Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) sunhme driver lacks DMA mapping error checks, based upon a report by
    Meelis Roos.

 2) Fix memory leak in mvpp2 driver, from Sudip Mukherjee.

 3) DMA memory allocation sizes are wrong in systemport ethernet driver,
    fix from Florian Fainelli.

 4) Fix use after free in mac80211 defragmentation code, from Johannes
    Berg.

 5) Some networking uapi headers missing from Kbuild file, from Stephen
    Hemminger.

 6) TUN driver gets csum_start offset wrong when VLAN accel is enabled,
    and macvtap has a similar bug, from Herbert Xu.

 7) Adjust several tunneling drivers to set dev->iflink after registry,
    because registry sets that to -1 overwriting whatever we did.  From
    Steffen Klassert.

 8) Geneve forgets to set inner tunneling type, causing GSO segmentation
    to fail on some NICs.  From Jesse Gross.

 9) Fix several locking bugs in stmmac driver, from Fabrice Gasnier and
    Giuseppe CAVALLARO.

10) Fix spurious timeouts with NewReno on low traffic connections, from
    Marcelo Leitner.

11) Fix descriptor updates in enic driver, from Govindarajulu
    Varadarajan.

12) PPP calls bpf_prog_create() with locks held, which isn't kosher.
    Fix from Takashi Iwai.

13) Fix NULL deref in SCTP with malformed INIT packets, from Daniel
    Borkmann.

14) psock_fanout selftest accesses past the end of the mmap ring, fix
    from Shuah Khan.

15) Fix PTP timestamping for VLAN packets, from Richard Cochran.

16) netlink_unbind() calls in netlink pass wrong initial argument, from
    Hiroaki SHIMODA.

17) vxlan socket reuse accidently reuses a socket when the address
    family is different, so we have to explicitly check this, from
    Marcelo Lietner.

18) Fix missing include in nft_reject_bridge.c breaking the build on ppc
    and other architectures, from Guenter Roeck.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (75 commits)
  vxlan: Do not reuse sockets for a different address family
  smsc911x: power-up phydev before doing a software reset.
  lib: rhashtable - Remove weird non-ASCII characters from comments
  net/smsc911x: Fix delays in the PHY enable/disable routines
  net/smsc911x: Fix rare soft reset timeout issue due to PHY power-down mode
  netlink: Properly unbind in error conditions.
  net: ptp: fix time stamp matching logic for VLAN packets.
  cxgb4 : dcb open-lldp interop fixes
  selftests/net: psock_fanout seg faults in sock_fanout_read_ring()
  net: bcmgenet: apply MII configuration in bcmgenet_open()
  net: bcmgenet: connect and disconnect from the PHY state machine
  net: qualcomm: Fix dependency
  ixgbe: phy: fix uninitialized status in ixgbe_setup_phy_link_tnx
  net: phy: Correctly handle MII ioctl which changes autonegotiation.
  ipv6: fix IPV6_PKTINFO with v4 mapped
  net: sctp: fix memory leak in auth key management
  net: sctp: fix NULL pointer dereference in af->from_addr_param on malformed packet
  net: ppp: Don't call bpf_prog_create() in ppp_lock
  net/mlx4_en: Advertize encapsulation offloads features only when VXLAN tunnel is set
  cxgb4 : Fix bug in DCB app deletion
  ...

20 files changed, 91 insertions, 97 deletions

diff --git a/net/bridge/netfilter/nft_reject_bridge.c b/net/bridge/netfilter/nft_reject_bridge.c
index 654c9018e3e7..48da2c54a69e 100644
--- a/net/bridge/netfilter/nft_reject_bridge.c
+++ b/net/bridge/netfilter/nft_reject_bridge.c
@@ -18,6 +18,7 @@
 #include <net/netfilter/ipv6/nf_reject.h>
 #include <linux/ip.h>
 #include <net/ip.h>
+#include <net/ip6_checksum.h>
 #include <linux/netfilter_bridge.h>
 #include "../br_private.h"
 
diff --git a/net/dsa/slave.c b/net/dsa/slave.c
index 6d1817449c36..ab03e00ffe8f 100644
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -489,11 +489,14 @@ static void dsa_slave_phy_setup(struct dsa_slave_priv *p,
         /* We could not connect to a designated PHY, so use the switch internal
          * MDIO bus instead
          */
-        if (!p->phy)
+        if (!p->phy) {
                 p->phy = ds->slave_mii_bus->phy_map[p->port];
-        else
+                phy_connect_direct(slave_dev, p->phy, dsa_slave_adjust_link,
+                                   p->phy_interface);
+        } else {
                 pr_info("attached PHY at address %d [%s]\n",
                         p->phy->addr, p->phy->drv->name);
+        }
 }
 
 int dsa_slave_suspend(struct net_device *slave_dev)
diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
index 32e78924e246..606c520ffd5a 100644
--- a/net/ipv4/fou.c
+++ b/net/ipv4/fou.c
@@ -133,6 +133,8 @@ static int fou_gro_complete(struct sk_buff *skb, int nhoff)
         int err = -ENOSYS;
         const struct net_offload **offloads;
 
+        udp_tunnel_gro_complete(skb, nhoff);
+
         rcu_read_lock();
         offloads = NAPI_GRO_CB(skb)->is_ipv6 ? inet6_offloads : inet_offloads;
         ops = rcu_dereference(offloads[proto]);
diff --git a/net/ipv4/geneve.c b/net/ipv4/geneve.c
index 065cd94c640c..dedb21e99914 100644
--- a/net/ipv4/geneve.c
+++ b/net/ipv4/geneve.c
@@ -144,6 +144,8 @@ int geneve_xmit_skb(struct geneve_sock *gs, struct rtable *rt,
         gnvh = (struct genevehdr *)__skb_push(skb, sizeof(*gnvh) + opt_len);
         geneve_build_header(gnvh, tun_flags, vni, opt_len, opt);
 
+        skb_set_inner_protocol(skb, htons(ETH_P_TEB));
+
         return udp_tunnel_xmit_skb(gs->sock, rt, skb, src, dst,
                                    tos, ttl, df, src_port, dst_port, xnet);
 }
@@ -364,6 +366,7 @@ late_initcall(geneve_init_module);
 static void __exit geneve_cleanup_module(void)
 {
         destroy_workqueue(geneve_wq);
+        unregister_pernet_subsys(&geneve_net_ops);
 }
 module_exit(geneve_cleanup_module);
 
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index c373a9ad4555..9daf2177dc00 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -195,7 +195,7 @@ int ip_cmsg_send(struct net *net, struct msghdr *msg, struct ipcm_cookie *ipc,
         for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
                 if (!CMSG_OK(msg, cmsg))
                         return -EINVAL;
-#if defined(CONFIG_IPV6)
+#if IS_ENABLED(CONFIG_IPV6)
                 if (allow_ipv6 &&
                     cmsg->cmsg_level == SOL_IPV6 &&
                     cmsg->cmsg_type == IPV6_PKTINFO) {
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index a12b455928e5..88fa2d160685 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -2315,6 +2315,35 @@ static inline bool tcp_packet_delayed(const struct tcp_sock *tp)
 
 /* Undo procedures. */
 
+/* We can clear retrans_stamp when there are no retransmissions in the
+ * window. It would seem that it is trivially available for us in
+ * tp->retrans_out, however, that kind of assumptions doesn't consider
+ * what will happen if errors occur when sending retransmission for the
+ * second time. ...It could the that such segment has only
+ * TCPCB_EVER_RETRANS set at the present time. It seems that checking
+ * the head skb is enough except for some reneging corner cases that
+ * are not worth the effort.
+ *
+ * Main reason for all this complexity is the fact that connection dying
+ * time now depends on the validity of the retrans_stamp, in particular,
+ * that successive retransmissions of a segment must not advance
+ * retrans_stamp under any conditions.
+ */
+static bool tcp_any_retrans_done(const struct sock *sk)
+{
+        const struct tcp_sock *tp = tcp_sk(sk);
+        struct sk_buff *skb;
+
+        if (tp->retrans_out)
+                return true;
+
+        skb = tcp_write_queue_head(sk);
+        if (unlikely(skb && TCP_SKB_CB(skb)->sacked & TCPCB_EVER_RETRANS))
+                return true;
+
+        return false;
+}
+
 #if FASTRETRANS_DEBUG > 1
 static void DBGUNDO(struct sock *sk, const char *msg)
 {
@@ -2410,6 +2439,8 @@ static bool tcp_try_undo_recovery(struct sock *sk)
                  * is ACKed. For Reno it is MUST to prevent false
                  * fast retransmits (RFC2582). SACK TCP is safe. */
                 tcp_moderate_cwnd(tp);
+                if (!tcp_any_retrans_done(sk))
+                        tp->retrans_stamp = 0;
                 return true;
         }
         tcp_set_ca_state(sk, TCP_CA_Open);
@@ -2430,35 +2461,6 @@ static bool tcp_try_undo_dsack(struct sock *sk)
         return false;
 }
 
-/* We can clear retrans_stamp when there are no retransmissions in the
- * window. It would seem that it is trivially available for us in
- * tp->retrans_out, however, that kind of assumptions doesn't consider
- * what will happen if errors occur when sending retransmission for the
- * second time. ...It could the that such segment has only
- * TCPCB_EVER_RETRANS set at the present time. It seems that checking
- * the head skb is enough except for some reneging corner cases that
- * are not worth the effort.
- *
- * Main reason for all this complexity is the fact that connection dying
- * time now depends on the validity of the retrans_stamp, in particular,
- * that successive retransmissions of a segment must not advance
- * retrans_stamp under any conditions.
- */
-static bool tcp_any_retrans_done(const struct sock *sk)
-{
-        const struct tcp_sock *tp = tcp_sk(sk);
-        struct sk_buff *skb;
-
-        if (tp->retrans_out)
-                return true;
-
-        skb = tcp_write_queue_head(sk);
-        if (unlikely(skb && TCP_SKB_CB(skb)->sacked & TCPCB_EVER_RETRANS))
-                return true;
-
-        return false;
-}
-
 /* Undo during loss recovery after partial ACK or using F-RTO. */
 static bool tcp_try_undo_loss(struct sock *sk, bool frto_undo)
 {
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 12c3c8ef3849..4564e1fca3eb 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -961,8 +961,6 @@ static void ip6gre_tnl_link_config(struct ip6_tnl *t, int set_mtu)
         else
                 dev->flags &= ~IFF_POINTOPOINT;
 
-        dev->iflink = p->link;
-
         /* Precalculate GRE options length */
         if (t->parms.o_flags&(GRE_CSUM|GRE_KEY|GRE_SEQ)) {
                 if (t->parms.o_flags&GRE_CSUM)
@@ -1272,6 +1270,7 @@ static int ip6gre_tunnel_init(struct net_device *dev)
                 u64_stats_init(&ip6gre_tunnel_stats->syncp);
         }
 
+        dev->iflink = tunnel->parms.link;
 
         return 0;
 }
@@ -1481,6 +1480,8 @@ static int ip6gre_tap_init(struct net_device *dev)
         if (!dev->tstats)
                 return -ENOMEM;
 
+        dev->iflink = tunnel->parms.link;
+
         return 0;
 }
 
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 9409887fb664..9cb94cfa0ae7 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -272,9 +272,6 @@ static int ip6_tnl_create2(struct net_device *dev)
         int err;
 
         t = netdev_priv(dev);
-        err = ip6_tnl_dev_init(dev);
-        if (err < 0)
-                goto out;
 
         err = register_netdevice(dev);
         if (err < 0)
@@ -1462,6 +1459,7 @@ ip6_tnl_change_mtu(struct net_device *dev, int new_mtu)
 
 
 static const struct net_device_ops ip6_tnl_netdev_ops = {
+        .ndo_init       = ip6_tnl_dev_init,
         .ndo_uninit     = ip6_tnl_dev_uninit,
         .ndo_start_xmit = ip6_tnl_xmit,
         .ndo_do_ioctl   = ip6_tnl_ioctl,
@@ -1546,16 +1544,10 @@ static int __net_init ip6_fb_tnl_dev_init(struct net_device *dev)
         struct ip6_tnl *t = netdev_priv(dev);
         struct net *net = dev_net(dev);
         struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id);
-        int err = ip6_tnl_dev_init_gen(dev);
-
-        if (err)
-                return err;
 
         t->parms.proto = IPPROTO_IPV6;
         dev_hold(dev);
 
-        ip6_tnl_link_config(t);
-
         rcu_assign_pointer(ip6n->tnls_wc[0], t);
         return 0;
 }
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index d440bb585524..31089d153fd3 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -172,10 +172,6 @@ static int vti6_tnl_create2(struct net_device *dev)
         struct vti6_net *ip6n = net_generic(net, vti6_net_id);
         int err;
 
-        err = vti6_dev_init(dev);
-        if (err < 0)
-                goto out;
-
         err = register_netdevice(dev);
         if (err < 0)
                 goto out;
@@ -783,6 +779,7 @@ static int vti6_change_mtu(struct net_device *dev, int new_mtu)
 }
 
 static const struct net_device_ops vti6_netdev_ops = {
+        .ndo_init       = vti6_dev_init,
         .ndo_uninit     = vti6_dev_uninit,
         .ndo_start_xmit = vti6_tnl_xmit,
         .ndo_do_ioctl   = vti6_ioctl,
@@ -852,16 +849,10 @@ static int __net_init vti6_fb_tnl_dev_init(struct net_device *dev)
         struct ip6_tnl *t = netdev_priv(dev);
         struct net *net = dev_net(dev);
         struct vti6_net *ip6n = net_generic(net, vti6_net_id);
-        int err = vti6_dev_init_gen(dev);
-
-        if (err)
-                return err;
 
         t->parms.proto = IPPROTO_IPV6;
         dev_hold(dev);
 
-        vti6_link_config(t);
-
         rcu_assign_pointer(ip6n->tnls_wc[0], t);
         return 0;
 }
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 58e5b4710127..a24557a1c1d8 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -195,10 +195,8 @@ static int ipip6_tunnel_create(struct net_device *dev)
         struct sit_net *sitn = net_generic(net, sit_net_id);
         int err;
 
-        err = ipip6_tunnel_init(dev);
-        if (err < 0)
-                goto out;
-        ipip6_tunnel_clone_6rd(dev, sitn);
+        memcpy(dev->dev_addr, &t->parms.iph.saddr, 4);
+        memcpy(dev->broadcast, &t->parms.iph.daddr, 4);
 
         if ((__force u16)t->parms.i_flags & SIT_ISATAP)
                 dev->priv_flags |= IFF_ISATAP;
@@ -207,7 +205,8 @@ static int ipip6_tunnel_create(struct net_device *dev)
         if (err < 0)
                 goto out;
 
-        strcpy(t->parms.name, dev->name);
+        ipip6_tunnel_clone_6rd(dev, sitn);
+
         dev->rtnl_link_ops = &sit_link_ops;
 
         dev_hold(dev);
@@ -1330,6 +1329,7 @@ static int ipip6_tunnel_change_mtu(struct net_device *dev, int new_mtu)
 }
 
 static const struct net_device_ops ipip6_netdev_ops = {
+        .ndo_init       = ipip6_tunnel_init,
         .ndo_uninit     = ipip6_tunnel_uninit,
         .ndo_start_xmit = sit_tunnel_xmit,
         .ndo_do_ioctl   = ipip6_tunnel_ioctl,
@@ -1378,9 +1378,7 @@ static int ipip6_tunnel_init(struct net_device *dev)
 
         tunnel->dev = dev;
         tunnel->net = dev_net(dev);
-
-        memcpy(dev->dev_addr, &tunnel->parms.iph.saddr, 4);
-        memcpy(dev->broadcast, &tunnel->parms.iph.daddr, 4);
+        strcpy(tunnel->parms.name, dev->name);
 
         ipip6_tunnel_bind_dev(dev);
         dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
@@ -1405,7 +1403,6 @@ static int __net_init ipip6_fb_tunnel_init(struct net_device *dev)
 
         tunnel->dev = dev;
         tunnel->net = dev_net(dev);
-        strcpy(tunnel->parms.name, dev->name);
 
         iph->version            = 4;
         iph->protocol           = IPPROTO_IPV6;
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 56b53571c807..509bc157ce55 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -805,7 +805,7 @@ ieee80211_ibss_process_chanswitch(struct ieee80211_sub_if_data *sdata,
 
         memset(&params, 0, sizeof(params));
         memset(&csa_ie, 0, sizeof(csa_ie));
-        err = ieee80211_parse_ch_switch_ie(sdata, elems, beacon,
+        err = ieee80211_parse_ch_switch_ie(sdata, elems,
                                            ifibss->chandef.chan->band,
                                            sta_flags, ifibss->bssid, &csa_ie);
         /* can't switch to destination channel, fail */
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index c2aaec4dfcf0..8c68da30595d 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1642,7 +1642,6 @@ void ieee80211_process_measurement_req(struct ieee80211_sub_if_data *sdata,
  * ieee80211_parse_ch_switch_ie - parses channel switch IEs
  * @sdata: the sdata of the interface which has received the frame
  * @elems: parsed 802.11 elements received with the frame
- * @beacon: indicates if the frame was a beacon or probe response
  * @current_band: indicates the current band
  * @sta_flags: contains information about own capabilities and restrictions
  *      to decide which channel switch announcements can be accepted. Only the
@@ -1656,7 +1655,7 @@ void ieee80211_process_measurement_req(struct ieee80211_sub_if_data *sdata,
  * Return: 0 on success, <0 on error and >0 if there is nothing to parse.
  */
 int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
-                                 struct ieee802_11_elems *elems, bool beacon,
+                                 struct ieee802_11_elems *elems,
                                  enum ieee80211_band current_band,
                                  u32 sta_flags, u8 *bssid,
                                  struct ieee80211_csa_ie *csa_ie);
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index af237223a8cd..653f5eb07a27 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -766,10 +766,12 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
         int i, flushed;
         struct ps_data *ps;
         struct cfg80211_chan_def chandef;
+        bool cancel_scan;
 
         clear_bit(SDATA_STATE_RUNNING, &sdata->state);
 
-        if (rcu_access_pointer(local->scan_sdata) == sdata)
+        cancel_scan = rcu_access_pointer(local->scan_sdata) == sdata;
+        if (cancel_scan)
                 ieee80211_scan_cancel(local);
 
         /*
@@ -898,6 +900,8 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
                 list_del(&sdata->u.vlan.list);
                 mutex_unlock(&local->mtx);
                 RCU_INIT_POINTER(sdata->vif.chanctx_conf, NULL);
+                /* see comment in the default case below */
+                ieee80211_free_keys(sdata, true);
                 /* no need to tell driver */
                 break;
         case NL80211_IFTYPE_MONITOR:
@@ -923,17 +927,16 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
                 /*
                  * When we get here, the interface is marked down.
                  * Free the remaining keys, if there are any
-                 * (shouldn't be, except maybe in WDS mode?)
+                 * (which can happen in AP mode if userspace sets
+                 * keys before the interface is operating, and maybe
+                 * also in WDS mode)
                  *
                  * Force the key freeing to always synchronize_net()
                  * to wait for the RX path in case it is using this
-                 * interface enqueuing frames * at this very time on
+                 * interface enqueuing frames at this very time on
                  * another CPU.
                  */
                 ieee80211_free_keys(sdata, true);
-
-                /* fall through */
-        case NL80211_IFTYPE_AP:
                 skb_queue_purge(&sdata->skb_queue);
         }
 
@@ -991,6 +994,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
 
         ieee80211_recalc_ps(local, -1);
 
+        if (cancel_scan)
+                flush_delayed_work(&local->scan_work);
+
         if (local->open_count == 0) {
                 ieee80211_stop_device(local);
 
diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c
index e9f99c1e3fad..0c8b2a77d312 100644
--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -874,7 +874,7 @@ ieee80211_mesh_process_chnswitch(struct ieee80211_sub_if_data *sdata,
 
         memset(&params, 0, sizeof(params));
         memset(&csa_ie, 0, sizeof(csa_ie));
-        err = ieee80211_parse_ch_switch_ie(sdata, elems, beacon, band,
+        err = ieee80211_parse_ch_switch_ie(sdata, elems, band,
                                            sta_flags, sdata->vif.addr,
                                            &csa_ie);
         if (err < 0)
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 2de88704278b..93af0f1c9d99 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1072,7 +1072,7 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
 
         current_band = cbss->channel->band;
         memset(&csa_ie, 0, sizeof(csa_ie));
-        res = ieee80211_parse_ch_switch_ie(sdata, elems, beacon, current_band,
+        res = ieee80211_parse_ch_switch_ie(sdata, elems, current_band,
                                            ifmgd->flags,
                                            ifmgd->associated->bssid, &csa_ie);
         if (res < 0)
@@ -1168,7 +1168,8 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata,
                 ieee80211_queue_work(&local->hw, &ifmgd->chswitch_work);
         else
                 mod_timer(&ifmgd->chswitch_timer,
-                          TU_TO_EXP_TIME(csa_ie.count * cbss->beacon_interval));
+                          TU_TO_EXP_TIME((csa_ie.count - 1) *
+                                         cbss->beacon_interval));
 }
 
 static bool
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index b04ca4049c95..a37f9af634cb 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1678,11 +1678,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
         sc = le16_to_cpu(hdr->seq_ctrl);
         frag = sc & IEEE80211_SCTL_FRAG;
 
-        if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
-                   is_multicast_ether_addr(hdr->addr1))) {
-                /* not fragmented */
+        if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
+                goto out;
+
+        if (is_multicast_ether_addr(hdr->addr1)) {
+                rx->local->dot11MulticastReceivedFrameCount++;
                 goto out;
         }
+
         I802_DEBUG_INC(rx->local->rx_handlers_fragments);
 
         if (skb_linearize(rx->skb))
@@ -1775,10 +1778,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
  out:
         if (rx->sta)
                 rx->sta->rx_packets++;
-        if (is_multicast_ether_addr(hdr->addr1))
-                rx->local->dot11MulticastReceivedFrameCount++;
-        else
-                ieee80211_led_rx(rx->local);
+        ieee80211_led_rx(rx->local);
         return RX_CONTINUE;
 }
 
diff --git a/net/mac80211/spectmgmt.c b/net/mac80211/spectmgmt.c
index 6ab009070084..efeba56c913b 100644
--- a/net/mac80211/spectmgmt.c
+++ b/net/mac80211/spectmgmt.c
@@ -22,7 +22,7 @@
 #include "wme.h"
 
 int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
-                                 struct ieee802_11_elems *elems, bool beacon,
+                                 struct ieee802_11_elems *elems,
                                  enum ieee80211_band current_band,
                                  u32 sta_flags, u8 *bssid,
                                  struct ieee80211_csa_ie *csa_ie)
@@ -91,19 +91,13 @@ int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
                 return -EINVAL;
         }
 
-        if (!beacon && sec_chan_offs) {
+        if (sec_chan_offs) {
                 secondary_channel_offset = sec_chan_offs->sec_chan_offs;
-        } else if (beacon && ht_oper) {
-                secondary_channel_offset =
-                        ht_oper->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET;
         } else if (!(sta_flags & IEEE80211_STA_DISABLE_HT)) {
-                /* If it's not a beacon, HT is enabled and the IE not present,
-                 * it's 20 MHz, 802.11-2012 8.5.2.6:
-                 *      This element [the Secondary Channel Offset Element] is
-                 *      present when switching to a 40 MHz channel. It may be
-                 *      present when switching to a 20 MHz channel (in which
-                 *      case the secondary channel offset is set to SCN).
-                 */
+                /* If the secondary channel offset IE is not present,
+                 * we can't know what's the post-CSA offset, so the
+                 * best we can do is use 20MHz.
+                */
                 secondary_channel_offset = IEEE80211_HT_PARAM_CHA_SEC_NONE;
         }
 
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index f1de72de273e..0007b8180397 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1440,7 +1440,7 @@ static void netlink_unbind(int group, long unsigned int groups,
                 return;
 
         for (undo = 0; undo < group; undo++)
-                if (test_bit(group, &groups))
+                if (test_bit(undo, &groups))
                         nlk->netlink_unbind(undo);
 }
 
@@ -1492,7 +1492,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
                         netlink_insert(sk, net, nladdr->nl_pid) :
                         netlink_autobind(sock);
                 if (err) {
-                        netlink_unbind(nlk->ngroups - 1, groups, nlk);
+                        netlink_unbind(nlk->ngroups, groups, nlk);
                         return err;
                 }
         }
@@ -2509,6 +2509,7 @@ __netlink_kernel_create(struct net *net, int unit, struct module *module,
                 nl_table[unit].module = module;
                 if (cfg) {
                         nl_table[unit].bind = cfg->bind;
+                        nl_table[unit].unbind = cfg->unbind;
                         nl_table[unit].flags = cfg->flags;
                         if (cfg->compare)
                                 nl_table[unit].compare = cfg->compare;
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index 0e8529113dc5..fb7976aee61c 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -862,8 +862,6 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
                 list_add(&cur_key->key_list, sh_keys);
 
         cur_key->key = key;
-        sctp_auth_key_hold(key);
-
         return 0;
 nomem:
         if (!replace)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index ab734be8cb20..9f32741abb1c 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2609,6 +2609,9 @@ do_addr_param:
                 addr_param = param.v + sizeof(sctp_addip_param_t);
 
                 af = sctp_get_af_specific(param_type2af(param.p->type));
+                if (af == NULL)
+                        break;
+
                 af->from_addr_param(&addr, addr_param,
                                     htons(asoc->peer.port), 0);