35 files changed, 229 insertions, 139 deletions
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index f0e82682e071..fb61b6c79235 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -578,7 +578,7 @@ static int br_process_vlan_info(struct net_bridge *br,
                }
                *vinfo_last = NULL;
-                return 0;
+                return err;
        }
        return br_vlan_info(br, p, cmd, vinfo_curr);
diff --git a/net/can/af_can.c b/net/can/af_can.c
index 1f75e11ac35a..003b2d6d655f 100644
--- a/net/can/af_can.c
+++ b/net/can/af_can.c
@@ -78,7 +78,7 @@ MODULE_PARM_DESC(stats_timer, "enable timer for statistics (default:on)");
 static struct kmem_cache *rcv_cache __read_mostly;
 /* table of registered CAN protocols */
-static const struct can_proto *proto_tab[CAN_NPROTO] __read_mostly;
+static const struct can_proto __rcu *proto_tab[CAN_NPROTO] __read_mostly;
 static DEFINE_MUTEX(proto_tab_lock);
 static atomic_t skbcounter = ATOMIC_INIT(0);
@@ -788,7 +788,7 @@ int can_proto_register(const struct can_proto *cp)
        mutex_lock(&proto_tab_lock);
-        if (proto_tab[proto]) {
+        if (rcu_access_pointer(proto_tab[proto])) {
                pr_err("can: protocol %d already registered\n", proto);
                err = -EBUSY;
        } else
@@ -812,7 +812,7 @@ void can_proto_unregister(const struct can_proto *cp)
        int proto = cp->protocol;
        mutex_lock(&proto_tab_lock);
-        BUG_ON(proto_tab[proto] != cp);
+        BUG_ON(rcu_access_pointer(proto_tab[proto]) != cp);
        RCU_INIT_POINTER(proto_tab[proto], NULL);
        mutex_unlock(&proto_tab_lock);
@@ -875,9 +875,14 @@ static int can_pernet_init(struct net *net)
        spin_lock_init(&net->can.can_rcvlists_lock);
        net->can.can_rx_alldev_list =
                kzalloc(sizeof(struct dev_rcv_lists), GFP_KERNEL);
+        if (!net->can.can_rx_alldev_list)
+                goto out;
        net->can.can_stats = kzalloc(sizeof(struct s_stats), GFP_KERNEL);
+        if (!net->can.can_stats)
+                goto out_free_alldev_list;
        net->can.can_pstats = kzalloc(sizeof(struct s_pstats), GFP_KERNEL);
+        if (!net->can.can_pstats)
+                goto out_free_can_stats;
        if (IS_ENABLED(CONFIG_PROC_FS)) {
                /* the statistics are updated every second (timer triggered) */
@@ -892,6 +897,13 @@ static int can_pernet_init(struct net *net)
        }
        return 0;
+ out_free_can_stats:
+        kfree(net->can.can_stats);
+ out_free_alldev_list:
+        kfree(net->can.can_rx_alldev_list);
+ out:
+        return -ENOMEM;
 }
 static void can_pernet_exit(struct net *net)
diff --git a/net/can/bcm.c b/net/can/bcm.c
index 47a8748d953a..13690334efa3 100644
--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -1493,13 +1493,14 @@ static int bcm_init(struct sock *sk)
 static int bcm_release(struct socket *sock)
 {
        struct sock *sk = sock->sk;
-        struct net *net = sock_net(sk);
+        struct net *net;
        struct bcm_sock *bo;
        struct bcm_op *op, *next;
-        if (sk == NULL)
+        if (!sk)
                return 0;
+        net = sock_net(sk);
        bo = bcm_sk(sk);
        /* remove bcm_ops, timer, rx_unregister(), etc. */
diff --git a/net/core/dev.c b/net/core/dev.c
index cf5894f0e6eb..24ac9083bc13 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1149,9 +1149,8 @@ static int dev_alloc_name_ns(struct net *net,
        return ret;
 }
-static int dev_get_valid_name(struct net *net,
+int dev_get_valid_name(struct net *net, struct net_device *dev,
-                              struct net_device *dev,
+                       const char *name)
-                              const char *name)
 {
        BUG_ON(!net);
@@ -1167,6 +1166,7 @@ static int dev_get_valid_name(struct net *net,
        return 0;
 }
+EXPORT_SYMBOL(dev_get_valid_name);
 /**
 *      dev_change_name - change name of a device
diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
index 709a4e6fb447..f9c7a88cd981 100644
--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -303,7 +303,18 @@ static int dev_ifsioc(struct net *net, struct ifreq *ifr, unsigned int cmd)
        case SIOCSIFTXQLEN:
                if (ifr->ifr_qlen < 0)
                        return -EINVAL;
-                dev->tx_queue_len = ifr->ifr_qlen;
+                if (dev->tx_queue_len ^ ifr->ifr_qlen) {
+                        unsigned int orig_len = dev->tx_queue_len;
+                        dev->tx_queue_len = ifr->ifr_qlen;
+                        err = call_netdevice_notifiers(
+                                        NETDEV_CHANGE_TX_QUEUE_LEN, dev);
+                        err = notifier_to_errno(err);
+                        if (err) {
+                                dev->tx_queue_len = orig_len;
+                                return err;
+                        }
+                }
                return 0;
        case SIOCSIFNAME:
diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index 0c406306792a..f8fcf450a36e 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -452,7 +452,7 @@ bool ethtool_convert_link_mode_to_legacy_u32(u32 *legacy_u32,
 EXPORT_SYMBOL(ethtool_convert_link_mode_to_legacy_u32);
 /* return false if legacy contained non-0 deprecated fields
- * transceiver/maxtxpkt/maxrxpkt. rest of ksettings always updated
+ * maxtxpkt/maxrxpkt. rest of ksettings always updated
 */
 static bool
 convert_legacy_settings_to_link_ksettings(
@@ -467,8 +467,7 @@ convert_legacy_settings_to_link_ksettings(
         * deprecated legacy fields, and they should not use
         * %ETHTOOL_GLINKSETTINGS/%ETHTOOL_SLINKSETTINGS
         */
-        if (legacy_settings->transceiver ||
+        if (legacy_settings->maxtxpkt ||
-            legacy_settings->maxtxpkt ||
            legacy_settings->maxrxpkt)
                retval = false;
diff --git a/net/core/filter.c b/net/core/filter.c
index ccf62f44140a..b79c44cc8145 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1840,31 +1840,31 @@ static const struct bpf_func_proto bpf_redirect_proto = {
        .arg2_type      = ARG_ANYTHING,
 };
-BPF_CALL_3(bpf_sk_redirect_map, struct bpf_map *, map, u32, key, u64, flags)
+BPF_CALL_4(bpf_sk_redirect_map, struct sk_buff *, skb,
+           struct bpf_map *, map, u32, key, u64, flags)
 {
-        struct redirect_info *ri = this_cpu_ptr(&redirect_info);
+        struct tcp_skb_cb *tcb = TCP_SKB_CB(skb);
        if (unlikely(flags))
                return SK_ABORTED;
-        ri->ifindex = key;
+        tcb->bpf.key = key;
-        ri->flags = flags;
+        tcb->bpf.flags = flags;
-        ri->map = map;
+        tcb->bpf.map = map;
        return SK_REDIRECT;
 }
-struct sock *do_sk_redirect_map(void)
+struct sock *do_sk_redirect_map(struct sk_buff *skb)
 {
-        struct redirect_info *ri = this_cpu_ptr(&redirect_info);
+        struct tcp_skb_cb *tcb = TCP_SKB_CB(skb);
        struct sock *sk = NULL;
-        if (ri->map) {
+        if (tcb->bpf.map) {
-                sk = __sock_map_lookup_elem(ri->map, ri->ifindex);
+                sk = __sock_map_lookup_elem(tcb->bpf.map, tcb->bpf.key);
-                ri->ifindex = 0;
+                tcb->bpf.key = 0;
-                ri->map = NULL;
+                tcb->bpf.map = NULL;
-                /* we do not clear flags for future lookup */
        }
        return sk;
@@ -1874,9 +1874,10 @@ static const struct bpf_func_proto bpf_sk_redirect_map_proto = {
        .func           = bpf_sk_redirect_map,
        .gpl_only       = false,
        .ret_type       = RET_INTEGER,
-        .arg1_type      = ARG_CONST_MAP_PTR,
+        .arg1_type      = ARG_PTR_TO_CTX,
-        .arg2_type      = ARG_ANYTHING,
+        .arg2_type      = ARG_CONST_MAP_PTR,
        .arg3_type      = ARG_ANYTHING,
+        .arg4_type      = ARG_ANYTHING,
 };
 BPF_CALL_1(bpf_get_cgroup_classid, const struct sk_buff *, skb)
@@ -3902,7 +3903,6 @@ static bool sk_skb_is_valid_access(int off, int size,
        if (type == BPF_WRITE) {
                switch (off) {
-                case bpf_ctx_range(struct __sk_buff, mark):
                case bpf_ctx_range(struct __sk_buff, tc_index):
                case bpf_ctx_range(struct __sk_buff, priority):
                        break;
@@ -3912,6 +3912,8 @@ static bool sk_skb_is_valid_access(int off, int size,
        }
        switch (off) {
+        case bpf_ctx_range(struct __sk_buff, mark):
+                return false;
        case bpf_ctx_range(struct __sk_buff, data):
                info->reg_type = PTR_TO_PACKET;
                break;
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 20b550d07fe3..04680a53c8dd 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1551,7 +1551,10 @@ static const struct nla_policy ifla_policy[IFLA_MAX+1] = {
        [IFLA_LINKINFO]         = { .type = NLA_NESTED },
        [IFLA_NET_NS_PID]       = { .type = NLA_U32 },
        [IFLA_NET_NS_FD]        = { .type = NLA_U32 },
-        [IFLA_IFALIAS]          = { .type = NLA_STRING, .len = IFALIASZ-1 },
+        /* IFLA_IFALIAS is a string, but policy is set to NLA_BINARY to
+         * allow 0-length string (needed to remove an alias).
+         */
+        [IFLA_IFALIAS]          = { .type = NLA_BINARY, .len = IFALIASZ - 1 },
        [IFLA_VFINFO_LIST]      = {. type = NLA_NESTED },
        [IFLA_VF_PORTS]         = { .type = NLA_NESTED },
        [IFLA_PORT_SELF]        = { .type = NLA_NESTED },
@@ -2172,7 +2175,7 @@ static int do_setlink(const struct sk_buff *skb,
                                dev->tx_queue_len = orig_len;
                                goto errout;
                        }
-                        status |= DO_SETLINK_NOTIFY;
+                        status |= DO_SETLINK_MODIFIED;
                }
        }
@@ -2332,7 +2335,7 @@ static int do_setlink(const struct sk_buff *skb,
 errout:
        if (status & DO_SETLINK_MODIFIED) {
-                if (status & DO_SETLINK_NOTIFY)
+                if ((status & DO_SETLINK_NOTIFY) == DO_SETLINK_NOTIFY)
                        netdev_state_change(dev);
                if (err < 0)
@@ -4373,13 +4376,17 @@ static int rtnetlink_event(struct notifier_block *this, unsigned long event, voi
        switch (event) {
        case NETDEV_REBOOT:
+        case NETDEV_CHANGEMTU:
        case NETDEV_CHANGEADDR:
        case NETDEV_CHANGENAME:
        case NETDEV_FEAT_CHANGE:
        case NETDEV_BONDING_FAILOVER:
+        case NETDEV_POST_TYPE_CHANGE:
        case NETDEV_NOTIFY_PEERS:
+        case NETDEV_CHANGEUPPER:
        case NETDEV_RESEND_IGMP:
        case NETDEV_CHANGEINFODATA:
+        case NETDEV_CHANGE_TX_QUEUE_LEN:
                rtmsg_ifinfo_event(RTM_NEWLINK, dev, 0, rtnl_get_event(event),
                                   GFP_KERNEL, NULL);
                break;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 40717501cbdd..97e604d55d55 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -1124,9 +1124,13 @@ int skb_zerocopy_iter_stream(struct sock *sk, struct sk_buff *skb,
        err = __zerocopy_sg_from_iter(sk, skb, &msg->msg_iter, len);
        if (err == -EFAULT || (err == -EMSGSIZE && skb->len == orig_len)) {
+                struct sock *save_sk = skb->sk;
                /* Streams do not free skb on error. Reset to prev state. */
                msg->msg_iter = orig_iter;
+                skb->sk = sk;
                ___pskb_trim(skb, orig_len);
+                skb->sk = save_sk;
                return err;
        }
@@ -1895,7 +1899,7 @@ void *__pskb_pull_tail(struct sk_buff *skb, int delta)
        }
        /* If we need update frag list, we are in troubles.
-         * Certainly, it possible to add an offset to skb data,
+         * Certainly, it is possible to add an offset to skb data,
         * but taking into account that pulling is expected to
         * be very rare operation, it is worth to fight against
         * further bloating skb head and crucify ourselves here instead.
diff --git a/net/core/sock.c b/net/core/sock.c
index 35656a9e4e44..759400053110 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1677,12 +1677,17 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
                newsk->sk_dst_pending_confirm = 0;
                newsk->sk_wmem_queued   = 0;
                newsk->sk_forward_alloc = 0;
+                /* sk->sk_memcg will be populated at accept() time */
+                newsk->sk_memcg = NULL;
                atomic_set(&newsk->sk_drops, 0);
                newsk->sk_send_head     = NULL;
                newsk->sk_userlocks     = sk->sk_userlocks & ~SOCK_BINDPORT_LOCK;
                atomic_set(&newsk->sk_zckey, 0);
                sock_reset_flag(newsk, SOCK_DONE);
+                cgroup_sk_alloc(&newsk->sk_cgrp_data);
                rcu_read_lock();
                filter = rcu_dereference(sk->sk_filter);
@@ -1714,9 +1719,6 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
                newsk->sk_incoming_cpu = raw_smp_processor_id();
                atomic64_set(&newsk->sk_cookie, 0);
-                mem_cgroup_sk_alloc(newsk);
-                cgroup_sk_alloc(&newsk->sk_cgrp_data);
                /*
                 * Before updating sk_refcnt, we must commit prior changes to memory
                 * (Documentation/RCU/rculist_nulls.txt for details)
diff --git a/net/core/sock_reuseport.c b/net/core/sock_reuseport.c
index eed1ebf7f29d..b1e0dbea1e8c 100644
--- a/net/core/sock_reuseport.c
+++ b/net/core/sock_reuseport.c
@@ -36,9 +36,14 @@ int reuseport_alloc(struct sock *sk)
         * soft irq of receive path or setsockopt from process context
         */
        spin_lock_bh(&reuseport_lock);
-        WARN_ONCE(rcu_dereference_protected(sk->sk_reuseport_cb,
-                                            lockdep_is_held(&reuseport_lock)),
+        /* Allocation attempts can occur concurrently via the setsockopt path
-                  "multiple allocations for the same socket");
+         * and the bind/hash path.  Nothing to do when we lose the race.
+         */
+        if (rcu_dereference_protected(sk->sk_reuseport_cb,
+                                      lockdep_is_held(&reuseport_lock)))
+                goto out;
        reuse = __reuseport_alloc(INIT_SOCKS);
        if (!reuse) {
                spin_unlock_bh(&reuseport_lock);
@@ -49,6 +54,7 @@ int reuseport_alloc(struct sock *sk)
        reuse->num_socks = 1;
        rcu_assign_pointer(sk->sk_reuseport_cb, reuse);
+out:
        spin_unlock_bh(&reuseport_lock);
        return 0;
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index 001c08696334..0490916864f9 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -414,8 +414,7 @@ struct sock *dccp_v4_request_recv_sock(const struct sock *sk,
        sk_daddr_set(newsk, ireq->ir_rmt_addr);
        sk_rcv_saddr_set(newsk, ireq->ir_loc_addr);
        newinet->inet_saddr     = ireq->ir_loc_addr;
-        newinet->inet_opt       = ireq->opt;
+        RCU_INIT_POINTER(newinet->inet_opt, rcu_dereference(ireq->ireq_opt));
-        ireq->opt          = NULL;
        newinet->mc_index  = inet_iif(skb);
        newinet->mc_ttl    = ip_hdr(skb)->ttl;
        newinet->inet_id   = jiffies;
@@ -430,7 +429,10 @@ struct sock *dccp_v4_request_recv_sock(const struct sock *sk,
        if (__inet_inherit_port(sk, newsk) < 0)
                goto put_and_exit;
        *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash));
+        if (*own_req)
+                ireq->ireq_opt = NULL;
+        else
+                newinet->inet_opt = NULL;
        return newsk;
 exit_overflow:
@@ -441,6 +443,7 @@ exit:
        __NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENDROPS);
        return NULL;
 put_and_exit:
+        newinet->inet_opt = NULL;
        inet_csk_prepare_forced_close(newsk);
        dccp_done(newsk);
        goto exit;
@@ -492,7 +495,7 @@ static int dccp_v4_send_response(const struct sock *sk, struct request_sock *req
                                                              ireq->ir_rmt_addr);
                err = ip_build_and_send_pkt(skb, sk, ireq->ir_loc_addr,
                                            ireq->ir_rmt_addr,
-                                            ireq->opt);
+                                            rcu_dereference(ireq->ireq_opt));
                err = net_xmit_eval(err);
        }
@@ -548,7 +551,7 @@ out:
 static void dccp_v4_reqsk_destructor(struct request_sock *req)
 {
        dccp_feat_list_purge(&dccp_rsk(req)->dreq_featneg);
-        kfree(inet_rsk(req)->opt);
+        kfree(rcu_dereference_protected(inet_rsk(req)->ireq_opt, 1));
 }
 void dccp_syn_ack_timeout(const struct request_sock *req)
diff --git a/net/dns_resolver/dns_key.c b/net/dns_resolver/dns_key.c
index 8737412c7b27..e1d4d898a007 100644
--- a/net/dns_resolver/dns_key.c
+++ b/net/dns_resolver/dns_key.c
@@ -224,7 +224,7 @@ static int dns_resolver_match_preparse(struct key_match_data *match_data)
 static void dns_resolver_describe(const struct key *key, struct seq_file *m)
 {
        seq_puts(m, key->description);
-        if (key_is_instantiated(key)) {
+        if (key_is_positive(key)) {
                int err = PTR_ERR(key->payload.data[dns_key_error]);
                if (err)
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 91a2557942fa..f48fe6fc7e8c 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -70,11 +70,9 @@ config IP_MULTIPLE_TABLES
          address into account. Furthermore, the TOS (Type-Of-Service) field
          of the packet can be used for routing decisions as well.
-          If you are interested in this, please see the preliminary
+          If you need more information, see the Linux Advanced
-          documentation at <http://www.compendium.com.ar/policy-routing.txt>
+          Routing and Traffic Control documentation at
-          and <ftp://post.tepkom.ru/pub/vol2/Linux/docs/advanced-routing.tex>.
+          <http://lartc.org/howto/lartc.rpdb.html>
-          You will need supporting software from
-          <ftp://ftp.tux.org/pub/net/ip-routing/>.
          If unsure, say N.
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 2ae8f54cb321..82178cc69c96 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -1951,7 +1951,7 @@ int cipso_v4_req_setattr(struct request_sock *req,
        buf = NULL;
        req_inet = inet_rsk(req);
-        opt = xchg(&req_inet->opt, opt);
+        opt = xchg((__force struct ip_options_rcu **)&req_inet->ireq_opt, opt);
        if (opt)
                kfree_rcu(opt, rcu);
@@ -1973,11 +1973,13 @@ req_setattr_failure:
 * values on failure.
 *
 */
-static int cipso_v4_delopt(struct ip_options_rcu **opt_ptr)
+static int cipso_v4_delopt(struct ip_options_rcu __rcu **opt_ptr)
 {
+        struct ip_options_rcu *opt = rcu_dereference_protected(*opt_ptr, 1);
        int hdr_delta = 0;
-        struct ip_options_rcu *opt = *opt_ptr;
+        if (!opt || opt->opt.cipso == 0)
+                return 0;
        if (opt->opt.srr || opt->opt.rr || opt->opt.ts || opt->opt.router_alert) {
                u8 cipso_len;
                u8 cipso_off;
@@ -2039,14 +2041,10 @@ static int cipso_v4_delopt(struct ip_options_rcu **opt_ptr)
 */
 void cipso_v4_sock_delattr(struct sock *sk)
 {
-        int hdr_delta;
-        struct ip_options_rcu *opt;
        struct inet_sock *sk_inet;
+        int hdr_delta;
        sk_inet = inet_sk(sk);
-        opt = rcu_dereference_protected(sk_inet->inet_opt, 1);
-        if (!opt || opt->opt.cipso == 0)
-                return;
        hdr_delta = cipso_v4_delopt(&sk_inet->inet_opt);
        if (sk_inet->is_icsk && hdr_delta > 0) {
@@ -2066,15 +2064,7 @@ void cipso_v4_sock_delattr(struct sock *sk)
 */
 void cipso_v4_req_delattr(struct request_sock *req)
 {
-        struct ip_options_rcu *opt;
+        cipso_v4_delopt(&inet_rsk(req)->ireq_opt);
-        struct inet_request_sock *req_inet;
-        req_inet = inet_rsk(req);
-        opt = req_inet->opt;
-        if (!opt || opt->opt.cipso == 0)
-                return;
-        cipso_v4_delopt(&req_inet->opt);
 }
 /**
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 5c965ecc96a0..ca03a1dcbc8f 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -475,6 +475,7 @@ struct sock *inet_csk_accept(struct sock *sk, int flags, int *err, bool kern)
                }
                spin_unlock_bh(&queue->fastopenq.lock);
        }
+        mem_cgroup_sk_alloc(newsk);
 out:
        release_sock(sk);
        if (req)
@@ -537,9 +538,10 @@ struct dst_entry *inet_csk_route_req(const struct sock *sk,
 {
        const struct inet_request_sock *ireq = inet_rsk(req);
        struct net *net = read_pnet(&ireq->ireq_net);
-        struct ip_options_rcu *opt = ireq->opt;
+        struct ip_options_rcu *opt;
        struct rtable *rt;
+        opt = rcu_dereference(ireq->ireq_opt);
        flowi4_init_output(fl4, ireq->ir_iif, ireq->ir_mark,
                           RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE,
                           sk->sk_protocol, inet_sk_flowi_flags(sk),
@@ -573,10 +575,9 @@ struct dst_entry *inet_csk_route_child_sock(const struct sock *sk,
        struct flowi4 *fl4;
        struct rtable *rt;
+        opt = rcu_dereference(ireq->ireq_opt);
        fl4 = &newinet->cork.fl.u.ip4;
-        rcu_read_lock();
-        opt = rcu_dereference(newinet->inet_opt);
        flowi4_init_output(fl4, ireq->ir_iif, ireq->ir_mark,
                           RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE,
                           sk->sk_protocol, inet_sk_flowi_flags(sk),
@@ -589,13 +590,11 @@ struct dst_entry *inet_csk_route_child_sock(const struct sock *sk,
                goto no_route;
        if (opt && opt->opt.is_strictroute && rt->rt_uses_gateway)
                goto route_err;
-        rcu_read_unlock();
        return &rt->dst;
 route_err:
        ip_rt_put(rt);
 no_route:
-        rcu_read_unlock();
        __IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES);
        return NULL;
 }
diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
index 597bb4cfe805..e7d15fb0d94d 100644
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -456,10 +456,7 @@ static int inet_reuseport_add_sock(struct sock *sk,
                        return reuseport_add_sock(sk, sk2);
        }
-        /* Initial allocation may have already happened via setsockopt */
+        return reuseport_alloc(sk);
-        if (!rcu_access_pointer(sk->sk_reuseport_cb))
-                return reuseport_alloc(sk);
-        return 0;
 }
 int __inet_hash(struct sock *sk, struct sock *osk)
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index b1bb1b3a1082..77cf32a80952 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -355,7 +355,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
        /* We throwed the options of the initial SYN away, so we hope
         * the ACK carries the same options again (see RFC1122 4.2.3.8)
         */
-        ireq->opt = tcp_v4_save_options(sock_net(sk), skb);
+        RCU_INIT_POINTER(ireq->ireq_opt, tcp_v4_save_options(sock_net(sk), skb));
        if (security_inet_conn_request(sk, skb, req)) {
                reqsk_free(req);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index b2390bfdc68f..ab3f12898245 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -6167,7 +6167,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
                struct inet_request_sock *ireq = inet_rsk(req);
                kmemcheck_annotate_bitfield(ireq, flags);
-                ireq->opt = NULL;
+                ireq->ireq_opt = NULL;
 #if IS_ENABLED(CONFIG_IPV6)
                ireq->pktopts = NULL;
 #endif
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 28ca4e177047..e22439f05e46 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -877,7 +877,7 @@ static int tcp_v4_send_synack(const struct sock *sk, struct dst_entry *dst,
                err = ip_build_and_send_pkt(skb, sk, ireq->ir_loc_addr,
                                            ireq->ir_rmt_addr,
-                                            ireq->opt);
+                                            rcu_dereference(ireq->ireq_opt));
                err = net_xmit_eval(err);
        }
@@ -889,7 +889,7 @@ static int tcp_v4_send_synack(const struct sock *sk, struct dst_entry *dst,
 */
 static void tcp_v4_reqsk_destructor(struct request_sock *req)
 {
-        kfree(inet_rsk(req)->opt);
+        kfree(rcu_dereference_protected(inet_rsk(req)->ireq_opt, 1));
 }
 #ifdef CONFIG_TCP_MD5SIG
@@ -1265,10 +1265,11 @@ static void tcp_v4_init_req(struct request_sock *req,
                            struct sk_buff *skb)
 {
        struct inet_request_sock *ireq = inet_rsk(req);
+        struct net *net = sock_net(sk_listener);
        sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr);
        sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr);
-        ireq->opt = tcp_v4_save_options(sock_net(sk_listener), skb);
+        RCU_INIT_POINTER(ireq->ireq_opt, tcp_v4_save_options(net, skb));
 }
 static struct dst_entry *tcp_v4_route_req(const struct sock *sk,
@@ -1355,10 +1356,9 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
        sk_daddr_set(newsk, ireq->ir_rmt_addr);
        sk_rcv_saddr_set(newsk, ireq->ir_loc_addr);
        newsk->sk_bound_dev_if = ireq->ir_iif;
-        newinet->inet_saddr           = ireq->ir_loc_addr;
+        newinet->inet_saddr   = ireq->ir_loc_addr;
-        inet_opt              = ireq->opt;
+        inet_opt              = rcu_dereference(ireq->ireq_opt);
-        rcu_assign_pointer(newinet->inet_opt, inet_opt);
+        RCU_INIT_POINTER(newinet->inet_opt, inet_opt);
-        ireq->opt             = NULL;
        newinet->mc_index     = inet_iif(skb);
        newinet->mc_ttl       = ip_hdr(skb)->ttl;
        newinet->rcv_tos      = ip_hdr(skb)->tos;
@@ -1403,9 +1403,12 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
        if (__inet_inherit_port(sk, newsk) < 0)
                goto put_and_exit;
        *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash));
-        if (*own_req)
+        if (likely(*own_req)) {
                tcp_move_syn(newtp, req);
+                ireq->ireq_opt = NULL;
+        } else {
+                newinet->inet_opt = NULL;
+        }
        return newsk;
 exit_overflow:
@@ -1416,6 +1419,7 @@ exit:
        tcp_listendrop(sk);
        return NULL;
 put_and_exit:
+        newinet->inet_opt = NULL;
        inet_csk_prepare_forced_close(newsk);
        tcp_done(newsk);
        goto exit;
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 7c9a6e4a7253..a6699af05539 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -231,10 +231,7 @@ static int udp_reuseport_add_sock(struct sock *sk, struct udp_hslot *hslot)
                }
        }
-        /* Initial allocation may have already happened via setsockopt */
+        return reuseport_alloc(sk);
-        if (!rcu_access_pointer(sk->sk_reuseport_cb))
-                return reuseport_alloc(sk);
-        return 0;
 }
 /**
@@ -1061,7 +1058,7 @@ back_from_confirm:
                /* ... which is an evident application bug. --ANK */
                release_sock(sk);
-                net_dbg_ratelimited("cork app bug 2\n");
+                net_dbg_ratelimited("socket already corked\n");
                err = -EINVAL;
                goto out;
        }
@@ -1144,7 +1141,7 @@ int udp_sendpage(struct sock *sk, struct page *page, int offset,
        if (unlikely(!up->pending)) {
                release_sock(sk);
-                net_dbg_ratelimited("udp cork app bug 3\n");
+                net_dbg_ratelimited("cork failed\n");
                return -EINVAL;
        }
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index 8081bafe441b..15535ee327c5 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -315,6 +315,7 @@ struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space,
        }
        opt_space->dst1opt = fopt->dst1opt;
        opt_space->opt_flen = fopt->opt_flen;
+        opt_space->tot_len = fopt->tot_len;
        return opt_space;
 }
 EXPORT_SYMBOL_GPL(fl6_merge_options);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 43ca864327c7..5110a418cc4d 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1161,11 +1161,11 @@ static int ip6_setup_cork(struct sock *sk, struct inet_cork_full *cork,
                if (WARN_ON(v6_cork->opt))
                        return -EINVAL;
-                v6_cork->opt = kzalloc(opt->tot_len, sk->sk_allocation);
+                v6_cork->opt = kzalloc(sizeof(*opt), sk->sk_allocation);
                if (unlikely(!v6_cork->opt))
                        return -ENOBUFS;
-                v6_cork->opt->tot_len = opt->tot_len;
+                v6_cork->opt->tot_len = sizeof(*opt);
                v6_cork->opt->opt_flen = opt->opt_flen;
                v6_cork->opt->opt_nflen = opt->opt_nflen;
diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c
index bc6e8bfc5be4..f50452b919d5 100644
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -988,6 +988,9 @@ static int pppol2tp_session_ioctl(struct l2tp_session *session,
                 session->name, cmd, arg);
        sk = ps->sock;
+        if (!sk)
+                return -EBADR;
        sock_hold(sk);
        switch (cmd) {
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index a98fc2b5e0dc..ae995c8480db 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -4,7 +4,7 @@
 * Copyright 2006-2007  Jiri Benc <jbenc@suse.cz>
 * Copyright 2007-2008  Johannes Berg <johannes@sipsolutions.net>
 * Copyright 2013-2014  Intel Mobile Communications GmbH
- * Copyright 2015       Intel Deutschland GmbH
+ * Copyright 2015-2017  Intel Deutschland GmbH
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
@@ -620,9 +620,6 @@ int ieee80211_key_link(struct ieee80211_key *key,
        pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
        idx = key->conf.keyidx;
-        key->local = sdata->local;
-        key->sdata = sdata;
-        key->sta = sta;
        mutex_lock(&sdata->local->key_mtx);
@@ -633,6 +630,21 @@ int ieee80211_key_link(struct ieee80211_key *key,
        else
                old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
+        /*
+         * Silently accept key re-installation without really installing the
+         * new version of the key to avoid nonce reuse or replay issues.
+         */
+        if (old_key && key->conf.keylen == old_key->conf.keylen &&
+            !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) {
+                ieee80211_key_free_unused(key);
+                ret = 0;
+                goto out;
+        }
+        key->local = sdata->local;
+        key->sdata = sdata;
+        key->sta = sta;
        increment_tailroom_need_count(sdata);
        ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
@@ -648,6 +660,7 @@ int ieee80211_key_link(struct ieee80211_key *key,
                ret = 0;
        }
+ out:
        mutex_unlock(&sdata->local->key_mtx);
        return ret;
diff --git a/net/ncsi/internal.h b/net/ncsi/internal.h
index af3d636534ef..d30f7bd741d0 100644
--- a/net/ncsi/internal.h
+++ b/net/ncsi/internal.h
@@ -286,6 +286,7 @@ struct ncsi_dev_priv {
        struct work_struct  work;            /* For channel management     */
        struct packet_type  ptype;           /* NCSI packet Rx handler     */
        struct list_head    node;            /* Form NCSI device list      */
+#define NCSI_MAX_VLAN_VIDS      15
        struct list_head    vlan_vids;       /* List of active VLAN IDs */
 };
diff --git a/net/ncsi/ncsi-aen.c b/net/ncsi/ncsi-aen.c
index 6898e7229285..f135938bf781 100644
--- a/net/ncsi/ncsi-aen.c
+++ b/net/ncsi/ncsi-aen.c
@@ -187,7 +187,7 @@ static struct ncsi_aen_handler {
 } ncsi_aen_handlers[] = {
        { NCSI_PKT_AEN_LSC,    12, ncsi_aen_handler_lsc    },
        { NCSI_PKT_AEN_CR,      4, ncsi_aen_handler_cr     },
-        { NCSI_PKT_AEN_HNCDSC,  4, ncsi_aen_handler_hncdsc }
+        { NCSI_PKT_AEN_HNCDSC,  8, ncsi_aen_handler_hncdsc }
 };
 int ncsi_aen_handler(struct ncsi_dev_priv *ndp, struct sk_buff *skb)
diff --git a/net/ncsi/ncsi-manage.c b/net/ncsi/ncsi-manage.c
index 3fd3c39e6278..28c42b22b748 100644
--- a/net/ncsi/ncsi-manage.c
+++ b/net/ncsi/ncsi-manage.c
@@ -189,6 +189,7 @@ static void ncsi_channel_monitor(unsigned long data)
        struct ncsi_channel *nc = (struct ncsi_channel *)data;
        struct ncsi_package *np = nc->package;
        struct ncsi_dev_priv *ndp = np->ndp;
+        struct ncsi_channel_mode *ncm;
        struct ncsi_cmd_arg nca;
        bool enabled, chained;
        unsigned int monitor_state;
@@ -202,11 +203,15 @@ static void ncsi_channel_monitor(unsigned long data)
        monitor_state = nc->monitor.state;
        spin_unlock_irqrestore(&nc->lock, flags);
-        if (!enabled || chained)
+        if (!enabled || chained) {
+                ncsi_stop_channel_monitor(nc);
                return;
+        }
        if (state != NCSI_CHANNEL_INACTIVE &&
-            state != NCSI_CHANNEL_ACTIVE)
+            state != NCSI_CHANNEL_ACTIVE) {
+                ncsi_stop_channel_monitor(nc);
                return;
+        }
        switch (monitor_state) {
        case NCSI_CHANNEL_MONITOR_START:
@@ -217,28 +222,28 @@ static void ncsi_channel_monitor(unsigned long data)
                nca.type = NCSI_PKT_CMD_GLS;
                nca.req_flags = 0;
                ret = ncsi_xmit_cmd(&nca);
-                if (ret) {
+                if (ret)
                        netdev_err(ndp->ndev.dev, "Error %d sending GLS\n",
                                   ret);
-                        return;
-                }
                break;
        case NCSI_CHANNEL_MONITOR_WAIT ... NCSI_CHANNEL_MONITOR_WAIT_MAX:
                break;
        default:
-                if (!(ndp->flags & NCSI_DEV_HWA) &&
+                if (!(ndp->flags & NCSI_DEV_HWA)) {
-                    state == NCSI_CHANNEL_ACTIVE) {
                        ncsi_report_link(ndp, true);
                        ndp->flags |= NCSI_DEV_RESHUFFLE;
                }
+                ncsi_stop_channel_monitor(nc);
+                ncm = &nc->modes[NCSI_MODE_LINK];
                spin_lock_irqsave(&nc->lock, flags);
                nc->state = NCSI_CHANNEL_INVISIBLE;
+                ncm->data[2] &= ~0x1;
                spin_unlock_irqrestore(&nc->lock, flags);
                spin_lock_irqsave(&ndp->lock, flags);
-                nc->state = NCSI_CHANNEL_INACTIVE;
+                nc->state = NCSI_CHANNEL_ACTIVE;
                list_add_tail_rcu(&nc->link, &ndp->channel_queue);
                spin_unlock_irqrestore(&ndp->lock, flags);
                ncsi_process_next_channel(ndp);
@@ -732,6 +737,10 @@ static int set_one_vid(struct ncsi_dev_priv *ndp, struct ncsi_channel *nc,
        if (index < 0) {
                netdev_err(ndp->ndev.dev,
                           "Failed to add new VLAN tag, error %d\n", index);
+                if (index == -ENOSPC)
+                        netdev_err(ndp->ndev.dev,
+                                   "Channel %u already has all VLAN filters set\n",
+                                   nc->id);
                return -1;
        }
@@ -998,12 +1007,15 @@ static bool ncsi_check_hwa(struct ncsi_dev_priv *ndp)
        struct ncsi_package *np;
        struct ncsi_channel *nc;
        unsigned int cap;
+        bool has_channel = false;
        /* The hardware arbitration is disabled if any one channel
         * doesn't support explicitly.
         */
        NCSI_FOR_EACH_PACKAGE(ndp, np) {
                NCSI_FOR_EACH_CHANNEL(np, nc) {
+                        has_channel = true;
                        cap = nc->caps[NCSI_CAP_GENERIC].cap;
                        if (!(cap & NCSI_CAP_GENERIC_HWA) ||
                            (cap & NCSI_CAP_GENERIC_HWA_MASK) !=
@@ -1014,8 +1026,13 @@ static bool ncsi_check_hwa(struct ncsi_dev_priv *ndp)
                }
        }
-        ndp->flags |= NCSI_DEV_HWA;
+        if (has_channel) {
-        return true;
+                ndp->flags |= NCSI_DEV_HWA;
+                return true;
+        }
+        ndp->flags &= ~NCSI_DEV_HWA;
+        return false;
 }
 static int ncsi_enable_hwa(struct ncsi_dev_priv *ndp)
@@ -1403,7 +1420,6 @@ static int ncsi_kick_channels(struct ncsi_dev_priv *ndp)
 int ncsi_vlan_rx_add_vid(struct net_device *dev, __be16 proto, u16 vid)
 {
-        struct ncsi_channel_filter *ncf;
        struct ncsi_dev_priv *ndp;
        unsigned int n_vids = 0;
        struct vlan_vid *vlan;
@@ -1420,7 +1436,6 @@ int ncsi_vlan_rx_add_vid(struct net_device *dev, __be16 proto, u16 vid)
        }
        ndp = TO_NCSI_DEV_PRIV(nd);
-        ncf = ndp->hot_channel->filters[NCSI_FILTER_VLAN];
        /* Add the VLAN id to our internal list */
        list_for_each_entry_rcu(vlan, &ndp->vlan_vids, list) {
@@ -1431,12 +1446,11 @@ int ncsi_vlan_rx_add_vid(struct net_device *dev, __be16 proto, u16 vid)
                        return 0;
                }
        }
+        if (n_vids >= NCSI_MAX_VLAN_VIDS) {
-        if (n_vids >= ncf->total) {
+                netdev_warn(dev,
-                netdev_info(dev,
+                            "tried to add vlan id %u but NCSI max already registered (%u)\n",
-                            "NCSI Channel supports up to %u VLAN tags but %u are already set\n",
+                            vid, NCSI_MAX_VLAN_VIDS);
-                            ncf->total, n_vids);
+                return -ENOSPC;
-                return -EINVAL;
        }
        vlan = kzalloc(sizeof(*vlan), GFP_KERNEL);
diff --git a/net/ncsi/ncsi-rsp.c b/net/ncsi/ncsi-rsp.c
index 265b9a892d41..927dad4759d1 100644
--- a/net/ncsi/ncsi-rsp.c
+++ b/net/ncsi/ncsi-rsp.c
@@ -959,7 +959,7 @@ static struct ncsi_rsp_handler {
        { NCSI_PKT_RSP_EGMF,    4, ncsi_rsp_handler_egmf    },
        { NCSI_PKT_RSP_DGMF,    4, ncsi_rsp_handler_dgmf    },
        { NCSI_PKT_RSP_SNFC,    4, ncsi_rsp_handler_snfc    },
-        { NCSI_PKT_RSP_GVI,    36, ncsi_rsp_handler_gvi     },
+        { NCSI_PKT_RSP_GVI,    40, ncsi_rsp_handler_gvi     },
        { NCSI_PKT_RSP_GC,     32, ncsi_rsp_handler_gc      },
        { NCSI_PKT_RSP_GP,     -1, ncsi_rsp_handler_gp      },
        { NCSI_PKT_RSP_GCPS,  172, ncsi_rsp_handler_gcps    },
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 336d9c6dcad9..767c84e10e20 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2307,6 +2307,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
        size_t tlvlen = 0;
        struct netlink_sock *nlk = nlk_sk(NETLINK_CB(in_skb).sk);
        unsigned int flags = 0;
+        bool nlk_has_extack = nlk->flags & NETLINK_F_EXT_ACK;
        /* Error messages get the original request appened, unless the user
         * requests to cap the error message, and get extra error data if
@@ -2317,7 +2318,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
                        payload += nlmsg_len(nlh);
                else
                        flags |= NLM_F_CAPPED;
-                if (nlk->flags & NETLINK_F_EXT_ACK && extack) {
+                if (nlk_has_extack && extack) {
                        if (extack->_msg)
                                tlvlen += nla_total_size(strlen(extack->_msg) + 1);
                        if (extack->bad_attr)
@@ -2326,8 +2327,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
        } else {
                flags |= NLM_F_CAPPED;
-                if (nlk->flags & NETLINK_F_EXT_ACK &&
+                if (nlk_has_extack && extack && extack->cookie_len)
-                    extack && extack->cookie_len)
                        tlvlen += nla_total_size(extack->cookie_len);
        }
@@ -2347,7 +2347,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
        errmsg->error = err;
        memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh));
-        if (nlk->flags & NETLINK_F_EXT_ACK && extack) {
+        if (nlk_has_extack && extack) {
                if (err) {
                        if (extack->_msg)
                                WARN_ON(nla_put_string(skb, NLMSGERR_ATTR_MSG,
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 3f5caa3fbd06..4f4fa323171d 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1767,7 +1767,7 @@ static int fanout_add(struct sock *sk, u16 id, u16 type_flags)
 out:
        if (err && rollover) {
-                kfree(rollover);
+                kfree_rcu(rollover, rcu);
                po->rollover = NULL;
        }
        mutex_unlock(&fanout_mutex);
@@ -1794,8 +1794,10 @@ static struct packet_fanout *fanout_release(struct sock *sk)
                else
                        f = NULL;
-                if (po->rollover)
+                if (po->rollover) {
                        kfree_rcu(po->rollover, rcu);
+                        po->rollover = NULL;
+                }
        }
        mutex_unlock(&fanout_mutex);
@@ -3849,6 +3851,7 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
        void *data = &val;
        union tpacket_stats_u st;
        struct tpacket_rollover_stats rstats;
+        struct packet_rollover *rollover;
        if (level != SOL_PACKET)
                return -ENOPROTOOPT;
@@ -3927,13 +3930,18 @@ static int packet_getsockopt(struct socket *sock, int level, int optname,
                       0);
                break;
        case PACKET_ROLLOVER_STATS:
-                if (!po->rollover)
+                rcu_read_lock();
+                rollover = rcu_dereference(po->rollover);
+                if (rollover) {
+                        rstats.tp_all = atomic_long_read(&rollover->num);
+                        rstats.tp_huge = atomic_long_read(&rollover->num_huge);
+                        rstats.tp_failed = atomic_long_read(&rollover->num_failed);
+                        data = &rstats;
+                        lv = sizeof(rstats);
+                }
+                rcu_read_unlock();
+                if (!rollover)
                        return -EINVAL;
-                rstats.tp_all = atomic_long_read(&po->rollover->num);
-                rstats.tp_huge = atomic_long_read(&po->rollover->num_huge);
-                rstats.tp_failed = atomic_long_read(&po->rollover->num_failed);
-                data = &rstats;
-                lv = sizeof(rstats);
                break;
        case PACKET_TX_HAS_OFF:
                val = po->tp_tx_has_off;
diff --git a/net/rxrpc/af_rxrpc.c b/net/rxrpc/af_rxrpc.c
index 73c980e26581..054e32872808 100644
--- a/net/rxrpc/af_rxrpc.c
+++ b/net/rxrpc/af_rxrpc.c
@@ -311,10 +311,11 @@ struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
        call = rxrpc_new_client_call(rx, &cp, srx, user_call_ID, tx_total_len,
                                     gfp);
        /* The socket has been unlocked. */
-        if (!IS_ERR(call))
+        if (!IS_ERR(call)) {
                call->notify_rx = notify_rx;
+                mutex_unlock(&call->user_mutex);
+        }
-        mutex_unlock(&call->user_mutex);
        _leave(" = %p", call);
        return call;
 }
diff --git a/net/sctp/input.c b/net/sctp/input.c
index 92a07141fd07..34f10e75f3b9 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -421,7 +421,7 @@ void sctp_icmp_redirect(struct sock *sk, struct sctp_transport *t,
 {
        struct dst_entry *dst;
-        if (!t)
+        if (sock_owned_by_user(sk) || !t)
                return;
        dst = sctp_transport_dst_check(t);
        if (dst)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 88c28421ec15..c75acdf71a6f 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4978,6 +4978,10 @@ int sctp_do_peeloff(struct sock *sk, sctp_assoc_t id, struct socket **sockp)
        struct socket *sock;
        int err = 0;
+        /* Do not peel off from one netns to another one. */
+        if (!net_eq(current->nsproxy->net_ns, sock_net(sk)))
+                return -EINVAL;
        if (!asoc)
                return -EINVAL;
diff --git a/net/vmw_vsock/hyperv_transport.c b/net/vmw_vsock/hyperv_transport.c
index bbac023e70d1..5583df708b8c 100644
--- a/net/vmw_vsock/hyperv_transport.c
+++ b/net/vmw_vsock/hyperv_transport.c
@@ -310,11 +310,15 @@ static void hvs_close_connection(struct vmbus_channel *chan)
        struct sock *sk = get_per_channel_state(chan);
        struct vsock_sock *vsk = vsock_sk(sk);
+        lock_sock(sk);
        sk->sk_state = TCP_CLOSE;
        sock_set_flag(sk, SOCK_DONE);
        vsk->peer_shutdown |= SEND_SHUTDOWN | RCV_SHUTDOWN;
        sk->sk_state_change(sk);
+        release_sock(sk);
 }
 static void hvs_open_connection(struct vmbus_channel *chan)
@@ -344,6 +348,7 @@ static void hvs_open_connection(struct vmbus_channel *chan)
        if (!sk)
                return;
+        lock_sock(sk);
        if ((conn_from_host && sk->sk_state != TCP_LISTEN) ||
            (!conn_from_host && sk->sk_state != TCP_SYN_SENT))
                goto out;
@@ -395,9 +400,7 @@ static void hvs_open_connection(struct vmbus_channel *chan)
                vsock_insert_connected(vnew);
-                lock_sock(sk);
                vsock_enqueue_accept(sk, new);
-                release_sock(sk);
        } else {
                sk->sk_state = TCP_ESTABLISHED;
                sk->sk_socket->state = SS_CONNECTED;
@@ -410,6 +413,8 @@ static void hvs_open_connection(struct vmbus_channel *chan)
 out:
        /* Release refcnt obtained when we called vsock_find_bound_socket() */
        sock_put(sk);
+        release_sock(sk);
 }
 static u32 hvs_get_local_cid(void)
@@ -476,13 +481,21 @@ out:
 static void hvs_release(struct vsock_sock *vsk)
 {
+        struct sock *sk = sk_vsock(vsk);
        struct hvsock *hvs = vsk->trans;
-        struct vmbus_channel *chan = hvs->chan;
+        struct vmbus_channel *chan;
+        lock_sock(sk);
+        sk->sk_state = SS_DISCONNECTING;
+        vsock_remove_sock(vsk);
+        release_sock(sk);
+        chan = hvs->chan;
        if (chan)
                hvs_shutdown(vsk, RCV_SHUTDOWN | SEND_SHUTDOWN);
-        vsock_remove_sock(vsk);
 }
 static void hvs_destruct(struct vsock_sock *vsk)