struct work_struct *work)
+static void cfg80211_pmsr_process_abort(struct wireless_dev *wdev)
 {
-        struct wireless_dev *wdev = container_of(work, struct wireless_dev,
-                                                 pmsr_free_wk);
         struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
         struct cfg80211_pmsr_request *req, *tmp;
         LIST_HEAD(free_list);
 
+        lockdep_assert_held(&wdev->mtx);
+
         spin_lock_bh(&wdev->pmsr_lock);
         list_for_each_entry_safe(req, tmp, &wdev->pmsr_list, list) {
                 if (req->nl_portid)
@@ -547,14 +547,22 @@ void cfg80211_pmsr_free_wk(struct work_struct *work)
         spin_unlock_bh(&wdev->pmsr_lock);
 
         list_for_each_entry_safe(req, tmp, &free_list, list) {
-                wdev_lock(wdev);
                 rdev_abort_pmsr(rdev, wdev, req);
-                wdev_unlock(wdev);
 
                 kfree(req);
         }
 }
 
+void cfg80211_pmsr_free_wk(struct work_struct *work)
+{
+        struct wireless_dev *wdev = container_of(work, struct wireless_dev,
+                                                 pmsr_free_wk);
+
+        wdev_lock(wdev);
+        cfg80211_pmsr_process_abort(wdev);
+        wdev_unlock(wdev);
+}
+
 void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev)
 {
         struct cfg80211_pmsr_request *req;
@@ -568,8 +576,8 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev)
         spin_unlock_bh(&wdev->pmsr_lock);
 
         if (found)
-                schedule_work(&wdev->pmsr_free_wk);
-        flush_work(&wdev->pmsr_free_wk);
+                cfg80211_pmsr_process_abort(wdev);
+
         WARN_ON(!list_empty(&wdev->pmsr_list));
 }
 
diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index ecfb1a06dbb2..dd58b9909ac9 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -1024,8 +1024,13 @@ static void regdb_fw_cb(const struct firmware *fw, void *context)
         }
 
         rtnl_lock();
-        if (WARN_ON(regdb && !IS_ERR(regdb))) {
-                /* just restore and free new db */
+        if (regdb && !IS_ERR(regdb)) {
+                /* negative case - a bug
+                 * positive case - can happen due to race in case of multiple cb's in
+                 * queue, due to usage of asynchronous callback
+                 *
+                 * Either case, just restore and free new db.
+                 */
         } else if (set_error) {
                 regdb = ERR_PTR(set_error);
         } else if (fw) {
@@ -1255,7 +1260,7 @@ static bool is_valid_rd(const struct ieee80211_regdomain *rd)
  * definitions (the "2.4 GHz band", the "5 GHz band" and the "60GHz band"),
  * however it is safe for now to assume that a frequency rule should not be
  * part of a frequency's band if the start freq or end freq are off by more
- * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 10 GHz for the
+ * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 20 GHz for the
  * 60 GHz band.
  * This resolution can be lowered and should be considered as we add
  * regulatory rule support for other "bands".
@@ -1270,7 +1275,7 @@ static bool freq_in_rule_band(const struct ieee80211_freq_range *freq_range,
          * with the Channel starting frequency above 45 GHz.
          */
         u32 limit = freq_khz > 45 * ONE_GHZ_IN_KHZ ?
-                        10 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ;
+                        20 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ;
         if (abs(freq_khz - freq_range->start_freq_khz) <= limit)
                 return true;
         if (abs(freq_khz - freq_range->end_freq_khz) <= limit)
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index f741d8376a46..7d34cb884840 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -667,7 +667,7 @@ static void disconnect_work(struct work_struct *work)
         rtnl_unlock();
 }
 
-static DECLARE_WORK(cfg80211_disconnect_work, disconnect_work);
+DECLARE_WORK(cfg80211_disconnect_work, disconnect_work);
 
 
 /*
diff --git a/net/wireless/util.c b/net/wireless/util.c
index cd48cdd582c0..ec30e3732c7b 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -5,7 +5,7 @@
  * Copyright 2007-2009  Johannes Berg <johannes@sipsolutions.net>
  * Copyright 2013-2014  Intel Mobile Communications GmbH
  * Copyright 2017       Intel Deutschland GmbH
- * Copyright (C) 2018 Intel Corporation
+ * Copyright (C) 2018-2019 Intel Corporation
  */
 #include <linux/export.h>
 #include <linux/bitops.h>
@@ -19,6 +19,7 @@
 #include <linux/mpls.h>
 #include <linux/gcd.h>
 #include <linux/bitfield.h>
+#include <linux/nospec.h>
 #include "core.h"
 #include "rdev-ops.h"
 
@@ -715,20 +716,25 @@ unsigned int cfg80211_classify8021d(struct sk_buff *skb,
 {
         unsigned int dscp;
         unsigned char vlan_priority;
+        unsigned int ret;
 
         /* skb->priority values from 256->263 are magic values to
          * directly indicate a specific 802.1d priority.  This is used
          * to allow 802.1d priority to be passed directly in from VLAN
          * tags, etc.
          */
-        if (skb->priority >= 256 && skb->priority <= 263)
-                return skb->priority - 256;
+        if (skb->priority >= 256 && skb->priority <= 263) {
+                ret = skb->priority - 256;
+                goto out;
+        }
 
         if (skb_vlan_tag_present(skb)) {
                 vlan_priority = (skb_vlan_tag_get(skb) & VLAN_PRIO_MASK)
                         >> VLAN_PRIO_SHIFT;
-                if (vlan_priority > 0)
-                        return vlan_priority;
+                if (vlan_priority > 0) {
+                        ret = vlan_priority;
+                        goto out;
+                }
         }
 
         switch (skb->protocol) {
@@ -747,8 +753,9 @@ unsigned int cfg80211_classify8021d(struct sk_buff *skb,
                 if (!mpls)
                         return 0;
 
-                return (ntohl(mpls->entry) & MPLS_LS_TC_MASK)
+                ret = (ntohl(mpls->entry) & MPLS_LS_TC_MASK)
                         >> MPLS_LS_TC_SHIFT;
+                goto out;
         }
         case htons(ETH_P_80221):
                 /* 802.21 is always network control traffic */
@@ -761,18 +768,24 @@ unsigned int cfg80211_classify8021d(struct sk_buff *skb,
                 unsigned int i, tmp_dscp = dscp >> 2;
 
                 for (i = 0; i < qos_map->num_des; i++) {
-                        if (tmp_dscp == qos_map->dscp_exception[i].dscp)
-                                return qos_map->dscp_exception[i].up;
+                        if (tmp_dscp == qos_map->dscp_exception[i].dscp) {
+                                ret = qos_map->dscp_exception[i].up;
+                                goto out;
+                        }
                 }
 
                 for (i = 0; i < 8; i++) {
                         if (tmp_dscp >= qos_map->up[i].low &&
-                            tmp_dscp <= qos_map->up[i].high)
-                                return i;
+                            tmp_dscp <= qos_map->up[i].high) {
+                                ret = i;
+                                goto out;
+                        }
                 }
         }
 
-        return dscp >> 5;
+        ret = dscp >> 5;
+out:
+        return array_index_nospec(ret, IEEE80211_NUM_TIDS);
 }
 EXPORT_SYMBOL(cfg80211_classify8021d);
 
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 5121729b8b63..eff31348e20b 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -352,17 +352,15 @@ static unsigned int x25_new_lci(struct x25_neigh *nb)
         unsigned int lci = 1;
         struct sock *sk;
 
-        read_lock_bh(&x25_list_lock);
-
-        while ((sk = __x25_find_socket(lci, nb)) != NULL) {
+        while ((sk = x25_find_socket(lci, nb)) != NULL) {
                 sock_put(sk);
                 if (++lci == 4096) {
                         lci = 0;
                         break;
                 }
+                cond_resched();
         }
 
-        read_unlock_bh(&x25_list_lock);
         return lci;
 }
 
@@ -681,8 +679,7 @@ static int x25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
         struct sockaddr_x25 *addr = (struct sockaddr_x25 *)uaddr;
         int len, i, rc = 0;
 
-        if (!sock_flag(sk, SOCK_ZAPPED) ||
-            addr_len != sizeof(struct sockaddr_x25) ||
+        if (addr_len != sizeof(struct sockaddr_x25) ||
             addr->sx25_family != AF_X25) {
                 rc = -EINVAL;
                 goto out;
@@ -701,9 +698,13 @@ static int x25_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
         }
 
         lock_sock(sk);
-        x25_sk(sk)->source_addr = addr->sx25_addr;
-        x25_insert_socket(sk);
-        sock_reset_flag(sk, SOCK_ZAPPED);
+        if (sock_flag(sk, SOCK_ZAPPED)) {
+                x25_sk(sk)->source_addr = addr->sx25_addr;
+                x25_insert_socket(sk);
+                sock_reset_flag(sk, SOCK_ZAPPED);
+        } else {
+                rc = -EINVAL;
+        }
         release_sock(sk);
         SOCK_DEBUG(sk, "x25_bind: socket is bound\n");
 out:
diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
index a264cf2accd0..37e1fe180769 100644
--- a/net/xdp/xdp_umem.c
+++ b/net/xdp/xdp_umem.c
@@ -41,13 +41,20 @@ void xdp_del_sk_umem(struct xdp_umem *umem, struct xdp_sock *xs)
  * not know if the device has more tx queues than rx, or the opposite.
  * This might also change during run time.
  */
-static void xdp_reg_umem_at_qid(struct net_device *dev, struct xdp_umem *umem,
-                                u16 queue_id)
+static int xdp_reg_umem_at_qid(struct net_device *dev, struct xdp_umem *umem,
+                               u16 queue_id)
 {
+        if (queue_id >= max_t(unsigned int,
+                              dev->real_num_rx_queues,
+                              dev->real_num_tx_queues))
+                return -EINVAL;
+
         if (queue_id < dev->real_num_rx_queues)
                 dev->_rx[queue_id].umem = umem;
         if (queue_id < dev->real_num_tx_queues)
                 dev->_tx[queue_id].umem = umem;
+
+        return 0;
 }
 
 struct xdp_umem *xdp_get_umem_from_qid(struct net_device *dev,
@@ -88,7 +95,10 @@ int xdp_umem_assign_dev(struct xdp_umem *umem, struct net_device *dev,
                 goto out_rtnl_unlock;
         }
 
-        xdp_reg_umem_at_qid(dev, umem, queue_id);
+        err = xdp_reg_umem_at_qid(dev, umem, queue_id);
+        if (err)
+                goto out_rtnl_unlock;
+
         umem->dev = dev;
         umem->queue_id = queue_id;
         if (force_copy)
@@ -115,9 +125,10 @@ int xdp_umem_assign_dev(struct xdp_umem *umem, struct net_device *dev,
         return 0;
 
 err_unreg_umem:
-        xdp_clear_umem_at_qid(dev, queue_id);
         if (!force_zc)
                 err = 0; /* fallback to copy mode */
+        if (err)
+                xdp_clear_umem_at_qid(dev, queue_id);
 out_rtnl_unlock:
         rtnl_unlock();
         return err;
@@ -249,10 +260,10 @@ static int xdp_umem_pin_pages(struct xdp_umem *umem)
         if (!umem->pgs)
                 return -ENOMEM;
 
-        down_write(&current->mm->mmap_sem);
-        npgs = get_user_pages(umem->address, umem->npgs,
-                              gup_flags, &umem->pgs[0], NULL);
-        up_write(&current->mm->mmap_sem);
+        down_read(&current->mm->mmap_sem);
+        npgs = get_user_pages_longterm(umem->address, umem->npgs,
+                                       gup_flags, &umem->pgs[0], NULL);
+        up_read(&current->mm->mmap_sem);
 
         if (npgs != umem->npgs) {
                 if (npgs >= 0) {
diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index a03268454a27..85e4fe4f18cc 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -366,7 +366,6 @@ static int xsk_release(struct socket *sock)
 
         xskq_destroy(xs->rx);
         xskq_destroy(xs->tx);
-        xdp_put_umem(xs->umem);
 
         sock_orphan(sk);
         sock->sk = NULL;
@@ -669,6 +668,8 @@ static int xsk_mmap(struct file *file, struct socket *sock,
                 if (!umem)
                         return -EINVAL;
 
+                /* Matches the smp_wmb() in XDP_UMEM_REG */
+                smp_rmb();
                 if (offset == XDP_UMEM_PGOFF_FILL_RING)
                         q = READ_ONCE(umem->fq);
                 else if (offset == XDP_UMEM_PGOFF_COMPLETION_RING)
@@ -678,6 +679,8 @@ static int xsk_mmap(struct file *file, struct socket *sock,
         if (!q)
                 return -EINVAL;
 
+        /* Matches the smp_wmb() in xsk_init_queue */
+        smp_rmb();
         qpg = virt_to_head_page(q->ring);
         if (size > (PAGE_SIZE << compound_order(qpg)))
                 return -EINVAL;
@@ -714,6 +717,18 @@ static const struct proto_ops xsk_proto_ops = {
         .sendpage       = sock_no_sendpage,
 };
 
+static void xsk_destruct(struct sock *sk)
+{
+        struct xdp_sock *xs = xdp_sk(sk);
+
+        if (!sock_flag(sk, SOCK_DEAD))
+                return;
+
+        xdp_put_umem(xs->umem);
+
+        sk_refcnt_debug_dec(sk);
+}
+
 static int xsk_create(struct net *net, struct socket *sock, int protocol,
                       int kern)
 {
@@ -740,6 +755,9 @@ static int xsk_create(struct net *net, struct socket *sock, int protocol,
 
         sk->sk_family = PF_XDP;
 
+        sk->sk_destruct = xsk_destruct;
+        sk_refcnt_debug_inc(sk);
+
         sock_set_flag(sk, SOCK_RCU_FREE);
 
         xs = xdp_sk(sk);
diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index 6be8c7df15bb..dbb3c1945b5c 100644
--- a/net/xfrm/xfrm_interface.c
+++ b/net/xfrm/xfrm_interface.c
@@ -76,10 +76,10 @@ static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb)
         int ifindex;
         struct xfrm_if *xi;
 
-        if (!skb->dev)
+        if (!secpath_exists(skb) || !skb->dev)
                 return NULL;
 
-        xfrmn = net_generic(dev_net(skb->dev), xfrmi_net_id);
+        xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id);
         ifindex = skb->dev->ifindex;
 
         for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) {
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 934492bad8e0..8d1a898d0ba5 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -680,16 +680,6 @@ static void xfrm_hash_resize(struct work_struct *work)
         mutex_unlock(&hash_resize_mutex);
 }
 
-static void xfrm_hash_reset_inexact_table(struct net *net)
-{
-        struct xfrm_pol_inexact_bin *b;
-
-        lockdep_assert_held(&net->xfrm.xfrm_policy_lock);
-
-        list_for_each_entry(b, &net->xfrm.inexact_bins, inexact_bins)
-                INIT_HLIST_HEAD(&b->hhead);
-}
-
 /* Make sure *pol can be inserted into fastbin.
  * Useful to check that later insert requests will be sucessful
  * (provided xfrm_policy_lock is held throughout).
@@ -833,13 +823,13 @@ static void xfrm_policy_inexact_list_reinsert(struct net *net,
                                               u16 family)
 {
         unsigned int matched_s, matched_d;
-        struct hlist_node *newpos = NULL;
         struct xfrm_policy *policy, *p;
 
         matched_s = 0;
         matched_d = 0;
 
         list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
+                struct hlist_node *newpos = NULL;
                 bool matches_s, matches_d;
 
                 if (!policy->bydst_reinsert)
@@ -849,16 +839,19 @@ static void xfrm_policy_inexact_list_reinsert(struct net *net,
 
                 policy->bydst_reinsert = false;
                 hlist_for_each_entry(p, &n->hhead, bydst) {
-                        if (policy->priority >= p->priority)
+                        if (policy->priority > p->priority)
+                                newpos = &p->bydst;
+                        else if (policy->priority == p->priority &&
+                                 policy->pos > p->pos)
                                 newpos = &p->bydst;
                         else
                                 break;
                 }
 
                 if (newpos)
-                        hlist_add_behind(&policy->bydst, newpos);
+                        hlist_add_behind_rcu(&policy->bydst, newpos);
                 else
-                        hlist_add_head(&policy->bydst, &n->hhead);
+                        hlist_add_head_rcu(&policy->bydst, &n->hhead);
 
                 /* paranoia checks follow.
                  * Check that the reinserted policy matches at least
@@ -893,12 +886,13 @@ static void xfrm_policy_inexact_node_reinsert(struct net *net,
                                               struct rb_root *new,
                                               u16 family)
 {
-        struct rb_node **p, *parent = NULL;
         struct xfrm_pol_inexact_node *node;
+        struct rb_node **p, *parent;
 
         /* we should not have another subtree here */
         WARN_ON_ONCE(!RB_EMPTY_ROOT(&n->root));
-
+restart:
+        parent = NULL;
         p = &new->rb_node;
         while (*p) {
                 u8 prefixlen;
@@ -918,12 +912,11 @@ static void xfrm_policy_inexact_node_reinsert(struct net *net,
                 } else {
                         struct xfrm_policy *tmp;
 
-                        hlist_for_each_entry(tmp, &node->hhead, bydst)
-                                tmp->bydst_reinsert = true;
-                        hlist_for_each_entry(tmp, &n->hhead, bydst)
+                        hlist_for_each_entry(tmp, &n->hhead, bydst) {
                                 tmp->bydst_reinsert = true;
+                                hlist_del_rcu(&tmp->bydst);
+                        }
 
-                        INIT_HLIST_HEAD(&node->hhead);
                         xfrm_policy_inexact_list_reinsert(net, node, family);
 
                         if (node->prefixlen == n->prefixlen) {
@@ -935,8 +928,7 @@ static void xfrm_policy_inexact_node_reinsert(struct net *net,
                         kfree_rcu(n, rcu);
                         n = node;
                         n->prefixlen = prefixlen;
-                        *p = new->rb_node;
-                        parent = NULL;
+                        goto restart;
                 }
         }
 
@@ -965,12 +957,11 @@ static void xfrm_policy_inexact_node_merge(struct net *net,
                                                   family);
         }
 
-        hlist_for_each_entry(tmp, &v->hhead, bydst)
-                tmp->bydst_reinsert = true;
-        hlist_for_each_entry(tmp, &n->hhead, bydst)
+        hlist_for_each_entry(tmp, &v->hhead, bydst) {
                 tmp->bydst_reinsert = true;
+                hlist_del_rcu(&tmp->bydst);
+        }
 
-        INIT_HLIST_HEAD(&n->hhead);
         xfrm_policy_inexact_list_reinsert(net, n, family);
 }
 
@@ -1235,6 +1226,7 @@ static void xfrm_hash_rebuild(struct work_struct *work)
         } while (read_seqretry(&net->xfrm.policy_hthresh.lock, seq));
 
         spin_lock_bh(&net->xfrm.xfrm_policy_lock);
+        write_seqcount_begin(&xfrm_policy_hash_generation);
 
         /* make sure that we can insert the indirect policies again before
          * we start with destructive action.
@@ -1278,10 +1270,14 @@ static void xfrm_hash_rebuild(struct work_struct *work)
         }
 
         /* reset the bydst and inexact table in all directions */
-        xfrm_hash_reset_inexact_table(net);
-
         for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
-                INIT_HLIST_HEAD(&net->xfrm.policy_inexact[dir]);
+                struct hlist_node *n;
+
+                hlist_for_each_entry_safe(policy, n,
+                                          &net->xfrm.policy_inexact[dir],
+                                          bydst_inexact_list)
+                        hlist_del_init(&policy->bydst_inexact_list);
+
                 hmask = net->xfrm.policy_bydst[dir].hmask;
                 odst = net->xfrm.policy_bydst[dir].table;
                 for (i = hmask; i >= 0; i--)
@@ -1313,6 +1309,9 @@ static void xfrm_hash_rebuild(struct work_struct *work)
                 newpos = NULL;
                 chain = policy_hash_bysel(net, &policy->selector,
                                           policy->family, dir);
+
+                hlist_del_rcu(&policy->bydst);
+
                 if (!chain) {
                         void *p = xfrm_policy_inexact_insert(policy, dir, 0);
 
@@ -1334,6 +1333,7 @@ static void xfrm_hash_rebuild(struct work_struct *work)
 
 out_unlock:
         __xfrm_policy_inexact_flush(net);
+        write_seqcount_end(&xfrm_policy_hash_generation);
         spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
 
         mutex_unlock(&hash_resize_mutex);
@@ -2600,7 +2600,10 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
                 dst_copy_metrics(dst1, dst);
 
                 if (xfrm[i]->props.mode != XFRM_MODE_TRANSPORT) {
-                        __u32 mark = xfrm_smark_get(fl->flowi_mark, xfrm[i]);
+                        __u32 mark = 0;
+
+                        if (xfrm[i]->props.smark.v || xfrm[i]->props.smark.m)
+                                mark = xfrm_smark_get(fl->flowi_mark, xfrm[i]);
 
                         family = xfrm[i]->props.family;
                         dst = xfrm_dst_lookup(xfrm[i], tos, fl->flowi_oif,
@@ -3311,8 +3314,10 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 
         if (ifcb) {
                 xi = ifcb->decode_session(skb);
-                if (xi)
+                if (xi) {
                         if_id = xi->p.if_id;
+                        net = xi->net;
+                }
         }
         rcu_read_unlock();
 
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 23c92891758a..1bb971f46fc6 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -432,7 +432,7 @@ void xfrm_state_free(struct xfrm_state *x)
 }
 EXPORT_SYMBOL(xfrm_state_free);
 
-static void xfrm_state_gc_destroy(struct xfrm_state *x)
+static void ___xfrm_state_destroy(struct xfrm_state *x)
 {
         tasklet_hrtimer_cancel(&x->mtimer);
         del_timer_sync(&x->rtimer);
@@ -474,7 +474,7 @@ static void xfrm_state_gc_task(struct work_struct *work)
         synchronize_rcu();
 
         hlist_for_each_entry_safe(x, tmp, &gc_list, gclist)
-                xfrm_state_gc_destroy(x);
+                ___xfrm_state_destroy(x);
 }
 
 static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me)
@@ -598,14 +598,19 @@ struct xfrm_state *xfrm_state_alloc(struct net *net)
 }
 EXPORT_SYMBOL(xfrm_state_alloc);
 
-void __xfrm_state_destroy(struct xfrm_state *x)
+void __xfrm_state_destroy(struct xfrm_state *x, bool sync)
 {
         WARN_ON(x->km.state != XFRM_STATE_DEAD);
 
-        spin_lock_bh(&xfrm_state_gc_lock);
-        hlist_add_head(&x->gclist, &xfrm_state_gc_list);
-        spin_unlock_bh(&xfrm_state_gc_lock);
-        schedule_work(&xfrm_state_gc_work);
+        if (sync) {
+                synchronize_rcu();
+                ___xfrm_state_destroy(x);
+        } else {
+                spin_lock_bh(&xfrm_state_gc_lock);
+                hlist_add_head(&x->gclist, &xfrm_state_gc_list);
+                spin_unlock_bh(&xfrm_state_gc_lock);
+                schedule_work(&xfrm_state_gc_work);
+        }
 }
 EXPORT_SYMBOL(__xfrm_state_destroy);
 
@@ -708,7 +713,7 @@ xfrm_dev_state_flush_secctx_check(struct net *net, struct net_device *dev, bool
 }
 #endif
 
-int xfrm_state_flush(struct net *net, u8 proto, bool task_valid)
+int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync)
 {
         int i, err = 0, cnt = 0;
 
@@ -730,7 +735,10 @@ restart:
                                 err = xfrm_state_delete(x);
                                 xfrm_audit_state_delete(x, err ? 0 : 1,
                                                         task_valid);
-                                xfrm_state_put(x);
+                                if (sync)
+                                        xfrm_state_put_sync(x);
+                                else
+                                        xfrm_state_put(x);
                                 if (!err)
                                         cnt++;
 
@@ -2215,7 +2223,7 @@ void xfrm_state_delete_tunnel(struct xfrm_state *x)
                 if (atomic_read(&t->tunnel_users) == 2)
                         xfrm_state_delete(t);
                 atomic_dec(&t->tunnel_users);
-                xfrm_state_put(t);
+                xfrm_state_put_sync(t);
                 x->tunnel = NULL;
         }
 }
@@ -2375,8 +2383,8 @@ void xfrm_state_fini(struct net *net)
         unsigned int sz;
 
         flush_work(&net->xfrm.state_hash_work);
-        xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
         flush_work(&xfrm_state_gc_work);
+        xfrm_state_flush(net, IPSEC_PROTO_ANY, false, true);
 
         WARN_ON(!list_empty(&net->xfrm.state_all));
 
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 277c1c46fe94..a131f9ff979e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1488,10 +1488,15 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
                 if (!ut[i].family)
                         ut[i].family = family;
 
-                if ((ut[i].mode == XFRM_MODE_TRANSPORT) &&
-                    (ut[i].family != prev_family))
-                        return -EINVAL;
-
+                switch (ut[i].mode) {
+                case XFRM_MODE_TUNNEL:
+                case XFRM_MODE_BEET:
+                        break;
+                default:
+                        if (ut[i].family != prev_family)
+                                return -EINVAL;
+                        break;
+                }
                 if (ut[i].mode >= XFRM_MODE_MAX)
                         return -EINVAL;
 
@@ -1927,7 +1932,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
         struct xfrm_usersa_flush *p = nlmsg_data(nlh);
         int err;
 
-        err = xfrm_state_flush(net, p->proto, true);
+        err = xfrm_state_flush(net, p->proto, true, false);
         if (err) {
                 if (err == -ESRCH) /* empty table */
                         return 0;