58 files changed, 968 insertions, 386 deletions

diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 9ee5787634e5..953b6728bd00 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -626,11 +626,18 @@ static netdev_features_t vlan_dev_fix_features(struct net_device *dev,
 {
         struct net_device *real_dev = vlan_dev_priv(dev)->real_dev;
         netdev_features_t old_features = features;
+        netdev_features_t lower_features;
 
-        features = netdev_intersect_features(features, real_dev->vlan_features);
-        features |= NETIF_F_RXCSUM;
-        features = netdev_intersect_features(features, real_dev->features);
+        lower_features = netdev_intersect_features((real_dev->vlan_features |
+                                                    NETIF_F_RXCSUM),
+                                                   real_dev->features);
 
+        /* Add HW_CSUM setting to preserve user ability to control
+         * checksum offload on the vlan device.
+         */
+        if (lower_features & (NETIF_F_IP_CSUM|NETIF_F_IPV6_CSUM))
+                lower_features |= NETIF_F_HW_CSUM;
+        features = netdev_intersect_features(features, lower_features);
         features |= old_features & (NETIF_F_SOFT_FEATURES | NETIF_F_GSO_SOFTWARE);
         features |= NETIF_F_LLTX;
 
diff --git a/net/9p/Kconfig b/net/9p/Kconfig
index a75174a33723..e6014e0e51f7 100644
--- a/net/9p/Kconfig
+++ b/net/9p/Kconfig
@@ -22,6 +22,15 @@ config NET_9P_VIRTIO
           This builds support for a transports between
           guest partitions and a host partition.
 
+config NET_9P_XEN
+        depends on XEN
+        select XEN_XENBUS_FRONTEND
+        tristate "9P Xen Transport"
+        help
+          This builds support for a transport for 9pfs between
+          two Xen domains.
+
+
 config NET_9P_RDMA
         depends on INET && INFINIBAND && INFINIBAND_ADDR_TRANS
         tristate "9P RDMA Transport (Experimental)"
diff --git a/net/9p/Makefile b/net/9p/Makefile
index a0874cc1f718..697ea7caf466 100644
--- a/net/9p/Makefile
+++ b/net/9p/Makefile
@@ -1,4 +1,5 @@
 obj-$(CONFIG_NET_9P) := 9pnet.o
+obj-$(CONFIG_NET_9P_XEN) += 9pnet_xen.o
 obj-$(CONFIG_NET_9P_VIRTIO) += 9pnet_virtio.o
 obj-$(CONFIG_NET_9P_RDMA) += 9pnet_rdma.o
 
@@ -14,5 +15,8 @@ obj-$(CONFIG_NET_9P_RDMA) += 9pnet_rdma.o
 9pnet_virtio-objs := \
         trans_virtio.o \
 
+9pnet_xen-objs := \
+        trans_xen.o \
+
 9pnet_rdma-objs := \
         trans_rdma.o \
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
new file mode 100644
index 000000000000..71e85643b3f9
--- /dev/null
+++ b/net/9p/trans_xen.c
@@ -0,0 +1,545 @@
+/*
+ * linux/fs/9p/trans_xen
+ *
+ * Xen transport layer.
+ *
+ * Copyright (C) 2017 by Stefano Stabellini <stefano@aporeto.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation; or, when distributed
+ * separately from the Linux kernel or incorporated into other
+ * software packages, subject to the following license:
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this source file (the "Software"), to deal in the Software without
+ * restriction, including without limitation the rights to use, copy, modify,
+ * merge, publish, distribute, sublicense, and/or sell copies of the Software,
+ * and to permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#include <xen/events.h>
+#include <xen/grant_table.h>
+#include <xen/xen.h>
+#include <xen/xenbus.h>
+#include <xen/interface/io/9pfs.h>
+
+#include <linux/module.h>
+#include <linux/spinlock.h>
+#include <linux/rwlock.h>
+#include <net/9p/9p.h>
+#include <net/9p/client.h>
+#include <net/9p/transport.h>
+
+#define XEN_9PFS_NUM_RINGS 2
+#define XEN_9PFS_RING_ORDER 6
+#define XEN_9PFS_RING_SIZE  XEN_FLEX_RING_SIZE(XEN_9PFS_RING_ORDER)
+
+struct xen_9pfs_header {
+        uint32_t size;
+        uint8_t id;
+        uint16_t tag;
+
+        /* uint8_t sdata[]; */
+} __attribute__((packed));
+
+/* One per ring, more than one per 9pfs share */
+struct xen_9pfs_dataring {
+        struct xen_9pfs_front_priv *priv;
+
+        struct xen_9pfs_data_intf *intf;
+        grant_ref_t ref;
+        int evtchn;
+        int irq;
+        /* protect a ring from concurrent accesses */
+        spinlock_t lock;
+
+        struct xen_9pfs_data data;
+        wait_queue_head_t wq;
+        struct work_struct work;
+};
+
+/* One per 9pfs share */
+struct xen_9pfs_front_priv {
+        struct list_head list;
+        struct xenbus_device *dev;
+        char *tag;
+        struct p9_client *client;
+
+        int num_rings;
+        struct xen_9pfs_dataring *rings;
+};
+
+static LIST_HEAD(xen_9pfs_devs);
+static DEFINE_RWLOCK(xen_9pfs_lock);
+
+/* We don't currently allow canceling of requests */
+static int p9_xen_cancel(struct p9_client *client, struct p9_req_t *req)
+{
+        return 1;
+}
+
+static int p9_xen_create(struct p9_client *client, const char *addr, char *args)
+{
+        struct xen_9pfs_front_priv *priv;
+
+        read_lock(&xen_9pfs_lock);
+        list_for_each_entry(priv, &xen_9pfs_devs, list) {
+                if (!strcmp(priv->tag, addr)) {
+                        priv->client = client;
+                        read_unlock(&xen_9pfs_lock);
+                        return 0;
+                }
+        }
+        read_unlock(&xen_9pfs_lock);
+        return -EINVAL;
+}
+
+static void p9_xen_close(struct p9_client *client)
+{
+        struct xen_9pfs_front_priv *priv;
+
+        read_lock(&xen_9pfs_lock);
+        list_for_each_entry(priv, &xen_9pfs_devs, list) {
+                if (priv->client == client) {
+                        priv->client = NULL;
+                        read_unlock(&xen_9pfs_lock);
+                        return;
+                }
+        }
+        read_unlock(&xen_9pfs_lock);
+}
+
+static bool p9_xen_write_todo(struct xen_9pfs_dataring *ring, RING_IDX size)
+{
+        RING_IDX cons, prod;
+
+        cons = ring->intf->out_cons;
+        prod = ring->intf->out_prod;
+        virt_mb();
+
+        return XEN_9PFS_RING_SIZE -
+                xen_9pfs_queued(prod, cons, XEN_9PFS_RING_SIZE) >= size;
+}
+
+static int p9_xen_request(struct p9_client *client, struct p9_req_t *p9_req)
+{
+        struct xen_9pfs_front_priv *priv = NULL;
+        RING_IDX cons, prod, masked_cons, masked_prod;
+        unsigned long flags;
+        u32 size = p9_req->tc->size;
+        struct xen_9pfs_dataring *ring;
+        int num;
+
+        read_lock(&xen_9pfs_lock);
+        list_for_each_entry(priv, &xen_9pfs_devs, list) {
+                if (priv->client == client)
+                        break;
+        }
+        read_unlock(&xen_9pfs_lock);
+        if (!priv || priv->client != client)
+                return -EINVAL;
+
+        num = p9_req->tc->tag % priv->num_rings;
+        ring = &priv->rings[num];
+
+again:
+        while (wait_event_interruptible(ring->wq,
+                                        p9_xen_write_todo(ring, size)) != 0)
+                ;
+
+        spin_lock_irqsave(&ring->lock, flags);
+        cons = ring->intf->out_cons;
+        prod = ring->intf->out_prod;
+        virt_mb();
+
+        if (XEN_9PFS_RING_SIZE - xen_9pfs_queued(prod, cons,
+                                                 XEN_9PFS_RING_SIZE) < size) {
+                spin_unlock_irqrestore(&ring->lock, flags);
+                goto again;
+        }
+
+        masked_prod = xen_9pfs_mask(prod, XEN_9PFS_RING_SIZE);
+        masked_cons = xen_9pfs_mask(cons, XEN_9PFS_RING_SIZE);
+
+        xen_9pfs_write_packet(ring->data.out, p9_req->tc->sdata, size,
+                              &masked_prod, masked_cons, XEN_9PFS_RING_SIZE);
+
+        p9_req->status = REQ_STATUS_SENT;
+        virt_wmb();                     /* write ring before updating pointer */
+        prod += size;
+        ring->intf->out_prod = prod;
+        spin_unlock_irqrestore(&ring->lock, flags);
+        notify_remote_via_irq(ring->irq);
+
+        return 0;
+}
+
+static void p9_xen_response(struct work_struct *work)
+{
+        struct xen_9pfs_front_priv *priv;
+        struct xen_9pfs_dataring *ring;
+        RING_IDX cons, prod, masked_cons, masked_prod;
+        struct xen_9pfs_header h;
+        struct p9_req_t *req;
+        int status;
+
+        ring = container_of(work, struct xen_9pfs_dataring, work);
+        priv = ring->priv;
+
+        while (1) {
+                cons = ring->intf->in_cons;
+                prod = ring->intf->in_prod;
+                virt_rmb();
+
+                if (xen_9pfs_queued(prod, cons, XEN_9PFS_RING_SIZE) <
+                    sizeof(h)) {
+                        notify_remote_via_irq(ring->irq);
+                        return;
+                }
+
+                masked_prod = xen_9pfs_mask(prod, XEN_9PFS_RING_SIZE);
+                masked_cons = xen_9pfs_mask(cons, XEN_9PFS_RING_SIZE);
+
+                /* First, read just the header */
+                xen_9pfs_read_packet(&h, ring->data.in, sizeof(h),
+                                     masked_prod, &masked_cons,
+                                     XEN_9PFS_RING_SIZE);
+
+                req = p9_tag_lookup(priv->client, h.tag);
+                if (!req || req->status != REQ_STATUS_SENT) {
+                        dev_warn(&priv->dev->dev, "Wrong req tag=%x\n", h.tag);
+                        cons += h.size;
+                        virt_mb();
+                        ring->intf->in_cons = cons;
+                        continue;
+                }
+
+                memcpy(req->rc, &h, sizeof(h));
+                req->rc->offset = 0;
+
+                masked_cons = xen_9pfs_mask(cons, XEN_9PFS_RING_SIZE);
+                /* Then, read the whole packet (including the header) */
+                xen_9pfs_read_packet(req->rc->sdata, ring->data.in, h.size,
+                                     masked_prod, &masked_cons,
+                                     XEN_9PFS_RING_SIZE);
+
+                virt_mb();
+                cons += h.size;
+                ring->intf->in_cons = cons;
+
+                status = (req->status != REQ_STATUS_ERROR) ?
+                        REQ_STATUS_RCVD : REQ_STATUS_ERROR;
+
+                p9_client_cb(priv->client, req, status);
+        }
+}
+
+static irqreturn_t xen_9pfs_front_event_handler(int irq, void *r)
+{
+        struct xen_9pfs_dataring *ring = r;
+
+        if (!ring || !ring->priv->client) {
+                /* ignore spurious interrupt */
+                return IRQ_HANDLED;
+        }
+
+        wake_up_interruptible(&ring->wq);
+        schedule_work(&ring->work);
+
+        return IRQ_HANDLED;
+}
+
+static struct p9_trans_module p9_xen_trans = {
+        .name = "xen",
+        .maxsize = 1 << (XEN_9PFS_RING_ORDER + XEN_PAGE_SHIFT),
+        .def = 1,
+        .create = p9_xen_create,
+        .close = p9_xen_close,
+        .request = p9_xen_request,
+        .cancel = p9_xen_cancel,
+        .owner = THIS_MODULE,
+};
+
+static const struct xenbus_device_id xen_9pfs_front_ids[] = {
+        { "9pfs" },
+        { "" }
+};
+
+static void xen_9pfs_front_free(struct xen_9pfs_front_priv *priv)
+{
+        int i, j;
+
+        write_lock(&xen_9pfs_lock);
+        list_del(&priv->list);
+        write_unlock(&xen_9pfs_lock);
+
+        for (i = 0; i < priv->num_rings; i++) {
+                if (!priv->rings[i].intf)
+                        break;
+                if (priv->rings[i].irq > 0)
+                        unbind_from_irqhandler(priv->rings[i].irq, priv->dev);
+                if (priv->rings[i].data.in) {
+                        for (j = 0; j < (1 << XEN_9PFS_RING_ORDER); j++) {
+                                grant_ref_t ref;
+
+                                ref = priv->rings[i].intf->ref[j];
+                                gnttab_end_foreign_access(ref, 0, 0);
+                        }
+                        free_pages((unsigned long)priv->rings[i].data.in,
+                                   XEN_9PFS_RING_ORDER -
+                                   (PAGE_SHIFT - XEN_PAGE_SHIFT));
+                }
+                gnttab_end_foreign_access(priv->rings[i].ref, 0, 0);
+                free_page((unsigned long)priv->rings[i].intf);
+        }
+        kfree(priv->rings);
+        kfree(priv->tag);
+        kfree(priv);
+}
+
+static int xen_9pfs_front_remove(struct xenbus_device *dev)
+{
+        struct xen_9pfs_front_priv *priv = dev_get_drvdata(&dev->dev);
+
+        dev_set_drvdata(&dev->dev, NULL);
+        xen_9pfs_front_free(priv);
+        return 0;
+}
+
+static int xen_9pfs_front_alloc_dataring(struct xenbus_device *dev,
+                                         struct xen_9pfs_dataring *ring)
+{
+        int i = 0;
+        int ret = -ENOMEM;
+        void *bytes = NULL;
+
+        init_waitqueue_head(&ring->wq);
+        spin_lock_init(&ring->lock);
+        INIT_WORK(&ring->work, p9_xen_response);
+
+        ring->intf = (struct xen_9pfs_data_intf *)get_zeroed_page(GFP_KERNEL);
+        if (!ring->intf)
+                return ret;
+        ret = gnttab_grant_foreign_access(dev->otherend_id,
+                                          virt_to_gfn(ring->intf), 0);
+        if (ret < 0)
+                goto out;
+        ring->ref = ret;
+        bytes = (void *)__get_free_pages(GFP_KERNEL | __GFP_ZERO,
+                        XEN_9PFS_RING_ORDER - (PAGE_SHIFT - XEN_PAGE_SHIFT));
+        if (!bytes) {
+                ret = -ENOMEM;
+                goto out;
+        }
+        for (; i < (1 << XEN_9PFS_RING_ORDER); i++) {
+                ret = gnttab_grant_foreign_access(
+                                dev->otherend_id, virt_to_gfn(bytes) + i, 0);
+                if (ret < 0)
+                        goto out;
+                ring->intf->ref[i] = ret;
+        }
+        ring->intf->ring_order = XEN_9PFS_RING_ORDER;
+        ring->data.in = bytes;
+        ring->data.out = bytes + XEN_9PFS_RING_SIZE;
+
+        ret = xenbus_alloc_evtchn(dev, &ring->evtchn);
+        if (ret)
+                goto out;
+        ring->irq = bind_evtchn_to_irqhandler(ring->evtchn,
+                                              xen_9pfs_front_event_handler,
+                                              0, "xen_9pfs-frontend", ring);
+        if (ring->irq >= 0)
+                return 0;
+
+        xenbus_free_evtchn(dev, ring->evtchn);
+        ret = ring->irq;
+out:
+        if (bytes) {
+                for (i--; i >= 0; i--)
+                        gnttab_end_foreign_access(ring->intf->ref[i], 0, 0);
+                free_pages((unsigned long)bytes,
+                           XEN_9PFS_RING_ORDER -
+                           (PAGE_SHIFT - XEN_PAGE_SHIFT));
+        }
+        gnttab_end_foreign_access(ring->ref, 0, 0);
+        free_page((unsigned long)ring->intf);
+        return ret;
+}
+
+static int xen_9pfs_front_probe(struct xenbus_device *dev,
+                                const struct xenbus_device_id *id)
+{
+        int ret, i;
+        struct xenbus_transaction xbt;
+        struct xen_9pfs_front_priv *priv = NULL;
+        char *versions;
+        unsigned int max_rings, max_ring_order, len = 0;
+
+        versions = xenbus_read(XBT_NIL, dev->otherend, "versions", &len);
+        if (!len)
+                return -EINVAL;
+        if (strcmp(versions, "1")) {
+                kfree(versions);
+                return -EINVAL;
+        }
+        kfree(versions);
+        max_rings = xenbus_read_unsigned(dev->otherend, "max-rings", 0);
+        if (max_rings < XEN_9PFS_NUM_RINGS)
+                return -EINVAL;
+        max_ring_order = xenbus_read_unsigned(dev->otherend,
+                                              "max-ring-page-order", 0);
+        if (max_ring_order < XEN_9PFS_RING_ORDER)
+                return -EINVAL;
+
+        priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+        if (!priv)
+                return -ENOMEM;
+
+        priv->dev = dev;
+        priv->num_rings = XEN_9PFS_NUM_RINGS;
+        priv->rings = kcalloc(priv->num_rings, sizeof(*priv->rings),
+                              GFP_KERNEL);
+        if (!priv->rings) {
+                kfree(priv);
+                return -ENOMEM;
+        }
+
+        for (i = 0; i < priv->num_rings; i++) {
+                priv->rings[i].priv = priv;
+                ret = xen_9pfs_front_alloc_dataring(dev, &priv->rings[i]);
+                if (ret < 0)
+                        goto error;
+        }
+
+ again:
+        ret = xenbus_transaction_start(&xbt);
+        if (ret) {
+                xenbus_dev_fatal(dev, ret, "starting transaction");
+                goto error;
+        }
+        ret = xenbus_printf(xbt, dev->nodename, "version", "%u", 1);
+        if (ret)
+                goto error_xenbus;
+        ret = xenbus_printf(xbt, dev->nodename, "num-rings", "%u",
+                            priv->num_rings);
+        if (ret)
+                goto error_xenbus;
+        for (i = 0; i < priv->num_rings; i++) {
+                char str[16];
+
+                BUILD_BUG_ON(XEN_9PFS_NUM_RINGS > 9);
+                sprintf(str, "ring-ref%u", i);
+                ret = xenbus_printf(xbt, dev->nodename, str, "%d",
+                                    priv->rings[i].ref);
+                if (ret)
+                        goto error_xenbus;
+
+                sprintf(str, "event-channel-%u", i);
+                ret = xenbus_printf(xbt, dev->nodename, str, "%u",
+                                    priv->rings[i].evtchn);
+                if (ret)
+                        goto error_xenbus;
+        }
+        priv->tag = xenbus_read(xbt, dev->nodename, "tag", NULL);
+        if (!priv->tag) {
+                ret = -EINVAL;
+                goto error_xenbus;
+        }
+        ret = xenbus_transaction_end(xbt, 0);
+        if (ret) {
+                if (ret == -EAGAIN)
+                        goto again;
+                xenbus_dev_fatal(dev, ret, "completing transaction");
+                goto error;
+        }
+
+        write_lock(&xen_9pfs_lock);
+        list_add_tail(&priv->list, &xen_9pfs_devs);
+        write_unlock(&xen_9pfs_lock);
+        dev_set_drvdata(&dev->dev, priv);
+        xenbus_switch_state(dev, XenbusStateInitialised);
+
+        return 0;
+
+ error_xenbus:
+        xenbus_transaction_end(xbt, 1);
+        xenbus_dev_fatal(dev, ret, "writing xenstore");
+ error:
+        dev_set_drvdata(&dev->dev, NULL);
+        xen_9pfs_front_free(priv);
+        return ret;
+}
+
+static int xen_9pfs_front_resume(struct xenbus_device *dev)
+{
+        dev_warn(&dev->dev, "suspsend/resume unsupported\n");
+        return 0;
+}
+
+static void xen_9pfs_front_changed(struct xenbus_device *dev,
+                                   enum xenbus_state backend_state)
+{
+        switch (backend_state) {
+        case XenbusStateReconfiguring:
+        case XenbusStateReconfigured:
+        case XenbusStateInitialising:
+        case XenbusStateInitialised:
+        case XenbusStateUnknown:
+                break;
+
+        case XenbusStateInitWait:
+                break;
+
+        case XenbusStateConnected:
+                xenbus_switch_state(dev, XenbusStateConnected);
+                break;
+
+        case XenbusStateClosed:
+                if (dev->state == XenbusStateClosed)
+                        break;
+                /* Missed the backend's CLOSING state -- fallthrough */
+        case XenbusStateClosing:
+                xenbus_frontend_closed(dev);
+                break;
+        }
+}
+
+static struct xenbus_driver xen_9pfs_front_driver = {
+        .ids = xen_9pfs_front_ids,
+        .probe = xen_9pfs_front_probe,
+        .remove = xen_9pfs_front_remove,
+        .resume = xen_9pfs_front_resume,
+        .otherend_changed = xen_9pfs_front_changed,
+};
+
+int p9_trans_xen_init(void)
+{
+        if (!xen_domain())
+                return -ENODEV;
+
+        pr_info("Initialising Xen transport for 9pfs\n");
+
+        v9fs_register_trans(&p9_xen_trans);
+        return xenbus_register_frontend(&xen_9pfs_front_driver);
+}
+module_init(p9_trans_xen_init);
+
+void p9_trans_xen_exit(void)
+{
+        v9fs_unregister_trans(&p9_xen_trans);
+        return xenbus_unregister_driver(&xen_9pfs_front_driver);
+}
+module_exit(p9_trans_xen_exit);
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index a572db710d4e..c5ce7745b230 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -133,6 +133,8 @@ static inline size_t br_port_info_size(void)
                 + nla_total_size(1)     /* IFLA_BRPORT_MCAST_TO_UCAST */
                 + nla_total_size(1)     /* IFLA_BRPORT_LEARNING */
                 + nla_total_size(1)     /* IFLA_BRPORT_UNICAST_FLOOD */
+                + nla_total_size(1)     /* IFLA_BRPORT_MCAST_FLOOD */
+                + nla_total_size(1)     /* IFLA_BRPORT_BCAST_FLOOD */
                 + nla_total_size(1)     /* IFLA_BRPORT_PROXYARP */
                 + nla_total_size(1)     /* IFLA_BRPORT_PROXYARP_WIFI */
                 + nla_total_size(1)     /* IFLA_BRPORT_VLAN_TUNNEL */
@@ -633,6 +635,8 @@ static const struct nla_policy br_port_policy[IFLA_BRPORT_MAX + 1] = {
         [IFLA_BRPORT_PROXYARP_WIFI] = { .type = NLA_U8 },
         [IFLA_BRPORT_MULTICAST_ROUTER] = { .type = NLA_U8 },
         [IFLA_BRPORT_MCAST_TO_UCAST] = { .type = NLA_U8 },
+        [IFLA_BRPORT_MCAST_FLOOD] = { .type = NLA_U8 },
+        [IFLA_BRPORT_BCAST_FLOOD] = { .type = NLA_U8 },
 };
 
 /* Change the state of the port and notify spanning tree */
diff --git a/net/bridge/netfilter/ebt_dnat.c b/net/bridge/netfilter/ebt_dnat.c
index 4e0b0c359325..e0bb624c3845 100644
--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -9,6 +9,7 @@
  */
 #include <linux/module.h>
 #include <net/sock.h>
+#include "../br_private.h"
 #include <linux/netfilter.h>
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_bridge/ebtables.h>
@@ -18,11 +19,30 @@ static unsigned int
 ebt_dnat_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
         const struct ebt_nat_info *info = par->targinfo;
+        struct net_device *dev;
 
         if (!skb_make_writable(skb, 0))
                 return EBT_DROP;
 
         ether_addr_copy(eth_hdr(skb)->h_dest, info->mac);
+
+        if (is_multicast_ether_addr(info->mac)) {
+                if (is_broadcast_ether_addr(info->mac))
+                        skb->pkt_type = PACKET_BROADCAST;
+                else
+                        skb->pkt_type = PACKET_MULTICAST;
+        } else {
+                if (xt_hooknum(par) != NF_BR_BROUTING)
+                        dev = br_port_get_rcu(xt_in(par))->br->dev;
+                else
+                        dev = xt_in(par);
+
+                if (ether_addr_equal(info->mac, dev->dev_addr))
+                        skb->pkt_type = PACKET_HOST;
+                else
+                        skb->pkt_type = PACKET_OTHERHOST;
+        }
+
         return info->target;
 }
 
diff --git a/net/ceph/ceph_common.c b/net/ceph/ceph_common.c
index 108533859a53..4eb773ccce11 100644
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -187,7 +187,7 @@ void *ceph_kvmalloc(size_t size, gfp_t flags)
                         return ptr;
         }
 
-        return __vmalloc(size, flags | __GFP_HIGHMEM, PAGE_KERNEL);
+        return __vmalloc(size, flags, PAGE_KERNEL);
 }
 
 
diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
index f76bb3332613..5766a6c896c4 100644
--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -1386,8 +1386,9 @@ static void prepare_write_keepalive(struct ceph_connection *con)
         dout("prepare_write_keepalive %p\n", con);
         con_out_kvec_reset(con);
         if (con->peer_features & CEPH_FEATURE_MSGR_KEEPALIVE2) {
-                struct timespec now = CURRENT_TIME;
+                struct timespec now;
 
+                ktime_get_real_ts(&now);
                 con_out_kvec_add(con, sizeof(tag_keepalive2), &tag_keepalive2);
                 ceph_encode_timespec(&con->out_temp_keepalive2, &now);
                 con_out_kvec_add(con, sizeof(con->out_temp_keepalive2),
@@ -3176,8 +3177,9 @@ bool ceph_con_keepalive_expired(struct ceph_connection *con,
 {
         if (interval > 0 &&
             (con->peer_features & CEPH_FEATURE_MSGR_KEEPALIVE2)) {
-                struct timespec now = CURRENT_TIME;
+                struct timespec now;
                 struct timespec ts;
+                ktime_get_real_ts(&now);
                 jiffies_to_timespec(interval, &ts);
                 ts = timespec_add(con->last_keepalive_ack, ts);
                 return timespec_compare(&now, &ts) >= 0;
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index e15ea9e4c495..242d7c0d92f8 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -3574,7 +3574,7 @@ ceph_osdc_watch(struct ceph_osd_client *osdc,
         ceph_oid_copy(&lreq->t.base_oid, oid);
         ceph_oloc_copy(&lreq->t.base_oloc, oloc);
         lreq->t.flags = CEPH_OSD_FLAG_WRITE;
-        lreq->mtime = CURRENT_TIME;
+        ktime_get_real_ts(&lreq->mtime);
 
         lreq->reg_req = alloc_linger_request(lreq);
         if (!lreq->reg_req) {
@@ -3632,7 +3632,7 @@ int ceph_osdc_unwatch(struct ceph_osd_client *osdc,
         ceph_oid_copy(&req->r_base_oid, &lreq->t.base_oid);
         ceph_oloc_copy(&req->r_base_oloc, &lreq->t.base_oloc);
         req->r_flags = CEPH_OSD_FLAG_WRITE;
-        req->r_mtime = CURRENT_TIME;
+        ktime_get_real_ts(&req->r_mtime);
         osd_req_op_watch_init(req, 0, lreq->linger_id,
                               CEPH_OSD_WATCH_OP_UNWATCH);
 
diff --git a/net/core/dev.c b/net/core/dev.c
index d07aa5ffb511..96cf83da0d66 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -81,6 +81,7 @@
 #include <linux/hash.h>
 #include <linux/slab.h>
 #include <linux/sched.h>
+#include <linux/sched/mm.h>
 #include <linux/mutex.h>
 #include <linux/string.h>
 #include <linux/mm.h>
@@ -4235,7 +4236,7 @@ static int __netif_receive_skb(struct sk_buff *skb)
         int ret;
 
         if (sk_memalloc_socks() && skb_pfmemalloc(skb)) {
-                unsigned long pflags = current->flags;
+                unsigned int noreclaim_flag;
 
                 /*
                  * PFMEMALLOC skbs are special, they should
@@ -4246,9 +4247,9 @@ static int __netif_receive_skb(struct sk_buff *skb)
                  * Use PF_MEMALLOC as this saves us from propagating the allocation
                  * context down to all allocation sites.
                  */
-                current->flags |= PF_MEMALLOC;
+                noreclaim_flag = memalloc_noreclaim_save();
                 ret = __netif_receive_skb_core(skb, true);
-                current_restore_flags(pflags, PF_MEMALLOC);
+                memalloc_noreclaim_restore(noreclaim_flag);
         } else
                 ret = __netif_receive_skb_core(skb, false);
 
@@ -7264,12 +7265,10 @@ static int netif_alloc_rx_queues(struct net_device *dev)
 
         BUG_ON(count < 1);
 
-        rx = kzalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_REPEAT);
-        if (!rx) {
-                rx = vzalloc(sz);
-                if (!rx)
-                        return -ENOMEM;
-        }
+        rx = kvzalloc(sz, GFP_KERNEL | __GFP_REPEAT);
+        if (!rx)
+                return -ENOMEM;
+
         dev->_rx = rx;
 
         for (i = 0; i < count; i++)
@@ -7306,12 +7305,10 @@ static int netif_alloc_netdev_queues(struct net_device *dev)
         if (count < 1 || count > 0xffff)
                 return -EINVAL;
 
-        tx = kzalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_REPEAT);
-        if (!tx) {
-                tx = vzalloc(sz);
-                if (!tx)
-                        return -ENOMEM;
-        }
+        tx = kvzalloc(sz, GFP_KERNEL | __GFP_REPEAT);
+        if (!tx)
+                return -ENOMEM;
+
         dev->_tx = tx;
 
         netdev_for_each_tx_queue(dev, netdev_init_one_queue, NULL);
@@ -7845,9 +7842,7 @@ struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name,
         /* ensure 32-byte alignment of whole construct */
         alloc_size += NETDEV_ALIGN - 1;
 
-        p = kzalloc(alloc_size, GFP_KERNEL | __GFP_NOWARN | __GFP_REPEAT);
-        if (!p)
-                p = vzalloc(alloc_size);
+        p = kvzalloc(alloc_size, GFP_KERNEL | __GFP_REPEAT);
         if (!p)
                 return NULL;
 
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 6e67315ec368..bcb0f610ee42 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1054,7 +1054,7 @@ static int rtnl_phys_port_name_fill(struct sk_buff *skb, struct net_device *dev)
                 return err;
         }
 
-        if (nla_put(skb, IFLA_PHYS_PORT_NAME, strlen(name), name))
+        if (nla_put_string(skb, IFLA_PHYS_PORT_NAME, name))
                 return -EMSGSIZE;
 
         return 0;
diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c
index 6bd2f8fb0476..ae35cce3a40d 100644
--- a/net/core/secure_seq.c
+++ b/net/core/secure_seq.c
@@ -24,9 +24,13 @@ static siphash_key_t ts_secret __read_mostly;
 
 static __always_inline void net_secret_init(void)
 {
-        net_get_random_once(&ts_secret, sizeof(ts_secret));
         net_get_random_once(&net_secret, sizeof(net_secret));
 }
+
+static __always_inline void ts_secret_init(void)
+{
+        net_get_random_once(&ts_secret, sizeof(ts_secret));
+}
 #endif
 
 #ifdef CONFIG_INET
@@ -47,7 +51,7 @@ static u32 seq_scale(u32 seq)
 #endif
 
 #if IS_ENABLED(CONFIG_IPV6)
-static u32 secure_tcpv6_ts_off(const __be32 *saddr, const __be32 *daddr)
+u32 secure_tcpv6_ts_off(const __be32 *saddr, const __be32 *daddr)
 {
         const struct {
                 struct in6_addr saddr;
@@ -60,12 +64,14 @@ static u32 secure_tcpv6_ts_off(const __be32 *saddr, const __be32 *daddr)
         if (sysctl_tcp_timestamps != 1)
                 return 0;
 
+        ts_secret_init();
         return siphash(&combined, offsetofend(typeof(combined), daddr),
                        &ts_secret);
 }
+EXPORT_SYMBOL(secure_tcpv6_ts_off);
 
-u32 secure_tcpv6_seq_and_tsoff(const __be32 *saddr, const __be32 *daddr,
-                               __be16 sport, __be16 dport, u32 *tsoff)
+u32 secure_tcpv6_seq(const __be32 *saddr, const __be32 *daddr,
+                     __be16 sport, __be16 dport)
 {
         const struct {
                 struct in6_addr saddr;
@@ -78,14 +84,14 @@ u32 secure_tcpv6_seq_and_tsoff(const __be32 *saddr, const __be32 *daddr,
                 .sport = sport,
                 .dport = dport
         };
-        u64 hash;
+        u32 hash;
+
         net_secret_init();
         hash = siphash(&combined, offsetofend(typeof(combined), dport),
                        &net_secret);
-        *tsoff = secure_tcpv6_ts_off(saddr, daddr);
         return seq_scale(hash);
 }
-EXPORT_SYMBOL(secure_tcpv6_seq_and_tsoff);
+EXPORT_SYMBOL(secure_tcpv6_seq);
 
 u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
                                __be16 dport)
@@ -107,11 +113,12 @@ EXPORT_SYMBOL(secure_ipv6_port_ephemeral);
 #endif
 
 #ifdef CONFIG_INET
-static u32 secure_tcp_ts_off(__be32 saddr, __be32 daddr)
+u32 secure_tcp_ts_off(__be32 saddr, __be32 daddr)
 {
         if (sysctl_tcp_timestamps != 1)
                 return 0;
 
+        ts_secret_init();
         return siphash_2u32((__force u32)saddr, (__force u32)daddr,
                             &ts_secret);
 }
@@ -121,15 +128,15 @@ static u32 secure_tcp_ts_off(__be32 saddr, __be32 daddr)
  * it would be easy enough to have the former function use siphash_4u32, passing
  * the arguments as separate u32.
  */
-u32 secure_tcp_seq_and_tsoff(__be32 saddr, __be32 daddr,
-                             __be16 sport, __be16 dport, u32 *tsoff)
+u32 secure_tcp_seq(__be32 saddr, __be32 daddr,
+                   __be16 sport, __be16 dport)
 {
-        u64 hash;
+        u32 hash;
+
         net_secret_init();
         hash = siphash_3u32((__force u32)saddr, (__force u32)daddr,
                             (__force u32)sport << 16 | (__force u32)dport,
                             &net_secret);
-        *tsoff = secure_tcp_ts_off(saddr, daddr);
         return seq_scale(hash);
 }
 
diff --git a/net/core/sock.c b/net/core/sock.c
index b5baeb9cb0fb..79c6aee6af9b 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -102,6 +102,7 @@
 #include <linux/proc_fs.h>
 #include <linux/seq_file.h>
 #include <linux/sched.h>
+#include <linux/sched/mm.h>
 #include <linux/timer.h>
 #include <linux/string.h>
 #include <linux/sockios.h>
@@ -372,14 +373,14 @@ EXPORT_SYMBOL_GPL(sk_clear_memalloc);
 int __sk_backlog_rcv(struct sock *sk, struct sk_buff *skb)
 {
         int ret;
-        unsigned long pflags = current->flags;
+        unsigned int noreclaim_flag;
 
         /* these should have been dropped before queueing */
         BUG_ON(!sock_flag(sk, SOCK_MEMALLOC));
 
-        current->flags |= PF_MEMALLOC;
+        noreclaim_flag = memalloc_noreclaim_save();
         ret = sk->sk_backlog_rcv(sk, skb);
-        current_restore_flags(pflags, PF_MEMALLOC);
+        memalloc_noreclaim_restore(noreclaim_flag);
 
         return ret;
 }
diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
index 9afa2a5030b2..405483a07efc 100644
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -2361,7 +2361,8 @@ MODULE_AUTHOR("Linux DECnet Project Team");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS_NETPROTO(PF_DECnet);
 
-static char banner[] __initdata = KERN_INFO "NET4: DECnet for Linux: V.2.5.68s (C) 1995-2003 Linux DECnet Project Team\n";
+static const char banner[] __initconst = KERN_INFO
+"NET4: DECnet for Linux: V.2.5.68s (C) 1995-2003 Linux DECnet Project Team\n";
 
 static int __init decnet_init(void)
 {
diff --git a/net/decnet/dn_neigh.c b/net/decnet/dn_neigh.c
index 482730cd8a56..eeb5fc561f80 100644
--- a/net/decnet/dn_neigh.c
+++ b/net/decnet/dn_neigh.c
@@ -110,7 +110,7 @@ struct neigh_table dn_neigh_table = {
 static int dn_neigh_construct(struct neighbour *neigh)
 {
         struct net_device *dev = neigh->dev;
-        struct dn_neigh *dn = (struct dn_neigh *)neigh;
+        struct dn_neigh *dn = container_of(neigh, struct dn_neigh, n);
         struct dn_dev *dn_db;
         struct neigh_parms *parms;
 
@@ -339,7 +339,7 @@ int dn_to_neigh_output(struct net *net, struct sock *sk, struct sk_buff *skb)
         struct dst_entry *dst = skb_dst(skb);
         struct dn_route *rt = (struct dn_route *) dst;
         struct neighbour *neigh = rt->n;
-        struct dn_neigh *dn = (struct dn_neigh *)neigh;
+        struct dn_neigh *dn = container_of(neigh, struct dn_neigh, n);
         struct dn_dev *dn_db;
         bool use_long;
 
@@ -391,7 +391,7 @@ int dn_neigh_router_hello(struct net *net, struct sock *sk, struct sk_buff *skb)
 
         neigh = __neigh_lookup(&dn_neigh_table, &src, skb->dev, 1);
 
-        dn = (struct dn_neigh *)neigh;
+        dn = container_of(neigh, struct dn_neigh, n);
 
         if (neigh) {
                 write_lock(&neigh->lock);
@@ -451,7 +451,7 @@ int dn_neigh_endnode_hello(struct net *net, struct sock *sk, struct sk_buff *skb
 
         neigh = __neigh_lookup(&dn_neigh_table, &src, skb->dev, 1);
 
-        dn = (struct dn_neigh *)neigh;
+        dn = container_of(neigh, struct dn_neigh, n);
 
         if (neigh) {
                 write_lock(&neigh->lock);
@@ -510,7 +510,7 @@ static void neigh_elist_cb(struct neighbour *neigh, void *_info)
         if (neigh->dev != s->dev)
                 return;
 
-        dn = (struct dn_neigh *) neigh;
+        dn = container_of(neigh, struct dn_neigh, n);
         if (!(dn->flags & (DN_NDFLAG_R1|DN_NDFLAG_R2)))
                 return;
 
@@ -549,7 +549,7 @@ int dn_neigh_elist(struct net_device *dev, unsigned char *ptr, int n)
 static inline void dn_neigh_format_entry(struct seq_file *seq,
                                          struct neighbour *n)
 {
-        struct dn_neigh *dn = (struct dn_neigh *) n;
+        struct dn_neigh *dn = container_of(n, struct dn_neigh, n);
         char buf[DN_ASCBUF_LEN];
 
         read_lock(&n->lock);
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 5e313c1ac94f..1054d330bf9d 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -794,6 +794,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
                 /* listeners have SOCK_RCU_FREE, not the children */
                 sock_reset_flag(newsk, SOCK_RCU_FREE);
 
+                inet_sk(newsk)->mc_list = NULL;
+
                 newsk->sk_mark = inet_rsk(req)->ir_mark;
                 atomic64_set(&newsk->sk_cookie,
                              atomic64_read(&inet_rsk(req)->ir_cookie));
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 8bea74298173..e9a59d2d91d4 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -678,11 +678,7 @@ int inet_ehash_locks_alloc(struct inet_hashinfo *hashinfo)
                 /* no more locks than number of hash buckets */
                 nblocks = min(nblocks, hashinfo->ehash_mask + 1);
 
-                hashinfo->ehash_locks = kmalloc_array(nblocks, locksz,
-                                                      GFP_KERNEL | __GFP_NOWARN);
-                if (!hashinfo->ehash_locks)
-                        hashinfo->ehash_locks = vmalloc(nblocks * locksz);
-
+                hashinfo->ehash_locks = kvmalloc_array(nblocks, locksz, GFP_KERNEL);
                 if (!hashinfo->ehash_locks)
                         return -ENOMEM;
 
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 40977413fd48..4ec9affb2252 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -546,12 +546,13 @@ static int vti_fill_info(struct sk_buff *skb, const struct net_device *dev)
         struct ip_tunnel *t = netdev_priv(dev);
         struct ip_tunnel_parm *p = &t->parms;
 
-        nla_put_u32(skb, IFLA_VTI_LINK, p->link);
-        nla_put_be32(skb, IFLA_VTI_IKEY, p->i_key);
-        nla_put_be32(skb, IFLA_VTI_OKEY, p->o_key);
-        nla_put_in_addr(skb, IFLA_VTI_LOCAL, p->iph.saddr);
-        nla_put_in_addr(skb, IFLA_VTI_REMOTE, p->iph.daddr);
-        nla_put_u32(skb, IFLA_VTI_FWMARK, t->fwmark);
+        if (nla_put_u32(skb, IFLA_VTI_LINK, p->link) ||
+            nla_put_be32(skb, IFLA_VTI_IKEY, p->i_key) ||
+            nla_put_be32(skb, IFLA_VTI_OKEY, p->o_key) ||
+            nla_put_in_addr(skb, IFLA_VTI_LOCAL, p->iph.saddr) ||
+            nla_put_in_addr(skb, IFLA_VTI_REMOTE, p->iph.daddr) ||
+            nla_put_u32(skb, IFLA_VTI_FWMARK, t->fwmark))
+                return -EMSGSIZE;
 
         return 0;
 }
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 9d943974de2b..bdffad875691 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -358,6 +358,9 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
                                rt->dst.dev->mtu);
                 return -EMSGSIZE;
         }
+        if (length < sizeof(struct iphdr))
+                return -EINVAL;
+
         if (flags&MSG_PROBE)
                 goto out;
 
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 496b97e17aaf..0257d965f111 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -16,6 +16,7 @@
 #include <linux/siphash.h>
 #include <linux/kernel.h>
 #include <linux/export.h>
+#include <net/secure_seq.h>
 #include <net/tcp.h>
 #include <net/route.h>
 
@@ -203,7 +204,7 @@ EXPORT_SYMBOL_GPL(__cookie_v4_check);
 
 struct sock *tcp_get_cookie_sock(struct sock *sk, struct sk_buff *skb,
                                  struct request_sock *req,
-                                 struct dst_entry *dst)
+                                 struct dst_entry *dst, u32 tsoff)
 {
         struct inet_connection_sock *icsk = inet_csk(sk);
         struct sock *child;
@@ -213,6 +214,7 @@ struct sock *tcp_get_cookie_sock(struct sock *sk, struct sk_buff *skb,
                                                  NULL, &own_req);
         if (child) {
                 atomic_set(&req->rsk_refcnt, 1);
+                tcp_sk(child)->tsoffset = tsoff;
                 sock_rps_save_rxhash(child, skb);
                 inet_csk_reqsk_queue_add(sk, req, child);
         } else {
@@ -292,6 +294,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
         struct rtable *rt;
         __u8 rcv_wscale;
         struct flowi4 fl4;
+        u32 tsoff = 0;
 
         if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies || !th->ack || th->rst)
                 goto out;
@@ -311,6 +314,11 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
         memset(&tcp_opt, 0, sizeof(tcp_opt));
         tcp_parse_options(skb, &tcp_opt, 0, NULL);
 
+        if (tcp_opt.saw_tstamp && tcp_opt.rcv_tsecr) {
+                tsoff = secure_tcp_ts_off(ip_hdr(skb)->daddr, ip_hdr(skb)->saddr);
+                tcp_opt.rcv_tsecr -= tsoff;
+        }
+
         if (!cookie_timestamp_decode(&tcp_opt))
                 goto out;
 
@@ -381,7 +389,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
         ireq->rcv_wscale  = rcv_wscale;
         ireq->ecn_ok = cookie_ecn_ok(&tcp_opt, sock_net(sk), &rt->dst);
 
-        ret = tcp_get_cookie_sock(sk, skb, req, &rt->dst);
+        ret = tcp_get_cookie_sock(sk, skb, req, &rt->dst, tsoff);
         /* ip_queue_xmit() depends on our flow being setup
          * Normal sockets get it right from inet_csk_route_child_sock()
          */
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 9739962bfb3f..5a3ad09e2786 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -85,7 +85,6 @@ int sysctl_tcp_dsack __read_mostly = 1;
 int sysctl_tcp_app_win __read_mostly = 31;
 int sysctl_tcp_adv_win_scale __read_mostly = 1;
 EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
-EXPORT_SYMBOL(sysctl_tcp_timestamps);
 
 /* rfc5961 challenge ack rate limiting */
 int sysctl_tcp_challenge_ack_limit = 1000;
@@ -6347,8 +6346,8 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
         if (security_inet_conn_request(sk, skb, req))
                 goto drop_and_free;
 
-        if (isn && tmp_opt.tstamp_ok)
-                af_ops->init_seq_tsoff(skb, &tcp_rsk(req)->ts_off);
+        if (tmp_opt.tstamp_ok)
+                tcp_rsk(req)->ts_off = af_ops->init_ts_off(skb);
 
         if (!want_cookie && !isn) {
                 /* Kill the following clause, if you dislike this way. */
@@ -6368,7 +6367,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
                         goto drop_and_release;
                 }
 
-                isn = af_ops->init_seq_tsoff(skb, &tcp_rsk(req)->ts_off);
+                isn = af_ops->init_seq(skb);
         }
         if (!dst) {
                 dst = af_ops->route_req(sk, &fl, req);
@@ -6380,7 +6379,6 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
 
         if (want_cookie) {
                 isn = cookie_init_sequence(af_ops, sk, skb, &req->mss);
-                tcp_rsk(req)->ts_off = 0;
                 req->cookie_ts = tmp_opt.tstamp_ok;
                 if (!tmp_opt.tstamp_ok)
                         inet_rsk(req)->ecn_ok = 0;
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index cbbafe546c0f..3a51582bef55 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -94,12 +94,18 @@ static int tcp_v4_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key *key,
 struct inet_hashinfo tcp_hashinfo;
 EXPORT_SYMBOL(tcp_hashinfo);
 
-static u32 tcp_v4_init_seq_and_tsoff(const struct sk_buff *skb, u32 *tsoff)
+static u32 tcp_v4_init_seq(const struct sk_buff *skb)
 {
-        return secure_tcp_seq_and_tsoff(ip_hdr(skb)->daddr,
-                                        ip_hdr(skb)->saddr,
-                                        tcp_hdr(skb)->dest,
-                                        tcp_hdr(skb)->source, tsoff);
+        return secure_tcp_seq(ip_hdr(skb)->daddr,
+                              ip_hdr(skb)->saddr,
+                              tcp_hdr(skb)->dest,
+                              tcp_hdr(skb)->source);
+}
+
+static u32 tcp_v4_init_ts_off(const struct sk_buff *skb)
+{
+        return secure_tcp_ts_off(ip_hdr(skb)->daddr,
+                                 ip_hdr(skb)->saddr);
 }
 
 int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp)
@@ -145,7 +151,6 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
         struct flowi4 *fl4;
         struct rtable *rt;
         int err;
-        u32 seq;
         struct ip_options_rcu *inet_opt;
         struct inet_timewait_death_row *tcp_death_row = &sock_net(sk)->ipv4.tcp_death_row;
 
@@ -232,13 +237,13 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
         rt = NULL;
 
         if (likely(!tp->repair)) {
-                seq = secure_tcp_seq_and_tsoff(inet->inet_saddr,
-                                               inet->inet_daddr,
-                                               inet->inet_sport,
-                                               usin->sin_port,
-                                               &tp->tsoffset);
                 if (!tp->write_seq)
-                        tp->write_seq = seq;
+                        tp->write_seq = secure_tcp_seq(inet->inet_saddr,
+                                                       inet->inet_daddr,
+                                                       inet->inet_sport,
+                                                       usin->sin_port);
+                tp->tsoffset = secure_tcp_ts_off(inet->inet_saddr,
+                                                 inet->inet_daddr);
         }
 
         inet->inet_id = tp->write_seq ^ jiffies;
@@ -1239,7 +1244,8 @@ static const struct tcp_request_sock_ops tcp_request_sock_ipv4_ops = {
         .cookie_init_seq =      cookie_v4_init_sequence,
 #endif
         .route_req      =       tcp_v4_route_req,
-        .init_seq_tsoff =       tcp_v4_init_seq_and_tsoff,
+        .init_seq       =       tcp_v4_init_seq,
+        .init_ts_off    =       tcp_v4_init_ts_off,
         .send_synack    =       tcp_v4_send_synack,
 };
 
diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c
index 9d0d4f39e42b..653bbd67e3a3 100644
--- a/net/ipv4/tcp_metrics.c
+++ b/net/ipv4/tcp_metrics.c
@@ -1011,10 +1011,7 @@ static int __net_init tcp_net_metrics_init(struct net *net)
         tcp_metrics_hash_log = order_base_2(slots);
         size = sizeof(struct tcpm_hash_bucket) << tcp_metrics_hash_log;
 
-        tcp_metrics_hash = kzalloc(size, GFP_KERNEL | __GFP_NOWARN);
-        if (!tcp_metrics_hash)
-                tcp_metrics_hash = vzalloc(size);
-
+        tcp_metrics_hash = kvzalloc(size, GFP_KERNEL);
         if (!tcp_metrics_hash)
                 return -ENOMEM;
 
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 8f6373b0cd77..717be4de5324 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -523,6 +523,7 @@ struct sock *tcp_create_openreq_child(const struct sock *sk,
                         newicsk->icsk_ack.last_seg_size = skb->len - newtp->tcp_header_len;
                 newtp->rx_opt.mss_clamp = req->mss;
                 tcp_ecn_openreq_child(newtp, req);
+                newtp->fastopen_req = NULL;
                 newtp->fastopen_rsk = NULL;
                 newtp->syn_data_acked = 0;
                 newtp->rack.mstamp.v64 = 0;
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 60111a0fc201..4858e190f6ac 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1514,6 +1514,7 @@ static void tcp_cwnd_application_limited(struct sock *sk)
 
 static void tcp_cwnd_validate(struct sock *sk, bool is_cwnd_limited)
 {
+        const struct tcp_congestion_ops *ca_ops = inet_csk(sk)->icsk_ca_ops;
         struct tcp_sock *tp = tcp_sk(sk);
 
         /* Track the maximum number of outstanding packets in each
@@ -1536,7 +1537,8 @@ static void tcp_cwnd_validate(struct sock *sk, bool is_cwnd_limited)
                         tp->snd_cwnd_used = tp->packets_out;
 
                 if (sysctl_tcp_slow_start_after_idle &&
-                    (s32)(tcp_time_stamp - tp->snd_cwnd_stamp) >= inet_csk(sk)->icsk_rto)
+                    (s32)(tcp_time_stamp - tp->snd_cwnd_stamp) >= inet_csk(sk)->icsk_rto &&
+                    !ca_ops->cong_control)
                         tcp_cwnd_application_limited(sk);
 
                 /* The following conditions together indicate the starvation
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index b09ac38d8dc4..8d297a79b568 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3328,7 +3328,8 @@ static int fixup_permanent_addr(struct inet6_dev *idev,
                                       idev->dev, 0, 0);
         }
 
-        addrconf_dad_start(ifp);
+        if (ifp->state == INET6_IFADDR_STATE_PREDAD)
+                addrconf_dad_start(ifp);
 
         return 0;
 }
@@ -3547,6 +3548,7 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event,
  */
 static struct notifier_block ipv6_dev_notf = {
         .notifier_call = addrconf_notify,
+        .priority = ADDRCONF_NOTIFY_PRIORITY,
 };
 
 static void addrconf_type_change(struct net_device *dev, unsigned long event)
@@ -3683,7 +3685,7 @@ restart:
                 if (keep) {
                         /* set state to skip the notifier below */
                         state = INET6_IFADDR_STATE_DEAD;
-                        ifa->state = 0;
+                        ifa->state = INET6_IFADDR_STATE_PREDAD;
                         if (!(ifa->flags & IFA_F_NODAD))
                                 ifa->flags |= IFA_F_TENTATIVE;
 
@@ -6572,6 +6574,8 @@ int __init addrconf_init(void)
                 goto errlo;
         }
 
+        ip6_route_init_special_entries();
+
         for (i = 0; i < IN6_ADDR_HSIZE; i++)
                 INIT_HLIST_HEAD(&inet6_addr_lst[i]);
 
diff --git a/net/ipv6/ila/ila_xlat.c b/net/ipv6/ila/ila_xlat.c
index af8f52ee7180..2fd5ca151dcf 100644
--- a/net/ipv6/ila/ila_xlat.c
+++ b/net/ipv6/ila/ila_xlat.c
@@ -41,13 +41,7 @@ static int alloc_ila_locks(struct ila_net *ilan)
         size = roundup_pow_of_two(nr_pcpus * LOCKS_PER_CPU);
 
         if (sizeof(spinlock_t) != 0) {
-#ifdef CONFIG_NUMA
-                if (size * sizeof(spinlock_t) > PAGE_SIZE)
-                        ilan->locks = vmalloc(size * sizeof(spinlock_t));
-                else
-#endif
-                ilan->locks = kmalloc_array(size, sizeof(spinlock_t),
-                                            GFP_KERNEL);
+                ilan->locks = kvmalloc(size * sizeof(spinlock_t), GFP_KERNEL);
                 if (!ilan->locks)
                         return -ENOMEM;
                 for (i = 0; i < size; i++)
diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
index bf3ad3e7b647..b2b4f031b3a1 100644
--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
@@ -235,7 +235,7 @@ int nf_nat_icmpv6_reply_translation(struct sk_buff *skb,
                 inside->icmp6.icmp6_cksum =
                         csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr,
                                         skb->len - hdrlen, IPPROTO_ICMPV6,
-                                        csum_partial(&inside->icmp6,
+                                        skb_checksum(skb, hdrlen,
                                                      skb->len - hdrlen, 0));
         }
 
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index 0da6a12b5472..1f992d9e261d 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -632,6 +632,8 @@ static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length,
                 ipv6_local_error(sk, EMSGSIZE, fl6, rt->dst.dev->mtu);
                 return -EMSGSIZE;
         }
+        if (length < sizeof(struct ipv6hdr))
+                return -EINVAL;
         if (flags&MSG_PROBE)
                 goto out;
 
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index a1bf426c959b..dc61b0b5e64e 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -3709,7 +3709,10 @@ static int ip6_route_dev_notify(struct notifier_block *this,
         struct net_device *dev = netdev_notifier_info_to_dev(ptr);
         struct net *net = dev_net(dev);
 
-        if (event == NETDEV_REGISTER && (dev->flags & IFF_LOOPBACK)) {
+        if (!(dev->flags & IFF_LOOPBACK))
+                return NOTIFY_OK;
+
+        if (event == NETDEV_REGISTER) {
                 net->ipv6.ip6_null_entry->dst.dev = dev;
                 net->ipv6.ip6_null_entry->rt6i_idev = in6_dev_get(dev);
 #ifdef CONFIG_IPV6_MULTIPLE_TABLES
@@ -3718,6 +3721,12 @@ static int ip6_route_dev_notify(struct notifier_block *this,
                 net->ipv6.ip6_blk_hole_entry->dst.dev = dev;
                 net->ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(dev);
 #endif
+         } else if (event == NETDEV_UNREGISTER) {
+                in6_dev_put(net->ipv6.ip6_null_entry->rt6i_idev);
+#ifdef CONFIG_IPV6_MULTIPLE_TABLES
+                in6_dev_put(net->ipv6.ip6_prohibit_entry->rt6i_idev);
+                in6_dev_put(net->ipv6.ip6_blk_hole_entry->rt6i_idev);
+#endif
         }
 
         return NOTIFY_OK;
@@ -4024,9 +4033,24 @@ static struct pernet_operations ip6_route_net_late_ops = {
 
 static struct notifier_block ip6_route_dev_notifier = {
         .notifier_call = ip6_route_dev_notify,
-        .priority = 0,
+        .priority = ADDRCONF_NOTIFY_PRIORITY - 10,
 };
 
+void __init ip6_route_init_special_entries(void)
+{
+        /* Registering of the loopback is done before this portion of code,
+         * the loopback reference in rt6_info will not be taken, do it
+         * manually for init_net */
+        init_net.ipv6.ip6_null_entry->dst.dev = init_net.loopback_dev;
+        init_net.ipv6.ip6_null_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
+  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
+        init_net.ipv6.ip6_prohibit_entry->dst.dev = init_net.loopback_dev;
+        init_net.ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
+        init_net.ipv6.ip6_blk_hole_entry->dst.dev = init_net.loopback_dev;
+        init_net.ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
+  #endif
+}
+
 int __init ip6_route_init(void)
 {
         int ret;
@@ -4053,17 +4077,6 @@ int __init ip6_route_init(void)
 
         ip6_dst_blackhole_ops.kmem_cachep = ip6_dst_ops_template.kmem_cachep;
 
-        /* Registering of the loopback is done before this portion of code,
-         * the loopback reference in rt6_info will not be taken, do it
-         * manually for init_net */
-        init_net.ipv6.ip6_null_entry->dst.dev = init_net.loopback_dev;
-        init_net.ipv6.ip6_null_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
-  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
-        init_net.ipv6.ip6_prohibit_entry->dst.dev = init_net.loopback_dev;
-        init_net.ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
-        init_net.ipv6.ip6_blk_hole_entry->dst.dev = init_net.loopback_dev;
-        init_net.ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
-  #endif
         ret = fib6_init();
         if (ret)
                 goto out_register_subsys;
diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
index 895ff650db43..5abc3692b901 100644
--- a/net/ipv6/syncookies.c
+++ b/net/ipv6/syncookies.c
@@ -18,6 +18,7 @@
 #include <linux/random.h>
 #include <linux/siphash.h>
 #include <linux/kernel.h>
+#include <net/secure_seq.h>
 #include <net/ipv6.h>
 #include <net/tcp.h>
 
@@ -143,6 +144,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
         int mss;
         struct dst_entry *dst;
         __u8 rcv_wscale;
+        u32 tsoff = 0;
 
         if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies || !th->ack || th->rst)
                 goto out;
@@ -162,6 +164,12 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
         memset(&tcp_opt, 0, sizeof(tcp_opt));
         tcp_parse_options(skb, &tcp_opt, 0, NULL);
 
+        if (tcp_opt.saw_tstamp && tcp_opt.rcv_tsecr) {
+                tsoff = secure_tcpv6_ts_off(ipv6_hdr(skb)->daddr.s6_addr32,
+                                            ipv6_hdr(skb)->saddr.s6_addr32);
+                tcp_opt.rcv_tsecr -= tsoff;
+        }
+
         if (!cookie_timestamp_decode(&tcp_opt))
                 goto out;
 
@@ -242,7 +250,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
         ireq->rcv_wscale = rcv_wscale;
         ireq->ecn_ok = cookie_ecn_ok(&tcp_opt, sock_net(sk), dst);
 
-        ret = tcp_get_cookie_sock(sk, skb, req, dst);
+        ret = tcp_get_cookie_sock(sk, skb, req, dst, tsoff);
 out:
         return ret;
 out_free:
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 8e42e8f54b70..aeb9497b5bb7 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -101,12 +101,18 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
         }
 }
 
-static u32 tcp_v6_init_seq_and_tsoff(const struct sk_buff *skb, u32 *tsoff)
+static u32 tcp_v6_init_seq(const struct sk_buff *skb)
 {
-        return secure_tcpv6_seq_and_tsoff(ipv6_hdr(skb)->daddr.s6_addr32,
-                                          ipv6_hdr(skb)->saddr.s6_addr32,
-                                          tcp_hdr(skb)->dest,
-                                          tcp_hdr(skb)->source, tsoff);
+        return secure_tcpv6_seq(ipv6_hdr(skb)->daddr.s6_addr32,
+                                ipv6_hdr(skb)->saddr.s6_addr32,
+                                tcp_hdr(skb)->dest,
+                                tcp_hdr(skb)->source);
+}
+
+static u32 tcp_v6_init_ts_off(const struct sk_buff *skb)
+{
+        return secure_tcpv6_ts_off(ipv6_hdr(skb)->daddr.s6_addr32,
+                                   ipv6_hdr(skb)->saddr.s6_addr32);
 }
 
 static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
@@ -122,7 +128,6 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
         struct flowi6 fl6;
         struct dst_entry *dst;
         int addr_type;
-        u32 seq;
         int err;
         struct inet_timewait_death_row *tcp_death_row = &sock_net(sk)->ipv4.tcp_death_row;
 
@@ -282,13 +287,13 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
         sk_set_txhash(sk);
 
         if (likely(!tp->repair)) {
-                seq = secure_tcpv6_seq_and_tsoff(np->saddr.s6_addr32,
-                                                 sk->sk_v6_daddr.s6_addr32,
-                                                 inet->inet_sport,
-                                                 inet->inet_dport,
-                                                 &tp->tsoffset);
                 if (!tp->write_seq)
-                        tp->write_seq = seq;
+                        tp->write_seq = secure_tcpv6_seq(np->saddr.s6_addr32,
+                                                         sk->sk_v6_daddr.s6_addr32,
+                                                         inet->inet_sport,
+                                                         inet->inet_dport);
+                tp->tsoffset = secure_tcpv6_ts_off(np->saddr.s6_addr32,
+                                                   sk->sk_v6_daddr.s6_addr32);
         }
 
         if (tcp_fastopen_defer_connect(sk, &err))
@@ -749,7 +754,8 @@ static const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
         .cookie_init_seq =      cookie_v6_init_sequence,
 #endif
         .route_req      =       tcp_v6_route_req,
-        .init_seq_tsoff =       tcp_v6_init_seq_and_tsoff,
+        .init_seq       =       tcp_v6_init_seq,
+        .init_ts_off    =       tcp_v6_init_ts_off,
         .send_synack    =       tcp_v6_send_synack,
 };
 
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 6db09fa18269..364d4e137649 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -66,6 +66,8 @@ ieee80211_ibss_build_presp(struct ieee80211_sub_if_data *sdata,
                     2 + (IEEE80211_MAX_SUPP_RATES - 8) +
                     2 + sizeof(struct ieee80211_ht_cap) +
                     2 + sizeof(struct ieee80211_ht_operation) +
+                    2 + sizeof(struct ieee80211_vht_cap) +
+                    2 + sizeof(struct ieee80211_vht_operation) +
                     ifibss->ie_len;
         presp = kzalloc(sizeof(*presp) + frame_len, GFP_KERNEL);
         if (!presp)
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 89dff563b1ec..0ea9712bd99e 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -4382,6 +4382,10 @@ static int ieee80211_prep_connection(struct ieee80211_sub_if_data *sdata,
         if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data))
                 return -EINVAL;
 
+        /* If a reconfig is happening, bail out */
+        if (local->in_reconfig)
+                return -EBUSY;
+
         if (assoc) {
                 rcu_read_lock();
                 have_sta = sta_info_get(sdata, cbss->bssid);
diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
index 088e2b459d0f..257ec66009da 100644
--- a/net/mpls/af_mpls.c
+++ b/net/mpls/af_mpls.c
@@ -2005,10 +2005,7 @@ static int resize_platform_label_table(struct net *net, size_t limit)
         unsigned index;
 
         if (size) {
-                labels = kzalloc(size, GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
-                if (!labels)
-                        labels = vzalloc(size);
-
+                labels = kvzalloc(size, GFP_KERNEL);
                 if (!labels)
                         goto nolabels;
         }
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 668d9643f0cc..1fa3c2307b6e 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3078,6 +3078,17 @@ nla_put_failure:
         return skb->len;
 }
 
+static bool ip_vs_is_af_valid(int af)
+{
+        if (af == AF_INET)
+                return true;
+#ifdef CONFIG_IP_VS_IPV6
+        if (af == AF_INET6 && ipv6_mod_enabled())
+                return true;
+#endif
+        return false;
+}
+
 static int ip_vs_genl_parse_service(struct netns_ipvs *ipvs,
                                     struct ip_vs_service_user_kern *usvc,
                                     struct nlattr *nla, int full_entry,
@@ -3105,11 +3116,7 @@ static int ip_vs_genl_parse_service(struct netns_ipvs *ipvs,
         memset(usvc, 0, sizeof(*usvc));
 
         usvc->af = nla_get_u16(nla_af);
-#ifdef CONFIG_IP_VS_IPV6
-        if (usvc->af != AF_INET && usvc->af != AF_INET6)
-#else
-        if (usvc->af != AF_INET)
-#endif
+        if (!ip_vs_is_af_valid(usvc->af))
                 return -EAFNOSUPPORT;
 
         if (nla_fwmark) {
@@ -3612,6 +3619,11 @@ static int ip_vs_genl_set_cmd(struct sk_buff *skb, struct genl_info *info)
                 if (udest.af == 0)
                         udest.af = svc->af;
 
+                if (!ip_vs_is_af_valid(udest.af)) {
+                        ret = -EAFNOSUPPORT;
+                        goto out;
+                }
+
                 if (udest.af != svc->af && cmd != IPVS_CMD_DEL_DEST) {
                         /* The synchronization protocol is incompatible
                          * with mixed family services
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index f9245dbfe435..3c8f1ed2f555 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1853,7 +1853,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_set_hashsize);
 module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint,
                   &nf_conntrack_htable_size, 0600);
 
-static unsigned int total_extension_size(void)
+static __always_inline unsigned int total_extension_size(void)
 {
         /* remember to add new extensions below */
         BUILD_BUG_ON(NF_CT_EXT_NUM > 9);
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 4b9dfe3eef62..3a60efa7799b 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -385,7 +385,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
         struct nf_conntrack_tuple_mask mask = { .src.u.all = htons(0xFFFF) };
         unsigned int h = helper_hash(&me->tuple);
         struct nf_conntrack_helper *cur;
-        int ret = 0;
+        int ret = 0, i;
 
         BUG_ON(me->expect_policy == NULL);
         BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES);
@@ -395,10 +395,26 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
                 return -EINVAL;
 
         mutex_lock(&nf_ct_helper_mutex);
-        hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
-                if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, &mask)) {
-                        ret = -EEXIST;
-                        goto out;
+        for (i = 0; i < nf_ct_helper_hsize; i++) {
+                hlist_for_each_entry(cur, &nf_ct_helper_hash[i], hnode) {
+                        if (!strcmp(cur->name, me->name) &&
+                            (cur->tuple.src.l3num == NFPROTO_UNSPEC ||
+                             cur->tuple.src.l3num == me->tuple.src.l3num) &&
+                            cur->tuple.dst.protonum == me->tuple.dst.protonum) {
+                                ret = -EEXIST;
+                                goto out;
+                        }
+                }
+        }
+
+        /* avoid unpredictable behaviour for auto_assign_helper */
+        if (!(me->flags & NF_CT_HELPER_F_USERSPACE)) {
+                hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) {
+                        if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple,
+                                                     &mask)) {
+                                ret = -EEXIST;
+                                goto out;
+                        }
                 }
         }
         hlist_add_head_rcu(&me->hnode, &nf_ct_helper_hash[h]);
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 5f6f2f388928..dcf561b5c97a 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -417,8 +417,7 @@ nla_put_failure:
         return -1;
 }
 
-static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb,
-                                     const struct nf_conn *ct)
+static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
 {
         struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
         struct nf_ct_seqadj *seq;
@@ -426,15 +425,20 @@ static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb,
         if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)
                 return 0;
 
+        spin_lock_bh(&ct->lock);
         seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
         if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)
-                return -1;
+                goto err;
 
         seq = &seqadj->seq[IP_CT_DIR_REPLY];
         if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)
-                return -1;
+                goto err;
 
+        spin_unlock_bh(&ct->lock);
         return 0;
+err:
+        spin_unlock_bh(&ct->lock);
+        return -1;
 }
 
 static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
@@ -1417,6 +1421,24 @@ ctnetlink_parse_nat_setup(struct nf_conn *ct,
 }
 #endif
 
+static void
+__ctnetlink_change_status(struct nf_conn *ct, unsigned long on,
+                          unsigned long off)
+{
+        unsigned int bit;
+
+        /* Ignore these unchangable bits */
+        on &= ~IPS_UNCHANGEABLE_MASK;
+        off &= ~IPS_UNCHANGEABLE_MASK;
+
+        for (bit = 0; bit < __IPS_MAX_BIT; bit++) {
+                if (on & (1 << bit))
+                        set_bit(bit, &ct->status);
+                else if (off & (1 << bit))
+                        clear_bit(bit, &ct->status);
+        }
+}
+
 static int
 ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
 {
@@ -1436,10 +1458,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
                 /* ASSURED bit can only be set */
                 return -EBUSY;
 
-        /* Be careful here, modifying NAT bits can screw up things,
-         * so don't let users modify them directly if they don't pass
-         * nf_nat_range. */
-        ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
+        __ctnetlink_change_status(ct, status, 0);
         return 0;
 }
 
@@ -1508,23 +1527,11 @@ static int ctnetlink_change_helper(struct nf_conn *ct,
                 return 0;
         }
 
+        rcu_read_lock();
         helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
                                             nf_ct_protonum(ct));
         if (helper == NULL) {
-#ifdef CONFIG_MODULES
-                spin_unlock_bh(&nf_conntrack_expect_lock);
-
-                if (request_module("nfct-helper-%s", helpname) < 0) {
-                        spin_lock_bh(&nf_conntrack_expect_lock);
-                        return -EOPNOTSUPP;
-                }
-
-                spin_lock_bh(&nf_conntrack_expect_lock);
-                helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
-                                                    nf_ct_protonum(ct));
-                if (helper)
-                        return -EAGAIN;
-#endif
+                rcu_read_unlock();
                 return -EOPNOTSUPP;
         }
 
@@ -1533,13 +1540,16 @@ static int ctnetlink_change_helper(struct nf_conn *ct,
                         /* update private helper data if allowed. */
                         if (helper->from_nlattr)
                                 helper->from_nlattr(helpinfo, ct);
-                        return 0;
+                        err = 0;
                 } else
-                        return -EBUSY;
+                        err = -EBUSY;
+        } else {
+                /* we cannot set a helper for an existing conntrack */
+                err = -EOPNOTSUPP;
         }
 
-        /* we cannot set a helper for an existing conntrack */
-        return -EOPNOTSUPP;
+        rcu_read_unlock();
+        return err;
 }
 
 static int ctnetlink_change_timeout(struct nf_conn *ct,
@@ -1630,25 +1640,30 @@ ctnetlink_change_seq_adj(struct nf_conn *ct,
         if (!seqadj)
                 return 0;
 
+        spin_lock_bh(&ct->lock);
         if (cda[CTA_SEQ_ADJ_ORIG]) {
                 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
                                      cda[CTA_SEQ_ADJ_ORIG]);
                 if (ret < 0)
-                        return ret;
+                        goto err;
 
-                ct->status |= IPS_SEQ_ADJUST;
+                set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
         }
 
         if (cda[CTA_SEQ_ADJ_REPLY]) {
                 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
                                      cda[CTA_SEQ_ADJ_REPLY]);
                 if (ret < 0)
-                        return ret;
+                        goto err;
 
-                ct->status |= IPS_SEQ_ADJUST;
+                set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
         }
 
+        spin_unlock_bh(&ct->lock);
         return 0;
+err:
+        spin_unlock_bh(&ct->lock);
+        return ret;
 }
 
 static int
@@ -1959,9 +1974,7 @@ static int ctnetlink_new_conntrack(struct net *net, struct sock *ctnl,
         err = -EEXIST;
         ct = nf_ct_tuplehash_to_ctrack(h);
         if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
-                spin_lock_bh(&nf_conntrack_expect_lock);
                 err = ctnetlink_change_conntrack(ct, cda);
-                spin_unlock_bh(&nf_conntrack_expect_lock);
                 if (err == 0) {
                         nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
                                                       (1 << IPCT_ASSURED) |
@@ -2294,10 +2307,10 @@ ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
         /* This check is less strict than ctnetlink_change_status()
          * because callers often flip IPS_EXPECTED bits when sending
          * an NFQA_CT attribute to the kernel.  So ignore the
-         * unchangeable bits but do not error out.
+         * unchangeable bits but do not error out. Also user programs
+         * are allowed to clear the bits that they are allowed to change.
          */
-        ct->status = (status & ~IPS_UNCHANGEABLE_MASK) |
-                     (ct->status & IPS_UNCHANGEABLE_MASK);
+        __ctnetlink_change_status(ct, status, ~status);
         return 0;
 }
 
@@ -2351,11 +2364,7 @@ ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct)
         if (ret < 0)
                 return ret;
 
-        spin_lock_bh(&nf_conntrack_expect_lock);
-        ret = ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
-        spin_unlock_bh(&nf_conntrack_expect_lock);
-
-        return ret;
+        return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
 }
 
 static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda,
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 1c6482d2c4dc..559225029740 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3778,6 +3778,11 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
         err = set->ops->insert(ctx->net, set, &elem, &ext2);
         if (err) {
                 if (err == -EEXIST) {
+                        if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) ^
+                            nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) ||
+                            nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF) ^
+                            nft_set_ext_exists(ext2, NFT_SET_EXT_OBJREF))
+                                return -EBUSY;
                         if ((nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
                              nft_set_ext_exists(ext2, NFT_SET_EXT_DATA) &&
                              memcmp(nft_set_ext_data(ext),
diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c
index 3948da380259..66221ad891a9 100644
--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -82,8 +82,7 @@ static void nft_dynset_eval(const struct nft_expr *expr,
                     nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
                         timeout = priv->timeout ? : set->timeout;
                         *nft_set_ext_expiration(ext) = jiffies + timeout;
-                } else if (sexpr == NULL)
-                        goto out;
+                }
 
                 if (sexpr != NULL)
                         sexpr->ops->eval(sexpr, regs, pkt);
@@ -92,7 +91,7 @@ static void nft_dynset_eval(const struct nft_expr *expr,
                         regs->verdict.code = NFT_BREAK;
                 return;
         }
-out:
+
         if (!priv->invert)
                 regs->verdict.code = NFT_BREAK;
 }
diff --git a/net/netfilter/nft_set_bitmap.c b/net/netfilter/nft_set_bitmap.c
index 8ebbc2940f4c..b988162b5b15 100644
--- a/net/netfilter/nft_set_bitmap.c
+++ b/net/netfilter/nft_set_bitmap.c
@@ -257,6 +257,11 @@ static int nft_bitmap_init(const struct nft_set *set,
 
 static void nft_bitmap_destroy(const struct nft_set *set)
 {
+        struct nft_bitmap *priv = nft_set_priv(set);
+        struct nft_bitmap_elem *be, *n;
+
+        list_for_each_entry_safe(be, n, &priv->list, head)
+                nft_set_elem_destroy(set, be, true);
 }
 
 static bool nft_bitmap_estimate(const struct nft_set_desc *desc, u32 features,
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 14857afc9937..8876b7da6884 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -763,17 +763,8 @@ EXPORT_SYMBOL(xt_check_entry_offsets);
  */
 unsigned int *xt_alloc_entry_offsets(unsigned int size)
 {
-        unsigned int *off;
+        return kvmalloc_array(size, sizeof(unsigned int), GFP_KERNEL | __GFP_ZERO);
 
-        off = kcalloc(size, sizeof(unsigned int), GFP_KERNEL | __GFP_NOWARN);
-
-        if (off)
-                return off;
-
-        if (size < (SIZE_MAX / sizeof(unsigned int)))
-                off = vmalloc(size * sizeof(unsigned int));
-
-        return off;
 }
 EXPORT_SYMBOL(xt_alloc_entry_offsets);
 
@@ -1007,8 +998,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
         if (sz <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER))
                 info = kmalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY);
         if (!info) {
-                info = __vmalloc(sz, GFP_KERNEL | __GFP_NOWARN |
-                                     __GFP_NORETRY | __GFP_HIGHMEM,
+                info = __vmalloc(sz, GFP_KERNEL | __GFP_NOWARN | __GFP_NORETRY,
                                  PAGE_KERNEL);
                 if (!info)
                         return NULL;
@@ -1051,8 +1041,10 @@ struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
         list_for_each_entry(t, &init_net.xt.tables[af], list) {
                 if (strcmp(t->name, name))
                         continue;
-                if (!try_module_get(t->me))
+                if (!try_module_get(t->me)) {
+                        mutex_unlock(&xt[af].mutex);
                         return NULL;
+                }
 
                 mutex_unlock(&xt[af].mutex);
                 if (t->table_init(net) != 0) {
@@ -1114,7 +1106,7 @@ static int xt_jumpstack_alloc(struct xt_table_info *i)
 
         size = sizeof(void **) * nr_cpu_ids;
         if (size > PAGE_SIZE)
-                i->jumpstack = vzalloc(size);
+                i->jumpstack = kvzalloc(size, GFP_KERNEL);
         else
                 i->jumpstack = kzalloc(size, GFP_KERNEL);
         if (i->jumpstack == NULL)
@@ -1136,12 +1128,8 @@ static int xt_jumpstack_alloc(struct xt_table_info *i)
          */
         size = sizeof(void *) * i->stacksize * 2u;
         for_each_possible_cpu(cpu) {
-                if (size > PAGE_SIZE)
-                        i->jumpstack[cpu] = vmalloc_node(size,
-                                cpu_to_node(cpu));
-                else
-                        i->jumpstack[cpu] = kmalloc_node(size,
-                                GFP_KERNEL, cpu_to_node(cpu));
+                i->jumpstack[cpu] = kvmalloc_node(size, GFP_KERNEL,
+                        cpu_to_node(cpu));
                 if (i->jumpstack[cpu] == NULL)
                         /*
                          * Freeing will be done later on by the callers. The
diff --git a/net/netfilter/xt_AUDIT.c b/net/netfilter/xt_AUDIT.c
index 19247a17e511..c502419d6306 100644
--- a/net/netfilter/xt_AUDIT.c
+++ b/net/netfilter/xt_AUDIT.c
@@ -31,146 +31,76 @@ MODULE_ALIAS("ip6t_AUDIT");
 MODULE_ALIAS("ebt_AUDIT");
 MODULE_ALIAS("arpt_AUDIT");
 
-static void audit_proto(struct audit_buffer *ab, struct sk_buff *skb,
-                        unsigned int proto, unsigned int offset)
-{
-        switch (proto) {
-        case IPPROTO_TCP:
-        case IPPROTO_UDP:
-        case IPPROTO_UDPLITE: {
-                const __be16 *pptr;
-                __be16 _ports[2];
-
-                pptr = skb_header_pointer(skb, offset, sizeof(_ports), _ports);
-                if (pptr == NULL) {
-                        audit_log_format(ab, " truncated=1");
-                        return;
-                }
-
-                audit_log_format(ab, " sport=%hu dport=%hu",
-                                 ntohs(pptr[0]), ntohs(pptr[1]));
-                }
-                break;
-
-        case IPPROTO_ICMP:
-        case IPPROTO_ICMPV6: {
-                const u8 *iptr;
-                u8 _ih[2];
-
-                iptr = skb_header_pointer(skb, offset, sizeof(_ih), &_ih);
-                if (iptr == NULL) {
-                        audit_log_format(ab, " truncated=1");
-                        return;
-                }
-
-                audit_log_format(ab, " icmptype=%hhu icmpcode=%hhu",
-                                 iptr[0], iptr[1]);
-
-                }
-                break;
-        }
-}
-
-static void audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
+static bool audit_ip4(struct audit_buffer *ab, struct sk_buff *skb)
 {
         struct iphdr _iph;
         const struct iphdr *ih;
 
-        ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
-        if (!ih) {
-                audit_log_format(ab, " truncated=1");
-                return;
-        }
+        ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_iph), &_iph);
+        if (!ih)
+                return false;
 
-        audit_log_format(ab, " saddr=%pI4 daddr=%pI4 ipid=%hu proto=%hhu",
-                &ih->saddr, &ih->daddr, ntohs(ih->id), ih->protocol);
+        audit_log_format(ab, " saddr=%pI4 daddr=%pI4 proto=%hhu",
+                         &ih->saddr, &ih->daddr, ih->protocol);
 
-        if (ntohs(ih->frag_off) & IP_OFFSET) {
-                audit_log_format(ab, " frag=1");
-                return;
-        }
-
-        audit_proto(ab, skb, ih->protocol, ih->ihl * 4);
+        return true;
 }
 
-static void audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
+static bool audit_ip6(struct audit_buffer *ab, struct sk_buff *skb)
 {
         struct ipv6hdr _ip6h;
         const struct ipv6hdr *ih;
         u8 nexthdr;
         __be16 frag_off;
-        int offset;
 
         ih = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ip6h), &_ip6h);
-        if (!ih) {
-                audit_log_format(ab, " truncated=1");
-                return;
-        }
+        if (!ih)
+                return false;
 
         nexthdr = ih->nexthdr;
-        offset = ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h),
-                                  &nexthdr, &frag_off);
+        ipv6_skip_exthdr(skb, skb_network_offset(skb) + sizeof(_ip6h), &nexthdr, &frag_off);
 
         audit_log_format(ab, " saddr=%pI6c daddr=%pI6c proto=%hhu",
                          &ih->saddr, &ih->daddr, nexthdr);
 
-        if (offset)
-                audit_proto(ab, skb, nexthdr, offset);
+        return true;
 }
 
 static unsigned int
 audit_tg(struct sk_buff *skb, const struct xt_action_param *par)
 {
-        const struct xt_audit_info *info = par->targinfo;
         struct audit_buffer *ab;
+        int fam = -1;
 
         if (audit_enabled == 0)
                 goto errout;
-
         ab = audit_log_start(NULL, GFP_ATOMIC, AUDIT_NETFILTER_PKT);
         if (ab == NULL)
                 goto errout;
 
-        audit_log_format(ab, "action=%hhu hook=%u len=%u inif=%s outif=%s",
-                         info->type, xt_hooknum(par), skb->len,
-                         xt_in(par) ? xt_inname(par) : "?",
-                         xt_out(par) ? xt_outname(par) : "?");
-
-        if (skb->mark)
-                audit_log_format(ab, " mark=%#x", skb->mark);
-
-        if (skb->dev && skb->dev->type == ARPHRD_ETHER) {
-                audit_log_format(ab, " smac=%pM dmac=%pM macproto=0x%04x",
-                                 eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
-                                 ntohs(eth_hdr(skb)->h_proto));
-
-                if (xt_family(par) == NFPROTO_BRIDGE) {
-                        switch (eth_hdr(skb)->h_proto) {
-                        case htons(ETH_P_IP):
-                                audit_ip4(ab, skb);
-                                break;
-
-                        case htons(ETH_P_IPV6):
-                                audit_ip6(ab, skb);
-                                break;
-                        }
-                }
-        }
+        audit_log_format(ab, "mark=%#x", skb->mark);
 
         switch (xt_family(par)) {
+        case NFPROTO_BRIDGE:
+                switch (eth_hdr(skb)->h_proto) {
+                case htons(ETH_P_IP):
+                        fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
+                        break;
+                case htons(ETH_P_IPV6):
+                        fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
+                        break;
+                }
+                break;
         case NFPROTO_IPV4:
-                audit_ip4(ab, skb);
+                fam = audit_ip4(ab, skb) ? NFPROTO_IPV4 : -1;
                 break;
-
         case NFPROTO_IPV6:
-                audit_ip6(ab, skb);
+                fam = audit_ip6(ab, skb) ? NFPROTO_IPV6 : -1;
                 break;
         }
 
-#ifdef CONFIG_NETWORK_SECMARK
-        if (skb->secmark)
-                audit_log_secctx(ab, skb->secmark);
-#endif
+        if (fam == -1)
+                audit_log_format(ab, " saddr=? daddr=? proto=-1");
 
         audit_log_end(ab);
 
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 3cbe1bcf6a74..bb7ad82dcd56 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -168,8 +168,10 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
                 goto err_put_timeout;
         }
         timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC);
-        if (timeout_ext == NULL)
+        if (!timeout_ext) {
                 ret = -ENOMEM;
+                goto err_put_timeout;
+        }
 
         rcu_read_unlock();
         return ret;
@@ -201,6 +203,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
                           struct xt_ct_target_info_v1 *info)
 {
         struct nf_conntrack_zone zone;
+        struct nf_conn_help *help;
         struct nf_conn *ct;
         int ret = -EOPNOTSUPP;
 
@@ -249,7 +252,7 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par,
         if (info->timeout[0]) {
                 ret = xt_ct_set_timeout(ct, par, info->timeout);
                 if (ret < 0)
-                        goto err3;
+                        goto err4;
         }
         __set_bit(IPS_CONFIRMED_BIT, &ct->status);
         nf_conntrack_get(&ct->ct_general);
@@ -257,6 +260,10 @@ out:
         info->ct = ct;
         return 0;
 
+err4:
+        help = nfct_help(ct);
+        if (help)
+                module_put(help->helper->me);
 err3:
         nf_ct_tmpl_free(ct);
 err2:
diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 37d581a31cff..3f6c4fa78bdb 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -388,10 +388,7 @@ static int recent_mt_check(const struct xt_mtchk_param *par,
         }
 
         sz = sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size;
-        if (sz <= PAGE_SIZE)
-                t = kzalloc(sz, GFP_KERNEL);
-        else
-                t = vzalloc(sz);
+        t = kvzalloc(sz, GFP_KERNEL);
         if (t == NULL) {
                 ret = -ENOMEM;
                 goto out;
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index 770bbec878f1..e75ef39669c5 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -152,7 +152,7 @@ static int socket_mt_enable_defrag(struct net *net, int family)
         switch (family) {
         case NFPROTO_IPV4:
                 return nf_defrag_ipv4_enable(net);
-#ifdef XT_SOCKET_HAVE_IPV6
+#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
         case NFPROTO_IPV6:
                 return nf_defrag_ipv6_enable(net);
 #endif
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 42a95919df09..bf602e33c40a 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -516,10 +516,38 @@ ovs_ct_expect_find(struct net *net, const struct nf_conntrack_zone *zone,
                    u16 proto, const struct sk_buff *skb)
 {
         struct nf_conntrack_tuple tuple;
+        struct nf_conntrack_expect *exp;
 
         if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, &tuple))
                 return NULL;
-        return __nf_ct_expect_find(net, zone, &tuple);
+
+        exp = __nf_ct_expect_find(net, zone, &tuple);
+        if (exp) {
+                struct nf_conntrack_tuple_hash *h;
+
+                /* Delete existing conntrack entry, if it clashes with the
+                 * expectation.  This can happen since conntrack ALGs do not
+                 * check for clashes between (new) expectations and existing
+                 * conntrack entries.  nf_conntrack_in() will check the
+                 * expectations only if a conntrack entry can not be found,
+                 * which can lead to OVS finding the expectation (here) in the
+                 * init direction, but which will not be removed by the
+                 * nf_conntrack_in() call, if a matching conntrack entry is
+                 * found instead.  In this case all init direction packets
+                 * would be reported as new related packets, while reply
+                 * direction packets would be reported as un-related
+                 * established packets.
+                 */
+                h = nf_conntrack_find_get(net, zone, &tuple);
+                if (h) {
+                        struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
+
+                        nf_ct_delete(ct, 0, 0);
+                        nf_conntrack_put(&ct->ct_general);
+                }
+        }
+
+        return exp;
 }
 
 /* This replicates logic from nf_conntrack_core.c that is not exported. */
diff --git a/net/sched/cls_matchall.c b/net/sched/cls_matchall.c
index 2efb36c08f2a..dee469fed967 100644
--- a/net/sched/cls_matchall.c
+++ b/net/sched/cls_matchall.c
@@ -203,8 +203,7 @@ static int mall_change(struct net *net, struct sk_buff *in_skb,
 
         *arg = (unsigned long) head;
         rcu_assign_pointer(tp->root, new);
-        if (head)
-                call_rcu(&head->rcu, mall_destroy_rcu);
+        call_rcu(&head->rcu, mall_destroy_rcu);
         return 0;
 
 err_replace_hw_filter:
diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c
index d00f4c7c2f3a..b30a2c70bd48 100644
--- a/net/sched/sch_choke.c
+++ b/net/sched/sch_choke.c
@@ -376,10 +376,7 @@ static int choke_change(struct Qdisc *sch, struct nlattr *opt)
         if (mask != q->tab_mask) {
                 struct sk_buff **ntab;
 
-                ntab = kcalloc(mask + 1, sizeof(struct sk_buff *),
-                               GFP_KERNEL | __GFP_NOWARN);
-                if (!ntab)
-                        ntab = vzalloc((mask + 1) * sizeof(struct sk_buff *));
+                ntab = kvmalloc_array((mask + 1), sizeof(struct sk_buff *), GFP_KERNEL | __GFP_ZERO);
                 if (!ntab)
                         return -ENOMEM;
 
diff --git a/net/sched/sch_fq.c b/net/sched/sch_fq.c
index da4f67bda0ee..b488721a0059 100644
--- a/net/sched/sch_fq.c
+++ b/net/sched/sch_fq.c
@@ -624,16 +624,6 @@ static void fq_rehash(struct fq_sched_data *q,
         q->stat_gc_flows += fcnt;
 }
 
-static void *fq_alloc_node(size_t sz, int node)
-{
-        void *ptr;
-
-        ptr = kmalloc_node(sz, GFP_KERNEL | __GFP_REPEAT | __GFP_NOWARN, node);
-        if (!ptr)
-                ptr = vmalloc_node(sz, node);
-        return ptr;
-}
-
 static void fq_free(void *addr)
 {
         kvfree(addr);
@@ -650,7 +640,7 @@ static int fq_resize(struct Qdisc *sch, u32 log)
                 return 0;
 
         /* If XPS was setup, we can allocate memory on right NUMA node */
-        array = fq_alloc_node(sizeof(struct rb_root) << log,
+        array = kvmalloc_node(sizeof(struct rb_root) << log, GFP_KERNEL | __GFP_REPEAT,
                               netdev_queue_numa_node_read(sch->dev_queue));
         if (!array)
                 return -ENOMEM;
diff --git a/net/sched/sch_fq_codel.c b/net/sched/sch_fq_codel.c
index 18bbb5476c83..9201abce928c 100644
--- a/net/sched/sch_fq_codel.c
+++ b/net/sched/sch_fq_codel.c
@@ -446,27 +446,13 @@ static int fq_codel_change(struct Qdisc *sch, struct nlattr *opt)
         return 0;
 }
 
-static void *fq_codel_zalloc(size_t sz)
-{
-        void *ptr = kzalloc(sz, GFP_KERNEL | __GFP_NOWARN);
-
-        if (!ptr)
-                ptr = vzalloc(sz);
-        return ptr;
-}
-
-static void fq_codel_free(void *addr)
-{
-        kvfree(addr);
-}
-
 static void fq_codel_destroy(struct Qdisc *sch)
 {
         struct fq_codel_sched_data *q = qdisc_priv(sch);
 
         tcf_destroy_chain(&q->filter_list);
-        fq_codel_free(q->backlogs);
-        fq_codel_free(q->flows);
+        kvfree(q->backlogs);
+        kvfree(q->flows);
 }
 
 static int fq_codel_init(struct Qdisc *sch, struct nlattr *opt)
@@ -493,13 +479,13 @@ static int fq_codel_init(struct Qdisc *sch, struct nlattr *opt)
         }
 
         if (!q->flows) {
-                q->flows = fq_codel_zalloc(q->flows_cnt *
-                                           sizeof(struct fq_codel_flow));
+                q->flows = kvzalloc(q->flows_cnt *
+                                           sizeof(struct fq_codel_flow), GFP_KERNEL);
                 if (!q->flows)
                         return -ENOMEM;
-                q->backlogs = fq_codel_zalloc(q->flows_cnt * sizeof(u32));
+                q->backlogs = kvzalloc(q->flows_cnt * sizeof(u32), GFP_KERNEL);
                 if (!q->backlogs) {
-                        fq_codel_free(q->flows);
+                        kvfree(q->flows);
                         return -ENOMEM;
                 }
                 for (i = 0; i < q->flows_cnt; i++) {
diff --git a/net/sched/sch_hhf.c b/net/sched/sch_hhf.c
index c19d346e6c5a..51d3ba682af9 100644
--- a/net/sched/sch_hhf.c
+++ b/net/sched/sch_hhf.c
@@ -467,29 +467,14 @@ static void hhf_reset(struct Qdisc *sch)
                 rtnl_kfree_skbs(skb, skb);
 }
 
-static void *hhf_zalloc(size_t sz)
-{
-        void *ptr = kzalloc(sz, GFP_KERNEL | __GFP_NOWARN);
-
-        if (!ptr)
-                ptr = vzalloc(sz);
-
-        return ptr;
-}
-
-static void hhf_free(void *addr)
-{
-        kvfree(addr);
-}
-
 static void hhf_destroy(struct Qdisc *sch)
 {
         int i;
         struct hhf_sched_data *q = qdisc_priv(sch);
 
         for (i = 0; i < HHF_ARRAYS_CNT; i++) {
-                hhf_free(q->hhf_arrays[i]);
-                hhf_free(q->hhf_valid_bits[i]);
+                kvfree(q->hhf_arrays[i]);
+                kvfree(q->hhf_valid_bits[i]);
         }
 
         for (i = 0; i < HH_FLOWS_CNT; i++) {
@@ -503,7 +488,7 @@ static void hhf_destroy(struct Qdisc *sch)
                         kfree(flow);
                 }
         }
-        hhf_free(q->hh_flows);
+        kvfree(q->hh_flows);
 }
 
 static const struct nla_policy hhf_policy[TCA_HHF_MAX + 1] = {
@@ -609,8 +594,8 @@ static int hhf_init(struct Qdisc *sch, struct nlattr *opt)
 
         if (!q->hh_flows) {
                 /* Initialize heavy-hitter flow table. */
-                q->hh_flows = hhf_zalloc(HH_FLOWS_CNT *
-                                         sizeof(struct list_head));
+                q->hh_flows = kvzalloc(HH_FLOWS_CNT *
+                                         sizeof(struct list_head), GFP_KERNEL);
                 if (!q->hh_flows)
                         return -ENOMEM;
                 for (i = 0; i < HH_FLOWS_CNT; i++)
@@ -624,8 +609,8 @@ static int hhf_init(struct Qdisc *sch, struct nlattr *opt)
 
                 /* Initialize heavy-hitter filter arrays. */
                 for (i = 0; i < HHF_ARRAYS_CNT; i++) {
-                        q->hhf_arrays[i] = hhf_zalloc(HHF_ARRAYS_LEN *
-                                                      sizeof(u32));
+                        q->hhf_arrays[i] = kvzalloc(HHF_ARRAYS_LEN *
+                                                      sizeof(u32), GFP_KERNEL);
                         if (!q->hhf_arrays[i]) {
                                 /* Note: hhf_destroy() will be called
                                  * by our caller.
@@ -637,8 +622,8 @@ static int hhf_init(struct Qdisc *sch, struct nlattr *opt)
 
                 /* Initialize valid bits of heavy-hitter filter arrays. */
                 for (i = 0; i < HHF_ARRAYS_CNT; i++) {
-                        q->hhf_valid_bits[i] = hhf_zalloc(HHF_ARRAYS_LEN /
-                                                          BITS_PER_BYTE);
+                        q->hhf_valid_bits[i] = kvzalloc(HHF_ARRAYS_LEN /
+                                                          BITS_PER_BYTE, GFP_KERNEL);
                         if (!q->hhf_valid_bits[i]) {
                                 /* Note: hhf_destroy() will be called
                                  * by our caller.
diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index f0ce4780f395..1b3dd6190e93 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -702,15 +702,11 @@ static int get_dist_table(struct Qdisc *sch, const struct nlattr *attr)
         spinlock_t *root_lock;
         struct disttable *d;
         int i;
-        size_t s;
 
         if (n > NETEM_DIST_MAX)
                 return -EINVAL;
 
-        s = sizeof(struct disttable) + n * sizeof(s16);
-        d = kmalloc(s, GFP_KERNEL | __GFP_NOWARN);
-        if (!d)
-                d = vmalloc(s);
+        d = kvmalloc(sizeof(struct disttable) + n * sizeof(s16), GFP_KERNEL);
         if (!d)
                 return -ENOMEM;
 
diff --git a/net/sched/sch_sfq.c b/net/sched/sch_sfq.c
index b00e02c139de..332d94be6e1c 100644
--- a/net/sched/sch_sfq.c
+++ b/net/sched/sch_sfq.c
@@ -685,11 +685,7 @@ static int sfq_change(struct Qdisc *sch, struct nlattr *opt)
 
 static void *sfq_alloc(size_t sz)
 {
-        void *ptr = kmalloc(sz, GFP_KERNEL | __GFP_NOWARN);
-
-        if (!ptr)
-                ptr = vmalloc(sz);
-        return ptr;
+        return  kvmalloc(sz, GFP_KERNEL);
 }
 
 static void sfq_free(void *addr)
diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
index 16b7c801f8b6..cb69ab977cd7 100644
--- a/net/smc/smc_ib.c
+++ b/net/smc/smc_ib.c
@@ -80,12 +80,11 @@ static int smc_ib_modify_qp_rtr(struct smc_link *lnk)
         memset(&qp_attr, 0, sizeof(qp_attr));
         qp_attr.qp_state = IB_QPS_RTR;
         qp_attr.path_mtu = min(lnk->path_mtu, lnk->peer_mtu);
-        qp_attr.ah_attr.port_num = lnk->ibport;
-        qp_attr.ah_attr.ah_flags = IB_AH_GRH;
-        qp_attr.ah_attr.grh.hop_limit = 1;
-        memcpy(&qp_attr.ah_attr.grh.dgid, lnk->peer_gid,
-               sizeof(lnk->peer_gid));
-        memcpy(&qp_attr.ah_attr.dmac, lnk->peer_mac,
+        qp_attr.ah_attr.type = RDMA_AH_ATTR_TYPE_ROCE;
+        rdma_ah_set_port_num(&qp_attr.ah_attr, lnk->ibport);
+        rdma_ah_set_grh(&qp_attr.ah_attr, NULL, 0, 0, 1, 0);
+        rdma_ah_set_dgid_raw(&qp_attr.ah_attr, lnk->peer_gid);
+        memcpy(&qp_attr.ah_attr.roce.dmac, lnk->peer_mac,
                sizeof(lnk->peer_mac));
         qp_attr.dest_qp_num = lnk->peer_qpn;
         qp_attr.rq_psn = lnk->peer_psn; /* starting receive packet seq # */
diff --git a/net/sysctl_net.c b/net/sysctl_net.c
index 919981324171..9aed6fe1bf1a 100644
--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -106,7 +106,6 @@ __init int net_sysctl_init(void)
         ret = register_pernet_subsys(&sysctl_pernet_ops);
         if (ret)
                 goto out1;
-        register_sysctl_root(&net_sysctl_root);
 out:
         return ret;
 out1:
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 570fc95dc507..c3bc9da30cff 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2764,8 +2764,8 @@ static int nl80211_parse_mon_options(struct cfg80211_registered_device *rdev,
                         nla_data(info->attrs[NL80211_ATTR_MU_MIMO_GROUP_DATA]);
 
                 /* bits 0 and 63 are reserved and must be zero */
-                if ((mumimo_groups[0] & BIT(7)) ||
-                    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(0)))
+                if ((mumimo_groups[0] & BIT(0)) ||
+                    (mumimo_groups[VHT_MUMIMO_GROUPS_DATA_LEN - 1] & BIT(7)))
                         return -EINVAL;
 
                 params->vht_mumimo_groups = mumimo_groups;