40 files changed, 329 insertions, 302 deletions

diff --git a/net/core/dev.c b/net/core/dev.c
index 1225b4be8ed6..13f49f81ae13 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -99,6 +99,7 @@
 #include <linux/rtnetlink.h>
 #include <linux/stat.h>
 #include <net/dst.h>
+#include <net/dst_metadata.h>
 #include <net/pkt_sched.h>
 #include <net/checksum.h>
 #include <net/xfrm.h>
@@ -682,6 +683,32 @@ int dev_get_iflink(const struct net_device *dev)
 EXPORT_SYMBOL(dev_get_iflink);
 
 /**
+ *      dev_fill_metadata_dst - Retrieve tunnel egress information.
+ *      @dev: targeted interface
+ *      @skb: The packet.
+ *
+ *      For better visibility of tunnel traffic OVS needs to retrieve
+ *      egress tunnel information for a packet. Following API allows
+ *      user to get this info.
+ */
+int dev_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
+{
+        struct ip_tunnel_info *info;
+
+        if (!dev->netdev_ops  || !dev->netdev_ops->ndo_fill_metadata_dst)
+                return -EINVAL;
+
+        info = skb_tunnel_info_unclone(skb);
+        if (!info)
+                return -ENOMEM;
+        if (unlikely(!(info->mode & IP_TUNNEL_INFO_TX)))
+                return -EINVAL;
+
+        return dev->netdev_ops->ndo_fill_metadata_dst(dev, skb);
+}
+EXPORT_SYMBOL_GPL(dev_fill_metadata_dst);
+
+/**
  *      __dev_get_by_name       - find a device by its name
  *      @net: the applicable net namespace
  *      @name: name to find
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index bd0679d90519..614521437e30 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -498,10 +498,26 @@ static struct sk_buff *gre_handle_offloads(struct sk_buff *skb,
                                         csum ? SKB_GSO_GRE_CSUM : SKB_GSO_GRE);
 }
 
+static struct rtable *gre_get_rt(struct sk_buff *skb,
+                                 struct net_device *dev,
+                                 struct flowi4 *fl,
+                                 const struct ip_tunnel_key *key)
+{
+        struct net *net = dev_net(dev);
+
+        memset(fl, 0, sizeof(*fl));
+        fl->daddr = key->u.ipv4.dst;
+        fl->saddr = key->u.ipv4.src;
+        fl->flowi4_tos = RT_TOS(key->tos);
+        fl->flowi4_mark = skb->mark;
+        fl->flowi4_proto = IPPROTO_GRE;
+
+        return ip_route_output_key(net, fl);
+}
+
 static void gre_fb_xmit(struct sk_buff *skb, struct net_device *dev)
 {
         struct ip_tunnel_info *tun_info;
-        struct net *net = dev_net(dev);
         const struct ip_tunnel_key *key;
         struct flowi4 fl;
         struct rtable *rt;
@@ -516,14 +532,7 @@ static void gre_fb_xmit(struct sk_buff *skb, struct net_device *dev)
                 goto err_free_skb;
 
         key = &tun_info->key;
-        memset(&fl, 0, sizeof(fl));
-        fl.daddr = key->u.ipv4.dst;
-        fl.saddr = key->u.ipv4.src;
-        fl.flowi4_tos = RT_TOS(key->tos);
-        fl.flowi4_mark = skb->mark;
-        fl.flowi4_proto = IPPROTO_GRE;
-
-        rt = ip_route_output_key(net, &fl);
+        rt = gre_get_rt(skb, dev, &fl, key);
         if (IS_ERR(rt))
                 goto err_free_skb;
 
@@ -566,6 +575,24 @@ err_free_skb:
         dev->stats.tx_dropped++;
 }
 
+static int gre_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
+{
+        struct ip_tunnel_info *info = skb_tunnel_info(skb);
+        struct rtable *rt;
+        struct flowi4 fl4;
+
+        if (ip_tunnel_info_af(info) != AF_INET)
+                return -EINVAL;
+
+        rt = gre_get_rt(skb, dev, &fl4, &info->key);
+        if (IS_ERR(rt))
+                return PTR_ERR(rt);
+
+        ip_rt_put(rt);
+        info->key.u.ipv4.src = fl4.saddr;
+        return 0;
+}
+
 static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
                               struct net_device *dev)
 {
@@ -1023,6 +1050,7 @@ static const struct net_device_ops gre_tap_netdev_ops = {
         .ndo_change_mtu         = ip_tunnel_change_mtu,
         .ndo_get_stats64        = ip_tunnel_get_stats64,
         .ndo_get_iflink         = ip_tunnel_get_iflink,
+        .ndo_fill_metadata_dst  = gre_fill_metadata_dst,
 };
 
 static void ipgre_tap_setup(struct net_device *dev)
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index 690d27d3f2f9..a35584176535 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -75,6 +75,7 @@ endif # NF_TABLES
 
 config NF_DUP_IPV4
         tristate "Netfilter IPv4 packet duplication to alternate destination"
+        depends on !NF_CONNTRACK || NF_CONNTRACK
         help
           This option enables the nf_dup_ipv4 core, which duplicates an IPv4
           packet to be rerouted to another destination.
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index 74dd6671b66d..78cc64eddfc1 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -60,9 +60,7 @@ static bool rpfilter_lookup_reverse(struct net *net, struct flowi4 *fl4,
         if (FIB_RES_DEV(res) == dev)
                 dev_match = true;
 #endif
-        if (dev_match || flags & XT_RPFILTER_LOOSE)
-                return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
-        return dev_match;
+        return dev_match || flags & XT_RPFILTER_LOOSE;
 }
 
 static bool rpfilter_is_local(const struct sk_buff *skb)
diff --git a/net/ipv4/tcp_dctcp.c b/net/ipv4/tcp_dctcp.c
index 7092a61c4dc8..7e538f71f5fb 100644
--- a/net/ipv4/tcp_dctcp.c
+++ b/net/ipv4/tcp_dctcp.c
@@ -209,7 +209,7 @@ static void dctcp_update_alpha(struct sock *sk, u32 flags)
 
                 /* alpha = (1 - g) * alpha + g * F */
 
-                alpha -= alpha >> dctcp_shift_g;
+                alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);
                 if (bytes_ecn) {
                         /* If dctcp_shift_g == 1, a 32bit value would overflow
                          * after 8 Mbytes.
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index f6f7f9b4901b..f4f9793eb025 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3410,7 +3410,7 @@ static int tcp_xmit_probe_skb(struct sock *sk, int urgent, int mib)
          */
         tcp_init_nondata_skb(skb, tp->snd_una - !urgent, TCPHDR_ACK);
         skb_mstamp_get(&skb->skb_mstamp);
-        NET_INC_STATS_BH(sock_net(sk), mib);
+        NET_INC_STATS(sock_net(sk), mib);
         return tcp_transmit_skb(sk, skb, 0, GFP_ATOMIC);
 }
 
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 9f298d0dc9a1..7ee6518afa86 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -30,6 +30,8 @@ static int xfrm4_tunnel_check_size(struct sk_buff *skb)
 
         mtu = dst_mtu(skb_dst(skb));
         if (skb->len > mtu) {
+                skb->protocol = htons(ETH_P_IP);
+
                 if (skb->sk)
                         xfrm_local_error(skb, mtu);
                 else
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index 9f777ec59a59..ed33abf57abd 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -32,6 +32,7 @@ struct fib6_rule {
 struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
                                    int flags, pol_lookup_t lookup)
 {
+        struct rt6_info *rt;
         struct fib_lookup_arg arg = {
                 .lookup_ptr = lookup,
                 .flags = FIB_LOOKUP_NOREF,
@@ -40,11 +41,21 @@ struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
         fib_rules_lookup(net->ipv6.fib6_rules_ops,
                          flowi6_to_flowi(fl6), flags, &arg);
 
-        if (arg.result)
-                return arg.result;
+        rt = arg.result;
 
-        dst_hold(&net->ipv6.ip6_null_entry->dst);
-        return &net->ipv6.ip6_null_entry->dst;
+        if (!rt) {
+                dst_hold(&net->ipv6.ip6_null_entry->dst);
+                return &net->ipv6.ip6_null_entry->dst;
+        }
+
+        if (rt->rt6i_flags & RTF_REJECT &&
+            rt->dst.error == -EAGAIN) {
+                ip6_rt_put(rt);
+                rt = net->ipv6.ip6_null_entry;
+                dst_hold(&rt->dst);
+        }
+
+        return &rt->dst;
 }
 
 static int fib6_rule_action(struct fib_rule *rule, struct flowi *flp,
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 09fddf70cca4..0c7e276c230e 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -286,7 +286,17 @@ struct fib6_table *fib6_get_table(struct net *net, u32 id)
 struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6,
                                    int flags, pol_lookup_t lookup)
 {
-        return (struct dst_entry *) lookup(net, net->ipv6.fib6_main_tbl, fl6, flags);
+        struct rt6_info *rt;
+
+        rt = lookup(net, net->ipv6.fib6_main_tbl, fl6, flags);
+        if (rt->rt6i_flags & RTF_REJECT &&
+            rt->dst.error == -EAGAIN) {
+                ip6_rt_put(rt);
+                rt = net->ipv6.ip6_null_entry;
+                dst_hold(&rt->dst);
+        }
+
+        return &rt->dst;
 }
 
 static void __net_init fib6_tables_init(struct net *net)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 0c89671e0767..c2650688aca7 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -28,6 +28,7 @@
 
 #include <linux/errno.h>
 #include <linux/kernel.h>
+#include <linux/overflow-arith.h>
 #include <linux/string.h>
 #include <linux/socket.h>
 #include <linux/net.h>
@@ -596,7 +597,10 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
                 if (np->frag_size)
                         mtu = np->frag_size;
         }
-        mtu -= hlen + sizeof(struct frag_hdr);
+
+        if (overflow_usub(mtu, hlen + sizeof(struct frag_hdr), &mtu) ||
+            mtu <= 7)
+                goto fail_toobig;
 
         frag_id = ipv6_select_ident(net, &ipv6_hdr(skb)->daddr,
                                     &ipv6_hdr(skb)->saddr);
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 96833e4b3193..f6a024e141e5 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -58,6 +58,7 @@ endif # NF_TABLES
 
 config NF_DUP_IPV6
         tristate "Netfilter IPv6 packet duplication to alternate destination"
+        depends on !NF_CONNTRACK || NF_CONNTRACK
         help
           This option enables the nf_dup_ipv6 core, which duplicates an IPv6
           packet to be rerouted to another destination.
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index d0619632723a..2701cb3d88e9 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1171,6 +1171,7 @@ struct dst_entry *ip6_route_output(struct net *net, const struct sock *sk,
 {
         struct dst_entry *dst;
         int flags = 0;
+        bool any_src;
 
         dst = l3mdev_rt6_dst_by_oif(net, fl6);
         if (dst)
@@ -1178,11 +1179,12 @@ struct dst_entry *ip6_route_output(struct net *net, const struct sock *sk,
 
         fl6->flowi6_iif = LOOPBACK_IFINDEX;
 
+        any_src = ipv6_addr_any(&fl6->saddr);
         if ((sk && sk->sk_bound_dev_if) || rt6_need_strict(&fl6->daddr) ||
-            fl6->flowi6_oif)
+            (fl6->flowi6_oif && any_src))
                 flags |= RT6_LOOKUP_F_IFACE;
 
-        if (!ipv6_addr_any(&fl6->saddr))
+        if (!any_src)
                 flags |= RT6_LOOKUP_F_HAS_SADDR;
         else if (sk)
                 flags |= rt6_srcprefs2flags(inet6_sk(sk)->srcprefs);
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index 9db067a11b52..4d09ce6fa90e 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -79,6 +79,7 @@ static int xfrm6_tunnel_check_size(struct sk_buff *skb)
 
         if (!skb->ignore_df && skb->len > mtu) {
                 skb->dev = dst->dev;
+                skb->protocol = htons(ETH_P_IPV6);
 
                 if (xfrm6_local_dontfrag(skb))
                         xfrm6_local_rxpmtu(skb, mtu);
@@ -143,6 +144,7 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
         struct dst_entry *dst = skb_dst(skb);
         struct xfrm_state *x = dst->xfrm;
         int mtu;
+        bool toobig;
 
 #ifdef CONFIG_NETFILTER
         if (!x) {
@@ -151,25 +153,29 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb)
         }
 #endif
 
+        if (x->props.mode != XFRM_MODE_TUNNEL)
+                goto skip_frag;
+
         if (skb->protocol == htons(ETH_P_IPV6))
                 mtu = ip6_skb_dst_mtu(skb);
         else
                 mtu = dst_mtu(skb_dst(skb));
 
-        if (skb->len > mtu && xfrm6_local_dontfrag(skb)) {
+        toobig = skb->len > mtu && !skb_is_gso(skb);
+
+        if (toobig && xfrm6_local_dontfrag(skb)) {
                 xfrm6_local_rxpmtu(skb, mtu);
                 return -EMSGSIZE;
-        } else if (!skb->ignore_df && skb->len > mtu && skb->sk) {
+        } else if (!skb->ignore_df && toobig && skb->sk) {
                 xfrm_local_error(skb, mtu);
                 return -EMSGSIZE;
         }
 
-        if (x->props.mode == XFRM_MODE_TUNNEL &&
-            ((skb->len > mtu && !skb_is_gso(skb)) ||
-                dst_allfrag(skb_dst(skb)))) {
+        if (toobig || dst_allfrag(skb_dst(skb)))
                 return ip6_fragment(net, sk, skb,
                                     __xfrm6_output_finish);
-        }
+
+skip_frag:
         return x->outer_mode->afinfo->output_finish(sk, skb);
 }
 
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 08c9c93f3527..2cc5840f943d 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -177,7 +177,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
                         return;
 
                 case IPPROTO_ICMPV6:
-                        if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) {
+                        if (!onlyproto && (nh + offset + 2 < skb->data ||
+                            pskb_may_pull(skb, nh + offset + 2 - skb->data))) {
                                 u8 *icmp;
 
                                 nh = skb_network_header(skb);
@@ -191,7 +192,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
 #if IS_ENABLED(CONFIG_IPV6_MIP6)
                 case IPPROTO_MH:
                         offset += ipv6_optlen(exthdr);
-                        if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) {
+                        if (!onlyproto && (nh + offset + 3 < skb->data ||
+                            pskb_may_pull(skb, nh + offset + 3 - skb->data))) {
                                 struct ip6_mh *mh;
 
                                 nh = skb_network_header(skb);
diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c
index a26c401ef4a4..43964594aa12 100644
--- a/net/irda/irlmp.c
+++ b/net/irda/irlmp.c
@@ -1839,7 +1839,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off)
         for (element = hashbin_get_first(iter->hashbin);
              element != NULL;
              element = hashbin_get_next(iter->hashbin)) {
-                if (!off || *off-- == 0) {
+                if (!off || (*off)-- == 0) {
                         /* NB: hashbin left locked */
                         return element;
                 }
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 83a70688784b..f9c9ecb0cdd3 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -261,7 +261,7 @@ static int pfkey_broadcast(struct sk_buff *skb,
 
                 err2 = pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk);
 
-                /* Error is cleare after succecful sending to at least one
+                /* Error is cleared after successful sending to at least one
                  * registered KM */
                 if ((broadcast_flags & BROADCAST_REGISTERED) && err)
                         err = err2;
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 09e661c3ae58..f39276d1c2d7 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -152,6 +152,8 @@ void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg)
 #endif
         synchronize_net();
         nf_queue_nf_hook_drop(net, &entry->ops);
+        /* other cpu might still process nfqueue verdict that used reg */
+        synchronize_net();
         kfree(entry);
 }
 EXPORT_SYMBOL(nf_unregister_net_hook);
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index a1fe5377a2b3..5a30ce6e8c90 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -297,7 +297,7 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext,
               ip_set_timeout_expired(ext_timeout(n, set))))
                 n =  NULL;
 
-        e = kzalloc(set->dsize, GFP_KERNEL);
+        e = kzalloc(set->dsize, GFP_ATOMIC);
         if (!e)
                 return -ENOMEM;
         e->id = d->id;
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 0a49a8c7c564..fafe33bdb619 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2371,7 +2371,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname,
                 int pos, idx, shift;
 
                 err = 0;
-                netlink_table_grab();
+                netlink_lock_table();
                 for (pos = 0; pos * 8 < nlk->ngroups; pos += sizeof(u32)) {
                         if (len - pos < sizeof(u32))
                                 break;
@@ -2386,7 +2386,7 @@ static int netlink_getsockopt(struct socket *sock, int level, int optname,
                 }
                 if (put_user(ALIGN(nlk->ngroups / 8, sizeof(u32)), optlen))
                         err = -EFAULT;
-                netlink_table_ungrab();
+                netlink_unlock_table();
                 break;
         }
         case NETLINK_CAP_ACK:
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index c6087233d7fc..221fa8b37a47 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -769,7 +769,6 @@ static int output_userspace(struct datapath *dp, struct sk_buff *skb,
                             struct sw_flow_key *key, const struct nlattr *attr,
                             const struct nlattr *actions, int actions_len)
 {
-        struct ip_tunnel_info info;
         struct dp_upcall_info upcall;
         const struct nlattr *a;
         int rem;
@@ -797,11 +796,9 @@ static int output_userspace(struct datapath *dp, struct sk_buff *skb,
                         if (vport) {
                                 int err;
 
-                                upcall.egress_tun_info = &info;
-                                err = ovs_vport_get_egress_tun_info(vport, skb,
-                                                                    &upcall);
-                                if (err)
-                                        upcall.egress_tun_info = NULL;
+                                err = dev_fill_metadata_dst(vport->dev, skb);
+                                if (!err)
+                                        upcall.egress_tun_info = skb_tunnel_info(skb);
                         }
 
                         break;
diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 9ed833e9bb7d..bd165ee2bb16 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -151,6 +151,8 @@ static void ovs_ct_update_key(const struct sk_buff *skb,
         ct = nf_ct_get(skb, &ctinfo);
         if (ct) {
                 state = ovs_ct_get_state(ctinfo);
+                if (!nf_ct_is_confirmed(ct))
+                        state |= OVS_CS_F_NEW;
                 if (ct->master)
                         state |= OVS_CS_F_RELATED;
                 zone = nf_ct_zone(ct);
@@ -222,9 +224,6 @@ static int ovs_ct_set_labels(struct sk_buff *skb, struct sw_flow_key *key,
         struct nf_conn *ct;
         int err;
 
-        if (!IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS))
-                return -ENOTSUPP;
-
         /* The connection could be invalid, in which case set_label is no-op.*/
         ct = nf_ct_get(skb, &ctinfo);
         if (!ct)
@@ -377,7 +376,7 @@ static bool skb_nfct_cached(const struct net *net, const struct sk_buff *skb,
         return true;
 }
 
-static int __ovs_ct_lookup(struct net *net, const struct sw_flow_key *key,
+static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
                            const struct ovs_conntrack_info *info,
                            struct sk_buff *skb)
 {
@@ -408,6 +407,8 @@ static int __ovs_ct_lookup(struct net *net, const struct sw_flow_key *key,
                 }
         }
 
+        ovs_ct_update_key(skb, key, true);
+
         return 0;
 }
 
@@ -430,8 +431,6 @@ static int ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
                 err = __ovs_ct_lookup(net, key, info, skb);
                 if (err)
                         return err;
-
-                ovs_ct_update_key(skb, key, true);
         }
 
         return 0;
@@ -460,8 +459,6 @@ static int ovs_ct_commit(struct net *net, struct sw_flow_key *key,
         if (nf_conntrack_confirm(skb) != NF_ACCEPT)
                 return -EINVAL;
 
-        ovs_ct_update_key(skb, key, true);
-
         return 0;
 }
 
@@ -587,6 +584,10 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info,
                 case OVS_CT_ATTR_MARK: {
                         struct md_mark *mark = nla_data(a);
 
+                        if (!mark->mask) {
+                                OVS_NLERR(log, "ct_mark mask cannot be 0");
+                                return -EINVAL;
+                        }
                         info->mark = *mark;
                         break;
                 }
@@ -595,6 +596,10 @@ static int parse_ct(const struct nlattr *attr, struct ovs_conntrack_info *info,
                 case OVS_CT_ATTR_LABELS: {
                         struct md_labels *labels = nla_data(a);
 
+                        if (!labels_nonzero(&labels->mask)) {
+                                OVS_NLERR(log, "ct_labels mask cannot be 0");
+                                return -EINVAL;
+                        }
                         info->labels = *labels;
                         break;
                 }
@@ -705,11 +710,12 @@ int ovs_ct_action_to_attr(const struct ovs_conntrack_info *ct_info,
         if (IS_ENABLED(CONFIG_NF_CONNTRACK_ZONES) &&
             nla_put_u16(skb, OVS_CT_ATTR_ZONE, ct_info->zone.id))
                 return -EMSGSIZE;
-        if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) &&
+        if (IS_ENABLED(CONFIG_NF_CONNTRACK_MARK) && ct_info->mark.mask &&
             nla_put(skb, OVS_CT_ATTR_MARK, sizeof(ct_info->mark),
                     &ct_info->mark))
                 return -EMSGSIZE;
         if (IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS) &&
+            labels_nonzero(&ct_info->labels.mask) &&
             nla_put(skb, OVS_CT_ATTR_LABELS, sizeof(ct_info->labels),
                     &ct_info->labels))
                 return -EMSGSIZE;
diff --git a/net/openvswitch/conntrack.h b/net/openvswitch/conntrack.h
index da8714942c95..82e0dfc66028 100644
--- a/net/openvswitch/conntrack.h
+++ b/net/openvswitch/conntrack.h
@@ -35,12 +35,9 @@ void ovs_ct_fill_key(const struct sk_buff *skb, struct sw_flow_key *key);
 int ovs_ct_put_key(const struct sw_flow_key *key, struct sk_buff *skb);
 void ovs_ct_free_action(const struct nlattr *a);
 
-static inline bool ovs_ct_state_supported(u32 state)
-{
-        return !(state & ~(OVS_CS_F_NEW | OVS_CS_F_ESTABLISHED |
-                         OVS_CS_F_RELATED | OVS_CS_F_REPLY_DIR |
-                         OVS_CS_F_INVALID | OVS_CS_F_TRACKED));
-}
+#define CT_SUPPORTED_MASK (OVS_CS_F_NEW | OVS_CS_F_ESTABLISHED | \
+                           OVS_CS_F_RELATED | OVS_CS_F_REPLY_DIR | \
+                           OVS_CS_F_INVALID | OVS_CS_F_TRACKED)
 #else
 #include <linux/errno.h>
 
@@ -53,11 +50,6 @@ static inline bool ovs_ct_verify(struct net *net, int attr)
         return false;
 }
 
-static inline bool ovs_ct_state_supported(u32 state)
-{
-        return false;
-}
-
 static inline int ovs_ct_copy_action(struct net *net, const struct nlattr *nla,
                                      const struct sw_flow_key *key,
                                      struct sw_flow_actions **acts, bool log)
@@ -94,5 +86,7 @@ static inline int ovs_ct_put_key(const struct sw_flow_key *key,
 }
 
 static inline void ovs_ct_free_action(const struct nlattr *a) { }
+
+#define CT_SUPPORTED_MASK 0
 #endif /* CONFIG_NF_CONNTRACK */
 #endif /* ovs_conntrack.h */
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index a75828091e21..5633172b791a 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -489,9 +489,8 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,
 
         if (upcall_info->egress_tun_info) {
                 nla = nla_nest_start(user_skb, OVS_PACKET_ATTR_EGRESS_TUN_KEY);
-                err = ovs_nla_put_egress_tunnel_key(user_skb,
-                                                    upcall_info->egress_tun_info,
-                                                    upcall_info->egress_tun_opts);
+                err = ovs_nla_put_tunnel_info(user_skb,
+                                              upcall_info->egress_tun_info);
                 BUG_ON(err);
                 nla_nest_end(user_skb, nla);
         }
diff --git a/net/openvswitch/datapath.h b/net/openvswitch/datapath.h
index f88038a99f44..67bdecd9fdc1 100644
--- a/net/openvswitch/datapath.h
+++ b/net/openvswitch/datapath.h
@@ -117,7 +117,6 @@ struct ovs_skb_cb {
  */
 struct dp_upcall_info {
         struct ip_tunnel_info *egress_tun_info;
-        const void *egress_tun_opts;
         const struct nlattr *userdata;
         const struct nlattr *actions;
         int actions_len;
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 80e1f09397c0..907d6fd28ede 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -764,7 +764,7 @@ static int __ip_tun_to_nlattr(struct sk_buff *skb,
         if ((output->tun_flags & TUNNEL_OAM) &&
             nla_put_flag(skb, OVS_TUNNEL_KEY_ATTR_OAM))
                 return -EMSGSIZE;
-        if (tun_opts) {
+        if (swkey_tun_opts_len) {
                 if (output->tun_flags & TUNNEL_GENEVE_OPT &&
                     nla_put(skb, OVS_TUNNEL_KEY_ATTR_GENEVE_OPTS,
                             swkey_tun_opts_len, tun_opts))
@@ -798,14 +798,13 @@ static int ip_tun_to_nlattr(struct sk_buff *skb,
         return 0;
 }
 
-int ovs_nla_put_egress_tunnel_key(struct sk_buff *skb,
-                                  const struct ip_tunnel_info *egress_tun_info,
-                                  const void *egress_tun_opts)
+int ovs_nla_put_tunnel_info(struct sk_buff *skb,
+                            struct ip_tunnel_info *tun_info)
 {
-        return __ip_tun_to_nlattr(skb, &egress_tun_info->key,
-                                  egress_tun_opts,
-                                  egress_tun_info->options_len,
-                                  ip_tunnel_info_af(egress_tun_info));
+        return __ip_tun_to_nlattr(skb, &tun_info->key,
+                                  ip_tunnel_info_opts(tun_info),
+                                  tun_info->options_len,
+                                  ip_tunnel_info_af(tun_info));
 }
 
 static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match,
@@ -866,7 +865,7 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match,
             ovs_ct_verify(net, OVS_KEY_ATTR_CT_STATE)) {
                 u32 ct_state = nla_get_u32(a[OVS_KEY_ATTR_CT_STATE]);
 
-                if (!is_mask && !ovs_ct_state_supported(ct_state)) {
+                if (ct_state & ~CT_SUPPORTED_MASK) {
                         OVS_NLERR(log, "ct_state flags %08x unsupported",
                                   ct_state);
                         return -EINVAL;
@@ -1149,6 +1148,9 @@ static void nlattr_set(struct nlattr *attr, u8 val,
                 } else {
                         memset(nla_data(nla), val, nla_len(nla));
                 }
+
+                if (nla_type(nla) == OVS_KEY_ATTR_CT_STATE)
+                        *(u32 *)nla_data(nla) &= CT_SUPPORTED_MASK;
         }
 }
 
@@ -2432,11 +2434,7 @@ static int set_action_to_attr(const struct nlattr *a, struct sk_buff *skb)
                 if (!start)
                         return -EMSGSIZE;
 
-                err = ip_tun_to_nlattr(skb, &tun_info->key,
-                                       tun_info->options_len ?
-                                             ip_tunnel_info_opts(tun_info) : NULL,
-                                       tun_info->options_len,
-                                       ip_tunnel_info_af(tun_info));
+                err = ovs_nla_put_tunnel_info(skb, tun_info);
                 if (err)
                         return err;
                 nla_nest_end(skb, start);
diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h
index 6ca3f0baf449..47dd142eca1c 100644
--- a/net/openvswitch/flow_netlink.h
+++ b/net/openvswitch/flow_netlink.h
@@ -55,9 +55,9 @@ int ovs_nla_put_mask(const struct sw_flow *flow, struct sk_buff *skb);
 int ovs_nla_get_match(struct net *, struct sw_flow_match *,
                       const struct nlattr *key, const struct nlattr *mask,
                       bool log);
-int ovs_nla_put_egress_tunnel_key(struct sk_buff *,
-                                  const struct ip_tunnel_info *,
-                                  const void *egress_tun_opts);
+
+int ovs_nla_put_tunnel_info(struct sk_buff *skb,
+                            struct ip_tunnel_info *tun_info);
 
 bool ovs_nla_get_ufid(struct sw_flow_id *, const struct nlattr *, bool log);
 int ovs_nla_get_identifier(struct sw_flow_id *sfid, const struct nlattr *ufid,
diff --git a/net/openvswitch/vport-geneve.c b/net/openvswitch/vport-geneve.c
index 7a568ca8da54..efb736bb6855 100644
--- a/net/openvswitch/vport-geneve.c
+++ b/net/openvswitch/vport-geneve.c
@@ -52,18 +52,6 @@ static int geneve_get_options(const struct vport *vport,
         return 0;
 }
 
-static int geneve_get_egress_tun_info(struct vport *vport, struct sk_buff *skb,
-                                      struct dp_upcall_info *upcall)
-{
-        struct geneve_port *geneve_port = geneve_vport(vport);
-        struct net *net = ovs_dp_get_net(vport->dp);
-        __be16 dport = htons(geneve_port->port_no);
-        __be16 sport = udp_flow_src_port(net, skb, 1, USHRT_MAX, true);
-
-        return ovs_tunnel_get_egress_info(upcall, ovs_dp_get_net(vport->dp),
-                                          skb, IPPROTO_UDP, sport, dport);
-}
-
 static struct vport *geneve_tnl_create(const struct vport_parms *parms)
 {
         struct net *net = ovs_dp_get_net(parms->dp);
@@ -130,7 +118,6 @@ static struct vport_ops ovs_geneve_vport_ops = {
         .get_options    = geneve_get_options,
         .send           = dev_queue_xmit,
         .owner          = THIS_MODULE,
-        .get_egress_tun_info    = geneve_get_egress_tun_info,
 };
 
 static int __init ovs_geneve_tnl_init(void)
diff --git a/net/openvswitch/vport-gre.c b/net/openvswitch/vport-gre.c
index cdb758ab01cf..c3257d78d3d2 100644
--- a/net/openvswitch/vport-gre.c
+++ b/net/openvswitch/vport-gre.c
@@ -84,18 +84,10 @@ static struct vport *gre_create(const struct vport_parms *parms)
         return ovs_netdev_link(vport, parms->name);
 }
 
-static int gre_get_egress_tun_info(struct vport *vport, struct sk_buff *skb,
-                                   struct dp_upcall_info *upcall)
-{
-        return ovs_tunnel_get_egress_info(upcall, ovs_dp_get_net(vport->dp),
-                                          skb, IPPROTO_GRE, 0, 0);
-}
-
 static struct vport_ops ovs_gre_vport_ops = {
         .type           = OVS_VPORT_TYPE_GRE,
         .create         = gre_create,
         .send           = dev_queue_xmit,
-        .get_egress_tun_info    = gre_get_egress_tun_info,
         .destroy        = ovs_netdev_tunnel_destroy,
         .owner          = THIS_MODULE,
 };
diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c
index 7f0a8bd08857..ec76398a792f 100644
--- a/net/openvswitch/vport-internal_dev.c
+++ b/net/openvswitch/vport-internal_dev.c
@@ -106,12 +106,45 @@ static void internal_dev_destructor(struct net_device *dev)
         free_netdev(dev);
 }
 
+static struct rtnl_link_stats64 *
+internal_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
+{
+        int i;
+
+        memset(stats, 0, sizeof(*stats));
+        stats->rx_errors  = dev->stats.rx_errors;
+        stats->tx_errors  = dev->stats.tx_errors;
+        stats->tx_dropped = dev->stats.tx_dropped;
+        stats->rx_dropped = dev->stats.rx_dropped;
+
+        for_each_possible_cpu(i) {
+                const struct pcpu_sw_netstats *percpu_stats;
+                struct pcpu_sw_netstats local_stats;
+                unsigned int start;
+
+                percpu_stats = per_cpu_ptr(dev->tstats, i);
+
+                do {
+                        start = u64_stats_fetch_begin_irq(&percpu_stats->syncp);
+                        local_stats = *percpu_stats;
+                } while (u64_stats_fetch_retry_irq(&percpu_stats->syncp, start));
+
+                stats->rx_bytes         += local_stats.rx_bytes;
+                stats->rx_packets       += local_stats.rx_packets;
+                stats->tx_bytes         += local_stats.tx_bytes;
+                stats->tx_packets       += local_stats.tx_packets;
+        }
+
+        return stats;
+}
+
 static const struct net_device_ops internal_dev_netdev_ops = {
         .ndo_open = internal_dev_open,
         .ndo_stop = internal_dev_stop,
         .ndo_start_xmit = internal_dev_xmit,
         .ndo_set_mac_address = eth_mac_addr,
         .ndo_change_mtu = internal_dev_change_mtu,
+        .ndo_get_stats64 = internal_get_stats,
 };
 
 static struct rtnl_link_ops internal_dev_link_ops __read_mostly = {
@@ -161,6 +194,11 @@ static struct vport *internal_dev_create(const struct vport_parms *parms)
                 err = -ENOMEM;
                 goto error_free_vport;
         }
+        vport->dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
+        if (!vport->dev->tstats) {
+                err = -ENOMEM;
+                goto error_free_netdev;
+        }
 
         dev_net_set(vport->dev, ovs_dp_get_net(vport->dp));
         internal_dev = internal_dev_priv(vport->dev);
@@ -173,7 +211,7 @@ static struct vport *internal_dev_create(const struct vport_parms *parms)
         rtnl_lock();
         err = register_netdevice(vport->dev);
         if (err)
-                goto error_free_netdev;
+                goto error_unlock;
 
         dev_set_promiscuity(vport->dev, 1);
         rtnl_unlock();
@@ -181,8 +219,10 @@ static struct vport *internal_dev_create(const struct vport_parms *parms)
 
         return vport;
 
-error_free_netdev:
+error_unlock:
         rtnl_unlock();
+        free_percpu(vport->dev->tstats);
+error_free_netdev:
         free_netdev(vport->dev);
 error_free_vport:
         ovs_vport_free(vport);
@@ -198,7 +238,7 @@ static void internal_dev_destroy(struct vport *vport)
 
         /* unregister_netdevice() waits for an RCU grace period. */
         unregister_netdevice(vport->dev);
-
+        free_percpu(vport->dev->tstats);
         rtnl_unlock();
 }
 
diff --git a/net/openvswitch/vport-vxlan.c b/net/openvswitch/vport-vxlan.c
index 6f700710d413..1605691d9414 100644
--- a/net/openvswitch/vport-vxlan.c
+++ b/net/openvswitch/vport-vxlan.c
@@ -146,32 +146,12 @@ static struct vport *vxlan_create(const struct vport_parms *parms)
         return ovs_netdev_link(vport, parms->name);
 }
 
-static int vxlan_get_egress_tun_info(struct vport *vport, struct sk_buff *skb,
-                                     struct dp_upcall_info *upcall)
-{
-        struct vxlan_dev *vxlan = netdev_priv(vport->dev);
-        struct net *net = ovs_dp_get_net(vport->dp);
-        unsigned short family = ip_tunnel_info_af(upcall->egress_tun_info);
-        __be16 dst_port = vxlan_dev_dst_port(vxlan, family);
-        __be16 src_port;
-        int port_min;
-        int port_max;
-
-        inet_get_local_port_range(net, &port_min, &port_max);
-        src_port = udp_flow_src_port(net, skb, 0, 0, true);
-
-        return ovs_tunnel_get_egress_info(upcall, net,
-                                          skb, IPPROTO_UDP,
-                                          src_port, dst_port);
-}
-
 static struct vport_ops ovs_vxlan_netdev_vport_ops = {
         .type                   = OVS_VPORT_TYPE_VXLAN,
         .create                 = vxlan_create,
         .destroy                = ovs_netdev_tunnel_destroy,
         .get_options            = vxlan_get_options,
         .send                   = dev_queue_xmit,
-        .get_egress_tun_info    = vxlan_get_egress_tun_info,
 };
 
 static int __init ovs_vxlan_tnl_init(void)
diff --git a/net/openvswitch/vport.c b/net/openvswitch/vport.c
index ef19d0b77d13..0ac0fd004d7e 100644
--- a/net/openvswitch/vport.c
+++ b/net/openvswitch/vport.c
@@ -480,64 +480,6 @@ void ovs_vport_deferred_free(struct vport *vport)
 }
 EXPORT_SYMBOL_GPL(ovs_vport_deferred_free);
 
-int ovs_tunnel_get_egress_info(struct dp_upcall_info *upcall,
-                               struct net *net,
-                               struct sk_buff *skb,
-                               u8 ipproto,
-                               __be16 tp_src,
-                               __be16 tp_dst)
-{
-        struct ip_tunnel_info *egress_tun_info = upcall->egress_tun_info;
-        const struct ip_tunnel_info *tun_info = skb_tunnel_info(skb);
-        const struct ip_tunnel_key *tun_key;
-        u32 skb_mark = skb->mark;
-        struct rtable *rt;
-        struct flowi4 fl;
-
-        if (unlikely(!tun_info))
-                return -EINVAL;
-        if (ip_tunnel_info_af(tun_info) != AF_INET)
-                return -EINVAL;
-
-        tun_key = &tun_info->key;
-
-        /* Route lookup to get srouce IP address.
-         * The process may need to be changed if the corresponding process
-         * in vports ops changed.
-         */
-        rt = ovs_tunnel_route_lookup(net, tun_key, skb_mark, &fl, ipproto);
-        if (IS_ERR(rt))
-                return PTR_ERR(rt);
-
-        ip_rt_put(rt);
-
-        /* Generate egress_tun_info based on tun_info,
-         * saddr, tp_src and tp_dst
-         */
-        ip_tunnel_key_init(&egress_tun_info->key,
-                           fl.saddr, tun_key->u.ipv4.dst,
-                           tun_key->tos,
-                           tun_key->ttl,
-                           tp_src, tp_dst,
-                           tun_key->tun_id,
-                           tun_key->tun_flags);
-        egress_tun_info->options_len = tun_info->options_len;
-        egress_tun_info->mode = tun_info->mode;
-        upcall->egress_tun_opts = ip_tunnel_info_opts(egress_tun_info);
-        return 0;
-}
-EXPORT_SYMBOL_GPL(ovs_tunnel_get_egress_info);
-
-int ovs_vport_get_egress_tun_info(struct vport *vport, struct sk_buff *skb,
-                                  struct dp_upcall_info *upcall)
-{
-        /* get_egress_tun_info() is only implemented on tunnel ports. */
-        if (unlikely(!vport->ops->get_egress_tun_info))
-                return -EINVAL;
-
-        return vport->ops->get_egress_tun_info(vport, skb, upcall);
-}
-
 static unsigned int packet_length(const struct sk_buff *skb)
 {
         unsigned int length = skb->len - ETH_HLEN;
diff --git a/net/openvswitch/vport.h b/net/openvswitch/vport.h
index 885607f28d56..bdfd82a7c064 100644
--- a/net/openvswitch/vport.h
+++ b/net/openvswitch/vport.h
@@ -27,7 +27,6 @@
 #include <linux/skbuff.h>
 #include <linux/spinlock.h>
 #include <linux/u64_stats_sync.h>
-#include <net/route.h>
 
 #include "datapath.h"
 
@@ -53,16 +52,6 @@ int ovs_vport_set_upcall_portids(struct vport *, const struct nlattr *pids);
 int ovs_vport_get_upcall_portids(const struct vport *, struct sk_buff *);
 u32 ovs_vport_find_upcall_portid(const struct vport *, struct sk_buff *);
 
-int ovs_tunnel_get_egress_info(struct dp_upcall_info *upcall,
-                               struct net *net,
-                               struct sk_buff *,
-                               u8 ipproto,
-                               __be16 tp_src,
-                               __be16 tp_dst);
-
-int ovs_vport_get_egress_tun_info(struct vport *vport, struct sk_buff *skb,
-                                  struct dp_upcall_info *upcall);
-
 /**
  * struct vport_portids - array of netlink portids of a vport.
  *                        must be protected by rcu.
@@ -140,8 +129,6 @@ struct vport_parms {
  * have any configuration.
  * @send: Send a packet on the device.
  * zero for dropped packets or negative for error.
- * @get_egress_tun_info: Get the egress tunnel 5-tuple and other info for
- * a packet.
  */
 struct vport_ops {
         enum ovs_vport_type type;
@@ -154,9 +141,6 @@ struct vport_ops {
         int (*get_options)(const struct vport *, struct sk_buff *);
 
         netdev_tx_t (*send) (struct sk_buff *skb);
-        int (*get_egress_tun_info)(struct vport *, struct sk_buff *,
-                                   struct dp_upcall_info *upcall);
-
         struct module *owner;
         struct list_head list;
 };
diff --git a/net/sysctl_net.c b/net/sysctl_net.c
index e7000be321b0..ed98c1fc3de1 100644
--- a/net/sysctl_net.c
+++ b/net/sysctl_net.c
@@ -94,10 +94,14 @@ __init int net_sysctl_init(void)
                 goto out;
         ret = register_pernet_subsys(&sysctl_pernet_ops);
         if (ret)
-                goto out;
+                goto out1;
         register_sysctl_root(&net_sysctl_root);
 out:
         return ret;
+out1:
+        unregister_sysctl_table(net_header);
+        net_header = NULL;
+        goto out;
 }
 
 struct ctl_table_header *register_net_sysctl(struct net *net,
diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
index 41042de3ae9b..eadba62afa85 100644
--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -42,7 +42,8 @@
 #include "core.h"
 
 #define MAX_PKT_DEFAULT_MCAST   1500    /* bcast link max packet size (fixed) */
-#define BCLINK_WIN_DEFAULT      20      /* bcast link window size (default) */
+#define BCLINK_WIN_DEFAULT      50      /* bcast link window size (default) */
+#define BCLINK_WIN_MIN          32      /* bcast minimum link window size */
 
 const char tipc_bclink_name[] = "broadcast-link";
 
@@ -908,9 +909,10 @@ int tipc_bclink_set_queue_limits(struct net *net, u32 limit)
 
         if (!bcl)
                 return -ENOPROTOOPT;
-        if ((limit < TIPC_MIN_LINK_WIN) || (limit > TIPC_MAX_LINK_WIN))
+        if (limit < BCLINK_WIN_MIN)
+                limit = BCLINK_WIN_MIN;
+        if (limit > TIPC_MAX_LINK_WIN)
                 return -EINVAL;
-
         tipc_bclink_lock(net);
         tipc_link_set_queue_limits(bcl, limit);
         tipc_bclink_unlock(net);
diff --git a/net/tipc/msg.c b/net/tipc/msg.c
index 454f5ec275c8..26d38b3d8760 100644
--- a/net/tipc/msg.c
+++ b/net/tipc/msg.c
@@ -121,7 +121,7 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
 {
         struct sk_buff *head = *headbuf;
         struct sk_buff *frag = *buf;
-        struct sk_buff *tail;
+        struct sk_buff *tail = NULL;
         struct tipc_msg *msg;
         u32 fragid;
         int delta;
@@ -141,9 +141,15 @@ int tipc_buf_append(struct sk_buff **headbuf, struct sk_buff **buf)
                 if (unlikely(skb_unclone(frag, GFP_ATOMIC)))
                         goto err;
                 head = *headbuf = frag;
-                skb_frag_list_init(head);
-                TIPC_SKB_CB(head)->tail = NULL;
                 *buf = NULL;
+                TIPC_SKB_CB(head)->tail = NULL;
+                if (skb_is_nonlinear(head)) {
+                        skb_walk_frags(head, tail) {
+                                TIPC_SKB_CB(head)->tail = tail;
+                        }
+                } else {
+                        skb_frag_list_init(head);
+                }
                 return 0;
         }
 
diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index 9bc0b1e515fa..0021c01dec17 100644
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -52,6 +52,8 @@
 /* IANA assigned UDP port */
 #define UDP_PORT_DEFAULT        6118
 
+#define UDP_MIN_HEADROOM        28
+
 static const struct nla_policy tipc_nl_udp_policy[TIPC_NLA_UDP_MAX + 1] = {
         [TIPC_NLA_UDP_UNSPEC]   = {.type = NLA_UNSPEC},
         [TIPC_NLA_UDP_LOCAL]    = {.type = NLA_BINARY,
@@ -156,6 +158,9 @@ static int tipc_udp_send_msg(struct net *net, struct sk_buff *skb,
         struct sk_buff *clone;
         struct rtable *rt;
 
+        if (skb_headroom(skb) < UDP_MIN_HEADROOM)
+                pskb_expand_head(skb, UDP_MIN_HEADROOM, 0, GFP_ATOMIC);
+
         clone = skb_clone(skb, GFP_ATOMIC);
         skb_set_inner_protocol(clone, htons(ETH_P_TIPC));
         ub = rcu_dereference_rtnl(b->media_ptr);
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index df5fc6b340f1..00e8a349aabc 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1948,13 +1948,13 @@ int __vsock_core_init(const struct vsock_transport *t, struct module *owner)
         err = misc_register(&vsock_device);
         if (err) {
                 pr_err("Failed to register misc device\n");
-                return -ENOENT;
+                goto err_reset_transport;
         }
 
         err = proto_register(&vsock_proto, 1);  /* we want our slab */
         if (err) {
                 pr_err("Cannot register vsock protocol\n");
-                goto err_misc_deregister;
+                goto err_deregister_misc;
         }
 
         err = sock_register(&vsock_family_ops);
@@ -1969,8 +1969,9 @@ int __vsock_core_init(const struct vsock_transport *t, struct module *owner)
 
 err_unregister_proto:
         proto_unregister(&vsock_proto);
-err_misc_deregister:
+err_deregister_misc:
         misc_deregister(&vsock_device);
+err_reset_transport:
         transport = NULL;
 err_busy:
         mutex_unlock(&vsock_register_mutex);
diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index 1f63daff3965..7555cad83a75 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -40,13 +40,11 @@
 
 static int vmci_transport_recv_dgram_cb(void *data, struct vmci_datagram *dg);
 static int vmci_transport_recv_stream_cb(void *data, struct vmci_datagram *dg);
-static void vmci_transport_peer_attach_cb(u32 sub_id,
-                                          const struct vmci_event_data *ed,
-                                          void *client_data);
 static void vmci_transport_peer_detach_cb(u32 sub_id,
                                           const struct vmci_event_data *ed,
                                           void *client_data);
 static void vmci_transport_recv_pkt_work(struct work_struct *work);
+static void vmci_transport_cleanup(struct work_struct *work);
 static int vmci_transport_recv_listen(struct sock *sk,
                                       struct vmci_transport_packet *pkt);
 static int vmci_transport_recv_connecting_server(
@@ -75,6 +73,10 @@ struct vmci_transport_recv_pkt_info {
         struct vmci_transport_packet pkt;
 };
 
+static LIST_HEAD(vmci_transport_cleanup_list);
+static DEFINE_SPINLOCK(vmci_transport_cleanup_lock);
+static DECLARE_WORK(vmci_transport_cleanup_work, vmci_transport_cleanup);
+
 static struct vmci_handle vmci_transport_stream_handle = { VMCI_INVALID_ID,
                                                            VMCI_INVALID_ID };
 static u32 vmci_transport_qp_resumed_sub_id = VMCI_INVALID_ID;
@@ -791,44 +793,6 @@ out:
         return err;
 }
 
-static void vmci_transport_peer_attach_cb(u32 sub_id,
-                                          const struct vmci_event_data *e_data,
-                                          void *client_data)
-{
-        struct sock *sk = client_data;
-        const struct vmci_event_payload_qp *e_payload;
-        struct vsock_sock *vsk;
-
-        e_payload = vmci_event_data_const_payload(e_data);
-
-        vsk = vsock_sk(sk);
-
-        /* We don't ask for delayed CBs when we subscribe to this event (we
-         * pass 0 as flags to vmci_event_subscribe()).  VMCI makes no
-         * guarantees in that case about what context we might be running in,
-         * so it could be BH or process, blockable or non-blockable.  So we
-         * need to account for all possible contexts here.
-         */
-        local_bh_disable();
-        bh_lock_sock(sk);
-
-        /* XXX This is lame, we should provide a way to lookup sockets by
-         * qp_handle.
-         */
-        if (vmci_handle_is_equal(vmci_trans(vsk)->qp_handle,
-                                 e_payload->handle)) {
-                /* XXX This doesn't do anything, but in the future we may want
-                 * to set a flag here to verify the attach really did occur and
-                 * we weren't just sent a datagram claiming it was.
-                 */
-                goto out;
-        }
-
-out:
-        bh_unlock_sock(sk);
-        local_bh_enable();
-}
-
 static void vmci_transport_handle_detach(struct sock *sk)
 {
         struct vsock_sock *vsk;
@@ -871,28 +835,38 @@ static void vmci_transport_peer_detach_cb(u32 sub_id,
                                           const struct vmci_event_data *e_data,
                                           void *client_data)
 {
-        struct sock *sk = client_data;
+        struct vmci_transport *trans = client_data;
         const struct vmci_event_payload_qp *e_payload;
-        struct vsock_sock *vsk;
 
         e_payload = vmci_event_data_const_payload(e_data);
-        vsk = vsock_sk(sk);
-        if (vmci_handle_is_invalid(e_payload->handle))
-                return;
-
-        /* Same rules for locking as for peer_attach_cb(). */
-        local_bh_disable();
-        bh_lock_sock(sk);
 
         /* XXX This is lame, we should provide a way to lookup sockets by
          * qp_handle.
          */
-        if (vmci_handle_is_equal(vmci_trans(vsk)->qp_handle,
-                                 e_payload->handle))
-                vmci_transport_handle_detach(sk);
+        if (vmci_handle_is_invalid(e_payload->handle) ||
+            vmci_handle_is_equal(trans->qp_handle, e_payload->handle))
+                return;
 
-        bh_unlock_sock(sk);
-        local_bh_enable();
+        /* We don't ask for delayed CBs when we subscribe to this event (we
+         * pass 0 as flags to vmci_event_subscribe()).  VMCI makes no
+         * guarantees in that case about what context we might be running in,
+         * so it could be BH or process, blockable or non-blockable.  So we
+         * need to account for all possible contexts here.
+         */
+        spin_lock_bh(&trans->lock);
+        if (!trans->sk)
+                goto out;
+
+        /* Apart from here, trans->lock is only grabbed as part of sk destruct,
+         * where trans->sk isn't locked.
+         */
+        bh_lock_sock(trans->sk);
+
+        vmci_transport_handle_detach(trans->sk);
+
+        bh_unlock_sock(trans->sk);
+ out:
+        spin_unlock_bh(&trans->lock);
 }
 
 static void vmci_transport_qp_resumed_cb(u32 sub_id,
@@ -1181,7 +1155,7 @@ vmci_transport_recv_connecting_server(struct sock *listener,
          */
         err = vmci_event_subscribe(VMCI_EVENT_QP_PEER_DETACH,
                                    vmci_transport_peer_detach_cb,
-                                   pending, &detach_sub_id);
+                                   vmci_trans(vpending), &detach_sub_id);
         if (err < VMCI_SUCCESS) {
                 vmci_transport_send_reset(pending, pkt);
                 err = vmci_transport_error_to_vsock_error(err);
@@ -1321,7 +1295,6 @@ vmci_transport_recv_connecting_client(struct sock *sk,
                     || vmci_trans(vsk)->qpair
                     || vmci_trans(vsk)->produce_size != 0
                     || vmci_trans(vsk)->consume_size != 0
-                    || vmci_trans(vsk)->attach_sub_id != VMCI_INVALID_ID
                     || vmci_trans(vsk)->detach_sub_id != VMCI_INVALID_ID) {
                         skerr = EPROTO;
                         err = -EINVAL;
@@ -1389,7 +1362,6 @@ static int vmci_transport_recv_connecting_client_negotiate(
         struct vsock_sock *vsk;
         struct vmci_handle handle;
         struct vmci_qp *qpair;
-        u32 attach_sub_id;
         u32 detach_sub_id;
         bool is_local;
         u32 flags;
@@ -1399,7 +1371,6 @@ static int vmci_transport_recv_connecting_client_negotiate(
 
         vsk = vsock_sk(sk);
         handle = VMCI_INVALID_HANDLE;
-        attach_sub_id = VMCI_INVALID_ID;
         detach_sub_id = VMCI_INVALID_ID;
 
         /* If we have gotten here then we should be past the point where old
@@ -1444,23 +1415,15 @@ static int vmci_transport_recv_connecting_client_negotiate(
                 goto destroy;
         }
 
-        /* Subscribe to attach and detach events first.
+        /* Subscribe to detach events first.
          *
          * XXX We attach once for each queue pair created for now so it is easy
          * to find the socket (it's provided), but later we should only
          * subscribe once and add a way to lookup sockets by queue pair handle.
          */
-        err = vmci_event_subscribe(VMCI_EVENT_QP_PEER_ATTACH,
-                                   vmci_transport_peer_attach_cb,
-                                   sk, &attach_sub_id);
-        if (err < VMCI_SUCCESS) {
-                err = vmci_transport_error_to_vsock_error(err);
-                goto destroy;
-        }
-
         err = vmci_event_subscribe(VMCI_EVENT_QP_PEER_DETACH,
                                    vmci_transport_peer_detach_cb,
-                                   sk, &detach_sub_id);
+                                   vmci_trans(vsk), &detach_sub_id);
         if (err < VMCI_SUCCESS) {
                 err = vmci_transport_error_to_vsock_error(err);
                 goto destroy;
@@ -1496,7 +1459,6 @@ static int vmci_transport_recv_connecting_client_negotiate(
         vmci_trans(vsk)->produce_size = vmci_trans(vsk)->consume_size =
                 pkt->u.size;
 
-        vmci_trans(vsk)->attach_sub_id = attach_sub_id;
         vmci_trans(vsk)->detach_sub_id = detach_sub_id;
 
         vmci_trans(vsk)->notify_ops->process_negotiate(sk);
@@ -1504,9 +1466,6 @@ static int vmci_transport_recv_connecting_client_negotiate(
         return 0;
 
 destroy:
-        if (attach_sub_id != VMCI_INVALID_ID)
-                vmci_event_unsubscribe(attach_sub_id);
-
         if (detach_sub_id != VMCI_INVALID_ID)
                 vmci_event_unsubscribe(detach_sub_id);
 
@@ -1607,9 +1566,11 @@ static int vmci_transport_socket_init(struct vsock_sock *vsk,
         vmci_trans(vsk)->qp_handle = VMCI_INVALID_HANDLE;
         vmci_trans(vsk)->qpair = NULL;
         vmci_trans(vsk)->produce_size = vmci_trans(vsk)->consume_size = 0;
-        vmci_trans(vsk)->attach_sub_id = vmci_trans(vsk)->detach_sub_id =
-                VMCI_INVALID_ID;
+        vmci_trans(vsk)->detach_sub_id = VMCI_INVALID_ID;
         vmci_trans(vsk)->notify_ops = NULL;
+        INIT_LIST_HEAD(&vmci_trans(vsk)->elem);
+        vmci_trans(vsk)->sk = &vsk->sk;
+        spin_lock_init(&vmci_trans(vsk)->lock);
         if (psk) {
                 vmci_trans(vsk)->queue_pair_size =
                         vmci_trans(psk)->queue_pair_size;
@@ -1629,29 +1590,57 @@ static int vmci_transport_socket_init(struct vsock_sock *vsk,
         return 0;
 }
 
-static void vmci_transport_destruct(struct vsock_sock *vsk)
+static void vmci_transport_free_resources(struct list_head *transport_list)
 {
-        if (vmci_trans(vsk)->attach_sub_id != VMCI_INVALID_ID) {
-                vmci_event_unsubscribe(vmci_trans(vsk)->attach_sub_id);
-                vmci_trans(vsk)->attach_sub_id = VMCI_INVALID_ID;
-        }
+        while (!list_empty(transport_list)) {
+                struct vmci_transport *transport =
+                    list_first_entry(transport_list, struct vmci_transport,
+                                     elem);
+                list_del(&transport->elem);
 
-        if (vmci_trans(vsk)->detach_sub_id != VMCI_INVALID_ID) {
-                vmci_event_unsubscribe(vmci_trans(vsk)->detach_sub_id);
-                vmci_trans(vsk)->detach_sub_id = VMCI_INVALID_ID;
-        }
+                if (transport->detach_sub_id != VMCI_INVALID_ID) {
+                        vmci_event_unsubscribe(transport->detach_sub_id);
+                        transport->detach_sub_id = VMCI_INVALID_ID;
+                }
 
-        if (!vmci_handle_is_invalid(vmci_trans(vsk)->qp_handle)) {
-                vmci_qpair_detach(&vmci_trans(vsk)->qpair);
-                vmci_trans(vsk)->qp_handle = VMCI_INVALID_HANDLE;
-                vmci_trans(vsk)->produce_size = 0;
-                vmci_trans(vsk)->consume_size = 0;
+                if (!vmci_handle_is_invalid(transport->qp_handle)) {
+                        vmci_qpair_detach(&transport->qpair);
+                        transport->qp_handle = VMCI_INVALID_HANDLE;
+                        transport->produce_size = 0;
+                        transport->consume_size = 0;
+                }
+
+                kfree(transport);
         }
+}
+
+static void vmci_transport_cleanup(struct work_struct *work)
+{
+        LIST_HEAD(pending);
+
+        spin_lock_bh(&vmci_transport_cleanup_lock);
+        list_replace_init(&vmci_transport_cleanup_list, &pending);
+        spin_unlock_bh(&vmci_transport_cleanup_lock);
+        vmci_transport_free_resources(&pending);
+}
+
+static void vmci_transport_destruct(struct vsock_sock *vsk)
+{
+        /* Ensure that the detach callback doesn't use the sk/vsk
+         * we are about to destruct.
+         */
+        spin_lock_bh(&vmci_trans(vsk)->lock);
+        vmci_trans(vsk)->sk = NULL;
+        spin_unlock_bh(&vmci_trans(vsk)->lock);
 
         if (vmci_trans(vsk)->notify_ops)
                 vmci_trans(vsk)->notify_ops->socket_destruct(vsk);
 
-        kfree(vsk->trans);
+        spin_lock_bh(&vmci_transport_cleanup_lock);
+        list_add(&vmci_trans(vsk)->elem, &vmci_transport_cleanup_list);
+        spin_unlock_bh(&vmci_transport_cleanup_lock);
+        schedule_work(&vmci_transport_cleanup_work);
+
         vsk->trans = NULL;
 }
 
@@ -2146,6 +2135,9 @@ module_init(vmci_transport_init);
 
 static void __exit vmci_transport_exit(void)
 {
+        cancel_work_sync(&vmci_transport_cleanup_work);
+        vmci_transport_free_resources(&vmci_transport_cleanup_list);
+
         if (!vmci_handle_is_invalid(vmci_transport_stream_handle)) {
                 if (vmci_datagram_destroy_handle(
                         vmci_transport_stream_handle) != VMCI_SUCCESS)
@@ -2164,6 +2156,7 @@ module_exit(vmci_transport_exit);
 
 MODULE_AUTHOR("VMware, Inc.");
 MODULE_DESCRIPTION("VMCI transport for Virtual Sockets");
+MODULE_VERSION("1.0.2.0-k");
 MODULE_LICENSE("GPL v2");
 MODULE_ALIAS("vmware_vsock");
 MODULE_ALIAS_NETPROTO(PF_VSOCK);
diff --git a/net/vmw_vsock/vmci_transport.h b/net/vmw_vsock/vmci_transport.h
index ce6c9623d5f0..2ad46f39649f 100644
--- a/net/vmw_vsock/vmci_transport.h
+++ b/net/vmw_vsock/vmci_transport.h
@@ -119,10 +119,12 @@ struct vmci_transport {
         u64 queue_pair_size;
         u64 queue_pair_min_size;
         u64 queue_pair_max_size;
-        u32 attach_sub_id;
         u32 detach_sub_id;
         union vmci_transport_notify notify;
         struct vmci_transport_notify_ops *notify_ops;
+        struct list_head elem;
+        struct sock *sk;
+        spinlock_t lock; /* protects sk. */
 };
 
 int vmci_transport_register(void);
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index a8de9e300200..24e06a2377f6 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1928,8 +1928,10 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
         struct nlattr *rp = attrs[XFRMA_REPLAY_VAL];
         struct nlattr *re = attrs[XFRMA_REPLAY_ESN_VAL];
         struct nlattr *lt = attrs[XFRMA_LTIME_VAL];
+        struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
+        struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
 
-        if (!lt && !rp && !re)
+        if (!lt && !rp && !re && !et && !rt)
                 return err;
 
         /* pedantic mode - thou shalt sayeth replaceth */