40 files changed, 352 insertions, 171 deletions

diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
index d8e376a5f0f1..36a1a739ad68 100644
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -658,14 +658,30 @@ p9_virtio_create(struct p9_client *client, const char *devname, char *args)
 static void p9_virtio_remove(struct virtio_device *vdev)
 {
         struct virtio_chan *chan = vdev->priv;
-
-        if (chan->inuse)
-                p9_virtio_close(chan->client);
-        vdev->config->del_vqs(vdev);
+        unsigned long warning_time;
 
         mutex_lock(&virtio_9p_lock);
+
+        /* Remove self from list so we don't get new users. */
         list_del(&chan->chan_list);
+        warning_time = jiffies;
+
+        /* Wait for existing users to close. */
+        while (chan->inuse) {
+                mutex_unlock(&virtio_9p_lock);
+                msleep(250);
+                if (time_after(jiffies, warning_time + 10 * HZ)) {
+                        dev_emerg(&vdev->dev,
+                                  "p9_virtio_remove: waiting for device in use.\n");
+                        warning_time = jiffies;
+                }
+                mutex_lock(&virtio_9p_lock);
+        }
+
         mutex_unlock(&virtio_9p_lock);
+
+        vdev->config->del_vqs(vdev);
+
         sysfs_remove_file(&(vdev->dev.kobj), &dev_attr_mount_tag.attr);
         kobject_uevent(&(vdev->dev.kobj), KOBJ_CHANGE);
         kfree(chan->tag);
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index b087d278c679..1849d96b3c91 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -563,6 +563,8 @@ int br_del_if(struct net_bridge *br, struct net_device *dev)
          */
         del_nbp(p);
 
+        dev_set_mtu(br->dev, br_min_mtu(br));
+
         spin_lock_bh(&br->lock);
         changed_addr = br_stp_recalculate_bridge_id(br);
         spin_unlock_bh(&br->lock);
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index 769b185fefbd..a6e2da0bc718 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/caif_socket.c
@@ -281,7 +281,7 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock,
         int copylen;
 
         ret = -EOPNOTSUPP;
-        if (m->msg_flags&MSG_OOB)
+        if (flags & MSG_OOB)
                 goto read_error;
 
         skb = skb_recv_datagram(sk, flags, 0 , &ret);
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 66e08040ced7..32d710eaf1fc 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -259,6 +259,9 @@ int can_send(struct sk_buff *skb, int loop)
                 goto inval_skb;
         }
 
+        skb->ip_summed = CHECKSUM_UNNECESSARY;
+
+        skb_reset_mac_header(skb);
         skb_reset_network_header(skb);
         skb_reset_transport_header(skb);
 
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 25b4b5d23485..ee0608bb3bc0 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2166,28 +2166,28 @@ replay:
                         }
                 }
                 err = rtnl_configure_link(dev, ifm);
-                if (err < 0) {
-                        if (ops->newlink) {
-                                LIST_HEAD(list_kill);
-
-                                ops->dellink(dev, &list_kill);
-                                unregister_netdevice_many(&list_kill);
-                        } else {
-                                unregister_netdevice(dev);
-                        }
-                        goto out;
-                }
-
+                if (err < 0)
+                        goto out_unregister;
                 if (link_net) {
                         err = dev_change_net_namespace(dev, dest_net, ifname);
                         if (err < 0)
-                                unregister_netdevice(dev);
+                                goto out_unregister;
                 }
 out:
                 if (link_net)
                         put_net(link_net);
                 put_net(dest_net);
                 return err;
+out_unregister:
+                if (ops->newlink) {
+                        LIST_HEAD(list_kill);
+
+                        ops->dellink(dev, &list_kill);
+                        unregister_netdevice_many(&list_kill);
+                } else {
+                        unregister_netdevice(dev);
+                }
+                goto out;
         }
 }
 
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index f80507823531..8e4ac97c8477 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3733,9 +3733,13 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
                      struct sock *sk, int tstype)
 {
         struct sk_buff *skb;
-        bool tsonly = sk->sk_tsflags & SOF_TIMESTAMPING_OPT_TSONLY;
+        bool tsonly;
 
-        if (!sk || !skb_may_tx_timestamp(sk, tsonly))
+        if (!sk)
+                return;
+
+        tsonly = sk->sk_tsflags & SOF_TIMESTAMPING_OPT_TSONLY;
+        if (!skb_may_tx_timestamp(sk, tsonly))
                 return;
 
         if (tsonly)
@@ -4173,7 +4177,7 @@ void skb_scrub_packet(struct sk_buff *skb, bool xnet)
         skb->ignore_df = 0;
         skb_dst_drop(skb);
         skb->mark = 0;
-        skb->sender_cpu = 0;
+        skb_sender_cpu_clear(skb);
         skb_init_secmark(skb);
         secpath_reset(skb);
         nf_reset(skb);
diff --git a/net/core/sock.c b/net/core/sock.c
index 93c8b20c91e4..78e89eb7eb70 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1655,6 +1655,10 @@ void sock_rfree(struct sk_buff *skb)
 }
 EXPORT_SYMBOL(sock_rfree);
 
+/*
+ * Buffer destructor for skbs that are not used directly in read or write
+ * path, e.g. for error handler skbs. Automatically called from kfree_skb.
+ */
 void sock_efree(struct sk_buff *skb)
 {
         sock_put(skb->sk);
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index 433424804284..8ce351ffceb1 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -25,6 +25,8 @@
 static int zero = 0;
 static int one = 1;
 static int ushort_max = USHRT_MAX;
+static int min_sndbuf = SOCK_MIN_SNDBUF;
+static int min_rcvbuf = SOCK_MIN_RCVBUF;
 
 static int net_msg_warn;        /* Unused, but still a sysctl */
 
@@ -237,7 +239,7 @@ static struct ctl_table net_core_table[] = {
                 .maxlen         = sizeof(int),
                 .mode           = 0644,
                 .proc_handler   = proc_dointvec_minmax,
-                .extra1         = &one,
+                .extra1         = &min_sndbuf,
         },
         {
                 .procname       = "rmem_max",
@@ -245,7 +247,7 @@ static struct ctl_table net_core_table[] = {
                 .maxlen         = sizeof(int),
                 .mode           = 0644,
                 .proc_handler   = proc_dointvec_minmax,
-                .extra1         = &one,
+                .extra1         = &min_rcvbuf,
         },
         {
                 .procname       = "wmem_default",
@@ -253,7 +255,7 @@ static struct ctl_table net_core_table[] = {
                 .maxlen         = sizeof(int),
                 .mode           = 0644,
                 .proc_handler   = proc_dointvec_minmax,
-                .extra1         = &one,
+                .extra1         = &min_sndbuf,
         },
         {
                 .procname       = "rmem_default",
@@ -261,7 +263,7 @@ static struct ctl_table net_core_table[] = {
                 .maxlen         = sizeof(int),
                 .mode           = 0644,
                 .proc_handler   = proc_dointvec_minmax,
-                .extra1         = &one,
+                .extra1         = &min_rcvbuf,
         },
         {
                 .procname       = "dev_weight",
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 14d02ea905b6..3e44b9b0b78e 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -268,6 +268,7 @@ static int inet_csk_wait_for_connect(struct sock *sk, long timeo)
                 release_sock(sk);
                 if (reqsk_queue_empty(&icsk->icsk_accept_queue))
                         timeo = schedule_timeout(timeo);
+                sched_annotate_sleep();
                 lock_sock(sk);
                 err = 0;
                 if (!reqsk_queue_empty(&icsk->icsk_accept_queue))
diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index 81751f12645f..592aff37366b 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -71,6 +71,20 @@ static inline void inet_diag_unlock_handler(
         mutex_unlock(&inet_diag_table_mutex);
 }
 
+static size_t inet_sk_attr_size(void)
+{
+        return    nla_total_size(sizeof(struct tcp_info))
+                + nla_total_size(1) /* INET_DIAG_SHUTDOWN */
+                + nla_total_size(1) /* INET_DIAG_TOS */
+                + nla_total_size(1) /* INET_DIAG_TCLASS */
+                + nla_total_size(sizeof(struct inet_diag_meminfo))
+                + nla_total_size(sizeof(struct inet_diag_msg))
+                + nla_total_size(SK_MEMINFO_VARS * sizeof(u32))
+                + nla_total_size(TCP_CA_NAME_MAX)
+                + nla_total_size(sizeof(struct tcpvegas_info))
+                + 64;
+}
+
 int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
                               struct sk_buff *skb, struct inet_diag_req_v2 *req,
                               struct user_namespace *user_ns,                   
@@ -326,9 +340,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo, struct sk_buff *in_s
         if (err)
                 goto out;
 
-        rep = nlmsg_new(sizeof(struct inet_diag_msg) +
-                        sizeof(struct inet_diag_meminfo) +
-                        sizeof(struct tcp_info) + 64, GFP_KERNEL);
+        rep = nlmsg_new(inet_sk_attr_size(), GFP_KERNEL);
         if (!rep) {
                 err = -ENOMEM;
                 goto out;
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index 787b3c294ce6..d9bc28ac5d1b 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -67,6 +67,7 @@ static int ip_forward_finish(struct sk_buff *skb)
         if (unlikely(opt->optlen))
                 ip_forward_options(skb);
 
+        skb_sender_cpu_clear(skb);
         return dst_output(skb);
 }
 
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 2c8d98e728c0..145a50c4d566 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -659,27 +659,30 @@ EXPORT_SYMBOL(ip_defrag);
 struct sk_buff *ip_check_defrag(struct sk_buff *skb, u32 user)
 {
         struct iphdr iph;
+        int netoff;
         u32 len;
 
         if (skb->protocol != htons(ETH_P_IP))
                 return skb;
 
-        if (skb_copy_bits(skb, 0, &iph, sizeof(iph)) < 0)
+        netoff = skb_network_offset(skb);
+
+        if (skb_copy_bits(skb, netoff, &iph, sizeof(iph)) < 0)
                 return skb;
 
         if (iph.ihl < 5 || iph.version != 4)
                 return skb;
 
         len = ntohs(iph.tot_len);
-        if (skb->len < len || len < (iph.ihl * 4))
+        if (skb->len < netoff + len || len < (iph.ihl * 4))
                 return skb;
 
         if (ip_is_fragment(&iph)) {
                 skb = skb_share_check(skb, GFP_ATOMIC);
                 if (skb) {
-                        if (!pskb_may_pull(skb, iph.ihl*4))
+                        if (!pskb_may_pull(skb, netoff + iph.ihl * 4))
                                 return skb;
-                        if (pskb_trim_rcsum(skb, len))
+                        if (pskb_trim_rcsum(skb, netoff + len))
                                 return skb;
                         memset(IPCB(skb), 0, sizeof(struct inet_skb_parm));
                         if (ip_defrag(skb, user))
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 31d8c71986b4..5cd99271d3a6 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -432,17 +432,32 @@ void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 port, u32 inf
                 kfree_skb(skb);
 }
 
-static bool ipv4_pktinfo_prepare_errqueue(const struct sock *sk,
-                                          const struct sk_buff *skb,
-                                          int ee_origin)
+/* IPv4 supports cmsg on all imcp errors and some timestamps
+ *
+ * Timestamp code paths do not initialize the fields expected by cmsg:
+ * the PKTINFO fields in skb->cb[]. Fill those in here.
+ */
+static bool ipv4_datagram_support_cmsg(const struct sock *sk,
+                                       struct sk_buff *skb,
+                                       int ee_origin)
 {
-        struct in_pktinfo *info = PKTINFO_SKB_CB(skb);
+        struct in_pktinfo *info;
+
+        if (ee_origin == SO_EE_ORIGIN_ICMP)
+                return true;
 
-        if ((ee_origin != SO_EE_ORIGIN_TIMESTAMPING) ||
-            (!(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_CMSG)) ||
+        if (ee_origin == SO_EE_ORIGIN_LOCAL)
+                return false;
+
+        /* Support IP_PKTINFO on tstamp packets if requested, to correlate
+         * timestamp with egress dev. Not possible for packets without dev
+         * or without payload (SOF_TIMESTAMPING_OPT_TSONLY).
+         */
+        if ((!(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_CMSG)) ||
             (!skb->dev))
                 return false;
 
+        info = PKTINFO_SKB_CB(skb);
         info->ipi_spec_dst.s_addr = ip_hdr(skb)->saddr;
         info->ipi_ifindex = skb->dev->ifindex;
         return true;
@@ -483,7 +498,7 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
 
         serr = SKB_EXT_ERR(skb);
 
-        if (sin && skb->len) {
+        if (sin && serr->port) {
                 sin->sin_family = AF_INET;
                 sin->sin_addr.s_addr = *(__be32 *)(skb_network_header(skb) +
                                                    serr->addr_offset);
@@ -496,9 +511,7 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
         sin = &errhdr.offender;
         memset(sin, 0, sizeof(*sin));
 
-        if (skb->len &&
-            (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP ||
-             ipv4_pktinfo_prepare_errqueue(sk, skb, serr->ee.ee_origin))) {
+        if (ipv4_datagram_support_cmsg(sk, skb, serr->ee.ee_origin)) {
                 sin->sin_family = AF_INET;
                 sin->sin_addr.s_addr = ip_hdr(skb)->saddr;
                 if (inet_sk(sk)->cmsg_flags)
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index e9f66e1cda50..208d5439e59b 100644
--- a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -259,6 +259,9 @@ int ping_init_sock(struct sock *sk)
         kgid_t low, high;
         int ret = 0;
 
+        if (sk->sk_family == AF_INET6)
+                sk->sk_ipv6only = 1;
+
         inet_get_ping_group_range_net(net, &low, &high);
         if (gid_lte(low, group) && gid_lte(group, high))
                 return 0;
@@ -305,6 +308,11 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk,
                 if (addr_len < sizeof(*addr))
                         return -EINVAL;
 
+                if (addr->sin_family != AF_INET &&
+                    !(addr->sin_family == AF_UNSPEC &&
+                      addr->sin_addr.s_addr == htonl(INADDR_ANY)))
+                        return -EAFNOSUPPORT;
+
                 pr_debug("ping_check_bind_addr(sk=%p,addr=%pI4,port=%d)\n",
                          sk, &addr->sin_addr.s_addr, ntohs(addr->sin_port));
 
@@ -330,7 +338,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk,
                         return -EINVAL;
 
                 if (addr->sin6_family != AF_INET6)
-                        return -EINVAL;
+                        return -EAFNOSUPPORT;
 
                 pr_debug("ping_check_bind_addr(sk=%p,addr=%pI6c,port=%d)\n",
                          sk, addr->sin6_addr.s6_addr, ntohs(addr->sin6_port));
@@ -716,7 +724,7 @@ static int ping_v4_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m
                 if (msg->msg_namelen < sizeof(*usin))
                         return -EINVAL;
                 if (usin->sin_family != AF_INET)
-                        return -EINVAL;
+                        return -EAFNOSUPPORT;
                 daddr = usin->sin_addr.s_addr;
                 /* no remote port */
         } else {
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 9d72a0fcd928..995a2259bcfc 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -835,17 +835,13 @@ static unsigned int tcp_xmit_size_goal(struct sock *sk, u32 mss_now,
                                        int large_allowed)
 {
         struct tcp_sock *tp = tcp_sk(sk);
-        u32 new_size_goal, size_goal, hlen;
+        u32 new_size_goal, size_goal;
 
         if (!large_allowed || !sk_can_gso(sk))
                 return mss_now;
 
-        /* Maybe we should/could use sk->sk_prot->max_header here ? */
-        hlen = inet_csk(sk)->icsk_af_ops->net_header_len +
-               inet_csk(sk)->icsk_ext_hdr_len +
-               tp->tcp_header_len;
-
-        new_size_goal = sk->sk_gso_max_size - 1 - hlen;
+        /* Note : tcp_tso_autosize() will eventually split this later */
+        new_size_goal = sk->sk_gso_max_size - 1 - MAX_TCP_HEADER;
         new_size_goal = tcp_bound_to_half_wnd(tp, new_size_goal);
 
         /* We try hard to avoid divides here */
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index d694088214cd..62856e185a93 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -378,6 +378,12 @@ EXPORT_SYMBOL_GPL(tcp_slow_start);
  */
 void tcp_cong_avoid_ai(struct tcp_sock *tp, u32 w, u32 acked)
 {
+        /* If credits accumulated at a higher w, apply them gently now. */
+        if (tp->snd_cwnd_cnt >= w) {
+                tp->snd_cwnd_cnt = 0;
+                tp->snd_cwnd++;
+        }
+
         tp->snd_cwnd_cnt += acked;
         if (tp->snd_cwnd_cnt >= w) {
                 u32 delta = tp->snd_cwnd_cnt / w;
diff --git a/net/ipv4/tcp_cubic.c b/net/ipv4/tcp_cubic.c
index 4b276d1ed980..06d3d665a9fd 100644
--- a/net/ipv4/tcp_cubic.c
+++ b/net/ipv4/tcp_cubic.c
@@ -306,8 +306,10 @@ tcp_friendliness:
                 }
         }
 
-        if (ca->cnt == 0)                       /* cannot be zero */
-                ca->cnt = 1;
+        /* The maximum rate of cwnd increase CUBIC allows is 1 packet per
+         * 2 packets ACKed, meaning cwnd grows at 1.5x per RTT.
+         */
+        ca->cnt = max(ca->cnt, 2U);
 }
 
 static void bictcp_cong_avoid(struct sock *sk, u32 ack, u32 acked)
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index d5f6bd9a210a..dab73813cb92 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -63,6 +63,7 @@ int xfrm4_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
                 return err;
 
         IPCB(skb)->flags |= IPSKB_XFRM_TUNNEL_SIZE;
+        skb->protocol = htons(ETH_P_IP);
 
         return x->outer_mode->output2(x, skb);
 }
@@ -71,7 +72,6 @@ EXPORT_SYMBOL(xfrm4_prepare_output);
 int xfrm4_output_finish(struct sk_buff *skb)
 {
         memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
-        skb->protocol = htons(ETH_P_IP);
 
 #ifdef CONFIG_NETFILTER
         IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index c215be70cac0..ace8daca5c83 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -325,14 +325,34 @@ void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu)
         kfree_skb(skb);
 }
 
-static void ip6_datagram_prepare_pktinfo_errqueue(struct sk_buff *skb)
+/* IPv6 supports cmsg on all origins aside from SO_EE_ORIGIN_LOCAL.
+ *
+ * At one point, excluding local errors was a quick test to identify icmp/icmp6
+ * errors. This is no longer true, but the test remained, so the v6 stack,
+ * unlike v4, also honors cmsg requests on all wifi and timestamp errors.
+ *
+ * Timestamp code paths do not initialize the fields expected by cmsg:
+ * the PKTINFO fields in skb->cb[]. Fill those in here.
+ */
+static bool ip6_datagram_support_cmsg(struct sk_buff *skb,
+                                      struct sock_exterr_skb *serr)
 {
-        int ifindex = skb->dev ? skb->dev->ifindex : -1;
+        if (serr->ee.ee_origin == SO_EE_ORIGIN_ICMP ||
+            serr->ee.ee_origin == SO_EE_ORIGIN_ICMP6)
+                return true;
+
+        if (serr->ee.ee_origin == SO_EE_ORIGIN_LOCAL)
+                return false;
+
+        if (!skb->dev)
+                return false;
 
         if (skb->protocol == htons(ETH_P_IPV6))
-                IP6CB(skb)->iif = ifindex;
+                IP6CB(skb)->iif = skb->dev->ifindex;
         else
-                PKTINFO_SKB_CB(skb)->ipi_ifindex = ifindex;
+                PKTINFO_SKB_CB(skb)->ipi_ifindex = skb->dev->ifindex;
+
+        return true;
 }
 
 /*
@@ -369,7 +389,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
 
         serr = SKB_EXT_ERR(skb);
 
-        if (sin && skb->len) {
+        if (sin && serr->port) {
                 const unsigned char *nh = skb_network_header(skb);
                 sin->sin6_family = AF_INET6;
                 sin->sin6_flowinfo = 0;
@@ -394,14 +414,11 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
         memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err));
         sin = &errhdr.offender;
         memset(sin, 0, sizeof(*sin));
-        if (serr->ee.ee_origin != SO_EE_ORIGIN_LOCAL && skb->len) {
+
+        if (ip6_datagram_support_cmsg(skb, serr)) {
                 sin->sin6_family = AF_INET6;
-                if (np->rxopt.all) {
-                        if (serr->ee.ee_origin != SO_EE_ORIGIN_ICMP &&
-                            serr->ee.ee_origin != SO_EE_ORIGIN_ICMP6)
-                                ip6_datagram_prepare_pktinfo_errqueue(skb);
+                if (np->rxopt.all)
                         ip6_datagram_recv_common_ctl(sk, msg, skb);
-                }
                 if (skb->protocol == htons(ETH_P_IPV6)) {
                         sin->sin6_addr = ipv6_hdr(skb)->saddr;
                         if (np->rxopt.all)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 0a04a37305d5..7e80b61b51ff 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -318,6 +318,7 @@ static int ip6_forward_proxy_check(struct sk_buff *skb)
 
 static inline int ip6_forward_finish(struct sk_buff *skb)
 {
+        skb_sender_cpu_clear(skb);
         return dst_output(skb);
 }
 
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 266a264ec212..ddd94eca19b3 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -314,7 +314,7 @@ out:
  *   Create tunnel matching given parameters.
  *
  * Return:
- *   created tunnel or NULL
+ *   created tunnel or error pointer
  **/
 
 static struct ip6_tnl *ip6_tnl_create(struct net *net, struct __ip6_tnl_parm *p)
@@ -322,7 +322,7 @@ static struct ip6_tnl *ip6_tnl_create(struct net *net, struct __ip6_tnl_parm *p)
         struct net_device *dev;
         struct ip6_tnl *t;
         char name[IFNAMSIZ];
-        int err;
+        int err = -ENOMEM;
 
         if (p->name[0])
                 strlcpy(name, p->name, IFNAMSIZ);
@@ -348,7 +348,7 @@ static struct ip6_tnl *ip6_tnl_create(struct net *net, struct __ip6_tnl_parm *p)
 failed_free:
         ip6_dev_free(dev);
 failed:
-        return NULL;
+        return ERR_PTR(err);
 }
 
 /**
@@ -362,7 +362,7 @@ failed:
  *   tunnel device is created and registered for use.
  *
  * Return:
- *   matching tunnel or NULL
+ *   matching tunnel or error pointer
  **/
 
 static struct ip6_tnl *ip6_tnl_locate(struct net *net,
@@ -380,13 +380,13 @@ static struct ip6_tnl *ip6_tnl_locate(struct net *net,
                 if (ipv6_addr_equal(local, &t->parms.laddr) &&
                     ipv6_addr_equal(remote, &t->parms.raddr)) {
                         if (create)
-                                return NULL;
+                                return ERR_PTR(-EEXIST);
 
                         return t;
                 }
         }
         if (!create)
-                return NULL;
+                return ERR_PTR(-ENODEV);
         return ip6_tnl_create(net, p);
 }
 
@@ -1420,7 +1420,7 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
                         }
                         ip6_tnl_parm_from_user(&p1, &p);
                         t = ip6_tnl_locate(net, &p1, 0);
-                        if (t == NULL)
+                        if (IS_ERR(t))
                                 t = netdev_priv(dev);
                 } else {
                         memset(&p, 0, sizeof(p));
@@ -1445,7 +1445,7 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
                 ip6_tnl_parm_from_user(&p1, &p);
                 t = ip6_tnl_locate(net, &p1, cmd == SIOCADDTUNNEL);
                 if (cmd == SIOCCHGTUNNEL) {
-                        if (t != NULL) {
+                        if (!IS_ERR(t)) {
                                 if (t->dev != dev) {
                                         err = -EEXIST;
                                         break;
@@ -1457,14 +1457,15 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
                         else
                                 err = ip6_tnl_update(t, &p1);
                 }
-                if (t) {
+                if (!IS_ERR(t)) {
                         err = 0;
                         ip6_tnl_parm_to_user(&p, &t->parms);
                         if (copy_to_user(ifr->ifr_ifru.ifru_data, &p, sizeof(p)))
                                 err = -EFAULT;
 
-                } else
-                        err = (cmd == SIOCADDTUNNEL ? -ENOBUFS : -ENOENT);
+                } else {
+                        err = PTR_ERR(t);
+                }
                 break;
         case SIOCDELTUNNEL:
                 err = -EPERM;
@@ -1478,7 +1479,7 @@ ip6_tnl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
                         err = -ENOENT;
                         ip6_tnl_parm_from_user(&p1, &p);
                         t = ip6_tnl_locate(net, &p1, 0);
-                        if (t == NULL)
+                        if (IS_ERR(t))
                                 break;
                         err = -EPERM;
                         if (t->dev == ip6n->fb_tnl_dev)
@@ -1672,12 +1673,13 @@ static int ip6_tnl_newlink(struct net *src_net, struct net_device *dev,
                            struct nlattr *tb[], struct nlattr *data[])
 {
         struct net *net = dev_net(dev);
-        struct ip6_tnl *nt;
+        struct ip6_tnl *nt, *t;
 
         nt = netdev_priv(dev);
         ip6_tnl_netlink_parms(data, &nt->parms);
 
-        if (ip6_tnl_locate(net, &nt->parms, 0))
+        t = ip6_tnl_locate(net, &nt->parms, 0);
+        if (!IS_ERR(t))
                 return -EEXIST;
 
         return ip6_tnl_create2(dev);
@@ -1697,8 +1699,7 @@ static int ip6_tnl_changelink(struct net_device *dev, struct nlattr *tb[],
         ip6_tnl_netlink_parms(data, &p);
 
         t = ip6_tnl_locate(net, &p, 0);
-
-        if (t) {
+        if (!IS_ERR(t)) {
                 if (t->dev != dev)
                         return -EEXIST;
         } else
diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
index bd46f736f61d..a2dfff6ff227 100644
--- a/net/ipv6/ping.c
+++ b/net/ipv6/ping.c
@@ -102,9 +102,10 @@ int ping_v6_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
 
         if (msg->msg_name) {
                 DECLARE_SOCKADDR(struct sockaddr_in6 *, u, msg->msg_name);
-                if (msg->msg_namelen < sizeof(struct sockaddr_in6) ||
-                    u->sin6_family != AF_INET6) {
+                if (msg->msg_namelen < sizeof(*u))
                         return -EINVAL;
+                if (u->sin6_family != AF_INET6) {
+                        return -EAFNOSUPPORT;
                 }
                 if (sk->sk_bound_dev_if &&
                     sk->sk_bound_dev_if != u->sin6_scope_id) {
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index ca3f29b98ae5..010f8bd2d577 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -114,6 +114,7 @@ int xfrm6_prepare_output(struct xfrm_state *x, struct sk_buff *skb)
                 return err;
 
         skb->ignore_df = 1;
+        skb->protocol = htons(ETH_P_IPV6);
 
         return x->outer_mode->output2(x, skb);
 }
@@ -122,7 +123,6 @@ EXPORT_SYMBOL(xfrm6_prepare_output);
 int xfrm6_output_finish(struct sk_buff *skb)
 {
         memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
-        skb->protocol = htons(ETH_P_IPV6);
 
 #ifdef CONFIG_NETFILTER
         IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 48bf5a06847b..8d2d01b4800a 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -200,6 +200,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
 
 #if IS_ENABLED(CONFIG_IPV6_MIP6)
                 case IPPROTO_MH:
+                        offset += ipv6_optlen(exthdr);
                         if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) {
                                 struct ip6_mh *mh;
 
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 3afe36824703..8d53d65bd2ab 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -58,13 +58,24 @@ struct ieee80211_local;
 #define IEEE80211_UNSET_POWER_LEVEL     INT_MIN
 
 /*
- * Some APs experience problems when working with U-APSD. Decrease the
- * probability of that happening by using legacy mode for all ACs but VO.
- * The AP that caused us trouble was a Cisco 4410N. It ignores our
- * setting, and always treats non-VO ACs as legacy.
+ * Some APs experience problems when working with U-APSD. Decreasing the
+ * probability of that happening by using legacy mode for all ACs but VO isn't
+ * enough.
+ *
+ * Cisco 4410N originally forced us to enable VO by default only because it
+ * treated non-VO ACs as legacy.
+ *
+ * However some APs (notably Netgear R7000) silently reclassify packets to
+ * different ACs. Since u-APSD ACs require trigger frames for frame retrieval
+ * clients would never see some frames (e.g. ARP responses) or would fetch them
+ * accidentally after a long time.
+ *
+ * It makes little sense to enable u-APSD queues by default because it needs
+ * userspace applications to be aware of it to actually take advantage of the
+ * possible additional powersavings. Implicitly depending on driver autotrigger
+ * frame support doesn't make much sense.
  */
-#define IEEE80211_DEFAULT_UAPSD_QUEUES \
-        IEEE80211_WMM_IE_STA_QOSINFO_AC_VO
+#define IEEE80211_DEFAULT_UAPSD_QUEUES 0
 
 #define IEEE80211_DEFAULT_MAX_SP_LEN            \
         IEEE80211_WMM_IE_STA_QOSINFO_SP_ALL
@@ -453,6 +464,7 @@ struct ieee80211_if_managed {
         unsigned int flags;
 
         bool csa_waiting_bcn;
+        bool csa_ignored_same_chan;
 
         bool beacon_crc_valid;
         u32 beacon_crc;
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 10ac6324c1d0..142f66aece18 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1150,6 +1150,17 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
                 return;
         }
 
+        if (cfg80211_chandef_identical(&csa_ie.chandef,
+                                       &sdata->vif.bss_conf.chandef)) {
+                if (ifmgd->csa_ignored_same_chan)
+                        return;
+                sdata_info(sdata,
+                           "AP %pM tries to chanswitch to same channel, ignore\n",
+                           ifmgd->associated->bssid);
+                ifmgd->csa_ignored_same_chan = true;
+                return;
+        }
+
         mutex_lock(&local->mtx);
         mutex_lock(&local->chanctx_mtx);
         conf = rcu_dereference_protected(sdata->vif.chanctx_conf,
@@ -1210,6 +1221,7 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
         sdata->vif.csa_active = true;
         sdata->csa_chandef = csa_ie.chandef;
         sdata->csa_block_tx = csa_ie.mode;
+        ifmgd->csa_ignored_same_chan = false;
 
         if (sdata->csa_block_tx)
                 ieee80211_stop_vif_queues(local, sdata,
@@ -2090,6 +2102,7 @@ static void ieee80211_set_disassoc(struct ieee80211_sub_if_data *sdata,
 
         sdata->vif.csa_active = false;
         ifmgd->csa_waiting_bcn = false;
+        ifmgd->csa_ignored_same_chan = false;
         if (sdata->csa_block_tx) {
                 ieee80211_wake_vif_queues(local, sdata,
                                           IEEE80211_QUEUE_STOP_REASON_CSA);
@@ -3204,7 +3217,8 @@ static const u64 care_about_ies =
         (1ULL << WLAN_EID_CHANNEL_SWITCH) |
         (1ULL << WLAN_EID_PWR_CONSTRAINT) |
         (1ULL << WLAN_EID_HT_CAPABILITY) |
-        (1ULL << WLAN_EID_HT_OPERATION);
+        (1ULL << WLAN_EID_HT_OPERATION) |
+        (1ULL << WLAN_EID_EXT_CHANSWITCH_ANN);
 
 static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
                                      struct ieee80211_mgmt *mgmt, size_t len,
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 1101563357ea..944bdc04e913 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2214,6 +2214,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
         hdr = (struct ieee80211_hdr *) skb->data;
         mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
 
+        if (ieee80211_drop_unencrypted(rx, hdr->frame_control))
+                return RX_DROP_MONITOR;
+
         /* frame is in RMC, don't forward */
         if (ieee80211_is_data(hdr->frame_control) &&
             is_multicast_ether_addr(hdr->addr1) &&
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 8428f4a95479..747bdcf72e92 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -3178,7 +3178,7 @@ int ieee80211_check_combinations(struct ieee80211_sub_if_data *sdata,
                 wdev_iter = &sdata_iter->wdev;
 
                 if (sdata_iter == sdata ||
-                    rcu_access_pointer(sdata_iter->vif.chanctx_conf) == NULL ||
+                    !ieee80211_sdata_running(sdata_iter) ||
                     local->hw.wiphy->software_iftypes & BIT(wdev_iter->iftype))
                         continue;
 
diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
index c47ffd7a0a70..d93ceeb3ef04 100644
--- a/net/netfilter/ipvs/ip_vs_sync.c
+++ b/net/netfilter/ipvs/ip_vs_sync.c
@@ -896,6 +896,8 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param,
                         IP_VS_DBG(2, "BACKUP, add new conn. failed\n");
                         return;
                 }
+                if (!(flags & IP_VS_CONN_F_TEMPLATE))
+                        kfree(param->pe_data);
         }
 
         if (opt)
@@ -1169,6 +1171,7 @@ static inline int ip_vs_proc_sync_conn(struct net *net, __u8 *p, __u8 *msg_end)
                                 (opt_flags & IPVS_OPT_F_SEQ_DATA ? &opt : NULL)
                                 );
 #endif
+        ip_vs_pe_put(param.pe);
         return 0;
         /* Error exit */
 out:
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 199fd0f27b0e..6ab777912237 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -227,7 +227,7 @@ nft_rule_deactivate_next(struct net *net, struct nft_rule *rule)
 
 static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
 {
-        rule->genmask = 0;
+        rule->genmask &= ~(1 << gencursor_next(net));
 }
 
 static int
@@ -1711,9 +1711,12 @@ static int nf_tables_fill_rule_info(struct sk_buff *skb, struct net *net,
         }
         nla_nest_end(skb, list);
 
-        if (rule->ulen &&
-            nla_put(skb, NFTA_RULE_USERDATA, rule->ulen, nft_userdata(rule)))
-                goto nla_put_failure;
+        if (rule->udata) {
+                struct nft_userdata *udata = nft_userdata(rule);
+                if (nla_put(skb, NFTA_RULE_USERDATA, udata->len + 1,
+                            udata->data) < 0)
+                        goto nla_put_failure;
+        }
 
         nlmsg_end(skb, nlh);
         return 0;
@@ -1896,11 +1899,12 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
         struct nft_table *table;
         struct nft_chain *chain;
         struct nft_rule *rule, *old_rule = NULL;
+        struct nft_userdata *udata;
         struct nft_trans *trans = NULL;
         struct nft_expr *expr;
         struct nft_ctx ctx;
         struct nlattr *tmp;
-        unsigned int size, i, n, ulen = 0;
+        unsigned int size, i, n, ulen = 0, usize = 0;
         int err, rem;
         bool create;
         u64 handle, pos_handle;
@@ -1968,12 +1972,19 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
                         n++;
                 }
         }
+        /* Check for overflow of dlen field */
+        err = -EFBIG;
+        if (size >= 1 << 12)
+                goto err1;
 
-        if (nla[NFTA_RULE_USERDATA])
+        if (nla[NFTA_RULE_USERDATA]) {
                 ulen = nla_len(nla[NFTA_RULE_USERDATA]);
+                if (ulen > 0)
+                        usize = sizeof(struct nft_userdata) + ulen;
+        }
 
         err = -ENOMEM;
-        rule = kzalloc(sizeof(*rule) + size + ulen, GFP_KERNEL);
+        rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
         if (rule == NULL)
                 goto err1;
 
@@ -1981,10 +1992,13 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 
         rule->handle = handle;
         rule->dlen   = size;
-        rule->ulen   = ulen;
+        rule->udata  = ulen ? 1 : 0;
 
-        if (ulen)
-                nla_memcpy(nft_userdata(rule), nla[NFTA_RULE_USERDATA], ulen);
+        if (ulen) {
+                udata = nft_userdata(rule);
+                udata->len = ulen - 1;
+                nla_memcpy(udata->data, nla[NFTA_RULE_USERDATA], ulen);
+        }
 
         expr = nft_expr_first(rule);
         for (i = 0; i < n; i++) {
@@ -2031,12 +2045,6 @@ static int nf_tables_newrule(struct sock *nlsk, struct sk_buff *skb,
 
 err3:
         list_del_rcu(&rule->list);
-        if (trans) {
-                list_del_rcu(&nft_trans_rule(trans)->list);
-                nft_rule_clear(net, nft_trans_rule(trans));
-                nft_trans_destroy(trans);
-                chain->use++;
-        }
 err2:
         nf_tables_rule_destroy(&ctx, rule);
 err1:
@@ -3612,12 +3620,11 @@ static int nf_tables_commit(struct sk_buff *skb)
                                                  &te->elem,
                                                  NFT_MSG_DELSETELEM, 0);
                         te->set->ops->get(te->set, &te->elem);
-                        te->set->ops->remove(te->set, &te->elem);
                         nft_data_uninit(&te->elem.key, NFT_DATA_VALUE);
-                        if (te->elem.flags & NFT_SET_MAP) {
-                                nft_data_uninit(&te->elem.data,
-                                                te->set->dtype);
-                        }
+                        if (te->set->flags & NFT_SET_MAP &&
+                            !(te->elem.flags & NFT_SET_ELEM_INTERVAL_END))
+                                nft_data_uninit(&te->elem.data, te->set->dtype);
+                        te->set->ops->remove(te->set, &te->elem);
                         nft_trans_destroy(trans);
                         break;
                 }
@@ -3658,7 +3665,7 @@ static int nf_tables_abort(struct sk_buff *skb)
 {
         struct net *net = sock_net(skb->sk);
         struct nft_trans *trans, *next;
-        struct nft_set *set;
+        struct nft_trans_elem *te;
 
         list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) {
                 switch (trans->msg_type) {
@@ -3719,9 +3726,13 @@ static int nf_tables_abort(struct sk_buff *skb)
                         break;
                 case NFT_MSG_NEWSETELEM:
                         nft_trans_elem_set(trans)->nelems--;
-                        set = nft_trans_elem_set(trans);
-                        set->ops->get(set, &nft_trans_elem(trans));
-                        set->ops->remove(set, &nft_trans_elem(trans));
+                        te = (struct nft_trans_elem *)trans->data;
+                        te->set->ops->get(te->set, &te->elem);
+                        nft_data_uninit(&te->elem.key, NFT_DATA_VALUE);
+                        if (te->set->flags & NFT_SET_MAP &&
+                            !(te->elem.flags & NFT_SET_ELEM_INTERVAL_END))
+                                nft_data_uninit(&te->elem.data, te->set->dtype);
+                        te->set->ops->remove(te->set, &te->elem);
                         nft_trans_destroy(trans);
                         break;
                 case NFT_MSG_DELSETELEM:
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 1279cd85663e..213584cf04b3 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -123,7 +123,7 @@ static void
 nft_target_set_tgchk_param(struct xt_tgchk_param *par,
                            const struct nft_ctx *ctx,
                            struct xt_target *target, void *info,
-                           union nft_entry *entry, u8 proto, bool inv)
+                           union nft_entry *entry, u16 proto, bool inv)
 {
         par->net        = ctx->net;
         par->table      = ctx->table->name;
@@ -137,7 +137,7 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
                 entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
                 break;
         case NFPROTO_BRIDGE:
-                entry->ebt.ethproto = proto;
+                entry->ebt.ethproto = (__force __be16)proto;
                 entry->ebt.invflags = inv ? EBT_IPROTO : 0;
                 break;
         }
@@ -171,7 +171,7 @@ static const struct nla_policy nft_rule_compat_policy[NFTA_RULE_COMPAT_MAX + 1]
         [NFTA_RULE_COMPAT_FLAGS]        = { .type = NLA_U32 },
 };
 
-static int nft_parse_compat(const struct nlattr *attr, u8 *proto, bool *inv)
+static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv)
 {
         struct nlattr *tb[NFTA_RULE_COMPAT_MAX+1];
         u32 flags;
@@ -203,7 +203,7 @@ nft_target_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
         struct xt_target *target = expr->ops->data;
         struct xt_tgchk_param par;
         size_t size = XT_ALIGN(nla_len(tb[NFTA_TARGET_INFO]));
-        u8 proto = 0;
+        u16 proto = 0;
         bool inv = false;
         union nft_entry e = {};
         int ret;
@@ -334,7 +334,7 @@ static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
 static void
 nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
                           struct xt_match *match, void *info,
-                          union nft_entry *entry, u8 proto, bool inv)
+                          union nft_entry *entry, u16 proto, bool inv)
 {
         par->net        = ctx->net;
         par->table      = ctx->table->name;
@@ -348,7 +348,7 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
                 entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
                 break;
         case NFPROTO_BRIDGE:
-                entry->ebt.ethproto = proto;
+                entry->ebt.ethproto = (__force __be16)proto;
                 entry->ebt.invflags = inv ? EBT_IPROTO : 0;
                 break;
         }
@@ -385,7 +385,7 @@ nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
         struct xt_match *match = expr->ops->data;
         struct xt_mtchk_param par;
         size_t size = XT_ALIGN(nla_len(tb[NFTA_MATCH_INFO]));
-        u8 proto = 0;
+        u16 proto = 0;
         bool inv = false;
         union nft_entry e = {};
         int ret;
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 5bf1e968a728..f8db7064d81c 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3123,11 +3123,18 @@ static int packet_dev_mc(struct net_device *dev, struct packet_mclist *i,
         return 0;
 }
 
-static void packet_dev_mclist(struct net_device *dev, struct packet_mclist *i, int what)
+static void packet_dev_mclist_delete(struct net_device *dev,
+                                     struct packet_mclist **mlp)
 {
-        for ( ; i; i = i->next) {
-                if (i->ifindex == dev->ifindex)
-                        packet_dev_mc(dev, i, what);
+        struct packet_mclist *ml;
+
+        while ((ml = *mlp) != NULL) {
+                if (ml->ifindex == dev->ifindex) {
+                        packet_dev_mc(dev, ml, -1);
+                        *mlp = ml->next;
+                        kfree(ml);
+                } else
+                        mlp = &ml->next;
         }
 }
 
@@ -3204,12 +3211,11 @@ static int packet_mc_drop(struct sock *sk, struct packet_mreq_max *mreq)
                                         packet_dev_mc(dev, ml, -1);
                                 kfree(ml);
                         }
-                        rtnl_unlock();
-                        return 0;
+                        break;
                 }
         }
         rtnl_unlock();
-        return -EADDRNOTAVAIL;
+        return 0;
 }
 
 static void packet_flush_mclist(struct sock *sk)
@@ -3559,7 +3565,7 @@ static int packet_notifier(struct notifier_block *this,
                 switch (msg) {
                 case NETDEV_UNREGISTER:
                         if (po->mclist)
-                                packet_dev_mclist(dev, po->mclist, -1);
+                                packet_dev_mclist_delete(dev, &po->mclist);
                         /* fallthrough */
 
                 case NETDEV_DOWN:
diff --git a/net/rds/iw_rdma.c b/net/rds/iw_rdma.c
index a817705ce2d0..dba8d0864f18 100644
--- a/net/rds/iw_rdma.c
+++ b/net/rds/iw_rdma.c
@@ -88,7 +88,9 @@ static unsigned int rds_iw_unmap_fastreg_list(struct rds_iw_mr_pool *pool,
                         int *unpinned);
 static void rds_iw_destroy_fastreg(struct rds_iw_mr_pool *pool, struct rds_iw_mr *ibmr);
 
-static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwdev, struct rdma_cm_id **cm_id)
+static int rds_iw_get_device(struct sockaddr_in *src, struct sockaddr_in *dst,
+                             struct rds_iw_device **rds_iwdev,
+                             struct rdma_cm_id **cm_id)
 {
         struct rds_iw_device *iwdev;
         struct rds_iw_cm_id *i_cm_id;
@@ -112,15 +114,15 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd
                                 src_addr->sin_port,
                                 dst_addr->sin_addr.s_addr,
                                 dst_addr->sin_port,
-                                rs->rs_bound_addr,
-                                rs->rs_bound_port,
-                                rs->rs_conn_addr,
-                                rs->rs_conn_port);
+                                src->sin_addr.s_addr,
+                                src->sin_port,
+                                dst->sin_addr.s_addr,
+                                dst->sin_port);
 #ifdef WORKING_TUPLE_DETECTION
-                        if (src_addr->sin_addr.s_addr == rs->rs_bound_addr &&
-                            src_addr->sin_port == rs->rs_bound_port &&
-                            dst_addr->sin_addr.s_addr == rs->rs_conn_addr &&
-                            dst_addr->sin_port == rs->rs_conn_port) {
+                        if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr &&
+                            src_addr->sin_port == src->sin_port &&
+                            dst_addr->sin_addr.s_addr == dst->sin_addr.s_addr &&
+                            dst_addr->sin_port == dst->sin_port) {
 #else
                         /* FIXME - needs to compare the local and remote
                          * ipaddr/port tuple, but the ipaddr is the only
@@ -128,7 +130,7 @@ static int rds_iw_get_device(struct rds_sock *rs, struct rds_iw_device **rds_iwd
                          * zero'ed.  It doesn't appear to be properly populated
                          * during connection setup...
                          */
-                        if (src_addr->sin_addr.s_addr == rs->rs_bound_addr) {
+                        if (src_addr->sin_addr.s_addr == src->sin_addr.s_addr) {
 #endif
                                 spin_unlock_irq(&iwdev->spinlock);
                                 *rds_iwdev = iwdev;
@@ -180,19 +182,13 @@ int rds_iw_update_cm_id(struct rds_iw_device *rds_iwdev, struct rdma_cm_id *cm_i
 {
         struct sockaddr_in *src_addr, *dst_addr;
         struct rds_iw_device *rds_iwdev_old;
-        struct rds_sock rs;
         struct rdma_cm_id *pcm_id;
         int rc;
 
         src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
         dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
 
-        rs.rs_bound_addr = src_addr->sin_addr.s_addr;
-        rs.rs_bound_port = src_addr->sin_port;
-        rs.rs_conn_addr = dst_addr->sin_addr.s_addr;
-        rs.rs_conn_port = dst_addr->sin_port;
-
-        rc = rds_iw_get_device(&rs, &rds_iwdev_old, &pcm_id);
+        rc = rds_iw_get_device(src_addr, dst_addr, &rds_iwdev_old, &pcm_id);
         if (rc)
                 rds_iw_remove_cm_id(rds_iwdev, cm_id);
 
@@ -598,9 +594,17 @@ void *rds_iw_get_mr(struct scatterlist *sg, unsigned long nents,
         struct rds_iw_device *rds_iwdev;
         struct rds_iw_mr *ibmr = NULL;
         struct rdma_cm_id *cm_id;
+        struct sockaddr_in src = {
+                .sin_addr.s_addr = rs->rs_bound_addr,
+                .sin_port = rs->rs_bound_port,
+        };
+        struct sockaddr_in dst = {
+                .sin_addr.s_addr = rs->rs_conn_addr,
+                .sin_port = rs->rs_conn_port,
+        };
         int ret;
 
-        ret = rds_iw_get_device(rs, &rds_iwdev, &cm_id);
+        ret = rds_iw_get_device(&src, &dst, &rds_iwdev, &cm_id);
         if (ret || !cm_id) {
                 ret = -ENODEV;
                 goto out;
diff --git a/net/rxrpc/ar-error.c b/net/rxrpc/ar-error.c
index 5394b6be46ec..0610efa83d72 100644
--- a/net/rxrpc/ar-error.c
+++ b/net/rxrpc/ar-error.c
@@ -42,7 +42,8 @@ void rxrpc_UDP_error_report(struct sock *sk)
                 _leave("UDP socket errqueue empty");
                 return;
         }
-        if (!skb->len) {
+        serr = SKB_EXT_ERR(skb);
+        if (!skb->len && serr->ee.ee_origin == SO_EE_ORIGIN_TIMESTAMPING) {
                 _leave("UDP empty message");
                 kfree_skb(skb);
                 return;
@@ -50,7 +51,6 @@ void rxrpc_UDP_error_report(struct sock *sk)
 
         rxrpc_new_skb(skb);
 
-        serr = SKB_EXT_ERR(skb);
         addr = *(__be32 *)(skb_network_header(skb) + serr->addr_offset);
         port = serr->port;
 
diff --git a/net/rxrpc/ar-recvmsg.c b/net/rxrpc/ar-recvmsg.c
index 4575485ad1b4..19a560626dc4 100644
--- a/net/rxrpc/ar-recvmsg.c
+++ b/net/rxrpc/ar-recvmsg.c
@@ -87,7 +87,7 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock,
                 if (!skb) {
                         /* nothing remains on the queue */
                         if (copied &&
-                            (msg->msg_flags & MSG_PEEK || timeo == 0))
+                            (flags & MSG_PEEK || timeo == 0))
                                 goto out;
 
                         /* wait for a message to turn up */
diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c
index 82c5d7fc1988..5f6288fa3f12 100644
--- a/net/sched/act_bpf.c
+++ b/net/sched/act_bpf.c
@@ -25,21 +25,41 @@ static int tcf_bpf(struct sk_buff *skb, const struct tc_action *a,
                    struct tcf_result *res)
 {
         struct tcf_bpf *b = a->priv;
-        int action;
-        int filter_res;
+        int action, filter_res;
 
         spin_lock(&b->tcf_lock);
+
         b->tcf_tm.lastuse = jiffies;
         bstats_update(&b->tcf_bstats, skb);
-        action = b->tcf_action;
 
         filter_res = BPF_PROG_RUN(b->filter, skb);
-        if (filter_res == 0) {
-                /* Return code 0 from the BPF program
-                 * is being interpreted as a drop here.
-                 */
-                action = TC_ACT_SHOT;
+
+        /* A BPF program may overwrite the default action opcode.
+         * Similarly as in cls_bpf, if filter_res == -1 we use the
+         * default action specified from tc.
+         *
+         * In case a different well-known TC_ACT opcode has been
+         * returned, it will overwrite the default one.
+         *
+         * For everything else that is unkown, TC_ACT_UNSPEC is
+         * returned.
+         */
+        switch (filter_res) {
+        case TC_ACT_PIPE:
+        case TC_ACT_RECLASSIFY:
+        case TC_ACT_OK:
+                action = filter_res;
+                break;
+        case TC_ACT_SHOT:
+                action = filter_res;
                 b->tcf_qstats.drops++;
+                break;
+        case TC_ACT_UNSPEC:
+                action = b->tcf_action;
+                break;
+        default:
+                action = TC_ACT_UNSPEC;
+                break;
         }
 
         spin_unlock(&b->tcf_lock);
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index 09487afbfd51..95fdf4e40051 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -78,8 +78,11 @@ struct tc_u_hnode {
         struct tc_u_common      *tp_c;
         int                     refcnt;
         unsigned int            divisor;
-        struct tc_u_knode __rcu *ht[1];
         struct rcu_head         rcu;
+        /* The 'ht' field MUST be the last field in structure to allow for
+         * more entries allocated at end of structure.
+         */
+        struct tc_u_knode __rcu *ht[1];
 };
 
 struct tc_u_common {
diff --git a/net/tipc/link.c b/net/tipc/link.c
index a4cf364316de..14f09b3cb87c 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -464,10 +464,11 @@ void tipc_link_reset(struct tipc_link *l_ptr)
         /* Clean up all queues, except inputq: */
         __skb_queue_purge(&l_ptr->outqueue);
         __skb_queue_purge(&l_ptr->deferred_queue);
-        skb_queue_splice_init(&l_ptr->wakeupq, &l_ptr->inputq);
-        if (!skb_queue_empty(&l_ptr->inputq))
+        if (!owner->inputq)
+                owner->inputq = &l_ptr->inputq;
+        skb_queue_splice_init(&l_ptr->wakeupq, owner->inputq);
+        if (!skb_queue_empty(owner->inputq))
                 owner->action_flags |= TIPC_MSG_EVT;
-        owner->inputq = &l_ptr->inputq;
         l_ptr->next_out = NULL;
         l_ptr->unacked_window = 0;
         l_ptr->checkpoint = 1;
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index be2501538011..b6f84f6a2a09 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -4400,6 +4400,16 @@ static int nl80211_new_station(struct sk_buff *skb, struct genl_info *info)
         if (parse_station_flags(info, dev->ieee80211_ptr->iftype, &params))
                 return -EINVAL;
 
+        /* HT/VHT requires QoS, but if we don't have that just ignore HT/VHT
+         * as userspace might just pass through the capabilities from the IEs
+         * directly, rather than enforcing this restriction and returning an
+         * error in this case.
+         */
+        if (!(params.sta_flags_set & BIT(NL80211_STA_FLAG_WME))) {
+                params.ht_capa = NULL;
+                params.vht_capa = NULL;
+        }
+
         /* When you run into this, adjust the code below for the new flag */
         BUILD_BUG_ON(NL80211_STA_FLAG_MAX != 7);
 
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index cee479bc655c..638af0655aaf 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -2269,11 +2269,9 @@ struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig,
                  * have the xfrm_state's. We need to wait for KM to
                  * negotiate new SA's or bail out with error.*/
                 if (net->xfrm.sysctl_larval_drop) {
-                        dst_release(dst);
-                        xfrm_pols_put(pols, drop_pols);
                         XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
-
-                        return ERR_PTR(-EREMOTE);
+                        err = -EREMOTE;
+                        goto error;
                 }
 
                 err = -EAGAIN;
@@ -2324,7 +2322,8 @@ nopol:
 error:
         dst_release(dst);
 dropdst:
-        dst_release(dst_orig);
+        if (!(flags & XFRM_LOOKUP_KEEP_DST_REF))
+                dst_release(dst_orig);
         xfrm_pols_put(pols, drop_pols);
         return ERR_PTR(err);
 }
@@ -2338,7 +2337,8 @@ struct dst_entry *xfrm_lookup_route(struct net *net, struct dst_entry *dst_orig,
                                     struct sock *sk, int flags)
 {
         struct dst_entry *dst = xfrm_lookup(net, dst_orig, fl, sk,
-                                            flags | XFRM_LOOKUP_QUEUE);
+                                            flags | XFRM_LOOKUP_QUEUE |
+                                            XFRM_LOOKUP_KEEP_DST_REF);
 
         if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE)
                 return make_blackhole(net, dst_orig->ops->family, dst_orig);